Bug 1127838 (CVE-2019-0804)

Summary: VUL-0: CVE-2019-0804: python-azure-agent: Undisclosed vulnerability
Product: [Novell Products] SUSE Security Incidents
Reporter: Karol Babioch <karol>
Component: Incidents
Assignee: Robert Schweikert <rjschwei>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: jsegitz, maint-coord, meissner
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Comment 4 Marcus Meissner 2019-03-13 09:08:13 UTC
there have been public postings

Ubuntu advisory:

https://www.pro-linux.de/sicherheit/2/47846/preisgabe-von-informationen-in-walinuxagent.html
Comment 5 Marcus Meissner 2019-03-13 09:09:13 UTC
==========================================================================
Ubuntu Security Notice USN-3907-1
March 12, 2019

walinuxagent vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

WALinuxAgent could be made to expose sensitive information.

Software Description:
- walinuxagent: Windows Azure Linux Agent

Details:

It was discovered that WALinuxAgent created swap files with incorrect
permissions. A local attacker could possibly use this issue to obtain
sensitive information from the swap file.
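
The advisory quoted in comment 5 attributes the issue to swap files created with incorrect permissions. The following audit is an added example, not part of the bug report or of WALinuxAgent: it reads `/proc/swaps`-formatted text and flags file-backed swap that grants group or other access or is not owned by the expected user. The 0600, root-owned baseline is an assumption (the mode `swapon` suggests), and the function names are hypothetical.

```python
import os
import re
import stat


def parse_proc_swaps(text):
    """Return (path, type) for each entry in /proc/swaps-formatted text."""
    entries = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 2:
            continue
        # The kernel escapes whitespace in paths as octal, e.g. "\040" for a space.
        path = re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), fields[0])
        entries.append((path, fields[1]))
    return entries


def audit_swap_files(swaps_text, expected_uid=0):
    """Return (path, problem) findings for file-backed swap areas.

    Assumed baseline: mode 0600 and owned by expected_uid (root by default).
    """
    findings = []
    for path, kind in parse_proc_swaps(swaps_text):
        if kind != "file":  # partitions are governed by device node permissions
            continue
        try:
            st = os.stat(path)
        except OSError as exc:
            findings.append((path, "cannot stat: %s" % exc.strerror))
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & 0o077:  # any group or other permission bit set
            findings.append((path, "mode %04o grants group/other access" % mode))
        if st.st_uid != expected_uid:
            findings.append((path, "owner uid %d, expected %d" % (st.st_uid, expected_uid)))
    return findings


if __name__ == "__main__":
    with open("/proc/swaps") as fh:
        for path, problem in audit_swap_files(fh.read()):
            print("%s: %s" % (path, problem))
```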
Comment 8 Robert Schweikert 2019-03-13 12:39:25 UTC
Great thanks. Released
Comment 9 Swamp Workflow Management 2019-03-13 12:56:51 UTC
SUSE-SU-2019:0603-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1127838
CVE References: CVE-2019-0804
Sources used:
SUSE Linux Enterprise Module for Public Cloud 15 (src):    python-azure-agent-2.2.36-7.6.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    python-azure-agent-2.2.36-7.6.1
Comment 10 Marcus Meissner 2019-03-13 13:03:20 UTC
was there any upstream advisory and can you link it?
Comment 11 Marcus Meissner 2019-03-13 13:12:42 UTC
Only the python3 version of the code was affected, so SLE12 and older are not affected.
Comment 12 Swamp Workflow Management 2019-03-26 09:42:18 UTC
This is an autogenerated message for OBS integration:
This bug (1127838) was mentioned in
https://build.opensuse.org/request/show/685775 Factory / python-azure-agent
Comment 14 Johannes Segitz 2019-10-04 04:41:55 UTC
Also affects 11 and 12, see bsc#1152980
Comment 16 Swamp Workflow Management 2019-12-30 17:12:31 UTC
SUSE-SU-2019:3393-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1127838,1159639
CVE References: CVE-2019-0804
Sources used:
SUSE Linux Enterprise Module for Public Cloud 15 (src):    python-azure-agent-2.2.45-7.9.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    python-azure-agent-2.2.45-7.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Swamp Workflow Management 2019-12-30 17:13:22 UTC
SUSE-SU-2019:3394-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1127838,1159639
CVE References: CVE-2019-0804
Sources used:
SUSE Linux Enterprise Module for Public Cloud 12 (src):    python-azure-agent-2.2.45-34.20.1

Comment 19 Swamp Workflow Management 2020-02-24 20:12:09 UTC
SUSE-SU-2020:0440-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1127838
CVE References: CVE-2019-0804
Sources used:
SUSE Linux Enterprise Module for Public Cloud 15-SP1 (src):    python-azure-agent-2.2.45-3.3.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    python-azure-agent-2.2.45-3.3.1

Comment 20 Swamp Workflow Management 2020-02-29 23:11:05 UTC
openSUSE-SU-2020:0261-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1127838
CVE References: CVE-2019-0804
Sources used:
openSUSE Leap 15.1 (src):    python-azure-agent-2.2.45-lp151.2.3.1
Comment 22 Swamp Workflow Management 2020-08-18 13:19:49 UTC
SUSE-SU-2020:14454-1: An update that solves one vulnerability and has 11 fixes is now available.

Category: security (moderate)
Bug References: 1061584,1074865,1087764,1092831,1094420,1119542,1127838,1167601,1167602,1173866,1175130,997614
CVE References: CVE-2019-0804
JIRA References: ECO-2419,ECO-80,PM-2119
Sources used:
SUSE Linux Enterprise Server 11-PUBCLOUD (src):    python-azure-agent-2.2.45-28.8.1
