May 2020 - openSUSE Bugs - openSUSE Mailing Lists

[Bug 1148844] VUL-1: CVE-2019-15784: srt: array overflow if there are many SRT connections.
by bugzilla_noreply＠novell.com 04 May '20

04 May '20

http://bugzilla.suse.com/show_bug.cgi?id=1148844 http://bugzilla.suse.com/show_bug.cgi?id=1148844#c4 Alexandros Toptsoglou <atoptsoglou(a)suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution|--- |FIXED --- Comment #4 from Alexandros Toptsoglou <atoptsoglou(a)suse.com> --- Done -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1170376] New: Enable -moutline-atomics flag for GCC in Tumbleweed
by bugzilla_noreply＠novell.com 04 May '20

04 May '20

http://bugzilla.opensuse.org/show_bug.cgi?id=1170376 Bug ID: 1170376 Summary: Enable -moutline-atomics flag for GCC in Tumbleweed Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: aarch64 OS: Linux Status: NEW Severity: Normal Priority: P5 - None Component: Other Assignee: screening-team-bugs(a)suse.de Reporter: guillaume.gardet(a)arm.com QA Contact: qa-bugs(a)suse.de CC: afaerber(a)suse.com, dleuenberger(a)suse.com, dmueller(a)suse.com Found By: --- Blocker: --- GCC 10 and GCC 9.3.1+ support '-moutline-atomics' [0], so we could enable this flag in Tumbleweed to improve LSE atomic operations on armv8.1+ hardware, with very small overhead for armv8.0 hardware. The problem is llvm does not support this flag and returns an error if used: clang-10.0: error: unknown argument: '-moutline-atomics' The problem is optflags in Tumbleweed PrjConf targets both GCC and LLVM, so adding '-moutline-atomics' would break LLVM builds. I can see few solutions: 1) Enable '-moutline-atomics' by default in GCC packages [1] 2) Add '-moutline-atomics' to the list of ignored flags in LLVM 3) Split optflags to optflags_common, optflags_gcc and optflags_llvm [0]: https://gcc.gnu.org/onlinedocs/gcc/AArch64-Options.html#AArch64-Options [1]: https://gcc.gnu.org/legacy-ml/gcc-patches/2019-09/msg01035.html -- You are receiving this mail because: You are on the CC list for the bug.

1 9

[Bug 1094772] New: Distributed phpPgAdmin 5.1 does not support distributed PostgreSQL 10.3
by bugzilla_noreply＠novell.com 04 May '20

04 May '20

http://bugzilla.opensuse.org/show_bug.cgi?id=1094772 Bug ID: 1094772 Summary: Distributed phpPgAdmin 5.1 does not support distributed PostgreSQL 10.3 Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.0 Hardware: x86-64 OS: SUSE Other Status: NEW Severity: Normal Priority: P5 - None Component: Other Assignee: bnc-team-screening(a)forge.provo.novell.com Reporter: woe.2018(a)wizonet.ch QA Contact: qa-bugs(a)suse.de Found By: --- Blocker: --- The phpPgSql tool shipped with openSuSE Leap15 does not support the shipped PostgreSQL version 10.3. Loggin into a 10.3 server ends up with this message: Ihre PostgreSQL-Version wird nicht unterstützt. Bitte stellen Sie Ihre Datenbank auf Version oder eine neuere Version um. I've tried to deinstal postgresql10-server and then install postgresql96-server, but postgresql10-server is an dependency of postgresql96-server and therefore this ends up in an installed postgres 10.3 server again. -- You are receiving this mail because: You are on the CC list for the bug.

1 5

[Bug 1165206] Xen 4.12 DomU hang / freeze / stall / NMI watchdog bug soft lockup CPU #0 stuck under high load / upstream with workaround
by bugzilla_noreply＠novell.com 04 May '20

04 May '20

http://bugzilla.suse.com/show_bug.cgi?id=1165206 http://bugzilla.suse.com/show_bug.cgi?id=1165206#c24 Dario Faggioli <dfaggioli(a)suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|IN_PROGRESS |RESOLVED Resolution|--- |FIXED --- Comment #24 from Dario Faggioli <dfaggioli(a)suse.com> --- (In reply to Glen Barney from comment #19) > Dario - > > I've been running this for a week now, and have not had any issues or > problems! Everything seems to be working just fine on my side, and I'll > continue running in this mode going forward! > So, based on this feedback, as well as on my own testing showing that the upstream patches are effective at solving the issue, I am closing this bug, declaring it fixed. -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1171044] New: Incomplete list of alsa audio inputs
by bugzilla_noreply＠novell.com 04 May '20

04 May '20

http://bugzilla.opensuse.org/show_bug.cgi?id=1171044 Bug ID: 1171044 Summary: Incomplete list of alsa audio inputs Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: x86-64 OS: openSUSE Factory Status: NEW Severity: Normal Priority: P5 - None Component: Sound Assignee: tiwai(a)suse.com Reporter: kv(a)kott.no-ip.biz QA Contact: qa-bugs(a)suse.de Found By: --- Blocker: --- Hi, The system is TW 20200501 alsa-1.2.2-2.1 kernel-default-5.6.6-1.1 I have Echo Gina 3G soundcard. With one of recent update (unfortunately this system is not on btrfs) it cannot be used as sound input with some apps, especially with JUCE-apps, like Tracktion Waveform. I guess these apps relies on naming aliases of subinterfaces, so how it look before update: part of arecord -L sysdefault:CARD=Gina3G Gina3G, Gina3G Default Audio Device front:CARD=Gina3G,DEV=0 Gina3G, Gina3G Front speakers rear:CARD=Gina3G,DEV=0 Gina3G, Gina3G Rear speakers center_lfe:CARD=Gina3G,DEV=0 Gina3G, Gina3G Center and Subwoofer speakers side:CARD=Gina3G,DEV=0 Gina3G, Gina3G Side speakers surround21:CARD=Gina3G,DEV=0 Gina3G, Gina3G 2.1 Surround output to Front and Subwoofer speakers surround40:CARD=Gina3G,DEV=0 Gina3G, Gina3G 4.0 Surround output to Front and Rear speakers surround41:CARD=Gina3G,DEV=0 Gina3G, Gina3G 4.1 Surround output to Front, Rear and Subwoofer speakers surround50:CARD=Gina3G,DEV=0 Gina3G, Gina3G 5.0 Surround output to Front, Center and Rear speakers surround51:CARD=Gina3G,DEV=0 Gina3G, Gina3G 5.1 Surround output to Front, Center, Rear and Subwoofer speakers surround71:CARD=Gina3G,DEV=0 Gina3G, Gina3G 7.1 Surround output to Front, Center, Side, Rear and Woofer speakers iec958:CARD=Gina3G,DEV=0 Gina3G, Gina3G IEC958 (S/PDIF) Digital Audio Output How it looks now: part of arecord -L default:CARD=Gina3G Gina3G, Gina3G Default Audio Device sysdefault:CARD=Gina3G Gina3G, Gina3G Default Audio Device rear:CARD=Gina3G,DEV=0 Gina3G, Gina3G Rear speakers center_lfe:CARD=Gina3G,DEV=0 Gina3G, Gina3G Center and Subwoofer speakers side:CARD=Gina3G,DEV=0 Gina3G, Gina3G Side speakers usbstream:CARD=Gina3G Gina3G USB Stream Output Card has two inputs which were bind to the: front:CARD=Gina3G,DEV=0 Gina3G, Gina3G Front speakers Now this section is absent. Though card works fine, and it possible to select input via alsa API. For workaround I've put defaults.namehint.extended on into .asoundrc so it's possible to use inputs named as: hw:CARD=Gina3G,DEV=0 Gina3G, Gina3G Direct hardware device without any conversions I didn't look into alsa changes deeply. But, is it expected behavior and users should reconfigure that part manually now? -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1171009] bleachbit update for Leap 15.2
by bugzilla_noreply＠novell.com 04 May '20

04 May '20

http://bugzilla.suse.com/show_bug.cgi?id=1171009 http://bugzilla.suse.com/show_bug.cgi?id=1171009#c5 Andreas Stieger <Andreas.Stieger(a)gmx.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|IN_PROGRESS |RESOLVED Resolution|--- |FIXED Assignee|ahz001(a)gmail.com |mvetter(a)suse.com --- Comment #5 from Andreas Stieger <Andreas.Stieger(a)gmx.de> --- so bleachbit should go in soon -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1164574] New: VUL-1: CVE-2020-9273: proftpd: possibility of corrupting memory pool by interrupting the data transfer channel
by bugzilla_noreply＠novell.com 04 May '20

04 May '20

http://bugzilla.opensuse.org/show_bug.cgi?id=1164574 Bug ID: 1164574 Summary: VUL-1: CVE-2020-9273: proftpd: possibility of corrupting memory pool by interrupting the data transfer channel Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.1 Hardware: Other URL: https://smash.suse.de/issue/253472/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: chris(a)computersalat.de Reporter: atoptsoglou(a)suse.com QA Contact: security-team(a)suse.de Found By: Security Response Team Blocker: --- CVE-2020-9273 In ProFTPD 1.3.7, it is possible to corrupt the memory pool by interrupting the data transfer channel. This triggers a use-after-free in alloc_pool in pool.c, and possible remote code execution. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-9273 http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-9273.html -- You are receiving this mail because: You are on the CC list for the bug.

1 4

[Bug 1168028] New: VUL-0: CVE-2020-1773: otrs: authenticated user might guess other session IDs based on its own
by bugzilla_noreply＠novell.com 04 May '20

04 May '20

http://bugzilla.opensuse.org/show_bug.cgi?id=1168028 Bug ID: 1168028 Summary: VUL-0: CVE-2020-1773: otrs: authenticated user might guess other session IDs based on its own Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.2 Hardware: Other URL: https://smash.suse.de/issue/256041/ OS: Other Status: NEW Severity: Minor Priority: P5 - None Component: Basesystem Assignee: chris(a)computersalat.de Reporter: abergmann(a)suse.com QA Contact: security-team(a)suse.de Found By: Security Response Team Blocker: --- CVE-2020-1773 It's possible that an authenticated user guess other session IDs based on its own. Also it's possible to guess a password reset token or an automated password generated. This issue affects ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS; 7.0.15 and prior versions. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1773 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1773 https://otrs.com/release-notes/otrs-security-advisory-2020-10/ -- You are receiving this mail because: You are on the CC list for the bug.

1 3

[Bug 1168029] New: VUL-0: CVE-2020-1772: otrs: Lost Password requests with wildcard values could allow attacker to retrieve valid Token
by bugzilla_noreply＠novell.com 04 May '20

04 May '20

http://bugzilla.opensuse.org/show_bug.cgi?id=1168029 Bug ID: 1168029 Summary: VUL-0: CVE-2020-1772: otrs: Lost Password requests with wildcard values could allow attacker to retrieve valid Token Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.2 Hardware: Other URL: https://smash.suse.de/issue/256040/ OS: Other Status: NEW Severity: Minor Priority: P5 - None Component: Basesystem Assignee: chris(a)computersalat.de Reporter: abergmann(a)suse.com QA Contact: security-team(a)suse.de Found By: Security Response Team Blocker: --- CVE-2020-1772 It's possible to craft Lost Password requests with wildcards in the Token value, which allows attacker to retrieve valid Token(s), generated by users which already requested new passwords. This issue affects: ((OTRS)) Community Edition 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1772 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1772 https://otrs.com/release-notes/otrs-security-advisory-2020-09/ -- You are receiving this mail because: You are on the CC list for the bug.

1 3

[Bug 1168030] New: VUL-0: CVE-2020-1771: otrs: Attacker is able craft an article with a link to the customer address book
by bugzilla_noreply＠novell.com 04 May '20

04 May '20

http://bugzilla.opensuse.org/show_bug.cgi?id=1168030 Bug ID: 1168030 Summary: VUL-0: CVE-2020-1771: otrs: Attacker is able craft an article with a link to the customer address book Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.2 Hardware: Other URL: https://smash.suse.de/issue/256039/ OS: Other Status: NEW Severity: Minor Priority: P5 - None Component: Basesystem Assignee: chris(a)computersalat.de Reporter: abergmann(a)suse.com QA Contact: security-team(a)suse.de Found By: Security Response Team Blocker: --- CVE-2020-1771 Attacker is able craft an article with a link to the customer address book with malicious content (JavaScript). When agent opens the link, JavaScript code is executed due to the missing parameter encoding. This issue affects: ((OTRS)) Community Edition: 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1771 http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1771.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1771 https://otrs.com/release-notes/otrs-security-advisory-2020-08/ -- You are receiving this mail because: You are on the CC list for the bug.

1 3