SUSE-CU-2020:816-1: Security update of caasp/v4.5/cilium
sle-security-updates at lists.suse.com
Sat Dec 12 02:16:15 MST 2020
SUSE Container Update Advisory: caasp/v4.5/cilium
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:816-1
Container Tags : caasp/v4.5/cilium:1.7.6 , caasp/v4.5/cilium:1.7.6-rev4 , caasp/v4.5/cilium:1.7.6-rev4-build5.10.1
Container Release : 5.10.1
Severity : important
Type : security
References : 1104902 1126826 1126829 1126831 1140126 1142649 1143609 1150164
1153768 1153770 1154935 1157755 1158830 1160254 1160590 1161913
1163333 1163744 1165502 1167471 1167939 1172798 1173422 1174232
1174593 1174918 1176123 1176192 1176435 1176513 1176712 1176740
1176800 1176902 1177238 1177458 1177490 1177510 1177858 1177864
1178376 1178387 1178512 1178577 1178614 1178624 1178675 1178727
1179036 1179341 1179398 1179399 1179431 1179491 1179515 1179593
935885 CVE-2019-12972 CVE-2019-14250 CVE-2019-14444 CVE-2019-17450
CVE-2019-17451 CVE-2019-9074 CVE-2019-9075 CVE-2019-9077 CVE-2020-13844
CVE-2020-1971 CVE-2020-25692 CVE-2020-28196 CVE-2020-8284 CVE-2020-8285
CVE-2020-8286
-----------------------------------------------------------------
The container caasp/v4.5/cilium was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2958-1
Released: Tue Oct 20 12:24:55 2020
Summary: Recommended update for procps
Type: recommended
Severity: moderate
References: 1158830
This update for procps fixes the following issues:
- Fixes an issue where the command 'ps -C' no longer accepts an argument longer than 15 characters. (bsc#1158830)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2983-1
Released: Wed Oct 21 15:03:03 2020
Summary: Recommended update for file
Type: recommended
Severity: moderate
References: 1176123
This update for file fixes the following issues:
- Fixes an issue where file displays a broken 'ELF' interpreter. (bsc#1176123)
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2020:3026-1
Released: Fri Oct 23 15:35:49 2020
Summary: Optional update for the Public Cloud Module
Type: optional
Severity: moderate
References:
This update adds the Google Cloud Storage packages to the Public Cloud module (jsc#ECO-2398).
The following packages were included:
- python3-grpcio
- python3-protobuf
- python3-google-api-core
- python3-google-cloud-core
- python3-google-cloud-storage
- python3-google-resumable-media
- python3-googleapis-common-protos
- python3-grpcio-gcp
- python3-mock (updated to version 3.0.5)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3048-1
Released: Tue Oct 27 16:04:52 2020
Summary: Recommended update for libsolv, libzypp, yaml-cpp, zypper
Type: recommended
Severity: moderate
References: 1174918,1176192,1176435,1176712,1176740,1176902,1177238,935885
This update for libsolv, libzypp, yaml-cpp, zypper fixes the following issues:
libzypp was updated to 17.25.1:
- When kernel-rt has been installed, the purge-kernels service fails during boot. (bsc#1176902)
- Use package name provides as group key in purge-kernel (bsc#1176740 bsc#1176192)
kernel-default-base has new packaging, where the kernel uname -r
does not reflect the full package version anymore. This patch
adds additional logic to use the most generic/shortest edition
each package provides with %{packagename}=<version> to group the
kernel packages instead of the rpm versions.
This also changes how the keep-spec for specific versions is
applied, instead of matching the package versions, each of the
package name provides will be matched.
- RepoInfo: Return the type of the local metadata cache as
fallback (bsc#1176435)
- VendorAttr: Fix broken 'suse,opensuse' equivalence handling.
Enhance API and testcases. (bsc#1174918)
- Update docs regarding 'opensuse' namespace matching.
- Link against libzstd to close libsolv's open references
(as we link statically)
yaml-cpp:
- The libyaml-cpp0_6 library package is added to the Basesystem module, LTSS and ESPOS
channels, and the INSTALLER channels, as a new libzypp dependency.
No source changes were done to yaml-cpp.
zypper was updated to 1.14.40:
- info: Assume descriptions starting with '<p>' are richtext
(bsc#935885)
- help: prevent 'whatis' from writing to stderr (bsc#1176712)
- wp: point out that command is aliased to a search command and
searches case-insensitive (jsc#SLE-16271)
libsolv was updated to 0.7.15 to fix:
- make testcase_mangle_repo_names deal correctly with freed repos
[bsc#1177238]
- fix deduceq2addedmap clearing bits outside of the map
- conda: feature deprioritization first
- conda: fix startswith implementation
- move find_update_seeds() call in cleandeps calculation
- set SOLVABLE_BUILDHOST in rpm and rpmmd parsers
- new testcase_mangle_repo_names() function
- new solv_fmemopen() function
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3060-1
Released: Wed Oct 28 08:09:21 2020
Summary: Security update for binutils
Type: security
Severity: moderate
References: 1126826,1126829,1126831,1140126,1142649,1143609,1153768,1153770,1157755,1160254,1160590,1163333,1163744,CVE-2019-12972,CVE-2019-14250,CVE-2019-14444,CVE-2019-17450,CVE-2019-17451,CVE-2019-9074,CVE-2019-9075,CVE-2019-9077
This update for binutils fixes the following issues:
binutils was updated to version 2.35. (jsc#ECO-2373)
Update to binutils 2.35:
* The assembler can now produce DWARF-5 format line number tables.
* Readelf now has a 'lint' mode to enable extra checks of the files it is processing.
* Readelf will now display '[...]' when it has to truncate a symbol name.
The old behaviour - of displaying as many characters as possible, up to
the 80 column limit - can be restored by the use of the --silent-truncation
option.
* The linker can now produce a dependency file listing the inputs that it
has processed, much like the -M -MP option supported by the compiler.
- fix DT_NEEDED order with -flto [bsc#1163744]
Update to binutils 2.34:
* The disassembler (objdump --disassemble) now has an option to
generate ASCII art that shows the arcs between the start and end
points of control flow instructions.
* The binutils tools now have support for debuginfod. Debuginfod is a
HTTP service for distributing ELF/DWARF debugging information as
well as source code. The tools can now connect to debuginfod
servers in order to download debug information about the files that
they are processing.
* The assembler and linker now support the generation of ELF format
files for the Z80 architecture.
- Add new subpackages for libctf and libctf-nobfd.
- Disable LTO due to bsc#1163333.
- Includes fixes for these CVEs:
bsc#1153768 aka CVE-2019-17451 aka PR25070
bsc#1153770 aka CVE-2019-17450 aka PR25078
- fix various build fails on aarch64 (PR25210, bsc#1157755).
Update to binutils 2.33.1:
* Adds support for the Arm Scalable Vector Extension version 2
(SVE2) instructions, the Arm Transactional Memory Extension (TME)
instructions and the Armv8.1-M Mainline and M-profile Vector
Extension (MVE) instructions.
* Adds support for the Arm Cortex-A76AE, Cortex-A77 and Cortex-M35P
processors and the AArch64 Cortex-A34, Cortex-A65, Cortex-A65AE,
Cortex-A76AE, and Cortex-A77 processors.
* Adds a .float16 directive for both Arm and AArch64 to allow
encoding of 16-bit floating point literals.
* For MIPS, Add -m[no-]fix-loongson3-llsc option to fix (or not)
Loongson3 LLSC Errata. Add a --enable-mips-fix-loongson3-llsc=[yes|no]
configure time option to set the default behavior. Set the default
if the configure option is not used to 'no'.
* The Cortex-A53 Erratum 843419 workaround now supports a choice of
which workaround to use. The option --fix-cortex-a53-843419 now
takes an optional argument --fix-cortex-a53-843419[=full|adr|adrp]
which can be used to force a particular workaround to be used.
See --help for AArch64 for more details.
* Add support for GNU_PROPERTY_AARCH64_FEATURE_1_BTI and
GNU_PROPERTY_AARCH64_FEATURE_1_PAC in ELF GNU program properties
in the AArch64 ELF linker.
* Add -z force-bti for AArch64 to enable GNU_PROPERTY_AARCH64_FEATURE_1_BTI
on output while warning about missing GNU_PROPERTY_AARCH64_FEATURE_1_BTI
on inputs and use PLTs protected with BTI.
* Add -z pac-plt for AArch64 to pick PAC enabled PLTs.
* Add --source-comment[=<txt>] option to objdump which if present,
provides a prefix to source code lines displayed in a disassembly.
* Add --set-section-alignment <section-name>=<power-of-2-align>
option to objcopy to allow the changing of section alignments.
* Add --verilog-data-width option to objcopy for verilog targets to
control width of data elements in verilog hex format.
* The separate debug info file options of readelf (--debug-dump=links
and --debug-dump=follow) and objdump (--dwarf=links and
--dwarf=follow-links) will now display and/or follow multiple
links if more than one are present in a file. (This usually
happens when gcc's -gsplit-dwarf option is used).
In addition objdump's --dwarf=follow-links now also affects its
other display options, so that for example, when combined with
--syms it will cause the symbol tables in any linked debug info
files to also be displayed. In addition when combined with
--disassemble the --dwarf= follow-links option will ensure that
any symbol tables in the linked files are read and used when
disassembling code in the main file.
* Add support for dumping types encoded in the Compact Type Format
to objdump and readelf.
- Includes fixes for these CVEs:
bsc#1126826 aka CVE-2019-9077 aka PR1126826
bsc#1126829 aka CVE-2019-9075 aka PR1126829
bsc#1126831 aka CVE-2019-9074 aka PR24235
bsc#1140126 aka CVE-2019-12972 aka PR23405
bsc#1143609 aka CVE-2019-14444 aka PR24829
bsc#1142649 aka CVE-2019-14250 aka PR90924
* Add xBPF target
* Fix various problems with DWARF 5 support in gas
* fix nm -B for objects compiled with -flto and -fcommon.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3138-1
Released: Tue Nov 3 12:14:03 2020
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1104902,1154935,1165502,1167471,1173422,1176513,1176800
This update for systemd fixes the following issues:
- seccomp: shm{get,at,dt} now have their own numbers everywhere (bsc#1173422)
- test-seccomp: log function names
- test-seccomp: add log messages when skipping tests
- basic/virt: Detect PowerVM hypervisor (bsc#1176800)
- fs-util: suppress world-writable warnings if we read /dev/null
- udevadm: rename option '--log-priority' into '--log-level'
- udev: rename kernel option 'log_priority' into 'log_level'
- fstab-generator: add 'nofail' when NFS 'bg' option is used (bsc#1176513)
- Fix memory protection default (bsc#1167471)
- cgroup: Support 0-value for memory protection directives and accepts MemorySwapMax=0 (bsc#1154935)
- Improve latency and reliability when users log in/out (bsc#1104902, bsc#1165502)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3157-1
Released: Wed Nov 4 15:37:05 2020
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1177864
This update for ca-certificates-mozilla fixes the following issues:
The SSL Root CA store was updated to the 2.44 state of the Mozilla NSS Certificate store (bsc#1177864)
- Removed CAs:
- EE Certification Centre Root CA
- Taiwan GRCA
- Added CAs:
- Trustwave Global Certification Authority
- Trustwave Global ECC P256 Certification Authority
- Trustwave Global ECC P384 Certification Authority
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3290-1
Released: Wed Nov 11 12:25:32 2020
Summary: Recommended update for findutils
Type: recommended
Severity: moderate
References: 1174232
This update for findutils fixes the following issues:
- Do not unconditionally use leaf optimization for NFS. (bsc#1174232)
NFS st_nlink are not accurate on all implementations, leading to aborts() if that assumption is made.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3313-1
Released: Thu Nov 12 16:07:37 2020
Summary: Security update for openldap2
Type: security
Severity: important
References: 1178387,CVE-2020-25692
This update for openldap2 fixes the following issues:
- CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3377-1
Released: Thu Nov 19 09:29:32 2020
Summary: Security update for krb5
Type: security
Severity: moderate
References: 1178512,CVE-2020-28196
This update for krb5 fixes the following security issue:
- CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3381-1
Released: Thu Nov 19 10:53:38 2020
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1177458,1177490,1177510
This update for systemd fixes the following issues:
- build-sys: optionally disable support of journal over the network (bsc#1177458)
- ask-password: prevent buffer overflow when reading from keyring (bsc#1177510)
- mount: don't propagate errors from mount_setup_unit() further up
- Rely on the new build option --disable-remote for journal_remote
This allows dropping the workaround that consisted of cleaning journal-upload files and
{sysusers.d,tmpfiles.d}/systemd-remote.conf manually when 'journal_remote' support was disabled.
- Move journal-{remote,upload}.conf.5.gz man pages into systemd-journal_remote sub package
- Make sure {sysusers.d,tmpfiles.d}/systemd-remote.conf are not shipped with --without=journal_remote (bsc#1177458)
These files were incorrectly packaged in the main package when systemd-journal_remote was disabled.
- Make use of %{_unitdir} and %{_sysusersdir}
- Remove mq-deadline selection from 60-io-scheduler.rules (bsc#1177490)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3462-1
Released: Fri Nov 20 13:14:35 2020
Summary: Recommended update for pam and sudo
Type: recommended
Severity: moderate
References: 1174593,1177858,1178727
This update for pam and sudo fixes the following issue:
pam:
- pam_xauth: do not *free* a string which has been successfully passed to *putenv*. (bsc#1177858)
- Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727)
- Run /usr/bin/xauth using the old user's and group's identifiers. (bsc#1174593)
sudo:
- Fix a problem with pam_xauth which checks effective and real uids to get the real identity of the user. (bsc#1174593)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3581-1
Released: Tue Dec 1 14:40:22 2020
Summary: Recommended update for libusb-1_0
Type: recommended
Severity: moderate
References: 1178376
This update for libusb-1_0 fixes the following issues:
- Fixes a build failure for libusb for the inclusion of 'sys/time.h' on PowerPC. (bsc#1178376)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3620-1
Released: Thu Dec 3 17:03:55 2020
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References:
This update for pam fixes the following issues:
- Check if the password is part of the username. (jsc#SLE-16719, jsc#SLE-16720)
- Check whether the password contains a substring of the user's name of at least `<N>` characters in length in
some form. This is enabled by the new parameter `usersubstr=<N>`.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3626-1
Released: Fri Dec 4 13:51:46 2020
Summary: Recommended update for audit
Type: recommended
Severity: moderate
References: 1179515
This update for audit fixes the following issues:
- Enable Aarch64 processor support. (bsc#1179515)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3640-1
Released: Mon Dec 7 13:24:41 2020
Summary: Recommended update for binutils
Type: recommended
Severity: important
References: 1179036,1179341
This update for binutils fixes the following issues:
Update binutils 2.35 branch to commit 1c5243df:
* Fixes PR26520, aka [bsc#1179036], a problem in addr2line with
certain DWARF variable descriptions.
* Also fixes PR26711, PR26656, PR26655, PR26929, PR26808, PR25878,
PR26740, PR26778, PR26763, PR26685, PR26699, PR26902, PR26869,
PR26711
* The above includes fixes for dwo files produced by modern dwp,
fixing several problems in the DWARF reader.
Update binutils to 2.35.1 and rebased branch diff:
* This is a point release over the previous 2.35 version, containing bug
fixes, and as an exception to the usual rule, one new feature. The
new feature is the support for a new directive in the assembler:
'.nop'. This directive creates a single no-op instruction in whatever
encoding is correct for the target architecture. Unlike the .space or
.fill this is a real instruction, and it does affect the generation of
DWARF line number tables, should they be enabled. This fixes an
incompatibility introduced in the latest update that broke the install
scripts of the Oracle server. [bsc#1179341]
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3703-1
Released: Mon Dec 7 20:17:32 2020
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1179431
This update for aaa_base fixes the following issue:
- Avoid semicolon within (t)csh login script on S/390. (bsc#1179431)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3721-1
Released: Wed Dec 9 13:36:46 2020
Summary: Security update for openssl-1_1
Type: security
Severity: important
References: 1179491,CVE-2020-1971
This update for openssl-1_1 fixes the following issues:
- CVE-2020-1971: Fixed a null pointer dereference in EDIPARTYNAME (bsc#1179491).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3735-1
Released: Wed Dec 9 18:19:24 2020
Summary: Security update for curl
Type: security
Severity: moderate
References: 1179398,1179399,1179593,CVE-2020-8284,CVE-2020-8285,CVE-2020-8286
This update for curl fixes the following issues:
- CVE-2020-8286: Fixed improper OCSP verification in the client side (bsc#1179593).
- CVE-2020-8285: Fixed a stack overflow due to FTP wildcard (bsc#1179399).
- CVE-2020-8284: Fixed an issue where a malicious FTP server could make curl connect to a different IP (bsc#1179398).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3749-1
Released: Thu Dec 10 14:39:28 2020
Summary: Security update for gcc7
Type: security
Severity: moderate
References: 1150164,1161913,1167939,1172798,1178577,1178614,1178624,1178675,CVE-2020-13844
This update for gcc7 fixes the following issues:
- CVE-2020-13844: Added mitigation for aarch64 Straight Line Speculation issue (bsc#1172798)
- Enable fortran for the nvptx offload compiler.
- Update README.First-for.SuSE.packagers
- avoid assembler errors with AVX512 gather and scatter instructions when using -masm=intel.
- Backport the aarch64 -moutline-atomics feature and accumulated fixes but not its
default enabling. [jsc#SLE-12209, bsc#1167939]
- Fixed 32bit libgnat.so link. [bsc#1178675]
- Fixed memcpy miscompilation on aarch64. [bsc#1178624, bsc#1178577]
- Fixed debug line info for try/catch. [bsc#1178614]
- Remove -mbranch-protection=standard (aarch64 flag) when gcc7 is used to build gcc7 (ie when ada is enabled)
- Fixed corruption of pass private ->aux via DF. [gcc#94148]
- Fixed debug information issue with inlined functions and passed by reference arguments. [gcc#93888]
- Fixed binutils release date detection issue.
- Fixed register allocation issue with exception handling code on s390x. [bsc#1161913]
- Fixed miscompilation of some atomic code on aarch64. [bsc#1150164]