SUSE-CU-2025:960-1: Security update of suse/manager/5.0/x86_64/server-migration-14-16

sle-container-updates at lists.suse.com
Mon Feb 17 08:10:02 UTC 2025


SUSE Container Update Advisory: suse/manager/5.0/x86_64/server-migration-14-16
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:960-1
Container Tags        : suse/manager/5.0/x86_64/server-migration-14-16:5.0.3 , suse/manager/5.0/x86_64/server-migration-14-16:5.0.3.7.11.3 , suse/manager/5.0/x86_64/server-migration-14-16:latest
Container Release     : 7.11.3
Severity              : important
Type                  : security
References            : 1219340 1219736 1220262 1220338 1230423 1230972 1231048 1231795
                        1231833 1232227 1232579 1232844 1233307 1233323 1233325 1233326
                        1233327 1233699 1234015 1234665 1236705 CVE-2023-50782
                        CVE-2024-10976 CVE-2024-10977 CVE-2024-10978 CVE-2024-10979
                        CVE-2024-11168 CVE-2024-50602 CVE-2025-0938
-----------------------------------------------------------------

The container suse/manager/5.0/x86_64/server-migration-14-16 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:3865-1
Released:    Fri Nov  1 16:10:37 2024
Summary:     Recommended update for gcc14
Type:        recommended
Severity:    moderate
References:  1231833
This update for gcc14 fixes the following issues:

- Fixed parsing timezone tzdata 2024b [gcc#116657 bsc#1231833]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:3896-1
Released:    Mon Nov  4 12:08:29 2024
Summary:     Recommended update for shadow
Type:        recommended
Severity:    moderate
References:  1230972
This update for shadow fixes the following issues:

- Add useradd warnings when requested UID is outside the default range (bsc#1230972)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:3943-1
Released:    Thu Nov  7 11:12:00 2024
Summary:     Security update for openssl-3
Type:        security
Severity:    moderate
References:  1220262,CVE-2023-50782
This update for openssl-3 fixes the following issues:

- CVE-2023-50782: Implicit rejection in PKCS#1 v1.5 (bsc#1220262)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:4035-1
Released:    Mon Nov 18 16:22:57 2024
Summary:     Security update for expat
Type:        security
Severity:    moderate
References:  1232579,CVE-2024-50602
This update for expat fixes the following issues:

- CVE-2024-50602: Fixed a denial of service via XML_ResumeParser (bsc#1232579).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:4045-1
Released:    Mon Nov 25 08:33:05 2024
Summary:     Recommended update for patterns-base
Type:        recommended
Severity:    moderate
References:  
This update for patterns-base fixes the following issue:

- Updated patterns-base, removing the plymouth recommendation on s390x archs.
  Our certification team ran into an issue (jsc#PED-10532) when running a
  bare-metal installation with a fully encrypted disk.
  If the whole disk is encrypted, the password prompt is sent to plymouth,
  which shows nothing, because a bare-metal (LPAR) boot uses the terminal
  in the HMC.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:4063-1
Released:    Tue Nov 26 10:16:06 2024
Summary:     Security update for postgresql, postgresql16, postgresql17
Type:        security
Severity:    important
References:  1219340,1230423,1233323,1233325,1233326,1233327,CVE-2024-10976,CVE-2024-10977,CVE-2024-10978,CVE-2024-10979
This update for postgresql, postgresql16, postgresql17 fixes the following issues:

This update ships postgresql17, and fixes security issues with postgresql16:

- bsc#1230423: Relax the dependency of extensions on the server
  version from exact major.minor to greater or equal, after Tom
  Lane confirmed on the PostgreSQL packagers list that ABI
  stability is being taken care of between minor releases.

- bsc#1219340: The last fix was not correct. Improve it by removing
  the dependency again and calling fillup only if it is installed.

postgresql16 was updated to 16.6:
* Repair ABI break for extensions that work with struct
  ResultRelInfo.
* Restore functionality of ALTER {ROLE|DATABASE} SET role.
* Fix cases where a logical replication slot's restart_lsn could
  go backwards.
* Avoid deleting still-needed WAL files during pg_rewind.
* Fix race conditions associated with dropping shared statistics
  entries.
* Count index scans in contrib/bloom indexes in the statistics
  views, such as the pg_stat_user_indexes.idx_scan counter.
* Fix crash when checking to see if an index's opclass options
  have changed.
* Avoid assertion failure caused by disconnected NFA sub-graphs
  in regular expression parsing.
* https://www.postgresql.org/docs/release/16.6/

postgresql16 was updated to 16.5:

* CVE-2024-10976, bsc#1233323: Ensure cached plans are marked as
  dependent on the calling role when RLS applies to a
  non-top-level table reference.
* CVE-2024-10977, bsc#1233325: Make libpq discard error messages
  received during SSL or GSS protocol negotiation.
* CVE-2024-10978, bsc#1233326: Fix unintended interactions
  between SET SESSION AUTHORIZATION and SET ROLE.
* CVE-2024-10979, bsc#1233327: Prevent trusted PL/Perl code from
  changing environment variables.
* https://www.postgresql.org/about/news/p-2955/
* https://www.postgresql.org/docs/release/16.5/

- Don't build the libs and mini flavor anymore to hand over to
  PostgreSQL 17.

  * https://www.postgresql.org/about/news/p-2910/

postgresql17 is shipped in version 17.2:

* CVE-2024-10976, bsc#1233323: Ensure cached plans are marked as
  dependent on the calling role when RLS applies to a
  non-top-level table reference.
* CVE-2024-10977, bsc#1233325: Make libpq discard error messages
  received during SSL or GSS protocol negotiation.
* CVE-2024-10978, bsc#1233326: Fix unintended interactions
  between SET SESSION AUTHORIZATION and SET ROLE.
* CVE-2024-10979, bsc#1233327: Prevent trusted PL/Perl code from
  changing environment variables.
* https://www.postgresql.org/about/news/p-2955/
* https://www.postgresql.org/docs/release/17.1/
* https://www.postgresql.org/docs/release/17.2/

Upgrade to 17.2:

* Repair ABI break for extensions that work with struct
  ResultRelInfo.
* Restore functionality of ALTER {ROLE|DATABASE} SET role.
* Fix cases where a logical replication slot's restart_lsn could
  go backwards.
* Avoid deleting still-needed WAL files during pg_rewind.
* Fix race conditions associated with dropping shared statistics
  entries.
* Count index scans in contrib/bloom indexes in the statistics
  views, such as the pg_stat_user_indexes.idx_scan counter.
* Fix crash when checking to see if an index's opclass options
  have changed.
* Avoid assertion failure caused by disconnected NFA sub-graphs
  in regular expression parsing.

Upgrade to 17.0:

* New memory management system for VACUUM, which reduces memory
  consumption and can improve overall vacuuming performance.
* New SQL/JSON capabilities, including constructors, identity
  functions, and the JSON_TABLE() function, which converts JSON
  data into a table representation.
* Various query performance improvements, including for
  sequential reads using streaming I/O, write throughput under
  high concurrency, and searches over multiple values in a btree
  index.
* Logical replication enhancements, including:
  + Failover control
  + pg_createsubscriber, a utility that creates logical replicas
    from physical standbys
  + pg_upgrade now preserves replication slots on both publishers
    and subscribers
* New client-side connection option, sslnegotiation=direct, that
  performs a direct TLS handshake to avoid a round-trip
  negotiation.
* pg_basebackup now supports incremental backup.
* COPY adds a new option, ON_ERROR ignore, that allows a copy
  operation to continue in the event of an error.
* https://www.postgresql.org/about/news/p-2936/
* https://www.postgresql.org/docs/17/release-17.html

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:4118-1
Released:    Fri Nov 29 17:23:56 2024
Summary:     Security update for postgresql14
Type:        security
Severity:    important
References:  1233323,1233325,1233326,1233327,CVE-2024-10976,CVE-2024-10977,CVE-2024-10978,CVE-2024-10979
This update for postgresql14 fixes the following issues:

- CVE-2024-10976: Ensure cached plans are marked as dependent on the calling role when RLS applies to a non-top-level table reference (bsc#1233323).
- CVE-2024-10977: Make libpq discard error messages received during SSL or GSS protocol negotiation (bsc#1233325).
- CVE-2024-10978: Fix unintended interactions between SET SESSION AUTHORIZATION and SET ROLE (bsc#1233326).
- CVE-2024-10979: Prevent trusted PL/Perl code from changing environment variables (bsc#1233327).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:4193-1
Released:    Thu Dec  5 12:01:40 2024
Summary:     Security update for python3
Type:        security
Severity:    low
References:  1231795,1233307,CVE-2024-11168
This update for python3 fixes the following issues:

- CVE-2024-11168: Fixed improper validation of IPv6 and IPvFuture addresses (bsc#1233307)

Other fixes:
- Remove -IVendor/ from python-config (bsc#1231795)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:4224-1
Released:    Fri Dec  6 10:24:50 2024
Summary:     Recommended update for glibc
Type:        recommended
Severity:    moderate
References:  1233699
This update for glibc fixes the following issue:

- Remove nss-systemd from default nsswitch.conf (bsc#1233699).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:4337-1
Released:    Tue Dec 17 08:17:39 2024
Summary:     Recommended update for systemd
Type:        recommended
Severity:    important
References:  1231048,1232844
This update for systemd fixes the following issues:

- udev: skip empty udev rules files while collecting the stats (bsc#1232844)
- Clean up some remnants from when homed was in the experimental sub-package (bsc#1231048)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:10-1
Released:    Fri Jan  3 14:53:56 2025
Summary:     Recommended update for systemd
Type:        recommended
Severity:    important
References:  1220338,1232227,1234015
This update for systemd fixes the following issues:

- Drop support for efivar SystemdOptions (bsc#1220338)
- pid1: make clear that $WATCHDOG_USEC is set for the shutdown binary (bsc#1232227)
- udev: allow/denylist for reading sysfs attributes when composing a NIC name (bsc#1234015)
- udev: add new builtin net_driver
- udev-builtin-net_id: split-out pci_get_onboard_index() from dev_pci_onboard()
- udev-builtin-net_id: split-out get_pci_slot_specifiers()
- udev-builtin-net_id: introduce get_port_specifier() helper function
- udev-builtin-net_id: split out get_dev_port() and make its failure critical
- udev-builtin-net_id: split-out pci_get_hotplug_slot() and pci_get_hotplug_slot_from_address()
- udev-builtin-net_id: return earlier when hotplug slot is not found
- udev-builtin-net_id: skip non-directory entry earlier
- udev-builtin-net_id: make names_xen() self-contained
- udev-builtin-net_id: use sd_device_get_sysnum() to get index of netdevsim
- udev-builtin-net_id: make names_netdevsim() self-contained
- udev-builtin-net_id: make names_platform() self-contained
- udev-builtin-net_id: make names_vio() self-contained
- udev-builtin-net_id: make names_ccw() self-contained
- udev-builtin-net_id: make dev_devicetree_onboard() self-contained
- udev-builtin-net_id: make names_mac() self-contained
- udev-builtin-net_id: split out get_ifname_prefix()
- udev-builtin-net_id: swap arguments for streq() and friends
- udev-builtin-net_id: drop unused value from NetNameType

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:42-1
Released:    Thu Jan  9 16:04:03 2025
Summary:     Recommended update for permissions
Type:        recommended
Severity:    moderate
References:  1219736
This update for permissions fixes the following issues:

- Update to version 20240826:

  * chkstat: backport support to operate in insecure mode via envvar opt-in (bsc#1219736)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:135-1
Released:    Thu Jan 16 11:20:40 2025
Summary:     Recommended update for glibc
Type:        recommended
Severity:    moderate
References:  1234665
This update for glibc fixes the following issues:

- Linux: Switch back to assembly syscall wrapper for prctl (bsc#1234665).
- Correctly determine livepatching support.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:554-1
Released:    Fri Feb 14 16:10:40 2025
Summary:     Security update for python3
Type:        security
Severity:    moderate
References:  1236705,CVE-2025-0938
This update for python3 fixes the following issues:

- CVE-2025-0938: Fixed urlparse not identifying domain names containing square brackets as incorrect (bsc#1236705)
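As a defender-side check that is not part of this advisory or of CPython itself: the host validation that the two python3 fixes above (CVE-2024-11168 and CVE-2025-0938) add to urlparse, written out as a stand-alone function so inbound URLs can be screened the same way on an image that has not yet picked up the patched python3-base. The function names and the sample URLs are constructed for this example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# RFC 3986 IPvFuture literal: "v" 1*HEXDIG "." 1*( unreserved / sub-delims / ":" )
_IPVFUTURE = re.compile(r"^v[0-9A-Fa-f]+\.[A-Za-z0-9\-._~!$&'()*+,;=:]+$")


def validated_host(url: str) -> str:
    """Return the host of url, raising ValueError on malformed bracket syntax.

    Rules (the ones the patched urlparse enforces): square brackets may only
    delimit an IP literal at the start of the host; a bracketed literal must
    be a valid IPv6 address (an optional "%zone" suffix is allowed) or an
    IPvFuture literal; only an optional ":port" may follow the closing bracket.
    """
    netloc = urlsplit(url).netloc          # a patched Python may already raise here
    hostport = netloc.rsplit("@", 1)[-1]   # drop userinfo, if present
    if not hostport.startswith("["):
        if "[" in hostport or "]" in hostport:
            raise ValueError(f"square brackets outside an IP literal: {hostport!r}")
        return hostport.rsplit(":", 1)[0]
    end = hostport.find("]")
    if end == -1:
        raise ValueError(f"unterminated IP literal: {hostport!r}")
    literal, tail = hostport[1:end], hostport[end + 1:]
    if tail and not (tail.startswith(":") and tail[1:].isdigit()):
        raise ValueError(f"unexpected text after IP literal: {hostport!r}")
    if not _IPVFUTURE.match(literal):
        addr = literal.split("%", 1)[0]    # the zone id is not part of the address
        try:
            ipaddress.IPv6Address(addr)
        except ValueError as exc:
            raise ValueError(f"not an IPv6 literal: {literal!r}") from exc
    return hostport[: end + 1]


def is_well_formed_host(url: str) -> bool:
    """True when validated_host() accepts the URL; handy for screening batches."""
    try:
        validated_host(url)
    except ValueError:
        return False
    return True
```

On an already patched python3-base, urlsplit() raises the ValueError itself for the malformed shapes, so the function behaves identically before and after the update.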


The following package changes have been done:

- glibc-2.38-150600.14.20.3 updated
- libgcc_s1-14.2.0+git10526-150000.1.6.1 updated
- libstdc++6-14.2.0+git10526-150000.1.6.1 updated
- libopenssl3-3.1.4-150600.5.21.1 updated
- libopenssl-3-fips-provider-3.1.4-150600.5.21.1 updated
- patterns-base-fips-20200124-150600.32.3.2 updated
- login_defs-4.8.1-150600.17.9.1 updated
- permissions-20240826-150600.10.12.1 updated
- shadow-4.8.1-150600.17.9.1 updated
- libexpat1-2.4.4-150400.3.25.1 updated
- libsystemd0-254.21-150600.4.21.1 updated
- glibc-locale-base-2.38-150600.14.20.3 updated
- libpq5-17.2-150600.13.5.1 updated
- glibc-locale-2.38-150600.14.20.3 updated
- libpython3_6m1_0-3.6.15-150300.10.81.1 updated
- python3-base-3.6.15-150300.10.81.1 updated
- postgresql-17-150600.17.6.1 updated
- postgresql14-14.15-150600.16.9.1 updated
- postgresql16-16.6-150600.16.10.1 updated
- postgresql-server-17-150600.17.6.1 updated
- postgresql14-server-14.15-150600.16.9.1 updated
- postgresql16-server-16.6-150600.16.10.1 updated
- postgresql16-contrib-16.6-150600.16.10.1 updated
- postgresql-contrib-17-150600.17.6.1 updated
- postgresql14-contrib-14.15-150600.16.9.1 updated
- container:suse-manager-5.0-init-5.0.3-5.0.3-7.9.5 added
- container:suse-manager-5.0-init-5.0.2-5.0.2-7.6.16 removed

