SUSE-CU-2020:616-1: Security update of harbor/harbor-trivy-adapter

sle-security-updates at lists.suse.com
Wed Nov 4 00:21:26 MST 2020


SUSE Container Update Advisory: harbor/harbor-trivy-adapter
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:616-1
Container Tags        : harbor/harbor-trivy-adapter:2.1.1 , harbor/harbor-trivy-adapter:2.1.1-rev1 , harbor/harbor-trivy-adapter:2.1.1-rev1-build3.11
Container Release     : 3.11
Severity              : important
Type                  : security
References            : 1063412 1082023 1082318 1090638 1095218 1095218 1095219 1095219
                        1100786 1104902 1108562 1110949 1110949 1112230 1112928 1114225
                        1117257 1117969 1118629 1128828 1132350 1136136 1137832 1139937
                        1142614 1148244 1149429 1149792 1149792 1149792 1149792 1154935
                        1156651 1158785 1158785 1158787 1158787 1158788 1158788 1158789
                        1158789 1158790 1158790 1158791 1158791 1158792 1158792 1158793
                        1158793 1158795 1158795 1165050 1165121 1165502 1165580 1167471
                        1167890 1168930 1168930 1169605 1169786 1169786 1169936 1169936
                        1170302 1170741 1170939 1171656 1172040 1172566 1173422 1173799
                        1174918 1175110 1176192 1176435 1176513 1176712 1176740 1176800
                        1176902 1177238 935885 CVE-2017-15298 CVE-2017-17833 CVE-2018-11233
                        CVE-2018-11233 CVE-2018-11235 CVE-2018-11235 CVE-2018-17456 CVE-2018-17456
                        CVE-2018-19486 CVE-2018-20843 CVE-2019-12749 CVE-2019-1348 CVE-2019-1348
                        CVE-2019-1349 CVE-2019-1349 CVE-2019-1350 CVE-2019-1350 CVE-2019-1351
                        CVE-2019-1351 CVE-2019-1352 CVE-2019-1352 CVE-2019-1353 CVE-2019-1353
                        CVE-2019-1354 CVE-2019-1354 CVE-2019-1387 CVE-2019-1387 CVE-2019-15903
                        CVE-2019-19604 CVE-2019-19604 CVE-2019-9893 CVE-2020-11008 CVE-2020-5260
                        CVE-2020-5260 
-----------------------------------------------------------------

The container harbor/harbor-trivy-adapter was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1267-1
Released:    Tue Jul  3 18:09:32 2018
Summary:     Security update for git
Type:        security
Severity:    important
References:  1095218,1095219,CVE-2018-11233,CVE-2018-11235
This update for git to version 2.16.4 fixes several issues.

These security issues were fixed:

- CVE-2018-11233: Path sanity-checks on NTFS allowed attackers to read arbitrary memory (bsc#1095218)
- CVE-2018-11235: Arbitrary code execution when recursively cloning a malicious repository (bsc#1095219)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1292-1
Released:    Mon Jul  9 11:57:14 2018
Summary:     Security update for openslp
Type:        security
Severity:    important
References:  1090638,CVE-2017-17833
This update for openslp fixes the following issues:

- CVE-2017-17833: Prevent a heap-related memory corruption issue which may have
  manifested itself as a denial-of-service or a remote code-execution
  vulnerability (bsc#1090638)
- Prevent out of bounds reads in message parsing

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2232-1
Released:    Mon Oct 15 14:57:55 2018
Summary:     Security update for git
Type:        security
Severity:    important
References:  1110949,CVE-2018-17456
This update for git fixes the following issue:

- CVE-2018-17456: Git allowed remote code execution during processing of a recursive 'git clone' of a superproject if a .gitmodules file has a URL field beginning with a '-' character. (boo#1110949).


-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2485-1
Released:    Fri Oct 26 12:38:01 2018
Summary:     Recommended update for kmod
Type:        recommended
Severity:    moderate
References:  1112928
This update for kmod provides the following fixes:

- Allow 'modprobe -c' to print the status of the 'allow_unsupported_modules' option. (bsc#1112928)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2990-1
Released:    Wed Dec 19 14:16:40 2018
Summary:     Security update for git
Type:        security
Severity:    moderate
References:  1117257,CVE-2018-19486
This update for git fixes the following issue:

Security issue fixed:

- CVE-2018-19486: Fixed an issue where git executed commands from the current working directory (as if '.' were at the end of $PATH) in certain cases involving the run_command() API and run-command.c, because there was (bsc#1117257).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:170-1
Released:    Fri Jan 25 13:43:29 2019
Summary:     Recommended update for kmod
Type:        recommended
Severity:    moderate
References:  1118629
This update for kmod fixes the following issues:

- Fixes module dependency file corruption on parallel invocation (bsc#1118629).
- Allows 'modprobe -c' to print the status of the 'allow_unsupported_modules' option.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1358-1
Released:    Mon May 27 13:51:26 2019
Summary:     Recommended update for rsync
Type:        recommended
Severity:    moderate
References:  1100786,1108562
This update for rsync fixes the following issues:

- rsync invoked with --sparse and --preallocate could have resulted in
  a failure (bsc#1108562)

- Don't require systemd explicitly as it's not present in containers [bsc#1100786].


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1595-1
Released:    Fri Jun 21 10:17:44 2019
Summary:     Security update for dbus-1
Type:        security
Severity:    important
References:  1137832,CVE-2019-12749
This update for dbus-1 fixes the following issue:

Security issue fixed:

- CVE-2019-12749: Fixed an implementation flaw in DBUS_COOKIE_SHA1 which
  could have allowed local attackers to bypass authentication (bsc#1137832).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1835-1
Released:    Fri Jul 12 18:06:31 2019
Summary:     Security update for expat
Type:        security
Severity:    moderate
References:  1139937,CVE-2018-20843
This update for expat fixes the following issue:

Security issue fixed:

- CVE-2018-20843: Fixed a denial of service triggered by high resource consumption
  in the XML parser when XML names contain a large number of colons (bsc#1139937).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1892-1
Released:    Thu Jul 18 15:54:35 2019
Summary:     Recommended update for openslp
Type:        recommended
Severity:    moderate
References:  1117969,1136136
This update for openslp fixes the following issues:

- Use TCP connections to talk to other directory agents (DAs) (bsc#1117969)
- Fix a segfault in predicate matching if a registered service has
  a malformed attribute list (bsc#1136136)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2429-1
Released:    Mon Sep 23 09:28:40 2019
Summary:     Security update for expat
Type:        security
Severity:    moderate
References:  1149429,CVE-2019-15903
This update for expat fixes the following issue:

Security issue fixed:

- CVE-2019-15903: Fixed heap-based buffer over-read caused by crafted XML input. (bsc#1149429)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2517-1
Released:    Wed Oct  2 10:49:20 2019
Summary:     Security update for libseccomp
Type:        security
Severity:    moderate
References:  1082318,1128828,1142614,CVE-2019-9893
This update for libseccomp fixes the following issues:

Security issue fixed:

- CVE-2019-9893: An incorrect generation of syscall filters in libseccomp was fixed (bsc#1128828)

libseccomp was updated to new upstream release 2.4.1:

- Fix a BPF generation bug where the optimizer mistakenly
  identified duplicate BPF code blocks.

libseccomp was updated to 2.4.0 (bsc#1128828 CVE-2019-9893):

- Update the syscall table for Linux v5.0-rc5
- Added support for the SCMP_ACT_KILL_PROCESS action
- Added support for the SCMP_ACT_LOG action and SCMP_FLTATR_CTL_LOG attribute
- Added explicit 32-bit (SCMP_AX_32(...)) and 64-bit (SCMP_AX_64(...)) argument comparison macros to help protect against unexpected sign extension
- Added support for the parisc and parisc64 architectures
- Added the ability to query and set the libseccomp API level via seccomp_api_get(3) and seccomp_api_set(3)
- Return -EDOM on an endian mismatch when adding an architecture to a filter
- Renumber the pseudo syscall number for subpage_prot() so it no longer conflicts with spu_run()
- Fix PFC generation when a syscall is prioritized, but no rule exists
- Numerous fixes to the seccomp-bpf filter generation code
- Switch our internal hashing function from jhash/Lookup3 to MurmurHash3
- Numerous tests added to the included test suite, coverage now at ~92%
- Update our Travis CI configuration to use Ubuntu 16.04
- Numerous documentation fixes and updates

libseccomp was updated to release 2.3.3:

- Updated the syscall table for Linux v4.15-rc7


-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2681-1
Released:    Tue Oct 15 22:01:40 2019
Summary:     Recommended update for libdb-4_8
Type:        recommended
Severity:    moderate
References:  1148244
This update for libdb-4_8 fixes the following issue:

- Add off-page deadlock patch as found and documented by Red Hat.
  (bsc#1148244)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:45-1
Released:    Wed Jan  8 14:56:48 2020
Summary:     Security update for git
Type:        security
Severity:    important
References:  1082023,1149792,1158785,1158787,1158788,1158789,1158790,1158791,1158792,1158793,1158795,CVE-2019-1348,CVE-2019-1349,CVE-2019-1350,CVE-2019-1351,CVE-2019-1352,CVE-2019-1353,CVE-2019-1354,CVE-2019-1387,CVE-2019-19604
This update for git fixes the following issues:

Security issues fixed:

- CVE-2019-1349: Fixed an issue on Windows where, when submodules are cloned recursively, under certain circumstances Git could be fooled into using the same Git directory twice (bsc#1158787).
- CVE-2019-19604: Fixed an issue where a recursive clone followed by a submodule update could execute code contained within the repository without the user explicitly having asked for that (bsc#1158795).
- CVE-2019-1387: Fixed a vulnerability in recursive clones caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones (bsc#1158793).
- CVE-2019-1354: Git on Windows now refuses to write tracked files with filenames that contain backslashes (bsc#1158792).
- CVE-2019-1353: Fixed an issue where, when run in the Windows Subsystem for Linux while accessing a working directory on a regular Windows drive, none of the NTFS protections were active (bsc#1158791).
- CVE-2019-1352: Fixed an issue where Git on Windows was unaware of NTFS Alternate Data Streams (bsc#1158790).
- CVE-2019-1351: Fixed an issue where Git on Windows mistook drive letters outside of the US-English alphabet for relative paths (bsc#1158789).
- CVE-2019-1350: Fixed incorrect quoting of command-line arguments that allowed remote code execution during a recursive clone in conjunction with SSH URLs (bsc#1158788).
- CVE-2019-1348: Fixed an issue where the --export-marks option of fast-import was also exposed via the in-stream command feature export-marks=... and allowed overwriting arbitrary paths (bsc#1158785).
- Fixed an issue where git send-email failed to authenticate with the SMTP server (bsc#1082023)

Bug fixes:

- Add zlib dependency, which used to be provided by openssl-devel, so that the package can compile successfully after the openssl upgrade to 1.1.1. (bsc#1149792).

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2020:52-1
Released:    Thu Jan  9 10:09:11 2020
Summary:     Optional update for openslp
Type:        optional
Severity:    low
References:  1149792
This update for openslp doesn't fix any user visible bugs.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:825-1
Released:    Tue Mar 31 13:30:37 2020
Summary:     Recommended update for openslp
Type:        recommended
Severity:    moderate
References:  1165050,1165121
This update for openslp fixes the following issues:

- Add missing group prerequisites to the openslp-server package. (bsc#1165050)
- Add missing openslp prerequisites to the openslp-server package. (bsc#1165121)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:991-1
Released:    Tue Apr 14 20:07:08 2020
Summary:     Security update for git
Type:        security
Severity:    important
References:  1168930,CVE-2020-5260
This update for git fixes the following issue:

- CVE-2020-5260: With a crafted URL that contains a newline in it, the credential
  helper machinery could be fooled into giving credential information for a wrong host (bsc#1168930).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1121-1
Released:    Tue Apr 28 07:15:43 2020
Summary:     Security update for git
Type:        security
Severity:    moderate
References:  1063412,1095218,1095219,1110949,1112230,1114225,1132350,1149792,1156651,1158785,1158787,1158788,1158789,1158790,1158791,1158792,1158793,1158795,1167890,1168930,1169605,1169786,1169936,CVE-2017-15298,CVE-2018-11233,CVE-2018-11235,CVE-2018-17456,CVE-2019-1348,CVE-2019-1349,CVE-2019-1350,CVE-2019-1351,CVE-2019-1352,CVE-2019-1353,CVE-2019-1354,CVE-2019-1387,CVE-2019-19604,CVE-2020-11008,CVE-2020-5260
This update for git fixes the following issues:

Security issue fixed:

* CVE-2020-11008: Specially crafted URLs may have tricked the
  credential helper into providing credential information that
  is not appropriate for the protocol in use and host being
  contacted (bsc#1169936)

git was updated to 2.26.1 (bsc#1169786, jsc#ECO-1628, bsc#1149792)

- Fix git-daemon not starting after conversion from sysvinit to systemd service
  (bsc#1169605).

* CVE-2020-5260: Specially crafted URLs with newline characters
  could have been used to make the Git client send credential
  information for a wrong host to the attacker's site (bsc#1168930)

git 2.26.0 (bsc#1167890, jsc#SLE-11608):

* 'git rebase' now uses a different backend that is based on the
  'merge' machinery by default. The 'rebase.backend' configuration
  variable reverts to the old behaviour when set to 'apply'
* Improved handling of sparse checkouts
* Improvements to many commands and internal features

git 2.25.2:

* bug fixes to various subcommands in specific operations

git 2.25.1:

* 'git commit' now honors advise.statusHints
* various updates, bug fixes and documentation updates

git 2.25.0

* The branch description ('git branch --edit-description') has been
  used to fill the body of the cover letters by the format-patch
  command; this has been enhanced so that the subject can also be
  filled.
* A few commands learned to take the pathspec from the standard input
  or a named file, instead of taking it as the command line
  arguments, with the '--pathspec-from-file' option.
* Test updates to prepare for the SHA-2 transition continue.
* Redo 'git name-rev' to avoid recursive calls.
* When all files from some subdirectory were renamed to the root
  directory, the directory rename heuristics would fail to detect that
  as a rename/merge of the subdirectory to the root directory, which has
  been corrected.
* HTTP transport had possible allocator/deallocator mismatch, which
  has been corrected.

git 2.24.1:

* CVE-2019-1348: The --export-marks option of fast-import was
  exposed also via the in-stream command feature export-marks=...
  and allowed overwriting arbitrary paths (bsc#1158785)
* CVE-2019-1349: on Windows, when submodules are cloned
  recursively, under certain circumstances Git could be fooled
  into using the same Git directory twice (bsc#1158787)
* CVE-2019-1350: Incorrect quoting of command-line arguments
  allowed remote code execution during a recursive clone in
  conjunction with SSH URLs (bsc#1158788)
* CVE-2019-1351: Git on Windows mistook drive letters outside of
  the US-English alphabet for relative paths (bsc#1158789)
* CVE-2019-1352: Git on Windows was unaware of NTFS Alternate Data
  Streams (bsc#1158790)
* CVE-2019-1353: when run in the Windows Subsystem for Linux
  while accessing a working directory on a regular Windows
  drive, none of the NTFS protections were active (bsc#1158791)
* CVE-2019-1354: Git on Windows now refuses to write tracked files with
  filenames that contain backslashes (bsc#1158792)
* CVE-2019-1387: A vulnerability in recursive clones caused
  by too-lax validation of submodule names, allowing very
  targeted attacks via remote code execution in recursive
  clones (bsc#1158793)
* CVE-2019-19604: a recursive clone followed by a submodule
  update could execute code contained within the repository
  without the user explicitly having asked for that (bsc#1158795)

git 2.24.0

* The command line parser learned '--end-of-options' notation.
* A mechanism to affect the default setting for a (related) group of
  configuration variables is introduced.
* 'git fetch' learned '--set-upstream' option to help those who first
  clone from their private fork they intend to push to, add the true
  upstream via 'git remote add' and then 'git fetch' from it.
* fixes and improvements to UI, workflow and features, bash completion fixes

git 2.23.0:

* The '--base' option of 'format-patch' computed the patch-ids for
  prerequisite patches in an unstable way, which has been updated
  to compute in a way that is compatible with 'git patch-id
  --stable'.
* The 'git log' command by default behaves as if the --mailmap
  option was given.
* fixes and improvements to UI, workflow and features

git 2.22.1

* A relative pathname given to 'git init --template=<path> <repo>'
  ought to be relative to the directory 'git init' gets invoked in,
  but it instead was made relative to the repository, which has been
  corrected.
* 'git worktree add' used to fail when another worktree connected to
  the same repository was corrupt, which has been corrected.
* 'git am -i --resolved' segfaulted after trying to see a commit as
  if it were a tree, which has been corrected.
* 'git merge --squash' is designed to update the working tree and the
  index without creating the commit, and this cannot be countermanded
  by adding the '--commit' option; the command now refuses to work
  when both options are given.
* Update to Unicode 12.1 width table.
* 'git request-pull' learned to warn when the ref we ask them to pull
  from in the local repository and in the published repository are
  different.
* 'git fetch' into a lazy clone forgot to fetch base objects that are
  necessary to complete delta in a thin packfile, which has been
  corrected.
* The URL decoding code has been updated to avoid going past the end
  of the string while parsing %-<hex>-<hex> sequence.
* 'git clean' silently skipped a path when it cannot lstat() it; now
  it gives a warning.
* 'git rm' to resolve a conflicted path leaked an internal message
  'needs merge' before actually removing the path, which was
  confusing. This has been corrected.
* Many more bugfixes and code cleanups.

- removal of SuSEfirewall2 service, since SuSEfirewall2 has been replaced by
  firewalld.

- partial fix for git instaweb giving 500 error (bsc#1112230)

git 2.22.0

* The filter specification '--filter=sparse:path=<path>' used to
  create a lazy/partial clone has been removed. Using a blob that is
  part of the project as sparse specification is still supported with
  the '--filter=sparse:oid=<blob>' option
* 'git checkout --no-overlay' can be used to trigger a new mode of
  checking out paths out of the tree-ish, that allows paths that
  match the pathspec that are in the current index and working tree
  and are not in the tree-ish.
* Four new configuration variables {author,committer}.{name,email}
  have been introduced to override user.{name,email} in more specific
  cases.
* 'git branch' learned a new subcommand '--show-current'.
* The command line completion (in contrib/) has been taught to
  complete more subcommand parameters.
* The completion helper code now pays attention to repository-local
  configuration (when available), which allows --list-cmds to honour
  a repository specific setting of completion.commands, for example.
* The list of conflicted paths shown in the editor while concluding a
  conflicted merge was shown above the scissors line when the
  clean-up mode is set to 'scissors', even though it was commented
  out just like the list of updated paths and other information to
  help the user explain the merge better.
* 'git rebase' that was reimplemented in C did not set ORIG_HEAD
  correctly, which has been corrected.
* 'git worktree add' used to do a 'find an available name with stat
  and then mkdir', which is race-prone. This has been fixed by using
  mkdir and reacting to EEXIST in a loop.

- Move to DocBook 5.x. Asciidoctor 2.x no longer supports the legacy
  DocBook 4.5 format.

- update git-web AppArmor profile for bash and tar usrMerge (bsc#1132350)

git 2.21.0

* Historically, the '-m' (mainline) option can only be used for 'git
  cherry-pick' and 'git revert' when working with a merge commit.
  This version of Git no longer warns or errors out when working with
  a single-parent commit, as long as the argument to the '-m' option
  is 1 (i.e. it has only one parent, and the request is to pick or
  revert relative to that first parent). Scripts that relied on the
  behaviour may get broken with this change.
* Small fixes and features for fast-export and fast-import.
* The 'http.version' configuration variable can be used with recent
  enough versions of cURL library to force the version of HTTP used
  to talk when fetching and pushing.
* 'git push $there $src:$dst' rejects when $dst is not a fully
    qualified refname and it is not clear what the end user meant.
* Update 'git multimail' from the upstream.
* A new date format '--date=human' that morphs its output depending
  on how far the time is from the current time has been introduced.
  '--date=auto:human' can be used to use this new format (or any
  existing format) when the output is going to the pager or to the
  terminal, and otherwise the default format.

- Fix worktree creation race (bsc#1114225).
- add shadow build dependency to the -daemon subpackage.


git 2.20.1:

* portability fixes
* 'git help -a' did not work well when an overly long alias was
  defined
* no longer squelched an error message when the run_command API
  failed to run a missing command

git 2.20.0

* 'git help -a' now gives verbose output (same as 'git help -av').
  Those who want the old output may say 'git help --no-verbose -a'.
* 'git send-email' learned to grab address-looking string on any
  trailer whose name ends with '-by'.
* 'git format-patch' learned new '--interdiff' and '--range-diff'
  options to explain the difference between this version and the
  previous attempt in the cover letter (or after the three-dashes as
   a comment).
* Developer builds now use -Wunused-function compilation option.
* Fix a bug in which the same path could be registered under multiple
  worktree entries if the path was missing (for instance, was removed
  manually).  Also, as a convenience, expand the number of cases in
  which --force is applicable.
* The overly large Documentation/config.txt file has been split into
  a million little pieces.  This potentially allows each individual piece
  to be included into the manual page of the command it affects more easily.
* Malformed or crafted data in packstream can make our code attempt
  to read or write past the allocated buffer and abort, instead of
  reporting an error, which has been fixed.
* Fix for a long-standing bug that leaves the index file corrupt when
  it shrinks during a partial commit.
* 'git merge' and 'git pull' that merges into an unborn branch used
  to completely ignore '--verify-signatures', which has been
  corrected.
* ...and many more features and fixes

git 2.19.2:

* various bug fixes for multiple subcommands and operations

git 2.19.1:

* CVE-2018-17456: Specially crafted .gitmodules files may have
  allowed arbitrary code execution when the repository is cloned
  with --recurse-submodules (bsc#1110949)

git 2.19.0:

* 'git diff' compares the index and the working tree.  For paths
  added with intent-to-add bit, the command shows the full contents
  of them as added, but the paths themselves were not marked as new
  files.  They are now shown as new by default.
* 'git apply' learned the '--intent-to-add' option so that an
  otherwise working-tree-only application of a patch will add new
  paths to the index marked with the 'intent-to-add' bit.
* 'git grep' learned the '--column' option that gives not just the
  line number but the column number of the hit.
* The '-l' option in 'git branch -l' is an unfortunate short-hand for
  '--create-reflog', but many users, both old and new, somehow expect
  it to be something else, perhaps '--list'.  This step warns when '-l'
  is used as a short-hand for '--create-reflog' and warns about the
  future repurposing of it when it is used.
* The userdiff pattern for .php has been updated.
* The content-transfer-encoding of the message 'git send-email' sends
  out by default was 8bit, which can cause trouble when there is an
  overlong line to bust RFC 5322/2822 limit.  A new option 'auto' to
  automatically switch to quoted-printable when there is such a line
  in the payload has been introduced and is made the default.
* 'git checkout' and 'git worktree add' learned to honor
  checkout.defaultRemote when auto-vivifying a local branch out of a
  remote tracking branch in a repository with multiple remotes that
  have tracking branches that share the same names.
  (merge 8d7b558bae ab/checkout-default-remote later to maint).
* 'git grep' learned the '--only-matching' option.
* 'git rebase --rebase-merges' mode now handles octopus merges as
  well.
* Add a server-side knob to skip commits in exponential/fibonacci
  stride in an attempt to cover a wider swath of history with a smaller
  number of iterations, potentially accepting a larger packfile
  transfer, instead of going back one commit at a time during common
  ancestor discovery during the 'git fetch' transaction.
  (merge 42cc7485a2 jt/fetch-negotiator-skipping later to maint).
* A new configuration variable core.usereplacerefs has been added,
  primarily to help server installations that want to ignore the
  replace mechanism altogether.
* Teach 'git tag -s' etc. a few configuration variables (gpg.format
  that can be set to 'openpgp' or 'x509', and gpg.<format>.program
  that is used to specify what program to use to deal with the format)
  to allow x.509 certs with CMS via 'gpgsm' to be used instead of
  openpgp via 'gnupg'.
* Many more strings are prepared for l10n.
* 'git p4 submit' learns to ask its own pre-submit hook if it should
  continue with submitting.
* The test performed at the receiving end of 'git push' to prevent
  bad objects from entering repository can be customized via
  receive.fsck.* configuration variables; we now have gained a
  counterpart to do the same on the 'git fetch' side, with
  fetch.fsck.* configuration variables.
* 'git pull --rebase=interactive' learned 'i' as a short-hand for
  'interactive'.
* 'git instaweb' has been adjusted to run better with newer Apache on
  RedHat based distros.
* 'git range-diff' is a reimplementation of 'git tbdiff' that lets us
  compare individual patches in two iterations of a topic.
* The sideband code learned to optionally paint selected keywords at
  the beginning of incoming lines on the receiving end.
* 'git branch --list' learned to take the default sort order from the
  'branch.sort' configuration variable, just like 'git tag --list'
  pays attention to 'tag.sort'.
* 'git worktree' command learned '--quiet' option to make it less
  verbose.

git 2.18.0:

* improvements to rename detection logic
* When built with more recent cURL, GIT_SSL_VERSION can now
  specify 'tlsv1.3' as its value.
* 'git mergetools' learned to talk to guiffy.
* various other workflow improvements and fixes
* performance improvements and other developer visible fixes

git 2.17.1

* Submodule 'names' come from the untrusted .gitmodules file, but
  we blindly append them to $GIT_DIR/modules to create our on-disk
  repo paths. This means you can do bad things by putting '../'
  into the name. We now enforce some rules for submodule names
  which will cause Git to ignore these malicious names
  (CVE-2018-11235, bsc#1095219)
* It was possible to trick the code that sanity-checks paths on
  NTFS into reading random piece of memory
  (CVE-2018-11233, bsc#1095218)
* Support on the server side to reject pushes to repositories
  that attempt to create such problematic .gitmodules file etc.
  as tracked contents, to help hosting sites protect their
  customers by preventing malicious contents from spreading.
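The three git changelog entries above (2.17.1, 2.19.1 and the 2.26.x credential-helper fixes in SUSE-SU-2020:1121-1) describe the same kind of defect from the defender's side: fields of the untrusted .gitmodules file were used without validation. The following Python audit is an added example for this page, not SUSE's or git's own code. It parses a .gitmodules file and flags the three classes of entry the advisories name: a submodule name with a '..' path component, which would escape $GIT_DIR/modules (CVE-2018-11235); a url beginning with '-', which a recursive clone would hand to a subprocess as an option (CVE-2018-17456); and a url carrying a newline, which confused the credential helper (CVE-2020-5260, CVE-2020-11008). Two points go beyond the advisory text and are assumptions: the check also rejects names that start with '-', mirroring the url rule, and it treats a percent-encoded newline (%0a, %0d) the same as a literal one because git decodes the URL before the credential lookup. The sample .gitmodules content is constructed for the example.

```python
"""Audit a .gitmodules file for the malformed entries described in the git advisories.

Added example for this page (not SUSE's or git's code). Each check is named after
the advisory class it corresponds to so findings can be read against the changelog.
"""
import re

# Constructed sample .gitmodules (not from the page): one clean entry and three
# entries that each trip exactly one of the checks below.
SAMPLE_GITMODULES = """\
[submodule "libs/good"]
\tpath = libs/good
\turl = https://example.invalid/good.git
[submodule "../../escape"]
\tpath = escape
\turl = https://example.invalid/escape.git
[submodule "dash"]
\tpath = dash
\turl = -not-a-url
[submodule "newline"]
\tpath = newline
\turl = https://one.example.invalid/repo.git%0ahost=two.example.invalid
"""

SECTION_RE = re.compile(r'^\[submodule\s+"(?P<name>.*)"\]\s*$')
KEY_RE = re.compile(r'^\s*(?P<key>[A-Za-z][\w-]*)\s*=\s*(?P<value>.*?)\s*$')


def unquote_config_value(raw):
    # git-config values may be double-quoted, with backslash escapes for
    # newline (\n), tab (\t), quote (\") and backslash (\\).
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        escapes = {'n': '\n', 't': '\t'}
        return re.sub(r'\\(.)', lambda m: escapes.get(m.group(1), m.group(1)), raw[1:-1])
    return raw


def parse_gitmodules(text):
    """Return {submodule name: {key: value}} for every [submodule "..."] section."""
    modules, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(('#', ';')):
            continue  # blank line or comment
        section = SECTION_RE.match(line)
        if section:
            current = modules.setdefault(section.group('name'), {})
            continue
        kv = KEY_RE.match(line)
        if kv and current is not None:
            current[kv.group('key').lower()] = unquote_config_value(kv.group('value'))
    return modules


def check_submodule_name(name):
    """Findings for a name that git would append to $GIT_DIR/modules unsafely."""
    findings = []
    if not name:
        findings.append('empty submodule name')
    elif name.startswith('-'):
        # Assumption for this example: treat a leading '-' in the name like one in the url.
        findings.append("submodule name starts with '-'")
    # Split on both separators so a '..' component is caught on Windows-style names too.
    if any(part == '..' for part in re.split(r'[\\/]', name)):
        findings.append("submodule name contains a '..' path component (CVE-2018-11235 class)")
    return findings


def check_submodule_url(url):
    """Findings for a url that a recursive clone or credential lookup would mishandle."""
    findings = []
    if url.startswith('-'):
        findings.append("url begins with '-' (CVE-2018-17456 class)")
    # Literal CR/LF, or the percent-encoded forms git decodes before the credential lookup.
    if re.search(r'[\r\n]', url) or re.search(r'%0[aAdD]', url):
        findings.append('url carries a newline, literal or percent-encoded (CVE-2020-5260 class)')
    return findings


def audit_gitmodules(text):
    """Map each problematic submodule name to its findings; clean entries are omitted."""
    report = {}
    for name, entry in parse_gitmodules(text).items():
        findings = check_submodule_name(name) + check_submodule_url(entry.get('url', ''))
        if findings:
            report[name] = findings
    return report


if __name__ == '__main__':
    for name, findings in audit_gitmodules(SAMPLE_GITMODULES).items():
        print(f'[submodule "{name}"]')
        for finding in findings:
            print('  -', finding)
```

Run against a real repository with `audit_gitmodules(open('.gitmodules').read())`; an empty report means none of the three patterns is present. The parser is deliberately small and only understands the subset of git-config syntax that .gitmodules uses (section headers, key = value, double-quoted values), which is enough for a pre-receive or CI check of the kind the 2.17.1 entry above describes for hosting sites.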

git 2.17.0:

* 'diff' family of commands learned '--find-object=<object-id>' option
  to limit the findings to changes that involve the named object.
* 'git format-patch' learned to give 72-cols to diffstat, which is
  consistent with other line length limits the subcommand uses for
  its output meant for e-mails.
* The log from 'git daemon' can be redirected with a new option; one
  relevant use case is to send the log to standard error (instead of
  syslog) when running it from inetd.
* 'git rebase' learned to take '--allow-empty-message' option.
* 'git am' has learned the '--quit' option, in addition to the
  existing '--abort' option; having the pair mirrors a few other
  commands like 'rebase' and 'cherry-pick'.
* 'git worktree add' learned to run the post-checkout hook, just like
  'git clone' runs it upon the initial checkout.
* 'git tag' learned an explicit '--edit' option that allows the
  message given via '-m' and '-F' to be further edited.
* 'git fetch --prune-tags' may be used as a handy short-hand for
  getting rid of stale tags that are locally held.
* The new '--show-current-patch' option gives an end-user facing way
  to get the diff being applied when 'git rebase' (and 'git am')
  stops with a conflict.
* 'git add -p' used to offer '/' (look for a matching hunk) as a
  choice, even when there was only one hunk, which has been corrected.
  Also the single-key help is now given only for keys that are
  enabled (e.g. help for '/' won't be shown when there is only one
  hunk).
* Since Git 1.7.9, 'git merge' defaulted to --no-ff (i.e. even when
  the side branch being merged is a descendant of the current commit,
  create a merge commit instead of fast-forwarding) when merging a
  tag object.  This was an appropriate default for integrators who pull
  signed tags from their downstream contributors, but caused
  unnecessary merges when used by downstream contributors who
  habitually 'catch up' their topic branches with tagged releases
  from the upstream.  Update 'git merge' to default to --no-ff only
  when merging a tag object that does *not* sit at its usual place in
  the refs/tags/ hierarchy, and allow fast-forwarding otherwise, to
  mitigate the problem.
* 'git status' can spend a lot of cycles to compute the relation
  between the current branch and its upstream, which can now be
  disabled with '--no-ahead-behind' option.
* 'git diff' and friends learned funcname patterns for Go language
  source files.
* 'git send-email' learned '--reply-to=<address>' option.
* Funcname pattern used for C# now recognizes 'async' keyword.
* In a way similar to how 'git tag' learned to honor the pager
  setting only in the list mode, 'git config' learned to ignore the
  pager setting when it is used for setting values (i.e. when the
  purpose of the operation is not to 'show').

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1340-1
Released:    Tue May 19 13:26:34 2020
Summary:     Recommended update for git
Type:        recommended
Severity:    moderate
References:  1149792,1169786,1169936,1170302,1170741,1170939
This update for git to version 2.26.2 fixes the following issues:

- Fixed git-daemon not starting after conversion from sysvinit to systemd service (bsc#1169605).
- Enabled access for git-daemon in firewall configuration (bsc#1170302).
- Fixed problems with recent switch to protocol v2, which caused fetches transferring unreasonable amount of data (bsc#1170741).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1370-1
Released:    Thu May 21 19:06:00 2020
Summary:     Recommended update for systemd-presets-branding-SLE
Type:        recommended
Severity:    moderate
References:  1171656
This update for systemd-presets-branding-SLE fixes the following issue:

Cleanup of outdated autostart services (bsc#1171656):
- Remove acpid.service. acpid is only available on SLE via openSUSE
  backports.  In openSUSE acpid.service is *not* autostarted. I see no
  reason why it should be on SLE.
- Remove spamassassin.timer. This timer never seems to have existed.
  Instead spamassassin ships a 'sa-update.timer'. But it is not
  default-enabled and nobody ever complained about this.
- Remove snapd.apparmor.service: This service was proactively added a year
  ago, but snapd didn't even make it into openSUSE yet. There's no reason
  to keep this entry unless snapd actually enters SLE which is not
  foreseeable.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1795-1
Released:    Mon Jun 29 11:22:45 2020
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    important
References:  1172566
This update for lvm2 fixes the following issue:

- Fix potential data loss problem with LVM cache (bsc#1172566)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2018-1
Released:    Thu Jul 23 09:35:42 2020
Summary:     Recommended update for apparmor
Type:        recommended
Severity:    moderate
References:  1172040
This update for apparmor fixes the following issue:

- Add 'UI_Showfile' so Yast shows the profile correctly. (bsc#1172040)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2638-1
Released:    Tue Sep 15 15:41:32 2020
Summary:     Recommended update for cryptsetup
Type:        recommended
Severity:    moderate
References:  1165580
This update for cryptsetup fixes the following issue:

Update from version 2.0.5 to version 2.0.6. (jsc#SLE-5911, bsc#1165580)

- Fix support of larger metadata areas in *LUKS2* header.

  This release properly supports all metadata area sizes specified in the
  *LUKS2* format description.
  Currently, only the default metadata area size is used (in format or convert).
  Later cryptsetup versions will allow increasing this metadata area size.

- If *AEAD* (authenticated encryption) is used, cryptsetup now tries to check
  if the requested *AEAD* algorithm with specified key size is available in kernel crypto API.
  This change avoids formatting a device that cannot be later activated.

  For this function, the kernel must be compiled with the *CONFIG_CRYPTO_USER_API_AEAD* option enabled. 
  Note that kernel user crypto API options (*CONFIG_CRYPTO_USER_API* and *CONFIG_CRYPTO_USER_API_SKCIPHER*) 
  are already mandatory for LUKS2.

- Fix setting of the integrity no-journal flag. The flag can now be stored in the metadata using the *--persistent* option.

- Fix cryptsetup-reencrypt to not keep temporary reencryption headers if interrupted during initial password prompt.

- Add an early check to plain and LUKS2 formats that refuses to format a device whose size is not aligned
  to the requested sector size. Previously the format succeeded and the kernel later refused to activate the device.

- Check hash algorithm availability for *PBKDF* early. Previously *LUKS2* format accepted a non-existent hash
  algorithm, producing an invalid keyslot that prevented the device from activating.

- Allow Adiantum cipher construction (a non-authenticated length-preserving fast encryption scheme), so it can be used
  both for data encryption and keyslot encryption in *LUKS1/2* devices.

  For benchmark, use:
    
      # cryptsetup benchmark -c xchacha12,aes-adiantum
      # cryptsetup benchmark -c xchacha20,aes-adiantum

  For LUKS format:
  
      # cryptsetup luksFormat -c xchacha20,aes-adiantum-plain64 -s 256 <device>
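
  The AEAD availability check described above depends on the kernel user crypto
  API being built. The following is an added example for this advisory, not code
  from cryptsetup or SUSE: a pre-flight script that parses a kernel .config for the
  three CONFIG_CRYPTO_USER_API* options and parses the /proc/crypto record format to
  confirm the requested AEAD algorithm is registered with a passed self-test. The
  sample config files and /proc/crypto excerpt are constructed; on a live host point
  the functions at /boot/config-$(uname -r) and /proc/crypto. The function names and
  the algorithm name 'gcm(aes)' are assumptions for the example.

```shell
#!/bin/sh
# Added example, not cryptsetup's or SUSE's code: pre-flight checks for a
# LUKS2 AEAD (--integrity) format, approximating what cryptsetup 2.0.6
# verifies through the kernel user crypto API before formatting.
#
# Assumptions: a kernel .config in the usual "CONFIG_X=y|m" /
# "# CONFIG_X is not set" syntax, and /proc/crypto in its blank-line
# separated "key : value" record format. The sample files below are
# constructed for this example.

# kconfig_enabled OPTION FILE
# 0 if OPTION is built in (=y) or modular (=m); 1 if unset or absent.
kconfig_enabled() {
    grep -Eq "^$1=(y|m)"'$' "$2"
}

# crypto_type_available NAME TYPE FILE
# 0 if FILE (in /proc/crypto format) has a record with the given name
# and type whose self-test passed; 1 otherwise.
crypto_type_available() {
    awk -v want_name="$1" -v want_type="$2" '
        function flush() {
            if (name == want_name && type == want_type && selftest == "passed")
                found = 1
            name = ""; type = ""; selftest = ""
        }
        /^[ \t]*$/          { flush(); next }
        /^name[ \t]*:/      { sub(/^[^:]*:[ \t]*/, ""); name = $0 }
        /^type[ \t]*:/      { sub(/^[^:]*:[ \t]*/, ""); type = $0 }
        /^selftest[ \t]*:/  { sub(/^[^:]*:[ \t]*/, ""); selftest = $0 }
        END { flush(); exit (found ? 0 : 1) }
    ' "$3"
}

# aead_ready ALGORITHM CONFIG_FILE PROC_CRYPTO_FILE
# Both conditions the advisory names: the AF_ALG options LUKS2 with AEAD
# depends on, and the algorithm itself being registered in the kernel.
aead_ready() {
    for opt in CONFIG_CRYPTO_USER_API CONFIG_CRYPTO_USER_API_SKCIPHER \
               CONFIG_CRYPTO_USER_API_AEAD; do
        kconfig_enabled "$opt" "$2" || { echo "$opt is not enabled" >&2; return 1; }
    done
    crypto_type_available "$1" aead "$3" ||
        { echo "no AEAD algorithm '$1' with a passed self-test" >&2; return 1; }
}

# Constructed sample inputs (not taken from a real host).
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/config-aead" <<'EOF'
CONFIG_CRYPTO_USER_API=y
CONFIG_CRYPTO_USER_API_SKCIPHER=y
CONFIG_CRYPTO_USER_API_AEAD=m
EOF
cat > "$TMP/config-noaead" <<'EOF'
CONFIG_CRYPTO_USER_API=y
CONFIG_CRYPTO_USER_API_SKCIPHER=y
# CONFIG_CRYPTO_USER_API_AEAD is not set
EOF
cat > "$TMP/proc-crypto" <<'EOF'
name         : gcm(aes)
driver       : gcm_base(ctr(aes-generic),ghash-generic)
module       : gcm
priority     : 100
refcnt       : 1
selftest     : passed
internal     : no
type         : aead
async        : no
blocksize    : 1
ivsize       : 12
maxauthsize  : 16
geniv        : <none>

name         : xts(aes)
driver       : xts(ecb(aes-generic))
module       : xts
priority     : 100
refcnt       : 1
selftest     : passed
internal     : no
type         : skcipher
async        : no
blocksize    : 16
min keysize  : 32
max keysize  : 64
ivsize       : 16
EOF

aead_ready 'gcm(aes)' "$TMP/config-aead" "$TMP/proc-crypto" &&
    echo "gcm(aes): kernel prerequisites for a LUKS2 AEAD format are present"
aead_ready 'gcm(aes)' "$TMP/config-noaead" "$TMP/proc-crypto" ||
    echo "refusing to format: cryptsetup could not probe the AEAD cipher on this kernel"
```

  A registered algorithm in /proc/crypto is necessary but not sufficient: cryptsetup's
  own check goes through an AF_ALG socket with the requested key size, which this
  script does not reproduce, so treat it as a fast way to spot the missing
  CONFIG_CRYPTO_USER_API_AEAD case before the tool reports it.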

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2781-1
Released:    Tue Sep 29 11:29:34 2020
Summary:     Recommended update for openssh
Type:        recommended
Severity:    moderate
References:  1173799
This update for openssh fixes the following issue:

- This uses OpenSSL's RAND_bytes() directly instead of the internal
  ChaCha20-based implementation to obtain random bytes for Ed25519
  curve computations. This is required for FIPS compliance. (bsc#1173799).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2850-1
Released:    Fri Oct  2 12:26:03 2020
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    moderate
References:  1175110
This update for lvm2 fixes the following issue:

- Fixed an issue where LVM hot spares were not added automatically. (bsc#1175110)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3048-1
Released:    Tue Oct 27 16:04:52 2020
Summary:     Recommended update for libsolv, libzypp, yaml-cpp, zypper
Type:        recommended
Severity:    moderate
References:  1174918,1176192,1176435,1176712,1176740,1176902,1177238,935885
This update for libsolv, libzypp, yaml-cpp, zypper fixes the following issues:

libzypp was updated to 17.25.1:

- When kernel-rt has been installed, the purge-kernels service fails during boot. (bsc#1176902)
- Use package name provides as group key in purge-kernel (bsc#1176740 bsc#1176192)
  kernel-default-base has new packaging, where the kernel uname -r
  does not reflect the full package version anymore. This patch
  adds additional logic to use the most generic/shortest edition
  each package provides with %{packagename}=<version> to group the
  kernel packages instead of the rpm versions.
  This also changes how the keep-spec for specific versions is
  applied, instead of matching the package versions, each of the
  package name provides will be matched.
- RepoInfo: Return the type of the local metadata cache as
  fallback (bsc#1176435)
- VendorAttr: Fix broken 'suse,opensuse' equivalence handling.
  Enhance API and testcases. (bsc#1174918)
- Update docs regarding 'opensuse' namespace matching.
- Link against libzstd to close libsolvs open references
  (as we link statically)

yaml-cpp:

- The libyaml-cpp0_6 library package is added to the Basesystem module, the LTSS and ESPOS
  channels, and the INSTALLER channels, as a new libzypp dependency.

  No source changes were done to yaml-cpp.

zypper was updated to 1.14.40:

- info: Assume descriptions starting with '<p>' are richtext
  (bsc#935885)
- help: prevent 'whatis' from writing to stderr (bsc#1176712)
- wp: point out that command is aliased to a search command and
  searches case-insensitive (jsc#SLE-16271)

libsolv was updated to 0.7.15 to fix:

- make testcase_mangle_repo_names deal correctly with freed repos
  [bsc#1177238]
- fix deduceq2addedmap clearing bits outside of the map
- conda: feature depriorization first
- conda: fix startswith implementation
- move find_update_seeds() call in cleandeps calculation
- set SOLVABLE_BUILDHOST in rpm and rpmmd parsers
- new testcase_mangle_repo_names() function
- new solv_fmemopen() function

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3138-1
Released:    Tue Nov  3 12:14:03 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1104902,1154935,1165502,1167471,1173422,1176513,1176800
This update for systemd fixes the following issues:

- seccomp: shm{get,at,dt} now have their own numbers everywhere (bsc#1173422)
- test-seccomp: log function names
- test-seccomp: add log messages when skipping tests
- basic/virt: Detect PowerVM hypervisor (bsc#1176800)
- fs-util: suppress world-writable warnings if we read /dev/null
- udevadm: rename option '--log-priority' into '--log-level'
- udev: rename kernel option 'log_priority' into 'log_level'
- fstab-generator: add 'nofail' when the NFS 'bg' option is used (bsc#1176513)
- Fix memory protection default (bsc#1167471)
- cgroup: Support 0-value for memory protection directives and accept MemorySwapMax=0 (bsc#1154935)
- Improve latency and reliability when users log in/out (bsc#1104902, bsc#1165502)
