May 2017 - openSUSE Bugs - openSUSE Mailing Lists

[Bug 1037004] New: home:ecsos: Bug
by bugzilla_noreply＠novell.com 01 May '17

01 May '17

http://bugzilla.opensuse.org/show_bug.cgi?id=1037004 Bug ID: 1037004 Summary: home:ecsos: Bug Classification: openSUSE Product: openSUSE.org Version: unspecified Hardware: Other OS: Other Status: NEW Severity: Minor Priority: P5 - None Component: 3rd party software Assignee: ecsos(a)schirra.net Reporter: christof.kihm(a)helbako.de QA Contact: opensuse-communityscreening(a)forge.provo.novell.com Found By: --- Blocker: --- LEAP 42.2: After installing the Joomla 3.7.0 package from https://software.opensuse.org/package/joomla, you can't configure the software. The needed directory 'installation' isn't present. Maybe it's intended. You have to download the respective zip from Joomla web page and extract this directory separately. After inserting it you can install Joomla. -- You are receiving this mail because: You are on the CC list for the bug.

1 1

[Bug 906379] New: autofs - "Local domain name not set" during booting
by bugzilla_noreply＠novell.com 01 May '17

01 May '17

http://bugzilla.opensuse.org/show_bug.cgi?id=906379 Bug ID: 906379 Summary: autofs - "Local domain name not set" during booting Classification: openSUSE Product: openSUSE Factory Version: 201411* Hardware: x86-64 OS: openSUSE 13.2 Status: NEW Severity: Normal Priority: P5 - None Component: Basesystem Assignee: bnc-team-screening(a)forge.provo.novell.com Reporter: renda.krell(a)gmail.com QA Contact: qa-bugs(a)suse.de Found By: --- Blocker: --- User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.65 Safari/537.36 Build Identifier: I use autofs for mounting some NFS and CIFS shares. In OpenSUSE 13.1 I haven't seen any error with the same configuration. In OpenSUSE 13.2 incl. Tumbleweed/Factory, 'systemctl status' returns: --- autofs.service - Automounts filesystems on demand Loaded: loaded (/usr/lib/systemd/system/autofs.service; enabled) Active: active (running) since Thu 2014-11-20 08:54:52 CET; 1h 47min ago Docs: man:automount(8) man:autofs(5) Process: 1709 ExecStart=/usr/sbin/automount ${AUTOFS_OPTIONS} -p /var/run/automount.pid (code=exited, status=0/SUCCESS) Main PID: 1712 (automount) CGroup: /system.slice/autofs.service └─1712 /usr/sbin/automount -p /var/run/automount.pid Nov 20 08:54:52 rkrell automount[1712]: lookup_init:139: lookup(yp): map auto.master: Local domain name not set --- In fact, the domain name is not set: rkrell:~ # hostname rkrell rkrell:~ # domainname (none) but the network is set up correctly using NetworkManager and a local LAN connection. Reproducible: Always Steps to Reproduce: 1. Boot the system 2. 3. -- You are receiving this mail because: You are on the CC list for the bug.

1 10

[Bug 1037003] New: Text in slide show during install incorrect
by bugzilla_noreply＠novell.com 01 May '17

01 May '17

http://bugzilla.opensuse.org/show_bug.cgi?id=1037003 Bug ID: 1037003 Summary: Text in slide show during install incorrect Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: x86-64 OS: SUSE Other Status: NEW Severity: Enhancement Priority: P5 - None Component: Installation Assignee: yast2-maintainers(a)suse.de Reporter: tyrannis.hawk(a)gmail.com QA Contact: jsrain(a)suse.com Found By: --- Blocker: --- I noticed an error in the slide show text of the DVD install of openSUSE Tumbleweed (april 2017 image). It was in the section "Developers and Sysadmins". The text refers to openSUSE Tumbleweed four times, even though the text seems to make a comparison between Tumbleweed and Leap. It seems to me that two references to Tumbleweed need to be replaced with references to Leap and the text will be as intended. It's somewhat cosmetic, but you only have one chance to make a good first impression ;-) -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1035827] New: VUL-1: CVE-2017-7692: squirrelmail: SquirrelMail <= 1.4.23 Remote Code Execution
by bugzilla_noreply＠novell.com 01 May '17

01 May '17

http://bugzilla.opensuse.org/show_bug.cgi?id=1035827 Bug ID: 1035827 Summary: VUL-1: CVE-2017-7692: squirrelmail: SquirrelMail <= 1.4.23 Remote Code Execution Classification: openSUSE Product: openSUSE Distribution Version: Leap 42.2 Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: security-team(a)suse.de Reporter: mikhail.kasimov(a)gmail.com QA Contact: qa-bugs(a)suse.de Found By: --- Blocker: --- Ref: http://seclists.org/oss-sec/2017/q2/114 ============================================= SquirrelMail <= 1.4.23 Remote Code Execution (CVE-2017-7692) Desc.: SquirrelMail is affected by a critical Remote Code Execution vulnerability which stems from insufficient escaping of user-supplied data when SquirrelMail has been configured with Sendmail as the main transport. An authenticated attacker may be able to exploit the vulnerability to execute arbitrary commands on the target and compromise the remote system. Discovered by: Dawid Golunski (https://legalhackers.com : https://ExploitBox.io) , as well as Filippo Cavallarin (see attached advisory for details) Official solution: Vendor seems to have released a new version of 1.4.23 on squirrelmail-20170424_0200-SVN.stable.tar.gz which still seems to be vulnerable hence a new subject/thread. The exploit from my advisory was also confirmed to work on Ubuntu package: '1.4.23~svn20120406-2ubuntu1.16.04.1'. Hence the updated version in the subject/advisory title. Full advisory URL: https://legalhackers.com/advisories/SquirrelMail-Exploit-Remote-Code-Exec-C… -- Regards, Dawid Golunski https://legalhackers.com https://ExploitBox.io t: @dawid_golunski ============================================= [1] http://seclists.org/oss-sec/2017/q2/att-114/SquirrelMail_RCE.txt [2] https://security-tracker.debian.org/tracker/CVE-2017-7692 (open-)SUSE: https://software.opensuse.org/package/squirrelmail 1.4.22 (TW, 42.{1,2}, server:php:applications repo) -- You are receiving this mail because: You are on the CC list for the bug.

1 4

[Bug 1036972] New: VUL-1: CVE-2017-8342: radicale: htpasswd authentication vulnerable to timing-based bruteforce attacks
by bugzilla_noreply＠novell.com 01 May '17

01 May '17

http://bugzilla.opensuse.org/show_bug.cgi?id=1036972 Bug ID: 1036972 Summary: VUL-1: CVE-2017-8342: radicale: htpasswd authentication vulnerable to timing-based bruteforce attacks Classification: openSUSE Product: openSUSE Distribution Version: Leap 42.2 Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: security-team(a)suse.de Reporter: mikhail.kasimov(a)gmail.com QA Contact: qa-bugs(a)suse.de Found By: --- Blocker: --- Ref: https://nvd.nist.gov/vuln/detail/CVE-2017-8342 =================================================== Description Radicale before 1.1.2 and 2.x before 2.0.0rc2 is prone to timing oracles and simple brute-force attacks when using the htpasswd authentication method. Source: MITRE Last Modified: 04/30/2017 =================================================== Hyperlink [1] https://github.com/Kozea/Radicale/commit/190b1dd795f0c552a4992445a231da7602… [2] https://github.com/Kozea/Radicale/commit/059ba8dec1f22ccbeab837e288b3833a09… [3] https://github.com/Kozea/Radicale/blob/1.1.2/NEWS.rst [4] https://bugs.debian.org/861514 (open-)SUSE: https://software.opensuse.org/package/Radicale 1.1.1 (TW, 42.{1,2}, network repo) -- You are receiving this mail because: You are on the CC list for the bug.

1 5

[Bug 1036995] wine failed to install application and hangs
by bugzilla_noreply＠novell.com 01 May '17

01 May '17

http://bugzilla.opensuse.org/show_bug.cgi?id=1036995 http://bugzilla.opensuse.org/show_bug.cgi?id=1036995#c2 Andreas Stieger <astieger(a)suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|bnc-team-screening(a)forge.pr |meissner(a)suse.com |ovo.novell.com | --- Comment #2 from Andreas Stieger <astieger(a)suse.com> --- https://appdb.winehq.org/objectManager.php?sClass=application&iId=3747 Assign to maintainer Note that since we ship the latest stable wine, the resolution of this bug may be to go upstream. -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1035640] No keyboard or mouse input at KDE login screen
by bugzilla_noreply＠novell.com 01 May '17

01 May '17

http://bugzilla.suse.com/show_bug.cgi?id=1035640 http://bugzilla.suse.com/show_bug.cgi?id=1035640#c14 --- Comment #14 from Tudor Protopopescu <tprotopopescu(a)gmail.com> --- (In reply to Takashi Iwai from comment #13) > (In reply to Tudor Protopopescu from comment #12) > > (In reply to Takashi Iwai from comment #11) > > > It seems that, by some reason, the input driver isn't registered while USB > > > keyboard and mouse devices were detected properly with 4.10.x kernels. > > > Weird. > > > > > > Could you try the latest TW ISO and check whether the keyboard works with > > > the rescue system there? > > > > Okay, with TW Snapshot20170424 the keyboard does work at the rescue login > > prompt. > > What if you install the same kernel? If it doesn't bring up the input, it > means that it's not the kernel but something else got broken (e.g. udev > rules). I updated to 4.10.12-1-default, from the TW repo, and with it the keyboard and mouse work at login as expected, so whatever the problem was has been resolved. Many thanks for taking the time to look into this. -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1037001] New: VUL-0: CVE-2017-6519: avahi: Multicast DNS responds to unicast queries outside of local network
by bugzilla_noreply＠novell.com 01 May '17

01 May '17

http://bugzilla.opensuse.org/show_bug.cgi?id=1037001 Bug ID: 1037001 Summary: VUL-0: CVE-2017-6519: avahi: Multicast DNS responds to unicast queries outside of local network Classification: openSUSE Product: openSUSE Distribution Version: Leap 42.2 Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: security-team(a)suse.de Reporter: mikhail.kasimov(a)gmail.com QA Contact: qa-bugs(a)suse.de Found By: --- Blocker: --- Ref: https://nvd.nist.gov/vuln/detail/CVE-2017-6519 ==================================================== Description avahi-daemon in Avahi through 0.6.32 inadvertently responds to IPv6 unicast queries with source addresses that are not on-link, which allows remote attackers to cause a denial of service (traffic amplification) or obtain potentially sensitive information via port-5353 UDP packets. NOTE: this may overlap CVE-2015-2809. Source: MITRE Last Modified: 04/30/2017 ==================================================== Hyperlink [1] https://bugzilla.redhat.com/show_bug.cgi?id=1426712 [2] https://www.secfu.net/advisories (open-)SUSE: https://software.opensuse.org/package/avahi 0.6.32 (TW, 42.2, official repo) 0.6.31 (42.1, official repo) -- You are receiving this mail because: You are on the CC list for the bug.

1 2

[Bug 1037000] New: VUL-1: CVE-2017-8378: podofo: denial of service (application crash) vectors related to m_offsets.size (PdfParser::ReadObjects func in base/PdfParser.cpp)
by bugzilla_noreply＠novell.com 01 May '17

01 May '17

http://bugzilla.opensuse.org/show_bug.cgi?id=1037000 Bug ID: 1037000 Summary: VUL-1: CVE-2017-8378: podofo: denial of service (application crash) vectors related to m_offsets.size (PdfParser::ReadObjects func in base/PdfParser.cpp) Classification: openSUSE Product: openSUSE Distribution Version: Leap 42.2 Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: security-team(a)suse.de Reporter: mikhail.kasimov(a)gmail.com QA Contact: qa-bugs(a)suse.de Found By: --- Blocker: --- Ref: https://nvd.nist.gov/vuln/detail/CVE-2017-8378 =================================================== Description Heap-based buffer overflow in the PdfParser::ReadObjects function in base/PdfParser.cpp in PoDoFo 0.9.5 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via vectors related to m_offsets.size. Source: MITRE Last Modified: 04/30/2017 =================================================== Hyperlink [1] https://github.com/xiangxiaobo/poc_and_report/tree/master/podofo_heapoverfl… -- You are receiving this mail because: You are on the CC list for the bug.

1 1

[Bug 1021082] NET installer not picking up WiFi connection
by bugzilla_noreply＠novell.com 01 May '17

01 May '17

http://bugzilla.suse.com/show_bug.cgi?id=1021082 http://bugzilla.suse.com/show_bug.cgi?id=1021082#c26 --- Comment #26 from Eli Wapniarski <eliwap(a)gmail.com> --- nvm... I just ran a live kubuntu dvd and was able to connect to my network via wireless... So it would seem that this is a different problem Sorry about the noise on this bug report... I will create a new one -- You are receiving this mail because: You are on the CC list for the bug.

1 0