July 2024 - openSUSE Bugs - openSUSE Mailing Lists

[Bug 1196173] VUL-0: CVE-2022-23632: traefik: TLS configuration falls back to the default configuration that might not correspond to the configured one
by bugzilla_noreply＠suse.com 31 Jul '24

31 Jul '24

https://bugzilla.suse.com/show_bug.cgi?id=1196173 https://bugzilla.suse.com/show_bug.cgi?id=1196173#c2 Johannes Weberhofer <jweberhofer(a)weberhofer.at> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jweberhofer(a)weberhofer.at Resolution|--- |FIXED Status|NEW |RESOLVED --- Comment #2 from Johannes Weberhofer <jweberhofer(a)weberhofer.at> --- Has been resolved long ago with updates -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1227515] New: VUL-0: CVE-2024-39321: traefik: bypassing IP allow-lists via HTTP/3 early data requests in QUIC 0-RTT handshakes
by bugzilla_noreply＠suse.com 31 Jul '24

31 Jul '24

https://bugzilla.suse.com/show_bug.cgi?id=1227515 Bug ID: 1227515 Summary: VUL-0: CVE-2024-39321: traefik: bypassing IP allow-lists via HTTP/3 early data requests in QUIC 0-RTT handshakes Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other URL: https://smash.suse.de/issue/412933/ OS: Other Status: NEW Severity: Major Priority: P5 - None Component: Security Assignee: rbrown(a)suse.com Reporter: smash_bz(a)suse.de QA Contact: security-team(a)suse.de CC: andrea.mattiazzo(a)suse.com Target Milestone: --- Found By: Security Response Team Blocker: --- Traefik is an HTTP reverse proxy and load balancer. Versions prior to 2.11.6, 3.0.4, and 3.1.0-rc3 have a vulnerability that allows bypassing IP allow-lists via HTTP/3 early data requests in QUIC 0-RTT handshakes sent with spoofed IP addresses. Versions 2.11.6, 3.0.4, and 3.1.0-rc3 contain a patch for this issue. No known workarounds are available. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-39321 https://www.cve.org/CVERecord?id=CVE-2024-39321 https://github.com/traefik/traefik/releases/tag/v2.11.6 https://github.com/traefik/traefik/releases/tag/v3.0.4 https://github.com/traefik/traefik/releases/tag/v3.1.0-rc3 https://github.com/traefik/traefik/security/advisories/GHSA-gxrv-wf35-62w9 https://bugzilla.redhat.com/show_bug.cgi?id=2296009 -- You are receiving this mail because: You are on the CC list for the bug.

1 4

[Bug 1224384] New: VUL-0: CVE-2024-4068: traefik: the npm package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS)
by bugzilla_noreply＠suse.com 31 Jul '24

31 Jul '24

https://bugzilla.suse.com/show_bug.cgi?id=1224384 Bug ID: 1224384 Summary: VUL-0: CVE-2024-4068: traefik: the npm package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS) Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other URL: https://smash.suse.de/issue/405384/ OS: Other Status: NEW Severity: Major Priority: P5 - None Component: Security Assignee: alexandre.vicenzi(a)suse.com Reporter: smash_bz(a)suse.de QA Contact: security-team(a)suse.de CC: gabriele.sonnu(a)suse.com Target Milestone: --- Found By: Security Response Team Blocker: --- The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-4067 https://www.cve.org/CVERecord?id=CVE-2024-4067 https://devhub.checkmarx.com/cve-details/CVE-2024-4067/ https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0… https://github.com/micromatch/micromatch/issues/243 https://github.com/micromatch/micromatch/pull/247 -- You are receiving this mail because: You are on the CC list for the bug.

1 6

[Bug 1189056] VUL-1: CVE-2021-32813: Traefik is an HTTP reverse proxy and load balancer. Prior to version 2.4.13, there exists a potential header vulnerability in Traefik's handling of the Connection header. Active exploitation of this issue is unlikely,
by bugzilla_noreply＠suse.com 31 Jul '24

31 Jul '24

https://bugzilla.suse.com/show_bug.cgi?id=1189056 https://bugzilla.suse.com/show_bug.cgi?id=1189056#c2 Johannes Weberhofer <jweberhofer(a)weberhofer.at> changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|--- |FIXED CC| |jweberhofer(a)weberhofer.at Status|NEW |RESOLVED --- Comment #2 from Johannes Weberhofer <jweberhofer(a)weberhofer.at> --- Has been fixed with regular updates. -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1224773] NVIDIA KMP: initrd not regenerated on transactional systems using systemd-boot like Aeon >= RC2
by bugzilla_noreply＠suse.com 31 Jul '24

31 Jul '24

https://bugzilla.suse.com/show_bug.cgi?id=1224773 https://bugzilla.suse.com/show_bug.cgi?id=1224773#c51 --- Comment #51 from Alberto Planas Dominguez <aplanas(a)suse.com> --- (In reply to Imo Hester from comment #50) > The initrd file from 30rd Jul (today) is the one which was automatically > generated. However it did not become the initrd of the boot entry: This is very interesting, as the command that generates the initrd is the same that creates the entry. What steps did you used to trigger this bug? For example, when I update the kernel or install a new dracut module I can see the new initrd and the new entry for the new snapshot, pointing to the correct initrd. How can I replicate this? -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1228683] New: apache2 failed to start because of apache2-mod_php 'AH00013: Pre-configuration failed'
by bugzilla_noreply＠suse.com 31 Jul '24

31 Jul '24

https://bugzilla.suse.com/show_bug.cgi?id=1228683 Bug ID: 1228683 Summary: apache2 failed to start because of apache2-mod_php 'AH00013: Pre-configuration failed' Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Apache Assignee: apache-bugs(a)suse.de Reporter: zluo(a)suse.com QA Contact: qa-bugs(a)suse.de Target Milestone: --- Found By: --- Blocker: --- Created attachment 876413 --> https://bugzilla.suse.com/attachment.cgi?id=876413&action=edit yas install Tumbleweed on my RPi3 model B install apache2 with apache2-mod_php8. I got following message: p200300f8471eb2d9589ab694cafa7fe4:/etc/apache2 # systemctl status apache2 × apache2.service - The Apache Webserver Loaded: loaded (/usr/lib/systemd/system/apache2.service; enabled; preset: disabled) Active: failed (Result: exit-code) since Wed 2024-07-31 15:28:56 CEST; 3h 3min ago Process: 5215 ExecStart=/usr/sbin/start_apache2 -DSYSTEMD -DFOREGROUND -k start (code=exited, status=1/FAILURE) Main PID: 5215 (code=exited, status=1/FAILURE) CPU: 460ms Jul 31 15:28:55 p200300f8471eb2d984092d3d703fb57a.dip0.t-ipconnect.de systemd[1]: Starting The Apache Webserver... Jul 31 15:28:56 p200300f8471eb2d984092d3d703fb57a.dip0.t-ipconnect.de start_apache2[5215]: [Wed Jul 31 15:28:56.064815 2024] [php:cri> Jul 31 15:28:56 p200300f8471eb2d984092d3d703fb57a.dip0.t-ipconnect.de start_apache2[5215]: AH00013: Pre-configuration failed Jul 31 15:28:56 p200300f8471eb2d984092d3d703fb57a.dip0.t-ipconnect.de systemd[1]: apache2.service: Main process exited, code=exited, > Jul 31 15:28:56 p200300f8471eb2d984092d3d703fb57a.dip0.t-ipconnect.de systemd[1]: apache2.service: Failed with result 'exit-code'. Jul 31 15:28:56 p200300f8471eb2d984092d3d703fb57a.dip0.t-ipconnect.de systemd[1]: Failed to start The Apache Webserver. check journalctl log: Jul 31 15:28:56 p200300f8471eb2d984092d3d703fb57a.dip0.t-ipconnect.de systemd[1]: Failed to start The Apache Webserver. ░░ Subject: A start job for unit apache2.service has failed ░░ Defined-By: systemd ░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel ░░ ░░ A start job for unit apache2.service has finished with a failure. ░░ ░░ The job identifier is 2925 and the job result is failed. -- After I removed apache2-mod_php8, it can start successfully. attache yast logs. -- You are receiving this mail because: You are on the CC list for the bug.

1 2

[Bug 1228245] Tumbleweed: rng-tools.service start fails with unrecognized option '--fill-watermark=3700'
by bugzilla_noreply＠suse.com 31 Jul '24

31 Jul '24

https://bugzilla.suse.com/show_bug.cgi?id=1228245 https://bugzilla.suse.com/show_bug.cgi?id=1228245#c2 Andreas Stieger <Andreas.Stieger(a)gmx.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|CONFIRMED |IN_PROGRESS --- Comment #2 from Andreas Stieger <Andreas.Stieger(a)gmx.de> --- https://build.opensuse.org/request/show/1190786 -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1206731] VUL-0: CVE-2021-4238: rio, terraform, traefik1.7, terraform-provider-openstack: Masterminds/goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be
by bugzilla_noreply＠suse.com 31 Jul '24

31 Jul '24

https://bugzilla.suse.com/show_bug.cgi?id=1206731 https://bugzilla.suse.com/show_bug.cgi?id=1206731#c3 Johannes Weberhofer <jweberhofer(a)weberhofer.at> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jweberhofer(a)weberhofer.at Status|NEW |RESOLVED Resolution|--- |WONTFIX --- Comment #3 from Johannes Weberhofer <jweberhofer(a)weberhofer.at> --- Leap 15.4 is in EOL state. -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1194645] test fails in rootless_podman on RPi3
by bugzilla_noreply＠suse.com 31 Jul '24

31 Jul '24

https://bugzilla.suse.com/show_bug.cgi?id=1194645 https://bugzilla.suse.com/show_bug.cgi?id=1194645#c4 Alexandre Vicenzi <alexandre.vicenzi(a)suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|containers-bugowner(a)suse.de |alexandre.vicenzi(a)suse.com Status|NEW |RESOLVED Resolution|--- |INVALID CC| |alexandre.vicenzi(a)suse.com, | |containers-bugowner(a)suse.de --- Comment #4 from Alexandre Vicenzi <alexandre.vicenzi(a)suse.com> --- This behavior is expected and running the command currently warns about it: WARN[0000] The cgroupv2 manager is set to systemd but there is no systemd user session available WARN[0000] For using systemd, you may need to log in using a user session WARN[0000] Alternatively, you can enable lingering with: `loginctl enable-linger 1001` (possibly as root) WARN[0000] Falling back to --cgroup-manager=cgroupfs There's a KB [1] about this behavior, and the solution is to log in directly as the user (as Fabian suggested), or alternatively execute loginctl (as Dan suggested). [1]: https://www.suse.com/support/kb/doc/?id=000021071 -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1127610] package unbound-anchor installation error
by bugzilla_noreply＠suse.com 31 Jul '24

31 Jul '24

https://bugzilla.suse.com/show_bug.cgi?id=1127610 Stefano Torresi <stefano.torresi(a)suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |stefano.torresi(a)suse.com Assignee|rtorreromarijnissen(a)suse.co |screening-team-bugs(a)suse.de |m | -- You are receiving this mail because: You are on the CC list for the bug.

1 0