SUSE-IU-2024:1239-1: Security update of suse-sles-15-sp5-chost-byos-v20240912-hvm-ssd-x86_64
sle-container-updates at lists.suse.com
Sat Sep 14 07:01:30 UTC 2024
SUSE Image Update Advisory: suse-sles-15-sp5-chost-byos-v20240912-hvm-ssd-x86_64
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2024:1239-1
Image Tags : suse-sles-15-sp5-chost-byos-v20240912-hvm-ssd-x86_64:20240912
Image Release :
Severity : critical
Type : security
References : 1027519 1081596 1200528 1214855 1217070 1218297 1219267 1219268
1219438 1221243 1221479 1221677 1221916 1222021 1223094 1223409
1224044 1224117 1224771 1225267 1226014 1226030 1226414 1226493
1227114 1227127 1227205 1227625 1227793 1228043 1228091 1228105
1228138 1228206 1228208 1228265 1228324 1228398 1228420 1228535
1228553 1228574 1228575 1228787 1228847 1229339 1229930 1229931
1229932 1230020 1230034 1230092 1230093 222971 CVE-2022-1996
CVE-2023-45142 CVE-2023-47108 CVE-2023-7008 CVE-2023-7256 CVE-2024-1753
CVE-2024-23651 CVE-2024-23652 CVE-2024-23653 CVE-2024-24786 CVE-2024-28180
CVE-2024-31145 CVE-2024-31146 CVE-2024-34397 CVE-2024-3727 CVE-2024-41110
CVE-2024-45310 CVE-2024-45490 CVE-2024-45491 CVE-2024-45492 CVE-2024-6345
CVE-2024-7264 CVE-2024-8006 CVE-2024-8096
-----------------------------------------------------------------
The container suse-sles-15-sp5-chost-byos-v20240912-hvm-ssd-x86_64 was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:3026-1
Released: Tue Aug 27 13:20:03 2024
Summary: Recommended update for supportutils
Type: recommended
Severity: moderate
References: 1222021,1227127,1228265
This update for supportutils fixes the following issues:
Changes to version 3.2.8
+ Avoid getting duplicate kernel verifications in boot.text (pr#190)
+ lvm: suppress file descriptor leak warnings from lvm commands (pr#191)
+ docker_info: Add timestamps to container logs (pr#196)
+ Key value pairs and container log timestamps (bsc#1222021 PED-8211, pr#198)
+ Update supportconfig get pam.d sorted (pr#199)
+ yast_files: Exclude .zcat (pr#201)
+ Sanitize grub bootloader (bsc#1227127, pr#203)
+ Sanitize regcodes (pr#204)
+ Improve product detection (pr#205)
+ Add read_values for s390x (bsc#1228265, pr#206)
+ hardware_info: Remove old alsa ver check (pr#209)
+ drbd_info: Fix incorrect escape of quotes (pr#210)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:3054-1
Released: Wed Aug 28 14:48:31 2024
Summary: Security update for python3-setuptools
Type: security
Severity: important
References: 1228105,CVE-2024-6345
This update for python3-setuptools fixes the following issues:
- CVE-2024-6345: Fixed code execution via download functions in the package_index module (bsc#1228105)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:3071-1
Released: Mon Sep 2 15:17:11 2024
Summary: Recommended update for suse-build-key
Type: recommended
Severity: moderate
References: 1229339
This update for suse-build-key fixes the following issue:
- extended 2048 bit SUSE SLE 12, 15 GA-SP5 key until 2028 (bsc#1229339).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:3075-1
Released: Mon Sep 2 16:41:07 2024
Summary: Security update for xen
Type: security
Severity: important
References: 1027519,1228574,1228575,CVE-2024-31145,CVE-2024-31146
This update for xen fixes the following issues:
- CVE-2024-31145: Fixed error handling in x86 IOMMU identity mapping (XSA-460, bsc#1228574)
- CVE-2024-31146: Fixed PCI device pass-through with shared resources (XSA-461, bsc#1228575)
Other fixes:
- Update to Xen 4.17.5 security bug fix release (bsc#1027519)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:3080-1
Released: Mon Sep 2 16:43:54 2024
Summary: Security update for curl
Type: security
Severity: moderate
References: 1228535,CVE-2024-7264
This update for curl fixes the following issues:
- CVE-2024-7264: Fixed out-of-bounds read in ASN.1 date parser GTime2str() (bsc#1228535)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:3086-1
Released: Tue Sep 3 08:57:32 2024
Summary: Security update for glib2
Type: security
Severity: low
References: 1224044,CVE-2024-34397
This update for glib2 fixes the following issues:
- Fixed a possible use after free regression introduced by CVE-2024-34397 patch (bsc#1224044).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:3120-1
Released: Tue Sep 3 17:12:57 2024
Summary: Security update for buildah, docker
Type: security
Severity: critical
References: 1214855,1219267,1219268,1219438,1221243,1221677,1221916,1223409,1224117,1228324,CVE-2024-1753,CVE-2024-23651,CVE-2024-23652,CVE-2024-23653,CVE-2024-24786,CVE-2024-28180,CVE-2024-3727,CVE-2024-41110
This update for buildah, docker fixes the following issues:
Changes in docker:
- CVE-2024-23651: Fixed arbitrary file write due to a race condition on mounts (bsc#1219267)
- CVE-2024-23652: Fixed insufficient validation of parent directory on mount (bsc#1219268)
- CVE-2024-23653: Fixed insufficient validation on entitlement on container creation via buildkit (bsc#1219438)
- CVE-2024-41110: Fixed an Authz zero-length regression that could lead to authentication bypass (bsc#1228324)
Other fixes:
- Update to Docker 25.0.6-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/25.0/#2506>
- Update to Docker 25.0.5-ce (bsc#1223409)
- Fix BuildKit's symlink resolution logic to correctly handle non-lexical symlinks. (bsc#1221916)
- Write volume options atomically so sudden system crashes won't result in future Docker starts failing due to empty files. (bsc#1214855)
Changes in buildah:
- Update to version 1.35.4:
* [release-1.35] Bump to Buildah v1.35.4
* [release-1.35] CVE-2024-3727 updates (bsc#1224117)
* integration test: handle new labels in 'bud and test --unsetlabel'
* [release-1.35] Bump go-jose CVE-2024-28180
* [release-1.35] Bump ocicrypt and go-jose CVE-2024-28180
- Update to version 1.35.3:
* [release-1.35] Bump to Buildah v1.35.3
* [release-1.35] correctly configure /etc/hosts and resolv.conf
* [release-1.35] buildah: refactor resolv/hosts setup.
* [release-1.35] rename the hostFile var to reflect
* [release-1.35] Bump c/common to v0.58.1
* [release-1.35] Bump Buildah to v1.35.2
* [release-1.35] CVE-2024-24786 protobuf to 1.33
* [release-1.35] Bump to v1.35.2-dev
- Update to version 1.35.1:
* [release-1.35] Bump to v1.35.1
* [release-1.35] CVE-2024-1753 container escape fix (bsc#1221677)
- Buildah dropped cni support, require netavark instead (bsc#1221243)
- Remove obsolete requires libcontainers-image & libcontainers-storage
- Require passt for rootless networking (poo#156955)
  Buildah moved to passt/pasta for rootless networking from slirp4netns
  (https://github.com/containers/common/pull/1846)
- Update to version 1.35.0:
* Bump v1.35.0
* Bump c/common v0.58.0, c/image v5.30.0, c/storage v1.53.0
* conformance tests: don't break on trailing zeroes in layer blobs
* Add a conformance test for copying to a mounted prior stage
* fix(deps): update module github.com/stretchr/testify to v1.9.0
* cgroups: reuse version check from c/common
* Update vendor of containers/(common,image)
* fix(deps): update github.com/containers/storage digest to eadc620
* fix(deps): update github.com/containers/luksy digest to ceb12d4
* fix(deps): update github.com/containers/image/v5 digest to cdc6802
* manifest add: complain if we get artifact flags without --artifact
* Use retry logic from containers/common
* Vendor in containers/(storage,image,common)
* Update module golang.org/x/crypto to v0.20.0
* Add comment re: Total Success task name
* tests: skip_if_no_unshare(): check for --setuid
* Properly handle build --pull=false
* [skip-ci] Update tim-actions/get-pr-commits action to v1.3.1
* Update module go.etcd.io/bbolt to v1.3.9
* Revert 'Reduce official image size'
* Update module github.com/opencontainers/image-spec to v1.1.0
* Reduce official image size
* Build with CNI support on FreeBSD
* build --all-platforms: skip some base 'image' platforms
* Bump main to v1.35.0-dev
* Vendor in latest containers/(storage,image,common)
* Split up error messages for missing --sbom related flags
* `buildah manifest`: add artifact-related options
* cmd/buildah/manifest.go: lock lists before adding/annotating/pushing
* cmd/buildah/manifest.go: don't make struct declarations aliases
* Use golang.org/x/exp/slices.Contains
* Disable loong64 again
* Fix a couple of typos in one-line comments
* egrep is obsolescent; use grep -E
* Try Cirrus with a newer VM version
* Set CONTAINERS_CONF in the chroot-mount-flags integration test
* Update to match dependency API update
* Update github.com/openshift/imagebuilder and containers/common
* docs: correct default authfile path
* fix(deps): update module github.com/containerd/containerd to v1.7.13
* tests: retrofit test for heredoc summary
* build, heredoc: show heredoc summary in build output
* manifest, push: add support for --retry and --retry-delay
* fix(deps): update github.com/openshift/imagebuilder digest to b767bc3
* imagebuildah: fix crash with empty RUN
* fix(deps): update github.com/containers/luksy digest to b62d551
* fix(deps): update module github.com/opencontainers/runc to v1.1.12 [security]
* fix(deps): update module github.com/moby/buildkit to v0.12.5 [security]
* Make buildah match podman for handling of ulimits
* docs: move footnotes to where they're applicable
* Allow users to specify no-dereference
* Run codespell on code
* Fix FreeBSD version parsing
* Fix a build break on FreeBSD
* Remove a bad FROM line
* fix(deps): update module github.com/onsi/gomega to v1.31.1
* fix(deps): update module github.com/opencontainers/image-spec to v1.1.0-rc6
* docs: use reversed logo for dark theme in README
* build,commit: add --sbom to scan and produce SBOMs when committing
* commit: force omitHistory if the parent has layers but no history
* docs: fix a couple of typos
* internal/mkcw.Archive(): handle extra image content
* stage_executor,heredoc: honor interpreter in heredoc
* stage_executor,layers: burst cache if heredoc content is changed
* fix(deps): update module golang.org/x/crypto to v0.18.0
* Replace map[K]bool with map[K]struct{} where it makes sense
* fix(deps): update module golang.org/x/sync to v0.6.0
* fix(deps): update module golang.org/x/term to v0.16.0
* Bump CI VMs
* Replace strings.SplitN with strings.Cut
* fix(deps): update github.com/containers/storage digest to ef81e9b
* fix(deps): update github.com/containers/image/v5 digest to 1b221d4
* fix(deps): update module github.com/fsouza/go-dockerclient to v1.10.1
* Document use of containers-transports values in buildah
* fix(deps): update module golang.org/x/crypto to v0.17.0 [security]
* chore(deps): update dependency containers/automation_images to v20231208
* manifest: addCompression use default from containers.conf
* commit: add a --add-file flag
* mkcw: populate the rootfs using an overlay
* chore(deps): update dependency containers/automation_images to v20230517
* [skip-ci] Update actions/stale action to v9
* fix(deps): update module github.com/containernetworking/plugins to v1.4.0
* fix(deps): update github.com/containers/image/v5 digest to 7a40fee
* Bump to v1.34.1-dev
* Ignore errors if label.Relabel returns ENOSUP
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:3143-1
Released: Wed Sep 4 12:45:50 2024
Summary: Recommended update for sles-release
Type: recommended
Severity: moderate
References: 1227114
This update for sles-release fixes the following issues:
- Increment Codestream lifecycle by 3 years.
- Set Product EOL date.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:3146-1
Released: Thu Sep 5 09:14:53 2024
Summary: Recommended update for dracut
Type: recommended
Severity: moderate
References: 1228398,1228847
This update for dracut fixes the following issues:
- Version update with:
* feat(systemd*) include systemd config files from /usr/lib/systemd (bsc#1228398).
* fix(convertfs) error in conditional expressions (bsc#1228847).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:3149-1
Released: Thu Sep 5 17:05:36 2024
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1218297,1221479,1226414,1228091,CVE-2023-7008
This update for systemd fixes the following issues:
- CVE-2023-7008: Fixed a man-in-the-middle issue where an unsigned name response in a signed zone was not refused when DNSSEC=yes (bsc#1218297)
Other fixes:
- Unit: drop ProtectClock=yes from systemd-udevd.service (bsc#1226414)
- Don't mention any rpm macros inside comments, even if escaped (bsc#1228091)
- Skip redundant dependencies specified in the LSB description that reference the file name of the service itself for early boot scripts (bsc#1221479).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:3167-1
Released: Mon Sep 9 12:31:59 2024
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1228043
This update for glibc fixes the following issue:
- s390x: Fix segfault in wcsncmp (bsc#1228043).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:3178-1
Released: Mon Sep 9 14:39:14 2024
Summary: Recommended update for libzypp, zypper, libsolv, zypp-plugin, PackageKit-branding-SLE, PackageKit, libyui, yast2-pkg-bindings
Type: recommended
Severity: important
References: 1081596,1223094,1224771,1225267,1226014,1226030,1226493,1227205,1227625,1227793,1228138,1228206,1228208,1228420,1228787,222971
This update for libzypp, zypper, libsolv, zypp-plugin, PackageKit-branding-SLE, PackageKit, libyui, yast2-pkg-bindings fixes the following issues:
- Make sure not to statically link installed tools (bsc#1228787)
- MediaPluginType must be resolved to a valid MediaHandler (bsc#1228208)
- Export asSolvable for YAST (bsc#1228420)
- Export CredentialManager for legacy YAST versions (bsc#1228420)
- Fix 4 typos in zypp.conf
- Fix typo in the geoip update pipeline (bsc#1228206)
- Export RepoVariablesStringReplacer for yast2 (bsc#1228138)
- Removed dependency on external find program in the repo2solv tool
- Fix return value of repodata.add_solv()
- New SOLVER_FLAG_FOCUS_NEW flag
- Fix return value of repodata.add_solv() in the bindings
- Fix SHA-224 oid in solv_pgpvrfy
- Translation: updated .pot file.
- Conflict with python zypp-plugin < 0.6.4 (bsc#1227793)
- Fix int overflow in Provider
- Fix error reporting on repoindex.xml parse error (bsc#1227625)
- Keep UrlResolverPlugin API public
- Blacklist /snap executables for 'zypper ps' (bsc#1226014)
- Fix handling of buddies when applying locks (bsc#1225267)
- Fix readline setup to handle Ctrl-C and Ctrl-D correctly (bsc#1227205)
- Show rpm install size before installing (bsc#1224771)
- Install zypp/APIConfig.h legacy include
- Update soname due to RepoManager refactoring and cleanup
- Workaround broken libsolv-tools-base requirements
- Strip ssl_clientkey from repo urls (bsc#1226030)
- Remove protobuf build dependency
- Lazily attach medium during refresh workflows (bsc#1223094)
- Refactor RepoManager and add Service workflows
- Let readline abort on Ctrl-C (bsc#1226493)
- packages: add '--system' to show @System packages (bsc#222971)
- Provide python3-zypp-plugin down to SLE12 (bsc#1081596)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:3210-1
Released: Wed Sep 11 17:39:30 2024
Summary: Security update for libpcap
Type: security
Severity: moderate
References: 1230020,1230034,CVE-2023-7256,CVE-2024-8006
This update for libpcap fixes the following issues:
- CVE-2024-8006: NULL pointer dereference in function pcap_findalldevs_ex(). (bsc#1230034)
- CVE-2023-7256: double free via struct addrinfo in function sock_initaddress(). (bsc#1230020)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:3211-1
Released: Wed Sep 11 17:40:13 2024
Summary: Security update for curl
Type: security
Severity: moderate
References: 1230093,CVE-2024-8096
This update for curl fixes the following issues:
- CVE-2024-8096: OCSP stapling bypass with GnuTLS. (bsc#1230093)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:3216-1
Released: Thu Sep 12 13:05:20 2024
Summary: Security update for expat
Type: security
Severity: moderate
References: 1229930,1229931,1229932,CVE-2024-45490,CVE-2024-45491,CVE-2024-45492
This update for expat fixes the following issues:
- CVE-2024-45492: integer overflow in function nextScaffoldPart. (bsc#1229932)
- CVE-2024-45491: integer overflow in dtdCopy. (bsc#1229931)
- CVE-2024-45490: negative length for XML_ParseBuffer not rejected. (bsc#1229930)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:3221-1
Released: Thu Sep 12 13:18:18 2024
Summary: Security update for containerd
Type: security
Severity: important
References: 1200528,1217070,1228553,CVE-2022-1996,CVE-2023-45142,CVE-2023-47108
This update for containerd fixes the following issues:
- Update to containerd v1.7.21
- CVE-2023-47108: Fixed DoS vulnerability in otelgrpc (uncontrolled resource consumption) due to unbound cardinality metrics. (bsc#1217070)
- CVE-2023-45142: Fixed DoS vulnerability in otelhttp. (bsc#1228553)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:3222-1
Released: Thu Sep 12 13:20:47 2024
Summary: Security update for runc
Type: security
Severity: low
References: 1230092,CVE-2024-45310
This update for runc fixes the following issues:
- Update to runc v1.1.14
- CVE-2024-45310: Fixed an issue where runc can be tricked into creating empty files/directories on host. (bsc#1230092)
The following package changes have been done:
- containerd-ctr-1.7.21-150000.117.1 updated
- containerd-1.7.21-150000.117.1 updated
- curl-8.0.1-150400.5.50.1 updated
- docker-25.0.6_ce-150000.207.1 updated
- dracut-055+suse.392.g7930ab23-150500.3.24.2 updated
- glibc-locale-base-2.31-150300.86.3 updated
- glibc-locale-2.31-150300.86.3 updated
- glibc-2.31-150300.86.3 updated
- libcurl4-8.0.1-150400.5.50.1 updated
- libexpat1-2.4.4-150400.3.22.1 updated
- libglib-2_0-0-2.70.5-150400.3.14.1 updated
- libpcap1-1.10.1-150400.3.3.2 updated
- libsolv-tools-base-0.7.30-150400.3.27.2 updated
- libsolv-tools-0.7.30-150400.3.27.2 updated
- libsystemd0-249.17-150400.8.43.1 updated
- libudev1-249.17-150400.8.43.1 updated
- libzypp-17.35.8-150500.6.13.1 updated
- python3-setuptools-44.1.1-150400.9.9.1 updated
- runc-1.1.14-150000.70.1 updated
- sles-release-15.5-150500.61.4.1 updated
- supportutils-3.2.8-150300.7.35.33.1 updated
- suse-build-key-12.0-150000.8.52.3 updated
- systemd-sysvinit-249.17-150400.8.43.1 updated
- systemd-249.17-150400.8.43.1 updated
- udev-249.17-150400.8.43.1 updated
- xen-libs-4.17.5_02-150500.3.36.1 updated
- xen-tools-domU-4.17.5_02-150500.3.36.1 updated
- zypper-1.14.76-150500.6.6.15 updated
- libabsl2401_0_0-20240116.1-150500.13.7.8 removed
- libprotobuf-lite25_1_0-25.1-150500.12.2.2 removed