SUSE-IU-2022:1108-1: Security update of suse-sles-15-sp4-chost-byos-v20221018-x86_64-gen2

sle-security-updates at lists.suse.com
Thu Oct 20 07:02:26 UTC 2022


SUSE Image Update Advisory: suse-sles-15-sp4-chost-byos-v20221018-x86_64-gen2
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2022:1108-1
Image Tags        : suse-sles-15-sp4-chost-byos-v20221018-x86_64-gen2:20221018
Image Release     : 
Severity          : critical
Type              : security
References        : 1181994 1182983 1188006 1189282 1190700 1191020 1198197 1198523
                        1198828 1198976 1199079 1199492 1201942 1201972 1202117 1202624
                        1202821 1202868 1203438 1203649 CVE-2021-28861 CVE-2022-29869
                        CVE-2022-40674 
-----------------------------------------------------------------

The container suse-sles-15-sp4-chost-byos-v20221018-x86_64-gen2 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3395-1
Released:    Mon Sep 26 16:35:18 2022
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:  1181994,1188006,1199079,1202868
This update for ca-certificates-mozilla fixes the following issues:

Updated to 2.56 state of Mozilla SSL root CAs (bsc#1202868)

- Added:

  - Certainly Root E1
  - Certainly Root R1
  - DigiCert SMIME ECC P384 Root G5
  - DigiCert SMIME RSA4096 Root G5
  - DigiCert TLS ECC P384 Root G5
  - DigiCert TLS RSA4096 Root G5
  - E-Tugra Global Root CA ECC v3
  - E-Tugra Global Root CA RSA v3

- Removed:

  - Hellenic Academic and Research Institutions RootCA 2011

Updated to 2.54 state of Mozilla SSL root CAs (bsc#1199079)

- Added:

  - Autoridad de Certificacion Firmaprofesional CIF A62634068
  - D-TRUST BR Root CA 1 2020
  - D-TRUST EV Root CA 1 2020
  - GlobalSign ECC Root CA R4
  - GTS Root R1
  - GTS Root R2
  - GTS Root R3
  - GTS Root R4
  - HiPKI Root CA - G1
  - ISRG Root X2
  - Telia Root CA v2
  - vTrus ECC Root CA
  - vTrus Root CA

- Removed:

  - Cybertrust Global Root
  - DST Root CA X3
  - DigiNotar PKIoverheid CA Organisatie - G2
  - GlobalSign ECC Root CA R4
  - GlobalSign Root CA R2
  - GTS Root R1
  - GTS Root R2
  - GTS Root R3
  - GTS Root R4

Updated to 2.50 state of the Mozilla NSS Certificate store (bsc#1188006)

- Added:

  - HARICA Client ECC Root CA 2021
  - HARICA Client RSA Root CA 2021
  - HARICA TLS ECC Root CA 2021
  - HARICA TLS RSA Root CA 2021
  - TunTrust Root CA


Updated to 2.46 state of the Mozilla NSS Certificate store (bsc#1181994)

- Added new root CAs:

  - NAVER Global Root Certification Authority

- Removed old root CAs:

  - GeoTrust Global CA
  - GeoTrust Primary Certification Authority
  - GeoTrust Primary Certification Authority - G3
  - GeoTrust Universal CA
  - GeoTrust Universal CA 2
  - thawte Primary Root CA
  - thawte Primary Root CA - G2
  - thawte Primary Root CA - G3
  - VeriSign Class 3 Public Primary Certification Authority - G4
  - VeriSign Class 3 Public Primary Certification Authority - G5
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3435-1
Released:    Tue Sep 27 14:55:38 2022
Summary:     Recommended update for runc
Type:        recommended
Severity:    important
References:  1202821
This update for runc fixes the following issues:

- Fix mounting via wrong proc fd. When the user and mount namespaces are used, and the bind mount is followed by the 
  cgroup mount in the spec, the cgroup was mounted using the bind mount's mount fd.
- Fix 'permission denied' error from runc run on noexec fs
- Fix regression causing a failed 'exec' error after systemctl daemon-reload (bsc#1202821)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3449-1
Released:    Tue Sep 27 20:12:03 2022
Summary:     Recommended update for perl-Bootloader
Type:        recommended
Severity:    moderate
References:  1198197,1198828
This update for perl-Bootloader fixes the following issues:

- Fix sysconfig parsing (bsc#1198828)
- grub2/install: Reset error code when passing through recover code. (bsc#1198197)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3452-1
Released:    Wed Sep 28 12:13:43 2022
Summary:     Recommended update for glibc
Type:        recommended
Severity:    moderate
References:  1201942
This update for glibc fixes the following issues:

- Reversing calculation of __x86_shared_non_temporal_threshold (bsc#1201942)
- powerpc: Optimized memcmp for power10 (jsc#PED-987)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3489-1
Released:    Sat Oct  1 13:35:24 2022
Summary:     Security update for expat
Type:        security
Severity:    important
References:  1203438,CVE-2022-40674
This update for expat fixes the following issues:

- CVE-2022-40674: Fixed use-after-free in the doContent function in xmlparse.c (bsc#1203438).

-----------------------------------------------------------------
Advisory ID: SUSE-feature-2022:3520-1
Released:    Tue Oct  4 14:18:34 2022
Summary:     Feature update for dmidecode
Type:        feature
Severity:    moderate
References:  
This feature update for dmidecode fixes the following issues:

Update dmidecode from version 3.2 to version 3.4 (jsc#SLE-24502, jsc#SLE-24591, jsc#PED-411):

- Add bios-revision, firmware-revision and system-sku-number to `-s` option
- Decode HPE OEM records 194, 199, 203, 236, 237, 238 and 240
- Decode system slot base bus width and peers
- Document how the UUID fields are interpreted
- Don't display the raw CPU ID in quiet mode
- Don't use memcpy on /dev/mem on arm64
- Fix OEM vendor name matching
- Fix small typo in NEWS file
- Improve the formatting of the manual pages
- Present HPE type 240 attributes as a proper list instead of packing them on a single line.
  This makes the output more readable overall, and will also scale better if the number of attributes increases
- Skip details of uninstalled memory modules
- Support for SMBIOS 3.4.0. This includes new memory device types, new processor upgrades, new slot types and
  characteristics, decoding of memory module extended speed, new system slot types, new processor characteristics and a new
  format of Processor ID
- Support for SMBIOS 3.5.0. This includes new processor upgrades, BIOS characteristics, new slot characteristics, new
  on-board device types, new pointing device interface types, and a new record type
  (type 45 - Firmware Inventory Information)
- Use the most appropriate unit for cache size

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3521-1
Released:    Tue Oct  4 14:18:56 2022
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    critical
References:  1198523
This update for lvm2 fixes the following issues:

- Add additional check in the package to prevent removal of device-mapper library files during install (bsc#1198523)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3525-1
Released:    Wed Oct  5 12:17:14 2022
Summary:     Security update for cifs-utils
Type:        security
Severity:    moderate
References:  1198976,CVE-2022-29869
This update for cifs-utils fixes the following issues:

- Fix changelog to include Bugzilla and CVE tracker id numbers missing from previous update

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3544-1
Released:    Thu Oct  6 13:48:42 2022
Summary:     Security update for python3
Type:        security
Severity:    important
References:  1202624,CVE-2021-28861
This update for python3 fixes the following issues:

- CVE-2021-28861: Fixed an open redirection vulnerability in the HTTP server when a URI path starts with // (bsc#1202624).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3551-1
Released:    Fri Oct  7 17:03:55 2022
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  1182983,1190700,1191020,1202117
This update for libgcrypt fixes the following issues:

- FIPS: Fixed gpg/gpg2 hitting the out-of-core handler in FIPS mode when
  pressing the Tab key for auto-completion. [bsc#1182983]

- FIPS: Ported libgcrypt to use jitterentropy [bsc#1202117, jsc#SLE-24941]

  * Enable the jitter based entropy generator by default in random.conf
  * Update the internal jitterentropy to version 3.4.0

- FIPS: Get most of the entropy from rndjent_poll [bsc#1202117]
- FIPS: Check keylength in gcry_fips_indicator_kdf() [bsc#1190700]

  * Consider a key length greater than or equal to 112 bits as approved.

- FIPS: Zeroize buffer and digest in check_binary_integrity() [bsc#1191020]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3555-1
Released:    Mon Oct 10 14:05:12 2022
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    important
References:  1199492
This update for aaa_base fixes the following issues:

- The wrapper rootsh is not a restricted shell. (bsc#1199492)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3564-1
Released:    Tue Oct 11 16:15:57 2022
Summary:     Recommended update for libzypp, zypper
Type:        recommended
Severity:    critical
References:  1189282,1201972,1203649
This update for libzypp, zypper fixes the following issues:

libzypp:
- Enable 'zck' support for SUSE Linux Enterprise 15 Service Pack 4 and newer (bsc#1189282)
- Fix regression leading to the `--allow-vendor-change` and `--no-allow-vendor-change` options being ignored (bsc#1201972)
- Remove migration code that is no longer needed (bsc#1203649)
- Store logrotate files in the vendor-specific directory '/usr/etc/logrotate.d' if so defined

zypper:

- Fix contradiction in the man page: `--download-in-advance` option is the default behavior
- Fix regression leading to the `--allow-vendor-change` and `--no-allow-vendor-change` options being ignored (bsc#1201972)
- Fix tests to use locale 'C.UTF-8' rather than 'en_US'
- Make sure 'up' respects solver related CLI options (bsc#1201972)
- Remove unneeded code to compute the PPP status because it is now established automatically
- Store logrotate files in the vendor-specific directory '/usr/etc/logrotate.d' if so defined


The following package changes have been done:

- aaa_base-84.87+git20180409.04c9dae-150300.10.3.1 updated
- ca-certificates-mozilla-2.56-150200.24.1 updated
- cifs-utils-6.15-150400.3.9.1 updated
- dmidecode-3.4-150400.16.3.1 updated
- glibc-locale-base-2.31-150300.41.1 updated
- glibc-locale-2.31-150300.41.1 updated
- glibc-2.31-150300.41.1 updated
- libdevmapper1_03-1.02.163-150400.178.1 updated
- libexpat1-2.4.4-150400.3.9.1 updated
- libgcrypt20-1.9.4-150400.6.5.1 updated
- libpython3_6m1_0-3.6.15-150300.10.30.1 updated
- libzck1-1.1.16-150400.1.10 added
- libzypp-17.31.2-150400.3.9.1 updated
- perl-Bootloader-0.939-150400.3.3.1 updated
- python3-base-3.6.15-150300.10.30.1 updated
- python3-3.6.15-150300.10.30.1 updated
- runc-1.1.4-150000.33.4 updated
- zypper-1.14.57-150400.3.9.1 updated
- klogd-1.4.1-11.2 removed