SUSE-CU-2022:253-1: Security update of bci/golang

sle-security-updates at sle-security-updates at
Sun Mar 6 08:02:12 UTC 2022

SUSE Container Update Advisory: bci/golang
Container Advisory ID : SUSE-CU-2022:253-1
Container Tags        : bci/golang:1.16 , bci/golang:1.16-10.26
Container Release     : 10.26
Severity              : important
Type                  : security
References            : 1182345 1187512 1188348 1188507 1190447 1192954 1193632 1194976
                        1195834 1195835 1195838 CVE-2021-3995 CVE-2021-3996 CVE-2022-23772
                        CVE-2022-23773 CVE-2022-23806 

The container bci/golang was updated. The following patches have been included in this update:

Advisory ID: SUSE-RU-2021:2626-1
Released:    Thu Aug  5 12:10:35 2021
Summary:     Recommended maintenance update for libeconf
Type:        recommended
Severity:    moderate
References:  1188348
This update for libeconf fixes the following issue:

- Solve a downgrade issue between SUSE Linux Enterprise SP3 and lower (bsc#1188348)
Advisory ID: SUSE-RU-2022:674-1
Released:    Wed Mar  2 13:24:38 2022
Summary:     Recommended update for yast2-network
Type:        recommended
Severity:    moderate
References:  1187512
This update for yast2-network fixes the following issues:
- Don't crash at the end of installation when storing wifi configuration for NetworkManager. (bsc#1187512)

Advisory ID: SUSE-RU-2022:692-1
Released:    Thu Mar  3 15:46:47 2022
Summary:     Recommended update for filesystem
Type:        recommended
Severity:    moderate
References:  1190447
This update for filesystem fixes the following issues:

- Release ported filesystem to LTSS channels (bsc#1190447).

Advisory ID: SUSE-SU-2022:724-1
Released:    Fri Mar  4 10:34:01 2022
Summary:     Security update for go1.16
Type:        security
Severity:    important
References:  1182345,1195834,1195835,1195838,CVE-2022-23772,CVE-2022-23773,CVE-2022-23806
This update for go1.16 fixes the following issues:

- CVE-2022-23806: Fixed incorrect returned value in crypto/elliptic IsOnCurve (bsc#1195838).
- CVE-2022-23772: Fixed overflow in Rat.SetString in math/big can lead to uncontrolled memory consumption (bsc#1195835).
- CVE-2022-23773: Fixed incorrect access control in cmd/go (bsc#1195834).

The following non-security bugs were fixed:

- go#50977 crypto/elliptic: IsOnCurve returns true for invalid field elements
- go#50700 math/big: Rat.SetString may consume large amount of RAM and crash
- go#50686 cmd/go: do not treat branches with semantic-version names as releases
- go#50866 cmd/compile: incorrect use of CMN on arm64
- go#50832 runtime/race: NoRaceMutexPureHappensBefore failures
- go#50811 cmd/go: remove bitbucket VCS probing
- go#50780 runtime: incorrect frame information in traceback traversal may hang the process.
- go#50721 debug/pe: reading debug_info section of PE files that use the DWARF5 form DW_FORM_line_strp causes error
- go#50682 cmd/compile: MOVWreg missing sign-extension following a Copy from a floating-point LoadReg
- go#50645 testing: surprising interaction of subtests with TempDir
- go#50585 net/http/httptest: add fipsonly compliant certificate in for NewTLSServer(), for dev.boringcrypto branch
- go#50245 runtime: intermittent os/exec.Command.Start() Hang on Darwin in Presence of 'plugin' Package

Advisory ID: SUSE-SU-2022:727-1
Released:    Fri Mar  4 10:39:21 2022
Summary:     Security update for libeconf, shadow and util-linux
Type:        security
Severity:    moderate
References:  1188507,1192954,1193632,1194976,CVE-2021-3995,CVE-2021-3996
This security update for libeconf, shadow and util-linux fix the following issues:


- Add libeconf to SLE-Module-Basesystem_15-SP3 because needed by 'util-linux' and 'shadow' 
  to fix autoyast handling of security related parameters (bsc#1192954, jsc#SLE-23384, jsc#SLE-23402)

Issues fixed in libeconf:
- Reading numbers with different bases (e.g. oktal) (bsc#1193632) (#157)
- Fixed different issues while writing string values to file.
- Writing comments to file too.
- Fixed crash while merging values.
- Added econftool cat option (#146)
- new API call: econf_readDirsHistory (showing ALL locations)
- new API call: econf_getPath (absolute path of the configuration file)
- Man pages libeconf.3 and econftool.8.
- Handling multiline strings.
- Added libeconf_ext which returns more information like
  line_nr, comments, path of the configuration file,...
- Econftool, an command line interface for handling configuration
- Generating HTML API documentation with doxygen.
- Improving error handling and semantic file check.
- Joining entries with the same key to one single entry if
  env variable ECONF_JOIN_SAME_ENTRIES has been set.


- The legacy code does not support /etc/login.defs.d used by YaST. Enable libeconf to 
  read it (bsc#1192954, jsc#SLE-23384, jsc#SLE-23402)


- The legacy code does not support /etc/login.defs.d used by YaST. Enable libeconf to 
  read it (bsc#1192954, jsc#SLE-23384, jsc#SLE-23402)
- Allow use of larger values for start sector to prevent `blockdev --report` aborting (bsc#1188507)
- Fixed `blockdev --report` using non-space characters as a field separator (bsc#1188507)
- CVE-2021-3995: Fixed unauthorized unmount in util-linux's libmount. (bsc#1194976) 
- CVE-2021-3996: Fixed unauthorized unmount in util-linux's libmount. (bsc#1194976)

The following package changes have been done:

- filesystem-15.0-11.5.1 updated
- go1.16-1.16.14-1.43.1 updated
- libaugeas0-1.10.1-3.5.1 updated
- libblkid1-2.36.2-150300.4.14.3 updated
- libeconf0-0.4.4+git20220104.962774f-150300.3.6.2 added
- libfdisk1-2.36.2-150300.4.14.3 updated
- libmount1-2.36.2-150300.4.14.3 updated
- libsmartcols1-2.36.2-150300.4.14.3 updated
- libuuid1-2.36.2-150300.4.14.3 updated
- login_defs-4.8.1-150300.4.3.8 updated
- shadow-4.8.1-150300.4.3.8 updated
- util-linux-2.36.2-150300.4.14.3 updated
- container:sles15-image-15.0.0-17.8.86 updated

More information about the sle-security-updates mailing list