SUSE-CU-2020:816-1: Security update of caasp/v4.5/cilium

sle-security-updates at sle-security-updates at
Sat Dec 12 02:16:15 MST 2020

SUSE Container Update Advisory: caasp/v4.5/cilium
Container Advisory ID : SUSE-CU-2020:816-1
Container Tags        : caasp/v4.5/cilium:1.7.6 , caasp/v4.5/cilium:1.7.6-rev4 , caasp/v4.5/cilium:1.7.6-rev4-build5.10.1
Container Release     : 5.10.1
Severity              : important
Type                  : security
References            : 1104902 1126826 1126829 1126831 1140126 1142649 1143609 1150164
                        1153768 1153770 1154935 1157755 1158830 1160254 1160590 1161913
                        1163333 1163744 1165502 1167471 1167939 1172798 1173422 1174232
                        1174593 1174918 1176123 1176192 1176435 1176513 1176712 1176740
                        1176800 1176902 1177238 1177458 1177490 1177510 1177858 1177864
                        1178376 1178387 1178512 1178577 1178614 1178624 1178675 1178727
                        1179036 1179341 1179398 1179399 1179431 1179491 1179515 1179593
                        935885 CVE-2019-12972 CVE-2019-14250 CVE-2019-14444 CVE-2019-17450
                        CVE-2019-17451 CVE-2019-9074 CVE-2019-9075 CVE-2019-9077 CVE-2020-13844
                        CVE-2020-1971 CVE-2020-25692 CVE-2020-28196 CVE-2020-8284 CVE-2020-8285

The container caasp/v4.5/cilium was updated. The following patches have been included in this update:

Advisory ID: SUSE-RU-2020:2958-1
Released:    Tue Oct 20 12:24:55 2020
Summary:     Recommended update for procps
Type:        recommended
Severity:    moderate
References:  1158830
This update for procps fixes the following issues:

- Fixes an issue when command 'ps -C' does not allow anymore an argument longer than 15 characters. (bsc#1158830)

Advisory ID: SUSE-RU-2020:2983-1
Released:    Wed Oct 21 15:03:03 2020
Summary:     Recommended update for file
Type:        recommended
Severity:    moderate
References:  1176123
This update for file fixes the following issues:

- Fixes an issue when file displays broken 'ELF' interpreter. (bsc#1176123)  
Advisory ID: SUSE-OU-2020:3026-1
Released:    Fri Oct 23 15:35:49 2020
Summary:     Optional update for the Public Cloud Module
Type:        optional
Severity:    moderate

This update adds the Google Cloud Storage packages to the Public Cloud module (jsc#ECO-2398).
The following packages were included:

- python3-grpcio
- python3-protobuf
- python3-google-api-core
- python3-google-cloud-core
- python3-google-cloud-storage
- python3-google-resumable-media
- python3-googleapis-common-protos
- python3-grpcio-gcp
- python3-mock (updated to version 3.0.5)

Advisory ID: SUSE-RU-2020:3048-1
Released:    Tue Oct 27 16:04:52 2020
Summary:     Recommended update for libsolv, libzypp, yaml-cpp, zypper
Type:        recommended
Severity:    moderate
References:  1174918,1176192,1176435,1176712,1176740,1176902,1177238,935885
This update for libsolv, libzypp, yaml-cpp, zypper fixes the following issues:

libzypp was updated to 17.25.1:

- When kernel-rt has been installed, the purge-kernels service fails during boot. (bsc#1176902)
- Use package name provides as group key in purge-kernel (bsc#1176740 bsc#1176192)
  kernel-default-base has new packaging, where the kernel uname -r
  does not reflect the full package version anymore. This patch
  adds additional logic to use the most generic/shortest edition
  each package provides with %{packagename}=<version> to group the
  kernel packages instead of the rpm versions.
  This also changes how the keep-spec for specific versions is
  applied, instead of matching the package versions, each of the
  package name provides will be matched.
- RepoInfo: Return the type of the local metadata cache as
  fallback (bsc#1176435)
- VendorAttr: Fix broken 'suse,opensuse' equivalence handling.
  Enhance API and testcases. (bsc#1174918)
- Update docs regarding 'opensuse' namepace matching.
- Link against libzstd to close libsolvs open references
  (as we link statically)


- The libyaml-cpp0_6 library package is added the to the Basesystem module, LTSS and ESPOS
  channels, and the INSTALLER channels, as a new libzypp dependency.

  No source changes were done to yaml-cpp.

zypper was updated to 1.14.40:

- info: Assume descriptions starting with '<p>' are richtext
- help: prevent 'whatis' from writing to stderr (bsc#1176712)
- wp: point out that command is aliased to a search command and
  searches case-insensitive (jsc#SLE-16271)

libsolv was updated to 0.7.15 to fix:

- make testcase_mangle_repo_names deal correctly with freed repos
- fix deduceq2addedmap clearing bits outside of the map
- conda: feature depriorization first
- conda: fix startswith implementation
- move find_update_seeds() call in cleandeps calculation
- set SOLVABLE_BUILDHOST in rpm and rpmmd parsers
- new testcase_mangle_repo_names() function
- new solv_fmemopen() function

Advisory ID: SUSE-SU-2020:3060-1
Released:    Wed Oct 28 08:09:21 2020
Summary:     Security update for binutils
Type:        security
Severity:    moderate
References:  1126826,1126829,1126831,1140126,1142649,1143609,1153768,1153770,1157755,1160254,1160590,1163333,1163744,CVE-2019-12972,CVE-2019-14250,CVE-2019-14444,CVE-2019-17450,CVE-2019-17451,CVE-2019-9074,CVE-2019-9075,CVE-2019-9077
This update for binutils fixes the following issues:

binutils was updated to version 2.35. (jsc#ECO-2373)

Update to binutils 2.35:

* The assembler can now produce DWARF-5 format line number tables.
* Readelf now has a 'lint' mode to enable extra checks of the files it is processing.
* Readelf will now display '[...]' when it has to truncate a symbol name.  
  The old behaviour - of displaying as many characters as possible, up to
  the 80 column limit - can be restored by the use of the --silent-truncation
* The linker can now produce a dependency file listing the inputs that it
  has processed, much like the -M -MP option supported by the compiler.

- fix DT_NEEDED order with -flto [bsc#1163744]

Update to binutils 2.34:

* The disassembler (objdump --disassemble) now has an option to
  generate ascii art thats show the arcs between that start and end
  points of control flow instructions.
* The binutils tools now have support for debuginfod.  Debuginfod is a 
  HTTP service for distributing ELF/DWARF debugging information as
  well as source code.  The tools can now connect to debuginfod
  servers in order to download debug information about the files that
  they are processing.
* The assembler and linker now support the generation of ELF format
  files for the Z80 architecture.

- Add new subpackages for libctf and libctf-nobfd.
- Disable LTO due to bsc#1163333.
- Includes fixes for these CVEs:
  bsc#1153768 aka CVE-2019-17451 aka PR25070
  bsc#1153770 aka CVE-2019-17450 aka PR25078

- fix various build fails on aarch64 (PR25210, bsc#1157755).

Update to binutils 2.33.1:

* Adds support for the Arm Scalable Vector Extension version 2
  (SVE2) instructions, the Arm Transactional Memory Extension (TME)
  instructions and the Armv8.1-M Mainline and M-profile Vector
  Extension (MVE) instructions.
* Adds support for the Arm Cortex-A76AE, Cortex-A77 and Cortex-M35P
  processors and the AArch64 Cortex-A34, Cortex-A65, Cortex-A65AE,
  Cortex-A76AE, and Cortex-A77 processors.
* Adds a .float16 directive for both Arm and AArch64 to allow
  encoding of 16-bit floating point literals.
* For MIPS, Add -m[no-]fix-loongson3-llsc option to fix (or not)
  Loongson3 LLSC Errata.  Add a --enable-mips-fix-loongson3-llsc=[yes|no]
  configure time option to set the default behavior. Set the default
  if the configure option is not used to 'no'.
* The Cortex-A53 Erratum 843419 workaround now supports a choice of
  which workaround to use.  The option --fix-cortex-a53-843419 now
  takes an optional argument --fix-cortex-a53-843419[=full|adr|adrp]
  which can be used to force a particular workaround to be used.
  See --help for AArch64 for more details.
* Add support for GNU_PROPERTY_AARCH64_FEATURE_1_BTI and
  GNU_PROPERTY_AARCH64_FEATURE_1_PAC  in ELF GNU program properties
  in the AArch64 ELF linker. 
* Add -z force-bti for AArch64 to enable GNU_PROPERTY_AARCH64_FEATURE_1_BTI
  on output while warning about missing GNU_PROPERTY_AARCH64_FEATURE_1_BTI 
  on inputs and use PLTs protected with BTI.
* Add -z pac-plt for AArch64 to pick PAC enabled PLTs.
* Add --source-comment[=<txt>] option to objdump which if present,
  provides a prefix to source code lines displayed in a disassembly.
* Add --set-section-alignment <section-name>=<power-of-2-align>
  option to objcopy to allow the changing of section alignments.
* Add --verilog-data-width option to objcopy for verilog targets to
  control width of data elements in verilog hex format.
* The separate debug info file options of readelf (--debug-dump=links
  and --debug-dump=follow) and objdump (--dwarf=links and
  --dwarf=follow-links) will now display and/or follow multiple
  links if more than one are present in a file.  (This usually
  happens when gcc's -gsplit-dwarf option is used).
  In addition objdump's --dwarf=follow-links now also affects its
  other display options, so that for example, when combined with
  --syms it will cause the symbol tables in any linked debug info
  files to also be displayed.  In addition when combined with
  --disassemble the --dwarf= follow-links option will ensure that
  any symbol tables in the linked files are read and used when
  disassembling code in the main file.
* Add support for dumping types encoded in the Compact Type Format
  to objdump and readelf.
- Includes fixes for these CVEs:
  bsc#1126826 aka CVE-2019-9077 aka PR1126826
  bsc#1126829 aka CVE-2019-9075 aka PR1126829
  bsc#1126831 aka CVE-2019-9074 aka PR24235
  bsc#1140126 aka CVE-2019-12972 aka PR23405
  bsc#1143609 aka CVE-2019-14444 aka PR24829
  bsc#1142649 aka CVE-2019-14250 aka PR90924

* Add xBPF target
* Fix various problems with DWARF 5 support in gas
* fix nm -B for objects compiled with -flto and -fcommon.

Advisory ID: SUSE-RU-2020:3138-1
Released:    Tue Nov  3 12:14:03 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1104902,1154935,1165502,1167471,1173422,1176513,1176800
This update for systemd fixes the following issues:

- seccomp: shm{get,at,dt} now have their own numbers everywhere (bsc#1173422)
- test-seccomp: log function names
- test-seccomp: add log messages when skipping tests
- basic/virt: Detect PowerVM hypervisor (bsc#1176800)
- fs-util: suppress world-writable warnings if we read /dev/null
- udevadm: rename option '--log-priority' into '--log-level'
- udev: rename kernel option 'log_priority' into 'log_level'
- fstab-generator: add 'nofail' when  NFS 'bg' option is used (bsc#1176513)
- Fix memory protection default (bsc#1167471) 
- cgroup: Support 0-value for memory protection directives and accepts MemorySwapMax=0 (bsc#1154935)
- Improve latency and reliability when users log in/out (bsc#1104902, bsc#1165502)

Advisory ID: SUSE-RU-2020:3157-1
Released:    Wed Nov  4 15:37:05 2020
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:  1177864
This update for ca-certificates-mozilla fixes the following issues:

The SSL Root CA store was updated to the 2.44 state of the Mozilla NSS Certificate store (bsc#1177864)

- Removed CAs:

  - EE Certification Centre Root CA
  - Taiwan GRCA

- Added CAs:

  - Trustwave Global Certification Authority
  - Trustwave Global ECC P256 Certification Authority
  - Trustwave Global ECC P384 Certification Authority

Advisory ID: SUSE-RU-2020:3290-1
Released:    Wed Nov 11 12:25:32 2020
Summary:     Recommended update for findutils
Type:        recommended
Severity:    moderate
References:  1174232
This update for findutils fixes the following issues:

- Do not unconditionally use leaf optimization for NFS. (bsc#1174232)
  NFS st_nlink are not accurate on all implementations, leading to aborts() if that assumption is made.

Advisory ID: SUSE-SU-2020:3313-1
Released:    Thu Nov 12 16:07:37 2020
Summary:     Security update for openldap2
Type:        security
Severity:    important
References:  1178387,CVE-2020-25692
This update for openldap2 fixes the following issues:

- CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387).

Advisory ID: SUSE-SU-2020:3377-1
Released:    Thu Nov 19 09:29:32 2020
Summary:     Security update for krb5
Type:        security
Severity:    moderate
References:  1178512,CVE-2020-28196
This update for krb5 fixes the following security issue:

- CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512).

Advisory ID: SUSE-RU-2020:3381-1
Released:    Thu Nov 19 10:53:38 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1177458,1177490,1177510
This update for systemd fixes the following issues:

- build-sys: optionally disable support of journal over the network (bsc#1177458)
- ask-password: prevent buffer overflow when reading from keyring (bsc#1177510)
- mount: don't propagate errors from mount_setup_unit() further up
- Rely on the new build option --disable-remote for journal_remote
  This allows to drop the workaround that consisted in cleaning journal-upload files and
  {sysusers.d,tmpfiles.d}/systemd-remote.conf manually when 'journal_remote' support was disabled.
- Move journal-{remote,upload}.conf.5.gz man pages into systemd-journal_remote sub package 
- Make sure {sysusers.d,tmpfiles.d}/systemd-remote.conf are not shipped with --without=journal_remote (bsc#1177458)
  These files were incorrectly packaged in the main package when systemd-journal_remote was disabled.
- Make use of %{_unitdir} and %{_sysusersdir}
- Remove mq-deadline selection from 60-io-scheduler.rules (bsc#1177490)

Advisory ID: SUSE-RU-2020:3462-1
Released:    Fri Nov 20 13:14:35 2020
Summary:     Recommended update for pam and sudo
Type:        recommended
Severity:    moderate
References:  1174593,1177858,1178727
This update for pam and sudo fixes the following issue:


- pam_xauth: do not *free* a string which has been successfully passed to *putenv*. (bsc#1177858)
- Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727)
- Run /usr/bin/xauth using the old user's and group's identifiers. (bsc#1174593)


- Fix a problem with pam_xauth which checks effective and real uids to get the real identity of the user. (bsc#1174593)

Advisory ID: SUSE-RU-2020:3581-1
Released:    Tue Dec  1 14:40:22 2020
Summary:     Recommended update for libusb-1_0
Type:        recommended
Severity:    moderate
References:  1178376
This update for libusb-1_0 fixes the following issues:

- Fixes a build failure for libusb for the inclusion of 'sys/time.h' on PowerPC. (bsc#1178376)

Advisory ID: SUSE-RU-2020:3620-1
Released:    Thu Dec  3 17:03:55 2020
Summary:     Recommended update for pam
Type:        recommended
Severity:    moderate
This update for pam fixes the following issues:

- Check if the password is part of the username. (jsc#SLE-16719, jsc#SLE-16720)
  - Check whether the password contains a substring of of the user's name of at least `<N>` characters length in 
  some form. This is enabled by the new parameter `usersubstr=<N>`

Advisory ID: SUSE-RU-2020:3626-1
Released:    Fri Dec  4 13:51:46 2020
Summary:     Recommended update for audit
Type:        recommended
Severity:    moderate
References:  1179515
This update for audit fixes the following issues:

- Enable Aarch64 processor support. (bsc#1179515) 

Advisory ID: SUSE-RU-2020:3640-1
Released:    Mon Dec  7 13:24:41 2020
Summary:     Recommended update for binutils
Type:        recommended
Severity:    important
References:  1179036,1179341
This update for binutils fixes the following issues:

Update binutils 2.35 branch to commit 1c5243df:

* Fixes PR26520, aka [bsc#1179036], a problem in addr2line with
  certain DWARF variable descriptions.
* Also fixes PR26711, PR26656, PR26655, PR26929, PR26808, PR25878,
  PR26740, PR26778, PR26763, PR26685, PR26699, PR26902, PR26869,
* The above includes fixes for dwo files produced by modern dwp,
  fixing several problems in the DWARF reader.

Update binutils to 2.35.1 and rebased branch diff:

* This is a point release over the previous 2.35 version, containing bug
  fixes, and as an exception to the usual rule, one new feature.  The
  new feature is the support for a new directive in the assembler:
  '.nop'.  This directive creates a single no-op instruction in whatever
  encoding is correct for the target architecture.  Unlike the .space or
  .fill this is a real instruction, and it does affect the generation of
  DWARF line number tables, should they be enabled. This fixes an 
  incompatibility introduced in the latest update that broke the install
  scripts of the Oracle server. [bsc#1179341]

Advisory ID: SUSE-RU-2020:3703-1
Released:    Mon Dec  7 20:17:32 2020
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1179431
This update for aaa_base fixes the following issue:

- Avoid semicolon within (t)csh login script on S/390. (bsc#1179431)

Advisory ID: SUSE-SU-2020:3721-1
Released:    Wed Dec  9 13:36:46 2020
Summary:     Security update for openssl-1_1
Type:        security
Severity:    important
References:  1179491,CVE-2020-1971
This update for openssl-1_1 fixes the following issues:
- CVE-2020-1971: Fixed a null pointer dereference in EDIPARTYNAME (bsc#1179491).

Advisory ID: SUSE-SU-2020:3735-1
Released:    Wed Dec  9 18:19:24 2020
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1179398,1179399,1179593,CVE-2020-8284,CVE-2020-8285,CVE-2020-8286
This update for curl fixes the following issues:

- CVE-2020-8286: Fixed improper OSCP verification in the client side (bsc#1179593). 
- CVE-2020-8285: Fixed a stack overflow due to FTP wildcard (bsc#1179399).
- CVE-2020-8284: Fixed an issue where a malicius FTP server could make curl connect to a different IP (bsc#1179398).	  

Advisory ID: SUSE-SU-2020:3749-1
Released:    Thu Dec 10 14:39:28 2020
Summary:     Security update for gcc7
Type:        security
Severity:    moderate
References:  1150164,1161913,1167939,1172798,1178577,1178614,1178624,1178675,CVE-2020-13844
This update for gcc7 fixes the following issues:

- CVE-2020-13844: Added mitigation for aarch64 Straight Line Speculation issue (bsc#1172798)
- Enable fortran for the nvptx offload compiler. 
- Update README.First-for.SuSE.packagers
- avoid assembler errors with AVX512 gather and scatter instructions when using -masm=intel.
- Backport the aarch64 -moutline-atomics feature and accumulated fixes but not its
  default enabling.  [jsc#SLE-12209, bsc#1167939]
- Fixed 32bit link.  [bsc#1178675]
- Fixed memcpy miscompilation on aarch64. [bsc#1178624, bsc#1178577]
- Fixed debug line info for try/catch.  [bsc#1178614]
- Remove -mbranch-protection=standard (aarch64 flag) when gcc7 is used to build gcc7 (ie when ada is enabled)
- Fixed corruption of pass private ->aux via DF. [gcc#94148]
- Fixed debug information issue with inlined functions and passed by reference arguments.  [gcc#93888]
- Fixed binutils release date detection issue.
- Fixed register allocation issue with exception handling code on s390x.  [bsc#1161913] 
- Fixed miscompilation of some atomic code on aarch64. [bsc#1150164]

More information about the sle-security-updates mailing list