SUSE-IU-2024:2011-1: Security update of sles-15-sp6-chost-byos-v20241211-arm64

sle-container-updates at lists.suse.com
Fri Dec 13 07:29:42 UTC 2024


SUSE Image Update Advisory: sles-15-sp6-chost-byos-v20241211-arm64
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2024:2011-1
Image Tags        : sles-15-sp6-chost-byos-v20241211-arm64:20241211
Image Release     : 
Severity          : important
Type              : security
References        : 1027519 1216982 1219724 1225451 1225462 1226216 1229010 1229072
                        1229449 1229684 1230366 1230914 1231185 1231328 1231414 1231463
                        1231463 1231775 1231776 1231795 1232063 1232542 1232616 1232622
                        1232624 1233282 1233307 1233420 1233699 1233773 1234068 1234217
                        15280 15590 15624 15696 15699 15700 CVE-2024-10524 CVE-2024-11053
                        CVE-2024-11168 CVE-2024-24806 CVE-2024-45817 CVE-2024-45818 CVE-2024-45819
                        CVE-2024-52533 CVE-2024-52616 CVE-2024-54661 
-----------------------------------------------------------------

The container sles-15-sp6-chost-byos-v20241211-arm64 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:4043-1
Released:    Mon Nov 25 08:22:47 2024
Summary:     Recommended update for nfs-utils
Type:        recommended
Severity:    moderate
References:  1230914
This update for nfs-utils fixes the following issues:

- nfsd: Revert 'nfsd: Remove the ability to enable NFS v2.'
  (bsc#1230914).
- mount.nfs: Revert 'mount: Remove NFS v2 support from mount.nfs'
  (bsc#1230914).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:4044-1
Released:    Mon Nov 25 08:28:17 2024
Summary:     Recommended update for hwdata
Type:        recommended
Severity:    moderate
References:  
This update for hwdata fixes the following issue:

- Version update to v0.389:
  * Update pci, usb and vendor ids

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:4067-1
Released:    Tue Nov 26 11:33:47 2024
Summary:     Recommended update for openssh
Type:        recommended
Severity:    moderate
References:  1229010,1229072,1229449
This update for openssh fixes the following issues:

- Fixed a regression introduced in 9.6 that makes X11 forwarding very slow. (bsc#1229449)
- Fixed RFC4256 implementation so that keyboard-interactive authentication method can send
  instructions and sshd shows them to users even before a prompt
  is requested. This fixes MFA push notifications (bsc#1229010).
- Fix a dbus connection leaked in the logind patch that was missing a sd_bus_unref call.
- Fixed a small memory leak when parsing the subsystem configuration option.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:4087-1
Released:    Thu Nov 28 08:38:52 2024
Summary:     Recommended update for google-guest-agent, google-guest-configs, google-osconfig-agent
Type:        recommended
Severity:    moderate
References:  1231775,1231776
This update for google-guest-agent, google-guest-configs, google-osconfig-agent fixes the following issues:

- Update to version 20241011.01 (bsc#1231775, bsc#1231776)
- Set enable regardless of previous check failed or not
- Avoid unnecessary reloads, check before overwriting configs
- network/netplan: Do generate instead of apply
- Skip SetupInterfaces if configs are already applied
- Repeated logging could be mistaken for a recurring issue, log mds mtls endpoint error only once
- Retry MDS PUT operation, reload netplan/networkctl only if configs are changed
- Log interface state after setting up network
- network: Debian 12 rollback only if default netplan is ok
- Change mtls mds defaults, update log message to assure error is harmless
- network: Restore Debian 12 netplan configuration
- network: Remove primary NIC left over configs
- Update VLAN interfaces format to match with MDS
- Fix panics in agent when setting up VLAN with netplan
- Add VLAN NIC support for NetworkManager
- Fix debian12 netplan config issue, use ptr receiver
- Introduce a configuration toggle for enabling/disabling cloud logging
- Adapt and update config key to be consistent with MDS
- Allow users to enable/disable the mds mtls via metadata key
- Make primary nic management config consistent across all network managers
- Avoid writing configuration files when they already exist on wicked
- Fix where agent panics on nil event
- Update NIC management strategy
- Only release dhclient leases for an interface if the respective dhclient is still running
- Disable OS Login without pruning off any extra suffix
- Skip root cert rotation if installed once
- Add ipv6 support to guest agent
- Update google-startup-scripts.service to enable logging
- Network subsystem remove os rules
- oslogin: Don't remove sshca watcher when oslogin is disabled
- Network manager netplan implementation
- Log current available routes on error
- Fix command monitor bugs
- windows account: Ignore 'user already belongs to group' error
- Add more error logging in snapshot handling requests, use common retry util
- All non-200 status code from MDS should raise error
- Change metadata key to enable-oslogin-certificates
- Update dhclient pid/lease file directory to abide apparmor rules
- Add require-oslogin-certificates logic to disable keys
- systemd-networkd: Support Debian 12's version
- NetworkManager: Only set secondary interfaces as up
- address manager: Make sure we check for oldMetadata
- network: Early setup network
- NetworkManager: Fix ipv6 and ipv4 mode attribute
- Network Manager: Make sure we clean up ifcfg files
- metadata script runner: Fix script download
- oslogin: Avoid adding extra empty line at the end of /etc/security/group.conf
- Dynamic vlan
- Check for nil response
- Create NetworkManager implementation
- Skip interface manager on Windows
- network: Remove ignore setup
- Create wicked network service implementation and its respective unit
- Update metadata script runner, add tests
- Refactor guest-agent to use common retry util
- Flush logs before exiting
- Implement retry util
- Refactor utils package to not dump everything unrelated into one file
- Set version on metadata script runner
- Implement cleanup of deprecated configuration directives
- Ignore DHCP offered routes only for secondary nics
- Deprecate DHClient in favor of systemd-networkd
- Generate windows and linux licenses
- Remove quintonamore from OWNERS
- Delete integration tests
- Add configuration toggle to enable/disable use of OS native certificate stores
- Avoid writing configuration files when they already exist on wicked and NetworkManager
- Get rid of deprecated dependencies in snapshot service generate code
- Configure primary nic if only set in cfg file

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:4109-1
Released:    Thu Nov 28 17:15:36 2024
Summary:     Security update for libuv
Type:        security
Severity:    moderate
References:  1219724,CVE-2024-24806
This update for libuv fixes the following issues:

- CVE-2024-24806: Fixed improper Domain Lookup that potentially leads to SSRF attacks (bsc#1219724)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:4130-1
Released:    Mon Dec  2 10:56:25 2024
Summary:     Recommended update for dracut
Type:        recommended
Severity:    moderate
References:  1232063
This update for dracut fixes the following issue:

- Version update: 059+suse.543.g98d7f037
  * fix: removing systemd 59-persistent-storage-dm.rules (bsc#1232063).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:4145-1
Released:    Tue Dec  3 10:07:28 2024
Summary:     Security update for wget
Type:        security
Severity:    moderate
References:  1233773,CVE-2024-10524
This update for wget fixes the following issues:

- CVE-2024-10524: Fixed SSRF via shorthand HTTP URL (bsc#1233773)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:4163-1
Released:    Wed Dec  4 08:57:12 2024
Summary:     Security update for xen
Type:        security
Severity:    important
References:  1027519,1230366,1232542,1232622,1232624,CVE-2024-45817,CVE-2024-45818,CVE-2024-45819
This update for xen fixes the following issues:

Security issues fixed:

- CVE-2024-45818: xen: Deadlock in x86 HVM standard VGA handling (bsc#1232622)
- CVE-2024-45819: xen: libxl leaks data to PVH guests via ACPI tables (bsc#1232624)
- CVE-2024-45817: xen: x86: Deadlock in vlapic_error() (bsc#1230366)

Non-security issues fixed:

- Removed usage of net-tools-deprecated from supportconfig plugin (bsc#1232542)
- Upstream bug fixes (bsc#1027519)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:4171-1
Released:    Wed Dec  4 15:25:41 2024
Summary:     Recommended update for ldb, samba
Type:        recommended
Severity:    moderate
References:  1229684,1231414,15280,15590,15624,15696,15699,15700
This update for ldb, samba fixes the following issues:

ldb:

- Update to 2.8.2
  * libldb: fix performance issue with indexes (bso#15590)

samba:

- Update to 4.19.9
  * DH reconnect error handling can lead to stale sharemode entries (bso#15624)
  * Incorrect FSCTL_QUERY_ALLOCATED_RANGES response when truncated (bso#15699, bsc#1229684)
  * irpc_destructor may crash during shutdown (bso#15280)
  * Compound SMB2 requests don't return NT_STATUS_NETWORK_SESSION_EXPIRED for
    all requests, confuses MacOSX clients (bso#15696)
  * Crash when readlinkat fails (bso#15700)

- Adjust spec to split out rpcd_* binaries into a separate sub package
  (bsc#1231414, jsc#PED-11015)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:4181-1
Released:    Thu Dec  5 05:59:03 2024
Summary:     Recommended update for suseconnect-ng
Type:        recommended
Severity:    moderate
References:  1231185,1231328
This update for suseconnect-ng fixes the following issues:

- Integrating uptime-tracker
- Honor auto-import-gpg-keys flag on migration (bsc#1231328)
- Only send labels if targeting SCC
- Skip the docker auth generation on RMT (bsc#1231185)
- Add --set-labels to register command to set labels at registration time on SCC
- Add a new function to display suse-uptime-tracker version
- Add a command to show the info being gathered

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:4193-1
Released:    Thu Dec  5 12:01:40 2024
Summary:     Security update for python3
Type:        security
Severity:    low
References:  1231795,1233307,CVE-2024-11168
This update for python3 fixes the following issues:

- CVE-2024-11168: Fixed improper validation of IPv6 and IPvFuture addresses (bsc#1233307)

Other fixes:
- Remove -IVendor/ from python-config (bsc#1231795)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:4196-1
Released:    Thu Dec  5 13:56:06 2024
Summary:     Security update for avahi
Type:        security
Severity:    moderate
References:  1233420,CVE-2024-52616
This update for avahi fixes the following issues:

- CVE-2024-52616: Fixed Avahi Wide-Area DNS Predictable Transaction IDs (bsc#1233420)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:4200-1
Released:    Thu Dec  5 14:48:33 2024
Summary:     Recommended update for libsolv, libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1225451
This update for libsolv, libzypp, zypper fixes the following issues:

- Fix replaces_installed_package using the wrong solvable id when checking the noupdate map
- Make POOL_FLAG_ADDFILEPROVIDESFILTERED behaviour more standard
- Add rpm_query_idarray query function
- Support rpm's 'orderwithrequires' dependency
- BuildCache: Don't try to retrieve missing raw metadata if no permission to write the cache (bsc#1225451)
- RepoManager: Throw RepoNoPermissionException if the user has no permission to update(write) the caches (bsc#1225451)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:4224-1
Released:    Fri Dec  6 10:24:50 2024
Summary:     Recommended update for glibc
Type:        recommended
Severity:    moderate
References:  1233699
This update for glibc fixes the following issue:

- Remove nss-systemd from default nsswitch.conf (bsc#1233699).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:4244-1
Released:    Fri Dec  6 14:04:39 2024
Summary:     Recommended update for shared-mime-info
Type:        recommended
Severity:    moderate
References:  1231463
This update for shared-mime-info fixes the following issue:

- Uninstall silently if update-mime-database is not present (bsc#1231463).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:4254-1
Released:    Fri Dec  6 18:03:05 2024
Summary:     Security update for glib2
Type:        security
Severity:    important
References:  1231463,1233282,CVE-2024-52533
This update for glib2 fixes the following issues:

Security issues fixed:

- CVE-2024-52533: Fix a single byte buffer overflow in set_connect_msg() (bsc#1233282).

Non-security issue fixed:

- Fix error when uninstalling packages (bsc#1231463).


-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:4269-1
Released:    Mon Dec  9 17:34:34 2024
Summary:     Recommended update for libnvme, nvme-cli
Type:        recommended
Severity:    moderate
References:  1216982,1226216,1232616,1234217
This update for libnvme, nvme-cli fixes the following issues:

- Version update (1.8+79.g69e7772)
  * docs: update check-tls-key arguments (bsc#1216982, bsc#1226216).
  * docs: update gen-tls-key arguments (bsc#1216982, bsc#1226216).
  * docs: update TLS options (bsc#1216982, bsc#1226216).
  * fabrics: add support to connect to accept a PSK command line and configuration (bsc#1216982, bsc#1226216).
  * fabrics: fix map error level in __nvmf_add_ctrl (bsc#1216982, bsc#1226216).
  * fabrics: add ctrl connect interface (bsc#1216982, bsc#1226216).
  * fabrics: use hex numbers when generating command line options (bsc#1216982, bsc#1226216).
  * fabrics: rename first argument for argument macros (bsc#1216982, bsc#1226216).
  * fabrics: do not attempt to import keys if tls is not enabled (bsc#1216982, bsc#1226216).
  * fabrics: skip namespace scan for fabric commands (bsc#1232616).
  * json: move keystore operations out of the JSON parser (bsc#1216982, bsc#1226216).
  * json: do not escape strings when printing the configuration (bsc#1216982, bsc#1226216).
  * linux: do not do any keyring ops when no key is provided (bsc#1216982, bsc#1226216).
  * linux: do not return w/o OpenSSL support enabled (bsc#1216982, bsc#1226216).
  * linux: fix derive_psk_digest OpenSSL 1.1 version (bsc#1216982, bsc#1226216).
  * linux: fixup PSK HMAC type '0' handling (bsc#1216982, bsc#1226216).
  * linux: handle key import correctly (bsc#1216982, bsc#1226216).
  * linux: export keys to config (bsc#1216982, bsc#1226216).
  * linux: only return the description of a key (bsc#1216982, bsc#1226216).
  * linux: use ssize_t as return type for nvme_identity_len (bsc#1216982, bsc#1226216).
  * linux: reorder variable declarations (bsc#1216982, bsc#1226216).
  * linux: Remove the use of OpenSSL Engine API.
  * linux: add import/export function for TLS pre-shared keys (bsc#1216982, bsc#1226216).
  * netapp-smdev: remove redundant code (bsc#1234217).
  * netapp-smdev: add verbose output (bsc#1234217).
  * netapp-smdev-doc: add verbose details (bsc#1234217).
  * netapp-ontapdev: fix JSON output for nsze and nuse (bsc#1234217).
  * netapp-ontapdev: fix fw version handling (bsc#1234217).
  * netapp-ontapdev-doc: add verbose details (bsc#1232616).
  * netapp-ontapdev: add verbose output (bsc#1232616).
  * nvme: use unsigned char for hmac and identity (bsc#1216982, bsc#1226216).
  * nvme: add support to append TLS PSK to keyfile for check-tls-key (bsc#1216982, bsc#1226216).
  * nvme: return correct error code in append_keyfile (bsc#1216982, bsc#1226216).
  * nvme: add support to add derive TLS PSK to keyfile (bsc#1216982, bsc#1226216).
  * nvme: rename identity to version (bsc#1216982, bsc#1226216).
  * nvme: set file permission for keyfile to owner only (bsc#1216982, bsc#1226216).
  * nvme: export tls keys honoring version and hmac (bsc#1216982, bsc#1226216).
  * nvme-netapp: update err messages (bsc#1234217).
  * nvmf-keys: add udev rule to import tls keys (bsc#1216982, bsc#1226216).
  * test: add pre-shared key json tests (bsc#1216982, bsc#1226216).
  * test: extend psk to test new 'versioned' API (bsc#1216982, bsc#1226216).
  * test: add test case for importing/exporting PSKs (bsc#1216982, bsc#1226216).
  * test: make config-diff more flexible to use (bsc#1216982, bsc#1226216).
  * tree: optionally skip namespaces during scanning (bsc#1232616).
  * tree: do not export tls keys when not provided by user (bsc#1216982, bsc#1226216).
  * tree: read tls_configured_key and tls_keyring from sysfs (bsc#1216982, bsc#1226216).
  * tree: move dhchap and tls sysfs parser into separate functions (bsc#1216982, bsc#1226216).
  * tree: add getter/setters for TLS PSK (bsc#1216982, bsc#1226216).
  * util: added error code for ENOKEY (bsc#1216982, bsc#1226216).
  * util: Add string constant for ENVME_CONNECT_IGNORED.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:4288-1
Released:    Wed Dec 11 09:31:32 2024
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1234068,CVE-2024-11053
This update for curl fixes the following issues:

- CVE-2024-11053: Fixed leak of the password used for the first host to the followed-to host under certain circumstances (bsc#1234068)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:4295-1
Released:    Wed Dec 11 15:40:56 2024
Summary:     Security update for socat
Type:        security
Severity:    moderate
References:  1225462,CVE-2024-54661
This update for socat fixes the following issues:

- CVE-2024-54661: Fixed arbitrary file overwrite via predictable /tmp directory in socat readline.sh (bsc#1225462)


The following package changes have been done:

- dracut-059+suse.543.g98d7f037-150600.3.14.2 updated
- glib2-tools-2.78.6-150600.4.8.1 updated
- glibc-locale-base-2.38-150600.14.17.2 updated
- glibc-locale-2.38-150600.14.17.2 updated
- glibc-2.38-150600.14.17.2 updated
- google-guest-agent-20241011.01-150000.1.51.1 updated
- google-osconfig-agent-20240926.03-150000.1.38.1 updated
- hwdata-0.389-150000.3.71.2 updated
- libavahi-client3-0.8-150600.15.6.1 updated
- libavahi-common3-0.8-150600.15.6.1 updated
- libcurl4-8.6.0-150600.4.15.1 updated
- libgio-2_0-0-2.78.6-150600.4.8.1 updated
- libglib-2_0-0-2.78.6-150600.4.8.1 updated
- libgmodule-2_0-0-2.78.6-150600.4.8.1 updated
- libgobject-2_0-0-2.78.6-150600.4.8.1 updated
- libldb2-2.8.2-150600.3.6.1 updated
- libnfsidmap1-1.0-150600.28.6.2 updated
- libnvme-mi1-1.8+79.g69e7772-150600.3.12.2 updated
- libnvme1-1.8+79.g69e7772-150600.3.12.2 updated
- libpython3_6m1_0-3.6.15-150300.10.78.1 updated
- libsolv-tools-base-0.7.31-150600.8.7.2 updated
- libuv1-1.44.2-150500.3.5.1 updated
- libzypp-17.35.14-150600.3.32.2 updated
- nfs-client-2.6.4-150600.28.6.2 updated
- nvme-cli-2.8+87.g29df38e-150600.3.12.2 updated
- openssh-clients-9.6p1-150600.6.12.1 updated
- openssh-common-9.6p1-150600.6.12.1 updated
- openssh-server-9.6p1-150600.6.12.1 updated
- openssh-9.6p1-150600.6.12.1 updated
- python3-base-3.6.15-150300.10.78.1 updated
- python3-3.6.15-150300.10.78.1 updated
- samba-client-libs-4.19.8+git.399.71536ca297e-150600.3.9.6 updated
- shared-mime-info-2.4-150600.3.3.2 updated
- socat-1.8.0.0-150600.20.6.1 updated
- suseconnect-ng-1.13.0-150600.3.11.1 updated
- wget-1.20.3-150600.19.9.1 updated
- xen-libs-4.18.3_06-150600.3.12.1 updated
- zypper-1.14.78-150600.10.16.3 updated

