Security update for nim SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2022:10101-1 Final 1 1 2022-08-27T12:33:24Z current 2022-08-27T12:33:24Z 2022-08-27T12:33:24Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for nim This update for nim fixes the following issues: Includes upstream security fixes for: * (boo#1175333, CVE-2020-15693) httpClient is vulnerable to a CR-LF injection * (boo#1175334, CVE-2020-15692) mishandle of argument to browsers.openDefaultBrowser * (boo#1175332, CVE-2020-15694) httpClient.get().contentLength() fails to properly validate the server response * (boo#1192712, CVE-2021-41259) null byte accepted in getContent function, leading to URI validation bypass * (boo#1185948, CVE-2021-29495) stdlib httpClient does not validate peer certificates by default * (boo#1185085, CVE-2021-21374) Improper verification of the SSL/TLS certificate * (boo#1185084, CVE-2021-21373) 'nimble refresh' falls back to a non-TLS URL in case of error * (boo#1185083, CVE-2021-21372) doCmd can be leveraged to execute arbitrary commands * (boo#1181705, CVE-2020-15690) Standard library asyncftpclient lacks a check for newline character Update to 1.6.6 * standard library use consistent styles for variable names so it can be used in projects which force a consistent style with --styleCheck:usages option. * ARC/ORC are now considerably faster at method dispatching, bringing its performance back on the level of the refc memory management. * Full changelog: https://nim-lang.org/blog/2022/05/05/version-166-released.html - Previous updates and changelogs: * 1.6.4: https://nim-lang.org/blog/2022/02/08/version-164-released.html * 1.6.2: https://nim-lang.org/blog/2021/12/17/version-162-released.html * 1.6.0: https://nim-lang.org/blog/2021/10/19/version-160-released.html * 1.4.8: https://nim-lang.org/blog/2021/05/25/version-148-released.html * 1.4.6: https://nim-lang.org/blog/2021/04/15/versions-146-and-1212-released.html * 1.4.4: https://nim-lang.org/blog/2021/02/23/versions-144-and-1210-released.html * 1.4.2: https://nim-lang.org/blog/2020/12/01/version-142-released.html * 1.4.0: https://nim-lang.org/blog/2020/10/16/version-140-released.html update to 1.2.16 * oids: switch from PRNG to random module * nimc.rst: fix table markup * nimRawSetjmp: support Windows * correctly enable chronos * bigints are not supposed to work on 1.2.x * disable nimpy * misc bugfixes * fixes a 'mixin' statement handling regression [backport:1.2 The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2022-10101 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SNDISR45BBTIWW5MDTIQOSRHOEV3XUKF/ E-Mail link for openSUSE-SU-2022:10101-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1175332 SUSE Bug 1175332 https://bugzilla.suse.com/1175333 SUSE Bug 1175333 https://bugzilla.suse.com/1175334 SUSE Bug 1175334 https://bugzilla.suse.com/1181705 SUSE Bug 1181705 https://bugzilla.suse.com/1185083 SUSE Bug 1185083 https://bugzilla.suse.com/1185084 SUSE Bug 1185084 https://bugzilla.suse.com/1185085 SUSE Bug 1185085 https://bugzilla.suse.com/1185948 SUSE Bug 1185948 https://bugzilla.suse.com/1192712 SUSE Bug 1192712 https://www.suse.com/security/cve/CVE-2020-15690/ SUSE CVE CVE-2020-15690 page https://www.suse.com/security/cve/CVE-2020-15692/ SUSE CVE CVE-2020-15692 page https://www.suse.com/security/cve/CVE-2020-15693/ SUSE CVE CVE-2020-15693 page https://www.suse.com/security/cve/CVE-2020-15694/ SUSE CVE CVE-2020-15694 page https://www.suse.com/security/cve/CVE-2021-21372/ SUSE CVE CVE-2021-21372 page https://www.suse.com/security/cve/CVE-2021-21373/ SUSE CVE CVE-2021-21373 page https://www.suse.com/security/cve/CVE-2021-21374/ SUSE CVE CVE-2021-21374 page https://www.suse.com/security/cve/CVE-2021-29495/ SUSE CVE CVE-2021-29495 page https://www.suse.com/security/cve/CVE-2021-41259/ SUSE CVE CVE-2021-41259 page SUSE Package Hub 15 SP4 openSUSE Leap 15.4 nim-1.6.6-bp154.2.3.1 nim-1.6.6-bp154.2.3.1 as a component of SUSE Package Hub 15 SP4 nim-1.6.6-bp154.2.3.1 as a component of openSUSE Leap 15.4 In Nim before 1.2.6, the standard library asyncftpclient lacks a check for whether a message contains a newline character. CVE-2020-15690 SUSE Package Hub 15 SP4:nim-1.6.6-bp154.2.3.1 openSUSE Leap 15.4:nim-1.6.6-bp154.2.3.1 critical 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SNDISR45BBTIWW5MDTIQOSRHOEV3XUKF/ https://www.suse.com/security/cve/CVE-2020-15690.html CVE-2020-15690 https://bugzilla.suse.com/1181705 SUSE Bug 1181705 In Nim 1.2.4, the standard library browsers mishandles the URL argument to browsers.openDefaultBrowser. This argument can be a local file path that will be opened in the default explorer. An attacker can pass one argument to the underlying open command to execute arbitrary registered system commands. CVE-2020-15692 SUSE Package Hub 15 SP4:nim-1.6.6-bp154.2.3.1 openSUSE Leap 15.4:nim-1.6.6-bp154.2.3.1 critical 10 AV:N/AC:L/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SNDISR45BBTIWW5MDTIQOSRHOEV3XUKF/ https://www.suse.com/security/cve/CVE-2020-15692.html CVE-2020-15692 https://bugzilla.suse.com/1175334 SUSE Bug 1175334 In Nim 1.2.4, the standard library httpClient is vulnerable to a CR-LF injection in the target URL. An injection is possible if the attacker controls any part of the URL provided in a call (such as httpClient.get or httpClient.post), the User-Agent header value, or custom HTTP header names or values. CVE-2020-15693 SUSE Package Hub 15 SP4:nim-1.6.6-bp154.2.3.1 openSUSE Leap 15.4:nim-1.6.6-bp154.2.3.1 moderate 6.4 AV:N/AC:L/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SNDISR45BBTIWW5MDTIQOSRHOEV3XUKF/ https://www.suse.com/security/cve/CVE-2020-15693.html CVE-2020-15693 https://bugzilla.suse.com/1175333 SUSE Bug 1175333 In Nim 1.2.4, the standard library httpClient fails to properly validate the server response. For example, httpClient.get().contentLength() does not raise any error if a malicious server provides a negative Content-Length. CVE-2020-15694 SUSE Package Hub 15 SP4:nim-1.6.6-bp154.2.3.1 openSUSE Leap 15.4:nim-1.6.6-bp154.2.3.1 critical 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SNDISR45BBTIWW5MDTIQOSRHOEV3XUKF/ https://www.suse.com/security/cve/CVE-2020-15694.html CVE-2020-15694 https://bugzilla.suse.com/1175332 SUSE Bug 1175332 Nimble is a package manager for the Nim programming language. In Nim release version before versions 1.2.10 and 1.4.4, Nimble doCmd is used in different places and can be leveraged to execute arbitrary commands. An attacker can craft a malicious entry in the packages.json package list to trigger code execution. CVE-2021-21372 SUSE Package Hub 15 SP4:nim-1.6.6-bp154.2.3.1 openSUSE Leap 15.4:nim-1.6.6-bp154.2.3.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SNDISR45BBTIWW5MDTIQOSRHOEV3XUKF/ https://www.suse.com/security/cve/CVE-2021-21372.html CVE-2021-21372 https://bugzilla.suse.com/1185083 SUSE Bug 1185083 Nimble is a package manager for the Nim programming language. In Nim release versions before versions 1.2.10 and 1.4.4, "nimble refresh" fetches a list of Nimble packages over HTTPS by default. In case of error it falls back to a non-TLS URL http://irclogs.nim-lang.org/packages.json. An attacker able to perform MitM can deliver a modified package list containing malicious software packages. If the packages are installed and used the attack escalates to untrusted code execution. CVE-2021-21373 SUSE Package Hub 15 SP4:nim-1.6.6-bp154.2.3.1 openSUSE Leap 15.4:nim-1.6.6-bp154.2.3.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SNDISR45BBTIWW5MDTIQOSRHOEV3XUKF/ https://www.suse.com/security/cve/CVE-2021-21373.html CVE-2021-21373 https://bugzilla.suse.com/1185084 SUSE Bug 1185084 Nimble is a package manager for the Nim programming language. In Nim release versions before versions 1.2.10 and 1.4.4, "nimble refresh" fetches a list of Nimble packages over HTTPS without full verification of the SSL/TLS certificate due to the default setting of httpClient. An attacker able to perform MitM can deliver a modified package list containing malicious software packages. If the packages are installed and used the attack escalates to untrusted code execution. CVE-2021-21374 SUSE Package Hub 15 SP4:nim-1.6.6-bp154.2.3.1 openSUSE Leap 15.4:nim-1.6.6-bp154.2.3.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SNDISR45BBTIWW5MDTIQOSRHOEV3XUKF/ https://www.suse.com/security/cve/CVE-2021-21374.html CVE-2021-21374 https://bugzilla.suse.com/1185085 SUSE Bug 1185085 Nim is a statically typed compiled systems programming language. In Nim standard library before 1.4.2, httpClient SSL/TLS certificate verification was disabled by default. Users can upgrade to version 1.4.2 to receive a patch or, as a workaround, set "verifyMode = CVerifyPeer" as documented. CVE-2021-29495 SUSE Package Hub 15 SP4:nim-1.6.6-bp154.2.3.1 openSUSE Leap 15.4:nim-1.6.6-bp154.2.3.1 important 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SNDISR45BBTIWW5MDTIQOSRHOEV3XUKF/ https://www.suse.com/security/cve/CVE-2021-29495.html CVE-2021-29495 https://bugzilla.suse.com/1185948 SUSE Bug 1185948 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. Notes: None. CVE-2021-41259 SUSE Package Hub 15 SP4:nim-1.6.6-bp154.2.3.1 openSUSE Leap 15.4:nim-1.6.6-bp154.2.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SNDISR45BBTIWW5MDTIQOSRHOEV3XUKF/ https://www.suse.com/security/cve/CVE-2021-41259.html CVE-2021-41259 https://bugzilla.suse.com/1192712 SUSE Bug 1192712