SUSE-IU-2024:1899-1: Security update of suse/sl-micro/6.0/base-os-container
sle-container-updates at lists.suse.com
Fri Nov 29 08:04:01 UTC 2024
SUSE Image Update Advisory: suse/sl-micro/6.0/base-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2024:1899-1
Image Tags : suse/sl-micro/6.0/base-os-container:2.1.3 , suse/sl-micro/6.0/base-os-container:2.1.3-4.14 , suse/sl-micro/6.0/base-os-container:latest
Image Release : 4.14
Severity : critical
Type : security
References : 1208690 1214980 1215064 1215064 1216198 1221470 1222804 1222807
1222811 1222813 1222814 1222821 1222822 1222826 1222828 1222830
1222833 1222834 1223724 1224113 1224115 1224116 1224118 1226412
1226529 1227918 1230070 1230904 1325335 1548723 1573097 1615555
1748105 1753026 1757758 1774659 1775046 1780432 1784253 1793811
1813401 1818766 1822450 1822935 1822936 1826451 1826652 1827224
1827303 1827444 1829112 1830415 1830978 1831552 1833270 1834851
1835357 1835425 1835828 1836781 1836925 1837431 1837617 1837987
1839327 1839795 1839992 1840429 1840437 1840505 1840510 1841029
1842928 1842932 1842935 1842937 1847845 1848183 1849077 1849471
1850598 1850982 1851044 1851049 1852011 1852179 1853737 1854438
1854439 1854795 1855318 1858241 1860670 1861265 1861728 1863605
1865450 1867408 1869378 1869408 1869642 1870673 1871152 1871219
1871630 1871631 1873095 1873296 1874017 1874111 1874458 1874937
1875356 1875506 1875965 1876179 1876390 1876800 1877344 1877730
1879513 1879945 1880857 1881027 1884276 1884444 1885404 1887996
1889671 1890069 1893029 1893162 1893334 1893404 1893752 1894572
1895012 1895032 1896353 1897487 1898074 1898627 1898825 1898830
1898858 1899593 1899759 1899883 1900413 1901080 1901932 1905691
215997 671060 676100 676118 864039 CVE-2023-5388
-----------------------------------------------------------------
The container suse/sl-micro/6.0/base-os-container was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: 16
Released: Wed Aug 14 16:02:59 2024
Summary: Recommended update for elemental-system-agent, elemental, systemd-presets-branding-Elemental, elemental-toolkit, elemental-agent, elemental-operator
Type: recommended
Severity: moderate
References:
This update for elemental-system-agent, elemental, systemd-presets-branding-Elemental, elemental-toolkit, elemental-agent, elemental-operator fixes the following issues:
elemental:
- Update to version v2.1.2
* Fix grub2-x86_64-efi installation
* Removing syslinux from base image
* Workaround to remove any pre-existing Elemental initrd
elemental-agent:
- Update to version 0.5.0+git20240729.4482c01:
* Fix rke2 cluster class (#80)
* Fix rootfs layout (#76)
* Exclude cloud-config-defaults feature (#75)
* Use toolkit nightly builds (#74)
* Align images to Elemental dev (#73)
* Only use essential elemental services (#71)
* Actualize elemental init arguments and improve iso build setup (#70)
* Fix missing mtools dependency (#68)
* Unify root password
* Prevent associating multiple ElementalHosts (#65)
* Remove CodeQL github action workaround (#66)
* upgrade elemental-toolkit to 2.1.0 version (#61)
* tests: align Ginkgo version in the Makefile (#63)
* Dockerfiles: ensure /usr/libexec is present on the image FS (#64)
* minor/setup_kind_cluster.sh: print the command to write the my-config.yaml (#62)
* Fix RKE2 ClusterClass and RKE2 default registration method (#60)
* Remove unused Codecov config (#59)
* Actualize RKE2 templates (#58)
* Remove CodeCov action (#57)
* Update codeql action (#56)
* Display host phases (#51)
* Bump CAPI version (#54)
* Print test agent config by default (#55)
* Deprecate release-action (#53)
* Display association status (#49)
* Add registration ready condition (#50)
* Prevent kubelet and containerd from running in Recovery (#43)
* Mitigate time sync issues on JWT validation (#41)
* Improve kubeadm image (#39)
- Update to version 0.5.0+git20240319.13ad570:
* Update dependencies and fix CodeQL failure (#36)
* Update to go 1.22 (#32)
* Update k3s provider urls (#34)
* Remove tumbleweed dracut patches (#33)
* Refer to CONTROL_PLANE_ENDPOINT_HOST
* Update metadata.yaml
* Update quickstart (#30)
* Remove uninitialized taint from nodes (#29)
* Set providerid on nodes (#22)
* Bump yip to v1.4.10
- Initial version 0.5.0
elemental-operator:
- Update to version 1.6.4:
* register: always register when called (#816)
- Update to version 1.6.3:
* Backport to v1.6.x (#796)
* Enable PR workflow for v1.6 maintenance branch
* Add toggle to automatically delete no longer in sync versions (#780) (#783)
* [v1.6.x] Add managedosversion finalizer (#775 & #784) (#782)
* Ensure re-sync is triggered
* [v1.6.x][BACKPORT] operator: fix ManagedOSVersionChannel sync (#771)
* Use YAML content for Elemental Agent config (#765) (#770)
* Allow yip configs (#751) (#762)
* Update deployment.yaml (#757) (#761)
* Flag no longer in sync ManagedOSVersions (#750) (#752)
* Let elemental-register digest system hardware data (#748) (#749)
* register: don't send new Disks and Controllers data (#741)
* Added the ability to create a node reset marker for unmanaged hosts (#731) (#737)
- Update to version 1.6.2:
* chart: add chart name and version to the operator deployment (#694)
* Add Metadata CRD (#717)
elemental-system-agent:
- Update to version 0.3.7:
* Add support for CATTLE_AGENT_VAR_DIR in suc plan
* add the step for creating GH release, and fix typo in filename
* Migrate from Drone to GitHub Action
* Version bump for Alpine and Kubectl
* Add support for CATTLE_AGENT_STRICT_VERIFY|STRICT_VERIFY environment variables to ensure kubeconfig CA data is valid (#171)
elemental-toolkit:
- Update to version 2.1.1:
* [backport] Disable boot entry if efivars is read-only (#2059) (#2145)
* [backport] CI refactor to v2.1.x branch (#2146)
* Remove pre-existing Elemental initrds
systemd-presets-branding-Elemental:
- Include elemental-register.timer as service enabled by default
-----------------------------------------------------------------
Advisory ID: 33
Released: Thu Sep 5 14:12:22 2024
Summary: Recommended update for dracut
Type: recommended
Severity: moderate
References: 1208690,1226412,1226529
This update for dracut fixes the following issues:
- Update to version 059+suse.567.gadd3169d:
* feat(crypt): force the inclusion of crypttab entries with x-initrd.attach (bsc#1226529)
* fix(mdraid): try to assemble the missing raid device (bsc#1226412)
* fix(dracut-install): continue parsing if ldd prints 'cannot be preloaded' (bsc#1208690)
-----------------------------------------------------------------
Advisory ID: 42
Released: Tue Sep 10 11:43:35 2024
Summary: Recommended update for perl-Bootloader
Type: recommended
Severity: critical
References: 1215064
This update for perl-Bootloader fixes the following issues:
- bootloader_entry script can have an optional 'force-default' argument (bsc#1215064)
This fixes the %post section for kernel-rt.
-----------------------------------------------------------------
Advisory ID: 59
Released: Tue Oct 15 16:06:53 2024
Summary: Security update for mozilla-nss
Type: security
Severity: critical
References: 1214980,1216198,1222804,1222807,1222811,1222813,1222814,1222821,1222822,1222826,1222828,1222830,1222833,1222834,1223724,1224113,1224115,1224116,1224118,1227918,1325335,1548723,1573097,1615555,1748105,1753026,1757758,1774659,1775046,1780432,1784253,1793811,1813401,1818766,1822450,1822935,1822936,1826451,1826652,1827224,1827303,1827444,1829112,1830415,1830978,1831552,1833270,1834851,1835357,1835425,1835828,1836781,1836925,1837431,1837617,1837987,1839327,1839795,1839992,1840429,1840437,1840505,1840510,1841029,1842928,1842932,1842935,1842937,1847845,1848183,1849077,1849471,1850598,1850982,1851044,1851049,1852011,1852179,1853737,1854438,1854439,1854795,1855318,1858241,1860670,1861265,1861728,1863605,1865450,1867408,1869378,1869408,1869642,1870673,1871152,1871219,1871630,1871631,1873095,1873296,1874017,1874111,1874458,1874937,1875356,1875506,1875965,1876179,1876390,1876800,1877344,1877730,1879513,1879945,1880857,1881027,1884276,1884444,1885404,1887996,1889671,1890069,1893029,1893162,1893334,1893404,1893752,1894572,1895012,1895032,1896353,1897487,1898074,1898627,1898825,1898830,1898858,1899593,1899759,1899883,1900413,1901080,1901932,1905691,215997,671060,676100,676118,864039,CVE-2023-5388
This update for mozilla-nss fixes the following issues:
- update to NSS 3.101.2
- ChaChaXor to return after the function
- update to NSS 3.101.1
- missing sqlite header.
- GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
- update to NSS 3.101
- add diagnostic assertions for SFTKObject refcount.
- freeing the slot in DeleteCertAndKey if authentication failed
- fix formatting issues.
- Add Firmaprofesional CA Root-A Web to NSS.
- remove invalid acvp fuzz test vectors.
- pad short P-384 and P-521 signatures gtests.
- remove unused FreeBL ECC code.
- pad short P-384 and P-521 signatures.
- be less strict about ECDSA private key length.
- Integrate HACL* P-521.
- Integrate HACL* P-384.
- memory leak in create_objects_from_handles.
- ensure all input is consumed in a few places in mozilla::pkix
- SMIME/CMS and PKCS #12 do not integrate with modern NSS policy
- clean up escape handling
- Use lib::pkix as default validator instead of the old-one
- Need to add high level support for PQ signing.
- Certificate Compression: changing the allocation/freeing of buffer + Improving the documentation
- SMIME/CMS and PKCS #12 do not integrate with modern NSS policy
- Allow for non-full length ecdsa signature when using softoken
- Modification of .taskcluster.yml due to mozlint indent defects
- Implement support for PBMAC1 in PKCS#12
- disable VLA warnings for fuzz builds.
- remove redundant AllocItem implementation.
- add PK11_ReadDistrustAfterAttribute.
- Clang-formatting of SEC_GetMgfTypeByOidTag update
- Set SEC_ERROR_LIBRARY_FAILURE on self-test failure
- sftk_getParameters(): Fix fallback to default variable after error with configfile.
- Switch to the mozillareleases/image_builder image
- update to NSS 3.100
- merge pk11_kyberSlotList into pk11_ecSlotList for faster Xyber operations.
- remove ckcapi.
- avoid a potential PK11GenericObject memory leak.
- Remove incomplete ESDH code.
- Decrypt RSA OAEP encrypted messages.
- Fix certutil CRLDP URI code.
- Don't set CKA_DERIVE for CKK_EC_EDWARDS private keys.
- Add ability to encrypt and decrypt CMS messages using ECDH.
- Correct Templates for key agreement in smime/cmsasn.c.
- Moving the decodedCert allocation to NSS.
- Allow developers to speed up repeated local execution of NSS tests that depend on certificates.
- update to NSS 3.99
- Removing check for message len in ed25519
- add ed25519 to SECU_ecName2params.
- add EdDSA wycheproof tests.
- nss/lib layer code for EDDSA.
- Adding EdDSA implementation.
- Exporting Certificate Compression types
- Updating ACVP docker to rust 1.74
- Updating HACL* to 0f136f28935822579c244f287e1d2a1908a7e552
- Add NSS_CMSRecipient_IsSupported.
- update to NSS 3.98
- CVE-2023-5388: Timing attack against RSA decryption in TLS
- Certificate Compression: enabling the check that the compression was advertised
- Move Windows workers to nss-1/b-win2022-alpha
- Remove Email trust bit from OISTE WISeKey Global Root GC CA
- Replace `distutils.spawn.find_executable` with `shutil.which` within `mach` in `nss`
- Certificate Compression: Updating nss_bogo_shim to support Certificate compression
- TLS Certificate Compression (RFC 8879) Implementation
- Add valgrind annotations to freebl kyber operations for constant-time execution tests
- Set nssckbi version number to 2.66
- Add Telekom Security roots
- Add D-Trust 2022 S/MIME roots
- Remove expired Security Communication RootCA1 root
- move keys to a slot that supports concatenation in PK11_ConcatSymKeys
- remove unmaintained tls-interop tests
- bogo: add support for the -ipv6 and -shim-id shim flags
- bogo: add support for the -curves shim flag and update Kyber expectations
- bogo: adjust expectation for a key usage bit test
- mozpkix: add option to ignore invalid subject alternative names
- Fix selfserv not stripping `publicname:` from -X value
- take ownership of ecckilla shims
- add valgrind annotations to freebl/ec.c
- PR_INADDR_ANY needs PR_htonl before assignment to inet.ip
- Update zlib to 1.3.1
- update to NSS 3.97
- make Xyber768d00 opt-in by policy
- add libssl support for xyber768d00
- add PK11_ConcatSymKeys
- add Kyber and a PKCS#11 KEM interface to softoken
- add a FreeBL API for Kyber
- part 2: vendor github.com/pq-crystals/kyber/commit/e0d1c6ff
- part 1: add a script for vendoring kyber from pq-crystals repo
- Removing the calls to RSA Blind from loader.*
- fix worker type for level3 mac tasks
- RSA Blind implementation
- Remove DSA selftests
- read KWP testvectors from JSON
- Backed out changeset dcb174139e4f
- Fix CKM_PBE_SHA1_DES2_EDE_CBC derivation
- Wrap CC shell commands in gyp expansions
- update to NSS 3.96.1
- Use pypi dependencies for MacOS worker in ./build_gyp.sh
- p7sign: add -a hash and -u certusage (also p7verify cleanups)
- add a defensive check for large ssl_DefSend return values
- Add dependency to the taskcluster script for Darwin
- Upgrade version of the MacOS worker for the CI
- update to NSS 3.95
- Bump builtins version number.
- Remove Email trust bit from Autoridad de Certificacion Firmaprofesional CIF A62634068 root cert.
- Remove 4 DigiCert (Symantec/Verisign) Root Certificates
- Remove 3 TrustCor Root Certificates from NSS.
- Remove Camerfirma root certificates from NSS.
- Remove old Autoridad de Certificacion Firmaprofesional Certificate.
- Add four Commscope root certificates to NSS.
- Add TrustAsia Global Root CA G3 and G4 root certificates.
- Include P-384 and P-521 Scalar Validation from HACL*
- Include P-256 Scalar Validation from HACL*.
- After the HACL 256 ECC patch, NSS incorrectly encodes 256 ECC without DER wrapping at the softoken level
- Add means to provide library parameters to C_Initialize
- clang format
- add OSXSAVE and XCR0 tests to AVX2 detection.
- Typo in ssl3_AppendHandshakeNumber
- Introducing input check of ssl3_AppendHandshakeNumber
- Fix Invalid casts in instance.c
- update to NSS 3.94
- Updated code and commit ID for HACL*
- update ACVP fuzzed test vector: refuzzed with current NSS
- Softoken C_ calls should use system FIPS setting to select NSC_ or FC_ variants
- NSS needs a database tool that can dump the low level representation of the database
- declare string literals using char in pkixnames_tests.cpp
- avoid implicit conversion for ByteString
- update rust version for acvp docker
- Moving the init function of the mpi_ints before clean-up in ec.c
- P-256 ECDH and ECDSA from HACL*
- Add ACVP test vectors to the repository
- Stop relying on std::basic_string<uint8_t>
- Transpose the PPC_ABI check from Makefile to gyp
- Update to NSS 3.93:
- Update zlib in NSS to 1.3.
- softoken: iterate hashUpdate calls for long inputs.
- regenerate NameConstraints test certificates (bsc#1214980).
- update to NSS 3.92
- Set nssckbi version number to 2.62
- Add 4 Atos TrustedRoot Root CA certificates to NSS
- Add 4 SSL.com Root CA certificates
- Add Sectigo E46 and R46 Root CA certificates
- Add LAWtrust Root CA2 (4096)
- Remove E-Tugra Certification Authority root
- Remove Camerfirma Chambers of Commerce Root.
- Remove Hongkong Post Root CA 1
- Remove E-Tugra Global Root CA ECC v3 and RSA v3
- Avoid redefining BYTE_ORDER on hppa Linux
- update to NSS 3.91
- Implementation of the HW support check for ADX instruction
- Removing the support of Curve25519
- Fix comment about the addition of ticketSupportsEarlyData
- Adding args to enable-legacy-db build
- dbtests.sh failure in 'certutil dump keys with explicit default trust flags'
- Initialize flags in slot structures
- Improve the length check of RSA input to avoid heap overflow
- Followup Fixes
- avoid processing unexpected inputs by checking for m_exptmod base sign
- add a limit check on order_k to avoid infinite loop
- Update HACL* to commit 5f6051d2
- add SHA3 to cryptohi and softoken
- HACL SHA3
- Disabling ASM C25519 for A but X86_64
- update to NSS 3.90.3
- GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
- clean up escape handling.
- remove redundant AllocItem implementation.
- Disable ASM support for Curve25519.
- Disable ASM support for Curve25519 for all but X86_64.
-----------------------------------------------------------------
Advisory ID: 68
Released: Tue Oct 15 16:08:22 2024
Summary: Recommended update for elemental-operator, elemental
Type: recommended
Severity: moderate
References: 1230904
This update for elemental-operator, elemental contains the following fixes:
elemental:
- Include net.ifnames=0 kernel parameter. (bsc#1230904)
elemental-operator:
- Update to version 1.6.5:
* Add SeedImage.status.checksumURL.
-----------------------------------------------------------------
Advisory ID: 78
Released: Mon Nov 11 14:53:29 2024
Summary: Recommended update for perl-Bootloader
Type: recommended
Severity: critical
References: 1215064,1221470,1230070
This update for perl-Bootloader fixes the following issues:
- handle missing grub_installdevice on powerpc (bsc#1230070)
- log grub2-install errors correctly (bsc#1221470)
- skip warning about unsupported options when in compat mode
- bootloader_entry script can have an optional 'force-default' argument (bsc#1215064)
-----------------------------------------------------------------
The following package changes have been done:
- libtextstyle0-0.21.1-5.1 added
- libjson-c5-0.16-3.1 added
- libfuse2-2.9.9-3.1 added
- libefivar1-38-3.1 added
- libargon2-1-20190702-3.1 added
- pigz-2.8-1.8 added
- libpng16-16-1.6.43-1.1 added
- efibootmgr-18-2.8 added
- libfreetype6-2.13.2-1.6 added
- libasm1-0.189-4.143 added
- zstd-1.5.5-8.142 added
- libdevmapper1_03-2.03.22_1.02.196-1.8 added
- gzip-1.13-1.50 added
- gettext-runtime-0.21.1-5.1 added
- elfutils-0.189-4.143 added
- cpio-2.15-1.3 added
- libcryptsetup12-2.6.1-4.13 added
- grub2-2.12~rc1-5.30 added
- grub2-i386-pc-2.12~rc1-5.30 added
- systemd-rpm-macros-24-1.205 added
- grub2-x86_64-efi-2.12~rc1-5.30 added
- systemd-presets-branding-Elemental-20240807-1.1 added
- perl-Bootloader-1.8.2-1.1 added
- shim-15.7-11.2 added
- util-linux-systemd-2.39.3-2.7 added
- system-group-kvm-20170617-2.197 added
- system-group-hardware-20170617-2.197 added
- suse-module-tools-16.0.43-1.1 added
- kmod-30-10.56 added
- udev-254.18-1.1 added
- dracut-059+suse.571.g32b61281-1.1 added
- suse-module-tools-scriptlets-16.0.43-1.1 added
- kernel-default-6.4.0-1.3 added
- libaio1-0.3.113-3.1 added
- libdevmapper-event1_03-2.03.22_1.02.196-1.8 added
- libfreebl3-3.101.2-1.1 added
- liblzo2-2-2.10-3.1 added
- libndp0-1.8-2.7 added
- libnl-config-3.7.0-3.1 added
- logrotate-3.21.0-2.12 added
- mozilla-nspr-4.35-3.11 added
- thin-provisioning-tools-0.9.0-2.10 added
- shared-mime-info-2.2-2.8 added
- libgobject-2_0-0-2.76.2-5.1 added
- squashfs-4.6.1-3.7 added
- libnl3-200-3.7.0-3.1 added
- mozilla-nss-certs-3.101.2-1.1 added
- device-mapper-2.03.22_1.02.196-1.8 added
- gio-branding-SLE-15-1.5 added
- libgio-2_0-0-2.76.2-5.1 added
- glib2-tools-2.76.2-5.1 added
- wpa_supplicant-2.10-4.18 added
- mozilla-nss-3.101.2-1.1 added
- libsoftokn3-3.101.2-1.1 added
- libnm0-1.42.6-5.14 added
- NetworkManager-branding-SLE-42.1-1.5 added
- NetworkManager-1.42.6-5.14 added
- btrfsprogs-udev-rules-6.1.3-6.19 added
- libauparse0-3.0.9-4.1 added
- libext2fs2-1.47.0-2.3 added
- libwrap0-7.6-2.193 added
- system-group-audit-3.0.9-5.15 added
- btrfsprogs-6.1.3-6.19 added
- btrfsmaintenance-0.5-2.8 added
- audit-3.0.9-5.15 added
- dmidecode-3.5-2.6 added
- liblvm2cmd2_03-2.03.22-1.8 added
- openssl-3.1.4-3.1 added
- openssl-3-3.1.4-6.1 added
- lvm2-2.03.22-1.8 added
- dosfstools-4.2-2.9 added
- e2fsprogs-1.47.0-2.3 added
- elemental-register-1.6.5-1.1 added
- elemental-support-1.6.5-1.1 added
- elemental-system-agent-0.3.7-1.1 added
- elemental-updater-2.1.3-1.1 added
- gptfdisk-1.0.9-3.5 added
- libbtrfs0-6.1.3-6.19 added
- libbtrfsutil1-6.1.3-6.19 added
- libburn4-1.5.4-1.9 added
- libedit0-20210910.3.1-9.169 added
- libinih0-56-3.1 added
- libjte2-1.22-1.8 added
- libparted-fs-resize0-3.5-2.11 added
- libparted2-3.5-2.11 added
- liburcu8-0.14.0-2.8 added
- libxxhash0-0.8.1-2.194 added
- mtools-4.0.43-4.9 added
- libisofs6-1.5.4-1.9 added
- parted-3.5-2.11 added
- xfsprogs-6.5.0-1.9 added
- rsync-3.2.7-3.8 added
- info-7.0.3-4.1 added
- libsnapper7-0.10.5-2.10 added
- libisoburn1-1.5.4-1.9 added
- snapper-0.10.5-2.10 added
- xorriso-1.5.4-1.9 added
- elemental-toolkit-2.1.1-1.1 added
- elemental-2.1.3-1.1 added