Bug 1127838 – VUL-0: CVE-2019-0804: python-azure-agent: Undisclosed vulnerability

Bug 1127838 - (CVE-2019-0804) VUL-0: CVE-2019-0804: python-azure-agent: Undisclosed vulnerability

(CVE-2019-0804)
Summary:	VUL-0: CVE-2019-0804: python-azure-agent: Undisclosed vulnerability

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assigned To:	Robert Schweikert
QA Contact:	Security Team bot

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2019-03-05 06:33 UTC by Karol Babioch
Modified:	2020-08-18 13:19 UTC (History)
CC List:	3 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Comment 4 Marcus Meissner 2019-03-13 09:08:13 UTC

there have been public postings

Ubuntu advisory:

https://www.pro-linux.de/sicherheit/2/47846/preisgabe-von-informationen-in-walinuxagent.html

Comment 5 Marcus Meissner 2019-03-13 09:09:13 UTC

==========================================================================
Ubuntu Security Notice USN-3907-1
March 12, 2019

walinuxagent vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

WALinuxAgent could be made to expose sensitive information.

Software Description:
- walinuxagent: Windows Azure Linux Agent

Details:

It was discovered that WALinuxAgent created swap files with incorrect
permissions. A local attacker could possibly use this issue to obtain
sensitive information from the swap file.

Comment 8 Robert Schweikert 2019-03-13 12:39:25 UTC

Great thanks. Released

Comment 9 Swamp Workflow Management 2019-03-13 12:56:51 UTC

SUSE-SU-2019:0603-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1127838
CVE References: CVE-2019-0804
Sources used:
SUSE Linux Enterprise Module for Public Cloud 15 (src):    python-azure-agent-2.2.36-7.6.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    python-azure-agent-2.2.36-7.6.1

Comment 10 Marcus Meissner 2019-03-13 13:03:20 UTC

was there any upstream advisory and can you link it?

Comment 11 Marcus Meissner 2019-03-13 13:12:42 UTC

Only the python3 version of the code was affected, so SLE12 and older are not affected.

Comment 12 Swamp Workflow Management 2019-03-26 09:42:18 UTC

This is an autogenerated message for OBS integration:
This bug (1127838) was mentioned in
https://build.opensuse.org/request/show/685775 Factory / python-azure-agent

Comment 14 Johannes Segitz 2019-10-04 04:41:55 UTC

Also affects 11 and 12, see bsc#1152980

Comment 16 Swamp Workflow Management 2019-12-30 17:12:31 UTC

SUSE-SU-2019:3393-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1127838,1159639
CVE References: CVE-2019-0804
Sources used:
SUSE Linux Enterprise Module for Public Cloud 15 (src):    python-azure-agent-2.2.45-7.9.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    python-azure-agent-2.2.45-7.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 17 Swamp Workflow Management 2019-12-30 17:13:22 UTC

SUSE-SU-2019:3394-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1127838,1159639
CVE References: CVE-2019-0804
Sources used:
SUSE Linux Enterprise Module for Public Cloud 12 (src):    python-azure-agent-2.2.45-34.20.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 19 Swamp Workflow Management 2020-02-24 20:12:09 UTC

SUSE-SU-2020:0440-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1127838
CVE References: CVE-2019-0804
Sources used:
SUSE Linux Enterprise Module for Public Cloud 15-SP1 (src):    python-azure-agent-2.2.45-3.3.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    python-azure-agent-2.2.45-3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 20 Swamp Workflow Management 2020-02-29 23:11:05 UTC

openSUSE-SU-2020:0261-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1127838
CVE References: CVE-2019-0804
Sources used:
openSUSE Leap 15.1 (src):    python-azure-agent-2.2.45-lp151.2.3.1

Comment 22 Swamp Workflow Management 2020-08-18 13:19:49 UTC

SUSE-SU-2020:14454-1: An update that solves one vulnerability and has 11 fixes is now available.

Category: security (moderate)
Bug References: 1061584,1074865,1087764,1092831,1094420,1119542,1127838,1167601,1167602,1173866,1175130,997614
CVE References: CVE-2019-0804
JIRA References: ECO-2419,ECO-80,PM-2119
Sources used:
SUSE Linux Enterprise Server 11-PUBCLOUD (src):    python-azure-agent-2.2.45-28.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.