Security update for osc

Announcement ID:	SUSE-SU-2022:4351-1
Rating:	important
References:	bsc#1089025 bsc#1097996 bsc#1122675 bsc#1125243 bsc#1126055 bsc#1126058 bsc#1127932 bsc#1129757 bsc#1129889 bsc#1131512 bsc#1136584 bsc#1137477 bsc#1138165 bsc#1138977 bsc#1140697 bsc#1142518 bsc#1142662 bsc#1144211 bsc#1154972 bsc#1155953 bsc#1156501 bsc#1160446 bsc#1166537 bsc#1173926 jsc#OBS-203
Cross-References:	CVE-2019-3681 CVE-2019-3685
CVSS scores:	CVE-2019-3681 ( SUSE ): 4.2 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L CVE-2019-3681 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2019-3685 ( SUSE ): 7.4 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N CVE-2019-3685 ( NVD ): 7.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
Affected Products:	SUSE Linux Enterprise High Performance Computing 12 SP5 SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server for SAP Applications 12 SP5 SUSE Linux Enterprise Software Development Kit 12 SP5

An update that solves two vulnerabilities, contains one feature and has 22 security fixes can now be installed.

Description:

This update for osc fixes the following issues:

osc was updated to version 0.182.0 (bsc#1154972, bsc#1144211, bsc#1142662, bsc#1140697, bsc#1138165):

Added MFA support (jsc#OBS-203).
CVE-2019-3681: Fixed vulnerability where osc stored downloaded RPMs in network controlled paths (bsc#1122675).
CVE-2019-3685: Fixed broken TLS certificate handling (bsc#1142518).

Bugfixes: - Removed use of chardet to guess encoding. Utf-8 or latin-1 is now assumed, which will speed up decoding (bsc#1173926). - Added helper method _html_escape to enable python3.8 and python2.* compatibility (bsc#1166537). - Added MR creation to honor orev (bsc#1160446). - Fixed local build outside of the working copy of a package (bsc#1136584). - Don't enforce password reuse (bsc#1156501). - osc vc --file=foo bar.changes now writes the content from foo into bar.changes instead of creating a new file (bsc#1155953). - Fixed decoding on osc lbl (bsc#1137477). - Simplified and fixed osc meta -e (bsc#1138977). - osc lbl now works with non utf8 encoding (bsc#1129889). - Added full python3 compatibility (bsc#1125243, bsc#1131512, bsc#1129757). - Fixed slowdown of rbl with readline(bufsize) function (bsc#1127932). - Fixed osc build -p dir TypeError (bsc#1126055). - Fixed osc buildinfo -p TypeError (bsc#1126058). - Added new options --unexpand and --meta to diff command (bsc#1089025). - Fixed Requires to python-base which does not contain ssl.py (bsc#1097996).

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

SUSE Linux Enterprise Software Development Kit 12 SP5
zypper in -t patch SUSE-SLE-SDK-12-SP5-2022-4351=1

Package List:

SUSE Linux Enterprise Software Development Kit 12 SP5 (noarch)
- osc-0.182.0-15.12.1

Security update for osc

Description:

Patch Instructions:

Package List:

References: