Security update for ksh

Announcement ID: SUSE-SU-2024:2756-1
Rating: important
References:
Cross-References:
CVSS scores:
  • CVE-2019-14868 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2019-14868 ( NVD ): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:
  • Legacy Module 12
  • SUSE Linux Enterprise High Performance Computing 12 SP2
  • SUSE Linux Enterprise High Performance Computing 12 SP3
  • SUSE Linux Enterprise High Performance Computing 12 SP4
  • SUSE Linux Enterprise High Performance Computing 12 SP5
  • SUSE Linux Enterprise Server 12
  • SUSE Linux Enterprise Server 12 SP1
  • SUSE Linux Enterprise Server 12 SP2
  • SUSE Linux Enterprise Server 12 SP3
  • SUSE Linux Enterprise Server 12 SP4
  • SUSE Linux Enterprise Server 12 SP5
  • SUSE Linux Enterprise Server for SAP Applications 12
  • SUSE Linux Enterprise Server for SAP Applications 12 SP1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP2
  • SUSE Linux Enterprise Server for SAP Applications 12 SP3
  • SUSE Linux Enterprise Server for SAP Applications 12 SP4
  • SUSE Linux Enterprise Server for SAP Applications 12 SP5
  • SUSE Linux Enterprise Software Development Kit 12 SP5

An update that solves one vulnerability and has two security fixes can now be installed.

Description:

This update for ksh fixes the following issues:

  • CVE-2019-14868: Fixed code injection due to environment variables on startup interpreted as arithmetic expression (bsc#1160796)

Other fixes: - do not use posix_spawn as it lacks proper job handling (bsc#1224057) - fix segfault in variable substitution (bsc#1129288)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • Legacy Module 12
    zypper in -t patch SUSE-SLE-Module-Legacy-12-2024-2756=1
  • SUSE Linux Enterprise Software Development Kit 12 SP5
    zypper in -t patch SUSE-SLE-SDK-12-SP5-2024-2756=1

Package List:

  • Legacy Module 12 (aarch64 ppc64le s390x x86_64)
    • ksh-debuginfo-93vu-19.3.2
    • ksh-debugsource-93vu-19.3.2
    • ksh-93vu-19.3.2
  • SUSE Linux Enterprise Software Development Kit 12 SP5 (aarch64 ppc64le s390x x86_64)
    • ksh-debuginfo-93vu-19.3.2
    • ksh-debugsource-93vu-19.3.2
    • ksh-devel-93vu-19.3.2

References: