SUSE-CU-2022:29-1: Security update of bci/openjdk-devel

sle-security-updates at lists.suse.com sle-security-updates at lists.suse.com
Thu Jan 6 07:33:19 UTC 2022


SUSE Container Update Advisory: bci/openjdk-devel
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2022:29-1
Container Tags        : bci/openjdk-devel:11
Container Release     : 6.1
Severity              : important
Type                  : security
References            : 1029961 1113013 1161276 1162581 1174504 1174504 1180064 1183137
                        1186071 1187153 1187273 1187654 1187993 1188623 1190356 1190401
                        1190440 1190975 1190984 1191286 1191324 1191370 1191563 1191592
                        1191609 1191736 1192023 1192160 1192161 1192248 1192337 1192423
                        1192436 1192688 1192717 1192858 1193170 1193480 1193759 CVE-2020-29361
                        CVE-2021-28041 CVE-2021-41617 CVE-2021-43527 CVE-2021-43618 
-----------------------------------------------------------------

The container bci/openjdk-devel was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3766-1
Released:    Tue Nov 23 07:07:43 2021
Summary:     Recommended update for git
Type:        recommended
Severity:    moderate
References:  1192023
This update for git fixes the following issues:

- Installation of the 'git-daemon' package needs nogroup group dependency (bsc#1192023)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3786-1
Released:    Wed Nov 24 05:59:13 2021
Summary:     Recommended update for rpm-config-SUSE
Type:        recommended
Severity:    important
References:  1192160
This update for rpm-config-SUSE fixes the following issues:

- Add support for the kernel xz-compressed firmware files (bsc#1192160)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3799-1
Released:    Wed Nov 24 18:07:54 2021
Summary:     Recommended update for gcc11
Type:        recommended
Severity:    moderate
References:  1187153,1187273,1188623
This update for gcc11 fixes the following issues:

The additional GNU compiler collection GCC 11 is provided:

To select these compilers install the packages:

- gcc11
- gcc-c++11
- and others with 11 prefix.

to select them for building:

- CC='gcc-11'
- CXX='g++-11'

The compiler baselibraries (libgcc_s1, libstdc++6 and others) are being replaced by the GCC 11 variants.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3808-1
Released:    Fri Nov 26 00:30:54 2021
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1186071,1190440,1190984,1192161
This update for systemd fixes the following issues:

- Add timestamp to D-Bus events to improve traceability (jsc#SLE-17798)
- Fix fd_is_mount_point() when both the parent and directory are network file systems (bsc#1190984)
- Support detection for ARM64 Hyper-V guests (bsc#1186071)
- Fix systemd-detect-virt not detecting Amazon EC2 Nitro instance (bsc#1190440)
- Enable support for Portable Services in openSUSE Leap only (jsc#SLE-21694)
- Fix IO scheduler udev rules to address performance issues (jsc#SLE-21032, bsc#1192161)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3870-1
Released:    Thu Dec  2 07:11:50 2021
Summary:     Recommended update for libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1190356,1191286,1191324,1191370,1191609,1192337,1192436
This update for libzypp, zypper fixes the following issues:

libzypp:

- Check log writer before accessing it (bsc#1192337)
- Zypper should keep cached files if transaction is aborted (bsc#1190356)
- Require a minimum number of mirrors for multicurl (bsc#1191609)
- Fixed slowdowns when rlimit is too high by using procfs to detect niumber of 
  open file descriptors (bsc#1191324)
- Fixed zypper incomplete messages when using non English localization (bsc#1191370)
- RepoManager: Don't probe for plaindir repository if the URL schema is a plugin (bsc#1191286)
- Disable logger in the child process after fork (bsc#1192436)

zypper:

- Fixed Zypper removing a kernel explicitely pinned that uses uname -r output format as name (openSUSE/zypper#418)


-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3872-1
Released:    Thu Dec  2 07:25:55 2021
Summary:     Recommended update for cracklib
Type:        recommended
Severity:    moderate
References:  1191736
This update for cracklib fixes the following issues:

- Enable build time tests (bsc#1191736)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3891-1
Released:    Fri Dec  3 10:21:49 2021
Summary:     Recommended update for keyutils
Type:        recommended
Severity:    moderate
References:  1029961,1113013,1187654
This update for keyutils fixes the following issues:

- Add /etc/keys/ and /usr/etc/keys/ directory (bsc#1187654)

keyutils was updated to 1.6.3 (jsc#SLE-20016):

* Revert the change notifications that were using /dev/watch_queue.
* Apply the change notifications that use pipe2(O_NOTIFICATION_PIPE).
* Allow 'keyctl supports' to retrieve raw capability data.
* Allow 'keyctl id' to turn a symbolic key ID into a numeric ID.
* Allow 'keyctl new_session' to name the keyring.
* Allow 'keyctl add/padd/etc.' to take hex-encoded data.
* Add 'keyctl watch*' to expose kernel change notifications on keys.
* Add caps for namespacing and notifications.
* Set a default TTL on keys that upcall for name resolution.
* Explicitly clear memory after it's held sensitive information.
* Various manual page fixes.
* Fix C++-related errors.
* Add support for keyctl_move().
* Add support for keyctl_capabilities().
* Make key=val list optional for various public-key ops.
* Fix system call signature for KEYCTL_PKEY_QUERY.
* Fix 'keyctl pkey_query' argument passing.
* Use keyctl_read_alloc() in dump_key_tree_aux().
* Various manual page fixes. 

Updated to 1.6:

* Apply various specfile cleanups from Fedora.
* request-key: Provide a command line option to suppress helper execution.
* request-key: Find least-wildcard match rather than first match.
* Remove the dependency on MIT Kerberos.
* Fix some error messages
* keyctl_dh_compute.3: Suggest /proc/crypto for list of available hashes.
* Fix doc and comment typos.
* Add public key ops for encrypt, decrypt, sign and verify (needs linux-4.20).
* Add pkg-config support for finding libkeyutils.
* upstream isn't offering PGP signatures for the source tarballs anymore

Updated to 1.5.11 (bsc#1113013)

* Add keyring restriction support.
* Add KDF support to the Diffie-Helman function.
* DNS: Add support for AFS config files and SRV records
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3899-1
Released:    Fri Dec  3 11:27:41 2021
Summary:     Security update for aaa_base
Type:        security
Severity:    moderate
References:  1162581,1174504,1191563,1192248
This update for aaa_base fixes the following issues:

- Allowed ping and ICMP commands without CAP_NET_RAW (bsc#1174504).
- Add $HOME/.local/bin to PATH, if it exists (bsc#1192248).
- Fixed get_kernel_version.c to work also for recent kernels on the s390/X platform (bsc#1191563).
- Support xz compressed kernel (bsc#1162581)   

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3934-1
Released:    Mon Dec  6 13:22:27 2021
Summary:     Security update for mozilla-nss
Type:        security
Severity:    important
References:  1193170,CVE-2021-43527
This update for mozilla-nss fixes the following issues:

Update to version 3.68.1:

- CVE-2021-43527: Fixed a Heap overflow in NSS when verifying DER-encoded DSA or RSA-PSS signatures (bsc#1193170).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3946-1
Released:    Mon Dec  6 14:57:42 2021
Summary:     Security update for gmp
Type:        security
Severity:    moderate
References:  1192717,CVE-2021-43618
This update for gmp fixes the following issues:
    
- CVE-2021-43618: Fixed buffer overflow via crafted input in mpz/inp_raw.c (bsc#1192717).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3950-1
Released:    Mon Dec  6 14:59:37 2021
Summary:     Security update for openssh
Type:        security
Severity:    important
References:  1190975,CVE-2021-41617
This update for openssh fixes the following issues:

- CVE-2021-41617: Fixed privilege escalation when AuthorizedKeysCommand/AuthorizedPrincipalsCommand are configured (bsc#1190975).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3963-1
Released:    Mon Dec  6 19:57:39 2021
Summary:     Recommended update for system-users
Type:        recommended
Severity:    moderate
References:  1190401
This update for system-users fixes the following issues:

- system-user-tss.conf: Removed group entry because it's not needed and contained syntax errors (bsc#1190401)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3980-1
Released:    Thu Dec  9 16:42:19 2021
Summary:     Recommended update for glibc
Type:        recommended
Severity:    moderate
References:  1191592

glibc was updated to fix the following issue:

- Support for new IBM Z Hardware (bsc#1191592, jsc#IBM-869)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:4145-1
Released:    Wed Dec 22 05:27:48 2021
Summary:     Recommended update for openssl-1_1
Type:        recommended
Severity:    moderate
References:  1161276
This update for openssl-1_1 fixes the following issues:

- Remove previously applied patch because it interferes with FIPS validation (bsc#1161276)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:4153-1
Released:    Wed Dec 22 11:00:48 2021
Summary:     Security update for openssh
Type:        security
Severity:    important
References:  1183137,CVE-2021-28041
This update for openssh fixes the following issues:

- CVE-2021-28041: Fixed double free in ssh-agent (bsc#1183137).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:4154-1
Released:    Wed Dec 22 11:02:38 2021
Summary:     Security update for p11-kit
Type:        security
Severity:    important
References:  1180064,1187993,CVE-2020-29361
This update for p11-kit fixes the following issues:

- CVE-2020-29361: Fixed multiple integer overflows in rpc code (bsc#1180064)
- Add support for CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER (bsc#1187993).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:4175-1
Released:    Thu Dec 23 11:22:33 2021
Summary:     Recommended update for systemd
Type:        recommended
Severity:    important
References:  1192423,1192858,1193759
This update for systemd fixes the following issues:

- Bump the max number of inodes for /dev to a million (bsc#1192858)
- sleep: don't skip resume device with low priority/available space (bsc#1192423)
- test: use kbd-mode-map we ship in one more test case
- test-keymap-util: always use kbd-model-map we ship
- Add rules for virtual devices and enforce 'none' for loop devices. (bsc#1193759)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:4182-1
Released:    Thu Dec 23 11:51:51 2021
Summary:     Recommended update for zlib
Type:        recommended
Severity:    moderate
References:  1192688
This update for zlib fixes the following issues:

- Fix hardware compression incorrect result on z15 hardware (bsc#1192688)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:4192-1
Released:    Tue Dec 28 10:39:50 2021
Summary:     Security update for permissions
Type:        security
Severity:    moderate
References:  1174504
This update for permissions fixes the following issues:

- Update to version 20181225:
  * drop ping capabilities in favor of ICMP_PROTO sockets (bsc#1174504)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:4-1
Released:    Mon Jan  3 08:28:54 2022
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  1193480
This update for libgcrypt fixes the following issues:

- Fix function gcry_mpi_sub_ui subtracting from negative value (bsc#1193480)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:12-1
Released:    Mon Jan  3 15:36:03 2022
Summary:     Recommended update for cairo, jbigkit, libjpeg-turbo, libwebp, libxcb, openjpeg2, pixman, poppler, tiff
Type:        recommended
Severity:    moderate
References:  
This recommended update for cairo, jbigkit, libjpeg-turbo, libwebp, libxcb, openjpeg2, pixman, poppler, tiff provides the following fix:

- Ship some missing binaries to PackageHub.
  

The following package changes have been done:

- aaa_base-84.87+git20180409.04c9dae-3.52.1 updated
- cracklib-dict-small-2.9.7-11.6.1 updated
- cracklib-2.9.7-11.6.1 updated
- git-core-2.31.1-10.6.1 updated
- glibc-2.31-9.6.1 updated
- libcrack2-2.9.7-11.6.1 updated
- libfreebl3-hmac-3.68.1-3.61.1 updated
- libfreebl3-3.68.1-3.61.1 updated
- libgcc_s1-11.2.1+git610-1.3.9 updated
- libgcrypt20-hmac-1.8.2-8.42.1 updated
- libgcrypt20-1.8.2-8.42.1 updated
- libgmp10-6.1.2-4.9.1 updated
- libjpeg8-8.1.2-32.2.1 updated
- libkeyutils1-1.6.3-5.6.1 updated
- libopenssl1_1-hmac-1.1.1d-11.33.2 updated
- libopenssl1_1-1.1.1d-11.33.2 updated
- libp11-kit0-0.23.2-4.13.1 updated
- libsoftokn3-hmac-3.68.1-3.61.1 updated
- libsoftokn3-3.68.1-3.61.1 updated
- libstdc++6-11.2.1+git610-1.3.9 updated
- libsystemd0-246.16-7.28.1 updated
- libudev1-246.16-7.28.1 updated
- libxcb1-1.13-3.7.1 updated
- libz1-1.2.11-3.24.1 updated
- libzypp-17.28.8-20.1 updated
- mozilla-nss-certs-3.68.1-3.61.1 updated
- mozilla-nss-3.68.1-3.61.1 updated
- openssh-clients-8.4p1-3.9.1 updated
- openssh-common-8.4p1-3.9.1 updated
- openssh-fips-8.4p1-3.9.1 updated
- openssl-1_1-1.1.1d-11.33.2 updated
- p11-kit-tools-0.23.2-4.13.1 updated
- p11-kit-0.23.2-4.13.1 updated
- permissions-20181225-23.9.1 updated
- rpm-config-SUSE-1-5.6.1 updated
- system-group-hardware-20170617-17.3.1 updated
- zypper-1.14.50-21.1 updated
- container:openjdk11-image-15.3.0-6.23 updated


More information about the sle-security-updates mailing list