openSUSE-SU-2020:1478-1

Security update for fossil (important)

Published 2020-09-20 via lists.opensuse.org

EPSS score 0.011 (Low), percentile 84.6%

An update that solves one vulnerability and has one erratum
is now available.

Description:

This update for fossil fixes the following issues:

  • fossil 2.12.1:

    • CVE-2020-24614: Remote authenticated users with check-in or
      administrative privileges could have executed arbitrary code
      [boo#1175760]
    • Security fix in the “fossil git export” command. New “safety-net”
      features were added to prevent similar problems in the future.
    • Enhancements to the graph display for cases when there are many
      cherry-pick merges into a single check-in.
    • Enhance the fossil open command with the new --workdir option and the
      ability to accept a URL as the repository name, causing the remote
      repository to be cloned automatically. Do not allow “fossil open” to
      open in a non-empty working directory unless the --keep option or the
      new --force option is used.
    • Enhance the markdown formatter to more closely follow the CommonMark
      specification with regard to text highlighting. Underscores in the
      middle of identifiers (ex: fossil_printf()) no longer need to be
      escaped.
    • The markdown-to-html translator can prevent unsafe HTML (for example:
      <script>) on user-contributed pages like forum and tickets and wiki.
      The admin can adjust this behavior using the safe-html setting on the
      Admin/Wiki page. The default is to disallow unsafe HTML everywhere.
    • Added the “collapse” and “expand” capability for long forum posts.
    • The “fossil remote” command now has options for specifying multiple
      persistent remotes with symbolic names. Currently
      only one remote can be used at a time, but that might change in the
      future.
    • Add the “Remember me?” checkbox on the login page. Use a session
      cookie for the login if it is not checked.
    • Added the experimental “fossil hook” command for managing “hook
      scripts” that run before checkin or after a push.
    • Enhance the fossil revert command so that it is able to revert all
      files beneath a directory.
    • Add the fossil bisect skip command.
    • Add the fossil backup command.
    • Enhance fossil bisect ui so that it shows all unchecked check-ins in
      between the innermost “good” and “bad” check-ins.
    • Added the --reset flag to the “fossil add”, “fossil rm”, and “fossil
      addremove” commands.
    • Added the “--min N” and “--logfile FILENAME” flags to the backoffice
      command, as well as other enhancements to make the backoffice command
      a viable replacement for automatic backoffice. Other incremental
      backoffice improvements.
    • Added the /fileedit page, which allows editing of text files
      online. Requires explicit activation by a setup user.
    • Translate built-in help text into HTML for display on web pages.
    • On the /timeline webpage, the combination of query parameters
      “p=CHECKIN” and “bt=ANCESTOR” draws all ancestors of CHECKIN going
      back to ANCESTOR.
    • Update the built-in SQLite so that the “fossil sql” command supports
      new output modes “.mode box” and “.mode json”.
    • Add the “obscure()” SQL function to the “fossil sql” command.
    • Added virtual tables “helptext” and “builtin” to the “fossil sql”
      command, providing access to the dispatch table including all help
      text, and the builtin data files, respectively.
    • Delta compression is now applied to forum edits.
    • The wiki editor has been modernized and is now Ajax-based.
  • Package the fossil.1 manual page.

  • fossil 2.11.1:

    • Make the “fossil git export” command more restrictive about characters
      that it allows in the tag names
  • Add fossil-2.11-reproducible.patch to override build date (boo#1047218)
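The “fossil git export” hardening appears twice above: the 2.12.1 entry adds “safety-net” features, and the 2.11.1 entry restricts the characters allowed in tag names. The advisory does not say which character set fossil adopted, so the allow-list below is this editor's added illustration of that defensive pattern in shell, not fossil's own code; the name shapes it rejects are an assumption, deliberately narrower than what git itself accepts, and the sample names are constructed.

```shell
#!/bin/sh
# Added example, not fossil's code: an allow-list check for tag names before
# they are handed to an external tool such as git. The exact character set
# fossil 2.11.1 adopted is not stated in the advisory; this list is an
# assumption, deliberately narrower than what git itself accepts.
LC_ALL=C; export LC_ALL

# tag_name_is_safe NAME: exit 0 if NAME contains only [A-Za-z0-9._/-] and
# none of the shapes that a shell, git, or a fast-import stream could misread
# (leading '-', '..', '//', '@{', leading/trailing '.' or '/', '.lock').
tag_name_is_safe() {
    n="$1"
    [ -n "$n" ] || return 1
    [ ${#n} -le 255 ] || return 1
    case "$n" in
        -*|.*|*/|*.|*..*|*//*|*@\{*|*.lock) return 1 ;;
        *[!A-Za-z0-9._/-]*) return 1 ;;  # space, newline, ; | & $ ` quotes, non-ASCII
    esac
    return 0
}

# export_tag_cmd NAME HASH: print the git command that would be run for a
# checked name, or fail without printing anything. It is only printed here;
# an exporter would exec git with these as separate arguments, never through
# "sh -c" with string interpolation.
export_tag_cmd() {
    tag_name_is_safe "$1" || return 1
    printf 'git tag -- %s %s\n' "$1" "$2"
}

# Constructed sample names; none come from a real repository.
for name in 'v2.12.1' 'release/2020-09' 'v1; id' '$(id)' 'v1
evil' '-f' 'a..b'; do
    shown=$(printf '%s' "$name" | tr '\n' '?')
    if tag_name_is_safe "$name"; then
        printf 'ok      %s\n' "$shown"
    else
        printf 'REJECT  %s\n' "$shown"
    fi
done
```

The check is an allow-list rather than a deny-list on purpose: every byte outside the named set fails, so a newline, a quote or a shell metacharacter never reaches the command line regardless of which tool consumes the name later.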

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

  • openSUSE Leap 15.2:

    zypper in -t patch openSUSE-2020-1478=1

  • openSUSE Leap 15.1:

    zypper in -t patch openSUSE-2020-1478=1

  • openSUSE Backports SLE-15-SP2:

    zypper in -t patch openSUSE-2020-1478=1

  • openSUSE Backports SLE-15-SP1:

    zypper in -t patch openSUSE-2020-1478=1
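A check to run before and after applying the patch above, as an added example that is not part of the openSUSE advisory: it decides from a version string whether an installed fossil still predates 2.12.1, the version this update ships for CVE-2020-24614. The sample inputs (a “fossil version” banner, an rpm name and a bare version) are constructed, and the rpm release string in them is invented.

```shell
#!/bin/sh
# Added example, not part of the openSUSE advisory: tell whether an installed
# fossil predates 2.12.1, the version this update ships for CVE-2020-24614.
LC_ALL=C; export LC_ALL

FIXED_FOSSIL_VERSION=2.12.1   # from the advisory text

# version_lt A B: exit 0 when dot-separated version A sorts before B.
# Missing trailing fields count as 0 (2.12 < 2.12.1); letters in a field are
# dropped before comparing ("1a" compares as 1).
version_lt() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; a=${a#*.}
        fb=${b%%.*}; b=${b#*.}
        fa=$(printf '%s' "$fa" | tr -cd '0-9'); fa=${fa:-0}
        fb=$(printf '%s' "$fb" | tr -cd '0-9'); fb=${fb:-0}
        [ "$fa" -lt "$fb" ] && return 0
        [ "$fa" -gt "$fb" ] && return 1
    done
    return 1
}

# fossil_needs_update TEXT: TEXT is a bare version ("2.11.1"), the first line
# of "fossil version" ("This is fossil version 2.11.1 [hash] date ..."), or
# an rpm name from "rpm -q fossil". Exit 0 if an update is needed, 1 if the
# version is already at or past the fix, 2 if no version number was found.
fossil_needs_update() {
    v=$(printf '%s\n' "$1" | grep -o '[0-9][0-9]*\.[0-9][0-9.]*' | head -n 1)
    [ -n "$v" ] || return 2
    version_lt "$v" "$FIXED_FOSSIL_VERSION"
}

# Constructed sample inputs; no real system was queried. On a live host you
# would feed in "$(fossil version | head -n 1)" or "$(rpm -q fossil)".
for sample in \
    'This is fossil version 2.11.1 [a0b1c2d3e4] 2020-03-26 12:00:00 UTC' \
    'fossil-2.12.1-lp152.2.3.1.x86_64' \
    '2.12' \
    'fossil: command not found'; do
    rc=0; fossil_needs_update "$sample" || rc=$?
    case $rc in
        0) printf 'UPDATE NEEDED  %s\n' "$sample" ;;
        2) printf 'NO VERSION     %s\n' "$sample" ;;
        *) printf 'already fixed  %s\n' "$sample" ;;
    esac
done
```

If the check reports an update is needed, run the zypper command listed for your product above, then repeat the check against the new “fossil version” output to confirm the binary in PATH is the updated one.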

Affected products:

OS                       Version   Architectures
openSUSE Leap            15.2      x86_64
openSUSE Leap            15.1      x86_64
openSUSE Backports SLE   15-SP2    aarch64, ppc64le, s390x, x86_64
openSUSE Backports SLE   15-SP1    aarch64, ppc64le, s390x, x86_64
