SUSE 5149 Published by

The following security updates have been released for SUSE Linux Enterprise 15 SP6:

openSUSE-SU-2024:0258-1: important: Security update for chromium
openSUSE-SU-2024:0194-2: moderate: Security update for keybase-client
openSUSE-SU-2024:0258-2: important: Security update for chromium
openSUSE-SU-2024:0231-1: moderate: Security update for python-notebook
openSUSE-SU-2024:0155-1: important: Security update for chromium
openSUSE-SU-2024:0221-1: important: Security update for python-nltk
openSUSE-SU-2024:0220-1: moderate: Security update for caddy
openSUSE-SU-2024:0206-1: moderate: Security update for cockpit
openSUSE-SU-2024:0226-1: moderate: Security update for gh
openSUSE-SU-2024:0157-2: important: Security update for nano
openSUSE-SU-2024:0254-2: important: Security update for chromium, gn, rust-bindgen
openSUSE-SU-2024:0161-1: moderate: Security update for plasma5-workspace
openSUSE-SU-2024:0203-1: critical: Security update for znc
openSUSE-SU-2024:0150-2: moderate: Security update for libhtp
openSUSE-SU-2024:0224-2: moderate: Security update for keybase-client
openSUSE-SU-2024:0168-1: important: Security update for gdcm
openSUSE-SU-2024:0212-2: important: Security update for chromium




openSUSE-SU-2024:0258-1: important: Security update for chromium


openSUSE Security Update: Security update for chromium
_______________________________

Announcement ID: openSUSE-SU-2024:0258-1
Rating: important
References: #1229426 #1229591
Cross-References: CVE-2024-7964 CVE-2024-7965 CVE-2024-7966
CVE-2024-7967 CVE-2024-7968 CVE-2024-7969
CVE-2024-7971 CVE-2024-7972 CVE-2024-7973
CVE-2024-7974 CVE-2024-7975 CVE-2024-7976
CVE-2024-7977 CVE-2024-7978 CVE-2024-7979
CVE-2024-7980 CVE-2024-7981 CVE-2024-8033
CVE-2024-8034 CVE-2024-8035
CVSS scores:
CVE-2024-7964 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2024-7966 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2024-7968 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2024-7969 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2024-7974 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2024-7975 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVE-2024-7976 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVE-2024-7977 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2024-7978 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CVE-2024-7981 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVE-2024-8033 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVE-2024-8034 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVE-2024-8035 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Affected Products:
openSUSE Backports SLE-15-SP5
_______________________________

An update that fixes 20 vulnerabilities is now available.

Description:

This update for chromium fixes the following issues:

- Chromium 128.0.6613.84 (boo#1229591)
* CVE-2024-7964: Use after free in Passwords
* CVE-2024-7965: Inappropriate implementation in V8
* CVE-2024-7966: Out of bounds memory access in Skia
* CVE-2024-7967: Heap buffer overflow in Fonts
* CVE-2024-7968: Use after free in Autofill
* CVE-2024-7969: Type Confusion in V8
* CVE-2024-7971: Type confusion in V8
* CVE-2024-7972: Inappropriate implementation in V8
* CVE-2024-7973: Heap buffer overflow in PDFium
* CVE-2024-7974: Insufficient data validation in V8 API
* CVE-2024-7975: Inappropriate implementation in Permissions
* CVE-2024-7976: Inappropriate implementation in FedCM
* CVE-2024-7977: Insufficient data validation in Installer
* CVE-2024-7978: Insufficient policy enforcement in Data Transfer
* CVE-2024-7979: Insufficient data validation in Installer
* CVE-2024-7980: Insufficient data validation in Installer
* CVE-2024-7981: Inappropriate implementation in Views
* CVE-2024-8033: Inappropriate implementation in WebApp Installs
* CVE-2024-8034: Inappropriate implementation in Custom Tabs
* CVE-2024-8035: Inappropriate implementation in Extensions
* Various fixes from internal audits, fuzzing and other initiatives

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP5:

zypper in -t patch openSUSE-2024-258=1

Package List:

- openSUSE Backports SLE-15-SP5 (aarch64 x86_64):

chromedriver-128.0.6613.84-bp155.2.105.1
chromium-128.0.6613.84-bp155.2.105.1

References:

https://www.suse.com/security/cve/CVE-2024-7964.html
https://www.suse.com/security/cve/CVE-2024-7965.html
https://www.suse.com/security/cve/CVE-2024-7966.html
https://www.suse.com/security/cve/CVE-2024-7967.html
https://www.suse.com/security/cve/CVE-2024-7968.html
https://www.suse.com/security/cve/CVE-2024-7969.html
https://www.suse.com/security/cve/CVE-2024-7971.html
https://www.suse.com/security/cve/CVE-2024-7972.html
https://www.suse.com/security/cve/CVE-2024-7973.html
https://www.suse.com/security/cve/CVE-2024-7974.html
https://www.suse.com/security/cve/CVE-2024-7975.html
https://www.suse.com/security/cve/CVE-2024-7976.html
https://www.suse.com/security/cve/CVE-2024-7977.html
https://www.suse.com/security/cve/CVE-2024-7978.html
https://www.suse.com/security/cve/CVE-2024-7979.html
https://www.suse.com/security/cve/CVE-2024-7980.html
https://www.suse.com/security/cve/CVE-2024-7981.html
https://www.suse.com/security/cve/CVE-2024-8033.html
https://www.suse.com/security/cve/CVE-2024-8034.html
https://www.suse.com/security/cve/CVE-2024-8035.html
https://bugzilla.suse.com/1229426
https://bugzilla.suse.com/1229591



openSUSE-SU-2024:0194-2: moderate: Security update for keybase-client


openSUSE Security Update: Security update for keybase-client
_______________________________

Announcement ID: openSUSE-SU-2024:0194-2
Rating: moderate
References: #1213928
Cross-References: CVE-2023-29408
CVSS scores:
CVE-2023-29408 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CVE-2023-29408 (SUSE): 4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Affected Products:
openSUSE Backports SLE-15-SP6
_______________________________

An update that fixes one vulnerability is now available.

Description:

This update for keybase-client fixes the following issues:

Update to version 6.2.8

* Update client CA
* Fix incomplete locking in config file handling.

- Update the Image dependency to address CVE-2023-29408 / boo#1213928.
This is done via the new update-image-tiff.patch.
- Limit parallel test execution as that seems to cause failing builds on OBS that don't occur locally.
- Integrate KBFS packages previously built via their own source package
* Upstream integrated these into the same source.
* Also includes adding the kbfs-related patches ensure-mount-dir-exists.patch and ensure-service-stop-unmounts-filesystem.patch.
- Upgrade Go version used for compilation to 1.19.
- Use Systemd unit file from upstream source.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP6:

zypper in -t patch openSUSE-2024-194=1

Package List:

- openSUSE Backports SLE-15-SP6 (aarch64 i586 ppc64le s390x x86_64):

kbfs-6.2.8-bp156.2.3.1
kbfs-debuginfo-6.2.8-bp156.2.3.1
kbfs-git-6.2.8-bp156.2.3.1
kbfs-git-debuginfo-6.2.8-bp156.2.3.1
kbfs-tool-6.2.8-bp156.2.3.1
kbfs-tool-debuginfo-6.2.8-bp156.2.3.1
keybase-client-6.2.8-bp156.2.3.1
keybase-client-debuginfo-6.2.8-bp156.2.3.1

References:

https://www.suse.com/security/cve/CVE-2023-29408.html
https://bugzilla.suse.com/1213928



openSUSE-SU-2024:0258-2: important: Security update for chromium


openSUSE Security Update: Security update for chromium
_______________________________

Announcement ID: openSUSE-SU-2024:0258-2
Rating: important
References: #1229426 #1229591
Cross-References: CVE-2024-7964 CVE-2024-7965 CVE-2024-7966
CVE-2024-7967 CVE-2024-7968 CVE-2024-7969
CVE-2024-7971 CVE-2024-7972 CVE-2024-7973
CVE-2024-7974 CVE-2024-7975 CVE-2024-7976
CVE-2024-7977 CVE-2024-7978 CVE-2024-7979
CVE-2024-7980 CVE-2024-7981 CVE-2024-8033
CVE-2024-8034 CVE-2024-8035
CVSS scores:
CVE-2024-7964 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2024-7966 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2024-7968 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2024-7969 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2024-7974 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2024-7975 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVE-2024-7976 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVE-2024-7977 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2024-7978 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CVE-2024-7981 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVE-2024-8033 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVE-2024-8034 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVE-2024-8035 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Affected Products:
openSUSE Backports SLE-15-SP6
_______________________________

An update that fixes 20 vulnerabilities is now available.

Description:

This update for chromium fixes the following issues:

- Chromium 128.0.6613.84 (boo#1229591)
* CVE-2024-7964: Use after free in Passwords
* CVE-2024-7965: Inappropriate implementation in V8
* CVE-2024-7966: Out of bounds memory access in Skia
* CVE-2024-7967: Heap buffer overflow in Fonts
* CVE-2024-7968: Use after free in Autofill
* CVE-2024-7969: Type Confusion in V8
* CVE-2024-7971: Type confusion in V8
* CVE-2024-7972: Inappropriate implementation in V8
* CVE-2024-7973: Heap buffer overflow in PDFium
* CVE-2024-7974: Insufficient data validation in V8 API
* CVE-2024-7975: Inappropriate implementation in Permissions
* CVE-2024-7976: Inappropriate implementation in FedCM
* CVE-2024-7977: Insufficient data validation in Installer
* CVE-2024-7978: Insufficient policy enforcement in Data Transfer
* CVE-2024-7979: Insufficient data validation in Installer
* CVE-2024-7980: Insufficient data validation in Installer
* CVE-2024-7981: Inappropriate implementation in Views
* CVE-2024-8033: Inappropriate implementation in WebApp Installs
* CVE-2024-8034: Inappropriate implementation in Custom Tabs
* CVE-2024-8035: Inappropriate implementation in Extensions
* Various fixes from internal audits, fuzzing and other initiatives

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP6:

zypper in -t patch openSUSE-2024-258=1

Package List:

- openSUSE Backports SLE-15-SP6 (aarch64 x86_64):

chromedriver-128.0.6613.84-bp156.2.17.1
chromedriver-debuginfo-128.0.6613.84-bp156.2.17.1
chromium-128.0.6613.84-bp156.2.17.1
chromium-debuginfo-128.0.6613.84-bp156.2.17.1

References:

https://www.suse.com/security/cve/CVE-2024-7964.html
https://www.suse.com/security/cve/CVE-2024-7965.html
https://www.suse.com/security/cve/CVE-2024-7966.html
https://www.suse.com/security/cve/CVE-2024-7967.html
https://www.suse.com/security/cve/CVE-2024-7968.html
https://www.suse.com/security/cve/CVE-2024-7969.html
https://www.suse.com/security/cve/CVE-2024-7971.html
https://www.suse.com/security/cve/CVE-2024-7972.html
https://www.suse.com/security/cve/CVE-2024-7973.html
https://www.suse.com/security/cve/CVE-2024-7974.html
https://www.suse.com/security/cve/CVE-2024-7975.html
https://www.suse.com/security/cve/CVE-2024-7976.html
https://www.suse.com/security/cve/CVE-2024-7977.html
https://www.suse.com/security/cve/CVE-2024-7978.html
https://www.suse.com/security/cve/CVE-2024-7979.html
https://www.suse.com/security/cve/CVE-2024-7980.html
https://www.suse.com/security/cve/CVE-2024-7981.html
https://www.suse.com/security/cve/CVE-2024-8033.html
https://www.suse.com/security/cve/CVE-2024-8034.html
https://www.suse.com/security/cve/CVE-2024-8035.html
https://bugzilla.suse.com/1229426
https://bugzilla.suse.com/1229591



openSUSE-SU-2024:0231-1: moderate: Security update for python-notebook


openSUSE Security Update: Security update for python-notebook
_______________________________

Announcement ID: openSUSE-SU-2024:0231-1
Rating: moderate
References: #1227583
Cross-References: CVE-2019-11358 CVE-2021-32798
CVSS scores:
CVE-2019-11358 (NVD) : 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE-2021-32798 (NVD) : 9.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products:
openSUSE Backports SLE-15-SP6
_______________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for python-notebook fixes the following issues:

- Update to 5.7.11
* sanitizer fix CVE-2021-32798 (boo#1227583)
- Update to 5.7.10
* no upstream changelog
- Update to 5.7.9
* Update JQuery dependency to version 3.4.1 to fix security vulnerability (CVE-2019-11358)
* Update from preact to React

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP6:

zypper in -t patch openSUSE-2024-231=1

Package List:

- openSUSE Backports SLE-15-SP6 (noarch):

jupyter-notebook-5.7.11-bp156.4.3.1
jupyter-notebook-doc-5.7.11-bp156.4.3.1
jupyter-notebook-lang-5.7.11-bp156.4.3.1
jupyter-notebook-latex-5.7.11-bp156.4.3.1
python3-notebook-5.7.11-bp156.4.3.1
python3-notebook-lang-5.7.11-bp156.4.3.1

References:

https://www.suse.com/security/cve/CVE-2019-11358.html
https://www.suse.com/security/cve/CVE-2021-32798.html
https://bugzilla.suse.com/1227583



openSUSE-SU-2024:0155-1: important: Security update for chromium


openSUSE Security Update: Security update for chromium
_______________________________

Announcement ID: openSUSE-SU-2024:0155-1
Rating: important
References: #1225690
Cross-References: CVE-2024-5493 CVE-2024-5494 CVE-2024-5495
CVE-2024-5496 CVE-2024-5497 CVE-2024-5498
CVE-2024-5499
Affected Products:
openSUSE Backports SLE-15-SP6
_______________________________

An update that fixes 7 vulnerabilities is now available.

Description:

This update for chromium fixes the following issues:

Chromium 125.0.6422.141 (boo#1225690)

* CVE-2024-5493: Heap buffer overflow in WebRTC
* CVE-2024-5494: Use after free in Dawn
* CVE-2024-5495: Use after free in Dawn
* CVE-2024-5496: Use after free in Media Session
* CVE-2024-5497: Out of bounds memory access in Keyboard Inputs
* CVE-2024-5498: Use after free in Presentation API
* CVE-2024-5499: Out of bounds write in Streams API

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP6:

zypper in -t patch openSUSE-2024-155=1

Package List:

- openSUSE Backports SLE-15-SP6 (aarch64 x86_64):

chromedriver-125.0.6422.141-bp156.2.3.1
chromium-125.0.6422.141-bp156.2.3.1

References:

https://www.suse.com/security/cve/CVE-2024-5493.html
https://www.suse.com/security/cve/CVE-2024-5494.html
https://www.suse.com/security/cve/CVE-2024-5495.html
https://www.suse.com/security/cve/CVE-2024-5496.html
https://www.suse.com/security/cve/CVE-2024-5497.html
https://www.suse.com/security/cve/CVE-2024-5498.html
https://www.suse.com/security/cve/CVE-2024-5499.html
https://bugzilla.suse.com/1225690



openSUSE-SU-2024:0221-1: important: Security update for python-nltk


openSUSE Security Update: Security update for python-nltk
_______________________________

Announcement ID: openSUSE-SU-2024:0221-1
Rating: important
References: #1227174
Cross-References: CVE-2024-39705
Affected Products:
openSUSE Backports SLE-15-SP6
_______________________________

An update that fixes one vulnerability is now available.

Description:

This update for python-nltk fixes the following issues:

- CVE-2024-39705: Fixed remote code execution through unsafe pickle usage (boo#1227174).

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP6:

zypper in -t patch openSUSE-2024-221=1

Package List:

- openSUSE Backports SLE-15-SP6 (noarch):

python3-nltk-3.7-bp156.4.3.1

References:

https://www.suse.com/security/cve/CVE-2024-39705.html
https://bugzilla.suse.com/1227174



openSUSE-SU-2024:0220-1: moderate: Security update for caddy


openSUSE Security Update: Security update for caddy
_______________________________

Announcement ID: openSUSE-SU-2024:0220-1
Rating: moderate
References: #1222468
Cross-References: CVE-2023-45142 CVE-2024-22189
CVSS scores:
CVE-2023-45142 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2023-45142 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2024-22189 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:
openSUSE Backports SLE-15-SP6
_______________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for caddy fixes the following issues:

- Update to version 2.8.4:

* cmd: fix regression in auto-detect of Caddyfile (#6362)
* Tag v2.8.3 was mistakenly made on the v2.8.2 commit and is skipped

- Update to version 2.8.2:

* cmd: fix auto-detection of .caddyfile extension (#6356)
* caddyhttp: properly sanitize requests for root path (#6360)
* caddytls: Implement certmagic.RenewalInfoGetter
* build(deps): bump golangci/golangci-lint-action from 5 to 6 (#6361)

- Update to version 2.8.1:

* caddyhttp: Fix merging consecutive `client_ip` or `remote_ip` matchers (#6350)
* core: MkdirAll appDataDir in InstanceID with 0o700 (#6340)

- Update to version 2.8.0:

* acmeserver: Add `sign_with_root` for Caddyfile (#6345)
* caddyfile: Reject global request matchers earlier (#6339)
* core: Fix bug in AppIfConfigured (fix #6336)
* fix a typo (#6333)
* autohttps: Move log WARN to INFO, reduce confusion (#6185)
* reverseproxy: Support HTTP/3 transport to backend (#6312)
* context: AppIfConfigured returns error; consider not-yet-provisioned modules (#6292)
* Fix lint error about deprecated method in smallstep/certificates/authority
* go.mod: Upgrade dependencies
* caddytls: fix permission requirement with AutomationPolicy (#6328)
* caddytls: remove ClientHelloSNICtxKey (#6326)
* caddyhttp: Trace individual middleware handlers (#6313)
* templates: Add `pathEscape` template function and use it in file browser (#6278)
* caddytls: set server name in context (#6324)
* chore: downgrade minimum Go version in go.mod (#6318)
* caddytest: normalize the JSON config (#6316)
* caddyhttp: New experimental handler for intercepting responses (#6232)
* httpcaddyfile: Set challenge ports when http_port or https_port are used
* logging: Add support for additional logger filters other than hostname (#6082)
* caddyhttp: Log 4xx as INFO; 5xx as ERROR (close #6106)
* Second half of 6dce493
* caddyhttp: Alter log message when request is unhandled (close #5182)
* chore: Bump Go version in CI (#6310)
* go.mod: go 1.22.3
* Fix typos (#6311)
* reverseproxy: Pointer to struct when loading modules; remove LazyCertPool (#6307)
* tracing: add trace_id var (`http.vars.trace_id` placeholder) (#6308)
* go.mod: CertMagic v0.21.0
* reverseproxy: Implement health_follow_redirects (#6302)
* caddypki: Allow use of root CA without a key. Fixes #6290 (#6298)
* go.mod: Upgrade to quic-go v0.43.1
* reverseproxy: HTTP transport: fix PROXY protocol initialization (#6301)
* caddytls: Ability to drop connections (close #6294)
* build(deps): bump golangci/golangci-lint-action from 4 to 5 (#6289)
* httpcaddyfile: Fix expression matcher shortcut in snippets (#6288)
* caddytls: Evict internal certs from cache based on issuer (#6266)
* chore: add warn logs when using deprecated fields (#6276)
* caddyhttp: Fix linter warning about deprecation
* go.mod: Upgrade to quic-go v0.43.0
* fileserver: Set "Vary: Accept-Encoding" header (see #5849)
* events: Add debug log
* reverseproxy: handle buffered data during hijack (#6274)
* ci: remove `android` and `plan9` from cross-build workflow (#6268)
* run `golangci-lint run --fix --fast` (#6270)
* caddytls: Option to configure certificate lifetime (#6253)
* replacer: Implement `file.*` global replacements (#5463)
* caddyhttp: Address some Go 1.20 features (#6252)
* Quell linter (false positive)
* reverse_proxy: Add grace_period for SRV upstreams to Caddyfile (#6264)
* doc: add `verifier` in `ClientAuthentication` caddyfile marshaler doc (#6263)
* caddytls: Add Caddyfile support for on-demand permission module (close #6260)
* reverseproxy: Remove long-deprecated buffering properties
* reverseproxy: Reuse buffered request body even if partially drained
* reverseproxy: Accept EOF when buffering
* logging: Fix default access logger (#6251)
* fileserver: Improve Vary handling (#5849)
* cmd: Only validate config is proper JSON if config slice has data (#6250)
* staticresp: Use the evaluated response body for sniffing JSON content-type (#6249)
* encode: Slight fix for the previous commit
* encode: Improve Etag handling (fix #5849)
* httpcaddyfile: Skip automate loader if disable_certs is specified (fix #6148)
* caddyfile: Populate regexp matcher names by default (#6145)
* caddyhttp: record num. bytes read when response writer is hijacked (#6173)
* caddyhttp: Support multiple logger names per host (#6088)
* chore: fix some typos in comments (#6243)
* encode: Configurable compression level for zstd (#6140)
* caddytls: Remove shim code supporting deprecated lego-dns (#6231)
* connection policy: add `local_ip` matcher (#6074)
* reverseproxy: Wait for both ends of websocket to close (#6175)
* caddytls: Upgrade ACMEz to v2; support ZeroSSL API; various fixes (#6229)
* caddytls: Still provision permission module if ask is specified
* fileserver: read etags from precomputed files (#6222)
* fileserver: Escape # and ? in img src (fix #6237)
* reverseproxy: Implement modular CA provider for TLS transport (#6065)
* caddyhttp: Apply auto HTTPS redir to all interfaces (fix #6226)
* cmd: Fix panic related to config filename (fix #5919)
* cmd: Assume Caddyfile based on filename prefix and suffix (#5919)
* admin: Make `Etag` a header, not a trailer (#6208)
* caddyhttp: remove duplicate strings.Count in path matcher (fixes #6233) (#6234)
* caddyconfig: Use empty struct instead of bool in map (close #6224) (#6227)
* gitignore: Add rule for caddyfile.go (#6225)
* chore: Fix broken links in README.md (#6223)
* chore: Upgrade some dependencies (#6221)
* caddyhttp: Add plaintext response to `file_server browse` (#6093)
* admin: Use xxhash for etag (#6207)
* modules: fix some typos in comments (#6206)
* caddyhttp: Replace sensitive headers with REDACTED (close #5669)
* caddyhttp: close quic connections when server closes (#6202)
* reverseproxy: Use xxhash instead of fnv32 for LB (#6203)
* caddyhttp: add http.request.local{,.host,.port} placeholder (#6182)
* chore: upgrade deps (#6198)
* chore: remove repetitive word (#6193)
* Added a null check to avoid segfault on rewrite query ops (#6191)
* rewrite: `uri query` replace operation (#6165)
* logging: support `ms` duration format and add docs (#6187)
* replacer: use RWMutex to protect static provider (#6184)
* caddyhttp: Allow `header` replacement with empty string (#6163)
* vars: Make nil values act as empty string instead of `""` (#6174)
* chore: Update quic-go to v0.42.0 (#6176)
* caddyhttp: Accept XFF header values with ports, when parsing client IP (#6183)
* reverseproxy: configurable active health_passes and health_fails (#6154)
* reverseproxy: Configurable forward proxy URL (#6114)
* caddyhttp: upgrade to cel v0.20.0 (#6161)
* chore: Bump Chroma to v2.13.0, includes new Caddyfile lexer (#6169)
* caddyhttp: suppress flushing if the response is being buffered (#6150)
* chore: encode: use FlushError instead of Flush (#6168)
* encode: write status immediately when status code is informational (#6164)
* httpcaddyfile: Keep deprecated `skip_log` in directive order (#6153)
* httpcaddyfile: Add `RegisterDirectiveOrder` function for plugin authors (#5865)
* rewrite: Implement `uri query` operations (#6120)
* fix struct names (#6151)
* fileserver: Preserve query during canonicalization redirect (#6109)
* logging: Implement `log_append` handler (#6066)
* httpcaddyfile: Allow nameless regexp placeholder shorthand (#6113)
* logging: Implement `append` encoder, allow flatter filters config (#6069)
* ci: fix the integration test `TestLeafCertLoaders` (#6149)
* vars: Allow overriding `http.auth.user.id` in replacer as a special case (#6108)
* caddytls: clientauth: leaf verifier: make trusted leaf certs source pluggable (#6050)
* cmd: Adjust config load logs/errors (#6032)
* reverseproxy: SRV dynamic upstream failover (#5832)
* ci: bump golangci/golangci-lint-action from 3 to 4 (#6141)
* core: OnExit hooks (#6128)
* cmd: fix the output of the `Usage` section (#6138)
* caddytls: verifier: caddyfile: re-add Caddyfile support (#6127)
* acmeserver: add policy field to define allow/deny rules (#5796)
* reverseproxy: cookie should be Secure and SameSite=None when TLS (#6115)
* caddytest: Rename adapt tests to `*.caddyfiletest` extension (#6119)
* tests: uses testing.TB interface for helper to be able to use test server in benchmarks. (#6103)
* caddyfile: Assert having a space after heredoc marker to simply check (#6117)
* chore: Update Chroma to get the new Caddyfile lexer (#6118)
* reverseproxy: use context.WithoutCancel (#6116)
* caddyfile: Reject directives in the place of site addresses (#6104)
* caddyhttp: Register post-shutdown callbacks (#5948)
* caddyhttp: Only attempt to enable full duplex for HTTP/1.x (#6102)
* caddyauth: Drop support for `scrypt` (#6091)
* Revert "caddyfile: Reject long heredoc markers (#6098)" (#6100)
* caddyauth: Rename `basicauth` to `basic_auth` (#6092)
* logging: Inline Caddyfile syntax for `ip_mask` filter (#6094)
* caddyfile: Reject long heredoc markers (#6098)
* chore: Rename CI jobs, run on M1 mac (#6089)
* update comment
* improved list
* fix: add back text/*
* fix: add more media types to the compressed by default list
* acmeserver: support specifying the allowed challenge types (#5794)
* matchers: Drop `forwarded` option from `remote_ip` matcher (#6085)
* caddyhttp: Test cases for `%2F` and `%252F` (#6084)
* bump to golang 1.22 (#6083)
* fileserver: Browse can show symlink target if enabled (#5973)
* core: Support NO_COLOR env var to disable log coloring (#6078)
* build(deps): bump peter-evans/repository-dispatch from 2 to 3 (#6080)
* Update comment in setcap helper script
* caddytls: Make on-demand 'ask' permission modular (#6055)
* core: Add `ctx.Slogger()` which returns an `slog` logger (#5945)
* chore: Update quic-go to v0.41.0, bump Go minimum to 1.21 (#6043)
* chore: enabling a few more linters (#5961)
* caddyfile: Correctly close the heredoc when the closing marker appears immediately (#6062)
* caddyfile: Switch to slices.Equal for better performance (#6061)
* tls: modularize trusted CA providers (#5784)
* logging: Automatic `wrap` default for `filter` encoder (#5980)
* caddyhttp: Fix panic when request missing ClientIPVarKey (#6040)
* caddyfile: Normalize & flatten all unmarshalers (#6037)
* cmd: reverseproxy: log: use caddy logger (#6042)
* matchers: `query` now ANDs multiple keys (#6054)
* caddyfile: Add heredoc support to `fmt` command (#6056)
* refactor: move automaxprocs init in caddycmd.Main()
* caddyfile: Allow heredoc blank lines (#6051)
* httpcaddyfile: Add optional status code argument to `handle_errors` directive (#5965)
* httpcaddyfile: Rewrite `root` and `rewrite` parsing to allow omitting matcher (#5844)
* fileserver: Implement caddyfile.Unmarshaler interface (#5850)
* reverseproxy: Add `tls_curves` option to HTTP transport (#5851)
* caddyhttp: Security enhancements for client IP parsing (#5805)
* replacer: Fix escaped closing braces (#5995)
* filesystem: Globally declared filesystems, `fs` directive (#5833)
* ci/cd: use the build tag `nobadger` to exclude badgerdb (#6031)
* httpcaddyfile: Fix redir html (#6001)
* httpcaddyfile: Support client auth verifiers (#6022)
* tls: add reuse_private_keys (#6025)
* reverseproxy: Only change Content-Length when full request is buffered (#5830)
* Switch Solaris-derivatives away from listen_unix (#6021)
* build(deps): bump actions/upload-artifact from 3 to 4 (#6013)
* build(deps): bump actions/setup-go from 4 to 5 (#6012)
* chore: check against errors of `io/fs` instead of `os` (#6011)
* caddyhttp: support unix sockets in `caddy respond` command (#6010)
* fileserver: Add total file size to directory listing (#6003)
* httpcaddyfile: Fix cert file decoding to load multiple PEM in one file (#5997)
* build(deps): bump golang.org/x/crypto from 0.16.0 to 0.17.0 (#5994)
* cmd: use automaxprocs for better perf in containers (#5711)
* logging: Add `zap.Option` support (#5944)
* httpcaddyfile: Sort skip_hosts for deterministic JSON (#5990)
* metrics: Record request metrics on HTTP errors (#5979)
* go.mod: Updated quic-go to v0.40.1 (#5983)
* fileserver: Enable compression for command by default (#5855)
* fileserver: New --precompressed flag (#5880)
* caddyhttp: Add `uuid` to access logs when used (#5859)
* proxyprotocol: use github.com/pires/go-proxyproto (#5915)
* cmd: Preserve LastModified date when exporting storage (#5968)
* core: Always make AppDataDir for InstanceID (#5976)
* chore: cross-build for AIX (#5971)
* caddytls: Sync distributed storage cleaning (#5940)
* caddytls: Context to DecisionFunc (#5923)
* tls: accept placeholders in string values of certificate loaders (#5963)
* templates: Officially make templates extensible (#5939)
* http2 uses new round-robin scheduler (#5946)
* panic when reading from backend failed to propagate stream error (#5952)
* chore: Bump otel to v1.21.0. (#5949)
* httpredirectlistener: Only set read limit for when request is HTTP (#5917)
* fileserver: Add .m4v for browse template icon
* Revert "caddyhttp: Use sync.Pool to reduce lengthReader allocations (#5848)" (#5924)
* go.mod: update quic-go version to v0.40.0 (#5922)
* update quic-go to v0.39.3 (#5918)
* chore: Fix usage pool comment (#5916)
* test: acmeserver: add smoke test for the ACME server directory (#5914)
* Upgrade acmeserver to github.com/go-chi/chi/v5 (#5913)
* caddyhttp: Adjust `scheme` placeholder docs (#5910)
* go.mod: Upgrade quic-go to v0.39.1
* go.mod: CVE-2023-45142 Update opentelemetry (#5908)
* templates: Delete headers on `httpError` to reset to clean slate (#5905)
* httpcaddyfile: Remove port from logger names (#5881)
* core: Apply SO_REUSEPORT to UDP sockets (#5725)
* caddyhttp: Use sync.Pool to reduce lengthReader allocations (#5848)
* cmd: Add newline character to version string in CLI output (#5895)
* core: quic listener will manage the underlying socket by itself (#5749)
* templates: Clarify `include` args docs, add `.ClientIP` (#5898)
* httpcaddyfile: Fix TLS automation policy merging with get_certificate (#5896)
* cmd: upgrade: resolve symlink of the executable (#5891)
* caddyfile: Fix variadic placeholder false positive when token contains `:` (#5883)

- CVEs:
* CVE-2024-22189 (boo#1222468)
* CVE-2023-45142

- Update to version 2.7.6:

* caddytls: Sync distributed storage cleaning (#5940)
* caddytls: Context to DecisionFunc (#5923)
* tls: accept placeholders in string values of certificate loaders (#5963)
* templates: Officially make templates extensible (#5939)
* http2 uses new round-robin scheduler (#5946)
* panic when reading from backend failed to propagate stream error (#5952)
* chore: Bump otel to v1.21.0. (#5949)
* httpredirectlistener: Only set read limit for when request is HTTP
(#5917)
* fileserver: Add .m4v for browse template icon
* Revert "caddyhttp: Use sync.Pool to reduce lengthReader allocations
(#5848)" (#5924)
* go.mod: update quic-go version to v0.40.0 (#5922)
* update quic-go to v0.39.3 (#5918)
* chore: Fix usage pool comment (#5916)
* test: acmeserver: add smoke test for the ACME server directory (#5914)
* Upgrade acmeserver to github.com/go-chi/chi/v5 (#5913)
* caddyhttp: Adjust `scheme` placeholder docs (#5910)
* go.mod: Upgrade quic-go to v0.39.1
* go.mod: CVE-2023-45142 Update opentelemetry (#5908)
* templates: Delete headers on `httpError` to reset to clean slate
(#5905)
* httpcaddyfile: Remove port from logger names (#5881)
* core: Apply SO_REUSEPORT to UDP sockets (#5725)
* caddyhttp: Use sync.Pool to reduce lengthReader allocations (#5848)
* cmd: Add newline character to version string in CLI output (#5895)
* core: quic listener will manage the underlying socket by itself (#5749)
* templates: Clarify `include` args docs, add `.ClientIP` (#5898)
* httpcaddyfile: Fix TLS automation policy merging with get_certificate
(#5896)
* cmd: upgrade: resolve symlink of the executable (#5891)
* caddyfile: Fix variadic placeholder false positive when token contains
`:` (#5883)

- Update to version 2.7.5:

* admin: Respond with 4xx on non-existing config path (#5870)
* ci: Force the Go version for govulncheck (#5879)
* fileserver: Set canonical URL on browse template (#5867)
* tls: Add X25519Kyber768Draft00 PQ "curve" behind build tag (#5852)
* reverseproxy: Add more debug logs (#5793)
* reverseproxy: Fix `least_conn` policy regression (#5862)
* reverseproxy: Add logging for dynamic A upstreams (#5857)
* reverseproxy: Replace health header placeholders (#5861)
* httpcaddyfile: Sort TLS SNI matcher for deterministic JSON output
(#5860)
* cmd: Fix exiting with custom status code, add `caddy -v` (#5874)
* reverseproxy: fix parsing Caddyfile fails for unlimited
request/response buffers (#5828)
* reverseproxy: Fix retries on "upstreams unavailable" error (#5841)
* httpcaddyfile: Enable TLS for catch-all site if `tls` directive is
specified (#5808)
* encode: Add `application/wasm*` to the default content types (#5869)
* fileserver: Add command shortcuts `-l` and `-a` (#5854)
* go.mod: Upgrade dependencies incl. x/net/http
* templates: Add dummy `RemoteAddr` to `httpInclude` request, proxy
compatibility (#5845)
* reverseproxy: Allow fallthrough for response handlers without routes
(#5780)
* fix: caddytest.AssertResponseCode error message (#5853)
* build(deps): bump goreleaser/goreleaser-action from 4 to 5 (#5847)
* build(deps): bump actions/checkout from 3 to 4 (#5846)
* caddyhttp: Use LimitedReader for HTTPRedirectListener
* fileserver: browse template SVG icons and UI tweaks (#5812)
* reverseproxy: fix nil pointer dereference in AUpstreams.GetUpstreams
(#5811)
* httpcaddyfile: fix placeholder shorthands in named routes (#5791)
* cmd: Prevent overwriting existing env vars with `--envfile` (#5803)
* ci: Run govulncheck (#5790)
* logging: query filter for array of strings (#5779)
* logging: Clone array on log filters, prevent side-effects (#5786)
* fileserver: Export BrowseTemplate
* ci: ensure short-sha is exported correctly on all platforms (#5781)
* caddyfile: Fix case where heredoc marker is empty after newline (#5769)
* go.mod: Update quic-go to v0.38.0 (#5772)
* chore: Appease gosec linter (#5777)
* replacer: change timezone to UTC for "time.now.http" placeholders
(#5774)
* caddyfile: Adjust error formatting (#5765)
* update quic-go to v0.37.6 (#5767)
* httpcaddyfile: Stricter errors for site and upstream address schemes
(#5757)
* caddyfile: Loosen heredoc parsing (#5761)
* fileserver: docs: clarify the ability to produce JSON array with
`browse` (#5751)
* fix package typo (#5764)

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP6:

zypper in -t patch openSUSE-2024-220=1

Package List:

- openSUSE Backports SLE-15-SP6 (aarch64 i586 ppc64le s390x x86_64):

caddy-2.8.4-bp156.3.3.1

- openSUSE Backports SLE-15-SP6 (noarch):

caddy-bash-completion-2.8.4-bp156.3.3.1
caddy-fish-completion-2.8.4-bp156.3.3.1
caddy-zsh-completion-2.8.4-bp156.3.3.1

References:

https://www.suse.com/security/cve/CVE-2023-45142.html
https://www.suse.com/security/cve/CVE-2024-22189.html
https://bugzilla.suse.com/1222468



openSUSE-SU-2024:0206-1: moderate: Security update for cockpit


openSUSE Security Update: Security update for cockpit
_______________________________

Announcement ID: openSUSE-SU-2024:0206-1
Rating: moderate
References: #1226040 #1227299
Cross-References: CVE-2024-6126
CVSS scores:
CVE-2024-6126 (SUSE): 4.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Affected Products:
openSUSE Backports SLE-15-SP6
_______________________________

An update that solves one vulnerability and has one errata
is now available.

Description:

This update for cockpit fixes the following issues:

- new version 320:

* pam-ssh-add: Fix insecure killing of session ssh-agent (boo#1226040,
CVE-2024-6126)

- changes in older versions:

* Storage: Btrfs snapshots
* Podman: Add image pull action
* Files: Bookmark support
* webserver: System user changes
* Metrics: Grafana setup now prefers Valkey
- Invalid json against the storaged manifest boo#1227299

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP6:

zypper in -t patch openSUSE-2024-206=1

Package List:

- openSUSE Backports SLE-15-SP6 (aarch64 ppc64le s390x x86_64):

cockpit-320-bp156.2.6.3
cockpit-bridge-320-bp156.2.6.3
cockpit-devel-320-bp156.2.6.3
cockpit-pcp-320-bp156.2.6.3
cockpit-ws-320-bp156.2.6.3

- openSUSE Backports SLE-15-SP6 (noarch):

cockpit-doc-320-bp156.2.6.3
cockpit-kdump-320-bp156.2.6.3
cockpit-networkmanager-320-bp156.2.6.3
cockpit-packagekit-320-bp156.2.6.3
cockpit-selinux-320-bp156.2.6.3
cockpit-storaged-320-bp156.2.6.3
cockpit-system-320-bp156.2.6.3

References:

https://www.suse.com/security/cve/CVE-2024-6126.html
https://bugzilla.suse.com/1226040
https://bugzilla.suse.com/1227299



openSUSE-SU-2024:0226-1: moderate: Security update for gh


openSUSE Security Update: Security update for gh
_______________________________

Announcement ID: openSUSE-SU-2024:0226-1
Rating: moderate
References: #1227035
Cross-References: CVE-2024-6104
CVSS scores:
CVE-2024-6104 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVE-2024-6104 (SUSE): 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

Affected Products:
openSUSE Backports SLE-15-SP6
_______________________________

An update that fixes one vulnerability is now available.

Description:

This update for gh fixes the following issues:

Update to version 2.53.0:

* CVE-2024-6104: gh: hashicorp/go-retryablehttp: url might write
sensitive information to log file (boo#1227035)

* Disable `TestGetTrustedRoot/successfully_verifies_TUF_root` test due
to https://github.com/cli/cli/issues/8928
* Rename package directory and files
* Rename package name to `update_branch`
* Rename `gh pr update` to `gh pr update-branch`
* Add test case for merge conflict error
* Handle merge conflict error
* Return error if PR is not mergeable
* Replace literals with consts for `Mergeable` field values
* Add separate type for `PullRequest.Mergeable` field
* Remove unused flag
* Print message on stdout instead of stderr
* Raise error if editor is used in non-tty mode
* Add tests for JSON field support on issue and pr view commands
* docs: Update documentation for `gh repo create` to clarify owner
* Ensure PR does not panic when stateReason is requested
* Enable to use --web even though editor is enabled by config
* Add editor hint message
* Use prefer_editor_prompt config by `issue create`
* Add prefer_editor_prompt config
* Add `issue create --editor`
* Update create.go
* gh attestation trusted-root subcommand (#9206)
* Fetch variable selected repo relationship when required
* Add `createdAt` field to tests
* Add `createdAt` field to `Variable` type
* Add test for exporting as JSON
* Add test for JSON output
* Only populate selected repo information for JSON output
* Add test to verify JSON exporter gets set
* Add `--json` option support
* Use `Variable` type defined in `shared` package
* Add tests for JSON output
* Move `Variable` type and `PopulateSelectedRepositoryInformation` func
to shared
* Fix query parameter name
* Update tests to account for ref comparison step
* Improve query variable names
* Check if PR branch is already up-to-date
* Add `ComparePullRequestBaseBranchWith` function
* Run `go mod tidy`
* Add test to verify `--repo` requires non-empty selector
* Require non-empty selector when `--repo` override is used
* Run `go mod tidy`
* Register `update` command
* Add tests for `pr update` command
* Add `pr update` command
* Add `UpdatePullRequestBranch` method
* Upgrade `shurcooL/githubv4`

Update to version 2.52.0:

* Attestation Verification - Buffer Fix
* Remove beta note from attestation top level command
* Removed beta note from `gh at download`.
* Removed beta note from `gh at verify`, clarified reusable workflows
use case.
* add `-a` flag to `gh run list`

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP6:

zypper in -t patch openSUSE-2024-226=1

Package List:

- openSUSE Backports SLE-15-SP6 (aarch64 i586 ppc64le s390x x86_64):

gh-2.53.0-bp156.2.6.1

- openSUSE Backports SLE-15-SP6 (noarch):

gh-bash-completion-2.53.0-bp156.2.6.1
gh-fish-completion-2.53.0-bp156.2.6.1
gh-zsh-completion-2.53.0-bp156.2.6.1

References:

https://www.suse.com/security/cve/CVE-2024-6104.html
https://bugzilla.suse.com/1227035



openSUSE-SU-2024:0157-2: important: Security update for nano


openSUSE Security Update: Security update for nano
_______________________________

Announcement ID: openSUSE-SU-2024:0157-2
Rating: important
References: #1226099
Cross-References: CVE-2024-5742
CVSS scores:
CVE-2024-5742 (SUSE): 6.3 CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

Affected Products:
openSUSE Backports SLE-15-SP6
_______________________________

An update that fixes one vulnerability is now available.

Description:

This update for nano fixes the following issues:

- CVE-2024-5742: Avoid privilege escalations via symlink attacks on
emergency save file (boo#1226099)

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP6:

zypper in -t patch openSUSE-2024-157=1

Package List:

- openSUSE Backports SLE-15-SP6 (aarch64 i586 ppc64le s390x x86_64):

nano-7.2-bp156.3.3.1
nano-debuginfo-7.2-bp156.3.3.1
nano-debugsource-7.2-bp156.3.3.1

- openSUSE Backports SLE-15-SP6 (noarch):

nano-lang-7.2-bp156.3.3.1

References:

https://www.suse.com/security/cve/CVE-2024-5742.html
https://bugzilla.suse.com/1226099



openSUSE-SU-2024:0254-2: important: Security update for chromium, gn, rust-bindgen


openSUSE Security Update: Security update for chromium, gn, rust-bindgen
_______________________________

Announcement ID: openSUSE-SU-2024:0254-2
Rating: important
References: #1228628 #1228940 #1228941 #1228942
Cross-References: CVE-2024-6988 CVE-2024-6989 CVE-2024-6990
CVE-2024-6991 CVE-2024-6992 CVE-2024-6993
CVE-2024-6994 CVE-2024-6995 CVE-2024-6996
CVE-2024-6997 CVE-2024-6998 CVE-2024-6999
CVE-2024-7000 CVE-2024-7001 CVE-2024-7003
CVE-2024-7004 CVE-2024-7005 CVE-2024-7255
CVE-2024-7256 CVE-2024-7532 CVE-2024-7533
CVE-2024-7534 CVE-2024-7535 CVE-2024-7536
CVE-2024-7550
CVSS scores:
CVE-2024-6988 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2024-6989 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2024-6990 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2024-6991 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2024-6994 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2024-6995 (NVD) : 4.7 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
CVE-2024-6996 (NVD) : 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
CVE-2024-6997 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2024-6998 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2024-6999 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVE-2024-7000 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2024-7001 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVE-2024-7003 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVE-2024-7004 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVE-2024-7005 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVE-2024-7255 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2024-7532 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2024-7533 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2024-7534 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2024-7535 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2024-7536 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2024-7550 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products:
openSUSE Backports SLE-15-SP6
_______________________________

An update that fixes 25 vulnerabilities is now available.

Description:

This update for chromium, gn, rust-bindgen fixes the following issues:

- Chromium 127.0.6533.119 (boo#1228941)

* CVE-2024-7532: Out of bounds memory access in ANGLE
* CVE-2024-7533: Use after free in Sharing
* CVE-2024-7550: Type Confusion in V8
* CVE-2024-7534: Heap buffer overflow in Layout
* CVE-2024-7535: Inappropriate implementation in V8
* CVE-2024-7536: Use after free in WebAudio

- Chromium 127.0.6533.88 (boo#1228628, boo#1228940, boo#1228942)

* CVE-2024-6988: Use after free in Downloads
* CVE-2024-6989: Use after free in Loader
* CVE-2024-6991: Use after free in Dawn
* CVE-2024-6992: Out of bounds memory access in ANGLE
* CVE-2024-6993: Inappropriate implementation in Canvas
* CVE-2024-6994: Heap buffer overflow in Layout
* CVE-2024-6995: Inappropriate implementation in Fullscreen
* CVE-2024-6996: Race in Frames
* CVE-2024-6997: Use after free in Tabs
* CVE-2024-6998: Use after free in User Education
* CVE-2024-6999: Inappropriate implementation in FedCM
* CVE-2024-7000: Use after free in CSS. Reported by Anonymous
* CVE-2024-7001: Inappropriate implementation in HTML
* CVE-2024-7003: Inappropriate implementation in FedCM
* CVE-2024-7004: Insufficient validation of untrusted input in Safe
Browsing
* CVE-2024-7005: Insufficient validation of untrusted input in Safe
Browsing
* CVE-2024-6990: Uninitialized Use in Dawn
* CVE-2024-7255: Out of bounds read in WebTransport
* CVE-2024-7256: Insufficient data validation in Dawn

gn:

- Update to version 0.20240730:
* Rust: link_output, depend_output and runtime_outputs for dylibs
* Add missing reference section to function_toolchain.cc
* Do not cleanup args.gn imports located in the output directory.
* Fix expectations in NinjaRustBinaryTargetWriterTest.SwiftModule
* Do not add native dependencies to the library search path
* Support linking frameworks and swiftmodules in Rust targets
* [desc] Silence print() statements when outputting json
* infra: Move CI/try builds to Ubuntu-22.04
* [MinGW] Fix mingw building issues
* [gn] Fix "link" in the //examples/simple_build/build/toolchain/BUILD.gn
* [template] Fix "rule alink_thin" in the
//build/build_linux.ninja.template
* Allow multiple --ide switches
* [src] Add "#include " in the
//src/base/files/file_enumerator_win.cc
* Get updates to infra/recipes.py from upstream
* Revert "Teach gn to handle systems with > 64 processors"
* [apple] Rename the code-signing properties of create_bundle
* Fix a typo in "gn help refs" output
* Revert "[bundle] Use "phony" builtin tool for create_bundle targets"
* [bundle] Use "phony" builtin tool for create_bundle targets
* [ios] Simplify handling of assets catalog
* [swift] List all outputs as deps of "source_set" stamp file
* [swift] Update `gn check ...` to consider the generated header
* [swift] Set `restat = 1` to swift build rules
* Fix build with gcc12
* [label_matches] Add new functions label_matches(),
filter_labels_include() and filter_labels_exclude()
* [swift] Remove problematic use of "stamp" tool
* Implement new --ninja-outputs-file option.
* Add NinjaOutputsWriter class
* Move InvokePython() function to its own source file.
* zos: build with -DZOSLIB_OVERRIDE_CLIB to override creat
* Enable C++ runtime assertions in debug mode.
* Fix regression in MakeRelativePath()
* fix: Fix Windows MakeRelativePath.
* Add long path support for windows
* Ensure read_file() files are considered by "gn analyze"
* apply 2to3 to some Python scripts
* Add rustflags to desc and help output
* strings: support case insensitive check only in StartsWith/EndsWith
* add .git-blame-ignore-revs
* use std::{string,string_view}::{starts_with,ends_with}
* apply clang-format to all C++ sources
* add forward declaration in rust_values.h
* Add `root_patterns` list to build configuration.
* Use c++20 in GN build
* update windows sdk to 2024-01-11
* update windows sdk
* Add linux-riscv64.
* Update OWNERS list.
* remove unused function
* Ignore build warning -Werror=redundant-move
* Fix --as=buildfile `gn desc deps` output.
* Update recipe engine to 9dea1246.
* treewide: Fix spelling mistakes

Added rust-bindgen:

- Version 0.69.1

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP6:

zypper in -t patch openSUSE-2024-254=1

Package List:

- openSUSE Backports SLE-15-SP6 (aarch64 i586 ppc64le s390x x86_64):

gn-0.20240730-bp156.2.3.1
gn-debuginfo-0.20240730-bp156.2.3.1
gn-debugsource-0.20240730-bp156.2.3.1
rust-bindgen-0.69.1-bp156.2.1
rust-bindgen-debuginfo-0.69.1-bp156.2.1

- openSUSE Backports SLE-15-SP6 (aarch64 x86_64):

chromedriver-127.0.6533.119-bp156.2.14.1
chromedriver-debuginfo-127.0.6533.119-bp156.2.14.1
chromium-127.0.6533.119-bp156.2.14.1
chromium-debuginfo-127.0.6533.119-bp156.2.14.1

References:

https://www.suse.com/security/cve/CVE-2024-6988.html
https://www.suse.com/security/cve/CVE-2024-6989.html
https://www.suse.com/security/cve/CVE-2024-6990.html
https://www.suse.com/security/cve/CVE-2024-6991.html
https://www.suse.com/security/cve/CVE-2024-6992.html
https://www.suse.com/security/cve/CVE-2024-6993.html
https://www.suse.com/security/cve/CVE-2024-6994.html
https://www.suse.com/security/cve/CVE-2024-6995.html
https://www.suse.com/security/cve/CVE-2024-6996.html
https://www.suse.com/security/cve/CVE-2024-6997.html
https://www.suse.com/security/cve/CVE-2024-6998.html
https://www.suse.com/security/cve/CVE-2024-6999.html
https://www.suse.com/security/cve/CVE-2024-7000.html
https://www.suse.com/security/cve/CVE-2024-7001.html
https://www.suse.com/security/cve/CVE-2024-7003.html
https://www.suse.com/security/cve/CVE-2024-7004.html
https://www.suse.com/security/cve/CVE-2024-7005.html
https://www.suse.com/security/cve/CVE-2024-7255.html
https://www.suse.com/security/cve/CVE-2024-7256.html
https://www.suse.com/security/cve/CVE-2024-7532.html
https://www.suse.com/security/cve/CVE-2024-7533.html
https://www.suse.com/security/cve/CVE-2024-7534.html
https://www.suse.com/security/cve/CVE-2024-7535.html
https://www.suse.com/security/cve/CVE-2024-7536.html
https://www.suse.com/security/cve/CVE-2024-7550.html
https://bugzilla.suse.com/1228628
https://bugzilla.suse.com/1228940
https://bugzilla.suse.com/1228941
https://bugzilla.suse.com/1228942



openSUSE-SU-2024:0161-1: moderate: Security update for plasma5-workspace


openSUSE Security Update: Security update for plasma5-workspace
_______________________________

Announcement ID: openSUSE-SU-2024:0161-1
Rating: moderate
References: #1225774 #1226110
Cross-References: CVE-2024-36041
CVSS scores:
CVE-2024-36041 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products:
openSUSE Backports SLE-15-SP6
_______________________________

An update that solves one vulnerability and has one errata
is now available.

Description:

plasma5-workspace was updated to fix the following issue:

- Fixed ksmserver authentication (CVE-2024-36041, boo#1225774).

- Fixed a regression introduced by the preceding change (kde#487912,
boo#1226110):

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP6:

zypper in -t patch openSUSE-2024-161=1

Package List:

- openSUSE Backports SLE-15-SP6 (aarch64 ppc64le x86_64):

gmenudbusmenuproxy-5.27.11-bp156.3.3.1
plasma5-session-wayland-5.27.11-bp156.3.3.1
plasma5-workspace-5.27.11-bp156.3.3.1
plasma5-workspace-devel-5.27.11-bp156.3.3.1
plasma5-workspace-libs-5.27.11-bp156.3.3.1
xembedsniproxy-5.27.11-bp156.3.3.1

- openSUSE Backports SLE-15-SP6 (noarch):

plasma5-session-5.27.11-bp156.3.3.1
plasma5-workspace-lang-5.27.11-bp156.3.3.1

References:

https://www.suse.com/security/cve/CVE-2024-36041.html
https://bugzilla.suse.com/1225774
https://bugzilla.suse.com/1226110



openSUSE-SU-2024:0203-1: critical: Security update for znc


openSUSE Security Update: Security update for znc
_______________________________

Announcement ID: openSUSE-SU-2024:0203-1
Rating: critical
References: #1227393
Cross-References: CVE-2024-39844
Affected Products:
openSUSE Backports SLE-15-SP6
_______________________________

An update that fixes one vulnerability is now available.

Description:

This update for znc fixes the following issues:

Update to 1.9.1 (boo#1227393, CVE-2024-39844)

* This is a security release to fix CVE-2024-39844: remote code
execution vulnerability in modtcl. To mitigate this for existing
installations, simply unload the modtcl module for every user, if it's
loaded. Note that only users with admin rights can load modtcl at all.
* Improve tooltips in webadmin.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP6:

zypper in -t patch openSUSE-2024-203=1

Package List:

- openSUSE Backports SLE-15-SP6 (aarch64 i586 ppc64le s390x x86_64):

znc-1.9.1-bp156.2.3.1
znc-devel-1.9.1-bp156.2.3.1
znc-perl-1.9.1-bp156.2.3.1
znc-python3-1.9.1-bp156.2.3.1
znc-tcl-1.9.1-bp156.2.3.1

- openSUSE Backports SLE-15-SP6 (noarch):

znc-lang-1.9.1-bp156.2.3.1

References:

https://www.suse.com/security/cve/CVE-2024-39844.html
https://bugzilla.suse.com/1227393



openSUSE-SU-2024:0150-2: moderate: Security update for libhtp


openSUSE Security Update: Security update for libhtp
_______________________________

Announcement ID: openSUSE-SU-2024:0150-2
Rating: moderate
References: #1220403
Cross-References: CVE-2024-23837
Affected Products:
openSUSE Backports SLE-15-SP6
_______________________________

An update that fixes one vulnerability is now available.

Description:

This update for libhtp fixes the following issues:

- CVE-2024-23837: excessive processing time of HTTP headers can lead to
denial of service (boo#1220403)

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP6:

zypper in -t patch openSUSE-2024-150=1

Package List:

- openSUSE Backports SLE-15-SP6 (aarch64 i586 ppc64le s390x x86_64):

libhtp-debugsource-0.5.42-bp156.3.3.1
libhtp-devel-0.5.42-bp156.3.3.1
libhtp2-0.5.42-bp156.3.3.1
libhtp2-debuginfo-0.5.42-bp156.3.3.1

References:

https://www.suse.com/security/cve/CVE-2024-23837.html
https://bugzilla.suse.com/1220403



openSUSE-SU-2024:0224-2: moderate: Security update for keybase-client


openSUSE Security Update: Security update for keybase-client
_______________________________

Announcement ID: openSUSE-SU-2024:0224-2
Rating: moderate
References: #1227167
Cross-References: CVE-2024-24792
Affected Products:
openSUSE Backports SLE-15-SP6
_______________________________

An update that fixes one vulnerability is now available.

Description:

This update for keybase-client fixes the following issues:

- Update the Image dependency to address CVE-2024-24792 (boo#1227167).

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP6:

zypper in -t patch openSUSE-2024-224=1

Package List:

- openSUSE Backports SLE-15-SP6 (aarch64 i586 ppc64le s390x x86_64):

kbfs-6.2.8-bp156.2.6.1
kbfs-debuginfo-6.2.8-bp156.2.6.1
kbfs-git-6.2.8-bp156.2.6.1
kbfs-git-debuginfo-6.2.8-bp156.2.6.1
kbfs-tool-6.2.8-bp156.2.6.1
kbfs-tool-debuginfo-6.2.8-bp156.2.6.1
keybase-client-6.2.8-bp156.2.6.1
keybase-client-debuginfo-6.2.8-bp156.2.6.1

References:

https://www.suse.com/security/cve/CVE-2024-24792.html
https://bugzilla.suse.com/1227167



openSUSE-SU-2024:0168-1: important: Security update for gdcm


openSUSE Security Update: Security update for gdcm
_______________________________

Announcement ID: openSUSE-SU-2024:0168-1
Rating: important
References: #1223398
Cross-References: CVE-2024-22373
CVSS scores:
CVE-2024-22373 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:
openSUSE Backports SLE-15-SP6
_______________________________

An update that fixes one vulnerability is now available.

Description:

This update for gdcm fixes the following issues:

- CVE-2024-22373: Fixed out-of-bounds write vulnerability in
JPEG2000Codec::DecodeByStreamsCommon (boo#1223398).

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP6:

zypper in -t patch openSUSE-2024-168=1

Package List:

- openSUSE Backports SLE-15-SP6 (aarch64 ppc64le s390x x86_64):

gdcm-3.0.24-bp156.2.4.1
gdcm-applications-3.0.24-bp156.2.4.1
gdcm-devel-3.0.24-bp156.2.4.1
gdcm-examples-3.0.24-bp156.2.4.1
libgdcm3_0-3.0.24-bp156.2.4.1
libsocketxx1_2-3.0.24-bp156.2.4.1
python3-gdcm-3.0.24-bp156.2.4.1

References:

https://www.suse.com/security/cve/CVE-2024-22373.html
https://bugzilla.suse.com/1223398



openSUSE-SU-2024:0212-2: important: Security update for chromium


openSUSE Security Update: Security update for chromium
_______________________________

Announcement ID: openSUSE-SU-2024:0212-2
Rating: important
References: #1227979
Cross-References: CVE-2024-6772 CVE-2024-6773 CVE-2024-6774
CVE-2024-6775 CVE-2024-6776 CVE-2024-6777
CVE-2024-6778 CVE-2024-6779
Affected Products:
openSUSE Backports SLE-15-SP6
_______________________________

An update that fixes 8 vulnerabilities is now available.

Description:

This update for chromium fixes the following issues:

Chromium 126.0.6478.182 (boo#1227979):

- CVE-2024-6772: Inappropriate implementation in V8
- CVE-2024-6773: Type Confusion in V8
- CVE-2024-6774: Use after free in Screen Capture
- CVE-2024-6775: Use after free in Media Stream
- CVE-2024-6776: Use after free in Audio
- CVE-2024-6777: Use after free in Navigation
- CVE-2024-6778: Race in DevTools
- CVE-2024-6779: Out of bounds memory access in V8

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP6:

zypper in -t patch openSUSE-2024-212=1

Package List:

- openSUSE Backports SLE-15-SP6 (aarch64 x86_64):

chromedriver-126.0.6478.182-bp156.2.11.1
chromedriver-debuginfo-126.0.6478.182-bp156.2.11.1
chromium-126.0.6478.182-bp156.2.11.1
chromium-debuginfo-126.0.6478.182-bp156.2.11.1

References:

https://www.suse.com/security/cve/CVE-2024-6772.html
https://www.suse.com/security/cve/CVE-2024-6773.html
https://www.suse.com/security/cve/CVE-2024-6774.html
https://www.suse.com/security/cve/CVE-2024-6775.html
https://www.suse.com/security/cve/CVE-2024-6776.html
https://www.suse.com/security/cve/CVE-2024-6777.html
https://www.suse.com/security/cve/CVE-2024-6778.html
https://www.suse.com/security/cve/CVE-2024-6779.html
https://bugzilla.suse.com/1227979