Bug 1225537 - openSUSE Leap 15.6 known security regressions
Summary: openSUSE Leap 15.6 known security regressions
Status: RESOLVED FIXED
Alias: None
Product: openSUSE Distribution
Classification: openSUSE
Component: Security
Version: Leap 15.6
Hardware: Other Other
: P5 - None : Major
Target Milestone: ---
Assignee: Security Team bot
QA Contact: E-mail List
URL:
Whiteboard:
Keywords:
Depends on: CVE-2023-26590 CVE-2023-32627 CVE-2023-34318 CVE-2023-34432 CVE-2023-46267 CVE-2023-46121 1217918 CVE-2023-32727 CVE-2024-22119 CVE-2024-3119 CVE-2024-3120
Blocks: 1224165
Reported: 2024-05-28 21:15 UTC by Andreas Stieger
Modified: 2024-05-29 11:18 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Andreas Stieger 2024-05-28 21:15:56 UTC
The packages listed below are missing security maintenance in Leap 15.6 that we already released into openSUSE Leap 15.5. We should not release a new distribution release with known vulnerability regressions.

Specifically, these are maintenance updates we already performed into openSUSE:Backports:SLE-15-SP5:Update that are not in openSUSE:Backports:SLE-15-SP6 in one way or another.

boo#1217918 tor           https://build.opensuse.org/request/show/1177405 to TW
boo#1223420 cJSON         https://build.opensuse.org/request/show/1176529 to devel project
boo#1216403 gifsicle      https://build.opensuse.org/request/show/1177406 to TW
boo#1216429 roundcubemail https://build.opensuse.org/request/show/1177407 to TW
boo#1222593,
boo#1222594 sngrep        https://build.opensuse.org/request/show/1177409 to TW
boo#1212060,
boo#1212061,
boo#1212062,
boo#1212063 sox           https://build.opensuse.org/request/show/1177410
boo#1217153 yt-dlp        https://build.opensuse.org/request/show/1177411
Bonus: CVE-2024-22423 not addressed
boo#1219775,
boo#1218199 zabbix        https://build.opensuse.org/request/show/1177412

This does not include a comparison as to what is fixed in Tumbleweed and missing in Leap 15.6.

Ask to security and release team: monitor all of the above, and ensure that these or equivalent updates are submitted.
Comment 1 Andreas Stieger 2024-05-28 21:28:41 UTC
boo#1218473 libredwg https://build.opensuse.org/request/show/1177413
Comment 2 Andreas Stieger 2024-05-29 04:15:46 UTC
(In reply to Andreas Stieger from comment #0)
> boo#1216403 gifsicle      https://build.opensuse.org/request/show/1177406

This is missing in 15.5 instead
Comment 3 Max Lin 2024-05-29 09:19:20 UTC
(In reply to Andreas Stieger from comment #2)
> (In reply to Andreas Stieger from comment #0)
> > boo#1216403 gifsicle      https://build.opensuse.org/request/show/1177406
> 
> This is missing in 15.5 instead

gifsicle and boo#1218473 libredwg https://build.opensuse.org/request/show/1177413 changes were in openSUSE:Backports:SLE-15-SP6 already.
Comment 4 Max Lin 2024-05-29 10:07:35 UTC
@Andreas all pending changes in Backports staging regarding this report were accepted to openSUSE:Backports:SLE-15-SP6, if there are any further security fixes, I think we can deliver them via maint update.
Comment 5 Andreas Stieger 2024-05-29 11:18:24 UTC
lgtm. Closed or removed all blocking bugs, resolving