September 2024 - openSUSE Bugs - openSUSE Mailing Lists

[Bug 1224236] New: VUL-0: CVE-2024-31444: cacti: cross-site scripting vulnerability when reading tree rules with Automation API
by bugzilla_noreply＠suse.com 03 Sep '24

03 Sep '24

https://bugzilla.suse.com/show_bug.cgi?id=1224236 Bug ID: 1224236 Summary: VUL-0: CVE-2024-31444: cacti: cross-site scripting vulnerability when reading tree rules with Automation API Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other URL: https://smash.suse.de/issue/405128/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: Andreas.Stieger(a)gmx.de Reporter: smash_bz(a)suse.de QA Contact: security-team(a)suse.de CC: camila.matos(a)suse.com Target Milestone: --- Found By: Security Response Team Blocker: --- Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, some of the data stored in `automation_tree_rules_form_save()` function in `automation_tree_rules.php` is not thoroughly checked and is used to concatenate the HTML statement in `form_confirm()` function from `lib/html.php` , finally resulting in cross-site scripting. Version 1.2.27 contains a patch for the issue. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-31444 https://www.cve.org/CVERecord?id=CVE-2024-31444 https://github.com/Cacti/cacti/security/advisories/GHSA-p4ch-7hjw-6m87 -- You are receiving this mail because: You are on the CC list for the bug.

1 3

[Bug 1224235] New: VUL-0: CVE-2024-31443: cacti: cross-site scripting vulnerability when managing data queries
by bugzilla_noreply＠suse.com 03 Sep '24

03 Sep '24

https://bugzilla.suse.com/show_bug.cgi?id=1224235 Bug ID: 1224235 Summary: VUL-0: CVE-2024-31443: cacti: cross-site scripting vulnerability when managing data queries Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other URL: https://smash.suse.de/issue/405127/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: Andreas.Stieger(a)gmx.de Reporter: smash_bz(a)suse.de QA Contact: security-team(a)suse.de CC: camila.matos(a)suse.com Target Milestone: --- Found By: Security Response Team Blocker: --- Cacti provides an operational monitoring and fault management framework. Prior to 1.2.27, some of the data stored in `form_save()` function in `data_queries.php` is not thoroughly checked and is used to concatenate the HTML statement in `grow_right_pane_tree()` function from `lib/html.php` , finally resulting in cross-site scripting. Version 1.2.27 contains a patch for the issue. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-31443 https://www.cve.org/CVERecord?id=CVE-2024-31443 https://github.com/Cacti/cacti/commit/f946fa537d19678f938ddbd784a10e3290d27… https://github.com/Cacti/cacti/security/advisories/GHSA-rqc8-78cm-85j3 -- You are receiving this mail because: You are on the CC list for the bug.

1 3

[Bug 1224231] New: VUL-0: CVE-2024-29894: cacti: residual cross-site scripting vulnerability caused by incomplete fix
by bugzilla_noreply＠suse.com 03 Sep '24

03 Sep '24

https://bugzilla.suse.com/show_bug.cgi?id=1224231 Bug ID: 1224231 Summary: VUL-0: CVE-2024-29894: cacti: residual cross-site scripting vulnerability caused by incomplete fix Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other URL: https://smash.suse.de/issue/405104/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: Andreas.Stieger(a)gmx.de Reporter: smash_bz(a)suse.de QA Contact: security-team(a)suse.de CC: camila.matos(a)suse.com Target Milestone: --- Found By: Security Response Team Blocker: --- Cacti provides an operational monitoring and fault management framework. Versions of Cacti prior to 1.2.27 contain a residual cross-site scripting vulnerability caused by an incomplete fix for CVE-2023-50250. `raise_message_javascript` from `lib/functions.php` now uses purify.js to fix CVE-2023-50250 (among others). However, it still generates the code out of unescaped PHP variables `$title` and `$header`. If those variables contain single quotes, they can be used to inject JavaScript code. An attacker exploiting this vulnerability could execute actions on behalf of other users. This ability to impersonate users could lead to unauthorized changes to settings. Version 1.2.27 fixes this issue. References: https://github.com/Cacti/cacti/security/advisories/GHSA-xwqc-7jc4-xm73 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-29894 https://www.cve.org/CVERecord?id=CVE-2024-29894 https://github.com/Cacti/cacti/security/advisories/GHSA-grj5-8fcj-34gh -- You are receiving this mail because: You are on the CC list for the bug.

1 4

[Bug 1224230] New: VUL-0: CVE-2024-27082: cacti: stored cross-site scripting vulnerability when managing trees
by bugzilla_noreply＠suse.com 03 Sep '24

03 Sep '24

https://bugzilla.suse.com/show_bug.cgi?id=1224230 Bug ID: 1224230 Summary: VUL-0: CVE-2024-27082: cacti: stored cross-site scripting vulnerability when managing trees Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other URL: https://smash.suse.de/issue/405061/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: Andreas.Stieger(a)gmx.de Reporter: smash_bz(a)suse.de QA Contact: security-team(a)suse.de CC: camila.matos(a)suse.com Target Milestone: --- Found By: Security Response Team Blocker: --- Cacti provides an operational monitoring and fault management framework. Versions of Cacti prior to 1.2.27 are vulnerable to stored cross-site scripting, a type of cross-site scripting where malicious scripts are permanently stored on a target server and served to users who access a particular page. Version 1.2.27 contains a patch for the issue. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-27082 https://www.cve.org/CVERecord?id=CVE-2024-27082 https://github.com/Cacti/cacti/security/advisories/GHSA-j868-7vjp-rp9h -- You are receiving this mail because: You are on the CC list for the bug.

1 4

[Bug 1224229] New: VUL-0: CVE-2024-25641: cacti: arbitrary file write vulnerability in the "Package Import" feature
by bugzilla_noreply＠suse.com 03 Sep '24

03 Sep '24

https://bugzilla.suse.com/show_bug.cgi?id=1224229 Bug ID: 1224229 Summary: VUL-0: CVE-2024-25641: cacti: arbitrary file write vulnerability in the "Package Import" feature Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other URL: https://smash.suse.de/issue/405057/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: Andreas.Stieger(a)gmx.de Reporter: smash_bz(a)suse.de QA Contact: security-team(a)suse.de CC: camila.matos(a)suse.com Target Milestone: --- Found By: Security Response Team Blocker: --- Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, an arbitrary file write vulnerability, exploitable through the "Package Import" feature, allows authenticated users having the "Import Templates" permission to execute arbitrary PHP code on the web server. The vulnerability is located within the `import_package()` function defined into the `/lib/import.php` script. The function blindly trusts the filename and file content provided within the XML data, and writes such files into the Cacti base path (or even outside, since path traversal sequences are not filtered). This can be exploited to write or overwrite arbitrary files on the web server, leading to execution of arbitrary PHP code or other security impacts. Version 1.2.27 contains a patch for this issue. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-25641 https://www.cve.org/CVERecord?id=CVE-2024-25641 https://github.com/Cacti/cacti/commit/eff35b0ff26cc27c82d7880469ed6d5e3bef6… https://github.com/Cacti/cacti/security/advisories/GHSA-7cmj-g5qc-pj88 -- You are receiving this mail because: You are on the CC list for the bug.

1 4

[Bug 1214167] OBS: nothing provides lzip
by bugzilla_noreply＠suse.com 02 Sep '24

02 Sep '24

https://bugzilla.suse.com/show_bug.cgi?id=1214167 https://bugzilla.suse.com/show_bug.cgi?id=1214167#c5 Dirk Mueller <dmueller(a)suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|--- |FIXED Status|IN_PROGRESS |RESOLVED --- Comment #5 from Dirk Mueller <dmueller(a)suse.com> --- was added for SP6 and SLE16/ALP/LeoNG/SLFO/yougettheidea -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1229672] VUL-0: CVE-2024-43785: gitoxide: newlines, backspaces and control characters that appear in metadata written to terminals are not neutralized
by bugzilla_noreply＠suse.com 02 Sep '24

02 Sep '24

https://bugzilla.suse.com/show_bug.cgi?id=1229672 https://bugzilla.suse.com/show_bug.cgi?id=1229672#c3 --- Comment #3 from OBSbugzilla Bot <bwiedemann+obsbugzillabot(a)suse.com> --- This is an autogenerated message for OBS integration: This bug (1229672) was mentioned in https://build.opensuse.org/request/show/1198385 Factory / gitoxide -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1230000] The NVIDIA driver was unable to open 'libnvidia-glvkspirv.so.470.256.02'. This library is required at run time.
by bugzilla_noreply＠suse.com 02 Sep '24

02 Sep '24

https://bugzilla.suse.com/show_bug.cgi?id=1230000 https://bugzilla.suse.com/show_bug.cgi?id=1230000#c8 Stefan Dirsch <sndirsch(a)suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(zombie.ryushu@zoh | |o.com) | --- Comment #8 from Stefan Dirsch <sndirsch(a)suse.com> --- Oh well. Then this is really a confusing message. -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1230004] Can't change the hostname via gnome-control-center
by bugzilla_noreply＠suse.com 02 Sep '24

02 Sep '24

https://bugzilla.suse.com/show_bug.cgi?id=1230004 https://bugzilla.suse.com/show_bug.cgi?id=1230004#c9 --- Comment #9 from Müller <hotel-brot.0z(a)icloud.com> --- hmm selinux on permissive doesn't seem to solve the problem. i can't find any logs with semodule or ausearch either. sorry for the misunderstandings, i was sure selinux is the problem when i saw gnome-control-center in combination with hostname in the audit.logs -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1229794] New: xembedsniproxy regularly dumping core
by bugzilla_noreply＠suse.com 02 Sep '24

02 Sep '24

https://bugzilla.suse.com/show_bug.cgi?id=1229794 Bug ID: 1229794 Summary: xembedsniproxy regularly dumping core Classification: openSUSE Product: openSUSE Tumbleweed Version: Slowroll Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: KDE Workspace (Plasma) Assignee: opensuse-kde-bugs(a)opensuse.org Reporter: opensuse(a)mike.franken.de QA Contact: qa-bugs(a)suse.de Target Milestone: --- Found By: --- Blocker: --- Starting with Tumbleweed snapshot 20240808 xembedsniproxy is regularly dumping core: Aug 09 22:18:41 client kernel: xembedsniproxy[4086]: segfault at 10 ip 00007ff147f261a0 sp 00007ffe1877cb78 error 4 in libxcb.so.1.1.0[131a0,7ff147f20000+14000] likely on CPU 2 (core 2, socket 0) Aug 11 17:39:38 client kernel: xembedsniproxy[34868]: segfault at 10 ip 00007fe1afca31a0 sp 00007ffc442a88d8 error 4 in libxcb.so.1.1.0[131a0,7fe1afc9d000+14000] likely on CPU 7 (core 3, socket 0) Aug 11 20:51:31 client kernel: xembedsniproxy[25009]: segfault at 10 ip 00007fc5bbe431a0 sp 00007ffd2a725518 error 4 in libxcb.so.1.1.0[131a0,7fc5bbe3d000+14000] likely on CPU 5 (core 1, socket 0) Aug 12 17:22:59 client kernel: xembedsniproxy[36343]: segfault at 10 ip 00007fa0bdc381a0 sp 00007ffc7147d638 error 4 in libxcb.so.1.1.0[131a0,7fa0bdc32000+14000] likely on CPU 4 (core 0, socket 0) Aug 12 19:41:22 client kernel: xembedsniproxy[110394]: segfault at 10 ip 00007f42156981a0 sp 00007ffc4a30ef18 error 4 in libxcb.so.1.1.0[131a0,7f4215692000+14000] likely on CPU 4 (core 0, socket 0) Aug 14 17:12:00 client kernel: xembedsniproxy[4111]: segfault at 10 ip 00007f511697f1a0 sp 00007ffc2be88998 error 4 in libxcb.so.1.1.0[131a0,7f5116979000+14000] likely on CPU 5 (core 1, socket 0) Aug 14 20:06:24 client kernel: xembedsniproxy[31810]: segfault at 10 ip 00007f4a9200d1a0 sp 00007ffe6cadc938 error 4 in libxcb.so.1.1.0[131a0,7f4a92007000+14000] likely on CPU 2 (core 2, socket 0) Aug 17 20:32:38 client kernel: xembedsniproxy[9038]: segfault at 10 ip 00007fd1599e31a0 sp 00007ffe39dcf538 error 4 in libxcb.so.1.1.0[131a0,7fd1599dd000+14000] likely on CPU 6 (core 2, socket 0) Aug 18 17:13:45 client kernel: xembedsniproxy[81187]: segfault at 10 ip 00007efdd63bb1a0 sp 00007ffdafa497d8 error 4 in libxcb.so.1.1.0[131a0,7efdd63b5000+14000] likely on CPU 0 (core 0, socket 0) Aug 19 16:38:51 client kernel: xembedsniproxy[9319]: segfault at 10 ip 00007ff75b8671a0 sp 00007ffc80f513f8 error 4 in libxcb.so.1.1.0[131a0,7ff75b861000+14000] likely on CPU 5 (core 1, socket 0) Aug 19 20:12:17 client kernel: xembedsniproxy[34672]: segfault at 10 ip 00007f09fdd841a0 sp 00007fff8aaf1978 error 4 in libxcb.so.1.1.0[131a0,7f09fdd7e000+14000] likely on CPU 6 (core 2, socket 0) Aug 19 20:35:03 client kernel: xembedsniproxy[55667]: segfault at 10 ip 00007f4de96a41a0 sp 00007ffd29671558 error 4 in libxcb.so.1.1.0[131a0,7f4de969e000+14000] likely on CPU 7 (core 3, socket 0) Aug 21 18:03:16 client kernel: xembedsniproxy[58090]: segfault at 10 ip 00007fe14d1bf1a0 sp 00007ffe75529158 error 4 in libxcb.so.1.1.0[131a0,7fe14d1b9000+14000] likely on CPU 0 (core 0, socket 0) Aug 22 20:17:53 client kernel: xembedsniproxy[4131]: segfault at 10 ip 00007f6373dc41a0 sp 00007ffe2e2c5a58 error 4 in libxcb.so.1.1.0[131a0,7f6373dbe000+14000] likely on CPU 5 (core 1, socket 0) Aug 23 18:30:02 client kernel: xembedsniproxy[70695]: segfault at 10 ip 00007f68cb07c1a0 sp 00007ffddd78e598 error 4 in libxcb.so.1.1.0[131a0,7f68cb076000+14000] likely on CPU 5 (core 1, socket 0) Aug 24 16:24:05 client kernel: xembedsniproxy[4566]: segfault at 10 ip 00007f237d45b1a0 sp 00007fff7ed34e78 error 4 in libxcb.so.1.1.0[131a0,7f237d455000+14000] likely on CPU 1 (core 1, socket 0) Aug 24 17:28:30 client kernel: xembedsniproxy[30608]: segfault at 10 ip 00007f9ab2acc1a0 sp 00007ffcbd5871d8 error 4 in libxcb.so.1.1.0[131a0,7f9ab2ac6000+14000] likely on CPU 7 (core 3, socket 0) Aug 24 22:03:42 client kernel: xembedsniproxy[37464]: segfault at 10 ip 00007fc6589cb1a0 sp 00007fff5fb71f18 error 4 in libxcb.so.1.1.0[131a0,7fc6589c5000+14000] likely on CPU 3 (core 3, socket 0) Aug 25 14:59:19 client kernel: xembedsniproxy[4226]: segfault at 10 ip 00007f883cdaa1a0 sp 00007ffc86c877f8 error 4 in libxcb.so.1.1.0[131a0,7f883cda4000+14000] likely on CPU 0 (core 0, socket 0) Aug 25 16:26:59 client kernel: xembedsniproxy[23436]: segfault at 10 ip 00007f88ee8a71a0 sp 00007ffc9e33bbf8 error 4 in libxcb.so.1.1.0[131a0,7f88ee8a1000+14000] likely on CPU 4 (core 0, socket 0) Aug 26 16:52:43 client kernel: xembedsniproxy[31733]: segfault at 10 ip 00007f8a39adc1a0 sp 00007ffed69ee3b8 error 4 in libxcb.so.1.1.0[131a0,7f8a39ad6000+14000] likely on CPU 0 (core 0, socket 0) Aug 26 20:47:06 client kernel: xembedsniproxy[114124]: segfault at 10 ip 00007f8804c7f1a0 sp 00007ffd4e2b8f18 error 4 in libxcb.so.1.1.0[131a0,7f8804c79000+14000] likely on CPU 1 (core 1, socket 0) -- You are receiving this mail because: You are on the CC list for the bug.

1 2