SUSE-CU-2020:699-1: Security update of ses/7/ceph/ceph

sle-security-updates at lists.suse.com sle-security-updates at lists.suse.com
Thu Nov 26 00:12:54 MST 2020


SUSE Container Update Advisory: ses/7/ceph/ceph
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:699-1
Container Tags        : ses/7/ceph/ceph:15.2.5.514 , ses/7/ceph/ceph:15.2.5.514.4.18 , ses/7/ceph/ceph:latest , ses/7/ceph/ceph:sle15.2.octopus
Container Release     : 4.18
Severity              : important
Type                  : security
References            : 1090767 1096515 1097410 1106873 1119069 1119069 1119105 1120374
                        1121045 1121207 1122983 1140868 1141322 1141322 1149792 1155350
                        1155357 1155360 1158527 1159819 1159819 1160790 1161088 1161089
                        1161573 1161670 1164076 1165828 1166880 1167494 1168416 1168669
                        1168669 1169042 1169746 1169872 1169997 1170571 1170572 1170908
                        1171978 1172807 1172807 1172816 1173032 1173391 1173560 1174230
                        1174232 1174593 1174697 1176116 1176173 1176173 1176256 1176257
                        1176258 1176259 1176285 1176325 1176384 1176756 1176899 1177458
                        1177490 1177510 1177699 1177811 1177858 1177939 1177977 1178217
                        1178387 1178512 1178727 996146 CVE-2018-0495 CVE-2018-12384 CVE-2018-12404
                        CVE-2018-12404 CVE-2018-12405 CVE-2018-17466 CVE-2018-18492 CVE-2018-18493
                        CVE-2018-18494 CVE-2018-18498 CVE-2018-18500 CVE-2018-18501 CVE-2018-18505
                        CVE-2018-18508 CVE-2019-11709 CVE-2019-11711 CVE-2019-11712 CVE-2019-11713
                        CVE-2019-11715 CVE-2019-11717 CVE-2019-11719 CVE-2019-11729 CVE-2019-11730
                        CVE-2019-11745 CVE-2019-16785 CVE-2019-16786 CVE-2019-16789 CVE-2019-16792
                        CVE-2019-17006 CVE-2019-17006 CVE-2019-9811 CVE-2020-12399 CVE-2020-12402
                        CVE-2020-15166 CVE-2020-15673 CVE-2020-15676 CVE-2020-15677 CVE-2020-15678
                        CVE-2020-15683 CVE-2020-15969 CVE-2020-25692 CVE-2020-28196 
-----------------------------------------------------------------

The container ses/7/ceph/ceph was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1334-1
Released:    Tue Jul 17 09:06:41 2018
Summary:     Recommended update for mozilla-nss
Type:        recommended
Severity:    moderate
References:  1096515
This update for mozilla-nss provides the following fixes:

- Update to NSS 3.36.4 required by Firefox 60.0.2. (bsc#1096515)
- Fix a problem that would cause connections to a server that was recently upgraded to TLS
  1.3 to result in a SSL_RX_MALFORMED_SERVER_HELLO error.
- Fix a rare bug with PKCS#12 files.
- Use relro linker option.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:3044-1
Released:    Fri Dec 21 18:47:21 2018
Summary:     Security update for MozillaFirefox, mozilla-nspr and mozilla-nss
Type:        security
Severity:    important
References:  1097410,1106873,1119069,1119105,CVE-2018-0495,CVE-2018-12384,CVE-2018-12404,CVE-2018-12405,CVE-2018-17466,CVE-2018-18492,CVE-2018-18493,CVE-2018-18494,CVE-2018-18498
This update for MozillaFirefox, mozilla-nss and mozilla-nspr fixes the following issues:

Issues fixed in MozillaFirefox:

- Update to Firefox ESR 60.4 (bsc#1119105)
- CVE-2018-17466: Fixed a buffer overflow and out-of-bounds read in ANGLE library with TextureStorage11
- CVE-2018-18492: Fixed a use-after-free with select element
- CVE-2018-18493: Fixed a buffer overflow in accelerated 2D canvas with Skia
- CVE-2018-18494: Fixed a Same-origin policy violation using location attribute and performance.getEntries
  to steal cross-origin URLs
- CVE-2018-18498: Fixed a integer overflow when calculating buffer sizes for images
- CVE-2018-12405: Fixed a few memory safety bugs

Issues fixed in mozilla-nss:

- Update to NSS 3.40.1 (bsc#1119105)
- CVE-2018-12404: Fixed a cache side-channel variant of the Bleichenbacher attack (bsc#1119069)
- CVE-2018-12384: Fixed an issue in the SSL handshake. NSS responded to an
  SSLv2-compatible ClientHello with a ServerHello that had an all-zero random. (bsc#1106873)
- CVE-2018-0495: Fixed a memory-cache side-channel attack with ECDSA signatures (bsc#1097410)
- Fixed a decryption failure during FFDHE key exchange
- Various security fixes in the ASN.1 code

Issues fixed in mozilla-nspr:

- Update mozilla-nspr to 4.20 (bsc#1119105)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:91-1
Released:    Tue Jan 15 14:14:43 2019
Summary:     Recommended update for mozilla-nss
Type:        recommended
Severity:    moderate
References:  1090767,1121045,1121207
This update for mozilla-nss fixes the following issues:

- The hmac packages used in FIPS certification inadvertently removed in last update: re-added. (bsc#1121207)
- Added 'Suggest:' for libfreebl3 and libsoftokn3 respective -hmac packages to avoid dependency issues during updates (bsc#1090767, bsc#1121045)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:273-1
Released:    Wed Feb  6 16:48:18 2019
Summary:     Security update for MozillaFirefox
Type:        security
Severity:    important
References:  1119069,1120374,1122983,CVE-2018-12404,CVE-2018-18500,CVE-2018-18501,CVE-2018-18505
This update for MozillaFirefox, mozilla-nss fixes the following issues:

Security issues fixed:

- CVE-2018-18500: Fixed a use-after-free parsing HTML5 stream (bsc#1122983).
- CVE-2018-18501: Fixed multiple memory safety bugs (bsc#1122983).
- CVE-2018-18505: Fixed a privilege escalation through IPC channel messages (bsc#1122983).
- CVE-2018-12404: Cache side-channel variant of the Bleichenbacher attack (bsc#1119069).

Non-security issue fixed:

- Update to MozillaFirefox ESR 60.5.0
- Update to mozilla-nss 3.41.1

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1869-1
Released:    Wed Jul 17 14:03:20 2019
Summary:     Security update for MozillaFirefox
Type:        security
Severity:    important
References:  1140868,CVE-2019-11709,CVE-2019-11711,CVE-2019-11712,CVE-2019-11713,CVE-2019-11715,CVE-2019-11717,CVE-2019-11719,CVE-2019-11729,CVE-2019-11730,CVE-2019-9811
This update for MozillaFirefox, mozilla-nss fixes the following issues:

MozillaFirefox to version ESR 60.8:

- CVE-2019-9811: Sandbox escape via installation of malicious language pack (bsc#1140868).
- CVE-2019-11711: Script injection within domain through inner window reuse (bsc#1140868).
- CVE-2019-11712: Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects (bsc#1140868).
- CVE-2019-11713: Use-after-free with HTTP/2 cached stream (bsc#1140868).
- CVE-2019-11729: Empty or malformed p256-ECDH public keys may trigger a segmentation fault (bsc#1140868).
- CVE-2019-11715: HTML parsing error can contribute to content XSS (bsc#1140868).
- CVE-2019-11717: Caret character improperly escaped in origins (bsc#1140868).
- CVE-2019-11719: Out-of-bounds read when importing curve25519 private key (bsc#1140868).
- CVE-2019-11730: Same-origin policy treats all files in a directory as having the same-origin (bsc#1140868).
- CVE-2019-11709: Multiple Memory safety bugs fixed (bsc#1140868).

mozilla-nss to version 3.44.1:

* Added IPSEC IKE support to softoken 
* Many new FIPS test cases

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2142-1
Released:    Wed Aug 14 18:14:04 2019
Summary:     Recommended update for mozilla-nspr, mozilla-nss
Type:        recommended
Severity:    moderate
References:  1141322

  
This update for mozilla-nspr, mozilla-nss fixes the following issues:

mozilla-nss was updated to NSS 3.45 (bsc#1141322) :

* New function in pk11pub.h: PK11_FindRawCertsWithSubject
* The following CA certificates were Removed:
  CN = Certinomis - Root CA (bmo#1552374)
* Implement Delegated Credentials (draft-ietf-tls-subcerts) (bmo#1540403)
  This adds a new experimental function SSL_DelegateCredential
  Note: In 3.45, selfserv does not yet support delegated credentials (See bmo#1548360).
  Note: In 3.45 the SSLChannelInfo is left unmodified, while an upcoming change in 3.46 will set SSLChannelInfo.authKeyBits to that of the delegated credential for better policy enforcement (See bmo#1563078).
* Replace ARM32 Curve25519 implementation with one from fiat-crypto (bmo#1550579)
* Expose a function PK11_FindRawCertsWithSubject for finding certificates with a given subject on a given slot (bmo#1552262)
* Add IPSEC IKE support to softoken (bmo#1546229)
* Add support for the Elbrus lcc compiler (<=1.23) (bmo#1554616)
* Expose an external clock for SSL (bmo#1543874)
  This adds new experimental functions: SSL_SetTimeFunc, 
  SSL_CreateAntiReplayContext, SSL_SetAntiReplayContext, and 
  SSL_ReleaseAntiReplayContext.
  The experimental function SSL_InitAntiReplay is removed.
* Various changes in response to the ongoing FIPS review (bmo#1546477)
  Note: The source package size has increased substantially due to the new FIPS test vectors. This will likely prompt follow-on work, but please accept our apologies in the meantime.

mozilla-nspr was updated to version 4.21

* Changed prbit.h to use builtin function on aarch64.
* Removed Gonk/B2G references.  


-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2777-1
Released:    Thu Oct 24 16:13:20 2019
Summary:     Recommended update for fipscheck
Type:        recommended
Severity:    moderate
References:  1149792
This update for fipscheck fixes the following issues:

- Remove #include of unused fips.h to fix build with OpenSSL 1.1.1
  (bsc#1149792)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3395-1
Released:    Mon Dec 30 14:05:06 2019
Summary:     Security update for mozilla-nspr, mozilla-nss
Type:        security
Severity:    moderate
References:  1141322,1158527,1159819,CVE-2018-18508,CVE-2019-11745,CVE-2019-17006
This update for mozilla-nspr, mozilla-nss fixes the following issues:

mozilla-nss was updated to NSS 3.47.1:

Security issues fixed:

- CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819).
- CVE-2019-11745: EncryptUpdate should use maxout, not block size (bsc#1158527).
- CVE-2019-11727: Fixed vulnerability sign CertificateVerify with PKCS#1 v1.5 signatures issue (bsc#1141322).

mozilla-nspr was updated to version 4.23:

- Whitespace in C files was cleaned up and no longer uses tab characters for indenting.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:850-1
Released:    Thu Apr  2 14:37:31 2020
Summary:     Recommended update for mozilla-nss
Type:        recommended
Severity:    moderate
References:  1155350,1155357,1155360,1166880
This update for mozilla-nss fixes the following issues:

Added various fixes related to FIPS certification:

* Use getrandom() to obtain entropy where possible.
* Make DSA KAT FIPS compliant.
* Use FIPS compliant hash when validating keypair.
* Enforce FIPS requirements on RSA key generation.
* Miscellaneous fixes to CAVS tests.
* Enforce FIPS limits on how much data can be processed without rekeying.
* Run self tests on library initialization in FIPS mode.
* Disable non-compliant algorithms in FIPS mode (hashes and the SEED cipher).
* Clear various temporary variables after use.
* Allow MD5 to be used in TLS PRF.
* Preferentially gather entropy from /dev/random over /dev/urandom.
* Allow enabling FIPS mode consistently with NSS_FIPS environment variable.
* Fix argument parsing bug in lowhashtest.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:949-1
Released:    Wed Apr  8 07:45:48 2020
Summary:     Recommended update for mozilla-nss
Type:        recommended
Severity:    moderate
References:  1168669
This update for mozilla-nss fixes the following issues:

- Use secure_getenv() to avoid PR_GetEnvSecure() being called when NSPR
  is unavailable, resulting in an abort (bsc#1168669).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1055-1
Released:    Tue Apr 21 15:53:44 2020
Summary:     Recommended update for patterns-server-enterprise
Type:        recommended
Severity:    moderate
References:  1168416,1169042
This update for patterns-server-enterprise fixes the following issues:

- added libgnutls30-hmac to the FIPS pattern. (bsc#1169042 bsc#1168416)
- remove strongswan-hmac-32bit (not used currently)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1061-1
Released:    Wed Apr 22 10:45:41 2020
Summary:     Recommended update for mozilla-nss
Type:        recommended
Severity:    moderate
References:  1169872
This update for mozilla-nss fixes the following issues:

- This implements API mechanisms for performing DSA and ECDSA hash-and-sign in a single call, which will be required in future FIPS cycles (bsc#1169872).
- Always perform nssdbm checksumming on softoken load, even if nssdbm itself is not loaded. 

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1131-1
Released:    Tue Apr 28 11:59:17 2020
Summary:     Recommended update for mozilla-nss
Type:        recommended
Severity:    moderate
References:  1170571,1170572
This update for mozilla-nss fixes the following issues:

- FIPS: Add Softoken POSTs for new DSA and ECDSA hash-and-sign update functions. (bsc#1170571)
- FIPS: Add pairwise consistency check for CKM_SHA224_RSA_PKCS. Remove ditto checks
  for CKM_RSA_PKCS, CKM_DSA and CKM_ECDSA, since these are served
  by the new CKM_SHA224_RSA_PKCS, CKM_DSA_SHA224, CKM_ECDSA_SHA224
  checks.
- FIPS: Replace bad attempt at unconditional nssdbm checksumming with
  a dlopen(), so it can be located consistently and perform its own
  self-tests.
- FIPS: This fixes an instance of inverted logic due to a boolean being mistaken for
  a SECStatus, which caused key derivation to fail when the caller
  provided a valid subprime.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1348-1
Released:    Wed May 20 11:37:41 2020
Summary:     Recommended update for mozilla-nss
Type:        recommended
Severity:    moderate
References:  1170908
This update for mozilla-nss fixes the following issues:

The following issues are fixed:

- Add AES Keywrap POST.
- Accept EACCES in lieu of ENOENT when trying to access /proc/sys/crypto/fips_enabled (bsc#1170908).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1677-1
Released:    Thu Jun 18 18:16:39 2020
Summary:     Security update for mozilla-nspr, mozilla-nss
Type:        security
Severity:    important
References:  1159819,1169746,1171978,CVE-2019-17006,CVE-2020-12399
This update for mozilla-nspr, mozilla-nss fixes the following issues:

mozilla-nss was updated to version 3.53

- CVE-2020-12399: Fixed a timing attack on DSA signature generation (bsc#1171978).
- CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819).
Release notes: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.53_release_notes

mozilla-nspr to version 4.25

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1821-1
Released:    Thu Jul  2 08:39:34 2020
Summary:     Recommended update for dracut
Type:        recommended
Severity:    moderate
References:  1172807,1172816
This update for dracut fixes the following issues:

- 35network-legacy: Fix dual stack setups. (bsc#1172807)
- 95iscsi: fix missing space when compiling cmdline args. (bsc#1172816)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1850-1
Released:    Mon Jul  6 14:44:39 2020
Summary:     Security update for mozilla-nss
Type:        security
Severity:    moderate
References:  1168669,1173032,CVE-2020-12402
This update for mozilla-nss fixes the following issues:

mozilla-nss was updated to version 3.53.1
 
- CVE-2020-12402: Fixed a potential side channel attack during RSA key generation (bsc#1173032)
- Fixed various FIPS issues in libfreebl3 which were causing segfaults in the test suite of chrony (bsc#1168669).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1950-1
Released:    Fri Jul 17 17:16:21 2020
Summary:     Recommended update for dracut
Type:        recommended
Severity:    moderate
References:  1161573,1165828,1169997,1172807,1173560
This update for dracut fixes the following issues:

- Update to version 049.1+suse.152.g8506e86f:
  * 01fips: modprobe failures during manual module loading is not fatal. (bsc#bsc#1169997)
  * 91zipl: parse-zipl.sh: honor SYSTEMD_READY. (bsc#1165828)
  * 95iscsi: fix ipv6 target discovery. (bsc#1172807)
  * 35network-legacy: correct conditional for creating did-setup file. (bsc#1172807)

- Update to version 049.1+suse.148.gc4a6c2dd:
  * 95fcoe: load 'libfcoe' module as a fallback. (bsc#1173560)
  * 99base: enable the initqueue in both 'dracut --add-device' and 'dracut --mount' cases. (bsc#1161573)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2451-1
Released:    Wed Sep  2 12:30:38 2020
Summary:     Recommended update for dracut
Type:        recommended
Severity:    important
References:  1167494,996146
This update for dracut fixes the following issues:

Update from version 049.1+suse.152.g8506e86f to version 049.1+suse.156.g7d852636:

- net-lib.sh: support infiniband network mac addresses (bsc#996146)
- 95nfs: use ip_params_for_remote_addr() (bsc#1167494)
- 95iscsi: use ip_params_for_remote_addr() (bsc#1167494)
- dracut-functions: add ip_params_for_remote_addr() helper (bsc#1167494)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2979-1
Released:    Wed Oct 21 11:37:14 2020
Summary:     Recommended update for mozilla-nss
Type:        recommended
Severity:    moderate
References:  1176173

This update for mozilla-nss fixes the following issue:

- FIPS: Adjust the Diffie-Hellman and Elliptic Curve Diffie-Hellman algorithms to be
  NIST SP800-56Arev3 compliant (bsc#1176173).

  
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3059-1
Released:    Wed Oct 28 06:11:23 2020
Summary:     Recommended update for sysconfig
Type:        recommended
Severity:    moderate
References:  1173391,1176285,1176325
This update for sysconfig fixes the following issues:

- Fix for 'netconfig' to run with a new library including fallback to the previous location. (bsc#1176285)
- Fix for changing content of such files like '/etc/resolv.conf' to avoid linked applications re-read them and unnecessarily re-initializes themselves accordingly. (bsc#1176325)
- Fix for 'chrony helper' calling in background. (bsc#1173391)
- Fix for configuration file by creating a symlink for it to prevent false ownership on the file. (bsc#1159566)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3091-1
Released:    Thu Oct 29 16:35:37 2020
Summary:     Security update for MozillaThunderbird and mozilla-nspr
Type:        security
Severity:    important
References:  1174230,1176384,1176756,1176899,1177977,CVE-2020-15673,CVE-2020-15676,CVE-2020-15677,CVE-2020-15678,CVE-2020-15683,CVE-2020-15969
This update for MozillaThunderbird and mozilla-nspr fixes the following issues:

- Mozilla Thunderbird 78.4
  * new: MailExtensions: browser.tabs.sendMessage API added
  * new: MailExtensions: messageDisplayScripts API added
  * changed: Yahoo and AOL mail users using password authentication will be migrated to OAuth2
  * changed: MailExtensions: messageDisplay APIs extended to support multiple selected messages
  * changed: MailExtensions: compose.begin functions now support creating a message with attachments
  * fixed: Thunderbird could freeze when updating global search index
  * fixed: Multiple issues with handling of self-signed SSL certificates addressed
  * fixed: Recipient address fields in compose window could expand to fill all available space
  * fixed: Inserting emoji characters in message compose window caused unexpected behavior
  * fixed: Button to restore default folder icon color was not keyboard accessible
  * fixed: Various keyboard navigation fixes
  * fixed: Various color-related theme fixes
  * fixed: MailExtensions: Updating attachments with onBeforeSend.addListener() did not work
  MFSA 2020-47 (bsc#1177977)
  * CVE-2020-15969 Use-after-free in usersctp
  * CVE-2020-15683 Memory safety bugs fixed in Thunderbird 78.4
- Mozilla Thunderbird 78.3.3
  * OpenPGP: Improved support for encrypting with subkeys
  * OpenPGP message status icons were not visible in message header pane
  * Creating a new calendar event did not require an event title
- Mozilla Thunderbird 78.3.2 (bsc#1176899)
  * OpenPGP: Improved support for encrypting with subkeys
  * OpenPGP: Encrypted messages with international characters were sometimes displayed incorrectly
  * Single-click deletion of recipient pills with middle mouse button restored
  * Searching an address book list did not display results
  * Dark mode, high contrast, and Windows theming fixes
- Mozilla Thunderbird 78.3.1
  * fix crash in nsImapProtocol::CreateNewLineFromSocket
- Mozilla Thunderbird 78.3.0
  MFSA 2020-44 (bsc#1176756)
  * CVE-2020-15677 Download origin spoofing via redirect
  * CVE-2020-15676 XSS when pasting attacker-controlled data into a contenteditable element
  * CVE-2020-15678 When recursing through layers while scrolling, an iterator may have become invalid, resulting in a potential use-after- free scenario
  * CVE-2020-15673 Memory safety bugs fixed in Thunderbird 78.3

- update mozilla-nspr to version 4.25.1
  * The macOS platform code for shared library loading was
    changed to support macOS 11.
  * Dependency needed for the MozillaThunderbird udpate

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3253-1
Released:    Mon Nov  9 07:45:04 2020
Summary:     Recommended update for mozilla-nss
Type:        recommended
Severity:    moderate
References:  1174697,1176173
This update for mozilla-nss fixes the following issues:

- Fixes an issue for Mozilla Firefox which has failed in fips mode (bsc#1174697)
- FIPS: Adjust the Diffie-Hellman and Elliptic Curve Diffie-Hellman algorithms to be
  NIST SP800-56Arev3 compliant (bsc#1176173).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3264-1
Released:    Tue Nov 10 09:50:29 2020
Summary:     Security update for zeromq
Type:        security
Severity:    moderate
References:  1176116,1176256,1176257,1176258,1176259,CVE-2020-15166
This update for zeromq fixes the following issues:

- CVE-2020-15166: Fixed the possibility of unauthenticated clients causing a denial-of-service (bsc#1176116).
- Fixed a heap overflow when receiving malformed ZMTP v1 packets (bsc#1176256)
- Fixed a memory leak in client induced by malicious server(s) without CURVE/ZAP (bsc#1176257)
- Fixed memory leak when processing PUB messages with metadata (bsc#1176259)
- Fixed a stack overflow in PUB/XPUB subscription store (bsc#1176258)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3269-1
Released:    Tue Nov 10 15:57:24 2020
Summary:     Security update for python-waitress
Type:        security
Severity:    moderate
References:  1160790,1161088,1161089,1161670,CVE-2019-16785,CVE-2019-16786,CVE-2019-16789,CVE-2019-16792
This update for python-waitress to 1.4.3 fixes the following security issues:

- CVE-2019-16785: HTTP request smuggling through LF vs CRLF handling (bsc#1161088).
- CVE-2019-16786: HTTP request smuggling through invalid Transfer-Encoding (bsc#1161089).
- CVE-2019-16789: HTTP request smuggling through invalid whitespace characters (bsc#1160790).
- CVE-2019-16792: HTTP request smuggling by sending the Content-Length header twice (bsc#1161670).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3290-1
Released:    Wed Nov 11 12:25:32 2020
Summary:     Recommended update for findutils
Type:        recommended
Severity:    moderate
References:  1174232
This update for findutils fixes the following issues:

- Do not unconditionally use leaf optimization for NFS. (bsc#1174232)
  NFS st_nlink are not accurate on all implementations, leading to aborts() if that assumption is made.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3301-1
Released:    Thu Nov 12 13:51:02 2020
Summary:     Recommended update for openssh
Type:        recommended
Severity:    moderate
References:  1177939
This update for openssh fixes the following issues:

- Ensure that only approved DH parameters are used in FIPS mode, to meet NIST 800-56arev3 restrictions. (bsc#1177939).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3307-1
Released:    Thu Nov 12 14:17:55 2020
Summary:     Recommended update for rdma-core
Type:        recommended
Severity:    moderate
References:  1177699
This update for rdma-core fixes the following issue:

- Move rxe_cfg to libibverbs-utils. (bsc#1177699)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3313-1
Released:    Thu Nov 12 16:07:37 2020
Summary:     Security update for openldap2
Type:        security
Severity:    important
References:  1178387,CVE-2020-25692
This update for openldap2 fixes the following issues:

- CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3377-1
Released:    Thu Nov 19 09:29:32 2020
Summary:     Security update for krb5
Type:        security
Severity:    moderate
References:  1178512,CVE-2020-28196
This update for krb5 fixes the following security issue:

- CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3381-1
Released:    Thu Nov 19 10:53:38 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1177458,1177490,1177510
This update for systemd fixes the following issues:

- build-sys: optionally disable support of journal over the network (bsc#1177458)
- ask-password: prevent buffer overflow when reading from keyring (bsc#1177510)
- mount: don't propagate errors from mount_setup_unit() further up
- Rely on the new build option --disable-remote for journal_remote
  This allows to drop the workaround that consisted in cleaning journal-upload files and
  {sysusers.d,tmpfiles.d}/systemd-remote.conf manually when 'journal_remote' support was disabled.
- Move journal-{remote,upload}.conf.5.gz man pages into systemd-journal_remote sub package 
- Make sure {sysusers.d,tmpfiles.d}/systemd-remote.conf are not shipped with --without=journal_remote (bsc#1177458)
  These files were incorrectly packaged in the main package when systemd-journal_remote was disabled.
- Make use of %{_unitdir} and %{_sysusersdir}
- Remove mq-deadline selection from 60-io-scheduler.rules (bsc#1177490)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3462-1
Released:    Fri Nov 20 13:14:35 2020
Summary:     Recommended update for pam and sudo
Type:        recommended
Severity:    moderate
References:  1174593,1177858,1178727
This update for pam and sudo fixes the following issue:

pam:

- pam_xauth: do not *free* a string which has been successfully passed to *putenv*. (bsc#1177858)
- Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727)
- Run /usr/bin/xauth using the old user's and group's identifiers. (bsc#1174593)

sudo:

- Fix a problem with pam_xauth which checks effective and real uids to get the real identity of the user. (bsc#1174593)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3498-1
Released:    Tue Nov 24 13:07:16 2020
Summary:     Recommended update for dracut
Type:        recommended
Severity:    moderate
References:  1164076,1177811,1178217
This update for dracut fixes the following issues:

- Update from version 049.1+suse.156.g7d852636 to version 049.1+suse.171.g65b2addf:
  - dracut.sh: FIPS workaround for openssl-libs (bsc#1178217)
  - 01fips: turn info calls into fips_info calls (bsc#1164076)
  - 00systemd: add missing cryptsetup-related targets (bsc#1177811)



More information about the sle-security-updates mailing list