September 2022 - openSUSE Bugs - openSUSE Mailing Lists

[Bug 1201770] VUL-0: CVE-2014-9862: libostree: bundled bsdiff Improper checking of input allows arbitrary write on heap
by bugzilla_noreply＠suse.com 06 Sep '22

06 Sep '22

https://bugzilla.suse.com/show_bug.cgi?id=1201770 Michael Gorse <mgorse(a)suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|mgorse(a)suse.com |security-team(a)suse.de -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 952799] New: bogofilter-{db,sqlite3} insists on using wordlist.tc
by bugzilla_noreply＠novell.com 06 Sep '22

06 Sep '22

http://bugzilla.opensuse.org/show_bug.cgi?id=952799 Bug ID: 952799 Summary: bogofilter-{db,sqlite3} insists on using wordlist.tc Classification: openSUSE Product: openSUSE Tumbleweed Version: 2015* Hardware: x86-64 OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Other Assignee: bnc-team-screening(a)forge.provo.novell.com Reporter: gour(a)atmarama.net QA Contact: qa-bugs(a)suse.de Found By: --- Blocker: --- In the past, when using other Linux distros I was mostly using bogofilter with sqlite3 back-end, but after switching to openSUSE I've decided to convert to 'default' (Berkeley) DB backend. Unfortunately, after bogofilter package was updated in openSUSE, it looks it does insist on using $HOME/.bogofilter/wordlist.tc for the database name even if one uses Berkeley DB or Sqlite3 back-ends? When I try to use my old wordlist.db, Bogofilter plugin (Claws & Evolution) starts from the scratch and creates wordlist.tc. I wonder about this line in *.spec: %if 0%{?suse_version} > 1320 iow. whether the new Bogofilter package is ready to use existing setup with appropriate back-end (not equal to TokyoCabinet)? -- You are receiving this mail because: You are on the CC list for the bug.

2 9

[Bug 1202492] Audio devices missing when running kernel 5.19.x
by bugzilla_noreply＠suse.com 06 Sep '22

06 Sep '22

https://bugzilla.suse.com/show_bug.cgi?id=1202492 https://bugzilla.suse.com/show_bug.cgi?id=1202492#c48 Takashi Iwai <tiwai(a)suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Flags| |needinfo? --- Comment #48 from Takashi Iwai <tiwai(a)suse.com> --- Now I'm building a test kernel with a test patch suggested by the upstream dev. It's being built in OBS home:tiwai:bsc1202492-4 repo. Once after the build finishes, it'll appear at http://download.opensuse.org/repositories/home:/tiwai:/bsc1202492-4/standar… Can anyone check it later and report back whether it fixes the problem or not? -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1199895] PackageKit does not honor zypper package locks
by bugzilla_noreply＠suse.com 06 Sep '22

06 Sep '22

https://bugzilla.suse.com/show_bug.cgi?id=1199895 https://bugzilla.suse.com/show_bug.cgi?id=1199895#c34 --- Comment #34 from Swamp Workflow Management <swamp(a)suse.de> --- SUSE-RU-2022:3114-1: An update that has one recommended fix can now be installed. Category: recommended (moderate) Bug References: 1199895 CVE References: JIRA References: Sources used: openSUSE Leap 15.3 (src): PackageKit-1.1.13-150200.4.26.1 SUSE Linux Enterprise Workstation Extension 15-SP3 (src): PackageKit-1.1.13-150200.4.26.1 SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (src): PackageKit-1.1.13-150200.4.26.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination. -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1199895] PackageKit does not honor zypper package locks
by bugzilla_noreply＠suse.com 06 Sep '22

06 Sep '22

https://bugzilla.suse.com/show_bug.cgi?id=1199895 https://bugzilla.suse.com/show_bug.cgi?id=1199895#c33 --- Comment #33 from Swamp Workflow Management <swamp(a)suse.de> --- SUSE-RU-2022:3113-1: An update that has one recommended fix can now be installed. Category: recommended (moderate) Bug References: 1199895 CVE References: JIRA References: Sources used: openSUSE Leap 15.4 (src): PackageKit-1.2.4-150400.3.3.1 SUSE Linux Enterprise Workstation Extension 15-SP4 (src): PackageKit-1.2.4-150400.3.3.1 SUSE Linux Enterprise Module for Desktop Applications 15-SP4 (src): PackageKit-1.2.4-150400.3.3.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination. -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1203103] Kernel oops on BPF trace after AMD retbleed patch
by bugzilla_noreply＠suse.com 06 Sep '22

06 Sep '22

https://bugzilla.suse.com/show_bug.cgi?id=1203103 https://bugzilla.suse.com/show_bug.cgi?id=1203103#c1 Takashi Iwai <tiwai(a)suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |bpetkov(a)suse.com, | |pk-dev-bzilla.rcd10@simplel | |ogin.com, tiwai(a)suse.com Flags| |needinfo?(pk-dev-bzilla.rcd | |10(a)simplelogin.com) --- Comment #1 from Takashi Iwai <tiwai(a)suse.com> --- Adding Boris to Cc. Just to be sure: could you check whether the latest kernel in OBS Kernel:SLE15-SP4 repo still shows the same problem? http://download.opensuse.org/repositories/Kernel:/SLE15-SP4/pool/ -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1203131] New: VUL-0: CVE-2022-39050: otrs: Possible XSS stored in customer information
by bugzilla_noreply＠suse.com 06 Sep '22

06 Sep '22

http://bugzilla.opensuse.org/show_bug.cgi?id=1203131 Bug ID: 1203131 Summary: VUL-0: CVE-2022-39050: otrs: Possible XSS stored in customer information Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.4 Hardware: Other URL: https://smash.suse.de/issue/341496/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: chris(a)computersalat.de Reporter: thomas.leroy(a)suse.com QA Contact: security-team(a)suse.de Found By: Security Response Team Blocker: --- CVE-2022-39050 An attacker who is logged into OTRS as an admin user may manipulate customer URL field to store JavaScript code to be run later by any other agent when clicking the customer URL link. Then the stored JavaScript is executed in the context of OTRS. The same issue applies for the usage of external data sources e.g. database or ldap References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-39050 https://www.cve.org/CVERecord?id=CVE-2022-39050 https://otrs.com/release-notes/otrs-security-advisory-2022-11/ -- You are receiving this mail because: You are on the CC list for the bug.

1 2

[Bug 1203130] New: VUL-0: CVE-2022-39049: otrs: An attacker who is logged into OTRS as an admin user may manipulate the URL to cause execution of JavaScript in the context of OTRS.
by bugzilla_noreply＠suse.com 06 Sep '22

06 Sep '22

http://bugzilla.opensuse.org/show_bug.cgi?id=1203130 Bug ID: 1203130 Summary: VUL-0: CVE-2022-39049: otrs: An attacker who is logged into OTRS as an admin user may manipulate the URL to cause execution of JavaScript in the context of OTRS. Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.4 Hardware: Other URL: https://smash.suse.de/issue/341497/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: chris(a)computersalat.de Reporter: thomas.leroy(a)suse.com QA Contact: security-team(a)suse.de Found By: Security Response Team Blocker: --- CVE-2022-39049 An attacker who is logged into OTRS as an admin user may manipulate the URL to cause execution of JavaScript in the context of OTRS. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-39049 https://www.cve.org/CVERecord?id=CVE-2022-39049 https://otrs.com/release-notes/otrs-security-advisory-2022-10/ -- You are receiving this mail because: You are on the CC list for the bug.

1 2

[Bug 1203132] New: VUL-0: CVE-2022-39051: otrs: Perl Code execution in Template Toolkit
by bugzilla_noreply＠suse.com 06 Sep '22

06 Sep '22

http://bugzilla.opensuse.org/show_bug.cgi?id=1203132 Bug ID: 1203132 Summary: VUL-0: CVE-2022-39051: otrs: Perl Code execution in Template Toolkit Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.4 Hardware: Other URL: https://smash.suse.de/issue/341495/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: chris(a)computersalat.de Reporter: thomas.leroy(a)suse.com QA Contact: security-team(a)suse.de Found By: Security Response Team Blocker: --- CVE-2022-39051 Attacker might be able to execute malicious Perl code in the Template toolkit, by having the admin installing an unverified 3th party package References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-39051 https://www.cve.org/CVERecord?id=CVE-2022-39051 https://otrs.com/release-notes/otrs-security-advisory-2022-12/ -- You are receiving this mail because: You are on the CC list for the bug.

1 2

[Bug 1201066] kernel upgrade fails with Failed to enroll new keys
by bugzilla_noreply＠suse.com 06 Sep '22

06 Sep '22

https://bugzilla.suse.com/show_bug.cgi?id=1201066 Matthias Brugger <mbrugger(a)suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |afaerber(a)suse.com, | |chester.lin(a)suse.com, | |ivan.ivanov(a)suse.com, | |mbrugger(a)suse.com -- You are receiving this mail because: You are on the CC list for the bug.

1 0