SUSE-CU-2024:457-1: Security update of rancher/elemental-teal-channel
sle-container-updates at lists.suse.com
Tue Feb 6 08:01:39 UTC 2024
SUSE Container Update Advisory: rancher/elemental-teal-channel
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:457-1
Container Tags : rancher/elemental-teal-channel:1.3.5 , rancher/elemental-teal-channel:1.3.5-4.5.109 , rancher/elemental-teal-channel:latest
Container Release : 4.5.109
Severity : important
Type : security
References : 1103893 1107342 1112183 1168481 1187364 1187364 1187365 1187366
1187366 1187367 1187367 1195391 1196647 1198773 1198773 1200441
1200441 1200528 1201384 1201519 1201551 1201551 1204844 1205161
1206346 1206480 1206480 1206684 1206684 1207004 1207778 1207987
1208074 1208962 1209884 1209888 1210004 1210298 1210557 1210557
1210660 1211079 1211124 1211188 1211190 1211418 1211419 1211427
1211427 1211578 1212101 1212101 1212475 1212475 1212475 1213240
1213915 1213915 1214025 1214052 1214052 1214140 1214460 1214460
1214668 1214806 1215229 1215241 1215291 1215313 1215323 1215427
1215434 1215496 1216006 1216123 1216129 1216174 1216378 1216664
1216862 1216922 1216987 1217000 1217212 1217460 1217472 1217573
1217574 1217969 1218014 1218126 1218186 1218209 1218475 1218571
1218894 CVE-2021-3592 CVE-2021-3592 CVE-2021-3593 CVE-2021-3594
CVE-2021-3594 CVE-2021-3595 CVE-2021-3595 CVE-2022-1996 CVE-2023-1667
CVE-2023-2137 CVE-2023-2283 CVE-2023-25809 CVE-2023-2602 CVE-2023-2603
CVE-2023-27561 CVE-2023-28642 CVE-2023-39804 CVE-2023-4039 CVE-2023-4039
CVE-2023-4156 CVE-2023-44487 CVE-2023-45322 CVE-2023-45853 CVE-2023-46218
CVE-2023-46219 CVE-2023-4641 CVE-2023-48795 CVE-2023-50495 CVE-2023-5678
CVE-2023-6004 CVE-2023-6918 CVE-2023-7207 CVE-2024-21626 CVE-2024-22365
-----------------------------------------------------------------
The container rancher/elemental-teal-channel was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1465-1
Released: Fri Apr 29 11:36:02 2022
Summary: Security update for libslirp
Type: security
Severity: important
References: 1187364,1187366,1187367,1198773,CVE-2021-3592,CVE-2021-3594,CVE-2021-3595
This update for libslirp fixes the following issues:
- CVE-2021-3592: Fixed invalid pointer initialization that may lead to information disclosure (bootp) (bsc#1187364).
- CVE-2021-3594: Fixed invalid pointer initialization that may lead to information disclosure (udp) (bsc#1187367).
- CVE-2021-3595: Fixed invalid pointer initialization that may lead to information disclosure (tftp) (bsc#1187366).
- Fix a dhcp regression [bsc#1198773]
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1730-1
Released: Wed May 18 16:56:21 2022
Summary: Security update for libslirp
Type: security
Severity: important
References: 1187364,1187366,1187367,1198773,CVE-2021-3592,CVE-2021-3594,CVE-2021-3595
This update for libslirp fixes the following issues:
- CVE-2021-3592: Fixed invalid pointer initialization that may lead to information disclosure (bootp) (bsc#1187364).
- CVE-2021-3594: Fixed invalid pointer initialization that may lead to information disclosure (udp) (bsc#1187367).
- CVE-2021-3595: Fixed invalid pointer initialization that may lead to information disclosure (tftp) (bsc#1187366).
- Fix a dhcp regression [bsc#1198773]
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2941-1
Released: Tue Aug 30 10:51:09 2022
Summary: Security update for libslirp
Type: security
Severity: moderate
References: 1187365,1201551,CVE-2021-3593
This update for libslirp fixes the following issues:
- CVE-2021-3593: Fixed invalid pointer initialization that may lead to information disclosure (udp6) (bsc#1187365).
Non-security fixes:
- Fix the version header (bsc#1201551)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:1913-1
Released: Wed Apr 19 14:23:14 2023
Summary: Recommended update for libslirp, slirp4netns
Type: recommended
Severity: moderate
References: 1201551
This update for libslirp and slirp4netns fixes the following issues:
libslirp was updated to version 4.7.0+44 (current git master):
* Fix vmstate regression
* Align outgoing packets
* Bump incoming packet alignment to 8 bytes
* vmstate: only enable when building under GNU C
* ncsitest: Fix build with msvc
* Separate out SLIRP_PACKED to SLIRP_PACKED_BEGIN/END
* ncsi: Add Mellanox Get Mac Address handler
* slirp: Add out-of-band ethernet address
* ncsi: Add OEM command handler
* ncsi: Add basic test for Get Version ID response
* ncsi: Use response header for payload length
* ncsi: Pass command header to response handlers
* ncsi: Add Get Version ID command
* ncsi: Pass Slirp structure to response handlers
* slirp: Add manufacturer's ID
Release v4.7.0
* slirp: invoke client callback before creating timers
* pingtest: port to timer_new_opaque
* introduce timer_new_opaque callback
* introduce slirp_timer_new wrapper
* icmp6: make ndp_send_ra static
* socket: Handle ECONNABORTED from recv
* bootp: fix g_str_has_prefix warning/critical
* slirp: Don't duplicate packet in tcp_reass
* Rename insque/remque -> slirp_[ins|rem]que
* mbuf: Use SLIRP_DEBUG to enable mbuf debugging instead of DEBUG
* Replace inet_ntoa() with safer inet_ntop()
* Add VMS_END marker
* bootp: add support for UEFI HTTP boot
* IPv6 DNS proxying support
* Add missing scope_id in caching
* socket: Move closesocket(so->s_aux) to sofree
* socket: Check so_type instead of so_tcpcb for Unix-to-inet translation
* socket: Add s_aux field to struct socket for storing auxiliary socket
* socket: Initialize so_type in socreate
* socket: Allocate Unix-to-TCP hostfwd port from OS by binding to port 0
* Allow to disable internal DHCP server
* slirp_pollfds_fill: Explain why dividing so_snd.sb_datalen by two
* CI: run integration tests with slirp4netns
* socket: Check address family for Unix-to-inet accept translation
* socket: Add debug args for tcpx_listen (inet and Unix sockets)
* socket: Restore original definition of fhost
* socket: Move <sys/un.h> include to socket.h
* Support Unix sockets in hostfwd
* resolv: fix IPv6 resolution on Darwin
* Use the exact sockaddr size in getnameinfo call
* Initialize sin6_scope_id to zero
* slirp_socketpair_with_oob: Connect pair through 127.0.0.1
* resolv: fix memory leak when using libresolv
* pingtest: Add a trivial ping test
* icmp: Support falling back on trying a SOCK_RAW socket
Update to version 4.6.1+7:
* Haiku: proper path to resolv.conf for DNS server
* Fix for Haiku
* dhcp: Always send DHCP_OPT_LEN bytes in options
Update to version 4.6.1:
* Fix 'DHCP broken in libslirp v4.6.0'
Update to version 4.6.0:
* udp: check udp_input buffer size
* tftp: introduce a header structure
* tftp: check tftp_input buffer size
* udp6: check udp6_input buffer size
* bootp: check bootp_input buffer size
* bootp: limit vendor-specific area to input packet memory buffer
Update to version 4.4.0:
* socket: consume empty packets
* slirp: check pkt_len before reading protocol header
* Add DNS resolving for iOS
* sosendoob: better document what urgc is used for
* TCPIPHDR_DELTA: Fix potential negative value
* udp, udp6, icmp, icmp6: Enable forwarding errors on Linux
* icmp, icmp6: Add icmp_forward_error and icmp6_forward_error
* udp, udp6, icmp: handle TTL value
* ip_stripoptions use memmove
slirp4netns was updated to 1.2.0:
* Add slirp4netns --target-type=bess /path/to/bess.sock for supporting UML (#281)
* Explicitly support DHCP (#270)
* Update parson to v1.1.3 (#273) kgabis/parson at 70dc239...2d7b3dd
Update to version 1.1.11:
* Add --macaddress option to specify the MAC address of the tap interface.
* Updated the man page.
Update to version 1.1.8:
Update to 1.0.0:
* --enable-sandbox is now out of experimental
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2003-1
Released: Tue Apr 25 18:05:42 2023
Summary: Security update for runc
Type: security
Severity: important
References: 1168481,1208962,1209884,1209888,CVE-2023-25809,CVE-2023-27561,CVE-2023-28642
This update for runc fixes the following issues:
Update to runc v1.1.5:
Security fixes:
- CVE-2023-25809: Fixed rootless `/sys/fs/cgroup` being writable when cgroupns isn't unshared (bnc#1209884).
- CVE-2023-27561: Fixed regression that reintroduced CVE-2019-19921 vulnerability (bnc#1208962).
- CVE-2023-28642: Fixed AppArmor/SELinux bypass with symlinked /proc (bnc#1209888).
Other fixes:
- Fix the inability to use `/dev/null` when inside a container.
- Fix changing the ownership of host's `/dev/null` caused by fd redirection (bsc#1168481).
- Fix rare runc exec/enter unshare error on older kernels.
- nsexec: Check for errors in `write_log()`.
- Drop version-specific Go requirement.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2256-1
Released: Fri May 19 15:26:43 2023
Summary: Security update for runc
Type: security
Severity: important
References: 1200441
This update of runc fixes the following issues:
- rebuild the package with the go 19.9 secure release (bsc#1200441).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2325-1
Released: Tue May 30 15:57:30 2023
Summary: Security update for cni
Type: security
Severity: important
References: 1200441
This update of cni fixes the following issues:
- rebuild the package with the go 1.19 security release (bsc#1200441).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2657-1
Released: Tue Jun 27 14:43:57 2023
Summary: Recommended update for libcontainers-common
Type: recommended
Severity: moderate
References: 1211124
This update for libcontainers-common fixes the following issues:
- New subpackage libcontainers-sles-mounts which adds SLE-specific mounts on SLE systems (bsc#1211124)
- Own /etc/containers/systemd and /usr/share/containers/systemd for podman quadlet
- Remove container-storage-driver.sh to default to the overlay driver instead of btrfs
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2658-1
Released: Tue Jun 27 14:46:15 2023
Summary: Recommended update for containerd, docker, runc
Type: recommended
Severity: moderate
References: 1207004,1208074,1210298,1211578
This update for containerd, docker, runc fixes the following issues:
- Update to containerd v1.6.21 (bsc#1211578)
- Update to Docker 23.0.6-ce (bsc#1211578)
- Update to runc v1.1.7
- Require a minimum Go version explicitly (bsc#1210298)
- Re-unify packaging for SLE-12 and SLE-15
- Fix build on SLE-12 by switching back to libbtrfs-devel headers
- Allow man pages to be built without internet access in OBS
- Add apparmor-parser as a Recommends to make sure that most users will end up with it installed
even if they are primarily running SELinux
- Fix syntax of boolean dependency
- Allow to install container-selinux instead of apparmor-parser
- Change to using systemd-sysusers
- Update runc.keyring to upstream version
- Fix the inability to use `/dev/null` when inside a container (bsc#1207004)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2765-1
Released: Mon Jul 3 20:28:14 2023
Summary: Security update for libcap
Type: security
Severity: moderate
References: 1211418,1211419,CVE-2023-2602,CVE-2023-2603
This update for libcap fixes the following issues:
- CVE-2023-2602: Fixed improper memory release in libcap/psx/psx.c:__wrap_pthread_create() (bsc#1211418).
- CVE-2023-2603: Fixed an integer overflow or wraparound in libcap/cap_alloc.c:_libcap_strdup() (bsc#1211419).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2847-1
Released: Mon Jul 17 08:40:42 2023
Summary: Recommended update for audit
Type: recommended
Severity: moderate
References: 1210004
This update for audit fixes the following issues:
- Check for AF_UNIX unnamed sockets (bsc#1210004)
- Enable livepatching on main library on x86_64
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2868-1
Released: Tue Jul 18 11:35:52 2023
Summary: Security update for cni
Type: security
Severity: important
References: 1206346
This update of cni fixes the following issues:
- rebuild the package with the go 1.20 security release (bsc#1206346).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3217-1
Released: Mon Aug 7 16:51:10 2023
Summary: Recommended update for cryptsetup
Type: recommended
Severity: moderate
References: 1211079
This update for cryptsetup fixes the following issues:
- Handle system with low memory and no swap space (bsc#1211079)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3410-1
Released: Thu Aug 24 06:56:32 2023
Summary: Recommended update for audit
Type: recommended
Severity: moderate
References: 1201519,1204844
This update for audit fixes the following issues:
- Create symbolic link from /sbin/audisp-syslog to /usr/sbin/audisp-syslog (bsc#1201519)
- Fix rules not loaded when restarting auditd.service (bsc#1204844)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3440-1
Released: Mon Aug 28 08:57:10 2023
Summary: Security update for gawk
Type: security
Severity: low
References: 1214025,CVE-2023-4156
This update for gawk fixes the following issues:
- CVE-2023-4156: Fix a heap out of bound read by validating the index into argument list. (bsc#1214025)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3466-1
Released: Tue Aug 29 07:33:16 2023
Summary: Recommended update for icu
Type: recommended
Severity: moderate
References: 1103893,1112183
This update for icu fixes the following issues:
- Japanese era Reiwa (bsc#1112183, bsc#1103893, fate570, fate#325570, fate#325419)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3591-1
Released: Wed Sep 13 08:33:55 2023
Summary: Security update for shadow
Type: security
Severity: low
References: 1214806,CVE-2023-4641
This update for shadow fixes the following issues:
- CVE-2023-4641: Fixed potential password leak (bsc#1214806).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3611-1
Released: Fri Sep 15 09:28:36 2023
Summary: Recommended update for sysuser-tools
Type: recommended
Severity: moderate
References: 1195391,1205161,1207778,1213240,1214140
This update for sysuser-tools fixes the following issues:
- Update to version 3.2
- Always create a system group of the same name as the system user (bsc#1205161, bsc#1207778, bsc#1213240)
- Add 'quilt setup' friendly hint to %sysusers_requires usage
- Use append so if a pre file already exists it isn't overridden
- Invoke bash for bash scripts (bsc#1195391)
- Remove all systemd requires not supported on SLE15 (bsc#1214140)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3736-1
Released: Fri Sep 22 20:30:59 2023
Summary: Recommended update for libcontainers-common
Type: recommended
Severity: important
References: 1215291
This update for libcontainers-common fixes the following issues:
- Require libcontainers-sles-mounts for *all* SUSE Linux Enterprise products,
and not just SUSE Linux Enterprise Server. (bsc#1215291)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3815-1
Released: Wed Sep 27 18:20:25 2023
Summary: Security update for cni
Type: security
Severity: important
References: 1212475
This update of cni fixes the following issues:
- rebuild the package with the go 1.21 security release (bsc#1212475).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3952-1
Released: Tue Oct 3 20:06:23 2023
Summary: Security update for runc
Type: security
Severity: important
References: 1212475
This update of runc fixes the following issues:
- Update to runc v1.1.8.
Upstream changelog is available from
<https://github.com/opencontainers/runc/releases/tag/v1.1.8>.
- rebuild the package with the go 1.21 security release (bsc#1212475).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4126-1
Released: Thu Oct 19 09:38:31 2023
Summary: Security update for cni
Type: security
Severity: important
References: 1212475,1216006
This update of cni fixes the following issues:
- rebuild the package with the go 1.21 security release (bsc#1212475).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4139-1
Released: Fri Oct 20 10:06:58 2023
Summary: Recommended update for containerd, runc
Type: recommended
Severity: moderate
References: 1215323
This update for containerd, runc fixes the following issues:
runc was updated to v1.1.9. Upstream changelog is available from
https://github.com/opencontainers/runc/releases/tag/v1.1.9
containerd was updated to containerd v1.7.7 for Docker v24.0.6-ce. Upstream release notes:
- https://github.com/containerd/containerd/releases/tag/v1.7.7
- https://github.com/containerd/containerd/releases/tag/v1.7.6 bsc#1215323
- Add `Provides: cri-runtime` to use containerd as container runtime in Factory
Kubernetes packages
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4153-1
Released: Fri Oct 20 19:27:58 2023
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1215313
This update for systemd fixes the following issues:
- Fix mismatch of nss-resolve version in Package Hub (no source code changes)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4154-1
Released: Fri Oct 20 19:33:25 2023
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1107342,1215434
This update for aaa_base fixes the following issues:
- Respect /etc/update-alternatives/java when setting JAVA_HOME (bsc#1215434,bsc#1107342)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4162-1
Released: Mon Oct 23 15:33:03 2023
Summary: Security update for gcc13
Type: security
Severity: important
References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,CVE-2023-4039
This update for gcc13 fixes the following issues:
This update ships the GCC 13.2 compiler suite and its base libraries.
The compiler base libraries are provided for all SUSE Linux Enterprise 15
versions and replace the same named GCC 12 ones.
The new compilers for C, C++, and Fortran are provided for SUSE Linux
Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.
The Go, D, Ada and Modula 2 language compiler parts are available
unsupported via the PackageHub repositories.
To use gcc13 compilers use:
- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc13, CXX=g++13 and similar overrides for the other languages.
For a full changelog with all new GCC13 features, check out
https://gcc.gnu.org/gcc-13/changes.html
Detailed changes:
* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable
length stack allocations. (bsc#1214052)
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]
- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when
building with LTO. [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they
can be installed standalone. [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex,
the benefit of the former one is that the linker jobs are not
holding tokens of the make's jobserver.
- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd
for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be
specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone
package. Make libstdc++6 recommend timezone to get a fully
working std::chrono. Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture)
as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier
SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture.
PRU architecture is used for real-time MCUs embedded into TI
armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for
armv7l in order to build both host applications and PRU firmware
during the same build.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4200-1
Released: Wed Oct 25 12:04:29 2023
Summary: Security update for nghttp2
Type: security
Severity: important
References: 1216123,1216174,CVE-2023-44487
This update for nghttp2 fixes the following issues:
- CVE-2023-44487: Fixed HTTP/2 Rapid Reset attack. (bsc#1216174)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4217-1
Released: Thu Oct 26 12:20:27 2023
Summary: Security update for zlib
Type: security
Severity: moderate
References: 1216378,CVE-2023-45853
This update for zlib fixes the following issues:
- CVE-2023-45853: Fixed an integer overflow that would lead to a
buffer overflow in the minizip subcomponent (bsc#1216378).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4310-1
Released: Tue Oct 31 14:10:47 2023
Summary: Recommended update for libtirpc
Type: recommended
Severity: moderate
References: 1196647
This update for libtirpc to 1.3.4 fixes the following issues:
Update to 1.3.4 (bsc#1199467)
* binddynport.c honor ip_local_reserved_ports
- replaces: binddynport-honor-ip_local_reserved_ports.patch
* gss-api: expose gss major/minor error in authgss_refresh()
* rpcb_clnt.c: Eliminate double frees in delete_cache()
* rpcb_clnt.c: memory leak in destroy_addr
* portmapper: allow TCP-only portmapper
* getnetconfigent: avoid potential DoS issue by removing unnecessary sleep
* clnt_raw.c: fix a possible null pointer dereference
* bindresvport.c: fix a potential resource leakage
Update to 1.3.3:
* Fix DoS vulnerability in libtirpc
- replaces: 0001-Fix-DoS-vulnerability-in-libtirpc.patch
* _rpc_dtablesize: use portable system call
* libtirpc: Fix use-after-free accessing the error number
* Fix potential memory leak of parms.r_addr
- replaces 0001-fix-parms.r_addr-memory-leak.patch
* rpcb_clnt.c add mechanism to try v2 protocol first
- replaces: 0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch
* Eliminate deadlocks in connects with an MT environment
* clnt_dg_freeres() uncleared set active state may deadlock
* thread safe clnt destruction
* SUNRPC: mutexed access blacklist_read state variable
* SUNRPC: MT-safe overhaul of address cache management in rpcb_clnt.c
Update to 1.3.2:
* Replace the final SunRPC licenses with BSD licenses
* blacklist: Add a few more well known ports
* libtirpc: disallow calling auth_refresh from clnt_call with RPCSEC_GSS
Update to 1.3.1:
* Remove AUTH_DES interfaces from auth_des.h
The unsupported AUTH_DES authentication has been
compiled out since commit d918e41d889 (Wed Oct 9 2019)
replaced by API routines that return errors.
* svc_dg: Free xp_netid during destroy
* Fix memory management issues of fd locks
* libtirpc: replace array with list for per-fd locks
* __svc_vc_dodestroy: fix double free of xp_ltaddr.buf
* __rpc_dtbsize: rlim_cur instead of rlim_max
* pkg-config: use the correct replacements for libdir/includedir
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released: Thu Nov 16 14:38:48 2023
Summary: Security update for gcc13
Type: security
Severity: important
References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039
This update for gcc13 fixes the following issues:
This update ships the GCC 13.2 compiler suite and its base libraries.
The compiler base libraries are provided for all SUSE Linux Enterprise 15
versions and replace the same named GCC 12 ones.
The new compilers for C, C++, and Fortran are provided for SUSE Linux
Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.
The Go, D, Ada and Modula 2 language compiler parts are available
unsupported via the PackageHub repositories.
To use gcc13 compilers use:
- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.
For a full changelog with all new GCC13 features, check out
https://gcc.gnu.org/gcc-13/changes.html
Detailed changes:
* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable
length stack allocations. (bsc#1214052)
- Work around third party app crash during C++ standard library initialization. [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]
- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when
building with LTO. [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they
can be installed standalone. [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex,
the benefit of the former one is that the linker jobs are not
holding tokens of the make's jobserver.
- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd
for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be
specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone
package. Make libstdc++6 recommend timezone to get a fully
working std::chrono. Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture)
as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier
SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture.
PRU architecture is used for real-time MCUs embedded into TI
armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for
armv7l in order to build both host applications and PRU firmware
during the same build.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4524-1
Released: Tue Nov 21 17:51:28 2023
Summary: Security update for openssl-1_1
Type: security
Severity: important
References: 1216922,CVE-2023-5678
This update for openssl-1_1 fixes the following issues:
- CVE-2023-5678: Fixed generating and checking of excessively long X9.42 DH keys that resulted in a possible Denial of Service (bsc#1216922).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4537-1
Released: Thu Nov 23 09:34:08 2023
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1216129,CVE-2023-45322
This update for libxml2 fixes the following issues:
- CVE-2023-45322: Fixed a use-after-free in xmlUnlinkNode() in tree.c (bsc#1216129).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4615-1
Released: Wed Nov 29 20:33:38 2023
Summary: Recommended update for icu
Type: recommended
Severity: moderate
References: 1217472
This update of icu fixes the following issue:
- missing 32bit libraries in SLES 15 SP3 were added, required by xerces-c 32bit.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4619-1
Released: Thu Nov 30 10:13:52 2023
Summary: Security update for sqlite3
Type: security
Severity: important
References: 1210660,CVE-2023-2137
This update for sqlite3 fixes the following issues:
- CVE-2023-2137: Fixed heap buffer overflow (bsc#1210660).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4659-1
Released: Wed Dec 6 13:04:57 2023
Summary: Security update for curl
Type: security
Severity: moderate
References: 1217573,1217574,CVE-2023-46218,CVE-2023-46219
This update for curl fixes the following issues:
- CVE-2023-46218: Fixed cookie mixed case PSL bypass (bsc#1217573).
- CVE-2023-46219: HSTS long file name clears contents (bsc#1217574).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4671-1
Released: Wed Dec 6 14:33:41 2023
Summary: Recommended update for man
Type: recommended
Severity: moderate
References:
This update of man fixes the following problem:
- The 'man' command is delivered to SUSE Linux Enterprise Micro
to allow browsing man pages.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4699-1
Released: Mon Dec 11 07:02:10 2023
Summary: Recommended update for gpg2
Type: recommended
Severity: moderate
References: 1217212
This update for gpg2 fixes the following issues:
- `dirmngr-client --validate` is broken for DER-encoded files (bsc#1217212)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4723-1
Released: Tue Dec 12 09:57:51 2023
Summary: Recommended update for libtirpc
Type: recommended
Severity: moderate
References: 1216862
This update for libtirpc fixes the following issue:
- fix sed parsing in specfile (bsc#1216862)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4727-1
Released: Tue Dec 12 12:27:39 2023
Summary: Security update for catatonit, containerd, runc
Type: security
Severity: important
References: 1200528,CVE-2022-1996
This update of runc and containerd fixes the following issues:
containerd:
- Update to containerd v1.7.8. Upstream release notes:
https://github.com/containerd/containerd/releases/tag/v1.7.8
* CVE-2022-1996: Fixed CORS bypass in go-restful (bsc#1200528)
catatonit:
- Update to catatonit v0.2.0.
* Change license to GPL-2.0-or-later.
- Update to catatonit v0.1.7
* This release adds the ability for catatonit to be used as the only
process in a pause container, by passing the -P flag (in this mode no
subprocess is spawned and thus no signal forwarding is done).
- Update to catatonit v0.1.6, which fixes a few bugs -- mainly ones related to
socket activation or features somewhat adjacent to socket activation (such as
passing file descriptors).
runc:
- Update to runc v1.1.10. Upstream changelog is available from
https://github.com/opencontainers/runc/releases/tag/v1.1.10
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4891-1
Released: Mon Dec 18 16:31:49 2023
Summary: Security update for ncurses
Type: security
Severity: moderate
References: 1201384,1218014,CVE-2023-50495
This update for ncurses fixes the following issues:
- CVE-2023-50495: Fixed a segmentation fault via _nc_wrap_entry() (bsc#1218014)
- Modify reset command to avoid altering clocal if the terminal uses a modem (bsc#1201384)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4916-1
Released: Wed Dec 20 08:49:04 2023
Summary: Recommended update for lvm2
Type: recommended
Severity: important
References: 1215229
This update for lvm2 fixes the following issues:
- Fixed error creating linux volume on SAN device lvmlockd (bsc#1215229)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4962-1
Released: Fri Dec 22 13:45:06 2023
Summary: Recommended update for curl
Type: recommended
Severity: important
References: 1216987
This update for curl fixes the following issues:
- libssh: Implement SFTP packet size limit (bsc#1216987)
This update also ships curl to the INSTALLER channel.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:62-1
Released: Mon Jan 8 11:44:47 2024
Summary: Recommended update for libxcrypt
Type: recommended
Severity: moderate
References: 1215496
This update for libxcrypt fixes the following issues:
- fix variable name for datamember [bsc#1215496]
- added patches fix https://github.com/besser82/libxcrypt/commit/b212d601549a0fc84cbbcaf21b931f903787d7e2
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:70-1
Released: Tue Jan 9 18:29:39 2024
Summary: Security update for tar
Type: security
Severity: low
References: 1217969,CVE-2023-39804
This update for tar fixes the following issues:
- CVE-2023-39804: Fixed incorrect handling of extension attributes in PAX archives (bsc#1217969).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:136-1
Released: Thu Jan 18 09:53:47 2024
Summary: Security update for pam
Type: security
Severity: moderate
References: 1217000,1218475,CVE-2024-22365
This update for pam fixes the following issues:
- CVE-2024-22365: Fixed a local denial of service during PAM login
due to a missing check during path manipulation (bsc#1218475).
- Check localtime_r() return value to fix crashing (bsc#1217000)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:140-1
Released: Thu Jan 18 11:34:58 2024
Summary: Security update for libssh
Type: security
Severity: important
References: 1211188,1211190,1218126,1218186,1218209,CVE-2023-1667,CVE-2023-2283,CVE-2023-48795,CVE-2023-6004,CVE-2023-6918
This update for libssh fixes the following issues:
Security fixes:
- CVE-2023-6004: Fixed command injection using proxycommand (bsc#1218209)
- CVE-2023-48795: Fixed potential downgrade attack using strict kex (bsc#1218126)
- CVE-2023-6918: Fixed missing checks for return values of MD functions (bsc#1218186)
- CVE-2023-1667: Fixed NULL dereference during rekeying with algorithm guessing (bsc#1211188)
- CVE-2023-2283: Fixed possible authorization bypass in pki_verify_data_signature under low-memory conditions (bsc#1211190)
Other fixes:
- Update to version 0.9.8
- Allow @ in usernames when parsing from URI composes
- Update to version 0.9.7
- Fix several memory leaks in GSSAPI handling code
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:214-1
Released: Wed Jan 24 16:01:31 2024
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1214668,1215241,1217460
This update for systemd fixes the following issues:
- resolved: actually check authenticated flag of SOA transaction
- core/mount: Make device deps from /proc/self/mountinfo and .mount unit file exclusive
- core: Add trace logging to mount_add_device_dependencies()
- core/mount: Remove default deps from /proc/self/mountinfo when it is updated (bsc#1217460)
- core/mount: Set Mount.from_proc_self_mountinfo flag before adding default dependencies
- core: wrap some long comment
- utmp-wtmp: Handle EINTR gracefully when waiting to write to tty
- utmp-wtmp: Fix error in case isatty() fails
- homed: Handle EINTR gracefully when waiting for device node
- resolved: Handle EINTR returned from fd_wait_for_event() better
- sd-netlink: Handle EINTR from poll() gracefully, as success
- varlink: Handle EINTR gracefully when waiting for EIO via ppoll()
- stdio-bridge: Don't be bothered with EINTR
- sd-bus: Handle EINTR return from bus_poll() (bsc#1215241)
- core: Replace slice dependencies as they get added (bsc#1214668)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:238-1
Released: Fri Jan 26 10:56:41 2024
Summary: Security update for cpio
Type: security
Severity: moderate
References: 1218571,CVE-2023-7207
This update for cpio fixes the following issues:
- CVE-2023-7207: Fixed a path traversal issue that could lead to an
arbitrary file write during archive extraction (bsc#1218571).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:243-1
Released: Fri Jan 26 13:00:47 2024
Summary: Recommended update for util-linux
Type: recommended
Severity: moderate
References: 1207987
This update for util-linux fixes the following issues:
- Fix performance degradation (bsc#1207987)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:293-1
Released: Wed Jan 31 17:42:15 2024
Summary: Recommended update for elemental-operator
Type: recommended
Severity: important
References:
This update for elemental-operator contains the following fix:
- Bump Go to 1.20. (jsc#SURE-7083)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:295-1
Released: Thu Feb 1 08:23:17 2024
Summary: Security update for runc
Type: security
Severity: important
References: 1218894,CVE-2024-21626
This update for runc fixes the following issues:
Update to runc v1.1.11:
- CVE-2024-21626: Fixed container breakout. (bsc#1218894)
The following package changes have been done:
- libssh-config-0.9.8-150400.3.3.1 updated
- libsemanage-conf-3.4-150400.1.8 added
- libtirpc-netconfig-1.3.4-150300.3.23.1 updated
- libcrypt1-4.4.15-150300.4.7.1 updated
- libsepol2-3.4-150400.1.11 added
- libnghttp2-14-1.40.0-150200.12.1 updated
- libuuid1-2.37.2-150400.8.23.1 updated
- libudev1-249.17-150400.8.40.1 updated
- libsmartcols1-2.37.2-150400.8.23.1 updated
- libblkid1-2.37.2-150400.8.23.1 updated
- libfdisk1-2.37.2-150400.8.23.1 updated
- libz1-1.2.11-150000.3.48.1 updated
- libsqlite3-0-3.44.0-150000.3.23.1 updated
- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- elemental-register-1.3.5-150400.4.6.1 updated
- libicu65_1-ledata-65.1-150200.4.10.1 updated
- libsemanage2-3.4-150400.1.8 added
- libxml2-2-2.9.14-150400.5.25.1 updated
- libsystemd0-249.17-150400.8.40.1 updated
- libmount1-2.37.2-150400.8.23.1 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated
- libncurses6-6.1-150000.5.20.1 updated
- terminfo-base-6.1-150000.5.20.1 updated
- ncurses-utils-6.1-150000.5.20.1 updated
- tar-1.34-150000.3.34.1 updated
- libdevmapper1_03-2.03.05_1.02.163-150400.191.1 updated
- cpio-2.13-150400.3.3.1 updated
- gpg2-2.2.27-150300.3.8.1 updated
- libopenssl1_1-1.1.1l-150400.7.60.2 updated
- libssh4-0.9.8-150400.3.3.1 updated
- libcurl4-8.0.1-150400.5.41.1 updated
- libtirpc3-1.3.4-150300.3.23.1 updated
- pam-1.3.0-150000.6.66.1 updated
- system-user-nobody-20170617-150400.24.2.1 updated
- system-group-hardware-20170617-150400.24.2.1 updated
- util-linux-2.37.2-150400.8.23.1 updated
- aaa_base-84.87+git20180409.04c9dae-150300.10.6.2 updated
- systemd-249.17-150400.8.40.1 updated
- libcontainers-sles-mounts-20230214-150400.3.11.1 added
- libslirp0-4.7.0+44-150300.15.2 added
- runc-1.1.11-150000.58.1 updated
- cni-0.7.1-150100.3.16.1 updated
- libcontainers-common-20230214-150400.3.11.1 updated
- libicu-suse65_1-65.1-150200.4.10.1 updated
- slirp4netns-1.2.0-150300.8.5.2 updated
- util-linux-systemd-2.37.2-150400.8.20.1 removed