Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 433
Alerts This Week
Warning Icon 1 433

openSUSE Leap 15.1: 2019:1844-1 Important: osc Man-in-the-Middle Fix

opensuse
Calendar Grey August 12, 2019
Dist Opensuse Esm H88
OpenSUSE: 2021:2390-2 Critical: Addressed SSL security flaw in zypper upgrade to improve system integrity
An update that solves one vulnerability and has 5 fixes is now available.

Description

This update for osc to version 0.165.4 fixes the following issues:

Security issue fixed:

- CVE-2019-3685: Fixed broken TLS certificate handling allowing for a

Man-in-the-middle attack (bsc#1142518).

Non-security issues fixed:

- support different token operations (runservice, release and rebuild)

(requires OBS 2.10)

- fix osc token decode error

- offline build mode is now really offline and does not try to download

the buildconfig

- osc build -define now works with python3

- fixes an issue where the error message on osc meta -e was not parsed

correctly

- osc maintainer -s now works with python3

- simplified and fixed osc meta -e (bsc#1138977)

- osc lbl now works with non utf8 encoding (bsc#1129889)

- add simpleimage as local build type

- allow optional fork when creating a maintenance request

- fix RPMError fallback

- fix local caching for all package formats

- fix appname for trusted cert store

- osc -h...

Read the Full Advisory

Patch

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods

like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.1:

zypper in -t patch openSUSE-2019-1844=1

Package List

- openSUSE Leap 15.1 (noarch):

osc-0.165.4-lp151.2.6.1

References

https://www.suse.com/security/cve/CVE-2019-3685.html

https://bugzilla.suse.com/1129889

https://bugzilla.suse.com/1138977

https://bugzilla.suse.com/1140697

https://bugzilla.suse.com/1142518

https://bugzilla.suse.com/1142662

https://bugzilla.suse.com/1144211

--

Severity
important
Lowest
Low
Medium
High
Critical

Announcement ID: openSUSE-SU-2019:1844-1
Rating: important
Affected Products: openSUSE Leap 15.1 le.

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.