{"affected":[{"ecosystem_specific":{"binaries":[{"fossil":"2.12.1-bp152.2.3.1"}]},"package":{"ecosystem":"SUSE:Package Hub 15 SP1","name":"fossil","purl":"pkg:rpm/suse/fossil&distro=SUSE%20Package%20Hub%2015%20SP1"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"2.12.1-bp152.2.3.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"fossil":"2.12.1-bp152.2.3.1"}]},"package":{"ecosystem":"SUSE:Package Hub 15 SP2","name":"fossil","purl":"pkg:rpm/suse/fossil&distro=SUSE%20Package%20Hub%2015%20SP2"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"2.12.1-bp152.2.3.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"fossil":"2.12.1-bp152.2.3.1"}]},"package":{"ecosystem":"openSUSE:Leap 15.1","name":"fossil","purl":"pkg:rpm/opensuse/fossil&distro=openSUSE%20Leap%2015.1"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"2.12.1-bp152.2.3.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"fossil":"2.12.1-bp152.2.3.1"}]},"package":{"ecosystem":"openSUSE:Leap 15.2","name":"fossil","purl":"pkg:rpm/opensuse/fossil&distro=openSUSE%20Leap%2015.2"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"2.12.1-bp152.2.3.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for fossil fixes the following issues:\n\n- fossil 2.12.1:\n  * CVE-2020-24614: Remote authenticated users with check-in or\n    administrative privileges could have executed arbitrary code\n    [boo#1175760]\n  * Security fix in the 'fossil git export' command. New\n    'safety-net' features were added to prevent similar problems\n    in the future.\n  * Enhancements to the graph display for cases when there are\n    many cherry-pick merges into a single check-in. Example\n  * Enhance the fossil open command with the new --workdir option\n    and the ability to accept a URL as the repository name,\n    causing the remote repository to be cloned automatically. Do\n    not allow 'fossil open' to open in a non-empty working\n    directory unless the --keep option or the new --force option\n    is used.\n  * Enhance the markdown formatter to more closely follow the\n    CommonMark specification with regard to text\n    highlighting. Underscores in the middle of identifiers (ex:\n    fossil_printf()) no longer need to be escaped.\n  * The markdown-to-html translator can prevent unsafe HTML (for\n    example: <script>) on user-contributed pages like forum and\n    tickets and wiki. The admin can adjust this behavior using the\n    safe-html setting on the Admin/Wiki page. The default is to\n    disallow unsafe HTML everywhere.\n  * Added the 'collapse' and 'expand' capability for long forum\n    posts.\n  * The 'fossil remote' command now has options for specifying\n    multiple persistent remotes with symbolic names. Currently\n    only one remote can be used at a time, but that might change\n    in the future.\n  * Add the 'Remember me?' checkbox on the login page. Use a\n    session cookie for the login if it is not checked.\n  * Added the experimental 'fossil hook' command for managing\n    'hook scripts' that run before checkin or after a push.\n  * Enhance the fossil revert command so that it is able to revert\n    all files beneath a directory.\n  * Add the fossil bisect skip command.\n  * Add the fossil backup command.\n  * Enhance fossil bisect ui so that it shows all unchecked\n    check-ins in between the innermost 'good' and 'bad' check-ins.\n  * Added the --reset flag to the 'fossil add', 'fossil rm', and\n    'fossil addremove' commands.\n  * Added the '--min N' and '--logfile FILENAME' flags to the\n    backoffice command, as well as other enhancements to make the\n    backoffice command a viable replacement for automatic\n    backoffice. Other incremental backoffice improvements.\n  * Added the /fileedit page, which allows editing of text files\n    online. Requires explicit activation by a setup user.\n  * Translate built-in help text into HTML for display on web\n    pages.\n  * On the /timeline webpage, the combination of query parameters\n    'p=CHECKIN' and 'bt=ANCESTOR' draws all ancestors of CHECKIN\n    going back to ANCESTOR.\n  * Update the built-in SQLite so that the 'fossil sql' command\n    supports new output modes '.mode box' and '.mode json'.\n  * Add the 'obscure()' SQL function to the 'fossil sql' command.\n  * Added virtual tables 'helptext' and 'builtin' to the 'fossil\n    sql' command, providing access to the dispatch table including\n    all help text, and the builtin data files, respectively.\n  * Delta compression is now applied to forum edits.\n  * The wiki editor has been modernized and is now Ajax-based.\n- Package the fossil.1 manual page.\n\n- fossil 2.11.1:\n  * Make the 'fossil git export' command more restrictive about\n    characters that it allows in the tag names\n\n- Add fossil-2.11-reproducible.patch to override build date (boo#1047218)\n","id":"openSUSE-SU-2020:1478-1","modified":"2020-09-19T22:23:30Z","published":"2020-09-19T22:23:30Z","references":[{"type":"ADVISORY","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UDTH7FFF6GQ4G6LJ7CMSIEYC7EJDH6MA/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1047218"},{"type":"REPORT","url":"https://bugzilla.suse.com/1175760"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2020-24614"}],"related":["CVE-2020-24614"],"summary":"Security update for fossil","upstream":["CVE-2020-24614"]}