SUSE-IU-2022:1116-1: Security update of suse-sles-15-sp3-chost-byos-v20221019-x86_64-gen2
    sle-security-updates at lists.suse.com
    Sat Oct 22 07:04:30 UTC 2022
SUSE Image Update Advisory: suse-sles-15-sp3-chost-byos-v20221019-x86_64-gen2
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2022:1116-1
Image Tags        : suse-sles-15-sp3-chost-byos-v20221019-x86_64-gen2:20221019
Image Release     : 
Severity          : critical
Type              : security
References        : 1027519 1142847 1150130 1157805 1164550 1164569 1167608 1177179
                        1181994 1185104 1186272 1188006 1189282 1189802 1195773 1197081
                        1199079 1199492 1200641 1200762 1200994 1201051 1201394 1201631
                        1201680 1201783 1201942 1201972 1202624 1202821 1202868 1203018
                        1203438 1203649 1203806 1203807 CVE-2019-13224 CVE-2019-16163
                        CVE-2019-19203 CVE-2019-19204 CVE-2019-19246 CVE-2020-26159 CVE-2021-28689
                        CVE-2021-28861 CVE-2021-36690 CVE-2021-46828 CVE-2022-26365 CVE-2022-31252
                        CVE-2022-33740 CVE-2022-33741 CVE-2022-33742 CVE-2022-33745 CVE-2022-33746
                        CVE-2022-33748 CVE-2022-35737 CVE-2022-40674 
-----------------------------------------------------------------
The image suse-sles-15-sp3-chost-byos-v20221019-x86_64-gen2 was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3304-1
Released:    Mon Sep 19 11:43:25 2022
Summary:     Recommended update for libassuan
Type:        recommended
Severity:    moderate
References:  
This update for libassuan fixes the following issues:
- Add a timeout for writing to a SOCKS5 proxy
- Add workaround for a problem with LD_LIBRARY_PATH on newer systems
- Fix issue in the logging code
- Fix some build trivialities
- Upgrade autoconf
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3305-1
Released:    Mon Sep 19 11:45:57 2022
Summary:     Security update for libtirpc
Type:        security
Severity:    important
References:  1201680,CVE-2021-46828
This update for libtirpc fixes the following issues:
- CVE-2021-46828: Fixed a denial of service where many idle TCP connections could exhaust the file descriptors of a process using libtirpc and leave svc_run() unable to accept new connections (bsc#1201680).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3307-1
Released:    Mon Sep 19 13:26:51 2022
Summary:     Security update for sqlite3
Type:        security
Severity:    moderate
References:  1189802,1195773,1201783,CVE-2021-36690,CVE-2022-35737
This update for sqlite3 fixes the following issues:
- CVE-2022-35737: Fixed an array-bounds overflow if billions of bytes are used in a string argument to a C API (bnc#1201783).
- CVE-2021-36690: Fixed an issue with the SQLite Expert extension when a column has no collating sequence (bsc#1189802).
- Package the Tcl bindings here again so that we only ship one copy of SQLite (bsc#1195773).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3327-1
Released:    Wed Sep 21 12:47:17 2022
Summary:     Security update for oniguruma
Type:        security
Severity:    important
References:  1142847,1150130,1157805,1164550,1164569,1177179,CVE-2019-13224,CVE-2019-16163,CVE-2019-19203,CVE-2019-19204,CVE-2019-19246,CVE-2020-26159
This update for oniguruma fixes the following issues:
- CVE-2019-19246: Fixed an out of bounds access during regular
  expression matching (bsc#1157805).
- CVE-2019-19204: Fixed an out of bounds access when compiling a
  crafted regular expression (bsc#1164569).
- CVE-2019-19203: Fixed an out of bounds access when performing a
  string search (bsc#1164550).
- CVE-2019-16163: Fixed an uncontrolled recursion issue when compiling
  a crafted regular expression, which could lead to denial of service (bsc#1150130).
- CVE-2020-26159: Fixed an off-by-one buffer overflow (bsc#1177179).
- CVE-2019-13224: Fixed a potential use-after-free when handling
  multiple different encodings (bsc#1142847).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3394-1
Released:    Mon Sep 26 16:05:19 2022
Summary:     Security update for permissions
Type:        security
Severity:    moderate
References:  1203018,CVE-2022-31252
This update for permissions fixes the following issues:
- CVE-2022-31252: Fixed chkstat not treating group-controlled (group-writable) path components as untrusted when applying privileged file modes, which a local attacker with such group access could abuse to escalate privileges (bsc#1203018).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3395-1
Released:    Mon Sep 26 16:35:18 2022
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:  1181994,1188006,1199079,1202868
This update for ca-certificates-mozilla fixes the following issues:
Updated to 2.56 state of Mozilla SSL root CAs (bsc#1202868)
- Added:
  - Certainly Root E1
  - Certainly Root R1
  - DigiCert SMIME ECC P384 Root G5
  - DigiCert SMIME RSA4096 Root G5
  - DigiCert TLS ECC P384 Root G5
  - DigiCert TLS RSA4096 Root G5
  - E-Tugra Global Root CA ECC v3
  - E-Tugra Global Root CA RSA v3
- Removed:
  - Hellenic Academic and Research Institutions RootCA 2011
Updated to 2.54 state of Mozilla SSL root CAs (bsc#1199079)
- Added:
  - Autoridad de Certificacion Firmaprofesional CIF A62634068
  - D-TRUST BR Root CA 1 2020
  - D-TRUST EV Root CA 1 2020
  - GlobalSign ECC Root CA R4
  - GTS Root R1
  - GTS Root R2
  - GTS Root R3
  - GTS Root R4
  - HiPKI Root CA - G1
  - ISRG Root X2
  - Telia Root CA v2
  - vTrus ECC Root CA
  - vTrus Root CA
- Removed:
  - Cybertrust Global Root
  - DST Root CA X3
  - DigiNotar PKIoverheid CA Organisatie - G2
  - GlobalSign ECC Root CA R4
  - GlobalSign Root CA R2
  - GTS Root R1
  - GTS Root R2
  - GTS Root R3
  - GTS Root R4
Updated to 2.50 state of the Mozilla NSS Certificate store (bsc#1188006)
- Added:
  - HARICA Client ECC Root CA 2021
  - HARICA Client RSA Root CA 2021
  - HARICA TLS ECC Root CA 2021
  - HARICA TLS RSA Root CA 2021
  - TunTrust Root CA
Updated to 2.46 state of the Mozilla NSS Certificate store (bsc#1181994)
- Added new root CAs:
  - NAVER Global Root Certification Authority
- Removed old root CAs:
  - GeoTrust Global CA
  - GeoTrust Primary Certification Authority
  - GeoTrust Primary Certification Authority - G3
  - GeoTrust Universal CA
  - GeoTrust Universal CA 2
  - thawte Primary Root CA
  - thawte Primary Root CA - G2
  - thawte Primary Root CA - G3
  - VeriSign Class 3 Public Primary Certification Authority - G4
  - VeriSign Class 3 Public Primary Certification Authority - G5
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3435-1
Released:    Tue Sep 27 14:55:38 2022
Summary:     Recommended update for runc
Type:        recommended
Severity:    important
References:  1202821
This update for runc fixes the following issues:
- Fix mounting via wrong proc fd. When the user and mount namespaces are used, and the bind mount is followed by the 
  cgroup mount in the spec, the cgroup was mounted using the bind mount's mount fd.
- Fix 'permission denied' error from runc run on noexec fs
- Fix regression causing a failed 'exec' error after systemctl daemon-reload (bsc#1202821)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3452-1
Released:    Wed Sep 28 12:13:43 2022
Summary:     Recommended update for glibc
Type:        recommended
Severity:    moderate
References:  1201942
This update for glibc fixes the following issues:
- Reversing calculation of __x86_shared_non_temporal_threshold (bsc#1201942)
- powerpc: Optimized memcmp for power10 (jsc#PED-987)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3544-1
Released:    Thu Oct  6 13:48:42 2022
Summary:     Security update for python3
Type:        security
Severity:    important
References:  1202624,CVE-2021-28861
This update for python3 fixes the following issues:
- CVE-2021-28861: Fixed an open redirect in the http.server module: a request whose URI path starts with // was redirected to a scheme-relative URL pointing at another host (bsc#1202624).
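Added example, not code from the advisory or from CPython: a model of the directory redirect in http.server that CVE-2021-28861 abused, beside the normalisation the upstream fix applies before the request path is used. SimpleHTTPRequestHandler answers a directory request lacking a trailing slash with 301 and Location: <path>/. Built from a raw target that begins with "//", urlsplit() treats the first segment as a network location, so the server emitted a scheme-relative URL that browsers resolve against a different host. The functions below reproduce only that Location computation; they assume the target maps to a directory and never touch the filesystem.

```python
from urllib.parse import urlsplit, urlunsplit


def normalize_request_target(path: str) -> str:
    """The upstream fix: collapse a leading run of slashes to exactly one so the
    target can no longer parse as //host/... (done in parse_request)."""
    if path.startswith("//"):
        path = "/" + path.lstrip("/")
    return path


def directory_redirect_location(request_target: str, hardened: bool) -> str:
    """Location header http.server sends for a directory request without a
    trailing slash.  hardened=False mirrors the vulnerable behaviour,
    hardened=True applies normalize_request_target() first, as the fix does.
    Assumes request_target resolves to a directory (no filesystem access)."""
    if hardened:
        request_target = normalize_request_target(request_target)
    parts = urlsplit(request_target)
    if parts.path.endswith("/"):
        return request_target  # nothing to redirect
    # Same tuple construction as send_head(): keep netloc and query, append '/'
    new_parts = (parts.scheme, parts.netloc, parts.path + "/",
                 parts.query, parts.fragment)
    return urlunsplit(new_parts)


def redirect_leaves_host(location: str) -> bool:
    """True if a client would resolve this Location against another host."""
    return urlsplit(location).netloc != ""


if __name__ == "__main__":
    # Constructed request targets: a benign one and two "//" variants.
    for target in ("/docs", "//evil.example/..", "//evil.example/x?next=1"):
        for hardened in (False, True):
            loc = directory_redirect_location(target, hardened)
            print(f"{'fixed' if hardened else 'vuln '} {target!r:28} -> "
                  f"{loc!r:30} offsite={redirect_leaves_host(loc)}")
```

Run stand-alone it prints the vulnerable and fixed Location for each target; the "//evil.example/.." case shows "//evil.example/../" (off-site) before the fix and "/evil.example/../" (same host) after it.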
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3555-1
Released:    Mon Oct 10 14:05:12 2022
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    important
References:  1199492
This update for aaa_base fixes the following issues:
- The wrapper rootsh is not a restricted shell. (bsc#1199492)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3565-1
Released:    Tue Oct 11 16:17:38 2022
Summary:     Recommended update for libzypp, zypper
Type:        recommended
Severity:    critical
References:  1189282,1201972,1203649
This update for libzypp, zypper fixes the following issues:
libzypp:
- Enable 'zck' support for SUSE Linux Enterprise 15 Service Pack 4 and newer (bsc#1189282)
- Fix regression leading to the `--allow-vendor-change` and `--no-allow-vendor-change` options being ignored (bsc#1201972)
- Remove migration code that is no longer needed (bsc#1203649)
- Store logrotate files in the vendor-specific directory '/usr/etc/logrotate.d' if so defined
zypper:
- Fix contradiction in the man page: the `--download-in-advance` option is the default behavior
- Fix regression leading to the `--allow-vendor-change` and `--no-allow-vendor-change` options being ignored (bsc#1201972)
- Fix tests to use locale 'C.UTF-8' rather than 'en_US'
- Make sure 'up' respects solver related CLI options (bsc#1201972)
- Remove unneeded code to compute the PPP status because it is now auto established
- Store logrotate files in the vendor-specific directory '/usr/etc/logrotate.d' if so defined
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3591-1
Released:    Fri Oct 14 11:38:04 2022
Summary:     Recommended update for kdump
Type:        recommended
Severity:    moderate
References:  1186272,1201051
This update for kdump fixes the following issues:
- Fix unload issue when secure boot enabled (bsc#1186272)
- Fix network-related dracut options handling for fadump case (bsc#1201051)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3597-1
Released:    Mon Oct 17 13:13:16 2022
Summary:     Security update for expat
Type:        security
Severity:    important
References:  1203438,CVE-2022-40674
This update for expat fixes the following issues:
- CVE-2022-40674: Fixed use-after-free in the doContent function in xmlparse.c (bsc#1203438).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3612-1
Released:    Tue Oct 18 12:21:03 2022
Summary:     Recommended update for SUSEConnect
Type:        recommended
Severity:    moderate
References:  1200641,1200994
This update for SUSEConnect fixes the following issues:
- Allow suseconnect-keepalive.service to recognize a configured proxy. (bsc#1200994)
- Remove the `WantedBy` statement from suseconnect-keepalive.service since it's only to be triggered by a systemd timer.
- SUSEConnect will now ensure that the `PROXY_ENABLED` environment variable is honored.
- Write services with ssl_verify=no when using connect with insecure
- Rely on system-wide defaults for enabling the keepalive timer by systemd-presets-branding-SLE. (bsc#1200641)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3665-1
Released:    Wed Oct 19 20:29:16 2022
Summary:     Security update for xen
Type:        security
Severity:    important
References:  1027519,1167608,1185104,1197081,1200762,1201394,1201631,1203806,1203807,CVE-2021-28689,CVE-2022-26365,CVE-2022-33740,CVE-2022-33741,CVE-2022-33742,CVE-2022-33745,CVE-2022-33746,CVE-2022-33748
This update for xen fixes the following issues:
- CVE-2022-33746: Fixed DoS due to excessively long P2M pool freeing (bsc#1203806).
- CVE-2022-33748: Fixed DoS due to race in locking (bsc#1203807).
- CVE-2022-26365, CVE-2022-33740: Fixed issue where Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (bsc#1200762).
- CVE-2022-33741, CVE-2022-33742: Fixed issue where data residing in the same 4K page as data shared with a backend was accessible by that backend (bsc#1200762).
- CVE-2022-33745: Fixed an insufficient TLB flush for x86 PV guests in shadow mode (bsc#1201394).
- CVE-2021-28689: Fixed speculative vulnerabilities with bare (non-shim) 32-bit PV guests (bsc#1185104).
Bugfixes:
- Fixed logic error in built-in default of max_event_channels (bsc#1167608, bsc#1201631).
- Fixed issue where dom0 fails to boot with constrained vcpus and nodes (bsc#1197081).
- Included upstream bugfixes (bsc#1027519).
The following package changes have been done:
- SUSEConnect-0.3.36-150300.20.6.1 updated
- aaa_base-84.87+git20180409.04c9dae-150300.10.3.1 updated
- ca-certificates-mozilla-2.56-150200.24.1 updated
- glibc-locale-base-2.31-150300.41.1 updated
- glibc-locale-2.31-150300.41.1 updated
- glibc-2.31-150300.41.1 updated
- kdump-0.9.0-150300.18.15.1 updated
- libassuan0-2.5.5-150000.4.3.1 updated
- libexpat1-2.2.5-150000.3.22.1 updated
- libonig4-6.7.0-150000.3.3.1 updated
- libpython3_6m1_0-3.6.15-150300.10.30.1 updated
- libsqlite3-0-3.39.3-150000.3.17.1 updated
- libtirpc-netconfig-1.2.6-150300.3.14.1 updated
- libtirpc3-1.2.6-150300.3.14.1 updated
- libzypp-17.31.2-150200.45.1 updated
- permissions-20181225-150200.23.15.1 updated
- python3-base-3.6.15-150300.10.30.1 updated
- python3-3.6.15-150300.10.30.1 updated
- runc-1.1.4-150000.33.4 updated
- xen-libs-4.14.5_06-150300.3.35.1 updated
- zypper-1.14.57-150200.39.1 updated
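Added example, not a SUSE tool: a check that compares a host's installed packages against the package list above using rpm's own version ordering. Assumptions: the advisory lines are pasted in verbatim; the host inventory is the output of  rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n'  (a constructed sample is embedded so the script runs offline); none of the listed packages carries an Epoch. Versions are ordered with a port of rpmvercmp(), which is what zypper uses, because a plain string compare sorts release 150300.10.9.1 after 150300.10.30.1. On a live system `zypper patch` applies these advisories directly; this script is for auditing an image or host where you only have an rpm inventory.

```python
import re
from typing import Dict, Tuple

VR = Tuple[str, str]  # (version, release)

# Lines copied from the advisory's "The following package changes" list.
ADVISORY_PACKAGE_LINES = """\
- SUSEConnect-0.3.36-150300.20.6.1 updated
- glibc-2.31-150300.41.1 updated
- libexpat1-2.2.5-150000.3.22.1 updated
- libsqlite3-0-3.39.3-150000.3.17.1 updated
- python3-base-3.6.15-150300.10.30.1 updated
- xen-libs-4.14.5_06-150300.3.35.1 updated
"""

# Constructed sample of: rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n'
SAMPLE_RPM_QA = """\
SUSEConnect 0.3.36 150300.20.6.1
glibc 2.31 150300.37.2
libexpat1 2.2.5 150000.3.19.1
libsqlite3-0 3.39.3 150000.3.17.1
python3-base 3.6.15 150300.10.33.1
"""


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): -1 if a < b, 0 if equal, 1 if a > b."""
    if a == b:
        return 0
    while a or b:
        # Separators (anything not alphanumeric, '~' or '^') carry no meaning.
        a = re.sub(r"^[^A-Za-z0-9~^]+", "", a)
        b = re.sub(r"^[^A-Za-z0-9~^]+", "", b)
        # '~' marks a pre-release: it sorts before anything, even end of string.
        if a.startswith("~") or b.startswith("~"):
            if not a.startswith("~"):
                return 1
            if not b.startswith("~"):
                return -1
            a, b = a[1:], b[1:]
            continue
        # '^' marks a post-release: after end of string, before anything else.
        if a.startswith("^") or b.startswith("^"):
            if not a:
                return -1
            if not b:
                return 1
            if not a.startswith("^"):
                return 1
            if not b.startswith("^"):
                return -1
            a, b = a[1:], b[1:]
            continue
        if not (a and b):
            break
        # Take the leading run of digits (or of letters) from both strings.
        if a[0].isdigit():
            sa, sb, numeric = re.match(r"[0-9]+", a)[0], re.match(r"[0-9]*", b)[0], True
        else:
            sa, sb, numeric = re.match(r"[A-Za-z]+", a)[0], re.match(r"[A-Za-z]*", b)[0], False
        if not sb:
            return 1 if numeric else -1  # a numeric segment beats an alpha one
        ca, cb = (sa.lstrip("0"), sb.lstrip("0")) if numeric else (sa, sb)
        if numeric and len(ca) != len(cb):
            return 1 if len(ca) > len(cb) else -1  # more digits wins
        if ca != cb:
            return 1 if ca > cb else -1
        a, b = a[len(sa):], b[len(sb):]
    if not a and not b:
        return 0
    return 1 if a else -1


def compare_vr(x: VR, y: VR) -> int:
    """Compare (version, release) pairs the way rpm does: version, then release."""
    return rpmvercmp(x[0], y[0]) or rpmvercmp(x[1], y[1])


def parse_advisory(text: str) -> Dict[str, VR]:
    """Map package name -> fixed (version, release) from '- name-ver-rel updated'."""
    fixed: Dict[str, VR] = {}
    for line in text.splitlines():
        m = re.match(r"-\s+(\S+)\s+updated\s*$", line)
        if m:  # names may contain '-', so split off the last two fields only
            name, version, release = m.group(1).rsplit("-", 2)
            fixed[name] = (version, release)
    return fixed


def parse_rpm_qa(text: str) -> Dict[str, VR]:
    """Map package name -> installed (version, release) from the rpm -qa output."""
    installed: Dict[str, VR] = {}
    for line in text.splitlines():
        if line.strip():
            name, version, release = line.split()
            installed[name] = (version, release)
    return installed


def audit(installed: Dict[str, VR], fixed: Dict[str, VR]) -> Dict[str, str]:
    """Return 'ok', 'vulnerable' or 'not installed' for each advisory package."""
    report = {}
    for name, fixed_vr in fixed.items():
        if name not in installed:
            report[name] = "not installed"
        elif compare_vr(installed[name], fixed_vr) < 0:
            report[name] = "vulnerable"
        else:
            report[name] = "ok"
    return report


if __name__ == "__main__":
    fixed = parse_advisory(ADVISORY_PACKAGE_LINES)
    installed = parse_rpm_qa(SAMPLE_RPM_QA)
    for name, status in audit(installed, fixed).items():
        have = "-".join(installed[name]) if name in installed else "-"
        print(f"{name:14} installed={have:26} fixed={'-'.join(fixed[name]):26} {status}")
```

Replace SAMPLE_RPM_QA with the real rpm -qa output and ADVISORY_PACKAGE_LINES with the full list above to audit a host; "not installed" is informational (the advisory's list covers everything in the image, not everything on your host), and a package reported newer than the advisory version is "ok" because later SUSE releases supersede it.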