openSUSE Security Announce
March 2023
- 1 participants
- 10 discussions
openSUSE-SU-2023:0082-1: important: Security update for chromium
by opensuse-security@opensuse.org 27 Mar '23
openSUSE Security Update: Security update for chromium
______________________________________________________________________________
Announcement ID: openSUSE-SU-2023:0082-1
Rating: important
References: #1209598
Cross-References: CVE-2023-1528 CVE-2023-1529 CVE-2023-1530
CVE-2023-1531 CVE-2023-1532 CVE-2023-1533
CVE-2023-1534
CVSS scores:
CVE-2023-1528 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2023-1529 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2023-1530 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2023-1531 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2023-1532 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2023-1533 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2023-1534 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products:
openSUSE Backports SLE-15-SP4
______________________________________________________________________________
An update that fixes 7 vulnerabilities is now available.
Description:
This update for chromium fixes the following issues:
Chromium 111.0.5563.110 (boo#1209598)
* CVE-2023-1528: Use after free in Passwords
* CVE-2023-1529: Out of bounds memory access in WebHID
* CVE-2023-1530: Use after free in PDF
* CVE-2023-1531: Use after free in ANGLE
* CVE-2023-1532: Out of bounds read in GPU Video
* CVE-2023-1533: Use after free in WebProtect
* CVE-2023-1534: Out of bounds read in ANGLE
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP4:
zypper in -t patch openSUSE-2023-82=1
Package List:
- openSUSE Backports SLE-15-SP4 (aarch64 x86_64):
chromedriver-111.0.5563.110-bp154.2.76.1
chromium-111.0.5563.110-bp154.2.76.1
References:
https://www.suse.com/security/cve/CVE-2023-1528.html
https://www.suse.com/security/cve/CVE-2023-1529.html
https://www.suse.com/security/cve/CVE-2023-1530.html
https://www.suse.com/security/cve/CVE-2023-1531.html
https://www.suse.com/security/cve/CVE-2023-1532.html
https://www.suse.com/security/cve/CVE-2023-1533.html
https://www.suse.com/security/cve/CVE-2023-1534.html
https://bugzilla.suse.com/1209598
openSUSE-SU-2023:0080-1: moderate: Security update for squirrel
by opensuse-security@opensuse.org 23 Mar '23
openSUSE Security Update: Security update for squirrel
______________________________________________________________________________
Announcement ID: openSUSE-SU-2023:0080-1
Rating: moderate
References: #1201974
Cross-References: CVE-2021-41556
CVSS scores:
CVE-2021-41556 (NVD) : 10 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Affected Products:
openSUSE Backports SLE-15-SP4
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for squirrel fixes the following issues:
- CVE-2021-41556: fix out-of-bounds read issue (boo#1201974)
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP4:
zypper in -t patch openSUSE-2023-80=1
Package List:
- openSUSE Backports SLE-15-SP4 (aarch64 i586 ppc64le s390x x86_64):
squirrel-3.0.7-bp154.3.3.1
squirrel-devel-3.0.7-bp154.3.3.1
squirrel-devel-static-3.0.7-bp154.3.3.1
- openSUSE Backports SLE-15-SP4 (noarch):
squirrel-doc-3.0.7-bp154.3.3.1
squirrel-examples-3.0.7-bp154.3.3.1
References:
https://www.suse.com/security/cve/CVE-2021-41556.html
https://bugzilla.suse.com/1201974
openSUSE-SU-2023:0077-1: important: Security update for python-Django
by opensuse-security@opensuse.org 20 Mar '23
openSUSE Security Update: Security update for python-Django
______________________________________________________________________________
Announcement ID: openSUSE-SU-2023:0077-1
Rating: important
References: #1077714 #1102680 #1208082 #937524 #952198
#988420
Cross-References: CVE-2015-3982 CVE-2015-5145 CVE-2015-5963
CVE-2017-12794 CVE-2017-7233 CVE-2017-7234
CVE-2018-14574 CVE-2018-6188 CVE-2018-7536
CVE-2018-7537 CVE-2023-24580
CVSS scores:
CVE-2017-12794 (NVD) : 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE-2017-7233 (NVD) : 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE-2017-7234 (NVD) : 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE-2018-14574 (NVD) : 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE-2018-14574 (SUSE): 4.2 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L
CVE-2018-6188 (NVD) : 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2018-7536 (NVD) : 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVE-2018-7537 (NVD) : 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVE-2018-7537 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVE-2023-24580 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2023-24580 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
SUSE Linux Enterprise High Performance Computing 12
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Server 12-SP3
SUSE Linux Enterprise Server 12-SP4
SUSE Linux Enterprise Server 12-SP5
SUSE Linux Enterprise Server for SAP Applications 12
SUSE Linux Enterprise Server for SAP Applications 12-SP3
SUSE Linux Enterprise Server for SAP Applications 12-SP4
SUSE Linux Enterprise Server for SAP Applications 12-SP5
SUSE Package Hub for SUSE Linux Enterprise 12
______________________________________________________________________________
An update that fixes 11 vulnerabilities is now available.
Description:
This update for python-Django fixes the following issues:
- CVE-2023-24580: Prevent DOS in file uploads. (boo#1208082)
- update to 1.11.15
* CVE-2018-14574: Fixed Open redirect possibility in CommonMiddleware
(boo#1102680)
* Fixed WKBWriter.write() and write_hex() for empty polygons on GEOS
3.6.1+
* Fixed a regression in Django 1.10 that could result in large memory
usage when making edits using ModelAdmin.list_editable
* Fixed a regression in Django 1.11.12 where QuerySet.values() or
values_list() after combining an annotated and unannotated queryset
with union(), difference(), or intersection() crashed due to
mismatching columns
* Fixed crashes in django.contrib.admindocs when a view is a callable
object, such as django.contrib.syndication.views.Feed
* Fixed a regression in Django 1.11.8 where altering a field with a
unique constraint may drop and rebuild more foreign keys than necessary
* Fixed a regression in Django 1.11.8 where combining two annotated
values_list() querysets with union(), difference(), or intersection()
crashed due to mismatching columns
* Fixed a regression in Django 1.11 where an empty choice could be
initially selected for the SelectMultiple and CheckboxSelectMultiple
widgets
- Update to 1.11.11
* Fixes CVE-2018-7536, CVE-2018-7537
- Update to 1.11.10 LTS
* Fixes CVE-2018-6188 boo#1077714, CVE-2017-7234, CVE-2017-7233,
CVE-2017-12794
- Change Requires: python-Pillow to python-imaging for compatibility with
SLE-12 which provides PIL instead of Pillow.
- Update to 1.9.9
Bugfixes
* Fixed invalid HTML in template postmortem on the debug page (#26938).
* Fixed some GIS database function crashes on MySQL 5.7 (#26657).
- Update to 1.9.8
* Fix XSS in admin's add/change related popup (boo#988420). Unsafe usage of
JavaScript's Element.innerHTML could result in XSS in the admin's add/change
related popup. Element.textContent is now used to prevent execution of the
data. The debug view also used innerHTML. Although a security issue wasn't
identified there, out of an abundance of caution it's also updated to use
textContent.
Bugfixes
* Fixed missing varchar/text_pattern_ops index on CharField and
TextField respectively when using AddField on PostgreSQL (#26889).
* Fixed makemessages crash on Python 2 with non-ASCII file names
(#26897).
- Update to 1.9.7 Bugfixes
* Removed the need for the request context processor on the admin login
page to fix a regression in 1.9 (#26558).
* Fixed translation of password validators' help_text in forms
(#26544).
* Fixed a regression causing the cached template loader to crash when
using lazy template names (#26603).
* Fixed on_commit callbacks execution order when callbacks make
transactions (#26627).
* Fixed HStoreField to raise a ValidationError instead of crashing
on non-dictionary JSON input (#26672).
* Fixed dbshell crash on PostgreSQL with an empty database name (#26698).
* Fixed a regression in queries on a OneToOneField that has to_field and
primary_key=True (#26667).
- Update to 1.9.6 Bugfixes
* Added support for relative path redirects to the test client and to
SimpleTestCase.assertRedirects() because Django 1.9 no longer converts
redirects to absolute URIs (#26428).
* Fixed TimeField microseconds round-tripping on MySQL and SQLite
(#26498).
* Prevented makemigrations from generating infinite migrations for a
model field that references a functools.partial (#26475).
* Fixed a regression where SessionBase.pop() returned None rather than
raising a KeyError for nonexistent values (#26520).
* Fixed a regression causing the cached template loader to crash when
using template names starting with a dash (#26536).
* Restored conversion of an empty string to null when saving values
of GenericIPAddressField on SQLite and MySQL (#26557).
* Fixed a makemessages regression where temporary .py extensions were
leaked in source file paths (#26341).
- Update to 1.9.5
- Update to 1.9.2
Security issue
* User with "change" but not "add" permission can create objects for
ModelAdmin's with save_as=True
Backwards incompatible change
* .py-tpl files rewritten in project/app templates
Bugfixes
* Fixed a regression in ConditionalGetMiddleware causing If-None-Match
checks to always return HTTP 200 (#26024).
* Fixed a regression that caused the "user-tools" items to display
on the admin's logout page (#26035).
* Fixed a crash in the translations system when the current language has
no translations (#26046).
* Fixed a regression that caused the incorrect day to be selected when
opening the admin calendar widget for timezones from GMT+0100 to
GMT+1200 (#24980).
* Fixed a regression in the admin's edit related model popup that caused
an escaped value to be displayed in the select dropdown of the parent
window (#25997).
* Fixed a regression in 1.8.8 causing incorrect index handling in
migrations on PostgreSQL when adding db_index=True or unique=True to a
CharField or TextField that already had the other specified,
or when removing one of them from a field that had both, or when
adding unique=True to a field already listed in unique_together
(#26034).
* Fixed a regression where defining a relation on an abstract model's
field using a string model name without an app_label no longer
resolved that reference to the abstract model's app if using that
model in another application (#25858).
* Fixed a crash when destroying an existing test database on MySQL
or PostgreSQL (#26096).
* Fixed CSRF cookie check on POST requests when
USE_X_FORWARDED_PORT=True (#26094).
* Fixed a QuerySet.order_by() crash when ordering by a relational field
of a ManyToManyField through model (#26092).
* Fixed a regression that caused an exception when making database
queries on SQLite with more than 2000 parameters when DEBUG is True on
distributions that increase the SQLITE_MAX_VARIABLE_NUMBER
compile-time limit to over 2000, such as Debian (#26063).
* Fixed a crash when using a reverse OneToOneField in
ModelAdmin.readonly_fields (#26060).
* Fixed a crash when calling the migrate command in a test case with the
available_apps attribute pointing to an application with migrations
disabled using the MIGRATION_MODULES setting (#26135).
* Restored the ability for testing and debugging tools to determine the
template from which a node came from, even during template inheritance
or inclusion. Prior to Django 1.9, debugging tools could access the
template origin from the node via Node.token.source[0]. This was an
undocumented, private API. The
origin is now available directly on each node using the Node.origin
attribute (#25848).
* Fixed a regression in Django 1.8.5 that broke copying a
SimpleLazyObject with copy.copy() (#26122).
* Always included geometry_field in the GeoJSON serializer output
regardless of the fields parameter (#26138).
* Fixed the contrib.gis map widgets when using
USE_THOUSAND_SEPARATOR=True (#20415).
* Made invalid forms display the initial of values of their disabled
fields (#26129).
- Update to 1.9.1 Bugfixes
* Fixed BaseCache.get_or_set() with the DummyCache backend (#25840).
* Fixed a regression in FormMixin causing forms to be validated twice
(#25548, #26018).
* Fixed a system check crash with nested ArrayFields (#25867).
* Fixed a state bug when migrating a SeparateDatabaseAndState
operation backwards (#25896).
* Fixed a regression in CommonMiddleware causing If-None-Match checks to
always return HTTP 200 (#25900).
* Fixed missing varchar/text_pattern_ops index on CharField and
TextField respectively when using AlterField on PostgreSQL (#25412).
* Fixed admin's delete confirmation page's summary counts of related
objects (#25883).
* Added from __future__ import unicode_literals to the default apps.py
created by startapp on Python 2 (#25909). Add this line to your own
apps.py files created using Django 1.9 if you want your migrations to
work on both Python 2 and Python 3.
* Prevented QuerySet.delete() from crashing on MySQL when querying
across relations.
* Fixed evaluation of zero-length slices of QuerySet.values() (#25894).
* ...
* https://docs.djangoproject.com/en/1.9/releases/1.9.1/
- update to 1.9
* https://docs.djangoproject.com/en/1.9/releases/1.9/
* Performing actions after a transaction commit
* Password validation
* Permission mixins for class-based views
* New styling for "contrib.admin"
* Running tests in parallel
- update to 1.8.6:
* https://docs.djangoproject.com/en/1.8/releases/1.8.5/
* https://docs.djangoproject.com/en/1.8/releases/1.8.6/
- add missing Requires for python-setuptools (boo#952198)
/usr/bin/django-admin needs the pkg_resources framework from
python-setuptools to run properly.
- update to 1.8.4 (CVE-2015-5963):
* https://docs.djangoproject.com/en/1.8/releases/1.8.4/
- add keyring and verify source signature
- update to 1.8.3:
* https://docs.djangoproject.com/en/1.8/releases/1.8.3/ Various
bugfixes/security fixes (CVE-2015-5145, boo#937524)
- update to 1.8.2 (CVE-2015-3982):
* https://docs.djangoproject.com/en/1.8/releases/1.8.2/
* https://docs.djangoproject.com/en/1.8/releases/1.8.1/
- Update to Django 1.8
* "Long-Term Support" (LTS) release
New features:
* Model._meta API
* Multiple template engines
* Security enhancements
* New PostgreSQL specific functionality
* New data types
* Query Expressions, Conditional Expressions, and Database Functions
* TestCase data setup
Backwards incompatible changes:
* Related object operations are run in a transaction
* Assigning unsaved objects to relations raises an error
* Management commands that only accept positional arguments
* Custom test management command arguments through test runner
* Model check ensures auto-generated column names are within limits
specified by database
* Query relation lookups now check object types
* select_related() now checks given fields
* Default EmailField.max_length increased to 254
* (DROP) Support for PostgreSQL versions older than 9.0
* (DROP) Support for MySQL versions older than 5.5
* (DROP) Support for Oracle versions older than 11.1
* Specific privileges used instead of roles for tests on Oracle
* ...
- Update to Django 1.7.7
Security issues:
* Denial-of-service possibility with strip_tags()
* Mitigated possible XSS attack via user-supplied redirect URLs
Bugfixes:
* Fixed renaming of classes in migrations where renaming a subclass
would cause incorrect state to be recorded for objects that referenced
the superclass (#24354).
* Stopped writing migration files in dry run mode when merging migration
conflicts. When makemigrations --merge is called with verbosity=3 the
migration file is written to stdout (:ticket: 24427).
- Update to Django 1.7.6: Bugfixes
* Mitigated an XSS attack via properties in "ModelAdmin.readonly_fields"
* Fixed crash when coercing "ManyRelatedManager" to a string (#24352).
* Fixed a bug that prevented migrations from adding a foreign key
constraint when converting an existing field to a foreign key (#24447).
- Update to Django 1.7.5: Bugfixes
* Reverted a fix that prevented a migration crash when unapplying
contrib.contenttypes's or contrib.auth's first migration (#24075) due
to severe impact on the test performance (#24251) and problems in
multi-database setups (#24298).
* Fixed a regression that prevented custom fields inheriting from
ManyToManyField from being recognized in migrations (#24236).
* Fixed crash in contrib.sites migrations when a default database isn't
used (#24332).
* Added the ability to set the isolation level on PostgreSQL with
psycopg2 >= 2.4.2 (#24318). It was advertised as a new feature in
Django 1.6 but it didn't work in practice.
* Formats for the Azerbaijani locale (az) have been added.
- Update to Django 1.7.4: Bugfixes
* Fixed a migration crash when unapplying ``contrib.contenttypes``'s
or ``contrib.auth``'s first migration (:ticket:`24075`).
* Made the migration's ``RenameModel`` operation rename
``ManyToManyField`` tables (:ticket:`24135`).
* Fixed a migration crash on MySQL when migrating from a
``OneToOneField`` to a ``ForeignKey`` (:ticket:`24163`).
* Prevented the ``static.serve`` view from producing
``ResourceWarning``\s in certain circumstances (security fix
regression, :ticket:`24193`).
* Fixed schema check for ManyToManyField to look for internal type
instead of checking class instance, so you can write custom m2m-like
fields with the same behavior. (:ticket:`24104`).
- Update to Django 1.7.3: Security fixes:
* WSGI header spoofing via underscore/dash conflation.
* Mitigated possible XSS attack via user-supplied redirect URLs.
* Denial-of-service attack against django.views.static.serve.
* Database denial-of-service with ModelMultipleChoiceField.
Bug fixes:
* The default iteration count for the PBKDF2 password hasher has been
increased by 25%. This part of the normal major release process was
inadvertently omitted in 1.7. This backwards compatible change will
not affect users who have subclassed
django.contrib.auth.hashers.PBKDF2PasswordHasher to change the default
value.
* Fixed a crash in the CSRF middleware when handling non-ASCII referer
header (#23815).
* Fixed a crash in the django.contrib.auth.redirect_to_login view when
passing a reverse_lazy() result on Python 3 (#24097).
* Added correct formats for Greek (el) (#23967).
* Fixed a migration crash when unapplying a migration where multiple
operations interact with the same model (#24110).
- South has been merged in main Django; provide and obsolete it
- Update to Django 1.7.2:
* Fixed migration's renaming of auto-created many-to-many tables when
changing Meta.db_table (#23630).
* Fixed a migration crash when adding an explicit id field to a model on
SQLite (#23702).
* Added a warning for duplicate models when a module is reloaded.
Previously a RuntimeError was raised every time two models clashed in
the app registry. (#23621).
* Prevented flush from loading initial data for migrated apps (#23699).
* Fixed a makemessages regression in 1.7.1 when STATIC_ROOT has the
default None value (#23717).
* Added GeoDjango compatibility with mysqlclient database driver.
* Fixed MySQL 5.6+ crash with GeometryFields in migrations (#23719).
* Fixed a migration crash when removing a field that is referenced in
AlterIndexTogether or AlterUniqueTogether (#23614).
* Updated the first day of the week in the Ukrainian locale to Monday.
* Added support for transactional spatial metadata initialization on
SpatiaLite 4.1+ (#23152).
* Fixed a migration crash that prevented changing a nullable field with
a default to non-nullable with the same default (#23738).
* Fixed a migration crash when adding GeometryFields with blank=True
on PostGIS (#23731).
* Allowed usage of DateTimeField() as Transform.output_field (#23420).
* Fixed a migration serializing bug involving float("nan") and
float("inf") (#23770).
* Fixed a regression where custom form fields having a queryset
attribute but no limit_choices_to could not be used in a ModelForm
(#23795).
* Fixed a custom field type validation error with MySQL backend when
db_type returned None (#23761).
* Fixed a migration crash when a field is renamed that is part of an
index_together (#23859).
* Fixed squashmigrations to respect the --no-optimize parameter (#23799).
* Made RenameModel reversible (#22248)
* Avoided unnecessary rollbacks of migrations from other apps when
migrating backwards (#23410).
* Fixed a rare query error when using deeply nested subqueries (#23605).
* Fixed a crash in migrations when deleting a field that is part of a
index/unique_together constraint (#23794).
* Fixed django.core.files.File.__repr__() when the file's name
contains Unicode characters (#23888).
* Added missing context to the admin's delete_selected view that
prevented custom site header, etc. from appearing (#23898).
* Fixed a regression with dynamically generated inlines and allowed
field references in the admin (#23754).
* Fixed an infinite loop bug for certain cyclic migration dependencies,
and made the error message for cyclic dependencies much more helpful.
* Added missing index_together handling for SQLite (#23880).
* Fixed a crash when RunSQL SQL content was collected by the schema
editor, typically when using sqlmigrate (#23909).
* Fixed a regression in contrib.admin add/change views which caused some
ModelAdmin methods to receive the incorrect obj value (#23934).
* Fixed runserver crash when socket error message contained Unicode
characters (#23946).
* Fixed serialization of type when adding a deconstruct() method
(#23950).
* Prevented the SessionAuthenticationMiddleware from setting a "Vary:
Cookie" header on all responses (#23939).
* Fixed a crash when adding blank=True to TextField() on MySQL (#23920).
* Fixed index creation by the migration infrastructure, particularly
when dealing with PostgreSQL specific {text|varchar}_pattern_ops
indexes (#23954).
* Fixed bug in makemigrations that created broken migration files when
dealing with multiple table inheritance and inheriting from more than
one model (#23956).
* Fixed a crash when a MultiValueField has invalid data (#23674).
* Fixed a crash in the admin when using "Save as new" and also
deleting a related inline (#23857).
* Always converted related_name to text (unicode), since that is
required on Python 3 for interpolation. Removed conversion of
related_name to text in migration deconstruction (#23455 and #23982).
* Enlarged the sizes of tablespaces which are created by default for
testing on Oracle (the main tablespace was increased from 200M to 300M
and the temporary tablespace from 100M to 150M). This was required to
accommodate growth in Django's own test suite (#23969).
* Fixed timesince filter translations in Korean (#23989).
* Fixed the SQLite SchemaEditor to properly add defaults in the absence
of a user specified default. For example, a CharField with blank=True
didn't set existing rows to an empty string which resulted in a
crash when adding the NOT NULL constraint (#23987).
* makemigrations no longer prompts for a default value when adding
TextField() or CharField() without a default (#23405).
* Fixed a migration crash when adding order_with_respect_to to a table
with existing rows (#23983).
* Restored the pre_migrate signal if all apps have migrations (#23975).
* Made admin system checks run for custom AdminSites (#23497).
* Ensured the app registry is fully populated when unpickling models.
When an external script (like a queueing infrastructure) reloads
pickled models, it could crash with an AppRegistryNotReady exception
(#24007).
* Added quoting to field indexes in the SQL generated by migrations to
prevent a crash when the index name requires it (#24015).
* Added datetime.time support to migrations questioner (#23998).
* Fixed admindocs crash on apps installed as eggs (#23525).
* Changed migrations autodetector to generate an AlterModelOptions
operation instead of DeleteModel and CreateModel operations when
changing Meta.managed. This prevents data loss when changing managed
from False to True and vice versa (#24037).
* Enabled the sqlsequencereset command on apps with migrations (#24054).
* Added tablespace SQL to apps with migrations (#24051).
* Corrected contrib.sites default site creation in a multiple database
setup (#24000).
* Restored support for objects that aren't str or bytes in
mark_for_escaping() on Python 3.
* Supported strings escaped by third-party libraries with the __html__
convention in the template engine (#23831).
* Prevented extraneous DROP DEFAULT SQL in migrations (#23581).
* Restored the ability to use more than five levels of subqueries
(#23758).
* Fixed crash when ValidationError is initialized with a ValidationError
that is initialized with a dictionary (#24008).
* Prevented a crash on apps without migrations when running migrate
--list (#23366).
- Update to Django 1.7.1
* Allowed related many-to-many fields to be referenced in the admin
(#23604).
* Added a more helpful error message if you try to migrate an app
without first creating the contenttypes table (#22411).
* Modified migrations dependency algorithm to avoid possible infinite
recursion.
* Fixed a UnicodeDecodeError when the flush error message contained
Unicode characters (#22882).
* Reinstated missing CHECK SQL clauses which were omitted on some
backends when not using migrations (#23416).
* Fixed serialization of type objects in migrations (#22951).
* Allowed inline and hidden references to admin fields (#23431).
* The @deconstructible decorator now fails with a ValueError if the
decorated object cannot automatically be imported (#23418).
* Fixed a typo in an inlineformset_factory() error message that caused a
crash (#23451).
* Restored the ability to use ABSOLUTE_URL_OVERRIDES with the
'auth.User' model (#11775). As a side effect, the setting now adds a
get_absolute_url() method to any model that appears in
ABSOLUTE_URL_OVERRIDES but doesn't define get_absolute_url().
* Avoided masking some ImportError exceptions during application loading
(#22920).
* Empty index_together or unique_together model options no longer
results in infinite migrations (#23452).
* Fixed crash in contrib.sitemaps if lastmod returned a date rather than
a datetime (#23403).
* Allowed migrations to work with app_labels that have the same last
part (e.g. django.contrib.auth and vendor.auth) (#23483).
* Restored the ability to deepcopy F objects (#23492).
* Formats for Welsh (cy) and several Chinese locales (zh_CN, zh_Hans,
zh_Hant and zh_TW) have been added. Formats for Macedonian have been
fixed (trailing dot removed, #23532).
* Added quoting of constraint names in the SQL generated by migrations
to prevent crash with uppercase characters in the name (#23065).
* Fixed renaming of models with a self-referential many-to-many field
(ManyToManyField('self')) (#23503).
* Added the get_extra(), get_max_num(), and get_min_num() hooks to
GenericInlineModelAdmin (#23539).
* Made migrations.RunSQL no longer require percent sign escaping. This
is now consistent with cursor.execute() (#23426).
* Made the SERIALIZE entry in the TEST dictionary usable (#23421).
* Fixed bug in migrations that prevented foreign key constraints to
unmanaged models with a custom primary key (#23415).
* Added SchemaEditor for MySQL GIS backend so that spatial indexes will
be created for apps with migrations (#23538).
* Added SchemaEditor for Oracle GIS backend so that spatial metadata and
indexes will be created for apps with migrations (#23537).
* Coerced the related_name model field option to unicode during
migration generation to generate migrations that work with both Python
2 and 3 (#23455).
* Fixed MigrationWriter to handle builtin types without imports (#23560).
* Fixed deepcopy on ErrorList (#23594).
* Made the admindocs view to browse view details check if the view
specified in the URL exists in the URLconf. Previously it was possible
to import arbitrary packages from the Python path. This was not
considered a security issue because admindocs is only accessible to
staff users (#23601).
* Fixed UnicodeDecodeError crash in AdminEmailHandler with non-ASCII
characters in the request (#23593).
* Fixed missing get_or_create and update_or_create on related managers
causing IntegrityError (#23611).
* Made urlsafe_base64_decode() return the proper type (byte string)
on Python 3 (#23333).
* makemigrations can now serialize timezone-aware values (#23365).
* Added a prompt to the migrations questioner when removing the null
constraint from a field to prevent an IntegrityError on existing NULL
rows (#23609).
* Fixed generic relations in ModelAdmin.list_filter (#23616).
* Restored RFC compliance for the SMTP backend on Python 3 (#23063).
* Fixed a crash while parsing cookies containing invalid content
(#23638).
* The system check framework now raises error models.E020 when the class
method Model.check() is unreachable (#23615).
* Made the Oracle test database creation drop the test user in the event
of an unclean exit of a previous test run (#23649).
* Fixed makemigrations to detect changes to Meta.db_table (#23629).
* Fixed a regression when feeding the Django test client with an empty
data string (#21740).
* Fixed a regression in makemessages where static files were
unexpectedly ignored (#23583).
- Update to Django 1.7
* A new built-in database migration system. Notes on upgrading from
South (a popular third-party application providing migration
functionality) are also available.
* A refactored concept of Django applications. Django applications are
no longer tied to the existence of a models file, and can now specify
both configuration data and code to be executed as Django starts up.
* Improvements to the model Field API to support migrations and, in the
future, to enable easy addition of composite-key support to Django's
ORM.
* Improvements for custom Manager and QuerySet classes, allowing reverse
relationship traversal to specify the Manager to use, and creation of
a Manager from a custom QuerySet class.
* An extensible system check framework which can assist developers in
detecting and diagnosing errors. Please refer to the release notes for
all details and migration instructions:
https://docs.djangoproject.com/en/1.7/releases/1.7/
- Added python-setuptools as a BuildRequires.
- Fixed Source URL from Django Project site.
- Reordered sources.
- Fixed deduplication to avoid wrong mtimes in pyc files.
- Rename rpmlintrc to %{name}-rpmlintrc. Follow the packaging guidelines.
- Update to version 1.6.5, security and important changes:
+ Unexpected code execution using reverse()
+ Caching of anonymous pages could reveal CSRF token
+ MySQL typecasting
+ select_for_update() requires a transaction
+ Issue: Caches may incorrectly be allowed to store and serve private
data
+ Issue: Malformed redirect URLs from user input not correctly validated
- Fix update-alternatives
- Update to version 1.6.2:
+ Prevented the base geometry object of a prepared geometry from being
garbage collected, which could crash Django (#21662).
+ Fixed a crash when executing the changepassword command when the user
object representation contained non-ASCII characters (#21627).
+ The collectstatic command will raise an error rather than default to
using the current working directory if STATIC_ROOT is not set.
Combined with the --clear option, the previous behavior could wipe
anything below the current working directory (#21581).
+ Fixed mail encoding on Python 3.3.3+ (#21093).
+ Fixed an issue where when settings.DATABASES['default']['AUTOCOMMIT']
= False, the connection wasn't in autocommit mode but Django
pretended it was.
+ Fixed a regression in multiple-table inheritance exclude() queries
(#21787).
+ Added missing items to django.utils.timezone.__all__ (#21880).
+ Fixed a field misalignment issue with select_related() and model
inheritance (#21413).
+ Fixed join promotion for negated AND conditions (#21748).
+ Oracle database introspection now works with boolean and float fields
(#19884).
+ Fixed an issue where lazy objects weren't actually marked as safe
when passed through mark_safe() and could end up being double-escaped
(#21882).
- Update to version 1.6.1:
- Most bug fixes are minor; you can find a complete list in the Django
1.6.1 release notes.
- Update-alternatives also for bash-completion
- Only ghost /etc/alternatives on 12.3 or newer
- Require python-Pillow for image-related functionality
- Package was renamed from python-django
- Drop Django-1.2-completion-only-for-bash.patch: Useless
- Update to version 1.6:
- Please read the release notes
https://docs.djangoproject.com/en/1.6/releases/1.6
- Removed Patch2 as it is no longer needed:
Django-1.4-CSRF_COOKIE_HTTPONLY-support.patch
- Update to version 1.5.4:
+ Fixed denial-of-service via large passwords
- Changes from version 1.5.3:
+ Fixed directory traversal with ssi template tag
- Update to 1.5.2:
- Security release, please check release notes for details:
https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued
- Update to 1.5.1:
- Memory leak fix, please read release announcement at
https://www.djangoproject.com/weblog/2013/mar/28/django-151.
- Update to 1.5:
- Please read the release notes
https://docs.djangoproject.com/en/1.5/releases/1.5
- Update to 1.4.3:
- Security release:
- Host header poisoning
- Redirect poisoning
- Please check release notes for details:
https://www.djangoproject.com/weblog/2012/dec/10/security
- Add a symlink from /usr/bin/django-admin.py to /usr/bin/django-admin
- Update to 1.4.2:
- Security release:
- Host header poisoning
- Please check release notes for details:
https://www.djangoproject.com/weblog/2012/oct/17/security
- Update to 1.4.1:
- Security release:
- Cross-site scripting in authentication views
- Denial-of-service in image validation
- Denial-of-service via get_image_dimensions()
- Please check release notes for details:
https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued
- Add patch to support CSRF_COOKIE_HTTPONLY config
- Update to 1.4:
- Please read the release notes
https://docs.djangoproject.com/en/dev/releases/1.4
- Removed Patch2, it was merged on upstream,
- Set license to SPDX style (BSD-3-Clause)
- Package AUTHORS, LICENSE and README files
- No CFLAGS for noarch package
- Drop runtime dependency on gettext-tools
- Update to 1.3.1 to fix security issues, please read
https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued.
- Fix build on SLES_9.
- Update to 1.3 final;
- Refresh patch empty-ip-2.diff.
- Update to 1.3-rc1;
- Regenerated spec file with py2pack;
- No more need to fix wrong line endings;
- Refresh patch empty-ip-2.diff with -p0.
- Spec file cleanup:
* Removed empty lines, package authors from description
* Cleanup duplicates
* Corrected wrong file endings
* Added zero-length rpmlint filter
- Added AUTHORS, LICENSE and doc files
- Update to 1.2.5:
- This is a security update that fixes:
- Flaw in CSRF handling;
- Potential XSS in file field rendering.
- Update to 1.2.4:
- Information leakage in Django administrative interface;
- Denial-of-service attack in password-reset mechanism.
- This is a mandatory security update.
- Update to 1.2.3:
- The patch applied for the security issue covered in Django 1.2.2
caused issues with non-ASCII responses using CSRF tokens. This has
been remedied;
- The patch also caused issues with some forms, most notably the
user-editing forms in the Django administrative interface. This has
been remedied.
- The packaging manifest did not contain the full list of required
files. This has been remedied.
- Update to 1.2.2.
- This is a critical security update fixing a default XSS bug!
- Added patch to fix upstream bug 5622: Empty ipaddress raises an error
- Update to 1.2.1.
- Update to 1.2.
- Update to 1.2-rc-1.
- Spec file cleaned with spec-cleaner;
- Minor manual adjusts on spec file.
- Moved autocomplete file path from /etc/profile.d to
/etc/bash_completion.d. Then it works with konsole too.
- Update to 1.2-beta-1;
- Using -q option on prep section of spec file;
- Using INSTALLED_FILES instead of declaring files;
- Removed dummy changelog section of spec file;
- Update completion bash patch.
- Update to 1.1.1 due to security issue described at
http://www.djangoproject.com/weblog/2009/oct/09/security/
- Removed old tarball file (Django-1.1.tar.bz2).
- Fix python version check.
- Don't require python-sqlite2 for python >= 2.6.
- Build as noarch on factory.
- don't run bash completion on shells other than bash. Avoiding error
messages produced at login when using other shells.
- Added bash auto-complete to openSUSE.
- update to version 1.1
- add python-django-rpmlintrc to quiet rpmlint complaints about -lang
- add python-xml to the Requires (./manage.py syncdb crashes
otherwise)
- update to version 1.0
- Fix build on SLES9
- update to version 1.0 final
- update to version 0.96.2
- The way simplejson is included in this package is not useful to other
packages. Removed from provides
- version 0.96.1 fixes a DoS attack in the i18n module
- update to version 0.96 see
http://www.djangoproject.com/documentation/release_notes_0.96 for details
- this package provides python-simplejson too.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE Package Hub for SUSE Linux Enterprise 12:
zypper in -t patch openSUSE-2023-77=1
Package List:
- SUSE Package Hub for SUSE Linux Enterprise 12 (noarch):
python-Django-1.11.15-2.1
References:
https://www.suse.com/security/cve/CVE-2015-3982.html
https://www.suse.com/security/cve/CVE-2015-5145.html
https://www.suse.com/security/cve/CVE-2015-5963.html
https://www.suse.com/security/cve/CVE-2017-12794.html
https://www.suse.com/security/cve/CVE-2017-7233.html
https://www.suse.com/security/cve/CVE-2017-7234.html
https://www.suse.com/security/cve/CVE-2018-14574.html
https://www.suse.com/security/cve/CVE-2018-6188.html
https://www.suse.com/security/cve/CVE-2018-7536.html
https://www.suse.com/security/cve/CVE-2018-7537.html
https://www.suse.com/security/cve/CVE-2023-24580.html
https://bugzilla.suse.com/1077714
https://bugzilla.suse.com/1102680
https://bugzilla.suse.com/1208082
https://bugzilla.suse.com/937524
https://bugzilla.suse.com/952198
https://bugzilla.suse.com/988420
openSUSE-SU-2023:0071-1: moderate: Security update for peazip
by opensuse-security@opensuse.org 14 Mar '23
openSUSE Security Update: Security update for peazip
______________________________________________________________________________
Announcement ID: openSUSE-SU-2023:0071-1
Rating: moderate
References: #1202690 #1208468
Cross-References: CVE-2023-24785
CVSS scores:
CVE-2023-24785 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Affected Products:
openSUSE Backports SLE-15-SP4
______________________________________________________________________________
An update that solves one vulnerability and has one errata
is now available.
Description:
This update for peazip fixes the following issues:
peazip was updated to 9.1.0:
* Major restyle in application's look & feel and themes, and many
usability improvements for the file manager, and archiving /
extraction screens.
* The scripting engine was refined, with the ability to adapt the syntax
for a specific 7z version at runtime, and to export archive conversion
tasks as scripts.
* Support for TAR, Brotli, and Zstandard formats was improved.
* Pea was updated to 1.12, fixing CVE-2023-24785 (boo#1208468)
Update to 9.0.0:
BACKEND:
* Pea 1.11.
CODE:
* Fixes, clean up of legacy code.
* Improved speed and memory usage.
FILE MANAGER:
* GUI better adapts to size and preference changes.
* Selecting one of the available tool bars (archive manager, file
manager, image manager) restores its visibility if the Tool bar is
hidden.
EXTRACTION and ARCHIVING:
* Added new options for 7z/p7zip backend.
* Improved support for TAR format, and for formats used in combination
with TAR.
* Improved support for ZPAQ and *PAQ formats.
* Updated compression preset scripts.
* Updated plugin for PeaZip.
- Update to 8.9.0:
BACKEND
* Pea 1.10
CODE
* Password Manager is now re-set only from Options > Settings >
Privacy, Reset Password Manager link
* Various fixes and improvements
* Correctly displays folder size inside ZIP archives if applicable
* Cleanup of legacy code
* Improved performance and memory management for browsing archives
* Improved opening folders after task completion
* Improved detecting root extraction directory
* Archive conversion procedure now opens target directory only once,
after final compression step
* Task window can now show temporary extraction work path from context
menu right-clicking on input and output links
FILE MANAGER
* Added progress bar while opening archive files supported through 7z
backend; progress indicator is not visible when archive pre-browsing
is disabled in Options > Settings > General, Performance group
* Improved Clipboard panel, can display item size and modification date
* Improved quick navigation menu (on the left of the Address bar)
* Can now set password/keyfile, and display if a password is set
* Can now display info on current archive / selection / clipboard
content, duplicating the function of the status bar; the new Info entry
is also featured in main menu, Navigation group
* Can now toggle bookmarks, history, and clipboard views in the Status
bar
* Improved Style button
* Right-clicking Style shows main menu as context menu
* Settings is now reachable from Style button in Tool / Address bar
* Updated theming engine
* Address bar color can now be changed separately from Address field
color
* Tab bar color has now more options
* Improved existing Themes to take advantage of the new options
* Updated Tuxedo theme
* New Droid theme
EXTRACTION and ARCHIVING
* Changed default working directory to output path, as more consistent
with behavior of similar applications on non-Windows systems
* Added context menu entry for "Add to separate archives" action,
shown when applicable in file browser screen
* Improved archiving and extraction context menu, to make it easier to
add files and folders (or open search) from bookmarks and history
items
* Improved test after archiving
* Empty archives are reported as warnings
* It is now possible to set the sequence of tasks to stop for
auto-test results (otherwise it will stop only in case of error)
from Options > Settings > Advanced
* More information is available by clicking the status bar string in
archive creation and extraction screens: task type details, temp work
path (if applicable), input size, output path with total size and free
space
- Update to 8.8.0 (boo#1202690):
BACKEND
* 7z 22.01
* Pea 1.09
CODE
* Various fixes and improvements
FILE MANAGER
* Improved GUI for more flexibility to better adapt to multiple
environments with different visual styles
EXTRACTION and ARCHIVING
* Added option to test archive after creation, for formats supporting
test routine, in Options > Settings, Archive manager tab
* Added timestamp precision option in Archiving screen, Advanced tab,
applies to ZIP and TAR/pax formats
* Added options to save owner/group ids and names, available in
Archiving screen, Advanced tab
- Set correct category in the desktop file (boo#1202690)
- Update to 8.7.0:
BACKEND
* 7z 22.00
* Pea 1.08
CODE
* Can now optionally check hash of backend binaries called by PeaZip
in order to detect modified ones
* Can now optionally hardcode paths of backend binaries,
configuration, and non-binary resources directories as absolute
paths at compile time
FILE MANAGER
* Added "Open in a new tab" to breadcrumb navigation menu
* Can now export content of navigation/search filter as CSV, from
column's header menu, and Main menu > Navigation submenu
* CSV separator can now be customised from Options > Settings, General
Tab, on the right of Localization selector
* File manager now displays file size and compressed file size of
directories inside archives; CRC column displays file and
sub-directory count for directories
* Many visual enhancements
EXTRACTION and ARCHIVING
* Can now remember default archive creation action (force new archive,
add, update, sync...)
* Improved displaying directory size in archive creation screen: items
are now recursively enumerated asynchronously (non blocking) by
default, so it is possible to proceed with archiving operations
(confirm, cancel, modify parameters...) without needing the input
count to be completed
* Re-organized Archive manager settings page in Options > Settings
* For Zpaq format now "Absolute paths" extraction option is enabled by
default (in Advanced tab of extraction screen)
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP4:
zypper in -t patch openSUSE-2023-71=1
Package List:
- openSUSE Backports SLE-15-SP4 (aarch64 x86_64):
peazip-9.1.0-bp154.2.3.1
- openSUSE Backports SLE-15-SP4 (noarch):
peazip-kf5-9.1.0-bp154.2.3.1
References:
https://www.suse.com/security/cve/CVE-2023-24785.html
https://bugzilla.suse.com/1202690
https://bugzilla.suse.com/1208468
openSUSE-SU-2023:0075-1: moderate: Security update for python-Django
by opensuse-security@opensuse.org 14 Mar '23
openSUSE Security Update: Security update for python-Django
______________________________________________________________________________
Announcement ID: openSUSE-SU-2023:0075-1
Rating: moderate
References: #1208082
Cross-References: CVE-2023-24580
CVSS scores:
CVE-2023-24580 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2023-24580 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
openSUSE Backports SLE-15-SP4
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
python-Django was updated to fix:
- CVE-2023-24580: Prevent DOS in file uploads. (bsc#1208082)
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP4:
zypper in -t patch openSUSE-2023-75=1
Package List:
- openSUSE Backports SLE-15-SP4 (noarch):
python3-Django1-1.11.29-bp154.2.3.1
References:
https://www.suse.com/security/cve/CVE-2023-24580.html
https://bugzilla.suse.com/1208082
openSUSE-SU-2023:0069-1: important: Security update for amanda
by opensuse-security@opensuse.org 14 Mar '23
openSUSE Security Update: Security update for amanda
______________________________________________________________________________
Announcement ID: openSUSE-SU-2023:0069-1
Rating: important
References: #1208032 #1208033
Cross-References: CVE-2022-37704 CVE-2022-37705
CVSS scores:
CVE-2022-37704 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2022-37705 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
openSUSE Backports SLE-15-SP4
______________________________________________________________________________
An update that fixes two vulnerabilities is now available.
Description:
This update for amanda fixes the following issues:
- CVE-2022-37704: fix privilege escalation via rundump (boo#1208033,
gh#zmanda/amanda#195)
- CVE-2022-37705: fix privilege escalation via runtar suid binary
(boo#1208032, gh#zmanda/amanda#194)
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP4:
zypper in -t patch openSUSE-2023-69=1
Package List:
- openSUSE Backports SLE-15-SP4 (aarch64 ppc64le s390x x86_64):
amanda-3.5.1-bp154.3.3.1
References:
https://www.suse.com/security/cve/CVE-2022-37704.html
https://www.suse.com/security/cve/CVE-2022-37705.html
https://bugzilla.suse.com/1208032
https://bugzilla.suse.com/1208033
openSUSE-SU-2023:0068-1: important: Security update for chromium
by opensuse-security@opensuse.org 13 Mar '23
openSUSE Security Update: Security update for chromium
______________________________________________________________________________
Announcement ID: openSUSE-SU-2023:0068-1
Rating: important
References: #1209040
Cross-References: CVE-2023-1213 CVE-2023-1214 CVE-2023-1215
CVE-2023-1216 CVE-2023-1217 CVE-2023-1218
CVE-2023-1219 CVE-2023-1220 CVE-2023-1221
CVE-2023-1222 CVE-2023-1223 CVE-2023-1224
CVE-2023-1225 CVE-2023-1226 CVE-2023-1227
CVE-2023-1228 CVE-2023-1229 CVE-2023-1230
CVE-2023-1231 CVE-2023-1232 CVE-2023-1233
CVE-2023-1234 CVE-2023-1235 CVE-2023-1236
CVSS scores:
CVE-2023-1213 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2023-1214 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2023-1215 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2023-1216 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2023-1217 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CVE-2023-1218 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2023-1219 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2023-1220 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2023-1221 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVE-2023-1222 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2023-1223 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CVE-2023-1224 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVE-2023-1225 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVE-2023-1226 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CVE-2023-1227 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2023-1228 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVE-2023-1229 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVE-2023-1230 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVE-2023-1231 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVE-2023-1232 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CVE-2023-1233 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CVE-2023-1234 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVE-2023-1235 (NVD) : 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
CVE-2023-1236 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Affected Products:
openSUSE Backports SLE-15-SP4
______________________________________________________________________________
An update that fixes 24 vulnerabilities is now available.
Description:
This update for chromium fixes the following issues:
Chromium 111.0.5563.64
* New View Transitions API
* CSS Color Level 4
* New developer tools in style panel for color functionality
* CSS added trigonometric functions, additional root font units and
extended the n-th child pseudo selector.
* previousslide and nextslide actions are now part of the Media Session API
* A number of security fixes (boo#1209040)
* CVE-2023-1213: Use after free in Swiftshader
* CVE-2023-1214: Type Confusion in V8
* CVE-2023-1215: Type Confusion in CSS
* CVE-2023-1216: Use after free in DevTools
* CVE-2023-1217: Stack buffer overflow in Crash reporting
* CVE-2023-1218: Use after free in WebRTC
* CVE-2023-1219: Heap buffer overflow in Metrics
* CVE-2023-1220: Heap buffer overflow in UMA
* CVE-2023-1221: Insufficient policy enforcement in Extensions API
* CVE-2023-1222: Heap buffer overflow in Web Audio API
* CVE-2023-1223: Insufficient policy enforcement in Autofill
* CVE-2023-1224: Insufficient policy enforcement in Web Payments API
* CVE-2023-1225: Insufficient policy enforcement in Navigation
* CVE-2023-1226: Insufficient policy enforcement in Web Payments API
* CVE-2023-1227: Use after free in Core
* CVE-2023-1228: Insufficient policy enforcement in Intents
* CVE-2023-1229: Inappropriate implementation in Permission prompts
* CVE-2023-1230: Inappropriate implementation in WebApp Installs
* CVE-2023-1231: Inappropriate implementation in Autofill
* CVE-2023-1232: Insufficient policy enforcement in Resource Timing
* CVE-2023-1233: Insufficient policy enforcement in Resource Timing
* CVE-2023-1234: Inappropriate implementation in Intents
* CVE-2023-1235: Type Confusion in DevTools
* CVE-2023-1236: Inappropriate implementation in Internals
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP4:
zypper in -t patch openSUSE-2023-68=1
Package List:
- openSUSE Backports SLE-15-SP4 (aarch64 x86_64):
chromedriver-111.0.5563.64-bp154.2.73.1
chromium-111.0.5563.64-bp154.2.73.1
References:
https://www.suse.com/security/cve/CVE-2023-1213.html
https://www.suse.com/security/cve/CVE-2023-1214.html
https://www.suse.com/security/cve/CVE-2023-1215.html
https://www.suse.com/security/cve/CVE-2023-1216.html
https://www.suse.com/security/cve/CVE-2023-1217.html
https://www.suse.com/security/cve/CVE-2023-1218.html
https://www.suse.com/security/cve/CVE-2023-1219.html
https://www.suse.com/security/cve/CVE-2023-1220.html
https://www.suse.com/security/cve/CVE-2023-1221.html
https://www.suse.com/security/cve/CVE-2023-1222.html
https://www.suse.com/security/cve/CVE-2023-1223.html
https://www.suse.com/security/cve/CVE-2023-1224.html
https://www.suse.com/security/cve/CVE-2023-1225.html
https://www.suse.com/security/cve/CVE-2023-1226.html
https://www.suse.com/security/cve/CVE-2023-1227.html
https://www.suse.com/security/cve/CVE-2023-1228.html
https://www.suse.com/security/cve/CVE-2023-1229.html
https://www.suse.com/security/cve/CVE-2023-1230.html
https://www.suse.com/security/cve/CVE-2023-1231.html
https://www.suse.com/security/cve/CVE-2023-1232.html
https://www.suse.com/security/cve/CVE-2023-1233.html
https://www.suse.com/security/cve/CVE-2023-1234.html
https://www.suse.com/security/cve/CVE-2023-1235.html
https://www.suse.com/security/cve/CVE-2023-1236.html
https://bugzilla.suse.com/1209040
openSUSE-SU-2023:0066-1: important: Security update for opera
by opensuse-security@opensuse.org 09 Mar '23
openSUSE Security Update: Security update for opera
______________________________________________________________________________
Announcement ID: openSUSE-SU-2023:0066-1
Rating: important
References:
Cross-References: CVE-2023-0927 CVE-2023-0928 CVE-2023-0929
CVE-2023-0930 CVE-2023-0931 CVE-2023-0932
CVE-2023-0933 CVE-2023-0941
CVSS scores:
CVE-2023-0927 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2023-0928 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2023-0929 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2023-0930 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2023-0931 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2023-0932 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2023-0933 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2023-0941 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products:
openSUSE Leap 15.4:NonFree
______________________________________________________________________________
An update that fixes 8 vulnerabilities is now available.
Description:
This update for opera fixes the following issues:
Update to 96.0.4693.31
* CHR-9206 Update Chromium on desktop-stable-110-4693 to 110.0.5481.178
* DNA-104492 [Stable A/B Test] React Start Page for Austria 50%
* DNA-104660 Browser crash when calling window.opr.authPrivate API in a
private mode
* DNA-105000 Crash at non-virtual thunk to
SadTabView::OnBoundsChanged(gfx::Rect const&)
* DNA-105138 Hang-up button is red in video popout
* DNA-105211 Johnny5 - Prepare extension to be usable in Desktop
* DNA-105377 Add API for extension to be able to open sidebar panel
* DNA-105378 Add "AI Shorten" functionality to search/copy tooltip
* DNA-105410 Change Popup functionality depending on number
of words selected
* DNA-105429 Fix privileges for Shodan api
* DNA-105434 Change popup depending on number of words
* DNA-105442 Fix Update & Recovery page styling
* DNA-105455 [Search box] Search box does not resize dynamically
* DNA-105606 Enabling news by default on SP test- 2
The update to chromium 110.0.5481.178 fixes the following issues:
CVE-2023-0927, CVE-2023-0928, CVE-2023-0929, CVE-2023-0930, CVE-2023-0931,
CVE-2023-0932, CVE-2023-0933, CVE-2023-0941
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.4:NonFree:
zypper in -t patch openSUSE-2023-66=1
Package List:
- openSUSE Leap 15.4:NonFree (x86_64):
opera-96.0.4693.31-lp154.2.44.1
References:
https://www.suse.com/security/cve/CVE-2023-0927.html
https://www.suse.com/security/cve/CVE-2023-0928.html
https://www.suse.com/security/cve/CVE-2023-0929.html
https://www.suse.com/security/cve/CVE-2023-0930.html
https://www.suse.com/security/cve/CVE-2023-0931.html
https://www.suse.com/security/cve/CVE-2023-0932.html
https://www.suse.com/security/cve/CVE-2023-0933.html
https://www.suse.com/security/cve/CVE-2023-0941.html
openSUSE-SU-2023:0064-1: moderate: Security update for trivy
by opensuse-security@opensuse.org 05 Mar '23
openSUSE Security Update: Security update for trivy
______________________________________________________________________________
Announcement ID: openSUSE-SU-2023:0064-1
Rating: moderate
References: #1208091
Cross-References: CVE-2023-25165
CVSS scores:
CVE-2023-25165 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVE-2023-25165 (SUSE): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Affected Products:
openSUSE Backports SLE-15-SP4
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for trivy fixes the following issues:
Update to version 0.37.3 (boo#1208091, CVE-2023-25165):
* chore(helm): update Trivy from v0.36.1 to v0.37.2 (#3574)
* ci: quote pros in c++ for semantic pr (#3605)
* fix(image): check proxy settings from env for remote images (#3604)
Update to version 0.37.2:
* BREAKING: use normalized trivy-java-db (#3583)
* fix(image): add timeout for remote images (#3582)
* fix(misconf): handle dot files better (#3550)
Update to version 0.37.1:
* fix(sbom): download the Java DB when generating SBOM (#3539)
* fix: use cgo free sqlite driver (#3521)
* ci: fix path to dist folder (#3527)
Update to version 0.37.0:
* fix(image): close layers (#3517)
* refactor: db client changed (#3515)
* feat(java): use trivy-java-db to get GAV (#3484)
* docs: add note about the limitation in Rekor (#3494)
* docs: aggregate targets (#3503)
* deps: updates wazero to 1.0.0-pre.8 (#3510)
* docs: add alma 9 and rocky 9 to supported os (#3513)
* chore: add missing target labels (#3504)
* docs: add java vulnerability page (#3429)
* feat(image): add support for Docker CIS Benchmark (#3496)
* feat(image): secret scanning on container image config (#3495)
* chore(deps): Upgrade defsec to v0.82.8 (#3488)
* feat(image): scan misconfigurations in image config (#3437)
* chore(helm): update Trivy from v0.30.4 to v0.36.1 (#3489)
* feat(k8s): add node info resource (#3482)
* perf(secret): optimize secret scanning memory usage (#3453)
* feat: support aliases in CLI flag, env and config (#3481)
* fix(k8s): migrate rbac k8s (#3459)
* feat(java): add implementationVendor and specificationVendor fields to
detect GroupID from MANIFEST.MF (#3480)
* refactor: rename security-checks to scanners (#3467)
* chore: display the troubleshooting URL for the DB denial error (#3474)
* docs: yaml tabs to spaces, auto create namespace (#3469)
* docs: adding show-and-tell template to GH discussions (#3391)
* fix: Fix a temporary file leak in case of error (#3465)
* fix(test): sort cyclonedx components (#3468)
* docs: fixing spelling mistakes (#3462)
* ci: set paths triggering VM tests in PR (#3438)
* docs: typo in --skip-files (#3454)
* feat(custom-forward): Extended advisory data (#3444)
* docs: fix spelling error (#3436)
* refactor(image): extend image config analyzer (#3434)
* fix(nodejs): add ignore protocols to yarn parser (#3433)
* fix(db): check proxy settings when using insecure flag (#3435)
* feat(misconf): Fetch policies from OCI registry (#3015)
* ci: downgrade Go to 1.18 and use stable and oldstable go versions for
unit tests (#3413)
* ci: store URLs to Github Releases in RPM repository (#3414)
* feat(server): add support of `skip-db-update` flag for hot db update
(#3416)
* fix(image): handle wrong empty layer detection (#3375)
* test: fix integration tests for spdx and cycloneDX (#3412)
* feat(python): Include Conda packages in SBOMs (#3379)
* feat: add support pubspec.lock files for dart (#3344)
* fix(image): parsePlatform is failing with UNAUTHORIZED error (#3326)
* fix(license): change normalize for GPL-3+-WITH-BISON-EXCEPTION (#3405)
* feat(server): log errors on server side (#3397)
* docs: rewrite installation docs and general improvements (#3368)
* chore: update code owners (#3393)
* chore: test docs separately from code (#3392)
* docs: use the formula maintained by Homebrew (#3389)
* docs: add `Security Management` section with SonarQube plugin
Update to version 0.36.1:
* fix(deps): fix errors on yarn.lock files that contain local file
reference (#3384)
* feat(flag): early fail when the format is invalid (#3370)
* docs(aws): fix broken links (#3374)
Update to version 0.36.0:
* docs: improve compliance docs (#3340)
* feat(deps): add yarn lock dependency tree (#3348)
* fix: compliance change id and title naming (#3349)
* feat: add support for mix.lock files for elixir language (#3328)
* feat: add k8s cis bench (#3315)
* test: disable SearchLocalStoreByNameOrDigest test for non-amd64 arch
(#3322)
* revert: cache merged layers (#3334)
* feat(cyclonedx): add recommendation (#3336)
* feat(ubuntu): added support ubuntu ESM versions (#1893)
* fix: change logic to build relative paths for skip-dirs and skip-files
(#3331)
* feat: Adding support for Windows testing (#3037)
* feat: add support for Alpine 3.17 (#3319)
* docs: change PodFile.lock to Podfile.lock (#3318)
* fix(sbom): support for the detection of old CycloneDX predicate type
(#3316)
* feat(secret): Use .trivyignore for filtering secret scanning result
(#3312)
* chore(go): remove experimental FS API usage in Wasm (#3299)
* ci: add workflow to add issues to roadmap project (#3292)
* fix(vuln): include duplicate vulnerabilities with different package
paths in the final report (#3275)
* feat(sbom): better support for third-party SBOMs (#3262)
* docs: add information about languages with support for dependency
locations (#3306)
* feat(vm): add `region` option to vm scan to be able to scan any region's
ami and ebs snapshots (#3284)
* fix(vuln): change severity vendor priority for ghsa-ids and vulns from
govuln (#3255)
* docs: remove comparisons (#3289)
* feat: add support for Wolfi Linux (#3215)
* ci: add go.mod to canary workflow (#3288)
* feat(python): skip dev dependencies (#3282)
* chore: update ubuntu version for Github action runnners (#3257)
* fix(go): skip dep without Path for go-binaries (#3254)
* feat(rust): add ID for cargo pgks (#3256)
* feat: add support for swift cocoapods lock files (#2956)
* fix(sbom): use proper constants (#3286)
* test(vm): import relevant analyzers (#3285)
* feat: support scan remote repository (#3131)
* docs: fix typo in fluxcd (#3268)
* docs: fix broken "ecosystem" link in readme (#3280)
* feat(misconf): Add compliance check support (#3130)
* docs: Adding Concourse resource for trivy (#3224)
* chore(deps): change golang from 1.19.2 to 1.19 (#3249)
* fix(sbom): duplicate dependson (#3261)
* chore(go): updates wazero to 1.0.0-pre.4 (#3242)
* feat(report): add dependency locations to sarif format (#3210)
* fix(rpm): add rocky to osVendors (#3241)
* docs: fix a typo (#3236)
* feat(dotnet): add dependency parsing for nuget lock files (#3222)
* docs: add pre-commit hook to community tools (#3203)
* feat(helm): pass arbitrary env vars to trivy (#3208)
Update to version 0.35.0:
* chore(vm): update xfs filesystem parser for change log (#3230)
* feat: add virtual machine scan command (#2910)
* docs: reorganize index and readme (#3026)
* fix: `slowSizeThreshold` should be less than `defaultSizeThreshold`
(#3225)
* feat: Export functions for trivy plugin (#3204)
* feat(image): add support wildcard for platform os (#3196)
* fix: load compliance report from file system (#3161)
* fix(suse): use package name to get advisories (#3199)
* docs(image): space issues during image scan (#3190)
* feat(containerd): scan image by digest (#3075)
* fix(vuln): add package name to title (#3183)
* fix: present control status instead of compliance percentage in
compliance report (#3181)
* perf(license): remove go-enry/go-license-detector. (#3187)
* fix: workdir command as empty layer (#3087)
* docs: reorganize ecosystem section (#3025)
* feat(dotnet): add support dependency location for dotnet-core files
(#3095)
* feat(dotnet): add support dependency location for nuget lock files
(#3032)
* chore: update code owners for misconfigurations (#3176)
* feat: add slow mode (#3084)
* docs: fix typo in enable-builin-rules mentions (#3118)
* feat: Add maintainer field to OS packages (#3149)
* docs: fix some typo (#3171)
* docs: fix links on Built-in Policies page (#3124)
* fix: Perform filepath.Clean first and then filepath.ToSlash for
skipFile/skipDirs settings (#3144)
* chore: use newline for semantic pr (#3172)
* fix(spdx): rename describes field in spdx (#3102)
* chore: handle GOPATH with several paths in make file (#3092)
* docs(flag): add "rego" configuration file options (#3165)
* chore(go): updates wazero to 1.0.0-pre.3 (#3090)
* docs(license): fix typo inside quick start (#3134)
* chore: update codeowners for docs (#3135)
* fix(cli): exclude --compliance flag from non supported sub-commands
(#3158)
* fix: remove --security-checks none from image help (#3156)
* fix: compliance flag description (#3160)
* docs(k8s): fix a typo (#3163)
Update to version 0.34.0:
* feat(vuln): support dependency graph for RHEL/CentOS (#3094)
* feat(vuln): support dependency graph for dpkg and apk (#3093)
* perf(license): enable license classifier only with "--license-full"
(#3086)
* feat(report): add secret scanning to ASFF template (#2860)
* feat: Allow override of containerd namespace (#3060)
* fix(vuln): In alpine use Name as SrcName (#3079)
* fix(secret): Alibaba AccessKey ID (#3083)
Update to version 0.33.0:
* refactor(k8s): custom reports (#3076)
* fix(misconf): Bump in-toto-golang with correct CycloneDX predicate
(#3068)
* feat(image): add support for passing architecture and OS (#3012)
* test: disable containerd integration tests for non-amd64 arch (#3073)
* feat(server): Add support for client/server mode to rootfs command
(#3021)
* feat(vuln): support non-packaged binaries (#3019)
* feat: compliance reports (#2951)
* fix(flag): disable flag parsing for each plugin command (#3074)
* feat(nodejs): add support dependency location for yarn.lock files (#3016)
* chore: Switch github.com/liamg dependencies to github.com/aquasecurity
(#3069)
* feat: add k8s components (#2589)
* fix(secret): update the regex for secrets scanning (#2964)
* fix: bump trivy-kubernetes (#3064)
* docs: fix missing 'image' subcommand (#3051)
* chore: Patch golang x/text vulnerability (#3046)
* chore: add licensed project logo (#3058)
* feat(ubuntu): set Ubuntu 22.10 EOL (#3054)
* refactor(analyzer): use strings.TrimSuffix instead of strings.HasSuffix
(#3028)
* feat(report): Use understandable value for shortDescription in SARIF
reports (#3009)
* docs(misconf): fix typo (#3043)
* feat: add support for scanning azure ARM (#3011)
* feat(report): add location.message to SARIF output (#3002) (#3003)
* feat(nodejs): add dependency line numbers for npm lock files (#2932)
* test(fs): add `--skip-files`, `--skip-dirs` (#2984)
* docs: add Woodpecker CI integrations example (#2823)
* fix(sbom): ref generation if serialNumber is empty when input is
cyclonedx file (#3000)
* fix(java): don't stop parsing jar file when wrong inner jar is found
(#2989)
* fix(sbom): use nuget purl type for dotnet-core (#2990)
* perf: retrieve rekor entries in bulk (#2987)
* feat(aws): Custom rego policies for AWS scanning (#2994)
* docs: jq cli formatting (#2881)
* docs(repo): troubleshooting $TMPDIR customization (#2985)
* chore: run `go fmt` (#2897)
* chore(go): updates wazero to 1.0.0-pre.2 (#2955)
* fix(aws): Less function for slice sorting always returns false #2967
* fix(java): fix unmarshal pom exclusions (#2936)
Update to version 0.32.1:
* fix(java): use fields of dependency from dependencyManagement from upper
pom.xml to parse deps (#2943)
* chore: expat lib and go binary deps vulns (#2940)
* wasm: Removes accidentally exported memory (#2950)
* fix(sbom): fix package name separation for gradle (#2906)
* docs(readme.md): fix broken integrations link (#2931)
* fix(image): handle images with single layer in rescan mergedLayers cache
(#2927)
* fix(cli): split env values with ',' for slice flags (#2926)
* fix(cli): config/helm: also take into account files with `.yml` (#2928)
* fix(flag): add file-patterns flag for config subcommand (#2925)
Update to version 0.32.0:
* docs: add Rekor SBOM attestation scanning (#2893)
* chore: narrow the owner scope (#2894)
* fix: remove a patch number from the recommendation link (#2891)
* fix: enable parsing of UUID-only rekor entry ID (#2887)
* docs(sbom): add SPDX scanning (#2885)
* docs: restructure docs and add tutorials (#2883)
* feat(sbom): scan sbom attestation in the rekor record (#2699)
* feat(k8s): support outdated-api (#2877)
* fix(c): support revisions in Conan parser (#2878)
* feat: dynamic links support for scan results (#2838)
* docs: update archlinux commands (#2876)
* feat(secret): add line from dockerfile where secret was added to secret
result (#2780)
* feat(sbom): Add unmarshal for spdx (#2868)
* fix: revert asff arn and add documentation (#2852)
* docs: batch-import-findings limit (#2851)
* feat(sbom): Add marshal for spdx (#2867)
* build: checkout before setting up Go (#2873)
* docs: azure doc and trivy (#2869)
* fix: Scan tarr'd dependencies (#2857)
* chore(helm): helm test with ingress (#2630)
* feat(report): add secrets to sarif format (#2820)
* refactor: add a new interface for initializing analyzers (#2835)
* fix: update ProductArn with account id (#2782)
* feat(helm): make cache TTL configurable (#2798)
* build(): Sign releaser artifacts, not only container manifests (#2789)
* chore: improve doc about azure devops (#2795)
* docs: don't push patch versions (#2824)
* feat: add support for conan.lock file (#2779)
* feat: cache merged layers
* feat: add support for gradle.lockfile (#2759)
* feat: move file patterns to a global level to be able to use it on any
analyzer (#2539)
* Fix url validaton failures (#2783)
* fix(image): add logic to detect empty layers (#2790)
* feat(rust): add dependency graph from Rust binaries (#2771)
Update to version 0.31.3:
* fix: handle empty OS family (#2768)
* fix: fix k8s summary report (#2777)
* fix: don't skip packages that don't contain vulns, when using
--list-all-pkgs flag (#2767)
* chore: bump trivy-kubernetes (#2770)
* fix(secret): Consider secrets in rpc calls (#2753)
* fix(java): check depManagement from upper pom's (#2747)
* fix(php): skip `composer.lock` inside `vendor` folder (#2718)
* fix: fix k8s rbac filter (#2765)
* feat(misconf): skipping misconfigurations by AVD ID (#2743)
* chore(deps): Upgrade Alpine to 3.16.2 to fix zlib issue (#2741)
* docs: add MacPorts install instructions (#2727)
* docs: typo (#2730)
Update to version 0.31.2:
* fix: Correctly handle recoverable AWS scanning errors (#2726)
* docs: Remove reference to SecurityAudit policy for AWS scanning (#2721)
Update to version 0.31.1:
* fix: upgrade defsec to v0.71.7 for elb scan panic (#2720)
Update to version 0.31.0:
* fix(flag): add error when there are no supported security checks (#2713)
* fix(vuln): continue scanning when no vuln found in the first application
(#2712)
* revert: add new classes for vulnerabilities (#2701)
* feat(secret): detect secrets removed or overwritten in upper layer
(#2611)
* fix(cli): secret scanning perf link fix (#2607)
* chore(deps): bump github.com/spf13/viper from 1.8.1 to 1.12.0 (#2650)
* feat: Add AWS Cloud scanning (#2493)
* docs: specify the type when verifying an attestation (#2697)
* docs(sbom): improve SBOM docs by adding a description for scanning SBOM
attestation (#2690)
* fix(rpc): scanResponse rpc conversion for custom resources (#2692)
* feat(rust): Add support for cargo-auditable (#2675)
* feat: Support passing value overrides for configuration checks (#2679)
* feat(sbom): add support for scanning a sbom attestation (#2652)
* chore(image): skip symlinks and hardlinks from tar scan (#2634)
* fix(report): Update junit.tpl (#2677)
* fix(cyclonedx): add nil check to metadata.component (#2673)
* docs(secret): fix missing and broken links (#2674)
* refactor(cyclonedx): implement json.Unmarshaler (#2662)
* feat(kubernetes): add option to specify kubeconfig file path (#2576)
* docs: follow Debian's "instructions to connect to a third-party
repository" (#2511)
* feat(alma): set AlmaLinux 9 EOL (#2653)
* fix(misconf): Allow quotes in Dockerfile WORKDIR when detecting relative
dirs (#2636)
* test(misconf): add tests for misconf handler for dockerfiles (#2621)
* feat(oracle): set Oracle Linux 9 EOL (#2635)
* BREAKING: add new classes for vulnerabilities (#2541)
* fix(secret): add newline escaping for asymmetric private key (#2532)
* docs: improve formatting (#2572)
* feat(helm): allows users to define an existing secret for tokens (#2587)
* docs(mariner): use tdnf in fs usage example (#2616)
* docs: remove unnecessary double quotation marks (#2609)
* fix: Fix --file-patterns flag (#2625)
* feat(report): add support for Cosign vulnerability attestation (#2567)
* docs(mariner): use v2.0 in examples (#2602)
* feat(report): add secrets template for codequality report (#2461)
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP4:
zypper in -t patch openSUSE-2023-64=1
Package List:
- openSUSE Backports SLE-15-SP4 (aarch64 i586 ppc64le s390x x86_64):
trivy-0.37.3-bp154.2.9.1
References:
https://www.suse.com/security/cve/CVE-2023-25165.html
https://bugzilla.suse.com/1208091
openSUSE-SU-2023:0063-1: important: Security update for opera
by opensuse-security@opensuse.org 02 Mar '23
openSUSE Security Update: Security update for opera
______________________________________________________________________________
Announcement ID: openSUSE-SU-2023:0063-1
Rating: important
References:
Cross-References: CVE-2023-0696 CVE-2023-0697 CVE-2023-0698
CVE-2023-0699 CVE-2023-0700 CVE-2023-0701
CVE-2023-0702 CVE-2023-0703 CVE-2023-0704
CVE-2023-0705
CVSS scores:
CVE-2023-0696 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2023-0697 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CVE-2023-0698 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2023-0699 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2023-0700 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CVE-2023-0701 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2023-0702 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2023-0703 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2023-0704 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CVE-2023-0705 (NVD) : 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products:
openSUSE Leap 15.4:NonFree
______________________________________________________________________________
An update that fixes 10 vulnerabilities is now available.
Description:
This update for opera fixes the following issues:
Update to 96.0.4693.20
* CHR-9191 Update Chromium on desktop-stable-110-4693 to 110.0.5481.78
* CHR-9197 Update Chromium on desktop-stable-110-4693 to 110.0.5481.100
* DNA-105308 Translations for O96
* DNA-105395 Fix missing resources errors on About and Update & Recovery
pages
- Complete Opera 96.0 changelog at:
https://blogs.opera.com/desktop/changelog-for-96/
- The update to Chromium 110.0.5481.78 fixes the following issues:
CVE-2023-0696, CVE-2023-0697, CVE-2023-0698, CVE-2023-0699,
CVE-2023-0700, CVE-2023-0701, CVE-2023-0702, CVE-2023-0703,
CVE-2023-0704, CVE-2023-0705
Update to 95.0.4635.46
* DNA-104601 Crash at
opera::EasyShareButtonControllerTabHelper::StartOnboarding()
* DNA-104936 Set new Baidu search string
* DNA-105084 Prepare to turning on 'Rich entities'
Update to 95.0.4635.37
* DNA-104366 Turn #speed-dial-custom-image on developer
* DNA-104370 Pictures in news don't show
* DNA-104384 [News] Change News to be disabled by default
* DNA-104393 [Continue on] Weird look of item counter in collapsed
Continue shopping after refreshing page
* DNA-104394 [Continue on] Continue shopping show up collapsed
* DNA-104421 Mechanism to detect installed player
* DNA-104439 Merge with GX implementation
* DNA-104492 [Stable A/B Test] React Start Page for Austria 50%
* DNA-104523 [Add to Opera][Folders][Edit] Black font on dark background
in modals when light theme with dark wallpaper is selected
* DNA-104525 [Choose language and country] Modal does not adapt when
wallpaper does not match theme
* DNA-104609 [SD][Folders] Incorrect order of tiles in folder when
merging folder with single tile
* DNA-104612 [News] Invisible button in news category.
* DNA-104614 Do not allow to create folder with the same name to prevent
automerging
* DNA-104898 [Edit tile] Adjust icon size of tile in edit-form-modal
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.4:NonFree:
zypper in -t patch openSUSE-2023-63=1
Package List:
- openSUSE Leap 15.4:NonFree (x86_64):
opera-96.0.4693.20-lp154.2.41.1
References:
https://www.suse.com/security/cve/CVE-2023-0696.html
https://www.suse.com/security/cve/CVE-2023-0697.html
https://www.suse.com/security/cve/CVE-2023-0698.html
https://www.suse.com/security/cve/CVE-2023-0699.html
https://www.suse.com/security/cve/CVE-2023-0700.html
https://www.suse.com/security/cve/CVE-2023-0701.html
https://www.suse.com/security/cve/CVE-2023-0702.html
https://www.suse.com/security/cve/CVE-2023-0703.html
https://www.suse.com/security/cve/CVE-2023-0704.html
https://www.suse.com/security/cve/CVE-2023-0705.html
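The Patch Instructions and Package List sections of both advisories above identify the fix by a full version-release string (trivy-0.37.3-bp154.2.9.1 on openSUSE Backports SLE-15-SP4; opera-96.0.4693.20-lp154.2.41.1 on openSUSE Leap 15.4:NonFree). The script below is an added example, not part of the openSUSE advisories or of either upstream project: it compares an installed version-release string against the fixed one, so a host or fleet check can confirm that the patch actually landed rather than assuming "zypper patch" ran. It assumes POSIX sh with tr and sed, and rpm only for a live query; the version strings used in its checks are constructed sample values, not output captured from a real host.

```shell
#!/bin/sh
# Added example, not part of either openSUSE advisory above. Checks whether
# the installed build of a package is at or above the fixed version-release
# named in an advisory's Package List. Assumes POSIX sh, tr, sed and (for a
# live query only) rpm. Version strings passed explicitly are constructed
# sample values for offline use.

# Fixed builds copied from the Package List sections above.
TRIVY_FIXED="0.37.3-bp154.2.9.1"          # openSUSE-SU-2023:0064-1, Backports SLE-15-SP4
OPERA_FIXED="96.0.4693.20-lp154.2.41.1"   # openSUSE-SU-2023:0063-1, Leap 15.4:NonFree

# vercmp_ge A B -> exit 0 when version-release A >= B, 1 otherwise.
# Both strings are split on '.' and '-' and compared segment by segment on
# the numeric part of each segment ("bp154" -> 154, "lp154" -> 154); a
# missing segment counts as 0, so "1.0" and "1.0.0" compare equal.
vercmp_ge() {
    a=$(printf '%s' "$1" | tr '-' '.')
    b=$(printf '%s' "$2" | tr '-' '.')
    while [ -n "$a" ] || [ -n "$b" ]; do
        sa=${a%%.*}; if [ "$sa" = "$a" ]; then a=""; else a=${a#*.}; fi
        sb=${b%%.*}; if [ "$sb" = "$b" ]; then b=""; else b=${b#*.}; fi
        na=$(printf '%s' "$sa" | sed 's/^[^0-9]*//; s/[^0-9].*$//'); na=${na:-0}
        nb=$(printf '%s' "$sb" | sed 's/^[^0-9]*//; s/[^0-9].*$//'); nb=${nb:-0}
        [ "$na" -gt "$nb" ] && return 0
        [ "$na" -lt "$nb" ] && return 1
    done
    return 0
}

# pkg_patched PKG FIXED [INSTALLED] -> 0 if the installed build is at or
# above FIXED, 1 if it is older, 2 if the package is not installed.
# INSTALLED may be given explicitly (offline check); otherwise rpm is queried
# for the VERSION-RELEASE of the installed package.
pkg_patched() {
    pkg="$1"; fixed="$2"; inst="$3"
    if [ -z "$inst" ]; then
        inst=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$pkg" 2>/dev/null) || return 2
    fi
    if vercmp_ge "$inst" "$fixed"; then
        printf '%s %s: patched (>= %s)\n' "$pkg" "$inst" "$fixed"
        return 0
    fi
    printf '%s %s: NOT patched, fixed build is %s\n' "$pkg" "$inst" "$fixed"
    return 1
}

# Live check of this host; enabled with CHECK_LIVE=1 so that sourcing the
# file for offline tests does not query rpm. Exit status is non-zero when
# either package is behind its fixed build.
if [ "${CHECK_LIVE:-0}" = "1" ]; then
    rc=0
    pkg_patched trivy "$TRIVY_FIXED" || rc=1
    pkg_patched opera "$OPERA_FIXED" || rc=1
    exit "$rc"
fi
```

Run it on the host with `CHECK_LIVE=1 sh check_patched.sh`. The comparison deliberately includes the release part after the hyphen (the bp154/lp154 rebuild counter), because the advisory names the fixed build by its full version-release, not by the upstream version alone; a check that only looks at "0.37.3" or "96.0.4693.20" would not be comparing what the Package List actually states.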