SUSE-CU-2022:765-1: Security update of bci/golang

sle-security-updates at lists.suse.com sle-security-updates at lists.suse.com
Wed Apr 27 08:45:40 UTC 2022


SUSE Container Update Advisory: bci/golang
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2022:765-1
Container Tags        : bci/golang:1.17 , bci/golang:1.17-15.2
Container Release     : 15.2
Severity              : important
Type                  : security
References            : 1102408 1115550 1139937 1149429 1168930 1174162 1183026 1183137
                        1183580 1187937 1190552 1190649 1190975 1191157 1192023 1193722
                        1194251 1194362 1194474 1194476 1194477 1194478 1194479 1194480
                        1195054 1195217 1195628 1196025 1196025 1196026 1196107 1196168
                        1196169 1196171 1196647 1196784 1196939 1197004 1198423 1198424
                        CVE-2018-20843 CVE-2019-15903 CVE-2021-21300 CVE-2021-28041 CVE-2021-41617
                        CVE-2021-45960 CVE-2021-46143 CVE-2022-22822 CVE-2022-22823 CVE-2022-22824
                        CVE-2022-22825 CVE-2022-22826 CVE-2022-22827 CVE-2022-23852 CVE-2022-23990
                        CVE-2022-24675 CVE-2022-25235 CVE-2022-25236 CVE-2022-25236 CVE-2022-25313
                        CVE-2022-25314 CVE-2022-25315 CVE-2022-28327 
-----------------------------------------------------------------

The container bci/golang was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1835-1
Released:    Fri Jul 12 18:06:31 2019
Summary:     Security update for expat
Type:        security
Severity:    moderate
References:  1139937,CVE-2018-20843
This update for expat fixes the following issues:

Security issue fixed:

- CVE-2018-20843: Fixed a denial of service triggered by high resource consumption 
  in the XML parser when XML names contain a large amount of colons (bsc#1139937).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2429-1
Released:    Mon Sep 23 09:28:40 2019
Summary:     Security update for expat
Type:        security
Severity:    moderate
References:  1149429,CVE-2019-15903
This update for expat fixes the following issues:

Security issues fixed:

- CVE-2019-15903: Fixed heap-based buffer over-read caused by crafted XML input. (bsc#1149429)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2146-1
Released:    Wed Jun 23 17:55:14 2021
Summary:     Recommended update for openssh
Type:        recommended
Severity:    moderate
References:  1115550,1174162
This update for openssh fixes the following issues:

- Fixed a race condition leading to a sshd termination of multichannel sessions with non-root users (bsc#1115550, bsc#1174162).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2555-1
Released:    Thu Jul 29 08:29:55 2021
Summary:     Security update for git
Type:        security
Severity:    moderate
References:  1168930,1183026,1183580,CVE-2021-21300
This update for git fixes the following issues:

Update from version 2.26.2 to version 2.31.1 (jsc#SLE-18152)

Security fixes:

- CVE-2021-21300: On case-insensitive file systems with support for symbolic links, if Git is configured globally 
  to apply delay-capable clean/smudge filters (such as Git LFS), Git could run remote code during a clone. (bsc#1183026)

Non security changes:

- Add `sysusers` file to create `git-daemon` user.
- Remove `perl-base` and `openssh-server` dependency on `git-core`and provide a `perl-Git` package. (jsc#SLE-17838)
- `fsmonitor` bug fixes
- Fix `git bisect` to take an annotated tag as a good/bad endpoint
- Fix a corner case in `git mv` on case insensitive systems
- Require only `openssh-clients` where possible (like Tumbleweed or SUSE Linux Enterprise >= 15 SP3). (bsc#1183580)
- Drop `rsync` requirement, not necessary anymore.
- Use of `pack-redundant` command is discouraged and will trigger a warning. The replacement is `repack -d`.
- The `--format=%(trailers)` mechanism gets enhanced to make it easier to design output for machine consumption.
- No longer give message to choose between rebase or merge upon pull if the history `fast-forwards`.
- The configuration variable `core.abbrev` can be set to `no` to force no abbreviation regardless of the hash algorithm
- `git rev-parse` can be explicitly told to give output as absolute or relative path with the 
  `--path-format=(absolute|relative)` option.
- Bash completion update to make it easier for end-users to add completion for their custom `git` subcommands.
- `git maintenance` learned to drive scheduled maintenance on platforms whose native scheduling methods are not 'cron'.
- After expiring a reflog and making a single commit, the reflog for the branch would record a single entry that 
  knows both `@{0}` and `@{1}`, but we failed to answer 'what commit were we on?', i.e. `@{1}`
- `git bundle` learns `--stdin` option to read its refs from the standard input.  
  Also, it now does not lose refs when they point at the same object.
- `git log` learned a new `--diff-merges=<how>` option.
- `git ls-files` can and does show multiple entries when the index is unmerged, which is a source for confusion 
  unless `-s/-u` option is in use.  A new option `--deduplicate` has been introduced.
- `git worktree list` now annotates worktrees as prunable, shows locked and prunable attributes 
  in `--porcelain mode`, and gained a `--verbose` option.
- `git clone` tries to locally check out the branch pointed at by HEAD of the remote repository after it 
  is done, but the protocol did not convey the information necessary to do so when copying an empty repository.  
  The protocol v2 learned how to do so.
- There are other ways than `..` for a single token to denote a `commit range', namely `<rev>^!` 
   and `<rev>^-<n>`, but `git range-diff` did not understand them.
- The `git range-diff` command learned `--(left|right)-only` option to show only one side of the compared range.
- `git mergetool` feeds three versions (base, local and remote) of a conflicted path unmodified. 
  The command learned to optionally prepare these files with unconflicted parts already resolved.
- The `.mailmap` is documented to be read only from the root level of a working tree, but a stray file 
  in a bare repository also was read by accident, which has been corrected.
- `git maintenance` tool learned a new `pack-refs` maintenance task.
- Improved error message given when a configuration variable that is expected to have a boolean value.
- Signed commits and tags now allow verification of objects, whose two object names 
  (one in SHA-1, the other in SHA-256) are both signed.
- `git rev-list` command learned `--disk-usage` option.
- `git diff`, `git log` `--{skip,rotate}-to=<path>` allows the user to discard diff output for early 
  paths or move them to the end of the output.
- `git difftool` learned `--skip-to=<path>` option to restart an interrupted session from an arbitrary path.
- `git grep` has been tweaked to be limited to the sparse checkout paths.
- `git rebase --[no-]fork-point` gained a configuration variable `rebase.forkPoint` so that users do not have 
  to keep specifying a non-default setting.
- `git stash` did not work well in a sparsely checked out working tree.
- Newline characters in the host and path part of `git://` URL are now forbidden.
- `Userdiff` updates for PHP, Rust, CSS
- Avoid administrator error leading to data loss with `git push --force-with-lease[=<ref>]` by 
  introducing `--force-if-includes`
- only pull `asciidoctor` for the default ruby version
- The `--committer-date-is-author-date` option of `rebase` and `am` subcommands lost the e-mail address by 
  mistake in 2.29
- The transport protocol v2 has become the default again
- `git worktree` gained a `repair` subcommand, `git init --separate-git-dir` no longer corrupts administrative data 
  related to linked worktrees
- `git maintenance` introduced for repository maintenance tasks
- `fetch.writeCommitGraph` is deemed to be still a bit too risky and is no longer part of the 
  `feature.experimental` set.
- The commands in the `diff` family honors the `diff.relative` configuration variable.
- `git diff-files` has been taught to say paths that are marked as `intent-to-add` are new files, 
  not modified from an empty blob.
- `git gui` now allows opening work trees from the start-up dialog.
- `git bugreport` reports what shell is in use.
- Some repositories have commits that record wrong committer timezone; `git fast-import` has an option to pass 
  these timestamps intact to allow recreating existing repositories as-is.
- `git describe` will always use the `long` version when giving its output based misplaced tags 
- `git pull` issues a warning message until the `pull.rebase` configuration variable is explicitly given
  
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2606-1
Released:    Wed Aug  4 13:16:09 2021
Summary:     Recommended update for libcbor
Type:        recommended
Severity:    moderate
References:  1102408
This update for libcbor fixes the following issues:

- Implement a fix to avoid building shared library twice. (bsc#1102408)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2950-1
Released:    Fri Sep  3 11:59:19 2021
Summary:     Recommended update for pcre2
Type:        recommended
Severity:    moderate
References:  1187937
This update for pcre2 fixes the following issue:

- Equalizes the result of a function that may have different output on s390x if compared to older (bsc#1187937)
PHP versions.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3545-1
Released:    Wed Oct 27 14:46:39 2021
Summary:     Recommended update for less
Type:        recommended
Severity:    low
References:  1190552
This update for less fixes the following issues:

- Add missing runtime dependency on package 'which', that is used by
  lessopen.sh (bsc#1190552)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3766-1
Released:    Tue Nov 23 07:07:43 2021
Summary:     Recommended update for git
Type:        recommended
Severity:    moderate
References:  1192023
This update for git fixes the following issues:

- Installation of the 'git-daemon' package needs nogroup group dependency (bsc#1192023)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3950-1
Released:    Mon Dec  6 14:59:37 2021
Summary:     Security update for openssh
Type:        security
Severity:    important
References:  1190975,CVE-2021-41617
This update for openssh fixes the following issues:

- CVE-2021-41617: Fixed privilege escalation when AuthorizedKeysCommand/AuthorizedPrincipalsCommand are configured (bsc#1190975).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:4153-1
Released:    Wed Dec 22 11:00:48 2021
Summary:     Security update for openssh
Type:        security
Severity:    important
References:  1183137,CVE-2021-28041
This update for openssh fixes the following issues:

- CVE-2021-28041: Fixed double free in ssh-agent (bsc#1183137).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:178-1
Released:    Tue Jan 25 14:16:23 2022
Summary:     Security update for expat
Type:        security
Severity:    important
References:  1194251,1194362,1194474,1194476,1194477,1194478,1194479,1194480,CVE-2021-45960,CVE-2021-46143,CVE-2022-22822,CVE-2022-22823,CVE-2022-22824,CVE-2022-22825,CVE-2022-22826,CVE-2022-22827
This update for expat fixes the following issues:
  
- CVE-2021-45960: Fixed left shift in the storeAtts function in xmlparse.c that can lead to realloc misbehavior (bsc#1194251).
- CVE-2021-46143: Fixed integer overflow in m_groupSize in doProlog (bsc#1194362).
- CVE-2022-22822: Fixed integer overflow in addBinding in xmlparse.c (bsc#1194474).
- CVE-2022-22823: Fixed integer overflow in build_model in xmlparse.c (bsc#1194476).
- CVE-2022-22824: Fixed integer overflow in defineAttribute in xmlparse.c (bsc#1194477).
- CVE-2022-22825: Fixed integer overflow in lookup in xmlparse.c (bsc#1194478).
- CVE-2022-22826: Fixed integer overflow in nextScaffoldPart in xmlparse.c (bsc#1194479).
- CVE-2022-22827: Fixed integer overflow in storeAtts in xmlparse.c (bsc#1194480).  

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:227-1
Released:    Mon Jan 31 06:05:25 2022
Summary:     Recommended update for git
Type:        recommended
Severity:    moderate
References:  1193722
This update for git fixes the following issues:

- update to 2.34.1 (bsc#1193722):
  * 'git grep' looking in a blob that has non-UTF8 payload was
    completely broken when linked with certain versions of PCREv2
    library in the latest release.
  * 'git pull' with any strategy when the other side is behind us
    should succeed as it is a no-op, but doesn't.
  * An earlier change in 2.34.0 caused JGit application (that abused
    GIT_EDITOR mechanism when invoking 'git config') to get stuck with
    a SIGTTOU signal; it has been reverted.
  * An earlier change that broke .gitignore matching has been reverted.
  * SubmittingPatches document gained a syntactically incorrect mark-up,
    which has been corrected.

- git 2.33.0:
  * 'git send-email' learned the '--sendmail-cmd' command line option
    and the 'sendemail.sendmailCmd' configuration variable, which is a
    more sensible approach than the current way of repurposing the
    'smtp-server' that is meant to name the server to instead name the
    command to talk to the server.
  * The userdiff pattern for C# learned the token 'record'.
  * 'git rev-list' learns to omit the 'commit <object-name>' header
    lines from the output with the `--no-commit-header` option.
  * 'git worktree add --lock' learned to record why the worktree is
    locked with a custom message.
  * internal improvements including performance optimizations
  * a number of bug fixes

- git 2.32.0:
  * '.gitattributes', '.gitignore', and '.mailmap' files that are
    symbolic links are ignored
  * 'git apply --3way' used to first attempt a straight
    application, and only fell back to the 3-way merge algorithm
    when the straight application failed.  Starting with this
    version, the command will first try the 3-way merge algorithm
    and only when it fails (either resulting with conflict or the
    base versions of blobs are missing), falls back to the usual
    patch application.
  * 'git stash show' can now show the untracked part of the stash
  * Improved 'git repack' strategy
  * http code can now unlock a certificate with a cached password
    respectively.
  * 'git clone --reject-shallow' option fails the clone as soon as
    we notice that we are cloning from a shallow repository.
  * 'gitweb' learned 'e-mail privacy' feature
  * Multiple improvements to output and configuration options
  * Bug fixes and developer visible fixes
  
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:498-1
Released:    Fri Feb 18 10:46:56 2022
Summary:     Security update for expat
Type:        security
Severity:    important
References:  1195054,1195217,CVE-2022-23852,CVE-2022-23990
This update for expat fixes the following issues:

- CVE-2022-23852: Fixed signed integer overflow in XML_GetBuffer (bsc#1195054).
- CVE-2022-23990: Fixed integer overflow in the doProlog function (bsc#1195217).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:713-1
Released:    Fri Mar  4 09:34:17 2022
Summary:     Security update for expat
Type:        security
Severity:    important
References:  1196025,1196026,1196168,1196169,1196171,CVE-2022-25235,CVE-2022-25236,CVE-2022-25313,CVE-2022-25314,CVE-2022-25315
This update for expat fixes the following issues:
  
- CVE-2022-25236: Fixed possible namespace-separator characters insertion into namespace URIs (bsc#1196025).
- CVE-2022-25235: Fixed UTF-8 character validation in a certain context (bsc#1196026).
- CVE-2022-25313: Fixed stack exhaustion in build_model() via uncontrolled recursion (bsc#1196168).
- CVE-2022-25314: Fixed integer overflow in copyString (bsc#1196169).
- CVE-2022-25315: Fixed integer overflow in storeRawNames (bsc#1196171).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:844-1
Released:    Tue Mar 15 11:33:57 2022
Summary:     Security update for expat
Type:        security
Severity:    important
References:  1196025,1196784,CVE-2022-25236
This update for expat fixes the following issues:

- Fixed a regression caused by the patch for CVE-2022-25236 (bsc#1196784).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1281-1
Released:    Wed Apr 20 12:26:38 2022
Summary:     Recommended update for libtirpc
Type:        recommended
Severity:    moderate
References:  1196647
This update for libtirpc fixes the following issues:

- Add option to enforce connection via protocol version 2 first (bsc#1196647)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1302-1
Released:    Fri Apr 22 10:04:46 2022
Summary:     Recommended update for e2fsprogs
Type:        recommended
Severity:    moderate
References:  1196939
This update for e2fsprogs fixes the following issues:

- Add support for 'libreadline7' for Leap. (bsc#1196939)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1374-1
Released:    Mon Apr 25 15:02:13 2022
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    moderate
References:  1191157,1197004
This update for openldap2 fixes the following issues:

- allow specification of max/min TLS version with TLS1.3 (bsc#1191157)
- libldap was able to be out of step with openldap in some cases which could cause incorrect installations and symbol
  resolution failures. openldap2 and libldap now are locked to their related release versions. (bsc#1197004)
- restore CLDAP functionality in CLI tools (jsc#PM-3288)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1409-1
Released:    Tue Apr 26 12:54:57 2022
Summary:     Recommended update for gcc11
Type:        recommended
Severity:    moderate
References:  1195628,1196107
This update for gcc11 fixes the following issues:

- Add a list of Obsoletes to libstdc++6-pp-gcc11 so updates from
  packages provided by older GCC work.  Add a requires from that
  package to the corresponding libstc++6 package to keep those
  at the same version.  [bsc#1196107]
- Fixed memory corruption when creating dependences with the D language frontend.
- Add gcc11-PIE, similar to gcc-PIE but affecting gcc11 [bsc#1195628]
- Put libstdc++6-pp Requires on the shared library and drop
  to Recommends.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1411-1
Released:    Tue Apr 26 17:48:58 2022
Summary:     Security update for go1.17
Type:        security
Severity:    moderate
References:  1190649,1198423,1198424,CVE-2022-24675,CVE-2022-28327
This update for go1.17 fixes the following issues:

- Updated to version 1.17.9 (bsc#1190649):
  - CVE-2022-24675: Fixed a stack overflow via crafted PEM file (bsc#1198423).
  - CVE-2022-28327: Fixed a potential panic when using big P-256 scalars in the
    crypto/elliptic module (bsc#1198424).


The following package changes have been done:

- file-5.32-7.14.1 added
- git-core-2.34.1-10.9.1 added
- go1.17-1.17.9-150000.1.28.1 updated
- less-530-3.3.2 added
- libatomic1-11.2.1+git610-150000.1.6.6 updated
- libcbor0-0.5.0-4.3.1 added
- libcom_err2-1.43.8-150000.4.29.1 updated
- libedit0-3.1.snap20150325-2.12 added
- libexpat1-2.2.5-3.19.1 added
- libfido2-1-1.5.0-1.30 added
- libfido2-udev-1.5.0-1.30 added
- libgcc_s1-11.2.1+git610-150000.1.6.6 updated
- libgomp1-11.2.1+git610-150000.1.6.6 updated
- libitm1-11.2.1+git610-150000.1.6.6 updated
- libldap-2_4-2-2.4.46-150200.14.5.1 updated
- libldap-data-2.4.46-150200.14.5.1 updated
- liblsan0-11.2.1+git610-150000.1.6.6 updated
- libpcre2-8-0-10.31-3.3.1 added
- libsha1detectcoll1-1.0.3-2.18 added
- libstdc++6-11.2.1+git610-150000.1.6.6 updated
- libtirpc-netconfig-1.2.6-150300.3.3.1 updated
- libtirpc3-1.2.6-150300.3.3.1 updated
- libtsan0-11.2.1+git610-150000.1.6.6 updated
- openssh-clients-8.4p1-3.9.1 added
- openssh-common-8.4p1-3.9.1 added
- openssh-fips-8.4p1-3.9.1 added
- which-2.21-2.20 added
- container:sles15-image-15.0.0-17.14.4 updated


More information about the sle-security-updates mailing list