<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
  <DocumentTitle xml:lang="en">Security update for liferea</DocumentTitle>
  <DocumentType>SUSE Patch</DocumentType>
  <DocumentPublisher Type="Vendor">
    <ContactDetails>security@suse.de</ContactDetails>
    <IssuingAuthority>SUSE Security Team</IssuingAuthority>
  </DocumentPublisher>
  <DocumentTracking>
    <Identification>
      <ID>openSUSE-SU-2023:0096-1</ID>
    </Identification>
    <Status>Final</Status>
    <Version>1</Version>
    <RevisionHistory>
      <Revision>
        <Number>1</Number>
        <Date>2023-04-27T12:51:25Z</Date>
        <Description>current</Description>
      </Revision>
    </RevisionHistory>
    <InitialReleaseDate>2023-04-27T12:51:25Z</InitialReleaseDate>
    <CurrentReleaseDate>2023-04-27T12:51:25Z</CurrentReleaseDate>
    <Generator>
      <Engine>cve-database/bin/generate-cvrf.pl</Engine>
      <Date>2017-02-24T01:00:00Z</Date>
    </Generator>
  </DocumentTracking>
  <DocumentNotes>
    <Note Title="Topic" Type="Summary" Ordinal="1" xml:lang="en">Security update for liferea</Note>
    <Note Title="Details" Type="General" Ordinal="2" xml:lang="en">
liferea was updated to version 1.14.1:

+ Fix CVE-2023-1350 - Remote code execution on feed enrichment (boo#1209190).

Update to version 1.14.0:

+ New 'Reader mode' preference that allows stripping all web
  content
+ Implement support for WebKit's Intelligent Tracking Protection
+ New progress bar when loading websites
+ Youtube videos from media:video can be embedded now with a
  click on the video preview picture.
+ Changes to UserAgent handling: same UA is now used for both
  feed fetching and internal browsing.
+ New view mode 'Automatic' which switches between 'Normal' and
  'Wide' mode based on the window proportions.
+ Liferea now supports the new GTK dark theme logic, where in
  the GTK/GNOME preferences you define whether you 'prefer' dark
  mode or light mode
+ Favicon discovery improvements: now detects all types of Apple
  Touch Icons, MS Tile Images and Safari Mask Icons
+ Increase size of stored favicons to 128x128px to improve icon
  quality in 3-pane wide view.
+ Make several plugins support gettext
+ Allow multiple feeds in the same libnotify notification
+ Redesign of the update message in the status bar. It now shows
  an update counter of the feeds being updated.
+ You can now export a feed to XML file
+ Added an option to show news bins in reduced feed list
+ Added menu option to send item per mail
+ Default to https:// instead of http:// when user doesn't
  provide protocol on subscribing feed
+ Implement support for subscribing to LD+Json metadata listings
  e.g. concert or theater event listings
+ Implement support for subscribing to HTML5 websites
+ Support for media:description field of Youtube feeds
+ Improve HTML5 extraction: extract main tag if it exists and
  no article was found.
+ Execute feed pipe/filter commands asynchronously
+ Better explanation of feed update errors.
+ Added generic Google Reader API support (allows using FeedHQ,
  FreshRSS, Miniflux...)
+ Now allow converting TinyTinyRSS subscriptions to
  local subscriptions
+ New search folder rule to match podcasts
+ New search folder rule to match headline authors
+ New search folder rule to match subscription source
+ New search folder rule to match parent folder name
+ New search folder property that allows hiding read items
+ Now search folders are automatically rebuilt when rules are
  changed
+ Added new plugin 'add-bookmark-site' that allows to configure
  a custom bookmarking site.
+ Added new plugin 'getfocus' that adds transparency on the feed
  list when it is not focussed.
+ Trayicon plugin has now a configuration option to change the
  behaviour when closing Liferea.
+ Trayicon plugin has now an option to disable minimizing to tray
+ New hot key Ctrl-D for 'Open in External Browser'
+ New hot key F10 for headerbar plugin to allow triggering the
  hamburger menu
+ New hot key Ctrl-0 to reset zoom
+ New hot key Ctrl-O to open enclosures
+ Fix hidden panes, Liferea will never allow the panes to be
  smaller than 5% in height or width
+ Wait for network to be fully available before updating
+ 2-pane mode was removed
+ Dropped CDF channel support
+ Dropped Atom 0.2/0.3 (aka Pie) support
+ Dropped blogChannel namespace support
+ Dropped photo namespace support

- Require python3-cairo; needed for tray icon (boo#1193579).
</Note>
    <Note Title="Terms of Use" Type="Legal Disclaimer" Ordinal="3" xml:lang="en">The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).</Note>
    <Note Title="Patchnames" Type="Details" Ordinal="4" xml:lang="en">openSUSE-2023-96</Note>
  </DocumentNotes>
  <DocumentDistribution xml:lang="en">Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0)</DocumentDistribution>
  <DocumentReferences>
    <Reference Type="Self">
      <URL>https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/U2XWO532L7BXCMKLBA5M4DP7HIU4NSO2/</URL>
      <Description>E-Mail link for openSUSE-SU-2023:0096-1</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/support/security/rating/</URL>
      <Description>SUSE Security Ratings</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1193579</URL>
      <Description>SUSE Bug 1193579</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1209190</URL>
      <Description>SUSE Bug 1209190</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2023-1350/</URL>
      <Description>SUSE CVE CVE-2023-1350 page</Description>
    </Reference>
  </DocumentReferences>
  <ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
    <Branch Type="Product Family" Name="SUSE Package Hub 15 SP4">
      <Branch Type="Product Name" Name="SUSE Package Hub 15 SP4">
        <FullProductName ProductID="SUSE Package Hub 15 SP4">SUSE Package Hub 15 SP4</FullProductName>
      </Branch>
    </Branch>
    <Branch Type="Product Family" Name="openSUSE Leap 15.4">
      <Branch Type="Product Name" Name="openSUSE Leap 15.4">
        <FullProductName ProductID="openSUSE Leap 15.4" CPE="cpe:/o:opensuse:leap:15.4">openSUSE Leap 15.4</FullProductName>
      </Branch>
    </Branch>
    <Branch Type="Product Version" Name="liferea-1.14.1-bp154.2.3.1">
      <FullProductName ProductID="liferea-1.14.1-bp154.2.3.1">liferea-1.14.1-bp154.2.3.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="liferea-lang-1.14.1-bp154.2.3.1">
      <FullProductName ProductID="liferea-lang-1.14.1-bp154.2.3.1">liferea-lang-1.14.1-bp154.2.3.1</FullProductName>
    </Branch>
    <Relationship ProductReference="liferea-1.14.1-bp154.2.3.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Package Hub 15 SP4">
      <FullProductName ProductID="SUSE Package Hub 15 SP4:liferea-1.14.1-bp154.2.3.1">liferea-1.14.1-bp154.2.3.1 as a component of SUSE Package Hub 15 SP4</FullProductName>
    </Relationship>
    <Relationship ProductReference="liferea-lang-1.14.1-bp154.2.3.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Package Hub 15 SP4">
      <FullProductName ProductID="SUSE Package Hub 15 SP4:liferea-lang-1.14.1-bp154.2.3.1">liferea-lang-1.14.1-bp154.2.3.1 as a component of SUSE Package Hub 15 SP4</FullProductName>
    </Relationship>
    <Relationship ProductReference="liferea-1.14.1-bp154.2.3.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 15.4">
      <FullProductName ProductID="openSUSE Leap 15.4:liferea-1.14.1-bp154.2.3.1">liferea-1.14.1-bp154.2.3.1 as a component of openSUSE Leap 15.4</FullProductName>
    </Relationship>
    <Relationship ProductReference="liferea-lang-1.14.1-bp154.2.3.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 15.4">
      <FullProductName ProductID="openSUSE Leap 15.4:liferea-lang-1.14.1-bp154.2.3.1">liferea-lang-1.14.1-bp154.2.3.1 as a component of openSUSE Leap 15.4</FullProductName>
    </Relationship>
  </ProductTree>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A vulnerability was found in liferea. It has been rated as critical. Affected by this issue is the function update_job_run of the file src/update.c of the component Feed Enrichment. The manipulation of the argument source with the input |date &gt;/tmp/bad-item-link.txt leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The name of the patch is 8d8b5b963fa64c7a2122d1bbfbb0bed46e813e59. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-222848.</Note>
    </Notes>
    <CVE>CVE-2023-1350</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Package Hub 15 SP4:liferea-1.14.1-bp154.2.3.1</ProductID>
        <ProductID>SUSE Package Hub 15 SP4:liferea-lang-1.14.1-bp154.2.3.1</ProductID>
        <ProductID>openSUSE Leap 15.4:liferea-1.14.1-bp154.2.3.1</ProductID>
        <ProductID>openSUSE Leap 15.4:liferea-lang-1.14.1-bp154.2.3.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/U2XWO532L7BXCMKLBA5M4DP7HIU4NSO2/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2023-1350.html</URL>
        <Description>CVE-2023-1350</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1209190</URL>
        <Description>SUSE Bug 1209190</Description>
      </Reference>
    </References>
  </Vulnerability>
</cvrfdoc>
