October 2024 - openSUSE Bugs - openSUSE Mailing Lists

[Bug 1230236] Opensuse 15.6 Tiger Lake-LP Smart Sound Technology Audio Controller no output
by bugzilla_noreply＠suse.com 31 Oct '24

31 Oct '24

https://bugzilla.suse.com/show_bug.cgi?id=1230236 https://bugzilla.suse.com/show_bug.cgi?id=1230236#c26 --- Comment #26 from Maintenance Automation <maint-coord+maintenance-robot(a)suse.de> --- SUSE-RU-2024:3845-1: An update that contains two features and has one fix can now be installed. URL: https://www.suse.com/support/update/announcement/2024/suse-ru-20243845-1 Category: recommended (moderate) Bug References: 1230236 Jira References: PED-10202, PED-9993 Maintenance Incident: [SUSE:Maintenance:36145](https://smelt.suse.de/incident/36145/) Sources used: openSUSE Leap 15.6 (src): sof-firmware-2024.09-150600.3.3.1 Desktop Applications Module 15-SP6 (src): sof-firmware-2024.09-150600.3.3.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination. -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1232685] New: VUL-0: CVE-2024-21537: forgejo: lilconfig: insecure usage of eval in the dynamicImport function
by bugzilla_noreply＠suse.com 31 Oct '24

31 Oct '24

https://bugzilla.suse.com/show_bug.cgi?id=1232685 Bug ID: 1232685 Summary: VUL-0: CVE-2024-21537: forgejo: lilconfig: insecure usage of eval in the dynamicImport function Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other URL: https://smash.suse.de/issue/426383/ OS: Other Status: NEW Severity: Major Priority: P5 - None Component: Security Assignee: security-team(a)suse.de Reporter: camila.matos(a)suse.com QA Contact: security-team(a)suse.de CC: camila.matos(a)suse.com, security-team(a)suse.de, smash_bz(a)suse.de Blocks: 1232672 Target Milestone: --- Found By: Security Response Team Blocker: --- +++ This bug was initially created as a clone of Bug #1232672 +++ Versions of the package lilconfig from 3.1.0 and before 3.1.1 are vulnerable to Arbitrary Code Execution due to the insecure usage of eval in the dynamicImport function. An attacker can exploit this vulnerability by passing a malicious input through the defaultLoaders function. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-21537 https://www.cve.org/CVERecord?id=CVE-2024-21537 https://github.com/antonk52/lilconfig/commit/2c68a1ab8764fc74acc46771e1ad39… https://github.com/antonk52/lilconfig/pull/48 https://github.com/antonk52/lilconfig/releases/tag/v3.1.1 https://security.snyk.io/vuln/SNYK-JS-LILCONFIG-6263789 -- You are receiving this mail because: You are on the CC list for the bug.

1 1

[Bug 1231686] AusweisApp and AusweisApp2 broken with OpenSSL 3.3
by bugzilla_noreply＠suse.com 31 Oct '24

31 Oct '24

https://bugzilla.suse.com/show_bug.cgi?id=1231686 https://bugzilla.suse.com/show_bug.cgi?id=1231686#c14 --- Comment #14 from John Paul Adrian Glaubitz <adrian.glaubitz(a)suse.com> --- (In reply to Michael Hirmke from comment #13) > So when will AusweisApp be usable again? > I urgently need to access my Justizpostfach authenticating via BundID, > Ausweisapp and my passport! Using my smartphone as a cardreader is not > possible, because I have to go through a wireguard vpn to access my network > from the smartphone. You can try to install AusweisApp via flatpak as a workaround in the meantime. Sorry for the inconvenience, but there is nothing I can do about OpenSSL. -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1232684] New: VUL-0: CVE-2024-21537: jupyter-jupyterlab-latex: lilconfig: insecure usage of eval in the dynamicImport function
by bugzilla_noreply＠suse.com 31 Oct '24

31 Oct '24

https://bugzilla.suse.com/show_bug.cgi?id=1232684 Bug ID: 1232684 Summary: VUL-0: CVE-2024-21537: jupyter-jupyterlab-latex: lilconfig: insecure usage of eval in the dynamicImport function Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other URL: https://smash.suse.de/issue/426383/ OS: Other Status: NEW Severity: Major Priority: P5 - None Component: Security Assignee: security-team(a)suse.de Reporter: camila.matos(a)suse.com QA Contact: security-team(a)suse.de CC: camila.matos(a)suse.com, code(a)bnavigator.de, daniel.garcia(a)suse.com, security-team(a)suse.de, smash_bz(a)suse.de Blocks: 1232672 Target Milestone: --- Found By: Security Response Team Blocker: --- +++ This bug was initially created as a clone of Bug #1232672 +++ Versions of the package lilconfig from 3.1.0 and before 3.1.1 are vulnerable to Arbitrary Code Execution due to the insecure usage of eval in the dynamicImport function. An attacker can exploit this vulnerability by passing a malicious input through the defaultLoaders function. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-21537 https://www.cve.org/CVERecord?id=CVE-2024-21537 https://github.com/antonk52/lilconfig/commit/2c68a1ab8764fc74acc46771e1ad39… https://github.com/antonk52/lilconfig/pull/48 https://github.com/antonk52/lilconfig/releases/tag/v3.1.1 https://security.snyk.io/vuln/SNYK-JS-LILCONFIG-6263789 -- You are receiving this mail because: You are on the CC list for the bug.

1 1

[Bug 1232489] YaST NTP Configuration generates improper Transmit Timestamp values in tcpdump
by bugzilla_noreply＠suse.com 31 Oct '24

31 Oct '24

https://bugzilla.suse.com/show_bug.cgi?id=1232489 https://bugzilla.suse.com/show_bug.cgi?id=1232489#c9 Reinhard Max <max(a)suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution|--- |INVALID --- Comment #9 from Reinhard Max <max(a)suse.com> --- I think I found hints in some of the comments in ntp_core.c that indicate that this behavior is intentional for security reasons: /* Don't reveal local time or state of the clock in client packets */ /* Don't reveal timestamps which are not necessary for the protocol */ -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1232683] New: VUL-0: CVE-2024-21537: nodejs-electron: lilconfig: insecure usage of eval in the dynamicImport function
by bugzilla_noreply＠suse.com 31 Oct '24

31 Oct '24

https://bugzilla.suse.com/show_bug.cgi?id=1232683 Bug ID: 1232683 Summary: VUL-0: CVE-2024-21537: nodejs-electron: lilconfig: insecure usage of eval in the dynamicImport function Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other URL: https://smash.suse.de/issue/426383/ OS: Other Status: NEW Severity: Major Priority: P5 - None Component: Security Assignee: security-team(a)suse.de Reporter: camila.matos(a)suse.com QA Contact: security-team(a)suse.de CC: brunopitrus(a)hotmail.com, camila.matos(a)suse.com, security-team(a)suse.de, smash_bz(a)suse.de Blocks: 1232672 Target Milestone: --- Found By: Security Response Team Blocker: --- +++ This bug was initially created as a clone of Bug #1232672 +++ Versions of the package lilconfig from 3.1.0 and before 3.1.1 are vulnerable to Arbitrary Code Execution due to the insecure usage of eval in the dynamicImport function. An attacker can exploit this vulnerability by passing a malicious input through the defaultLoaders function. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-21537 https://www.cve.org/CVERecord?id=CVE-2024-21537 https://github.com/antonk52/lilconfig/commit/2c68a1ab8764fc74acc46771e1ad39… https://github.com/antonk52/lilconfig/pull/48 https://github.com/antonk52/lilconfig/releases/tag/v3.1.1 https://security.snyk.io/vuln/SNYK-JS-LILCONFIG-6263789 -- You are receiving this mail because: You are on the CC list for the bug.

1 1

[Bug 1231800] New: Many problems with kernel prior 6.9 release. AMD platform.
by bugzilla_noreply＠suse.com 31 Oct '24

31 Oct '24

https://bugzilla.suse.com/show_bug.cgi?id=1231800 Bug ID: 1231800 Summary: Many problems with kernel prior 6.9 release. AMD platform. Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: x86-64 OS: openSUSE Tumbleweed Status: NEW Severity: Critical Priority: P5 - None Component: Kernel Assignee: kernel-bugs(a)opensuse.org Reporter: slawek(a)lach.art.pl QA Contact: qa-bugs(a)suse.de Target Milestone: --- Found By: --- Blocker: --- User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:131.0) Gecko/20100101 Firefox/131.0 Build Identifier: I currently must work on kernel 6.8, cause any newer causes serious problem. I trying many thinks, but nothing helps. Firstly, this bug may be related to closed source NVidia driver. Kernel many times do panic and print some debug info with NVidia string. I try to disable nvidia module. Blacklisting does nothing, so I removed it and try to ran 6.11 kernel. But, I do not disable NVidia service and maybe I unfortunately install it again. Meanwhile, I got information about update in discover and it hangs on installing updates. I try with zypper and I must accept license for NVidia. Discover do not ask for accepting license in previous event, so I think NVidia kernel was installed again, without my knowledge, as I described. When installing via zypper, system halt and sound was playing in loop. Fortunaty, I installed NVidia service and remove nvidia drivers via zypper and test 6.11 again. System many times complained about XFS (/home) filesystem error. Plasma 6.2 then reset and default settings was loaded. I currently, again working on 6.8. Related info: https://www.gamingonlinux.com/2024/08/nvidia-driver-with-linux-kernel-6-10-… . https://forums.opensuse.org/t/when-kernels-e8c6092e52f8-will-be-applied-on-… https://forums.opensuse.org/t/asus-zenbook-flip-15-kernel-6-9-fail-to-boot/… Thanks. Reproducible: Sometimes Steps to Reproduce: 1. Ran system, play many web games (freecivweb, total battle, forge of empires, the settlers: online, tentlan, etc.) at once, play video. Actual Results: On 6.8 no problems, but on newer multiple problems. I am not sure system is hanging, because it may be related to NVidia driver, but sometimes system complained about filesystem is mounted read only. Expected Results: Everything working without problems, like in 6.8. My laptop is ASUS ZenBook Flip 15. Operating System: openSUSE Tumbleweed 20241016 KDE Plasma Version: 6.2.1 KDE Frameworks Version: 6.7.0 Qt Version: 6.7.3 Kernel Version: 6.8.9-1-default (64-bit) Graphics Platform: Wayland Processors: 8 × AMD Ryzen 7 4700U with Radeon Graphics Memory: 15.0 GiB of RAM Graphics Processor: AMD Radeon Graphics Manufacturer: ASUSTeK COMPUTER INC. Product Name: ZenBook UX562IQ_UM562IQ System Version: 1.0 -- You are receiving this mail because: You are on the CC list for the bug.

1 22

[Bug 1232682] New: VUL-0: CVE-2024-21537: python-jupyterlab-templates: lilconfig: insecure usage of eval in the dynamicImport function
by bugzilla_noreply＠suse.com 31 Oct '24

31 Oct '24

https://bugzilla.suse.com/show_bug.cgi?id=1232682 Bug ID: 1232682 Summary: VUL-0: CVE-2024-21537: python-jupyterlab-templates: lilconfig: insecure usage of eval in the dynamicImport function Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other URL: https://smash.suse.de/issue/426383/ OS: Other Status: NEW Severity: Major Priority: P5 - None Component: Security Assignee: security-team(a)suse.de Reporter: camila.matos(a)suse.com QA Contact: security-team(a)suse.de CC: camila.matos(a)suse.com, python-maintainers(a)suse.com, security-team(a)suse.de, smash_bz(a)suse.de Blocks: 1232672 Target Milestone: --- Found By: Security Response Team Blocker: --- +++ This bug was initially created as a clone of Bug #1232672 +++ Versions of the package lilconfig from 3.1.0 and before 3.1.1 are vulnerable to Arbitrary Code Execution due to the insecure usage of eval in the dynamicImport function. An attacker can exploit this vulnerability by passing a malicious input through the defaultLoaders function. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-21537 https://www.cve.org/CVERecord?id=CVE-2024-21537 https://github.com/antonk52/lilconfig/commit/2c68a1ab8764fc74acc46771e1ad39… https://github.com/antonk52/lilconfig/pull/48 https://github.com/antonk52/lilconfig/releases/tag/v3.1.1 https://security.snyk.io/vuln/SNYK-JS-LILCONFIG-6263789 -- You are receiving this mail because: You are on the CC list for the bug.

1 1

[Bug 1232681] New: VUL-0: CVE-2024-21537: python-pydata-sphinx-theme: lilconfig: insecure usage of eval in the dynamicImport function
by bugzilla_noreply＠suse.com 31 Oct '24

31 Oct '24

https://bugzilla.suse.com/show_bug.cgi?id=1232681 Bug ID: 1232681 Summary: VUL-0: CVE-2024-21537: python-pydata-sphinx-theme: lilconfig: insecure usage of eval in the dynamicImport function Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other URL: https://smash.suse.de/issue/426383/ OS: Other Status: NEW Severity: Major Priority: P5 - None Component: Security Assignee: security-team(a)suse.de Reporter: camila.matos(a)suse.com QA Contact: security-team(a)suse.de CC: camila.matos(a)suse.com, python-maintainers(a)suse.com, security-team(a)suse.de, smash_bz(a)suse.de Depends on: 1232672 Target Milestone: --- Found By: Security Response Team Blocker: --- +++ This bug was initially created as a clone of Bug #1232672 +++ Versions of the package lilconfig from 3.1.0 and before 3.1.1 are vulnerable to Arbitrary Code Execution due to the insecure usage of eval in the dynamicImport function. An attacker can exploit this vulnerability by passing a malicious input through the defaultLoaders function. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-21537 https://www.cve.org/CVERecord?id=CVE-2024-21537 https://github.com/antonk52/lilconfig/commit/2c68a1ab8764fc74acc46771e1ad39… https://github.com/antonk52/lilconfig/pull/48 https://github.com/antonk52/lilconfig/releases/tag/v3.1.1 https://security.snyk.io/vuln/SNYK-JS-LILCONFIG-6263789 -- You are receiving this mail because: You are on the CC list for the bug.

1 2

[Bug 1232679] New: VUL-0: CVE-2024-21537: xpra-html5: lilconfig: insecure usage of eval in the dynamicImport function
by bugzilla_noreply＠suse.com 31 Oct '24

31 Oct '24

https://bugzilla.suse.com/show_bug.cgi?id=1232679 Bug ID: 1232679 Summary: VUL-0: CVE-2024-21537: xpra-html5: lilconfig: insecure usage of eval in the dynamicImport function Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other URL: https://smash.suse.de/issue/426383/ OS: Other Status: NEW Severity: Major Priority: P5 - None Component: Security Assignee: security-team(a)suse.de Reporter: camila.matos(a)suse.com QA Contact: security-team(a)suse.de CC: camila.matos(a)suse.com, scott.bradnick(a)suse.com, security-team(a)suse.de, smash_bz(a)suse.de Blocks: 1232672 Target Milestone: --- Found By: Security Response Team Blocker: --- +++ This bug was initially created as a clone of Bug #1232672 +++ Versions of the package lilconfig from 3.1.0 and before 3.1.1 are vulnerable to Arbitrary Code Execution due to the insecure usage of eval in the dynamicImport function. An attacker can exploit this vulnerability by passing a malicious input through the defaultLoaders function. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-21537 https://www.cve.org/CVERecord?id=CVE-2024-21537 https://github.com/antonk52/lilconfig/commit/2c68a1ab8764fc74acc46771e1ad39… https://github.com/antonk52/lilconfig/pull/48 https://github.com/antonk52/lilconfig/releases/tag/v3.1.1 https://security.snyk.io/vuln/SNYK-JS-LILCONFIG-6263789 -- You are receiving this mail because: You are on the CC list for the bug.

1 1