SUSE-SU-2024:2961-1: moderate: Security update for osc
SLE-SECURITY-UPDATES
null at suse.de
Mon Aug 19 16:30:28 UTC 2024
# Security update for osc
Announcement ID: SUSE-SU-2024:2961-1
Rating: moderate
References:
* bsc#1122683
* bsc#1212476
* bsc#1218170
* bsc#1221340
* bsc#1225911
Cross-References:
* CVE-2024-22034
CVSS scores:
* CVE-2024-22034 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Affected Products:
* Development Tools Module 15-SP5
* Development Tools Module 15-SP6
* openSUSE Leap 15.4
* openSUSE Leap 15.5
* openSUSE Leap 15.6
* SUSE Linux Enterprise Desktop 15 SP5
* SUSE Linux Enterprise Desktop 15 SP6
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise Real Time 15 SP5
* SUSE Linux Enterprise Real Time 15 SP6
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
* SUSE Linux Enterprise Server for SAP Applications 15 SP6
An update that solves one vulnerability and has four security fixes can now be
installed.
## Description:
This update for osc fixes the following issues:
* 1.9.0
* Security:
* Fix possibility to overwrite special files in .osc (CVE-2024-22034 bsc#1225911) Source files are now stored in the 'sources' subdirectory which prevents name collisons. This requires changing version of '.osc' store to 2.0.
* Command-line:
* Introduce build --checks parameter
* Library:
* OscConfigParser: Remove automatic **name** option
* 1.8.3
* Command-line:
* Change 'repairwc' command to always run all repair steps
* Library:
* Make most of the fields in KeyinfoPubkey and KeyinfoSslcert models optional
* Fix colorize() to avoid wrapping empty string into color escape sequences
* Provide default values for kwargs.get/pop in get_results() function
* 1.8.2
* Library:
* Change 'repairwc' command to fix missing .osc/_osclib_version
* Make error message in check_store_version() more generic to work for both projects and packages
* Fix check_store_version in project store
* 1.8.1
* Command-line:
* Fix 'linkpac' command crash when used with '\--disable-build' or '\--disable-publish' option
* 1.8.0
* Command-line:
* Improve 'submitrequest' command to inherit description from superseded request
* Fix 'mv' command when renaming a file multiple times
* Improve 'info' command to support projects
* Improve 'getbinaries' command by accepting '-M' / '\--multibuild-package' option outside checkouts
* Add architecture filtering to 'release' command
* Change 'results' command so the normal and multibuild packages have the same output
* Change 'results' command to use csv writer instead of formatting csv as string
* Add couple mutually exclusive options errors to 'results' command
* Set a default value for 'results --format' only for the csv output
* Add support for 'results --format' for the default text mode
* Update help text for '\--format' option in 'results' command
* Add 'results --fail-on-error/-F' flag
* Redirect venv warnings from stderr to debug output
* Configuration:
* Fix config parser to throw an exception on duplicate sections or options
* Modify conf.get_config() to print permissions warning to stderr rather than stdout
* Library:
* Run check_store_version() in obs_scm.Store and fix related code in Project and Package
* Forbid extracting files with absolute path from 'cpio' archives (bsc#1122683)
* Forbid extracting files with absolute path from 'ar' archives (bsc#1122683)
* Remove no longer valid warning from core.unpack_srcrpm()
* Make obs_api.KeyinfoSslcert keyid and fingerprint fields optional
* Fix return value in build build.create_build_descr_data()
* Fix core.get_package_results() to obey 'multibuild_packages' argument
* Tests:
* Fix tests so they don't modify fixtures
* 1.7.0
* Command-line:
* Add 'person search' command
* Add 'person register' command
* Add '-M/--multibuild-package' option to '[what]dependson' commands
* Update '-U/--user' option in 'maintainer' command to accept also an email address
* Fix 'branch' command to allow using '\--new-package' option on packages that do not exist
* Fix 'buildinfo' command to include obs:cli_debug_packages by default
* Fix 'buildinfo' command to send complete local build environment as the 'build' command does
* Fix 'maintainer --devel-project' to raise an error if running outside a working copy without any arguments
* Fix handling arguments in 'service remoterun prj/pac'
* Fix 'rebuild' command so the '\--all' option conflicts with the 'package' argument
* Fix crash when removing 'scmsync' element from dst package meta in 'linkpac' command
* Fix crash when reading dst package meta in 'linkpac' command
* Allow `osc rpmlint` to infer prj/pkg from CWD
* Propagate exit code from the run() and do_() commandline methods
* Give a hint where a scmsync git is hosted
* Fix crash in 'updatepacmetafromspec' command when working with an incomplete spec
* Improve 'updatepacmetafromspec' command to expand rpm spec macros by calling rpmspec to query the data
* Improve 'build' and 'buildinfo' commands by uploading *.inc files to OBS for parsing BuildRequires (bsc#1221340)
* Improve 'service' command by printing names of running services
* Improve 'getbinaries' command by ignoring source and debuginfo filters when a binary name is specified
* Change 'build' command to pass '\--jobs' option to 'build' tool only if 'build_jobs' > 0
* Clarify 'list' command's help that that listing binaries doesn't contain md5 checksums
* Improve 'log' command: produce proper CSV and XML outputs, add -p/--patch option for the text output
* Allow setlinkrev to set a specific vrev
* Document '\--buildtool-opt=--noclean' example in 'build' command's help
* Fix handling the default package argument on the command-line
* Configuration:
* Document loading configuration from env variables
* Connection:
* Don't retry on error 400
* Remove now unused 'retry_on_400' http_request() option from XmlModel
* Revert "Don't retry on 400 HTTP status code in core.server_diff()"
* Revert "connection: Allow disabling retry on 400 HTTP status code"
* Authentication:
* Update SignatureAuthHandler to support specifying ssh key by its fingerprint
* Use ssh key from ssh agent that contains comment 'obs=<apiurl-hostname>'
* Use strings instead of bytes in SignatureAuthHandler
* Cache password from SecretService to avoid spamming user with an accept dialog
* Never ask for credentials when displaying help
* Remove unused SignatureAuthHandler.get_fingerprint()
* Library:
* Add rootless build support for 'qemu' VM type
* Support package linking of packages from scmsync projects
* Fix do_createrequest() function to return None instead of request id
* Replace invalid 'if' with 'elif' in BaseModel.dict()
* Fix crash when no prefered packages are defined
* Add XmlModel class that encapsulates manipulation with XML
* Add obs_api.Person.cmd_register() for registering new users
* Fix conf.get_config() to ignore file type bits when comparing oscrc perms
* Fix conf.get_config() to correctly handle overrides when env variables are set
* Fix output.tty.IS_INTERACTIVE when os.isatty() throws OSError
* Improve cmdln.HelpFormatter to obey newline characters
* Update list of color codes in 'output.tty' module
* Remove core.setDevelProject() in favor of core.set_devel_project()
* Move removing control characters to output.sanitize_text()
* Improve sanitize_text() to keep selected CSI escape sequences
* Add output.pipe_to_pager() that pipes lines to a pager without creating an intermediate temporary file
* Fix output.safe_write() in connection with NamedTemporaryFile
* Modernize output.run_pager()
* Extend output.print_msg() to accept 'error' and 'warning' values of 'to_print' argument
* Add XPathQuery class for translating keyword arguments to an xpath query
* Add obs_api.Keyinfo class
* Add obs_api.Package class
* Add Package.get_revision_list() for listing commit log
* Add obs_api.PackageSources class for handling OBS SCM sources
* Add obs_api.Person class
* Add obs_api.Project class
* Add obs_api.Request class
* Add obs_api.Token class
* Allow storing apiurl in the XmlModel instances
* Allow retrieving default field value from top-level model
* Fix BaseModel to convert dictionaries to objects on retrieving a model list
* Fix BaseModel to always deepcopy mutable defaults on first use
* Implement do_snapshot() and has_changed() methods to determine changes in BaseModel
* Implement total ordering on BaseModel
* Add comments with available attributes/elements to edited XML
* Refactoring:
* Migrate repo {list,add,remove} commands to obs_api.Project
* Migrate core.show_package_disabled_repos() to obs_api.Package
* Migrate core.Package.update_package_meta() to obs_api.Package
* Migrate core.get_repos_of_project() to obs_api.Project
* Migrate core.get_repositories_of_project() to obs_api.Project
* Migrate core.show_scmsync() to obs_api.{Package,Project}
* Migrate core.set_devel_project() to obs_api.Package
* Migrate core.show_devel_project() to obs_api.Package
* Migrate Fetcher.run() to obs_api.Keyinfo
* Migrate core.create_submit_request() to obs_api.Request
* Migrate 'token' command to obs_api.Token
* Migrate 'whois/user' command to obs_api.Person
* Migrate 'signkey' command to obs_api.Keyinfo
* Move print_msg() to the 'osc.output' module
* Move run_pager() and get_default_pager() from 'core' to 'output' module
* Move core.Package to obs_scm.Package
* Move core.Project to obs_scm.Project
* Move functions manipulating store from core to obs_scm.store
* Move store.Store to obs_scm.Store
* Move core.Linkinfo to obs_scm.Linkinfo
* Move core.Serviceinfo to obs_scm.Serviceinfo
* Move core.File to obs_scm.File
* Merge _private.project.ProjectMeta into obs_api.Project
* Spec:
* Remove dependency on /usr/bin/python3 using %python3_fix_shebang macro (bsc#1212476)
* 1.6.2
* Command-line:
* Fix 'branch' command to allow using '\--new-package' option on packages that do not exist
* Fix 'buildinfo' command to include obs:cli_debug_packages by default
* Fix 'buildinfo' command to send complete local build environment as the 'build' command does
* Allow `osc rpmlint` to infer prj/pkg from CWD
* Propagate exit code from the run() and do_() commandline methods
* Give a hint where a scmsync git is hosted
* Fix crash in 'updatepacmetafromspec' command when working with an incomplete spec
* Authentication:
* Cache password from SecretService to avoid spamming user with an accept dialog
* Never ask for credentials when displaying help
* Library:
* Support package linking of packages from scmsync projects
* Fix do_createrequest() function to return None instead of request id
* Replace invalid 'if' with 'elif' in BaseModel.dict()
* Fix crash when no prefered packages are defined
* 1.6.1
* Command-line:
* Use busybox compatible commands for completion
* Change 'wipe' command to use the new get_user_input() function
* Fix error 500 in running 'meta attribute <prj>'
* Configuration:
* Fix resolving config symlink to the actual config file
* Honor XDG_CONFIG_HOME and XDG_CACHE_HOME env vars
* Warn about ignoring XDG_CONFIG_HOME and ~/.config/osc/oscrc if ~/.oscrc exists
* Library:
* Error out when branching a scmsync package
* New get_user_input() function for consistent handling of user input
* Move xml_indent, xml_quote and xml_unquote to osc.util.xml module
* Refactor makeurl(), deprecate query taking string or list arguments, drop osc_urlencode()
* Remove all path quoting, rely on makeurl()
* Always use dict query in makeurl()
* Fix core.slash_split() to strip both leading and trailing slashes
* 1.6.0
* Command-line:
* The 'token --trigger' command no longer sets '\--operation=runservice' by default.
* Change 'token --create' command to require '\--operation'
* Fix 'linkdiff' command error 400: prj/pac/md5 not in repository
* Update 'build' command to support building 'productcompose' build type with updateinfo.xml data
* Don't show meter in terminals that are not interactive
* Fix traceback when running osc from an arbitrary git repo that fails to map branch to a project (bsc#1218170)
* Configuration:
* Implement reading credentials from environmental variables
* Allow starting with an empty config if --configfile is either empty or points to /dev/null
* Implement 'quiet' conf option
* Password can be an empty string (commonly used with ssh auth)
* Connection:
* Allow -X HEAD on osc api requests as well
* Library:
* Fix credentials managers to consistently return Password
* Fix Password.encode() on python < 3.8
* Refactor 'meter' module, use config settings to pick the right class
* Convert to using f-strings
* Use Field.get_callback to handle quiet/verbose and http_debug/http_full_debug options
* Implement get_callback that allows modifying returned value to the Field class
* Add support for List[BaseModel] type to Field class
* Report class name when reporting an error during instantiating BaseModel object
* Fix exporting an empty model field in BaseModel.dict()
* Fix initializing a sub-model instance from a dictionary
* Implement 'Enum' support in models
* Fix Field.origin_type for Optional types
* Drop unused 'exclude_unset' argument from BaseModel.dict() method
* Store cached model defaults in self._defaults, avoid sharing references to mutable defaults
* Limit model attributes to predefined fields by forbidding creating new attributes on fly
* Store model values in self._values dict instead of private attributes
* Spec:
* Recommend openssh-clients for ssh-add that is required during ssh auth
* Add 0%{?amzn} macro that wasn't usptreamed
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* openSUSE Leap 15.4
zypper in -t patch SUSE-2024-2961=1
* openSUSE Leap 15.5
zypper in -t patch openSUSE-SLE-15.5-2024-2961=1
* openSUSE Leap 15.6
zypper in -t patch openSUSE-SLE-15.6-2024-2961=1
* Development Tools Module 15-SP5
zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP5-2024-2961=1
* Development Tools Module 15-SP6
zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP6-2024-2961=1
## Package List:
* openSUSE Leap 15.4 (noarch)
* osc-1.9.0-150400.10.6.1
* openSUSE Leap 15.5 (noarch)
* osc-1.9.0-150400.10.6.1
* openSUSE Leap 15.6 (noarch)
* osc-1.9.0-150400.10.6.1
* Development Tools Module 15-SP5 (noarch)
* osc-1.9.0-150400.10.6.1
* Development Tools Module 15-SP6 (noarch)
* osc-1.9.0-150400.10.6.1
## References:
* https://www.suse.com/security/cve/CVE-2024-22034.html
* https://bugzilla.suse.com/show_bug.cgi?id=1122683
* https://bugzilla.suse.com/show_bug.cgi?id=1212476
* https://bugzilla.suse.com/show_bug.cgi?id=1218170
* https://bugzilla.suse.com/show_bug.cgi?id=1221340
* https://bugzilla.suse.com/show_bug.cgi?id=1225911
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-security-updates/attachments/20240819/75a67516/attachment.htm>
More information about the sle-security-updates
mailing list