SUSE-CU-2021:506-1: Security update of bci/golang

sle-security-updates at lists.suse.com sle-security-updates at lists.suse.com
Sat Nov 13 07:30:51 UTC 2021


SUSE Container Update Advisory: bci/golang
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:506-1
Container Tags        : bci/golang:1.16
Container Release     : 5.1
Severity              : important
Type                  : security
References            : 1172973 1172974 1177127 1179898 1179899 1179900 1179901 1179902
                        1179903 1180451 1180454 1180461 1181452 1182252 1183511 1183909
                        1184519 1184620 1184794 1186503 1186602 1187224 1187425 1187466
                        1187738 1187760 1188156 1188435 1188941 1189031 1190059 1190199
                        1190465 1190712 1190815 1190850 1191473 1191987 1192267 CVE-2019-20838
                        CVE-2020-14155 CVE-2020-16590 CVE-2020-16591 CVE-2020-16592 CVE-2020-16593
                        CVE-2020-16598 CVE-2020-16599 CVE-2020-35448 CVE-2020-35493 CVE-2020-35496
                        CVE-2020-35507 CVE-2021-20197 CVE-2021-20284 CVE-2021-20294 CVE-2021-3487
-----------------------------------------------------------------

The container bci/golang was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2020:3026-1
Released:    Fri Oct 23 15:35:49 2020
Summary:     Optional update for the Public Cloud Module
Type:        optional
Severity:    moderate
References:  

This update adds the Google Cloud Storage packages to the Public Cloud module (jsc#ECO-2398).
The following packages were included:

- python3-grpcio
- python3-protobuf
- python3-google-api-core
- python3-google-cloud-core
- python3-google-cloud-storage
- python3-google-resumable-media
- python3-googleapis-common-protos
- python3-grpcio-gcp
- python3-mock (updated to version 3.0.5)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:294-1
Released:    Wed Feb  3 12:54:28 2021
Summary:     Recommended update for libprotobuf
Type:        recommended
Severity:    moderate
References:  

libprotobuf was updated to fix:

- ship the libprotobuf-lite15 on the basesystem module and the INSTALLER channel. (jsc#ECO-2911)
  
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:656-1
Released:    Mon Mar  1 09:34:21 2021
Summary:     Recommended update for protobuf
Type:        recommended
Severity:    moderate
References:  1177127
This update for protobuf fixes the following issues:

- Add missing dependency of python subpackages on python-six. (bsc#1177127)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3501-1
Released:    Fri Oct 22 10:42:46 2021
Summary:     Recommended update for libzypp, zypper, libsolv, protobuf
Type:        recommended
Severity:    moderate
References:  1186503,1186602,1187224,1187425,1187466,1187738,1187760,1188156,1188435,1189031,1190059,1190199,1190465,1190712,1190815
This update for libzypp, zypper, libsolv and protobuf fixes the following issues:

- Choice rules: treat orphaned packages as newest (bsc#1190465)
- Avoid calling 'su' to detect a too restrictive sudo user umask (bsc#1186602)
- Do not check of signatures and keys two times(redundant) (bsc#1190059)
- Rephrase vendor conflict message in case 2 packages are involved (bsc#1187760)
- Show key fpr from signature when signature check fails (bsc#1187224)
- Fix solver jobs for PTFs (bsc#1186503)
- Fix purge-kernels fails (bsc#1187738)
- Fix obs:// platform guessing for Leap (bsc#1187425)
- Make sure to keep states alives while transitioning. (bsc#1190199)
- Manpage: Improve description about patch updates(bsc#1187466)
- Manpage: Recommend the needs-rebooting command to test whether a system reboot is suggested.
- Fix kernel-*-livepatch removal in purge-kernels. (bsc#1190815)
- Fix crashes in logging code when shutting down (bsc#1189031)
- Do not download full files even if the checkExistsOnly flag is set. (bsc#1190712)
- Add need reboot/restart hint to XML install summary (bsc#1188435)
- Prompt: choose exact match if prompt options are not prefix free (bsc#1188156)
- Include libprotobuf-lite20 in products to enable parallel downloads. (jsc#ECO-2911, jsc#SLE-16862)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3510-1
Released:    Tue Oct 26 11:22:15 2021
Summary:     Recommended update for pam
Type:        recommended
Severity:    important
References:  1191987
This update for pam fixes the following issues:

- Fixed a bad directive file which resulted in
  the 'securetty' file to be installed as 'macros.pam'.
  (bsc#1191987)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3529-1
Released:    Wed Oct 27 09:23:32 2021
Summary:     Security update for pcre
Type:        security
Severity:    moderate
References:  1172973,1172974,CVE-2019-20838,CVE-2020-14155
This update for pcre fixes the following issues:

Update pcre to version 8.45:

- CVE-2020-14155: Fixed integer overflow via a large number after a '(?C' substring (bsc#1172974).
- CVE-2019-20838: Fixed buffer over-read in JIT compiler (bsc#1172973)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3564-1
Released:    Wed Oct 27 16:12:08 2021
Summary:     Recommended update for rpm-config-SUSE
Type:        recommended
Severity:    moderate
References:  1190850
This update for rpm-config-SUSE fixes the following issues:

- Support ZSTD compressed kernel modules. (bsc#1190850)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3616-1
Released:    Thu Nov  4 12:29:16 2021
Summary:     Security update for binutils
Type:        security
Severity:    moderate
References:  1179898,1179899,1179900,1179901,1179902,1179903,1180451,1180454,1180461,1181452,1182252,1183511,1184620,1184794,CVE-2020-16590,CVE-2020-16591,CVE-2020-16592,CVE-2020-16593,CVE-2020-16598,CVE-2020-16599,CVE-2020-35448,CVE-2020-35493,CVE-2020-35496,CVE-2020-35507,CVE-2021-20197,CVE-2021-20284,CVE-2021-3487
This update for binutils fixes the following issues:

Update to binutils 2.37:

* The GNU Binutils sources now requires a C99 compiler and library to
  build.
* Support for Realm Management Extension (RME) for AArch64 has been
  added.
* A new linker option '-z report-relative-reloc' for x86 ELF targets
  has been added to report dynamic relative relocations.
* A new linker option '-z start-stop-gc' has been added to disable
  special treatment of __start_*/__stop_* references when
  --gc-sections.
* A new linker options '-Bno-symbolic' has been added which will
  cancel the '-Bsymbolic' and '-Bsymbolic-functions' options.
* The readelf tool has a new command line option which can be used to
  specify how the numeric values of symbols are reported.
  --sym-base=0|8|10|16 tells readelf to display the values in base 8,
  base 10 or base 16.  A sym base of 0 represents the default action
  of displaying values under 10000 in base 10 and values above that in
  base 16.
* A new format has been added to the nm program.  Specifying
  '--format=just-symbols' (or just using -j) will tell the program to
  only display symbol names and nothing else.
* A new command line option '--keep-section-symbols' has been added to
  objcopy and strip.  This stops the removal of unused section symbols
  when the file is copied.  Removing these symbols saves space, but
  sometimes they are needed by other tools.
* The '--weaken', '--weaken-symbol' and '--weaken-symbols' options
  supported by objcopy now make undefined symbols weak on targets that
  support weak symbols. 
* Readelf and objdump can now display and use the contents of .debug_sup
  sections.
* Readelf and objdump will now follow links to separate debug info
  files by default.  This behaviour can be stopped via the use of the
  new '-wN' or '--debug-dump=no-follow-links' options for readelf and
  the '-WN' or '--dwarf=no-follow-links' options for objdump.  Also
  the old behaviour can be restored by the use of the
  '--enable-follow-debug-links=no' configure time option.

  The semantics of the =follow-links option have also been slightly
  changed.  When enabled, the option allows for the loading of symbol
  tables and string tables from the separate files which can be used
  to enhance the information displayed when dumping other sections,
  but it does not automatically imply that information from the
  separate files should be displayed.

  If other debug section display options are also enabled (eg
  '--debug-dump=info') then the contents of matching sections in both
  the main file and the separate debuginfo file *will* be displayed.
  This is because in most cases the debug section will only be present
  in one of the files.

  If however non-debug section display options are enabled (eg
  '--sections') then the contents of matching parts of the separate
  debuginfo file will *not* be displayed.  This is because in most
  cases the user probably only wanted to load the symbol information
  from the separate debuginfo file.  In order to change this behaviour
  a new command line option --process-links can be used.  This will
  allow di0pslay options to applied to both the main file and any
  separate debuginfo files.

* Nm has a new command line option: '--quiet'.  This suppresses 'no
  symbols' diagnostic.

Update to binutils 2.36:

New features in the Assembler:

- General:

   * When setting the link order attribute of ELF sections, it is now
     possible to use a numeric section index instead of symbol name.
   * Added a .nop directive to generate a single no-op instruction in
     a target neutral manner.  This instruction does have an effect on
     DWARF line number generation, if that is active.
   * Removed --reduce-memory-overheads and --hash-size as gas now
     uses hash tables that can be expand and shrink automatically.

- X86/x86_64:

   * Add support for AVX VNNI, HRESET, UINTR, TDX, AMX and Key
     Locker instructions. 
   * Support non-absolute segment values for lcall and ljmp.
   * Add {disp16} pseudo prefix to x86 assembler.
   * Configure with --enable-x86-used-note by default for Linux/x86.

-  ARM/AArch64:

   * Add support for Cortex-A78, Cortex-A78AE and Cortex-X1,
     Cortex-R82, Neoverse V1, and Neoverse N2 cores.
   * Add support for ETMv4 (Embedded Trace Macrocell), ETE (Embedded
     Trace Extension), TRBE (Trace Buffer Extension), CSRE (Call
     Stack Recorder Extension) and BRBE (Branch Record Buffer
     Extension) system registers.
   * Add support for Armv8-R and Armv8.7-A ISA extensions.
   * Add support for DSB memory nXS barrier, WFET and WFIT
     instruction for Armv8.7.
   * Add support for +csre feature for -march. Add CSR PDEC
     instruction for CSRE feature in AArch64.
   * Add support for +flagm feature for -march in Armv8.4 AArch64.
   * Add support for +ls64 feature for -march in Armv8.7
     AArch64. Add atomic 64-byte load/store instructions for this
     feature. 
   * Add support for +pauth (Pointer Authentication) feature for
     -march in AArch64.

New features in the Linker:

  * Add --error-handling-script=<NAME> command line option to allow
    a helper script to be invoked when an undefined symbol or a
    missing library is encountered.  This option can be suppressed
    via the configure time switch: --enable-error-handling-script=no.
  * Add -z x86-64-{baseline|v[234]} to the x86 ELF linker to mark
    x86-64-{baseline|v[234]} ISA level as needed.
  * Add -z unique-symbol to avoid duplicated local symbol names.
  * The creation of PE format DLLs now defaults to using a more
    secure set of DLL characteristics.
  * The linker now deduplicates the types in .ctf sections.  The new 
     command-line option --ctf-share-types describes how to do this:
     its default value, share-unconflicted, produces the most compact
     output.
  * The linker now omits the 'variable section' from .ctf sections
    by default, saving space.  This is almost certainly what you
    want unless you are working on a project that has its own
    analogue of symbol tables that are not reflected in the ELF
    symtabs.

New features in other binary tools:

  * The ar tool's previously unused l modifier is now used for
    specifying dependencies of a static library. The arguments of
    this option (or --record-libdeps long form option) will be
    stored verbatim in the __.LIBDEP member of the archive, which
    the linker may read at link time.
  * Readelf can now display the contents of LTO symbol table
    sections when asked to do so via the --lto-syms command line
    option.
  * Readelf now accepts the -C command line option to enable the
    demangling of symbol names.  In addition the --demangle=<style>,
    --no-demangle, --recurse-limit and --no-recurse-limit options
    are also now availale.

The following security fixes are addressed by the update:

- CVE-2021-20197: Fixed a race condition which allows users to own arbitrary files (bsc#1181452).
- CVE-2021-20284: Fixed a heap-based buffer overflow in _bfd_elf_slurp_secondary_reloc_section in elf.c (bsc#1183511).
- CVE-2021-3487: Fixed a denial of service via excessive debug section size causing excessive memory consumption in bfd's dwarf2.c read_section() (bsc#1184620).
- CVE-2020-35448: Fixed a heap-based buffer over-read in bfd_getl_signed_32() in libbfd.c (bsc#1184794).
- CVE-2020-16590: Fixed a double free vulnerability in process_symbol_table() (bsc#1179898).
- CVE-2020-16591: Fixed an invalid read in process_symbol_table() (bsc#1179899).
- CVE-2020-16592: Fixed an use-after-free in bfd_hash_lookup() (bsc#1179900).
- CVE-2020-16593: Fixed a null pointer dereference in scan_unit_for_symbols() (bsc#1179901).
- CVE-2020-16598: Fixed a null pointer dereference in debug_get_real_type() (bsc#1179902).
- CVE-2020-16599: Fixed a null pointer dereference in _bfd_elf_get_symbol_version_string() (bsc#1179903)
- CVE-2020-35493: Fixed heap-based buffer overflow in bfd_pef_parse_function_stubs function in bfd/pef.c via crafted PEF file (bsc#1180451).
- CVE-2020-35496: Fixed multiple null pointer dereferences in bfd module due to not checking return value of bfd_malloc (bsc#1180454).
- CVE-2020-35507: Fixed a null pointer dereference in bfd_pef_parse_function_stubs() (bsc#1180461).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3643-1
Released:    Tue Nov  9 19:32:18 2021
Summary:     Security update for binutils
Type:        security
Severity:    moderate
References:  1183909,1184519,1188941,1191473,1192267,CVE-2021-20294
This update for binutils fixes the following issues:

- For compatibility on old code stream that expect 'brcl 0,label' to
  not be disassembled as 'jgnop label' on s390x.  (bsc#1192267)
  This reverts IBM zSeries HLASM support for now.
- Fixed that ppc64 optflags did not enable LTO (bsc#1188941).
- Fix empty man-pages from broken release tarball
- Fixed a memory corruption with rpath option (bsc#1191473).
- Fixed slow performance of stripping some binaries (bsc#1183909).

Security issue fixed:

- CVE-2021-20294: Fixed out-of-bounds write in print_dynamic_symbol in readelf (bnc#1184519)



The following package changes have been done:

- binutils-2.37-7.26.1 updated
- libctf-nobfd0-2.37-7.26.1 updated
- libctf0-2.37-7.26.1 updated
- libpcre1-8.45-20.10.1 updated
- libprotobuf-lite20-3.9.2-4.9.1 added
- libsolv-tools-0.7.20-9.2 updated
- libzypp-17.28.5-15.2 updated
- pam-1.3.0-6.50.1 updated
- rpm-config-SUSE-1-5.3.1 updated
- zypper-1.14.49-16.1 updated
- container:sles15-image-15.0.0-17.8.31 updated


More information about the sle-security-updates mailing list