openSUSE: 2019:0329-1: important: obs-service-tar_scm

    Date: 15 Mar 2019
    Posted By: LinuxSecurity Advisories
    An update that solves three vulnerabilities and has two fixes is now available.
       openSUSE Security Update: Security update for obs-service-tar_scm
    Announcement ID:    openSUSE-SU-2019:0329-1
    Rating:             important
    References:         #1076410 #1082696 #1105361 #1107507 #1107944 
    Cross-References:   CVE-2018-12473 CVE-2018-12474 CVE-2018-12476
    Affected Products:
                        openSUSE Backports SLE-15
       This update for obs-service-tar_scm fixes the following issues:
       Security vulnerabilities addressed:
       - CVE-2018-12473: Fixed a path traversal issue, which allowed users to
         access files outside of the repository using relative paths (bsc#1105361)
       - CVE-2018-12474: Fixed an issue whereby crafted service parameters
         allowed for unexpected behaviour (bsc#1107507)
       - CVE-2018-12476: Fixed an issue whereby the outfilename parameter allowed
         writing files outside of the package directory (bsc#1107944)
       Other bug fixes and changes made:
       - Prefer UTF-8 locale as output format for changes
       - added KankuFile
       - fix problems with unicode source files
       - added python-six to Requires in specfile
       - better encoding handling
       - fixes bsc#1082696 and bsc#1076410
       - fix unicode in containers
       - move to python3
       - added logging for better debugging changesgenerate
       - raise exception if no changesauthor given
       - Stop using addresses to indicate a missing address
       - move argparse dep to -common package
       - allow submodule and ssl options in appimage
       - sync spec file as used in openSUSE:Tools project
       - check encoding problems for svn and print proper error msg
       - added new param '--locale'
       - separate service file installation in GNUmakefile
       - added glibc as Recommends in spec file
       - cleanup for broken svn caches
       - another fix for unicode problem in obs_scm
       - Final fix for unicode in filenames
       - Another attempt to fix unicode filenames in prep_tree_for_archive
       - Another attempt to fix unicode filenames in prep_tree_for_archive
       - fix bug with unicode filenames in prep_tree_for_archive
       - reuse _service*_servicedata/changes files from previous service runs
       - fix problems with unicode characters in commit messages for
       - fix encoding issues if commit message contains utf8 char
       - revert encoding for old changes file
       - remove hardcoded utf-8 encodings
       - Add support for extract globbing
       - split pylint2 in GNUmakefile
       - fix check for "--reproducible"
       - create reproducible obscpio archives
       - fix regression from 44b3bee
       - Support also SSH urls for Git
       - check name/version option in obsinfo for slashes
       - check url for remote url
       - check symlinks in subdir parameter
       - check filename for slashes
       - disable follow_symlinks in extract feature
       - switch to obs_scm for this package
       - run download_files in appimage and snapcraft case
       - check --extract file path for parent dir
       - Fix parameter descriptions
       - changed os.removedirs -> shutil.rmtree
       - Adding information regarding the *package-metadata* option for the *tar*
         service The tar service is highly useful in combination with the
         *obscpio* service. After the fix for the metadata for the latter one, it
         is important to inform the users of the *tar* service that metadata is
         kept only if the flag *package-metadata* is enabled. Add the flag to the
         .service file for mentioning that.
       - Allow metadata packing for CPIO archives when desired As of now,
         metadata are always excluded from *obscpio* packages. This is because
         the *package-metadata* flag is ignored; this change (should) make
         *obscpio* aware of it.
       - improve handling of corrupt git cache directories
       - only do git stash save/pop if we have a non-empty working tree (#228)
       - don't allow DEBUG_TAR_SCM to change behaviour (#240)
       - add stub user docs in lieu of something proper (#238)
       - Remove clone_dir if clone fails
       - python-unittest2 is only required for the optional make check
       - move python-unittest2 dep to test suite only part (submission by olh)
       - Removing redundant pass statement
       - missing import for logging functions.
       - [backend] Adding http proxy support
       - python-unittest2 is only required for the optional make check
       - make installation of scm's optional
       - add a lot more detail to README
       - Git clone with --no-checkout in prepare_working_copy
       - Refactor and simplify git prepare_working_copy
       - Only use current dir if it actually looks like git (Fixes #202)
       - reactivate test_obscpio_extract_d
       - fix broken test create_archive
       - fix broken tests for broken-links
       - changed PREFIX in Gnumakefile to /usr
       - new cli option --skip-cleanup
       - fix for broken links
       - fix reference to snapcraft YAML file
       - fix docstring typo in TarSCM.scm.tar.fetch_upstream
       - acknowledge deficiencies in dev docs
       - wrap long lines in README
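       The three CVEs above and the hardening entries in the changelog (parent-dir
       check on the --extract path, slash checks on filenames, symlink checks on the
       subdir parameter, follow_symlinks disabled in extract) all come down to one
       rule: a caller-supplied path must resolve inside the package directory. The
       Python below is an added example written for this page, not code from
       obs-service-tar_scm; the function names, the UnsafePathError class and the
       sample parameter values are constructed for illustration.

```python
import os
import shutil
import tempfile


class UnsafePathError(ValueError):
    """Raised when a caller-supplied parameter would reach outside the package directory."""


def check_filename(name):
    """Accept only a single path component (the 'check filename for slashes' idea).

    A value used as an output file name must carry no directory part: a slash or
    a '..' component would let the caller choose the destination directory.
    """
    if not name or name in (".", ".."):
        raise UnsafePathError("empty or dot-only filename: %r" % name)
    if "/" in name or "\\" in name:
        raise UnsafePathError("filename must not contain a path separator: %r" % name)
    return name


def resolve_within(base_dir, user_path):
    """Join user_path under base_dir and return its real path, or raise.

    Three escape routes are closed: absolute paths, '..' components (rejected
    before the filesystem is consulted), and symlinks inside the tree that point
    outside it (caught by resolving with realpath and comparing with the base).
    """
    base_real = os.path.realpath(base_dir)
    if os.path.isabs(user_path):
        raise UnsafePathError("absolute path not allowed: %r" % user_path)
    if ".." in user_path.replace("\\", "/").split("/"):
        raise UnsafePathError("parent directory reference not allowed: %r" % user_path)
    candidate = os.path.realpath(os.path.join(base_real, user_path))
    # commonpath avoids the prefix trap: '/tmp/pkg-other' must not pass for base '/tmp/pkg'
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise UnsafePathError("path escapes %s: %r" % (base_real, user_path))
    return candidate


def classify(base_dir, samples):
    """Return {sample: 'ok' | 'rejected'} for each candidate subdir/extract value."""
    results = {}
    for sample in samples:
        try:
            resolve_within(base_dir, sample)
            results[sample] = "ok"
        except UnsafePathError:
            results[sample] = "rejected"
    return results


def demo():
    """Build a constructed package tree containing a symlink that leaves the tree,
    then classify a set of constructed parameter values against it."""
    outside = tempfile.mkdtemp(prefix="outside-")
    pkg = tempfile.mkdtemp(prefix="pkg-")
    try:
        os.makedirs(os.path.join(pkg, "src"))
        # a symlink inside the checkout pointing at a directory outside it
        os.symlink(outside, os.path.join(pkg, "escape"))
        samples = [
            "src/file.tar",      # ordinary relative path inside the tree
            "../secret",         # parent-dir traversal
            "/etc/hostname",     # absolute path
            "escape/anything",   # traversal through the symlink
            "src/../src/a",      # would stay inside, but '..' is rejected outright
        ]
        return classify(pkg, samples)
    finally:
        # shutil.rmtree, as the changelog's os.removedirs -> shutil.rmtree entry suggests
        shutil.rmtree(pkg)
        shutil.rmtree(outside)


if __name__ == "__main__":
    for value, verdict in demo().items():
        print("%-18s %s" % (value, verdict))
```

       Rejecting '..' lexically before calling realpath is deliberate: it keeps
       the policy readable and does not depend on what exists on disk at check
       time, while the realpath/commonpath comparison still catches symlink
       escapes that no lexical check can see.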
       This update was imported from the SUSE:SLE-15:Update update project. This
       update was imported from the openSUSE:Leap:15.0:Update update project.
    Patch Instructions:
       To install this openSUSE Security Update use the SUSE recommended installation methods
       like YaST online_update or "zypper patch".
       Alternatively you can run the command listed for your product:
       - openSUSE Backports SLE-15:
          zypper in -t patch openSUSE-2019-329=1
    Package List:
       - openSUSE Backports SLE-15 (noarch):
