IBM published two Security Bulletins:

- Information Disclosure and Denial of Service Vulnerabilities in IBM Spectrum Protect Backup-Archive Client (CVE-2022-22478, CVE-2022-22474)
- Vulnerabilities in IBM Java Runtime affect IBM Spectrum Protect Backup-Archive Client, IBM Spectrum Protect for Space Management, and IBM Spectrum Protect for Virtual Environments (CVE-2021-35550, CVE-2021-35603)

Reproducible: Always

The vulnerabilities are fixed in version 8.1.15
Created attachment 789176: Ebuild

I created this ebuild in my local overlay and installed it on my servers.
Note:

- The new USE flag "tdpvmware" (off by default, as I don't use this part of the package) and its RDEPEND line should solve bug 834431.
- I didn't get the "Unsupported type of integrity check" warning from bug 837503 on installing my ebuild.
Thanks for reporting! Feel free to open a PR for the update. Do you have a link for the upstream documentation on how TSM itself is vulnerable?
(In reply to John Helmert III from comment #3)
> Do you have a link for the upstream documentation on how TSM itself is vulnerable?

https://www.ibm.com/support/pages/node/6596741
https://www.ibm.com/support/pages/node/6596379
(In reply to Horst Prote from comment #4)
> (In reply to John Helmert III from comment #3)
> > Do you have a link for the upstream documentation on how TSM itself is vulnerable?
> https://www.ibm.com/support/pages/node/6596741
> https://www.ibm.com/support/pages/node/6596379

Sorry for my lack of familiarity with this stuff, but TSM doesn't seem to be mentioned here?
(In reply to John Helmert III from comment #5)
> (In reply to Horst Prote from comment #4)
> > (In reply to John Helmert III from comment #3)
> > > Do you have a link for the upstream documentation on how TSM itself is vulnerable?
> > https://www.ibm.com/support/pages/node/6596741
> > https://www.ibm.com/support/pages/node/6596379
>
> Sorry for my lack of familiarity with this stuff, but TSM doesn't seem to be
> mentioned here?

Oh, sorry, TSM = IBM Spectrum Protect. Nice acronym :P

Anyway, are we affected by the Java vulnerabilities? The ebuild seems to have functionality for pulling in a JRE, so I think it's not bundled here?
(In reply to John Helmert III from comment #6)
> Oh, sorry, TSM = IBM Spectrum Protect. Nice acronym :P

Not really an acronym. Whoever was the maintainer of the tsm package when IBM switched the name from "Tivoli Storage Manager" to "IBM Spectrum Protect" years ago just didn't change the package name.

> Anyway, are we affected by the Java vulnerabilities? The ebuild seems to
> have functionality for pulling in a JRE, so I think it's not bundled here?

I think you are right for https://www.ibm.com/support/pages/node/6596379 with its vulnerabilities CVE-2021-35550 and CVE-2021-35603, but CVE-2022-22478 and CVE-2022-22474 of https://www.ibm.com/support/pages/node/6596741 both clearly state that the bugs are in the IBM Spectrum Protect client code.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7f071a94b49db3e421a4ee6189c391d1b39a1eba

commit 7f071a94b49db3e421a4ee6189c391d1b39a1eba
Author: Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2023-04-06 22:49:41 +0000
Commit: Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2023-04-06 22:50:08 +0000

    app-backup/tsm: add 8.1.15.0, 8.1.17.2

    Bug: https://bugs.gentoo.org/855536
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 app-backup/tsm/Manifest            |   2 +
 app-backup/tsm/metadata.xml        |   1 +
 app-backup/tsm/tsm-8.1.15.0.ebuild | 249 +++++++++++++++++++++++++++++++++++++
 app-backup/tsm/tsm-8.1.17.2.ebuild | 249 +++++++++++++++++++++++++++++++++++++
 4 files changed, 501 insertions(+)
Thanks. Finally catching up here. I didn't have the https URL when I last checked... Let's wait a bit and then immediately stabilize 8.1.17.2.
("stable?" is usually how we denote that in security bug whiteboard)
Cleanup done