SUSE-CU-2022:1616-1: Security update of trento/trento-runner

sle-security-updates at lists.suse.com
Fri Jul 22 08:48:01 UTC 2022


SUSE Container Update Advisory: trento/trento-runner
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2022:1616-1
Container Tags        : trento/trento-runner:1.0.1 , trento/trento-runner:1.0.1-build4.16.1 , trento/trento-runner:latest
Container Release     : 4.16.1
Severity              : important
Type                  : security
References            : 1040589 1180065 1182345 1182345 1182345 1182345 1182345 1182345
                        1182345 1182345 1182345 1182345 1182345 1182345 1182345 1182345
                        1183043 1183333 1183334 1185637 1185790 1186622 1187443 1187444
                        1187445 1188229 1189162 1190589 1191157 1191468 1191908 1192377
                        1192378 1192951 1193489 1193597 1193598 1193659 1195283 1195834
                        1195835 1195838 1196490 1196732 1196861 1197004 1197065 1197716
                        1197718 1197743 1197771 1197794 1198090 1198114 1198176 1198422
                        1198446 1198458 1198511 1198614 1198723 1198751 1198766 1199132
                        1199140 1199166 1199223 1199224 1199232 1199240 1200334 1200550
                        1200735 1200737 1200855 1200855 1201099 1201560 1201640 CVE-2015-20107
                        CVE-2020-29362 CVE-2021-27918 CVE-2021-27919 CVE-2021-31525 CVE-2021-33195
                        CVE-2021-33196 CVE-2021-33197 CVE-2021-33198 CVE-2021-34558 CVE-2021-36221
                        CVE-2021-38297 CVE-2021-39293 CVE-2021-41771 CVE-2021-41772 CVE-2021-44716
                        CVE-2021-44717 CVE-2022-1292 CVE-2022-1304 CVE-2022-1586 CVE-2022-2068
                        CVE-2022-2097 CVE-2022-22576 CVE-2022-23308 CVE-2022-23772 CVE-2022-23773
                        CVE-2022-23806 CVE-2022-24921 CVE-2022-27775 CVE-2022-27776 CVE-2022-27781
                        CVE-2022-27782 CVE-2022-29155 CVE-2022-29824 CVE-2022-32206 CVE-2022-32208
-----------------------------------------------------------------

The container trento/trento-runner was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:604-1
Released:    Thu Feb 25 13:58:04 2021
Summary:     Recommended update for go1.16
Type:        recommended
Severity:    moderate
References:  1182345

  
This update brings go1.16 to the Development Tools Module.

go1.16 (released 2021-02-16)

Go 1.16 is a major release of Go.

go1.16.x minor releases will be provided through February 2022.

See https://github.com/golang/go/wiki/Go-Release-Cycle

Most changes are in the implementation of the toolchain, runtime,
and libraries. As always, the release maintains the Go 1 promise
of compatibility. We expect almost all Go programs to continue to
compile and run as before.

* See the release notes at https://golang.org/doc/go1.16. Excerpts
  relevant to the OBS environment and to SUSE/openSUSE follow:
* Module-aware mode is enabled by default, regardless of whether
  a go.mod file is present in the current working directory or a
  parent directory. More precisely, the GO111MODULE environment
  variable now defaults to on. To switch to the previous
  behavior, set GO111MODULE to auto.
* Build commands like go build and go test no longer modify
  go.mod and go.sum by default. Instead, they report an error if
  a module requirement or checksum needs to be added or updated
  (as if the -mod=readonly flag were used). Module requirements
  and sums may be adjusted with go mod tidy or go get.
* go install now accepts arguments with version suffixes (for
  example, go install example.com/cmd@v1.0.0). This causes go
  install to build and install packages in module-aware mode,
  ignoring the go.mod file in the current directory or any parent
  directory, if there is one. This is useful for installing
  executables without affecting the dependencies of the main
  module.
* go install, with or without a version suffix (as described
  above), is now the recommended way to build and install
  packages in module mode. go get should be used with the -d flag
  to adjust the current module's dependencies without building
  packages, and use of go get to build and install packages is
  deprecated. In a future release, the -d flag will always be
  enabled.
* retract directives may now be used in a go.mod file to indicate
  that certain published versions of the module should not be
  used by other modules. A module author may retract a version
  after a severe problem is discovered or if the version was
  published unintentionally.
* The go mod vendor and go mod tidy subcommands now accept the -e
  flag, which instructs them to proceed despite errors in
  resolving missing packages.
* The go command now ignores requirements on module versions
  excluded by exclude directives in the main module. Previously,
  the go command used the next version higher than an excluded
  version, but that version could change over time, resulting in
  non-reproducible builds.
* In module mode, the go command now disallows import paths that
  include non-ASCII characters or path elements with a leading
  dot character (.). Module paths with these characters were
  already disallowed (see Module paths and versions), so this
  change affects only paths within module subdirectories.
* The go command now supports including static files and file
  trees as part of the final executable, using the new //go:embed
  directive. See the documentation for the new embed package for
  details.
* When using go test, a test that calls os.Exit(0) during
  execution of a test function will now be considered to
  fail. This will help catch cases in which a test calls code
  that calls os.Exit(0) and thereby stops running all future
  tests. If a TestMain function calls os.Exit(0) that is still
  considered to be a passing test.
* go test reports an error when the -c or -i flags are used
  together with unknown flags. Normally, unknown flags are passed
  to tests, but when -c or -i are used, tests are not run.
* The go get -insecure flag is deprecated and will be removed in
  a future version. This flag permits fetching from repositories
  and resolving custom domains using insecure schemes such as
  HTTP, and also bypasses module sum validation using the
  checksum database. To permit the use of insecure schemes, use
  the GOINSECURE environment variable instead. To bypass module
  sum validation, use GOPRIVATE or GONOSUMDB. See go help
  environment for details.
* go get example.com/mod@patch now requires that some version of
  example.com/mod already be required by the main
  module. (However, go get -u=patch continues to patch even
  newly-added dependencies.)
* GOVCS is a new environment variable that limits which version
  control tools the go command may use to download source
  code. This mitigates security issues with tools that are
  typically used in trusted, authenticated environments. By
  default, git and hg may be used to download code from any
  repository. svn, bzr, and fossil may only be used to download
  code from repositories with module paths or package paths
  matching patterns in the GOPRIVATE environment variable. See go
  help vcs for details.
* When the main module's go.mod file declares go 1.16 or higher,
  the all package pattern now matches only those packages that
  are transitively imported by a package or test found in the
  main module. (Packages imported by tests of packages imported
  by the main module are no longer included.) This is the same
  set of packages retained by go mod vendor since Go 1.11.
* When the -toolexec build flag is specified to use a program
  when invoking toolchain programs like compile or asm, the
  environment variable TOOLEXEC_IMPORTPATH is now set to the
  import path of the package being built.
* The -i flag accepted by go build, go install, and go test is
  now deprecated. The -i flag instructs the go command to install
  packages imported by packages named on the command line. Since
  the build cache was introduced in Go 1.10, the -i flag no
  longer has a significant effect on build times, and it causes
  errors when the install directory is not writable.
* When the -export flag is specified, the BuildID field is now
  set to the build ID of the compiled package. This is equivalent
  to running go tool buildid on go list -exported -f {{.Export}},
  but without the extra step.
* The -overlay flag specifies a JSON configuration file
  containing a set of file path replacements. The -overlay flag
  may be used with all build commands and go mod subcommands. It
  is primarily intended to be used by editor tooling such as
  gopls to understand the effects of unsaved changes to source
  files. The config file maps actual file paths to replacement
  file paths and the go command and its builds will run as if the
  actual file paths exist with the contents given by the
  replacement file paths, or don't exist if the replacement file
  paths are empty.
* The cgo tool will no longer try to translate C struct bitfields
  into Go struct fields, even if their size can be represented in
  Go. The order in which C bitfields appear in memory is
  implementation dependent, so in some cases the cgo tool
  produced results that were silently incorrect.
* The linux/riscv64 port now supports cgo and -buildmode=pie.
  This release also includes performance optimizations and code
  generation improvements for RISC-V.
* The new runtime/metrics package introduces a stable interface
  for reading implementation-defined metrics from the Go
  runtime. It supersedes existing functions like
  runtime.ReadMemStats and debug.GCStats and is significantly
  more general and efficient. See the package documentation for
  more details.
* Setting the GODEBUG environment variable to inittrace=1 now
  causes the runtime to emit a single line to standard error for
  each package init, summarizing its execution time and memory
  allocation. This trace can be used to find bottlenecks or
  regressions in Go startup performance. The GODEBUG
  documentation describes the format.
* On Linux, the runtime now defaults to releasing memory to the
  operating system promptly (using MADV_DONTNEED), rather than
  lazily when the operating system is under memory pressure
  (using MADV_FREE). This means process-level memory statistics
  like RSS will more accurately reflect the amount of physical
  memory being used by Go processes. Systems that are currently
  using GODEBUG=madvdontneed=1 to improve memory monitoring
  behavior no longer need to set this environment variable.
* Go 1.16 fixes a discrepancy between the race detector and the
  Go memory model. The race detector now more precisely follows
  the channel synchronization rules of the memory model. As a
  result, the detector may now report races it previously missed.
* linker: This release includes additional improvements to the Go
  linker, reducing linker resource usage (both time and memory)
  and improving code robustness/maintainability. These changes
  form the second half of a two-release project to modernize the
  Go linker.
* The linker changes in 1.16 extend the 1.15 improvements to all
  supported architecture/OS combinations (the 1.15 performance
  improvements were primarily focused on ELF-based OSes and amd64
  architectures). For a representative set of large Go programs,
  linking is 20-25% faster than 1.15 and requires 5-15% less
  memory on average for linux/amd64, with larger improvements for
  other architectures and OSes. Most binaries are also smaller as
  a result of more aggressive symbol pruning.
* The new embed package provides access to files embedded in the
  program during compilation using the new //go:embed directive.
* The new io/fs package defines the fs.FS interface, an
  abstraction for read-only trees of files. The standard library
  packages have been adapted to make use of the interface as
  appropriate.
* For testing code that implements fs.FS, the new testing/fstest
  package provides a TestFS function that checks for and reports
  common mistakes. It also provides a simple in-memory file
  system implementation, MapFS, which can be useful for testing
  code that accepts fs.FS implementations.
* syscall: On Linux, Setgid, Setuid, and related calls are now
  implemented. Previously, they returned a syscall.EOPNOTSUPP
  error. On Linux, the new functions AllThreadsSyscall and
  AllThreadsSyscall6 may be used to make a system call on all Go
  threads in the process. These functions may only be used by
  programs that do not use cgo; if a program uses cgo, they will
  always return syscall.ENOTSUP.
* time/tzdata: The slim timezone data format is now used for the
  timezone database in $GOROOT/lib/time/zoneinfo.zip and the
  embedded copy in this package. This reduces the size of the
  timezone database by about 350 KB.
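As an added illustration of the io/fs, fstest.MapFS and fstest.TestFS items above (example code written for this page, not from the advisory or the Go project), the following builds a constructed in-memory tree, serves one subtree through fs.Sub, and shows that the path rules io/fs enforces refuse rooted and parent-directory names. File names and contents are made up for the example.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"testing/fstest"
)

// NewConfigFS returns the constructed in-memory tree used by this example.
// fstest.MapFS (new in Go 1.16) implements fs.FS without touching disk.
func NewConfigFS() fstest.MapFS {
	return fstest.MapFS{
		"etc/app.conf":        {Data: []byte("listen=127.0.0.1:8080\n")},
		"etc/secrets/db.pass": {Data: []byte("example-password\n"), Mode: 0o600},
		"static/index.html":   {Data: []byte("<h1>ok</h1>\n")},
	}
}

// ReadPublic reads a file beneath the "static" subtree of fsys.
// fs.Sub scopes the tree, and fs.ValidPath rejects the rooted, "." and ".."
// path shapes that io/fs disallows, so a name such as "../etc/secrets/db.pass"
// cannot escape the subtree. Valid names outside "static" simply do not exist.
func ReadPublic(fsys fs.FS, name string) ([]byte, error) {
	if !fs.ValidPath(name) {
		return nil, fmt.Errorf("read %q: %w", name, fs.ErrInvalid)
	}
	sub, err := fs.Sub(fsys, "static")
	if err != nil {
		return nil, err
	}
	return fs.ReadFile(sub, name)
}

// IsInvalidPath reports whether err came from path validation rather than
// from a missing file, so callers can log the two cases differently.
func IsInvalidPath(err error) bool {
	return errors.Is(err, fs.ErrInvalid)
}

// CheckTree runs testing/fstest.TestFS, the conformance check Go 1.16 ships
// for fs.FS implementations, against fsys and the listed expected files.
func CheckTree(fsys fs.FS, expected ...string) error {
	return fstest.TestFS(fsys, expected...)
}

func main() {
	fsys := NewConfigFS()
	if err := CheckTree(fsys, "etc/app.conf", "static/index.html"); err != nil {
		fmt.Println("TestFS:", err)
	}
	for _, p := range []string{"index.html", "../etc/secrets/db.pass", "/etc/app.conf", "missing.html"} {
		data, err := ReadPublic(fsys, p)
		fmt.Printf("%-26q -> data=%q invalid=%v err=%v\n", p, data, IsInvalidPath(err), err)
	}
}
```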


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:937-1
Released:    Wed Mar 24 12:22:21 2021
Summary:     Security update for go1.16
Type:        security
Severity:    moderate
References:  1182345,1183333,1183334,CVE-2021-27918,CVE-2021-27919
This update for go1.16 fixes the following issues:

- go1.16.2 (released 2021-03-11) (bsc#1182345)
- go1.16.1 (released 2021-03-10) (bsc#1182345)
  - CVE-2021-27918: Fixed an infinite loop when using xml.NewTokenDecoder with a custom TokenReader (bsc#1183333).
  - CVE-2021-27919: Fixed a panic in archive/zip when calling Reader.Open (bsc#1183334).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1202-1
Released:    Thu Apr 15 15:11:29 2021
Summary:     Recommended update for go1.16
Type:        recommended
Severity:    moderate
References:  1182345
This update for go1.16 fixes the following issues:

- Updated to upstream version 1.16.3 to include fixes for the compiler, linker,
  runtime, the go command, and the testing and time packages (bsc#1182345)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2085-1
Released:    Fri Jun 18 17:21:29 2021
Summary:     Security update for go1.16
Type:        security
Severity:    moderate
References:  1182345,1185790,CVE-2021-31525
This update for go1.16 fixes the following issues:

- Updated go to upstream version 1.16.4 (released 2021-05-06) (bsc#1182345).
- CVE-2021-31525: Fixed stack overflow via net/http ReadRequest (bsc#1185790).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2186-1
Released:    Mon Jun 28 18:23:20 2021
Summary:     Security update for go1.16
Type:        security
Severity:    important
References:  1182345,1186622,1187443,1187444,1187445,CVE-2021-33195,CVE-2021-33196,CVE-2021-33197,CVE-2021-33198
This update for go1.16 fixes the following issues:

Update to 1.16.5.

Includes these security fixes:

- CVE-2021-33195: net: Lookup functions may return invalid host names (bsc#1187443).
- CVE-2021-33196: archive/zip: malformed archive may cause panic or memory exhaustion (bsc#1186622).
- CVE-2021-33197: net/http/httputil: ReverseProxy forwards Connection headers if first one is empty (bsc#1187444).
- CVE-2021-33198: math/big: (*Rat).SetString with '1.770p02041010010011001001' crashes with 'makeslice: len out of range' (bsc#1187445).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2392-1
Released:    Mon Jul 19 08:50:19 2021
Summary:     Security update for go1.16
Type:        security
Severity:    important
References:  1182345,1188229,CVE-2021-34558
This update for go1.16 fixes the following issues:

go1.16.6 (released 2021-07-12, bsc#1182345) includes a security fix to the
crypto/tls package, as well as bug fixes to the compiler, and the
net and net/http packages.

Security issue fixed:

CVE-2021-34558: Fixed a crypto/tls issue where clients could panic when provided a certificate of the wrong type for the negotiated parameters (bsc#1188229).

go1.16 release:

* bsc#1188229 go#47143 CVE-2021-34558
* go#47145 security: fix CVE-2021-34558
* go#46999 net: LookupMX behaviour broken
* go#46981 net: TestCVE202133195 fails if /etc/resolv.conf specifies ndots larger than 3
* go#46769 syscall: TestGroupCleanupUserNamespace test failure on Fedora
* go#46657 runtime: deeply nested struct initialized with non-zero values
* go#44984 net/http: server not setting Content-Length in certain cases

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2788-1
Released:    Fri Aug 20 10:06:08 2021
Summary:     Security update for go1.16
Type:        security
Severity:    moderate
References:  1182345,1189162,CVE-2021-36221
This update for go1.16 fixes the following issues:

Update to go1.16.7:

- go#47473 net/http: panic due to racy read of persistConn after handler panic (CVE-2021-36221 bsc#1189162)
- go#47348 cmd/go: 'go list -f '{{.Stale}}'' stack overflow with cyclic imports
- go#47332 time: Timer reset broken under heavy use since go1.16 timer optimizations added
- go#47289 cmd/link: build error with cgo in Windows, redefinition of go.map.zero
- go#47015 cmd/go: go mod vendor: open C:\Users\LICENSE: Access is denied.
- go#46928 cmd/compile: register conflict between external linker and duffzero on arm64
- go#46858 runtime: ppc64x binaries randomly segfault on linux 5.13rc6
- go#46551 cmd/go: unhelpful error message when running 'go install' on a replaced-but-not-required package

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3292-1
Released:    Wed Oct  6 16:46:16 2021
Summary:     Security update for go1.16
Type:        security
Severity:    important
References:  1182345,1190589,CVE-2021-39293
This update for go1.16 fixes the following issues:

- Update to go 1.16.8
- CVE-2021-39293: Fixed a buffer overflow in a preallocation check that could cause an OOM panic (bas#).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3487-1
Released:    Wed Oct 20 16:18:28 2021
Summary:     Security update for go1.16
Type:        security
Severity:    moderate
References:  1182345,1191468,CVE-2021-38297
This update for go1.16 fixes the following issues:

Update to go1.16.9

- CVE-2021-38297: misc/wasm, cmd/link: do not let command line args overwrite global data (bsc#1191468)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3834-1
Released:    Wed Dec  1 16:05:12 2021
Summary:     Security update for go1.16
Type:        security
Severity:    moderate
References:  1182345,1192377,1192378,CVE-2021-41771,CVE-2021-41772
This update for go1.16 fixes the following issues:

Security update to go1.16.10 (released 2021-11-04) (bsc#1182345).

- CVE-2021-41771: Fixed invalid dynamic symbol table command that could have caused panic (bsc#1192377).
- CVE-2021-41772: Fixed panic on (*Reader).Open (bsc#1192378).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:4169-1
Released:    Thu Dec 23 09:52:43 2021
Summary:     Security update for go1.16
Type:        security
Severity:    moderate
References:  1182345,1193597,1193598,CVE-2021-44716,CVE-2021-44717
This update for go1.16 fixes the following issues:

Updated to upstream version 1.16.12 to include security fixes to the compiler,
syscall, runtime, the net/http, net/http/httptest, and time packages (bsc#1182345)

- CVE-2021-44717: syscall: don't close fd 0 on ForkExec error (bsc#1193598).
- CVE-2021-44716: net/http: limit growth of header canonicalization cache (bsc#1193597).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:87-1
Released:    Mon Jan 17 12:50:09 2022
Summary:     Recommended update for go1.16
Type:        recommended
Severity:    moderate
References:  1182345
This update for go1.16 fixes the following issues:

Update to go1.16.13 (bsc#1182345)

- It includes fixes to the compiler, linker, runtime, and the net/http package:
  * x/net/http2: `http.Server.WriteTimeout` does not fire if the http2 stream's window is out of space.
  * runtime/race: building for iOS, but linking in object file built for macOS
  * runtime: race detector `SIGABRT` or `SIGSEGV` on macOS Monterey
  * runtime: mallocs cause 'base outside usable address space' panic when running on iOS 14
  * cmd/link: does not set section type of `.init_array` correctly
  * cmd/link: support more load commands on `Mach-O`
  * cmd/compile: internal compiler error: `Op...LECall and OpDereference have mismatched mem`

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:724-1
Released:    Fri Mar  4 10:34:01 2022
Summary:     Security update for go1.16
Type:        security
Severity:    important
References:  1182345,1195834,1195835,1195838,CVE-2022-23772,CVE-2022-23773,CVE-2022-23806
This update for go1.16 fixes the following issues:

- CVE-2022-23806: Fixed incorrect returned value in crypto/elliptic IsOnCurve (bsc#1195838).
- CVE-2022-23772: Fixed an overflow in math/big Rat.SetString that could lead to uncontrolled memory consumption (bsc#1195835).
- CVE-2022-23773: Fixed incorrect access control in cmd/go (bsc#1195834).

The following non-security bugs were fixed:

- go#50977 crypto/elliptic: IsOnCurve returns true for invalid field elements
- go#50700 math/big: Rat.SetString may consume large amount of RAM and crash
- go#50686 cmd/go: do not treat branches with semantic-version names as releases
- go#50866 cmd/compile: incorrect use of CMN on arm64
- go#50832 runtime/race: NoRaceMutexPureHappensBefore failures
- go#50811 cmd/go: remove bitbucket VCS probing
- go#50780 runtime: incorrect frame information in traceback traversal may hang the process.
- go#50721 debug/pe: reading debug_info section of PE files that use the DWARF5 form DW_FORM_line_strp causes error
- go#50682 cmd/compile: MOVWreg missing sign-extension following a Copy from a floating-point LoadReg
- go#50645 testing: surprising interaction of subtests with TempDir
- go#50585 net/http/httptest: add fipsonly compliant certificate in for NewTLSServer(), for dev.boringcrypto branch
- go#50245 runtime: intermittent os/exec.Command.Start() Hang on Darwin in Presence of 'plugin' Package

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1164-1
Released:    Tue Apr 12 15:03:24 2022
Summary:     Security update for go1.16
Type:        security
Severity:    important
References:  1182345,1183043,1196732,CVE-2022-24921
This update for go1.16 fixes the following issues:

Update to version 1.16.15 (bsc#1182345):
  - CVE-2022-24921: Fixed a potential denial of service via large regular
    expressions (bsc#1196732).

Non-security fixes:
  - Fixed an issue with v2 modules (go#51331).
  - Fixed an issue when building source in riscv64 (go#51198).
  - Increased compatibility for the DNS protocol in the net module (go#51161).
  - Fixed an issue with histograms in the runtime/metrics module (go#50733).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1374-1
Released:    Mon Apr 25 15:02:13 2022
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    moderate
References:  1191157,1197004
This update for openldap2 fixes the following issues:

- Allow specification of the maximum and minimum TLS version with TLS 1.3 (bsc#1191157)
- libldap could get out of step with openldap2 in some cases, which could cause incorrect installations and symbol
  resolution failures. openldap2 and libldap are now locked to their related release versions. (bsc#1197004)
- Restore CLDAP functionality in the CLI tools (jsc#PM-3288)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1451-1
Released:    Thu Apr 28 10:47:22 2022
Summary:     Recommended update for perl
Type:        recommended
Severity:    moderate
References:  1193489
This update for perl fixes the following issues:

- Fix Socket::VERSION evaluation and stabilize Socket::VERSION comparisons (bsc#1193489)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1626-1
Released:    Tue May 10 15:55:13 2022
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1198090,1198114
This update for systemd fixes the following issues:

- tmpfiles.d: only 'w+' can have multiple lines for the same path (bsc#1198090)
- journald: make sure journal_file_open() doesn't leave a corrupted file around after failing (bsc#1198114)
- tmpfiles: constify item_compatible() parameters
- test tmpfiles: add a test for 'w+'
- test: add test checking tmpfiles conf file precedence
- journald: make use of CLAMP() in cache_space_refresh()
- journal-file: port journal_file_open() to openat_report_new()
- fs-util: make sure openat_report_new() initializes return param also on shortcut
- fs-util: fix typos in comments
- fs-util: add openat_report_new() wrapper around openat()

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1655-1
Released:    Fri May 13 15:36:10 2022
Summary:     Recommended update for pam
Type:        recommended
Severity:    moderate
References:  1197794
This update for pam fixes the following issue:

- Do not include obsolete header files (bsc#1197794)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1657-1
Released:    Fri May 13 15:39:07 2022
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1198614,1198723,1198766,CVE-2022-22576,CVE-2022-27775,CVE-2022-27776
This update for curl fixes the following issues:

- CVE-2022-27776: Fixed auth/cookie leak on redirect (bsc#1198766)
- CVE-2022-27775: Fixed bad local IPv6 connection reuse (bsc#1198723)
- CVE-2022-22576: Fixed OAUTH2 bearer bypass in connection re-use (bsc#1198614)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1658-1
Released:    Fri May 13 15:40:20 2022
Summary:     Recommended update for libpsl
Type:        recommended
Severity:    important
References:  1197771
This update for libpsl fixes the following issues:

- Fix libpsl compilation issues (bsc#1197771)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1670-1
Released:    Mon May 16 10:06:30 2022
Summary:     Security update for openldap2
Type:        security
Severity:    important
References:  1199240,CVE-2022-29155
This update for openldap2 fixes the following issues:

- CVE-2022-29155: Fixed SQL injection in back-sql (bsc#1199240).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1688-1
Released:    Mon May 16 14:02:49 2022
Summary:     Security update for e2fsprogs
Type:        security
Severity:    important
References:  1198446,CVE-2022-1304
This update for e2fsprogs fixes the following issues:

- CVE-2022-1304: Fixed an out-of-bounds read/write leading to a segmentation fault
  and possibly arbitrary code execution (bsc#1198446).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1709-1
Released:    Tue May 17 17:35:47 2022
Summary:     Recommended update for libcbor
Type:        recommended
Severity:    important
References:  1197743
This update for libcbor fixes the following issues:

- Fix build errors occurring on SUSE Linux Enterprise 15 Service Pack 4

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1750-1
Released:    Thu May 19 15:28:20 2022
Summary:     Security update for libxml2
Type:        security
Severity:    important
References:  1196490,1199132,CVE-2022-23308,CVE-2022-29824
This update for libxml2 fixes the following issues:

- CVE-2022-23308: Fixed a use-after-free of ID and IDREF attributes (bsc#1196490).
- CVE-2022-29824: Fixed integer overflow that could have led to an out-of-bounds write in buf.c (xmlBuf*) and tree.c (xmlBuffer*) (bsc#1199132).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1770-1
Released:    Fri May 20 14:36:30 2022
Summary:     Recommended update for skelcd, sles15-image
Type:        recommended
Severity:    moderate
References:  
This update for skelcd, sles15-image fixes the following issues:

Changes in skelcd:

- Ship skelcd-EULA-bci for SLE BCI EULA (jsc#BCI-10)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1851-1
Released:    Thu May 26 08:59:55 2022
Summary:     Recommended update for gcc8
Type:        recommended
Severity:    moderate
References:  1197716
This update for gcc8 fixes the following issues:

- Fix build against SP4. (bsc#1197716)
- Remove bogus fixed include bits/statx.h from glibc 2.30 (bsc#1197716)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1870-1
Released:    Fri May 27 10:03:40 2022
Summary:     Security update for curl
Type:        security
Severity:    important
References:  1199223,1199224,CVE-2022-27781,CVE-2022-27782
This update for curl fixes the following issues:

- CVE-2022-27781: Fixed a never-ending busy loop in CERTINFO (bsc#1199223)
- CVE-2022-27782: Fixed overly eager reuse of TLS and SSH connections (bsc#1199224)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1887-1
Released:    Tue May 31 09:24:18 2022
Summary:     Recommended update for grep
Type:        recommended
Severity:    moderate
References:  1040589
This update for grep fixes the following issues:

- Make profiling deterministic. (bsc#1040589, SLE-24115)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1899-1
Released:    Wed Jun  1 10:43:22 2022
Summary:     Recommended update for libtirpc
Type:        recommended
Severity:    important
References:  1198176
This update for libtirpc fixes the following issues:

- Add a null pointer check in check_address to prevent the client from crashing (bsc#1198176)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1909-1
Released:    Wed Jun  1 16:25:35 2022
Summary:     Recommended update for glibc
Type:        recommended
Severity:    moderate
References:  1198751
This update for glibc fixes the following issues:

- Add the correct name for the IBM Z16 (bsc#1198751).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2019-1
Released:    Wed Jun  8 16:50:07 2022
Summary:     Recommended update for gcc11
Type:        recommended
Severity:    moderate
References:  1192951,1193659,1195283,1196861,1197065
This update for gcc11 fixes the following issues:

Update to the GCC 11.3.0 release.

* Includes the SLS hardening backport on x86_64. [bsc#1195283]
* Includes a change to adjust GNAT's idea of the target, fixing the build of gprbuild. [bsc#1196861]
* Fixed a miscompile of the embedded premake in 0ad on i586. [bsc#1197065]
* Use --with-cpu rather than specifying --with-arch/--with-tune.
* Fix D memory corruption in -M output.
* Fix ICE in is_this_parameter with coroutines. [bsc#1193659]
* Fixes an issue with debug dumping together with -o /dev/null.
* Fixes a libgccjit issue showing up in the emacs build. [bsc#1192951]
* Package mwaitintrin.h.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2049-1
Released:    Mon Jun 13 09:23:49 2022
Summary:     Recommended update for binutils
Type:        recommended
Severity:    moderate
References:  1191908,1198422
This update for binutils fixes the following issues:

- Revert to the old behaviour of not ignoring the in-section content
  of to-be-relocated fields on x86-64, even though that is a RELA architecture,
  for compatibility with buggy object files generated by old tools.
  [bsc#1198422]
- Fix a problem in crash not accepting some of our .ko.debug files. (bsc#1191908)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2157-1
Released:    Wed Jun 22 17:11:26 2022
Summary:     Recommended update for binutils
Type:        recommended
Severity:    moderate
References:  1198458
This update for binutils fixes the following issues:

- To build the shim 15.6~rc1 and later aarch64 images, objcopy
  needs to support the efi-app-aarch64 target. (bsc#1198458)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2251-1
Released:    Mon Jul  4 09:52:25 2022
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1185637,1199166,1200550,CVE-2022-1292,CVE-2022-2068
This update for openssl-1_1 fixes the following issues:

- CVE-2022-1292: Fixed command injection in c_rehash (bsc#1199166).
- CVE-2022-2068: Fixed further shell command injection issues in c_rehash (bsc#1200550).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2327-1
Released:    Thu Jul  7 15:06:13 2022
Summary:     Security update for curl
Type:        security
Severity:    important
References:  1200735,1200737,CVE-2022-32206,CVE-2022-32208
This update for curl fixes the following issues:

- CVE-2022-32206: Fixed HTTP compression denial of service (bsc#1200735).
- CVE-2022-32208: Fixed FTP-KRB bad message verification (bsc#1200737).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2328-1
Released:    Thu Jul  7 15:07:35 2022
Summary:     Security update for openssl-1_1
Type:        security
Severity:    important
References:  1201099,CVE-2022-2097
This update for openssl-1_1 fixes the following issues:

- CVE-2022-2097: Fixed partial missing encryption in AES OCB mode (bsc#1201099).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2357-1
Released:    Mon Jul 11 20:34:20 2022
Summary:     Security update for python3
Type:        security
Severity:    important
References:  1198511,CVE-2015-20107
This update for python3 fixes the following issues:

- CVE-2015-20107: avoid command injection in the mailcap module (bsc#1198511).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2361-1
Released:    Tue Jul 12 12:05:01 2022
Summary:     Security update for pcre
Type:        security
Severity:    important
References:  1199232,CVE-2022-1586
This update for pcre fixes the following issues:

- CVE-2022-1586: Fixed a Unicode property matching issue (bsc#1199232).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2405-1
Released:    Fri Jul 15 11:47:57 2022
Summary:     Security update for p11-kit
Type:        security
Severity:    moderate
References:  1180065,CVE-2020-29362
This update for p11-kit fixes the following issues:

- CVE-2020-29362: Fixed a 4-byte over-read in p11_rpc_buffer_get_byte_array which could lead to crashes (bsc#1180065).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2406-1
Released:    Fri Jul 15 11:49:01 2022
Summary:     Recommended update for glibc
Type:        recommended
Severity:    moderate
References:  1197718,1199140,1200334,1200855
This update for glibc fixes the following issues:

- powerpc: Fix VSX register number on __strncpy_power9 (bsc#1200334)
- Disable warnings due to deprecated libselinux symbols used by nss and nscd (bsc#1197718)
- i386: Remove broken CAN_USE_REGISTER_ASM_EBP (bsc#1197718)
- rtld: Avoid using up static TLS surplus for optimizations (bsc#1200855, BZ #25051)

This re-adds the s390 32-bit glibc and libcrypt1 libraries (glibc-32bit, glibc-locale-base-32bit, libcrypt1-32bit).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2494-1
Released:    Thu Jul 21 15:16:42 2022
Summary:     Recommended update for glibc
Type:        recommended
Severity:    important
References:  1200855,1201560,1201640
This update for glibc fixes the following issues:

- Remove tunables from the static TLS surplus patch, which caused crashes (bsc#1200855)
- i386: Disable check_consistency for GCC 5 and above (bsc#1201640, BZ #25788)

The following package changes have been done:

- libldap-data-2.4.46-150200.14.8.1 updated
- libtirpc-netconfig-1.2.6-150300.3.6.1 updated
- glibc-2.31-150300.31.2 updated
- libcrypt1-4.4.15-150300.4.4.3 updated
- perl-base-5.26.1-150300.17.3.1 updated
- libpcre1-8.45-150000.20.13.1 updated
- libgcc_s1-11.3.0+git1637-150000.1.9.1 updated
- libcom_err2-1.43.8-150000.4.33.1 updated
- libxml2-2-2.9.7-150000.3.46.1 updated
- libstdc++6-11.3.0+git1637-150000.1.9.1 updated
- libpsl5-0.20.1-150000.3.3.1 updated
- libopenssl1_1-1.1.1d-150200.11.51.1 updated
- libopenssl1_1-hmac-1.1.1d-150200.11.51.1 updated
- libldap-2_4-2-2.4.46-150200.14.8.1 updated
- libudev1-246.16-150300.7.45.1 updated
- libtirpc3-1.2.6-150300.3.6.1 updated
- libcurl4-7.66.0-150200.4.36.1 updated
- libsystemd0-246.16-150300.7.45.1 updated
- grep-3.1-150000.4.6.1 updated
- pam-1.3.0-150000.6.58.3 updated
- openssl-1_1-1.1.1d-150200.11.51.1 updated
- libp11-kit0-0.23.2-150000.4.16.1 updated
- p11-kit-0.23.2-150000.4.16.1 updated
- p11-kit-tools-0.23.2-150000.4.16.1 updated
- libatomic1-11.3.0+git1637-150000.1.9.1 updated
- libctf-nobfd0-2.37-150100.7.37.1 updated
- libgomp1-11.3.0+git1637-150000.1.9.1 updated
- libitm1-11.3.0+git1637-150000.1.9.1 updated
- liblsan0-11.3.0+git1637-150000.1.9.1 updated
- libmpx2-8.2.1+r264010-150000.1.6.4 updated
- libmpxwrappers2-8.2.1+r264010-150000.1.6.4 updated
- libtsan0-11.3.0+git1637-150000.1.9.1 updated
- libxcrypt-devel-4.4.15-150300.4.4.3 updated
- libctf0-2.37-150100.7.37.1 updated
- binutils-2.37-150100.7.37.1 updated
- glibc-devel-2.31-150300.37.1 updated
- go1.16-1.16.15-150000.1.46.1 added
- libcbor0-0.5.0-150100.4.6.1 updated
- python3-base-3.6.15-150300.10.27.1 updated
- libpython3_6m1_0-3.6.15-150300.10.27.1 updated
- python3-3.6.15-150300.10.27.1 updated
- container:sles15-image-15.0.0-17.18.1 updated
- go-1.17-3.20.1 removed
- go1.17-1.17.9-150000.1.31.1 removed