SUSE-CU-2020:362-1: Security update of suse/sle15

sle-security-updates at lists.suse.com sle-security-updates at lists.suse.com
Thu Jul 9 11:54:19 MDT 2020 

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:362-1
Container Tags        : suse/sle15:15.0 , suse/sle15:15.0.4.22.231
Container Release     : 4.22.231
Severity              : important
Type                  : security
References            : 1082318 1090047 1103678 1107116 1107121 1111499 1130873 1130873
                        1133297 1137001 1139959 1154803 1154803 1164543 1164543 1165476
                        1165476 1165573 1165573 1166610 1166610 1167122 1167122 1168990
                        1168990 1169947 1170801 1171224 1171883 1172135 1172698 1172704
                        1172925 CVE-2018-16428 CVE-2018-16429 CVE-2019-12450 CVE-2019-13012
                        CVE-2020-8023 
-----------------------------------------------------------------

The container suse/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2780-1
Released:    Mon Nov 26 17:46:10 2018
Summary:     Security update for glib2
Type:        security
Severity:    moderate
References:  1107116,1107121,1111499,CVE-2018-16428,CVE-2018-16429
This update for glib2 fixes the following issues:

Security issues fixed:

- CVE-2018-16428: Do not do a NULL pointer dereference (crash).
  Avoid that, at the cost of introducing a new translatable error
  message (bsc#1107121).
- CVE-2018-16429: Fixed out-of-bounds read vulnerability ing_markup_parse_context_parse() (bsc#1107116).

Non-security issue fixed:

- various GVariant parsing issues have been resolved (bsc#1111499)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:251-1
Released:    Wed Feb  6 11:22:43 2019
Summary:     Recommended update for glib2
Type:        recommended
Severity:    moderate
References:  1090047
This update for glib2 provides the following fix:

- Enable systemtap. (fate#326393, bsc#1090047)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1594-1
Released:    Fri Jun 21 10:17:15 2019
Summary:     Security update for glib2
Type:        security
Severity:    important
References:  1103678,1137001,CVE-2019-12450
This update for glib2 fixes the following issues:

Security issue fixed:    

- CVE-2019-12450: Fixed an improper file permission when copy operation
  takes place (bsc#1137001).   

Other issue addressed:    

- glib2 was handling an UNKNOWN connectivity state from NetworkManager as if there
  was a connection thus giving false positives to PackageKit (bsc#1103678)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1833-1
Released:    Fri Jul 12 17:53:51 2019
Summary:     Security update for glib2
Type:        security
Severity:    moderate
References:  1139959,CVE-2019-13012
This update for glib2 fixes the following issues:

Security issue fixed:

- CVE-2019-13012: Fixed improper restriction of file permissions when creating directories (bsc#1139959).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1611-1
Released:    Fri Jun 12 09:38:03 2020
Summary:     Recommended update for libsolv, libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1130873,1154803,1164543,1165476,1165573,1166610,1167122,1168990
This update for libsolv, libzypp, zypper fixes the following issues:

libsolv was updated to 0.7.13 to fix:

- Fix solvable swapping messing up idarrays
- fix ruleinfo of complex dependencies returning the wrong origin

libzypp was updated to 17.23.4 to fix:

- Get retracted patch status from updateinfo data (jsc#SLE-8770)
  libsolv injects the indicator provides into packages only.
- remove 'using namespace std;' (bsc#1166610, fixes #218)
- Online doc: add 'Hardware (modalias) dependencies' page
  (fixes #216)
- Add HistoryLogReader actionFilter to parse only specific
  HistoryActionIDs.
- RepoVariables: Add safe guard in case the caller does not own a
  zypp instance.
- Enable c++17. Define libyzpp CXX_STANDARD in ZyppCommon.cmake.
- Fix package status computation regarding unneeded, orphaned, recommended
  and suggested packages (broken in 17.23.0) (bsc#1165476)
- Log patch status changes to history (jsc#SLE-5116)
- Allow to disable all WebServer dependent tests when building. OBS
  wants to be able to get rid of the nginx/FastCGI-devel build
  requirement. Use 'rpmbuild --without mediabackend_tests' or
  'cmake -DDISABLE_MEDIABACKEND_TESTS=1'.
- update translations
- boost: Fix deprecated auto_unit_test.hpp includes.
- Disable zchunk on Leap-15.0 and SLE15-* while there is no libzck.
- Fix decision whether to download ZCHUNK files.
  libzypp and libsolv must both be able to read the format.
- yum::Downloader: Prefer zchunk compressed metadata if libvsolv
  supports it.
- Selectable: Fix highestAvailableVersionObj if only retracted
  packages are available. Avoid using retracted items as candidate
  (jsc#SLE-8770)
- RpmDb: Become rpmdb backend independent (jsc#SLE-7272)
- RpmDb: Close API offering a custom rpmdb path
  It's actually not needed and for this to work also libsolv needs
  to support it. You can sill use a librpmDb::db_const_iterator to
  access a database at a custom location (ro).
- Remove legacy rpmV3database conversion code.
- Reformat manpages to workaround asciidoctor shortcomings
  (bsc#1154803, bsc#1167122, bsc#1168990)
- Remove undocumented rug legacy stuff.
- Remove 'using namespace std;' (bsc#1166610)
- patch table: Add 'Since' column if history data are available
  (jsc#SLE-5116)

zypper was updated to  version 1.14.36:

- Tag 'retracted' patch status in info and list-patches (jsc#SLE-8770)
- Tag 'R'etracted items in search tabes status columns (jsc#SLE-8770)
- Relax 'Do not allow the abbreviation of cli arguments' in
  legacy distibutions (bsc#1164543)
- Correctly detect ambigous switch abbreviations (bsc#1165573)
- zypper-aptitude: don't supplement zypper.
  supplementing zypper means zypper-aptitude gets installed by
  default and pulls in perl. Neither is desired on small systems.
- Do not allow the abbreviation of cli arguments (bsc#1164543)
- accoring to according in all translation files.
- Always show exception history if available.
- Use default package cache location for temporary repos (bsc#1130873)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1396-1
Released:    Fri Jul  3 12:33:05 2020
Summary:     Security update for zstd
Type:        security
Severity:    moderate
References:  1082318,1133297
This update for zstd fixes the following issues:

- Fix for build error caused by wrong static libraries. (bsc#1133297)
- Correction in spec file marking the license as documentation. (bsc#1082318)
- Add new package for SLE-15. (jsc#ECO-1886)
  
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1856-1
Released:    Mon Jul  6 17:05:51 2020
Summary:     Security update for openldap2
Type:        security
Severity:    important
References:  1172698,1172704,CVE-2020-8023
This update for openldap2 fixes the following issues:

- CVE-2020-8023: Fixed a potential local privilege escalation from ldap to root when OPENLDAP_CONFIG_BACKEND='ldap' was used (bsc#1172698).	  
- Changed DB_CONFIG to root:ldap permissions (bsc#1172704).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1858-1
Released:    Mon Jul  6 17:08:06 2020
Summary:     Security update for permissions
Type:        security
Severity:    moderate
References:  1171883
This update for permissions fixes the following issues:

- Removed conflicting entries which might expose pcp to security issues (bsc#1171883) 	  

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1869-1
Released:    Tue Jul  7 15:08:12 2020
Summary:     Recommended update for libsolv, libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1130873,1154803,1164543,1165476,1165573,1166610,1167122,1168990,1169947,1170801,1171224,1172135,1172925
This update for libsolv, libzypp, zypper fixes the following issues:

libsolv was updated to 0.7.14:

- Enable zstd compression support
- Support blacklisted packages in solver_findproblemrule()
  (bnc#1172135)
- Support rules with multiple negative literals in choice rule
  generation
- Fix solvable swapping messing up idarrays
- fix ruleinfo of complex dependencies returning the wrong origin

libzypp was updated to 17.23.7:

- Enable zchunk metadata download if libsolv supports it.
- Older kernel-devel packages are not properly purged (bsc#1171224)
- doc: enhance service plugin example.
- Get retracted patch status from updateinfo data (jsc#SLE-8770)
  libsolv injects the indicator provides into packages only.
- remove 'using namespace std;' (bsc#1166610, fixes #218)
- Online doc: add 'Hardware (modalias) dependencies' page
  (fixes #216)
- Add HistoryLogReader actionFilter to parse only specific
  HistoryActionIDs.
- RepoVariables: Add safe guard in case the caller does not own a
  zypp instance.
- Enable c++17. Define libyzpp CXX_STANDARD in ZyppCommon.cmake.
- Fix package status computation regarding unneeded, orphaned, recommended
  and suggested packages (broken in 17.23.0) (bsc#1165476)
- Log patch status changes to history (jsc#SLE-5116)
- Allow to disable all WebServer dependent tests when building. OBS
  wants to be able to get rid of the nginx/FastCGI-devel build
  requirement. Use 'rpmbuild --without mediabackend_tests' or
  'cmake -DDISABLE_MEDIABACKEND_TESTS=1'.
- boost: Fix deprecated auto_unit_test.hpp includes.
- Disable zchunk on Leap-15.0 and SLE15-* while there is no libzck.
- Fix decision whether to download ZCHUNK files.
  libzypp and libsolv must both be able to read the format.
- yum::Downloader: Prefer zchunk compressed metadata if libvsolv
  supports it.
- Selectable: Fix highestAvailableVersionObj if only retracted
  packages are available. Avoid using retracted items as candidate
  (jsc#SLE-8770)
- RpmDb: Become rpmdb backend independent (jsc#SLE-7272)
- RpmDb: Close API offering a custom rpmdb path
  It's actually not needed and for this to work also libsolv needs
  to support it. You can sill use a librpmDb::db_const_iterator to
  access a database at a custom location (ro).
- Remove legacy rpmV3database conversion code.
- Fix core dump with corrupted history file (bsc#1170801)

zypper was updated to 1.14.37:

- Reformat manpages to workaround asciidoctor shortcomings
  (bsc#1154803, bsc#1167122, bsc#1168990)
- Remove undocumented rug legacy stuff.
- Remove 'using namespace std;' (bsc#1166610)
- patch table: Add 'Since' column if history data are available
  (jsc#SLE-5116)
- Tag 'retracted' patch status in info and list-patches (jsc#SLE-8770)
- Tag 'R'etracted items in search tabes status columns (jsc#SLE-8770)
- Relax 'Do not allow the abbreviation of cli arguments' in
  legacy distibutions (bsc#1164543)
- Correctly detect ambigous switch abbreviations (bsc#1165573)
- zypper-aptitude: don't supplement zypper.
  supplementing zypper means zypper-aptitude gets installed by
  default and pulls in perl. Neither is desired on small systems.
- Do not allow the abbreviation of cli arguments (bsc#1164543)
- accoring to according in all translation files.
- Always show exception history if available.
- Use default package cache location for temporary repos (bsc#1130873)
- Print switch abbrev warning to stderr (bsc#1172925)
- Fix typo in man page (bsc#1169947)

More information about the sle-security-updates mailing list