openSUSE: 2022:10230-1 moderate: cherrytree | LinuxSecurity.com

   openSUSE Security Update: Security update for cherrytree
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2022:10230-1
Rating:             moderate
References:         #1202513 
Cross-References:   CVE-2022-35133
CVSS scores:
                    CVE-2022-35133 (NVD) : 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Affected Products:
                    openSUSE Backports SLE-15-SP4
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:


   cherrytree was updated to version 0.99.49+3:

     * Legacy_canonicalize_filename: manage empty filename,
       (gh#giuspen/cherrytree#2118)
     * added command line option '--anchor AnchorName' that in addition to
       existing '--node NodeName' allows to open a document focusing an
       anchor in a node.
     * Changed non configurable keyboard shortcuts for codebox width and
       table column width to use parenthesis open instead of backslash,
       (gh#giuspen/cherrytree#2113).
     * Fixed crash on double exit from systray icon right click menu,
       (gh#giuspen/cherrytree#2114).
     * Added keyboard shortcuts to toolbar tooltips,
       (gh#giuspen/cherrytree#2106).
     * Fixed export to HTML crash, (gh#giuspen/cherrytree#2109).
     * Force turning off portal usage since it does not work on all distros,
       (gh#giuspen/cherrytree#2111).
     * Improved dialog confirmation before executing the code.
     * Additonal changes for core22, (gh#giuspen/cherrytree#2110).
     * Allow to disable the dialog asking for confirmation before executing
       the code.
     * Fixed bulleted list unindent (Shift+Tab) crash,
       (gh#giuspen/cherrytree#2103).
     * Add home plug, (gh#giuspen/cherrytree#2101 and
       gh#giuspen/cherrytree#2102).
     * Linux menu launcher run cherrytree in a new instance,
       (gh#giuspen/cherrytree#2077).
     * Fixed crash on print/export as pdf of a sequence of characters without
       spaces longer that the page width, such as a very long URL,
       (gh#giuspen/cherrytree#2045).
     * Fixed wrongly entering column mode when using keyboard shortcuts with
        such as insert codebox, (gh#giuspen/cherrytree#2075).
     * Added syntax highlighting support for GDScript.
     * Fixed tooltip and cursor not reset after hovering link and then
       navigating to non rich text node.
     * Support for accent insensitive search - added letters with subordinate
       dots, (gh#giuspen/cherrytree#1981).
     * Translation updates.
   - Developer advised fixed cross-site scripting (XSS) vulnerability that
     allows attackers to execute arbitrary web scripts or HTML via a crafted
     payload injected into the Name text field when creating a node,
     (boo#1202513, gh#giuspen/cherrytree#2099 and CVE-2022-35133).

   Update to version 0.99.48:

     * Added support for right to left languages in export to html and pdf
       (gh#giuspen/cherrytree#2044, gh#giuspen/cherrytree#1668 and
       gh#giuspen/cherrytree# #698).
     * In order to support the right to left languages in export to html, the
       resulting html text lines are no longer LINE
but

LINE

. * Fixed in export to pdf the link to node+anchor with non ascii anchor name. * Improved detection of missing executables required for rendering LatexBoxes. These dependencies are no longer mandatory (gh#giuspen/cherrytree#2033). * Added help to the user to show again a hidden menubar (gh#giuspen/cherrytree#1927 and gh#giuspen/cherrytree#2054). * Pressing Tab on the very latest table cell now adds a new table line and moves to its first cell. * Fixed issue with relative links to files and folders and documents moved between linux and windows. * In export to html and txt multiple files, now appending the node id to the file names to support multiple nodes with the same name. * Added syntax highlight support for solidity (gh#giuspen/cherrytree#2030). * After issues with the domain giuspen.com, the domain changed to giuspen.net and giuspen.com will eventually go. Update to version 0.99.47+2: * Added support for latex math equations. * Added copy/paste of tree nodes and subnodes between multiple opened files. * Restored support for drag and drop of text selection. Now rich text content is preserved. * Added syntax highlighting for HCL. * Fixed issue at reset toolbar in preferences dialog when menubar in titlebar. * Added command line option (-S/--secondary_session) to run in isolation from a possibly already running main instance. * Updated flatpak script. Update to version 0.99.46+6: * Fixed time created/modified filter on searches for node name and tags. * Changed default keyboard shortcuts using Ctrl+Period to Ctrl+Backslash for clash with latest linux desktops. * Fixed restore window position on Windows and dual screen. * Added strip trailing spaces action to rich text right click menu. * Fixed issue restoring hpaned tree/text position with tree on the right. * Added command line option to pass the password to open an encrypted document. Update to version 0.99.45+10: * added language Arabic * fixed time created/modified filter on searches for node name and tags * just ninja build debug print * added strip trailing spaces action to rich text right click menu * minor improvement to previous commit * fixed copy fromm codebox and pasting to rich text unwanted additional characters Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Backports SLE-15-SP4: zypper in -t patch openSUSE-2022-10230=1 Package List: - openSUSE Backports SLE-15-SP4 (aarch64 s390x x86_64): cherrytree-0.99.49+3-bp154.2.3.2 - openSUSE Backports SLE-15-SP4 (noarch): cherrytree-lang-0.99.49+3-bp154.2.3.2 References: https://www.suse.com/security/cve/CVE-2022-35133.html https://bugzilla.suse.com/1202513

openSUSE: 2022:10230-1 moderate: cherrytree

December 4, 2022
An update that fixes one vulnerability is now available

Description

cherrytree was updated to version 0.99.49+3: * Legacy_canonicalize_filename: manage empty filename, (gh#giuspen/cherrytree#2118) * added command line option '--anchor AnchorName' that in addition to existing '--node NodeName' allows to open a document focusing an anchor in a node. * Changed non configurable keyboard shortcuts for codebox width and table column width to use parenthesis open instead of backslash, (gh#giuspen/cherrytree#2113). * Fixed crash on double exit from systray icon right click menu, (gh#giuspen/cherrytree#2114). * Added keyboard shortcuts to toolbar tooltips, (gh#giuspen/cherrytree#2106). * Fixed export to HTML crash, (gh#giuspen/cherrytree#2109). * Force turning off portal usage since it does not work on all distros, (gh#giuspen/cherrytree#2111). * Improved dialog confirmation before executing the code. * Additonal changes for core22, (gh#giuspen/cherrytree#2110). * Allow to disable the dialog asking for confirmation before executing the code. * Fixed bulleted list unindent (Shift+Tab) crash, (gh#giuspen/cherrytree#2103). * Add home plug, (gh#giuspen/cherrytree#2101 and gh#giuspen/cherrytree#2102). * Linux menu launcher run cherrytree in a new instance, (gh#giuspen/cherrytree#2077). * Fixed crash on print/export as pdf of a sequence of characters without spaces longer that the page width, such as a very long URL, (gh#giuspen/cherrytree#2045). * Fixed wrongly entering column mode when using keyboard shortcuts with such as insert codebox, (gh#giuspen/cherrytree#2075). * Added syntax highlighting support for GDScript. * Fixed tooltip and cursor not reset after hovering link and then navigating to non rich text node. * Support for accent insensitive search - added letters with subordinate dots, (gh#giuspen/cherrytree#1981). * Translation updates. - Developer advised fixed cross-site scripting (XSS) vulnerability that allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name text field when creating a node, (boo#1202513, gh#giuspen/cherrytree#2099 and CVE-2022-35133). Update to version 0.99.48: * Added support for right to left languages in export to html and pdf (gh#giuspen/cherrytree#2044, gh#giuspen/cherrytree#1668 and gh#giuspen/cherrytree# #698). * In order to support the right to left languages in export to html, the resulting html text lines are no longer LINE
but

LINE

. * Fixed in export to pdf the link to node+anchor with non ascii anchor name. * Improved detection of missing executables required for rendering LatexBoxes. These dependencies are no longer mandatory (gh#giuspen/cherrytree#2033). * Added help to the user to show again a hidden menubar (gh#giuspen/cherrytree#1927 and gh#giuspen/cherrytree#2054). * Pressing Tab on the very latest table cell now adds a new table line and moves to its first cell. * Fixed issue with relative links to files and folders and documents moved between linux and windows. * In export to html and txt multiple files, now appending the node id to the file names to support multiple nodes with the same name. * Added syntax highlight support for solidity (gh#giuspen/cherrytree#2030). * After issues with the domain giuspen.com, the domain changed to giuspen.net and giuspen.com will eventually go. Update to version 0.99.47+2: * Added support for latex math equations. * Added copy/paste of tree nodes and subnodes between multiple opened files. * Restored support for drag and drop of text selection. Now rich text content is preserved. * Added syntax highlighting for HCL. * Fixed issue at reset toolbar in preferences dialog when menubar in titlebar. * Added command line option (-S/--secondary_session) to run in isolation from a possibly already running main instance. * Updated flatpak script. Update to version 0.99.46+6: * Fixed time created/modified filter on searches for node name and tags. * Changed default keyboard shortcuts using Ctrl+Period to Ctrl+Backslash for clash with latest linux desktops. * Fixed restore window position on Windows and dual screen. * Added strip trailing spaces action to rich text right click menu. * Fixed issue restoring hpaned tree/text position with tree on the right. * Added command line option to pass the password to open an encrypted document. Update to version 0.99.45+10: * added language Arabic * fixed time created/modified filter on searches for node name and tags * just ninja build debug print * added strip trailing spaces action to rich text right click menu * minor improvement to previous commit * fixed copy fromm codebox and pasting to rich text unwanted additional characters

 

Patch

Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Backports SLE-15-SP4: zypper in -t patch openSUSE-2022-10230=1


Package List

- openSUSE Backports SLE-15-SP4 (aarch64 s390x x86_64): cherrytree-0.99.49+3-bp154.2.3.2 - openSUSE Backports SLE-15-SP4 (noarch): cherrytree-lang-0.99.49+3-bp154.2.3.2


References

https://www.suse.com/security/cve/CVE-2022-35133.html https://bugzilla.suse.com/1202513


Severity
Announcement ID: openSUSE-SU-2022:10230-1
Rating: moderate
Affected Products: openSUSE Backports SLE-15-SP4 .

Related News

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.