SUSE-CU-2024:454-1: Security update of rancher/elemental-teal/5.4

sle-container-updates at lists.suse.com
Tue Feb 6 08:01:35 UTC 2024


SUSE Container Update Advisory: rancher/elemental-teal/5.4
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:454-1
Container Tags        : rancher/elemental-teal/5.4:1.2.3, rancher/elemental-teal/5.4:1.2.3-3.2.78, rancher/elemental-teal/5.4:latest
Container Release     : 3.2.78
Severity              : important
Type                  : security
References            : 1103893 1107342 1112183 1168481 1182142 1187364 1187364 1187365
                        1187366 1187366 1187367 1187367 1192986 1193412 1195391 1196647
                        1197093 1198773 1198773 1200441 1200441 1200441 1200441 1200528
                        1201300 1201384 1201519 1201551 1201551 1204844 1205161 1206346
                        1206346 1206480 1206480 1206684 1206684 1207004 1207778 1207987
                        1208074 1208364 1208510 1208737 1208962 1209282 1209307 1209495
                        1209884 1209888 1210004 1210298 1210299 1210557 1210557 1210660
                        1211079 1211124 1211188 1211190 1211418 1211419 1211427 1211427
                        1211578 1212101 1212101 1212475 1212475 1212475 1212475 1212475
                        1213240 1213915 1213915 1214025 1214052 1214052 1214140 1214460
                        1214460 1214668 1214806 1214980 1215229 1215241 1215291 1215313
                        1215323 1215427 1215434 1215496 1215806 1215806 1215823 1215831
                        1215935 1215936 1216006 1216006 1216010 1216075 1216123 1216129
                        1216174 1216253 1216378 1216664 1216862 1216922 1216987 1217000
                        1217031 1217212 1217237 1217460 1217472 1217573 1217574 1217773
                        1217775 1217969 1218014 1218126 1218186 1218209 1218475 1218571
                        1218894 CVE-2021-26345 CVE-2021-3592 CVE-2021-3592 CVE-2021-3593
                        CVE-2021-3594 CVE-2021-3594 CVE-2021-3595 CVE-2021-3595 CVE-2021-46766
                        CVE-2021-46774 CVE-2022-1996 CVE-2022-23820 CVE-2022-23830 CVE-2023-0778
                        CVE-2023-1667 CVE-2023-20519 CVE-2023-20521 CVE-2023-20526 CVE-2023-20533
                        CVE-2023-20566 CVE-2023-20592 CVE-2023-2137 CVE-2023-2283 CVE-2023-25809
                        CVE-2023-2602 CVE-2023-2603 CVE-2023-27561 CVE-2023-28642 CVE-2023-39804
                        CVE-2023-4039 CVE-2023-4039 CVE-2023-4156 CVE-2023-44487 CVE-2023-45322
                        CVE-2023-45853 CVE-2023-46218 CVE-2023-46219 CVE-2023-4641 CVE-2023-4692
                        CVE-2023-4693 CVE-2023-48795 CVE-2023-50495 CVE-2023-5678 CVE-2023-6004
                        CVE-2023-6918 CVE-2023-7207 CVE-2024-21626 CVE-2024-22365 
-----------------------------------------------------------------

The container rancher/elemental-teal/5.4 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1465-1
Released:    Fri Apr 29 11:36:02 2022
Summary:     Security update for libslirp
Type:        security
Severity:    important
References:  1187364,1187366,1187367,1198773,CVE-2021-3592,CVE-2021-3594,CVE-2021-3595
This update for libslirp fixes the following issues:

- CVE-2021-3592: Fixed an invalid pointer initialization that may lead to information disclosure (bootp) (bsc#1187364).
- CVE-2021-3594: Fixed an invalid pointer initialization that may lead to information disclosure (udp) (bsc#1187367).
- CVE-2021-3595: Fixed an invalid pointer initialization that may lead to information disclosure (tftp) (bsc#1187366).
- Fixed a DHCP regression (bsc#1198773).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1730-1
Released:    Wed May 18 16:56:21 2022
Summary:     Security update for libslirp
Type:        security
Severity:    important
References:  1187364,1187366,1187367,1198773,CVE-2021-3592,CVE-2021-3594,CVE-2021-3595
This update for libslirp fixes the following issues:

- CVE-2021-3592: Fixed an invalid pointer initialization that may lead to information disclosure (bootp) (bsc#1187364).
- CVE-2021-3594: Fixed an invalid pointer initialization that may lead to information disclosure (udp) (bsc#1187367).
- CVE-2021-3595: Fixed an invalid pointer initialization that may lead to information disclosure (tftp) (bsc#1187366).
- Fixed a DHCP regression (bsc#1198773).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2941-1
Released:    Tue Aug 30 10:51:09 2022
Summary:     Security update for libslirp
Type:        security
Severity:    moderate
References:  1187365,1201551,CVE-2021-3593
This update for libslirp fixes the following issues:

- CVE-2021-3593: Fixed an invalid pointer initialization that may lead to information disclosure (udp6) (bsc#1187365).

Non-security fixes:

- Fixed the version header (bsc#1201551).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:1814-1
Released:    Tue Apr 11 14:40:34 2023
Summary:     Security update for podman
Type:        security
Severity:    important
References:  1197093,1208364,1208510,1209495,CVE-2023-0778
This update for podman fixes the following issues:

Update to version 4.4.4:

  * libpod: always use direct mapping
  * macos pkginstaller: do not fail when podman-mac-helper fails
  * podman-mac-helper: install: do not error if already installed

- podman.spec: Bump required version for libcontainers-common (bsc#1209495)

Update to version 4.4.3:

  * compat: /auth: parse server address correctly
  * vendor github.com/containers/common at v0.51.1
  * pkginstaller: bump Qemu to version 7.2.0
  * podman machine: Adjust Chrony makestep config
  * [v4.4] fix --health-on-failure=restart in transient unit
  * podman logs passthrough driver support --cgroups=split
  * journald logs: simplify entry parsing
  * podman logs: read journald with passthrough
  * journald: remove initializeJournal()
  * netavark: only use aardvark ip as nameserver
  * compat API: network create return 409 for duplicate
  * fix 'podman logs --since --follow' flake
  * system service --log-level=trace: support hijack
  * podman-mac-helper: exit 1 on error
  * bump golang.org/x/net to v0.8.0
  * Fix package restore
  * Quadlet - use the default runtime

Update to version 4.4.2:

  * Revert 'CI: Temporarily disable all AWS EC2-based tasks'
  * kube play: only enforce passthrough in Quadlet
  * Emergency fix for man pages: check for broken includes
  * CI: Temporarily disable all AWS EC2-based tasks
  * quadlet system tests: add useful defaults, logging
  * volume,container: chroot to source before exporting content
  * install sigproxy before start/attach
  * Update to c/image 5.24.1
  * events + container inspect test: RHEL fixes

- podman.spec: add `crun` requirement for quadlet
- podman.spec: set PREFIX at build stage (bsc#1208510)

- CVE-2023-0778: Fixed symlink exchange attack in podman export volume (bsc#1208364)

Update to version 4.4.1:

  * kube play: do not teardown unconditionally on error
  * Resolve symlink path for qemu directory if possible
  * events: document journald identifiers
  * Quadlet: exit 0 when there are no files to process
  * Cleanup podman-systemd.unit file
  * Install podman-systemd.unit man page, make quadlet discoverable
  * Add missing return after errors
  * oci: bind mount /sys with --userns=(auto|pod:)
  * docs: specify order preference for FROM
  * Cirrus: Fix & remove GraphQL API tests
  * test: adapt test to work on cgroupv1
  * make hack/markdown-preprocess parallel-safe
  * Fix default handling of pids-limit
  * system tests: fix volume exec/noexec test

Update to version 4.4.0:

  * Emergency fix for RHEL8 gating tests
  * Do not mount /dev/tty into rootless containers
  * Fixes port collision issue on use of --publish-all
  * Fix usage of absolute windows paths with --image-path
  * fix #17244: use /etc/timezone where `timedatectl` is missing on Linux
  * podman-events: document verbose create events
  * Making gvproxy.exe optional for building Windows installer
  * Add gvproxy to Windows packages
  * Match VT device paths to be blocked from mounting exactly
  * Clean up more language for inclusiveness
  * Set runAsNonRoot=true in gen kube
  * quadlet: Add device support for .volume files
  * fix: running check error when podman is default in wsl
  * fix: don't output 'ago' when container is currently up and running
  * journald: podman logs only show logs for current user
  * journald: podman events only show events for current user
  * Add (podman {image,manifest} push --sign-by-sigstore=param-file.yaml)
  * DB: make loading container states optional
  * ps: do not sync container
  * Allow --device-cgroup-rule to be passed in by docker API
  * Create release notes for v4.4.0
  * Cirrus: Update operating branch
  * fix APIv2 python attach test flake
  * ps: query health check in batch mode
  * make example volume import, not import volume
  * Correct output when inspecting containers created with --ipc
  * Vendor containers/(storage, image, common, buildah)
  * Get correct username in pod when using --userns=keep-id
  * ps: get network data in batch mode
  * build(deps): bump github.com/onsi/gomega from 1.25.0 to 1.26.0
  * add hack/perf for comparing two container engines
  * systems: retrofit dns options test to honor other search domains
  * ps: do not create copy of container config
  * libpod: set search domain independently of nameservers
  * libpod,netavark: correctly populate /etc/resolv.conf with custom dns server
  * podman: relay custom DNS servers to network stack
  * (fix) mount_program is in storage.options.overlay
  * Change example target to default in doc
  * network create: do not allow `default` as name
  * kube-play: add support for HostPID in podSpec
  * build(deps): bump github.com/docker/docker
  * Let's see if #14653 is fixed or not
  * Add support for podman build --group-add
  * vendor in latest containers/(storage, common, build, image)
  * unskip network update test
  * do not install swagger by default
  * pasta: skip 'Local forwarder, IPv4' test
  * add testbindings Makefile target
  * update CI images to include pasta
  * [CI:DOCS] Add CNI deprecation notices to documentation
  * Cirrus: preserve podman-server logs
  * waitPidStop: reduce sleep time to 10ms
  * StopContainer: return if cleanup process changed state
  * StopSignal: add a comment
  * StopContainer: small refactor
  * waitPidStop: simplify code
  * e2e tests: reenable long-skipped build test
  * Add openssh-clients to podmanimage
  * Reworks Windows smoke test to tunnel through interactive session.
  * fix bud-multiple-platform-with-base-as-default-arg flake
  * Remove ReservedAnnotations from kube generate specification
  * e2e: update test/README.md
  * e2e: use isRootless() instead of rootless.IsRootless()
  * Cleanup documentation on --userns=auto
  * Vendor in latest c/common
  * sig-proxy system test: bump timeout
  * build(deps): bump github.com/containernetworking/plugins
  * rootless: rename auth-scripts to preexec-hooks
  * Docs: version-check updates
  * commit: use libimage code to parse changes
  * [CI:DOCS] Remove experimental mac tutorial
  * man: Document the interaction between --systemd and --privileged
  * Make rootless privileged containers share the same tty devices as rootfull ones
  * container kill: handle stopped/exited container
  * Vendor in latest containers/(image,ocicrypt)
  * add a comment to container removal
  * Vendor in latest containers/storage
  * Cirrus: Run machine tests on PR merge
  * fix flake in kube system test
  * kube play: complete container spec
  * E2E Tests: Use inspect instead of actual data to avoid UDP flake
  * Use containers/storage/pkg/regexp in place of regexp
  * Vendor in latest containers/storage
  * Cirrus: Support using updated/latest NV/AV in PRs
  * Limit replica count to 1 when deploying from kubernetes YAML
  * Set StoppedByUser earlier in the process of stopping
  * podman-play system test: refactor
  * network: add support for podman network update and --network-dns-server
  * service container: less verbose error logs
  * Quadlet Kube - add support for PublishPort key
  * e2e: fix systemd_activate_test
  * Compile regex on demand not in init
  * [docker compat] Don't overwrite the NetworkMode if containers.conf overrides netns.
  * E2E Test: Play Kube set deadline to connection to avoid hangs
  * Only prevent VTs to be mounted inside privileged systemd containers
  * e2e: fix play_kube_test
  * Updated error message for supported VolumeSource types
  * Introduce pkg retry logic in win installer task
  * logformatter: include base SHA, with history link
  * Network tests: ping redhat.com, not podman.io
  * cobra: move engine shutdown to Execute
  * Updated options for QEMU on Windows hosts
  * Update Mac installer to use gvproxy v0.5.0
  * podman: podman rm -f doesn't leave processes
  * oci: check for valid PID before kill(pid, 0)
  * linux: add /sys/fs/cgroup if /sys is a bind mount
  * Quadlet: Add support for ConfigMap key in Kube section
  * remove service container _after_ pods
  * Kube Play - allow setting and overriding published host ports
  * oci: terminate all container processes on cleanup
  * Update win-sshproxy to 0.5.0 gvisor tag
  * Vendor in latest containers/common
  * Fix a potential defer logic error around locking
  * logformatter: nicer formatting for bats failures
  * logformatter: refactor verbose line-print
  * e2e tests: stop using UBI images
  * k8s-file: podman logs --until --follow exit after time
  * journald: podman logs --until --follow exit after time
  * journald: seek to time when --since is used
  * podman logs: journald fix --since and --follow
  * Preprocess files in UTF-8 mode
  * Vendor in latest containers/(common, image, storage)
  * Switch to C based msi hooks for win installer
  * hack/bats: improve usage message
  * hack/bats: add --remote option
  * hack/bats: fix root/rootless logic
  * Describe copy volume options
  * Support sig-proxy for podman-remote attach and start
  * libpod: fix race condition rm'ing stopping containers
  * e2e: fix run_volume_test
  * Add support for Windows ARM64
  * Add shared --compress to man pages
  * Add container error message to ContainerState
  * Man page checker: require canonical name in SEE ALSO
  * system df: improve json output code
  * kube play: fix the error logic with --quiet
  * System tests: quadlet network test
  * Fix: List container with volume filter
  * adding -dryrun flag
  * Quadlet Container: Add support for EnvironmentFile and EnvironmentHost
  * Kube Play: use passthrough as the default log-driver if service-container is set
  * System tests: add missing cleanup
  * System tests: fix unquoted question marks
  * Build and use a newer systemd image
  * Quadlet Network - Fix the name of the required network service
  * System Test Quadlet - Volume dependency test did not test the dependency
  * fix `podman system connection - tcp` flake
  * vendor: bump c/storage to a747b27
  * Fix instructions about setting storage driver on command-line
  * Test README - point users to hack/bats
  * System test: quadlet kube basic test
  * Fixed `podman update --pids-limit`
  * podman-remote,bindings: trim context path correctly when its emptydir
  * Quadlet Doc: Add section for .kube files
  * e2e: fix containers_conf_test
  * Allow '/' to prefix container names to match Docker
  * Remove references to qcow2
  * Fix typos in man page regarding transient storage mode.
  * make: Use PYTHON var for .install.pre-commit
  * Add containers.conf read-only flag support
  * Explain that relabeling/chowning of volumes can take a long time
  * events: support 'die' filter
  * infra/abi: refactor ContainerRm
  * When in transient store mode, use rundir for bundlepath
  * quadlet: Support Type=oneshot container files
  * hacks/bats: keep QUADLET env var in test env
  * New system tests for conflicting options
  * Vendor in latest containers/(buildah, image, common)
  * Output Size and Reclaimable in human form for json output
  * podman service: close duplicated /dev/null fd
  * ginkgo tests: apply ginkgolinter fixes
  * Add support for hostPath and configMap subpath usage
  * export: use io.Writer instead of file
  * rootless: always create userns with euid != 0
  * rootless: inhibit copy mapping for euid != 0
  * pkg/domain/infra/abi: introduce `type containerWrapper`
  * vendor: bump to buildah ca578b290144 and use new cache API
  * quadlet: Handle booleans that have defaults better
  * quadlet: Rename parser.LookupBoolean to LookupBooleanWithDefault
  * Add podman-clean-transient.service service
  * Stop recording annotations set to false
  * Unify --noheading and -n to be consistent on all commands
  * pkg/domain/infra/abi: add `getContainers`
  * Update vendor of containers/(common, image)
  * specfile: Drop user-add dependency from quadlet subpackage.
  * quadlet: Default BINDIR to /usr/bin if tag not specified
  * Quadlet: add network support
  * Add comment for jsonMarshal command
  * Always allow pushing from containers-storage
  * libpod: move NetNS into state db instead of extra bucket
  * Add initial system tests for quadlets
  * quadlet: Add --user option
  * libpod: remove CNI word where no longer applicable
  * libpod: fix header length in http attach with logs
  * podman-kube@ template: use `podman kube`
  * build(deps): bump github.com/docker/docker
  * wait: add --ignore option
  * quadlet: Respect $PODMAN env var for podman binary
  * e2e: Add assert-key-is-regex check to quadlet e2e testsuite
  * e2e: Add some assert to quadlet test to make sure testcases are sane
  * remove unmapped ports from inspect port bindings
  * update podman-network-create for clarity
  * Vendor in latest containers/common with default capabilities
  * pkg/rootless: Change error text ...
  * rootless: add cli validator
  * rootless: define LIBEXECPODMAN
  * doc: fix documentation for idmapped mounts
  * bump golangci-lint to v1.50.1
  * build(deps): bump github.com/onsi/gomega from 1.24.1 to 1.24.2
  * [CI:DOCS] podman-mount: s/umount/unmount/
  * create/pull --help: list pull policies
  * Network Create: Add --ignore flag to support idempotent script
  * Make qemu security model none
  * libpod: use OCI idmappings for mounts
  * stop reporting errors removing containers that don't exist
  * test: added test for wait endpoint with too long label
  * quadlet: Default VolatileTmp to off
  * build(deps): bump github.com/ulikunitz/xz from 0.5.10 to 0.5.11
  * docs/options/ipc: fix list syntax
  * Docs: Add dedicated DOWNLOAD doc w/ links to bins
  * Make a consistently-named windows installer
  * checkpoint restore: fix --ignore-static-ip/mac
  * add support for subpath in play kube for named volumes
  * build(deps): bump golang.org/x/net from 0.2.0 to 0.4.0
  * golangci-lint: remove three deprecated linters
  * parse-localbenchmarks: separate standard deviation
  * build(deps): bump golang.org/x/term from 0.2.0 to 0.3.0
  * podman play kube support container startup probe
  * Add podman buildx version support
  * Cirrus: Collect benchmarks on machine instances
  * Cirrus: Remove escape codes from log files
  * [CI:DOCS] Clarify secret target behavior
  * Fix typo on network docs
  * podman-remote build add --volume support
  * remote: allow --http-proxy for remote clients
  * Cleanup kube play workloads if error happens
  * health check: ignore dependencies of transient systemd units/timers
  * fix: event read from syslog
  * Fixes secret (un)marshaling for kube play.
  * Remove 'you' from man pages
  * build(deps): bump golang.org/x/tools from 0.3.0 to 0.4.0 in /test/tools
  * [CI:DOCS] test/README.md: run tests with podman-remote
  * e2e: keeps the http_proxy value
  * Makefile: Add podman-mac-helper to darwin client zip
  * test/e2e: enable 'podman run with ipam none driver' for nv
  * [skip-ci] GHA/Cirrus-cron: Fix execution order
  * kube sdnotify: run proxies for the lifespan of the service
  * Update containers common package
  * podman manpage: Use man-page links instead of file names
  * e2e: fix e2e tests in proxy environment
  * Fix test
  * disable healthchecks automatically on non systemd systems
  * Quadlet Kube: Add support for userns flag
  * [CI:DOCS] Add warning about --opts,o with mount's -o
  * Add podman system prune --external
  * Add some tests for transient store
  * runtime: In transient_store mode, move bolt_state.db to rundir
  * runtime: Handle the transient store options
  * libpod: Move the creation of TmpDir to an earlier time
  * network create: support '-o parent=XXX' for ipvlan
  * compat API: allow MacAddress on container config
  * Quadlet Kube: Add support for relative path for YAML file
  * notify k8s system test: move sending message into exec
  * runtime: do not chown idmapped volumes
  * quadlet: Drop ExecStartPre=rm %t/%N.cid
  * Quadlet Kube: Set SyslogIdentifier if was not set
  * Add a FreeBSD cross build to the cirrus alt build task
  * Add completion for --init-ctr
  * Fix handling of readonly containers when defined in kube.yaml
  * Build cross-compilation fixes
  * libpod: Track healthcheck API changes in healthcheck_unsupported.go
  * quadlet: Use same default capability set as podman run
  * quadlet: Drop --pull=never
  * quadlet: Change default of ReadOnly to no
  * quadlet: Change RunInit default to no
  * quadlet: Change NoNewPrivileges default to false
  * test: podman run with checkpoint image
  * Enable 'podman run' for checkpoint images
  * test: Add tests for checkpoint images
  * CI setup: simplify environment passthrough code
  * Init containers should not be restarted
  * Update c/storage after https://github.com/containers/storage/pull/1436
  * Set the latest release explicitly
  * add friendly comment
  * fix an overriding logic and load config problem
  * Update the issue templates
  * Update vendor of containers/(image, buildah)
  * [CI:DOCS] Skip windows-smoke when not useful
  * [CI:DOCS] Remove broken gate-container docs
  * OWNERS: add Jason T. Greene
  * hack/podmansnoop: print arguments
  * Improve atomicity of VM state persistence on Windows
  * [CI:BUILD] copr: enable podman-restart.service on rpm installation
  * macos: pkg: Use -arm64 suffix instead of -aarch64
  * linux: Add -linux suffix to podman-remote-static binaries
  * linux: Build amd64 and arm64 podman-remote-static binaries
  * container create: add inspect data to event
  * Allow manual override of install location
  * Run codespell on code
  * Add missing parameters for checkpoint/restore endpoint
  * Add support for startup healthchecks
  * Add information on metrics to the `network create` docs
  * Introduce podman machine os commands
  * Document that ignoreRootFS depends on export/import
  * Document ignoreVolumes in checkpoint/restore endpoint
  * Remove leaveRunning from swagger restore endpoint
  * libpod: Add checks to avoid nil pointer dereference if network setup fails
  * Address golangci-lint issues
  * Documenting Hyper-V QEMU acceleration settings
  * Kube Play: fix the handling of the optional field of SecretVolumeSource
  * Update Vendor of containers/(common, image, buildah)
  * Fix swapped NetInput/-Output stats
  * libpod: Use O_CLOEXEC for descriptors returned by (*Container).openDirectory
  * chore: Fix MD for Troubleshooting Guide link in GitHub Issue Template
  * test/tools: rebuild when files are changed
  * ginkgo tests: apply ginkgolinter fixes
  * ginkgo: restructure install work flow
  * Fix manpage emphasis
  * specgen: support CDI devices from containers.conf
  * vendor: update containers/common
  * pkg/trust: Take the default policy path from c/common/pkg/config
  * Add validate-in-container target
  * Adding encryption decryption feature
  * container restart: clean up healthcheck state
  * Add support for podman-remote manifest annotate
  * Quadlet: Add support for .kube files
  * Update vendor of containers/(buildah, common, storage, image)
  * specgen: honor user namespace value
  * [CI:DOCS] Migrate OSX Cross to M1
  * quadlet: Rework uid/gid remapping
  * GHA: Fix cirrus re-run workflow for other repos.
  * ssh system test: skip until it becomes a test
  * shell completion: fix hard coded network drivers
  * libpod: Report network setup errors properly on FreeBSD
  * E2E Tests: change the registry for the search test to avoid authentication
  * pkginstaller: install podman-mac-helper by default
  * Fix language. Mostly spelling a -> an
  * podman machine: Propagate SSL_CERT_FILE and SSL_CERT_DIR to systemd environment.
  * [CI:DOCS] Fix spelling and typos
  * Modify man page of '--pids-limit' option to correct a default value.
  * Update docs/source/markdown/podman-remote.1.md
  * Update pkg/bindings/connection.go
  * Add more documentation on UID/GID Mappings with --userns=keep-id
  * support podman-remote to connect tcpURL with proxy
  * Removing the RawInput from the API output
  * fix port issues for CONTAINER_HOST
  * CI: Package versions: run in the 'main' step
  * build(deps): bump github.com/rootless-containers/rootlesskit
  * pkg/domain: Make checkExecPreserveFDs platform-specific
  * e2e tests: fix restart race
  * Fix podman --noout to suppress all output
  * remove pod if creation has failed
  * pkg/rootless: Implement rootless.IsFdInherited on FreeBSD
  * Fix more podman-logs flakes
  * healthcheck system tests: try to fix flake
  * libpod: treat ESRCH from /proc/PID/cgroup as ENOENT
  * GHA: Configure workflows for reuse
  * compat,build: handle docker's preconfigured cacheTo,cacheFrom
  * docs: deprecate pasta network name
  * utils: Enable cgroup utils for FreeBSD
  * pkg/specgen: Disable kube play tests on FreeBSD
  * libpod/lock: Fix build and tests for SHM locks on FreeBSD
  * podman cp: fix copying with '.' suffix
  * pkginstaller: bump Qemu to version 7.1.0
  * specgen,wasm: switch to crun-wasm wherever applicable
  * vendor: bump c/common to v0.50.2-0.20221111184705-791b83e1cdf1
  * libpod: Make unit test for statToPercent Linux only
  * Update vendor of containers/storage
  * fix connection usage with containers.conf
  * Add --quiet and --no-info flags to podman machine start
  * Add hidden podman manifest inspect -v option
  * Add podman volume create -d short option for driver
  * Vendor in latest containers/(common,image,storage)
  * Add podman system events alias to podman events
  * Fix search_test to return correct version of alpine
  * GHA: Fix undefined secret env. var.
  * Release notes for 4.3.1
  * GHA: Fix make_email-body script reference
  * Add release keys to README
  * GHA: Fix typo setting output parameter
  * GHA: Fix typo.
  * New tool, docs/version-check
  * Formalize our compare-against-docker mechanism
  * Add restart-sec for container service files
  * test/tools: bump module to go 1.17
  * contrib/cirrus/check_go_changes.sh: ignore test/tools/vendor
  * build(deps): bump golang.org/x/tools from 0.1.12 to 0.2.0 in /test/tools
  * libpod: Add FreeBSD support in packageVersion
  * Allow podman manifest push --purge|-p as alias for --rm
  * [CI:DOCS] Add performance tutorial
  * [CI:DOCS] Fix build targets in build_osx.md.
  * fix --format {{json .}} output to match docker
  * remote: fix manifest add --annotation
  * Skip test if `--events-backend` is necessary with podman-remote
  * kube play: update the handling of PersistentVolumeClaim
  * system tests: fix a system test in proxy environment
  * Use single unqualified search registry on Windows
  * test/system: Add, use tcp_port_probe() to check for listeners rather than binds
  * test/system: Add tests for pasta(1) connectivity
  * test/system: Move network-related helpers to helpers.network.bash
  * test/system: Use procfs to find bound ports, with optional address and protocol
  * test/system: Use port_is_free() from wait_for_port()
  * libpod: Add pasta networking mode
  * More log-flake work
  * Fix test flakes caused by improper podman-logs
  * fix incorrect systemd booted check
  * Cirrus: Add tests for GHA scripts
  * GHA: Update scripts to pass shellcheck
  * Cirrus: Shellcheck github-action scripts
  * Cirrus: shellcheck support for github-action scripts
  * GHA: Fix cirrus-cron scripts
  * Makefile: don't install to tmpfiles.d on FreeBSD
  * Make sure we can build and read each line of docker py's api client
  * Docker compat build api - make sure only one line appears per flush
  * Run codespell on code
  * Update vendor of containers/(image, storage, common)
  * Allow namespace path network option for pods.
  * Cirrus: Never skip running Windows Cross task
  * GHA: Auto. re-run failed cirrus-cron builds once
  * GHA: Migrate inline script to file
  * GHA: Simplify script reference
  * test/e2e: do not use apk in builds
  * remove container/pod id file along with container/pod
  * Cirrus: Synchronize windows image
  * Add --insecure,--tls-verify,--verbose flags to podman manifest inspect
  * runtime: add check for valid pod systemd cgroup
  * CI: set and verify DESIRED_NETWORK (netavark, cni)
  * [CI:DOCS] troubleshooting: document keep-id options
  * Man pages: refactor common options: --security-opt
  * Cirrus: Guarantee CNI testing w/o nv/av present
  * Cirrus: temp. disable all Ubuntu testing
  * Cirrus: Update to F37beta
  * buildah bud tests: better handling of remote
  * quadlet: Warn in generator if using short names
  * Add Windows Smoke Testing
  * Add podman kube apply command
  * docs: offer advice on installing test dependencies
  * Fix documentation on read-only-tmpfs
  * version bump to 4.4.0-dev
  * deps: bump go-criu to v6
  * Makefile: Add cross build targets for freebsd
  * pkg/machine: Make this build on FreeBSD/arm64
  * pkg/rctl: Remove unused cgo dependency
  * man pages: assorted underscore fixes
  * Upgrade GitHub actions packages from v2 to v3
  * vendor github.com/godbus/dbus/v5 at 4b691ce
  * [CI:DOCS] fix --tmpdir typos
  * Do not report that /usr/share/containers/storage.conf has been edited.
  * Eval symlinks on XDG_RUNTIME_DIR
  * hack/podmansnoop
  * rootless: support keep-id with one mapping
  * rootless: add argument to GetConfiguredMappings
  * Update vendor containers/(common,storage,buildah,image)
  * Fix deadlock between 'podman ps' and 'container inspect' commands
  * Add information about where the libpod/boltdb database lives
  * Consolidate the dependencies for the IsTerminal() API
  * Ensure that StartAndAttach locks while sending signals
  * ginkgo testing: fix podman usernamespace join
  * Test runners: nuke podman from $PATH before tests
  * volumes: Fix idmap not working for volumes
  * FIXME: Temporary workaround for ubi8 CI breakage
  * System tests: teardown: clean up volumes
  * update api versions on docs.podman.io
  * system tests: runlabel: use podman-under-test
  * system tests: podman network create: use random port
  * sig-proxy test: bump timeout
  * play kube: Allow the user to import the contents of a tar file into a volume
  * Clarify the docs on DropCapability
  * quadlet tests: Disable kmsg logging while testing
  * quadlet: Support multiple Network=
  * quadlet: Add support for Network=...
  * Fix manpage for podman run --network option
  * quadlet: Add support for AddDevice=
  * quadlet: Add support for setting seccomp profile
  * quadlet: Allow multiple elements on each Add/DropCaps line
  * quadlet: Embed the correct binary name in the generated comment
  * quadlet: Drop the SocketActivated key
  * quadlet: Switch log-driver to passthrough
  * quadlet: Change ReadOnly to default to enabled
  * quadlet tests: Run the tests even for (expected) failed tests
  * quadlet tests: Fix handling of stderr checks
  * Remove unused script file
  * notifyproxy: fix container watcher
  * container/pod id file: truncate instead of throwing an error
  * quadlet: Use the new podman create volume --ignore
  * Add podman volume create --ignore
  * logcollector: include aardvark-dns
  * build(deps): bump github.com/stretchr/testify from 1.8.0 to 1.8.1
  * build(deps): bump github.com/BurntSushi/toml from 1.2.0 to 1.2.1
  * docs: generate systemd: point to kube template
  * docs: kube play: mention restart policy
  * Fixes: 15858 (podman system reset --force destroy machine)
  * fix search flake
  * use cached containers.conf
  * adding regex support to the ancestor ps filter function
  * Fix `system df` issues with `-f` and `-v`
  * markdown-preprocess: cross-reference where opts are used
  * Default qemu flags for Windows amd64
  * build(deps): bump golang.org/x/text from 0.3.8 to 0.4.0
  * Update main to reflect v4.3.0 release
  * build(deps): bump github.com/docker/docker
  * move quadlet packages into pkg/systemd
  * system df: fix image-size calculations
  * Add man page for quadlet
  * Fix small typo
  * testimage: add iproute2 & socat, for pasta networking
  * Set up minikube for k8s testing
  * Makefile: don't install systemd generator binaries on FreeBSD
  * [CI:BUILD] copr: podman rpm should depend on containers-common-extra
  * Podman image: Set default_sysctls to empty for rootless containers
  * Don't use  github.com/docker/distribution
  * libpod: Add support for 'podman top' on FreeBSD
  * libpod: Factor out jail name construction from stats_freebsd.go
  * pkg/util: Add pid information descriptors for FreeBSD
  * Initial quadlet version integrated in golang
  * bump golangci-lint to v1.49.0
  * Update vendor containers/(common,image,storage)
  * Allow volume mount dups, iff source and dest dirs
  * rootless: fix return value handling
  * Change to correct break statements
  * vendor containers/psgo at v1.8.0
  * Clarify that MacOSX docs are client specific
  * libpod: Factor out the call to PidFdOpen from (*Container).WaitForExit
  * Add swagger install + allow version updates in CI
  * Cirrus: Fix windows clone race
  * build(deps): bump github.com/docker/docker
  * kill: wait for the container
  * generate systemd: set --stop-timeout for stopping containers
  * hack/tree_status.sh: print diff at the end
  * Fix markdown header typo
  * markdown-preprocess: add generic include mechanism
  * markdown-preprocess: almost complete OO rewrite
  * Update tests for changed error messages
  * Update c/image after https://github.com/containers/image/pull/1299
  * Man pages: refactor common options (misc)
  * Man pages: Refactor common options: --detach-keys
  * vendor containers/storage at main
  * Man pages: refactor common options: --attach
  * build(deps): bump github.com/fsnotify/fsnotify from 1.5.4 to 1.6.0
  * KillContainer: improve error message
  * docs: add missing options
  * Man pages: refactor common options: --annotation (manifest)
  * build(deps): bump github.com/spf13/cobra from 1.5.0 to 1.6.0
  * system tests: health-on-failure: fix broken logic
  * build(deps): bump golang.org/x/text from 0.3.7 to 0.3.8
  * build(deps): bump github.com/onsi/gomega from 1.20.2 to 1.22.1
  * ContainerEngine.SetupRootless(): Avoid calling container.Config()
  * Container filters: Avoid use of ctr.Config()
  * Avoid unnecessary calls to Container.Spec()
  * Add and use Container.LinuxResource() helper
  * play kube: notifyproxy: listen before starting the pod
  * play kube: add support for configmap binaryData
  * Add and use libpod/Container.Terminal() helper
  * Revert 'Add checkpoint image tests'
  * Revert 'cmd/podman: add support for checkpoint images'
  * healthcheck: fix --on-failure=stop
  * Man pages: Add mention of behavior due to XDG_CONFIG_HOME
  * build(deps): bump github.com/containers/ocicrypt from 1.1.5 to 1.1.6
  * Avoid unnecessary timeout of 250msec when waiting on container shutdown
  * health checks: make on-failure action retry aware
  * libpod: Remove 100msec delay during shutdown
  * libpod: Add support for 'podman pod' on FreeBSD
  * libpod: Factor out cgroup validation from (*Runtime).NewPod
  * libpod: Move runtime_pod_linux.go to runtime_pod_common.go
  * specgen/generate: Avoid a nil dereference in MakePod
  * libpod: Factor out cgroups handling from (*Pod).refresh
  * Adds a link to OSX docs in CONTRIBUTING.md
  * Man pages: refactor common options: --os-version
  * Create full path to a directory when DirectoryOrCreate is used with play kube
  * Return error in podman system service if URI scheme is not unix/tcp
  * Man pages: refactor common options: --time
  * man pages: document some --format options: images
  * Clean up when stopping pods
  * Update vendor of containers/buildah v1.28.0
  * Proof of concept: nightly dependency treadmill

- Make the priority for picking the storage driver configurable (bsc#1197093)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:1913-1
Released:    Wed Apr 19 14:23:14 2023
Summary:     Recommended update for libslirp, slirp4netns
Type:        recommended
Severity:    moderate
References:  1201551
This update for libslirp and slirp4netns fixes the following issues:

libslirp was updated to version 4.7.0+44 (current git master):

* Fix vmstate regression
* Align outgoing packets
* Bump incoming packet alignment to 8 bytes
* vmstate: only enable when building under GNU C
* ncsitest: Fix build with msvc
* Separate out SLIRP_PACKED to SLIRP_PACKED_BEGIN/END
* ncsi: Add Mellanox Get Mac Address handler
* slirp: Add out-of-band ethernet address
* ncsi: Add OEM command handler
* ncsi: Add basic test for Get Version ID response
* ncsi: Use response header for payload length
* ncsi: Pass command header to response handlers
* ncsi: Add Get Version ID command
* ncsi: Pass Slirp structure to response handlers
* slirp: Add manufacturer's ID

Release v4.7.0

* slirp: invoke client callback before creating timers
* pingtest: port to timer_new_opaque
* introduce timer_new_opaque callback
* introduce slirp_timer_new wrapper
* icmp6: make ndp_send_ra static
* socket: Handle ECONNABORTED from recv
* bootp: fix g_str_has_prefix warning/critical
* slirp: Don't duplicate packet in tcp_reass
* Rename insque/remque -> slirp_[ins|rem]que
* mbuf: Use SLIRP_DEBUG to enable mbuf debugging instead of DEBUG
* Replace inet_ntoa() with safer inet_ntop()
* Add VMS_END marker
* bootp: add support for UEFI HTTP boot
* IPv6 DNS proxying support
* Add missing scope_id in caching
* socket: Move closesocket(so->s_aux) to sofree
* socket: Check so_type instead of so_tcpcb for Unix-to-inet translation
* socket: Add s_aux field to struct socket for storing auxiliary socket
* socket: Initialize so_type in socreate
* socket: Allocate Unix-to-TCP hostfwd port from OS by binding to port 0
* Allow to disable internal DHCP server
* slirp_pollfds_fill: Explain why dividing so_snd.sb_datalen by two
* CI: run integration tests with slirp4netns
* socket: Check address family for Unix-to-inet accept translation
* socket: Add debug args for tcpx_listen (inet and Unix sockets)
* socket: Restore original definition of fhost
* socket: Move <sys/un.h> include to socket.h
* Support Unix sockets in hostfwd
* resolv: fix IPv6 resolution on Darwin
* Use the exact sockaddr size in getnameinfo call
* Initialize sin6_scope_id to zero
* slirp_socketpair_with_oob: Connect pair through 127.0.0.1
* resolv: fix memory leak when using libresolv
* pingtest: Add a trivial ping test
* icmp: Support falling back on trying a SOCK_RAW socket

Update to version 4.6.1+7:

* Haiku: proper path to resolv.conf for DNS server
* Fix for Haiku
* dhcp: Always send DHCP_OPT_LEN bytes in options

Update to version 4.6.1:

* Fix 'DHCP broken in libslirp v4.6.0'

Update to version 4.6.0:

* udp: check udp_input buffer size
* tftp: introduce a header structure
* tftp: check tftp_input buffer size
* udp6: check udp6_input buffer size
* bootp: check bootp_input buffer size
* bootp: limit vendor-specific area to input packet memory buffer

Update to version 4.4.0:

* socket: consume empty packets
* slirp: check pkt_len before reading protocol header
* Add DNS resolving for iOS
* sosendoob: better document what urgc is used for
* TCPIPHDR_DELTA: Fix potential negative value
* udp, udp6, icmp, icmp6: Enable forwarding errors on Linux
* icmp, icmp6: Add icmp_forward_error and icmp6_forward_error
* udp, udp6, icmp: handle TTL value
* ip_stripoptions use memmove

slirp4netns was updated to 1.2.0:

* Add slirp4netns --target-type=bess /path/to/bess.sock for supporting UML (#281)
* Explicitly support DHCP (#270)
* Update parson to v1.1.3 (#273) kgabis/parson at 70dc239...2d7b3dd

Update to version 1.1.11:

* Add --macaddress option to specify the MAC address of the tap interface.
* Updated the man page.

Update to version 1.1.8:

Update to 1.0.0:

* --enable-sandbox is now out of experimental

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2003-1
Released:    Tue Apr 25 18:05:42 2023
Summary:     Security update for runc
Type:        security
Severity:    important
References:  1168481,1208962,1209884,1209888,CVE-2023-25809,CVE-2023-27561,CVE-2023-28642
This update for runc fixes the following issues:

Update to runc v1.1.5:

Security fixes:

- CVE-2023-25809: Fixed rootless `/sys/fs/cgroup` being writable when cgroupns isn't unshared (bnc#1209884).
- CVE-2023-27561: Fixed a regression that reintroduced the CVE-2019-19921 vulnerability (bnc#1208962).
- CVE-2023-28642: Fixed an AppArmor/SELinux bypass with a symlinked /proc (bnc#1209888).

Other fixes:

 - Fix the inability to use `/dev/null` when inside a container.
 - Fix changing the ownership of host's `/dev/null` caused by fd redirection (bsc#1168481).
 - Fix rare runc exec/enter unshare error on older kernels.
 - nsexec: Check for errors in `write_log()`.
 - Drop version-specific Go requirement.
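
A post-update check for the two runc issues named above, as an added example that is not part of this advisory or of runc itself. It assumes the documented /proc/self/mountinfo field layout and uses constructed sample lines; the authoritative check remains the installed runc version (rpm -q runc), this only confirms the effect inside a running container.

```shell
#!/bin/sh
# Added example, not part of the SUSE advisory or of runc: two checks to run after
# rolling out the runc v1.1.5 update described above.
#   1. cgroup_mount_state: reads /proc/self/mountinfo text on stdin and reports whether
#      /sys/fs/cgroup is mounted read-only (CVE-2023-25809 concerns a rootless container
#      whose cgroup mount is writable when cgroupns was not unshared).
#   2. proc_dir_state: reports whether ROOTFS/proc is a symlink, the precondition named
#      for CVE-2023-28642 (AppArmor/SELinux bypass with a symlinked /proc).
# The sample mountinfo lines below are constructed for the demo, not captured from a host.

# mountinfo fields: 1 mount id, 2 parent id, 3 major:minor, 4 root, 5 mount point,
# 6 per-mount options (a read-only bind/remount shows up here as "ro"), then optional
# fields, "-", fstype, source, superblock options.
# Prints "readonly", "writable" or "absent".
cgroup_mount_state() {
    awk 'BEGIN { state = "absent" }
         $5 == "/sys/fs/cgroup" {
             state = "writable"
             n = split($6, opts, ",")
             for (i = 1; i <= n; i++) if (opts[i] == "ro") state = "readonly"
             exit
         }
         END { print state }'
}

# Prints "symlink" if ROOTFS/proc is a symbolic link, "dir" if it is a real directory,
# "missing" otherwise. Run it against an unpacked image rootfs before the container starts.
proc_dir_state() {
    if [ -L "$1/proc" ]; then
        echo symlink
    elif [ -d "$1/proc" ]; then
        echo dir
    else
        echo missing
    fi
}

# Constructed samples: on the fixed system the per-mount options carry "ro" even though
# the superblock options (after the "-") still say rw.
SAMPLE_FIXED='31 24 0:27 / /sys/fs/cgroup ro,nosuid,nodev,noexec,relatime - cgroup2 cgroup2 rw,nsdelegate'
SAMPLE_VULN='31 24 0:27 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime - cgroup2 cgroup2 rw,nsdelegate'

# Demo when executed directly; inside a real container use
#   cgroup_mount_state < /proc/self/mountinfo
printf '%s\n' "$SAMPLE_FIXED" | cgroup_mount_state   # readonly
printf '%s\n' "$SAMPLE_VULN"  | cgroup_mount_state   # writable
```

The cgroup check targets the unified cgroup v2 mount at /sys/fs/cgroup; on a cgroup v1 host the per-controller mounts under /sys/fs/cgroup/ need the same treatment (match on the controller path in field 5). A "readonly" result shows the mount is not writable from inside the container but is not by itself proof that the fixed runc is in use.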

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2157-1
Released:    Wed May 10 13:21:20 2023
Summary:     Security update for conmon
Type:        security
Severity:    important
References:  1200441

This update of conmon fixes the following issues:

- rebuild the package with the Go 1.19.9 security release (bsc#1200441).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2256-1
Released:    Fri May 19 15:26:43 2023
Summary:     Security update for runc
Type:        security
Severity:    important
References:  1200441

This update of runc fixes the following issues:

- rebuild the package with the Go 1.19.9 security release (bsc#1200441).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2324-1
Released:    Tue May 30 15:52:17 2023
Summary:     Security update for cni-plugins
Type:        security
Severity:    important
References:  1200441

This update of cni-plugins fixes the following issues:

- rebuild the package with the go 1.19 security release (bsc#1200441).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2325-1
Released:    Tue May 30 15:57:30 2023
Summary:     Security update for cni
Type:        security
Severity:    important
References:  1200441

This update of cni fixes the following issues:

- rebuild the package with the go 1.19 security release (bsc#1200441).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2527-1
Released:    Fri Jun 16 19:04:57 2023
Summary:     Recommended update for NetworkManager
Type:        recommended
Severity:    moderate
References:  
This update for NetworkManager fixes the following issues:

- Create /etc/NetworkManager/conf.d by default, allowing easy override for NetworkManager.conf file with drop-in
- Move default config file to /usr/lib/NetworkManager/NetworkManager.conf, as part of main package
- Ensure /usr/lib/NetworkManager/conf.d is part of the package

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2657-1
Released:    Tue Jun 27 14:43:57 2023
Summary:     Recommended update for libcontainers-common
Type:        recommended
Severity:    moderate
References:  1211124
This update for libcontainers-common fixes the following issues:

- New subpackage libcontainers-sles-mounts which adds SLE-specific mounts on SLE systems (bsc#1211124)
- Own /etc/containers/systemd and /usr/share/containers/systemd for podman quadlet
- Remove container-storage-driver.sh to default to the overlay driver instead of btrfs

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2658-1
Released:    Tue Jun 27 14:46:15 2023
Summary:     Recommended update for containerd, docker, runc
Type:        recommended
Severity:    moderate
References:  1207004,1208074,1210298,1211578
This update for containerd, docker, runc fixes the following issues:

- Update to containerd v1.6.21 (bsc#1211578)
- Update to Docker 23.0.6-ce (bsc#1211578)
- Update to runc v1.1.7
- Require a minimum Go version explicitly (bsc#1210298)
- Re-unify packaging for SLE-12 and SLE-15
- Fix build on SLE-12 by switching back to libbtrfs-devel headers
- Allow man pages to be built without internet access in OBS
- Add apparmor-parser as a Recommends to make sure that most users will end up with it installed   
  even if they are primarily running SELinux
- Fix syntax of boolean dependency
- Allow to install container-selinux instead of apparmor-parser
- Change to using systemd-sysusers
- Update runc.keyring to upstream version
- Fix the inability to use `/dev/null` when inside a container (bsc#1207004)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2765-1
Released:    Mon Jul  3 20:28:14 2023
Summary:     Security update for libcap
Type:        security
Severity:    moderate
References:  1211418,1211419,CVE-2023-2602,CVE-2023-2603
This update for libcap fixes the following issues:

- CVE-2023-2602: Fixed improper memory release in libcap/psx/psx.c:__wrap_pthread_create() (bsc#1211418).
- CVE-2023-2603: Fixed an integer overflow or wraparound in libcap/cap_alloc.c:_libcap_strdup() (bsc#1211419).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2847-1
Released:    Mon Jul 17 08:40:42 2023
Summary:     Recommended update for audit
Type:        recommended
Severity:    moderate
References:  1210004
This update for audit fixes the following issues:

- Check for AF_UNIX unnamed sockets (bsc#1210004)
- Enable livepatching on main library on x86_64

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2868-1
Released:    Tue Jul 18 11:35:52 2023
Summary:     Security update for cni
Type:        security
Severity:    important
References:  1206346

This update of cni fixes the following issues:

- rebuild the package with the go 1.20 security release (bsc#1206346).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2869-1
Released:    Tue Jul 18 11:39:26 2023
Summary:     Security update for cni-plugins
Type:        security
Severity:    important
References:  1206346

This update of cni-plugins fixes the following issues:

- rebuild the package with the go 1.20 security release (bsc#1206346).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2989-1
Released:    Wed Jul 26 16:33:56 2023
Summary:     Security update for conmon
Type:        security
Severity:    important
References:  1208737,1209307
This update for conmon fixes the following issues:

  conmon was updated to version 2.1.7:

  - Bumped go version to 1.19 (bsc#1209307).

  Bugfixes:

  - Fixed leaking symbolic links in the opt_socket_path directory.
  - Fixed cgroup oom issues (bsc#1208737).
  - Fixed OOM watcher for cgroupv2 `oom_kill` events.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3217-1
Released:    Mon Aug  7 16:51:10 2023
Summary:     Recommended update for cryptsetup
Type:        recommended
Severity:    moderate
References:  1211079
This update for cryptsetup fixes the following issues:

- Handle system with low memory and no swap space (bsc#1211079)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3410-1
Released:    Thu Aug 24 06:56:32 2023
Summary:     Recommended update for audit
Type:        recommended
Severity:    moderate
References:  1201519,1204844
This update for audit fixes the following issues:

- Create symbolic link from /sbin/audisp-syslog to /usr/sbin/audisp-syslog (bsc#1201519)
- Fix rules not loaded when restarting auditd.service (bsc#1204844)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3440-1
Released:    Mon Aug 28 08:57:10 2023
Summary:     Security update for gawk
Type:        security
Severity:    low
References:  1214025,CVE-2023-4156
This update for gawk fixes the following issues:

- CVE-2023-4156: Fixed a heap out-of-bounds read by validating the index into the argument list (bsc#1214025).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3466-1
Released:    Tue Aug 29 07:33:16 2023
Summary:     Recommended update for icu
Type:        recommended
Severity:    moderate
References:  1103893,1112183
This update for icu fixes the following issues:

- Japanese era Reiwa (bsc#1112183, bsc#1103893, fate#325570, fate#325419)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3470-1
Released:    Tue Aug 29 10:49:33 2023
Summary:     Recommended update for parted
Type:        recommended
Severity:    low
References:  1182142,1193412
This update for parted fixes the following issues:

- fix null pointer dereference (bsc#1193412)
- update mkpart options in manpage (bsc#1182142)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3591-1
Released:    Wed Sep 13 08:33:55 2023
Summary:     Security update for shadow
Type:        security
Severity:    low
References:  1214806,CVE-2023-4641
This update for shadow fixes the following issues:

- CVE-2023-4641: Fixed potential password leak (bsc#1214806).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3611-1
Released:    Fri Sep 15 09:28:36 2023
Summary:     Recommended update for sysuser-tools
Type:        recommended
Severity:    moderate
References:  1195391,1205161,1207778,1213240,1214140
This update for sysuser-tools fixes the following issues:

- Update to version 3.2
- Always create a system group of the same name as the system user (bsc#1205161, bsc#1207778, bsc#1213240)
- Add 'quilt setup' friendly hint to %sysusers_requires usage
- Use append so that an existing pre file isn't overwritten
- Invoke bash for bash scripts (bsc#1195391) 
- Remove all systemd requires not supported on SLE15 (bsc#1214140)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3736-1
Released:    Fri Sep 22 20:30:59 2023
Summary:     Recommended update for libcontainers-common
Type:        recommended
Severity:    important
References:  1215291
This update for libcontainers-common fixes the following issues:

- Require libcontainers-sles-mounts for *all* SUSE Linux Enterprise products,
  and not just SUSE Linux Enterprise Server. (bsc#1215291)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3815-1
Released:    Wed Sep 27 18:20:25 2023
Summary:     Security update for cni
Type:        security
Severity:    important
References:  1212475

This update of cni fixes the following issues:

- rebuild the package with the go 1.21 security release (bsc#1212475).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3816-1
Released:    Wed Sep 27 18:25:44 2023
Summary:     Security update for cni-plugins
Type:        security
Severity:    important
References:  1212475

This update of cni-plugins fixes the following issues:

- rebuild the package with the go 1.21 security release (bsc#1212475).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3952-1
Released:    Tue Oct  3 20:06:23 2023
Summary:     Security update for runc
Type:        security
Severity:    important
References:  1212475

This update of runc fixes the following issues:

- Update to runc v1.1.8.

  Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.1.8>.

- rebuild the package with the go 1.21 security release (bsc#1212475).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4042-1
Released:    Tue Oct 10 19:11:00 2023
Summary:     Security update for conmon
Type:        security
Severity:    important
References:  1215806
This update for conmon fixes the following issues:

conmon was rebuilt using go1.21 (bsc#1215806)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4126-1
Released:    Thu Oct 19 09:38:31 2023
Summary:     Security update for cni
Type:        security
Severity:    important
References:  1212475,1216006

This update of cni fixes the following issues:

- rebuild the package with the go 1.21 security release (bsc#1212475).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4127-1
Released:    Thu Oct 19 09:43:23 2023
Summary:     Security update for cni-plugins
Type:        security
Severity:    important
References:  1212475,1216006

This update of cni-plugins fixes the following issues:

- rebuild the package with the go 1.21 security release (bsc#1212475).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4139-1
Released:    Fri Oct 20 10:06:58 2023
Summary:     Recommended update for containerd, runc
Type:        recommended
Severity:    moderate
References:  1215323
This update for containerd, runc fixes the following issues:

runc was updated to v1.1.9. Upstream changelog is available from

  https://github.com/opencontainers/runc/releases/tag/v1.1.9

containerd was updated to v1.7.7 for Docker v24.0.6-ce. Upstream release notes:

- https://github.com/containerd/containerd/releases/tag/v1.7.7
- https://github.com/containerd/containerd/releases/tag/v1.7.6 (bsc#1215323)
- Add `Provides: cri-runtime` to use containerd as container runtime in Factory
  Kubernetes packages

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4140-1
Released:    Fri Oct 20 11:34:03 2023
Summary:     Security update for grub2
Type:        security
Severity:    important
References:  1201300,1215935,1215936,CVE-2023-4692,CVE-2023-4693
This update for grub2 fixes the following issues:

Security fixes:
- CVE-2023-4692: Fixed an out-of-bounds write in fs/ntfs.c which may lead to unsigned code execution. (bsc#1215935)
- CVE-2023-4693: Fixed an out-of-bounds read in fs/ntfs.c which may leak sensitive information. (bsc#1215936)

Other fixes:
- Fix a boot delay issue in PowerPC PXE boot (bsc#1201300)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4153-1
Released:    Fri Oct 20 19:27:58 2023
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1215313
This update for systemd fixes the following issues:

- Fix mismatch of nss-resolve version in Package Hub (no source code changes)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4154-1
Released:    Fri Oct 20 19:33:25 2023
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1107342,1215434
This update for aaa_base fixes the following issues:

- Respect /etc/update-alternatives/java when setting JAVA_HOME (bsc#1215434,bsc#1107342)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4162-1
Released:    Mon Oct 23 15:33:03 2023
Summary:     Security update for gcc13
Type:        security
Severity:    important
References:  1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,CVE-2023-4039
This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15
versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux
Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available
unsupported via the PackageHub repositories.

To use the gcc13 compilers:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.

For a full changelog with all new GCC13 features, check out

        https://gcc.gnu.org/gcc-13/changes.html


Detailed changes:


* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable
  length stack allocations.  (bsc#1214052)

- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]

- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when
  building with LTO.  [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they
  can be installed standalone.  [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex;
  the benefit of the former is that the linker jobs do not hold
  tokens of make's jobserver.
- Add cross-bpf packages.  See https://gcc.gnu.org/wiki/BPFBackEnd
  for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be
  specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0. 
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone
  package.  Make libstdc++6 recommend timezone to get a fully
  working std::chrono.  Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing.  [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there. 
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture)
  as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier
  SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture.
  PRU architecture is used for real-time MCUs embedded into TI
  armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for
  armv7l in order to build both host applications and PRU firmware
  during the same build.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4200-1
Released:    Wed Oct 25 12:04:29 2023
Summary:     Security update for nghttp2
Type:        security
Severity:    important
References:  1216123,1216174,CVE-2023-44487
This update for nghttp2 fixes the following issues:

- CVE-2023-44487: Fixed HTTP/2 Rapid Reset attack. (bsc#1216174)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4217-1
Released:    Thu Oct 26 12:20:27 2023
Summary:     Security update for zlib
Type:        security
Severity:    moderate
References:  1216378,CVE-2023-45853
This update for zlib fixes the following issues:

- CVE-2023-45853: Fixed an integer overflow that would lead to a
  buffer overflow in the minizip subcomponent (bsc#1216378).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4310-1
Released:    Tue Oct 31 14:10:47 2023
Summary:     Recommended update for libtirpc
Type:        recommended
Severity:    moderate
References:  1196647
This update for libtirpc to 1.3.4 fixes the following issues:

Update to 1.3.4 (bsc#1199467)

 * binddynport.c honor ip_local_reserved_ports
   - replaces: binddynport-honor-ip_local_reserved_ports.patch
 * gss-api: expose gss major/minor error in authgss_refresh()
 * rpcb_clnt.c: Eliminate double frees in delete_cache()
 * rpcb_clnt.c: memory leak in destroy_addr
 * portmapper: allow TCP-only portmapper
 * getnetconfigent: avoid potential DoS issue by removing unnecessary sleep
 * clnt_raw.c: fix a possible null pointer dereference
 * bindresvport.c: fix a potential resource leakage

Update to 1.3.3:

* Fix DoS vulnerability in libtirpc
  - replaces: 0001-Fix-DoS-vulnerability-in-libtirpc.patch
* _rpc_dtablesize: use portable system call
* libtirpc: Fix use-after-free accessing the error number
* Fix potential memory leak of parms.r_addr
  - replaces 0001-fix-parms.r_addr-memory-leak.patch
* rpcb_clnt.c add mechanism to try v2 protocol first
  - replaces: 0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch
* Eliminate deadlocks in connects with an MT environment
* clnt_dg_freeres() uncleared set active state may deadlock
* thread safe clnt destruction
* SUNRPC: mutexed access blacklist_read state variable
* SUNRPC: MT-safe overhaul of address cache management in rpcb_clnt.c

Update to 1.3.2:

* Replace the final SunRPC licenses with BSD licenses
* blacklist: Add a few more well known ports
* libtirpc: disallow calling auth_refresh from clnt_call with RPCSEC_GSS

Update to 1.3.1:

* Remove AUTH_DES interfaces from auth_des.h
  The unsupported AUTH_DES authentication has been compiled out
  since commit d918e41d889 (Wed Oct 9 2019), replaced by API
  routines that return errors.
* svc_dg: Free xp_netid during destroy
* Fix memory management issues of fd locks
* libtirpc: replace array with list for per-fd locks
* __svc_vc_dodestroy: fix double free of xp_ltaddr.buf
* __rpc_dtbsize: rlim_cur instead of rlim_max
* pkg-config: use the correct replacements for libdir/includedir

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released:    Thu Nov 16 14:38:48 2023
Summary:     Security update for gcc13
Type:        security
Severity:    important
References:  1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039
This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15
versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux
Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available
unsupported via the PackageHub repositories.

To use the gcc13 compilers:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.

For a full changelog with all new GCC13 features, check out

        https://gcc.gnu.org/gcc-13/changes.html


Detailed changes:


* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable
  length stack allocations.  (bsc#1214052)

- Work around third party app crash during C++ standard library initialization.  [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]

- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when
  building with LTO.  [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they
  can be installed standalone.  [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex;
  the benefit of the former is that the linker jobs do not hold
  tokens of make's jobserver.
- Add cross-bpf packages.  See https://gcc.gnu.org/wiki/BPFBackEnd
  for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be
  specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone
  package.  Make libstdc++6 recommend timezone to get a fully
  working std::chrono.  Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing.  [bsc#1206684]
- Enable PRU flavour for gcc13
- Update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture)
  as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier
  SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture.
  PRU architecture is used for real-time MCUs embedded into TI
  armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for
  armv7l in order to build both host applications and PRU firmware
  during the same build.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4477-1
Released:    Fri Nov 17 10:21:21 2023
Summary:     Recommended update for grub2
Type:        recommended
Severity:    moderate
References:  1216010,1216075,1216253
This update for grub2 fixes the following issues:

- Fix failure to identify recent ext4 filesystem (bsc#1216010)
- Fix reading files from btrfs with 'implicit' holes
- Fix fadump not working with 1GB/2GB/4GB LMB[P10] (bsc#1216253)
- Fix detection of encrypted disk's uuid in powerpc (bsc#1216075)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4524-1
Released:    Tue Nov 21 17:51:28 2023
Summary:     Security update for openssl-1_1
Type:        security
Severity:    important
References:  1216922,CVE-2023-5678
This update for openssl-1_1 fixes the following issues:

- CVE-2023-5678: Fixed generating and checking of excessively long X9.42 DH keys that resulted in a possible Denial of Service (bsc#1216922).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4537-1
Released:    Thu Nov 23 09:34:08 2023
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1216129,CVE-2023-45322
This update for libxml2 fixes the following issues:

- CVE-2023-45322: Fixed a use-after-free in xmlUnlinkNode() in tree.c (bsc#1216129).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4615-1
Released:    Wed Nov 29 20:33:38 2023
Summary:     Recommended update for icu
Type:        recommended
Severity:    moderate
References:  1217472

This update of icu fixes the following issue:

- Added the missing 32-bit libraries in SLES 15 SP3, which are required by 32-bit xerces-c.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4619-1
Released:    Thu Nov 30 10:13:52 2023
Summary:     Security update for sqlite3
Type:        security
Severity:    important
References:  1210660,CVE-2023-2137
This update for sqlite3 fixes the following issues:

- CVE-2023-2137: Fixed heap buffer overflow (bsc#1210660).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4659-1
Released:    Wed Dec  6 13:04:57 2023
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1217573,1217574,CVE-2023-46218,CVE-2023-46219
This update for curl fixes the following issues:

- CVE-2023-46218: Fixed cookie mixed case PSL bypass (bsc#1217573).
- CVE-2023-46219: HSTS long file name clears contents (bsc#1217574).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4664-1
Released:    Wed Dec  6 13:33:47 2023
Summary:     Security update for kernel-firmware
Type:        security
Severity:    important
References:  1215823,1215831,CVE-2021-26345,CVE-2021-46766,CVE-2021-46774,CVE-2022-23820,CVE-2022-23830,CVE-2023-20519,CVE-2023-20521,CVE-2023-20526,CVE-2023-20533,CVE-2023-20566,CVE-2023-20592
This update for kernel-firmware fixes the following issues:

Update AMD ucode to 20231030 (bsc#1215831):

- CVE-2022-23820: Failure to validate the AMD SMM communication buffer may allow an attacker to corrupt the SMRAM potentially leading to arbitrary code execution.
- CVE-2021-46774: Insufficient input validation in ABL may enable a privileged attacker to perform arbitrary DRAM writes, potentially resulting in code execution and privilege escalation.
- CVE-2023-20533: Insufficient DRAM address validation in System Management Unit (SMU) may allow an attacker using DMA to read/write from/to invalid DRAM address potentially resulting in denial-of-service.
- CVE-2023-20519: A Use-After-Free vulnerability in the management of an SNP guest context page may allow a malicious hypervisor to masquerade as the guest's migration agent resulting in a potential loss of guest integrity.
- CVE-2023-20566: Improper address validation in ASP with SNP enabled may potentially allow an attacker to compromise guest memory integrity.
- CVE-2023-20521: TOCTOU in the ASP Bootloader may allow an attacker with physical access to tamper with SPI ROM records after memory content verification, potentially leading to loss of confidentiality or a denial of service.
- CVE-2021-46766: Improper clearing of sensitive data in the ASP Bootloader may expose secret keys to a privileged attacker accessing ASP SRAM, potentially leading to a loss of confidentiality.
- CVE-2022-23830: SMM configuration may not be immutable, as intended, when SNP is enabled resulting in a potential limited loss of guest memory integrity.
- CVE-2023-20526: Insufficient input validation in the ASP Bootloader may enable a privileged attacker with physical access to expose the contents of ASP memory potentially leading to a loss of confidentiality.
- CVE-2021-26345: Failure to validate the value in APCB may allow an attacker with physical access to tamper with the APCB token to force an out-of-bounds memory read potentially resulting in a denial of service.
- CVE-2023-20592: Issue with INVD instruction aka CacheWarpAttack (bsc#1215823).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4671-1
Released:    Wed Dec  6 14:33:41 2023
Summary:     Recommended update for man
Type:        recommended
Severity:    moderate
References:  

This update of man fixes the following problem:

- The 'man' command is delivered to SUSE Linux Enterprise Micro
  to allow browsing man pages.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4699-1
Released:    Mon Dec 11 07:02:10 2023
Summary:     Recommended update for gpg2
Type:        recommended
Severity:    moderate
References:  1217212
This update for gpg2 fixes the following issues:

- `dirmngr-client --validate` is broken for DER-encoded files (bsc#1217212)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4705-1
Released:    Mon Dec 11 07:21:46 2023
Summary:     Recommended update for dracut
Type:        recommended
Severity:    moderate
References:  1192986,1217031
This update for dracut fixes the following issues:

- Update to version 055+suse.351.g30f0cda6
- Fix network device naming in udev-rules (bsc#1192986)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4723-1
Released:    Tue Dec 12 09:57:51 2023
Summary:     Recommended update for libtirpc
Type:        recommended
Severity:    moderate
References:  1216862
This update for libtirpc fixes the following issue:

- Fix sed parsing in specfile (bsc#1216862)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4726-1
Released:    Tue Dec 12 12:11:02 2023
Summary:     Recommended update for podman
Type:        recommended
Severity:    low
References:  1210299
This update for podman fixes the following issues:

- Build against latest stable Go version (bsc#1210299)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4727-1
Released:    Tue Dec 12 12:27:39 2023
Summary:     Security update for catatonit, containerd, runc
Type:        security
Severity:    important
References:  1200528,CVE-2022-1996

This update of runc and containerd fixes the following issues:

containerd:

- Update to containerd v1.7.8. Upstream release notes:
  https://github.com/containerd/containerd/releases/tag/v1.7.8

    * CVE-2022-1996: Fixed CORS bypass in go-restful (bsc#1200528)

catatonit:

- Update to catatonit v0.2.0.
  * Change license to GPL-2.0-or-later.

- Update to catatonit v0.1.7
  * This release adds the ability for catatonit to be used as the only
    process in a pause container, by passing the -P flag (in this mode no
    subprocess is spawned and thus no signal forwarding is done).

- Update to catatonit v0.1.6, which fixes a few bugs -- mainly ones related to
  socket activation or features somewhat adjacent to socket activation (such as
  passing file descriptors).

runc:

- Update to runc v1.1.10. Upstream changelog is available from
  https://github.com/opencontainers/runc/releases/tag/v1.1.10


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4891-1
Released:    Mon Dec 18 16:31:49 2023
Summary:     Security update for ncurses
Type:        security
Severity:    moderate
References:  1201384,1218014,CVE-2023-50495
This update for ncurses fixes the following issues:

- CVE-2023-50495: Fixed a segmentation fault via _nc_wrap_entry() (bsc#1218014)
- Modify reset command to avoid altering clocal if the terminal uses a modem (bsc#1201384)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4897-1
Released:    Tue Dec 19 08:22:36 2023
Summary:     Optional update for openslp
Type:        recommended
Severity:    low
References:  
This update for openslp bumps the version number to ensure a clean upgrade path from SLE-12 to SLE-15.

This is a no-change rebuild of the packages already available in SLE-15.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4916-1
Released:    Wed Dec 20 08:49:04 2023
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    important
References:  1215229
This update for lvm2 fixes the following issues:

- Fixed error creating linux volume on SAN device lvmlockd (bsc#1215229)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4962-1
Released:    Fri Dec 22 13:45:06 2023
Summary:     Recommended update for curl
Type:        recommended
Severity:    important
References:  1216987
This update for curl fixes the following issues:

- libssh: Implement SFTP packet size limit (bsc#1216987)

This update also ships curl to the INSTALLER channel.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:10-1
Released:    Tue Jan  2 13:21:05 2024
Summary:     Security update for polkit
Type:        security
Severity:    moderate
References:  1209282
This update for polkit fixes the following issues:

- Change permissions for rules folders (bsc#1209282)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:26-1
Released:    Thu Jan  4 11:15:24 2024
Summary:     Recommended update for mozilla-nss
Type:        recommended
Severity:    moderate
References:  1214980
This update for mozilla-nss fixes the following issues:

Mozilla NSS was updated to NSS 3.90.1

* regenerate NameConstraints test certificates.
* add OSXSAVE and XCR0 tests to AVX2 detection.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:62-1
Released:    Mon Jan  8 11:44:47 2024
Summary:     Recommended update for libxcrypt
Type:        recommended
Severity:    moderate
References:  1215496
This update for libxcrypt fixes the following issues:

- Fix variable name for data member [bsc#1215496]
- Added patches to fix https://github.com/besser82/libxcrypt/commit/b212d601549a0fc84cbbcaf21b931f903787d7e2

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:70-1
Released:    Tue Jan  9 18:29:39 2024
Summary:     Security update for tar
Type:        security
Severity:    low
References:  1217969,CVE-2023-39804
This update for tar fixes the following issues:

- CVE-2023-39804: Fixed incorrect handling of extension attributes in PAX archives (bsc#1217969).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:105-1
Released:    Mon Jan 15 15:41:05 2024
Summary:     Recommended update for grub2 and efibootmgr
Type:        recommended
Severity:    important
References:  1217237
This update for grub2 and efibootmgr fixes the following issues:

grub2:

- Deliver missing grub2-arm64-efi and grub2-powerpc-ieee1275 to SUSE Manager 4.3 (no source changes) (bsc#1217237)

efibootmgr:

- Deliver missing efibootmgr to SUSE Manager 4.3 (no source changes) (bsc#1217237)


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:136-1
Released:    Thu Jan 18 09:53:47 2024
Summary:     Security update for pam
Type:        security
Severity:    moderate
References:  1217000,1218475,CVE-2024-22365
This update for pam fixes the following issues:

- CVE-2024-22365: Fixed a local denial of service during PAM login
  due to a missing check during path manipulation (bsc#1218475).
- Check localtime_r() return value to fix crashing (bsc#1217000)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:140-1
Released:    Thu Jan 18 11:34:58 2024
Summary:     Security update for libssh
Type:        security
Severity:    important
References:  1211188,1211190,1218126,1218186,1218209,CVE-2023-1667,CVE-2023-2283,CVE-2023-48795,CVE-2023-6004,CVE-2023-6918
This update for libssh fixes the following issues:

Security fixes:

  - CVE-2023-6004: Fixed command injection using proxycommand (bsc#1218209)
  - CVE-2023-48795: Fixed potential downgrade attack using strict kex (bsc#1218126)
  - CVE-2023-6918: Fixed missing checks for return values of MD functions (bsc#1218186)
  - CVE-2023-1667: Fixed NULL dereference during rekeying with algorithm guessing (bsc#1211188)
  - CVE-2023-2283: Fixed possible authorization bypass in pki_verify_data_signature under low-memory conditions (bsc#1211190)

Other fixes:

- Update to version 0.9.8
  - Allow @ in usernames when parsing from URI composes

- Update to version 0.9.7
  - Fix several memory leaks in GSSAPI handling code

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:214-1
Released:    Wed Jan 24 16:01:31 2024
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1214668,1215241,1217460
This update for systemd fixes the following issues:

- resolved: actually check authenticated flag of SOA transaction
- core/mount: Make device deps from /proc/self/mountinfo and .mount unit file exclusive
- core: Add trace logging to mount_add_device_dependencies()
- core/mount: Remove default deps from /proc/self/mountinfo when it is updated (bsc#1217460)
- core/mount: Set Mount.from_proc_self_mountinfo flag before adding default dependencies
- core: wrap some long comment
- utmp-wtmp: Handle EINTR gracefully when waiting to write to tty
- utmp-wtmp: Fix error in case isatty() fails
- homed: Handle EINTR gracefully when waiting for device node
- resolved: Handle EINTR returned from fd_wait_for_event() better
- sd-netlink: Handle EINTR from poll() gracefully, as success
- varlink: Handle EINTR gracefully when waiting for EIO via ppoll()
- stdio-bridge: Don't be bothered with EINTR
- sd-bus: Handle EINTR return from bus_poll() (bsc#1215241)
- core: Replace slice dependencies as they get added (bsc#1214668)


-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:233-1
Released:    Thu Jan 25 11:58:47 2024
Summary:     Recommended update for suse-module-tools
Type:        recommended
Severity:    moderate
References:  1217775
This update for suse-module-tools fixes the following issues:

- Update to version 15.4.19
- Add symlink /boot/.vmlinuz.hmac (bsc#1217775)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:238-1
Released:    Fri Jan 26 10:56:41 2024
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1218571,CVE-2023-7207
This update for cpio fixes the following issues:

- CVE-2023-7207: Fixed a path traversal issue that could lead to an
  arbitrary file write during archive extraction (bsc#1218571).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:243-1
Released:    Fri Jan 26 13:00:47 2024
Summary:     Recommended update for util-linux
Type:        recommended
Severity:    moderate
References:  1207987
This update for util-linux fixes the following issues:

- Fix performance degradation (bsc#1207987)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:261-1
Released:    Tue Jan 30 08:20:36 2024
Summary:     Recommended update for conmon
Type:        recommended
Severity:    moderate
References:  1215806,1217773
This update for conmon fixes the following issues:

- New upstream release 2.1.10
  Bug fixes:
  * Fix incorrect free in conn_sock
  * logging: Respect log-size-max immediately after open

- Add patch for fixing regression in v2.1.9
  (https://github.com/containers/conmon/issues/475 and
  https://github.com/containers/conmon/issues/477)

- New upstream release 2.1.9
  ### Bug fixes
  * fix some issues flagged by SAST scan
  * src: fix write after end of buffer
  * src: open all files with O_CLOEXEC
  * oom-score: restore oom score before running exit command
  ### Features
  * Forward more messages on the sd-notify socket
  * logging: -l passthrough accepts TTYs

  * [bsc#1215806]

- Update to version 2.1.8:
  * stdio: ignore EIO for terminals (bsc#1217773)
  * ensure console socket buffers are properly sized
  * conmon: drop return after pexit()
  * ctrl: make accept4 failures fatal
  * logging: avoid opening /dev/null for each write
  * oom: restore old OOM score
  * Use default umask 0022
  * cli: log parsing errors to stderr
  * Changes to build conmon for riscv64
  * Changes to build conmon for ppc64le
  * Fix close_other_fds on FreeBSD

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:293-1
Released:    Wed Jan 31 17:42:15 2024
Summary:     Recommended update for elemental-operator
Type:        recommended
Severity:    important
References:  
This update for elemental-operator contains the following fix:

- Bump Go to 1.20. (jsc#SURE-7083)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:295-1
Released:    Thu Feb  1 08:23:17 2024
Summary:     Security update for runc
Type:        security
Severity:    important
References:  1218894,CVE-2024-21626
This update for runc fixes the following issues:

Update to runc v1.1.11:

- CVE-2024-21626: Fixed container breakout. (bsc#1218894)


The following package changes have been done:

- libssh-config-0.9.8-150400.3.3.1 updated
- libsemanage-conf-3.4-150400.1.8 added
- libtirpc-netconfig-1.3.4-150300.3.23.1 updated
- libcrypt1-4.4.15-150300.4.7.1 updated
- libsepol2-3.4-150400.1.11 added
- libnghttp2-14-1.40.0-150200.12.1 updated
- libuuid1-2.37.2-150400.8.23.1 updated
- libudev1-249.17-150400.8.40.1 updated
- libsmartcols1-2.37.2-150400.8.23.1 updated
- libblkid1-2.37.2-150400.8.23.1 updated
- libfdisk1-2.37.2-150400.8.23.1 updated
- libz1-1.2.11-150000.3.48.1 updated
- libsqlite3-0-3.44.0-150000.3.23.1 updated
- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- conmon-2.1.10-150400.3.17.1 updated
- elemental-register-1.3.5-150400.4.6.1 updated
- elemental-support-1.3.5-150400.4.6.1 updated
- kernel-firmware-ath10k-20220509-150400.4.25.1 updated
- libicu65_1-ledata-65.1-150200.4.10.1 updated
- libsemanage2-3.4-150400.1.8 added
- mozilla-nss-certs-3.90.1-150400.3.35.2 updated
- libxml2-2-2.9.14-150400.5.25.1 updated
- libsystemd0-249.17-150400.8.40.1 updated
- libfreebl3-3.90.1-150400.3.35.2 updated
- libmount1-2.37.2-150400.8.23.1 updated
- liblvm2cmd2_03-2.03.05-150400.191.1 updated
- libsoftokn3-3.90.1-150400.3.35.2 updated
- mozilla-nss-3.90.1-150400.3.35.2 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated
- libncurses6-6.1-150000.5.20.1 updated
- terminfo-base-6.1-150000.5.20.1 updated
- ncurses-utils-6.1-150000.5.20.1 updated
- tar-1.34-150000.3.34.1 updated
- libqrtr-glib0-1.2.2-150400.1.3 updated
- libdevmapper1_03-2.03.05_1.02.163-150400.191.1 updated
- cpio-2.13-150400.3.3.1 updated
- libdevmapper-event1_03-2.03.05_1.02.163-150400.191.1 updated
- device-mapper-2.03.05_1.02.163-150400.191.1 updated
- grub2-2.06-150400.11.43.2 updated
- grub2-i386-pc-2.06-150400.11.43.2 updated
- gpg2-2.2.27-150300.3.8.1 updated
- libopenssl1_1-1.1.1l-150400.7.60.2 updated
- libssh4-0.9.8-150400.3.3.1 updated
- libcurl4-8.0.1-150400.5.41.1 updated
- openslp-2.0.0-150000.6.17.1 updated
- libtirpc3-1.3.4-150300.3.23.1 updated
- pam-1.3.0-150000.6.66.1 updated
- system-user-nobody-20170617-150400.24.2.1 updated
- system-group-kvm-20170617-150400.24.2.1 updated
- system-group-hardware-20170617-150400.24.2.1 updated
- util-linux-2.37.2-150400.8.23.1 updated
- aaa_base-84.87+git20180409.04c9dae-150300.10.6.2 updated
- systemd-249.17-150400.8.40.1 updated
- udev-249.17-150400.8.40.1 updated
- util-linux-systemd-2.37.2-150400.8.23.1 updated
- systemd-sysvinit-249.17-150400.8.40.1 updated
- suse-module-tools-15.4.19-150400.3.17.1 updated
- dracut-055+suse.351.g30f0cda6-150400.3.31.1 updated
- lvm2-2.03.05-150400.191.1 updated
- kernel-firmware-usb-network-20220509-150400.4.25.1 updated
- kernel-firmware-realtek-20220509-150400.4.25.1 updated
- kernel-firmware-qlogic-20220509-150400.4.25.1 updated
- kernel-firmware-platform-20220509-150400.4.25.1 updated
- kernel-firmware-network-20220509-150400.4.25.1 updated
- kernel-firmware-mellanox-20220509-150400.4.25.1 updated
- kernel-firmware-mediatek-20220509-150400.4.25.1 updated
- kernel-firmware-marvell-20220509-150400.4.25.1 updated
- kernel-firmware-liquidio-20220509-150400.4.25.1 updated
- kernel-firmware-iwlwifi-20220509-150400.4.25.1 updated
- kernel-firmware-intel-20220509-150400.4.25.1 updated
- kernel-firmware-i915-20220509-150400.4.25.1 updated
- kernel-firmware-chelsio-20220509-150400.4.25.1 updated
- kernel-firmware-bnx2-20220509-150400.4.25.1 updated
- kernel-firmware-amdgpu-20220509-150400.4.25.1 updated
- kernel-firmware-ath11k-20220509-150400.4.25.1 updated
- kernel-firmware-atheros-20220509-150400.4.25.1 updated
- kernel-firmware-bluetooth-20220509-150400.4.25.1 updated
- kernel-firmware-brcm-20220509-150400.4.25.1 updated
- kernel-firmware-dpaa2-20220509-150400.4.25.1 updated
- kernel-firmware-media-20220509-150400.4.25.1 updated
- kernel-firmware-mwifiex-20220509-150400.4.25.1 updated
- kernel-firmware-nfp-20220509-150400.4.25.1 updated
- kernel-firmware-nvidia-20220509-150400.4.25.1 updated
- kernel-firmware-prestera-20220509-150400.4.25.1 updated
- kernel-firmware-qcom-20220509-150400.4.25.1 updated
- kernel-firmware-radeon-20220509-150400.4.25.1 updated
- kernel-firmware-serial-20220509-150400.4.25.1 updated
- kernel-firmware-sound-20220509-150400.4.25.1 updated
- kernel-firmware-ti-20220509-150400.4.25.1 updated
- kernel-firmware-ueagle-20220509-150400.4.25.1 updated
- libcontainers-sles-mounts-20230214-150400.3.11.1 added
- libmbim-glib4-1.26.4-150400.1.2 updated
- libmm-glib0-1.18.10-150400.1.2 updated
- libslirp0-4.7.0+44-150300.15.2 added
- runc-1.1.11-150000.58.1 updated
- cni-0.7.1-150100.3.16.1 updated
- cni-plugins-0.8.6-150100.3.20.1 updated
- kernel-firmware-all-20220509-150400.4.25.1 updated
- libcontainers-common-20230214-150400.3.11.1 updated
- libicu-suse65_1-65.1-150200.4.10.1 updated
- cryptsetup-2.4.3-150400.3.3.1 updated
- libqmi-glib5-1.30.8-150400.1.2 updated
- slirp4netns-1.2.0-150300.8.5.2 updated
- podman-4.4.4-150400.4.19.1 updated
- libpolkit0-0.116-150200.3.12.1 updated
- polkit-0.116-150200.3.12.1 updated
- ModemManager-1.18.10-150400.1.2 updated
- NetworkManager-wwan-1.38.2-150400.3.3.1 updated