SUSE-CU-2022:302-1: Security update of bci/openjdk-devel

Fri Mar 18 15:58:43 UTC 2022

SUSE Container Update Advisory: bci/openjdk-devel
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2022:302-1
Container Tags        : bci/openjdk-devel:11 , bci/openjdk-devel:11-14.19 , bci/openjdk-devel:latest
Container Release     : 14.19
Severity              : important
Type                  : security
References            : 1187512 1188348 1188507 1190447 1192954 1193632 1194265 1194925
                        1194926 1194927 1194928 1194929 1194930 1194931 1194932 1194933
                        1194934 1194935 1194937 1194939 1194940 1194941 1194976 1195326
                        1195468 1195654 1196025 1196026 1196036 1196168 1196169 1196171
                        CVE-2021-3995 CVE-2021-3996 CVE-2022-21248 CVE-2022-21277 CVE-2022-21282
                        CVE-2022-21283 CVE-2022-21291 CVE-2022-21293 CVE-2022-21294 CVE-2022-21296
                        CVE-2022-21299 CVE-2022-21305 CVE-2022-21340 CVE-2022-21341 CVE-2022-21360
                        CVE-2022-21365 CVE-2022-21366 CVE-2022-24407 CVE-2022-25235 CVE-2022-25236
                        CVE-2022-25313 CVE-2022-25314 CVE-2022-25315 
-----------------------------------------------------------------

The container bci/openjdk-devel was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2626-1
Released:    Thu Aug  5 12:10:35 2021
Summary:     Recommended maintenance update for libeconf
Type:        recommended
Severity:    moderate
References:  1188348
This update for libeconf fixes the following issue:

- Solve a downgrade issue between SUSE Linux Enterprise SP3 and lower (bsc#1188348)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:674-1
Released:    Wed Mar  2 13:24:38 2022
Summary:     Recommended update for yast2-network
Type:        recommended
Severity:    moderate
References:  1187512
This update for yast2-network fixes the following issues:

- Don't crash at the end of installation when storing wifi configuration for NetworkManager. (bsc#1187512)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:692-1
Released:    Thu Mar  3 15:46:47 2022
Summary:     Recommended update for filesystem
Type:        recommended
Severity:    moderate
References:  1190447
This update for filesystem fixes the following issues:

- Release ported filesystem to LTSS channels (bsc#1190447).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:713-1
Released:    Fri Mar  4 09:34:17 2022
Summary:     Security update for expat
Type:        security
Severity:    important
References:  1196025,1196026,1196168,1196169,1196171,CVE-2022-25235,CVE-2022-25236,CVE-2022-25313,CVE-2022-25314,CVE-2022-25315
This update for expat fixes the following issues:

- CVE-2022-25236: Fixed possible namespace-separator characters insertion into namespace URIs (bsc#1196025).
- CVE-2022-25235: Fixed UTF-8 character validation in a certain context (bsc#1196026).
- CVE-2022-25313: Fixed stack exhaustion in build_model() via uncontrolled recursion (bsc#1196168).
- CVE-2022-25314: Fixed integer overflow in copyString (bsc#1196169).
- CVE-2022-25315: Fixed integer overflow in storeRawNames (bsc#1196171).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:727-1
Released:    Fri Mar  4 10:39:21 2022
Summary:     Security update for libeconf, shadow and util-linux
Type:        security
Severity:    moderate
References:  1188507,1192954,1193632,1194976,CVE-2021-3995,CVE-2021-3996
This security update for libeconf, shadow and util-linux fix the following issues:

libeconf:

- Add libeconf to SLE-Module-Basesystem_15-SP3 because needed by 'util-linux' and 'shadow' 
  to fix autoyast handling of security related parameters (bsc#1192954, jsc#SLE-23384, jsc#SLE-23402)

Issues fixed in libeconf:
- Reading numbers with different bases (e.g. oktal) (bsc#1193632) (#157)
- Fixed different issues while writing string values to file.
- Writing comments to file too.
- Fixed crash while merging values.
- Added econftool cat option (#146)
- new API call: econf_readDirsHistory (showing ALL locations)
- new API call: econf_getPath (absolute path of the configuration file)
- Man pages libeconf.3 and econftool.8.
- Handling multiline strings.
- Added libeconf_ext which returns more information like
  line_nr, comments, path of the configuration file,...
- Econftool, an command line interface for handling configuration
  files.
- Generating HTML API documentation with doxygen.
- Improving error handling and semantic file check.
- Joining entries with the same key to one single entry if
  env variable ECONF_JOIN_SAME_ENTRIES has been set.

shadow:

- The legacy code does not support /etc/login.defs.d used by YaST. Enable libeconf to 
  read it (bsc#1192954, jsc#SLE-23384, jsc#SLE-23402)

util-linux:

- The legacy code does not support /etc/login.defs.d used by YaST. Enable libeconf to 
  read it (bsc#1192954, jsc#SLE-23384, jsc#SLE-23402)
- Allow use of larger values for start sector to prevent `blockdev --report` aborting (bsc#1188507)
- Fixed `blockdev --report` using non-space characters as a field separator (bsc#1188507)
- CVE-2021-3995: Fixed unauthorized unmount in util-linux's libmount. (bsc#1194976) 
- CVE-2021-3996: Fixed unauthorized unmount in util-linux's libmount. (bsc#1194976)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:743-1
Released:    Mon Mar  7 22:08:12 2022
Summary:     Security update for cyrus-sasl
Type:        security
Severity:    important
References:  1194265,1196036,CVE-2022-24407
This update for cyrus-sasl fixes the following issues:

- CVE-2022-24407: Fixed SQL injection in sql_auxprop_store in plugins/sql.c (bsc#1196036).

The following non-security bugs were fixed:

- postfix: sasl authentication with password fails (bsc#1194265).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:787-1
Released:    Thu Mar 10 11:20:13 2022
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    moderate
References:  
This update for openldap2 fixes the following issue:

- restore CLDAP functionality in CLI tools (jsc#PM-3288)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:788-1
Released:    Thu Mar 10 11:21:04 2022
Summary:     Recommended update for libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1195326
This update for libzypp, zypper fixes the following issues:

- Fix handling of redirected command in-/output (bsc#1195326)
  This fixes delays at the end of zypper operations, where
  zypper unintentionally waits for appdata plugin scripts to
  complete.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:789-1
Released:    Thu Mar 10 11:22:05 2022
Summary:     Recommended update for update-alternatives
Type:        recommended
Severity:    moderate
References:  1195654
This update for update-alternatives fixes the following issues:

- Break bash - update-alternatives cycle rewrite of '%post' in 'lua'. (bsc#1195654)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:808-1
Released:    Fri Mar 11 06:07:58 2022
Summary:     Recommended update for procps
Type:        recommended
Severity:    moderate
References:  1195468
This update for procps fixes the following issues:

- Stop registering signal handler for SIGURG, to avoid `ps` failure if
  someone sends such signal. Without the signal handler, SIGURG will
  just be ignored. (bsc#1195468)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:816-1
Released:    Mon Mar 14 10:22:04 2022
Summary:     Security update for java-11-openjdk
Type:        security
Severity:    moderate
References:  1194925,1194926,1194927,1194928,1194929,1194930,1194931,1194932,1194933,1194934,1194935,1194937,1194939,1194940,1194941,CVE-2022-21248,CVE-2022-21277,CVE-2022-21282,CVE-2022-21283,CVE-2022-21291,CVE-2022-21293,CVE-2022-21294,CVE-2022-21296,CVE-2022-21299,CVE-2022-21305,CVE-2022-21340,CVE-2022-21341,CVE-2022-21360,CVE-2022-21365,CVE-2022-21366
This update for java-11-openjdk fixes the following issues:

- CVE-2022-21248: Fixed incomplete deserialization class filtering in ObjectInputStream. (bnc#1194926)
- CVE-2022-21277: Fixed incorrect reading of TIFF files in TIFFNullDecompressor. (bnc#1194930)
- CVE-2022-21282: Fixed Insufficient URI checks in the XSLT TransformerImpl. (bnc#1194933)
- CVE-2022-21283: Fixed unexpected exception thrown in regex Pattern. (bnc#1194937)
- CVE-2022-21291: Fixed Incorrect marking of writeable fields. (bnc#1194925)
- CVE-2022-21293: Fixed Incomplete checks of StringBuffer and StringBuilder during deserialization. (bnc#1194935)
- CVE-2022-21294: Fixed Incorrect IdentityHashMap size checks during deserialization. (bnc#1194934)
- CVE-2022-21296: Fixed Incorrect access checks in XMLEntityManager. (bnc#1194932)
- CVE-2022-21299: Fixed Infinite loop related to incorrect handling of newlines in XMLEntityScanner. (bnc#1194931)
- CVE-2022-21305: Fixed Array indexing issues in LIRGenerator. (bnc#1194939)
- CVE-2022-21340: Fixed Excessive resource use when reading JAR manifest attributes. (bnc#1194940)
- CVE-2022-21341: Fixed OpenJDK: Insufficient checks when deserializing exceptions in ObjectInputStream. (bnc#1194941)
- CVE-2022-21360: Fixed Excessive memory allocation in BMPImageReader. (bnc#1194929)
- CVE-2022-21365: Fixed Integer overflow in BMPImageReader. (bnc#1194928)
- CVE-2022-21366: Fixed Excessive memory allocation in TIFF*Decompressor. (bnc#1194927)

The following package changes have been done:

- filesystem-15.0-11.5.1 updated
- java-11-openjdk-devel-11.0.14.0-3.74.2 updated
- java-11-openjdk-headless-11.0.14.0-3.74.2 updated
- java-11-openjdk-11.0.14.0-3.74.2 updated
- libaugeas0-1.10.1-3.5.1 updated
- libblkid1-2.36.2-150300.4.14.3 updated
- libeconf0-0.4.4+git20220104.962774f-150300.3.6.2 added
- libexpat1-2.2.5-3.15.1 updated
- libfdisk1-2.36.2-150300.4.14.3 updated
- libldap-2_4-2-2.4.46-9.61.1 updated
- libldap-data-2.4.46-9.61.1 updated
- libmount1-2.36.2-150300.4.14.3 updated
- libprocps7-3.3.15-7.22.1 updated
- libsasl2-3-2.1.27-150300.4.6.1 updated
- libsmartcols1-2.36.2-150300.4.14.3 updated
- libuuid1-2.36.2-150300.4.14.3 updated
- libzypp-17.29.4-31.1 updated
- login_defs-4.8.1-150300.4.3.8 updated
- procps-3.3.15-7.22.1 updated
- shadow-4.8.1-150300.4.3.8 updated
- update-alternatives-1.19.0.4-4.3.1 updated
- util-linux-2.36.2-150300.4.14.3 updated
- zypper-1.14.51-27.1 updated
- container:openjdk-11-image-15.3.0-14.11 updated