openSUSE Security Update : nim (openSUSE-2021-618)

high Nessus Plugin ID 149589

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for nim fixes the following issues :

nim was updated to version 1.2.12 :

- Fixed GC crash resulting from inlining of the memory allocation procs

- Fixed “incorrect raises effect for $(NimNode)” (#17454)

From version 1.2.10 :

- Fixed “JS backend doesn’t handle float->int type conversion” (#8404)

- Fixed “The “try except” not work when the “OSError: Too many open files” error occurs!” (#15925)

- Fixed “Nim emits #line 0 C preprocessor directives with --debugger:native, with ICE in gcc-10” (#15942)

- Fixed “tfuturevar fails when activated” (#9695)

- Fixed “nre.escapeRe is not gcsafe” (#16103)

- Fixed ““Error: internal error: genRecordFieldAux” - in the “version-1-4” branch” (#16069)

- Fixed “-d:fulldebug switch does not compile with gc:arc” (#16214)

- Fixed “osLastError may randomly raise defect and crash” (#16359)

- Fixed “generic importc proc’s don’t work (breaking lots of vmops procs for js)” (#16428)

- Fixed “Concept: codegen ignores parameter passing” (#16897)

- Fixed “{.push exportc.} interacts with anonymous functions” (#16967)

- Fixed “memory allocation during {.global.} init breaks GC” (#17085)

- Fixed 'Nimble arbitrary code execution for specially crafted package metadata'

+ https://github.com/nim-lang/security/security/advisories/GHSA-rg9f-w24h-962p

+ (boo#1185083, CVE-2021-21372)

- Fixed 'Nimble falls back to insecure http url when fetching packages'

+ https://github.com/nim-lang/security/security/advisories/GHSA-8w52-r35x-rgp8

+ (boo#1185084, CVE-2021-21373)

- Fixed 'Nimble fails to validate certificates due to insecure httpClient defaults'

+ https://github.com/nim-lang/security/security/advisories/GHSA-c2wm-v66h-xhxx

+ (boo#1185085, CVE-2021-21374)

from version 1.2.8

- Fixed “Defer and --gc:arc” (#15071)

- Fixed “Issue with --gc:arc at compile time” (#15129)

- Fixed “Nil check on each field fails in generic function” (#15101)

- Fixed “[strscans] scanf doesn’t match a single character with $+ if it’s the end of the string” (#15064)

- Fixed “Crash and incorrect return values when using readPasswordFromStdin on Windows.” (#15207)

- Fixed “Inconsistent unsigned -> signed RangeDefect usage across integer sizes” (#15210)

- Fixed “toHex results in RangeDefect exception when used with large uint64” (#15257)

- Fixed “Mixing ‘return’ with expressions is allowed in 1.2” (#15280)

- Fixed “proc execCmdEx doesn’t work with -d:useWinAnsi” (#14203)

- Fixed “memory corruption in tmarshall.nim” (#9754)

- Fixed “Wrong number of variables” (#15360)

- Fixed “defer doesnt work with block, break and await” (#15243)

- Fixed “Sizeof of case object is incorrect. Showstopper” (#15516)

- Fixed “regression(1.0.2 => 1.0.4) VM register messed up depending on unrelated context” (#15704)

from version 1.2.6

- Fixed “The pegs module doesn’t work with generics!” (#14718)

- Fixed “[goto exceptions] {.noReturn.} pragma is not detected in a case expression” (#14458)

- Fixed “[exceptions:goto] C compiler error with dynlib pragma calling a proc” (#14240)

- Fixed “Nim source archive install: ‘install.sh’ fails with error: cp: cannot stat ‘bin/nim-gdb’: No such file or directory” (#14748)

- Fixed “Stropped identifiers don’t work as field names in tuple literals” (#14911)

- Fixed “uri.decodeUrl crashes on incorrectly formatted input” (#14082)

- Fixed “odbcsql module has some wrong integer types” (#9771)

- Fixed “[ARC] Compiler crash declaring a finalizer proc directly in ‘new’” (#15044)

- Fixed “code with named arguments in proc of winim/com can not been compiled” (#15056)

- Fixed “javascript backend produces JavaScript code with syntax error in object syntax” (#14534)

- Fixed “[ARC] SIGSEGV when calling a closure as a tuple field in a seq” (#15038)

- Fixed “Compiler crashes when using string as object variant selector with else branch” (#14189)

- Fixed “Constructing a uint64 range on a 32-bit machine leads to incorrect codegen” (#14616)

Update to version 1.2.2 :

- See https://nim-lang.org/blog.html for details

Update to version 1.0.2 :

- See https://nim-lang.org/blog.html for details

Solution

Update the affected nim packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1185083

https://bugzilla.opensuse.org/show_bug.cgi?id=1185084

https://bugzilla.opensuse.org/show_bug.cgi?id=1185085

http://www.nessus.org/u?c8e0330b

http://www.nessus.org/u?0791b363

http://www.nessus.org/u?8d0b1bba

https://nim-lang.org/blog.html

Plugin Details

Severity: High

ID: 149589

File Name: openSUSE-2021-618.nasl

Version: 1.4

Type: local

Agent: unix

Published: 5/18/2021

Updated: 1/1/2024

Supported Sensors: Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2021-21374

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2021-21372

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:nim, p-cpe:/a:novell:opensuse:nim-debuginfo, cpe:/o:novell:opensuse:15.2

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 4/25/2021

Vulnerability Publication Date: 3/26/2021

Reference Information

CVE: CVE-2021-21372, CVE-2021-21373, CVE-2021-21374