Fedora 38 : rear (2024-49ddbf447d)

medium Nessus Plugin ID 190823

Synopsis

The remote Fedora host is missing one or more security updates.

Description

The remote Fedora 38 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-49ddbf447d advisory.

* Fri Feb 9 2024 Lukáš Zaoral <[email protected]> - 2.7-8
- Sync with patches in CentOS Stream 9 (kudos to @pcahyna!) chronologically from the latest:
- Resolve libs for executable links in COPY_AS_IS, PR 3073
- Skip invalid disk drives when saving layout PR 3047
- Do not delete NetBackup logs in case of errors and save /usr/openv/netbackup/logs to the restored system after a successful recovery
- Add /usr/openv/var to COPY_AS_IS_NBU, fixes an issue seen with NetBackup 10.2.0.1
- Support saving and restoring hybrid BIOS/UEFI bootloader, PRs 3145 3136
* Thu Feb 8 2024 Lukáš Zaoral <[email protected]> - 2.7-7
- do not generate /etc/rear/os.conf during build
* Wed Feb 7 2024 Lukáš Zaoral <[email protected]> - 2.7-6
- copy the console= kernel arguments from the original system
* Tue Feb 6 2024 Lukáš Zaoral <[email protected]> - 2.7-5
- replace dhcp-client with dhcpcd (rhbz#2247060)
* Tue Feb 6 2024 Lukáš Zaoral <[email protected]> - 2.7-4
- make initrd accessible only by root (CVE-2024-23301)
* Tue Feb 6 2024 Lukáš Zaoral <[email protected]> - 2.7-3
- fix unusable recovery with newer systemd (rhbz#2254871)
* Mon Feb 5 2024 Lukáš Zaoral <[email protected]> - 2.7-2
- migrate to SPDX license format
- properly use %license and %doc macros
- use https in URLs
* Fri Feb 2 2024 Lukáš Zaoral <[email protected]> - 2.7-1
- rebase to version 2.7 (rhbz#2215778)
- drop obsolete patches
- rebase remaining patches
* Fri Feb 2 2024 Lukáš Zaoral <[email protected]> - 2.6-14
- Sync with patches in CentOS Stream 9 (kudos to @pcahyna!) chronologically from the latest:
- Backport PR 3061 to save LVM pool metadata volume size in disk layout and restore it
- Backport PR 3058 to skip useless xfs mount options when mounting during recovery, prevents mount errors like logbuf size must be greater than or equal to log stripe size
- Add patch to force removal of lvmdevices, prevents LVM problems after restoring to different disks/cloning. Upstream PR 3043
- Add patch to start rsyslog and include NBU systemd units
- Apply PR 3027 to ensure correct creation of the rescue environment when a file is shrinking while being read
- Backport PR 2774 to increase USB_UEFI_PART_SIZE to 1024 MiB
- Apply upstream patch for temp dir usage with LUKS to ensure that during recovery an encrypted disk can be unlocked using a keyfile
- Backport upstream PR 3031: Secure Boot support for OUTPUT=USB
- Correct a mistake done when backporting PR 2691
- Backport PR2943 to fix s390x dasd formatting
- Require s390utils-{core,base} on s390x
- Apply PR2903 to protect against colons in pvdisplay output
- Apply PR2873 to fix initrd regeneration on s390x
- Apply PR2431 to migrate XFS configuration files
- Exclude /etc/lvm/devices from the rescue system to work around a segfault in lvm pvcreate
- Avoid stderr message about irrelevant broken links
- Changes for NetBackup (NBU) 9.x support
- Backport PR2831 - rsync URL refactoring fixes rsync OUTPUT_URL when different from BACKUP_URL
- Apply PR2795 to detect changes in system files between backup and rescue image
- Apply PR2808 to exclude dev/watchdog* from recovery system
- Backport upstream PRs 2827 and 2839 to pass -y to lvcreate instead of one y on stdin
- Apply PR2811 to add the PRE/POST_RECOVERY_COMMANDS directives
- Recommend dosfstools on x86_64, needed for EFI System Partition
- Backport PR2825 to replace defunct mkinitrd with dracut
- Apply PR2580 to load the nvram module in the rescue environment in order to be able to set the boot order on ppc64le LPARs
- Backport PR2822 to include the true vi executable in rescue ramdisk
- Apply PR2675 to fix leftover temp dir bug (introduced in backported PR2625)
- Apply PR2603 to ignore unused PV devices
- Apply upstream PR2750 to avoid exclusion of wanted multipath devices
- Remove unneeded xorriso dep on s390x (no ISO image support there)
- Apply upstream PR2736 to add the EXCLUDE_{IP_ADDRESSES,NETWORK_INTERFACES} options
- Add patch for better handling of thin pools and other LV types not supported by vgcfgrestore
- Sync spec changes and downstream patches from RHEL 8 rear-2.6-2
- Fix multipath performance regression in 2.6, introduced by upstream PR #2299. Resolves: rhbz1993296
- On POWER add bootlist & ofpathname to the list of required programs conditionally (bootlist only if running under PowerVM, ofpathname always except on PowerNV) - upstream PR2665, add them to package dependencies Resolves: rhbz1983013
- Backport PR2608: Fix setting boot path in case of UEFI partition (ESP) on MD RAID. Resolves: rhbz1945869
- Backport PR2625 Prevents accidental backup removal in case of errors Resolves: rhbz1958247
- Fix rsync error and option handling Resolves: rhbz1930662
- Put TMPDIR on /var/tmp by default, otherwise it may lack space RHBZ #1988420, upstream PR2664
- Sync spec changes and downstream patches from RHEL 8
- Require xorriso instead of genisoimage
- Add S/390 support and forgotten dependency on the file utility
- Backport upstream code related to LUKS2 support
- Modify the cron command to avoid an e-mail with error message after ReaR is installed but not properly configured when the cron command is triggered for the first time
- Changes for NetBackup (NBU) support, upstream PR2544
- Add dependency on dhcp-client, RHBZ #1926451
Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected rear package.

See Also

https://bodhi.fedoraproject.org/updates/FEDORA-2024-49ddbf447d

Plugin Details

Severity: Medium

ID: 190823

File Name: fedora_2024-49ddbf447d.nasl

Version: 1.1

Type: local

Agent: unix

Published: 2/21/2024

Updated: 11/15/2024

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: Medium

Base Score: 4.6

Temporal Score: 3.6

Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:N/A:N

CVSS Score Source: CVE-2024-23301

CVSS v3

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 5

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:fedoraproject:fedora:38, p-cpe:/a:fedoraproject:fedora:rear

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/12/2024

Vulnerability Publication Date: 1/12/2024

Reference Information

CVE: CVE-2024-23301