SUSE-SU-2021:2136-1

Details

This update for cryptctl fixes the following issues:

Update to version 2.4:

CVE-2019-18906: Client side password hashing was equivalent to clear text password storage (bsc#1186226)
First step to use plain text password instead of hashed password.
Move repository into the SUSE github organization
in RPC server, if client comes from localhost, remember its ipv4 localhost address instead of ipv6 address
tell a record to clear expired pending commands upon saving a command result; introduce pending commands RPC test case
avoid hard coding 127.0.0.1 in host ID of alive message test; let system administrator mount and unmount disks by issuing these two commands on key server.

Affected Packages

cryptctl

SUSE Enterprise Storage 6SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOSSUSE Linux Enterprise High Performance Computing 15 SP1-LTSSSUSE Linux Enterprise Module for Basesystem 15 SP2SUSE Linux Enterprise Module for Basesystem 15 SP3

Fixed in:

2.4-4.5.1

References

REPORT

https://bugzilla.suse.com/1186226

WEB

https://www.suse.com/security/cve/CVE-2019-18906

ADVISORY

https://www.suse.com/support/update/announcement/2021/suse-su-20212136-1/