SUSE-IU-2021:5-1: Security update of suse-sles-15-chost-byos-v20210202-hvm-ssd-x86_64

sle-security-updates at lists.suse.com sle-security-updates at lists.suse.com
Wed Feb 10 06:41:43 UTC 2021


SUSE Image Update Advisory: suse-sles-15-chost-byos-v20210202-hvm-ssd-x86_64
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2021:5-1
Image Tags        : suse-sles-15-chost-byos-v20210202-hvm-ssd-x86_64:20210202
Image Release     : 
Severity          : important
Type              : security
References        : 1027519 1047634 1050349 1093795 1094444 1108255 1108919 1111207
                        1112387 1116463 1123940 1125218 1135710 1136845 1141064 1141597
                        1145276 1148566 1153601 1155094 1170336 1173513 1173914 1174091
                        1174436 1174571 1174701 1175458 1176355 1176782 1177196 1177211
                        1177460 1177490 1178009 1178775 1178823 1178909 1179193 1179363
                        1179496 1179498 1179501 1179502 1179503 1179506 1179514 1179516
                        1179630 1179824 1180138 1180225 1180377 1180603 1180603 1180684
                        1180685 1180687 1180885 1181090 CVE-2019-16935 CVE-2019-18348
                        CVE-2019-20907 CVE-2019-5010 CVE-2020-14145 CVE-2020-14422 CVE-2020-25709
                        CVE-2020-25710 CVE-2020-26116 CVE-2020-27619 CVE-2020-29480 CVE-2020-29481
                        CVE-2020-29483 CVE-2020-29484 CVE-2020-29566 CVE-2020-29570 CVE-2020-29571
                        CVE-2020-8492 CVE-2021-23239 CVE-2021-23240 CVE-2021-3156 
-----------------------------------------------------------------

The container suse-sles-15-chost-byos-v20210202-hvm-ssd-x86_64 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3774-1
Released:    Mon Dec 14 11:27:33 2020
Summary:     Recommended update for kdump
Type:        recommended
Severity:    moderate
References:  1047634,1050349,1093795,1094444,1108255,1108919,1111207,1112387,1116463,1123940,1125218,1141064,1153601,1170336,1173914,1177196
This update for kdump fixes the following issues:

- Fix multipath configuration with `user_friendly_names` and/or aliases. (bsc#1111207, bsc#1125218, bsc#1153601)
- Recover from missing `CRASHTIME=` in `VMCOREINFO`. (bsc#1112387)
- Clean up the use of current vs. boot network interface names. (bsc#1094444, bsc#1116463, bsc#1141064)
- Use a custom namespace for physical NICs. (bsc#1094444, bsc#1116463, bsc#1141064)
- Add `:force` option to `KDUMP_NETCONFIG`. (bsc#1108919)
- Add `fence_kdump_send` when `fence-agents` are installed. (bsc#1108919)
- Use var for path of `fence_kdump_send` and remove the unnecessary `PRESCRIPT` check. (bsc#1108919)
- Document kdump behaviour for `fence_kdump_send`. (bsc#1108919)
- Restore only static routes in kdump initrd. (bsc#1093795)
- Replace obsolete perl-Bootloader library with a simpler script. (bsc#1050349)
- Remove `console=hvc0` from command line. (bsc#1173914)
- Set serial console from Xen command line. (bsc#1173914)
- Remove `noefi` and `acpi_rsdp` for EFI firmware. (bsc#1123940, bsc#1170336)
- Add `skip_balance` option to BTRFS mounts. (bsc#1108255)
- Do not add `rd.neednet=1` to dracut command line. (bsc#1177196)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3792-1
Released:    Mon Dec 14 17:39:24 2020
Summary:     Recommended update for gzip
Type:        recommended
Severity:    moderate
References:  1145276
This update for gzip fixes the following issues:

Update from version 1.9 to version 1.10 (jsc#ECO-2217, jsc#SLE-12974)

- Enable `DFLTCC` (Deflate Conversion Call) compression for s390x for levels 1-6 to `CFLAGS`. (jsc#SLE-13775) 

  Enable by adding `-DDFLTCC_LEVEL_MASK=0x7e` to `CFLAGS`.
- Fix three data corruption issues. (bsc#1145276, jsc#SLE-5818, jsc#SLE-8914)
- Add support for `DFLTCC` (hardware-accelerated deflation) for s390x arch. (jsc#SLE-5818, jsc#SLE-8914)

  Enable it using the `--enable-dfltcc` option.
- Compressed gzip output no longer contains the current time as a timestamp when the input is not a regular file.  
  Instead, the output contains a `null` (zero) timestamp. This makes gzip's behavior more reproducible when 
  used as part of a pipeline.
- A use of uninitialized memory on some malformed inputs has been fixed.
- A few theoretical race conditions in signal handlers have been fixed.
- Update gnulib for `libio.h` removal.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3803-1
Released:    Tue Dec 15 09:40:41 2020
Summary:     Recommended update for rsyslog
Type:        recommended
Severity:    moderate
References:  1176355
This update for rsyslog fixes the following issues:

- Fixes a crash for imfile (bsc#1176355)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3882-1
Released:    Fri Dec 18 16:47:31 2020
Summary:     Security update for openssh
Type:        security
Severity:    moderate
References:  1148566,1173513,CVE-2020-14145
This update for openssh fixes the following issues:

- CVE-2020-14145: Fixed a potential information leak during host key exchange (bsc#1173513).
- Fixed an issue where oracle cluster with cluvfy using 'scp' failing/missinterpreted (bsc#1148566).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3916-1
Released:    Tue Dec 22 14:16:38 2020
Summary:     Security update for xen
Type:        security
Severity:    moderate
References:  1027519,1176782,1179496,1179498,1179501,1179502,1179506,1179514,1179516,CVE-2020-29480,CVE-2020-29481,CVE-2020-29483,CVE-2020-29484,CVE-2020-29566,CVE-2020-29570,CVE-2020-29571
This update for xen fixes the following issues:

- CVE-2020-29480: Fixed an issue which could have allowed leak of non-sensitive data to administrator guests (bsc#117949 XSA-115).
- CVE-2020-29481: Fixed an issue which could have allowd to new domains to inherit existing node permissions (bsc#1179498 XSA-322). 
- CVE-2020-29483: Fixed an issue where guests could disturb domain cleanup (bsc#1179502 XSA-325).
- CVE-2020-29484: Fixed an issue where guests could crash xenstored via watchs (bsc#1179501 XSA-324). 
- CVE-2020-29566: Fixed an undue recursion in x86 HVM context switch code (bsc#1179506 XSA-348).
- CVE-2020-29570: Fixed an issue where FIFO event channels control block related ordering (bsc#1179514 XSA-358).
- CVE-2020-29571: Fixed an issue where FIFO event channels control structure ordering (bsc#1179516 XSA-359).
- Fixed an issue where dump-core shows missing nr_pages during core (bsc#1176782).
- Multiple other bugs (bsc#1027519)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3930-1
Released:    Wed Dec 23 18:19:39 2020
Summary:     Security update for python3
Type:        security
Severity:    important
References:  1155094,1174091,1174571,1174701,1177211,1178009,1179193,1179630,CVE-2019-16935,CVE-2019-18348,CVE-2019-20907,CVE-2019-5010,CVE-2020-14422,CVE-2020-26116,CVE-2020-27619,CVE-2020-8492
This update for python3 fixes the following issues:

- Fixed CVE-2020-27619 (bsc#1178009), where Lib/test/multibytecodec_support
  calls eval() on content retrieved via HTTP.
- Change setuptools and pip version numbers according to new wheels
- Handful of changes to make python36 compatible with SLE15 and SLE12
  (jsc#ECO-2799, jsc#SLE-13738)
- add triplets for mips-r6 and riscv
- RISC-V needs CTYPES_PASS_BY_REF_HACK

Update to 3.6.12 (bsc#1179193)

* Ensure python3.dll is loaded from correct locations when Python is embedded
* The __hash__() methods of ipaddress.IPv4Interface and ipaddress.IPv6Interface 
  incorrectly generated constant hash values of 32 and 128 respectively. This 
  resulted in always causing hash collisions. The fix uses hash() to generate 
  hash values for the tuple of (address, mask length, network address).
* Prevent http header injection by rejecting control characters in 
  http.client.putrequest(…).
* Unpickling invalid NEWOBJ_EX opcode with the C implementation raises now 
  UnpicklingError instead of crashing.
* Avoid infinite loop when reading specially crafted TAR files using the tarfile 
  module

- This release also fixes CVE-2020-26116 (bsc#1177211) and CVE-2019-20907 (bsc#1174091).

Update to 3.6.11:

- Disallow CR or LF in email.headerregistry. Address
  arguments to guard against header injection attacks.
- Disallow control characters in hostnames in http.client, addressing
  CVE-2019-18348. Such potentially malicious header injection URLs now
  cause a InvalidURL to be raised. (bsc#1155094)
- CVE-2020-8492: The AbstractBasicAuthHandler class
  of the urllib.request module uses an inefficient regular
  expression which can be exploited by an attacker to cause
  a denial of service. Fix the regex to prevent the
  catastrophic backtracking. Vulnerability reported by Ben
  Caller and Matt Schwager.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3942-1
Released:    Tue Dec 29 12:22:01 2020
Summary:     Recommended update for libidn2
Type:        recommended
Severity:    moderate
References:  1180138
This update for libidn2 fixes the following issues:

- The library is actually dual licensed, GPL-2.0-or-later or LGPL-3.0-or-later,
  adjusted the RPM license tags (bsc#1180138)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3943-1
Released:    Tue Dec 29 12:24:45 2020
Summary:     Recommended update for libxml2
Type:        recommended
Severity:    moderate
References:  1178823
This update for libxml2 fixes the following issues:

Avoid quadratic checking of identity-constraints, speeding up XML validation (bsc#1178823)
* key/unique/keyref schema attributes currently use quadratic loops
  to check their various constraints (that keys are unique and that
  keyrefs refer to existing keys).
* This fix uses a hash table to avoid the quadratic behaviour.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3946-1
Released:    Tue Dec 29 17:39:54 2020
Summary:     Recommended update for python3
Type:        recommended
Severity:    important
References:  1180377
This update for python3 fixes the following issues:

- A previous update inadvertently removed the 'PyFPE_jbuf' symbol from Python3,
  which caused regressions in several applications. (bsc#1180377)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:76-1
Released:    Tue Jan 12 10:25:26 2021
Summary:     Recommended update for SUSEConnect
Type:        recommended
Severity:    low
References:  
This update for SUSEConnect fixes the following issue:

Update to version 0.3.29

- Replace the Ruby path with the native one during build phase.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:129-1
Released:    Thu Jan 14 12:26:15 2021
Summary:     Security update for openldap2
Type:        security
Severity:    moderate
References:  1178909,1179503,CVE-2020-25709,CVE-2020-25710
This update for openldap2 fixes the following issues:

Security issues fixed:

- CVE-2020-25709: Fixed a crash caused by specially crafted network traffic (bsc#1178909).
- CVE-2020-25710: Fixed a crash caused by specially crafted network traffic (bsc#1178909).

Non-security issue fixed:

- Retry binds in the LDAP backend when the remote LDAP server disconnected the (idle) LDAP connection. (bsc#1179503)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:177-1
Released:    Wed Jan 20 11:18:03 2021
Summary:     Recommended update for libselinux
Type:        recommended
Severity:    moderate
References:  1135710,1136845,1180603
This update for libselinux fixes the following issue:

Issues addressed: 	  

- Removed check for selinux-policy package as it is not shipped in this package(bsc#1136845).
- Added check that restorecond is installed and enabled
- adjusted licenses of packages. All packages are under Public Domain, only selinux-tools contains a GPL-2.0 tool.


-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:179-1
Released:    Wed Jan 20 13:38:51 2021
Summary:     Recommended update for timezone
Type:        recommended
Severity:    moderate
References:  1177460
This update for timezone fixes the following issues:

- timezone update 2020f (bsc#1177460)
  * 'make rearguard_tarballs' no longer generates a bad rearguard.zi,
    fixing a 2020e bug.

- timezone update 2020e (bsc#1177460)
  * Volgograd switches to Moscow time on 2020-12-27 at 02:00.

- timezone update 2020f (bsc#1177460)
  * 'make rearguard_tarballs' no longer generates a bad rearguard.zi,
    fixing a 2020e bug.

- timezone update 2020e (bsc#1177460)
  * Volgograd switches to Moscow time on 2020-12-27 at 02:00.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:220-1
Released:    Tue Jan 26 14:00:51 2021
Summary:     Recommended update for keyutils
Type:        recommended
Severity:    moderate
References:  1180603
This update for keyutils fixes the following issues:

- Adjust the library license to be LPGL-2.1+ only (the tools are GPL2+, the library is just LGPL-2.1+) (bsc#1180603)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:227-1
Released:    Tue Jan 26 19:22:14 2021
Summary:     Security update for sudo
Type:        security
Severity:    important
References:  1180684,1180685,1180687,1181090,CVE-2021-23239,CVE-2021-23240,CVE-2021-3156
This update for sudo fixes the following issues:

- A Heap-based buffer overflow in sudo could be exploited to allow a user to gain root privileges 
  [bsc#1181090,CVE-2021-3156]
- It was possible for a user to test for the existence of a directory due to a Race Condition in `sudoedit`
  [bsc#1180684,CVE-2021-23239]
- A Possible Symlink Attack vector existed in `sudoedit` if SELinux was running in permissive mode [bsc#1180685,
  CVE-2021-23240]
- It was possible for a User to enable Debug Settings not Intended for them [bsc#1180687]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:233-1
Released:    Wed Jan 27 12:15:33 2021
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1141597,1174436,1175458,1177490,1179363,1179824,1180225
This update for systemd fixes the following issues:

- Added a timestamp to the output of the busctl monitor command (bsc#1180225)
- Fixed a NULL pointer dereference bug when attempting to close the journal file handle (bsc#1179824)
- Improved the caching of cgroups member mask (bsc#1175458)
- Fixed the dependency definition of sound.target (bsc#1179363)
- Fixed a bug that could lead to a potential error, when daemon-reload is called between
  StartTransientUnit and scope_start() (bsc#1174436)
- time-util: treat /etc/localtime missing as UTC (bsc#1141597)
- Removed mq-deadline selection from 60-io-scheduler.rules (bsc#1177490)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:265-1
Released:    Mon Feb  1 15:06:45 2021
Summary:     Recommended update for systemd
Type:        recommended
Severity:    important
References:  1178775,1180885
This update for systemd fixes the following issues:

- Fix for udev creating '/dev/disk/by-label' symlink for 'LUKS2' to avoid mount issues. (bsc#1180885, #8998))
- Fix for an issue when container start causes interference in other containers. (bsc#1178775)



More information about the sle-security-updates mailing list