Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package sca-patterns-sle15 for openSUSE:Factory checked in at 2021-02-07 15:20:45 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/sca-patterns-sle15 (Old) and /work/SRC/openSUSE:Factory/.sca-patterns-sle15.new.28504 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "sca-patterns-sle15" Sun Feb 7 15:20:45 2021 rev:4 rq:869584 version:1.0.1 Changes: --------
--- /work/SRC/openSUSE:Factory/sca-patterns-sle15/sca-patterns-sle15.changes 2020-12-16 11:01:52.015651195 +0100
+++ /work/SRC/openSUSE:Factory/.sca-patterns-sle15.new.28504/sca-patterns-sle15.changes 2021-02-07 15:23:40.246175309 +0100
@@ -1,0 +2,10 @@
+Tue Jan 26 18:47:03 UTC 2021 - jason.rec...@gmail.com
+
+- Pattern for TID000019825 - Graphic interface no longer working after patches
+
+-------------------------------------------------------------------
+Mon Jan 25 17:54:17 UTC 2021 - jason.rec...@suse.com
+
+- Patterns for TID000019786 Security Vulnerability: SADDNS attack (CVE-2020-25705)
+
+-------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ sca-patterns-sle15.spec ++++++
--- /var/tmp/diff_new_pack.CJCnJ8/_old 2021-02-07 15:23:40.734175867 +0100
+++ /var/tmp/diff_new_pack.CJCnJ8/_new 2021-02-07 15:23:40.738175871 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package sca-patterns-sle15
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2021 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
++++++ sca-patterns-sle15-1.0.1.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sca-patterns-sle15-1.0.1/patterns/SLE/sle15sp0/saddns-000019786_150.py new/sca-patterns-sle15-1.0.1/patterns/SLE/sle15sp0/saddns-000019786_150.py
--- old/sca-patterns-sle15-1.0.1/patterns/SLE/sle15sp0/saddns-000019786_150.py 1970-01-01 01:00:00.000000000 +0100
+++ new/sca-patterns-sle15-1.0.1/patterns/SLE/sle15sp0/saddns-000019786_150.py 2021-01-25 20:00:09.334834906 +0100
@@ -0,0 +1,105 @@
+#!/usr/bin/python
+
+# Title: Side-channel AttackeD DNS
+# Description: Security Vulnerability: SADDNS attack (CVE-2020-25705)
+# Distro: SLES15 SP0
+# Modified: 2021 Jan 16
+#
+##############################################################################
+# Copyright (C) 2021, SUSE LLC
+##############################################################################
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+#
+# Authors/Contributors:
+# Jason Record <jason.rec...@suse.com>
+#
+##############################################################################
+
+##############################################################################
+# Module Definition
+##############################################################################
+
+import re
+import os
+import Core
+import SUSE
+
+##############################################################################
+# Overriden (eventually or in part) from SDP::Core Module
+##############################################################################
+
+META_CLASS = "SLE"
+META_CATEGORY = "Security"
+META_COMPONENT = "DNS"
+PATTERN_ID = os.path.basename(__file__)
+PRIMARY_LINK = "META_LINK_TID"
+OVERALL = Core.TEMP
+OVERALL_INFO = "NOT SET"
+OTHER_LINKS = "META_LINK_TID=https://www.suse.com/support/kb/doc/?id=000019786|META_LINK_BUG=https://bugzilla.suse.com/show_bug.cgi?id=1175721|META_LINK_CVE=https://www.suse.com/security/cve/CVE-2020-25705/|META_LINK_SADDNS=https://www.saddns.net/"
+
+KERNEL_VERSION = '4.12.14-150.63'
+DNS_PACKAGE = 'bind'
+DNS_SERVICE = 'named.service'
+
+
+Core.init(META_CLASS, META_CATEGORY, META_COMPONENT, PATTERN_ID, PRIMARY_LINK, OVERALL, OVERALL_INFO, OTHER_LINKS)
+##############################################################################
+# Local Function Definitions
+##############################################################################
+
+def workAroundApplied():
+ fileOpen = "network.txt"
+ section = "iptables -t filter"
+ content = {}
+ IN_STATE = False
+ WORK_AROUND = re.compile("DROP.*icmp.*icmptype")
+ if Core.getSection(fileOpen, section, content):
+ for line in content:
+ if IN_STATE:
+ if "Chain" in content[line]: # we reached the end of the output chain
+ return False
+ elif WORK_AROUND.search(content[line]): # we find the workaround
+ return True
+ elif "Chain OUTPUT" in content[line]: # the workaround only applies in the output chain
+ IN_STATE = True
+ return False
+
+##############################################################################
+# Main Program Execution
+##############################################################################
+
+ACTIVE_VERSION = SUSE.compareKernel(KERNEL_VERSION)
+if( ACTIVE_VERSION < 0 ):
+ if( SUSE.packageInstalled(DNS_PACKAGE) ):
+ SERVICE_INFO = SUSE.getServiceDInfo(DNS_SERVICE)
+ if not SERVICE_INFO:
+ if( workAroundApplied() ):
+ Core.updateStatus(Core.WARN, "SAD DNS security risk detected, but workaround applied, update server for fixes")
+ else:
+ Core.updateStatus(Core.WARN, "SAD DNS security risk detected if named enabled, update server for fixes")
+ else:
+ if( SERVICE_INFO['UnitFileState'] == 'enabled' ):
+ if( workAroundApplied() ):
+ Core.updateStatus(Core.WARN, "SAD DNS security risk detected, but workaround applied, update server for fixes")
+ else:
+ Core.updateStatus(Core.CRIT, "SAD DNS security risk detected, update server for fixes")
+ else:
+ Core.updateStatus(Core.IGNORE, "Service is disabled: " + str(DNS_SERVICE));
+ else:
+ Core.updateStatus(Core.ERROR, "The package " + DNS_PACKAGE + " is NOT installed")
+else:
+ Core.updateStatus(Core.IGNORE, "SAD DNS security risk resolved in kernel version " + KERNEL_VERSION)
+
+Core.printPatternResults()
+
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sca-patterns-sle15-1.0.1/patterns/SLE/sle15sp1/saddns-000019786_151.py new/sca-patterns-sle15-1.0.1/patterns/SLE/sle15sp1/saddns-000019786_151.py
--- old/sca-patterns-sle15-1.0.1/patterns/SLE/sle15sp1/saddns-000019786_151.py 1970-01-01 01:00:00.000000000 +0100
+++ new/sca-patterns-sle15-1.0.1/patterns/SLE/sle15sp1/saddns-000019786_151.py 2021-01-25 20:00:09.334834906 +0100
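Review bot: The `WORK_AROUND` pattern in `workAroundApplied()` of `saddns-000019786_150.py` accepts any ICMP DROP rule in the OUTPUT chain, so a rule that drops an unrelated ICMP type is reported as "workaround applied" and the enabled-named case is downgraded from `Core.CRIT` to `Core.WARN`. Assuming the workaround in the linked TID is the usual one of dropping outgoing ICMP destination-unreachable, and that the section holds numeric `iptables` output, the pattern should pin the type: `WORK_AROUND = re.compile(r"DROP.*icmp.*icmptype 3\b")`. The same line appears in `saddns-000019786_151.py` and `saddns-000019786_152.py`.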
@@ -0,0 +1,105 @@
+#!/usr/bin/python
+
+# Title: Side-channel AttackeD DNS
+# Description: Security Vulnerability: SADDNS attack (CVE-2020-25705)
+# Distro: SLES15 SP1
+# Modified: 2021 Jan 16
+#
+##############################################################################
+# Copyright (C) 2021, SUSE LLC
+##############################################################################
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+#
+# Authors/Contributors:
+# Jason Record <jason.rec...@suse.com>
+#
+##############################################################################
+
+##############################################################################
+# Module Definition
+##############################################################################
+
+import re
+import os
+import Core
+import SUSE
+
+##############################################################################
+# Overriden (eventually or in part) from SDP::Core Module
+##############################################################################
+
+META_CLASS = "SLE"
+META_CATEGORY = "Security"
+META_COMPONENT = "DNS"
+PATTERN_ID = os.path.basename(__file__)
+PRIMARY_LINK = "META_LINK_TID"
+OVERALL = Core.TEMP
+OVERALL_INFO = "NOT SET"
+OTHER_LINKS = "META_LINK_TID=https://www.suse.com/support/kb/doc/?id=000019786|META_LINK_BUG=https://bugzilla.suse.com/show_bug.cgi?id=1175721|META_LINK_CVE=https://www.suse.com/security/cve/CVE-2020-25705/|META_LINK_SADDNS=https://www.saddns.net/"
+
+KERNEL_VERSION = '4.12.14-197.72'
+DNS_PACKAGE = 'bind'
+DNS_SERVICE = 'named.service'
+
+
+Core.init(META_CLASS, META_CATEGORY, META_COMPONENT, PATTERN_ID, PRIMARY_LINK, OVERALL, OVERALL_INFO, OTHER_LINKS)
+##############################################################################
+# Local Function Definitions
+##############################################################################
+
+def workAroundApplied():
+ fileOpen = "network.txt"
+ section = "iptables -t filter"
+ content = {}
+ IN_STATE = False
+ WORK_AROUND = re.compile("DROP.*icmp.*icmptype")
+ if Core.getSection(fileOpen, section, content):
+ for line in content:
+ if IN_STATE:
+ if "Chain" in content[line]: # we reached the end of the output chain
+ return False
+ elif WORK_AROUND.search(content[line]): # we find the workaround
+ return True
+ elif "Chain OUTPUT" in content[line]: # the workaround only applies in the output chain
+ IN_STATE = True
+ return False
+
+##############################################################################
+# Main Program Execution
+##############################################################################
+
+ACTIVE_VERSION = SUSE.compareKernel(KERNEL_VERSION)
+if( ACTIVE_VERSION < 0 ):
+ if( SUSE.packageInstalled(DNS_PACKAGE) ):
+ SERVICE_INFO = SUSE.getServiceDInfo(DNS_SERVICE)
+ if not SERVICE_INFO:
+ if( workAroundApplied() ):
+ Core.updateStatus(Core.WARN, "SAD DNS security risk detected, but workaround applied, update server for fixes")
+ else:
+ Core.updateStatus(Core.WARN, "SAD DNS security risk detected if named enabled, update server for fixes")
+ else:
+ if( SERVICE_INFO['UnitFileState'] == 'enabled' ):
+ if( workAroundApplied() ):
+ Core.updateStatus(Core.WARN, "SAD DNS security risk detected, but workaround applied, update server for fixes")
+ else:
+ Core.updateStatus(Core.CRIT, "SAD DNS security risk detected, update server for fixes")
+ else:
+ Core.updateStatus(Core.IGNORE, "Service is disabled: " + str(DNS_SERVICE));
+ else:
+ Core.updateStatus(Core.ERROR, "The package " + DNS_PACKAGE + " is NOT installed")
+else:
+ Core.updateStatus(Core.IGNORE, "SAD DNS security risk resolved in kernel version " + KERNEL_VERSION)
+
+Core.printPatternResults()
+
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sca-patterns-sle15-1.0.1/patterns/SLE/sle15sp1/xschema-000019825.py new/sca-patterns-sle15-1.0.1/patterns/SLE/sle15sp1/xschema-000019825.py
--- old/sca-patterns-sle15-1.0.1/patterns/SLE/sle15sp1/xschema-000019825.py 1970-01-01 01:00:00.000000000 +0100
+++ new/sca-patterns-sle15-1.0.1/patterns/SLE/sle15sp1/xschema-000019825.py 2021-01-26 20:34:39.399693633 +0100
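Review bot: The main block of `saddns-000019786_151.py` decides exposure from `SERVICE_INFO['UnitFileState']` alone, so a named that is running but not enabled at boot lands in the `Core.IGNORE` "Service is disabled" branch on a kernel the pattern treats as vulnerable. If the dict returned by `SUSE.getServiceDInfo` also carries the unit's active state, test it too, e.g. `if( SERVICE_INFO.get('UnitFileState') == 'enabled' or SERVICE_INFO.get('ActiveState') == 'active' ):`; `.get()` also avoids a KeyError when the key is absent. The same condition is in the sp0 and sp2 copies of this pattern.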
@@ -0,0 +1,82 @@
+#!/usr/bin/python
+
+# Title: Graphic Interface Failure
+# Description: Graphic interface no longer working after patches
+# Modified: 2021 Jan 26
+#
+##############################################################################
+# Copyright (C) 2021, SUSE LLC
+##############################################################################
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+#
+# Authors/Contributors:
+# Jason Record <jason.rec...@suse.com>
+#
+##############################################################################
+
+##############################################################################
+# Module Definition
+##############################################################################
+
+import re
+import os
+import Core
+import SUSE
+
+##############################################################################
+# Overriden (eventually or in part) from SDP::Core Module
+##############################################################################
+
+META_CLASS = "SLE"
+META_CATEGORY = "X"
+META_COMPONENT = "Schema"
+PATTERN_ID = os.path.basename(__file__)
+PRIMARY_LINK = "META_LINK_TID"
+OVERALL = Core.TEMP
+OVERALL_INFO = "NOT SET"
+OTHER_LINKS = "META_LINK_TID=https://www.suse.com/support/kb/doc/?id=000019825"
+
+Core.init(META_CLASS, META_CATEGORY, META_COMPONENT, PATTERN_ID, PRIMARY_LINK, OVERALL, OVERALL_INFO, OTHER_LINKS)
+
+PACKAGE_NAME = 'gsettings-desktop-schemas'
+
+##############################################################################
+# Local Function Definitions
+##############################################################################
+
+def errorFound():
+ fileOpen = "messages.txt"
+ section = "/var/log/messages"
+ content = {}
+ ERROR_MSG = re.compile("gnome-session-binary.*GLib-GIO-ERROR.*No GSettings schemas are installed on the system", re.IGNORECASE)
+ if Core.getSection(fileOpen, section, content):
+ for line in content:
+ if ERROR_MSG.search(content[line]):
+ return True
+ return False
+
+##############################################################################
+# Main Program Execution
+##############################################################################
+
+if ( SUSE.packageInstalled(PACKAGE_NAME) ):
+ if( errorFound() ):
+ Core.updateStatus(Core.WARN, "If you have graphical interface issues, check gschemas.compiled permissions")
+ else:
+ Core.updateStatus(Core.IGNORE, "No GLib-GIO-ERROR message found")
+else:
+ Core.updateStatus(Core.IGNORE, "The package " + PACKAGE_NAME + " is NOT installed")
+
+Core.printPatternResults()
+
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sca-patterns-sle15-1.0.1/patterns/SLE/sle15sp2/saddns-000019786_152.py new/sca-patterns-sle15-1.0.1/patterns/SLE/sle15sp2/saddns-000019786_152.py
--- old/sca-patterns-sle15-1.0.1/patterns/SLE/sle15sp2/saddns-000019786_152.py 1970-01-01 01:00:00.000000000 +0100
+++ new/sca-patterns-sle15-1.0.1/patterns/SLE/sle15sp2/saddns-000019786_152.py 2021-01-25 20:00:09.334834906 +0100
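Review bot: `errorFound()` in `xschema-000019825.py` has no docstring, and nothing states that it returns True for any matching line kept in the `/var/log/messages` section of `messages.txt`, however old that entry is. A one-line docstring would make the contract visible: `"""Return True if messages.txt holds a gnome-session-binary GLib-GIO-ERROR about missing GSettings schemas."""`. The WARN text points at `gschemas.compiled` permissions without naming the file location or the expected mode; if the TID gives them, the message could repeat them so the finding is actionable on its own.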
@@ -0,0 +1,105 @@
+#!/usr/bin/python
+
+# Title: Side-channel AttackeD DNS
+# Description: Security Vulnerability: SADDNS attack (CVE-2020-25705)
+# Distro: SLES15 SP2
+# Modified: 2021 Jan 12
+#
+##############################################################################
+# Copyright (C) 2021, SUSE LLC
+##############################################################################
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+#
+# Authors/Contributors:
+# Jason Record <jason.rec...@suse.com>
+#
+##############################################################################
+
+##############################################################################
+# Module Definition
+##############################################################################
+
+import re
+import os
+import Core
+import SUSE
+
+##############################################################################
+# Overriden (eventually or in part) from SDP::Core Module
+##############################################################################
+
+META_CLASS = "SLE"
+META_CATEGORY = "Security"
+META_COMPONENT = "DNS"
+PATTERN_ID = os.path.basename(__file__)
+PRIMARY_LINK = "META_LINK_TID"
+OVERALL = Core.TEMP
+OVERALL_INFO = "NOT SET"
+OTHER_LINKS = "META_LINK_TID=https://www.suse.com/support/kb/doc/?id=000019786|META_LINK_BUG=https://bugzilla.suse.com/show_bug.cgi?id=1175721|META_LINK_CVE=https://www.suse.com/security/cve/CVE-2020-25705/|META_LINK_SADDNS=https://www.saddns.net/"
+
+KERNEL_VERSION = '5.3.18-24.37'
+DNS_PACKAGE = 'bind'
+DNS_SERVICE = 'named.service'
+
+
+Core.init(META_CLASS, META_CATEGORY, META_COMPONENT, PATTERN_ID, PRIMARY_LINK, OVERALL, OVERALL_INFO, OTHER_LINKS)
+##############################################################################
+# Local Function Definitions
+##############################################################################
+
+def workAroundApplied():
+ fileOpen = "network.txt"
+ section = "iptables -t filter"
+ content = {}
+ IN_STATE = False
+ WORK_AROUND = re.compile("DROP.*icmp.*icmptype")
+ if Core.getSection(fileOpen, section, content):
+ for line in content:
+ if IN_STATE:
+ if "Chain" in content[line]: # we reached the end of the output chain
+ return False
+ elif WORK_AROUND.search(content[line]): # we find the workaround
+ return True
+ elif "Chain OUTPUT" in content[line]: # the workaround only applies in the output chain
+ IN_STATE = True
+ return False
+
+##############################################################################
+# Main Program Execution
+##############################################################################
+
+ACTIVE_VERSION = SUSE.compareKernel(KERNEL_VERSION)
+if( ACTIVE_VERSION < 0 ):
+ if( SUSE.packageInstalled(DNS_PACKAGE) ):
+ SERVICE_INFO = SUSE.getServiceDInfo(DNS_SERVICE)
+ if not SERVICE_INFO:
+ if( workAroundApplied() ):
+ Core.updateStatus(Core.WARN, "SAD DNS security risk detected, but workaround applied, update server for fixes")
+ else:
+ Core.updateStatus(Core.WARN, "SAD DNS security risk detected if named enabled, update server for fixes")
+ else:
+ if( SERVICE_INFO['UnitFileState'] == 'enabled' ):
+ if( workAroundApplied() ):
+ Core.updateStatus(Core.WARN, "SAD DNS security risk detected, but workaround applied, update server for fixes")
+ else:
+ Core.updateStatus(Core.CRIT, "SAD DNS security risk detected, update server for fixes")
+ else:
+ Core.updateStatus(Core.IGNORE, "Service is disabled: " + str(DNS_SERVICE));
+ else:
+ Core.updateStatus(Core.ERROR, "The package " + DNS_PACKAGE + " is NOT installed")
+else:
+ Core.updateStatus(Core.IGNORE, "SAD DNS security risk resolved in kernel version " + KERNEL_VERSION)
+
+Core.printPatternResults()
+
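Review bot: `workAroundApplied()` in `saddns-000019786_152.py` walks `content` with `for line in content:`, yet its `IN_STATE` logic only works if the `Chain OUTPUT` header is seen before that chain's rules and the next `Chain` header after them. `content` is a plain dict filled by `Core.getSection`, and the `#!/usr/bin/python` shebang may resolve to an interpreter that does not guarantee dict iteration order; assuming the keys are line numbers, `for line in sorted(content):` makes the scan order explicit. An out-of-order walk could report the workaround as present or absent incorrectly, which changes the severity the pattern emits. The function is identical in the sp0 and sp1 copies.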