Source: osc Version: 0.168.2-1 Severity: important Tags: security upstream Forwarded: https://bugzilla.suse.com/show_bug.cgi?id=1122675 X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerability was published for osc. CVE-2019-3681[0]: | A External Control of File Name or Path vulnerability in osc of SUSE | Linux Enterprise Module for Development Tools 15, SUSE Linux | Enterprise Software Development Kit 12-SP5, SUSE Linux Enterprise | Software Development Kit 12-SP4; openSUSE Leap 15.1, openSUSE Factory | allowed remote attackers that can change downloaded packages to | overwrite arbitrary files. This issue affects: SUSE Linux Enterprise | Module for Development Tools 15 osc versions prior to 0.169.1-3.20.1. | SUSE Linux Enterprise Software Development Kit 12-SP5 osc versions | prior to 0.162.1-15.9.1. SUSE Linux Enterprise Software Development | Kit 12-SP4 osc versions prior to 0.162.1-15.9.1. openSUSE Leap 15.1 | osc versions prior to 0.169.1-lp151.2.15.1. openSUSE Factory osc | versions prior to 0.169.0 . If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2019-3681 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3681 [1] https://bugzilla.suse.com/show_bug.cgi?id=1122675 [2] https://github.com/openSUSE/osc/commit/a79c54418baf9b9785123bd07f350f12bd729ed3 Please adjust the affected versions in the BTS as needed. Regards, Salvatore

