
A liferea security update has been released for SUSE Linux Enterprise 15 SP4.



openSUSE-SU-2023:0096-1: important: Security update for liferea


openSUSE Security Update: Security update for liferea
______________________________________________________________________________

Announcement ID: openSUSE-SU-2023:0096-1
Rating: important
References: #1193579 #1209190
Cross-References: CVE-2023-1350
CVSS scores:
CVE-2023-1350 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2023-1350 (SUSE): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products:
openSUSE Backports SLE-15-SP4
______________________________________________________________________________

An update that solves one vulnerability and has one errata
is now available.

Description:

liferea was updated to version 1.14.1:

+ Fix CVE-2023-1350 - Remote code execution on feed enrichment
(boo#1209190).

Update to version 1.14.0:

+ New 'Reader mode' preference that allows stripping all web content
+ Implement support for WebKit's Intelligent Tracking Protection
+ New progress bar when loading websites
+ YouTube videos from media:video can be embedded now with a click on the
video preview picture.
+ Changes to UserAgent handling: same UA is now used for both feed
fetching and internal browsing.
+ New view mode 'Automatic' which switches between 'Normal' and 'Wide'
mode based on the window proportions.
+ Liferea now supports the new GTK dark theme logic, where in the
GTK/GNOME preferences you define whether you "prefer" dark mode or light
mode
+ Favicon discovery improvements: now detects all types of Apple Touch
Icons, MS Tile Images and Safari Mask Icons
+ Increase size of stored favicons to 128x128px to improve icon quality in
3-pane wide view.
+ Make several plugins support gettext
+ Allow multiple feeds in same libnotify notification
+ Redesign of the update message in the status bar. It now shows an update
counter of the feeds being in update.
+ You can now export a feed to XML file
+ Added an option to show news bins in reduced feed list
+ Added menu option to send item per mail
+ Default to https:// instead of http:// when user doesn't provide
protocol on subscribing feed
+ Implement support for subscribing to LD+Json metadata listings e.g.
concert or theater event listings
+ Implement support for subscribing to HTML5 websites
+ Support for media:description field of YouTube feeds
+ Improve HTML5 extraction: extract main tag if it exists and no article
was found.
+ Execute feed pipe/filter commands asynchronously
+ Better explanation of feed update errors.
+ Added generic Google Reader API support (allows using FeedHQ, FreshRSS,
Miniflux...)
+ Now allow converting TinyTinyRSS subscriptions to local subscriptions
+ New search folder rule to match podcasts
+ New search folder rule to match headline authors
+ New search folder rule to match subscription source
+ New search folder rule to match parent folder name
+ New search folder property that allows hiding read items
+ Now search folders are automatically rebuilt when rules are changed
+ Added new plugin 'add-bookmark-site' that allows configuring a custom
bookmarking site.
+ Added new plugin 'getfocus' that adds transparency on the feed list when
it is not focussed.
+ Trayicon plugin has now a configuration option to change the behaviour
when closing Liferea.
+ Trayicon plugin has now an option to disable minimizing to tray
+ New hot key Ctrl-D for 'Open in External Browser'
+ New hot key F10 for headerbar plugin to allow triggering the hamburger
menu
+ New hot key Ctrl-0 to reset zoom
+ New hot key Ctrl-O to open enclosures
+ Fix hidden panes, Liferea will never allow the panes to be smaller than
5% in height or width
+ Wait for network to be fully available before updating
+ 2-pane mode was removed
+ Dropped CDF channel support
+ Dropped Atom 0.2/0.3 (aka Pie) support
+ Dropped blogChannel namespace support
+ Dropped photo namespace support

- Require python3-cairo; needed for tray icon (boo#1193579).

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP4:

zypper in -t patch openSUSE-2023-96=1


Package List:

- openSUSE Backports SLE-15-SP4 (aarch64 i586 ppc64le s390x x86_64):

liferea-1.14.1-bp154.2.3.1
liferea-debuginfo-1.14.1-bp154.2.3.1
liferea-debugsource-1.14.1-bp154.2.3.1

- openSUSE Backports SLE-15-SP4 (noarch):

liferea-lang-1.14.1-bp154.2.3.1

References:

  https://www.suse.com/security/cve/CVE-2023-1350.html
  https://bugzilla.suse.com/1193579
  https://bugzilla.suse.com/1209190