SUSE-CU-2021:17-1: Security update of ses/6/cephcsi/cephcsi
sle-security-updates at lists.suse.com
sle-security-updates at lists.suse.com
Thu Jan 7 23:52:42 MST 2021
SUSE Container Update Advisory: ses/6/cephcsi/cephcsi
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:17-1
Container Tags : ses/6/cephcsi/cephcsi:1.2.0.0 , ses/6/cephcsi/cephcsi:1.2.0.0.1.5.338 , ses/6/cephcsi/cephcsi:latest
Container Release : 1.5.338
Severity : important
Type : security
References : 1084671 1123327 1145276 1150164 1155094 1158499 1160158 1160790
1161088 1161089 1161198 1161203 1161670 1161913 1163569 1165281
1165534 1166848 1167939 1169006 1169134 1170487 1172546 1172695
1172798 1173503 1174091 1174232 1174571 1174591 1174593 1174701
1174918 1174918 1174942 1175061 1175110 1175240 1175514 1175585
1175623 1175781 1175847 1176116 1176192 1176192 1176256 1176257
1176258 1176259 1176262 1176262 1176435 1176435 1176712 1176712
1176740 1176740 1176902 1176902 1176988 1177120 1177211 1177238
1177238 1177458 1177479 1177490 1177510 1177533 1177843 1177858
1178009 1178346 1178376 1178387 1178512 1178554 1178577 1178614
1178624 1178675 1178727 1178823 1178825 1178837 1179036 1179139
1179193 1179193 1179341 1179398 1179399 1179431 1179452 1179491
1179593 1179630 1179802 1180118 1180138 1180155 1180377 935885
935885 998893 CVE-2019-16785 CVE-2019-16786 CVE-2019-16789 CVE-2019-16792
CVE-2019-16935 CVE-2019-18348 CVE-2019-20907 CVE-2019-20916 CVE-2019-20916
CVE-2019-5010 CVE-2020-13844 CVE-2020-14422 CVE-2020-15166 CVE-2020-1971
CVE-2020-25660 CVE-2020-25692 CVE-2020-26116 CVE-2020-26137 CVE-2020-27619
CVE-2020-27781 CVE-2020-28196 CVE-2020-8284 CVE-2020-8285 CVE-2020-8286
CVE-2020-8492
-----------------------------------------------------------------
The container ses/6/cephcsi/cephcsi was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3048-1
Released: Tue Oct 27 16:04:52 2020
Summary: Recommended update for libsolv, libzypp, yaml-cpp, zypper
Type: recommended
Severity: moderate
References: 1174918,1176192,1176435,1176712,1176740,1176902,1177238,935885
This update for libsolv, libzypp, yaml-cpp, zypper fixes the following issues:
libzypp was updated to 17.25.1:
- When kernel-rt has been installed, the purge-kernels service fails during boot. (bsc#1176902)
- Use package name provides as group key in purge-kernel (bsc#1176740 bsc#1176192)
kernel-default-base has new packaging, where the kernel uname -r
does not reflect the full package version anymore. This patch
adds additional logic to use the most generic/shortest edition
each package provides with %{packagename}=<version> to group the
kernel packages instead of the rpm versions.
This also changes how the keep-spec for specific versions is
applied, instead of matching the package versions, each of the
package name provides will be matched.
- RepoInfo: Return the type of the local metadata cache as
fallback (bsc#1176435)
- VendorAttr: Fix broken 'suse,opensuse' equivalence handling.
Enhance API and testcases. (bsc#1174918)
- Update docs regarding 'opensuse' namepace matching.
- Link against libzstd to close libsolvs open references
(as we link statically)
yaml-cpp:
- The libyaml-cpp0_6 library package is added the to the Basesystem module, LTSS and ESPOS
channels, and the INSTALLER channels, as a new libzypp dependency.
No source changes were done to yaml-cpp.
zypper was updated to 1.14.40:
- info: Assume descriptions starting with '<p>' are richtext
(bsc#935885)
- help: prevent 'whatis' from writing to stderr (bsc#1176712)
- wp: point out that command is aliased to a search command and
searches case-insensitive (jsc#SLE-16271)
libsolv was updated to 0.7.15 to fix:
- make testcase_mangle_repo_names deal correctly with freed repos
[bsc#1177238]
- fix deduceq2addedmap clearing bits outside of the map
- conda: feature depriorization first
- conda: fix startswith implementation
- move find_update_seeds() call in cleandeps calculation
- set SOLVABLE_BUILDHOST in rpm and rpmmd parsers
- new testcase_mangle_repo_names() function
- new solv_fmemopen() function
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3264-1
Released: Tue Nov 10 09:50:29 2020
Summary: Security update for zeromq
Type: security
Severity: moderate
References: 1176116,1176256,1176257,1176258,1176259,CVE-2020-15166
This update for zeromq fixes the following issues:
- CVE-2020-15166: Fixed the possibility of unauthenticated clients causing a denial-of-service (bsc#1176116).
- Fixed a heap overflow when receiving malformed ZMTP v1 packets (bsc#1176256)
- Fixed a memory leak in client induced by malicious server(s) without CURVE/ZAP (bsc#1176257)
- Fixed memory leak when processing PUB messages with metadata (bsc#1176259)
- Fixed a stack overflow in PUB/XPUB subscription store (bsc#1176258)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3269-1
Released: Tue Nov 10 15:57:24 2020
Summary: Security update for python-waitress
Type: security
Severity: moderate
References: 1160790,1161088,1161089,1161670,CVE-2019-16785,CVE-2019-16786,CVE-2019-16789,CVE-2019-16792
This update for python-waitress to 1.4.3 fixes the following security issues:
- CVE-2019-16785: HTTP request smuggling through LF vs CRLF handling (bsc#1161088).
- CVE-2019-16786: HTTP request smuggling through invalid Transfer-Encoding (bsc#1161089).
- CVE-2019-16789: HTTP request smuggling through invalid whitespace characters (bsc#1160790).
- CVE-2019-16792: HTTP request smuggling by sending the Content-Length header twice (bsc#1161670).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3285-1
Released: Wed Nov 11 11:22:14 2020
Summary: Recommended update for libsolv, libzypp, zypper
Type: recommended
Severity: moderate
References: 1174918,1176192,1176435,1176712,1176740,1176902,1177238,935885
This update for libsolv, libzypp, zypper fixes the following issues:
libzypp was updated to version 17.25.1:
- Fix bsc#1176902: When kernel-rt has been installed, the
purge-kernels service fails during boot.
- Use package name provides as group key in purge-kernel
(bsc#1176740 bsc#1176192)
kernel-default-base has new packaging, where the kernel uname -r
does not reflect the full package version anymore. This patch
adds additional logic to use the most generic/shortest edition
each package provides with %{packagename}=<version> to group the
kernel packages instead of the rpm versions.
This also changes how the keep-spec for specific versions is
applied, instead of matching the package versions, each of the
package name provides will be matched.
- RepoInfo: Return the type of the local metadata cache as
fallback (bsc#1176435)
- VendorAttr: Fix broken 'suse,opensuse' equivalence handling.
Enhance API and testcases. (bsc#1174918)
- Update docs regarding 'opensuse' namepace matching.
- New solver testcase format.
- Link against libzsd to close libsolvs open references
(as we link statically)
zypper was updated to version 1.14.40.
- info: Assume descriptions starting with '<p>' are richtext
(bsc#935885)
- Use new testcase API in libzypp.
- BuildRequires: libzypp-devel >= 17.25.0.
- help: prevent 'whatis' from writing to stderr (bsc#1176712)
- wp: point out that command is aliased to a search command and
searches case-insensitive (jsc#SLE-16271)
libsolv was updated to version 0.7.16:
- do not ask the namespace callback for splitprovides when writing
a testcase
- fix add_complex_recommends() selecting conflicted packages in
rare cases leading to crashes
- improve choicerule generation so that package updates are
prefered in more cases
- make testcase_mangle_repo_names deal correctly with freed repos
[bsc#1177238]
- fix deduceq2addedmap clearing bits outside of the map
- conda: feature depriorization first
- conda: fix startswith implementation
- move find_update_seeds() call in cleandeps calculation
- set SOLVABLE_BUILDHOST in rpm and rpmmd parsers
- new testcase_mangle_repo_names() function
- new solv_fmemopen() function
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3289-1
Released: Wed Nov 11 12:25:19 2020
Summary: Recommended update for python-cheroot
Type: recommended
Severity: moderate
References: 1176988
This update for python-cheroot fixes the following issue:
- Ignore OpenSSL's 1.1+ Error 0 under any Python while wrapping a socket. (bsc#1176988)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3290-1
Released: Wed Nov 11 12:25:32 2020
Summary: Recommended update for findutils
Type: recommended
Severity: moderate
References: 1174232
This update for findutils fixes the following issues:
- Do not unconditionally use leaf optimization for NFS. (bsc#1174232)
NFS st_nlink are not accurate on all implementations, leading to aborts() if that assumption is made.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3313-1
Released: Thu Nov 12 16:07:37 2020
Summary: Security update for openldap2
Type: security
Severity: important
References: 1178387,CVE-2020-25692
This update for openldap2 fixes the following issues:
- CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3377-1
Released: Thu Nov 19 09:29:32 2020
Summary: Security update for krb5
Type: security
Severity: moderate
References: 1178512,CVE-2020-28196
This update for krb5 fixes the following security issue:
- CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3381-1
Released: Thu Nov 19 10:53:38 2020
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1177458,1177490,1177510
This update for systemd fixes the following issues:
- build-sys: optionally disable support of journal over the network (bsc#1177458)
- ask-password: prevent buffer overflow when reading from keyring (bsc#1177510)
- mount: don't propagate errors from mount_setup_unit() further up
- Rely on the new build option --disable-remote for journal_remote
This allows to drop the workaround that consisted in cleaning journal-upload files and
{sysusers.d,tmpfiles.d}/systemd-remote.conf manually when 'journal_remote' support was disabled.
- Move journal-{remote,upload}.conf.5.gz man pages into systemd-journal_remote sub package
- Make sure {sysusers.d,tmpfiles.d}/systemd-remote.conf are not shipped with --without=journal_remote (bsc#1177458)
These files were incorrectly packaged in the main package when systemd-journal_remote was disabled.
- Make use of %{_unitdir} and %{_sysusersdir}
- Remove mq-deadline selection from 60-io-scheduler.rules (bsc#1177490)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3462-1
Released: Fri Nov 20 13:14:35 2020
Summary: Recommended update for pam and sudo
Type: recommended
Severity: moderate
References: 1174593,1177858,1178727
This update for pam and sudo fixes the following issue:
pam:
- pam_xauth: do not *free* a string which has been successfully passed to *putenv*. (bsc#1177858)
- Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727)
- Run /usr/bin/xauth using the old user's and group's identifiers. (bsc#1174593)
sudo:
- Fix a problem with pam_xauth which checks effective and real uids to get the real identity of the user. (bsc#1174593)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3485-1
Released: Mon Nov 23 13:10:36 2020
Summary: Recommended update for lvm2
Type: recommended
Severity: moderate
References: 1123327,1173503,1175110,998893
This update for lvm2 fixes the following issues:
- Fixed an issue when the hot spares in LVM not added automatically. (bsc#1175110)
- Fixed an issue when lvm produces a large number of luns with error message 'Too many open files'. (bsc#1173503)
- Fixes an issue when LVM initialization failed during reboot. (bsc#998893)
- Fixed a misplaced parameter in the lvm configuration. (bsc#1123327)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3546-1
Released: Fri Nov 27 11:21:09 2020
Summary: Recommended update for gnutls
Type: recommended
Severity: moderate
References: 1172695
This update for gnutls fixes the following issue:
- Avoid spurious audit messages about incompatible signature algorithms (bsc#1172695)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3560-1
Released: Mon Nov 30 12:21:34 2020
Summary: Recommended update for openssl-1_1
Type: recommended
Severity: moderate
References: 1158499,1160158,1161198,1161203,1163569,1165281,1165534,1166848,1175847,1177479
This update for openssl-1_1 fixes the following issues:
This update backports various bugfixes for FIPS:
- Restore private key check in EC_KEY_check_key [bsc#1177479]
- Add shared secret KAT to FIPS DH selftest [bsc#1175847]
- Include ECDH/DH Requirements from SP800-56Arev3 [bsc#1175847]
- Fix locking issue uncovered by python testsuite (bsc#1166848)
- Fix the sequence of locking operations in FIPS mode [bsc#1165534]
- Fix deadlock in FIPS rand code (bsc#1165281)
- Fix wrong return values of FIPS DSA and ECDH selftests (bsc#1163569)
- Fix FIPS DRBG without derivation function (bsc#1161198)
- Allow md5_sha1 in FIPS mode to enable TLS 1.0 (bsc#1161203)
- Obsolete libopenssl-1_0_0-hmac for a clean upgrade from SLE-12
(bsc#1158499)
- Restore the EVP_PBE_scrypt() behavior from before the KDF patch
by treating salt=NULL as salt='' (bsc#1160158)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3566-1
Released: Mon Nov 30 16:56:52 2020
Summary: Security update for python-setuptools
Type: security
Severity: important
References: 1176262,CVE-2019-20916
This update for python-setuptools fixes the following issues:
- Fixed a directory traversal in _download_http_url() (bsc#1176262 CVE-2019-20916)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3572-1
Released: Mon Nov 30 18:12:34 2020
Summary: Recommended update for lvm2
Type: recommended
Severity: important
References: 1177533
This update for lvm2 fixes the following issues:
- Fixed an issue where /boot logical volume was accidentally unmounted (bsc#1177533)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3579-1
Released: Tue Dec 1 14:24:31 2020
Summary: Recommended update for glib2
Type: recommended
Severity: moderate
References: 1178346
This update for glib2 fixes the following issues:
- Add support for slim format of timezone. (bsc#1178346)
- Fix DST incorrect end day when using slim format. (bsc#1178346)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3581-1
Released: Tue Dec 1 14:40:22 2020
Summary: Recommended update for libusb-1_0
Type: recommended
Severity: moderate
References: 1178376
This update for libusb-1_0 fixes the following issues:
- Fixes a build failure for libusb for the inclusion of 'sys/time.h' on PowerPC. (bsc#1178376)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3593-1
Released: Wed Dec 2 10:33:49 2020
Summary: Security update for python3
Type: security
Severity: important
References: 1176262,1179193,CVE-2019-20916
This update for python3 fixes the following issues:
Update to 3.6.12 (bsc#1179193), including:
- Fixed a directory traversal in _download_http_url() (bsc#1176262 CVE-2019-20916)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3620-1
Released: Thu Dec 3 17:03:55 2020
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References:
This update for pam fixes the following issues:
- Check if the password is part of the username. (jsc#SLE-16719, jsc#SLE-16720)
- Check whether the password contains a substring of of the user's name of at least `<N>` characters length in
some form. This is enabled by the new parameter `usersubstr=<N>`
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3640-1
Released: Mon Dec 7 13:24:41 2020
Summary: Recommended update for binutils
Type: recommended
Severity: important
References: 1179036,1179341
This update for binutils fixes the following issues:
Update binutils 2.35 branch to commit 1c5243df:
* Fixes PR26520, aka [bsc#1179036], a problem in addr2line with
certain DWARF variable descriptions.
* Also fixes PR26711, PR26656, PR26655, PR26929, PR26808, PR25878,
PR26740, PR26778, PR26763, PR26685, PR26699, PR26902, PR26869,
PR26711
* The above includes fixes for dwo files produced by modern dwp,
fixing several problems in the DWARF reader.
Update binutils to 2.35.1 and rebased branch diff:
* This is a point release over the previous 2.35 version, containing bug
fixes, and as an exception to the usual rule, one new feature. The
new feature is the support for a new directive in the assembler:
'.nop'. This directive creates a single no-op instruction in whatever
encoding is correct for the target architecture. Unlike the .space or
.fill this is a real instruction, and it does affect the generation of
DWARF line number tables, should they be enabled. This fixes an
incompatibility introduced in the latest update that broke the install
scripts of the Oracle server. [bsc#1179341]
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3703-1
Released: Mon Dec 7 20:17:32 2020
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1179431
This update for aaa_base fixes the following issue:
- Avoid semicolon within (t)csh login script on S/390. (bsc#1179431)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3720-1
Released: Wed Dec 9 13:36:26 2020
Summary: Security update for openssl-1_1
Type: security
Severity: important
References: 1179491,CVE-2020-1971
This update for openssl-1_1 fixes the following issues:
- CVE-2020-1971: Fixed a null pointer dereference in EDIPARTYNAME (bsc#1179491).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3723-1
Released: Wed Dec 9 13:37:55 2020
Summary: Security update for python-urllib3
Type: security
Severity: moderate
References: 1177120,CVE-2020-26137
This update for python-urllib3 fixes the following issues:
- CVE-2020-26137: Fixed a CRLF injection via HTTP request method (bsc#1177120).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3733-1
Released: Wed Dec 9 18:18:35 2020
Summary: Security update for curl
Type: security
Severity: moderate
References: 1179398,1179399,1179593,CVE-2020-8284,CVE-2020-8285,CVE-2020-8286
This update for curl fixes the following issues:
- CVE-2020-8286: Fixed improper OSCP verification in the client side (bsc#1179593).
- CVE-2020-8285: Fixed a stack overflow due to FTP wildcard (bsc#1179399).
- CVE-2020-8284: Fixed an issue where a malicius FTP server could make curl connect to a different IP (bsc#1179398).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3749-1
Released: Thu Dec 10 14:39:28 2020
Summary: Security update for gcc7
Type: security
Severity: moderate
References: 1150164,1161913,1167939,1172798,1178577,1178614,1178624,1178675,CVE-2020-13844
This update for gcc7 fixes the following issues:
- CVE-2020-13844: Added mitigation for aarch64 Straight Line Speculation issue (bsc#1172798)
- Enable fortran for the nvptx offload compiler.
- Update README.First-for.SuSE.packagers
- avoid assembler errors with AVX512 gather and scatter instructions when using -masm=intel.
- Backport the aarch64 -moutline-atomics feature and accumulated fixes but not its
default enabling. [jsc#SLE-12209, bsc#1167939]
- Fixed 32bit libgnat.so link. [bsc#1178675]
- Fixed memcpy miscompilation on aarch64. [bsc#1178624, bsc#1178577]
- Fixed debug line info for try/catch. [bsc#1178614]
- Remove -mbranch-protection=standard (aarch64 flag) when gcc7 is used to build gcc7 (ie when ada is enabled)
- Fixed corruption of pass private ->aux via DF. [gcc#94148]
- Fixed debug information issue with inlined functions and passed by reference arguments. [gcc#93888]
- Fixed binutils release date detection issue.
- Fixed register allocation issue with exception handling code on s390x. [bsc#1161913]
- Fixed miscompilation of some atomic code on aarch64. [bsc#1150164]
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3792-1
Released: Mon Dec 14 17:39:24 2020
Summary: Recommended update for gzip
Type: recommended
Severity: moderate
References: 1145276
This update for gzip fixes the following issues:
Update from version 1.9 to version 1.10 (jsc#ECO-2217, jsc#SLE-12974)
- Enable `DFLTCC` (Deflate Conversion Call) compression for s390x for levels 1-6 to `CFLAGS`. (jsc#SLE-13775)
Enable by adding `-DDFLTCC_LEVEL_MASK=0x7e` to `CFLAGS`.
- Fix three data corruption issues. (bsc#1145276, jsc#SLE-5818, jsc#SLE-8914)
- Add support for `DFLTCC` (hardware-accelerated deflation) for s390x arch. (jsc#SLE-5818, jsc#SLE-8914)
Enable it using the `--enable-dfltcc` option.
- Compressed gzip output no longer contains the current time as a timestamp when the input is not a regular file.
Instead, the output contains a `null` (zero) timestamp. This makes gzip's behavior more reproducible when
used as part of a pipeline.
- A use of uninitialized memory on some malformed inputs has been fixed.
- A few theoretical race conditions in signal handlers have been fixed.
- Update gnulib for `libio.h` removal.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3853-1
Released: Wed Dec 16 12:27:27 2020
Summary: Recommended update for util-linux
Type: recommended
Severity: moderate
References: 1084671,1169006,1174942,1175514,1175623,1178554,1178825
This update for util-linux fixes the following issue:
- Do not trigger the automatic close of CDROM. (bsc#1084671)
- Try to automatically configure broken serial lines. (bsc#1175514)
- Avoid `sulogin` failing on not existing or not functional console devices. (bsc#1175514)
- Build with `libudev` support to support non-root users. (bsc#1169006)
- Avoid memory errors on PowerPC systems with valid hardware configurations. (bsc#1175623, bsc#1178554, bsc#1178825)
- Fix warning on mounts to `CIFS` with mount –a. (bsc#1174942)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3921-1
Released: Tue Dec 22 15:19:17 2020
Summary: Recommended update for libpwquality
Type: recommended
Severity: low
References:
This update for libpwquality fixes the following issues:
- Implement alignment with 'pam_cracklib'. (jsc#SLE-16720)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3930-1
Released: Wed Dec 23 18:19:39 2020
Summary: Security update for python3
Type: security
Severity: important
References: 1155094,1174091,1174571,1174701,1177211,1178009,1179193,1179630,CVE-2019-16935,CVE-2019-18348,CVE-2019-20907,CVE-2019-5010,CVE-2020-14422,CVE-2020-26116,CVE-2020-27619,CVE-2020-8492
This update for python3 fixes the following issues:
- Fixed CVE-2020-27619 (bsc#1178009), where Lib/test/multibytecodec_support
calls eval() on content retrieved via HTTP.
- Change setuptools and pip version numbers according to new wheels
- Handful of changes to make python36 compatible with SLE15 and SLE12
(jsc#ECO-2799, jsc#SLE-13738)
- add triplets for mips-r6 and riscv
- RISC-V needs CTYPES_PASS_BY_REF_HACK
Update to 3.6.12 (bsc#1179193)
* Ensure python3.dll is loaded from correct locations when Python is embedded
* The __hash__() methods of ipaddress.IPv4Interface and ipaddress.IPv6Interface
incorrectly generated constant hash values of 32 and 128 respectively. This
resulted in always causing hash collisions. The fix uses hash() to generate
hash values for the tuple of (address, mask length, network address).
* Prevent http header injection by rejecting control characters in
http.client.putrequest(…).
* Unpickling invalid NEWOBJ_EX opcode with the C implementation raises now
UnpicklingError instead of crashing.
* Avoid infinite loop when reading specially crafted TAR files using the tarfile
module
- This release also fixes CVE-2020-26116 (bsc#1177211) and CVE-2019-20907 (bsc#1174091).
Update to 3.6.11:
- Disallow CR or LF in email.headerregistry. Address
arguments to guard against header injection attacks.
- Disallow control characters in hostnames in http.client, addressing
CVE-2019-18348. Such potentially malicious header injection URLs now
cause a InvalidURL to be raised. (bsc#1155094)
- CVE-2020-8492: The AbstractBasicAuthHandler class
of the urllib.request module uses an inefficient regular
expression which can be exploited by an attacker to cause
a denial of service. Fix the regex to prevent the
catastrophic backtracking. Vulnerability reported by Ben
Caller and Matt Schwager.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3942-1
Released: Tue Dec 29 12:22:01 2020
Summary: Recommended update for libidn2
Type: recommended
Severity: moderate
References: 1180138
This update for libidn2 fixes the following issues:
- The library is actually dual licensed, GPL-2.0-or-later or LGPL-3.0-or-later,
adjusted the RPM license tags (bsc#1180138)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3943-1
Released: Tue Dec 29 12:24:45 2020
Summary: Recommended update for libxml2
Type: recommended
Severity: moderate
References: 1178823
This update for libxml2 fixes the following issues:
Avoid quadratic checking of identity-constraints, speeding up XML validation (bsc#1178823)
* key/unique/keyref schema attributes currently use quadratic loops
to check their various constraints (that keys are unique and that
keyrefs refer to existing keys).
* This fix uses a hash table to avoid the quadratic behaviour.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3946-1
Released: Tue Dec 29 17:39:54 2020
Summary: Recommended update for python3
Type: recommended
Severity: important
References: 1180377
This update for python3 fixes the following issues:
- A previous update inadvertently removed the 'PyFPE_jbuf' symbol from Python3,
which caused regressions in several applications. (bsc#1180377)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:24-1
Released: Tue Jan 5 11:02:26 2021
Summary: Security update for ceph
Type: security
Severity: moderate
References: 1169134,1170487,1172546,1174591,1175061,1175240,1175585,1175781,1177843,1178837,1179139,1179452,1179802,1180118,1180155,CVE-2020-25660,CVE-2020-27781
This update for ceph fixes the following issues:
- CVE-2020-25660: Bring back CEPHX_V2 authorizer challenges (bsc#1177843).
- CVE-2020-27781: Fixed a privilege escalation via the ceph_volume_client Python interface (bsc#1179802 bsc#1180155).
- Fixes an issue when check in legacy collection reaches end. (bsc#1179139)
- Fixes an issue when storage service stops. (bsc#1178837)
- Fix for failing test run due to missing module 'six'. (bsc#1179452)
- Documented Prometheus' security model (bsc#1169134)
- monclient: Fixed an issue where executing several ceph commands in a short amount of time led to a segmentation fault (bsc#1170487)
- Fixed an issue, where it was not possible to edit an iSCSI logged-in client (bsc#1174591)
- Fixed an issue, where OSDs could not get started after they failed (bsc#1175061)
- Fixed an issue with the restful module, where it aborted on execution for POST calls (bsc#1175240)
- Fixed a many-to-many issue in host-details Grafana dashboard (bsc#1175585)
- Fixed collection_list ordering in os/bluestore (bsc#1172546)
- Fixed help output of lvmcache (bsc#1175781)
- Provide a different name for the fallback allocator in bluestore. (bsc#1180118)
More information about the sle-security-updates
mailing list