SUSE-CU-2022:364-1: Security update of bci/nodejs

sle-security-updates at sle-security-updates at
Sat Mar 26 13:24:59 UTC 2022

SUSE Container Update Advisory: bci/nodejs
Container Advisory ID : SUSE-CU-2022:364-1
Container Tags        : bci/node:16 , bci/node:16-4.21 , bci/node:latest , bci/nodejs:16 , bci/nodejs:16-4.21 , bci/nodejs:latest
Container Release     : 4.21
Severity              : important
Type                  : security
References            : 1099272 1115529 1128846 1162964 1172113 1172427 1173277 1174075
                        1174911 1180689 1181826 1182959 1187512 1187906 1188348 1188507
                        1190447 1190926 1192954 1193632 1194229 1194265 1194642 1194976
                        1195149 1195326 1195468 1195654 1195792 1195856 1196025 1196025
                        1196026 1196036 1196168 1196169 1196171 1196784 1197004 CVE-2020-14367
                        CVE-2021-3995 CVE-2021-3996 CVE-2022-24407 CVE-2022-25235 CVE-2022-25236
                        CVE-2022-25236 CVE-2022-25313 CVE-2022-25314 CVE-2022-25315 

The container bci/nodejs was updated. The following patches have been included in this update:

Advisory ID: SUSE-RU-2021:2626-1
Released:    Thu Aug  5 12:10:35 2021
Summary:     Recommended maintenance update for libeconf
Type:        recommended
Severity:    moderate
References:  1188348
This update for libeconf fixes the following issue:

- Solve a downgrade issue between SUSE Linux Enterprise SP3 and lower (bsc#1188348)

Advisory ID: SUSE-RU-2022:674-1
Released:    Wed Mar  2 13:24:38 2022
Summary:     Recommended update for yast2-network
Type:        recommended
Severity:    moderate
References:  1187512
This update for yast2-network fixes the following issues:
- Don't crash at the end of installation when storing wifi configuration for NetworkManager. (bsc#1187512)

Advisory ID: SUSE-RU-2022:692-1
Released:    Thu Mar  3 15:46:47 2022
Summary:     Recommended update for filesystem
Type:        recommended
Severity:    moderate
References:  1190447
This update for filesystem fixes the following issues:

- Release ported filesystem to LTSS channels (bsc#1190447).

Advisory ID: SUSE-SU-2022:713-1
Released:    Fri Mar  4 09:34:17 2022
Summary:     Security update for expat
Type:        security
Severity:    important
References:  1196025,1196026,1196168,1196169,1196171,CVE-2022-25235,CVE-2022-25236,CVE-2022-25313,CVE-2022-25314,CVE-2022-25315
This update for expat fixes the following issues:
- CVE-2022-25236: Fixed possible namespace-separator characters insertion into namespace URIs (bsc#1196025).
- CVE-2022-25235: Fixed UTF-8 character validation in a certain context (bsc#1196026).
- CVE-2022-25313: Fixed stack exhaustion in build_model() via uncontrolled recursion (bsc#1196168).
- CVE-2022-25314: Fixed integer overflow in copyString (bsc#1196169).
- CVE-2022-25315: Fixed integer overflow in storeRawNames (bsc#1196171).

Advisory ID: SUSE-SU-2022:727-1
Released:    Fri Mar  4 10:39:21 2022
Summary:     Security update for libeconf, shadow and util-linux
Type:        security
Severity:    moderate
References:  1188507,1192954,1193632,1194976,CVE-2021-3995,CVE-2021-3996
This security update for libeconf, shadow and util-linux fixes the following issues:


- Add libeconf to SLE-Module-Basesystem_15-SP3 because needed by 'util-linux' and 'shadow' 
  to fix autoyast handling of security related parameters (bsc#1192954, jsc#SLE-23384, jsc#SLE-23402)

Issues fixed in libeconf:
- Reading numbers with different bases (e.g. octal) (bsc#1193632) (#157)
- Fixed different issues while writing string values to file.
- Writing comments to file too.
- Fixed crash while merging values.
- Added econftool cat option (#146)
- new API call: econf_readDirsHistory (showing ALL locations)
- new API call: econf_getPath (absolute path of the configuration file)
- Man pages libeconf.3 and econftool.8.
- Handling multiline strings.
- Added libeconf_ext which returns more information like
  line_nr, comments, path of the configuration file,...
- Econftool, a command line interface for handling configuration
- Generating HTML API documentation with doxygen.
- Improving error handling and semantic file check.
- Joining entries with the same key to one single entry if
  env variable ECONF_JOIN_SAME_ENTRIES has been set.


- The legacy code does not support /etc/login.defs.d used by YaST. Enable libeconf to 
  read it (bsc#1192954, jsc#SLE-23384, jsc#SLE-23402)


- Allow use of larger values for start sector to prevent `blockdev --report` aborting (bsc#1188507)
- Fixed `blockdev --report` using non-space characters as a field separator (bsc#1188507)
- CVE-2021-3995: Fixed unauthorized unmount in util-linux's libmount. (bsc#1194976) 
- CVE-2021-3996: Fixed unauthorized unmount in util-linux's libmount. (bsc#1194976)

Advisory ID: SUSE-SU-2022:743-1
Released:    Mon Mar  7 22:08:12 2022
Summary:     Security update for cyrus-sasl
Type:        security
Severity:    important
References:  1194265,1196036,CVE-2022-24407
This update for cyrus-sasl fixes the following issues:

- CVE-2022-24407: Fixed SQL injection in sql_auxprop_store in plugins/sql.c (bsc#1196036).

The following non-security bugs were fixed:

- postfix: sasl authentication with password fails (bsc#1194265).

Advisory ID: SUSE-RU-2022:787-1
Released:    Thu Mar 10 11:20:13 2022
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    moderate
This update for openldap2 fixes the following issue:

- restore CLDAP functionality in CLI tools (jsc#PM-3288)

Advisory ID: SUSE-RU-2022:788-1
Released:    Thu Mar 10 11:21:04 2022
Summary:     Recommended update for libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1195326
This update for libzypp, zypper fixes the following issues:

- Fix handling of redirected command in-/output (bsc#1195326)
  This fixes delays at the end of zypper operations, where
  zypper unintentionally waits for appdata plugin scripts to

Advisory ID: SUSE-RU-2022:789-1
Released:    Thu Mar 10 11:22:05 2022
Summary:     Recommended update for update-alternatives
Type:        recommended
Severity:    moderate
References:  1195654
This update for update-alternatives fixes the following issues:

- Break bash - update-alternatives cycle rewrite of '%post' in 'lua'. (bsc#1195654)

Advisory ID: SUSE-RU-2022:808-1
Released:    Fri Mar 11 06:07:58 2022
Summary:     Recommended update for procps
Type:        recommended
Severity:    moderate
References:  1195468
This update for procps fixes the following issues:

- Stop registering signal handler for SIGURG, to avoid `ps` failure if
  someone sends such signal. Without the signal handler, SIGURG will
  just be ignored. (bsc#1195468)

Advisory ID: SUSE-SU-2022:844-1
Released:    Tue Mar 15 11:33:57 2022
Summary:     Security update for expat
Type:        security
Severity:    important
References:  1196025,1196784,CVE-2022-25236
This update for expat fixes the following issues:

- Fixed a regression caused by the patch for CVE-2022-25236 (bsc#1196784).

Advisory ID: SUSE-SU-2022:845-1
Released:    Tue Mar 15 11:40:52 2022
Summary:     Security update for chrony
Type:        security
Severity:    moderate
References:  1099272,1115529,1128846,1162964,1172113,1173277,1174075,1174911,1180689,1181826,1187906,1190926,1194229,CVE-2020-14367
This update for chrony fixes the following issues:

Chrony was updated to 4.1, bringing features and bugfixes.

Update to 4.1

  * Add support for NTS servers specified by IP address (matching
    Subject Alternative Name in server certificate)
  * Add source-specific configuration of trusted certificates
  * Allow multiple files and directories with trusted certificates
  * Allow multiple pairs of server keys and certificates
  * Add copy option to server/pool directive
  * Increase PPS lock limit to 40% of pulse interval
  * Perform source selection immediately after loading dump files
  * Reload dump files for addresses negotiated by NTS-KE server
  * Update seccomp filter and add less restrictive level
  * Restart ongoing name resolution on online command
  * Fix dump files to not include uncorrected offset
  * Fix initstepslew to accept time from own NTP clients
  * Reset NTP address and port when no longer negotiated by NTS-KE

- Ensure the correct pool packages are installed for openSUSE
  and SLE (bsc#1180689).
- Fix pool package dependencies, so that SLE prefers chrony-pool-suse
  over chrony-pool-empty. (bsc#1194229)

- Enable syscallfilter unconditionally [bsc#1181826].

Update to 4.0

  - Enhancements

    - Add support for Network Time Security (NTS) authentication
    - Add support for AES-CMAC keys (AES128, AES256) with Nettle
    - Add authselectmode directive to control selection of
      unauthenticated sources
    - Add binddevice, bindacqdevice, bindcmddevice directives
    - Add confdir directive to better support fragmented
    - Add sourcedir directive and 'reload sources' command to
      support dynamic NTP sources specified in files
    - Add clockprecision directive
    - Add dscp directive to set Differentiated Services Code Point
    - Add -L option to limit log messages by severity
    - Add -p option to print whole configuration with included
    - Add -U option to allow start under non-root user
    - Allow maxsamples to be set to 1 for faster update with -q/-Q
    - Avoid replacing NTP sources with sources that have
      unreachable address
    - Improve pools to repeat name resolution to get 'maxsources'
    - Improve source selection with trusted sources
    - Improve NTP loop test to prevent synchronisation to itself
    - Repeat iburst when NTP source is switched from offline state
      to online
    - Update clock synchronisation status and leap status more
    - Update seccomp filter
    - Add 'add pool' command
    - Add 'reset sources' command to drop all measurements
    - Add authdata command to print details about NTP
    - Add selectdata command to print details about source
    - Add -N option and sourcename command to print original names
      of sources
    - Add -a option to some commands to print also unresolved
    - Add -k, -p, -r options to clients command to select, limit,
      reset data

  - Bug fixes

    - Don’t set interface for NTP responses to allow asymmetric
    - Handle RTCs that don’t support interrupts
    - Respond to command requests with correct address on
      multihomed hosts

  - Removed features

    - Drop support for RIPEMD keys (RMD128, RMD160, RMD256, RMD320)
    - Drop support for long (non-standard) MACs in NTPv4 packets
      (chrony 2.x clients using non-MD5/SHA1 keys need to use
      option 'version 3')
    - Drop support for line editing with GNU Readline

- By default we don't write log files but log to journald, so
  only recommend logrotate.

- Adjust and rename the sysconfig file, so that it matches the
  expectations of chronyd.service (bsc#1173277).

Update to 3.5.1:

  * Create new file when writing pidfile (CVE-2020-14367, bsc#1174911)

- Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075)

- Use iburst in the default pool statements to speed up initial
  synchronisation (bsc#1172113).

Update to 3.5:

+ Add support for more accurate reading of PHC on Linux 5.0
+ Add support for hardware timestamping on interfaces with read-only timestamping configuration
+ Add support for memory locking and real-time priority on FreeBSD, NetBSD, Solaris
+ Update seccomp filter to work on more architectures
+ Validate refclock driver options
+ Fix bindaddress directive on FreeBSD
+ Fix transposition of hardware RX timestamp on Linux 4.13 and later
+ Fix building on non-glibc systems

- Fix location of helper script in chrony-dnssrv@.service

- Read runtime servers from /var/run/netconfig/chrony.servers to
  fix bsc#1099272.
- Move chrony-helper to /usr/lib/chrony/helper, because there
  should be no executables in /usr/share.

Update to version 3.4

  * Enhancements

    + Add filter option to server/pool/peer directive
    + Add minsamples and maxsamples options to hwtimestamp directive
    + Add support for faster frequency adjustments in Linux 4.19
    + Change default pidfile to /var/run/chrony/ to allow chronyd 
      without root privileges to remove it on exit
    + Disable sub-second polling intervals for distant NTP sources
    + Extend range of supported sub-second polling intervals
    + Get/set IPv4 destination/source address of NTP packets on FreeBSD
    + Make burst options and command useful with short polling intervals
    + Modify auto_offline option to activate when sending request failed
    + Respond from interface that received NTP request if possible
    + Add onoffline command to switch between online and offline state 
      according to current system network configuration
    + Improve example NetworkManager dispatcher script

  * Bug fixes

    + Avoid waiting in Linux getrandom system call
    + Fix PPS support on FreeBSD and NetBSD

Update to version 3.3

  * Enhancements:

    + Add burst option to server/pool directive
    + Add stratum and tai options to refclock directive
    + Add support for Nettle crypto library
    + Add workaround for missing kernel receive timestamps on Linux
    + Wait for late hardware transmit timestamps
    + Improve source selection with unreachable sources
    + Improve protection against replay attacks on symmetric mode
    + Allow PHC refclock to use socket in /var/run/chrony
    + Add shutdown command to stop chronyd
    + Simplify format of response to manual list command
    + Improve handling of unknown responses in chronyc

  * Bug fixes:

    + Respond to NTPv1 client requests with zero mode
    + Fix -x option to not require CAP_SYS_TIME under non-root user
    + Fix acquisitionport directive to work with privilege separation
    + Fix handling of socket errors on Linux to avoid high CPU usage
    + Fix chronyc to not get stuck in infinite loop after clock step

Advisory ID: SUSE-RU-2022:861-1
Released:    Tue Mar 15 23:30:48 2022
Summary:     Recommended update for openssl-1_1 
Type:        recommended
Severity:    moderate
References:  1182959,1195149,1195792,1195856
This update for openssl-1_1 fixes the following issues:


- Fix PAC pointer authentication in ARM (bsc#1195856)
- Pull libopenssl-1_1 when updating openssl-1_1 with the same version (bsc#1195792)
- FIPS: Fix function and reason error codes (bsc#1182959)
- Enable zlib compression support (bsc#1195149)

- Resolve installation issue of `glibc-devel` in SUSE Linux Enterprise Micro 5.1

- Resolve installation issue of `linux-kernel-headers` in SUSE Linux Enterprise Micro 5.1


- Resolve installation issue of `libxcrypt-devel` in SUSE Linux Enterprise Micro 5.1


- Resolve installation issue of `zlib-devel` in SUSE Linux Enterprise Micro 5.1

Advisory ID: SUSE-RU-2022:874-1
Released:    Wed Mar 16 10:40:52 2022
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    moderate
References:  1197004
This update for openldap2 fixes the following issue:

- Revert jsc#PM-3288 - CLDAP ( -DLDAP_CONNECTIONLESS ) due to regression (bsc#1197004)

Advisory ID: SUSE-RU-2022:905-1
Released:    Mon Mar 21 08:46:09 2022
Summary:     Recommended update for util-linux
Type:        recommended
Severity:    important
References:  1172427,1194642
This update for util-linux fixes the following issues:

- Prevent root owning of `/var/lib/libuuid/clock.txt`. (bsc#1194642)
- Make uuidd lock state file usable and time based UUIDs safer. (bsc#1194642)
- Fix `su -s` bash completion. (bsc#1172427)

The following package changes have been done:

- filesystem-15.0-11.5.1 updated
- glibc-2.31-150300.20.7 updated
- libaugeas0-1.10.1-3.9.1 updated
- libblkid1-2.36.2-150300.4.17.1 updated
- libcrypt1-4.4.15-150300.4.2.41 updated
- libeconf0-0.4.4+git20220104.962774f-150300.3.6.2 added
- libexpat1-2.2.5-3.19.1 updated
- libfdisk1-2.36.2-150300.4.17.1 updated
- libldap-2_4-2-2.4.46-9.64.1 updated
- libldap-data-2.4.46-9.64.1 updated
- libmount1-2.36.2-150300.4.17.1 updated
- libopenssl1_1-hmac-1.1.1d-11.43.1 updated
- libopenssl1_1-1.1.1d-11.43.1 updated
- libprocps7-3.3.15-7.22.1 updated
- libsasl2-3-2.1.27-150300.4.6.1 updated
- libsmartcols1-2.36.2-150300.4.17.1 updated
- libuuid1-2.36.2-150300.4.17.1 updated
- libz1-1.2.11-3.26.10 updated
- libzypp-17.29.4-31.1 updated
- login_defs-4.8.1-150300.4.3.8 updated
- openssl-1_1-1.1.1d-11.43.1 updated
- procps-3.3.15-7.22.1 updated
- shadow-4.8.1-150300.4.3.8 updated
- update-alternatives- updated
- util-linux-2.36.2-150300.4.17.1 updated
- zypper-1.14.51-27.1 updated
- container:sles15-image-15.0.0-17.11.9 updated
