Vulnerability   
Search   
    Search 211766 CVE descriptions
and 97459 test descriptions,
access 10,000+ cross references.
Tests   CVE   All  

Test ID:1.3.6.1.4.1.25623.1.1.4.2021.1094.1
Category:SuSE Local Security Checks
Title:SUSE: Security Advisory (SUSE-SU-2021:1094-1)
Summary:The remote host is missing an update for the 'flatpak, libostree, xdg-desktop-portal, xdg-desktop-portal-gtk' package(s) announced via the SUSE-SU-2021:1094-1 advisory.
Description:Summary:
The remote host is missing an update for the 'flatpak, libostree, xdg-desktop-portal, xdg-desktop-portal-gtk' package(s) announced via the SUSE-SU-2021:1094-1 advisory.

Vulnerability Insight:
This update for flatpak, libostree, xdg-desktop-portal,
xdg-desktop-portal-gtk fixes the following issues:

libostree:

Update to version 2020.8

Enable LTO. (bsc#1133120)

This update contains scalability improvements and bugfixes.

Caching-related HTTP headers are now supported on summaries and
signatures, so that they do not have to be re-downloaded if not changed
in the meanwhile.

Summaries and delta have been reworked to allow more fine-grained
fetching.

Fixes several bugs related to atomic variables, HTTP timeouts, and
32-bit architectures.

Static deltas can now be signed to more easily support offline
verification.

There's now support for multiple initramfs images, Is it possible to
have a 'main' initramfs image and a secondary one which represents local
configuration.

The documentation is now moved to [link moved to references]

Fix for an assertion failure when upgrading from systems before ostree
supported devicetree.

ostree no longer hardlinks zero sized files to avoid hitting filesystem
maximum link counts.

ostree now supports `/` and `/boot` being on the same filesystem.

Improvements to the GObject Introspection metadata, some (cosmetic)
static analyzer fixes, a fix for the immutable bit on s390x, dropping a
deprecated bit in the systemd unit file.

Fix a regression 2020.4 where the 'readonly sysroot' changes incorrectly
left the sysroot read-only
on systems that started out with a read-only `/` (most of them, e.g.
Fedora Silverblue/IoT at least).

The default dracut config now enables reproducibility.

There is a new ostree admin unlock `--transient`. This should to be a
foundation for further support for 'live' updates.

New `ed25519` signing support, powered by `libsodium`.

stree commit gained a new `--base` argument, which significantly
simplifies constructing 'derived' commits, particularly for systems
using SELinux.

Handling of the read-only sysroot was reimplemented to run in the
initramfs and be more reliable. Enabling the `readonly=true` flag in the
repo config is recommended.

Several fixes in locking for the temporary 'staging' directories OSTree
creates, particularly on NFS.

A new `timestamp-check-from-rev` option was added for pulls, which makes
downgrade protection more reliable and will be used by Fedora CoreOS.

Several fixes and enhancements made for 'collection' pulls including a
new `--mirror` option.

The ostree commit command learned a new `--mode-ro-executables` which
enforces `W^R` semantics
on all executables.

Added a new commit metadata key `OSTREE_COMMIT_META_KEY_ARCHITECTURE`
to help standardize the architecture of the OSTree commit. This could be
used on the client side for example to sanity-check that the commit
matches the architecture of the machine before deploying.

Stop invalid usage of `%_libexecdir`:
+ Use `%{_prefix}/lib` where appropriate.
+ Use `_systemdgeneratordir` for t... [Please see the references for more information on the vulnerabilities]

Affected Software/OS:
'flatpak, libostree, xdg-desktop-portal, xdg-desktop-portal-gtk' package(s) on SUSE Linux Enterprise Module for Desktop Applications 15-SP2, SUSE Linux Enterprise Module for Basesystem 15-SP2

Solution:
Please install the updated package(s).

CVSS Score:
7.2

CVSS Vector:
AV:L/AC:L/Au:N/C:C/I:C/A:C

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2021-21261
CopyrightCopyright (C) 2021 Greenbone Networks GmbH

This is only one of 97459 vulnerability tests in our test suite. Find out more about running a complete security audit.

To run a free test of this vulnerability against your system, register below.




© 1998-2021 E-Soft Inc. All rights reserved.