An update that solves 11 vulnerabilities and has 22 fixes is now available. It includes two new package versions.
SUSE Studio was prone to several cross-site-scripting (XSS) and shell quoting issues.
* CVE-2011-2652 - XSS vulnerability in overlay files: bad escaping of archive file list
* CVE-2011-2651 - Remote code execution via crafted filename in file browser
* CVE-2011-2650 - XSS vulnerability when displaying RPM info (pattern name)
* CVE-2011-2649 - Unwanted shell expansion when executing commands in FileUtils fix
* CVE-2011-2648 - Arbitrary code execution via filters in modified files
* CVE-2011-2647 - studio: Remote code execution via crafted archive name in testdrive's modified files
* CVE-2011-2646 - studio: Remote code execution via crafted filename in testdrive's modified files
* CVE-2011-2645 - Remote code execution via crafted custom RPM filename
* CVE-2011-2644 - XSS vulnerability in displaying RPM info
* CVE-2011-2226 - XSS vulnerability when displaying pattern listing
* CVE-2011-2225 - Overlay directory paths are not properly escaped before inclusion into config.sh
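The two bug classes this advisory groups together, untrusted filenames reaching a shell and untrusted package metadata reaching an HTML page, are shown below as an added Ruby example. It is not SUSE Studio's code; the function names and the sample filename and package name are constructed for illustration, and only `echo` is executed so the demonstration stays inert.

```ruby
# Added example (not SUSE Studio's own code): the vulnerable pattern behind the
# "shell quoting" CVEs above, next to two hardened forms, plus the HTML escaping
# that the XSS entries call for.
require 'shellwords'
require 'erb'

# Vulnerable pattern: a filename taken from an upload or archive listing is
# interpolated into a command string, so /bin/sh interprets any metacharacters
# it contains as shell syntax. Only `echo` is run here to keep the demo inert.
def list_with_interpolation(filename)
  `echo #{filename}`
end

# Hardened form 1: quote the untrusted value for the shell. Shellwords.escape
# turns every metacharacter into a literal, so the command stays a single echo.
def list_with_escaping(filename)
  `echo #{Shellwords.escape(filename)}`
end

# Hardened form 2 (preferred): pass an argv array so no shell is involved at
# all; the filename reaches the program as one argument, metacharacters intact.
def list_without_shell(filename)
  IO.popen(['echo', filename], &:read)
end

# The XSS side: package metadata (pattern names, RPM info) must be HTML-escaped
# before it is written into a page. ERB::Util.html_escape is the Rails helper.
def render_package_name(name)
  "<td>#{ERB::Util.html_escape(name)}</td>"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: a filename carrying shell metacharacters and a
  # package name carrying markup. Neither comes from the advisory.
  crafted_name = 'overlay.tar; echo injected'
  puts list_with_interpolation(crafted_name)  # two lines: the shell ran a second command
  puts list_with_escaping(crafted_name)       # one line, the name verbatim
  puts list_without_shell(crafted_name)       # one line, the name verbatim
  puts render_package_name('pkg <b>name</b>')
end
```

The argv form is the one to reach for in new code: it removes the shell from the path entirely, so there is no quoting rule to get wrong. Escaping is the fallback when a command string genuinely must be built, and the HTML helper applies the same principle on the output side.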
Furthermore, the following non-security fixes are included:
* 682978: Fix apache config for cloning appliances with image repos
* 681902: Fix images being deleted when one format is deleted
* 571584: Show 32bit packages in 64bit appliance when there's no 64bit version available
* 701512: Remove kiwi version dependency on release
* 704730: Fix script for fixing the apache configuration
* 707637: Fixed rmds segfaults during attempt of adding specially crafted repositories
* 704726: Disable partition alignment for SLE10
* 709437: Fix Export script
* 689907: Fix SLE 10 SP3 appliances containing SP2 product file
* 711998: Do not waste disk space when generating the export tarball
In addition, this update provides kiwi version 3.73.1 with the following fixes:
* 667082: KIWIManager.sh rpmLibs() should execute ldconfig after baselib cleanup
* 668014: Support raid 1 (mirroring) for pxe images
* 670299: kiwi's implementation of 4k alignment feature covers only first partition
* 675004: TFTP block size
* 694506: Kiwi: boot partition runs out of space
* 659843: Avoid initialization of KMS without kernel support
* 693847: fixed URL quoting, we have to distinguish the quoting
Also an important fix was made to the "export" script.