SUSE-CU-2022:1706-1: Security update of suse/sle15
sle-security-updates at lists.suse.com
Fri Jul 29 07:53:24 UTC 2022
SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2022:1706-1
Container Tags : bci/bci-base:15.4 , bci/bci-base:15.4.27.11.7 , suse/sle15:15.4 , suse/sle15:15.4.27.11.7
Container Release : 27.11.7
Severity : important
Type : security
References : 1194550 1196490 1197684 1199042 1199132 CVE-2022-23308 CVE-2022-29824
-----------------------------------------------------------------
The container suse/sle15 was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2552-1
Released: Tue Jul 26 14:55:40 2022
Summary: Security update for libxml2
Type: security
Severity: important
References: 1196490,1199132,CVE-2022-23308,CVE-2022-29824
This update for libxml2 fixes the following issues:
Update to 2.9.14:
- CVE-2022-29824: Fixed integer overflow that could have led to an out-of-bounds write in buf.c (xmlBuf*) and tree.c (xmlBuffer*) (bsc#1199132).
Update to version 2.9.13:
- CVE-2022-23308: Fixed a use-after-free of ID and IDREF attributes. (bsc#1196490)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2573-1
Released: Thu Jul 28 04:24:19 2022
Summary: Recommended update for libzypp, zypper
Type: recommended
Severity: moderate
References: 1194550,1197684,1199042
This update for libzypp, zypper fixes the following issues:
libzypp:
- appdata plugin: Pass path to the repodata/ directory inside the cache (bsc#1197684)
- zypp-rpm: flush rpm script output buffer before sending endOfScriptTag
- PluginRepoverification: initial version hooked into repo::Downloader and repo refresh
- Immediately start monitoring the download.transfer_timeout. Do not wait until the first data arrived (bsc#1199042)
- singletrans: no dry-run commit if doing just download-only
- Work around cases where sat repo.start points to an invalid solvable. May happen if (wrong arch) solvables were removed at the beginning of the repo.
- Fix misplaced #endif SINGLE_RPMTRANS_AS_DEFAULT_FOR_ZYPPER
zypper:
- Basic JobReport for 'cmdout/monitor'
- versioncmp: if verbose, also print the edition 'parts' which are compared
- Make sure MediaAccess is closed on exception (bsc#1194550)
- Display plus-content hint conditionally
- Honor the NO_COLOR environment variable when auto-detecting whether to use color
- Define table columns which should be sorted natural [case insensitive]
- lr/ls: Use highlight color on name and alias as well
The following package changes have been done:
- libxml2-2-2.9.14-150400.5.7.1 updated
- libzypp-17.30.2-150400.3.3.1 updated
- zypper-1.14.53-150400.3.3.1 updated