SUSE-CU-2024:4563-1: Security update of suse/sle15

sle-container-updates at lists.suse.com
Thu Sep 26 13:46:47 UTC 2024


SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:4563-1
Container Tags        : bci/bci-base:15.7 , bci/bci-base:15.7.50.18 , suse/sle15:15.7 , suse/sle15:15.7.50.18
Container Release     : 50.18
Severity              : important
Type                  : security
References            : 1081596 1202870 1207789 1209627 1220523 1220690 1220693 1220696
                        1221365 1221751 1221752 1221753 1221760 1221786 1221787 1221821
                        1221822 1221824 1221827 1223094 1224771 1225267 1226014 1226030
                        1226493 1227205 1227625 1227793 1228042 1228138 1228206 1228208
                        1228420 1228647 1228787 1228968 1229028 1229329 1229339 1229465
                        1229476 1230093 1230267 222971 CVE-2024-6119 CVE-2024-8096 
-----------------------------------------------------------------

The container suse/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2796-1
Released:    Fri Aug 12 14:34:31 2022
Summary:     Recommended update for jitterentropy
Type:        recommended
Severity:    moderate
References:  
This update for jitterentropy fixes the following issues:

jitterentropy is included in version 3.4.0 (jsc#SLE-24941):

This is a FIPS 140-3 / NIST 800-90b compliant userspace jitter entropy generator library, 
used by other FIPS libraries.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3328-1
Released:    Wed Sep 21 12:48:56 2022
Summary:     Recommended update for jitterentropy
Type:        recommended
Severity:    moderate
References:  1202870
This update for jitterentropy fixes the following issues:

- Hide the non-GNUC constructs that are library internal from the 
  exported header, to make it usable in builds with strict C99
  compliance. (bsc#1202870)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:617-1
Released:    Fri Mar  3 16:49:06 2023
Summary:     Recommended update for jitterentropy
Type:        recommended
Severity:    moderate
References:  1207789
This update for jitterentropy fixes the following issues:

- build jitterentropy library with debuginfo (bsc#1207789)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2024-1
Released:    Thu Jun 13 16:15:18 2024
Summary:     Recommended update for jitterentropy
Type:        recommended
Severity:    moderate
References:  1209627
This update for jitterentropy fixes the following issues:

- Fixed a stack corruption on s390x: [bsc#1209627]
  * Output size of the STCKE command on s390x is 16 bytes, compared
    to 8 bytes of the STCK command. Fix a stack corruption in the
    s390x version of jent_get_nstime(). Add some more detailed
    information on the STCKE command.

Updated to 3.4.1

* add FIPS 140 hints to man page
* simplify the test tool to search for optimal configurations
* fix: jent_loop_shuffle: re-add setting the time that was lost with 3.4.0
* enhancement: add ARM64 assembler code to read high-res timer
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:3071-1
Released:    Mon Sep  2 15:17:11 2024
Summary:     Recommended update for suse-build-key
Type:        recommended
Severity:    moderate
References:  1229339
This update for suse-build-key fixes the following issue:

- extended 2048 bit SUSE SLE 12, 15 GA-SP5 key until 2028 (bsc#1229339).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:3106-1
Released:    Tue Sep  3 17:00:40 2024
Summary:     Security update for openssl-3
Type:        security
Severity:    moderate
References:  1220523,1220690,1220693,1220696,1221365,1221751,1221752,1221753,1221760,1221786,1221787,1221821,1221822,1221824,1221827,1229465,CVE-2024-6119
This update for openssl-3 fixes the following issues:

- CVE-2024-6119: Fixed denial of service in X.509 name checks (bsc#1229465)

Other fixes:

- FIPS: Deny SHA-1 signature verification in FIPS provider (bsc#1221365).
- FIPS: RSA keygen PCT requirements.
- FIPS: Check that the fips provider is available before setting
  it as the default provider in FIPS mode (bsc#1220523).
- FIPS: Port openssl to use jitterentropy (bsc#1220523).
- FIPS: Block non-Approved Elliptic Curves (bsc#1221786).
- FIPS: Service Level Indicator (bsc#1221365).
- FIPS: Output the FIPS-validation name and module version which uniquely
  identify the FIPS validated module (bsc#1221751).
- FIPS: Add required selftests: (bsc#1221760).
- FIPS: DH: Disable FIPS 186-4 Domain Parameters (bsc#1221821).
- FIPS: Recommendation for Password-Based Key Derivation (bsc#1221827).
- FIPS: Zero initialization required (bsc#1221752).
- FIPS: Reseed DRBG (bsc#1220690, bsc#1220693, bsc#1220696).
- FIPS: NIST SP 800-56Brev2 (bsc#1221824).
- FIPS: Approved Modulus Sizes for RSA Digital Signature for FIPS 186-4 (bsc#1221787).
- FIPS: NIST SP 800-56Arev3 (bsc#1221822).
- FIPS: Error state has to be enforced (bsc#1221753).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:3132-1
Released:    Tue Sep  3 17:43:10 2024
Summary:     Recommended update for permissions
Type:        recommended
Severity:    moderate
References:  1228968,1229329
This update for permissions fixes the following issues:

- Update to version 20240826:
  * permissions: remove outdated entries (bsc#1228968)

- Update to version 20240826:
  * cockpit: revert path change (bsc#1229329)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:3166-1
Released:    Mon Sep  9 12:25:30 2024
Summary:     Recommended update for glibc
Type:        recommended
Severity:    moderate
References:  1228042
This update for glibc fixes the following issue:

- s390x-wcsncmp patch for s390x: Fix segfault in wcsncmp (bsc#1228042).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:3178-1
Released:    Mon Sep  9 14:39:12 2024
Summary:     Recommended update for libzypp, zypper, libsolv, zypp-plugin, PackageKit-branding-SLE, PackageKit, libyui, yast2-pkg-bindings
Type:        recommended
Severity:    important
References:  1081596,1223094,1224771,1225267,1226014,1226030,1226493,1227205,1227625,1227793,1228138,1228206,1228208,1228420,1228787,222971
This update for libzypp, zypper, libsolv, zypp-plugin, PackageKit-branding-SLE, PackageKit, libyui, yast2-pkg-bindings fixes the following issues:

- Make sure not to statically link installed tools (bsc#1228787)
- MediaPluginType must be resolved to a valid MediaHandler (bsc#1228208)
- Export asSolvable for YAST (bsc#1228420)
- Export CredentialManager for legacy YAST versions (bsc#1228420)
- Fix 4 typos in zypp.conf
- Fix typo in the geoip update pipeline (bsc#1228206)
- Export RepoVariablesStringReplacer for yast2 (bsc#1228138)
- Removed dependency on external find program in the repo2solv tool
- Fix return value of repodata.add_solv()
- New SOLVER_FLAG_FOCUS_NEW flag
- Fix return value of repodata.add_solv() in the bindings
- Fix SHA-224 oid in solv_pgpvrfy
- Translation: updated .pot file.
- Conflict with python zypp-plugin < 0.6.4 (bsc#1227793)
- Fix int overflow in Provider
- Fix error reporting on repoindex.xml parse error (bsc#1227625)
- Keep UrlResolverPlugin API public
- Blacklist /snap executables for 'zypper ps' (bsc#1226014)
- Fix handling of buddies when applying locks (bsc#1225267)
- Fix readline setup to handle Ctrl-C and Ctrl-D correctly (bsc#1227205)
- Show rpm install size before installing (bsc#1224771)
- Install zypp/APIConfig.h legacy include
- Update soname due to RepoManager refactoring and cleanup
- Workaround broken libsolv-tools-base requirements
- Strip ssl_clientkey from repo urls (bsc#1226030)
- Remove protobuf build dependency
- Lazily attach medium during refresh workflows (bsc#1223094)
- Refactor RepoManager and add Service workflows
- Let_readline_abort_on_Ctrl-C (bsc#1226493)
- packages: add '--system' to show @System packages (bsc#222971)
- Provide python3-zypp-plugin down to SLE12 (bsc#1081596)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:3204-1
Released:    Wed Sep 11 10:55:22 2024
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1230093,CVE-2024-8096
This update for curl fixes the following issues:

- CVE-2024-8096: OCSP stapling bypass with GnuTLS. (bsc#1230093)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:3239-1
Released:    Fri Sep 13 12:00:58 2024
Summary:     Recommended update for util-linux
Type:        recommended
Severity:    moderate
References:  1229476
This update for util-linux fixes the following issue:

- Skip aarch64 decode path for rest of the architectures (bsc#1229476).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:3300-1
Released:    Wed Sep 18 14:27:53 2024
Summary:     Recommended update for ncurses
Type:        recommended
Severity:    moderate
References:  1229028
This update for ncurses fixes the following issues:

- Allow the terminal description based on static fallback entries to be freed (bsc#1229028)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:3346-1
Released:    Thu Sep 19 17:20:06 2024
Summary:     Recommended update for libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1228647,1230267
This update for libzypp, zypper fixes the following issues:

- API refactoring. Prevent zypper from using now private libzypp symbols (bsc#1230267)
- single_rpmtrans: fix installation of .src.rpms (bsc#1228647)


The following package changes have been done:

- curl-8.6.0-150600.4.6.1 updated
- glibc-2.38-150600.14.8.2 updated
- libblkid1-2.39.3-150600.4.12.2 updated
- libcurl4-8.6.0-150600.4.6.1 updated
- libfdisk1-2.39.3-150600.4.12.2 updated
- libjitterentropy3-3.4.1-150000.1.12.1 added
- libmount1-2.39.3-150600.4.12.2 updated
- libncurses6-6.1-150000.5.27.1 updated
- libopenssl-3-fips-provider-3.1.4-150600.5.15.1 updated
- libopenssl3-3.1.4-150600.5.15.1 updated
- libsmartcols1-2.39.3-150600.4.12.2 updated
- libsolv-tools-base-0.7.30-150600.8.2.1 updated
- libuuid1-2.39.3-150600.4.12.2 updated
- libzypp-17.35.11-150600.3.24.1 updated
- ncurses-utils-6.1-150000.5.27.1 updated
- openssl-3-3.1.4-150600.5.15.1 updated
- permissions-20240826-150600.10.9.1 updated
- sle-module-basesystem-release-15.7-150700.6.1 updated
- sle-module-python3-release-15.7-150700.6.1 updated
- sle-module-server-applications-release-15.7-150700.6.1 updated
- sles-release-15.7-150700.6.1 updated
- suse-build-key-12.0-150000.8.52.3 updated
- terminfo-base-6.1-150000.5.27.1 updated
- util-linux-2.39.3-150600.4.12.2 updated
- zypper-1.14.77-150600.10.11.2 updated
- libabsl2401_0_0-20240116.1-150600.17.7 removed
- liblz4-1-1.9.4-150600.1.4 removed
- libprocps8-3.3.17-150000.7.39.1 removed
- libprotobuf-lite25_1_0-25.1-150600.16.4.2 removed
- libsystemd0-254.15-150600.4.8.1 removed
- procps-3.3.17-150000.7.39.1 removed

