SUSE-CU-2022:83-1: Security update of caasp/v4/kubernetes-client

sle-security-updates at sle-security-updates at
Thu Jan 27 08:06:15 UTC 2022

SUSE Container Update Advisory: caasp/v4/kubernetes-client
Container Advisory ID : SUSE-CU-2022:83-1
Container Tags        : caasp/v4/kubernetes-client:1.17.17 , caasp/v4/kubernetes-client:1.17.17-rev1 , caasp/v4/kubernetes-client:1.17.17-rev1-build1.10.45
Container Release     : 1.10.45
Severity              : critical
Type                  : security
References            : 1027496 1029961 1113013 1122417 1125886 1134353 1153687 1162581
                        1171962 1172973 1172974 1174504 1177952 1178236 1180064 1180995
                        1182372 1183085 1183268 1183589 1184326 1184399 1184994 1184997
                        1185016 1185325 1185524 1186447 1186489 1186503 1186602 1186910
                        1187153 1187224 1187270 1187273 1187425 1187466 1187512 1187654
                        1187738 1187760 1187911 1187993 1188018 1188063 1188156 1188291
                        1188344 1188435 1188623 1188713 1188921 1189031 1189480 1189803
                        1189929 1190052 1190059 1190199 1190234 1190325 1190356 1190440
                        1190465 1190645 1190712 1190739 1190793 1190815 1190915 1190929
                        1190933 1190984 1191252 1191286 1191324 1191370 1191563 1191609
                        1191987 1192161 1192248 1192337 1192436 1192688 1192717 1192790
                        1193480 1193481 1193488 1193521 954813 CVE-2016-10228 CVE-2019-20838
                        CVE-2020-14155 CVE-2020-29361 CVE-2021-33574 CVE-2021-33910 CVE-2021-35942
                        CVE-2021-37600 CVE-2021-37750 CVE-2021-39537 CVE-2021-43618 

The container caasp/v4/kubernetes-client was updated. The following patches have been included in this update:

Advisory ID: SUSE-RU-2021:305-1
Released:    Thu Feb  4 15:00:37 2021
Summary:     Recommended update for libprotobuf
Type:        recommended
Severity:    moderate

libprotobuf was updated to fix:

- ship the libprotobuf-lite15 on the base products. (jsc#ECO-2911)
Advisory ID: SUSE-SU-2021:3348-1
Released:    Tue Oct 12 13:08:06 2021
Summary:     Security update for systemd
Type:        security
Severity:    moderate
References:  1134353,1171962,1184994,1188018,1188063,1188291,1188713,1189480,1190234,CVE-2021-33910
This update for systemd fixes the following issues:

- CVE-2021-33910: Fixed use of strdupa() on a path (bsc#1188063).

- logind: terminate cleanly on SIGTERM/SIGINT (bsc#1188018).
- Adopting BFQ to control I/O (jsc#SLE-21032, bsc#1134353).
- Rules weren't applied to dm devices (multipath) (bsc#1188713).
- Ignore obsolete 'elevator' kernel parameter (bsc#1184994, bsc#1190234).
- Make sure the versions of both udev and systemd packages are always the same (bsc#1189480).
- Avoid error message when udev is updated due to udev being already active when the sockets are started again (bsc#1188291).
- Allow the systemd sysusers config files to be overriden during system installation (bsc#1171962).

Advisory ID: SUSE-SU-2021:3385-1
Released:    Tue Oct 12 15:54:31 2021
Summary:     Security update for glibc
Type:        security
Severity:    moderate
References:  1186489,1187911,CVE-2021-33574,CVE-2021-35942
This update for glibc fixes the following issues:

- CVE-2021-35942: wordexp: handle overflow in positional parameter number (bsc#1187911)
- CVE-2021-33574: Use __pthread_attr_copy in mq_notify (bsc#1186489)

Advisory ID: SUSE-SU-2021:3454-1
Released:    Mon Oct 18 09:29:26 2021
Summary:     Security update for krb5
Type:        security
Severity:    moderate
References:  1189929,CVE-2021-37750
This update for krb5 fixes the following issues:

- CVE-2021-37750: Fixed KDC null pointer dereference via a FAST inner body that lacks a server field (bsc#1189929).

Advisory ID: SUSE-RU-2021:3480-1
Released:    Wed Oct 20 11:24:10 2021
Summary:     Recommended update for yast2-network
Type:        recommended
Severity:    moderate
References:  1185016,1185524,1186910,1187270,1187512,1188344,1190645,1190739,1190915,1190933
This update for yast2-network fixes the following issues:

- Don't crash when the interfaces table contains a not configured one (bnc#1190645, bsc#1190915).
- Fix the shown description using the interface friendly name when it is empty (bsc#1190933).
- Consider aliases sections as case insensitive (bsc#1190739).
- Display user defined device name in the devices overview (bnc#1190645).
- Don't crash when defined aliases in AutoYaST profile are not defined as a map (bsc#1188344).
- Support 'boot' and 'on' as aliases for the 'auto' startmode (bsc#1186910).
- Fix desktop file so the control center tooltip is translated (bsc#1187270).
- Use the linuxrc proxy settings for the HTTPS and FTP proxies (bsc#1185016).
- Don't crash at the end of installation when storing wifi configuration for NetworkManager (bsc#1185524, bsc#1187512).

Advisory ID: SUSE-SU-2021:3490-1
Released:    Wed Oct 20 16:31:55 2021
Summary:     Security update for ncurses
Type:        security
Severity:    moderate
References:  1190793,CVE-2021-39537
This update for ncurses fixes the following issues:

- CVE-2021-39537: Fixed an heap-based buffer overflow in _nc_captoinfo. (bsc#1190793)

Advisory ID: SUSE-RU-2021:3494-1
Released:    Wed Oct 20 16:48:46 2021
Summary:     Recommended update for pam
Type:        recommended
Severity:    moderate
References:  1190052
This update for pam fixes the following issues:

- Added pam_faillock to the set of available PAM modules. (jsc#SLE-20638)
- Added new file macros.pam on request of systemd. (bsc#1190052)

Advisory ID: SUSE-RU-2021:3496-1
Released:    Thu Oct 21 09:57:47 2021
Summary:     Recommended update for bash-completion
Type:        recommended
Severity:    low
References:  1190929
This update for bash-completion fixes the following issue:

- modinfo completion fails to recognize .ko.xz (bsc#1190929)

Advisory ID: SUSE-RU-2021:3510-1
Released:    Tue Oct 26 11:22:15 2021
Summary:     Recommended update for pam
Type:        recommended
Severity:    important
References:  1191987
This update for pam fixes the following issues:

- Fixed a bad directive file which resulted in
  the 'securetty' file to be installed as 'macros.pam'.

Advisory ID: SUSE-SU-2021:3523-1
Released:    Tue Oct 26 15:40:13 2021
Summary:     Security update for util-linux
Type:        security
Severity:    moderate
References:  1122417,1125886,1178236,1188921,CVE-2021-37600
This update for util-linux fixes the following issues:

Update to version 2.33.2 to provide seamless update from SLE12 SP5 to SLE15 SP2:

- CVE-2021-37600: Fixed an integer overflow which could lead to a buffer overflow in get_sem_elements() in sys-utils/ipcutils.c (bsc#1188921).
- agetty: Fix 8-bit processing in get_logname() (bsc#1125886).
- mount: Fix 'mount' output for net file systems (bsc#1122417).
- ipcs: Avoid overflows (bsc#1178236)

Advisory ID: SUSE-SU-2021:3529-1
Released:    Wed Oct 27 09:23:32 2021
Summary:     Security update for pcre
Type:        security
Severity:    moderate
References:  1172973,1172974,CVE-2019-20838,CVE-2020-14155
This update for pcre fixes the following issues:

Update pcre to version 8.45:

- CVE-2020-14155: Fixed integer overflow via a large number after a '(?C' substring (bsc#1172974).
- CVE-2019-20838: Fixed buffer over-read in JIT compiler (bsc#1172973)

Advisory ID: SUSE-RU-2021:3781-1
Released:    Tue Nov 23 23:48:43 2021
Summary:     This update for libzypp, zypper and libsolv fixes the following issues:
Type:        recommended
Severity:    moderate
References:  1153687,1182372,1183268,1183589,1184326,1184399,1184997,1185325,1186447,1186503,1186602,1187224,1187425,1187466,1187738,1187760,1188156,1188435,1189031,1190059,1190199,1190356,1190465,1190712,1190815,1191286,1191324,1191370,1191609,1192337,1192436
This update for zypper fixes the following issues:

- Manpage: Recommend the needs-rebooting command to test whether a system reboot is suggested.
- Let a patch's reboot-needed flag overrule included packages. (bsc#1183268)
- Quickfix setting 'openSUSE_Tumbleweed' as default platform for 'MicroOS'. (bsc#1153687)
- Protect against strict/relaxed user umask via sudo. (bsc#1183589)
- xml summary: Add solvables repository alias. (bsc#1182372)
- Allow trusted repos to add additional signing keys. (bsc#1184326)
- MediaCurl: Fix logging of redirects.
- Let negative values wait forever for the zypp lock. (bsc#1184399)
- Fix 'purge-kernels' is broken in Leap 15.3. (bsc#1185325)
- Fix service detection with cgroupv2. (bsc#1184997)
- Add hints to 'trust GPG key' prompt.
- Enhance XML output of repo GPG options
- Add optional attributes showing the raw values actually present in the '.repo' file.
- Link all executables with -pie (bsc#1186447)
- Ship an empty '/etc/zypp/needreboot' per default. (jsc#PM-2645)
- Fix solver jobs for PTFs. (bsc#1186503)
- choice rules: treat orphaned packages as newest. (bc#1190465)
- Add need reboot/restart hint to XML install summary. (bsc#1188435)
- Fix kernel-*-livepatch removal in purge-kernels. (bsc#1190815)
- Fix obs:// platform guessing for Leap. (bsc#1187425)
- Fix purge-kernels fails. (bsc#1187738)
- Do not download full files even if the checkExistsOnly flag is set. (bsc#1190712)
- Prompt: choose exact match if prompt options are not prefix free. (bsc#1188156)
- Do not check of signatures and keys two times(redundant). (bsc#1190059)
- Rephrase vendor conflict message in case 2 packages are involved. (bsc#1187760)
- Show key fpr from signature when signature check fails. (bsc#1187224)
- Make sure to keep states alives while transitioning. (bsc#1190199)
- Fix crashes in logging code when shutting down. (bsc#1189031)
- Manpage: Improve description about patch updates. (bsc#1187466)
- Avoid calling 'su' to detect a too restrictive sudo user umask. (bsc#1186602)
- Consolidate reboot-recommendations across tools and stop using /etc/zypp/needreboot (jsc#-SLE-18858)
- Disable logger in the child after fork (bsc#1192436)
- Check log writer before accessing it (bsc#1192337)
- Allow uname-r format in purge kernels keepspec
- zypper should keep cached files if transaction is aborted (bsc#1190356)
- Require a minimum number of mirrors for multicurl (bsc#1191609)
- Use procfs to detect nr of open fd's if rlimit is too high (bsc#1191324)
- Fix translations (bsc#1191370)
- RepoManager: Don't probe for plaindir repo if URL schema is plugin (bsc#1191286)

Advisory ID: SUSE-RU-2021:3799-1
Released:    Wed Nov 24 18:07:54 2021
Summary:     Recommended update for gcc11
Type:        recommended
Severity:    moderate
References:  1187153,1187273,1188623
This update for gcc11 fixes the following issues:

The additional GNU compiler collection GCC 11 is provided:

To select these compilers install the packages:

- gcc11
- gcc-c++11
- and others with 11 prefix.

to select them for building:

- CC='gcc-11'
- CXX='g++-11'

The compiler baselibraries (libgcc_s1, libstdc++6 and others) are being replaced by the GCC 11 variants.

Advisory ID: SUSE-RU-2021:3809-1
Released:    Fri Nov 26 00:31:59 2021
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1189803,1190325,1190440,1190984,1191252,1192161
This update for systemd fixes the following issues:

- Add timestamp to D-Bus events to improve traceability (jsc#SLE-21862, jsc#SLE-18102, jsc#SLE-18103)
- Fix IO scheduler udev rules to address performance issues (jsc#SLE-21032, bsc#1192161)
- shutdown: Reduce log level of unmounts (bsc#1191252)
- pid1: make use of new 'prohibit_ipc' logging flag in PID 1 (bsc#1189803)
- core: rework how we connect to the bus (bsc#1190325)
- mount-util: fix fd_is_mount_point() when both the parent and directory are network fs (bsc#1190984)
- virt: detect Amazon EC2 Nitro instance (bsc#1190440)
- Several fixes for umount
- busctl: use usec granularity for the timestamp printed by the busctl monitor command
- fix unitialized fields in MountPoint in dm_list_get()
- shutdown: explicitly set a log target
- mount-util: add mount_option_mangle()
- dissect: automatically mark partitions read-only that have a read-only file system
- build-sys: require proper libmount version
- systemd-shutdown: use log_set_prohibit_ipc(true)
- rationalize interface for opening/closing logging
- pid1: when we can't log to journal, remember our fallback log target
- log: remove LOG_TARGET_SAFE pseudo log target
- log: add brief comment for log_set_open_when_needed() and log_set_always_reopen_console()
- log: add new 'prohibit_ipc' flag to logging system
- log: make log_set_upgrade_syslog_to_journal() take effect immediately
- dbus: split up bus_done() into seperate functions
- machine-id-setup: generate machine-id from DMI product ID on Amazon EC2
- virt: if we detect Xen by DMI, trust that over CPUID

Advisory ID: SUSE-SU-2021:3830-1
Released:    Wed Dec  1 13:45:46 2021
Summary:     Security update for glibc
Type:        security
Severity:    moderate
References:  1027496,1183085,CVE-2016-10228

This update for glibc fixes the following issues:

- libio: do not attempt to free wide buffers of legacy streams (bsc#1183085) 
- CVE-2016-10228: Rewrite iconv option parsing to fix security issue (bsc#1027496)

Advisory ID: SUSE-RU-2021:3891-1
Released:    Fri Dec  3 10:21:49 2021
Summary:     Recommended update for keyutils
Type:        recommended
Severity:    moderate
References:  1029961,1113013,1187654
This update for keyutils fixes the following issues:

- Add /etc/keys/ and /usr/etc/keys/ directory (bsc#1187654)

keyutils was updated to 1.6.3 (jsc#SLE-20016):

* Revert the change notifications that were using /dev/watch_queue.
* Apply the change notifications that use pipe2(O_NOTIFICATION_PIPE).
* Allow 'keyctl supports' to retrieve raw capability data.
* Allow 'keyctl id' to turn a symbolic key ID into a numeric ID.
* Allow 'keyctl new_session' to name the keyring.
* Allow 'keyctl add/padd/etc.' to take hex-encoded data.
* Add 'keyctl watch*' to expose kernel change notifications on keys.
* Add caps for namespacing and notifications.
* Set a default TTL on keys that upcall for name resolution.
* Explicitly clear memory after it's held sensitive information.
* Various manual page fixes.
* Fix C++-related errors.
* Add support for keyctl_move().
* Add support for keyctl_capabilities().
* Make key=val list optional for various public-key ops.
* Fix system call signature for KEYCTL_PKEY_QUERY.
* Fix 'keyctl pkey_query' argument passing.
* Use keyctl_read_alloc() in dump_key_tree_aux().
* Various manual page fixes. 

Updated to 1.6:

* Apply various specfile cleanups from Fedora.
* request-key: Provide a command line option to suppress helper execution.
* request-key: Find least-wildcard match rather than first match.
* Remove the dependency on MIT Kerberos.
* Fix some error messages
* keyctl_dh_compute.3: Suggest /proc/crypto for list of available hashes.
* Fix doc and comment typos.
* Add public key ops for encrypt, decrypt, sign and verify (needs linux-4.20).
* Add pkg-config support for finding libkeyutils.
* upstream isn't offering PGP signatures for the source tarballs anymore

Updated to 1.5.11 (bsc#1113013)

* Add keyring restriction support.
* Add KDF support to the Diffie-Helman function.
* DNS: Add support for AFS config files and SRV records
Advisory ID: SUSE-SU-2021:3899-1
Released:    Fri Dec  3 11:27:41 2021
Summary:     Security update for aaa_base
Type:        security
Severity:    moderate
References:  1162581,1174504,1191563,1192248
This update for aaa_base fixes the following issues:

- Allowed ping and ICMP commands without CAP_NET_RAW (bsc#1174504).
- Add $HOME/.local/bin to PATH, if it exists (bsc#1192248).
- Fixed get_kernel_version.c to work also for recent kernels on the s390/X platform (bsc#1191563).
- Support xz compressed kernel (bsc#1162581)   

Advisory ID: SUSE-RU-2021:3930-1
Released:    Mon Dec  6 11:16:10 2021
Summary:     Recommended update for curl
Type:        recommended
Severity:    moderate
References:  1192790
This update for curl fixes the following issues:

- Fix sftp via proxy failure in curl, by preventing libssh from creating socket (bsc#1192790)

Advisory ID: SUSE-SU-2021:3946-1
Released:    Mon Dec  6 14:57:42 2021
Summary:     Security update for gmp
Type:        security
Severity:    moderate
References:  1192717,CVE-2021-43618
This update for gmp fixes the following issues:
- CVE-2021-43618: Fixed buffer overflow via crafted input in mpz/inp_raw.c (bsc#1192717).

Advisory ID: SUSE-RU-2021:4017-1
Released:    Tue Dec 14 07:26:55 2021
Summary:     Recommended update for openssl-1_1
Type:        recommended
Severity:    moderate
References:  1180995
This update for openssl-1_1 fixes the following issues:

- Add RFC3526 and RFC7919 groups to 'openssl genpkey' so that it can output FIPS-appropriate parameters 
  consistently with our other codestreams (bsc#1180995)

Advisory ID: SUSE-RU-2021:4139-1
Released:    Tue Dec 21 17:02:44 2021
Summary:     Recommended update for systemd
Type:        recommended
Severity:    critical
References:  1193481,1193521
This update for systemd fixes the following issues:

- Revert 'core: rework how we connect to the bus' (bsc#1193521 bsc#1193481)
  sleep-config: partitions can't be deleted, only files can
  shared/sleep-config: exclude zram devices from hibernation candidates

Advisory ID: SUSE-SU-2021:4154-1
Released:    Wed Dec 22 11:02:38 2021
Summary:     Security update for p11-kit
Type:        security
Severity:    important
References:  1180064,1187993,CVE-2020-29361
This update for p11-kit fixes the following issues:

- CVE-2020-29361: Fixed multiple integer overflows in rpc code (bsc#1180064)
- Add support for CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER (bsc#1187993).

Advisory ID: SUSE-RU-2021:4182-1
Released:    Thu Dec 23 11:51:51 2021
Summary:     Recommended update for zlib
Type:        recommended
Severity:    moderate
References:  1192688
This update for zlib fixes the following issues:

- Fix hardware compression incorrect result on z15 hardware (bsc#1192688)

Advisory ID: SUSE-RU-2022:4-1
Released:    Mon Jan  3 08:28:54 2022
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  1193480
This update for libgcrypt fixes the following issues:

- Fix function gcry_mpi_sub_ui subtracting from negative value (bsc#1193480)

Advisory ID: SUSE-RU-2022:57-1
Released:    Wed Jan 12 07:10:42 2022
Summary:     Recommended update for libzypp
Type:        recommended
Severity:    moderate
References:  1193488,954813
This update for libzypp fixes the following issues:
- Use the default zypp.conf settings if no zypp.conf exists (bsc#1193488)
- Fix wrong encoding of URI compontents of ISO images (bsc#954813)
- When invoking 32bit mode in userland of an aarch64 kernel, handle armv8l as armv7hl compatible
- Introduce zypp-curl as a sublibrary for CURL related code
- zypp-rpm: Increase rpm loglevel if ZYPP_RPM_DEBUG is set
- Save all signatures associated with a public key in its PublicKeyData

Advisory ID: SUSE-RU-2022:180-1
Released:    Tue Jan 25 17:34:26 2022
Summary:     Includes a cri-o update to 1.19
Type:        recommended
Severity:    moderate
References:  1177952
 == Cri-o 
Upgrade Cri-o to 1.19, it fixes bsc#1177952

The following package changes have been done:

- aaa_base-84.87+git20180409.04c9dae-3.52.1 updated
- bash-completion-2.7-4.6.1 updated
- glibc-2.26-13.62.1 updated
- krb5-1.16.3-3.24.1 updated
- kubernetes-client-1.17.17-4.28.3 updated
- kubernetes-common-1.17.17-4.28.3 updated
- libaugeas0-1.10.1-3.3.1 updated
- libblkid1-2.33.2-4.16.1 updated
- libcurl4-7.60.0-28.1 updated
- libfdisk1-2.33.2-4.16.1 updated
- libgcc_s1-11.2.1+git610-1.3.9 updated
- libgcrypt20-1.8.2-8.42.1 updated
- libgmp10-6.1.2-4.9.1 updated
- libkeyutils1-1.6.3-5.6.1 updated
- libmount1-2.33.2-4.16.1 updated
- libncurses6-6.1-5.9.1 updated
- libopenssl1_1-1.1.0i-14.24.3 updated
- libp11-kit0-0.23.2-4.13.1 updated
- libpcre1-8.45-20.10.1 updated
- libprotobuf-lite15-3.5.0-5.2.1 added
- libsmartcols1-2.33.2-4.16.1 updated
- libsolv-tools-0.7.20-4.3.1 updated
- libstdc++6-11.2.1+git610-1.3.9 updated
- libsystemd0-234-24.102.1 updated
- libudev1-234-24.102.1 updated
- libuuid1-2.33.2-4.16.1 updated
- libz1-1.2.11-3.24.1 updated
- libzypp-17.29.0-3.64.1 updated
- ncurses-utils-6.1-5.9.1 updated
- pam-1.3.0-6.50.1 updated
- terminfo-base-6.1-5.9.1 updated
- util-linux-2.33.2-4.16.1 updated
- zypper-1.14.50-3.46.1 updated
- container:sles15-image-15.0.0-6.2.559 updated

More information about the sle-security-updates mailing list