October 2022 - openSUSE Bugs - openSUSE Mailing Lists

[Bug 1195018] New: VUL-0: CVE-2022-23808: phpMyAdmin: Multiple XSS and HTML injection attacks in setup script (PMASA-2022-2)
by bugzilla_noreply＠suse.com 15 Feb '23

15 Feb '23

http://bugzilla.opensuse.org/show_bug.cgi?id=1195018 Bug ID: 1195018 Summary: VUL-0: CVE-2022-23808: phpMyAdmin: Multiple XSS and HTML injection attacks in setup script (PMASA-2022-2) Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.3 Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: chris(a)computersalat.de Reporter: Andreas.Stieger(a)gmx.de QA Contact: security-team(a)suse.de CC: chris(a)computersalat.de, lang(a)b1-systems.de Found By: --- Blocker: --- It was discovered that phpMyAdmin versions prior to 5.1.2 are vulnerable to multiple XSS and HTML injection attacks in setup script. A series of weaknesses has been discovered that could allow an attacker to inject malicious code in to aspects of the setup script, which can allow XSS or HTML injection. Considered moderate upstream. If a configuration file config.inc.php exists these issues are mitigated. References: https://www.phpmyadmin.net/security/PMASA-2022-2/ https://github.com/phpmyadmin/phpmyadmin/commit/5118acce1dfcdb09cbc0f73927b… https://github.com/phpmyadmin/phpmyadmin/commit/44eb12f15a562718bbe54c9a16a… -- You are receiving this mail because: You are on the CC list for the bug.

1 7

[Bug 1195017] New: VUL-1: CVE-2022-23807: phpMyAdmin: Two factor authentication bypass (PMASA-2022-1)
by bugzilla_noreply＠suse.com 15 Feb '23

15 Feb '23

http://bugzilla.opensuse.org/show_bug.cgi?id=1195017 Bug ID: 1195017 Summary: VUL-1: CVE-2022-23807: phpMyAdmin: Two factor authentication bypass (PMASA-2022-1) Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.3 Hardware: Other OS: Other Status: NEW Severity: Minor Priority: P5 - None Component: Security Assignee: chris(a)computersalat.de Reporter: Andreas.Stieger(a)gmx.de QA Contact: security-team(a)suse.de CC: chris(a)computersalat.de, lang(a)b1-systems.de Found By: --- Blocker: --- It was discovered that version of phpMyAdmin prior to 4.9.8 and 5.1.2 are subject to a bypass of two-factor authentication. There is a sequence of actions a valid user can take that will allow them to bypass two factor authentication for that account. A user must first connect to phpMyAdmin (presumably using their two factor authentication method) in order to prepare their account for the bypass. Note that a user is still able to disable two factor authentication through conventional means; this only addresses an unintentional security weakness in how phpMyAdmin processes a user's two factor status. References: https://www.phpmyadmin.net/security/PMASA-2022-1/ https://github.com/phpmyadmin/phpmyadmin/commit/ca54f1db050859eb8555875c6aa… -- You are receiving this mail because: You are on the CC list for the bug.

1 8

[Bug 1167519] New: VUL-1: CVE-2020-10870: zim: creates temporary directories with predictable names, enabling malicious users to prevent other users from being able to start Zim
by bugzilla_noreply＠novell.com 15 Feb '23

15 Feb '23

http://bugzilla.opensuse.org/show_bug.cgi?id=1167519 Bug ID: 1167519 Summary: VUL-1: CVE-2020-10870: zim: creates temporary directories with predictable names, enabling malicious users to prevent other users from being able to start Zim Classification: openSUSE Product: openSUSE Distribution Version: Leap 42.3 Hardware: Other URL: https://smash.suse.de/issue/255622/ OS: Other Status: NEW Severity: Minor Priority: P5 - None Component: Security Assignee: luke(a)ljones.dev Reporter: wolfgang.frisch(a)suse.com QA Contact: security-team(a)suse.de Found By: Security Response Team Blocker: --- CVE-2020-10870 Zim through 0.72.1 creates temporary directories with predictable names. A malicious user could predict and create Zim's temporary directories and prevent other users from being able to start Zim, resulting in a denial of service. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-10870 https://github.com/zim-desktop-wiki/zim-desktop-wiki/issues/1028 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10870 -- You are receiving this mail because: You are on the CC list for the bug.

2 2

[Bug 1201510] New: libvirt must make use of nftables instead of iptables (if not already) and also reflect this in BuildRequires
by bugzilla_noreply＠suse.com 14 Feb '23

14 Feb '23

https://bugzilla.suse.com/show_bug.cgi?id=1201510 Bug ID: 1201510 Summary: libvirt must make use of nftables instead of iptables (if not already) and also reflect this in BuildRequires Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Virtualization:Tools Assignee: virt-bugs(a)suse.de Reporter: trenn(a)suse.com QA Contact: qa-bugs(a)suse.de Found By: --- Blocker: --- We want to drop iptables support for the future in favor of nftables. firewalld already seem to make use of nftables and this has been fixed in dependencies: Thu Mar 3 14:26:57 UTC 2022 - Thorsten Kukuk <kukuk(a)suse.com> - Cleanup dependencies: - ipset, ebtables and iptables are purely optional and deprecated, so don't require them zypper search --requires iptables shows these libvirt related pacakges: i | libvirt-daemon-driver-network | Network driver plugin for the i | libvirt-daemon-driver-nwfilter | A nwfilter driver plugin for Can the dependencies (possibly also BuildRequires:) be fixes to not make use of iptables, please. -- You are receiving this mail because: You are on the CC list for the bug.

1 5

[Bug 1203938] New: Console: middle mouse button paste doesn't work + can't type after right-click paste without left-clicking the window again after pasting
by bugzilla_noreply＠suse.com 14 Feb '23

14 Feb '23

http://bugzilla.opensuse.org/show_bug.cgi?id=1203938 Bug ID: 1203938 Summary: Console: middle mouse button paste doesn't work + can't type after right-click paste without left-clicking the window again after pasting Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: x86-64 OS: openSUSE Tumbleweed Status: NEW Severity: Normal Priority: P5 - None Component: GNOME Assignee: gnome-bugs(a)suse.de Reporter: c.j(a)tuta.io QA Contact: qa-bugs(a)suse.de Found By: --- Blocker: --- 2 PROBLEMS (with the Console terminal app): (using X11, Gnome TW). 1. middle mouse click paste doesn't work 2. after right click (popup menu) paste I can't type. -> after pasting something I always have to left click to be able to type. EXPECTED BEHAVIOR: 1. middle click should paste (like in every other app. It works in gnome-terminal). 2. After pasting with right click (popup menu) we should be able to immediately start typing (like gnome-terminal and everywhere else). Thanks. -- You are receiving this mail because: You are on the CC list for the bug.

1 2

[Bug 1197063] New: VUL-0: CVE-2022-24128: timescaledb: allow privilege escalation during extension installation
by bugzilla_noreply＠suse.com 14 Feb '23

14 Feb '23

http://bugzilla.opensuse.org/show_bug.cgi?id=1197063 Bug ID: 1197063 Summary: VUL-0: CVE-2022-24128: timescaledb: allow privilege escalation during extension installation Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.4 Hardware: Other URL: https://smash.suse.de/issue/326113/ OS: Other Status: NEW Severity: Minor Priority: P5 - None Component: Basesystem Assignee: bruno(a)ioda-net.ch Reporter: abergmann(a)suse.com QA Contact: security-team(a)suse.de Found By: Security Response Team Blocker: --- CVE-2022-24128 Timescale TimescaleDB 1.x and 2.x before 2.5.2 may allow privilege escalation during extension installation. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-24128 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24128 http://www.cvedetails.com/cve/CVE-2022-24128/ https://docs.timescale.com/timescaledb/latest/overview/release-notes/ -- You are receiving this mail because: You are on the CC list for the bug.

1 2

[Bug 1200544] New: xbell no longer working
by bugzilla_noreply＠suse.com 14 Feb '23

14 Feb '23

http://bugzilla.opensuse.org/show_bug.cgi?id=1200544 Bug ID: 1200544 Summary: xbell no longer working Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.4 Hardware: x86-64 OS: openSUSE Leap 15.4 Status: NEW Severity: Normal Priority: P5 - None Component: Other Assignee: screening-team-bugs(a)suse.de Reporter: agesen(a)cs.stanford.edu QA Contact: qa-bugs(a)suse.de Found By: --- Blocker: --- I updated from 15.3 to 15.4 and all is well, well :-) mostly. Sound works when playing video in firefox, when playing musing with mplayer, etc. But xbell is no longer to be heard. I miss "vi" baking a beep when I hit escape at the wrong time. I miss xbiff making a sound when an email arrives (there is no sound but it still changes the icon to flag-up). How may we go about debugging missing "system sound" (or whatever it is? Just to clarify, I have checked pavucontrol and tried fiddling with all the sliders. No difference. Please let me know if I can upload log files that may help. Thanks, Ole Dell Inspiron from 2011ish. -- You are receiving this mail because: You are on the CC list for the bug.

1 5

[Bug 1195315] New: phpMyAdmin has issues with MariaDB privilege tables.
by bugzilla_noreply＠suse.com 13 Feb '23

13 Feb '23

http://bugzilla.opensuse.org/show_bug.cgi?id=1195315 Bug ID: 1195315 Summary: phpMyAdmin has issues with MariaDB privilege tables. Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.3 Hardware: 64bit OS: openSUSE Leap 15.3 Status: NEW Severity: Major Priority: P5 - None Component: Apache Assignee: bnc-team-apache(a)forge.provo.novell.com Reporter: zombie.ryushu(a)zoho.com QA Contact: qa-bugs(a)suse.de Found By: --- Blocker: --- OpenSuse ships with a version of phpMyAdmin that does not handle privilege management in versions of MariaDB after 10.3. This is because MariaDB has deprecated the use of the mysql.user table and turned it into a view, resulting in broken privilege tables. -- You are receiving this mail because: You are on the CC list for the bug.

1 1

[Bug 1180471] New: diff-pdf has incorrect description in manpage
by bugzilla_noreply＠suse.com 13 Feb '23

13 Feb '23

http://bugzilla.opensuse.org/show_bug.cgi?id=1180471 Bug ID: 1180471 Summary: diff-pdf has incorrect description in manpage Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: All Status: NEW Severity: Normal Priority: P5 - None Component: Other Assignee: munix9(a)googlemail.com Reporter: bwiedemann(a)suse.com QA Contact: qa-bugs(a)suse.de Blocks: 1047218 Found By: Development Blocker: --- While working on reproducible builds for openSUSE, I found that our diff-pdf package varies across builds: +++ /usr/share/man/man1/diff-pdf.1 .SH DESCRIPTION -18:55:41: Error: Unable to initialize GTK+, is DISPLAY set properly? +08:12:21: Error: Unable to initialize GTK+, is DISPLAY set properly? This comes from help2man. -- You are receiving this mail because: You are on the CC list for the bug.

1 5

[Bug 1200030] New: slurmd can't load plugins
by bugzilla_noreply＠suse.com 13 Feb '23

13 Feb '23

https://bugzilla.suse.com/show_bug.cgi?id=1200030 Bug ID: 1200030 Summary: slurmd can't load plugins Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Network Assignee: screening-team-bugs(a)suse.de Reporter: cgoll(a)suse.com QA Contact: qa-bugs(a)suse.de Found By: --- Blocker: --- Sicne some time the slurm rpm packages does not work any more in openSUSE tumbleweed. If a service should be started one gets following error: ``` slurmd: error: plugin_load_from_file: dlopen(/usr/lib64/slurm/select_linear.so): /usr/lib64/slurm/select_linear.so: undefined symbol: gres_ctld_job_build_details slurmd: error: Couldn't load specified plugin name for select/linear: Dlopen of plugin file failed slurmd: fatal: Can't find plugin for select/linear ``` This is not related to slurm itself, as if the package is compiled on the machine itself, everything works fine. (Used the *exact* same ./configure for building includng $CFLAGS.) This must have something to do with the symbol stripping in Tumblweed, the leap packages work fine. Any comments? -- You are receiving this mail because: You are on the CC list for the bug.

1 12