SUSE-SU-2022:4351-1: important: Security update for osc
sle-security-updates at lists.suse.com
sle-security-updates at lists.suse.com
Wed Dec 7 20:21:20 UTC 2022
SUSE Security Update: Security update for osc
______________________________________________________________________________
Announcement ID: SUSE-SU-2022:4351-1
Rating: important
References: #1089025 #1097996 #1122675 #1125243 #1126055
#1126058 #1127932 #1129757 #1129889 #1131512
#1136584 #1137477 #1138165 #1138977 #1140697
#1142518 #1142662 #1144211 #1154972 #1155953
#1156501 #1160446 #1166537 #1173926 OBS-203
Cross-References: CVE-2019-3681 CVE-2019-3685
CVSS scores:
CVE-2019-3681 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2019-3681 (SUSE): 4.2 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L
CVE-2019-3685 (NVD) : 7.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
CVE-2019-3685 (SUSE): 7.4 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Affected Products:
SUSE Linux Enterprise Server 12-SP5
SUSE Linux Enterprise Server for SAP Applications 12-SP5
SUSE Linux Enterprise Software Development Kit 12-SP5
______________________________________________________________________________
An update that solves two vulnerabilities, contains one
feature and has 22 fixes is now available.
Description:
This update for osc fixes the following issues:
osc was updated to version 0.182.0 (bsc#1154972, bsc#1144211,
bsc#1142662, bsc#1140697, bsc#1138165):
- Added MFA support (jsc#OBS-203).
- CVE-2019-3681: Fixed vulnerability where osc stored downloaded RPMs in
network controlled paths (bsc#1122675).
- CVE-2019-3685: Fixed broken TLS certificate handling (bsc#1142518).
Bugfixes:
- Removed use of chardet to guess encoding. Utf-8 or latin-1 is now
assumed, which will speed up decoding (bsc#1173926).
- Added helper method _html_escape to enable python3.8 and python2.*
compatibility (bsc#1166537).
- Added MR creation to honor orev (bsc#1160446).
- Fixed local build outside of the working copy of a package
(bsc#1136584).
- Don't enforce password reuse (bsc#1156501).
- osc vc --file=foo bar.changes now writes the content from foo into
bar.changes instead of creating a new file (bsc#1155953).
- Fixed decoding on osc lbl (bsc#1137477).
- Simplified and fixed osc meta -e (bsc#1138977).
- osc lbl now works with non utf8 encoding (bsc#1129889).
- Added full python3 compatibility (bsc#1125243, bsc#1131512,
bsc#1129757).
- Fixed slowdown of rbl with readline(bufsize) function (bsc#1127932).
- Fixed osc build -p dir TypeError (bsc#1126055).
- Fixed osc buildinfo -p TypeError (bsc#1126058).
- Added new options --unexpand and --meta to diff command (bsc#1089025).
- Fixed Requires to python-base which does not contain ssl.py
(bsc#1097996).
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Software Development Kit 12-SP5:
zypper in -t patch SUSE-SLE-SDK-12-SP5-2022-4351=1
Package List:
- SUSE Linux Enterprise Software Development Kit 12-SP5 (noarch):
osc-0.182.0-15.12.1
References:
https://www.suse.com/security/cve/CVE-2019-3681.html
https://www.suse.com/security/cve/CVE-2019-3685.html
https://bugzilla.suse.com/1089025
https://bugzilla.suse.com/1097996
https://bugzilla.suse.com/1122675
https://bugzilla.suse.com/1125243
https://bugzilla.suse.com/1126055
https://bugzilla.suse.com/1126058
https://bugzilla.suse.com/1127932
https://bugzilla.suse.com/1129757
https://bugzilla.suse.com/1129889
https://bugzilla.suse.com/1131512
https://bugzilla.suse.com/1136584
https://bugzilla.suse.com/1137477
https://bugzilla.suse.com/1138165
https://bugzilla.suse.com/1138977
https://bugzilla.suse.com/1140697
https://bugzilla.suse.com/1142518
https://bugzilla.suse.com/1142662
https://bugzilla.suse.com/1144211
https://bugzilla.suse.com/1154972
https://bugzilla.suse.com/1155953
https://bugzilla.suse.com/1156501
https://bugzilla.suse.com/1160446
https://bugzilla.suse.com/1166537
https://bugzilla.suse.com/1173926
More information about the sle-security-updates
mailing list