<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
  <DocumentTitle xml:lang="en">Security update for fossil</DocumentTitle>
  <DocumentType>SUSE Patch</DocumentType>
  <DocumentPublisher Type="Vendor">
    <ContactDetails>security@suse.de</ContactDetails>
    <IssuingAuthority>SUSE Security Team</IssuingAuthority>
  </DocumentPublisher>
  <DocumentTracking>
    <Identification>
      <ID>openSUSE-SU-2020:1478-1</ID>
    </Identification>
    <Status>Final</Status>
    <Version>1</Version>
    <RevisionHistory>
      <Revision>
        <Number>1</Number>
        <Date>2020-09-19T22:23:30Z</Date>
        <Description>current</Description>
      </Revision>
    </RevisionHistory>
    <InitialReleaseDate>2020-09-19T22:23:30Z</InitialReleaseDate>
    <CurrentReleaseDate>2020-09-19T22:23:30Z</CurrentReleaseDate>
    <Generator>
      <Engine>cve-database/bin/generate-cvrf.pl</Engine>
      <Date>2017-02-24T01:00:00Z</Date>
    </Generator>
  </DocumentTracking>
  <DocumentNotes>
    <Note Title="Topic" Type="Summary" Ordinal="1" xml:lang="en">Security update for fossil</Note>
    <Note Title="Details" Type="General" Ordinal="2" xml:lang="en">This update for fossil fixes the following issues:

- fossil 2.12.1:
  * CVE-2020-24614: Remote authenticated users with check-in or
    administrative privileges could have executed arbitrary code
    [boo#1175760]
  * Security fix in the 'fossil git export' command. New
    'safety-net' features were added to prevent similar problems
    in the future.
  * Enhancements to the graph display for cases when there are
    many cherry-pick merges into a single check-in. Example
  * Enhance the fossil open command with the new --workdir option
    and the ability to accept a URL as the repository name,
    causing the remote repository to be cloned automatically. Do
    not allow 'fossil open' to open in a non-empty working
    directory unless the --keep option or the new --force option
    is used.
  * Enhance the markdown formatter to more closely follow the
    CommonMark specification with regard to text
    highlighting. Underscores in the middle of identifiers (ex:
    fossil_printf()) no longer need to be escaped.
  * The markdown-to-html translator can prevent unsafe HTML (for
    example: &lt;script&gt;) on user-contributed pages like forum and
    tickets and wiki. The admin can adjust this behavior using the
    safe-html setting on the Admin/Wiki page. The default is to
    disallow unsafe HTML everywhere.
  * Added the 'collapse' and 'expand' capability for long forum
    posts.
  * The 'fossil remote' command now has options for specifying
    multiple persistent remotes with symbolic names. Currently
    only one remote can be used at a time, but that might change
    in the future.
  * Add the 'Remember me?' checkbox on the login page. Use a
    session cookie for the login if it is not checked.
  * Added the experimental 'fossil hook' command for managing
    'hook scripts' that run before checkin or after a push.
  * Enhance the fossil revert command so that it is able to revert
    all files beneath a directory.
  * Add the fossil bisect skip command.
  * Add the fossil backup command.
  * Enhance fossil bisect ui so that it shows all unchecked
    check-ins in between the innermost 'good' and 'bad' check-ins.
  * Added the --reset flag to the 'fossil add', 'fossil rm', and
    'fossil addremove' commands.
  * Added the '--min N' and '--logfile FILENAME' flags to the
    backoffice command, as well as other enhancements to make the
    backoffice command a viable replacement for automatic
    backoffice. Other incremental backoffice improvements.
  * Added the /fileedit page, which allows editing of text files
    online. Requires explicit activation by a setup user.
  * Translate built-in help text into HTML for display on web
    pages.
  * On the /timeline webpage, the combination of query parameters
    'p=CHECKIN' and 'bt=ANCESTOR' draws all ancestors of CHECKIN
    going back to ANCESTOR.
  * Update the built-in SQLite so that the 'fossil sql' command
    supports new output modes '.mode box' and '.mode json'.
  * Add the 'obscure()' SQL function to the 'fossil sql' command.
  * Added virtual tables 'helptext' and 'builtin' to the 'fossil
    sql' command, providing access to the dispatch table including
    all help text, and the builtin data files, respectively.
  * Delta compression is now applied to forum edits.
  * The wiki editor has been modernized and is now Ajax-based.
- Package the fossil.1 manual page.

- fossil 2.11.1:
  * Make the 'fossil git export' command more restrictive about
    characters that it allows in the tag names.

- Add fossil-2.11-reproducible.patch to override build date (boo#1047218)
</Note>
    <Note Title="Terms of Use" Type="Legal Disclaimer" Ordinal="3" xml:lang="en">The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).</Note>
    <Note Title="Patchnames" Type="Details" Ordinal="4" xml:lang="en">openSUSE-2020-1478</Note>
  </DocumentNotes>
  <DocumentDistribution xml:lang="en">Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0)</DocumentDistribution>
  <DocumentReferences>
    <Reference Type="Self">
      <URL>https://lists.opensuse.org/opensuse-security-announce/2020-09/msg00065.html</URL>
      <Description>E-Mail link for openSUSE-SU-2020:1478-1</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/support/security/rating/</URL>
      <Description>SUSE Security Ratings</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1047218</URL>
      <Description>SUSE Bug 1047218</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1175760</URL>
      <Description>SUSE Bug 1175760</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2020-24614/</URL>
      <Description>SUSE CVE CVE-2020-24614 page</Description>
    </Reference>
  </DocumentReferences>
  <ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
    <Branch Type="Product Family" Name="SUSE Package Hub 15 SP1">
      <Branch Type="Product Name" Name="SUSE Package Hub 15 SP1">
        <FullProductName ProductID="SUSE Package Hub 15 SP1">SUSE Package Hub 15 SP1</FullProductName>
      </Branch>
    </Branch>
    <Branch Type="Product Family" Name="SUSE Package Hub 15 SP2">
      <Branch Type="Product Name" Name="SUSE Package Hub 15 SP2">
        <FullProductName ProductID="SUSE Package Hub 15 SP2">SUSE Package Hub 15 SP2</FullProductName>
      </Branch>
    </Branch>
    <Branch Type="Product Family" Name="openSUSE Leap 15.1">
      <Branch Type="Product Name" Name="openSUSE Leap 15.1">
        <FullProductName ProductID="openSUSE Leap 15.1" CPE="cpe:/o:opensuse:leap:15.1">openSUSE Leap 15.1</FullProductName>
      </Branch>
    </Branch>
    <Branch Type="Product Family" Name="openSUSE Leap 15.2">
      <Branch Type="Product Name" Name="openSUSE Leap 15.2">
        <FullProductName ProductID="openSUSE Leap 15.2" CPE="cpe:/o:opensuse:leap:15.2">openSUSE Leap 15.2</FullProductName>
      </Branch>
    </Branch>
    <Branch Type="Product Version" Name="fossil-2.12.1-bp152.2.3.1">
      <FullProductName ProductID="fossil-2.12.1-bp152.2.3.1">fossil-2.12.1-bp152.2.3.1</FullProductName>
    </Branch>
    <Relationship ProductReference="fossil-2.12.1-bp152.2.3.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Package Hub 15 SP1">
      <FullProductName ProductID="SUSE Package Hub 15 SP1:fossil-2.12.1-bp152.2.3.1">fossil-2.12.1-bp152.2.3.1 as a component of SUSE Package Hub 15 SP1</FullProductName>
    </Relationship>
    <Relationship ProductReference="fossil-2.12.1-bp152.2.3.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Package Hub 15 SP2">
      <FullProductName ProductID="SUSE Package Hub 15 SP2:fossil-2.12.1-bp152.2.3.1">fossil-2.12.1-bp152.2.3.1 as a component of SUSE Package Hub 15 SP2</FullProductName>
    </Relationship>
    <Relationship ProductReference="fossil-2.12.1-bp152.2.3.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 15.1">
      <FullProductName ProductID="openSUSE Leap 15.1:fossil-2.12.1-bp152.2.3.1">fossil-2.12.1-bp152.2.3.1 as a component of openSUSE Leap 15.1</FullProductName>
    </Relationship>
    <Relationship ProductReference="fossil-2.12.1-bp152.2.3.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 15.2">
      <FullProductName ProductID="openSUSE Leap 15.2:fossil-2.12.1-bp152.2.3.1">fossil-2.12.1-bp152.2.3.1 as a component of openSUSE Leap 15.2</FullProductName>
    </Relationship>
  </ProductTree>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Fossil before 2.10.2, 2.11.x before 2.11.2, and 2.12.x before 2.12.1 allows remote authenticated users to execute arbitrary code. An attacker must have check-in privileges on the repository.</Note>
    </Notes>
    <CVE>CVE-2020-24614</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Package Hub 15 SP1:fossil-2.12.1-bp152.2.3.1</ProductID>
        <ProductID>SUSE Package Hub 15 SP2:fossil-2.12.1-bp152.2.3.1</ProductID>
        <ProductID>openSUSE Leap 15.1:fossil-2.12.1-bp152.2.3.1</ProductID>
        <ProductID>openSUSE Leap 15.2:fossil-2.12.1-bp152.2.3.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://lists.opensuse.org/opensuse-security-announce/2020-09/msg00065.html</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2020-24614.html</URL>
        <Description>CVE-2020-24614</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1175760</URL>
        <Description>SUSE Bug 1175760</Description>
      </Reference>
    </References>
  </Vulnerability>
</cvrfdoc>
