SUSE-IU-2024:837-1: Security update of sles-15-sp5-chost-byos-v20240809-arm64
sle-container-updates at lists.suse.com
Sat Aug 10 07:02:59 UTC 2024
SUSE Image Update Advisory: sles-15-sp5-chost-byos-v20240809-arm64
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2024:837-1
Image Tags : sles-15-sp5-chost-byos-v20240809-arm64:20240809
Image Release :
Severity : important
Type : security
References : 1027519 1208690 1214718 1214960 1219004 1221984 1222075 1223107
1225976 1226125 1226128 1226412 1226469 1226529 1226664 1227067
1227106 1227355 1227711 1228256 1228257 1228258 1228322 1228770
916845 CVE-2013-4235 CVE-2013-4235 CVE-2023-46842 CVE-2024-1737
CVE-2024-1975 CVE-2024-31143 CVE-2024-37891 CVE-2024-4076
-----------------------------------------------------------------
The container sles-15-sp5-chost-byos-v20240809-arm64 was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2654-1
Released: Tue Jul 30 15:33:33 2024
Summary: Security update for xen
Type: security
Severity: important
References: 1027519,1214718,1221984,1227355,CVE-2023-46842,CVE-2024-31143
This update for xen fixes the following issues:
- CVE-2023-46842: Fixed x86 HVM hypercalls may trigger Xen bug check (XSA-454, bsc#1221984).
- CVE-2024-31143: Fixed double unlock in x86 guest IRQ handling (XSA-458, bsc#1227355).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2658-1
Released: Tue Jul 30 15:37:26 2024
Summary: Security update for shadow
Type: security
Severity: important
References: 916845,CVE-2013-4235
This update for shadow fixes the following issues:
- CVE-2013-4235: Fixed a race condition when copying and removing directory trees (bsc#916845).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2662-1
Released: Tue Jul 30 15:41:34 2024
Summary: Security update for python-urllib3
Type: security
Severity: moderate
References: 1226469,CVE-2024-37891
This update for python-urllib3 fixes the following issues:
- CVE-2024-37891: Fixed proxy-authorization request header is not stripped during cross-origin redirects (bsc#1226469)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2678-1
Released: Wed Jul 31 06:59:12 2024
Summary: Recommended update for wicked
Type: recommended
Severity: important
References: 1225976,1226125,1226664
This update for wicked fixes the following issues:
- Update to version 0.6.76
- compat-suse: warn user and create missing parent config of infiniband children
- client: fix origin in loaded xml-config with obsolete port references but missing port interface config, causing a no-carrier of master (bsc#1226125)
- ipv6: fix setup on ipv6.disable=1 kernel cmdline (bsc#1225976)
- wireless: add frequency-list in station mode (jsc#PED-8715)
- client: fix crash while hierarchy traversing due to loop in e.g. systemd-nspawn containers (bsc#1226664)
- man: add supported bonding options to ifcfg-bonding(5) man page
- arputil: Document minimal interval for getopts
- man: (re)generate man pages from md sources
- client: warn on interface wait time reached
- compat-suse: fix dummy type detection from ifname to not cause conflicts with e.g. correct vlan config on dummy0.42 interfaces
- compat-suse: fix infiniband and infiniband child type detection from ifname
-----------------------------------------------------------------
Advisory ID: SUSE-feature-2024:2688-1
Released: Thu Aug 1 07:00:59 2024
Summary: Feature update for Public Cloud
Type: feature
Severity: important
References: 1222075,1227067,1227106,1227711
This update for Public Cloud fixes the following issues:
- Added Public Cloud packages and dependencies to SLE Micro 5.5 to enhance SUSE Manager 5.0 (jsc#SMO-345):
* google-guest-agent (no source changes)
* google-guest-configs (no source changes)
* google-guest-oslogin (no source changes)
* google-osconfig-agent (no source changes)
* growpart-rootgrow (no source changes)
* python-azure-agent (includes bug fixes, see below)
* python-cssselect (no source changes)
* python-instance-billing-flavor-check (no source changes)
* python-toml (no source changes)
* python3-lxml (includes a bug fix, see below)
- python-azure-agent received the following fixes:
* Use the proper option to force btrfs to overwrite a file system on the resource disk if one already exists
(bsc#1227711)
* Set Provisioning.Agent parameter to 'cloud-init' in SLE Micro 5.5 and newer (bsc#1227106)
* Do not package `waagent2.0` in Python 3 builds
* Do not require `wicked` in non-SUSE build environments
* Apply python3 interpreter patch in non-SLE build environments (bsc#1227067)
- python3-lxml also received the following fix:
* Fixed compatibility with system libexpat in tests (bnc#1222075)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2696-1
Released: Thu Aug 1 15:20:51 2024
Summary: Recommended update for dracut
Type: recommended
Severity: moderate
References: 1208690,1226412,1226529
This update for dracut fixes the following issues:
- Version update:
* feat(crypt): force the inclusion of crypttab entries with x-initrd.attach (bsc#1226529)
* fix(mdraid): try to assemble the missing raid device (bsc#1226412)
* fix(dracut-install): continue parsing if ldd prints 'cannot be preloaded' (bsc#1208690)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2742-1
Released: Mon Aug 5 17:35:36 2024
Summary: Recommended update for suseconnect-ng
Type: recommended
Severity: important
References: 1219004,1223107,1226128
This update for suseconnect-ng fixes the following issues:
- Version update
* Added uname as collector
* Added SAP workload detection
* Added detection of container runtimes
* Multiple fixes on ARM64 detection
* Use `read_values` for the CPU collector on Z
* Fixed data collection for ppc64le
* Grab the home directory from /etc/passwd if needed (bsc#1226128)
* Build zypper-migration and zypper-packages-search as standalone
binaries rather than one single binary
* Add --gpg-auto-import-keys flag before action in zypper command (bsc#1219004)
* Include /etc/products.d in directories whose content are backed
up and restored if a zypper-migration rollback happens (bsc#1219004)
* Add the ability to upload the system uptime logs, produced by the
suse-uptime-tracker daemon, to SCC/RMT as part of keepalive report
(jsc#PED-7982) (jsc#PED-8018)
* Add support for third party packages in SUSEConnect
* Refactor existing system information collection implementation
self-signed SSL certificate (bsc#1223107)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2791-1
Released: Tue Aug 6 16:35:05 2024
Summary: Recommended update for various 32bit packages
Type: recommended
Severity: moderate
References: 1228322
This update of various packages delivers 32bit variants to allow running Wine
on SLE PackageHub 15 SP6.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2799-1
Released: Wed Aug 7 08:19:10 2024
Summary: Recommended update for runc
Type: recommended
Severity: important
References: 1214960
This update for runc fixes the following issues:
- Update to runc v1.1.13, changelog is available at https://github.com/opencontainers/runc/releases/tag/v1.1.13
- Fix a performance issue when running lots of containers caused by too many mount notifications (bsc#1214960)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2804-1
Released: Wed Aug 7 09:48:29 2024
Summary: Security update for shadow
Type: security
Severity: moderate
References: 1228770,CVE-2013-4235
This update for shadow fixes the following issues:
- Fixed skel files not being copied (bsc#1228770)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2862-1
Released: Fri Aug 9 09:20:34 2024
Summary: Security update for bind
Type: security
Severity: important
References: 1228256,1228257,1228258,CVE-2024-1737,CVE-2024-1975,CVE-2024-4076
This update for bind fixes the following issues:
Update to 9.16.50:
- Bug Fixes:
* A regression in cache-cleaning code enabled memory use to grow
significantly more quickly than before, until the configured
max-cache-size limit was reached. This has been fixed.
* Using rndc flush inadvertently caused cache cleaning to become
less effective. This could ultimately lead to the configured
max-cache-size limit being exceeded and has now been fixed.
* The logic for cleaning up expired cached DNS records was
tweaked to be more aggressive. This change helps with enforcing
max-cache-ttl and max-ncache-ttl in a timely manner.
* It was possible to trigger a use-after-free assertion when the
overmem cache cleaning was initiated. This has been fixed.
- New Features:
* Added RESOLVER.ARPA to the built in empty zones.
- Security Fixes:
* It is possible to craft excessively large numbers of resource
record types for a given owner name, which has the effect of
slowing down database processing. This has been addressed by
adding a configurable limit to the number of records that can
be stored per name and type in a cache or zone database. The
default is 100, which can be tuned with the new
max-types-per-name option. (CVE-2024-1737, bsc#1228256)
* Validating DNS messages signed using the SIG(0) protocol (RFC
2931) could cause excessive CPU load, leading to a
denial-of-service condition. Support for SIG(0) message
validation was removed from this version of named.
(CVE-2024-1975, bsc#1228257)
* When looking up the NS records of parent zones as part of
looking up DS records, it was possible for named to trigger an
assertion failure if serve-stale was enabled. This has been
fixed. (CVE-2024-4076, bsc#1228258)
The following package changes have been done:
- bind-utils-9.16.50-150500.8.21.1 updated
- docker-25.0.6_ce-150000.203.1 updated
- dracut-055+suse.388.g70c21afa-150500.3.21.2 updated
- google-guest-agent-20240314.00-150400.1.48.7 updated
- google-guest-configs-20240307.00-150400.13.11.6 updated
- google-guest-oslogin-20240311.00-150400.1.45.7 updated
- google-osconfig-agent-20240320.00-150400.1.35.7 updated
- growpart-rootgrow-1.0.7-150400.1.14.7 updated
- libassuan0-2.5.5-150000.4.7.1 updated
- login_defs-4.8.1-150400.10.21.1 updated
- python-instance-billing-flavor-check-0.0.6-150400.1.11.7 updated
- python3-bind-9.16.50-150500.8.21.1 updated
- python3-cssselect-1.0.3-150400.3.7.4 updated
- python3-lxml-4.9.1-150500.3.4.3 updated
- python3-urllib3-1.25.10-150300.4.12.1 updated
- runc-1.1.13-150000.67.1 updated
- shadow-4.8.1-150400.10.21.1 updated
- suseconnect-ng-1.11.0-150500.3.26.4 updated
- wicked-service-0.6.76-150500.3.33.1 updated
- wicked-0.6.76-150500.3.33.1 updated
- xen-libs-4.17.4_04-150500.3.33.1 updated