Request 967749 accepted

- Additional changes:
  * drop python-stem in favor of python-cepa
  * relax-async-mode.patch added
  * fix-test-cli-web.patch added
  * fix for boo#1194866

- Update to version 2.5.0
  * CVE-2022-21696: It was possible to change the username to that
    of another chat participant with an additional space character
    at the end of the name string.
  * CVE-2022-21695: Authenticated users (or unauthenticated in
    public mode) could send messages without being visible in the
    list of chat participants
  * CVE-2022-21694:
  * CVE-2022-21693: An adversary with a primitive that allows for
    filesystem access from the context of the Onionshare process
    could access sensitive files in the entire user home folder.
  * CVE-2022-21692: anyone with access to the chat environment
    could write messages disguised as another chat participant
  * CVE-2022-21691: chat participants could spoof their channel
    leave message, tricking others into assuming they left the chatroom.
  * CVE-2022-21690: The path parameter of the requested URL was not
    sanitized before being passed to the QT frontend. This path is
    used in all components for displaying the server access history.
  * CVE-2022-21688, CVE-2022-21689: Use microseconds in Receive mode
    directory creation to avoid potential DoS
  * Major feature:
    * Obtain bridges from Moat / BridgeDB
    * Snowflake bridge support
  * New feature:
    * Tor connection settings, as well as general settings,
      are now Tabs rather than dialogs
    * User can customize the Content-Security-Policy header
      in Website mode
    * Built-in bridges are automatically updated from Tor's API
      when the user has chosen to use them
  * Switch to using stem fork called cepa
  * Various bug fixes
- Drop desktop file, upstream already provides one
- Install metainfo file
- Adjust requirements
- Added relax-async-mode.patch


Axel Braun (author, source maintainer)

As python-cepa made it to Factory in between I created a new SR....


Request History
DocB created request


factory-auto added opensuse-review-team as a reviewer

Please review sources


factory-auto accepted review

Check script succeeded


dimstar_suse added as a reviewer

Being evaluated by staging project "openSUSE:Factory:Staging:adi:29"


dimstar_suse accepted review

Picked "openSUSE:Factory:Staging:adi:29"


dimstar accepted review


licensedigger accepted review

The legal review is accepted preliminary. The package may require actions later on.


dimstar_suse accepted review

Staging Project openSUSE:Factory:Staging:adi:29 got accepted.


dimstar_suse approved review

Staging Project openSUSE:Factory:Staging:adi:29 got accepted.


dimstar_suse accepted request

Staging Project openSUSE:Factory:Staging:adi:29 got accepted.
