SUSE-CU-2020:785-1: Security update of caasp/v4/etcd
sle-security-updates at lists.suse.com
sle-security-updates at lists.suse.com
Sat Dec 12 00:07:03 MST 2020
SUSE Container Update Advisory: caasp/v4/etcd
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:785-1
Container Tags : caasp/v4/etcd:3.4.13 , caasp/v4/etcd:3.4.13-rev3 , caasp/v4/etcd:3.4.13-rev3-build3.14.1
Container Release : 3.14.1
Severity : important
Type : security
References : 1010996 1011548 1071152 1071390 1082318 1087982 1090047 1100369
1103678 1104902 1107116 1107121 1109160 1111499 1118367 1118368
1123327 1128220 1130873 1130873 1133297 1137001 1138793 1139959
1142733 1145231 1146991 1149911 1149995 1150021 1151708 1152590
1153943 1153946 1154661 1154803 1154803 1154871 1154935 1155271
1156159 1156205 1156913 1157051 1157315 1158336 1158358 1158499
1158830 1159928 1160158 1161168 1161198 1161203 1161239 1161335
1161517 1161521 1162698 1162930 1163526 1163569 1164126 1164538
1164543 1164543 1164718 1165281 1165424 1165476 1165476 1165502
1165534 1165573 1165573 1165580 1166260 1166610 1166610 1166848
1167122 1167122 1167471 1167898 1168235 1168389 1168990 1168990
1169357 1169488 1169512 1169944 1169947 1169947 1170527 1170667
1170713 1170771 1170801 1170801 1170964 1171145 1171173 1171224
1171224 1171313 1171422 1171656 1171740 1171762 1171863 1171864
1171866 1171872 1171878 1171883 1172021 1172072 1172085 1172135
1172135 1172195 1172295 1172348 1172461 1172506 1172597 1172695
1172698 1172704 1172798 1172824 1172846 1172925 1172925 1172958
1173027 1173106 1173227 1173229 1173273 1173307 1173311 1173422
1173422 1173503 1173529 1173539 1173972 1173983 1174011 1174079
1174154 1174219 1174232 1174240 1174551 1174561 1174593 1174673
1174736 1174753 1174817 1174918 1174918 1174918 1174951 1175109
1175110 1175168 1175342 1175443 1175568 1175592 1175811 1175830
1175831 1175847 1176086 1176092 1176123 1176179 1176181 1176192
1176192 1176410 1176435 1176435 1176513 1176625 1176671 1176674
1176712 1176712 1176740 1176740 1176752 1176753 1176754 1176755
1176800 1176902 1176902 1177143 1177238 1177238 1177458 1177479
1177490 1177510 1177533 1177661 1177662 1177858 1177864 1178346
1178376 1178387 1178512 1178727 1179398 1179399 1179431 1179491
1179593 906079 935885 935885 973042 998893 CVE-2017-3136 CVE-2018-16428
CVE-2018-16429 CVE-2018-5741 CVE-2019-12450 CVE-2019-13012 CVE-2019-18218
CVE-2019-19956 CVE-2019-19956 CVE-2019-20388 CVE-2019-6477 CVE-2020-10543
CVE-2020-10878 CVE-2020-12243 CVE-2020-12723 CVE-2020-13777 CVE-2020-13844
CVE-2020-15106 CVE-2020-15112 CVE-2020-15184 CVE-2020-15185 CVE-2020-15186
CVE-2020-15187 CVE-2020-15719 CVE-2020-1971 CVE-2020-24659 CVE-2020-24977
CVE-2020-25219 CVE-2020-25692 CVE-2020-26154 CVE-2020-28196 CVE-2020-7595
CVE-2020-8023 CVE-2020-8027 CVE-2020-8177 CVE-2020-8231 CVE-2020-8284
CVE-2020-8285 CVE-2020-8286 CVE-2020-8565 CVE-2020-8566 CVE-2020-8616
CVE-2020-8617 CVE-2020-8618 CVE-2020-8619 CVE-2020-8620 CVE-2020-8621
CVE-2020-8622 CVE-2020-8623 CVE-2020-8624
-----------------------------------------------------------------
The container caasp/v4/etcd was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2780-1
Released: Mon Nov 26 17:46:10 2018
Summary: Security update for glib2
Type: security
Severity: moderate
References: 1107116,1107121,1111499,CVE-2018-16428,CVE-2018-16429
This update for glib2 fixes the following issues:
Security issues fixed:
- CVE-2018-16428: Do not do a NULL pointer dereference (crash).
Avoid that, at the cost of introducing a new translatable error
message (bsc#1107121).
- CVE-2018-16429: Fixed out-of-bounds read vulnerability ing_markup_parse_context_parse() (bsc#1107116).
Non-security issue fixed:
- various GVariant parsing issues have been resolved (bsc#1111499)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:251-1
Released: Wed Feb 6 11:22:43 2019
Summary: Recommended update for glib2
Type: recommended
Severity: moderate
References: 1090047
This update for glib2 provides the following fix:
- Enable systemtap. (fate#326393, bsc#1090047)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1594-1
Released: Fri Jun 21 10:17:15 2019
Summary: Security update for glib2
Type: security
Severity: important
References: 1103678,1137001,CVE-2019-12450
This update for glib2 fixes the following issues:
Security issue fixed:
- CVE-2019-12450: Fixed an improper file permission when copy operation
takes place (bsc#1137001).
Other issue addressed:
- glib2 was handling an UNKNOWN connectivity state from NetworkManager as if there
was a connection thus giving false positives to PackageKit (bsc#1103678)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1833-1
Released: Fri Jul 12 17:53:51 2019
Summary: Security update for glib2
Type: security
Severity: moderate
References: 1139959,CVE-2019-13012
This update for glib2 fixes the following issues:
Security issue fixed:
- CVE-2019-13012: Fixed improper restriction of file permissions when creating directories (bsc#1139959).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1214-1
Released: Thu May 7 11:20:34 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1169944
This update for libgcrypt fixes the following issues:
- FIPS: libgcrypt: Fixed a double free in test_keys() on failed signature verification (bsc#1169944)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1219-1
Released: Thu May 7 17:10:42 2020
Summary: Security update for openldap2
Type: security
Severity: important
References: 1170771,CVE-2020-12243
This update for openldap2 fixes the following issues:
- CVE-2020-12243: Fixed a denial of service related to recursive filters (bsc#1170771).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1226-1
Released: Fri May 8 10:51:05 2020
Summary: Recommended update for gcc9
Type: recommended
Severity: moderate
References: 1149995,1152590,1167898
This update for gcc9 fixes the following issues:
This update ships the GCC 9.3 release.
- Includes a fix for Internal compiler error when building HepMC (bsc#1167898)
- Includes fix for binutils version parsing
- Add libstdc++6-pp provides and conflicts to avoid file conflicts
with same minor version of libstdc++6-pp from gcc10.
- Add gcc9 autodetect -g at lto link (bsc#1149995)
- Install go tool buildid for bootstrapping go
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1271-1
Released: Wed May 13 13:17:59 2020
Summary: Recommended update for permissions
Type: recommended
Severity: important
References: 1171173
This update for permissions fixes the following issues:
- Remove setuid bit for newgidmap and newuidmap in paranoid profile. (bsc#1171173)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1290-1
Released: Fri May 15 16:39:59 2020
Summary: Recommended update for gnutls
Type: recommended
Severity: moderate
References: 1171422
This update for gnutls fixes the following issues:
- Add RSA 4096 key generation support in FIPS mode (bsc#1171422)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1294-1
Released: Mon May 18 07:38:36 2020
Summary: Security update for file
Type: security
Severity: moderate
References: 1154661,1169512,CVE-2019-18218
This update for file fixes the following issues:
Security issues fixed:
- CVE-2019-18218: Fixed a heap-based buffer overflow in cdf_read_property_info() (bsc#1154661).
Non-security issue fixed:
- Fixed broken '--help' output (bsc#1169512).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1299-1
Released: Mon May 18 07:43:21 2020
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1159928,1161517,1161521,CVE-2019-19956,CVE-2019-20388,CVE-2020-7595
This update for libxml2 fixes the following issues:
- CVE-2019-20388: Fixed a memory leak in xmlSchemaPreRun (bsc#1161521).
- CVE-2019-19956: Fixed a memory leak (bsc#1159928).
- CVE-2020-7595: Fixed an infinite loop in an EOF situation (bsc#1161517).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1328-1
Released: Mon May 18 17:16:04 2020
Summary: Recommended update for grep
Type: recommended
Severity: moderate
References: 1155271
This update for grep fixes the following issues:
- Update testsuite expectations, no functional changes (bsc#1155271)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1361-1
Released: Thu May 21 09:31:18 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1171872
This update for libgcrypt fixes the following issues:
- FIPS: RSA/DSA/ECC test_keys() print out debug messages only in debug mode (bsc#1171872)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1370-1
Released: Thu May 21 19:06:00 2020
Summary: Recommended update for systemd-presets-branding-SLE
Type: recommended
Severity: moderate
References: 1171656
This update for systemd-presets-branding-SLE fixes the following issues:
Cleanup of outdated autostart services (bsc#1171656):
- Remove acpid.service. acpid is only available on SLE via openSUSE
backports. In openSUSE acpid.service is *not* autostarted. I see no
reason why it should be on SLE.
- Remove spamassassin.timer. This timer never seems to have existed.
Instead spamassassin ships a 'sa-update.timer'. But it is not
default-enabled and nobody ever complained about this.
- Remove snapd.apparmor.service: This service was proactively added a year
ago, but snapd didn't even make it into openSUSE yet. There's no reason
to keep this entry unless snapd actually enters SLE which is not
foreseeable.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1400-1
Released: Mon May 25 14:09:02 2020
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1162930
This update for glibc fixes the following issues:
- nptl: wait for pending setxid request also in detached thread. (bsc#1162930)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1404-1
Released: Mon May 25 15:32:34 2020
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1138793,1166260
This update for zlib fixes the following issues:
- Including the latest fixes from IBM (bsc#1166260)
IBM Z mainframes starting from version z15 provide DFLTCC instruction, which implements
deflate algorithm in hardware with estimated compression and decompression performance
orders of magnitude faster than the current zlib and ratio comparable with that of level 1.
- Add SUSE specific fix to solve bsc#1138793.
The fix will avoid to test if the app was linked with exactly same version of zlib
like the one that is present on the runtime.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1506-1
Released: Fri May 29 17:22:11 2020
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1087982,1170527
This update for aaa_base fixes the following issues:
- Not all XTerm based emulators do have a terminfo entry. (bsc#1087982)
- Better support of Midnight Commander. (bsc#1170527)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1532-1
Released: Thu Jun 4 10:16:12 2020
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1172021,CVE-2019-19956
This update for libxml2 fixes the following issues:
- CVE-2019-19956: Reverted the upstream fix for this memory leak because it introduced other, more severe vulnerabilities (bsc#1172021).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1562-1
Released: Mon Jun 8 12:39:15 2020
Summary: Recommended update for lvm2
Type: recommended
Severity: moderate
References: 1145231,1150021,1158358,1163526,1164126,1164718
This update for lvm2 fixes the following issues:
- Fix heap memory leak in lvmetad. (bsc#1164126)
- lvmetad uses devices/global_filter but not devices/filter after lvm2 update. (bsc#1163526)
This config item global_filter_compat is a SUSE special.
The default value is 1, which means the devices/global_filter behaviour is same as before.
When the value is 0, user should use global_filter to control system-wide software,
e.g. udev and lvmetad global_filter_compat are not opened by LVM.
- Avoid creation of mixed-blocksize 'PV' on 'LVM' volume groups (LVM2). (bsc#1149408)
- Fix for LVM metadata when an error occurs writing device. (bsc#1150021)
- Fix for boot when it takes extremely long time with 400 LUN's. (bsc#1158358)
- Fix for LVM metadata to avoid faulty LVM detection. (bsc#1145231)
- Enhance block cache code to fix issues with 'lvmtad' and 'lvmcache'. (bsc#1164718)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1579-1
Released: Tue Jun 9 17:05:23 2020
Summary: Recommended update for audit
Type: recommended
Severity: important
References: 1156159,1172295
This update for audit fixes the following issues:
- Fix hang on startup. (bsc#1156159)
- Fix specfile to require libauparse0 and libaudit1 after splitting audit-libs. (bsc#1172295)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1584-1
Released: Tue Jun 9 18:39:15 2020
Summary: Security update for gnutls
Type: security
Severity: important
References: 1172461,1172506,CVE-2020-13777
This update for gnutls fixes the following issues:
- CVE-2020-13777: Fixed an insecure session ticket key construction which could
have made the TLS server to not bind the session ticket encryption key with a
value supplied by the application until the initial key rotation, allowing
an attacker to bypass authentication in TLS 1.3 and recover previous
conversations in TLS 1.2 (bsc#1172506).
- Fixed an improper handling of certificate chain with cross-signed intermediate
CA certificates (bsc#1172461).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1611-1
Released: Fri Jun 12 09:38:03 2020
Summary: Recommended update for libsolv, libzypp, zypper
Type: recommended
Severity: moderate
References: 1130873,1154803,1164543,1165476,1165573,1166610,1167122,1168990
This update for libsolv, libzypp, zypper fixes the following issues:
libsolv was updated to 0.7.13 to fix:
- Fix solvable swapping messing up idarrays
- fix ruleinfo of complex dependencies returning the wrong origin
libzypp was updated to 17.23.4 to fix:
- Get retracted patch status from updateinfo data (jsc#SLE-8770)
libsolv injects the indicator provides into packages only.
- remove 'using namespace std;' (bsc#1166610, fixes #218)
- Online doc: add 'Hardware (modalias) dependencies' page
(fixes #216)
- Add HistoryLogReader actionFilter to parse only specific
HistoryActionIDs.
- RepoVariables: Add safe guard in case the caller does not own a
zypp instance.
- Enable c++17. Define libyzpp CXX_STANDARD in ZyppCommon.cmake.
- Fix package status computation regarding unneeded, orphaned, recommended
and suggested packages (broken in 17.23.0) (bsc#1165476)
- Log patch status changes to history (jsc#SLE-5116)
- Allow to disable all WebServer dependent tests when building. OBS
wants to be able to get rid of the nginx/FastCGI-devel build
requirement. Use 'rpmbuild --without mediabackend_tests' or
'cmake -DDISABLE_MEDIABACKEND_TESTS=1'.
- update translations
- boost: Fix deprecated auto_unit_test.hpp includes.
- Disable zchunk on Leap-15.0 and SLE15-* while there is no libzck.
- Fix decision whether to download ZCHUNK files.
libzypp and libsolv must both be able to read the format.
- yum::Downloader: Prefer zchunk compressed metadata if libvsolv
supports it.
- Selectable: Fix highestAvailableVersionObj if only retracted
packages are available. Avoid using retracted items as candidate
(jsc#SLE-8770)
- RpmDb: Become rpmdb backend independent (jsc#SLE-7272)
- RpmDb: Close API offering a custom rpmdb path
It's actually not needed and for this to work also libsolv needs
to support it. You can sill use a librpmDb::db_const_iterator to
access a database at a custom location (ro).
- Remove legacy rpmV3database conversion code.
- Reformat manpages to workaround asciidoctor shortcomings
(bsc#1154803, bsc#1167122, bsc#1168990)
- Remove undocumented rug legacy stuff.
- Remove 'using namespace std;' (bsc#1166610)
- patch table: Add 'Since' column if history data are available
(jsc#SLE-5116)
zypper was updated to version 1.14.36:
- Tag 'retracted' patch status in info and list-patches (jsc#SLE-8770)
- Tag 'R'etracted items in search tabes status columns (jsc#SLE-8770)
- Relax 'Do not allow the abbreviation of cli arguments' in
legacy distibutions (bsc#1164543)
- Correctly detect ambigous switch abbreviations (bsc#1165573)
- zypper-aptitude: don't supplement zypper.
supplementing zypper means zypper-aptitude gets installed by
default and pulls in perl. Neither is desired on small systems.
- Do not allow the abbreviation of cli arguments (bsc#1164543)
- accoring to according in all translation files.
- Always show exception history if available.
- Use default package cache location for temporary repos (bsc#1130873)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1637-1
Released: Wed Jun 17 15:07:58 2020
Summary: Recommended update for zypper
Type: recommended
Severity: important
References: 1169947,1172925
This update for zypper fixes the following issues:
- Print switch abbrev warning to stderr (bsc#1172925)
- Fix typo in man page (bsc#1169947)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1682-1
Released: Fri Jun 19 09:44:54 2020
Summary: Security update for perl
Type: security
Severity: important
References: 1171863,1171864,1171866,1172348,CVE-2020-10543,CVE-2020-10878,CVE-2020-12723
This update for perl fixes the following issues:
- CVE-2020-10543: Fixed a heap buffer overflow in regular expression compiler which could have
allowed overwriting of allocated memory with attacker's data (bsc#1171863).
- CVE-2020-10878: Fixed multiple integer overflows which could have allowed the insertion of
instructions into the compiled form of Perl regular expression (bsc#1171864).
- CVE-2020-12723: Fixed an attacker's corruption of the intermediate language state of a
compiled regular expression (bsc#1171866).
- Fixed a bad warning in features.ph (bsc#1172348).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1759-1
Released: Thu Jun 25 18:44:37 2020
Summary: Recommended update for krb5
Type: recommended
Severity: moderate
References: 1169357
This update for krb5 fixes the following issue:
- Call systemd to reload the services instead of init-scripts. (bsc#1169357)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1760-1
Released: Thu Jun 25 18:46:13 2020
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1157315,1162698,1164538,1169488,1171145,1172072
This update for systemd fixes the following issues:
- Merge branch 'SUSE/v234' into SLE15
units: starting suspend.target should not fail when suspend is successful (bsc#1172072)
core/mount: do not add Before=local-fs.target or remote-fs.target if nofail mount option is set
mount: let mount_add_extras() take care of remote-fs.target deps (bsc#1169488)
mount: set up local-fs.target/remote-fs.target deps in mount_add_default_dependencies() too
udev: rename the persistent link for ATA devices (bsc#1164538)
shared/install: try harder to find enablement symlinks when disabling a unit (bsc#1157315)
tmpfiles: remove unnecessary assert (bsc#1171145)
test-engine: manager_free() was called too early
pid1: by default make user units inherit their umask from the user manager (bsc#1162698)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1773-1
Released: Fri Jun 26 08:05:59 2020
Summary: Security update for curl
Type: security
Severity: important
References: 1173027,CVE-2020-8177
This update for curl fixes the following issues:
- CVE-2020-8177: Fixed an issue where curl could have been tricked by a malicious
server to overwrite a local file when using the -J option (bsc#1173027).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1396-1
Released: Fri Jul 3 12:33:05 2020
Summary: Security update for zstd
Type: security
Severity: moderate
References: 1082318,1133297
This update for zstd fixes the following issues:
- Fix for build error caused by wrong static libraries. (bsc#1133297)
- Correction in spec file marking the license as documentation. (bsc#1082318)
- Add new package for SLE-15. (jsc#ECO-1886)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1856-1
Released: Mon Jul 6 17:05:51 2020
Summary: Security update for openldap2
Type: security
Severity: important
References: 1172698,1172704,CVE-2020-8023
This update for openldap2 fixes the following issues:
- CVE-2020-8023: Fixed a potential local privilege escalation from ldap to root when OPENLDAP_CONFIG_BACKEND='ldap' was used (bsc#1172698).
- Changed DB_CONFIG to root:ldap permissions (bsc#1172704).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1860-1
Released: Mon Jul 6 17:09:44 2020
Summary: Security update for permissions
Type: security
Severity: moderate
References: 1171883
This update for permissions fixes the following issues:
- Removed conflicting entries which might expose pcp to security issues (bsc#1171883)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1869-1
Released: Tue Jul 7 15:08:12 2020
Summary: Recommended update for libsolv, libzypp, zypper
Type: recommended
Severity: moderate
References: 1130873,1154803,1164543,1165476,1165573,1166610,1167122,1168990,1169947,1170801,1171224,1172135,1172925
This update for libsolv, libzypp, zypper fixes the following issues:
libsolv was updated to 0.7.14:
- Enable zstd compression support
- Support blacklisted packages in solver_findproblemrule()
(bnc#1172135)
- Support rules with multiple negative literals in choice rule
generation
- Fix solvable swapping messing up idarrays
- fix ruleinfo of complex dependencies returning the wrong origin
libzypp was updated to 17.23.7:
- Enable zchunk metadata download if libsolv supports it.
- Older kernel-devel packages are not properly purged (bsc#1171224)
- doc: enhance service plugin example.
- Get retracted patch status from updateinfo data (jsc#SLE-8770)
libsolv injects the indicator provides into packages only.
- remove 'using namespace std;' (bsc#1166610, fixes #218)
- Online doc: add 'Hardware (modalias) dependencies' page
(fixes #216)
- Add HistoryLogReader actionFilter to parse only specific
HistoryActionIDs.
- RepoVariables: Add safe guard in case the caller does not own a
zypp instance.
- Enable c++17. Define libyzpp CXX_STANDARD in ZyppCommon.cmake.
- Fix package status computation regarding unneeded, orphaned, recommended
and suggested packages (broken in 17.23.0) (bsc#1165476)
- Log patch status changes to history (jsc#SLE-5116)
- Allow to disable all WebServer dependent tests when building. OBS
wants to be able to get rid of the nginx/FastCGI-devel build
requirement. Use 'rpmbuild --without mediabackend_tests' or
'cmake -DDISABLE_MEDIABACKEND_TESTS=1'.
- boost: Fix deprecated auto_unit_test.hpp includes.
- Disable zchunk on Leap-15.0 and SLE15-* while there is no libzck.
- Fix decision whether to download ZCHUNK files.
libzypp and libsolv must both be able to read the format.
- yum::Downloader: Prefer zchunk compressed metadata if libvsolv
supports it.
- Selectable: Fix highestAvailableVersionObj if only retracted
packages are available. Avoid using retracted items as candidate
(jsc#SLE-8770)
- RpmDb: Become rpmdb backend independent (jsc#SLE-7272)
- RpmDb: Close API offering a custom rpmdb path
It's actually not needed and for this to work also libsolv needs
to support it. You can sill use a librpmDb::db_const_iterator to
access a database at a custom location (ro).
- Remove legacy rpmV3database conversion code.
- Fix core dump with corrupted history file (bsc#1170801)
zypper was updated to 1.14.37:
- Reformat manpages to workaround asciidoctor shortcomings
(bsc#1154803, bsc#1167122, bsc#1168990)
- Remove undocumented rug legacy stuff.
- Remove 'using namespace std;' (bsc#1166610)
- patch table: Add 'Since' column if history data are available
(jsc#SLE-5116)
- Tag 'retracted' patch status in info and list-patches (jsc#SLE-8770)
- Tag 'R'etracted items in search tabes status columns (jsc#SLE-8770)
- Relax 'Do not allow the abbreviation of cli arguments' in
legacy distibutions (bsc#1164543)
- Correctly detect ambigous switch abbreviations (bsc#1165573)
- zypper-aptitude: don't supplement zypper.
supplementing zypper means zypper-aptitude gets installed by
default and pulls in perl. Neither is desired on small systems.
- Do not allow the abbreviation of cli arguments (bsc#1164543)
- accoring to according in all translation files.
- Always show exception history if available.
- Use default package cache location for temporary repos (bsc#1130873)
- Print switch abbrev warning to stderr (bsc#1172925)
- Fix typo in man page (bsc#1169947)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2040-1
Released: Fri Jul 24 13:58:53 2020
Summary: Recommended update for libsolv, libzypp
Type: recommended
Severity: moderate
References: 1170801,1171224,1172135,1173106,1174011
This update for libsolv, libzypp fixes the following issues:
libsolv was updated to version 0.7.14:
- Enable zstd compression support for sle15
- Support blacklisted packages in solver_findproblemrule() (bsc#1172135)
- Support rules with multiple negative literals in choice rule
generation
libzypp was updated to version 17.24.0:
- Enable zchunk metadata download if libsolv supports it.
- Older kernel-devel packages are not properly purged (bsc#1171224)
- doc: enhance service plugin example.
- Fix core dump with corrupted history file (bsc#1170801)
- Better handling of the purge-kernels algorithm. (bsc#1173106)
- Proactively send credentials if the URL specifes '?auth=basic' and a username.
(bsc#1174011)
- ZYPP_MEDIA_CURL_DEBUG: Strip credentials in header log. (bsc#1174011)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2083-1
Released: Thu Jul 30 10:27:59 2020
Summary: Recommended update for diffutils
Type: recommended
Severity: moderate
References: 1156913
This update for diffutils fixes the following issue:
- Disable a sporadically failing test for ppc64 and ppc64le builds. (bsc#1156913)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2099-1
Released: Fri Jul 31 08:06:40 2020
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1173227,1173229,1173422
This update for systemd fixes the following issues:
- migrate-sysconfig-i18n.sh: fixed marker handling (bsc#1173229)
The marker is used to make sure the script is run only once. Instead
of storing it in /usr, use /var which is more appropriate for such
file.
Also make it owned by systemd package.
- Fix inconsistent file modes for some ghost files (bsc#1173227)
Ghost files are assumed by rpm to have mode 000 by default which is
not consistent with file permissions set at runtime.
Also /var/lib/systemd/random-seed was tracked wrongly as a
directory.
Also don't track (ghost) /etc/systemd/system/runlevel*.target
aliases since we're not supposed to track units or aliases user
might define/override.
- Fix build of systemd on openSUSE Leap 15.2 (bsc#1173422)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2124-1
Released: Wed Aug 5 09:24:47 2020
Summary: Recommended update for lvm2
Type: recommended
Severity: moderate
References: 1172597
This update for lvm2 fixes the following issues:
- Fixed an issue where the system hangs for 90 seconds before it actually shuts down (bsc#1172597)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2224-1
Released: Thu Aug 13 09:15:47 2020
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1171878,1172085
This update for glibc fixes the following issues:
- Fix concurrent changes on nscd aware files appeared by 'getent' when the NSCD cache was enabled. (bsc#1171878, BZ #23178)
- Implement correct locking and cancellation cleanup in syslog functions. (bsc#1172085, BZ #26100)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2278-1
Released: Wed Aug 19 21:26:08 2020
Summary: Recommended update for util-linux
Type: recommended
Severity: moderate
References: 1149911,1151708,1168235,1168389
This update for util-linux fixes the following issues:
- blockdev: Do not fail --report on kpartx-style partitions on multipath. (bsc#1168235)
- nologin: Add support for -c to prevent error from su -c. (bsc#1151708)
- Avoid triggering autofs in lookup_umount_fs_by_statfs. (bsc#1168389)
- mount: Fall back to device node name if /dev/mapper link not found. (bsc#1149911)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2284-1
Released: Thu Aug 20 16:04:17 2020
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: important
References: 1010996,1071152,1071390,1154871,1174673,973042
This update for ca-certificates-mozilla fixes the following issues:
update to 2.42 state of the Mozilla NSS Certificate store (bsc#1174673)
Removed CAs:
* AddTrust External CA Root
* AddTrust Class 1 CA Root
* LuxTrust Global Root 2
* Staat der Nederlanden Root CA - G2
* Symantec Class 1 Public Primary Certification Authority - G4
* Symantec Class 2 Public Primary Certification Authority - G4
* VeriSign Class 3 Public Primary Certification Authority - G3
Added CAs:
* certSIGN Root CA G2
* e-Szigno Root CA 2017
* Microsoft ECC Root Certificate Authority 2017
* Microsoft RSA Root Certificate Authority 2017
- reverted p11-kit nss trust integration as it breaks in fresh installations (bsc#1154871)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2384-1
Released: Sat Aug 29 00:57:13 2020
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: low
References: 1170964
This update for e2fsprogs fixes the following issues:
- Fix for an issue when system message with placeholders are not properly replaced. (bsc#1170964)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2411-1
Released: Tue Sep 1 13:28:47 2020
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1142733,1146991,1158336,1172195,1172824,1173539
This update for systemd fixes the following issues:
- Improve logging when PID1 fails at setting a namespace up when spawning a command specified by
'Exec*='. (bsc#1172824, bsc#1142733)
pid1: improve message when setting up namespace fails.
execute: let's close glibc syslog channels too.
execute: normalize logging in *execute.c*.
execute: fix typo in error message.
execute: drop explicit *log_open()*/*log_close()* now that it is unnecessary.
execute: make use of the new logging mode in *execute.c*
log: add a mode where we open the log fds for every single log message.
log: let's make use of the fact that our functions return the negative error code for *log_oom()* too.
execute: downgrade a log message ERR â WARNING, since we proceed ignoring its result.
execute: rework logging in *setup_keyring()* to include unit info.
execute: improve and augment execution log messages.
- vconsole-setup: downgrade log message when setting font fails on dummy console. (bsc#1172195 bsc#1173539)
- fix infinite timeout. (bsc#1158336)
- bpf: mount bpffs by default on boot. (bsc#1146991)
- man: explain precedence for options which take a list.
- man: unify titling, fix description of precedence in sysusers.d(5)
- udev-event: fix timeout log messages.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2420-1
Released: Tue Sep 1 13:48:35 2020
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1174551,1174736
This update for zlib provides the following fixes:
- Permit a deflateParams() parameter change as soon as possible. (bsc#1174736)
- Fix DFLTCC not flushing EOBS when creating raw streams. (bsc#1174551)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2446-1
Released: Wed Sep 2 09:33:22 2020
Summary: Security update for curl
Type: security
Severity: moderate
References: 1175109,CVE-2020-8231
This update for curl fixes the following issues:
- An application that performs multiple requests with libcurl's
multi API and sets the 'CURLOPT_CONNECT_ONLY' option, might in
rare circumstances experience that when subsequently using the
setup connect-only transfer, libcurl will pick and use the wrong
connection and instead pick another one the application has
created since then. [bsc#1175109, CVE-2020-8231]
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2581-1
Released: Wed Sep 9 13:07:07 2020
Summary: Security update for openldap2
Type: security
Severity: moderate
References: 1174154,CVE-2020-15719
This update for openldap2 fixes the following issues:
- bsc#1174154 - CVE-2020-15719 - This resolves an issue with x509
SAN's falling back to CN validation in violation of rfc6125.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2612-1
Released: Fri Sep 11 11:18:01 2020
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1176179,CVE-2020-24977
This update for libxml2 fixes the following issues:
- CVE-2020-24977: Fixed a global-buffer-overflow in xmlEncodeEntitiesInternal (bsc#1176179).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2638-1
Released: Tue Sep 15 15:41:32 2020
Summary: Recommended update for cryptsetup
Type: recommended
Severity: moderate
References: 1165580
This update for cryptsetup fixes the following issues:
Update from version 2.0.5 to version 2.0.6. (jsc#SLE-5911, bsc#1165580)
- Fix support of larger metadata areas in *LUKS2* header.
This release properly supports all specified metadata areas, as documented
in *LUKS2* format description.
Currently, only default metadata area size is used (in format or convert).
Later cryptsetup versions will allow increasing this metadata area size.
- If *AEAD* (authenticated encryption) is used, cryptsetup now tries to check
if the requested *AEAD* algorithm with specified key size is available in kernel crypto API.
This change avoids formatting a device that cannot be later activated.
For this function, the kernel must be compiled with the *CONFIG_CRYPTO_USER_API_AEAD* option enabled.
Note that kernel user crypto API options (*CONFIG_CRYPTO_USER_API* and *CONFIG_CRYPTO_USER_API_SKCIPHER*)
are already mandatory for LUKS2.
- Fix setting of integrity no-journal flag. Now you can store this flag to metadata using *\--persistent* option.
- Fix cryptsetup-reencrypt to not keep temporary reencryption headers if interrupted during initial password prompt.
- Adds early check to plain and LUKS2 formats to disallow device format if device size is not aligned to requested
sector size. Previously it was possible, and the device was rejected to activate by kernel later.
- Fix checking of hash algorithms availability for *PBKDF* early. Previously *LUKS2* format allowed non-existent hash
algorithm with invalid keyslot preventing the device from activation.
- Allow Adiantum cipher construction (a non-authenticated length-preserving fast encryption scheme), so it can be used
both for data encryption and keyslot encryption in *LUKS1/2* devices.
For benchmark, use:
# cryptsetup benchmark -c xchacha12,aes-adiantum
# cryptsetup benchmark -c xchacha20,aes-adiantum
For LUKS format:
# cryptsetup luksFormat -c xchacha20,aes-adiantum-plain64 -s 256 <device>
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2651-1
Released: Wed Sep 16 14:42:55 2020
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1175811,1175830,1175831
This update for zlib fixes the following issues:
- Fix compression level switching (bsc#1175811, bsc#1175830, bsc#1175831)
- Enable hardware compression on s390/s390x (jsc#SLE-13776)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2704-1
Released: Tue Sep 22 15:06:36 2020
Summary: Recommended update for krb5
Type: recommended
Severity: moderate
References: 1174079
This update for krb5 fixes the following issue:
- Fix prefix reported by krb5-config, libraries and headers are not installed under /usr/lib/mit prefix. (bsc#1174079)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2712-1
Released: Tue Sep 22 17:08:03 2020
Summary: Security update for openldap2
Type: security
Severity: moderate
References: 1175568,CVE-2020-8027
This update for openldap2 fixes the following issues:
- CVE-2020-8027: openldap_update_modules_path.sh starts daemons unconditionally and uses fixed paths in /tmp (bsc#1175568).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2818-1
Released: Thu Oct 1 10:38:55 2020
Summary: Recommended update for libzypp, zypper
Type: recommended
Severity: moderate
References: 1165424,1173273,1173529,1174240,1174561,1174918,1175342,1175592
This update for libzypp, zypper provides the following fixes:
Changes in libzypp:
- VendorAttr: Const-correct API and let Target provide its settings. (bsc#1174918)
- Support buildnr with commit hash in purge-kernels. This adds special behaviour for when
a kernel version has the rebuild counter before the kernel commit hash. (bsc#1175342)
- Improve Italian translation of the 'breaking dependencies' message. (bsc#1173529)
- Make sure reading from lsof does not block forever. (bsc#1174240)
- Just collect details for the signatures found.
Changes in zypper:
- man: Enhance description of the global package cache. (bsc#1175592)
- man: Point out that plain rpm packages are not downloaded to the global package cache.
(bsc#1173273)
- Directly list subcommands in 'zypper help'. (bsc#1165424)
- Remove extern C block wrapping augeas.h as it breaks the build on Arch Linux.
- Point out that plaindir repos do not follow symlinks. (bsc#1174561)
- Fix help command for list-patches.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2830-1
Released: Fri Oct 2 10:34:26 2020
Summary: Security update for permissions
Type: security
Severity: moderate
References: 1161335,1176625
This update for permissions fixes the following issues:
- whitelist WMP (bsc#1161335, bsc#1176625)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2869-1
Released: Tue Oct 6 16:13:20 2020
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1011548,1153943,1153946,1161239,1171762
This update for aaa_base fixes the following issues:
- DIR_COLORS (bug#1006973):
- add screen.xterm-256color
- add TERM rxvt-unicode-256color
- sort and merge TERM entries in etc/DIR_COLORS
- check for Packages.db and use this instead of Packages. (bsc#1171762)
- Rename path() to _path() to avoid using a general name.
- refresh_initrd call modprobe as /sbin/modprobe (bsc#1011548)
- etc/profile add some missing ;; in case esac statements
- profile and csh.login: on s390x set TERM to dumb on dumb terminal (bsc#1153946)
- backup-rpmdb: exit if zypper is running (bsc#1161239)
- Add color alias for ip command (jsc#sle-9880, jsc#SLE-7679, bsc#1153943)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2901-1
Released: Tue Oct 13 14:22:43 2020
Summary: Security update for libproxy
Type: security
Severity: important
References: 1176410,1177143,CVE-2020-25219,CVE-2020-26154
This update for libproxy fixes the following issues:
- CVE-2020-25219: Rewrote url::recvline to be nonrecursive (bsc#1176410).
- CVE-2020-26154: Fixed a buffer overflow when PAC is enabled (bsc#1177143).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2914-1
Released: Tue Oct 13 17:25:20 2020
Summary: Security update for bind
Type: security
Severity: moderate
References: 1100369,1109160,1118367,1118368,1128220,1156205,1157051,1161168,1170667,1170713,1171313,1171740,1172958,1173307,1173311,1173983,1175443,1176092,1176674,906079,CVE-2017-3136,CVE-2018-5741,CVE-2019-6477,CVE-2020-8616,CVE-2020-8617,CVE-2020-8618,CVE-2020-8619,CVE-2020-8620,CVE-2020-8621,CVE-2020-8622,CVE-2020-8623,CVE-2020-8624
This update for bind fixes the following issues:
BIND was upgraded to version 9.16.6:
Note:
- bind is now more strict in regards to DNSSEC. If queries are not working,
check for DNSSEC issues. For instance, if bind is used in a namserver
forwarder chain, the forwarding DNS servers must support DNSSEC.
Fixing security issues:
- CVE-2020-8616: Further limit the number of queries that can be triggered from
a request. Root and TLD servers are no longer exempt
from max-recursion-queries. Fetches for missing name server. (bsc#1171740)
Address records are limited to 4 for any domain.
- CVE-2020-8617: Replaying a TSIG BADTIME response as a request could trigger an
assertion failure. (bsc#1171740)
- CVE-2019-6477: Fixed an issue where TCP-pipelined queries could bypass
the tcp-clients limit (bsc#1157051).
- CVE-2018-5741: Fixed the documentation (bsc#1109160).
- CVE-2020-8618: It was possible to trigger an INSIST when determining
whether a record would fit into a TCP message buffer (bsc#1172958).
- CVE-2020-8619: It was possible to trigger an INSIST in
lib/dns/rbtdb.c:new_reference() with a particular zone content
and query patterns (bsc#1172958).
- CVE-2020-8624: 'update-policy' rules of type 'subdomain' were
incorrectly treated as 'zonesub' rules, which allowed
keys used in 'subdomain' rules to update names outside
of the specified subdomains. The problem was fixed by
making sure 'subdomain' rules are again processed as
described in the ARM (bsc#1175443).
- CVE-2020-8623: When BIND 9 was compiled with native PKCS#11 support, it
was possible to trigger an assertion failure in code
determining the number of bits in the PKCS#11 RSA public
key with a specially crafted packet (bsc#1175443).
- CVE-2020-8621: named could crash in certain query resolution scenarios
where QNAME minimization and forwarding were both
enabled (bsc#1175443).
- CVE-2020-8620: It was possible to trigger an assertion failure by
sending a specially crafted large TCP DNS message (bsc#1175443).
- CVE-2020-8622: It was possible to trigger an assertion failure when
verifying the response to a TSIG-signed request (bsc#1175443).
Other issues fixed:
- Add engine support to OpenSSL EdDSA implementation.
- Add engine support to OpenSSL ECDSA implementation.
- Update PKCS#11 EdDSA implementation to PKCS#11 v3.0.
- Warn about AXFR streams with inconsistent message IDs.
- Make ISC rwlock implementation the default again.
- Fixed issues when using cookie-secrets for AES and SHA2 (bsc#1161168)
- Installed the default files in /var/lib/named and created
chroot environment on systems using transactional-updates (bsc#1100369, fate#325524)
- Fixed an issue where bind was not working in FIPS mode (bsc#906079).
- Fixed dependency issues (bsc#1118367 and bsc#1118368).
- GeoIP support is now discontinued, now GeoIP2 is used(bsc#1156205).
- Fixed an issue with FIPS (bsc#1128220).
- The liblwres library is discontinued upstream and is no longer included.
- Added service dependency on NTP to make sure the clock is accurate when bind is starts (bsc#1170667, bsc#1170713).
- Reject DS records at the zone apex when loading master files. Log but otherwise ignore attempts to add DS records at the zone apex via UPDATE.
- The default value of 'max-stale-ttl' has been changed from 1 week to 12 hours.
- Zone timers are now exported via statistics channel.
- The 'primary' and 'secondary' keywords, when used as parameters for 'check-names', were not processed correctly and were being ignored.
- 'rndc dnstap -roll <value>' did not limit the number of saved files to <value>.
- Add 'rndc dnssec -status' command.
- Addressed a couple of situations where named could crash.
- Changed /var/lib/named to owner root:named and perms rwxrwxr-t
so that named, being a/the only member of the 'named' group
has full r/w access yet cannot change directories owned by root
in the case of a compromized named.
[bsc#1173307, bind-chrootenv.conf]
- Added '/etc/bind.keys' to NAMED_CONF_INCLUDE_FILES in /etc/sysconfig/named to suppress warning message re missing file (bsc#1173983).
- Removed '-r /dev/urandom' from all invocations of rndc-confgen
(init/named system/lwresd.init system/named.init in vendor-files)
as this option is deprecated and causes rndc-confgen to fail.
(bsc#1173311, bsc#1176674, bsc#1170713)
- /usr/bin/genDDNSkey: Removing the use of the -r option in the call
of /usr/sbin/dnssec-keygen as BIND now uses the random number
functions provided by the crypto library (i.e., OpenSSL or a
PKCS#11 provider) as a source of randomness rather than /dev/random.
Therefore the -r command line option no longer has any effect on
dnssec-keygen. Leaving the option in genDDNSkey as to not break
compatibility. Patch provided by Stefan Eisenwiener.
[bsc#1171313]
- Put libns into a separate subpackage to avoid file conflicts
in the libisc subpackage due to different sonums (bsc#1176092).
- Require /sbin/start_daemon: both init scripts, the one used in
systemd context as well as legacy sysv, make use of start_daemon.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2947-1
Released: Fri Oct 16 15:23:07 2020
Summary: Security update for gcc10, nvptx-tools
Type: security
Severity: moderate
References: 1172798,1172846,1173972,1174753,1174817,1175168,CVE-2020-13844
This update for gcc10, nvptx-tools fixes the following issues:
This update provides the GCC10 compiler suite and runtime libraries.
The base SUSE Linux Enterprise libraries libgcc_s1, libstdc++6 are replaced by
the gcc10 variants.
The new compiler variants are available with '-10' suffix, you can specify them
via:
CC=gcc-10
CXX=g++-10
or similar commands.
For a detailed changelog check out https://gcc.gnu.org/gcc-10/changes.html
Changes in nvptx-tools:
- Enable build on aarch64
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2958-1
Released: Tue Oct 20 12:24:55 2020
Summary: Recommended update for procps
Type: recommended
Severity: moderate
References: 1158830
This update for procps fixes the following issues:
- Fixes an issue when command 'ps -C' does not allow anymore an argument longer than 15 characters. (bsc#1158830)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2983-1
Released: Wed Oct 21 15:03:03 2020
Summary: Recommended update for file
Type: recommended
Severity: moderate
References: 1176123
This update for file fixes the following issues:
- Fixes an issue when file displays broken 'ELF' interpreter. (bsc#1176123)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2988-1
Released: Wed Oct 21 17:35:34 2020
Summary: Security update for gnutls
Type: security
Severity: moderate
References: 1176086,1176181,1176671,CVE-2020-24659
This update for gnutls fixes the following issues:
- Fix heap buffer overflow in handshake with no_renegotiation alert sent (CVE-2020-24659 bsc#1176181)
- FIPS: Implement (EC)DH requirements from SP800-56Arev3 (bsc#1176086)
- FIPS: Use 2048 bit prime in DH selftest (bsc#1176086)
- FIPS: Add TLS KDF selftest (bsc#1176671)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3048-1
Released: Tue Oct 27 16:04:52 2020
Summary: Recommended update for libsolv, libzypp, yaml-cpp, zypper
Type: recommended
Severity: moderate
References: 1174918,1176192,1176435,1176712,1176740,1176902,1177238,935885
This update for libsolv, libzypp, yaml-cpp, zypper fixes the following issues:
libzypp was updated to 17.25.1:
- When kernel-rt has been installed, the purge-kernels service fails during boot. (bsc#1176902)
- Use package name provides as group key in purge-kernel (bsc#1176740 bsc#1176192)
kernel-default-base has new packaging, where the kernel uname -r
does not reflect the full package version anymore. This patch
adds additional logic to use the most generic/shortest edition
each package provides with %{packagename}=<version> to group the
kernel packages instead of the rpm versions.
This also changes how the keep-spec for specific versions is
applied, instead of matching the package versions, each of the
package name provides will be matched.
- RepoInfo: Return the type of the local metadata cache as
fallback (bsc#1176435)
- VendorAttr: Fix broken 'suse,opensuse' equivalence handling.
Enhance API and testcases. (bsc#1174918)
- Update docs regarding 'opensuse' namepace matching.
- Link against libzstd to close libsolvs open references
(as we link statically)
yaml-cpp:
- The libyaml-cpp0_6 library package is added the to the Basesystem module, LTSS and ESPOS
channels, and the INSTALLER channels, as a new libzypp dependency.
No source changes were done to yaml-cpp.
zypper was updated to 1.14.40:
- info: Assume descriptions starting with '<p>' are richtext
(bsc#935885)
- help: prevent 'whatis' from writing to stderr (bsc#1176712)
- wp: point out that command is aliased to a search command and
searches case-insensitive (jsc#SLE-16271)
libsolv was updated to 0.7.15 to fix:
- make testcase_mangle_repo_names deal correctly with freed repos
[bsc#1177238]
- fix deduceq2addedmap clearing bits outside of the map
- conda: feature depriorization first
- conda: fix startswith implementation
- move find_update_seeds() call in cleandeps calculation
- set SOLVABLE_BUILDHOST in rpm and rpmmd parsers
- new testcase_mangle_repo_names() function
- new solv_fmemopen() function
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3138-1
Released: Tue Nov 3 12:14:03 2020
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1104902,1154935,1165502,1167471,1173422,1176513,1176800
This update for systemd fixes the following issues:
- seccomp: shm{get,at,dt} now have their own numbers everywhere (bsc#1173422)
- test-seccomp: log function names
- test-seccomp: add log messages when skipping tests
- basic/virt: Detect PowerVM hypervisor (bsc#1176800)
- fs-util: suppress world-writable warnings if we read /dev/null
- udevadm: rename option '--log-priority' into '--log-level'
- udev: rename kernel option 'log_priority' into 'log_level'
- fstab-generator: add 'nofail' when NFS 'bg' option is used (bsc#1176513)
- Fix memory protection default (bsc#1167471)
- cgroup: Support 0-value for memory protection directives and accepts MemorySwapMax=0 (bsc#1154935)
- Improve latency and reliability when users log in/out (bsc#1104902, bsc#1165502)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3234-1
Released: Fri Nov 6 16:01:36 2020
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1177864
This update for ca-certificates-mozilla fixes the following issues:
The SSL Root CA store was updated to the 2.44 state of the Mozilla NSS Certificate store (bsc#1177864)
- Removed CAs:
- EE Certification Centre Root CA
- Taiwan GRCA
- Added CAs:
- Trustwave Global Certification Authority
- Trustwave Global ECC P256 Certification Authority
- Trustwave Global ECC P384 Certification Authority
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3285-1
Released: Wed Nov 11 11:22:14 2020
Summary: Recommended update for libsolv, libzypp, zypper
Type: recommended
Severity: moderate
References: 1174918,1176192,1176435,1176712,1176740,1176902,1177238,935885
This update for libsolv, libzypp, zypper fixes the following issues:
libzypp was updated to version 17.25.1:
- Fix bsc#1176902: When kernel-rt has been installed, the
purge-kernels service fails during boot.
- Use package name provides as group key in purge-kernel
(bsc#1176740 bsc#1176192)
kernel-default-base has new packaging, where the kernel uname -r
does not reflect the full package version anymore. This patch
adds additional logic to use the most generic/shortest edition
each package provides with %{packagename}=<version> to group the
kernel packages instead of the rpm versions.
This also changes how the keep-spec for specific versions is
applied, instead of matching the package versions, each of the
package name provides will be matched.
- RepoInfo: Return the type of the local metadata cache as
fallback (bsc#1176435)
- VendorAttr: Fix broken 'suse,opensuse' equivalence handling.
Enhance API and testcases. (bsc#1174918)
- Update docs regarding 'opensuse' namepace matching.
- New solver testcase format.
- Link against libzsd to close libsolvs open references
(as we link statically)
zypper was updated to version 1.14.40.
- info: Assume descriptions starting with '<p>' are richtext
(bsc#935885)
- Use new testcase API in libzypp.
- BuildRequires: libzypp-devel >= 17.25.0.
- help: prevent 'whatis' from writing to stderr (bsc#1176712)
- wp: point out that command is aliased to a search command and
searches case-insensitive (jsc#SLE-16271)
libsolv was updated to version 0.7.16:
- do not ask the namespace callback for splitprovides when writing
a testcase
- fix add_complex_recommends() selecting conflicted packages in
rare cases leading to crashes
- improve choicerule generation so that package updates are
prefered in more cases
- make testcase_mangle_repo_names deal correctly with freed repos
[bsc#1177238]
- fix deduceq2addedmap clearing bits outside of the map
- conda: feature depriorization first
- conda: fix startswith implementation
- move find_update_seeds() call in cleandeps calculation
- set SOLVABLE_BUILDHOST in rpm and rpmmd parsers
- new testcase_mangle_repo_names() function
- new solv_fmemopen() function
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3290-1
Released: Wed Nov 11 12:25:32 2020
Summary: Recommended update for findutils
Type: recommended
Severity: moderate
References: 1174232
This update for findutils fixes the following issues:
- Do not unconditionally use leaf optimization for NFS. (bsc#1174232)
NFS st_nlink are not accurate on all implementations, leading to aborts() if that assumption is made.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3313-1
Released: Thu Nov 12 16:07:37 2020
Summary: Security update for openldap2
Type: security
Severity: important
References: 1178387,CVE-2020-25692
This update for openldap2 fixes the following issues:
- CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3377-1
Released: Thu Nov 19 09:29:32 2020
Summary: Security update for krb5
Type: security
Severity: moderate
References: 1178512,CVE-2020-28196
This update for krb5 fixes the following security issue:
- CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3381-1
Released: Thu Nov 19 10:53:38 2020
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1177458,1177490,1177510
This update for systemd fixes the following issues:
- build-sys: optionally disable support of journal over the network (bsc#1177458)
- ask-password: prevent buffer overflow when reading from keyring (bsc#1177510)
- mount: don't propagate errors from mount_setup_unit() further up
- Rely on the new build option --disable-remote for journal_remote
This allows to drop the workaround that consisted in cleaning journal-upload files and
{sysusers.d,tmpfiles.d}/systemd-remote.conf manually when 'journal_remote' support was disabled.
- Move journal-{remote,upload}.conf.5.gz man pages into systemd-journal_remote sub package
- Make sure {sysusers.d,tmpfiles.d}/systemd-remote.conf are not shipped with --without=journal_remote (bsc#1177458)
These files were incorrectly packaged in the main package when systemd-journal_remote was disabled.
- Make use of %{_unitdir} and %{_sysusersdir}
- Remove mq-deadline selection from 60-io-scheduler.rules (bsc#1177490)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3462-1
Released: Fri Nov 20 13:14:35 2020
Summary: Recommended update for pam and sudo
Type: recommended
Severity: moderate
References: 1174593,1177858,1178727
This update for pam and sudo fixes the following issue:
pam:
- pam_xauth: do not *free* a string which has been successfully passed to *putenv*. (bsc#1177858)
- Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727)
- Run /usr/bin/xauth using the old user's and group's identifiers. (bsc#1174593)
sudo:
- Fix a problem with pam_xauth which checks effective and real uids to get the real identity of the user. (bsc#1174593)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3485-1
Released: Mon Nov 23 13:10:36 2020
Summary: Recommended update for lvm2
Type: recommended
Severity: moderate
References: 1123327,1173503,1175110,998893
This update for lvm2 fixes the following issues:
- Fixed an issue when the hot spares in LVM not added automatically. (bsc#1175110)
- Fixed an issue when lvm produces a large number of luns with error message 'Too many open files'. (bsc#1173503)
- Fixes an issue when LVM initialization failed during reboot. (bsc#998893)
- Fixed a misplaced parameter in the lvm configuration. (bsc#1123327)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3546-1
Released: Fri Nov 27 11:21:09 2020
Summary: Recommended update for gnutls
Type: recommended
Severity: moderate
References: 1172695
This update for gnutls fixes the following issue:
- Avoid spurious audit messages about incompatible signature algorithms (bsc#1172695)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3560-1
Released: Mon Nov 30 12:21:34 2020
Summary: Recommended update for openssl-1_1
Type: recommended
Severity: moderate
References: 1158499,1160158,1161198,1161203,1163569,1165281,1165534,1166848,1175847,1177479
This update for openssl-1_1 fixes the following issues:
This update backports various bugfixes for FIPS:
- Restore private key check in EC_KEY_check_key [bsc#1177479]
- Add shared secret KAT to FIPS DH selftest [bsc#1175847]
- Include ECDH/DH Requirements from SP800-56Arev3 [bsc#1175847]
- Fix locking issue uncovered by python testsuite (bsc#1166848)
- Fix the sequence of locking operations in FIPS mode [bsc#1165534]
- Fix deadlock in FIPS rand code (bsc#1165281)
- Fix wrong return values of FIPS DSA and ECDH selftests (bsc#1163569)
- Fix FIPS DRBG without derivation function (bsc#1161198)
- Allow md5_sha1 in FIPS mode to enable TLS 1.0 (bsc#1161203)
- Obsolete libopenssl-1_0_0-hmac for a clean upgrade from SLE-12
(bsc#1158499)
- Restore the EVP_PBE_scrypt() behavior from before the KDF patch
by treating salt=NULL as salt='' (bsc#1160158)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3572-1
Released: Mon Nov 30 18:12:34 2020
Summary: Recommended update for lvm2
Type: recommended
Severity: important
References: 1177533
This update for lvm2 fixes the following issues:
- Fixed an issue where /boot logical volume was accidentally unmounted (bsc#1177533)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3579-1
Released: Tue Dec 1 14:24:31 2020
Summary: Recommended update for glib2
Type: recommended
Severity: moderate
References: 1178346
This update for glib2 fixes the following issues:
- Add support for slim format of timezone. (bsc#1178346)
- Fix DST incorrect end day when using slim format. (bsc#1178346)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3581-1
Released: Tue Dec 1 14:40:22 2020
Summary: Recommended update for libusb-1_0
Type: recommended
Severity: moderate
References: 1178376
This update for libusb-1_0 fixes the following issues:
- Fixes a build failure for libusb for the inclusion of 'sys/time.h' on PowerPC. (bsc#1178376)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3620-1
Released: Thu Dec 3 17:03:55 2020
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References:
This update for pam fixes the following issues:
- Check if the password is part of the username. (jsc#SLE-16719, jsc#SLE-16720)
- Check whether the password contains a substring of of the user's name of at least `<N>` characters length in
some form. This is enabled by the new parameter `usersubstr=<N>`
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3703-1
Released: Mon Dec 7 20:17:32 2020
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1179431
This update for aaa_base fixes the following issue:
- Avoid semicolon within (t)csh login script on S/390. (bsc#1179431)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3720-1
Released: Wed Dec 9 13:36:26 2020
Summary: Security update for openssl-1_1
Type: security
Severity: important
References: 1179491,CVE-2020-1971
This update for openssl-1_1 fixes the following issues:
- CVE-2020-1971: Fixed a null pointer dereference in EDIPARTYNAME (bsc#1179491).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3733-1
Released: Wed Dec 9 18:18:35 2020
Summary: Security update for curl
Type: security
Severity: moderate
References: 1179398,1179399,1179593,CVE-2020-8284,CVE-2020-8285,CVE-2020-8286
This update for curl fixes the following issues:
- CVE-2020-8286: Fixed improper OSCP verification in the client side (bsc#1179593).
- CVE-2020-8285: Fixed a stack overflow due to FTP wildcard (bsc#1179399).
- CVE-2020-8284: Fixed an issue where a malicius FTP server could make curl connect to a different IP (bsc#1179398).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3760-1
Released: Fri Dec 11 13:28:32 2020
Summary: Security changes in Kubernetes, etcd, and helm; Bugfix in cri-o package
Type: security
Severity: moderate
References: 1174219,1174951,1176752,1176753,1176754,1176755,1177661,1177662,CVE-2020-15106,CVE-2020-15112,CVE-2020-15184,CVE-2020-15185,CVE-2020-15186,CVE-2020-15187,CVE-2020-8565,CVE-2020-8566
= Required Actions
== Kubernetes & etcd (Security fixes)
This fix involves an upgrade of Kubernetes and some add-ons. See https://documentation.suse.com/suse-caasp/4.2/html/caasp-admin/_cluster_updates.html#_updating_kubernetes_components for the upgrade procedure.
== Skuba & helm/helm3
In order to update skuba and helm or helm 3, you need to update the management workstation. See detailed instructions at https://documentation.suse.com/suse-caasp/4.2/html/caasp-admin/_cluster_updates.html#_update_management_workstation
= Known Issues
Modifying the file `/etc/sysconfig/kubelet` directly is not supported: documentation at https://documentation.suse.com/suse-caasp/4.2/html/caasp-admin/_miscellaneous.html#_configuring_kubelet
Be sure to check the Release Notes at https://www.suse.com/releasenotes/x86_64/SUSE-CAASP/4/#_changes_in_4_2_4 for any additional known issues or behavioral changes.
More information about the sle-security-updates
mailing list