Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package sca-patterns-sle12 for openSUSE:Factory checked in at 2021-02-07 15:20:47 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/sca-patterns-sle12 (Old) and /work/SRC/openSUSE:Factory/.sca-patterns-sle12.new.28504 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "sca-patterns-sle12" Sun Feb 7 15:20:47 2021 rev:9 rq:869594 version:1.0.1
Changes:
--------
--- /work/SRC/openSUSE:Factory/sca-patterns-sle12/sca-patterns-sle12.changes 2020-12-16 11:01:48.871648106 +0100
+++ /work/SRC/openSUSE:Factory/.sca-patterns-sle12.new.28504/sca-patterns-sle12.changes 2021-02-07 15:23:41.186176383 +0100
@@ -1,0 +2,5 @@
+Mon Jan 25 17:59:02 UTC 2021 - jason.rec...@suse.com
+
+- Patterns for TID000019786 Security Vulnerability: SADDNS attack (CVE-2020-25705)
+
+-------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ sca-patterns-sle12.spec ++++++
--- /var/tmp/diff_new_pack.hId1Gi/_old 2021-02-07 15:23:41.686176954 +0100
+++ /var/tmp/diff_new_pack.hId1Gi/_new 2021-02-07 15:23:41.690176959 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package sca-patterns-sle12
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2021 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
++++++ sca-patterns-sle12-1.0.1.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sca-patterns-sle12-1.0.1/patterns/SLE/sle12sp2/saddns-000019786_122.py new/sca-patterns-sle12-1.0.1/patterns/SLE/sle12sp2/saddns-000019786_122.py
--- old/sca-patterns-sle12-1.0.1/patterns/SLE/sle12sp2/saddns-000019786_122.py 1970-01-01 01:00:00.000000000 +0100
+++ new/sca-patterns-sle12-1.0.1/patterns/SLE/sle12sp2/saddns-000019786_122.py 2021-01-25 19:59:42.891439423 +0100
@@ -0,0 +1,120 @@
+#!/usr/bin/python
+
+# Title: Side-channel AttackeD DNS
+# Description: Security Vulnerability: SADDNS attack (CVE-2020-25705)
+# Distro: SLES12 SP2
+# Modified: 2021 Jan 21
+#
+##############################################################################
+# Copyright (C) 2021, SUSE LLC
+##############################################################################
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+#
+# Authors/Contributors:
+# Jason Record <jason.rec...@suse.com>
+#
+##############################################################################
+
+##############################################################################
+# Module Definition
+##############################################################################
+
+import re
+import os
+import Core
+import SUSE
+
+##############################################################################
+# Overriden (eventually or in part) from SDP::Core Module
+##############################################################################
+
+META_CLASS = "SLE"
+META_CATEGORY = "Security"
+META_COMPONENT = "DNS"
+PATTERN_ID = os.path.basename(__file__)
+PRIMARY_LINK = "META_LINK_TID"
+OVERALL = Core.TEMP
+OVERALL_INFO = "NOT SET"
+OTHER_LINKS = "META_LINK_TID=https://www.suse.com/support/kb/doc/?id=000019786|META_LINK_BUG=https://bugzilla.suse.com/show_bug.cgi?id=1175721|META_LINK_CVE=https://www.suse.com/security/cve/CVE-2020-25705/|META_LINK_SADDNS=https://www.saddns.net/"
+
+KERNEL_VERSION = '4.4.121-92.146'
+DNS_PACKAGE = 'bind'
+DNS_SERVICE = 'named'
+RC_DNS_ENABLED = 1
+RC_DNS_DISABLED = 0
+RC_DNS_ERROR = -1
+
+Core.init(META_CLASS, META_CATEGORY, META_COMPONENT, PATTERN_ID, PRIMARY_LINK, OVERALL, OVERALL_INFO, OTHER_LINKS)
+##############################################################################
+# Local Function Definitions
+##############################################################################
+
+def workAroundApplied():
+ fileOpen = "network.txt"
+ section = "iptables -t filter"
+ content = {}
+ IN_STATE = False
+ WORK_AROUND = re.compile("DROP.*icmp.*icmptype")
+ if Core.getSection(fileOpen, section, content):
+ for line in content:
+ if IN_STATE:
+ if "Chain" in content[line]: # we reached the end of the output chain
+ return False
+ elif WORK_AROUND.search(content[line]): # we find the workaround
+ return True
+ elif "Chain OUTPUT" in content[line]: # the workaround only applies in the output chain
+ IN_STATE = True
+ return False
+
+def namedStatus():
+ fileOpen = "dns.txt"
+ section = "chkconfig named --list"
+ content = {}
+ RC = RC_DNS_ERROR
+ if Core.getSection(fileOpen, section, content):
+ for line in content:
+ if content[line].startswith(DNS_SERVICE):
+ if ":on" in content[line]:
+ RC = RC_DNS_ENABLED
+ else:
+ RC = RC_DNS_DISABLED
+ return RC
+
+##############################################################################
+# Main Program Execution
+##############################################################################
+
+ACTIVE_VERSION = SUSE.compareKernel(KERNEL_VERSION)
+if( ACTIVE_VERSION < 0 ):
+ if( SUSE.packageInstalled(DNS_PACKAGE) ):
+ SERVICE_INFO = namedStatus()
+ if( SERVICE_INFO == RC_DNS_DISABLED ):
+ if( workAroundApplied() ):
+ Core.updateStatus(Core.WARN, "SAD DNS security risk detected, but workaround applied, update server for fixes")
+ else:
+ Core.updateStatus(Core.IGNORE, "Service is disabled: " + str(DNS_SERVICE))
+ elif( SERVICE_INFO == RC_DNS_ENABLED ):
+ if( workAroundApplied() ):
+ Core.updateStatus(Core.WARN, "SAD DNS security risk detected, but workaround applied, update server for fixes")
+ else:
+ Core.updateStatus(Core.CRIT, "SAD DNS security risk detected, update server for fixes")
+ else:
+ Core.updateStatus(Core.WARN, "Potential SAD DNS security risk if named enabled, update server for fixes")
+ else:
+ Core.updateStatus(Core.ERROR, "The package " + DNS_PACKAGE + " is NOT installed")
+else:
+ Core.updateStatus(Core.IGNORE, "SAD DNS security risk resolved in kernel version " + KERNEL_VERSION)
+
+Core.printPatternResults()
+
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sca-patterns-sle12-1.0.1/patterns/SLE/sle12sp3/saddns-000019786_123.py new/sca-patterns-sle12-1.0.1/patterns/SLE/sle12sp3/saddns-000019786_123.py
--- old/sca-patterns-sle12-1.0.1/patterns/SLE/sle12sp3/saddns-000019786_123.py 1970-01-01 01:00:00.000000000 +0100
+++ new/sca-patterns-sle12-1.0.1/patterns/SLE/sle12sp3/saddns-000019786_123.py 2021-01-25 19:59:42.895439331 +0100
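Review bot: `WORK_AROUND = re.compile("DROP.*icmp.*icmptype")` in workAroundApplied() accepts a DROP rule for any ICMP type in the OUTPUT chain, so an unrelated rule (one that drops outgoing echo requests, say) is counted as the SAD DNS workaround and the result for an enabled named is downgraded from CRIT to WARN. If the workaround in the TID is a drop of outgoing destination-unreachable messages, pin the type, e.g. `WORK_AROUND = re.compile(r"DROP.*icmp.*icmptype 3\b")`. It is also worth confirming that the `iptables -t filter` section in network.txt is a numeric listing, since a listing that prints type names would presumably never contain `icmptype` and the workaround would be missed. The same function is added unchanged in the sle12sp3, sle12sp4 and sle12sp5 files.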
@@ -0,0 +1,120 @@
+#!/usr/bin/python
+
+# Title: Side-channel AttackeD DNS
+# Description: Security Vulnerability: SADDNS attack (CVE-2020-25705)
+# Distro: SLES12 SP3
+# Modified: 2021 Jan 21
+#
+##############################################################################
+# Copyright (C) 2021, SUSE LLC
+##############################################################################
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+#
+# Authors/Contributors:
+# Jason Record <jason.rec...@suse.com>
+#
+##############################################################################
+
+##############################################################################
+# Module Definition
+##############################################################################
+
+import re
+import os
+import Core
+import SUSE
+
+##############################################################################
+# Overriden (eventually or in part) from SDP::Core Module
+##############################################################################
+
+META_CLASS = "SLE"
+META_CATEGORY = "Security"
+META_COMPONENT = "DNS"
+PATTERN_ID = os.path.basename(__file__)
+PRIMARY_LINK = "META_LINK_TID"
+OVERALL = Core.TEMP
+OVERALL_INFO = "NOT SET"
+OTHER_LINKS = "META_LINK_TID=https://www.suse.com/support/kb/doc/?id=000019786|META_LINK_BUG=https://bugzilla.suse.com/show_bug.cgi?id=1175721|META_LINK_CVE=https://www.suse.com/security/cve/CVE-2020-25705/|META_LINK_SADDNS=https://www.saddns.net/"
+
+KERNEL_VERSION = '4.4.180-94.135'
+DNS_PACKAGE = 'bind'
+DNS_SERVICE = 'named'
+RC_DNS_ENABLED = 1
+RC_DNS_DISABLED = 0
+RC_DNS_ERROR = -1
+
+Core.init(META_CLASS, META_CATEGORY, META_COMPONENT, PATTERN_ID, PRIMARY_LINK, OVERALL, OVERALL_INFO, OTHER_LINKS)
+##############################################################################
+# Local Function Definitions
+##############################################################################
+
+def workAroundApplied():
+ fileOpen = "network.txt"
+ section = "iptables -t filter"
+ content = {}
+ IN_STATE = False
+ WORK_AROUND = re.compile("DROP.*icmp.*icmptype")
+ if Core.getSection(fileOpen, section, content):
+ for line in content:
+ if IN_STATE:
+ if "Chain" in content[line]: # we reached the end of the output chain
+ return False
+ elif WORK_AROUND.search(content[line]): # we find the workaround
+ return True
+ elif "Chain OUTPUT" in content[line]: # the workaround only applies in the output chain
+ IN_STATE = True
+ return False
+
+def namedStatus():
+ fileOpen = "dns.txt"
+ section = "chkconfig named --list"
+ content = {}
+ RC = RC_DNS_ERROR
+ if Core.getSection(fileOpen, section, content):
+ for line in content:
+ if content[line].startswith(DNS_SERVICE):
+ if ":on" in content[line]:
+ RC = RC_DNS_ENABLED
+ else:
+ RC = RC_DNS_DISABLED
+ return RC
+
+##############################################################################
+# Main Program Execution
+##############################################################################
+
+ACTIVE_VERSION = SUSE.compareKernel(KERNEL_VERSION)
+if( ACTIVE_VERSION < 0 ):
+ if( SUSE.packageInstalled(DNS_PACKAGE) ):
+ SERVICE_INFO = namedStatus()
+ if( SERVICE_INFO == RC_DNS_DISABLED ):
+ if( workAroundApplied() ):
+ Core.updateStatus(Core.WARN, "SAD DNS security risk detected, but workaround applied, update server for fixes")
+ else:
+ Core.updateStatus(Core.IGNORE, "Service is disabled: " + str(DNS_SERVICE))
+ elif( SERVICE_INFO == RC_DNS_ENABLED ):
+ if( workAroundApplied() ):
+ Core.updateStatus(Core.WARN, "SAD DNS security risk detected, but workaround applied, update server for fixes")
+ else:
+ Core.updateStatus(Core.CRIT, "SAD DNS security risk detected, update server for fixes")
+ else:
+ Core.updateStatus(Core.WARN, "Potential SAD DNS security risk if named enabled, update server for fixes")
+ else:
+ Core.updateStatus(Core.ERROR, "The package " + DNS_PACKAGE + " is NOT installed")
+else:
+ Core.updateStatus(Core.IGNORE, "SAD DNS security risk resolved in kernel version " + KERNEL_VERSION)
+
+Core.printPatternResults()
+
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sca-patterns-sle12-1.0.1/patterns/SLE/sle12sp4/saddns-000019786_124.py new/sca-patterns-sle12-1.0.1/patterns/SLE/sle12sp4/saddns-000019786_124.py
--- old/sca-patterns-sle12-1.0.1/patterns/SLE/sle12sp4/saddns-000019786_124.py 1970-01-01 01:00:00.000000000 +0100
+++ new/sca-patterns-sle12-1.0.1/patterns/SLE/sle12sp4/saddns-000019786_124.py 2021-01-25 19:59:42.895439331 +0100
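Review bot: In the main block the `SERVICE_INFO == RC_DNS_DISABLED` branch reports `Core.WARN` when workAroundApplied() is true but `Core.IGNORE` when it is false, so a host with named disabled and the firewall rule in place is rated worse than one with named disabled and no rule. If a disabled service is out of scope, both arms should presumably end in `Core.updateStatus(Core.IGNORE, "Service is disabled: " + str(DNS_SERVICE))` and the workaround check can be dropped from this branch. If the unpatched kernel still matters with named disabled, the no-workaround arm should not be the lower of the two. The nesting is read from the if/elif/else order because indentation is collapsed on this page. The sle12sp2, sle12sp4 and sle12sp5 files carry the same block.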
@@ -0,0 +1,120 @@
+#!/usr/bin/python
+
+# Title: Side-channel AttackeD DNS
+# Description: Security Vulnerability: SADDNS attack (CVE-2020-25705)
+# Distro: SLES12 SP4
+# Modified: 2021 Jan 21
+#
+##############################################################################
+# Copyright (C) 2021, SUSE LLC
+##############################################################################
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+#
+# Authors/Contributors:
+# Jason Record <jason.rec...@suse.com>
+#
+##############################################################################
+
+##############################################################################
+# Module Definition
+##############################################################################
+
+import re
+import os
+import Core
+import SUSE
+
+##############################################################################
+# Overriden (eventually or in part) from SDP::Core Module
+##############################################################################
+
+META_CLASS = "SLE"
+META_CATEGORY = "Security"
+META_COMPONENT = "DNS"
+PATTERN_ID = os.path.basename(__file__)
+PRIMARY_LINK = "META_LINK_TID"
+OVERALL = Core.TEMP
+OVERALL_INFO = "NOT SET"
+OTHER_LINKS = "META_LINK_TID=https://www.suse.com/support/kb/doc/?id=000019786|META_LINK_BUG=https://bugzilla.suse.com/show_bug.cgi?id=1175721|META_LINK_CVE=https://www.suse.com/security/cve/CVE-2020-25705/|META_LINK_SADDNS=https://www.saddns.net/"
+
+KERNEL_VERSION = '4.12.14-95.65'
+DNS_PACKAGE = 'bind'
+DNS_SERVICE = 'named'
+RC_DNS_ENABLED = 1
+RC_DNS_DISABLED = 0
+RC_DNS_ERROR = -1
+
+Core.init(META_CLASS, META_CATEGORY, META_COMPONENT, PATTERN_ID, PRIMARY_LINK, OVERALL, OVERALL_INFO, OTHER_LINKS)
+##############################################################################
+# Local Function Definitions
+##############################################################################
+
+def workAroundApplied():
+ fileOpen = "network.txt"
+ section = "iptables -t filter"
+ content = {}
+ IN_STATE = False
+ WORK_AROUND = re.compile("DROP.*icmp.*icmptype")
+ if Core.getSection(fileOpen, section, content):
+ for line in content:
+ if IN_STATE:
+ if "Chain" in content[line]: # we reached the end of the output chain
+ return False
+ elif WORK_AROUND.search(content[line]): # we find the workaround
+ return True
+ elif "Chain OUTPUT" in content[line]: # the workaround only applies in the output chain
+ IN_STATE = True
+ return False
+
+def namedStatus():
+ fileOpen = "dns.txt"
+ section = "chkconfig named --list"
+ content = {}
+ RC = RC_DNS_ERROR
+ if Core.getSection(fileOpen, section, content):
+ for line in content:
+ if content[line].startswith(DNS_SERVICE):
+ if ":on" in content[line]:
+ RC = RC_DNS_ENABLED
+ else:
+ RC = RC_DNS_DISABLED
+ return RC
+
+##############################################################################
+# Main Program Execution
+##############################################################################
+
+ACTIVE_VERSION = SUSE.compareKernel(KERNEL_VERSION)
+if( ACTIVE_VERSION < 0 ):
+ if( SUSE.packageInstalled(DNS_PACKAGE) ):
+ SERVICE_INFO = namedStatus()
+ if( SERVICE_INFO == RC_DNS_DISABLED ):
+ if( workAroundApplied() ):
+ Core.updateStatus(Core.WARN, "SAD DNS security risk detected, but workaround applied, update server for fixes")
+ else:
+ Core.updateStatus(Core.IGNORE, "Service is disabled: " + str(DNS_SERVICE))
+ elif( SERVICE_INFO == RC_DNS_ENABLED ):
+ if( workAroundApplied() ):
+ Core.updateStatus(Core.WARN, "SAD DNS security risk detected, but workaround applied, update server for fixes")
+ else:
+ Core.updateStatus(Core.CRIT, "SAD DNS security risk detected, update server for fixes")
+ else:
+ Core.updateStatus(Core.WARN, "Potential SAD DNS security risk if named enabled, update server for fixes")
+ else:
+ Core.updateStatus(Core.ERROR, "The package " + DNS_PACKAGE + " is NOT installed")
+else:
+ Core.updateStatus(Core.IGNORE, "SAD DNS security risk resolved in kernel version " + KERNEL_VERSION)
+
+Core.printPatternResults()
+
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sca-patterns-sle12-1.0.1/patterns/SLE/sle12sp5/saddns-000019786_125.py new/sca-patterns-sle12-1.0.1/patterns/SLE/sle12sp5/saddns-000019786_125.py
--- old/sca-patterns-sle12-1.0.1/patterns/SLE/sle12sp5/saddns-000019786_125.py 1970-01-01 01:00:00.000000000 +0100
+++ new/sca-patterns-sle12-1.0.1/patterns/SLE/sle12sp5/saddns-000019786_125.py 2021-01-25 19:59:42.895439331 +0100
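Review bot: workAroundApplied() depends on visiting the lines of `content` in file order (it must see `Chain OUTPUT` first, then that chain's rules, then the next `Chain`), but `content` is a plain dict walked with `for line in content:`. Under the interpreter behind `#!/usr/bin/python`, likely Python 2 on SLE12, dict iteration order is not guaranteed. If Core.getSection() keys the dict by line number, which is not visible in this diff, `for line in sorted(content):` makes the scan order explicit, so a rule from another chain cannot be taken for an OUTPUT rule. namedStatus() uses the same loop but does not depend on order. The sle12sp2, sle12sp3 and sle12sp5 files have the same function.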
@@ -0,0 +1,120 @@
+#!/usr/bin/python
+
+# Title: Side-channel AttackeD DNS
+# Description: Security Vulnerability: SADDNS attack (CVE-2020-25705)
+# Distro: SLES12 SP5
+# Modified: 2021 Jan 21
+#
+##############################################################################
+# Copyright (C) 2021, SUSE LLC
+##############################################################################
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+#
+# Authors/Contributors:
+# Jason Record <jason.rec...@suse.com>
+#
+##############################################################################
+
+##############################################################################
+# Module Definition
+##############################################################################
+
+import re
+import os
+import Core
+import SUSE
+
+##############################################################################
+# Overriden (eventually or in part) from SDP::Core Module
+##############################################################################
+
+META_CLASS = "SLE"
+META_CATEGORY = "Security"
+META_COMPONENT = "DNS"
+PATTERN_ID = os.path.basename(__file__)
+PRIMARY_LINK = "META_LINK_TID"
+OVERALL = Core.TEMP
+OVERALL_INFO = "NOT SET"
+OTHER_LINKS = "META_LINK_TID=https://www.suse.com/support/kb/doc/?id=000019786|META_LINK_BUG=https://bugzilla.suse.com/show_bug.cgi?id=1175721|META_LINK_CVE=https://www.suse.com/security/cve/CVE-2020-25705/|META_LINK_SADDNS=https://www.saddns.net/"
+
+KERNEL_VERSION = '4.12.14-122.54'
+DNS_PACKAGE = 'bind'
+DNS_SERVICE = 'named'
+RC_DNS_ENABLED = 1
+RC_DNS_DISABLED = 0
+RC_DNS_ERROR = -1
+
+Core.init(META_CLASS, META_CATEGORY, META_COMPONENT, PATTERN_ID, PRIMARY_LINK, OVERALL, OVERALL_INFO, OTHER_LINKS)
+##############################################################################
+# Local Function Definitions
+##############################################################################
+
+def workAroundApplied():
+ fileOpen = "network.txt"
+ section = "iptables -t filter"
+ content = {}
+ IN_STATE = False
+ WORK_AROUND = re.compile("DROP.*icmp.*icmptype")
+ if Core.getSection(fileOpen, section, content):
+ for line in content:
+ if IN_STATE:
+ if "Chain" in content[line]: # we reached the end of the output chain
+ return False
+ elif WORK_AROUND.search(content[line]): # we find the workaround
+ return True
+ elif "Chain OUTPUT" in content[line]: # the workaround only applies in the output chain
+ IN_STATE = True
+ return False
+
+def namedStatus():
+ fileOpen = "dns.txt"
+ section = "chkconfig named --list"
+ content = {}
+ RC = RC_DNS_ERROR
+ if Core.getSection(fileOpen, section, content):
+ for line in content:
+ if content[line].startswith(DNS_SERVICE):
+ if ":on" in content[line]:
+ RC = RC_DNS_ENABLED
+ else:
+ RC = RC_DNS_DISABLED
+ return RC
+
+##############################################################################
+# Main Program Execution
+##############################################################################
+
+ACTIVE_VERSION = SUSE.compareKernel(KERNEL_VERSION)
+if( ACTIVE_VERSION < 0 ):
+ if( SUSE.packageInstalled(DNS_PACKAGE) ):
+ SERVICE_INFO = namedStatus()
+ if( SERVICE_INFO == RC_DNS_DISABLED ):
+ if( workAroundApplied() ):
+ Core.updateStatus(Core.WARN, "SAD DNS security risk detected, but workaround applied, update server for fixes")
+ else:
+ Core.updateStatus(Core.IGNORE, "Service is disabled: " + str(DNS_SERVICE))
+ elif( SERVICE_INFO == RC_DNS_ENABLED ):
+ if( workAroundApplied() ):
+ Core.updateStatus(Core.WARN, "SAD DNS security risk detected, but workaround applied, update server for fixes")
+ else:
+ Core.updateStatus(Core.CRIT, "SAD DNS security risk detected, update server for fixes")
+ else:
+ Core.updateStatus(Core.WARN, "Potential SAD DNS security risk if named enabled, update server for fixes")
+ else:
+ Core.updateStatus(Core.ERROR, "The package " + DNS_PACKAGE + " is NOT installed")
+else:
+ Core.updateStatus(Core.IGNORE, "SAD DNS security risk resolved in kernel version " + KERNEL_VERSION)
+
+Core.printPatternResults()
+
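Review bot: The pattern's scope is undocumented: the fix it tests for is a kernel version (`SUSE.compareKernel(KERNEL_VERSION)`), yet the finding is gated on `SUSE.packageInstalled(DNS_PACKAGE)` with `DNS_PACKAGE = 'bind'`. A host on an affected kernel that runs a different DNS resolver or forwarder therefore ends in the `Core.ERROR` "The package bind is NOT installed" arm and is never flagged. If limiting the check to bind/named is what the TID intends, a comment above the main block such as `# Scope: only hosts with bind installed are evaluated; other resolvers are not checked` would make that explicit for whoever reads the report. namedStatus() would likewise benefit from a docstring stating that it returns `RC_DNS_ENABLED`, `RC_DNS_DISABLED`, or `RC_DNS_ERROR` when no `named` line is found in dns.txt. The same applies to the sle12sp2, sle12sp3 and sle12sp4 files.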