SUSE-CU-2022:2660-1: Security update of ses/7.1/ceph/haproxy

sle-security-updates at lists.suse.com sle-security-updates at lists.suse.com
Tue Oct 25 07:19:42 UTC 2022


SUSE Container Update Advisory: ses/7.1/ceph/haproxy
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2022:2660-1
Container Tags        : ses/7.1/ceph/haproxy:2.0.14 , ses/7.1/ceph/haproxy:2.0.14.3.5.205 , ses/7.1/ceph/haproxy:latest , ses/7.1/ceph/haproxy:sle15.3.pacific
Container Release     : 3.5.205
Severity              : critical
Type                  : security
References            : 1047178 1189282 1189802 1195773 1199140 1199492 1199895 1200270
                        1200697 1200698 1200700 1200701 1200732 1200884 1200902 1200903
                        1200904 1200993 1201092 1201132 1201133 1201134 1201135 1201136
                        1201150 1201151 1201152 1201153 1201154 1201155 1201249 1201356
                        1201359 1201363 1201576 1201620 1201638 1201680 1201783 1201863
                        1201942 1201972 1202046 1202049 1202050 1202051 1202414 1202420
                        1202421 1202511 1202512 1202515 1202552 1202599 1202687 1202689
                        1202862 1203018 1203438 1203649 1204357 CVE-2017-6512 CVE-2021-36690
                        CVE-2021-46828 CVE-2022-1720 CVE-2022-1968 CVE-2022-2124 CVE-2022-2125
                        CVE-2022-2126 CVE-2022-2129 CVE-2022-2175 CVE-2022-2182 CVE-2022-2183
                        CVE-2022-2206 CVE-2022-2207 CVE-2022-2208 CVE-2022-2210 CVE-2022-2231
                        CVE-2022-2257 CVE-2022-2264 CVE-2022-2284 CVE-2022-2285 CVE-2022-2286
                        CVE-2022-2287 CVE-2022-2304 CVE-2022-2343 CVE-2022-2344 CVE-2022-2345
                        CVE-2022-2522 CVE-2022-2571 CVE-2022-2580 CVE-2022-2581 CVE-2022-2598
                        CVE-2022-2816 CVE-2022-2817 CVE-2022-2819 CVE-2022-2845 CVE-2022-2849
                        CVE-2022-2862 CVE-2022-2874 CVE-2022-2889 CVE-2022-2923 CVE-2022-2946
                        CVE-2022-3016 CVE-2022-31252 CVE-2022-3515 CVE-2022-35737 CVE-2022-40674
-----------------------------------------------------------------

The container ses/7.1/ceph/haproxy was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3215-1
Released:    Thu Sep  8 15:58:27 2022
Summary:     Recommended update for rpm
Type:        recommended
Severity:    moderate
References:  
This update for rpm fixes the following issues:

- Support Ed25519 RPM signatures [jsc#SLE-24714]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3223-1
Released:    Fri Sep  9 04:33:35 2022
Summary:     Recommended update for libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1199895,1200993,1201092,1201576,1201638
This update for libzypp, zypper fixes the following issues:

libzypp:

- Improve handling of package locks, allowing to reset the status of its initial state (bsc#1199895)
- Fix issues when receiving exceptions from curl_easy_cleanup (bsc#1201092)
- Don't auto-flag kernel-firmware as 'reboot-needed' (bsc#1200993)
- Remove Medianetwork and its dependent code. First reason for this is that MediaNetwork was just meant as a way to test
  the new CURL based downloaded. Second the Provide API is going to completely replace the current media backend.

zypper:

- Truncate the 'Name' column when using `zypper lr`, if the table is wider than the terminal (bsc#1201638)
- Reject install/remove modifier without argument (bsc#1201576)
- zypper-download: Handle unresolvable arguments as errors
- Put signing key supplying repository name in quotes

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3229-1
Released:    Fri Sep  9 14:46:01 2022
Summary:     Security update for vim
Type:        security
Severity:    important
References:  1200270,1200697,1200698,1200700,1200701,1200732,1200884,1200902,1200903,1200904,1201132,1201133,1201134,1201135,1201136,1201150,1201151,1201152,1201153,1201154,1201155,1201249,1201356,1201359,1201363,1201620,1201863,1202046,1202049,1202050,1202051,1202414,1202420,1202421,1202511,1202512,1202515,1202552,1202599,1202687,1202689,1202862,CVE-2022-1720,CVE-2022-1968,CVE-2022-2124,CVE-2022-2125,CVE-2022-2126,CVE-2022-2129,CVE-2022-2175,CVE-2022-2182,CVE-2022-2183,CVE-2022-2206,CVE-2022-2207,CVE-2022-2208,CVE-2022-2210,CVE-2022-2231,CVE-2022-2257,CVE-2022-2264,CVE-2022-2284,CVE-2022-2285,CVE-2022-2286,CVE-2022-2287,CVE-2022-2304,CVE-2022-2343,CVE-2022-2344,CVE-2022-2345,CVE-2022-2522,CVE-2022-2571,CVE-2022-2580,CVE-2022-2581,CVE-2022-2598,CVE-2022-2816,CVE-2022-2817,CVE-2022-2819,CVE-2022-2845,CVE-2022-2849,CVE-2022-2862,CVE-2022-2874,CVE-2022-2889,CVE-2022-2923,CVE-2022-2946,CVE-2022-3016
This update for vim fixes the following issues:

Updated to version 9.0 with patch level 0313:

- CVE-2022-2183: Fixed out-of-bounds read through get_lisp_indent() (bsc#1200902).
- CVE-2022-2182: Fixed heap-based buffer overflow through parse_cmd_address() (bsc#1200903).
- CVE-2022-2175: Fixed buffer over-read through cmdline_insert_reg() (bsc#1200904).
- CVE-2022-2304: Fixed stack buffer overflow in spell_dump_compl() (bsc#1201249).
- CVE-2022-2343: Fixed heap-based buffer overflow in GitHub repository vim prior to 9.0.0044 (bsc#1201356).
- CVE-2022-2344: Fixed another heap-based buffer overflow vim prior to 9.0.0045 (bsc#1201359).
- CVE-2022-2345: Fixed use after free in GitHub repository vim prior to 9.0.0046. (bsc#1201363).
- CVE-2022-2819: Fixed heap-based Buffer Overflow in compile_lock_unlock() (bsc#1202414).
- CVE-2022-2874: Fixed NULL Pointer Dereference in generate_loadvar() (bsc#1202552).
- CVE-2022-1968: Fixed use after free in utf_ptr2char (bsc#1200270).
- CVE-2022-2124: Fixed out of bounds read in current_quote() (bsc#1200697).
- CVE-2022-2125: Fixed out of bounds read in get_lisp_indent() (bsc#1200698).
- CVE-2022-2126: Fixed out of bounds read in suggest_trie_walk() (bsc#1200700).
- CVE-2022-2129: Fixed out of bounds write in vim_regsub_both() (bsc#1200701).
- CVE-2022-1720: Fixed out of bounds read in grab_file_name() (bsc#1200732).
- CVE-2022-2264: Fixed out of bounds read in inc() (bsc#1201132).
- CVE-2022-2284: Fixed out of bounds read in utfc_ptr2len() (bsc#1201133).
- CVE-2022-2285: Fixed negative size passed to memmove() due to integer overflow (bsc#1201134).
- CVE-2022-2286: Fixed out of bounds read in ins_bytes() (bsc#1201135).
- CVE-2022-2287: Fixed out of bounds read in suggest_trie_walk() (bsc#1201136).
- CVE-2022-2231: Fixed null pointer dereference skipwhite() (bsc#1201150).
- CVE-2022-2210: Fixed out of bounds read in ml_append_int() (bsc#1201151).
- CVE-2022-2208: Fixed null pointer dereference in diff_check() (bsc#1201152).
- CVE-2022-2207: Fixed out of bounds read in ins_bs() (bsc#1201153).
- CVE-2022-2257: Fixed out of bounds read in msg_outtrans_special() (bsc#1201154).
- CVE-2022-2206: Fixed out of bounds read in msg_outtrans_attr() (bsc#1201155).
- CVE-2022-2522: Fixed out of bounds read via nested autocommand (bsc#1201863).
- CVE-2022-2571: Fixed heap-based buffer overflow related to ins_comp_get_next_word_or_line() (bsc#1202046).
- CVE-2022-2580: Fixed heap-based buffer overflow related to eval_string() (bsc#1202049).
- CVE-2022-2581: Fixed out-of-bounds read related to cstrchr() (bsc#1202050).
- CVE-2022-2598: Fixed undefined behavior for Input to API related to diff_mark_adjust_tp() and ex_diffgetput() (bsc#1202051).
- CVE-2022-2817: Fixed use after gree in f_assert_fails() (bsc#1202420).
- CVE-2022-2816: Fixed out-of-bounds Read in check_vim9_unlet() (bsc#1202421).
- CVE-2022-2862: Fixed use-after-free in compile_nested_function() (bsc#1202511).
- CVE-2022-2849: Fixed invalid memory access related to mb_ptr2len() (bsc#1202512).
- CVE-2022-2845: Fixed buffer Over-read related to display_dollar() (bsc#1202515).
- CVE-2022-2889: Fixed use-after-free in find_var_also_in_script() in evalvars.c (bsc#1202599).
- CVE-2022-2923: Fixed NULL pointer dereference in GitHub repository vim/vim prior to 9.0.0240 (bsc#1202687).
- CVE-2022-2946: Fixed use after free in function vim_vsnprintf_typval (bsc#1202689).
- CVE-2022-3016: Fixed use after free in vim prior to 9.0.0285 (bsc#1202862).
  
Bugfixes:

- Fixing vim error on startup (bsc#1200884).
- Fixing vim SUSE Linux Enterprise Server 15 SP4 Basesystem plugin-tlib issue (bsc#1201620).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3262-1
Released:    Tue Sep 13 15:34:29 2022
Summary:     Recommended update for gcc11
Type:        recommended
Severity:    moderate
References:  1199140

This update for gcc11 ships some missing 32bit libraries for s390x. (bsc#1199140)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3271-1
Released:    Wed Sep 14 06:45:39 2022
Summary:     Security update for perl
Type:        security
Severity:    moderate
References:  1047178,CVE-2017-6512
This update for perl fixes the following issues:

- CVE-2017-6512: Fixed File::Path rmtree/remove_tree race condition (bsc#1047178).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3276-1
Released:    Thu Sep 15 06:15:29 2022
Summary:     This update fixes the following issues:
Type:        recommended
Severity:    moderate
References:  
Implement ECO jsc#SLE-20950 to fix the channel configuration for libeconf-devel having L3 support (instead of unsupported).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3304-1
Released:    Mon Sep 19 11:43:25 2022
Summary:     Recommended update for libassuan
Type:        recommended
Severity:    moderate
References:  
This update for libassuan fixes the following issues:

- Add a timeout for writing to a SOCKS5 proxy
- Add workaround for a problem with LD_LIBRARY_PATH on newer systems
- Fix issue in the logging code
- Fix some build trivialities
- Upgrade autoconf

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3305-1
Released:    Mon Sep 19 11:45:57 2022
Summary:     Security update for libtirpc
Type:        security
Severity:    important
References:  1201680,CVE-2021-46828
This update for libtirpc fixes the following issues:

- CVE-2021-46828: Fixed denial of service vulnerability with lots of connections (bsc#1201680).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3307-1
Released:    Mon Sep 19 13:26:51 2022
Summary:     Security update for sqlite3
Type:        security
Severity:    moderate
References:  1189802,1195773,1201783,CVE-2021-36690,CVE-2022-35737
This update for sqlite3 fixes the following issues:

- CVE-2022-35737: Fixed an array-bounds overflow if billions of bytes are used in a string argument to a C API (bnc#1201783).
- CVE-2021-36690: Fixed an issue with the SQLite Expert extension when a column has no collating sequence (bsc#1189802).
  
- Package the Tcl bindings here again so that we only ship one copy of SQLite (bsc#1195773).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3394-1
Released:    Mon Sep 26 16:05:19 2022
Summary:     Security update for permissions
Type:        security
Severity:    moderate
References:  1203018,CVE-2022-31252
This update for permissions fixes the following issues:

- CVE-2022-31252: Fixed chkstat group controlled paths (bsc#1203018).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3452-1
Released:    Wed Sep 28 12:13:43 2022
Summary:     Recommended update for glibc
Type:        recommended
Severity:    moderate
References:  1201942
This update for glibc fixes the following issues:

- Reversing calculation of __x86_shared_non_temporal_threshold (bsc#1201942)
- powerpc: Optimized memcmp for power10 (jsc#PED-987)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3555-1
Released:    Mon Oct 10 14:05:12 2022
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    important
References:  1199492
This update for aaa_base fixes the following issues:

- The wrapper rootsh is not a restricted shell. (bsc#1199492)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3565-1
Released:    Tue Oct 11 16:17:38 2022
Summary:     Recommended update for libzypp, zypper
Type:        recommended
Severity:    critical
References:  1189282,1201972,1203649
This update for libzypp, zypper fixes the following issues:

libzypp:
 
- Enable 'zck' support for SUSE Linux Enterprise 15 Service Pack 4 and newer (bsc#1189282)
- Fix regression leading to `-allow-vendor-change` and `no-allow-vendor-change` options being ignored (bsc#1201972)
- Remove migration code that is no longer needed (bsc#1203649)
- Store logrotate files in vendor specif directory '/usr/etc/logrotate.d' if so defined

zypper:

- Fix contradiction in the man page: `--download-in-advance` option is the default behavior
- Fix regression leading to `-allow-vendor-change` and `no-allow-vendor-change` options being ignored (bsc#1201972)
- Fix tests to use locale 'C.UTF-8' rather than 'en_US'
- Make sure 'up' respects solver related CLI options (bsc#1201972)
- Remove unneeded code to compute the PPP status because it is now auto established
- Store logrotate files in vendor specif directory '/usr/etc/logrotate.d' if so defined

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3597-1
Released:    Mon Oct 17 13:13:16 2022
Summary:     Security update for expat
Type:        security
Severity:    important
References:  1203438,CVE-2022-40674
This update for expat fixes the following issues:

- CVE-2022-40674: Fixed use-after-free in the doContent function in xmlparse.c (bsc#1203438).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3683-1
Released:    Fri Oct 21 11:48:39 2022
Summary:     Security update for libksba
Type:        security
Severity:    critical
References:  1204357,CVE-2022-3515
This update for libksba fixes the following issues:

  - CVE-2022-3515: Fixed a possible overflow in the TLV parser (bsc#1204357).


The following package changes have been done:

- aaa_base-84.87+git20180409.04c9dae-150300.10.3.1 updated
- glibc-2.31-150300.41.1 updated
- libassuan0-2.5.5-150000.4.3.1 updated
- libeconf0-0.4.4+git20220104.962774f-150300.3.8.1 updated
- libexpat1-2.2.5-150000.3.22.1 updated
- libgcc_s1-11.3.0+git1637-150000.1.11.2 updated
- libksba8-1.3.5-150000.4.3.1 updated
- libsqlite3-0-3.39.3-150000.3.17.1 updated
- libstdc++6-11.3.0+git1637-150000.1.11.2 updated
- libtirpc-netconfig-1.2.6-150300.3.14.1 updated
- libtirpc3-1.2.6-150300.3.14.1 updated
- libzypp-17.31.2-150200.45.1 updated
- perl-base-5.26.1-150300.17.11.1 updated
- perl-5.26.1-150300.17.11.1 updated
- permissions-20181225-150200.23.15.1 updated
- rpm-ndb-4.14.3-150300.49.1 updated
- vim-data-common-9.0.0313-150000.5.25.1 updated
- vim-9.0.0313-150000.5.25.1 updated
- zypper-1.14.57-150200.39.1 updated
- container:sles15-image-15.0.0-17.20.52 updated


More information about the sle-security-updates mailing list