SUSE-CU-2023:332-1: Security update of suse/manager/4.3/proxy-salt-broker

sle-security-updates at lists.suse.com
Sat Feb 11 08:03:25 UTC 2023


SUSE Container Update Advisory: suse/manager/4.3/proxy-salt-broker
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:332-1
Container Tags        : suse/manager/4.3/proxy-salt-broker:4.3.4 , suse/manager/4.3/proxy-salt-broker:4.3.4.9.15.1 , suse/manager/4.3/proxy-salt-broker:latest
Container Release     : 9.15.1
Severity              : important
Type                  : security
References            : 1111657 1144506 1148184 1175622 1177460 1179584 1186870 1188882
                        1194038 1196205 1199282 1199467 1200581 1200723 1203274 1203652
                        1204585 1204867 1204944 1205000 1205502 1205646 1206212 1206308
                        1206309 1206337 1206412 1206579 1206622 1207182 1207264 1207533
                        1207534 1207536 1207538 944832 CVE-2022-4304 CVE-2022-43551
                        CVE-2022-43552 CVE-2022-4415 CVE-2022-4450 CVE-2022-46908
                        CVE-2022-47629 CVE-2023-0215 CVE-2023-0286
-----------------------------------------------------------------

The container suse/manager/4.3/proxy-salt-broker was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:4491-1
Released:    Wed Dec 14 13:31:51 2022
Summary:     Recommended update for libsodium, python-Django, python-PyNaCl, python-cffi, python-hypothesis, python-packaging, python-readthedocs-sphinx-ext, python-semver, python-sphinx_rtd_theme
Type:        recommended
Severity:    important
References:  1111657,1144506,1148184,1186870,1199282
This update for libsodium, python-Django, python-PyNaCl, python-cffi, python-hypothesis, python-packaging, python-readthedocs-sphinx-ext, python-semver, python-sphinx_rtd_theme fixes the following issues:

libsodium:

- Version update from 1.0.16 to 1.0.18 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
  * Enterprise versions of Visual Studio are now supported
  * Visual Studio 2019 is now supported
  * 32-bit binaries for Visual Studio 2010 are now provided
  * Emscripten: print and printErr functions are overridden to send errors to the console, if there is one
  * Emscripten: UTF8ToString() is now exported since Pointer_stringify() has been deprecated
  * Libsodium version detection has been fixed in the CMake recipe
  * Generic hashing got a 10% speedup on AVX2.
  * New target: WebAssembly/WASI (compile with dist-builds/wasm32-wasi.sh)
  * New functions to map a hash to an edwards25519 point or get a random point: core_ed25519_from_hash() and core_ed25519_random()
  * crypto_core_ed25519_scalar_mul() has been implemented for scalar*scalar (mod L) multiplication
  * Support for the Ristretto group has been implemented for interoperability with wasm-crypto
  * Improvements have been made to the test suite
  * Portability improvements have been made
  * 'randombytes_salsa20' has been renamed to 'randombytes_internal'
  * Support for NativeClient has been removed
  * Most ((nonnull)) attributes have been relaxed to allow 0-length inputs to be NULL.
  * The -ftree-vectorize and -ftree-slp-vectorize compiler switches are now used, if available, for optimized builds
  * For the full list of changes please consult the packaged ChangeLog
- Disable LTO to bypass build failures on Power PC architecture (bsc#1148184)

python-cffi:
    
- Version update from 1.11.2 to 1.15.0 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
  * Fixed MANIFEST.in to include missing file for Windows arm64 support
  * Fixed Linux wheel build to use gcc default ISA for libffi
  * Updated setup.py Python trove specifiers to currently-tested Python versions
  * CPython 3.10 support (including wheels)
  * MacOS arm64 support (including wheels)
  * Initial Windows arm64 support
  * Misc. doc and test updates
- Use a proper void-returning function in the tests so that they do not corrupt memory (bsc#1111657)
    
python-Django:
    
- New package at version 2.0.7 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)


python-hypothesis:
    
- Version update from 3.40.1 to 3.76.0 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
  * This release deprecates using floats for min_size and max_size
  * The type hint for average_size arguments has been changed from Optional[int] to None, because non-None values are
    always ignored and deprecated.
  * Fix a broken link in a docstring
  * Deprecate the use of 'min_size=None', setting the default min_size to 0
  * Strategies are now fully constructed and validated before the timer is started
  * Fix some broken formatting and links in the documentation
  * Check that the value of the print_blob setting is a PrintSettings instance
  * Being able to specify a boolean value was not intended, and is now deprecated. In addition, specifying True will
    now cause the blob to always be printed, instead of causing it to be suppressed.
  * Specifying any value that is not a PrintSettings or a boolean is now an error
  * Changes the documentation for hypothesis.strategies.datetimes, hypothesis.strategies.dates,
    hypothesis.strategies.times to use the new parameter names min_value and max_value instead of the deprecated names
  * Ensure that Hypothesis deprecation warnings display the code that emitted them when you’re not running in -Werror
    mode
  * For the full list of changes please consult the changelog at 
    https://hypothesis.readthedocs.io/en/latest/changes.html#v3-76-0

python-packaging:
   
- Version update from 16.8 to 21.3 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
  * Fix testsuite on big-endian targets
  * Ignore python3.6.2 since the test doesn't support it 
  * Replace the blank pyparsing 3 exclusion with a 3.0.5 exclusion
  * Fix a spelling mistake
  * Work around dependency generator issues (bsc#1186870) 
  * Remove dependency on attrs (bsc#1144506)
  * Update documentation entry for 21.1.
  * Update pin to pyparsing to exclude 3.0.0.
  * PEP 656: musllinux support
  * Drop support for Python 2.7, Python 3.4 and Python 3.5.
  * Replace distutils usage with sysconfig
  * Add support for zip files in `parse_sdist_filename`
  * Use cached `_hash` attribute to short-circuit tag equality comparisons
  * Specify the default value for the `specifier` argument to `SpecifierSet`
  * Proper keyword-only 'warn' argument in packaging.tags
  * Correctly remove prerelease suffixes from ~= check
  * Fix type hints for `Version.post` and `Version.dev`
  * Use typing alias `UnparsedVersion`
  * Improve type inference for `packaging.specifiers.filter()`
  * Tighten the return type of `canonicalize_version()`
  * For the full list of changes please consult the packaged CHANGELOG file

python-PyNaCl:
    
- Version update from 1.2.1 to 1.4.0 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
  * Add dependency requirement to python-six, needed by the testsuite 
  * Update `libsodium` to 1.0.18.
  * **BACKWARDS INCOMPATIBLE:** We no longer distribute 32-bit `manylinux1`
    wheels. Continuing to produce them was a maintenance burden.
  * Added support for Python 3.8, and removed support for Python 3.4.
  * Add low level bindings for extracting the seed and the public key
    from crypto_sign_ed25519 secret key
  * Add low level bindings for deterministic random generation.
  * Add `wheel` and `setuptools` setup_requirements in `setup.py`
  * Fix checks on very slow builders (#481, #495)
  * Add low-level bindings to ed25519 arithmetic functions
  * Update low-level blake2b state implementation
  * Fix wrong short-input behavior of SealedBox.decrypt()
  * Raise CryptPrefixError exception instead of InvalidkeyError when trying
    to check a password against a verifier stored in a unknown format
  * Add support for minimal builds of libsodium. Trying to call functions
    not available in a minimal build will raise an UnavailableError
    exception. To compile a minimal build of the bundled libsodium, set
    the SODIUM_INSTALL_MINIMAL environment variable to any non-empty
    string (e.g. `SODIUM_INSTALL_MINIMAL=1`) for setup.
    
python-semver:
    
- New package at version 2.13.0 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)

python-sphinx_rtd_theme:
  
- Version update from 0.2.4 to 0.5.1 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
  * Add github, gitlab, bitbucket page arguments option
  * Add html language attribute
  * Add language to the JS output variable
  * Add open list spacing
  * Add option to style external links
  * Add pygments support
  * Add setuptools entry point allowing to use sphinx_rtd_theme as Sphinx html_theme directly.
  * Add Sphinx as a dependency
  * Allow setting 'rel' and 'title' attributes for stylesheets
  * Changed code and literals to use a native font stack
  * Color accessibility improvements on the left navigation
  * Compress our Javascript files
  * Do not rely on readthedocs.org for CSS/JS
  * Fix line height adjustments for Liberation Mono
  * Fix line number spacing to align with the code lines
  * Fix many sidebar glitches
  * Fix many styling issues
  * Fix mkdocs version selector
  * Fix small styling issues
  * Fix some HTML warnings and errors
  * Fix table centering
  * Hide Edit links on auto created pages
  * Include missing font files with the theme
  * Updated dependencies
  * Write theme version and build date at top of JavaScript and CSS

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:4597-1
Released:    Wed Dec 21 10:13:11 2022
Summary:     Security update for curl
Type:        security
Severity:    important
References:  1206308,1206309,CVE-2022-43551,CVE-2022-43552
This update for curl fixes the following issues:

- CVE-2022-43552: HTTP Proxy deny use-after-free (bsc#1206309).
- CVE-2022-43551: Fixed HSTS bypass via IDN (bsc#1206308).

-----------------------------------------------------------------
Advisory ID: SUSE-feature-2022:4601-1
Released:    Wed Dec 21 12:23:59 2022
Summary:     Feature update for GNOME 41
Type:        feature
Severity:    moderate
References:  1175622,1179584,1188882,1196205,1200581,1203274,1204867,944832
This update for GNOME 41 fixes the following issues:

atkmm1_6:

- Version update from 2.28.1 to 2.28.3 (jsc#PED-2235):
  * Meson build: Avoid unnecessary configuration warnings
  * Meson build: Perl is not required by new versions of mm-common
  * Meson build: Require meson >= 0.55.0
  * Meson build: Specify 'check' option in run_command(). Will be necessary with future versions of Meson.
  * Require atk >= 2.12.0. Not a new requirement, but previously it was not specified in configure.ac and meson.build
  * Support building with Visual Studio 2022

eog:

- Version update from 41.1 to 41.2 (jsc#PED-2235):
  * eog-window: use correct type for display_profile
  * Fix discovery of Evince for multi-page images

evince:

- Version update from 41.3 to 41.4 (jsc#PED-2235):
  * shell: Fix failures when thumbnail extraction takes too long
  * Fix build with meson 0.60.0 and newer

evolution:
    
- Ensure evolution-devel is forward compatible with evolution-data-server-devel in the same major version (jsc#PED-2235)
    
evolution-data-server:

- Version update from 3.42.4 to 3.42.5 (jsc#PED-2235):
  * Google OAuth out-of-band (oob) flow will be deprecated

folks:

- Version update from 0.15.3 to 0.15.5 (jsc#PED-2235):
  * vapi: Add missing generic type argument
  * Fix docs build against newer eds version
  * Fix build against newer eds version
  * Remove volatile keyword from tests

gcr:

- Version update from 3.41.0 to 3.41.1 (jsc#PED-2235):
  * Add G_SPAWN_CLOEXEC_PIPES flag to all the g_spawn commands
  * Add gi-docgen dependency which is needed by the docs
  * Fix build with meson 0.60.0 and newer
  * Fix build without systemd 
  * Several CI fixes

geocode-glib:

- Version update from 3.26.2 to 3.26.4 (jsc#PED-2235):
  * Fix a test data file not being installed, and fix a bug in the libsoup3 port
  * Add support for libsoup 3.x

gjs:

- Version update from 1.70.1 to 1.70.2 (jsc#PED-2235):
  * Build and compatibility fixes backported from the development branch
  * Reverse order of running-from-source checks
- Require xorg-x11-Xvfb for proper package build (bsc#1203274)


glib2:

- Version update from 2.70.4 to 2.70.5 (jsc#PED-2235):
  * Bugs fixed: glgo#GNOME/GLib#2620, glgo#GNOME/GLib!2537, glgo#GNOME/GLib!2555
  * Split gtk-docs from -devel package, these are not needed during building projects using glib2


gnome-control-center:

- Fix the size of logo icon in About system (bsc#1200581)
- Version update from 41.4 to 41.7 (jsc#PED-2235):
  * Cellular: Remove duplicate line from .desktop
  * Info: Allow changing 'Device Name' by pressing 'Enter'
  * Info: Remove trailing space after CPU name
  * Keyboard: Fix crash resetting all keyboard shortcuts
  * Keyboard: Fix leaks
  * Network: Fix saving passwords for non-wifi connections
  * Network: Fix critical when opening VPN details page
  * Wacom: Fix leaks

gnome-desktop:

- Version update from 41.2 to 41.8 (jsc#PED-2235):
  * Version increase but no actual changes

gnome-music:

- Version update from 41.0 to 41.1 (jsc#PED-2235):
  * Ensure the correct album is played
  * Fix build with meson 0.61.0 and newer
  * Fix crash on empty selection
  * Fix incorrect playlist import
  * Fix time displayed in RTL languages
  * Improve async queue work
  * Make random shuffle actually random
  * Make shuffle random
  * Speed increase on first startup on larger collections
  * Time is reversed in RTL

gnome-remote-desktop:

- Version update from 41.2 to 41.3 (jsc#PED-2235):
  * Add Icelandic translation

gnome-session:

- Clear error messages that can be ignored because they are expected to happen for GDM sessions (bsc#1204867)
- Add fix for gnome-session to exit immediately when its name on the bus is lost (bsc#1175622, bsc#1188882)
  
gnome-shell:

- Disable offline update suggestion before shutdown/reboot in SLE and openSUSE Leap (bsc#944832)
- Version update from 41.4 to 41.9 (jsc#PED-2235):
  * Allow extension updates with only Extension Manager installed
  * Allow more intermediate icon sizes in app grid
  * Disable workspace switching while in search.
  * Do not create systemd scope for D-Bus activated apps
  * Fix calendar to correctly align world clocks header in RTL
  * Fix drag placeholder position in dash in RTL locales
  * Fix edge case where windows stay dimmed after a modal is closed
  * Fix feedback when turning on a11y features by keyboard
  * Fix focus tracking in magnifier on wayland
  * Fix fractional timezone offsets in world clock
  * Fix glitches in overview transition
  * Fix logging in with realmd
  * Fix memory leak
  * Fix opening device settings for enterprise WPA networks
  * Fix programmatically set scrollview fade
  * Fix regression in ibus support
  * Fix unresponsive top bar in overview when in fullscreen
  * Handle monitor changes during startup animation
  * Hide overview after 'Show Details' from app context menu
  * Improve Belgian on-screen keyboard layout
  * Improve CSS shadow appearance
  * Make sure startup animation completes
  * Misc. bug fixes and cleanups
  * Only close messages via delete key if they can be closed
  * Respect IM hint for candidates list in on-screen keyboard
    
gnome-software:

- Disable offline update feature in SUSE Linux Enterprise and openSUSE Leap (bsc#944832)
- Version update from 41.4 to 41.5 (jsc#PED-2235):
  * Added several appstream-related fixes
  * Disable scroll-by-mouse-wheel on featured carousel
  * Ensure details page shows app provided on command line


gnome-terminal:

- Version update from 3.42.2 to 3.42.3 (jsc#PED-2235):
  * Fix build with meson 0.61.0 and newer
  * window: Use a normal menu for the popup menu

gnome-user-docs:

- Version update from 41.1 to 41.5 (jsc#PED-2235):
  * Added missing icon for network-wired-symbolic

gspell:

- Version update from 1.8.4 to 1.10.0 (jsc#PED-2235):
  * Build: distribute more files in tarballs
  * Documentation improvements

gtkmm3:

- Version update from 3.24.5 to 3.24.6 (jsc#PED-2235):
  * Build with Meson: MSVC build: Support Visual Studio 2022
  * Check if Perl is required for building documentation
  * Don't use deprecated python3.path() and execute (..., gui_app...)
  * GTK: TreeValueProxy: Declare copy constructor = default, avoiding warnings from the clang++ compiler
  * Object::_release_c_instance(): Unref orphan managed widgets
  * SizeGroup demo: Set active items in the combo boxes, so something is shown
  * Specify 'check' option in run_command()

gtk-vnc:

- Version update from 1.3.0 to 1.3.1 (jsc#PED-2235):
  * Add 'check' arg to meson run_command()
  * Fix invalid use of subprojects with meson
  * Support ZRLE encoding for zero size alpha cursors

gupnp-av:

- Version update from 0.12.11 to 0.14.1 (jsc#PED-2235):
  * Add utility function to format GDateTime to the iso variant DIDL expects
  * Allow to be used as a subproject
  * Drop autotools
  * Fix stripping @refID
  * Fix unsetting subtitleFileType
  * Make Feature derivable again
  * Obsolete code removal.
  * Port to modern GObject
  * Remove hand-written ref-counting, use RcBox/AtomicRcBox instead.
  * Switch to meson build system, following upstream
- Rename libgupnp-av-1_0-2 subpackage to libgupnp-av-1_0-3, correcting the package name to match the provided library
- Conflict with the wrongly provided libgupnp-av-1_0-2
  
gvfs:

- Version update from 1.48.1 to 1.48.2 (jsc#PED-2235):
  * sftp: Adapt on new OpenSSH password prompts
  * smb: Rework anonymous handling to avoid EINVAL
  * smb: Ignore EINVAL for kerberos/ccache login

libgsf:

- Version update from 1.14.48 to 1.14.50 (jsc#PED-2235):
  * Fix error handling problem when writing ole files
  * Fix problems with non-western text in OLE properties
  * Use g_date_time_new_from_iso8601 and g_date_time_format_iso8601 when available

libmediaart:

- Version update from 1.9.5 to 1.9.6 (jsc#PED-2235):
  * build: Add introspection/vapi/tests options
  * build: Use library() to optionally build a static library

libnma:

- Version update from 1.8.32 to 1.8.40 (jsc#PED-2235):
  * Ad-Hoc networks now default to using WPA2 instead of WEP
  * Add possibility of building libnma-gtk4 library with Gtk4 support
  * Do not allow setting empty 802.1x domain for EAP TLS
  * Fixed keyboard accelerator for certificate chooser
  * Fixed libnma-gtk4 version of mobile-wizard
  * Include OWE wireless security option
  * The GtkBuilder files for Gtk4 are now included in the release tarball
  * WEP is no longer provided as an option for connecting to hidden networks due to its deprecated status
- New sub-packages libnma-gtk4-0, typelib-1_0-NMA4-1_0 and libnma-gtk4-devel
- Split out documentation files in own docs sub-package

libnotify:

- Version update from 0.7.10 to 0.7.12 (jsc#PED-2235):
  * Delete unused notifynotification.xml
  * Fix potential build errors with old glib version we require
  * docs/notify-send: Add --transient option to manpage
  * notification: Bookend calling NotifyActionCallback with temporary reference
  * notification: Include sender-pid hint by default if not provided
  * notify-send: Add debug message about server not supporting persistence
  * notify-send: Add explicit option to create transient notifications
  * notify-send: Add support for boolean hints
  * notify-send: Move server capabilities check to a separate function
  * notify-send: Support passing any hint value, by parsing variant strings

libpeas:

- Version update from 1.30.0 to 1.32.0 (jsc#PED-2235):
  * Icon licenses have been corrected
  * Parallel build system operation fixes
  * Use gi-docgen for documentation
  * Various build warnings squashed
  * Various GIR data that should not have been exported was removed
- Stop packaging the demo files/sub-package

librsvg:

- Version update from 2.52.6 to 2.52.9 (jsc#PED-2235):
  * Catch circular references when rendering patterns
  * Fix regressions when computing element geometries
  * Fix regression outputting all text as paths

libsecret:

- Version update from 0.20.4 to 0.20.5 (jsc#PED-2235):
  * Add bash-completion for secret-tool
  * Add locking capabilities to secret tool
  * Add support for TPM2 based secret storage
  * Create default collection after DBus.Error.UnknownObject
  * Detect local storage in snaps in the same way as flatpaks
  * Drop autotools-based build
  * GI annotation and documentation fixes
  * Port documentation to gi-docgen
  * Use G_GNUC_NULL_TERMINATED where appropriate
  * collection, methods, prompt: Port to GTask
  * secret-file-backend: Avoid closing the same file descriptor twice

mutter:

- Version update from 41.5 to 41.9 (jsc#PED-2235):
  * Fix '--replace' option
  * Fix missing root window properties after XWayland start
  * Fix night light without GAMMA_LUT property
  * KMS: Survive missing GAMMA_LUT property
  * wayland: Fix rotation transform
  * Misc. bug fixes

nautilus:

- Version update from 41.2 to 41.5 (jsc#PED-2235):
  * Drag-and-drop bugfixes
  * HighContrast style fixes

orca:

- Version update from 41.1 to 41.3 (jsc#PED-2235):
  * Add more event-flood detection and handling for improved performance
  * Fix bug causing accessing preferences to fail for Esperanto
  * Web: Fix bug causing widgets descending from off-screen label elements to be skipped over
  * Web: Fix presentation of the FluentUI react dialog (and any other dialog which has an ARIA document-role descendant)
  * WebKitGtk: Fail gracefully when structural navigation commands are used in WebKitGtk 2.36.x

python-cairo:

- Add python3-cairo to SUSE Linux Enterprise Micro 5.3 as it is now required by python3-gobject-cairo

python-gobject:

- Add dependency on python-cairo to python-gobject-cairo: The introspection wrapper needs pycairo (bsc#1179584)
  
- Version update from 3.42.0 to 3.42.2 (jsc#PED-2235):
  * Add a workaround for a PyPy 3.9+ bug when threads are used
  * Do not error out for unknown scopes
  * Prompt an error instead of crashing when marshaling unsupported fundamental types in some cases
  * Fix a crash/refcounting error in case marshaling a hash table fails
  * Fix crashes when marshaling zero terminated arrays for certain item types
  * Implement DynamicImporter.find_spec() to silence deprecation warning
  * Make the test suite pass again with PyPy
  * Some test/CI fixes
  * gtk overrides: Do not override Treeview.enable_model_drag_xx for GTK4
  * gtk overrides: restore Gtk.ListStore.insert_with_valuesv with newer GTK4
  * interface: Fix leak when overriding GInterfaceInfo
  * setup.py: look up pycairo headers without importing the module

trackers-python:

- Allow system calls used by gstreamer (bsc#1196205)
- Version update from 3.2.2 to 3.2.1 (jsc#PED-2235):
  * Backport seccomp rules for rseq and mbind syscalls

vala:

- Version update from 0.54.6 to 0.54.8 (jsc#PED-2235):
  * Add missing TraverseVisitor.visit_data_type()
  * Add support for 'copy_/free_function' metadata for compact classes
  * Catch and throw possible inner error of lock statements
  * Clear SemanticAnalyzer.current_{symbol,source_file} when not needed anymore
  * Don't count instance-parameter when checking for backwards closure reference
  * Fix a few binding errors
  * Free empty stack list for code contexts
  * Handle duplicated and unnamed symbols.
  * Improve UI parsing and handling of nested objects and properties
  * Make sure to drop our 'trap' jump target in case of an error
  * Move dynamic property errors to semantic analyzer pass
  * Require lvalue access of delegate target/destroy 'fields'
  * Show source location when reporting deprecations
  * Transform assignment of an array element as needed
  * manual: Update from wiki.gnome.org
  * parser: Improve handling of nullable VarType in with-statement
  * parser: Reduce the source reference of main block method to its beginning

xdg-desktop-portal-gnome:

- Version update from 0.54.6 to 0.54.8 (jsc#PED-2235):
  * Properly bind property in Lockdown portal

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:4628-1
Released:    Wed Dec 28 09:23:13 2022
Summary:     Security update for sqlite3
Type:        security
Severity:    moderate
References:  1206337,CVE-2022-46908
This update for sqlite3 fixes the following issues:

- CVE-2022-46908: Properly implement the azProhibitedFunctions protection mechanism, 
  when relying on --safe for execution of an untrusted CLI script (bsc#1206337).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:4629-1
Released:    Wed Dec 28 09:24:07 2022
Summary:     Security update for systemd
Type:        security
Severity:    important
References:  1200723,1205000,CVE-2022-4415
This update for systemd fixes the following issues:

- CVE-2022-4415: Fixed systemd-coredump that did not respect the fs.suid_dumpable kernel setting (bsc#1205000).

Bug fixes:

- Support by-path devlink for multipath nvme block devices (bsc#1200723).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:25-1
Released:    Thu Jan  5 09:51:41 2023
Summary:     Recommended update for timezone
Type:        recommended
Severity:    moderate
References:  1177460
This update for timezone fixes the following issues:

Version update from 2022f to 2022g (bsc#1177460):

- In the Mexican state of Chihuahua:
  * The border strip near the US will change to agree with nearby US locations on 2022-11-30.
  * The strip's western part, represented by Ciudad Juarez, switches from -06 all year to -07/-06 with US DST rules,
    like El Paso, TX.
  * The eastern part, represented by Ojinaga, will observe US DST next year, like Presidio, TX.
  * A new Zone America/Ciudad_Juarez splits from America/Ojinaga.
- Much of Greenland, represented by America/Nuuk, stops observing winter time after March 2023, so its daylight saving
  time becomes standard time.
- Changes for pre-1996 northern Canada
- Update to past DST transition in Colombia (1993), Singapore (1981)
- 'timegm' is now supported by default

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:37-1
Released:    Fri Jan  6 15:35:49 2023
Summary:     Security update for ca-certificates-mozilla
Type:        security
Severity:    important
References:  1206212,1206622
This update for ca-certificates-mozilla fixes the following issues:

- Updated to 2.60 state of Mozilla SSL root CAs (bsc#1206622)
  Removed CAs:
  - Global Chambersign Root
  - EC-ACC
  - Network Solutions Certificate Authority
  - Staat der Nederlanden EV Root CA
  - SwissSign Platinum CA - G2
  Added CAs:
  - DIGITALSIGN GLOBAL ROOT ECDSA CA
  - DIGITALSIGN GLOBAL ROOT RSA CA
  - Security Communication ECC RootCA1
  - Security Communication RootCA3
  Changed trust:
  - TrustCor certificates only trusted up to Nov 30 (bsc#1206212)
- Removed CAs (bsc#1206212), as most code does not handle 'valid before Nov 30 2022'
  and it is not clear how many certs were issued for SSL middleware by TrustCor:
  - TrustCor RootCert CA-1
  - TrustCor RootCert CA-2
  - TrustCor ECA-1

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:45-1
Released:    Mon Jan  9 10:32:26 2023
Summary:     Recommended update for libxml2
Type:        recommended
Severity:    moderate
References:  1204585
This update for libxml2 fixes the following issues:

- Add W3C conformance tests to the testsuite (bsc#1204585):
  * Added file xmlts20080827.tar.gz 

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:48-1
Released:    Mon Jan  9 10:37:54 2023
Summary:     Recommended update for libtirpc
Type:        recommended
Severity:    moderate
References:  1199467
This update for libtirpc fixes the following issues:

- Consider /proc/sys/net/ipv4/ip_local_reserved_ports, before binding to a random port (bsc#1199467)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:50-1
Released:    Mon Jan  9 10:42:21 2023
Summary:     Recommended update for shadow
Type:        recommended
Severity:    moderate
References:  1205502
This update for shadow fixes the following issues:

- Fix issue with user id field that cannot be interpreted (bsc#1205502)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:56-1
Released:    Mon Jan  9 11:13:43 2023
Summary:     Security update for libksba
Type:        security
Severity:    moderate
References:  1206579,CVE-2022-47629
This update for libksba fixes the following issues:

- CVE-2022-47629: Fixed an integer overflow vulnerability in the CRL
  signature parser (bsc#1206579).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:177-1
Released:    Thu Jan 26 20:57:35 2023
Summary:     Recommended update for util-linux
Type:        recommended
Severity:    moderate
References:  1194038,1205646
This update for util-linux fixes the following issues:

- Fix tests failing when the '@' character is in the build path:
  rpmbuild %check failed when '@' was in the directory path (bsc#1194038).
- libuuid continuous clock handling for time based UUIDs:
  Prevent use of the new libuuid ABI by uuidd %post before update
  of libuuid1 (bsc#1205646).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:178-1
Released:    Thu Jan 26 20:58:21 2023
Summary:     Recommended update for openssl-1_1
Type:        recommended
Severity:    moderate
References:  1207182
This update for openssl-1_1 fixes the following issues:

- FIPS: Add Pair-wise Consistency Test when generating DH key [bsc#1207182]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:181-1
Released:    Thu Jan 26 21:55:43 2023
Summary:     Recommended update for procps
Type:        recommended
Severity:    low
References:  1206412
This update for procps fixes the following issues:

- Improve memory handling/usage (bsc#1206412) 
- Make sure that correct library version is installed (bsc#1206412)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:188-1
Released:    Fri Jan 27 12:07:19 2023
Summary:     Recommended update for zlib
Type:        recommended
Severity:    important
References:  1203652
This update for zlib fixes the following issues:

- Follow up fix for bug bsc#1203652 due to libxml2 issues

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:201-1
Released:    Fri Jan 27 15:24:15 2023
Summary:     Security update for systemd
Type:        security
Severity:    moderate
References:  1204944,1205000,1207264,CVE-2022-4415
This update for systemd fixes the following issues:

- CVE-2022-4415: Fixed an issue where users could access coredumps
  with changed uid, gid or capabilities (bsc#1205000).

Non-security fixes:

- Enabled the pstore service (jsc#PED-2663).
- Fixed an issue accessing TPM when secure boot is enabled (bsc#1204944).
- Fixed an issue where a pamd file could get accidentally overwritten
  after an update (bsc#1207264).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:311-1
Released:    Tue Feb  7 17:36:32 2023
Summary:     Security update for openssl-1_1
Type:        security
Severity:    important
References:  1207533,1207534,1207536,1207538,CVE-2022-4304,CVE-2022-4450,CVE-2023-0215,CVE-2023-0286
This update for openssl-1_1 fixes the following issues:

- CVE-2023-0286: Fixed X.400 address type confusion in X.509 GENERAL_NAME_cmp for x400Address (bsc#1207533).
- CVE-2023-0215: Fixed use-after-free following BIO_new_NDEF() (bsc#1207536).
- CVE-2022-4450: Fixed double free after calling PEM_read_bio_ex() (bsc#1207538).
- CVE-2022-4304: Fixed a timing oracle in RSA decryption (bsc#1207534).


The following package changes have been done:

- libtirpc-netconfig-1.2.6-150300.3.17.1 updated
- libuuid1-2.37.2-150400.8.14.1 updated
- libudev1-249.14-150400.8.19.1 updated
- libsmartcols1-2.37.2-150400.8.14.1 updated
- libblkid1-2.37.2-150400.8.14.1 updated
- libfdisk1-2.37.2-150400.8.14.1 updated
- libz1-1.2.11-150000.3.39.1 updated
- libsqlite3-0-3.39.3-150000.3.20.1 updated
- libksba8-1.3.5-150000.4.6.1 updated
- libglib-2_0-0-2.70.5-150400.3.3.1 updated
- libxml2-2-2.9.14-150400.5.13.1 updated
- libsystemd0-249.14-150400.8.19.1 updated
- libopenssl1_1-1.1.1l-150400.7.22.1 updated
- libopenssl1_1-hmac-1.1.1l-150400.7.22.1 updated
- libprocps7-3.3.15-150000.7.28.1 updated
- procps-3.3.15-150000.7.28.1 updated
- libmount1-2.37.2-150400.8.14.1 updated
- login_defs-4.8.1-150400.10.3.1 updated
- libtirpc3-1.2.6-150300.3.17.1 updated
- libcurl4-7.79.1-150400.5.12.1 updated
- shadow-4.8.1-150400.10.3.1 updated
- util-linux-2.37.2-150400.8.14.1 updated
- timezone-2022g-150000.75.18.1 updated
- curl-7.79.1-150400.5.12.1 updated
- openssl-1_1-1.1.1l-150400.7.22.1 updated
- ca-certificates-mozilla-2.60-150200.27.1 updated
- libsodium23-1.0.18-150000.4.6.1 updated
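To confirm that a deployed container actually carries these package versions, the following added example (not part of the advisory or of any SUSE tooling) parses the package list above, compares it against `rpm -qa` output and reports each package as fixed, still vulnerable, or not installed. The `rpm -qa` sample is constructed, and the version comparison is a simplified rpmvercmp without tilde/caret handling.

```python
"""Check a container's installed packages against the versions listed in
SUSE-CU-2023:332-1.  Added example, not part of the SUSE advisory: the
advisory lines below are copied from it, the rpm -qa output is constructed.
"""
import re
from typing import Dict, Tuple

# Lines copied from the advisory's "The following package changes have been done" list.
ADVISORY_PACKAGE_LINES = """\
- libz1-1.2.11-150000.3.39.1 updated
- libsqlite3-0-3.39.3-150000.3.20.1 updated
- libksba8-1.3.5-150000.4.6.1 updated
- libopenssl1_1-1.1.1l-150400.7.22.1 updated
- libcurl4-7.79.1-150400.5.12.1 updated
- libsodium23-1.0.18-150000.4.6.1 updated
"""

# Constructed sample of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` run inside
# a container: two packages at the fixed version, one older release, one newer
# release, one exactly fixed, and libsodium23 not installed at all.
SAMPLE_RPM_QA = """\
libz1-1.2.11-150000.3.39.1
libsqlite3-0-3.39.3-150000.3.20.1
libksba8-1.3.5-150000.4.5.1
libopenssl1_1-1.1.1l-150400.7.25.1
libcurl4-7.79.1-150400.5.12.1
"""

VR = Tuple[str, str]  # (version, release)


def split_nvr(nvr: str) -> Tuple[str, str, str]:
    """Split name-version-release from the right: version and release never
    contain '-', but names such as libsqlite3-0 or libopenssl1_1-hmac do."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: split into numeric and alphabetic segments,
    compare numerics as integers and alphas as strings, a numeric segment
    beats an alphabetic one, and the string with segments left over is newer."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def compare_vr(installed: VR, fixed: VR) -> int:
    """Compare (version, release) pairs; negative means installed is older."""
    c = rpmvercmp(installed[0], fixed[0])
    return c if c else rpmvercmp(installed[1], fixed[1])


def parse_advisory(text: str) -> Dict[str, VR]:
    """Map package name -> fixed (version, release) from '- NVR updated' lines."""
    fixed: Dict[str, VR] = {}
    for line in text.splitlines():
        m = re.match(r"-\s+(\S+)\s+updated$", line.strip())
        if m:
            name, ver, rel = split_nvr(m.group(1))
            fixed[name] = (ver, rel)
    return fixed


def parse_rpm_qa(output: str) -> Dict[str, VR]:
    """Map package name -> installed (version, release) from rpm -qa lines."""
    installed: Dict[str, VR] = {}
    for line in output.splitlines():
        if line.strip():
            name, ver, rel = split_nvr(line.strip())
            installed[name] = (ver, rel)
    return installed


def check_container(advisory: str, rpm_qa: str) -> Dict[str, str]:
    """Return {package: 'fixed' | 'vulnerable' | 'missing'} for every package
    the advisory lists.  'missing' means the package is not installed, so the
    advisory does not apply to it."""
    fixed = parse_advisory(advisory)
    installed = parse_rpm_qa(rpm_qa)
    result: Dict[str, str] = {}
    for name, fixed_vr in fixed.items():
        if name not in installed:
            result[name] = "missing"
        elif compare_vr(installed[name], fixed_vr) < 0:
            result[name] = "vulnerable"
        else:
            result[name] = "fixed"
    return result


if __name__ == "__main__":
    for pkg, status in sorted(check_container(ADVISORY_PACKAGE_LINES, SAMPLE_RPM_QA).items()):
        print(f"{pkg:20} {status}")
```

On a real image, replace SAMPLE_RPM_QA with the output of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` run inside the container.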

