May 2024 - openSUSE Bugs - openSUSE Mailing Lists

[Bug 1222137] New: SeaMonkey: update to 2.53.18.2
by bugzilla_noreply＠suse.com 05 Sep '24

05 Sep '24

https://bugzilla.suse.com/show_bug.cgi?id=1222137 Bug ID: 1222137 Summary: SeaMonkey: update to 2.53.18.2 Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.5 Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Firefox Assignee: factory-mozilla(a)lists.opensuse.org Reporter: psychonaut(a)nothingisreal.com QA Contact: qa-bugs(a)suse.de CC: factory-mozilla(a)lists.opensuse.org, linux(a)daniel-bauer.com, maintenance(a)opensuse.org, Manfred.Haertel(a)rz-online.de, meissner(a)suse.com, qa-bugs(a)suse.de, security-team(a)suse.de, wolfgang.engel(a)suse.com Depends on: 1218961 Target Milestone: --- Found By: --- Blocker: --- +++ This bug was initially created as a clone of Bug #1218961 +++ Please update the SeaMonkey package in 15.5 and 15.6 to the SeaMonkey 2.53.18.2 packages provided by the mozilla/seamonkey package on OBS: <https://build.opensuse.org/package/show/mozilla/seamonkey> The latest version of SeaMonkey, 2.53.18.2, released on 28 March 2024, contains new backports of important security fixes from Firefox 115.9 and Thunderbird 115.9 ESR. -- You are receiving this mail because: You are on the CC list for the bug.

1 1

[Bug 1213521] New: shairport-sync: missing dependency: avahi
by bugzilla_noreply＠suse.com 05 Sep '24

05 Sep '24

https://bugzilla.suse.com/show_bug.cgi?id=1213521 Bug ID: 1213521 Summary: shairport-sync: missing dependency: avahi Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Sound Assignee: tiwai(a)suse.com Reporter: wolfgang.frisch(a)suse.com QA Contact: qa-bugs(a)suse.de Target Milestone: --- Found By: --- Blocker: --- openSUSE:Factory/shairport-sync shairport-sync.spec is missing: Requires: avahi Steps to reproduce on a minimal Tumbleweed installation: # zypper in shairport-sync # systemctl start shairport-sync > Failed to start shairport-sync.service: Unit avahi-daemon.service not found. `zypper in avahi` fixes this. -- You are receiving this mail because: You are on the CC list for the bug.

1 3

[Bug 1213486] New: [Build 44.3] openQA test fails in fanotify14
by bugzilla_noreply＠suse.com 04 Sep '24

04 Sep '24

https://bugzilla.suse.com/show_bug.cgi?id=1213486 Bug ID: 1213486 Summary: [Build 44.3] openQA test fails in fanotify14 Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.4 Hardware: Other URL: https://openqa.opensuse.org/tests/3439183/modules/fano tify14/steps/7 OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Kernel Assignee: kernel-bugs(a)opensuse.org Reporter: fvogt(a)suse.com QA Contact: qa-bugs(a)suse.de Target Milestone: --- Found By: openQA Blocker: Yes ## Observation openQA test in scenario opensuse-15.4-JeOS-for-kvm-and-xen-x86_64-jeos-ltp-syscalls@64bit_virtio fails in [fanotify14](https://openqa.opensuse.org/tests/3439183/modules/fanotify14/st… ## Test suite description ## Reproducible Fails since (at least) Build [44.2](https://openqa.opensuse.org/tests/3438422) ## Expected result Last good: [44.1](https://openqa.opensuse.org/tests/3436580) (or more recent) ## Further details Always latest result in this scenario: [latest](https://openqa.opensuse.org/tests/latest?arch=x86_64&distri=opensus… -- You are receiving this mail because: You are on the CC list for the bug.

1 8

[Bug 1216121] New: rust1.7{1,2,3} fail to build with newest binutils
by bugzilla_noreply＠suse.com 04 Sep '24

04 Sep '24

https://bugzilla.suse.com/show_bug.cgi?id=1216121 Bug ID: 1216121 Summary: rust1.7{1,2,3} fail to build with newest binutils Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Keywords: build Severity: Normal Priority: P5 - None Component: Development Assignee: screening-team-bugs(a)suse.de Reporter: burnus(a)gmx.de QA Contact: qa-bugs(a)suse.de CC: william.brown(a)suse.com Target Milestone: --- Found By: --- Blocker: --- I have no idea why rust1.7{1,2,3} fails, I just note that with the new binutils https://build.opensuse.org/request/show/1113885 as shown below. The current error message does not point to anything obvious with regards to binutils - but looks more like a generic Rust build issue. But it as it does compile on opensuse:Factory, it must have something to do with binutils. The fails is: [ 191s] Finished release [optimized] target(s) in 1m 54s [ 192s] Building LLD for x86_64-unknown-linux-gnu ... [ 192s] CMake Deprecation Warning at /home/abuild/rpmbuild/BUILD/rustc-1.73.0-src/src/llvm-project/cmake/Modules/CMakePolicy.cmake:6 (cmake_policy): [ 192s] The OLD behavior for policy CMP0114 will be removed from a future version [ 192s] of CMake. [ 192s] [ 192s] The cmake-policies(7) manual explains that the OLD behaviors of all [ 192s] policies are deprecated and that a policy should be set to OLD only under [ 192s] specific short-term circumstances. Projects should be ported to the NEW [ 192s] behavior and not rely on setting a policy to OLD. [ 192s] Call Stack (most recent call first): [ 192s] CMakeLists.txt:6 (include) [ 192s] [ 192s] [ 192s] -- The C compiler identification is GNU 13.2.1 [ 192s] -- The CXX compiler identification is GNU 13.2.1 [ 192s] -- Detecting C compiler ABI info [ 192s] -- Detecting C compiler ABI info - done ... [ 194s] -- Configuring done (2.2s) [ 194s] CMake Error at /usr/lib64/cmake/llvm/AddLLVM.cmake:714 (target_link_libraries): [ 194s] Target "lldELF" links to: [ 194s] [ 194s] zstd::libzstd_static [ 194s] [ 194s] but the target was not found. Possible reasons include: [ 194s] [ 194s] * There is a typo in the target name. [ 194s] * A find_package call is missing for an IMPORTED target. [ 194s] * An ALIAS target is missing. [ 194s] [ 194s] Call Stack (most recent call first): [ 194s] cmake/modules/AddLLD.cmake:13 (llvm_add_library) [ 194s] ELF/CMakeLists.txt:21 (add_lld_library) [ 194s] [ 194s] [ 194s] -- Generating done (0.0s) [ 194s] CMake Warning: [ 194s] Manually-specified variables were not used by the project: [ 194s] [ 194s] CMAKE_ASM_COMPILER [ 194s] [ 194s] [ 194s] CMake Generate step failed. Build files cannot be regenerated correctly. [ 194s] thread 'main' panicked at /home/abuild/rpmbuild/BUILD/rustc-1.73.0-src/vendor/cmake/src/lib.rs:975:5: [ 194s] [ 194s] command did not execute successfully, got: exit status: 1 [ 194s] [ 194s] build script failed, must exit now [ 194s] note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace [ 194s] finished in 2.256 seconds [ 194s] Build completed unsuccessfully in 0:02:30 [ 194s] error: Bad exit status from /var/tmp/rpm-tmp.YhjGx1 (%build) -- You are receiving this mail because: You are on the CC list for the bug.

1 5

[Bug 1219882] New: Adapt package dd_rescue to build with OpenSSL 3
by bugzilla_noreply＠suse.com 03 Sep '24

03 Sep '24

https://bugzilla.suse.com/show_bug.cgi?id=1219882 Bug ID: 1219882 Summary: Adapt package dd_rescue to build with OpenSSL 3 Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Other Assignee: screening-team-bugs(a)suse.de Reporter: otto.hollmann(a)suse.com QA Contact: qa-bugs(a)suse.de Target Milestone: --- Found By: --- Blocker: --- Package dd_rescue requires openssl 1.1.1 that is EOL and we would like to remove it from Factory. > # Workaround for bsc#1193438 > BuildRequires: libopenssl-1_1-devel Please check tracker bug 1219879 for more details. -- You are receiving this mail because: You are on the CC list for the bug.

1 7

[Bug 1215937] New: VUL-0: CVE-2023-43907: optipng: global buffer overflow via the 'buffer' variable at gifread.c
by bugzilla_noreply＠suse.com 03 Sep '24

03 Sep '24

https://bugzilla.suse.com/show_bug.cgi?id=1215937 Bug ID: 1215937 Summary: VUL-0: CVE-2023-43907: optipng: global buffer overflow via the 'buffer' variable at gifread.c Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other URL: https://smash.suse.de/issue/380479/ OS: Other Status: NEW Severity: Major Priority: P5 - None Component: Security Assignee: pgajdos(a)suse.com Reporter: smash_bz(a)suse.de QA Contact: security-team(a)suse.de CC: gabriele.sonnu(a)suse.com Target Milestone: --- Found By: Security Response Team Blocker: --- OptiPNG v0.7.7 was discovered to contain a global buffer overflow via the 'buffer' variable at gifread.c. References: https://github.com/Frank-Z7/z-vulnerabilitys/blob/main/optipng-global-buffe… http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-43907 -- You are receiving this mail because: You are on the CC list for the bug.

1 17

[Bug 1224065] New: spectacle doesn't work anymore since update to 24.02.2
by bugzilla_noreply＠suse.com 03 Sep '24

03 Sep '24

https://bugzilla.suse.com/show_bug.cgi?id=1224065 Bug ID: 1224065 Summary: spectacle doesn't work anymore since update to 24.02.2 Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: KDE Applications Assignee: opensuse-kde-bugs(a)opensuse.org Reporter: alex.hucke(a)gmail.com QA Contact: qa-bugs(a)suse.de Target Milestone: --- Found By: --- Blocker: --- /usr/bin/spectacle doesn't start /usr/bin/spectacle starts, but disappears as soon as you try to do a screenshot System: Operating System: openSUSE Tumbleweed-Slowroll 20240429 KDE Plasma Version: 6.0.4 KDE Frameworks Version: 6.1.0 Qt Version: 6.7.0 Kernel Version: 6.8.8-1-default (64-bit) Graphics Platform: X11 Processors: 12 × AMD Ryzen 5 3600 6-Core Processor Memory: 15.6 GiB of RAM Graphics Processor: AMD Radeon RX 6600 Manufacturer: Micro-Star International Co., Ltd Product Name: MS-7B86 System Version: 4.0 -- You are receiving this mail because: You are on the CC list for the bug.

1 1

[Bug 1224239] New: VUL-0: CVE-2024-31460: cacti: SQL injection vulnerability when using tree rules through Automation API
by bugzilla_noreply＠suse.com 02 Sep '24

02 Sep '24

https://bugzilla.suse.com/show_bug.cgi?id=1224239 Bug ID: 1224239 Summary: VUL-0: CVE-2024-31460: cacti: SQL injection vulnerability when using tree rules through Automation API Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other URL: https://smash.suse.de/issue/405132/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: Andreas.Stieger(a)gmx.de Reporter: smash_bz(a)suse.de QA Contact: security-team(a)suse.de CC: camila.matos(a)suse.com Target Milestone: --- Found By: Security Response Team Blocker: --- Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, some of the data stored in `automation_tree_rules.php` is not thoroughly checked and is used to concatenate the SQL statement in `create_all_header_nodes()` function from `lib/api_automation.php` , finally resulting in SQL injection. Using SQL based secondary injection technology, attackers can modify the contents of the Cacti database, and based on the modified content, it may be possible to achieve further impact, such as arbitrary file reading, and even remote code execution through arbitrary file writing. Version 1.2.27 contains a patch for the issue. References: https://github.com/Cacti/cacti/security/advisories/GHSA-cx8g-hvq8-p2rv https://github.com/Cacti/cacti/security/advisories/GHSA-gj3f-p326-gh8r http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-31460 https://www.cve.org/CVERecord?id=CVE-2024-31460 -- You are receiving this mail because: You are on the CC list for the bug.

1 3

[Bug 1224238] New: VUL-0: CVE-2024-31459: cacti: file inclusion issue in the `lib/plugin.php` file
by bugzilla_noreply＠suse.com 02 Sep '24

02 Sep '24

https://bugzilla.suse.com/show_bug.cgi?id=1224238 Bug ID: 1224238 Summary: VUL-0: CVE-2024-31459: cacti: file inclusion issue in the `lib/plugin.php` file Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other URL: https://smash.suse.de/issue/405131/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: Andreas.Stieger(a)gmx.de Reporter: smash_bz(a)suse.de QA Contact: security-team(a)suse.de CC: camila.matos(a)suse.com Target Milestone: --- Found By: Security Response Team Blocker: --- Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, there is a file inclusion issue in the `lib/plugin.php` file. Combined with SQL injection vulnerabilities, remote code execution can be implemented. There is a file inclusion issue with the `api_plugin_hook()` function in the `lib/plugin.php` file, which reads the plugin_hooks and plugin_config tables in database. The read data is directly used to concatenate the file path which is used for file inclusion. Version 1.2.27 contains a patch for the issue. References: https://github.com/Cacti/cacti/security/advisories/GHSA-pfh9-gwm6-86vp http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-31459 https://www.cve.org/CVERecord?id=CVE-2024-31459 https://github.com/Cacti/cacti/security/advisories/GHSA-cx8g-hvq8-p2rv https://github.com/Cacti/cacti/security/advisories/GHSA-gj3f-p326-gh8r -- You are receiving this mail because: You are on the CC list for the bug.

1 4

[Bug 1224237] New: VUL-0: CVE-2024-31445: cacti: SQL injection vulnerability when retrieving graphs using Automation API
by bugzilla_noreply＠suse.com 02 Sep '24

02 Sep '24

https://bugzilla.suse.com/show_bug.cgi?id=1224237 Bug ID: 1224237 Summary: VUL-0: CVE-2024-31445: cacti: SQL injection vulnerability when retrieving graphs using Automation API Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other URL: https://smash.suse.de/issue/405129/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: Andreas.Stieger(a)gmx.de Reporter: smash_bz(a)suse.de QA Contact: security-team(a)suse.de CC: camila.matos(a)suse.com Target Milestone: --- Found By: Security Response Team Blocker: --- Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, a SQL injection vulnerability in `automation_get_new_graphs_sql` function of `api_automation.php` allows authenticated users to exploit these SQL injection vulnerabilities to perform privilege escalation and remote code execution. In `api_automation.php` line 856, the `get_request_var('filter')` is being concatenated into the SQL statement without any sanitization. In `api_automation.php` line 717, The filter of `'filter'` is `FILTER_DEFAULT`, which means there is no filter for it. Version 1.2.27 contains a patch for the issue. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-31445 https://www.cve.org/CVERecord?id=CVE-2024-31445 https://github.com/Cacti/cacti/blob/501712998589763d411a68d35e3cda98fd9cfd1… https://github.com/Cacti/cacti/blob/501712998589763d411a68d35e3cda98fd9cfd1… https://github.com/Cacti/cacti/commit/fd93c6e47651958b77c3bbe6a01fff695f81e… https://github.com/Cacti/cacti/security/advisories/GHSA-vjph-r677-6pcc -- You are receiving this mail because: You are on the CC list for the bug.

1 3