- openSUSE Bugs

[Bug 1216991] VUL-0: CVE-2023-47248: python-arrow: Deserialization of untrusted data in IPC and Parquet readers in PyArrow versions 0.14.0 to 14.0.0 allows arbitrary code execution
by bugzilla_noreply＠suse.com 07 Jun '24

07 Jun '24

1 0

[Bug 1226068] New: VUL-0: CVE-2024-37384: roundcubemail: allows XSS via list columns from user preferences.
by bugzilla_noreply＠suse.com 07 Jun '24

07 Jun '24

https://bugzilla.suse.com/show_bug.cgi?id=1226068 Bug ID: 1226068 Summary: VUL-0: CVE-2024-37384: roundcubemail: allows XSS via list columns from user preferences. Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other URL: https://smash.suse.de/issue/409049/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: aj(a)ajaissle.de Reporter: smash_bz(a)suse.de QA Contact: security-team(a)suse.de CC: abergmann(a)suse.com Target Milestone: --- Found By: Security Response Team Blocker: --- Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via list columns from user preferences. References: https://github.com/roundcube/roundcubemail/releases/tag/1.5.7 https://github.com/roundcube/roundcubemail/releases/tag/1.6.7 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-37384 https://www.cve.org/CVERecord?id=CVE-2024-37384 https://github.com/roundcube/roundcubemail/commit/cde4522c5c95f13c6aeeb1600… -- You are receiving this mail because: You are on the CC list for the bug.

1 1

[Bug 1226069] New: VUL-0: CVE-2024-37385: roundcubemail: on Windows allows command injection via im_convert_path and im_identify_path
by bugzilla_noreply＠suse.com 07 Jun '24

07 Jun '24

https://bugzilla.suse.com/show_bug.cgi?id=1226069 Bug ID: 1226069 Summary: VUL-0: CVE-2024-37385: roundcubemail: on Windows allows command injection via im_convert_path and im_identify_path Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other URL: https://smash.suse.de/issue/409050/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: aj(a)ajaissle.de Reporter: smash_bz(a)suse.de QA Contact: security-team(a)suse.de CC: abergmann(a)suse.com Target Milestone: --- Found By: Security Response Team Blocker: --- Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 on Windows allows command injection via im_convert_path and im_identify_path. NOTE: this issue exists because of an incomplete fix for CVE-2020-12641. References: https://github.com/roundcube/roundcubemail/releases/tag/1.5.7 https://github.com/roundcube/roundcubemail/releases/tag/1.6.7 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-37385 https://www.cve.org/CVERecord?id=CVE-2024-37385 https://github.com/roundcube/roundcubemail/commit/5ea9f37ce39374b6124586c05… -- You are receiving this mail because: You are on the CC list for the bug.

1 1

[Bug 1226067] New: VUL-0: CVE-2024-37383: roundcubemail: allows XSS via SVG animate attributes
by bugzilla_noreply＠suse.com 07 Jun '24

07 Jun '24

https://bugzilla.suse.com/show_bug.cgi?id=1226067 Bug ID: 1226067 Summary: VUL-0: CVE-2024-37383: roundcubemail: allows XSS via SVG animate attributes Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other URL: https://smash.suse.de/issue/409048/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: aj(a)ajaissle.de Reporter: smash_bz(a)suse.de QA Contact: security-team(a)suse.de CC: abergmann(a)suse.com Target Milestone: --- Found By: Security Response Team Blocker: --- Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via SVG animate attributes. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-37383 https://www.cve.org/CVERecord?id=CVE-2024-37383 https://github.com/roundcube/roundcubemail/commit/43aaaa528646877789ec028d8… https://github.com/roundcube/roundcubemail/releases/tag/1.5.7 https://github.com/roundcube/roundcubemail/releases/tag/1.6.7 -- You are receiving this mail because: You are on the CC list for the bug.

1 1

[Bug 1224781] New: VUL-0: CVE-2024-35192: trivy: credential leak via malicious registry
by bugzilla_noreply＠suse.com 07 Jun '24

07 Jun '24

https://bugzilla.suse.com/show_bug.cgi?id=1224781 Bug ID: 1224781 Summary: VUL-0: CVE-2024-35192: trivy: credential leak via malicious registry Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other URL: https://smash.suse.de/issue/406773/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: dmueller(a)suse.com Reporter: smash_bz(a)suse.de QA Contact: security-team(a)suse.de CC: carlos.lopez(a)suse.com Target Milestone: --- Found By: Security Response Team Blocker: --- Trivy is a security scanner. Prior to 0.51.2, if a malicious actor is able to trigger Trivy to scan container images from a crafted malicious registry, it could result in the leakage of credentials for legitimate registries such as AWS Elastic Container Registry (ECR), Google Cloud Artifact/Container Registry, or Azure Container Registry (ACR). These tokens can then be used to push/pull images from those registries to which the identity/user running Trivy has access. Systems are not affected if the default credential provider chain is unable to obtain valid credentials. This vulnerability only applies when scanning container images directly from a registry. This vulnerability is fixed in 0.51.2. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-35192 https://www.cve.org/CVERecord?id=CVE-2024-35192 https://github.com/aquasecurity/trivy/commit/e7f14f729de259551203f313e57d2d… https://github.com/aquasecurity/trivy/security/advisories/GHSA-xcq4-m2r3-cm… -- You are receiving this mail because: You are on the CC list for the bug.

1 3

[Bug 1226017] fwupd fails TPM fw upgrade with 'Secure boot is enabled, but shim isn't installed to EFI/opensuse/shim.efi'
by bugzilla_noreply＠suse.com 07 Jun '24

07 Jun '24

https://bugzilla.suse.com/show_bug.cgi?id=1226017 https://bugzilla.suse.com/show_bug.cgi?id=1226017#c3 Gary Ching-Pang Lin <glin(a)suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|glin(a)suse.com |dennis.tseng(a)suse.com --- Comment #3 from Gary Ching-Pang Lin <glin(a)suse.com> --- Assign to fwupd maintainer. -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1212909] New: unstripped-binary-or-object for binary libraries in Python directories
by bugzilla_noreply＠suse.com 07 Jun '24

07 Jun '24

https://bugzilla.suse.com/show_bug.cgi?id=1212909 Bug ID: 1212909 Summary: unstripped-binary-or-object for binary libraries in Python directories Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Python Assignee: python-maintainers(a)suse.com Reporter: mcepl(a)suse.com QA Contact: qa-bugs(a)suse.de Target Milestone: --- Found By: --- Blocker: --- There is a zillion packages which end up with the warning like python311-scipy.x86_64: W: unstripped-binary-or-object /usr/lib64/python3.11/site-packages/scipy/spatial/_qhull.cpython-311-x86_64-linux-gnu.so (this is from https://build.opensuse.org/package/live_build_log/home:gladiac:mailman/pyth…) Interestingly the same package in the devel project doesn’t seem to present the same problem (https://build.opensuse.org/build/devel:languages:python:numeric/openSUSE_Tu…). Could we find out why these happen and do something about it? -- You are receiving this mail because: You are on the CC list for the bug.

1 5

[Bug 1226065] New: Trackpad does not work after suspend/resume
by bugzilla_noreply＠suse.com 07 Jun '24

07 Jun '24

https://bugzilla.suse.com/show_bug.cgi?id=1226065 Bug ID: 1226065 Summary: Trackpad does not work after suspend/resume Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: x86-64 OS: openSUSE Tumbleweed Status: NEW Severity: Normal Priority: P5 - None Component: Kernel Assignee: kernel-bugs(a)opensuse.org Reporter: David(a)WalkerStreet.info QA Contact: qa-bugs(a)suse.de Target Milestone: --- Found By: --- Blocker: --- The trackpad on my Framework Gen 11 laptop stopped working after a suspend/resume cycle. The problem turned out to be that I had accidentally enabled secure boot: Jun 06 19:18:01 homelap8.WalkerStreet.info kernel: mousedev: PS/2 mouse device common for all mice Jun 06 19:18:05 homelap8.WalkerStreet.info kernel: Lockdown: vmmouse_detect: raw io port access is restricted; see man kernel_lockdown.7 Disabling secure boot fixes the trackpad problem and eliminates the lockdown log message. It looks like there's some issue in mousedev when secure boot is enabled. -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1225289] Missing dependency for sane-airscan and libsane-airscan1
by bugzilla_noreply＠suse.com 07 Jun '24

07 Jun '24

https://bugzilla.suse.com/show_bug.cgi?id=1225289 https://bugzilla.suse.com/show_bug.cgi?id=1225289#c2 --- Comment #2 from David Walker <David(a)WalkerStreet.info> --- Thanks! Everything's fine as of snapshot 20240605. -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1226063] New: `nodejs-default` depends on `nodejs22` which doesn't exist in Slowroll
by bugzilla_noreply＠suse.com 07 Jun '24

07 Jun '24

https://bugzilla.suse.com/show_bug.cgi?id=1226063 Bug ID: 1226063 Summary: `nodejs-default` depends on `nodejs22` which doesn't exist in Slowroll Classification: openSUSE Product: openSUSE Tumbleweed Version: Slowroll Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Other Assignee: screening-team-bugs(a)suse.de Reporter: marek(a)sapota.org QA Contact: qa-bugs(a)suse.de Target Milestone: --- Found By: --- Blocker: --- `nodejs-default` depends on `nodejs22` which is not available in Slowroll. This package https://build.opensuse.org/package/show/home:mareksapota/zsa-wally used to build fine on Slowroll but is now failing with: unresolvable: nothing provides nodejs22 needed by nodejs-default, nothing provides npm22 needed by npm-default, nothing provides nodejs22-devel needed by nodejs-devel-default I presume it's due to `nodejs22` being released, not yet available in Slowroll but the meta package has already been updated to the Tumbleweed version. How to reproduce: `zypper in nodejs-default` on Slowroll. -- You are receiving this mail because: You are on the CC list for the bug.

1 0