SUSE-CU-2020:858-1: Security update of caasp/v4/nginx-ingress-controller

sle-security-updates at lists.suse.com
Fri Dec 18 07:54:43 MST 2020


SUSE Container Update Advisory: caasp/v4/nginx-ingress-controller
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:858-1
Container Tags        : caasp/v4/nginx-ingress-controller:0.15.0 , caasp/v4/nginx-ingress-controller:0.15.0-rev1 , caasp/v4/nginx-ingress-controller:0.15.0-rev1-build2.305 , caasp/v4/nginx-ingress-controller:beta1
Container Release     : 2.305
Severity              : important
Type                  : security
References            : 1005063 1010675 1010996 1010996 1030472 1030476 1033084 1033085
                        1033087 1033088 1033089 1033090 1040621 1042781 1049825 1050241
                        1069384 1071152 1071152 1071390 1071390 1080919 1082318 1082318
                        1083571 1084671 1085003 1087481 1091236 1092034 1092100 1093414
                        1096209 1096974 1096984 1097869 1098155 1100078 1100396 1100415
                        1100415 1100989 1102840 1103244 1104780 1104902 1105435 1105495
                        1106383 1106390 1107067 1107617 1108606 1109893 1110146 1110542
                        1110797 1110929 1111300 1111319 1111498 1111973 1112300 1112723
                        1112726 1112758 1112911 1113296 1113975 1114592 1114674 1114835
                        1115500 1116544 1116995 1117025 1117382 1117951 1117951 1118629
                        1118629 1119296 1120629 1120629 1120630 1120630 1120631 1120631
                        1120658 1121446 1121563 1121626 1121753 1122000 1122344 1123333
                        1123361 1123371 1123377 1123378 1123522 1123685 1123697 1123704
                        1123886 1123892 1123919 1124211 1124847 1125007 1125113 1125352
                        1125352 1125535 1126056 1126117 1126118 1126119 1126613 1127080
                        1127155 1127155 1127155 1127223 1127308 1127557 1127891 1128383
                        1128471 1128472 1128474 1128476 1128480 1128481 1128481 1128490
                        1128492 1128493 1128574 1128657 1128712 1128828 1130103 1130230
                        1130324 1131291 1131635 1131823 1131823 1131830 1131886 1131982
                        1132160 1132348 1132400 1132721 1133418 1133495 1133528 1134226
                        1134550 1135170 1135254 1135261 1135709 1136298 1136570 1137053
                        1137832 1137977 1137977 1139083 1139083 1139459 1139459 1139870
                        1139937 1139942 1140039 1140095 1140101 1140120 1140631 1140914
                        1141093 1141493 1141897 1142614 1142649 1142654 1142661 1143194
                        1143273 1144169 1145521 1146415 1146608 1148517 1148987 1149145
                        1149332 1149429 1149496 1149995 1150003 1150250 1150595 1150734
                        1151377 1151506 1151577 1152590 1153386 1153557 1154036 1154037
                        1154043 1154043 1154256 1154609 1154862 1154871 1154871 1154948
                        1155199 1155338 1155339 1155574 1156159 1156194 1156276 1156402
                        1156482 1157198 1157315 1157578 1158586 1158763 1158809 1159162
                        1159814 1159928 1160039 1160160 1160163 1160571 1160594 1160613
                        1160614 1160764 1161262 1161436 1161517 1161521 1161779 1162108
                        1162518 1162698 1162879 1163834 1163922 1164538 1165471 1165633
                        1165784 1165915 1165915 1165919 1165919 1166301 1166510 1167622
                        1167898 1168195 1169488 1169766 1169947 1170601 1170715 1170771
                        1171145 1171863 1171864 1171866 1171878 1172021 1172085 1172265
                        1172295 1172491 1172698 1172704 1172798 1172846 1173027 1173227
                        1173593 1173972 1174080 1174537 1174628 1174628 1174660 1174673
                        1174753 1174817 1175168 1175239 1176013 1176123 1176179 1176410
                        1176513 1176800 1177143 1177458 1177510 1177864 1177914 1178038
                        1178387 1178512 888534 941922 954600 955942 973042 983268 985657
                        CVE-2009-5155 CVE-2015-5186 CVE-2016-10254 CVE-2016-10255 CVE-2016-3189
                        CVE-2016-5102 CVE-2016-9318 CVE-2017-12652 CVE-2017-6891 CVE-2017-7607
                        CVE-2017-7608 CVE-2017-7610 CVE-2017-7611 CVE-2017-7612 CVE-2017-7613
                        CVE-2017-7890 CVE-2017-9103 CVE-2017-9104 CVE-2017-9105 CVE-2017-9106
                        CVE-2017-9107 CVE-2017-9108 CVE-2017-9109 CVE-2018-1000654 CVE-2018-10360
                        CVE-2018-10754 CVE-2018-1122 CVE-2018-1123 CVE-2018-1124 CVE-2018-1125
                        CVE-2018-1126 CVE-2018-1152 CVE-2018-11813 CVE-2018-14498 CVE-2018-14553
                        CVE-2018-16062 CVE-2018-16403 CVE-2018-16839 CVE-2018-16890 CVE-2018-17000
                        CVE-2018-18310 CVE-2018-18311 CVE-2018-18520 CVE-2018-18521 CVE-2018-20532
                        CVE-2018-20532 CVE-2018-20533 CVE-2018-20533 CVE-2018-20534 CVE-2018-20534
                        CVE-2018-20843 CVE-2018-6954 CVE-2019-11038 CVE-2019-11068 CVE-2019-12749
                        CVE-2019-12900 CVE-2019-12900 CVE-2019-13050 CVE-2019-13057 CVE-2019-13117
                        CVE-2019-13118 CVE-2019-13565 CVE-2019-13627 CVE-2019-14250 CVE-2019-14866
                        CVE-2019-14973 CVE-2019-1547 CVE-2019-1551 CVE-2019-1559 CVE-2019-1563
                        CVE-2019-15847 CVE-2019-15903 CVE-2019-17498 CVE-2019-17594 CVE-2019-17595
                        CVE-2019-18197 CVE-2019-18900 CVE-2019-19956 CVE-2019-20386 CVE-2019-20388
                        CVE-2019-2201 CVE-2019-3688 CVE-2019-3690 CVE-2019-3822 CVE-2019-3823
                        CVE-2019-3842 CVE-2019-3855 CVE-2019-3856 CVE-2019-3857 CVE-2019-3858
                        CVE-2019-3859 CVE-2019-3859 CVE-2019-3860 CVE-2019-3860 CVE-2019-3861
                        CVE-2019-3862 CVE-2019-3863 CVE-2019-5188 CVE-2019-5436 CVE-2019-5482
                        CVE-2019-6128 CVE-2019-6454 CVE-2019-6454 CVE-2019-6977 CVE-2019-6978
                        CVE-2019-7150 CVE-2019-7317 CVE-2019-7663 CVE-2019-7665 CVE-2019-8905
                        CVE-2019-8906 CVE-2019-8907 CVE-2019-9169 CVE-2019-9232 CVE-2019-9433
                        CVE-2019-9893 CVE-2019-9924 CVE-2020-10029 CVE-2020-10543 CVE-2020-10878
                        CVE-2020-12243 CVE-2020-12723 CVE-2020-13790 CVE-2020-13844 CVE-2020-14344
                        CVE-2020-14344 CVE-2020-14363 CVE-2020-15999 CVE-2020-1712 CVE-2020-24977
                        CVE-2020-25219 CVE-2020-25692 CVE-2020-26154 CVE-2020-28196 CVE-2020-7595
                        CVE-2020-8013 CVE-2020-8023 CVE-2020-8177 SLE-10396 SLE-5933
                        SLE-7081 SLE-7257 
-----------------------------------------------------------------

The container caasp/v4/nginx-ingress-controller was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:50-1
Released:    Thu Jan 15 16:33:18 2015
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:  888534

The system root SSL certificates were updated to match Mozilla NSS 2.2.

Some removed/disabled 1024-bit certificates were temporarily re-enabled/re-added,
because openssl and gnutls handle intermediates differently from Mozilla NSS and
would otherwise not recognize SSL certificates from commonly used sites like Amazon.

Updated to 2.2 (bnc#888534)
- The following CAs were added:
  + COMODO_RSA_Certification_Authority
    codeSigning emailProtection serverAuth
  + GlobalSign_ECC_Root_CA_-_R4
    codeSigning emailProtection serverAuth
  + GlobalSign_ECC_Root_CA_-_R5
    codeSigning emailProtection serverAuth
  + USERTrust_ECC_Certification_Authority
    codeSigning emailProtection serverAuth
  + USERTrust_RSA_Certification_Authority
    codeSigning emailProtection serverAuth
  + VeriSign-C3SSA-G2-temporary-intermediate-after-1024bit-removal
- The following CAs were changed:
  + Equifax_Secure_eBusiness_CA_1
    remove code signing and https trust, leave email trust
  + Verisign_Class_3_Public_Primary_Certification_Authority_-_G2
    only trust emailProtection
- Updated to 2.1 (bnc#888534)
- The following 1024-bit CA certificates were removed
  - Entrust.net Secure Server Certification Authority
  - ValiCert Class 1 Policy Validation Authority
  - ValiCert Class 2 Policy Validation Authority
  - ValiCert Class 3 Policy Validation Authority
  - TDC Internet Root CA
- The following CA certificates were added:
  - Certification Authority of WoSign
  - CA 沃通根证书
  - DigiCert Assured ID Root G2
  - DigiCert Assured ID Root G3
  - DigiCert Global Root G2
  - DigiCert Global Root G3
  - DigiCert Trusted Root G4
  - QuoVadis Root CA 1 G3
  - QuoVadis Root CA 2 G3
  - QuoVadis Root CA 3 G3
- The Trust Bits were changed for the following CA certificates
  - Class 3 Public Primary Certification Authority
  - Class 3 Public Primary Certification Authority
  - Class 2 Public Primary Certification Authority - G2
  - VeriSign Class 2 Public Primary Certification Authority - G3
  - AC Raíz Certicámara S.A.
  - NetLock Uzleti (Class B) Tanusitvanykiado
  - NetLock Expressz (Class C) Tanusitvanykiado

Temporarily re-enable some root CA trusts, as openssl/gnutls
have trouble using intermediates as root CAs.
  - GTE CyberTrust Global Root
  - Thawte Server CA
  - Thawte Premium Server CA
  - ValiCert Class 1 VA
  - ValiCert Class 2 VA
  - RSA Root Certificate 1
  - Entrust.net Secure Server CA
  - America Online Root Certification Authority 1
  - America Online Root Certification Authority 2

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:587-1
Released:    Fri Apr  8 17:06:56 2016
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:  973042

The root SSL certificate store ca-certificates-mozilla was updated
to version 2.7 of the Mozilla NSS equivalent. (bsc#973042)

- Newly added CAs:
  * CA WoSign ECC Root
  * Certification Authority of WoSign
  * Certification Authority of WoSign G2
  * Certinomis - Root CA
  * Certum Trusted Network CA 2
  * CFCA EV ROOT
  * COMODO RSA Certification Authority
  * DigiCert Assured ID Root G2
  * DigiCert Assured ID Root G3
  * DigiCert Global Root G2
  * DigiCert Global Root G3
  * DigiCert Trusted Root G4
  * Entrust Root Certification Authority - EC1
  * Entrust Root Certification Authority - G2
  * GlobalSign
  * IdenTrust Commercial Root CA 1
  * IdenTrust Public Sector Root CA 1
  * OISTE WISeKey Global Root GB CA
  * QuoVadis Root CA 1 G3
  * QuoVadis Root CA 2 G3
  * QuoVadis Root CA 3 G3
  * Staat der Nederlanden EV Root CA
  * Staat der Nederlanden Root CA - G3
  * S-TRUST Universal Root CA
  * SZAFIR ROOT CA2
  * TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5
  * TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6
  * USERTrust ECC Certification Authority
  * USERTrust RSA Certification Authority
  * 沃通根证书

- Removed CAs:
  * AOL CA
  * A Trust nQual 03
  * Buypass Class 3 CA 1
  * CA Disig
  * Digital Signature Trust Co Global CA 1
  * Digital Signature Trust Co Global CA 3
  * E Guven Kok Elektronik Sertifika Hizmet Saglayicisi
  * NetLock Expressz (Class C) Tanusitvanykiado
  * NetLock Kozjegyzoi (Class A) Tanusitvanykiado
  * NetLock Minositett Kozjegyzoi (Class QA) Tanusitvanykiado
  * NetLock Uzleti (Class B) Tanusitvanykiado
  * SG TRUST SERVICES RACINE
  * Staat der Nederlanden Root CA
  * TC TrustCenter Class 2 CA II
  * TC TrustCenter Universal CA I
  * TDC Internet Root CA
  * UTN DATACorp SGC Root CA
  * Verisign Class 1 Public Primary Certification Authority - G2
  * Verisign Class 3 Public Primary Certification Authority
  * Verisign Class 3 Public Primary Certification Authority - G2

- Removed server trust from:
  * AC Raíz Certicámara S.A.
  * ComSign Secured CA
  * NetLock Uzleti (Class B) Tanusitvanykiado
  * NetLock Business (Class B) Root
  * NetLock Expressz (Class C) Tanusitvanykiado
  * TC TrustCenter Class 3 CA II
  * TURKTRUST Certificate Services Provider Root 1
  * TURKTRUST Certificate Services Provider Root 2
  * Equifax Secure Global eBusiness CA-1
  * Verisign Class 4 Public Primary Certification Authority G3

- Enable server trust for:
  * Actalis Authentication Root CA

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:265-1
Released:    Tue Feb  6 14:58:28 2018
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:  1010996,1071152,1071390

This update for ca-certificates-mozilla fixes the following issues:

The system SSL root certificate store was updated to Mozilla certificate
version 2.22 from January 2018.  (bsc#1071152 bsc#1071390 bsc#1010996)

We removed the old 1024-bit legacy CAs that were temporarily left in to allow
in-chain root certificates, as openssl is now able to handle them.

Further changes coming from Mozilla:

- New Root CAs added:

  * Amazon Root CA 1: (email protection, server auth)
  * Amazon Root CA 2: (email protection, server auth)
  * Amazon Root CA 3: (email protection, server auth)
  * Amazon Root CA 4: (email protection, server auth)
  * Certplus Root CA G1: (email protection, server auth)
  * Certplus Root CA G2: (email protection, server auth)
  * D-TRUST Root CA 3 2013: (email protection)
  * GDCA TrustAUTH R5 ROOT: (server auth)
  * Hellenic Academic and Research Institutions ECC RootCA 2015: (email protection, server auth)
  * Hellenic Academic and Research Institutions RootCA 2015: (email protection, server auth)
  * ISRG Root X1: (server auth)
  * LuxTrust Global Root 2: (server auth)
  * OpenTrust Root CA G1: (email protection, server auth)
  * OpenTrust Root CA G2: (email protection, server auth)
  * OpenTrust Root CA G3: (email protection, server auth)
  * SSL.com EV Root Certification Authority ECC: (server auth)
  * SSL.com EV Root Certification Authority RSA R2: (server auth)
  * SSL.com Root Certification Authority ECC: (email protection, server auth)
  * SSL.com Root Certification Authority RSA: (email protection, server auth)
  * Symantec Class 1 Public Primary Certification Authority - G4: (email protection)
  * Symantec Class 1 Public Primary Certification Authority - G6: (email protection)
  * Symantec Class 2 Public Primary Certification Authority - G4: (email protection)
  * Symantec Class 2 Public Primary Certification Authority - G6: (email protection)
  * TrustCor ECA-1: (email protection, server auth)
  * TrustCor RootCert CA-1: (email protection, server auth)
  * TrustCor RootCert CA-2: (email protection, server auth)
  * TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1: (server auth)

- Removed root CAs:

  * AddTrust Public Services Root
  * AddTrust Public CA Root
  * AddTrust Qualified CA Root
  * ApplicationCA - Japanese Government
  * Buypass Class 2 CA 1
  * CA Disig Root R1
  * CA WoSign ECC Root
  * Certification Authority of WoSign G2
  * Certinomis - Autorité Racine
  * Certum Root CA
  * China Internet Network Information Center EV Certificates Root
  * CNNIC ROOT
  * Comodo Secure Services root
  * Comodo Trusted Services root
  * ComSign Secured CA
  * EBG Elektronik Sertifika Hizmet Sağlayıcısı
  * Equifax Secure CA
  * Equifax Secure eBusiness CA 1
  * Equifax Secure Global eBusiness CA
  * GeoTrust Global CA 2
  * IGC/A
  * Juur-SK
  * Microsec e-Szigno Root CA
  * PSCProcert
  * Root CA Generalitat Valenciana
  * RSA Security 2048 v3
  * Security Communication EV RootCA1
  * Sonera Class 1 Root CA
  * StartCom Certification Authority
  * StartCom Certification Authority G2
  * S-TRUST Authentication and Encryption Root CA 2005 PN
  * Swisscom Root CA 1
  * Swisscom Root EV CA 2
  * TÜBİTAK UEKAE Kök Sertifika Hizmet Sağlayıcısı - Sürüm 3
  * TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı
  * TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6
  * UTN USERFirst Hardware Root CA
  * UTN USERFirst Object Root CA
  * VeriSign Class 3 Secure Server CA - G2
  * Verisign Class 1 Public Primary Certification Authority
  * Verisign Class 2 Public Primary Certification Authority - G2
  * Verisign Class 3 Public Primary Certification Authority
  * WellsSecure Public Root Certificate Authority
  * Certification Authority of WoSign
  * WoSign China

- Removed Code Signing rights from a lot of CAs (not listed here).

- Removed Server Auth rights from:

  * AddTrust Low-Value Services Root
  * Camerfirma Chambers of Commerce Root
  * Camerfirma Global Chambersign Root
  * Swisscom Root CA 2


-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1643-1
Released:    Thu Aug 16 17:41:07 2018
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:  1100415

The systemwide Root CA certificates were updated to the 2.24 state of the Mozilla NSS Certificate store.

The following CAs were removed:

* S-TRUST_Universal_Root_CA
* TC_TrustCenter_Class_3_CA_II
* TURKTRUST_Elektronik_Sertifika_Hizmet_Saglayicisi_H5
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1763-1
Released:    Mon Aug 27 09:30:15 2018
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:  1104780
This update for ca-certificates-mozilla fixes the following issues:

The Root CA store was updated to 2.26 state of the Mozilla NSS Certificate store. (bsc#1104780)

- Removed server auth from the following CAs:

  - Certplus Root CA G1
  - Certplus Root CA G2
  - OpenTrust Root CA G1
  - OpenTrust Root CA G2
  - OpenTrust Root CA G3

- Removed CAs:

  - ComSign CA

- Added new CAs:

  - GlobalSign

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:149-1
Released:    Wed Jan 23 17:58:18 2019
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:  1121446
This update for ca-certificates-mozilla fixes the following issues:

The package was updated to the 2.30 version of the Mozilla NSS Certificate store. (bsc#1121446)

Removed Root CAs:

- AC Raiz Certicamara S.A.
- Certplus Root CA G1
- Certplus Root CA G2
- OpenTrust Root CA G1
- OpenTrust Root CA G2
- OpenTrust Root CA G3
- Visa eCommerce Root

Added Root CAs:

- Certigna Root CA (email and server auth)
- GTS Root R1 (server auth)
- GTS Root R2 (server auth)
- GTS Root R3 (server auth)
- GTS Root R4 (server auth)
- OISTE WISeKey Global Root GC CA (email and server auth)
- UCA Extended Validation Root (server auth)
- UCA Global G2 Root (email and server auth)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:218-1
Released:    Thu Jan 31 20:30:20 2019
Summary:     Recommended update for kmod
Type:        recommended
Severity:    moderate
References:  1118629
This update for kmod fixes the following issues:

- Fix module dependency file corruption on parallel invocation (bsc#1118629).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:249-1
Released:    Wed Feb  6 08:36:16 2019
Summary:     Security update for curl
Type:        security
Severity:    important
References:  1123371,1123377,1123378,CVE-2018-16890,CVE-2019-3822,CVE-2019-3823
This update for curl fixes the following issues:

Security issues fixed:

- CVE-2019-3823: Fixed a heap out-of-bounds read in the code handling the end-of-response for SMTP (bsc#1123378).
- CVE-2019-3822: Fixed a stack based buffer overflow in the function creating an outgoing NTLM type-3 message (bsc#1123377).
- CVE-2018-16890: Fixed a heap buffer out-of-bounds read in the function handling incoming NTLM type-2 messages (bsc#1123371).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:261-1
Released:    Wed Feb  6 11:26:21 2019
Summary:     Recommended update for pam-config
Type:        recommended
Severity:    moderate
References:  1114835
This update for pam-config fixes the following issues:

- Adds support for more pam_cracklib options. (bsc#1114835)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:428-1
Released:    Tue Feb 19 10:59:59 2019
Summary:     Security update for systemd
Type:        security
Severity:    important
References:  1111498,1117025,1117382,1120658,1122000,1122344,1123333,1123892,1125352,CVE-2019-6454
This update for systemd fixes the following issues:

Security vulnerability fixed:

- CVE-2019-6454: Fixed a crash of PID 1 caused by a specially crafted D-Bus
  message sent on the system bus by an unprivileged user (bsc#1125352).

Other bug fixes and changes:

- journal-remote: set a limit on the number of fields in a message
- journal-remote: verify entry length from header
- journald: set a limit on the number of fields (1k)
- journald: do not store the iovec entry for process commandline on stack
- core: include Found state in device dumps
- device: fix serialization and deserialization of DeviceFound
- fix path in btrfs rule (#6844)
- assemble multidevice btrfs volumes without external tools (#6607) (bsc#1117025)
- Update systemd-system.conf.xml (bsc#1122000)
- units: inform user that the default target is started after exiting from rescue or emergency mode
- manager: don't skip sigchld handler for main and control pid for services (#3738)
- core: Add helper functions unit_{main, control}_pid
- manager: Fixing a debug printf formatting mistake (#3640)
- manager: Only invoke a single sigchld per unit within a cleanup cycle (bsc#1117382)
- core: update invoke_sigchld_event() to handle NULL ->sigchld_event()
- sd-event: expose the event loop iteration counter via sd_event_get_iteration() (#3631)
- unit: rework a bit how we keep the service fdstore from being destroyed during service restart (bsc#1122344)
- core: when restarting services, don't close fds
- cryptsetup: Add dependency on loopback setup to generated units
- journal-gateway: use localStorage['cursor'] only when it has valid value
- journal-gateway: explicitly declare local variables
- analyze: actually select longest activated-time of services
- sd-bus: fix implicit downcast of bitfield reported by LGTM
- core: free lines after reading them (bsc#1123892)
- pam_systemd: reword message about not creating a session (bsc#1111498)
- pam_systemd: suppress LOG_DEBUG log messages if debugging is off (bsc#1111498)
- main: improve RLIMIT_NOFILE handling (#5795) (bsc#1120658)
- sd-bus: if we receive an invalid dbus message, ignore it and proceed
- automount: don't pass non-blocking pipe to kernel.
- units: make sure initrd-cleanup.service terminates before switching to rootfs (bsc#1123333)
- units: add Wants=initrd-cleanup.service to initrd-switch-root.target (#4345) (bsc#1123333)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:434-1
Released:    Tue Feb 19 12:19:02 2019
Summary:     Recommended update for libsemanage
Type:        recommended
Severity:    moderate
References:  1115500
This update for libsemanage provides the following fix:

- Prevent an error message when reading module version if the directory does not exist.
  (bsc#1115500)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:450-1
Released:    Wed Feb 20 16:42:38 2019
Summary:     Security update for procps
Type:        security
Severity:    important
References:  1092100,1121753,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126

This update for procps fixes the following security issues:

- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top
  with HOME unset in an attacker-controlled directory, the attacker could have
  achieved privilege escalation by exploiting one of several vulnerabilities in
  the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow.
  Inbuilt protection in ps mapped a guard page at the end of the overflowed
  buffer, ensuring that the impact of this flaw is limited to a crash (temporary
  denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap
  corruption in the file2strvec function. This allowed a privilege escalation for a
  local attacker who can create entries in procfs by starting processes, which
  could result in crashes or arbitrary code execution in proc utilities run by
  other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was
  mitigated by FORTIFY limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent
  truncation/integer overflow issues (bsc#1092100).

(These issues were previously released for SUSE Linux Enterprise 12 SP3 and SP4.)

Also the following non-security issue was fixed:

- Fix CPU summary showing old data. (bsc#1121753)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:514-1
Released:    Thu Feb 28 15:39:05 2019
Summary:     Recommended update for apparmor
Type:        recommended
Severity:    moderate
References:  1112300
This update for apparmor fixes the following issues:

- Fix erroneously generated audit records: include status* files in dnsmasq. (bsc#1112300)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:655-1
Released:    Wed Mar 20 10:30:49 2019
Summary:     Security update for libssh2_org
Type:        security
Severity:    moderate
References:  1091236,1128471,1128472,1128474,1128476,1128480,1128481,1128490,1128492,1128493,CVE-2019-3855,CVE-2019-3856,CVE-2019-3857,CVE-2019-3858,CVE-2019-3859,CVE-2019-3860,CVE-2019-3861,CVE-2019-3862,CVE-2019-3863
This update for libssh2_org fixes the following issues:

Security issues fixed:

- CVE-2019-3861: Fixed out-of-bounds reads with specially crafted SSH packets (bsc#1128490).
- CVE-2019-3862: Fixed an out-of-bounds memory comparison with a specially crafted message channel request packet (bsc#1128492).
- CVE-2019-3860: Fixed out-of-bounds reads with specially crafted SFTP packets (bsc#1128481).
- CVE-2019-3863: Fixed an integer overflow in keyboard-interactive user authentication which could allow out-of-bounds writes
  with specially crafted keyboard responses (bsc#1128493).
- CVE-2019-3856: Fixed a potential integer overflow in keyboard-interactive handling which could allow an out-of-bounds write
  with a specially crafted payload (bsc#1128472).
- CVE-2019-3859: Fixed out-of-bounds reads with specially crafted payloads due to unchecked use of _libssh2_packet_require
  and _libssh2_packet_requirev (bsc#1128480).
- CVE-2019-3855: Fixed a potential integer overflow in transport read which could allow an out-of-bounds write with a specially
  crafted payload (bsc#1128471).
- CVE-2019-3858: Fixed a potential zero-byte allocation which could lead to an out-of-bounds read with a specially crafted
  SFTP packet (bsc#1128476).
- CVE-2019-3857: Fixed a potential integer overflow which could lead to a zero-byte allocation and out-of-bounds access with a specially
  crafted message channel request SSH packet (bsc#1128474).

Other issue addressed:

- libssh2 will stop using keys of unsupported types in the known_hosts file (bsc#1091236).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:747-1
Released:    Tue Mar 26 14:35:16 2019
Summary:     Security update for gd
Type:        security
Severity:    moderate
References:  1123361,1123522,CVE-2019-6977,CVE-2019-6978
This update for gd fixes the following issues:

Security issues fixed:

- CVE-2019-6977: Fixed a heap-based buffer overflow in the GD Graphics Library's imagecolormatch function (bsc#1123361).
- CVE-2019-6978: Fixed a double free in the gdImage*Ptr() functions (bsc#1123522).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:794-1
Released:    Thu Mar 28 12:09:29 2019
Summary:     Recommended update for krb5
Type:        recommended
Severity:    moderate
References:  1087481
This update for krb5 fixes the following issues:

- Add support for the GSS_KRB5_CRED_NO_CI_FLAGS_X cred option to
  suppress sending the confidentiality and integrity flags in GSS
  initiator tokens unless they are requested by the caller. These
  flags control the negotiated SASL security layer for the Microsoft
  GSS-SPNEGO SASL mechanism. (bsc#1087481).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:803-1
Released:    Fri Mar 29 13:14:21 2019
Summary:     Security update for openssl
Type:        security
Severity:    moderate
References:  1100078,1113975,1117951,1127080,CVE-2019-1559
This update for openssl fixes the following issues:

Security issues fixed:

- The 9 Lives of Bleichenbacher's CAT: Cache Attacks on TLS Implementations (bsc#1117951)
- CVE-2019-1559: Fixed the OpenSSL 0-byte record padding oracle, in which under certain circumstances
  a TLS server can be forced to respond differently to a client, leading to the decryption of the data (bsc#1127080).

Other issues addressed:

- Fixed IV handling in SHAEXT paths: aes/asm/aesni-sha*-x86_64.pl (bsc#1113975).
- Set TLS version to 0 in msg_callback for record messages to avoid confusing applications (bsc#1100078).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:838-1
Released:    Tue Apr  2 09:52:06 2019
Summary:     Security update for bash
Type:        security
Severity:    important
References:  1130324,CVE-2019-9924
This update for bash fixes the following issues:

Security issue fixed:

- CVE-2019-9924: Fixed a vulnerability in which the shell did not prevent the user from modifying BASH_CMDS,
  allowing the user to execute any command with the permissions of the shell (bsc#1130324).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:839-1
Released:    Tue Apr  2 13:13:21 2019
Summary:     Security update for file
Type:        security
Severity:    moderate
References:  1096974,1096984,1126117,1126118,1126119,CVE-2018-10360,CVE-2019-8905,CVE-2019-8906,CVE-2019-8907
This update for file fixes the following issues:

The following security vulnerabilities were addressed:

- Fixed an out-of-bounds read in the function do_core_note in readelf.c, which
  allowed remote attackers to cause a denial of service (application crash) via
  a crafted ELF file (bsc#1096974 CVE-2018-10360).
- CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c
  (bsc#1126118)
- CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf.c
  (bsc#1126119)
- CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c
  (bsc#1126117)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:979-1
Released:    Thu Apr 18 08:23:19 2019
Summary:     Recommended update for sg3_utils
Type:        recommended
Severity:    moderate
References:  1069384
This update for sg3_utils fixes the following issues:

- rescan-scsi-bus.sh: use LUN wildcard in idlist (bsc#1069384)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:996-1
Released:    Tue Apr 23 18:42:35 2019
Summary:     Security update for curl
Type:        security
Severity:    important
References:  1112758,1131886,CVE-2018-16839
This update for curl fixes the following issues:

Security issue fixed:

- CVE-2018-16839: Fixed a buffer overflow in the SASL authentication code (bsc#1112758).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1060-1
Released:    Sat Apr 27 09:45:38 2019
Summary:     Security update for libssh2_org
Type:        security
Severity:    important
References:  1130103,1133528,CVE-2019-3859
This update for libssh2_org fixes the following issues:

- Incorrect upstream fix for CVE-2019-3859 broke public key authentication [bsc#1133528, bsc#1130103]

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1111-1
Released:    Tue Apr 30 12:59:27 2019
Summary:     Security update for libjpeg-turbo
Type:        security
Severity:    moderate
References:  1096209,1098155,1128712,CVE-2018-1152,CVE-2018-11813,CVE-2018-14498
This update for libjpeg-turbo fixes the following issues:

The following security vulnerabilities were addressed:

- CVE-2018-14498: Fixed a heap-based buffer over-read in the get_8bit_row function,
  which could allow an attacker to cause a denial of service (bsc#1128712).
- CVE-2018-11813: Fixed the end-of-file mishandling in read_pixel in rdtarga.c,
  which allowed remote attackers to cause a denial of service via crafted JPG
  files due to a large loop (bsc#1096209).
- CVE-2018-1152: Fixed a denial of service in start_input_bmp() in rdbmp.c caused
  by a divide by zero when processing a crafted BMP image (bsc#1098155).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1125-1
Released:    Tue Apr 30 18:50:59 2019
Summary:     Recommended update for glibc
Type:        recommended
Severity:    important
References:  1100396,1103244
This update for glibc fixes the following issues:

- Add support for the new Japanese time era name that comes into
  effect on 2019-05-01. [bsc#1100396, bsc#1103244]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1131-1
Released:    Thu May  2 15:39:59 2019
Summary:     Recommended update for libidn
Type:        recommended
Severity:    moderate
References:  1092034
This update for libidn fixes the following issues:

- Now obsoletes the libidn 32-bit package (bsc#1092034)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1136-1
Released:    Fri May  3 10:27:57 2019
Summary:     Security update for openssl
Type:        security
Severity:    moderate
References:  1131291
This update for openssl fixes the following issues:

- Reject invalid EC point coordinates (bsc#1131291)

  This helps services using openssl that do not perform this verification on their own.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1166-1
Released:    Tue May  7 11:01:39 2019
Summary:     Security update for audit
Type:        security
Severity:    moderate
References:  1042781,1085003,1125535,941922,CVE-2015-5186

This update for audit fixes the following issues:

Audit on SUSE Linux Enterprise 12 SP3 was updated to 2.8.1 to bring
new features and bugfixes.  (bsc#1125535 FATE#326346)

* Many features were added to auparse_normalize
* cli option added to auditd and audispd for setting config dir
* In auditd, restore the umask after creating a log file
* Option added to auditd for skipping email verification

The full changelog can be found here: http://people.redhat.com/sgrubb/audit/ChangeLog

- Change openldap dependency to client only (bsc#1085003)

Minor security issue fixed:

- CVE-2015-5186: Fixed the handling of terminal emulator escape sequences in audit log output (bsc#941922)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1232-1
Released:    Tue May 14 17:07:56 2019
Summary:     Security update for libxslt
Type:        security
Severity:    moderate
References:  1132160,CVE-2019-11068
This update for libxslt fixes the following issues:

- CVE-2019-11068: Fixed a protection mechanism bypass where callers of 
  xsltCheckRead() and xsltCheckWrite() would permit access upon receiving an
  error (bsc#1132160).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1259-1
Released:    Wed May 15 14:06:20 2019
Summary:     Recommended update for sysvinit
Type:        recommended
Severity:    moderate
References:  1131982
This update for sysvinit fixes the following issues:

- Handle the various optional fields of /proc/<pid>/mountinfo on the entries before the hyphen
  (bsc#1131982)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1265-1
Released:    Thu May 16 09:52:22 2019
Summary:     Security update for systemd
Type:        security
Severity:    important
References:  1080919,1121563,1125352,1126056,1127557,1128657,1130230,1132348,1132400,1132721,955942,CVE-2018-6954,CVE-2019-3842,CVE-2019-6454,SLE-5933
This update for systemd fixes the following issues:

Security issues fixed:

- CVE-2018-6954: Fixed a vulnerability in the symlink handling of systemd-tmpfiles 
  which allowed a local user to obtain ownership of arbitrary files (bsc#1080919).
- CVE-2019-3842: Fixed a vulnerability in pam_systemd which allowed a local user to escalate privileges (bsc#1132348).
- CVE-2019-6454: Fixed a denial of service caused by long dbus messages (bsc#1125352).

Non-security issues fixed:

- systemd-coredump: generate a stack trace of all core dumps (jsc#SLE-5933)
- udevd: notify only once per batch of events when the maximum number of children is reached (bsc#1132400)
- sd-bus: bump message queue size again (bsc#1132721)
- core: only watch processes when it's really necessary (bsc#955942 bsc#1128657)
- rules: load drivers only on 'add' events (bsc#1126056)
- sysctl: Don't pass null directive argument to '%s' (bsc#1121563)
- Do not automatically online memory on s390x (bsc#1127557)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1363-1
Released:    Tue May 28 10:50:53 2019
Summary:     Security update for curl
Type:        security
Severity:    important
References:  1135170,CVE-2019-5436
This update for curl fixes the following issues:

Security issue fixed:

- CVE-2019-5436: Fixed a heap buffer overflow in tftp_receive_packet, which receives data from a TFTP server (bsc#1135170).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1379-1
Released:    Wed May 29 15:07:04 2019
Summary:     Security update for libtasn1
Type:        security
Severity:    moderate
References:  1040621,1105435,CVE-2017-6891,CVE-2018-1000654
This update for libtasn1 fixes the following issues:

Security issues fixed:

- CVE-2018-1000654: Fixed a denial of service in the asn1 parser (bsc#1105435).
- CVE-2017-6891: Fixed a stack overflow in asn1_find_node() (bsc#1040621).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1402-1
Released:    Mon Jun  3 09:12:38 2019
Summary:     Recommended update for kmod
Type:        recommended
Severity:    moderate
References:  1097869,1118629
This update for kmod fixes the following issues:

- Fixes a potential buffer overflow in libkmod (bsc#1118629).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1431-1
Released:    Wed Jun  5 16:50:13 2019
Summary:     Recommended update for xz
Type:        recommended
Severity:    moderate
References:  1135709
This update for xz only updates the license:

- Add SUSE-Public-Domain license, as some parts of xz utils (liblzma,
  xz, xzdec, lzmadec, documentation, translated messages, tests,
  debug, extra directory) are under a public domain license (bsc#1135709)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1474-1
Released:    Wed Jun 12 14:46:20 2019
Summary:     Recommended update for permissions
Type:        recommended
Severity:    moderate
References:  1110797
This update for permissions fixes the following issues:

- Updated permissions for amanda (bsc#1110797)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1481-1
Released:    Thu Jun 13 07:46:01 2019
Summary:     Recommended update for sg3_utils
Type:        recommended
Severity:    moderate
References:  1005063,1119296,1133418,954600
This update for sg3_utils provides the following fixes:

- Fix regression for page 0xa. (bsc#1119296)
- Add pre/post scripts for lunmask.service. (bsc#954600)
- Now generates by-path links for Fibre Channel. (bsc#1005063)
- Fixes a syntax error in rule 59-fc-wwpn-id.rules. (bsc#1133418)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1733-1
Released:    Wed Jul  3 13:54:39 2019
Summary:     Security update for elfutils
Type:        security
Severity:    low
References:  1030472,1030476,1033084,1033085,1033087,1033088,1033089,1033090,1106390,1107067,1111973,1112723,1112726,1123685,1125007,CVE-2016-10254,CVE-2016-10255,CVE-2017-7607,CVE-2017-7608,CVE-2017-7610,CVE-2017-7611,CVE-2017-7612,CVE-2017-7613,CVE-2018-16062,CVE-2018-16403,CVE-2018-18310,CVE-2018-18520,CVE-2018-18521,CVE-2019-7150,CVE-2019-7665
This update for elfutils fixes the following issues:

Security issues fixed:

- CVE-2018-16403: Fixed a heap-based buffer over-read that could have led to Denial of Service (bsc#1107067).
- CVE-2016-10254: Fixed a memory allocation failure in allocate_elf (bsc#1030472).
- CVE-2019-7665: NT_PLATFORM core file note should be a zero terminated string (bsc#1125007).
- CVE-2016-10255: Fixed a memory allocation failure in libelf_set_rawdata_wrlock (bsc#1030476).
- CVE-2019-7150: Added a missing check in dwfl_segment_report_module which could have allowed truncated files 
  to be read (bsc#1123685).
- CVE-2018-16062: Fixed a heap-buffer-overflow (bsc#1106390).
- CVE-2017-7611: Fixed a heap-based buffer over-read that could have led to Denial of Service (bsc#1033088).
- CVE-2017-7613: Fixed denial of service caused by the missing validation of the number of sections 
  and the number of segments in a crafted ELF file (bsc#1033090).
- CVE-2017-7607: Fixed a heap-based buffer overflow in handle_gnu_hash (bsc#1033084).
- CVE-2017-7608: Fixed a heap-based buffer overflow in ebl_object_note_type_name() (bsc#1033085).
- CVE-2017-7610: Fixed a heap-based buffer overflow in check_group (bsc#1033087).
- CVE-2018-18521: Fixed multiple divide-by-zero vulnerabilities in function arlib_add_symbols() (bsc#1112723).
- CVE-2017-7612: Fixed a denial of service in check_sysv_hash() via a crafted ELF file (bsc#1033089).
- CVE-2018-18310: Fixed an invalid address read in dwfl_segment_report_module.c (bsc#1111973).
- CVE-2018-18520: Fixed bad handling of ar files nested inside ar files (bsc#1112726).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1761-1
Released:    Fri Jul  5 14:10:34 2019
Summary:     Recommended update for e2fsprogs
Type:        recommended
Severity:    moderate
References:  1128383,1135261
This update for e2fsprogs fixes the following issues:

- Revert 'mke2fs: prevent creation of unmountable ext4 with large flex_bg count'. (bsc#1135261)
- Place metadata blocks in the last flex_bg so they are contiguous. (bsc#1135261)
- Check and fix tails of all bitmaps. (bsc#1128383)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1834-1
Released:    Fri Jul 12 17:55:14 2019
Summary:     Security update for expat
Type:        security
Severity:    moderate
References:  1139937,CVE-2018-20843
This update for expat fixes the following issues:

Security issue fixed:

- CVE-2018-20843: Fixed a denial of service triggered by high resource consumption
  in the XML parser when XML names contain a large number of colons (bsc#1139937).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1844-1
Released:    Mon Jul 15 07:13:09 2019
Summary:     Recommended update for pam
Type:        recommended
Severity:    low
References:  1116544
This update for pam fixes the following issues:

- Restricted the number of file descriptors to close to a more sensible number based upon resource limits (bsc#1116544)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1867-1
Released:    Wed Jul 17 13:11:03 2019
Summary:     Security update for libxslt
Type:        security
Severity:    moderate
References:  1140095,1140101,CVE-2019-13117,CVE-2019-13118
This update for libxslt fixes the following issues:

Security issues fixed:

- CVE-2019-13118: Fixed a read of uninitialized stack data (bsc#1140101).
- CVE-2019-13117: Fixed an uninitialized read which allowed an attacker to discern whether a byte on the stack contains certain special characters (bsc#1140095).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1896-1
Released:    Thu Jul 18 16:26:45 2019
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1010675,1110146,1126613,CVE-2016-9318
This update for libxml2 fixes the following issues:

Issue fixed:

- Fixed a bug related to the fix for CVE-2016-9318 which allowed xsltproc to access
  the internet even when --nonet was given, and which also caused docbook-xsl-stylesheets to have
  an incomplete XML catalog file (bsc#1010675, bsc#1126613 and bsc#1110146).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1955-1
Released:    Tue Jul 23 11:42:41 2019
Summary:     Security update for bzip2
Type:        security
Severity:    important
References:  1139083,985657,CVE-2016-3189,CVE-2019-12900
This update for bzip2 fixes the following issues:

Security issues fixed:

- CVE-2019-12900: Fixed an out-of-bounds write in decompress.c with many selectors (bsc#1139083).
- CVE-2016-3189: Fixed a use-after-free in bzip2recover (bsc#985657).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1958-1
Released:    Tue Jul 23 13:18:12 2019
Summary:     Security update for glibc
Type:        security
Severity:    moderate
References:  1127223,1127308,1128574,CVE-2009-5155,CVE-2019-9169
This update for glibc fixes the following issues:

Security issues fixed:

- CVE-2019-9169: Fixed a heap-based buffer over-read via an attempted case-insensitive regular-expression match (bsc#1127308).
- CVE-2009-5155: Fixed a denial of service in parse_reg_exp() (bsc#1127223).

Non-security issues fixed:

- Added cfi information for start routines in order to stop unwinding on S390 (bsc#1128574).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1972-1
Released:    Thu Jul 25 15:00:03 2019
Summary:     Security update for libsolv, libzypp, zypper
Type:        security
Severity:    moderate
References:  1109893,1110542,1111319,1112911,1113296,1120629,1120630,1120631,1127155,1131823,1134226,1137977,CVE-2018-20532,CVE-2018-20533,CVE-2018-20534
This update for libsolv, libzypp and zypper fixes the following issues:

libsolv was updated to version 0.6.36 and fixes the following issues:

Security issues fixed:

- CVE-2018-20532: Fixed a NULL pointer dereference in testcase_read() (bsc#1120629).
- CVE-2018-20533: Fixed a NULL pointer dereference in testcase_str2dep_complex() (bsc#1120630).
- CVE-2018-20534: Fixed a NULL pointer dereference in pool_whatprovides() (bsc#1120631).

Non-security issues fixed:

- Made cleandeps jobs on patterns work (bsc#1137977).
- Fixed an issue with multiversion packages that obsolete their own name (bsc#1127155).
- Keep consistent package name if there are multiple alternatives (bsc#1131823).

libzypp received the following fixes:

- Fixes a bug where locking the kernel was not possible (bsc#1113296)

zypper received the following fixes:

- Fixes a bug where the wrong exit code was set when refreshing
  repos if --root was used (bsc#1134226)
- Improved the displaying of locks (bsc#1112911)
- Fixes an issue where `https` repository urls caused an error prompt to
  appear twice (bsc#1110542)
- zypper will now always warn when no repositories are defined (bsc#1109893)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2013-1
Released:    Mon Jul 29 15:42:41 2019
Summary:     Security update for bzip2
Type:        security
Severity:    important
References:  1139083,CVE-2019-12900
This update for bzip2 fixes the following issues:

- Fixed a regression with the fix for CVE-2019-12900, which caused incompatibilities
  with files that used many selectors (bsc#1139083).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2101-1
Released:    Fri Aug  9 10:38:55 2019
Summary:     Recommended update for suse-module-tools
Type:        recommended
Severity:    moderate
References:  1100989,1105495,1111300,1123697,1123704,1127155,1127891,1131635
This update for suse-module-tools to version 12.6 fixes the following issues:

- weak-modules2: emit 'inconsistent' warning only if replacement fails (bsc#1127155)
- modprobe.conf.common: add csiostor->cxgb4 dependency (bsc#1100989, bsc#1131635)
- Fix driver-check.sh (bsc#1123697, bsc#1123704)
- modsign-verify: support for parsing PKCS#7 signatures (bsc#1111300, bsc#1105495)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2120-1
Released:    Wed Aug 14 11:17:39 2019
Summary:     Recommended update for pam
Type:        recommended
Severity:    moderate
References:  1136298,SLE-7257
This update for pam fixes the following issues:

- Enable pam_userdb.so (jsc#SLE-7257, bsc#1136298)
- Upgraded pam_userdb to 1.3.1. (bsc#1136298)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1606-1
Released:    Wed Aug 21 13:36:49 2019
Summary:     Security update for libssh2_org
Type:        security
Severity:    moderate
References:  1128481,1136570,CVE-2019-3860
This update for libssh2_org fixes the following issues:

- Fix the previous fix for CVE-2019-3860 (bsc#1136570, bsc#1128481)
  (Out-of-bounds reads with specially crafted SFTP packets)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2240-1
Released:    Wed Aug 28 14:57:51 2019
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:  1144169
This update for ca-certificates-mozilla fixes the following issues:

- Update to 2.34 state of the Mozilla NSS Certificate store. (bsc#1144169)

- Removed Root CAs:
  - Certinomis - Root CA

- Added root CAs from the 2.32 version:
  - emSign ECC Root CA - C3 (email and server auth)
  - emSign ECC Root CA - G3 (email and server auth)
  - emSign Root CA - C1 (email and server auth)
  - emSign Root CA - G1 (email and server auth)
  - Hongkong Post Root CA 3 (server auth)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2264-1
Released:    Mon Sep  2 09:07:12 2019
Summary:     Security update for perl
Type:        security
Severity:    important
References:  1114674,CVE-2018-18311
This update for perl fixes the following issues:

Security issue fixed:

- CVE-2018-18311: Fixed integer overflow with oversize environment (bsc#1114674).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2288-1
Released:    Wed Sep  4 14:22:47 2019
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1104902,1107617,1137053,1142661
This update for systemd fixes the following issues:

- Fixes an issue where the Kernel took very long to unmount a user's runtime directory (bsc#1104902)
- udevd: changed the default value of udev.children-max (again) (bsc#1107617)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2372-1
Released:    Thu Sep 12 14:01:27 2019
Summary:     Recommended update for krb5
Type:        recommended
Severity:    moderate
References:  1139942,1140914,SLE-7081
This update for krb5 fixes the following issues:

- Fix missing responder if there is no pre-auth (bsc#1139942)
- Load mechglue config files from /etc/gss/mech.d (bsc#1140914, jsc#SLE-7081)
- Fix impersonate_name to work with interposers (bsc#1140914, jsc#SLE-7081)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2339-1
Released:    Thu Sep 12 14:17:53 2019
Summary:     Security update for curl
Type:        security
Severity:    important
References:  1149496,CVE-2019-5482
This update for curl fixes the following issues:

Security issue fixed:

- CVE-2019-5482: Fixed TFTP small blocksize heap buffer overflow (bsc#1149496).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2390-1
Released:    Tue Sep 17 15:46:02 2019
Summary:     Security update for openldap2
Type:        security
Severity:    moderate
References:  1143194,1143273,CVE-2019-13057,CVE-2019-13565
This update for openldap2 fixes the following issues:

Security issues fixed:

- CVE-2019-13565: Fixed ssf memory reuse that leads to incorrect authorization of another connection, granting excess connection rights (ssf) (bsc#1143194).
- CVE-2019-13057: Fixed an issue where the rootDN of a backend could proxyauth incorrectly to another backend, violating multi-tenant isolation (bsc#1143273).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2413-1
Released:    Fri Sep 20 10:44:26 2019
Summary:     Security update for openssl
Type:        security
Severity:    moderate
References:  1150003,1150250,CVE-2019-1547,CVE-2019-1563
This update for openssl fixes the following issues:

OpenSSL Security Advisory [10 September 2019]

- CVE-2019-1547: Added EC_GROUP_set_generator side channel attack avoidance (bsc#1150003).
- CVE-2019-1563: Fixed a Bleichenbacher attack against the CMS/PKCS#7 encryption-transported key (bsc#1150250).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2440-1
Released:    Mon Sep 23 17:15:13 2019
Summary:     Security update for expat
Type:        security
Severity:    moderate
References:  1149429,CVE-2019-15903
This update for expat fixes the following issues:

Security issue fixed:

- CVE-2019-15903: Fixed a heap-based buffer over-read caused by crafted XML documents. (bsc#1149429)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2480-1
Released:    Fri Sep 27 13:12:08 2019
Summary:     Security update for gpg2
Type:        security
Severity:    moderate
References:  1124847,1141093,CVE-2019-13050
This update for gpg2 fixes the following issues:

Security issue fixed:

- CVE-2019-13050: Fixed denial-of-service attacks via big keys. (bsc#1141093)

Non-security issue fixed:

- Allow coredumps in X11 desktop sessions (bsc#1124847).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2510-1
Released:    Tue Oct  1 17:37:12 2019
Summary:     Security update for libgcrypt
Type:        security
Severity:    moderate
References:  1148987,CVE-2019-13627
This update for libgcrypt fixes the following issues:

Security issue fixed:

- CVE-2019-13627: Mitigated an ECDSA timing attack. (bsc#1148987)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2818-1
Released:    Tue Oct 29 17:22:01 2019
Summary:     Recommended update for zypper and libzypp
Type:        recommended
Severity:    important
References:  1049825,1116995,1140039,1145521,1146415,1153557
This update for zypper and libzypp fixes the following issues:

Package: zypper

- Fixed an issue where zypper exited on a SIGPIPE during package download (bsc#1145521)
- Rephrased the file conflicts check summary (bsc#1140039)
- Fixes an issue where the bash completion was wrongly expanded (bsc#1049825)

Package: libzypp

- Fixed an issue where YaST2 was not able to find base products via libzypp (bsc#1153557)
- Added a new 'solver.focus' option for /etc/zypp/zypp.conf to define systemwide focus
  mode when resolving jobs (bsc#1146415)
- Fixes a file descriptor leak in the media backend (bsc#1116995)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2887-1
Released:    Mon Nov  4 17:31:49 2019
Summary:     Recommended update for apparmor
Type:        recommended
Severity:    moderate
References:  1139870
This update for apparmor provides the following fix:

- Change pathname in logprof.conf and use check_qualifiers() in autodep to make sure
  apparmor does not generate profiles for programs marked as not having their own
  profiles. (bsc#1139870)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2898-1
Released:    Tue Nov  5 17:00:27 2019
Summary:     Recommended update for systemd
Type:        recommended
Severity:    important
References:  1140631,1150595,1154948
This update for systemd fixes the following issues:

- sd-bus: deal with cookie overruns (bsc#1150595)
- rules: Add by-id symlinks for persistent memory (bsc#1140631)
- Drop the old fds used for logging and reopen them in the
  sub process before doing any new logging. (bsc#1154948)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2936-1
Released:    Fri Nov  8 13:19:55 2019
Summary:     Security update for libssh2_org
Type:        security
Severity:    moderate
References:  1154862,CVE-2019-17498
This update for libssh2_org fixes the following issue:

- CVE-2019-17498: Fixed an integer overflow in a bounds check that might have led to the disclosure of sensitive information or a denial of service (bsc#1154862).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2941-1
Released:    Tue Nov 12 10:03:32 2019
Summary:     Security update for libseccomp
Type:        security
Severity:    moderate
References:  1082318,1128828,1142614,CVE-2019-9893
This update for libseccomp fixes the following issues:

Update to new upstream release 2.4.1:

* Fix a BPF generation bug where the optimizer mistakenly
  identified duplicate BPF code blocks.

Updated to 2.4.0 (bsc#1128828 CVE-2019-9893):

* Update the syscall table for Linux v5.0-rc5
* Added support for the SCMP_ACT_KILL_PROCESS action
* Added support for the SCMP_ACT_LOG action and SCMP_FLTATR_CTL_LOG attribute
* Added explicit 32-bit (SCMP_AX_32(...)) and 64-bit (SCMP_AX_64(...)) argument comparison macros to help protect against unexpected sign extension
* Added support for the parisc and parisc64 architectures
* Added the ability to query and set the libseccomp API level via seccomp_api_get(3) and seccomp_api_set(3)
* Return -EDOM on an endian mismatch when adding an architecture to a filter
* Renumber the pseudo syscall number for subpage_prot() so it no longer conflicts with spu_run()
* Fix PFC generation when a syscall is prioritized, but no rule exists
* Numerous fixes to the seccomp-bpf filter generation code
* Switch our internal hashing function from jhash/Lookup3 to MurmurHash3
* Numerous tests added to the included test suite, coverage now at ~92%
* Update our Travis CI configuration to use Ubuntu 16.04
* Numerous documentation fixes and updates

Update to release 2.3.3:

* Updated the syscall table for Linux v4.15-rc7

Update to release 2.3.2:

* Achieved full compliance with the CII Best Practices program
* Added Travis CI builds to the GitHub repository
* Added code coverage reporting with the '--enable-code-coverage' configure
  flag and added Coveralls to the GitHub repository
* Updated the syscall tables to match Linux v4.10-rc6+
* Support for building with Python v3.x
* Allow rules with the -1 syscall if the SCMP_FLTATR_API_TSKIP attribute is
  set to true
* Several small documentation fixes

- Ignore make check errors on ppc64/ppc64le to bypass bsc#1142614

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2972-1
Released:    Thu Nov 14 12:04:52 2019
Summary:     Security update for libjpeg-turbo
Type:        security
Severity:    important
References:  1156402,CVE-2019-2201
This update for libjpeg-turbo fixes the following issues:

- CVE-2019-2201: Several integer overflow issues and subsequent segfaults occurred in libjpeg-turbo
  when attempting to compress or decompress gigapixel images. [bsc#1156402]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3003-1
Released:    Tue Nov 19 10:12:33 2019
Summary:     Recommended update for procps
Type:        recommended
Severity:    moderate
References:  1153386,SLE-10396
This update for procps provides the following fixes:

- Backport the MemAvailable patch into SLE12-SP4/SP5 procps. (jsc#SLE-10396)
- Add missing ShmemPmdMapped entry for pmap with newer kernels. (bsc#1153386)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3058-1
Released:    Mon Nov 25 17:32:43 2019
Summary:     Security update for tiff
Type:        security
Severity:    moderate
References:  1108606,1121626,1125113,1146608,983268,CVE-2016-5102,CVE-2018-17000,CVE-2019-14973,CVE-2019-6128,CVE-2019-7663
This update for tiff fixes the following issues:

Security issues fixed:

- CVE-2019-14973: Fixed an improper check that depended on the compiler and
  could have led to an integer overflow (bsc#1146608).
- CVE-2016-5102: Fixed a buffer overflow in readgifimage() (bsc#983268)
- CVE-2018-17000: Fixed a NULL pointer dereference in the _TIFFmemcmp function (bsc#1108606).
- CVE-2019-6128: Fixed a memory leak in the TIFFFdOpen function in tif_unix.c (bsc#1121626).
- CVE-2019-7663: Fixed an invalid address dereference in the
  TIFFWriteDirectoryTagTransfer function in libtiff/tif_dirwrite.c (bsc#1125113)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3064-1
Released:    Mon Nov 25 18:44:36 2019
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1155199,CVE-2019-14866
This update for cpio fixes the following issues:

- CVE-2019-14866: Fixed an improper validation of the values written
  in the header of a TAR file through the to_oct() function which could
  have led to unexpected TAR generation (bsc#1155199).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3085-1
Released:    Thu Nov 28 10:01:53 2019
Summary:     Security update for libxml2
Type:        security
Severity:    low
References:  1123919
This update for libxml2 does not fix any additional security issues, but corrects the RPM changelog to reflect
all CVEs that have been fixed in the past.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3094-1
Released:    Thu Nov 28 16:47:52 2019
Summary:     Security update for ncurses
Type:        security
Severity:    moderate
References:  1131830,1134550,1154036,1154037,CVE-2018-10754,CVE-2019-17594,CVE-2019-17595
This update for ncurses fixes the following issues:

Security issues fixed:

- CVE-2018-10754: Fixed a denial of service caused by a NULL pointer dereference in _nc_parse_entry() (bsc#1131830).
- CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c (bsc#1154036).
- CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c (bsc#1154037).

Bug fixes:

- Fixed ppc64le build configuration (bsc#1134550).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3132-1
Released:    Tue Dec  3 10:52:14 2019
Summary:     Recommended update for update-alternatives
Type:        recommended
Severity:    moderate
References:  1154043
This update for update-alternatives fixes the following issues:

- Fix post install scripts: test if there is an actual file before calling update-alternatives. (bsc#1154043)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3180-1
Released:    Thu Dec  5 11:42:40 2019
Summary:     Security update for permissions
Type:        security
Severity:    moderate
References:  1093414,1150734,1157198,CVE-2019-3688,CVE-2019-3690
This update for permissions fixes the following issues:

- CVE-2019-3688: Changed wrong ownership in /usr/sbin/pinger to root:squid
  which could have allowed a squid user to gain persistence by changing the 
  binary (bsc#1093414).
- CVE-2019-3690: Fixed a privilege escalation through untrusted symbolic 
  links (bsc#1150734).
- Fixed a regression which caused a segmentation fault (bsc#1157198).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3342-1
Released:    Thu Dec 19 11:04:35 2019
Summary:     Recommended update for elfutils
Type:        recommended
Severity:    moderate
References:  1151577
This update for elfutils fixes the following issues:

- Add require of 'libebl1' for 'libelf1'. (bsc#1151577)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3364-1
Released:    Thu Dec 19 19:20:52 2019
Summary:     Recommended update for ncurses
Type:        recommended
Severity:    moderate
References:  1158586,1159162
This update for ncurses fixes the following issues:

- Work around a bug of old upstream gen-pkgconfig (bsc#1159162) 
- Remove doubled library path options (bsc#1159162)
- Also remove private requirements as (lib)tinfo are binary compatible
  with normal and wide version of (lib)ncurses (bsc#1158586, bsc#1159162)
- Fix last change, that is add missed library linker paths as well
  as missed include directories for non-standard paths (bsc#1158586,
  bsc#1159162)
- Do not mix include directories of different ncurses ABI (bsc#1158586) 

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:86-1
Released:    Mon Jan 13 14:12:22 2020
Summary:     Security update for e2fsprogs
Type:        security
Severity:    moderate
References:  1160571,CVE-2019-5188
This update for e2fsprogs fixes the following issues:

- CVE-2019-5188: Fixed a code execution vulnerability in the directory rehashing functionality (bsc#1160571).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:106-1
Released:    Wed Jan 15 12:50:55 2020
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    important
References:  1155338,1155339
This update for libgcrypt fixes the following issues:

- Fix test dsa-rfc6979 in FIPS mode: Disabled tests in elliptic curves with 192 bits which are not recommended in FIPS mode
- Added CMAC AES and TDES FIPS self-tests: (bsc#1155339, bsc#1155338)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:373-1
Released:    Tue Feb 18 15:06:18 2020
Summary:     Security update for dbus-1
Type:        security
Severity:    important
References:  1137832,CVE-2019-12749
This update for dbus-1 fixes the following issues:

Security issue fixed:

- CVE-2019-12749: Fixed an implementation flaw in DBUS_COOKIE_SHA1 which
  could have allowed local attackers to bypass authentication (bsc#1137832).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:404-1
Released:    Wed Feb 19 09:05:47 2020
Summary:     Recommended update for p11-kit
Type:        recommended
Severity:    moderate
References:  1154871
This update for p11-kit fixes the following issues:

- Support loading NSS attribute 'CKA_NSS_MOZILLA_CA_POLICY' so Firefox detects built-in certificates. (bsc#1154871)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:459-1
Released:    Tue Feb 25 11:02:12 2020
Summary:     Security update for libvpx
Type:        security
Severity:    moderate
References:  1160613,1160614,CVE-2019-9232,CVE-2019-9433
This update for libvpx fixes the following issues:

- CVE-2019-9232: Fixed an out of bound memory access (bsc#1160613).
- CVE-2019-9433: Fixed a use-after-free in vp8_deblock() (bsc#1160614).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:474-1
Released:    Tue Feb 25 13:24:15 2020
Summary:     Security update for openssl
Type:        security
Severity:    moderate
References:  1117951,1158809,1160163,CVE-2019-1551
This update for openssl fixes the following issues:

Security issue fixed:

- CVE-2019-1551: Fixed an overflow bug in the x86_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809).

Non-security issue fixed:

- Fixed a crash in BN_copy (bsc#1160163).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:545-1
Released:    Fri Feb 28 15:50:46 2020
Summary:     Security update for permissions
Type:        security
Severity:    moderate
References:  1123886,1160594,1160764,1161779,1163922,CVE-2020-8013
This update for permissions fixes the following issues:

Security issues fixed:

- CVE-2020-8013: Fixed an issue where chkstat set unintended setuid/capabilities for mrsh and wodim (bsc#1163922).

Non-security issues fixed:

- Fixed a regression where chkstat broke when /proc was not available (bsc#1160764, bsc#1160594).
- Fixed capability handling when doing multiple permission changes at once (bsc#1161779).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:561-1
Released:    Mon Mar  2 17:24:59 2020
Summary:     Recommended update for elfutils
Type:        recommended
Severity:    moderate
References:  1110929,1157578
This update for elfutils fixes the following issues:

- Fix 'eu-nm' issue in elfutils: Symbol iteration will be set to start at 0 instead of 1 to avoid missing symbols in the output. (bsc#1157578)
- Fix for '.ko' file corruption in debug info. (bsc#1110929)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:569-1
Released:    Tue Mar  3 11:43:43 2020
Summary:     Security update for libpng16
Type:        security
Severity:    moderate
References:  1124211,1141493,CVE-2017-12652,CVE-2019-7317
This update for libpng16 fixes the following issues:

Security issues fixed:

- CVE-2019-7317: Fixed a use-after-free vulnerability, triggered when
  png_image_free() was called under png_safe_execute (bsc#1124211).
- CVE-2017-12652: Fixed an Input Validation Error related to the length of chunks (bsc#1141493).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:571-1
Released:    Tue Mar  3 13:23:35 2020
Summary:     Recommended update for cyrus-sasl
Type:        recommended
Severity:    moderate
References:  1162518
This update for cyrus-sasl fixes the following issues:

- Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF (bsc#1162518)
- Added support for retrieving negotiated SSF in gssapi plugin (bsc#1162518)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:596-1
Released:    Thu Mar  5 15:23:51 2020
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:  1010996,1071152,1071390,1082318,1100415,1154871,1160160
This update for ca-certificates-mozilla fixes the following issues:

The following non-security bugs were fixed:

Updated to 2.40 state of the Mozilla NSS Certificate store (bsc#1160160):

Removed certificates:

- Certplus Class 2 Primary CA
- Deutsche Telekom Root CA 2
- CN=Swisscom Root CA 2
- UTN-USERFirst-Client Authentication and Email

Added certificates:

- Entrust Root Certification Authority - G4

- Export correct p11kit trust attributes so Firefox detects built in certificates (bsc#1154871).
- Updated to 2.24 state of the Mozilla NSS Certificate store (bsc#1100415).
- Use %license instead of %doc (bsc#1082318).
- Updated to 2.22 state of the Mozilla NSS Certificate store (bsc#1071152, bsc#1071390, bsc#1010996).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:623-1
Released:    Mon Mar  9 16:17:26 2020
Summary:     Security update for gd
Type:        security
Severity:    moderate
References:  1050241,1140120,1165471,CVE-2017-7890,CVE-2018-14553,CVE-2019-11038
This update for gd fixes the following issues:

- CVE-2017-7890: Fixed a buffer over-read into uninitialized memory (bsc#1050241).
- CVE-2018-14553: Fixed a null pointer dereference in gdImageClone() (bsc#1165471).
- CVE-2019-11038: Fixed an information disclosure in gdImageCreateFromXbm() (bsc#1140120).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:652-1
Released:    Thu Mar 12 09:53:23 2020
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    important
References:  1165915,1165919,1166301
This update for ca-certificates-mozilla fixes the following issues:

This reverts a previous change to the generated pem structure, as it
requires a p11-kit tools update to be installed first, which cannot always
be ensured correctly. (bsc#1166301 bsc#1165915 bsc#1165919)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:331-1
Released:    Wed Mar 18 12:52:46 2020
Summary:     Security update for systemd
Type:        security
Severity:    important
References:  1106383,1133495,1139459,1151377,1151506,1154043,1155574,1156482,1159814,1162108,CVE-2020-1712
This update for systemd fixes the following issues:

- CVE-2020-1712 (bsc#1162108)
  Fix a heap use-after-free vulnerability, when asynchronous
  Polkit queries were performed while handling Dbus messages. A local
  unprivileged attacker could have abused this flaw to crash systemd services or
  potentially execute code and elevate their privileges, by sending specially
  crafted Dbus messages.

- Unconfirmed fix to prevent hanging of systemctl during restart. (bsc#1139459)
- Fix warnings thrown during package installation. (bsc#1154043)
- Fix for systemd-udevd to prevent a crash within OES2018. (bsc#1151506)
- Fragments of masked units ought not be considered for 'NeedDaemonReload'. (bsc#1156482)
- Wait for workers to finish when exiting. (bsc#1106383)
- Improve log message when inotify limit is reached. (bsc#1155574)
- Mention in the man pages that alias names are only effective after command 'systemctl enable'. (bsc#1151377)
- Introduce function for reading virtual files in 'sysfs' and 'procfs'. (bsc#1133495, bsc#1159814)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:786-1
Released:    Wed Mar 25 06:47:18 2020
Summary:     Recommended update for p11-kit
Type:        recommended
Severity:    moderate
References:  1165915,1165919
This update for p11-kit fixes the following issues:

- Tag this version with the 'p11-kit-tools-supports-CKA_NSS_MOZILLA_CA_POLICY'
  provides so that it can be pulled in. (bsc#1165915 bsc#1165919)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:915-1
Released:    Fri Apr  3 13:15:11 2020
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    moderate
References:  1168195

This update for openldap2 fixes the following issue:

- The openldap2-ppolicy-check-password plugin is now included (FATE#319461 bsc#1168195)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:920-1
Released:    Fri Apr  3 17:13:04 2020
Summary:     Security update for libxslt
Type:        security
Severity:    moderate
References:  1154609,CVE-2019-18197
This update for libxslt fixes the following issue:

- CVE-2019-18197: Fixed a dangling pointer in xsltCopyText which may have led to information disclosure (bsc#1154609).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:394-1
Released:    Tue Apr 14 17:25:16 2020
Summary:     Security update for gcc9
Type:        security
Severity:    moderate
References:  1114592,1135254,1141897,1142649,1142654,1148517,1149145,CVE-2019-14250,CVE-2019-15847
This update for gcc9 fixes the following issues:

The GNU Compiler Collection is shipped in version 9.

A detailed changelog on what changed in GCC 9 is available at https://gcc.gnu.org/gcc-9/changes.html

The compilers have been added to the SUSE Linux Enterprise Toolchain Module.

To use these compilers, install e.g. gcc9, gcc9-c++ and build with CC=gcc-9
CXX=g++-9 set.


For SUSE Linux Enterprise base products, the libstdc++6, libgcc_s1 and
other compiler libraries have been switched from their gcc8 variants to
their gcc9 variants.

Security issues fixed:

- CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145)
- CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649)

Non-security issues fixed:

- Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254)
- Fixed miscompilation for vector shift on s390. (bsc#1141897)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1168-1
Released:    Mon May  4 14:06:46 2020
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  1162879
This update for libgcrypt fixes the following issues:

- FIPS: Relax the entropy requirements on selftest during boot (bsc#1162879)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1193-1
Released:    Tue May  5 16:26:05 2020
Summary:     Security update for openldap2
Type:        security
Severity:    important
References:  1170771,CVE-2020-12243
This update for openldap2 fixes the following issues:

- CVE-2020-12243: Fixed a denial of service related to recursive filters (bsc#1170771).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1254-1
Released:    Tue May 12 11:17:06 2020
Summary:     Recommended update for geolite2legacy, geoipupdate
Type:        recommended
Severity:    moderate
References:  1156194,1169766
This update for geolite2legacy and geoipupdate fixes the following issues:

- Create the initial package of GeoIP 2 Legacy, as the GeoIP is discontinued. (bsc#1156194)
- Update README.SUSE in GeoIP with a description how to get the latest Geo IP data after the distribution changes. (jsc#SLE-11184, bsc#1156194, jsc#ECO-1405)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1325-1
Released:    Mon May 18 11:50:19 2020
Summary:     Recommended update for coreutils
Type:        recommended
Severity:    moderate
References:  1156276
This update for coreutils fixes the following issues:

- Fix for an issue where, when using sort with the '--human-numeric-sort-key' option, the column containing the values can be faulty. (bsc#1156276)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1329-1
Released:    Mon May 18 17:17:54 2020
Summary:     Recommended update for gcc9
Type:        recommended
Severity:    moderate
References:  1149995,1152590,1167898
This update for gcc9 fixes the following issues:

This update ships the GCC 9.3 release.

- Includes a fix for Internal compiler error when building HepMC (bsc#1167898)
- Includes fix for binutils version parsing
- Add libstdc++6-pp provides and conflicts to avoid file conflicts
  with same minor version of libstdc++6-pp from gcc10.
- Add gcc9 autodetect -g at lto link (bsc#1149995)
- Install go tool buildid for bootstrapping go


-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:822-1
Released:    Fri May 22 10:59:33 2020
Summary:     Recommended update for pam
Type:        recommended
Severity:    moderate
References:  1166510
This update for pam fixes the following issues:

- Moved pam_userdb to a separate package pam-extra  (bsc#1166510)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1612-1
Released:    Fri Jun 12 09:43:17 2020
Summary:     Security update for adns
Type:        security
Severity:    important
References:  1172265,CVE-2017-9103,CVE-2017-9104,CVE-2017-9105,CVE-2017-9106,CVE-2017-9107,CVE-2017-9108,CVE-2017-9109
This update for adns fixes the following issues:
	  
- CVE-2017-9103,CVE-2017-9104,CVE-2017-9105,CVE-2017-9109: Fixed an issue in local recursive resolver
  which could have led to remote code execution (bsc#1172265).
- CVE-2017-9106: Fixed an issue with upstream DNS data sources which could have led to denial of 
  service (bsc#1172265).
- CVE-2017-9107: Fixed an issue when querying domain names which could have led to denial of service (bsc#1172265).
- CVE-2017-9108: Fixed an issue which could have led to denial of service (bsc#1172265).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1662-1
Released:    Thu Jun 18 11:13:05 2020
Summary:     Security update for perl
Type:        security
Severity:    important
References:  1102840,1160039,1170601,1171863,1171864,1171866,CVE-2020-10543,CVE-2020-10878,CVE-2020-12723
This update for perl fixes the following issues:

- CVE-2020-10543: Fixed a heap buffer overflow in regular expression compiler which could have 
  allowed overwriting of allocated memory with attacker's data (bsc#1171863).
- CVE-2020-10878: Fixed multiple integer overflows which could have allowed the insertion of 
  instructions into the compiled form of Perl regular expression (bsc#1171864).
- CVE-2020-12723: Fixed an attacker's corruption of the intermediate language state of a 
  compiled regular expression (bsc#1171866).
- Fixed utf8 handling in perldoc by using 'term' instead of 'man' (bsc#1170601).
- Some packages make assumptions about the date and time they are built. 
  This update will solve the issues caused by calling the perl function timelocal
  expressing the year with two digit only instead of four digits. (bsc#1102840) (bsc#1160039)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1689-1
Released:    Fri Jun 19 11:03:49 2020
Summary:     Recommended update for audit
Type:        recommended
Severity:    important
References:  1156159,1172295
This update for audit fixes the following issues:

- Fix specfile to require libauparse0 and libaudit1 after splitting audit-libs. (bsc#1172295)
- Fix hang on startup. (bsc#1156159)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1732-1
Released:    Wed Jun 24 09:42:55 2020
Summary:     Security update for curl
Type:        security
Severity:    important
References:  1173027,CVE-2020-8177
This update for curl fixes the following issues:

- CVE-2020-8177: Fixed an issue where curl could have been tricked by a malicious server to overwrite a local file when using the -J option (bsc#1173027).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1842-1
Released:    Fri Jul  3 22:40:42 2020
Summary:     Security update for systemd
Type:        security
Severity:    moderate
References:  1084671,1154256,1157315,1161262,1161436,1162698,1164538,1165633,1167622,1171145,CVE-2019-20386
This update for systemd fixes the following issues:

- CVE-2019-20386: Fixed a memory leak when executing the udevadm trigger command (bsc#1161436).
- Renamed the persistent link for ATA devices (bsc#1164538)
- shared/install: try harder to find enablement symlinks when disabling a unit (bsc#1157315)
- tmpfiles: removed unnecessary assert (bsc#1171145)
- pid1: by default make user units inherit their umask from the user manager (bsc#1162698)
- manager: fixed job mode when signalled to shutdown etc (bsc#1161262)
- coredump: fixed bug that loses core dump files when core dumps are compressed and disk space is low. (bsc#1167622)
- udev: inform systemd how many workers we can potentially spawn (#4036) (bsc#1165633)
- libblkid: open device in nonblock mode. (bsc#1084671)
- udev/cdrom_id: Do not open CD-rom in exclusive mode. (bsc#1154256)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1859-1
Released:    Mon Jul  6 17:08:28 2020
Summary:     Security update for openldap2
Type:        security
Severity:    important
References:  1170715,1172698,1172704,CVE-2020-8023
This update for openldap2 fixes the following issues:

- CVE-2020-8023: Fixed a potential local privilege escalation from ldap to root when OPENLDAP_CONFIG_BACKEND='ldap' was used (bsc#1172698).
- Changed DB_CONFIG to root:ldap permissions (bsc#1172704).
- Fixed an issue where slapd becomes unresponsive after many failed login/bind attempts (bsc#1170715).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2059-1
Released:    Tue Jul 28 11:32:56 2020
Summary:     Recommended update for grep
Type:        recommended
Severity:    moderate
References:  1163834
This update for grep fixes the following issues:

Fix for an issue where the command 'grep -i' had bad performance with multibyte, 'non-utf8' encodings. (bsc#1163834)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2117-1
Released:    Tue Aug  4 15:14:39 2020
Summary:     Security update for libX11
Type:        security
Severity:    important
References:  1174628,CVE-2020-14344
This update for libX11 fixes the following issues:

- Fixed XIM client heap overflows (CVE-2020-14344, bsc#1174628)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2196-1
Released:    Tue Aug 11 13:31:24 2020
Summary:     Security update for libX11
Type:        security
Severity:    important
References:  1174628,CVE-2020-14344
This update for libX11 fixes the following issues:

- Fixed XIM client heap overflows (CVE-2020-14344, bsc#1174628).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2287-1
Released:    Thu Aug 20 16:07:37 2020
Summary:     Recommended update for grep
Type:        recommended
Severity:    moderate
References:  1174080
This update for grep fixes the following issues:

- Fix for -P treating invalid UTF-8 input and causing inconsistency. (bsc#1174080)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2294-1
Released:    Fri Aug 21 16:59:17 2020
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    important
References:  1174537
This update for openldap2 fixes the following issues:

- Fixes an issue where slapd failed to start due to the missing pwdMaxRecordedFailure attribute (bsc#1174537)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2410-1
Released:    Tue Sep  1 13:15:48 2020
Summary:     Recommended update for pam
Type:        recommended
Severity:    low
References:  1173593

This update of pam fixes the following issue:

- On some SUSE Linux Enterprise 12 SP5 based media from build.suse.com
  a pam version with a higher release number than the last update of pam
  was delivered. This update releases pam with a  higher release number
  to align it with this media. (bsc#1173593)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2428-1
Released:    Tue Sep  1 22:07:35 2020
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:  1174673
This update for ca-certificates-mozilla fixes the following issues:

Update to 2.42 state of the Mozilla NSS Certificate store (bsc#1174673)

Removed CAs:

- AddTrust External CA Root
- AddTrust Class 1 CA Root
- LuxTrust Global Root 2
- Staat der Nederlanden Root CA - G2
- Symantec Class 1 Public Primary Certification Authority - G4
- Symantec Class 2 Public Primary Certification Authority - G4
- VeriSign Class 3 Public Primary Certification Authority - G3

Added CAs:

- certSIGN Root CA G2
- e-Szigno Root CA 2017
- Microsoft ECC Root Certificate Authority 2017
- Microsoft RSA Root Certificate Authority 2017

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2475-1
Released:    Thu Sep  3 12:10:58 2020
Summary:     Security update for libX11
Type:        security
Severity:    moderate
References:  1175239,CVE-2020-14363
This update for libX11 fixes the following issues:

- CVE-2020-14363: Fixed an integer overflow in init_om() (bsc#1175239).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2570-1
Released:    Tue Sep  8 14:59:35 2020
Summary:     Security update for libjpeg-turbo
Type:        security
Severity:    moderate
References:  1172491,CVE-2020-13790
This update for libjpeg-turbo fixes the following issues:

- CVE-2020-13790: Fixed a heap-based buffer over-read via a malformed PPM input file (bsc#1172491).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2587-1
Released:    Wed Sep  9 22:03:04 2020
Summary:     Recommended update for procps
Type:        recommended
Severity:    moderate
References:  1174660
This update for procps fixes the following issues:

- Add fix for procps and its libraries to avoid issues with the 'free' tool. (bsc#1174660)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2609-1
Released:    Fri Sep 11 10:58:59 2020
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1159928,1161517,1161521,1172021,1176179,CVE-2019-19956,CVE-2019-20388,CVE-2020-24977,CVE-2020-7595
This update for libxml2 fixes the following issues:

- CVE-2019-20388: Fixed a memory leak in xmlSchemaPreRun (bsc#1161521).
- CVE-2020-7595: Fixed an infinite loop in an EOF situation (bsc#1161517).
- CVE-2020-24977: Fixed a global-buffer-overflow in xmlEncodeEntitiesInternal (bsc#1176179).
- Fixed invalid xmlns references due to CVE-2019-19956 (bsc#1172021).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2660-1
Released:    Wed Sep 16 16:15:10 2020
Summary:     Security update for libsolv
Type:        security
Severity:    moderate
References:  1120629,1120630,1120631,1127155,1131823,1137977,CVE-2018-20532,CVE-2018-20533,CVE-2018-20534
This update for libsolv fixes the following issues:

This is a reissue of an existing libsolv update that also included libsolv-devel for LTSS products.

libsolv was updated to version 0.6.36, which fixes the following issues:

Security issues fixed:

- CVE-2018-20532: Fixed a NULL pointer dereference in testcase_read() (bsc#1120629).
- CVE-2018-20533: Fixed a NULL pointer dereference in testcase_str2dep_complex() (bsc#1120630).
- CVE-2018-20534: Fixed a NULL pointer dereference in pool_whatprovides() (bsc#1120631).

Non-security issues fixed:

- Made cleandeps jobs on patterns work (bsc#1137977).
- Fixed an issue with multiversion packages that obsolete their own name (bsc#1127155).
- Keep consistent package name if there are multiple alternatives (bsc#1131823).


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:79-1
Released:    Wed Sep 16 16:17:11 2020
Summary:     Security update for libzypp
Type:        security
Severity:    moderate
References:  1158763,CVE-2019-18900
This update for libzypp fixes the following issues:

Security issue fixed:

- CVE-2019-18900: Fixed the assert cookie file being world readable (bsc#1158763).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2777-1
Released:    Tue Sep 29 11:26:41 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1169488,1173227
This update for systemd fixes the following issues:

- Fixes some file mode inconsistencies for some ghost files (bsc#1173227)
- Fixes an issue where the system could hang on reboot (bsc#1169488)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2900-1
Released:    Tue Oct 13 14:20:15 2020
Summary:     Security update for libproxy
Type:        security
Severity:    important
References:  1176410,1177143,CVE-2020-25219,CVE-2020-26154
This update for libproxy fixes the following issues:

- CVE-2020-25219: Rewrote url::recvline to be nonrecursive (bsc#1176410).
- CVE-2020-26154: Fixed a buffer overflow when PAC is enabled (bsc#1177143).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2959-1
Released:    Tue Oct 20 12:33:48 2020
Summary:     Recommended update for file
Type:        recommended
Severity:    moderate
References:  1176123
This update for file fixes the following issues:

- Fixes an issue where file displayed a broken 'ELF' interpreter. (bsc#1176123)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2998-1
Released:    Thu Oct 22 10:04:33 2020
Summary:     Security update for freetype2
Type:        security
Severity:    important
References:  1177914,CVE-2020-15999
This update for freetype2 fixes the following issues:

- CVE-2020-15999: Fixed a heap buffer overflow found in the handling of embedded PNG bitmaps (bsc#1177914).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3024-1
Released:    Fri Oct 23 14:21:54 2020
Summary:     Security update for glibc
Type:        security
Severity:    moderate
References:  1149332,1165784,1171878,1172085,1176013,CVE-2020-10029
This update for glibc fixes the following issues:
- CVE-2020-10029: Fixed a stack corruption from range reduction of pseudo-zero (bsc#1165784)
- Use posix_spawn on popen (bsc#1149332, bsc#1176013)
- Correct locking and cancellation cleanup in syslog functions (bsc#1172085)
- Fixed concurrent changes on nscd aware files (bsc#1171878)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3156-1
Released:    Wed Nov  4 15:21:49 2020
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:  1177864
This update for ca-certificates-mozilla fixes the following issues:

The SSL Root CA store was updated to the 2.44 state of the Mozilla NSS Certificate store (bsc#1177864)

- Removed CAs:

  - EE Certification Centre Root CA
  - Taiwan GRCA

- Added CAs:

  - Trustwave Global Certification Authority
  - Trustwave Global ECC P256 Certification Authority
  - Trustwave Global ECC P384 Certification Authority

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3263-1
Released:    Tue Nov 10 09:48:14 2020
Summary:     Security update for gcc10
Type:        security
Severity:    moderate
References:  1172798,1172846,1173972,1174753,1174817,1175168,CVE-2020-13844
This update for gcc10 fixes the following issues:

This update provides the GCC10 compiler suite and runtime libraries.

The base SUSE Linux Enterprise libraries libgcc_s1, libstdc++6 are replaced by
the gcc10 variants.

The new compiler variants are available with '-10' suffix, you can specify them
via:

        CC=gcc-10
        CXX=g++-10

or similar commands.

For a detailed changelog check out https://gcc.gnu.org/gcc-10/changes.html
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3314-1
Released:    Thu Nov 12 16:10:36 2020
Summary:     Security update for openldap2
Type:        security
Severity:    important
References:  1178387,CVE-2020-25692
This update for openldap2 fixes the following issues:

- CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3346-1
Released:    Mon Nov 16 17:44:39 2020
Summary:     Recommended update for zypper
Type:        recommended
Severity:    moderate
References:  1169947,1178038
This update for zypper fixes the following issues:

- Fixed an issue where zypper crashed when the system language is set to Spanish and the user
  tried to patch their system with 'zypper patch --category security' (bsc#1178038)
- Fixed a typo in man page (bsc#1169947)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3379-1
Released:    Thu Nov 19 09:30:16 2020
Summary:     Security update for krb5
Type:        security
Severity:    moderate
References:  1178512,CVE-2020-28196
This update for krb5 fixes the following security issue:

- CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3489-1
Released:    Mon Nov 23 14:07:29 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1083571,1139459,1176513,1176800,1177458,1177510
This update for systemd fixes the following issues:

- Create systemd-remote user only if journal-remote is included with the package (bsc#1177458)
- Fixed a buffer overflow in systemd ask-password (bsc#1177510)
- Fixed an issue in the boot process, when the system has an NFS mount in fstab that uses
  the 'bg' option while the NFS server is not reachable (bsc#1176513)
- Fixed an issue with the try-restart command, where services won't restart (bsc#1139459)

Exclusively for SUSE Linux Enterprise 12 SP5:

- cryptsetup: support LUKS2 on-disk format (bsc#1083571, jsc#SLE-13842)


