SUSE-IU-2022:2-1: Security update of suse-sles-15-sp3-chost-byos-v20220103-hvm-ssd-x86_64

sle-security-updates at sle-security-updates at
Wed Jan 5 07:24:40 UTC 2022

SUSE Image Update Advisory: suse-sles-15-sp3-chost-byos-v20220103-hvm-ssd-x86_64
Image Advisory ID : SUSE-IU-2022:2-1
Image Tags        : suse-sles-15-sp3-chost-byos-v20220103-hvm-ssd-x86_64:20220103
Image Release     : 
Severity          : important
Type              : security
References        : 1027519 1029961 1071559 1113013 1152489 1161276 1162581 1169263
                        1170269 1174504 1174504 1177460 1180064 1180125 1183137 1183374
                        1183858 1183905 1184924 1185588 1185768 1187196 1187654 1187668
                        1187993 1189241 1189287 1189769 1189874 1190401 1190523 1190795
                        1190975 1191363 1191504 1191532 1191563 1191592 1191690 1191790
                        1191961 1192045 1192217 1192248 1192273 1192328 1192375 1192423
                        1192473 1192522 1192554 1192557 1192559 1192688 1192717 1192718
                        1192740 1192745 1192750 1192753 1192758 1192781 1192802 1192849
                        1192858 1192896 1192906 1192918 1193170 1193181 1193430 1193436
                        1193480 1193512 1193557 1193759 CVE-2020-25717 CVE-2020-29361
                        CVE-2021-0941 CVE-2021-20322 CVE-2021-28041 CVE-2021-28702 CVE-2021-28704
                        CVE-2021-28705 CVE-2021-28706 CVE-2021-28707 CVE-2021-28708 CVE-2021-28709
                        CVE-2021-31916 CVE-2021-3426 CVE-2021-34981 CVE-2021-3733 CVE-2021-3737
                        CVE-2021-41617 CVE-2021-42771 CVE-2021-43527 CVE-2021-43618 CVE-2021-43784

The container suse-sles-15-sp3-chost-byos-v20220103-hvm-ssd-x86_64 was updated. The following patches have been included in this update:

Advisory ID: SUSE-RU-2021:3883-1
Released:    Thu Dec  2 11:47:07 2021
Summary:     Recommended update for timezone
Type:        recommended
Severity:    moderate
References:  1177460
This update for timezone fixes the following issues:

Update timezone to 2021e (bsc#1177460)

- Palestine will fall back 10-29 (not 10-30) at 01:00
- Fiji suspends DST for the 2021/2022 season
- 'zic -r' marks unspecified timestamps with '-00'
- Fix a bug in 'zic -b fat' that caused old timestamps to be mishandled in 32-bit-only readers
- Refresh timezone info for china

Advisory ID: SUSE-RU-2021:3891-1
Released:    Fri Dec  3 10:21:49 2021
Summary:     Recommended update for keyutils
Type:        recommended
Severity:    moderate
References:  1029961,1113013,1187654
This update for keyutils fixes the following issues:

- Add /etc/keys/ and /usr/etc/keys/ directory (bsc#1187654)

keyutils was updated to 1.6.3 (jsc#SLE-20016):

* Revert the change notifications that were using /dev/watch_queue.
* Apply the change notifications that use pipe2(O_NOTIFICATION_PIPE).
* Allow 'keyctl supports' to retrieve raw capability data.
* Allow 'keyctl id' to turn a symbolic key ID into a numeric ID.
* Allow 'keyctl new_session' to name the keyring.
* Allow 'keyctl add/padd/etc.' to take hex-encoded data.
* Add 'keyctl watch*' to expose kernel change notifications on keys.
* Add caps for namespacing and notifications.
* Set a default TTL on keys that upcall for name resolution.
* Explicitly clear memory after it's held sensitive information.
* Various manual page fixes.
* Fix C++-related errors.
* Add support for keyctl_move().
* Add support for keyctl_capabilities().
* Make key=val list optional for various public-key ops.
* Fix system call signature for KEYCTL_PKEY_QUERY.
* Fix 'keyctl pkey_query' argument passing.
* Use keyctl_read_alloc() in dump_key_tree_aux().
* Various manual page fixes. 

Updated to 1.6:

* Apply various specfile cleanups from Fedora.
* request-key: Provide a command line option to suppress helper execution.
* request-key: Find least-wildcard match rather than first match.
* Remove the dependency on MIT Kerberos.
* Fix some error messages
* keyctl_dh_compute.3: Suggest /proc/crypto for list of available hashes.
* Fix doc and comment typos.
* Add public key ops for encrypt, decrypt, sign and verify (needs linux-4.20).
* Add pkg-config support for finding libkeyutils.
* upstream isn't offering PGP signatures for the source tarballs anymore

Updated to 1.5.11 (bsc#1113013)

* Add keyring restriction support.
* Add KDF support to the Diffie-Helman function.
* DNS: Add support for AFS config files and SRV records
Advisory ID: SUSE-SU-2021:3899-1
Released:    Fri Dec  3 11:27:41 2021
Summary:     Security update for aaa_base
Type:        security
Severity:    moderate
References:  1162581,1174504,1191563,1192248
This update for aaa_base fixes the following issues:

- Allowed ping and ICMP commands without CAP_NET_RAW (bsc#1174504).
- Add $HOME/.local/bin to PATH, if it exists (bsc#1192248).
- Fixed get_kernel_version.c to work also for recent kernels on the s390/X platform (bsc#1191563).
- Support xz compressed kernel (bsc#1162581)   

Advisory ID: SUSE-SU-2021:3934-1
Released:    Mon Dec  6 13:22:27 2021
Summary:     Security update for mozilla-nss
Type:        security
Severity:    important
References:  1193170,CVE-2021-43527
This update for mozilla-nss fixes the following issues:

Update to version 3.68.1:

- CVE-2021-43527: Fixed a Heap overflow in NSS when verifying DER-encoded DSA or RSA-PSS signatures (bsc#1193170).

Advisory ID: SUSE-SU-2021:3941-1
Released:    Mon Dec  6 14:45:20 2021
Summary:     Security update for the Linux Kernel
Type:        security
Severity:    important
References:  1152489,1169263,1170269,1184924,1190523,1190795,1191790,1191961,1192045,1192217,1192273,1192328,1192375,1192473,1192718,1192740,1192745,1192750,1192753,1192758,1192781,1192802,1192896,1192906,1192918,CVE-2021-0941,CVE-2021-20322,CVE-2021-31916,CVE-2021-34981

The SUSE Linux Enterprise 15 SP3 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- Unprivileged BPF has been disabled by default to reduce attack surface as too many security issues have happened in the past (jsc#SLE-22573)

  You can reenable via systemctl setting /proc/sys/kernel/unprivileged_bpf_disabled to 0. (kernel.unprivileged_bpf_disabled = 0)

- CVE-2021-0941: In bpf_skb_change_head of filter.c, there is a possible out of bounds read due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation (bnc#1192045 ).
- CVE-2021-31916: An out-of-bounds (OOB) memory write flaw was found in list_devices in drivers/md/dm-ioctl.c in the Multi-device driver module in the Linux kernel A bound check failure allowed an attacker with special user (CAP_SYS_ADMIN) privilege to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability (bnc#1192781).
- CVE-2021-20322: Make the ipv4 and ipv6 ICMP exception caches less predictive to avoid information leaks about UDP ports in use. (bsc#1191790)
- CVE-2021-34981: Fixed file refcounting in cmtp when cmtp_attach_device fails  (bsc#1191961).

The following non-security bugs were fixed:

- ABI: sysfs-kernel-slab: Document some stats (git-fixes).
- ALSA: hda: fix general protection fault in azx_runtime_idle (git-fixes).
- ALSA: hda: Free card instance properly at probe errors (git-fixes).
- ALSA: usb-audio: Add Audient iD14 to mixer map quirk table (git-fixes).
- ALSA: usb-audio: Add minimal-mute notion in dB mapping table (bsc#1192375).
- ALSA: usb-audio: Add Schiit Hel device to mixer map quirk table (git-fixes).
- ALSA: usb-audio: Fix dB level of Bose Revolve+ SoundLink (bsc#1192375).
- ALSA: usb-audio: Use int for dB map values (bsc#1192375).
- ARM: socfpga: Fix crash with CONFIG_FORTIRY_SOURCE (bsc#1192473).
- auxdisplay: ht16k33: Connect backlight to fbdev (git-fixes).
- auxdisplay: ht16k33: Fix frame buffer device blanking (git-fixes).
- auxdisplay: img-ascii-lcd: Fix lock-up when displaying empty string (git-fixes).
- bpf: Add kconfig knob for disabling unpriv bpf by default (jsc#SLE-22573)
- bpf: Add kconfig knob for disabling unpriv bpf by default (jsc#SLE-22574)
- bpf: Disallow unprivileged bpf by default (jsc#SLE-22573).
- bpf: Disallow unprivileged bpf by default (jsc#SLE-22574).
- bpf: Fix BPF_JIT kconfig symbol dependency (git-fixes jsc#SLE-22574).
- bpf: Fix potential race in tail call compatibility check (git-fixes).
- bpf, kconfig: Add consolidated menu entry for bpf with core options (jsc#SLE-22574).
- btrfs: block-group: Rework documentation of check_system_chunk function (bsc#1192896).
- btrfs: fix deadlock between chunk allocation and chunk btree modifications (bsc#1192896).
- btrfs: fix memory ordering between normal and ordered work functions (git-fixes).
- btrfs: update comments for chunk allocation -ENOSPC cases (bsc#1192896).
- cgroup/cpuset: Change references of cpuset_mutex to cpuset_rwsem (git-fixes).
- config: disable unprivileged BPF by default (jsc#SLE-22573) Backport of mainline commit 8a03e56b253e ('bpf: Disallow unprivileged bpf by default') only changes kconfig default, used e.g. for 'make oldconfig' when the config option is missing, but does not update our kernel configs used for build. Update also these to make sure unprivileged BPF is really disabled by default.
- crypto: caam - disable pkc for non-E SoCs (git-fixes).
- crypto: qat - detect PFVF collision after ACK (git-fixes).
- crypto: qat - disregard spurious PFVF interrupts (git-fixes).
- drm/i915: Introduce intel_hpd_hotplug_irqs() (bsc#1192758).
- drm: prevent spectre issue in vmw_execbuf_ioctl (bsc#1192802).
- EDAC/sb_edac: Fix top-of-high-memory value for Broadwell/Haswell (bsc#1152489).
- Eradicate Patch-mainline: No The pre-commit check can reject this deprecated tag then.
- exfat: fix erroneous discard when clear cluster bit (git-fixes).
- exfat: handle wrong stream entry size in exfat_readdir() (git-fixes).
- exfat: properly set s_time_gran (bsc#1192328).
- exfat: truncate atimes to 2s granularity (bsc#1192328).
- Fix problem with missing installkernel on Tumbleweed.
- fuse: fix page stealing (bsc#1192718).
- gpio: mpc8xxx: Use 'devm_gpiochip_add_data()' to simplify the code and avoid a leak (git-fixes).
- gpio/rockchip: add driver for rockchip gpio (bsc#1192217).
- gpio/rockchip: drop irq_gc_lock/irq_gc_unlock for irq set type (bsc#1192217).
- gpio/rockchip: extended debounce support is only available on v2 (bsc#1192217).
- gpio/rockchip: fetch deferred output settings on probe (bsc#1192217).
- gpio/rockchip: fix get_direction value handling (bsc#1192217).
- gpio/rockchip: support next version gpio controller (bsc#1192217).
- gpio/rockchip: use struct rockchip_gpio_regs for gpio controller (bsc#1192217).
- HID: u2fzero: clarify error check and length calculations (git-fixes).
- HID: u2fzero: properly handle timeouts in usb_submit_urb (git-fixes).
- ibmvnic: check failover_pending in login response (bsc#1190523 ltc#194510).
- ibmvnic: do not stop queue in xmit (bsc#1192273 ltc#194629).
- ibmvnic: Process crqs after enabling interrupts (bsc#1192273 ltc#194629).
- iio: dac: ad5446: Fix ad5622_write() return value (git-fixes).
- Input: elantench - fix misreporting trackpoint coordinates (bsc#1192918).
- kernel-*-subpackage: Add dependency on kernel scriptlets (bsc#1192740).
- mm/hugetlb: initialize hugetlb_usage in mm_init (bsc#1192906).
- Move upstreamed sound fix into sorted section
- net: dsa: felix: re-enable TX flow control in ocelot_port_flush() (git-fixes).
- net: mscc: ocelot: fix hardware timestamp dequeue logic.
- net: mscc: ocelot: warn when a PTP IRQ is raised for an unknown skb (git-fixes).
- net/smc: Correct smc link connection counter in case of smc client (git-fixes).
- net/smc: fix 'workqueue leaked lock' in smc_conn_abort_work (git-fixes).
- ocfs2: do not zero pages beyond i_size (bsc#1190795).
- ocfs2: fix data corruption on truncate (bsc#1190795).
- PCI: aardvark: Do not clear status bits of masked interrupts (git-fixes).
- PCI: aardvark: Do not spam about PIO Response Status (git-fixes).
- PCI: aardvark: Do not unmask unused interrupts (git-fixes).
- PCI: aardvark: Fix checking for link up via LTSSM state (git-fixes).
- PCI: aardvark: Fix reporting Data Link Layer Link Active (git-fixes).
- PCI: aardvark: Fix return value of MSI domain .alloc() method (git-fixes).
- PCI: aardvark: Read all 16-bits from PCIE_MSI_PAYLOAD_REG (git-fixes).
- PCI/ACPI: Check for _OSC support in acpi_pci_osc_control_set() (bsc#1169263).
- PCI/ACPI: Clarify message about _OSC failure (bsc#1169263).
- PCI/ACPI: Move _OSC query checks to separate function (bsc#1169263).
- PCI/ACPI: Move supported and control calculations to separate functions (bsc#1169263).
- PCI/ACPI: Remove unnecessary osc_lock (bsc#1169263).
- PCI: pci-bridge-emul: Fix emulation of W1C bits (git-fixes).
- PCI: uniphier: Serialize INTx masking/unmasking and fix the bit operation (git-fixes).
- pinctrl: core: fix possible memory leak in pinctrl_enable() (git-fixes).
- pinctrl: pinctrl-rockchip: Fix a bunch of kerneldoc misdemeanours (bsc#1192217).
- pinctrl/rockchip: add a queue for deferred pin output settings on probe (bsc#1192217).
- pinctrl/rockchip: add pinctrl device to gpio bank struct (bsc#1192217).
- pinctrl: rockchip: add rk3308 SoC support (bsc#1192217).
- pinctrl: rockchip: add support for rk3568 (bsc#1192217).
- pinctrl/rockchip: always enable clock for gpio controller (bsc#1192217).
- pinctrl: rockchip: clear int status when driver probed (bsc#1192217).
- pinctrl: rockchip: create irq mapping in gpio_to_irq (bsc#1192217).
- pinctrl: rockchip: do coding style for mux route struct (bsc#1192217).
- pinctrl/rockchip: drop the gpio related codes (bsc#1192217).
- pinctrl: rockchip: enable gpio pclk for rockchip_gpio_to_irq (bsc#1192217).
- pinctrl: rockchip: make driver be tristate module (bsc#1192217).
- pinctrl: rockchip: Replace HTTP links with HTTPS ones (bsc#1192217).
- pinctrl: rockchip: return ENOMEM instead of EINVAL if allocation fails (bsc#1192217).
- pinctrl/rockchip: separate struct rockchip_pin_bank to a head file (bsc#1192217).
- power: supply: bq27xxx: Fix kernel crash on IRQ handler register error (git-fixes).
- power: supply: max17042_battery: Prevent int underflow in set_soc_threshold (git-fixes).
- power: supply: max17042_battery: use VFSOC for capacity when no rsns (git-fixes).
- power: supply: rt5033-battery: Change voltage values to 5V (git-fixes).
- printk/console: Allow to disable console output by using console='' or console=null (bsc#1192753).
- printk: handle blank console arguments passed in (bsc#1192753).
- qtnfmac: fix potential Spectre vulnerabilities (bsc#1192802).
- r8152: add a helper function about setting EEE (git-fixes).
- r8152: Add macpassthru support for ThinkPad Thunderbolt 3 Dock Gen 2 (git-fixes).
- r8152: Disable PLA MCU clock speed down (git-fixes).
- r8152: disable U2P3 for RTL8153B (git-fixes).
- r8152: divide the tx and rx bottom functions (git-fixes).
- r8152: do not enable U1U2 with USB_SPEED_HIGH for RTL8153B (git-fixes).
- r8152: fix runtime resume for linking change (git-fixes).
- r8152: replace array with linking list for rx information (git-fixes).
- r8152: reset flow control patch when linking on for RTL8153B (git-fixes).
- r8152: saving the settings of EEE (git-fixes).
- r8152: separate the rx buffer size (git-fixes).
- r8152: use alloc_pages for rx buffer (git-fixes).
- random: fix crash on multiple early calls to add_bootloader_randomness() (bsc#1184924)
- Revert 'ibmvnic: check failover_pending in login response' (bsc#1190523 ltc#194510).
- Revert 'platform/x86: i2c-multi-instantiate: Do not create platform device for INT3515 ACPI nodes' (git-fixes).
- Revert 'r8152: adjust the settings about MAC clock speed down for RTL8153' (git-fixes).
- Revert 'scsi: ufs: fix a missing check of devm_reset_control_get' (git-fixes).
- Revert 'x86/kvm: fix vcpu-id indexed array sizes' (git-fixes).
- rndis_host: set proper input size for OID_GEN_PHYSICAL_MEDIUM request (git-fixes).
- s390/dasd: fix use after free in dasd path handling (git-fixes).
- s390/pci: fix use after free of zpci_dev (git-fixes).
- s390/pci: fix zpci_zdev_put() on reserve (git-fixes).
- s390/qeth: fix deadlock during failing recovery (git-fixes).
- s390/qeth: Fix deadlock in remove_discipline (git-fixes).
- s390/qeth: fix NULL deref in qeth_clear_working_pool_list() (git-fixes).
- s390/topology: clear thread/group maps for offline cpus (git-fixes).
- scsi: be2iscsi: Fix an error handling path in beiscsi_dev_probe() (git-fixes).
- scsi: BusLogic: Fix missing pr_cont() use (git-fixes).
- scsi: core: Fix spelling in a source code comment (git-fixes).
- scsi: csiostor: Add module softdep on cxgb4 (git-fixes).
- scsi: csiostor: Uninitialized data in csio_ln_vnp_read_cbfn() (git-fixes).
- scsi: dc395: Fix error case unwinding (git-fixes).
- scsi: fdomain: Fix error return code in fdomain_probe() (git-fixes).
- scsi: FlashPoint: Rename si_flags field (git-fixes).
- scsi: iscsi: Fix iface sysfs attr detection (git-fixes).
- scsi: libsas: Use _safe() loop in sas_resume_port() (git-fixes).
- scsi: mpt3sas: Fix error return value in _scsih_expander_add() (git-fixes).
- scsi: qedf: Add pointer checks in qedf_update_link_speed() (git-fixes).
- scsi: qedf: Fix error codes in qedf_alloc_global_queues() (git-fixes).
- scsi: qedi: Fix error codes in qedi_alloc_global_queues() (git-fixes).
- scsi: qla2xxx: Fix a memory leak in an error path of qla2x00_process_els() (git-fixes).
- scsi: qla2xxx: Make sure that aborted commands are freed (git-fixes).
- scsi: smartpqi: Fix an error code in pqi_get_raid_map() (git-fixes).
- scsi: snic: Fix an error message (git-fixes).
- scsi: ufs-pci: Add quirk for broken auto-hibernate for Intel EHL (git-fixes).
- scsi: ufs: ufshcd-pltfrm: Fix memory leak due to probe defer (git-fixes).
- serial: 8250_dw: Drop wrong use of ACPI_PTR() (git-fixes).
- serial: xilinx_uartps: Fix race condition causing stuck TX (git-fixes).
- staging: r8712u: fix control-message timeout (git-fixes).
- staging: rtl8192u: fix control-message timeouts (git-fixes).
- stmmac: platform: Fix signedness bug in stmmac_probe_config_dt() (git-fixes).
- tracing: Increase PERF_MAX_TRACE_SIZE to handle Sentinel1 and docker together (bsc#1192745).
- Update config files: Add CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set
- Update config files: pull BPF configs together
- usb: gadget: hid: fix error code in do_config() (git-fixes).
- USB: iowarrior: fix control-message timeouts (git-fixes).
- usb: max-3421: Use driver data instead of maintaining a list of bound devices (git-fixes).
- usb: musb: Balance list entry in musb_gadget_queue (git-fixes).
- USB: serial: keyspan: fix memleak on probe errors (git-fixes).
- video: fbdev: chipsfb: use memset_io() instead of memset() (git-fixes).
- x86/sme: Use #define USE_EARLY_PGTABLE_L5 in mem_encrypt_identity.c (bsc#1152489).
- x86/xen: Mark cpu_bringup_and_idle() as dead_end_function (git-fixes).
- xen-pciback: Fix return in pm_ctrl_init() (git-fixes).
- xen: Fix implicit type conversion (git-fixes).

Advisory ID: SUSE-SU-2021:3945-1
Released:    Mon Dec  6 14:56:55 2021
Summary:     Security update for python-Babel
Type:        security
Severity:    important
References:  1185768,CVE-2021-42771
This update for python-Babel fixes the following issues:

- CVE-2021-42771: Fixed relative path traversal that may lead to arbitrary locale files loading and arbitrary code execution (bsc#1185768).

Advisory ID: SUSE-SU-2021:3946-1
Released:    Mon Dec  6 14:57:42 2021
Summary:     Security update for gmp
Type:        security
Severity:    moderate
References:  1192717,CVE-2021-43618
This update for gmp fixes the following issues:
- CVE-2021-43618: Fixed buffer overflow via crafted input in mpz/inp_raw.c (bsc#1192717).

Advisory ID: SUSE-SU-2021:3950-1
Released:    Mon Dec  6 14:59:37 2021
Summary:     Security update for openssh
Type:        security
Severity:    important
References:  1190975,CVE-2021-41617
This update for openssh fixes the following issues:

- CVE-2021-41617: Fixed privilege escalation when AuthorizedKeysCommand/AuthorizedPrincipalsCommand are configured (bsc#1190975).

Advisory ID: SUSE-RU-2021:3963-1
Released:    Mon Dec  6 19:57:39 2021
Summary:     Recommended update for system-users
Type:        recommended
Severity:    moderate
References:  1190401
This update for system-users fixes the following issues:

- system-user-tss.conf: Removed group entry because it's not needed and contained syntax errors (bsc#1190401)

Advisory ID: SUSE-SU-2021:3968-1
Released:    Tue Dec  7 15:31:00 2021
Summary:     Security update for xen
Type:        security
Severity:    moderate
References:  1027519,1191363,1192554,1192557,1192559,CVE-2021-28702,CVE-2021-28704,CVE-2021-28705,CVE-2021-28706,CVE-2021-28707,CVE-2021-28708,CVE-2021-28709
This update for xen fixes the following issues:

- CVE-2021-28702: Fixed PCI devices with RMRRs not deassigned correctly (XSA-386) (bsc#1191363).
- CVE-2021-28704, CVE-2021-28707, CVE-2021-28708: Fixed PoD operations on misaligned GFNs (XSA-388) (bsc#1192557).
- CVE-2021-28705, CVE-2021-28709: Fixed issues with partially successful P2M updates on x86 (XSA-389) (bsc#1192559).
- CVE-2021-28706: Fixed guests may exceed their designated memory limit (XSA-385) (bsc#1192554).

- Update to Xen 4.14.3 bug fix release (bsc#1027519).

Advisory ID: SUSE-RU-2021:3980-1
Released:    Thu Dec  9 16:42:19 2021
Summary:     Recommended update for glibc
Type:        recommended
Severity:    moderate
References:  1191592

glibc was updated to fix the following issue:

- Support for new IBM Z Hardware (bsc#1191592, jsc#IBM-869)

Advisory ID: SUSE-RU-2021:3985-1
Released:    Fri Dec 10 06:08:24 2021
Summary:     Recommended update for suse-module-tools
Type:        recommended
Severity:    moderate
References:  1187196
This update for suse-module-tools fixes the following issues:

-  Blacklist isst_if_mbox_msr driver because uses hardware information based on 
   CPU family and model, which is too unspecific. On large systems, this causes a lot of 
   failing loading attempts for this driver, leading to slow or even stalled boot (bsc#1187196)

Advisory ID: SUSE-RU-2021:4014-1
Released:    Mon Dec 13 13:57:39 2021
Summary:     Recommended update for apparmor
Type:        recommended
Severity:    moderate
References:  1191532,1191690
This update for apparmor fixes the following issues:

Changes in apparmor:

- Add a profile for 'samba-bgqd'. (bsc#1191532)
- Fix 'Requires' of python3 module. (bsc#1191690)

Advisory ID: SUSE-SU-2021:4104-1
Released:    Thu Dec 16 11:14:12 2021
Summary:     Security update for python3
Type:        security
Severity:    moderate
References:  1180125,1183374,1183858,1185588,1187668,1189241,1189287,CVE-2021-3426,CVE-2021-3733,CVE-2021-3737
This update for python3 fixes the following issues:

- CVE-2021-3426: Fixed information disclosure via pydoc (bsc#1183374).
- CVE-2021-3733: Fixed infinitely reading potential HTTP headers after a 100 Continue status response from the server (bsc#1189241).
- CVE-2021-3737: Fixed ReDoS in urllib.request (bsc#1189287).

- We do not require python-rpm-macros package (bsc#1180125).
- Use versioned python-Sphinx to avoid dependency on other version of Python (bsc#1183858).
- Stop providing 'python' symbol, which means python2 currently (bsc#1185588).
- Modify Lib/ensurepip/ to contain the same version numbers as are in reality the ones in the bundled wheels (bsc#1187668).

Advisory ID: SUSE-RU-2021:4141-1
Released:    Wed Dec 22 05:22:23 2021
Summary:     Recommended update for dracut
Type:        recommended
Severity:    important
References:  1193512
This update for dracut fixes the following issues:

- Add iscsi-init.service requirements (bsc#1193512)

Advisory ID: SUSE-RU-2021:4145-1
Released:    Wed Dec 22 05:27:48 2021
Summary:     Recommended update for openssl-1_1
Type:        recommended
Severity:    moderate
References:  1161276
This update for openssl-1_1 fixes the following issues:

- Remove previously applied patch because it interferes with FIPS validation (bsc#1161276)

Advisory ID: SUSE-RU-2021:4149-1
Released:    Wed Dec 22 10:41:05 2021
Summary:     Recommended update for samba
Type:        recommended
Severity:    important
References:  1192849,CVE-2020-25717
This update for samba fixes the following issues:

The username map advice from the CVE-2020-25717 advisory
note has undesired side effects for the local nt token. Fallback
to a SID/UID based mapping if the name based lookup fails (bsc#1192849).

Advisory ID: SUSE-SU-2021:4153-1
Released:    Wed Dec 22 11:00:48 2021
Summary:     Security update for openssh
Type:        security
Severity:    important
References:  1183137,CVE-2021-28041
This update for openssh fixes the following issues:

- CVE-2021-28041: Fixed double free in ssh-agent (bsc#1183137).

Advisory ID: SUSE-SU-2021:4154-1
Released:    Wed Dec 22 11:02:38 2021
Summary:     Security update for p11-kit
Type:        security
Severity:    important
References:  1180064,1187993,CVE-2020-29361
This update for p11-kit fixes the following issues:

- CVE-2020-29361: Fixed multiple integer overflows in rpc code (bsc#1180064)
- Add support for CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER (bsc#1187993).

Advisory ID: SUSE-RU-2021:4163-1
Released:    Wed Dec 22 22:36:00 2021
Summary:     Recommended update for grub2
Type:        recommended
Severity:    moderate
References:  1071559,1189769,1189874,1191504,1192522
This update for grub2 fixes the following issues:

- Fixed an issue when 'lvmid' disk cannot be found after second disk added to the root volume group. (bsc#1189874, bsc#1071559)
- Fix for an error when '/boot/grub2/locale/' not found. (bsc#1189769)
- Fix unknown TPM error on buggy uefi firmware. (bsc#1191504)
- Fix arm64 kernel image not aligned on 64k boundary. (bsc#1192522)

Advisory ID: SUSE-RU-2021:4165-1
Released:    Wed Dec 22 22:52:11 2021
Summary:     Recommended update for kmod
Type:        recommended
Severity:    moderate
References:  1193430
This update for kmod fixes the following issues:

- Ensure that kmod and packages linking to libkmod provide same features. (bsc#1193430)

Advisory ID: SUSE-SU-2021:4171-1
Released:    Thu Dec 23 09:55:13 2021
Summary:     Security update for runc
Type:        security
Severity:    moderate
References:  1193436,CVE-2021-43784
This update for runc fixes the following issues:

Update to runc v1.0.3. 
* CVE-2021-43784: Fixed a potential vulnerability related to the internal usage
  of netlink, which is believed to not be exploitable with any released versions of runc (bsc#1193436)
* Fixed inability to start a container with read-write bind mount of a read-only fuse host mount.
* Fixed inability to start when read-only /dev in set in spec.
* Fixed not removing sub-cgroups upon container delete, when rootless cgroup
  v2 is used with older systemd.
* Fixed returning error from GetStats when hugetlb is unsupported (which
  causes excessive logging for kubernetes).

Advisory ID: SUSE-RU-2021:4175-1
Released:    Thu Dec 23 11:22:33 2021
Summary:     Recommended update for systemd
Type:        recommended
Severity:    important
References:  1192423,1192858,1193759
This update for systemd fixes the following issues:

- Bump the max number of inodes for /dev to a million (bsc#1192858)
- sleep: don't skip resume device with low priority/available space (bsc#1192423)
- test: use kbd-mode-map we ship in one more test case
- test-keymap-util: always use kbd-model-map we ship
- Add rules for virtual devices and enforce 'none' for loop devices. (bsc#1193759)

Advisory ID: SUSE-RU-2021:4178-1
Released:    Thu Dec 23 11:47:22 2021
Summary:     Recommended update for cpupower
Type:        recommended
Severity:    important
References:  1193557
This update for cpupower fixes the following issues:

- Fix `turbostat` immediately exiting on AMD Zen machines (bsc#1193557)

Advisory ID: SUSE-RU-2021:4182-1
Released:    Thu Dec 23 11:51:51 2021
Summary:     Recommended update for zlib
Type:        recommended
Severity:    moderate
References:  1192688
This update for zlib fixes the following issues:

- Fix hardware compression incorrect result on z15 hardware (bsc#1192688)

Advisory ID: SUSE-SU-2021:4192-1
Released:    Tue Dec 28 10:39:50 2021
Summary:     Security update for permissions
Type:        security
Severity:    moderate
References:  1174504
This update for permissions fixes the following issues:

- Update to version 20181225:
  * drop ping capabilities in favor of ICMP_PROTO sockets (bsc#1174504)

Advisory ID: SUSE-RU-2022:2-1
Released:    Mon Jan  3 08:27:18 2022
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    moderate
References:  1183905,1193181
This update for lvm2 fixes the following issues:

- Fix lvconvert not taking `--stripes` option (bsc#1183905)
- Fix LVM vgimportclone not working on hardware snapshot (bsc#1193181)

Advisory ID: SUSE-RU-2022:4-1
Released:    Mon Jan  3 08:28:54 2022
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  1193480
This update for libgcrypt fixes the following issues:

- Fix function gcry_mpi_sub_ui subtracting from negative value (bsc#1193480)

The following package changes have been done:

- aaa_base-84.87+git20180409.04c9dae-3.52.1 updated
- apparmor-abstractions-2.13.6-3.8.1 updated
- apparmor-parser-2.13.6-3.8.1 updated
- cpupower-5.10-3.6.1 updated
- dracut-049.1+suse.218.gca24e614-3.48.3 updated
- glibc-locale-base-2.31-9.6.1 updated
- glibc-locale-2.31-9.6.1 updated
- glibc-2.31-9.6.1 updated
- grub2-i386-pc-2.04-22.6.3 updated
- grub2-x86_64-efi-2.04-22.6.3 updated
- grub2-x86_64-xen-2.04-22.6.3 updated
- grub2-2.04-22.6.3 updated
- kernel-default-5.3.18-59.37.2 updated
- keyutils-1.6.3-5.6.1 updated
- kmod-29-4.15.1 updated
- libapparmor1-2.13.6-3.8.1 updated
- libcpupower0-5.10-3.6.1 updated
- libdcerpc-binding0-4.13.13+git.539.fdbc44a8598-3.20.2 updated
- libdcerpc0-4.13.13+git.539.fdbc44a8598-3.20.2 updated
- libdevmapper1_03-1.02.163-8.39.1 updated
- libfreebl3-3.68.1-3.61.1 updated
- libgcrypt20-1.8.2-8.42.1 updated
- libgmp10-6.1.2-4.9.1 updated
- libkeyutils1-1.6.3-5.6.1 updated
- libkmod2-29-4.15.1 updated
- libndr-krb5pac0-4.13.13+git.539.fdbc44a8598-3.20.2 updated
- libndr-nbt0-4.13.13+git.539.fdbc44a8598-3.20.2 updated
- libndr-standard0-4.13.13+git.539.fdbc44a8598-3.20.2 updated
- libndr1-4.13.13+git.539.fdbc44a8598-3.20.2 updated
- libnetapi0-4.13.13+git.539.fdbc44a8598-3.20.2 updated
- libopenssl1_1-1.1.1d-11.33.2 updated
- libp11-kit0-0.23.2-4.13.1 updated
- libpython3_6m1_0-3.6.15-10.9.1 updated
- libsamba-credentials0-4.13.13+git.539.fdbc44a8598-3.20.2 updated
- libsamba-errors0-4.13.13+git.539.fdbc44a8598-3.20.2 updated
- libsamba-hostconfig0-4.13.13+git.539.fdbc44a8598-3.20.2 updated
- libsamba-passdb0-4.13.13+git.539.fdbc44a8598-3.20.2 updated
- libsamba-util0-4.13.13+git.539.fdbc44a8598-3.20.2 updated
- libsamdb0-4.13.13+git.539.fdbc44a8598-3.20.2 updated
- libsmbconf0-4.13.13+git.539.fdbc44a8598-3.20.2 updated
- libsmbldap2-4.13.13+git.539.fdbc44a8598-3.20.2 updated
- libsystemd0-246.16-7.28.1 updated
- libtevent-util0-4.13.13+git.539.fdbc44a8598-3.20.2 updated
- libudev1-246.16-7.28.1 updated
- libwbclient0-4.13.13+git.539.fdbc44a8598-3.20.2 updated
- libz1-1.2.11-3.24.1 updated
- openssh-clients-8.4p1-3.9.1 updated
- openssh-common-8.4p1-3.9.1 updated
- openssh-server-8.4p1-3.9.1 updated
- openssh-8.4p1-3.9.1 updated
- openssl-1_1-1.1.1d-11.33.2 updated
- p11-kit-tools-0.23.2-4.13.1 updated
- p11-kit-0.23.2-4.13.1 updated
- permissions-20181225-23.9.1 updated
- python3-Babel-2.8.0-3.3.1 updated
- python3-base-3.6.15-10.9.1 updated
- python3-3.6.15-10.9.1 updated
- runc-1.0.3-27.1 updated
- samba-libs-python3-4.13.13+git.539.fdbc44a8598-3.20.2 updated
- samba-libs-4.13.13+git.539.fdbc44a8598-3.20.2 updated
- suse-module-tools-15.3.15-3.17.1 updated
- system-group-hardware-20170617-17.3.1 updated
- system-group-kvm-20170617-17.3.1 updated
- system-group-wheel-20170617-17.3.1 updated
- system-user-lp-20170617-17.3.1 updated
- system-user-nobody-20170617-17.3.1 updated
- systemd-sysvinit-246.16-7.28.1 updated
- systemd-246.16-7.28.1 updated
- timezone-2021e-75.4.1 updated
- udev-246.16-7.28.1 updated
- xen-libs-4.14.3_04-3.15.1 updated
- xen-tools-domU-4.14.3_04-3.15.1 updated
- python-rpm-macros-20200207.5feb6c1-3.11.1 removed

More information about the sle-security-updates mailing list