SUSE 5185 Published by

The following security updates have been released for SUSE Linux Enterprise 15 SP5:

openSUSE-SU-2024:0227-1: moderate: Security update for gh
openSUSE-SU-2024:0225-1: moderate: Security update for assimp




openSUSE-SU-2024:0227-1: moderate: Security update for gh


openSUSE Security Update: Security update for gh
_______________________________

Announcement ID: openSUSE-SU-2024:0227-1
Rating: moderate
References: #1227035
Cross-References: CVE-2024-6104
CVSS scores:
CVE-2024-6104 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVE-2024-6104 (SUSE): 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

Affected Products:
openSUSE Backports SLE-15-SP5
_______________________________

An update that fixes one vulnerability is now available.

Description:

This update for gh fixes the following issues:

Update to version 2.53.0:

* CVE-2024-6104: gh: hashicorp/go-retryablehttp: url might write sensitive
information to log file (boo#1227035)

* Disable `TestGetTrustedRoot/successfully_verifies_TUF_root` test due to
https://github.com/cli/cli/issues/8928
* Rename package directory and files
* Rename package name to `update_branch`
* Rename `gh pr update` to `gh pr update-branch`
* Add test case for merge conflict error
* Handle merge conflict error
* Return error if PR is not mergeable
* Replace literals with consts for `Mergeable` field values
* Add separate type for `PullRequest.Mergeable` field
* Remove unused flag
* Print message on stdout instead of stderr
* Raise error if editor is used in non-tty mode
* Add tests for JSON field support on issue and pr view commands
* docs: Update documentation for `gh repo create` to clarify owner
* Ensure PR does not panic when stateReason is requested
* Add `createdAt` field to tests
* Add `createdAt` field to `Variable` type
* Add test for exporting as JSON
* Add test for JSON output
* Only populate selected repo information for JSON output
* Add test to verify JSON exporter gets set
* Add `--json` option support
* Use `Variable` type defined in `shared` package
* Add tests for JSON output
* Move `Variable` type and `PopulateSelectedRepositoryInformation` func to
shared
* Fix query parameter name
* Update tests to account for ref comparison step
* Improve query variable names
* Check if PR branch is already up-to-date
* Add `ComparePullRequestBaseBranchWith` function
* Run `go mod tidy`
* Add test to verify `--repo` requires non-empty selector
* Require non-empty selector when `--repo` override is used
* Run `go mod tidy`
* Register `update` command
* Add tests for `pr update` command
* Add `pr update` command
* Add `UpdatePullRequestBranch` method
* Upgrade `shurcooL/githubv4`

Update to version 2.52.0:

* Attestation Verification - Buffer Fix
* Remove beta note from attestation top level command
* Removed beta note from `gh at download`.
* Removed beta note from `gh at verify`, clarified reusable workflows use
case.
* add `-a` flag to `gh run list`

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP5:

zypper in -t patch openSUSE-2024-227=1

Package List:

- openSUSE Backports SLE-15-SP5 (aarch64 i586 ppc64le s390x x86_64):

gh-2.53.0-bp155.2.12.1

- openSUSE Backports SLE-15-SP5 (noarch):

gh-bash-completion-2.53.0-bp155.2.12.1
gh-fish-completion-2.53.0-bp155.2.12.1
gh-zsh-completion-2.53.0-bp155.2.12.1

References:

https://www.suse.com/security/cve/CVE-2024-6104.html
https://bugzilla.suse.com/1227035



openSUSE-SU-2024:0225-1: moderate: Security update for assimp


openSUSE Security Update: Security update for assimp
_______________________________

Announcement ID: openSUSE-SU-2024:0225-1
Rating: moderate
References: #1218474 #1228142
Cross-References: CVE-2024-40724
CVSS scores:
CVE-2024-40724 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products:
openSUSE Backports SLE-15-SP5
_______________________________

An update that solves one vulnerability and has one errata
is now available.

Description:

This update for assimp fixes the following issues:

- CVE-2024-40724: Fixed heap-based buffer overflow in the PLY importer
class (boo#1228142),

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP5:

zypper in -t patch openSUSE-2024-225=1

Package List:

- openSUSE Backports SLE-15-SP5 (aarch64 ppc64le s390x x86_64):

assimp-devel-5.2.5-bp155.2.3.1
libassimp5-5.2.5-bp155.2.3.1

References:

https://www.suse.com/security/cve/CVE-2024-40724.html
https://bugzilla.suse.com/1218474
https://bugzilla.suse.com/1228142