A minetest security update has been released for SUSE Linux Enterprise 15 SP3 and SP4.

openSUSE-SU-2023:0001-1: important: Security update for minetest

openSUSE Security Update: Security update for minetest
______________________________________________________________________________

Announcement ID: openSUSE-SU-2023:0001-1
Rating: important
References: #1181400 #1193141 #1202423
Cross-References: CVE-2022-35978
CVSS scores:
CVE-2022-35978 (NVD) : 10 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Affected Products:
openSUSE Backports SLE-15-SP3
openSUSE Backports SLE-15-SP4
______________________________________________________________________________

An update that solves one vulnerability and has two fixes
is now available.

Description:

This update for minetest fixes the following issues:

Update to version 5.6.0

* Fix CVE-2022-35978 ( boo#1202423 ): Mod scripts can escape sandbox in
single player mode
* `name` in game.conf is deprecated for the game title, use `title`
instead
* Add depth sorting for node faces
* Various bug fixes
* Full changes:   https://dev.minetest.net/Changelog#5.5.0_.E2.86.92_5.6.0

- Introduced mbranch-protection=none CXX flag to resolve boo#1193141
(aarch64).

Update to version 5.5.0 & 5.5.1:

* Full log for version 5.5.0:
  https://dev.minetest.net/Changelog#5.4.0_.E2.86.92_5.5.0
* This release switches from Irrlicht to our own fork called IrrlichtMt.
* Full log for version 5.5.1:
  https://dev.minetest.net/Changelog#5.5.0_.E2.86.92_5.5.1
* This is a maintenance release based on 5.5.0, it contains bugfixes but
no new features.

- Added hardening to systemd service(s) (boo#1181400).

- Update to version 5.4.1:
* This is a maintenance release based on 5.4.0, it contains bugfixes but
no new features.

- Update to version 5.4.0
* Full log:   https://dev.minetest.net/Changelog#5.3.0_.E2.86.92_5.4.0
* Removed support for bumpmapping, generated normal maps and parallax
occlusion
* By default, the crosshair will now change to an "X" when pointing to
objects
* Prevent players accessing inventories of other players
* Prevent interacting with items out of the hotbar
* Prevent players from being able to modify ItemStack meta

- Update to version 5.3.0. (see
  https://dev.minetest.net/Changelog#5.2.0_.E2.86.92_5.3.0)
* Formspec improvements, including a scrolling GUI element
* Performance improvements to the Server and API
* Many bug fixes and small features
- Now requires desktop-file-utils version >= 0.25.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP4:

zypper in -t patch openSUSE-2023-1=1

- openSUSE Backports SLE-15-SP3:

zypper in -t patch openSUSE-2023-1=1


Package List:

- openSUSE Backports SLE-15-SP4 (aarch64 ppc64le s390x x86_64):

minetest-5.6.0-bp154.2.3.5
minetest-debuginfo-5.6.0-bp154.2.3.5
minetest-debugsource-5.6.0-bp154.2.3.5
minetestserver-5.6.0-bp154.2.3.5
minetestserver-debuginfo-5.6.0-bp154.2.3.5

- openSUSE Backports SLE-15-SP4 (noarch):

minetest-data-5.6.0-bp154.2.3.5
minetest-lang-5.6.0-bp154.2.3.5

- openSUSE Backports SLE-15-SP3 (aarch64 ppc64le s390x x86_64):

minetest-5.6.0-bp153.2.3.1
minetestserver-5.6.0-bp153.2.3.1

- openSUSE Backports SLE-15-SP3 (noarch):

minetest-data-5.6.0-bp153.2.3.1
minetest-lang-5.6.0-bp153.2.3.1

References:

  https://www.suse.com/security/cve/CVE-2022-35978.html
  https://bugzilla.suse.com/1181400
  https://bugzilla.suse.com/1193141
  https://bugzilla.suse.com/1202423