SUSE-CU-2020:113-1: Security update of ses/6/rook/ceph
sle-security-updates at lists.suse.com
sle-security-updates at lists.suse.com
Tue Apr 7 03:58:36 MDT 2020
SUSE Container Update Advisory: ses/6/rook/ceph
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:113-1
Container Tags : ses/6/rook/ceph:1.1.1.0 , ses/6/rook/ceph:1.1.1.0.1.5.157 , ses/6/rook/ceph:latest
Container Release : 1.5.157
Severity : important
Type : security
References : 1084671 1092920 1102840 1106383 1122669 1133495 1135114 1136184
1139459 1139939 1146853 1146854 1148788 1150021 1151023 1151377
1154256 1154804 1154805 1155198 1155205 1155207 1155298 1155337
1155350 1155357 1155360 1155574 1155678 1155819 1155951 1156158
1156213 1156482 1157377 1158485 1158504 1158509 1158630 1158630
1158758 1158763 1158921 1159003 1159018 1159814 1160039 1160086
1160160 1160590 1160594 1160595 1160735 1160764 1161215 1161216
1161218 1161219 1161220 1161262 1161436 1161770 1161779 1161783
1161816 1162108 1162108 1162152 1162202 1162224 1162367 1162423
1162518 1162675 1162825 1163184 1163922 1164260 1164505 1164562
1164717 1164950 1164950 1165579 1165784 1165894 1166106 1166403
1166481 1166484 1166510 1166510 1166748 1166880 1167163 1167205
1167206 1167223 1167631 1167674 CVE-2019-18634 CVE-2019-18802
CVE-2019-18900 CVE-2019-20386 CVE-2019-3687 CVE-2019-9674 CVE-2020-10029
CVE-2020-1712 CVE-2020-1712 CVE-2020-1752 CVE-2020-1759 CVE-2020-1760
CVE-2020-8013 CVE-2020-8492
-----------------------------------------------------------------
The container ses/6/rook/ceph was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:335-1
Released: Thu Feb 6 11:37:24 2020
Summary: Security update for systemd
Type: security
Severity: important
References: 1084671,1092920,1106383,1133495,1151377,1154256,1155207,1155574,1156213,1156482,1158485,1159814,1161436,1162108,CVE-2019-20386,CVE-2020-1712
This update for systemd fixes the following issues:
- CVE-2020-1712 (bsc#bsc#1162108)
Fix a heap use-after-free vulnerability, when asynchronous
Polkit queries were performed while handling Dbus messages. A local
unprivileged attacker could have abused this flaw to crash systemd services or
potentially execute code and elevate their privileges, by sending specially
crafted Dbus messages.
- Use suse.pool.ntp.org server pool on SLE distros (jsc#SLE-7683)
- libblkid: open device in nonblock mode. (bsc#1084671)
- udev/cdrom_id: Do not open CD-rom in exclusive mode. (bsc#1154256)
- bus_open leak sd_event_source when udevadm triggerã (bsc#1161436 CVE-2019-20386)
- fileio: introduce read_full_virtual_file() for reading virtual files in sysfs, procfs (bsc#1133495 bsc#1159814)
- fileio: initialize errno to zero before we do fread()
- fileio: try to read one byte too much in read_full_stream()
- logind: consider 'greeter' sessions suitable as 'display' sessions of a user (bsc#1158485)
- logind: never elect a session that is stopping as display
- journal: include kmsg lines from the systemd process which exec()d us (#8078)
- udevd: don't use monitor after manager_exit()
- udevd: capitalize log messages in on_sigchld()
- udevd: merge conditions to decrease indentation
- Revert 'udevd: fix crash when workers time out after exit is signal caught'
- core: fragments of masked units ought not be considered for NeedDaemonReload (#7060) (bsc#1156482)
- udevd: fix crash when workers time out after exit is signal caught
- udevd: wait for workers to finish when exiting (bsc#1106383)
- Improve bash completion support (bsc#1155207)
* shell-completion: systemctl: do not list template units in {re,}start
* shell-completion: systemctl: pass current word to all list_unit*
* bash-completion: systemctl: pass current partial unit to list-unit* (bsc#1155207)
* bash-completion: systemctl: use systemctl --no-pager
* bash-completion: also suggest template unit files
* bash-completion: systemctl: add missing options and verbs
* bash-completion: use the first argument instead of the global variable (#6457)
- networkd: VXLan Make group and remote variable separate (bsc#1156213)
- networkd: vxlan require Remote= to be a non multicast address (#8117) (bsc#1156213)
- fs-util: let's avoid unnecessary strerror()
- fs-util: introduce inotify_add_watch_and_warn() helper
- ask-password: improve log message when inotify limit is reached (bsc#1155574)
- shared/install: failing with -ELOOP can be due to the use of an alias in install_error() (bsc#1151377)
- man: alias names can't be used with enable command (bsc#1151377)
- Add boot option to not use swap at system start (jsc#SLE-7689)
- Allow YaST to select Iranian (Persian, Farsi) keyboard layout
(bsc#1092920)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:339-1
Released: Thu Feb 6 13:03:22 2020
Summary: Recommended update for openldap2
Type: recommended
Severity: low
References: 1158921
This update for openldap2 provides the following fix:
- Add libldap-data to the product (as it contains ldap.conf). (bsc#1158921)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:340-1
Released: Thu Feb 6 13:03:56 2020
Summary: Recommended update for python-rpm-macros
Type: recommended
Severity: moderate
References: 1161770
This update for python-rpm-macros fixes the following issues:
- Add macros related to the Python dist metadata dependency generator. (bsc#1161770)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:368-1
Released: Fri Feb 7 13:49:41 2020
Summary: Recommended update for lvm2
Type: recommended
Severity: moderate
References: 1150021
This update for lvm2 fixes the following issues:
- Fix for LVM in KVM: The scsi presistent reservation scenario can trigger and error during LVM actions. (bsc#1150021)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:395-1
Released: Tue Feb 18 14:16:48 2020
Summary: Recommended update for gcc7
Type: recommended
Severity: moderate
References: 1160086
This update for gcc7 fixes the following issue:
- Fixed a miscompilation in zSeries code (bsc#1160086)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:408-1
Released: Wed Feb 19 09:32:46 2020
Summary: Security update for sudo
Type: security
Severity: important
References: 1162202,1162675,CVE-2019-18634
This update for sudo fixes the following issues:
Security issue fixed:
- CVE-2019-18634: Fixed a buffer overflow in the passphrase prompt that could occur when pwfeedback was enabled in /etc/sudoers (bsc#1162202).
Non-security issue fixed:
- Fixed an issue where sudo -l would ask for a password even though `listpw` was set to `never` (bsc#1162675).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:432-1
Released: Fri Feb 21 14:34:16 2020
Summary: Security update for libsolv, libzypp, zypper
Type: security
Severity: moderate
References: 1135114,1154804,1154805,1155198,1155205,1155298,1155678,1155819,1156158,1157377,1158763,CVE-2019-18900
This update for libsolv, libzypp, zypper fixes the following issues:
Security issue fixed:
- CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763).
Bug fixes
- Fixed removing orphaned packages dropped by to-be-installed products (bsc#1155819).
- Adds libzypp API to mark all obsolete kernels according to the existing purge-kernel script rules (bsc#1155198).
- Do not enforce 'en' being in RequestedLocales If the user decides to have a system without explicit language support he may do so (bsc#1155678).
- Load only target resolvables for zypper rm (bsc#1157377).
- Fix broken search by filelist (bsc#1135114).
- Replace python by a bash script in zypper-log (fixes#304, fixes#306, bsc#1156158).
- Do not sort out requested locales which are not available (bsc#1155678).
- Prevent listing duplicate matches in tables. XML result is provided within the new list-patches-byissue element (bsc#1154805).
- XML add patch issue-date and issue-list (bsc#1154805).
- Fix zypper lp --cve/bugzilla/issue options (bsc#1155298).
- Always execute commit when adding/removing locales (fixes bsc#1155205).
- Fix description of --table-style,-s in man page (bsc#1154804).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:451-1
Released: Tue Feb 25 10:50:35 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1155337,1161215,1161216,1161218,1161219,1161220
This update for libgcrypt fixes the following issues:
- ECDSA: Check range of coordinates (bsc#1161216)
- FIPS: libgcrypt DSA PQG parameter generation: Missing value [bsc#1161219]
- FIPS: libgcrypt DSA PQG verification incorrect results [bsc#1161215]
- FIPS: libgcrypt RSA siggen/keygen: 4k not supported [bsc#1161220]
- FIPS: keywrap gives incorrect results [bsc#1161218]
- FIPS: RSA/DSA/ECDSA are missing hashing operation [bsc#1155337]
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:453-1
Released: Tue Feb 25 10:51:53 2020
Summary: Recommended update for binutils
Type: recommended
Severity: moderate
References: 1160590
This update for binutils fixes the following issues:
- Recognize the official name of s390 arch13: 'z15'. (bsc#1160590, jsc#SLE-7903 aka jsc#SLE-7464)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:462-1
Released: Tue Feb 25 11:49:30 2020
Summary: Recommended update for xfsprogs
Type: recommended
Severity: moderate
References: 1158504,1158509,1158630,1158758
This update for xfsprogs fixes the following issues:
- Allow the filesystem utility xfs_io to suffix sizes with k,m,g for kilobytes, megabytes or gigabytes respectively. (bsc#1158630)
- Validate extent size hint parameters through libxfs to avoid output mismatch. (bsc#1158509)
- Fix for 'xfs_repair' not to fail recovery of orphaned shortform directories. (bsc#1158504)
- Fix for 'xfs_quota' to avoid false error reporting of project inheritance flag is not set. (bsc#1158758)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:467-1
Released: Tue Feb 25 12:00:39 2020
Summary: Security update for python3
Type: security
Severity: moderate
References: 1162224,1162367,1162423,1162825,CVE-2019-9674,CVE-2020-8492
This update for python3 fixes the following issues:
Security issues fixed:
- CVE-2019-9674: Improved the documentation to reflect the dangers of zip-bombs (bsc#1162825).
- CVE-2020-8492: Fixed a regular expression in urrlib that was prone to denial of service via HTTP (bsc#1162367).
Non-security issue fixed:
- If the locale is 'C', coerce it to C.UTF-8 (bsc#1162423).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:476-1
Released: Tue Feb 25 14:23:14 2020
Summary: Recommended update for perl
Type: recommended
Severity: moderate
References: 1102840,1160039
This update for perl fixes the following issues:
- Some packages make assumptions about the date and time they are built.
This update will solve the issues caused by calling the perl function timelocal
expressing the year with two digit only instead of four digits. (bsc#1102840) (bsc#1160039)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:480-1
Released: Tue Feb 25 17:38:22 2020
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1160735
This update for aaa_base fixes the following issues:
- Change 'rp_filter' to increase the default priority to ethernet over the wifi. (bsc#1160735)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:498-1
Released: Wed Feb 26 17:59:44 2020
Summary: Recommended update for aws-cli, python-boto3, python-botocore, python-s3transfer, python-aws-sam-translator, python-cfn-lint, python-nose2, python-parameterized
Type: recommended
Severity: moderate
References: 1122669,1136184,1146853,1146854,1159018
This update for aws-cli, python-aws-sam-translator, python-cfn-lint, python-nose2, python-parameterized, python-boto3, python-botocore, python-s3transfer fixes the following issues:
python-aws-sam-translator was updated to 1.11.0 (bsc#1159018, jsc#PM-1507):
Upgrade to 1.11.0:
* Add ReservedConcurrentExecutions to globals
* Fix ElasticsearchHttpPostPolicy resource reference
* Support using AWS::Region in Ref and Sub
* Documentation and examples updates
* Add VersionDescription property to Serverless::Function
* Update ServerlessRepoReadWriteAccessPolicy
* Add additional template validation
Upgrade to 1.10.0:
* Add GSIs to DynamoDBReadPolicy and DynamoDBCrudPolicy
* Add DynamoDBReconfigurePolicy
* Add CostExplorerReadOnlyPolicy and OrganizationsListAccountsPolicy
* Add EKSDescribePolicy
* Add SESBulkTemplatedCrudPolicy
* Add FilterLogEventsPolicy
* Add SSMParameterReadPolicy
* Add SESEmailTemplateCrudPolicy
* Add s3:PutObjectAcl to S3CrudPolicy
* Add allow_credentials CORS option
* Add support for AccessLogSetting and CanarySetting Serverless::Api properties
* Add support for X-Ray in Serverless::Api
* Add support for MinimumCompressionSize in Serverless::Api
* Add Auth to Serverless::Api globals
* Remove trailing slashes from APIGW permissions
* Add SNS FilterPolicy and an example application
* Add Enabled property to Serverless::Function event sources
* Add support for PermissionsBoundary in Serverless::Function
* Fix boto3 client initialization
* Add PublicAccessBlockConfiguration property to S3 bucket resource
* Make PAY_PER_REQUEST default mode for Serverless::SimpleTable
* Add limited support for resolving intrinsics in Serverless::LayerVersion
* SAM now uses Flake8
* Add example application for S3 Events written in Go
* Updated several example applications
python-cfn-lint was added in version 0.21.4:
- Add upstream patch to fix EOL dates for lambda runtimes
- Add upstream patch to fix test_config_expand_paths test
- Rename to python-cfn-lint. This package has a python API, which
is required by python-moto.
Update to version 0.21.4:
+ Features
* Include more resource types in W3037
+ CloudFormation Specifications
* Add Resource Type `AWS::CDK::Metadata`
+ Fixes
* Uncap requests dependency in setup.py
* Check Join functions have lists in the correct sections
* Pass a parameter value for AutoPublishAlias when doing a Transform
* Show usage examples when displaying the help
Update to version 0.21.3
+ Fixes
* Support dumping strings for datetime objects when doing a Transform
Update to version 0.21.2
+ CloudFormation Specifications
* Update CloudFormation specs to 3.3.0
* Update instance types from pricing API as of 2019.05.23
Update to version 0.21.1
+ Features
* Add `Info` logging capability and set the default logging to `NotSet`
+ Fixes
* Only do rule logging (start/stop/time) when the rule is going to be called
* Update rule E1019 to allow `Fn::Transform` inside a `Fn::Sub`
* Update rule W2001 to not break when `Fn::Transform` inside a `Fn::Sub`
* Update rule E2503 to allow conditions to be used and to not default to `network` load balancer when an object is used for the Load Balancer type
Update to version 0.21.0
+ Features
* New rule E3038 to check if a Serverless resource includes the appropriate Transform
* New rule E2531 to validate a Lambda's runtime against the deprecated dates
* New rule W2531 to validate a Lambda's runtime against the EOL dates
* Update rule E2541 to include updates to Code Pipeline capabilities
* Update rule E2503 to include checking of values for load balancer attributes
+ CloudFormation Specifications
* Update CloudFormation specs to 3.2.0
* Update instance types from pricing API as of 2019.05.20
+ Fixes
* Include setuptools in setup.py requires
Update to version 0.20.3
+ CloudFormation Specifications
* Update instance types from pricing API as of 2019.05.16
+ Fixes
* Update E7001 to allow float/doubles for mapping values
* Update W1020 to check pre-transformed Fn::Sub(s) to determine if a Sub is needed
* Pin requests to be below or equal to 2.21.0 to prevent issues with botocore
Update to version 0.20.2
+ Features
* Add support for List<String> Parameter types
+ CloudFormation Specifications
* Add allowed values for AWS::EC2 EIP, FlowLog, CustomerGateway, DHCPOptions, EC2Fleet
* Create new property type for Security Group IDs or Names
* Add new Lambda runtime environment for NodeJs 10.x
* Move AWS::ServiceDiscovery::Service Health checks from Only One to Exclusive
* Update Glue Crawler Role to take an ARN or a name
* Remove PrimitiveType from MaintenanceWindowTarget Targets
* Add Min/Max values for Load Balancer Ports to be between 1-65535
+ Fixes
* Include License file in the pypi package to help with downstream projects
* Filter out dynamic references from rule E3031 and E3030
* Convert Python linting and Code Coverage from Python 3.6 to 3.7
Update to version 0.20.1
+ Fixes
* Update rule E8003 to support more functions inside a Fn::Equals
Update to version 0.20.0
+ Features
* Allow a rule's exception to be defined in a resource's metadata
* Add rule configuration capabilities
* Update rule E3012 to allow for non strict property checking
* Add rule E8003 to test Fn::Equals structure and syntax
* Add rule E8004 to test Fn::And structure and syntax
* Add rule E8005 to test Fn::Not structure and syntax
* Add rule E8006 to test Fn::Or structure and syntax
* Include Path to error in the JSON output
* Update documentation to describe how to install cfn-lint from brew
+ CloudFormation Specifications
* Update CloudFormation specs to version 3.0.0
* Add new region ap-east-1
* Add list min/max and string min/max for CloudWatch Alarm Actions
* Add allowed values for EC2::LaunchTemplate
* Add allowed values for EC2::Host
* Update allowed values for Amazon MQ to include 5.15.9
* Add AWS::Greengrass::ResourceDefinition to GreenGrass supported regions
* Add AWS::EC2::VPCEndpointService to all regions
* Update AWS::ECS::TaskDefinition ExecutionRoleArn to be a IAM Role ARN
* Patch spec files for SSM MaintenanceWindow to look for Target and not Targets
* Update ManagedPolicyArns list size to be 20 which is the hard limit. 10 is the soft limit.
+ Fixes
* Fix rule E3033 to check the string size when the string is inside a list
* Fix an issue in which AWS::NotificationARNs was not a list
* Add AWS::EC2::Volume to rule W3010
* Fix an issue with W2001 where SAM translate would remove the Ref to a parameter causing this error to falsely trigger
* Fix rule W3010 to not error when the availability zone is 'all'
Update to version 0.19.1
+ Fixes
* Fix core Condition processing to support direct Condition in another Condition
* Fix the W2030 to check numbers against string allowed values
Update to version 0.19.0
+ Features
* Add NS and PTR Route53 record checking to rule E3020
* New rule E3050 to check if a Ref to IAM Role has a Role path of '/'
* New rule E3037 to look for duplicates in a list that doesn't support duplicates
* New rule I3037 to look for duplicates in a list when duplicates are allowed
+ CloudFormation Specifications
* Add Min/Max values to AWS::ElasticLoadBalancingV2::TargetGroup HealthCheckTimeoutSeconds
* Add Max JSON size to AWS::IAM::ManagedPolicy PolicyDocument
* Add allowed values for AWS::EC2 SpotFleet, TransitGateway, NetworkAcl
NetworkInterface, PlacementGroup, and Volume
* Add Min/max values to AWS::Budgets::Budget.Notification Threshold
* Update RDS Instance types by database engine and license definitions using the pricing API
* Update AWS::CodeBuild::Project ServiceRole to support Role Name or ARN
* Update AWS::ECS::Service Role to support Role Name or ARN
+ Fixes
* Update E3025 to support the new structure of data in the RDS instance type json
* Update E2540 to remove all nested conditions from the object
* Update E3030 to not do strict type checking
* Update E3020 to support conditions nested in the record sets
* Update E3008 to better handle CloudFormation sub stacks with different GetAtt formats
Update to version 0.18.1
+ CloudFormation Specifications
* Update CloudFormation Specs to 2.30.0
* Fix IAM Regex Path to support more character types
* Update AWS::Batch::ComputeEnvironment.ComputeResources InstanceRole to reference an
InstanceProfile or GetAtt the InstanceProfile Arn
* Allow VPC IDs to Ref a Parameter of type String
+ Fixes
* Fix E3502 to check the size of the property instead of the parent object
Update to version 0.18.0
+ Features
* New rule E3032 to check the size of lists
* New rule E3502 to check JSON Object Size using definitions in the spec file
* New rule E3033 to test the minimum and maximum length of a string
* New rule E3034 to validate the min and max of a number
* Remove Ebs Iops check from E2504 and use rule E3034 instead
* Remove rule E2509 and use rule E3033 instead
* Remove rule E2508 as it replaced by E3032 and E3502
* Update rule E2503 to check that there are at least two 2 Subnets or SubnetMappings for ALBs
* SAM requirement upped to minimal version of 1.10.0
+ CloudFormation Specifications
* Extend specs to include:
> `ListMin` and `ListMax` for the minimum and maximum size of a list
> `JsonMax` to check the max size of a JSON Object
> `StringMin` and `StringMax` to check the minimum and maximum length of a String
> `NumberMin` and `NumberMax` to check the minimum and maximum value of a Number, Float, Long
* Update State and ExecutionRoleArn to be required on AWS::DLM::LifecyclePolicy
* Add AllowedValues for PerformanceInsightsRetentionPeriod for AWS::RDS::Instance
* Add AllowedValues for the AWS::GuardDuty Resources
* Add AllowedValues for AWS::EC2 VPC and VPN Resources
* Switch IAM Instance Profiles for certain resources to the type that only takes the name
* Add regex pattern for IAM Instance Profile when a name (not Arn) is used
* Add regex pattern for IAM Paths
* Add Regex pattern for IAM Role Arn
* Update OnlyOne spec to require require at least one of Subnets or SubnetMappings with ELB v2
+ Fixes
* Fix serverless transform to use DefinitionBody when Auth is in the API definition
* Fix rule W2030 to not error when checking SSM or List Parameters
Update to version 0.17.1
+ Features
* Update rule E2503 to make sure NLBs don't have a Security Group configured
+ CloudFormation Specifications
* Add all the allowed values of the `AWS::Glue` Resources
* Update OnlyOne check for `AWS::CloudWatch::Alarm` to only `MetricName` or `Metrics`
* Update Exclusive check for `AWS::CloudWatch::Alarm` for properties mixed with `Metrics` and `Statistic`
* Update CloudFormation specs to 2.29.0
* Fix type with MariaDB in the AllowedValues
* Update pricing information for data available on 2018.3.29
+ Fixes
* Fix rule E1029 to not look for a sub is needed when looking for iot strings in policies
* Fix rule E2541 to allow for ActionId Versions of length 1-9 and meets regex `[0-9A-Za-z_-]+`
* Fix rule E2532 to allow for `Parameters` inside a `Pass` action
* Fix an issue when getting the location of an error in which numbers are causing an attribute error
Update to version 0.17.0
+ Features
* Add new rule E3026 to validate Redis cluster settings including AutomaticFailoverEnabled and NumCacheClusters. Status: Released
* Add new rule W3037 to validate IAM resource policies. Status: Experimental
* Add new parameter `-e/--include-experimental` to allow for new rules in that aren't ready to be fully released
+ CloudFormation Specifications
* Update Spec files to 2.28.0
* Add all the allowed values of the AWS::Redshift::* Resources
* Add all the allowed values of the AWS::Neptune::* Resources
* Patch spec to make AWS::CloudFront::Distribution.LambdaFunctionAssociation.LambdaFunctionARN required
* Patch spec to make AWS::DynamoDB::Table AttributeDefinitions required
+ Fixes
* Remove extra blank lines when there is no errors in the output
* Add exception to rule E1029 to have exceptions for EMR CloudWatchAlarmDefinition
* Update rule E1029 to allow for literals in a Sub
* Remove sub checks from rule E3031 as it won't match in all cases of an allowed pattern regex check
* Correct typos for errors in rule W1001
* Switch from parsing a template as Yaml to Json when finding an escape character
* Fix an issue with SAM related to transforming templates with Serverless Application and Lambda Layers
* Fix an issue with rule E2541 when non strings were used for Stage Names
Update to version 0.16.0
+ Features
* Add rule E3031 to look for regex patterns based on the patched spec file
* Remove regex checks from rule E2509
* Add parameter `ignore-templates` to allow the ignoring of templates when doing bulk linting
+ CloudFormation Specifications
* Update Spec files to 2.26.0
* Add all the allowed values of the AWS::DirectoryService::* Resources
* Add all the allowed values of the AWS::DynamoDB::* Resources
* Added AWS::Route53Resolver resources to the Spec Patches of ap-southeast-2
* Patch the spec file with regex patterns
* Add all the allowed values of the AWS::DocDb::* Resources
+ Fixes
* Update rule E2504 to have '20000' as the max value
* Update rule E1016 to not allow ImportValue inside of Conditions
* Update rule E2508 to check conditions when providing limit checks on managed policies
* Convert unicode to strings when in Py 3.4/3.5 and updating specs
* Convert from `awslabs` to `aws-cloudformation` organization
* Remove suppression of logging that was removed from samtranslator >1.7.0 and incompatibility with
samtranslator 1.10.0
Update to version 0.15.0
+ Features
* Add scaffolding for arbitrary Match attributes, adding attributes for Type checks
* Add rule E3024 to validate that ProvisionedThroughput is not specified with BillingMode PAY_PER_REQUEST
+ CloudFormation Specifications
* Update Spec files to 2.24.0
* Update OnlyOne spec to have BlockDeviceMapping to include NoDevice with Ebs and VirtualName
* Add all the allowed values of the AWS::CloudFront::* Resources
* Add all the allowed values of the AWS::DAX::* Resources
+ Fixes
* Update config parsing to use the builtin Yaml decoder
* Add condition support for Inclusive E2521, Exclusive E2520, and AtLeastOne E2522 rules
* Update rule E1029 to better check Resource strings inside IAM Policies
* Improve the line/column information of a Match with array support
Update to version 0.14.1
+ CloudFormation Specifications
* Update CloudFormation Specs to version 2.23.0
* Add allowed values for AWS::Config::* resources
* Add allowed values for AWS::ServiceDiscovery::* resources
* Fix allowed values for Apache MQ
+ Fixes
* Update rule E3008 to not error when using a list from a custom resource
* Support simple types in the CloudFormation spec
* Add tests for the formatters
Update to version 0.14.0
+ Features
* Add rule E3035 to check the values of DeletionPolicy
* Add rule E3036 to check the values of UpdateReplacePolicy
* Add rule E2014 to check that there are no REFs in the Parameter section
* Update rule E2503 to support TLS on NLBs
+ CloudFormation Specifications
* Update CloudFormation spec to version 2.22.0
* Add allowed values for AWS::Cognito::* resources
+ Fixes
* Update rule E3002 to allow GetAtts to Custom Resources under a Condition
Update to version 0.13.2
+ Features
* Introducing the cfn-lint logo!
* Update SAM dependency version
+ Fixes
* Fix CloudWatchAlarmComparisonOperator allowed values.
* Fix typo resoruce_type_spec in several files
* Better support for nested And, Or, and Not when processing Conditions
Update to version 0.13.1
+ CloudFormation Specifications
* Add allowed values for AWS::CloudTrail::Trail resources
* Patch spec to have AWS::CodePipeline::CustomActionType Version included
+ Fixes
* Fix conditions logic to use AllowedValues when REFing a Parameter that has AllowedValues specified
Update to version 0.13.0
+ Features
* New rule W1011 to check if a FindInMap is using the correct map name and keys
* New rule W1001 to check if a Ref/GetAtt to a resource that exists when Conditions are used
* Removed logic in E1011 and moved it to W1011 for validating keys
* Add property relationships for AWS::ApplicationAutoScaling::ScalingPolicy into Inclusive, Exclusive, and AtLeastOne
* Update rule E2505 to check the netmask bit
* Include the ability to update the CloudFormation Specs using the Pricing API
+ CloudFormation Specifications
* Update to version 2.21.0
* Add allowed values for AWS::Budgets::Budget
* Add allowed values for AWS::CertificateManager resources
* Add allowed values for AWS::CodePipeline resources
* Add allowed values for AWS::CodeCommit resources
* Add allowed values for EC2 InstanceTypes from pricing API
* Add allowed values for RedShift InstanceTypes from pricing API
* Add allowed values for MQ InstanceTypes from pricing API
* Add allowed values for RDS InstanceTypes from pricing API
+ Fixes
* Fixed README indentation issue with .pre-commit-config.yaml
* Fixed rule E2541 to allow for multiple inputs/outputs in a CodeBuild task
* Fixed rule E3020 to allow for a period or no period at the end of a ACM registration record
* Update rule E3001 to support UpdateReplacePolicy
* Fix a cli issue where `--template` wouldn't be used when a .cfnlintrc was in the same folder
* Update rule E3002 and E1024 to support packaging of AWS::Lambda::LayerVersion content
- Initial build
+ Version 0.12.1
Update to 0.9.1
* the prof plugin now uses cProfile instead of hotshot for profiling
* skipped tests now include the user's reason in junit XML's message field
* the prettyassert plugin mishandled multi-line function definitions
* Using a plugin's CLI flag when the plugin is already enabled via config
no longer errors
* nose2.plugins.prettyassert, enabled with --pretty-assert
* Cleanup code for EOLed python versions
* Dropped support for distutils.
* Result reporter respects failure status set by other plugins
* JUnit XML plugin now includes the skip reason in its output
Upgrade to 0.8.0:
- List of changes is too long to show here, see
https://github.com/nose-devs/nose2/blob/master/docs/changelog.rst
changes between 0.6.5 and 0.8.0
Update to 0.7.0:
* Added parameterized_class feature, for parameterizing entire test
classes (many thanks to @TobyLL for their suggestions and help testing!)
* Fix DeprecationWarning on `inspect.getargs` (thanks @brettdh;
https://github.com/wolever/parameterized/issues/67)
* Make sure that `setUp` and `tearDown` methods work correctly (#40)
* Raise a ValueError when input is empty (thanks @danielbradburn;
https://github.com/wolever/parameterized/pull/48)
* Fix the order when number of cases exceeds 10 (thanks @ntflc;
https://github.com/wolever/parameterized/pull/49)
aws-cli was updated to version 1.16.223:
For detailed changes see the changes entries:
https://github.com/aws/aws-cli/blob/1.16.223/CHANGELOG.rst
https://github.com/aws/aws-cli/blob/1.16.189/CHANGELOG.rst
https://github.com/aws/aws-cli/blob/1.16.182/CHANGELOG.rst
https://github.com/aws/aws-cli/blob/1.16.176/CHANGELOG.rst
https://github.com/aws/aws-cli/blob/1.16.103/CHANGELOG.rst
https://github.com/aws/aws-cli/blob/1.16.94/CHANGELOG.rst
https://github.com/aws/aws-cli/blob/1.16.84/CHANGELOG.rst
python-boto3 was updated to 1.9.213, python-botocore was updated to 1.9.188, and python-s3transfer was updated to 1.12.74, fixing
lots of bugs and adding features (bsc#1146853, bsc#1146854)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:525-1
Released: Fri Feb 28 11:49:36 2020
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1164562
This update for pam fixes the following issues:
- Add libdb as build-time dependency to enable pam_userdb module.
Enable pam_userdb.so (jsc#sle-7258, bsc#1164562)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:547-1
Released: Fri Feb 28 16:26:21 2020
Summary: Security update for permissions
Type: security
Severity: moderate
References: 1148788,1160594,1160764,1161779,1163922,CVE-2019-3687,CVE-2020-8013
This update for permissions fixes the following issues:
Security issues fixed:
- CVE-2019-3687: Fixed a privilege escalation which could allow a local user to read network traffic if wireshark is installed (bsc#1148788)
- CVE-2020-8013: Fixed an issue where chkstat set unintended setuid/capabilities for mrsh and wodim (bsc#1163922).
Non-security issues fixed:
- Fixed a regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594).
- Fixed capability handling when doing multiple permission changes at once (bsc#1161779).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:556-1
Released: Mon Mar 2 13:32:11 2020
Summary: Recommended update for 389-ds
Type: recommended
Severity: moderate
References: 1155951
This update for 389-ds to version 1.4.2.2 fixes the following issues:
389-ds was updated to 1.4.2.6 (fate#326677, bsc#1155951), bringing many bug and stability fixes.
Issue addressed:
- Enabled python lib389 installer tooling to match upstream and
suse documentation.
More information for this release at: https://directory.fedoraproject.org/docs/389ds/releases/release-1-4-2-1.html
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:572-1
Released: Tue Mar 3 13:25:41 2020
Summary: Recommended update for cyrus-sasl
Type: recommended
Severity: moderate
References: 1162518
This update for cyrus-sasl fixes the following issues:
- Added support for retrieving negotiated SSF in gssapi plugin (bsc#1162518)
- Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF (bsc#1162518)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:573-1
Released: Tue Mar 3 13:37:28 2020
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1160160
This update for ca-certificates-mozilla to 2.40 fixes the following issues:
Updated to 2.40 state of the Mozilla NSS Certificate store (bsc#1160160):
Removed certificates:
- Certplus Class 2 Primary CA
- Deutsche Telekom Root CA 2
- CN=Swisscom Root CA 2
- UTN-USERFirst-Client Authentication and Email
added certificates:
- Entrust Root Certification Authority - G4
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:597-1
Released: Thu Mar 5 15:24:09 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1164950
This update for libgcrypt fixes the following issues:
- FIPS: Run the self-tests from the constructor [bsc#1164950]
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:633-1
Released: Tue Mar 10 16:23:08 2020
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1139939,1151023
This update for aaa_base fixes the following issues:
- get_kernel_version: fix for current kernel on s390x (bsc#1151023, bsc#1139939)
- added '-h'/'--help' to the command old
- change feedback url from http://www.suse.de/feedback to https://github.com/openSUSE/aaa_base/issues
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:668-1
Released: Fri Mar 13 10:48:58 2020
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1163184,1164505,1165784,CVE-2020-10029
This update for glibc fixes the following issues:
- CVE-2020-10029: Fixed a potential overflow in on-stack buffer
during range reduction (bsc#1165784).
- Fixed an issue where pthread were not always locked correctly (bsc#1164505).
- Document mprotect and introduce section on memory protection (bsc#1163184).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:689-1
Released: Fri Mar 13 17:09:01 2020
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1166510
This update for PAM fixes the following issue:
- The license of libdb linked against pam_userdb is not always wanted,
so we temporary disabled pam_userdb again. It will be published
in a different package at a later time. (bsc#1166510)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:475-1
Released: Thu Mar 19 11:00:46 2020
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1160595
This update for systemd fixes the following issues:
- Remove TasksMax limit for both user and system slices (jsc#SLE-10123)
- Backport IP filtering feature (jsc#SLE-7743 bsc#1160595)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:722-1
Released: Thu Mar 19 11:21:57 2020
Summary: Security update for nghttp2
Type: security
Severity: moderate
References: 1159003,1166481,CVE-2019-18802
This update for nghttp2 fixes the following issues:
nghttp2 was update to version 1.40.0 (bsc#1166481)
- lib: Add nghttp2_check_authority as public API
- lib: Fix the bug that stream is closed with wrong error code
- lib: Faster huffman encoding and decoding
- build: Avoid filename collision of static and dynamic lib
- build: Add new flag ENABLE_STATIC_CRT for Windows
- build: cmake: Support building nghttpx with systemd
- third-party: Update neverbleed to fix memory leak
- nghttpx: Fix bug that mruby is incorrectly shared between backends
- nghttpx: Reconnect h1 backend if it lost connection before sending headers
- nghttpx: Returns 408 if backend timed out before sending headers
- nghttpx: Fix request stal
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:729-1
Released: Thu Mar 19 14:44:22 2020
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1166106
This update for glibc fixes the following issues:
- Allow dlopen of filter object to work (bsc#1166106, BZ #16272)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:777-1
Released: Tue Mar 24 18:07:52 2020
Summary: Recommended update for python3
Type: recommended
Severity: moderate
References: 1165894
This update for python3 fixes the following issue:
- Rename idle icons to idle3 in order to not conflict with python2
variant of the package (bsc#1165894)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:793-1
Released: Wed Mar 25 15:16:00 2020
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1139459,1161262,1162108,1164717,1165579,CVE-2020-1712
This update for systemd fixes the following issues:
- manager: fix job mode when signalled to shutdown etc (bsc#1161262)
- remove fallback for user/exit.target
- dbus method Manager.Exit() does not start exit.target
- do not install rescue.target for alt-â
- %j/%J unit specifiers
Added support for I/O scheduler selection with blk-mq (bsc#1165579, bsc#1164717).
Added the udev 60-ssd-scheduler.rules:
- This rules file which select the default IO scheduler for SSDs is
being moved out from the git repo since this is not related to
systemd or udev at all and is maintained by the kernel team.
- core: coldplug possible nop_job (bsc#1139459)
- Revert 'udev: use 'deadline' IO scheduler for SSD disks'
- Fix typo in function name
- polkit: when authorizing via PK let's re-resolve callback/userdata instead of caching it (bsc#1162108 CVE-2020-1712)
- sd-bus: introduce API for re-enqueuing incoming messages
- polkit: on async pk requests, re-validate action/details
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:814-1
Released: Mon Mar 30 16:23:42 2020
Summary: Recommended update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1
Type: recommended
Severity: moderate
References: 1161816,1162152,1167223
This update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1 fixes the following issues:
libreoffice was updated to 6.4.2.2 (jsc#SLE-11174 jsc#SLE-11175 jsc#SLE-11176 bsc#1167223):
Full Release Notes can be found on:
https://wiki.documentfoundation.org/ReleaseNotes/6.4
- Fixed broken handling of non-ASCII characters in the KDE filedialog
(bsc#1161816)
- Move the animation library to core package bsc#1162152
xmlsec1 was updated to 1.2.28:
* Added BoringSSL support (chenbd).
* Added gnutls-3.6.x support (alonbl).
* Added DSA and ECDSA key size getter for MSCNG (vmiklos).
* Added --enable-mans configuration option (alonbl).
* Added coninuous build integration for MacOSX (vmiklos).
* Several other small fixes (more details).
- Make sure to recommend at least one backend when you install
just xmlsec1
- Drop the gnutls backend as based on the tests it is quite borked:
* We still have nss and openssl backend for people to use
Version update to 1.2.27:
* Added AES-GCM support for OpenSSL and MSCNG (snargit).
* Added DSA-SHA256 and ECDSA-SHA384 support for NSS (vmiklos).
* Added RSA-OAEP support for MSCNG (vmiklos).
* Continuous build integration in Travis and Appveyor.
* Several other small fixes (more details).
myspell-dictionaries was updated to 20191219:
* Updated the English dictionaries: GB+US+CA+AU
* Bring shipped Spanish dictionary up to version 2.5
boost was updated to fix:
- add a backport of Boost.Optional::has_value() for LibreOffice
The QR-Code-generator is shipped:
- Initial commit, needed by libreoffice 6.4
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:820-1
Released: Tue Mar 31 13:02:22 2020
Summary: Security update for glibc
Type: security
Severity: important
References: 1167631,CVE-2020-1752
This update for glibc fixes the following issues:
- CVE-2020-1752: Fixed a use after free in glob which could have allowed
a local attacker to create a specially crafted path that, when processed
by the glob function, could potentially have led to arbitrary code execution
(bsc#1167631).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:823-1
Released: Tue Mar 31 13:28:14 2020
Summary: Recommended update for parted
Type: recommended
Severity: moderate
References: 1161783,1164260
This update for parted fixes the following issue:
- Make parted work with pmemXs devices. (bsc#1164260)
- Fix for error when parted output size crashing parted in yast. (bsc#1161783)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:834-1
Released: Tue Mar 31 17:21:34 2020
Summary: Recommended update for permissions
Type: recommended
Severity: moderate
References: 1167163
This update for permissions fixes the following issue:
- whitelist s390-tools set group ID (setgid) bit on log directory. (bsc#1167163)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:846-1
Released: Thu Apr 2 07:24:07 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1164950,1166748,1167674
This update for libgcrypt fixes the following issues:
- FIPS: Remove an unneeded check in _gcry_global_constructor (bsc#1164950)
- FIPS: Fix drbg to be threadsafe (bsc#1167674)
- FIPS: Run self-tests from constructor during power-on [bsc#1166748]
* Set up global_init as the constructor function:
* Relax the entropy requirements on selftest. This is especially
important for virtual machines to boot properly before the RNG
is available:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:850-1
Released: Thu Apr 2 14:37:31 2020
Summary: Recommended update for mozilla-nss
Type: recommended
Severity: moderate
References: 1155350,1155357,1155360,1166880
This update for mozilla-nss fixes the following issues:
Added various fixes related to FIPS certification:
* Use getrandom() to obtain entropy where possible.
* Make DSA KAT FIPS compliant.
* Use FIPS compliant hash when validating keypair.
* Enforce FIPS requirements on RSA key generation.
* Miscellaneous fixes to CAVS tests.
* Enforce FIPS limits on how much data can be processed without rekeying.
* Run self tests on library initialization in FIPS mode.
* Disable non-compliant algorithms in FIPS mode (hashes and the SEED cipher).
* Clear various temporary variables after use.
* Allow MD5 to be used in TLS PRF.
* Preferentially gather entropy from /dev/random over /dev/urandom.
* Allow enabling FIPS mode consistently with NSS_FIPS environment variable.
* Fix argument parsing bug in lowhashtest.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:917-1
Released: Fri Apr 3 15:02:25 2020
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1166510
This update for pam fixes the following issues:
- Moved pam_userdb into a separate package pam-extra. (bsc#1166510)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:931-1
Released: Mon Apr 6 20:23:35 2020
Summary: Security update for ceph
Type: security
Severity: important
References: 1166403,1166484,CVE-2020-1759,CVE-2020-1760
This update for ceph fixes the following issues:
- CVE-2020-1759: Fixed once reuse in msgr V2 secure mode (bsc#1166403)
- CVE-2020-1760: Fixed XSS due to RGW GetObject header-splitting (bsc#1166484).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:935-1
Released: Tue Apr 7 03:46:39 2020
Summary: Recommended update for xfsprogs
Type: recommended
Severity: moderate
References: 1158630,1167205,1167206
This update for xfsprogs fixes the following issues:
- xfs_quota: reformat commands in the manpage. (bsc#1167206)
Reformat commands in the manpage so that fstest can check that each command is actually documented.
- xfs_db: document missing commands. (bsc#1167205)
Document the commands 'attr_set', 'attr_remove', 'logformat' in the manpage.
- xfs_io: allow size suffixes for the copy_range command. (bsc#1158630)
Allow the usage of size suffixes k,m,g for kilobytes, megabytes or gigabytes respectively for the copy_range command
More information about the sle-security-updates
mailing list