July 2022 - openSUSE Bugs - openSUSE Mailing Lists

[Bug 1201482] New: GNOME:Factory/chrome-gnome-shell: Support for v6 API missing
by bugzilla_noreply＠suse.com 16 Feb '23

16 Feb '23

http://bugzilla.opensuse.org/show_bug.cgi?id=1201482 Bug ID: 1201482 Summary: GNOME:Factory/chrome-gnome-shell: Support for v6 API missing Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: x86-64 OS: openSUSE Tumbleweed Status: NEW Severity: Normal Priority: P5 - None Component: GNOME Assignee: gnome-bugs(a)suse.de Reporter: reiokorn(a)tutanota.com QA Contact: qa-bugs(a)suse.de Found By: --- Blocker: --- When visiting https://extensions.gnome.org/ I get the following message: "Your native host connector does not support the following APIs: v6. You should probably update the Native Host Connector or install any missing extensions or APIs." This happened after a update to the related browser extension. https://wiki.gnome.org/action/show/Projects/GnomeShellIntegration?action=sh… -- You are receiving this mail because: You are on the CC list for the bug.

1 7

[Bug 1191055] New: aws-efs-utils: finish UsrMerge, install to /usr
by bugzilla_noreply＠suse.com 15 Feb '23

15 Feb '23

https://bugzilla.suse.com/show_bug.cgi?id=1191055 Bug ID: 1191055 Summary: aws-efs-utils: finish UsrMerge, install to /usr Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Other Assignee: ikapelyukhin(a)suse.com Reporter: lnussel(a)suse.com QA Contact: qa-bugs(a)suse.de CC: adrian.glaubitz(a)suse.com, aosthof(a)suse.com, coolo(a)suse.com, dleuenberger(a)suse.com, dmueller(a)suse.com, james.mason(a)suse.com, jdsn(a)suse.com, ms(a)suse.com, rjschwei(a)suse.com, sean.marlow(a)suse.com, svollath(a)suse.com, thardeck(a)suse.com Blocks: 1191054 Found By: --- Blocker: --- Following up on the discussion on the Factory list https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/message… All packages installing files into /bin, /sbin, /lib and /lib64 should change the location to the counterpart in /usr instead. If the package still needs to build for released distros you may keep the legacy locations within a "%if %suse_version < 1550" block of course. If you do that, please do *NOT* install symlinks from/to /usr as it was done with some packages in the past. Move the files in question instead. -- You are receiving this mail because: You are on the CC list for the bug.

1 1

[Bug 1175850] New: MicroOS Desktop can't reboot?
by bugzilla_noreply＠suse.com 15 Feb '23

15 Feb '23

http://bugzilla.opensuse.org/show_bug.cgi?id=1175850 Bug ID: 1175850 Summary: MicroOS Desktop can't reboot? Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: x86-64 OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: MicroOS Assignee: kubic-bugs(a)opensuse.org Reporter: mike(a)flingtoad.com QA Contact: qa-bugs(a)suse.de Found By: --- Blocker: --- On a default install of MicroOS Desktop (KDE) (ALPHA) 20200824-0, there is no obvious way to reboot the machine after install packaged with transactional-update. Here's what I've tried. 1. 'transactional-update reboot' (notifies rebootmgrctl that a reboot is requested, but 'rebootmgrctl status' seems to be waiting for the scheduled maintenance time. 2. 'rebootmgrctl reboot now' does not seem to do anything. 3. 'rebootmgrctl reboot fast' does not seem to do anything. 4. Click "Leave" -> "Restart" from KDE menu does not seem to do anything. 5. Click "Leave" -> "Shutdown" from KDE menu does not seem to do anything. 6. Click "Leave" -> "Shutdown" from KDE menu does not seem to do anything. 7. 'systemctl reboot' drops to a non-graphical target with login prompt, but doesn't continue with a reboot. 8. 'shutdown -r now' drops to a non-graphical target with login prompt, but doesn't continue with a reboot. 9. 'shutdown -h now' complains about not being able to unmount /etc, but eventually does halt. 10. 'systemctl reboot' to drop to term and the ctrl-alt-delete several times does eventually reboot >From what I can tell, 4-6 only happen when running the X session for KDE. If you run the Wayland session, 4-6 work but the others still don't. I haven't tried Wayland (Full). Other notes and observations: 1. I don't think the X session is starting the org.kde.ksmserver, but it does get started for Wayland. 2. I'm using full-disk encryption. 3. No matter how I exit the KDE session, it never saved my display configuration. I have to reconfigure the displays each time. Perhaps another bug report for this one. -- You are receiving this mail because: You are on the CC list for the bug.

1 11

[Bug 1165830] New: [TRACKER] grand distro cleanup
by bugzilla_noreply＠novell.com 15 Feb '23

15 Feb '23

http://bugzilla.opensuse.org/show_bug.cgi?id=1165830 Bug ID: 1165830 Summary: [TRACKER] grand distro cleanup Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Other Assignee: lnussel(a)suse.com Reporter: lnussel(a)suse.com QA Contact: qa-bugs(a)suse.de Found By: --- Blocker: --- track efforts to clean up the distro like /usr move /etc cleanup dependency cleanup -- You are receiving this mail because: You are on the CC list for the bug.

2 21

[Bug 1197036] New: VUL-0: CVE-2022-0813: phpMyAdmin: sensitive information with invalid requests through the the lang parameter, the pma_parameter, and the cookie section
by bugzilla_noreply＠suse.com 15 Feb '23

15 Feb '23

http://bugzilla.opensuse.org/show_bug.cgi?id=1197036 Bug ID: 1197036 Summary: VUL-0: CVE-2022-0813: phpMyAdmin: sensitive information with invalid requests through the the lang parameter, the pma_parameter, and the cookie section Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.4 Hardware: Other URL: https://smash.suse.de/issue/325919/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: chris(a)computersalat.de Reporter: thomas.leroy(a)suse.com QA Contact: security-team(a)suse.de Found By: Security Response Team Blocker: --- CVE-2022-0813 PhpMyAdmin 5.1.1 and before allows an attacker to retrieve potentially sensitive information by creating invalid requests. This affects the lang parameter, the pma_parameter, and the cookie section. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0813 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0813 https://www.phpmyadmin.net/news/2022/2/11/phpmyadmin-4910-and-513-are-relea… https://www.incibe-cert.es/en/early-warning/security-advisories/phpmyadmin-… -- You are receiving this mail because: You are on the CC list for the bug.

1 6

[Bug 1195018] New: VUL-0: CVE-2022-23808: phpMyAdmin: Multiple XSS and HTML injection attacks in setup script (PMASA-2022-2)
by bugzilla_noreply＠suse.com 15 Feb '23

15 Feb '23

http://bugzilla.opensuse.org/show_bug.cgi?id=1195018 Bug ID: 1195018 Summary: VUL-0: CVE-2022-23808: phpMyAdmin: Multiple XSS and HTML injection attacks in setup script (PMASA-2022-2) Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.3 Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: chris(a)computersalat.de Reporter: Andreas.Stieger(a)gmx.de QA Contact: security-team(a)suse.de CC: chris(a)computersalat.de, lang(a)b1-systems.de Found By: --- Blocker: --- It was discovered that phpMyAdmin versions prior to 5.1.2 are vulnerable to multiple XSS and HTML injection attacks in setup script. A series of weaknesses has been discovered that could allow an attacker to inject malicious code in to aspects of the setup script, which can allow XSS or HTML injection. Considered moderate upstream. If a configuration file config.inc.php exists these issues are mitigated. References: https://www.phpmyadmin.net/security/PMASA-2022-2/ https://github.com/phpmyadmin/phpmyadmin/commit/5118acce1dfcdb09cbc0f73927b… https://github.com/phpmyadmin/phpmyadmin/commit/44eb12f15a562718bbe54c9a16a… -- You are receiving this mail because: You are on the CC list for the bug.

1 7

[Bug 1195017] New: VUL-1: CVE-2022-23807: phpMyAdmin: Two factor authentication bypass (PMASA-2022-1)
by bugzilla_noreply＠suse.com 15 Feb '23

15 Feb '23

http://bugzilla.opensuse.org/show_bug.cgi?id=1195017 Bug ID: 1195017 Summary: VUL-1: CVE-2022-23807: phpMyAdmin: Two factor authentication bypass (PMASA-2022-1) Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.3 Hardware: Other OS: Other Status: NEW Severity: Minor Priority: P5 - None Component: Security Assignee: chris(a)computersalat.de Reporter: Andreas.Stieger(a)gmx.de QA Contact: security-team(a)suse.de CC: chris(a)computersalat.de, lang(a)b1-systems.de Found By: --- Blocker: --- It was discovered that version of phpMyAdmin prior to 4.9.8 and 5.1.2 are subject to a bypass of two-factor authentication. There is a sequence of actions a valid user can take that will allow them to bypass two factor authentication for that account. A user must first connect to phpMyAdmin (presumably using their two factor authentication method) in order to prepare their account for the bypass. Note that a user is still able to disable two factor authentication through conventional means; this only addresses an unintentional security weakness in how phpMyAdmin processes a user's two factor status. References: https://www.phpmyadmin.net/security/PMASA-2022-1/ https://github.com/phpmyadmin/phpmyadmin/commit/ca54f1db050859eb8555875c6aa… -- You are receiving this mail because: You are on the CC list for the bug.

1 8

[Bug 1167519] New: VUL-1: CVE-2020-10870: zim: creates temporary directories with predictable names, enabling malicious users to prevent other users from being able to start Zim
by bugzilla_noreply＠novell.com 15 Feb '23

15 Feb '23

http://bugzilla.opensuse.org/show_bug.cgi?id=1167519 Bug ID: 1167519 Summary: VUL-1: CVE-2020-10870: zim: creates temporary directories with predictable names, enabling malicious users to prevent other users from being able to start Zim Classification: openSUSE Product: openSUSE Distribution Version: Leap 42.3 Hardware: Other URL: https://smash.suse.de/issue/255622/ OS: Other Status: NEW Severity: Minor Priority: P5 - None Component: Security Assignee: luke(a)ljones.dev Reporter: wolfgang.frisch(a)suse.com QA Contact: security-team(a)suse.de Found By: Security Response Team Blocker: --- CVE-2020-10870 Zim through 0.72.1 creates temporary directories with predictable names. A malicious user could predict and create Zim's temporary directories and prevent other users from being able to start Zim, resulting in a denial of service. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-10870 https://github.com/zim-desktop-wiki/zim-desktop-wiki/issues/1028 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10870 -- You are receiving this mail because: You are on the CC list for the bug.

2 2

[Bug 1201510] New: libvirt must make use of nftables instead of iptables (if not already) and also reflect this in BuildRequires
by bugzilla_noreply＠suse.com 14 Feb '23

14 Feb '23

https://bugzilla.suse.com/show_bug.cgi?id=1201510 Bug ID: 1201510 Summary: libvirt must make use of nftables instead of iptables (if not already) and also reflect this in BuildRequires Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Virtualization:Tools Assignee: virt-bugs(a)suse.de Reporter: trenn(a)suse.com QA Contact: qa-bugs(a)suse.de Found By: --- Blocker: --- We want to drop iptables support for the future in favor of nftables. firewalld already seem to make use of nftables and this has been fixed in dependencies: Thu Mar 3 14:26:57 UTC 2022 - Thorsten Kukuk <kukuk(a)suse.com> - Cleanup dependencies: - ipset, ebtables and iptables are purely optional and deprecated, so don't require them zypper search --requires iptables shows these libvirt related pacakges: i | libvirt-daemon-driver-network | Network driver plugin for the i | libvirt-daemon-driver-nwfilter | A nwfilter driver plugin for Can the dependencies (possibly also BuildRequires:) be fixes to not make use of iptables, please. -- You are receiving this mail because: You are on the CC list for the bug.

1 5

[Bug 1197063] New: VUL-0: CVE-2022-24128: timescaledb: allow privilege escalation during extension installation
by bugzilla_noreply＠suse.com 14 Feb '23

14 Feb '23

http://bugzilla.opensuse.org/show_bug.cgi?id=1197063 Bug ID: 1197063 Summary: VUL-0: CVE-2022-24128: timescaledb: allow privilege escalation during extension installation Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.4 Hardware: Other URL: https://smash.suse.de/issue/326113/ OS: Other Status: NEW Severity: Minor Priority: P5 - None Component: Basesystem Assignee: bruno(a)ioda-net.ch Reporter: abergmann(a)suse.com QA Contact: security-team(a)suse.de Found By: Security Response Team Blocker: --- CVE-2022-24128 Timescale TimescaleDB 1.x and 2.x before 2.5.2 may allow privilege escalation during extension installation. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-24128 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24128 http://www.cvedetails.com/cve/CVE-2022-24128/ https://docs.timescale.com/timescaledb/latest/overview/release-notes/ -- You are receiving this mail because: You are on the CC list for the bug.

1 2