SUSE-CU-2019:760-1: Security update of ses/6/rook/ceph

sle-security-updates at lists.suse.com
Sat Feb 1 01:39:02 MST 2020


SUSE Container Update Advisory: ses/6/rook/ceph
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2019:760-1
Container Tags        : ses/6/rook/ceph:1.0.0.1862 , ses/6/rook/ceph:1.0.0.1862.1.5.2 , ses/6/rook/ceph:latest
Container Release     : 1.5.2
Severity              : important
Type                  : security
References            : 1005023 1009532 1033084 1033085 1033086 1033087 1033088 1033089
                        1033090 1036463 1036463 1038194 1039099 1044840 1045723 1047002
                        1063675 1065270 1071321 1072183 1073299 1073421 1076519 1076696
                        1080919 1082318 1082956 1083158 1084812 1084842 1084842 1086367
                        1086367 1087550 1088052 1088279 1088524 1089640 1089761 1089777
                        1090047 1090767 1090944 1091265 1091677 1092877 1093392 1093617
                        1093753 1093753 1093851 1094150 1094154 1094161 1094222 1094735
                        1094814 1095096 1095148 1095661 1095670 1095973 1096191 1096515
                        1096718 1096745 1096974 1096984 1097073 1097158 1097370 1097410
                        1097595 1097643 1098217 1098569 1098697 1099119 1099192 1099793
                        1100396 1100415 1100488 1100779 1101040 1101470 1101470 1101591
                        1101797 1101820 1102046 1102310 1102526 1102564 1102908 1103320
                        1103678 1104531 1104700 1104780 1105031 1105068 1105166 1105396
                        1105435 1105437 1105459 1105460 1106019 1106390 1106873 1107030
                        1107066 1107067 1107116 1107121 1107617 1107640 1107941 1109197
                        1109252 1110304 1110435 1110445 1110700 1111019 1111342 1111345
                        1111345 1111498 1111499 1111622 1111657 1111973 1112024 1112310
                        1112570 1112723 1112726 1112758 1112780 1112928 1113083 1113100
                        1113554 1113632 1113660 1113665 1114135 1114407 1114592 1114674
                        1114675 1114681 1114686 1114933 1114984 1114993 1115640 1115929
                        1117025 1117063 1117354 1117993 1118086 1118087 1118087 1118364
                        1118629 1119063 1119069 1119069 1119105 1119414 1119687 1119937
                        1119971 1120279 1120323 1120346 1120374 1120402 1120472 1120644
                        1120689 1121045 1121051 1121207 1121446 1121563 1121563 1122000
                        1122191 1122208 1122271 1122361 1122729 1122983 1123043 1123333
                        1123371 1123377 1123378 1123685 1123710 1123727 1123820 1123892
                        1124122 1124153 1124223 1124644 1124847 1125007 1125352 1125352
                        1125410 1125439 1125604 1126056 1126096 1126117 1126118 1126119
                        1126327 1126377 1126590 1127073 1127155 1127223 1127308 1127557
                        1128246 1128323 1128383 1128598 1128794 1129346 1129389 1129576
                        1129598 1129753 1129859 1130045 1130230 1130325 1130326 1130557
                        1130681 1130682 1130840 1131060 1131264 1131330 1131686 1132348
                        1132400 1132721 1133452 1133506 1133509 1133808 1134193 1134217
                        1134524 1134659 1134819 1134856 1135123 1135170 1135709 1135751
                        1136717 1137001 1137053 1137624 1137832 1138459 1138939 1139083
                        1139083 1139937 1139959 1140016 1140647 1140868 1141059 1141093
                        1141322 1141853 1145433 915402 918346 937216 943457 953659 960273
                        969953 985657 991901 996146 CVE-2009-5155 CVE-2015-0247 CVE-2015-1572
                        CVE-2016-10739 CVE-2016-3189 CVE-2017-10790 CVE-2017-18269 CVE-2017-7500
                        CVE-2017-7607 CVE-2017-7608 CVE-2017-7609 CVE-2017-7610 CVE-2017-7611
                        CVE-2017-7612 CVE-2017-7613 CVE-2018-0495 CVE-2018-0500 CVE-2018-0732
                        CVE-2018-1000654 CVE-2018-1000858 CVE-2018-10360 CVE-2018-10844
                        CVE-2018-10845 CVE-2018-10846 CVE-2018-10903 CVE-2018-10906 CVE-2018-11236
                        CVE-2018-11237 CVE-2018-12015 CVE-2018-12020 CVE-2018-12384 CVE-2018-12404
                        CVE-2018-12404 CVE-2018-12405 CVE-2018-14404 CVE-2018-14567 CVE-2018-14618
                        CVE-2018-15686 CVE-2018-15688 CVE-2018-16062 CVE-2018-16402 CVE-2018-16403
                        CVE-2018-16428 CVE-2018-16429 CVE-2018-16839 CVE-2018-16840 CVE-2018-16842
                        CVE-2018-16864 CVE-2018-16865 CVE-2018-16866 CVE-2018-16868 CVE-2018-16868
                        CVE-2018-16869 CVE-2018-16890 CVE-2018-17466 CVE-2018-17953 CVE-2018-18074
                        CVE-2018-18310 CVE-2018-18311 CVE-2018-18312 CVE-2018-18313 CVE-2018-18314
                        CVE-2018-18492 CVE-2018-18493 CVE-2018-18494 CVE-2018-18498 CVE-2018-18500
                        CVE-2018-18501 CVE-2018-18505 CVE-2018-18520 CVE-2018-18521 CVE-2018-19211
                        CVE-2018-20346 CVE-2018-20406 CVE-2018-20843 CVE-2018-20852 CVE-2018-6954
                        CVE-2018-9251 CVE-2019-10160 CVE-2019-11709 CVE-2019-11711 CVE-2019-11712
                        CVE-2019-11713 CVE-2019-11715 CVE-2019-11717 CVE-2019-11719 CVE-2019-11729
                        CVE-2019-11730 CVE-2019-12450 CVE-2019-12749 CVE-2019-12900 CVE-2019-12900
                        CVE-2019-12904 CVE-2019-13012 CVE-2019-13050 CVE-2019-3822 CVE-2019-3823
                        CVE-2019-3829 CVE-2019-3836 CVE-2019-3842 CVE-2019-3843 CVE-2019-3844
                        CVE-2019-3880 CVE-2019-5010 CVE-2019-5021 CVE-2019-5436 CVE-2019-6446
                        CVE-2019-6454 CVE-2019-6454 CVE-2019-6706 CVE-2019-7150 CVE-2019-7665
                        CVE-2019-8905 CVE-2019-8906 CVE-2019-8907 CVE-2019-9169 CVE-2019-9636
                        CVE-2019-9811 CVE-2019-9936 CVE-2019-9937 CVE-2019-9947 SLE-3853
                        SLE-4117 SLE-5807 SLE-5933 SLE-6738 
-----------------------------------------------------------------

The container ses/6/rook/ceph was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1223-1
Released:    Tue Jun 26 11:41:00 2018
Summary:     Security update for gpg2
Type:        security
Severity:    important
References:  1096745,CVE-2018-12020
Description:

This update for gpg2 fixes the following security issue:

- CVE-2018-12020: GnuPG mishandled the original filename during decryption and
  verification actions, which allowed remote attackers to spoof the output that
  GnuPG sends on file descriptor 2 to other programs that use the '--status-fd 2'
  option (bsc#1096745).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1264-1
Released:    Tue Jul  3 10:56:12 2018
Summary:     Recommended update for curl
Type:        recommended
Severity:    moderate
References:  1086367
Description:

This update for curl provides the following fix:

- Use OPENSSL_config() instead of CONF_modules_load_file() to avoid crashes due to conflicting
  openssl engines. (bsc#1086367)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1327-1
Released:    Tue Jul 17 08:07:24 2018
Summary:     Security update for perl
Type:        security
Severity:    moderate
References:  1096718,CVE-2018-12015
Description:

This update for perl fixes the following issues:

- CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a
  directory-traversal protection mechanism and overwrite arbitrary files
  (bsc#1096718)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1332-1
Released:    Tue Jul 17 09:01:19 2018
Summary:     Recommended update for timezone
Type:        recommended
Severity:    moderate
References:  1073299,1093392
Description:

This update for timezone provides the following fixes:

- North Korea switches back from +0830 to +09 on 2018-05-05.
- Ireland's standard time is in the summer, with negative DST offset to standard time used
  in Winter. (bsc#1073299)
- yast2-country is no longer setting TIMEZONE in /etc/sysconfig/clock and is calling systemd
  timedatectl instead. Do not set /etc/localtime on timezone package updates to avoid
  setting an incorrect timezone. (bsc#1093392)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1334-1
Released:    Tue Jul 17 09:06:41 2018
Summary:     Recommended update for mozilla-nss
Type:        recommended
Severity:    moderate
References:  1096515
Description:

This update for mozilla-nss provides the following fixes:

- Update to NSS 3.36.4 required by Firefox 60.0.2. (bsc#1096515)
- Fix a problem that would cause connections to a server that was recently upgraded to TLS
  1.3 to result in an SSL_RX_MALFORMED_SERVER_HELLO error.
- Fix a rare bug with PKCS#12 files.
- Use relro linker option.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1346-1
Released:    Thu Jul 19 09:25:08 2018
Summary:     Security update for glibc
Type:        security
Severity:    moderate
References:  1082318,1092877,1094150,1094154,1094161,CVE-2017-18269,CVE-2018-11236,CVE-2018-11237
Description:

This update for glibc fixes the following security issues:

- CVE-2017-18269: An SSE2-optimized memmove implementation for i386 did not
  correctly perform the overlapping memory check if the source memory range
  spanned the middle of the address space, resulting in corrupt data being
  produced by the copy operation. This may have disclosed information to
  context-dependent attackers, resulted in a denial of service or code execution
  (bsc#1094150).
- CVE-2018-11236: Prevent integer overflow on 32-bit architectures when
  processing very long pathname arguments to the realpath function, leading to a
  stack-based buffer overflow (bsc#1094161).
- CVE-2018-11237: An AVX-512-optimized implementation of the mempcpy function
  may have written data beyond the target buffer, leading to a buffer overflow in
  __mempcpy_avx512_no_vzeroupper (bsc#1092877, bsc#1094154).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1353-1
Released:    Thu Jul 19 09:50:32 2018
Summary:     Security update for e2fsprogs
Type:        security
Severity:    moderate
References:  1009532,1038194,915402,918346,960273,CVE-2015-0247,CVE-2015-1572
Description:

This update for e2fsprogs fixes the following issues:

Security issues fixed:

- CVE-2015-0247: Fixed a couple of heap overflows in e2fsprogs (fsck, dumpe2fs, e2image...) (bsc#915402).
- CVE-2015-1572: Fixed potential buffer overflow in closefs() (bsc#918346).

Bug fixes:

- bsc#1038194: generic/405 test fails with /dev/mapper/thin-vol is inconsistent on ext4 file system.
- bsc#1009532: resize2fs hangs when trying to resize a large ext4 file system.
- bsc#960273: xfsprogs does not call %{?regenerate_initrd_post}.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1362-1
Released:    Thu Jul 19 12:47:33 2018
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:  1100415
Description:

ca-certificates-mozilla was updated to the 2.24 state of the Mozilla NSS Certificate store. (bsc#1100415)

Following CAs were removed:

* S-TRUST_Universal_Root_CA
* TC_TrustCenter_Class_3_CA_II
* TUeRKTRUST_Elektronik_Sertifika_Hizmet_Saglayicisi_H5

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1396-1
Released:    Thu Jul 26 16:23:09 2018
Summary:     Security update for rpm
Type:        security
Severity:    moderate
References:  1094735,1095148,943457,CVE-2017-7500
Description:

This update for rpm fixes the following issues:

This security vulnerability was fixed:

- CVE-2017-7500: Fixed symlink attacks during RPM installation (bsc#943457)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1409-1
Released:    Fri Jul 27 06:45:10 2018
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1039099,1083158,1088052,1091265,1093851,1095096,1095973,1098569
Description:

This update for systemd provides the following fixes:

- systemctl: Mask always reports the same unit names when different unknown units are passed. (bsc#1095973)
- systemctl: Check the existence of all units, not just the first one.
- scsi_id: Fix the prefix for pre-SPC inquiry reply. (bsc#1039099)
- device: Make sure to always retroactively start device dependencies. (bsc#1088052)
- locale-util: On overlayfs FTW_MOUNT causes nftw(3) to not list *any* files.
- Fix pattern to detect distribution.
- install: The 'user' and 'global' scopes are equivalent for user presets. (bsc#1093851)
- install: Search for preset files in /run (#7715)
- install: Consider globally enabled units as 'enabled' for the user. (bsc#1093851)
- install: Consider non-Alias=/non-DefaultInstance= symlinks as 'indirect' enablement.
- install: Only consider names in Alias= as 'enabling'.
- udev: Whitelist mlx4_core locally-administered MAC addresses in the persistent rule
  generator. (bsc#1083158)
- man: Updated systemd-analyze blame description for service-units with Type=simple.
  (bsc#1091265)
- fileio: Support writing atomic files with timestamp.
- fileio.c: Fix incorrect mtime
- Drop runtime dependency on dracut, otherwise systemd pulls in tools to generate the
  initrd even in container/chroot installations that don't have a kernel. For environments
  where initrd matters, dracut should be pulled via a pattern. (bsc#1098569)
- An update broke booting with encrypted partitions on NVMe (bsc#1095096)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1685-1
Released:    Fri Aug 17 18:20:58 2018
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1099793,CVE-2018-0500
Description:

This update for curl fixes the following issues:

Security issue fixed:

- CVE-2018-0500: Fix a SMTP send heap buffer overflow (bsc#1099793).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1754-1
Released:    Fri Aug 24 16:40:21 2018
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:  1104780
Description:

This update for ca-certificates-mozilla fixes the following issues:

Updated to the 2.26 state of the Mozilla NSS Certificate store. (bsc#1104780)

- removed server auth rights from the following CAs:

  - Certplus Root CA G1
  - Certplus Root CA G2
  - OpenTrust Root CA G1
  - OpenTrust Root CA G2
  - OpenTrust Root CA G3

- removed CA

    - ComSign CA

- new CA added:

    - GlobalSign

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1760-1
Released:    Fri Aug 24 17:14:53 2018
Summary:     Recommended update for libtirpc
Type:        recommended
Severity:    moderate
References:  1072183
Description:

This update for libtirpc fixes the following issues:

- rpcinfo: send RPC getport call as specified via parameter (bsc#1072183)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1775-1
Released:    Tue Aug 28 12:40:50 2018
Summary:     Recommended update for xfsprogs
Type:        recommended
Severity:    important
References:  1089777,1105396
Description:

This update for xfsprogs fixes the following issues:

- avoid divide-by-zero when hardware reports optimal i/o size as 0 (bsc#1089777)
- repair: shift inode back into place if corrupted by bad log replay (bsc#1105396).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1887-1
Released:    Wed Sep 12 12:34:28 2018
Summary:     Recommended update for python-websocket-client
Type:        recommended
Severity:    moderate
References:  1076519
Description:

This update for python-websocket-client fixes the following issues:

- Use the system's CA bundle file by default. (bsc#1076519)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1904-1
Released:    Fri Sep 14 12:46:39 2018
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1086367,1106019,CVE-2018-14618
Description:

This update for curl fixes the following issues:

This security issue was fixed:

- CVE-2018-14618: Prevent integer overflow in the NTLM authentication code
  (bsc#1106019)

This non-security issue was fixed:

- Use OPENSSL_config instead of CONF_modules_load_file() to avoid crashes due
  to openssl engines conflicts (bsc#1086367)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1999-1
Released:    Tue Sep 25 08:20:35 2018
Summary:     Recommended update for zlib
Type:        recommended
Severity:    moderate
References:  1071321
Description:

This update for zlib provides the following fixes:

- Speedup zlib on power8. (fate#325307)
- Add safeguard against negative values in uInt. (bsc#1071321)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2055-1
Released:    Thu Sep 27 14:30:14 2018
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    moderate
References:  1089640
Description:

This update for openldap2 provides the following fix:

- Fix slapd segfaults in mdb_env_reader_dest. (bsc#1089640)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2070-1
Released:    Fri Sep 28 08:02:02 2018
Summary:     Security update for gnutls
Type:        security
Severity:    moderate
References:  1047002,1105437,1105459,1105460,CVE-2017-10790,CVE-2018-10844,CVE-2018-10845,CVE-2018-10846
Description:

This update for gnutls fixes the following security issues:

- Improved mitigations against Lucky 13 class of attacks
- CVE-2018-10846: 'Just in Time' PRIME + PROBE cache-based side channel attack
  can lead to plaintext recovery (bsc#1105460)
- CVE-2018-10845: HMAC-SHA-384 vulnerable to Lucky thirteen attack due to use
  of wrong constant (bsc#1105459)
- CVE-2018-10844: HMAC-SHA-256 vulnerable to Lucky thirteen attack due to not
  enough dummy function calls (bsc#1105437)
- CVE-2017-10790: The _asn1_check_identifier function in Libtasn1 caused a NULL
  pointer dereference and crash (bsc#1047002)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2083-1
Released:    Sun Sep 30 14:06:33 2018
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1097158,1101470,CVE-2018-0732
Description:

This update for openssl-1_1 to 1.1.0i fixes the following issues:

These security issues were fixed:

- CVE-2018-0732: During key agreement in a TLS handshake using a DH(E) based
  ciphersuite a malicious server could have sent a very large prime value to the
  client. This caused the client to spend an unreasonably long period of time
  generating a key for this prime resulting in a hang until the client has
  finished. This could be exploited in a Denial Of Service attack (bsc#1097158)
- Make problematic ECDSA sign addition length-invariant
- Add blinding to ECDSA and DSA signatures to protect against side channel attacks

These non-security issues were fixed:

- When unlocking a pass phrase protected PEM file or PKCS#8 container, we now
  allow empty (zero character) pass phrases.
- Certificate time validation (X509_cmp_time) enforces stricter compliance with
  RFC 5280. Fractional seconds and timezone offsets are no longer allowed.
- Fixed a text canonicalisation bug in CMS
- Add openssl(cli) Provide so the packages that require the openssl binary can
  require this instead of the new openssl meta package (bsc#1101470)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2138-1
Released:    Thu Oct  4 15:52:15 2018
Summary:     Recommended update for sudo
Type:        recommended
Severity:    low
References:  1097643
Description:

This update for sudo fixes the following issues:

- fix permissions for /var/lib/sudo and /var/lib/sudo/ts (bsc#1097643)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2155-1
Released:    Fri Oct  5 14:41:17 2018
Summary:     Recommended update for ca-certificates
Type:        recommended
Severity:    moderate
References:  1101470
Description:

This update for ca-certificates fixes the following issues:

- Changed 'openssl' requirement to 'openssl(cli)' (bsc#1101470)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2170-1
Released:    Mon Oct  8 10:31:14 2018
Summary:     Recommended update for python3
Type:        recommended
Severity:    moderate
References:  1107030
Description:

This update for python3 fixes the following issues:

- Add -fwrapv to OPTS (the default for python3) to fix bugs that were
  caused by omitting it. (bsc#1107030)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2177-1
Released:    Tue Oct  9 09:00:13 2018
Summary:     Recommended update for bash
Type:        recommended
Severity:    moderate
References:  1095661,1095670,1100488
Description:

This update for bash provides the following fixes:

- Bugfix: Parse settings in inputrc for all screen TERM variables
  starting with 'screen.' (bsc#1095661)
- Make the generation of bash.html reproducible. (bsc#1100488)
- Use initgroups(3) instead of setgroups(2) to fix the usage of suid programs. (bsc#1095670)
- Fix a problem that could cause hash table bash uses to store exit statuses from
  asynchronous processes to develop loops in circumstances involving long-running scripts
  that create and reap many processes.
- Fix a problem that could cause the shell to loop if a SIGINT is received inside of a
  SIGINT trap handler.
- Fix cases where a failing readline command (e.g., delete-char at the end of a line) can
  cause a multi-character key sequence to 'back up' and attempt to re-read some of the
  characters in the sequence.
- Fix a problem when sourcing a file from an interactive shell, that setting the SIGINT
  handler to the default and typing ^C would cause the shell to exit.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2182-1
Released:    Tue Oct  9 11:08:36 2018
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1088279,1102046,1105166,CVE-2018-14404,CVE-2018-14567,CVE-2018-9251
Description:

This update for libxml2 fixes the following security issues:

- CVE-2018-9251: The xz_decomp function allowed remote attackers to cause a
  denial of service (infinite loop) via a crafted XML file that triggers
  LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1088279)
- CVE-2018-14567: Prevent denial of service (infinite loop) via a crafted XML
  file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint
  (bsc#1105166)
- CVE-2018-14404: Prevent NULL pointer dereference in the xmlXPathCompOpEval()
  function when parsing an invalid XPath expression in the XPATH_OP_AND or
  XPATH_OP_OR case leading to a denial of service attack (bsc#1102046)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2340-1
Released:    Fri Oct 19 16:05:53 2018
Summary:     Security update for fuse
Type:        security
Severity:    moderate
References:  1101797,CVE-2018-10906
Description:

This update for fuse fixes the following issues:

- CVE-2018-10906: fusermount was vulnerable to a restriction bypass when
  SELinux is active. This allowed non-root users to mount a FUSE file system with
  the 'allow_other' mount option regardless of whether 'user_allow_other' is set
  in the fuse configuration. An attacker may use this flaw to mount a FUSE file
  system, accessible by other users, and trick them into accessing files on that
  file system, possibly causing Denial of Service or other unspecified effects
  (bsc#1101797)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2346-1
Released:    Mon Oct 22 09:40:46 2018
Summary:     Recommended update for logrotate
Type:        recommended
Severity:    moderate
References:  1093617
Description:

This update for logrotate provides the following fix:

- Ensure the HOME environment variable is set to /root when logrotate is started via
  systemd. This allows mariadb to rotate its logs when the database has a root password
  defined. (bsc#1093617)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2370-1
Released:    Mon Oct 22 14:02:01 2018
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1102310,1104531
Description:

This update for aaa_base provides the following fixes:

- Let bash.bashrc work even for (m)ksh. (bsc#1104531)
- Fix an error at login if java system directory is empty. (bsc#1102310)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2430-1
Released:    Wed Oct 24 13:05:18 2018
Summary:     Security update for python-cryptography
Type:        security
Severity:    moderate
References:  1101820,CVE-2018-10903
Description:

This update for python-cryptography fixes the following issues:

- CVE-2018-10903: The finalize_with_tag API did not enforce a minimum tag
  length. If a user did not validate the input length prior to passing it to
  finalize_with_tag an attacker could craft an invalid payload with a shortened
  tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the
  MAC check. GCM tag forgeries could have caused key leakage (bsc#1101820).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2454-1
Released:    Thu Oct 25 11:19:46 2018
Summary:     Recommended update for python-pyOpenSSL
Type:        recommended
Severity:    moderate
References:  1110435
Description:

This update for python-pyOpenSSL fixes the following issues:

- Handle duplicate certificate addition using X509_STORE_add_cert so
  it works after upgrading to openssl 1.1.1. (bsc#1110435)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2463-1
Released:    Thu Oct 25 14:48:34 2018
Summary:     Recommended update for timezone, timezone-java
Type:        recommended
Severity:    moderate
References:  1104700,1112310
Description:

This update for timezone, timezone-java fixes the following issues:

The timezone database was updated to 2018f:

- Volgograd moves from +03 to +04 on 2018-10-28.
- Fiji ends DST 2019-01-13, not 2019-01-20.
- Most of Chile changes DST dates, effective 2019-04-06 (bsc#1104700)
- Corrections to past timestamps of DST transitions
- Use 'PST' and 'PDT' for Philippine time
- minor code changes to zic handling of the TZif format
- documentation updates

Other bugfixes:

- Fixed a zic problem with the 1948-1951 DST transition in Japan (bsc#1112310)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2485-1
Released:    Fri Oct 26 12:38:01 2018
Summary:     Recommended update for kmod
Type:        recommended
Severity:    moderate
References:  1112928
Description:

This update for kmod provides the following fixes:

- Allow 'modprobe -c' to print the status of the 'allow_unsupported_modules' option. (bsc#1112928)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2486-1
Released:    Fri Oct 26 12:38:27 2018
Summary:     Recommended update for xfsprogs
Type:        recommended
Severity:    moderate
References:  1105068
Description:

This update for xfsprogs fixes the following issues:

- Explicitly disable systemd unit files for scrub (bsc#1105068).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2487-1
Released:    Fri Oct 26 12:39:07 2018
Summary:     Recommended update for glibc
Type:        recommended
Severity:    moderate
References:  1102526
Description:

This update for glibc fixes the following issues:

- Fix build on aarch64 with binutils newer than 2.30.
- Fix year 2039 bug for localtime with 64-bit time_t (bsc#1102526)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2539-1
Released:    Tue Oct 30 16:17:23 2018
Summary:     Recommended update for rpm
Type:        recommended
Severity:    moderate
References:  1113100
Description:

This update for rpm fixes the following issues:

- On PowerPC64 fix the superfluous TOC. dependency (bsc#1113100)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2550-1
Released:    Wed Oct 31 16:16:56 2018
Summary:     Recommended update for timezone, timezone-java
Type:        recommended
Severity:    moderate
References:  1113554
Description:

This update provides the latest time zone definitions (2018g), including the following change:

- Morocco switched from +00/+01 to permanent +01 effective 2018-10-28 (bsc#1113554)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2569-1
Released:    Fri Nov  2 19:00:18 2018
Summary:     Recommended update for pam
Type:        recommended
Severity:    moderate
References:  1110700
Description:

This update for pam fixes the following issues:

- Remove limits for nproc from /etc/security/limits.conf (bsc#1110700)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2578-1
Released:    Mon Nov  5 17:55:35 2018
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1112758,1113660,CVE-2018-16839,CVE-2018-16840,CVE-2018-16842
Description:

This update for curl fixes the following issues:

- CVE-2018-16839: A SASL password buffer overflow via integer overflow was fixed which could lead to crashes (bsc#1112758)
- CVE-2018-16840: A use-after-free in SASL handle close was fixed which could lead to crashes (bsc#1112758)
- CVE-2018-16842: An out-of-bounds read in tool_msgs.c was fixed which could lead to crashes (bsc#1113660)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2595-1
Released:    Wed Nov  7 11:14:42 2018
Summary:     Security update for systemd
Type:        security
Severity:    important
References:  1089761,1090944,1091677,1093753,1101040,1102908,1105031,1107640,1107941,1109197,1109252,1110445,1112024,1113083,1113632,1113665,1114135,991901,CVE-2018-15686,CVE-2018-15688
Description:

This update for systemd fixes the following issues:

Security issues fixed:

- CVE-2018-15688: A buffer overflow vulnerability in the dhcp6 client of systemd allowed a malicious dhcp6 server to overwrite heap memory in systemd-networkd. (bsc#1113632)
- CVE-2018-15686: A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. (bsc#1113665)

Non security issues fixed:

- dhcp6: split assert_return() to be more debuggable when hit
- core: skip unit deserialization and move to the next one when unit_deserialize() fails
- core: properly handle deserialization of unknown unit types (#6476)
- core: don't create Requires for workdir if 'missing ok' (bsc#1113083)
- logind: use manager_get_user_by_pid() where appropriate
- logind: rework manager_get_{user|session}_by_pid() a bit
- login: fix user at .service case, so we don't allow nested sessions (#8051) (bsc#1112024)
- core: be more defensive if we can't determine per-connection socket peer (#7329)
- core: introduce systemd.early_core_pattern= kernel cmdline option
- core: add missing 'continue' statement
- core/mount: fstype may be NULL
- journald: don't ship systemd-journald-audit.socket (bsc#1109252)
- core: make 'tmpfs' dependencies on swapfs a 'default' dep, not an 'implicit' (bsc#1110445)
- mount: make sure we unmount tmpfs mounts before we deactivate swaps (#7076)
- detect-virt: do not try to read all of /proc/cpuinfo (bsc#1109197)
- emergency: make sure console password agents don't interfere with the emergency shell
- man: document that 'nofail' also has an effect on ordering
- journald: take leading spaces into account in syslog_parse_identifier
- journal: do not remove multiple spaces after identifier in syslog message
- syslog: fix segfault in syslog_parse_priority()
- journal: fix syslog_parse_identifier()
- install: drop left-over debug message (#6913)
- Ship systemd-sysv-install helper via the main package
  This script was part of systemd-sysvinit sub-package but it was
  wrong since systemd-sysv-install is a script used to redirect
  enable/disable operations to chkconfig when the unit targets are
  sysv init scripts. Therefore it's never been a SysV init tool.
- Add udev.no-partlabel-links kernel command-line option. This option can be used to disable
  the generation of the by-partlabel symlinks regardless of the name used. (bsc#1089761)
- man: SystemMaxUse= clarification in journald.conf(5). (bsc#1101040)
- systemctl: load unit if needed in 'systemctl is-active' (bsc#1102908)
- core: don't freeze OnCalendar= timer units when the clock goes back a lot (bsc#1090944)
- Enable or disable machines.target according to the presets (bsc#1107941)
- cryptsetup: add support for sector-size= option (fate#325697)
- nspawn: always use permission mode 555 for /sys (bsc#1107640)
- Bugfix for a race condition between daemon-reload and other commands (bsc#1105031)
- Fixes an issue where login with root credentials was not possible in init level 5 (bsc#1091677)
- Fix an issue where services of type 'notify' produced harmless DENIED log entries. (bsc#991901)
- No longer adjust qgroups on existing subvolumes (bsc#1093753)
- cryptsetup: add support for sector-size= option (#9936) (fate#325697 bsc#1114135)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2607-1
Released:    Wed Nov  7 15:42:48 2018
Summary:     Optional update for gcc8
Type:        recommended
Severity:    low
References:  1084812,1084842,1087550,1094222,1102564
Description:


The GNU Compiler GCC 8 is being added to the Development Tools Module by this
update.

The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other
gcc derived libraries for the Basesystem module of SUSE Linux Enterprise 15.

Various optimizers have been improved in GCC 8, several bugs were fixed,
quite a few new warnings were added, and error pin-pointing and
fix suggestions have been greatly improved.

The GNU Compiler page for GCC 8 contains a summary of all the changes that
have happened:

    https://gcc.gnu.org/gcc-8/changes.html

Changes needed and common pitfalls when porting software are described at:

    https://gcc.gnu.org/gcc-8/porting_to.html


-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2641-1
Released:    Mon Nov 12 20:39:30 2018
Summary:     Recommended update for nfsidmap
Type:        recommended
Severity:    moderate
References:  1098217
Description:

This update for nfsidmap fixes the following issues:

- Improve support for SAMBA with Active Directory. (bsc#1098217)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2644-1
Released:    Mon Nov 12 20:40:15 2018
Summary:     Recommended update for glib2-branding
Type:        recommended
Severity:    low
References:  1097595
Description:

This update for glib2-branding provides the following fix:

- Recommend sound-theme-freedesktop on SLE. (bsc#1097595)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2742-1
Released:    Thu Nov 22 13:28:36 2018
Summary:     Recommended update for rpcbind
Type:        recommended
Severity:    moderate
References:  969953
Description:

This update for rpcbind fixes the following issues:

- Fix tool stack buffer overflow aborting (bsc#969953)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2744-1
Released:    Thu Nov 22 14:30:38 2018
Summary:     Recommended update for apparmor
Type:        recommended
Severity:    moderate
References:  1111345
Description:

This update for apparmor fixes the following issues:

- allow dnsmasq to open logfiles (bsc#1111345)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2780-1
Released:    Mon Nov 26 17:46:10 2018
Summary:     Security update for glib2
Type:        security
Severity:    moderate
References:  1107116,1107121,1111499,CVE-2018-16428,CVE-2018-16429
Description:

This update for glib2 fixes the following issues:

Security issues fixed:

- CVE-2018-16428: Fixed a NULL pointer dereference (crash), at the cost of
  introducing a new translatable error message (bsc#1107121).
- CVE-2018-16429: Fixed an out-of-bounds read vulnerability in g_markup_parse_context_parse() (bsc#1107116).

Non-security issue fixed:

- various GVariant parsing issues have been resolved (bsc#1111499)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2825-1
Released:    Mon Dec  3 15:35:02 2018
Summary:     Security update for pam
Type:        security
Severity:    important
References:  1115640,CVE-2018-17953
Description:

This update for pam fixes the following issue:

Security issue fixed:

- CVE-2018-17953: Fixed IP address and subnet handling of pam_access.so that was not honoured correctly when a single host was specified (bsc#1115640).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2861-1
Released:    Thu Dec  6 14:32:01 2018
Summary:     Security update for ncurses
Type:        security
Severity:    important
References:  1103320,1115929,CVE-2018-19211
Description:

This update for ncurses fixes the following issues:

Security issue fixed:

- CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929).

Non-security issue fixed:

- Remove screen.xterm from the terminfo database so that screen uses the fallback TERM=screen (bsc#1103320).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2873-1
Released:    Fri Dec  7 13:27:36 2018
Summary:     Recommended update for python-cffi
Type:        recommended
Severity:    moderate
References:  1111657
Description:

This update for python-cffi fixes the following issues:

- Fix the testsuite of python-cffi like upstream to solve corruption at build (bsc#1111657)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2961-1
Released:    Mon Dec 17 19:51:40 2018
Summary:     Recommended update for psmisc
Type:        recommended
Severity:    moderate
References:  1098697,1112780
Description:

This update for psmisc provides the following fixes:

- Make the fuser option -m <block_device> work even with mountinfo. (bsc#1098697)
- Also support btrfs entries in mountinfo, that is, use stat(2) to determine the device
  of the mounted subvolume (bsc#1098697, bsc#1112780)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2984-1
Released:    Wed Dec 19 11:32:39 2018
Summary:     Security update for perl
Type:        security
Severity:    moderate
References:  1114674,1114675,1114681,1114686,CVE-2018-18311,CVE-2018-18312,CVE-2018-18313,CVE-2018-18314
Description:

This update for perl fixes the following issues:

Security issues fixed:

- CVE-2018-18311: Fixed integer overflow with oversize environment (bsc#1114674).
- CVE-2018-18312: Fixed heap-buffer-overflow write / reg_node overrun (bsc#1114675).
- CVE-2018-18313: Fixed heap-buffer-overflow read if regex contains \0 chars (bsc#1114681).
- CVE-2018-18314: Fixed heap-buffer-overflow in regex (bsc#1114686).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2986-1
Released:    Wed Dec 19 13:53:22 2018
Summary:     Security update for libnettle
Type:        security
Severity:    moderate
References:  1118086,CVE-2018-16869
Description:

This update for libnettle fixes the following issues:

Security issues fixed:

- CVE-2018-16869: Fixed a leaky data conversion exposing a manager oracle (bsc#1118086)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:3044-1
Released:    Fri Dec 21 18:47:21 2018
Summary:     Security update for MozillaFirefox, mozilla-nspr and mozilla-nss
Type:        security
Severity:    important
References:  1097410,1106873,1119069,1119105,CVE-2018-0495,CVE-2018-12384,CVE-2018-12404,CVE-2018-12405,CVE-2018-17466,CVE-2018-18492,CVE-2018-18493,CVE-2018-18494,CVE-2018-18498
Description:

This update for MozillaFirefox, mozilla-nss and mozilla-nspr fixes the following issues:

Issues fixed in MozillaFirefox:

- Update to Firefox ESR 60.4 (bsc#1119105)
- CVE-2018-17466: Fixed a buffer overflow and out-of-bounds read in the ANGLE library with TextureStorage11
- CVE-2018-18492: Fixed a use-after-free with select element
- CVE-2018-18493: Fixed a buffer overflow in accelerated 2D canvas with Skia
- CVE-2018-18494: Fixed a Same-origin policy violation using location attribute and performance.getEntries
  to steal cross-origin URLs
- CVE-2018-18498: Fixed an integer overflow when calculating buffer sizes for images
- CVE-2018-12405: Fixed a few memory safety bugs

Issues fixed in mozilla-nss:

- Update to NSS 3.40.1 (bsc#1119105)
- CVE-2018-12404: Fixed a cache side-channel variant of the Bleichenbacher attack (bsc#1119069)
- CVE-2018-12384: Fixed an issue in the SSL handshake. NSS responded to an
  SSLv2-compatible ClientHello with a ServerHello that had an all-zero random. (bsc#1106873)
- CVE-2018-0495: Fixed a memory-cache side-channel attack with ECDSA signatures (bsc#1097410)
- Fixed a decryption failure during FFDHE key exchange
- Various security fixes in the ASN.1 code

Issues fixed in mozilla-nspr:

- Update mozilla-nspr to 4.20 (bsc#1119105)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:6-1
Released:    Wed Jan  2 20:25:25 2019
Summary:     Recommended update for gcc7
Type:        recommended
Severity:    moderate
References:  1099119,1099192
Description:



GCC 7 was updated to the GCC 7.4 release.

- Fix AVR configuration to not use __cxa_atexit or libstdc++ headers.
  Point to /usr/avr/sys-root/include as system header include directory.
- Includes fix for build with ISL 0.20.
- Pulls fix for libcpp lexing bug on ppc64le manifesting during
  build with gcc8.  [bsc#1099119]
- Pulls fix for forcing compile-time tuning even when building
  with -march=z13 on s390x.  [bsc#1099192]
- Fixes support for 32bit ASAN with glibc 2.27+


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:23-1
Released:    Mon Jan  7 16:30:33 2019
Summary:     Security update for gpg2
Type:        security
Severity:    moderate
References:  1120346,CVE-2018-1000858
Description:

This update for gpg2 fixes the following issue:

Security issue fixed:

- CVE-2018-1000858: Fixed a Cross-Site Request Forgery (CSRF) vulnerability in dirmngr
  that can result in attacker-controlled CSRF (bsc#1120346).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:44-1
Released:    Tue Jan  8 13:07:32 2019
Summary:     Recommended update for acl
Type:        recommended
Severity:    low
References:  953659
Description:

This update for acl fixes the following issues:

- test: Add helper library to fake passwd/group files.
- quote: Escape literal backslashes. (bsc#953659)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:56-1
Released:    Thu Jan 10 15:04:46 2019
Summary:     Recommended update for apparmor
Type:        recommended
Severity:    moderate
References:  1111345
Description:

This update for apparmor fixes the following issues:

- Update the last dnsmasq fix for logfiles when running under apparmor (bsc#1111345)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:62-1
Released:    Thu Jan 10 20:30:58 2019
Summary:     Recommended update for xfsprogs
Type:        recommended
Severity:    moderate
References:  1119063
Description:

This update for xfsprogs fixes the following issues:

- Fix root inode's parent when it's bogus for sf directory (xfs repair).
  (bsc#1119063)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:91-1
Released:    Tue Jan 15 14:14:43 2019
Summary:     Recommended update for mozilla-nss
Type:        recommended
Severity:    moderate
References:  1090767,1121045,1121207
Description:

This update for mozilla-nss fixes the following issues:

- The hmac packages used in FIPS certification were inadvertently removed in the last update and have been re-added. (bsc#1121207)
- Added 'Suggest:' for libfreebl3 and libsoftokn3 respective -hmac packages to avoid dependency issues during updates (bsc#1090767, bsc#1121045)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:102-1
Released:    Tue Jan 15 18:02:58 2019
Summary:     Recommended update for timezone
Type:        recommended
Severity:    moderate
References:  1120402
Description:

This update for timezone fixes the following issues:

- Update 2018i:
  São Tomé and Príncipe switches from +01 to +00 on 2019-01-01. (bsc#1120402)
- Update 2018h:
  Qyzylorda, Kazakhstan moved from +06 to +05 on 2018-12-21
  New zone Asia/Qostanay because Qostanay, Kazakhstan didn't move
  Metlakatla, Alaska observes PST this winter only
  Guess Morocco will continue to adjust clocks around Ramadan
  Add predictions for Iran from 2038 through 2090
  
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:137-1
Released:    Mon Jan 21 15:52:45 2019
Summary:     Security update for systemd
Type:        security
Severity:    important
References:  1005023,1045723,1076696,1080919,1093753,1101591,1111498,1114933,1117063,1119971,1120323,CVE-2018-16864,CVE-2018-16865,CVE-2018-16866,CVE-2018-6954
Description:

This update for systemd provides the following fixes:

Security issues fixed:

- CVE-2018-16864, CVE-2018-16865: Fixed two memory corruptions through attacker-controlled alloca()s (bsc#1120323)
- CVE-2018-16866: Fixed an information leak in journald (bsc#1120323)
- CVE-2018-6954: Fix mishandling of symlinks present in non-terminal path components (bsc#1080919)
- Fixed an issue during system startup in relation to encrypted swap disks (bsc#1119971)

Non-security issues fixed:

- pam_systemd: Fix 'Cannot create session: Already running in a session' (bsc#1111498)
- systemd-vconsole-setup: vconsole setup fails, fonts will not be copied to tty (bsc#1114933)
- systemd-tmpfiles-setup: symlinked /tmp to /var/tmp breaking multiple units (bsc#1045723)
- Fixed installation issue with /etc/machine-id during update (bsc#1117063)
- btrfs: qgroups are assigned to parent qgroups after reboot (bsc#1093753)
- logind: Stop managing VT switches if no sessions are registered on that VT. (bsc#1101591)
- udev: Downgrade message when setting up an inotify watch fails. (bsc#1005023)
- udev: Ignore the exit code of systemd-detect-virt for memory hot-add. In SLE-12-SP3,
  80-hotplug-cpu-mem.rules has a memory hot-add rule that uses systemd-detect-virt to
  detect a non-zvm environment. systemd-detect-virt returns a failure exit code when it
  detects the _none_ state, which prevented the hot-added memory block from being set
  online. (bsc#1076696)
  
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:147-1
Released:    Wed Jan 23 17:57:31 2019
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:  1121446
Description:

This update for ca-certificates-mozilla fixes the following issues:

The package was updated to the 2.30 version of the Mozilla NSS Certificate store. (bsc#1121446)

Removed Root CAs:

  - AC Raiz Certicamara S.A.
  - Certplus Root CA G1
  - Certplus Root CA G2
  - OpenTrust Root CA G1
  - OpenTrust Root CA G2
  - OpenTrust Root CA G3
  - Visa eCommerce Root

Added Root CAs:

  - Certigna Root CA (email and server auth)
  - GTS Root R1 (server auth)
  - GTS Root R2 (server auth)
  - GTS Root R3 (server auth)
  - GTS Root R4 (server auth)
  - OISTE WISeKey Global Root GC CA (email and server auth)
  - UCA Extended Validation Root (server auth)
  - UCA Global G2 Root (email and server auth)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:151-1
Released:    Wed Jan 23 17:58:59 2019
Summary:     Recommended update for apparmor
Type:        recommended
Severity:    moderate
References:  1082956,1097370,1100779,1111342,1117354,1119937,1120472
Description:

This update for apparmor fixes the following issues:

- Change the path of rpm in lessopen.sh (bsc#1082956, bsc#1117354)
- allow network access in lessopen.sh for reading files on NFS (workaround
  for bsc#1119937 / lp#1784499)
- dropped check that lets aa-logprof error out in a corner-case (log
  event for a non-existing profile while a profile file with the default
  filename for that non-existing profile exists) (bsc#1120472)
- netconfig: write resolv.conf to /run with link to /etc (fate#325872,
  bsc#1097370) [patch apparmor-nameservice-resolv-conf-link.patch]

Update to AppArmor 2.12.2:

  - add profile names to most profiles
  - update dnsmasq profile (pid file and logfile path) (bsc#1111342)
  - add vulkan abstraction
  - add letsencrypt certificate path to abstractions/ssl_*
  - ignore *.orig and *.rej files when loading profiles
  - fix aa-complain etc. to handle named profiles
  - several bugfixes and small profile improvements
  - see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.12.2
    for the detailed upstream changelog

Update to AppArmor 2.12.1:

  - add qt5 and qt5-compose-cache-write abstractions
  - add @{uid} and @{uids} kernel var placeholders
  - several profile and abstraction updates
  - add support for conditional includes ('include if exists')
  - ignore 'abi' rules in parser and tools (instead of erroring out)
  - utils: fix overwriting of child profile flags if they differ from
    the main profile
  - several bugfixes (including bsc#1100779)
  - see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.12.1
    for detailed upstream release notes


-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:170-1
Released:    Fri Jan 25 13:43:29 2019
Summary:     Recommended update for kmod
Type:        recommended
Severity:    moderate
References:  1118629
Description:

This update for kmod fixes the following issues:

- Fix module dependency file corruption on parallel invocation (bsc#1118629).
- Allow 'modprobe -c' to print the status of the 'allow_unsupported_modules' option.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:189-1
Released:    Mon Jan 28 14:14:46 2019
Summary:     Recommended update for rpm
Type:        recommended
Severity:    moderate
References:  
Description:

This update for rpm fixes the following issues:

- Add kmod(module) provides to kernel and KMPs (fate#326579).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:215-1
Released:    Thu Jan 31 15:59:57 2019
Summary:     Security update for python3
Type:        security
Severity:    important
References:  1120644,1122191,CVE-2018-20406,CVE-2019-5010
Description:

This update for python3 fixes the following issues:

Security issues fixed:

- CVE-2019-5010: Fixed a denial-of-service vulnerability in the X509 certificate parser (bsc#1122191)
- CVE-2018-20406: Fixed an integer overflow via a large LONG_BINPUT (bsc#1120644)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:247-1
Released:    Wed Feb  6 07:18:45 2019
Summary:     Security update for lua53
Type:        security
Severity:    moderate
References:  1123043,CVE-2019-6706
Description:

This update for lua53 fixes the following issues:

Security issue fixed:

- CVE-2019-6706: Fixed a use-after-free bug in the lua_upvaluejoin function of lapi.c (bsc#1123043)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:248-1
Released:    Wed Feb  6 08:35:20 2019
Summary:     Security update for curl
Type:        security
Severity:    important
References:  1123371,1123377,1123378,CVE-2018-16890,CVE-2019-3822,CVE-2019-3823
Description:

This update for curl fixes the following issues:

Security issues fixed:

- CVE-2019-3823: Fixed a heap out-of-bounds read in the code handling the end-of-response for SMTP (bsc#1123378).
- CVE-2019-3822: Fixed a stack based buffer overflow in the function creating an outgoing NTLM type-3 message (bsc#1123377).
- CVE-2018-16890: Fixed a heap buffer out-of-bounds read in the function handling incoming NTLM type-2 messages (bsc#1123371).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:251-1
Released:    Wed Feb  6 11:22:43 2019
Summary:     Recommended update for glib2
Type:        recommended
Severity:    moderate
References:  1090047
Description:

This update for glib2 provides the following fix:

- Enable systemtap. (fate#326393, bsc#1090047)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:273-1
Released:    Wed Feb  6 16:48:18 2019
Summary:     Security update for MozillaFirefox
Type:        security
Severity:    important
References:  1119069,1120374,1122983,CVE-2018-12404,CVE-2018-18500,CVE-2018-18501,CVE-2018-18505
Description:

This update for MozillaFirefox and mozilla-nss fixes the following issues:

Security issues fixed:

- CVE-2018-18500: Fixed a use-after-free parsing HTML5 stream (bsc#1122983).
- CVE-2018-18501: Fixed multiple memory safety bugs (bsc#1122983).
- CVE-2018-18505: Fixed a privilege escalation through IPC channel messages (bsc#1122983).
- CVE-2018-12404: Cache side-channel variant of the Bleichenbacher attack (bsc#1119069).

Non-security issues fixed:

- Update to MozillaFirefox ESR 60.5.0
- Update to mozilla-nss 3.41.1

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:369-1
Released:    Wed Feb 13 14:01:42 2019
Summary:     Recommended update for itstool
Type:        recommended
Severity:    moderate
References:  1065270,1111019
Description:

This update for itstool and python-libxml2-python fixes the following issues:

Package: itstool
  - Updated version to support Python3. (bnc#1111019)

Package: python-libxml2-python
  - Fix segfault when parsing invalid data. (bsc#1065270)
  
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:418-1
Released:    Sat Feb 16 11:33:57 2019
Summary:     Security update for python-numpy
Type:        security
Severity:    important
References:  1122208,CVE-2019-6446
Description:

This update for python-numpy fixes the following issue:

Security issue fixed:

- CVE-2019-6446: Set allow_pickle to False by default to restrict loading untrusted content (bsc#1122208).
  This update reduces the possibility of remote attackers executing arbitrary code by
  misusing numpy.load(). A runtime warning is shown when allow_pickle is not explicitly set.

NOTE: By applying this update the behavior of python-numpy changes, which might break your application.
In order to get the old behaviour back, you have to explicitly set `allow_pickle` to True. Be aware
that this should only be done for trusted input, as loading untrusted input might lead to arbitrary code
execution.
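The mechanism behind this change, as an added example that is not part of the advisory or of numpy: a static scan of which names a pickle stream would import, and an allow-list unpickler, using only the standard library's pickle module (numpy.load() relies on pickle for object arrays). The sample streams are constructed inline; OrderedDict stands in for any class a payload would need to import.

```python
"""Added example (not from the SUSE advisory or from numpy): the mechanism
behind CVE-2019-6446 and the allow_pickle=False default, shown with the
standard library's pickle module, which numpy.load() uses for object arrays.

A pickle stream is a program for a small stack machine: GLOBAL/STACK_GLOBAL
make the unpickler import an arbitrary name and REDUCE calls it, so unpickling
untrusted bytes hands the sender code execution. Two defences follow: a static
scan listing which names a stream would import (for logging and triage), and a
restricted unpickler that resolves only an explicit allow-list.
"""
from __future__ import annotations

import io
import pickle
import pickletools
from collections import OrderedDict

# Opcodes that push a text string; STACK_GLOBAL consumes the two most recent.
_STRING_OPS = {"UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8",
               "STRING", "BINSTRING", "SHORT_BINSTRING"}

# Allow-list used in the demonstration below (a harmless stand-in class).
ALLOW_ORDEREDDICT = frozenset({("collections", "OrderedDict")})


def referenced_globals(data: bytes) -> list[tuple[str, str]]:
    """Statically list the (module, name) pairs a pickle would import.

    Nothing is executed: pickletools.genops only disassembles the stream.
    Pairing STACK_GLOBAL with the two most recent string pushes is exact for
    streams written by pickle.dumps() but can be fooled by hand-made streams
    that fetch strings from the memo, so a non-empty result means 'unsafe'
    while an empty one is not proof of safety.
    """
    refs: list[tuple[str, str]] = []
    strings: list[str] = []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name in _STRING_OPS:
            strings.append(arg)
        elif opcode.name in ("GLOBAL", "INST"):
            module, name = arg.split(" ", 1)  # pickletools joins the pair with a space
            refs.append((module, name))
        elif opcode.name == "STACK_GLOBAL":
            name = strings.pop() if strings else "?"
            module = strings.pop() if strings else "?"
            refs.append((module, name))
    return refs


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only an explicit allow-list of globals.

    Plain data (numbers, str, bytes, list, tuple, dict, set, bool, None)
    never calls find_class, so it still loads with an empty allow-list.
    """

    def __init__(self, file, allowed: frozenset[tuple[str, str]] = frozenset()):
        super().__init__(file)
        self.allowed = allowed

    def find_class(self, module: str, name: str):
        if (module, name) in self.allowed:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing to resolve {module}.{name}: not on the allow-list")


def restricted_loads(data: bytes, allowed: frozenset[tuple[str, str]] = frozenset()):
    """pickle.loads() replacement: only allow-listed globals may be imported."""
    return RestrictedUnpickler(io.BytesIO(data), allowed).load()


def try_restricted_load(data: bytes, allowed=frozenset()) -> tuple[bool, object]:
    """Return (True, object) on success or (False, reason) when refused."""
    try:
        return True, restricted_loads(data, allowed)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


def sample_payloads() -> dict[str, bytes]:
    """Constructed samples: a plain-data pickle and one that must import a
    class (harmless here, but it takes the same opcode path a hostile payload
    would)."""
    return {
        "plain": pickle.dumps([1, 2.5, "x"]),
        "needs_import": pickle.dumps(OrderedDict(a=1)),
    }


if __name__ == "__main__":
    payloads = sample_payloads()
    for label, blob in payloads.items():
        print(label, "would import:", referenced_globals(blob))
    print(try_restricted_load(payloads["plain"]))                # (True, [1, 2.5, 'x'])
    print(try_restricted_load(payloads["needs_import"]))         # refused
    print(try_restricted_load(payloads["needs_import"], ALLOW_ORDEREDDICT))
```

Refusing every pickle outright (what allow_pickle=False does) remains the right default for a file format; the allow-list unpickler is for the narrower case where pickled objects genuinely have to be accepted.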

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:426-1
Released:    Mon Feb 18 17:46:55 2019
Summary:     Security update for systemd
Type:        security
Severity:    important
References:  1117025,1121563,1122000,1123333,1123727,1123892,1124153,1125352,CVE-2019-6454
Description:

This update for systemd fixes the following issues:

- CVE-2019-6454: Overlong DBUS messages could be used to crash systemd (bsc#1125352)

- units: make sure initrd-cleanup.service terminates before switching to rootfs (bsc#1123333)
- logind: fix bad error propagation
- login: log session state 'closing' (as well as New/Removed)
- logind: fix borked r check
- login: don't remove all devices from PID1 when only one was removed
- login: we only allow opening character devices
- login: correct comment in session_device_free()
- login: remember that fds received from PID1 need to be removed eventually
- login: fix FDNAME in call to sd_pid_notify_with_fds()
- logind: fd 0 is a valid fd
- logind: rework sd_eviocrevoke()
- logind: check file is device node before using .st_rdev
- logind: use the new FDSTOREREMOVE=1 sd_notify() message (bsc#1124153)
- core: add a new sd_notify() message for removing fds from the FD store again
- logind: make sure we don't trip up on half-initialized session devices (bsc#1123727)
- fd-util: accept that kcmp might fail with EPERM/EACCES
- core: Fix use after free case in load_from_path() (bsc#1121563)
- core: include Found state in device dumps
- device: fix serialization and deserialization of DeviceFound
- fix path in btrfs rule (#6844)
- assemble multidevice btrfs volumes without external tools (#6607) (bsc#1117025)
- Update systemd-system.conf.xml (bsc#1122000)
- units: inform user that the default target is started after exiting from rescue or emergency mode
- core: free lines after reading them (bsc#1123892)
- sd-bus: if we receive an invalid dbus message, ignore and proceed
- automount: don't pass non-blocking pipe to kernel.
  
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:532-1
Released:    Fri Mar  1 13:47:29 2019
Summary:     Recommended update for console-setup, kbd
Type:        recommended
Severity:    moderate
References:  1122361
Description:

This update for console-setup and kbd provides the following fix:

- Fix Shift-Tab mapping. (bsc#1122361)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:571-1
Released:    Thu Mar  7 18:13:46 2019
Summary:     Security update for file
Type:        security
Severity:    moderate
References:  1096974,1096984,1126117,1126118,1126119,CVE-2018-10360,CVE-2019-8905,CVE-2019-8906,CVE-2019-8907
Description:

This update for file fixes the following issues:

The following security vulnerabilities were addressed:

- CVE-2018-10360: Fixed an out-of-bounds read in the function do_core_note in
  readelf.c, which allowed remote attackers to cause a denial of service
  (application crash) via a crafted ELF file (bsc#1096974)
- CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c
  (bsc#1126118)
- CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf.c
  (bsc#1126119)
- CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c
  (bsc#1126117)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:577-1
Released:    Mon Mar 11 12:03:49 2019
Summary:     Recommended update for apparmor
Type:        recommended
Severity:    important
References:  1123820,1127073
Description:


This update for apparmor fixes the following issues:

- apparmor prevents libvirtd from starting (bsc#1127073)
- Start apparmor after filesystem remount (bsc#1123820)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:641-1
Released:    Tue Mar 19 13:17:28 2019
Summary:     Recommended update for glibc
Type:        recommended
Severity:    moderate
References:  1112570,1114984,1114993
Description:

This update for glibc provides the following fixes:

- Fix Haswell CPU string flags. (bsc#1114984)
- Fix waiters-after-spinning case. (bsc#1114993)
- Do not relocate absolute symbols. (bsc#1112570)
- Add glibc-locale-base subpackage containing only C, C.UTF-8 and en_US.UTF-8 locales.
  (fate#326551)
- Add HWCAP_ATOMICS to HWCAP_IMPORTANT (fate#325962)
- Remove slow paths from math routines. (fate#325815, fate#325879, fate#325880,
  fate#325881, fate#325882)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:664-1
Released:    Wed Mar 20 14:54:12 2019
Summary:     Recommended update for gpgme
Type:        recommended
Severity:    low
References:  1121051
Description:

This update for gpgme provides the following fix:

- Re-generate keys in Qt tests to not expire. (bsc#1121051)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:700-1
Released:    Thu Mar 21 19:54:00 2019
Summary:     Recommended update for cyrus-sasl
Type:        recommended
Severity:    moderate
References:  1044840
Description:

This update for cyrus-sasl provides the following fix:

- Fix a problem that caused syslog to be polluted with 'GSSAPI client step 1' messages.
  In the server context the connection is passed to the log function, but the client context
  does not carry log-level information, so there was no way to suppress DEBUG-level logs.
  (bsc#1044840)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:713-1
Released:    Fri Mar 22 15:55:05 2019
Summary:     Recommended update for glibc
Type:        recommended
Severity:    moderate
References:  1063675,1126590
Description:

This update for glibc fixes the following issues:

- Add MAP_SYNC from Linux 4.15 (bsc#1126590)
- Add MAP_SHARED_VALIDATE from Linux 4.15 (bsc#1126590)
- nptl: Preserve error in setxid thread broadcast in coredumps (bsc#1063675, BZ #22153)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:732-1
Released:    Mon Mar 25 14:10:04 2019
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1088524,1118364,1128246
Description:

This update for aaa_base fixes the following issues:

- Restore old position of ssh/sudo source of profile (bsc#1118364).
- Update logic for JRE_HOME env variable (bsc#1128246)
 

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:788-1
Released:    Thu Mar 28 11:55:06 2019
Summary:     Security update for sqlite3
Type:        security
Severity:    moderate
References:  1119687,CVE-2018-20346
Description:

This update for sqlite3 to version 3.27.2 fixes the following issue:

Security issue fixed: 

- CVE-2018-20346: Fixed a remote code execution vulnerability in FTS3 (Magellan) (bsc#1119687).

Release notes: https://www.sqlite.org/releaselog/3_27_2.html

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:790-1
Released:    Thu Mar 28 12:06:17 2019
Summary:     Recommended update for timezone
Type:        recommended
Severity:    moderate
References:  1130557
Description:

This update for timezone fixes the following issues:

timezone was updated to 2019a:

* Palestine 'springs forward' on 2019-03-30 instead of 2019-03-23
* Metlakatla 'fell back' to rejoin Alaska Time on 2019-01-20 at 02:00
* Israel observed DST in 1980 (08-02/09-13) and 1984 (05-05/08-25)
* zic now has an -r option to limit the time range of output data


-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:791-1
Released:    Thu Mar 28 12:06:50 2019
Summary:     Security update for libnettle
Type:        recommended
Severity:    moderate
References:  1129598
Description:

This update for libnettle to version 3.4.1 fixes the following issues:

Issues addressed and new features:

- Updated to 3.4.1 (fate#327114 and bsc#1129598)
- Fixed missing break statements in the parsing of PEM input files in pkcs1-conv.
- Fixed a link error on the pss-mgf1-test which was affecting builds without public key support.
- All functions using RSA private keys are now side-channel silent. This applies both to the
  bignum calculations, which now use GMP's mpn_sec_* family of functions, and the processing of
  PKCS#1 padding needed for RSA decryption.
- Changes in behavior:
   The functions rsa_decrypt and rsa_decrypt_tr may now clobber all of the provided message
   buffer, independent of the actual message length. They are side-channel silent, in that
   branches and memory accesses don't depend on the validity or length of the message.
   Side-channel leakage from the caller's use of the length and return value may still provide
   an oracle usable for a Bleichenbacher-style chosen ciphertext attack, which is why the new
   function rsa_sec_decrypt is recommended.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:858-1
Released:    Wed Apr  3 15:50:37 2019
Summary:     Recommended update for libtirpc
Type:        recommended
Severity:    moderate
References:  1120689,1126096
Description:

This update for libtirpc fixes the following issues:

- Fix a "yp_bind_client_create_v3: RPC: Unknown host" error (bsc#1126096).
- Add an option to enforce connection via protocol version 2 first (bsc#1120689).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:866-1
Released:    Thu Apr  4 11:24:48 2019
Summary:     Recommended update for apparmor
Type:        recommended
Severity:    moderate
References:  1120279,1125439
Description:

This update for apparmor fixes the following issues:

- Add /proc/pid/tcp and /proc/pid/tcp6 entries to the apparmor profile. (bsc#1125439)
- Allow network access and notify file creation/access (bsc#1120279)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:894-1
Released:    Fri Apr  5 17:16:23 2019
Summary:     Recommended update for rpm
Type:        recommended
Severity:    moderate
References:  1119414,1126327,1129753,SLE-3853,SLE-4117
Description:

This update for rpm fixes the following issues:

- Shorten the RPM changelog to entries after a certain cut-off date (bsc#1129753)
- Translate dashes to underscores in kmod provides (FATE#326579, jsc#SLE-4117, jsc#SLE-3853, bsc#1119414).
- Re-add symset-table from SLE 12 (bsc#1126327).


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:903-1
Released:    Mon Apr  8 15:41:44 2019
Summary:     Security update for glibc
Type:        security
Severity:    moderate
References:  1100396,1122729,1130045,CVE-2016-10739
Description:

This update for glibc fixes the following issues:

Security issue fixed: 

- CVE-2016-10739: Fixed an improper implementation of the getaddrinfo function, which could allow
  applications to incorrectly assume that it had parsed a valid string, without the possibility of
  embedded HTTP headers or other potentially dangerous substrings (bsc#1122729).

Other issues fixed:

- Fixed an issue where pthread_mutex_trylock did not use a correct order of instructions
  while maintaining the robust mutex list, due to missing compiler barriers (bsc#1130045).
- Added new Japanese Era name support (bsc#1100396).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:966-1
Released:    Wed Apr 17 12:20:13 2019
Summary:     Recommended update for python-rpm-macros
Type:        recommended
Severity:    moderate
References:  1128323
Description:

This update for python-rpm-macros fixes the following issues:

The Python RPM macros were updated to version 20190408.32abece, fixing
bugs (bsc#1128323)

* Add missing $ expansion on the pytest call
* Rewrite pytest and pytest_arch into Lua macros with multiple arguments.
* We should preserve existing PYTHONPATH.
* Add --ignore to pytest calls to ignore build directories.
* Actually make pytest into function to capture arguments as well
* Add pytest definitions.
* Use upstream-recommended %{_rpmconfigdir}/macros.d directory
  for the rpm macros.
* Fix an issue with epoch printing having too many \
* Add epoch while printing 'Provides:'

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:971-1
Released:    Wed Apr 17 14:43:26 2019
Summary:     Security update for python3
Type:        security
Severity:    important
References:  1129346,CVE-2019-9636
Description:

This update for python3 fixes the following issues:

Security issue fixed:

- CVE-2019-9636: Fixed an information disclosure because of incorrect handling of Unicode encoding during NFKC normalization (bsc#1129346).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1002-1
Released:    Wed Apr 24 10:13:34 2019
Summary:     Recommended update for zlib
Type:        recommended
Severity:    moderate
References:  1110304,1129576
Description:

This update for zlib fixes the following issues:

- Fixes a segmentation fault error (bsc#1110304, bsc#1129576)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1040-1
Released:    Thu Apr 25 17:09:21 2019
Summary:     Security update for samba
Type:        security
Severity:    important
References:  1114407,1124223,1125410,1126377,1131060,1131686,CVE-2019-3880
Description:

This update for samba fixes the following issues:

Security issue fixed:

- CVE-2019-3880: Fixed a path/symlink traversal vulnerability, which allowed an unprivileged user to save registry files outside a share (bsc#1131060).


ldb was updated to version 1.2.4 (bsc#1125410 bsc#1131686):

- Out of bound read in ldb_wildcard_compare
- Hold at most 10 outstanding paged result cookies
- Put 'results_store' into a doubly linked list
- Refuse to build Samba against a newer minor version of ldb


Non-security issues fixed:

- Fixed update-apparmor-samba-profile script after apparmor switched to using named profiles (bsc#1126377).
- Abide to the load_printers parameter in smb.conf (bsc#1124223).
- Provide the 32bit samba winbind PAM module and its dependent 32bit libraries.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1105-1
Released:    Tue Apr 30 12:10:58 2019
Summary:     Recommended update for gcc7
Type:        recommended
Severity:    moderate
References:  1084842,1114592,1124644,1128794,1129389,1131264,SLE-6738
Description:

This update for gcc7 fixes the following issues:

Update to gcc-7-branch head (r270528).

- Disables switch jump-tables when retpolines are used. This restores
  some lost performance for kernel builds with retpolines.  (bsc#1131264,
  jsc#SLE-6738)
- Fix ICE compiling tensorflow on aarch64. (bsc#1129389)
- Fix for aarch64 FMA steering pass use-after-free. (bsc#1128794)
- Fix for s390x FP load-and-test issue. (bsc#1124644)
- Improve build reproducibility by disabling address-space randomization
  during build.
- Adjust gnat manual entries in the info directory. (bsc#1114592)
- Includes fix to no longer try linking -lieee with -mieee-fp. (bsc#1084842)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1121-1
Released:    Tue Apr 30 18:02:43 2019
Summary:     Security update for gnutls
Type:        security
Severity:    important
References:  1118087,1130681,1130682,CVE-2018-16868,CVE-2019-3829,CVE-2019-3836
Description:

This update for gnutls to version 3.6.7 fixes the following issues:

Security issues fixed:

- CVE-2019-3836: Fixed an invalid pointer access via malformed TLS1.3 async messages (bsc#1130682).
- CVE-2019-3829: Fixed a double free vulnerability in the certificate verification API (bsc#1130681).
- CVE-2018-16868: Fixed Bleichenbacher-like side channel leakage in PKCS#1 v1.5 verification and padding oracle verification (bsc#1118087)

Non-security issue fixed:

- Update gnutls to support TLS 1.3 (fate#327114) 

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1127-1
Released:    Thu May  2 09:39:24 2019
Summary:     Security update for sqlite3
Type:        security
Severity:    moderate
References:  1130325,1130326,CVE-2019-9936,CVE-2019-9937
Description:

This update for sqlite3 to version 3.28.0 fixes the following issues:

Security issues fixed:

- CVE-2019-9936: Fixed a heap-based buffer over-read when running fts5 prefix
  queries inside a transaction (bsc#1130326).
- CVE-2019-9937: Fixed a denial of service related to interleaving reads and writes in
  a single transaction with an fts5 virtual table (bsc#1130325).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1206-1
Released:    Fri May 10 14:01:55 2019
Summary:     Security update for bzip2
Type:        security
Severity:    low
References:  985657,CVE-2016-3189
Description:

This update for bzip2 fixes the following issues:

Security issue fixed:

- CVE-2016-3189: Fixed a use-after-free in bzip2recover (bsc#985657).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1312-1
Released:    Wed May 22 12:19:12 2019
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1096191
Description:

This update for aaa_base fixes the following issue:

  * Shell detection in /etc/profile and /etc/bash.bashrc was broken within AppArmor-confined containers
    (bsc#1096191)


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1351-1
Released:    Fri May 24 14:41:10 2019
Summary:     Security update for gnutls
Type:        security
Severity:    important
References:  1118087,1134856,CVE-2018-16868
Description:

This update for gnutls fixes the following issues:

Security issue fixed:

- CVE-2018-16868: Fixed Bleichenbacher-like side channel leakage in PKCS#1 v1.5 verification (bsc#1118087).

Non-security issue fixed:

- Explicitly require libnettle 3.4.1 to prevent missing symbol errors (bsc#1134856).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1352-1
Released:    Fri May 24 14:41:44 2019
Summary:     Security update for python3
Type:        security
Severity:    moderate
References:  1130840,1133452,CVE-2019-9947
Description:

This update for python3 to version 3.6.8 fixes the following issues:

Security issue fixed:

- CVE-2019-9947: Fixed an issue in urllib2 which allowed CRLF injection if the attacker controls a URL parameter (bsc#1130840).

Non-security issue fixed:

- Fixed broken debuginfo packages by switching off LTO and PGO optimization (bsc#1133452).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1357-1
Released:    Mon May 27 13:29:15 2019
Summary:     Security update for curl
Type:        security
Severity:    important
References:  1135170,CVE-2019-5436
Description:

This update for curl fixes the following issues:

Security issue fixed:

- CVE-2019-5436: Fixed a heap buffer overflow in tftp_receive_packet, which receives data from a TFTP server (bsc#1135170).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1364-1
Released:    Tue May 28 10:51:38 2019
Summary:     Security update for systemd
Type:        security
Severity:    moderate
References:  1036463,1121563,1124122,1125352,1125604,1126056,1127557,1130230,1132348,1132400,1132721,1133506,1133509,CVE-2019-3842,CVE-2019-3843,CVE-2019-3844,CVE-2019-6454,SLE-5933
Description:

This update for systemd fixes the following issues:

Security issues fixed:

- CVE-2019-3842: Fixed a privilege escalation in pam_systemd which could be exploited by a local user (bsc#1132348).
- CVE-2019-6454: Fixed a denial of service via crafted D-Bus message (bsc#1125352).
- CVE-2019-3843, CVE-2019-3844: Fixed a privilege escalation where services with DynamicUser could gain new privileges or create SUID/SGID binaries (bsc#1133506, bsc#1133509).

Non-security issues fixed:

- logind: fix killing of scopes (bsc#1125604)
- namespace: make MountFlags=shared work again (bsc#1124122)
- rules: load drivers only on 'add' events (bsc#1126056)
- sysctl: Don't pass null directive argument to '%s' (bsc#1121563)
- systemd-coredump: generate a stack trace of all core dumps and log into the journal (jsc#SLE-5933)
- udevd: notify when max number value of children is reached only once per batch of events (bsc#1132400)
- sd-bus: bump message queue size again (bsc#1132721)
- Do not automatically online memory on s390x (bsc#1127557)
- Removed sg.conf (bsc#1036463)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1368-1
Released:    Tue May 28 13:15:38 2019
Summary:     Recommended update for sles12sp3-docker-image, sles12sp4-image, system-user-root
Type:        security
Severity:    important
References:  1134524,CVE-2019-5021
Description:

This update for sles12sp3-docker-image, sles12sp4-image, system-user-root fixes the following issues:

- CVE-2019-5021: Include an invalidated root password by default, not an empty one (bsc#1134524)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1372-1
Released:    Tue May 28 16:53:28 2019
Summary:     Security update for libtasn1
Type:        security
Severity:    moderate
References:  1105435,CVE-2018-1000654
Description:

This update for libtasn1 fixes the following issues:

Security issue fixed:

- CVE-2018-1000654: Fixed a denial of service in the asn1 parser (bsc#1105435).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1484-1
Released:    Thu Jun 13 07:46:46 2019
Summary:     Recommended update for e2fsprogs
Type:        recommended
Severity:    moderate
References:  1128383
Description:

This update for e2fsprogs fixes the following issues:

- Check and fix tails of all bitmap blocks (bsc#1128383)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1486-1
Released:    Thu Jun 13 09:40:24 2019
Summary:     Security update for elfutils
Type:        security
Severity:    moderate
References:  1033084,1033085,1033086,1033087,1033088,1033089,1033090,1106390,1107066,1107067,1111973,1112723,1112726,1123685,1125007,CVE-2017-7607,CVE-2017-7608,CVE-2017-7609,CVE-2017-7610,CVE-2017-7611,CVE-2017-7612,CVE-2017-7613,CVE-2018-16062,CVE-2018-16402,CVE-2018-16403,CVE-2018-18310,CVE-2018-18520,CVE-2018-18521,CVE-2019-7150,CVE-2019-7665
Description:

This update for elfutils fixes the following issues:

Security issues fixed:  

- CVE-2017-7607: Fixed a heap-based buffer overflow in handle_gnu_hash (bsc#1033084)
- CVE-2017-7608: Fixed a heap-based buffer overflow in ebl_object_note_type_name() (bsc#1033085)
- CVE-2017-7609: Fixed a memory allocation failure in __libelf_decompress (bsc#1033086)
- CVE-2017-7610: Fixed a heap-based buffer overflow in check_group (bsc#1033087)
- CVE-2017-7611: Fixed a denial of service via a crafted ELF file (bsc#1033088)
- CVE-2017-7612: Fixed a denial of service in check_sysv_hash() via a crafted ELF file (bsc#1033089)
- CVE-2017-7613: Fixed a denial of service caused by missing validation of the number of sections and the number of segments in a crafted ELF file (bsc#1033090)
- CVE-2018-16062: Fixed a heap-buffer overflow in /elfutils/libdw/dwarf_getaranges.c:156 (bsc#1106390)
- CVE-2018-16402: Fixed a denial of service/double free on an attempt to decompress the same section twice (bsc#1107066)
- CVE-2018-16403: Fixed a heap buffer overflow in readelf (bsc#1107067)
- CVE-2018-18310: Fixed an invalid address read problem in dwfl_segment_report_module.c (bsc#1111973)
- CVE-2018-18520: Fixed bad handling of ar files inside ar files (bsc#1112726)
- CVE-2018-18521: Fixed denial of service vulnerabilities in the function arlib_add_symbols() used by eu-ranlib (bsc#1112723)
- CVE-2019-7150: Fixed dwfl_segment_report_module not checking whether the dyn data read from a core file is truncated (bsc#1123685)
- CVE-2019-7665: Fixed handling of the NT_PLATFORM core file note, which should be a zero-terminated string (bsc#1125007)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1487-1
Released:    Thu Jun 13 09:40:56 2019
Summary:     Security update for python-requests
Type:        security
Severity:    moderate
References:  1111622,CVE-2018-18074
Description:

This update for python-requests to version 2.20.1 fixes the following issues:

Security issue fixed:

- CVE-2018-18074: Fixed an information disclosure vulnerability of the HTTP Authorization header (bsc#1111622).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1590-1
Released:    Thu Jun 20 19:49:57 2019
Summary:     Recommended update for permissions
Type:        recommended
Severity:    moderate
References:  1128598
Description:

This update for permissions fixes the following issues:

- Added whitelisting for /usr/lib/singularity/bin/starter-suid in the new singularity 3.1 version. (bsc#1128598)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1594-1
Released:    Fri Jun 21 10:17:15 2019
Summary:     Security update for glib2
Type:        security
Severity:    important
References:  1103678,1137001,CVE-2019-12450
Description:

This update for glib2 fixes the following issues:

Security issue fixed:

- CVE-2019-12450: Fixed improper file permissions when a copy operation
  takes place (bsc#1137001).

Other issue addressed:

- glib2 was handling an UNKNOWN connectivity state from NetworkManager as if there
  was a connection, thus giving false positives to PackageKit (bsc#1103678)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1595-1
Released:    Fri Jun 21 10:17:44 2019
Summary:     Security update for dbus-1
Type:        security
Severity:    important
References:  1137832,CVE-2019-12749
Description:

This update for dbus-1 fixes the following issues:

Security issue fixed:

- CVE-2019-12749: Fixed an implementation flaw in DBUS_COOKIE_SHA1 which
  could have allowed local attackers to bypass authentication (bsc#1137832).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1616-1
Released:    Fri Jun 21 11:04:39 2019
Summary:     Recommended update for rpcbind
Type:        recommended
Severity:    moderate
References:  1134659
Description:

This update for rpcbind fixes the following issues:

- Change rpcbind locking path from /var/run/rpcbind.lock to /run/rpcbind.lock. (bsc#1134659)
- Change the order of socket/service in the %postun scriptlet to avoid an error from rpcbind.socket when rpcbind is running during package update.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1627-1
Released:    Fri Jun 21 11:15:11 2019
Summary:     Recommended update for xfsprogs
Type:        recommended
Severity:    moderate
References:  1073421,1122271,1129859
Description:

This update for xfsprogs fixes the following issues:

- xfs_repair: will now allow '/' in attribute names (bsc#1122271)
- xfs_repair: will now allow zeroing of corrupt log (bsc#1073421)
- Enabled offline (unmounted) filesystem geometry queries (bsc#1129859)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1631-1
Released:    Fri Jun 21 11:17:21 2019
Summary:     Recommended update for xz
Type:        recommended
Severity:    low
References:  1135709
Description:

This update for xz fixes the following issues:

- Add the SUSE-Public-Domain licence, as some parts of xz utils (liblzma,
  xz, xzdec, lzmadec, documentation, translated messages, tests,
  debug, extra directory) are in the public domain (bsc#1135709)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1635-1
Released:    Fri Jun 21 12:45:53 2019
Summary:     Recommended update for krb5
Type:        recommended
Severity:    moderate
References:  1134217
Description:

This update for krb5 provides the following fix:

- Move LDAP schema files from /usr/share/doc/packages/krb5 to /usr/share/kerberos/ldap.
  (bsc#1134217)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1700-1
Released:    Tue Jun 25 13:19:21 2019
Summary:     Security update for libssh
Type:        recommended
Severity:    moderate
References:  1134193
Description:

This update for libssh fixes the following issue:

Issue addressed:

- Added support for new AES-GCM encryption types (bsc#1134193).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1737-1
Released:    Wed Jul  3 21:12:04 2019
Summary:     Recommended update for rdma-core
Type:        recommended
Severity:    moderate
References:  996146
Description:

This update for rdma-core fixes the following issues:

- Fix man page of mlx5dv_create_flow_action_modify_header. (bsc#996146)
- Fix libhns flush cqe in case multi-process. (bsc#996146)
- Fix ibacm: acme does not work if server_mode is not unix. (bsc#996146)
- Fix verbs: The ibv_xsrq_pingpong '-c' option is broken. (bsc#996146)
- Fix mlx5: Fix masking service level in mlx5_create_ah. (bsc#996146)
- Fix cmake: Explicitly convert build type to be STRING. (bsc#996146)
- Fix libhns: Bugfix for filtering zero length sge. (bsc#996146)
- Fix buildlib: Ensure stanza is properly sorted. (bsc#996146)
- Fix debian: Create empty pyverbs package for builds without pyverbs. (bsc#996146)
- Fix verbs: Fix attribute returning. (bsc#996146)
- Fix build: Fix pyverbs build issues on Debian. (bsc#996146)
- Fix travis: Change SuSE package target due to Travis CI failures. (bsc#996146)
- Fix verbs: Avoid inline send when using device memory in rc_pingpong. (bsc#996146)
- Fix mlx5: Use copy loop to read from device memory. (bsc#996146)
- Fix verbs: clear cmd buffer when creating indirection table. (bsc#996146)
- Fix libhns: Bugfix for using buffer length. (bsc#996146)
- Fix incorrect error handling when SQ wqe count is 0. (bsc#996146)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1808-1
Released:    Wed Jul 10 13:16:29 2019
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  1133808
Description:

This update for libgcrypt fixes the following issues:

- Fixed redundant FIPS tests in some situations causing sudo to stop
  working when pam-kwallet is installed (bsc#1133808).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1815-1
Released:    Thu Jul 11 07:47:55 2019
Summary:     Recommended update for timezone
Type:        recommended
Severity:    moderate
References:  1140016
Description:

This update for timezone fixes the following issues:

- Timezone update 2019b (bsc#1140016):
  - Brazil no longer observes DST.
  - 'zic -b slim' outputs smaller TZif files.
  - Palestine's 2019 spring-forward transition was on 03-29, not 03-30.
  - Add info about the Crimea situation.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1833-1
Released:    Fri Jul 12 17:53:51 2019
Summary:     Security update for glib2
Type:        security
Severity:    moderate
References:  1139959,CVE-2019-13012
Description:

This update for glib2 fixes the following issues:

Security issue fixed:

- CVE-2019-13012: Fixed improper restriction of file permissions when creating directories (bsc#1139959).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1835-1
Released:    Fri Jul 12 18:06:31 2019
Summary:     Security update for expat
Type:        security
Severity:    moderate
References:  1139937,CVE-2018-20843
Description:

This update for expat fixes the following issues:

Security issue fixed:

- CVE-2018-20843: Fixed a denial of service triggered by high resource consumption 
  in the XML parser when XML names contain a large amount of colons (bsc#1139937).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1846-1
Released:    Mon Jul 15 11:36:33 2019
Summary:     Security update for bzip2
Type:        security
Severity:    important
References:  1139083,CVE-2019-12900
Description:

This update for bzip2 fixes the following issues:

Security issue fixed:

- CVE-2019-12900: Fixed an out-of-bounds write in decompress.c with many selectors (bsc#1139083).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1853-1
Released:    Mon Jul 15 16:03:36 2019
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1107617,1137053
Description:

This update for systemd fixes the following issues:

- conf-parse: remove 4K line length limit (bsc#1137053)
- udevd: change the default value of udev.children-max (again) (bsc#1107617)
- meson: stop creating enablement symlinks in /etc during installation (sequel)
- Fixed build for openSUSE Leap 15+
- Make sure we don't ship any static enablement symlinks in /etc
  Those symlinks must only be created by the presets. There are no
  changes in practice since systemd/udev doesn't ship such symlinks in
  /etc but let's make sure no future changes will introduce new ones
  by mistake.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1869-1
Released:    Wed Jul 17 14:03:20 2019
Summary:     Security update for MozillaFirefox
Type:        security
Severity:    important
References:  1140868,CVE-2019-11709,CVE-2019-11711,CVE-2019-11712,CVE-2019-11713,CVE-2019-11715,CVE-2019-11717,CVE-2019-11719,CVE-2019-11729,CVE-2019-11730,CVE-2019-9811
Description:

This update for MozillaFirefox, mozilla-nss fixes the following issues:

MozillaFirefox to version ESR 60.8:

- CVE-2019-9811: Sandbox escape via installation of malicious language pack (bsc#1140868).
- CVE-2019-11711: Script injection within domain through inner window reuse (bsc#1140868).
- CVE-2019-11712: Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects (bsc#1140868).
- CVE-2019-11713: Use-after-free with HTTP/2 cached stream (bsc#1140868).
- CVE-2019-11729: Empty or malformed p256-ECDH public keys may trigger a segmentation fault (bsc#1140868).
- CVE-2019-11715: HTML parsing error can contribute to content XSS (bsc#1140868).
- CVE-2019-11717: Caret character improperly escaped in origins (bsc#1140868).
- CVE-2019-11719: Out-of-bounds read when importing curve25519 private key (bsc#1140868).
- CVE-2019-11730: Same-origin policy treats all files in a directory as having the same-origin (bsc#1140868).
- CVE-2019-11709: Multiple Memory safety bugs fixed (bsc#1140868).

mozilla-nss to version 3.44.1:

* Added IPSEC IKE support to softoken 
* Many new FIPS test cases

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1877-1
Released:    Thu Jul 18 11:31:46 2019
Summary:     Security update for glibc
Type:        security
Severity:    moderate
References:  1117993,1123710,1127223,1127308,1131330,CVE-2009-5155,CVE-2019-9169
Description:

This update for glibc fixes the following issues:

Security issues fixed:

- CVE-2019-9169: Fixed a heap-based buffer over-read via an attempted case-insensitive regular-expression match (bsc#1127308).
- CVE-2009-5155: Fixed a denial of service in parse_reg_exp() (bsc#1127223).

Non-security issues fixed:

- No longer compresses debug sections in crt*.o files (bsc#1123710)
- Fixes a concurrency problem in ldconfig (bsc#1117993)
- Fixes a race condition in pthread_mutex_lock while promoting to PTHREAD_MUTEX_ELISION_NP (bsc#1131330)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1971-1
Released:    Thu Jul 25 14:58:52 2019
Summary:     Security update for libgcrypt
Type:        security
Severity:    moderate
References:  1138939,CVE-2019-12904
Description:

This update for libgcrypt fixes the following issues:

Security issue fixed:

- CVE-2019-12904: Fixed a flush-and-reload side-channel attack in the AES implementation (bsc#1138939).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1984-1
Released:    Fri Jul 26 00:15:46 2019
Summary:     Recommended update for suse-module-tools
Type:        recommended
Severity:    moderate
References:  1036463,1127155,1134819,937216
Description:

This update for suse-module-tools fixes the following issues:

- Softdep of bridge on br_netfilter. (bsc#937216, bsc#1134819)

- Install sg.conf under /usr/lib/modules-load.d and avoid file conflict with systemd. (bsc#1036463)

- weak-modules2: Emit 'inconsistent' warning only if replacement fails. (bsc#1127155)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1994-1
Released:    Fri Jul 26 16:12:05 2019
Summary:     Recommended update for libxml2
Type:        recommended
Severity:    moderate
References:  1135123
Description:

This update for libxml2 fixes the following issues:

- Added a new configurable variable XPATH_DEFAULT_MAX_NODESET_LENGTH to avoid nodeset limit when processing large XML files. (bsc#1135123)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2004-1
Released:    Mon Jul 29 13:01:59 2019
Summary:     Security update for bzip2
Type:        security
Severity:    important
References:  1139083,CVE-2019-12900
Description:

This update for bzip2 fixes the following issues:

- Fixed a regression with the fix for CVE-2019-12900, which caused incompatibilities
  with files that used many selectors (bsc#1139083).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2006-1
Released:    Mon Jul 29 13:02:49 2019
Summary:     Security update for gpg2
Type:        security
Severity:    important
References:  1124847,1141093,CVE-2019-13050
Description:

This update for gpg2 fixes the following issues:

Security issue fixed:

- CVE-2019-13050: Fixed a denial of service via big keys (bsc#1141093).

Non-security issue fixed:

- Allow coredumps in X11 desktop sessions (bsc#1124847)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2050-1
Released:    Tue Aug  6 09:42:37 2019
Summary:     Security update for python3
Type:        security
Severity:    important
References:  1094814,1138459,1141853,CVE-2018-20852,CVE-2019-10160
Description:

This update for python3 fixes the following issues:

Security issues fixed:

- CVE-2019-10160: Fixed a regression in urlparse() and urlsplit() introduced by the fix for CVE-2019-9636 (bsc#1138459).
- CVE-2018-20852: Fixed an information leak where cookies could be sent to the wrong server because of incorrect domain validation (bsc#1141853).

Non-security issue fixed:

- Fixed an issue where the SIGINT signal was ignored or not handled (bsc#1094814).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2085-1
Released:    Wed Aug  7 13:58:43 2019
Summary:     Recommended update for apparmor
Type:        recommended
Severity:    moderate
References:  1135751
Description:

This update for apparmor fixes the following issues:

- Profile updates for dnsmasq, dovecot, identd, syslog-ng
- Parser: fix 'Px -> foo-bar' (the '-' was rejected before)
- Add certbot paths to abstractions/ssl_certs and abstractions/ssl_keys.
- Fix build with swig 4.0. (bsc#1135751)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2097-1
Released:    Fri Aug  9 09:31:17 2019
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    important
References:  1097073
Description:

This update for libgcrypt fixes the following issues:

- Fixed a regression where systems were unable to boot in FIPS mode, caused by an
  incomplete implementation of a previous change (bsc#1097073).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2134-1
Released:    Wed Aug 14 11:54:56 2019
Summary:     Recommended update for zlib
Type:        recommended
Severity:    moderate
References:  1136717,1137624,1141059,SLE-5807
Description:

This update for zlib fixes the following issues:

- Update the s390 patchset. (bsc#1137624)
- Tweak zlib-power8 to have type of crc32_vpmsum conform to usage. (bsc#1141059)
- Use FAT LTO objects in order to provide a proper static library.
- Do not enable the previous patchset on s390 but just s390x. (bsc#1137624)
- Add patchset for s390 improvements. (jsc#SLE-5807, bsc#1136717)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2142-1
Released:    Wed Aug 14 18:14:04 2019
Summary:     Recommended update for mozilla-nspr, mozilla-nss
Type:        recommended
Severity:    moderate
References:  1141322
Description:

This update for mozilla-nspr, mozilla-nss fixes the following issues:

mozilla-nss was updated to NSS 3.45 (bsc#1141322):

* New function in pk11pub.h: PK11_FindRawCertsWithSubject
* The following CA certificates were Removed:
  CN = Certinomis - Root CA (bmo#1552374)
* Implement Delegated Credentials (draft-ietf-tls-subcerts) (bmo#1540403)
  This adds a new experimental function SSL_DelegateCredential
  Note: In 3.45, selfserv does not yet support delegated credentials (See bmo#1548360).
  Note: In 3.45 the SSLChannelInfo is left unmodified, while an upcoming change in 3.46 will set SSLChannelInfo.authKeyBits to that of the delegated credential for better policy enforcement (See bmo#1563078).
* Replace ARM32 Curve25519 implementation with one from fiat-crypto (bmo#1550579)
* Expose a function PK11_FindRawCertsWithSubject for finding certificates with a given subject on a given slot (bmo#1552262)
* Add IPSEC IKE support to softoken (bmo#1546229)
* Add support for the Elbrus lcc compiler (<=1.23) (bmo#1554616)
* Expose an external clock for SSL (bmo#1543874)
  This adds new experimental functions: SSL_SetTimeFunc, 
  SSL_CreateAntiReplayContext, SSL_SetAntiReplayContext, and 
  SSL_ReleaseAntiReplayContext.
  The experimental function SSL_InitAntiReplay is removed.
* Various changes in response to the ongoing FIPS review (bmo#1546477)
  Note: The source package size has increased substantially due to the new FIPS test vectors. This will likely prompt follow-on work, but please accept our apologies in the meantime.

mozilla-nspr was updated to version 4.21

* Changed prbit.h to use builtin function on aarch64.
* Removed Gonk/B2G references.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2188-1
Released:    Wed Aug 21 10:10:29 2019
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1140647
Description:

This update for aaa_base fixes the following issues:

- Make systemd detection cgroup oblivious. (bsc#1140647)

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2019:2190-1
Released:    Wed Aug 21 17:00:34 2019
Summary:     SUSE Enterprise Storage 6 Technical Container Preview
Type:        optional
Severity:    low
References:  1145433
Description:

This is a technical preview for SUSE Enterprise Storage 6.