December 2023 - openSUSE Bugs - openSUSE Mailing Lists

[Bug 1214176] New: VUL-0: CVE-2023-39959: nextcloud: calendar or address book existence leak via DAV
by bugzilla_noreply＠suse.com 16 Apr '24

16 Apr '24

https://bugzilla.suse.com/show_bug.cgi?id=1214176 Bug ID: 1214176 Summary: VUL-0: CVE-2023-39959: nextcloud: calendar or address book existence leak via DAV Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.4 Hardware: Other URL: https://smash.suse.de/issue/374996/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: ecsos(a)schirra.net Reporter: carlos.lopez(a)suse.com QA Contact: security-team(a)suse.de Target Milestone: --- Found By: --- Blocker: --- CVE-2023-39959 Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 25.0.0 and prior to versions 25.0.9, 26.0.4, and 27.0.1, unauthenticated users could send a DAV request which reveals whether a calendar or an address book with the given identifier exists for the victim. Nextcloud Server versions 25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise Server versions 25.0.9, 26.0.4, and 27.0.1 contain a patch for this issue. No known workarounds are available. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-39959 https://www.cve.org/CVERecord?id=CVE-2023-39959 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-g… https://github.com/nextcloud/server/pull/38747 https://hackerone.com/reports/1832126 -- You are receiving this mail because: You are on the CC list for the bug.

1 1

[Bug 1214175] New: VUL-0: CVE-2023-39958: nextcloud: missing bruteforce protection for client secrets of configured OAuth2 clients
by bugzilla_noreply＠suse.com 16 Apr '24

16 Apr '24

https://bugzilla.suse.com/show_bug.cgi?id=1214175 Bug ID: 1214175 Summary: VUL-0: CVE-2023-39958: nextcloud: missing bruteforce protection for client secrets of configured OAuth2 clients Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.4 Hardware: Other URL: https://smash.suse.de/issue/374995/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: ecsos(a)schirra.net Reporter: carlos.lopez(a)suse.com QA Contact: security-team(a)suse.de Target Milestone: --- Found By: --- Blocker: --- CVE-2023-39958 Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 22.0.0 and prior to versions 22.2.10.13, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1, missing protection allows an attacker to brute force the client secrets of configured OAuth2 clients. Nextcloud Server versions 25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise Server versions 22.2.10.13, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1 contain a patch for this issue. No known workarounds are available. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-39958 https://www.cve.org/CVERecord?id=CVE-2023-39958 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-v… https://github.com/nextcloud/server/pull/38773 https://hackerone.com/reports/1258448 -- You are receiving this mail because: You are on the CC list for the bug.

1 1

[Bug 1214177] New: VUL-0: CVE-2023-39961: nextcloud: image download restriction bypass
by bugzilla_noreply＠suse.com 16 Apr '24

16 Apr '24

https://bugzilla.suse.com/show_bug.cgi?id=1214177 Bug ID: 1214177 Summary: VUL-0: CVE-2023-39961: nextcloud: image download restriction bypass Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.4 Hardware: Other URL: https://smash.suse.de/issue/374997/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: ecsos(a)schirra.net Reporter: carlos.lopez(a)suse.com QA Contact: security-team(a)suse.de Target Milestone: --- Found By: --- Blocker: --- CVE-2023-39961 Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 24.0.4 and prior to versions 25.0.9, 26.0.4, and 27.0.1, when a folder with images or an image was shared without download permissions, the user could add the image inline into a text file and download it. Nextcloud Server versions 25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise Server versions 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1 contain a patch for this issue. No known workarounds are available. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-39961 https://www.cve.org/CVERecord?id=CVE-2023-39961 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-q… https://github.com/nextcloud/text/pull/4481 https://hackerone.com/reports/1965156 -- You are receiving this mail because: You are on the CC list for the bug.

1 1

[Bug 1214178] New: VUL-0: CVE-2023-39962: nextcloud: unrestricted external storage deletion
by bugzilla_noreply＠suse.com 16 Apr '24

16 Apr '24

https://bugzilla.suse.com/show_bug.cgi?id=1214178 Bug ID: 1214178 Summary: VUL-0: CVE-2023-39962: nextcloud: unrestricted external storage deletion Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.4 Hardware: Other URL: https://smash.suse.de/issue/374998/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: ecsos(a)schirra.net Reporter: carlos.lopez(a)suse.com QA Contact: security-team(a)suse.de Target Milestone: --- Found By: --- Blocker: --- CVE-2023-39962 Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 19.0.0 and prior to versions 19.0.13.10, 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1, a malicious user could delete any personal or global external storage, making them inaccessible for everyone else as well. Nextcloud server versions 25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise Server versions 19.0.13.10, 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.9, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1 contain a patch for this issue. As a workaround, disable app files_external. This also makes the external storage inaccessible but retains the configurations until a patched version has been deployed. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-39962 https://www.cve.org/CVERecord?id=CVE-2023-39962 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-x… https://github.com/nextcloud/server/pull/39323 https://hackerone.com/reports/2047168 -- You are receiving this mail because: You are on the CC list for the bug.

1 1

[Bug 1214179] New: VUL-0: CVE-2023-39963: nextcloud: missing password check allows attackers to add app passwords on compromised accounts
by bugzilla_noreply＠suse.com 16 Apr '24

16 Apr '24

https://bugzilla.suse.com/show_bug.cgi?id=1214179 Bug ID: 1214179 Summary: VUL-0: CVE-2023-39963: nextcloud: missing password check allows attackers to add app passwords on compromised accounts Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.4 Hardware: Other URL: https://smash.suse.de/issue/374999/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: ecsos(a)schirra.net Reporter: carlos.lopez(a)suse.com QA Contact: security-team(a)suse.de Target Milestone: --- Found By: --- Blocker: --- CVE-2023-39963 Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 20.0.0 and prior to versions 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1, a missing password confirmation allowed an attacker, after successfully stealing a session from a logged in user, to create app passwords for the victim. Nextcloud server versions 25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise Server versions 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.9, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1 contain a patch for this issue. No known workarounds are available. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-39963 https://www.cve.org/CVERecord?id=CVE-2023-39963 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-j… https://github.com/nextcloud/server/pull/39416 https://hackerone.com/reports/2067572 -- You are receiving this mail because: You are on the CC list for the bug.

1 1

[Bug 1214181] New: VUL-0: CVE-2023-39952: nextcloud: unrestricted subfolder access despite advanced permission checks
by bugzilla_noreply＠suse.com 16 Apr '24

16 Apr '24

https://bugzilla.suse.com/show_bug.cgi?id=1214181 Bug ID: 1214181 Summary: VUL-0: CVE-2023-39952: nextcloud: unrestricted subfolder access despite advanced permission checks Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.4 Hardware: Other URL: https://smash.suse.de/issue/374976/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: ecsos(a)schirra.net Reporter: carlos.lopez(a)suse.com QA Contact: security-team(a)suse.de Target Milestone: --- Found By: --- Blocker: --- CVE-2023-39952 Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 22.0.0 and prior to versions 22.2.10.13, 23.0.12.8, 24.0.12.4, 25.0.8, 26.0.3, and 27.0.1, a user can access files inside a subfolder of a groupfolder accessible to them, even if advanced permissions would block access to the subfolder. Nextcloud Server versions 25.0.8, 26.0.3, and 27.0.1 and Nextcloud Enterprise Server versions 22.2.10.13, 23.0.12.8, 24.0.12.4, 25.0.8, 26.0.3, and 27.0.1 contain a patch for this issue. No known workarounds are available. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-39952 https://bugzilla.redhat.com/show_bug.cgi?id=2231145 https://www.cve.org/CVERecord?id=CVE-2023-39952 https://github.com/nextcloud/groupfolders/issues/1906 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-c… https://github.com/nextcloud/server/pull/38890 https://hackerone.com/reports/1808079 -- You are receiving this mail because: You are on the CC list for the bug.

1 1

[Bug 1215343] New: Aeon does not support webp images.
by bugzilla_noreply＠suse.com 15 Apr '24

15 Apr '24

https://bugzilla.suse.com/show_bug.cgi?id=1215343 Bug ID: 1215343 Summary: Aeon does not support webp images. Classification: openSUSE Product: openSUSE Aeon Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Desktop Environment Assignee: rbrown(a)suse.com Reporter: gchm2(a)quicknet.nl QA Contact: qa-bugs(a)suse.de Target Milestone: --- Found By: --- Blocker: --- Aeon dows not support webp images so those images cannot be set as a wallpaper in GNOME and nautilus cannot create thumbnails of those images. I think the package webp-pixbuf-loader should be part of the base system for a better out of the box experience. -- You are receiving this mail because: You are on the CC list for the bug.

1 3

[Bug 1213496] New: Man pages and documentation in general missing
by bugzilla_noreply＠suse.com 15 Apr '24

15 Apr '24

https://bugzilla.suse.com/show_bug.cgi?id=1213496 Bug ID: 1213496 Summary: Man pages and documentation in general missing Classification: openSUSE Product: openSUSE Aeon Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Distrobox Assignee: rbrown(a)suse.com Reporter: kjong+lists(a)neobits.nl QA Contact: qa-bugs(a)suse.de Target Milestone: --- Found By: --- Blocker: --- In Aeon the system is immutable and shouldn't be touched. However, there are no man pages installed. This is not really user-friendly. But maybe it's on purpose to make sure people don't touch their base install? But even after doing `distrobox enter` and you download and enter the default distrobox, which is `registry.opensuse.org/opensuse/distrobox:latest`, I still don't get manual pages. This makes using the system harder than it should be. What's the reasoning to not include documentation? On production non-interactive containers I get why man pages are a waste of disk space. But distrobox is meant to be used as a normal user environment. In such an environment people expect to find man pages. Otherwise the system is in the way of getting things done. In contrast, Fedora Silverblue has the man pages installed in the base OS, but also in their default toolbox image. Which to me makes perfect sense. Humans are going to use those environment interactively. Googling/Ducking for man pages online would be weird and the `--help` output isn't always complete or fully helpful. Can man pages be included in Aeon and in the toolbox containers? -- You are receiving this mail because: You are on the CC list for the bug.

1 5

[Bug 1214614] New: [suggested] add "sane-backends" in default install
by bugzilla_noreply＠suse.com 15 Apr '24

15 Apr '24

https://bugzilla.suse.com/show_bug.cgi?id=1214614 Bug ID: 1214614 Summary: [suggested] add "sane-backends" in default install Classification: openSUSE Product: openSUSE Aeon Version: Current Hardware: All OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Base Assignee: rbrown(a)suse.com Reporter: christophe.durand(a)my.mail.fr QA Contact: qa-bugs(a)suse.de Target Milestone: --- Found By: --- Blocker: --- User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/116.0 Build Identifier: Usb Scanners are not recognized by default Aeon installation. Simple-scan flatpak complains about missing drivers. To have fonctionnal usb scanner, I need to add san-backends and san-backends-autoconfig. Reproducible: Always Steps to Reproduce: install simple-scan flatpak try to use USB scanner Actual Results: missing drivers Expected Results: USB scanner should work out of the box (at least for a desktop environnement) no Scanner drivers installed by default in Aeon. Can be solved with sane-backends installation. -- You are receiving this mail because: You are on the CC list for the bug.

1 5

[Bug 1212951] New: AUDIT-1: nqptp: precision time protocol daemon
by bugzilla_noreply＠suse.com 15 Apr '24

15 Apr '24

https://bugzilla.suse.com/show_bug.cgi?id=1212951 Bug ID: 1212951 Summary: AUDIT-1: nqptp: precision time protocol daemon Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: security-team(a)suse.de Reporter: wolfgang.frisch(a)suse.com QA Contact: qa-bugs(a)suse.de Target Milestone: --- Found By: --- Blocker: --- nqptp is a Precision Time Protocol daemon. Upstream: https://github.com/mikebrady/nqptp This daemon runs as root and, according to upstream: > nqptp has not been checked or audited for security issues. Note that it must run in root mode. -- You are receiving this mail because: You are on the CC list for the bug.

1 3