CVE-2024-22038 (GCVE-0-2024-22038)
Vulnerability from cvelistv5 – Published: 2024-11-28 09:38 – Updated: 2024-11-28 12:15
Title
DoS attacks, information leaks etc. with crafted Git repositories in obs-scm-bridge
Summary
Various problems in obs-scm-bridge allow attackers who create specially crafted git repositories to leak information or cause denial of service.
Severity ?
CWE
- CWE-59 - Improper Link Resolution Before File Access ('Link Following')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| SUSE | openSUSE Factory | Affected: 0, < 0.5.2 (semver) |
Date Public ?
2024-11-14 10:32
Credits
Matthias Gerstner of SUSE
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-22038",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-28T12:09:30.908633Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-28T12:15:16.693Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "obs-scm-bridge",
"product": "openSUSE Factory",
"vendor": "SUSE",
"versions": [
{
"lessThan": "0.5.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Matthias Gerstner of SUSE"
}
],
"datePublic": "2024-11-14T10:32:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Various problems in obs-scm-bridge allows attackers that create specially crafted git repositories to leak information of cause denial of service.\u003cbr\u003e"
}
],
"value": "Various problems in obs-scm-bridge allows attackers that create specially crafted git repositories to leak information of cause denial of service."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-59",
"description": "CWE-59 Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-28T09:38:03.449Z",
"orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
"shortName": "suse"
},
"references": [
{
"url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2024-22038"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "DoS attacks, information leaks etc. with crafted Git repositories in obs-scm-bridge",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
"assignerShortName": "suse",
"cveId": "CVE-2024-22038",
"datePublished": "2024-11-28T09:38:03.449Z",
"dateReserved": "2024-01-04T12:38:34.026Z",
"dateUpdated": "2024-11-28T12:15:16.693Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"descriptions": "[{\"lang\": \"en\", \"value\": \"Various problems in obs-scm-bridge allows attackers that create specially crafted git repositories to leak information of cause denial of service.\"}, {\"lang\": \"es\", \"value\": \"Varios problemas en obs-scm-bridge permiten a atacantes que crean repositorios git especialmente manipulados filtrar informaci\\u00f3n o provocar una denegaci\\u00f3n de servicio.\"}]",
"id": "CVE-2024-22038",
"lastModified": "2024-11-28T10:15:07.567",
"metrics": "{\"cvssMetricV40\": [{\"source\": \"meissner@suse.de\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"4.0\", \"vectorString\": \"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\", \"baseScore\": 6.8, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"ACTIVE\", \"vulnerableSystemConfidentiality\": \"LOW\", \"vulnerableSystemIntegrity\": \"HIGH\", \"vulnerableSystemAvailability\": \"HIGH\", \"subsequentSystemConfidentiality\": \"NONE\", \"subsequentSystemIntegrity\": \"NONE\", \"subsequentSystemAvailability\": \"NONE\", \"exploitMaturity\": \"NOT_DEFINED\", \"confidentialityRequirements\": \"NOT_DEFINED\", \"integrityRequirements\": \"NOT_DEFINED\", \"availabilityRequirements\": \"NOT_DEFINED\", \"modifiedAttackVector\": \"NOT_DEFINED\", \"modifiedAttackComplexity\": \"NOT_DEFINED\", \"modifiedAttackRequirements\": \"NOT_DEFINED\", \"modifiedPrivilegesRequired\": \"NOT_DEFINED\", \"modifiedUserInteraction\": \"NOT_DEFINED\", \"modifiedVulnerableSystemConfidentiality\": \"NOT_DEFINED\", \"modifiedVulnerableSystemIntegrity\": \"NOT_DEFINED\", \"modifiedVulnerableSystemAvailability\": \"NOT_DEFINED\", \"modifiedSubsequentSystemConfidentiality\": \"NOT_DEFINED\", \"modifiedSubsequentSystemIntegrity\": \"NOT_DEFINED\", \"modifiedSubsequentSystemAvailability\": \"NOT_DEFINED\", \"safety\": \"NOT_DEFINED\", \"automatable\": \"NOT_DEFINED\", \"recovery\": \"NOT_DEFINED\", \"valueDensity\": \"NOT_DEFINED\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\"}}], \"cvssMetricV31\": [{\"source\": \"meissner@suse.de\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H\", \"baseScore\": 7.3, 
\"baseSeverity\": \"HIGH\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 5.5}]}",
"published": "2024-11-28T10:15:07.567",
"references": "[{\"url\": \"https://bugzilla.suse.com/show_bug.cgi?id=CVE-2024-22038\", \"source\": \"meissner@suse.de\"}]",
"sourceIdentifier": "meissner@suse.de",
"vulnStatus": "Awaiting Analysis",
"weaknesses": "[{\"source\": \"meissner@suse.de\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-59\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-22038\",\"sourceIdentifier\":\"meissner@suse.de\",\"published\":\"2024-11-28T10:15:07.567\",\"lastModified\":\"2024-11-28T10:15:07.567\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Various problems in obs-scm-bridge allows attackers that create specially crafted git repositories to leak information of cause denial of service.\"},{\"lang\":\"es\",\"value\":\"Varios problemas en obs-scm-bridge permiten a atacantes que crean repositorios git especialmente manipulados filtrar informaci\u00f3n o provocar una denegaci\u00f3n de servicio.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"meissner@suse.de\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":6.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"ACTIVE\",\"vulnConfidentialityImpact\":\"LOW\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFIN
ED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"meissner@suse.de\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H\",\"baseScore\":7.3,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.5}]},\"weaknesses\":[{\"source\":\"meissner@suse.de\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-59\"}]}],\"references\":[{\"url\":\"https://bugzilla.suse.com/show_bug.cgi?id=CVE-2024-22038\",\"source\":\"meissner@suse.de\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-22038\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-11-28T12:09:30.908633Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-11-28T12:09:33.307Z\"}}], \"cna\": {\"title\": \"DoS attacks, information leaks etc. with crafted Git repositories in obs-scm-bridge\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Matthias Gerstner of SUSE\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.3, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}, {\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 6.8, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"ACTIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", 
\"vulnConfidentialityImpact\": \"LOW\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"SUSE\", \"product\": \"openSUSE Factory\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"0.5.2\", \"versionType\": \"semver\"}], \"packageName\": \"obs-scm-bridge\", \"defaultStatus\": \"unaffected\"}], \"datePublic\": \"2024-11-14T10:32:00.000Z\", \"references\": [{\"url\": \"https://bugzilla.suse.com/show_bug.cgi?id=CVE-2024-22038\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Various problems in obs-scm-bridge allows attackers that create specially crafted git repositories to leak information of cause denial of service.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Various problems in obs-scm-bridge allows attackers that create specially crafted git repositories to leak information of cause denial of service.\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-59\", \"description\": \"CWE-59 Improper Link Resolution Before File Access (\u0027Link Following\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"404e59f5-483d-4b8a-8e7a-e67604dd8afb\", \"shortName\": \"suse\", \"dateUpdated\": \"2024-11-28T09:38:03.449Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-22038\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-11-28T12:15:16.693Z\", \"dateReserved\": \"2024-01-04T12:38:34.026Z\", \"assignerOrgId\": \"404e59f5-483d-4b8a-8e7a-e67604dd8afb\", \"datePublished\": \"2024-11-28T09:38:03.449Z\", \"assignerShortName\": \"suse\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
OPENSUSE-SU-2026:20361-1
Vulnerability from csaf_opensuse - Published: 2026-03-12 20:54 - Updated: 2026-03-12 20:54
Summary
Security update for osc, obs-scm-bridge
Notes
Title of the patch
Security update for osc, obs-scm-bridge
Description of the patch
This update for osc, obs-scm-bridge fixes the following issues:
Changes in osc:
- 1.24.0
- Command-line:
- Add '--target-owner' option to 'git-obs repo fork' command
- Add '--self' parameter to fix 'no matching parent repo' error message in 'git-obs pr create'
- Fix 'osc aggregatepac' for scmsync packages
- Fix 'osc build' to retrieve buildconfig from git package's cache
- Fix 'osc token' error handling for project wide trigger
- Fix string formatting for id in obs-request.xml in 'git-obs pr dump'
- Library:
- Consolidate build types in build.py and commandline.py
- Fix build.get_build_type() by comparing binary_type only if specified
- Make use of queryconfig tool configurable and consistent
- Fix how get_request_collection() filters the projects and packages
- Support copying packages from an scmsync source, when target exists
- Add timestamps to the DEBUG output
- Update new project template
- 1.23.0
- Command-line:
- Add '--target-owner' option to 'git-obs pr create' to specify the target owner explicitly
- Add '--target-branch' option to 'git-obs staging search' command
- Added 'git-obs staging search' command to find project PRs with referenced package PRs that have all been approved
- Change 'git-obs pr dump' to produce directories that match the specified pull request IDs
- Change 'git-obs pr dump' to write STATUS file
- Properly error out on invalid 'PR:' references in 'git-obs pr dump'
- Fix 'git-obs pr create' when the source repo is not a fork
- Fix 'git-obs api' command when server returns 'null'
- Fix 'osc build --alternative-project=...' when there's no .osc in the current directory
- Fix argument and store handling in 'osc results' command
- Library:
- Add Manifest.get_package_paths() method that lists all paths to existing packages in a project
- Fix Manifest class to handle loading empty YAML files or strings
- Fix working with meta during git rebase by determining the current branch from rebase head
- Fix handling local branch when fetching remote
- Move get_label_ids() from PullRequest to Repo class
- Change GitStore not to require apiurl anymore
- Fix storing last_buildroot for git packages
- Store the last buildroot only if there's a store detected
- Fix BuildRoot so it acts as a tuple and the individual values are accessible via indexes
- Make PullReqest.parse_id() more permissive by accepting trailing whitespaces
- Fix 'missingok' argument in server_diff()
- Fix gitea_api.PullRequest ordering methods
- Add return to gitea_api.Branch.list()
- PKGBUILD changes
* Remove redundant packages from makedepends. If a package depends
on something, it implicitly makedepends on it as well
* Add python-ruamel-yaml dependency
* Build and install man pages
* Add python-argparse-manpage and python-sphinx to makedepends for
building man pages
* Add check() to run the test suite
* Add checkdepends for test suite dependencies
* Add optdepends as an equivalent to RPM's Recommends, making it
easier for users to find packages needed for optional features
* Use $pkgname variable across the script
* Install shell completion files
* Bump pkgrel
- 1.22.0
- Command-line:
- Add 'git-obs staging' commands
- Add '--gitea-fork-org' option to 'osc fork' command
- Add '--git-branch' option to 'osc fork' command
- Add 'DELETE' to 'git-obs api' allowed methods
- Add commit messages as commented lines to the template in 'git-obs pr create'
- Add filtering by label to 'git-obs pr list'
- Properly handle fork mismatch in 'osc fork'
- Change 'osc build' to build from any git repo if '--alternative-project' is specified
- Fix 'osc service' for git based packages
- Fix 'git-obs pr dump' to skip the dump if the target has the same updated_at timestamp as the pull request in Gitea
- Fix 'git-obs pr dump' to do case insensitive check on owner and repo
- Fix retrieving 'arch' argument in 'osc buildlog'
- Library:
- Add 'status' to the output of gitea_api.Git.get_submodules()
- Add 'remote' argument to gitea_api.Repo.clone_or_update()
- Add gitea_api.common.TemporaryDirectory class that supports 'delete' argument on python 3.6+
- Add gitea_api.GitDiffGenerator class for creating submodule diffs without a git checkout
- Add 'depth' argument to gitea_api.Repo.clone() and clone_or_update()
- Add gitea_api.StagingPullRequestWrapper class for handling staging
- Add gitea_api.PullRequest.get_host_owner_repo_number() method
- Make GitObsCommand.add_argument_owner_repo() and add_argument_owner_repo_pull() reusable by allowing setting 'dest' argument
- Warn if the git package doesn't have the same branch as the parent project
- Extend gitea_api.PullRequest with methods that work with 'PR:' references
- Support setting labels in gitea_api.PullRequest.create()
- Fix gitea_api to use pagination instead of limit -1 everywhere
- Remove duplicate, unused PullRequestReview class from gitea_api.pr
- Move clone_or_update() from 'git-obs pr dump' command to gitea_api.Repo
- Change gitea_api.Repo.clone_or_update() to take 'ssh_private_key_path' argument
- Improve performance of gitea_api.IssueTimelineEntry by listing and caching requests instead of fetching them one by one
- Make GitObsCommand.add_argument_owner_repo() and add_argument_owner_repo_pull() reusable by allowing setting 'help' argument
- Change gitea_api.Repo.clone() to stop borrowing objects when 'reference' or 'reference_if_able' is used
- Fix the resulting dictionary in gitea_api.PullRequest._get_label_ids()
- Make gitea_api.RepoExists exception more helpful by giving a hint to fork under a different name
- Use server_diff() instead of server_diff_noex() to exit with a non-zero return code
- Return preinstallimage.info and allow podman to use preinstallimage
- 1.21.0
- Command-line:
- Modify osc subcommands to error out if they don't work with git
- Add 'git-obs meta' commands for managing the local metadata
- Add 'git-obs meta info' command for printing resolved metadata about the current checkout
- Add -b/--branch option to 'git-obs repo clone' command
- Add 'git-obs pr dump' command to store pull request information on disk
- Add 'git-obs --quiet' option (that mutes printing gitea settings now)
- Automatically pull meta after 'git-obs repo clone'
- Change 'git-obs pr review interactive' to write 'merge ok' comment instead of scheduling a merge
- Mute stderr when creating a worktree in 'git-obs pr review interactive'
- Change 'git-obs -G' to accept url to select a gitea login entry
- Support substitutions in 'osc build --root'
- Fix crash in 'osc build' when 'build_repositories' in store was None
- Fix filtering by reviewers in 'git-obs pr list'
- Update 'osc rq show' command to include history comments in verbose mode
- Library:
- Refactor GitStore
- Migrate git_scm.Store over to gitea_api.Git
- Store buildinfo and buildconfig files in GitStore's cache instead directly in the repo
- Move code from 'git-obs meta pull' command to GitStore.pull()
- Improve GitStore.pull() to support reading project from project.build
- Rephrase the error message about detached HEAD in GitStore
- Improve GitStore's error messages by adding instructions on how to fix missing metadata
- Be more permissive when loading parent project_store in GitStore
- Fix loading _manifest in a project git
- Fix git store to check if all the required fields are present
- Derive package name from topdir if a package is part of a project checkout
- Change 'git-obs pr review interactive' to run pager process as a context manager
- Change obs_api.TarDiff to spawn a process extracting archives as a context manager
- Change 'commit' argument in gitea_api.Git.reset() to optional
- Add gitea_api.Git.get_owner_repo_from_url() staticmethod
- Add gitea_api.Git.urljoin() static method
- Fix gitea_api.Git.get_branch_head() to raise a proper exception if the HEAD cannot be retrieved
- Fix gitea_api.Git to work with the current remote instead of 'origin'
- Fix get_store() to throw the exception from git store if .osc directory is not present
- Introduce GitObsRuntimeError exception and use it where appropriate
- Fix tardiff by removing directories with shutil.rmtree() and files by os.unlink()
- Add 'quiet' option to gitea_api.Git.switch()
- Mute stderr in git_obs.Git.lfs_cat_file()
- Treat None flavor as "" in multibuild resolve
- Make Token.triggered_at optional as it's not available in the officially released OBS code
- Add BaseModel.from_string() and BaseModel.to_string() methods
- Add BaseModel.from_file() and BaseModel.to_file() methods
- Fix BaseModel to initialize from a dictionary via __init__ instead of setattr
- Docs:
- Update docs for the new git metadata store
- Update list of recommended gitea permissions in git-obs-quickstart
- Spec:
- Install git-obs-metadata man page
- 1.20.0
- Command-line:
- Fix 'osc fork' command to use the right tracking branch
- Fix 'osc blt' command by checking if the working copy is a package
- Make 'osc buildlog' work outside of osc package directory
- Add 'git-obs pr close' and 'git-obs pr reopen' commands
- Add 'close' option to 'git-obs pr review interactive'
- Change 'git-obs pr review interactive' to work with all archives, not only those in Git LFS
- Fix checkout of the base branch in 'git-obs pr review interactive' command
- Library:
- Support _manifest file in git store
- Allow pull request IDs in '<owner>/<repo>!<number>' format
- Properly handle deleted users and teams in the git-obs timeline
- Handle situations when there's 'None' among timeline entries
- Skip binary files in gitea_api.PullRequest.get_patch()
- Change get_user_input(), add support for vertically printed list of answers
- Spec:
- Provide git-obs
- 1.19.1
- Command-line:
- Use OSC_PACKAGE_CACHE_DIR env var instead of deprecated OSC_PACKAGECACHEDIR
- Connection:
- Check for both upper and lowercase versions of HTTP_PROXY and HTTPS_PROXY env vars
- Library:
- Add 'trackingbranch' field to ScmsyncObsinfo model
- Revert "Return None if GitStore cannot determine apiurl"
- Throw a proper exception when 'apiurl' argument of 'makeurl()' is empty
- Move code setting apiurl from store to 'osc.conf.get_config()'
- Simplify 'osc.commandline.Osc.get_api_url()' to return the value from 'self.options'
- Remove 'osc.commandline.Osc.post_argparse()' because it's no longer used
- Fix unit tests to use the new code path to run osc
- Fix osc.gitea_api.dt_sanitize() by replacing dateutil with datetime
- 1.19.0
- Command-line:
- Add 'git-obs pr cancel-scheduled-merge' command
- Add timeline to 'git-obs pr review interactive'
- Add '--timeline' option to 'git-obs pr get'
- Fix 'git-obs pr search' by using pagination to retrieve all results
- Extend '--message' option in git-obs subcommands with the '-m' short option
- Add a different message for scheduled merges in 'git-obs pr merge' command
- Library:
- Add 'conn' parameter to gitea_api.common.GiteaModel
- Add gitea_api.Connection.scheme attribute
- Add gitea_api.PullRequest.merge_commit property
- Add gitea_api.PullRequest.get_owner_repo_number()
- Add gitea_api.common.dt_sanitize() for sanitizing datetime strings
- Handle missing head repo in the PullRequest properties
- Return None if GitStore cannot determine apiurl
- Remove extra newline from store files
- Fix the 'Move remaining imports in osc.babysitter into try-except block' change by preserving the order of handling the exceptions
- Spec:
- Use primary_python to define runtime requires matching the shebang lines
- Provide %{use_python_pkg}-osc for all pythons and python3-osc for primary_python
- Add conflict with obs-scm-bridge < 0.7.3
- 1.18.0
- Command-line:
- Add 'git-obs pr comment [--message=...]' command
- Add 'git-obs pr show-patch' command
- Add '--reviewer' option to 'git-obs pr review {approve,decline,interactive}' to support group reviews via group review bot
- Update 'git-obs pr review interactive' to return non-zero return codes for 'exit' and 'skip' actions
- Make 'osc results --show-excluded' work in a project context
- Add '--no-pager' global option
- Fix 'osc fork' by copying whole query part to the new scmsync url
- Fix 'osc buildinfo' for git packages by handing the 'build_repositories' files by store objects
- Fix crash in 'git-obs pr get --patch'
- Fix git-obs to exit with 130 on keyboard interrupt
- Fix --sccache help typo in 'osc build' command
- Connection:
- Don't retry requests on 504 Gateway Timeout
- Library:
- If a devel project is not specified, try reading it from a mapping from URL set in OBS:GitDevelProjectMap project attribute
- Improve detection of packages and projects in git
- scmsync_obsinfo: Pass correct revision to obs-scm-bridge
- Add obs_api.Request.search() method
- Raise an exception if obs-scm-bridge fails
- Fix obs_scm.Package.get_pulled_srcmd5() returning an empty string
- Fix git store to support non-default remote
- Extend 'gitea_api.User.get()' to take 'username' parameter
- Move get_editor() and related functions from command-line module to gitea_api.common
- Migrate subcommands from using Store() to get_store() that is git aware
- Make imports lazy to improve osc load times
Changes in obs-scm-bridge:
- use the system default python version (boo#1247410)
- 0.7.4
* syntax fix
- 0.7.3
* fix .gitsubmodule parser to handle space and tabs mixed
- package /etc/obs/service directories
- 0.7.2
* Improved error reporting of invalid files in package subdirs
* Introducing a mechanic to limit asset handling
- 0.7.1
* export trackingbranch to scmsync.obsinfo
- 0.7.0
* supporting _manifest file as successor of _subdirs
* record configured branch of submodules in package scmsync url
* stay on the configured branch of a submodule on checkout
- 0.6.3
* Allow ssh:// scm urls as used by osc
* project mode: avoid unnecessary changes in package meta url
* code cleanup
- fix dependency (it is python3-PyYAML)
- fix missing dependency to PyYAML
- 0.6.2
* Make project mode always look for _config in the top dir, also
when using subdirs.
- 0.6.1
* new noobsinfo query parameter
(can be used to hide git informations in sources, binaries
won't contain them either then).
- 0.6.0
* project mode: switching to track package sources using
git sha sums instead of md5sum via download_assets
- 0.5.4
* fixed support of subdir parameter usage on project level
* Fix handling of projectscmsync in the package xml writers
- 0.5.3
* Switch to ssh url when using the bridge via osc
- 0.5.2
* Don't overwrite files from git, but complain instead with
an error. For example _scmsync.obsinfo file must not be part
of the git tree. boo#1230469 CVE-2024-22038
- 0.5.1
* Don't generate _scmsync.obsinfo outside of OBS source server
import use case (eg. no more for osc co)
* Enforce python 3.11 requirement
* Fix export of _scmsync.obsinfo in project mode
* Fix submodule detection
* EXPERIMENTAL: support multiple package subdirs via _subdirs
file. This syntax will change!
(not documented on purpose therefore atm)
* Using git credential manager
* Report some errors as transient, so that OBS can re-try
Patchnames
openSUSE-Leap-16.0-packagehub-162
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for osc, obs-scm-bridge",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for osc, obs-scm-bridge fixes the following issues:\n\nChanges in osc:\n\n- 1.24.0\n - Command-line:\n - Add \u0027--target-owner\u0027 option to \u0027git-obs repo fork\u0027 command\n - Add \u0027--self\u0027 parameter to fix \u0027no matching parent repo\u0027 error message in \u0027git-obs pr create\u0027\n - Fix \u0027osc aggregatepac\u0027 for scmsync packages\n - Fix \u0027osc build\u0027 to retrieve buildconfig from git package\u0027s cache\n - Fix \u0027osc token\u0027 error handling for project wide trigger\n - Fix string formatting for id in obs-request.xml in \u0027git-obs pr dump\u0027\n - Library:\n - Consolidate build types in build.py and commandline.py\n - Fix build.get_build_type() by comparing binary_type only if specified\n - Make use of queryconfig tool configurable and consistent\n - Fix how get_request_collection() filters the projects and packages\n - Support copying packages from an scmsync source, when target exists\n - Add timestamps to the DEBUG output\n - Update new project template\n\n- 1.23.0\n - Command-line:\n - Add \u0027--target-owner\u0027 option to \u0027git-obs pr create\u0027 to specify the target owner explicitly\n - Add \u0027--target-branch\u0027 option to \u0027git-obs staging search\u0027 command\n - Added \u0027git-obs staging search\u0027 command to find project PRs with referenced package PRs that have all been approved\n - Change \u0027git-obs pr dump\u0027 to produce directories that match the specified pull request IDs\n - Change \u0027git-obs pr dump\u0027 to write STATUS file\n - Properly error out on invalid \u0027PR:\u0027 references in \u0027git-obs pr dump\u0027\n - Fix \u0027git-obs pr create\u0027 when the source repo is not a fork\n - Fix \u0027git-obs api\u0027 command when server returns \u0027null\u0027\n - Fix \u0027osc build --alternative-project=...\u0027 when there\u0027s no .osc in the current directory\n - Fix argument and store handling in \u0027osc results\u0027 command\n - 
Library:\n - Add Manifest.get_package_paths() method that lists all paths to existings packages in a project\n - Fix Manifest class to handle loading empty YAML files or strings\n - Fix working with meta during git rebase by determining the current branch from rebase head\n - Fix handling local branch when fetching remote\n - Move get_label_ids() from PullRequest to Repo class\n - Change GitStore not to require apiurl anymore\n - Fix storing last_buildroot for git packages\n - Store the last buildroot only if there\u0027s a store detected\n - Fix BuildRoot so it acts as a tuple and the individual values are accessible via indexes\n - Make PullReqest.parse_id() more permissive by accepting trailing whitespaces\n - Fix \u0027missingok\u0027 argument in server_diff()\n - Fix gitea_api.PullRequest ordering methods\n - Add return to gitea_api.Branch.list()\n\n- PKGBUILD changes\n * Remove redundant packages from makedepends. If a package depends\n on something, it implicitly makedepends on it as well\n * Add python-ruamel-yaml dependency\n * Build and install man pages\n * Add python-argparse-manpage and python-sphinx to makedepends for\n building man pages\n * Add check() to run the test suite\n * Add checkdepends for test suite dependencies\n * Add optdepends as an equivalent to RPM\u0027s Recommends, making it\n easier for users to find packages needed for optional features\n * Use $pkgname variable across the script\n * Install shell completion files\n * Bump pkgrel\n\n- 1.22.0\n - Command-line:\n - Add \u0027git-obs staging\u0027 commands\n - Add \u0027--gitea-fork-org\u0027 option to \u0027osc fork\u0027 command\n - Add \u0027--git-branch\u0027 option to \u0027osc fork\u0027 command\n - Add \u0027DELETE\u0027 to \u0027git-obs api\u0027 allowed methods\n - Add commit messages as commented lines to the template in \u0027git-obs pr create\u0027\n - Add filtering by label to \u0027git-obs pr list\u0027\n - Properly handle fork mismatch in \u0027osc fork\u0027\n - 
Change \u0027osc build\u0027 to build from any git repo if \u0027--alternative-project\u0027 is specified\n - Fix \u0027osc service\u0027 for git based packages\n - Fix \u0027git-obs pr dump\u0027 to skip the dump if the target has the same updated_at timestamp as the pull request in Gitea\n - Fix \u0027git-obs pr dump\u0027 to do case insensitive check on owner and repo\n - Fix retrieving \u0027arch\u0027 argument in \u0027osc buildlog\u0027\n - Library:\n - Add \u0027status\u0027 to the output of gitea_api.Git.get_submodules()\n - Add \u0027remote\u0027 argument to gitea_api.Repo.clone_or_update()\n - Add gitea_api.common.TemporaryDirectory class that supports \u0027delete\u0027 argument on python 3.6+\n - Add gitea_api.GitDiffGenerator class for creating submodule diffs without a git checkout\n - Add \u0027depth\u0027 argument to gitea_api.Repo.clone() and clone_or_update()\n - Add gitea_api.StagingPullRequestWrapper class for handling staging\n - Add gitea_api.PullRequest.get_host_owner_repo_number() method\n - Make GitObsCommand.add_argument_owner_repo() and add_argument_owner_repo_pull() reusable by allowing setting \u0027dest\u0027 argument\n - Warn if the git package doesn\u0027t have the same branch as the parent project\n - Extend gitea_api.PullRequest with methods that work with \u0027PR:\u0027 references\n - Support setting labels in gitea_api.PullRequest.create()\n - Fix gitea_api to use pagination instead of limit -1 everywhere\n - Remove duplicate, unused PullRequestReview class from gitea_api.pr\n - Move clone_or_update() from \u0027git-obs pr dump\u0027 command to gitea_api.Repo\n - Change gitea_api.Repo.clone_or_update() to take \u0027ssh_private_key_path\u0027 argument\n - Improve performance of gitea_api.IssueTimelineEntry by listing and caching requests instead of fetching them one by one\n - Make GitObsCommand.add_argument_owner_repo() and add_argument_owner_repo_pull() reusable by allowing setting \u0027help\u0027 argument\n - Change 
gitea_api.Repo.clone() to stop borrowing objects when \u0027reference\u0027 or \u0027reference_if_able\u0027 is used\n - Fix the resulting dictionary in gitea_api.PullRequest._get_label_ids()\n - Make gitea_api.RepoExists exception more helpful by giving a hint to fork under a different name\n - Use server_diff() instead of server_diff_noex() to exit with a non-zero return code\n - Return preinstallimage.info and allow podman to use preinstallimage\n\n- 1.21.0\n - Command-line:\n - Modify osc subcommands to error out if they don\u0027t work with git\n - Add \u0027git-obs meta\u0027 commands for managing the local metadata\n - Add \u0027git-obs meta info\u0027 command for printing resolved metadata about the current checkout\n - Add -b/--branch option to \u0027git-obs repo clone\u0027 command\n - Add \u0027git-obs pr dump\u0027 command to store pull request information on disk\n - Add \u0027git-obs --quiet\u0027 option (that mutes printing gitea settings now)\n - Automatially pull meta after \u0027git-obs repo clone\u0027\n - Change \u0027git-obs pr review interactive\u0027 to write \u0027merge ok\u0027 comment instead of scheduling a merge\n - Mute stderr when creating a worktree in \u0027git-obs pr review interactive\u0027\n - Change \u0027git-obs -G\u0027 to accept url to select a gitea login entry\n - Support substitutions in \u0027osc build --root\u0027\n - Fix crash in \u0027osc build\u0027 when \u0027build_repositories\u0027 in store was None\n - Fix filtering by reviewers in \u0027git-obs pr list\u0027\n - Update \u0027osc rq show\u0027 command to include history comments in verbose mode\n - Library:\n - Refactor GitStore\n - Migrate git_scm.Store over to gitea_api.Git\n - Store buildinfo and buildconfig files in GitStore\u0027s cache instead directly in the repo\n - Move code from \u0027git-obs meta pull\u0027 command to GitStore.pull()\n - Improve GitStore.pull() to support reading project from project.build\n - Rephrase the error message about detached 
HEAD in GitStore\n - Improve GitStore\u0027s error messages by adding instructions on how to fix missing metadata\n - Be more permissive when loading parent project_store in GitStore\n - Fix loading _manifest in a project git\n - Fix git store to check if all the required fields are present\n - Derive package name from topdir if a package is part of a project checkout\n - Change \u0027git-obs pr review interactive\u0027 to run pager process as a context manager\n - Change obs_api.TarDiff to spawn a process extracting archives as a context manager\n - Change \u0027commit\u0027 argument in gitea_api.Git.reset() to optional\n - Add gitea_api.Git.get_owner_repo_from_url() staticmethod\n - Add gitea_api.Git.urljoin() static method\n - Fix gitea_api.Git.get_branch_head() to raise a proper exception if the HEAD cannot be retrieved\n - Fix gitea_api.Git to work with the current remote instead of \u0027origin\u0027\n - Fix get_store() to throw the exception from git store if .osc directory is not present\n - Introduce GitObsRuntimeError exception and use it where appropriate\n - Fix tardiff by removing directories with shutil.rmtree() and files by os.unlink()\n - Add \u0027quiet\u0027 option to gitea_api.Git.switch()\n - Mute stderr in git_obs.Git.lfs_cat_file()\n - Treat None flavor as \"\" in multibuild resolve\n - Make Token.triggered_at optional as it\u0027s not available in the oficially released OBS code\n - Add BaseModel.from_string() and BaseModel.to_string() methods\n - Add BaseModel.from_file() and BaseModel.to_file() methods\n - Fix BaseModel to initialize from a dictionary via __init__ instead of setattr\n - Docs:\n - Update docs for the new git metadata store\n - Update list of recommended gitea permissions in git-obs-quickstart\n - Spec:\n - Install git-obs-metadata man page\n\n- 1.20.0\n - Command-line:\n - Fix \u0027osc fork\u0027 command to use the right tracking branch\n - Fix \u0027osc blt\u0027 command by checking if the working copy is a package\n - 
Make \u0027osc buildlog\u0027 work outside of osc package directory\n - Add \u0027git-obs pr close\u0027 and \u0027git-obs pr reopen\u0027 commands\n - Add \u0027close\u0027 option to \u0027git-obs pr review interactive\u0027\n - Change \u0027git-obs pr review interactive\u0027 to work with all archives, not only those in Git LFS\n - Fix checkout of the base branch in \u0027git-obs pr review interactive\u0027 command\n - Library:\n - Support _manifest file in git store\n - Allow pull request IDs in \u0027\u003cowner\u003e/\u003crepo\u003e!\u003cnumber\u003e\u0027 format\n - Properly handle deleted users and teams in the git-obs timeline\n - Handle situations when there\u0027s \u0027None\u0027 among timeline entries\n - Skip binary files in gitea_api.PullRequest.get_patch()\n - Change get_user_input(), add support for vertically printed list of answers\n - Spec:\n - Provide git-obs\n\n- 1.19.1\n - Command-line:\n - Use OSC_PACKAGE_CACHE_DIR env var instead of deprecated OSC_PACKAGECACHEDIR\n - Connection:\n - Check for both upper and lowercase versions of HTTP_PROXY and HTTPS_PROXY env vars\n - Library:\n - Add \u0027trackingbranch\u0027 field to ScmsyncObsinfo model\n - Revert \"Return None if GitStore cannot determine apiurl\"\n - Throw a proper exception when \u0027apiurl\u0027 argument of \u0027makeurl()\u0027 is empty\n - Move code setting apiurl from store to \u0027osc.conf.get_config()\u0027\n - Simplify \u0027osc.commandline.Osc.get_api_url()\u0027 to return the value from \u0027self.options\u0027\n - Remove \u0027osc.commandline.Osc.post_argparse()\u0027 because it\u0027s no longer used\n - Fix unit tests to use the new code path to run osc\n - Fix osc.gitea_api.dt_sanitize() by replacing dateutil with datetime\n\n- 1.19.0\n - Command-line:\n - Add \u0027git-obs pr cancel-scheduled-merge\u0027 command\n - Add timeline to \u0027git-obs pr review interactive\u0027\n - Add \u0027--timeline\u0027 option to \u0027git-obs pr get\u0027\n - Fix \u0027git-obs pr 
search\u0027 by using pagination to retrieve all results\n - Extend \u0027--message\u0027 option in git-obs subcommands with the \u0027-m\u0027 short option\n - Add a different message for scheduled merges in \u0027git-obs pr merge\u0027 command\n - Library:\n - Add \u0027conn\u0027 parameter to gitea_api.common.GiteaModel\n - Add gitea_api.Connection.scheme attribute\n - Add gitea_api.PullRequest.merge_commit property\n - Add gitea_api.PullRequest.get_owner_repo_number()\n - Add gitea_api.common.dt_sanitize() for sanitizing datetime strings\n - Handle missing head repo in the PullRequest properties\n - Return None if GitStore cannot determine apiurl\n - Remove extra newline from store files\n - Fix the \u0027Move remaining imports in osc.babysitter into try-except block\u0027 change by preserving the order of handling the exceptions\n - Spec:\n - Use primary_python to define runtime requires matching the shebang lines\n - Provide %{use_python_pkg}-osc for all pythons and python3-osc for primary_python\n - Add conflict with obs-scm-bridge \u003c 0.7.3\n\n- 1.18.0\n - Command-line:\n - Add \u0027git-obs pr comment [--message=...]\u0027 command\n - Add \u0027git-obs pr show-patch\u0027 command\n - Add \u0027--reviewer\u0027 option to \u0027git-obs pr review {approve,decline,interactive}\u0027 to support group reviews via group review bot\n - Update \u0027git-obs pr review interactive\u0027 to return non-zero return codes for \u0027exit\u0027 and \u0027skip\u0027 actions\n - Make \u0027osc results --show-excluded\u0027 work in a project context\n - Add \u0027--no-pager\u0027 global option\n - Fix \u0027osc fork\u0027 by copying whole query part to the new scmsync url\n - Fix \u0027osc buildinfo\u0027 for git packages by handing the \u0027build_repositories\u0027 files by store objects\n - Fix crash in \u0027git-obs pr get --patch\u0027\n - Fix git-obs to exit with 130 on keyboard interrupt\n - Fix --sccache help typo in \u0027osc build\u0027 command\n - Connection:\n 
- Don\u0027t retry requests on 504 Gateway Timeout\n - Library:\n - If a devel project is not specified, try reading it from a mapping from URL set in OBS:GitDevelProjectMap project attribute\n - Improve detection of packages and projects in git\n - scmsync_obsinfo: Pass correct revision to obs-scm-bridge\n - Add obs_api.Request.search() method\n - Raise an exception if obs-scm-bridge fails\n - Fix obs_scm.Package.get_pulled_srcmd5() returning an empty string\n - Fix git store to support non-default remote\n - Extend \u0027gitea_api.User.get()\u0027 to take \u0027username\u0027 parameter\n - Move get_editor() and related functions from command-line module to gitea_api.common\n - Migrate subcommands from using Store() to get_store() that is git aware\n - Make imports lazy to imporove osc load times\n\nChanges in obs-scm-bridge:\n\n- use the system default python version (boo#1247410)\n\n- 0.7.4\n * syntax fix\n\n- 0.7.3\n * fix .gitsubmodule parser to handle space and tabs mixed\n\n- package /etc/obs/service directories\n\n- 0.7.2\n * Improved error reporting of invalid files in package subdirs\n * Introducing a mechanic to limit asset handling\n\n- 0.7.1\n * export trackingbranch to scmsync.obsinfo\n\n- 0.7.0\n * supporting _manifest file as successor of _subdirs\n * record configured branch of submodules in package scmsync url\n * stay on the configured branch of a submodule on checkout\n\n- 0.6.3\n * Allow ssh:// scm urls as used by osc\n * project mode: avoid unecessary changes in package meta url\n * code cleanup\n\n- fix dependency (it is python3-PyYAML)\n\n- fix missing dependency to PyYAML\n\n- 0.6.2\n * Make project mode always look for _config in the top dir, also\n when using subdirs.\n\n- 0.6.1\n * new noobsinfo query parameter\n (can be used to hide git informations in sources, binaries\n won\u0027t contain them either then).\n\n- 0.6.0\n * project mode: switching to to track package sources using\n git sha sums instead of md5sum via 
download_assets\n\n- 0.5.4\n * fixed support of subdir parameter usage on project level\n * Fix handling of projectscmsync in the package xml writers\n\n- 0.5.3\n * Switch to ssh url when using the bridge via osc\n\n- 0.5.2\n * Don\u0027t overwrite files from git, but complain instead with\n an error. For example _scmsync.obsinfo file must not be part\n of the git tree. boo#1230469 CVE-2024-22038\n\n- 0.5.1\n * Don\u0027t generate _scmsync.obsinfo outside of OBS source server\n import use case (eg. no more for osc co)\n * Enforce python 3.11 requirement\n * Fix export of _scmsync.obsinfo in project mode\n * Fix submodule detection\n * EXPERIMENTAL: support multiple package subdirs via _subdirs\n file. This syntax will change!\n (not documented on purpose therefore atm)\n * Using git credential manager\n * Report some errors as transient, so that OBS can re-try\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Leap-16.0-packagehub-162",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_20361-1.json"
},
{
"category": "self",
"summary": "SUSE Bug 1230469",
"url": "https://bugzilla.suse.com/1230469"
},
{
"category": "self",
"summary": "SUSE Bug 1247410",
"url": "https://bugzilla.suse.com/1247410"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-22038 page",
"url": "https://www.suse.com/security/cve/CVE-2024-22038/"
}
],
"title": "Security update for osc, obs-scm-bridge",
"tracking": {
"current_release_date": "2026-03-12T20:54:40Z",
"generator": {
"date": "2026-03-12T20:54:40Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:20361-1",
"initial_release_date": "2026-03-12T20:54:40Z",
"revision_history": [
{
"date": "2026-03-12T20:54:40Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "obs-scm-bridge-0.7.4-bp160.1.1.noarch",
"product": {
"name": "obs-scm-bridge-0.7.4-bp160.1.1.noarch",
"product_id": "obs-scm-bridge-0.7.4-bp160.1.1.noarch"
}
},
{
"category": "product_version",
"name": "osc-1.24.0-bp160.1.1.noarch",
"product": {
"name": "osc-1.24.0-bp160.1.1.noarch",
"product_id": "osc-1.24.0-bp160.1.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 16.0",
"product": {
"name": "openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0"
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "obs-scm-bridge-0.7.4-bp160.1.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:obs-scm-bridge-0.7.4-bp160.1.1.noarch"
},
"product_reference": "obs-scm-bridge-0.7.4-bp160.1.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osc-1.24.0-bp160.1.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:osc-1.24.0-bp160.1.1.noarch"
},
"product_reference": "osc-1.24.0-bp160.1.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-22038",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-22038"
}
],
"notes": [
{
"category": "general",
"text": "Various problems in obs-scm-bridge allows attackers that create specially crafted git repositories to leak information of cause denial of service.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:obs-scm-bridge-0.7.4-bp160.1.1.noarch",
"openSUSE Leap 16.0:osc-1.24.0-bp160.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-22038",
"url": "https://www.suse.com/security/cve/CVE-2024-22038"
},
{
"category": "external",
"summary": "SUSE Bug 1230469 for CVE-2024-22038",
"url": "https://bugzilla.suse.com/1230469"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:obs-scm-bridge-0.7.4-bp160.1.1.noarch",
"openSUSE Leap 16.0:osc-1.24.0-bp160.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:obs-scm-bridge-0.7.4-bp160.1.1.noarch",
"openSUSE Leap 16.0:osc-1.24.0-bp160.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-12T20:54:40Z",
"details": "important"
}
],
"title": "CVE-2024-22038"
}
]
}
OPENSUSE-SU-2026:10183-1
Vulnerability from csaf_opensuse - Published: 2026-02-12 00:00 - Updated: 2026-02-12 00:00
Summary
build-20260202-2.1 on GA media
Notes
Title of the patch
build-20260202-2.1 on GA media
Description of the patch
These are all security issues fixed in the build-20260202-2.1 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2026-10183
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "build-20260202-2.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the build-20260202-2.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2026-10183",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10183-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-22038 page",
"url": "https://www.suse.com/security/cve/CVE-2024-22038/"
}
],
"title": "build-20260202-2.1 on GA media",
"tracking": {
"current_release_date": "2026-02-12T00:00:00Z",
"generator": {
"date": "2026-02-12T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:10183-1",
"initial_release_date": "2026-02-12T00:00:00Z",
"revision_history": [
{
"date": "2026-02-12T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "build-20260202-2.1.aarch64",
"product": {
"name": "build-20260202-2.1.aarch64",
"product_id": "build-20260202-2.1.aarch64"
}
},
{
"category": "product_version",
"name": "build-initvm-i586-20260202-2.1.aarch64",
"product": {
"name": "build-initvm-i586-20260202-2.1.aarch64",
"product_id": "build-initvm-i586-20260202-2.1.aarch64"
}
},
{
"category": "product_version",
"name": "build-initvm-x86_64-20260202-2.1.aarch64",
"product": {
"name": "build-initvm-x86_64-20260202-2.1.aarch64",
"product_id": "build-initvm-x86_64-20260202-2.1.aarch64"
}
},
{
"category": "product_version",
"name": "build-mkbaselibs-20260202-2.1.aarch64",
"product": {
"name": "build-mkbaselibs-20260202-2.1.aarch64",
"product_id": "build-mkbaselibs-20260202-2.1.aarch64"
}
},
{
"category": "product_version",
"name": "build-mkdrpms-20260202-2.1.aarch64",
"product": {
"name": "build-mkdrpms-20260202-2.1.aarch64",
"product_id": "build-mkdrpms-20260202-2.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "build-20260202-2.1.ppc64le",
"product": {
"name": "build-20260202-2.1.ppc64le",
"product_id": "build-20260202-2.1.ppc64le"
}
},
{
"category": "product_version",
"name": "build-initvm-i586-20260202-2.1.ppc64le",
"product": {
"name": "build-initvm-i586-20260202-2.1.ppc64le",
"product_id": "build-initvm-i586-20260202-2.1.ppc64le"
}
},
{
"category": "product_version",
"name": "build-initvm-x86_64-20260202-2.1.ppc64le",
"product": {
"name": "build-initvm-x86_64-20260202-2.1.ppc64le",
"product_id": "build-initvm-x86_64-20260202-2.1.ppc64le"
}
},
{
"category": "product_version",
"name": "build-mkbaselibs-20260202-2.1.ppc64le",
"product": {
"name": "build-mkbaselibs-20260202-2.1.ppc64le",
"product_id": "build-mkbaselibs-20260202-2.1.ppc64le"
}
},
{
"category": "product_version",
"name": "build-mkdrpms-20260202-2.1.ppc64le",
"product": {
"name": "build-mkdrpms-20260202-2.1.ppc64le",
"product_id": "build-mkdrpms-20260202-2.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "build-20260202-2.1.s390x",
"product": {
"name": "build-20260202-2.1.s390x",
"product_id": "build-20260202-2.1.s390x"
}
},
{
"category": "product_version",
"name": "build-initvm-i586-20260202-2.1.s390x",
"product": {
"name": "build-initvm-i586-20260202-2.1.s390x",
"product_id": "build-initvm-i586-20260202-2.1.s390x"
}
},
{
"category": "product_version",
"name": "build-initvm-x86_64-20260202-2.1.s390x",
"product": {
"name": "build-initvm-x86_64-20260202-2.1.s390x",
"product_id": "build-initvm-x86_64-20260202-2.1.s390x"
}
},
{
"category": "product_version",
"name": "build-mkbaselibs-20260202-2.1.s390x",
"product": {
"name": "build-mkbaselibs-20260202-2.1.s390x",
"product_id": "build-mkbaselibs-20260202-2.1.s390x"
}
},
{
"category": "product_version",
"name": "build-mkdrpms-20260202-2.1.s390x",
"product": {
"name": "build-mkdrpms-20260202-2.1.s390x",
"product_id": "build-mkdrpms-20260202-2.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "build-20260202-2.1.x86_64",
"product": {
"name": "build-20260202-2.1.x86_64",
"product_id": "build-20260202-2.1.x86_64"
}
},
{
"category": "product_version",
"name": "build-initvm-i586-20260202-2.1.x86_64",
"product": {
"name": "build-initvm-i586-20260202-2.1.x86_64",
"product_id": "build-initvm-i586-20260202-2.1.x86_64"
}
},
{
"category": "product_version",
"name": "build-initvm-x86_64-20260202-2.1.x86_64",
"product": {
"name": "build-initvm-x86_64-20260202-2.1.x86_64",
"product_id": "build-initvm-x86_64-20260202-2.1.x86_64"
}
},
{
"category": "product_version",
"name": "build-mkbaselibs-20260202-2.1.x86_64",
"product": {
"name": "build-mkbaselibs-20260202-2.1.x86_64",
"product_id": "build-mkbaselibs-20260202-2.1.x86_64"
}
},
{
"category": "product_version",
"name": "build-mkdrpms-20260202-2.1.x86_64",
"product": {
"name": "build-mkdrpms-20260202-2.1.x86_64",
"product_id": "build-mkdrpms-20260202-2.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "build-20260202-2.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:build-20260202-2.1.aarch64"
},
"product_reference": "build-20260202-2.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "build-20260202-2.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:build-20260202-2.1.ppc64le"
},
"product_reference": "build-20260202-2.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "build-20260202-2.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:build-20260202-2.1.s390x"
},
"product_reference": "build-20260202-2.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "build-20260202-2.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:build-20260202-2.1.x86_64"
},
"product_reference": "build-20260202-2.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "build-initvm-i586-20260202-2.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:build-initvm-i586-20260202-2.1.aarch64"
},
"product_reference": "build-initvm-i586-20260202-2.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "build-initvm-i586-20260202-2.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:build-initvm-i586-20260202-2.1.ppc64le"
},
"product_reference": "build-initvm-i586-20260202-2.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "build-initvm-i586-20260202-2.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:build-initvm-i586-20260202-2.1.s390x"
},
"product_reference": "build-initvm-i586-20260202-2.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "build-initvm-i586-20260202-2.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:build-initvm-i586-20260202-2.1.x86_64"
},
"product_reference": "build-initvm-i586-20260202-2.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "build-initvm-x86_64-20260202-2.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:build-initvm-x86_64-20260202-2.1.aarch64"
},
"product_reference": "build-initvm-x86_64-20260202-2.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "build-initvm-x86_64-20260202-2.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:build-initvm-x86_64-20260202-2.1.ppc64le"
},
"product_reference": "build-initvm-x86_64-20260202-2.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "build-initvm-x86_64-20260202-2.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:build-initvm-x86_64-20260202-2.1.s390x"
},
"product_reference": "build-initvm-x86_64-20260202-2.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "build-initvm-x86_64-20260202-2.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:build-initvm-x86_64-20260202-2.1.x86_64"
},
"product_reference": "build-initvm-x86_64-20260202-2.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "build-mkbaselibs-20260202-2.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:build-mkbaselibs-20260202-2.1.aarch64"
},
"product_reference": "build-mkbaselibs-20260202-2.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "build-mkbaselibs-20260202-2.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:build-mkbaselibs-20260202-2.1.ppc64le"
},
"product_reference": "build-mkbaselibs-20260202-2.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "build-mkbaselibs-20260202-2.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:build-mkbaselibs-20260202-2.1.s390x"
},
"product_reference": "build-mkbaselibs-20260202-2.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "build-mkbaselibs-20260202-2.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:build-mkbaselibs-20260202-2.1.x86_64"
},
"product_reference": "build-mkbaselibs-20260202-2.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "build-mkdrpms-20260202-2.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:build-mkdrpms-20260202-2.1.aarch64"
},
"product_reference": "build-mkdrpms-20260202-2.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "build-mkdrpms-20260202-2.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:build-mkdrpms-20260202-2.1.ppc64le"
},
"product_reference": "build-mkdrpms-20260202-2.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "build-mkdrpms-20260202-2.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:build-mkdrpms-20260202-2.1.s390x"
},
"product_reference": "build-mkdrpms-20260202-2.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "build-mkdrpms-20260202-2.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:build-mkdrpms-20260202-2.1.x86_64"
},
"product_reference": "build-mkdrpms-20260202-2.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-22038",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-22038"
}
],
"notes": [
{
"category": "general",
"text": "Various problems in obs-scm-bridge allow attackers that create specially crafted git repositories to leak information or cause denial of service.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:build-20260202-2.1.aarch64",
"openSUSE Tumbleweed:build-20260202-2.1.ppc64le",
"openSUSE Tumbleweed:build-20260202-2.1.s390x",
"openSUSE Tumbleweed:build-20260202-2.1.x86_64",
"openSUSE Tumbleweed:build-initvm-i586-20260202-2.1.aarch64",
"openSUSE Tumbleweed:build-initvm-i586-20260202-2.1.ppc64le",
"openSUSE Tumbleweed:build-initvm-i586-20260202-2.1.s390x",
"openSUSE Tumbleweed:build-initvm-i586-20260202-2.1.x86_64",
"openSUSE Tumbleweed:build-initvm-x86_64-20260202-2.1.aarch64",
"openSUSE Tumbleweed:build-initvm-x86_64-20260202-2.1.ppc64le",
"openSUSE Tumbleweed:build-initvm-x86_64-20260202-2.1.s390x",
"openSUSE Tumbleweed:build-initvm-x86_64-20260202-2.1.x86_64",
"openSUSE Tumbleweed:build-mkbaselibs-20260202-2.1.aarch64",
"openSUSE Tumbleweed:build-mkbaselibs-20260202-2.1.ppc64le",
"openSUSE Tumbleweed:build-mkbaselibs-20260202-2.1.s390x",
"openSUSE Tumbleweed:build-mkbaselibs-20260202-2.1.x86_64",
"openSUSE Tumbleweed:build-mkdrpms-20260202-2.1.aarch64",
"openSUSE Tumbleweed:build-mkdrpms-20260202-2.1.ppc64le",
"openSUSE Tumbleweed:build-mkdrpms-20260202-2.1.s390x",
"openSUSE Tumbleweed:build-mkdrpms-20260202-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-22038",
"url": "https://www.suse.com/security/cve/CVE-2024-22038"
},
{
"category": "external",
"summary": "SUSE Bug 1230469 for CVE-2024-22038",
"url": "https://bugzilla.suse.com/1230469"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:build-20260202-2.1.aarch64",
"openSUSE Tumbleweed:build-20260202-2.1.ppc64le",
"openSUSE Tumbleweed:build-20260202-2.1.s390x",
"openSUSE Tumbleweed:build-20260202-2.1.x86_64",
"openSUSE Tumbleweed:build-initvm-i586-20260202-2.1.aarch64",
"openSUSE Tumbleweed:build-initvm-i586-20260202-2.1.ppc64le",
"openSUSE Tumbleweed:build-initvm-i586-20260202-2.1.s390x",
"openSUSE Tumbleweed:build-initvm-i586-20260202-2.1.x86_64",
"openSUSE Tumbleweed:build-initvm-x86_64-20260202-2.1.aarch64",
"openSUSE Tumbleweed:build-initvm-x86_64-20260202-2.1.ppc64le",
"openSUSE Tumbleweed:build-initvm-x86_64-20260202-2.1.s390x",
"openSUSE Tumbleweed:build-initvm-x86_64-20260202-2.1.x86_64",
"openSUSE Tumbleweed:build-mkbaselibs-20260202-2.1.aarch64",
"openSUSE Tumbleweed:build-mkbaselibs-20260202-2.1.ppc64le",
"openSUSE Tumbleweed:build-mkbaselibs-20260202-2.1.s390x",
"openSUSE Tumbleweed:build-mkbaselibs-20260202-2.1.x86_64",
"openSUSE Tumbleweed:build-mkdrpms-20260202-2.1.aarch64",
"openSUSE Tumbleweed:build-mkdrpms-20260202-2.1.ppc64le",
"openSUSE Tumbleweed:build-mkdrpms-20260202-2.1.s390x",
"openSUSE Tumbleweed:build-mkdrpms-20260202-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:build-20260202-2.1.aarch64",
"openSUSE Tumbleweed:build-20260202-2.1.ppc64le",
"openSUSE Tumbleweed:build-20260202-2.1.s390x",
"openSUSE Tumbleweed:build-20260202-2.1.x86_64",
"openSUSE Tumbleweed:build-initvm-i586-20260202-2.1.aarch64",
"openSUSE Tumbleweed:build-initvm-i586-20260202-2.1.ppc64le",
"openSUSE Tumbleweed:build-initvm-i586-20260202-2.1.s390x",
"openSUSE Tumbleweed:build-initvm-i586-20260202-2.1.x86_64",
"openSUSE Tumbleweed:build-initvm-x86_64-20260202-2.1.aarch64",
"openSUSE Tumbleweed:build-initvm-x86_64-20260202-2.1.ppc64le",
"openSUSE Tumbleweed:build-initvm-x86_64-20260202-2.1.s390x",
"openSUSE Tumbleweed:build-initvm-x86_64-20260202-2.1.x86_64",
"openSUSE Tumbleweed:build-mkbaselibs-20260202-2.1.aarch64",
"openSUSE Tumbleweed:build-mkbaselibs-20260202-2.1.ppc64le",
"openSUSE Tumbleweed:build-mkbaselibs-20260202-2.1.s390x",
"openSUSE Tumbleweed:build-mkbaselibs-20260202-2.1.x86_64",
"openSUSE Tumbleweed:build-mkdrpms-20260202-2.1.aarch64",
"openSUSE Tumbleweed:build-mkdrpms-20260202-2.1.ppc64le",
"openSUSE Tumbleweed:build-mkdrpms-20260202-2.1.s390x",
"openSUSE Tumbleweed:build-mkdrpms-20260202-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-12T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2024-22038"
}
]
}
OPENSUSE-SU-2024:14543-1
Vulnerability from csaf_opensuse - Published: 2024-12-04 00:00 - Updated: 2024-12-04 00:00
Summary
obs-scm-bridge-0.5.4-1.1 on GA media
Notes
Title of the patch
obs-scm-bridge-0.5.4-1.1 on GA media
Description of the patch
These are all security issues fixed in the obs-scm-bridge-0.5.4-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2024-14543
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "obs-scm-bridge-0.5.4-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the obs-scm-bridge-0.5.4-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-14543",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_14543-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2024:14543-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SSIRMKVEDVCU2OCQMQLG2IJZ4RGLG656/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2024:14543-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SSIRMKVEDVCU2OCQMQLG2IJZ4RGLG656/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-22038 page",
"url": "https://www.suse.com/security/cve/CVE-2024-22038/"
}
],
"title": "obs-scm-bridge-0.5.4-1.1 on GA media",
"tracking": {
"current_release_date": "2024-12-04T00:00:00Z",
"generator": {
"date": "2024-12-04T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:14543-1",
"initial_release_date": "2024-12-04T00:00:00Z",
"revision_history": [
{
"date": "2024-12-04T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "obs-scm-bridge-0.5.4-1.1.aarch64",
"product": {
"name": "obs-scm-bridge-0.5.4-1.1.aarch64",
"product_id": "obs-scm-bridge-0.5.4-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "obs-scm-bridge-0.5.4-1.1.ppc64le",
"product": {
"name": "obs-scm-bridge-0.5.4-1.1.ppc64le",
"product_id": "obs-scm-bridge-0.5.4-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "obs-scm-bridge-0.5.4-1.1.s390x",
"product": {
"name": "obs-scm-bridge-0.5.4-1.1.s390x",
"product_id": "obs-scm-bridge-0.5.4-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "obs-scm-bridge-0.5.4-1.1.x86_64",
"product": {
"name": "obs-scm-bridge-0.5.4-1.1.x86_64",
"product_id": "obs-scm-bridge-0.5.4-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "obs-scm-bridge-0.5.4-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:obs-scm-bridge-0.5.4-1.1.aarch64"
},
"product_reference": "obs-scm-bridge-0.5.4-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "obs-scm-bridge-0.5.4-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:obs-scm-bridge-0.5.4-1.1.ppc64le"
},
"product_reference": "obs-scm-bridge-0.5.4-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "obs-scm-bridge-0.5.4-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:obs-scm-bridge-0.5.4-1.1.s390x"
},
"product_reference": "obs-scm-bridge-0.5.4-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "obs-scm-bridge-0.5.4-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:obs-scm-bridge-0.5.4-1.1.x86_64"
},
"product_reference": "obs-scm-bridge-0.5.4-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-22038",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-22038"
}
],
"notes": [
{
"category": "general",
"text": "Various problems in obs-scm-bridge allow attackers that create specially crafted git repositories to leak information or cause denial of service.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:obs-scm-bridge-0.5.4-1.1.aarch64",
"openSUSE Tumbleweed:obs-scm-bridge-0.5.4-1.1.ppc64le",
"openSUSE Tumbleweed:obs-scm-bridge-0.5.4-1.1.s390x",
"openSUSE Tumbleweed:obs-scm-bridge-0.5.4-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-22038",
"url": "https://www.suse.com/security/cve/CVE-2024-22038"
},
{
"category": "external",
"summary": "SUSE Bug 1230469 for CVE-2024-22038",
"url": "https://bugzilla.suse.com/1230469"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:obs-scm-bridge-0.5.4-1.1.aarch64",
"openSUSE Tumbleweed:obs-scm-bridge-0.5.4-1.1.ppc64le",
"openSUSE Tumbleweed:obs-scm-bridge-0.5.4-1.1.s390x",
"openSUSE Tumbleweed:obs-scm-bridge-0.5.4-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:obs-scm-bridge-0.5.4-1.1.aarch64",
"openSUSE Tumbleweed:obs-scm-bridge-0.5.4-1.1.ppc64le",
"openSUSE Tumbleweed:obs-scm-bridge-0.5.4-1.1.s390x",
"openSUSE Tumbleweed:obs-scm-bridge-0.5.4-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-12-04T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2024-22038"
}
]
}
GSD-2024-22038
Vulnerability from gsd - Updated: 2024-01-05 06:02
Details
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
Aliases
{
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2024-22038"
],
"id": "GSD-2024-22038",
"modified": "2024-01-05T06:02:20.498546Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2024-22038",
"STATE": "RESERVED"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
}
}
}
}
SUSE-SU-2025:0857-1
Vulnerability from csaf_suse - Published: 2025-03-13 17:58 - Updated: 2025-03-13 17:58
Summary
Security update for build
Notes
Title of the patch
Security update for build
Description of the patch
This update for build fixes the following issues:
- CVE-2024-22038: Fixed DoS attacks, information leaks with crafted Git repositories (bnc#1230469)
Other fixes:
- Fixed behaviour when using '--shell' aka 'osc shell' option
in a VM build. Startup is faster and permissions stay intact
now.
- fixes for POSIX compatibility for obs-docker-support and
mkbaselibs
- Add support for apk in docker/podman builds
- Add support for 'wget' in Docker images
- Fix debian support for Dockerfile builds
- Fix preinstallimages in containers
- mkosi: add back system-packages used by build-recipe directly
- pbuild: parse the Release files for debian repos
- mkosi: drop most systemd/build-packages deps and use obs_scm
directory as source if present
- improve source copy handling
- Introduce --repos-directory and --containers-directory options
- productcompose: support of building against a baseiso
- preinstallimage: avoid inclusion of build script generated files
- preserve timestamps on sources copy-in for kiwi and productcompose
- alpine package support updates
- tumbleweed config update
- debian: Support installation of foreign architecture packages
(required for armv7l setups)
- Parse unknown timezones as UTC
- Apk (Alpine Linux) format support added
- Implement default value in parameter expansion
- Also support supplements that use & as 'and'
- Add workaround for skopeo's argument parser
- add cap-htm=off on power9
- Fixed usage of chown calls
- Remove leading `go` from `purl` locators
- container related:
* Implement support for the new <containers> element in kiwi recipes
* Fixes for SBOM and dependencies of multi stage container builds
* obs-docker-support: enable dnf and yum substitutions
- Arch Linux:
* fix file path for Arch repo
* exclude unsupported arch
* Use root as download user
- build-vm-qemu: force sv48 satp mode on riscv64
- mkosi:
* Create .sha256 files after mkosi builds
* Always pass --image-version to mkosi
- General improvements and bugfixes (mkosi, pbuild, appimage/livebuild,
obs work detection, documentation, SBOM)
- Support slsa v1 in unpack_slsa_provenance
- generate_sbom: do not clobber spdx supplier
- Harden export_debian_orig_from_git (bsc#1230469)
- SBOM generation:
- Adding golang introspection support
- Adding rust binary introspection support
- Keep track of unknown licenses and add a 'hasExtractedLicensingInfos'
section
- Also normalize licenses for cyclonedx
- Make generate_sbom errors fatal
- general improvements
- Fix noprep building not working because the buildir is removed
- kiwi image: also detect a debian build if /var/lib/dpkg/status is present
- Do not use the Encode module to convert a code point to utf8
- Fix personality syscall number for riscv
- add more required recommendations for KVM builds
- set PACKAGER field in build-recipe-arch
- fix writing _modulemd.yaml
- pbuild: support --release and --baselibs option
- container:
- copy base container information from the annotation into the
containerinfo
- track base containers over multiple stages
- always put the base container last in the dependencies
- providing fileprovides in createdirdeps tool
- Introduce buildflag nochecks
- productcompose: support __all__ option
- config update: tumbleweed using preinstallexpand
- minor improvements
- tumbleweed build config update
- support the %load macro
- improve container filename generation (docker)
- fix hanging curl calls during build (docker)
- productcompose: fix milestone query
- tumbleweed build config update
- 15.6 build config fixes
- sourcerpm & sourcedep handling fixes
- productcompose:
- Fix milestone handling
- Support bcntsynctag
- Adding debian support to generate_sbom
- Add syscall for personality switch on loongarch64 kernel
- vm-build: ext3 & ext4: fix disk space allocation
- mkosi format updates, not fully working yet
- pbuild exception fixes
- Fixes for current fedora and centos distros
- Don't copy original dsc sources if OBS-DCH-RELEASE set
- Unbreak parsing of sources/patches
- Support ForceMultiVersion in the dockerfile parser
- Support %bcond of rpm 4.17.1
- Add a hack for systemd 255.3, creating an empty /etc/os-release
if missing after preinstall.
- docker: Fix HEAD request in dummyhttpserver
- pbuild: Make docker-nobasepackages expand flag the default
- rpm: Support a couple of builtin rpm macros
- rpm: Implement argument expansion for define/with/bcond...
- Fix multiline macro handling
- Accept -N parameter of %autosetup
- documentation updates
- various code cleanup and speedup work.
- ProductCompose: multiple improvements
- Add buildflags:define_specfile support
- Fix copy-in of git subdirectory sources
- pbuild: Speed up XML parsing
- pbuild: product compose support
- generate_sbom: add help option
- podman: enforce runtime=runc
- Implement direct conflicts from the distro config
- changelog2spec: fix time zone handling
- Do not unmount /proc/sys/fs/binfmt_misc before running the check scripts
- spec file cleanup
- documentation updates
- productcompose:
- support schema 0.1
- support milestones
- Leap 15.6 config
- SLE 15 SP6 config
- productcompose: follow incompatible flavor syntax change
- pbuild: support for zstd
- fixed handling for cmdline parameters via kernel packages
- productcompose:
* BREAKING: support new schema
* adapt flavor architecture parsing
- productcompose:
* support filtered package lists
* support default architecture listing
* fix copy in binaries in VM builds^
- obsproduct build type got renamed to productcompose
- Support zstd compressed rpm-md meta data (bsc#1217269)
- Added Debian 12 configuration
- First ObsProduct build format support
- fix SLE 15 SP5 build configuration
- Improve user agent handling for obs repositories
- Docker:
- Support flavor specific build descriptions via Dockerfile.$flavor
- support 'PlusRecommended' hint to also provide recommended packages
- use the name/version as filename if both are known
- Produce docker format containers by default
- pbuild: Support for signature authentification of OBS resources
- Fix wiping build root for --vm-type podman
- Put BUILD_RELEASE and BUILD_CHANGELOG_TIMESTAMP in the /.buildenv
- build-vm-kvm: use -cpu host on riscv64
- small fixes and cleanups
- Added parser for BcntSyncTag in sources
- pbuild:
* fix dependency expansion for build types other than spec
* Reworked cycle handling code
* add --extra-packs option
* add debugflags option
- Pass-through --buildtool-opt
- Parse Patch and Source lines more accurately
- fix tunefs functionality
- minor bugfixes
- --vm-type=podman added (supports also root-less builds)
- Also support build constraints in the Dockerfile
- minor fixes
- Add SUSE ALP build config
- BREAKING: Record errors when parsing the project config
former behaviour was undefined
- container: Support compression format configuration option
- Don't setup ccache with --no-init
- improved loongarch64 support
- sbom: SPDX supplier tag added
- kiwi: support different versions per profile
- preinstallimage: fail when recompression fails
- Add support for recommends and supplements dependencies
- Support the 'keepfilerequires' expand flag
- add '--buildtool-opt=OPTIONS' to pass options to the used build tool
- distro config updates
* ArchLinux
* Tumbleweed
- documentation updates
- openSUSE Tumbleweed: sync config and move to suse_version 1699.
- universal post-build hook, just place a file in /usr/lib/build/post_build.d/
- mkbaselibs/hwcaps, fix pattern name once again (x86_64_v3)
- KiwiProduct: add --use-newest-package hint if the option is set
- Dockerfile support:
* export multibuild flavor as argument
* allow parameters in FROM .. scratch lines
* include OS name in build result if != linux
- Workaround directory->symlink usrmerge problems for cross arch sysroot
- multiple fixes for SBOM support
- KIWI VM image SBOM support added
Patchnames
SUSE-2025-857,SUSE-SLE-Module-Development-Tools-15-SP6-2025-857,SUSE-SLE-Product-HPC-15-SP3-LTSS-2025-857,SUSE-SLE-Product-HPC-15-SP4-ESPOS-2025-857,SUSE-SLE-Product-HPC-15-SP4-LTSS-2025-857,SUSE-SLE-Product-HPC-15-SP5-ESPOS-2025-857,SUSE-SLE-Product-HPC-15-SP5-LTSS-2025-857,SUSE-SLE-Product-SLES-15-SP3-LTSS-2025-857,SUSE-SLE-Product-SLES-15-SP4-LTSS-2025-857,SUSE-SLE-Product-SLES-15-SP5-LTSS-2025-857,SUSE-SLE-Product-SLES_SAP-15-SP3-2025-857,SUSE-SLE-Product-SLES_SAP-15-SP4-2025-857,SUSE-SLE-Product-SLES_SAP-15-SP5-2025-857,SUSE-Storage-7.1-2025-857,openSUSE-SLE-15.6-2025-857
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for build",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for build fixes the following issues:\n- CVE-2024-22038: Fixed DoS attacks, information leaks with crafted Git repositories (bnc#1230469) \n\nOther fixes:\n- Fixed behaviour when using \u0027--shell\u0027 aka \u0027osc shell\u0027 option\n in a VM build. Startup is faster and permissions stay intact\n now.\n\n- fixes for POSIX compatibility for obs-docker-support adn\n mkbaselibs\n- Add support for apk in docker/podman builds\n- Add support for \u0027wget\u0027 in Docker images\n- Fix debian support for Dockerfile builds\n- Fix preinstallimages in containers\n- mkosi: add back system-packages used by build-recipe directly\n- pbuild: parse the Release files for debian repos\n\n- mkosi: drop most systemd/build-packages deps and use obs_scm\n directory as source if present\n- improve source copy handling\n- Introduce --repos-directory and --containers-directory options\n\n- productcompose: support of building against a baseiso\n- preinstallimage: avoid inclusion of build script generated files\n- preserve timestamps on sources copy-in for kiwi and productcompose\n- alpine package support updates\n- tumbleweed config update\n\n- debian: Support installation of foreign architecture packages\n (required for armv7l setups)\n- Parse unknown timezones as UTC\n- Apk (Alpine Linux) format support added\n- Implement default value in parameter expansion\n- Also support supplements that use \u0026 as \u0027and\u0027\n- Add workaround for skopeo\u0027s argument parser\n- add cap-htm=off on power9\n- Fixed usage of chown calls\n- Remove leading `go` from `purl` locators\n\n- container related:\n * Implement support for the new \u003ccontainers\u003e element in kiwi recipes\n * Fixes for SBOM and dependencies of multi stage container builds\n * obs-docker-support: enable dnf and yum substitutions\n- Arch Linux:\n * fix file path for Arch repo\n * exclude unsupported arch\n * Use root as download user\n- build-vm-qemu: force sv48 satp mode on riscv64\n- mkosi:\n 
* Create .sha256 files after mkosi builds\n * Always pass --image-version to mkosi\n- General improvements and bugfixes (mkosi, pbuild, appimage/livebuild,\n obs work detection, documention, SBOM)\n- Support slsa v1 in unpack_slsa_provenance\n- generate_sbom: do not clobber spdx supplier\n- Harden export_debian_orig_from_git (bsc#1230469)\n\n- SBOM generation:\n - Adding golang introspection support\n - Adding rust binary introspection support\n - Keep track of unknwon licenses and add a \u0027hasExtractedLicensingInfos\u0027\n section\n - Also normalize licenses for cyclonedx\n - Make generate_sbom errors fatal\n - general improvements\n- Fix noprep building not working because the buildir is removed\n- kiwi image: also detect a debian build if /var/lib/dpkg/status is present\n- Do not use the Encode module to convert a code point to utf8\n- Fix personality syscall number for riscv\n- add more required recommendations for KVM builds\n- set PACKAGER field in build-recipe-arch\n- fix writing _modulemd.yaml\n- pbuild: support --release and --baselibs option\n- container:\n - copy base container information from the annotation into the\n containerinfo\n - track base containers over multiple stages\n - always put the base container last in the dependencies\n\n- providing fileprovides in createdirdeps tool\n- Introduce buildflag nochecks\n\n- productcompose: support __all__ option\n- config update: tumbleweed using preinstallexpand\n- minor improvements\n\n- tumbleweed build config update\n- support the %load macro\n- improve container filename generation (docker)\n- fix hanging curl calls during build (docker)\n- productcompose: fix milestone query\n\n- tumbleweed build config update\n- 15.6 build config fixes\n- sourcerpm \u0026 sourcedep handling fixes\n- productcompose:\n - Fix milestone handling\n - Support bcntsynctag\n- Adding debian support to generate_sbom\n- Add syscall for personality switch on loongarch64 kernel\n- vm-build: ext3 \u0026 ext4: fix disk space 
allocation\n- mkosi format updates, not fully working yet\n- pbuild exception fixes\n- Fixes for current fedora and centos distros\n- Don\u0027t copy original dsc sources if OBS-DCH-RELEASE set\n- Unbreak parsing of sources/patches\n- Support ForceMultiVersion in the dockerfile parser\n- Support %bcond of rpm 4.17.1\n\n- Add a hack for systemd 255.3, creating an empty /etc/os-release\n if missing after preinstall.\n- docker: Fix HEAD request in dummyhttpserver\n- pbuild: Make docker-nobasepackages expand flag the default\n- rpm: Support a couple of builtin rpm macros\n- rpm: Implement argument expansion for define/with/bcond...\n- Fix multiline macro handling\n- Accept -N parameter of %autosetup\n- documentation updates\n- various code cleanup and speedup work.\n\n- ProductCompose: multiple improvements\n- Add buildflags:define_specfile support\n- Fix copy-in of git subdirectory sources\n- pbuild: Speed up XML parsing\n- pubild: product compose support\n- generate_sbom: add help option\n- podman: enforce runtime=runc\n- Implement direct conflicts from the distro config\n- changelog2spec: fix time zone handling\n- Do not unmount /proc/sys/fs/binfmt_misc before runnint the check scripts\n- spec file cleanup\n- documentation updates\n\n- productcompose:\n - support schema 0.1\n - support milestones\n- Leap 15.6 config\n- SLE 15 SP6 config\n\n- productcompose: follow incompatible flavor syntax change\n- pbuild: support for zstd\n\n- fixed handling for cmdline parameters via kernel packages\n\n- productcompose:\n * BREAKING: support new schema\n * adapt flavor architecture parsing\n\n- productcompose:\n * support filtered package lists\n * support default architecture listing\n * fix copy in binaries in VM builds^\n\n- obsproduct build type got renamed to productcompose\n\n- Support zstd compressed rpm-md meta data (bsc#1217269)\n- Added Debian 12 configuration\n- First ObsProduct build format support\n\n- fix SLE 15 SP5 build configuration\n- Improve user agent 
handling for obs repositories\n\n- Docker:\n - Support flavor specific build descriptions via Dockerfile.$flavor\n - support \u0027PlusRecommended\u0027 hint to also provide recommended packages\n - use the name/version as filename if both are known\n - Produce docker format containers by default\n- pbuild: Support for signature authentification of OBS resources\n- Fix wiping build root for --vm-type podman\n- Put BUILD_RELEASE and BUILD_CHANGELOG_TIMESTAMP in the /.buildenv\n- build-vm-kvm: use -cpu host on riscv64\n- small fixes and cleanups\n\n- Added parser for BcntSyncTag in sources\n\n- pbuild:\n * fix dependency expansion for build types other than spec\n * Reworked cycle handling code\n * add --extra-packs option\n * add debugflags option\n- Pass-through --buildtool-opt\n- Parse Patch and Source lines more accurately\n- fix tunefs functionality\n- minor bugfixes\n\n- --vm-type=podman added (supports also root-less builds)\n- Also support build constraints in the Dockerfile\n- minor fixes\n\n- Add SUSE ALP build config\n\n- BREAKING: Record errors when parsing the project config\n former behaviour was undefined\n- container: Support compression format configuration option\n- Don\u0027t setup ccache with --no-init\n- improved loongarch64 support\n- sbom: SPDX supplier tag added\n- kiwi: support different versions per profile\n- preinstallimage: fail when recompression fails\n- Add support for recommends and supplements dependencies\n- Support the \u0027keepfilerequires\u0027 expand flag\n- add \u0027--buildtool-opt=OPTIONS\u0027 to pass options to the used build tool\n- distro config updates\n * ArchLinux\n * Tumbleweed\n- documentation updates\n\n- openSUSE Tumbleweed: sync config and move to suse_version 1699.\n\n- universal post-build hook, just place a file in /usr/lib/build/post_build.d/\n- mkbaselibs/hwcaps, fix pattern name once again (x86_64_v3)\n- KiwiProduct: add --use-newest-package hint if the option is set\n\n- Dockerfile support:\n * export 
multibuild flavor as argument\n * allow parameters in FROM .. scratch lines\n * include OS name in build result if != linux\n- Workaround directory-\u003esymlink usrmerge problems for cross arch sysroot\n- multiple fixes for SBOM support\n\n- KIWI VM image SBOM support added\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2025-857,SUSE-SLE-Module-Development-Tools-15-SP6-2025-857,SUSE-SLE-Product-HPC-15-SP3-LTSS-2025-857,SUSE-SLE-Product-HPC-15-SP4-ESPOS-2025-857,SUSE-SLE-Product-HPC-15-SP4-LTSS-2025-857,SUSE-SLE-Product-HPC-15-SP5-ESPOS-2025-857,SUSE-SLE-Product-HPC-15-SP5-LTSS-2025-857,SUSE-SLE-Product-SLES-15-SP3-LTSS-2025-857,SUSE-SLE-Product-SLES-15-SP4-LTSS-2025-857,SUSE-SLE-Product-SLES-15-SP5-LTSS-2025-857,SUSE-SLE-Product-SLES_SAP-15-SP3-2025-857,SUSE-SLE-Product-SLES_SAP-15-SP4-2025-857,SUSE-SLE-Product-SLES_SAP-15-SP5-2025-857,SUSE-Storage-7.1-2025-857,openSUSE-SLE-15.6-2025-857",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_0857-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2025:0857-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-20250857-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2025:0857-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-March/020511.html"
},
{
"category": "self",
"summary": "SUSE Bug 1217269",
"url": "https://bugzilla.suse.com/1217269"
},
{
"category": "self",
"summary": "SUSE Bug 1230469",
"url": "https://bugzilla.suse.com/1230469"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-22038 page",
"url": "https://www.suse.com/security/cve/CVE-2024-22038/"
}
],
"title": "Security update for build",
"tracking": {
"current_release_date": "2025-03-13T17:58:06Z",
"generator": {
"date": "2025-03-13T17:58:06Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2025:0857-1",
"initial_release_date": "2025-03-13T17:58:06Z",
"revision_history": [
{
"date": "2025-03-13T17:58:06Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "build-20250306-150200.19.1.noarch",
"product": {
"name": "build-20250306-150200.19.1.noarch",
"product_id": "build-20250306-150200.19.1.noarch"
}
},
{
"category": "product_version",
"name": "build-initvm-aarch64-20250306-150200.19.1.noarch",
"product": {
"name": "build-initvm-aarch64-20250306-150200.19.1.noarch",
"product_id": "build-initvm-aarch64-20250306-150200.19.1.noarch"
}
},
{
"category": "product_version",
"name": "build-initvm-i586-20250306-150200.19.1.noarch",
"product": {
"name": "build-initvm-i586-20250306-150200.19.1.noarch",
"product_id": "build-initvm-i586-20250306-150200.19.1.noarch"
}
},
{
"category": "product_version",
"name": "build-initvm-powerpc64le-20250306-150200.19.1.noarch",
"product": {
"name": "build-initvm-powerpc64le-20250306-150200.19.1.noarch",
"product_id": "build-initvm-powerpc64le-20250306-150200.19.1.noarch"
}
},
{
"category": "product_version",
"name": "build-initvm-s390x-20250306-150200.19.1.noarch",
"product": {
"name": "build-initvm-s390x-20250306-150200.19.1.noarch",
"product_id": "build-initvm-s390x-20250306-150200.19.1.noarch"
}
},
{
"category": "product_version",
"name": "build-initvm-x86_64-20250306-150200.19.1.noarch",
"product": {
"name": "build-initvm-x86_64-20250306-150200.19.1.noarch",
"product_id": "build-initvm-x86_64-20250306-150200.19.1.noarch"
}
},
{
"category": "product_version",
"name": "build-mkbaselibs-20250306-150200.19.1.noarch",
"product": {
"name": "build-mkbaselibs-20250306-150200.19.1.noarch",
"product_id": "build-mkbaselibs-20250306-150200.19.1.noarch"
}
},
{
"category": "product_version",
"name": "build-mkdrpms-20250306-150200.19.1.noarch",
"product": {
"name": "build-mkdrpms-20250306-150200.19.1.noarch",
"product_id": "build-mkdrpms-20250306-150200.19.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Development Tools 15 SP6",
"product": {
"name": "SUSE Linux Enterprise Module for Development Tools 15 SP6",
"product_id": "SUSE Linux Enterprise Module for Development Tools 15 SP6",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-development-tools:15:sp6"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle_hpc-ltss:15:sp3"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle_hpc-espos:15:sp4"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle_hpc-ltss:15:sp4"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle_hpc-espos:15:sp5"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle_hpc-ltss:15:sp5"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 15 SP3-LTSS",
"product": {
"name": "SUSE Linux Enterprise Server 15 SP3-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP3-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles-ltss:15:sp3"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 15 SP4-LTSS",
"product": {
"name": "SUSE Linux Enterprise Server 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP4-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles-ltss:15:sp4"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 15 SP5-LTSS",
"product": {
"name": "SUSE Linux Enterprise Server 15 SP5-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP5-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles-ltss:15:sp5"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP3",
"product": {
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP3",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP3",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles_sap:15:sp3"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP4",
"product": {
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP4",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP4",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles_sap:15:sp4"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP5",
"product": {
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP5",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP5",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles_sap:15:sp5"
}
}
},
{
"category": "product_name",
"name": "SUSE Enterprise Storage 7.1",
"product": {
"name": "SUSE Enterprise Storage 7.1",
"product_id": "SUSE Enterprise Storage 7.1",
"product_identification_helper": {
"cpe": "cpe:/o:suse:ses:7.1"
}
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.6",
"product": {
"name": "openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.6"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "build-20250306-150200.19.1.noarch as component of SUSE Linux Enterprise Module for Development Tools 15 SP6",
"product_id": "SUSE Linux Enterprise Module for Development Tools 15 SP6:build-20250306-150200.19.1.noarch"
},
"product_reference": "build-20250306-150200.19.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Development Tools 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "build-mkbaselibs-20250306-150200.19.1.noarch as component of SUSE Linux Enterprise Module for Development Tools 15 SP6",
"product_id": "SUSE Linux Enterprise Module for Development Tools 15 SP6:build-mkbaselibs-20250306-150200.19.1.noarch"
},
"product_reference": "build-mkbaselibs-20250306-150200.19.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Development Tools 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "build-20250306-150200.19.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:build-20250306-150200.19.1.noarch"
},
"product_reference": "build-20250306-150200.19.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "build-mkbaselibs-20250306-150200.19.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:build-mkbaselibs-20250306-150200.19.1.noarch"
},
"product_reference": "build-mkbaselibs-20250306-150200.19.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "build-20250306-150200.19.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:build-20250306-150200.19.1.noarch"
},
"product_reference": "build-20250306-150200.19.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "build-mkbaselibs-20250306-150200.19.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:build-mkbaselibs-20250306-150200.19.1.noarch"
},
"product_reference": "build-mkbaselibs-20250306-150200.19.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "build-20250306-150200.19.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:build-20250306-150200.19.1.noarch"
},
"product_reference": "build-20250306-150200.19.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "build-mkbaselibs-20250306-150200.19.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:build-mkbaselibs-20250306-150200.19.1.noarch"
},
"product_reference": "build-mkbaselibs-20250306-150200.19.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "build-20250306-150200.19.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:build-20250306-150200.19.1.noarch"
},
"product_reference": "build-20250306-150200.19.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "build-mkbaselibs-20250306-150200.19.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:build-mkbaselibs-20250306-150200.19.1.noarch"
},
"product_reference": "build-mkbaselibs-20250306-150200.19.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "build-20250306-150200.19.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:build-20250306-150200.19.1.noarch"
},
"product_reference": "build-20250306-150200.19.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "build-mkbaselibs-20250306-150200.19.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:build-mkbaselibs-20250306-150200.19.1.noarch"
},
"product_reference": "build-mkbaselibs-20250306-150200.19.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "build-20250306-150200.19.1.noarch as component of SUSE Linux Enterprise Server 15 SP3-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP3-LTSS:build-20250306-150200.19.1.noarch"
},
"product_reference": "build-20250306-150200.19.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP3-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "build-mkbaselibs-20250306-150200.19.1.noarch as component of SUSE Linux Enterprise Server 15 SP3-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP3-LTSS:build-mkbaselibs-20250306-150200.19.1.noarch"
},
"product_reference": "build-mkbaselibs-20250306-150200.19.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP3-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "build-20250306-150200.19.1.noarch as component of SUSE Linux Enterprise Server 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP4-LTSS:build-20250306-150200.19.1.noarch"
},
"product_reference": "build-20250306-150200.19.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP4-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "build-mkbaselibs-20250306-150200.19.1.noarch as component of SUSE Linux Enterprise Server 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP4-LTSS:build-mkbaselibs-20250306-150200.19.1.noarch"
},
"product_reference": "build-mkbaselibs-20250306-150200.19.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP4-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "build-20250306-150200.19.1.noarch as component of SUSE Linux Enterprise Server 15 SP5-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP5-LTSS:build-20250306-150200.19.1.noarch"
},
"product_reference": "build-20250306-150200.19.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP5-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "build-mkbaselibs-20250306-150200.19.1.noarch as component of SUSE Linux Enterprise Server 15 SP5-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP5-LTSS:build-mkbaselibs-20250306-150200.19.1.noarch"
},
"product_reference": "build-mkbaselibs-20250306-150200.19.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP5-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "build-20250306-150200.19.1.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP3",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP3:build-20250306-150200.19.1.noarch"
},
"product_reference": "build-20250306-150200.19.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "build-mkbaselibs-20250306-150200.19.1.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP3",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP3:build-mkbaselibs-20250306-150200.19.1.noarch"
},
"product_reference": "build-mkbaselibs-20250306-150200.19.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "build-20250306-150200.19.1.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP4",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP4:build-20250306-150200.19.1.noarch"
},
"product_reference": "build-20250306-150200.19.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "build-mkbaselibs-20250306-150200.19.1.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP4",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP4:build-mkbaselibs-20250306-150200.19.1.noarch"
},
"product_reference": "build-mkbaselibs-20250306-150200.19.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "build-20250306-150200.19.1.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP5",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP5:build-20250306-150200.19.1.noarch"
},
"product_reference": "build-20250306-150200.19.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "build-mkbaselibs-20250306-150200.19.1.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP5",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP5:build-mkbaselibs-20250306-150200.19.1.noarch"
},
"product_reference": "build-mkbaselibs-20250306-150200.19.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "build-20250306-150200.19.1.noarch as component of SUSE Enterprise Storage 7.1",
"product_id": "SUSE Enterprise Storage 7.1:build-20250306-150200.19.1.noarch"
},
"product_reference": "build-20250306-150200.19.1.noarch",
"relates_to_product_reference": "SUSE Enterprise Storage 7.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "build-mkbaselibs-20250306-150200.19.1.noarch as component of SUSE Enterprise Storage 7.1",
"product_id": "SUSE Enterprise Storage 7.1:build-mkbaselibs-20250306-150200.19.1.noarch"
},
"product_reference": "build-mkbaselibs-20250306-150200.19.1.noarch",
"relates_to_product_reference": "SUSE Enterprise Storage 7.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "build-20250306-150200.19.1.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:build-20250306-150200.19.1.noarch"
},
"product_reference": "build-20250306-150200.19.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "build-initvm-aarch64-20250306-150200.19.1.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:build-initvm-aarch64-20250306-150200.19.1.noarch"
},
"product_reference": "build-initvm-aarch64-20250306-150200.19.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "build-initvm-powerpc64le-20250306-150200.19.1.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:build-initvm-powerpc64le-20250306-150200.19.1.noarch"
},
"product_reference": "build-initvm-powerpc64le-20250306-150200.19.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "build-initvm-s390x-20250306-150200.19.1.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:build-initvm-s390x-20250306-150200.19.1.noarch"
},
"product_reference": "build-initvm-s390x-20250306-150200.19.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "build-initvm-x86_64-20250306-150200.19.1.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:build-initvm-x86_64-20250306-150200.19.1.noarch"
},
"product_reference": "build-initvm-x86_64-20250306-150200.19.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "build-mkbaselibs-20250306-150200.19.1.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:build-mkbaselibs-20250306-150200.19.1.noarch"
},
"product_reference": "build-mkbaselibs-20250306-150200.19.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "build-mkdrpms-20250306-150200.19.1.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:build-mkdrpms-20250306-150200.19.1.noarch"
},
"product_reference": "build-mkdrpms-20250306-150200.19.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-22038",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-22038"
}
],
"notes": [
{
"category": "general",
"text": "Various problems in obs-scm-bridge allow attackers that create specially crafted git repositories to leak information or cause denial of service.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Enterprise Storage 7.1:build-20250306-150200.19.1.noarch",
"SUSE Enterprise Storage 7.1:build-mkbaselibs-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:build-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:build-mkbaselibs-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:build-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:build-mkbaselibs-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:build-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:build-mkbaselibs-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:build-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:build-mkbaselibs-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:build-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:build-mkbaselibs-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP6:build-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP6:build-mkbaselibs-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise Server 15 SP3-LTSS:build-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise Server 15 SP3-LTSS:build-mkbaselibs-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:build-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:build-mkbaselibs-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise Server 15 SP5-LTSS:build-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise Server 15 SP5-LTSS:build-mkbaselibs-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP3:build-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP3:build-mkbaselibs-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:build-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:build-mkbaselibs-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:build-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:build-mkbaselibs-20250306-150200.19.1.noarch",
"openSUSE Leap 15.6:build-20250306-150200.19.1.noarch",
"openSUSE Leap 15.6:build-initvm-aarch64-20250306-150200.19.1.noarch",
"openSUSE Leap 15.6:build-initvm-powerpc64le-20250306-150200.19.1.noarch",
"openSUSE Leap 15.6:build-initvm-s390x-20250306-150200.19.1.noarch",
"openSUSE Leap 15.6:build-initvm-x86_64-20250306-150200.19.1.noarch",
"openSUSE Leap 15.6:build-mkbaselibs-20250306-150200.19.1.noarch",
"openSUSE Leap 15.6:build-mkdrpms-20250306-150200.19.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-22038",
"url": "https://www.suse.com/security/cve/CVE-2024-22038"
},
{
"category": "external",
"summary": "SUSE Bug 1230469 for CVE-2024-22038",
"url": "https://bugzilla.suse.com/1230469"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Enterprise Storage 7.1:build-20250306-150200.19.1.noarch",
"SUSE Enterprise Storage 7.1:build-mkbaselibs-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:build-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:build-mkbaselibs-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:build-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:build-mkbaselibs-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:build-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:build-mkbaselibs-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:build-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:build-mkbaselibs-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:build-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:build-mkbaselibs-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP6:build-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP6:build-mkbaselibs-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise Server 15 SP3-LTSS:build-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise Server 15 SP3-LTSS:build-mkbaselibs-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:build-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:build-mkbaselibs-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise Server 15 SP5-LTSS:build-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise Server 15 SP5-LTSS:build-mkbaselibs-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP3:build-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP3:build-mkbaselibs-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:build-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:build-mkbaselibs-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:build-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:build-mkbaselibs-20250306-150200.19.1.noarch",
"openSUSE Leap 15.6:build-20250306-150200.19.1.noarch",
"openSUSE Leap 15.6:build-initvm-aarch64-20250306-150200.19.1.noarch",
"openSUSE Leap 15.6:build-initvm-powerpc64le-20250306-150200.19.1.noarch",
"openSUSE Leap 15.6:build-initvm-s390x-20250306-150200.19.1.noarch",
"openSUSE Leap 15.6:build-initvm-x86_64-20250306-150200.19.1.noarch",
"openSUSE Leap 15.6:build-mkbaselibs-20250306-150200.19.1.noarch",
"openSUSE Leap 15.6:build-mkdrpms-20250306-150200.19.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Enterprise Storage 7.1:build-20250306-150200.19.1.noarch",
"SUSE Enterprise Storage 7.1:build-mkbaselibs-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:build-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:build-mkbaselibs-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:build-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:build-mkbaselibs-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:build-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:build-mkbaselibs-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:build-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:build-mkbaselibs-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:build-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:build-mkbaselibs-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP6:build-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP6:build-mkbaselibs-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise Server 15 SP3-LTSS:build-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise Server 15 SP3-LTSS:build-mkbaselibs-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:build-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:build-mkbaselibs-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise Server 15 SP5-LTSS:build-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise Server 15 SP5-LTSS:build-mkbaselibs-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP3:build-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP3:build-mkbaselibs-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:build-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:build-mkbaselibs-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:build-20250306-150200.19.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:build-mkbaselibs-20250306-150200.19.1.noarch",
"openSUSE Leap 15.6:build-20250306-150200.19.1.noarch",
"openSUSE Leap 15.6:build-initvm-aarch64-20250306-150200.19.1.noarch",
"openSUSE Leap 15.6:build-initvm-powerpc64le-20250306-150200.19.1.noarch",
"openSUSE Leap 15.6:build-initvm-s390x-20250306-150200.19.1.noarch",
"openSUSE Leap 15.6:build-initvm-x86_64-20250306-150200.19.1.noarch",
"openSUSE Leap 15.6:build-mkbaselibs-20250306-150200.19.1.noarch",
"openSUSE Leap 15.6:build-mkdrpms-20250306-150200.19.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-13T17:58:06Z",
"details": "important"
}
],
"title": "CVE-2024-22038"
}
]
}
SUSE-SU-2024:4212-1
Vulnerability from csaf_suse - Published: 2024-12-05 16:04 - Updated: 2024-12-05 16:04
Summary
Security update for obs-scm-bridge
Notes
Title of the patch
Security update for obs-scm-bridge
Description of the patch
This update for obs-scm-bridge fixes the following issues:
Updated to version 0.5.4:
- CVE-2024-22038: Fixed DoS attacks, information leaks with crafted Git repositories (bnc#1230469)
Patchnames
SUSE-2024-4212,SUSE-SLE-Module-Development-Tools-15-SP5-2024-4212,SUSE-SLE-Module-Development-Tools-15-SP6-2024-4212,SUSE-SLE-Product-HPC-15-SP2-LTSS-2024-4212,SUSE-SLE-Product-HPC-15-SP3-LTSS-2024-4212,SUSE-SLE-Product-HPC-15-SP4-ESPOS-2024-4212,SUSE-SLE-Product-HPC-15-SP4-LTSS-2024-4212,SUSE-SLE-Product-SLED-15-SP4-LTSS-2024-4212,SUSE-SLE-Product-SLES-15-SP2-LTSS-2024-4212,SUSE-SLE-Product-SLES-15-SP3-LTSS-2024-4212,SUSE-SLE-Product-SLES-15-SP4-LTSS-2024-4212,SUSE-SLE-Product-SLES_SAP-15-SP2-2024-4212,SUSE-SLE-Product-SLES_SAP-15-SP3-2024-4212,SUSE-SLE-Product-SLES_SAP-15-SP4-2024-4212,SUSE-Storage-7.1-2024-4212,openSUSE-SLE-15.5-2024-4212,openSUSE-SLE-15.6-2024-4212
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for obs-scm-bridge",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for obs-scm-bridge fixes the following issues:\n\n Updated to version 0.5.4:\n - CVE-2024-22038: Fixed DoS attacks, information leaks with crafted Git repositories (bnc#1230469)\n\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2024-4212,SUSE-SLE-Module-Development-Tools-15-SP5-2024-4212,SUSE-SLE-Module-Development-Tools-15-SP6-2024-4212,SUSE-SLE-Product-HPC-15-SP2-LTSS-2024-4212,SUSE-SLE-Product-HPC-15-SP3-LTSS-2024-4212,SUSE-SLE-Product-HPC-15-SP4-ESPOS-2024-4212,SUSE-SLE-Product-HPC-15-SP4-LTSS-2024-4212,SUSE-SLE-Product-SLED-15-SP4-LTSS-2024-4212,SUSE-SLE-Product-SLES-15-SP2-LTSS-2024-4212,SUSE-SLE-Product-SLES-15-SP3-LTSS-2024-4212,SUSE-SLE-Product-SLES-15-SP4-LTSS-2024-4212,SUSE-SLE-Product-SLES_SAP-15-SP2-2024-4212,SUSE-SLE-Product-SLES_SAP-15-SP3-2024-4212,SUSE-SLE-Product-SLES_SAP-15-SP4-2024-4212,SUSE-Storage-7.1-2024-4212,openSUSE-SLE-15.5-2024-4212,openSUSE-SLE-15.6-2024-4212",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2024_4212-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2024:4212-1",
"url": "https://www.suse.com/support/update/announcement/2024/suse-su-20244212-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2024:4212-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2024-December/019937.html"
},
{
"category": "self",
"summary": "SUSE Bug 1230469",
"url": "https://bugzilla.suse.com/1230469"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-22038 page",
"url": "https://www.suse.com/security/cve/CVE-2024-22038/"
}
],
"title": "Security update for obs-scm-bridge",
"tracking": {
"current_release_date": "2024-12-05T16:04:31Z",
"generator": {
"date": "2024-12-05T16:04:31Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2024:4212-1",
"initial_release_date": "2024-12-05T16:04:31Z",
"revision_history": [
{
"date": "2024-12-05T16:04:31Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "obs-scm-bridge-0.5.4-150100.3.6.1.noarch",
"product": {
"name": "obs-scm-bridge-0.5.4-150100.3.6.1.noarch",
"product_id": "obs-scm-bridge-0.5.4-150100.3.6.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Development Tools 15 SP5",
"product": {
"name": "SUSE Linux Enterprise Module for Development Tools 15 SP5",
"product_id": "SUSE Linux Enterprise Module for Development Tools 15 SP5",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-development-tools:15:sp5"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Development Tools 15 SP6",
"product": {
"name": "SUSE Linux Enterprise Module for Development Tools 15 SP6",
"product_id": "SUSE Linux Enterprise Module for Development Tools 15 SP6",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-development-tools:15:sp6"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle_hpc-ltss:15:sp2"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle_hpc-ltss:15:sp3"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle_hpc-espos:15:sp4"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle_hpc-ltss:15:sp4"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 15 SP2-LTSS",
"product": {
"name": "SUSE Linux Enterprise Server 15 SP2-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP2-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles-ltss:15:sp2"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 15 SP3-LTSS",
"product": {
"name": "SUSE Linux Enterprise Server 15 SP3-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP3-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles-ltss:15:sp3"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 15 SP4-LTSS",
"product": {
"name": "SUSE Linux Enterprise Server 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP4-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles-ltss:15:sp4"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP2",
"product": {
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP2",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP2",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles_sap:15:sp2"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP3",
"product": {
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP3",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP3",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles_sap:15:sp3"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP4",
"product": {
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP4",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP4",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles_sap:15:sp4"
}
}
},
{
"category": "product_name",
"name": "SUSE Enterprise Storage 7.1",
"product": {
"name": "SUSE Enterprise Storage 7.1",
"product_id": "SUSE Enterprise Storage 7.1",
"product_identification_helper": {
"cpe": "cpe:/o:suse:ses:7.1"
}
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.5",
"product": {
"name": "openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.5"
}
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.6",
"product": {
"name": "openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.6"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "obs-scm-bridge-0.5.4-150100.3.6.1.noarch as component of SUSE Linux Enterprise Module for Development Tools 15 SP5",
"product_id": "SUSE Linux Enterprise Module for Development Tools 15 SP5:obs-scm-bridge-0.5.4-150100.3.6.1.noarch"
},
"product_reference": "obs-scm-bridge-0.5.4-150100.3.6.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Development Tools 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "obs-scm-bridge-0.5.4-150100.3.6.1.noarch as component of SUSE Linux Enterprise Module for Development Tools 15 SP6",
"product_id": "SUSE Linux Enterprise Module for Development Tools 15 SP6:obs-scm-bridge-0.5.4-150100.3.6.1.noarch"
},
"product_reference": "obs-scm-bridge-0.5.4-150100.3.6.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Development Tools 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "obs-scm-bridge-0.5.4-150100.3.6.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:obs-scm-bridge-0.5.4-150100.3.6.1.noarch"
},
"product_reference": "obs-scm-bridge-0.5.4-150100.3.6.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "obs-scm-bridge-0.5.4-150100.3.6.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:obs-scm-bridge-0.5.4-150100.3.6.1.noarch"
},
"product_reference": "obs-scm-bridge-0.5.4-150100.3.6.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "obs-scm-bridge-0.5.4-150100.3.6.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:obs-scm-bridge-0.5.4-150100.3.6.1.noarch"
},
"product_reference": "obs-scm-bridge-0.5.4-150100.3.6.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "obs-scm-bridge-0.5.4-150100.3.6.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:obs-scm-bridge-0.5.4-150100.3.6.1.noarch"
},
"product_reference": "obs-scm-bridge-0.5.4-150100.3.6.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "obs-scm-bridge-0.5.4-150100.3.6.1.noarch as component of SUSE Linux Enterprise Server 15 SP2-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP2-LTSS:obs-scm-bridge-0.5.4-150100.3.6.1.noarch"
},
"product_reference": "obs-scm-bridge-0.5.4-150100.3.6.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP2-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "obs-scm-bridge-0.5.4-150100.3.6.1.noarch as component of SUSE Linux Enterprise Server 15 SP3-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP3-LTSS:obs-scm-bridge-0.5.4-150100.3.6.1.noarch"
},
"product_reference": "obs-scm-bridge-0.5.4-150100.3.6.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP3-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "obs-scm-bridge-0.5.4-150100.3.6.1.noarch as component of SUSE Linux Enterprise Server 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP4-LTSS:obs-scm-bridge-0.5.4-150100.3.6.1.noarch"
},
"product_reference": "obs-scm-bridge-0.5.4-150100.3.6.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP4-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "obs-scm-bridge-0.5.4-150100.3.6.1.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP2",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP2:obs-scm-bridge-0.5.4-150100.3.6.1.noarch"
},
"product_reference": "obs-scm-bridge-0.5.4-150100.3.6.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "obs-scm-bridge-0.5.4-150100.3.6.1.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP3",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP3:obs-scm-bridge-0.5.4-150100.3.6.1.noarch"
},
"product_reference": "obs-scm-bridge-0.5.4-150100.3.6.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "obs-scm-bridge-0.5.4-150100.3.6.1.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP4",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP4:obs-scm-bridge-0.5.4-150100.3.6.1.noarch"
},
"product_reference": "obs-scm-bridge-0.5.4-150100.3.6.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "obs-scm-bridge-0.5.4-150100.3.6.1.noarch as component of SUSE Enterprise Storage 7.1",
"product_id": "SUSE Enterprise Storage 7.1:obs-scm-bridge-0.5.4-150100.3.6.1.noarch"
},
"product_reference": "obs-scm-bridge-0.5.4-150100.3.6.1.noarch",
"relates_to_product_reference": "SUSE Enterprise Storage 7.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "obs-scm-bridge-0.5.4-150100.3.6.1.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:obs-scm-bridge-0.5.4-150100.3.6.1.noarch"
},
"product_reference": "obs-scm-bridge-0.5.4-150100.3.6.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "obs-scm-bridge-0.5.4-150100.3.6.1.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:obs-scm-bridge-0.5.4-150100.3.6.1.noarch"
},
"product_reference": "obs-scm-bridge-0.5.4-150100.3.6.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-22038",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-22038"
}
],
"notes": [
{
"category": "general",
"text": "Various problems in obs-scm-bridge allows attackers that create specially crafted git repositories to leak information of cause denial of service.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Enterprise Storage 7.1:obs-scm-bridge-0.5.4-150100.3.6.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:obs-scm-bridge-0.5.4-150100.3.6.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:obs-scm-bridge-0.5.4-150100.3.6.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:obs-scm-bridge-0.5.4-150100.3.6.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:obs-scm-bridge-0.5.4-150100.3.6.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP5:obs-scm-bridge-0.5.4-150100.3.6.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP6:obs-scm-bridge-0.5.4-150100.3.6.1.noarch",
"SUSE Linux Enterprise Server 15 SP2-LTSS:obs-scm-bridge-0.5.4-150100.3.6.1.noarch",
"SUSE Linux Enterprise Server 15 SP3-LTSS:obs-scm-bridge-0.5.4-150100.3.6.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:obs-scm-bridge-0.5.4-150100.3.6.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP2:obs-scm-bridge-0.5.4-150100.3.6.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP3:obs-scm-bridge-0.5.4-150100.3.6.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:obs-scm-bridge-0.5.4-150100.3.6.1.noarch",
"openSUSE Leap 15.5:obs-scm-bridge-0.5.4-150100.3.6.1.noarch",
"openSUSE Leap 15.6:obs-scm-bridge-0.5.4-150100.3.6.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-22038",
"url": "https://www.suse.com/security/cve/CVE-2024-22038"
},
{
"category": "external",
"summary": "SUSE Bug 1230469 for CVE-2024-22038",
"url": "https://bugzilla.suse.com/1230469"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Enterprise Storage 7.1:obs-scm-bridge-0.5.4-150100.3.6.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:obs-scm-bridge-0.5.4-150100.3.6.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:obs-scm-bridge-0.5.4-150100.3.6.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:obs-scm-bridge-0.5.4-150100.3.6.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:obs-scm-bridge-0.5.4-150100.3.6.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP5:obs-scm-bridge-0.5.4-150100.3.6.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP6:obs-scm-bridge-0.5.4-150100.3.6.1.noarch",
"SUSE Linux Enterprise Server 15 SP2-LTSS:obs-scm-bridge-0.5.4-150100.3.6.1.noarch",
"SUSE Linux Enterprise Server 15 SP3-LTSS:obs-scm-bridge-0.5.4-150100.3.6.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:obs-scm-bridge-0.5.4-150100.3.6.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP2:obs-scm-bridge-0.5.4-150100.3.6.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP3:obs-scm-bridge-0.5.4-150100.3.6.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:obs-scm-bridge-0.5.4-150100.3.6.1.noarch",
"openSUSE Leap 15.5:obs-scm-bridge-0.5.4-150100.3.6.1.noarch",
"openSUSE Leap 15.6:obs-scm-bridge-0.5.4-150100.3.6.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Enterprise Storage 7.1:obs-scm-bridge-0.5.4-150100.3.6.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:obs-scm-bridge-0.5.4-150100.3.6.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:obs-scm-bridge-0.5.4-150100.3.6.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:obs-scm-bridge-0.5.4-150100.3.6.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:obs-scm-bridge-0.5.4-150100.3.6.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP5:obs-scm-bridge-0.5.4-150100.3.6.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP6:obs-scm-bridge-0.5.4-150100.3.6.1.noarch",
"SUSE Linux Enterprise Server 15 SP2-LTSS:obs-scm-bridge-0.5.4-150100.3.6.1.noarch",
"SUSE Linux Enterprise Server 15 SP3-LTSS:obs-scm-bridge-0.5.4-150100.3.6.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:obs-scm-bridge-0.5.4-150100.3.6.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP2:obs-scm-bridge-0.5.4-150100.3.6.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP3:obs-scm-bridge-0.5.4-150100.3.6.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:obs-scm-bridge-0.5.4-150100.3.6.1.noarch",
"openSUSE Leap 15.5:obs-scm-bridge-0.5.4-150100.3.6.1.noarch",
"openSUSE Leap 15.6:obs-scm-bridge-0.5.4-150100.3.6.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-12-05T16:04:31Z",
"details": "important"
}
],
"title": "CVE-2024-22038"
}
]
}
GHSA-4HX2-H4M6-QCHX
Vulnerability from github – Published: 2024-11-28 18:38 – Updated: 2024-11-28 18:38
Details
Various problems in obs-scm-bridge allow attackers that create specially crafted git repositories to leak information or cause denial of service.
Severity ?
{
"affected": [],
"aliases": [
"CVE-2024-22038"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-28T10:15:07Z",
"severity": "MODERATE"
},
"details": "Various problems in obs-scm-bridge allows attackers that create specially crafted git repositories to leak information of cause denial of service.",
"id": "GHSA-4hx2-h4m6-qchx",
"modified": "2024-11-28T18:38:36Z",
"published": "2024-11-28T18:38:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22038"
},
{
"type": "WEB",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2024-22038"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
FKIE_CVE-2024-22038
Vulnerability from fkie_nvd - Published: 2024-11-28 10:15 - Updated: 2024-11-28 10:15
Severity ?
Summary
Various problems in obs-scm-bridge allow attackers that create specially crafted git repositories to leak information or cause denial of service.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Various problems in obs-scm-bridge allows attackers that create specially crafted git repositories to leak information of cause denial of service."
},
{
"lang": "es",
"value": "Varios problemas en obs-scm-bridge permiten a atacantes que crean repositorios git especialmente manipulados filtrar informaci\u00f3n o provocar una denegaci\u00f3n de servicio."
}
],
"id": "CVE-2024-22038",
"lastModified": "2024-11-28T10:15:07.567",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.5,
"source": "meissner@suse.de",
"type": "Secondary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "meissner@suse.de",
"type": "Secondary"
}
]
},
"published": "2024-11-28T10:15:07.567",
"references": [
{
"source": "meissner@suse.de",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2024-22038"
}
],
"sourceIdentifier": "meissner@suse.de",
"vulnStatus": "Awaiting Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-59"
}
],
"source": "meissner@suse.de",
"type": "Secondary"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.