May 2022 - openSUSE Bugs - openSUSE Mailing Lists

[Bug 1197036] New: VUL-0: CVE-2022-0813: phpMyAdmin: sensitive information with invalid requests through the the lang parameter, the pma_parameter, and the cookie section
by bugzilla_noreply＠suse.com 15 Feb '23

15 Feb '23

http://bugzilla.opensuse.org/show_bug.cgi?id=1197036 Bug ID: 1197036 Summary: VUL-0: CVE-2022-0813: phpMyAdmin: sensitive information with invalid requests through the the lang parameter, the pma_parameter, and the cookie section Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.4 Hardware: Other URL: https://smash.suse.de/issue/325919/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: chris(a)computersalat.de Reporter: thomas.leroy(a)suse.com QA Contact: security-team(a)suse.de Found By: Security Response Team Blocker: --- CVE-2022-0813 PhpMyAdmin 5.1.1 and before allows an attacker to retrieve potentially sensitive information by creating invalid requests. This affects the lang parameter, the pma_parameter, and the cookie section. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0813 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0813 https://www.phpmyadmin.net/news/2022/2/11/phpmyadmin-4910-and-513-are-relea… https://www.incibe-cert.es/en/early-warning/security-advisories/phpmyadmin-… -- You are receiving this mail because: You are on the CC list for the bug.

1 6

[Bug 1195018] New: VUL-0: CVE-2022-23808: phpMyAdmin: Multiple XSS and HTML injection attacks in setup script (PMASA-2022-2)
by bugzilla_noreply＠suse.com 15 Feb '23

15 Feb '23

http://bugzilla.opensuse.org/show_bug.cgi?id=1195018 Bug ID: 1195018 Summary: VUL-0: CVE-2022-23808: phpMyAdmin: Multiple XSS and HTML injection attacks in setup script (PMASA-2022-2) Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.3 Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: chris(a)computersalat.de Reporter: Andreas.Stieger(a)gmx.de QA Contact: security-team(a)suse.de CC: chris(a)computersalat.de, lang(a)b1-systems.de Found By: --- Blocker: --- It was discovered that phpMyAdmin versions prior to 5.1.2 are vulnerable to multiple XSS and HTML injection attacks in setup script. A series of weaknesses has been discovered that could allow an attacker to inject malicious code in to aspects of the setup script, which can allow XSS or HTML injection. Considered moderate upstream. If a configuration file config.inc.php exists these issues are mitigated. References: https://www.phpmyadmin.net/security/PMASA-2022-2/ https://github.com/phpmyadmin/phpmyadmin/commit/5118acce1dfcdb09cbc0f73927b… https://github.com/phpmyadmin/phpmyadmin/commit/44eb12f15a562718bbe54c9a16a… -- You are receiving this mail because: You are on the CC list for the bug.

1 7

[Bug 1195017] New: VUL-1: CVE-2022-23807: phpMyAdmin: Two factor authentication bypass (PMASA-2022-1)
by bugzilla_noreply＠suse.com 15 Feb '23

15 Feb '23

http://bugzilla.opensuse.org/show_bug.cgi?id=1195017 Bug ID: 1195017 Summary: VUL-1: CVE-2022-23807: phpMyAdmin: Two factor authentication bypass (PMASA-2022-1) Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.3 Hardware: Other OS: Other Status: NEW Severity: Minor Priority: P5 - None Component: Security Assignee: chris(a)computersalat.de Reporter: Andreas.Stieger(a)gmx.de QA Contact: security-team(a)suse.de CC: chris(a)computersalat.de, lang(a)b1-systems.de Found By: --- Blocker: --- It was discovered that version of phpMyAdmin prior to 4.9.8 and 5.1.2 are subject to a bypass of two-factor authentication. There is a sequence of actions a valid user can take that will allow them to bypass two factor authentication for that account. A user must first connect to phpMyAdmin (presumably using their two factor authentication method) in order to prepare their account for the bypass. Note that a user is still able to disable two factor authentication through conventional means; this only addresses an unintentional security weakness in how phpMyAdmin processes a user's two factor status. References: https://www.phpmyadmin.net/security/PMASA-2022-1/ https://github.com/phpmyadmin/phpmyadmin/commit/ca54f1db050859eb8555875c6aa… -- You are receiving this mail because: You are on the CC list for the bug.

1 8

[Bug 1167519] New: VUL-1: CVE-2020-10870: zim: creates temporary directories with predictable names, enabling malicious users to prevent other users from being able to start Zim
by bugzilla_noreply＠novell.com 15 Feb '23

15 Feb '23

http://bugzilla.opensuse.org/show_bug.cgi?id=1167519 Bug ID: 1167519 Summary: VUL-1: CVE-2020-10870: zim: creates temporary directories with predictable names, enabling malicious users to prevent other users from being able to start Zim Classification: openSUSE Product: openSUSE Distribution Version: Leap 42.3 Hardware: Other URL: https://smash.suse.de/issue/255622/ OS: Other Status: NEW Severity: Minor Priority: P5 - None Component: Security Assignee: luke(a)ljones.dev Reporter: wolfgang.frisch(a)suse.com QA Contact: security-team(a)suse.de Found By: Security Response Team Blocker: --- CVE-2020-10870 Zim through 0.72.1 creates temporary directories with predictable names. A malicious user could predict and create Zim's temporary directories and prevent other users from being able to start Zim, resulting in a denial of service. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-10870 https://github.com/zim-desktop-wiki/zim-desktop-wiki/issues/1028 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10870 -- You are receiving this mail because: You are on the CC list for the bug.

2 2

[Bug 1197063] New: VUL-0: CVE-2022-24128: timescaledb: allow privilege escalation during extension installation
by bugzilla_noreply＠suse.com 14 Feb '23

14 Feb '23

http://bugzilla.opensuse.org/show_bug.cgi?id=1197063 Bug ID: 1197063 Summary: VUL-0: CVE-2022-24128: timescaledb: allow privilege escalation during extension installation Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.4 Hardware: Other URL: https://smash.suse.de/issue/326113/ OS: Other Status: NEW Severity: Minor Priority: P5 - None Component: Basesystem Assignee: bruno(a)ioda-net.ch Reporter: abergmann(a)suse.com QA Contact: security-team(a)suse.de Found By: Security Response Team Blocker: --- CVE-2022-24128 Timescale TimescaleDB 1.x and 2.x before 2.5.2 may allow privilege escalation during extension installation. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-24128 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24128 http://www.cvedetails.com/cve/CVE-2022-24128/ https://docs.timescale.com/timescaledb/latest/overview/release-notes/ -- You are receiving this mail because: You are on the CC list for the bug.

1 2

[Bug 1195315] New: phpMyAdmin has issues with MariaDB privilege tables.
by bugzilla_noreply＠suse.com 13 Feb '23

13 Feb '23

http://bugzilla.opensuse.org/show_bug.cgi?id=1195315 Bug ID: 1195315 Summary: phpMyAdmin has issues with MariaDB privilege tables. Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.3 Hardware: 64bit OS: openSUSE Leap 15.3 Status: NEW Severity: Major Priority: P5 - None Component: Apache Assignee: bnc-team-apache(a)forge.provo.novell.com Reporter: zombie.ryushu(a)zoho.com QA Contact: qa-bugs(a)suse.de Found By: --- Blocker: --- OpenSuse ships with a version of phpMyAdmin that does not handle privilege management in versions of MariaDB after 10.3. This is because MariaDB has deprecated the use of the mysql.user table and turned it into a view, resulting in broken privilege tables. -- You are receiving this mail because: You are on the CC list for the bug.

1 1

[Bug 1180471] New: diff-pdf has incorrect description in manpage
by bugzilla_noreply＠suse.com 13 Feb '23

13 Feb '23

http://bugzilla.opensuse.org/show_bug.cgi?id=1180471 Bug ID: 1180471 Summary: diff-pdf has incorrect description in manpage Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: All Status: NEW Severity: Normal Priority: P5 - None Component: Other Assignee: munix9(a)googlemail.com Reporter: bwiedemann(a)suse.com QA Contact: qa-bugs(a)suse.de Blocks: 1047218 Found By: Development Blocker: --- While working on reproducible builds for openSUSE, I found that our diff-pdf package varies across builds: +++ /usr/share/man/man1/diff-pdf.1 .SH DESCRIPTION -18:55:41: Error: Unable to initialize GTK+, is DISPLAY set properly? +08:12:21: Error: Unable to initialize GTK+, is DISPLAY set properly? This comes from help2man. -- You are receiving this mail because: You are on the CC list for the bug.

1 5

[Bug 1200030] New: slurmd can't load plugins
by bugzilla_noreply＠suse.com 13 Feb '23

13 Feb '23

https://bugzilla.suse.com/show_bug.cgi?id=1200030 Bug ID: 1200030 Summary: slurmd can't load plugins Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Network Assignee: screening-team-bugs(a)suse.de Reporter: cgoll(a)suse.com QA Contact: qa-bugs(a)suse.de Found By: --- Blocker: --- Sicne some time the slurm rpm packages does not work any more in openSUSE tumbleweed. If a service should be started one gets following error: ``` slurmd: error: plugin_load_from_file: dlopen(/usr/lib64/slurm/select_linear.so): /usr/lib64/slurm/select_linear.so: undefined symbol: gres_ctld_job_build_details slurmd: error: Couldn't load specified plugin name for select/linear: Dlopen of plugin file failed slurmd: fatal: Can't find plugin for select/linear ``` This is not related to slurm itself, as if the package is compiled on the machine itself, everything works fine. (Used the *exact* same ./configure for building includng $CFLAGS.) This must have something to do with the symbol stripping in Tumblweed, the leap packages work fine. Any comments? -- You are receiving this mail because: You are on the CC list for the bug.

1 12

[Bug 1178453] New: [Build 20201103] gnuhealth_client crashes on start
by bugzilla_noreply＠suse.com 12 Feb '23

12 Feb '23

http://bugzilla.opensuse.org/show_bug.cgi?id=1178453 Bug ID: 1178453 Summary: [Build 20201103] gnuhealth_client crashes on start Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other URL: https://openqa.opensuse.org/tests/1460183/modules/gnuh ealth_client_first_time/steps/2 OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Other Assignee: screening-team-bugs(a)suse.de Reporter: dimstar(a)opensuse.org QA Contact: qa-bugs(a)suse.de Found By: openQA Blocker: Yes ## Observation openQA test in scenario opensuse-Tumbleweed-DVD-x86_64-gnuhealth@64bit fails in [gnuhealth_client_first_time](https://openqa.opensuse.org/tests/1460183/modu… ## Test suite description Maintainer: okurz(a)suse.de Test scenario for gnuhealth software stack ## Reproducible Fails since (at least) Build [20201103](https://openqa.opensuse.org/tests/1458960) ## Expected result Last good: [20201030](https://openqa.opensuse.org/tests/1456811) (or more recent) ## Further details Always latest result in this scenario: [latest](https://openqa.opensuse.org/tests/latest?arch=x86_64&distri=opensus… -- You are receiving this mail because: You are on the CC list for the bug.

1 15

[Bug 1170553] New: [Build 20200425] gnuhealth UI looks broken with GNOME 3.36
by bugzilla_noreply＠novell.com 12 Feb '23

12 Feb '23

http://bugzilla.opensuse.org/show_bug.cgi?id=1170553 Bug ID: 1170553 Summary: [Build 20200425] gnuhealth UI looks broken with GNOME 3.36 Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other URL: https://openqa.opensuse.org/tests/1245677/modules/gnuh ealth_client_preconfigure/steps/6 OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Other Assignee: screening-team-bugs(a)suse.de Reporter: dimstar(a)opensuse.org QA Contact: qa-bugs(a)suse.de Found By: --- Blocker: --- ## Observation openQA test in scenario opensuse-Tumbleweed-DVD-x86_64-gnuhealth@64bit fails in [gnuhealth_client_preconfigure](https://openqa.opensuse.org/tests/1245677/mo… ## Test suite description Maintainer: okurz(a)suse.de Test scenario for gnuhealth software stack ## Reproducible Fails since (at least) Build [20200423](https://openqa.opensuse.org/tests/1245318) ## Expected result Last good: [20200422](https://openqa.opensuse.org/tests/1243312) (or more recent) ## Further details Always latest result in this scenario: [latest](https://openqa.opensuse.org/tests/latest?arch=x86_64&distri=opensus… -- You are receiving this mail because: You are on the CC list for the bug.

2 6