SUSE-CU-2025:1339-1: Security update of rancher/seedimage-builder

sle-container-updates at lists.suse.com
Thu Feb 27 08:06:20 UTC 2025


SUSE Container Update Advisory: rancher/seedimage-builder
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:1339-1
Container Tags        : rancher/seedimage-builder:1.6.6 , rancher/seedimage-builder:1.6.6-5.1 , rancher/seedimage-builder:latest
Container Release     : 5.1
Severity              : critical
Type                  : security
References            : 1194818 1218609 1220117 1220262 1221831 1223605 1225598 1230698
                        1230904 1231833 1232211 1232528 1232579 1233078 1234068 1234100
                        1234101 1234102 1234103 1234104 1234812 1234996 1235088 1235475
                        CVE-2023-50782 CVE-2024-10963 CVE-2024-11053 CVE-2024-12084 CVE-2024-12085
                        CVE-2024-12086 CVE-2024-12087 CVE-2024-12088 CVE-2024-12747 CVE-2024-28085
                        CVE-2024-40896 CVE-2024-41996 CVE-2024-50602 CVE-2024-9681 
-----------------------------------------------------------------

The container rancher/seedimage-builder was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 117
Released:    Mon Feb  3 09:46:07 2025
Summary:     Security update for util-linux
Type:        security
Severity:    important
References:  1218609,1220117,1221831,1223605,1225598,CVE-2024-28085
This update for util-linux fixes the following issues:

Security issue fixed:

- CVE-2024-28085: Properly neutralize escape sequences in wall to avoid potential account takeover. (bsc#1221831)

Non-security issues fixed:

- Fix hang of lscpu -e (bsc#1225598)
- lscpu: Add more ARM cores (bsc#1223605)
- Document that chcpu -g is not supported on IBM z/VM (bsc#1218609)
- Fix processes that were not cleaned up after a failed SSH session and were using 100% CPU (bsc#1220117)

-----------------------------------------------------------------
Advisory ID: 16
Released:    Mon Feb  3 09:50:28 2025
Summary:     Recommended update for elemental-system-agent, elemental, systemd-presets-branding-Elemental, elemental-toolkit, elemental-agent, elemental-operator
Type:        recommended
Severity:    moderate
References:  
This update for elemental-system-agent, elemental, systemd-presets-branding-Elemental, elemental-toolkit, elemental-agent, elemental-operator fixes the following issues:

elemental:
  - Update to version v2.1.2
    * Fix grub2-x86_64-efi installation
    * Removing syslinux from base image
    * Workaround to remove any pre-existing Elemental initrd

elemental-agent:
  - Update to version 0.5.0+git20240729.4482c01:
    * Fix rke2 cluster class (#80)
    * Fix rootfs layout (#76)
    * Exclude cloud-config-defaults feature (#75)
    * Use toolkit nightly builds (#74)
    * Align images to Elemental dev (#73)
    * Only use essential elemental services (#71)
    * Actualyze elemental init arguments and improve iso build setup (#70)
    * Fix missing mtools dependency (#68)
    * Unify root password
    * Prevent associating multiple ElementalHosts (#65)
    * Remove CodeQL github action workaround (#66)
    * upgrade elemental-toolkit to 2.1.0 version (#61)
    * tests: align Ginkgo version in the Makefile (#63)
    * Dockerfiles: ensure /usr/libexec is present on the image FS (#64)
    * minor/setup_kind_cluster.sh: print the command to write the my-config.yaml (#62)
    * Fix RKE2 ClusterClass and RKE2 default registration method (#60)
    * Remove unused Codecov config (#59)
    * Actualize RKE2 templates (#58)
    * Remove CodeCov action (#57)
    * Update codeql action (#56)
    * Display host phases (#51)
    * Bump CAPI version (#54)
    * Print test agent config by default (#55)
    * Deprecate release-action (#53)
    * Display association status (#49)
    * Add registration ready condition (#50)
    * Prevent kubelet and containerd from running in Recovery (#43)
    * Mitigate time sync issues on JWT validation (#41)
    * Improve kubeadm image (#39)
  - Update to version 0.5.0+git20240319.13ad570:
    * Update dependencies and fix CodeQL failure (#36)
    * Update to go 1.22 (#32)
    * Update k3s provider urls (#34)
    * Remove tumbleweed dracut patches (#33)
    * Refer to CONTROL_PLANE_ENDPOINT_HOST
    * Update metadata.yaml
    * Update quickstart (#30)
    * Remove uninitialized taint from nodes (#29)
    * Set providerid on nodes (#22)
    * Bump yip to v1.4.10
  - Initial version 0.5.0

elemental-operator:
  - Update to version 1.6.4:
    * register: always register when called (#816)

  - Update to version 1.6.3:
    * Backport to v1.6.x (#796)
    * Enable PR workflow for v1.6 maintenance branch
    * Add toggle to automatically delete no longer in sync versions (#780) (#783)
    * [v1.6.x] Add managedosversion finalizer (#775 & #784)  (#782)
    * Ensure re-sync is triggered
    * [v1.6.x][BACKPORT] operator: fix ManagedOSVersionChannel sync  (#771)
    * Use YAML content for Elemental Agent config (#765) (#770)
    * Allow yip configs (#751) (#762)
    * Update deployment.yaml (#757) (#761)
    * Flag no longer in sync ManagedOSVersions (#750) (#752)
    * Let elemental-register digest system hardware data (#748) (#749)
    * register: don't send new Disks and Controllers data (#741)
    * Added the ability to create a node reset marker for unmanaged hosts (#731) (#737)

  - Update to version 1.6.2:
    * chart: add chart name and version to the operator deployment (#694)
    * Add Metadata CRD (#717)

elemental-system-agent:
  - Update to version 0.3.7:
    * Add support for CATTLE_AGENT_VAR_DIR in suc plan
    * add the step for creating GH release, and fix typo in filename
    * Migrate from Drone to GitHub Action
    * Version bump for Alpine and Kubectl
    * Add support for CATTLE_AGENT_STRICT_VERIFY|STRICT_VERIFY environment variables to ensure kubeconfig CA data is valid (#171)

elemental-toolkit:
  - Update to version 2.1.1:
    * [backport] Disable boot entry if efivars is read-only (#2059) (#2145)
    * [backport] CI refactor to v2.1.x branch (#2146)
    * Remove pre-existing Elemental initrds

systemd-presets-branding-Elemental:
  - Include elemental-register.timer as service enabled by default


-----------------------------------------------------------------
Advisory ID: 68
Released:    Mon Feb  3 09:59:25 2025
Summary:     Recommended update for elemental-operator, elemental
Type:        recommended
Severity:    moderate
References:  1230904
This update for elemental-operator, elemental contains the following fixes:

elemental:
  - Include net.ifnames=0 kernel parameter. (bsc#1230904)

elemental-operator:
  - Update to version 1.6.5:
    * Add SeedImage.status.checksumURL.


-----------------------------------------------------------------
Advisory ID: 119
Released:    Mon Feb  3 10:05:40 2025
Summary:     Recommended update for gcc13
Type:        recommended
Severity:    moderate
References:  1231833
This update for gcc13 fixes the following issues:

- Fix for parsing tzdata 2024b [gcc#116657]


-----------------------------------------------------------------
Advisory ID: 94
Released:    Mon Feb  3 10:05:41 2025
Summary:     Recommended update for pam
Type:        recommended
Severity:    moderate
References:  1194818
This update for pam fixes the following issue:

- Prevent cursor escape from the login prompt (bsc#1194818)

-----------------------------------------------------------------
Advisory ID: 201
Released:    Mon Feb  3 10:06:00 2025
Summary:     Security update for openssl-3
Type:        security
Severity:    important
References:  1220262,1230698,CVE-2023-50782,CVE-2024-41996
This update for openssl-3 fixes the following issues:

- CVE-2024-41996: Fixed a denial of service in the Diffie-Hellman Key Agreement Protocol (bsc#1230698).
- CVE-2023-50782: Implemented implicit rejection in PKCS#1 v1.5 decryption (bsc#1220262).

-----------------------------------------------------------------
Advisory ID: 138
Released:    Mon Feb  3 10:07:41 2025
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1232528,CVE-2024-9681
This update for curl fixes the following issues:

- CVE-2024-9681: Fixed an HSTS cache bug where a subdomain entry overwrites the parent domain's cache entry (bsc#1232528)

-----------------------------------------------------------------
Advisory ID: 120
Released:    Mon Feb  3 10:09:12 2025
Summary:     Security update for expat
Type:        security
Severity:    moderate
References:  1232579,CVE-2024-50602
This update for expat fixes the following issues:

- CVE-2024-50602: Fixed a possible denial-of-service vulnerability inside XML_ResumeParser (bsc#1232579).

-----------------------------------------------------------------
Advisory ID: 124
Released:    Mon Feb  3 10:11:47 2025
Summary:     Recommended update for elemental-operator
Type:        recommended
Severity:    moderate
References:  1232211
This update for elemental-operator contains the following fixes:

- Update to version 1.6.6:
  * Do not include Config to MachineRegistration as pointer. (bsc#1232211)
  * Align values.yaml and questions.yaml.


-----------------------------------------------------------------
Advisory ID: 164
Released:    Mon Feb  3 10:17:47 2025
Summary:     Security update for pam
Type:        security
Severity:    moderate
References:  1233078,CVE-2024-10963
This update for pam fixes the following issues:

- CVE-2024-10963: Fixed improper hostname interpretation in pam_access that could lead to access control bypass (bsc#1233078).

-----------------------------------------------------------------
Advisory ID: 166
Released:    Mon Feb  3 10:18:10 2025
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1234068,CVE-2024-11053
This update for curl fixes the following issues:

- CVE-2024-11053: Fixed a leak of the password used for the first host to the followed-to host under certain circumstances (bsc#1234068)

-----------------------------------------------------------------
Advisory ID: 188
Released:    Mon Feb  3 10:21:01 2025
Summary:     Security update for libxml2
Type:        security
Severity:    important
References:  1234812,CVE-2024-40896
This update for libxml2 fixes the following issues:

- CVE-2024-40896: Fixed XML external entity vulnerability (bsc#1234812)

-----------------------------------------------------------------
Advisory ID: 190
Released:    Mon Feb  3 10:24:20 2025
Summary:     Recommended update for iptables
Type:        recommended
Severity:    moderate
References:  1234996,1235088
This update for iptables fixes the following issues:

- Fixes checking existence of rules. Fixes issues with rule creation with podman/netavark. (bsc#1235088, bsc#1234996)


-----------------------------------------------------------------
Advisory ID: 203
Released:    Tue Feb  4 09:59:54 2025
Summary:     Security update for rsync
Type:        security
Severity:    critical
References:  1234100,1234101,1234102,1234103,1234104,1235475,CVE-2024-12084,CVE-2024-12085,CVE-2024-12086,CVE-2024-12087,CVE-2024-12088,CVE-2024-12747
This update for rsync fixes the following issues:

- CVE-2024-12084: Fixed a heap buffer overflow in checksum parsing (bsc#1234100).
- CVE-2024-12085: Fixed an information leak via uninitialized stack contents that defeats ASLR (bsc#1234101).
- CVE-2024-12086: Fixed a server leaking arbitrary client files (bsc#1234102).
- CVE-2024-12087: Fixed a server's use of symbolic links to make a client write files outside of the destination directory (bsc#1234103).
- CVE-2024-12088: Fixed a --safe-links bypass (bsc#1234104).
- CVE-2024-12747: Fixed a race condition in rsync's handling of symbolic links (bsc#1235475).


The following package changes have been done:

- btrfsprogs-udev-rules-6.1.3-6.19 added
- elemental-httpfy-1.6.6-1.1 added
- elemental-seedimage-hooks-1.6.6-1.1 added
- libxxhash0-0.8.1-2.194 added
- libuuid1-2.39.3-3.1 updated
- liburcu8-0.14.0-2.8 added
- libtextstyle0-0.21.1-5.1 added
- libsmartcols1-2.39.3-3.1 updated
- libparted-fs-resize0-3.5-2.11 added
- liblzo2-2-2.10-3.1 added
- libjson-c5-0.16-3.1 added
- libip4tc2-1.8.9-4.1 updated
- libgcc_s1-13.3.0+git8781-2.1 updated
- libfuse2-2.9.9-3.1 added
- libexpat1-2.5.0-4.1 updated
- libburn4-1.5.4-1.9 added
- libbtrfsutil1-6.1.3-6.19 added
- libbtrfs0-6.1.3-6.19 added
- libblkid1-2.39.3-3.1 updated
- libargon2-1-20190702-3.1 added
- libaio1-0.3.113-3.1 added
- dosfstools-4.2-2.9 added
- libpng16-16-1.6.43-1.1 added
- libxml2-2-2.11.6-4.1 updated
- squashfs-4.6.1-3.7 added
- libstdc++6-13.3.0+git8781-2.1 updated
- libext2fs2-1.47.0-2.3 added
- libjte2-1.22-1.8 added
- libfdisk1-2.39.3-3.1 updated
- libmount1-2.39.3-3.1 updated
- libinih0-56-3.1 added
- libisofs6-1.5.4-1.9 added
- libfreetype6-2.13.2-1.6 added
- libedit0-20210910.3.1-9.169 added
- gptfdisk-1.0.9-3.5 added
- libisoburn1-1.5.4-1.9 added
- libdevmapper1_03-2.03.22_1.02.196-1.8 added
- gzip-1.13-1.50 added
- gettext-runtime-0.21.1-5.1 added
- ALP-dummy-release-0.1-8.67 added
- libparted2-3.5-2.11 added
- libdevmapper-event1_03-2.03.22_1.02.196-1.8 added
- info-7.0.3-4.1 added
- xfsprogs-6.5.0-1.9 added
- thin-provisioning-tools-0.9.0-2.10 added
- systemd-rpm-macros-24-1.205 added
- e2fsprogs-1.47.0-2.3 added
- btrfsprogs-6.1.3-6.19 added
- parted-3.5-2.11 added
- liblvm2cmd2_03-2.03.22-1.8 added
- xorriso-1.5.4-1.9 added
- device-mapper-2.03.22_1.02.196-1.8 added
- mtools-4.0.43-4.9 added
- libopenssl3-3.1.4-7.1 updated
- pam-1.6.0-4.1 updated
- grub2-2.12~rc1-5.30 added
- grub2-i386-pc-2.12~rc1-5.30 added
- suse-module-tools-16.0.43-1.1 added
- kmod-30-10.56 added
- rsync-3.2.7-4.1 added
- libcryptsetup12-2.6.1-4.13 added
- util-linux-2.39.3-3.1 updated
- libsnapper7-0.10.5-2.10 added
- libcurl4-8.6.0-5.1 updated
- curl-8.6.0-5.1 updated
- system-group-kvm-20170617-2.197 added
- system-group-hardware-20170617-2.197 added
- udev-254.18-1.1 added
- snapper-0.10.5-2.10 added
- lvm2-2.03.22-1.8 added
- elemental-toolkit-2.1.1-1.1 added
- container:suse-toolbox-image-1.0.0-7.1 updated
