suse-su-2024:2961-1
Vulnerability from csaf_suse
Published
2024-08-19 12:06
Modified
2024-08-19 12:06
Summary
Security update for osc
Notes
Title of the patch
Security update for osc
Description of the patch
This update for osc fixes the following issues:
- 1.9.0
  - Security:
    - Fix possibility to overwrite special files in .osc (CVE-2024-22034 bsc#1225911)
      Source files are now stored in the 'sources' subdirectory which prevents
      name collisions. This requires changing version of '.osc' store to 2.0.
  - Command-line:
    - Introduce build --checks parameter
  - Library:
    - OscConfigParser: Remove automatic __name__ option

- 1.8.3
  - Command-line:
    - Change 'repairwc' command to always run all repair steps
  - Library:
    - Make most of the fields in KeyinfoPubkey and KeyinfoSslcert models optional
    - Fix colorize() to avoid wrapping empty string into color escape sequences
    - Provide default values for kwargs.get/pop in get_results() function

- 1.8.2
  - Library:
    - Change 'repairwc' command to fix missing .osc/_osclib_version
    - Make error message in check_store_version() more generic to work for both projects and packages
    - Fix check_store_version in project store

- 1.8.1
  - Command-line:
    - Fix 'linkpac' command crash when used with '--disable-build' or '--disable-publish' option

- 1.8.0
  - Command-line:
    - Improve 'submitrequest' command to inherit description from superseded request
    - Fix 'mv' command when renaming a file multiple times
    - Improve 'info' command to support projects
    - Improve 'getbinaries' command by accepting '-M' / '--multibuild-package' option outside checkouts
    - Add architecture filtering to 'release' command
    - Change 'results' command so the normal and multibuild packages have the same output
    - Change 'results' command to use csv writer instead of formatting csv as string
    - Add a couple of mutually exclusive option errors to 'results' command
    - Set a default value for 'results --format' only for the csv output
    - Add support for 'results --format' for the default text mode
    - Update help text for '--format' option in 'results' command
    - Add 'results --fail-on-error/-F' flag
    - Redirect venv warnings from stderr to debug output
  - Configuration:
    - Fix config parser to throw an exception on duplicate sections or options
    - Modify conf.get_config() to print permissions warning to stderr rather than stdout
  - Library:
    - Run check_store_version() in obs_scm.Store and fix related code in Project and Package
    - Forbid extracting files with absolute path from 'cpio' archives (bsc#1122683)
    - Forbid extracting files with absolute path from 'ar' archives (bsc#1122683)
    - Remove no longer valid warning from core.unpack_srcrpm()
    - Make obs_api.KeyinfoSslcert keyid and fingerprint fields optional
    - Fix return value in build.create_build_descr_data()
    - Fix core.get_package_results() to obey 'multibuild_packages' argument
  - Tests:
    - Fix tests so they don't modify fixtures

- 1.7.0
  - Command-line:
    - Add 'person search' command
    - Add 'person register' command
    - Add '-M/--multibuild-package' option to '[what]dependson' commands
    - Update '-U/--user' option in 'maintainer' command to accept also an email address
    - Fix 'branch' command to allow using '--new-package' option on packages that do not exist
    - Fix 'buildinfo' command to include obs:cli_debug_packages by default
    - Fix 'buildinfo' command to send complete local build environment as the 'build' command does
    - Fix 'maintainer --devel-project' to raise an error if running outside a working copy without any arguments
    - Fix handling arguments in 'service remoterun prj/pac'
    - Fix 'rebuild' command so the '--all' option conflicts with the 'package' argument
    - Fix crash when removing 'scmsync' element from dst package meta in 'linkpac' command
    - Fix crash when reading dst package meta in 'linkpac' command
    - Allow `osc rpmlint` to infer prj/pkg from CWD
    - Propagate exit code from the run() and do_() commandline methods
    - Give a hint where a scmsync git is hosted
    - Fix crash in 'updatepacmetafromspec' command when working with an incomplete spec
    - Improve 'updatepacmetafromspec' command to expand rpm spec macros by calling rpmspec to query the data
    - Improve 'build' and 'buildinfo' commands by uploading *.inc files to OBS for parsing BuildRequires (bsc#1221340)
    - Improve 'service' command by printing names of running services
    - Improve 'getbinaries' command by ignoring source and debuginfo filters when a binary name is specified
    - Change 'build' command to pass '--jobs' option to 'build' tool only if 'build_jobs' > 0
    - Clarify 'list' command's help that listing binaries doesn't contain md5 checksums
    - Improve 'log' command: produce proper CSV and XML outputs, add -p/--patch option for the text output
    - Allow setlinkrev to set a specific vrev
    - Document '--buildtool-opt=--noclean' example in 'build' command's help
    - Fix handling the default package argument on the command-line
  - Configuration:
    - Document loading configuration from env variables
  - Connection:
    - Don't retry on error 400
    - Remove now unused 'retry_on_400' http_request() option from XmlModel
    - Revert 'Don't retry on 400 HTTP status code in core.server_diff()'
    - Revert 'connection: Allow disabling retry on 400 HTTP status code'
  - Authentication:
    - Update SignatureAuthHandler to support specifying ssh key by its fingerprint
    - Use ssh key from ssh agent that contains comment 'obs=<apiurl-hostname>'
    - Use strings instead of bytes in SignatureAuthHandler
    - Cache password from SecretService to avoid spamming user with an accept dialog
    - Never ask for credentials when displaying help
    - Remove unused SignatureAuthHandler.get_fingerprint()
  - Library:
    - Add rootless build support for 'qemu' VM type
    - Support package linking of packages from scmsync projects
    - Fix do_createrequest() function to return None instead of request id
    - Replace invalid 'if' with 'elif' in BaseModel.dict()
    - Fix crash when no preferred packages are defined
    - Add XmlModel class that encapsulates manipulation with XML
    - Add obs_api.Person.cmd_register() for registering new users
    - Fix conf.get_config() to ignore file type bits when comparing oscrc perms
    - Fix conf.get_config() to correctly handle overrides when env variables are set
    - Fix output.tty.IS_INTERACTIVE when os.isatty() throws OSError
    - Improve cmdln.HelpFormatter to obey newline characters
    - Update list of color codes in 'output.tty' module
    - Remove core.setDevelProject() in favor of core.set_devel_project()
    - Move removing control characters to output.sanitize_text()
    - Improve sanitize_text() to keep selected CSI escape sequences
    - Add output.pipe_to_pager() that pipes lines to a pager without creating an intermediate temporary file
    - Fix output.safe_write() in connection with NamedTemporaryFile
    - Modernize output.run_pager()
    - Extend output.print_msg() to accept 'error' and 'warning' values of 'to_print' argument
    - Add XPathQuery class for translating keyword arguments to an xpath query
    - Add obs_api.Keyinfo class
    - Add obs_api.Package class
    - Add Package.get_revision_list() for listing commit log
    - Add obs_api.PackageSources class for handling OBS SCM sources
    - Add obs_api.Person class
    - Add obs_api.Project class
    - Add obs_api.Request class
    - Add obs_api.Token class
    - Allow storing apiurl in the XmlModel instances
    - Allow retrieving default field value from top-level model
    - Fix BaseModel to convert dictionaries to objects on retrieving a model list
    - Fix BaseModel to always deepcopy mutable defaults on first use
    - Implement do_snapshot() and has_changed() methods to determine changes in BaseModel
    - Implement total ordering on BaseModel
    - Add comments with available attributes/elements to edited XML
  - Refactoring:
    - Migrate repo {list,add,remove} commands to obs_api.Project
    - Migrate core.show_package_disabled_repos() to obs_api.Package
    - Migrate core.Package.update_package_meta() to obs_api.Package
    - Migrate core.get_repos_of_project() to obs_api.Project
    - Migrate core.get_repositories_of_project() to obs_api.Project
    - Migrate core.show_scmsync() to obs_api.{Package,Project}
    - Migrate core.set_devel_project() to obs_api.Package
    - Migrate core.show_devel_project() to obs_api.Package
    - Migrate Fetcher.run() to obs_api.Keyinfo
    - Migrate core.create_submit_request() to obs_api.Request
    - Migrate 'token' command to obs_api.Token
    - Migrate 'whois/user' command to obs_api.Person
    - Migrate 'signkey' command to obs_api.Keyinfo
    - Move print_msg() to the 'osc.output' module
    - Move run_pager() and get_default_pager() from 'core' to 'output' module
    - Move core.Package to obs_scm.Package
    - Move core.Project to obs_scm.Project
    - Move functions manipulating store from core to obs_scm.store
    - Move store.Store to obs_scm.Store
    - Move core.Linkinfo to obs_scm.Linkinfo
    - Move core.Serviceinfo to obs_scm.Serviceinfo
    - Move core.File to obs_scm.File
    - Merge _private.project.ProjectMeta into obs_api.Project
  - Spec:
    - Remove dependency on /usr/bin/python3 using %python3_fix_shebang macro (bsc#1212476)

- 1.6.2
  - Command-line:
    - Fix 'branch' command to allow using '--new-package' option on packages that do not exist
    - Fix 'buildinfo' command to include obs:cli_debug_packages by default
    - Fix 'buildinfo' command to send complete local build environment as the 'build' command does
    - Allow `osc rpmlint` to infer prj/pkg from CWD
    - Propagate exit code from the run() and do_() commandline methods
    - Give a hint where a scmsync git is hosted
    - Fix crash in 'updatepacmetafromspec' command when working with an incomplete spec
  - Authentication:
    - Cache password from SecretService to avoid spamming user with an accept dialog
    - Never ask for credentials when displaying help
  - Library:
    - Support package linking of packages from scmsync projects
    - Fix do_createrequest() function to return None instead of request id
    - Replace invalid 'if' with 'elif' in BaseModel.dict()
    - Fix crash when no preferred packages are defined

- 1.6.1
  - Command-line:
    - Use busybox compatible commands for completion
    - Change 'wipe' command to use the new get_user_input() function
    - Fix error 500 in running 'meta attribute <prj>'
  - Configuration:
    - Fix resolving config symlink to the actual config file
    - Honor XDG_CONFIG_HOME and XDG_CACHE_HOME env vars
    - Warn about ignoring XDG_CONFIG_HOME and ~/.config/osc/oscrc if ~/.oscrc exists
  - Library:
    - Error out when branching a scmsync package
    - New get_user_input() function for consistent handling of user input
    - Move xml_indent, xml_quote and xml_unquote to osc.util.xml module
    - Refactor makeurl(), deprecate query taking string or list arguments, drop osc_urlencode()
    - Remove all path quoting, rely on makeurl()
    - Always use dict query in makeurl()
    - Fix core.slash_split() to strip both leading and trailing slashes

- 1.6.0
  - Command-line:
    - The 'token --trigger' command no longer sets '--operation=runservice' by default
    - Change 'token --create' command to require '--operation'
    - Fix 'linkdiff' command error 400: prj/pac/md5 not in repository
    - Update 'build' command to support building 'productcompose' build type with updateinfo.xml data
    - Don't show meter in terminals that are not interactive
    - Fix traceback when running osc from an arbitrary git repo that fails to map branch to a project (bsc#1218170)
  - Configuration:
    - Implement reading credentials from environment variables
    - Allow starting with an empty config if --configfile is either empty or points to /dev/null
    - Implement 'quiet' conf option
    - Password can be an empty string (commonly used with ssh auth)
  - Connection:
    - Allow -X HEAD on osc api requests as well
  - Library:
    - Fix credentials managers to consistently return Password
    - Fix Password.encode() on python < 3.8
    - Refactor 'meter' module, use config settings to pick the right class
    - Convert to using f-strings
    - Use Field.get_callback to handle quiet/verbose and http_debug/http_full_debug options
    - Implement get_callback that allows modifying returned value to the Field class
    - Add support for List[BaseModel] type to Field class
    - Report class name when reporting an error during instantiating BaseModel object
    - Fix exporting an empty model field in BaseModel.dict()
    - Fix initializing a sub-model instance from a dictionary
    - Implement 'Enum' support in models
    - Fix Field.origin_type for Optional types
    - Drop unused 'exclude_unset' argument from BaseModel.dict() method
    - Store cached model defaults in self._defaults, avoid sharing references to mutable defaults
    - Limit model attributes to predefined fields by forbidding creating new attributes on the fly
    - Store model values in self._values dict instead of private attributes
  - Spec:
    - Recommend openssh-clients for ssh-add that is required during ssh auth
    - Add 0%{?amzn} macro that wasn't upstreamed
Patchnames
SUSE-2024-2961,SUSE-SLE-Module-Development-Tools-15-SP5-2024-2961,SUSE-SLE-Module-Development-Tools-15-SP6-2024-2961,openSUSE-SLE-15.5-2024-2961,openSUSE-SLE-15.6-2024-2961
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
Document metadata
- Category: csaf_security_advisory (CSAF version 2.0), language en
- Aggregate severity: moderate (https://www.suse.com/support/security/rating/)
- Distribution: Copyright 2024 SUSE LLC. All rights reserved. TLP:WHITE (https://www.first.org/tlp/)
- Publisher: SUSE Product Security Team (vendor), https://www.suse.com/, contact https://www.suse.com/support/security/contact/
- Tracking: id SUSE-SU-2024:2961-1, version 1, status final, initial and current release date 2024-08-19T12:06:41Z, revision 1 ("Current version"), generated by cve-database.git:bin/generate-csaf.pl version 1
References
- SUSE ratings: https://www.suse.com/support/security/rating/
- URL of this CSAF notice: https://ftp.suse.com/pub/projects/security/csaf/suse-su-2024_2961-1.json
- URL for SUSE-SU-2024:2961-1: https://www.suse.com/support/update/announcement/2024/suse-su-20242961-1/
- E-Mail link for SUSE-SU-2024:2961-1: https://lists.suse.com/pipermail/sle-updates/2024-August/036632.html
- SUSE Bug 1122683: https://bugzilla.suse.com/1122683
- SUSE Bug 1212476: https://bugzilla.suse.com/1212476
- SUSE Bug 1218170: https://bugzilla.suse.com/1218170
- SUSE Bug 1221340: https://bugzilla.suse.com/1221340
- SUSE Bug 1225911: https://bugzilla.suse.com/1225911
- SUSE CVE CVE-2024-22034 page: https://www.suse.com/security/cve/CVE-2024-22034/
Product tree
Fixed package: osc-1.9.0-150400.10.6.1.noarch (architecture noarch, vendor SUSE, product family SUSE Linux Enterprise), shipped as a default component of:
- SUSE Linux Enterprise Module for Development Tools 15 SP5 (cpe:/o:suse:sle-module-development-tools:15:sp5)
- SUSE Linux Enterprise Module for Development Tools 15 SP6 (cpe:/o:suse:sle-module-development-tools:15:sp6)
- openSUSE Leap 15.5 (cpe:/o:opensuse:leap:15.5)
- openSUSE Leap 15.6 (cpe:/o:opensuse:leap:15.6)
Vulnerabilities
CVE-2024-22034 (SUSE CVE page: https://www.suse.com/security/cve/CVE-2024-22034)
- CVE description: Attackers could put the special files in .osc into the actual package sources (e.g. _apiurl). This allows the attacker to change the configuration of osc for the victim.
- CVSS v3.1: base score 5.5 (MEDIUM), vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N (local attack vector, low complexity, no privileges required, user interaction required, unchanged scope, high integrity impact, no confidentiality or availability impact)
- Threat impact: moderate (2024-08-19T12:06:41Z)
- References: CVE-2024-22034: https://www.suse.com/security/cve/CVE-2024-22034; SUSE Bug 1225911 for CVE-2024-22034: https://bugzilla.suse.com/1225911
- Product status (recommended): osc-1.9.0-150400.10.6.1.noarch on each of the four products listed above
- Remediation (vendor fix): To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".