Detections
Analytics

SUSE SLED15 / SLES15 / openSUSE 15 Security Update : javapackages-tools, xmlgraphics-batik, xmlgraphics-commons, xmlgraphics-fop (SUSE-SU-2024:4054-1)

high Nessus Plugin ID 212526

Synopsis

The remote SUSE host is missing a security update.

Description

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2024:4054-1 advisory.

 xmlgraphics-fop was updated from version 2.8 to 2.10:

 - Security issues fixed:

 * CVE-2024-28168: Fixed improper restriction of XML External Entity (XXE) reference (bsc#1231428)

 - Upstream changes and bugs fixed:

 * Version 2.10:

 + footnote-body ignores rl-tb writing mode + SVG tspan content is displayed out of place + Added new schema to handle pdf/a and pdfa/ua + Correct fop version at runtime + NoSuchElementException when using font with no family name + Resolve classpath for binary distribution + Switch to spotbugs + Set an automatic module name + Rename packages to avoid conflicts with modules + Resize table only for multicolumn page + Missing jars in servlet + Optimise performance of PNG with alpha using raw loader + basic-link not navigating to corresponding footnote + Added option to sign PDF + Added secure processing for XSL input + Allow sections which need security permissions to be run when AllPermission denied in caller code + Remove unused PDFStructElem + Remove space generated by fo:wrapper + Reset content length for table changing ipd + Added alt text to PDF signature + Allow change of resource level for SVG in AFP + Exclude shape not in clipping path for AFP + Only support 1 column for redo of layout without page pos only + Switch to Jakarta servlet API + NPE when list item is split alongside an ipd change + Added mandatory MODCA triplet to AFP + Redo layout for multipage columns + Added image mask option for AFP + Skip written block ipds inside float + Allow curly braces for src url + Missing content for last page with change ipd + Added warning when different pdf languages are used + Only restart line manager when there is a linebreak for blocklayout

 * Version 2.9:

 + Values in PDF Number Trees must be indirect references + Do not delete files on syntax errors using command line + Surrogate pair edge-case causes Exception + Reset character spacing + SVG text containing certain glyphs isn't rendered + Remove duplicate classes from maven classpath + Allow use of page position only on redo of layout + Failure to render multi-block itemBody alongside float + Update to PDFBox 2.0.27 + NPE if link destination is missing with accessibility + Make property cache thread safe + Font size was rounded to 0 for AFP TTF + Cannot process a SVG using mvn jars + Remove serializer jar + Allow creating a PDF 2.0 document + Text missing after page break inside table inline + IllegalArgumentException for list in a table + Table width may be too wide when layout width changes + NPE when using broken link and PDF 1.5 + Allow XMP at PDF page level + Symbol font was not being mapped to unicode + Correct font differences table for Chrome + Link against Java 8 API + Added support for font-selection-strategy=character-by-character + Merge form fields in external PDFs + Fixed test for Java 11

 xmlgraphics-batik was updated from version 1.17 to 1.18:

 - PNG transcoder references nonexistent class
 - Set offset to 0 if missing in stop tag
 - Validate throws NPE
 - Fixed missing arabic characters
 - Animated rotate tranform ignores y-origin at exactly 270 degrees
 - Set an automatic module name
 - Ignore inkscape properties
 - Switch to spotbugs
 - Allow source and target resolution configuration

 xmlgraphics-commons was updated from version 2.8 to 2.10:

 - Fixed test for Java 11
 - Allow XMP at PDF page level
 - Allow source resolution configuration
 - Added new schema to handle pdf/a and pdfa/ua
 - Set an automatic module name
 - Switch to spotbugs
 - Do not use a singleton for ImageImplRegistry

 javapackages-tools was updated from version 6.3.0 to 6.3.4:

 - Version 6.3.4:

 * A corner case when which is not present
 * Remove dependency on which
 * Simplify after the which -> type -p change
 * jpackage_script: Remove pointless assignment when %java_home is unset
 * Don't export JAVA_HOME (bsc#1231347)

 - Version 6.3.2:

 * Search for JAVACMD under JAVA_HOME only if it's set
 * Obsolete set_jvm and set_jvm_dirs functions
 * Drop unneeded _set_java_home function
 * Remove JAVA_HOME check from check_java_env function
 * Bump codecov/codecov-action from 2.0.2 to 4.6.0
 * Bump actions/setup-python from 4 to 5
 * Bump actions/checkout from 2 to 4
 * Added custom dependabot config
 * Remove the test for JAVA_HOME and error if it is not set
 * java-functions: Remove unneeded local variables
 * Fixed build status shield

 - Version 6.3.1:

 * Allow missing components with abs2rel
 * Fixed tests with python 3.4
 * Sync spec file from Fedora
 * Drop default JRE/JDK
 * Fixed the use of java-functions in scripts
 * Test that we don't bomb on <relativePath/>
 * Test variable expansion in artifactId
 * Interpolate properties also in the current artifact
 * Rewrite abs2rel in shell
 * Use asciidoctor instead of asciidoc
 * Fixed incompatibility with RPM 4.20
 * Reproducible exclusions order in maven metadata
 * Do not bomb on <relativePath/> construct
 * Make maven_depmap order of aliases reproducible

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://bugzilla.suse.com/1231347

https://bugzilla.suse.com/1231428

http://www.nessus.org/u?4e2f6a7b

https://www.suse.com/security/cve/CVE-2024-28168

Plugin Details

Severity: High

ID: 212526

File Name: suse_SU-2024-4054-1.nasl

Version: 1.1

Type: local

Agent: unix

Published: 12/12/2024

Updated: 12/12/2024

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 5.6

Temporal Score: 4.1

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:N/A:P

CVSS Score Source: CVE-2024-28168

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:javapackages-ivy, p-cpe:/a:novell:suse_linux:xmlgraphics-fop, p-cpe:/a:novell:suse_linux:python3-javapackages, p-cpe:/a:novell:suse_linux:xmlgraphics-commons, p-cpe:/a:novell:suse_linux:javapackages-local, p-cpe:/a:novell:suse_linux:javapackages-gradle, p-cpe:/a:novell:suse_linux:javapackages-filesystem, p-cpe:/a:novell:suse_linux:xmlgraphics-batik-css, p-cpe:/a:novell:suse_linux:xmlgraphics-batik, cpe:/o:novell:suse_linux:15, p-cpe:/a:novell:suse_linux:javapackages-tools

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 11/26/2024

Vulnerability Publication Date: 10/9/2024

Reference Information

CVE: CVE-2024-28168

SuSE: SUSE-SU-2024:4054-1