Detections
Analytics
openSUSE Security Update : hylafax+ (openSUSE-2020-1209)
high Nessus Plugin ID 139652
Language:
Synopsis
The remote openSUSE host is missing a security update.Description
This update for hylafax+ fixes the following issues :Hylafax was updated to upstream version 7.0.3.
Security issues fixed :
- CVE-2020-15396: Secure temporary directory creation for faxsetup, faxaddmodem, and probemodem (boo#1173521).
- CVE-2020-15397: Sourcing of files into binaries from user writeable directories (boo#1173519).
Non-security issues fixed :
- add UseSSLFax feature in sendfax, sendfax.conf, hyla.conf, and JobControl (31 Jul 2020)
- be more resilient in listening for the Phase C carrier (30 Jul 2020)
- make sure to return to command mode if HDLC receive times out (29 Jul 2020)
- make faxmail ignore boundaries on parts other than multiparts (29 Jul 2020)
- don't attempt to write zero bytes of data to a TIFF (29 Jul 2020)
- don't ever respond to CRP with CRP (28 Jul 2020)
- reset frame counter when a sender retransmits PPS for a previously confirmed ECM block (26 Jul 2020)
- scrutinize PPM before concluding that the sender missed our MCF (23 Jul 2020)
- fix modem recovery after SSL Fax failure (22, 26 Jul 2020)
- ignore echo of PPR, RTN, CRP (10, 13, 21 Jul 2020)
- attempt to handle NSF/CSI/DIS in Class 1 sending Phase D (6 Jul 2020)
- run scripts directly rather than invoking them via a shell for security hardening (3-5 Jul 2020)
- add senderFumblesECM feature (3 Jul 2020)
- add support for PIN/PIP/PRI-Q/PPS-PRI-Q signals, add senderConfusesPIN feature, and utilize PIN for rare conditions where it may be helpful (2, 6, 13-14 Jul 2020)
- add senderConfusesRTN feature (25-26 Jun 2020)
- add MissedPageHandling feature (24 Jun 2020)
- use and handle CFR in Phase D to retransmit Phase C (16, 23 Jun 2020)
- cope with hearing echo of RR, CTC during Class 1 sending (15-17 Jun 2020)
- fix listening for retransmission of MPS/EOP/EOM if it was received corrupt on the first attempt (15 Jun 2020)
- don't use CRP when receiving PPS/PPM as some senders think we are sending MCF (12 Jun 2020)
- add BR_SSLFAX to show SSL Fax in notify and faxinfo output (1 Jun 2020)
- have faxinfo put units on non-standard page dimensions (28 May 2020)
- improve error messages for JobHost connection errors (22 May 2020)
- fix perpetual blocking of jobs when a job preparation fails, attempt to fix similar blocking problems for bad jobs in batches, and add 'unblock' faxconfig feature (21 May 2020)
- ignore TCF if we're receiving an SSL Fax (31 Jan 2020)
- fixes for build on FreeBSD 12.1 (31 Jan - 3 Feb 2020)
Solution
Update the affected hylafax+ packages.See Also
Plugin Details
Severity: High
ID: 139652
File Name: openSUSE-2020-1209.nasl
Version: 1.3
Type: local
Agent: unix
Family: SuSE Local Security Checks
Published: 8/18/2020
Updated: 2/26/2024
Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Continuous Assessment, Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 6.7
CVSS v2
Risk Factor: High
Base Score: 7.2
Temporal Score: 5.6
Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C
CVSS Score Source: CVE-2020-15397
CVSS v3
Risk Factor: High
Base Score: 7.8
Temporal Score: 7
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C
Vulnerability Information
CPE: p-cpe:/a:novell:opensuse:hylafax%2b-debugsource, p-cpe:/a:novell:opensuse:hylafax%2b, p-cpe:/a:novell:opensuse:libfaxutil7_0_3-debuginfo, p-cpe:/a:novell:opensuse:hylafax%2b-debuginfo, cpe:/o:novell:opensuse:15.2, p-cpe:/a:novell:opensuse:libfaxutil7_0_3, p-cpe:/a:novell:opensuse:hylafax%2b-client-debuginfo, p-cpe:/a:novell:opensuse:hylafax%2b-client
Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 8/14/2020
Vulnerability Publication Date: 6/30/2020
Reference Information
CVE: CVE-2020-15396, CVE-2020-15397