SUSE-IU-2023:478-1: Security update of suse-sles-15-sp5-chost-byos-v20230704-x86_64-gen2

sle-security-updates at lists.suse.com
Sat Jul 8 07:02:08 UTC 2023


SUSE Image Update Advisory: suse-sles-15-sp5-chost-byos-v20230704-x86_64-gen2
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2023:478-1
Image Tags        : suse-sles-15-sp5-chost-byos-v20230704-x86_64-gen2:20230704
Image Release     : 
Severity          : important
Type              : security
References        : 1171511 1194557 1201627 1202234 1203300 1203393 1206674 1207004
                        1207071 1207534 1208074 1209233 1209565 1210277 1210298 1210652
                        1211026 1211261 1211261 1211418 1211419 1211430 1211578 1211588
                        1211612 1211647 1211754 1212187 1212187 1212222 1212222 1212516
                        1212517 1212544 1212567 1212662 CVE-2022-2084 CVE-2022-4304 CVE-2023-1786
                        CVE-2023-2602 CVE-2023-2603 CVE-2023-2650 CVE-2023-2828 CVE-2023-2911
-----------------------------------------------------------------

The container suse-sles-15-sp5-chost-byos-v20230704-x86_64-gen2 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 29171
Released:    Tue Jun 20 12:29:00 2023
Summary:     Security update for openssl-1_1
Type:        security
Severity:    important
References:  1201627,1207534,1211430,CVE-2022-4304,CVE-2023-2650
This update for openssl-1_1 fixes the following issues:

- CVE-2023-2650: Fixed possible denial of service translating ASN.1 object identifiers (bsc#1211430).
- CVE-2022-4304: Reworked the fix for the Timing-Oracle in RSA decryption.
  The previous fix for this timing side channel turned out to cause a
  severe 2-3x performance regression in the typical use case (bsc#1207534).

- Update further expiring certificates that affect tests (bsc#1201627)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2557-1
Released:    Tue Jun 20 18:00:45 2023
Summary:     Recommended update for suseconnect-ng
Type:        recommended
Severity:    moderate
References:  1211588
This update for suseconnect-ng fixes the following issues:

- Update to version 1.1.0~git2.f42b4b2a060e:
- Keep keepalive timer states when replacing SUSEConnect (bsc#1211588)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2571-1
Released:    Wed Jun 21 13:26:09 2023
Summary:     Security update for Salt
Type:        security
Severity:    moderate
References:  1207071,1209233,1211612,1211754,1212516,1212517
This update for salt fixes the following issues:

salt:

- Update to Salt release version 3006.0 (jsc#PED-4361)
  * See release notes: https://docs.saltproject.io/en/latest/topics/releases/3006.0.html
- Add missing patch after rebase to fix collections Mapping issues
- Add python3-looseversion as new dependency for salt
- Add python3-packaging as new dependency for salt
- Allow entrypoint compatibility for 'importlib-metadata>=5.0.0' (bsc#1207071)
- Avoid conflicts with Salt dependency versions (bsc#1211612)
- Avoid failures due to the transactional_update module not being available in Salt 3006.0 (bsc#1211754)
- Create new salt-tests subpackage containing Salt tests
- Drop conflicting patch discarded from upstream
- Fix package build with old setuptools versions
- Fix SLS rendering error when Jinja macros are used
- Fix version detection and avoid building and testing failures
- Prevent deadlocks in salt-ssh executions
- Require python3-jmespath runtime dependency (bsc#1209233)
- Make master_tops compatible with Salt 3000 and older minions (bsc#1212516, bsc#1212517)

python-jmespath:

- Deliver python3-jmespath to SUSE Linux Enterprise Micro on s390x architecture as it is now required by Salt
  (no source changes)

python-ply:

- Deliver python3-ply to SUSE Linux Enterprise Micro on s390x architecture as it is a requirement for python-jmespath
  (no source changes)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2625-1
Released:    Fri Jun 23 17:16:11 2023
Summary:     Recommended update for gcc12
Type:        recommended
Severity:    moderate
References:  
This update for gcc12 fixes the following issues:

- Update to GCC 12.3 release, 0c61aa720e62f1baf0bfd178e283, git1204

  * includes regression and other bug fixes

- Speed up builds with --enable-link-serialization.

- Update embedded newlib to version 4.2.0

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2628-1
Released:    Fri Jun 23 21:43:22 2023
Summary:     Security update for cloud-init
Type:        security
Severity:    important
References:  1171511,1203393,1210277,1210652,CVE-2022-2084,CVE-2023-1786
This update for cloud-init fixes the following issues:

- CVE-2023-1786: Do not expose sensitive data gathered from the CSP. (bsc#1210277)
- CVE-2022-2084: Fixed a bug where logging of schema failures could include password hashes. (bsc#1210652)

- Update to version 23.1

  + Support transactional-updates for SUSE based distros
  + Set ownership for new folders in Write Files Module
  + add OpenCloudOS and TencentOS support
  + lxd: Retry if the server isn't ready 
  + test: switch pycloudlib source to pypi 
  + test: Fix integration test deprecation message 
  + Recognize opensuse-microos, dev tooling fixes 
  + sources/azure: refactor imds handler into own module 
  + docs: deprecation generation support 
  + add function is_virtual to distro/FreeBSD
  + cc_ssh: support multiple hostcertificates 
  + Fix minor schema validation regression and fixup typing 
  + doc: Reword user data debug section 
  + cli: schema also validate vendordata*.
  + ci: sort and add checks for cla signers file 
  + Add 'ederst' as contributor
  + readme: add reference to packages dir 
  + docs: update downstream package list 
  + docs: add google search verification 
  + docs: fix 404 render use default notfound_urls_prefix in RTD conf
  + Fix OpenStack datasource detection on bare metal
  + docs: add themed RTD 404 page and pointer to readthedocs-hosted 
  + schema: fix gpt labels, use type string for GUID 
  + cc_disk_setup: code cleanup 
  + netplan: keep custom strict perms when 50-cloud-init.yaml exists
  + cloud-id: better handling of change in datasource files
  + Warn on empty network key 
  + Fix Vultr cloud_interfaces usage 
  + cc_puppet: Update puppet service name 
  + docs: Clarify networking docs 
  + lint: remove httpretty 
  + cc_set_passwords: Prevent traceback when restarting ssh 
  + tests: fix lp1912844 
  + tests: Skip ansible test on bionic 
  + Wait for NetworkManager 
  + docs: minor polishing 
  + CI: migrate integration-test to GH actions 
  + Fix permission of SSH host keys 
  + Fix default route rendering on v2 ipv6
  + doc: fix path in net_convert command 
  + docs: update net_convert docs
  + doc: fix dead link
  + cc_set_hostname: ignore /var/lib/cloud/data/set-hostname if it's empty
  + distros/rhel.py: _read_hostname() missing strip on 'hostname'
  + integration tests: add  IBM VPC support 
  + machine-id: set to uninitialized to trigger regeneration on clones
  + sources/azure: retry on connection error when fetching metadata
  + Ensure ssh state accurately obtained 
  + bddeb: drop dh-systemd dependency on newer deb-based releases 
  + doc: fix `config formats` link in cloudsigma.rst 
  + Fix wrong subp syntax in cc_set_passwords.py 
  + docs: update the PR template link to readthedocs 
  + ci: switch unittests to gh actions
  + Add mount_default_fields for PhotonOS. 
  + sources/azure: minor refactor for metadata source detection logic
  + add 'CalvoM' as contributor 
  + ci: doc to gh actions 
  + lxd: handle 404 from missing devices route for LXD 4.0 
  + docs: Diataxis overhaul 
  + vultr: Fix issue regarding cache and region codes 
  + cc_set_passwords: Move ssh status checking later 
  + Improve Wireguard module idempotency 
  + network/netplan: add gateways as on-link when necessary 
  + tests: test_lxd assert features.networks.zones when present 
  + Use btrfs enqueue when available (#1926) [Robert Schweikert]
  + sources/azure: fix device driver matching for net config (#1914)
  + BSD: fix duplicate macs in Ifconfig parser 
  + pycloudlib: add lunar support for integration tests 
  + nocloud: add support for dmi variable expansion for seedfrom URL
  + tools: read-version drop extra call to git describe --long
  + doc: improve cc_write_files doc
  + read-version: When insufficient tags, use cloudinit.version.get_version
  + mounts: document weird prefix in schema 
  + Ensure network ready before cloud-init service runs on RHEL
  + docs: add copy button to code blocks 
  + netplan: define features.NETPLAN_CONFIG_ROOT_READ_ONLY flag
  + azure: fix support for systems without az command installed 
  + Fix the distro.osfamily output problem in the openEuler system. 
  + pycloudlib: bump commit dropping azure api smoke test
  + net: netplan config root read-only as wifi config can contain creds
  + autoinstall: clarify docs for users
  + sources/azure: encode health report as utf-8 
  + Add back gateway4/6 deprecation to docs 
  + networkd: Add support for multiple [Route] sections 
  + doc: add qemu tutorial 
  + lint: fix tip-flake8 and tip-mypy 
  + Add support for setting uid when creating users on FreeBSD 
  + Fix exception in BSD networking code-path 
  + Append derivatives to is_rhel list in cloud.cfg.tmpl 
  + FreeBSD init: use cloudinit_enable as only rcvar 
  + feat: add support aliyun metadata security harden mode 
  + docs: uprate analyze to performance page
  + test: fix lxd preseed managed network config 
  + Add support for static IPv6 addresses for FreeBSD 
  + Make 3.12 failures not fail the build 
  + Docs: adding relative links 
  + Fix setup.py to align with PEP 440 versioning replacing trailing
  + Add 'nkukard' as contributor 
  + doc: add how to render new module doc 
  + doc: improve module creation explanation 
  + Add Support for IPv6 metadata to OpenStack 
  + add xiaoge1001 to .github-cla-signers
  + network: Deprecate gateway{4,6} keys in network config v2
  + VMware: Move Guest Customization transport from OVF to VMware
  + doc: home page links added
  + net: skip duplicate mac check for netvsc nic and its VF

This update for python-responses fixes the following issues:
  
- update to 0.21.0:
  * Add `threading.Lock()` to allow `responses` working with `threading` module.
  * Add `urllib3` `Retry` mechanism. See #135
  * Removed internal `_cookies_from_headers` function
  * Now `add`, `upsert`, `replace` methods return registered response.
    `remove` method returns list of removed responses.
  * Added null value support in `urlencoded_params_matcher` via `allow_blank` keyword argument
  * Added strict version of decorator. Now you can apply `@responses.activate(assert_all_requests_are_fired=True)`
    to your function to validate that all requests were executed in the wrapped function. See #183

  

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2643-1
Released:    Mon Jun 26 15:35:07 2023
Summary:     Recommended update for cpupower
Type:        recommended
Severity:    moderate
References:  
This update for cpupower fixes the following issues:

- Add Emerald Ridge Intel CPU model support (jsc#PED-4393)
- Add EMR CPU support to turbostat (jsc#PED-4395)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2649-1
Released:    Tue Jun 27 10:01:13 2023
Summary:     Recommended update for hwdata
Type:        recommended
Severity:    moderate
References:  
This update for hwdata fixes the following issues:

- update to 0.371:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2658-1
Released:    Tue Jun 27 14:46:15 2023
Summary:     Recommended update for containerd, docker, runc
Type:        recommended
Severity:    moderate
References:  1207004,1208074,1210298,1211578
This update for containerd, docker, runc fixes the following issues:

- Update to containerd v1.6.21 (bsc#1211578)
- Update to Docker 23.0.6-ce (bsc#1211578)
- Update to runc v1.1.7
- Require a minimum Go version explicitly (bsc#1210298)
- Re-unify packaging for SLE-12 and SLE-15
- Fix build on SLE-12 by switching back to libbtrfs-devel headers
- Allow man pages to be built without internet access in OBS
- Add apparmor-parser as a Recommends to make sure that most users will end up with it installed
  even if they are primarily running SELinux
- Fix syntax of boolean dependency
- Allow to install container-selinux instead of apparmor-parser
- Change to using systemd-sysusers
- Update runc.keyring to upstream version
- Fix the inability to use `/dev/null` when inside a container (bsc#1207004)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2667-1
Released:    Wed Jun 28 09:14:31 2023
Summary:     Security update for bind
Type:        security
Severity:    important
References:  1212544,1212567,CVE-2023-2828,CVE-2023-2911
This update for bind fixes the following issues:

Update to release 9.16.42

Security Fixes:

* The overmem cleaning process has been improved, to prevent the
  cache from significantly exceeding the configured
  max-cache-size limit. (CVE-2023-2828)
* A query that prioritizes stale data over lookup triggers a
  fetch to refresh the stale data in cache. If the fetch is
  aborted for exceeding the recursion quota, it was possible for
  named to enter an infinite callback loop and crash due to stack
  overflow. This has been fixed. (CVE-2023-2911)

Bug Fixes:

* Previously, it was possible for a delegation from cache to be
  returned to the client after the stale-answer-client-timeout
  duration. This has been fixed.  [bsc#1212544, bsc#1212567, jsc#SLE-24600]

Update to release 9.16.41

Bug Fixes:

* When removing delegations from an opt-out range,
  empty-non-terminal NSEC3 records generated by those delegations
  were not cleaned up. This has been fixed.  [jsc#SLE-24600]

Update to release 9.16.40

Bug Fixes:

* Logfiles using timestamp-style suffixes were not always
  correctly removed when the number of files exceeded the limit
  set by versions. This has been fixed for configurations which
  do not explicitly specify a directory path as part of the file
  argument in the channel specification.
* Performance of DNSSEC validation in zones with many DNSKEY
  records has been improved.

Update to release 9.16.39

Feature Changes:

* libuv support for receiving multiple UDP messages in a single
  recvmmsg() system call has been tweaked several times between
  libuv versions 1.35.0 and 1.40.0; the current recommended libuv
  version is 1.40.0 or higher. New rules are now in effect for
  running with a different version of libuv than the one used at
  compilation time. These rules may trigger a fatal error at
  startup:
  - Building against or running with libuv versions 1.35.0 and
    1.36.0 is now a fatal error.
  - Running with libuv version higher than 1.34.2 is now a
    fatal error when named is built against libuv version
    1.34.2 or lower.
  - Running with libuv version higher than 1.39.0 is now a
    fatal error when named is built against libuv version
    1.37.0, 1.38.0, 1.38.1, or 1.39.0.

* This prevents the use of libuv versions that may trigger an
  assertion failure when receiving multiple UDP messages in a
  single system call.
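The three libuv startup rules above, encoded as a checker so an operator can see which build-time/run-time pairs named would refuse before upgrading the library. This is an added example, not BIND code; the version strings are constructed samples.

```python
"""Model the libuv compatibility rules from the BIND 9.16.39 notes above.

Added example, not BIND code: it encodes the three startup rules so an
operator can see which (build-time, run-time) libuv pairs named would refuse
before upgrading the library. Version strings are constructed samples.
"""


def parse_version(text):
    """Turn '1.38.1' into a comparable tuple (1, 38, 1)."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad libuv version {text!r}")
    return tuple(int(p) for p in parts)


# Versions whose recvmmsg() handling can trip an assertion failure in named.
BROKEN_ANYWHERE = {(1, 35, 0), (1, 36, 0)}
# Build-time versions that must not be paired with a runtime newer than 1.39.0.
PINNED_TO_1_39 = {(1, 37, 0), (1, 38, 0), (1, 38, 1), (1, 39, 0)}


def libuv_startup_check(built_against, running_with):
    """Return None if named may start, else the reason it exits fatally."""
    built = parse_version(built_against)
    running = parse_version(running_with)
    # Rule 1: 1.35.0 and 1.36.0 are rejected whether built against or run with.
    if built in BROKEN_ANYWHERE or running in BROKEN_ANYWHERE:
        return "libuv 1.35.0 and 1.36.0 are rejected at build and run time"
    # Rule 2: built against <= 1.34.2 must not run with anything newer.
    if built <= (1, 34, 2) and running > (1, 34, 2):
        return "built against libuv <= 1.34.2 but running with a newer libuv"
    # Rule 3: built against 1.37.0-1.39.0 must not run with anything > 1.39.0.
    if built in PINNED_TO_1_39 and running > (1, 39, 0):
        return "built against libuv 1.37.0-1.39.0 but running with libuv > 1.39.0"
    return None


if __name__ == "__main__":
    for pair in [("1.34.2", "1.40.0"), ("1.38.0", "1.44.2"), ("1.40.0", "1.44.2")]:
        print(pair, libuv_startup_check(*pair) or "ok")
```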

Bug Fixes:

* named could crash with an assertion failure when adding a new
  zone into the configuration file for a name which was already
  configured as a member zone for a catalog zone. This has been
  fixed.
* When named starts up, it sends a query for the DNSSEC key for
  each configured trust anchor to determine whether the key has
  changed. In some unusual cases, the query might depend on a
  zone for which the server is itself authoritative, and would
  have failed if it were sent before the zone was fully loaded.
  This has now been fixed by delaying the key queries until all
  zones have finished loading. [jsc#SLE-24600]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2740-1
Released:    Fri Jun 30 10:57:08 2023
Summary:     Recommended update for dracut
Type:        recommended
Severity:    moderate
References:  1212662
This update for dracut fixes the following issues:

- Update to version 055+suse.366.g14047665
- Continue parsing if ldd prints 'cannot execute binary file' (bsc#1212662)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2742-1
Released:    Fri Jun 30 11:40:59 2023
Summary:     Recommended update for autoyast2, libzypp, yast2-pkg-bindings, yast2-update, zypper
Type:        recommended
Severity:    moderate
References:  1202234,1209565,1211261,1212187,1212222
This update for yast2-pkg-bindings fixes the following issues:

libzypp was updated to version 17.31.14 (22):

- Curl: trim all custom headers (bsc#1212187)
  HTTP/2 RFC 9113 forbids fields ending with a space. So we make
  sure all custom headers are trimmed. This also includes headers
  returned by URL-Resolver plugins.
- build: honor libproxy.pc's includedir (bsc#1212222)

zypper was updated to version 1.14.61:

- targetos: Add an error note if XPath:/product/register/target
  is not defined in /etc/products.d/baseproduct (bsc#1211261)
- targetos: Update help and man page (bsc#1211261)

yast2-pkg-bindings, autoyast:

- Added a new option for rebuilding the RPM database (--rebuilddb) (bsc#1209565)
- Selected products are not installed after resetting the package manager internally (bsc#1202234)

yast2-update:

- Rebuild the RPM database during upgrade (--rebuilddb) (bsc#1209565)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2747-1
Released:    Fri Jun 30 15:28:51 2023
Summary:     Recommended update for wicked
Type:        recommended
Severity:    moderate
References:  1194557,1203300,1206674,1211026,1211647
This update for wicked fixes the following issues:

- Update to version 0.6.73
- Handle ENOBUFS sending errors (bsc#1203300)
- Ignore WIRELESS_EAP_AUTH within TLS (bsc#1211026)
- Cleanup /var/run leftovers in extension scripts (bsc#1194557)
- extensions/nbft: add post-up script (bsc#1211647)
- Workaround 6.1 kernel enslave regression (bsc#1206674)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2765-1
Released:    Mon Jul  3 20:28:14 2023
Summary:     Security update for libcap
Type:        security
Severity:    moderate
References:  1211418,1211419,CVE-2023-2602,CVE-2023-2603
This update for libcap fixes the following issues:

- CVE-2023-2602: Fixed improper memory release in libcap/psx/psx.c:__wrap_pthread_create() (bsc#1211418).
- CVE-2023-2603: Fixed an integer overflow or wraparound in libcap/cap_alloc.c:_libcap_strdup() (bsc#1211419).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2772-1
Released:    Tue Jul  4 09:54:23 2023
Summary:     Recommended update for libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1211261,1212187,1212222
This update for libzypp, zypper fixes the following issues:

libzypp was updated to version 17.31.14 (22):

- Curl: trim all custom headers (bsc#1212187)
  HTTP/2 RFC 9113 forbids fields ending with a space. So we make
  sure all custom headers are trimmed. This also includes headers
  returned by URL-Resolver plugins.
- build: honor libproxy.pc's includedir (bsc#1212222)
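The header-trimming fix for bsc#1212187 (described in this advisory and again in SUSE-RU-2023:2742-1 above) as an added example, not libzypp code: it normalizes custom headers the way an HTTP/2 peer following RFC 9113 expects, and separately reports which values would have been rejected. The header names and values are constructed samples.

```python
"""Normalize custom HTTP headers the way the libzypp fix above requires.

Added example, not libzypp code. RFC 9113 (HTTP/2), section 8.2.1, treats a
field value with leading or trailing whitespace, or containing CR, LF or NUL,
as malformed, so a peer may reject the whole request. Header names and
values below are constructed samples.
"""

# Characters that make an HTTP/2 field value malformed outright (RFC 9113 s8.2.1).
_FORBIDDEN = {"\r", "\n", "\x00"}


def find_untrimmed(headers):
    """List header names whose value an HTTP/2 peer would reject for whitespace."""
    return sorted(n for n, v in headers.items() if v != v.strip(" \t"))


def normalize_custom_headers(headers):
    """Return a new dict of headers safe to send over HTTP/2.

    - surrounding spaces and tabs are trimmed from every value (the libzypp fix)
    - a value containing CR, LF or NUL raises ValueError instead of being sent
    - header names are lower-cased, as HTTP/2 requires
    """
    clean = {}
    for name, value in headers.items():
        if not name or name.strip() != name:
            raise ValueError(f"malformed header name {name!r}")
        if any(ch in value for ch in _FORBIDDEN):
            raise ValueError(f"header {name!r} contains a control character")
        clean[name.lower()] = value.strip(" \t")
    return clean


if __name__ == "__main__":
    # Constructed sample: a token header with a trailing space, as a
    # URL-resolver plugin might return it.
    sample = {"X-Auth-Token": "abc123 ", "Accept-Language": "de-DE"}
    print(find_untrimmed(sample))
    print(normalize_custom_headers(sample))
```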

zypper was updated to version 1.14.61:

- targetos: Add an error note if XPath:/product/register/target
  is not defined in /etc/products.d/baseproduct (bsc#1211261)
- targetos: Update help and man page (bsc#1211261)


The following package changes have been done:

- bind-utils-9.16.42-150400.5.27.1 updated
- cloud-init-config-suse-23.1-150100.8.63.5 updated
- cloud-init-23.1-150100.8.63.5 updated
- containerd-ctr-1.6.21-150000.93.1 updated
- containerd-1.6.21-150000.93.1 updated
- cpupower-5.14-150500.9.3.1 updated
- docker-23.0.6_ce-150000.178.1 updated
- dracut-mkinitrd-deprecated-055+suse.366.g14047665-150500.3.6.1 updated
- dracut-055+suse.366.g14047665-150500.3.6.1 updated
- hwdata-0.371-150000.3.62.1 updated
- libcap2-2.63-150400.3.3.1 updated
- libcpupower0-5.14-150500.9.3.1 updated
- libgcc_s1-12.3.0+git1204-150000.1.10.1 updated
- libopenssl1_1-1.1.1l-150500.17.6.1 updated
- libprotobuf-lite20-3.9.2-150200.4.21.1 updated
- libstdc++6-12.3.0+git1204-150000.1.10.1 updated
- libzypp-17.31.14-150400.3.35.1 updated
- openssl-1_1-1.1.1l-150500.17.6.1 updated
- python3-bind-9.16.42-150400.5.27.1 updated
- python3-ply-3.10-150000.3.3.4 updated
- runc-1.1.7-150000.46.1 updated
- suseconnect-ng-1.1.0~git2.f42b4b2a060e-150500.3.3.1 updated
- wicked-service-0.6.72-150500.3.7.1 updated
- wicked-0.6.72-150500.3.7.1 updated
- zypper-1.14.61-150400.3.24.1 updated

