Bug 1146785

Summary: AUDIT-FIND: resource-agents: Static tmp file in oradg.sh.in
Product: [Novell Products] SUSE Security Incidents Reporter: Johannes Segitz <jsegitz>
Component: IncidentsAssignee: nick wang <nwang>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P5 - None CC: atoptsoglou, nwang, varkoly
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on:    
Bug Blocks: 1021689    

Description Johannes Segitz 2019-08-22 08:50:08 UTC 
resource-agents-4.3.018.a7fb5035/rgmanager/src/resources/oradg.sh.in
125 spool /tmp/dgstatus.${ORACLE_SID};

Please use a secure tmp file
Comment 3 nick wang 2020-03-26 13:02:34 UTC 
The fix from Peter to change location to ${HA_RSCTMP}(${localstatedir}/run/resource-agents/ by default) is merged in [1], so close this.
(Change to "/run" is accepted, so doesn't need mktemp to a random file.)

[1] https://github.com/ClusterLabs/resource-agents/pull/1467

Will file a new issue in upstream to fix comment#2.
Comment 4 Johannes Segitz 2020-03-26 13:10:03 UTC 
(In reply to nick wang from comment #3)
Please don't close security bugs. Reassign them to security@suse.de once our products are fixed. Thanks
Comment 8 Swamp Workflow Management 2020-04-23 19:32:55 UTC 
SUSE-SU-2020:1090-1: An update that contains security fixes can now be installed.

Category: security (important)
Bug References: 1021689,1146687,1146690,1146691,1146692,1146766,1146776,1146784,1146785,1146787
CVE References: 
Sources used:
SUSE Linux Enterprise High Availability 15 (src):    resource-agents-4.3.0184.6ee15eb2-3.37.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2020-04-23 19:35:25 UTC 
SUSE-SU-2020:1089-1: An update that contains security fixes can now be installed.

Category: security (important)
Bug References: 1021689,1146687,1146690,1146691,1146692,1146766,1146776,1146784,1146785,1146787
CVE References: 
Sources used:
SUSE Linux Enterprise High Availability 15-SP1 (src):    resource-agents-4.3.0184.6ee15eb2-4.22.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Swamp Workflow Management 2020-04-23 19:36:49 UTC 
SUSE-SU-2020:1092-1: An update that contains security fixes can now be installed.

Category: security (important)
Bug References: 1021689,1146687,1146690,1146691,1146776,1146784,1146785,1146787,1146789,1161898
CVE References: 
Sources used:
SUSE Linux Enterprise High Availability 12-SP3 (src):    resource-agents-4.0.1+git.1495055229.643177f1-2.45.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Swamp Workflow Management 2020-04-23 19:38:41 UTC 
SUSE-SU-2020:1091-1: An update that contains security fixes can now be installed.

Category: security (important)
Bug References: 1021689,1146687,1146690,1146691,1146692,1146766,1146776,1146784,1146785,1146787,1146789
CVE References: 
Sources used:
SUSE Linux Enterprise High Availability 12-SP5 (src):    resource-agents-4.3.018.a7fb5035-3.42.1
SUSE Linux Enterprise High Availability 12-SP4 (src):    resource-agents-4.3.018.a7fb5035-3.42.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2020-04-24 19:19:25 UTC 
SUSE-SU-2020:14348-1: An update that contains security fixes can now be installed.

Category: security (important)
Bug References: 1021689,1146687,1146690,1146784,1146785,1146787
CVE References: 
Sources used:
SUSE Linux Enterprise High Availability Extension 11-SP4 (src):    resource-agents-3.9.5-50.19.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Swamp Workflow Management 2020-05-01 22:38:24 UTC 
openSUSE-SU-2020:0585-1: An update that contains security fixes can now be installed.

Category: security (important)
Bug References: 1021689,1146687,1146690,1146691,1146692,1146766,1146776,1146784,1146785,1146787
CVE References: 
Sources used:
openSUSE Leap 15.1 (src):    resource-agents-4.3.0184.6ee15eb2-lp151.3.18.1
Comment 14 Alexandros Toptsoglou 2020-05-04 08:46:15 UTC 
Done
Comment 21 Swamp Workflow Management 2022-07-08 13:17:28 UTC 
SUSE-SU-2022:2337-1: An update that contains security fixes can now be installed.

Category: security (important)
Bug References: 1021689,1146687,1146690,1146691,1146692,1146766,1146776,1146784,1146785,1146787,1196164,1197956,1199766
CVE References: 
JIRA References: 
Sources used:
SUSE Linux Enterprise High Availability 15-SP2 (src):    resource-agents-4.4.0+git57.70549516-150200.3.53.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.