May 2020 - openSUSE Bugs - openSUSE Mailing Lists

[Bug 1168032] New: VUL-0: CVE-2020-1769: otrs: Username and Password fields use autocomplete
by bugzilla_noreply＠novell.com 04 May '20

04 May '20

http://bugzilla.opensuse.org/show_bug.cgi?id=1168032 Bug ID: 1168032 Summary: VUL-0: CVE-2020-1769: otrs: Username and Password fields use autocomplete Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.2 Hardware: Other URL: https://smash.suse.de/issue/256037/ OS: Other Status: NEW Severity: Minor Priority: P5 - None Component: Basesystem Assignee: chris(a)computersalat.de Reporter: abergmann(a)suse.com QA Contact: security-team(a)suse.de Found By: Security Response Team Blocker: --- CVE-2020-1769 In the login screens (in agent and customer interface), Username and Password fields use autocomplete, which might be considered as security issue. This issue affects: ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1769 http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1769.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1769 https://otrs.com/release-notes/otrs-security-advisory-2020-06/ -- You are receiving this mail because: You are on the CC list for the bug.

1 3

[Bug 1168031] New: VUL-0: CVE-2020-1770: otrs: Support bundle generated files could contain sensitive information that might be unwanted to be disclosed
by bugzilla_noreply＠novell.com 04 May '20

04 May '20

http://bugzilla.opensuse.org/show_bug.cgi?id=1168031 Bug ID: 1168031 Summary: VUL-0: CVE-2020-1770: otrs: Support bundle generated files could contain sensitive information that might be unwanted to be disclosed Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.2 Hardware: Other URL: https://smash.suse.de/issue/256038/ OS: Other Status: NEW Severity: Minor Priority: P5 - None Component: Basesystem Assignee: chris(a)computersalat.de Reporter: abergmann(a)suse.com QA Contact: security-team(a)suse.de Found By: Security Response Team Blocker: --- CVE-2020-1770 Support bundle generated files could contain sensitive information that might be unwanted to be disclosed. This issue affects: ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1770 http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1770.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1770 https://otrs.com/release-notes/otrs-security-advisory-2020-07/ -- You are receiving this mail because: You are on the CC list for the bug.

1 2

[Bug 1133084] [META] GCC + LTO package failures
by bugzilla_noreply＠novell.com 04 May '20

04 May '20

http://bugzilla.novell.com/show_bug.cgi?id=1133084 Bug 1133084 depends on bug 1141762, which changed state. Bug 1141762 Summary: LTO causes jack to crash http://bugzilla.novell.com/show_bug.cgi?id=1141762 What |Removed |Added ---------------------------------------------------------------------------- Status|IN_PROGRESS |RESOLVED Resolution|--- |FIXED -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1141762] LTO causes jack to crash
by bugzilla_noreply＠novell.com 04 May '20

04 May '20

http://bugzilla.novell.com/show_bug.cgi?id=1141762 http://bugzilla.novell.com/show_bug.cgi?id=1141762#c39 Dave Plater <davejplater(a)gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|IN_PROGRESS |RESOLVED Resolution|--- |FIXED --- Comment #39 from Dave Plater <davejplater(a)gmail.com> --- The macro disabling LTO has been silently removed from the spec file a while ago and no one has experienced any bad effects so I'm closing this as fixed. -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1170443] su seems to not work any more
by bugzilla_noreply＠novell.com 04 May '20

04 May '20

http://bugzilla.suse.com/show_bug.cgi?id=1170443 http://bugzilla.suse.com/show_bug.cgi?id=1170443#c18 Josef Möllers <josef.moellers(a)suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|IN_PROGRESS |RESOLVED Resolution|--- |FIXED Flags|needinfo?(rainer.klier@gmx. | |at) | --- Comment #18 from Josef Möllers <josef.moellers(a)suse.com> --- (In reply to Rainer Klier from comment #17) > (In reply to Josef Möllers from comment #16) > > (In reply to Rainer Klier from comment #13) > > > (In reply to Stanislav Brabec from comment #12) > > > > Does your su binary have SUID flag? > > > > > > no: > > > "ll /usr/bin/su" > > > -rwxr-xr-x 1 root root 51320 15. Apr 20:10 /usr/bin/su > > > > Can you please try to change that to > > -rwsr-xr-x 1 root root 51320 15. Apr 20:10 /usr/bin/su > > eg by "chmod 4755 /usr/bin/su" and try to reproduce the error? > > it works now! :-D Good news. > "ll /usr/bin/su" > -rwsr-xr-x 1 root root 51320 Apr 15 20:10 /usr/bin/s > > also kdesu works. > > thanks. > so, could it be, that an update on 2020-04-24 changed the SUID flag on the > su command? This is highly unlikely: 1) It would need to be changed explicitly in the package's build infrastructure 2) As packages are tested before being released, this would definitely have shown up in these tests. So, in a nutshell: I'm (really!) afraid we won't know what the root cause for this problem is. So I'm closing this bug as FIXED. If you feel this is incorrect, please re-open. -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1120410] No LVM snapshots support in yast-storage-ng
by bugzilla_noreply＠novell.com 04 May '20

04 May '20

http://bugzilla.suse.com/show_bug.cgi?id=1120410 http://bugzilla.suse.com/show_bug.cgi?id=1120410#c11 Arvin Schnell <aschnell(a)suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|CONFIRMED |IN_PROGRESS --- Comment #11 from Arvin Schnell <aschnell(a)suse.com> --- We are now working on adding support for LVM snapshots. For the time being this will only allow to detect/probe and use snapshots but not to create them. -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1171040] VUL-0: CVE-2020-12625: roundcubemail: XSS vulnerability in rcube_washtml.php
by bugzilla_noreply＠novell.com 04 May '20

04 May '20

http://bugzilla.suse.com/show_bug.cgi?id=1171040 Maintenance Robot <maint-coord+maintenance_robot(a)suse.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|P5 - None |P3 - Medium -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1171039] VUL-0: CVE-2020-12626: roundcubemail: CSRF attack may lead to logging out an authenticated user
by bugzilla_noreply＠novell.com 04 May '20

04 May '20

http://bugzilla.suse.com/show_bug.cgi?id=1171039 Maintenance Robot <maint-coord+maintenance_robot(a)suse.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|P5 - None |P3 - Medium -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1170461] susefirewall2-to-firewalld says invalid port
by bugzilla_noreply＠novell.com 04 May '20

04 May '20

http://bugzilla.suse.com/show_bug.cgi?id=1170461 http://bugzilla.suse.com/show_bug.cgi?id=1170461#c11 Matthias Gerstner <matthias.gerstner(a)suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|IN_PROGRESS |RESOLVED Resolution|--- |FIXED --- Comment #11 from Matthias Gerstner <matthias.gerstner(a)suse.com> --- I have submitted updates for Tumbleweed and one for SLE/Leap. The latter one will take a while longer until it can be installed by users. I'm closing this bug in the meantime. I've also opened a PR in our openSUSE GitHub repo: https://github.com/openSUSE/susefirewall2-to-firewalld/pull/9 However, there is probably nobody around that still manages this repo. And I personally don't intend to take over official maintenance of this package. -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1171040] New: VUL-0: CVE-2020-12625: roundcubemail: XSS vulnerability in rcube_washtml.php
by bugzilla_noreply＠novell.com 04 May '20

04 May '20

http://bugzilla.opensuse.org/show_bug.cgi?id=1171040 Bug ID: 1171040 Summary: VUL-0: CVE-2020-12625: roundcubemail: XSS vulnerability in rcube_washtml.php Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.1 Hardware: Other URL: https://smash.suse.de/issue/258956/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: aj(a)ajaissle.de Reporter: atoptsoglou(a)suse.com QA Contact: security-team(a)suse.de Found By: Security Response Team Blocker: --- CVE-2020-12625 An issue was discovered in Roundcube Webmail before 1.4.4. There is a cross-site scripting (XSS) vulnerability in rcube_washtml.php because JavaScript code can occur in the CDATA of an HTML message. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-12625 https://github.com/roundcube/roundcubemail/releases/tag/1.4.4 https://github.com/roundcube/roundcubemail/compare/1.4.3...1.4.4 https://github.com/roundcube/roundcubemail/commit/87e4cd0cf2c550e77586860b9… http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12625 -- You are receiving this mail because: You are on the CC list for the bug.

1 0