openSUSE Security

security@lists.opensuse.org

10543 discussions

openSUSE Leap 15.3 has reached end of life
by Marcus Meissner 25 Jan '23

25 Jan '23

Hi all, With the release of the last update (tor) on January 16th, 2023 the SUSE sponsored maintenance of openSUSE Leap 15.3 has ended. openSUSE Leap 15.3 is now officially discontinued and out of support by SUSE. The currently maintained stable release is openSUSE Leap 15.4, which will be maintained until around end of 2023 (same lifetime as SLES 15 SP4 regular support). See https://en.opensuse.org/Lifetime Upgrading is easy. See the links below for instructions: https://doc.opensuse.org/documentation/leap/startup/html/book-opensuse-star… https://en.opensuse.org/SDB:System_upgrade https://en.opensuse.org/SDB:Offline_upgrade openSUSE Leap 15.3 was released end of June 2nd 2020, making it 18 months of security and bugfix support. This was the first release in the new "Closing the Leap Gap" model, where we reuse SUSE Linux Enterprise binaries directly for Leap and no longer rebuild their sources. We faced some issues: - openSUSE Leap 15.3 now imports from 3 different package sources (openSUSE Leap + SLE + openSUSE Backports) instead of just one. The initial product setup did not have all the repositories configured, we fixed that via a openSUSE-release package update. - The initial SLE update export method was not working well (basically all existing RPMs, with concatenated updateinfo) and resulted in lots of version related errors, so we switched to a different method in the first weeks. - The SLE repo contains all 4 architectures, and is growing very big in metadata, causing computers to loads double digit megabytes every day of metadata. This is still an unsolved issue with Leap 15.4. Some statistics on the released patches (compared to Leap 15.2), now also split between repos. Agenda: current number (15.2 number / total diff) Total updates: 2486 (1976 / +510 ) - 330 from Backports (~13%) - 77 from Leap (~3%) - 2079 from SLE (~83%) Updates used from SUSE Linux Enterprise: 2079 (1454 / +625 ) Updates provided by community developers: 407 (522 / -115 ) Security: 1109 (778 / +331) - 161 from Backports (~14%) - 20 from Leap (~1%) - 928 from SLE (~83%) Recommended: 1284 (1172 / +112) - 169 from Backports (~13%) - 57 from Leap (~4%) - 1058 from SLE (~82%) Optional: 47 (23 / +24) - 0 from Backports - 0 from Leap - 47 from SLE Feature: 46 (3 / +43) - 0 from Backports - 0 from Leap - 46 from SLE Retracted updates: 5 (2 / +3) - 0 from Backports - 0 from Leap - 5 from SLE (multipath-tools, cpio, 2x Linux Kernel, libslirp) (excluding 2 x test updates) Fixed CVE-entries: 3234 (2357 / +877) - 857 from Backports (~26%) - 53 from Leap (~ 1%) - 2366 from SLE (~73%) (note that these numbers do not add up exactly as some CVEs are in more than one of the repos) Fixed Bugs (overall): 5672 (5669 / +3) - 384 from Backports (~6%) - 114 from Leap (~2%) - 5174 (~91%) A huge thanks to our awesome packagers, community, and all involved people, who made this possible! Your maintenance- and security-team. -- Marcus Meissner (he/him), Distinguished Engineer / Senior Project Manager Security SUSE Software Solutions Germany GmbH, Frankenstrasse 146, 90461 Nuernberg, Germany GF: Ivo Totev, Andrew Myers, Andrew McDonald, Martje Boudien Moerman, HRB 36809, AG Nuernberg

1 0

Usage of Suse Security Data in VulnerableCode
by Tushar Goel 12 Jan '23

12 Jan '23

Hey, We would like to integrate the suse backport [1][2] and suse scoring [3][4] data in vulnerablecode [5] which is a FOSS db of FOSS vulnerability data. We were not able to know under which license this security data comes. We would be grateful to have your acknowledgement over usage of the suse security data in vulnerablecode and have some kind of licensing declaration from your side. [1] - http://ftp.suse.com/pub/projects/security/yaml/ [2] - https://github.com/nexB/vulnerablecode/pull/1053 [3] - https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml [4] - https://github.com/nexB/vulnerablecode/pull/1050 [5] - https://github.com/nexB/vulnerablecode Regards,

3 4

openssh 8.9p1 not building for Leap 15.3 or 15.4
by Bill Merriam 03 Sep '22

03 Sep '22

The most recent version for Leap seems to be 8.4p1. Does the newer version contain security fixes that we need to install? The problem with building seems related to the move to /usr/etc. If we need the security fixes can we could around the move to /usr/etc? Bill

2 1

Re: Chrome and derivatives update -- CVE-2022-1096
by Marcus Meissner 28 Mar '22

28 Mar '22

On Mon, Mar 28, 2022 at 04:52:45PM +0200, Ben Greiner wrote: > Hi, > > Two days ago, google released a critical security fix for a vulnerability > presumably already exploited in the wild. > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1096 > https://www.forbes.com/sites/daveywinder/2022/03/26/google-confirms-emergen… > https://www.heise.de/news/Webbrowser-Notfallupdate-fuer-Google-Chrome-66384… > (German) > > Packages e.g. for chromium have been fixed in Factory and SLE Backports, but > the current snapshot of Tumbleweed still does not have it. > > https://bugzilla.opensuse.org/show_bug.cgi?id=1197552 > > Shouldn't there be some fasttrack through OpenQA in order to prevent such > delays? I also submitted it to openSUSE:Factory:Update now, which is our bypass project. Ciao, Marcus

1 0

Security Update for Polkit - openSUSE 15.2
by Jan-Reupke＠web.de 16 Mar '22

16 Mar '22

Hi, will there be a Security Update for polkit (pkexec) CVE-2021-4034 for openSUSE 15.2? Latest Version i found on software.opensuse.org is polkit-0.116-lp152.2.3.1x86_64.rpm. Is the fix already included? thanks and best regards Jan Reupke

2 1

CVE-2022-25636 - privilege escalation through netfilter bug
by Mathias Homann 16 Mar '22

16 Mar '22

Hi, just came across CVE-2022-25636 in this article: https://www.zdnet.com/ article/nasty-linux-netfilter-firewall-security-hole-found/ Is there an update for Leap 15.3 and SLES in the works? Tumbleweed should be ok since the bug is "only" in kernels up to 5.6.10 and TW currently runs on 5.16.14. Cheers MH -- Mathias Homann Mathias.Homann(a)openSUSE.org Jabber (XMPP): lemmy(a)tuxonline.tech Matrix: @mathias:eregion.de IRC: [Lemmy] on freenode and ircnet (bouncer active) keybase: https://keybase.io/lemmy gpg key fingerprint: 8029 2240 F4DD 7776 E7D2 C042 6B8E 029E 13F2 C102

2 2

CVE-2022-0847
by Frank Steiner 08 Mar '22

08 Mar '22

Hi, given that (according to https://dirtypipe.cm4all.com/) distributors were informed about the CVE-2022-0847 patch on Feb 28th, shouldn't that have been enough time to release kernel patches *before* public disclosure? Isn't that why distributors get informed in advance? https://www.suse.com/de-de/security/cve/CVE-2022-0847.html states all active SLE products (expect the beta in 15 SP4 etc.) as "in progress". Considering the severity of this bug, it is not very impressive to have no kernel updates a week after getting notified about the bug and the patch :-( Maybe you can consider opening sth. like an "early updates" channel for SLE where you publish patched packages when they start their QA process (which I guess it what delays the releases), so that people can decide to work with untested but patched packages for severe bugs until they are officially released after QA? We are e.g. installing FF and TB packages from the mozilla repo when they are published and work with them for a few days until they are released in SLE, too. Being able to do so with all SLE packages for important patches would be a nice option. cu, Frank -- Dipl.-Inform. Frank Steiner Web: http://www.bio.ifi.lmu.de/~steiner/ Lehrstuhl f. Bioinformatik Mail: http://www.bio.ifi.lmu.de/~steiner/m/ LMU, Amalienstr. 17 Phone: +49 89 2180-4049 80333 Muenchen, Germany Fax: +49 89 2180-99-4049 * Rekursion kann man erst verstehen, wenn man Rekursion verstanden hat. *

2 1

Re: Your confirmation is needed to join the security@lists.opensuse.org mailing list.
by Marcus Meissner 04 Mar '22

04 Mar '22

Hi Andreas, I am not seeing you subscribed to either security(a)lists.opensuse.org or security-announce(a)lists.opensuse.org at this time. The below email is a request for a confirmation to subscribe, but you are not subscribed at this time. Ciao, Marcus On Fri, Mar 04, 2022 at 08:38:30AM +0000, Winkler, Andreas wrote: > Hello, > > I urgently need to be removed from ALL MAILING LISTS at opensuse.org - there is no way to do this from those countless emails I receive, no link to unsubscribe in your emails !! This is unacceptable. > > Please remove me from ALL MAILING LISTS immediately, especially from opensuse-security(a)opensuse.org with this email address (andreas.winkler(a)hpe.com) ! > > Thank you > > Andreas Winkler > > > -----Original Message----- > From: security-confirm+e7e7e9f4d01e1ebb4ade3e1514875b214b5987d6(a)lists.opensuse.org [mailto:security-confirm+e7e7e9f4d01e1ebb4ade3e1514875b214b5987d6@lists.opensuse.org] > Sent: Freitag, 4. März 2022 09:31 > To: Winkler, Andreas <andreas.winkler(a)hpe.com> > Subject: Your confirmation is needed to join the security(a)lists.opensuse.org mailing list. > > Email Address Registration Confirmation > > Hello, this is the GNU Mailman server at lists.opensuse.org. > > We have received a registration request for the email address > > andreas.winkler(a)hpe.com > > Before you can start using GNU Mailman at this site, you must first confirm that this is your email address. You can do this by replying to this message. > > Or you should include the following line -- and only the following line -- in a message to security-request(a)lists.opensuse.org: > > confirm e7e7e9f4d01e1ebb4ade3e1514875b214b5987d6 > > Note that simply sending a `reply' to this message should work from most mail readers. > > If you do not wish to register this email address, simply disregard this message. If you think you are being maliciously subscribed to the list, or have any other questions, you may contact > > security-owner(a)lists.opensuse.org

3 2

Re: openSUSE-SU-2022:0058-1: important: Security update for MozillaThunderbird
by Carlos E. R. 03 Mar '22

03 Mar '22

On 2022-03-01 21:23, opensuse-security(a)opensuse.org wrote: > openSUSE Security Update: Security update for MozillaThunderbird > ______________________________________________________________________________ > > Announcement ID: openSUSE-SU-2022:0058-1 > Rating: important > References: #1144018 #1181400 #1194020 #1194215 #1194681 > > Cross-References: CVE-2020-15803 CVE-2021-27927 CVE-2021-4126 > CVE-2021-44538 CVE-2022-23134 > CVSS scores: > CVE-2020-15803 (NVD) : 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N > CVE-2020-15803 (SUSE): 6.3 CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:H/A:N > CVE-2021-4126 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N > CVE-2021-44538 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H > CVE-2022-23134 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N > CVE-2022-23134 (SUSE): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N > > Affected Products: > openSUSE Backports SLE-15-SP3 > openSUSE Leap 15.3 > ______________________________________________________________________________ > > An update that fixes 5 vulnerabilities is now available. > > Description: > > This update for MozillaThunderbird fixes the following issues: > > - Mozilla Thunderbird 91.4.1 I don't understand. Leap 15.3 is using 91.6.1 already. Delayed mail perhaps? -- Cheers / Saludos, Carlos E. R. (from 15.3 x86_64 at Telcontar)

1 0

Re: openSUSE Leap 15.1 has reached End of Life
by Joel Miller 10 Feb '21

10 Feb '21

Mr. Meissner - Thank you for your email on the upgrade. When I upgraded in place (not a fresh install) to openSuSE 15.1 as the native OS (from 15.0), I ran into problems with a virtualbox installation, ultimately losing the entire system and doing a complete reinstall. Upgrades in place on two other machines without virtualbox went smoothly - no issues. The problem may have been due to the presence of virtualbox or my use of the btrfs file system, but perhaps some other cause - an error on my part. Based on a post on the virtualbox forum, I learned that one fellow successfully performed the upgrade and I've inquired about the details. I did not find anything else relevant on either the openSuSE forums or after a search of the web. Are you aware of any issues I should consider? Any advice you might have would be greatly appreciated. Joel 973 736 8306 On Wed, Feb 3, 2021 at 3:27 AM Marcus Meissner <meissner(a)suse.de> wrote: > > Hi all, > > With the release of the last updates on Feb 2nd, 2021 the SUSE > sponsored maintenance of openSUSE Leap 15.1 has ended. > > openSUSE Leap 15.1 is now officially discontinued and out of support > by SUSE. > > The currently maintained stable release is openSUSE Leap 15.2, which will > be maintained until around Nov 2021. See https://en.opensuse.org/Lifetime > > Upgrading is easy. See the links below for instructions: > > > https://doc.opensuse.org/documentation/leap/startup/html/book-opensuse-star… > https://en.opensuse.org/SDB:System_upgrade > https://en.opensuse.org/SDB:Offline_upgrade > > openSUSE Leap 15.1 was released end of May 2019, making it 20 months of > security and bugfix support. > > It was the fifth hybrid distribution which used sources from SUSE Linux > Enterprise and from our community developers to bridge a gap between > matured packages and newer packages found in openSUSE Tumbleweed. > > Some statistics on the released patches (compared to Leap 15.0). > > Agenda: current number (15.0 number / total diff) > > Total updates: 1987 (1662 / +325 ) > Updates imported from SUSE Linux Enterprise: 1456 (1119 / +337 ) > Updates provided by community developers: 531 (543 / -12 ) > Security: 819 (700 / +119) > Recommended: 1150 (937 / +213) > Optional: 17 (25 / -8) > Feature: 1 (0 / +1) > > Fixed CVE-entries: 2866 (2218 / +648) > Fixed Bugs (overall): 5704 (5458 / +246) > > A huge thanks to our awesome packagers, community, and all involved > people, who made this possible! > > Your maintenance- and security-team. >

2 1

Jump to page:

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

1997

1996

openSUSE Security