June 2022 - openSUSE Bugs - openSUSE Mailing Lists

[Bug 1191055] New: aws-efs-utils: finish UsrMerge, install to /usr
by bugzilla_noreply＠suse.com 15 Feb '23

15 Feb '23

https://bugzilla.suse.com/show_bug.cgi?id=1191055 Bug ID: 1191055 Summary: aws-efs-utils: finish UsrMerge, install to /usr Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Other Assignee: ikapelyukhin(a)suse.com Reporter: lnussel(a)suse.com QA Contact: qa-bugs(a)suse.de CC: adrian.glaubitz(a)suse.com, aosthof(a)suse.com, coolo(a)suse.com, dleuenberger(a)suse.com, dmueller(a)suse.com, james.mason(a)suse.com, jdsn(a)suse.com, ms(a)suse.com, rjschwei(a)suse.com, sean.marlow(a)suse.com, svollath(a)suse.com, thardeck(a)suse.com Blocks: 1191054 Found By: --- Blocker: --- Following up on the discussion on the Factory list https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/message… All packages installing files into /bin, /sbin, /lib and /lib64 should change the location to the counterpart in /usr instead. If the package still needs to build for released distros you may keep the legacy locations within a "%if %suse_version < 1550" block of course. If you do that, please do *NOT* install symlinks from/to /usr as it was done with some packages in the past. Move the files in question instead. -- You are receiving this mail because: You are on the CC list for the bug.

1 1

[Bug 1175850] New: MicroOS Desktop can't reboot?
by bugzilla_noreply＠suse.com 15 Feb '23

15 Feb '23

http://bugzilla.opensuse.org/show_bug.cgi?id=1175850 Bug ID: 1175850 Summary: MicroOS Desktop can't reboot? Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: x86-64 OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: MicroOS Assignee: kubic-bugs(a)opensuse.org Reporter: mike(a)flingtoad.com QA Contact: qa-bugs(a)suse.de Found By: --- Blocker: --- On a default install of MicroOS Desktop (KDE) (ALPHA) 20200824-0, there is no obvious way to reboot the machine after install packaged with transactional-update. Here's what I've tried. 1. 'transactional-update reboot' (notifies rebootmgrctl that a reboot is requested, but 'rebootmgrctl status' seems to be waiting for the scheduled maintenance time. 2. 'rebootmgrctl reboot now' does not seem to do anything. 3. 'rebootmgrctl reboot fast' does not seem to do anything. 4. Click "Leave" -> "Restart" from KDE menu does not seem to do anything. 5. Click "Leave" -> "Shutdown" from KDE menu does not seem to do anything. 6. Click "Leave" -> "Shutdown" from KDE menu does not seem to do anything. 7. 'systemctl reboot' drops to a non-graphical target with login prompt, but doesn't continue with a reboot. 8. 'shutdown -r now' drops to a non-graphical target with login prompt, but doesn't continue with a reboot. 9. 'shutdown -h now' complains about not being able to unmount /etc, but eventually does halt. 10. 'systemctl reboot' to drop to term and the ctrl-alt-delete several times does eventually reboot >From what I can tell, 4-6 only happen when running the X session for KDE. If you run the Wayland session, 4-6 work but the others still don't. I haven't tried Wayland (Full). Other notes and observations: 1. I don't think the X session is starting the org.kde.ksmserver, but it does get started for Wayland. 2. I'm using full-disk encryption. 3. No matter how I exit the KDE session, it never saved my display configuration. I have to reconfigure the displays each time. Perhaps another bug report for this one. -- You are receiving this mail because: You are on the CC list for the bug.

1 11

[Bug 1165830] New: [TRACKER] grand distro cleanup
by bugzilla_noreply＠novell.com 15 Feb '23

15 Feb '23

http://bugzilla.opensuse.org/show_bug.cgi?id=1165830 Bug ID: 1165830 Summary: [TRACKER] grand distro cleanup Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Other Assignee: lnussel(a)suse.com Reporter: lnussel(a)suse.com QA Contact: qa-bugs(a)suse.de Found By: --- Blocker: --- track efforts to clean up the distro like /usr move /etc cleanup dependency cleanup -- You are receiving this mail because: You are on the CC list for the bug.

2 21

[Bug 1197036] New: VUL-0: CVE-2022-0813: phpMyAdmin: sensitive information with invalid requests through the the lang parameter, the pma_parameter, and the cookie section
by bugzilla_noreply＠suse.com 15 Feb '23

15 Feb '23

http://bugzilla.opensuse.org/show_bug.cgi?id=1197036 Bug ID: 1197036 Summary: VUL-0: CVE-2022-0813: phpMyAdmin: sensitive information with invalid requests through the the lang parameter, the pma_parameter, and the cookie section Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.4 Hardware: Other URL: https://smash.suse.de/issue/325919/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: chris(a)computersalat.de Reporter: thomas.leroy(a)suse.com QA Contact: security-team(a)suse.de Found By: Security Response Team Blocker: --- CVE-2022-0813 PhpMyAdmin 5.1.1 and before allows an attacker to retrieve potentially sensitive information by creating invalid requests. This affects the lang parameter, the pma_parameter, and the cookie section. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0813 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0813 https://www.phpmyadmin.net/news/2022/2/11/phpmyadmin-4910-and-513-are-relea… https://www.incibe-cert.es/en/early-warning/security-advisories/phpmyadmin-… -- You are receiving this mail because: You are on the CC list for the bug.

1 6

[Bug 1195018] New: VUL-0: CVE-2022-23808: phpMyAdmin: Multiple XSS and HTML injection attacks in setup script (PMASA-2022-2)
by bugzilla_noreply＠suse.com 15 Feb '23

15 Feb '23

http://bugzilla.opensuse.org/show_bug.cgi?id=1195018 Bug ID: 1195018 Summary: VUL-0: CVE-2022-23808: phpMyAdmin: Multiple XSS and HTML injection attacks in setup script (PMASA-2022-2) Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.3 Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: chris(a)computersalat.de Reporter: Andreas.Stieger(a)gmx.de QA Contact: security-team(a)suse.de CC: chris(a)computersalat.de, lang(a)b1-systems.de Found By: --- Blocker: --- It was discovered that phpMyAdmin versions prior to 5.1.2 are vulnerable to multiple XSS and HTML injection attacks in setup script. A series of weaknesses has been discovered that could allow an attacker to inject malicious code in to aspects of the setup script, which can allow XSS or HTML injection. Considered moderate upstream. If a configuration file config.inc.php exists these issues are mitigated. References: https://www.phpmyadmin.net/security/PMASA-2022-2/ https://github.com/phpmyadmin/phpmyadmin/commit/5118acce1dfcdb09cbc0f73927b… https://github.com/phpmyadmin/phpmyadmin/commit/44eb12f15a562718bbe54c9a16a… -- You are receiving this mail because: You are on the CC list for the bug.

1 7

[Bug 1195017] New: VUL-1: CVE-2022-23807: phpMyAdmin: Two factor authentication bypass (PMASA-2022-1)
by bugzilla_noreply＠suse.com 15 Feb '23

15 Feb '23

http://bugzilla.opensuse.org/show_bug.cgi?id=1195017 Bug ID: 1195017 Summary: VUL-1: CVE-2022-23807: phpMyAdmin: Two factor authentication bypass (PMASA-2022-1) Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.3 Hardware: Other OS: Other Status: NEW Severity: Minor Priority: P5 - None Component: Security Assignee: chris(a)computersalat.de Reporter: Andreas.Stieger(a)gmx.de QA Contact: security-team(a)suse.de CC: chris(a)computersalat.de, lang(a)b1-systems.de Found By: --- Blocker: --- It was discovered that version of phpMyAdmin prior to 4.9.8 and 5.1.2 are subject to a bypass of two-factor authentication. There is a sequence of actions a valid user can take that will allow them to bypass two factor authentication for that account. A user must first connect to phpMyAdmin (presumably using their two factor authentication method) in order to prepare their account for the bypass. Note that a user is still able to disable two factor authentication through conventional means; this only addresses an unintentional security weakness in how phpMyAdmin processes a user's two factor status. References: https://www.phpmyadmin.net/security/PMASA-2022-1/ https://github.com/phpmyadmin/phpmyadmin/commit/ca54f1db050859eb8555875c6aa… -- You are receiving this mail because: You are on the CC list for the bug.

1 8

[Bug 1167519] New: VUL-1: CVE-2020-10870: zim: creates temporary directories with predictable names, enabling malicious users to prevent other users from being able to start Zim
by bugzilla_noreply＠novell.com 15 Feb '23

15 Feb '23

http://bugzilla.opensuse.org/show_bug.cgi?id=1167519 Bug ID: 1167519 Summary: VUL-1: CVE-2020-10870: zim: creates temporary directories with predictable names, enabling malicious users to prevent other users from being able to start Zim Classification: openSUSE Product: openSUSE Distribution Version: Leap 42.3 Hardware: Other URL: https://smash.suse.de/issue/255622/ OS: Other Status: NEW Severity: Minor Priority: P5 - None Component: Security Assignee: luke(a)ljones.dev Reporter: wolfgang.frisch(a)suse.com QA Contact: security-team(a)suse.de Found By: Security Response Team Blocker: --- CVE-2020-10870 Zim through 0.72.1 creates temporary directories with predictable names. A malicious user could predict and create Zim's temporary directories and prevent other users from being able to start Zim, resulting in a denial of service. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-10870 https://github.com/zim-desktop-wiki/zim-desktop-wiki/issues/1028 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10870 -- You are receiving this mail because: You are on the CC list for the bug.

2 2

[Bug 1197063] New: VUL-0: CVE-2022-24128: timescaledb: allow privilege escalation during extension installation
by bugzilla_noreply＠suse.com 14 Feb '23

14 Feb '23

http://bugzilla.opensuse.org/show_bug.cgi?id=1197063 Bug ID: 1197063 Summary: VUL-0: CVE-2022-24128: timescaledb: allow privilege escalation during extension installation Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.4 Hardware: Other URL: https://smash.suse.de/issue/326113/ OS: Other Status: NEW Severity: Minor Priority: P5 - None Component: Basesystem Assignee: bruno(a)ioda-net.ch Reporter: abergmann(a)suse.com QA Contact: security-team(a)suse.de Found By: Security Response Team Blocker: --- CVE-2022-24128 Timescale TimescaleDB 1.x and 2.x before 2.5.2 may allow privilege escalation during extension installation. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-24128 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24128 http://www.cvedetails.com/cve/CVE-2022-24128/ https://docs.timescale.com/timescaledb/latest/overview/release-notes/ -- You are receiving this mail because: You are on the CC list for the bug.

1 2

[Bug 1200544] New: xbell no longer working
by bugzilla_noreply＠suse.com 14 Feb '23

14 Feb '23

http://bugzilla.opensuse.org/show_bug.cgi?id=1200544 Bug ID: 1200544 Summary: xbell no longer working Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.4 Hardware: x86-64 OS: openSUSE Leap 15.4 Status: NEW Severity: Normal Priority: P5 - None Component: Other Assignee: screening-team-bugs(a)suse.de Reporter: agesen(a)cs.stanford.edu QA Contact: qa-bugs(a)suse.de Found By: --- Blocker: --- I updated from 15.3 to 15.4 and all is well, well :-) mostly. Sound works when playing video in firefox, when playing musing with mplayer, etc. But xbell is no longer to be heard. I miss "vi" baking a beep when I hit escape at the wrong time. I miss xbiff making a sound when an email arrives (there is no sound but it still changes the icon to flag-up). How may we go about debugging missing "system sound" (or whatever it is? Just to clarify, I have checked pavucontrol and tried fiddling with all the sliders. No difference. Please let me know if I can upload log files that may help. Thanks, Ole Dell Inspiron from 2011ish. -- You are receiving this mail because: You are on the CC list for the bug.

1 5

[Bug 1195315] New: phpMyAdmin has issues with MariaDB privilege tables.
by bugzilla_noreply＠suse.com 13 Feb '23

13 Feb '23

http://bugzilla.opensuse.org/show_bug.cgi?id=1195315 Bug ID: 1195315 Summary: phpMyAdmin has issues with MariaDB privilege tables. Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.3 Hardware: 64bit OS: openSUSE Leap 15.3 Status: NEW Severity: Major Priority: P5 - None Component: Apache Assignee: bnc-team-apache(a)forge.provo.novell.com Reporter: zombie.ryushu(a)zoho.com QA Contact: qa-bugs(a)suse.de Found By: --- Blocker: --- OpenSuse ships with a version of phpMyAdmin that does not handle privilege management in versions of MariaDB after 10.3. This is because MariaDB has deprecated the use of the mysql.user table and turned it into a view, resulting in broken privilege tables. -- You are receiving this mail because: You are on the CC list for the bug.

1 1