December 2022 - openSUSE Bugs - openSUSE Mailing Lists

[Bug 1206018] VUL-0: CVE-2021-37533: apache-commons-net: FTP client trusts the host from PASV response by default
by bugzilla_noreply＠suse.com 05 Dec '22

05 Dec '22

https://bugzilla.suse.com/show_bug.cgi?id=1206018 Maintenance Automation <maint-coord+maintenance-robot(a)suse.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|P5 - None |P3 - Medium -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1206018] New: VUL-0: CVE-2021-37533: apache-commons-net: FTP client trusts the host from PASV response by default
by bugzilla_noreply＠suse.com 05 Dec '22

05 Dec '22

http://bugzilla.opensuse.org/show_bug.cgi?id=1206018 Bug ID: 1206018 Summary: VUL-0: CVE-2021-37533: apache-commons-net: FTP client trusts the host from PASV response by default Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.4 Hardware: Other URL: https://smash.suse.de/issue/349715/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: fstrba(a)suse.com Reporter: thomas.leroy(a)suse.com QA Contact: security-team(a)suse.de Found By: Security Response Team Blocker: --- CVE-2021-37533 Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711. Upstream fix: https://github.com/apache/commons-net/commit/b0bff89f70cfea70009e22f8763981… References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-37533 https://seclists.org/oss-sec/2022/q4/167 http://www.openwall.com/lists/oss-security/2022/12/03/1 https://www.cve.org/CVERecord?id=CVE-2021-37533 http://www.cvedetails.com/cve/CVE-2021-37533/ https://lists.apache.org/thread/o6yn9r9x6s94v97264hmgol1sf48mvx7 -- You are receiving this mail because: You are on the CC list for the bug.

1 1

[Bug 1205478] New: python3-pip: Upgrade needed to fix pip installations using pyproject.toml
by bugzilla_noreply＠suse.com 05 Dec '22

05 Dec '22

https://bugzilla.suse.com/show_bug.cgi?id=1205478 Bug ID: 1205478 Summary: python3-pip: Upgrade needed to fix pip installations using pyproject.toml Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Other Assignee: screening-team-bugs(a)suse.de Reporter: dheidler(a)suse.com QA Contact: qa-bugs(a)suse.de Found By: --- Blocker: --- When running "python3 setup.py install" there is a deprecation warning as using setup.py seems to get deprecated in favor of using "pyproject.toml" using pip. The new way is running "sudo pip install ." in the git root where the pyproject.toml is. This however doesn't work because it is broken in the currently newest packaged version of python3-pip (22.0.4) - the issue doesn't happen eg. in an archlinux container with pip 22.3.1: sudo pip install . [sudo] Passwort f�r root: Processing /home/dheidler/devel/wifi_autologin Installing build dependencies ... done Getting requirements to build wheel ... done Preparing metadata (pyproject.toml) ... done Requirement already satisfied: requests in /usr/lib/python3.10/site-packages (from wifi-autologin==0.0.1) (2.28.1) Requirement already satisfied: certifi>=2017.4.17 in /usr/lib/python3.10/site-packages (from requests->wifi-autologin==0.0.1) (2021.10.8) Requirement already satisfied: charset_normalizer<4,>=2 in /usr/lib/python3.10/site-packages (from requests->wifi-autologin==0.0.1) (3.0.0) Requirement already satisfied: idna<4,>=2.5 in /usr/lib/python3.10/site-packages (from requests->wifi-autologin==0.0.1) (3.4) Requirement already satisfied: urllib3<1.27,>=1.21.1 in /usr/lib/python3.10/site-packages (from requests->wifi-autologin==0.0.1) (1.26.12) Building wheels for collected packages: wifi-autologin Building wheel for wifi-autologin (pyproject.toml) ... done Created wheel for wifi-autologin: filename=wifi_autologin-0.0.1-py3-none-any.whl size=4716 sha256=38217b300bc9ddeb58123ed664d1201d41929cd06541d3d052214e706c467f96 Stored in directory: /tmp/pip-ephem-wheel-cache-re2g65ip/wheels/21/87/aa/8ac76967d4592fa6501e37cc745792eb7a5bdb6f5d21ac7aeb Successfully built wifi-autologin Installing collected packages: wifi-autologin Attempting uninstall: wifi-autologin Found existing installation: wifi-autologin 0.0.1 ERROR: Exception: Traceback (most recent call last): File "/usr/lib/python3.10/site-packages/pip/_internal/cli/base_command.py", line 167, in exc_logging_wrapper status = run_func(*args) File "/usr/lib/python3.10/site-packages/pip/_internal/cli/req_command.py", line 205, in wrapper return func(self, options, args) File "/usr/lib/python3.10/site-packages/pip/_internal/commands/install.py", line 405, in run installed = install_given_reqs( File "/usr/lib/python3.10/site-packages/pip/_internal/req/__init__.py", line 68, in install_given_reqs uninstalled_pathset = requirement.uninstall(auto_confirm=True) File "/usr/lib/python3.10/site-packages/pip/_internal/req/req_install.py", line 637, in uninstall uninstalled_pathset = UninstallPathSet.from_dist(dist) File "/usr/lib/python3.10/site-packages/pip/_internal/req/req_uninstall.py", line 554, in from_dist for script in dist.iterdir("scripts"): File "/usr/lib/python3.10/site-packages/pip/_internal/metadata/pkg_resources.py", line 156, in iterdir if not self._dist.isdir(name): File "/usr/lib/python3.10/site-packages/pip/_vendor/pkg_resources/__init__.py", line 2816, in __getattr__ return getattr(self._provider, attr) AttributeError: 'PathMetadata' object has no attribute 'isdir' -- You are receiving this mail because: You are on the CC list for the bug.

1 3

[Bug 1204905] bug backupninja duplicity due to python3-cryptography-3.3.2-150400.16.3.1.x86_64 and solution
by bugzilla_noreply＠suse.com 05 Dec '22

05 Dec '22

https://bugzilla.suse.com/show_bug.cgi?id=1204905 Matej Cepl <mcepl(a)suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|mcepl(a)suse.com |steven.kowalik(a)suse.com -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1198953] VUL-0: CVE-2022-24736: redis: Lua NULL pointer dereference
by bugzilla_noreply＠suse.com 05 Dec '22

05 Dec '22

https://bugzilla.suse.com/show_bug.cgi?id=1198953 Stoyan Manolov <stoyan.manolov(a)suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED CC| |stoyan.manolov(a)suse.com Resolution|--- |FIXED -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1198952] VUL-0: CVE-2022-24735: redis: Lua code injection
by bugzilla_noreply＠suse.com 05 Dec '22

05 Dec '22

https://bugzilla.suse.com/show_bug.cgi?id=1198952 Stoyan Manolov <stoyan.manolov(a)suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED CC| |stoyan.manolov(a)suse.com Resolution|--- |FIXED -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1188115] New: Backintime: no snapshots possible anymore after (15.2->15.3) upgrade to 1.21
by bugzilla_noreply＠suse.com 05 Dec '22

05 Dec '22

http://bugzilla.opensuse.org/show_bug.cgi?id=1188115 Bug ID: 1188115 Summary: Backintime: no snapshots possible anymore after (15.2->15.3) upgrade to 1.21 Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.3 Hardware: x86-64 OS: Other Status: NEW Severity: Major Priority: P5 - None Component: Other Assignee: screening-team-bugs(a)suse.de Reporter: michaelof(a)rocketmail.com QA Contact: qa-bugs(a)suse.de Found By: --- Blocker: --- Backintime seem to process taking a snapshot, but stops at final step(s). Starting situation: zypper dup Leap from 15.2 to 15.3. After reboot, performed a zypper ref && zypper up, all pkgs current now. Made an initial Clonezilla image, to be sure. Reproducible: Wanted to make a first backintime snapshot, does NOT work Error on command line is: INFO: Remove leftover 'new_snapshot' folder from last run QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-root' INFO: Call rsync to take the snapshot Traceback (most recent call last): File "/usr/share/backintime/common/backintime.py", line 1165, in <module> startApp() File "/usr/share/backintime/common/backintime.py", line 517, in startApp args.func(args) File "/usr/share/backintime/common/backintime.py", line 739, in backup ret = takeSnapshot(cfg, force) File "/usr/share/backintime/common/backintime.py", line 94, in takeSnapshot ret = snapshots.Snapshots(cfg).backup(force) File "/usr/share/backintime/common/snapshots.py", line 692, in backup ret_val, ret_error = self.takeSnapshot(sid, now, include_folders) File "/usr/share/backintime/common/snapshots.py", line 1036, in takeSnapshot proc.run() File "/usr/share/backintime/common/tools.py", line 1981, in run self.callback(line, self.user_data) File "/usr/share/backintime/common/snapshots.py", line 809, in rsyncCallback self.snapshotLog.append('[C] ' + line[12:], 2) File "/usr/share/backintime/common/snapshotlog.py", line 195, in append self.logFile.write(msg + '\n') File "/usr/share/backintime/common/tools.py", line 1513, in handler self.callback() File "/usr/share/backintime/common/snapshotlog.py", line 203, in flush self.logFile.flush() RuntimeError: reentrant call inside <_io.BufferedWriter name='/root/.local/share/backintime/takesnapshot_.log'> -- You are receiving this mail because: You are on the CC list for the bug.

1 7

[Bug 1205999] VUL-0: CVE-2022-4262: chromium: Type Confusion in V8
by bugzilla_noreply＠suse.com 05 Dec '22

05 Dec '22

https://bugzilla.suse.com/show_bug.cgi?id=1205999 Maintenance Automation <maint-coord+maintenance-robot(a)suse.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|P5 - None |P3 - Medium -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1024727] New: Cannot login to Bugzilla using Bugzilla "login" button
by bugzilla_noreply＠novell.com 04 Dec '22

04 Dec '22

http://bugzilla.opensuse.org/show_bug.cgi?id=1024727 Bug ID: 1024727 Summary: Cannot login to Bugzilla using Bugzilla "login" button Classification: openSUSE Product: openSUSE.org Version: unspecified Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Bugzilla Assignee: bnc-team-screening(a)forge.provo.novell.com Reporter: qantas94heavy(a)gmail.com QA Contact: novbugzilla-bugs(a)forge.provo.novell.com Found By: --- Blocker: --- Created attachment 713674 --> http://bugzilla.opensuse.org/attachment.cgi?id=713674&action=edit Unprocessed PHP file I attempted to login to Bugzilla by clicking the "Login" button on the Bugzilla home page, which took me to the following URL: https://login.microfocus.com/nidp/idff/sso?id=132&sid=5&option=credential&s… Instead of receiving the page as usual, it appears to load some scripts from the following URL: https://www.suse.com/common/inc/include.php?file=headers/hdr_head.html The PHP file there appears to be unprocessed, which is most likely causing the issue here. I was only able to login by going through the openSUSE wiki then going back to Bugzilla. -- You are receiving this mail because: You are on the CC list for the bug.

2 3

[Bug 1205406] New: xdotool doesn't show the correcz titles of firefox windows any longer
by bugzilla_noreply＠suse.com 04 Dec '22

04 Dec '22

https://bugzilla.suse.com/show_bug.cgi?id=1205406 Bug ID: 1205406 Summary: xdotool doesn't show the correcz titles of firefox windows any longer Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: x86-64 OS: openSUSE Tumbleweed Status: NEW Severity: Normal Priority: P5 - None Component: Firefox Assignee: factory-mozilla(a)lists.opensuse.org Reporter: opensuse(a)mike.franken.de QA Contact: qa-bugs(a)suse.de Found By: --- Blocker: --- Created attachment 862867 --> https://bugzilla.suse.com/attachment.cgi?id=862867&action=edit window properties Starting with openSUSE Tumbleweed 20221113 xdotool doesn't show the correct titles of firefox any longer, instead returns "Firefox" or an empty string. This worked as expected until I installed this snapshot a few minutes ago. xdotool search --classname firefox 45088769 45088831 45088954 $ xdotool getwindowname 45088769 Firefox $ xdotool getwindowname 45088831 $ xdotool getwindowname 45088954 Firefox Systemsettings / Window management / Window rules still shows the correct titles (see attachement). This breaks my complete window management 8-( -- You are receiving this mail because: You are on the CC list for the bug.

1 14