Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 524
Alerts This Week
Warning Icon 1 524

Stay Secure with the Latest Linux Advisories

Filter%20icon Refine advisories
X Clear Filters
X Clear Filters
View More

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Community Poll

Is continuous patching actually viable?

No answer selected. Please try again.
Please select either existing option or enter your own, however not both.
Please select minimum {0} answer(s).
Please select maximum {0} answer(s).
/main-polls/156-is-continuous-patching-actually-viable?task=poll.vote&format=json
156
radio
0
[{"id":503,"title":"Delayed updates invite catastrophic breaches.","votes":1,"type":"x","order":1,"pct":50,"resources":[]},{"id":504,"title":"Automated fixes break production environments.","votes":1,"type":"x","order":2,"pct":50,"resources":[]},{"id":505,"title":"Manual approvals cannot keep pace.","votes":0,"type":"x","order":3,"pct":0,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
bottom 200
Loading...

Explore Latest Linux Security advisories

We found 4 articles for you...
100

SUSE: 2024:2961-1 Moderate: osc Security Update Addresses Issues

* bsc#1122683 * bsc#1212476 * bsc#1218170 * bsc#1221340 * bsc#1225911 . # Security update for osc Announcement ID: SUSE-SU-2024:2961-1 Rating: moderate References: * bsc#1122683 * bsc#1212476 * bsc#1218170 * bsc#1221340 * bsc#1225911 Cross-References: * CVE-2024-22034 CVSS scores: * CVE-2024-22034 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N Affected Products: * Development Tools Module 15-SP5 * Development Tools Module 15-SP6 * openSUSE Leap 15.4 * openSUSE Leap 15.5 * openSUSE Leap 15.6 * SUSE Linux Enterprise Desktop 15 SP5 * SUSE Linux Enterprise Desktop 15 SP6 * SUSE Linux Enterprise High Performance Computing 15 SP5 * SUSE Linux Enterprise Real Time 15 SP5 * SUSE Linux Enterprise Real Time 15 SP6 * SUSE Linux Enterprise Server 15 SP5 * SUSE Linux Enterprise Server 15 SP6 * SUSE Linux Enterprise Server for SAP Applications 15 SP5 * SUSE Linux Enterprise Server for SAP Applications 15 SP6 An update that solves one vulnerability and has four security fixes can now be installed. ## Description: This update for osc fixes the following issues: * 1.9.0 * Security: * Fix possibility to overwrite special files in .osc (CVE-2024-22034 bsc#1225911) Source files are now stored in the 'sources' subdirectory which prevents name collisons. This requires changing version of '.osc' store to 2.0. * Command-line: * Introduce build --checks parameter * Library: * OscConfigParser: Remove automatic **name** option * 1.8.3 * Command-line: * Change 'repairwc' command to always run all repair steps * Library: * Make most of the fields in KeyinfoPubkey and KeyinfoSslcert models optional * Fix colorize() to avoid wrapping empty string into color escape sequences * Provide default values for kwargs.get/pop in get_results() function * 1.8.2 * Library: * Change 'repairwc' command to fix missing .osc/_osclib_version * Make error message in check_store_version() more generic to work forboth projects and packages * Fix check_store_version in project store * 1.8.1 * Command-line: * Fix 'linkpac' command crash when used with '\--disable-build' or '\--disable-publish' option * 1.8.0 * Command-line: * Improve 'submitrequest' command to inherit description from superseded request * Fix 'mv' command when renaming a file multiple times * Improve 'info' command to support projects * Improve 'getbinaries' command by accepting '-M' / '\--multibuild-package' option outside checkouts * Add architecture filtering to 'release' command * Change 'results' command so the normal and multibuild packages have the same output * Change 'results' command to use csv writer instead of formatting csv as string * Add couple mutually exclusive options errors to 'results' command * Set a default value for 'results --format' only for the csv output * Add support for 'results --format' for the default text mode * Update help text for '\--format' option in 'results' command * Add 'results --fail-on-error/-F' flag * Redirect venv warnings from stderr to debug output * Configuration: * Fix config parser to throw an exception on duplicate sections or options * Modify conf.get_config() to print permissions warning to stderr rather than stdout * Library: * Run check_store_version() in obs_scm.Store and fix related code in Project and Package * Forbid extracting files with absolute path from 'cpio' archives (bsc#1122683) * Forbid extracting files with absolute path from 'ar' archives (bsc#1122683) * Remove no longer valid warning from core.unpack_srcrpm() * Make obs_api.KeyinfoSslcert keyid and fingerprint fields optional * Fix return value in build build.create_build_descr_data() * Fix core.get_package_results() to obey 'multibuild_packages' argument * Tests: * Fix tests so they don't modify fixtures * 1.7.0 * Command-line: * Add 'person search' command * Add 'person register' command * Add'-M/--multibuild-package' option to '[what]dependson' commands * Update '-U/--user' option in 'maintainer' command to accept also an email address * Fix 'branch' command to allow using '\--new-package' option on packages that do not exist * Fix 'buildinfo' command to include obs:cli_debug_packages by default * Fix 'buildinfo' command to send complete local build environment as the 'build' command does * Fix 'maintainer --devel-project' to raise an error if running outside a working copy without any arguments * Fix handling arguments in 'service remoterun prj/pac' * Fix 'rebuild' command so the '\--all' option conflicts with the 'package' argument * Fix crash when removing 'scmsync' element from dst package meta in 'linkpac' command * Fix crash when reading dst package meta in 'linkpac' command * Allow `osc rpmlint` to infer prj/pkg from CWD * Propagate exit code from the run() and do_() commandline methods * Give a hint where a scmsync git is hosted * Fix crash in 'updatepacmetafromspec' command when working with an incomplete spec * Improve 'updatepacmetafromspec' command to expand rpm spec macros by calling rpmspec to query the data * Improve 'build' and 'buildinfo' commands by uploading *.inc files to OBS for parsing BuildRequires (bsc#1221340) * Improve 'service' command by printing names of running services * Improve 'getbinaries' command by ignoring source and debuginfo filters when a binary name is specified * Change 'build' command to pass '\--jobs' option to 'build' tool only if 'build_jobs' > 0 * Clarify 'list' command's help that that listing binaries doesn't contain md5 checksums * Improve 'log' command: produce proper CSV and XML outputs, add -p/--patch option for the text output * Allow setlinkrev to set a specific vrev * Document '\--buildtool-opt=--noclean' example in 'build' command's help * Fix handling the default package argument on the command-line * Configuration: * Document loadingconfiguration from env variables * Connection: * Don't retry on error 400 * Remove now unused 'retry_on_400' http_request() option from XmlModel * Revert "Don't retry on 400 HTTP status code in core.server_diff()" * Revert "connection: Allow disabling retry on 400 HTTP status code" * Authentication: * Update SignatureAuthHandler to support specifying ssh key by its fingerprint * Use ssh key from ssh agent that contains comment 'obs= ' * Use strings instead of bytes in SignatureAuthHandler * Cache password from SecretService to avoid spamming user with an accept dialog * Never ask for credentials when displaying help * Remove unused SignatureAuthHandler.get_fingerprint() * Library: * Add rootless build support for 'qemu' VM type * Support package linking of packages from scmsync projects * Fix do_createrequest() function to return None instead of request id * Replace invalid 'if' with 'elif' in BaseModel.dict() * Fix crash when no prefered packages are defined * Add XmlModel class that encapsulates manipulation with XML * Add obs_api.Person.cmd_register() for registering new users * Fix conf.get_config() to ignore file type bits when comparing oscrc perms * Fix conf.get_config() to correctly handle overrides when env variables are set * Fix output.tty.IS_INTERACTIVE when os.isatty() throws OSError * Improve cmdln.HelpFormatter to obey newline characters * Update list of color codes in 'output.tty' module * Remove core.setDevelProject() in favor of core.set_devel_project() * Move removing control characters to output.sanitize_text() * Improve sanitize_text() to keep selected CSI escape sequences * Add output.pipe_to_pager() that pipes lines to a pager without creating an intermediate temporary file * Fix output.safe_write() in connection with NamedTemporaryFile * Modernize output.run_pager() * Extend output.print_msg() to accept 'error' and 'warning' values of 'to_print' argument * AddXPathQuery class for translating keyword arguments to an xpath query * Add obs_api.Keyinfo class * Add obs_api.Package class * Add Package.get_revision_list() for listing commit log * Add obs_api.PackageSources class for handling OBS SCM sources * Add obs_api.Person class * Add obs_api.Project class * Add obs_api.Request class * Add obs_api.Token class * Allow storing apiurl in the XmlModel instances * Allow retrieving default field value from top-level model * Fix BaseModel to convert dictionaries to objects on retrieving a model list * Fix BaseModel to always deepcopy mutable defaults on first use * Implement do_snapshot() and has_changed() methods to determine changes in BaseModel * Implement total ordering on BaseModel * Add comments with available attributes/elements to edited XML * Refactoring: * Migrate repo {list,add,remove} commands to obs_api.Project * Migrate core.show_package_disabled_repos() to obs_api.Package * Migrate core.Package.update_package_meta() to obs_api.Package * Migrate core.get_repos_of_project() to obs_api.Project * Migrate core.get_repositories_of_project() to obs_api.Project * Migrate core.show_scmsync() to obs_api.{Package,Project} * Migrate core.set_devel_project() to obs_api.Package * Migrate core.show_devel_project() to obs_api.Package * Migrate Fetcher.run() to obs_api.Keyinfo * Migrate core.create_submit_request() to obs_api.Request * Migrate 'token' command to obs_api.Token * Migrate 'whois/user' command to obs_api.Person * Migrate 'signkey' command to obs_api.Keyinfo * Move print_msg() to the 'osc.output' module * Move run_pager() and get_default_pager() from 'core' to 'output' module * Move core.Package to obs_scm.Package * Move core.Project to obs_scm.Project * Move functions manipulating store from core to obs_scm.store * Move store.Store to obs_scm.Store * Move core.Linkinfo to obs_scm.Linkinfo * Move core.Serviceinfo toobs_scm.Serviceinfo * Move core.File to obs_scm.File * Merge _private.project.ProjectMeta into obs_api.Project * Spec: * Remove dependency on /usr/bin/python3 using %python3_fix_shebang macro (bsc#1212476) * 1.6.2 * Command-line: * Fix 'branch' command to allow using '\--new-package' option on packages that do not exist * Fix 'buildinfo' command to include obs:cli_debug_packages by default * Fix 'buildinfo' command to send complete local build environment as the 'build' command does * Allow `osc rpmlint` to infer prj/pkg from CWD * Propagate exit code from the run() and do_() commandline methods * Give a hint where a scmsync git is hosted * Fix crash in 'updatepacmetafromspec' command when working with an incomplete spec * Authentication: * Cache password from SecretService to avoid spamming user with an accept dialog * Never ask for credentials when displaying help * Library: * Support package linking of packages from scmsync projects * Fix do_createrequest() function to return None instead of request id * Replace invalid 'if' with 'elif' in BaseModel.dict() * Fix crash when no prefered packages are defined * 1.6.1 * Command-line: * Use busybox compatible commands for completion * Change 'wipe' command to use the new get_user_input() function * Fix error 500 in running 'meta attribute ' * Configuration: * Fix resolving config symlink to the actual config file * Honor XDG_CONFIG_HOME and XDG_CACHE_HOME env vars * Warn about ignoring XDG_CONFIG_HOME and ~/.config/osc/oscrc if ~/.oscrc exists * Library: * Error out when branching a scmsync package * New get_user_input() function for consistent handling of user input * Move xml_indent, xml_quote and xml_unquote to osc.util.xml module * Refactor makeurl(), deprecate query taking string or list arguments, drop osc_urlencode() * Remove all path quoting, rely on makeurl() * Always use dict query in makeurl() * Fixcore.slash_split() to strip both leading and trailing slashes * 1.6.0 * Command-line: * The 'token --trigger' command no longer sets '\--operation=runservice' by default. * Change 'token --create' command to require '\--operation' * Fix 'linkdiff' command error 400: prj/pac/md5 not in repository * Update 'build' command to support building 'productcompose' build type with updateinfo.xml data * Don't show meter in terminals that are not interactive * Fix traceback when running osc from an arbitrary git repo that fails to map branch to a project (bsc#1218170) * Configuration: * Implement reading credentials from environmental variables * Allow starting with an empty config if --configfile is either empty or points to /dev/null * Implement 'quiet' conf option * Password can be an empty string (commonly used with ssh auth) * Connection: * Allow -X HEAD on osc api requests as well * Library: * Fix credentials managers to consistently return Password * Fix Password.encode() on python < 3.8 * Refactor 'meter' module, use config settings to pick the right class * Convert to using f-strings * Use Field.get_callback to handle quiet/verbose and http_debug/http_full_debug options * Implement get_callback that allows modifying returned value to the Field class * Add support for List[BaseModel] type to Field class * Report class name when reporting an error during instantiating BaseModel object * Fix exporting an empty model field in BaseModel.dict() * Fix initializing a sub-model instance from a dictionary * Implement 'Enum' support in models * Fix Field.origin_type for Optional types * Drop unused 'exclude_unset' argument from BaseModel.dict() method * Store cached model defaults in self._defaults, avoid sharing references to mutable defaults * Limit model attributes to predefined fields by forbidding creating new attributes on fly * Store model values in self._values dict instead of private attributes *Spec: * Recommend openssh-clients for ssh-add that is required during ssh auth * Add 0%{?amzn} macro that wasn't usptreamed ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * openSUSE Leap 15.4 zypper in -t patch SUSE-2024-2961=1 * openSUSE Leap 15.5 zypper in -t patch openSUSE-SLE-15.5-2024-2961=1 * openSUSE Leap 15.6 zypper in -t patch openSUSE-SLE-15.6-2024-2961=1 * Development Tools Module 15-SP5 zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP5-2024-2961=1 * Development Tools Module 15-SP6 zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP6-2024-2961=1 ## Package List: * openSUSE Leap 15.4 (noarch) * osc-1.9.0-150400.10.6.1 * openSUSE Leap 15.5 (noarch) * osc-1.9.0-150400.10.6.1 * openSUSE Leap 15.6 (noarch) * osc-1.9.0-150400.10.6.1 * Development Tools Module 15-SP5 (noarch) * osc-1.9.0-150400.10.6.1 * Development Tools Module 15-SP6 (noarch) * osc-1.9.0-150400.10.6.1 ## References: * https://www.suse.com/security/cve/CVE-2024-22034.html * https://bugzilla.suse.com/show_bug.cgi?id=1122683 * https://bugzilla.suse.com/show_bug.cgi?id=1212476 * https://bugzilla.suse.com/show_bug.cgi?id=1218170 * https://bugzilla.suse.com/show_bug.cgi?id=1221340 * https://bugzilla.suse.com/show_bug.cgi?id=1225911 . Enhancements rolled out for osc strengthen security by resolving various vulnerabilities in SUSE offerings, leading to improved reliability and defense.. SUSE Update, osc Security, SUSE Advisory, Security Fixes. . Severity: Important. LinuxSecurity.com Team

Calendar%202 Aug 19, 2024 Important SuSE
100

SUSE 2024:2963-1 Moderate: osc Security Advisory for CVE-2024-22034

* bsc#1225911 Cross-References: * CVE-2024-22034 . # Security update for osc Announcement ID: SUSE-SU-2024:2963-1 Rating: moderate References: * bsc#1225911 Cross-References: * CVE-2024-22034 CVSS scores: * CVE-2024-22034 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N Affected Products: * SUSE Linux Enterprise High Performance Computing 12 SP5 * SUSE Linux Enterprise Server 12 SP5 * SUSE Linux Enterprise Server for SAP Applications 12 SP5 * SUSE Linux Enterprise Software Development Kit 12 SP5 An update that solves one vulnerability can now be installed. ## Description: This update for osc fixes the following issues: 0.183.0 \- Fix possibility to overwrite special files in .osc (CVE-2024-22034 bsc#1225911) Source files are now stored in the 'sources' subdirectory which prevents name collisons. This requires changing version of '.osc' store to 2.0. \- Fix errorneous double quotes in core.py ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * SUSE Linux Enterprise Software Development Kit 12 SP5 zypper in -t patch SUSE-SLE-SDK-12-SP5-2024-2963=1 ## Package List: * SUSE Linux Enterprise Software Development Kit 12 SP5 (noarch) * osc-0.183.0-15.18.1 ## References: * https://www.suse.com/security/cve/CVE-2024-22034.html * https://bugzilla.suse.com/show_bug.cgi?id=1225911 . Oversee the osc security advisory notifications pertaining to SUSE: 2024:2963-1, which targets CVE-2024-22034 and is classified with a moderate severity level.. SUSE Update, osc Security Patch, CVE-2024-22034, Security Update, Package Management. . Severity: Important. LinuxSecurity.com Team

Calendar%202 Aug 19, 2024 Important SuSE
100

SUSE: 2020:1695-2 Moderate: osc Insufficient Validation Fix

An update that fixes one vulnerability is now available. . SUSE Security Update: Security update for osc ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1695-2 Rating: moderate References: #1122675 Cross-References: CVE-2019-3681 Affected Products: SUSE Linux Enterprise Module for Development Tools 15-SP2 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for osc to 0.169.1 fixes the following issues: Security issue fixed: - CVE-2019-3681: Fixed an insufficient validation of network-controlled filesystem paths (bsc#1122675). Non-security issues fixed: - Improved the speed and usability of osc bash completion. - improved some error messages. - osc add: support git@ (private github) or git:// URLs correctly. - Split dependson and whatdependson commands. - Added support for osc build --shell-cmd. - Added pkg-ccache support for osc build. - Added --ccache option to osc getbinaries Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Development Tools 15-SP2: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP2-2020-1695=1 Package List: - SUSE Linux Enterprise Module for Development Tools 15-SP2 (noarch): osc-0.169.1-3.20.1 References: https://www.suse.com/security/cve/CVE-2019-3681.html https://bugzilla.suse.com/1122675 _______________________________________________ sle-security-updates mailing list This email address is being protected from spambots. You need JavaScript enabled to view it. http://lists.suse.com/mailman/listinfo/sle-security-updates . SUSE Security Alert: osc upgrade addresses a significant risk flaw and improves efficiency. Discover more!.SUSE Linux Enterprise, osc security update, development tools patch, moderate risk vulnerability. . LinuxSecurity.com Team

Calendar%202 Jul 08, 2020 SuSE
202

openSUSE Leap 15.1: 2020:0852-1 Moderate: osc Insufficient Validation Fix

An update that fixes one vulnerability is now available.. openSUSE Security Update: Security update for osc ______________________________________________________________________________ Announcement ID: openSUSE-SU-2020:0852-1 Rating: moderate References: #1122675 Cross-References: CVE-2019-3681 Affected Products: openSUSE Leap 15.1 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for osc to 0.169.1 fixes the following issues: Security issue fixed: - CVE-2019-3681: Fixed an insufficient validation of network-controlled filesystem paths (bsc#1122675). Non-security issues fixed: - Improved the speed and usability of osc bash completion. - improved some error messages. - osc add: support git@ (private github) or git:// URLs correctly. - Split dependson and whatdependson commands. - Added support for osc build --shell-cmd. - Added pkg-ccache support for osc build. - Added --ccache option to osc getbinaries This update was imported from the SUSE:SLE-15-SP1:Update update project. Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.1: zypper in -t patch openSUSE-2020-852=1 Package List: - openSUSE Leap 15.1 (noarch): osc-0.169.1-lp151.2.15.1 References: https://www.suse.com/security/cve/CVE-2019-3681.html https://bugzilla.suse.com/1122675 -- . A patch for osc routes CVE-2019-3681, enhancing network protection in openSUSE. Resolution incorporated in the notification.. osc Security Update, openSUSE Network Security, Vulnerability Fixing, Insufficient Validation Issue. . LinuxSecurity.com Team

Calendar%202 Jun 22, 2020 OpenSUSE
100

SUSE: 2020:1528-1 Moderate: osc Network Path Validation Fix

An update that fixes one vulnerability is now available. . SUSE Security Update: Security update for osc ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1528-1 Rating: moderate References: #1122675 Cross-References: CVE-2019-3681 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP4 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for osc fixes the following issues: Security issue fixed: - CVE-2019-3681: Fixed an insufficient validation of network-controlled filesystem paths (bsc#1122675). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1528=1 - SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-1528=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP5 (noarch): osc-0.162.1-15.9.1 - SUSE Linux Enterprise Software Development Kit 12-SP4 (noarch): osc-0.162.1-15.9.1 References: https://www.suse.com/security/cve/CVE-2019-3681.html https://bugzilla.suse.com/1122675 _______________________________________________ sle-security-updates mailing list This email address is being protected from spambots. You need JavaScript enabled to view it. http://lists.suse.com/mailman/listinfo/sle-security-updates . SUSE Security Patch for osc; addresses a moderate vulnerability stemming from inadequate verification of paths managed via network.. SUSE Security Update, osc Fix, Software Development Kit, Network Validation Issue. . LinuxSecurity.com Team

Calendar%202 Jun 03, 2020 SuSE
202

openSUSE Leap 15.1: 2019:1844-1 Important: osc Man-in-the-Middle Fix

An update that solves one vulnerability and has 5 fixes is now available.. openSUSE Security Update: Security update for osc ______________________________________________________________________________ Announcement ID: openSUSE-SU-2019:1844-1 Rating: important References: #1129889 #1138977 #1140697 #1142518 #1142662 #1144211 Cross-References: CVE-2019-3685 Affected Products: openSUSE Leap 15.1 ______________________________________________________________________________ An update that solves one vulnerability and has 5 fixes is now available. Description: This update for osc to version 0.165.4 fixes the following issues: Security issue fixed: - CVE-2019-3685: Fixed broken TLS certificate handling allowing for a Man-in-the-middle attack (bsc#1142518). Non-security issues fixed: - support different token operations (runservice, release and rebuild) (requires OBS 2.10) - fix osc token decode error - offline build mode is now really offline and does not try to download the buildconfig - osc build -define now works with python3 - fixes an issue where the error message on osc meta -e was not parsed correctly - osc maintainer -s now works with python3 - simplified and fixed osc meta -e (bsc#1138977) - osc lbl now works with non utf8 encoding (bsc#1129889) - add simpleimage as local build type - allow optional fork when creating a maintenance request - fix RPMError fallback - fix local caching for all package formats - fix appname for trusted cert store - osc -h does not break anymore when using plugins - switch to difflib.diff_bytes and sys.stdout.buffer.write for diffing. This will fix all decoding issues with osc diff, osc ci and osc rq -d - fix osc ls -lb handling empty size and mtime - removed decoding on osc api command. This update was imported from the SUSE:SLE-15-SP1:Update update project. Patch Instructions: To install thisopenSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.1: zypper in -t patch openSUSE-2019-1844=1 Package List: - openSUSE Leap 15.1 (noarch): osc-0.165.4-lp151.2.6.1 References: https://www.suse.com/security/cve/CVE-2019-3685.html https://bugzilla.suse.com/1129889 https://bugzilla.suse.com/1138977 https://bugzilla.suse.com/1140697 https://bugzilla.suse.com/1142518 https://bugzilla.suse.com/1142662 https://bugzilla.suse.com/1144211 -- . OpenSUSE: 2021:2390-2 Critical: Addressed SSL security flaw in zypper upgrade to improve system integrity. openSUSE Security Update, osc TLS Fix, 2019 Update, Man-in-the-Middle Protection, Security Advisory. . Severity: Important. LinuxSecurity.com Team

Calendar%202 Aug 12, 2019 Important OpenSUSE
100

SUSE: 2019:2067-1 Important: osc TLS Man-in-the-Middle Issue

An update that solves one vulnerability and has 5 fixes is now available. . SUSE Security Update: Security update for osc ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:2067-1 Rating: important References: #1129889 #1138977 #1140697 #1142518 #1142662 #1144211 Cross-References: CVE-2019-3685 Affected Products: SUSE Linux Enterprise Module for Development Tools 15-SP1 ______________________________________________________________________________ An update that solves one vulnerability and has 5 fixes is now available. Description: This update for osc to version 0.165.4 fixes the following issues: Security issue fixed: - CVE-2019-3685: Fixed broken TLS certificate handling allowing for a Man-in-the-middle attack (bsc#1142518). Non-security issues fixed: - support different token operations (runservice, release and rebuild) (requires OBS 2.10) - fix osc token decode error - offline build mode is now really offline and does not try to download the buildconfig - osc build -define now works with python3 - fixes an issue where the error message on osc meta -e was not parsed correctly - osc maintainer -s now works with python3 - simplified and fixed osc meta -e (bsc#1138977) - osc lbl now works with non utf8 encoding (bsc#1129889) - add simpleimage as local build type - allow optional fork when creating a maintenance request - fix RPMError fallback - fix local caching for all package formats - fix appname for trusted cert store - osc -h does not break anymore when using plugins - switch to difflib.diff_bytes and sys.stdout.buffer.write for diffing. This will fix all decoding issues with osc diff, osc ci and osc rq -d - fix osc ls -lb handling empty size and mtime - removed decoding on osc api command. Patch Instructions: To install this SUSE Security Update use the SUSE recommendedinstallation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP1-2019-2067=1 Package List: - SUSE Linux Enterprise Module for Development Tools 15-SP1 (noarch): osc-0.165.4-3.9.1 References: https://www.suse.com/security/cve/CVE-2019-3685.html https://bugzilla.suse.com/1129889 https://bugzilla.suse.com/1138977 https://bugzilla.suse.com/1140697 https://bugzilla.suse.com/1142518 https://bugzilla.suse.com/1142662 https://bugzilla.suse.com/1144211 _______________________________________________ sle-security-updates mailing list This email address is being protected from spambots. You need JavaScript enabled to view it. http://lists.suse.com/mailman/listinfo/sle-security-updates . SUSE has released a Security Update for osc that addresses a vulnerability in TLS, which could enable man-in-the-middle attacks, along with significant patches included.. SUSE Security Update, osc TLS Fix, SUSE Development Tools, patch installation, security issues. . Severity: Important. LinuxSecurity.com Team

Calendar%202 Aug 06, 2019 Important SuSE
89

Fedora 27: Security Update for osc-source_validator Critical Code Execution

Rebase `osc` and `osc-source_validator` to new versions for security fixes for CVE-2017-9274. --------------------------------------------------------------------------------Fedora Update Notification FEDORA-2018-ac8aab1f7a 2018-01-16 14:15:39.904099 --------------------------------------------------------------------------------Name : osc-source_validator Product : Fedora 27 Version : 0.10 Release : 1.fc27 URL : https://github.com/openSUSE/obs-service-source_validator Summary : OBS source service to validate sources Description : This is a source service for openSUSE Build Service. This service runs all checks as required by openSUSE:Factory project. This can be used to guarantee that all checks succeed also on the service side. This plugin can be used via project wide defined services. --------------------------------------------------------------------------------Update Information: Rebase `osc` and `osc-source_validator` to new versions for security fixes for CVE-2017-9274 --------------------------------------------------------------------------------References: [ 1 ] Bug #1533743 - CVE-2017-9274 osc: Macro expansion can lead to arbitray code execution https://bugzilla.redhat.com/show_bug.cgi?id=1533743 --------------------------------------------------------------------------------This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade osc-source_validator' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ -------------------------------------------------------------------------------- _______________________________________________ package-announce mailing list -- This email address is being protected from spambots. You need JavaScript enabled to view it. To unsubscribe send an email This email address is being protected from spambots. You need JavaScript enabled to view it. . Patch release for osc and osc-source_validator in Fedora 27 rectifying CVE-2017-9274 to mitigate potential code execution vulnerabilities.. osc-source_validator, security update, Fedora 27, code execution, openSUSE. . Severity: Critical. LinuxSecurity.com Team

Calendar%202 Jan 16, 2018 Critical Fedora
News Add Esm H240

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Community Poll

Is continuous patching actually viable?

No answer selected. Please try again.
Please select either existing option or enter your own, however not both.
Please select minimum {0} answer(s).
Please select maximum {0} answer(s).
/main-polls/156-is-continuous-patching-actually-viable?task=poll.vote&format=json
156
radio
0
[{"id":503,"title":"Delayed updates invite catastrophic breaches.","votes":1,"type":"x","order":1,"pct":50,"resources":[]},{"id":504,"title":"Automated fixes break production environments.","votes":1,"type":"x","order":2,"pct":50,"resources":[]},{"id":505,"title":"Manual approvals cannot keep pace.","votes":0,"type":"x","order":3,"pct":0,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
bottom 200