aquasecurity · knqyf263 · Jul 31, 2024 · Jul 24, 2024 · Jul 30, 2024
@@ -23,12 +23,14 @@ type Distribution int
 
 const (
  SUSEEnterpriseLinux Distribution = iota
+ SUSEEnterpriseLinuxMicro
  OpenSUSE
  OpenSUSETumbleweed
 
- platformOpenSUSELeapFormat = "openSUSE Leap %s"
- platformOpenSUSETumbleweedFormat = "openSUSE Tumbleweed"
- platformSUSELinuxFormat = "SUSE Linux Enterprise %s"
+ platformOpenSUSELeapFormat = "openSUSE Leap %s"
+ platformOpenSUSETumbleweedFormat = "openSUSE Tumbleweed"
+ platformSUSELinuxFormat = "SUSE Linux Enterprise %s"
+ platformSUSELinuxEnterpriseMicroFormat = "SUSE Linux Enterprise Micro %s"
 )
 
 var (
@@ -68,7 +70,7 @@ func (vs VulnSrc) Update(dir string) error {
 
  rootDir := filepath.Join(dir, "vuln-list", suseDir)
  switch vs.dist {
- case SUSEEnterpriseLinux:
+ case SUSEEnterpriseLinux, SUSEEnterpriseLinuxMicro:
  rootDir = filepath.Join(rootDir, "suse")
  case OpenSUSE, OpenSUSETumbleweed:
  rootDir = filepath.Join(rootDir, "opensuse")
@@ -207,9 +209,22 @@ func getOSVersion(platformName string) string {
  }
  return fmt.Sprintf(platformOpenSUSELeapFormat, ss[2])
  }
+ if strings.HasPrefix(platformName, "SUSE Linux Enterprise Micro") {
+ // SUSE Linux Enterprise Micro 5.3
+ ss := strings.Split(platformName, " ")
+ if len(ss) < 5 {
+ log.Printf("invalid version: %s", platformName)
+ return ""
+ }
+ if _, err := version.Parse(ss[4]); err != nil {
+ log.Printf("invalid version: %s, err: %s", platformName, err)
+ return ""
+ }
+ return fmt.Sprintf(platformSUSELinuxEnterpriseMicroFormat, ss[4])
+ }
  if strings.Contains(platformName, "SUSE Linux Enterprise") {
- // e.g. SUSE Linux Enterprise Storage 7, SUSE Linux Enterprise Micro 5.1
- if strings.HasPrefix(platformName, "SUSE Linux Enterprise Storage") || strings.HasPrefix(platformName, "SUSE Linux Enterprise Micro") {
+ // e.g. SUSE Linux Enterprise Storage 7
+ if strings.HasPrefix(platformName, "SUSE Linux Enterprise Storage") {
  return ""
  }
 
@@ -282,6 +297,8 @@ func splitPkgName(pkgName string) (string, string) {
 func (vs VulnSrc) Get(version string, pkgName string) ([]types.Advisory, error) {
  var bucket string
  switch vs.dist {
+ case SUSEEnterpriseLinuxMicro:
+ bucket = fmt.Sprintf(platformSUSELinuxEnterpriseMicroFormat, version)
  case SUSEEnterpriseLinux:
  bucket = fmt.Sprintf(platformSUSELinuxFormat, version)
  case OpenSUSE:

@@ -193,6 +193,56 @@ func TestVulnSrc_Update(t *testing.T) {
  },
  },
  },
+ {
+ name: "happy path with SLE Micro CVRF including SUSE Linux Enterprise Micro",
+ dir: filepath.Join("testdata", "happy", "SUSE Linux Enterprise Micro"),
+ dist: SUSEEnterpriseLinuxMicro,
+ wantValues: []vulnsrctest.WantValues{
+ {
+ Key: []string{"data-source", "SUSE Linux Enterprise Micro 5.3"},
+ Value: types.DataSource{
+ ID: vulnerability.SuseCVRF,
+ Name: "SUSE CVRF",
+ URL: "https://ftp.suse.com/pub/projects/security/cvrf/",
+ },
+ },
+ {
+ Key: []string{"advisory-detail", "SUSE-SU-2024:2546-1", "SUSE Linux Enterprise Micro 5.3", "gnutls"},
+
+ Value: types.Advisory{
+ FixedVersion: "3.7.3-150400.8.1",
+ },
+ },
+ {
+ Key: []string{"advisory-detail", "SUSE-SU-2024:2546-1", "SUSE Linux Enterprise Micro 5.3", "libgnutls30"},
+ Value: types.Advisory{
+ FixedVersion: "3.7.3-150400.8.1",
+ },
+ },
+ {
+ Key: []string{"vulnerability-detail", "SUSE-SU-2024:2546-1", "suse-cvrf"},
+ Value: types.VulnerabilityDetail{
+ Title: "Security update for gnutls",
+ Description: "This update for gnutls fixes the following issues:\n\n- CVE-2024-28835: Fixed a certtool crash when verifying a certificate\n chain (bsc#1221747).\n- CVE-2024-28834: Fixed a side-channel attack in the deterministic\n ECDSA (bsc#1221746).\n\nOther fixes:\n\n- Fixed a memory leak when using the entropy collector (bsc#1221242).\n",
+ References: []string{
+ "https://www.suse.com/support/update/announcement/2024/suse-su-20242546-1/",
+ "https://lists.suse.com/pipermail/sle-security-updates/2024-July/018994.html",
+ "https://www.suse.com/support/security/rating/",
+ "https://bugzilla.suse.com/1221242",
+ "https://bugzilla.suse.com/1221746",
+ "https://bugzilla.suse.com/1221747",
+ "https://www.suse.com/security/cve/CVE-2024-28834/",
+ "https://www.suse.com/security/cve/CVE-2024-28835/",
+ },
+ Severity: types.SeverityMedium,
+ },
+ },
+ {
+ Key: []string{"vulnerability-id", "SUSE-SU-2024:2546-1"},
+ Value: map[string]interface{}{},
+ },
+ },
+ },
  {
  name: "sad path (dir doesn't exist)",
  dir: filepath.Join("testdata", "badPath"),
@@ -594,7 +644,7 @@ func TestGetOSVersion(t *testing.T) {
  },
  {
  inputPlatformName: "SUSE Linux Enterprise Micro 5.1",
- expectedPlatformName: "",
+ expectedPlatformName: "SUSE Linux Enterprise Micro 5.1",
  },
  }
  for _, tc := range testCases {

@@ -0,0 +1,156 @@
+{
+ "Title": "Security update for gnutls",
+ "Tracking": {
+ "ID": "SUSE-SU-2024:2546-1",
+ "Status": "Final",
+ "Version": "1",
+ "InitialReleaseDate": "2024-07-17T12:44:32Z",
+ "CurrentReleaseDate": "2024-07-17T12:44:32Z",
+ "RevisionHistory": [
+ {
+ "Number": "1",
+ "Date": "2024-07-17T12:44:32Z",
+ "Description": "current"
+ }
+ ]
+ },
+ "Notes": [
+ {
+ "Text": "Security update for gnutls",
+ "Title": "Topic",
+ "Type": "Summary"
+ },
+ {
+ "Text": "This update for gnutls fixes the following issues:\n\n- CVE-2024-28835: Fixed a certtool crash when verifying a certificate\n chain (bsc#1221747).\n- CVE-2024-28834: Fixed a side-channel attack in the deterministic\n ECDSA (bsc#1221746).\n\nOther fixes:\n\n- Fixed a memory leak when using the entropy collector (bsc#1221242).\n",
+ "Title": "Details",
+ "Type": "General"
+ },
+ {
+ "Text": "The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
+ "Title": "Terms of Use",
+ "Type": "Legal Disclaimer"
+ },
+ {
+ "Text": "SUSE-2024-2546,SUSE-SLE-Micro-5.3-2024-2546",
+ "Title": "Patchnames",
+ "Type": "Details"
+ }
+ ],
+ "ProductTree": {
+ "Relationships": [
+ {
+ "ProductReference": "gnutls-3.7.3-150400.8.1",
+ "RelatesToProductReference": "SUSE Linux Enterprise Micro 5.3",
+ "RelationType": "Default Component Of"
+ },
+ {
+ "ProductReference": "libgnutls30-3.7.3-150400.8.1",
+ "RelatesToProductReference": "SUSE Linux Enterprise Micro 5.3",
+ "RelationType": "Default Component Of"
+ },
+ {
+ "ProductReference": "libgnutls30-hmac-3.7.3-150400.8.1",
+ "RelatesToProductReference": "SUSE Linux Enterprise Micro 5.3",
+ "RelationType": "Default Component Of"
+ }
+ ]
+ },
+ "References": [
+ {
+ "URL": "https://www.suse.com/support/update/announcement/2024/suse-su-20242546-1/",
+ "Description": "Link for SUSE-SU-2024:2546-1"
+ },
+ {
+ "URL": "https://lists.suse.com/pipermail/sle-security-updates/2024-July/018994.html",
+ "Description": "E-Mail link for SUSE-SU-2024:2546-1"
+ },
+ {
+ "URL": "https://www.suse.com/support/security/rating/",
+ "Description": "SUSE Security Ratings"
+ },
+ {
+ "URL": "https://bugzilla.suse.com/1221242",
+ "Description": "SUSE Bug 1221242"
+ },
+ {
+ "URL": "https://bugzilla.suse.com/1221746",
+ "Description": "SUSE Bug 1221746"
+ },
+ {
+ "URL": "https://bugzilla.suse.com/1221747",
+ "Description": "SUSE Bug 1221747"
+ },
+ {
+ "URL": "https://www.suse.com/security/cve/CVE-2024-28834/",
+ "Description": "SUSE CVE CVE-2024-28834 page"
+ },
+ {
+ "URL": "https://www.suse.com/security/cve/CVE-2024-28835/",
+ "Description": "SUSE CVE CVE-2024-28835 page"
+ }
+ ],
+ "Vulnerabilities": [
+ {
+ "CVE": "CVE-2024-28834",
+ "Description": "A flaw was found in GnuTLS. The Minerva attack is a cryptographic vulnerability that exploits deterministic behavior in systems like GnuTLS, leading to side-channel leaks. In specific scenarios, such as when using the GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag, it can result in a noticeable step in nonce size from 513 to 512 bits, exposing a potential timing side-channel.",
+ "Threats": [
+ {
+ "Type": "Impact",
+ "Severity": "moderate"
+ }
+ ],
+ "References": [
+ {
+ "URL": "https://www.suse.com/security/cve/CVE-2024-28834.html",
+ "Description": "CVE-2024-28834"
+ },
+ {
+ "URL": "https://bugzilla.suse.com/1221746",
+ "Description": "SUSE Bug 1221746"
+ }
+ ],
+ "ProductStatuses": [
+ {
+ "Type": "Fixed",
+ "ProductID": [
+ "SUSE Linux Enterprise Micro 5.3:gnutls-3.7.3-150400.8.1",
+ "SUSE Linux Enterprise Micro 5.3:libgnutls30-3.7.3-150400.8.1",
+ "SUSE Linux Enterprise Micro 5.3:libgnutls30-hmac-3.7.3-150400.8.1"
+ ]
+ }
+ ],
+ "CVSSScoreSets": {}
+ },
+ {
+ "CVE": "CVE-2024-28835",
+ "Description": "A flaw has been discovered in GnuTLS where an application crash can be induced when attempting to verify a specially crafted .pem bundle using the \"certtool --verify-chain\" command.",
+ "Threats": [
+ {
+ "Type": "Impact",
+ "Severity": "moderate"
+ }
+ ],
+ "References": [
+ {
+ "URL": "https://www.suse.com/security/cve/CVE-2024-28835.html",
+ "Description": "CVE-2024-28835"
+ },
+ {
+ "URL": "https://bugzilla.suse.com/1221747",
+ "Description": "SUSE Bug 1221747"
+ }
+ ],
+ "ProductStatuses": [
+ {
+ "Type": "Fixed",
+ "ProductID": [
+ "SUSE Linux Enterprise Micro 5.3:gnutls-3.7.3-150400.8.1",
+ "SUSE Linux Enterprise Micro 5.3:libgnutls30-3.7.3-150400.8.1",
+ "SUSE Linux Enterprise Micro 5.3:libgnutls30-hmac-3.7.3-150400.8.1"
+ ]
+ }
+ ],
+ "CVSSScoreSets": {}
+ }
+ ]
+}