- openSUSE Security

Re: SUSE-SU-2024:2980-1: important: Security update for kernel-firmware
by Kevin Ivory 29 Aug '24

29 Aug '24

Hallo, Security-Mails kommen hier häufig mit mehreren Tagen Verzögerung an. Hier ein aktuelles Beispiel mit 7 Tagen Verzögerung. Eine Beipielmail mit allen Headern im Anhang. Darin erkennt man, dass die Verzögerung auf einer localhost-Weiterleitung auf dem Host mailman3.infra.opensuse.org passiert. Weiterhin sind in den Headern gleich 4 DKIM-Signaturen, von denen alle beim Empfang im Internet fehlschlagen. Am 20.08.24 um 14:30 schrieb OPENSUSE-SECURITY-UPDATES: > Security update for kernel-firmware > > Announcement ID: SUSE-SU-2024:2980-1 > Rating: important Beste Grüße Kevin Ivory -- SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen phone: 0551-370000-0, mailto:kontakt@sernet.de Gesch.F.: Dr. Johannes Loxen und Reinhild Jung AG Göttingen: HR-B 2816 - http://www.sernet.de Datenschutz: https://www.sernet.de/datenschutz

4 5

Security update for gstreamer-plugins-bad - openSUSE Leap 15.5 - zypper in -t patch SUSE-2024-89=1
by Carsten Ziepke 12 Jul '24

12 Jul '24

Hello, I just stumbled about this thread at forums.opensuse.org: https://forums.opensuse.org/t/opensuse-leap-15-5-how-to-update-latest-secur… I checked my several openSUSE Leap 15.5 systems, but nowhere is the patch SUSE-2024-89=1 installed. https://www.suse.com/support/update/announcement/2024/suse-su-20240089-1/ openSUSE Leap 15.5 - zypper in -t patch SUSE-2024-89=1 Did I miss something? Thank you for taking your time. Carsten -- So in the future, one 'client' at a time or you'll be spending CPU time with lots of little 'child processes'. -- Kevin M. Bealer, commenting on the private life of a Linux nerd

3 4

CVE-2024-6387
by Frank Steiner 01 Jul '24

01 Jul '24

Hi, can you give a statement on this CVE? It's not yet listed at https://www.suse.com/de-de/security/cve/ Thanks! cu, Frank -- Dipl.-Inform. Frank Steiner Web: http://www.bio.ifi.lmu.de/~steiner/ Lehrstuhl f. Bioinformatik Mail: http://www.bio.ifi.lmu.de/~steiner/m/ LMU, Amalienstr. 17 Phone: +49 89 2180-4049 80333 Muenchen, Germany Fax: +49 89 2180-99-4049 * Rekursion kann man erst verstehen, wenn man Rekursion verstanden hat. *

2 2

goroshina
by jvegas883＠gmail.com 01 Jul '24

01 Jul '24

Hello all Hello all Hello all Hello all Hello all

1 0

Chromium Updates?
by Frank Steiner 14 Jan '24

14 Jan '24

Hi, usually the chromium updates are done quite fast via https://build.opensuse.org/package/show/network%3Achromium/chromium However, it's now 10 days that 119 was released, and another update appeared few days ago, both fixing some "high" security risks, but there is still only the old 118.0.5993.117 in all chromium obs channel. Is any reason known for this delay? Thanks a lot! cu, Frank -- Dipl.-Inform. Frank Steiner Web: http://www.bio.ifi.lmu.de/~steiner/ Lehrstuhl f. Bioinformatik Mail: http://www.bio.ifi.lmu.de/~steiner/m/ LMU, Amalienstr. 17 Phone: +49 89 2180-4049 80333 Muenchen, Germany Fax: +49 89 2180-99-4049 * Rekursion kann man erst verstehen, wenn man Rekursion verstanden hat. *

4 3

Re: unsubscribe AW: SUSE-SU-2023:3815-1: important: Security update for cni
by Marcus Meissner 28 Sep '23

28 Sep '23

Hi, I only see danny(a)dtnet.de subscribed, and i unsubscribed that address. Ciao, Marcus On Thu, Sep 28, 2023 at 09:30:42AM +0000, Daniel Schwager wrote: > unsubscribe > > Von: security(a)lists.opensuse.org <security(a)lists.opensuse.org> > Gesendet: Mittwoch, 27. September 2023 22:32 > An: security-announce(a)lists.opensuse.org > Betreff: SUSE-SU-2023:3815-1: important: Security update for cni > > Security update for cni > Announcement ID: > > SUSE-SU-2023:3815-1 > > Rating: > > important > > References: > > > * #1212475<https://bugzilla.suse.com/show_bug.cgi?id=1212475> > > Affected Products: > > > * Containers Module 15-SP4 > * openSUSE Leap 15.4 > * Public Cloud Module 15-SP2 > * Public Cloud Module 15-SP1 > * SUSE CaaS Platform 4.0 > * SUSE Enterprise Storage 7.1 > * SUSE Linux Enterprise High Performance Computing 15 SP1 > * SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 > * SUSE Linux Enterprise High Performance Computing 15 SP2 > * SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 > * SUSE Linux Enterprise High Performance Computing 15 SP3 > * SUSE Linux Enterprise High Performance Computing 15 SP4 > * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 > * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 > * SUSE Linux Enterprise Micro 5.1 > * SUSE Linux Enterprise Micro 5.2 > * SUSE Linux Enterprise Micro 5.3 > * SUSE Linux Enterprise Micro 5.4 > * SUSE Linux Enterprise Micro for Rancher 5.2 > * SUSE Linux Enterprise Micro for Rancher 5.3 > * SUSE Linux Enterprise Micro for Rancher 5.4 > * SUSE Linux Enterprise Real Time 15 SP4 > * SUSE Linux Enterprise Server 15 SP1 > * SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 > * SUSE Linux Enterprise Server 15 SP2 > * SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 > * SUSE Linux Enterprise Server 15 SP3 > * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 > * SUSE Linux Enterprise Server 15 SP4 > * SUSE Linux Enterprise Server for SAP Applications 15 SP1 > * SUSE Linux Enterprise Server for SAP Applications 15 SP2 > * SUSE Linux Enterprise Server for SAP Applications 15 SP3 > * SUSE Linux Enterprise Server for SAP Applications 15 SP4 > * SUSE Manager Proxy 4.0 > * SUSE Manager Proxy 4.1 > * SUSE Manager Proxy 4.3 > * SUSE Manager Retail Branch Server 4.0 > * SUSE Manager Retail Branch Server 4.1 > * SUSE Manager Retail Branch Server 4.3 > * SUSE Manager Server 4.0 > * SUSE Manager Server 4.1 > * SUSE Manager Server 4.3 > > > An update that has one security fix can now be installed. > > Description: > > This update of cni fixes the following issues: > > * rebuild the package with the go 1.21 security release (bsc#1212475). > > Patch Instructions: > > To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". > Alternatively you can run the command listed for your product: > > * openSUSE Leap 15.4 > zypper in -t patch openSUSE-SLE-15.4-2023-3815=1 > * SUSE Linux Enterprise Micro for Rancher 5.3 > zypper in -t patch SUSE-SLE-Micro-5.3-2023-3815=1 > * SUSE Linux Enterprise Micro 5.3 > zypper in -t patch SUSE-SLE-Micro-5.3-2023-3815=1 > * SUSE Linux Enterprise Micro for Rancher 5.4 > zypper in -t patch SUSE-SLE-Micro-5.4-2023-3815=1 > * SUSE Linux Enterprise Micro 5.4 > zypper in -t patch SUSE-SLE-Micro-5.4-2023-3815=1 > * Containers Module 15-SP4 > zypper in -t patch SUSE-SLE-Module-Containers-15-SP4-2023-3815=1 > * Public Cloud Module 15-SP1 > zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP1-2023-3815=1 > * Public Cloud Module 15-SP2 > zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP2-2023-3815=1 > * SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 > zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2023-3815=1 > * SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 > zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2023-3815=1 > * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 > zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-ESPOS-2023-3815=1 > * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 > zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-LTSS-2023-3815=1 > * SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 > zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2023-3815=1 > * SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 > zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2023-3815=1 > * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 > zypper in -t patch SUSE-SLE-Product-SLES-15-SP3-LTSS-2023-3815=1 > * SUSE Linux Enterprise Server for SAP Applications 15 SP1 > zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2023-3815=1 > * SUSE Linux Enterprise Server for SAP Applications 15 SP2 > zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2023-3815=1 > * SUSE Linux Enterprise Server for SAP Applications 15 SP3 > zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP3-2023-3815=1 > * SUSE Enterprise Storage 7.1 > zypper in -t patch SUSE-Storage-7.1-2023-3815=1 > * SUSE CaaS Platform 4.0 > To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. > * SUSE Linux Enterprise Micro 5.1 > zypper in -t patch SUSE-SUSE-MicroOS-5.1-2023-3815=1 > * SUSE Linux Enterprise Micro 5.2 > zypper in -t patch SUSE-SUSE-MicroOS-5.2-2023-3815=1 > * SUSE Linux Enterprise Micro for Rancher 5.2 > zypper in -t patch SUSE-SUSE-MicroOS-5.2-2023-3815=1 > > Package List: > > * openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64) > > * cni-0.7.1-150100.3.14.1 > > * SUSE Linux Enterprise Micro for Rancher 5.3 (aarch64 s390x x86_64) > > * cni-0.7.1-150100.3.14.1 > > * SUSE Linux Enterprise Micro 5.3 (aarch64 s390x x86_64) > > * cni-0.7.1-150100.3.14.1 > > * SUSE Linux Enterprise Micro for Rancher 5.4 (aarch64 s390x x86_64) > > * cni-0.7.1-150100.3.14.1 > > * SUSE Linux Enterprise Micro 5.4 (aarch64 s390x x86_64) > > * cni-0.7.1-150100.3.14.1 > > * Containers Module 15-SP4 (aarch64 ppc64le s390x x86_64) > > * cni-0.7.1-150100.3.14.1 > > * Public Cloud Module 15-SP1 (aarch64 ppc64le s390x x86_64) > > * cni-0.7.1-150100.3.14.1 > > * Public Cloud Module 15-SP2 (aarch64 ppc64le s390x x86_64) > > * cni-0.7.1-150100.3.14.1 > > * SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (aarch64 x86_64) > > * cni-0.7.1-150100.3.14.1 > > * SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (aarch64 x86_64) > > * cni-0.7.1-150100.3.14.1 > > * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (aarch64 x86_64) > > * cni-0.7.1-150100.3.14.1 > > * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (aarch64 x86_64) > > * cni-0.7.1-150100.3.14.1 > > * SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (aarch64 ppc64le s390x x86_64) > > * cni-0.7.1-150100.3.14.1 > > * SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (aarch64 ppc64le s390x x86_64) > > * cni-0.7.1-150100.3.14.1 > > * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (aarch64 ppc64le s390x x86_64) > > * cni-0.7.1-150100.3.14.1 > > * SUSE Linux Enterprise Server for SAP Applications 15 SP1 (ppc64le x86_64) > > * cni-0.7.1-150100.3.14.1 > > * SUSE Linux Enterprise Server for SAP Applications 15 SP2 (ppc64le x86_64) > > * cni-0.7.1-150100.3.14.1 > > * SUSE Linux Enterprise Server for SAP Applications 15 SP3 (ppc64le x86_64) > > * cni-0.7.1-150100.3.14.1 > > * SUSE Enterprise Storage 7.1 (aarch64 x86_64) > > * cni-0.7.1-150100.3.14.1 > > * SUSE CaaS Platform 4.0 (x86_64) > > * cni-0.7.1-150100.3.14.1 > > * SUSE Linux Enterprise Micro 5.1 (aarch64 s390x x86_64) > > * cni-0.7.1-150100.3.14.1 > > * SUSE Linux Enterprise Micro 5.2 (aarch64 s390x x86_64) > > * cni-0.7.1-150100.3.14.1 > > * SUSE Linux Enterprise Micro for Rancher 5.2 (aarch64 s390x x86_64) > > * cni-0.7.1-150100.3.14.1 > > References: > > * https://bugzilla.suse.com/show_bug.cgi?id=1212475 -- Marcus Meissner (he/him), Distinguished Engineer / Senior Project Manager Security SUSE Software Solutions Germany GmbH, Frankenstrasse 146, 90461 Nuernberg, Germany GF: Ivo Totev, Andrew McDonald, Werner Knoblich, HRB 36809, AG Nuernberg

1 0

Re: SUSE-SU-2023:2263-2: important: Security update for python-Flask
by Marcus Meissner 21 Jul '23

21 Jul '23

Hi, I unsubscribed you from the list On Thu, Jul 20, 2023 at 07:26:21PM +0200, a.scheepens wrote: > Go away. Stop spamming me!!!Verzonden vanaf mijn Galaxy > -------- Oorspronkelijk bericht --------Van: security(a)lists.opensuse.org Datum: 20-07-2023 17:36 (GMT+01:00) Aan: security-announce(a)lists.opensuse.org Onderwerp: SUSE-SU-2023:2263-2: important: Security update for python-Flask > > > > > Security update for python-Flask > > > > > Announcement ID: > SUSE-SU-2023:2263-2 > > > > Rating: > important > > > References: > > > > > #1211246 > > > > > > > > > Cross-References: > > > > > > CVE-2023-30861 > > > > > > > CVSS scores: > > > > > CVE-2023-30861 > > ( > > SUSE > > ): > > 7.5 > CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N > > > > CVE-2023-30861 > > ( > > NVD > > ): > > 7.5 > CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N > > > > > > > > Affected Products: > > > > openSUSE Leap 15.5 > > > > > > > > An update that solves one vulnerability can now be installed. > > Description: > This update for python-Flask fixes the following issues: > > CVE-2023-30861: Fixed a potential cookie confusion due to incorrect > caching (bsc#1211246). > > > > > Patch Instructions: > > To install this SUSE Important update use the SUSE recommended > installation methods like YaST online_update or "zypper patch". > > Alternatively you can run the command listed for your product: > > > > > openSUSE Leap 15.5 > > > > zypper in -t patch openSUSE-SLE-15.5-2023-2263=1 > > > > > > > > Package List: > > > > > openSUSE Leap 15.5 (noarch) > > > python3-Flask-1.0.4-150400.3.3.1 > > python3-Flask-doc-1.0.4-150400.3.3.1 > > > > > > > > > References: > > > > > https://www.suse.com/security/cve/CVE-2023-30861.html > > > > > > https://bugzilla.suse.com/show_bug.cgi?id=1211246 > > > > > > -- Marcus Meissner (he/him), Distinguished Engineer / Senior Project Manager Security SUSE Software Solutions Germany GmbH, Frankenstrasse 146, 90461 Nuernberg, Germany GF: Ivo Totev, Andrew Myers, Andrew McDonald, Martje Boudien Moerman, HRB 36809, AG Nuernberg

1 0

openSUSE Leap 15.3 has reached end of life
by Marcus Meissner 25 Jan '23

25 Jan '23

Hi all, With the release of the last update (tor) on January 16th, 2023 the SUSE sponsored maintenance of openSUSE Leap 15.3 has ended. openSUSE Leap 15.3 is now officially discontinued and out of support by SUSE. The currently maintained stable release is openSUSE Leap 15.4, which will be maintained until around end of 2023 (same lifetime as SLES 15 SP4 regular support). See https://en.opensuse.org/Lifetime Upgrading is easy. See the links below for instructions: https://doc.opensuse.org/documentation/leap/startup/html/book-opensuse-star… https://en.opensuse.org/SDB:System_upgrade https://en.opensuse.org/SDB:Offline_upgrade openSUSE Leap 15.3 was released end of June 2nd 2020, making it 18 months of security and bugfix support. This was the first release in the new "Closing the Leap Gap" model, where we reuse SUSE Linux Enterprise binaries directly for Leap and no longer rebuild their sources. We faced some issues: - openSUSE Leap 15.3 now imports from 3 different package sources (openSUSE Leap + SLE + openSUSE Backports) instead of just one. The initial product setup did not have all the repositories configured, we fixed that via a openSUSE-release package update. - The initial SLE update export method was not working well (basically all existing RPMs, with concatenated updateinfo) and resulted in lots of version related errors, so we switched to a different method in the first weeks. - The SLE repo contains all 4 architectures, and is growing very big in metadata, causing computers to loads double digit megabytes every day of metadata. This is still an unsolved issue with Leap 15.4. Some statistics on the released patches (compared to Leap 15.2), now also split between repos. Agenda: current number (15.2 number / total diff) Total updates: 2486 (1976 / +510 ) - 330 from Backports (~13%) - 77 from Leap (~3%) - 2079 from SLE (~83%) Updates used from SUSE Linux Enterprise: 2079 (1454 / +625 ) Updates provided by community developers: 407 (522 / -115 ) Security: 1109 (778 / +331) - 161 from Backports (~14%) - 20 from Leap (~1%) - 928 from SLE (~83%) Recommended: 1284 (1172 / +112) - 169 from Backports (~13%) - 57 from Leap (~4%) - 1058 from SLE (~82%) Optional: 47 (23 / +24) - 0 from Backports - 0 from Leap - 47 from SLE Feature: 46 (3 / +43) - 0 from Backports - 0 from Leap - 46 from SLE Retracted updates: 5 (2 / +3) - 0 from Backports - 0 from Leap - 5 from SLE (multipath-tools, cpio, 2x Linux Kernel, libslirp) (excluding 2 x test updates) Fixed CVE-entries: 3234 (2357 / +877) - 857 from Backports (~26%) - 53 from Leap (~ 1%) - 2366 from SLE (~73%) (note that these numbers do not add up exactly as some CVEs are in more than one of the repos) Fixed Bugs (overall): 5672 (5669 / +3) - 384 from Backports (~6%) - 114 from Leap (~2%) - 5174 (~91%) A huge thanks to our awesome packagers, community, and all involved people, who made this possible! Your maintenance- and security-team. -- Marcus Meissner (he/him), Distinguished Engineer / Senior Project Manager Security SUSE Software Solutions Germany GmbH, Frankenstrasse 146, 90461 Nuernberg, Germany GF: Ivo Totev, Andrew Myers, Andrew McDonald, Martje Boudien Moerman, HRB 36809, AG Nuernberg

1 0

Usage of Suse Security Data in VulnerableCode
by Tushar Goel 12 Jan '23

12 Jan '23

Hey, We would like to integrate the suse backport [1][2] and suse scoring [3][4] data in vulnerablecode [5] which is a FOSS db of FOSS vulnerability data. We were not able to know under which license this security data comes. We would be grateful to have your acknowledgement over usage of the suse security data in vulnerablecode and have some kind of licensing declaration from your side. [1] - http://ftp.suse.com/pub/projects/security/yaml/ [2] - https://github.com/nexB/vulnerablecode/pull/1053 [3] - https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml [4] - https://github.com/nexB/vulnerablecode/pull/1050 [5] - https://github.com/nexB/vulnerablecode Regards,

3 4

openssh 8.9p1 not building for Leap 15.3 or 15.4
by Bill Merriam 03 Sep '22

03 Sep '22

The most recent version for Leap seems to be 8.4p1. Does the newer version contain security fixes that we need to install? The problem with building seems related to the move to /usr/etc. If we need the security fixes can we could around the move to /usr/etc? Bill

2 1