SUSE-SU-2018:0053-1: moderate: Security update for CaaS Platform 2.0 images
sle-security-updates at lists.suse.com
Tue Jan 9 13:08:34 MST 2018
SUSE Security Update: Security update for CaaS Platform 2.0 images
______________________________________________________________________________
Announcement ID: SUSE-SU-2018:0053-1
Rating: moderate
References: #1003846 #1004995 #1009966 #1022404 #1025282
#1025891 #1026567 #1029907 #1029908 #1029909
#1029995 #1030623 #1035386 #1036619 #1039099
#1039276 #1039513 #1040800 #1040968 #1041090
#1043059 #1043590 #1043883 #1043966 #1044016
#1045472 #1045522 #1045732 #1047178 #1047233
#1048605 #1048861 #1050152 #1050258 #1050487
#1052503 #1052507 #1052509 #1052511 #1052514
#1052518 #1053137 #1053347 #1053595 #1053671
#1055446 #1055641 #1055825 #1056058 #1056312
#1056381 #1057007 #1057139 #1057144 #1057149
#1057188 #1057634 #1057721 #1057724 #1058480
#1058695 #1058783 #1059050 #1059065 #1059075
#1059292 #1059723 #1060599 #1060621 #1061241
#1061384 #1062561 #1063249 #1063269 #1064571
#1064999 #1065363 #1066242 #1066371 #1066500
#1066611 #1067891 #1070878 #1070958 #1071905
#1071906
Cross-References: CVE-2014-3710 CVE-2014-8116 CVE-2014-8117
CVE-2014-9620 CVE-2014-9621 CVE-2014-9653
CVE-2017-12448 CVE-2017-12450 CVE-2017-12452
CVE-2017-12453 CVE-2017-12454 CVE-2017-12456
CVE-2017-12799 CVE-2017-12837 CVE-2017-12883
CVE-2017-13757 CVE-2017-14128 CVE-2017-14129
CVE-2017-14130 CVE-2017-14333 CVE-2017-14529
CVE-2017-14729 CVE-2017-14745 CVE-2017-14974
CVE-2017-3735 CVE-2017-3736 CVE-2017-3737
CVE-2017-3738 CVE-2017-6512
Affected Products:
SUSE CaaS Platform ALL
______________________________________________________________________________
An update that solves 29 vulnerabilities and has 57 fixes
is now available.
Description:
The Docker images provided with SUSE CaaS Platform 2.0 have been updated
to include the following updates:
binutils:
* Update to version 2.29
* 18750 bsc#1030296 CVE-2014-9939
* 20891 bsc#1030585 CVE-2017-7225
* 20892 bsc#1030588 CVE-2017-7224
* 20898 bsc#1030589 CVE-2017-7223
* 20905 bsc#1030584 CVE-2017-7226
* 20908 bsc#1031644 CVE-2017-7299
* 20909 bsc#1031656 CVE-2017-7300
* 20921 bsc#1031595 CVE-2017-7302
* 20922 bsc#1031593 CVE-2017-7303
* 20924 bsc#1031638 CVE-2017-7301
* 20931 bsc#1031590 CVE-2017-7304
* 21135 bsc#1030298 CVE-2017-7209
* 21137 bsc#1029909 CVE-2017-6965
* 21139 bsc#1029908 CVE-2017-6966
* 21156 bsc#1029907 CVE-2017-6969
* 21157 bsc#1030297 CVE-2017-7210
* 21409 bsc#1037052 CVE-2017-8392
* 21412 bsc#1037057 CVE-2017-8393
* 21414 bsc#1037061 CVE-2017-8394
* 21432 bsc#1037066 CVE-2017-8396
* 21440 bsc#1037273 CVE-2017-8421
* 21580 bsc#1044891 CVE-2017-9746
* 21581 bsc#1044897 CVE-2017-9747
* 21582 bsc#1044901 CVE-2017-9748
* 21587 bsc#1044909 CVE-2017-9750
* 21594 bsc#1044925 CVE-2017-9755
* 21595 bsc#1044927 CVE-2017-9756
* 21787 bsc#1052518 CVE-2017-12448
* 21813 bsc#1052503 CVE-2017-12456, bsc#1052507 CVE-2017-12454,
bsc#1052509 CVE-2017-12453, bsc#1052511 CVE-2017-12452,
bsc#1052514 CVE-2017-12450
* 21933 bsc#1053347 CVE-2017-12799
* 21990 bsc#1058480 CVE-2017-14333
* 22018 bsc#1056312 CVE-2017-13757
* 22047 bsc#1057144 CVE-2017-14129
* 22058 bsc#1057149 CVE-2017-14130
* 22059 bsc#1057139 CVE-2017-14128
* 22113 bsc#1059050 CVE-2017-14529
* 22148 bsc#1060599 CVE-2017-14745
* 22163 bsc#1061241 CVE-2017-14974
* 22170 bsc#1060621 CVE-2017-14729
* Make compressed debug section handling explicit, disable for
old products and enable for gas on all architectures otherwise.
[bsc#1029995]
* Remove the empty rpath component removal optimization to work around
CMake rpath handling. [bsc#1025282]
* Fix alignment frags for aarch64 (bsc#1003846)
coreutils:
* Fix df(1) to no longer interact with excluded file system types, so for
example specifying -x nfs no longer hangs with problematic nfs mounts.
(bsc#1026567)
* Ensure df -l no longer interacts with dummy file system types, so for
example no longer hangs with problematic NFS mounted via
system.automount(5). (bsc#1043059)
* Significantly speed up df(1) for huge mount lists. (bsc#965780)
file:
* Update to version 5.22.
* CVE-2014-9621: The ELF parser in file allowed remote attackers to cause
a denial of service via a long string. (bsc#913650)
* CVE-2014-9620: The ELF parser in file allowed remote attackers to cause
a denial of service via a large number of notes. (bsc#913651)
* CVE-2014-9653: readelf.c in file did not consider that pread calls
sometimes read only a subset of the available data, which allows remote
attackers to cause a denial of service (uninitialized memory access) or
possibly have unspecified other impact via a crafted ELF file.
(bsc#917152)
* CVE-2014-8116: The ELF parser (readelf.c) in file allowed remote
attackers to cause a denial of service (CPU consumption or crash) via a
large number of (1) program or (2) section headers or (3) invalid
capabilities. (bsc#910253)
* CVE-2014-8117: softmagic.c in file did not properly limit recursion,
which allowed remote attackers to cause a denial of service (CPU
consumption or crash) via unspecified vectors. (bsc#910253)
* Fixed a memory corruption during rpmbuild (bsc#1063269)
* Backport of a fix for an increased printable string length as found in
file 5.30 (bsc#996511)
* Fixed the file command reporting "Composite Document File V2 Document,
corrupt: Can't read SSAT" for the Excel 97/2003 file format. (bsc#1009966)
gcc7:
* Support for specific IBM Power9 processor instructions.
* Support for specific IBM zSeries z14 processor instructions.
* New packages cross-nvptx-gcc7 and nvptx-tools added to the Toolchain
Module for specific NVIDIA card offload support.
gzip:
* Fix mishandling of leading zeros in the end-of-block code (bsc#1067891)
libsolv:
* Many fixes and improvements for cleandeps.
* Always create dup rules for "distupgrade" jobs.
* Use recommends also for ordering packages.
* Fix splitprovides handling with addalreadyrecommended turned off.
(bsc#1059065)
* Expose solver_get_recommendations() in bindings.
* Fix bug in solver_prune_to_highest_prio_per_name resulting in bad output
from solver_get_recommendations().
* Support 'without' and 'unless' dependencies.
* Use same heuristic as upstream to determine source RPMs.
* Fix memory leak in bindings.
* Add pool_best_solvables() function.
* Fix 64bit integer parsing from RPM headers.
* Enable bzip2 and xz/lzma compression support.
* Enable complex/rich dependencies on distributions with RPM 4.13+.
libtool:
* Add missing dependencies and provides to baselibs.conf to make sure
libltdl libraries are properly installed. (bsc#1056381)
libzypp:
* Fix media handling in presence of a repo path prefix. (bsc#1062561)
* Fix RepoProvideFile ignoring a repo path prefix. (bsc#1062561)
* Remove unused legacy notify-message script. (bsc#1058783)
* Support multiple product licenses in repomd. (fate#322276)
* Propagate 'rpm --import' errors. (bsc#1057188)
* Fix typos in zypp.conf.
openssl:
* CVE-2017-3735: openssl1, openssl: Malformed X.509 IPAddressFamily could
cause an OOB read (bsc#1056058)
* CVE-2017-3736: openssl: bn_sqrx8x_internal carry bug on x86_64
(bsc#1066242)
* Out-of-bounds read and crash in DES_fcrypt (bsc#1065363)
* The openssl DEFAULT_SUSE cipher list is missing ECDHE-ECDSA ciphers
(bsc#1055825)
perl:
Security issues for perl:
* CVE-2017-12837: Heap-based buffer overflow in the S_regatom function in
regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1
allows remote attackers to cause a denial of service (out-of-bounds
write) via a regular expression with an escape and the case-insensitive
modifier. (bnc#1057724)
* CVE-2017-12883: Buffer overflow in the S_grok_bslash_N function in
regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1
allows remote attackers to disclose sensitive information or cause a
denial of service (application crash) via a crafted regular expression
with an invalid escape. (bnc#1057721)
* CVE-2017-6512: Race condition in the rmtree and remove_tree functions in
the File-Path module before 2.13 for Perl allows attackers to set the
mode on arbitrary files via vectors involving directory-permission
loosening logic. (bnc#1047178)
Bug fixes for perl:
* Backport set_capture_string changes from upstream (bsc#999735)
* Reformat baselibs.conf as a source validator workaround
systemd:
* unit: When JobTimeoutSec= is turned off, implicitly turn off
JobRunningTimeoutSec= too. (bsc#1048605, bsc#1004995)
* compat-rules: Generate compat by-id symlinks with 'nvme' prefix missing
and warn users that have broken symlinks. (bsc#1063249)
* compat-rules: Allow to specify the generation number through the kernel
command line.
* scsi_id: Fixup prefix for pre-SPC inquiry reply. (bsc#1039099)
* tmpfiles: Remove old ICE and X11 sockets at boot.
* tmpfiles: Silently ignore any path that passes through autofs.
(bsc#1045472)
* pam_logind: Skip leading /dev/ from PAM_TTY field before passing it on.
* shared/machine-pool: Fix another mkfs.btrfs checking. (bsc#1053595)
* shutdown: Fix incorrect fscanf() result check.
* shutdown: Don't remount,ro network filesystems. (bsc#1035386)
* shutdown: Don't be fooled when detaching DM devices with BTRFS.
(bsc#1055641)
* bash-completion: Add support for --now. (bsc#1053137)
* Add convert-lib-udev-path.sh script to convert /lib/udev directory into
a symlink pointing to /usr/lib/udev when upgrading from SLE11.
(bsc#1050152)
* Add a rule to teach hotplug to offline containers transparently.
(bsc#1040800)
timezone:
* Northern Cyprus switches from +03 to +02/+03 on 2017-10-29
* Fiji ends DST 2018-01-14, not 2018-01-21
* Namibia switches from +01/+02 to +02 on 2018-04-01
* Sudan switches from +03 to +02 on 2017-11-01
* Tonga likely switches from +13/+14 to +13 on 2017-11-05
* Turks and Caicos switches from -04 to -05/-04 on 2018-11-04
* Corrections to past DST transitions
* Move oversized Canada/East-Saskatchewan to 'backward' file
* zic(8) and the reference runtime now reject multiple leap seconds within
28 days of each other, or leap seconds before the Epoch.
util-linux:
* Allow unmounting of filesystems without calling stat() on the mount
point, when "-c" is used. (bsc#1040968)
* Fix an infinite loop, a crash and report the correct minimum and maximum
frequencies in lscpu for some processors. (bsc#1055446)
* Fix an lscpu failure in the Sydney Amazon EC2 region. (bsc#1066500)
* If multiple subvolumes are mounted, report the default subvolume.
(bsc#1039276)
velum:
* Fix logout issue on the DEX download page (page doesn't exist)
(bsc#1066611)
* Handle invalid sessions in a more user-friendly way
* Fix undesired minimum nodes alert blink (bsc#1066371)
wicked:
* A regression in wicked was causing the hostname not to be set correctly
via DHCP in some cases (bsc#1057007, bsc#1050258)
* Configure the interface MTU correctly even in cases where the interface
was up already (bsc#1059292)
* Don't abort the process that adds configured routes if one route fails
(bsc#1036619)
* Handle DHCP4 user-class ids properly (bsc#1045522)
* ethtool: handle channels parameters (bsc#1043883)
zypper:
* Locale: Fix possible segmentation fault. (bsc#1064999)
* Add summary hint if product is better updated by a different command.
This is mainly used by rolling distributions like openSUSE Tumbleweed to
remind their users to use 'zypper dup' to update (not zypper up or
patch). (bsc#1061384)
* Unify '(add|modify)(repo|service)' property related arguments.
* Fixed 'add' commands to support setting only a subset of properties.
* Introduced '-f/-F' as preferred short option for --[no-]refresh in all
four commands. (bsc#661410, bsc#1053671)
* Fix missing package names in installation report. (bsc#1058695)
* Distinguish between unsupported packages and packages with unknown
support status. (bsc#1057634)
* Return error code '107' if an RPM's %post configuration script fails,
but only if ZYPPER_ON_CODE12_RETURN_107=1 is set in the environment.
(bsc#1047233)
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE CaaS Platform ALL:
zypper in -t patch SUSE-CAASP-ALL-2018-40=1
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE CaaS Platform ALL (x86_64):
sles12-caasp-dex-image-2.0.0-3.3.11
sles12-dnsmasq-nanny-image-2.0.1-2.3.15
sles12-haproxy-image-2.0.1-2.3.16
sles12-kubedns-image-2.0.1-2.3.11
sles12-mariadb-image-2.0.1-2.3.15
sles12-openldap-image-2.0.0-2.3.11
sles12-pause-image-2.0.1-2.3.9
sles12-pv-recycler-node-image-2.0.1-2.3.10
sles12-salt-api-image-2.0.1-2.3.10
sles12-salt-master-image-2.0.1-2.3.10
sles12-salt-minion-image-2.0.1-2.3.14
sles12-sidecar-image-2.0.1-2.3.11
sles12-tiller-image-2.0.0-2.3.11
sles12-velum-image-2.0.1-2.3.13
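A defender-side check, added here as an example and not part of the advisory: it takes the fixed package NVRs from the package list above and reports which of those images a node still has installed at an older version. The installed list is constructed sample data; on a CaaS Platform admin node the same function would be fed the output of `rpm -qa 'sles12-*-image'` (assumed to list the image packages under these names), and the version ordering is a simplified numeric comparison rather than full rpm version semantics.

```shell
# Added example (not from the advisory): report advisory image packages that
# are installed on a node but still below the fixed NVR. SAMPLE_INSTALLED is
# constructed data standing in for `rpm -qa 'sles12-*-image'` on an admin node.
ADVISORY_PKGS='
sles12-caasp-dex-image-2.0.0-3.3.11
sles12-dnsmasq-nanny-image-2.0.1-2.3.15
sles12-haproxy-image-2.0.1-2.3.16
sles12-kubedns-image-2.0.1-2.3.11
sles12-mariadb-image-2.0.1-2.3.15
sles12-openldap-image-2.0.0-2.3.11
sles12-pause-image-2.0.1-2.3.9
sles12-pv-recycler-node-image-2.0.1-2.3.10
sles12-salt-api-image-2.0.1-2.3.10
sles12-salt-master-image-2.0.1-2.3.10
sles12-salt-minion-image-2.0.1-2.3.14
sles12-sidecar-image-2.0.1-2.3.11
sles12-tiller-image-2.0.0-2.3.11
sles12-velum-image-2.0.1-2.3.13
'
SAMPLE_INSTALLED='
sles12-velum-image-2.0.1-2.3.12
sles12-salt-master-image-2.0.1-2.3.10
sles12-haproxy-image-2.0.0-2.3.9
'
# Split NAME-VERSION-RELEASE at the last two dashes (NAME itself has dashes).
nvr_name()    { printf '%s\n' "${1%-*-*}"; }
nvr_version() { vr="${1#"${1%-*-*}"-}"; printf '%s\n' "${vr%-*}"; }
nvr_release() { printf '%s\n' "${1##*-}"; }
# True when dotted version $1 is older than $2 (numeric segments, missing = 0).
ver_lt() {
  a="$1." b="$2."
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}" y="${b%%.*}"
    a="${a#*.}" b="${b#*.}"
    [ "${x:-0}" -lt "${y:-0}" ] && return 0
    [ "${x:-0}" -gt "${y:-0}" ] && return 1
  done
  return 1
}
# Installed NVR $1 is older than fixed NVR $2: version first, release on a tie.
nvr_older() {
  ver_lt "$(nvr_version "$1")" "$(nvr_version "$2")" && return 0
  ver_lt "$(nvr_version "$2")" "$(nvr_version "$1")" && return 1
  ver_lt "$(nvr_release "$1")" "$(nvr_release "$2")"
}
# One line per advisory package present in $1 (one NVR per line) but outdated.
outdated_images() {
  for fixed in $ADVISORY_PKGS; do
    name=$(nvr_name "$fixed")
    inst=$(printf '%s\n' "$1" | grep "^$name-[0-9]" | head -n 1)
    [ -n "$inst" ] && nvr_older "$inst" "$fixed" &&
      printf '%s installed=%s fixed=%s\n' "$name" "${inst#"$name"-}" "${fixed#"$name"-}"
  done; return 0
}
outdated_images "$SAMPLE_INSTALLED"  # real node: outdated_images "$(rpm -qa 'sles12-*-image')"
```

An empty result means every advisory image present on the node is already at or above the fixed NVR; images not installed at all are skipped rather than reported.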
References:
https://www.suse.com/security/cve/CVE-2014-3710.html
https://www.suse.com/security/cve/CVE-2014-8116.html
https://www.suse.com/security/cve/CVE-2014-8117.html
https://www.suse.com/security/cve/CVE-2014-9620.html
https://www.suse.com/security/cve/CVE-2014-9621.html
https://www.suse.com/security/cve/CVE-2014-9653.html
https://www.suse.com/security/cve/CVE-2017-12448.html
https://www.suse.com/security/cve/CVE-2017-12450.html
https://www.suse.com/security/cve/CVE-2017-12452.html
https://www.suse.com/security/cve/CVE-2017-12453.html
https://www.suse.com/security/cve/CVE-2017-12454.html
https://www.suse.com/security/cve/CVE-2017-12456.html
https://www.suse.com/security/cve/CVE-2017-12799.html
https://www.suse.com/security/cve/CVE-2017-12837.html
https://www.suse.com/security/cve/CVE-2017-12883.html
https://www.suse.com/security/cve/CVE-2017-13757.html
https://www.suse.com/security/cve/CVE-2017-14128.html
https://www.suse.com/security/cve/CVE-2017-14129.html
https://www.suse.com/security/cve/CVE-2017-14130.html
https://www.suse.com/security/cve/CVE-2017-14333.html
https://www.suse.com/security/cve/CVE-2017-14529.html
https://www.suse.com/security/cve/CVE-2017-14729.html
https://www.suse.com/security/cve/CVE-2017-14745.html
https://www.suse.com/security/cve/CVE-2017-14974.html
https://www.suse.com/security/cve/CVE-2017-3735.html
https://www.suse.com/security/cve/CVE-2017-3736.html
https://www.suse.com/security/cve/CVE-2017-3737.html
https://www.suse.com/security/cve/CVE-2017-3738.html
https://www.suse.com/security/cve/CVE-2017-6512.html
https://bugzilla.suse.com/1003846
https://bugzilla.suse.com/1004995
https://bugzilla.suse.com/1009966
https://bugzilla.suse.com/1022404
https://bugzilla.suse.com/1025282
https://bugzilla.suse.com/1025891
https://bugzilla.suse.com/1026567
https://bugzilla.suse.com/1029907
https://bugzilla.suse.com/1029908
https://bugzilla.suse.com/1029909
https://bugzilla.suse.com/1029995
https://bugzilla.suse.com/1030623
https://bugzilla.suse.com/1035386
https://bugzilla.suse.com/1036619
https://bugzilla.suse.com/1039099
https://bugzilla.suse.com/1039276
https://bugzilla.suse.com/1039513
https://bugzilla.suse.com/1040800
https://bugzilla.suse.com/1040968
https://bugzilla.suse.com/1041090
https://bugzilla.suse.com/1043059
https://bugzilla.suse.com/1043590
https://bugzilla.suse.com/1043883
https://bugzilla.suse.com/1043966
https://bugzilla.suse.com/1044016
https://bugzilla.suse.com/1045472
https://bugzilla.suse.com/1045522
https://bugzilla.suse.com/1045732
https://bugzilla.suse.com/1047178
https://bugzilla.suse.com/1047233
https://bugzilla.suse.com/1048605
https://bugzilla.suse.com/1048861
https://bugzilla.suse.com/1050152
https://bugzilla.suse.com/1050258
https://bugzilla.suse.com/1050487
https://bugzilla.suse.com/1052503
https://bugzilla.suse.com/1052507
https://bugzilla.suse.com/1052509
https://bugzilla.suse.com/1052511
https://bugzilla.suse.com/1052514
https://bugzilla.suse.com/1052518
https://bugzilla.suse.com/1053137
https://bugzilla.suse.com/1053347
https://bugzilla.suse.com/1053595
https://bugzilla.suse.com/1053671
https://bugzilla.suse.com/1055446
https://bugzilla.suse.com/1055641
https://bugzilla.suse.com/1055825
https://bugzilla.suse.com/1056058
https://bugzilla.suse.com/1056312
https://bugzilla.suse.com/1056381
https://bugzilla.suse.com/1057007
https://bugzilla.suse.com/1057139
https://bugzilla.suse.com/1057144
https://bugzilla.suse.com/1057149
https://bugzilla.suse.com/1057188
https://bugzilla.suse.com/1057634
https://bugzilla.suse.com/1057721
https://bugzilla.suse.com/1057724
https://bugzilla.suse.com/1058480
https://bugzilla.suse.com/1058695
https://bugzilla.suse.com/1058783
https://bugzilla.suse.com/1059050
https://bugzilla.suse.com/1059065
https://bugzilla.suse.com/1059075
https://bugzilla.suse.com/1059292
https://bugzilla.suse.com/1059723
https://bugzilla.suse.com/1060599
https://bugzilla.suse.com/1060621
https://bugzilla.suse.com/1061241
https://bugzilla.suse.com/1061384
https://bugzilla.suse.com/1062561
https://bugzilla.suse.com/1063249
https://bugzilla.suse.com/1063269
https://bugzilla.suse.com/1064571
https://bugzilla.suse.com/1064999
https://bugzilla.suse.com/1065363
https://bugzilla.suse.com/1066242
https://bugzilla.suse.com/1066371
https://bugzilla.suse.com/1066500
https://bugzilla.suse.com/1066611
https://bugzilla.suse.com/1067891
https://bugzilla.suse.com/1070878
https://bugzilla.suse.com/1070958
https://bugzilla.suse.com/1071905
https://bugzilla.suse.com/1071906