SUSE 5037 Published by

A fossil security update has been released for SUSE Linux Enterprise Linux 15 SP2.

openSUSE-SU-2021:1070-1: important: Security update for fossil

openSUSE Security Update: Security update for fossil

Announcement ID: openSUSE-SU-2021:1070-1
Rating: important
References: #1047218 #1175760
Cross-References: CVE-2020-24614
CVSS scores:
CVE-2020-24614 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products:
openSUSE Backports SLE-15-SP2

An update that solves one vulnerability and has one errata
is now available.


This update for fossil fixes the following issues:

- fossil 2.12.1:
* CVE-2020-24614: Remote authenticated users with check-in or
administrative privileges could have executed arbitrary code
* Security fix in the "fossil git export" command. New "safety-net"
features were added to prevent similar problems in the future.
* Enhancements to the graph display for cases when there are many
cherry-pick merges into a single check-in. Example
* Enhance the fossil open command with the new --workdir option and the
ability to accept a URL as the repository name, causing the remote
repository to be cloned automatically. Do not allow "fossil open" to
open in a non-empty working directory unless the --keep option or the
new --force option is used.
* Enhance the markdown formatter to more closely follow the CommonMark
specification with regard to text highlighting. Underscores in the
middle of identifiers (ex: fossil_printf()) no longer need to be
* The markdown-to-html translator can prevent unsafe HTML (for example:
) on user-contributed pages like forum and tickets and wiki.
The admin can adjust this behavior using the safe-html setting on the
Admin/Wiki page. The default is to disallow unsafe HTML everywhere.
* Added the "collapse" and "expand" capability for long forum posts.
* The "fossil remote" command now has options for specifying multiple
persistent remotes with symbolic names. Currently
only one remote can be used at a time, but that might change in the
* Add the "Remember me?" checkbox on the login page. Use a session
cookie for the login if it is not checked.
* Added the experimental "fossil hook" command for managing "hook
scripts" that run before checkin or after a push.
* Enhance the fossil revert command so that it is able to revert all
files beneath a directory.
* Add the fossil bisect skip command.
* Add the fossil backup command.
* Enhance fossil bisect ui so that it shows all unchecked check-ins in
between the innermost "good" and "bad" check-ins.
* Added the --reset flag to the "fossil add", "fossil rm", and "fossil
addremove" commands.
* Added the "--min N" and "--logfile FILENAME" flags to the backoffice
command, as well as other enhancements to make the backoffice command
a viable replacement for automatic backoffice. Other incremental
backoffice improvements.
* Added the /fileedit page, which allows editing of text files
online. Requires explicit activation by a setup user.
* Translate built-in help text into HTML for display on web pages.
* On the /timeline webpage, the combination of query parameters
"p=CHECKIN" and "bt=ANCESTOR" draws all ancestors of CHECKIN going
back to ANCESTOR.
* Update the built-in SQLite so that the "fossil sql" command supports
new output modes ".mode box" and ".mode json".
* Add the "obscure()" SQL function to the "fossil sql" command.
* Added virtual tables "helptext" and "builtin" to the "fossil sql"
command, providing access to the dispatch table including all help
text, and the builtin data files, respectively.
* Delta compression is now applied to forum edits.
* The wiki editor has been modernized and is now Ajax-based.
- Package the fossil.1 manual page.

- fossil 2.11.1:
* Make the "fossil git export" command more restrictive about characters
that it allows in the tag names

- Add fossil-2.11-reproducible.patch to override build date (boo#1047218)

This update was imported from the openSUSE:Leap:15.2:Update update project.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP2:

zypper in -t patch openSUSE-2021-1070=1

Package List:

- openSUSE Backports SLE-15-SP2 (aarch64 ppc64le s390x x86_64):