SUSE-CU-2020:386-1: Security update of caasp/v4/cilium
sle-security-updates at lists.suse.com
sle-security-updates at lists.suse.com
Wed Aug 12 01:48:03 MDT 2020
SUSE Container Update Advisory: caasp/v4/cilium
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:386-1
Container Tags : caasp/v4/cilium:1.6.6 , caasp/v4/cilium:1.6.6-rev5 , caasp/v4/cilium:1.6.6-rev5-build3.12.1
Container Release : 3.12.1
Severity : important
Type : security
References : 1082318 1090047 1103678 1107116 1107121 1111499 1130873 1130873
1133297 1137001 1139959 1146991 1154803 1154803 1156159 1156913
1157315 1162698 1164538 1164543 1164543 1165476 1165476 1165573
1165573 1166610 1166610 1167122 1167122 1168990 1168990 1169357
1169488 1169947 1169947 1170801 1170801 1171145 1171224 1171224
1171863 1171864 1171866 1171883 1172072 1172135 1172135 1172295
1172348 1172410 1172461 1172506 1172597 1172698 1172704 1172925
1172925 1173027 1173039 1173055 1173106 1173165 1173202 1173227
1173229 1173422 1173984 1174011 CVE-2018-16428 CVE-2018-16429
CVE-2019-12450 CVE-2019-13012 CVE-2020-10543 CVE-2020-10749 CVE-2020-10878
CVE-2020-12723 CVE-2020-13777 CVE-2020-8023 CVE-2020-8177 CVE-2020-8557
-----------------------------------------------------------------
The container caasp/v4/cilium was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2780-1
Released: Mon Nov 26 17:46:10 2018
Summary: Security update for glib2
Type: security
Severity: moderate
References: 1107116,1107121,1111499,CVE-2018-16428,CVE-2018-16429
This update for glib2 fixes the following issues:
Security issues fixed:
- CVE-2018-16428: Do not do a NULL pointer dereference (crash).
Avoid that, at the cost of introducing a new translatable error
message (bsc#1107121).
- CVE-2018-16429: Fixed out-of-bounds read vulnerability ing_markup_parse_context_parse() (bsc#1107116).
Non-security issue fixed:
- various GVariant parsing issues have been resolved (bsc#1111499)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:251-1
Released: Wed Feb 6 11:22:43 2019
Summary: Recommended update for glib2
Type: recommended
Severity: moderate
References: 1090047
This update for glib2 provides the following fix:
- Enable systemtap. (fate#326393, bsc#1090047)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1594-1
Released: Fri Jun 21 10:17:15 2019
Summary: Security update for glib2
Type: security
Severity: important
References: 1103678,1137001,CVE-2019-12450
This update for glib2 fixes the following issues:
Security issue fixed:
- CVE-2019-12450: Fixed an improper file permission when copy operation
takes place (bsc#1137001).
Other issue addressed:
- glib2 was handling an UNKNOWN connectivity state from NetworkManager as if there
was a connection thus giving false positives to PackageKit (bsc#1103678)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1833-1
Released: Fri Jul 12 17:53:51 2019
Summary: Security update for glib2
Type: security
Severity: moderate
References: 1139959,CVE-2019-13012
This update for glib2 fixes the following issues:
Security issue fixed:
- CVE-2019-13012: Fixed improper restriction of file permissions when creating directories (bsc#1139959).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1579-1
Released: Tue Jun 9 17:05:23 2020
Summary: Recommended update for audit
Type: recommended
Severity: important
References: 1156159,1172295
This update for audit fixes the following issues:
- Fix hang on startup. (bsc#1156159)
- Fix specfile to require libauparse0 and libaudit1 after splitting audit-libs. (bsc#1172295)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1584-1
Released: Tue Jun 9 18:39:15 2020
Summary: Security update for gnutls
Type: security
Severity: important
References: 1172461,1172506,CVE-2020-13777
This update for gnutls fixes the following issues:
- CVE-2020-13777: Fixed an insecure session ticket key construction which could
have made the TLS server to not bind the session ticket encryption key with a
value supplied by the application until the initial key rotation, allowing
an attacker to bypass authentication in TLS 1.3 and recover previous
conversations in TLS 1.2 (bsc#1172506).
- Fixed an improper handling of certificate chain with cross-signed intermediate
CA certificates (bsc#1172461).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1611-1
Released: Fri Jun 12 09:38:03 2020
Summary: Recommended update for libsolv, libzypp, zypper
Type: recommended
Severity: moderate
References: 1130873,1154803,1164543,1165476,1165573,1166610,1167122,1168990
This update for libsolv, libzypp, zypper fixes the following issues:
libsolv was updated to 0.7.13 to fix:
- Fix solvable swapping messing up idarrays
- fix ruleinfo of complex dependencies returning the wrong origin
libzypp was updated to 17.23.4 to fix:
- Get retracted patch status from updateinfo data (jsc#SLE-8770)
libsolv injects the indicator provides into packages only.
- remove 'using namespace std;' (bsc#1166610, fixes #218)
- Online doc: add 'Hardware (modalias) dependencies' page
(fixes #216)
- Add HistoryLogReader actionFilter to parse only specific
HistoryActionIDs.
- RepoVariables: Add safe guard in case the caller does not own a
zypp instance.
- Enable c++17. Define libyzpp CXX_STANDARD in ZyppCommon.cmake.
- Fix package status computation regarding unneeded, orphaned, recommended
and suggested packages (broken in 17.23.0) (bsc#1165476)
- Log patch status changes to history (jsc#SLE-5116)
- Allow to disable all WebServer dependent tests when building. OBS
wants to be able to get rid of the nginx/FastCGI-devel build
requirement. Use 'rpmbuild --without mediabackend_tests' or
'cmake -DDISABLE_MEDIABACKEND_TESTS=1'.
- update translations
- boost: Fix deprecated auto_unit_test.hpp includes.
- Disable zchunk on Leap-15.0 and SLE15-* while there is no libzck.
- Fix decision whether to download ZCHUNK files.
libzypp and libsolv must both be able to read the format.
- yum::Downloader: Prefer zchunk compressed metadata if libvsolv
supports it.
- Selectable: Fix highestAvailableVersionObj if only retracted
packages are available. Avoid using retracted items as candidate
(jsc#SLE-8770)
- RpmDb: Become rpmdb backend independent (jsc#SLE-7272)
- RpmDb: Close API offering a custom rpmdb path
It's actually not needed and for this to work also libsolv needs
to support it. You can sill use a librpmDb::db_const_iterator to
access a database at a custom location (ro).
- Remove legacy rpmV3database conversion code.
- Reformat manpages to workaround asciidoctor shortcomings
(bsc#1154803, bsc#1167122, bsc#1168990)
- Remove undocumented rug legacy stuff.
- Remove 'using namespace std;' (bsc#1166610)
- patch table: Add 'Since' column if history data are available
(jsc#SLE-5116)
zypper was updated to version 1.14.36:
- Tag 'retracted' patch status in info and list-patches (jsc#SLE-8770)
- Tag 'R'etracted items in search tabes status columns (jsc#SLE-8770)
- Relax 'Do not allow the abbreviation of cli arguments' in
legacy distibutions (bsc#1164543)
- Correctly detect ambigous switch abbreviations (bsc#1165573)
- zypper-aptitude: don't supplement zypper.
supplementing zypper means zypper-aptitude gets installed by
default and pulls in perl. Neither is desired on small systems.
- Do not allow the abbreviation of cli arguments (bsc#1164543)
- accoring to according in all translation files.
- Always show exception history if available.
- Use default package cache location for temporary repos (bsc#1130873)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1637-1
Released: Wed Jun 17 15:07:58 2020
Summary: Recommended update for zypper
Type: recommended
Severity: important
References: 1169947,1172925
This update for zypper fixes the following issues:
- Print switch abbrev warning to stderr (bsc#1172925)
- Fix typo in man page (bsc#1169947)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1682-1
Released: Fri Jun 19 09:44:54 2020
Summary: Security update for perl
Type: security
Severity: important
References: 1171863,1171864,1171866,1172348,CVE-2020-10543,CVE-2020-10878,CVE-2020-12723
This update for perl fixes the following issues:
- CVE-2020-10543: Fixed a heap buffer overflow in regular expression compiler which could have
allowed overwriting of allocated memory with attacker's data (bsc#1171863).
- CVE-2020-10878: Fixed multiple integer overflows which could have allowed the insertion of
instructions into the compiled form of Perl regular expression (bsc#1171864).
- CVE-2020-12723: Fixed an attacker's corruption of the intermediate language state of a
compiled regular expression (bsc#1171866).
- Fixed a bad warning in features.ph (bsc#1172348).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1759-1
Released: Thu Jun 25 18:44:37 2020
Summary: Recommended update for krb5
Type: recommended
Severity: moderate
References: 1169357
This update for krb5 fixes the following issue:
- Call systemd to reload the services instead of init-scripts. (bsc#1169357)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1760-1
Released: Thu Jun 25 18:46:13 2020
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1157315,1162698,1164538,1169488,1171145,1172072
This update for systemd fixes the following issues:
- Merge branch 'SUSE/v234' into SLE15
units: starting suspend.target should not fail when suspend is successful (bsc#1172072)
core/mount: do not add Before=local-fs.target or remote-fs.target if nofail mount option is set
mount: let mount_add_extras() take care of remote-fs.target deps (bsc#1169488)
mount: set up local-fs.target/remote-fs.target deps in mount_add_default_dependencies() too
udev: rename the persistent link for ATA devices (bsc#1164538)
shared/install: try harder to find enablement symlinks when disabling a unit (bsc#1157315)
tmpfiles: remove unnecessary assert (bsc#1171145)
test-engine: manager_free() was called too early
pid1: by default make user units inherit their umask from the user manager (bsc#1162698)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1773-1
Released: Fri Jun 26 08:05:59 2020
Summary: Security update for curl
Type: security
Severity: important
References: 1173027,CVE-2020-8177
This update for curl fixes the following issues:
- CVE-2020-8177: Fixed an issue where curl could have been tricked by a malicious
server to overwrite a local file when using the -J option (bsc#1173027).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1396-1
Released: Fri Jul 3 12:33:05 2020
Summary: Security update for zstd
Type: security
Severity: moderate
References: 1082318,1133297
This update for zstd fixes the following issues:
- Fix for build error caused by wrong static libraries. (bsc#1133297)
- Correction in spec file marking the license as documentation. (bsc#1082318)
- Add new package for SLE-15. (jsc#ECO-1886)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1856-1
Released: Mon Jul 6 17:05:51 2020
Summary: Security update for openldap2
Type: security
Severity: important
References: 1172698,1172704,CVE-2020-8023
This update for openldap2 fixes the following issues:
- CVE-2020-8023: Fixed a potential local privilege escalation from ldap to root when OPENLDAP_CONFIG_BACKEND='ldap' was used (bsc#1172698).
- Changed DB_CONFIG to root:ldap permissions (bsc#1172704).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1860-1
Released: Mon Jul 6 17:09:44 2020
Summary: Security update for permissions
Type: security
Severity: moderate
References: 1171883
This update for permissions fixes the following issues:
- Removed conflicting entries which might expose pcp to security issues (bsc#1171883)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1869-1
Released: Tue Jul 7 15:08:12 2020
Summary: Recommended update for libsolv, libzypp, zypper
Type: recommended
Severity: moderate
References: 1130873,1154803,1164543,1165476,1165573,1166610,1167122,1168990,1169947,1170801,1171224,1172135,1172925
This update for libsolv, libzypp, zypper fixes the following issues:
libsolv was updated to 0.7.14:
- Enable zstd compression support
- Support blacklisted packages in solver_findproblemrule()
(bnc#1172135)
- Support rules with multiple negative literals in choice rule
generation
- Fix solvable swapping messing up idarrays
- fix ruleinfo of complex dependencies returning the wrong origin
libzypp was updated to 17.23.7:
- Enable zchunk metadata download if libsolv supports it.
- Older kernel-devel packages are not properly purged (bsc#1171224)
- doc: enhance service plugin example.
- Get retracted patch status from updateinfo data (jsc#SLE-8770)
libsolv injects the indicator provides into packages only.
- remove 'using namespace std;' (bsc#1166610, fixes #218)
- Online doc: add 'Hardware (modalias) dependencies' page
(fixes #216)
- Add HistoryLogReader actionFilter to parse only specific
HistoryActionIDs.
- RepoVariables: Add safe guard in case the caller does not own a
zypp instance.
- Enable c++17. Define libyzpp CXX_STANDARD in ZyppCommon.cmake.
- Fix package status computation regarding unneeded, orphaned, recommended
and suggested packages (broken in 17.23.0) (bsc#1165476)
- Log patch status changes to history (jsc#SLE-5116)
- Allow to disable all WebServer dependent tests when building. OBS
wants to be able to get rid of the nginx/FastCGI-devel build
requirement. Use 'rpmbuild --without mediabackend_tests' or
'cmake -DDISABLE_MEDIABACKEND_TESTS=1'.
- boost: Fix deprecated auto_unit_test.hpp includes.
- Disable zchunk on Leap-15.0 and SLE15-* while there is no libzck.
- Fix decision whether to download ZCHUNK files.
libzypp and libsolv must both be able to read the format.
- yum::Downloader: Prefer zchunk compressed metadata if libvsolv
supports it.
- Selectable: Fix highestAvailableVersionObj if only retracted
packages are available. Avoid using retracted items as candidate
(jsc#SLE-8770)
- RpmDb: Become rpmdb backend independent (jsc#SLE-7272)
- RpmDb: Close API offering a custom rpmdb path
It's actually not needed and for this to work also libsolv needs
to support it. You can sill use a librpmDb::db_const_iterator to
access a database at a custom location (ro).
- Remove legacy rpmV3database conversion code.
- Fix core dump with corrupted history file (bsc#1170801)
zypper was updated to 1.14.37:
- Reformat manpages to workaround asciidoctor shortcomings
(bsc#1154803, bsc#1167122, bsc#1168990)
- Remove undocumented rug legacy stuff.
- Remove 'using namespace std;' (bsc#1166610)
- patch table: Add 'Since' column if history data are available
(jsc#SLE-5116)
- Tag 'retracted' patch status in info and list-patches (jsc#SLE-8770)
- Tag 'R'etracted items in search tabes status columns (jsc#SLE-8770)
- Relax 'Do not allow the abbreviation of cli arguments' in
legacy distibutions (bsc#1164543)
- Correctly detect ambigous switch abbreviations (bsc#1165573)
- zypper-aptitude: don't supplement zypper.
supplementing zypper means zypper-aptitude gets installed by
default and pulls in perl. Neither is desired on small systems.
- Do not allow the abbreviation of cli arguments (bsc#1164543)
- accoring to according in all translation files.
- Always show exception history if available.
- Use default package cache location for temporary repos (bsc#1130873)
- Print switch abbrev warning to stderr (bsc#1172925)
- Fix typo in man page (bsc#1169947)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1871-1
Released: Tue Jul 7 15:14:11 2020
Summary: Recommended update for llvm7
Type: recommended
Severity: moderate
References: 1173202
This update for llvm7 fixes the following issues:
- Fix miscompilations with rustc 1.43 that lead to LTO failures (bsc#1173202)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1957-1
Released: Mon Jul 20 13:47:31 2020
Summary: Security update for cni-plugins
Type: security
Severity: moderate
References: 1172410,CVE-2020-10749
This update for cni-plugins fixes the following issues:
cni-plugins updated to version 0.8.6
- CVE-2020-10749: Fixed a potential Man-in-the-Middle attacks in IPv4 clusters by spoofing IPv6 router advertisements (bsc#1172410).
Release notes:
https://github.com/containernetworking/plugins/releases/tag/v0.8.6
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2040-1
Released: Fri Jul 24 13:58:53 2020
Summary: Recommended update for libsolv, libzypp
Type: recommended
Severity: moderate
References: 1170801,1171224,1172135,1173106,1174011
This update for libsolv, libzypp fixes the following issues:
libsolv was updated to version 0.7.14:
- Enable zstd compression support for sle15
- Support blacklisted packages in solver_findproblemrule() (bsc#1172135)
- Support rules with multiple negative literals in choice rule
generation
libzypp was updated to version 17.24.0:
- Enable zchunk metadata download if libsolv supports it.
- Older kernel-devel packages are not properly purged (bsc#1171224)
- doc: enhance service plugin example.
- Fix core dump with corrupted history file (bsc#1170801)
- Better handling of the purge-kernels algorithm. (bsc#1173106)
- Proactively send credentials if the URL specifes '?auth=basic' and a username.
(bsc#1174011)
- ZYPP_MEDIA_CURL_DEBUG: Strip credentials in header log. (bsc#1174011)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2083-1
Released: Thu Jul 30 10:27:59 2020
Summary: Recommended update for diffutils
Type: recommended
Severity: moderate
References: 1156913
This update for diffutils fixes the following issue:
- Disable a sporadically failing test for ppc64 and ppc64le builds. (bsc#1156913)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2099-1
Released: Fri Jul 31 08:06:40 2020
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1173227,1173229,1173422
This update for systemd fixes the following issues:
- migrate-sysconfig-i18n.sh: fixed marker handling (bsc#1173229)
The marker is used to make sure the script is run only once. Instead
of storing it in /usr, use /var which is more appropriate for such
file.
Also make it owned by systemd package.
- Fix inconsistent file modes for some ghost files (bsc#1173227)
Ghost files are assumed by rpm to have mode 000 by default which is
not consistent with file permissions set at runtime.
Also /var/lib/systemd/random-seed was tracked wrongly as a
directory.
Also don't track (ghost) /etc/systemd/system/runlevel*.target
aliases since we're not supposed to track units or aliases user
might define/override.
- Fix build of systemd on openSUSE Leap 15.2 (bsc#1173422)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2124-1
Released: Wed Aug 5 09:24:47 2020
Summary: Recommended update for lvm2
Type: recommended
Severity: moderate
References: 1172597
This update for lvm2 fixes the following issues:
- Fixed an issue where the system hangs for 90 seconds before it actually shuts down (bsc#1172597)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2204-1
Released: Tue Aug 11 14:33:37 2020
Summary: Bugfixes on cilium, gangway and skuba and security fix for Kubernetes (cve-2020-8557)
Type: recommended
Severity: moderate
References: 1146991,1173039,1173055,1173165,1173984,CVE-2020-8557
= Required Actions
== Kubernetes (Security fix)
This fix will be applied to the kubelet daemon running on the nodes by `skuba-update`.
See https://documentation.suse.com/suse-caasp/4.2/html/caasp-admin/_cluster_updates.html#_base_os_updates for more details.
Make sure you look at the Release Notes https://www.suse.com/releasenotes/x86_64/SUSE-CAASP/4/#_changes_in_4_2_2 for any known bug.
== Cilium Bugfix
Cilium will be updated by `skuba addon upgrade`. No action is required from your side.
For more info see https://documentation.suse.com/suse-caasp/4.2/html/caasp-admin/_cluster_updates.html#_generating_an_overview_of_available_addon_updates
== Gangway bugfix
Gangway will be updated by `skuba addon upgrade`. No action is required from your side.
For more info see https://documentation.suse.com/suse-caasp/4.2/html/caasp-admin/_cluster_updates.html#_generating_an_overview_of_available_addon_updates
== Skuba
In order to update skuba, you need to update the admin workstation.
See detailed instructions at https://documentation.suse.com/suse-caasp/4.1/html/caasp-admin/_cluster_updates.html#_update_management_workstation
More information about the sle-security-updates
mailing list