May 2024 - openSUSE Bugs - openSUSE Mailing Lists

[Bug 1224133] New: element-desktop: garbage in app.asar
by bugzilla_noreply＠suse.com 15 May '24

15 May '24

https://bugzilla.suse.com/show_bug.cgi?id=1224133 Bug ID: 1224133 Summary: element-desktop: garbage in app.asar Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: x86-64 OS: openSUSE Tumbleweed Status: NEW Severity: Normal Priority: P5 - None Component: X11 Applications Assignee: screening-team-bugs(a)suse.de Reporter: brunopitrus(a)hotmail.com QA Contact: qa-bugs(a)suse.de Target Milestone: --- Found By: --- Blocker: --- app.asar contains files that should not be shipped (source codes etc.) In particular the directories `npm-packages-offline-cache` and `.hak` take up several hundred MB. I suggest not using asar and instead shipping the app unpacked. Then many such problems would be detected by rpmlint. (Would help build reproducibility, too.) -- You are receiving this mail because: You are on the CC list for the bug.

1 9

[Bug 1224237] VUL-0: CVE-2024-31445: cacti: SQL injection vulnerability when retrieving graphs using Automation API
by bugzilla_noreply＠suse.com 15 May '24

15 May '24

https://bugzilla.suse.com/show_bug.cgi?id=1224237 https://bugzilla.suse.com/show_bug.cgi?id=1224237#c4 Andreas Stieger <Andreas.Stieger(a)gmx.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|--- |FIXED Status|IN_PROGRESS |RESOLVED --- Comment #4 from Andreas Stieger <Andreas.Stieger(a)gmx.de> --- done -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1224239] VUL-0: CVE-2024-31460: cacti: SQL injection vulnerability when using tree rules through Automation API
by bugzilla_noreply＠suse.com 15 May '24

15 May '24

https://bugzilla.suse.com/show_bug.cgi?id=1224239 https://bugzilla.suse.com/show_bug.cgi?id=1224239#c4 Andreas Stieger <Andreas.Stieger(a)gmx.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|IN_PROGRESS |RESOLVED Resolution|--- |FIXED --- Comment #4 from Andreas Stieger <Andreas.Stieger(a)gmx.de> --- done -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1224241] New: VUL-0: CVE-2024-34340: cacti: Authentication Bypass when using using older password hashes
by bugzilla_noreply＠suse.com 15 May '24

15 May '24

https://bugzilla.suse.com/show_bug.cgi?id=1224241 Bug ID: 1224241 Summary: VUL-0: CVE-2024-34340: cacti: Authentication Bypass when using using older password hashes Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.5 Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: security-team(a)suse.de Reporter: Andreas.Stieger(a)gmx.de QA Contact: qa-bugs(a)suse.de Target Milestone: --- Found By: --- Blocker: --- https://github.com/cacti/cacti/security/advisories/GHSA-37x7-mfjv-mm7m Md5-hashed user input is compared with correct password in database by $md5 == $hash. It is a loose comparison, not ===. It is a type juggling vulnerability. -- You are receiving this mail because: You are on the CC list for the bug.

1 4

[Bug 1224235] VUL-0: CVE-2024-31443: cacti: cross-site scripting vulnerability when managing data queries
by bugzilla_noreply＠suse.com 15 May '24

15 May '24

https://bugzilla.suse.com/show_bug.cgi?id=1224235 https://bugzilla.suse.com/show_bug.cgi?id=1224235#c4 Andreas Stieger <Andreas.Stieger(a)gmx.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|IN_PROGRESS |RESOLVED Resolution|--- |FIXED --- Comment #4 from Andreas Stieger <Andreas.Stieger(a)gmx.de> --- done -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1224230] VUL-0: CVE-2024-27082: cacti: stored cross-site scripting vulnerability when managing trees
by bugzilla_noreply＠suse.com 15 May '24

15 May '24

https://bugzilla.suse.com/show_bug.cgi?id=1224230 https://bugzilla.suse.com/show_bug.cgi?id=1224230#c4 Andreas Stieger <Andreas.Stieger(a)gmx.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|--- |FIXED Status|IN_PROGRESS |RESOLVED --- Comment #4 from Andreas Stieger <Andreas.Stieger(a)gmx.de> --- done -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1224238] VUL-0: CVE-2024-31459: cacti: file inclusion issue in the `lib/plugin.php` file
by bugzilla_noreply＠suse.com 15 May '24

15 May '24

https://bugzilla.suse.com/show_bug.cgi?id=1224238 https://bugzilla.suse.com/show_bug.cgi?id=1224238#c5 Andreas Stieger <Andreas.Stieger(a)gmx.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|IN_PROGRESS |RESOLVED Resolution|--- |FIXED --- Comment #5 from Andreas Stieger <Andreas.Stieger(a)gmx.de> --- done -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1224236] VUL-0: CVE-2024-31444: cacti: cross-site scripting vulnerability when reading tree rules with Automation API
by bugzilla_noreply＠suse.com 15 May '24

15 May '24

https://bugzilla.suse.com/show_bug.cgi?id=1224236 https://bugzilla.suse.com/show_bug.cgi?id=1224236#c4 Andreas Stieger <Andreas.Stieger(a)gmx.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|--- |FIXED Status|IN_PROGRESS |RESOLVED --- Comment #4 from Andreas Stieger <Andreas.Stieger(a)gmx.de> --- done -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1224231] VUL-0: CVE-2024-29894: cacti: residual cross-site scripting vulnerability caused by incomplete fix
by bugzilla_noreply＠suse.com 15 May '24

15 May '24

https://bugzilla.suse.com/show_bug.cgi?id=1224231 https://bugzilla.suse.com/show_bug.cgi?id=1224231#c4 Andreas Stieger <Andreas.Stieger(a)gmx.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|--- |FIXED Status|IN_PROGRESS |RESOLVED --- Comment #4 from Andreas Stieger <Andreas.Stieger(a)gmx.de> --- done -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1224240] New: VUL-0: CVE-2024-31458: cacti: SQL Injection vulnerability when using form templates
by bugzilla_noreply＠suse.com 15 May '24

15 May '24

https://bugzilla.suse.com/show_bug.cgi?id=1224240 Bug ID: 1224240 Summary: VUL-0: CVE-2024-31458: cacti: SQL Injection vulnerability when using form templates Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.5 Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: security-team(a)suse.de Reporter: Andreas.Stieger(a)gmx.de QA Contact: qa-bugs(a)suse.de Target Milestone: --- Found By: --- Blocker: --- Fixed in 1.2.27 Some of the data stored in automation_tree_rules.php is not thoroughly checked and is used to concatenate the SQL statement in create_all_header_nodes() function from lib/api_automation.php , finally resulting in SQL injection. https://github.com/cacti/cacti/security/advisories/GHSA-gj3f-p326-gh8r -- You are receiving this mail because: You are on the CC list for the bug.

1 4