Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package sca-patterns-sle15 for openSUSE:Factory checked in at 2021-04-22 18:03:51 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/sca-patterns-sle15 (Old) and /work/SRC/openSUSE:Factory/.sca-patterns-sle15.new.12324 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "sca-patterns-sle15" Thu Apr 22 18:03:51 2021 rev:8 rq:887351 version:1.0.2 Changes: -------- --- /work/SRC/openSUSE:Factory/sca-patterns-sle15/sca-patterns-sle15.changes 2021-04-06 17:32:25.187302795 +0200 +++ /work/SRC/openSUSE:Factory/.sca-patterns-sle15.new.12324/sca-patterns-sle15.changes 2021-04-22 18:04:38.806569258 +0200 @@ -1,0 +2,13 @@ +Wed Apr 21 17:45:48 UTC 2021 - Jason Record <[email protected]> + +- New regular patterns (8) for version 1.0.2 + + sle15all/acpid-000019708.py: acpid.service failed to start after upgrade (bsc#1158890) + + sle15all/slapd-000019711.py: slapd.service not enabled/failed after upgrade from SLES 11 SP4 to SLES 15 (bsc#1156353) + + sle15sp0/ucodeintel_150-000019635.py: L1D data cache eviction and Vector Register sampling - CVE-2020-0548, CVE-2020-0549 (bsc#1156353) + + sle15sp1/crosstalk_151-000019643.py: Special Register Buffer Data Sampling aka CrossTalk (CVE-2020-0543) (bsc#1154824) + + sle15sp1/qlogic-000019630.py: System crashes when the system is rebooted with SR-IOV enabled QLogic cards (bsc#1155990) + + sle15sp1/ucodeintel_151-000019635.py: L1D data cache eviction and Vector Register sampling - CVE-2020-0548, CVE-2020-0549 (bsc#1156353) + + sle15sp2/crosstalk_152-000019643.py: Special Register Buffer Data Sampling aka CrossTalk (CVE-2020-0543) (bsc#1154824) + + sle15sp2/ucodeintel_152-000019635.py: L1D data cache eviction and Vector Register sampling - CVE-2020-0548, CVE-2020-0549 (bsc#1156353) + +------------------------------------------------------------------- Old: ---- sca-patterns-sle15-1.0.1.tar.gz New: ---- sca-patterns-sle15-1.0.2.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ sca-patterns-sle15.spec ++++++ --- /var/tmp/diff_new_pack.hx30Bw/_old 2021-04-22 18:04:39.230569904 +0200 +++ /var/tmp/diff_new_pack.hx30Bw/_new 2021-04-22 18:04:39.234569910 +0200 @@ -25,7 +25,7 @@ %define category SLE Name: sca-patterns-sle15 -Version: 1.0.1 +Version: 1.0.2 Release: 0 Summary: Supportconfig Analysis Patterns for SLE15 License: GPL-2.0-only ++++++ sca-patterns-sle15-1.0.1.tar.gz -> sca-patterns-sle15-1.0.2.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sca-patterns-sle15-1.0.1/patterns/SLE/sle15all/acpid-000019708.py new/sca-patterns-sle15-1.0.2/patterns/SLE/sle15all/acpid-000019708.py --- old/sca-patterns-sle15-1.0.1/patterns/SLE/sle15all/acpid-000019708.py 1970-01-01 01:00:00.000000000 +0100 +++ new/sca-patterns-sle15-1.0.2/patterns/SLE/sle15all/acpid-000019708.py 2021-04-05 18:52:38.453474375 +0200 @@ -0,0 +1,78 @@ +#!/usr/bin/python +# +# Title: Pattern for TID000019708 +# Description: acpid.service failed to start after upgrade +# Source: Package Version Pattern Template v0.3.1 +# Options: SLE,Services,acpid,acpid,000019708,1158890,1,1,0 +# Modified: 2021 Apr 05 +# +############################################################################## +# Copyright (C) 2021 SUSE LLC +############################################################################## +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see <http://www.gnu.org/licenses/>. +# +# Authors/Contributors: +# Jason Record <[email protected]> +# +############################################################################## + +import re +import os +import Core +import SUSE + +META_CLASS = "SLE" +META_CATEGORY = "Services" +META_COMPONENT = "acpid" +PATTERN_ID = os.path.basename(__file__) +PRIMARY_LINK = "META_LINK_TID" +OVERALL = Core.TEMP +OVERALL_INFO = "NOT SET" +OTHER_LINKS = "META_LINK_TID=https://www.suse.com/support/kb/doc/?id=000019708|META_LINK_BUG=https://bugzilla.suse.com/show_bug.cgi?id=1158890"; +Core.init(META_CLASS, META_CATEGORY, META_COMPONENT, PATTERN_ID, PRIMARY_LINK, OVERALL, OVERALL_INFO, OTHER_LINKS) + +############################################################################## +# Local Function Definitions +############################################################################## + +def serviceFailed(): + global SERVICE + + fileOpen = "systemd.txt" + section = "/systemctl --failed" + content = [] + CONFIRMED = re.compile(SERVICE, re.IGNORECASE) + if Core.getRegExSection(fileOpen, section, content): + for line in content: + if CONFIRMED.search(line): + return True + return False + +############################################################################## +# Main Program Execution +############################################################################## + +PACKAGE = "acpid" +SERVICE = 'acpid.service' + +if( SUSE.packageInstalled(PACKAGE) ): + if( serviceFailed() ): + Core.updateStatus(Core.WARN, "Please remove the " + PACKAGE + " package, the " + SERVICE + " has failed") + else: + Core.updateStatus(Core.WARN, "Please remove the depricated " + PACKAGE + " package") +else: + Core.updateStatus(Core.ERROR, "ERROR: RPM package " + PACKAGE + " not installed") + +Core.printPatternResults() + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sca-patterns-sle15-1.0.1/patterns/SLE/sle15all/slapd-000019711.py new/sca-patterns-sle15-1.0.2/patterns/SLE/sle15all/slapd-000019711.py --- old/sca-patterns-sle15-1.0.1/patterns/SLE/sle15all/slapd-000019711.py 1970-01-01 01:00:00.000000000 +0100 +++ new/sca-patterns-sle15-1.0.2/patterns/SLE/sle15all/slapd-000019711.py 2021-04-05 19:53:38.156626796 +0200 @@ -0,0 +1,104 @@ +#!/usr/bin/python +# +# Title: Pattern for TID000019711 +# Description: slapd.service not enabled/failed after upgrade from SLES 11 SP4 to SLES 15 +# Source: Package Version Pattern Template v0.3.1 +# Options: SLE,Services,LDAP,slapd,000019711,0,2,1,1 +# Modified: 2021 Apr 05 +# +############################################################################## +# Copyright (C) 2021 SUSE LLC +############################################################################## +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see <http://www.gnu.org/licenses/>. +# +# Authors/Contributors: +# Jason Record <[email protected]> +# +############################################################################## + +import re +import os +import Core +import SUSE + +META_CLASS = "SLE" +META_CATEGORY = "Services" +META_COMPONENT = "LDAP" +PATTERN_ID = os.path.basename(__file__) +PRIMARY_LINK = "META_LINK_TID" +OVERALL = Core.TEMP +OVERALL_INFO = "NOT SET" +OTHER_LINKS = "META_LINK_TID=https://www.suse.com/support/kb/doc/?id=000019711"; +Core.init(META_CLASS, META_CATEGORY, META_COMPONENT, PATTERN_ID, PRIMARY_LINK, OVERALL, OVERALL_INFO, OTHER_LINKS) + +############################################################################## +# Local Function Definitions +############################################################################## + +def configChange(): + fileOpen = "y2log.txt" + section = "YaST2/config_diff.*log" + content = [] + CONFIRMED = re.compile("Changed configuration file.*for openldap2-[0-9]", re.IGNORECASE) + if Core.isFileActive(fileOpen): + if Core.getRegExSection(fileOpen, section, content): + for line in content: + if CONFIRMED.search(line): + return True + return False + +def upgraded(): + fileOpen = "y2log.txt" + section = "y2start.log" + content = [] + UPGRADE = re.compile("Upgrade.*1", re.IGNORECASE) + if Core.getRegExSection(fileOpen, section, content): + for line in content: + if UPGRADE.search(line): + return True + return False + +############################################################################## +# Main Program Execution +############################################################################## + +PACKAGE = "openldap2" +SERVICE_NAME = 'slapd.service' +SERVICE_INFO = SUSE.getServiceDInfo(SERVICE_NAME) + +if( SUSE.packageInstalled(PACKAGE) ): + if( SERVICE_INFO['UnitFileState'] == 'enabled' ): + if( SERVICE_INFO['SubState'] == 'running' ): + Core.updateStatus(Core.IGNORE, "Service enabled and running: " + str(SERVICE_NAME)) + else: + if( configChange() ): + if( upgraded() ): + Core.updateStatus(Core.WARN, "The " + SERVICE_NAME + " is not enabled or running after upgrade, confirm it's status") + else: + Core.updateStatus(Core.WARN, "If you use " + SERVICE_NAME + ", confirm it's status") + else: + Core.updateStatus(Core.ERROR, "No configuration change found") + else: + if( configChange() ): + if( upgraded() ): + Core.updateStatus(Core.CRIT, "The " + SERVICE_NAME + " is not enabled or running after upgrade, confirm it's status") + else: + Core.updateStatus(Core.WARN, "If you use " + SERVICE_NAME + ", confirm it's status") + else: + Core.updateStatus(Core.ERROR, "No configuration change found") +else: + Core.updateStatus(Core.ERROR, "ERROR: RPM package " + PACKAGE + " not installed") + +Core.printPatternResults() + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sca-patterns-sle15-1.0.1/patterns/SLE/sle15sp0/ucodeintel_150-000019635.py new/sca-patterns-sle15-1.0.2/patterns/SLE/sle15sp0/ucodeintel_150-000019635.py --- old/sca-patterns-sle15-1.0.1/patterns/SLE/sle15sp0/ucodeintel_150-000019635.py 1970-01-01 01:00:00.000000000 +0100 +++ new/sca-patterns-sle15-1.0.2/patterns/SLE/sle15sp0/ucodeintel_150-000019635.py 2021-04-07 15:55:42.349467250 +0200 @@ -0,0 +1,81 @@ +#!/usr/bin/python +# +# Title: Pattern for TID000019635 +# Description: Security vulnerability: L1D data cache eviction and Vector Register sampling - CVE-2020-0548, CVE-2020-0549 +# Source: Package Version Pattern Template v0.3.7 +# Options: SLE,Security,CPU,000019635,1156353,ucodeintel_151,ucode-intel,20200602-3.25.1,0,1 +# Distro: SLES15 SP0 +# Modified: 2021 Apr 07 +# +############################################################################## +# Copyright (C) 2021 SUSE LLC +############################################################################## +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see <http://www.gnu.org/licenses/>. +# +# Authors/Contributors: +# Jason Record <[email protected]> +# +############################################################################## + +import re +import os +import Core +import SUSE + +META_CLASS = "SLE" +META_CATEGORY = "Security" +META_COMPONENT = "CPU" +PATTERN_ID = os.path.basename(__file__) +PRIMARY_LINK = "META_LINK_TID" +OVERALL = Core.TEMP +OVERALL_INFO = "NOT SET" +OTHER_LINKS = "META_LINK_TID=https://www.suse.com/support/kb/doc/?id=000019635|META_LINK_BUG=https://bugzilla.suse.com/show_bug.cgi?id=1156353|META_LINK_CVE-2020-0548=https://www.suse.com/security/cve/CVE-2020-0548/|META_LINK_CVE-2020-0549=https://www.suse.com/security/cve/CVE-2020-0549/|META_LINK_Intel=https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00329.html"; + +Core.init(META_CLASS, META_CATEGORY, META_COMPONENT, PATTERN_ID, PRIMARY_LINK, OVERALL, OVERALL_INFO, OTHER_LINKS) + +############################################################################## +# Local Function Definitions +############################################################################## + +def intelCPU(): + fileOpen = "hardware.txt" + section = "/proc/cpuinfo" + content = [] + CONFIRMED = re.compile("vendor_id.*GenuineIntel", re.IGNORECASE) + if Core.getRegExSection(fileOpen, section, content): + for line in content: + if CONFIRMED.search(line): + return True + return False + +############################################################################## +# Main Program Execution +############################################################################## + +RPM_NAME = 'ucode-intel' +RPM_VERSION_FIXED = '20200602-3.43.1' +if( SUSE.packageInstalled(RPM_NAME) ): + INSTALLED_VERSION = SUSE.compareRPM(RPM_NAME, RPM_VERSION_FIXED) + if( INSTALLED_VERSION >= 0 ): + Core.updateStatus(Core.IGNORE, "Bug fixes applied for " + RPM_NAME + "") + else: + if( intelCPU() ): + Core.updateStatus(Core.WARN, "Risk of L1D data cache eviction and vector register sampling, update system to avoid") + else: + Core.updateStatus(Core.IGNORE, "No Genuine Intel CPUs found") +else: + Core.updateStatus(Core.ERROR, "ERROR: " + RPM_NAME + " not installed") + +Core.printPatternResults() + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sca-patterns-sle15-1.0.1/patterns/SLE/sle15sp1/crosstalk_151-000019643.py new/sca-patterns-sle15-1.0.2/patterns/SLE/sle15sp1/crosstalk_151-000019643.py --- old/sca-patterns-sle15-1.0.1/patterns/SLE/sle15sp1/crosstalk_151-000019643.py 1970-01-01 01:00:00.000000000 +0100 +++ new/sca-patterns-sle15-1.0.2/patterns/SLE/sle15sp1/crosstalk_151-000019643.py 2021-04-21 19:18:03.124311401 +0200 @@ -0,0 +1,90 @@ +#!/usr/bin/python +# +# Title: Pattern for TID000019643 +# Description: Security Vulnerability: Special Register Buffer Data Sampling aka CrossTalk (CVE-2020-0543) +# Source: Kernel Package Version Pattern Template v0.1.1 +# Options: SLE,Security,Crosstalk,crosstalk_151,000019643,1154824,4.12.14-197.45,0,1 +# Distro: SLES15 SP1 +# Modified: 2021 Apr 21 +# +############################################################################## +# Copyright (C) 2021, SUSE LLC +############################################################################## +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see <http://www.gnu.org/licenses/>. +# +# Authors/Contributors: +# Jason Record <[email protected]> +# +############################################################################## + +import re +import os +import Core +import SUSE + +META_CLASS = "SLE" +META_CATEGORY = "Security" +META_COMPONENT = "Crosstalk" +PATTERN_ID = os.path.basename(__file__) +PRIMARY_LINK = "META_LINK_TID" +OVERALL = Core.TEMP +OVERALL_INFO = "NOT SET" +OTHER_LINKS = "META_LINK_TID=https://www.suse.com/support/kb/doc/?id=000019643|META_LINK_BUG=https://bugzilla.suse.com/show_bug.cgi?id=1154824|META_LINK_CVE-2020-0543=https://www.suse.com/security/cve/CVE-2020-0543/"; + +Core.init(META_CLASS, META_CATEGORY, META_COMPONENT, PATTERN_ID, PRIMARY_LINK, OVERALL, OVERALL_INFO, OTHER_LINKS) + +############################################################################## +# Local Function Definitions +############################################################################## + +def intelCPU(): + fileOpen = "hardware.txt" + section = "/proc/cpuinfo" + content = [] + CONFIRMED = re.compile("vendor_id.*GenuineIntel", re.IGNORECASE) + if Core.getRegExSection(fileOpen, section, content): + for line in content: + if CONFIRMED.search(line): + return True + return False + +############################################################################## +# Main Program Execution +############################################################################## + +RPM_NAME = 'ucode-intel' +RPM_VERSION_FIXED = '20200602-3.25.1' +KERNEL_VERSION_FIXED = '4.12.14-197.45' + +if( SUSE.packageInstalled(RPM_NAME) ): + if( intelCPU() ): + INSTALLED_VERSION_RPM = SUSE.compareRPM(RPM_NAME, RPM_VERSION_FIXED) + INSTALLED_VERSION_KERN = SUSE.compareKernel(KERNEL_VERSION_FIXED) + if( INSTALLED_VERSION_RPM >= 0 ): + if( INSTALLED_VERSION_KERN >= 0 ): + Core.updateStatus(Core.IGNORE, "Bug fixes applied for " + RPM_NAME + " and kernel version") + else: + Core.updateStatus(Core.WARN, "Risk of L1D data cache eviction and vector register sampling, update kernel to avoid") + else: + if( INSTALLED_VERSION_KERN >= 0 ): + Core.updateStatus(Core.WARN, "Risk of L1D data cache eviction and vector register sampling, update " + RPM_NAME + " to avoid") + else: + Core.updateStatus(Core.WARN, "Risk of L1D data cache eviction and vector register sampling, update system to avoid") + else: + Core.updateStatus(Core.ERROR, "ERROR: Intel CPU not found") +else: + Core.updateStatus(Core.ERROR, "ERROR: " + RPM_NAME + " not installed") + +Core.printPatternResults() + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sca-patterns-sle15-1.0.1/patterns/SLE/sle15sp1/qlogic-000019630.py new/sca-patterns-sle15-1.0.2/patterns/SLE/sle15sp1/qlogic-000019630.py --- old/sca-patterns-sle15-1.0.1/patterns/SLE/sle15sp1/qlogic-000019630.py 1970-01-01 01:00:00.000000000 +0100 +++ new/sca-patterns-sle15-1.0.2/patterns/SLE/sle15sp1/qlogic-000019630.py 2021-04-07 19:13:54.190765776 +0200 @@ -0,0 +1,78 @@ +#!/usr/bin/python +# +# Title: Pattern for TID000019630 +# Description: System crashes when the system is rebooted with SR-IOV enabled QLogic cards +# Source: Kernel Package Version Pattern Template v0.1.1 +# Options: SLE,Kernel,QLogic,qlogic,000019630,1155990,4.12.14-197.37,0,1 +# Distro: SLES15 SP1 +# Modified: 2021 Apr 07 +# +############################################################################## +# Copyright (C) 2021, SUSE LLC +############################################################################## +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see <http://www.gnu.org/licenses/>. +# +# Authors/Contributors: +# Jason Record <[email protected]> +# +############################################################################## + +import re +import os +import Core +import SUSE + +META_CLASS = "SLE" +META_CATEGORY = "Kernel" +META_COMPONENT = "QLogic" +PATTERN_ID = os.path.basename(__file__) +PRIMARY_LINK = "META_LINK_TID" +OVERALL = Core.TEMP +OVERALL_INFO = "NOT SET" +OTHER_LINKS = "META_LINK_TID=https://www.suse.com/support/kb/doc/?id=000019630|META_LINK_BUG=https://bugzilla.suse.com/show_bug.cgi?id=1155990"; + +Core.init(META_CLASS, META_CATEGORY, META_COMPONENT, PATTERN_ID, PRIMARY_LINK, OVERALL, OVERALL_INFO, OTHER_LINKS) + +############################################################################## +# Local Function Definitions +############################################################################## + +def conditionConfirmed(): + fileOpen = "hardware.txt" + section = "lspci" + content = [] + CONFIRMED = re.compile("QL41", re.IGNORECASE) + if Core.getRegExSection(fileOpen, section, content): + for line in content: + if CONFIRMED.search(line): + return True + return False + +############################################################################## +# Main Program Execution +############################################################################## + +KERNEL_VERSION_FIXED = '4.12.14-197.37' + +INSTALLED_VERSION = SUSE.compareKernel(KERNEL_VERSION_FIXED) +if( INSTALLED_VERSION >= 0 ): + Core.updateStatus(Core.IGNORE, "Bug fixes applied in kernel version " + KERNEL_VERSION_FIXED + " or higher") +else: + if( conditionConfirmed() ): + Core.updateStatus(Core.WARN, "Systems with QL41000 series devices and SRIOV enabled may crash after reboot, please confirm your configuration") + else: + Core.updateStatus(Core.ERROR, "Cannot find QL41000 service device") + +Core.printPatternResults() + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sca-patterns-sle15-1.0.1/patterns/SLE/sle15sp1/ucodeintel_151-000019635.py new/sca-patterns-sle15-1.0.2/patterns/SLE/sle15sp1/ucodeintel_151-000019635.py --- old/sca-patterns-sle15-1.0.1/patterns/SLE/sle15sp1/ucodeintel_151-000019635.py 1970-01-01 01:00:00.000000000 +0100 +++ new/sca-patterns-sle15-1.0.2/patterns/SLE/sle15sp1/ucodeintel_151-000019635.py 2021-04-07 15:51:29.535609520 +0200 @@ -0,0 +1,81 @@ +#!/usr/bin/python +# +# Title: Pattern for TID000019635 +# Description: Security vulnerability: L1D data cache eviction and Vector Register sampling - CVE-2020-0548, CVE-2020-0549 +# Source: Package Version Pattern Template v0.3.7 +# Options: SLE,Security,CPU,000019635,1156353,ucodeintel_151,ucode-intel,20200602-3.25.1,0,1 +# Distro: SLES15 SP1 +# Modified: 2021 Apr 07 +# +############################################################################## +# Copyright (C) 2021 SUSE LLC +############################################################################## +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see <http://www.gnu.org/licenses/>. +# +# Authors/Contributors: +# Jason Record <[email protected]> +# +############################################################################## + +import re +import os +import Core +import SUSE + +META_CLASS = "SLE" +META_CATEGORY = "Security" +META_COMPONENT = "CPU" +PATTERN_ID = os.path.basename(__file__) +PRIMARY_LINK = "META_LINK_TID" +OVERALL = Core.TEMP +OVERALL_INFO = "NOT SET" +OTHER_LINKS = "META_LINK_TID=https://www.suse.com/support/kb/doc/?id=000019635|META_LINK_BUG=https://bugzilla.suse.com/show_bug.cgi?id=1156353|META_LINK_CVE-2020-0548=https://www.suse.com/security/cve/CVE-2020-0548/|META_LINK_CVE-2020-0549=https://www.suse.com/security/cve/CVE-2020-0549/|META_LINK_Intel=https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00329.html"; + +Core.init(META_CLASS, META_CATEGORY, META_COMPONENT, PATTERN_ID, PRIMARY_LINK, OVERALL, OVERALL_INFO, OTHER_LINKS) + +############################################################################## +# Local Function Definitions +############################################################################## + +def intelCPU(): + fileOpen = "hardware.txt" + section = "/proc/cpuinfo" + content = [] + CONFIRMED = re.compile("vendor_id.*GenuineIntel", re.IGNORECASE) + if Core.getRegExSection(fileOpen, section, content): + for line in content: + if CONFIRMED.search(line): + return True + return False + +############################################################################## +# Main Program Execution +############################################################################## + +RPM_NAME = 'ucode-intel' +RPM_VERSION_FIXED = '20200602-3.25.1' +if( SUSE.packageInstalled(RPM_NAME) ): + INSTALLED_VERSION = SUSE.compareRPM(RPM_NAME, RPM_VERSION_FIXED) + if( INSTALLED_VERSION >= 0 ): + Core.updateStatus(Core.IGNORE, "Bug fixes applied for " + RPM_NAME + "") + else: + if( intelCPU() ): + Core.updateStatus(Core.WARN, "Risk of L1D data cache eviction and vector register sampling, update system to avoid") + else: + Core.updateStatus(Core.IGNORE, "No Genuine Intel CPUs found") +else: + Core.updateStatus(Core.ERROR, "ERROR: " + RPM_NAME + " not installed") + +Core.printPatternResults() + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sca-patterns-sle15-1.0.1/patterns/SLE/sle15sp2/crosstalk_152-000019643.py new/sca-patterns-sle15-1.0.2/patterns/SLE/sle15sp2/crosstalk_152-000019643.py --- old/sca-patterns-sle15-1.0.1/patterns/SLE/sle15sp2/crosstalk_152-000019643.py 1970-01-01 01:00:00.000000000 +0100 +++ new/sca-patterns-sle15-1.0.2/patterns/SLE/sle15sp2/crosstalk_152-000019643.py 2021-04-21 19:19:06.854659757 +0200 @@ -0,0 +1,90 @@ +#!/usr/bin/python +# +# Title: Pattern for TID000019643 +# Description: Security Vulnerability: Special Register Buffer Data Sampling aka CrossTalk (CVE-2020-0543) +# Source: Kernel Package Version Pattern Template v0.1.1 +# Options: SLE,Security,Crosstalk,crosstalk_151,000019643,1154824,4.12.14-197.45,0,1 +# Distro: SLES15 SP2 +# Modified: 2021 Apr 21 +# +############################################################################## +# Copyright (C) 2021, SUSE LLC +############################################################################## +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see <http://www.gnu.org/licenses/>. +# +# Authors/Contributors: +# Jason Record <[email protected]> +# +############################################################################## + +import re +import os +import Core +import SUSE + +META_CLASS = "SLE" +META_CATEGORY = "Security" +META_COMPONENT = "Crosstalk" +PATTERN_ID = os.path.basename(__file__) +PRIMARY_LINK = "META_LINK_TID" +OVERALL = Core.TEMP +OVERALL_INFO = "NOT SET" +OTHER_LINKS = "META_LINK_TID=https://www.suse.com/support/kb/doc/?id=000019643|META_LINK_BUG=https://bugzilla.suse.com/show_bug.cgi?id=1154824|META_LINK_CVE-2020-0543=https://www.suse.com/security/cve/CVE-2020-0543/"; + +Core.init(META_CLASS, META_CATEGORY, META_COMPONENT, PATTERN_ID, PRIMARY_LINK, OVERALL, OVERALL_INFO, OTHER_LINKS) + +############################################################################## +# Local Function Definitions +############################################################################## + +def intelCPU(): + fileOpen = "hardware.txt" + section = "/proc/cpuinfo" + content = [] + CONFIRMED = re.compile("vendor_id.*GenuineIntel", re.IGNORECASE) + if Core.getRegExSection(fileOpen, section, content): + for line in content: + if CONFIRMED.search(line): + return True + return False + +############################################################################## +# Main Program Execution +############################################################################## + +RPM_NAME = 'ucode-intel' +RPM_VERSION_FIXED = '20200602-1.2' +KERNEL_VERSION_FIXED = '5.3.18-22.2' + +if( SUSE.packageInstalled(RPM_NAME) ): + if( intelCPU() ): + INSTALLED_VERSION_RPM = SUSE.compareRPM(RPM_NAME, RPM_VERSION_FIXED) + INSTALLED_VERSION_KERN = SUSE.compareKernel(KERNEL_VERSION_FIXED) + if( INSTALLED_VERSION_RPM >= 0 ): + if( INSTALLED_VERSION_KERN >= 0 ): + Core.updateStatus(Core.IGNORE, "Bug fixes applied for " + RPM_NAME + " and kernel version") + else: + Core.updateStatus(Core.WARN, "Risk of L1D data cache eviction and vector register sampling, update kernel to avoid") + else: + if( INSTALLED_VERSION_KERN >= 0 ): + Core.updateStatus(Core.WARN, "Risk of L1D data cache eviction and vector register sampling, update " + RPM_NAME + " to avoid") + else: + Core.updateStatus(Core.WARN, "Risk of L1D data cache eviction and vector register sampling, update system to avoid") + else: + Core.updateStatus(Core.ERROR, "ERROR: Intel CPU not found") +else: + Core.updateStatus(Core.ERROR, "ERROR: " + RPM_NAME + " not installed") + +Core.printPatternResults() + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sca-patterns-sle15-1.0.1/patterns/SLE/sle15sp2/ucodeintel_152-000019635.py new/sca-patterns-sle15-1.0.2/patterns/SLE/sle15sp2/ucodeintel_152-000019635.py --- old/sca-patterns-sle15-1.0.1/patterns/SLE/sle15sp2/ucodeintel_152-000019635.py 1970-01-01 01:00:00.000000000 +0100 +++ new/sca-patterns-sle15-1.0.2/patterns/SLE/sle15sp2/ucodeintel_152-000019635.py 2021-04-07 15:51:58.702930001 +0200 @@ -0,0 +1,81 @@ +#!/usr/bin/python +# +# Title: Pattern for TID000019635 +# Description: Security vulnerability: L1D data cache eviction and Vector Register sampling - CVE-2020-0548, CVE-2020-0549 +# Source: Package Version Pattern Template v0.3.7 +# Options: SLE,Security,CPU,000019635,1156353,ucodeintel_151,ucode-intel,20200602-3.25.1,0,1 +# Distro: SLES15 SP2 +# Modified: 2021 Apr 07 +# +############################################################################## +# Copyright (C) 2021 SUSE LLC +############################################################################## +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see <http://www.gnu.org/licenses/>. +# +# Authors/Contributors: +# Jason Record <[email protected]> +# +############################################################################## + +import re +import os +import Core +import SUSE + +META_CLASS = "SLE" +META_CATEGORY = "Security" +META_COMPONENT = "CPU" +PATTERN_ID = os.path.basename(__file__) +PRIMARY_LINK = "META_LINK_TID" +OVERALL = Core.TEMP +OVERALL_INFO = "NOT SET" +OTHER_LINKS = "META_LINK_TID=https://www.suse.com/support/kb/doc/?id=000019635|META_LINK_BUG=https://bugzilla.suse.com/show_bug.cgi?id=1156353|META_LINK_CVE-2020-0548=https://www.suse.com/security/cve/CVE-2020-0548/|META_LINK_CVE-2020-0549=https://www.suse.com/security/cve/CVE-2020-0549/|META_LINK_Intel=https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00329.html"; + +Core.init(META_CLASS, META_CATEGORY, META_COMPONENT, PATTERN_ID, PRIMARY_LINK, OVERALL, OVERALL_INFO, OTHER_LINKS) + +############################################################################## +# Local Function Definitions +############################################################################## + +def intelCPU(): + fileOpen = "hardware.txt" + section = "/proc/cpuinfo" + content = [] + CONFIRMED = re.compile("vendor_id.*GenuineIntel", re.IGNORECASE) + if Core.getRegExSection(fileOpen, section, content): + for line in content: + if CONFIRMED.search(line): + return True + return False + +############################################################################## +# Main Program Execution +############################################################################## + +RPM_NAME = 'ucode-intel' +RPM_VERSION_FIXED = '20200602-1.2' +if( SUSE.packageInstalled(RPM_NAME) ): + INSTALLED_VERSION = SUSE.compareRPM(RPM_NAME, RPM_VERSION_FIXED) + if( INSTALLED_VERSION >= 0 ): + Core.updateStatus(Core.IGNORE, "Bug fixes applied for " + RPM_NAME + "") + else: + if( intelCPU() ): + Core.updateStatus(Core.WARN, "Risk of L1D data cache eviction and vector register sampling, update system to avoid") + else: + Core.updateStatus(Core.IGNORE, "No Genuine Intel CPUs found") +else: + Core.updateStatus(Core.ERROR, "ERROR: " + RPM_NAME + " not installed") + +Core.printPatternResults() +
