From opensuse-security@opensuse.org Sun Sep 20 04:15:21 2020
From: opensuse-security@opensuse.org
To: security-announce@lists.opensuse.org
Subject: [security-announce] openSUSE-SU-2020:1478-1: important: Security
 update for fossil
Date: Sun, 20 Sep 2020 06:15:21 +0200
Message-ID: <20200920041521.598B0FCFD@maintenance.suse.de>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============7889093549592947830=="

--===============7889093549592947830==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

   openSUSE Security Update: Security update for fossil
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2020:1478-1
Rating:             important
References:         #1047218 #1175760=20
Cross-References:   CVE-2020-24614
Affected Products:
                    openSUSE Leap 15.2
                    openSUSE Leap 15.1
                    openSUSE Backports SLE-15-SP2
                    openSUSE Backports SLE-15-SP1
______________________________________________________________________________

   An update that solves one vulnerability and has one errata
   is now available.

Description:

   This update for fossil fixes the following issues:

   - fossil 2.12.1:
     * CVE-2020-24614: Remote authenticated users with check-in or
       administrative privileges could have executed arbitrary code
       [boo#1175760]
     * Security fix in the "fossil git export" command. New "safety-net"
       features were added to prevent similar problems in the future.
     * Enhancements to the graph display for cases when there are many
       cherry-pick merges into a single check-in. Example
     * Enhance the fossil open command with the new --workdir option and the
       ability to accept a URL as the repository name, causing the remote
       repository to be cloned automatically. Do not allow "fossil open" to
       open in a non-empty working directory unless the --keep option or the
       new --force option is used.
     * Enhance the markdown formatter to more closely follow the CommonMark
       specification with regard to text highlighting. Underscores in the
       middle of identifiers (ex: fossil_printf()) no longer need to be
       escaped.
     * The markdown-to-html translator can prevent unsafe HTML (for example:
       <script>) on user-contributed pages like forum and tickets and wiki.
       The admin can adjust this behavior using the safe-html setting on the
       Admin/Wiki page. The default is to disallow unsafe HTML everywhere.
     * Added the "collapse" and "expand" capability for long forum posts.
     * The "fossil remote" command now has options for specifying multiple
       persistent remotes with symbolic names. Currently
       only one remote can be used at a time, but that might change in the
        future.
     * Add the "Remember me?" checkbox on the login page. Use a session
       cookie for the login if it is not checked.
     * Added the experimental "fossil hook" command for managing "hook
       scripts" that run before checkin or after a push.
     * Enhance the fossil revert command so that it is able to revert all
       files beneath a directory.
     * Add the fossil bisect skip command.
     * Add the fossil backup command.
     * Enhance fossil bisect ui so that it shows all unchecked check-ins in
       between the innermost "good" and "bad" check-ins.
     * Added the --reset flag to the "fossil add", "fossil rm", and "fossil
       addremove" commands.
     * Added the "--min N" and "--logfile FILENAME" flags to the backoffice
       command, as well as other enhancements to make the backoffice command
       a viable replacement for automatic backoffice. Other incremental
       backoffice improvements.
     * Added the /fileedit page, which allows editing of text files
       online. Requires explicit activation by a setup user.
     * Translate built-in help text into HTML for display on web pages.
     * On the /timeline webpage, the combination of query parameters
       "p=3DCHECKIN" and "bt=3DANCESTOR" draws all ancestors of CHECKIN going
       back to ANCESTOR.
     * Update the built-in SQLite so that the "fossil sql" command supports
       new output modes ".mode box" and ".mode json".
     * Add the "obscure()" SQL function to the "fossil sql" command.
     * Added virtual tables "helptext" and "builtin" to the "fossil sql"
       command, providing access to the dispatch table including all help
       text, and the builtin data files, respectively.
     * Delta compression is now applied to forum edits.
     * The wiki editor has been modernized and is now Ajax-based.
   - Package the fossil.1 manual page.

   - fossil 2.11.1:
     * Make the "fossil git export" command more restrictive about characters
       that it allows in the tag names

   - Add fossil-2.11-reproducible.patch to override build date (boo#1047218)


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installa=
tion methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Leap 15.2:

      zypper in -t patch openSUSE-2020-1478=3D1

   - openSUSE Leap 15.1:

      zypper in -t patch openSUSE-2020-1478=3D1

   - openSUSE Backports SLE-15-SP2:

      zypper in -t patch openSUSE-2020-1478=3D1

   - openSUSE Backports SLE-15-SP1:

      zypper in -t patch openSUSE-2020-1478=3D1



Package List:

   - openSUSE Leap 15.2 (x86_64):

      fossil-2.12.1-lp152.2.3.1
      fossil-debuginfo-2.12.1-lp152.2.3.1
      fossil-debugsource-2.12.1-lp152.2.3.1

   - openSUSE Leap 15.1 (x86_64):

      fossil-2.12.1-lp151.3.6.1
      fossil-debuginfo-2.12.1-lp151.3.6.1
      fossil-debugsource-2.12.1-lp151.3.6.1

   - openSUSE Backports SLE-15-SP2 (aarch64 ppc64le s390x x86_64):

      fossil-2.12.1-bp152.2.3.1
      fossil-debuginfo-2.12.1-bp152.2.3.1
      fossil-debugsource-2.12.1-bp152.2.3.1

   - openSUSE Backports SLE-15-SP1 (aarch64 ppc64le s390x x86_64):

      fossil-2.12.1-bp151.4.6.1


References:

   https://www.suse.com/security/cve/CVE-2020-24614.html
   https://bugzilla.suse.com/1047218
   https://bugzilla.suse.com/1175760

--=20
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org
For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.o=
rg

--===============7889093549592947830==--