SUSE-CU-2019:764-1: Security update of ses/6/rook/ceph

sle-security-updates at lists.suse.com sle-security-updates at lists.suse.com
Sat Feb 1 01:39:36 MST 2020


SUSE Container Update Advisory: ses/6/rook/ceph
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2019:764-1
Container Tags        : ses/6/rook/ceph:1.1.1.0 , ses/6/rook/ceph:1.1.1.0.1.5.57 , ses/6/rook/ceph:latest
Container Release     : 1.5.57
Severity              : important
Type                  : security
References            : 1049825 1051143 1071995 1092100 1109412 1109413 1109414 1110797
                        1111996 1112534 1112535 1113247 1113252 1113255 1116827 1116995
                        1118644 1118830 1118831 1120629 1120630 1120631 1120640 1121034
                        1121035 1121056 1121753 1127155 1127608 1130306 1131113 1131823
                        1133131 1133232 1134226 1135749 1137977 1138869 1139459 1139795
                        1140039 1140631 1141897 1141913 1142343 1142649 1142772 1145023
                        1145521 1145716 1146027 1146415 1146947 1148517 1149121 1149145
                        1149792 1149792 1149792 1149955 1150451 1150595 1150733 1151023
                        1151490 1152101 1152590 1153165 1153238 1153557 1153674 1153936
                        1154016 1154025 1154217 859480 CVE-2018-1000876 CVE-2018-1122
                        CVE-2018-1123 CVE-2018-1124 CVE-2018-1125 CVE-2018-1126 CVE-2018-17358
                        CVE-2018-17359 CVE-2018-17360 CVE-2018-17985 CVE-2018-18309 CVE-2018-18483
                        CVE-2018-18484 CVE-2018-18605 CVE-2018-18606 CVE-2018-18607 CVE-2018-19931
                        CVE-2018-19932 CVE-2018-20532 CVE-2018-20533 CVE-2018-20534 CVE-2018-20623
                        CVE-2018-20651 CVE-2018-20671 CVE-2018-6323 CVE-2018-6543 CVE-2018-6759
                        CVE-2018-6872 CVE-2018-7208 CVE-2018-7568 CVE-2018-7569 CVE-2018-7570
                        CVE-2018-7642 CVE-2018-7643 CVE-2018-8945 CVE-2019-1010180 CVE-2019-14250
                        CVE-2019-14287 CVE-2019-14853 CVE-2019-14859 CVE-2019-15847 CVE-2019-16056
                        CVE-2019-16935 CVE-2019-17543 CVE-2019-3689 CVE-2019-5094 ECO-368
                        PM-1350 SLE-6206 SLE-7687 SLE-9426 
-----------------------------------------------------------------

The container ses/6/rook/ceph was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2626-1
Released:    Thu Oct 10 17:22:35 2019
Summary:     Recommended update for permissions
Type:        recommended
Severity:    moderate
References:  1110797
Description:

This update for permissions fixes the following issues:
- Updated permissons for amanda. (bsc#1110797)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2645-1
Released:    Fri Oct 11 17:11:23 2019
Summary:     Recommended update for python-cryptography
Type:        recommended
Severity:    moderate
References:  1149792
Description:

This update for python-cryptography fixes the following issues:

- Adds compatibility to openSSL 1.1.1d (bsc#1149792)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2647-1
Released:    Fri Oct 11 17:12:06 2019
Summary:     Recommended update for python-pyOpenSSL
Type:        recommended
Severity:    moderate
References:  1149792
Description:

This update for python-pyOpenSSL fixes the following issues:

- Adds compatibility for openSSL 1.1.1d (bsc#1149792)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2656-1
Released:    Mon Oct 14 17:02:24 2019
Summary:     Security update for sudo
Type:        security
Severity:    important
References:  1153674,CVE-2019-14287
Description:

This update for sudo fixes the following issue:

- CVE-2019-14287: Fixed an issue where a user with sudo privileges 
  that allowed them to run commands with an arbitrary uid, could 
  run commands as root, despite being forbidden to do so in sudoers
  (bsc#1153674).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2676-1
Released:    Tue Oct 15 21:06:54 2019
Summary:     Recommended update for e2fsprogs
Type:        recommended
Severity:    moderate
References:  1145716,1152101,CVE-2019-5094
Description:

This update for e2fsprogs fixes the following issues:

Security issue fixed:

- CVE-2019-5094: Fixed an arbitrary code execution via specially crafted ext4 file systems. (bsc#1152101)

Non-security issue fixed:

- libext2fs: Call fsync(2) to clear stale errors for a new a unix I/O channel. (bsc#1145716)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2693-1
Released:    Wed Oct 16 16:43:30 2019
Summary:     Recommended update for rpcbind
Type:        recommended
Severity:    moderate
References:  1142343
Description:

This update for rpcbind fixes the following issues:

- Return correct IP address with multiple ip addresses in the same
  subnet. (bsc#1142343)
  

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2702-1
Released:    Wed Oct 16 18:41:30 2019
Summary:     Security update for gcc7
Type:        security
Severity:    moderate
References:  1071995,1141897,1142649,1148517,1149145,CVE-2019-14250,CVE-2019-15847
Description:

This update for gcc7 to r275405 fixes the following issues:

Security issues fixed:

- CVE-2019-14250: Fixed an integer overflow in binutils (bsc#1142649).
- CVE-2019-15847: Fixed an optimization in the POWER9 backend of gcc that could reduce the entropy of the random number generator (bsc#1149145).

Non-security issue fixed:

- Move Live Patching technology stack from kGraft to upstream klp (bsc#1071995, fate#323487).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2730-1
Released:    Mon Oct 21 16:04:57 2019
Summary:     Security update for procps
Type:        security
Severity:    important
References:  1092100,1121753,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126
Description:

This update for procps fixes the following issues:

procps was updated to 3.3.15. (bsc#1092100)

Following security issues were fixed:

- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top
  with HOME unset in an attacker-controlled directory, the attacker could have
  achieved privilege escalation by exploiting one of several vulnerabilities in
  the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow.
  Inbuilt protection in ps maped a guard page at the end of the overflowed
  buffer, ensuring that the impact of this flaw is limited to a crash (temporary
  denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap
  corruption in file2strvec function. This allowed a privilege escalation for a
  local attacker who can create entries in procfs by starting processes, which
  could result in crashes or arbitrary code execution in proc utilities run by
  other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was
  mitigated by FORTIFY limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent
  truncation/integer overflow issues (bsc#1092100).


Also this non-security issue was fixed:

- Fix CPU summary showing old data. (bsc#1121753)

The update to 3.3.15 contains the following fixes:

* library: Increment to 8:0:1
  No removals, no new functions
  Changes: slab and pid structures
* library: Just check for SIGLOST and don't delete it
* library: Fix integer overflow and LPE in file2strvec   CVE-2018-1124
* library: Use size_t for alloc functions                CVE-2018-1126
* library: Increase comm size to 64
* pgrep: Fix stack-based buffer overflow                 CVE-2018-1125
* pgrep: Remove >15 warning as comm can be longer
* ps: Fix buffer overflow in output buffer, causing DOS  CVE-2018-1123
* ps: Increase command name selection field to 64
* top: Don't use cwd for location of config              CVE-2018-1122
* update translations
* library: build on non-glibc systems
* free: fix scaling on 32-bit systems
* Revert 'Support running with child namespaces'
* library: Increment to 7:0:1
  No changes, no removals
  New fuctions: numa_init, numa_max_node, numa_node_of_cpu, numa_uninit, xalloc_err_handler
* doc: Document I idle state in ps.1 and top.1
* free: fix some of the SI multiples
* kill: -l space between name parses correctly
* library: dont use vm_min_free on non Linux
* library: don't strip off wchan prefixes (ps & top)
* pgrep: warn about 15+ char name only if -f not used
* pgrep/pkill: only match in same namespace by default
* pidof: specify separator between pids
* pkill: Return 0 only if we can kill process
* pmap: fix duplicate output line under '-x' option
* ps: avoid eip/esp address truncations
* ps: recognizes SCHED_DEADLINE as valid CPU scheduler
* ps: display NUMA node under which a thread ran
* ps: Add seconds display for cputime and time
* ps: Add LUID field
* sysctl: Permit empty string for value
* sysctl: Don't segv when file not available
* sysctl: Read and write large buffers
* top: add config file support for XDG specification
* top: eliminated minor libnuma memory leak
* top: show fewer memory decimal places (configurable)
* top: provide command line switch for memory scaling
* top: provide command line switch for CPU States
* top: provides more accurate cpu usage at startup
* top: display NUMA node under which a thread ran
* top: fix argument parsing quirk resulting in SEGV
* top: delay interval accepts non-locale radix point
* top: address a wishlist man page NLS suggestion
* top: fix potential distortion in 'Mem' graph display
* top: provide proper multi-byte string handling
* top: startup defaults are fully customizable
* watch: define HOST_NAME_MAX where not defined
* vmstat: Fix alignment for disk partition format
* watch: Support ANSI 39,49 reset sequences

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2742-1
Released:    Tue Oct 22 15:40:16 2019
Summary:     Recommended update for libzypp, zypper, libsolv and PackageKit
Type:        recommended
Severity:    important
References:  1049825,1116995,1120629,1120630,1120631,1127155,1127608,1130306,1131113,1131823,1134226,1135749,1137977,1139795,1140039,1145521,1146027,1146415,1146947,1153557,859480,CVE-2018-20532,CVE-2018-20533,CVE-2018-20534
Description:

This update for libzypp, zypper, libsolv and PackageKit fixes the following issues:

Security issues fixed in libsolv:

- CVE-2018-20532: Fixed NULL pointer dereference at ext/testcase.c (function testcase_read) (bsc#1120629).
- CVE-2018-20533: Fixed NULL pointer dereference at ext/testcase.c (function testcase_str2dep_complex) in libsolvext.a (bsc#1120630).
- CVE-2018-20534: Fixed illegal address access at src/pool.h (function pool_whatprovides) in libsolv.a (bsc#1120631).

Other issues addressed in libsolv:

- Fixed an issue where libsolv failed to build against swig 4.0 by updating the version to 0.7.5 (bsc#1135749).
- Fixed an issue with the package name (bsc#1131823).
- repo_add_rpmdb: do not copy bad solvables from the old solv file
- Fixed an issue with  cleandeps updates in which all packages were not updated
- Experimental DISTTYPE_CONDA and REL_CONDA support
- Fixed cleandeps jobs when using patterns (bsc#1137977)
- Fixed favorq leaking between solver runs if the solver is reused
- Fixed SOLVER_FLAG_FOCUS_BEST updateing packages without reason
- Be more correct with multiversion packages that obsolete their own name (bnc#1127155)
- Fix repository priority handling for multiversion packages
- Make code compatible with swig 4.0, remove obj0 instances
- repo2solv: support zchunk compressed data
- Remove NO_BRP_STRIP_DEBUG=true as brp-15-strip-debug will
  not strip debug info for archives

Issues fixed in libzypp:

- Fix empty metalink downloads if filesize is unknown (bsc#1153557)
- Recognize riscv64 as architecture
- Fix installation of new header file (fixes #185)
- zypp.conf: Introduce `solver.focus` to define the resolvers general
  attitude when resolving jobs. (bsc#1146415)
- New container detection algorithm for zypper ps (bsc#1146947)
- Fix leaking filedescriptors in MediaCurl. (bsc#1116995)
- Run file conflict check on dry-run. (bsc#1140039)
- Do not remove orphan products if the .prod file is owned by
  a package. (bsc#1139795)
- Rephrase file conflict check summary. (bsc#1140039)
- Fix bash completions option detection. (bsc#1049825)
- Fixes a bug where zypper exited on SIGPIPE when downloading packages (bsc#1145521)
- Fixes an issue where zypper exited with a segmentation fault when updating via YaST2 (bsc#1146027)
- PublicKey::algoName: supply key algorithm and length

Issues fixed in zypper:

- Update to version 1.14.30
- Ignore SIGPIPE while STDOUT/STDERR are OK (bsc#1145521)
- Dump stacktrace on SIGPIPE (bsc#1145521)
- info: The requested info must be shown in QUIET mode (fixes #287)
- Fix local/remote url classification.
- Rephrase file conflict check summary (bsc#1140039)
- Fix bash completions option detection (bsc#1049825)
- man: split '--with[out]' like options to ease searching.
- Unhided 'ps' command in help
- Added option to show more conflict information
- Rephrased `zypper ps` hint (bsc#859480)
- Fixed repo refresh not returning 106-ZYPPER_EXIT_INF_REPOS_SKIPPED
  if --root is used (bsc#1134226)
- Fixed unknown package handling in zypper install (bsc#1127608)
- Re-show progress bar after pressing retry upon install error (bsc#1131113)


Issues fixed in PackageKit:

- Port the cron configuration variables to the systemd timer script, and add -sendwait
  parameter to mail in the script(bsc#1130306).


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2757-1
Released:    Wed Oct 23 17:21:17 2019
Summary:     Security update for lz4
Type:        security
Severity:    moderate
References:  1153936,CVE-2019-17543
Description:

This update for lz4 fixes the following issues:

- CVE-2019-17543: Fixed a heap-based buffer overflow in LZ4_write32 (bsc#1153936).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2762-1
Released:    Thu Oct 24 07:08:44 2019
Summary:     Recommended update for timezone
Type:        recommended
Severity:    moderate
References:  1150451
Description:

This update for timezone fixes the following issues:

- Fiji observes DST from 2019-11-10 to 2020-01-12.
- Norfolk Island starts observing Australian-style DST.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2779-1
Released:    Thu Oct 24 16:57:42 2019
Summary:     Security update for binutils
Type:        security
Severity:    moderate
References:  1109412,1109413,1109414,1111996,1112534,1112535,1113247,1113252,1113255,1116827,1118644,1118830,1118831,1120640,1121034,1121035,1121056,1133131,1133232,1141913,1142772,1152590,1154016,1154025,CVE-2018-1000876,CVE-2018-17358,CVE-2018-17359,CVE-2018-17360,CVE-2018-17985,CVE-2018-18309,CVE-2018-18483,CVE-2018-18484,CVE-2018-18605,CVE-2018-18606,CVE-2018-18607,CVE-2018-19931,CVE-2018-19932,CVE-2018-20623,CVE-2018-20651,CVE-2018-20671,CVE-2018-6323,CVE-2018-6543,CVE-2018-6759,CVE-2018-6872,CVE-2018-7208,CVE-2018-7568,CVE-2018-7569,CVE-2018-7570,CVE-2018-7642,CVE-2018-7643,CVE-2018-8945,CVE-2019-1010180,ECO-368,SLE-6206
Description:

This update for binutils fixes the following issues:

binutils was updated to current 2.32 branch [jsc#ECO-368].

Includes following security fixes:

- CVE-2018-17358: Fixed invalid memory access in _bfd_stab_section_find_nearest_line in syms.c (bsc#1109412)
- CVE-2018-17359: Fixed invalid memory access exists in bfd_zalloc in opncls.c (bsc#1109413)
- CVE-2018-17360: Fixed heap-based buffer over-read in bfd_getl32 in libbfd.c (bsc#1109414)
- CVE-2018-17985: Fixed a stack consumption problem caused by the cplus_demangle_type (bsc#1116827)
- CVE-2018-18309: Fixed an invalid memory address dereference was discovered in read_reloc in reloc.c (bsc#1111996)
- CVE-2018-18483: Fixed get_count function provided by libiberty that allowed attackers to cause a denial of service or other unspecified impact (bsc#1112535)
- CVE-2018-18484: Fixed stack exhaustion in the C++ demangling functions provided by libiberty, caused by recursive stack frames (bsc#1112534)
- CVE-2018-18605: Fixed a heap-based buffer over-read issue was discovered in the function sec_merge_hash_lookup causing a denial of service (bsc#1113255)
- CVE-2018-18606: Fixed a NULL pointer dereference in _bfd_add_merge_section when attempting to merge sections with large alignments, causing denial of service (bsc#1113252)
- CVE-2018-18607: Fixed a NULL pointer dereference in elf_link_input_bfd when used for finding STT_TLS symbols without any TLS section, causing denial of service (bsc#1113247)
- CVE-2018-19931: Fixed a heap-based buffer overflow in bfd_elf32_swap_phdr_in in elfcode.h (bsc#1118831)
- CVE-2018-19932: Fixed an integer overflow and infinite loop caused by the IS_CONTAINED_BY_LMA (bsc#1118830)
- CVE-2018-20623: Fixed a use-after-free in the error function in elfcomm.c (bsc#1121035)
- CVE-2018-20651: Fixed a denial of service via a NULL pointer dereference in elf_link_add_object_symbols in elflink.c (bsc#1121034)
- CVE-2018-20671: Fixed an integer overflow that can trigger a heap-based buffer overflow in  load_specific_debug_section in objdump.c (bsc#1121056)
- CVE-2018-1000876: Fixed integer overflow in bfd_get_dynamic_reloc_upper_bound,bfd_canonicalize_dynamic_reloc in objdump (bsc#1120640)
- CVE-2019-1010180: Fixed an out of bound memory access that could lead to crashes (bsc#1142772)

- enable xtensa architecture (Tensilica lc6 and related)
- Use -ffat-lto-objects in order to provide assembly for static libs
  (bsc#1141913).
- Fixed some LTO build issues (bsc#1133131 bsc#1133232).
- riscv: Don't check ABI flags if no code section
- Fixed a segfault in ld when building some versions of pacemaker (bsc#1154025, bsc#1154016).
- Add avr, epiphany and rx to target_list so that the common binutils can handle all objects we can create with crosses (bsc#1152590).

Update to binutils 2.32:

* The binutils now support for the C-SKY processor series.
* The x86 assembler now supports a -mvexwig=[0|1] option to control
  encoding of VEX.W-ignored (WIG) VEX instructions.
  It also has a new -mx86-used-note=[yes|no] option to generate (or
  not) x86 GNU property notes.  
* The MIPS assembler now supports the Loongson EXTensions R2 (EXT2),
  the Loongson EXTensions (EXT) instructions, the Loongson Content
  Address Memory (CAM) ASE and the Loongson MultiMedia extensions
  Instructions (MMI) ASE.
* The addr2line, c++filt, nm and objdump tools now have a default
  limit on the maximum amount of recursion that is allowed whilst
  demangling strings.  This limit can be disabled if necessary.
* Objdump's --disassemble option can now take a parameter,
  specifying the starting symbol for disassembly.  Disassembly will
  continue from this symbol up to the next symbol or the end of the
  function.
* The BFD linker will now report property change in linker map file
  when merging GNU properties.
* The BFD linker's -t option now doesn't report members within
  archives, unless -t is given twice.  This makes it more useful
  when generating a list of files that should be packaged for a
  linker bug report.
* The GOLD linker has improved warning messages for relocations that
  refer to discarded sections.

- Improve relro support on s390 [fate#326356]
- Fix broken debug symbols (bsc#1118644)
- Handle ELF compressed header alignment correctly.


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2782-1
Released:    Fri Oct 25 14:27:52 2019
Summary:     Security update for nfs-utils
Type:        security
Severity:    moderate
References:  1150733,CVE-2019-3689
Description:

This update for nfs-utils fixes the following issues:

- CVE-2019-3689: Fixed root-owned files stored in insecure /var/lib/nfs. (bsc#1150733)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2802-1
Released:    Tue Oct 29 11:39:05 2019
Summary:     Security update for python3
Type:        security
Severity:    moderate
References:  1149121,1149792,1149955,1151490,1153238,CVE-2019-16056,CVE-2019-16935,PM-1350,SLE-9426
Description:

This update for python3 to 3.6.9 fixes the following issues:

Security issues fixed:

- CVE-2019-16056: Fixed a parser issue in the email module. (bsc#1149955)
- CVE-2019-16935: Fixed a reflected XSS in python/Lib/DocXMLRPCServer.py (bsc#1153238).

Non-security issues fixed:

- Fixed regression of OpenSSL 1.1.1b-1 in EVP_PBE_scrypt() with salt=NULL. (bsc#1151490)
- Improved locale handling by implementing PEP 538.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2812-1
Released:    Tue Oct 29 14:57:55 2019
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1139459,1140631,1145023,1150595,SLE-7687
Description:

This update for systemd provides the following fixes:

- Fix a problem that would cause invoking try-restart to an inactive service to hang when
  a daemon-reload is invoked before the try-restart returned. (bsc#1139459)
- man: Add a note about _netdev usage.
- units: Replace remote-cryptsetup-pre.target with remote-fs-pre.target.
- units: Add [Install] section to remote-cryptsetup.target.
- cryptsetup: Ignore _netdev, since it is used in generator.
- cryptsetup-generator: Use remote-cryptsetup.target when _netdev is present. (jsc#SLE-7687)
- cryptsetup-generator: Add a helper utility to create symlinks.
- units: Add remote-cryptsetup.target and remote-cryptsetup-pre.target.
- man: Add an explicit description of _netdev to systemd.mount(5).
- man: Order fields alphabetically in crypttab(5).
- man: Make crypttab(5) a bit easier to read.
- units: Order cryptsetup-pre.target before cryptsetup.target.
- Fix reporting of enabled-runtime units.
- sd-bus: Deal with cookie overruns. (bsc#1150595)
- rules: Add by-id symlinks for persistent memory. (bsc#1140631)
- Buildrequire polkit so /usr/share/polkit-1/rules.d subdir can be only owned by polkit.
  (bsc#1145023)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2870-1
Released:    Thu Oct 31 08:09:14 2019
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1051143,1138869,1151023
Description:

This update for aaa_base provides the following fixes:

- Check if variables can be set before modifying them to avoid warnings on login with a
  restricted shell. (bsc#1138869)
- Add s390x compressed kernel support. (bsc#1151023)
- service: Check if there is a second argument before using it. (bsc#1051143)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2891-1
Released:    Mon Nov  4 17:47:10 2019
Summary:     Security update for python-ecdsa
Type:        security
Severity:    moderate
References:  1153165,1154217,CVE-2019-14853,CVE-2019-14859
Description:

This update for python-ecdsa to version 0.13.3 fixes the following issues:

Security issues fixed:

- CVE-2019-14853: Fixed unexpected exceptions during signature decoding (bsc#1153165).
- CVE-2019-14859: Fixed a signature malleability caused by insufficient checks of DER encoding (bsc#1154217).



More information about the sle-security-updates mailing list