OPENSUSE-SU-2026:20361-1
Vulnerability from csaf_opensuse - Published: 2026-03-12 20:54 - Updated: 2026-03-12 20:54
Summary
Security update for osc, obs-scm-bridge
Notes
Title of the patch
Security update for osc, obs-scm-bridge
Description of the patch
This update for osc, obs-scm-bridge fixes the following issues:
Changes in osc:
- 1.24.0
- Command-line:
- Add '--target-owner' option to 'git-obs repo fork' command
- Add '--self' parameter to fix 'no matching parent repo' error message in 'git-obs pr create'
- Fix 'osc aggregatepac' for scmsync packages
- Fix 'osc build' to retrieve buildconfig from git package's cache
- Fix 'osc token' error handling for project wide trigger
- Fix string formatting for id in obs-request.xml in 'git-obs pr dump'
- Library:
- Consolidate build types in build.py and commandline.py
- Fix build.get_build_type() by comparing binary_type only if specified
- Make use of queryconfig tool configurable and consistent
- Fix how get_request_collection() filters the projects and packages
- Support copying packages from an scmsync source, when target exists
- Add timestamps to the DEBUG output
- Update new project template
- 1.23.0
- Command-line:
- Add '--target-owner' option to 'git-obs pr create' to specify the target owner explicitly
- Add '--target-branch' option to 'git-obs staging search' command
- Added 'git-obs staging search' command to find project PRs with referenced package PRs that have all been approved
- Change 'git-obs pr dump' to produce directories that match the specified pull request IDs
- Change 'git-obs pr dump' to write STATUS file
- Properly error out on invalid 'PR:' references in 'git-obs pr dump'
- Fix 'git-obs pr create' when the source repo is not a fork
- Fix 'git-obs api' command when server returns 'null'
- Fix 'osc build --alternative-project=...' when there's no .osc in the current directory
- Fix argument and store handling in 'osc results' command
- Library:
- Add Manifest.get_package_paths() method that lists all paths to existing packages in a project
- Fix Manifest class to handle loading empty YAML files or strings
- Fix working with meta during git rebase by determining the current branch from rebase head
- Fix handling local branch when fetching remote
- Move get_label_ids() from PullRequest to Repo class
- Change GitStore not to require apiurl anymore
- Fix storing last_buildroot for git packages
- Store the last buildroot only if there's a store detected
- Fix BuildRoot so it acts as a tuple and the individual values are accessible via indexes
- Make PullRequest.parse_id() more permissive by accepting trailing whitespace
- Fix 'missingok' argument in server_diff()
- Fix gitea_api.PullRequest ordering methods
- Add return to gitea_api.Branch.list()
- PKGBUILD changes
* Remove redundant packages from makedepends. If a package depends
on something, it implicitly makedepends on it as well
* Add python-ruamel-yaml dependency
* Build and install man pages
* Add python-argparse-manpage and python-sphinx to makedepends for
building man pages
* Add check() to run the test suite
* Add checkdepends for test suite dependencies
* Add optdepends as an equivalent to RPM's Recommends, making it
easier for users to find packages needed for optional features
* Use $pkgname variable across the script
* Install shell completion files
* Bump pkgrel
- 1.22.0
- Command-line:
- Add 'git-obs staging' commands
- Add '--gitea-fork-org' option to 'osc fork' command
- Add '--git-branch' option to 'osc fork' command
- Add 'DELETE' to 'git-obs api' allowed methods
- Add commit messages as commented lines to the template in 'git-obs pr create'
- Add filtering by label to 'git-obs pr list'
- Properly handle fork mismatch in 'osc fork'
- Change 'osc build' to build from any git repo if '--alternative-project' is specified
- Fix 'osc service' for git based packages
- Fix 'git-obs pr dump' to skip the dump if the target has the same updated_at timestamp as the pull request in Gitea
- Fix 'git-obs pr dump' to do case insensitive check on owner and repo
- Fix retrieving 'arch' argument in 'osc buildlog'
- Library:
- Add 'status' to the output of gitea_api.Git.get_submodules()
- Add 'remote' argument to gitea_api.Repo.clone_or_update()
- Add gitea_api.common.TemporaryDirectory class that supports 'delete' argument on python 3.6+
- Add gitea_api.GitDiffGenerator class for creating submodule diffs without a git checkout
- Add 'depth' argument to gitea_api.Repo.clone() and clone_or_update()
- Add gitea_api.StagingPullRequestWrapper class for handling staging
- Add gitea_api.PullRequest.get_host_owner_repo_number() method
- Make GitObsCommand.add_argument_owner_repo() and add_argument_owner_repo_pull() reusable by allowing setting 'dest' argument
- Warn if the git package doesn't have the same branch as the parent project
- Extend gitea_api.PullRequest with methods that work with 'PR:' references
- Support setting labels in gitea_api.PullRequest.create()
- Fix gitea_api to use pagination instead of limit -1 everywhere
- Remove duplicate, unused PullRequestReview class from gitea_api.pr
- Move clone_or_update() from 'git-obs pr dump' command to gitea_api.Repo
- Change gitea_api.Repo.clone_or_update() to take 'ssh_private_key_path' argument
- Improve performance of gitea_api.IssueTimelineEntry by listing and caching requests instead of fetching them one by one
- Make GitObsCommand.add_argument_owner_repo() and add_argument_owner_repo_pull() reusable by allowing setting 'help' argument
- Change gitea_api.Repo.clone() to stop borrowing objects when 'reference' or 'reference_if_able' is used
- Fix the resulting dictionary in gitea_api.PullRequest._get_label_ids()
- Make gitea_api.RepoExists exception more helpful by giving a hint to fork under a different name
- Use server_diff() instead of server_diff_noex() to exit with a non-zero return code
- Return preinstallimage.info and allow podman to use preinstallimage
- 1.21.0
- Command-line:
- Modify osc subcommands to error out if they don't work with git
- Add 'git-obs meta' commands for managing the local metadata
- Add 'git-obs meta info' command for printing resolved metadata about the current checkout
- Add -b/--branch option to 'git-obs repo clone' command
- Add 'git-obs pr dump' command to store pull request information on disk
- Add 'git-obs --quiet' option (that mutes printing gitea settings now)
- Automatically pull meta after 'git-obs repo clone'
- Change 'git-obs pr review interactive' to write 'merge ok' comment instead of scheduling a merge
- Mute stderr when creating a worktree in 'git-obs pr review interactive'
- Change 'git-obs -G' to accept url to select a gitea login entry
- Support substitutions in 'osc build --root'
- Fix crash in 'osc build' when 'build_repositories' in store was None
- Fix filtering by reviewers in 'git-obs pr list'
- Update 'osc rq show' command to include history comments in verbose mode
- Library:
- Refactor GitStore
- Migrate git_scm.Store over to gitea_api.Git
- Store buildinfo and buildconfig files in GitStore's cache instead of directly in the repo
- Move code from 'git-obs meta pull' command to GitStore.pull()
- Improve GitStore.pull() to support reading project from project.build
- Rephrase the error message about detached HEAD in GitStore
- Improve GitStore's error messages by adding instructions on how to fix missing metadata
- Be more permissive when loading parent project_store in GitStore
- Fix loading _manifest in a project git
- Fix git store to check if all the required fields are present
- Derive package name from topdir if a package is part of a project checkout
- Change 'git-obs pr review interactive' to run pager process as a context manager
- Change obs_api.TarDiff to spawn a process extracting archives as a context manager
- Change 'commit' argument in gitea_api.Git.reset() to optional
- Add gitea_api.Git.get_owner_repo_from_url() staticmethod
- Add gitea_api.Git.urljoin() static method
- Fix gitea_api.Git.get_branch_head() to raise a proper exception if the HEAD cannot be retrieved
- Fix gitea_api.Git to work with the current remote instead of 'origin'
- Fix get_store() to throw the exception from git store if .osc directory is not present
- Introduce GitObsRuntimeError exception and use it where appropriate
- Fix tardiff by removing directories with shutil.rmtree() and files by os.unlink()
- Add 'quiet' option to gitea_api.Git.switch()
- Mute stderr in git_obs.Git.lfs_cat_file()
- Treat None flavor as "" in multibuild resolve
- Make Token.triggered_at optional as it's not available in the officially released OBS code
- Add BaseModel.from_string() and BaseModel.to_string() methods
- Add BaseModel.from_file() and BaseModel.to_file() methods
- Fix BaseModel to initialize from a dictionary via __init__ instead of setattr
- Docs:
- Update docs for the new git metadata store
- Update list of recommended gitea permissions in git-obs-quickstart
- Spec:
- Install git-obs-metadata man page
- 1.20.0
- Command-line:
- Fix 'osc fork' command to use the right tracking branch
- Fix 'osc blt' command by checking if the working copy is a package
- Make 'osc buildlog' work outside of osc package directory
- Add 'git-obs pr close' and 'git-obs pr reopen' commands
- Add 'close' option to 'git-obs pr review interactive'
- Change 'git-obs pr review interactive' to work with all archives, not only those in Git LFS
- Fix checkout of the base branch in 'git-obs pr review interactive' command
- Library:
- Support _manifest file in git store
- Allow pull request IDs in '<owner>/<repo>!<number>' format
- Properly handle deleted users and teams in the git-obs timeline
- Handle situations when there's 'None' among timeline entries
- Skip binary files in gitea_api.PullRequest.get_patch()
- Change get_user_input(), add support for vertically printed list of answers
- Spec:
- Provide git-obs
- 1.19.1
- Command-line:
- Use OSC_PACKAGE_CACHE_DIR env var instead of deprecated OSC_PACKAGECACHEDIR
- Connection:
- Check for both upper and lowercase versions of HTTP_PROXY and HTTPS_PROXY env vars
- Library:
- Add 'trackingbranch' field to ScmsyncObsinfo model
- Revert "Return None if GitStore cannot determine apiurl"
- Throw a proper exception when 'apiurl' argument of 'makeurl()' is empty
- Move code setting apiurl from store to 'osc.conf.get_config()'
- Simplify 'osc.commandline.Osc.get_api_url()' to return the value from 'self.options'
- Remove 'osc.commandline.Osc.post_argparse()' because it's no longer used
- Fix unit tests to use the new code path to run osc
- Fix osc.gitea_api.dt_sanitize() by replacing dateutil with datetime
- 1.19.0
- Command-line:
- Add 'git-obs pr cancel-scheduled-merge' command
- Add timeline to 'git-obs pr review interactive'
- Add '--timeline' option to 'git-obs pr get'
- Fix 'git-obs pr search' by using pagination to retrieve all results
- Extend '--message' option in git-obs subcommands with the '-m' short option
- Add a different message for scheduled merges in 'git-obs pr merge' command
- Library:
- Add 'conn' parameter to gitea_api.common.GiteaModel
- Add gitea_api.Connection.scheme attribute
- Add gitea_api.PullRequest.merge_commit property
- Add gitea_api.PullRequest.get_owner_repo_number()
- Add gitea_api.common.dt_sanitize() for sanitizing datetime strings
- Handle missing head repo in the PullRequest properties
- Return None if GitStore cannot determine apiurl
- Remove extra newline from store files
- Fix the 'Move remaining imports in osc.babysitter into try-except block' change by preserving the order of handling the exceptions
- Spec:
- Use primary_python to define runtime requires matching the shebang lines
- Provide %{use_python_pkg}-osc for all pythons and python3-osc for primary_python
- Add conflict with obs-scm-bridge < 0.7.3
- 1.18.0
- Command-line:
- Add 'git-obs pr comment [--message=...]' command
- Add 'git-obs pr show-patch' command
- Add '--reviewer' option to 'git-obs pr review {approve,decline,interactive}' to support group reviews via group review bot
- Update 'git-obs pr review interactive' to return non-zero return codes for 'exit' and 'skip' actions
- Make 'osc results --show-excluded' work in a project context
- Add '--no-pager' global option
- Fix 'osc fork' by copying whole query part to the new scmsync url
- Fix 'osc buildinfo' for git packages by handing the 'build_repositories' files by store objects
- Fix crash in 'git-obs pr get --patch'
- Fix git-obs to exit with 130 on keyboard interrupt
- Fix --sccache help typo in 'osc build' command
- Connection:
- Don't retry requests on 504 Gateway Timeout
- Library:
- If a devel project is not specified, try reading it from a mapping from URL set in OBS:GitDevelProjectMap project attribute
- Improve detection of packages and projects in git
- scmsync_obsinfo: Pass correct revision to obs-scm-bridge
- Add obs_api.Request.search() method
- Raise an exception if obs-scm-bridge fails
- Fix obs_scm.Package.get_pulled_srcmd5() returning an empty string
- Fix git store to support non-default remote
- Extend 'gitea_api.User.get()' to take 'username' parameter
- Move get_editor() and related functions from command-line module to gitea_api.common
- Migrate subcommands from using Store() to get_store() that is git aware
- Make imports lazy to improve osc load times
Changes in obs-scm-bridge:
- use the system default python version (boo#1247410)
- 0.7.4
* syntax fix
- 0.7.3
* fix .gitsubmodule parser to handle space and tabs mixed
- package /etc/obs/service directories
- 0.7.2
* Improved error reporting of invalid files in package subdirs
* Introducing a mechanic to limit asset handling
- 0.7.1
* export trackingbranch to scmsync.obsinfo
- 0.7.0
* supporting _manifest file as successor of _subdirs
* record configured branch of submodules in package scmsync url
* stay on the configured branch of a submodule on checkout
- 0.6.3
* Allow ssh:// scm urls as used by osc
* project mode: avoid unnecessary changes in package meta url
* code cleanup
- fix dependency (it is python3-PyYAML)
- fix missing dependency to PyYAML
- 0.6.2
* Make project mode always look for _config in the top dir, also
when using subdirs.
- 0.6.1
* new noobsinfo query parameter
(can be used to hide git information in sources, binaries
won't contain them either then).
- 0.6.0
* project mode: switching to track package sources using
git sha sums instead of md5sum via download_assets
- 0.5.4
* fixed support of subdir parameter usage on project level
* Fix handling of projectscmsync in the package xml writers
- 0.5.3
* Switch to ssh url when using the bridge via osc
- 0.5.2
* Don't overwrite files from git, but complain instead with
an error. For example _scmsync.obsinfo file must not be part
of the git tree. boo#1230469 CVE-2024-22038
- 0.5.1
* Don't generate _scmsync.obsinfo outside of OBS source server
import use case (eg. no more for osc co)
* Enforce python 3.11 requirement
* Fix export of _scmsync.obsinfo in project mode
* Fix submodule detection
* EXPERIMENTAL: support multiple package subdirs via _subdirs
file. This syntax will change!
(not documented on purpose therefore atm)
* Using git credential manager
* Report some errors as transient, so that OBS can re-try
Patchnames
openSUSE-Leap-16.0-packagehub-162
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for osc, obs-scm-bridge",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for osc, obs-scm-bridge fixes the following issues:\n\nChanges in osc:\n\n- 1.24.0\n - Command-line:\n - Add \u0027--target-owner\u0027 option to \u0027git-obs repo fork\u0027 command\n - Add \u0027--self\u0027 parameter to fix \u0027no matching parent repo\u0027 error message in \u0027git-obs pr create\u0027\n - Fix \u0027osc aggregatepac\u0027 for scmsync packages\n - Fix \u0027osc build\u0027 to retrieve buildconfig from git package\u0027s cache\n - Fix \u0027osc token\u0027 error handling for project wide trigger\n - Fix string formatting for id in obs-request.xml in \u0027git-obs pr dump\u0027\n - Library:\n - Consolidate build types in build.py and commandline.py\n - Fix build.get_build_type() by comparing binary_type only if specified\n - Make use of queryconfig tool configurable and consistent\n - Fix how get_request_collection() filters the projects and packages\n - Support copying packages from an scmsync source, when target exists\n - Add timestamps to the DEBUG output\n - Update new project template\n\n- 1.23.0\n - Command-line:\n - Add \u0027--target-owner\u0027 option to \u0027git-obs pr create\u0027 to specify the target owner explicitly\n - Add \u0027--target-branch\u0027 option to \u0027git-obs staging search\u0027 command\n - Added \u0027git-obs staging search\u0027 command to find project PRs with referenced package PRs that have all been approved\n - Change \u0027git-obs pr dump\u0027 to produce directories that match the specified pull request IDs\n - Change \u0027git-obs pr dump\u0027 to write STATUS file\n - Properly error out on invalid \u0027PR:\u0027 references in \u0027git-obs pr dump\u0027\n - Fix \u0027git-obs pr create\u0027 when the source repo is not a fork\n - Fix \u0027git-obs api\u0027 command when server returns \u0027null\u0027\n - Fix \u0027osc build --alternative-project=...\u0027 when there\u0027s no .osc in the current directory\n - Fix argument and store handling in \u0027osc results\u0027 command\n - 
Library:\n - Add Manifest.get_package_paths() method that lists all paths to existings packages in a project\n - Fix Manifest class to handle loading empty YAML files or strings\n - Fix working with meta during git rebase by determining the current branch from rebase head\n - Fix handling local branch when fetching remote\n - Move get_label_ids() from PullRequest to Repo class\n - Change GitStore not to require apiurl anymore\n - Fix storing last_buildroot for git packages\n - Store the last buildroot only if there\u0027s a store detected\n - Fix BuildRoot so it acts as a tuple and the individual values are accessible via indexes\n - Make PullReqest.parse_id() more permissive by accepting trailing whitespaces\n - Fix \u0027missingok\u0027 argument in server_diff()\n - Fix gitea_api.PullRequest ordering methods\n - Add return to gitea_api.Branch.list()\n\n- PKGBUILD changes\n * Remove redundant packages from makedepends. If a package depends\n on something, it implicitly makedepends on it as well\n * Add python-ruamel-yaml dependency\n * Build and install man pages\n * Add python-argparse-manpage and python-sphinx to makedepends for\n building man pages\n * Add check() to run the test suite\n * Add checkdepends for test suite dependencies\n * Add optdepends as an equivalent to RPM\u0027s Recommends, making it\n easier for users to find packages needed for optional features\n * Use $pkgname variable across the script\n * Install shell completion files\n * Bump pkgrel\n\n- 1.22.0\n - Command-line:\n - Add \u0027git-obs staging\u0027 commands\n - Add \u0027--gitea-fork-org\u0027 option to \u0027osc fork\u0027 command\n - Add \u0027--git-branch\u0027 option to \u0027osc fork\u0027 command\n - Add \u0027DELETE\u0027 to \u0027git-obs api\u0027 allowed methods\n - Add commit messages as commented lines to the template in \u0027git-obs pr create\u0027\n - Add filtering by label to \u0027git-obs pr list\u0027\n - Properly handle fork mismatch in \u0027osc fork\u0027\n - 
Change \u0027osc build\u0027 to build from any git repo if \u0027--alternative-project\u0027 is specified\n - Fix \u0027osc service\u0027 for git based packages\n - Fix \u0027git-obs pr dump\u0027 to skip the dump if the target has the same updated_at timestamp as the pull request in Gitea\n - Fix \u0027git-obs pr dump\u0027 to do case insensitive check on owner and repo\n - Fix retrieving \u0027arch\u0027 argument in \u0027osc buildlog\u0027\n - Library:\n - Add \u0027status\u0027 to the output of gitea_api.Git.get_submodules()\n - Add \u0027remote\u0027 argument to gitea_api.Repo.clone_or_update()\n - Add gitea_api.common.TemporaryDirectory class that supports \u0027delete\u0027 argument on python 3.6+\n - Add gitea_api.GitDiffGenerator class for creating submodule diffs without a git checkout\n - Add \u0027depth\u0027 argument to gitea_api.Repo.clone() and clone_or_update()\n - Add gitea_api.StagingPullRequestWrapper class for handling staging\n - Add gitea_api.PullRequest.get_host_owner_repo_number() method\n - Make GitObsCommand.add_argument_owner_repo() and add_argument_owner_repo_pull() reusable by allowing setting \u0027dest\u0027 argument\n - Warn if the git package doesn\u0027t have the same branch as the parent project\n - Extend gitea_api.PullRequest with methods that work with \u0027PR:\u0027 references\n - Support setting labels in gitea_api.PullRequest.create()\n - Fix gitea_api to use pagination instead of limit -1 everywhere\n - Remove duplicate, unused PullRequestReview class from gitea_api.pr\n - Move clone_or_update() from \u0027git-obs pr dump\u0027 command to gitea_api.Repo\n - Change gitea_api.Repo.clone_or_update() to take \u0027ssh_private_key_path\u0027 argument\n - Improve performance of gitea_api.IssueTimelineEntry by listing and caching requests instead of fetching them one by one\n - Make GitObsCommand.add_argument_owner_repo() and add_argument_owner_repo_pull() reusable by allowing setting \u0027help\u0027 argument\n - Change 
gitea_api.Repo.clone() to stop borrowing objects when \u0027reference\u0027 or \u0027reference_if_able\u0027 is used\n - Fix the resulting dictionary in gitea_api.PullRequest._get_label_ids()\n - Make gitea_api.RepoExists exception more helpful by giving a hint to fork under a different name\n - Use server_diff() instead of server_diff_noex() to exit with a non-zero return code\n - Return preinstallimage.info and allow podman to use preinstallimage\n\n- 1.21.0\n - Command-line:\n - Modify osc subcommands to error out if they don\u0027t work with git\n - Add \u0027git-obs meta\u0027 commands for managing the local metadata\n - Add \u0027git-obs meta info\u0027 command for printing resolved metadata about the current checkout\n - Add -b/--branch option to \u0027git-obs repo clone\u0027 command\n - Add \u0027git-obs pr dump\u0027 command to store pull request information on disk\n - Add \u0027git-obs --quiet\u0027 option (that mutes printing gitea settings now)\n - Automatially pull meta after \u0027git-obs repo clone\u0027\n - Change \u0027git-obs pr review interactive\u0027 to write \u0027merge ok\u0027 comment instead of scheduling a merge\n - Mute stderr when creating a worktree in \u0027git-obs pr review interactive\u0027\n - Change \u0027git-obs -G\u0027 to accept url to select a gitea login entry\n - Support substitutions in \u0027osc build --root\u0027\n - Fix crash in \u0027osc build\u0027 when \u0027build_repositories\u0027 in store was None\n - Fix filtering by reviewers in \u0027git-obs pr list\u0027\n - Update \u0027osc rq show\u0027 command to include history comments in verbose mode\n - Library:\n - Refactor GitStore\n - Migrate git_scm.Store over to gitea_api.Git\n - Store buildinfo and buildconfig files in GitStore\u0027s cache instead directly in the repo\n - Move code from \u0027git-obs meta pull\u0027 command to GitStore.pull()\n - Improve GitStore.pull() to support reading project from project.build\n - Rephrase the error message about detached 
HEAD in GitStore\n - Improve GitStore\u0027s error messages by adding instructions on how to fix missing metadata\n - Be more permissive when loading parent project_store in GitStore\n - Fix loading _manifest in a project git\n - Fix git store to check if all the required fields are present\n - Derive package name from topdir if a package is part of a project checkout\n - Change \u0027git-obs pr review interactive\u0027 to run pager process as a context manager\n - Change obs_api.TarDiff to spawn a process extracting archives as a context manager\n - Change \u0027commit\u0027 argument in gitea_api.Git.reset() to optional\n - Add gitea_api.Git.get_owner_repo_from_url() staticmethod\n - Add gitea_api.Git.urljoin() static method\n - Fix gitea_api.Git.get_branch_head() to raise a proper exception if the HEAD cannot be retrieved\n - Fix gitea_api.Git to work with the current remote instead of \u0027origin\u0027\n - Fix get_store() to throw the exception from git store if .osc directory is not present\n - Introduce GitObsRuntimeError exception and use it where appropriate\n - Fix tardiff by removing directories with shutil.rmtree() and files by os.unlink()\n - Add \u0027quiet\u0027 option to gitea_api.Git.switch()\n - Mute stderr in git_obs.Git.lfs_cat_file()\n - Treat None flavor as \"\" in multibuild resolve\n - Make Token.triggered_at optional as it\u0027s not available in the oficially released OBS code\n - Add BaseModel.from_string() and BaseModel.to_string() methods\n - Add BaseModel.from_file() and BaseModel.to_file() methods\n - Fix BaseModel to initialize from a dictionary via __init__ instead of setattr\n - Docs:\n - Update docs for the new git metadata store\n - Update list of recommended gitea permissions in git-obs-quickstart\n - Spec:\n - Install git-obs-metadata man page\n\n- 1.20.0\n - Command-line:\n - Fix \u0027osc fork\u0027 command to use the right tracking branch\n - Fix \u0027osc blt\u0027 command by checking if the working copy is a package\n - 
Make \u0027osc buildlog\u0027 work outside of osc package directory\n - Add \u0027git-obs pr close\u0027 and \u0027git-obs pr reopen\u0027 commands\n - Add \u0027close\u0027 option to \u0027git-obs pr review interactive\u0027\n - Change \u0027git-obs pr review interactive\u0027 to work with all archives, not only those in Git LFS\n - Fix checkout of the base branch in \u0027git-obs pr review interactive\u0027 command\n - Library:\n - Support _manifest file in git store\n - Allow pull request IDs in \u0027\u003cowner\u003e/\u003crepo\u003e!\u003cnumber\u003e\u0027 format\n - Properly handle deleted users and teams in the git-obs timeline\n - Handle situations when there\u0027s \u0027None\u0027 among timeline entries\n - Skip binary files in gitea_api.PullRequest.get_patch()\n - Change get_user_input(), add support for vertically printed list of answers\n - Spec:\n - Provide git-obs\n\n- 1.19.1\n - Command-line:\n - Use OSC_PACKAGE_CACHE_DIR env var instead of deprecated OSC_PACKAGECACHEDIR\n - Connection:\n - Check for both upper and lowercase versions of HTTP_PROXY and HTTPS_PROXY env vars\n - Library:\n - Add \u0027trackingbranch\u0027 field to ScmsyncObsinfo model\n - Revert \"Return None if GitStore cannot determine apiurl\"\n - Throw a proper exception when \u0027apiurl\u0027 argument of \u0027makeurl()\u0027 is empty\n - Move code setting apiurl from store to \u0027osc.conf.get_config()\u0027\n - Simplify \u0027osc.commandline.Osc.get_api_url()\u0027 to return the value from \u0027self.options\u0027\n - Remove \u0027osc.commandline.Osc.post_argparse()\u0027 because it\u0027s no longer used\n - Fix unit tests to use the new code path to run osc\n - Fix osc.gitea_api.dt_sanitize() by replacing dateutil with datetime\n\n- 1.19.0\n - Command-line:\n - Add \u0027git-obs pr cancel-scheduled-merge\u0027 command\n - Add timeline to \u0027git-obs pr review interactive\u0027\n - Add \u0027--timeline\u0027 option to \u0027git-obs pr get\u0027\n - Fix \u0027git-obs pr 
search\u0027 by using pagination to retrieve all results\n - Extend \u0027--message\u0027 option in git-obs subcommands with the \u0027-m\u0027 short option\n - Add a different message for scheduled merges in \u0027git-obs pr merge\u0027 command\n - Library:\n - Add \u0027conn\u0027 parameter to gitea_api.common.GiteaModel\n - Add gitea_api.Connection.scheme attribute\n - Add gitea_api.PullRequest.merge_commit property\n - Add gitea_api.PullRequest.get_owner_repo_number()\n - Add gitea_api.common.dt_sanitize() for sanitizing datetime strings\n - Handle missing head repo in the PullRequest properties\n - Return None if GitStore cannot determine apiurl\n - Remove extra newline from store files\n - Fix the \u0027Move remaining imports in osc.babysitter into try-except block\u0027 change by preserving the order of handling the exceptions\n - Spec:\n - Use primary_python to define runtime requires matching the shebang lines\n - Provide %{use_python_pkg}-osc for all pythons and python3-osc for primary_python\n - Add conflict with obs-scm-bridge \u003c 0.7.3\n\n- 1.18.0\n - Command-line:\n - Add \u0027git-obs pr comment [--message=...]\u0027 command\n - Add \u0027git-obs pr show-patch\u0027 command\n - Add \u0027--reviewer\u0027 option to \u0027git-obs pr review {approve,decline,interactive}\u0027 to support group reviews via group review bot\n - Update \u0027git-obs pr review interactive\u0027 to return non-zero return codes for \u0027exit\u0027 and \u0027skip\u0027 actions\n - Make \u0027osc results --show-excluded\u0027 work in a project context\n - Add \u0027--no-pager\u0027 global option\n - Fix \u0027osc fork\u0027 by copying whole query part to the new scmsync url\n - Fix \u0027osc buildinfo\u0027 for git packages by handing the \u0027build_repositories\u0027 files by store objects\n - Fix crash in \u0027git-obs pr get --patch\u0027\n - Fix git-obs to exit with 130 on keyboard interrupt\n - Fix --sccache help typo in \u0027osc build\u0027 command\n - Connection:\n 
- Don\u0027t retry requests on 504 Gateway Timeout\n - Library:\n - If a devel project is not specified, try reading it from a mapping from URL set in OBS:GitDevelProjectMap project attribute\n - Improve detection of packages and projects in git\n - scmsync_obsinfo: Pass correct revision to obs-scm-bridge\n - Add obs_api.Request.search() method\n - Raise an exception if obs-scm-bridge fails\n - Fix obs_scm.Package.get_pulled_srcmd5() returning an empty string\n - Fix git store to support non-default remote\n - Extend \u0027gitea_api.User.get()\u0027 to take \u0027username\u0027 parameter\n - Move get_editor() and related functions from command-line module to gitea_api.common\n - Migrate subcommands from using Store() to get_store() that is git aware\n - Make imports lazy to imporove osc load times\n\nChanges in obs-scm-bridge:\n\n- use the system default python version (boo#1247410)\n\n- 0.7.4\n * syntax fix\n\n- 0.7.3\n * fix .gitsubmodule parser to handle space and tabs mixed\n\n- package /etc/obs/service directories\n\n- 0.7.2\n * Improved error reporting of invalid files in package subdirs\n * Introducing a mechanic to limit asset handling\n\n- 0.7.1\n * export trackingbranch to scmsync.obsinfo\n\n- 0.7.0\n * supporting _manifest file as successor of _subdirs\n * record configured branch of submodules in package scmsync url\n * stay on the configured branch of a submodule on checkout\n\n- 0.6.3\n * Allow ssh:// scm urls as used by osc\n * project mode: avoid unecessary changes in package meta url\n * code cleanup\n\n- fix dependency (it is python3-PyYAML)\n\n- fix missing dependency to PyYAML\n\n- 0.6.2\n * Make project mode always look for _config in the top dir, also\n when using subdirs.\n\n- 0.6.1\n * new noobsinfo query parameter\n (can be used to hide git informations in sources, binaries\n won\u0027t contain them either then).\n\n- 0.6.0\n * project mode: switching to to track package sources using\n git sha sums instead of md5sum via 
download_assets\n\n- 0.5.4\n * fixed support of subdir parameter usage on project level\n * Fix handling of projectscmsync in the package xml writers\n\n- 0.5.3\n * Switch to ssh url when using the bridge via osc\n\n- 0.5.2\n * Don\u0027t overwrite files from git, but complain instead with\n an error. For example _scmsync.obsinfo file must not be part\n of the git tree. boo#1230469 CVE-2024-22038\n\n- 0.5.1\n * Don\u0027t generate _scmsync.obsinfo outside of OBS source server\n import use case (eg. no more for osc co)\n * Enforce python 3.11 requirement\n * Fix export of _scmsync.obsinfo in project mode\n * Fix submodule detection\n * EXPERIMENTAL: support multiple package subdirs via _subdirs\n file. This syntax will change!\n (not documented on purpose therefore atm)\n * Using git credential manager\n * Report some errors as transient, so that OBS can re-try\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Leap-16.0-packagehub-162",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_20361-1.json"
},
{
"category": "self",
"summary": "SUSE Bug 1230469",
"url": "https://bugzilla.suse.com/1230469"
},
{
"category": "self",
"summary": "SUSE Bug 1247410",
"url": "https://bugzilla.suse.com/1247410"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-22038 page",
"url": "https://www.suse.com/security/cve/CVE-2024-22038/"
}
],
"title": "Security update for osc, obs-scm-bridge",
"tracking": {
"current_release_date": "2026-03-12T20:54:40Z",
"generator": {
"date": "2026-03-12T20:54:40Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:20361-1",
"initial_release_date": "2026-03-12T20:54:40Z",
"revision_history": [
{
"date": "2026-03-12T20:54:40Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "obs-scm-bridge-0.7.4-bp160.1.1.noarch",
"product": {
"name": "obs-scm-bridge-0.7.4-bp160.1.1.noarch",
"product_id": "obs-scm-bridge-0.7.4-bp160.1.1.noarch"
}
},
{
"category": "product_version",
"name": "osc-1.24.0-bp160.1.1.noarch",
"product": {
"name": "osc-1.24.0-bp160.1.1.noarch",
"product_id": "osc-1.24.0-bp160.1.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 16.0",
"product": {
"name": "openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0"
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "obs-scm-bridge-0.7.4-bp160.1.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:obs-scm-bridge-0.7.4-bp160.1.1.noarch"
},
"product_reference": "obs-scm-bridge-0.7.4-bp160.1.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osc-1.24.0-bp160.1.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:osc-1.24.0-bp160.1.1.noarch"
},
"product_reference": "osc-1.24.0-bp160.1.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-22038",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-22038"
}
],
"notes": [
{
"category": "general",
"text": "Various problems in obs-scm-bridge allows attackers that create specially crafted git repositories to leak information of cause denial of service.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:obs-scm-bridge-0.7.4-bp160.1.1.noarch",
"openSUSE Leap 16.0:osc-1.24.0-bp160.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-22038",
"url": "https://www.suse.com/security/cve/CVE-2024-22038"
},
{
"category": "external",
"summary": "SUSE Bug 1230469 for CVE-2024-22038",
"url": "https://bugzilla.suse.com/1230469"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:obs-scm-bridge-0.7.4-bp160.1.1.noarch",
"openSUSE Leap 16.0:osc-1.24.0-bp160.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:obs-scm-bridge-0.7.4-bp160.1.1.noarch",
"openSUSE Leap 16.0:osc-1.24.0-bp160.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-12T20:54:40Z",
"details": "important"
}
],
"title": "CVE-2024-22038"
}
]
}