openSUSE Security Update: Security update for fossil
______________________________________________________________________________
Announcement ID: openSUSE-SU-2020:1478-1
Rating: important
References: #1047218 #1175760
Cross-References: CVE-2020-24614
Affected Products:
openSUSE Leap 15.2
openSUSE Leap 15.1
openSUSE Backports SLE-15-SP2
openSUSE Backports SLE-15-SP1
______________________________________________________________________________
An update that solves one vulnerability and has one errata
is now available.
Description:
This update for fossil fixes the following issues:
– fossil 2.12.1:
* CVE-2020-24614: Remote authenticated users with check-in or
administrative privileges could have executed arbitrary code
[boo#1175760]
* Security fix in the “fossil git export” command. New “safety-net”
features were added to prevent similar problems in the future.
* Enhancements to the graph display for cases when there are many
cherry-pick merges into a single check-in. Example
* Enhance the fossil open command with the new –workdir option and the
ability to accept a URL as the repository name, causing the remote
repository to be cloned automatically. Do not allow “fossil open” to
open in a non-empty working directory unless the –keep option or the
new –force option is used.
* Enhance the markdown formatter to more closely follow the CommonMark
specification with regard to text highlighting. Underscores in the
middle of identifiers (ex: fossil_printf()) no longer need to be
escaped.
* The markdown-to-html translator can prevent unsafe HTML (for example:
<script>) on user-contributed pages like forum and tickets and wiki.
The admin can adjust this behavior using the safe-html setting on the
Admin/Wiki page. The default is to disallow unsafe HTML everywhere.
* Added the “collapse” and “expand” capability for long forum posts.
* The “fossil remote” command now has options for specifying multiple
persistent remotes with symbolic names. Currently
only one remote can be used at a time, but that might change in the
future.
* Add the “Remember me?” checkbox on the login page. Use a session
cookie for the login if it is not checked.
* Added the experimental “fossil hook” command for managing “hook
scripts” that run before checkin or after a push.
* Enhance the fossil revert command so that it is able to revert all
files beneath a directory.
* Add the fossil bisect skip command.
* Add the fossil backup command.
* Enhance fossil bisect ui so that it shows all unchecked check-ins in
between the innermost “good” and “bad” check-ins.
* Added the –reset flag to the “fossil add”, “fossil rm”, and “fossil
addremove” commands.
* Added the “–min N” and “–logfile FILENAME” flags to the backoffice
command, as well as other enhancements to make the backoffice command
a viable replacement for automatic backoffice. Other incremental
backoffice improvements.
* Added the /fileedit page, which allows editing of text files
online. Requires explicit activation by a setup user.
* Translate built-in help text into HTML for display on web pages.
* On the /timeline webpage, the combination of query parameters
“p=CHECKIN” and “bt=ANCESTOR” draws all ancestors of CHECKIN going
back to ANCESTOR.
* Update the built-in SQLite so that the “fossil sql” command supports
new output modes “.mode box” and “.mode json”.
* Add the “obscure()” SQL function to the “fossil sql” command.
* Added virtual tables “helptext” and “builtin” to the “fossil sql”
command, providing access to the dispatch table including all help
text, and the builtin data files, respectively.
* Delta compression is now applied to forum edits.
* The wiki editor has been modernized and is now Ajax-based.
– Package the fossil.1 manual page.
– fossil 2.11.1:
* Make the “fossil git export” command more restrictive about characters
that it allows in the tag names
– Add fossil-2.11-reproducible.patch to override build date (boo#1047218)
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.
Alternatively you can run the command listed for your product:
– openSUSE Leap 15.2:
zypper in -t patch openSUSE-2020-1478=1
– openSUSE Leap 15.1:
zypper in -t patch openSUSE-2020-1478=1
– openSUSE Backports SLE-15-SP2:
zypper in -t patch openSUSE-2020-1478=1
– openSUSE Backports SLE-15-SP1:
zypper in -t patch openSUSE-2020-1478=1
Package List:
– openSUSE Leap 15.2 (x86_64):
fossil-2.12.1-lp152.2.3.1
fossil-debuginfo-2.12.1-lp152.2.3.1
fossil-debugsource-2.12.1-lp152.2.3.1
– openSUSE Leap 15.1 (x86_64):
fossil-2.12.1-lp151.3.6.1
fossil-debuginfo-2.12.1-lp151.3.6.1
fossil-debugsource-2.12.1-lp151.3.6.1
– openSUSE Backports SLE-15-SP2 (aarch64 ppc64le s390x x86_64):
fossil-2.12.1-bp152.2.3.1
fossil-debuginfo-2.12.1-bp152.2.3.1
fossil-debugsource-2.12.1-bp152.2.3.1
– openSUSE Backports SLE-15-SP1 (aarch64 ppc64le s390x x86_64):
fossil-2.12.1-bp151.4.6.1
References:
https://www.suse.com/security/cve/CVE-2020-24614.html
https://bugzilla.suse.com/1047218
https://bugzilla.suse.com/1175760
—
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org