SUSE-CU-2022:1696-1: Security update of bci/nodejs

sle-security-updates at lists.suse.com sle-security-updates at lists.suse.com
Fri Jul 29 07:47:42 UTC 2022


SUSE Container Update Advisory: bci/nodejs
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2022:1696-1
Container Tags        : bci/node:12 , bci/node:12-16.116 , bci/nodejs:12 , bci/nodejs:12-16.116
Container Release     : 16.116
Severity              : important
Type                  : security
References            : 1194550 1196125 1197684 1199042 1200855 1201225 1201431 1201560
                        1201640 CVE-2022-29187 CVE-2022-34903 
-----------------------------------------------------------------

The container bci/nodejs was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2494-1
Released:    Thu Jul 21 15:16:42 2022
Summary:     Recommended update for glibc
Type:        recommended
Severity:    important
References:  1200855,1201560,1201640
This update for glibc fixes the following issues:

- Remove tunables from static tls surplus patch which caused crashes (bsc#1200855)
- i386: Disable check_consistency for GCC 5 and above (bsc#1201640, BZ #25788)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2546-1
Released:    Mon Jul 25 14:43:22 2022
Summary:     Security update for gpg2
Type:        security
Severity:    important
References:  1196125,1201225,CVE-2022-34903
This update for gpg2 fixes the following issues:

- CVE-2022-34903: Fixed a status injection vulnerability (bsc#1201225).
- Use AES as default cipher instead of 3DES when we are in FIPS mode. (bsc#1196125)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2550-1
Released:    Tue Jul 26 14:00:21 2022
Summary:     Security update for git
Type:        security
Severity:    important
References:  1201431,CVE-2022-29187
This update for git fixes the following issues:

- CVE-2022-29187: Incomplete fix for CVE-2022-24765: potential command injection via git worktree (bsc#1201431).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2572-1
Released:    Thu Jul 28 04:22:33 2022
Summary:     Recommended update for libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1194550,1197684,1199042
This update for libzypp, zypper fixes the following issues:

libzypp:

- appdata plugin: Pass path to the repodata/ directory inside the cache (bsc#1197684)
- zypp-rpm: flush rpm script output buffer before sending endOfScriptTag
- PluginRepoverification: initial version hooked into repo::Downloader and repo refresh
- Immediately start monitoring the download.transfer_timeout. Do not wait until the first data arrived (bsc#1199042)
- singletrans: no dry-run commit if doing just download-only
- Work around cases where sat repo.start points to an invalid solvable. May happen if (wrong arch) solvables were 
  removed at the  beginning of the repo.
- Fix misplaced #endif SINGLE_RPMTRANS_AS_DEFAULT_FOR_ZYPPER

zypper:

- Basic JobReport for 'cmdout/monitor'
- versioncmp: if verbose, also print the edition 'parts' which are compared
- Make sure MediaAccess is closed on exception (bsc#1194550)
- Display plus-content hint conditionally
- Honor the NO_COLOR environment variable when auto-detecting whether to use color
- Define table columns which should be sorted natural [case insensitive]
- lr/ls: Use highlight color on name and alias as well


The following package changes have been done:

- git-core-2.35.3-150300.10.15.1 updated
- glibc-2.31-150300.37.1 updated
- gpg2-2.2.27-150300.3.5.1 updated
- libzypp-17.30.2-150200.39.1 updated
- zypper-1.14.53-150200.33.1 updated
- container:sles15-image-15.0.0-17.20.6 updated


More information about the sle-security-updates mailing list