September 2024 - openSUSE Bugs - openSUSE Mailing Lists

[Bug 1230007] [Possibly firmware bug] openSUSE Tumbleweed doesen't boot properly after 20240830 snapshot
by bugzilla_noreply＠suse.com 03 Sep '24

03 Sep '24

https://bugzilla.suse.com/show_bug.cgi?id=1230007 https://bugzilla.suse.com/show_bug.cgi?id=1230007#c4 Takashi Iwai <tiwai(a)suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |egor.kuznetsov.26(a)gmail.com | |, tiwai(a)suse.com Flags| |needinfo?(egor.kuznetsov.26 | |(a)gmail.com) --- Comment #4 from Takashi Iwai <tiwai(a)suse.com> --- Could you try to downgrade kernel-firmware-* packages from TW history repo? http://download.opensuse.org/history/ You can boot with nomodeset option so that it boots without native graphics, then downgrade packages, and retest. -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1225969] New: kdig in knot does not support DoH(+https) query
by bugzilla_noreply＠suse.com 03 Sep '24

03 Sep '24

https://bugzilla.suse.com/show_bug.cgi?id=1225969 Bug ID: 1225969 Summary: kdig in knot does not support DoH(+https) query Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: x86-64 OS: openSUSE Tumbleweed Status: NEW Severity: Normal Priority: P5 - None Component: Network Assignee: screening-team-bugs(a)suse.de Reporter: smbd.jp(a)gmail.com QA Contact: qa-bugs(a)suse.de Target Milestone: --- Found By: --- Blocker: --- An upstream kdig supports DoH(DNS over HTTPS) query and its option is "+https". But, SuSE's does not. Please enable it. --- upstream$ kdig +https @8.8.8.8 www.google.com ;; TLS session (TLS1.3)-(ECDHE-X25519)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM) ;; HTTP session (HTTP/2-POST)-(8.8.8.8/dns-query)-(status: 200) ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 0 ;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1 ;; EDNS PSEUDOSECTION: ;; Version: 0; flags: ; UDP size: 512 B; ext-rcode: NOERROR ;; PADDING: 405 B ;; QUESTION SECTION: ;; www.google.com. IN A ;; ANSWER SECTION: www.google.com. 300 IN A 142.250.207.4 ;; Received 468 B ;; Time 2024-06-05 11:17:21 JST ;; From 8.8.8.8@443(HTTPS) in 56.9 ms upstream$ kdig --help | grep https +[no]https[=URL] Use HTTPS protocol. It's also possible to specify +[no]https-get Use HTTPS protocol with GET method instead of POST. upstream$ $ ldd /usr/bin/kdig|grep http libnghttp2.so.14 => /usr/lib64/libnghttp2.so.14 (0x00007f1912178000) --- suse$ kdig +https @8.8.8.8 www.google.com Usage: kdig [-4] [-6] [-d] [-b address] [-c class] [-p port] [-q name] [-t type] [-x address] [-k keyfile] [-y [algo:]keyname:key] [-E tapfile] [-G tapfile] name [type] [class] [@server] +[no]multiline Wrap long records to more lines. +[no]short Show record data only. (snip) suse$ kdig --help | grep https (not match) suse$ ldd /usr/bin/kdig|grep http (not match) -- You are receiving this mail because: You are on the CC list for the bug.

1 3

[Bug 1228621] [Build 9.32] openSUSE agama live installer iso failed to boot for dracut report error and entered emergency mode
by bugzilla_noreply＠suse.com 03 Sep '24

03 Sep '24

https://bugzilla.suse.com/show_bug.cgi?id=1228621 https://bugzilla.suse.com/show_bug.cgi?id=1228621#c23 --- Comment #23 from Lemon Li <leli(a)suse.com> --- (In reply to Imobach Gonzalez Sosa from comment #22) > Thank you, Thomas. We have merged and submitted the fix to OBS. > https://build.opensuse.org/package/show/systemsmanagement:Agama:Devel/agama- > installer does not have an images.sh file anymore. > > I guess we can close this bug, right? Yes, on latest build 13.2, this issue fixed https://openqa.opensuse.org/tests/4450480#step/agama/1. -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1229980] [backintime] Cannot open encrypted backup disk - segfault after reading ".encfs6.xml"
by bugzilla_noreply＠suse.com 03 Sep '24

03 Sep '24

https://bugzilla.suse.com/show_bug.cgi?id=1229980 https://bugzilla.suse.com/show_bug.cgi?id=1229980#c1 Arun Persaud <arun(a)gmx.de> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |arun(a)gmx.de Resolution|--- |DUPLICATE Status|NEW |RESOLVED --- Comment #1 from Arun Persaud <arun(a)gmx.de> --- Looks like a duplicate of bug 1229933 (encfs segfaults in recent snapshots) *** This bug has been marked as a duplicate of bug 1229933 *** -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1224241] VUL-0: CVE-2024-34340: cacti: Authentication Bypass when using using older password hashes
by bugzilla_noreply＠suse.com 02 Sep '24

02 Sep '24

https://bugzilla.suse.com/show_bug.cgi?id=1224241 https://bugzilla.suse.com/show_bug.cgi?id=1224241#c6 --- Comment #6 from Marcus Meissner <meissner(a)suse.com> --- openSUSE-SU-2024:0276-1: An update that fixes 10 vulnerabilities is now available. Category: security (important) Bug References: 1224229,1224230,1224231,1224235,1224236,1224237,1224238,1224239,1224240,1224241 CVE References: CVE-2024-25641,CVE-2024-27082,CVE-2024-29894,CVE-2024-31443,CVE-2024-31444,CVE-2024-31445,CVE-2024-31458,CVE-2024-31459,CVE-2024-31460,CVE-2024-34340 JIRA References: Sources used: openSUSE Backports SLE-15-SP6 (src): cacti-1.2.27-bp156.2.3.1, cacti-spine-1.2.27-bp156.2.3.1 -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1224240] VUL-0: CVE-2024-31458: cacti: SQL Injection vulnerability when using form templates
by bugzilla_noreply＠suse.com 02 Sep '24

02 Sep '24

https://bugzilla.suse.com/show_bug.cgi?id=1224240 https://bugzilla.suse.com/show_bug.cgi?id=1224240#c6 --- Comment #6 from Marcus Meissner <meissner(a)suse.com> --- openSUSE-SU-2024:0276-1: An update that fixes 10 vulnerabilities is now available. Category: security (important) Bug References: 1224229,1224230,1224231,1224235,1224236,1224237,1224238,1224239,1224240,1224241 CVE References: CVE-2024-25641,CVE-2024-27082,CVE-2024-29894,CVE-2024-31443,CVE-2024-31444,CVE-2024-31445,CVE-2024-31458,CVE-2024-31459,CVE-2024-31460,CVE-2024-34340 JIRA References: Sources used: openSUSE Backports SLE-15-SP6 (src): cacti-1.2.27-bp156.2.3.1, cacti-spine-1.2.27-bp156.2.3.1 -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1224239] New: VUL-0: CVE-2024-31460: cacti: SQL injection vulnerability when using tree rules through Automation API
by bugzilla_noreply＠suse.com 02 Sep '24

02 Sep '24

https://bugzilla.suse.com/show_bug.cgi?id=1224239 Bug ID: 1224239 Summary: VUL-0: CVE-2024-31460: cacti: SQL injection vulnerability when using tree rules through Automation API Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other URL: https://smash.suse.de/issue/405132/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: Andreas.Stieger(a)gmx.de Reporter: smash_bz(a)suse.de QA Contact: security-team(a)suse.de CC: camila.matos(a)suse.com Target Milestone: --- Found By: Security Response Team Blocker: --- Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, some of the data stored in `automation_tree_rules.php` is not thoroughly checked and is used to concatenate the SQL statement in `create_all_header_nodes()` function from `lib/api_automation.php` , finally resulting in SQL injection. Using SQL based secondary injection technology, attackers can modify the contents of the Cacti database, and based on the modified content, it may be possible to achieve further impact, such as arbitrary file reading, and even remote code execution through arbitrary file writing. Version 1.2.27 contains a patch for the issue. References: https://github.com/Cacti/cacti/security/advisories/GHSA-cx8g-hvq8-p2rv https://github.com/Cacti/cacti/security/advisories/GHSA-gj3f-p326-gh8r http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-31460 https://www.cve.org/CVERecord?id=CVE-2024-31460 -- You are receiving this mail because: You are on the CC list for the bug.

1 3

[Bug 1224238] New: VUL-0: CVE-2024-31459: cacti: file inclusion issue in the `lib/plugin.php` file
by bugzilla_noreply＠suse.com 02 Sep '24

02 Sep '24

https://bugzilla.suse.com/show_bug.cgi?id=1224238 Bug ID: 1224238 Summary: VUL-0: CVE-2024-31459: cacti: file inclusion issue in the `lib/plugin.php` file Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other URL: https://smash.suse.de/issue/405131/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: Andreas.Stieger(a)gmx.de Reporter: smash_bz(a)suse.de QA Contact: security-team(a)suse.de CC: camila.matos(a)suse.com Target Milestone: --- Found By: Security Response Team Blocker: --- Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, there is a file inclusion issue in the `lib/plugin.php` file. Combined with SQL injection vulnerabilities, remote code execution can be implemented. There is a file inclusion issue with the `api_plugin_hook()` function in the `lib/plugin.php` file, which reads the plugin_hooks and plugin_config tables in database. The read data is directly used to concatenate the file path which is used for file inclusion. Version 1.2.27 contains a patch for the issue. References: https://github.com/Cacti/cacti/security/advisories/GHSA-pfh9-gwm6-86vp http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-31459 https://www.cve.org/CVERecord?id=CVE-2024-31459 https://github.com/Cacti/cacti/security/advisories/GHSA-cx8g-hvq8-p2rv https://github.com/Cacti/cacti/security/advisories/GHSA-gj3f-p326-gh8r -- You are receiving this mail because: You are on the CC list for the bug.

1 4

[Bug 1224237] New: VUL-0: CVE-2024-31445: cacti: SQL injection vulnerability when retrieving graphs using Automation API
by bugzilla_noreply＠suse.com 02 Sep '24

02 Sep '24

https://bugzilla.suse.com/show_bug.cgi?id=1224237 Bug ID: 1224237 Summary: VUL-0: CVE-2024-31445: cacti: SQL injection vulnerability when retrieving graphs using Automation API Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other URL: https://smash.suse.de/issue/405129/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: Andreas.Stieger(a)gmx.de Reporter: smash_bz(a)suse.de QA Contact: security-team(a)suse.de CC: camila.matos(a)suse.com Target Milestone: --- Found By: Security Response Team Blocker: --- Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, a SQL injection vulnerability in `automation_get_new_graphs_sql` function of `api_automation.php` allows authenticated users to exploit these SQL injection vulnerabilities to perform privilege escalation and remote code execution. In `api_automation.php` line 856, the `get_request_var('filter')` is being concatenated into the SQL statement without any sanitization. In `api_automation.php` line 717, The filter of `'filter'` is `FILTER_DEFAULT`, which means there is no filter for it. Version 1.2.27 contains a patch for the issue. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-31445 https://www.cve.org/CVERecord?id=CVE-2024-31445 https://github.com/Cacti/cacti/blob/501712998589763d411a68d35e3cda98fd9cfd1… https://github.com/Cacti/cacti/blob/501712998589763d411a68d35e3cda98fd9cfd1… https://github.com/Cacti/cacti/commit/fd93c6e47651958b77c3bbe6a01fff695f81e… https://github.com/Cacti/cacti/security/advisories/GHSA-vjph-r677-6pcc -- You are receiving this mail because: You are on the CC list for the bug.

1 3

[Bug 1224236] New: VUL-0: CVE-2024-31444: cacti: cross-site scripting vulnerability when reading tree rules with Automation API
by bugzilla_noreply＠suse.com 02 Sep '24

02 Sep '24

https://bugzilla.suse.com/show_bug.cgi?id=1224236 Bug ID: 1224236 Summary: VUL-0: CVE-2024-31444: cacti: cross-site scripting vulnerability when reading tree rules with Automation API Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other URL: https://smash.suse.de/issue/405128/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: Andreas.Stieger(a)gmx.de Reporter: smash_bz(a)suse.de QA Contact: security-team(a)suse.de CC: camila.matos(a)suse.com Target Milestone: --- Found By: Security Response Team Blocker: --- Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, some of the data stored in `automation_tree_rules_form_save()` function in `automation_tree_rules.php` is not thoroughly checked and is used to concatenate the HTML statement in `form_confirm()` function from `lib/html.php` , finally resulting in cross-site scripting. Version 1.2.27 contains a patch for the issue. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-31444 https://www.cve.org/CVERecord?id=CVE-2024-31444 https://github.com/Cacti/cacti/security/advisories/GHSA-p4ch-7hjw-6m87 -- You are receiving this mail because: You are on the CC list for the bug.

1 3