OPENSUSE-SU-2023:0096-1

Vulnerability from csaf_opensuse - Published: 2023-04-27 12:51 - Updated: 2023-04-27 12:51
Summary
Security update for liferea

Notes

Title of the patch
Security update for liferea
Description of the patch
liferea was updated to version 1.14.1:

+ Fix CVE-2023-1350 - Remote code execution on feed enrichment (boo#1209190).

Update to version 1.14.0:

+ New 'Reader mode' preference that allows stripping all web content
+ Implement support for WebKit's Intelligent Tracking Protection
+ New progress bar when loading websites
+ YouTube videos from media:video can now be embedded with a click on the video preview picture.
+ Changes to UserAgent handling: the same UA is now used for both feed fetching and internal browsing.
+ New view mode 'Automatic' which switches between 'Normal' and 'Wide' mode based on the window proportions.
+ Liferea now supports the new GTK dark theme logic, where in the GTK/GNOME preferences you define whether you 'prefer' dark mode or light mode
+ Favicon discovery improvements: now detects all types of Apple Touch Icons, MS Tile Images and Safari Mask Icons
+ Increase size of stored favicons to 128x128px to improve icon quality in 3-pane wide view.
+ Make several plugins support gettext
+ Allow multiple feeds in the same libnotify notification
+ Redesign of the update message in the status bar. It now shows an update counter of the feeds currently being updated.
+ You can now export a feed to an XML file
+ Added an option to show news bins in the reduced feed list
+ Added menu option to send an item per mail
+ Default to https:// instead of http:// when the user doesn't provide a protocol when subscribing to a feed
+ Implement support for subscribing to LD+Json metadata listings, e.g. concert or theater event listings
+ Implement support for subscribing to HTML5 websites
+ Support for the media:description field of YouTube feeds
+ Improve HTML5 extraction: extract the main tag if it exists and no article was found.
+ Execute feed pipe/filter commands asynchronously
+ Better explanation of feed update errors.
+ Added generic Google Reader API support (allows using FeedHQ, FreshRSS, Miniflux...)
+ Now allow converting TinyTinyRSS subscriptions to local subscriptions
+ New search folder rule to match podcasts
+ New search folder rule to match headline authors
+ New search folder rule to match subscription source
+ New search folder rule to match parent folder name
+ New search folder property that allows hiding read items
+ Search folders are now automatically rebuilt when rules are changed
+ Added new plugin 'add-bookmark-site' that allows configuring a custom bookmarking site.
+ Added new plugin 'getfocus' that adds transparency to the feed list when it is not focused.
+ Trayicon plugin now has a configuration option to change the behaviour when closing Liferea.
+ Trayicon plugin now has an option to disable minimizing to tray
+ New hot key Ctrl-D for 'Open in External Browser'
+ New hot key F10 for the headerbar plugin to allow triggering the hamburger menu
+ New hot key Ctrl-0 to reset zoom
+ New hot key Ctrl-O to open enclosures
+ Fix hidden panes: Liferea will never allow the panes to be smaller than 5% in height or width
+ Wait for the network to be fully available before updating
+ 2-pane mode was removed
+ Dropped CDF channel support
+ Dropped Atom 0.2/0.3 (aka Pie) support
+ Dropped blogChannel namespace support
+ Dropped photo namespace support

- Require python3-cairo; needed for tray icon (boo#1193579).
Patchnames
openSUSE-2023-96
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for liferea",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "\nliferea was updated to version 1.14.1:\n\n+ Fix CVE-2023-1350 - Remote code execution on feed enrichment (boo#1209190).\n\nUpdate to version 1.14.0:\n\n+ New \u0027Reader mode\u0027 preference that allows stripping all web\n  content\n+ Implement support for Webkits Intelligent Tracking Protection\n+ New progress bar when loading websites\n+ Youtube videos from media:video can be embedded now with a\n  click on the video preview picture.\n+ Changes to UserAgent handling: same UA is now used for both\n  feed fetching and internal browsing.\n+ New view mode \u0027Automatic\u0027 which switches between \u0027Normal\u0027 and\n  \u0027Wide\u0027 mode based on the window proportions.\n+ Liferea now supports the new GTK dark theme logic, where in\n  the GTK/GNOME preferences you define wether you \u0027prefer\u0027 dark\n  mode or light mode\n+ Favicon discovery improvements: now detects all types of Apple\n  Touch Icons, MS Tile Images and Safari Mask Icons\n+ Increase size of stored favicons to 128x128px to improve icon\n  quality in 3-pane wide view.\n+ Make several plugins support gettext\n+ Allow mutiple feed in same libnotify notification\n+ Redesign of the update message in the status bar. It now shows\n  a update counter of the feeds being in update.\n+ You can now export a feed to XML file\n+ Added an option to show news bins in reduced feed list\n+ Added menu option to send item per mail\n+ Default to https:// instead of http:// when user doesn\u0027t\n  provide protocol on subscribing feed\n+ Implement support for subscribing to LD+Json metadata listings\n  e.g. concert or theater event listings\n+ Implement support for subscribing to HTML5 websites\n+ Support for media:description field of Youtube feeds\n+ Improve HTML5 extraction: extract main tag if it exists and\n  no article was found.\n+ Execute feed pipe/filter commands asynchronously\n+ Better explanation of feed update errors.\n+ Added generic Google Reader API support (allows using FeedHQ,\n  FreshRSS, Miniflux...)\n+ Now allow converting TinyTinyRSS subscriptions to\n  local subscriptions\n+ New search folder rule to match podcasts\n+ New search folder rule to match headline authors\n+ New search folder rule to match subscription source\n+ New search folder rule to match parent folder name\n+ New search folder property that allows hiding read items\n+ Now search folders are automatically rebuild when rules are\n  changed\n+ Added new plugin \u0027add-bookmark-site\u0027 that allows to configure\n  a custom bookmarking site.\n+ Added new plugin \u0027getfocus\u0027 that adds transparency on the feed\n  list when it is not focussed.\n+ Trayicon plugin has now a configuration option to change the\n  behaviour when closing Liferea.\n+ Trayicon plugin has now an option to disable minimizing to tray\n+ New hot key Ctrl-D for \u0027Open in External Browser\u0027\n+ New hot key F10 for headerbar plugin to allow triggering the\n  hamburger menu\n+ New hot key Ctrl-0 to reset zoom\n+ New hot key Ctrl-O to open enclosures\n+ Fix hidden panes, Liferea will never allow the panes to be\n  smaller than 5% in height or width\n+ Wait for network to be fully available before updating\n+ 2-pane mode was removed\n+ Dropped CDF channel support\n+ Dropped Atom 0.2/0.3 (aka Pie) support\n+ Dropped blogChannel namespace support\n+ Dropped photo namespace support\n\n- Require python3-cairo; needed for tray icon (boo#1193579).\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-2023-96",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2023_0096-1.json"
      },
      {
        "category": "self",
        "summary": "URL for openSUSE-SU-2023:0096-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/U2XWO532L7BXCMKLBA5M4DP7HIU4NSO2/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for openSUSE-SU-2023:0096-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/U2XWO532L7BXCMKLBA5M4DP7HIU4NSO2/"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1193579",
        "url": "https://bugzilla.suse.com/1193579"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1209190",
        "url": "https://bugzilla.suse.com/1209190"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2023-1350 page",
        "url": "https://www.suse.com/security/cve/CVE-2023-1350/"
      }
    ],
    "title": "Security update for liferea",
    "tracking": {
      "current_release_date": "2023-04-27T12:51:25Z",
      "generator": {
        "date": "2023-04-27T12:51:25Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2023:0096-1",
      "initial_release_date": "2023-04-27T12:51:25Z",
      "revision_history": [
        {
          "date": "2023-04-27T12:51:25Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "liferea-1.14.1-bp154.2.3.1.aarch64",
                "product": {
                  "name": "liferea-1.14.1-bp154.2.3.1.aarch64",
                  "product_id": "liferea-1.14.1-bp154.2.3.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "liferea-1.14.1-bp154.2.3.1.i586",
                "product": {
                  "name": "liferea-1.14.1-bp154.2.3.1.i586",
                  "product_id": "liferea-1.14.1-bp154.2.3.1.i586"
                }
              }
            ],
            "category": "architecture",
            "name": "i586"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "liferea-lang-1.14.1-bp154.2.3.1.noarch",
                "product": {
                  "name": "liferea-lang-1.14.1-bp154.2.3.1.noarch",
                  "product_id": "liferea-lang-1.14.1-bp154.2.3.1.noarch"
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "liferea-1.14.1-bp154.2.3.1.ppc64le",
                "product": {
                  "name": "liferea-1.14.1-bp154.2.3.1.ppc64le",
                  "product_id": "liferea-1.14.1-bp154.2.3.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "liferea-1.14.1-bp154.2.3.1.s390x",
                "product": {
                  "name": "liferea-1.14.1-bp154.2.3.1.s390x",
                  "product_id": "liferea-1.14.1-bp154.2.3.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "liferea-1.14.1-bp154.2.3.1.x86_64",
                "product": {
                  "name": "liferea-1.14.1-bp154.2.3.1.x86_64",
                  "product_id": "liferea-1.14.1-bp154.2.3.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Package Hub 15 SP4",
                "product": {
                  "name": "SUSE Package Hub 15 SP4",
                  "product_id": "SUSE Package Hub 15 SP4"
                }
              },
              {
                "category": "product_name",
                "name": "openSUSE Leap 15.4",
                "product": {
                  "name": "openSUSE Leap 15.4",
                  "product_id": "openSUSE Leap 15.4",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:leap:15.4"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "liferea-1.14.1-bp154.2.3.1.aarch64 as component of SUSE Package Hub 15 SP4",
          "product_id": "SUSE Package Hub 15 SP4:liferea-1.14.1-bp154.2.3.1.aarch64"
        },
        "product_reference": "liferea-1.14.1-bp154.2.3.1.aarch64",
        "relates_to_product_reference": "SUSE Package Hub 15 SP4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "liferea-1.14.1-bp154.2.3.1.i586 as component of SUSE Package Hub 15 SP4",
          "product_id": "SUSE Package Hub 15 SP4:liferea-1.14.1-bp154.2.3.1.i586"
        },
        "product_reference": "liferea-1.14.1-bp154.2.3.1.i586",
        "relates_to_product_reference": "SUSE Package Hub 15 SP4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "liferea-1.14.1-bp154.2.3.1.ppc64le as component of SUSE Package Hub 15 SP4",
          "product_id": "SUSE Package Hub 15 SP4:liferea-1.14.1-bp154.2.3.1.ppc64le"
        },
        "product_reference": "liferea-1.14.1-bp154.2.3.1.ppc64le",
        "relates_to_product_reference": "SUSE Package Hub 15 SP4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "liferea-1.14.1-bp154.2.3.1.s390x as component of SUSE Package Hub 15 SP4",
          "product_id": "SUSE Package Hub 15 SP4:liferea-1.14.1-bp154.2.3.1.s390x"
        },
        "product_reference": "liferea-1.14.1-bp154.2.3.1.s390x",
        "relates_to_product_reference": "SUSE Package Hub 15 SP4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "liferea-1.14.1-bp154.2.3.1.x86_64 as component of SUSE Package Hub 15 SP4",
          "product_id": "SUSE Package Hub 15 SP4:liferea-1.14.1-bp154.2.3.1.x86_64"
        },
        "product_reference": "liferea-1.14.1-bp154.2.3.1.x86_64",
        "relates_to_product_reference": "SUSE Package Hub 15 SP4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "liferea-lang-1.14.1-bp154.2.3.1.noarch as component of SUSE Package Hub 15 SP4",
          "product_id": "SUSE Package Hub 15 SP4:liferea-lang-1.14.1-bp154.2.3.1.noarch"
        },
        "product_reference": "liferea-lang-1.14.1-bp154.2.3.1.noarch",
        "relates_to_product_reference": "SUSE Package Hub 15 SP4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "liferea-1.14.1-bp154.2.3.1.aarch64 as component of openSUSE Leap 15.4",
          "product_id": "openSUSE Leap 15.4:liferea-1.14.1-bp154.2.3.1.aarch64"
        },
        "product_reference": "liferea-1.14.1-bp154.2.3.1.aarch64",
        "relates_to_product_reference": "openSUSE Leap 15.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "liferea-1.14.1-bp154.2.3.1.i586 as component of openSUSE Leap 15.4",
          "product_id": "openSUSE Leap 15.4:liferea-1.14.1-bp154.2.3.1.i586"
        },
        "product_reference": "liferea-1.14.1-bp154.2.3.1.i586",
        "relates_to_product_reference": "openSUSE Leap 15.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "liferea-1.14.1-bp154.2.3.1.ppc64le as component of openSUSE Leap 15.4",
          "product_id": "openSUSE Leap 15.4:liferea-1.14.1-bp154.2.3.1.ppc64le"
        },
        "product_reference": "liferea-1.14.1-bp154.2.3.1.ppc64le",
        "relates_to_product_reference": "openSUSE Leap 15.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "liferea-1.14.1-bp154.2.3.1.s390x as component of openSUSE Leap 15.4",
          "product_id": "openSUSE Leap 15.4:liferea-1.14.1-bp154.2.3.1.s390x"
        },
        "product_reference": "liferea-1.14.1-bp154.2.3.1.s390x",
        "relates_to_product_reference": "openSUSE Leap 15.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "liferea-1.14.1-bp154.2.3.1.x86_64 as component of openSUSE Leap 15.4",
          "product_id": "openSUSE Leap 15.4:liferea-1.14.1-bp154.2.3.1.x86_64"
        },
        "product_reference": "liferea-1.14.1-bp154.2.3.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "liferea-lang-1.14.1-bp154.2.3.1.noarch as component of openSUSE Leap 15.4",
          "product_id": "openSUSE Leap 15.4:liferea-lang-1.14.1-bp154.2.3.1.noarch"
        },
        "product_reference": "liferea-lang-1.14.1-bp154.2.3.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 15.4"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-1350",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2023-1350"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A vulnerability was found in liferea. It has been rated as critical. Affected by this issue is the function update_job_run of the file src/update.c of the component Feed Enrichment. The manipulation of the argument source with the input |date \u0026gt;/tmp/bad-item-link.txt leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The name of the patch is 8d8b5b963fa64c7a2122d1bbfbb0bed46e813e59. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-222848.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Package Hub 15 SP4:liferea-1.14.1-bp154.2.3.1.aarch64",
          "SUSE Package Hub 15 SP4:liferea-1.14.1-bp154.2.3.1.i586",
          "SUSE Package Hub 15 SP4:liferea-1.14.1-bp154.2.3.1.ppc64le",
          "SUSE Package Hub 15 SP4:liferea-1.14.1-bp154.2.3.1.s390x",
          "SUSE Package Hub 15 SP4:liferea-1.14.1-bp154.2.3.1.x86_64",
          "SUSE Package Hub 15 SP4:liferea-lang-1.14.1-bp154.2.3.1.noarch",
          "openSUSE Leap 15.4:liferea-1.14.1-bp154.2.3.1.aarch64",
          "openSUSE Leap 15.4:liferea-1.14.1-bp154.2.3.1.i586",
          "openSUSE Leap 15.4:liferea-1.14.1-bp154.2.3.1.ppc64le",
          "openSUSE Leap 15.4:liferea-1.14.1-bp154.2.3.1.s390x",
          "openSUSE Leap 15.4:liferea-1.14.1-bp154.2.3.1.x86_64",
          "openSUSE Leap 15.4:liferea-lang-1.14.1-bp154.2.3.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2023-1350",
          "url": "https://www.suse.com/security/cve/CVE-2023-1350"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1209190 for CVE-2023-1350",
          "url": "https://bugzilla.suse.com/1209190"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Package Hub 15 SP4:liferea-1.14.1-bp154.2.3.1.aarch64",
            "SUSE Package Hub 15 SP4:liferea-1.14.1-bp154.2.3.1.i586",
            "SUSE Package Hub 15 SP4:liferea-1.14.1-bp154.2.3.1.ppc64le",
            "SUSE Package Hub 15 SP4:liferea-1.14.1-bp154.2.3.1.s390x",
            "SUSE Package Hub 15 SP4:liferea-1.14.1-bp154.2.3.1.x86_64",
            "SUSE Package Hub 15 SP4:liferea-lang-1.14.1-bp154.2.3.1.noarch",
            "openSUSE Leap 15.4:liferea-1.14.1-bp154.2.3.1.aarch64",
            "openSUSE Leap 15.4:liferea-1.14.1-bp154.2.3.1.i586",
            "openSUSE Leap 15.4:liferea-1.14.1-bp154.2.3.1.ppc64le",
            "openSUSE Leap 15.4:liferea-1.14.1-bp154.2.3.1.s390x",
            "openSUSE Leap 15.4:liferea-1.14.1-bp154.2.3.1.x86_64",
            "openSUSE Leap 15.4:liferea-lang-1.14.1-bp154.2.3.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Package Hub 15 SP4:liferea-1.14.1-bp154.2.3.1.aarch64",
            "SUSE Package Hub 15 SP4:liferea-1.14.1-bp154.2.3.1.i586",
            "SUSE Package Hub 15 SP4:liferea-1.14.1-bp154.2.3.1.ppc64le",
            "SUSE Package Hub 15 SP4:liferea-1.14.1-bp154.2.3.1.s390x",
            "SUSE Package Hub 15 SP4:liferea-1.14.1-bp154.2.3.1.x86_64",
            "SUSE Package Hub 15 SP4:liferea-lang-1.14.1-bp154.2.3.1.noarch",
            "openSUSE Leap 15.4:liferea-1.14.1-bp154.2.3.1.aarch64",
            "openSUSE Leap 15.4:liferea-1.14.1-bp154.2.3.1.i586",
            "openSUSE Leap 15.4:liferea-1.14.1-bp154.2.3.1.ppc64le",
            "openSUSE Leap 15.4:liferea-1.14.1-bp154.2.3.1.s390x",
            "openSUSE Leap 15.4:liferea-1.14.1-bp154.2.3.1.x86_64",
            "openSUSE Leap 15.4:liferea-lang-1.14.1-bp154.2.3.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2023-04-27T12:51:25Z",
          "details": "important"
        }
      ],
      "title": "CVE-2023-1350"
    }
  ]
}