An mc security update has been released for SUSE Linux Enterprise 15 SP3.



openSUSE-SU-2022:0061-1: moderate: Security update for mc


openSUSE Security Update: Security update for mc
______________________________________________________________________________

Announcement ID: openSUSE-SU-2022:0061-1
Rating: moderate
References: #1190180
Cross-References: CVE-2021-36370
CVSS scores:
CVE-2021-36370 (SUSE): 4.6 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Affected Products:
openSUSE Backports SLE-15-SP3
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for mc fixes the following issues:

Midnight Commander 4.8.27:

* Core

- Reimplement version detection (#3603, #4249)
- Significantly reduce rebuild time after version change (#2252, #4266)
- Drop automatic migration of configuration from ~/.mc to XDG-based
directories (#3682)
- zsh: support custom configuration file: ~/.local/share/mc/.zshrc
(#4203)
- Widgets: implement WST_VISIBLE state to show/hide widgets (#2919)
- Find File: add Follow symlinks option (#2020)

* VFS

- extfs: support unrar-6 (#4154)
- extfs: support official 7z binary (7zz) (#4239)
- ftpfs: apply file list parser from lftp project (#2841, #3174)

* Editor

- Word completion: get candidates from all open files (#4160)
- etags: get rid of hardcoded list length and window width (#4132)
- Update syntax files:
  - python (#4140)
- Add syntax highlighting:
  - Verilog and SystemVerilog header files (#4215)
  - JSON (#4250)
  - openrc-run scripts (#4246)

* Misc

- Filehighlight of c++ and h++ files as sources (#4194)
- Filehighlight of JSON files as documents (#4250)
- Support of alacritty terminal emulator
(https://github.com/alacritty/alacritty) (#4248)
- Support of foot terminal emulator (https://codeberg.org/dnkl/foot)
(#4251)
- Support of (alt+)shift+arrow keys in st terminal emulator
(st.suckless.org) (#4267)
- Mouse support in screen: don't check variable (#4233)
- mc.ext: support fb2 e-books (#4167)
- ext.d: use mediainfo to view info about various media files (#4167)
- Remove OS/distro-specific package-related stuff from source tree
(#4217)

* Fixes

- FTBFS against NCurses on OS X 10.9.5 (#4181)
- Segfault on dialog before panels get visible (#4244)
- Crash if shadow is out of screen (build against NCurses) (#4192)
- Crash in search (#4222)
- Crash on startup with enabled subshell in FreeBSD (workaround) (#4213)
- Hang on start randomly with zsh as subshell (#4198)
- If command line is invisible it's partially displayed (#4182)
- Broken handling of zip archives (#4180, #4183)
- Broken handling of jar files as zip archives (#4223)
- Timestamps of symlinks, sockets, fifos, etc are not preserved after
copy/move (#3985)
- %view action in the user menu doesn't work on no-exec filesystem
(#4242)
- Hardlinks are not colored by file type or extension (#3375)
- mcedit: silent macro makes terminal disrupted (#4171)
- mcedit: disrupting of TAGS file path (#4207)
- vfs: unable to browse compressed tar archives (#4191)
- sftpfs vfs: CVE-2021-36370: server fingerprint isn't verified
(discovered by AUT-milCERT during an audit of open source software)
(#4259)
- ftpfs vfs: month of file is always January (#4260)
- Tests: log files are written by libcheck and automake simultaneously
(#3986)

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP3:

zypper in -t patch openSUSE-2022-61=1


Package List:

- openSUSE Backports SLE-15-SP3 (aarch64 i586 ppc64le s390x x86_64):

mc-4.8.27-bp153.2.3.1

- openSUSE Backports SLE-15-SP3 (noarch):

mc-lang-4.8.27-bp153.2.3.1
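
To confirm that the patch actually landed, the following check compares an installed mc version-release against the fixed build from the package list. It is an added example, not part of the SUSE advisory; the function names and the inventory lines are constructed for illustration, and `sort -V` is assumed to be an adequate stand-in for RPM's own version comparison.

```shell
#!/bin/sh
# Added example, not part of the advisory.
FIXED_EVR="4.8.27-bp153.2.3.1"   # fixed build, from the package list above

# Succeeds when version-release $1 is at or above FIXED_EVR.
# Assumption: `sort -V` ordering stands in for RPM's own comparison, which is
# adequate for these dotted numeric strings but is not a full rpmvercmp.
mc_is_patched() {
    [ -n "$1" ] || return 2
    lowest=$(printf '%s\n%s\n' "$FIXED_EVR" "$1" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED_EVR" ]
}

# Reads "host version-release" lines on stdin and prints one verdict per host.
audit() {
    while read -r host evr; do
        if [ -z "$host" ]; then
            continue
        elif [ -z "$evr" ] || [ "$evr" = "not-installed" ]; then
            echo "$host not-installed"
        elif mc_is_patched "$evr"; then
            echo "$host patched"
        else
            echo "$host VULNERABLE $evr"
        fi
    done
}

# Version-release of the local mc package, or "not-installed".
local_evr() {
    if evr_out=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' mc 2>/dev/null); then
        echo "$evr_out"
    else
        echo not-installed
    fi
}

# Constructed inventory: host names and the pre-fix release strings are made up.
sample_inventory() {
    cat <<'EOF'
web01 4.8.27-bp153.2.3.1
build02 4.8.26-bp153.1.1
legacy03 4.8.9-1.1
jump04 not-installed
EOF
}

sample_inventory | audit
```

On a real host, `echo "$(hostname) $(local_evr)" | audit` produces the same verdict line; the legacy03 row shows why a plain string comparison is not enough, since 4.8.9 sorts above 4.8.27 lexically.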

References:

  https://www.suse.com/security/cve/CVE-2021-36370.html
  https://bugzilla.suse.com/1190180