Bug 1225537

Summary: openSUSE Leap 15.6 known security regressions
Product: [openSUSE] openSUSE Distribution
Reporter: Andreas Stieger <Andreas.Stieger>
Component: Security
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Major
Priority: P5 - None
CC: lubos.kocman, meissner, mlin
Version: Leap 15.6
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on: 1212060, 1212061, 1212062, 1212063, 1216429, 1217153, 1217918, 1218199, 1219775, 1222593, 1222594
Bug Blocks: 1224165

Description Andreas Stieger 2024-05-28 21:15:56 UTC
The packages listed below are missing security maintenance in Leap 15.6 that we already released into openSUSE Leap 15.5. We should not release a new distribution release with known vulnerability regressions.

Specifically these are maintenance updates we already performed into openSUSE:Backports:SLE-15-SP5:Update, that are not in openSUSE:Backports:SLE-15-SP6 in one way or another.

boo#1217918 tor           https://build.opensuse.org/request/show/1177405 to TW
boo#1223420 cJSON         https://build.opensuse.org/request/show/1176529 to devel project
boo#1216403 gifsicle      https://build.opensuse.org/request/show/1177406 to TW
boo#1216429 roundcubemail https://build.opensuse.org/request/show/1177407 to TW
boo#1222593,
boo#1222594 sngrep        https://build.opensuse.org/request/show/1177409 to TW
boo#1212060,
boo#1212061,
boo#1212062,
boo#1212063 sox           https://build.opensuse.org/request/show/1177410
boo#1217153 yt-dlp        https://build.opensuse.org/request/show/1177411
Bonus: CVE-2024-22423 not addressed
boo#1219775,
boo#1218199 zabbix        https://build.opensuse.org/request/show/1177412

This does not include a comparison as to what is fixed in Tumbleweed and missing in Leap 15.6.

Ask to the security and release teams: monitor all of the above, and ensure that these or equivalent updates are submitted.
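The comparison the report asks for (what was released into the SP5 Backports project but is absent from SP6) can be scripted by diffing the bug and CVE references carried in each package's .changes file. The following is an added example; it is not code from this bug report, from OBS or from the openSUSE security team. The .changes texts it scans are constructed samples that reuse the bug numbers from the report, the maintainer address and dates are made up, and the watchlist entry is the CVE the report flags as unaddressed. In practice the inputs would be fetched per project with `osc cat PROJECT PACKAGE PACKAGE.changes`.

```python
"""Added example: find known-vulnerability regressions between two openSUSE
Backports projects by comparing the bug and CVE references in their package
changelogs (.changes files). Not part of the bug report or of OBS."""
import re

# Reference syntax used in openSUSE changelogs: bug IDs with a boo#/bsc#/bnc#
# prefix (all three name the same tracker, so they are normalised to boo#)
# and CVE identifiers.
BUG_RE = re.compile(r"\b(?:boo|bsc|bnc)#(\d+)")
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

# Constructed sample .changes texts, keyed by package name. The bug numbers
# are the ones from this report; the entries, dates and address are made up.
SP5_CHANGES = {
    "tor": """-------------------------------------------------------------------
Mon Dec 11 09:00:00 UTC 2023 - maintainer@example.org

- security update (boo#1217918)
""",
    "sngrep": """-------------------------------------------------------------------
Tue Apr 16 09:00:00 UTC 2024 - maintainer@example.org

- add upstream security fixes (boo#1222593, boo#1222594)
""",
    "yt-dlp": """-------------------------------------------------------------------
Wed Nov 29 09:00:00 UTC 2023 - maintainer@example.org

- update to a version fixing boo#1217153
""",
}
SP6_CHANGES = {
    "tor": """-------------------------------------------------------------------
Fri Sep 29 09:00:00 UTC 2023 - maintainer@example.org

- rebuild for new release
""",
    # Only one of the two sngrep fixes landed, written with the bsc# prefix.
    "sngrep": """-------------------------------------------------------------------
Tue Apr 16 09:00:00 UTC 2024 - maintainer@example.org

- add upstream security fix (bsc#1222593)
""",
    # yt-dlp is absent from the newer project entirely.
}
# Reference the report flags as not addressed in either project.
WATCHLIST = ["CVE-2024-22423"]


def security_refs(changes_text):
    """Return the set of normalised bug and CVE references in a .changes text."""
    refs = {f"boo#{n}" for n in BUG_RE.findall(changes_text)}
    refs |= set(CVE_RE.findall(changes_text))
    return refs


def regressions(old_project, new_project):
    """Return {package: sorted refs} referenced in old_project but not new_project.

    A package missing from new_project altogether reports all of its
    references: the fixes are just as unavailable to users of the new release.
    """
    result = {}
    for pkg, old_changes in old_project.items():
        missing = security_refs(old_changes) - security_refs(new_project.get(pkg, ""))
        if missing:
            result[pkg] = sorted(missing)
    return result


def unaddressed(watchlist, *projects):
    """Return watchlist references that no changelog in any project mentions."""
    seen = set()
    for project in projects:
        for changes in project.values():
            seen |= security_refs(changes)
    return sorted(set(watchlist) - seen)


def report(old_project, new_project, watchlist):
    """Format both checks as plain text, one finding per line."""
    lines = []
    for pkg, refs in sorted(regressions(old_project, new_project).items()):
        lines.append(f"{pkg}: fixed in old project, missing in new: {', '.join(refs)}")
    for ref in unaddressed(watchlist, old_project, new_project):
        lines.append(f"{ref}: not addressed in either project")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SP5_CHANGES, SP6_CHANGES, WATCHLIST)))
```

Swapping the two project arguments reports the opposite direction, which is the situation comment 2 describes for gifsicle (fix present in the newer project, missing from 15.5). Matching on references rather than package versions is deliberate: a backported patch fixes the bug without changing the version, and a version bump without the reference in the changelog is not evidence that the fix is in.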
Comment 1 Andreas Stieger 2024-05-28 21:28:41 UTC
boo#1218473 libredwg https://build.opensuse.org/request/show/1177413
Comment 2 Andreas Stieger 2024-05-29 04:15:46 UTC
(In reply to Andreas Stieger from comment #0)
> boo#1216403 gifsicle      https://build.opensuse.org/request/show/1177406

This is missing in 15.5 instead
Comment 3 Max Lin 2024-05-29 09:19:20 UTC
(In reply to Andreas Stieger from comment #2)
> (In reply to Andreas Stieger from comment #0)
> > boo#1216403 gifsicle      https://build.opensuse.org/request/show/1177406
> 
> This is missing in 15.5 instead

gifsicle and boo#1218473 libredwg https://build.opensuse.org/request/show/1177413 change were in openSUSE:Backports:SLE-15-SP6 already.
Comment 4 Max Lin 2024-05-29 10:07:35 UTC
@Andreas all pending changes in Backports staging regarding this report were accepted to openSUSE:Backports:SLE-15-SP6; if there are any further security fixes, I think we can deliver them via maint update.
Comment 5 Andreas Stieger 2024-05-29 11:18:24 UTC
lgtm. Closed or removed all blocking bugs, resolving