December 2021 - openSUSE Bugs - openSUSE Mailing Lists

[Bug 1088738] New: xhost setting fails to have affect in /etc/gdm/Xsession --- "no protocol specified"
by bugzilla_noreply＠novell.com 31 Mar '23

31 Mar '23

http://bugzilla.opensuse.org/show_bug.cgi?id=1088738 Bug ID: 1088738 Summary: xhost setting fails to have affect in /etc/gdm/Xsession --- "no protocol specified" Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Major Priority: P5 - None Component: GNOME Assignee: bnc-team-gnome(a)forge.provo.novell.com Reporter: noah(a)chromakey.io QA Contact: qa-bugs(a)suse.de Found By: --- Blocker: --- line 154 xhost+ si:localuser ... needs to be in /etc/X11/xinit/xinitrc.d/what-ever.sh ... ... or maybe somewhere else all I know is that in Xsession it fails to have any affect ... effectively breaking the X11 gnome access for remote logins/ssh/etc. I'd expect a lot of bug reports of people angry, confused .. and complaining about "no protocol specified" errors. Thanks! -noah -- You are receiving this mail because: You are on the CC list for the bug.

2 3

[Bug 1160249] New: VNC issues (meta bug)
by bugzilla_noreply＠novell.com 31 Mar '23

31 Mar '23

http://bugzilla.suse.com/show_bug.cgi?id=1160249 Bug ID: 1160249 Summary: VNC issues (meta bug) Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: X.Org Assignee: xorg-maintainer-bugs(a)forge.provo.novell.com Reporter: sndirsch(a)suse.com QA Contact: xorg-maintainer-bugs(a)forge.provo.novell.com Found By: --- Blocker: --- VNC issues (meta bug) -- You are receiving this mail because: You are on the CC list for the bug.

2 62

[Bug 1193579] New: Lifearea misses python3-cairo dependency
by bugzilla_noreply＠suse.com 31 Mar '23

31 Mar '23

http://bugzilla.opensuse.org/show_bug.cgi?id=1193579 Bug ID: 1193579 Summary: Lifearea misses python3-cairo dependency Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.3 Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: X11 Applications Assignee: screening-team-bugs(a)suse.de Reporter: bluedzins(a)wp.pl QA Contact: qa-bugs(a)suse.de Found By: --- Blocker: --- Lifearea misses python3-cairo dependency, without using TrayIcon plugin is impossible, and in turn it is not possible to close&stay Lifera window, which for such type of the program is basically a must. For the record -- my report in Lifearea github: https://github.com/lwindolf/liferea/issues/1025 -- You are receiving this mail because: You are on the CC list for the bug.

1 4

[Bug 1184334] New: Missing translation fixes for YaST and Welcome screen
by bugzilla_noreply＠suse.com 30 Mar '23

30 Mar '23

http://bugzilla.opensuse.org/show_bug.cgi?id=1184334 Bug ID: 1184334 Summary: Missing translation fixes for YaST and Welcome screen Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.3 Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Translations Assignee: ke(a)suse.com Reporter: noga.dany(a)gmail.com QA Contact: ke(a)suse.com Found By: --- Blocker: --- openSUSE-Leap-15.3-DVD-x86_64-Build117.13-Media.iso During installation via YaST with Czech translation I saw strange czech text "Zm��rn��n�� CPU" . I wanted to fix it, but it looks correct here https://l10n.opensuse.org/translate/yast-installation/master/cs/?checksum=6… Another wrong translation was with Welcome screen, where is czech text "Uk��zat p��i p��t��m sup��t��n��", where is typo, which I fixed almost year ago: https://l10n.opensuse.org/translate/opensuse-welcome/master/cs/?checksum=f7… -- You are receiving this mail because: You are on the CC list for the bug.

1 2

[Bug 1185441] New: "system is compromised" during boot after grub2+shim update
by bugzilla_noreply＠suse.com 30 Mar '23

30 Mar '23

https://bugzilla.suse.com/show_bug.cgi?id=1185441 Bug ID: 1185441 Summary: "system is compromised" during boot after grub2+shim update Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.2 Hardware: Other OS: Linux Status: NEW Severity: Normal Priority: P5 - None Component: Bootloader Assignee: screening-team-bugs(a)suse.de Reporter: robert.simai(a)suse.com QA Contact: qa-bugs(a)suse.de Found By: --- Blocker: --- I installed the most recent kernel-default-5.3.18-lp152.72.1.x86_64 shim-15.4-lp152.4.8.1.x86_64 grub2-2.04-lp152.7.25.1.x86_64 on my Dell Precision 3620 this week and rebooted as required. The system doesn't come up but shows "system is compromised" for a second, followed by power down. If I change from "UEFI with secure boot" to "UEFI without secure boot" it behaves well again and just boots. I've set "mokutil --set-verbosity true" as advised which outputs a lot of messages, I unfortunately have no serial console at hand to connect and save them. I'll try to attach a video from the screen that shows the boot process and messages. -- You are receiving this mail because: You are on the CC list for the bug.

1 33

[Bug 1186315] New: Flatpak packages installed without pre-configured repo, making "out-of-the-box" usage impossible
by bugzilla_noreply＠suse.com 30 Mar '23

30 Mar '23

http://bugzilla.opensuse.org/show_bug.cgi?id=1186315 Bug ID: 1186315 Summary: Flatpak packages installed without pre-configured repo, making "out-of-the-box" usage impossible Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.2 Hardware: x86-64 OS: openSUSE Leap 15.2 Status: NEW Severity: Enhancement Priority: P5 - None Component: Other Assignee: screening-team-bugs(a)suse.de Reporter: blst(a)arcor.de QA Contact: qa-bugs(a)suse.de Found By: --- Blocker: --- Flatpak's goal to make software installation easier on Linux systems. This approach was also designed for less experienced users. But the way it is implemented in Leap 15.2 makes it hard to use. 1) It is not installed per default (other distributions install the packages during the setup process) 2) The user can install the Flatpak system via the package manager, but after the installation it requires additional configuration. It seems that there are no Flatpak repos configured per default. The main source for Flakpak is flathub.org. To make at least the install command lines at Flathub working, I had to >flatpak remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo Suggestion a) add the Flathub repo per default or b) make a seperate flathub.org repo installation package available -- You are receiving this mail because: You are on the CC list for the bug.

1 3

[Bug 1188023] New: GNOME:Apps/fractal:
by bugzilla_noreply＠suse.com 30 Mar '23

30 Mar '23

http://bugzilla.opensuse.org/show_bug.cgi?id=1188023 Bug ID: 1188023 Summary: GNOME:Apps/fractal: Classification: openSUSE Product: openSUSE.org Version: unspecified Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: 3rd party software Assignee: os.gnome.maintainers(a)gmail.com Reporter: william.brown(a)suse.com QA Contact: screening-team-bugs(a)suse.de Found By: --- Blocker: --- I've recently started a project to automatically scan for potential security issues in rust packages with cargo audit. I noticed the following on fractal: * RUSTSEC-2021-0026 -> crate: comrak, cvss: None, class: ['format-injection'] * RUSTSEC-2021-0063 -> crate: comrak, cvss: None, class: ['format-injection'] * RUSTSEC-2020-0060 -> crate: futures-task, cvss: None, class: ['code-execution', 'memory-corruption'] * RUSTSEC-2020-0059 -> crate: futures-util, cvss: None, class: ['thread-safety'] * RUSTSEC-2020-0146 -> crate: generic-array, cvss: None, class: ['memory-corruption'] * RUSTSEC-2021-0020 -> crate: hyper, cvss: None, class: ['format-injection'] Most of these should be able to be resolved with cargo update and re-vendoring the dependencies. Alternately upstream may have released a Cargo.toml/Cargo.lock with updates for this. It would be great if you could look into updating and resolving these :) Thank you! -- more info https://github.com/openSUSE/obs-service-cargo_audit/blob/main/README.md https://en.opensuse.org/Packaging_Rust_Software -- You are receiving this mail because: You are on the CC list for the bug.

1 2

[Bug 1175219] New: OpenVPN fails with certificates on smart cards on Leap 15.2 and TW
by bugzilla_noreply＠suse.com 29 Mar '23

29 Mar '23

https://bugzilla.suse.com/show_bug.cgi?id=1175219 Bug ID: 1175219 Summary: OpenVPN fails with certificates on smart cards on Leap 15.2 and TW Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.2 Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: security-team(a)suse.de Reporter: bjoernv(a)arcor.de QA Contact: qa-bugs(a)suse.de Found By: --- Blocker: --- After upgrading from Leap 15.1 to Leap 15.2 working OpenVPN setups with PKCS11 certificates on Yubikeys are failing. The same applies to openSUSE Tumbleweed. Also other smart card devices may be affected. OpenVPN does not show many details, even with highest logging level. # openvpn --cd /etc/openvpn --config openvpn-yubikey-test.ovpn [...] Thu Aug 13 10:21:21 2020 VERIFY OK: depth=1, CN=Test CA Thu Aug 13 10:21:21 2020 VERIFY KU OK Thu Aug 13 10:21:21 2020 Validating certificate extended key usage Thu Aug 13 10:21:21 2020 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication Thu Aug 13 10:21:21 2020 VERIFY EKU OK Thu Aug 13 10:21:21 2020 VERIFY OK: depth=0, CN=host1.example.com Thu Aug 13 10:21:21 2020 OpenSSL: error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib Thu Aug 13 10:21:21 2020 TLS_ERROR: BIO read tls_read_plaintext error Thu Aug 13 10:21:21 2020 TLS Error: TLS object -> incoming plaintext read error Thu Aug 13 10:21:21 2020 TLS Error: TLS handshake failed Thu Aug 13 10:21:21 2020 Fatal TLS error (check_tls_errors_co), restarting Thu Aug 13 10:21:21 2020 SIGUSR1[soft,tls-error] received, process restarting Thu Aug 13 10:21:21 2020 Restart pause, 5 second(s) The bug can be resolved by upgrading the pkcs11-helper packages from pkcs11-helper-1.25.1 to pkcs11-helper-devel-1.26.0. # openvpn --cd /etc/openvpn --config openvpn-yubikey-test.ovpn [...] Thu Aug 13 10:32:36 2020 VERIFY OK: depth=1, CN=Test CA Thu Aug 13 10:32:36 2020 VERIFY KU OK Thu Aug 13 10:32:36 2020 Validating certificate extended key usage Thu Aug 13 10:32:36 2020 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication Thu Aug 13 10:32:36 2020 VERIFY EKU OK Thu Aug 13 10:32:36 2020 VERIFY OK: depth=0, CN=host1.example.com Enter user1 token Password: (press TAB for no echo) There is a problem with inconsistent padding between OpenSSL 1.1.1 and pkcs11-helper-1.25.1. The details are described here: http://openssl.6102.n7.nabble.com/Issue-with-smartcard-authentication-for-o… The pkcs11-helper-devel-1.26.0 Changelog contains this line: - openssl: support RSA_NO_PADDING padding, thanks to Selva Nair -- You are receiving this mail because: You are on the CC list for the bug.

1 8

[Bug 1157881] New: mount.nfs improve error reporting: "Connection *WHERE*TO* timed out"
by bugzilla_noreply＠novell.com 29 Mar '23

29 Mar '23

http://bugzilla.opensuse.org/show_bug.cgi?id=1157881 Bug ID: 1157881 Summary: mount.nfs improve error reporting: "Connection *WHERE*TO* timed out" Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: All OS: Other Status: NEW Severity: Minor Priority: P5 - None Component: Network Assignee: bnc-team-screening(a)forge.provo.novell.com Reporter: 7eggert(a)gmx.de QA Contact: qa-bugs(a)suse.de Found By: --- Blocker: --- When one of the nfs mounts times out, it gets reported as "Connection timed out". This is semi-helpful and thus semi-qualifies as a bug as well as a feature request. Please forward this to upstream. (Also not being able to mount triggers a bug in systemd to unmount unrelated mounts. One of my nfs servers is currently unresponsive but the other servers do work, yet systemd unmounts several other mounts. mount.nfs not reporting the cause didn't help me to find the cause.) -- You are receiving this mail because: You are on the CC list for the bug.

2 1

[Bug 1127591] New: zypper option "ssl_capath" not working for mirror URLs from metalink file
by bugzilla_noreply＠novell.com 28 Mar '23

28 Mar '23

http://bugzilla.opensuse.org/show_bug.cgi?id=1127591 Bug ID: 1127591 Summary: zypper option "ssl_capath" not working for mirror URLs from metalink file Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.0 Hardware: x86-64 OS: SUSE Other Status: NEW Severity: Normal Priority: P5 - None Component: libzypp Assignee: zypp-maintainers(a)forge.provo.novell.com Reporter: cunix(a)bitmessage.ch QA Contact: qa-bugs(a)suse.de CC: security-team(a)suse.de Found By: --- Blocker: --- Using zypper (version: 1.14.12) for the update repository of openSUSE Leap 15.0 with the option baseurl=https://download.opensuse.org/update/leap/15.0/oss/?proxy=127.0.0.1… does not use the here configured trusted root certificates for mirror URLs, probably retrieved from a metalink file. The configured path is used for the initial connection to download.opensuse.org but following requests to mirrors seem to fallback to the system trusted certs from /etc/ssl/certs. If the mirrors' root CA is trusted in "ssl_capath=/path/to/directory/with/c_rehash/rootCAs" but not in /etc/ssl/certs, zypper,libzypp, multi-curl or something else aborts the TLS-Handshake with failure "Unknown CA (48)" and falls futher back to http (without transport layer encryption). Question for cc'ed security-team to answer: If using clear text is considered a security flaw where zypper is configured to use (https-)encryption, this might have security implications. Some Scenarios: Assume download.opensuse.org is signed by CA A and the mirror by CA B Assume further, ssl_capath=/path/to/directory/with/c_rehash/rootCAs is directory C and directory D is /etc/ssl/certs 1. If C includes A and B and in D at least B is not available, I would expect zypper to encrypt both connection, but the request to the mirror is not. 2. If A is not in C, no data (meta link file) is retrieved and therefore no mirror is connected - Good! No fallback of looking for A in D occurs. 3. If A is in C and B in D, both connections are encrypted. 4. If A is in C and B not in C and not in D, the mirror is contacted unencrypted - here I'm unsure if using plain text in this scenario is correct or if it should fail. So, in my opinion, 1. is the bug, 3. a workaround and 4. perhaps needs a zypper option to configure, if clear text fallback should be allowed. Another question is, if /etc/ssl/certs should actually be consulted when the option "ssl_capath" is used and pointing to a different directory. https://bugzilla.opensuse.org/show_bug.cgi?id=933839 might be related (similar setup). Problem and solution might be similar, too. By the way, is there a debugging option to dump the traffic from inside the encrypted connection? Especially being able to read the metalink file with the listed mirrors is of interest. -- You are receiving this mail because: You are on the CC list for the bug.

2 7