SUSE-CU-2021:76-1: Security update of ses/7/rook/ceph

sle-security-updates at lists.suse.com sle-security-updates at lists.suse.com
Fri Mar 12 07:19:02 UTC 2021


SUSE Container Update Advisory: ses/7/rook/ceph
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:76-1
Container Tags        : ses/7/rook/ceph:1.5.7 , ses/7/rook/ceph:1.5.7.4 , ses/7/rook/ceph:1.5.7.4.1.1512 , ses/7/rook/ceph:latest , ses/7/rook/ceph:sle15.2.octopus
Container Release     : 1.1512
Severity              : important
Type                  : security
References            : 1050625 1084671 1098449 1141597 1144793 1155094 1168771 1169006
                        1171883 1172695 1173513 1173582 1174016 1174091 1174436 1174571
                        1174701 1174942 1175458 1175514 1175623 1176262 1177120 1177127
                        1177211 1177238 1177275 1177427 1177460 1177460 1177490 1177533
                        1177583 1177658 1177998 1178009 1178346 1178386 1178554 1178775
                        1178823 1178825 1178860 1178909 1178910 1178966 1179016 1179083
                        1179193 1179222 1179363 1179398 1179399 1179415 1179452 1179491
                        1179503 1179526 1179593 1179630 1179691 1179691 1179694 1179721
                        1179738 1179756 1179816 1179824 1179909 1180038 1180077 1180107
                        1180138 1180155 1180225 1180377 1180501 1180603 1180603 1180663
                        1180676 1180684 1180685 1180686 1180687 1180721 1180885 1181090
                        1181126 1181319 1181505 1181944 1182066 1182117 1182244 1182279
                        1182331 1182333 1182408 1182411 1182412 1182413 1182415 1182416
                        1182417 1182418 1182419 1182420 1182959 CVE-2017-9271 CVE-2019-16935
                        CVE-2019-18348 CVE-2019-20907 CVE-2019-20916 CVE-2019-25013 CVE-2019-5010
                        CVE-2020-14145 CVE-2020-14422 CVE-2020-1971 CVE-2020-25709 CVE-2020-25710
                        CVE-2020-26116 CVE-2020-26137 CVE-2020-27618 CVE-2020-27619 CVE-2020-27781
                        CVE-2020-28493 CVE-2020-29562 CVE-2020-29573 CVE-2020-36221 CVE-2020-36222
                        CVE-2020-36223 CVE-2020-36224 CVE-2020-36225 CVE-2020-36226 CVE-2020-36227
                        CVE-2020-36228 CVE-2020-36229 CVE-2020-36230 CVE-2020-36242 CVE-2020-8025
                        CVE-2020-8284 CVE-2020-8285 CVE-2020-8286 CVE-2020-8492 CVE-2021-23239
                        CVE-2021-23240 CVE-2021-23840 CVE-2021-23841 CVE-2021-27212 CVE-2021-3139
                        CVE-2021-3156 CVE-2021-3177 CVE-2021-3326 
-----------------------------------------------------------------

The container ses/7/rook/ceph was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1989-1
Released:    Tue Jul 21 17:58:58 2020
Summary:     Recommended update to SLES-releases
Type:        recommended
Severity:    important
References:  1173582
This update of SLES-release provides the following fix:
- Obsolete Leap 15.2 as well to allow migration from Leap to SLE. (bsc#1173582)
  
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3294-1
Released:    Wed Nov 11 12:28:46 2020
Summary:     Recommended update for SLES-release
Type:        recommended
Severity:    moderate
References:  1177998
This update for SLES-release fixes the following issue:

- Obsolete Leap 15.2.1 (jump) to allow migration from Jump/Leap 15.2.1 to SLE 15 SP2. (bsc#1177998)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3721-1
Released:    Wed Dec  9 13:36:46 2020
Summary:     Security update for openssl-1_1
Type:        security
Severity:    important
References:  1179491,CVE-2020-1971
This update for openssl-1_1 fixes the following issues:
	  
- CVE-2020-1971: Fixed a null pointer dereference in EDIPARTYNAME (bsc#1179491).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3723-1
Released:    Wed Dec  9 13:37:55 2020
Summary:     Security update for python-urllib3
Type:        security
Severity:    moderate
References:  1177120,CVE-2020-26137
This update for python-urllib3 fixes the following issues:

- CVE-2020-26137: Fixed a CRLF injection via HTTP request method (bsc#1177120).	  

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3735-1
Released:    Wed Dec  9 18:19:24 2020
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1179398,1179399,1179593,CVE-2020-8284,CVE-2020-8285,CVE-2020-8286
This update for curl fixes the following issues:

- CVE-2020-8286: Fixed improper OSCP verification in the client side (bsc#1179593). 
- CVE-2020-8285: Fixed a stack overflow due to FTP wildcard (bsc#1179399).
- CVE-2020-8284: Fixed an issue where a malicius FTP server could make curl connect to a different IP (bsc#1179398).	  

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3736-1
Released:    Wed Dec  9 18:19:58 2020
Summary:     Security update for openssh
Type:        security
Severity:    moderate
References:  1173513,CVE-2020-14145
This update for openssh fixes the following issues:

- CVE-2020-14145: Fixed a potential information leak during host key exchange (bsc#1173513).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3747-1
Released:    Thu Dec 10 13:54:49 2020
Summary:     Recommended update for ceph
Type:        recommended
Severity:    moderate
References:  1179452,1179526
This update for ceph fixes the following issues:
  
- Fixed an issue when reading a large 'RGW' object takes too long and can cause data loss. (bsc#1179526)
- Fixed a build issue caused by missing nautilus module named 'six'. (bsc#1179452)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3791-1
Released:    Mon Dec 14 17:39:19 2020
Summary:     Recommended update for gzip
Type:        recommended
Severity:    moderate
References:  
This update for gzip fixes the following issue:

- Enable `DFLTCC` (Deflate Conversion Call) compression for s390x for levels 1-6 to `CFLAGS`. (jsc#SLE-13775)
  
  Enable by adding `-DDFLTCC_LEVEL_MASK=0x7e` to `CFLAGS`.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3809-1
Released:    Tue Dec 15 13:46:05 2020
Summary:     Recommended update for glib2
Type:        recommended
Severity:    moderate
References:  1178346
This update for glib2 fixes the following issues:

Update from version 2.62.5 to version 2.62.6:

- Support for slim format of timezone. (bsc#1178346)
- Fix DST incorrect end day when using slim format. (bsc#1178346)
- Fix SOCKS5 username/password authentication.
- Updated translations.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3853-1
Released:    Wed Dec 16 12:27:27 2020
Summary:     Recommended update for util-linux
Type:        recommended
Severity:    moderate
References:  1084671,1169006,1174942,1175514,1175623,1178554,1178825
This update for util-linux fixes the following issue:

- Do not trigger the automatic close of CDROM. (bsc#1084671)
- Try to automatically configure broken serial lines. (bsc#1175514)
- Avoid `sulogin` failing on not existing or not functional console devices. (bsc#1175514)
- Build with `libudev` support to support non-root users. (bsc#1169006)
- Avoid memory errors on PowerPC systems with valid hardware configurations. (bsc#1175623, bsc#1178554, bsc#1178825)
- Fix warning on mounts to `CIFS` with mount –a. (bsc#1174942)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3894-1
Released:    Mon Dec 21 12:56:05 2020
Summary:     Security update for ceph
Type:        security
Severity:    important
References:  1178860,1179016,1180107,1180155,CVE-2020-27781
This update for ceph fixes the following issues:

Security issue fixed:

- CVE-2020-27781: Fixed a privilege escalation via the ceph_volume_client Python interface (bsc#1180155).

Non-security issues fixed:

- Update to 15.2.8-80-g1f4b6229ca:
  + Rebase on tip of upstream 'octopus' branch, SHA1 bdf3eebcd22d7d0b3dd4d5501bee5bac354d5b55
    * upstream Octopus v15.2.8 release, see https://ceph.io/releases/v15-2-8-octopus-released/

- Update to 15.2.7-776-g343cd10fe5:
  + Rebase on tip of upstream 'octopus' branch, SHA1 1b8a634fdcd94dfb3ba650793fb1b6d09af65e05
    * (bsc#1178860) mgr/dashboard: Disable TLS 1.0 and 1.1
  + (bsc#1179016) rpm: require smartmontools on SUSE
  + (bsc#1180107) ceph-volume: pass --filter-for-batch from drive-group subcommand

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3921-1
Released:    Tue Dec 22 15:19:17 2020
Summary:     Recommended update for libpwquality
Type:        recommended
Severity:    low
References:  
This update for libpwquality fixes the following issues:

- Implement alignment with 'pam_cracklib'. (jsc#SLE-16720)   

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3930-1
Released:    Wed Dec 23 18:19:39 2020
Summary:     Security update for python3
Type:        security
Severity:    important
References:  1155094,1174091,1174571,1174701,1177211,1178009,1179193,1179630,CVE-2019-16935,CVE-2019-18348,CVE-2019-20907,CVE-2019-5010,CVE-2020-14422,CVE-2020-26116,CVE-2020-27619,CVE-2020-8492
This update for python3 fixes the following issues:

- Fixed CVE-2020-27619 (bsc#1178009), where Lib/test/multibytecodec_support
  calls eval() on content retrieved via HTTP.
- Change setuptools and pip version numbers according to new wheels
- Handful of changes to make python36 compatible with SLE15 and SLE12
  (jsc#ECO-2799, jsc#SLE-13738)
- add triplets for mips-r6 and riscv
- RISC-V needs CTYPES_PASS_BY_REF_HACK

Update to 3.6.12 (bsc#1179193)

* Ensure python3.dll is loaded from correct locations when Python is embedded
* The __hash__() methods of ipaddress.IPv4Interface and ipaddress.IPv6Interface 
  incorrectly generated constant hash values of 32 and 128 respectively. This 
  resulted in always causing hash collisions. The fix uses hash() to generate 
  hash values for the tuple of (address, mask length, network address).
* Prevent http header injection by rejecting control characters in 
  http.client.putrequest(…).
* Unpickling invalid NEWOBJ_EX opcode with the C implementation raises now 
  UnpicklingError instead of crashing.
* Avoid infinite loop when reading specially crafted TAR files using the tarfile 
  module

- This release also fixes CVE-2020-26116 (bsc#1177211) and CVE-2019-20907 (bsc#1174091).

Update to 3.6.11:

- Disallow CR or LF in email.headerregistry. Address
  arguments to guard against header injection attacks.
- Disallow control characters in hostnames in http.client, addressing
  CVE-2019-18348. Such potentially malicious header injection URLs now
  cause a InvalidURL to be raised. (bsc#1155094)
- CVE-2020-8492: The AbstractBasicAuthHandler class
  of the urllib.request module uses an inefficient regular
  expression which can be exploited by an attacker to cause
  a denial of service. Fix the regex to prevent the
  catastrophic backtracking. Vulnerability reported by Ben
  Caller and Matt Schwager.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3942-1
Released:    Tue Dec 29 12:22:01 2020
Summary:     Recommended update for libidn2
Type:        recommended
Severity:    moderate
References:  1180138
This update for libidn2 fixes the following issues:

- The library is actually dual licensed, GPL-2.0-or-later or LGPL-3.0-or-later,
  adjusted the RPM license tags (bsc#1180138)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3943-1
Released:    Tue Dec 29 12:24:45 2020
Summary:     Recommended update for libxml2
Type:        recommended
Severity:    moderate
References:  1178823
This update for libxml2 fixes the following issues:

Avoid quadratic checking of identity-constraints, speeding up XML validation (bsc#1178823)
* key/unique/keyref schema attributes currently use quadratic loops
  to check their various constraints (that keys are unique and that
  keyrefs refer to existing keys).
* This fix uses a hash table to avoid the quadratic behaviour.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3946-1
Released:    Tue Dec 29 17:39:54 2020
Summary:     Recommended update for python3
Type:        recommended
Severity:    important
References:  1180377
This update for python3 fixes the following issues:

- A previous update inadvertently removed the 'PyFPE_jbuf' symbol from Python3,
  which caused regressions in several applications. (bsc#1180377)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:6-1
Released:    Mon Jan  4 07:05:06 2021
Summary:     Recommended update for libdlm
Type:        recommended
Severity:    moderate
References:  1098449,1144793,1168771,1177533,1177658
This update for libdlm fixes the following issues:

- Rework libdlm3 require with a shared library version tag instead so it propagates to all consuming packages.(bsc#1177658, bsc#1098449)
- Add support for type 'uint64_t' to corosync ringid. (bsc#1168771)
- Include some fixes/enhancements for dlm_controld. (bsc#1144793)
- Fixed an issue where /boot logical volume was accidentally unmounted. (bsc#1177533)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:109-1
Released:    Wed Jan 13 10:13:24 2021
Summary:     Security update for libzypp, zypper
Type:        security
Severity:    moderate
References:  1050625,1174016,1177238,1177275,1177427,1177583,1178910,1178966,1179083,1179222,1179415,1179909,CVE-2017-9271
This update for libzypp, zypper fixes the following issues:

Update zypper to version 1.14.41

Update libzypp to 17.25.4

- CVE-2017-9271: Fixed information leak in the log file (bsc#1050625 bsc#1177583)
- RepoManager: Force refresh if repo url has changed (bsc#1174016)
- RepoManager: Carefully tidy up the caches. Remove non-directory entries. (bsc#1178966)
- RepoInfo: ignore legacy type= in a .repo file and let RepoManager probe (bsc#1177427).
- RpmDb: If no database exists use the _dbpath configured in rpm.  Still makes sure a compat
  symlink at /var/lib/rpm exists in case the configures _dbpath is elsewhere. (bsc#1178910)
- Fixed update of gpg keys with elongated expire date (bsc#179222)
- needreboot: remove udev from the list (bsc#1179083)
- Fix lsof monitoring (bsc#1179909)

yast-installation was updated to 4.2.48:

- Do not cleanup the libzypp cache when the system has low memory,
  incomplete cache confuses libzypp later (bsc#1179415)


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:93-1
Released:    Wed Jan 13 16:45:40 2021
Summary:     Security update for tcmu-runner
Type:        security
Severity:    important
References:  1180676,CVE-2021-3139
This update for tcmu-runner fixes the following issues:

- CVE-2021-3139: Fixed a LIO security issue (bsc#1180676).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:129-1
Released:    Thu Jan 14 12:26:15 2021
Summary:     Security update for openldap2
Type:        security
Severity:    moderate
References:  1178909,1179503,CVE-2020-25709,CVE-2020-25710
This update for openldap2 fixes the following issues:

Security issues fixed:

- CVE-2020-25709: Fixed a crash caused by specially crafted network traffic (bsc#1178909).
- CVE-2020-25710: Fixed a crash caused by specially crafted network traffic (bsc#1178909).

Non-security issue fixed:

- Retry binds in the LDAP backend when the remote LDAP server disconnected the (idle) LDAP connection. (bsc#1179503)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:152-1
Released:    Fri Jan 15 17:04:47 2021
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    moderate
References:  1179691,1179738
This update for lvm2 fixes the following issues:

- Fix for lvm2 to use udev as external device by default. (bsc#1179691)
- Fixed an issue in configuration for an item that is commented out by default. (bsc#1179738)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:169-1
Released:    Tue Jan 19 16:18:46 2021
Summary:     Recommended update for libsolv, libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1179816,1180077,1180663,1180721
This update for libsolv, libzypp, zypper fixes the following issues:

libzypp was updated to 17.25.6:

- Rephrase solver problem descriptions (jsc#SLE-8482)
- Adapt to changed gpg2/libgpgme behavior (bsc#1180721)
- Multicurl backend breaks with with unknown filesize (fixes #277)

zypper was updated to 1.14.42:

- Fix source-download commnds help (bsc#1180663)
- man: Recommend to use the --non-interactive global option rather than the command option -y (bsc#1179816)
- Extend apt packagemap (fixes #366)
- --quiet: Fix install summary to write nothing if there's nothing todo (bsc#1180077)

libsolv was updated to 0.7.16;

- do not ask the namespace callback for splitprovides when writing a testcase
- fix add_complex_recommends() selecting conflicted packages in rare cases leading to crashes
- improve choicerule generation so that package updates are prefered in more cases

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:174-1
Released:    Wed Jan 20 07:55:23 2021
Summary:     Recommended update for gnutls
Type:        recommended
Severity:    moderate
References:  1172695
This update for gnutls fixes the following issue:

- Avoid spurious audit messages about incompatible signature algorithms (bsc#1172695)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:179-1
Released:    Wed Jan 20 13:38:51 2021
Summary:     Recommended update for timezone
Type:        recommended
Severity:    moderate
References:  1177460
This update for timezone fixes the following issues:

- timezone update 2020f (bsc#1177460)
  * 'make rearguard_tarballs' no longer generates a bad rearguard.zi,
    fixing a 2020e bug.

- timezone update 2020e (bsc#1177460)
  * Volgograd switches to Moscow time on 2020-12-27 at 02:00.

- timezone update 2020f (bsc#1177460)
  * 'make rearguard_tarballs' no longer generates a bad rearguard.zi,
    fixing a 2020e bug.

- timezone update 2020e (bsc#1177460)
  * Volgograd switches to Moscow time on 2020-12-27 at 02:00.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:197-1
Released:    Fri Jan 22 15:17:42 2021
Summary:     Security update for permissions
Type:        security
Severity:    moderate
References:  1171883,CVE-2020-8025
This update for permissions fixes the following issues:

- Update to version 20181224:
  * pcp: remove no longer needed / conflicting entries
         (bsc#1171883, CVE-2020-8025)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:208-1
Released:    Mon Jan 25 16:17:09 2021
Summary:     Recommended update for rook
Type:        recommended
Severity:    moderate
References:  
This update for rook fixes the following issues:

- Update to v1.4.8
  * Ceph
    * Update base operator image and example manifests to Ceph v15.2.7 (#6690)
    * Merge custom labels properly with other labels in the spec (#6720)
    * Uninstall cleanup ignores ceph daemon pods that are in pending
      state (#6719)
    * Orchestration is aborted and restarted if the cluster CR is
      updated (#6693)
    * Restore mon clusterIP if the service is missing in disaster recovery
      scenarios (#6658)
    * Set the RGW deployment version label (#6610)
    * Add privileged securityContext to CephFS provisioner (#6561)

- Fix registry URL to SUSE for remaining example yaml's.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:220-1
Released:    Tue Jan 26 14:00:51 2021
Summary:     Recommended update for keyutils
Type:        recommended
Severity:    moderate
References:  1180603
This update for keyutils fixes the following issues:

- Adjust the library license to be LPGL-2.1+ only (the tools are GPL2+, the library is just LGPL-2.1+) (bsc#1180603)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:227-1
Released:    Tue Jan 26 19:22:14 2021
Summary:     Security update for sudo
Type:        security
Severity:    important
References:  1180684,1180685,1180687,1181090,CVE-2021-23239,CVE-2021-23240,CVE-2021-3156
This update for sudo fixes the following issues:

- A Heap-based buffer overflow in sudo could be exploited to allow a user to gain root privileges 
  [bsc#1181090,CVE-2021-3156]
- It was possible for a user to test for the existence of a directory due to a Race Condition in `sudoedit`
  [bsc#1180684,CVE-2021-23239]
- A Possible Symlink Attack vector existed in `sudoedit` if SELinux was running in permissive mode [bsc#1180685,
  CVE-2021-23240]
- It was possible for a User to enable Debug Settings not Intended for them [bsc#1180687]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:233-1
Released:    Wed Jan 27 12:15:33 2021
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1141597,1174436,1175458,1177490,1179363,1179824,1180225
This update for systemd fixes the following issues:

- Added a timestamp to the output of the busctl monitor command (bsc#1180225)
- Fixed a NULL pointer dereference bug when attempting to close the journal file handle (bsc#1179824)
- Improved the caching of cgroups member mask (bsc#1175458)
- Fixed the dependency definition of sound.target (bsc#1179363)
- Fixed a bug that could lead to a potential error, when daemon-reload is called between
  StartTransientUnit and scope_start() (bsc#1174436)
- time-util: treat /etc/localtime missing as UTC (bsc#1141597)
- Removed mq-deadline selection from 60-io-scheduler.rules (bsc#1177490)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:265-1
Released:    Mon Feb  1 15:06:45 2021
Summary:     Recommended update for systemd
Type:        recommended
Severity:    important
References:  1178775,1180885
This update for systemd fixes the following issues:

- Fix for udev creating '/dev/disk/by-label' symlink for 'LUKS2' to avoid mount issues. (bsc#1180885, #8998))
- Fix for an issue when container start causes interference in other containers. (bsc#1178775)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:278-1
Released:    Tue Feb  2 09:43:08 2021
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    moderate
References:  1181319
This update for lvm2 fixes the following issues:

- Backport 'lvmlockd' to adopt orphan locks feature. (bsc#1181319)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:293-1
Released:    Wed Feb  3 12:52:34 2021
Summary:     Recommended update for gmp
Type:        recommended
Severity:    moderate
References:  1180603
This update for gmp fixes the following issues:

- correct license statements of packages (library itself is no GPL-3.0) (bsc#1180603)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:301-1
Released:    Thu Feb  4 08:46:27 2021
Summary:     Recommended update for timezone
Type:        recommended
Severity:    moderate
References:  1177460
This update for timezone fixes the following issues:

- timezone update 2021a (bsc#1177460)
  * South Sudan changes from +03 to +02 on 2021-02-01 at 00:00.

- timezone update 2021a (bsc#1177460)
  * South Sudan changes from +03 to +02 on 2021-02-01 at 00:00.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:302-1
Released:    Thu Feb  4 13:18:35 2021
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    important
References:  1179691
This update for lvm2 fixes the following issues:

- lvm2 will no longer use external_device_info_source='udev' as default because it introduced a
  regression (bsc#1179691).

  If this behavior is still wanted, please change this manually in the lvm.conf

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:339-1
Released:    Mon Feb  8 13:16:07 2021
Summary:     Optional update for pam
Type:        optional
Severity:    low
References:  
This update for pam fixes the following issues:

- Added rpm macros for this package, so that other packages can make use of it

This patch is optional to be installed - it doesn't fix any bugs.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:519-1
Released:    Fri Feb 19 09:44:53 2021
Summary:     Recommended update for openssh
Type:        recommended
Severity:    moderate
References:  1180501
This update for openssh fixes the following issues:

- Fixed a crash which sometimes occured on connection termination, caused
  by accessing freed memory (bsc#1180501)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:529-1
Released:    Fri Feb 19 14:53:47 2021
Summary:     Security update for python3
Type:        security
Severity:    moderate
References:  1176262,1179756,1180686,1181126,CVE-2019-20916,CVE-2021-3177
This update for python3 fixes the following issues:

- CVE-2021-3177: Fixed buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution (bsc#1181126).
- Provide the newest setuptools wheel (bsc#1176262, CVE-2019-20916) in their correct form (bsc#1180686).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:594-1
Released:    Thu Feb 25 09:29:35 2021
Summary:     Security update for python-cryptography
Type:        security
Severity:    important
References:  1182066,CVE-2020-36242
This update for python-cryptography fixes the following issues:

- CVE-2020-36242: Using the Fernet class to symmetrically encrypt multi gigabyte
  values could result in an integer overflow and buffer overflow (bsc#1182066).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:653-1
Released:    Fri Feb 26 19:53:43 2021
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1178386,1179694,1179721,1180038,1181505,1182117,CVE-2019-25013,CVE-2020-27618,CVE-2020-29562,CVE-2020-29573,CVE-2021-3326
This update for glibc fixes the following issues:

- Fix buffer overrun in EUC-KR conversion module (CVE-2019-25013, bsc#1182117, BZ #24973)
- x86: Harden printf against non-normal long double values (CVE-2020-29573, bsc#1179721, BZ #26649)
- gconv: Fix assertion failure in ISO-2022-JP-3 module (CVE-2021-3326, bsc#1181505, BZ #27256)
- iconv: Accept redundant shift sequences in IBM1364 (CVE-2020-27618, bsc#1178386, BZ #26224)
- iconv: Fix incorrect UCS4 inner loop bounds (CVE-2020-29562, bsc#1179694, BZ #26923)
- Fix parsing of /sys/devices/system/cpu/online (bsc#1180038, BZ #25859)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:654-1
Released:    Fri Feb 26 20:01:10 2021
Summary:     Security update for python-Jinja2
Type:        security
Severity:    important
References:  1181944,1182244,CVE-2020-28493
This update for python-Jinja2 fixes the following issues:

- CVE-2020-28493: Fixed a ReDOS vulnerability where urlize could have 
  been called with untrusted user data (bsc#1181944).  

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:656-1
Released:    Mon Mar  1 09:34:21 2021
Summary:     Recommended update for protobuf
Type:        recommended
Severity:    moderate
References:  1177127
This update for protobuf fixes the following issues:

- Add missing dependency of python subpackages on python-six. (bsc#1177127)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:723-1
Released:    Mon Mar  8 16:45:27 2021
Summary:     Security update for openldap2
Type:        security
Severity:    important
References:  1182279,1182408,1182411,1182412,1182413,1182415,1182416,1182417,1182418,1182419,1182420,CVE-2020-36221,CVE-2020-36222,CVE-2020-36223,CVE-2020-36224,CVE-2020-36225,CVE-2020-36226,CVE-2020-36227,CVE-2020-36228,CVE-2020-36229,CVE-2020-36230,CVE-2021-27212
This update for openldap2 fixes the following issues:

- bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the
  X.509 DN parsing in decode.c ber_next_element, resulting in denial
  of service.
- bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN
  parsing in ad_keystring, resulting in denial of service.
- bsc#1182412 CVE-2020-36228 - integer underflow leading to crash
  in the Certificate List Exact Assertion processing, resulting in
  denial of service.
- bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the
  cancel_extop Cancel operation, resulting in denial of service.
- bsc#1182416 CVE-2020-36225 - double free and slapd crash in the
  saslAuthzTo processing, resulting in denial of service.
- bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash
  in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd
  crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the
  saslAuthzTo validation, resulting in denial of service.
- bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact
  Assertion processing, resulting in denial of service (schema_init.c
  serialNumberAndIssuerCheck).
- bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter
  control handling, resulting in denial of service (double free and
  out-of-bounds read).
- bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur
    in the issuerAndThisUpdateCheck function via a crafted packet,
    resulting in a denial of service (daemon exit) via a short timestamp.
    This is related to schema_init.c and checkTime.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:754-1
Released:    Tue Mar  9 17:10:49 2021
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1182331,1182333,1182959,CVE-2021-23840,CVE-2021-23841
This update for openssl-1_1 fixes the following issues:

- CVE-2021-23840: Fixed an Integer overflow in CipherUpdate (bsc#1182333)
- CVE-2021-23841: Fixed a Null pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331)
- Fixed unresolved error codes in FIPS (bsc#1182959).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:764-1
Released:    Thu Mar 11 13:17:18 2021
Summary:     Recommended update for rook
Type:        recommended
Severity:    moderate
References:  
This update for rook fixes the following issues:

- updated rook to version 1.5.7
  * CSI Troubleshooting Guide
  * Print device information in OSD prepare logs
  * Expose vault curl error in the OSD init container for KCS configurations
  * Prevent re-using a device to configure an OSD on PVC from a previous cluster
  * Remove crash collector if all Ceph pods moved off a node
  * Add helm annotation to keep CRDs in the helm chart during uninstall
  * Bind mgr modules to all interfaces instead of pod ip
  * Check for orchestration cancellation while waiting for all OSDs to start
  * Skip pdb reconcile on create and delete events
  * Silence harmless errors in log when the operator is still initializing
  * Add --extra-create-metadata flag to the CSI driver
  * Add deviceClass to the object store schema
  * Simplify the log-collector container name
  * Skip csi detection if CSI is disabled
  * Remove Rook pods stuck in terminating state on a failed node
  * Timeout for rgw configuration to prevent stuck object store when no healthy OSDs
  * Update lib bucket provisioner for OBCs



More information about the sle-security-updates mailing list