October 2024 - openSUSE Bugs - openSUSE Mailing Lists

[Bug 1231686] AusweisApp and AusweisApp2 broken with OpenSSL 3.3
by bugzilla_noreply＠suse.com 31 Oct '24

31 Oct '24

https://bugzilla.suse.com/show_bug.cgi?id=1231686 https://bugzilla.suse.com/show_bug.cgi?id=1231686#c15 --- Comment #15 from Marcus Meissner <meissner(a)suse.com> --- I am happy with applying fedoras patch for now, testbuild here: home:msmeissn:branches:security/AusweisApp -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1232688] New: VUL-0: CVE-2024-21537: bitwarden: lilconfig: insecure usage of eval in the dynamicImport function
by bugzilla_noreply＠suse.com 31 Oct '24

31 Oct '24

https://bugzilla.suse.com/show_bug.cgi?id=1232688 Bug ID: 1232688 Summary: VUL-0: CVE-2024-21537: bitwarden: lilconfig: insecure usage of eval in the dynamicImport function Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other URL: https://smash.suse.de/issue/426383/ OS: Other Status: NEW Severity: Major Priority: P5 - None Component: Security Assignee: security-team(a)suse.de Reporter: camila.matos(a)suse.com QA Contact: security-team(a)suse.de CC: brunopitrus(a)hotmail.com, camila.matos(a)suse.com, security-team(a)suse.de, smash_bz(a)suse.de Blocks: 1232672 Target Milestone: --- Found By: Security Response Team Blocker: --- +++ This bug was initially created as a clone of Bug #1232672 +++ Versions of the package lilconfig from 3.1.0 and before 3.1.1 are vulnerable to Arbitrary Code Execution due to the insecure usage of eval in the dynamicImport function. An attacker can exploit this vulnerability by passing a malicious input through the defaultLoaders function. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-21537 https://www.cve.org/CVERecord?id=CVE-2024-21537 https://github.com/antonk52/lilconfig/commit/2c68a1ab8764fc74acc46771e1ad39… https://github.com/antonk52/lilconfig/pull/48 https://github.com/antonk52/lilconfig/releases/tag/v3.1.1 https://security.snyk.io/vuln/SNYK-JS-LILCONFIG-6263789 -- You are receiving this mail because: You are on the CC list for the bug.

1 1

[Bug 1232686] New: VUL-0: CVE-2024-21537: element-web: lilconfig: insecure usage of eval in the dynamicImport function
by bugzilla_noreply＠suse.com 31 Oct '24

31 Oct '24

https://bugzilla.suse.com/show_bug.cgi?id=1232686 Bug ID: 1232686 Summary: VUL-0: CVE-2024-21537: element-web: lilconfig: insecure usage of eval in the dynamicImport function Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other URL: https://smash.suse.de/issue/426383/ OS: Other Status: NEW Severity: Major Priority: P5 - None Component: Security Assignee: security-team(a)suse.de Reporter: camila.matos(a)suse.com QA Contact: security-team(a)suse.de CC: camila.matos(a)suse.com, dheidler(a)suse.com, marius.kittler(a)suse.com, okurz(a)suse.com, security-team(a)suse.de, smash_bz(a)suse.de Blocks: 1232672 Target Milestone: --- Found By: Security Response Team Blocker: --- +++ This bug was initially created as a clone of Bug #1232672 +++ Versions of the package lilconfig from 3.1.0 and before 3.1.1 are vulnerable to Arbitrary Code Execution due to the insecure usage of eval in the dynamicImport function. An attacker can exploit this vulnerability by passing a malicious input through the defaultLoaders function. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-21537 https://www.cve.org/CVERecord?id=CVE-2024-21537 https://github.com/antonk52/lilconfig/commit/2c68a1ab8764fc74acc46771e1ad39… https://github.com/antonk52/lilconfig/pull/48 https://github.com/antonk52/lilconfig/releases/tag/v3.1.1 https://security.snyk.io/vuln/SNYK-JS-LILCONFIG-6263789 -- You are receiving this mail because: You are on the CC list for the bug.

1 1

[Bug 1230236] Opensuse 15.6 Tiger Lake-LP Smart Sound Technology Audio Controller no output
by bugzilla_noreply＠suse.com 31 Oct '24

31 Oct '24

https://bugzilla.suse.com/show_bug.cgi?id=1230236 https://bugzilla.suse.com/show_bug.cgi?id=1230236#c26 --- Comment #26 from Maintenance Automation <maint-coord+maintenance-robot(a)suse.de> --- SUSE-RU-2024:3845-1: An update that contains two features and has one fix can now be installed. URL: https://www.suse.com/support/update/announcement/2024/suse-ru-20243845-1 Category: recommended (moderate) Bug References: 1230236 Jira References: PED-10202, PED-9993 Maintenance Incident: [SUSE:Maintenance:36145](https://smelt.suse.de/incident/36145/) Sources used: openSUSE Leap 15.6 (src): sof-firmware-2024.09-150600.3.3.1 Desktop Applications Module 15-SP6 (src): sof-firmware-2024.09-150600.3.3.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination. -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1232685] New: VUL-0: CVE-2024-21537: forgejo: lilconfig: insecure usage of eval in the dynamicImport function
by bugzilla_noreply＠suse.com 31 Oct '24

31 Oct '24

https://bugzilla.suse.com/show_bug.cgi?id=1232685 Bug ID: 1232685 Summary: VUL-0: CVE-2024-21537: forgejo: lilconfig: insecure usage of eval in the dynamicImport function Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other URL: https://smash.suse.de/issue/426383/ OS: Other Status: NEW Severity: Major Priority: P5 - None Component: Security Assignee: security-team(a)suse.de Reporter: camila.matos(a)suse.com QA Contact: security-team(a)suse.de CC: camila.matos(a)suse.com, security-team(a)suse.de, smash_bz(a)suse.de Blocks: 1232672 Target Milestone: --- Found By: Security Response Team Blocker: --- +++ This bug was initially created as a clone of Bug #1232672 +++ Versions of the package lilconfig from 3.1.0 and before 3.1.1 are vulnerable to Arbitrary Code Execution due to the insecure usage of eval in the dynamicImport function. An attacker can exploit this vulnerability by passing a malicious input through the defaultLoaders function. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-21537 https://www.cve.org/CVERecord?id=CVE-2024-21537 https://github.com/antonk52/lilconfig/commit/2c68a1ab8764fc74acc46771e1ad39… https://github.com/antonk52/lilconfig/pull/48 https://github.com/antonk52/lilconfig/releases/tag/v3.1.1 https://security.snyk.io/vuln/SNYK-JS-LILCONFIG-6263789 -- You are receiving this mail because: You are on the CC list for the bug.

1 1

[Bug 1231686] AusweisApp and AusweisApp2 broken with OpenSSL 3.3
by bugzilla_noreply＠suse.com 31 Oct '24

31 Oct '24

https://bugzilla.suse.com/show_bug.cgi?id=1231686 https://bugzilla.suse.com/show_bug.cgi?id=1231686#c14 --- Comment #14 from John Paul Adrian Glaubitz <adrian.glaubitz(a)suse.com> --- (In reply to Michael Hirmke from comment #13) > So when will AusweisApp be usable again? > I urgently need to access my Justizpostfach authenticating via BundID, > Ausweisapp and my passport! Using my smartphone as a cardreader is not > possible, because I have to go through a wireguard vpn to access my network > from the smartphone. You can try to install AusweisApp via flatpak as a workaround in the meantime. Sorry for the inconvenience, but there is nothing I can do about OpenSSL. -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1232684] New: VUL-0: CVE-2024-21537: jupyter-jupyterlab-latex: lilconfig: insecure usage of eval in the dynamicImport function
by bugzilla_noreply＠suse.com 31 Oct '24

31 Oct '24

https://bugzilla.suse.com/show_bug.cgi?id=1232684 Bug ID: 1232684 Summary: VUL-0: CVE-2024-21537: jupyter-jupyterlab-latex: lilconfig: insecure usage of eval in the dynamicImport function Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other URL: https://smash.suse.de/issue/426383/ OS: Other Status: NEW Severity: Major Priority: P5 - None Component: Security Assignee: security-team(a)suse.de Reporter: camila.matos(a)suse.com QA Contact: security-team(a)suse.de CC: camila.matos(a)suse.com, code(a)bnavigator.de, daniel.garcia(a)suse.com, security-team(a)suse.de, smash_bz(a)suse.de Blocks: 1232672 Target Milestone: --- Found By: Security Response Team Blocker: --- +++ This bug was initially created as a clone of Bug #1232672 +++ Versions of the package lilconfig from 3.1.0 and before 3.1.1 are vulnerable to Arbitrary Code Execution due to the insecure usage of eval in the dynamicImport function. An attacker can exploit this vulnerability by passing a malicious input through the defaultLoaders function. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-21537 https://www.cve.org/CVERecord?id=CVE-2024-21537 https://github.com/antonk52/lilconfig/commit/2c68a1ab8764fc74acc46771e1ad39… https://github.com/antonk52/lilconfig/pull/48 https://github.com/antonk52/lilconfig/releases/tag/v3.1.1 https://security.snyk.io/vuln/SNYK-JS-LILCONFIG-6263789 -- You are receiving this mail because: You are on the CC list for the bug.

1 1

[Bug 1232489] YaST NTP Configuration generates improper Transmit Timestamp values in tcpdump
by bugzilla_noreply＠suse.com 31 Oct '24

31 Oct '24

https://bugzilla.suse.com/show_bug.cgi?id=1232489 https://bugzilla.suse.com/show_bug.cgi?id=1232489#c9 Reinhard Max <max(a)suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution|--- |INVALID --- Comment #9 from Reinhard Max <max(a)suse.com> --- I think I found hints in some of the comments in ntp_core.c that indicate that this behavior is intentional for security reasons: /* Don't reveal local time or state of the clock in client packets */ /* Don't reveal timestamps which are not necessary for the protocol */ -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1232683] New: VUL-0: CVE-2024-21537: nodejs-electron: lilconfig: insecure usage of eval in the dynamicImport function
by bugzilla_noreply＠suse.com 31 Oct '24

31 Oct '24

https://bugzilla.suse.com/show_bug.cgi?id=1232683 Bug ID: 1232683 Summary: VUL-0: CVE-2024-21537: nodejs-electron: lilconfig: insecure usage of eval in the dynamicImport function Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other URL: https://smash.suse.de/issue/426383/ OS: Other Status: NEW Severity: Major Priority: P5 - None Component: Security Assignee: security-team(a)suse.de Reporter: camila.matos(a)suse.com QA Contact: security-team(a)suse.de CC: brunopitrus(a)hotmail.com, camila.matos(a)suse.com, security-team(a)suse.de, smash_bz(a)suse.de Blocks: 1232672 Target Milestone: --- Found By: Security Response Team Blocker: --- +++ This bug was initially created as a clone of Bug #1232672 +++ Versions of the package lilconfig from 3.1.0 and before 3.1.1 are vulnerable to Arbitrary Code Execution due to the insecure usage of eval in the dynamicImport function. An attacker can exploit this vulnerability by passing a malicious input through the defaultLoaders function. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-21537 https://www.cve.org/CVERecord?id=CVE-2024-21537 https://github.com/antonk52/lilconfig/commit/2c68a1ab8764fc74acc46771e1ad39… https://github.com/antonk52/lilconfig/pull/48 https://github.com/antonk52/lilconfig/releases/tag/v3.1.1 https://security.snyk.io/vuln/SNYK-JS-LILCONFIG-6263789 -- You are receiving this mail because: You are on the CC list for the bug.

1 1

[Bug 1232682] New: VUL-0: CVE-2024-21537: python-jupyterlab-templates: lilconfig: insecure usage of eval in the dynamicImport function
by bugzilla_noreply＠suse.com 31 Oct '24

31 Oct '24

https://bugzilla.suse.com/show_bug.cgi?id=1232682 Bug ID: 1232682 Summary: VUL-0: CVE-2024-21537: python-jupyterlab-templates: lilconfig: insecure usage of eval in the dynamicImport function Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other URL: https://smash.suse.de/issue/426383/ OS: Other Status: NEW Severity: Major Priority: P5 - None Component: Security Assignee: security-team(a)suse.de Reporter: camila.matos(a)suse.com QA Contact: security-team(a)suse.de CC: camila.matos(a)suse.com, python-maintainers(a)suse.com, security-team(a)suse.de, smash_bz(a)suse.de Blocks: 1232672 Target Milestone: --- Found By: Security Response Team Blocker: --- +++ This bug was initially created as a clone of Bug #1232672 +++ Versions of the package lilconfig from 3.1.0 and before 3.1.1 are vulnerable to Arbitrary Code Execution due to the insecure usage of eval in the dynamicImport function. An attacker can exploit this vulnerability by passing a malicious input through the defaultLoaders function. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-21537 https://www.cve.org/CVERecord?id=CVE-2024-21537 https://github.com/antonk52/lilconfig/commit/2c68a1ab8764fc74acc46771e1ad39… https://github.com/antonk52/lilconfig/pull/48 https://github.com/antonk52/lilconfig/releases/tag/v3.1.1 https://security.snyk.io/vuln/SNYK-JS-LILCONFIG-6263789 -- You are receiving this mail because: You are on the CC list for the bug.

1 1