important: libuser/targetcli security update
important
An update for libuser/targetcli is now available for NewStart CGSL MAIN 5.04/CGSL CORE 5.04.
NewStart Security has rated this update as having a security impact of important. A Common Vunlnerability Scoring System(CVSS)base score, which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.
libuser: The libuser-devel package contains header files, static libraries, and other files useful for developing applications with libuser.
targetcli: An administration shell for configuring iSCSI, FCoE, and other SCSI targets, using the TCM/LIO kernel target subsystem. FCoE users will also need to install and use fcoe-utils.
Security Fix(es):
libuser: A flaw was found in the way the libuser library handled the /etc/passwd file. A local attacker could use an application compiled against libuser (for example, userhelper) to manipulate the /etc/passwd file, which could result in a denial of service or possibly allow the attacker to escalate their privileges to root.(CVE-2015-3246)
libuser: It was found that libuser, as used by the chfn userhelper functionality, did not properly filter out newline characters in GECOS fields. A local, authenticated user could use this flaw to corrupt the /etc/passwd file, resulting in a denial-of-service on the system.(CVE-2015-3245)
libuser: bugfix
targetcli: An access flaw was found in targetcli, where the `/etc/target` and underneath backup directory/files were world-readable. This flaw allows a local attacker to access potentially sensitive information such as authentication credentials from the /etc/target/saveconfig.json and backup files. The highest threat from this vulnerability is to confidentiality.(CVE-2020-13867)
targetcli: bugfix
Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 5.04.F30B3.