SUSE-CU-2020:166-1: Security update of caasp/v4/hyperkube

sle-security-updates at lists.suse.com
Wed May 6 13:58:55 MDT 2020


SUSE Container Update Advisory: caasp/v4/hyperkube
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:166-1
Container Tags        : caasp/v4/hyperkube:v1.17.4 , caasp/v4/hyperkube:v1.17.4-rev5 , caasp/v4/hyperkube:v1.17.4-rev5-build3.12.1
Container Release     : 3.12.1
Severity              : important
Type                  : security
References            : 1002895 1013125 1027282 1029377 1029902 1040164 1042670 1070853
                        1079761 1081750 1083507 1084671 1086001 1088004 1088009 1088573
                        1092920 1094814 1102840 1106383 1107030 1107105 1109663 1109847
                        1120644 1121353 1122191 1124556 1125689 1129346 1130840 1131817
                        1132337 1133452 1133495 1134365 1135114 1137227 1137337 1137942
                        1138459 1138666 1139459 1139939 1140504 1140879 1141203 1141853
                        1145571 1145756 1146182 1146184 1148360 1148498 1148788 1149121
                        1149332 1149792 1149955 1150021 1151023 1151377 1151490 1151582
                        1152334 1152335 1152692 1153238 1153876 1154230 1154256 1154804
                        1154805 1155045 1155198 1155205 1155207 1155298 1155323 1155327
                        1155337 1155350 1155357 1155360 1155463 1155574 1155593 1155655
                        1155678 1155810 1155819 1155950 1156158 1156213 1156300 1156482
                        1156571 1157292 1157337 1157377 1157611 1157794 1157802 1157893
                        1158095 1158485 1158763 1158830 1158921 1158923 1158925 1158926
                        1158927 1158929 1158930 1158931 1158932 1158933 1158996 1159003
                        1159035 1159074 1159108 1159314 1159452 1159622 1159814 1160039
                        1160160 1160443 1160460 1160571 1160594 1160595 1160600 1160735
                        1160764 1160920 1160970 1160979 1161056 1161074 1161179 1161215
                        1161216 1161218 1161219 1161220 1161262 1161312 1161436 1161770
                        1161779 1161816 1161975 1162093 1162108 1162108 1162152 1162224
                        1162367 1162423 1162518 1162825 1163184 1163922 1164390 1164505
                        1164562 1164717 1164950 1164950 1165011 1165539 1165579 1165784
                        1165894 1166106 1166139 1166403 1166481 1166484 1166510 1166510
                        1166748 1166880 1166881 1167163 1167223 1167631 1167674 1167732
                        1168076 1168345 1168364 1168669 1168699 1168835 1169569 1169872
                        1169992 1170173 1170571 1170572 637176 658604 673071 709442 743787
                        747125 751718 754447 754677 787526 809831 831629 834601 871152
                        885662 885882 917607 942751 951166 983582 984751 985177 985348
                        989523 CVE-2011-3389 CVE-2011-4944 CVE-2012-0845 CVE-2012-1150
                        CVE-2013-1752 CVE-2013-4238 CVE-2014-2667 CVE-2014-4650 CVE-2016-0772
                        CVE-2016-1000110 CVE-2016-5636 CVE-2016-5699 CVE-2017-18207 CVE-2018-1000802
                        CVE-2018-1060 CVE-2018-1061 CVE-2018-14647 CVE-2018-20406 CVE-2018-20852
                        CVE-2019-10160 CVE-2019-14889 CVE-2019-15903 CVE-2019-16056 CVE-2019-16935
                        CVE-2019-18802 CVE-2019-18900 CVE-2019-19126 CVE-2019-20386 CVE-2019-3687
                        CVE-2019-5010 CVE-2019-5188 CVE-2019-9511 CVE-2019-9513 CVE-2019-9636
                        CVE-2019-9674 CVE-2019-9947 CVE-2020-10029 CVE-2020-11501 CVE-2020-1699
                        CVE-2020-1700 CVE-2020-1712 CVE-2020-1712 CVE-2020-1730 CVE-2020-1752
                        CVE-2020-1759 CVE-2020-1760 CVE-2020-8013 CVE-2020-8492 
-----------------------------------------------------------------

The container caasp/v4/hyperkube was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:114-1
Released:    Thu Jan 16 10:11:52 2020
Summary:     Security update for python3
Type:        security
Severity:    important
References:  1027282,1029377,1029902,1040164,1042670,1070853,1079761,1081750,1083507,1086001,1088004,1088009,1088573,1094814,1107030,1109663,1109847,1120644,1122191,1129346,1130840,1133452,1137942,1138459,1141853,1149121,1149792,1149955,1151490,1153238,1159035,1159622,637176,658604,673071,709442,743787,747125,751718,754447,754677,787526,809831,831629,834601,871152,885662,885882,917607,942751,951166,983582,984751,985177,985348,989523,CVE-2011-3389,CVE-2011-4944,CVE-2012-0845,CVE-2012-1150,CVE-2013-1752,CVE-2013-4238,CVE-2014-2667,CVE-2014-4650,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699,CVE-2017-18207,CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061,CVE-2018-14647,CVE-2018-20406,CVE-2018-20852,CVE-2019-10160,CVE-2019-15903,CVE-2019-16056,CVE-2019-16935,CVE-2019-5010,CVE-2019-9636,CVE-2019-9947
This update for python3 to version 3.6.10 fixes the following issues:

- CVE-2017-18207: Fixed a denial of service in Wave_read._read_fmt_chunk() (bsc#1083507).
- CVE-2019-16056: Fixed an issue where email parsing could fail for multiple @ (bsc#1149955).
- CVE-2019-15903: Fixed a heap-based buffer over-read in libexpat (bsc#1149429).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:129-1
Released:    Mon Jan 20 09:21:13 2020
Summary:     Security update for libssh
Type:        security
Severity:    important
References:  1158095,CVE-2019-14889
This update for libssh fixes the following issues:

- CVE-2019-14889: Fixed an unwanted command execution in scp caused by unsanitized location (bsc#1158095).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:158-1
Released:    Wed Jan 22 08:03:20 2020
Summary:     Recommended update for ceph
Type:        recommended
Severity:    moderate
References:  1124556,1131817,1132337,1134365,1137227,1140504,1140879,1141203,1145571,1145756,1148360,1148498,1153876,1154230,1155045,1155463,1155655,1155950,1156571,1157611,1158923,1158925,1158926,1158927,1158929,1158930,1158931,1158932,1158933,1160920
This update for ceph fixes the following issues:

Ceph was updated to 14.2.5-371-g3551250731:

This is the upstream Nautilus 14.2.5 point release, see https://ceph.io/releases/v14-2-5-nautilus-released/

* health warnings will be issued if daemons have recently crashed (bsc#1158923)
* pg_num must be a power of two, otherwise HEALTH_WARN (bsc#1158925)
* pool size must be > 1, otherwise HEALTH_WARN (bsc#1158926)
* health warning if average OSD heartbeat ping time exceeds threshold (bsc#1158927)
* changes in the telemetry MGR module (bsc#1158929)
* new OSD daemon command dump_recovery_reservations (bsc#1158930)
* new OSD daemon command dump_scrub_reservations (bsc#1158931)
* RGW now supports S3 Object Lock set of APIs (bsc#1158932)
* RGW now supports List Objects V2 (bsc#1158933)
* mon: keep v1 address type when explicitly (bsc#1140879)
* doc: mention --namespace option in rados manpage (bsc#1157611)
* mgr/dashboard: Remove env_build from e2e:ci 
* ceph-volume: check if we run in an selinux environment
* qa/dashboard_e2e_tests.sh: Automatically use correct chromedriver version (bsc#1155950)
* rebase on tip of upstream nautilus, SHA1 9989c20373e2294b7479ec4bd6ac5cce80b01645
    * rgw: add S3 object lock feature to support object worm (jsc#SES-582)
    * os/bluestore: apply garbage collection against excessive blob count growth (bsc#1124556)
    * doc: update bluestore cache settings and clarify data fraction (bsc#1131817)
    * mgr/dashboard: Allow the decrease of pg's of an existing pool (bsc#1132337) 
    * core: Improve health status for backfill_toofull and recovery_toofull and
      fix backfill_toofull seen on cluster where the most full OSD is at 1% (bsc#1134365)
    * mgr/dashboard: Set RO as the default access_type for RGW NFS exports (bsc#1137227)
    * mgr/dashboard: Allow disabling redirection on standby Dashboards (bsc#1140504)
    * rgw: dns name is not case sensitive (bsc#1141203) 
    * os/bluestore: shallow fsck mode and legacy statfs auto repair (bsc#1145571) 
    * mgr/dashboard: Display WWN and LUN number in iSCSI target details (bsc#1145756)
    * mgr/dashboard: access_control: add grafana scope read access to *-manager roles (bsc#1148360) 
    * mgr/dashboard: internationalization support with AOT enabled (bsc#1148498) 
    * mgr/dashboard: Fix data point alignment in MDS counters chart (bsc#1153876)
    * mgr/balancer: python3 compatibility issue (bsc#1154230) 
    * mgr/dashboard: add debug mode, and accept expected exception when SSL handshaking (bsc#1155045) 
    * mgr/{dashboard,prometheus}: return FQDN instead of '0.0.0.0' (bsc#1155463)
    * core: Improve health status for backfill_toofull and recovery_toofull and
      fix backfill_toofull seen on cluster where the most full OSD is at 1% (bsc#1155655)
    * mon: ensure prepare_failure() marks no_reply on op (bsc#1156571) 
* mgr/dashboard: Automatically use correct chromedriver version
+ Revert 'rgw_file: introduce fast S3 Unix stats (immutable)'
  because it is incompatible with NFS-Ganesha 2.8
* include hotfix from upstream v14.2.6 release (bsc#1160920):
  * mon/PGMap.h: disable network stats in dump_osd_stats 
  * osd_stat_t::dump: Add option for ceph-mgr python callers to skip ping network

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:225-1
Released:    Fri Jan 24 06:49:07 2020
Summary:     Recommended update for procps
Type:        recommended
Severity:    moderate
References:  1158830
This update for procps fixes the following issues:

- Fix for 'ps -C' not accepting arguments longer than 15 characters anymore. (bsc#1158830)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:256-1
Released:    Wed Jan 29 09:39:17 2020
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1157794,1160970
This update for aaa_base fixes the following issues:

- Improve how the Java path is created to fix an issue with sapjvm. (bsc#1157794)
- Drop 'dev.cdrom.autoclose' = 0 from sysctl config. (bsc#1160970)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:262-1
Released:    Thu Jan 30 11:02:42 2020
Summary:     Security update for glibc
Type:        security
Severity:    moderate
References:  1149332,1151582,1157292,1157893,1158996,CVE-2019-19126
This update for glibc fixes the following issues:

Security issue fixed:

- CVE-2019-19126: Fixed to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition (bsc#1157292).

Bug fixes:

- Fixed z15 (s390x) strstr implementation that can return incorrect results if the search string crosses a page boundary (bsc#1157893).
- Fixed Hardware support in toolchain (bsc#1151582).
- Fixed syscalls during early process initialization (SLE-8348).
- Fixed an array overflow in backtrace for PowerPC (bsc#1158996).
- Moved to posix_spawn on popen (bsc#1149332).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:265-1
Released:    Thu Jan 30 14:05:34 2020
Summary:     Security update for e2fsprogs
Type:        security
Severity:    moderate
References:  1160571,CVE-2019-5188
This update for e2fsprogs fixes the following issues:

- CVE-2019-5188: Fixed a code execution vulnerability in the directory rehashing functionality (bsc#1160571).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:279-1
Released:    Fri Jan 31 12:01:39 2020
Summary:     Recommended update for p11-kit
Type:        recommended
Severity:    moderate
References:  1013125
This update for p11-kit fixes the following issues:

- Also build documentation (bsc#1013125)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:296-1
Released:    Fri Jan 31 17:23:43 2020
Summary:     Security update for ceph
Type:        security
Severity:    moderate
References:  1161074,1161312,CVE-2020-1699,CVE-2020-1700
This update for ceph fixes the following issues:

- CVE-2020-1700: Fixed a denial of service against the RGW server via connection leakage (bsc#1161312).
- CVE-2020-1699: Fixed an information disclosure caused by improper URL checking (bsc#1161074).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:335-1
Released:    Thu Feb  6 11:37:24 2020
Summary:     Security update for systemd
Type:        security
Severity:    important
References:  1084671,1092920,1106383,1133495,1151377,1154256,1155207,1155574,1156213,1156482,1158485,1159814,1161436,1162108,CVE-2019-20386,CVE-2020-1712
This update for systemd fixes the following issues:

- CVE-2020-1712 (bsc#1162108)
  Fix a heap use-after-free vulnerability, when asynchronous
  Polkit queries were performed while handling Dbus messages. A local
  unprivileged attacker could have abused this flaw to crash systemd services or
  potentially execute code and elevate their privileges, by sending specially
  crafted Dbus messages.

- Use suse.pool.ntp.org server pool on SLE distros (jsc#SLE-7683)

- libblkid: open device in nonblock mode. (bsc#1084671)
- udev/cdrom_id: Do not open CD-rom in exclusive mode. (bsc#1154256)
- bus_open leaks sd_event_source when udevadm trigger is run. (bsc#1161436 CVE-2019-20386)
- fileio: introduce read_full_virtual_file() for reading virtual files in sysfs, procfs (bsc#1133495 bsc#1159814)
- fileio: initialize errno to zero before we do fread()
- fileio: try to read one byte too much in read_full_stream()
- logind: consider 'greeter' sessions suitable as 'display' sessions of a user (bsc#1158485)
- logind: never elect a session that is stopping as display

- journal: include kmsg lines from the systemd process which exec()d us (#8078)
- udevd: don't use monitor after manager_exit()
- udevd: capitalize log messages in on_sigchld()
- udevd: merge conditions to decrease indentation
- Revert 'udevd: fix crash when workers time out after exit is signal caught'
- core: fragments of masked units ought not be considered for NeedDaemonReload (#7060) (bsc#1156482)
- udevd: fix crash when workers time out after exit is signal caught
- udevd: wait for workers to finish when exiting (bsc#1106383)

- Improve bash completion support (bsc#1155207)
  * shell-completion: systemctl: do not list template units in {re,}start
  * shell-completion: systemctl: pass current word to all list_unit*
  * bash-completion: systemctl: pass current partial unit to list-unit* (bsc#1155207)
  * bash-completion: systemctl: use systemctl --no-pager
  * bash-completion: also suggest template unit files
  * bash-completion: systemctl: add missing options and verbs
  * bash-completion: use the first argument instead of the global variable (#6457)

- networkd: VXLan Make group and remote variable separate (bsc#1156213)
- networkd: vxlan require Remote= to be a non multicast address (#8117) (bsc#1156213)
- fs-util: let's avoid unnecessary strerror()
- fs-util: introduce inotify_add_watch_and_warn() helper
- ask-password: improve log message when inotify limit is reached (bsc#1155574)
- shared/install: failing with -ELOOP can be due to the use of an alias in install_error() (bsc#1151377)
- man: alias names can't be used with enable command (bsc#1151377)

- Add boot option to not use swap at system start (jsc#SLE-7689)

- Allow YaST to select Iranian (Persian, Farsi) keyboard layout
  (bsc#1092920)
  
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:339-1
Released:    Thu Feb  6 13:03:22 2020
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    low
References:  1158921
This update for openldap2 provides the following fix:

- Add libldap-data to the product (as it contains ldap.conf). (bsc#1158921)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:340-1
Released:    Thu Feb  6 13:03:56 2020
Summary:     Recommended update for python-rpm-macros
Type:        recommended
Severity:    moderate
References:  1161770
This update for python-rpm-macros fixes the following issues:

- Add macros related to the Python dist metadata dependency generator. (bsc#1161770)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:368-1
Released:    Fri Feb  7 13:49:41 2020
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    moderate
References:  1150021
This update for lvm2 fixes the following issues:

- Fix for LVM in KVM: The SCSI persistent reservation scenario can trigger an error during LVM actions. (bsc#1150021)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:386-1
Released:    Mon Feb 17 11:41:23 2020
Summary:     Skuba bug fix, supportconfig update, cri-o and kubernetes fixes, and prometheus fixes
Type:        recommended
Severity:    important
References:  1137337,1152335,1155323,1155593,1155810,1157802,1159074,1159452,1160443,1160600,1161056,1161179,1161975
= Required Actions
Update skuba, kubernetes-client and kubernetes-kubeadm packages on your management workstation as you would do with any other package.

Refer to: https://documentation.suse.com/sles/15-SP1/single-html/SLES-admin/#sec-zypper-softup-update

Packages on your cluster nodes (cri-o, kubernetes, supportutils-plugin-suse-caasp) will be updated automatically by skuba-update, see https://documentation.suse.com/suse-caasp/4.1/html/caasp-admin/_cluster_updates.html#_base_os_updates

Use the `helm upgrade` command to fix the prometheus kube-state-metrics image.

Finally, to apply the prometheus pushgateway fix, enable it in your helm chart https://github.com/SUSE/kubernetes-charts-suse-com/blob/master/stable/prometheus/values.yaml#L848 and use the helm upgrade command, see https://helm.sh/docs/intro/using_helm/#helm-upgrade-and-helm-rollback-upgrading-a-release-and-recovering-on-failure.
  
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:432-1
Released:    Fri Feb 21 14:34:16 2020
Summary:     Security update for libsolv, libzypp, zypper
Type:        security
Severity:    moderate
References:  1135114,1154804,1154805,1155198,1155205,1155298,1155678,1155819,1156158,1157377,1158763,CVE-2019-18900
This update for libsolv, libzypp, zypper fixes the following issues:


Security issue fixed:

- CVE-2019-18900: Fixed the cookie file being created world readable (bsc#1158763).

Bug fixes:

- Fixed removing orphaned packages dropped by to-be-installed products (bsc#1155819).
- Adds libzypp API to mark all obsolete kernels according to the existing purge-kernel script rules (bsc#1155198).
- Do not enforce 'en' being in RequestedLocales. If the user decides to have a system without explicit language support, he may do so (bsc#1155678).
- Load only target resolvables for zypper rm (bsc#1157377).
- Fix broken search by filelist (bsc#1135114).
- Replace python by a bash script in zypper-log (fixes#304, fixes#306, bsc#1156158).
- Do not sort out requested locales which are not available (bsc#1155678).
- Prevent listing duplicate matches in tables. XML result is provided within the new list-patches-byissue element (bsc#1154805).
- XML add patch issue-date and issue-list (bsc#1154805).
- Fix zypper lp --cve/bugzilla/issue options (bsc#1155298).
- Always execute commit when adding/removing locales (fixes bsc#1155205).
- Fix description of --table-style,-s in man page (bsc#1154804).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:451-1
Released:    Tue Feb 25 10:50:35 2020
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  1155337,1161215,1161216,1161218,1161219,1161220
This update for libgcrypt fixes the following issues:

- ECDSA: Check range of coordinates (bsc#1161216)
- FIPS: libgcrypt DSA PQG parameter generation: Missing value [bsc#1161219]
- FIPS: libgcrypt DSA PQG verification incorrect results [bsc#1161215]
- FIPS: libgcrypt RSA siggen/keygen: 4k not supported [bsc#1161220]
- FIPS: keywrap gives incorrect results [bsc#1161218]
- FIPS: RSA/DSA/ECDSA are missing hashing operation [bsc#1155337]

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:467-1
Released:    Tue Feb 25 12:00:39 2020
Summary:     Security update for python3
Type:        security
Severity:    moderate
References:  1162224,1162367,1162423,1162825,CVE-2019-9674,CVE-2020-8492
This update for python3 fixes the following issues:

Security issues fixed:

- CVE-2019-9674: Improved the documentation to reflect the dangers of zip-bombs (bsc#1162825).
- CVE-2020-8492: Fixed a regular expression in urllib that was prone to denial of service via HTTP (bsc#1162367).

Non-security issue fixed:

- If the locale is 'C', coerce it to C.UTF-8 (bsc#1162423).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:476-1
Released:    Tue Feb 25 14:23:14 2020
Summary:     Recommended update for perl
Type:        recommended
Severity:    moderate
References:  1102840,1160039
This update for perl fixes the following issues:

- Some packages make assumptions about the date and time they are built.
  This update will solve the issues caused by calling the perl function timelocal
  expressing the year with two digits only instead of four digits. (bsc#1102840) (bsc#1160039)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:480-1
Released:    Tue Feb 25 17:38:22 2020
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1160735
This update for aaa_base fixes the following issues:

- Change 'rp_filter' to increase the default priority of ethernet over wifi. (bsc#1160735)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:525-1
Released:    Fri Feb 28 11:49:36 2020
Summary:     Recommended update for pam
Type:        recommended
Severity:    moderate
References:  1164562
This update for pam fixes the following issues:

- Add libdb as build-time dependency to enable pam_userdb module.
  Enable pam_userdb.so (jsc#sle-7258, bsc#1164562)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:547-1
Released:    Fri Feb 28 16:26:21 2020
Summary:     Security update for permissions
Type:        security
Severity:    moderate
References:  1148788,1160594,1160764,1161779,1163922,CVE-2019-3687,CVE-2020-8013
This update for permissions fixes the following issues:

Security issues fixed:

- CVE-2019-3687: Fixed a privilege escalation which could allow a local user to read network traffic if wireshark is installed (bsc#1148788).
- CVE-2020-8013: Fixed an issue where chkstat set unintended setuid/capabilities for mrsh and wodim (bsc#1163922).

Non-security issues fixed:

- Fixed a regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594).
- Fixed capability handling when doing multiple permission changes at once (bsc#1161779).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:572-1
Released:    Tue Mar  3 13:25:41 2020
Summary:     Recommended update for cyrus-sasl
Type:        recommended
Severity:    moderate
References:  1162518
This update for cyrus-sasl fixes the following issues:

- Added support for retrieving negotiated SSF in gssapi plugin (bsc#1162518)
- Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF (bsc#1162518)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:573-1
Released:    Tue Mar  3 13:37:28 2020
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:  1160160
This update for ca-certificates-mozilla to 2.40 fixes the following issues:

Updated to 2.40 state of the Mozilla NSS Certificate store (bsc#1160160):

Removed certificates:

- Certplus Class 2 Primary CA
- Deutsche Telekom Root CA 2
- CN=Swisscom Root CA 2
- UTN-USERFirst-Client Authentication and Email

Added certificates:

- Entrust Root Certification Authority - G4

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:597-1
Released:    Thu Mar  5 15:24:09 2020
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  1164950
This update for libgcrypt fixes the following issues:

- FIPS: Run the self-tests from the constructor [bsc#1164950]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:633-1
Released:    Tue Mar 10 16:23:08 2020
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1139939,1151023
This update for aaa_base fixes the following issues:

- get_kernel_version: fix for current kernel on s390x (bsc#1151023, bsc#1139939)
- Added '-h'/'--help' to the 'old' command
- Changed feedback URL from http://www.suse.de/feedback to https://github.com/openSUSE/aaa_base/issues

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:668-1
Released:    Fri Mar 13 10:48:58 2020
Summary:     Security update for glibc
Type:        security
Severity:    moderate
References:  1163184,1164505,1165784,CVE-2020-10029
This update for glibc fixes the following issues:

- CVE-2020-10029: Fixed a potential overflow in an on-stack buffer
  during range reduction (bsc#1165784).
- Fixed an issue where pthread was not always locked correctly (bsc#1164505).
- Document mprotect and introduce section on memory protection (bsc#1163184).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:689-1
Released:    Fri Mar 13 17:09:01 2020
Summary:     Recommended update for pam
Type:        recommended
Severity:    moderate
References:  1166510
This update for PAM fixes the following issue:

- The license of libdb linked against pam_userdb is not always wanted,
  so we temporarily disabled pam_userdb again. It will be published
  in a different package at a later time. (bsc#1166510)
  
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:475-1
Released:    Thu Mar 19 11:00:46 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1160595
This update for systemd fixes the following issues:

- Remove TasksMax limit for both user and system slices (jsc#SLE-10123)
- Backport IP filtering feature (jsc#SLE-7743 bsc#1160595)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:726-1
Released:    Thu Mar 19 13:23:03 2020
Summary:     Security update for nghttp2
Type:        security
Severity:    moderate
References:  1125689,1146182,1146184,1159003,1166481,CVE-2019-18802,CVE-2019-9511,CVE-2019-9513
This update for nghttp2 fixes the following issues:

Security issues fixed:

- CVE-2019-9513: Fixed HTTP/2 implementation that is vulnerable to resource loops, potentially leading to a denial of service (bsc#1146184).
- CVE-2019-9511: Fixed HTTP/2 implementations that are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service (bsc#11461).
- CVE-2019-18802: Fixed malformed request headers that may cause a bypass of route matchers, resulting in escalation of privileges or information disclosure (bsc#1159003).

Bug fixes and enhancements:

- Fixed mistake in spec file (bsc#1125689)

Update to version 1.40.0 to fix CVE-2019-18802 in envoy-proxy and
cilium-proxy (bsc#1166481)

  * lib: Add nghttp2_check_authority as public API
  * lib: Fix the bug that stream is closed with wrong error code
  * lib: Faster huffman encoding and decoding
  * build: Avoid filename collision of static and dynamic lib
  * build: Add new flag ENABLE_STATIC_CRT for Windows
  * build: cmake: Support building nghttpx with systemd
  * third-party: Update neverbleed to fix memory leak
  * nghttpx: Fix bug that mruby is incorrectly shared between
    backends
  * nghttpx: Reconnect h1 backend if it lost connection before
    sending headers
  * nghttpx: Returns 408 if backend timed out before sending
    headers
  * nghttpx: Fix request stall

- Conditionally remove dependency on jemalloc for SLE-12
- Require correct library from devel package - boo#1125689

Update to version 1.39.2 (bsc#1146184, bsc#1146182):

* This release fixes CVE-2019-9511 “Data Dribble” and CVE-2019-9513
  “Resource Loop” vulnerability in nghttpx and nghttpd. Specially crafted HTTP/2
  frames cause Denial of Service by consuming CPU time. Check out
  https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
  for details. For nghttpx, additionally limiting inbound traffic by
  --read-rate and --read-burst options is quite effective against
  this kind of attack.

* Add nghttp2_option_set_max_outbound_ack API function
* nghttpx: Fix request stall

Update to version 1.39.1:

* This release fixes the bug that log-level is not set with
  cmd-line or configuration file. It also fixes FPE with default
  backend.

Changes for version 1.39.0:

* libnghttp2 now ignores content-length in 200 response to
  CONNECT request as per RFC 7230.
* mruby has been upgraded to 2.0.1.
* libnghttp2-asio now supports boost-1.70.
* http-parser has been replaced with llhttp.
* nghttpx now ignores Content-Length and Transfer-Encoding in 1xx
  or 200 to CONNECT.


-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:729-1
Released:    Thu Mar 19 14:44:22 2020
Summary:     Recommended update for glibc
Type:        recommended
Severity:    moderate
References:  1166106
This update for glibc fixes the following issues:

- Allow dlopen of filter object to work (bsc#1166106, BZ #16272)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:777-1
Released:    Tue Mar 24 18:07:52 2020
Summary:     Recommended update for python3
Type:        recommended
Severity:    moderate
References:  1165894
This update for python3 fixes the following issue:

- Rename idle icons to idle3 in order to not conflict with python2
  variant of the package (bsc#1165894)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:793-1
Released:    Wed Mar 25 15:16:00 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1139459,1161262,1162108,1164717,1165579,CVE-2020-1712
This update for systemd fixes the following issues:

- manager: fix job mode when signalled to shutdown etc (bsc#1161262)
- remove fallback for user/exit.target
- dbus method Manager.Exit() does not start exit.target
- do not install rescue.target for alt-↑
- %j/%J unit specifiers


Added support for I/O scheduler selection with blk-mq (bsc#1165579, bsc#1164717).

Added the udev 60-ssd-scheduler.rules:

- This rules file, which selects the default IO scheduler for SSDs, is
  being moved out of the git repo since this is not related to
  systemd or udev at all and is maintained by the kernel team.

- core: coldplug possible nop_job (bsc#1139459)
- Revert 'udev: use 'deadline' IO scheduler for SSD disks'
- Fix typo in function name
- polkit: when authorizing via PK let's re-resolve callback/userdata instead of caching it (bsc#1162108 CVE-2020-1712)
- sd-bus: introduce API for re-enqueuing incoming messages
- polkit: on async pk requests, re-validate action/details

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:814-1
Released:    Mon Mar 30 16:23:42 2020
Summary:     Recommended update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1
Type:        recommended
Severity:    moderate
References:  1161816,1162152,1167223
This update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1 fixes the following issues:

libreoffice was updated to 6.4.2.2 (jsc#SLE-11174 jsc#SLE-11175 jsc#SLE-11176 bsc#1167223):

Full Release Notes can be found on:

	https://wiki.documentfoundation.org/ReleaseNotes/6.4

- Fixed broken handling of non-ASCII characters in the KDE filedialog
  (bsc#1161816)
- Move the animation library to core package bsc#1162152

xmlsec1 was updated to 1.2.28:

* Added BoringSSL support (chenbd).
* Added gnutls-3.6.x support (alonbl).
* Added DSA and ECDSA key size getter for MSCNG (vmiklos).
* Added --enable-mans configuration option (alonbl).
* Added continuous build integration for MacOSX (vmiklos).
* Several other small fixes (more details).

- Make sure to recommend at least one backend when you install
  just xmlsec1

- Drop the gnutls backend as based on the tests it is quite borked:
  * We still have nss and openssl backend for people to use

Version update to 1.2.27:

* Added AES-GCM support for OpenSSL and MSCNG (snargit).
* Added DSA-SHA256 and ECDSA-SHA384 support for NSS (vmiklos).
* Added RSA-OAEP support for MSCNG (vmiklos).
* Continuous build integration in Travis and Appveyor.
* Several other small fixes (more details).

myspell-dictionaries was updated to 20191219:

* Updated the English dictionaries: GB+US+CA+AU
* Bring shipped Spanish dictionary up to version 2.5


boost was updated to fix:
- add a backport of Boost.Optional::has_value() for LibreOffice

The QR-Code-generator is shipped:

- Initial commit, needed by libreoffice 6.4


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:820-1
Released:    Tue Mar 31 13:02:22 2020
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1167631,CVE-2020-1752
This update for glibc fixes the following issues:

- CVE-2020-1752: Fixed a use after free in glob which could have allowed
  a local attacker to create a specially crafted path that, when processed 
  by the glob function, could potentially have led to arbitrary code execution
  (bsc#1167631).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:834-1
Released:    Tue Mar 31 17:21:34 2020
Summary:     Recommended update for permissions
Type:        recommended
Severity:    moderate
References:  1167163
This update for permissions fixes the following issue:

- whitelist s390-tools set group ID (setgid) bit on log directory. (bsc#1167163)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:846-1
Released:    Thu Apr  2 07:24:07 2020
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  1164950,1166748,1167674
This update for libgcrypt fixes the following issues:

- FIPS: Remove an unneeded check in _gcry_global_constructor (bsc#1164950)
- FIPS: Fix drbg to be threadsafe (bsc#1167674)
- FIPS: Run self-tests from constructor during power-on [bsc#1166748]

  * Set up global_init as the constructor function:
  * Relax the entropy requirements on selftest. This is especially
    important for virtual machines to boot properly before the RNG
    is available:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:850-1
Released:    Thu Apr  2 14:37:31 2020
Summary:     Recommended update for mozilla-nss
Type:        recommended
Severity:    moderate
References:  1155350,1155357,1155360,1166880
This update for mozilla-nss fixes the following issues:

Added various fixes related to FIPS certification:

* Use getrandom() to obtain entropy where possible.
* Make DSA KAT FIPS compliant.
* Use FIPS compliant hash when validating keypair.
* Enforce FIPS requirements on RSA key generation.
* Miscellaneous fixes to CAVS tests.
* Enforce FIPS limits on how much data can be processed without rekeying.
* Run self tests on library initialization in FIPS mode.
* Disable non-compliant algorithms in FIPS mode (hashes and the SEED cipher).
* Clear various temporary variables after use.
* Allow MD5 to be used in TLS PRF.
* Preferentially gather entropy from /dev/random over /dev/urandom.
* Allow enabling FIPS mode consistently with NSS_FIPS environment variable.
* Fix argument parsing bug in lowhashtest.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:917-1
Released:    Fri Apr  3 15:02:25 2020
Summary:     Recommended update for pam
Type:        recommended
Severity:    moderate
References:  1166510
This update for pam fixes the following issues:

- Moved pam_userdb into a separate package pam-extra. (bsc#1166510)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:930-1
Released:    Mon Apr  6 20:23:10 2020
Summary:     Security update for ceph
Type:        security
Severity:    important
References:  1166403,1166484,CVE-2020-1759,CVE-2020-1760
This update for ceph fixes the following issues:

- CVE-2020-1759: Fixed once reuse in msgr V2 secure mode (bsc#1166403)
- CVE-2020-1760: Fixed XSS due to RGW GetObject header-splitting (bsc#1166484).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:948-1
Released:    Wed Apr  8 07:44:21 2020
Summary:     Security update for gmp, gnutls, libnettle
Type:        security
Severity:    moderate
References:  1152692,1155327,1166881,1168345,CVE-2020-11501
This update for gmp, gnutls, libnettle fixes the following issues:

Security issue fixed:

- CVE-2020-11501: Fixed zero random value in DTLS client hello (bsc#1168345)

FIPS related bugfixes:

- FIPS: Install checksums for binary integrity verification which are
  required when running in FIPS mode (bsc#1152692, jsc#SLE-9518)
- FIPS: Fixed a cfb8 decryption issue, no longer truncate output IV if
  input is shorter than block size. (bsc#1166881)
- FIPS: Added Diffie Hellman public key verification test. (bsc#1155327)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:949-1
Released:    Wed Apr  8 07:45:48 2020
Summary:     Recommended update for mozilla-nss
Type:        recommended
Severity:    moderate
References:  1168669
This update for mozilla-nss fixes the following issues:

- Use secure_getenv() to avoid PR_GetEnvSecure() being called when NSPR
  is unavailable, resulting in an abort (bsc#1168669).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:961-1
Released:    Wed Apr  8 13:34:06 2020
Summary:     Recommended update for e2fsprogs
Type:        recommended
Severity:    moderate
References:  1160979
This update for e2fsprogs fixes the following issues:

- e2fsck: clarify overflow link count error message (bsc#1160979)
- ext2fs: update allocation info earlier in ext2fs_mkdir() (bsc#1160979)
- ext2fs: implement dir entry creation in htree directories (bsc#1160979)
- tests: add test to exercise indexed directories with metadata_csum (bsc#1160979)
- tune2fs: update dir checksums when clearing dir_index feature (bsc#1160979)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:967-1
Released:    Thu Apr  9 11:41:53 2020
Summary:     Security update for libssh
Type:        security
Severity:    moderate
References:  1168699,CVE-2020-1730
This update for libssh fixes the following issues:

- CVE-2020-1730: Fixed a possible denial of service when using AES-CTR (bsc#1168699).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:969-1
Released:    Thu Apr  9 11:43:17 2020
Summary:     Security update for permissions
Type:        security
Severity:    moderate
References:  1168364
This update for permissions fixes the following issues:

- Fixed spelling of icinga group (bsc#1168364)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:981-1
Released:    Mon Apr 13 15:43:44 2020
Summary:     Recommended update for rpm
Type:        recommended
Severity:    moderate
References:  1156300
This update for rpm fixes the following issues:

- Fix for language package macros to avoid wrong requirement on shared library. (bsc#1156300)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1026-1
Released:    Fri Apr 17 16:14:43 2020
Summary:     Recommended update for libsolv
Type:        recommended
Severity:    moderate
References:  1159314
This update for libsolv fixes the following issues:

libsolv was updated to version 0.7.11:

- fix solv_zchunk decoding error if large chunks are used (bsc#1159314)
- treat retracted paths as irrelevant
- made add_update_target work with multiversion installs

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1037-1
Released:    Mon Apr 20 10:49:39 2020
Summary:     Recommended update for python-pytest
Type:        recommended
Severity:    low
References:  1002895,1107105,1138666,1167732

This update fixes the following issues:

New python-pytest versions are provided.

In Basesystem:

- python3-pexpect: updated to 4.8.0
- python3-py: updated to 1.8.1
- python3-zipp: shipped as dependency in version 0.6.0

In Python2:

- python2-pexpect: updated to 4.8.0
- python2-py: updated to 1.8.1

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1047-1
Released:    Tue Apr 21 10:33:06 2020
Summary:     Recommended update for gnutls
Type:        recommended
Severity:    moderate
References:  1168835
This update for gnutls fixes the following issues:

- Backport AES XTS support (bsc#1168835)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1061-1
Released:    Wed Apr 22 10:45:41 2020
Summary:     Recommended update for mozilla-nss
Type:        recommended
Severity:    moderate
References:  1169872
This update for mozilla-nss fixes the following issues:

- This implements API mechanisms for performing DSA and ECDSA hash-and-sign in a single call, which will be required in future FIPS cycles (bsc#1169872).
- Always perform nssdbm checksumming on softoken load, even if nssdbm itself is not loaded. 

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1063-1
Released:    Wed Apr 22 10:46:50 2020
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  1165539,1169569
This update for libgcrypt fixes the following issues:

- FIPS: Switch the PCT to use the new signature operation (bsc#1165539)
- FIPS: Verify that the generated signature and the original input differ in test_keys function for RSA, DSA and ECC (bsc#1165539)
- Add zero-padding when qx and qy have different lengths when assembling the Q point from affine coordinates.
- Ship the FIPS checksum file in the shared library package and create a separate trigger file for the FIPS selftests (bsc#1169569)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1069-1
Released:    Wed Apr 22 16:48:00 2020
Summary:     Recommended update for python-six
Type:        recommended
Severity:    moderate
References:  1166139
This update for python-six fixes the following issues:

- Use setuptools for building to support pip 10.x and avoid packages being uninstalled. (bsc#1166139)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1108-1
Released:    Fri Apr 24 16:31:01 2020
Summary:     Recommended update for gnutls
Type:        recommended
Severity:    moderate
References:  1169992
This update for gnutls fixes the following issues:

- FIPS: Do not check for /etc/system-fips which we don't have (bsc#1169992)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1131-1
Released:    Tue Apr 28 11:59:17 2020
Summary:     Recommended update for mozilla-nss
Type:        recommended
Severity:    moderate
References:  1170571,1170572
This update for mozilla-nss fixes the following issues:

- FIPS: Add Softoken POSTs for new DSA and ECDSA hash-and-sign update functions. (bsc#1170571)
- FIPS: Add pairwise consistency check for CKM_SHA224_RSA_PKCS. Remove ditto checks
  for CKM_RSA_PKCS, CKM_DSA and CKM_ECDSA, since these are served
  by the new CKM_SHA224_RSA_PKCS, CKM_DSA_SHA224, CKM_ECDSA_SHA224
  checks.
- FIPS: Replace bad attempt at unconditional nssdbm checksumming with
  a dlopen(), so it can be located consistently and perform its own
  self-tests.
- FIPS: This fixes an instance of inverted logic due to a boolean being mistaken for
  a SECStatus, which caused key derivation to fail when the caller
  provided a valid subprime.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1175-1
Released:    Tue May  5 08:33:43 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1165011,1168076
This update for systemd fixes the following issues:

- Fix check for address to keep interface names stable. (bsc#1168076)
- Fix for checking non-normalized WHAT for network FS. (bsc#1165011)
- Allow to specify an arbitrary string for when vfs is used. (bsc#1165011)

-----------------------------------------------------------------
Advisory ID: SUSE-feature-2020:1196-1
Released:    Wed May  6 13:35:05 2020
Summary:     Update to kubernetes 1.17, podman, cri-o and docs
Type:        feature
Severity:    moderate
References:  1121353,1152334,1157337,1159108,1160460,1162093,1164390,1170173
= Required Actions
== Kubernetes 1.17

In order to update to kubernetes 1.17, follow the instructions in the admin guide https://documentation.suse.com/suse-caasp/4.2/html/caasp-admin/_cluster_updates.html#_updating_kubernetes_components .

Make sure you look at the Release Notes https://www.suse.com/releasenotes/x86_64/SUSE-CAASP/4/#_changes_in_4_3_0 for any known bugs.

== conmon and cri-o

Conmon and cri-o will be updated by `skuba-update`. No action is required from your side. For more info see https://documentation.suse.com/suse-caasp/4.2/html/caasp-admin/_cluster_updates.html#_base_os_updates

== skuba

In order to update skuba, you need to update the admin workstation. See detailed instructions at https://documentation.suse.com/suse-caasp/4.1/html/caasp-admin/_cluster_updates.html#_update_management_workstation
