{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"important"},"category":"csaf_security_advisory","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"Security update for fossil","title":"Title of the patch"},{"category":"description","text":"This update for fossil fixes the following issues:\n\n- fossil 2.12.1:\n  * CVE-2020-24614: Remote authenticated users with check-in or\n    administrative privileges could have executed arbitrary code\n    [boo#1175760]\n  * Security fix in the 'fossil git export' command. New\n    'safety-net' features were added to prevent similar problems\n    in the future.\n  * Enhancements to the graph display for cases when there are\n    many cherry-pick merges into a single check-in. Example\n  * Enhance the fossil open command with the new --workdir option\n    and the ability to accept a URL as the repository name,\n    causing the remote repository to be cloned automatically. Do\n    not allow 'fossil open' to open in a non-empty working\n    directory unless the --keep option or the new --force option\n    is used.\n  * Enhance the markdown formatter to more closely follow the\n    CommonMark specification with regard to text\n    highlighting. Underscores in the middle of identifiers (ex:\n    fossil_printf()) no longer need to be escaped.\n  * The markdown-to-html translator can prevent unsafe HTML (for\n    example: <script>) on user-contributed pages like forum and\n    tickets and wiki. The admin can adjust this behavior using the\n    safe-html setting on the Admin/Wiki page. The default is to\n    disallow unsafe HTML everywhere.\n  * Added the 'collapse' and 'expand' capability for long forum\n    posts.\n  * The 'fossil remote' command now has options for specifying\n    multiple persistent remotes with symbolic names. Currently\n    only one remote can be used at a time, but that might change\n    in the future.\n  * Add the 'Remember me?' checkbox on the login page. Use a\n    session cookie for the login if it is not checked.\n  * Added the experimental 'fossil hook' command for managing\n    'hook scripts' that run before checkin or after a push.\n  * Enhance the fossil revert command so that it is able to revert\n    all files beneath a directory.\n  * Add the fossil bisect skip command.\n  * Add the fossil backup command.\n  * Enhance fossil bisect ui so that it shows all unchecked\n    check-ins in between the innermost 'good' and 'bad' check-ins.\n  * Added the --reset flag to the 'fossil add', 'fossil rm', and\n    'fossil addremove' commands.\n  * Added the '--min N' and '--logfile FILENAME' flags to the\n    backoffice command, as well as other enhancements to make the\n    backoffice command a viable replacement for automatic\n    backoffice. Other incremental backoffice improvements.\n  * Added the /fileedit page, which allows editing of text files\n    online. Requires explicit activation by a setup user.\n  * Translate built-in help text into HTML for display on web\n    pages.\n  * On the /timeline webpage, the combination of query parameters\n    'p=CHECKIN' and 'bt=ANCESTOR' draws all ancestors of CHECKIN\n    going back to ANCESTOR.\n  * Update the built-in SQLite so that the 'fossil sql' command\n    supports new output modes '.mode box' and '.mode json'.\n  * Add the 'obscure()' SQL function to the 'fossil sql' command.\n  * Added virtual tables 'helptext' and 'builtin' to the 'fossil\n    sql' command, providing access to the dispatch table including\n    all help text, and the builtin data files, respectively.\n  * Delta compression is now applied to forum edits.\n  * The wiki editor has been modernized and is now Ajax-based.\n- Package the fossil.1 manual page.\n\n- fossil 2.11.1:\n  * Make the 'fossil git export' command more restrictive about\n    characters that it allows in the tag names\n\n- Add fossil-2.11-reproducible.patch to override build date (boo#1047218)\n","title":"Description of the patch"},{"category":"details","text":"openSUSE-2020-1478","title":"Patchnames"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"SUSE ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"self","summary":"URL of this CSAF notice","url":"https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2020_1478-1.json"},{"category":"self","summary":"URL for openSUSE-SU-2020:1478-1","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UDTH7FFF6GQ4G6LJ7CMSIEYC7EJDH6MA/"},{"category":"self","summary":"E-Mail link for openSUSE-SU-2020:1478-1","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UDTH7FFF6GQ4G6LJ7CMSIEYC7EJDH6MA/"},{"category":"self","summary":"SUSE Bug 1047218","url":"https://bugzilla.suse.com/1047218"},{"category":"self","summary":"SUSE Bug 1175760","url":"https://bugzilla.suse.com/1175760"},{"category":"self","summary":"SUSE CVE CVE-2020-24614 page","url":"https://www.suse.com/security/cve/CVE-2020-24614/"}],"title":"Security update for fossil","tracking":{"current_release_date":"2020-09-19T22:23:30Z","generator":{"date":"2020-09-19T22:23:30Z","engine":{"name":"cve-database.git:bin/generate-csaf.pl","version":"1"}},"id":"openSUSE-SU-2020:1478-1","initial_release_date":"2020-09-19T22:23:30Z","revision_history":[{"date":"2020-09-19T22:23:30Z","number":"1","summary":"Current version"}],"status":"final","version":"1"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_version","name":"fossil-2.12.1-bp152.2.3.1.aarch64","product":{"name":"fossil-2.12.1-bp152.2.3.1.aarch64","product_id":"fossil-2.12.1-bp152.2.3.1.aarch64"}}],"category":"architecture","name":"aarch64"},{"branches":[{"category":"product_version","name":"fossil-2.12.1-bp152.2.3.1.ppc64le","product":{"name":"fossil-2.12.1-bp152.2.3.1.ppc64le","product_id":"fossil-2.12.1-bp152.2.3.1.ppc64le"}}],"category":"architecture","name":"ppc64le"},{"branches":[{"category":"product_version","name":"fossil-2.12.1-bp152.2.3.1.s390x","product":{"name":"fossil-2.12.1-bp152.2.3.1.s390x","product_id":"fossil-2.12.1-bp152.2.3.1.s390x"}}],"category":"architecture","name":"s390x"},{"branches":[{"category":"product_version","name":"fossil-2.12.1-bp152.2.3.1.x86_64","product":{"name":"fossil-2.12.1-bp152.2.3.1.x86_64","product_id":"fossil-2.12.1-bp152.2.3.1.x86_64"}}],"category":"architecture","name":"x86_64"},{"branches":[{"category":"product_name","name":"SUSE Package Hub 15 SP1","product":{"name":"SUSE Package Hub 15 SP1","product_id":"SUSE Package Hub 15 SP1"}},{"category":"product_name","name":"SUSE Package Hub 15 SP2","product":{"name":"SUSE Package Hub 15 SP2","product_id":"SUSE Package Hub 15 SP2"}},{"category":"product_name","name":"openSUSE Leap 15.1","product":{"name":"openSUSE Leap 15.1","product_id":"openSUSE Leap 15.1","product_identification_helper":{"cpe":"cpe:/o:opensuse:leap:15.1"}}},{"category":"product_name","name":"openSUSE Leap 15.2","product":{"name":"openSUSE Leap 15.2","product_id":"openSUSE Leap 15.2","product_identification_helper":{"cpe":"cpe:/o:opensuse:leap:15.2"}}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"fossil-2.12.1-bp152.2.3.1.aarch64 as component of SUSE Package Hub 15 SP1","product_id":"SUSE Package Hub 15 SP1:fossil-2.12.1-bp152.2.3.1.aarch64"},"product_reference":"fossil-2.12.1-bp152.2.3.1.aarch64","relates_to_product_reference":"SUSE Package Hub 15 SP1"},{"category":"default_component_of","full_product_name":{"name":"fossil-2.12.1-bp152.2.3.1.ppc64le as component of SUSE Package Hub 15 SP1","product_id":"SUSE Package Hub 15 SP1:fossil-2.12.1-bp152.2.3.1.ppc64le"},"product_reference":"fossil-2.12.1-bp152.2.3.1.ppc64le","relates_to_product_reference":"SUSE Package Hub 15 SP1"},{"category":"default_component_of","full_product_name":{"name":"fossil-2.12.1-bp152.2.3.1.s390x as component of SUSE Package Hub 15 SP1","product_id":"SUSE Package Hub 15 SP1:fossil-2.12.1-bp152.2.3.1.s390x"},"product_reference":"fossil-2.12.1-bp152.2.3.1.s390x","relates_to_product_reference":"SUSE Package Hub 15 SP1"},{"category":"default_component_of","full_product_name":{"name":"fossil-2.12.1-bp152.2.3.1.x86_64 as component of SUSE Package Hub 15 SP1","product_id":"SUSE Package Hub 15 SP1:fossil-2.12.1-bp152.2.3.1.x86_64"},"product_reference":"fossil-2.12.1-bp152.2.3.1.x86_64","relates_to_product_reference":"SUSE Package Hub 15 SP1"},{"category":"default_component_of","full_product_name":{"name":"fossil-2.12.1-bp152.2.3.1.aarch64 as component of SUSE Package Hub 15 SP2","product_id":"SUSE Package Hub 15 SP2:fossil-2.12.1-bp152.2.3.1.aarch64"},"product_reference":"fossil-2.12.1-bp152.2.3.1.aarch64","relates_to_product_reference":"SUSE Package Hub 15 SP2"},{"category":"default_component_of","full_product_name":{"name":"fossil-2.12.1-bp152.2.3.1.ppc64le as component of SUSE Package Hub 15 SP2","product_id":"SUSE Package Hub 15 SP2:fossil-2.12.1-bp152.2.3.1.ppc64le"},"product_reference":"fossil-2.12.1-bp152.2.3.1.ppc64le","relates_to_product_reference":"SUSE Package Hub 15 SP2"},{"category":"default_component_of","full_product_name":{"name":"fossil-2.12.1-bp152.2.3.1.s390x as component of SUSE Package Hub 15 SP2","product_id":"SUSE Package Hub 15 SP2:fossil-2.12.1-bp152.2.3.1.s390x"},"product_reference":"fossil-2.12.1-bp152.2.3.1.s390x","relates_to_product_reference":"SUSE Package Hub 15 SP2"},{"category":"default_component_of","full_product_name":{"name":"fossil-2.12.1-bp152.2.3.1.x86_64 as component of SUSE Package Hub 15 SP2","product_id":"SUSE Package Hub 15 SP2:fossil-2.12.1-bp152.2.3.1.x86_64"},"product_reference":"fossil-2.12.1-bp152.2.3.1.x86_64","relates_to_product_reference":"SUSE Package Hub 15 SP2"},{"category":"default_component_of","full_product_name":{"name":"fossil-2.12.1-bp152.2.3.1.aarch64 as component of openSUSE Leap 15.1","product_id":"openSUSE Leap 15.1:fossil-2.12.1-bp152.2.3.1.aarch64"},"product_reference":"fossil-2.12.1-bp152.2.3.1.aarch64","relates_to_product_reference":"openSUSE Leap 15.1"},{"category":"default_component_of","full_product_name":{"name":"fossil-2.12.1-bp152.2.3.1.ppc64le as component of openSUSE Leap 15.1","product_id":"openSUSE Leap 15.1:fossil-2.12.1-bp152.2.3.1.ppc64le"},"product_reference":"fossil-2.12.1-bp152.2.3.1.ppc64le","relates_to_product_reference":"openSUSE Leap 15.1"},{"category":"default_component_of","full_product_name":{"name":"fossil-2.12.1-bp152.2.3.1.s390x as component of openSUSE Leap 15.1","product_id":"openSUSE Leap 15.1:fossil-2.12.1-bp152.2.3.1.s390x"},"product_reference":"fossil-2.12.1-bp152.2.3.1.s390x","relates_to_product_reference":"openSUSE Leap 15.1"},{"category":"default_component_of","full_product_name":{"name":"fossil-2.12.1-bp152.2.3.1.x86_64 as component of openSUSE Leap 15.1","product_id":"openSUSE Leap 15.1:fossil-2.12.1-bp152.2.3.1.x86_64"},"product_reference":"fossil-2.12.1-bp152.2.3.1.x86_64","relates_to_product_reference":"openSUSE Leap 15.1"},{"category":"default_component_of","full_product_name":{"name":"fossil-2.12.1-bp152.2.3.1.aarch64 as component of openSUSE Leap 15.2","product_id":"openSUSE Leap 15.2:fossil-2.12.1-bp152.2.3.1.aarch64"},"product_reference":"fossil-2.12.1-bp152.2.3.1.aarch64","relates_to_product_reference":"openSUSE Leap 15.2"},{"category":"default_component_of","full_product_name":{"name":"fossil-2.12.1-bp152.2.3.1.ppc64le as component of openSUSE Leap 15.2","product_id":"openSUSE Leap 15.2:fossil-2.12.1-bp152.2.3.1.ppc64le"},"product_reference":"fossil-2.12.1-bp152.2.3.1.ppc64le","relates_to_product_reference":"openSUSE Leap 15.2"},{"category":"default_component_of","full_product_name":{"name":"fossil-2.12.1-bp152.2.3.1.s390x as component of openSUSE Leap 15.2","product_id":"openSUSE Leap 15.2:fossil-2.12.1-bp152.2.3.1.s390x"},"product_reference":"fossil-2.12.1-bp152.2.3.1.s390x","relates_to_product_reference":"openSUSE Leap 15.2"},{"category":"default_component_of","full_product_name":{"name":"fossil-2.12.1-bp152.2.3.1.x86_64 as component of openSUSE Leap 15.2","product_id":"openSUSE Leap 15.2:fossil-2.12.1-bp152.2.3.1.x86_64"},"product_reference":"fossil-2.12.1-bp152.2.3.1.x86_64","relates_to_product_reference":"openSUSE Leap 15.2"}]},"vulnerabilities":[{"cve":"CVE-2020-24614","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2020-24614"}],"notes":[{"category":"general","text":"Fossil before 2.10.2, 2.11.x before 2.11.2, and 2.12.x before 2.12.1 allows remote authenticated users to execute arbitrary code. An attacker must have check-in privileges on the repository.","title":"CVE description"}],"product_status":{"recommended":["SUSE Package Hub 15 SP1:fossil-2.12.1-bp152.2.3.1.aarch64","SUSE Package Hub 15 SP1:fossil-2.12.1-bp152.2.3.1.ppc64le","SUSE Package Hub 15 SP1:fossil-2.12.1-bp152.2.3.1.s390x","SUSE Package Hub 15 SP1:fossil-2.12.1-bp152.2.3.1.x86_64","SUSE Package Hub 15 SP2:fossil-2.12.1-bp152.2.3.1.aarch64","SUSE Package Hub 15 SP2:fossil-2.12.1-bp152.2.3.1.ppc64le","SUSE Package Hub 15 SP2:fossil-2.12.1-bp152.2.3.1.s390x","SUSE Package Hub 15 SP2:fossil-2.12.1-bp152.2.3.1.x86_64","openSUSE Leap 15.1:fossil-2.12.1-bp152.2.3.1.aarch64","openSUSE Leap 15.1:fossil-2.12.1-bp152.2.3.1.ppc64le","openSUSE Leap 15.1:fossil-2.12.1-bp152.2.3.1.s390x","openSUSE Leap 15.1:fossil-2.12.1-bp152.2.3.1.x86_64","openSUSE Leap 15.2:fossil-2.12.1-bp152.2.3.1.aarch64","openSUSE Leap 15.2:fossil-2.12.1-bp152.2.3.1.ppc64le","openSUSE Leap 15.2:fossil-2.12.1-bp152.2.3.1.s390x","openSUSE Leap 15.2:fossil-2.12.1-bp152.2.3.1.x86_64"]},"references":[{"category":"external","summary":"CVE-2020-24614","url":"https://www.suse.com/security/cve/CVE-2020-24614"},{"category":"external","summary":"SUSE Bug 1175760 for CVE-2020-24614","url":"https://bugzilla.suse.com/1175760"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["SUSE Package Hub 15 SP1:fossil-2.12.1-bp152.2.3.1.aarch64","SUSE Package Hub 15 SP1:fossil-2.12.1-bp152.2.3.1.ppc64le","SUSE Package Hub 15 SP1:fossil-2.12.1-bp152.2.3.1.s390x","SUSE Package Hub 15 SP1:fossil-2.12.1-bp152.2.3.1.x86_64","SUSE Package Hub 15 SP2:fossil-2.12.1-bp152.2.3.1.aarch64","SUSE Package Hub 15 SP2:fossil-2.12.1-bp152.2.3.1.ppc64le","SUSE Package Hub 15 SP2:fossil-2.12.1-bp152.2.3.1.s390x","SUSE Package Hub 15 SP2:fossil-2.12.1-bp152.2.3.1.x86_64","openSUSE Leap 15.1:fossil-2.12.1-bp152.2.3.1.aarch64","openSUSE Leap 15.1:fossil-2.12.1-bp152.2.3.1.ppc64le","openSUSE Leap 15.1:fossil-2.12.1-bp152.2.3.1.s390x","openSUSE Leap 15.1:fossil-2.12.1-bp152.2.3.1.x86_64","openSUSE Leap 15.2:fossil-2.12.1-bp152.2.3.1.aarch64","openSUSE Leap 15.2:fossil-2.12.1-bp152.2.3.1.ppc64le","openSUSE Leap 15.2:fossil-2.12.1-bp152.2.3.1.s390x","openSUSE Leap 15.2:fossil-2.12.1-bp152.2.3.1.x86_64"]}],"scores":[{"cvss_v3":{"baseScore":8.8,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["SUSE Package Hub 15 SP1:fossil-2.12.1-bp152.2.3.1.aarch64","SUSE Package Hub 15 SP1:fossil-2.12.1-bp152.2.3.1.ppc64le","SUSE Package Hub 15 SP1:fossil-2.12.1-bp152.2.3.1.s390x","SUSE Package Hub 15 SP1:fossil-2.12.1-bp152.2.3.1.x86_64","SUSE Package Hub 15 SP2:fossil-2.12.1-bp152.2.3.1.aarch64","SUSE Package Hub 15 SP2:fossil-2.12.1-bp152.2.3.1.ppc64le","SUSE Package Hub 15 SP2:fossil-2.12.1-bp152.2.3.1.s390x","SUSE Package Hub 15 SP2:fossil-2.12.1-bp152.2.3.1.x86_64","openSUSE Leap 15.1:fossil-2.12.1-bp152.2.3.1.aarch64","openSUSE Leap 15.1:fossil-2.12.1-bp152.2.3.1.ppc64le","openSUSE Leap 15.1:fossil-2.12.1-bp152.2.3.1.s390x","openSUSE Leap 15.1:fossil-2.12.1-bp152.2.3.1.x86_64","openSUSE Leap 15.2:fossil-2.12.1-bp152.2.3.1.aarch64","openSUSE Leap 15.2:fossil-2.12.1-bp152.2.3.1.ppc64le","openSUSE Leap 15.2:fossil-2.12.1-bp152.2.3.1.s390x","openSUSE Leap 15.2:fossil-2.12.1-bp152.2.3.1.x86_64"]}],"threats":[{"category":"impact","date":"2020-09-19T22:23:30Z","details":"moderate"}],"title":"CVE-2020-24614"}]}