libgit2-1_7-1.7.2-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:13661-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z libgit2-1_7-1.7.2-1.1 on GA media These are all security issues fixed in the libgit2-1_7-1.7.2-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-13661 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2024-24574/ SUSE CVE CVE-2024-24574 page https://www.suse.com/security/cve/CVE-2024-24577/ SUSE CVE CVE-2024-24577 page openSUSE Tumbleweed libgit2-1_7-1.7.2-1.1 libgit2-devel-1.7.2-1.1 libgit2-tools-1.7.2-1.1 libgit2-1_7-1.7.2-1.1 as a component of openSUSE Tumbleweed libgit2-devel-1.7.2-1.1 as a component of openSUSE Tumbleweed libgit2-tools-1.7.2-1.1 as a component of openSUSE Tumbleweed phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Unsafe echo of filename in phpMyFAQ\phpmyfaq\admin\attachments.php leads to allowed execution of JavaScript code in client side (XSS). This vulnerability has been patched in version 3.2.5. CVE-2024-24574 openSUSE Tumbleweed:libgit2-1_7-1.7.2-1.1 openSUSE Tumbleweed:libgit2-devel-1.7.2-1.1 openSUSE Tumbleweed:libgit2-tools-1.7.2-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-24574.html CVE-2024-24574 libgit2 is a portable C implementation of the Git core methods provided as a linkable library with a solid API, allowing to build Git functionality into your application. Using well-crafted inputs to `git_index_add` can cause heap corruption that could be leveraged for arbitrary code execution. There is an issue in the `has_dir_name` function in `src/libgit2/index.c`, which frees an entry that should not be freed. The freed entry is later used and overwritten with potentially bad actor-controlled data leading to controlled heap corruption. Depending on the application that uses libgit2, this could lead to arbitrary code execution. This issue has been patched in version 1.6.5 and 1.7.2. CVE-2024-24577 openSUSE Tumbleweed:libgit2-1_7-1.7.2-1.1 openSUSE Tumbleweed:libgit2-devel-1.7.2-1.1 openSUSE Tumbleweed:libgit2-tools-1.7.2-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-24577.html CVE-2024-24577 https://bugzilla.suse.com/1219660 SUSE Bug 1219660