# Security update for osc

Announcement ID: SUSE-SU-2024:2961-1  
Rating: moderate  
References:

  * bsc#1122683
  * bsc#1212476
  * bsc#1218170
  * bsc#1221340
  * bsc#1225911

Cross-References:

  * CVE-2024-22034

CVSS scores:

  * CVE-2024-22034 ( SUSE ):  5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Affected Products:

  * Development Tools Module 15-SP5
  * Development Tools Module 15-SP6
  * openSUSE Leap 15.4
  * openSUSE Leap 15.5
  * openSUSE Leap 15.6
  * SUSE Linux Enterprise Desktop 15 SP5
  * SUSE Linux Enterprise Desktop 15 SP6
  * SUSE Linux Enterprise High Performance Computing 15 SP5
  * SUSE Linux Enterprise Real Time 15 SP5
  * SUSE Linux Enterprise Real Time 15 SP6
  * SUSE Linux Enterprise Server 15 SP5
  * SUSE Linux Enterprise Server 15 SP6
  * SUSE Linux Enterprise Server for SAP Applications 15 SP5
  * SUSE Linux Enterprise Server for SAP Applications 15 SP6

An update that solves one vulnerability and has four security fixes can now be
installed.

## Description:

This update for osc fixes the following issues:

  * 1.9.0
    * Security:
      * Fix possibility to overwrite special files in .osc (CVE-2024-22034 bsc#1225911). Source files are now stored in the 'sources' subdirectory, which prevents name collisions. This requires changing the version of the '.osc' store to 2.0.
    * Command-line:
      * Introduce build --checks parameter
    * Library:
      * OscConfigParser: Remove automatic `__name__` option
  * 1.8.3
    * Command-line:
      * Change 'repairwc' command to always run all repair steps
    * Library:
      * Make most of the fields in KeyinfoPubkey and KeyinfoSslcert models optional
      * Fix colorize() to avoid wrapping empty string into color escape sequences
      * Provide default values for kwargs.get/pop in get_results() function
  * 1.8.2
    * Library:
      * Change 'repairwc' command to fix missing .osc/_osclib_version
      * Make error message in check_store_version() more generic to work for both projects and packages
      * Fix check_store_version in project store
  * 1.8.1
    * Command-line:
      * Fix 'linkpac' command crash when used with '--disable-build' or '--disable-publish' option
  * 1.8.0
    * Command-line:
      * Improve 'submitrequest' command to inherit description from superseded request
      * Fix 'mv' command when renaming a file multiple times
      * Improve 'info' command to support projects
      * Improve 'getbinaries' command by accepting '-M' / '--multibuild-package' option outside checkouts
      * Add architecture filtering to 'release' command
      * Change 'results' command so the normal and multibuild packages have the same output
      * Change 'results' command to use csv writer instead of formatting csv as string
      * Add a couple of mutually exclusive option errors to 'results' command
      * Set a default value for 'results --format' only for the csv output
      * Add support for 'results --format' for the default text mode
      * Update help text for '--format' option in 'results' command
      * Add 'results --fail-on-error/-F' flag
      * Redirect venv warnings from stderr to debug output
    * Configuration:
      * Fix config parser to throw an exception on duplicate sections or options
      * Modify conf.get_config() to print permissions warning to stderr rather than stdout
    * Library:
      * Run check_store_version() in obs_scm.Store and fix related code in Project and Package
      * Forbid extracting files with absolute path from 'cpio' archives (bsc#1122683)
      * Forbid extracting files with absolute path from 'ar' archives (bsc#1122683)
      * Remove no longer valid warning from core.unpack_srcrpm()
      * Make obs_api.KeyinfoSslcert keyid and fingerprint fields optional
      * Fix return value in build.create_build_descr_data()
      * Fix core.get_package_results() to obey 'multibuild_packages' argument
    * Tests:
      * Fix tests so they don't modify fixtures
  * 1.7.0
    * Command-line:
      * Add 'person search' command
      * Add 'person register' command
      * Add '-M/--multibuild-package' option to '[what]dependson' commands
      * Update '-U/--user' option in 'maintainer' command to also accept an email address
      * Fix 'branch' command to allow using '--new-package' option on packages that do not exist
      * Fix 'buildinfo' command to include obs:cli_debug_packages by default
      * Fix 'buildinfo' command to send complete local build environment as the 'build' command does
      * Fix 'maintainer --devel-project' to raise an error if running outside a working copy without any arguments
      * Fix handling arguments in 'service remoterun prj/pac'
      * Fix 'rebuild' command so the '--all' option conflicts with the 'package' argument
      * Fix crash when removing 'scmsync' element from dst package meta in 'linkpac' command
      * Fix crash when reading dst package meta in 'linkpac' command
      * Allow `osc rpmlint` to infer prj/pkg from CWD
      * Propagate exit code from the run() and do_() commandline methods
      * Give a hint where a scmsync git is hosted
      * Fix crash in 'updatepacmetafromspec' command when working with an incomplete spec
      * Improve 'updatepacmetafromspec' command to expand rpm spec macros by calling rpmspec to query the data
      * Improve 'build' and 'buildinfo' commands by uploading *.inc files to OBS for parsing BuildRequires (bsc#1221340)
      * Improve 'service' command by printing names of running services
      * Improve 'getbinaries' command by ignoring source and debuginfo filters when a binary name is specified
      * Change 'build' command to pass '--jobs' option to 'build' tool only if 'build_jobs' > 0
      * Clarify 'list' command's help that listing binaries doesn't contain md5 checksums
      * Improve 'log' command: produce proper CSV and XML outputs, add -p/--patch option for the text output
      * Allow setlinkrev to set a specific vrev
      * Document '--buildtool-opt=--noclean' example in 'build' command's help
      * Fix handling the default package argument on the command-line
    * Configuration:
      * Document loading configuration from env variables
    * Connection:
      * Don't retry on error 400
      * Remove now unused 'retry_on_400' http_request() option from XmlModel
      * Revert "Don't retry on 400 HTTP status code in core.server_diff()"
      * Revert "connection: Allow disabling retry on 400 HTTP status code"
    * Authentication:
      * Update SignatureAuthHandler to support specifying ssh key by its fingerprint
      * Use ssh key from ssh agent that contains comment 'obs='
      * Use strings instead of bytes in SignatureAuthHandler
      * Cache password from SecretService to avoid spamming user with an accept dialog
      * Never ask for credentials when displaying help
      * Remove unused SignatureAuthHandler.get_fingerprint()
    * Library:
      * Add rootless build support for 'qemu' VM type
      * Support package linking of packages from scmsync projects
      * Fix do_createrequest() function to return None instead of request id
      * Replace invalid 'if' with 'elif' in BaseModel.dict()
      * Fix crash when no preferred packages are defined
      * Add XmlModel class that encapsulates manipulation with XML
      * Add obs_api.Person.cmd_register() for registering new users
      * Fix conf.get_config() to ignore file type bits when comparing oscrc perms
      * Fix conf.get_config() to correctly handle overrides when env variables are set
      * Fix output.tty.IS_INTERACTIVE when os.isatty() throws OSError
      * Improve cmdln.HelpFormatter to obey newline characters
      * Update list of color codes in 'output.tty' module
      * Remove core.setDevelProject() in favor of core.set_devel_project()
      * Move removing control characters to output.sanitize_text()
      * Improve sanitize_text() to keep selected CSI escape sequences
      * Add output.pipe_to_pager() that pipes lines to a pager without creating an intermediate temporary file
      * Fix output.safe_write() in connection with NamedTemporaryFile
      * Modernize output.run_pager()
      * Extend output.print_msg() to accept 'error' and 'warning' values of 'to_print' argument
      * Add XPathQuery class for translating keyword arguments to an xpath query
      * Add obs_api.Keyinfo class
      * Add obs_api.Package class
      * Add Package.get_revision_list() for listing commit log
      * Add obs_api.PackageSources class for handling OBS SCM sources
      * Add obs_api.Person class
      * Add obs_api.Project class
      * Add obs_api.Request class
      * Add obs_api.Token class
      * Allow storing apiurl in the XmlModel instances
      * Allow retrieving default field value from top-level model
      * Fix BaseModel to convert dictionaries to objects on retrieving a model list
      * Fix BaseModel to always deepcopy mutable defaults on first use
      * Implement do_snapshot() and has_changed() methods to determine changes in BaseModel
      * Implement total ordering on BaseModel
      * Add comments with available attributes/elements to edited XML
    * Refactoring:
      * Migrate repo {list,add,remove} commands to obs_api.Project
      * Migrate core.show_package_disabled_repos() to obs_api.Package
      * Migrate core.Package.update_package_meta() to obs_api.Package
      * Migrate core.get_repos_of_project() to obs_api.Project
      * Migrate core.get_repositories_of_project() to obs_api.Project
      * Migrate core.show_scmsync() to obs_api.{Package,Project}
      * Migrate core.set_devel_project() to obs_api.Package
      * Migrate core.show_devel_project() to obs_api.Package
      * Migrate Fetcher.run() to obs_api.Keyinfo
      * Migrate core.create_submit_request() to obs_api.Request
      * Migrate 'token' command to obs_api.Token
      * Migrate 'whois/user' command to obs_api.Person
      * Migrate 'signkey' command to obs_api.Keyinfo
      * Move print_msg() to the 'osc.output' module
      * Move run_pager() and get_default_pager() from 'core' to 'output' module
      * Move core.Package to obs_scm.Package
      * Move core.Project to obs_scm.Project
      * Move functions manipulating store from core to obs_scm.store
      * Move store.Store to obs_scm.Store
      * Move core.Linkinfo to obs_scm.Linkinfo
      * Move core.Serviceinfo to obs_scm.Serviceinfo
      * Move core.File to obs_scm.File
      * Merge _private.project.ProjectMeta into obs_api.Project
    * Spec:
      * Remove dependency on /usr/bin/python3 using %python3_fix_shebang macro (bsc#1212476)
  * 1.6.2
    * Command-line:
      * Fix 'branch' command to allow using '--new-package' option on packages that do not exist
      * Fix 'buildinfo' command to include obs:cli_debug_packages by default
      * Fix 'buildinfo' command to send complete local build environment as the 'build' command does
      * Allow `osc rpmlint` to infer prj/pkg from CWD
      * Propagate exit code from the run() and do_() commandline methods
      * Give a hint where a scmsync git is hosted
      * Fix crash in 'updatepacmetafromspec' command when working with an incomplete spec
    * Authentication:
      * Cache password from SecretService to avoid spamming user with an accept dialog
      * Never ask for credentials when displaying help
    * Library:
      * Support package linking of packages from scmsync projects
      * Fix do_createrequest() function to return None instead of request id
      * Replace invalid 'if' with 'elif' in BaseModel.dict()
      * Fix crash when no preferred packages are defined
  * 1.6.1
    * Command-line:
      * Use busybox compatible commands for completion
      * Change 'wipe' command to use the new get_user_input() function
      * Fix error 500 in running 'meta attribute'
    * Configuration:
      * Fix resolving config symlink to the actual config file
      * Honor XDG_CONFIG_HOME and XDG_CACHE_HOME env vars
      * Warn about ignoring XDG_CONFIG_HOME and ~/.config/osc/oscrc if ~/.oscrc exists
    * Library:
      * Error out when branching a scmsync package
      * New get_user_input() function for consistent handling of user input
      * Move xml_indent, xml_quote and xml_unquote to osc.util.xml module
      * Refactor makeurl(), deprecate query taking string or list arguments, drop osc_urlencode()
      * Remove all path quoting, rely on makeurl()
      * Always use dict query in makeurl()
      * Fix core.slash_split() to strip both leading and trailing slashes
  * 1.6.0
    * Command-line:
      * The 'token --trigger' command no longer sets '--operation=runservice' by default.
      * Change 'token --create' command to require '--operation'
      * Fix 'linkdiff' command error 400: prj/pac/md5 not in repository
      * Update 'build' command to support building 'productcompose' build type with updateinfo.xml data
      * Don't show meter in terminals that are not interactive
      * Fix traceback when running osc from an arbitrary git repo that fails to map branch to a project (bsc#1218170)
    * Configuration:
      * Implement reading credentials from environment variables
      * Allow starting with an empty config if --configfile is either empty or points to /dev/null
      * Implement 'quiet' conf option
      * Password can be an empty string (commonly used with ssh auth)
    * Connection:
      * Allow -X HEAD on osc api requests as well
    * Library:
      * Fix credentials managers to consistently return Password
      * Fix Password.encode() on python < 3.8
      * Refactor 'meter' module, use config settings to pick the right class
      * Convert to using f-strings
      * Use Field.get_callback to handle quiet/verbose and http_debug/http_full_debug options
      * Implement get_callback that allows modifying returned value to the Field class
      * Add support for List[BaseModel] type to Field class
      * Report class name when reporting an error during instantiating BaseModel object
      * Fix exporting an empty model field in BaseModel.dict()
      * Fix initializing a sub-model instance from a dictionary
      * Implement 'Enum' support in models
      * Fix Field.origin_type for Optional types
      * Drop unused 'exclude_unset' argument from BaseModel.dict() method
      * Store cached model defaults in self._defaults, avoid sharing references to mutable defaults
      * Limit model attributes to predefined fields by forbidding creating new attributes on the fly
      * Store model values in self._values dict instead of private attributes
    * Spec:
      * Recommend openssh-clients for ssh-add that is required during ssh auth
      * Add 0%{?amzn} macro that wasn't upstreamed
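Two entries above describe the same class of defect from different angles: the 1.9.0 fix for CVE-2024-22034 (source files that shared the .osc store directory with its control files could overwrite them, so sources were moved into a 'sources' subdirectory) and the 1.8.0 refusal to extract cpio/ar archive members with absolute paths. The following is an added illustration written for this page, not osc's own code: it models the old and new store layouts to show why the subdirectory removes the collision, and implements the kind of member-name validation an extractor needs. The control file `_osclib_version` is named in the advisory; `_files` and `_meta` are constructed stand-ins, and every function name is hypothetical.

```python
"""Added example, not osc's own code: why moving sources into a 'sources'
subdirectory prevents collisions with store control files (the 1.9.0 fix),
and how to validate archive member names before extraction (the 1.8.0
cpio/ar fixes).  All function names are hypothetical."""
import posixpath
from typing import Optional

# Control files kept in the store directory.  '_osclib_version' is named in
# the advisory; '_files' and '_meta' are constructed stand-ins.
CONTROL_FILES = {"_osclib_version", "_files", "_meta"}


def flat_store_target(store_dir: str, source_name: str) -> str:
    """Old-style layout (constructed): sources are written straight into the
    store directory, so a source whose name equals a control file's name
    resolves to that control file and would overwrite it."""
    return posixpath.join(store_dir, source_name)


def subdir_store_target(store_dir: str, source_name: str) -> str:
    """Layout after the fix: sources go to <store>/sources/<name>, a
    directory that holds no control files, so no source name can collide."""
    return posixpath.join(store_dir, "sources", source_name)


def collides_with_control_file(store_dir: str, target: str) -> bool:
    """True when the resolved target is one of the store's control files."""
    return (posixpath.dirname(target) == store_dir
            and posixpath.basename(target) in CONTROL_FILES)


def is_safe_member_name(name: str) -> bool:
    """Accept only relative member names that stay below the extraction
    directory: no empty names, no absolute paths, and no '..' component
    left after normalisation (so 'a/../../x' is rejected, 'a/../b' is not)."""
    if not name or posixpath.isabs(name):
        return False
    parts = posixpath.normpath(name).split("/")
    return ".." not in parts


def safe_extract_target(extract_dir: str, member_name: str) -> Optional[str]:
    """Return the path an archive member may be written to, or None if the
    member is rejected.  The name check is backed by a second, structural
    check: the joined, normalised path must remain inside extract_dir."""
    if not is_safe_member_name(member_name):
        return None
    root = posixpath.normpath(extract_dir)
    target = posixpath.normpath(posixpath.join(root, member_name))
    if posixpath.commonpath([root, target]) != root:
        return None
    return target


if __name__ == "__main__":
    store = "/wc/.osc"  # constructed working-copy store path
    for layout in (flat_store_target, subdir_store_target):
        t = layout(store, "_osclib_version")
        print(f"{layout.__name__}: {t} collides={collides_with_control_file(store, t)}")
    for member in ("src/main.c", "/etc/passwd", "a/../../escape"):
        print(f"{member!r} -> {safe_extract_target('/tmp/wc', member)!r}")
```

Running the block shows the flat layout mapping a source named `_osclib_version` onto the store's own control file, while the subdirectory layout never does; the extractor helper rejects the absolute and parent-escaping member names and accepts the ordinary relative one.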

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * openSUSE Leap 15.4  
    `zypper in -t patch SUSE-2024-2961=1`

  * openSUSE Leap 15.5  
    `zypper in -t patch openSUSE-SLE-15.5-2024-2961=1`

  * openSUSE Leap 15.6  
    `zypper in -t patch openSUSE-SLE-15.6-2024-2961=1`

  * Development Tools Module 15-SP5  
    `zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP5-2024-2961=1`

  * Development Tools Module 15-SP6  
    `zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP6-2024-2961=1`

## Package List:

  * openSUSE Leap 15.4 (noarch)
    * osc-1.9.0-150400.10.6.1
  * openSUSE Leap 15.5 (noarch)
    * osc-1.9.0-150400.10.6.1
  * openSUSE Leap 15.6 (noarch)
    * osc-1.9.0-150400.10.6.1
  * Development Tools Module 15-SP5 (noarch)
    * osc-1.9.0-150400.10.6.1
  * Development Tools Module 15-SP6 (noarch)
    * osc-1.9.0-150400.10.6.1

## References:

  * https://www.suse.com/security/cve/CVE-2024-22034.html
  * https://bugzilla.suse.com/show_bug.cgi?id=1122683
  * https://bugzilla.suse.com/show_bug.cgi?id=1212476
  * https://bugzilla.suse.com/show_bug.cgi?id=1218170
  * https://bugzilla.suse.com/show_bug.cgi?id=1221340
  * https://bugzilla.suse.com/show_bug.cgi?id=1225911

Published: August 19, 2024