SUSE-CU-2024:933-1: Security update of suse/sle15
sle-container-updates at lists.suse.com
Wed Mar 13 08:06:51 UTC 2024
SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:933-1
Container Tags : bci/bci-base:15.6 , bci/bci-base:15.6.45.2.72 , suse/sle15:15.6 , suse/sle15:15.6.45.2.72
Container Release : 45.2.72
Severity : important
Type : security
References : 1200734 1200735 1200736 1200737 1202593 1202870 1204383 1204386
1206308 1206309 1207789 1207990 1207991 1207992 1209209 1209210
1209211 1209212 1209214 1211230 1211231 1211232 1211233 1211886
1212475 1213237 1215026 1215888 1215889 1216752 1216987 1217573
1217574 1219123 1219189 CVE-2022-32205 CVE-2022-32206 CVE-2022-32207
CVE-2022-32208 CVE-2022-32221 CVE-2022-35252 CVE-2022-42916 CVE-2022-43551
CVE-2022-43552 CVE-2023-23914 CVE-2023-23915 CVE-2023-23916 CVE-2023-27533
CVE-2023-27534 CVE-2023-27535 CVE-2023-27536 CVE-2023-27538 CVE-2023-28319
CVE-2023-28320 CVE-2023-28321 CVE-2023-28322 CVE-2023-32001 CVE-2023-38039
CVE-2023-38545 CVE-2023-38546 CVE-2023-46218 CVE-2023-46219
-----------------------------------------------------------------
The container suse/sle15 was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2305-1
Released: Wed Jul 6 13:38:42 2022
Summary: Security update for curl
Type: security
Severity: important
References: 1200734,1200735,1200736,1200737,CVE-2022-32205,CVE-2022-32206,CVE-2022-32207,CVE-2022-32208
This update for curl fixes the following issues:
- CVE-2022-32205: Set-Cookie denial of service (bsc#1200734)
- CVE-2022-32206: HTTP compression denial of service (bsc#1200735)
- CVE-2022-32207: Unpreserved file permissions (bsc#1200736)
- CVE-2022-32208: FTP-KRB bad message verification (bsc#1200737)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2796-1
Released: Fri Aug 12 14:34:31 2022
Summary: Recommended update for jitterentropy
Type: recommended
Severity: moderate
References:
This update for jitterentropy fixes the following issues:
jitterentropy is included in version 3.4.0 (jsc#SLE-24941).
This is a FIPS 140-3 / NIST SP 800-90B compliant userspace jitter entropy generator library,
used by other FIPS libraries.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3003-1
Released: Fri Sep 2 15:01:44 2022
Summary: Security update for curl
Type: security
Severity: low
References: 1202593,CVE-2022-35252
This update for curl fixes the following issues:
- CVE-2022-35252: Fixed a potential injection of control characters
into cookies, which could be exploited by sister sites to cause a
denial of service (bsc#1202593).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3328-1
Released: Wed Sep 21 12:48:56 2022
Summary: Recommended update for jitterentropy
Type: recommended
Severity: moderate
References: 1202870
This update for jitterentropy fixes the following issues:
- Hide the non-GNUC constructs that are library internal from the
exported header, to make it usable in builds with strict C99
compliance. (bsc#1202870)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3785-1
Released: Wed Oct 26 20:20:19 2022
Summary: Security update for curl
Type: security
Severity: important
References: 1204383,1204386,CVE-2022-32221,CVE-2022-42916
This update for curl fixes the following issues:
- CVE-2022-32221: Fixed POST following PUT confusion (bsc#1204383).
- CVE-2022-42916: Fixed HSTS bypass via IDN (bsc#1204386).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:4597-1
Released: Wed Dec 21 10:13:11 2022
Summary: Security update for curl
Type: security
Severity: important
References: 1206308,1206309,CVE-2022-43551,CVE-2022-43552
This update for curl fixes the following issues:
- CVE-2022-43552: HTTP Proxy deny use-after-free (bsc#1206309).
- CVE-2022-43551: Fixed HSTS bypass via IDN (bsc#1206308).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:429-1
Released: Wed Feb 15 17:41:22 2023
Summary: Security update for curl
Type: security
Severity: important
References: 1207990,1207991,1207992,CVE-2023-23914,CVE-2023-23915,CVE-2023-23916
This update for curl fixes the following issues:
- CVE-2023-23914: Fixed HSTS ignored on multiple requests (bsc#1207990).
- CVE-2023-23915: Fixed HSTS amnesia with --parallel (bsc#1207991).
- CVE-2023-23916: Fixed HTTP multi-header compression denial of service (bsc#1207992).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:617-1
Released: Fri Mar 3 16:49:06 2023
Summary: Recommended update for jitterentropy
Type: recommended
Severity: moderate
References: 1207789
This update for jitterentropy fixes the following issues:
- Build the jitterentropy library with debuginfo (bsc#1207789).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:1582-1
Released: Mon Mar 27 10:31:52 2023
Summary: Security update for curl
Type: security
Severity: moderate
References: 1209209,1209210,1209211,1209212,1209214,CVE-2023-27533,CVE-2023-27534,CVE-2023-27535,CVE-2023-27536,CVE-2023-27538
This update for curl fixes the following issues:
- CVE-2023-27533: Fixed TELNET option IAC injection (bsc#1209209).
- CVE-2023-27534: Fixed SFTP path ~ resolving discrepancy (bsc#1209210).
- CVE-2023-27535: Fixed FTP too eager connection reuse (bsc#1209211).
- CVE-2023-27536: Fixed GSS delegation too eager connection reuse (bsc#1209212).
- CVE-2023-27538: Fixed SSH connection too eager reuse still (bsc#1209214).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2224-1
Released: Wed May 17 09:53:54 2023
Summary: Security update for curl
Type: security
Severity: important
References: 1211230,1211231,1211232,1211233,CVE-2023-28319,CVE-2023-28320,CVE-2023-28321,CVE-2023-28322
This update for curl adds the following feature:
Update to version 8.0.1 (jsc#PED-2580)
- CVE-2023-28319: use-after-free in SSH sha256 fingerprint check (bsc#1211230).
- CVE-2023-28320: siglongjmp race condition (bsc#1211231).
- CVE-2023-28321: IDN wildcard matching (bsc#1211232).
- CVE-2023-28322: POST-after-PUT confusion (bsc#1211233).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2891-1
Released: Wed Jul 19 21:14:33 2023
Summary: Security update for curl
Type: security
Severity: moderate
References: 1213237,CVE-2023-32001
This update for curl fixes the following issues:
- CVE-2023-32001: Fixed TOCTOU race condition (bsc#1213237).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3823-1
Released: Wed Sep 27 18:42:38 2023
Summary: Security update for curl
Type: security
Severity: important
References: 1215026,CVE-2023-38039
This update for curl fixes the following issues:
- CVE-2023-38039: Fixed a possible DoS when receiving an overly large HTTP header (bsc#1215026).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4044-1
Released: Wed Oct 11 09:01:14 2023
Summary: Security update for curl
Type: security
Severity: important
References: 1215888,1215889,CVE-2023-38545,CVE-2023-38546
This update for curl fixes the following issues:
- CVE-2023-38545: Fixed a heap buffer overflow in SOCKS5 (bsc#1215888).
- CVE-2023-38546: Fixed a cookie injection with none file (bsc#1215889).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4659-1
Released: Wed Dec 6 13:04:57 2023
Summary: Security update for curl
Type: security
Severity: moderate
References: 1217573,1217574,CVE-2023-46218,CVE-2023-46219
This update for curl fixes the following issues:
- CVE-2023-46218: Fixed cookie mixed case PSL bypass (bsc#1217573).
- CVE-2023-46219: HSTS long file name clears contents (bsc#1217574).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4962-1
Released: Fri Dec 22 13:45:06 2023
Summary: Recommended update for curl
Type: recommended
Severity: important
References: 1216987
This update for curl fixes the following issues:
- libssh: Implement an SFTP packet size limit (bsc#1216987).
This update also ships curl to the INSTALLER channel.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:614-1
Released: Mon Feb 26 11:31:18 2024
Summary: Recommended update for rpm
Type: recommended
Severity: important
References: 1216752
This update for rpm fixes the following issues:
- Backport Lua support for rpm.execute to ease migrating from SLE Micro 5.5 to 6.0 (bsc#1216752).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:615-1
Released: Mon Feb 26 11:32:32 2024
Summary: Recommended update for netcfg
Type: recommended
Severity: moderate
References: 1211886
This update for netcfg fixes the following issues:
- Add a krb-prop entry (bsc#1211886).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:725-1
Released: Thu Feb 29 11:03:34 2024
Summary: Recommended update for suse-build-key
Type: recommended
Severity: moderate
References: 1219123,1219189
This update for suse-build-key fixes the following issues:
- Switch the container key to RSA 4096-bit by default (jsc#PED-2777).
- Run the import script also in the %posttrans section, but only when
libzypp is not active (bsc#1219189, bsc#1219123).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:734-1
Released: Thu Feb 29 13:16:38 2024
Summary: Recommended update for go1.21
Type: recommended
Severity: moderate
References: 1212475
This update for go1.21 fixes the following issues:
go1.21.7 (released 2024-02-06) includes fixes to the compiler,
the go command, the runtime, and the crypto/x509 package.
(bsc#1212475 go1.21 release tracking)
* go#63209 runtime: 'fatal: morestack on g0' on amd64 after upgrade to Go 1.21
* go#63768 runtime: pinner.Pin doesn't panic when it says it will
* go#64497 cmd/go: flag modcacherw does not take effect in the target package
* go#64761 staticlockranking builders failing on release branches on LUCI
* go#64935 runtime: 'traceback: unexpected SPWRITE function runtime.systemstack'
* go#65023 x/tools/go/analysis/unitchecker,slices: TestVetStdlib failing due to vet errors in panic tests
* go#65053 cmd/compile: //go:build file version ignored when calling generic fn which has related type params
* go#65323 crypto: rollback BoringCrypto fips-20220613 update
* go#65351 cmd/go: go generate fails silently when run on a package in a nested workspace module
* go#65380 crypto/x509: TestIssue51759 consistently failing on gotip-darwin-amd64_10.15 LUCI builder
* go#65449 runtime/trace: frame pointer unwinding crash on arm64 during async preemption
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:792-1
Released: Thu Mar 7 09:55:23 2024
Summary: Recommended update for timezone
Type: recommended
Severity: moderate
References:
This update for timezone fixes the following issues:
- Update to version 2024a
- Kazakhstan unifies on UTC+5
- Palestine springs forward a week later than previously predicted in 2024 and 2025
- Asia/Ho_Chi_Minh's 1955-07-01 transition occurred at 01:00 not 00:00
- From 1947 through 1949, Toronto's transitions occurred at 02:00 not 00:00
- In 1911 Miquelon adopted standard time on June 15, not May 15
- The FROM and TO columns of Rule lines can no longer be 'minimum'
- localtime no longer mishandles some timestamps
- strftime %s now uses tm_gmtoff if available
- Ittoqqortoormiit, Greenland changes time zones on 2024-03-31
- Vostok, Antarctica changed time zones on 2023-12-18
- Casey, Antarctica changed time zones five times since 2020
- Code and data fixes for Palestine timestamps starting in 2072
- A new data file zonenow.tab for timestamps starting now
- Much of Greenland changed its standard time from -03 to -02 on 2023-03-25
- localtime.c no longer mishandles TZif files that contain a single transition into a DST regime
- tzselect no longer creates temporary files
- tzselect no longer mishandles the following:
* Spaces and most other special characters in BUGEMAIL, PACKAGE, TZDIR, and VERSION.
* TZ strings when using mawk 1.4.3, which mishandles regular expressions of the form /X{2,}/
* ISO 6709 coordinates when using an awk that lacks the GNU extension of newlines in -v option-arguments
* Non-UTF-8 locales when using an iconv command that lacks the GNU //TRANSLIT extension
- zic no longer mishandles data for Palestine after the year 2075
The following package changes have been done:
- branding-SLE-15-150600.43.4 updated
- container-suseconnect-2.4.0-150000.4.50.2 updated
- cracklib-dict-small-2.9.11-150600.1.89 updated
- cracklib-2.9.11-150600.1.89 updated
- crypto-policies-20230920.570ea89-150600.1.9 updated
- curl-8.0.1-150400.5.41.1 updated
- glibc-2.38-150600.6.2 updated
- gpg2-2.4.4-150600.1.3 updated
- krb5-1.20.1-150600.8.4 updated
- kubic-locale-archive-2.38-150600.18.3 updated
- libaugeas0-1.14.1-150600.1.2 updated
- libblkid1-2.39.3-150600.1.15 updated
- libcom_err2-1.47.0-150600.2.25 updated
- libcrack2-2.9.11-150600.1.89 updated
- libcurl4-8.0.1-150400.5.41.1 updated
- libfa1-1.14.1-150600.1.2 updated
- libfdisk1-2.39.3-150600.1.15 updated
- libgcrypt20-1.10.3-150600.1.9 updated
- libglib-2_0-0-2.78.3-150600.1.6 updated
- libgpg-error0-1.47-150600.1.2 updated
- libgpgme11-1.23.0-150600.1.24 updated
- libjitterentropy3-3.4.0-150000.1.9.1 added
- libksba8-1.6.4-150600.1.2 updated
- libldap-2_4-2-2.4.46-150600.23.6 updated
- libldap-data-2.4.46-150600.23.6 updated
- liblz4-1-1.9.4-150600.1.3 updated
- liblzma5-5.4.6-150600.1.16 updated
- libmount1-2.39.3-150600.1.15 updated
- libnghttp2-14-1.40.0-150600.22.2 updated
- libopenssl-3-fips-provider-3.1.4-150600.1.17 updated
- libopenssl1_1-1.1.1w-150600.1.8 added
- libopenssl3-3.1.4-150600.1.17 updated
- libpcre2-8-0-10.42-150600.1.25 updated
- libsasl2-3-2.1.28-150600.5.2 updated
- libselinux1-3.5-150600.1.45 updated
- libsemanage-conf-3.5-150600.1.48 updated
- libsemanage2-3.5-150600.1.48 updated
- libsepol2-3.5-150600.1.48 updated
- libsigc-2_0-0-2.12.1-150600.1.2 updated
- libsmartcols1-2.39.3-150600.1.15 updated
- libssh-config-0.9.8-150600.8.2 updated
- libssh4-0.9.8-150600.8.2 updated
- libsystemd0-254.9-150600.2.8 updated
- libudev1-254.9-150600.2.8 updated
- libuuid1-2.39.3-150600.1.15 updated
- libzck1-1.1.16-150600.9.2 updated
- libzstd1-1.5.5-150600.1.2 updated
- libzypp-17.31.31-150600.8.4 updated
- login_defs-4.8.1-150600.15.44 updated
- netcfg-11.6-150000.3.6.1 updated
- openssl-3-3.1.4-150600.1.17 updated
- openssl-3.1.4-150600.1.18 updated
- patterns-base-fips-20200124-150600.29.2 updated
- patterns-base-minimal_base-20200124-150600.29.2 updated
- rpm-ndb-4.14.3-150400.59.7.1 updated
- sed-4.9-150600.1.3 updated
- shadow-4.8.1-150600.15.44 updated
- skelcd-EULA-bci-2023.03.06-150600.7.2 updated
- sle-module-basesystem-release-15.6-150600.26.3 updated
- sle-module-python3-release-15.6-150600.26.3 updated
- sle-module-server-applications-release-15.6-150600.26.3 updated
- sles-release-15.6-150600.26.8 updated
- suse-build-key-12.0-150000.8.43.1 updated
- timezone-2024a-150000.75.28.1 updated
- util-linux-2.39.3-150600.1.15 updated