{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"moderate"},"category":"csaf_security_advisory","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"Security update for hylafax+","title":"Title of the patch"},{"category":"description","text":"This update for hylafax+ fixes the following issues:\n\nHylafax was updated to upstream version 7.0.3.\n\nSecurity issues fixed:\n\n- CVE-2020-15396: Secure temporary directory creation for faxsetup, faxaddmodem, and probemodem (boo#1173521).\n- CVE-2020-15397: Sourcing of files into binaries from user writeable directories (boo#1173519).\n\nNon-security issues fixed:\n\n* add UseSSLFax feature in sendfax, sendfax.conf, hyla.conf, and JobControl\n  (31 Jul 2020)\n* be more resilient in listening for the Phase C carrier (30 Jul 2020)\n* make sure to return to command mode if HDLC receive times out (29 Jul 2020)\n* make faxmail ignore boundaries on parts other than multiparts (29 Jul 2020)\n* don't attempt to write zero bytes of data to a TIFF (29 Jul 2020)\n* don't ever respond to CRP with CRP (28 Jul 2020)\n* reset frame counter when a sender retransmits PPS for a previously confirmed\n  ECM block (26 Jul 2020)\n* scrutinize PPM before concluding that the sender missed our MCF (23 Jul 2020)\n* fix modem recovery after SSL Fax failure (22, 26 Jul 2020)\n* ignore echo of PPR, RTN, CRP (10, 13, 21 Jul 2020)\n* attempt to handle NSF/CSI/DIS in Class 1 sending Phase D (6 Jul 2020)\n* run scripts directly rather than invoking them via a shell for security\n  hardening (3-5 Jul 2020)\n* add senderFumblesECM feature (3 Jul 2020)\n* add support for PIN/PIP/PRI-Q/PPS-PRI-Q signals, add senderConfusesPIN\n  feature, and utilize PIN for rare conditions where it may be helpful\n  (2, 6, 13-14 Jul 2020)\n* add senderConfusesRTN feature (25-26 Jun 2020)\n* add MissedPageHandling feature (24 Jun 2020)\n* use and handle CFR in Phase D to retransmit Phase C (16, 23 Jun 2020)\n* cope with hearing echo of RR, CTC during Class 1 sending (15-17 Jun 2020)\n* fix listening for retransmission of MPS/EOP/EOM if it was received\n  corrupt on the first attempt (15 Jun 2020)\n* don't use CRP when receiving PPS/PPM as some senders think\n  we are sending MCF (12 Jun 2020)\n* add BR_SSLFAX to show SSL Fax in notify and faxinfo output (1 Jun 2020)\n* have faxinfo put units on non-standard page dimensions (28 May 2020)\n* improve error messages for JobHost connection errors (22 May 2020)\n* fix perpetual blocking of jobs when a job preparation fails,\n  attempt to fix similar blocking problems for bad jobs in\n  batches, and add 'unblock' faxconfig feature (21 May 2020)\n* ignore TCF if we're receiving an SSL Fax (31 Jan 2020)\n* fixes for build on FreeBSD 12.1 (31 Jan - 3 Feb 2020)\n","title":"Description of the patch"},{"category":"details","text":"openSUSE-2020-1209","title":"Patchnames"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"SUSE ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"self","summary":"URL of this CSAF notice","url":"https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2020_1209-1.json"},{"category":"self","summary":"URL for openSUSE-SU-2020:1209-1","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/X6XT7KUJG3ZNIXOR2ITCKSIPAFF3NF6A/"},{"category":"self","summary":"E-Mail link for openSUSE-SU-2020:1209-1","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/X6XT7KUJG3ZNIXOR2ITCKSIPAFF3NF6A/"},{"category":"self","summary":"SUSE Bug 1173519","url":"https://bugzilla.suse.com/1173519"},{"category":"self","summary":"SUSE Bug 1173521","url":"https://bugzilla.suse.com/1173521"},{"category":"self","summary":"SUSE CVE CVE-2020-15396 page","url":"https://www.suse.com/security/cve/CVE-2020-15396/"},{"category":"self","summary":"SUSE CVE CVE-2020-15397 page","url":"https://www.suse.com/security/cve/CVE-2020-15397/"}],"title":"Security update for hylafax+","tracking":{"current_release_date":"2020-08-14T18:18:53Z","generator":{"date":"2020-08-14T18:18:53Z","engine":{"name":"cve-database.git:bin/generate-csaf.pl","version":"1"}},"id":"openSUSE-SU-2020:1209-1","initial_release_date":"2020-08-14T18:18:53Z","revision_history":[{"date":"2020-08-14T18:18:53Z","number":"1","summary":"Current version"}],"status":"final","version":"1"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_version","name":"hylafax+-7.0.3-lp152.3.6.1.x86_64","product":{"name":"hylafax+-7.0.3-lp152.3.6.1.x86_64","product_id":"hylafax+-7.0.3-lp152.3.6.1.x86_64"}},{"category":"product_version","name":"hylafax+-client-7.0.3-lp152.3.6.1.x86_64","product":{"name":"hylafax+-client-7.0.3-lp152.3.6.1.x86_64","product_id":"hylafax+-client-7.0.3-lp152.3.6.1.x86_64"}},{"category":"product_version","name":"libfaxutil7_0_3-7.0.3-lp152.3.6.1.x86_64","product":{"name":"libfaxutil7_0_3-7.0.3-lp152.3.6.1.x86_64","product_id":"libfaxutil7_0_3-7.0.3-lp152.3.6.1.x86_64"}}],"category":"architecture","name":"x86_64"},{"branches":[{"category":"product_name","name":"openSUSE Leap 15.2","product":{"name":"openSUSE Leap 15.2","product_id":"openSUSE Leap 15.2","product_identification_helper":{"cpe":"cpe:/o:opensuse:leap:15.2"}}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"hylafax+-7.0.3-lp152.3.6.1.x86_64 as component of openSUSE Leap 15.2","product_id":"openSUSE Leap 15.2:hylafax+-7.0.3-lp152.3.6.1.x86_64"},"product_reference":"hylafax+-7.0.3-lp152.3.6.1.x86_64","relates_to_product_reference":"openSUSE Leap 15.2"},{"category":"default_component_of","full_product_name":{"name":"hylafax+-client-7.0.3-lp152.3.6.1.x86_64 as component of openSUSE Leap 15.2","product_id":"openSUSE Leap 15.2:hylafax+-client-7.0.3-lp152.3.6.1.x86_64"},"product_reference":"hylafax+-client-7.0.3-lp152.3.6.1.x86_64","relates_to_product_reference":"openSUSE Leap 15.2"},{"category":"default_component_of","full_product_name":{"name":"libfaxutil7_0_3-7.0.3-lp152.3.6.1.x86_64 as component of openSUSE Leap 15.2","product_id":"openSUSE Leap 15.2:libfaxutil7_0_3-7.0.3-lp152.3.6.1.x86_64"},"product_reference":"libfaxutil7_0_3-7.0.3-lp152.3.6.1.x86_64","relates_to_product_reference":"openSUSE Leap 15.2"}]},"vulnerabilities":[{"cve":"CVE-2020-15396","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2020-15396"}],"notes":[{"category":"general","text":"In HylaFAX+ through 7.0.2 and HylaFAX Enterprise, the faxsetup utility calls chown on files in user-owned directories. By winning a race, a local attacker could use this to escalate his privileges to root.","title":"CVE description"}],"product_status":{"recommended":["openSUSE Leap 15.2:hylafax+-7.0.3-lp152.3.6.1.x86_64","openSUSE Leap 15.2:hylafax+-client-7.0.3-lp152.3.6.1.x86_64","openSUSE Leap 15.2:libfaxutil7_0_3-7.0.3-lp152.3.6.1.x86_64"]},"references":[{"category":"external","summary":"CVE-2020-15396","url":"https://www.suse.com/security/cve/CVE-2020-15396"},{"category":"external","summary":"SUSE Bug 1173521 for CVE-2020-15396","url":"https://bugzilla.suse.com/1173521"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["openSUSE Leap 15.2:hylafax+-7.0.3-lp152.3.6.1.x86_64","openSUSE Leap 15.2:hylafax+-client-7.0.3-lp152.3.6.1.x86_64","openSUSE Leap 15.2:libfaxutil7_0_3-7.0.3-lp152.3.6.1.x86_64"]}],"scores":[{"cvss_v3":{"baseScore":7.8,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["openSUSE Leap 15.2:hylafax+-7.0.3-lp152.3.6.1.x86_64","openSUSE Leap 15.2:hylafax+-client-7.0.3-lp152.3.6.1.x86_64","openSUSE Leap 15.2:libfaxutil7_0_3-7.0.3-lp152.3.6.1.x86_64"]}],"threats":[{"category":"impact","date":"2020-08-14T18:18:53Z","details":"important"}],"title":"CVE-2020-15396"},{"cve":"CVE-2020-15397","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2020-15397"}],"notes":[{"category":"general","text":"HylaFAX+ through 7.0.2 and HylaFAX Enterprise have scripts that execute binaries from directories writable by unprivileged users (e.g., locations under /var/spool/hylafax that are writable by the uucp account). This allows these users to execute code in the context of the user calling these binaries (often root).","title":"CVE description"}],"product_status":{"recommended":["openSUSE Leap 15.2:hylafax+-7.0.3-lp152.3.6.1.x86_64","openSUSE Leap 15.2:hylafax+-client-7.0.3-lp152.3.6.1.x86_64","openSUSE Leap 15.2:libfaxutil7_0_3-7.0.3-lp152.3.6.1.x86_64"]},"references":[{"category":"external","summary":"CVE-2020-15397","url":"https://www.suse.com/security/cve/CVE-2020-15397"},{"category":"external","summary":"SUSE Bug 1173519 for CVE-2020-15397","url":"https://bugzilla.suse.com/1173519"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["openSUSE Leap 15.2:hylafax+-7.0.3-lp152.3.6.1.x86_64","openSUSE Leap 15.2:hylafax+-client-7.0.3-lp152.3.6.1.x86_64","openSUSE Leap 15.2:libfaxutil7_0_3-7.0.3-lp152.3.6.1.x86_64"]}],"scores":[{"cvss_v3":{"baseScore":7.8,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["openSUSE Leap 15.2:hylafax+-7.0.3-lp152.3.6.1.x86_64","openSUSE Leap 15.2:hylafax+-client-7.0.3-lp152.3.6.1.x86_64","openSUSE Leap 15.2:libfaxutil7_0_3-7.0.3-lp152.3.6.1.x86_64"]}],"threats":[{"category":"impact","date":"2020-08-14T18:18:53Z","details":"important"}],"title":"CVE-2020-15397"}]}