SUSE-CU-2020:165-1: Security update of caasp/v4/etcd

sle-security-updates at lists.suse.com
Wed May 6 13:53:06 MDT 2020


SUSE Container Update Advisory: caasp/v4/etcd
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:165-1
Container Tags        : caasp/v4/etcd:3.4.3 , caasp/v4/etcd:3.4.3-rev3 , caasp/v4/etcd:3.4.3-rev3-build3.12.1
Container Release     : 3.12.1
Severity              : important
Type                  : security
References            : 1013125 1084671 1092920 1102840 1106383 1121353 1125689 1133495
                        1135114 1139459 1139939 1145003 1146182 1146184 1148788 1149332
                        1150021 1151023 1151377 1151582 1152334 1152692 1154256 1154804
                        1154805 1155198 1155205 1155207 1155298 1155327 1155337 1155574
                        1155678 1155819 1156158 1156213 1156300 1156482 1157292 1157323
                        1157337 1157377 1157794 1157893 1158095 1158485 1158763 1158830
                        1158921 1158996 1159003 1159082 1159108 1159314 1159814 1160039
                        1160160 1160460 1160463 1160571 1160594 1160595 1160735 1160764
                        1160970 1160979 1161056 1161110 1161179 1161215 1161216 1161218
                        1161219 1161220 1161225 1161262 1161436 1161779 1161816 1162093
                        1162093 1162108 1162108 1162152 1162518 1163184 1163922 1164390
                        1164505 1164562 1164717 1164950 1164950 1165011 1165539 1165579
                        1165784 1166106 1166481 1166510 1166510 1166748 1166881 1167163
                        1167223 1167631 1167674 1168076 1168345 1168364 1168699 1168835
                        1169569 1169992 1170173 CVE-2019-14889 CVE-2019-18802 CVE-2019-18900
                        CVE-2019-19126 CVE-2019-20386 CVE-2019-3687 CVE-2019-5188 CVE-2019-9511
                        CVE-2019-9513 CVE-2020-10029 CVE-2020-11501 CVE-2020-1712 CVE-2020-1712
                        CVE-2020-1730 CVE-2020-1752 CVE-2020-8013 
-----------------------------------------------------------------

The container caasp/v4/etcd was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:129-1
Released:    Mon Jan 20 09:21:13 2020
Summary:     Security update for libssh
Type:        security
Severity:    important
References:  1158095,CVE-2019-14889
This update for libssh fixes the following issues:

- CVE-2019-14889: Fixed an unwanted command execution in scp caused by unsanitized location (bsc#1158095).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:225-1
Released:    Fri Jan 24 06:49:07 2020
Summary:     Recommended update for procps
Type:        recommended
Severity:    moderate
References:  1158830
This update for procps fixes the following issues:

- Fixed 'ps -C' not accepting arguments longer than 15 characters anymore. (bsc#1158830)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:256-1
Released:    Wed Jan 29 09:39:17 2020
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1157794,1160970
This update for aaa_base fixes the following issues:

- Improves the way how the Java path is created to fix an issue with sapjvm. (bsc#1157794)
- Drop 'dev.cdrom.autoclose' = 0 from sysctl config. (bsc#1160970)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:262-1
Released:    Thu Jan 30 11:02:42 2020
Summary:     Security update for glibc
Type:        security
Severity:    moderate
References:  1149332,1151582,1157292,1157893,1158996,CVE-2019-19126
This update for glibc fixes the following issues:

Security issue fixed:

- CVE-2019-19126: Fixed to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition (bsc#1157292).

Bug fixes:

- Fixed the z15 (s390x) strstr implementation, which could return incorrect results if the search string crosses a page boundary (bsc#1157893).
- Fixed Hardware support in toolchain (bsc#1151582).
- Fixed syscalls during early process initialization (SLE-8348).
- Fixed an array overflow in backtrace for PowerPC (bsc#1158996).
- Moved to posix_spawn on popen (bsc#1149332).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:265-1
Released:    Thu Jan 30 14:05:34 2020
Summary:     Security update for e2fsprogs
Type:        security
Severity:    moderate
References:  1160571,CVE-2019-5188
This update for e2fsprogs fixes the following issues:

- CVE-2019-5188: Fixed a code execution vulnerability in the directory rehashing functionality (bsc#1160571).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:279-1
Released:    Fri Jan 31 12:01:39 2020
Summary:     Recommended update for p11-kit
Type:        recommended
Severity:    moderate
References:  1013125
This update for p11-kit fixes the following issues:

- Also build documentation (bsc#1013125)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:335-1
Released:    Thu Feb  6 11:37:24 2020
Summary:     Security update for systemd
Type:        security
Severity:    important
References:  1084671,1092920,1106383,1133495,1151377,1154256,1155207,1155574,1156213,1156482,1158485,1159814,1161436,1162108,CVE-2019-20386,CVE-2020-1712
This update for systemd fixes the following issues:

- CVE-2020-1712 (bsc#1162108)
  Fix a heap use-after-free vulnerability, when asynchronous
  Polkit queries were performed while handling Dbus messages. A local
  unprivileged attacker could have abused this flaw to crash systemd services or
  potentially execute code and elevate their privileges, by sending specially
  crafted Dbus messages.

- Use suse.pool.ntp.org server pool on SLE distros (jsc#SLE-7683)

- libblkid: open device in nonblock mode. (bsc#1084671)
- udev/cdrom_id: Do not open CD-rom in exclusive mode. (bsc#1154256)
- bus_open: fix leak of sd_event_source when running udevadm trigger. (bsc#1161436 CVE-2019-20386)
- fileio: introduce read_full_virtual_file() for reading virtual files in sysfs, procfs (bsc#1133495 bsc#1159814)
- fileio: initialize errno to zero before we do fread()
- fileio: try to read one byte too much in read_full_stream()
- logind: consider 'greeter' sessions suitable as 'display' sessions of a user (bsc#1158485)
- logind: never elect a session that is stopping as display

- journal: include kmsg lines from the systemd process which exec()d us (#8078)
- udevd: don't use monitor after manager_exit()
- udevd: capitalize log messages in on_sigchld()
- udevd: merge conditions to decrease indentation
- Revert 'udevd: fix crash when workers time out after exit is signal caught'
- core: fragments of masked units ought not be considered for NeedDaemonReload (#7060) (bsc#1156482)
- udevd: fix crash when workers time out after exit is signal caught
- udevd: wait for workers to finish when exiting (bsc#1106383)

- Improve bash completion support (bsc#1155207)
  * shell-completion: systemctl: do not list template units in {re,}start
  * shell-completion: systemctl: pass current word to all list_unit*
  * bash-completion: systemctl: pass current partial unit to list-unit* (bsc#1155207)
  * bash-completion: systemctl: use systemctl --no-pager
  * bash-completion: also suggest template unit files
  * bash-completion: systemctl: add missing options and verbs
  * bash-completion: use the first argument instead of the global variable (#6457)

- networkd: VXLan Make group and remote variable separate (bsc#1156213)
- networkd: vxlan require Remote= to be a non multicast address (#8117) (bsc#1156213)
- fs-util: let's avoid unnecessary strerror()
- fs-util: introduce inotify_add_watch_and_warn() helper
- ask-password: improve log message when inotify limit is reached (bsc#1155574)
- shared/install: failing with -ELOOP can be due to the use of an alias in install_error() (bsc#1151377)
- man: alias names can't be used with enable command (bsc#1151377)

- Add boot option to not use swap at system start (jsc#SLE-7689)

- Allow YaST to select Iranian (Persian, Farsi) keyboard layout
  (bsc#1092920)
  
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:339-1
Released:    Thu Feb  6 13:03:22 2020
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    low
References:  1158921
This update for openldap2 provides the following fix:

- Add libldap-data to the product (as it contains ldap.conf). (bsc#1158921)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:368-1
Released:    Fri Feb  7 13:49:41 2020
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    moderate
References:  1150021
This update for lvm2 fixes the following issues:

- Fix for LVM in KVM: the SCSI persistent reservation scenario can trigger an error during LVM actions. (bsc#1150021)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:432-1
Released:    Fri Feb 21 14:34:16 2020
Summary:     Security update for libsolv, libzypp, zypper
Type:        security
Severity:    moderate
References:  1135114,1154804,1154805,1155198,1155205,1155298,1155678,1155819,1156158,1157377,1158763,CVE-2019-18900
This update for libsolv, libzypp, zypper fixes the following issues:


Security issue fixed:

- CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763).

Bug fixes:

- Fixed removing orphaned packages dropped by to-be-installed products (bsc#1155819).
- Adds libzypp API to mark all obsolete kernels according to the existing purge-kernel script rules (bsc#1155198).
- Do not enforce 'en' being in RequestedLocales. If the user decides to have a system without explicit language support, he may do so (bsc#1155678).
- Load only target resolvables for zypper rm (bsc#1157377).
- Fix broken search by filelist (bsc#1135114).
- Replace python by a bash script in zypper-log (fixes#304, fixes#306, bsc#1156158).
- Do not sort out requested locales which are not available (bsc#1155678).
- Prevent listing duplicate matches in tables. XML result is provided within the new list-patches-byissue element (bsc#1154805).
- XML add patch issue-date and issue-list (bsc#1154805).
- Fix zypper lp --cve/bugzilla/issue options (bsc#1155298).
- Always execute commit when adding/removing locales (fixes bsc#1155205).
- Fix description of --table-style,-s in man page (bsc#1154804).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:451-1
Released:    Tue Feb 25 10:50:35 2020
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  1155337,1161215,1161216,1161218,1161219,1161220
This update for libgcrypt fixes the following issues:

- ECDSA: Check range of coordinates (bsc#1161216)
- FIPS: libgcrypt DSA PQG parameter generation: Missing value [bsc#1161219]
- FIPS: libgcrypt DSA PQG verification incorrect results [bsc#1161215]
- FIPS: libgcrypt RSA siggen/keygen: 4k not supported [bsc#1161220]
- FIPS: keywrap gives incorrect results [bsc#1161218]
- FIPS: RSA/DSA/ECDSA are missing hashing operation [bsc#1155337]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:476-1
Released:    Tue Feb 25 14:23:14 2020
Summary:     Recommended update for perl
Type:        recommended
Severity:    moderate
References:  1102840,1160039
This update for perl fixes the following issues:

- Some packages make assumptions about the date and time they are built.
  This update solves the issues caused by calling the perl function timelocal
  with the year expressed in two digits only instead of four. (bsc#1102840) (bsc#1160039)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:480-1
Released:    Tue Feb 25 17:38:22 2020
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1160735
This update for aaa_base fixes the following issues:

- Change 'rp_filter' to increase the default priority to ethernet over the wifi. (bsc#1160735)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:525-1
Released:    Fri Feb 28 11:49:36 2020
Summary:     Recommended update for pam
Type:        recommended
Severity:    moderate
References:  1164562
This update for pam fixes the following issues:

- Add libdb as build-time dependency to enable pam_userdb module.
  Enable pam_userdb.so (jsc#sle-7258, bsc#1164562)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:547-1
Released:    Fri Feb 28 16:26:21 2020
Summary:     Security update for permissions
Type:        security
Severity:    moderate
References:  1148788,1160594,1160764,1161779,1163922,CVE-2019-3687,CVE-2020-8013
This update for permissions fixes the following issues:

Security issues fixed:

- CVE-2019-3687: Fixed a privilege escalation which could allow a local user to read network traffic if wireshark is installed (bsc#1148788).
- CVE-2020-8013: Fixed an issue where chkstat set unintended setuid/capabilities for mrsh and wodim (bsc#1163922).

Non-security issues fixed:

- Fixed a regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594).
- Fixed capability handling when doing multiple permission changes at once (bsc#1161779).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:572-1
Released:    Tue Mar  3 13:25:41 2020
Summary:     Recommended update for cyrus-sasl
Type:        recommended
Severity:    moderate
References:  1162518
This update for cyrus-sasl fixes the following issues:

- Added support for retrieving negotiated SSF in gssapi plugin (bsc#1162518)
- Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF (bsc#1162518)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:573-1
Released:    Tue Mar  3 13:37:28 2020
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:  1160160
This update for ca-certificates-mozilla to 2.40 fixes the following issues:

Updated to 2.40 state of the Mozilla NSS Certificate store (bsc#1160160):

Removed certificates:

- Certplus Class 2 Primary CA
- Deutsche Telekom Root CA 2
- CN=Swisscom Root CA 2
- UTN-USERFirst-Client Authentication and Email

Added certificates:

- Entrust Root Certification Authority - G4

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:597-1
Released:    Thu Mar  5 15:24:09 2020
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  1164950
This update for libgcrypt fixes the following issues:

- FIPS: Run the self-tests from the constructor [bsc#1164950]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:633-1
Released:    Tue Mar 10 16:23:08 2020
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1139939,1151023
This update for aaa_base fixes the following issues:

- get_kernel_version: fix for current kernel on s390x (bsc#1151023, bsc#1139939)
- Added '-h'/'--help' to the 'old' command
- change feedback url from http://www.suse.de/feedback to https://github.com/openSUSE/aaa_base/issues

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:668-1
Released:    Fri Mar 13 10:48:58 2020
Summary:     Security update for glibc
Type:        security
Severity:    moderate
References:  1163184,1164505,1165784,CVE-2020-10029
This update for glibc fixes the following issues:

- CVE-2020-10029: Fixed a potential overflow of an on-stack buffer
  during range reduction (bsc#1165784).
- Fixed an issue where pthreads were not always locked correctly (bsc#1164505).
- Document mprotect and introduce section on memory protection (bsc#1163184).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:689-1
Released:    Fri Mar 13 17:09:01 2020
Summary:     Recommended update for pam
Type:        recommended
Severity:    moderate
References:  1166510

This update for PAM fixes the following issue:

- The license of libdb linked against pam_userdb is not always wanted,
  so we temporarily disabled pam_userdb again. It will be published
  in a different package at a later time. (bsc#1166510)
  
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:710-1
Released:    Wed Mar 18 07:32:24 2020
Summary:     Upgrading to Terraform 0.12 and fix issues in crio, grafana, kubelet, skuba, and terraform
Type:        recommended
Severity:    important
References:  1145003,1157323,1159082,1160463,1161056,1161110,1161179,1161225,1162093
Upgrade Terraform Files and State

In order to seamlessly switch to Terraform 0.12 you need to make sure that:

* all files follow the new syntax for the HashiCorp Configuration Language included in Terraform 0.12;
* all boolean values are `true` or `false` and *not* 0 or 1;
* all variables are explicitly declared;
* all dependencies are explicitly declared to reach the expected behavior.

Recommended Procedure

If you can tear down your existing cluster, do delete your cluster
before upgrading to Terraform 0.12. After that follow our documentation to create a new cluster.
That will lead to the cleanest upgrade result.

If you are using Terraform 0.11 and you cannot tear down your cluster, you will
need to update your Terraform files (and states) in place for Terraform 0.12.

To do this, enter your Terraform files/state folder and:

* Migrate Terraform files with the automatic migration tool by running `terraform 0.12upgrade`.
* For OpenStack, run the extra operations for in-place upgrade, which follow just below.
* For VMware, there is no extra operation.
* You can then run the `terraform init/plan/apply` commands as usual.

Extra Operations for In-place Upgrade of OpenStack Terraform Files

* Replace any boolean values written as a number with `false`/`true`.
  For example, for the variables in `openstack/variables.tf`
  (and their equivalent in your `terraform.tfvars` file), replace
  `default = 0` with `default = false` in the variables
  `workers_vol_enabled` and `dnsentry`. Do the same for
  any extra boolean variable you might have added.
* Introduce a `depends_on` on the resource `'openstack_compute_floatingip_associate_v2' 'master_ext_ip'` in `master-instance.tf`:

----
depends_on = [openstack_compute_instance_v2.master]
----

* Introduce a `depends_on` on the resource `'master_wait_cloudinit'` in `master-instance.tf`:

----
depends_on = [
  openstack_compute_instance_v2.master,
  openstack_compute_floatingip_associate_v2.master_ext_ip
]
----

* Introduce a `depends_on` on the resources
  `'openstack_compute_floatingip_associate_v2' 'worker_ext_ip'` and
  `'null_resource' 'worker_wait_cloudinit'` in `worker-instance.tf`, similarly to the ones for master.
  Replace `master` with `worker` in the examples above.
* Update the resource `resource 'openstack_compute_instance_v2' 'master'`
  in `master-instance.tf` and the resource `resource 'openstack_compute_instance_v2' 'worker'`
  in `worker-instance.tf` by adding the following block to each:

----
lifecycle {
  ignore_changes = [user_data]
}
----

This will make it possible to update your cluster from a Terraform 0.11 state
into a Terraform 0.12 state without tearing it down completely.

[WARNING]
When adding `lifecycle { ignore_changes = [user_data] }` to your master and
worker instances, you effectively prevent updates of those nodes, should you or
SUSE change the `user_data`. Remove this block as soon as possible after the
migration to Terraform 0.12.
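The following is an added example (not part of this advisory or of the SUSE terraform files) showing how the steps above fit together in a `master-instance.tf` written in Terraform 0.12 syntax. The variable names `master_image`, `master_flavor`, `internal_net`, the `master_ext` floating IP resource, the `cfg` cloud-init data source and the `sles` login user are assumed placeholders; the `dnsentry` variable, the two `depends_on` lists and the `lifecycle` block are the changes the procedure calls for.

```hcl
# Added example: master-instance.tf after the in-place upgrade to Terraform 0.12.
# Booleans are now true/false (item 1 of the upgrade), every referenced
# variable is declared, and dependencies are explicit.

variable "dnsentry" {
  type    = bool
  default = false   # was: default = 0 under Terraform 0.11
}

# Assumed placeholders; in a real deployment these come from variables.tf / terraform.tfvars.
variable "master_image"  { default = "SLES15-SP1-JeOS"   }
variable "master_flavor" { default = "m1.medium"         }
variable "internal_net"  { default = "caasp-net"         }

resource "openstack_compute_instance_v2" "master" {
  name        = "caasp-master"
  image_name  = var.master_image                     # 0.12 syntax, no "${...}"
  flavor_name = var.master_flavor
  user_data   = data.template_cloudinit_config.cfg.rendered   # assumed data source

  network {
    name = var.internal_net
  }

  # Keeps a node created from 0.11 state from being replaced because its
  # rendered user_data differs. Remove once the migration is complete
  # (see the warning in the advisory).
  lifecycle {
    ignore_changes = [user_data]
  }
}

resource "openstack_compute_floatingip_associate_v2" "master_ext_ip" {
  floating_ip = openstack_networking_floatingip_v2.master_ext.address   # assumed resource
  instance_id = openstack_compute_instance_v2.master.id

  # Explicit dependency required by the upgrade procedure.
  depends_on = [openstack_compute_instance_v2.master]
}

resource "null_resource" "master_wait_cloudinit" {
  # Wait only after both the instance and its floating IP exist.
  depends_on = [
    openstack_compute_instance_v2.master,
    openstack_compute_floatingip_associate_v2.master_ext_ip,
  ]

  connection {
    type = "ssh"
    host = openstack_compute_floatingip_associate_v2.master_ext_ip.floating_ip
    user = "sles"   # assumed login user
  }

  provisioner "remote-exec" {
    inline = ["cloud-init status --wait > /dev/null"]
  }
}
```

The worker file follows the same shape with `master` replaced by `worker`; after editing, `terraform plan` should show no replacement of existing instances.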
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:475-1
Released:    Thu Mar 19 11:00:46 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1160595
This update for systemd fixes the following issues:

- Remove TasksMax limit for both user and system slices (jsc#SLE-10123)
- Backport IP filtering feature (jsc#SLE-7743 bsc#1160595)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:726-1
Released:    Thu Mar 19 13:23:03 2020
Summary:     Security update for nghttp2
Type:        security
Severity:    moderate
References:  1125689,1146182,1146184,1159003,1166481,CVE-2019-18802,CVE-2019-9511,CVE-2019-9513
This update for nghttp2 fixes the following issues:

Security issues fixed:

- CVE-2019-9513: Fixed HTTP/2 implementation that is vulnerable to resource loops, potentially leading to a denial of service (bsc#1146184).
- CVE-2019-9511: Fixed HTTP/2 implementations that are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service (bsc#11461).
- CVE-2019-18802: Fixed an issue where a malformed request header could bypass route matchers, resulting in escalation of privileges or information disclosure (bsc#1159003).

Bug fixes and enhancements:

- Fixed mistake in spec file (bsc#1125689)

Update to version 1.40.0 to fix CVE-2019-18802 in envoy-proxy and
cilium-proxy (bsc#1166481)

  * lib: Add nghttp2_check_authority as public API
  * lib: Fix the bug that stream is closed with wrong error code
  * lib: Faster huffman encoding and decoding
  * build: Avoid filename collision of static and dynamic lib
  * build: Add new flag ENABLE_STATIC_CRT for Windows
  * build: cmake: Support building nghttpx with systemd
  * third-party: Update neverbleed to fix memory leak
  * nghttpx: Fix bug that mruby is incorrectly shared between
    backends
  * nghttpx: Reconnect h1 backend if it lost connection before
    sending headers
  * nghttpx: Returns 408 if backend timed out before sending
    headers
  * nghttpx: Fix request stall

- Conditionally remove dependency on jemalloc for SLE-12
- Require correct library from devel package - boo#1125689

Update to version 1.39.2 (bsc#1146184, bsc#1146182):

* This release fixes CVE-2019-9511 “Data Dribble” and CVE-2019-9513
  “Resource Loop” vulnerability in nghttpx and nghttpd. Specially crafted HTTP/2
  frames cause Denial of Service by consuming CPU time. Check out
  https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
  for details. For nghttpx, additionally limiting inbound traffic by
  --read-rate and --read-burst options is quite effective against
  this kind of attack.

* Add nghttp2_option_set_max_outbound_ack API function
* nghttpx: Fix request stall

Update to version 1.39.1:

* This release fixes the bug that log-level is not set with
  cmd-line or configuration file. It also fixes FPE with default
  backend.

Changes for version 1.39.0:

* libnghttp2 now ignores content-length in 200 response to
  CONNECT request as per RFC 7230.
* mruby has been upgraded to 2.0.1.
* libnghttp2-asio now supports boost-1.70.
* http-parser has been replaced with llhttp.
* nghttpx now ignores Content-Length and Transfer-Encoding in 1xx
  or 200 to CONNECT.


-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:729-1
Released:    Thu Mar 19 14:44:22 2020
Summary:     Recommended update for glibc
Type:        recommended
Severity:    moderate
References:  1166106
This update for glibc fixes the following issues:

- Allow dlopen of filter object to work (bsc#1166106, BZ #16272)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:793-1
Released:    Wed Mar 25 15:16:00 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1139459,1161262,1162108,1164717,1165579,CVE-2020-1712
This update for systemd fixes the following issues:

- manager: fix job mode when signalled to shutdown etc (bsc#1161262)
- remove fallback for user/exit.target
- dbus method Manager.Exit() does not start exit.target
- do not install rescue.target for alt-↑
- %j/%J unit specifiers


Added support for I/O scheduler selection with blk-mq (bsc#1165579, bsc#1164717).

Added the udev 60-ssd-scheduler.rules:

- This rules file, which selects the default IO scheduler for SSDs, is
  being moved out of the git repo since it is not related to
  systemd or udev at all and is maintained by the kernel team.

- core: coldplug possible nop_job (bsc#1139459)
- Revert 'udev: use 'deadline' IO scheduler for SSD disks'
- Fix typo in function name
- polkit: when authorizing via PK let's re-resolve callback/userdata instead of caching it (bsc#1162108 CVE-2020-1712)
- sd-bus: introduce API for re-enqueuing incoming messages
- polkit: on async pk requests, re-validate action/details

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:814-1
Released:    Mon Mar 30 16:23:42 2020
Summary:     Recommended update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1
Type:        recommended
Severity:    moderate
References:  1161816,1162152,1167223
This update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1 fixes the following issues:

libreoffice was updated to 6.4.2.2 (jsc#SLE-11174 jsc#SLE-11175 jsc#SLE-11176 bsc#1167223):

Full Release Notes can be found on:

	https://wiki.documentfoundation.org/ReleaseNotes/6.4

- Fixed broken handling of non-ASCII characters in the KDE filedialog
  (bsc#1161816)
- Move the animation library to core package bsc#1162152

xmlsec1 was updated to 1.2.28:

* Added BoringSSL support (chenbd).
* Added gnutls-3.6.x support (alonbl).
* Added DSA and ECDSA key size getter for MSCNG (vmiklos).
* Added --enable-mans configuration option (alonbl).
* Added continuous build integration for MacOSX (vmiklos).
* Several other small fixes (more details).

- Make sure to recommend at least one backend when you install
  just xmlsec1

- Drop the gnutls backend as based on the tests it is quite borked:
  * We still have nss and openssl backend for people to use

Version update to 1.2.27:

* Added AES-GCM support for OpenSSL and MSCNG (snargit).
* Added DSA-SHA256 and ECDSA-SHA384 support for NSS (vmiklos).
* Added RSA-OAEP support for MSCNG (vmiklos).
* Continuous build integration in Travis and Appveyor.
* Several other small fixes (more details).

myspell-dictionaries was updated to 20191219:

* Updated the English dictionaries: GB+US+CA+AU
* Bring shipped Spanish dictionary up to version 2.5


boost was updated to fix:
- add a backport of Boost.Optional::has_value() for LibreOffice

The QR-Code-generator is shipped:

- Initial commit, needed by libreoffice 6.4


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:820-1
Released:    Tue Mar 31 13:02:22 2020
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1167631,CVE-2020-1752
This update for glibc fixes the following issues:

- CVE-2020-1752: Fixed a use after free in glob which could have allowed
  a local attacker to create a specially crafted path that, when processed
  by the glob function, could potentially have led to arbitrary code execution
  (bsc#1167631).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:834-1
Released:    Tue Mar 31 17:21:34 2020
Summary:     Recommended update for permissions
Type:        recommended
Severity:    moderate
References:  1167163
This update for permissions fixes the following issue:

- Whitelist the set group ID (setgid) bit on the s390-tools log directory. (bsc#1167163)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:846-1
Released:    Thu Apr  2 07:24:07 2020
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  1164950,1166748,1167674
This update for libgcrypt fixes the following issues:

- FIPS: Remove an unneeded check in _gcry_global_constructor (bsc#1164950)
- FIPS: Fix drbg to be threadsafe (bsc#1167674)
- FIPS: Run self-tests from constructor during power-on [bsc#1166748]

  * Set up global_init as the constructor function.
  * Relax the entropy requirements on selftest. This is especially
    important for virtual machines to boot properly before the RNG
    is available.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:917-1
Released:    Fri Apr  3 15:02:25 2020
Summary:     Recommended update for pam
Type:        recommended
Severity:    moderate
References:  1166510
This update for pam fixes the following issues:

- Moved pam_userdb into a separate package pam-extra. (bsc#1166510)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:948-1
Released:    Wed Apr  8 07:44:21 2020
Summary:     Security update for gmp, gnutls, libnettle
Type:        security
Severity:    moderate
References:  1152692,1155327,1166881,1168345,CVE-2020-11501
This update for gmp, gnutls, libnettle fixes the following issues:

Security issue fixed:

- CVE-2020-11501: Fixed zero random value in DTLS client hello (bsc#1168345)

FIPS related bugfixes:

- FIPS: Install checksums for binary integrity verification which are
  required when running in FIPS mode (bsc#1152692, jsc#SLE-9518)
- FIPS: Fixed a cfb8 decryption issue, no longer truncate output IV if
  input is shorter than block size. (bsc#1166881)
- FIPS: Added Diffie Hellman public key verification test. (bsc#1155327)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:961-1
Released:    Wed Apr  8 13:34:06 2020
Summary:     Recommended update for e2fsprogs
Type:        recommended
Severity:    moderate
References:  1160979
This update for e2fsprogs fixes the following issues:

- e2fsck: clarify overflow link count error message (bsc#1160979)
- ext2fs: update allocation info earlier in ext2fs_mkdir() (bsc#1160979)
- ext2fs: implement dir entry creation in htree directories (bsc#1160979)
- tests: add test to exercise indexed directories with metadata_csum (bsc#1160979)
- tune2fs: update dir checksums when clearing dir_index feature (bsc#1160979)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:967-1
Released:    Thu Apr  9 11:41:53 2020
Summary:     Security update for libssh
Type:        security
Severity:    moderate
References:  1168699,CVE-2020-1730
This update for libssh fixes the following issues:

- CVE-2020-1730: Fixed a possible denial of service when using AES-CTR (bsc#1168699).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:969-1
Released:    Thu Apr  9 11:43:17 2020
Summary:     Security update for permissions
Type:        security
Severity:    moderate
References:  1168364
This update for permissions fixes the following issues:

- Fixed spelling of icinga group (bsc#1168364)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:981-1
Released:    Mon Apr 13 15:43:44 2020
Summary:     Recommended update for rpm
Type:        recommended
Severity:    moderate
References:  1156300
This update for rpm fixes the following issues:

- Fix for language package macros to avoid wrong requirement on shared library. (bsc#1156300)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1026-1
Released:    Fri Apr 17 16:14:43 2020
Summary:     Recommended update for libsolv
Type:        recommended
Severity:    moderate
References:  1159314
This update for libsolv fixes the following issues:

libsolv was updated to version 0.7.11:

- fix solv_zchunk decoding error if large chunks are used (bsc#1159314)
- treat retracted paths as irrelevant
- made add_update_target work with multiversion installs

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1047-1
Released:    Tue Apr 21 10:33:06 2020
Summary:     Recommended update for gnutls
Type:        recommended
Severity:    moderate
References:  1168835
This update for gnutls fixes the following issues:

- Backport AES XTS support (bsc#1168835)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1063-1
Released:    Wed Apr 22 10:46:50 2020
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  1165539,1169569
This update for libgcrypt fixes the following issues:

- FIPS: Switch the PCT to use the new signature operation (bsc#1165539)
- FIPS: Verify that the generated signature and the original input differ in test_keys function for RSA, DSA and ECC (bsc#1165539)
- Add zero-padding when qx and qy have different lengths when assembling the Q point from affine coordinates.
- Ship the FIPS checksum file in the shared library package and create a separate trigger file for the FIPS selftests (bsc#1169569)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1108-1
Released:    Fri Apr 24 16:31:01 2020
Summary:     Recommended update for gnutls
Type:        recommended
Severity:    moderate
References:  1169992
This update for gnutls fixes the following issues:

- FIPS: Do not check for /etc/system-fips which we don't have (bsc#1169992)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1175-1
Released:    Tue May  5 08:33:43 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1165011,1168076
This update for systemd fixes the following issues:

- Fix check for address to keep interface names stable. (bsc#1168076)
- Fix for checking non-normalized WHAT for network FS. (bsc#1165011)
- Allow to specify an arbitrary string for when vfs is used. (bsc#1165011)

-----------------------------------------------------------------
Advisory ID: SUSE-feature-2020:1196-1
Released:    Wed May  6 13:35:05 2020
Summary:     Update to kubernetes 1.17, podman, cri-o and docs
Type:        feature
Severity:    moderate
References:  1121353,1152334,1157337,1159108,1160460,1162093,1164390,1170173
= Required Actions
== Kubernetes 1.17

In order to update to kubernetes 1.17, follow the instructions in the admin guide https://documentation.suse.com/suse-caasp/4.2/html/caasp-admin/_cluster_updates.html#_updating_kubernetes_components.

Make sure you look at the Release Notes https://www.suse.com/releasenotes/x86_64/SUSE-CAASP/4/#_changes_in_4_3_0 for any known bugs.

== conmon and cri-o

Conmon and cri-o will be updated by `skuba-update`. No action is required from your side. For more info see https://documentation.suse.com/suse-caasp/4.2/html/caasp-admin/_cluster_updates.html#_base_os_updates

== skuba

In order to update skuba, you need to update the admin workstation. See detailed instructions at https://documentation.suse.com/suse-caasp/4.1/html/caasp-admin/_cluster_updates.html#_update_management_workstation