Test ID: 1.3.6.1.4.1.25623.1.0.856380
Category: openSUSE Local Security Checks
Title: openSUSE Security Advisory (SUSE-SU-2024:2961-1)
Summary: The remote host is missing an update for the 'osc' package(s) announced via the SUSE-SU-2024:2961-1 advisory.
Description:

Vulnerability Insight:
This update for osc fixes the following issues:

- 1.9.0
  - Security:
    - Fix possibility to overwrite special files in .osc (CVE-2024-22034 bsc#1225911)
      Source files are now stored in the 'sources' subdirectory, which prevents
      name collisions. This requires changing the version of the '.osc' store to 2.0.
  - Command-line:
    - Introduce build --checks parameter
  - Library:
    - OscConfigParser: Remove automatic __name__ option

- 1.8.3
  - Command-line:
    - Change 'repairwc' command to always run all repair steps
  - Library:
    - Make most of the fields in KeyinfoPubkey and KeyinfoSslcert models optional
    - Fix colorize() to avoid wrapping empty string into color escape sequences
    - Provide default values for kwargs.get/pop in get_results() function

- 1.8.2
  - Library:
    - Change 'repairwc' command to fix missing .osc/_osclib_version
    - Make error message in check_store_version() more generic to work for both projects and packages
    - Fix check_store_version in project store

- 1.8.1
  - Command-line:
    - Fix 'linkpac' command crash when used with '--disable-build' or '--disable-publish' option

- 1.8.0
  - Command-line:
    - Improve 'submitrequest' command to inherit description from superseded request
    - Fix 'mv' command when renaming a file multiple times
    - Improve 'info' command to support projects
    - Improve 'getbinaries' command by accepting '-M' / '--multibuild-package' option outside checkouts
    - Add architecture filtering to 'release' command
    - Change 'results' command so the normal and multibuild packages have the same output
    - Change 'results' command to use csv writer instead of formatting csv as string
    - Add couple mutually exclusive options errors to 'results' command
    - Set a default value for 'results --format' only for the csv output
    - Add support for 'results --format' for the default text mode
    - Update help text for '--format' option in 'results' command
    - Add 'results --fail-on-error/-F' flag
    - Redirect venv warnings from stderr to debug output
  - Configuration:
    - Fix config parser to throw an exception on duplicate sections or options
    - Modify conf.get_config() to print permissions warning to stderr rather than stdout
  - Library:
    - Run check_store_version() in obs_scm.Store and fix related code in Project and Package
    - Forbid extracting files with absolute path from 'cpio' archives (bsc#1122683)
    - Forbid extracting files with absolute path from 'ar' archives (bsc#1122683)
    - Remove no longer valid warning from core.unpack_srcrpm()
    - Make obs_api.KeyinfoSslcert keyid and fingerprint fields optional
    - Fix return value in build.create_build_descr_data()
    - Fix core.get_package_results() to obey 'multibuild_packages' argument
  - Tests:
    - Fix tests so they don't modify fixtures

- 1.7.0
  - Command-line:
    - Add 'person search' command
    - Add 'person register' command
    - Add '-M/--multibuild-package' option to '[what]dependson' commands
    - Update ... [Please see the references for more information on the vulnerabilities]

Affected Software/OS:
'osc' package(s) on openSUSE Leap 15.5, openSUSE Leap 15.6.

Solution:
Please install the updated package(s).

CVSS Score:
5.0

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:N/A:N

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2024-22034
Copyright: Copyright (C) 2024 Greenbone AG