
openSUSE 2019:0329-1 Important Update: obs-service-tar_scm Security Fixes

March 15, 2019
openSUSE Security Update: Security update for obs-service-tar_scm
An update that solves three vulnerabilities and has two fixes is now available.

Description

This update for obs-service-tar_scm fixes the following issues:

Security vulnerabilities addressed:

- CVE-2018-12473: Fixed a path traversal issue, which allowed users to access files outside of the repository using relative paths (bsc#1105361)

- CVE-2018-12474: Fixed an issue whereby crafted service parameters allowed for unexpected behaviour (bsc#1107507)

- CVE-2018-12476: Fixed an issue whereby the outfilename parameter allowed writing files outside of the package directory (bsc#1107944)
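An added example, not code from obs-service-tar_scm or from this advisory: one way to enforce the containment that CVE-2018-12473 and CVE-2018-12476 concern, by checking that a user-supplied relative path or output file name resolves inside the intended directory. The function names, directory layout and sample values are assumptions constructed for illustration.

```python
import os
import tempfile


class PathEscapeError(ValueError):
    """Raised when a user-supplied path resolves outside its base directory."""


def resolve_inside(base_dir, user_path):
    """Return the real path of user_path under base_dir, or raise."""
    # realpath resolves symlinks, so a link inside base_dir that points
    # elsewhere is caught the same way as a literal "../" sequence.
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    # commonpath compares whole path components, so ".../pkg-other" is not
    # mistaken for a child of ".../pkg" the way a startswith() test would.
    if os.path.commonpath([base, candidate]) != base:
        raise PathEscapeError(f"{user_path!r} resolves outside {base_dir!r}")
    return candidate


def is_contained(base_dir, user_path):
    """True if user_path stays inside base_dir, False if it escapes."""
    try:
        resolve_inside(base_dir, user_path)
        return True
    except PathEscapeError:
        return False


def demo():
    """Check constructed sample names against a throwaway package directory."""
    with tempfile.TemporaryDirectory() as root:
        pkg = os.path.join(root, "pkg")
        os.mkdir(pkg)
        os.mkdir(os.path.join(root, "pkg-other"))
        # Constructed case: a symlink inside pkg that points outside it.
        os.symlink(root, os.path.join(pkg, "link"))
        samples = ["project.tar", "sub/project.tar", "../project.tar",
                   "../pkg-other/project.tar", "/tmp/project.tar", "link/project.tar"]
        return {name: is_contained(pkg, name) for name in samples}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{'accept' if ok else 'reject'}  {name}")
```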

Other bug fixes and changes made:

- Prefer UTF-8 locale as output format for changes

- added KankuFile

- fix problems with unicode source files

- added python-six to Requires in specfile

- better encoding handling

- fixes bsc#1082696 and bsc#1076410

- fix unicode in containers - move to python3

- added logging for better debugging changesgenerate

- raise exception if no changesauthor given

- Stop using @opensuse.org addresses to...


Patch

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15:

zypper in -t patch openSUSE-2019-329=1

Package List

- openSUSE Backports SLE-15 (noarch):

obs-service-appimage-0.10.5.1551309990.79898c7-bp150.3.3.1

obs-service-obs_scm-0.10.5.1551309990.79898c7-bp150.3.3.1

obs-service-obs_scm-common-0.10.5.1551309990.79898c7-bp150.3.3.1

obs-service-snapcraft-0.10.5.1551309990.79898c7-bp150.3.3.1

obs-service-tar-0.10.5.1551309990.79898c7-bp150.3.3.1

obs-service-tar_scm-0.10.5.1551309990.79898c7-bp150.3.3.1

References

https://www.suse.com/security/cve/CVE-2018-12473.html

https://www.suse.com/security/cve/CVE-2018-12474.html

https://www.suse.com/security/cve/CVE-2018-12476.html

https://bugzilla.suse.com/1076410

https://bugzilla.suse.com/1082696

https://bugzilla.suse.com/1105361

https://bugzilla.suse.com/1107507

https://bugzilla.suse.com/1107944


Announcement ID: openSUSE-SU-2019:0329-1
Rating: important
Affected Products: openSUSE Backports SLE-15
