openSUSE-SU-2022:10101-1: important: Security update for nim

27 Aug 2022

      openSUSE Security Update: Security update for nim
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2022:10101-1
Rating:             important
References:         #1175332 #1175333 #1175334 #1181705 #1185083 
                    #1185084 #1185085 #1185948 #1192712 
Cross-References:   CVE-2020-15690 CVE-2020-15692 CVE-2020-15693
                    CVE-2020-15694 CVE-2021-21372 CVE-2021-21373
                    CVE-2021-21374 CVE-2021-29495 CVE-2021-41259

CVSS scores:
                    CVE-2020-15690 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2020-15692 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2020-15693 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
                    CVE-2020-15694 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
                    CVE-2021-21372 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
                    CVE-2021-21373 (NVD) : 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
                    CVE-2021-21374 (NVD) : 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-29495 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
                    CVE-2021-41259 (NVD) : 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Affected Products:
                    openSUSE Backports SLE-15-SP4
______________________________________________________________________________

   An update that fixes 9 vulnerabilities is now available.

Description:

   This update for nim fixes the following issues:

   Includes upstream security fixes for:

   * (boo#1175333, CVE-2020-15693) httpClient is vulnerable to a CR-LF
     injection
   * (boo#1175334, CVE-2020-15692) mishandle of argument to
     browsers.openDefaultBrowser
   * (boo#1175332, CVE-2020-15694) httpClient.get().contentLength() fails to
     properly validate the server response
   * (boo#1192712, CVE-2021-41259) null byte accepted in getContent function,
     leading to URI validation bypass
   * (boo#1185948, CVE-2021-29495) stdlib httpClient does not validate peer
     certificates by default
   * (boo#1185085, CVE-2021-21374) Improper verification of the SSL/TLS
     certificate
   * (boo#1185084, CVE-2021-21373) "nimble refresh" falls back to a non-TLS
     URL in case of error
   * (boo#1185083, CVE-2021-21372) doCmd can be leveraged to execute
     arbitrary commands
   * (boo#1181705, CVE-2020-15690) Standard library asyncftpclient lacks a
     check for newline character

   Update to 1.6.6

   * standard library use consistent styles for variable names so it can be
     used in projects which force a consistent style with
     --styleCheck:usages option.
   * ARC/ORC are now considerably faster at method dispatching, bringing its
     performance back on the level of the refc memory management.
   * Full changelog:
     https://nim-lang.org/blog/2022/05/05/version-166-released.html
   - Previous updates and changelogs:
   * 1.6.4: https://nim-lang.org/blog/2022/02/08/version-164-released.html
   * 1.6.2: https://nim-lang.org/blog/2021/12/17/version-162-released.html
   * 1.6.0: https://nim-lang.org/blog/2021/10/19/version-160-released.html
   * 1.4.8: https://nim-lang.org/blog/2021/05/25/version-148-released.html
   * 1.4.6:
     https://nim-lang.org/blog/2021/04/15/versions-146-and-1212-released.html
   * 1.4.4:
     https://nim-lang.org/blog/2021/02/23/versions-144-and-1210-released.html
   * 1.4.2: https://nim-lang.org/blog/2020/12/01/version-142-released.html
   * 1.4.0: https://nim-lang.org/blog/2020/10/16/version-140-released.html

   update to 1.2.16

   * oids: switch from PRNG to random module
   * nimc.rst: fix table markup
   * nimRawSetjmp: support Windows
   * correctly enable chronos
   * bigints are not supposed to work on 1.2.x
   * disable nimpy
   * misc bugfixes
   * fixes a 'mixin' statement handling regression [backport:1.2

Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP4:

      zypper in -t patch openSUSE-2022-10101=1

Package List:

   - openSUSE Backports SLE-15-SP4 (aarch64 ppc64le x86_64):

      nim-1.6.6-bp154.2.3.1

References:

   https://www.suse.com/security/cve/CVE-2020-15690.html
   https://www.suse.com/security/cve/CVE-2020-15692.html
   https://www.suse.com/security/cve/CVE-2020-15693.html
   https://www.suse.com/security/cve/CVE-2020-15694.html
   https://www.suse.com/security/cve/CVE-2021-21372.html
   https://www.suse.com/security/cve/CVE-2021-21373.html
   https://www.suse.com/security/cve/CVE-2021-21374.html
   https://www.suse.com/security/cve/CVE-2021-29495.html
   https://www.suse.com/security/cve/CVE-2021-41259.html
   https://bugzilla.suse.com/1175332
   https://bugzilla.suse.com/1175333
   https://bugzilla.suse.com/1175334
   https://bugzilla.suse.com/1181705
   https://bugzilla.suse.com/1185083
   https://bugzilla.suse.com/1185084
   https://bugzilla.suse.com/1185085
   https://bugzilla.suse.com/1185948
   https://bugzilla.suse.com/1192712

openSUSE-SU-2022:10101-1: important: Security update for nim

opensuse-security＠opensuse.org