SUSE-CU-2020:192-1: Security update of suse/sle15

sle-security-updates at lists.suse.com sle-security-updates at lists.suse.com
Fri Jun 12 07:28:29 MDT 2020 

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:192-1
Container Tags        : suse/sle15:15.1 , suse/sle15:15.1.6.2.251
Container Release     : 6.2.251
Severity              : important
Type                  : security
References            : 1090047 1103678 1107116 1107121 1111499 1130873 1137001 1139959
                        1154803 1156159 1164543 1165476 1165573 1166610 1167122 1168990
                        1172295 1172461 1172506 CVE-2018-16428 CVE-2018-16429 CVE-2019-12450
                        CVE-2019-13012 CVE-2020-13777 
-----------------------------------------------------------------

The container suse/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2780-1
Released:    Mon Nov 26 17:46:10 2018
Summary:     Security update for glib2
Type:        security
Severity:    moderate
References:  1107116,1107121,1111499,CVE-2018-16428,CVE-2018-16429
This update for glib2 fixes the following issues:

Security issues fixed:

- CVE-2018-16428: Do not do a NULL pointer dereference (crash).
  Avoid that, at the cost of introducing a new translatable error
  message (bsc#1107121).
- CVE-2018-16429: Fixed out-of-bounds read vulnerability ing_markup_parse_context_parse() (bsc#1107116).

Non-security issue fixed:

- various GVariant parsing issues have been resolved (bsc#1111499)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:251-1
Released:    Wed Feb  6 11:22:43 2019
Summary:     Recommended update for glib2
Type:        recommended
Severity:    moderate
References:  1090047
This update for glib2 provides the following fix:

- Enable systemtap. (fate#326393, bsc#1090047)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1594-1
Released:    Fri Jun 21 10:17:15 2019
Summary:     Security update for glib2
Type:        security
Severity:    important
References:  1103678,1137001,CVE-2019-12450
This update for glib2 fixes the following issues:

Security issue fixed:    

- CVE-2019-12450: Fixed an improper file permission when copy operation
  takes place (bsc#1137001).   

Other issue addressed:    

- glib2 was handling an UNKNOWN connectivity state from NetworkManager as if there
  was a connection thus giving false positives to PackageKit (bsc#1103678)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1833-1
Released:    Fri Jul 12 17:53:51 2019
Summary:     Security update for glib2
Type:        security
Severity:    moderate
References:  1139959,CVE-2019-13012
This update for glib2 fixes the following issues:

Security issue fixed:

- CVE-2019-13012: Fixed improper restriction of file permissions when creating directories (bsc#1139959).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1579-1
Released:    Tue Jun  9 17:05:23 2020
Summary:     Recommended update for audit
Type:        recommended
Severity:    important
References:  1156159,1172295
This update for audit fixes the following issues:

- Fix hang on startup. (bsc#1156159)
- Fix specfile to require libauparse0 and libaudit1 after splitting audit-libs. (bsc#1172295)
  
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1584-1
Released:    Tue Jun  9 18:39:15 2020
Summary:     Security update for gnutls
Type:        security
Severity:    important
References:  1172461,1172506,CVE-2020-13777
This update for gnutls fixes the following issues:

- CVE-2020-13777: Fixed an insecure session ticket key construction which could 
  have made the TLS server to not bind the session ticket encryption key with a
  value supplied by the application until the initial key rotation, allowing
  an attacker to bypass authentication in TLS 1.3 and recover previous
  conversations in TLS 1.2 (bsc#1172506).
- Fixed an  improper handling of certificate chain with cross-signed intermediate
  CA certificates (bsc#1172461).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1611-1
Released:    Fri Jun 12 09:38:03 2020
Summary:     Recommended update for libsolv, libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1130873,1154803,1164543,1165476,1165573,1166610,1167122,1168990
This update for libsolv, libzypp, zypper fixes the following issues:

libsolv was updated to 0.7.13 to fix:

- Fix solvable swapping messing up idarrays
- fix ruleinfo of complex dependencies returning the wrong origin

libzypp was updated to 17.23.4 to fix:

- Get retracted patch status from updateinfo data (jsc#SLE-8770)
  libsolv injects the indicator provides into packages only.
- remove 'using namespace std;' (bsc#1166610, fixes #218)
- Online doc: add 'Hardware (modalias) dependencies' page
  (fixes #216)
- Add HistoryLogReader actionFilter to parse only specific
  HistoryActionIDs.
- RepoVariables: Add safe guard in case the caller does not own a
  zypp instance.
- Enable c++17. Define libyzpp CXX_STANDARD in ZyppCommon.cmake.
- Fix package status computation regarding unneeded, orphaned, recommended
  and suggested packages (broken in 17.23.0) (bsc#1165476)
- Log patch status changes to history (jsc#SLE-5116)
- Allow to disable all WebServer dependent tests when building. OBS
  wants to be able to get rid of the nginx/FastCGI-devel build
  requirement. Use 'rpmbuild --without mediabackend_tests' or
  'cmake -DDISABLE_MEDIABACKEND_TESTS=1'.
- update translations
- boost: Fix deprecated auto_unit_test.hpp includes.
- Disable zchunk on Leap-15.0 and SLE15-* while there is no libzck.
- Fix decision whether to download ZCHUNK files.
  libzypp and libsolv must both be able to read the format.
- yum::Downloader: Prefer zchunk compressed metadata if libvsolv
  supports it.
- Selectable: Fix highestAvailableVersionObj if only retracted
  packages are available. Avoid using retracted items as candidate
  (jsc#SLE-8770)
- RpmDb: Become rpmdb backend independent (jsc#SLE-7272)
- RpmDb: Close API offering a custom rpmdb path
  It's actually not needed and for this to work also libsolv needs
  to support it. You can sill use a librpmDb::db_const_iterator to
  access a database at a custom location (ro).
- Remove legacy rpmV3database conversion code.
- Reformat manpages to workaround asciidoctor shortcomings
  (bsc#1154803, bsc#1167122, bsc#1168990)
- Remove undocumented rug legacy stuff.
- Remove 'using namespace std;' (bsc#1166610)
- patch table: Add 'Since' column if history data are available
  (jsc#SLE-5116)

zypper was updated to  version 1.14.36:

- Tag 'retracted' patch status in info and list-patches (jsc#SLE-8770)
- Tag 'R'etracted items in search tabes status columns (jsc#SLE-8770)
- Relax 'Do not allow the abbreviation of cli arguments' in
  legacy distibutions (bsc#1164543)
- Correctly detect ambigous switch abbreviations (bsc#1165573)
- zypper-aptitude: don't supplement zypper.
  supplementing zypper means zypper-aptitude gets installed by
  default and pulls in perl. Neither is desired on small systems.
- Do not allow the abbreviation of cli arguments (bsc#1164543)
- accoring to according in all translation files.
- Always show exception history if available.
- Use default package cache location for temporary repos (bsc#1130873)

More information about the sle-security-updates mailing list