openSUSE 16 Security Update : osc, obs-scm-bridge (openSUSE-SU-2026:20361-1)

medium Nessus Plugin ID 302340

Synopsis

The remote openSUSE host is missing a security update.

Description

The remote openSUSE 16 host has packages installed that are affected by a vulnerability as referenced in the openSUSE-SU-2026:20361-1 advisory.

Changes in osc:

- 1.24.0
- Command-line:
- Add '--target-owner' option to 'git-obs repo fork' command
- Add '--self' parameter to fix 'no matching parent repo' error message in 'git-obs pr create'
- Fix 'osc aggregatepac' for scmsync packages
- Fix 'osc build' to retrieve buildconfig from git package's cache
- Fix 'osc token' error handling for project wide trigger
- Fix string formatting for id in obs-request.xml in 'git-obs pr dump'
- Library:
- Consolidate build types in build.py and commandline.py
- Fix build.get_build_type() by comparing binary_type only if specified
- Make use of queryconfig tool configurable and consistent
- Fix how get_request_collection() filters the projects and packages
- Support copying packages from an scmsync source, when target exists
- Add timestamps to the DEBUG output
- Update new project template

- 1.23.0
- Command-line:
- Add '--target-owner' option to 'git-obs pr create' to specify the target owner explicitly
- Add '--target-branch' option to 'git-obs staging search' command
- Added 'git-obs staging search' command to find project PRs with referenced package PRs that have all been approved
- Change 'git-obs pr dump' to produce directories that match the specified pull request IDs
- Change 'git-obs pr dump' to write STATUS file
- Properly error out on invalid 'PR:' references in 'git-obs pr dump'
- Fix 'git-obs pr create' when the source repo is not a fork
- Fix 'git-obs api' command when server returns 'null'
- Fix 'osc build --alternative-project=...' when there's no .osc in the current directory
- Fix argument and store handling in 'osc results' command
- Library:
- Add Manifest.get_package_paths() method that lists all paths to existing packages in a project
- Fix Manifest class to handle loading empty YAML files or strings
- Fix working with meta during git rebase by determining the current branch from rebase head
- Fix handling local branch when fetching remote
- Move get_label_ids() from PullRequest to Repo class
- Change GitStore not to require apiurl anymore
- Fix storing last_buildroot for git packages
- Store the last buildroot only if there's a store detected
- Fix BuildRoot so it acts as a tuple and the individual values are accessible via indexes
- Make PullRequest.parse_id() more permissive by accepting trailing whitespace
- Fix 'missingok' argument in server_diff()
- Fix gitea_api.PullRequest ordering methods
- Add return to gitea_api.Branch.list()

- PKGBUILD changes
* Remove redundant packages from makedepends. If a package depends on something, it implicitly makedepends on it as well
* Add python-ruamel-yaml dependency
* Build and install man pages
* Add python-argparse-manpage and python-sphinx to makedepends for building man pages
* Add check() to run the test suite
* Add checkdepends for test suite dependencies
* Add optdepends as an equivalent to RPM's Recommends, making it easier for users to find packages needed for optional features
* Use $pkgname variable across the script
* Install shell completion files
* Bump pkgrel

- 1.22.0
- Command-line:
- Add 'git-obs staging' commands
- Add '--gitea-fork-org' option to 'osc fork' command
- Add '--git-branch' option to 'osc fork' command
- Add 'DELETE' to 'git-obs api' allowed methods
- Add commit messages as commented lines to the template in 'git-obs pr create'
- Add filtering by label to 'git-obs pr list'
- Properly handle fork mismatch in 'osc fork'
- Change 'osc build' to build from any git repo if '--alternative-project' is specified
- Fix 'osc service' for git based packages
- Fix 'git-obs pr dump' to skip the dump if the target has the same updated_at timestamp as the pull request in Gitea
- Fix 'git-obs pr dump' to do case insensitive check on owner and repo
- Fix retrieving 'arch' argument in 'osc buildlog'
- Library:
- Add 'status' to the output of gitea_api.Git.get_submodules()
- Add 'remote' argument to gitea_api.Repo.clone_or_update()
- Add gitea_api.common.TemporaryDirectory class that supports 'delete' argument on python 3.6+
- Add gitea_api.GitDiffGenerator class for creating submodule diffs without a git checkout
- Add 'depth' argument to gitea_api.Repo.clone() and clone_or_update()
- Add gitea_api.StagingPullRequestWrapper class for handling staging
- Add gitea_api.PullRequest.get_host_owner_repo_number() method
- Make GitObsCommand.add_argument_owner_repo() and add_argument_owner_repo_pull() reusable by allowing setting 'dest' argument
- Warn if the git package doesn't have the same branch as the parent project
- Extend gitea_api.PullRequest with methods that work with 'PR:' references
- Support setting labels in gitea_api.PullRequest.create()
- Fix gitea_api to use pagination instead of limit -1 everywhere
- Remove duplicate, unused PullRequestReview class from gitea_api.pr
- Move clone_or_update() from 'git-obs pr dump' command to gitea_api.Repo
- Change gitea_api.Repo.clone_or_update() to take 'ssh_private_key_path' argument
- Improve performance of gitea_api.IssueTimelineEntry by listing and caching requests instead of fetching them one by one
- Make GitObsCommand.add_argument_owner_repo() and add_argument_owner_repo_pull() reusable by allowing setting 'help' argument
- Change gitea_api.Repo.clone() to stop borrowing objects when 'reference' or 'reference_if_able' is used
- Fix the resulting dictionary in gitea_api.PullRequest._get_label_ids()
- Make gitea_api.RepoExists exception more helpful by giving a hint to fork under a different name
- Use server_diff() instead of server_diff_noex() to exit with a non-zero return code
- Return preinstallimage.info and allow podman to use preinstallimage

- 1.21.0
- Command-line:
- Modify osc subcommands to error out if they don't work with git
- Add 'git-obs meta' commands for managing the local metadata
- Add 'git-obs meta info' command for printing resolved metadata about the current checkout
- Add -b/--branch option to 'git-obs repo clone' command
- Add 'git-obs pr dump' command to store pull request information on disk
- Add 'git-obs --quiet' option (that mutes printing gitea settings now)
- Automatically pull meta after 'git-obs repo clone'
- Change 'git-obs pr review interactive' to write 'merge ok' comment instead of scheduling a merge
- Mute stderr when creating a worktree in 'git-obs pr review interactive'
- Change 'git-obs -G' to accept url to select a gitea login entry
- Support substitutions in 'osc build --root'
- Fix crash in 'osc build' when 'build_repositories' in store was None
- Fix filtering by reviewers in 'git-obs pr list'
- Update 'osc rq show' command to include history comments in verbose mode
- Library:
- Refactor GitStore
- Migrate git_scm.Store over to gitea_api.Git
- Store buildinfo and buildconfig files in GitStore's cache instead directly in the repo
- Move code from 'git-obs meta pull' command to GitStore.pull()
- Improve GitStore.pull() to support reading project from project.build
- Rephrase the error message about detached HEAD in GitStore
- Improve GitStore's error messages by adding instructions on how to fix missing metadata
- Be more permissive when loading parent project_store in GitStore
- Fix loading _manifest in a project git
- Fix git store to check if all the required fields are present
- Derive package name from topdir if a package is part of a project checkout
- Change 'git-obs pr review interactive' to run pager process as a context manager
- Change obs_api.TarDiff to spawn a process extracting archives as a context manager
- Change 'commit' argument in gitea_api.Git.reset() to optional
- Add gitea_api.Git.get_owner_repo_from_url() staticmethod
- Add gitea_api.Git.urljoin() static method
- Fix gitea_api.Git.get_branch_head() to raise a proper exception if the HEAD cannot be retrieved
- Fix gitea_api.Git to work with the current remote instead of 'origin'
- Fix get_store() to throw the exception from git store if .osc directory is not present
- Introduce GitObsRuntimeError exception and use it where appropriate
- Fix tardiff by removing directories with shutil.rmtree() and files by os.unlink()
- Add 'quiet' option to gitea_api.Git.switch()
- Mute stderr in git_obs.Git.lfs_cat_file()
- Treat None flavor as in multibuild resolve
- Make Token.triggered_at optional as it's not available in the officially released OBS code
- Add BaseModel.from_string() and BaseModel.to_string() methods
- Add BaseModel.from_file() and BaseModel.to_file() methods
- Fix BaseModel to initialize from a dictionary via __init__ instead of setattr
- Docs:
- Update docs for the new git metadata store
- Update list of recommended gitea permissions in git-obs-quickstart
- Spec:
- Install git-obs-metadata man page

- 1.20.0
- Command-line:
- Fix 'osc fork' command to use the right tracking branch
- Fix 'osc blt' command by checking if the working copy is a package
- Make 'osc buildlog' work outside of osc package directory
- Add 'git-obs pr close' and 'git-obs pr reopen' commands
- Add 'close' option to 'git-obs pr review interactive'
- Change 'git-obs pr review interactive' to work with all archives, not only those in Git LFS
- Fix checkout of the base branch in 'git-obs pr review interactive' command
- Library:
- Support _manifest file in git store
- Allow pull request IDs in '<owner>/<repo>!<number>' format
- Properly handle deleted users and teams in the git-obs timeline
- Handle situations when there's 'None' among timeline entries
- Skip binary files in gitea_api.PullRequest.get_patch()
- Change get_user_input(), add support for vertically printed list of answers
- Spec:
- Provide git-obs

- 1.19.1
- Command-line:
- Use OSC_PACKAGE_CACHE_DIR env var instead of deprecated OSC_PACKAGECACHEDIR
- Connection:
- Check for both upper and lowercase versions of HTTP_PROXY and HTTPS_PROXY env vars
- Library:
- Add 'trackingbranch' field to ScmsyncObsinfo model
- Revert Return None if GitStore cannot determine apiurl
- Throw a proper exception when 'apiurl' argument of 'makeurl()' is empty
- Move code setting apiurl from store to 'osc.conf.get_config()'
- Simplify 'osc.commandline.Osc.get_api_url()' to return the value from 'self.options'
- Remove 'osc.commandline.Osc.post_argparse()' because it's no longer used
- Fix unit tests to use the new code path to run osc
- Fix osc.gitea_api.dt_sanitize() by replacing dateutil with datetime

- 1.19.0
- Command-line:
- Add 'git-obs pr cancel-scheduled-merge' command
- Add timeline to 'git-obs pr review interactive'
- Add '--timeline' option to 'git-obs pr get'
- Fix 'git-obs pr search' by using pagination to retrieve all results
- Extend '--message' option in git-obs subcommands with the '-m' short option
- Add a different message for scheduled merges in 'git-obs pr merge' command
- Library:
- Add 'conn' parameter to gitea_api.common.GiteaModel
- Add gitea_api.Connection.scheme attribute
- Add gitea_api.PullRequest.merge_commit property
- Add gitea_api.PullRequest.get_owner_repo_number()
- Add gitea_api.common.dt_sanitize() for sanitizing datetime strings
- Handle missing head repo in the PullRequest properties
- Return None if GitStore cannot determine apiurl
- Remove extra newline from store files
- Fix the 'Move remaining imports in osc.babysitter into try-except block' change by preserving the order of handling the exceptions
- Spec:
- Use primary_python to define runtime requires matching the shebang lines
- Provide %{use_python_pkg}-osc for all pythons and python3-osc for primary_python
- Add conflict with obs-scm-bridge < 0.7.3

- 1.18.0
- Command-line:
- Add 'git-obs pr comment [--message=...]' command
- Add 'git-obs pr show-patch' command
- Add '--reviewer' option to 'git-obs pr review {approve,decline,interactive}' to support group reviews via group review bot
- Update 'git-obs pr review interactive' to return non-zero return codes for 'exit' and 'skip' actions
- Make 'osc results --show-excluded' work in a project context
- Add '--no-pager' global option
- Fix 'osc fork' by copying whole query part to the new scmsync url
- Fix 'osc buildinfo' for git packages by handling the 'build_repositories' files via store objects
- Fix crash in 'git-obs pr get --patch'
- Fix git-obs to exit with 130 on keyboard interrupt
- Fix --sccache help typo in 'osc build' command
- Connection:
- Don't retry requests on 504 Gateway Timeout
- Library:
- If a devel project is not specified, try reading it from a mapping from URL set in OBS:GitDevelProjectMap project attribute
- Improve detection of packages and projects in git
- scmsync_obsinfo: Pass correct revision to obs-scm-bridge
- Add obs_api.Request.search() method
- Raise an exception if obs-scm-bridge fails
- Fix obs_scm.Package.get_pulled_srcmd5() returning an empty string
- Fix git store to support non-default remote
- Extend 'gitea_api.User.get()' to take 'username' parameter
- Move get_editor() and related functions from command-line module to gitea_api.common
- Migrate subcommands from using Store() to get_store() that is git aware
- Make imports lazy to improve osc load times

Changes in obs-scm-bridge:

- use the system default python version (boo#1247410)

- 0.7.4
* syntax fix

- 0.7.3
* fix .gitsubmodule parser to handle mixed spaces and tabs

- package /etc/obs/service directories

- 0.7.2
* Improved error reporting of invalid files in package subdirs
* Introducing a mechanic to limit asset handling

- 0.7.1
* export trackingbranch to scmsync.obsinfo

- 0.7.0
* supporting _manifest file as successor of _subdirs
* record configured branch of submodules in package scmsync url
* stay on the configured branch of a submodule on checkout

- 0.6.3
* Allow ssh:// scm urls as used by osc
* project mode: avoid unnecessary changes in package meta url
* code cleanup

- fix dependency (it is python3-PyYAML)

- fix missing dependency to PyYAML

- 0.6.2
* Make project mode always look for _config in the top dir, also when using subdirs.

- 0.6.1
* new noobsinfo query parameter (can be used to hide git information in sources; binaries won't contain it either then).

- 0.6.0
* project mode: switch to tracking package sources using git sha sums instead of md5sum via download_assets

- 0.5.4
* fixed support of subdir parameter usage on project level
* Fix handling of projectscmsync in the package xml writers

- 0.5.3
* Switch to ssh url when using the bridge via osc

- 0.5.2
* Don't overwrite files from git, but complain with an error instead. For example, the _scmsync.obsinfo file must not be part of the git tree. boo#1230469 CVE-2024-22038

- 0.5.1
* Don't generate _scmsync.obsinfo outside of the OBS source server import use case (e.g. no longer for 'osc co')
* Enforce python 3.11 requirement
* Fix export of _scmsync.obsinfo in project mode
* Fix submodule detection
* EXPERIMENTAL: support multiple package subdirs via _subdirs file. This syntax will change! (not documented on purpose therefore atm)
* Using git credential manager
* Report some errors as transient, so that OBS can re-try
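The only CVE in this update is the 0.5.2 entry above: a bridge-generated file such as _scmsync.obsinfo must never silently replace a file that the git repository itself ships. The following is an added illustration of that rule, not obs-scm-bridge's own code; GENERATED_FILES, GeneratedFileConflict, write_generated_file and the two sample checkouts (one benign, one that plants its own _scmsync.obsinfo) are assumptions made for this example. The list of tracked paths is passed in as what `git ls-files` would print, so the check runs without a git binary.

```python
"""Guard against bridge-generated files clobbering files that come from git.

Added illustration, not obs-scm-bridge's own code: the 0.5.2 changelog rule
'don't overwrite files from git, but complain with an error instead',
modelled as a check around every write of a generated file such as
_scmsync.obsinfo. GENERATED_FILES, GeneratedFileConflict, write_generated_file
and the sample checkouts below are assumptions for this example.
"""
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List

# Files the bridge produces itself; the repository must not ship them (assumed list).
GENERATED_FILES = ("_scmsync.obsinfo",)


class GeneratedFileConflict(RuntimeError):
    """A generated file would overwrite a file that is part of the git tree."""


def is_conflict(name: str, tracked: Iterable[str], present_on_disk: bool) -> bool:
    """True if writing `name` would clobber repository content.

    `tracked` is what `git ls-files` would print; `present_on_disk` covers files
    that sit in the checkout without being tracked (e.g. planted by a submodule
    or left behind by an earlier import).
    """
    return name in set(tracked) or present_on_disk


def write_generated_file(checkout: Path, name: str, content: str, tracked: Iterable[str]) -> Path:
    """Write `content` to checkout/name, refusing instead of overwriting git content."""
    if os.sep in name or name in ("", ".", ".."):
        # The generated file lives directly in the checkout; reject path tricks.
        raise ValueError(f"not a plain file name: {name!r}")
    target = checkout / name
    # lexists() also catches a dangling symlink, which exists() would miss.
    if is_conflict(name, tracked, os.path.lexists(target)):
        raise GeneratedFileConflict(f"{name} is part of the git tree; refusing to overwrite it")
    target.write_text(content)
    return target


def import_checkout(checkout: Path, tracked: Iterable[str], obsinfo: str) -> List[str]:
    """The source-server import step: write every generated file, or fail loudly."""
    tracked = list(tracked)
    return [write_generated_file(checkout, name, obsinfo, tracked).name for name in GENERATED_FILES]


def demo() -> Dict[str, str]:
    """Run the guard on a benign and on a malicious checkout (constructed sample data)."""
    results: Dict[str, str] = {}
    obsinfo = "mtime: 1700000000\ncommit: 0123abcd\nurl: https://example.invalid/pkg.git\n"
    with tempfile.TemporaryDirectory() as tmp:
        benign = Path(tmp) / "benign"
        benign.mkdir()
        (benign / "pkg.spec").write_text("Name: pkg\n")
        results["benign"] = ",".join(import_checkout(benign, ["pkg.spec"], obsinfo))

        # Malicious repository: it ships its own _scmsync.obsinfo as a tracked file.
        malicious = Path(tmp) / "malicious"
        malicious.mkdir()
        (malicious / "pkg.spec").write_text("Name: pkg\n")
        planted = "url: https://attacker.invalid/evil.git\n"
        (malicious / "_scmsync.obsinfo").write_text(planted)
        try:
            import_checkout(malicious, ["pkg.spec", "_scmsync.obsinfo"], obsinfo)
            results["malicious"] = "overwritten"
        except GeneratedFileConflict:
            results["malicious"] = "refused"
        # The planted file is left exactly as it was; nothing was written over it.
        results["malicious_untouched"] = str((malicious / "_scmsync.obsinfo").read_text() == planted)
    return results


if __name__ == "__main__":
    print(demo())
```

The import fails closed: a tracked file and an untracked file on disk are both treated as conflicts, and the error names the offending path so the maintainer can remove it from the repository rather than having the bridge silently choose a winner.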

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected obs-scm-bridge and / or osc packages.
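Because the plugin only compares self-reported versions, the same check can be reproduced on the host from `rpm -q` output. The block below is an added example, not Tenable's plugin or a SUSE tool: it parses a constructed sample of `rpm -q --qf '%{NAME} %{VERSION} %{RELEASE}\n' osc obs-scm-bridge` and compares versions the way rpm does (segment by segment, so 1.24.0 correctly sorts after 1.9.1, which a plain string compare gets wrong). FIXED_VERSIONS takes the newest changelog entries on this page (osc 1.24.0, obs-scm-bridge 0.7.4) as the fixed upstream versions; that is an assumption, since the advisory text here does not state the fixed version-release, and the release field is therefore ignored.

```python
"""Compare installed osc / obs-scm-bridge versions against the advisory.

Added example, not Tenable's plugin or a SUSE tool. SAMPLE_RPM_OUTPUT is
constructed; FIXED_VERSIONS is an assumption taken from the newest changelog
entries on the page (the release field is not compared).
"""
import re
from typing import Dict, List, Tuple

# Constructed sample of: rpm -q --qf '%{NAME} %{VERSION} %{RELEASE}\n' osc obs-scm-bridge
SAMPLE_RPM_OUTPUT = """osc 1.18.0 1.1
obs-scm-bridge 0.5.1 2.3
"""

# Assumed fixed upstream versions (newest changelog entries on this page).
FIXED_VERSIONS = {"osc": "1.24.0", "obs-scm-bridge": "0.7.4"}

_SEGMENT = re.compile(r"\d+|[A-Za-z]+")  # rpm splits on anything non-alphanumeric


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 like rpm's rpmvercmp (tilde/caret handling omitted).

    Numeric segments compare as integers ('1.24' > '1.9'), a numeric segment
    beats an alphabetic one, and when one string runs out of segments the
    longer one is newer ('1.0.1' > '1.0').
    """
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) != len(sb):
        return -1 if len(sa) < len(sb) else 1
    return 0


def parse_rpm_output(text: str) -> Dict[str, Tuple[str, str]]:
    """Map package name -> (version, release) from the rpm query output above."""
    installed: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:  # skips 'package X is not installed' lines
            name, version, release = parts
            installed[name] = (version, release)
    return installed


def affected_packages(installed: Dict[str, Tuple[str, str]], fixed: Dict[str, str]) -> List[str]:
    """Names of installed packages whose version is older than the fixed one."""
    return sorted(
        name
        for name, (version, _release) in installed.items()
        if name in fixed and rpmvercmp(version, fixed[name]) < 0
    )


if __name__ == "__main__":
    print(affected_packages(parse_rpm_output(SAMPLE_RPM_OUTPUT), FIXED_VERSIONS))
```

On a real host, feed the function the actual `rpm -q` output; a package reported as `not installed` is simply skipped, and the version-only comparison means a backported fix carried in the release number alone would not be recognised, which is the same limitation the plugin's note above describes.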

See Also

https://bugzilla.suse.com/1230469

https://www.suse.com/security/cve/CVE-2024-22038

https://bugzilla.suse.com/1247410

Plugin Details

Severity: Medium

ID: 302340

File Name: openSUSE-2026-20361-1.nasl

Version: 1.1

Type: local

Agent: unix

Published: 3/15/2026

Updated: 3/15/2026

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.5

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:L/AC:L/Au:N/C:P/I:C/A:C

CVSS Score Source: CVE-2024-22038

CVSS v3

Risk Factor: High

Base Score: 7.3

Temporal Score: 6.4

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 6.8

Threat Score: 4.4

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:osc, p-cpe:/a:novell:opensuse:obs-scm-bridge, cpe:/o:novell:opensuse:16.0

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 3/12/2026

Vulnerability Publication Date: 11/28/2024

Reference Information

CVE: CVE-2024-22038