Yes this is correct, updates of packages inherited from SLES are distributed in the sle-update repository.

On Thu, 2023-07-20 at 17:24 +0100, Roger Whittaker wrote:
On Thu, Jul 20, 2023 at 03:44:07PM -0000, Christian K via openSUSE Factory wrote:
Thanks for pointing those out.
I am still confused, I reckon the fixed version for Leap 15.4 is package version 9.56 as seen at https://build.opensuse.org/package/binaries/Printing/ghostscript/15.4
yet I am unable to see that version in the updates repo http://download.opensuse.org/update/leap/15.4/sle/x86_64/
Am I looking in the wrong place?
It's here I think:
https://download.opensuse.org/update/leap/15.4/sle/x86_64/ghostscript-9.52-1...
and the relevant changelog entry is:
* Thu Jun 29 2023 jsmeix@suse.com
- CVE-2023-36664.patch fixes CVE-2023-36664 see https://bugs.ghostscript.com/show_bug.cgi?id=706761 "OS command injection in %pipe% access" and https://bugs.ghostscript.com/show_bug.cgi?id=706778 "%pipe% allowed_path bypass" and bsc#1212711 "permission validation mishandling for pipe devices (with the %pipe% prefix or the | pipe character prefix)"