SUSE: 2024:2961-1 moderate: osc Security Advisory Updates
Summary
This update for osc fixes the following issues:
* 1.9.0
  * Security:
    * Fix possibility to overwrite special files in .osc (CVE-2024-22034, bsc#1225911). Source files are now stored in the 'sources' subdirectory, which prevents name collisions. This requires changing the version of the '.osc' store to 2.0.
  * Command-line:
    * Introduce build --checks parameter
  * Library:
    * OscConfigParser: Remove automatic `__name__` option
* 1.8.3
  * Command-line:
    * Change 'repairwc' command to always run all repair steps
  * Library:
    * Make most of the fields in KeyinfoPubkey and KeyinfoSslcert models optional
    * Fix colorize() to avoid wrapping empty string into color escape sequences
    * Provide default values for kwargs.get/pop in get_results() function
* 1.8.2
  * Library:
    * Change 'repairwc' command to fix missing .osc/_osclib_version
    * Make error message in check_store_version() more generic to work for both projects and packages
    * Fix check_store_version in project store
* 1.8.1
  * Command-line:
    * Fix 'linkpac' command crash when used with '--disable-build' or '--disable-publish' option
* 1.8.0
  * Command-line:
    * Improve 'submitrequest' command to inherit description from superseded request
    * Fix 'mv' command when renaming a file multiple times
    * Improve 'info' command to support projects
    * Improve 'getbinaries' command by accepting '-M' / '--multibuild-package' option outside checkouts
    * Add architecture filtering to 'release' command
    * Change 'results' command so the normal and multibuild packages have the same output
    * Change 'results' command to use csv writer instead of formatting csv as string
    * Add errors for a couple of mutually exclusive options to 'results' command
    * Set a default value for 'results --format' only for the csv output
    * Add support for 'results --format' for the default text mode
    * Update help text for '--format' option in 'results' command
    * Add 'results --fail-on-error/-F' flag
    * Redirect venv warnings from stderr to debug output
  * Configuration:
    * Fix config parser to throw an exception on duplicate sections or options
    * Modify conf.get_config() to print permissions warning to stderr rather than stdout
  * Library:
    * Run check_store_version() in obs_scm.Store and fix related code in Project and Package
    * Forbid extracting files with absolute path from 'cpio' archives (bsc#1122683)
    * Forbid extracting files with absolute path from 'ar' archives (bsc#1122683)
    * Remove no longer valid warning from core.unpack_srcrpm()
    * Make obs_api.KeyinfoSslcert keyid and fingerprint fields optional
    * Fix return value in build.create_build_descr_data()
    * Fix core.get_package_results() to obey 'multibuild_packages' argument
  * Tests:
    * Fix tests so they don't modify fixtures
* 1.7.0
  * Command-line:
    * Add 'person search' command
    * Add 'person register' command
    * Add '-M/--multibuild-package' option to '[what]dependson' commands
    * Update '-U/--user' option in 'maintainer' command to also accept an email address
    * Fix 'branch' command to allow using '--new-package' option on packages that do not exist
    * Fix 'buildinfo' command to include obs:cli_debug_packages by default
    * Fix 'buildinfo' command to send complete local build environment as the 'build' command does
    * Fix 'maintainer --devel-project' to raise an error if running outside a working copy without any arguments
    * Fix handling arguments in 'service remoterun prj/pac'
    * Fix 'rebuild' command so the '--all' option conflicts with the 'package' argument
    * Fix crash when removing 'scmsync' element from dst package meta in 'linkpac' command
    * Fix crash when reading dst package meta in 'linkpac' command
    * Allow `osc rpmlint` to infer prj/pkg from CWD
    * Propagate exit code from the run() and do_() commandline methods
    * Give a hint where a scmsync git is hosted
    * Fix crash in 'updatepacmetafromspec' command when working with an incomplete spec
    * Improve 'updatepacmetafromspec' command to expand rpm spec macros by calling rpmspec to query the data
    * Improve 'build' and 'buildinfo' commands by uploading *.inc files to OBS for parsing BuildRequires (bsc#1221340)
    * Improve 'service' command by printing names of running services
    * Improve 'getbinaries' command by ignoring source and debuginfo filters when a binary name is specified
    * Change 'build' command to pass '--jobs' option to 'build' tool only if 'build_jobs' > 0
    * Clarify 'list' command's help that listing binaries doesn't contain md5 checksums
    * Improve 'log' command: produce proper CSV and XML outputs, add -p/--patch option for the text output
    * Allow setlinkrev to set a specific vrev
    * Document '--buildtool-opt=--noclean' example in 'build' command's help
    * Fix handling the default package argument on the command-line
  * Configuration:
    * Document loading configuration from env variables
  * Connection:
    * Don't retry on error 400
    * Remove now unused 'retry_on_400' http_request() option from XmlModel
    * Revert "Don't retry on 400 HTTP status code in core.server_diff()"
    * Revert "connection: Allow disabling retry on 400 HTTP status code"
  * Authentication:
    * Update SignatureAuthHandler to support specifying ssh key by its fingerprint
    * Use ssh key from ssh agent that contains comment 'obs=
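The two hardening entries in this changelog, the 1.9.0 move of source files into a 'sources' subdirectory of '.osc' (CVE-2024-22034, bsc#1225911) and the 1.8.0 refusal to extract absolute paths from 'cpio' and 'ar' archives (bsc#1122683), rest on the same defensive rule: a file name that arrives from the server or from inside an archive must never be allowed to choose where on disk it lands. The Python below is an added example written for this advisory, not osc's own code. Of the metadata file names it lists, only '.osc/_osclib_version' is taken from the page; the other names, the function names, and the store-version strings are assumptions made for illustration.

```python
"""Defensive file-name checks for a local '.osc' working-copy store (added example)."""
import os
import posixpath

# Metadata files that live directly inside '.osc'. '_osclib_version' is named in the
# advisory; the remaining entries are constructed for this example.
STORE_SPECIAL_FILES = frozenset({"_osclib_version", "_files", "_meta", "_apiurl"})

# Subdirectory that store version 2.0 uses for package sources (assumed name,
# matching the changelog's 'sources').
SOURCES_SUBDIR = "sources"


class UnsafeFilename(ValueError):
    """A file name that must not be written into the store or extraction target."""


def validate_relative_name(name: str) -> str:
    """Return a normalised relative path, or raise UnsafeFilename.

    This is the check the cpio/ar hardening implies: an absolute member path or a
    '..' component would let the archive write outside the target directory.
    """
    if not name:
        raise UnsafeFilename("empty file name")
    if name.startswith("/") or os.path.isabs(name):
        raise UnsafeFilename(f"absolute path not allowed: {name!r}")
    normalized = posixpath.normpath(name)
    if normalized == "." or ".." in normalized.split("/"):
        raise UnsafeFilename(f"path escapes target directory: {name!r}")
    return normalized


def is_safe_archive_member(name: str) -> bool:
    """Boolean form of validate_relative_name() for filtering archive listings."""
    try:
        validate_relative_name(name)
    except UnsafeFilename:
        return False
    return True


def collides_with_special_file(name: str) -> bool:
    """True when a flat (store 1.x) layout would place this source file on top
    of one of the store's own metadata files."""
    try:
        return validate_relative_name(name) in STORE_SPECIAL_FILES
    except UnsafeFilename:
        return True  # an unsafe name is never acceptable either


def source_file_path(store_dir: str, name: str, store_version: str) -> str:
    """Map a package source file name to its location inside the store.

    Store 1.x kept sources next to the metadata files, so a server-supplied
    source named like a special file would overwrite it; here that is refused
    instead of trusted. Store 2.0 keeps every source under 'sources/', so the
    two namespaces can no longer collide.
    """
    rel = validate_relative_name(name)
    if store_version == "2.0":
        return os.path.join(store_dir, SOURCES_SUBDIR, rel)
    if rel in STORE_SPECIAL_FILES:
        raise UnsafeFilename(f"{name!r} would overwrite store metadata")
    return os.path.join(store_dir, rel)


if __name__ == "__main__":
    # Constructed sample names: one ordinary source, one archive member with an
    # absolute path, one with traversal, and one that mimics a metadata file.
    samples = ["foo.spec", "/etc/passwd", "../escape", "_osclib_version"]
    for sample in samples:
        print(f"{sample!r:24} archive member ok: {is_safe_archive_member(sample)}"
              f"  collides in 1.x: {collides_with_special_file(sample)}")
    print(source_file_path("/wc/.osc", "_osclib_version", "2.0"))
```

The version-2.0 branch accepts `_osclib_version` as a source name because it can only ever land in `sources/`; the 1.x branch rejects it, which is the behaviour a repaired or unconverted older checkout needs. `posixpath` is used deliberately so that archive member names are interpreted as the archive writes them, regardless of the host platform.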
References
* bsc#1122683
* bsc#1212476
* bsc#1218170
* bsc#1221340
* bsc#1225911
Cross-References:
* CVE-2024-22034
CVSS scores:
* CVE-2024-22034 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Affected Products:
* Development Tools Module 15-SP5
* Development Tools Module 15-SP6
* openSUSE Leap 15.4
* openSUSE Leap 15.5
* openSUSE Leap 15.6
* SUSE Linux Enterprise Desktop 15 SP5
* SUSE Linux Enterprise Desktop 15 SP6
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise Real Time 15 SP5
* SUSE Linux Enterprise Real Time 15 SP6
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
* SUSE Linux Enterprise Server for SAP Applications 15 SP6
An update that solves one vulnerability and has four security fixes can now be installed.
* https://www.suse.com/security/cve/CVE-2024-22034.html
* https://bugzilla.suse.com/show_bug.cgi?id=1122683
* https://bugzilla.suse.com/show_bug.cgi?id=1212476
* https://bugzilla.suse.com/show_bug.cgi?id=1218170
* https://bugzilla.suse.com/show_bug.cgi?id=1221340
* https://bugzilla.suse.com/show_bug.cgi?id=1225911