nim-1.6.6-3.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:12253 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z nim-1.6.6-3.1 on GA media These are all security issues fixed in the nim-1.6.6-3.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-12253 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:12253 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2020-15690/ SUSE CVE CVE-2020-15690 page https://www.suse.com/security/cve/CVE-2020-15692/ SUSE CVE CVE-2020-15692 page https://www.suse.com/security/cve/CVE-2020-15693/ SUSE CVE CVE-2020-15693 page https://www.suse.com/security/cve/CVE-2020-15694/ SUSE CVE CVE-2020-15694 page https://www.suse.com/security/cve/CVE-2021-29495/ SUSE CVE CVE-2021-29495 page https://www.suse.com/security/cve/CVE-2021-41259/ SUSE CVE CVE-2021-41259 page openSUSE Tumbleweed nim-1.6.6-3.1 nim-1.6.6-3.1 as a component of openSUSE Tumbleweed In Nim before 1.2.6, the standard library asyncftpclient lacks a check for whether a message contains a newline character. CVE-2020-15690 openSUSE Tumbleweed:nim-1.6.6-3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-15690.html CVE-2020-15690 https://bugzilla.suse.com/1181705 SUSE Bug 1181705 In Nim 1.2.4, the standard library browsers mishandles the URL argument to browsers.openDefaultBrowser. This argument can be a local file path that will be opened in the default explorer. An attacker can pass one argument to the underlying open command to execute arbitrary registered system commands. CVE-2020-15692 openSUSE Tumbleweed:nim-1.6.6-3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-15692.html CVE-2020-15692 https://bugzilla.suse.com/1175334 SUSE Bug 1175334 In Nim 1.2.4, the standard library httpClient is vulnerable to a CR-LF injection in the target URL. An injection is possible if the attacker controls any part of the URL provided in a call (such as httpClient.get or httpClient.post), the User-Agent header value, or custom HTTP header names or values. CVE-2020-15693 openSUSE Tumbleweed:nim-1.6.6-3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-15693.html CVE-2020-15693 https://bugzilla.suse.com/1175333 SUSE Bug 1175333 In Nim 1.2.4, the standard library httpClient fails to properly validate the server response. For example, httpClient.get().contentLength() does not raise any error if a malicious server provides a negative Content-Length. CVE-2020-15694 openSUSE Tumbleweed:nim-1.6.6-3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-15694.html CVE-2020-15694 https://bugzilla.suse.com/1175332 SUSE Bug 1175332 Nim is a statically typed compiled systems programming language. In Nim standard library before 1.4.2, httpClient SSL/TLS certificate verification was disabled by default. Users can upgrade to version 1.4.2 to receive a patch or, as a workaround, set "verifyMode = CVerifyPeer" as documented. CVE-2021-29495 openSUSE Tumbleweed:nim-1.6.6-3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-29495.html CVE-2021-29495 https://bugzilla.suse.com/1185948 SUSE Bug 1185948 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. Notes: None. CVE-2021-41259 openSUSE Tumbleweed:nim-1.6.6-3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-41259.html CVE-2021-41259 https://bugzilla.suse.com/1192712 SUSE Bug 1192712