SUSE-CU-2020:10-1: Security update of caasp/v4/coredns
sle-security-updates at lists.suse.com
sle-security-updates at lists.suse.com
Tue Jan 14 00:04:45 MST 2020
SUSE Container Update Advisory: caasp/v4/coredns
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:10-1
Container Tags : caasp/v4/coredns:1.6.2 , caasp/v4/coredns:1.6.2-rev3 , caasp/v4/coredns:1.6.2-rev3-build3.9.1
Severity : important
Type : security
References : 1007715 1049825 1051143 1073313 1081947 1081947 1082293 1084934
1085196 1092100 1093414 1100838 1103320 1106214 1110797 1111388
1114592 1114845 1116995 1118897 1118898 1118899 1120629 1120630
1120631 1121197 1121753 1122417 1123919 1125886 1127155 1127608
1127701 1130306 1131113 1131823 1133773 1134226 1135254 1135534
1135708 1135749 1137977 1138869 1139459 1139795 1140039 1140631
1141113 1141897 1142649 1142654 1143055 1143194 1143273 1143813
1144047 1144065 1144169 1145023 1145521 1145554 1145716 1146027
1146415 1146415 1146866 1146947 1146991 1147142 1148517 1148987
1149145 1149495 1149496 1149511 1150003 1150137 1150250 1150595
1150734 1151023 1152101 1152755 1152861 1153351 1153557 1153936
1154019 1154036 1154037 1154295 1154871 1154884 1154887 1155199
1155338 1155339 1155346 1155810 1156646 1157198 1157278 1157775
1158095 1158101 1158809 353876 859480 CVE-2017-17740 CVE-2018-1122
CVE-2018-1123 CVE-2018-1124 CVE-2018-1125 CVE-2018-1126 CVE-2018-20532
CVE-2018-20533 CVE-2018-20534 CVE-2019-12290 CVE-2019-13057 CVE-2019-13565
CVE-2019-13627 CVE-2019-14250 CVE-2019-14866 CVE-2019-14889 CVE-2019-1547
CVE-2019-1551 CVE-2019-1563 CVE-2019-15847 CVE-2019-16168 CVE-2019-17543
CVE-2019-17594 CVE-2019-17595 CVE-2019-18224 CVE-2019-3688 CVE-2019-3690
CVE-2019-5094 CVE-2019-5481 CVE-2019-5482 SLE-6533 SLE-6536 SLE-7687
SLE-8789 SLE-9132 SLE-9171
-----------------------------------------------------------------
The container caasp/v4/coredns was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2241-1
Released: Wed Aug 28 14:58:49 2019
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1144169
Description:
This update for ca-certificates-mozilla fixes the following issues:
ca-certificates-mozillawas updated to 2.34 state of the Mozilla NSS Certificate store (bsc#1144169)
Removed CAs:
- Certinomis - Root CA
Includes new root CAs from the 2.32 version:
- emSign ECC Root CA - C3 (email and server auth)
- emSign ECC Root CA - G3 (email and server auth)
- emSign Root CA - C1 (email and server auth)
- emSign Root CA - G1 (email and server auth)
- Hongkong Post Root CA 3 (server auth)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2307-1
Released: Thu Sep 5 14:45:08 2019
Summary: Security update for util-linux and shadow
Type: security
Severity: moderate
References: 1081947,1082293,1085196,1106214,1121197,1122417,1125886,1127701,1135534,1135708,1141113,353876
Description:
This update for util-linux and shadow fixes the following issues:
util-linux:
- Fixed an issue where PATH settings in /etc/default/su being ignored (bsc#1121197)
- Prevent outdated pam files (bsc#1082293).
- De-duplicate fstrim -A properly (bsc#1127701).
- Do not trim read-only volumes (bsc#1106214).
- Integrate pam_keyinit pam module to login (bsc#1081947).
- Perform one-time reset of /etc/default/su (bsc#1121197).
- Fix problems in reading of login.defs values (bsc#1121197)
- libmount: To prevent incorrect behavior, recognize more pseudofs and netfs (bsc#1122417).
- raw.service: Add RemainAfterExit=yes (bsc#1135534).
- agetty: Return previous response of agetty for special characters (bsc#1085196, bsc#1125886)
- libmount: print a blacklist hint for "unknown filesystem type" (jsc#SUSE-4085, fate#326832)
- Fix /etc/default/su comments and create /etc/default/runuser (bsc#1121197).
shadow:
- Fixed an issue where PATH settings in /etc/default/su being ignored (bsc#1121197)
- Fix segfault in useradd during setting password inactivity period. (bsc#1141113)
- Hardening for su wrappers (bsc#353876)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2361-1
Released: Thu Sep 12 07:54:54 2019
Summary: Recommended update for krb5
Type: recommended
Severity: moderate
References: 1081947,1144047
Description:
This update for krb5 contains the following fixes:
- Integrate pam_keyinit PAM module, ksu-pam.d. (bsc#1081947)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2373-1
Released: Thu Sep 12 14:18:53 2019
Summary: Security update for curl
Type: security
Severity: important
References: 1149495,1149496,CVE-2019-5481,CVE-2019-5482
Description:
This update for curl fixes the following issues:
Security issues fixed:
- CVE-2019-5481: Fixed FTP-KRB double-free during kerberos FTP data transfer (bsc#1149495).
- CVE-2019-5482: Fixed TFTP small blocksize heap buffer overflow (bsc#1149496).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2395-1
Released: Wed Sep 18 08:31:38 2019
Summary: Security update for openldap2
Type: security
Severity: moderate
References: 1073313,1111388,1114845,1143194,1143273,CVE-2017-17740,CVE-2019-13057,CVE-2019-13565
Description:
This update for openldap2 fixes the following issues:
Security issue fixed:
- CVE-2019-13565: Fixed an authentication bypass when using SASL authentication and session encryption (bsc#1143194).
- CVE-2019-13057: Fixed an issue with delegated database admin privileges (bsc#1143273).
- CVE-2017-17740: When both the nops module and the member of overlay
are enabled, attempts to free a buffer that was allocated on the stack,
which allows remote attackers to cause a denial of service (slapd crash)
via a member MODDN operation. (bsc#1073313)
Non-security issues fixed:
- Fixed broken shebang line in openldap_update_modules_path.sh (bsc#1114845).
- Create files in /var/lib/ldap/ during initial start to allow for transactional updates (bsc#1111388)
- Fixed incorrect post script call causing tmpfiles creation not to be run (bsc#1111388).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2403-1
Released: Wed Sep 18 16:14:29 2019
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1150003,1150250,CVE-2019-1547,CVE-2019-1563
Description:
This update for openssl-1_1 fixes the following issues:
OpenSSL Security Advisory [10 September 2019]
* CVE-2019-1547: Added EC_GROUP_set_generator side channel attack avoidance. (bsc#1150003)
* CVE-2019-1563: Fixed Bleichenbacher attack against cms/pkcs7 encryption transported key (bsc#1150250)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2423-1
Released: Fri Sep 20 16:41:45 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1146866,SLE-9132
Description:
This update for aaa_base fixes the following issues:
Added sysctl.d/51-network.conf to tighten network security (bsc#1146866) (jira#SLE-9132)
Following settings have been tightened (and set to 0):
- net.ipv4.conf.all.accept_redirects
- net.ipv4.conf.default.accept_redirects
- net.ipv4.conf.default.accept_source_route
- net.ipv6.conf.all.accept_redirects
- net.ipv6.conf.default.accept_redirects
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2533-1
Released: Thu Oct 3 15:02:50 2019
Summary: Security update for sqlite3
Type: security
Severity: moderate
References: 1150137,CVE-2019-16168
Description:
This update for sqlite3 fixes the following issues:
Security issue fixed:
- CVE-2019-16168: Fixed improper validation of sqlite_stat1 field that could lead to denial of service (bsc#1150137).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2626-1
Released: Thu Oct 10 17:22:35 2019
Summary: Recommended update for permissions
Type: recommended
Severity: moderate
References: 1110797
Description:
This update for permissions fixes the following issues:
- Updated permissons for amanda. (bsc#1110797)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2676-1
Released: Tue Oct 15 21:06:54 2019
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 1145716,1152101,CVE-2019-5094
Description:
This update for e2fsprogs fixes the following issues:
Security issue fixed:
- CVE-2019-5094: Fixed an arbitrary code execution via specially crafted ext4 file systems. (bsc#1152101)
Non-security issue fixed:
- libext2fs: Call fsync(2) to clear stale errors for a new a unix I/O channel. (bsc#1145716)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2730-1
Released: Mon Oct 21 16:04:57 2019
Summary: Security update for procps
Type: security
Severity: important
References: 1092100,1121753,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126
Description:
This update for procps fixes the following issues:
procps was updated to 3.3.15. (bsc#1092100)
Following security issues were fixed:
- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top
with HOME unset in an attacker-controlled directory, the attacker could have
achieved privilege escalation by exploiting one of several vulnerabilities in
the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow.
Inbuilt protection in ps maped a guard page at the end of the overflowed
buffer, ensuring that the impact of this flaw is limited to a crash (temporary
denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap
corruption in file2strvec function. This allowed a privilege escalation for a
local attacker who can create entries in procfs by starting processes, which
could result in crashes or arbitrary code execution in proc utilities run by
other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was
mitigated by FORTIFY limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent
truncation/integer overflow issues (bsc#1092100).
Also this non-security issue was fixed:
- Fix CPU summary showing old data. (bsc#1121753)
The update to 3.3.15 contains the following fixes:
* library: Increment to 8:0:1
No removals, no new functions
Changes: slab and pid structures
* library: Just check for SIGLOST and don't delete it
* library: Fix integer overflow and LPE in file2strvec CVE-2018-1124
* library: Use size_t for alloc functions CVE-2018-1126
* library: Increase comm size to 64
* pgrep: Fix stack-based buffer overflow CVE-2018-1125
* pgrep: Remove >15 warning as comm can be longer
* ps: Fix buffer overflow in output buffer, causing DOS CVE-2018-1123
* ps: Increase command name selection field to 64
* top: Don't use cwd for location of config CVE-2018-1122
* update translations
* library: build on non-glibc systems
* free: fix scaling on 32-bit systems
* Revert "Support running with child namespaces"
* library: Increment to 7:0:1
No changes, no removals
New fuctions: numa_init, numa_max_node, numa_node_of_cpu, numa_uninit, xalloc_err_handler
* doc: Document I idle state in ps.1 and top.1
* free: fix some of the SI multiples
* kill: -l space between name parses correctly
* library: dont use vm_min_free on non Linux
* library: don't strip off wchan prefixes (ps & top)
* pgrep: warn about 15+ char name only if -f not used
* pgrep/pkill: only match in same namespace by default
* pidof: specify separator between pids
* pkill: Return 0 only if we can kill process
* pmap: fix duplicate output line under '-x' option
* ps: avoid eip/esp address truncations
* ps: recognizes SCHED_DEADLINE as valid CPU scheduler
* ps: display NUMA node under which a thread ran
* ps: Add seconds display for cputime and time
* ps: Add LUID field
* sysctl: Permit empty string for value
* sysctl: Don't segv when file not available
* sysctl: Read and write large buffers
* top: add config file support for XDG specification
* top: eliminated minor libnuma memory leak
* top: show fewer memory decimal places (configurable)
* top: provide command line switch for memory scaling
* top: provide command line switch for CPU States
* top: provides more accurate cpu usage at startup
* top: display NUMA node under which a thread ran
* top: fix argument parsing quirk resulting in SEGV
* top: delay interval accepts non-locale radix point
* top: address a wishlist man page NLS suggestion
* top: fix potential distortion in 'Mem' graph display
* top: provide proper multi-byte string handling
* top: startup defaults are fully customizable
* watch: define HOST_NAME_MAX where not defined
* vmstat: Fix alignment for disk partition format
* watch: Support ANSI 39,49 reset sequences
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2742-1
Released: Tue Oct 22 15:40:16 2019
Summary: Recommended update for libzypp, zypper, libsolv and PackageKit
Type: recommended
Severity: important
References: 1049825,1116995,1120629,1120630,1120631,1127155,1127608,1130306,1131113,1131823,1134226,1135749,1137977,1139795,1140039,1145521,1146027,1146415,1146947,1153557,859480,CVE-2018-20532,CVE-2018-20533,CVE-2018-20534
Description:
This update for libzypp, zypper, libsolv and PackageKit fixes the following issues:
Security issues fixed in libsolv:
- CVE-2018-20532: Fixed NULL pointer dereference at ext/testcase.c (function testcase_read) (bsc#1120629).
- CVE-2018-20533: Fixed NULL pointer dereference at ext/testcase.c (function testcase_str2dep_complex) in libsolvext.a (bsc#1120630).
- CVE-2018-20534: Fixed illegal address access at src/pool.h (function pool_whatprovides) in libsolv.a (bsc#1120631).
Other issues addressed in libsolv:
- Fixed an issue where libsolv failed to build against swig 4.0 by updating the version to 0.7.5 (bsc#1135749).
- Fixed an issue with the package name (bsc#1131823).
- repo_add_rpmdb: do not copy bad solvables from the old solv file
- Fixed an issue with cleandeps updates in which all packages were not updated
- Experimental DISTTYPE_CONDA and REL_CONDA support
- Fixed cleandeps jobs when using patterns (bsc#1137977)
- Fixed favorq leaking between solver runs if the solver is reused
- Fixed SOLVER_FLAG_FOCUS_BEST updateing packages without reason
- Be more correct with multiversion packages that obsolete their own name (bnc#1127155)
- Fix repository priority handling for multiversion packages
- Make code compatible with swig 4.0, remove obj0 instances
- repo2solv: support zchunk compressed data
- Remove NO_BRP_STRIP_DEBUG=true as brp-15-strip-debug will
not strip debug info for archives
Issues fixed in libzypp:
- Fix empty metalink downloads if filesize is unknown (bsc#1153557)
- Recognize riscv64 as architecture
- Fix installation of new header file (fixes #185)
- zypp.conf: Introduce `solver.focus` to define the resolvers general
attitude when resolving jobs. (bsc#1146415)
- New container detection algorithm for zypper ps (bsc#1146947)
- Fix leaking filedescriptors in MediaCurl. (bsc#1116995)
- Run file conflict check on dry-run. (bsc#1140039)
- Do not remove orphan products if the .prod file is owned by
a package. (bsc#1139795)
- Rephrase file conflict check summary. (bsc#1140039)
- Fix bash completions option detection. (bsc#1049825)
- Fixes a bug where zypper exited on SIGPIPE when downloading packages (bsc#1145521)
- Fixes an issue where zypper exited with a segmentation fault when updating via YaST2 (bsc#1146027)
- PublicKey::algoName: supply key algorithm and length
Issues fixed in zypper:
- Update to version 1.14.30
- Ignore SIGPIPE while STDOUT/STDERR are OK (bsc#1145521)
- Dump stacktrace on SIGPIPE (bsc#1145521)
- info: The requested info must be shown in QUIET mode (fixes #287)
- Fix local/remote url classification.
- Rephrase file conflict check summary (bsc#1140039)
- Fix bash completions option detection (bsc#1049825)
- man: split '--with[out]' like options to ease searching.
- Unhided 'ps' command in help
- Added option to show more conflict information
- Rephrased `zypper ps` hint (bsc#859480)
- Fixed repo refresh not returning 106-ZYPPER_EXIT_INF_REPOS_SKIPPED
if --root is used (bsc#1134226)
- Fixed unknown package handling in zypper install (bsc#1127608)
- Re-show progress bar after pressing retry upon install error (bsc#1131113)
Issues fixed in PackageKit:
- Port the cron configuration variables to the systemd timer script, and add -sendwait
parameter to mail in the script(bsc#1130306).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2757-1
Released: Wed Oct 23 17:21:17 2019
Summary: Security update for lz4
Type: security
Severity: moderate
References: 1153936,CVE-2019-17543
Description:
This update for lz4 fixes the following issues:
- CVE-2019-17543: Fixed a heap-based buffer overflow in LZ4_write32 (bsc#1153936).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2812-1
Released: Tue Oct 29 14:57:55 2019
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1139459,1140631,1145023,1150595,SLE-7687
Description:
This update for systemd provides the following fixes:
- Fix a problem that would cause invoking try-restart to an inactive service to hang when
a daemon-reload is invoked before the try-restart returned. (bsc#1139459)
- man: Add a note about _netdev usage.
- units: Replace remote-cryptsetup-pre.target with remote-fs-pre.target.
- units: Add [Install] section to remote-cryptsetup.target.
- cryptsetup: Ignore _netdev, since it is used in generator.
- cryptsetup-generator: Use remote-cryptsetup.target when _netdev is present. (jsc#SLE-7687)
- cryptsetup-generator: Add a helper utility to create symlinks.
- units: Add remote-cryptsetup.target and remote-cryptsetup-pre.target.
- man: Add an explicit description of _netdev to systemd.mount(5).
- man: Order fields alphabetically in crypttab(5).
- man: Make crypttab(5) a bit easier to read.
- units: Order cryptsetup-pre.target before cryptsetup.target.
- Fix reporting of enabled-runtime units.
- sd-bus: Deal with cookie overruns. (bsc#1150595)
- rules: Add by-id symlinks for persistent memory. (bsc#1140631)
- Buildrequire polkit so /usr/share/polkit-1/rules.d subdir can be only owned by polkit.
(bsc#1145023)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2870-1
Released: Thu Oct 31 08:09:14 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1051143,1138869,1151023
Description:
This update for aaa_base provides the following fixes:
- Check if variables can be set before modifying them to avoid warnings on login with a
restricted shell. (bsc#1138869)
- Add s390x compressed kernel support. (bsc#1151023)
- service: Check if there is a second argument before using it. (bsc#1051143)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2418-1
Released: Thu Nov 14 11:53:03 2019
Summary: Recommended update for bash
Type: recommended
Severity: moderate
References: 1133773,1143055
Description:
This update for bash fixes the following issues:
- Rework patch readline-7.0-screen (bsc#1143055):
map all "screen(-xxx)?.yyy(-zzz)?" to "screen" as well as
map "konsole(-xxx)?" and "gnome(-xxx)?" to "xterm"
- Add a backport from bash 5.0 to perform better with large numbers of sub processes. (bsc#1133773)
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2019:2980-1
Released: Thu Nov 14 22:45:33 2019
Summary: Optional update for curl
Type: optional
Severity: low
References: 1154019
Description:
This update for curl doesn't address any user visible issues.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2997-1
Released: Mon Nov 18 15:16:38 2019
Summary: Security update for ncurses
Type: security
Severity: moderate
References: 1103320,1154036,1154037,CVE-2019-17594,CVE-2019-17595
Description:
This update for ncurses fixes the following issues:
Security issues fixed:
- CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036).
- CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037).
Non-security issue fixed:
- Removed screen.xterm from terminfo database (bsc#1103320).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3010-1
Released: Tue Nov 19 18:10:58 2019
Summary: Recommended update for zypper and libsolv
Type: recommended
Severity: moderate
References: 1145554,1146415,1149511,1153351,SLE-9171
Description:
This update for zypper and libsolv fixes the following issues:
Package: zypper
- Improved the documentation of $releasever and --releasever usescases (bsc#1149511)
- zypper will now ask only once when multiple packages share the same license text (bsc#1145554)
- Added a new 'solver.focus' option for /etc/zypp/zypp.conf to define systemwide focus
mode when resolving jobs (bsc#1146415)
- Fixes an issue where 'zypper lu' didn't list all available package updates (bsc#1153351)
- Added a new --repo option to the 'download' command to allow to specify a repository (jsc#SLE-9171)
Package: libsolv
- Fixes issues when updating too many packages in focusbest mode
- Fixes the handling of disabled and installed packages in distupgrade
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3059-1
Released: Mon Nov 25 17:33:07 2019
Summary: Security update for cpio
Type: security
Severity: moderate
References: 1155199,CVE-2019-14866
Description:
This update for cpio fixes the following issues:
- CVE-2019-14866: Fixed an improper validation of the values written
in the header of a TAR file through the to_oct() function which could
have led to unexpected TAR generation (bsc#1155199).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3061-1
Released: Mon Nov 25 17:34:22 2019
Summary: Security update for gcc9
Type: security
Severity: moderate
References: 1114592,1135254,1141897,1142649,1142654,1148517,1149145,CVE-2019-14250,CVE-2019-15847,SLE-6533,SLE-6536
Description:
This update includes the GNU Compiler Collection 9.
A full changelog is provided by the GCC team on:
https://www.gnu.org/software/gcc/gcc-9/changes.html
The base system compiler libraries libgcc_s1, libstdc++6 and others are
now built by the gcc 9 packages.
To use it, install "gcc9" or "gcc9-c++" or other compiler brands and use CC=gcc-9 /
CXX=g++-9 during configuration for using it.
Security issues fixed:
- CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145)
- CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649)
Non-security issues fixed:
- Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254)
- Fixed miscompilation for vector shift on s390. (bsc#1141897)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3070-1
Released: Tue Nov 26 12:39:29 2019
Summary: Recommended update for gpg2
Type: recommended
Severity: low
References: 1152755
Description:
This update for gpg2 provides the following fix:
- Remove a build requirement on self. This is causing Leap 15.2 bootstrap to fail. (bsc#1152755)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3086-1
Released: Thu Nov 28 10:02:24 2019
Summary: Security update for libidn2
Type: security
Severity: moderate
References: 1154884,1154887,CVE-2019-12290,CVE-2019-18224
Description:
This update for libidn2 to version 2.2.0 fixes the following issues:
- CVE-2019-12290: Fixed an improper round-trip check when converting A-labels to U-labels (bsc#1154884).
- CVE-2019-18224: Fixed a heap-based buffer overflow that was caused by long domain strings (bsc#1154887).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3087-1
Released: Thu Nov 28 10:03:00 2019
Summary: Security update for libxml2
Type: security
Severity: low
References: 1123919
Description:
This update for libxml2 doesn't fix any additional security issues, but correct its rpm changelog to reflect
all CVEs that have been fixed over the past.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3118-1
Released: Fri Nov 29 14:41:35 2019
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 1154295
Description:
This update for e2fsprogs fixes the following issues:
- Make minimum size estimates more reliable for mounted filesystem. (bsc#1154295)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3166-1
Released: Wed Dec 4 11:24:42 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1007715,1084934,1157278
Description:
This update for aaa_base fixes the following issues:
- Use official key binding functions in inputrc that is replace up-history with previous-history, down-history with next-history and backward-delete-word with backward-kill-word. (bsc#1084934)
- Add some missed key escape sequences for urxvt-unicode terminal as well. (bsc#1007715)
- Clear broken ghost entry in patch which breaks 'readline'. (bsc#1157278)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3181-1
Released: Thu Dec 5 11:43:07 2019
Summary: Security update for permissions
Type: security
Severity: moderate
References: 1093414,1150734,1157198,CVE-2019-3688,CVE-2019-3690
Description:
This update for permissions fixes the following issues:
- CVE-2019-3688: Changed wrong ownership in /usr/sbin/pinger to root:squid
which could have allowed a squid user to gain persistence by changing the
binary (bsc#1093414).
- CVE-2019-3690: Fixed a privilege escalation through untrusted symbolic
links (bsc#1150734).
- Fixed a regression which caused sagmentation fault (bsc#1157198).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3240-1
Released: Tue Dec 10 10:40:19 2019
Summary: Recommended update for ca-certificates-mozilla, p11-kit
Type: recommended
Severity: moderate
References: 1154871
Description:
This update for ca-certificates-mozilla, p11-kit fixes the following issues:
Changes in ca-certificates-mozilla:
- export correct p11kit trust attributes so Firefox detects built in
certificates (bsc#1154871).
Changes in p11-kit:
- support loading NSS attribute CKA_NSS_MOZILLA_CA_POLICY so Firefox
detects built in certificates (bsc#1154871)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3267-1
Released: Wed Dec 11 11:19:53 2019
Summary: Security update for libssh
Type: security
Severity: important
References: 1158095,CVE-2019-14889
Description:
This update for libssh fixes the following issues:
- CVE-2019-14889: Fixed an arbitrary command execution (bsc#1158095).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3392-1
Released: Fri Dec 27 13:33:29 2019
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 1148987,1155338,1155339,CVE-2019-13627
Description:
This update for libgcrypt fixes the following issues:
Security issues fixed:
- CVE-2019-13627: Mitigation against an ECDSA timing attack (bsc#1148987).
Bug fixes:
- Added CMAC AES self test (bsc#1155339).
- Added CMAC TDES self test missing (bsc#1155338).
- Fix test dsa-rfc6979 in FIPS mode.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:69-1
Released: Fri Jan 10 12:33:59 2020
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1155346,1157775,1158101,1158809,CVE-2019-1551,SLE-8789
Description:
This update for openssl-1_1 fixes the following issues:
Security issue fixed:
- CVE-2019-1551: Fixed an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809).
Various FIPS related improvements were done:
- FIPS: Backport SSH KDF to openssl (jsc#SLE-8789, bsc#1157775).
- Port FIPS patches from SLE-12 (bsc#1158101).
- Use SHA-2 in the RSA pairwise consistency check (bsc#1155346).
-----------------------------------------------------------------
Advisory ID: SUSE-feature-2020:89-1
Released: Mon Jan 13 16:07:20 2020
Summary: Update to kubernetes 1.16, supportconfig update, and helm security fix (CVE-2019-18658)
Type: feature
Severity: moderate
References: 1100838,1118897,1118898,1118899,1143813,1144065,1146991,1147142,1152861,1155810,1156646
Description:
= Required Actions
== Skuba and helm update Instructions
Update skuba and helm on your management workstation as you would do with any othe package.
Refer to: link:https://documentation.suse.com/sles/15-SP1/single-html/SLES-admin/#sec-zypper-softup
[WARNING]
====
When running helm-init you may hit a link:https://bugzilla.suse.com/show_bug.cgi?id=1159047[known bug on the certificate validation]:
----
https://kubernetes-charts.storage.googleapis.com is not a valid chart repository or cannot be reached: Get https://kubernetes-charts.storage.googleapis.com/index.yaml: x509: certificate signed by unknown authority
----
In order to fix this, run:
----
sudo update-ca-certificates
----
====
After updating helm to latest version on the management host, you have to also upgrade the helm-tiller image in the cluster, by running:
----
helm init \
--tiller-image registry.suse.com/caasp/v4/helm-tiller:2.16.1 \
--service-account tiller --upgrade
----
== Update Your Kubernetes Manifests for Kubernetes 1.16.2:
Some API resources are moved to stable, while others have been moved to different groups or deprecated.
The following will impact your deployment manifests:
* `DaemonSet`, `Deployment`, `StatefulSet`, and `ReplicaSet` in `extensions/` (both `v1beta1` and `v1beta2`) is deprecated. Migrate to `apps/v1` group instead for all those objects. Please note that `kubectl convert` can help you migrate all the necessary fields.
* `PodSecurityPolicy` in `extensions/v1beta1` is deprecated. Migrate to `policy/v1beta1` group for `PodSecurityPolicy`. Please note that `kubectl convert` can help you migrate all the necessary fields.
* `NetworkPolicy` in `extensions/v1beta1` is deprecated. Migrate to `networking.k8s.io/v1` group for `NetworkPolicy`. Please note that `kubectl convert` can help you migrate all the necessary fields.
* `Ingress` in `extensions/v1beta1` is being phased out. Migrate to `networking.k8s.io/v1beta1` as soon as possible. This new API does not need to update other API fields and therefore only a path change is necessary.
* Custom resource definitions have moved from `apiextensions.k8s.io/v1beta1` to `apiextensions.k8s.io/v1`.
Please also see https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/ for more details.
= Documentation Updates
* Switched examples to use SUSE supported helm, Prometheus, nginx-ingress and Grafana charts and images
* link:{docurl}caasp-admin/single-html/_security.html#_deployment_with_a_custom_ca_certificate[Added instructions on how to replace {kube} certificates with custom CA certificate]
* link:{docurl}caasp-admin/single-html/_security.html#_replace_server_certificate_signed_by_a_trusted_ca_certificate[Added instructions to configure custom certificates for gangway and dex]
* link:{docurl}caasp-admin/single-html/_software_management.html#_installing_tiller[Added instructions for secured Tiller deployment]
* link:{docurl}caasp-deployment/single-html/#machine-id[Added notes about unique `machine-id` requirement]
* link:{docurl}caasp-deployment/single-html/#_autoyast_preparation[Added timezone configuration example for {ay}]
* link:https://github.com/SUSE/doc-caasp/pulls?q=is%3Apr+is%3Aclosed+sort%3Aupdated-desc[Various minor bugfixes and improvements]
= Known issue: skuba upgrade could not parse "Unknown" as version ====
Running "skuba node upgrade plan" might fail with the error "could not parse "Unknown" as version" when a worker, after running "skuba node upgrade apply", had not fully started yet.
If you are running into this issue, please add some delay after running "skuba node upgrade apply" and prior to running "skuba node upgrade plan".
This is tracked in link:https://bugzilla.suse.com/show_bug.cgi?id=1159452[bsc#1159452]
More information about the sle-security-updates
mailing list