SUSE-CU-2020:200-1: Security update of caasp/v4/cilium-operator
sle-security-updates at lists.suse.com
sle-security-updates at lists.suse.com
Tue Jun 16 11:32:06 MDT 2020
SUSE Container Update Advisory: caasp/v4/cilium-operator
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:200-1
Container Tags : caasp/v4/cilium-operator:1.6.6 , caasp/v4/cilium-operator:1.6.6-rev3 , caasp/v4/cilium-operator:1.6.6-rev3-build3.5.1
Container Release : 3.5.1
Severity : important
Type : security
References : 1007715 1013125 1041090 1047218 1048688 1049825 1051143 1073313
1081947 1081947 1082293 1084671 1084934 1085196 1086909 1087982
1092100 1092920 1093414 1094448 1095603 1102840 1102920 1103320
1106214 1106383 1110797 1111388 1114592 1114845 1116995 1120629
1120630 1120631 1121197 1121353 1121753 1122417 1123919 1125689
1125886 1127155 1127608 1127701 1129568 1130306 1131113 1131823
1133495 1133773 1134226 1135114 1135254 1135534 1135708 1135749
1137977 1138793 1138869 1138908 1139459 1139459 1139795 1139939
1140039 1140631 1141113 1141897 1142649 1142654 1143055 1143194
1143273 1144047 1144068 1144169 1145023 1145521 1145554 1145716
1146027 1146182 1146184 1146415 1146415 1146866 1146947 1148517
1148788 1148987 1149145 1149332 1149495 1149496 1149511 1149995
1150003 1150137 1150250 1150595 1150734 1151023 1151023 1151377
1151582 1151876 1152101 1152590 1152692 1152755 1153351 1153557
1153936 1154019 1154036 1154037 1154256 1154295 1154661 1154804
1154805 1154871 1154884 1154887 1155198 1155199 1155205 1155207
1155271 1155298 1155327 1155337 1155338 1155339 1155346 1155574
1155678 1155819 1156158 1156213 1156300 1156450 1156482 1157198
1157278 1157292 1157377 1157775 1157794 1157893 1158095 1158095
1158101 1158485 1158763 1158809 1158830 1158921 1158996 1159002
1159003 1159003 1159004 1159314 1159539 1159814 1159928 1160039
1160160 1160571 1160594 1160595 1160735 1160764 1160970 1160979
1161215 1161216 1161218 1161219 1161220 1161262 1161436 1161517
1161521 1161779 1161816 1162108 1162108 1162152 1162518 1162651
1162930 1163184 1163922 1164505 1164562 1164717 1164950 1164950
1165011 1165539 1165579 1165784 1166106 1166260 1166481 1166510
1166510 1166748 1166881 1167073 1167163 1167223 1167631 1167674
1167898 1168076 1168345 1168364 1168699 1168835 1169506 1169512
1169569 1169944 1169992 1170527 1170771 1171173 1171422 1171872
1172021 353876 859480 CVE-2017-17740 CVE-2018-1122 CVE-2018-1123
CVE-2018-1124 CVE-2018-1125 CVE-2018-1126 CVE-2018-20532 CVE-2018-20533
CVE-2018-20534 CVE-2019-12290 CVE-2019-13057 CVE-2019-13565 CVE-2019-13627
CVE-2019-14250 CVE-2019-14866 CVE-2019-14889 CVE-2019-14889 CVE-2019-1547
CVE-2019-1551 CVE-2019-1563 CVE-2019-15847 CVE-2019-16168 CVE-2019-17543
CVE-2019-17594 CVE-2019-17595 CVE-2019-18218 CVE-2019-18224 CVE-2019-18801
CVE-2019-18802 CVE-2019-18802 CVE-2019-18836 CVE-2019-18838 CVE-2019-18900
CVE-2019-19126 CVE-2019-19956 CVE-2019-19956 CVE-2019-20386 CVE-2019-20388
CVE-2019-3687 CVE-2019-3688 CVE-2019-3690 CVE-2019-5094 CVE-2019-5188
CVE-2019-5481 CVE-2019-5482 CVE-2019-9511 CVE-2019-9513 CVE-2020-10029
CVE-2020-11501 CVE-2020-12243 CVE-2020-1712 CVE-2020-1712 CVE-2020-1730
CVE-2020-1752 CVE-2020-7595 CVE-2020-8013 SLE-6533 SLE-6536 SLE-7687
SLE-8789 SLE-9132 SLE-9171
-----------------------------------------------------------------
The container caasp/v4/cilium-operator was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2241-1
Released: Wed Aug 28 14:58:49 2019
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1144169
This update for ca-certificates-mozilla fixes the following issues:
ca-certificates-mozillawas updated to 2.34 state of the Mozilla NSS Certificate store (bsc#1144169)
Removed CAs:
- Certinomis - Root CA
Includes new root CAs from the 2.32 version:
- emSign ECC Root CA - C3 (email and server auth)
- emSign ECC Root CA - G3 (email and server auth)
- emSign Root CA - C1 (email and server auth)
- emSign Root CA - G1 (email and server auth)
- Hongkong Post Root CA 3 (server auth)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2307-1
Released: Thu Sep 5 14:45:08 2019
Summary: Security update for util-linux and shadow
Type: security
Severity: moderate
References: 1081947,1082293,1085196,1106214,1121197,1122417,1125886,1127701,1135534,1135708,1141113,353876
This update for util-linux and shadow fixes the following issues:
util-linux:
- Fixed an issue where PATH settings in /etc/default/su being ignored (bsc#1121197)
- Prevent outdated pam files (bsc#1082293).
- De-duplicate fstrim -A properly (bsc#1127701).
- Do not trim read-only volumes (bsc#1106214).
- Integrate pam_keyinit pam module to login (bsc#1081947).
- Perform one-time reset of /etc/default/su (bsc#1121197).
- Fix problems in reading of login.defs values (bsc#1121197)
- libmount: To prevent incorrect behavior, recognize more pseudofs and netfs (bsc#1122417).
- raw.service: Add RemainAfterExit=yes (bsc#1135534).
- agetty: Return previous response of agetty for special characters (bsc#1085196, bsc#1125886)
- libmount: print a blacklist hint for 'unknown filesystem type' (jsc#SUSE-4085, fate#326832)
- Fix /etc/default/su comments and create /etc/default/runuser (bsc#1121197).
shadow:
- Fixed an issue where PATH settings in /etc/default/su being ignored (bsc#1121197)
- Fix segfault in useradd during setting password inactivity period. (bsc#1141113)
- Hardening for su wrappers (bsc#353876)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2361-1
Released: Thu Sep 12 07:54:54 2019
Summary: Recommended update for krb5
Type: recommended
Severity: moderate
References: 1081947,1144047
This update for krb5 contains the following fixes:
- Integrate pam_keyinit PAM module, ksu-pam.d. (bsc#1081947)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2373-1
Released: Thu Sep 12 14:18:53 2019
Summary: Security update for curl
Type: security
Severity: important
References: 1149495,1149496,CVE-2019-5481,CVE-2019-5482
This update for curl fixes the following issues:
Security issues fixed:
- CVE-2019-5481: Fixed FTP-KRB double-free during kerberos FTP data transfer (bsc#1149495).
- CVE-2019-5482: Fixed TFTP small blocksize heap buffer overflow (bsc#1149496).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2395-1
Released: Wed Sep 18 08:31:38 2019
Summary: Security update for openldap2
Type: security
Severity: moderate
References: 1073313,1111388,1114845,1143194,1143273,CVE-2017-17740,CVE-2019-13057,CVE-2019-13565
This update for openldap2 fixes the following issues:
Security issue fixed:
- CVE-2019-13565: Fixed an authentication bypass when using SASL authentication and session encryption (bsc#1143194).
- CVE-2019-13057: Fixed an issue with delegated database admin privileges (bsc#1143273).
- CVE-2017-17740: When both the nops module and the member of overlay
are enabled, attempts to free a buffer that was allocated on the stack,
which allows remote attackers to cause a denial of service (slapd crash)
via a member MODDN operation. (bsc#1073313)
Non-security issues fixed:
- Fixed broken shebang line in openldap_update_modules_path.sh (bsc#1114845).
- Create files in /var/lib/ldap/ during initial start to allow for transactional updates (bsc#1111388)
- Fixed incorrect post script call causing tmpfiles creation not to be run (bsc#1111388).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2403-1
Released: Wed Sep 18 16:14:29 2019
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1150003,1150250,CVE-2019-1547,CVE-2019-1563
This update for openssl-1_1 fixes the following issues:
OpenSSL Security Advisory [10 September 2019]
* CVE-2019-1547: Added EC_GROUP_set_generator side channel attack avoidance. (bsc#1150003)
* CVE-2019-1563: Fixed Bleichenbacher attack against cms/pkcs7 encryption transported key (bsc#1150250)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2423-1
Released: Fri Sep 20 16:41:45 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1146866,SLE-9132
This update for aaa_base fixes the following issues:
Added sysctl.d/51-network.conf to tighten network security (bsc#1146866) (jira#SLE-9132)
Following settings have been tightened (and set to 0):
- net.ipv4.conf.all.accept_redirects
- net.ipv4.conf.default.accept_redirects
- net.ipv4.conf.default.accept_source_route
- net.ipv6.conf.all.accept_redirects
- net.ipv6.conf.default.accept_redirects
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2533-1
Released: Thu Oct 3 15:02:50 2019
Summary: Security update for sqlite3
Type: security
Severity: moderate
References: 1150137,CVE-2019-16168
This update for sqlite3 fixes the following issues:
Security issue fixed:
- CVE-2019-16168: Fixed improper validation of sqlite_stat1 field that could lead to denial of service (bsc#1150137).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2626-1
Released: Thu Oct 10 17:22:35 2019
Summary: Recommended update for permissions
Type: recommended
Severity: moderate
References: 1110797
This update for permissions fixes the following issues:
- Updated permissons for amanda. (bsc#1110797)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2676-1
Released: Tue Oct 15 21:06:54 2019
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 1145716,1152101,CVE-2019-5094
This update for e2fsprogs fixes the following issues:
Security issue fixed:
- CVE-2019-5094: Fixed an arbitrary code execution via specially crafted ext4 file systems. (bsc#1152101)
Non-security issue fixed:
- libext2fs: Call fsync(2) to clear stale errors for a new a unix I/O channel. (bsc#1145716)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2730-1
Released: Mon Oct 21 16:04:57 2019
Summary: Security update for procps
Type: security
Severity: important
References: 1092100,1121753,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126
This update for procps fixes the following issues:
procps was updated to 3.3.15. (bsc#1092100)
Following security issues were fixed:
- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top
with HOME unset in an attacker-controlled directory, the attacker could have
achieved privilege escalation by exploiting one of several vulnerabilities in
the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow.
Inbuilt protection in ps maped a guard page at the end of the overflowed
buffer, ensuring that the impact of this flaw is limited to a crash (temporary
denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap
corruption in file2strvec function. This allowed a privilege escalation for a
local attacker who can create entries in procfs by starting processes, which
could result in crashes or arbitrary code execution in proc utilities run by
other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was
mitigated by FORTIFY limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent
truncation/integer overflow issues (bsc#1092100).
Also this non-security issue was fixed:
- Fix CPU summary showing old data. (bsc#1121753)
The update to 3.3.15 contains the following fixes:
* library: Increment to 8:0:1
No removals, no new functions
Changes: slab and pid structures
* library: Just check for SIGLOST and don't delete it
* library: Fix integer overflow and LPE in file2strvec CVE-2018-1124
* library: Use size_t for alloc functions CVE-2018-1126
* library: Increase comm size to 64
* pgrep: Fix stack-based buffer overflow CVE-2018-1125
* pgrep: Remove >15 warning as comm can be longer
* ps: Fix buffer overflow in output buffer, causing DOS CVE-2018-1123
* ps: Increase command name selection field to 64
* top: Don't use cwd for location of config CVE-2018-1122
* update translations
* library: build on non-glibc systems
* free: fix scaling on 32-bit systems
* Revert 'Support running with child namespaces'
* library: Increment to 7:0:1
No changes, no removals
New fuctions: numa_init, numa_max_node, numa_node_of_cpu, numa_uninit, xalloc_err_handler
* doc: Document I idle state in ps.1 and top.1
* free: fix some of the SI multiples
* kill: -l space between name parses correctly
* library: dont use vm_min_free on non Linux
* library: don't strip off wchan prefixes (ps & top)
* pgrep: warn about 15+ char name only if -f not used
* pgrep/pkill: only match in same namespace by default
* pidof: specify separator between pids
* pkill: Return 0 only if we can kill process
* pmap: fix duplicate output line under '-x' option
* ps: avoid eip/esp address truncations
* ps: recognizes SCHED_DEADLINE as valid CPU scheduler
* ps: display NUMA node under which a thread ran
* ps: Add seconds display for cputime and time
* ps: Add LUID field
* sysctl: Permit empty string for value
* sysctl: Don't segv when file not available
* sysctl: Read and write large buffers
* top: add config file support for XDG specification
* top: eliminated minor libnuma memory leak
* top: show fewer memory decimal places (configurable)
* top: provide command line switch for memory scaling
* top: provide command line switch for CPU States
* top: provides more accurate cpu usage at startup
* top: display NUMA node under which a thread ran
* top: fix argument parsing quirk resulting in SEGV
* top: delay interval accepts non-locale radix point
* top: address a wishlist man page NLS suggestion
* top: fix potential distortion in 'Mem' graph display
* top: provide proper multi-byte string handling
* top: startup defaults are fully customizable
* watch: define HOST_NAME_MAX where not defined
* vmstat: Fix alignment for disk partition format
* watch: Support ANSI 39,49 reset sequences
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2742-1
Released: Tue Oct 22 15:40:16 2019
Summary: Recommended update for libzypp, zypper, libsolv and PackageKit
Type: recommended
Severity: important
References: 1049825,1116995,1120629,1120630,1120631,1127155,1127608,1130306,1131113,1131823,1134226,1135749,1137977,1139795,1140039,1145521,1146027,1146415,1146947,1153557,859480,CVE-2018-20532,CVE-2018-20533,CVE-2018-20534
This update for libzypp, zypper, libsolv and PackageKit fixes the following issues:
Security issues fixed in libsolv:
- CVE-2018-20532: Fixed NULL pointer dereference at ext/testcase.c (function testcase_read) (bsc#1120629).
- CVE-2018-20533: Fixed NULL pointer dereference at ext/testcase.c (function testcase_str2dep_complex) in libsolvext.a (bsc#1120630).
- CVE-2018-20534: Fixed illegal address access at src/pool.h (function pool_whatprovides) in libsolv.a (bsc#1120631).
Other issues addressed in libsolv:
- Fixed an issue where libsolv failed to build against swig 4.0 by updating the version to 0.7.5 (bsc#1135749).
- Fixed an issue with the package name (bsc#1131823).
- repo_add_rpmdb: do not copy bad solvables from the old solv file
- Fixed an issue with cleandeps updates in which all packages were not updated
- Experimental DISTTYPE_CONDA and REL_CONDA support
- Fixed cleandeps jobs when using patterns (bsc#1137977)
- Fixed favorq leaking between solver runs if the solver is reused
- Fixed SOLVER_FLAG_FOCUS_BEST updateing packages without reason
- Be more correct with multiversion packages that obsolete their own name (bnc#1127155)
- Fix repository priority handling for multiversion packages
- Make code compatible with swig 4.0, remove obj0 instances
- repo2solv: support zchunk compressed data
- Remove NO_BRP_STRIP_DEBUG=true as brp-15-strip-debug will
not strip debug info for archives
Issues fixed in libzypp:
- Fix empty metalink downloads if filesize is unknown (bsc#1153557)
- Recognize riscv64 as architecture
- Fix installation of new header file (fixes #185)
- zypp.conf: Introduce `solver.focus` to define the resolvers general
attitude when resolving jobs. (bsc#1146415)
- New container detection algorithm for zypper ps (bsc#1146947)
- Fix leaking filedescriptors in MediaCurl. (bsc#1116995)
- Run file conflict check on dry-run. (bsc#1140039)
- Do not remove orphan products if the .prod file is owned by
a package. (bsc#1139795)
- Rephrase file conflict check summary. (bsc#1140039)
- Fix bash completions option detection. (bsc#1049825)
- Fixes a bug where zypper exited on SIGPIPE when downloading packages (bsc#1145521)
- Fixes an issue where zypper exited with a segmentation fault when updating via YaST2 (bsc#1146027)
- PublicKey::algoName: supply key algorithm and length
Issues fixed in zypper:
- Update to version 1.14.30
- Ignore SIGPIPE while STDOUT/STDERR are OK (bsc#1145521)
- Dump stacktrace on SIGPIPE (bsc#1145521)
- info: The requested info must be shown in QUIET mode (fixes #287)
- Fix local/remote url classification.
- Rephrase file conflict check summary (bsc#1140039)
- Fix bash completions option detection (bsc#1049825)
- man: split '--with[out]' like options to ease searching.
- Unhided 'ps' command in help
- Added option to show more conflict information
- Rephrased `zypper ps` hint (bsc#859480)
- Fixed repo refresh not returning 106-ZYPPER_EXIT_INF_REPOS_SKIPPED
if --root is used (bsc#1134226)
- Fixed unknown package handling in zypper install (bsc#1127608)
- Re-show progress bar after pressing retry upon install error (bsc#1131113)
Issues fixed in PackageKit:
- Port the cron configuration variables to the systemd timer script, and add -sendwait
parameter to mail in the script(bsc#1130306).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2757-1
Released: Wed Oct 23 17:21:17 2019
Summary: Security update for lz4
Type: security
Severity: moderate
References: 1153936,CVE-2019-17543
This update for lz4 fixes the following issues:
- CVE-2019-17543: Fixed a heap-based buffer overflow in LZ4_write32 (bsc#1153936).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2812-1
Released: Tue Oct 29 14:57:55 2019
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1139459,1140631,1145023,1150595,SLE-7687
This update for systemd provides the following fixes:
- Fix a problem that would cause invoking try-restart to an inactive service to hang when
a daemon-reload is invoked before the try-restart returned. (bsc#1139459)
- man: Add a note about _netdev usage.
- units: Replace remote-cryptsetup-pre.target with remote-fs-pre.target.
- units: Add [Install] section to remote-cryptsetup.target.
- cryptsetup: Ignore _netdev, since it is used in generator.
- cryptsetup-generator: Use remote-cryptsetup.target when _netdev is present. (jsc#SLE-7687)
- cryptsetup-generator: Add a helper utility to create symlinks.
- units: Add remote-cryptsetup.target and remote-cryptsetup-pre.target.
- man: Add an explicit description of _netdev to systemd.mount(5).
- man: Order fields alphabetically in crypttab(5).
- man: Make crypttab(5) a bit easier to read.
- units: Order cryptsetup-pre.target before cryptsetup.target.
- Fix reporting of enabled-runtime units.
- sd-bus: Deal with cookie overruns. (bsc#1150595)
- rules: Add by-id symlinks for persistent memory. (bsc#1140631)
- Buildrequire polkit so /usr/share/polkit-1/rules.d subdir can be only owned by polkit.
(bsc#1145023)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2870-1
Released: Thu Oct 31 08:09:14 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1051143,1138869,1151023
This update for aaa_base provides the following fixes:
- Check if variables can be set before modifying them to avoid warnings on login with a
restricted shell. (bsc#1138869)
- Add s390x compressed kernel support. (bsc#1151023)
- service: Check if there is a second argument before using it. (bsc#1051143)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2418-1
Released: Thu Nov 14 11:53:03 2019
Summary: Recommended update for bash
Type: recommended
Severity: moderate
References: 1133773,1143055
This update for bash fixes the following issues:
- Rework patch readline-7.0-screen (bsc#1143055):
map all 'screen(-xxx)?.yyy(-zzz)?' to 'screen' as well as
map 'konsole(-xxx)?' and 'gnome(-xxx)?' to 'xterm'
- Add a backport from bash 5.0 to perform better with large numbers of sub processes. (bsc#1133773)
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2019:2980-1
Released: Thu Nov 14 22:45:33 2019
Summary: Optional update for curl
Type: optional
Severity: low
References: 1154019
This update for curl doesn't address any user visible issues.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2997-1
Released: Mon Nov 18 15:16:38 2019
Summary: Security update for ncurses
Type: security
Severity: moderate
References: 1103320,1154036,1154037,CVE-2019-17594,CVE-2019-17595
This update for ncurses fixes the following issues:
Security issues fixed:
- CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036).
- CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037).
Non-security issue fixed:
- Removed screen.xterm from terminfo database (bsc#1103320).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3010-1
Released: Tue Nov 19 18:10:58 2019
Summary: Recommended update for zypper and libsolv
Type: recommended
Severity: moderate
References: 1145554,1146415,1149511,1153351,SLE-9171
This update for zypper and libsolv fixes the following issues:
Package: zypper
- Improved the documentation of $releasever and --releasever usescases (bsc#1149511)
- zypper will now ask only once when multiple packages share the same license text (bsc#1145554)
- Added a new 'solver.focus' option for /etc/zypp/zypp.conf to define systemwide focus
mode when resolving jobs (bsc#1146415)
- Fixes an issue where 'zypper lu' didn't list all available package updates (bsc#1153351)
- Added a new --repo option to the 'download' command to allow to specify a repository (jsc#SLE-9171)
Package: libsolv
- Fixes issues when updating too many packages in focusbest mode
- Fixes the handling of disabled and installed packages in distupgrade
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3059-1
Released: Mon Nov 25 17:33:07 2019
Summary: Security update for cpio
Type: security
Severity: moderate
References: 1155199,CVE-2019-14866
This update for cpio fixes the following issues:
- CVE-2019-14866: Fixed an improper validation of the values written
in the header of a TAR file through the to_oct() function which could
have led to unexpected TAR generation (bsc#1155199).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3061-1
Released: Mon Nov 25 17:34:22 2019
Summary: Security update for gcc9
Type: security
Severity: moderate
References: 1114592,1135254,1141897,1142649,1142654,1148517,1149145,CVE-2019-14250,CVE-2019-15847,SLE-6533,SLE-6536
This update includes the GNU Compiler Collection 9.
A full changelog is provided by the GCC team on:
https://www.gnu.org/software/gcc/gcc-9/changes.html
The base system compiler libraries libgcc_s1, libstdc++6 and others are
now built by the gcc 9 packages.
To use it, install 'gcc9' or 'gcc9-c++' or other compiler brands and use CC=gcc-9 /
CXX=g++-9 during configuration for using it.
Security issues fixed:
- CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145)
- CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649)
Non-security issues fixed:
- Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254)
- Fixed miscompilation for vector shift on s390. (bsc#1141897)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3070-1
Released: Tue Nov 26 12:39:29 2019
Summary: Recommended update for gpg2
Type: recommended
Severity: low
References: 1152755
This update for gpg2 provides the following fix:
- Remove a build requirement on self. This is causing Leap 15.2 bootstrap to fail. (bsc#1152755)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3086-1
Released: Thu Nov 28 10:02:24 2019
Summary: Security update for libidn2
Type: security
Severity: moderate
References: 1154884,1154887,CVE-2019-12290,CVE-2019-18224
This update for libidn2 to version 2.2.0 fixes the following issues:
- CVE-2019-12290: Fixed an improper round-trip check when converting A-labels to U-labels (bsc#1154884).
- CVE-2019-18224: Fixed a heap-based buffer overflow that was caused by long domain strings (bsc#1154887).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3087-1
Released: Thu Nov 28 10:03:00 2019
Summary: Security update for libxml2
Type: security
Severity: low
References: 1123919
This update for libxml2 doesn't fix any additional security issues, but correct its rpm changelog to reflect
all CVEs that have been fixed over the past.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3118-1
Released: Fri Nov 29 14:41:35 2019
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 1154295
This update for e2fsprogs fixes the following issues:
- Make minimum size estimates more reliable for mounted filesystem. (bsc#1154295)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3166-1
Released: Wed Dec 4 11:24:42 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1007715,1084934,1157278
This update for aaa_base fixes the following issues:
- Use official key binding functions in inputrc that is replace up-history with previous-history, down-history with next-history and backward-delete-word with backward-kill-word. (bsc#1084934)
- Add some missed key escape sequences for urxvt-unicode terminal as well. (bsc#1007715)
- Clear broken ghost entry in patch which breaks 'readline'. (bsc#1157278)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3181-1
Released: Thu Dec 5 11:43:07 2019
Summary: Security update for permissions
Type: security
Severity: moderate
References: 1093414,1150734,1157198,CVE-2019-3688,CVE-2019-3690
This update for permissions fixes the following issues:
- CVE-2019-3688: Changed wrong ownership in /usr/sbin/pinger to root:squid
which could have allowed a squid user to gain persistence by changing the
binary (bsc#1093414).
- CVE-2019-3690: Fixed a privilege escalation through untrusted symbolic
links (bsc#1150734).
- Fixed a regression which caused sagmentation fault (bsc#1157198).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3240-1
Released: Tue Dec 10 10:40:19 2019
Summary: Recommended update for ca-certificates-mozilla, p11-kit
Type: recommended
Severity: moderate
References: 1154871
This update for ca-certificates-mozilla, p11-kit fixes the following issues:
Changes in ca-certificates-mozilla:
- export correct p11kit trust attributes so Firefox detects built in
certificates (bsc#1154871).
Changes in p11-kit:
- support loading NSS attribute CKA_NSS_MOZILLA_CA_POLICY so Firefox
detects built in certificates (bsc#1154871)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3267-1
Released: Wed Dec 11 11:19:53 2019
Summary: Security update for libssh
Type: security
Severity: important
References: 1158095,CVE-2019-14889
This update for libssh fixes the following issues:
- CVE-2019-14889: Fixed an arbitrary command execution (bsc#1158095).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3392-1
Released: Fri Dec 27 13:33:29 2019
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 1148987,1155338,1155339,CVE-2019-13627
This update for libgcrypt fixes the following issues:
Security issues fixed:
- CVE-2019-13627: Mitigation against an ECDSA timing attack (bsc#1148987).
Bug fixes:
- Added CMAC AES self test (bsc#1155339).
- Added CMAC TDES self test missing (bsc#1155338).
- Fix test dsa-rfc6979 in FIPS mode.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:69-1
Released: Fri Jan 10 12:33:59 2020
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1155346,1157775,1158101,1158809,CVE-2019-1551,SLE-8789
This update for openssl-1_1 fixes the following issues:
Security issue fixed:
- CVE-2019-1551: Fixed an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809).
Various FIPS related improvements were done:
- FIPS: Backport SSH KDF to openssl (jsc#SLE-8789, bsc#1157775).
- Port FIPS patches from SLE-12 (bsc#1158101).
- Use SHA-2 in the RSA pairwise consistency check (bsc#1155346).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:129-1
Released: Mon Jan 20 09:21:13 2020
Summary: Security update for libssh
Type: security
Severity: important
References: 1158095,CVE-2019-14889
This update for libssh fixes the following issues:
- CVE-2019-14889: Fixed an unwanted command execution in scp caused by unsanitized location (bsc#1158095).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:225-1
Released: Fri Jan 24 06:49:07 2020
Summary: Recommended update for procps
Type: recommended
Severity: moderate
References: 1158830
This update for procps fixes the following issues:
- Fix for 'ps -C' allowing to accept any arguments longer than 15 characters anymore. (bsc#1158830)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:256-1
Released: Wed Jan 29 09:39:17 2020
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1157794,1160970
This update for aaa_base fixes the following issues:
- Improves the way how the Java path is created to fix an issue with sapjvm. (bsc#1157794)
- Drop 'dev.cdrom.autoclose' = 0 from sysctl config. (bsc#1160970)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:262-1
Released: Thu Jan 30 11:02:42 2020
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1149332,1151582,1157292,1157893,1158996,CVE-2019-19126
This update for glibc fixes the following issues:
Security issue fixed:
- CVE-2019-19126: Fixed to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition (bsc#1157292).
Bug fixes:
- Fixed z15 (s390x) strstr implementation that can return incorrect results if search string cross page boundary (bsc#1157893).
- Fixed Hardware support in toolchain (bsc#1151582).
- Fixed syscalls during early process initialization (SLE-8348).
- Fixed an array overflow in backtrace for PowerPC (bsc#1158996).
- Moved to posix_spawn on popen (bsc#1149332).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:265-1
Released: Thu Jan 30 14:05:34 2020
Summary: Security update for e2fsprogs
Type: security
Severity: moderate
References: 1160571,CVE-2019-5188
This update for e2fsprogs fixes the following issues:
- CVE-2019-5188: Fixed a code execution vulnerability in the directory rehashing functionality (bsc#1160571).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:279-1
Released: Fri Jan 31 12:01:39 2020
Summary: Recommended update for p11-kit
Type: recommended
Severity: moderate
References: 1013125
This update for p11-kit fixes the following issues:
- Also build documentation (bsc#1013125)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:335-1
Released: Thu Feb 6 11:37:24 2020
Summary: Security update for systemd
Type: security
Severity: important
References: 1084671,1092920,1106383,1133495,1151377,1154256,1155207,1155574,1156213,1156482,1158485,1159814,1161436,1162108,CVE-2019-20386,CVE-2020-1712
This update for systemd fixes the following issues:
- CVE-2020-1712 (bsc#bsc#1162108)
Fix a heap use-after-free vulnerability, when asynchronous
Polkit queries were performed while handling Dbus messages. A local
unprivileged attacker could have abused this flaw to crash systemd services or
potentially execute code and elevate their privileges, by sending specially
crafted Dbus messages.
- Use suse.pool.ntp.org server pool on SLE distros (jsc#SLE-7683)
- libblkid: open device in nonblock mode. (bsc#1084671)
- udev/cdrom_id: Do not open CD-rom in exclusive mode. (bsc#1154256)
- bus_open leak sd_event_source when udevadm triggerã (bsc#1161436 CVE-2019-20386)
- fileio: introduce read_full_virtual_file() for reading virtual files in sysfs, procfs (bsc#1133495 bsc#1159814)
- fileio: initialize errno to zero before we do fread()
- fileio: try to read one byte too much in read_full_stream()
- logind: consider 'greeter' sessions suitable as 'display' sessions of a user (bsc#1158485)
- logind: never elect a session that is stopping as display
- journal: include kmsg lines from the systemd process which exec()d us (#8078)
- udevd: don't use monitor after manager_exit()
- udevd: capitalize log messages in on_sigchld()
- udevd: merge conditions to decrease indentation
- Revert 'udevd: fix crash when workers time out after exit is signal caught'
- core: fragments of masked units ought not be considered for NeedDaemonReload (#7060) (bsc#1156482)
- udevd: fix crash when workers time out after exit is signal caught
- udevd: wait for workers to finish when exiting (bsc#1106383)
- Improve bash completion support (bsc#1155207)
* shell-completion: systemctl: do not list template units in {re,}start
* shell-completion: systemctl: pass current word to all list_unit*
* bash-completion: systemctl: pass current partial unit to list-unit* (bsc#1155207)
* bash-completion: systemctl: use systemctl --no-pager
* bash-completion: also suggest template unit files
* bash-completion: systemctl: add missing options and verbs
* bash-completion: use the first argument instead of the global variable (#6457)
- networkd: VXLan Make group and remote variable separate (bsc#1156213)
- networkd: vxlan require Remote= to be a non multicast address (#8117) (bsc#1156213)
- fs-util: let's avoid unnecessary strerror()
- fs-util: introduce inotify_add_watch_and_warn() helper
- ask-password: improve log message when inotify limit is reached (bsc#1155574)
- shared/install: failing with -ELOOP can be due to the use of an alias in install_error() (bsc#1151377)
- man: alias names can't be used with enable command (bsc#1151377)
- Add boot option to not use swap at system start (jsc#SLE-7689)
- Allow YaST to select Iranian (Persian, Farsi) keyboard layout
(bsc#1092920)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:339-1
Released: Thu Feb 6 13:03:22 2020
Summary: Recommended update for openldap2
Type: recommended
Severity: low
References: 1158921
This update for openldap2 provides the following fix:
- Add libldap-data to the product (as it contains ldap.conf). (bsc#1158921)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:432-1
Released: Fri Feb 21 14:34:16 2020
Summary: Security update for libsolv, libzypp, zypper
Type: security
Severity: moderate
References: 1135114,1154804,1154805,1155198,1155205,1155298,1155678,1155819,1156158,1157377,1158763,CVE-2019-18900
This update for libsolv, libzypp, zypper fixes the following issues:
Security issue fixed:
- CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763).
Bug fixes
- Fixed removing orphaned packages dropped by to-be-installed products (bsc#1155819).
- Adds libzypp API to mark all obsolete kernels according to the existing purge-kernel script rules (bsc#1155198).
- Do not enforce 'en' being in RequestedLocales If the user decides to have a system without explicit language support he may do so (bsc#1155678).
- Load only target resolvables for zypper rm (bsc#1157377).
- Fix broken search by filelist (bsc#1135114).
- Replace python by a bash script in zypper-log (fixes#304, fixes#306, bsc#1156158).
- Do not sort out requested locales which are not available (bsc#1155678).
- Prevent listing duplicate matches in tables. XML result is provided within the new list-patches-byissue element (bsc#1154805).
- XML add patch issue-date and issue-list (bsc#1154805).
- Fix zypper lp --cve/bugzilla/issue options (bsc#1155298).
- Always execute commit when adding/removing locales (fixes bsc#1155205).
- Fix description of --table-style,-s in man page (bsc#1154804).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:451-1
Released: Tue Feb 25 10:50:35 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1155337,1161215,1161216,1161218,1161219,1161220
This update for libgcrypt fixes the following issues:
- ECDSA: Check range of coordinates (bsc#1161216)
- FIPS: libgcrypt DSA PQG parameter generation: Missing value [bsc#1161219]
- FIPS: libgcrypt DSA PQG verification incorrect results [bsc#1161215]
- FIPS: libgcrypt RSA siggen/keygen: 4k not supported [bsc#1161220]
- FIPS: keywrap gives incorrect results [bsc#1161218]
- FIPS: RSA/DSA/ECDSA are missing hashing operation [bsc#1155337]
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:476-1
Released: Tue Feb 25 14:23:14 2020
Summary: Recommended update for perl
Type: recommended
Severity: moderate
References: 1102840,1160039
This update for perl fixes the following issues:
- Some packages make assumptions about the date and time they are built.
This update will solve the issues caused by calling the perl function timelocal
expressing the year with two digit only instead of four digits. (bsc#1102840) (bsc#1160039)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:480-1
Released: Tue Feb 25 17:38:22 2020
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1160735
This update for aaa_base fixes the following issues:
- Change 'rp_filter' to increase the default priority to ethernet over the wifi. (bsc#1160735)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:525-1
Released: Fri Feb 28 11:49:36 2020
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1164562
This update for pam fixes the following issues:
- Add libdb as build-time dependency to enable pam_userdb module.
Enable pam_userdb.so (jsc#sle-7258, bsc#1164562)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:547-1
Released: Fri Feb 28 16:26:21 2020
Summary: Security update for permissions
Type: security
Severity: moderate
References: 1148788,1160594,1160764,1161779,1163922,CVE-2019-3687,CVE-2020-8013
This update for permissions fixes the following issues:
Security issues fixed:
- CVE-2019-3687: Fixed a privilege escalation which could allow a local user to read network traffic if wireshark is installed (bsc#1148788)
- CVE-2020-8013: Fixed an issue where chkstat set unintended setuid/capabilities for mrsh and wodim (bsc#1163922).
Non-security issues fixed:
- Fixed a regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594).
- Fixed capability handling when doing multiple permission changes at once (bsc#1161779).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:572-1
Released: Tue Mar 3 13:25:41 2020
Summary: Recommended update for cyrus-sasl
Type: recommended
Severity: moderate
References: 1162518
This update for cyrus-sasl fixes the following issues:
- Added support for retrieving negotiated SSF in gssapi plugin (bsc#1162518)
- Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF (bsc#1162518)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:573-1
Released: Tue Mar 3 13:37:28 2020
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1160160
This update for ca-certificates-mozilla to 2.40 fixes the following issues:
Updated to 2.40 state of the Mozilla NSS Certificate store (bsc#1160160):
Removed certificates:
- Certplus Class 2 Primary CA
- Deutsche Telekom Root CA 2
- CN=Swisscom Root CA 2
- UTN-USERFirst-Client Authentication and Email
added certificates:
- Entrust Root Certification Authority - G4
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:597-1
Released: Thu Mar 5 15:24:09 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1164950
This update for libgcrypt fixes the following issues:
- FIPS: Run the self-tests from the constructor [bsc#1164950]
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:633-1
Released: Tue Mar 10 16:23:08 2020
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1139939,1151023
This update for aaa_base fixes the following issues:
- get_kernel_version: fix for current kernel on s390x (bsc#1151023, bsc#1139939)
- added '-h'/'--help' to the command old
- change feedback url from http://www.suse.de/feedback to https://github.com/openSUSE/aaa_base/issues
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:668-1
Released: Fri Mar 13 10:48:58 2020
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1163184,1164505,1165784,CVE-2020-10029
This update for glibc fixes the following issues:
- CVE-2020-10029: Fixed a potential overflow in on-stack buffer
during range reduction (bsc#1165784).
- Fixed an issue where pthread were not always locked correctly (bsc#1164505).
- Document mprotect and introduce section on memory protection (bsc#1163184).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:689-1
Released: Fri Mar 13 17:09:01 2020
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1166510
This update for PAM fixes the following issue:
- The license of libdb linked against pam_userdb is not always wanted,
so we temporary disabled pam_userdb again. It will be published
in a different package at a later time. (bsc#1166510)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:475-1
Released: Thu Mar 19 11:00:46 2020
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1160595
This update for systemd fixes the following issues:
- Remove TasksMax limit for both user and system slices (jsc#SLE-10123)
- Backport IP filtering feature (jsc#SLE-7743 bsc#1160595)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:726-1
Released: Thu Mar 19 13:23:03 2020
Summary: Security update for nghttp2
Type: security
Severity: moderate
References: 1125689,1146182,1146184,1159003,1166481,CVE-2019-18802,CVE-2019-9511,CVE-2019-9513
This update for nghttp2 fixes the following issues:
Security issues fixed:
- CVE-2019-9513: Fixed HTTP/2 implementation that is vulnerable to resource loops, potentially leading to a denial of service (bsc#1146184).
- CVE-2019-9511: Fixed HTTP/2 implementations that are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service (bsc#11461).
- CVE-2019-18802: Fixed malformed request header may cause bypass of route matchers resulting in escalation of privileges or information disclosure (bsc#1159003)
Bug fixes and enhancements:
- Fixed mistake in spec file (bsc#1125689)
Update to version 1.40.0 to fix CVE-2019-18802 in envoy-proxy and
cilium-proxy (bsc#1166481)
* lib: Add nghttp2_check_authority as public API
* lib: Fix the bug that stream is closed with wrong error code
* lib: Faster huffman encoding and decoding
* build: Avoid filename collision of static and dynamic lib
* build: Add new flag ENABLE_STATIC_CRT for Windows
* build: cmake: Support building nghttpx with systemd
* third-party: Update neverbleed to fix memory leak
* nghttpx: Fix bug that mruby is incorrectly shared between
backends
* nghttpx: Reconnect h1 backend if it lost connection before
sending headers
* nghttpx: Returns 408 if backend timed out before sending
headers
* nghttpx: Fix request stal
- Conditionally remove dependecy on jemalloc for SLE-12
- Require correct library from devel package - boo#1125689
Update to version 1.39.2 (bsc#1146184, bsc#1146182):
* This release fixes CVE-2019-9511 âData Dribbleâ and CVE-2019-9513
âResource Loopâ vulnerability in nghttpx and nghttpd. Specially crafted HTTP/2
frames cause Denial of Service by consuming CPU time. Check out
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
for details. For nghttpx, additionally limiting inbound traffic by
--read-rate and --read-burst options is quite effective against
this kind of attack.
* Add nghttp2_option_set_max_outbound_ack API function
* nghttpx: Fix request stall
Update to version 1.39.1:
* This release fixes the bug that log-level is not set with
cmd-line or configuration file. It also fixes FPE with default
backend.
Changes for version 1.39.0:
* libnghttp2 now ignores content-length in 200 response to
CONNECT request as per RFC 7230.
* mruby has been upgraded to 2.0.1.
* libnghttp2-asio now supports boost-1.70.
* http-parser has been replaced with llhttp.
* nghttpx now ignores Content-Length and Transfer-Encoding in 1xx
or 200 to CONNECT.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:729-1
Released: Thu Mar 19 14:44:22 2020
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1166106
This update for glibc fixes the following issues:
- Allow dlopen of filter object to work (bsc#1166106, BZ #16272)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:793-1
Released: Wed Mar 25 15:16:00 2020
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1139459,1161262,1162108,1164717,1165579,CVE-2020-1712
This update for systemd fixes the following issues:
- manager: fix job mode when signalled to shutdown etc (bsc#1161262)
- remove fallback for user/exit.target
- dbus method Manager.Exit() does not start exit.target
- do not install rescue.target for alt-â
- %j/%J unit specifiers
Added support for I/O scheduler selection with blk-mq (bsc#1165579, bsc#1164717).
Added the udev 60-ssd-scheduler.rules:
- This rules file which select the default IO scheduler for SSDs is
being moved out from the git repo since this is not related to
systemd or udev at all and is maintained by the kernel team.
- core: coldplug possible nop_job (bsc#1139459)
- Revert 'udev: use 'deadline' IO scheduler for SSD disks'
- Fix typo in function name
- polkit: when authorizing via PK let's re-resolve callback/userdata instead of caching it (bsc#1162108 CVE-2020-1712)
- sd-bus: introduce API for re-enqueuing incoming messages
- polkit: on async pk requests, re-validate action/details
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:814-1
Released: Mon Mar 30 16:23:42 2020
Summary: Recommended update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1
Type: recommended
Severity: moderate
References: 1161816,1162152,1167223
This update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1 fixes the following issues:
libreoffice was updated to 6.4.2.2 (jsc#SLE-11174 jsc#SLE-11175 jsc#SLE-11176 bsc#1167223):
Full Release Notes can be found on:
https://wiki.documentfoundation.org/ReleaseNotes/6.4
- Fixed broken handling of non-ASCII characters in the KDE filedialog
(bsc#1161816)
- Move the animation library to core package bsc#1162152
xmlsec1 was updated to 1.2.28:
* Added BoringSSL support (chenbd).
* Added gnutls-3.6.x support (alonbl).
* Added DSA and ECDSA key size getter for MSCNG (vmiklos).
* Added --enable-mans configuration option (alonbl).
* Added coninuous build integration for MacOSX (vmiklos).
* Several other small fixes (more details).
- Make sure to recommend at least one backend when you install
just xmlsec1
- Drop the gnutls backend as based on the tests it is quite borked:
* We still have nss and openssl backend for people to use
Version update to 1.2.27:
* Added AES-GCM support for OpenSSL and MSCNG (snargit).
* Added DSA-SHA256 and ECDSA-SHA384 support for NSS (vmiklos).
* Added RSA-OAEP support for MSCNG (vmiklos).
* Continuous build integration in Travis and Appveyor.
* Several other small fixes (more details).
myspell-dictionaries was updated to 20191219:
* Updated the English dictionaries: GB+US+CA+AU
* Bring shipped Spanish dictionary up to version 2.5
boost was updated to fix:
- add a backport of Boost.Optional::has_value() for LibreOffice
The QR-Code-generator is shipped:
- Initial commit, needed by libreoffice 6.4
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:820-1
Released: Tue Mar 31 13:02:22 2020
Summary: Security update for glibc
Type: security
Severity: important
References: 1167631,CVE-2020-1752
This update for glibc fixes the following issues:
- CVE-2020-1752: Fixed a use after free in glob which could have allowed
a local attacker to create a specially crafted path that, when processed
by the glob function, could potentially have led to arbitrary code execution
(bsc#1167631).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:834-1
Released: Tue Mar 31 17:21:34 2020
Summary: Recommended update for permissions
Type: recommended
Severity: moderate
References: 1167163
This update for permissions fixes the following issue:
- whitelist s390-tools set group ID (setgid) bit on log directory. (bsc#1167163)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:846-1
Released: Thu Apr 2 07:24:07 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1164950,1166748,1167674
This update for libgcrypt fixes the following issues:
- FIPS: Remove an unneeded check in _gcry_global_constructor (bsc#1164950)
- FIPS: Fix drbg to be threadsafe (bsc#1167674)
- FIPS: Run self-tests from constructor during power-on [bsc#1166748]
* Set up global_init as the constructor function:
* Relax the entropy requirements on selftest. This is especially
important for virtual machines to boot properly before the RNG
is available:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:917-1
Released: Fri Apr 3 15:02:25 2020
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1166510
This update for pam fixes the following issues:
- Moved pam_userdb into a separate package pam-extra. (bsc#1166510)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:948-1
Released: Wed Apr 8 07:44:21 2020
Summary: Security update for gmp, gnutls, libnettle
Type: security
Severity: moderate
References: 1152692,1155327,1166881,1168345,CVE-2020-11501
This update for gmp, gnutls, libnettle fixes the following issues:
Security issue fixed:
- CVE-2020-11501: Fixed zero random value in DTLS client hello (bsc#1168345)
FIPS related bugfixes:
- FIPS: Install checksums for binary integrity verification which are
required when running in FIPS mode (bsc#1152692, jsc#SLE-9518)
- FIPS: Fixed a cfb8 decryption issue, no longer truncate output IV if
input is shorter than block size. (bsc#1166881)
- FIPS: Added Diffie Hellman public key verification test. (bsc#1155327)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:961-1
Released: Wed Apr 8 13:34:06 2020
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 1160979
This update for e2fsprogs fixes the following issues:
- e2fsck: clarify overflow link count error message (bsc#1160979)
- ext2fs: update allocation info earlier in ext2fs_mkdir() (bsc#1160979)
- ext2fs: implement dir entry creation in htree directories (bsc#1160979)
- tests: add test to excercise indexed directories with metadata_csum (bsc#1160979)
- tune2fs: update dir checksums when clearing dir_index feature (bsc#1160979)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:967-1
Released: Thu Apr 9 11:41:53 2020
Summary: Security update for libssh
Type: security
Severity: moderate
References: 1168699,CVE-2020-1730
This update for libssh fixes the following issues:
- CVE-2020-1730: Fixed a possible denial of service when using AES-CTR (bsc#1168699).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:969-1
Released: Thu Apr 9 11:43:17 2020
Summary: Security update for permissions
Type: security
Severity: moderate
References: 1168364
This update for permissions fixes the following issues:
- Fixed spelling of icinga group (bsc#1168364)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:981-1
Released: Mon Apr 13 15:43:44 2020
Summary: Recommended update for rpm
Type: recommended
Severity: moderate
References: 1156300
This update for rpm fixes the following issues:
- Fix for language package macros to avoid wrong requirement on shared library. (bsc#1156300)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1026-1
Released: Fri Apr 17 16:14:43 2020
Summary: Recommended update for libsolv
Type: recommended
Severity: moderate
References: 1159314
This update for libsolv fixes the following issues:
libsolv was updated to version 0.7.11:
- fix solv_zchunk decoding error if large chunks are used (bsc#1159314)
- treat retracted pathes as irrelevant
- made add_update_target work with multiversion installs
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1047-1
Released: Tue Apr 21 10:33:06 2020
Summary: Recommended update for gnutls
Type: recommended
Severity: moderate
References: 1168835
This update for gnutls fixes the following issues:
- Backport AES XTS support (bsc#1168835)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1063-1
Released: Wed Apr 22 10:46:50 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1165539,1169569
This update for libgcrypt fixes the following issues:
This update for libgcrypt fixes the following issues:
- FIPS: Switch the PCT to use the new signature operation (bsc#1165539)
- FIPS: Verify that the generated signature and the original input differ in test_keys function for RSA, DSA and ECC (bsc#1165539)
- Add zero-padding when qx and qy have different lengths when assembling the Q point from affine coordinates.
- Ship the FIPS checksum file in the shared library package and create a separate trigger file for the FIPS selftests (bsc#1169569)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1108-1
Released: Fri Apr 24 16:31:01 2020
Summary: Recommended update for gnutls
Type: recommended
Severity: moderate
References: 1169992
This update for gnutls fixes the following issues:
- FIPS: Do not check for /etc/system-fips which we don't have (bsc#1169992)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1175-1
Released: Tue May 5 08:33:43 2020
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1165011,1168076
This update for systemd fixes the following issues:
- Fix check for address to keep interface names stable. (bsc#1168076)
- Fix for checking non-normalized WHAT for network FS. (bsc#1165011)
- Allow to specify an arbitrary string for when vfs is used. (bsc#1165011)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1214-1
Released: Thu May 7 11:20:34 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1169944
This update for libgcrypt fixes the following issues:
- FIPS: libgcrypt: Fixed a double free in test_keys() on failed signature verification (bsc#1169944)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1219-1
Released: Thu May 7 17:10:42 2020
Summary: Security update for openldap2
Type: security
Severity: important
References: 1170771,CVE-2020-12243
This update for openldap2 fixes the following issues:
- CVE-2020-12243: Fixed a denial of service related to recursive filters (bsc#1170771).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1226-1
Released: Fri May 8 10:51:05 2020
Summary: Recommended update for gcc9
Type: recommended
Severity: moderate
References: 1149995,1152590,1167898
This update for gcc9 fixes the following issues:
This update ships the GCC 9.3 release.
- Includes a fix for Internal compiler error when building HepMC (bsc#1167898)
- Includes fix for binutils version parsing
- Add libstdc++6-pp provides and conflicts to avoid file conflicts
with same minor version of libstdc++6-pp from gcc10.
- Add gcc9 autodetect -g at lto link (bsc#1149995)
- Install go tool buildid for bootstrapping go
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1271-1
Released: Wed May 13 13:17:59 2020
Summary: Recommended update for permissions
Type: recommended
Severity: important
References: 1171173
This update for permissions fixes the following issues:
- Remove setuid bit for newgidmap and newuidmap in paranoid profile. (bsc#1171173)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1290-1
Released: Fri May 15 16:39:59 2020
Summary: Recommended update for gnutls
Type: recommended
Severity: moderate
References: 1171422
This update for gnutls fixes the following issues:
- Add RSA 4096 key generation support in FIPS mode (bsc#1171422)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1294-1
Released: Mon May 18 07:38:36 2020
Summary: Security update for file
Type: security
Severity: moderate
References: 1154661,1169512,CVE-2019-18218
This update for file fixes the following issues:
Security issues fixed:
- CVE-2019-18218: Fixed a heap-based buffer overflow in cdf_read_property_info() (bsc#1154661).
Non-security issue fixed:
- Fixed broken '--help' output (bsc#1169512).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1299-1
Released: Mon May 18 07:43:21 2020
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1159928,1161517,1161521,CVE-2019-19956,CVE-2019-20388,CVE-2020-7595
This update for libxml2 fixes the following issues:
- CVE-2019-20388: Fixed a memory leak in xmlSchemaPreRun (bsc#1161521).
- CVE-2019-19956: Fixed a memory leak (bsc#1159928).
- CVE-2020-7595: Fixed an infinite loop in an EOF situation (bsc#1161517).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1328-1
Released: Mon May 18 17:16:04 2020
Summary: Recommended update for grep
Type: recommended
Severity: moderate
References: 1155271
This update for grep fixes the following issues:
- Update testsuite expectations, no functional changes (bsc#1155271)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1361-1
Released: Thu May 21 09:31:18 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1171872
This update for libgcrypt fixes the following issues:
- FIPS: RSA/DSA/ECC test_keys() print out debug messages only in debug mode (bsc#1171872)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1400-1
Released: Mon May 25 14:09:02 2020
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1162930
This update for glibc fixes the following issues:
- nptl: wait for pending setxid request also in detached thread. (bsc#1162930)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1404-1
Released: Mon May 25 15:32:34 2020
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1138793,1166260
This update for zlib fixes the following issues:
- Including the latest fixes from IBM (bsc#1166260)
IBM Z mainframes starting from version z15 provide DFLTCC instruction, which implements
deflate algorithm in hardware with estimated compression and decompression performance
orders of magnitude faster than the current zlib and ratio comparable with that of level 1.
- Add SUSE specific fix to solve bsc#1138793.
The fix will avoid to test if the app was linked with exactly same version of zlib
like the one that is present on the runtime.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1506-1
Released: Fri May 29 17:22:11 2020
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1087982,1170527
This update for aaa_base fixes the following issues:
- Not all XTerm based emulators do have a terminfo entry. (bsc#1087982)
- Better support of Midnight Commander. (bsc#1170527)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1532-1
Released: Thu Jun 4 10:16:12 2020
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1172021,CVE-2019-19956
This update for libxml2 fixes the following issues:
- CVE-2019-19956: Reverted the upstream fix for this memory leak because it introduced other, more severe vulnerabilities (bsc#1172021).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1573-1
Released: Tue Jun 9 12:07:53 2020
Summary: Add features for Metrics Server, Cert Status Checker, VSphere VCP, and Cilium Envoy
Type: security
Severity: moderate
References: 1041090,1047218,1048688,1086909,1094448,1095603,1102920,1121353,1129568,1138908,1144068,1151876,1156450,1159002,1159003,1159004,1159539,1162651,1167073,1169506,CVE-2019-18801,CVE-2019-18802,CVE-2019-18836,CVE-2019-18838
Metrics Server
* Support monitoring of *CPU* and *memory* of a pod or node.
Cert Status Checker
* Exposes cluster-wide certificates status and use monitoring stack (Prometheus and Grafana) to receives alerts
by Prometheus Alertmanager and monitors certificate status by Grafana dashboard.
VSphere VCP
* Allow Kubernetes pods to use VMWare vSphere Virtual Machine Disk (VMDK) volumes as persistent storage.
Cilium Envoy
* Updated Cilium from version 1.5.3 to version 1.6.6
* Provide Envoy-proxy support for Cilium
* Envoy and its dependencies packaged for version 1.12.2
* Cilium uses CRD and ConfigMap points on etcd are removed
See release notes for installation instructions: https://www.suse.com/releasenotes/x86_64/SUSE-CAASP/4/
Following CVE entries are relevant for the casp 4.2.1 update:
cilium-proxy:
CVE-2019-18801: An untrusted remote client might have been able to send HTTP/2 requests via cilium-proxyx
that could have written to the heap outside of the request buffers when the upstream is HTTP/1. (bsc#1159002)
CVE-2019-18802: A malformed request header may have caused bypass of route matchers resulting in escalation of
privileges or information disclosure (bsc#1159003)
CVE-2019-18838: A malformed HTTP request without the Host header may cause abnormal termination ofthe Envoy
process (bsc#1159004)
CVE-2019-18836: Excessive iteration due to listener filter timeout in envoy could lead to DoS (bsc#1156450)
kafka:
CVE-2018-1288: authenticated Kafka users may perform action reserved for the Broker via a manually created fetch request. (bsc#1102920)
More information about the sle-security-updates
mailing list