SUSE-CU-2020:13-1: Security update of caasp/v4/hyperkube

sle-security-updates at lists.suse.com
Tue Jan 14 00:09:17 MST 2020


SUSE Container Update Advisory: caasp/v4/hyperkube
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:13-1
Container Tags        : caasp/v4/hyperkube:v1.16.2 , caasp/v4/hyperkube:v1.16.2-rev5 , caasp/v4/hyperkube:v1.16.2-rev5-build3.9.1
Severity              : important
Type                  : security
References            : 1007715 1049825 1051143 1073313 1081947 1081947 1082293 1082318
                        1084934 1085196 1092100 1093414 1100838 1103320 1106214 1110797
                        1111388 1114592 1114845 1116995 1118897 1118898 1118899 1120629
                        1120630 1120631 1121197 1121753 1122417 1122666 1123919 1125886
                        1127155 1127608 1127701 1128828 1129071 1130306 1131113 1131823
                        1132663 1132767 1132900 1133773 1134226 1134444 1135254 1135534
                        1135584 1135708 1135749 1135984 1137131 1137132 1137189 1137296
                        1137503 1137977 1138869 1139459 1139795 1140039 1140491 1140601
                        1140631 1141113 1141174 1141322 1141897 1142614 1142649 1142654
                        1143055 1143194 1143273 1143813 1144047 1144065 1145023 1145093
                        1145231 1145521 1145554 1145617 1145618 1145716 1145759 1146027
                        1146415 1146415 1146656 1146866 1146947 1146991 1147132 1147142
                        1148244 1148517 1148987 1149093 1149121 1149145 1149429 1149495
                        1149496 1149511 1149792 1149955 1150003 1150137 1150250 1150406
                        1150595 1150734 1150895 1151023 1151439 1151490 1151990 1151991
                        1151992 1151993 1151994 1151995 1152002 1152101 1152755 1152861
                        1153238 1153351 1153557 1153936 1154019 1154036 1154037 1154295
                        1154871 1154884 1154887 1155199 1155338 1155339 1155346 1155668
                        1155810 1156282 1156646 1157198 1157278 1157775 1157891 1158095
                        1158101 1158527 1158809 1159819 353876 859480 CVE-2017-17740
                        CVE-2018-1122 CVE-2018-1123 CVE-2018-1124 CVE-2018-1125 CVE-2018-1126
                        CVE-2018-18508 CVE-2018-20532 CVE-2018-20533 CVE-2018-20534 CVE-2019-10222
                        CVE-2019-11236 CVE-2019-11324 CVE-2019-11745 CVE-2019-12290 CVE-2019-13057
                        CVE-2019-13565 CVE-2019-13627 CVE-2019-14250 CVE-2019-14866 CVE-2019-14889
                        CVE-2019-1547 CVE-2019-1551 CVE-2019-1563 CVE-2019-15847 CVE-2019-15903
                        CVE-2019-16056 CVE-2019-16168 CVE-2019-16935 CVE-2019-17006 CVE-2019-17543
                        CVE-2019-17594 CVE-2019-17595 CVE-2019-18224 CVE-2019-3688 CVE-2019-3690
                        CVE-2019-5094 CVE-2019-5481 CVE-2019-5482 CVE-2019-9740 CVE-2019-9893
                        PM-1350 SLE-6533 SLE-6536 SLE-7687 SLE-8789 SLE-9132 SLE-9171
                        SLE-9426 
-----------------------------------------------------------------

The container caasp/v4/hyperkube was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2307-1
Released:    Thu Sep  5 14:45:08 2019
Summary:     Security update for util-linux and shadow
Type:        security
Severity:    moderate
References:  1081947,1082293,1085196,1106214,1121197,1122417,1125886,1127701,1135534,1135708,1141113,353876
Description:

This update for util-linux and shadow fixes the following issues:

util-linux:

- Fixed an issue where PATH settings in /etc/default/su were being ignored (bsc#1121197)
- Prevent outdated pam files (bsc#1082293).
- De-duplicate fstrim -A properly (bsc#1127701).
- Do not trim read-only volumes (bsc#1106214).
- Integrate pam_keyinit pam module to login (bsc#1081947).
- Perform one-time reset of /etc/default/su (bsc#1121197).
- Fix problems in reading of login.defs values (bsc#1121197)
- libmount: To prevent incorrect behavior, recognize more pseudofs and netfs (bsc#1122417).
- raw.service: Add RemainAfterExit=yes (bsc#1135534).
- agetty: Return previous response of agetty for special characters (bsc#1085196, bsc#1125886)
- libmount: print a blacklist hint for "unknown filesystem type" (jsc#SUSE-4085, fate#326832)
- Fix /etc/default/su comments and create /etc/default/runuser (bsc#1121197).

shadow:

- Fixed an issue where PATH settings in /etc/default/su were being ignored (bsc#1121197)
- Fix segfault in useradd during setting password inactivity period. (bsc#1141113)
- Hardening for su wrappers (bsc#353876)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2332-1
Released:    Mon Sep  9 10:17:16 2019
Summary:     Security update for python-urllib3
Type:        security
Severity:    moderate
References:  1129071,1132663,1132900,CVE-2019-11236,CVE-2019-11324,CVE-2019-9740
Description:

This update for python-urllib3 fixes the following issues:

Security issues fixed:

- CVE-2019-9740: Fixed CRLF injection issue (bsc#1129071).
- CVE-2019-11324: Fixed invalid CA certificate verification (bsc#1132900).
- CVE-2019-11236: Fixed CRLF injection via request parameter (bsc#1132663).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2361-1
Released:    Thu Sep 12 07:54:54 2019
Summary:     Recommended update for krb5
Type:        recommended
Severity:    moderate
References:  1081947,1144047
Description:

This update for krb5 contains the following fixes:

- Integrate pam_keyinit PAM module, ksu-pam.d. (bsc#1081947)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2367-1
Released:    Thu Sep 12 12:59:37 2019
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    moderate
References:  1122666,1135984,1137296
Description:

This update for lvm2 fixes the following issues:

- Fix unknown feature in status message (bsc#1135984)
- Fix using device aliases with lvmetad (bsc#1137296)
- Fix devices drop open error message (bsc#1122666)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2373-1
Released:    Thu Sep 12 14:18:53 2019
Summary:     Security update for curl
Type:        security
Severity:    important
References:  1149495,1149496,CVE-2019-5481,CVE-2019-5482
Description:

This update for curl fixes the following issues:

Security issues fixed:

- CVE-2019-5481: Fixed FTP-KRB double-free during Kerberos FTP data transfer (bsc#1149495).
- CVE-2019-5482: Fixed TFTP small blocksize heap buffer overflow (bsc#1149496).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2394-1
Released:    Tue Sep 17 22:39:07 2019
Summary:     Recommended update for ceph
Type:        recommended
Severity:    important
References:  1137189
Description:

This update for ceph fixes the following issues:
- rgw: Move upload_info declaration out of conditional. (bsc#1137189)
- rgw: asio: Check the remote endpoint before processing requests.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2395-1
Released:    Wed Sep 18 08:31:38 2019
Summary:     Security update for openldap2
Type:        security
Severity:    moderate
References:  1073313,1111388,1114845,1143194,1143273,CVE-2017-17740,CVE-2019-13057,CVE-2019-13565
Description:

This update for openldap2 fixes the following issues:

Security issues fixed:

- CVE-2019-13565: Fixed an authentication bypass when using SASL authentication and session encryption (bsc#1143194).
- CVE-2019-13057: Fixed an issue with delegated database admin privileges (bsc#1143273).
- CVE-2017-17740: When both the nops module and the memberof overlay
  are enabled, slapd attempts to free a buffer that was allocated on the stack,
  which allows remote attackers to cause a denial of service (slapd crash)
  via a member MODDN operation. (bsc#1073313)

Non-security issues fixed:

- Fixed broken shebang line in openldap_update_modules_path.sh (bsc#1114845).
- Create files in /var/lib/ldap/ during initial start to allow for transactional updates (bsc#1111388)
- Fixed incorrect post script call causing tmpfiles creation not to be run (bsc#1111388).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2403-1
Released:    Wed Sep 18 16:14:29 2019
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1150003,1150250,CVE-2019-1547,CVE-2019-1563
Description:

This update for openssl-1_1 fixes the following issues:

OpenSSL Security Advisory [10 September 2019]

* CVE-2019-1547: Added EC_GROUP_set_generator side channel attack avoidance. (bsc#1150003)
* CVE-2019-1563: Fixed Bleichenbacher attack against cms/pkcs7 encryption transported key (bsc#1150250)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2422-1
Released:    Fri Sep 20 16:36:43 2019
Summary:     Recommended update for python-urllib3
Type:        recommended
Severity:    moderate
References:  1150895
Description:

This update for python-urllib3 fixes the following issues:

- Add missing dependency on python-six (bsc#1150895)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2423-1
Released:    Fri Sep 20 16:41:45 2019
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1146866,SLE-9132
Description:

This update for aaa_base fixes the following issues:

Added sysctl.d/51-network.conf to tighten network security (bsc#1146866) (jira#SLE-9132)

The following settings have been tightened (set to 0):

- net.ipv4.conf.all.accept_redirects
- net.ipv4.conf.default.accept_redirects
- net.ipv4.conf.default.accept_source_route
- net.ipv6.conf.all.accept_redirects
- net.ipv6.conf.default.accept_redirects
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2429-1
Released:    Mon Sep 23 09:28:40 2019
Summary:     Security update for expat
Type:        security
Severity:    moderate
References:  1149429,CVE-2019-15903
Description:

This update for expat fixes the following issues:

Security issues fixed:

- CVE-2019-15903: Fixed heap-based buffer over-read caused by crafted XML input. (bsc#1149429)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2517-1
Released:    Wed Oct  2 10:49:20 2019
Summary:     Security update for libseccomp
Type:        security
Severity:    moderate
References:  1082318,1128828,1142614,CVE-2019-9893
Description:

This update for libseccomp fixes the following issues:

Security issues fixed:

- CVE-2019-9893: An incorrect generation of syscall filters in libseccomp was fixed (bsc#1128828)

libseccomp was updated to new upstream release 2.4.1:

- Fix a BPF generation bug where the optimizer mistakenly
  identified duplicate BPF code blocks.

libseccomp was updated to 2.4.0 (bsc#1128828 CVE-2019-9893):

- Update the syscall table for Linux v5.0-rc5
- Added support for the SCMP_ACT_KILL_PROCESS action
- Added support for the SCMP_ACT_LOG action and SCMP_FLTATR_CTL_LOG attribute
- Added explicit 32-bit (SCMP_AX_32(...)) and 64-bit (SCMP_AX_64(...)) argument comparison macros to help protect against unexpected sign extension
- Added support for the parisc and parisc64 architectures
- Added the ability to query and set the libseccomp API level via seccomp_api_get(3) and seccomp_api_set(3)
- Return -EDOM on an endian mismatch when adding an architecture to a filter
- Renumber the pseudo syscall number for subpage_prot() so it no longer conflicts with spu_run()
- Fix PFC generation when a syscall is prioritized, but no rule exists
- Numerous fixes to the seccomp-bpf filter generation code
- Switch our internal hashing function from jhash/Lookup3 to MurmurHash3
- Numerous tests added to the included test suite, coverage now at ~92%
- Update our Travis CI configuration to use Ubuntu 16.04
- Numerous documentation fixes and updates

libseccomp was updated to release 2.3.3:

- Updated the syscall table for Linux v4.15-rc7
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2533-1
Released:    Thu Oct  3 15:02:50 2019
Summary:     Security update for sqlite3
Type:        security
Severity:    moderate
References:  1150137,CVE-2019-16168
Description:

This update for sqlite3 fixes the following issues:

Security issue fixed:

- CVE-2019-16168: Fixed improper validation of sqlite_stat1 field that could lead to denial of service (bsc#1150137).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2626-1
Released:    Thu Oct 10 17:22:35 2019
Summary:     Recommended update for permissions
Type:        recommended
Severity:    moderate
References:  1110797
Description:

This update for permissions fixes the following issues:

- Updated permissions for amanda. (bsc#1110797)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2676-1
Released:    Tue Oct 15 21:06:54 2019
Summary:     Recommended update for e2fsprogs
Type:        recommended
Severity:    moderate
References:  1145716,1152101,CVE-2019-5094
Description:

This update for e2fsprogs fixes the following issues:

Security issue fixed:

- CVE-2019-5094: Fixed an arbitrary code execution via specially crafted ext4 file systems. (bsc#1152101)

Non-security issue fixed:

- libext2fs: Call fsync(2) to clear stale errors for a new unix I/O channel. (bsc#1145716)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2681-1
Released:    Tue Oct 15 22:01:40 2019
Summary:     Recommended update for libdb-4_8
Type:        recommended
Severity:    moderate
References:  1148244
Description:

This update for libdb-4_8 fixes the following issues:

- Add off-page deadlock patch as found and documented by Red Hat.
  (bsc#1148244)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2730-1
Released:    Mon Oct 21 16:04:57 2019
Summary:     Security update for procps
Type:        security
Severity:    important
References:  1092100,1121753,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126
Description:

This update for procps fixes the following issues:

procps was updated to 3.3.15. (bsc#1092100)

The following security issues were fixed:

- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top
  with HOME unset in an attacker-controlled directory, the attacker could have
  achieved privilege escalation by exploiting one of several vulnerabilities in
  the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow.
  Inbuilt protection in ps mapped a guard page at the end of the overflowed
  buffer, ensuring that the impact of this flaw is limited to a crash (temporary
  denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap
  corruption in file2strvec function. This allowed a privilege escalation for a
  local attacker who can create entries in procfs by starting processes, which
  could result in crashes or arbitrary code execution in proc utilities run by
  other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was
  mitigated by FORTIFY limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent
  truncation/integer overflow issues (bsc#1092100).

This non-security issue was also fixed:

- Fix CPU summary showing old data. (bsc#1121753)

The update to 3.3.15 contains the following fixes:

* library: Increment to 8:0:1
  No removals, no new functions
  Changes: slab and pid structures
* library: Just check for SIGLOST and don't delete it
* library: Fix integer overflow and LPE in file2strvec   CVE-2018-1124
* library: Use size_t for alloc functions                CVE-2018-1126
* library: Increase comm size to 64
* pgrep: Fix stack-based buffer overflow                 CVE-2018-1125
* pgrep: Remove >15 warning as comm can be longer
* ps: Fix buffer overflow in output buffer, causing DOS  CVE-2018-1123
* ps: Increase command name selection field to 64
* top: Don't use cwd for location of config              CVE-2018-1122
* update translations
* library: build on non-glibc systems
* free: fix scaling on 32-bit systems
* Revert "Support running with child namespaces"
* library: Increment to 7:0:1
  No changes, no removals
  New functions: numa_init, numa_max_node, numa_node_of_cpu, numa_uninit, xalloc_err_handler
* doc: Document I idle state in ps.1 and top.1
* free: fix some of the SI multiples
* kill: -l space between name parses correctly
* library: don't use vm_min_free on non-Linux
* library: don't strip off wchan prefixes (ps & top)
* pgrep: warn about 15+ char name only if -f not used
* pgrep/pkill: only match in same namespace by default
* pidof: specify separator between pids
* pkill: Return 0 only if we can kill process
* pmap: fix duplicate output line under '-x' option
* ps: avoid eip/esp address truncations
* ps: recognizes SCHED_DEADLINE as valid CPU scheduler
* ps: display NUMA node under which a thread ran
* ps: Add seconds display for cputime and time
* ps: Add LUID field
* sysctl: Permit empty string for value
* sysctl: Don't segv when file not available
* sysctl: Read and write large buffers
* top: add config file support for XDG specification
* top: eliminated minor libnuma memory leak
* top: show fewer memory decimal places (configurable)
* top: provide command line switch for memory scaling
* top: provide command line switch for CPU States
* top: provides more accurate cpu usage at startup
* top: display NUMA node under which a thread ran
* top: fix argument parsing quirk resulting in SEGV
* top: delay interval accepts non-locale radix point
* top: address a wishlist man page NLS suggestion
* top: fix potential distortion in 'Mem' graph display
* top: provide proper multi-byte string handling
* top: startup defaults are fully customizable
* watch: define HOST_NAME_MAX where not defined
* vmstat: Fix alignment for disk partition format
* watch: Support ANSI 39,49 reset sequences

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2736-1
Released:    Tue Oct 22 11:07:31 2019
Summary:     Security update for ceph, ceph-iscsi, ses-manual_en
Type:        security
Severity:    moderate
References:  1132767,1134444,1135584,1137503,1140491,1141174,1145093,1145617,1145618,1145759,1146656,1147132,1149093,1150406,1151439,1151990,1151991,1151992,1151993,1151994,1151995,1152002,CVE-2019-10222
Description:

This update for ceph, ceph-iscsi and ses-manual_en fixes the following issues:

Security issues fixed:

- CVE-2019-10222: Fixed RGW crash caused by unauthenticated clients. (bsc#1145093)

Non-security issues fixed:

- ceph-volume: prints errors to stdout with --format json (bsc#1132767)
- mgr/dashboard: Changing rgw-api-host does not get effective without disable/enable
  dashboard mgr module (bsc#1137503)
- mgr/dashboard: Silence Alertmanager alerts (bsc#1141174)
- mgr/dashboard: Fix e2e failures caused by webdriver version (bsc#1145759)
- librbd: always try to acquire exclusive lock when removing image (bsc#1149093)
- The no{up,down,in,out} related commands have been revamped (bsc#1151990)
- radosgw-admin gets two new subcommands for managing expire-stale objects. (bsc#1151991)
- Deploying a single new BlueStore OSD on a cluster upgraded to SES6 from SES5 breaks pool utilization stats reported by ceph df (bsc#1151992)
- Ceph cluster will no longer issue a health warning if CRUSH tunables are older than "hammer" (bsc#1151993)
- Nautilus-based librbd clients can not open images on Jewel clusters (bsc#1151994)
- The RGW num_rados_handles has been removed in Ceph 14.2.3 (bsc#1151995)
- "osd_deep_scrub_large_omap_object_key_threshold" has been lowered in Nautilus 14.2.3 (bsc#1152002)
- Support iSCSI target-level CHAP authentication (bsc#1145617)
- Validation and rendering of iSCSI controls based on "type" (bsc#1140491)
- Fix error editing iSCSI image advanced settings (bsc#1146656)
- Fix error during iSCSI target edit

Fixes in ses-manual_en:

- Added a new chapter with changelogs of Ceph releases. (bsc#1135584)
- Rewrote rolling updates and replaced running stage.0 with manual commands to prevent infinite loop. (bsc#1134444)
- Expanded the CaaSP name to its full form. (bsc#1151439)
- Verify which OSD's are going to be removed before running stage.5. (bsc#1150406)
- Added two additional steps to recovering an OSD. (bsc#1147132)

Fixes in ceph-iscsi:

- Validate kernel LIO controls type and value (bsc#1140491)
- TPG lun_id persistence (bsc#1145618)
- Target level CHAP authentication (bsc#1145617)

ceph-iscsi was updated to the upstream 3.2 release:

- Always use host FQDN instead of shortname
- Validate min/max value for target controls and rbd:user/tcmu-runner image
  controls (bsc#1140491)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2742-1
Released:    Tue Oct 22 15:40:16 2019
Summary:     Recommended update for libzypp, zypper, libsolv and PackageKit
Type:        recommended
Severity:    important
References:  1049825,1116995,1120629,1120630,1120631,1127155,1127608,1130306,1131113,1131823,1134226,1135749,1137977,1139795,1140039,1145521,1146027,1146415,1146947,1153557,859480,CVE-2018-20532,CVE-2018-20533,CVE-2018-20534
Description:

This update for libzypp, zypper, libsolv and PackageKit fixes the following issues:

Security issues fixed in libsolv:

- CVE-2018-20532: Fixed NULL pointer dereference at ext/testcase.c (function testcase_read) (bsc#1120629).
- CVE-2018-20533: Fixed NULL pointer dereference at ext/testcase.c (function testcase_str2dep_complex) in libsolvext.a (bsc#1120630).
- CVE-2018-20534: Fixed illegal address access at src/pool.h (function pool_whatprovides) in libsolv.a (bsc#1120631).

Other issues addressed in libsolv:

- Fixed an issue where libsolv failed to build against swig 4.0 by updating the version to 0.7.5 (bsc#1135749).
- Fixed an issue with the package name (bsc#1131823).
- repo_add_rpmdb: do not copy bad solvables from the old solv file
- Fixed an issue with cleandeps updates in which not all packages were updated
- Experimental DISTTYPE_CONDA and REL_CONDA support
- Fixed cleandeps jobs when using patterns (bsc#1137977)
- Fixed favorq leaking between solver runs if the solver is reused
- Fixed SOLVER_FLAG_FOCUS_BEST updating packages without reason
- Be more correct with multiversion packages that obsolete their own name (bnc#1127155)
- Fix repository priority handling for multiversion packages
- Make code compatible with swig 4.0, remove obj0 instances
- repo2solv: support zchunk compressed data
- Remove NO_BRP_STRIP_DEBUG=true as brp-15-strip-debug will
  not strip debug info for archives

Issues fixed in libzypp:

- Fix empty metalink downloads if filesize is unknown (bsc#1153557)
- Recognize riscv64 as architecture
- Fix installation of new header file (fixes #185)
- zypp.conf: Introduce `solver.focus` to define the resolvers general
  attitude when resolving jobs. (bsc#1146415)
- New container detection algorithm for zypper ps (bsc#1146947)
- Fix leaking filedescriptors in MediaCurl. (bsc#1116995)
- Run file conflict check on dry-run. (bsc#1140039)
- Do not remove orphan products if the .prod file is owned by
  a package. (bsc#1139795)
- Rephrase file conflict check summary. (bsc#1140039)
- Fix bash completions option detection. (bsc#1049825)
- Fixes a bug where zypper exited on SIGPIPE when downloading packages (bsc#1145521)
- Fixes an issue where zypper exited with a segmentation fault when updating via YaST2 (bsc#1146027)
- PublicKey::algoName: supply key algorithm and length

Issues fixed in zypper:

- Update to version 1.14.30
- Ignore SIGPIPE while STDOUT/STDERR are OK (bsc#1145521)
- Dump stacktrace on SIGPIPE (bsc#1145521)
- info: The requested info must be shown in QUIET mode (fixes #287)
- Fix local/remote url classification.
- Rephrase file conflict check summary (bsc#1140039)
- Fix bash completions option detection (bsc#1049825)
- man: split '--with[out]' like options to ease searching.
- Unhid the 'ps' command in help
- Added option to show more conflict information
- Rephrased `zypper ps` hint (bsc#859480)
- Fixed repo refresh not returning 106-ZYPPER_EXIT_INF_REPOS_SKIPPED
  if --root is used (bsc#1134226)
- Fixed unknown package handling in zypper install (bsc#1127608)
- Re-show progress bar after pressing retry upon install error (bsc#1131113)
Issues fixed in PackageKit:

- Port the cron configuration variables to the systemd timer script, and add the -sendwait
  parameter to mail in the script (bsc#1130306).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2757-1
Released:    Wed Oct 23 17:21:17 2019
Summary:     Security update for lz4
Type:        security
Severity:    moderate
References:  1153936,CVE-2019-17543
Description:

This update for lz4 fixes the following issues:

- CVE-2019-17543: Fixed a heap-based buffer overflow in LZ4_write32 (bsc#1153936).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2802-1
Released:    Tue Oct 29 11:39:05 2019
Summary:     Security update for python3
Type:        security
Severity:    moderate
References:  1149121,1149792,1149955,1151490,1153238,CVE-2019-16056,CVE-2019-16935,PM-1350,SLE-9426
Description:

This update for python3 to 3.6.9 fixes the following issues:

Security issues fixed:

- CVE-2019-16056: Fixed a parser issue in the email module. (bsc#1149955)
- CVE-2019-16935: Fixed a reflected XSS in python/Lib/DocXMLRPCServer.py (bsc#1153238).

Non-security issues fixed:

- Fixed regression of OpenSSL 1.1.1b-1 in EVP_PBE_scrypt() with salt=NULL. (bsc#1151490)
- Improved locale handling by implementing PEP 538.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2812-1
Released:    Tue Oct 29 14:57:55 2019
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1139459,1140631,1145023,1150595,SLE-7687
Description:

This update for systemd provides the following fixes:

- Fix a problem that would cause invoking try-restart to an inactive service to hang when
  a daemon-reload is invoked before the try-restart returned. (bsc#1139459)
- man: Add a note about _netdev usage.
- units: Replace remote-cryptsetup-pre.target with remote-fs-pre.target.
- units: Add [Install] section to remote-cryptsetup.target.
- cryptsetup: Ignore _netdev, since it is used in generator.
- cryptsetup-generator: Use remote-cryptsetup.target when _netdev is present. (jsc#SLE-7687)
- cryptsetup-generator: Add a helper utility to create symlinks.
- units: Add remote-cryptsetup.target and remote-cryptsetup-pre.target.
- man: Add an explicit description of _netdev to systemd.mount(5).
- man: Order fields alphabetically in crypttab(5).
- man: Make crypttab(5) a bit easier to read.
- units: Order cryptsetup-pre.target before cryptsetup.target.
- Fix reporting of enabled-runtime units.
- sd-bus: Deal with cookie overruns. (bsc#1150595)
- rules: Add by-id symlinks for persistent memory. (bsc#1140631)
- Buildrequire polkit so /usr/share/polkit-1/rules.d subdir can be only owned by polkit.
  (bsc#1145023)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2870-1
Released:    Thu Oct 31 08:09:14 2019
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1051143,1138869,1151023
Description:

This update for aaa_base provides the following fixes:

- Check if variables can be set before modifying them to avoid warnings on login with a
  restricted shell. (bsc#1138869)
- Add s390x compressed kernel support. (bsc#1151023)
- service: Check if there is a second argument before using it. (bsc#1051143)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2418-1
Released:    Thu Nov 14 11:53:03 2019
Summary:     Recommended update for bash
Type:        recommended
Severity:    moderate
References:  1133773,1143055
Description:

This update for bash fixes the following issues:

- Rework patch readline-7.0-screen (bsc#1143055):
  map all "screen(-xxx)?.yyy(-zzz)?" to "screen" as well as
  map "konsole(-xxx)?" and "gnome(-xxx)?" to "xterm"
- Add a backport from bash 5.0 to perform better with large numbers of sub processes. (bsc#1133773)

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2019:2980-1
Released:    Thu Nov 14 22:45:33 2019
Summary:     Optional update for curl
Type:        optional
Severity:    low
References:  1154019
Description:

This update for curl doesn't address any user visible issues.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2990-1
Released:    Mon Nov 18 09:35:01 2019
Summary:     Recommended update for ceph
Type:        recommended
Severity:    important
References:  1156282
Description:

This update for ceph fixes the following issue:

- A previous update introduced a regression with the potential to cause RocksDB
  data corruption in Nautilus (bsc#1156282).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2997-1
Released:    Mon Nov 18 15:16:38 2019
Summary:     Security update for ncurses
Type:        security
Severity:    moderate
References:  1103320,1154036,1154037,CVE-2019-17594,CVE-2019-17595
Description:

This update for ncurses fixes the following issues:

Security issues fixed:

- CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036).
- CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037).

Non-security issue fixed:

- Removed screen.xterm from terminfo database (bsc#1103320).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3010-1
Released:    Tue Nov 19 18:10:58 2019
Summary:     Recommended update for zypper and libsolv
Type:        recommended
Severity:    moderate
References:  1145554,1146415,1149511,1153351,SLE-9171
Description:

This update for zypper and libsolv fixes the following issues:

Package: zypper

- Improved the documentation of $releasever and --releasever use cases (bsc#1149511)
- zypper will now ask only once when multiple packages share the same license text (bsc#1145554)
- Added a new 'solver.focus' option for /etc/zypp/zypp.conf to define systemwide focus
  mode when resolving jobs (bsc#1146415)
- Fixes an issue where 'zypper lu' didn't list all available package updates (bsc#1153351)
- Added a new --repo option to the 'download' command to allow specifying a repository (jsc#SLE-9171)

Package: libsolv

- Fixes issues when updating too many packages in focusbest mode
- Fixes the handling of disabled and installed packages in distupgrade

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3040-1
Released:    Fri Nov 22 11:59:52 2019
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    moderate
References:  1145231
Description:

This update for lvm2 fixes the following issues:

- Adds a fix to detect MD devices by LVM2 with metadata=1.0/0.9 (bsc#1145231)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3059-1
Released:    Mon Nov 25 17:33:07 2019
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1155199,CVE-2019-14866
Description:

This update for cpio fixes the following issues:

- CVE-2019-14866: Fixed an improper validation of the values written
  in the header of a TAR file through the to_oct() function which could
  have led to unexpected TAR generation (bsc#1155199).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3061-1
Released:    Mon Nov 25 17:34:22 2019
Summary:     Security update for gcc9
Type:        security
Severity:    moderate
References:  1114592,1135254,1141897,1142649,1142654,1148517,1149145,CVE-2019-14250,CVE-2019-15847,SLE-6533,SLE-6536
Description:

This update includes the GNU Compiler Collection 9.

A full changelog is provided by the GCC team on:

   https://www.gnu.org/software/gcc/gcc-9/changes.html

The base system compiler libraries libgcc_s1, libstdc++6 and others are
now built by the gcc 9 packages.

To use it, install "gcc9", "gcc9-c++" or the other compiler packages and set CC=gcc-9 /
CXX=g++-9 during configuration.

Security issues fixed:

- CVE-2019-15847: Fixed a miscompilation in the POWER9 back end which optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145)
- CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649)

Non-security issues fixed:

- Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254)
- Fixed miscompilation for vector shift on s390. (bsc#1141897)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3070-1
Released:    Tue Nov 26 12:39:29 2019
Summary:     Recommended update for gpg2
Type:        recommended
Severity:    low
References:  1152755
Description:

This update for gpg2 provides the following fix:

- Removed the package's build requirement on itself, which was causing the Leap 15.2 bootstrap to fail. (bsc#1152755)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3086-1
Released:    Thu Nov 28 10:02:24 2019
Summary:     Security update for libidn2
Type:        security
Severity:    moderate
References:  1154884,1154887,CVE-2019-12290,CVE-2019-18224
Description:

This update for libidn2 to version 2.2.0 fixes the following issues:

- CVE-2019-12290: Fixed an improper round-trip check when converting A-labels to U-labels (bsc#1154884).
- CVE-2019-18224: Fixed a heap-based buffer overflow that was caused by long domain strings (bsc#1154887).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3087-1
Released:    Thu Nov 28 10:03:00 2019
Summary:     Security update for libxml2
Type:        security
Severity:    low
References:  1123919
Description:

This update for libxml2 does not fix any additional security issues, but corrects its RPM changelog to reflect
all CVEs that have been fixed in the past.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3118-1
Released:    Fri Nov 29 14:41:35 2019
Summary:     Recommended update for e2fsprogs
Type:        recommended
Severity:    moderate
References:  1154295
Description:

This update for e2fsprogs fixes the following issues:

- Make minimum size estimates more reliable for mounted filesystems. (bsc#1154295)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3166-1
Released:    Wed Dec  4 11:24:42 2019
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1007715,1084934,1157278
Description:

This update for aaa_base fixes the following issues:

- Use the official key binding function names in inputrc, that is, replace up-history with previous-history, down-history with next-history and backward-delete-word with backward-kill-word. (bsc#1084934)
- Added missing key escape sequences for the urxvt-unicode terminal as well. (bsc#1007715)
- Cleared a broken ghost entry in a patch that breaks 'readline'. (bsc#1157278)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3181-1
Released:    Thu Dec  5 11:43:07 2019
Summary:     Security update for permissions
Type:        security
Severity:    moderate
References:  1093414,1150734,1157198,CVE-2019-3688,CVE-2019-3690
Description:

This update for permissions fixes the following issues:

- CVE-2019-3688: Corrected the ownership of /usr/sbin/pinger to root:squid; the
  previous wrong ownership could have allowed the squid user to gain persistence
  by modifying the binary (bsc#1093414).
- CVE-2019-3690: Fixed a privilege escalation through untrusted symbolic
  links (bsc#1150734).
- Fixed a regression which caused a segmentation fault (bsc#1157198).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3240-1
Released:    Tue Dec 10 10:40:19 2019
Summary:     Recommended update for ca-certificates-mozilla, p11-kit
Type:        recommended
Severity:    moderate
References:  1154871
Description:

This update for ca-certificates-mozilla, p11-kit fixes the following issues:

Changes in ca-certificates-mozilla:

- Export the correct p11-kit trust attributes so that Firefox detects the built-in
  certificates (bsc#1154871).

Changes in p11-kit:

- Support loading the NSS attribute CKA_NSS_MOZILLA_CA_POLICY so that Firefox
  detects the built-in certificates (bsc#1154871)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3267-1
Released:    Wed Dec 11 11:19:53 2019
Summary:     Security update for libssh
Type:        security
Severity:    important
References:  1158095,CVE-2019-14889
Description:

This update for libssh fixes the following issues:

- CVE-2019-14889: Fixed an arbitrary command execution (bsc#1158095).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3343-1
Released:    Thu Dec 19 11:05:27 2019
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    moderate
References:  1155668
Description:

This update for lvm2 fixes the following issues:

- Fixed a 90 second delay seen during shutdown and reboot. (bsc#1155668)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3392-1
Released:    Fri Dec 27 13:33:29 2019
Summary:     Security update for libgcrypt
Type:        security
Severity:    moderate
References:  1148987,1155338,1155339,CVE-2019-13627
Description:

This update for libgcrypt fixes the following issues:

Security issues fixed:

- CVE-2019-13627: Mitigation against an ECDSA timing attack (bsc#1148987).

Bug fixes:

- Added CMAC AES self test (bsc#1155339).
- Added the missing CMAC TDES self test (bsc#1155338).
- Fixed the dsa-rfc6979 test in FIPS mode.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3395-1
Released:    Mon Dec 30 14:05:06 2019
Summary:     Security update for mozilla-nspr, mozilla-nss
Type:        security
Severity:    moderate
References:  1141322,1158527,1159819,CVE-2018-18508,CVE-2019-11745,CVE-2019-17006
Description:

This update for mozilla-nspr, mozilla-nss fixes the following issues:

mozilla-nss was updated to NSS 3.47.1:

Security issues fixed:

- CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819).
- CVE-2019-11745: EncryptUpdate should use maxout, not block size (bsc#1158527).
- CVE-2019-11727: Fixed a vulnerability where NSS could be forced to sign CertificateVerify with PKCS#1 v1.5 signatures (bsc#1141322).

mozilla-nspr was updated to version 4.23:

- Whitespace in C files was cleaned up and no longer uses tab characters for indenting.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:27-1
Released:    Tue Jan  7 14:47:07 2020
Summary:     Recommended update for rdma-core
Type:        recommended
Severity:    moderate
References:  1137131,1137132,1140601,1157891
Description:

This update for rdma-core fixes the following issues:

- Add Broadcom fixes for libbnxtre. (bsc#1157891)
- Disable libmlx dependencies for libibverbs on 32-bit s390x. (bsc#1140601)
- Fix baselibs configuration removing conflict with -32b and older (early rdma-core) libraries.
- Add missing Obsoletes/Conflicts/Provides to handle updates from SP2. (bsc#1137131, bsc#1137132)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:69-1
Released:    Fri Jan 10 12:33:59 2020
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1155346,1157775,1158101,1158809,CVE-2019-1551,SLE-8789
Description:

This update for openssl-1_1 fixes the following issues:

Security issue fixed:

- CVE-2019-1551: Fixed an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809).

Various FIPS related improvements were done:

- FIPS: Backport SSH KDF to openssl (jsc#SLE-8789, bsc#1157775).
- Port FIPS patches from SLE-12 (bsc#1158101).
- Use SHA-2 in the RSA pairwise consistency check (bsc#1155346).

-----------------------------------------------------------------
Advisory ID: SUSE-feature-2020:89-1
Released:    Mon Jan 13 16:07:20 2020
Summary:     Update to kubernetes 1.16, supportconfig update, and helm security fix (CVE-2019-18658)
Type:        feature
Severity:    moderate
References:  1100838,1118897,1118898,1118899,1143813,1144065,1146991,1147142,1152861,1155810,1156646
Description:

= Required Actions

== Skuba and helm update Instructions

Update skuba and helm on your management workstation as you would do with any other package.

Refer to: link:https://documentation.suse.com/sles/15-SP1/single-html/SLES-admin/#sec-zypper-softup

[WARNING]
====
When running `helm init` you may hit a link:https://bugzilla.suse.com/show_bug.cgi?id=1159047[known bug on the certificate validation]:

----
https://kubernetes-charts.storage.googleapis.com is not a valid chart repository or cannot be reached: Get https://kubernetes-charts.storage.googleapis.com/index.yaml: x509: certificate signed by unknown authority
----

In order to fix this, run:

----
sudo update-ca-certificates
----

====


After updating helm to the latest version on the management host, you also have to upgrade the helm-tiller image in the cluster by running:

----
helm init \
    --tiller-image registry.suse.com/caasp/v4/helm-tiller:2.16.1 \
    --service-account tiller --upgrade
----


== Update Your Kubernetes Manifests for Kubernetes 1.16.2

Some API resources are moved to stable, while others have been moved to different groups or deprecated.

The following will impact your deployment manifests:

*  `DaemonSet`, `Deployment`, `StatefulSet`, and `ReplicaSet` in `extensions/` (both `v1beta1` and `v1beta2`) are deprecated.  Migrate all of these objects to the `apps/v1` group instead.  Please note that `kubectl convert` can help you migrate all the necessary fields.
*  `PodSecurityPolicy` in `extensions/v1beta1` is deprecated. Migrate `PodSecurityPolicy` to the `policy/v1beta1` group.  Please note that `kubectl convert` can help you migrate all the necessary fields.
*  `NetworkPolicy` in `extensions/v1beta1` is deprecated. Migrate `NetworkPolicy` to the `networking.k8s.io/v1` group.  Please note that `kubectl convert` can help you migrate all the necessary fields.
*  `Ingress` in `extensions/v1beta1` is being phased out. Migrate to `networking.k8s.io/v1beta1` as soon as possible.  This new API does not require changes to other fields, so only the `apiVersion` path change is necessary.
*  Custom resource definitions have moved from `apiextensions.k8s.io/v1beta1` to `apiextensions.k8s.io/v1`.

Please also see https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/ for more details.
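As an added example (not code from the SUSE advisory or the CaaSP project), a small Python checker that applies the apiVersion moves listed above to a multi-document manifest and reports what it changed, so a deployment can be audited before it is applied to a 1.16.2 cluster. It also covers the `apps/v1beta1` and `apps/v1beta2` versions of the workload kinds, which 1.16 removed as well; the sample manifest at the bottom is constructed for the demonstration.

```python
"""Added example (not from the SUSE advisory or the CaaSP project): rewrite the
apiVersion of the resources listed above as deprecated in Kubernetes 1.16. Only
the top-level apiVersion line of each YAML document is touched; extra fields that
apps/v1 or apiextensions.k8s.io/v1 require still need `kubectl convert` or review."""
import re

WORKLOAD_KINDS = {"DaemonSet", "Deployment", "StatefulSet", "ReplicaSet"}

# (old apiVersion, kind) -> new apiVersion, per the list above.
EXACT_MIGRATIONS = {
    ("extensions/v1beta1", "PodSecurityPolicy"): "policy/v1beta1",
    ("extensions/v1beta1", "NetworkPolicy"): "networking.k8s.io/v1",
    ("extensions/v1beta1", "Ingress"): "networking.k8s.io/v1beta1",
    ("apiextensions.k8s.io/v1beta1", "CustomResourceDefinition"): "apiextensions.k8s.io/v1",
}

# Match only unindented (top-level) keys; quotes around the value are optional.
_API_RE = re.compile(r'^apiVersion:[ \t]*["\']?([^"\'\s]+)["\']?[ \t]*$', re.M)
_KIND_RE = re.compile(r'^kind:[ \t]*["\']?([^"\'\s]+)["\']?[ \t]*$', re.M)

def target_api_version(api_version, kind):
    """Return the 1.16 apiVersion for (api_version, kind), or None if unchanged."""
    group, _, version = api_version.partition("/")
    # Workload kinds: any pre-v1 version in extensions/ or apps/ moves to apps/v1
    # (apps/v1beta1 and apps/v1beta2 were removed in 1.16 as well).
    if kind in WORKLOAD_KINDS and group in ("extensions", "apps") and version != "v1":
        return "apps/v1"
    return EXACT_MIGRATIONS.get((api_version, kind))

def migrate_manifest(text):
    """Rewrite deprecated apiVersions; return (new_text, [(kind, old, new), ...])."""
    changes = []
    docs = re.split(r"^---[ \t]*$", text, flags=re.M)
    for i, doc in enumerate(docs):
        api, kind = _API_RE.search(doc), _KIND_RE.search(doc)
        if not (api and kind):
            continue  # not a resource document (empty or comment-only)
        new = target_api_version(api.group(1), kind.group(1))
        if new is None:
            continue
        changes.append((kind.group(1), api.group(1), new))
        docs[i] = doc[:api.start()] + "apiVersion: " + new + doc[api.end():]
    return "---".join(docs), changes

# Constructed sample (not from the advisory): two deprecated resources, one Service.
SAMPLE_MANIFEST = """\
apiVersion: extensions/v1beta1
kind: Deployment
---
apiVersion: v1
kind: Service
---
apiVersion: "extensions/v1beta1"
kind: Ingress
"""
```

Running `migrate_manifest(SAMPLE_MANIFEST)` rewrites the Deployment and the Ingress and leaves the core-group Service untouched; running it a second time on the output reports no further changes.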


= Documentation Updates

* Switched examples to use SUSE supported helm, Prometheus, nginx-ingress and Grafana charts and images
* link:{docurl}caasp-admin/single-html/_security.html#_deployment_with_a_custom_ca_certificate[Added instructions on how to replace {kube} certificates with custom CA certificate]
* link:{docurl}caasp-admin/single-html/_security.html#_replace_server_certificate_signed_by_a_trusted_ca_certificate[Added instructions to configure custom certificates for gangway and dex]
* link:{docurl}caasp-admin/single-html/_software_management.html#_installing_tiller[Added instructions for secured Tiller deployment]
* link:{docurl}caasp-deployment/single-html/#machine-id[Added notes about unique `machine-id` requirement]
* link:{docurl}caasp-deployment/single-html/#_autoyast_preparation[Added timezone configuration example for {ay}]
* link:https://github.com/SUSE/doc-caasp/pulls?q=is%3Apr+is%3Aclosed+sort%3Aupdated-desc[Various minor bugfixes and improvements]

= Known issue: skuba upgrade could not parse "Unknown" as version

Running "skuba node upgrade plan" might fail with the error "could not parse "Unknown" as version" when a worker, after running "skuba node upgrade apply", had not fully started yet.

If you are running into this issue, please add some delay after running "skuba node upgrade apply" and prior to running "skuba node upgrade plan".

This is tracked in link:https://bugzilla.suse.com/show_bug.cgi?id=1159452[bsc#1159452]
