SUSE-CU-2024:1275-1: Security update of suse/sle-micro/5.1/toolbox
sle-container-updates at lists.suse.com
Thu Apr 4 07:06:14 UTC 2024
SUSE Container Update Advisory: suse/sle-micro/5.1/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:1275-1
Container Tags : suse/sle-micro/5.1/toolbox:13.2 , suse/sle-micro/5.1/toolbox:13.2-3.8.1 , suse/sle-micro/5.1/toolbox:latest
Container Release : 3.8.1
Severity : critical
Type : security
References : 1013125 1044232 1105435 1107342 1114407 1119496 1124223 1125410
1126377 1131060 1131686 1138731 1138731 1154247 1154871 1157960
1158095 1166334 1168699 1170347 1170347 1173474 1173475 1174673
1174713 1176759 1177864 1180064 1180065 1181994 1186791 1186827
1187993 1188006 1189608 1190858 1194845 1196494 1196495 1197293
1198504 1199079 1199915 1200441 1200441 1202868 1204397 1204690
1204706 1206134 1206212 1206346 1206346 1206346 1206622 1208270
1208271 1208272 1209030 1211188 1211190 1211886 1212475 1212475
1212475 1212475 1212475 1212475 1212475 1212475 1214248 1215434
1215496 1215698 1216410 1217000 1217215 1218126 1218186 1218209
1218232 1218475 1218571 1218782 1218831 1219123 1219123 1219189
1219189 1219238 1219243 1219442 1219576 1220770 1220771 1221218
CVE-2018-1000654 CVE-2019-14889 CVE-2019-3880 CVE-2020-16135
CVE-2020-1730 CVE-2020-29361 CVE-2020-29362 CVE-2021-3634 CVE-2021-46848
CVE-2022-41720 CVE-2022-41723 CVE-2022-41724 CVE-2022-41725 CVE-2023-1667
CVE-2023-2283 CVE-2023-24532 CVE-2023-48795 CVE-2023-6004 CVE-2023-6918
CVE-2023-7207 CVE-2024-0727 CVE-2024-22365 CVE-2024-25062 CVE-2024-26458
CVE-2024-26461
-----------------------------------------------------------------
The container suse/sle-micro/5.1/toolbox was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:82-1
Released: Fri Jan 11 17:16:48 2019
Summary: Recommended update for suse-build-key
Type: recommended
Severity: moderate
References: 1044232
This update for suse-build-key fixes the following issues:
- Include the SUSE PTF GPG key in the key directory to avoid it being
stripped via %doc stripping in CAASP. (bsc#1044232)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:207-1
Released: Tue Jan 29 20:20:24 2019
Summary: Recommended update for container-suseconnect
Type: recommended
Severity: moderate
References: 1119496
This update for container-suseconnect fixes the following issues:
container-suseconnect was updated to 2.0.0 (bsc#1119496):
- Added command line interface
- Added `ADDITIONAL_MODULES` capability to enable further extension modules during image build and run
- Added documentation about how to build docker images on non-SLE distributions
- Improve documentation to clarify how container-suseconnect works in a Dockerfile
- Improve error handling on non-SLE hosts
- Fix bug which makes container-suseconnect work on SLE15 based distributions
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1040-1
Released: Thu Apr 25 17:09:21 2019
Summary: Security update for samba
Type: security
Severity: important
References: 1114407,1124223,1125410,1126377,1131060,1131686,CVE-2019-3880
This update for samba fixes the following issues:
Security issue fixed:
- CVE-2019-3880: Fixed a path/symlink traversal vulnerability, which allowed an unprivileged user to save registry files outside a share (bsc#1131060).
ldb was updated to version 1.2.4 (bsc#1125410 bsc#1131686):
- Out of bound read in ldb_wildcard_compare
- Hold at most 10 outstanding paged result cookies
- Put 'results_store' into a doubly linked list
- Refuse to build Samba against a newer minor version of ldb
Non-security issues fixed:
- Fixed update-apparmor-samba-profile script after apparmor switched to using named profiles (bsc#1126377).
- Abide to the load_printers parameter in smb.conf (bsc#1124223).
- Provide the 32bit samba winbind PAM module and its dependent 32bit libraries.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1372-1
Released: Tue May 28 16:53:28 2019
Summary: Security update for libtasn1
Type: security
Severity: moderate
References: 1105435,CVE-2018-1000654
This update for libtasn1 fixes the following issues:
Security issue fixed:
- CVE-2018-1000654: Fixed a denial of service in the asn1 parser (bsc#1105435).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2095-1
Released: Fri Aug 9 06:56:48 2019
Summary: Recommended update for container-suseconnect
Type: recommended
Severity: moderate
References: 1138731
This update for container-suseconnect fixes the following issues:
container-suseconnect was updated to 2.1.0 (bsc#1138731), fixing interaction with SCC behind a proxy and SMT.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3240-1
Released: Tue Dec 10 10:40:19 2019
Summary: Recommended update for ca-certificates-mozilla, p11-kit
Type: recommended
Severity: moderate
References: 1154871
This update for ca-certificates-mozilla, p11-kit fixes the following issues:
Changes in ca-certificates-mozilla:
- export correct p11kit trust attributes so Firefox detects built-in
certificates (bsc#1154871).
Changes in p11-kit:
- support loading NSS attribute CKA_NSS_MOZILLA_CA_POLICY so Firefox
detects built-in certificates (bsc#1154871)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:122-1
Released: Fri Jan 17 10:56:07 2020
Summary: Recommended update for container-suseconnect
Type: recommended
Severity: moderate
References: 1138731,1154247,1157960
This update for container-suseconnect fixes the following issues:
- Fix usage with RMT and SMT. (bsc#1157960)
- Parse the /etc/products.d/*.prod files.
- Fix function comments based on best practices from Effective Go. (bsc#1138731)
- Implement interacting with SCC behind proxy and SMT. (bsc#1154247)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:279-1
Released: Fri Jan 31 12:01:39 2020
Summary: Recommended update for p11-kit
Type: recommended
Severity: moderate
References: 1013125
This update for p11-kit fixes the following issues:
- Also build documentation (bsc#1013125)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:690-1
Released: Fri Mar 13 17:09:28 2020
Summary: Recommended update for suse-build-key
Type: recommended
Severity: moderate
References: 1166334
This update for suse-build-key fixes the following issues:
- created a new security at suse.de communication key (bsc#1166334)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1112-1
Released: Fri Apr 24 16:44:20 2020
Summary: Recommended update for suse-build-key
Type: recommended
Severity: moderate
References: 1170347
This update for suse-build-key fixes the following issues:
- add a /usr/share/container-keys/ directory for GPG based Container
verification.
- Add the SUSE build key as 'suse-container-key.asc'. (PM-1845 bsc#1170347)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2126-1
Released: Wed Aug 5 09:26:46 2020
Summary: Recommended update for cloud-regionsrv-client
Type: recommended
Severity: moderate
References: 1173474,1173475
This update for cloud-regionsrv-client fixes the following issues:
- Introduce containerbuild-regionsrv service to allow container building tools to access
required data for accessing Public Cloud RMTs (bsc#1173474, bsc#1173475)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2148-1
Released: Thu Aug 6 13:36:17 2020
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: important
References: 1174673
This update for ca-certificates-mozilla fixes the following issues:
Update to 2.42 state of the Mozilla NSS Certificate store (bsc#1174673)
Removed CAs:
* AddTrust External CA Root
* AddTrust Class 1 CA Root
* LuxTrust Global Root 2
* Staat der Nederlanden Root CA - G2
* Symantec Class 1 Public Primary Certification Authority - G4
* Symantec Class 2 Public Primary Certification Authority - G4
* VeriSign Class 3 Public Primary Certification Authority - G3
Added CAs:
* certSIGN Root CA G2
* e-Szigno Root CA 2017
* Microsoft ECC Root Certificate Authority 2017
* Microsoft RSA Root Certificate Authority 2017
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2825-1
Released: Fri Oct 2 08:44:28 2020
Summary: Recommended update for suse-build-key
Type: recommended
Severity: moderate
References: 1170347,1176759
This update for suse-build-key fixes the following issues:
- The SUSE Notary Container key is different from the build signing
key, include this key instead as suse-container-key. (PM-1845 bsc#1170347)
- The SUSE build key for SUSE Linux Enterprise 12 and 15 is extended by 4 more years. (bsc#1176759)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3157-1
Released: Wed Nov 4 15:37:05 2020
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1177864
This update for ca-certificates-mozilla fixes the following issues:
The SSL Root CA store was updated to the 2.44 state of the Mozilla NSS Certificate store (bsc#1177864)
- Removed CAs:
- EE Certification Centre Root CA
- Taiwan GRCA
- Added CAs:
- Trustwave Global Certification Authority
- Trustwave Global ECC P256 Certification Authority
- Trustwave Global ECC P384 Certification Authority
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:1988-1
Released: Wed Jun 16 15:31:57 2021
Summary: Optional update for skelcd
Type: optional
Severity: low
References:
This update for skelcd fixes the following issues:
- add Czech EULA translation (jsc#SLE-17925)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2191-1
Released: Mon Jun 28 18:38:12 2021
Summary: Recommended update for patterns-microos
Type: recommended
Severity: moderate
References: 1186791
This update for patterns-microos provides the following fix:
- Add zypper-migration-plugin to the default pattern. (bsc#1186791)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3274-1
Released: Fri Oct 1 10:34:17 2021
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: important
References: 1190858
This update for ca-certificates-mozilla fixes the following issues:
- remove one of the Letsencrypt CAs DST_Root_CA_X3.pem, as it expires
September 30th 2021 and openssl certificate chain handling does not
handle this correctly in openssl 1.0.2 and older.
(bsc#1190858)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3382-1
Released: Tue Oct 12 14:30:17 2021
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References:
This update for ca-certificates-mozilla fixes the following issues:
- A new sub-package for minimal base containers (jsc#SLE-22162)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:4154-1
Released: Wed Dec 22 11:02:38 2021
Summary: Security update for p11-kit
Type: security
Severity: important
References: 1180064,1187993,CVE-2020-29361
This update for p11-kit fixes the following issues:
- CVE-2020-29361: Fixed multiple integer overflows in rpc code (bsc#1180064)
- Add support for CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER (bsc#1187993).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:71-1
Released: Thu Jan 13 15:37:28 2022
Summary: Recommended update for container-suseconnect
Type: recommended
Severity: moderate
References:
This update for container-suseconnect is a rebuild against the updated
Go toolchain to ensure an up-to-date Go runtime.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:792-1
Released: Thu Mar 10 11:58:18 2022
Summary: Recommended update for suse-build-key
Type: recommended
Severity: moderate
References: 1194845,1196494,1196495
This update for suse-build-key fixes the following issues:
- The old SUSE PTF key was extended, but was also moved to suse_ptf_key_old.asc (as it is a DSA1024 key).
- Added a new SUSE PTF key with RSA2048 bit as suse_ptf_key.asc (bsc#1196494)
- Extended the expiry of SUSE Linux Enterprise 11 key (bsc#1194845)
- Added SUSE Container signing key in PEM format for use e.g. by cosign.
- The SUSE security key was replaced with 2022 edition (E-Mail usage only). (bsc#1196495)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1150-1
Released: Mon Apr 11 17:34:19 2022
Summary: Recommended update for suse-build-key
Type: recommended
Severity: moderate
References: 1197293
This update for suse-build-key fixes the following issues:
No longer install 1024bit keys by default. (bsc#1197293)
- The SLE11 key has been moved to documentation directory, and is obsoleted / removed by the package.
- The old PTF (pre March 2022) key moved to documentation directory.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1843-1
Released: Wed May 25 15:25:44 2022
Summary: Recommended update for suse-build-key
Type: recommended
Severity: moderate
References: 1198504
This update for suse-build-key fixes the following issues:
- still ship the old ptf key in the documentation directory (bsc#1198504)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2332-1
Released: Thu Jul 7 22:54:56 2022
Summary: Recommended update for dracut
Type: recommended
Severity: low
References: 1199915
This update for skelcd fixes the following issues:
- Ship skelcd-EULA-bci to SLE-Module-Development-Tools-OBS_15-SP3 (bsc#1199915)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2405-1
Released: Fri Jul 15 11:47:57 2022
Summary: Security update for p11-kit
Type: security
Severity: moderate
References: 1180065,CVE-2020-29362
This update for p11-kit fixes the following issues:
- CVE-2020-29362: Fixed a 4 byte overread in p11_rpc_buffer_get_byte_array which could lead to crashes (bsc#1180065)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3395-1
Released: Mon Sep 26 16:35:18 2022
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1181994,1188006,1199079,1202868
This update for ca-certificates-mozilla fixes the following issues:
Updated to 2.56 state of Mozilla SSL root CAs (bsc#1202868)
- Added:
- Certainly Root E1
- Certainly Root R1
- DigiCert SMIME ECC P384 Root G5
- DigiCert SMIME RSA4096 Root G5
- DigiCert TLS ECC P384 Root G5
- DigiCert TLS RSA4096 Root G5
- E-Tugra Global Root CA ECC v3
- E-Tugra Global Root CA RSA v3
- Removed:
- Hellenic Academic and Research Institutions RootCA 2011
Updated to 2.54 state of Mozilla SSL root CAs (bsc#1199079)
- Added:
- Autoridad de Certificacion Firmaprofesional CIF A62634068
- D-TRUST BR Root CA 1 2020
- D-TRUST EV Root CA 1 2020
- GlobalSign ECC Root CA R4
- GTS Root R1
- GTS Root R2
- GTS Root R3
- GTS Root R4
- HiPKI Root CA - G1
- ISRG Root X2
- Telia Root CA v2
- vTrus ECC Root CA
- vTrus Root CA
- Removed:
- Cybertrust Global Root
- DST Root CA X3
- DigiNotar PKIoverheid CA Organisatie - G2
- GlobalSign ECC Root CA R4
- GlobalSign Root CA R2
- GTS Root R1
- GTS Root R2
- GTS Root R3
- GTS Root R4
Updated to 2.50 state of the Mozilla NSS Certificate store (bsc#1188006)
- Added:
- HARICA Client ECC Root CA 2021
- HARICA Client RSA Root CA 2021
- HARICA TLS ECC Root CA 2021
- HARICA TLS RSA Root CA 2021
- TunTrust Root CA
Updated to 2.46 state of the Mozilla NSS Certificate store (bsc#1181994)
- Added new root CAs:
- NAVER Global Root Certification Authority
- Removed old root CAs:
- GeoTrust Global CA
- GeoTrust Primary Certification Authority
- GeoTrust Primary Certification Authority - G3
- GeoTrust Universal CA
- GeoTrust Universal CA 2
- thawte Primary Root CA
- thawte Primary Root CA - G2
- thawte Primary Root CA - G3
- VeriSign Class 3 Public Primary Certification Authority - G4
- VeriSign Class 3 Public Primary Certification Authority - G5
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3781-1
Released: Wed Oct 26 17:50:44 2022
Summary: Security update for container-suseconnect
Type: security
Severity: moderate
References: 1204397
This update of container-suseconnect is a rebuild of the previous sources against the current security-updated go compiler.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3784-1
Released: Wed Oct 26 18:03:28 2022
Summary: Security update for libtasn1
Type: security
Severity: critical
References: 1204690,CVE-2021-46848
This update for libtasn1 fixes the following issues:
- CVE-2021-46848: Fixed off-by-one array size check that affects asn1_encode_simple_der (bsc#1204690)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:4412-1
Released: Tue Dec 13 04:47:03 2022
Summary: Recommended update for suse-build-key
Type: recommended
Severity: moderate
References: 1204706
This update for suse-build-key fixes the following issues:
- added /usr/share/pki/containers directory for container pem keys
(cosign/sigstore style), put the SUSE Container signing PEM key there too (bsc#1204706)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:4448-1
Released: Tue Dec 13 10:16:48 2022
Summary: Initial shipment of package sles-ltss-release
Type: recommended
Severity: important
References:
This patch ships the sles-ltss-release package to SUSE Linux Enterprise Server 15 SP3 customers
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:4458-1
Released: Tue Dec 13 13:16:04 2022
Summary: Recommended update for container-suseconnect
Type: recommended
Severity: moderate
References: 1186827
This update for container-suseconnect fixes the following issues:
container-suseconnect was updated to 2.4.0 (jsc#PED-1710):
* Fix docker build example for non-SLE hosts
* Minor fixes to --help and README
* Improve documentation when building with podman on non-SLE host
* Add flag --log-credentials-errors
* Update capture to the 1.0.0 release
* Use URL.Redacted() to avoid security scanner warning
* Regcode fix
- strip binaries (removes 4MB/25% of the uncompressed size) (bsc#1186827)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:37-1
Released: Fri Jan 6 15:35:49 2023
Summary: Security update for ca-certificates-mozilla
Type: security
Severity: important
References: 1206212,1206622
This update for ca-certificates-mozilla fixes the following issues:
- Updated to 2.60 state of Mozilla SSL root CAs (bsc#1206622)
Removed CAs:
- Global Chambersign Root
- EC-ACC
- Network Solutions Certificate Authority
- Staat der Nederlanden EV Root CA
- SwissSign Platinum CA - G2
Added CAs:
- DIGITALSIGN GLOBAL ROOT ECDSA CA
- DIGITALSIGN GLOBAL ROOT RSA CA
- Security Communication ECC RootCA1
- Security Communication RootCA3
Changed trust:
- TrustCor certificates only trusted up to Nov 30 (bsc#1206212)
- Removed CAs (bsc#1206212) as most code does not handle 'valid before nov 30 2022'
and it is not clear how many certs were issued for SSL middleware by TrustCor:
- TrustCor RootCert CA-1
- TrustCor RootCert CA-2
- TrustCor ECA-1
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:713-1
Released: Mon Mar 13 10:25:04 2023
Summary: Recommended update for suse-build-key
Type: recommended
Severity: moderate
References:
This update for suse-build-key fixes the following issues:
This update provides multiple new 4096 RSA keys (for SUSE Linux Enterprise
15, SUSE Manager 4.2/4.3, Storage 7.1, SUSE Registry) that we will switch
to in mid-2023. (jsc#PED-2777)
- gpg-pubkey-3fa1d6ce-63c9481c.asc: new 4096 RSA signing key for SUSE Linux Enterprise (RPM and repositories).
- gpg-pubkey-d588dc46-63c939db.asc: new 4096 RSA reserve key for SUSE Linux Enterprise (RPM and repositories).
- suse_ptf_key_4096.asc: new 4096 RSA signing key for PTF packages.
- build-container-8fd6c337-63c94b45.asc/build-container-8fd6c337-63c94b45.pem:
New RSA 4096 key for the SUSE registry registry.suse.com, installed as
suse-container-key-2023.pem and suse-container-key-2023.asc
- suse_ptf_containerkey_2023.asc suse_ptf_containerkey_2023.pem:
New PTF container signing key for registry.suse.com/ptf/ space.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:871-1
Released: Wed Mar 22 14:32:45 2023
Summary: Security update for container-suseconnect
Type: security
Severity: important
References: 1200441,1206134,1208270,1208271,1208272,1209030,CVE-2022-41720,CVE-2022-41723,CVE-2022-41724,CVE-2022-41725,CVE-2023-24532
This update of container-suseconnect fixes the following issue:
- container-suseconnect was rebuilt against the current go1.19 release, fixing security issues and other bugs fixed in go1.19.7.
- CVE-2022-41723: Fixed quadratic complexity in HPACK decoding (bsc#1208270).
- CVE-2022-41724: Fixed panic with large handshake records in crypto/tls (bsc#1208271).
- CVE-2022-41725: Fixed denial of service from excessive resource consumption in net/http and mime/multipart (bsc#1208272).
- CVE-2023-24532: Fixed incorrect P-256 ScalarMult and ScalarBaseMult results (bsc#1209030).
- CVE-2022-41720: os, net/http: avoid escapes from os.DirFS and http.Dir on Windows (bsc#1206134).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:1851-1
Released: Fri Apr 14 15:08:38 2023
Summary: Security update for container-suseconnect
Type: security
Severity: important
References:
This update for container-suseconnect fixes the following issue:
- rebuilt against current go version.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2174-1
Released: Thu May 11 13:08:09 2023
Summary: Security update for container-suseconnect
Type: security
Severity: important
References: 1200441
This update of container-suseconnect fixes the following issues:
- rebuild the package with the go 19.9 secure release (bsc#1200441).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2600-1
Released: Wed Jun 21 15:24:36 2023
Summary: Security update for container-suseconnect
Type: security
Severity: important
References: 1206346
This update of container-suseconnect fixes the following issues:
- rebuild the package with the go 1.20 security release (bsc#1206346).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2923-1
Released: Thu Jul 20 19:34:50 2023
Summary: Security update for container-suseconnect
Type: security
Severity: important
References: 1206346
This update of container-suseconnect fixes the following issues:
- rebuild the package with the go 1.20 security release (bsc#1206346).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3264-1
Released: Thu Aug 10 16:05:20 2023
Summary: Security update for container-suseconnect
Type: security
Severity: important
References: 1206346
This update of container-suseconnect fixes the following issues:
- rebuild the package with the go 1.20 security release (bsc#1206346).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3454-1
Released: Mon Aug 28 13:43:18 2023
Summary: Security update for ca-certificates-mozilla
Type: security
Severity: important
References: 1214248
This update for ca-certificates-mozilla fixes the following issues:
- Updated to 2.62 state of Mozilla SSL root CAs (bsc#1214248)
Added:
- Atos TrustedRoot Root CA ECC G2 2020
- Atos TrustedRoot Root CA ECC TLS 2021
- Atos TrustedRoot Root CA RSA G2 2020
- Atos TrustedRoot Root CA RSA TLS 2021
- BJCA Global Root CA1
- BJCA Global Root CA2
- LAWtrust Root CA2 (4096)
- Sectigo Public Email Protection Root E46
- Sectigo Public Email Protection Root R46
- Sectigo Public Server Authentication Root E46
- Sectigo Public Server Authentication Root R46
- SSL.com Client ECC Root CA 2022
- SSL.com Client RSA Root CA 2022
- SSL.com TLS ECC Root CA 2022
- SSL.com TLS RSA Root CA 2022
Removed CAs:
- Chambers of Commerce Root
- E-Tugra Certification Authority
- E-Tugra Global Root CA ECC v3
- E-Tugra Global Root CA RSA v3
- Hongkong Post Root CA 1
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3539-1
Released: Tue Sep 5 16:41:09 2023
Summary: Security update for container-suseconnect
Type: security
Severity: important
References: 1212475
This update of container-suseconnect fixes the following issues:
- rebuild the package with the go 1.21 security release (bsc#1212475).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3834-1
Released: Wed Sep 27 19:18:33 2023
Summary: Security update for container-suseconnect
Type: security
Severity: important
References: 1212475
This update of container-suseconnect fixes the following issues:
- rebuild the package with the go 1.21 security release (bsc#1212475).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3843-1
Released: Wed Sep 27 20:18:06 2023
Summary: Recommended update for suse-build-key
Type: recommended
Severity: important
References:
This update for suse-build-key fixes the following issues:
This update adds and runs an import-suse-build-key script.
It is run after installation with libzypp based installers. (jsc#PED-2777)
It imports the future SUSE Linux Enterprise 15 4096 bit RSA key primary and reserve keys.
To manually import them you can also run:
# rpm --import /usr/lib/rpm/gnupg/keys/gpg-pubkey-3fa1d6ce-63c9481c.asc
# rpm --import /usr/lib/rpm/gnupg/keys/gpg-pubkey-d588dc46-63c939db.asc
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4125-1
Released: Thu Oct 19 09:34:58 2023
Summary: Security update for container-suseconnect
Type: security
Severity: important
References: 1212475
This update of container-suseconnect fixes the following issues:
- rebuild the package with the go 1.21 security release (bsc#1212475).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4309-1
Released: Tue Oct 31 14:09:03 2023
Summary: Security update for container-suseconnect
Type: security
Severity: important
References: 1212475
This update of container-suseconnect fixes the following issues:
- rebuild the package with the go 1.21 security release (bsc#1212475).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4511-1
Released: Tue Nov 21 16:43:08 2023
Summary: Security update for container-suseconnect
Type: security
Severity: important
References: 1212475
This update of container-suseconnect fixes the following issues:
- rebuild the package with the go 1.21 security release (bsc#1212475).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4672-1
Released: Wed Dec 6 14:37:37 2023
Summary: Security update for suse-build-key
Type: security
Severity: important
References: 1216410,1217215
This update for suse-build-key fixes the following issues:
This update runs an import-suse-build-key script.
The previous libzypp-post-script based installation is replaced
with a systemd timer and service (bsc#1217215 bsc#1216410 jsc#PED-2777).
- suse-build-key-import.service
- suse-build-key-import.timer
It imports the future SUSE Linux Enterprise 15 4096 bit RSA key primary and reserve keys.
After successful import the timer is disabled.
To manually import them you can also run:
# rpm --import /usr/lib/rpm/gnupg/keys/gpg-pubkey-3fa1d6ce-63c9481c.asc
# rpm --import /usr/lib/rpm/gnupg/keys/gpg-pubkey-d588dc46-63c939db.asc
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4807-1
Released: Wed Dec 13 18:07:37 2023
Summary: Security update for container-suseconnect
Type: security
Severity: important
References: 1212475
This update of container-suseconnect fixes the following issues:
- rebuild the package with the go 1.21 security release (bsc#1212475).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:62-1
Released: Mon Jan 8 11:44:47 2024
Summary: Recommended update for libxcrypt
Type: recommended
Severity: moderate
References: 1215496
This update for libxcrypt fixes the following issues:
- fix variable name for datamember [bsc#1215496]
- added patches to fix https://github.com/besser82/libxcrypt/commit/b212d601549a0fc84cbbcaf21b931f903787d7e2
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:136-1
Released: Thu Jan 18 09:53:47 2024
Summary: Security update for pam
Type: security
Severity: moderate
References: 1217000,1218475,CVE-2024-22365
This update for pam fixes the following issues:
- CVE-2024-22365: Fixed a local denial of service during PAM login
due to a missing check during path manipulation (bsc#1218475).
- Check localtime_r() return value to fix crashing (bsc#1217000)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:139-1
Released: Thu Jan 18 11:33:54 2024
Summary: Recommended update for go1.21
Type: recommended
Severity: moderate
References: 1212475
This update for go1.21 fixes the following issues:
go1.21.6 (released 2024-01-09) includes fixes to the compiler,
the runtime, and the crypto/tls, maps, and runtime/pprof
packages. (bsc#1212475)
* x/build,os/signal: TestDetectNohup and TestNohup fail on replacement darwin LUCI builders
* runtime: ReadMemStats fatal error: mappedReady and other memstats are not equal
* cmd/compile: linux/s390x: inlining bug in s390x
* maps: maps.Clone reference semantics when cloning a map with large value types
* runtime: excessive memory use between 1.21.0 -> 1.21.1
* cmd/compile: max/min builtin broken when used with string(byte) conversions
* runtime/pprof: incorrect function names for generics functions
* crypto: upgrade to BoringCrypto fips-20220613 and enable TLS 1.3
* runtime: race condition raised with parallel tests, panic(nil) and -race
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:322-1
Released: Fri Feb 2 15:13:26 2024
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1107342,1215434
This update for aaa_base fixes the following issues:
- Set JAVA_HOME correctly (bsc#1107342, bsc#1215434)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:444-1
Released: Fri Feb 9 16:39:32 2024
Summary: Security update for suse-build-key
Type: security
Severity: important
References: 1219123,1219189
This update for suse-build-key fixes the following issues:
This update runs an import-suse-build-key script.
The previous libzypp-post-script based installation is replaced
with a systemd timer and service (bsc#1217215 bsc#1216410 jsc#PED-2777).
- suse-build-key-import.service
- suse-build-key-import.timer
It imports the future SUSE Linux Enterprise 15 4096 bit RSA key primary and reserve keys.
After successful import the timer is disabled.
To manually import them you can also run:
# rpm --import /usr/lib/rpm/gnupg/keys/gpg-pubkey-3fa1d6ce-63c9481c.asc
# rpm --import /usr/lib/rpm/gnupg/keys/gpg-pubkey-d588dc46-63c939db.asc
Bugfix added since last update:
- run rpm commands in the import script only when libzypp is not
active. (bsc#1219189 bsc#1219123)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:461-1
Released: Tue Feb 13 15:30:06 2024
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1219576,CVE-2024-25062
This update for libxml2 fixes the following issues:
- CVE-2024-25062: Fixed use-after-free in XMLReader (bsc#1219576).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:475-1
Released: Wed Feb 14 19:08:44 2024
Summary: Recommended update for libsolv
Type: recommended
Severity: important
References: 1215698,1218782,1218831,1219442
This update for libsolv, libzypp fixes the following issues:
- build for multiple python versions [jsc#PED-6218]
- applydeltarpm: Create target directory if it does not exist (bsc#1219442)
- Fix problems with EINTR in ExternalDataSource::getline (bsc#1215698)
- CheckAccessDeleted: fix running_in_container detection (bsc#1218782)
- Detect CURLOPT_REDIR_PROTOCOLS_STR availability at runtime (bsc#1218831)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:525-1
Released: Mon Feb 19 08:03:59 2024
Summary: Security update for libssh
Type: security
Severity: important
References: 1158095,1168699,1174713,1189608,1211188,1211190,1218126,1218186,1218209,CVE-2019-14889,CVE-2020-16135,CVE-2020-1730,CVE-2021-3634,CVE-2023-1667,CVE-2023-2283,CVE-2023-48795,CVE-2023-6004,CVE-2023-6918
This update for libssh fixes the following issues:
Update to version 0.9.8 (jsc#PED-7719):
* Fix CVE-2023-6004: Command injection using proxycommand (bsc#1218209)
* Fix CVE-2023-48795: Potential downgrade attack using strict kex (bsc#1218126)
* Fix CVE-2023-6918: Missing checks for return values of MD functions (bsc#1218186)
* Allow @ in usernames when parsing from URI composes
Update to version 0.9.7:
* Fix CVE-2023-1667: a NULL dereference during rekeying with algorithm
guessing (bsc#1211188)
* Fix CVE-2023-2283: a possible authorization bypass in
pki_verify_data_signature under low-memory conditions (bsc#1211190)
* Fix several memory leaks in GSSAPI handling code
Update to version 0.9.6 (bsc#1189608, CVE-2021-3634):
* Fix CVE-2021-3634: heap-buffer overflow when a key re-exchange switches to a key exchange method with a different hash size
* https://git.libssh.org/projects/libssh.git/tag/?h=libssh-0.9.6
Update to 0.9.5 (bsc#1174713, CVE-2020-16135):
* CVE-2020-16135: Avoid null pointer dereference in sftpserver (T232)
* Improve handling of library initialization (T222)
* Fix parsing of subsecond times in SFTP (T219)
* Make the documentation reproducible
* Remove deprecated API usage in OpenSSL
* Fix regression of ssh_channel_poll_timeout() returning SSH_AGAIN
* Define version in one place (T226)
* Prevent invalid free when using different C runtimes than OpenSSL (T229)
* Compatibility improvements to testsuite
Update to version 0.9.4
* https://www.libssh.org/2020/04/09/libssh-0-9-4-and-libssh-0-8-9-security-release/
* Fix possible Denial of Service attack when using AES-CTR-ciphers
CVE-2020-1730 (bsc#1168699)
Update to version 0.9.3
* Fixed CVE-2019-14889 - SCP: Unsanitized location leads to command execution (bsc#1158095)
* SSH-01-003 Client: Missing NULL check leads to crash in erroneous state
* SSH-01-006 General: Various unchecked Null-derefs cause DOS
* SSH-01-007 PKI Gcrypt: Potential UAF/double free with RSA pubkeys
* SSH-01-010 SSH: Deprecated hash function in fingerprinting
* SSH-01-013 Conf-Parsing: Recursive wildcards in hostnames lead to DOS
* SSH-01-014 Conf-Parsing: Integer underflow leads to OOB array access
* SSH-01-001 State Machine: Initial machine states should be set explicitly
* SSH-01-002 Kex: Differently bound macros used to iterate same array
* SSH-01-005 Code-Quality: Integer sign confusion during assignments
* SSH-01-008 SCP: Protocol Injection via unescaped File Names
* SSH-01-009 SSH: Update documentation which RFCs are implemented
* SSH-01-012 PKI: Information leak via uninitialized stack buffer
Update to version 0.9.2
* Fixed libssh-config.cmake
* Fixed issues with rsa algorithm negotiation (T191)
* Fixed detection of OpenSSL ed25519 support (T197)
Update to version 0.9.1
* Added support for Ed25519 via OpenSSL
* Added support for X25519 via OpenSSL
* Added support for localuser in Match keyword
* Fixed Match keyword to be case sensitive
* Fixed compilation with LibreSSL
* Fixed error report of channel open (T75)
* Fixed sftp documentation (T137)
* Fixed known_hosts parsing (T156)
* Fixed build issue with MinGW (T157)
* Fixed build with gcc 9 (T164)
* Fixed deprecation issues (T165)
* Fixed known_hosts directory creation (T166)
- Split the configuration out into a separate package so that it does not
interfere with the library packaging and co-installation
Update to version 0.9.0
* Added support for AES-GCM
* Added improved rekeying support
* Added performance improvements
* Disabled blowfish support by default
* Fixed several ssh config parsing issues
* Added support for DH Group Exchange KEX
* Added support for Encrypt-then-MAC mode
* Added support for parsing server side configuration file
* Added support for ECDSA/Ed25519 certificates
* Added FIPS 140-2 compatibility
* Improved known_hosts parsing
* Improved documentation
* Improved OpenSSL API usage for KEX, DH, and signatures
- Add libssh client and server config files
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:615-1
Released: Mon Feb 26 11:32:32 2024
Summary: Recommended update for netcfg
Type: recommended
Severity: moderate
References: 1211886
This update for netcfg fixes the following issues:
- Add krb-prop entry (bsc#1211886)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:725-1
Released: Thu Feb 29 11:03:34 2024
Summary: Recommended update for suse-build-key
Type: recommended
Severity: moderate
References: 1219123,1219189
This update for suse-build-key fixes the following issues:
- Switch the container key to RSA 4096-bit by default (jsc#PED-2777)
- Run the import script also in the %posttrans section, but only when
libzypp is not active (bsc#1219189 bsc#1219123)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:734-1
Released: Thu Feb 29 13:16:38 2024
Summary: Recommended update for go1.21
Type: recommended
Severity: moderate
References: 1212475
This update for go1.21 fixes the following issues:
go1.21.7 (released 2024-02-06) includes fixes to the compiler,
the go command, the runtime, and the crypto/x509 package.
(bsc#1212475 go1.21 release tracking)
* go#63209 runtime: 'fatal: morestack on g0' on amd64 after upgrade to Go 1.21
* go#63768 runtime: pinner.Pin doesn't panic when it says it will
* go#64497 cmd/go: flag modcacherw does not take effect in the target package
* go#64761 staticlockranking builders failing on release branches on LUCI
* go#64935 runtime: 'traceback: unexpected SPWRITE function runtime.systemstack'
* go#65023 x/tools/go/analysis/unitchecker,slices: TestVetStdlib failing due to vet errors in panic tests
* go#65053 cmd/compile: //go:build file version ignored when calling generic fn which has related type params
* go#65323 crypto: rollback BoringCrypto fips-20220613 update
* go#65351 cmd/go: go generate fails silently when run on a package in a nested workspace module
* go#65380 crypto/x509: TestIssue51759 consistently failing on gotip-darwin-amd64_10.15 LUCI builder
* go#65449 runtime/trace: frame pointer unwinding crash on arm64 during async preemption
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:792-1
Released: Thu Mar 7 09:55:23 2024
Summary: Recommended update for timezone
Type: recommended
Severity: moderate
References:
This update for timezone fixes the following issues:
- Update to version 2024a
- Kazakhstan unifies on UTC+5
- Palestine springs forward a week later than previously predicted in 2024 and 2025
- Asia/Ho_Chi_Minh's 1955-07-01 transition occurred at 01:00 not 00:00
- From 1947 through 1949, Toronto's transitions occurred at 02:00 not 00:00
- In 1911 Miquelon adopted standard time on June 15, not May 15
- The FROM and TO columns of Rule lines can no longer be 'minimum'
- localtime no longer mishandles some timestamps
- strftime %s now uses tm_gmtoff if available
- Ittoqqortoormiit, Greenland changes time zones on 2024-03-31
- Vostok, Antarctica changed time zones on 2023-12-18
- Casey, Antarctica changed time zones five times since 2020
- Code and data fixes for Palestine timestamps starting in 2072
- A new data file zonenow.tab for timestamps starting now
- Much of Greenland changed its standard time from -03 to -02 on 2023-03-25
- localtime.c no longer mishandles TZif files that contain a single transition into a DST regime
- tzselect no longer creates temporary files
- tzselect no longer mishandles the following:
* Spaces and most other special characters in BUGEMAIL, PACKAGE, TZDIR, and VERSION.
* TZ strings when using mawk 1.4.3, which mishandles regular expressions of the form /X{2,}/
* ISO 6709 coordinates when using an awk that lacks the GNU extension of newlines in -v option-arguments
* Non UTF-8 locales when using an iconv command that lacks the GNU //TRANSLIT extension
- zic no longer mishandles data for Palestine after the year 2075
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:824-1
Released: Fri Mar 8 17:34:36 2024
Summary: Security update for cpio
Type: security
Severity: moderate
References: 1218571,1219238,CVE-2023-7207
This update for cpio fixes the following issues:
- CVE-2023-7207: Fixed path traversal vulnerability (bsc#1218571, bsc#1219238)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:832-1
Released: Mon Mar 11 10:30:30 2024
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1219243,CVE-2024-0727
This update for openssl-1_1 fixes the following issues:
- CVE-2024-0727: Denial of service when processing a maliciously formatted PKCS12 file (bsc#1219243).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:861-1
Released: Wed Mar 13 09:12:30 2024
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1218232
This update for aaa_base fixes the following issues:
- Silence the output in the case of broken symlinks (bsc#1218232)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:1001-1
Released: Wed Mar 27 01:48:30 2024
Summary: Security update for krb5
Type: security
Severity: important
References: 1220770,1220771,CVE-2024-26458,CVE-2024-26461
This update for krb5 fixes the following issues:
- CVE-2024-26458: Fixed memory leak at /krb5/src/lib/rpc/pmap_rmt.c (bsc#1220770).
- CVE-2024-26461: Fixed memory leak at /krb5/src/lib/gssapi/krb5/k5sealv3.c (bsc#1220771).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:1015-1
Released: Thu Mar 28 06:08:11 2024
Summary: Recommended update for sed
Type: recommended
Severity: important
References: 1221218
This update for sed fixes the following issues:
- 'sed -i' now creates temporary files with correct umask (bsc#1221218)
The following package changes have been done:
- aaa_base-84.87+git20180409.04c9dae-150300.10.12.1 updated
- ca-certificates-mozilla-2.62-150200.30.1 added
- ca-certificates-2+git20210309.21162a6-2.1 added
- container-suseconnect-2.4.0-150000.4.50.2 added
- cpio-2.12-150000.3.12.1 updated
- curl-7.66.0-150200.4.66.1 added
- glibc-2.31-150300.68.1 updated
- krb5-1.19.2-150300.16.1 updated
- kubic-locale-archive-2.31-10.36 added
- libblkid1-2.36.2-150300.4.38.1 updated
- libcrypt1-4.4.15-150300.4.7.1 updated
- libfdisk1-2.36.2-150300.4.38.1 updated
- libmount1-2.36.2-150300.4.38.1 updated
- libopenssl1_1-hmac-1.1.1d-150200.11.85.1 updated
- libopenssl1_1-1.1.1d-150200.11.85.1 updated
- libp11-kit0-0.23.2-150000.4.16.1 added
- libsmartcols1-2.36.2-150300.4.38.1 updated
- libsolv-tools-0.7.28-150200.26.1 updated
- libssh-config-0.9.8-150200.13.3.1 added
- libssh4-0.9.8-150200.13.3.1 updated
- libtasn1-6-4.13-150000.4.8.1 added
- libtasn1-4.13-150000.4.8.1 added
- libuuid1-2.36.2-150300.4.38.1 updated
- libxml2-2-2.9.7-150000.3.66.1 updated
- libzypp-17.31.31-150200.87.1 updated
- netcfg-11.6-150000.3.6.1 added
- openssl-1_1-1.1.1d-150200.11.85.1 updated
- p11-kit-tools-0.23.2-150000.4.16.1 added
- p11-kit-0.23.2-150000.4.16.1 added
- pam-1.3.0-150000.6.66.1 updated
- sed-4.4-150300.13.3.1 updated
- skelcd-EULA-sles-2021.05.14-150300.4.8.1 added
- sles-ltss-release-15.3-150300.10.3.1 added
- suse-build-key-12.0-150000.8.43.1 added
- timezone-2024a-150000.75.28.1 updated
- util-linux-2.36.2-150300.4.38.1 updated
- container:sles15-image-15.0.0-17.20.233 removed