
openSUSE 15.2 Security Update: Important Flatpak Issues Critical DoS

April 9, 2021
A recent patch tackles an urgent vulnerability in openSUSE, affecting the flatpak and xdg-desktop-portal modules.
An update that solves one vulnerability and has three fixes is now available.

Description

This update for flatpak, libostree, xdg-desktop-portal, xdg-desktop-portal-gtk fixes the following issues:

libostree:

Update to version 2020.8

- Enable LTO. (bsc#1133120)
- This update contains scalability improvements and bugfixes.
- Caching-related HTTP headers are now supported on summaries and signatures, so that they do not have to be re-downloaded if not changed in the meantime.
- Summaries and delta have been reworked to allow more fine-grained fetching.
- Fixes several bugs related to atomic variables, HTTP timeouts, and 32-bit architectures.
- Static deltas can now be signed to more easily support offline verification.
- There's now support for multiple initramfs images; it is possible to have a "main" initramfs image and a secondary one which represents local configuration.
- The documentation is now moved to https://ostreedev.github.io/ostree/
- Fix for an assertion failure when upgrading from...


Patch

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.2:

zypper in -t patch openSUSE-2021-520=1

Package List

- openSUSE Leap 15.2 (i586 x86_64):

libostree-1-1-2020.8-lp152.2.3.1
libostree-1-1-debuginfo-2020.8-lp152.2.3.1
libostree-2020.8-lp152.2.3.1
libostree-debuginfo-2020.8-lp152.2.3.1
libostree-debugsource-2020.8-lp152.2.3.1
libostree-devel-2020.8-lp152.2.3.1
libostree-grub2-2020.8-lp152.2.3.1
typelib-1_0-OSTree-1_0-2020.8-lp152.2.3.1

- openSUSE Leap 15.2 (x86_64):

flatpak-1.10.2-lp152.3.6.1
flatpak-debuginfo-1.10.2-lp152.3.6.1
flatpak-debugsource-1.10.2-lp152.3.6.1
flatpak-devel-1.10.2-lp152.3.6.1
flatpak-zsh-completion-1.10.2-lp152.3.6.1
libflatpak0-1.10.2-lp152.3.6.1
libflatpak0-debuginfo-1.10.2-lp152.3.6.1
system-user-flatpak-1.10.2-lp152.3.6.1
typelib-1_0-Flatpak-1_0-1.10.2-lp152.3.6.1
xdg-desktop-portal-1.8.0-lp152.4.3.1
xdg-desktop-portal-debuginfo-1.8.0-lp152.4.3.1
xdg-desktop-portal-debugsource-1.8.0-lp152.4.3.1
xdg-desktop-portal-devel-1.8.0-lp152.4.3.1
xdg-desktop-portal-gtk-1.8.0-lp152.2.3.1
xdg-desktop-portal-gtk-debuginfo-1.8.0-lp152.2.3.1
xdg-desktop-portal-gtk-debugsource-1.8.0-lp152.2.3.1

-...
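
A post-patch check, added here as an example (it is not part of the SUSE advisory): it compares installed builds with the fixed builds in the package list above and flags anything older. The function names, the `--live` switch and the sample inventory are assumptions made for the illustration, and `sort -V` stands in for rpm's own version ordering.

```shell
#!/bin/sh
# Added example: check installed builds against the fixed builds in this advisory.

# Fixed version-release per runtime package, copied from the package list above.
FIXED='flatpak 1.10.2-lp152.3.6.1
libflatpak0 1.10.2-lp152.3.6.1
libostree-1-1 2020.8-lp152.2.3.1
xdg-desktop-portal 1.8.0-lp152.4.3.1
xdg-desktop-portal-gtk 1.8.0-lp152.2.3.1'

# Constructed sample inventory (not real host data): two packages below the fix.
SAMPLE='flatpak 1.6.3-lp152.3.3.1
libostree-1-1 2020.8-lp152.2.3.1
xdg-desktop-portal 1.6.0-lp152.4.1.1
bash 4.4-lp152.11.1'

# version_ge A B: true when A >= B. GNU "sort -V" approximates rpm's ordering;
# that is an assumption which holds for the dotted numeric strings used here.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# audit INVENTORY: INVENTORY is "name version-release" lines. Prints one status
# line per advisory package; returns 1 if any installed package is below the fix.
audit() {
    rc=0
    while read -r name fixed; do
        have=$(printf '%s\n' "$1" | awk -v n="$name" '$1 == n { print $2; exit }')
        if [ -z "$have" ]; then
            echo "SKIP $name (not installed)"
        elif version_ge "$have" "$fixed"; then
            echo "OK $name $have"
        else
            echo "OUTDATED $name $have (need >= $fixed)"
            rc=1
        fi
    done <<EOF
$FIXED
EOF
    return "$rc"
}

# With --live, audit this host's rpm database; otherwise audit the sample.
if [ "${1:-}" = "--live" ]; then
    audit "$(rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n')"
else
    audit "$SAMPLE" || echo "sample inventory still needs the patch"
fi
```

Run with `--live` on a Leap 15.2 host after `zypper patch`; a non-zero exit status means at least one listed package is still older than the fixed build.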


References

https://www.suse.com/security/cve/CVE-2021-21261.html

https://bugzilla.suse.com/1133120

https://bugzilla.suse.com/1133124

https://bugzilla.suse.com/1175899

https://bugzilla.suse.com/1180996

Severity
important

Announcement ID: openSUSE-SU-2021:0520-1
Rating: important
Affected Products: openSUSE Leap 15.2
