SUSE 5165 Published by

The following security updates are available for SUSE Linux:

openSUSE-SU-2024:0274-1: important: Security update for cacti, cacti-spine
openSUSE-SU-2024:0275-1: important: Security update for opera
openSUSE-SU-2024:0276-1: important: Security update for cacti, cacti-spine




openSUSE-SU-2024:0274-1: important: Security update for cacti, cacti-spine


openSUSE Security Update: Security update for cacti, cacti-spine
_______________________________

Announcement ID: openSUSE-SU-2024:0274-1
Rating: important
References: #1224229 #1224230 #1224231 #1224235 #1224236
#1224237 #1224238 #1224239 #1224240 #1224241

Cross-References: CVE-2024-25641 CVE-2024-27082 CVE-2024-29894
CVE-2024-31443 CVE-2024-31444 CVE-2024-31445
CVE-2024-31458 CVE-2024-31459 CVE-2024-31460
CVE-2024-34340
Affected Products:
openSUSE Backports SLE-15-SP5
_______________________________

An update that fixes 10 vulnerabilities is now available.

Description:

This update for cacti, cacti-spine fixes the following issues:

- cacti 1.2.27:
* CVE-2024-34340: Authentication Bypass when using using older password
hashes (boo#1224240)
* CVE-2024-25641: RCE vulnerability when importing packages (boo#1224229)
* CVE-2024-31459: RCE vulnerability when plugins include files
(boo#1224238)
* CVE-2024-31460: SQL Injection vulnerability when using tree rules
through Automation API (boo#1224239)
* CVE-2024-29894: XSS vulnerability when using JavaScript based
messaging API (boo#1224231)
* CVE-2024-31458: SQL Injection vulnerability when using form templates
(boo#1224241)
* CVE-2024-31444: XSS vulnerability when reading tree rules with
Automation API (boo#1224236)
* CVE-2024-31443: XSS vulnerability when managing data queries
(boo#1224235)
* CVE-2024-31445: SQL Injection vulnerability when retrieving graphs
using Automation API (boo#1224237)
* CVE-2024-27082: XSS vulnerability when managing trees (boo#1224230)
* Improve PHP 8.3 support
* When importing packages via command line, data source profile could
not be selected
* When changing password, returning to previous page does not always work
* When using LDAP authentication the first time, warnings may appear in
logs
* When editing/viewing devices, add IPv6 info to hostname tooltip
* Improve speed of polling when Boost is enabled
* Improve support for Half-Hour time zones
* When user session not found, device lists can be incorrectly returned
* On import, legacy templates may generate warnings
* Improve support for alternate locations of Ping
* Improve PHP 8.1 support for Installer
* Fix issues with number formatting
* Improve PHP 8.1 support when SpikeKill is run first time
* Improve PHP 8.1 support for SpikeKill
* When using Chinese to search for graphics, garbled characters appear.
* When importing templates, preview mode will not always load
* When remote poller is installed, MySQL TimeZone DB checks are not
performed
* When Remote Poller installation completes, no finish button is shown
* Unauthorized agents should be recorded into logs
* Poller cache may not always update if hostname changes
* When using CMD poller, Failure and Recovery dates may have incorrect
values
* Saving a Tree can cause the tree to become unpublished
* Web Basic Authentication does not record user logins
* When using Accent-based languages, translations may not work properly
* Fix automation expressions for device rules
* Improve PHP 8.1 Support during fresh install with boost
* Add a device "enabled/disabled" indicator next to the graphs
* Notify the admin periodically when a remote data collector goes into
heartbeat status
* Add template for Aruba Clearpass
* Add fliter/sort of Device Templates by Graph Templates

- cacti-spine 1.2.27:
* Restore AES Support

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP5:

zypper in -t patch openSUSE-2024-274=1

Package List:

- openSUSE Backports SLE-15-SP5 (aarch64 i586 ppc64le s390x x86_64):

cacti-spine-1.2.27-bp155.2.9.1

- openSUSE Backports SLE-15-SP5 (noarch):

cacti-1.2.27-bp155.2.9.1

References:

https://www.suse.com/security/cve/CVE-2024-25641.html
https://www.suse.com/security/cve/CVE-2024-27082.html
https://www.suse.com/security/cve/CVE-2024-29894.html
https://www.suse.com/security/cve/CVE-2024-31443.html
https://www.suse.com/security/cve/CVE-2024-31444.html
https://www.suse.com/security/cve/CVE-2024-31445.html
https://www.suse.com/security/cve/CVE-2024-31458.html
https://www.suse.com/security/cve/CVE-2024-31459.html
https://www.suse.com/security/cve/CVE-2024-31460.html
https://www.suse.com/security/cve/CVE-2024-34340.html
https://bugzilla.suse.com/1224229
https://bugzilla.suse.com/1224230
https://bugzilla.suse.com/1224231
https://bugzilla.suse.com/1224235
https://bugzilla.suse.com/1224236
https://bugzilla.suse.com/1224237
https://bugzilla.suse.com/1224238
https://bugzilla.suse.com/1224239
https://bugzilla.suse.com/1224240
https://bugzilla.suse.com/1224241



openSUSE-SU-2024:0275-1: important: Security update for opera


openSUSE Security Update: Security update for opera
_______________________________

Announcement ID: openSUSE-SU-2024:0275-1
Rating: important
References:
Cross-References: CVE-2024-7971
CVSS scores:
CVE-2024-7971 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products:
openSUSE Leap 15.6:NonFree
_______________________________

An update that fixes one vulnerability is now available.

Description:

This update for opera fixes the following issues:

- Update to 113.0.5230.32

* DNA-118250 Backport fix for CVE-2024-7971 from Chrome to Opera 113

- Changes in 113.0.5230.31

* CHR-9819 Update Chromium on desktop-stable-127-5230 to 127.0.6533.120
* DNA-116113 Print window boxes have frames and text is not vertically
centered
* DNA-117467 Crash at static void views::Combobox::
PaintIconAndText(class gfx::Canvas*)
* DNA-117557 Fix detected dangling ptr in WorkspacesTabCycler
ControllerIndexInCycleOrderTest.IndexInCyclingOrder
* DNA-117721 [Lin] When I drag a tab out of the tab strip and drop it,
it is not possible to do so without creating a new window.
* DNA-117854 Pinned tab takes whole tab strip
* DNA-117857 [Sync][Lost password] After profile error canât add
passwords and sync canât display synced passwords
* DNA-118215 Promote 113 to stable

- Complete Opera 113 changelog at:
https://blogs.opera.com/desktop/changelog-for-113

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.6:NonFree:

zypper in -t patch openSUSE-2024-275=1

Package List:

- openSUSE Leap 15.6:NonFree (x86_64):

opera-113.0.5230.32-lp156.2.17.1

References:

https://www.suse.com/security/cve/CVE-2024-7971.html



openSUSE-SU-2024:0276-1: important: Security update for cacti, cacti-spine


openSUSE Security Update: Security update for cacti, cacti-spine
_______________________________

Announcement ID: openSUSE-SU-2024:0276-1
Rating: important
References: #1224229 #1224230 #1224231 #1224235 #1224236
#1224237 #1224238 #1224239 #1224240 #1224241

Cross-References: CVE-2024-25641 CVE-2024-27082 CVE-2024-29894
CVE-2024-31443 CVE-2024-31444 CVE-2024-31445
CVE-2024-31458 CVE-2024-31459 CVE-2024-31460
CVE-2024-34340
Affected Products:
openSUSE Backports SLE-15-SP6
_______________________________

An update that fixes 10 vulnerabilities is now available.

Description:

This update for cacti, cacti-spine fixes the following issues:

- cacti 1.2.27:
* CVE-2024-34340: Authentication Bypass when using using older password
hashes (boo#1224240)
* CVE-2024-25641: RCE vulnerability when importing packages (boo#1224229)
* CVE-2024-31459: RCE vulnerability when plugins include files
(boo#1224238)
* CVE-2024-31460: SQL Injection vulnerability when using tree rules
through Automation API (boo#1224239)
* CVE-2024-29894: XSS vulnerability when using JavaScript based
messaging API (boo#1224231)
* CVE-2024-31458: SQL Injection vulnerability when using form templates
(boo#1224241)
* CVE-2024-31444: XSS vulnerability when reading tree rules with
Automation API (boo#1224236)
* CVE-2024-31443: XSS vulnerability when managing data queries
(boo#1224235)
* CVE-2024-31445: SQL Injection vulnerability when retrieving graphs
using Automation API (boo#1224237)
* CVE-2024-27082: XSS vulnerability when managing trees (boo#1224230)
* Improve PHP 8.3 support
* When importing packages via command line, data source profile could
not be selected
* When changing password, returning to previous page does not always work
* When using LDAP authentication the first time, warnings may appear in
logs
* When editing/viewing devices, add IPv6 info to hostname tooltip
* Improve speed of polling when Boost is enabled
* Improve support for Half-Hour time zones
* When user session not found, device lists can be incorrectly returned
* On import, legacy templates may generate warnings
* Improve support for alternate locations of Ping
* Improve PHP 8.1 support for Installer
* Fix issues with number formatting
* Improve PHP 8.1 support when SpikeKill is run first time
* Improve PHP 8.1 support for SpikeKill
* When using Chinese to search for graphics, garbled characters appear.
* When importing templates, preview mode will not always load
* When remote poller is installed, MySQL TimeZone DB checks are not
performed
* When Remote Poller installation completes, no finish button is shown
* Unauthorized agents should be recorded into logs
* Poller cache may not always update if hostname changes
* When using CMD poller, Failure and Recovery dates may have incorrect
values
* Saving a Tree can cause the tree to become unpublished
* Web Basic Authentication does not record user logins
* When using Accent-based languages, translations may not work properly
* Fix automation expressions for device rules
* Improve PHP 8.1 Support during fresh install with boost
* Add a device "enabled/disabled" indicator next to the graphs
* Notify the admin periodically when a remote data collector goes into
heartbeat status
* Add template for Aruba Clearpass
* Add fliter/sort of Device Templates by Graph Templates

- cacti-spine 1.2.27:
* Restore AES Support

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP6:

zypper in -t patch openSUSE-2024-276=1

Package List:

- openSUSE Backports SLE-15-SP6 (aarch64 i586 ppc64le s390x x86_64):

cacti-spine-1.2.27-bp156.2.3.1
cacti-spine-debuginfo-1.2.27-bp156.2.3.1
cacti-spine-debugsource-1.2.27-bp156.2.3.1

- openSUSE Backports SLE-15-SP6 (noarch):

cacti-1.2.27-bp156.2.3.1

References:

https://www.suse.com/security/cve/CVE-2024-25641.html
https://www.suse.com/security/cve/CVE-2024-27082.html
https://www.suse.com/security/cve/CVE-2024-29894.html
https://www.suse.com/security/cve/CVE-2024-31443.html
https://www.suse.com/security/cve/CVE-2024-31444.html
https://www.suse.com/security/cve/CVE-2024-31445.html
https://www.suse.com/security/cve/CVE-2024-31458.html
https://www.suse.com/security/cve/CVE-2024-31459.html
https://www.suse.com/security/cve/CVE-2024-31460.html
https://www.suse.com/security/cve/CVE-2024-34340.html
https://bugzilla.suse.com/1224229
https://bugzilla.suse.com/1224230
https://bugzilla.suse.com/1224231
https://bugzilla.suse.com/1224235
https://bugzilla.suse.com/1224236
https://bugzilla.suse.com/1224237
https://bugzilla.suse.com/1224238
https://bugzilla.suse.com/1224239
https://bugzilla.suse.com/1224240
https://bugzilla.suse.com/1224241