SUSE Security Update: Security update for osc
______________________________________________________________________________

Announcement ID:    SUSE-SU-2022:4351-1
Rating:             important
References:         #1089025 #1097996 #1122675 #1125243 #1126055 
                    #1126058 #1127932 #1129757 #1129889 #1131512 
                    #1136584 #1137477 #1138165 #1138977 #1140697 
                    #1142518 #1142662 #1144211 #1154972 #1155953 
                    #1156501 #1160446 #1166537 #1173926 OBS-203 
                    
Cross-References:   CVE-2019-3681 CVE-2019-3685
CVSS scores:
                    CVE-2019-3681 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2019-3681 (SUSE): 4.2 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L
                    CVE-2019-3685 (NVD) : 7.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
                    CVE-2019-3685 (SUSE): 7.4 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Affected Products:
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server for SAP Applications 12-SP5
                    SUSE Linux Enterprise Software Development Kit 12-SP5
______________________________________________________________________________

   An update that solves two vulnerabilities, contains one
   feature and has 22 fixes is now available.

Description:

   This update for osc fixes the following issues:

     osc was updated to version 0.182.0 (bsc#1154972, bsc#1144211,
      bsc#1142662, bsc#1140697, bsc#1138165):

     - Added MFA support (jsc#OBS-203).
     - CVE-2019-3681: Fixed vulnerability where osc stored downloaded RPMs in
       network controlled paths (bsc#1122675).
     - CVE-2019-3685: Fixed broken TLS certificate handling (bsc#1142518).

     Bugfixes:
     - Removed use of chardet to guess encoding. Utf-8 or latin-1 is now
       assumed, which will speed up decoding (bsc#1173926).
     - Added helper method _html_escape to enable python3.8 and python2.*
       compatibility (bsc#1166537).
     - Added MR creation to honor orev (bsc#1160446).
     - Fixed local build outside of the working copy of a package
       (bsc#1136584).
     - Don't enforce password reuse (bsc#1156501).
     - osc vc --file=foo bar.changes now writes the content from foo into
       bar.changes instead of creating a new file (bsc#1155953).
     - Fixed decoding on osc lbl (bsc#1137477).
     - Simplified and fixed osc meta -e (bsc#1138977).
     - osc lbl now works with non utf8 encoding (bsc#1129889).
     - Added full python3 compatibility (bsc#1125243, bsc#1131512,
       bsc#1129757).
     - Fixed slowdown of rbl with readline(bufsize) function (bsc#1127932).
     - Fixed osc build -p dir TypeError (bsc#1126055).
     - Fixed osc buildinfo -p TypeError (bsc#1126058).
     - Added new options --unexpand and --meta to diff command (bsc#1089025).
     - Fixed Requires to python-base which does not contain ssl.py
       (bsc#1097996).


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP5:

      zypper in -t patch SUSE-SLE-SDK-12-SP5-2022-4351=1



Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP5 (noarch):

      osc-0.182.0-15.12.1


References:

   https://www.suse.com/security/cve/CVE-2019-3681.html
   https://www.suse.com/security/cve/CVE-2019-3685.html
   https://bugzilla.suse.com/1089025
   https://bugzilla.suse.com/1097996
   https://bugzilla.suse.com/1122675
   https://bugzilla.suse.com/1125243
   https://bugzilla.suse.com/1126055
   https://bugzilla.suse.com/1126058
   https://bugzilla.suse.com/1127932
   https://bugzilla.suse.com/1129757
   https://bugzilla.suse.com/1129889
   https://bugzilla.suse.com/1131512
   https://bugzilla.suse.com/1136584
   https://bugzilla.suse.com/1137477
   https://bugzilla.suse.com/1138165
   https://bugzilla.suse.com/1138977
   https://bugzilla.suse.com/1140697
   https://bugzilla.suse.com/1142518
   https://bugzilla.suse.com/1142662
   https://bugzilla.suse.com/1144211
   https://bugzilla.suse.com/1154972
   https://bugzilla.suse.com/1155953
   https://bugzilla.suse.com/1156501
   https://bugzilla.suse.com/1160446
   https://bugzilla.suse.com/1166537
   https://bugzilla.suse.com/1173926

SUSE: 2022:4351-1 important: osc

December 7, 2022
An update that solves two vulnerabilities, contains one feature and has 22 fixes is now available

Summary

This update for osc fixes the following issues: osc was updated to version 0.182.0 (bsc#1154972, bsc#1144211, bsc#1142662, bsc#1140697, bsc#1138165): - Added MFA support (jsc#OBS-203). - CVE-2019-3681: Fixed vulnerability where osc stored downloaded RPMs in network controlled paths (bsc#1122675). - CVE-2019-3685: Fixed broken TLS certificate handling (bsc#1142518). Bugfixes: - Removed use of chardet to guess encoding. Utf-8 or latin-1 is now assumed, which will speed up decoding (bsc#1173926). - Added helper method _html_escape to enable python3.8 and python2.* compatibility (bsc#1166537). - Added MR creation to honor orev (bsc#1160446). - Fixed local build outside of the working copy of a package (bsc#1136584). - Don't enforce password reuse (bsc#1156501). - osc vc --file=foo bar.changes now writes the content from foo into bar.changes instead of creating a new file (bsc#1155953). - Fixed decoding on osc lbl (bsc#1137477). - Simplified and fixed osc meta -e (bsc#1138977). - osc lbl now works with non utf8 encoding (bsc#1129889). - Added full python3 compatibility (bsc#1125243, bsc#1131512, bsc#1129757). - Fixed slowdown of rbl with readline(bufsize) function (bsc#1127932). - Fixed osc build -p dir TypeError (bsc#1126055). - Fixed osc buildinfo -p TypeError (bsc#1126058). - Added new options --unexpand and --meta to diff command (bsc#1089025). - Fixed Requires to python-base which does not contain ssl.py (bsc#1097996). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2022-4351=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP5 (noarch): osc-0.182.0-15.12.1

References

#1089025 #1097996 #1122675 #1125243 #1126055

#1126058 #1127932 #1129757 #1129889 #1131512

#1136584 #1137477 #1138165 #1138977 #1140697

#1142518 #1142662 #1144211 #1154972 #1155953

#1156501 #1160446 #1166537 #1173926 OBS-203

Cross- CVE-2019-3681 CVE-2019-3685

CVSS scores:

CVE-2019-3681 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2019-3681 (SUSE): 4.2 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L

CVE-2019-3685 (NVD) : 7.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L

CVE-2019-3685 (SUSE): 7.4 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Affected Products:

SUSE Linux Enterprise Server 12-SP5

SUSE Linux Enterprise Server for SAP Applications 12-SP5

SUSE Linux Enterprise Software Development Kit 12-SP5

https://www.suse.com/security/cve/CVE-2019-3681.html

https://www.suse.com/security/cve/CVE-2019-3685.html

https://bugzilla.suse.com/1089025

https://bugzilla.suse.com/1097996

https://bugzilla.suse.com/1122675

https://bugzilla.suse.com/1125243

https://bugzilla.suse.com/1126055

https://bugzilla.suse.com/1126058

https://bugzilla.suse.com/1127932

https://bugzilla.suse.com/1129757

https://bugzilla.suse.com/1129889

https://bugzilla.suse.com/1131512

https://bugzilla.suse.com/1136584

https://bugzilla.suse.com/1137477

https://bugzilla.suse.com/1138165

https://bugzilla.suse.com/1138977

https://bugzilla.suse.com/1140697

https://bugzilla.suse.com/1142518

https://bugzilla.suse.com/1142662

https://bugzilla.suse.com/1144211

https://bugzilla.suse.com/1154972

https://bugzilla.suse.com/1155953

https://bugzilla.suse.com/1156501

https://bugzilla.suse.com/1160446

https://bugzilla.suse.com/1166537

https://bugzilla.suse.com/1173926

Severity
Announcement ID: SUSE-SU-2022:4351-1
Rating: important

Related News

24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
11.Locks IsometricPattern Esm H320
2 - 3 min read
Open Source maintainers and developers have been warned about the continued wave of attacks aimed at project maintainers similar to those recently
28.Lock Globe Esm H320
1 - 2 min read
A resurgence of cyberattacks targeting Linux systems in Asian campaigns through the utilization of the Pupy Remote Access Trojan (RAT) has been
27.Tablet Connections Blocks Lock Esm H320
2 - 4 min read
Canonical has recently announced the Beta release of Ubuntu Linux 24.04 LTS , codenamed "Noble Numbat." This release aims to continue Ubuntu's
21.Globe RadiatingCode Esm H320
2 - 3 min read
The open-source movement has come a long way, from its origins in the 1960s and 1970s to becoming an integral part of organizations worldwide.
13.Lock StylizedMotherboard Esm H320
2 - 3 min read
The Rust-based Edera project demonstrates a unique approach to container security that addresses cloud-native computing challenges. Let's examine
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved