SUSE 5019 Published by

A nim security update has been released for SUSE Linux Enterprise 15 SP4.

openSUSE-SU-2022:10101-1: important: Security update for nim

openSUSE Security Update: Security update for nim

Announcement ID: openSUSE-SU-2022:10101-1
Rating: important
References: #1175332 #1175333 #1175334 #1181705 #1185083
#1185084 #1185085 #1185948 #1192712
Cross-References: CVE-2020-15690 CVE-2020-15692 CVE-2020-15693
CVE-2020-15694 CVE-2021-21372 CVE-2021-21373
CVE-2021-21374 CVE-2021-29495 CVE-2021-41259

CVSS scores:
CVE-2020-15690 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2020-15692 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2020-15693 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CVE-2020-15694 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVE-2021-21372 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2021-21373 (NVD) : 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
CVE-2021-21374 (NVD) : 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-29495 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVE-2021-41259 (NVD) : 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Affected Products:
openSUSE Backports SLE-15-SP4

An update that fixes 9 vulnerabilities is now available.


This update for nim fixes the following issues:

Includes upstream security fixes for:

* (boo#1175333, CVE-2020-15693) httpClient is vulnerable to a CR-LF
* (boo#1175334, CVE-2020-15692) mishandle of argument to
* (boo#1175332, CVE-2020-15694) httpClient.get().contentLength() fails to
properly validate the server response
* (boo#1192712, CVE-2021-41259) null byte accepted in getContent function,
leading to URI validation bypass
* (boo#1185948, CVE-2021-29495) stdlib httpClient does not validate peer
certificates by default
* (boo#1185085, CVE-2021-21374) Improper verification of the SSL/TLS
* (boo#1185084, CVE-2021-21373) "nimble refresh" falls back to a non-TLS
URL in case of error
* (boo#1185083, CVE-2021-21372) doCmd can be leveraged to execute
arbitrary commands
* (boo#1181705, CVE-2020-15690) Standard library asyncftpclient lacks a
check for newline character

Update to 1.6.6

* standard library use consistent styles for variable names so it can be
used in projects which force a consistent style with
--styleCheck:usages option.
* ARC/ORC are now considerably faster at method dispatching, bringing its
performance back on the level of the refc memory management.
* Full changelog:
- Previous updates and changelogs:
* 1.6.4:
* 1.6.2:
* 1.6.0:
* 1.4.8:
* 1.4.6:
* 1.4.4:
* 1.4.2:
* 1.4.0:

update to 1.2.16

* oids: switch from PRNG to random module
* nimc.rst: fix table markup
* nimRawSetjmp: support Windows
* correctly enable chronos
* bigints are not supposed to work on 1.2.x
* disable nimpy
* misc bugfixes
* fixes a 'mixin' statement handling regression [backport:1.2

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP4:

zypper in -t patch openSUSE-2022-10101=1

Package List:

- openSUSE Backports SLE-15-SP4 (aarch64 ppc64le x86_64):