SUSE-CU-2024:4379-1: Security update of suse/manager/5.0/x86_64/server-migration-14-16
sle-container-updates at lists.suse.com
sle-container-updates at lists.suse.com
Tue Sep 17 11:36:58 UTC 2024
SUSE Container Update Advisory: suse/manager/5.0/x86_64/server-migration-14-16
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:4379-1
Container Tags : suse/manager/5.0/x86_64/server-migration-14-16:5.0.1 , suse/manager/5.0/x86_64/server-migration-14-16:5.0.1.7.5.1 , suse/manager/5.0/x86_64/server-migration-14-16:latest
Container Release : 7.5.1
Severity : critical
Type : security
References : 1159034 1188441 1194818 1194818 1218609 1218609 1219559 1220117
1220523 1220664 1220690 1220693 1220696 1221365 1221563 1221751
1221752 1221753 1221760 1221786 1221787 1221821 1221822 1221824
1221827 1221831 1221854 1222075 1222285 1222899 1223336 1223428
1223596 1223605 1224038 1224051 1224282 1224388 1225291 1225551
1225598 1225907 1226415 1226447 1226448 1226463 1226463 1227138
1227138 1227186 1227187 1228042 1228548 1228770 1228968 1229013
1229013 1229329 1229465 916845 CVE-2013-4235 CVE-2013-4235 CVE-2023-52425
CVE-2024-0397 CVE-2024-0450 CVE-2024-28085 CVE-2024-34459 CVE-2024-37370
CVE-2024-37371 CVE-2024-4032 CVE-2024-4317 CVE-2024-4603 CVE-2024-4741
CVE-2024-5535 CVE-2024-5535 CVE-2024-6119 CVE-2024-7348 CVE-2024-7348
-----------------------------------------------------------------
The container suse/manager/5.0/x86_64/server-migration-14-16 was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:1943-1
Released: Fri Jun 7 17:04:06 2024
Summary: Security update for util-linux
Type: security
Severity: important
References: 1218609,1220117,1221831,1223605,CVE-2024-28085
This update for util-linux fixes the following issues:
- CVE-2024-28085: Properly neutralize escape sequences in wall to avoid potential account takeover. (bsc#1221831)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:1997-1
Released: Tue Jun 11 17:24:32 2024
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 1223596
This update for e2fsprogs fixes the following issues:
- EA Inode handling fixes:
- e2fsck: add more checks for ea inode consistency (bsc#1223596)
- e2fsck: fix golden output of several tests (bsc#1223596)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2066-1
Released: Tue Jun 18 13:16:09 2024
Summary: Security update for openssl-3
Type: security
Severity: important
References: 1223428,1224388,1225291,1225551,CVE-2024-4603,CVE-2024-4741
This update for openssl-3 fixes the following issues:
Security issues fixed:
- CVE-2024-4603: Check DSA parameters for excessive sizes before validating (bsc#1224388)
- CVE-2024-4741: Fixed a use-after-free with SSL_free_buffers. (bsc#1225551)
Other issues fixed:
- Enable livepatching support (bsc#1223428)
- Fix HDKF key derivation (bsc#1225291, gh#openssl/openssl#23448, + gh#openssl/openssl#23456)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2086-1
Released: Wed Jun 19 11:48:24 2024
Summary: Recommended update for gcc13
Type: recommended
Severity: moderate
References: 1188441
This update for gcc13 fixes the following issues:
Update to GCC 13.3 release
- Removed Fiji support from the GCN offload compiler as that is requiring
Code Object version 3 which is no longer supported by llvm18.
- Avoid combine spending too much compile-time and memory doing nothing
on s390x. [bsc#1188441]
- Make requirement to lld version specific to avoid requiring the
meta-package.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2214-1
Released: Tue Jun 25 17:11:26 2024
Summary: Recommended update for util-linux
Type: recommended
Severity: moderate
References: 1225598
This update for util-linux fixes the following issue:
- Fix hang of lscpu -e (bsc#1225598)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2239-1
Released: Wed Jun 26 13:09:10 2024
Summary: Recommended update for systemd
Type: recommended
Severity: critical
References: 1226415
This update for systemd contains the following fixes:
- testsuite: move a misplaced %endif
- Do not remove existing configuration files in /etc. If these files were
modified on the systemd, that may cause unwanted side effects (bsc#1226415).
- Import upstream commit (merge of v254.13)
Use the pty slave fd opened from the namespace when transient service is running in a container.
This revert the backport of the broken commit until a fix is released in the v254-stable tree.
- Import upstream commit (merge of v254.11)
For a complete list of changes, visit:
https://github.com/openSUSE/systemd/compare/e8d77af4240894da620de74fbc7823aaaa448fef...85db84ee440eac202c4b5507e96e1704269179bc
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2290-1
Released: Wed Jul 3 11:35:00 2024
Summary: Security update for libxml2
Type: security
Severity: low
References: 1224282,CVE-2024-34459
This update for libxml2 fixes the following issues:
- CVE-2024-34459: Fixed buffer over-read in xmlHTMLPrintFileContext in xmllint.c (bsc#1224282).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2307-1
Released: Fri Jul 5 12:04:34 2024
Summary: Security update for krb5
Type: security
Severity: important
References: 1227186,1227187,CVE-2024-37370,CVE-2024-37371
This update for krb5 fixes the following issues:
- CVE-2024-37370: Fixed confidential GSS krb5 wrap tokens with invalid fields were errouneously accepted (bsc#1227186).
- CVE-2024-37371: Fixed invalid memory read when processing message tokens with invalid length fields (bsc#1227187).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2479-1
Released: Mon Jul 15 10:33:22 2024
Summary: Security update for python3
Type: security
Severity: important
References: 1219559,1220664,1221563,1221854,1222075,1226447,1226448,CVE-2023-52425,CVE-2024-0397,CVE-2024-0450,CVE-2024-4032
This update for python3 fixes the following issues:
- CVE-2023-52425: Fixed backport so it uses features sniffing, not just comparing version number (bsc#1219559).
- CVE-2024-0450: Fixed detecting the vulnerability of 'quoted-overlap' zipbomb (bsc#1221854).
- CVE-2024-4032: Rearranging definition of private v global IP. (bsc#1226448)
- CVE-2024-0397: Remove a memory race condition in ssl.SSLContext certificate store methods. (bsc#1226447)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2630-1
Released: Tue Jul 30 09:12:44 2024
Summary: Security update for shadow
Type: security
Severity: important
References: 916845,CVE-2013-4235
This update for shadow fixes the following issues:
- CVE-2013-4235: Fixed a race condition when copying and removing directory trees (bsc#916845).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2635-1
Released: Tue Jul 30 09:14:09 2024
Summary: Security update for openssl-3
Type: security
Severity: important
References: 1222899,1223336,1226463,1227138,CVE-2024-5535
This update for openssl-3 fixes the following issues:
Security fixes:
- CVE-2024-5535: Fixed SSL_select_next_proto buffer overread (bsc#1227138)
Other fixes:
- Build with no-afalgeng (bsc#1226463)
- Build with enabled sm2 and sm4 support (bsc#1222899)
- Fix non-reproducibility issue (bsc#1223336)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2641-1
Released: Tue Jul 30 09:29:36 2024
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References:
This update for systemd fixes the following issues:
systemd was updated from version 254.13 to version 254.15:
- Changes in version 254.15:
* boot: cover for hardware keys on phones/tablets
* Conditional PSI check to reflect changes done in 5.13
* core/dbus-manager: refuse SoftReboot() for user managers
* core/exec-invoke: reopen OpenFile= fds with O_NOCTTY
* core/exec-invoke: use sched_setattr instead of sched_setscheduler
* core/unit: follow merged units before updating SourcePath= timestamp too
* coredump: correctly take tmpfs size into account for compression
* cryptsetup: improve TPM2 blob display
* docs: Add section to HACKING.md on distribution packages
* docs: fixed dead link to GNOME documentation
* docs/CODING_STYLE: document that we nowadays prefer (const char*) for func ret type
* Fixed typo in CAP_BPF description
* LICENSES/README: expand text to summarize state for binaries and libs
* man: fully adopt ~/.local/state/
* man/systemd.exec: list inaccessible files for ProtectKernelTunables
* man/tmpfiles: remove outdated behavior regarding symlink ownership
* meson: bpf: propagate 'sysroot' for cross compilation
* meson: Define __TARGET_ARCH macros required by bpf
* mkfs-util: Set sector size for btrfs as well
* mkosi: drop CentOS 8 from CI
* mkosi: Enable hyperscale-packages-experimental for CentOS
* mountpoint-util: do not assume symlinks are not mountpoints
* os-util: avoid matching on the wrong extension-release file
* README: add missing CONFIG_MEMCG kernel config option for oomd
* README: update requirements for signed dm-verity
* resolved: allow the full TTL to be used by OPT records
* resolved: correct parsing of OPT extended RCODEs
* sysusers: handle NSS errors gracefully
* TEST-58-REPART: reverse order of diff args
* TEST-64-UDEV-STORAGE: Make nvme_subsystem expected pci symlinks more generic
* test: fixed TEST-24-CRYPTSETUP on SUSE
* test: install /etc/hosts
* Use consistent spelling of systemd.condition_first_boot argument
* util: make file_read() 64bit offset safe
* vmm: make sure we can handle smbios objects without variable part
- Changes in version 254.14:
* analyze: show pcrs also in sha384 bank
* chase: Tighten '.' and './' check
* core/service: fixed accept-socket deserialization
* efi-api: check /sys/class/tpm/tpm0/tpm_version_major, too
* executor: check for all permission related errnos when setting up IPC namespace
* install: allow removing symlinks even for units that are gone
* json: use secure un{base64,hex}mem for sensitive variants
* man,units: drop 'temporary' from description of systemd-tmpfiles
* missing_loop.h: fixed LOOP_SET_STATUS_SETTABLE_FLAGS
* repart: fixed memory leak
* repart: Use CRYPT_ACTIVATE_PRIVATE
* resolved: permit dnssec rrtype questions when we aren't validating
* rules: Limit the number of device units generated for serial ttys
* run: do not pass the pty slave fd to transient service in a machine
* sd-dhcp-server: clear buffer before receive
* strbuf: use GREEDY_REALLOC to grow the buffer
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2779-1
Released: Tue Aug 6 14:35:49 2024
Summary: Recommended update for permissions
Type: recommended
Severity: moderate
References: 1228548
This update for permissions fixes the following issue:
* cockpit: moved setuid executable (bsc#1228548)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2808-1
Released: Wed Aug 7 09:49:32 2024
Summary: Security update for shadow
Type: security
Severity: moderate
References: 1228770,CVE-2013-4235
This update for shadow fixes the following issues:
- Fixed not copying of skel files (bsc#1228770)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2888-1
Released: Tue Aug 13 11:07:41 2024
Summary: Recommended update for util-linux
Type: recommended
Severity: moderate
References: 1159034,1194818,1218609,1222285
This update for util-linux fixes the following issues:
- agetty: Prevent login cursor escape (bsc#1194818).
- Document unexpected side effects of lazy destruction (bsc#1159034).
- Don't delete binaries not common for all architectures. Create an
util-linux-extra subpackage instead, so users of third party
tools can use them (bsc#1222285).
- Improved man page for chcpu (bsc#1218609).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2933-1
Released: Thu Aug 15 12:12:50 2024
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1225907,1226463,1227138,CVE-2024-5535
This update for openssl-1_1 fixes the following issues:
- CVE-2024-5535: Fixed a buffer overread in function SSL_select_next_proto() with an empty supported client protocols buffer (bsc#1227138)
Other fixes:
- Build with no-afalgeng. (bsc#1226463)
- Fixed C99 violations to allow the package to build with GCC 14. (bsc#1225907)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2967-1
Released: Mon Aug 19 15:41:29 2024
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1194818
This update for pam fixes the following issue:
- Prevent cursor escape from the login prompt (bsc#1194818).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:3106-1
Released: Tue Sep 3 17:00:40 2024
Summary: Security update for openssl-3
Type: security
Severity: moderate
References: 1220523,1220690,1220693,1220696,1221365,1221751,1221752,1221753,1221760,1221786,1221787,1221821,1221822,1221824,1221827,1229465,CVE-2024-6119
This update for openssl-3 fixes the following issues:
- CVE-2024-6119: Fixed denial of service in X.509 name checks (bsc#1229465)
Other fixes:
- FIPS: Deny SHA-1 signature verification in FIPS provider (bsc#1221365).
- FIPS: RSA keygen PCT requirements.
- FIPS: Check that the fips provider is available before setting
it as the default provider in FIPS mode (bsc#1220523).
- FIPS: Port openssl to use jitterentropy (bsc#1220523).
- FIPS: Block non-Approved Elliptic Curves (bsc#1221786).
- FIPS: Service Level Indicator (bsc#1221365).
- FIPS: Output the FIPS-validation name and module version which uniquely
identify the FIPS validated module (bsc#1221751).
- FIPS: Add required selftests: (bsc#1221760).
- FIPS: DH: Disable FIPS 186-4 Domain Parameters (bsc#1221821).
- FIPS: Recommendation for Password-Based Key Derivation (bsc#1221827).
- FIPS: Zero initialization required (bsc#1221752).
- FIPS: Reseed DRBG (bsc#1220690, bsc#1220693, bsc#1220696).
- FIPS: NIST SP 800-56Brev2 (bsc#1221824).
- FIPS: Approved Modulus Sizes for RSA Digital Signature for FIPS 186-4 (bsc#1221787).
- FIPS: Port openssl to use jitterentropy (bsc#1220523).
- FIPS: NIST SP 800-56Arev3 (bsc#1221822).
- FIPS: Error state has to be enforced (bsc#1221753).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:3132-1
Released: Tue Sep 3 17:43:10 2024
Summary: Recommended update for permissions
Type: recommended
Severity: moderate
References: 1228968,1229329
This update for permissions fixes the following issues:
- Update to version 20240826:
* permissions: remove outdated entries (bsc#1228968)
- Update to version 20240826:
* cockpit: revert path change (bsc#1229329)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:3159-1
Released: Fri Sep 6 12:15:52 2024
Summary: Security update for postgresql16
Type: security
Severity: important
References: 1224038,1224051,1229013,CVE-2024-4317,CVE-2024-7348
This update for postgresql16 fixes the following issues:
- Upgrade to 16.4 (bsc#1229013)
- CVE-2024-7348: PostgreSQL relation replacement during pg_dump executes arbitrary SQL. (bsc#1229013)
- CVE-2024-4317: Restrict visibility of pg_stats_ext and pg_stats_ext_exprs entries to the table owner. See the release notes for the steps that have to be taken to fix existing PostgreSQL instances. (bsc#1224038)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:3160-1
Released: Fri Sep 6 12:16:19 2024
Summary: Security update for postgresql16
Type: security
Severity: important
References: 1229013,CVE-2024-7348
This update for postgresql16 fixes the following issues:
- Upgrade to 14.13 (bsc#1229013)
- CVE-2024-7348: PostgreSQL relation replacement during pg_dump executes arbitrary SQL. (bsc#1229013)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:3166-1
Released: Mon Sep 9 12:25:30 2024
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1228042
This update for glibc fixes the following issue:
- s390x-wcsncmp patch for s390x: Fix segfault in wcsncmp (bsc#1228042).
The following package changes have been done:
- glibc-2.38-150600.14.8.2 updated
- libuuid1-2.39.3-150600.4.9.4 updated
- libcom_err2-1.47.0-150600.4.3.2 updated
- libxml2-2-2.10.3-150500.5.17.1 updated
- libgcc_s1-13.3.0+git8781-150000.1.12.1 updated
- libstdc++6-13.3.0+git8781-150000.1.12.1 updated
- libopenssl3-3.1.4-150600.5.15.1 updated
- libopenssl-3-fips-provider-3.1.4-150600.5.15.1 updated
- krb5-1.20.1-150600.11.3.1 updated
- login_defs-4.8.1-150600.17.6.1 updated
- permissions-20240826-150600.10.9.1 updated
- pam-1.3.0-150000.6.71.2 updated
- shadow-4.8.1-150600.17.6.1 updated
- libsystemd0-254.15-150600.4.8.1 updated
- glibc-locale-base-2.38-150600.14.8.2 updated
- libopenssl1_1-1.1.1w-150600.5.6.1 updated
- libpq5-16.4-150600.16.5.1 updated
- glibc-locale-2.38-150600.14.8.2 updated
- libpython3_6m1_0-3.6.15-150300.10.65.1 updated
- python3-base-3.6.15-150300.10.65.1 updated
- postgresql14-14.13-150600.16.6.1 updated
- postgresql16-16.4-150600.16.5.1 updated
- postgresql14-server-14.13-150600.16.6.1 updated
- postgresql16-server-16.4-150600.16.5.1 updated
- postgresql16-contrib-16.4-150600.16.5.1 updated
- postgresql14-contrib-14.13-150600.16.6.1 updated
- container:suse-manager-5.0-init-5.0.1-5.0.1-7.3.17 added
- container:suse-manager-5.0-init-5.0.0-5.0.0-5.19 removed
More information about the sle-container-updates
mailing list