openSUSE Security Update: Security update for nim
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2022:10095-1
Rating:             important
References:         #1175332 #1175333 #1175334 #1181705 #1185083 
                    #1185084 #1185085 #1185948 #1192712 
Cross-References:   CVE-2020-15690 CVE-2020-15692 CVE-2020-15693
                    CVE-2020-15694 CVE-2021-21372 CVE-2021-21373
                    CVE-2021-21374 CVE-2021-29495 CVE-2021-41259
                   
CVSS scores:
                    CVE-2020-15690 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2020-15692 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2020-15693 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
                    CVE-2020-15694 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
                    CVE-2021-21372 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
                    CVE-2021-21373 (NVD) : 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
                    CVE-2021-21374 (NVD) : 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-29495 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
                    CVE-2021-41259 (NVD) : 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Affected Products:
                    openSUSE Backports SLE-15-SP3
______________________________________________________________________________

   An update that fixes 9 vulnerabilities is now available.

Description:

   This update for nim fixes the following issues:

   Includes upstream security fixes for:

   * (boo#1175333, CVE-2020-15693) httpClient is vulnerable to a CR-LF
     injection
   * (boo#1175334, CVE-2020-15692) mishandling of the argument to
     browsers.openDefaultBrowser
   * (boo#1175332, CVE-2020-15694) httpClient.get().contentLength() fails to
     properly validate the server response
   * (boo#1192712, CVE-2021-41259) null byte accepted in getContent function,
     leading to URI validation bypass
   * (boo#1185948, CVE-2021-29495) stdlib httpClient does not validate peer
     certificates by default
   * (boo#1185085, CVE-2021-21374) Improper verification of the SSL/TLS
     certificate
   * (boo#1185084, CVE-2021-21373) "nimble refresh" falls back to a non-TLS
     URL in case of error
   * (boo#1185083, CVE-2021-21372) doCmd can be leveraged to execute
     arbitrary commands
   * (boo#1181705, CVE-2020-15690) Standard library asyncftpclient lacks a
     check for newline character
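   As an added example that is not part of this advisory or of the nim package,
   the following Nim program shows the client-side hardening that the httpClient
   entries above point at: requesting peer certificate verification explicitly
   instead of trusting the library default (CVE-2021-29495), and rejecting
   header values that contain CR or LF before they reach the request
   (CVE-2020-15693). It uses only the std/net and std/httpclient APIs
   newContext, newHttpClient, newHttpHeaders and SslError; the header name, its
   value and the URL are constructed sample data, and the program needs -d:ssl
   to build.

```nim
## Added example (not part of this advisory or of the nim package): an HTTP
## client that does not rely on httpClient's defaults for the two client-side
## issues listed above. Build with: nim c -d:ssl verified_client.nim
import std/[httpclient, net, strutils]

proc newVerifyingClient(): HttpClient =
  ## Ask for peer certificate verification explicitly (CVerifyPeer) instead
  ## of trusting whatever the library default happens to be.
  let ctx = newContext(verifyMode = CVerifyPeer)
  newHttpClient(sslContext = ctx)

proc checkedHeaderValue(v: string): string =
  ## Refuse header values containing CR or LF so that untrusted input cannot
  ## terminate the header line and smuggle in further headers.
  if v.contains({'\r', '\n'}):
    raise newException(ValueError, "header value contains CR/LF")
  v

when isMainModule:
  let client = newVerifyingClient()
  defer: client.close()
  # "X-Request-Id", its value and the URL are constructed sample data.
  client.headers = newHttpHeaders({"X-Request-Id": checkedHeaderValue("req-0001")})
  try:
    echo client.getContent("https://example.org/")
  except SslError as e:
    # An untrusted or mismatched certificate now fails closed instead of the
    # request silently proceeding.
    echo "TLS verification failed: ", e.msg
```

   The two procs are the places a reviewer would look for in any Nim code that
   talks to the network: verification mode chosen on purpose, and header values
   validated at the boundary rather than assumed clean.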

   The following nim tools now work as expected:

   * nim_dbg is now installed.
   * nim-gdb can be successfully launched as it finds and loads nim-gdb.py
     correctly under gdb.
   * nimble package manager stores package information per user.
   * the compiler package can now be found and used, as other packages may
     require it.

   Update to 1.6.6

   * the standard library now uses consistent styles for variable names, so it
     can be used in projects that enforce a consistent style with the
     --styleCheck:usages option.
   * ARC/ORC are now considerably faster at method dispatching, bringing their
     performance back to the level of refc memory management.
   * Full changelog:
     https://nim-lang.org/blog/2022/05/05/version-166-released.html
   - Previous updates and changelogs:
   * 1.6.4: https://nim-lang.org/blog/2022/02/08/version-164-released.html
   * 1.6.2: https://nim-lang.org/blog/2021/12/17/version-162-released.html
   * 1.6.0: https://nim-lang.org/blog/2021/10/19/version-160-released.html
   * 1.4.8: https://nim-lang.org/blog/2021/05/25/version-148-released.html
   * 1.4.6:
     https://nim-lang.org/blog/2021/04/15/versions-146-and-1212-released.html
   * 1.4.4:
     https://nim-lang.org/blog/2021/02/23/versions-144-and-1210-released.html
   * 1.4.2: https://nim-lang.org/blog/2020/12/01/version-142-released.html
   * 1.4.0: https://nim-lang.org/blog/2020/10/16/version-140-released.html

   Update to 1.2.16

   * oids: switch from PRNG to random module
   * nimc.rst: fix table markup
   * nimRawSetjmp: support Windows
   * correctly enable chronos
   * bigints are not supposed to work on 1.2.x
   * disable nimpy
   * misc bugfixes
   * fixes a 'mixin' statement handling regression [backport:1.2

   Update to version 1.2.12

   * Fixed GC crash resulting from inlining of the memory allocation procs
   * Fixed "incorrect raises effect for $(NimNode)" (#17454)
   - from version 1.2.10
   * Fixed "JS backend doesn't handle float->int type conversion" (#8404)
   * Fixed "The 'try except' not work when the 'OSError: Too many open files'
     error occurs!" (#15925)
   * Fixed "Nim emits #line 0 C preprocessor directives with
     --debugger:native, with ICE in gcc-10" (#15942)
   * Fixed "tfuturevar fails when activated" (#9695)
   * Fixed "nre.escapeRe is not gcsafe" (#16103)
   * Fixed "'Error: internal error: genRecordFieldAux' - in the
     'version-1-4' branch" (#16069)
   * Fixed "-d:fulldebug switch does not compile with gc:arc" (#16214)
   * Fixed "osLastError may randomly raise defect and crash" (#16359)
   * Fixed "generic importc proc's don't work (breaking lots of vmops procs
     for js)" (#16428)
   * Fixed "Concept: codegen ignores parameter passing" (#16897)
   * Fixed "{.push exportc.} interacts with anonymous functions" (#16967)
   * Fixed "memory allocation during {.global.} init breaks GC" (#17085)
   * Fixed "Nimble arbitrary code execution for specially crafted package
     metadata" (boo#1185083, CVE-2021-21372)
   * Fixed "Nimble falls back to insecure http url when fetching packages"
     (boo#1185084, CVE-2021-21373)
   * Fixed "Nimble fails to validate certificates due to insecure httpClient
     defaults" (boo#1185085, CVE-2021-21374)
   - from version 1.2.8
   * Fixed "Defer and --gc:arc" (#15071)
   * Fixed "Issue with --gc:arc at compile time" (#15129)
   * Fixed "Nil check on each field fails in generic function" (#15101)
   * Fixed "[strscans] scanf doesn't match a single character with $+ if
     it's the end of the string" (#15064)
   * Fixed "Crash and incorrect return values when using
     readPasswordFromStdin on Windows." (#15207)
   * Fixed "Inconsistent unsigned -> signed RangeDefect usage across
     integer sizes" (#15210)
   * Fixed "toHex results in RangeDefect exception when used with large
     uint64" (#15257)
   * Fixed "Mixing 'return' with expressions is allowed in 1.2" (#15280)
   * Fixed "proc execCmdEx doesn't work with -d:useWinAnsi" (#14203)
   * Fixed "memory corruption in tmarshall.nim" (#9754)
   * Fixed "Wrong number of variables" (#15360)
   * Fixed "defer doesnt work with block, break and await" (#15243)
   * Fixed "Sizeof of case object is incorrect. Showstopper" (#15516)
   * Fixed "regression(1.0.2 => 1.0.4) VM register messed up depending on
     unrelated context" (#15704)
   - from version 1.2.6
   * Fixed "The pegs module doesn't work with generics!" (#14718)
   * Fixed "[goto exceptions] {.noReturn.} pragma is not detected in a case
     expression" (#14458)
   * Fixed "[exceptions:goto] C compiler error with dynlib pragma calling a
     proc" (#14240)
   * Fixed "Nim source archive install: 'install.sh' fails with error:
     cp: cannot stat 'bin/nim-gdb': No such file or directory" (#14748)
   * Fixed "Stropped identifiers don't work as field names in tuple
     literals" (#14911)
   * Fixed "uri.decodeUrl crashes on incorrectly formatted input" (#14082)
   * Fixed "odbcsql module has some wrong integer types" (#9771)
   * Fixed "[ARC] Compiler crash declaring a finalizer proc directly in
     'new'" (#15044)
   * Fixed "code with named arguments in proc of winim/com can not been
     compiled" (#15056)
   * Fixed "javascript backend produces javascript code with syntax error
     in object syntax" (#14534)
   * Fixed "[ARC] SIGSEGV when calling a closure as a tuple field in a
     seq" (#15038)
   * Fixed "Compiler crashes when using string as object variant selector
     with else branch" (#14189)
   * Fixed "Constructing a uint64 range on a 32-bit machine leads to
     incorrect codegen" (#14616)

   Update to version 1.2.2:

   * See https://nim-lang.org/blog.html for details
   - Enable the full testsuite in the %check section
   * Add build dependencies to run the testsuite
   * Whitelist a few tests that are not passing yet

   Update to version 1.0.2:

   * See https://nim-lang.org/blog.html for details
   - Update dependencies (based on changes by Federico Ceratto


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP3:

      zypper in -t patch openSUSE-2022-10095=1



Package List:

   - openSUSE Backports SLE-15-SP3 (aarch64 ppc64le x86_64):

      nim-1.6.6-bp153.2.3.1


References:

   https://www.suse.com/security/cve/CVE-2020-15690.html
   https://www.suse.com/security/cve/CVE-2020-15692.html
   https://www.suse.com/security/cve/CVE-2020-15693.html
   https://www.suse.com/security/cve/CVE-2020-15694.html
   https://www.suse.com/security/cve/CVE-2021-21372.html
   https://www.suse.com/security/cve/CVE-2021-21373.html
   https://www.suse.com/security/cve/CVE-2021-21374.html
   https://www.suse.com/security/cve/CVE-2021-29495.html
   https://www.suse.com/security/cve/CVE-2021-41259.html
   https://bugzilla.suse.com/1175332
   https://bugzilla.suse.com/1175333
   https://bugzilla.suse.com/1175334
   https://bugzilla.suse.com/1181705
   https://bugzilla.suse.com/1185083
   https://bugzilla.suse.com/1185084
   https://bugzilla.suse.com/1185085
   https://bugzilla.suse.com/1185948
   https://bugzilla.suse.com/1192712

August 24, 2022