SUSE-SU-2022:4351-1: important: Security update for osc

sle-updates at lists.suse.com sle-updates at lists.suse.com
Wed Dec 7 20:21:19 UTC 2022


   SUSE Security Update: Security update for osc
______________________________________________________________________________

Announcement ID:    SUSE-SU-2022:4351-1
Rating:             important
References:         #1089025 #1097996 #1122675 #1125243 #1126055 
                    #1126058 #1127932 #1129757 #1129889 #1131512 
                    #1136584 #1137477 #1138165 #1138977 #1140697 
                    #1142518 #1142662 #1144211 #1154972 #1155953 
                    #1156501 #1160446 #1166537 #1173926 OBS-203 
                    
Cross-References:   CVE-2019-3681 CVE-2019-3685
CVSS scores:
                    CVE-2019-3681 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2019-3681 (SUSE): 4.2 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L
                    CVE-2019-3685 (NVD) : 7.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
                    CVE-2019-3685 (SUSE): 7.4 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Affected Products:
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server for SAP Applications 12-SP5
                    SUSE Linux Enterprise Software Development Kit 12-SP5
______________________________________________________________________________

   An update that solves two vulnerabilities, contains one
   feature and has 22 fixes is now available.

Description:

   This update for osc fixes the following issues:

     osc was updated to version 0.182.0 (bsc#1154972, bsc#1144211,
      bsc#1142662, bsc#1140697, bsc#1138165):

     - Added MFA support (jsc#OBS-203).
     - CVE-2019-3681: Fixed vulnerability where osc stored downloaded RPMs in
       network controlled paths (bsc#1122675).
     - CVE-2019-3685: Fixed broken TLS certificate handling (bsc#1142518).

     Bugfixes:
     - Removed use of chardet to guess encoding. Utf-8 or latin-1 is now
       assumed, which will speed up decoding (bsc#1173926).
     - Added helper method _html_escape to enable python3.8 and python2.*
       compatibility (bsc#1166537).
     - Added MR creation to honor orev (bsc#1160446).
     - Fixed local build outside of the working copy of a package
       (bsc#1136584).
     - Don't enforce password reuse (bsc#1156501).
     - osc vc --file=foo bar.changes now writes the content from foo into
       bar.changes instead of creating a new file (bsc#1155953).
     - Fixed decoding on osc lbl (bsc#1137477).
     - Simplified and fixed osc meta -e (bsc#1138977).
     - osc lbl now works with non utf8 encoding (bsc#1129889).
     - Added full python3 compatibility (bsc#1125243, bsc#1131512,
       bsc#1129757).
     - Fixed slowdown of rbl with readline(bufsize) function (bsc#1127932).
     - Fixed osc build -p dir TypeError (bsc#1126055).
     - Fixed osc buildinfo -p TypeError (bsc#1126058).
     - Added new options --unexpand and --meta to diff command (bsc#1089025).
     - Fixed Requires to python-base which does not contain ssl.py
       (bsc#1097996).


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP5:

      zypper in -t patch SUSE-SLE-SDK-12-SP5-2022-4351=1



Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP5 (noarch):

      osc-0.182.0-15.12.1


References:

   https://www.suse.com/security/cve/CVE-2019-3681.html
   https://www.suse.com/security/cve/CVE-2019-3685.html
   https://bugzilla.suse.com/1089025
   https://bugzilla.suse.com/1097996
   https://bugzilla.suse.com/1122675
   https://bugzilla.suse.com/1125243
   https://bugzilla.suse.com/1126055
   https://bugzilla.suse.com/1126058
   https://bugzilla.suse.com/1127932
   https://bugzilla.suse.com/1129757
   https://bugzilla.suse.com/1129889
   https://bugzilla.suse.com/1131512
   https://bugzilla.suse.com/1136584
   https://bugzilla.suse.com/1137477
   https://bugzilla.suse.com/1138165
   https://bugzilla.suse.com/1138977
   https://bugzilla.suse.com/1140697
   https://bugzilla.suse.com/1142518
   https://bugzilla.suse.com/1142662
   https://bugzilla.suse.com/1144211
   https://bugzilla.suse.com/1154972
   https://bugzilla.suse.com/1155953
   https://bugzilla.suse.com/1156501
   https://bugzilla.suse.com/1160446
   https://bugzilla.suse.com/1166537
   https://bugzilla.suse.com/1173926



More information about the sle-updates mailing list