SUSE-CU-2025:1339-1: Security update of rancher/seedimage-builder
sle-container-updates at lists.suse.com
Thu Feb 27 08:06:20 UTC 2025
SUSE Container Update Advisory: rancher/seedimage-builder
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:1339-1
Container Tags : rancher/seedimage-builder:1.6.6 , rancher/seedimage-builder:1.6.6-5.1 , rancher/seedimage-builder:latest
Container Release : 5.1
Severity : critical
Type : security
References : 1194818 1218609 1220117 1220262 1221831 1223605 1225598 1230698
1230904 1231833 1232211 1232528 1232579 1233078 1234068 1234100
1234101 1234102 1234103 1234104 1234812 1234996 1235088 1235475
CVE-2023-50782 CVE-2024-10963 CVE-2024-11053 CVE-2024-12084 CVE-2024-12085
CVE-2024-12086 CVE-2024-12087 CVE-2024-12088 CVE-2024-12747 CVE-2024-28085
CVE-2024-40896 CVE-2024-41996 CVE-2024-50602 CVE-2024-9681
-----------------------------------------------------------------
The container rancher/seedimage-builder was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: 117
Released: Mon Feb 3 09:46:07 2025
Summary: Security update for util-linux
Type: security
Severity: important
References: 1218609,1220117,1221831,1223605,1225598,CVE-2024-28085
This update for util-linux fixes the following issues:
Security issue fixed:
- CVE-2024-28085: Properly neutralize escape sequences in wall to avoid potential account takeover. (bsc#1221831)
Non-security issues fixed:
- Fix hang of lscpu -e (bsc#1225598)
- lscpu: Add more ARM cores (bsc#1223605)
- Document that chcpu -g is not supported on IBM z/VM (bsc#1218609)
- Processes not cleaned up after failed SSH session are using up 100% CPU (bsc#1220117)
-----------------------------------------------------------------
Advisory ID: 16
Released: Mon Feb 3 09:50:28 2025
Summary: Recommended update for elemental-system-agent, elemental, systemd-presets-branding-Elemental, elemental-toolkit, elemental-agent, elemental-operator
Type: recommended
Severity: moderate
References:
This update for elemental-system-agent, elemental, systemd-presets-branding-Elemental, elemental-toolkit, elemental-agent, elemental-operator fixes the following issues:
elemental:
- Update to version v2.1.2
* Fix grub2-x86_64-efi installation
* Removing syslinux from base image
* Workaround to remove any pre-existing Elemental initrd
elemental-agent:
- Update to version 0.5.0+git20240729.4482c01:
* Fix rke2 cluster class (#80)
* Fix rootfs layout (#76)
* Exclude cloud-config-defaults feature (#75)
* Use toolkit nightly builds (#74)
* Align images to Elemental dev (#73)
* Only use essential elemental services (#71)
* Actualize elemental init arguments and improve iso build setup (#70)
* Fix missing mtools dependency (#68)
* Unify root password
* Prevent associating multiple ElementalHosts (#65)
* Remove CodeQL github action workaround (#66)
* upgrade elemental-toolkit to 2.1.0 version (#61)
* tests: align Ginkgo version in the Makefile (#63)
* Dockerfiles: ensure /usr/libexec is present on the image FS (#64)
* minor/setup_kind_cluster.sh: print the command to write the my-config.yaml (#62)
* Fix RKE2 ClusterClass and RKE2 default registration method (#60)
* Remove unused Codecov config (#59)
* Actualize RKE2 templates (#58)
* Remove CodeCov action (#57)
* Update codeql action (#56)
* Display host phases (#51)
* Bump CAPI version (#54)
* Print test agent config by default (#55)
* Deprecate release-action (#53)
* Display association status (#49)
* Add registration ready condition (#50)
* Prevent kubelet and containerd from running in Recovery (#43)
* Mitigate time sync issues on JWT validation (#41)
* Improve kubeadm image (#39)
- Update to version 0.5.0+git20240319.13ad570:
* Update dependencies and fix CodeQL failure (#36)
* Update to go 1.22 (#32)
* Update k3s provider urls (#34)
* Remove tumbleweed dracut patches (#33)
* Refer to CONTROL_PLANE_ENDPOINT_HOST
* Update metadata.yaml
* Update quickstart (#30)
* Remove uninitialized taint from nodes (#29)
* Set providerid on nodes (#22)
* Bump yip to v1.4.10
- Initial version 0.5.0
elemental-operator:
- Update to version 1.6.4:
* register: always register when called (#816)
- Update to version 1.6.3:
* Backport to v1.6.x (#796)
* Enable PR workflow for v1.6 maintenance branch
* Add toggle to automatically delete no longer in sync versions (#780) (#783)
* [v1.6.x] Add managedosversion finalizer (#775 & #784) (#782)
* Ensure re-sync is triggered
* [v1.6.x][BACKPORT] operator: fix ManagedOSVersionChannel sync (#771)
* Use YAML content for Elemental Agent config (#765) (#770)
* Allow yip configs (#751) (#762)
* Update deployment.yaml (#757) (#761)
* Flag no longer in sync ManagedOSVersions (#750) (#752)
* Let elemental-register digest system hardware data (#748) (#749)
* register: don't send new Disks and Controllers data (#741)
* Added the ability to create a node reset marker for unmanaged hosts (#731) (#737)
- Update to version 1.6.2:
* chart: add chart name and version to the operator deployment (#694)
* Add Metadata CRD (#717)
elemental-system-agent:
- Update to version 0.3.7:
* Add support for CATTLE_AGENT_VAR_DIR in suc plan
* add the step for creating GH release, and fix typo in filename
* Migrate from Drone to GitHub Action
* Version bump for Alpine and Kubectl
* Add support for CATTLE_AGENT_STRICT_VERIFY|STRICT_VERIFY environment variables to ensure kubeconfig CA data is valid (#171)
elemental-toolkit:
- Update to version 2.1.1:
* [backport] Disable boot entry if efivars is read-only (#2059) (#2145)
* [backport] CI refactor to v2.1.x branch (#2146)
* Remove pre-existing Elemental initrds
systemd-presets-branding-Elemental:
- Include elemental-register.timer as service enabled by default
-----------------------------------------------------------------
Advisory ID: 68
Released: Mon Feb 3 09:59:25 2025
Summary: Recommended update for elemental-operator, elemental
Type: recommended
Severity: moderate
References: 1230904
This update for elemental-operator, elemental contains the following fixes:
elemental:
- Include net.ifnames=0 kernel parameter. (bsc#1230904)
elemental-operator:
- Update to version 1.6.5:
* Add SeedImage.status.checksumURL.
-----------------------------------------------------------------
Advisory ID: 119
Released: Mon Feb 3 10:05:40 2025
Summary: Recommended update for gcc13
Type: recommended
Severity: moderate
References: 1231833
This update for gcc13 fixes the following issues:
- Fix for parsing tzdata 2024b [gcc#116657]
-----------------------------------------------------------------
Advisory ID: 94
Released: Mon Feb 3 10:05:41 2025
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1194818
This update for pam fixes the following issue:
- Prevent cursor escape from the login prompt (bsc#1194818)
-----------------------------------------------------------------
Advisory ID: 201
Released: Mon Feb 3 10:06:00 2025
Summary: Security update for openssl-3
Type: security
Severity: important
References: 1220262,1230698,CVE-2023-50782,CVE-2024-41996
This update for openssl-3 fixes the following issues:
- CVE-2024-41996: Fixed a denial of service in Diffie-Hellman key agreement where a client could trigger unnecessarily expensive server-side DHE modular-exponentiation calculations (bsc#1230698).
- CVE-2023-50782: Added implicit rejection to RSA PKCS#1 v1.5 decryption so that a padding failure yields a deterministic pseudo-random plaintext instead of an error, closing a Bleichenbacher-style timing side channel (Marvin attack) (bsc#1220262).
-----------------------------------------------------------------
Advisory ID: 138
Released: Mon Feb 3 10:07:41 2025
Summary: Security update for curl
Type: security
Severity: moderate
References: 1232528,CVE-2024-9681
This update for curl fixes the following issues:
- CVE-2024-9681: Fixed an HSTS cache bug where a subdomain's entry could overwrite the parent domain's entry (bsc#1232528)
-----------------------------------------------------------------
Advisory ID: 120
Released: Mon Feb 3 10:09:12 2025
Summary: Security update for expat
Type: security
Severity: moderate
References: 1232579,CVE-2024-50602
This update for expat fixes the following issues:
- CVE-2024-50602: Fixed a possible denial of service (crash) in XML_ResumeParser when XML_StopParser is called on a parser that has not started (bsc#1232579).
-----------------------------------------------------------------
Advisory ID: 124
Released: Mon Feb 3 10:11:47 2025
Summary: Recommended update for elemental-operator
Type: recommended
Severity: moderate
References: 1232211
This update for elemental-operator contains the following fixes:
- Update to version 1.6.6:
* Do not include Config to MachineRegistration as pointer. (bsc#1232211)
* Align values.yaml and questions.yaml.
-----------------------------------------------------------------
Advisory ID: 164
Released: Mon Feb 3 10:17:47 2025
Summary: Security update for pam
Type: security
Severity: moderate
References: 1233078,CVE-2024-10963
This update for pam fixes the following issues:
- CVE-2024-10963: Fixed improper hostname interpretation in pam_access that could lead to access control bypass (bsc#1233078).
-----------------------------------------------------------------
Advisory ID: 166
Released: Mon Feb 3 10:18:10 2025
Summary: Security update for curl
Type: security
Severity: moderate
References: 1234068,CVE-2024-11053
This update for curl fixes the following issues:
- CVE-2024-11053: Fixed a credential leak where, under certain circumstances, the netrc password for the first host was sent to the host a redirect was followed to (bsc#1234068)
-----------------------------------------------------------------
Advisory ID: 188
Released: Mon Feb 3 10:21:01 2025
Summary: Security update for libxml2
Type: security
Severity: important
References: 1234812,CVE-2024-40896
This update for libxml2 fixes the following issues:
- CVE-2024-40896: Fixed an XML external entity (XXE) vulnerability where the SAX parser could emit external entity content even when custom SAX handlers tried to override it (bsc#1234812)
-----------------------------------------------------------------
Advisory ID: 190
Released: Mon Feb 3 10:24:20 2025
Summary: Recommended update for iptables
Type: recommended
Severity: moderate
References: 1234996,1235088
This update for iptables fixes the following issues:
- Fixed the check for whether a rule already exists, which broke rule creation with podman/netavark (bsc#1235088, bsc#1234996)
-----------------------------------------------------------------
Advisory ID: 203
Released: Tue Feb 4 09:59:54 2025
Summary: Security update for rsync
Type: security
Severity: critical
References: 1234100,1234101,1234102,1234103,1234104,1235475,CVE-2024-12084,CVE-2024-12085,CVE-2024-12086,CVE-2024-12087,CVE-2024-12088,CVE-2024-12747
This update for rsync fixes the following issues:
- CVE-2024-12084: Fixed Heap Buffer Overflow in Checksum Parsing (bsc#1234100).
- CVE-2024-12085: Fixed Info Leak via uninitialized Stack contents defeating ASLR (bsc#1234101).
- CVE-2024-12086: Fixed server leaking arbitrary client files (bsc#1234102).
- CVE-2024-12087: Fixed server use of symbolic links to make client write files outside of destination directory (bsc#1234103).
- CVE-2024-12088: Fixed --safe-links bypass (bsc#1234104).
- CVE-2024-12747: Fixed Race Condition in rsync Handling Symbolic Links (bsc#1235475).
The following package changes have been done:
- btrfsprogs-udev-rules-6.1.3-6.19 added
- elemental-httpfy-1.6.6-1.1 added
- elemental-seedimage-hooks-1.6.6-1.1 added
- libxxhash0-0.8.1-2.194 added
- libuuid1-2.39.3-3.1 updated
- liburcu8-0.14.0-2.8 added
- libtextstyle0-0.21.1-5.1 added
- libsmartcols1-2.39.3-3.1 updated
- libparted-fs-resize0-3.5-2.11 added
- liblzo2-2-2.10-3.1 added
- libjson-c5-0.16-3.1 added
- libip4tc2-1.8.9-4.1 updated
- libgcc_s1-13.3.0+git8781-2.1 updated
- libfuse2-2.9.9-3.1 added
- libexpat1-2.5.0-4.1 updated
- libburn4-1.5.4-1.9 added
- libbtrfsutil1-6.1.3-6.19 added
- libbtrfs0-6.1.3-6.19 added
- libblkid1-2.39.3-3.1 updated
- libargon2-1-20190702-3.1 added
- libaio1-0.3.113-3.1 added
- dosfstools-4.2-2.9 added
- libpng16-16-1.6.43-1.1 added
- libxml2-2-2.11.6-4.1 updated
- squashfs-4.6.1-3.7 added
- libstdc++6-13.3.0+git8781-2.1 updated
- libext2fs2-1.47.0-2.3 added
- libjte2-1.22-1.8 added
- libfdisk1-2.39.3-3.1 updated
- libmount1-2.39.3-3.1 updated
- libinih0-56-3.1 added
- libisofs6-1.5.4-1.9 added
- libfreetype6-2.13.2-1.6 added
- libedit0-20210910.3.1-9.169 added
- gptfdisk-1.0.9-3.5 added
- libisoburn1-1.5.4-1.9 added
- libdevmapper1_03-2.03.22_1.02.196-1.8 added
- gzip-1.13-1.50 added
- gettext-runtime-0.21.1-5.1 added
- ALP-dummy-release-0.1-8.67 added
- libparted2-3.5-2.11 added
- libdevmapper-event1_03-2.03.22_1.02.196-1.8 added
- info-7.0.3-4.1 added
- xfsprogs-6.5.0-1.9 added
- thin-provisioning-tools-0.9.0-2.10 added
- systemd-rpm-macros-24-1.205 added
- e2fsprogs-1.47.0-2.3 added
- btrfsprogs-6.1.3-6.19 added
- parted-3.5-2.11 added
- liblvm2cmd2_03-2.03.22-1.8 added
- xorriso-1.5.4-1.9 added
- device-mapper-2.03.22_1.02.196-1.8 added
- mtools-4.0.43-4.9 added
- libopenssl3-3.1.4-7.1 updated
- pam-1.6.0-4.1 updated
- grub2-2.12~rc1-5.30 added
- grub2-i386-pc-2.12~rc1-5.30 added
- suse-module-tools-16.0.43-1.1 added
- kmod-30-10.56 added
- rsync-3.2.7-4.1 added
- libcryptsetup12-2.6.1-4.13 added
- util-linux-2.39.3-3.1 updated
- libsnapper7-0.10.5-2.10 added
- libcurl4-8.6.0-5.1 updated
- curl-8.6.0-5.1 updated
- system-group-kvm-20170617-2.197 added
- system-group-hardware-20170617-2.197 added
- udev-254.18-1.1 added
- snapper-0.10.5-2.10 added
- lvm2-2.03.22-1.8 added
- elemental-toolkit-2.1.1-1.1 added
- container:suse-toolbox-image-1.0.0-7.1 updated
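A practical check on the package list above, added here as an example and not SUSE's or Rancher's own tooling: it parses the "package changes" lines of this advisory, reads `rpm -qa` output captured from a running container, and reports every listed RPM as ok, outdated or missing. It carries a port of rpm's own rpmvercmp() so that strings such as 2.12~rc1 (grub2) and 13.3.0+git8781 (libgcc_s1) order the way rpm orders them rather than lexicographically. It assumes the image ships rpm, so the real input would come from a command like `podman run --rm rancher/seedimage-builder:1.6.6-5.1 rpm -qa --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE}\n'`; the embedded ADVISORY_CHANGES excerpt is copied from the list above, and SAMPLE_RPM_QA is constructed input with one package deliberately stale and one deliberately absent.

```python
"""Audit a container's installed RPMs against this advisory's package list.  Added example, not SUSE or Rancher tooling."""
import re

# Excerpt of the advisory's "The following package changes have been done" list.
ADVISORY_CHANGES = """\
- libopenssl3-3.1.4-7.1 updated
- rsync-3.2.7-4.1 added
- curl-8.6.0-5.1 updated
- libxml2-2-2.11.6-4.1 updated
- libexpat1-2.5.0-4.1 updated
- container:suse-toolbox-image-1.0.0-7.1 updated
"""

# Constructed output of: rpm -qa --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE}\n'
# rsync is deliberately one release behind and libexpat1 is deliberately absent.
SAMPLE_RPM_QA = """\
libopenssl3 (none) 3.1.4 7.1
rsync (none) 3.2.7 3.1
curl (none) 8.6.0 5.1
libxml2-2 (none) 2.11.6 4.1
"""


def rpmvercmp(a, b):
    """Port of rpm's rpmvercmp(): -1, 0 or 1.  '~' sorts below everything (2.12~rc1 < 2.12),
    '^' above the bare string but below other suffixes; numeric segments beat alpha ones."""
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):   # skip separators
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ca, cb = a[i] if i < len(a) else "", b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":
            if ca != cb:
                return 1 if cb == "~" else -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":
            if ca == "" or cb == "":
                return -1 if ca == "" else 1
            if ca != cb:
                return 1 if cb == "^" else -1
            i, j = i + 1, j + 1
            continue
        if ca == "" or cb == "":
            break
        isnum = ca.isdigit()
        pat = r"[0-9]+" if isnum else r"[A-Za-z]+"
        ma, mb = re.match(pat, a[i:]), re.match(pat, b[j:])
        if mb is None:                              # one side numeric, the other alpha
            return 1 if isnum else -1
        sa, sb = ma.group(0), mb.group(0)
        i, j = i + len(sa), j + len(sb)
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")  # compare by value, not as text
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return 1 if i < len(a) else -1                  # leftover characters win


def parse_advisory_changes(text):
    """'- NAME-VERSION-RELEASE added|updated' -> {NAME: (VERSION, RELEASE)}.  NAME may contain
    '-', so split from the right; 'container:' entries are image references, not RPMs."""
    wanted = {}
    for line in text.splitlines():
        m = re.match(r"-\s+(\S+)\s+(added|updated)\s*$", line)
        if m and not m.group(1).startswith("container:"):
            name, version, release = m.group(1).rsplit("-", 2)
            wanted[name] = (version, release)
    return wanted


def parse_rpm_qa(text):
    """'NAME EPOCH VERSION RELEASE' lines -> {NAME: (EPOCH, VERSION, RELEASE)}; '(none)' -> '0'."""
    installed = {}
    for name, epoch, version, release in (l.split() for l in text.splitlines() if l.strip()):
        installed[name] = ("0" if epoch == "(none)" else epoch, version, release)
    return installed


def audit(advisory_text, rpm_qa_text):
    """{NAME: 'ok' | 'outdated' | 'missing'}; the advisory prints no epoch, so 0 is assumed."""
    installed = parse_rpm_qa(rpm_qa_text)
    report = {}
    for name, (version, release) in parse_advisory_changes(advisory_text).items():
        if name not in installed:
            report[name] = "missing"
            continue
        epoch, have_v, have_r = installed[name]
        vc = rpmvercmp(have_v, version)
        newer = int(epoch) > 0 or vc > 0 or (vc == 0 and rpmvercmp(have_r, release) >= 0)
        report[name] = "ok" if newer else "outdated"
    return report


if __name__ == "__main__":
    for name, status in sorted(audit(ADVISORY_CHANGES, SAMPLE_RPM_QA).items()):
        print(f"{status:8s} {name}")
```

Replace SAMPLE_RPM_QA with the captured rpm output and ADVISORY_CHANGES with the full list to audit a real image; a "missing" result for a package the advisory marks "added" means the image under test is not the one this advisory describes, and an "outdated" result means the fix for the corresponding CVE is not present.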