July 2024 - openSUSE Bugs - openSUSE Mailing Lists

[Bug 1224231] New: VUL-0: CVE-2024-29894: cacti: residual cross-site scripting vulnerability caused by incomplete fix
by bugzilla_noreply＠suse.com 02 Sep '24

02 Sep '24

https://bugzilla.suse.com/show_bug.cgi?id=1224231 Bug ID: 1224231 Summary: VUL-0: CVE-2024-29894: cacti: residual cross-site scripting vulnerability caused by incomplete fix Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other URL: https://smash.suse.de/issue/405104/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: Andreas.Stieger(a)gmx.de Reporter: smash_bz(a)suse.de QA Contact: security-team(a)suse.de CC: camila.matos(a)suse.com Target Milestone: --- Found By: Security Response Team Blocker: --- Cacti provides an operational monitoring and fault management framework. Versions of Cacti prior to 1.2.27 contain a residual cross-site scripting vulnerability caused by an incomplete fix for CVE-2023-50250. `raise_message_javascript` from `lib/functions.php` now uses purify.js to fix CVE-2023-50250 (among others). However, it still generates the code out of unescaped PHP variables `$title` and `$header`. If those variables contain single quotes, they can be used to inject JavaScript code. An attacker exploiting this vulnerability could execute actions on behalf of other users. This ability to impersonate users could lead to unauthorized changes to settings. Version 1.2.27 fixes this issue. References: https://github.com/Cacti/cacti/security/advisories/GHSA-xwqc-7jc4-xm73 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-29894 https://www.cve.org/CVERecord?id=CVE-2024-29894 https://github.com/Cacti/cacti/security/advisories/GHSA-grj5-8fcj-34gh -- You are receiving this mail because: You are on the CC list for the bug.

1 4

[Bug 1224230] New: VUL-0: CVE-2024-27082: cacti: stored cross-site scripting vulnerability when managing trees
by bugzilla_noreply＠suse.com 02 Sep '24

02 Sep '24

https://bugzilla.suse.com/show_bug.cgi?id=1224230 Bug ID: 1224230 Summary: VUL-0: CVE-2024-27082: cacti: stored cross-site scripting vulnerability when managing trees Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other URL: https://smash.suse.de/issue/405061/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: Andreas.Stieger(a)gmx.de Reporter: smash_bz(a)suse.de QA Contact: security-team(a)suse.de CC: camila.matos(a)suse.com Target Milestone: --- Found By: Security Response Team Blocker: --- Cacti provides an operational monitoring and fault management framework. Versions of Cacti prior to 1.2.27 are vulnerable to stored cross-site scripting, a type of cross-site scripting where malicious scripts are permanently stored on a target server and served to users who access a particular page. Version 1.2.27 contains a patch for the issue. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-27082 https://www.cve.org/CVERecord?id=CVE-2024-27082 https://github.com/Cacti/cacti/security/advisories/GHSA-j868-7vjp-rp9h -- You are receiving this mail because: You are on the CC list for the bug.

1 4

[Bug 1224229] New: VUL-0: CVE-2024-25641: cacti: arbitrary file write vulnerability in the "Package Import" feature
by bugzilla_noreply＠suse.com 02 Sep '24

02 Sep '24

https://bugzilla.suse.com/show_bug.cgi?id=1224229 Bug ID: 1224229 Summary: VUL-0: CVE-2024-25641: cacti: arbitrary file write vulnerability in the "Package Import" feature Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other URL: https://smash.suse.de/issue/405057/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: Andreas.Stieger(a)gmx.de Reporter: smash_bz(a)suse.de QA Contact: security-team(a)suse.de CC: camila.matos(a)suse.com Target Milestone: --- Found By: Security Response Team Blocker: --- Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, an arbitrary file write vulnerability, exploitable through the "Package Import" feature, allows authenticated users having the "Import Templates" permission to execute arbitrary PHP code on the web server. The vulnerability is located within the `import_package()` function defined into the `/lib/import.php` script. The function blindly trusts the filename and file content provided within the XML data, and writes such files into the Cacti base path (or even outside, since path traversal sequences are not filtered). This can be exploited to write or overwrite arbitrary files on the web server, leading to execution of arbitrary PHP code or other security impacts. Version 1.2.27 contains a patch for this issue. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-25641 https://www.cve.org/CVERecord?id=CVE-2024-25641 https://github.com/Cacti/cacti/commit/eff35b0ff26cc27c82d7880469ed6d5e3bef6… https://github.com/Cacti/cacti/security/advisories/GHSA-7cmj-g5qc-pj88 -- You are receiving this mail because: You are on the CC list for the bug.

1 4

[Bug 1226615] New: python3-pyside2 stuck with ancient llvm build requirement
by bugzilla_noreply＠suse.com 02 Sep '24

02 Sep '24

https://bugzilla.suse.com/show_bug.cgi?id=1226615 Bug ID: 1226615 Summary: python3-pyside2 stuck with ancient llvm build requirement Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: KDE Applications Assignee: opensuse-kde-bugs(a)opensuse.org Reporter: rguenther(a)suse.com QA Contact: qa-bugs(a)suse.de Target Milestone: --- Found By: --- Blocker: --- python3-pyside2 requires llvm15 (or llvm14 on SLE) as one of the very few packages still hanging onto this old and unsupported version of LLVM. There is a new upstream version (5.15.14), but I don't know whether this changes the situation. -- You are receiving this mail because: You are on the CC list for the bug.

1 4

[Bug 1215641] New: XDG Portal File Picker not working on latest snapshot
by bugzilla_noreply＠suse.com 02 Sep '24

02 Sep '24

https://bugzilla.suse.com/show_bug.cgi?id=1215641 Bug ID: 1215641 Summary: XDG Portal File Picker not working on latest snapshot Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Usability Assignee: screening-team-bugs(a)suse.de Reporter: socvirnyl.estela(a)gmail.com QA Contact: qa-bugs(a)suse.de Target Milestone: --- Found By: --- Blocker: --- Snapshot 20230921 has a bug where a user cannot open a filechooser/filepicker. A snippet of the log through `journalctl -f` is shown below: ``` Sep 24 12:29:37 sentient-slate firefox-bin[3253]: Server is missing xdg_foreign support Sep 24 12:29:37 sentient-slate firefox-bin[3253]: Failed to export handle, could not set transient for Sep 24 12:29:37 sentient-slate firefox-bin[3253]: Can't open portal file chooser: GDBus.Error:org.freedesktop.DBus.Error.UnknownMethod: No such interface “org.freedesktop.portal.FileChooser” on object at path /org/freedesktop/portal/desktop ``` I have to rollback for now to a previous snapshot. -- You are receiving this mail because: You are on the CC list for the bug.

1 18

[Bug 1226118] New: Salt "The django returner is broken and deprecated, and will be removed after 2024-01-01"
by bugzilla_noreply＠suse.com 01 Sep '24

01 Sep '24

https://bugzilla.suse.com/show_bug.cgi?id=1226118 Bug ID: 1226118 Summary: Salt "The django returner is broken and deprecated, and will be removed after 2024-01-01" Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.5 Hardware: Other OS: openSUSE Leap 15.5 Status: NEW Severity: Normal Priority: P5 - None Component: Salt Assignee: salt-maintainers(a)suse.de Reporter: georg.pfuetzenreuter(a)suse.com QA Contact: qa-bugs(a)suse.de Target Milestone: --- Found By: --- Blocker: --- Hi, setting ``` master_job_cache: redis job_cache_store_endtime: True ``` in the master configuration causes some runner commands to return: ``` salt-run mine.get witch1.infra.opensuse.org roles [ERROR ] Exception raised when processing __virtual__ function for salt.loaded.int.returner.django_return. Module will not be loaded: The django returner is broken and deprecated, and will be removed after 2024-01-01. This warning(now exception) triggered on filename '/usr/lib/python3.6/site-packages/salt/returners/django_return.py', line number 61, is supposed to be shown until 2024-01-01. Today is 2024-06-09. Please remove the warning. [WARNING ] salt.loaded.int.returner.django_return.__virtual__() is wrongly returning `None`. It should either return `True`, `False` or a new name. If you're the developer of the module 'django_return', please fix this. witch1.infra.opensuse.org: # expected mine results show up ``` ``` $ rpm -q salt-master salt-master-3006.0-150500.4.35.1.x86_64 ``` Hotpatch is changing `20240101` to `20250101` in `/usr/lib/python3.6/site-packages/salt/returners/django_return.py`. Upstream no longer ship the Django returner at all, but the patch removing it is rather big: https://github.com/saltstack/salt/commit/3b24505b3a344cf6a0fa16428090e8ad74…. Not sure if that is feasible to backport or too breaking of a change. Best, Georg -- You are receiving this mail because: You are on the CC list for the bug.

1 3

[Bug 1227111] New: KDE Plasma freezes when restoring from hibernation
by bugzilla_noreply＠suse.com 01 Sep '24

01 Sep '24

https://bugzilla.suse.com/show_bug.cgi?id=1227111 Bug ID: 1227111 Summary: KDE Plasma freezes when restoring from hibernation Classification: openSUSE Product: openSUSE Tumbleweed Version: Slowroll Hardware: x86-64 OS: openSUSE Tumbleweed Status: NEW Severity: Normal Priority: P5 - None Component: Kernel Assignee: kernel-bugs(a)opensuse.org Reporter: heitormoreira(a)yahoo.com.br QA Contact: qa-bugs(a)suse.de Target Milestone: --- Found By: --- Blocker: --- Created attachment 875725 --> https://bugzilla.suse.com/attachment.cgi?id=875725&action=edit Environment information I frequently put my PC to sleep and hibernate. For at least two, times in last 20 days, KDE Plasma frozen in lock "screensaver mode" screen when restoring. The virtual terminal (TTY) still working normally while Plasma is frozen. I tried to restart Plasma (systemctl --user restart plasma-plasmashell.service), but execution timed out. A regular reboot make things back to normal. -- You are receiving this mail because: You are on the CC list for the bug.

1 7

[Bug 1228275] New: i915 0000:00:02.0: [drm] *ERROR* Unexpected DE Misc interrupt: 0x00080000
by bugzilla_noreply＠suse.com 31 Aug '24

31 Aug '24

https://bugzilla.suse.com/show_bug.cgi?id=1228275 Bug ID: 1228275 Summary: i915 0000:00:02.0: [drm] *ERROR* Unexpected DE Misc interrupt: 0x00080000 Classification: openSUSE Product: openSUSE Tumbleweed Version: Slowroll Hardware: x86-64 OS: openSUSE Tumbleweed Status: NEW Severity: Normal Priority: P5 - None Component: Kernel Assignee: kernel-bugs(a)opensuse.org Reporter: opensuse(a)mike.franken.de QA Contact: qa-bugs(a)suse.de Target Milestone: --- Found By: --- Blocker: --- Starting with kernel 6.9.9 I got the error message from the subject about every two minutes. I found the setting i915.enable_dc=0 as a workaround, which stopped the error messages on my system, too, but a more permanent solution would be great. System is Operating System: openSUSE Tumbleweed 20240716 KDE Plasma Version: 6.1.2 KDE Frameworks Version: 6.4.0 Qt Version: 6.7.2 Kernel Version: 6.9.9-1-default (64-bit) Graphics Platform: X11 Processors: 8 × 11th Gen Intel® Core™ i7-1165G7 @ 2.80GHz Memory: 15,0 GiB of RAM Graphics Processor: Mesa Intel® Xe Graphics Manufacturer: Dell Inc. Product Name: XPS 13 9310 2-in-1 -- You are receiving this mail because: You are on the CC list for the bug.

1 2

[Bug 1213162] New: kf.kio.core: Invalid URL: QUrl("//@/<smtp>.xfb")
by bugzilla_noreply＠suse.com 31 Aug '24

31 Aug '24

https://bugzilla.suse.com/show_bug.cgi?id=1213162 Bug ID: 1213162 Summary: kf.kio.core: Invalid URL: QUrl("//@/<smtp>.xfb") Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: x86-64 OS: openSUSE Tumbleweed Status: NEW Severity: Normal Priority: P5 - None Component: KDE Workspace (Plasma) Assignee: opensuse-kde-bugs(a)opensuse.org Reporter: opensuse(a)mike.franken.de QA Contact: qa-bugs(a)suse.de Target Milestone: --- Found By: --- Blocker: --- Starting on 06/272023, probably after installing Tumbleweed snapshot 20230625, I no longer can invite people using korganizer, if the invitation mail address has a format like "lastname, firstname" <opensuse(a)mike.franken.de> "firstname lastname" <opensuse(a)mike.franken.de> "anything" <opensuse(a)mike.franken.de> Using such an address produces the following warning messages in my log: kontact[4212]: kf.kio.core: Invalid URL: QUrl("//@/opensuse@mike.franken.de.xfb") kontact[4212]: kf.kio.core: Invalid URL: QUrl("//@/opensuse@mike.franken.de.ifb") kontact[4212]: kf.kio.core: Invalid URL: QUrl("//@/opensuse@mike.franken.de.vfb") No invitation mail is sent in this case. Using just <opensuse(a)mike.franken.de> works ok. -- You are receiving this mail because: You are on the CC list for the bug.

1 1

[Bug 1227450] New: JeOS-efi-pxe.aarch64 fails to build on 15.5
by bugzilla_noreply＠suse.com 30 Aug '24

30 Aug '24

https://bugzilla.suse.com/show_bug.cgi?id=1227450 Bug ID: 1227450 Summary: JeOS-efi-pxe.aarch64 fails to build on 15.5 Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.5 Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Live Medium Assignee: fvogt(a)suse.com Reporter: fvogt(a)suse.com QA Contact: qa-bugs(a)suse.de Target Milestone: --- Found By: --- Blocker: --- For some reason the image fails to build now because "pgrep" is missing, which is needed indirectly: [ 419s] dracut: dracut module 'network-legacy' will not be installed, because command 'pgrep' could not be found! [ 419s] dracut: 62bluetooth: Could not find any command of '/usr/lib/bluetooth/bluetoothd /usr/libexec/bluetooth/bluetoothd'! [ 419s] dracut: dracut module 'dmraid' will not be installed, because command 'dmraid' could not be found! [ 419s] dracut: dracut module 'network-legacy' will not be installed, because command 'pgrep' could not be found! [ 419s] dracut: dracut module 'network' depends on 'network-legacy', which can't be installed [ 419s] dracut: dracut module 'kiwi-dump' depends on 'network', which can't be installed I don't know which change causes this, but the easiest fix is probably to just add it to the image? -- You are receiving this mail because: You are on the CC list for the bug.

1 7