SUSE-CU-2023:2517-1: Security update of suse/manager/4.3/proxy-ssh

sle-security-updates at sle-security-updates at
Thu Aug 3 07:04:20 UTC 2023

SUSE Container Update Advisory: suse/manager/4.3/proxy-ssh
Container Advisory ID : SUSE-CU-2023:2517-1
Container Tags        : suse/manager/4.3/proxy-ssh:4.3.7 , suse/manager/4.3/proxy-ssh: , suse/manager/4.3/proxy-ssh:latest , suse/manager/4.3/proxy-ssh:susemanager-4.3.7 , suse/manager/4.3/proxy-ssh:susemanager-
Container Release     : 9.24.1
Severity              : important
Type                  : security
References            : 1186673 1201627 1207534 1208721 1209229 1209536 1210004 1210999
                        1211418 1211419 1211828 1212260 1212623 1213004 1213008 1213237
                        1213487 1213504 CVE-2022-4304 CVE-2023-2602 CVE-2023-2603 CVE-2023-31484
                        CVE-2023-32001 CVE-2023-3446 CVE-2023-38408 

The container suse/manager/4.3/proxy-ssh was updated. The following patches have been included in this update:

Advisory ID: SUSE-RU-2023:2625-1
Released:    Fri Jun 23 17:16:11 2023
Summary:     Recommended update for gcc12
Type:        recommended
Severity:    moderate
This update for gcc12 fixes the following issues:

- Update to GCC 12.3 release, 0c61aa720e62f1baf0bfd178e283, git1204

  * includes regression and other bug fixes

- Speed up builds with --enable-link-serialization.

- Update embedded newlib to version 4.2.0

Advisory ID: SUSE-SU-2023:2648-1
Released:    Tue Jun 27 09:52:35 2023
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1201627,1207534,CVE-2022-4304
This update for openssl-1_1 fixes the following issues:

- CVE-2022-4304: Reworked the fix for the Timing-Oracle in RSA decryption.
  The previous fix for this timing side channel turned out to cause a
  severe 2-3x performance regression in the typical use case (bsc#1207534).

- Update further expiring certificates that affect the testsuite (bsc#1201627).

Advisory ID: SUSE-SU-2023:2765-1
Released:    Mon Jul  3 20:28:14 2023
Summary:     Security update for libcap
Type:        security
Severity:    moderate
References:  1211418,1211419,CVE-2023-2602,CVE-2023-2603
This update for libcap fixes the following issues:

- CVE-2023-2602: Fixed improper memory release in libcap/psx/psx.c:__wrap_pthread_create() (bsc#1211418).
- CVE-2023-2603: Fixed an integer overflow or wraparound in libcap/cap_alloc.c:_libcap_strdup() (bsc#1211419).

Advisory ID: SUSE-RU-2023:2800-1
Released:    Mon Jul 10 07:35:22 2023
Summary:     Recommended update for openssl-1_1
Type:        recommended
Severity:    moderate
References:  1212623
This update for openssl-1_1 fixes the following issues:

- Check the OCSP RESPONSE in openssl s_client command and terminate
  connection if a revoked certificate is found. [bsc#1212623]

Advisory ID: SUSE-RU-2023:2811-1
Released:    Wed Jul 12 11:56:18 2023
Summary:     Recommended update for libfido2, python-fido2, yubikey-manager, yubikey-manager-qt
Type:        recommended
Severity:    moderate
This update for libfido2, python-fido2, yubikey-manager, yubikey-manager-qt fixes the following issues:

This update provides a feature update to the FIDO2 stack.

Changes in libfido2:

- Version 1.13.0 (2023-02-20)

    * New API calls:

      + fido_assert_empty_allow_list;
      + fido_cred_empty_exclude_list.

    * fido2-token: fix issue when listing large blobs.

- Version 1.12.0 (2022-09-22)

  * Support for COSE_ES384.
  * Improved support for FIDO 2.1 authenticators.

  * New API calls:

    + es384_pk_free;
    + es384_pk_from_EC_KEY;
    + es384_pk_from_EVP_PKEY;
    + es384_pk_from_ptr;
    + es384_pk_new;
    + es384_pk_to_EVP_PKEY;
    + fido_cbor_info_certs_len;
    + fido_cbor_info_certs_name_ptr;
    + fido_cbor_info_certs_value_ptr;
    + fido_cbor_info_maxrpid_minpinlen;
    + fido_cbor_info_minpinlen;
    + fido_cbor_info_new_pin_required;
    + fido_cbor_info_rk_remaining;
    + fido_cbor_info_uv_attempts;
    + fido_cbor_info_uv_modality.

   * Documentation and reliability fixes.

- Version 1.11.0 (2022-05-03)

  * Experimental PCSC support; enable with -DUSE_PCSC.
  * Improved OpenSSL 3.0 compatibility.
  * Use RFC1951 raw deflate to compress CTAP 2.1 largeBlobs.
  * winhello: advertise 'uv' instead of 'clientPin'.
  * winhello: support hmac-secret in fido_dev_get_assert().
  * New API calls:

    + fido_cbor_info_maxlargeblob.

  * Documentation and reliability fixes.
  * Separate build and regress targets.

- Version 1.10.0 (2022-01-17)

  * bio: fix CTAP2 canonical CBOR encoding in fido_bio_dev_enroll_*(); gh#480.
  * New API calls:

     - fido_dev_info_set;
     - fido_dev_io_handle;
     - fido_dev_new_with_info;
     - fido_dev_open_with_info.
  * Cygwin and NetBSD build fixes.
  * Documentation and reliability fixes.
  * Support for TPM 2.0 attestation of COSE_ES256 credentials.

- Version 1.9.0 (2021-10-27)

  * Enabled NFC support on Linux.
  * Support for FIDO 2.1 'minPinLength' extension.
  * Support for COSE_EDDSA, COSE_ES256, and COSE_RS1 attestation.
  * Support for TPM 2.0 attestation.
  * Support for device timeouts; see fido_dev_set_timeout().
  * New API calls:

       - es256_pk_from_EVP_PKEY;
       - fido_cred_attstmt_len;
       - fido_cred_attstmt_ptr;
       - fido_cred_pin_minlen;
       - fido_cred_set_attstmt;
       - fido_cred_set_pin_minlen;
       - fido_dev_set_pin_minlen_rpid;
       - fido_dev_set_timeout;
       - rs256_pk_from_EVP_PKEY.

  * Reliability and portability fixes.
  * Better handling of HID devices without identification strings; gh#381.

- Update to version 1.8.0:

	* Better support for FIDO 2.1 authenticators.
	* Support for attestation format 'none'.
	* New API calls:

		- fido_assert_set_clientdata;
		- fido_cbor_info_algorithm_cose;
		- fido_cbor_info_algorithm_count;
		- fido_cbor_info_algorithm_type;
		- fido_cbor_info_transports_len;
		- fido_cbor_info_transports_ptr;
		- fido_cred_set_clientdata;
		- fido_cred_set_id;
		- fido_credman_set_dev_rk;
		- fido_dev_is_winhello.

	* fido2-token: new -Sc option to update a resident credential.
	* Documentation and reliability fixes.
	* HID access serialisation on Linux.

- Update to version 1.7.0:

  * hid_win: detect devices with vendor or product IDs > 0x7fff
  * Support for FIDO 2.1 authenticator configuration.
  * Support for FIDO 2.1 UV token permissions.
  * Support for FIDO 2.1 'credBlobs' and 'largeBlobs' extensions.
  * New API calls
  * New fido_init flag to disable fido_dev_open’s U2F fallback
  * Experimental NFC support on Linux.

- Enabled hidapi again, issues related to hidapi are fixed upstream

- Update to version 1.6.0:

  * Documentation and reliability fixes.

  * New API calls:

    + fido_cred_authdata_raw_len;
    + fido_cred_authdata_raw_ptr;
    + fido_cred_sigcount;
    + fido_dev_get_uv_retry_count;
    + fido_dev_supports_credman.
  * Hardened Windows build.
  * Native FreeBSD and NetBSD support.
  * Use CTAP2 canonical CBOR when combining hmac-secret and credProtect.

- Create a udev subpackage and ship the udev rule.

Changes in python-fido2:

- update to 0.9.3:

  * Don't fail device discovery when hidraw doesn't support HIDIOCGRAWUNIQ
  * Support the latest Windows webauthn.h API (included in Windows 11).
  * Add product name and serial number to HidDescriptors.
  * Remove the need for the uhid-freebsd dependency on FreeBSD.

- Update to version 0.9.1

  * Add new CTAP error codes and improve handling of unknown codes.
  * Client: API changes to better support extensions.
  * Client.make_credential now returns a AuthenticatorAttestationResponse,
    which holds the AttestationObject and ClientData, as well as any
    client extension results for the credential.
  * Client.get_assertion now returns an AssertionSelection object,
    which is used to select between multiple assertions
  * Renames: The CTAP1 and CTAP2 classes have been renamed to
    Ctap1 and Ctap2, respectively.
  * ClientPin: The ClientPin API has been restructured to support
    multiple PIN protocols, UV tokens, and token permissions.
  * CTAP 2.1 PRE: Several new features have been added for CTAP 2.1
  * HID: The platform specific HID code has been revamped

- Version 0.8.1 (released 2019-11-25)

  * Bugfix: WindowsClient.make_credential error when resident key requirement is unspecified.

- Version 0.8.0 (released 2019-11-25)

  * New fido2.webauthn classes modeled after the W3C WebAuthn spec introduced.
  * CTAP2 send_cbor/make_credential/get_assertion and U2fClient request/authenticate timeout arguments replaced with event used to cancel a request.
  * Fido2Client:

    - make_credential/get_assertion now take WebAuthn options objects.
    - timeout is now provided in ms in WebAuthn options objects. Event based cancelation also available by passing an Event.

  * Fido2Server:

    - ATTESTATION, USER_VERIFICATION, and AUTHENTICATOR_ATTACHMENT enums have been replaced with fido2.webauthn classes.
    - RelyingParty has been replaced with PublicKeyCredentialRpEntity, and name is no longer optional.
    - Options returned by register_begin/authenticate_begin now omit unspecified values if they are optional, instead of filling in default values.
    - Fido2Server.allowed_algorithms now contains a list of PublicKeyCredentialParameters instead of algorithm identifiers.
    - Fido2Server.timeout is now in ms and of type int.

  * Support native WebAuthn API on Windows through WindowsClient.

- Version 0.7.2 (released 2019-10-24)

  * Support for the TPM attestation format.
  * Allow passing custom challenges to register/authenticate in Fido2Server.
  * Bugfix: CTAP2 CANCEL command response handling fixed.
  * Bugfix: Fido2Client fix handling of empty allow_list.
  * Bugfix: Fix typo in CTAP2.get_assertions() causing it to fail.

- Version 0.7.1 (released 2019-09-20)

  * Enforce canonical CBOR on Authenticator responses by default.
  * PCSC: Support extended APDUs.
  * Server: Verify that UP flag is set.
  * U2FFido2Server: Implement AppID exclusion extension.
  * U2FFido2Server: Allow custom U2F facet verification.
  * Bugfix: U2FFido2Server.authenticate_complete now returns the result.

- Version 0.7.0 (released 2019-06-17)

  * Add support for NFC devices using PCSC.
  * Add support for the hmac-secret Authenticator extension.
  * Honor max credential ID length and number of credentials to Authenticator.
  * Add close() method to CTAP devices to explicitly release their resources.

- Version 0.6.0 (released 2019-05-10)

  * Don't fail if CTAP2 Info contains unknown fields.
  * Replace cbor loads/dumps functions with encode/decode/decode_from.
  * Server: Add support for AuthenticatorAttachment.
  * Server: Add support for more key algorithms.
  * Client: Expose CTAP2 Info object as 

Changes in yubikey-manager:

- Update to version 4.0.9 (released 2022-06-17)

  * Dependency: Add support for python-fido2 1.x
  * Fix: Drop stated support for Click 6 as features from 7 are being used.

- Update to version 4.0.8 (released 2022-01-31)

  * Bugfix: Fix error message for invalid modhex when programing a YubiOTP credential.
  * Bugfix: Fix issue with displaying a Steam credential when it is the only account.
  * Bugfix: Prevent installation of files in site-packages root.
  * Bugfix: Fix cleanup logic in PIV for protected management key.
  * Add support for token identifier when programming slot-based HOTP.
  * Add support for programming NDEF in text mode.
  * Dependency: Add support for Cryptography ⇐ 38.

- version update to 4.0.7

  ** Bugfix release: Fix broken naming for 'YubiKey 4', and a small OATH issue with
      touch Steam credentials.

- version 4.0.6 (released 2021-09-08)

   ** Improve handling of YubiKey device reboots.
   ** More consistently mask PIN/password input in prompts.
   ** Support switching mode over CCID for YubiKey Edge.
   ** Run pkill from PATH instead of fixed location.

- version 4.0.5 (released 2021-07-16)

   ** Bugfix: Fix PIV feature detection for some YubiKey NEO versions.
   ** Bugfix: Fix argument short form for --period when adding TOTP credentials.
   ** Bugfix: More strict validation for some arguments, resulting in better error messages.
   ** Bugfix: Correctly handle TOTP credentials using period != 30 AND touch_required.
   ** Bugfix: Fix prompting for access code in the otp settings command (now uses '-A -').

- Update to version 4.0.3

  * Add support for fido reset over NFC.
  * Bugfix: The --touch argument to piv change-management-key was
  * Bugfix: Don’t prompt for password when importing PIV key/cert
    if file is invalid.
  * Bugfix: Fix setting touch-eject/auto-eject for YubiKey 4 and NEO.
  * Bugfix: Detect PKCS#12 format when outer sequence uses
    indefinite length.
  * Dependency: Add support for Click 8.

- Update to version 4.0.2

  * Update device names
  * Add read_info output to the --diagnose command, and show
    exception types.
  * Bugfix: Fix read_info for YubiKey Plus.
  * Add support for YK5-based FIPS YubiKeys.
  * Bugfix: Fix OTP device enumeration on Win32.
  * Drop reliance on libusb and libykpersonalize.
  * Support the 'fido' and 'otp' subcommands over NFC
  * New 'ykman --diagnose' command to aid in troubleshooting.
  * New 'ykman apdu' command for sending raw APDUs over the smart
    card interface.
  * New 'yubikit' package added for custom development and advanced
  * OpenPGP: Add support for KDF enabled YubiKeys.
  * Static password: Add support for FR, IT, UK and BEPO keyboard

- Update to 3.1.1

  * Add support for YubiKey 5C NFC
  * OpenPGP: set-touch now performs compatibility checks before prompting for PIN
  * OpenPGP: Improve error messages and documentation for set-touch
  * PIV: read-object command no longer adds a trailing newline
  * CLI: Hint at missing permissions when opening a device fails
  * Linux: Improve error handling when pcscd is not running
  * Windows: Improve how .DLL files are loaded, thanks to Marius Gabriel Mihai for reporting this!
  * Bugfix: set-touch now accepts the cached-fixed option
  * Bugfix: Fix crash in OtpController.prepare_upload_key() error parsing
  * Bugfix: Fix crash in piv info command when a certificate slot contains an invalid certificate
  * Library: PivController.read_certificate(slot) now wraps certificate parsing exceptions in new exception type InvalidCertificate
  * Library: PivController.list_certificates() now returns None for slots containing invalid certificate, instead of raising an exception

- Version 3.1.0 (released 2019-08-20)

  * Add support for YubiKey 5Ci
  * OpenPGP: the info command now prints OpenPGP specification version as well
  * OpenPGP: Update support for attestation to match OpenPGP v3.4
  * PIV: Use UTC time for self-signed certificates
  * OTP: Static password now supports the Norman keyboard layout

- Version 3.0.0 (released 2019-06-24)

  * Add support for new YubiKey Preview and lightning form factor
  * FIDO: Support for credential management
  * OpenPGP: Support for OpenPGP attestation, cardholder certificates and
    cached touch policies
  * OTP: Add flag for using numeric keypad when sending digits 

- Version 2.1.1 (released 2019-05-28)

  * OTP: Add initial support for uploading Yubico OTP credentials to YubiCloud
  * Don’t automatically select the U2F applet on YubiKey NEO, it might be
    blocked by the OS
  * ChalResp: Always pad challenge correctly
  * Bugfix: Don’t crash with older versions of cryptography
  * Bugfix: Password was always prompted in OATH command, even if sent as

Changes in yubikey-manager-qt:

- update to 1.2.5:

  * Compatibility update for ykman 5.0.1.
  * Update to Python 3.11.
  * Update product images.

- Update to version 1.2.4 (released 2021-10-26)

  * Update device names and images.
  * PIV: Fix import of certificate.

- Update to version 1.2.3

  * Improved error handling when using Security Key Series devices.
  * PIV: Fix generation of certificate in slot 9c.

- Update to version 1.2.2

  * Fix detection of YubiKey Plus
  * Compatibility update for yubikey-manager 4.0
  * Bugfix: Device caching with multiple devices
  * Drop dependencies on libusb and libykpers.
  * Add additional product names and images

- update to 1.1.5

  * Add support for YubiKey 5C NFC

- Update to version 1.1.4

 * OTP: Add option to upload YubiOTP credential to YubiCloud
 * Linux: Show hint about pcscd service if opening device fails
 * Bugfix: Signal handling now compatible with Python 3.8

- Version 1.1.3 (released 2019-08-20)

  * Add suppport for YubiKey 5Ci
  * PIV: Use UTC time for self-signed certificates

- Version 1.1.2 (released 2019-06-24)

  * Add support for new YubiKey Preview
  * PIV: The popup for the management key now have a 'Use default' option
  * Windows: Fix issue with importing PIV certificates
  * Bugfix: generate static password now works correctly 

Advisory ID: SUSE-RU-2023:2827-1
Released:    Fri Jul 14 11:27:47 2023
Summary:     Recommended update for libxml2
Type:        recommended
Severity:    moderate
This update for libxml2 fixes the following issues:

- Build also for modern python version (jsc#PED-68)

Advisory ID: SUSE-RU-2023:2847-1
Released:    Mon Jul 17 08:40:42 2023
Summary:     Recommended update for audit
Type:        recommended
Severity:    moderate
References:  1210004
This update for audit fixes the following issues:

- Check for AF_UNIX unnamed sockets (bsc#1210004)
- Enable livepatching on main library on x86_64

Advisory ID: SUSE-RU-2023:2855-1
Released:    Mon Jul 17 16:35:21 2023
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    moderate
References:  1212260
This update for openldap2 fixes the following issues:

- libldap2 crashes on ldap_sasl_bind_s (bsc#1212260)

Advisory ID: SUSE-SU-2023:2882-1
Released:    Wed Jul 19 11:49:39 2023
Summary:     Security update for perl
Type:        security
Severity:    important
References:  1210999,CVE-2023-31484
This update for perl fixes the following issues:

  - CVE-2023-31484: Enable TLS cert verification in CPAN (bsc#1210999).

Advisory ID: SUSE-RU-2023:2885-1
Released:    Wed Jul 19 16:58:43 2023
Summary:     Recommended update for glibc
Type:        recommended
Severity:    moderate
References:  1208721,1209229,1211828
This update for glibc fixes the following issues:

- getlogin_r: fix missing fallback if loginuid is unset (bsc#1209229, BZ #30235)
- Exclude static archives from preparation for live patching (bsc#1208721)
- resolv_conf: release lock on allocation failure (bsc#1211828, BZ #30527)

Advisory ID: SUSE-SU-2023:2891-1
Released:    Wed Jul 19 21:14:33 2023
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1213237,CVE-2023-32001
This update for curl fixes the following issues:

- CVE-2023-32001: Fixed TOCTOU race condition (bsc#1213237).

Advisory ID: SUSE-RU-2023:2922-1
Released:    Thu Jul 20 18:34:03 2023
Summary:     Recommended update for libfido2
Type:        recommended
Severity:    moderate
This update for libfido2 fixes the following issues:

- Use openssl 1.1 still on SUSE Linux Enterprise 15 to avoid pulling unneeded
  openssl-3 dependency. (jsc#PED-4521)

Advisory ID: SUSE-SU-2023:2945-1
Released:    Mon Jul 24 09:37:30 2023
Summary:     Security update for openssh
Type:        security
Severity:    important
References:  1186673,1209536,1213004,1213008,1213504,CVE-2023-38408
This update for openssh fixes the following issues:

- CVE-2023-38408: Fixed a condition where specific libaries loaded via
  ssh-agent(1)'s PKCS#11 support could be abused to achieve remote code
  execution via a forwarded agent socket if those libraries were present on the
  victim's system and if the agent was forwarded to an attacker-controlled
  system. [bsc#1213504, CVE-2023-38408]

- Close the right filedescriptor and also close fdh in read_hmac to avoid file
  descriptor leaks. [bsc#1209536]

- Attempts to mitigate instances of secrets lingering in memory after a session
  exits. [bsc#1186673, bsc#1213004, bsc#1213008]

Advisory ID: SUSE-SU-2023:2962-1
Released:    Tue Jul 25 09:34:53 2023
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1213487,CVE-2023-3446
This update for openssl-1_1 fixes the following issues:

- CVE-2023-3446: Fixed DH_check() excessive time with over sized modulus (bsc#1213487).

The following package changes have been done:

- libldap-data-2.4.46-150200.14.17.1 updated
- glibc-2.31-150300.52.2 updated
- perl-base-5.26.1-150300.17.14.1 updated
- libcap2-2.63-150400.3.3.1 updated
- libaudit1-3.0.6-150400.4.10.1 updated
- libgcc_s1-12.3.0+git1204-150000.1.10.1 updated
- libstdc++6-12.3.0+git1204-150000.1.10.1 updated
- libxml2-2-2.9.14-150400.5.19.1 updated
- libopenssl1_1-1.1.1l-150400.7.48.1 updated
- libopenssl1_1-hmac-1.1.1l-150400.7.48.1 updated
- libldap-2_4-2-2.4.46-150200.14.17.1 updated
- libcurl4-8.0.1-150400.5.26.1 updated
- libhidapi-hidraw0-0.10.1-1.6 added
- openssh-common-8.4p1-150300.3.22.1 updated
- libfido2-1-1.13.0-150400.5.6.1 updated
- openssh-fips-8.4p1-150300.3.22.1 updated
- openssh-server-8.4p1-150300.3.22.1 updated
- openssh-clients-8.4p1-150300.3.22.1 updated
- openssh-8.4p1-150300.3.22.1 updated
- libfido2-udev-1.5.0-1.30 removed

More information about the sle-security-updates mailing list