openSUSE Security Update: Security update for fossil
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2020:1478-1
Rating:             important
References:         #1047218 #1175760
Cross-References:   CVE-2020-24614
Affected Products:
                    openSUSE Leap 15.2
                    openSUSE Leap 15.1
                    openSUSE Backports SLE-15-SP2
                    openSUSE Backports SLE-15-SP1
______________________________________________________________________________

An update that solves one vulnerability and has one errata is now available.

Description:

This update for fossil fixes the following issues:

- fossil 2.12.1:
  * CVE-2020-24614: Remote authenticated users with check-in or administrative
    privileges could have executed arbitrary code [boo#1175760]
  * Security fix in the "fossil git export" command. New "safety-net" features
    were added to prevent similar problems in the future.
  * Enhancements to the graph display for cases when there are many cherry-pick
    merges into a single check-in.
  * Enhance the fossil open command with the new --workdir option and the
    ability to accept a URL as the repository name, causing the remote
    repository to be cloned automatically. Do not allow "fossil open" to open
    in a non-empty working directory unless the --keep option or the new
    --force option is used.
  * Enhance the markdown formatter to more closely follow the CommonMark
    specification with regard to text highlighting. Underscores in the middle
    of identifiers (ex: fossil_printf()) no longer need to be escaped.
  * The markdown-to-html translator can prevent unsafe HTML (for example:
    <script>) on user-contributed pages like forum and tickets and wiki. The
    admin can adjust this behavior using the safe-html setting on the
    Admin/Wiki page. The default is to disallow unsafe HTML everywhere.
  * Added the "collapse" and "expand" capability for long forum posts.
  * The "fossil remote" command now has options for specifying multiple
    persistent remotes with symbolic names.
    Currently only one remote can be used at a time, but that might change in
    the future.
  * Add the "Remember me?" checkbox on the login page. Use a session cookie
    for the login if it is not checked.
  * Added the experimental "fossil hook" command for managing "hook scripts"
    that run before checkin or after a push.
  * Enhance the fossil revert command so that it is able to revert all files
    beneath a directory.
  * Add the fossil bisect skip command.
  * Add the fossil backup command.
  * Enhance fossil bisect ui so that it shows all unchecked check-ins in
    between the innermost "good" and "bad" check-ins.
  * Added the --reset flag to the "fossil add", "fossil rm", and
    "fossil addremove" commands.
  * Added the "--min N" and "--logfile FILENAME" flags to the backoffice
    command, as well as other enhancements to make the backoffice command a
    viable replacement for automatic backoffice. Other incremental backoffice
    improvements.
  * Added the /fileedit page, which allows editing of text files online.
    Requires explicit activation by a setup user.
  * Translate built-in help text into HTML for display on web pages.
  * On the /timeline webpage, the combination of query parameters "p=CHECKIN"
    and "bt=ANCESTOR" draws all ancestors of CHECKIN going back to ANCESTOR.
  * Update the built-in SQLite so that the "fossil sql" command supports new
    output modes ".mode box" and ".mode json".
  * Add the "obscure()" SQL function to the "fossil sql" command.
  * Added virtual tables "helptext" and "builtin" to the "fossil sql" command,
    providing access to the dispatch table including all help text, and the
    builtin data files, respectively.
  * Delta compression is now applied to forum edits.
  * The wiki editor has been modernized and is now Ajax-based.
- Package the fossil.1 manual page.
- fossil 2.11.1:
  * Make the "fossil git export" command more restrictive about characters
    that it allows in the tag names
- Add fossil-2.11-reproducible.patch to override build date (boo#1047218)

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.2:

  zypper in -t patch openSUSE-2020-1478=1

- openSUSE Leap 15.1:

  zypper in -t patch openSUSE-2020-1478=1

- openSUSE Backports SLE-15-SP2:

  zypper in -t patch openSUSE-2020-1478=1

- openSUSE Backports SLE-15-SP1:

  zypper in -t patch openSUSE-2020-1478=1

Package List:

- openSUSE Leap 15.2 (x86_64):

  fossil-2.12.1-lp152.2.3.1
  fossil-debuginfo-2.12.1-lp152.2.3.1
  fossil-debugsource-2.12.1-lp152.2.3.1

- openSUSE Leap 15.1 (x86_64):

  fossil-2.12.1-lp151.3.6.1
  fossil-debuginfo-2.12.1-lp151.3.6.1
  fossil-debugsource-2.12.1-lp151.3.6.1

- openSUSE Backports SLE-15-SP2 (aarch64 ppc64le s390x x86_64):

  fossil-2.12.1-bp152.2.3.1
  fossil-debuginfo-2.12.1-bp152.2.3.1
  fossil-debugsource-2.12.1-bp152.2.3.1

- openSUSE Backports SLE-15-SP1 (aarch64 ppc64le s390x x86_64):

  fossil-2.12.1-bp151.4.6.1

References:

https://www.suse.com/security/cve/CVE-2020-24614.html
https://bugzilla.suse.com/1047218
https://bugzilla.suse.com/1175760
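The following is an added verification helper, not part of the openSUSE advisory: it decides whether an installed fossil package (VERSION-RELEASE as reported by rpm) is at or above the fixed build listed in the Package List above for a given product tag. The product tags (lp152, lp151, bp152, bp151) and the `is_fossil_fixed` / `cmp_dotted` names are this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the advisory). On a host you would call, for example:
#   is_fossil_fixed "$(rpm -q --qf '%{VERSION}-%{RELEASE}' fossil)" lp152

# Fixed VERSION-RELEASE per product, copied from the advisory's Package List.
fixed_version_for() {
  case "$1" in
    lp152) echo "2.12.1-lp152.2.3.1" ;;
    lp151) echo "2.12.1-lp151.3.6.1" ;;
    bp152) echo "2.12.1-bp152.2.3.1" ;;
    bp151) echo "2.12.1-bp151.4.6.1" ;;
    *) return 1 ;;
  esac
}

# Compare two dotted numeric strings field by field; prints -1, 0 or 1.
# Missing trailing fields count as 0, so "2.12" equals "2.12.0".
cmp_dotted() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"; y="${b%%.*}"
    if [ "$x" = "$a" ]; then a=""; else a="${a#*.}"; fi
    if [ "$y" = "$b" ]; then b=""; else b="${b#*.}"; fi
    x="${x:-0}"; y="${y:-0}"
    if [ "$x" -lt "$y" ]; then echo -1; return 0; fi
    if [ "$x" -gt "$y" ]; then echo 1; return 0; fi
  done
  echo 0
}

# Exit 0 if the installed VERSION-RELEASE is >= the fixed build for PRODUCT,
# 1 if it is older (still vulnerable), 2 if the product tag is unknown.
is_fossil_fixed() {
  installed="$1"; product="$2"
  fixed=$(fixed_version_for "$product") || return 2
  iv="${installed%%-*}"; fv="${fixed%%-*}"
  case "$installed" in *-*) ir="${installed#*-}" ;; *) ir="x.0" ;; esac
  fr="${fixed#*-}"
  c=$(cmp_dotted "$iv" "$fv")
  if [ "$c" = 1 ]; then return 0; fi
  if [ "$c" = -1 ]; then return 1; fi
  # Same upstream version: compare the numeric release after the distro tag
  # (e.g. "lp152.2.3.1" -> "2.3.1").
  c=$(cmp_dotted "${ir#*.}" "${fr#*.}")
  if [ "$c" = -1 ]; then return 1; fi
  return 0
}
```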