SUSE-CU-2024:4069-1: Security update of suse/sle15

sle-container-updates at lists.suse.com sle-container-updates at lists.suse.com
Fri Sep 6 11:49:21 UTC 2024 

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:4069-1
Container Tags        : bci/bci-base:15.7 , bci/bci-base:15.7.50.8 , suse/sle15:15.7 , suse/sle15:15.7.50.8
Container Release     : 50.8
Severity              : important
Type                  : security
References            : 1220356 1222899 1223336 1226463 1227138 1227525 1227681 1227888
                        1228322 1228535 1228548 1228770 916845 CVE-2013-4235 CVE-2013-4235
                        CVE-2024-5535 CVE-2024-6197 CVE-2024-7264 
-----------------------------------------------------------------

The container suse/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2609-1
Released:    Fri Jul 26 18:07:05 2024
Summary:     Recommended update for suse-build-key
Type:        recommended
Severity:    moderate
References:  1227681
This update for suse-build-key fixes the following issue:

- fixed syntax error in auto import shell script (bsc#1227681)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2630-1
Released:    Tue Jul 30 09:12:44 2024
Summary:     Security update for shadow
Type:        security
Severity:    important
References:  916845,CVE-2013-4235
This update for shadow fixes the following issues:

- CVE-2013-4235: Fixed a race condition when copying and removing directory trees (bsc#916845).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2635-1
Released:    Tue Jul 30 09:14:09 2024
Summary:     Security update for openssl-3
Type:        security
Severity:    important
References:  1222899,1223336,1226463,1227138,CVE-2024-5535
This update for openssl-3 fixes the following issues:

Security fixes:

- CVE-2024-5535: Fixed SSL_select_next_proto buffer overread (bsc#1227138)

Other fixes:

- Build with no-afalgeng (bsc#1226463)
- Build with enabled sm2 and sm4 support (bsc#1222899)
- Fix non-reproducibility issue (bsc#1223336)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2641-1
Released:    Tue Jul 30 09:29:36 2024
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  
This update for systemd fixes the following issues:

systemd was updated from version 254.13 to version 254.15:
    
- Changes in version 254.15:

  * boot: cover for hardware keys on phones/tablets
  * Conditional PSI check to reflect changes done in 5.13
  * core/dbus-manager: refuse SoftReboot() for user managers
  * core/exec-invoke: reopen OpenFile= fds with O_NOCTTY
  * core/exec-invoke: use sched_setattr instead of sched_setscheduler
  * core/unit: follow merged units before updating SourcePath= timestamp too
  * coredump: correctly take tmpfs size into account for compression
  * cryptsetup: improve TPM2 blob display
  * docs: Add section to HACKING.md on distribution packages
  * docs: fixed dead link to GNOME documentation
  * docs/CODING_STYLE: document that we nowadays prefer (const char*) for func ret type
  * Fixed typo in CAP_BPF description
  * LICENSES/README: expand text to summarize state for binaries and libs
  * man: fully adopt ~/.local/state/
  * man/systemd.exec: list inaccessible files for ProtectKernelTunables
  * man/tmpfiles: remove outdated behavior regarding symlink ownership
  * meson: bpf: propagate 'sysroot' for cross compilation
  * meson: Define __TARGET_ARCH macros required by bpf
  * mkfs-util: Set sector size for btrfs as well
  * mkosi: drop CentOS 8 from CI
  * mkosi: Enable hyperscale-packages-experimental for CentOS
  * mountpoint-util: do not assume symlinks are not mountpoints
  * os-util: avoid matching on the wrong extension-release file
  * README: add missing CONFIG_MEMCG kernel config option for oomd
  * README: update requirements for signed dm-verity
  * resolved: allow the full TTL to be used by OPT records
  * resolved: correct parsing of OPT extended RCODEs
  * sysusers: handle NSS errors gracefully
  * TEST-58-REPART: reverse order of diff args
  * TEST-64-UDEV-STORAGE: Make nvme_subsystem expected pci symlinks more generic
  * test: fixed TEST-24-CRYPTSETUP on SUSE
  * test: install /etc/hosts
  * Use consistent spelling of systemd.condition_first_boot argument
  * util: make file_read() 64bit offset safe
  * vmm: make sure we can handle smbios objects without variable part
    
- Changes in version 254.14:

  * analyze: show pcrs also in sha384 bank
  * chase: Tighten '.' and './' check
  * core/service: fixed accept-socket deserialization
  * efi-api: check /sys/class/tpm/tpm0/tpm_version_major, too
  * executor: check for all permission related errnos when setting up IPC namespace
  * install: allow removing symlinks even for units that are gone
  * json: use secure un{base64,hex}mem for sensitive variants
  * man,units: drop 'temporary' from description of systemd-tmpfiles
  * missing_loop.h: fixed LOOP_SET_STATUS_SETTABLE_FLAGS
  * repart: fixed memory leak
  * repart: Use CRYPT_ACTIVATE_PRIVATE
  * resolved: permit dnssec rrtype questions when we aren't validating
  * rules: Limit the number of device units generated for serial ttys
  * run: do not pass the pty slave fd to transient service in a machine
  * sd-dhcp-server: clear buffer before receive
  * strbuf: use GREEDY_REALLOC to grow the buffer

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2779-1
Released:    Tue Aug  6 14:35:49 2024
Summary:     Recommended update for permissions
Type:        recommended
Severity:    moderate
References:  1228548

This update for permissions fixes the following issue:

* cockpit: moved setuid executable (bsc#1228548)


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2784-1
Released:    Tue Aug  6 14:58:38 2024
Summary:     Security update for curl
Type:        security
Severity:    important
References:  1227888,1228535,CVE-2024-6197,CVE-2024-7264
This update for curl fixes the following issues:

- CVE-2024-7264: Fixed ASN.1 date parser overread (bsc#1228535)
- CVE-2024-6197: Fixed freeing stack buffer in utf8asn1str (bsc#1227888)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2791-1
Released:    Tue Aug  6 16:35:06 2024
Summary:     Recommended update for various 32bit packages
Type:        recommended
Severity:    moderate
References:  1228322

This update of various packages delivers 32bit variants to allow running Wine
on SLE PackageHub 15 SP6.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2808-1
Released:    Wed Aug  7 09:49:32 2024
Summary:     Security update for shadow
Type:        security
Severity:    moderate
References:  1228770,CVE-2013-4235
This update for shadow fixes the following issues:

- Fixed not copying of skel files (bsc#1228770)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2869-1
Released:    Fri Aug  9 15:59:29 2024
Summary:     Security update for ca-certificates-mozilla
Type:        security
Severity:    important
References:  1220356,1227525
This update for ca-certificates-mozilla fixes the following issues:

- Updated to 2.68 state of Mozilla SSL root CAs (bsc#1227525)
  - Added: FIRMAPROFESIONAL CA ROOT-A WEB
  - Distrust: GLOBALTRUST 2020

- Updated to 2.66 state of Mozilla SSL root CAs (bsc#1220356)
  Added:
  - CommScope Public Trust ECC Root-01
  - CommScope Public Trust ECC Root-02
  - CommScope Public Trust RSA Root-01
  - CommScope Public Trust RSA Root-02
  - D-Trust SBR Root CA 1 2022
  - D-Trust SBR Root CA 2 2022
  - Telekom Security SMIME ECC Root 2021
  - Telekom Security SMIME RSA Root 2023
  - Telekom Security TLS ECC Root 2020
  - Telekom Security TLS RSA Root 2023
  - TrustAsia Global Root CA G3
  - TrustAsia Global Root CA G4
  Removed:
  - Autoridad de Certificacion Firmaprofesional CIF A62634068
  - Chambers of Commerce Root - 2008
  - Global Chambersign Root - 2008
  - Security Communication Root CA
  - Symantec Class 1 Public Primary Certification Authority - G6
  - Symantec Class 2 Public Primary Certification Authority - G6
  - TrustCor ECA-1
  - TrustCor RootCert CA-1
  - TrustCor RootCert CA-2
  - VeriSign Class 1 Public Primary Certification Authority - G3
  - VeriSign Class 2 Public Primary Certification Authority - G3


The following package changes have been done:

- ca-certificates-mozilla-2.68-150200.33.1 updated
- curl-8.6.0-150600.4.3.1 updated
- libassuan0-2.5.5-150000.4.7.1 updated
- libcurl4-8.6.0-150600.4.3.1 updated
- libgpgme11-1.23.0-150600.3.2.1 updated
- libopenssl-3-fips-provider-3.1.4-150600.5.10.1 updated
- libopenssl3-3.1.4-150600.5.10.1 updated
- libsystemd0-254.15-150600.4.8.1 updated
- libudev1-254.15-150600.4.8.1 updated
- login_defs-4.8.1-150600.17.6.1 updated
- openssl-3-3.1.4-150600.5.10.1 updated
- permissions-20240801-150600.10.4.1 updated
- shadow-4.8.1-150600.17.6.1 updated
- sle-module-basesystem-release-15.7-150700.3.1 updated
- sle-module-python3-release-15.7-150700.3.1 updated
- sle-module-server-applications-release-15.7-150700.3.1 updated
- sles-release-15.7-150700.3.1 updated
- suse-build-key-12.0-150000.8.49.2 updated

More information about the sle-container-updates mailing list