SUSE-CU-2024:5801-1: Security update of containers/open-webui

sle-container-updates at lists.suse.com sle-container-updates at lists.suse.com
Wed Nov 27 08:01:45 UTC 2024 

SUSE Container Update Advisory: containers/open-webui
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:5801-1
Container Tags        : containers/open-webui:0.3 , containers/open-webui:0.3.32 , containers/open-webui:0.3.32-5.6
Container Release     : 5.6
Severity              : important
Type                  : security
References            : 1219340 1230423 1233323 1233325 1233326 1233327 CVE-2024-10976
                        CVE-2024-10977 CVE-2024-10978 CVE-2024-10979 
-----------------------------------------------------------------

The container containers/open-webui was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:4045-1
Released:    Mon Nov 25 08:33:05 2024
Summary:     Recommended update for patterns-base
Type:        recommended
Severity:    moderate
References:  
This update for patterns-base fixes the following issue:

- Updated patterns-base, removing plymouth recommendation on s390x archs.
  Our certification team run into an issue (jsc#PED-10532), when they
  run bare metal installation with fully encrypted disk.
  If the whole disk is crypted, the prompt for the password is sent to
  plymouth, which is obviously showing nothing because for booting bare
  metal (LPAR) is used terminal in HMC. 

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:4063-1
Released:    Tue Nov 26 10:16:06 2024
Summary:     Security update for postgresql, postgresql16, postgresql17
Type:        security
Severity:    important
References:  1219340,1230423,1233323,1233325,1233326,1233327,CVE-2024-10976,CVE-2024-10977,CVE-2024-10978,CVE-2024-10979
This update for postgresql, postgresql16, postgresql17 fixes the following issues:

This update ships postgresql17 , and fixes security issues with postgresql16:

- bsc#1230423: Relax the dependency of extensions on the server
  version from exact major.minor to greater or equal, after Tom
  Lane confirmed on the PostgreSQL packagers list that ABI
  stability is being taken care of between minor releases.

- bsc#1219340: The last fix was not correct. Improve it by removing
  the dependency again and call fillup only if it is installed.

postgresql16 was updated to 16.6:
* Repair ABI break for extensions that work with struct
  ResultRelInfo.
* Restore functionality of ALTER {ROLE|DATABASE} SET role.
* Fix cases where a logical replication slot's restart_lsn could
  go backwards.
* Avoid deleting still-needed WAL files during pg_rewind.
* Fix race conditions associated with dropping shared statistics
  entries.
* Count index scans in contrib/bloom indexes in the statistics
  views, such as the pg_stat_user_indexes.idx_scan counter.
* Fix crash when checking to see if an index's opclass options
  have changed.
* Avoid assertion failure caused by disconnected NFA sub-graphs
  in regular expression parsing.
* https://www.postgresql.org/docs/release/16.6/

postgresql16 was updated to 16.5:

* CVE-2024-10976, bsc#1233323: Ensure cached plans are marked as
  dependent on the calling role when RLS applies to a
  non-top-level table reference.
* CVE-2024-10977, bsc#1233325: Make libpq discard error messages
  received during SSL or GSS protocol negotiation.
* CVE-2024-10978, bsc#1233326: Fix unintended interactions
  between SET SESSION AUTHORIZATION and SET ROLE
* CVE-2024-10979, bsc#1233327: Prevent trusted PL/Perl code from
  changing environment variables.
* https://www.postgresql.org/about/news/p-2955/
* https://www.postgresql.org/docs/release/16.5/

- Don't build the libs and mini flavor anymore to hand over to
  PostgreSQL 17.

  * https://www.postgresql.org/about/news/p-2910/

postgresql17 is shipped in version 17.2:

* CVE-2024-10976, bsc#1233323: Ensure cached plans are marked as
  dependent on the calling role when RLS applies to a
  non-top-level table reference.
* CVE-2024-10977, bsc#1233325: Make libpq discard error messages
  received during SSL or GSS protocol negotiation.
* CVE-2024-10978, bsc#1233326: Fix unintended interactions
  between SET SESSION AUTHORIZATION and SET ROLE
* CVE-2024-10979, bsc#1233327: Prevent trusted PL/Perl code from
  changing environment variables.
* https://www.postgresql.org/about/news/p-2955/
* https://www.postgresql.org/docs/release/17.1/
* https://www.postgresql.org/docs/release/17.2/

Upgrade to 17.2:

* Repair ABI break for extensions that work with struct
  ResultRelInfo.
* Restore functionality of ALTER {ROLE|DATABASE} SET role.
* Fix cases where a logical replication slot's restart_lsn could
  go backwards.
* Avoid deleting still-needed WAL files during pg_rewind.
* Fix race conditions associated with dropping shared statistics
  entries.
* Count index scans in contrib/bloom indexes in the statistics
  views, such as the pg_stat_user_indexes.idx_scan counter.
* Fix crash when checking to see if an index's opclass options
  have changed.
* Avoid assertion failure caused by disconnected NFA sub-graphs
  in regular expression parsing.

Upgrade to 17.0:

* New memory management system for VACUUM, which reduces memory
  consumption and can improve overall vacuuming performance.
* New SQL/JSON capabilities, including constructors, identity
  functions, and the JSON_TABLE() function, which converts JSON
  data into a table representation.
* Various query performance improvements, including for
  sequential reads using streaming I/O, write throughput under
  high concurrency, and searches over multiple values in a btree
  index.
* Logical replication enhancements, including:
  + Failover control
  + pg_createsubscriber, a utility that creates logical replicas
    from physical standbys
  + pg_upgrade now preserves replication slots on both publishers
    and subscribers
* New client-side connection option, sslnegotiation=direct, that
  performs a direct TLS handshake to avoid a round-trip
  negotiation.
* pg_basebackup now supports incremental backup.
* COPY adds a new option, ON_ERROR ignore, that allows a copy
  operation to continue in the event of an error.
* https://www.postgresql.org/about/news/p-2936/
* https://www.postgresql.org/docs/17/release-17.html


The following package changes have been done:

- patterns-base-fips-20200124-150600.32.3.2 updated
- libpq5-17.2-150600.13.5.1 updated
- libprotobuf25_5_0-25.5-150600.2.10 updated
- python311-psycopg2-2.9.9-150600.1.4 updated
- python311-protobuf-4.25.5-150600.2.10 updated
- python311-pyarrow-17.0.0-150600.2.6 updated
- python311-open-webui-0.3.32-150600.1.14 updated
- container:registry.suse.com-bci-bci-base-15.6-0fe22d4c030e2498f68dab4b8addfe10dc8719c895a9b27f7802df3dbbc5d9f0-0 updated

More information about the sle-container-updates mailing list