SUSE-CU-2020:808-1: Security update of caasp/v4.5/389-ds

sle-security-updates at lists.suse.com sle-security-updates at lists.suse.com
Sat Dec 12 01:40:16 MST 2020


SUSE Container Update Advisory: caasp/v4.5/389-ds
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:808-1
Container Tags        : caasp/v4.5/389-ds:1.4.3 , caasp/v4.5/389-ds:1.4.3-rev3 , caasp/v4.5/389-ds:1.4.3-rev3-build5.5.1
Container Release     : 5.5.1
Severity              : important
Type                  : security
References            : 1011548 1100369 1104902 1109160 1118367 1118368 1128220 1142733
                        1146991 1153943 1153946 1154935 1156205 1157051 1158336 1158830
                        1161168 1161239 1165424 1165502 1167471 1170667 1170713 1170964
                        1171313 1171740 1171762 1172195 1172798 1172824 1172846 1172958
                        1173273 1173307 1173311 1173422 1173470 1173529 1173539 1173972
                        1173983 1174057 1174079 1174154 1174230 1174232 1174240 1174551
                        1174561 1174593 1174697 1174736 1174753 1174817 1174918 1174918
                        1175109 1175168 1175342 1175443 1175568 1175592 1175811 1175830
                        1175831 1175844 1176086 1176092 1176123 1176173 1176179 1176181
                        1176192 1176262 1176262 1176384 1176410 1176435 1176513 1176671
                        1176674 1176712 1176740 1176756 1176800 1176889 1176899 1176902
                        1177143 1177238 1177458 1177460 1177460 1177479 1177490 1177510
                        1177858 1177864 1177977 1178346 1178350 1178353 1178376 1178387
                        1178445 1178512 1178727 1179193 1179398 1179399 1179431 1179491
                        1179515 1179593 906079 935885 CVE-2017-3136 CVE-2018-5741 CVE-2019-20916
                        CVE-2019-20916 CVE-2019-6477 CVE-2020-13844 CVE-2020-15673 CVE-2020-15676
                        CVE-2020-15677 CVE-2020-15678 CVE-2020-15683 CVE-2020-15719 CVE-2020-15969
                        CVE-2020-1971 CVE-2020-24659 CVE-2020-24977 CVE-2020-25219 CVE-2020-25692
                        CVE-2020-26154 CVE-2020-28196 CVE-2020-8027 CVE-2020-8231 CVE-2020-8284
                        CVE-2020-8285 CVE-2020-8286 CVE-2020-8616 CVE-2020-8617 CVE-2020-8618
                        CVE-2020-8619 CVE-2020-8620 CVE-2020-8621 CVE-2020-8622 CVE-2020-8623
                        CVE-2020-8624 
-----------------------------------------------------------------

The container caasp/v4.5/389-ds was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2384-1
Released:    Sat Aug 29 00:57:13 2020
Summary:     Recommended update for e2fsprogs
Type:        recommended
Severity:    low
References:  1170964
This update for e2fsprogs fixes the following issues:

- Fix for an issue when system message with placeholders are not properly replaced. (bsc#1170964)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2411-1
Released:    Tue Sep  1 13:28:47 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1142733,1146991,1158336,1172195,1172824,1173539
This update for systemd fixes the following issues:

- Improve logging when PID1 fails at setting a namespace up when spawning a command specified by
  'Exec*='. (bsc#1172824, bsc#1142733)
  
  pid1: improve message when setting up namespace fails.
  
  execute: let's close glibc syslog channels too.
  
  execute: normalize logging in *execute.c*.
  
  execute: fix typo in error message.
  
  execute: drop explicit *log_open()*/*log_close()* now that it is unnecessary.
  
  execute: make use of the new logging mode in *execute.c*
  
  log: add a mode where we open the log fds for every single log message.
  
  log: let's make use of the fact that our functions return the negative error code for *log_oom()* too.
  
  execute: downgrade a log message ERR → WARNING, since we proceed ignoring its result.
  
  execute: rework logging in *setup_keyring()* to include unit info.
  
  execute: improve and augment execution log messages.
  
- vconsole-setup: downgrade log message when setting font fails on dummy console. (bsc#1172195 bsc#1173539)
- fix infinite timeout. (bsc#1158336)
- bpf: mount bpffs by default on boot. (bsc#1146991)
- man: explain precedence for options which take a list.
- man: unify titling, fix description of precedence in sysusers.d(5)
- udev-event: fix timeout log messages.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2413-1
Released:    Tue Sep  1 13:32:47 2020
Summary:     Recommended update for 389-ds
Type:        recommended
Severity:    moderate
References:  1174057
This update for 389-ds fixes the following issues:

Update from version 1.4.3.9~git0.3eb8617f6 to version 1.4.3.12~git0.9bc042902

- It should not be allowed to delete Managed Entry manually
- SSL alert: The value of sslVersionMax 'TLS1.3' is higher than the supported version
- Fix instance name length for interactive install
- JSON Error output has redundant messages
- If dbhome directory is set online backup fails
- Separate the BDB backend monitors
- entryUSN is duplicated after memberOf operation
- Fix disk_mon_check_diskspace types
- Resolve upstream stability and fix rollup. (bsc#1174057)
- Add option to reject internal unindexed searches
- dsidm ou delete fails
- add more logconv stats for the new access log keywords
- db2ldif crashes when LDIF file can't be accessed
- add new access log keywords for wtime and optime
- Fix Allowed and Denied Ciphers lists - WebUI
- UI - attr uniqueness - selecting empty subtree crashes cockpit
- log warning when thread number is very different from autotuned value
- Reindex task may create abandoned index file
- Log an error when a search is fully unindexed
- fix SLE15.2 install issps
- dsctl fails with instance names that contain slapd-
- Memory leaks in disk monitoring
- nsIndexIDListScanLimit accepts any value
- A distinguished value can be missing in an entry
- Healthcheck should look for notes=A/F in access log
- Set the default minimum worker threads
- pwdReset can be modified by a user
- Correct numSubordinates value for cn=monitor
- dsctl and dsidm do not errors correctly when using JSON
- Winsync setting winSyncWindowsFilter not working as expected
- improve autotune defaults
- Add option to healthcheck to list all the lint reports
- UI - improve modal validation when creating an instance

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2420-1
Released:    Tue Sep  1 13:48:35 2020
Summary:     Recommended update for zlib
Type:        recommended
Severity:    moderate
References:  1174551,1174736
This update for zlib provides the following fixes:

- Permit a deflateParams() parameter change as soon as possible. (bsc#1174736)
- Fix DFLTCC not flushing EOBS when creating raw streams. (bsc#1174551)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2445-1
Released:    Wed Sep  2 09:33:02 2020
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1175109,CVE-2020-8231
This update for curl fixes the following issues:

- An application that performs multiple requests with libcurl's
  multi API and sets the 'CURLOPT_CONNECT_ONLY' option, might in
  rare circumstances experience that when subsequently using the
  setup connect-only transfer, libcurl will pick and use the wrong
  connection and instead pick another one the application has
  created since then. [bsc#1175109, CVE-2020-8231]

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2581-1
Released:    Wed Sep  9 13:07:07 2020
Summary:     Security update for openldap2
Type:        security
Severity:    moderate
References:  1174154,CVE-2020-15719
This update for openldap2 fixes the following issues:

- bsc#1174154 - CVE-2020-15719 - This resolves an issue with x509
  SAN's falling back to CN validation in violation of rfc6125.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2612-1
Released:    Fri Sep 11 11:18:01 2020
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1176179,CVE-2020-24977
This update for libxml2 fixes the following issues:

- CVE-2020-24977: Fixed a global-buffer-overflow in xmlEncodeEntitiesInternal (bsc#1176179).  

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2616-1
Released:    Mon Sep 14 10:34:31 2020
Summary:     Recommended update for python-argparse-manpage
Type:        recommended
Severity:    low
References:  
This update for python-argparse-manpage fixes the following issues:

- Made the multiline text look better

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2651-1
Released:    Wed Sep 16 14:42:55 2020
Summary:     Recommended update for zlib
Type:        recommended
Severity:    moderate
References:  1175811,1175830,1175831
This update for zlib fixes the following issues:

- Fix compression level switching (bsc#1175811, bsc#1175830, bsc#1175831)
- Enable hardware compression on s390/s390x (jsc#SLE-13776)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2704-1
Released:    Tue Sep 22 15:06:36 2020
Summary:     Recommended update for krb5
Type:        recommended
Severity:    moderate
References:  1174079
This update for krb5 fixes the following issue:

- Fix prefix reported by krb5-config, libraries and headers are not installed under /usr/lib/mit prefix. (bsc#1174079)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2712-1
Released:    Tue Sep 22 17:08:03 2020
Summary:     Security update for openldap2
Type:        security
Severity:    moderate
References:  1175568,CVE-2020-8027
This update for openldap2 fixes the following issues:

- CVE-2020-8027: openldap_update_modules_path.sh starts daemons unconditionally and uses fixed paths in /tmp (bsc#1175568).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2819-1
Released:    Thu Oct  1 10:39:16 2020
Summary:     Recommended update for libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1165424,1173273,1173529,1174240,1174561,1174918,1175342,1175592
This update for libzypp, zypper provides the following fixes:

Changes in libzypp:
- VendorAttr: Const-correct API and let Target provide its settings. (bsc#1174918)
- Support buildnr with commit hash in purge-kernels. This adds special behaviour for when
  a kernel version has the rebuild counter before the kernel commit hash. (bsc#1175342)
- Improve Italian translation of the 'breaking dependencies' message. (bsc#1173529)
- Make sure reading from lsof does not block forever. (bsc#1174240)
- Just collect details for the signatures found.

Changes in zypper:
- man: Enhance description of the global package cache. (bsc#1175592)
- man: Point out that plain rpm packages are not downloaded to the global package cache.
  (bsc#1173273)
- Directly list subcommands in 'zypper help'. (bsc#1165424)
- Remove extern C block wrapping augeas.h as it breaks the build on Arch Linux.
- Point out that plaindir repos do not follow symlinks. (bsc#1174561)
- Fix help command for list-patches.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2852-1
Released:    Fri Oct  2 16:55:39 2020
Summary:     Recommended update for openssl-1_1
Type:        recommended
Severity:    moderate
References:  1173470,1175844
This update for openssl-1_1 fixes the following issues:

FIPS:

* Include ECDH/DH Requirements from SP800-56Arev3 (bsc#1175844, bsc#1173470).
* Add shared secret KAT to FIPS DH selftest (bsc#1175844).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2864-1
Released:    Tue Oct  6 10:34:14 2020
Summary:     Security update for gnutls
Type:        security
Severity:    moderate
References:  1176086,1176181,1176671,CVE-2020-24659
This update for gnutls fixes the following issues:

- Fix heap buffer overflow in handshake with no_renegotiation alert sent (CVE-2020-24659 bsc#1176181)
- FIPS: Implement (EC)DH requirements from SP800-56Arev3 (bsc#1176086)
- FIPS: Use 2048 bit prime in DH selftest (bsc#1176086)
- FIPS: Add TLS KDF selftest (bsc#1176671)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2869-1
Released:    Tue Oct  6 16:13:20 2020
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1011548,1153943,1153946,1161239,1171762
This update for aaa_base fixes the following issues:

- DIR_COLORS (bug#1006973):
  
  - add screen.xterm-256color
  - add TERM rxvt-unicode-256color
  - sort and merge TERM entries in etc/DIR_COLORS
  
- check for Packages.db and use this instead of Packages. (bsc#1171762)
- Rename path() to _path() to avoid using a general name.
- refresh_initrd call modprobe as /sbin/modprobe (bsc#1011548)
- etc/profile add some missing ;; in case esac statements
- profile and csh.login: on s390x set TERM to dumb on dumb terminal (bsc#1153946)
- backup-rpmdb: exit if zypper is running (bsc#1161239)
- Add color alias for ip command (jsc#sle-9880, jsc#SLE-7679, bsc#1153943)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2893-1
Released:    Mon Oct 12 14:14:55 2020
Summary:     Recommended update for openssl-1_1
Type:        recommended
Severity:    moderate
References:  1177479
This update for openssl-1_1 fixes the following issues:

- Restore private key check in EC_KEY_check_key (bsc#1177479)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2901-1
Released:    Tue Oct 13 14:22:43 2020
Summary:     Security update for libproxy
Type:        security
Severity:    important
References:  1176410,1177143,CVE-2020-25219,CVE-2020-26154
This update for libproxy fixes the following issues:

- CVE-2020-25219: Rewrote url::recvline to be nonrecursive (bsc#1176410).
- CVE-2020-26154: Fixed a buffer overflow when PAC is enabled (bsc#1177143).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2914-1
Released:    Tue Oct 13 17:25:20 2020
Summary:     Security update for bind
Type:        security
Severity:    moderate
References:  1100369,1109160,1118367,1118368,1128220,1156205,1157051,1161168,1170667,1170713,1171313,1171740,1172958,1173307,1173311,1173983,1175443,1176092,1176674,906079,CVE-2017-3136,CVE-2018-5741,CVE-2019-6477,CVE-2020-8616,CVE-2020-8617,CVE-2020-8618,CVE-2020-8619,CVE-2020-8620,CVE-2020-8621,CVE-2020-8622,CVE-2020-8623,CVE-2020-8624
This update for bind fixes the following issues:

BIND was upgraded to version 9.16.6:

Note:

- bind is now more strict in regards to DNSSEC. If queries are not working,
  check for DNSSEC issues. For instance, if bind is used in a namserver
  forwarder chain, the forwarding DNS servers must support DNSSEC.

Fixing security issues:

- CVE-2020-8616: Further limit the number of queries that can be triggered from
  a request.  Root and TLD servers are no longer exempt
  from max-recursion-queries.  Fetches for missing name server. (bsc#1171740)
  Address records are limited to 4 for any domain.
- CVE-2020-8617: Replaying a TSIG BADTIME response as a request could trigger an
  assertion failure. (bsc#1171740)
- CVE-2019-6477: Fixed an issue where TCP-pipelined queries could bypass 
  the tcp-clients limit (bsc#1157051).
- CVE-2018-5741: Fixed the documentation (bsc#1109160).
- CVE-2020-8618: It was possible to trigger an INSIST when determining
  whether a record would fit into a TCP message buffer (bsc#1172958).
- CVE-2020-8619: It was possible to trigger an INSIST in
  lib/dns/rbtdb.c:new_reference() with a particular zone content
  and query patterns (bsc#1172958).
- CVE-2020-8624: 'update-policy' rules of type 'subdomain' were
  incorrectly treated as 'zonesub' rules, which allowed
  keys used in 'subdomain' rules to update names outside
  of the specified subdomains. The problem was fixed by
  making sure 'subdomain' rules are again processed as
  described in the ARM (bsc#1175443).
- CVE-2020-8623: When BIND 9 was compiled with native PKCS#11 support, it
  was possible to trigger an assertion failure in code
  determining the number of bits in the PKCS#11 RSA public
  key with a specially crafted packet (bsc#1175443).
- CVE-2020-8621: named could crash in certain query resolution scenarios
  where QNAME minimization and forwarding were both
  enabled (bsc#1175443).
- CVE-2020-8620: It was possible to trigger an assertion failure by
  sending a specially crafted large TCP DNS message (bsc#1175443).
- CVE-2020-8622: It was possible to trigger an assertion failure when
  verifying the response to a TSIG-signed request (bsc#1175443).

Other issues fixed:

- Add engine support to OpenSSL EdDSA implementation.
- Add engine support to OpenSSL ECDSA implementation.
- Update PKCS#11 EdDSA implementation to PKCS#11 v3.0.
- Warn about AXFR streams with inconsistent message IDs.
- Make ISC rwlock implementation the default again.
- Fixed issues when using cookie-secrets for AES and SHA2 (bsc#1161168)
- Installed the default files in /var/lib/named and created 
  chroot environment on systems using transactional-updates (bsc#1100369, fate#325524)
- Fixed an issue where bind was not working in FIPS mode (bsc#906079).
- Fixed dependency issues (bsc#1118367 and bsc#1118368).
- GeoIP support is now discontinued, now GeoIP2 is used(bsc#1156205).
- Fixed an issue with FIPS (bsc#1128220).
- The liblwres library is discontinued upstream and is no longer included.
- Added service dependency on NTP to make sure the clock is accurate when bind is starts (bsc#1170667, bsc#1170713).
- Reject DS records at the zone apex when loading master files. Log but otherwise ignore attempts to add DS records at the zone apex via UPDATE.
- The default value of 'max-stale-ttl' has been changed from 1 week to 12 hours.
- Zone timers are now exported via statistics channel.
- The 'primary' and 'secondary' keywords, when used as parameters for 'check-names', were not processed correctly and were being ignored.
- 'rndc dnstap -roll <value>' did not limit the number of saved files to <value>.
- Add 'rndc dnssec -status' command.
- Addressed a couple of situations where named could crash.
- Changed /var/lib/named to owner root:named and perms rwxrwxr-t
  so that named, being a/the only member of the 'named' group
  has full r/w access yet cannot change directories owned by root
  in the case of a compromized named.
  [bsc#1173307, bind-chrootenv.conf]
- Added '/etc/bind.keys' to NAMED_CONF_INCLUDE_FILES in /etc/sysconfig/named to suppress warning message re missing file (bsc#1173983).
- Removed '-r /dev/urandom' from all invocations of rndc-confgen
  (init/named system/lwresd.init system/named.init in vendor-files)
  as this option is deprecated and causes rndc-confgen to fail.
  (bsc#1173311, bsc#1176674, bsc#1170713)
- /usr/bin/genDDNSkey: Removing the use of the -r option in the call
  of /usr/sbin/dnssec-keygen as BIND now uses the random number
  functions provided by the crypto library (i.e., OpenSSL or a
  PKCS#11 provider) as a source of randomness rather than /dev/random.
  Therefore the -r command line option no longer has any effect on
  dnssec-keygen. Leaving the option in genDDNSkey as to not break
  compatibility. Patch provided by Stefan Eisenwiener.
  [bsc#1171313]
- Put libns into a separate subpackage to avoid file conflicts
  in the libisc subpackage due to different sonums (bsc#1176092).
- Require /sbin/start_daemon: both init scripts, the one used in
  systemd context as well as legacy sysv, make use of start_daemon.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2947-1
Released:    Fri Oct 16 15:23:07 2020
Summary:     Security update for gcc10, nvptx-tools
Type:        security
Severity:    moderate
References:  1172798,1172846,1173972,1174753,1174817,1175168,CVE-2020-13844
This update for gcc10, nvptx-tools fixes the following issues:

This update provides the GCC10 compiler suite and runtime libraries.

The base SUSE Linux Enterprise libraries libgcc_s1, libstdc++6 are replaced by
the gcc10 variants.

The new compiler variants are available with '-10' suffix, you can specify them
via:

	CC=gcc-10
	CXX=g++-10

or similar commands.

For a detailed changelog check out https://gcc.gnu.org/gcc-10/changes.html

Changes in nvptx-tools:

- Enable build on aarch64
  
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2958-1
Released:    Tue Oct 20 12:24:55 2020
Summary:     Recommended update for procps
Type:        recommended
Severity:    moderate
References:  1158830
This update for procps fixes the following issues:

- Fixes an issue when command 'ps -C' does not allow anymore an argument longer than 15 characters. (bsc#1158830)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2983-1
Released:    Wed Oct 21 15:03:03 2020
Summary:     Recommended update for file
Type:        recommended
Severity:    moderate
References:  1176123
This update for file fixes the following issues:

- Fixes an issue when file displays broken 'ELF' interpreter. (bsc#1176123)  
  
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3048-1
Released:    Tue Oct 27 16:04:52 2020
Summary:     Recommended update for libsolv, libzypp, yaml-cpp, zypper
Type:        recommended
Severity:    moderate
References:  1174918,1176192,1176435,1176712,1176740,1176902,1177238,935885
This update for libsolv, libzypp, yaml-cpp, zypper fixes the following issues:

libzypp was updated to 17.25.1:

- When kernel-rt has been installed, the purge-kernels service fails during boot. (bsc#1176902)
- Use package name provides as group key in purge-kernel (bsc#1176740 bsc#1176192)
  kernel-default-base has new packaging, where the kernel uname -r
  does not reflect the full package version anymore. This patch
  adds additional logic to use the most generic/shortest edition
  each package provides with %{packagename}=<version> to group the
  kernel packages instead of the rpm versions.
  This also changes how the keep-spec for specific versions is
  applied, instead of matching the package versions, each of the
  package name provides will be matched.
- RepoInfo: Return the type of the local metadata cache as
  fallback (bsc#1176435)
- VendorAttr: Fix broken 'suse,opensuse' equivalence handling.
  Enhance API and testcases. (bsc#1174918)
- Update docs regarding 'opensuse' namepace matching.
- Link against libzstd to close libsolvs open references
  (as we link statically)

yaml-cpp:

- The libyaml-cpp0_6 library package is added the to the Basesystem module, LTSS and ESPOS
  channels, and the INSTALLER channels, as a new libzypp dependency.

  No source changes were done to yaml-cpp.

zypper was updated to 1.14.40:

- info: Assume descriptions starting with '<p>' are richtext
  (bsc#935885)
- help: prevent 'whatis' from writing to stderr (bsc#1176712)
- wp: point out that command is aliased to a search command and
  searches case-insensitive (jsc#SLE-16271)

libsolv was updated to 0.7.15 to fix:

- make testcase_mangle_repo_names deal correctly with freed repos
  [bsc#1177238]
- fix deduceq2addedmap clearing bits outside of the map
- conda: feature depriorization first
- conda: fix startswith implementation
- move find_update_seeds() call in cleandeps calculation
- set SOLVABLE_BUILDHOST in rpm and rpmmd parsers
- new testcase_mangle_repo_names() function
- new solv_fmemopen() function

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3091-1
Released:    Thu Oct 29 16:35:37 2020
Summary:     Security update for MozillaThunderbird and mozilla-nspr
Type:        security
Severity:    important
References:  1174230,1176384,1176756,1176899,1177977,CVE-2020-15673,CVE-2020-15676,CVE-2020-15677,CVE-2020-15678,CVE-2020-15683,CVE-2020-15969
This update for MozillaThunderbird and mozilla-nspr fixes the following issues:

- Mozilla Thunderbird 78.4
  * new: MailExtensions: browser.tabs.sendMessage API added
  * new: MailExtensions: messageDisplayScripts API added
  * changed: Yahoo and AOL mail users using password authentication will be migrated to OAuth2
  * changed: MailExtensions: messageDisplay APIs extended to support multiple selected messages
  * changed: MailExtensions: compose.begin functions now support creating a message with attachments
  * fixed: Thunderbird could freeze when updating global search index
  * fixed: Multiple issues with handling of self-signed SSL certificates addressed
  * fixed: Recipient address fields in compose window could expand to fill all available space
  * fixed: Inserting emoji characters in message compose window caused unexpected behavior
  * fixed: Button to restore default folder icon color was not keyboard accessible
  * fixed: Various keyboard navigation fixes
  * fixed: Various color-related theme fixes
  * fixed: MailExtensions: Updating attachments with onBeforeSend.addListener() did not work
  MFSA 2020-47 (bsc#1177977)
  * CVE-2020-15969 Use-after-free in usersctp
  * CVE-2020-15683 Memory safety bugs fixed in Thunderbird 78.4
- Mozilla Thunderbird 78.3.3
  * OpenPGP: Improved support for encrypting with subkeys
  * OpenPGP message status icons were not visible in message header pane
  * Creating a new calendar event did not require an event title
- Mozilla Thunderbird 78.3.2 (bsc#1176899)
  * OpenPGP: Improved support for encrypting with subkeys
  * OpenPGP: Encrypted messages with international characters were sometimes displayed incorrectly
  * Single-click deletion of recipient pills with middle mouse button restored
  * Searching an address book list did not display results
  * Dark mode, high contrast, and Windows theming fixes
- Mozilla Thunderbird 78.3.1
  * fix crash in nsImapProtocol::CreateNewLineFromSocket
- Mozilla Thunderbird 78.3.0
  MFSA 2020-44 (bsc#1176756)
  * CVE-2020-15677 Download origin spoofing via redirect
  * CVE-2020-15676 XSS when pasting attacker-controlled data into a contenteditable element
  * CVE-2020-15678 When recursing through layers while scrolling, an iterator may have become invalid, resulting in a potential use-after- free scenario
  * CVE-2020-15673 Memory safety bugs fixed in Thunderbird 78.3

- update mozilla-nspr to version 4.25.1
  * The macOS platform code for shared library loading was
    changed to support macOS 11.
  * Dependency needed for the MozillaThunderbird udpate

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3099-1
Released:    Thu Oct 29 19:33:41 2020
Summary:     Recommended update for timezone
Type:        recommended
Severity:    moderate
References:  1177460
This update for timezone fixes the following issues:

- timezone update 2020b (bsc#1177460)
  * Revised predictions for Morocco's changes starting in 2023.
  * Canada's Yukon changes to -07 on 2020-11-01, not 2020-03-08.
  * Macquarie Island has stayed in sync with Tasmania since 2011.
  * Casey, Antarctica is at +08 in winter and +11 in summer.
  * zic no longer supports -y, nor the TYPE field of Rules.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3123-1
Released:    Tue Nov  3 09:48:13 2020
Summary:     Recommended update for timezone
Type:        recommended
Severity:    important
References:  1177460,1178346,1178350,1178353
This update for timezone fixes the following issues:

- Generate 'fat' timezone files (was default before 2020b). (bsc#1178346, bsc#1178350, bsc#1178353)
- Palestine ends DST earlier than predicted, on 2020-10-24. (bsc#1177460)
- Fiji starts DST later than usual, on 2020-12-20. (bsc#1177460)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3138-1
Released:    Tue Nov  3 12:14:03 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1104902,1154935,1165502,1167471,1173422,1176513,1176800
This update for systemd fixes the following issues:

- seccomp: shm{get,at,dt} now have their own numbers everywhere (bsc#1173422)
- test-seccomp: log function names
- test-seccomp: add log messages when skipping tests
- basic/virt: Detect PowerVM hypervisor (bsc#1176800)
- fs-util: suppress world-writable warnings if we read /dev/null
- udevadm: rename option '--log-priority' into '--log-level'
- udev: rename kernel option 'log_priority' into 'log_level'
- fstab-generator: add 'nofail' when  NFS 'bg' option is used (bsc#1176513)
- Fix memory protection default (bsc#1167471) 
- cgroup: Support 0-value for memory protection directives and accepts MemorySwapMax=0 (bsc#1154935)
- Improve latency and reliability when users log in/out (bsc#1104902, bsc#1165502)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3157-1
Released:    Wed Nov  4 15:37:05 2020
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:  1177864
This update for ca-certificates-mozilla fixes the following issues:

The SSL Root CA store was updated to the 2.44 state of the Mozilla NSS Certificate store (bsc#1177864)

- Removed CAs:

  - EE Certification Centre Root CA
  - Taiwan GRCA

- Added CAs:

  - Trustwave Global Certification Authority
  - Trustwave Global ECC P256 Certification Authority
  - Trustwave Global ECC P384 Certification Authority

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3253-1
Released:    Mon Nov  9 07:45:04 2020
Summary:     Recommended update for mozilla-nss
Type:        recommended
Severity:    moderate
References:  1174697,1176173
This update for mozilla-nss fixes the following issues:

- Fixes an issue for Mozilla Firefox which has failed in fips mode (bsc#1174697)
- FIPS: Adjust the Diffie-Hellman and Elliptic Curve Diffie-Hellman algorithms to be
  NIST SP800-56Arev3 compliant (bsc#1176173).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3290-1
Released:    Wed Nov 11 12:25:32 2020
Summary:     Recommended update for findutils
Type:        recommended
Severity:    moderate
References:  1174232
This update for findutils fixes the following issues:

- Do not unconditionally use leaf optimization for NFS. (bsc#1174232)
  NFS st_nlink are not accurate on all implementations, leading to aborts() if that assumption is made.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3313-1
Released:    Thu Nov 12 16:07:37 2020
Summary:     Security update for openldap2
Type:        security
Severity:    important
References:  1178387,CVE-2020-25692
This update for openldap2 fixes the following issues:

- CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3377-1
Released:    Thu Nov 19 09:29:32 2020
Summary:     Security update for krb5
Type:        security
Severity:    moderate
References:  1178512,CVE-2020-28196
This update for krb5 fixes the following security issue:

- CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3381-1
Released:    Thu Nov 19 10:53:38 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1177458,1177490,1177510
This update for systemd fixes the following issues:

- build-sys: optionally disable support of journal over the network (bsc#1177458)
- ask-password: prevent buffer overflow when reading from keyring (bsc#1177510)
- mount: don't propagate errors from mount_setup_unit() further up
- Rely on the new build option --disable-remote for journal_remote
  This allows to drop the workaround that consisted in cleaning journal-upload files and
  {sysusers.d,tmpfiles.d}/systemd-remote.conf manually when 'journal_remote' support was disabled.
- Move journal-{remote,upload}.conf.5.gz man pages into systemd-journal_remote sub package 
- Make sure {sysusers.d,tmpfiles.d}/systemd-remote.conf are not shipped with --without=journal_remote (bsc#1177458)
  These files were incorrectly packaged in the main package when systemd-journal_remote was disabled.
- Make use of %{_unitdir} and %{_sysusersdir}
- Remove mq-deadline selection from 60-io-scheduler.rules (bsc#1177490)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3462-1
Released:    Fri Nov 20 13:14:35 2020
Summary:     Recommended update for pam and sudo
Type:        recommended
Severity:    moderate
References:  1174593,1177858,1178727
This update for pam and sudo fixes the following issue:

pam:

- pam_xauth: do not *free* a string which has been successfully passed to *putenv*. (bsc#1177858)
- Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727)
- Run /usr/bin/xauth using the old user's and group's identifiers. (bsc#1174593)

sudo:

- Fix a problem with pam_xauth which checks effective and real uids to get the real identity of the user. (bsc#1174593)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3566-1
Released:    Mon Nov 30 16:56:52 2020
Summary:     Security update for python-setuptools
Type:        security
Severity:    important
References:  1176262,CVE-2019-20916
This update for python-setuptools fixes the following issues:

- Fixed a directory traversal in _download_http_url() (bsc#1176262 CVE-2019-20916)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3581-1
Released:    Tue Dec  1 14:40:22 2020
Summary:     Recommended update for libusb-1_0
Type:        recommended
Severity:    moderate
References:  1178376
This update for libusb-1_0 fixes the following issues:

- Fixes a build failure for libusb for the inclusion of 'sys/time.h' on PowerPC. (bsc#1178376)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3593-1
Released:    Wed Dec  2 10:33:49 2020
Summary:     Security update for python3
Type:        security
Severity:    important
References:  1176262,1179193,CVE-2019-20916
This update for python3 fixes the following issues:

Update to 3.6.12 (bsc#1179193), including:

- Fixed a directory traversal in _download_http_url() (bsc#1176262 CVE-2019-20916)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3620-1
Released:    Thu Dec  3 17:03:55 2020
Summary:     Recommended update for pam
Type:        recommended
Severity:    moderate
References:  
This update for pam fixes the following issues:

- Check if the password is part of the username. (jsc#SLE-16719, jsc#SLE-16720)
  - Check whether the password contains a substring of of the user's name of at least `<N>` characters length in 
  some form. This is enabled by the new parameter `usersubstr=<N>`

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3626-1
Released:    Fri Dec  4 13:51:46 2020
Summary:     Recommended update for audit
Type:        recommended
Severity:    moderate
References:  1179515
This update for audit fixes the following issues:

- Enable Aarch64 processor support. (bsc#1179515) 

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3703-1
Released:    Mon Dec  7 20:17:32 2020
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1179431
This update for aaa_base fixes the following issue:

- Avoid semicolon within (t)csh login script on S/390. (bsc#1179431)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3711-1
Released:    Tue Dec  8 16:40:25 2020
Summary:     Recommended update for 389-ds
Type:        recommended
Severity:    important
References:  1176889,1178445
This update for 389-ds fixes the following issues:

Update from version 1.4.3.12~git0.9bc042902 to version 1.4.3.17~git0.3c2d054e1

- Crash in `paged` chaining search. (bsc#1178445)
- Mapping tree may be invalid. (bsc#1176889)
- Use `MONOTONIC` clock for all timing events and conditions
- Add `dsconf` replication monitor test case
- Fix test: `SyncRepl` plugin provides a wrong cookie
- Fix `lib389` and use system `TLS` policy
- During setup and remove add and remove the new instance to the global dsrc to enable transparent administration. 
- UI - Handle objectclasses that do not have `X-ORIGIN` set

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3721-1
Released:    Wed Dec  9 13:36:46 2020
Summary:     Security update for openssl-1_1
Type:        security
Severity:    important
References:  1179491,CVE-2020-1971
This update for openssl-1_1 fixes the following issues:
	  
- CVE-2020-1971: Fixed a null pointer dereference in EDIPARTYNAME (bsc#1179491).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3735-1
Released:    Wed Dec  9 18:19:24 2020
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1179398,1179399,1179593,CVE-2020-8284,CVE-2020-8285,CVE-2020-8286
This update for curl fixes the following issues:

- CVE-2020-8286: Fixed improper OSCP verification in the client side (bsc#1179593). 
- CVE-2020-8285: Fixed a stack overflow due to FTP wildcard (bsc#1179399).
- CVE-2020-8284: Fixed an issue where a malicius FTP server could make curl connect to a different IP (bsc#1179398).	  



More information about the sle-security-updates mailing list