SUSE-CU-2022:315-1: Security update of ses/6/ceph/ceph

sle-security-updates at lists.suse.com sle-security-updates at lists.suse.com
Sun Mar 20 14:03:19 UTC 2022


SUSE Container Update Advisory: ses/6/ceph/ceph
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2022:315-1
Container Tags        : ses/6/ceph/ceph:14.2.22.445 , ses/6/ceph/ceph:14.2.22.445.1.5.578 , ses/6/ceph/ceph:latest
Container Release     : 1.5.578
Severity              : critical
Type                  : security
References            : 1027496 1029961 1082318 1099272 1113013 1115529 1128846 1153687
                        1162581 1162964 1171479 1172113 1173277 1174075 1174504 1174911
                        1177460 1180064 1180125 1180689 1180995 1181703 1181826 1182372
                        1182959 1183085 1183268 1183374 1183589 1183858 1183909 1184326
                        1184399 1184519 1184997 1185325 1185588 1186447 1186503 1186602
                        1187153 1187196 1187224 1187273 1187338 1187425 1187466 1187512
                        1187654 1187668 1187738 1187760 1187906 1187993 1188156 1188435
                        1188623 1188941 1189031 1189152 1189241 1189287 1189803 1189841
                        1189879 1189983 1189984 1190059 1190199 1190325 1190356 1190440
                        1190447 1190465 1190598 1190712 1190815 1190926 1190984 1191200
                        1191252 1191260 1191286 1191324 1191370 1191473 1191480 1191500
                        1191563 1191566 1191609 1191675 1191690 1191804 1191922 1192161
                        1192248 1192267 1192337 1192436 1192688 1192717 1192790 1193007
                        1193170 1193480 1193481 1193488 1193521 1193625 1193759 1193805
                        1193841 1193845 1193907 1193913 1194172 1194229 1194251 1194362
                        1194474 1194476 1194477 1194478 1194479 1194480 1194597 1194640
                        1194661 1194768 1194770 1194898 1195054 1195149 1195217 1195258
                        1195326 1195468 1195560 1195654 1195792 1195856 1196025 1196025
                        1196026 1196036 1196168 1196169 1196171 1196784 1196877 1197004
                        954813 CVE-2015-8985 CVE-2016-10228 CVE-2020-12762 CVE-2020-14367
                        CVE-2020-29361 CVE-2021-20294 CVE-2021-22570 CVE-2021-33430 CVE-2021-3426
                        CVE-2021-3733 CVE-2021-3737 CVE-2021-3999 CVE-2021-41496 CVE-2021-43527
                        CVE-2021-43618 CVE-2021-45960 CVE-2021-46143 CVE-2022-0778 CVE-2022-22822
                        CVE-2022-22823 CVE-2022-22824 CVE-2022-22825 CVE-2022-22826 CVE-2022-22827
                        CVE-2022-23218 CVE-2022-23219 CVE-2022-23852 CVE-2022-23990 CVE-2022-24407
                        CVE-2022-25235 CVE-2022-25236 CVE-2022-25236 CVE-2022-25313 CVE-2022-25314
                        CVE-2022-25315 
-----------------------------------------------------------------

The container ses/6/ceph/ceph was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:305-1
Released:    Thu Feb  4 15:00:37 2021
Summary:     Recommended update for libprotobuf
Type:        recommended
Severity:    moderate
References:  

libprotobuf was updated to fix:

- ship the libprotobuf-lite15 on the base products. (jsc#ECO-2911)
  
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3643-1
Released:    Tue Nov  9 19:32:18 2021
Summary:     Security update for binutils
Type:        security
Severity:    moderate
References:  1183909,1184519,1188941,1191473,1192267,CVE-2021-20294
This update for binutils fixes the following issues:

- For compatibility on old code stream that expect 'brcl 0,label' to
  not be disassembled as 'jgnop label' on s390x.  (bsc#1192267)
  This reverts IBM zSeries HLASM support for now.
- Fixed that ppc64 optflags did not enable LTO (bsc#1188941).
- Fix empty man-pages from broken release tarball
- Fixed a memory corruption with rpath option (bsc#1191473).
- Fixed slow performance of stripping some binaries (bsc#1183909).

Security issue fixed:

- CVE-2021-20294: Fixed out-of-bounds write in print_dynamic_symbol in readelf (bnc#1184519)


-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3781-1
Released:    Tue Nov 23 23:48:43 2021
Summary:     This update for libzypp, zypper and libsolv fixes the following issues:
Type:        recommended
Severity:    moderate
References:  1153687,1182372,1183268,1183589,1184326,1184399,1184997,1185325,1186447,1186503,1186602,1187224,1187425,1187466,1187738,1187760,1188156,1188435,1189031,1190059,1190199,1190356,1190465,1190712,1190815,1191286,1191324,1191370,1191609,1192337,1192436
This update for zypper fixes the following issues:

- Manpage: Recommend the needs-rebooting command to test whether a system reboot is suggested.
- Let a patch's reboot-needed flag overrule included packages. (bsc#1183268)
- Quickfix setting 'openSUSE_Tumbleweed' as default platform for 'MicroOS'. (bsc#1153687)
- Protect against strict/relaxed user umask via sudo. (bsc#1183589)
- xml summary: Add solvables repository alias. (bsc#1182372)
- Allow trusted repos to add additional signing keys. (bsc#1184326)
- MediaCurl: Fix logging of redirects.
- Let negative values wait forever for the zypp lock. (bsc#1184399)
- Fix 'purge-kernels' is broken in Leap 15.3. (bsc#1185325)
- Fix service detection with cgroupv2. (bsc#1184997)
- Add hints to 'trust GPG key' prompt.
- Enhance XML output of repo GPG options
- Add optional attributes showing the raw values actually present in the '.repo' file.
- Link all executables with -pie (bsc#1186447)
- Ship an empty '/etc/zypp/needreboot' per default. (jsc#PM-2645)
- Fix solver jobs for PTFs. (bsc#1186503)
- choice rules: treat orphaned packages as newest. (bc#1190465)
- Add need reboot/restart hint to XML install summary. (bsc#1188435)
- Fix kernel-*-livepatch removal in purge-kernels. (bsc#1190815)
- Fix obs:// platform guessing for Leap. (bsc#1187425)
- Fix purge-kernels fails. (bsc#1187738)
- Do not download full files even if the checkExistsOnly flag is set. (bsc#1190712)
- Prompt: choose exact match if prompt options are not prefix free. (bsc#1188156)
- Do not check of signatures and keys two times(redundant). (bsc#1190059)
- Rephrase vendor conflict message in case 2 packages are involved. (bsc#1187760)
- Show key fpr from signature when signature check fails. (bsc#1187224)
- Make sure to keep states alives while transitioning. (bsc#1190199)
- Fix crashes in logging code when shutting down. (bsc#1189031)
- Manpage: Improve description about patch updates. (bsc#1187466)
- Avoid calling 'su' to detect a too restrictive sudo user umask. (bsc#1186602)
- Consolidate reboot-recommendations across tools and stop using /etc/zypp/needreboot (jsc#-SLE-18858)
- Disable logger in the child after fork (bsc#1192436)
- Check log writer before accessing it (bsc#1192337)
- Allow uname-r format in purge kernels keepspec
- zypper should keep cached files if transaction is aborted (bsc#1190356)
- Require a minimum number of mirrors for multicurl (bsc#1191609)
- Use procfs to detect nr of open fd's if rlimit is too high (bsc#1191324)
- Fix translations (bsc#1191370)
- RepoManager: Don't probe for plaindir repo if URL schema is plugin (bsc#1191286)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3787-1
Released:    Wed Nov 24 06:00:10 2021
Summary:     Recommended update for xfsprogs
Type:        recommended
Severity:    moderate
References:  1189983,1189984,1191500,1191566,1191675
This update for xfsprogs fixes the following issues:

- Make libhandle1 an explicit dependency in the xfsprogs-devel package (bsc#1191566)
- Remove deprecated barrier/nobarrier mount options from manual pages section 5 (bsc#1191675)
- xfs_io: include support for label command (bsc#1191500)
- xfs_quota: state command to report all three (-ugp) grace times separately (bsc#1189983)
- xfs_admin: add support for external log devices (bsc#1189984)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3798-1
Released:    Wed Nov 24 18:01:36 2021
Summary:     Recommended update for gcc7
Type:        recommended
Severity:    moderate
References:  


This update for gcc7 fixes the following issues:

- Fixed a build issue when built with recent kernel headers.
- Backport the '-fpatchable-function-entry' feature from newer GCC. (jsc#SLE-20049)
- do not handle exceptions in std::thread (jsc#CAR-1182)


-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3799-1
Released:    Wed Nov 24 18:07:54 2021
Summary:     Recommended update for gcc11
Type:        recommended
Severity:    moderate
References:  1187153,1187273,1188623
This update for gcc11 fixes the following issues:

The additional GNU compiler collection GCC 11 is provided:

To select these compilers install the packages:

- gcc11
- gcc-c++11
- and others with 11 prefix.

to select them for building:

- CC='gcc-11'
- CXX='g++-11'

The compiler baselibraries (libgcc_s1, libstdc++6 and others) are being replaced by the GCC 11 variants.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3809-1
Released:    Fri Nov 26 00:31:59 2021
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1189803,1190325,1190440,1190984,1191252,1192161
This update for systemd fixes the following issues:

- Add timestamp to D-Bus events to improve traceability (jsc#SLE-21862, jsc#SLE-18102, jsc#SLE-18103)
- Fix IO scheduler udev rules to address performance issues (jsc#SLE-21032, bsc#1192161)
- shutdown: Reduce log level of unmounts (bsc#1191252)
- pid1: make use of new 'prohibit_ipc' logging flag in PID 1 (bsc#1189803)
- core: rework how we connect to the bus (bsc#1190325)
- mount-util: fix fd_is_mount_point() when both the parent and directory are network fs (bsc#1190984)
- virt: detect Amazon EC2 Nitro instance (bsc#1190440)
- Several fixes for umount
- busctl: use usec granularity for the timestamp printed by the busctl monitor command
- fix unitialized fields in MountPoint in dm_list_get()
- shutdown: explicitly set a log target
- mount-util: add mount_option_mangle()
- dissect: automatically mark partitions read-only that have a read-only file system
- build-sys: require proper libmount version
- systemd-shutdown: use log_set_prohibit_ipc(true)
- rationalize interface for opening/closing logging
- pid1: when we can't log to journal, remember our fallback log target
- log: remove LOG_TARGET_SAFE pseudo log target
- log: add brief comment for log_set_open_when_needed() and log_set_always_reopen_console()
- log: add new 'prohibit_ipc' flag to logging system
- log: make log_set_upgrade_syslog_to_journal() take effect immediately
- dbus: split up bus_done() into seperate functions
- machine-id-setup: generate machine-id from DMI product ID on Amazon EC2
- virt: if we detect Xen by DMI, trust that over CPUID

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3830-1
Released:    Wed Dec  1 13:45:46 2021
Summary:     Security update for glibc
Type:        security
Severity:    moderate
References:  1027496,1183085,CVE-2016-10228

This update for glibc fixes the following issues:


- libio: do not attempt to free wide buffers of legacy streams (bsc#1183085) 
- CVE-2016-10228: Rewrite iconv option parsing to fix security issue (bsc#1027496)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3869-1
Released:    Thu Dec  2 07:10:09 2021
Summary:     Recommended update for suse-module-tools
Type:        recommended
Severity:    moderate
References:  1189841,1189879,1190598,1191200,1191260,1191480,1191804,1191922
This update for suse-module-tools fixes the following issues:

- rpm-script: fix bad exit status in OpenQA (bsc#1191922)
- cert-script: Deal with existing $cert.delete file (bsc#1191804)
- cert-script: Ignore kernel keyring for kernel certificates (bsc#1191480)
- cert-script: Only print mokutil output in verbose mode
- inkmp-script(postun): don't pass  existing files to weak-modules2 (bsc#1191200)
- kernel-scriptlets: skip cert scriptlet on non-UEFI systems (bsc#1191260)
- rpm-script: link config also into /boot (bsc#1189879)
- Import kernel scriptlets from kernel-source (bsc#1189841, bsc#1190598)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3883-1
Released:    Thu Dec  2 11:47:07 2021
Summary:     Recommended update for timezone
Type:        recommended
Severity:    moderate
References:  1177460
This update for timezone fixes the following issues:

Update timezone to 2021e (bsc#1177460)

- Palestine will fall back 10-29 (not 10-30) at 01:00
- Fiji suspends DST for the 2021/2022 season
- 'zic -r' marks unspecified timestamps with '-00'
- Fix a bug in 'zic -b fat' that caused old timestamps to be mishandled in 32-bit-only readers
- Refresh timezone info for china

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3891-1
Released:    Fri Dec  3 10:21:49 2021
Summary:     Recommended update for keyutils
Type:        recommended
Severity:    moderate
References:  1029961,1113013,1187654
This update for keyutils fixes the following issues:

- Add /etc/keys/ and /usr/etc/keys/ directory (bsc#1187654)

keyutils was updated to 1.6.3 (jsc#SLE-20016):

* Revert the change notifications that were using /dev/watch_queue.
* Apply the change notifications that use pipe2(O_NOTIFICATION_PIPE).
* Allow 'keyctl supports' to retrieve raw capability data.
* Allow 'keyctl id' to turn a symbolic key ID into a numeric ID.
* Allow 'keyctl new_session' to name the keyring.
* Allow 'keyctl add/padd/etc.' to take hex-encoded data.
* Add 'keyctl watch*' to expose kernel change notifications on keys.
* Add caps for namespacing and notifications.
* Set a default TTL on keys that upcall for name resolution.
* Explicitly clear memory after it's held sensitive information.
* Various manual page fixes.
* Fix C++-related errors.
* Add support for keyctl_move().
* Add support for keyctl_capabilities().
* Make key=val list optional for various public-key ops.
* Fix system call signature for KEYCTL_PKEY_QUERY.
* Fix 'keyctl pkey_query' argument passing.
* Use keyctl_read_alloc() in dump_key_tree_aux().
* Various manual page fixes. 

Updated to 1.6:

* Apply various specfile cleanups from Fedora.
* request-key: Provide a command line option to suppress helper execution.
* request-key: Find least-wildcard match rather than first match.
* Remove the dependency on MIT Kerberos.
* Fix some error messages
* keyctl_dh_compute.3: Suggest /proc/crypto for list of available hashes.
* Fix doc and comment typos.
* Add public key ops for encrypt, decrypt, sign and verify (needs linux-4.20).
* Add pkg-config support for finding libkeyutils.
* upstream isn't offering PGP signatures for the source tarballs anymore

Updated to 1.5.11 (bsc#1113013)

* Add keyring restriction support.
* Add KDF support to the Diffie-Helman function.
* DNS: Add support for AFS config files and SRV records
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3899-1
Released:    Fri Dec  3 11:27:41 2021
Summary:     Security update for aaa_base
Type:        security
Severity:    moderate
References:  1162581,1174504,1191563,1192248
This update for aaa_base fixes the following issues:

- Allowed ping and ICMP commands without CAP_NET_RAW (bsc#1174504).
- Add $HOME/.local/bin to PATH, if it exists (bsc#1192248).
- Fixed get_kernel_version.c to work also for recent kernels on the s390/X platform (bsc#1191563).
- Support xz compressed kernel (bsc#1162581)   

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3930-1
Released:    Mon Dec  6 11:16:10 2021
Summary:     Recommended update for curl
Type:        recommended
Severity:    moderate
References:  1192790
This update for curl fixes the following issues:

- Fix sftp via proxy failure in curl, by preventing libssh from creating socket (bsc#1192790)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3934-1
Released:    Mon Dec  6 13:22:27 2021
Summary:     Security update for mozilla-nss
Type:        security
Severity:    important
References:  1193170,CVE-2021-43527
This update for mozilla-nss fixes the following issues:

Update to version 3.68.1:

- CVE-2021-43527: Fixed a Heap overflow in NSS when verifying DER-encoded DSA or RSA-PSS signatures (bsc#1193170).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3946-1
Released:    Mon Dec  6 14:57:42 2021
Summary:     Security update for gmp
Type:        security
Severity:    moderate
References:  1192717,CVE-2021-43618
This update for gmp fixes the following issues:
    
- CVE-2021-43618: Fixed buffer overflow via crafted input in mpz/inp_raw.c (bsc#1192717).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3987-1
Released:    Fri Dec 10 06:09:40 2021
Summary:     Recommended update for suse-module-tools
Type:        recommended
Severity:    moderate
References:  1187196
This update for suse-module-tools fixes the following issues:

-  Blacklist isst_if_mbox_msr driver because uses hardware information based on 
   CPU family and model, which is too unspecific. On large systems, this causes
   a lot of failing loading attempts for this driver, leading to slow or even 
   stalled boot (bsc#1187196)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:4015-1
Released:    Mon Dec 13 17:16:00 2021
Summary:     Security update for python3
Type:        security
Severity:    moderate
References:  1180125,1183374,1183858,1185588,1187338,1187668,1189241,1189287,CVE-2021-3426,CVE-2021-3733,CVE-2021-3737
This update for python3 fixes the following issues:


- CVE-2021-3737: Fixed http client infinite line reading (DoS) after a http 100. (bsc#1189241)
- CVE-2021-3733: Fixed ReDoS in urllib.request. (bsc#1189287)
- CVE-2021-3426: Fixed an information disclosure via pydoc. (bsc#1183374)

- Rebuild to get new headers, avoid building in support for stropts.h (bsc#1187338).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:4017-1
Released:    Tue Dec 14 07:26:55 2021
Summary:     Recommended update for openssl-1_1
Type:        recommended
Severity:    moderate
References:  1180995
This update for openssl-1_1 fixes the following issues:

- Add RFC3526 and RFC7919 groups to 'openssl genpkey' so that it can output FIPS-appropriate parameters 
  consistently with our other codestreams (bsc#1180995)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:4139-1
Released:    Tue Dec 21 17:02:44 2021
Summary:     Recommended update for systemd
Type:        recommended
Severity:    critical
References:  1193481,1193521
This update for systemd fixes the following issues:

- Revert 'core: rework how we connect to the bus' (bsc#1193521 bsc#1193481)
  sleep-config: partitions can't be deleted, only files can
  shared/sleep-config: exclude zram devices from hibernation candidates

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:4154-1
Released:    Wed Dec 22 11:02:38 2021
Summary:     Security update for p11-kit
Type:        security
Severity:    important
References:  1180064,1187993,CVE-2020-29361
This update for p11-kit fixes the following issues:

- CVE-2020-29361: Fixed multiple integer overflows in rpc code (bsc#1180064)
- Add support for CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER (bsc#1187993).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:4182-1
Released:    Thu Dec 23 11:51:51 2021
Summary:     Recommended update for zlib
Type:        recommended
Severity:    moderate
References:  1192688
This update for zlib fixes the following issues:

- Fix hardware compression incorrect result on z15 hardware (bsc#1192688)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:4-1
Released:    Mon Jan  3 08:28:54 2022
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  1193480
This update for libgcrypt fixes the following issues:

- Fix function gcry_mpi_sub_ui subtracting from negative value (bsc#1193480)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:49-1
Released:    Tue Jan 11 09:19:15 2022
Summary:     Recommended update for apparmor
Type:        recommended
Severity:    moderate
References:  1191690
This update for apparmor fixes the following issues:

- Fixed an issue when apparmor provides python2 and python3 libraries with the same name. (bsc#1191690)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:57-1
Released:    Wed Jan 12 07:10:42 2022
Summary:     Recommended update for libzypp
Type:        recommended
Severity:    moderate
References:  1193488,954813
This update for libzypp fixes the following issues:
    
- Use the default zypp.conf settings if no zypp.conf exists (bsc#1193488)
- Fix wrong encoding of URI compontents of ISO images (bsc#954813)
- When invoking 32bit mode in userland of an aarch64 kernel, handle armv8l as armv7hl compatible
- Introduce zypp-curl as a sublibrary for CURL related code
- zypp-rpm: Increase rpm loglevel if ZYPP_RPM_DEBUG is set
- Save all signatures associated with a public key in its PublicKeyData

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:72-1
Released:    Thu Jan 13 16:13:36 2022
Summary:     Recommended update for mozilla-nss and MozillaFirefox
Type:        recommended
Severity:    important
References:  1193845
This update for mozilla-nss and MozillaFirefox fix the following issues:

mozilla-nss: 
    
- Update from version 3.68.1 to 3.68.2 (bsc#1193845)
- Add SHA-2 support to mozilla::pkix's Online Certificate Status Protocol 
  implementation
    
MozillaFirefox:

- Firefox Extended Support Release 91.4.1 ESR (bsc#1193845)
- Add SHA-2 support to mozilla::pkix's Online Certificate Status Protocol 
  implementation to fix frequent MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING 
  error messages when trying to connect to various microsoft.com domains

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:134-1
Released:    Thu Jan 20 10:02:15 2022
Summary:     Security update for python-numpy
Type:        security
Severity:    moderate
References:  1193907,1193913,CVE-2021-33430,CVE-2021-41496
This update for python-numpy fixes the following issues:

- CVE-2021-33430: Fixed buffer overflow that could lead to DoS in PyArray_NewFromDescr_int function of ctors.c (bsc#1193913).
- CVE-2021-41496: Fixed buffer overflow that could lead to DoS in array_from_pyobj function of fortranobject.c (bsc#1193907).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:178-1
Released:    Tue Jan 25 14:16:23 2022
Summary:     Security update for expat
Type:        security
Severity:    important
References:  1194251,1194362,1194474,1194476,1194477,1194478,1194479,1194480,CVE-2021-45960,CVE-2021-46143,CVE-2022-22822,CVE-2022-22823,CVE-2022-22824,CVE-2022-22825,CVE-2022-22826,CVE-2022-22827
This update for expat fixes the following issues:
  
- CVE-2021-45960: Fixed left shift in the storeAtts function in xmlparse.c that can lead to realloc misbehavior (bsc#1194251).
- CVE-2021-46143: Fixed integer overflow in m_groupSize in doProlog (bsc#1194362).
- CVE-2022-22822: Fixed integer overflow in addBinding in xmlparse.c (bsc#1194474).
- CVE-2022-22823: Fixed integer overflow in build_model in xmlparse.c (bsc#1194476).
- CVE-2022-22824: Fixed integer overflow in defineAttribute in xmlparse.c (bsc#1194477).
- CVE-2022-22825: Fixed integer overflow in lookup in xmlparse.c (bsc#1194478).
- CVE-2022-22826: Fixed integer overflow in nextScaffoldPart in xmlparse.c (bsc#1194479).
- CVE-2022-22827: Fixed integer overflow in storeAtts in xmlparse.c (bsc#1194480).  

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:184-1
Released:    Tue Jan 25 18:20:56 2022
Summary:     Security update for json-c
Type:        security
Severity:    important
References:  1171479,CVE-2020-12762
This update for json-c fixes the following issues:

- CVE-2020-12762: Fixed integer overflow and out-of-bounds write. (bsc#1171479)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:337-1
Released:    Fri Feb  4 10:24:28 2022
Summary:     Recommended update for libzypp
Type:        recommended
Severity:    important
References:  1193007,1194597,1194898
This update for libzypp fixes the following issues:

- RepoManager: remember execution errors in exception history (bsc#1193007)
- Fix exception handling when reading or writing credentials (bsc#1194898)
- Fix install path for parser (bsc#1194597)
- Fix Legacy include (bsc#1194597)
- Public header files on older distros must use c++11 (bsc#1194597)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:473-1
Released:    Thu Feb 17 10:29:42 2022
Summary:     Recommended update for libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1195326
This update for libzypp, zypper fixes the following issues:

- Fix handling of redirected command in-/output (bsc#1195326)
  This fixes delays at the end of zypper operations, where
  zypper unintentionally waits for appdata plugin scripts to
  complete.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:476-1
Released:    Thu Feb 17 10:31:35 2022
Summary:     Recommended update for nfs-utils
Type:        recommended
Severity:    moderate
References:  1194661
This update for nfs-utils fixes the following issues:

- If an error or warning message is produced before closeall() is called, mountd doesn't work. (bsc#1194661)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:498-1
Released:    Fri Feb 18 10:46:56 2022
Summary:     Security update for expat
Type:        security
Severity:    important
References:  1195054,1195217,CVE-2022-23852,CVE-2022-23990
This update for expat fixes the following issues:

- CVE-2022-23852: Fixed signed integer overflow in XML_GetBuffer (bsc#1195054).
- CVE-2022-23990: Fixed integer overflow in the doProlog function (bsc#1195217).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:511-1
Released:    Fri Feb 18 12:41:53 2022
Summary:     Recommended update for coreutils
Type:        recommended
Severity:    moderate
References:  1082318,1189152
This update for coreutils fixes the following issues:

- Add 'fuse.portal' as a dummy file system (used in flatpak implementations) (bsc#1189152).
- Properly sort docs and license files (bsc#1082318).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:523-1
Released:    Fri Feb 18 12:49:09 2022
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1193759,1193841
This update for systemd fixes the following issues:

- systemctl: exit with 1 if no unit files found (bsc#1193841).
- add rules for virtual devices (bsc#1193759).
- enforce 'none' for loop devices (bsc#1193759).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:572-1
Released:    Thu Feb 24 11:58:05 2022
Summary:     Recommended update for psmisc
Type:        recommended
Severity:    moderate
References:  1194172
This update for psmisc fixes the following issues:

- Determine the namespace of a process only once to speed up the parsing of 'fdinfo'. (bsc#1194172)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:674-1
Released:    Wed Mar  2 13:24:38 2022
Summary:     Recommended update for yast2-network
Type:        recommended
Severity:    moderate
References:  1187512
This update for yast2-network fixes the following issues:
  
- Don't crash at the end of installation when storing wifi configuration for NetworkManager. (bsc#1187512)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:692-1
Released:    Thu Mar  3 15:46:47 2022
Summary:     Recommended update for filesystem
Type:        recommended
Severity:    moderate
References:  1190447
This update for filesystem fixes the following issues:

- Release ported filesystem to LTSS channels (bsc#1190447).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:701-1
Released:    Thu Mar  3 17:45:33 2022
Summary:     Recommended update for sudo
Type:        recommended
Severity:    moderate
References:  1181703
This update for sudo fixes the following issues:

- Add support in the LDAP filter for negated users (jsc#SLE-20068)
- Restrict use of sudo -U other -l to people who have permission
  to run commands as that user (bsc#1181703, jsc#SLE-22569)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:702-1
Released:    Thu Mar  3 18:22:59 2022
Summary:     Security update for cyrus-sasl
Type:        security
Severity:    important
References:  1196036,CVE-2022-24407
This update for cyrus-sasl fixes the following issues:

- CVE-2022-24407: Fixed SQL injection in sql_auxprop_store in plugins/sql.c (bsc#1196036).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:713-1
Released:    Fri Mar  4 09:34:17 2022
Summary:     Security update for expat
Type:        security
Severity:    important
References:  1196025,1196026,1196168,1196169,1196171,CVE-2022-25235,CVE-2022-25236,CVE-2022-25313,CVE-2022-25314,CVE-2022-25315
This update for expat fixes the following issues:
  
- CVE-2022-25236: Fixed possible namespace-separator characters insertion into namespace URIs (bsc#1196025).
- CVE-2022-25235: Fixed UTF-8 character validation in a certain context (bsc#1196026).
- CVE-2022-25313: Fixed stack exhaustion in build_model() via uncontrolled recursion (bsc#1196168).
- CVE-2022-25314: Fixed integer overflow in copyString (bsc#1196169).
- CVE-2022-25315: Fixed integer overflow in storeRawNames (bsc#1196171).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:787-1
Released:    Thu Mar 10 11:20:13 2022
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    moderate
References:  
This update for openldap2 fixes the following issue:

- restore CLDAP functionality in CLI tools (jsc#PM-3288)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:789-1
Released:    Thu Mar 10 11:22:05 2022
Summary:     Recommended update for update-alternatives
Type:        recommended
Severity:    moderate
References:  1195654
This update for update-alternatives fixes the following issues:

- Break bash - update-alternatives cycle rewrite of '%post' in 'lua'. (bsc#1195654)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:808-1
Released:    Fri Mar 11 06:07:58 2022
Summary:     Recommended update for procps
Type:        recommended
Severity:    moderate
References:  1195468
This update for procps fixes the following issues:

- Stop registering signal handler for SIGURG, to avoid `ps` failure if
  someone sends such signal. Without the signal handler, SIGURG will
  just be ignored. (bsc#1195468)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:823-1
Released:    Mon Mar 14 15:16:37 2022
Summary:     Security update for protobuf
Type:        security
Severity:    moderate
References:  1195258,CVE-2021-22570
This update for protobuf fixes the following issues:

- CVE-2021-22570: Fix incorrect parsing of nullchar in the proto symbol (bsc#1195258).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:832-1
Released:    Mon Mar 14 17:27:03 2022
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1193625,1194640,1194768,1194770,1195560,CVE-2015-8985,CVE-2021-3999,CVE-2022-23218,CVE-2022-23219

glibc was updated to fix the following issues:

Security issues fixed:

- CVE-2022-23219: Fixed Buffer overflow in sunrpc clnt_create for 'unix' (bsc#1194768)
- CVE-2022-23218: Buffer overflow in sunrpc svcunix_create (bsc#1194770)
- CVE-2021-3999: Fixed getcwd to set errno to ERANGE for size == 1 (bsc#1194640)
- CVE-2015-8985: Fixed Assertion failure in pop_fail_stack when executing a malformed regexp (bsc#1193625)

Also the following bug was fixed:

- Fix pthread_rwlock_try*lock stalls (bsc#1195560)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:844-1
Released:    Tue Mar 15 11:33:57 2022
Summary:     Security update for expat
Type:        security
Severity:    important
References:  1196025,1196784,CVE-2022-25236
This update for expat fixes the following issues:

- Fixed a regression caused by the patch for CVE-2022-25236 (bsc#1196784).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:845-1
Released:    Tue Mar 15 11:40:52 2022
Summary:     Security update for chrony
Type:        security
Severity:    moderate
References:  1099272,1115529,1128846,1162964,1172113,1173277,1174075,1174911,1180689,1181826,1187906,1190926,1194229,CVE-2020-14367
This update for chrony fixes the following issues:

Chrony was updated to 4.1, bringing features and bugfixes.

Update to 4.1

  * Add support for NTS servers specified by IP address (matching
    Subject Alternative Name in server certificate)
  * Add source-specific configuration of trusted certificates
  * Allow multiple files and directories with trusted certificates
  * Allow multiple pairs of server keys and certificates
  * Add copy option to server/pool directive
  * Increase PPS lock limit to 40% of pulse interval
  * Perform source selection immediately after loading dump files
  * Reload dump files for addresses negotiated by NTS-KE server
  * Update seccomp filter and add less restrictive level
  * Restart ongoing name resolution on online command
  * Fix dump files to not include uncorrected offset
  * Fix initstepslew to accept time from own NTP clients
  * Reset NTP address and port when no longer negotiated by NTS-KE
    server

- Ensure the correct pool packages are installed for openSUSE
  and SLE (bsc#1180689).
- Fix pool package dependencies, so that SLE prefers chrony-pool-suse
  over chrony-pool-empty. (bsc#1194229)

- Enable syscallfilter unconditionally [bsc#1181826].

Update to 4.0

  - Enhancements

    - Add support for Network Time Security (NTS) authentication
    - Add support for AES-CMAC keys (AES128, AES256) with Nettle
    - Add authselectmode directive to control selection of
      unauthenticated sources
    - Add binddevice, bindacqdevice, bindcmddevice directives
    - Add confdir directive to better support fragmented
      configuration
    - Add sourcedir directive and 'reload sources' command to
      support dynamic NTP sources specified in files
    - Add clockprecision directive
    - Add dscp directive to set Differentiated Services Code Point
      (DSCP)
    - Add -L option to limit log messages by severity
    - Add -p option to print whole configuration with included
      files
    - Add -U option to allow start under non-root user
    - Allow maxsamples to be set to 1 for faster update with -q/-Q
      option
    - Avoid replacing NTP sources with sources that have
      unreachable address
    - Improve pools to repeat name resolution to get 'maxsources'
      sources
    - Improve source selection with trusted sources
    - Improve NTP loop test to prevent synchronisation to itself
    - Repeat iburst when NTP source is switched from offline state
      to online
    - Update clock synchronisation status and leap status more
      frequently
    - Update seccomp filter
    - Add 'add pool' command
    - Add 'reset sources' command to drop all measurements
    - Add authdata command to print details about NTP
      authentication
    - Add selectdata command to print details about source
      selection
    - Add -N option and sourcename command to print original names
      of sources
    - Add -a option to some commands to print also unresolved
      sources
    - Add -k, -p, -r options to clients command to select, limit,
      reset data

  - Bug fixes

    - Don’t set interface for NTP responses to allow asymmetric
      routing
    - Handle RTCs that don’t support interrupts
    - Respond to command requests with correct address on
      multihomed hosts
  - Removed features
    - Drop support for RIPEMD keys (RMD128, RMD160, RMD256, RMD320)
    - Drop support for long (non-standard) MACs in NTPv4 packets
      (chrony 2.x clients using non-MD5/SHA1 keys need to use
      option 'version 3')
    - Drop support for line editing with GNU Readline

- By default we don't write log files but log to journald, so
  only recommend logrotate.

- Adjust and rename the sysconfig file, so that it matches the
  expectations of chronyd.service (bsc#1173277).

Update to 3.5.1:

  * Create new file when writing pidfile (CVE-2020-14367, bsc#1174911)

- Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075)

- Use iburst in the default pool statements to speed up initial
  synchronisation (bsc#1172113).




Update to 3.5:

+ Add support for more accurate reading of PHC on Linux 5.0
+ Add support for hardware timestamping on interfaces with read-only timestamping configuration
+ Add support for memory locking and real-time priority on FreeBSD, NetBSD, Solaris
+ Update seccomp filter to work on more architectures
+ Validate refclock driver options
+ Fix bindaddress directive on FreeBSD
+ Fix transposition of hardware RX timestamp on Linux 4.13 and later
+ Fix building on non-glibc systems

- Fix location of helper script in chrony-dnssrv at .service
  (bsc#1128846).


- Read runtime servers from /var/run/netconfig/chrony.servers to
  fix bsc#1099272.
- Move chrony-helper to /usr/lib/chrony/helper, because there
  should be no executables in /usr/share.

Update to version 3.4

  * Enhancements

    + Add filter option to server/pool/peer directive
    + Add minsamples and maxsamples options to hwtimestamp directive
    + Add support for faster frequency adjustments in Linux 4.19
    + Change default pidfile to /var/run/chrony/chronyd.pid to allow chronyd 
      without root privileges to remove it on exit
    + Disable sub-second polling intervals for distant NTP sources
    + Extend range of supported sub-second polling intervals
    + Get/set IPv4 destination/source address of NTP packets on FreeBSD
    + Make burst options and command useful with short polling intervals
    + Modify auto_offline option to activate when sending request failed
    + Respond from interface that received NTP request if possible
    + Add onoffline command to switch between online and offline state 
      according to current system network configuration
    + Improve example NetworkManager dispatcher script

  * Bug fixes

    + Avoid waiting in Linux getrandom system call
    + Fix PPS support on FreeBSD and NetBSD

Update to version 3.3

  * Enhancements:

    + Add burst option to server/pool directive
    + Add stratum and tai options to refclock directive
    + Add support for Nettle crypto library
    + Add workaround for missing kernel receive timestamps on Linux
    + Wait for late hardware transmit timestamps
    + Improve source selection with unreachable sources
    + Improve protection against replay attacks on symmetric mode
    + Allow PHC refclock to use socket in /var/run/chrony
    + Add shutdown command to stop chronyd
    + Simplify format of response to manual list command
    + Improve handling of unknown responses in chronyc

  * Bug fixes:

    + Respond to NTPv1 client requests with zero mode
    + Fix -x option to not require CAP_SYS_TIME under non-root user
    + Fix acquisitionport directive to work with privilege separation
    + Fix handling of socket errors on Linux to avoid high CPU usage
    + Fix chronyc to not get stuck in infinite loop after clock step
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:853-1
Released:    Tue Mar 15 19:27:30 2022
Summary:     Security update for openssl-1_1
Type:        security
Severity:    important
References:  1196877,CVE-2022-0778
This update for openssl-1_1 fixes the following issues:

- CVE-2022-0778: Infinite loop in BN_mod_sqrt() reachable when parsing certificates (bsc#1196877).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:861-1
Released:    Tue Mar 15 23:30:48 2022
Summary:     Recommended update for openssl-1_1 
Type:        recommended
Severity:    moderate
References:  1182959,1195149,1195792,1195856
This update for openssl-1_1 fixes the following issues:

openssl-1_1:

- Fix PAC pointer authentication in ARM (bsc#1195856)
- Pull libopenssl-1_1 when updating openssl-1_1 with the same version (bsc#1195792)
- FIPS: Fix function and reason error codes (bsc#1182959)
- Enable zlib compression support (bsc#1195149)
    
glibc:

- Resolve installation issue of `glibc-devel` in SUSE Linux Enterprise Micro 5.1
    
linux-glibc-devel:

- Resolve installation issue of `linux-kernel-headers` in SUSE Linux Enterprise Micro 5.1

libxcrypt:

- Resolve installation issue of `libxcrypt-devel` in SUSE Linux Enterprise Micro 5.1

zlib:

- Resolve installation issue of `zlib-devel` in SUSE Linux Enterprise Micro 5.1

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:867-1
Released:    Wed Mar 16 07:14:44 2022
Summary:     Recommended update for libtirpc
Type:        recommended
Severity:    moderate
References:  1193805
This update for libtirpc fixes the following issues:

- Fix memory leak in client protocol version 2 code (bsc#1193805)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:874-1
Released:    Wed Mar 16 10:40:52 2022
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    moderate
References:  1197004
This update for openldap2 fixes the following issue:

- Revert jsc#PM-3288 - CLDAP ( -DLDAP_CONNECTIONLESS ) due to regression (bsc#1197004)


The following package changes have been done:

- aaa_base-84.87+git20180409.04c9dae-3.52.1 updated
- binutils-2.37-7.26.1 updated
- coreutils-8.29-4.3.1 updated
- filesystem-15.0-11.5.1 updated
- glibc-locale-base-2.26-13.65.1 updated
- glibc-2.26-13.65.1 updated
- keyutils-1.6.3-5.6.1 updated
- libapparmor1-2.12.3-7.25.2 updated
- libaugeas0-1.10.1-3.9.1 updated
- libctf-nobfd0-2.37-7.26.1 updated
- libctf0-2.37-7.26.1 updated
- libcurl4-7.60.0-28.1 updated
- libexpat1-2.2.5-3.19.1 updated
- libfreebl3-3.68.2-3.64.2 updated
- libgcc_s1-11.2.1+git610-1.3.9 updated
- libgcrypt20-1.8.2-8.42.1 updated
- libgfortran4-7.5.0+r278197-4.30.1 updated
- libgmp10-6.1.2-4.9.1 updated
- libjson-c3-0.13-3.3.1 updated
- libkeyutils1-1.6.3-5.6.1 updated
- libldap-2_4-2-2.4.46-9.64.1 updated
- libldap-data-2.4.46-9.64.1 updated
- libopenssl1_1-1.1.0i-14.27.1 updated
- libp11-kit0-0.23.2-4.13.1 updated
- libprocps7-3.3.15-7.22.1 updated
- libprotobuf-lite15-3.5.0-5.5.1 added
- libpython3_6m1_0-3.6.15-3.91.3 updated
- libquadmath0-11.2.1+git610-1.3.9 updated
- libsasl2-3-2.1.26-5.10.1 updated
- libsoftokn3-3.68.2-3.64.2 updated
- libsolv-tools-0.7.20-4.3.1 updated
- libstdc++6-11.2.1+git610-1.3.9 updated
- libsystemd0-234-24.105.1 updated
- libtirpc-netconfig-1.0.2-3.11.1 updated
- libtirpc3-1.0.2-3.11.1 updated
- libudev1-234-24.105.1 updated
- libz1-1.2.11-3.26.10 updated
- libzypp-17.29.4-3.73.1 updated
- mozilla-nss-certs-3.68.2-3.64.2 updated
- mozilla-nss-3.68.2-3.64.2 updated
- nfs-client-2.1.1-10.21.1 updated
- nfs-kernel-server-2.1.1-10.21.1 updated
- openssl-1_1-1.1.0i-14.27.1 updated
- p11-kit-tools-0.23.2-4.13.1 updated
- p11-kit-0.23.2-4.13.1 updated
- procps-3.3.15-7.22.1 updated
- psmisc-23.0-6.19.1 updated
- python3-base-3.6.15-3.91.3 updated
- python3-numpy-1.17.3-10.1 updated
- python3-3.6.15-3.91.4 updated
- sudo-1.8.27-4.24.1 updated
- suse-module-tools-15.1.24-3.22.1 updated
- systemd-234-24.105.1 updated
- timezone-2021e-75.4.1 updated
- udev-234-24.105.1 updated
- update-alternatives-1.19.0.4-4.3.1 updated
- xfsprogs-4.15.0-4.52.1 updated
- zypper-1.14.51-3.52.1 updated
- container:sles15-image-15.0.0-6.2.587 updated
- python-rpm-macros-20200207.5feb6c1-3.11.1 removed


More information about the sle-security-updates mailing list