<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
  <DocumentTitle xml:lang="en">Security update for osc, obs-scm-bridge</DocumentTitle>
  <DocumentType>SUSE Patch</DocumentType>
  <DocumentPublisher Type="Vendor">
    <ContactDetails>security@suse.de</ContactDetails>
    <IssuingAuthority>SUSE Security Team</IssuingAuthority>
  </DocumentPublisher>
  <DocumentTracking>
    <Identification>
      <ID>openSUSE-SU-2026:20361-1</ID>
    </Identification>
    <Status>Final</Status>
    <Version>1</Version>
    <RevisionHistory>
      <Revision>
        <Number>1</Number>
        <Date>2026-03-12T20:54:40Z</Date>
        <Description>current</Description>
      </Revision>
    </RevisionHistory>
    <InitialReleaseDate>2026-03-12T20:54:40Z</InitialReleaseDate>
    <CurrentReleaseDate>2026-03-12T20:54:40Z</CurrentReleaseDate>
    <Generator>
      <Engine>cve-database/bin/generate-cvrf.pl</Engine>
      <Date>2017-02-24T01:00:00Z</Date>
    </Generator>
  </DocumentTracking>
  <DocumentNotes>
    <Note Title="Topic" Type="Summary" Ordinal="1" xml:lang="en">Security update for osc, obs-scm-bridge</Note>
    <Note Title="Details" Type="General" Ordinal="2" xml:lang="en">This update for osc, obs-scm-bridge fixes the following issues:

Changes in osc:

- 1.24.0
  - Command-line:
    - Add '--target-owner' option to 'git-obs repo fork' command
    - Add '--self' parameter to fix 'no matching parent repo' error message in 'git-obs pr create'
    - Fix 'osc aggregatepac' for scmsync packages
    - Fix 'osc build' to retrieve buildconfig from git package's cache
    - Fix 'osc token' error handling for project wide trigger
    - Fix string formatting for id in obs-request.xml in 'git-obs pr dump'
  - Library:
    - Consolidate build types in build.py and commandline.py
    - Fix build.get_build_type() by comparing binary_type only if specified
    - Make use of queryconfig tool configurable and consistent
    - Fix how get_request_collection() filters the projects and packages
    - Support copying packages from an scmsync source, when target exists
    - Add timestamps to the DEBUG output
    - Update new project template

- 1.23.0
  - Command-line:
    - Add '--target-owner' option to 'git-obs pr create' to specify the target owner explicitly
    - Add '--target-branch' option to 'git-obs staging search' command
    - Added 'git-obs staging search' command to find project PRs with referenced package PRs that have all been approved
    - Change 'git-obs pr dump' to produce directories that match the specified pull request IDs
    - Change 'git-obs pr dump' to write STATUS file
    - Properly error out on invalid 'PR:' references in 'git-obs pr dump'
    - Fix 'git-obs pr create' when the source repo is not a fork
    - Fix 'git-obs api' command when server returns 'null'
    - Fix 'osc build --alternative-project=...' when there's no .osc in the current directory
    - Fix argument and store handling in 'osc results' command
  - Library:
    - Add Manifest.get_package_paths() method that lists all paths to existing packages in a project
    - Fix Manifest class to handle loading empty YAML files or strings
    - Fix working with meta during git rebase by determining the current branch from rebase head
    - Fix handling local branch when fetching remote
    - Move get_label_ids() from PullRequest to Repo class
    - Change GitStore not to require apiurl anymore
    - Fix storing last_buildroot for git packages
    - Store the last buildroot only if there's a store detected
    - Fix BuildRoot so it acts as a tuple and the individual values are accessible via indexes
    - Make PullRequest.parse_id() more permissive by accepting trailing whitespaces
    - Fix 'missingok' argument in server_diff()
    - Fix gitea_api.PullRequest ordering methods
    - Add return to gitea_api.Branch.list()

- PKGBUILD changes
  * Remove redundant packages from makedepends. If a package depends
    on something, it implicitly makedepends on it as well
  * Add python-ruamel-yaml dependency
  * Build and install man pages
  * Add python-argparse-manpage and python-sphinx to makedepends for
    building man pages
  * Add check() to run the test suite
  * Add checkdepends for test suite dependencies
  * Add optdepends as an equivalent to RPM's Recommends, making it
    easier for users to find packages needed for optional features
  * Use $pkgname variable across the script
  * Install shell completion files
  * Bump pkgrel

- 1.22.0
  - Command-line:
    - Add 'git-obs staging' commands
    - Add '--gitea-fork-org' option to 'osc fork' command
    - Add '--git-branch' option to 'osc fork' command
    - Add 'DELETE' to 'git-obs api' allowed methods
    - Add commit messages as commented lines to the template in 'git-obs pr create'
    - Add filtering by label to 'git-obs pr list'
    - Properly handle fork mismatch in 'osc fork'
    - Change 'osc build' to build from any git repo if '--alternative-project' is specified
    - Fix 'osc service' for git based packages
    - Fix 'git-obs pr dump' to skip the dump if the target has the same updated_at timestamp as the pull request in Gitea
    - Fix 'git-obs pr dump' to do case insensitive check on owner and repo
    - Fix retrieving 'arch' argument in 'osc buildlog'
  - Library:
    - Add 'status' to the output of gitea_api.Git.get_submodules()
    - Add 'remote' argument to gitea_api.Repo.clone_or_update()
    - Add gitea_api.common.TemporaryDirectory class that supports 'delete' argument on python 3.6+
    - Add gitea_api.GitDiffGenerator class for creating submodule diffs without a git checkout
    - Add 'depth' argument to gitea_api.Repo.clone() and clone_or_update()
    - Add gitea_api.StagingPullRequestWrapper class for handling staging
    - Add gitea_api.PullRequest.get_host_owner_repo_number() method
    - Make GitObsCommand.add_argument_owner_repo() and add_argument_owner_repo_pull() reusable by allowing setting 'dest' argument
    - Warn if the git package doesn't have the same branch as the parent project
    - Extend gitea_api.PullRequest with methods that work with 'PR:' references
    - Support setting labels in gitea_api.PullRequest.create()
    - Fix gitea_api to use pagination instead of limit -1 everywhere
    - Remove duplicate, unused PullRequestReview class from gitea_api.pr
    - Move clone_or_update() from 'git-obs pr dump' command to gitea_api.Repo
    - Change gitea_api.Repo.clone_or_update() to take 'ssh_private_key_path' argument
    - Improve performance of gitea_api.IssueTimelineEntry by listing and caching requests instead of fetching them one by one
    - Make GitObsCommand.add_argument_owner_repo() and add_argument_owner_repo_pull() reusable by allowing setting 'help' argument
    - Change gitea_api.Repo.clone() to stop borrowing objects when 'reference' or 'reference_if_able' is used
    - Fix the resulting dictionary in gitea_api.PullRequest._get_label_ids()
    - Make gitea_api.RepoExists exception more helpful by giving a hint to fork under a different name
    - Use server_diff() instead of server_diff_noex() to exit with a non-zero return code
    - Return preinstallimage.info and allow podman to use preinstallimage

- 1.21.0
  - Command-line:
    - Modify osc subcommands to error out if they don't work with git
    - Add 'git-obs meta' commands for managing the local metadata
    - Add 'git-obs meta info' command for printing resolved metadata about the current checkout
    - Add -b/--branch option to 'git-obs repo clone' command
    - Add 'git-obs pr dump' command to store pull request information on disk
    - Add 'git-obs --quiet' option (that mutes printing gitea settings now)
    - Automatically pull meta after 'git-obs repo clone'
    - Change 'git-obs pr review interactive' to write 'merge ok' comment instead of scheduling a merge
    - Mute stderr when creating a worktree in 'git-obs pr review interactive'
    - Change 'git-obs -G' to accept url to select a gitea login entry
    - Support substitutions in 'osc build --root'
    - Fix crash in 'osc build' when 'build_repositories' in store was None
    - Fix filtering by reviewers in 'git-obs pr list'
    - Update 'osc rq show' command to include history comments in verbose mode
  - Library:
    - Refactor GitStore
      - Migrate git_scm.Store over to gitea_api.Git
      - Store buildinfo and buildconfig files in GitStore's cache instead of directly in the repo
      - Move code from 'git-obs meta pull' command to GitStore.pull()
      - Improve GitStore.pull() to support reading project from project.build
      - Rephrase the error message about detached HEAD in GitStore
      - Improve GitStore's error messages by adding instructions on how to fix missing metadata
      - Be more permissive when loading parent project_store in GitStore
      - Fix loading _manifest in a project git
      - Fix git store to check if all the required fields are present
    - Derive package name from topdir if a package is part of a project checkout
    - Change 'git-obs pr review interactive' to run pager process as a context manager
    - Change obs_api.TarDiff to spawn a process extracting archives as a context manager
    - Change 'commit' argument in gitea_api.Git.reset() to optional
    - Add gitea_api.Git.get_owner_repo_from_url() staticmethod
    - Add gitea_api.Git.urljoin() static method
    - Fix gitea_api.Git.get_branch_head() to raise a proper exception if the HEAD cannot be retrieved
    - Fix gitea_api.Git to work with the current remote instead of 'origin'
    - Fix get_store() to throw the exception from git store if .osc directory is not present
    - Introduce GitObsRuntimeError exception and use it where appropriate
    - Fix tardiff by removing directories with shutil.rmtree() and files by os.unlink()
    - Add 'quiet' option to gitea_api.Git.switch()
    - Mute stderr in git_obs.Git.lfs_cat_file()
    - Treat None flavor as "" in multibuild resolve
    - Make Token.triggered_at optional as it's not available in the officially released OBS code
    - Add BaseModel.from_string() and BaseModel.to_string() methods
    - Add BaseModel.from_file() and BaseModel.to_file() methods
    - Fix BaseModel to initialize from a dictionary via __init__ instead of setattr
  - Docs:
    - Update docs for the new git metadata store
    - Update list of recommended gitea permissions in git-obs-quickstart
  - Spec:
    - Install git-obs-metadata man page

- 1.20.0
  - Command-line:
    - Fix 'osc fork' command to use the right tracking branch
    - Fix 'osc blt' command by checking if the working copy is a package
    - Make 'osc buildlog' work outside of osc package directory
    - Add 'git-obs pr close' and 'git-obs pr reopen' commands
    - Add 'close' option to 'git-obs pr review interactive'
    - Change 'git-obs pr review interactive' to work with all archives, not only those in Git LFS
    - Fix checkout of the base branch in 'git-obs pr review interactive' command
  - Library:
    - Support _manifest file in git store
    - Allow pull request IDs in '&lt;owner&gt;/&lt;repo&gt;!&lt;number&gt;' format
    - Properly handle deleted users and teams in the git-obs timeline
    - Handle situations when there's 'None' among timeline entries
    - Skip binary files in gitea_api.PullRequest.get_patch()
    - Change get_user_input(), add support for vertically printed list of answers
  - Spec:
    - Provide git-obs

- 1.19.1
  - Command-line:
    - Use OSC_PACKAGE_CACHE_DIR env var instead of deprecated OSC_PACKAGECACHEDIR
  - Connection:
    - Check for both upper and lowercase versions of HTTP_PROXY and HTTPS_PROXY env vars
  - Library:
    - Add 'trackingbranch' field to ScmsyncObsinfo model
    - Revert "Return None if GitStore cannot determine apiurl"
    - Throw a proper exception when 'apiurl' argument of 'makeurl()' is empty
    - Move code setting apiurl from store to 'osc.conf.get_config()'
    - Simplify 'osc.commandline.Osc.get_api_url()' to return the value from 'self.options'
    - Remove 'osc.commandline.Osc.post_argparse()' because it's no longer used
    - Fix unit tests to use the new code path to run osc
    - Fix osc.gitea_api.dt_sanitize() by replacing dateutil with datetime

- 1.19.0
  - Command-line:
    - Add 'git-obs pr cancel-scheduled-merge' command
    - Add timeline to 'git-obs pr review interactive'
    - Add '--timeline' option to 'git-obs pr get'
    - Fix 'git-obs pr search' by using pagination to retrieve all results
    - Extend '--message' option in git-obs subcommands with the '-m' short option
    - Add a different message for scheduled merges in 'git-obs pr merge' command
  - Library:
    - Add 'conn' parameter to gitea_api.common.GiteaModel
    - Add gitea_api.Connection.scheme attribute
    - Add gitea_api.PullRequest.merge_commit property
    - Add gitea_api.PullRequest.get_owner_repo_number()
    - Add gitea_api.common.dt_sanitize() for sanitizing datetime strings
    - Handle missing head repo in the PullRequest properties
    - Return None if GitStore cannot determine apiurl
    - Remove extra newline from store files
    - Fix the 'Move remaining imports in osc.babysitter into try-except block' change by preserving the order of handling the exceptions
  - Spec:
    - Use primary_python to define runtime requires matching the shebang lines
    - Provide %{use_python_pkg}-osc for all pythons and python3-osc for primary_python
    - Add conflict with obs-scm-bridge &lt; 0.7.3

- 1.18.0
  - Command-line:
    - Add 'git-obs pr comment [--message=...]' command
    - Add 'git-obs pr show-patch' command
    - Add '--reviewer' option to 'git-obs pr review {approve,decline,interactive}' to support group reviews via group review bot
    - Update 'git-obs pr review interactive' to return non-zero return codes for 'exit' and 'skip' actions
    - Make 'osc results --show-excluded' work in a project context
    - Add '--no-pager' global option
    - Fix 'osc fork' by copying whole query part to the new scmsync url
    - Fix 'osc buildinfo' for git packages by handling the 'build_repositories' files by store objects
    - Fix crash in 'git-obs pr get --patch'
    - Fix git-obs to exit with 130 on keyboard interrupt
    - Fix --sccache help typo in 'osc build' command
  - Connection:
    - Don't retry requests on 504 Gateway Timeout
  - Library:
    - If a devel project is not specified, try reading it from a mapping from URL set in OBS:GitDevelProjectMap project attribute
    - Improve detection of packages and projects in git
    - scmsync_obsinfo: Pass correct revision to obs-scm-bridge
    - Add obs_api.Request.search() method
    - Raise an exception if obs-scm-bridge fails
    - Fix obs_scm.Package.get_pulled_srcmd5() returning an empty string
    - Fix git store to support non-default remote
    - Extend 'gitea_api.User.get()' to take 'username' parameter
    - Move get_editor() and related functions from command-line module to gitea_api.common
    - Migrate subcommands from using Store() to get_store() that is git aware
    - Make imports lazy to improve osc load times

Changes in obs-scm-bridge:

- use the system default python version (boo#1247410)

- 0.7.4
  * syntax fix

- 0.7.3
  * fix .gitsubmodule parser to handle space and tabs mixed

- package /etc/obs/service directories

- 0.7.2
  * Improved error reporting of invalid files in package subdirs
  * Introducing a mechanic to limit asset handling

- 0.7.1
  * export trackingbranch to scmsync.obsinfo

- 0.7.0
  * supporting _manifest file as successor of _subdirs
  * record configured branch of submodules in package scmsync url
  * stay on the configured branch of a submodule on checkout

- 0.6.3
  * Allow ssh:// scm urls as used by osc
  * project mode: avoid unnecessary changes in package meta url
  * code cleanup

- fix dependency (it is python3-PyYAML)

- fix missing dependency to PyYAML

- 0.6.2
  * Make project mode always look for _config in the top dir, also
    when using subdirs.

- 0.6.1
  * new noobsinfo query parameter
    (can be used to hide git information in sources; binaries
     won't contain it either then).

- 0.6.0
  * project mode: switching to track package sources using
                  git sha sums instead of md5sum via download_assets

- 0.5.4
  * fixed support of subdir parameter usage on project level
  * Fix handling of projectscmsync in the package xml writers

- 0.5.3
  * Switch to ssh url when using the bridge via osc

- 0.5.2
  * Don't overwrite files from git, but complain instead with
    an error. For example _scmsync.obsinfo file must not be part
    of the git tree. boo#1230469 CVE-2024-22038

- 0.5.1
  * Don't generate _scmsync.obsinfo outside of OBS source server
    import use case (eg. no more for osc co)
  * Enforce python 3.11 requirement
  * Fix export of _scmsync.obsinfo in project mode
  * Fix submodule detection
  * EXPERIMENTAL: support multiple package subdirs via _subdirs
                  file. This syntax will change!
                  (not documented on purpose therefore atm)
  * Using git credential manager
  * Report some errors as transient, so that OBS can re-try
</Note>
    <Note Title="Terms of Use" Type="Legal Disclaimer" Ordinal="3" xml:lang="en">The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).</Note>
    <Note Title="Patchnames" Type="Details" Ordinal="4" xml:lang="en">openSUSE-Leap-16.0-packagehub-162</Note>
  </DocumentNotes>
  <DocumentDistribution xml:lang="en">Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0)</DocumentDistribution>
  <DocumentReferences>
    <Reference Type="Self">
      <URL>https://www.suse.com/support/security/rating/</URL>
      <Description>SUSE Security Ratings</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1230469</URL>
      <Description>SUSE Bug 1230469</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1247410</URL>
      <Description>SUSE Bug 1247410</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2024-22038/</URL>
      <Description>SUSE CVE CVE-2024-22038 page</Description>
    </Reference>
  </DocumentReferences>
  <ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
    <Branch Type="Product Family" Name="openSUSE Leap 16.0">
      <Branch Type="Product Name" Name="openSUSE Leap 16.0">
        <FullProductName ProductID="openSUSE Leap 16.0">openSUSE Leap 16.0</FullProductName>
      </Branch>
    </Branch>
    <Branch Type="Product Version" Name="obs-scm-bridge-0.7.4-bp160.1.1">
      <FullProductName ProductID="obs-scm-bridge-0.7.4-bp160.1.1">obs-scm-bridge-0.7.4-bp160.1.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="osc-1.24.0-bp160.1.1">
      <FullProductName ProductID="osc-1.24.0-bp160.1.1">osc-1.24.0-bp160.1.1</FullProductName>
    </Branch>
    <Relationship ProductReference="obs-scm-bridge-0.7.4-bp160.1.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 16.0">
      <FullProductName ProductID="openSUSE Leap 16.0:obs-scm-bridge-0.7.4-bp160.1.1">obs-scm-bridge-0.7.4-bp160.1.1 as a component of openSUSE Leap 16.0</FullProductName>
    </Relationship>
    <Relationship ProductReference="osc-1.24.0-bp160.1.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 16.0">
      <FullProductName ProductID="openSUSE Leap 16.0:osc-1.24.0-bp160.1.1">osc-1.24.0-bp160.1.1 as a component of openSUSE Leap 16.0</FullProductName>
    </Relationship>
  </ProductTree>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Various problems in obs-scm-bridge allow attackers that create specially crafted git repositories to leak information or cause denial of service.</Note>
    </Notes>
    <CVE>CVE-2024-22038</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>openSUSE Leap 16.0:obs-scm-bridge-0.7.4-bp160.1.1</ProductID>
        <ProductID>openSUSE Leap 16.0:osc-1.24.0-bp160.1.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL/>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2024-22038.html</URL>
        <Description>CVE-2024-22038</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1230469</URL>
        <Description>SUSE Bug 1230469</Description>
      </Reference>
    </References>
  </Vulnerability>
</cvrfdoc>
