SUSE-IU-2023:480-1: Security update of sles-15-sp5-chost-byos-v20230704-arm64
sle-security-updates at lists.suse.com
sle-security-updates at lists.suse.com
Sat Jul 8 07:02:11 UTC 2023
SUSE Image Update Advisory: sles-15-sp5-chost-byos-v20230704-arm64
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2023:480-1
Image Tags : sles-15-sp5-chost-byos-v20230704-arm64:20230704
Image Release :
Severity : important
Type : security
References : 1194557 1201627 1202234 1203300 1206674 1207004 1207071 1207534
1208074 1209233 1209565 1210298 1211026 1211261 1211261 1211418
1211419 1211430 1211578 1211588 1211612 1211647 1211754 1212187
1212187 1212222 1212222 1212516 1212517 1212544 1212567 1212662
CVE-2022-4304 CVE-2023-2602 CVE-2023-2603 CVE-2023-2650 CVE-2023-2828
CVE-2023-2911
-----------------------------------------------------------------
The container sles-15-sp5-chost-byos-v20230704-arm64 was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: 29171
Released: Tue Jun 20 12:29:00 2023
Summary: Security update for openssl-1_1
Type: security
Severity: important
References: 1201627,1207534,1211430,CVE-2022-4304,CVE-2023-2650
This update for openssl-1_1 fixes the following issues:
- CVE-2023-2650: Fixed possible denial of service translating ASN.1 object identifiers (bsc#1211430).
- CVE-2022-4304: Reworked the fix for the Timing-Oracle in RSA decryption.
The previous fix for this timing side channel turned out to cause a
severe 2-3x performance regression in the typical use case (bsc#1207534).
- Update further expiring certificates that affect tests (bsc#1201627)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2557-1
Released: Tue Jun 20 18:00:45 2023
Summary: Recommended update for suseconnect-ng
Type: recommended
Severity: moderate
References: 1211588
This update for suseconnect-ng fixes the following issues:
- Update to version 1.1.0~git2.f42b4b2a060e:
- Keep keepalive timer states when replacing SUSEConnect (bsc#1211588)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2571-1
Released: Wed Jun 21 13:26:09 2023
Summary: Security update for Salt
Type: security
Severity: moderate
References: 1207071,1209233,1211612,1211754,1212516,1212517
This update for salt fixes the following issues:
salt:
- Update to Salt release version 3006.0 (jsc#PED-4361)
* See release notes: https://docs.saltproject.io/en/latest/topics/releases/3006.0.html
- Add missing patch after rebase to fix collections Mapping issues
- Add python3-looseversion as new dependency for salt
- Add python3-packaging as new dependency for salt
- Allow entrypoint compatibility for 'importlib-metadata>=5.0.0' (bsc#1207071)
- Avoid conflicts with Salt dependencies versions (bsc#1211612)
- Avoid failures due transactional_update module not available in Salt 3006.0 (bsc#1211754)
- Create new salt-tests subpackage containing Salt tests
- Drop conflictive patch dicarded from upstream
- Fix package build with old setuptools versions
- Fix SLS rendering error when Jinja macros are used
- Fix version detection and avoid building and testing failures
- Prevent deadlocks in salt-ssh executions
- Require python3-jmespath runtime dependency (bsc#1209233)
- Make master_tops compatible with Salt 3000 and older minions (bsc#1212516, bsc#1212517)
python-jmespath:
- Deliver python3-jmespath to SUSE Linux Enterprise Micro on s390x architecture as it is now required by Salt
(no source changes)
python-ply:
- Deliver python3-ply to SUSE Linux Enterprise Micro on s390x architecture as it is a requirement for python-jmespath
(no source changes)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2625-1
Released: Fri Jun 23 17:16:11 2023
Summary: Recommended update for gcc12
Type: recommended
Severity: moderate
References:
This update for gcc12 fixes the following issues:
- Update to GCC 12.3 release, 0c61aa720e62f1baf0bfd178e283, git1204
* includes regression and other bug fixes
- Speed up builds with --enable-link-serialization.
- Update embedded newlib to version 4.2.0
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2643-1
Released: Mon Jun 26 15:35:07 2023
Summary: Recommended update for cpupower
Type: recommended
Severity: moderate
References:
This update for cpupower fixes the following issues:
- Add Emerald Ridge Intel CPU model support (jsc#PED-4393)
- Add EMR CPU support to turbostat (jsc#PED-4395)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2649-1
Released: Tue Jun 27 10:01:13 2023
Summary: Recommended update for hwdata
Type: recommended
Severity: moderate
References:
This update for hwdata fixes the following issues:
- update to 0.371:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2658-1
Released: Tue Jun 27 14:46:15 2023
Summary: Recommended update for containerd, docker, runc
Type: recommended
Severity: moderate
References: 1207004,1208074,1210298,1211578
This update for containerd, docker, runc fixes the following issues:
- Update to containerd v1.6.21 (bsc#1211578)
- Update to Docker 23.0.6-ce (bsc#1211578)
- Update to runc v1.1.7
- Require a minimum Go version explicitly (bsc#1210298)
- Re-unify packaging for SLE-12 and SLE-15
- Fix build on SLE-12 by switching back to libbtrfs-devel headers
- Allow man pages to be built without internet access in OBS
- Add apparmor-parser as a Recommends to make sure that most users will end up with it installed
even if they are primarily running SELinux
- Fix syntax of boolean dependency
- Allow to install container-selinux instead of apparmor-parser
- Change to using systemd-sysusers
- Update runc.keyring to upstream version
- Fix the inability to use `/dev/null` when inside a container (bsc#1207004)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2667-1
Released: Wed Jun 28 09:14:31 2023
Summary: Security update for bind
Type: security
Severity: important
References: 1212544,1212567,CVE-2023-2828,CVE-2023-2911
This update for bind fixes the following issues:
Update to release 9.16.42
Security Fixes:
* The overmem cleaning process has been improved, to prevent the
cache from significantly exceeding the configured
max-cache-size limit. (CVE-2023-2828)
* A query that prioritizes stale data over lookup triggers a
fetch to refresh the stale data in cache. If the fetch is
aborted for exceeding the recursion quota, it was possible for
named to enter an infinite callback loop and crash due to stack
overflow. This has been fixed. (CVE-2023-2911)
Bug Fixes:
* Previously, it was possible for a delegation from cache to be
returned to the client after the stale-answer-client-timeout
duration. This has been fixed. [bsc#1212544, bsc#1212567, jsc#SLE-24600]
Update to release 9.16.41
Bug Fixes:
* When removing delegations from an opt-out range,
empty-non-terminal NSEC3 records generated by those delegations
were not cleaned up. This has been fixed. [jsc#SLE-24600]
Update to release 9.16.40
Bug Fixes:
* Logfiles using timestamp-style suffixes were not always
correctly removed when the number of files exceeded the limit
set by versions. This has been fixed for configurations which
do not explicitly specify a directory path as part of the file
argument in the channel specification.
* Performance of DNSSEC validation in zones with many DNSKEY
records has been improved.
Update to release 9.16.39
Feature Changes:
* libuv support for receiving multiple UDP messages in a single
recvmmsg() system call has been tweaked several times between
libuv versions 1.35.0 and 1.40.0; the current recommended libuv
version is 1.40.0 or higher. New rules are now in effect for
running with a different version of libuv than the one used at
compilation time. These rules may trigger a fatal error at
startup:
- Building against or running with libuv versions 1.35.0 and
1.36.0 is now a fatal error.
- Running with libuv version higher than 1.34.2 is now a
fatal error when named is built against libuv version
1.34.2 or lower.
- Running with libuv version higher than 1.39.0 is now a
fatal error when named is built against libuv version
1.37.0, 1.38.0, 1.38.1, or 1.39.0.
* This prevents the use of libuv versions that may trigger an
assertion failure when receiving multiple UDP messages in a
single system call.
Bug Fixes:
* named could crash with an assertion failure when adding a new
zone into the configuration file for a name which was already
configured as a member zone for a catalog zone. This has been
fixed.
* When named starts up, it sends a query for the DNSSEC key for
each configured trust anchor to determine whether the key has
changed. In some unusual cases, the query might depend on a
zone for which the server is itself authoritative, and would
have failed if it were sent before the zone was fully loaded.
This has now been fixed by delaying the key queries until all
zones have finished loading. [jsc#SLE-24600]
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2740-1
Released: Fri Jun 30 10:57:08 2023
Summary: Recommended update for dracut
Type: recommended
Severity: moderate
References: 1212662
This update for dracut fixes the following issues:
- Update to version 055+suse.366.g14047665
- Continue parsing if ldd prints 'cannot execute binary file' (bsc#1212662)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2742-1
Released: Fri Jun 30 11:40:59 2023
Summary: Recommended update for autoyast2, libzypp, yast2-pkg-bindings, yast2-update, zypper
Type: recommended
Severity: moderate
References: 1202234,1209565,1211261,1212187,1212222
This update for yast2-pkg-bindings fixes the following issues:
libzypp was updated to version 17.31.14 (22):
- Curl: trim all custom headers (bsc#1212187)
HTTP/2 RFC 9113 forbids fields ending with a space. So we make
sure all custom headers are trimmed. This also includes headers
returned by URL-Resolver plugins.
- build: honor libproxy.pc's includedir (bsc#1212222)
zypper was updated to version 1.14.61:
- targetos: Add an error note if XPath:/product/register/target
is not defined in /etc/products.d/baseproduct (bsc#1211261)
- targetos: Update help and man page (bsc#1211261)
yast2-pkg-bindings, autoyast:
- Added a new option for rebuilding the RPM database (--rebuilddb) (bsc#1209565)
- Selected products are not installed after resetting the package manager internally (bsc#1202234)
yast2-update:
- Rebuild the RPM database during upgrade (--rebuilddb) (bsc#1209565)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2747-1
Released: Fri Jun 30 15:28:51 2023
Summary: Recommended update for wicked
Type: recommended
Severity: moderate
References: 1194557,1203300,1206674,1211026,1211647
This update for wicked fixes the following issues:
- Update to version 0.6.73
- Handle ENOBUFS sending errors (bsc#1203300)
- Ignore WIRELESS_EAP_AUTH within TLS (bsc#1211026)
- Cleanup /var/run leftovers in extension scripts (bsc#1194557)
- extensions/nbft: add post-up script (bsc#1211647)
- Workaround 6.1 kernel enslave regression (bsc#1206674)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2765-1
Released: Mon Jul 3 20:28:14 2023
Summary: Security update for libcap
Type: security
Severity: moderate
References: 1211418,1211419,CVE-2023-2602,CVE-2023-2603
This update for libcap fixes the following issues:
- CVE-2023-2602: Fixed improper memory release in libcap/psx/psx.c:__wrap_pthread_create() (bsc#1211418).
- CVE-2023-2603: Fixed an integer overflow or wraparound in libcap/cap_alloc.c:_libcap_strdup() (bsc#1211419).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2772-1
Released: Tue Jul 4 09:54:23 2023
Summary: Recommended update for libzypp, zypper
Type: recommended
Severity: moderate
References: 1211261,1212187,1212222
This update for libzypp, zypper fixes the following issues:
libzypp was updated to version 17.31.14 (22):
- Curl: trim all custom headers (bsc#1212187)
HTTP/2 RFC 9113 forbids fields ending with a space. So we make
sure all custom headers are trimmed. This also includes headers
returned by URL-Resolver plugins.
- build: honor libproxy.pc's includedir (bsc#1212222)
zypper was updated to version 1.14.61:
- targetos: Add an error note if XPath:/product/register/target
is not defined in /etc/products.d/baseproduct (bsc#1211261)
- targetos: Update help and man page (bsc#1211261)
The following package changes have been done:
- bind-utils-9.16.42-150400.5.27.1 updated
- containerd-ctr-1.6.21-150000.93.1 updated
- containerd-1.6.21-150000.93.1 updated
- cpupower-5.14-150500.9.3.1 updated
- docker-23.0.6_ce-150000.178.1 updated
- dracut-mkinitrd-deprecated-055+suse.366.g14047665-150500.3.6.1 updated
- dracut-055+suse.366.g14047665-150500.3.6.1 updated
- hwdata-0.371-150000.3.62.1 updated
- libcap2-2.63-150400.3.3.1 updated
- libcpupower0-5.14-150500.9.3.1 updated
- libgcc_s1-12.3.0+git1204-150000.1.10.1 updated
- libopenssl1_1-1.1.1l-150500.17.6.1 updated
- libprotobuf-lite20-3.9.2-150200.4.21.1 updated
- libstdc++6-12.3.0+git1204-150000.1.10.1 updated
- libzypp-17.31.14-150400.3.35.1 updated
- openssl-1_1-1.1.1l-150500.17.6.1 updated
- python3-bind-9.16.42-150400.5.27.1 updated
- python3-ply-3.10-150000.3.3.4 updated
- runc-1.1.7-150000.46.1 updated
- suseconnect-ng-1.1.0~git2.f42b4b2a060e-150500.3.3.1 updated
- wicked-service-0.6.72-150500.3.7.1 updated
- wicked-0.6.72-150500.3.7.1 updated
- zypper-1.14.61-150400.3.24.1 updated
More information about the sle-security-updates
mailing list