SUSE-CU-2021:320-1: Security update of caasp/v4.5/kube-proxy
sle-security-updates at lists.suse.com
Thu Sep 16 06:25:21 UTC 2021
SUSE Container Update Advisory: caasp/v4.5/kube-proxy
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:320-1
Container Tags : caasp/v4.5/kube-proxy:v1.18.10 , caasp/v4.5/kube-proxy:v1.18.10-rev4 , caasp/v4.5/kube-proxy:v1.18.10-rev4-build5.8.53
Container Release : 5.8.53
Severity : critical
Type : security
References : 1029961 1040589 1047218 1099521 1106014 1153687 1154935
1157818 1158812 1158958 1158959 1158960 1159491 1159715 1159847
1159850 1160309 1160438 1160439 1161268 1164719 1167471 1172091
1172115 1172234 1172236 1172240 1172308 1172505 1173641 1175448
1175449 1178561 1178577 1178624 1178675 1180851 1181874 1182016
1182372 1182604 1182936 1183268 1183589 1183628 1184124 1184326
1184399 1184614 1184761 1184967 1184994 1184997 1185046 1185221
1185239 1185325 1185331 1185540 1185807 1185958 1186015 1186049
1186114 1186447 1186503 1186561 1186579 1187060 1187091 1187105
1187210 1187212 1187292 1187400 1188063 1188217 1188218 1188219
1188220 1188571 1189206 1189465 1189520 1189521 1189534 1189554
1189683 928700 928701 CVE-2015-3414 CVE-2015-3415 CVE-2019-19244
CVE-2019-19317 CVE-2019-19603 CVE-2019-19645 CVE-2019-19646 CVE-2019-19880
CVE-2019-19923 CVE-2019-19924 CVE-2019-19925 CVE-2019-19926 CVE-2019-19959
CVE-2019-20218 CVE-2020-12049 CVE-2020-13434 CVE-2020-13435 CVE-2020-13630
CVE-2020-13631 CVE-2020-13632 CVE-2020-15358 CVE-2020-24370 CVE-2020-24371
CVE-2020-35512 CVE-2020-9327 CVE-2021-22898 CVE-2021-22922 CVE-2021-22923
CVE-2021-22924 CVE-2021-22925 CVE-2021-33560 CVE-2021-33910 CVE-2021-3541
CVE-2021-3580 CVE-2021-36222 CVE-2021-3711 CVE-2021-3712 CVE-2021-38185
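As an added example (written for this page, not part of the SUSE advisory or of any SUSE tooling), the following script audits which kube-proxy pods in a cluster already run the fixed container release. It parses the tag scheme shown in the Container Tags line (v<k8s version>[-rev<n>][-build<release>]) and compares the -build suffix with the Container Release of this advisory. Floating tags such as v1.18.10 or v1.18.10-rev4 are reported as unpinned, because they are re-pointed with every release and cannot be judged from the reference alone; digest references are reported separately since the digest has to be resolved against the registry first. The registry host registry.suse.com, the older tag v1.18.10-rev3-build5.8.40 and the pod list are constructed sample data, not real cluster output.

```python
import json
import re

# From this advisory's header: the image and the Container Release that carries all listed fixes.
FIXED_IMAGE = "caasp/v4.5/kube-proxy"
FIXED_TAG = "v1.18.10-rev4-build5.8.53"

# Tag scheme as seen in the Container Tags line: v<k8s version>[-rev<n>][-build<release>]
TAG_RE = re.compile(
    r"^v(?P<ver>\d+(?:\.\d+)*)"
    r"(?:-rev(?P<rev>\d+))?"
    r"(?:-build(?P<build>\d+(?:\.\d+)*))?$"
)


def parse_tag(tag):
    """Split a tag into (version tuple, rev or None, build tuple or None); None if unrecognised."""
    m = TAG_RE.match(tag)
    if not m:
        return None
    ver = tuple(int(x) for x in m.group("ver").split("."))
    rev = int(m.group("rev")) if m.group("rev") else None
    build = tuple(int(x) for x in m.group("build").split(".")) if m.group("build") else None
    return ver, rev, build


def split_ref(image_ref):
    """Return (repository, tag, digest) for an image reference.
    Only the last path component is inspected for ':' and '@', so a registry
    port such as registry.example:5000/... is not mistaken for a tag."""
    head, _, last = image_ref.rpartition("/")
    digest = tag = None
    if "@" in last:
        last, digest = last.split("@", 1)
    if ":" in last:
        last, tag = last.split(":", 1)
    repo = f"{head}/{last}" if head else last
    return repo, tag, digest


def classify(image_ref):
    """Judge one image reference against the fixed build.
    Only a tag with a -build suffix can be compared; floating tags and digests
    cannot be decided from the reference alone."""
    repo, tag, digest = split_ref(image_ref)
    if repo != FIXED_IMAGE and not repo.endswith("/" + FIXED_IMAGE):
        return "other-image"
    if digest:
        return "digest-pinned"   # resolve against the registry to map digest -> build
    if tag is None:
        return "unpinned"        # implicit :latest
    parsed = parse_tag(tag)
    if parsed is None:
        return "unknown-tag"
    ver, _rev, build = parsed
    fixed_ver, _fixed_rev, fixed_build = parse_tag(FIXED_TAG)
    if ver != fixed_ver:
        return "other-version"   # this advisory only covers v1.18.10 images
    if build is None:
        return "unpinned"        # v1.18.10 / v1.18.10-rev4 move with every release
    return "fixed" if build >= fixed_build else "vulnerable"


def audit_pods(podlist_json):
    """Classify every container image in `kubectl get pods -A -o json` output."""
    findings = []
    for pod in json.loads(podlist_json)["items"]:
        ns, name = pod["metadata"]["namespace"], pod["metadata"]["name"]
        for c in pod["spec"].get("containers", []):
            findings.append((ns, name, c["name"], c["image"], classify(c["image"])))
    return findings


# Constructed sample pod list (not real cluster output); the rev3/build5.8.40 tag is invented.
SAMPLE_PODS = json.dumps({"items": [
    {"metadata": {"namespace": "kube-system", "name": "kube-proxy-a1b2c"},
     "spec": {"containers": [{"name": "kube-proxy",
              "image": "registry.suse.com/caasp/v4.5/kube-proxy:v1.18.10-rev4-build5.8.53"}]}},
    {"metadata": {"namespace": "kube-system", "name": "kube-proxy-d3e4f"},
     "spec": {"containers": [{"name": "kube-proxy",
              "image": "registry.suse.com/caasp/v4.5/kube-proxy:v1.18.10-rev3-build5.8.40"}]}},
    {"metadata": {"namespace": "kube-system", "name": "kube-proxy-g5h6i"},
     "spec": {"containers": [{"name": "kube-proxy",
              "image": "registry.suse.com/caasp/v4.5/kube-proxy:v1.18.10"}]}},
    {"metadata": {"namespace": "default", "name": "web-0"},
     "spec": {"containers": [{"name": "web", "image": "nginx:1.21"}]}},
]})

if __name__ == "__main__":
    for ns, pod, ctr, image, status in audit_pods(SAMPLE_PODS):
        if status != "other-image":
            print(f"{status:13} {ns}/{pod} {ctr} {image}")
```

Pipe the output of `kubectl get pods -A -o json` into audit_pods(); anything reported as unpinned should be compared by the digest in the pod's containerStatuses imageID rather than by tag.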
-----------------------------------------------------------------
The container caasp/v4.5/kube-proxy was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1762-1
Released: Wed May 26 12:30:01 2021
Summary: Security update for curl
Type: security
Severity: moderate
References: 1186114,CVE-2021-22898
This update for curl fixes the following issues:
- CVE-2021-22898: Fixed curl TELNET stack contents disclosure (bsc#1186114).
- Allow partial chain verification [jsc#SLE-17956]
* Have intermediate certificates in the trust store be treated
as trust-anchors, in the same way as self-signed root CA
certificates are. This allows users to verify servers using
the intermediate cert only, instead of needing the whole chain.
* Set FLAG_TRUSTED_FIRST unconditionally.
* Do not check partial chains with CRL check.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1833-1
Released: Wed Jun 2 15:32:28 2021
Summary: Recommended update for zypper
Type: recommended
Severity: moderate
References: 1153687,1180851,1181874,1182372,1182936,1183268,1183589,1183628,1184997,1185239
This update for zypper fixes the following issues:
zypper was upgraded to 1.14.44:
- man page: Recommend the needs-rebooting command to test whether a system reboot is suggested.
- patch: Let a patch's reboot-needed flag overrule included packages. (bsc#1183268)
- Quickfix setting 'openSUSE_Tumbleweed' as default platform for 'MicroOS'. (bsc#1153687)
- Protect against strict/relaxed user umask via sudo. (bsc#1183589)
- xml summary: Add solvables repository alias. (bsc#1182372)
libzypp was upgraded from version 17.25.8 to version 17.25.10
- Properly handle permission denied when providing optional files. (bsc#1185239)
- Fix service detection with `cgroupv2`. (bsc#1184997)
- Add missing includes for GCC 11. (bsc#1181874)
- Fix unsafe usage of static in media verifier.
- `Solver`: Avoid segfault if no system is loaded. (bsc#1183628)
- `MediaVerifier`: Relax media set verification in case of a single not-volatile medium. (bsc#1180851)
- Do no cleanup in custom cache dirs. (bsc#1182936)
- `ZConfig`: let `pubkeyCachePath` follow `repoCachePath`.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1861-1
Released: Fri Jun 4 09:59:40 2021
Summary: Recommended update for gcc10
Type: recommended
Severity: moderate
References: 1029961,1106014,1178577,1178624,1178675,1182016
This update for gcc10 fixes the following issues:
- Disable nvptx offloading for aarch64 again since it doesn't work
- Fixed a build failure issue. (bsc#1182016)
- Fix for memory miscompilation on 'aarch64'. (bsc#1178624, bsc#1178577)
- Fix 32bit 'libgnat.so' link. (bsc#1178675)
- prepare usrmerge: Install libgcc_s into %_libdir. ABI wise it stays /%lib. (bsc#1029961)
- Build complete set of multilibs for arm-none target. (bsc#1106014)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1879-1
Released: Tue Jun 8 09:16:09 2021
Summary: Recommended update for libzypp, zypper
Type: recommended
Severity: important
References: 1184326,1184399,1184997,1185325
This update for libzypp, zypper fixes the following issues:
libzypp was updated to 17.26.0:
- Work around download.o.o broken https redirects.
- Allow trusted repos to add additional signing keys (bsc#1184326)
Repositories signed with a trusted gpg key may import additional
package signing keys. This is needed if different keys were used
to sign the packages shipped by the repository.
- MediaCurl: Fix logging of redirects.
- Use 15.3 resolver problem and solution texts on all distros.
- $ZYPP_LOCK_TIMEOUT: Let negative values wait forever for the
zypp lock (bsc#1184399)
Helps boot time services like 'zypper purge-kernels' to wait for
the zypp lock until other services using zypper have completed.
- Fix purge-kernels being broken in Leap 15.3 (bsc#1185325)
Leap 15.3 introduces a new kernel package called
kernel-flavour-extra, which contains KMPs. Currently KMPs are
detected by name '.*-kmp(-.*)?', but this does not work with
those new packages. This patch fixes the problem by checking
packages for kmod(*) and ksym(*) provides and only falls back to
name checking if the package in question does not provide one of
those.
- Introduce zypp-runpurge, a tool to run purge-kernels on
testcases.
zypper was updated to 1.14.45:
- Fix service detection with cgroupv2 (bsc#1184997)
- Add hints to 'trust GPG key' prompt.
- Add report when receiving new package signing keys from a
trusted repo (bsc#1184326)
- Added translation using Weblate (Kabyle)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1917-1
Released: Wed Jun 9 14:48:05 2021
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1186015,CVE-2021-3541
This update for libxml2 fixes the following issues:
- CVE-2021-3541: Fixed an exponential entity expansion attack that bypasses all existing protection mechanisms. (bsc#1186015)
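To show what the fixed bug class looks like from the defender's side, here is an added example (written for this page; it is neither libxml2 code nor part of the SUSE update): a pre-parse estimator for the amplification that an XML document's internal DTD entities would produce. It works on sizes only, so a multi-gigabyte expansion is never materialised, it treats a recursive entity as grounds for rejection, and it flags a document whose expansion exceeds either an absolute bound or a ratio against the bytes actually declared. It handles internal general entities only (external and parameter entities are ignored); the thresholds and the "billion laughs" sample are constructed for illustration, and the check is a screen in front of a parser, not a replacement for a patched libxml2.

```python
import re

# Internal general entity declarations, e.g. <!ENTITY lol "lol">. External and
# parameter entities (%name;) are deliberately ignored by this estimator.
ENTITY_DECL_RE = re.compile(r'<!ENTITY\s+([A-Za-z_][\w.-]*)\s+(?:"([^"]*)"|\'([^\']*)\')\s*>')
ENTITY_REF_RE = re.compile(r'&([A-Za-z_][\w.-]*);')
DOCTYPE_RE = re.compile(r'<!DOCTYPE[^\[>]*\[(.*?)\]\s*>', re.S)
PREDEFINED = {"lt", "gt", "amp", "apos", "quot"}   # each expands to one character


def _entity_size(name, ents, memo, stack):
    """Characters the entity expands to, computed from sizes alone (the
    expansion itself is never built, so a 3 GB result costs a few integers)."""
    if name in memo:
        return memo[name]
    if name in PREDEFINED:
        return 1
    if name not in ents:
        return len(name) + 2           # undeclared: a real parser errors; count the literal text
    if name in stack:
        raise ValueError(f"recursive entity reference: &{name};")
    stack.add(name)
    value, size, last = ents[name], 0, 0
    for m in ENTITY_REF_RE.finditer(value):
        size += (m.start() - last) + _entity_size(m.group(1), ents, memo, stack)
        last = m.end()
    size += len(value) - last
    stack.discard(name)
    memo[name] = size
    return size


def check_entity_expansion(doc, max_expanded=10_000_000, max_ratio=1000.0):
    """Estimate the expanded size of all entity references in the document body
    and the amplification ratio against the bytes actually declared.
    Thresholds are illustrative defaults, not values from any parser."""
    ents, body = {}, doc
    m = DOCTYPE_RE.search(doc)
    if m:
        for name, dq, sq in ENTITY_DECL_RE.findall(m.group(1)):
            ents.setdefault(name, dq if dq else sq)   # XML: first declaration wins
        body = doc[:m.start()] + doc[m.end():]
    declared = sum(len(v) for v in ents.values())
    memo = {}
    try:
        expanded = sum(_entity_size(r.group(1), ents, memo, set())
                       for r in ENTITY_REF_RE.finditer(body))
    except ValueError as exc:
        return {"ok": False, "reason": str(exc), "expanded": None, "declared": declared, "ratio": None}
    ratio = expanded / declared if declared else 0.0
    ok = expanded <= max_expanded and ratio <= max_ratio
    return {"ok": ok, "reason": "ok" if ok else "entity expansion too large",
            "expanded": expanded, "declared": declared, "ratio": ratio}


def _billion_laughs(depth=9, fanout=10):
    """Constructed classic 'billion laughs' document: lol9 expands to 3 * 10**9 characters."""
    decls = ['<!ENTITY lol "lol">']
    for i in range(1, depth + 1):
        ref = f"&lol{'' if i == 1 else i - 1};" * fanout
        decls.append(f'<!ENTITY lol{i} "{ref}">')
    return ('<?xml version="1.0"?>\n<!DOCTYPE lolz [\n' + "\n".join(decls)
            + f'\n]>\n<lolz>&lol{depth};</lolz>')


# Constructed sample inputs.
BILLION_LAUGHS = _billion_laughs()
BENIGN = '<!DOCTYPE note [<!ENTITY co "Example Corp">]>\n<note>&co; and &co;</note>'
RECURSIVE = '<!DOCTYPE a [<!ENTITY x "&y;"><!ENTITY y "&x;">]><a>&x;</a>'

if __name__ == "__main__":
    for label, doc in (("billion laughs", BILLION_LAUGHS), ("benign", BENIGN), ("recursive", RECURSIVE)):
        print(label, check_entity_expansion(doc))
```

Run the check on untrusted XML before handing it to the real parser; a document that fails it should be rejected outright rather than parsed with a larger limit.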
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1953-1
Released: Thu Jun 10 16:18:50 2021
Summary: Recommended update for gpg2
Type: recommended
Severity: moderate
References: 1161268,1172308
This update for gpg2 fixes the following issues:
- Fixed an issue where the gpg-agent's ssh-agent did not handle flags
in signing requests properly (bsc#1161268 and bsc#1172308).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2143-1
Released: Wed Jun 23 16:27:04 2021
Summary: Security update for libnettle
Type: security
Severity: important
References: 1187060,CVE-2021-3580
This update for libnettle fixes the following issues:
- CVE-2021-3580: Fixed a remote denial of service in the RSA decryption via manipulated ciphertext (bsc#1187060).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2157-1
Released: Thu Jun 24 15:40:14 2021
Summary: Security update for libgcrypt
Type: security
Severity: important
References: 1187212,CVE-2021-33560
This update for libgcrypt fixes the following issues:
- CVE-2021-33560: Fixed a side-channel against ElGamal encryption, caused by missing exponent blinding (bsc#1187212).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2173-1
Released: Mon Jun 28 14:59:45 2021
Summary: Recommended update for automake
Type: recommended
Severity: moderate
References: 1040589,1047218,1182604,1185540,1186049
This update for automake fixes the following issues:
- Make generated autoconf makefiles reproducible (bsc#1182604)
- Add fix to avoid date variations in docs. (bsc#1047218, jsc#SLE-17848)
- Avoid bashisms in test-driver script. (bsc#1185540)
This update for pcre fixes the following issues:
- Do not run profiling 'check' in parallel to make package build reproducible. (bsc#1040589)
This update for brp-check-suse fixes the following issues:
- Add fixes to support reproducible builds. (bsc#1186049)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2178-1
Released: Mon Jun 28 15:56:15 2021
Summary: Recommended update for systemd-presets-common-SUSE
Type: recommended
Severity: moderate
References: 1186561
This update for systemd-presets-common-SUSE fixes the following issues:
When installing the systemd-presets-common-SUSE package for the
first time in a new system, it might happen that some services
are installed before systemd, so the %systemd_pre/post macros
would not work. This is handled by enabling all preset services
in this package's %posttrans section, but it was enabling only
system services, not user services. Now it also enables the
user services installed before this package. (bsc#1186561)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2196-1
Released: Tue Jun 29 09:41:39 2021
Summary: Security update for lua53
Type: security
Severity: moderate
References: 1175448,1175449,CVE-2020-24370,CVE-2020-24371
This update for lua53 fixes the following issues:
Update to version 5.3.6:
- CVE-2020-24371: lgc.c mishandles the interaction between barriers and the sweep phase, leading to a memory access violation involving collectgarbage (bsc#1175449)
- CVE-2020-24370: ldebug.c allows a negation overflow and segmentation fault in getlocal and setlocal (bsc#1175448)
- Long brackets with a huge number of '=' overflow some internal buffer arithmetic.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2205-1
Released: Wed Jun 30 09:17:41 2021
Summary: Recommended update for openldap2
Type: recommended
Severity: important
References: 1187210
This update for openldap2 fixes the following issues:
- Resolve issues in the idle / connection 'TTL' timeout implementation in OpenLDAP. (bsc#1187210)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2210-1
Released: Wed Jun 30 13:00:09 2021
Summary: Recommended update for lvm2
Type: recommended
Severity: moderate
References: 1184124
This update for lvm2 fixes the following issues:
- Link test as position independent executable and update packages with non-PIE binaries. (bsc#1184124)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2229-1
Released: Thu Jul 1 20:40:37 2021
Summary: Recommended update for release packages
Type: recommended
Severity: moderate
References: 1099521,1185221
This update for the release packages provides the following fixes:
- Fix grub menu entries after migration from SLE-12*. (bsc#1099521)
- Adjust the sles-release changelog to include an entry for the previous release that was
reverting a broken change. (bsc#1185221)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2246-1
Released: Mon Jul 5 15:17:49 2021
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1154935,1167471,1178561,1184761,1184967,1185046,1185331,1185807,1185958,1187292,1187400
This update for systemd fixes the following issues:
- cgroup: Parse infinity properly for memory protections. (bsc#1167471)
- cgroup: Make empty assignments reset to default. (bsc#1167471)
- cgroup: Support 0-value for memory protection directives. (bsc#1167471)
- core/cgroup: Fixed an issue with ignored parameter of 'MemorySwapMax=0'. (bsc#1154935)
- bus-unit-util: Add proper 'MemorySwapMax' serialization.
- core: Accept MemorySwapMax= properties that are scaled.
- execute: Make sure to call into PAM after initializing resource limits. (bsc#1184967)
- core: Rename 'ShutdownWatchdogSec' to 'RebootWatchdogSec'. (bsc#1185331)
- Return -EAGAIN instead of -EALREADY from unit_reload. (bsc#1185046)
- rules: Don't ignore Xen virtual interfaces anymore. (bsc#1178561)
- write_net_rules: Set execute bits. (bsc#1178561)
- udev: Rework network device renaming.
- Revert 'Revert 'udev: Network device renaming - immediately give up if the target name isn't available''
- mount-util: tape over name_to_handle_at() flakiness (#7517) (bsc#1184761)
- core: fix output (logging) for mount units (#7603) (bsc#1187400)
- udev requires systemd in its %post (bsc#1185958)
- Create /run/lock/subsys again (bsc#1187292)
  The creation of this directory was mistakenly dropped when the
  'filesystem' package took over the initialization of the generic paths.
- Expect 644 permissions for /usr/lib/udev/compat-symlink-generation (bsc#1185807)
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:2249-1
Released: Mon Jul 5 15:40:46 2021
Summary: Optional update for gnutls
Type: optional
Severity: low
References: 1047218,1186579
This update for gnutls does not fix any user visible issues. It is therefore optional to install.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2273-1
Released: Thu Jul 8 09:48:48 2021
Summary: Recommended update for libzypp, zypper
Type: recommended
Severity: moderate
References: 1186447,1186503
This update for libzypp, zypper fixes the following issues:
- Enhance XML output of repo GPG options
- Add optional attributes showing the raw values actually present in the '.repo' file.
- Link all executables with -PIE (bsc#1186447)
- Ship an empty '/etc/zypp/needreboot' per default (jsc#PM-2645)
- Add 'Solvable::isBlacklisted' as superset of retracted and ptf packages (bsc#1186503)
- Fix segv if 'ZYPP_FULLOG' is set.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2292-1
Released: Mon Jul 12 08:25:20 2021
Summary: Security update for dbus-1
Type: security
Severity: important
References: 1187105,CVE-2020-35512
This update for dbus-1 fixes the following issues:
- CVE-2020-35512: Fixed a use-after-free or potential undefined behaviour caused by shared UIDs (bsc#1187105)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2320-1
Released: Wed Jul 14 17:01:06 2021
Summary: Security update for sqlite3
Type: security
Severity: important
References: 1157818,1158812,1158958,1158959,1158960,1159491,1159715,1159847,1159850,1160309,1160438,1160439,1164719,1172091,1172115,1172234,1172236,1172240,1173641,928700,928701,CVE-2015-3414,CVE-2015-3415,CVE-2019-19244,CVE-2019-19317,CVE-2019-19603,CVE-2019-19645,CVE-2019-19646,CVE-2019-19880,CVE-2019-19923,CVE-2019-19924,CVE-2019-19925,CVE-2019-19926,CVE-2019-19959,CVE-2019-20218,CVE-2020-13434,CVE-2020-13435,CVE-2020-13630,CVE-2020-13631,CVE-2020-13632,CVE-2020-15358,CVE-2020-9327
This update for sqlite3 fixes the following issues:
- Update to version 3.36.0
- CVE-2020-15358: heap-based buffer overflow in multiSelectOrderBy due to mishandling of query-flattener
optimization (bsc#1173641)
- CVE-2020-9327: NULL pointer dereference and segmentation fault because of generated column optimizations in
isAuxiliaryVtabOperator (bsc#1164719)
- CVE-2019-20218: selectExpander in select.c proceeds with WITH stack unwinding even after a parsing error (bsc#1160439)
- CVE-2019-19959: memory-management error via ext/misc/zipfile.c involving embedded '\0' input (bsc#1160438)
- CVE-2019-19923: improper handling of certain uses of SELECT DISTINCT in flattenSubquery may lead to null pointer
dereference (bsc#1160309)
- CVE-2019-19924: improper error handling in sqlite3WindowRewrite() (bsc#1159850)
- CVE-2019-19925: improper handling of NULL pathname during an update of a ZIP archive (bsc#1159847)
- CVE-2019-19926: improper handling of certain errors during parsing multiSelect in select.c (bsc#1159715)
- CVE-2019-19880: exprListAppendList in window.c allows attackers to trigger an invalid pointer dereference
(bsc#1159491)
- CVE-2019-19603: during handling of CREATE TABLE and CREATE VIEW statements, does not consider confusion with
a shadow table name (bsc#1158960)
- CVE-2019-19646: pragma.c mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated
columns (bsc#1158959)
- CVE-2019-19645: alter.c allows attackers to trigger infinite recursion via certain types of self-referential views
in conjunction with ALTER TABLE statements (bsc#1158958)
- CVE-2019-19317: lookupName in resolve.c omits bits from the colUsed bitmask in the case of a generated column,
which allows attackers to cause a denial of service (bsc#1158812)
- CVE-2019-19244: The function sqlite3Select in select.c allows a crash if a sub-select uses both DISTINCT
and window functions, and also has certain ORDER BY usage (bsc#1157818)
- CVE-2015-3415: sqlite3VdbeExec comparison operator vulnerability (bsc#928701)
- CVE-2015-3414: dequoting of collation-sequence names (bsc#928700)
- CVE-2020-13434: integer overflow in sqlite3_str_vappendf (bsc#1172115)
- CVE-2020-13630: use-after-free in fts3EvalNextRow (bsc#1172234)
- CVE-2020-13631: virtual table allowed to be renamed to one of its shadow tables (bsc#1172236)
- CVE-2020-13632: NULL pointer dereference via crafted matchinfo() query (bsc#1172240)
- CVE-2020-13435: Malicious SQL statements could have crashed the process that is running SQLite (bsc#1172091)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2404-1
Released: Tue Jul 20 14:21:30 2021
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1184994,1188063,CVE-2021-33910
This update for systemd fixes the following issues:
- CVE-2021-33910: Fixed a denial of service in systemd via unit_name_path_escape() (bsc#1188063)
- Skip udev rules if 'elevator=' is used (bsc#1184994)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2439-1
Released: Wed Jul 21 13:46:48 2021
Summary: Security update for curl
Type: security
Severity: moderate
References: 1188217,1188218,1188219,1188220,CVE-2021-22922,CVE-2021-22923,CVE-2021-22924,CVE-2021-22925
This update for curl fixes the following issues:
- CVE-2021-22925: TELNET stack contents disclosure again. (bsc#1188220)
- CVE-2021-22924: Bad connection reuse due to flawed path name checks. (bsc#1188219)
- CVE-2021-22923: Insufficiently Protected Credentials. (bsc#1188218)
- CVE-2021-22922: Wrong content via metalink not discarded. (bsc#1188217)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2456-1
Released: Thu Jul 22 15:28:39 2021
Summary: Recommended update for pam-config
Type: recommended
Severity: moderate
References: 1187091
This update for pam-config fixes the following issues:
- Add 'revoke' to the option list for 'pam_keyinit'.
- Fixed an issue when pam-config fails to create a new service config file. (bsc#1187091)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2689-1
Released: Mon Aug 16 10:54:52 2021
Summary: Security update for cpio
Type: security
Severity: important
References: 1189206,CVE-2021-38185
This update for cpio fixes the following issues:
- CVE-2021-38185: Fixed an integer overflow that could lead to remote code execution (bsc#1189206)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2763-1
Released: Tue Aug 17 17:16:22 2021
Summary: Recommended update for cpio
Type: recommended
Severity: critical
References: 1189465
This update for cpio fixes the following issues:
- A regression in the last update caused builds to hang on various architectures (bsc#1189465)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2780-1
Released: Thu Aug 19 16:09:15 2021
Summary: Recommended update for cpio
Type: recommended
Severity: critical
References: 1189465,CVE-2021-38185
This update for cpio fixes the following issues:
- A regression in the previous update could lead to crashes (bsc#1189465)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2800-1
Released: Fri Aug 20 10:43:04 2021
Summary: Security update for krb5
Type: security
Severity: important
References: 1188571,CVE-2021-36222
This update for krb5 fixes the following issues:
- CVE-2021-36222: Fixed KDC null deref on bad encrypted challenge. (bsc#1188571)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2810-1
Released: Mon Aug 23 12:14:30 2021
Summary: Security update for dbus-1
Type: security
Severity: moderate
References: 1172505,CVE-2020-12049
This update for dbus-1 fixes the following issues:
- CVE-2020-12049: truncated messages lead to resource exhaustion. (bsc#1172505)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2830-1
Released: Tue Aug 24 16:20:18 2021
Summary: Security update for openssl-1_1
Type: security
Severity: important
References: 1189520,1189521,CVE-2021-3711,CVE-2021-3712
This update for openssl-1_1 fixes the following security issues:
- CVE-2021-3711: A bug in the implementation of the SM2 decryption code
could lead to buffer overflows. [bsc#1189520]
- CVE-2021-3712: a bug in the code for printing certificate details could
lead to a buffer overrun that a malicious actor could exploit to crash
the application, causing a denial-of-service attack. [bsc#1189521]
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2938-1
Released: Fri Sep 3 09:19:36 2021
Summary: Recommended update for openldap2
Type: recommended
Severity: moderate
References: 1184614
This update for openldap2 fixes the following issue:
- openldap2-contrib is shipped to the Legacy Module. (bsc#1184614)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2966-1
Released: Tue Sep 7 09:49:14 2021
Summary: Security update for openssl-1_1
Type: security
Severity: low
References: 1189521,CVE-2021-3712
This update for openssl-1_1 fixes the following issues:
- CVE-2021-3712: Completed the earlier, incomplete fix for read buffer
overruns when processing ASN.1 strings (bsc#1189521).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3001-1
Released: Thu Sep 9 15:08:13 2021
Summary: Recommended update for netcfg
Type: recommended
Severity: moderate
References: 1189683
This update for netcfg fixes the following issues:
- Add the 'submissions' port/protocol to the services file for message submission over TLS [bsc#1189683]
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3030-1
Released: Tue Sep 14 09:27:45 2021
Summary: Recommended update for patterns-base
Type: recommended
Severity: moderate
References: 1189534,1189554
This update of patterns-base fixes the following issue:
- The fips pattern should also install 'openssh-fips' if 'openssh' is installed (bsc#1189554 bsc#1189534)