File _patchinfo of Package patchinfo.29650

<patchinfo incident="29650">
  <issue tracker="bnc" id="1204769">RMT Mirror Warning product.license/directory.yast - File does not exist and Error while mirroring packages</issue>
  <issue tracker="bnc" id="1211398">smt-gce.susecloud.net is denied for SLEM 5.4 repository on GCE instance after some time</issue>
  <issue tracker="bnc" id="1204285">VUL-0: CVE-2022-31254: rmt-server: rmt-server-pubcloud allows to escalate from user _rmt to root</issue>
  <issue tracker="bnc" id="1203171">Mirroring RHEL channels results in Error while moving directory read-only file system</issue>
  <issue tracker="bnc" id="1209507">VUL-0: CVE-2023-28120: rmt-server: rubygem-activesupport: Possible XSS in SafeBuffer#bytesplice</issue>
  <issue tracker="bnc" id="1209096">VUL-0: CVE-2023-27530: rmt-server: rubygem-rack: Denial of service in Multipart MIME parsing</issue>
  <issue tracker="bnc" id="1205089">RMT 2.9 breaks cloud client system registration</issue>
  <issue tracker="bnc" id="1207670">rmt: wrong permissions on /usr/share/rmt/config/secrets.yml.key after package installation 2.10 works with 2.9</issue>
  <issue tracker="bnc" id="1202053">Nokogiri was built against LibXML version 2.9.12, but has dynamically loaded 2.9.14</issue>
  <issue tracker="bnc" id="1206593">[Build :27148:rmt-server] openQA test fails in update_install - posttrans script failed, nginx.service not active, cannot reload</issue>
  <issue tracker="bnc" id="1209825">rmt-client-setup-res forces use of HTTP (without S)</issue>
  <issue tracker="cve" id="2022-31254"/>
  <issue tracker="cve" id="2023-28120"/>
  <issue tracker="cve" id="2023-27530"/>
  <packager>digitaltomm</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for rmt-server</summary>
  <description>This update for rmt-server fixes the following issues:

Update to version 2.13:

- CVE-2023-28120: Fixed a possible XSS vulnerability in ActiveSupport's SafeBuffer#bytesplice, where bytesliced strings were still treated as html_safe (bsc#1209507).
- CVE-2023-27530: Fixed a denial of service in rubygem-rack multipart MIME parsing (bsc#1209096).
- CVE-2022-31254: Fixed a privilege escalation from the _rmt user to root caused by the rmt-server-pubcloud packaging (bsc#1204285).

Bug fixes:

- Handle the X-Original-URI header (partial fix for bsc#1211398)
- Force the rmt-client-setup-res script to use HTTPS (bsc#1209825)
- Mark the secrets.yml.key file as part of the rpm to allow seamless downgrades (bsc#1207670)
- Add -f to the file move command used to move the mirrored directory to its final location (bsc#1203171)
- Fix the nginx reload in the %post install scriptlet of the pubcloud subpackage (bsc#1206593)
- Skip warnings about the nokogiri libxml version mismatch (bsc#1202053)
- Add an option to turn off system token support (bsc#1205089)
- Do not retry importing non-existing files in air-gapped mode (bsc#1204769)
</description>
</patchinfo>