SUSE 5149 Published by

SUSE Linux has been updated with several security fixes, including moderate and important updates for libmozjs-128-0-128.4.0-1.1, htmldoc-1.9.18-3.1, libgsf, kmail-account-wizard, python-jupyterlab, and python-mysql-connector-python:

openSUSE-SU-2024:14461-1: moderate: libmozjs-128-0-128.4.0-1.1 on GA media
openSUSE-SU-2024:14460-1: moderate: htmldoc-1.9.18-3.1 on GA media
SUSE-SU-2024:3922-1: important: Security update for libgsf
openSUSE-SU-2024:0353-1: moderate: Security update for kmail-account-wizard
openSUSE-SU-2024:0352-1: moderate: Security update for python-jupyterlab
openSUSE-SU-2024:0351-1: important: Security update for python-mysql-connector-python




openSUSE-SU-2024:14461-1: moderate: libmozjs-128-0-128.4.0-1.1 on GA media


# libmozjs-128-0-128.4.0-1.1 on GA media

Announcement ID: openSUSE-SU-2024:14461-1
Rating: moderate

Cross-References:

* CVE-2024-10458
* CVE-2024-10459
* CVE-2024-10460
* CVE-2024-10461
* CVE-2024-10462
* CVE-2024-10463
* CVE-2024-10464
* CVE-2024-10465
* CVE-2024-10466
* CVE-2024-10467

CVSS scores:

* CVE-2024-10458 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
* CVE-2024-10458 ( SUSE ): 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
* CVE-2024-10459 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2024-10459 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2024-10460 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
* CVE-2024-10460 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
* CVE-2024-10461 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
* CVE-2024-10461 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
* CVE-2024-10462 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
* CVE-2024-10462 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
* CVE-2024-10463 ( SUSE ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
* CVE-2024-10463 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
* CVE-2024-10464 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2024-10464 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2024-10465 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
* CVE-2024-10465 ( SUSE ): 5.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
* CVE-2024-10466 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2024-10466 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2024-10467 ( SUSE ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-10467 ( SUSE ): 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Products:

* openSUSE Tumbleweed

An update that solves 10 vulnerabilities can now be installed.

## Description:

These are all security issues fixed in the libmozjs-128-0-128.4.0-1.1 package on the GA media of openSUSE Tumbleweed.

## Package List:

* openSUSE Tumbleweed:
  * libmozjs-128-0 128.4.0-1.1
  * mozjs128 128.4.0-1.1
  * mozjs128-devel 128.4.0-1.1

## References:

* https://www.suse.com/security/cve/CVE-2024-10458.html
* https://www.suse.com/security/cve/CVE-2024-10459.html
* https://www.suse.com/security/cve/CVE-2024-10460.html
* https://www.suse.com/security/cve/CVE-2024-10461.html
* https://www.suse.com/security/cve/CVE-2024-10462.html
* https://www.suse.com/security/cve/CVE-2024-10463.html
* https://www.suse.com/security/cve/CVE-2024-10464.html
* https://www.suse.com/security/cve/CVE-2024-10465.html
* https://www.suse.com/security/cve/CVE-2024-10466.html
* https://www.suse.com/security/cve/CVE-2024-10467.html



openSUSE-SU-2024:14460-1: moderate: htmldoc-1.9.18-3.1 on GA media


# htmldoc-1.9.18-3.1 on GA media

Announcement ID: openSUSE-SU-2024:14460-1
Rating: moderate

Cross-References:

* CVE-2024-46478

Affected Products:

* openSUSE Tumbleweed

An update that solves one vulnerability can now be installed.

## Description:

These are all security issues fixed in the htmldoc-1.9.18-3.1 package on the GA media of openSUSE Tumbleweed.

## Package List:

* openSUSE Tumbleweed:
  * htmldoc 1.9.18-3.1

## References:

* https://www.suse.com/security/cve/CVE-2024-46478.html



SUSE-SU-2024:3922-1: important: Security update for libgsf


# Security update for libgsf

Announcement ID: SUSE-SU-2024:3922-1
Release Date: 2024-11-06T10:12:34Z
Rating: important
References:

* bsc#1231282
* bsc#1231283

Cross-References:

* CVE-2024-36474
* CVE-2024-42415

CVSS scores:

* CVE-2024-36474 ( SUSE ): 7.3 CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2024-36474 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2024-36474 ( NVD ): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-36474 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2024-42415 ( SUSE ): 7.3 CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2024-42415 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2024-42415 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2024-42415 ( NVD ): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:

* Desktop Applications Module 15-SP5
* openSUSE Leap 15.4
* openSUSE Leap 15.5
* SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4
* SUSE Linux Enterprise Desktop 15 SP5
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
* SUSE Linux Enterprise Real Time 15 SP5
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
* SUSE Linux Enterprise Workstation Extension 15 SP5

An update that solves two vulnerabilities can now be installed.

## Description:

This update for libgsf fixes the following issues:

* CVE-2024-42415, CVE-2024-36474: Fixed integer overflows affecting memory allocation (bsc#1231282, bsc#1231283).

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* openSUSE Leap 15.4
zypper in -t patch SUSE-2024-3922=1

* openSUSE Leap 15.5
zypper in -t patch openSUSE-SLE-15.5-2024-3922=1

* Desktop Applications Module 15-SP5
zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP5-2024-3922=1

* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2024-3922=1

* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2024-3922=1

* SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4
zypper in -t patch SUSE-SLE-Product-SLED-15-SP4-LTSS-2024-3922=1

* SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4
zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2024-3922=1

* SUSE Linux Enterprise Server for SAP Applications 15 SP4
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2024-3922=1

* SUSE Linux Enterprise Workstation Extension 15 SP5
zypper in -t patch SUSE-SLE-Product-WE-15-SP5-2024-3922=1

## Package List:

* openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64 i586)
  * libgsf-tools-1.14.50-150400.3.6.1
  * libgsf-1-114-1.14.50-150400.3.6.1
  * typelib-1_0-Gsf-1-1.14.50-150400.3.6.1
  * gsf-office-thumbnailer-debuginfo-1.14.50-150400.3.6.1
  * libgsf-1-114-debuginfo-1.14.50-150400.3.6.1
  * libgsf-tools-debuginfo-1.14.50-150400.3.6.1
  * libgsf-devel-1.14.50-150400.3.6.1
  * libgsf-debugsource-1.14.50-150400.3.6.1
  * gsf-office-thumbnailer-1.14.50-150400.3.6.1
* openSUSE Leap 15.4 (x86_64)
  * libgsf-1-114-32bit-1.14.50-150400.3.6.1
  * libgsf-1-114-32bit-debuginfo-1.14.50-150400.3.6.1
* openSUSE Leap 15.4 (noarch)
  * libgsf-lang-1.14.50-150400.3.6.1
* openSUSE Leap 15.4 (aarch64_ilp32)
  * libgsf-1-114-64bit-1.14.50-150400.3.6.1
  * libgsf-1-114-64bit-debuginfo-1.14.50-150400.3.6.1
* openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
  * libgsf-tools-1.14.50-150400.3.6.1
  * libgsf-1-114-1.14.50-150400.3.6.1
  * typelib-1_0-Gsf-1-1.14.50-150400.3.6.1
  * gsf-office-thumbnailer-debuginfo-1.14.50-150400.3.6.1
  * libgsf-1-114-debuginfo-1.14.50-150400.3.6.1
  * libgsf-tools-debuginfo-1.14.50-150400.3.6.1
  * libgsf-devel-1.14.50-150400.3.6.1
  * libgsf-debugsource-1.14.50-150400.3.6.1
  * gsf-office-thumbnailer-1.14.50-150400.3.6.1
* openSUSE Leap 15.5 (x86_64)
  * libgsf-1-114-32bit-1.14.50-150400.3.6.1
  * libgsf-1-114-32bit-debuginfo-1.14.50-150400.3.6.1
* openSUSE Leap 15.5 (noarch)
  * libgsf-lang-1.14.50-150400.3.6.1
* Desktop Applications Module 15-SP5 (aarch64 ppc64le s390x x86_64)
  * libgsf-1-114-1.14.50-150400.3.6.1
  * libgsf-1-114-debuginfo-1.14.50-150400.3.6.1
  * libgsf-debugsource-1.14.50-150400.3.6.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (aarch64 x86_64)
  * libgsf-1-114-1.14.50-150400.3.6.1
  * libgsf-1-114-debuginfo-1.14.50-150400.3.6.1
  * libgsf-debugsource-1.14.50-150400.3.6.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (aarch64 x86_64)
  * libgsf-1-114-1.14.50-150400.3.6.1
  * libgsf-1-114-debuginfo-1.14.50-150400.3.6.1
  * libgsf-debugsource-1.14.50-150400.3.6.1
* SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (x86_64)
  * libgsf-1-114-1.14.50-150400.3.6.1
  * typelib-1_0-Gsf-1-1.14.50-150400.3.6.1
  * libgsf-1-114-debuginfo-1.14.50-150400.3.6.1
  * libgsf-devel-1.14.50-150400.3.6.1
  * libgsf-debugsource-1.14.50-150400.3.6.1
* SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (noarch)
  * libgsf-lang-1.14.50-150400.3.6.1
* SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (aarch64 ppc64le s390x x86_64)
  * libgsf-1-114-1.14.50-150400.3.6.1
  * libgsf-1-114-debuginfo-1.14.50-150400.3.6.1
  * libgsf-debugsource-1.14.50-150400.3.6.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP4 (ppc64le x86_64)
  * libgsf-1-114-1.14.50-150400.3.6.1
  * libgsf-1-114-debuginfo-1.14.50-150400.3.6.1
  * libgsf-debugsource-1.14.50-150400.3.6.1
* SUSE Linux Enterprise Workstation Extension 15 SP5 (x86_64)
  * typelib-1_0-Gsf-1-1.14.50-150400.3.6.1
  * libgsf-devel-1.14.50-150400.3.6.1
  * libgsf-debugsource-1.14.50-150400.3.6.1
* SUSE Linux Enterprise Workstation Extension 15 SP5 (noarch)
  * libgsf-lang-1.14.50-150400.3.6.1

## References:

* https://www.suse.com/security/cve/CVE-2024-36474.html
* https://www.suse.com/security/cve/CVE-2024-42415.html
* https://bugzilla.suse.com/show_bug.cgi?id=1231282
* https://bugzilla.suse.com/show_bug.cgi?id=1231283



openSUSE-SU-2024:0353-1: moderate: Security update for kmail-account-wizard


openSUSE Security Update: Security update for kmail-account-wizard
_______________________________

Announcement ID: openSUSE-SU-2024:0353-1
Rating: moderate
References: #1232454
Cross-References: CVE-2024-50624
Affected Products:
openSUSE Backports SLE-15-SP5
openSUSE Backports SLE-15-SP6
_______________________________

An update that fixes one vulnerability is now available.

Description:

This update for kmail-account-wizard fixes the following issues:

- CVE-2024-50624: Fixed that plaintext HTTP was used for URLs when retrieving configuration files (boo#1232454, kde#487882)

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP6:

zypper in -t patch openSUSE-2024-353=1

- openSUSE Backports SLE-15-SP5:

zypper in -t patch openSUSE-2024-353=1

Package List:

- openSUSE Backports SLE-15-SP6 (aarch64 x86_64):

kmail-account-wizard-23.08.5-bp156.2.3.1
kmail-account-wizard-debuginfo-23.08.5-bp156.2.3.1
kmail-account-wizard-debugsource-23.08.5-bp156.2.3.1

- openSUSE Backports SLE-15-SP6 (noarch):

kmail-account-wizard-lang-23.08.5-bp156.2.3.1

- openSUSE Backports SLE-15-SP5 (aarch64 x86_64):

kmail-account-wizard-22.12.3-bp155.2.3.1

- openSUSE Backports SLE-15-SP5 (noarch):

kmail-account-wizard-lang-22.12.3-bp155.2.3.1

References:

https://www.suse.com/security/cve/CVE-2024-50624.html
https://bugzilla.suse.com/1232454



openSUSE-SU-2024:0352-1: moderate: Security update for python-jupyterlab


openSUSE Security Update: Security update for python-jupyterlab
_______________________________

Announcement ID: openSUSE-SU-2024:0352-1
Rating: moderate
References: #1229914
Cross-References: CVE-2024-43805
CVSS scores:
CVE-2024-43805 (SUSE): 7.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L

Affected Products:
openSUSE Backports SLE-15-SP5
openSUSE Backports SLE-15-SP6
_______________________________

An update that fixes one vulnerability is now available.

Description:

This update for python-jupyterlab fixes the following issues:

- Build the full package with the javascript dependencies as a new source in vendor.tar.gz.
- CVE-2024-43805: Fixed data access via malicious Markdown due to HTML injection leading to DOM clobbering (boo#1229914)

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP6:

zypper in -t patch openSUSE-2024-352=1

- openSUSE Backports SLE-15-SP5:

zypper in -t patch openSUSE-2024-352=1

Package List:

- openSUSE Backports SLE-15-SP6 (noarch):

jupyter-jupyterlab-2.2.10-bp156.3.3.1
python3-jupyterlab-2.2.10-bp156.3.3.1

- openSUSE Backports SLE-15-SP5 (noarch):

jupyter-jupyterlab-2.2.10-bp155.2.3.1
python3-jupyterlab-2.2.10-bp155.2.3.1

References:

https://www.suse.com/security/cve/CVE-2024-43805.html
https://bugzilla.suse.com/1229914



openSUSE-SU-2024:0351-1: important: Security update for python-mysql-connector-python


openSUSE Security Update: Security update for python-mysql-connector-python
_______________________________

Announcement ID: openSUSE-SU-2024:0351-1
Rating: important
References: #1231740
Cross-References: CVE-2024-21272
Affected Products:
openSUSE Backports SLE-15-SP5
_______________________________

An update that fixes one vulnerability is now available.

Description:

This update for python-mysql-connector-python fixes the following issues:

- Update to 9.1.0 (boo#1231740, CVE-2024-21272)
  - WL#16452: Bundle all installable authentication plugins when building the C-extension
  - WL#16444: Drop build support for DEB packages
  - WL#16442: Upgrade gssapi version to 1.8.3
  - WL#16411: Improve wheel metadata information for Classic and XDevAPI connectors
  - WL#16341: OpenID Connect (Oauth2 - JWT) Authentication Support
  - WL#16307: Remove Python 3.8 support
  - WL#16306: Add support for Python 3.13
  - BUG#37055435: Connection fails during the TLS negotiation when specifying TLSv1.3 ciphers
  - BUG#37013057: mysql-connector-python Parameterized query SQL injection
  - BUG#36765200: python mysql connector 8.3.0 raise %-.100s:%u when input a wrong host
  - BUG#36577957: Update charset/collation description indicate this is 16 bits
- 9.0.0:
  - WL#16350: Update dnspython version
  - WL#16318: Deprecate Cursors Prepared Raw and Named Tuple
  - WL#16284: Update the Python Protobuf version
  - WL#16283: Remove OpenTelemetry Bundled Installation
  - BUG#36664998: Packets out of order error is raised while changing user in aio
  - BUG#36611371: Update dnspython required versions to allow latest 2.6.1
  - BUG#36570707: Collation set on connect using C-Extension is ignored
  - BUG#36476195: Incorrect escaping in pure Python mode if sql_mode includes NO_BACKSLASH_ESCAPES
  - BUG#36289767: MySQLCursorBufferedRaw does not skip conversion
- 8.4.0:
  - WL#16203: GPL License Exception Update
  - WL#16173: Update allowed cipher and cipher-suite lists
  - WL#16164: Implement support for new vector data type
  - WL#16127: Remove the FIDO authentication mechanism
  - WL#16053: Support GSSAPI/Kerberos authentication on Windows using authentication_ldap_sasl_client plug-in for C-extension
  - BUG#36227964: Improve OpenTelemetry span coverage
  - BUG#36167880: Massive memory leak mysqlx native Protobuf adding to collection
- 8.3.0:
  - WL#16015: Remove use of removed COM_ commands
  - WL#15985: Support GSSAPI/Kerberos authentication on Windows using authentication_ldap_sasl_client plug-in for Pure Python
  - WL#15983: Stop using mysql_ssl_set api
  - WL#15982: Remove use of mysql_shutdown
  - WL#15950: Support query parameters for prepared statements
  - WL#15942: Improve type hints and standardize byte type handling
  - WL#15836: Split mysql and mysqlx into different packages
  - WL#15523: Support Python DB API asynchronous execution
  - BUG#35912790: Binary strings are converted when using prepared statements
  - BUG#35832148: Fix Django timezone.utc deprecation warning
  - BUG#35710145: Bad MySQLCursor.statement and result when query text contains code comments
  - BUG#21390859: STATEMENTS GET OUT OF SYNCH WITH RESULT SETS

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP5:

zypper in -t patch openSUSE-2024-351=1

Package List:

- openSUSE Backports SLE-15-SP5 (aarch64 i586 ppc64le s390x x86_64):

python3-mysql-connector-python-9.1.0-bp155.3.3.1

References:

https://www.suse.com/security/cve/CVE-2024-21272.html
https://bugzilla.suse.com/1231740