SUSE Security Update: Security update for WebYaST
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0022-1
Rating:             important
References:         #851116 
Cross-References:   CVE-2013-3709
Affected Products:
                    WebYaST 1.2
______________________________________________________________________________

   An update that fixes one vulnerability is now available. It
   includes one version update.

Description:


   In the past WebYAST was installed with world readable
   secret tokens.  Although these were modified on the start
   of the webyast service and so  could not be read from
   remote, it was possible for local attackers on the  same
   machine to read the secrets and so gain local root access
   via the  webyast services. This has been fixed.
   (CVE-2013-3709)

   Security Issue reference:

   * CVE-2013-3709
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3709
   >


Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - WebYaST 1.2:

      zypper in -t patch slewyst12-webyast-base-ui-8706

   To bring your system up-to-date, use "zypper patch".


Package List:

   - WebYaST 1.2 (noarch) [New Version: 0.2.64]:

      webyast-base-ui-0.2.64-0.3.1
      webyast-base-ui-branding-default-0.2.64-0.3.1
      webyast-base-ui-testsuite-0.2.64-0.3.1


References:

   http://support.novell.com/security/cve/CVE-2013-3709.html
   https://bugzilla.novell.com/851116
   ?keywords=af7e4362e22d530ab6e447346f0afdfb

-- 
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org