openSUSE Leap 15.5: How to update latest security update for "gstreamer-plugins-bad"

Hi everyone, I am on openSUSE Leap 15.5, everything is patched to latest. Strange thing, my latest gstreamer-plugins-bad are 1.22.0-lp155.3.7.1, whereas there is 1.22.0-150500.3.20.1 available: Security update for gstreamer-plugins-bad | SUSE Support | SUSE

zypper info gstreamer-plugins-bad
Version : 1.22.0-lp155.3.7.1
Arch : x86_64
Vendor : openSUSE
Installed Size : 8.2 MiB
Installed : Yes
Status : up-to-date
Source package : gstreamer-plugins-bad-1.22.0-lp155.3.7.1.src

zypper in -t patch SUSE-2024-89=1
Loading repository data...
Reading installed packages...
'SUSE-2024-89=1' not found in package names. Trying capabilities.
No provider of 'SUSE-2024-89=1' found.

Thanks!


How is SUSE patch relevant for openSUSE?


openSUSE Leap is based on SUSE, e.g. openSUSE Leap 15.6 is based on SLES 15 SP6.
openSUSE Leap gets updates from SLES 15 backports. This is the reason for the patch name “SUSE-2024-89”.

The patch is for openSUSE Leap: gstreamer-plugins-bad-1.22.0-lp155.3.7.1 → lp stands for Leap.
155 → for openSUSE Leap 15.5 (more exactly, it comes from SLES 15 SP5 backports).
The entry “Vendor : openSUSE” shows that the patch is for openSUSE.

I am also missing this patch and asked at the security mailing list:


Thanks Carsten (Namensvetter) for this reflection and putting this on the security mailing list. I actually have another finding, maybe you can check on that, too?

zypper info busybox

Repository : openSUSE-Leap-15.5-Oss
Name : busybox
Version : 1.35.0-150500.8.2
Arch : x86_64
Vendor : SUSE LLC https://www.suse.com/
Installed Size : 1.2 MiB
Installed : Yes
Status : up-to-date

According to SUSE-SU-2023:3820-1: important: Security update for busybox this should be 1.35.0-150500.10.3.3.

Thanks,
Carsten

You can search in installed packages with:

rpm -q --changelog busybox-static | grep -i CVE-2022-48174
  in ash (CVE-2022-48174, bsc#1214538)

If you get any output, it's in the changelog…

The CVE is from here:


Also the gstreamer

rpm -q --changelog gstreamer-plugins-bad | grep -i 'bsc#1218534'
    (ZDI-CAN-22300  bsc#1218534)

This was really helpful, thank you.

Busybox:
rpm -q --changelog busybox-static | grep -i CVE-2022-48174
in ash (CVE-2022-48174, bsc#1214538)
→ We are good.

gstreamer:
rpm -q --changelog gstreamer-plugins-bad | grep -i 'bsc#1218534'
→ Not.

Leap 15.5 is not patched, but Leap 15.6 has it.
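
The changelog check used in the posts above, as an added example that is not part of the thread: it tests several advisory references at once and matches them as whole literal tokens, so a shorter id cannot match inside a longer one. The function names and the sample changelog text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report which advisory references
# (CVE ids, bsc# numbers) are recorded in an RPM changelog.

# refs_in_changelog CHANGELOG_TEXT REF...
# Prints "present REF" or "absent REF" for each reference.
# Returns 1 if at least one reference is absent, 0 otherwise.
refs_in_changelog() {
    changelog=$1; shift
    missing=0
    for ref in "$@"; do
        # -F literal string, -i ignore case, -w whole token only:
        # CVE-2022-4817 must not be reported because CVE-2022-48174 is there.
        if printf '%s\n' "$changelog" | grep -Fiwq -- "$ref"; then
            echo "present $ref"
        else
            echo "absent $ref"
            missing=1
        fi
    done
    return "$missing"
}

# check_pkg PACKAGE REF...
# Same check against the changelog of an installed package.
# Returns 2 if the package is not installed.
check_pkg() {
    pkg=$1; shift
    if ! log=$(rpm -q --changelog "$pkg" 2>/dev/null); then
        echo "not installed: $pkg" >&2
        return 2
    fi
    refs_in_changelog "$log" "$@"
}

# Constructed sample changelog (only the reference line mirrors the thread).
SAMPLE_CHANGELOG='* Mon Jan 01 2024 packager@example.invalid
- constructed entry: fix in ash (CVE-2022-48174, bsc#1214538)'

# Usage on a real system, with the ids from the thread:
#   check_pkg busybox-static CVE-2022-48174 'bsc#1214538'
#   check_pkg gstreamer-plugins-bad 'bsc#1218534'
```

Quote any reference containing `#`, otherwise the shell treats the rest of the line as a comment.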

Not every package in openSUSE originates in SLE (and not every package in SLE is available in openSUSE). Not every patch in openSUSE originates in SLE (and not every patch in SLE is available in openSUSE). And even patches that do originate in SLE are available from openSUSE repositories under different names.


Thanks for checking on that. Well, I guess we still have a security flaw here with the still-supported Leap 15.5, right?
