SUSE-CU-2024:3716-1: Security update of suse/sles/15.7/libguestfs-tools
sle-container-updates at lists.suse.com
sle-container-updates at lists.suse.com
Wed Aug 14 16:54:32 UTC 2024
SUSE Container Update Advisory: suse/sles/15.7/libguestfs-tools
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:3716-1
Container Tags : suse/sles/15.7/libguestfs-tools:1.1.1 , suse/sles/15.7/libguestfs-tools:1.1.1-150700.9.4 , suse/sles/15.7/libguestfs-tools:1.1.1.28.15
Container Release : 28.15
Severity : important
Type : security
References : 1208690 1218640 1222768 1222899 1223336 1225976 1226125 1226412
1226463 1226529 1226664 1227138 1227888 1228255 1228256 1228257
1228258 1228322 1228322 1228535 1228548 1228770 916845 CVE-2013-4235
CVE-2013-4235 CVE-2024-0760 CVE-2024-1737 CVE-2024-1975 CVE-2024-4076
CVE-2024-5535 CVE-2024-6197 CVE-2024-7264
-----------------------------------------------------------------
The container suse/sles/15.7/libguestfs-tools was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2573-1
Released: Mon Jul 22 12:35:01 2024
Summary: Recommended update for libkcapi
Type: recommended
Severity: moderate
References: 1222768
This update for libkcapi fixes the following issues:
- FIPS: kcapi-hasher: zeroise temporary values for FIPS 140-3
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2630-1
Released: Tue Jul 30 09:12:44 2024
Summary: Security update for shadow
Type: security
Severity: important
References: 916845,CVE-2013-4235
This update for shadow fixes the following issues:
- CVE-2013-4235: Fixed a race condition when copying and removing directory trees (bsc#916845).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2635-1
Released: Tue Jul 30 09:14:09 2024
Summary: Security update for openssl-3
Type: security
Severity: important
References: 1222899,1223336,1226463,1227138,CVE-2024-5535
This update for openssl-3 fixes the following issues:
Security fixes:
- CVE-2024-5535: Fixed SSL_select_next_proto buffer overread (bsc#1227138)
Other fixes:
- Build with no-afalgeng (bsc#1226463)
- Build with enabled sm2 and sm4 support (bsc#1222899)
- Fix non-reproducibility issue (bsc#1223336)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2636-1
Released: Tue Jul 30 09:14:22 2024
Summary: Security update for bind
Type: security
Severity: important
References: 1228255,1228256,1228257,1228258,CVE-2024-0760,CVE-2024-1737,CVE-2024-1975,CVE-2024-4076
This update for bind fixes the following issues:
Update to release 9.18.28
Security fixes:
- CVE-2024-0760: Fixed a flood of DNS messages over TCP may make the server unstable (bsc#1228255)
- CVE-2024-1737: Fixed BIND's database will be slow if a very large number of RRs exist at the same name (bsc#1228256)
- CVE-2024-1975: Fixed SIG(0) can be used to exhaust CPU resources (bsc#1228257)
- CVE-2024-4076: Fixed assertion failure when serving both stale cache data and authoritative zone content (bsc#1228258)
Changelog:
* Command-line options for IPv4-only (named -4) and IPv6-only
(named -6) modes are now respected for zone primaries,
also-notify, and parental-agents.
* An RPZ response’s SOA record TTL was set to 1 instead of the
SOA TTL, if add-soa was used. This has been fixed.
* When a query related to zone maintenance (NOTIFY, SOA) timed
out close to a view shutdown (triggered e.g. by rndc reload),
named could crash with an assertion failure. This has been
fixed.
* The statistics channel counters that indicated the number of
currently connected TCP IPv4/IPv6 clients were not properly
adjusted in certain failure scenarios. This has been fixed.
* Some servers that could not be reached due to EHOSTDOWN or
ENETDOWN conditions were incorrectly prioritized during server
selection. These are now properly handled as unreachable.
* On some systems the libuv call may return an error code when
sending a TCP reset for a connection, which triggers an
assertion failure in named. This error condition is now dealt
with in a more graceful manner, by logging the incident and
shutting down the connection.
* Changes to listen-on statements were ignored on reconfiguration
unless the port or interface address was changed, making it
impossible to change a related listener transport type. That
issue has been fixed.
* A bug in the keymgr code unintentionally slowed down some
DNSSEC key rollovers. This has been fixed.
* Some ISO 8601 durations were accepted erroneously, leading to
shorter durations than expected. This has been fixed
* A regression in cache-cleaning code enabled memory use to grow
significantly more quickly than before, until the configured
max-cache-size limit was reached. This has been fixed.
* Using rndc flush inadvertently caused cache cleaning to become
less effective. This could ultimately lead to the configured
max-cache-size limit being exceeded and has now been fixed.
* The logic for cleaning up expired cached DNS records was
tweaked to be more aggressive. This change helps with enforcing
max-cache-ttl and max-ncache-ttl in a timely manner.
* It was possible to trigger a use-after-free assertion when the
overmem cache cleaning was initiated. This has been fixed.
New Features:
* A new option signatures-jitter has been added to dnssec-policy
to allow signature expirations to be spread out over a period
of time.
* The statistics channel now includes counters that indicate the
number of currently connected TCP IPv4/IPv6 clients.
* Added RESOLVER.ARPA to the built in empty zones.
Feature Changes:
* DNSSEC signatures that are not valid because the current time
falls outside the signature inception and expiration dates are
skipped instead of causing an immediate validation failure.
Security Fixes:
* A malicious DNS client that sent many queries over TCP but
never read the responses could cause a server to respond slowly
or not at all for other clients. This has been fixed.
(CVE-2024-0760)
* It is possible to craft excessively large resource records
sets, which have the effect of slowing down database
processing. This has been addressed by adding a configurable
limit to the number of records that can be stored per name and
type in a cache or zone database. The default is 100, which can
be tuned with the new max-records-per-type option.
* It is possible to craft excessively large numbers of resource
record types for a given owner name, which has the effect of
slowing down database processing. This has been addressed by
adding a configurable limit to the number of records that can
be stored per name and type in a cache or zone database. The
default is 100, which can be tuned with the new
max-types-per-name option. (CVE-2024-1737)
* Validating DNS messages signed using the SIG(0) protocol (RFC
2931) could cause excessive CPU load, leading to a
denial-of-service condition. Support for SIG(0) message
validation was removed from this version of named.
(CVE-2024-1975)
* Due to a logic error, lookups that triggered serving stale data
and required lookups in local authoritative zone data could
have resulted in an assertion failure. This has been fixed.
* Potential data races were found in our DoH implementation,
related to HTTP/2 session object management and endpoints set
object management after reconfiguration. These issues have been
fixed.
* When looking up the NS records of parent zones as part of
looking up DS records, it was possible for named to trigger an
assertion failure if serve-stale was enabled. This has been
fixed. (CVE-2024-4076)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2637-1
Released: Tue Jul 30 09:17:25 2024
Summary: Recommended update for qemu
Type: recommended
Severity: moderate
References:
This update for qemu fixes the following issues:
qemu was updated to version 8.2.5:
- For the full list of changes (from the various releases) please consult the following:
* https://lore.kernel.org/qemu-devel/1718081047.648425.1238605.nullmailer@tls.msk.ru/
- Main changes:
* disas/riscv: Decode all of the pmpcfg and pmpaddr CSRs
* dockerfiles: Added 'MAKE' env variable to remaining containers
* gitlab: Update msys2-64bit runner tags
* gitlab: Use 'setarch -R' to workaround tsan bug
* gitlab: Use $MAKE instead of 'make'
* hvf: arm: Fixed encodings for ID_AA64PFR1_EL1 and debug System registers
* hw/intc/arm_gic: Fixed handling of NS view of GICC_APR<n>
* hw/intc/riscv_aplic: APLICs should add child earlier than realize
* iotests: test NBD+TLS+iothread
* qio: Inherit follow_coroutine_ctx across TLS
* target/arm: Disable SVE extensions when SVE is disabled
* target/i386: Fixed SSE and SSE2 feature check
* target/i386: Fixed xsave.flat from kvm-unit-tests
* target/i386: No single-step exception after MOV or POP SS
* target/loongarch: Fixed a wrong print in cpu dump
* target/riscv: Do not set mtval2 for non guest-page faults
* target/riscv: Fixed the element agnostic function problem
* target/riscv: Prioritize pmp errors in raise_mmu_exception()
* target/riscv: rvv: Check single width operator for vector fp widen instructions
* target/riscv: rvv: Check single width operator for vfncvt.rod.f.f.w
* target/riscv: rvv: Fixed Zvfhmin checking for vfwcvt.f.f.v and vfncvt.f.f.w instructions
* target/riscv: rvv: Removed redudant SEW checking for vector fp narrow/widen instructions
* target/riscv: rvzicbo: Fixed CBO extension register calculation
* target/riscv/cpu.c: Fixed Zvkb extension config
* target/riscv/kvm: Tolerate KVM disable ext errors
* target/riscv/kvm.c: Fixed the hart bit setting of AIA
* ui/sdl2: Allow host to power down screen
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2641-1
Released: Tue Jul 30 09:29:36 2024
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References:
This update for systemd fixes the following issues:
systemd was updated from version 254.13 to version 254.15:
- Changes in version 254.15:
* boot: cover for hardware keys on phones/tablets
* Conditional PSI check to reflect changes done in 5.13
* core/dbus-manager: refuse SoftReboot() for user managers
* core/exec-invoke: reopen OpenFile= fds with O_NOCTTY
* core/exec-invoke: use sched_setattr instead of sched_setscheduler
* core/unit: follow merged units before updating SourcePath= timestamp too
* coredump: correctly take tmpfs size into account for compression
* cryptsetup: improve TPM2 blob display
* docs: Add section to HACKING.md on distribution packages
* docs: fixed dead link to GNOME documentation
* docs/CODING_STYLE: document that we nowadays prefer (const char*) for func ret type
* Fixed typo in CAP_BPF description
* LICENSES/README: expand text to summarize state for binaries and libs
* man: fully adopt ~/.local/state/
* man/systemd.exec: list inaccessible files for ProtectKernelTunables
* man/tmpfiles: remove outdated behavior regarding symlink ownership
* meson: bpf: propagate 'sysroot' for cross compilation
* meson: Define __TARGET_ARCH macros required by bpf
* mkfs-util: Set sector size for btrfs as well
* mkosi: drop CentOS 8 from CI
* mkosi: Enable hyperscale-packages-experimental for CentOS
* mountpoint-util: do not assume symlinks are not mountpoints
* os-util: avoid matching on the wrong extension-release file
* README: add missing CONFIG_MEMCG kernel config option for oomd
* README: update requirements for signed dm-verity
* resolved: allow the full TTL to be used by OPT records
* resolved: correct parsing of OPT extended RCODEs
* sysusers: handle NSS errors gracefully
* TEST-58-REPART: reverse order of diff args
* TEST-64-UDEV-STORAGE: Make nvme_subsystem expected pci symlinks more generic
* test: fixed TEST-24-CRYPTSETUP on SUSE
* test: install /etc/hosts
* Use consistent spelling of systemd.condition_first_boot argument
* util: make file_read() 64bit offset safe
* vmm: make sure we can handle smbios objects without variable part
- Changes in version 254.14:
* analyze: show pcrs also in sha384 bank
* chase: Tighten '.' and './' check
* core/service: fixed accept-socket deserialization
* efi-api: check /sys/class/tpm/tpm0/tpm_version_major, too
* executor: check for all permission related errnos when setting up IPC namespace
* install: allow removing symlinks even for units that are gone
* json: use secure un{base64,hex}mem for sensitive variants
* man,units: drop 'temporary' from description of systemd-tmpfiles
* missing_loop.h: fixed LOOP_SET_STATUS_SETTABLE_FLAGS
* repart: fixed memory leak
* repart: Use CRYPT_ACTIVATE_PRIVATE
* resolved: permit dnssec rrtype questions when we aren't validating
* rules: Limit the number of device units generated for serial ttys
* run: do not pass the pty slave fd to transient service in a machine
* sd-dhcp-server: clear buffer before receive
* strbuf: use GREEDY_REALLOC to grow the buffer
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2667-1
Released: Tue Jul 30 16:14:01 2024
Summary: Recommended update for libxkbcommon
Type: recommended
Severity: moderate
References: 1218640,1228322
This update of libxkbcommon fixes the following issue:
- ship libxkbregistry0-32bit and libxbkregistry-devel-32bit for use by Wine. (bsc#1218640 bsc#1228322)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2677-1
Released: Wed Jul 31 06:58:52 2024
Summary: Recommended update for wicked
Type: recommended
Severity: important
References: 1225976,1226125,1226664
This update for wicked fixes the following issues:
- Update to version 0.6.76
- compat-suse: warn user and create missing parent config of infiniband children
- client: fix origin in loaded xml-config with obsolete port references but missing port interface config, causing a no-carrier of master (bsc#1226125)
- ipv6: fix setup on ipv6.disable=1 kernel cmdline (bsc#1225976)
- wireless: add frequency-list in station mode (jsc#PED-8715)
- client: fix crash while hierarchy traversing due to loop in e.g. systemd-nspawn containers (bsc#1226664)
- man: add supported bonding options to ifcfg-bonding(5) man page
- arputil: Document minimal interval for getopts
- man: (re)generate man pages from md sources
- client: warn on interface wait time reached
- compat-suse: fix dummy type detection from ifname to not cause conflicts with e.g. correct vlan config on dummy0.42 interfaces
- compat-suse: fix infiniband and infiniband child type detection from ifname
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2695-1
Released: Thu Aug 1 15:06:12 2024
Summary: Recommended update for dracut
Type: recommended
Severity: moderate
References: 1208690,1226412,1226529
This update for dracut fixes the following issues:
- Version update:
* feat(crypt): force the inclusion of crypttab entries with x-initrd.attach (bsc#1226529)
* fix(mdraid): try to assemble the missing raid device (bsc#1226412)
* fix(dracut-install): continue parsing if ldd prints 'cannot be preloaded' (bsc#1208690)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2779-1
Released: Tue Aug 6 14:35:49 2024
Summary: Recommended update for permissions
Type: recommended
Severity: moderate
References: 1228548
This update for permissions fixes the following issue:
* cockpit: moved setuid executable (bsc#1228548)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2784-1
Released: Tue Aug 6 14:58:38 2024
Summary: Security update for curl
Type: security
Severity: important
References: 1227888,1228535,CVE-2024-6197,CVE-2024-7264
This update for curl fixes the following issues:
- CVE-2024-7264: Fixed ASN.1 date parser overread (bsc#1228535)
- CVE-2024-6197: Fixed freeing stack buffer in utf8asn1str (bsc#1227888)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2791-1
Released: Tue Aug 6 16:35:06 2024
Summary: Recommended update for various 32bit packages
Type: recommended
Severity: moderate
References: 1228322
This update of various packages delivers 32bit variants to allow running Wine
on SLE PackageHub 15 SP6.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2808-1
Released: Wed Aug 7 09:49:32 2024
Summary: Security update for shadow
Type: security
Severity: moderate
References: 1228770,CVE-2013-4235
This update for shadow fixes the following issues:
- Fixed not copying of skel files (bsc#1228770)
The following package changes have been done:
- libassuan0-2.5.5-150000.4.7.1 updated
- libudev1-254.15-150600.4.8.1 updated
- libsystemd0-254.15-150600.4.8.1 updated
- libopenssl3-3.1.4-150600.5.10.1 updated
- libopenssl-3-fips-provider-3.1.4-150600.5.10.1 updated
- login_defs-4.8.1-150600.17.6.1 updated
- libcurl4-8.6.0-150600.4.3.1 updated
- sles-release-15.7-150700.3.1 updated
- permissions-20240801-150600.10.4.1 updated
- libgpgme11-1.23.0-150600.3.2.1 updated
- shadow-4.8.1-150600.17.6.1 updated
- curl-8.6.0-150600.4.3.1 updated
- libkcapi-tools-0.13.0-150600.17.3.1 updated
- qemu-accel-tcg-x86-8.2.5-150600.3.6.1 updated
- qemu-ipxe-8.2.5-150600.3.6.1 updated
- qemu-seabios-8.2.51.16.3_3_ga95067eb-150600.3.6.1 updated
- qemu-vgabios-8.2.51.16.3_3_ga95067eb-150600.3.6.1 updated
- bind-utils-9.18.28-150600.3.3.1 updated
- libxkbcommon0-1.5.0-150600.3.3.1 updated
- systemd-254.15-150600.4.8.1 updated
- qemu-pr-helper-8.2.5-150600.3.6.1 updated
- qemu-img-8.2.5-150600.3.6.1 updated
- qemu-tools-8.2.5-150600.3.6.1 updated
- wicked-0.6.76-150600.11.9.1 updated
- wicked-service-0.6.76-150600.11.9.1 updated
- udev-254.15-150600.4.8.1 updated
- dracut-059+suse.527.g7870f083-150600.3.3.2 updated
- dracut-fips-059+suse.527.g7870f083-150600.3.3.2 updated
- qemu-x86-8.2.5-150600.3.6.1 updated
- qemu-8.2.5-150600.3.6.1 updated
- container:sles15-image-15.0.0-50.8 updated
More information about the sle-container-updates
mailing list