SUSE-IU-2023:348-1: Security update of suse-sles-15-sp3-chost-byos-v20230613-hvm-ssd-x86_64
sle-security-updates at lists.suse.com
sle-security-updates at lists.suse.com
Thu Jun 15 07:02:05 UTC 2023
SUSE Image Update Advisory: suse-sles-15-sp3-chost-byos-v20230613-hvm-ssd-x86_64
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2023:348-1
Image Tags : suse-sles-15-sp3-chost-byos-v20230613-hvm-ssd-x86_64:20230613
Image Release :
Severity : critical
Type : security
References : 1065270 1127591 1168481 1173115 1176785 1178233 1185232 1185261
1185441 1185621 1186449 1186870 1187071 1187260 1187810 1189036
1191467 1191525 1193282 1195175 1195633 1198438 1198458 1198458
1198932 1199132 1199282 1199282 1199756 1200321 1200441 1200710
1201066 1201234 1201490 1202120 1202353 1203201 1203248 1203249
1203331 1203332 1203355 1203446 1203599 1203715 1203746 1204356
1204548 1204585 1204662 1204929 1204956 1205128 1205200 1205375
1205554 1205570 1205588 1205636 1206065 1206103 1206235 1206351
1206483 1206513 1206781 1206949 1206992 1207014 1207022 1207051
1207064 1207088 1207168 1207416 1207560 1207571 1207575 1207773
1207780 1207795 1207843 1207845 1207875 1207957 1207975 1207992
1208023 1208036 1208137 1208153 1208179 1208212 1208329 1208358
1208423 1208426 1208471 1208598 1208599 1208601 1208700 1208741
1208776 1208777 1208787 1208816 1208828 1208828 1208837 1208843
1208845 1208929 1208957 1208959 1208962 1208971 1209008 1209017
1209018 1209019 1209026 1209042 1209052 1209122 1209165 1209187
1209188 1209188 1209209 1209210 1209211 1209212 1209214 1209234
1209256 1209288 1209289 1209290 1209291 1209361 1209362 1209366
1209372 1209406 1209481 1209483 1209485 1209532 1209533 1209547
1209549 1209624 1209634 1209635 1209636 1209667 1209672 1209683
1209687 1209713 1209714 1209739 1209777 1209778 1209785 1209871
1209873 1209878 1209884 1209888 1210135 1210164 1210202 1210203
1210298 1210301 1210328 1210329 1210336 1210337 1210382 1210411
1210412 1210414 1210418 1210434 1210453 1210469 1210498 1210506
1210507 1210593 1210629 1210640 1210647 1210649 1210870 1211144
1211231 1211232 1211233 1211339 1211430 1211604 1211605 1211606
1211607 1211643 1211661 1211795 1212187 CVE-2017-5753 CVE-2020-36691
CVE-2021-3541 CVE-2021-3923 CVE-2022-2196 CVE-2022-23471 CVE-2022-28737
CVE-2022-28737 CVE-2022-29217 CVE-2022-29824 CVE-2022-32746 CVE-2022-36109
CVE-2022-36280 CVE-2022-38096 CVE-2022-42331 CVE-2022-42332 CVE-2022-42333
CVE-2022-42334 CVE-2022-43945 CVE-2022-4744 CVE-2022-4899 CVE-2023-0045
CVE-2023-0225 CVE-2023-0461 CVE-2023-0464 CVE-2023-0465 CVE-2023-0466
CVE-2023-0512 CVE-2023-0590 CVE-2023-0597 CVE-2023-0614 CVE-2023-0687
CVE-2023-0922 CVE-2023-1075 CVE-2023-1076 CVE-2023-1078 CVE-2023-1095
CVE-2023-1118 CVE-2023-1127 CVE-2023-1127 CVE-2023-1170 CVE-2023-1175
CVE-2023-1264 CVE-2023-1281 CVE-2023-1355 CVE-2023-1382 CVE-2023-1390
CVE-2023-1513 CVE-2023-1582 CVE-2023-1611 CVE-2023-1670 CVE-2023-1838
CVE-2023-1855 CVE-2023-1872 CVE-2023-1981 CVE-2023-1989 CVE-2023-1990
CVE-2023-1998 CVE-2023-2008 CVE-2023-2124 CVE-2023-2162 CVE-2023-2176
CVE-2023-22995 CVE-2023-22998 CVE-2023-23000 CVE-2023-23004 CVE-2023-23006
CVE-2023-23559 CVE-2023-23916 CVE-2023-23931 CVE-2023-24329 CVE-2023-24593
CVE-2023-25012 CVE-2023-25153 CVE-2023-25173 CVE-2023-25180 CVE-2023-25809
CVE-2023-2650 CVE-2023-26545 CVE-2023-27533 CVE-2023-27534 CVE-2023-27535
CVE-2023-27536 CVE-2023-27538 CVE-2023-27561 CVE-2023-28320 CVE-2023-28321
CVE-2023-28322 CVE-2023-28327 CVE-2023-28328 CVE-2023-28464 CVE-2023-28466
CVE-2023-28484 CVE-2023-28486 CVE-2023-28487 CVE-2023-28642 CVE-2023-28772
CVE-2023-29383 CVE-2023-29469 CVE-2023-29491 CVE-2023-2953 CVE-2023-30630
CVE-2023-30772 CVE-2023-31124 CVE-2023-31130 CVE-2023-31147 CVE-2023-32067
CVE-2023-32324
-----------------------------------------------------------------
The container suse-sles-15-sp3-chost-byos-v20230613-hvm-ssd-x86_64 was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2917-1
Released: Wed Oct 14 11:29:48 2020
Summary: Recommended update for mokutil
Type: recommended
Severity: moderate
References: 1173115
This update for mokutil fixes the following issue:
- Add options for CA and kernel keyring checks (bsc#1173115)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2638-1
Released: Wed Aug 3 10:35:14 2022
Summary: Security update for mokutil
Type: security
Severity: moderate
References: 1198458
This update for mokutil fixes the following issues:
- Adds SBAT revocation support to mokutil. (bsc#1198458)
New options added (see manpage):
- mokutil --sbat
List all entries in SBAT.
- mokutil --set-sbat-policy (latest | previous | delete)
To set the SBAT acceptance policy.
- mokutil --list-sbat-revocations
To list the current SBAT revocations.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:776-1
Released: Thu Mar 16 17:29:23 2023
Summary: Recommended update for gcc12
Type: recommended
Severity: moderate
References:
This update for gcc12 fixes the following issues:
This update ships gcc12 also to the SUSE Linux Enterprise 15 SP1 LTSS and 15 SP2 LTSS products.
SUSE Linux Enterprise 15 SP3 and SP4 get only refreshed builds without changes
This update ship the GCC 12 compiler suite and its base libraries.
The compiler baselibraries are provided for all SUSE Linux Enterprise 15
versions and replace the same named GCC 11 ones.
The new compilers for C, C++, and Fortran are provided in the SUSE Linux
Enterprise Module for Development Tools.
To use gcc12 compilers use:
- install 'gcc12' or 'gcc12-c++' or one of the other 'gcc12-COMPILER' frontend packages.
- override your makefile to use CC=gcc12, CXX=g++12 and similar overrides for the other languages.
For a full changelog with all new GCC12 features, check out
https://gcc.gnu.org/gcc-12/changes.html
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:780-1
Released: Thu Mar 16 18:06:30 2023
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: 1186449,1195175,1198438,1203331,1203332,1204356,1204662,1206103,1206351,1207051,1207575,1207773,1207795,1207845,1207875,1208023,1208153,1208212,1208700,1208741,1208776,1208816,1208837,1208845,1208971,CVE-2022-36280,CVE-2022-38096,CVE-2023-0045,CVE-2023-0590,CVE-2023-0597,CVE-2023-1118,CVE-2023-22995,CVE-2023-22998,CVE-2023-23000,CVE-2023-23006,CVE-2023-23559,CVE-2023-26545
The SUSE Linux Enterprise 15 SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2022-36280: Fixed out-of-bounds memory access vulnerability found in vmwgfx driver (bsc#1203332).
- CVE-2022-38096: Fixed NULL-ptr deref in vmw_cmd_dx_define_query() (bsc#1203331).
- CVE-2023-0045: Fixed missing Flush IBP in ib_prctl_set (bsc#1207773).
- CVE-2023-0590: Fixed race condition in qdisc_graft() (bsc#1207795).
- CVE-2023-0597: Fixed lack of randomization of per-cpu entry area in x86/mm (bsc#1207845).
- CVE-2023-1118: Fixed a use-after-free bugs caused by ene_tx_irqsim() in media/rc (bsc#1208837).
- CVE-2023-22995: Fixed lacks of certain platform_device_put and kfree in drivers/usb/dwc3/dwc3-qcom.c (bsc#1208741).
- CVE-2023-22998: Fixed NULL vs IS_ERR checking in virtio_gpu_object_shmem_init (bsc#1208776).
- CVE-2023-23000: Fixed return value of tegra_xusb_find_port_node function phy/tegra (bsc#1208816).
- CVE-2023-23006: Fixed NULL vs IS_ERR checking in dr_domain_init_resources (bsc#1208845).
- CVE-2023-23559: Fixed integer overflow in rndis_wlan that leads to a buffer overflow (bsc#1207051).
- CVE-2023-26545: Fixed double free in net/mpls/af_mpls.c upon an allocation failure (bsc#1208700).
The following non-security bugs were fixed:
- cifs: fix use-after-free caused by invalid pointer `hostname` (bsc#1208971).
- genirq: Provide new interfaces for affinity hints (bsc#1208153).
- mm/slub: fix panic in slab_alloc_node() (bsc#1208023).
- module: Do not wait for GOING modules (bsc#1196058, bsc#1186449, bsc#1204356, bsc#1204662).
- net: mana: Assign interrupts to CPUs based on NUMA nodes (bsc#1208153).
- net: mana: Fix IRQ name - add PCI and queue number (bsc#1207875).
- net: mana: Fix accessing freed irq affinity_hint (bsc#1208153).
- refresh patches.kabi/scsi-kABI-fix-for-eh_should_retry_cmd (bsc#1206351). The former kABI fix only move the newly added member to scsi_host_template to the end of the struct. But that is usually allocated statically, even by 3rd party modules relying on kABI. Before we use the member we need to signalize that it is to be expected. As we only expect it to be allocated by in-tree modules that we can control, we can use a space in the bitfield to signalize that.
- s390/kexec: fix ipl report address for kdump (bsc#1207575).
- scsi: qla2xxx: Add option to disable FC2 Target support (bsc#1198438 bsc#1206103).
- update suse/net-mlx5-Allocate-individual-capability (bsc#1195175).
- update suse/net-mlx5-Dynamically-resize-flow-counters-query-buff (bsc#1195175).
- update suse/net-mlx5-Fix-flow-counters-SF-bulk-query-len (bsc#1195175).
- update suse/net-mlx5-Reduce-flow-counters-bulk-query-buffer-size (bsc#1195175).
- update suse/net-mlx5-Reorganize-current-and-maximal-capabilities (bsc#1195175).
- update suse/net-mlx5-Use-order-0-allocations-for-EQs (bsc#1195175). Fixed bugzilla reference.
- vmxnet3: move rss code block under eop descriptor (bsc#1208212).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:781-1
Released: Thu Mar 16 19:07:00 2023
Summary: Security update for vim
Type: security
Severity: important
References: 1207780,1208828,1208957,1208959,CVE-2023-0512,CVE-2023-1127,CVE-2023-1170,CVE-2023-1175
This update for vim fixes the following issues:
- CVE-2023-0512: Fixed a divide By Zero (bsc#1207780).
- CVE-2023-1175: vim: an incorrect calculation of buffer size (bsc#1208957).
- CVE-2023-1170: Fixed a heap-based Buffer Overflow (bsc#1208959).
- CVE-2023-1127: Fixed divide by zero in scrolldown() (bsc#1208828).
Updated to version 9.0 with patch level 1386.
- https://github.com/vim/vim/compare/v9.0.1234...v9.0.1386
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:784-1
Released: Thu Mar 16 19:33:52 2023
Summary: Recommended update for grub2
Type: recommended
Severity: moderate
References: 1205200,1205554
This update for grub2 fixes the following issues:
- Remove zfs modules (bsc#1205554)
- Make grub.cfg invariant to efi and legacy platforms (bsc#1205200)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:786-1
Released: Thu Mar 16 19:36:09 2023
Summary: Recommended update for libsolv, libzypp, zypper
Type: recommended
Severity: important
References: 1178233,1203248,1203249,1203715,1204548,1204956,1205570,1205636,1206949
This update for libsolv, libzypp, zypper fixes the following issues:
libsolv:
- Do not autouninstall SUSE PTF packages
- Ensure 'duplinvolvedmap_all' is reset when a solver is reused
- Fix 'keep installed' jobs not disabling 'best update' rules
- New '-P' and '-W' options for `testsolv`
- New introspection interface for weak dependencies similar to ruleinfos
- Ensure special case file dependencies are written correctly in the testcase writer
- Support better info about alternatives
- Support decision reason queries
- Support merging of related decisions
- Support stringification of multiple solvables
- Support stringification of ruleinfo, decisioninfo and decision reasons
libzypp:
- Avoid calling getsockopt when we know the info already.
This patch should fix logging on WSL, getsockopt seems to not be fully supported but the code required it when
accepting new socket connections (bsc#1178233)
- Avoid redirecting 'history.logfile=/dev/null' into the target
- Create '.no_auto_prune' in the package cache dir to prevent auto cleanup of orphaned repositories (bsc#1204956)
- Enhance yaml-cpp detection
- Improve download of optional files
- MultiCurl: Make sure to reset the progress function when falling back.
- Properly reset range requests (bsc#1204548)
- Removing a PTF without enabled repos should always fail (bsc#1203248)
Without enabled repos, the dependent PTF-packages would be removed (not replaced!) as well.
To remove a PTF `zypper install -- -PTF` or a dedicated `zypper removeptf PTF` should be used. This will update the
installed PTF packages to theit latest version.
- Skip media.1/media download for http repo status calc.
This patch allows zypp to skip a extra media.1/media download to calculate if a repository needs to be refreshed.
This optimisation only takes place if the repo does specify only downloading base urls.
- Use a dynamic fallback for BLKSIZE in downloads.
When not receiving a blocklist via metalink file from the server MediaMultiCurl used to fallback to a fixed,
relatively small BLKSIZE. This patch changes the fallback into a dynamic value based on the filesize using a similar
metric as the MirrorCache implementation on the server side.
- ProgressData: enforce reporting the INIT||END state (bsc#1206949)
- ps: fix service detection on newer Tumbleweed systems (bsc#1205636)
zypper:
- Allow to (re)add a service with the same URL (bsc#1203715)
- Bump dependency requirement to libzypp-devel 17.31.7 or greater
- Explain outdatedness of repositories
- patterns: Avoid dispylaing superfluous @System entries (bsc#1205570)
- Provide `removeptf` command (bsc#1203249)
A remove command which prefers replacing dependant packages to removing them as well.
A PTF is typically removed as soon as the fix it provides is applied to the latest official update of the dependant
packages. However it is not desired for the dependant packages to be removed together with the PTF, which is what the
remove command would do. The `removeptf` command however will aim to replace the dependant packages by their official
update versions.
- Update man page and explain '.no_auto_prune' (bsc#1204956)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:794-1
Released: Fri Mar 17 08:42:12 2023
Summary: Security update for python-PyJWT
Type: security
Severity: critical
References: 1176785,1199282,1199756,CVE-2022-29217
This update for python-PyJWT fixes the following issues:
- CVE-2022-29217: Fixed Key confusion through non-blocklisted public key formats (bsc#1199756).
- Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
- Update to 2.4.0 (bsc#1199756)
- Explicit check the key for ECAlgorithm
- Don't use implicit optionals
- documentation fix: show correct scope
- fix: Update copyright information
- Don't mutate options dictionary in .decode_complete()
- Add support for Python 3.10
- api_jwk: Add PyJWKSet.__getitem__
- Update usage.rst
- Docs: mention performance reasons for reusing RSAPrivateKey
when encoding
- Fixed typo in usage.rst
- Add detached payload support for JWS encoding and decoding
- Replace various string interpolations with f-strings by
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:795-1
Released: Fri Mar 17 09:13:12 2023
Summary: Security update for docker
Type: security
Severity: moderate
References: 1205375,1206065,CVE-2022-36109
This update for docker fixes the following issues:
Docker was updated to 20.10.23-ce.
See upstream changelog at https://docs.docker.com/engine/release-notes/#201023
Docker was updated to 20.10.21-ce (bsc#1206065)
See upstream changelog at https://docs.docker.com/engine/release-notes/#201021
Security issues fixed:
- CVE-2022-36109: Fixed supplementary group permissions bypass (bsc#1205375)
- Fix wrong After: in docker.service, fixes bsc#1188447
- Add apparmor-parser as a Recommends to make sure that most users will end up
with it installed even if they are primarily running SELinux.
- Allow to install container-selinux instead of apparmor-parser.
- Change to using systemd-sysusers
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:847-1
Released: Tue Mar 21 13:27:57 2023
Summary: Security update for xen
Type: security
Severity: important
References: 1209017,1209018,1209019,1209188,CVE-2022-42331,CVE-2022-42332,CVE-2022-42333,CVE-2022-42334
This update for xen fixes the following issues:
- CVE-2022-42332: Fixed use-after-free in x86 shadow plus log-dirty mode (bsc#1209017).
- CVE-2022-42333,CVE-2022-42334: Fixed x86/HVM pinned cache attributes mis-handling (bsc#1209018).
- CVE-2022-42331: Fixed speculative vulnerability in 32bit SYSCALL path on x86 (bsc#1209019).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:868-1
Released: Wed Mar 22 09:41:01 2023
Summary: Security update for python3
Type: security
Severity: important
References: 1203355,1208471,CVE-2023-24329
This update for python3 fixes the following issues:
- CVE-2023-24329: Fixed a blocklist bypass via the urllib.parse component when supplying a URL that starts with blank characters (bsc#1208471).
The following non-security bug was fixed:
- Eliminate unnecessary and dangerous calls to PyThread_exit_thread() (bsc#1203355).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:1586-1
Released: Mon Mar 27 13:02:52 2023
Summary: Recommended update for nfs-utils
Type: recommended
Severity: moderate
References: 1200710,1203746,1206781,1207022,1207843
This update for nfs-utils fixes the following issues:
- Rename all drop-in options.conf files as 10-options.conf
This makes it easier for other packages to over-ride with a drop-in with a later sequence number (bsc#1207843)
- Avoid modprobe errors when sysctl is not installed (bsc#1200710 bsc#1207022 bsc#1206781)
- Add '-S scope' option to rpc.nfsd to simplify fail-over cluster configuration (bsc#1203746)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:1628-1
Released: Tue Mar 28 12:28:51 2023
Summary: Security update for containerd
Type: security
Severity: important
References: 1206235,CVE-2022-23471
This update for containerd fixes the following issues:
- CVE-2022-23471: Fixed host memory exhaustion through Terminal resize goroutine leak (bsc#1206235).
- Re-build containerd to use updated golang-packaging (jsc#1342).
- Update to containerd v1.6.16 for Docker v23.0.0-ce.
* https://github.com/containerd/containerd/releases/tag/v1.6.16
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:1687-1
Released: Wed Mar 29 17:52:28 2023
Summary: Security update for ldb, samba
Type: security
Severity: important
References: 1201490,1207416,1209481,1209483,1209485,CVE-2022-32746,CVE-2023-0225,CVE-2023-0614,CVE-2023-0922
This update for ldb, samba fixes the following issues:
ldb:
- CVE-2022-32746: Fixed an use-after-free issue in the database audit logging module (bsc#1201490).
- CVE-2023-0614: Fixed discovering of access controlled AD LDAP attributes (bso#15270) (bsc#1209485).
samba:
- CVE-2023-0922: Fixed cleartext password sending by AD DC admin tool (bso#15315) (bsc#1209481).
- CVE-2023-0225: Fixed deletion of AD DC 'dnsHostname' attribute by unprivileged authenticated users (bso#15276) (bsc#1209483).
- CVE-2023-0614: Fixed discovering of access controlled AD LDAP attributes (bso#15270) (bsc#1209485).
The following non-security bug was fixed:
- Prevent use after free of messaging_ctdb_fde_ev structs (bso#15293) (bsc#1207416).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:1691-1
Released: Thu Mar 30 09:51:28 2023
Summary: Security update for grub2
Type: security
Severity: moderate
References: 1209188
This update of grub2 fixes the following issues:
- rebuild the package with the new secure boot key (bsc#1209188).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:1698-1
Released: Thu Mar 30 12:16:57 2023
Summary: Security update for sudo
Type: security
Severity: moderate
References: 1203201,1206483,1209361,1209362,CVE-2023-28486,CVE-2023-28487
This update for sudo fixes the following issue:
Security fixes:
- CVE-2023-28486: Fixed missing control characters escaping in log messages (bsc#1209362).
- CVE-2023-28487: Fixed missing control characters escaping in sudoreplay output (bsc#1209361).
Other fixes:
- Fix a situation where 'sudo -U otheruser -l' would dereference a NULL pointer (bsc#1206483).
- Do not re-enable the reader when flushing the buffers as part of pty_finish() (bsc#1203201).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:1702-1
Released: Thu Mar 30 15:23:23 2023
Summary: Security update for shim
Type: security
Severity: important
References: 1185232,1185261,1185441,1185621,1187071,1187260,1193282,1198458,1201066,1202120,1205588,CVE-2022-28737
This update for shim fixes the following issues:
- Updated shim signature after shim 15.7 be signed back:
signature-sles.x86_64.asc, signature-sles.aarch64.asc (bsc#1198458)
- Add POST_PROCESS_PE_FLAGS=-N to the build command in shim.spec to
disable the NX compatibility flag when using post-process-pe because
grub2 is not ready. (bsc#1205588)
- Enable the NX compatibility flag by default. (jsc#PED-127)
Update to 15.7 (bsc#1198458) (jsc#PED-127):
- Make SBAT variable payload introspectable
- Reference MokListRT instead of MokList
- Add a link to the test plan in the readme.
- [V3] Enable TDX measurement to RTMR register
- Discard load-options that start with a NUL
- Fixed load_cert_file bugs
- Add -malign-double to IA32 compiler flags
- pe: Fix image section entry-point validation
- make-archive: Build reproducible tarball
- mok: remove MokListTrusted from PCR 7
Other fixes:
- Support enhance shim measurement to TD RTMR. (jsc#PED-1273)
- shim-install: ensure grub.cfg created is not overwritten after installing grub related files
- Add logic to shim.spec to only set sbat policy when efivarfs is writeable. (bsc#1201066)
- Add logic to shim.spec for detecting --set-sbat-policy option before using mokutil to set sbat policy. (bsc#1202120)
- Change the URL in SBAT section to mail:security at suse.de. (bsc#1193282)
Update to 15.6 (bsc#1198458):
- MokManager: removed Locate graphic output protocol fail error message
- shim: implement SBAT verification for the shim_lock protocol
- post-process-pe: Fix a missing return code check
- Update github actions matrix to be more useful
- post-process-pe: Fix format string warnings on 32-bit platforms
- Allow MokListTrusted to be enabled by default
- Re-add ARM AArch64 support
- Use ASCII as fallback if Unicode Box Drawing characters fail
- make: don't treat cert.S specially
- shim: use SHIM_DEVEL_VERBOSE when built in devel mode
- Break out of the inner sbat loop if we find the entry.
- Support loading additional certificates
- Add support for NX (W^X) mitigations.
- Fix preserve_sbat_uefi_variable() logic
- SBAT Policy latest should be a one-shot
- pe: Fix a buffer overflow when SizeOfRawData > VirtualSize
- pe: Perform image verification earlier when loading grub
- Update advertised sbat generation number for shim
- Update SBAT generation requirements for 05/24/22
- Also avoid CVE-2022-28737 in verify_image() by @vathpela
Update to 15.5 (bsc#1198458):
- Broken ia32 relocs and an unimportant submodule change.
- mok: allocate MOK config table as BootServicesData
- Don't call QueryVariableInfo() on EFI 1.10 machines (bsc#1187260)
- Relax the check for import_mok_state() (bsc#1185261)
- SBAT.md: trivial changes
- shim: another attempt to fix load options handling
- Add tests for our load options parsing.
- arm/aa64: fix the size of .rela* sections
- mok: fix potential buffer overrun in import_mok_state
- mok: relax the maximum variable size check
- Don't unhook ExitBootServices when EBS protection is disabled
- fallback: find_boot_option() needs to return the index for the boot entry in optnum
- httpboot: Ignore case when checking HTTP headers
- Fallback allocation errors
- shim: avoid BOOTx64.EFI in message on other architectures
- str: remove duplicate parameter check
- fallback: add compile option FALLBACK_NONINTERACTIVE
- Test mok mirror
- Modify sbat.md to help with readability.
- csv: detect end of csv file correctly
- Specify that the .sbat section is ASCII not UTF-8
- tests: add 'include-fixed' GCC directory to include directories
- pe: simplify generate_hash()
- Don't make shim abort when TPM log event fails (RHBZ #2002265)
- Fallback to default loader if parsed one does not exist
- fallback: Fix for BootOrder crash when index returned
- Better console checks
- docs: update SBAT UEFI variable name
- Don't parse load options if invoked from removable media path
- fallback: fix fallback not passing arguments of the first boot option
- shim: Don't stop forever at 'Secure Boot not enabled' notification
- Allocate mokvar table in runtime memory.
- Remove post-process-pe on 'make clean'
- pe: missing perror argument
- CVE-2022-28737: Fixed a buffer overflow when SizeOfRawData > VirtualSize (bsc#1198458)
- Add mokutil command to post script for setting sbat policy to latest mode
when the SbatPolicy-605dab50-e046-4300-abb6-3dd810dd8b23 is not created.
(bsc#1198458)
- Updated vendor dbx binary and script (bsc#1198458)
- Updated dbx-cert.tar.xz and vendor-dbx-sles.bin for adding
SLES-UEFI-SIGN-Certificate-2021-05.crt to vendor dbx list.
- Updated dbx-cert.tar.xz and vendor-dbx-opensuse.bin for adding
openSUSE-UEFI-SIGN-Certificate-2021-05.crt to vendor dbx list.
- Updated vendor-dbx.bin for adding SLES-UEFI-SIGN-Certificate-2021-05.crt
and openSUSE-UEFI-SIGN-Certificate-2021-05.crt for testing environment.
- Updated generate-vendor-dbx.sh script for generating a vendor-dbx.bin
file which includes all .der for testing environment.
- avoid buffer overflow when copying data to the MOK config table (bsc#1185232)
- Disable exporting vendor-dbx to MokListXRT since writing a large RT variable could crash some machines (bsc#1185261)
- ignore the odd LoadOptions length (bsc#1185232)
- shim-install: reset def_shim_efi to 'shim.efi' if the given file doesn't exist
- relax the maximum variable size check for u-boot (bsc#1185621)
- handle ignore_db and user_insecure_mode correctly (bsc#1185441, bsc#1187071)
- Split the keys in vendor-dbx.bin to vendor-dbx-sles and
vendor-dbx-opensuse for shim-sles and shim-opensuse to reduce
the size of MokListXRT (bsc#1185261)
+ Also update generate-vendor-dbx.sh in dbx-cert.tar.xz
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:1711-1
Released: Fri Mar 31 13:33:04 2023
Summary: Security update for curl
Type: security
Severity: moderate
References: 1207992,1209209,1209210,1209211,1209212,1209214,CVE-2023-23916,CVE-2023-27533,CVE-2023-27534,CVE-2023-27535,CVE-2023-27536,CVE-2023-27538
This update for curl fixes the following issues:
- CVE-2023-27533: Fixed TELNET option IAC injection (bsc#1209209).
- CVE-2023-27534: Fixed SFTP path ~ resolving discrepancy (bsc#1209210).
- CVE-2023-27535: Fixed FTP too eager connection reuse (bsc#1209211).
- CVE-2023-27536: Fixed GSS delegation too eager connection reuse (bsc#1209212).
- CVE-2023-27538: Fixed SSH connection too eager reuse still (bsc#1209214).
- CVE-2023-23916: Fixed HTTP multi-header compression denial of service (bsc#1207992).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:1718-1
Released: Fri Mar 31 15:47:34 2023
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1207571,1207957,1207975,1208358,CVE-2023-0687
This update for glibc fixes the following issues:
Security issue fixed:
- CVE-2023-0687: Fix allocated buffer overflow in gmon (bsc#1207975)
Other issues fixed:
- Fix avx2 strncmp offset compare condition check (bsc#1208358)
- elf: Allow dlopen of filter object to work (bsc#1207571)
- powerpc: Fix unrecognized instruction errors with recent GCC
- x86: Cache computation for AMD architecture (bsc#1207957)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:1753-1
Released: Tue Apr 4 11:55:00 2023
Summary: Recommended update for systemd-presets-common-SUSE
Type: recommended
Severity: moderate
References:
This update for systemd-presets-common-SUSE fixes the following issue:
- Enable systemd-pstore.service by default (jsc#PED-2663)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:1763-1
Released: Tue Apr 4 14:35:52 2023
Summary: Security update for python-cryptography
Type: security
Severity: moderate
References: 1208036,CVE-2023-23931
This update for python-cryptography fixes the following issues:
- CVE-2023-23931: Fixed memory corruption in Cipher.update_into (bsc#1208036).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:1790-1
Released: Thu Apr 6 15:36:15 2023
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1209624,1209873,1209878,CVE-2023-0464,CVE-2023-0465,CVE-2023-0466
This update for openssl-1_1 fixes the following issues:
- CVE-2023-0464: Fixed excessive Resource Usage Verifying X.509 Policy Constraints (bsc#1209624).
- CVE-2023-0465: Invalid certificate policies in leaf certificates were silently ignored (bsc#1209878).
- CVE-2023-0466: Certificate policy check were not enabled (bsc#1209873).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:1805-1
Released: Tue Apr 11 10:12:41 2023
Summary: Recommended update for timezone
Type: recommended
Severity: important
References:
This update for timezone fixes the following issues:
- Version update from 2022g to 2023c:
* Egypt now uses DST again, from April through October.
* This year Morocco springs forward April 23, not April 30.
* Palestine delays the start of DST this year.
* Much of Greenland still uses DST from 2024 on.
* America/Yellowknife now links to America/Edmonton.
* tzselect can now use current time to help infer timezone.
* The code now defaults to C99 or later.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:1810-1
Released: Tue Apr 11 12:06:13 2023
Summary: Recommended update for cups
Type: recommended
Severity: moderate
References: 1191467,1191525,1198932,1200321,1201234,1203446
This update for cups fixes the following issues:
- Fix print jobs on cups.sock return with EAGAIN (Resource temporarily unavailable) (bsc#1191525)
- Fix '/usr/bin/lpr: Error - The printer or class does not exist (bsc#1203446)
- Improves logging on 'IPP_STATUS_ERROR_NOT_FOUND' error (bsc#1191467, bsc#1198932)
- Add 'After=network.target sssd.service' to the systemd unit (bsc#1201234, bsc#1200321)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:1811-1
Released: Tue Apr 11 12:11:23 2023
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: 1207168,1207560,1208137,1208179,1208598,1208599,1208601,1208777,1208787,1208843,1209008,1209052,1209256,1209288,1209289,1209290,1209291,1209366,1209532,1209547,1209549,1209634,1209635,1209636,1209672,1209683,1209778,1209785,CVE-2017-5753,CVE-2021-3923,CVE-2022-4744,CVE-2023-0461,CVE-2023-1075,CVE-2023-1076,CVE-2023-1078,CVE-2023-1095,CVE-2023-1281,CVE-2023-1382,CVE-2023-1390,CVE-2023-1513,CVE-2023-1582,CVE-2023-23004,CVE-2023-25012,CVE-2023-28327,CVE-2023-28328,CVE-2023-28464,CVE-2023-28466,CVE-2023-28772
The SUSE Linux Enterprise 15 SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2017-5753: Fixed spectre V1 vulnerability on netlink (bsc#1209547).
- CVE-2017-5753: Fixed spectre vulnerability in prlimit (bsc#1209256).
- CVE-2021-3923: Fixed stack information leak vulnerability that could lead to kernel protection bypass in infiniband RDMA (bsc#1209778).
- CVE-2022-4744: Fixed double-free that could lead to DoS or privilege escalation in TUN/TAP device driver functionality (bsc#1209635).
- CVE-2023-0461: Fixed use-after-free in icsk_ulp_data (bsc#1208787).
- CVE-2023-1075: Fixed a type confusion in tls_is_tx_ready (bsc#1208598).
- CVE-2023-1076: Fixed incorrect UID assigned to tun/tap sockets (bsc#1208599).
- CVE-2023-1078: Fixed a heap out-of-bounds write in rds_rm_zerocopy_callback (bsc#1208601).
- CVE-2023-1095: Fixed a NULL pointer dereference in nf_tables due to zeroed list head (bsc#1208777).
- CVE-2023-1281: Fixed use after free that could lead to privilege escalation in tcindex (bsc#1209634).
- CVE-2023-1382: Fixed denial of service in tipc_conn_close (bsc#1209288).
- CVE-2023-1390: Fixed remote DoS vulnerability in tipc_link_xmit() (bsc#1209289).
- CVE-2023-1513: Fixed an uninitialized portions of the kvm_debugregs structure that could be copied to userspace, causing an information leak (bsc#1209532).
- CVE-2023-1582: Fixed soft lockup in __page_mapcount (bsc#1209636).
- CVE-2023-23004: Fixed misinterpretation of get_sg_table return value (bsc#1208843).
- CVE-2023-25012: Fixed a use-after-free in bigben_set_led() (bsc#1207560).
- CVE-2023-28327: Fixed DoS in in_skb in unix_diag_get_exact() (bsc#1209290).
- CVE-2023-28328: Fixed a denial of service issue in az6027 driver in drivers/media/usb/dev-usb/az6027.c (bsc#1209291).
- CVE-2023-28464: Fixed user-after-free that could lead to privilege escalation in hci_conn_cleanup in net/bluetooth/hci_conn.c (bsc#1209052).
- CVE-2023-28466: Fixed race condition that could lead to use-after-free or NULL pointer dereference in do_tls_getsockopt in net/tls/tls_main.c (bsc#1209366).
- CVE-2023-28772: Fixed buffer overflow in seq_buf_putmem_hex in lib/seq_buf.c (bsc#1209549).
The following non-security bugs were fixed:
- Do not sign the vanilla kernel (bsc#1209008).
- PCI: hv: Add a per-bus mutex state_lock (bsc#1209785).
- PCI: hv: Fix a race condition in hv_irq_unmask() that can cause panic (bsc#1209785).
- PCI: hv: Remove the useless hv_pcichild_state from struct hv_pci_dev (bsc#1209785).
- PCI: hv: fix a race condition bug in hv_pci_query_relations() (bsc#1209785).
- Revert 'PCI: hv: Fix a timing issue which causes kdump to fail occasionally' (bsc#1209785).
- ipv6: raw: Deduct extension header length in rawv6_push_pending_frames (bsc#1207168).
- kernel-module-subpackage: Fix expansion with -b parameter (bsc#1208179).
- net: ena: optimize data access in fast-path code (bsc#1208137).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:1827-1
Released: Thu Apr 13 10:18:16 2023
Summary: Security update for containerd
Type: security
Severity: moderate
References: 1208423,1208426,CVE-2023-25153,CVE-2023-25173
This update for containerd fixes the following issues:
Update to containerd v1.6.19:
Security fixes:
- CVE-2023-25153: Fixed OCI image importer memory exhaustion (bnc#1208423).
- CVE-2023-25173: Fixed supplementary groups not set up properly (bnc#1208426).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:1886-1
Released: Tue Apr 18 11:15:49 2023
Summary: Recommended update for dracut
Type: recommended
Severity: moderate
References: 1204929,1208929
This update for dracut fixes the following issues:
- Update to version 049.1+suse.251.g0b8dad5:
* omission updates in conf files (bsc#1208929)
* chown using rpc default group (bsc#1204929)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:1920-1
Released: Wed Apr 19 16:22:58 2023
Summary: Recommended update for hwdata
Type: recommended
Severity: moderate
References:
This update for hwdata fixes the following issues:
- Update pci, usb and vendor ids
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:1932-1
Released: Thu Apr 20 18:40:58 2023
Summary: Recommended update for grub2
Type: recommended
Severity: moderate
References: 1187810,1189036,1207064,1209165,1209234,1209372,1209667
This update for grub2 fixes the following issues:
- Fix aarch64 kiwi image's file not found due to '/@' prepended to path in btrfs filesystem. (bsc#1209165)
- Make grub more robust against storage race condition causing system boot failures (bsc#1189036)
- Fix unknown filesystem error on disks with 4096 sector size (bsc#1207064, bsc#1209234)
- Fix installation over serial console ends up in infinite boot loop (bsc#1187810, bsc#1209667, bsc#1209372)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:1945-1
Released: Fri Apr 21 14:13:27 2023
Summary: Recommended update for elfutils
Type: recommended
Severity: moderate
References: 1203599
This update for elfutils fixes the following issues:
- go1.19 builds created debuginfo that was not extractable using rpm / elfutils 0.177. (bsc#1203599)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:1993-1
Released: Tue Apr 25 13:50:58 2023
Summary: Security update for avahi
Type: security
Severity: moderate
References: 1210328,CVE-2023-1981
This update for avahi fixes the following issues:
- CVE-2023-1981: Fixed crash in avahi-daemon (bsc#1210328).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2003-1
Released: Tue Apr 25 18:05:42 2023
Summary: Security update for runc
Type: security
Severity: important
References: 1168481,1208962,1209884,1209888,CVE-2023-25809,CVE-2023-27561,CVE-2023-28642
This update for runc fixes the following issues:
Update to runc v1.1.5:
Security fixes:
- CVE-2023-25809: Fixed rootless `/sys/fs/cgroup` is writable when cgroupns isn't unshared (bnc#1209884).
- CVE-2023-27561: Fixed regression that reintroduced CVE-2019-19921 vulnerability (bnc#1208962).
- CVE-2023-28642: Fixed AppArmor/SELinux bypass with symlinked /proc (bnc#1209888).
Other fixes:
- Fix the inability to use `/dev/null` when inside a container.
- Fix changing the ownership of host's `/dev/null` caused by fd redirection (bsc#1168481).
- Fix rare runc exec/enter unshare error on older kernels.
- nsexec: Check for errors in `write_log()`.
- Drop version-specific Go requirement.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2048-1
Released: Wed Apr 26 21:05:45 2023
Summary: Security update for libxml2
Type: security
Severity: important
References: 1065270,1199132,1204585,1210411,1210412,CVE-2021-3541,CVE-2022-29824,CVE-2023-28484,CVE-2023-29469
This update for libxml2 fixes the following issues:
- CVE-2023-29469: Fixed inconsistent result when hashing empty strings (bsc#1210412).
- CVE-2023-28484: Fixed NULL pointer dereference in xmlSchemaFixupComplexType (bsc#1210411).
- CVE-2022-29824: Fixed integer overflow leading to out-of-bounds write in buf.c (bsc#1199132).
The following non-security bugs were fixed:
- Added W3C conformance tests to the testsuite (bsc#1204585).
- Fixed NULL pointer dereference when parsing invalid data (glgo#libxml2!15) (bsc#1065270) .
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2070-1
Released: Fri Apr 28 13:56:33 2023
Summary: Security update for shadow
Type: security
Severity: moderate
References: 1210507,CVE-2023-29383
This update for shadow fixes the following issues:
- CVE-2023-29383: Fixed apparent /etc/shadow manipulation via chfn (bsc#1210507).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2074-1
Released: Fri Apr 28 17:02:25 2023
Summary: Security update for zstd
Type: security
Severity: moderate
References: 1209533,CVE-2022-4899
This update for zstd fixes the following issues:
- CVE-2022-4899: Fixed buffer overrun in util.c (bsc#1209533).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2076-1
Released: Fri Apr 28 17:35:05 2023
Summary: Security update for glib2
Type: security
Severity: moderate
References: 1209713,1209714,1210135,CVE-2023-24593,CVE-2023-25180
This update for glib2 fixes the following issues:
- CVE-2023-24593: Fixed a denial of service caused by handling a malicious text-form variant (bsc#1209714).
- CVE-2023-25180: Fixed a denial of service caused by malicious serialised variant (bsc#1209713).
The following non-security bug was fixed:
- Fixed regression on s390x (bsc#1210135, glgo#GNOME/glib!2978).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2084-1
Released: Tue May 2 13:31:52 2023
Summary: Security update for shim
Type: security
Severity: important
References: 1210382,CVE-2022-28737
This update for shim fixes the following issues:
- CVE-2022-28737 was missing as reference previously.
- Upgrade shim-install for bsc#1210382
After closing Leap-gap project since Leap 15.3, openSUSE Leap direct
uses shim from SLE. So the ca_string is 'SUSE Linux Enterprise Secure Boot
CA1', not 'openSUSE Secure Boot CA1'. It causes that the update_boot=no,
so all files in /boot/efi/EFI/boot are not updated.
Logic was added that is using ID field in os-release for
checking Leap distro and set ca_string to 'SUSE Linux Enterprise Secure
Boot CA1'. Then /boot/efi/EFI/boot/* can also be updated.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2103-1
Released: Thu May 4 20:05:44 2023
Summary: Security update for vim
Type: security
Severity: moderate
References: 1208828,1209042,1209187,CVE-2023-1127,CVE-2023-1264,CVE-2023-1355
This update for vim fixes the following issues:
Updated to version 9.0 with patch level 1443, fixes the following security problems
- CVE-2023-1264: Fixed NULL Pointer Dereference (bsc#1209042).
- CVE-2023-1355: Fixed NULL Pointer Dereference (bsc#1209187).
- CVE-2023-1127: Fixed divide by zero in scrolldown() (bsc#1208828).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2104-1
Released: Thu May 4 21:05:30 2023
Summary: Recommended update for procps
Type: recommended
Severity: moderate
References: 1209122
This update for procps fixes the following issue:
- Allow - as leading character to ignore possible errors on systctl entries (bsc#1209122)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2111-1
Released: Fri May 5 14:34:00 2023
Summary: Security update for ncurses
Type: security
Severity: moderate
References: 1210434,CVE-2023-29491
This update for ncurses fixes the following issues:
- CVE-2023-29491: Fixed memory corruption issues when processing malformed terminfo data (bsc#1210434).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2131-1
Released: Tue May 9 13:35:24 2023
Summary: Recommended update for openssh
Type: recommended
Severity: important
References: 1207014
This update for openssh fixes the following issues:
- Remove some patches that cause invalid environment assignments (bsc#1207014).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2133-1
Released: Tue May 9 13:37:10 2023
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1206513
This update for zlib fixes the following issues:
- Add DFLTCC support for using inflate() with a small window (bsc#1206513)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2148-1
Released: Tue May 9 17:05:48 2023
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: 1202353,1205128,1206992,1207088,1209687,1209739,1209777,1209871,1210202,1210203,1210301,1210329,1210336,1210337,1210414,1210453,1210469,1210498,1210506,1210629,1210647,CVE-2020-36691,CVE-2022-2196,CVE-2022-43945,CVE-2023-1611,CVE-2023-1670,CVE-2023-1838,CVE-2023-1855,CVE-2023-1872,CVE-2023-1989,CVE-2023-1990,CVE-2023-1998,CVE-2023-2008,CVE-2023-2124,CVE-2023-2162,CVE-2023-2176,CVE-2023-30772
The SUSE Linux Enterprise 15 SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2023-2124: Fixed an out of bound access in the XFS subsystem that could have lead to denial-of-service or potentially privilege escalation (bsc#1210498).
- CVE-2023-1872:Fixed a use after free vulnerability in the io_uring subsystem, which could lead to local privilege escalation (bsc#1210414).
- CVE-2022-2196: Fixed a regression related to KVM that allowed for speculative execution attacks (bsc#1206992).
- CVE-2023-1670: Fixed a use after free in the Xircom 16-bit PCMCIA Ethernet driver. A local user could use this flaw to crash the system or potentially escalate their privileges on the system (bsc#1209871).
- CVE-2023-2162: Fixed an use-after-free flaw in iscsi_sw_tcp_session_create (bsc#1210647).
- CVE-2023-2176: A vulnerability was found in compare_netdev_and_ip in drivers/infiniband/core/cma.c in RDMA. The improper cleanup results in out-of-boundary read, where a local user can utilize this problem to crash the system or escalation of privilege (bsc#1210629).
- CVE-2023-1998: Fixed a use after free during login when accessing the shost ipaddress (bsc#1210506).
- CVE-2023-30772: Fixed a race condition and resultant use-after-free in da9150_charger_remove (bsc#1210329).
- CVE-2023-2008: A flaw was found in the fault handler of the udmabuf device driver. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code (bsc#1210453).
- CVE-2023-1855: Fixed a use after free in xgene_hwmon_remove (bsc#1210202).
- CVE-2020-36691: Fixed a denial of service vulnerability via a nested Netlink policy with a back reference (bsc#1209777).
- CVE-2023-1990: Fixed a use after free in ndlc_remove (bsc#1210337).
- CVE-2023-1989: Fixed a use after free in btsdio_remove (bsc#1210336).
- CVE-2022-43945: Fixed a buffer overflow in the NFSD implementation (bsc#1205128).
- CVE-2023-1611: Fixed an use-after-free flaw in btrfs_search_slot (bsc#1209687).
- CVE-2023-1838: Fixed an use-after-free flaw in virtio network subcomponent. This flaw could allow a local attacker to crash the system and lead to a kernel information leak problem. (bsc#1210203).
The following non-security bugs were fixed:
- Drivers: vmbus: Check for channel allocation before looking up relids (git-fixes).
- cifs: fix negotiate context parsing (bsc#1210301).
- keys: Fix linking a duplicate key to a keyring's assoc_array (bsc#1207088).
- vmxnet3: use gro callback when UPT is enabled (bsc#1209739).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2166-1
Released: Wed May 10 20:18:51 2023
Summary: Recommended update for supportutils-plugin-suse-public-cloud
Type: recommended
Severity: moderate
References: 1209026
This update for supportutils-plugin-suse-public-cloud fixes the following issues:
- Update to version 1.0.7 (bsc#1209026)
+ Include information about the cached registration data
+ Collect the data that is sent to the update infrastructure during
registration
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2215-1
Released: Tue May 16 11:24:41 2023
Summary: Security update for dmidecode
Type: security
Severity: moderate
References: 1210418,CVE-2023-30630
This update for dmidecode fixes the following issues:
- CVE-2023-30630: Fixed potential privilege escalation vulnerability via file overwrite (bsc#1210418).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2216-1
Released: Tue May 16 11:27:50 2023
Summary: Recommended update for python-packaging
Type: recommended
Severity: important
References: 1186870,1199282
This update for python-packaging fixes the following issues:
- Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
- Add patch to fix testsuite on big-endian targets
- Ignore python3.6.2 since the test doesn't support it.
- update to 21.3:
* Add a pp3-none-any tag
* Replace the blank pyparsing 3 exclusion with a 3.0.5 exclusion
* Fix a spelling mistake
- update to 21.2:
* Update documentation entry for 21.1.
* Update pin to pyparsing to exclude 3.0.0.
* PEP 656: musllinux support
* Drop support for Python 2.7, Python 3.4 and Python 3.5
* Replace distutils usage with sysconfig
* Add support for zip files
* Use cached hash attribute to short-circuit tag equality comparisons
* Specify the default value for the 'specifier' argument to 'SpecifierSet'
* Proper keyword-only 'warn' argument in packaging.tags
* Correctly remove prerelease suffixes from ~= check
* Fix type hints for 'Version.post' and 'Version.dev'
* Use typing alias 'UnparsedVersion'
* Improve type inference
* Tighten the return typeo
- Add Provides: for python*dist(packaging). (bsc#1186870)
- add no-legacyversion-warning.patch to restore compatibility with 20.4
- update to 20.9:
* Add support for the ``macosx_10_*_universal2`` platform tags
* Introduce ``packaging.utils.parse_wheel_filename()`` and ``parse_sdist_filename()``
- update to 20.8:
* Revert back to setuptools for compatibility purposes for some Linux distros
* Do not insert an underscore in wheel tags when the interpreter version number is more than 2 digits
* Fix flit configuration, to include LICENSE files
* Make `intel` a recognized CPU architecture for the `universal` macOS platform tag
* Add some missing type hints to `packaging.requirements`
* Officially support Python 3.9
* Deprecate the ``LegacyVersion`` and ``LegacySpecifier`` classes
* Handle ``OSError`` on non-dynamic executables when attempting to resolve the glibc version string.
- update to 20.4:
* Canonicalize version before comparing specifiers.
* Change type hint for ``canonicalize_name`` to return ``packaging.utils.NormalizedName``.
This enables the use of static typing tools (like mypy) to detect mixing of normalized and un-normalized names.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2227-1
Released: Wed May 17 09:57:41 2023
Summary: Security update for curl
Type: security
Severity: important
References: 1211231,1211232,1211233,1211339,CVE-2023-28320,CVE-2023-28321,CVE-2023-28322
This update for curl fixes the following issues:
- CVE-2023-28320: Fixed siglongjmp race condition (bsc#1211231).
- CVE-2023-28321: Fixed IDN wildcard matching (bsc#1211232).
- CVE-2023-28322: Fixed POST-after-PUT confusion (bsc#1211233).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2237-1
Released: Wed May 17 17:10:07 2023
Summary: Recommended update for vim
Type: recommended
Severity: moderate
References: 1211144
This update for vim fixes the following issues:
* Make xxd conflict with the previous vim packages to avoid a file conflict during migration (bsc#1211144)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2247-1
Released: Thu May 18 17:04:38 2023
Summary: Recommended update for libzypp, zypper
Type: recommended
Severity: moderate
References: 1127591,1195633,1208329,1209406,1210870
This update for libzypp, zypper fixes the following issues:
- Installing local RPM packages fails if /usr/bin/find is not installed (bsc#1195633)
- multicurl: propagate ssl settings stored in repo url (bsc#1127591)
- MediaCurl: Fix endless loop if wrong credentials are stored in credentials.cat (bsc#1210870)
- zypp.conf: Introduce 'download.connect_timeout' [60 sec.] (bsc#1208329)
- Teach MediaNetwork to retry on HTTP2 errors.
- Fix selecting installed patterns from picklist (bsc#1209406)
- man: better explanation of --priority
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2254-1
Released: Fri May 19 15:20:23 2023
Summary: Security update for containerd
Type: security
Severity: important
References: 1210298
This update for containerd fixes the following issues:
- Rebuild containerd with a current version of go to catch up on bugfixes and security fixes (bsc#1210298)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2256-1
Released: Fri May 19 15:26:43 2023
Summary: Security update for runc
Type: security
Severity: important
References: 1200441
This update of runc fixes the following issues:
- rebuild the package with the go 19.9 secure release (bsc#1200441).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2278-1
Released: Wed May 24 07:56:35 2023
Summary: Recommended update for dracut
Type: recommended
Severity: moderate
References: 1210640
This update for dracut fixes the following issues:
- Update to version 049.1+suse.253.g1008bf13:
* fix(network-legacy): handle do_dhcp calls without arguments (bsc#1210640)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2313-1
Released: Tue May 30 09:29:25 2023
Summary: Security update for c-ares
Type: security
Severity: important
References: 1211604,1211605,1211606,1211607,CVE-2023-31124,CVE-2023-31130,CVE-2023-31147,CVE-2023-32067
This update for c-ares fixes the following issues:
Update to version 1.19.1:
- CVE-2023-32067: 0-byte UDP payload causes Denial of Service (bsc#1211604)
- CVE-2023-31147: Insufficient randomness in generation of DNS query IDs (bsc#1211605)
- CVE-2023-31130: Buffer Underwrite in ares_inet_net_pton() (bsc#1211606)
- CVE-2023-31124: AutoTools does not set CARES_RANDOM_FILE during cross compilation (bsc#1211607)
- Fix uninitialized memory warning in test
- ares_getaddrinfo() should allow a port of 0
- Fix memory leak in ares_send() on error
- Fix comment style in ares_data.h
- Fix typo in ares_init_options.3
- Sync ax_pthread.m4 with upstream
- Sync ax_cxx_compile_stdcxx_11.m4 with upstream to fix uclibc support
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2333-1
Released: Wed May 31 09:01:28 2023
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1210593
This update for zlib fixes the following issue:
- Fix function calling order to avoid crashes (bsc#1210593)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2343-1
Released: Thu Jun 1 11:35:28 2023
Summary: Security update for openssl-1_1
Type: security
Severity: important
References: 1211430,CVE-2023-2650
This update for openssl-1_1 fixes the following issues:
- CVE-2023-2650: Fixed possible denial of service translating ASN.1 object identifiers (bsc#1211430).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2347-1
Released: Thu Jun 1 14:33:10 2023
Summary: Security update for cups
Type: security
Severity: important
References: 1211643,CVE-2023-32324
This update for cups fixes the following issues:
- CVE-2023-32324: Fixed a buffer overflow in format_log_line() which could cause a denial-of-service (bsc#1211643).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2355-1
Released: Fri Jun 2 12:48:25 2023
Summary: Recommended update for librelp
Type: recommended
Severity: moderate
References: 1210649
This update for librelp fixes the following issues:
- update to librelp 1.11.0 (bsc#1210649)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2365-1
Released: Mon Jun 5 09:22:46 2023
Summary: Recommended update for util-linux
Type: recommended
Severity: moderate
References: 1210164
This update for util-linux fixes the following issues:
- Add upstream patches (bsc#1210164, bsc#1210164, bsc#1210164)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2430-1
Released: Tue Jun 6 22:55:28 2023
Summary: Recommended update for supportutils-plugin-suse-public-cloud
Type: recommended
Severity: critical
References:
This update for supportutils-plugin-suse-public-cloud fixes the following issues:
- This update will be delivered to SLE Micro. (SMO-219)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2484-1
Released: Mon Jun 12 08:49:58 2023
Summary: Security update for openldap2
Type: security
Severity: moderate
References: 1211795,CVE-2023-2953
This update for openldap2 fixes the following issues:
- CVE-2023-2953: Fixed null pointer deref in ber_memalloc_x (bsc#1211795).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2497-1
Released: Tue Jun 13 15:37:25 2023
Summary: Recommended update for libzypp
Type: recommended
Severity: important
References: 1211661,1212187
This update for libzypp fixes the following issues:
- Fix 'Curl error 92' when synchronizing SUSE Manager repositories. [bsc#1212187]
- Do not unconditionally release a medium if provideFile failed. [bsc#1211661]
The following package changes have been done:
- containerd-ctr-1.6.19-150000.90.3 updated
- containerd-1.6.19-150000.90.3 updated
- cups-config-2.2.7-150000.3.43.1 updated
- curl-7.66.0-150200.4.57.1 updated
- dmidecode-3.2-150100.9.16.1 updated
- docker-20.10.23_ce-150000.175.1 updated
- dracut-049.1+suse.253.g1008bf13-150200.3.69.1 updated
- elfutils-0.177-150300.11.6.1 updated
- glibc-locale-base-2.31-150300.46.1 updated
- glibc-locale-2.31-150300.46.1 updated
- glibc-2.31-150300.46.1 updated
- grub2-i386-pc-2.04-150300.22.37.1 updated
- grub2-x86_64-efi-2.04-150300.22.37.1 updated
- grub2-x86_64-xen-2.04-150300.22.37.1 updated
- grub2-2.04-150300.22.37.1 updated
- hwdata-0.368-150000.3.57.1 updated
- kernel-default-5.3.18-150300.59.121.2 updated
- libasm1-0.177-150300.11.6.1 updated
- libavahi-client3-0.7-150100.3.24.1 updated
- libavahi-common3-0.7-150100.3.24.1 updated
- libblkid1-2.36.2-150300.4.35.1 updated
- libcares2-1.19.1-150000.3.23.1 updated
- libcups2-2.2.7-150000.3.43.1 updated
- libcurl4-7.66.0-150200.4.57.1 updated
- libdw1-0.177-150300.11.6.1 updated
- libebl-plugins-0.177-150300.11.6.1 updated
- libelf1-0.177-150300.11.6.1 updated
- libfdisk1-2.36.2-150300.4.35.1 updated
- libgcc_s1-12.2.1+git416-150000.1.7.1 updated
- libglib-2_0-0-2.62.6-150200.3.15.1 updated
- libldap-2_4-2-2.4.46-150200.14.14.1 updated
- libldap-data-2.4.46-150200.14.14.1 updated
- libldb2-2.4.4-150300.3.23.1 updated
- libmount1-2.36.2-150300.4.35.1 updated
- libncurses6-6.1-150000.5.15.1 updated
- libopenssl1_1-1.1.1d-150200.11.65.1 updated
- libprocps7-3.3.15-150000.7.31.1 updated
- libpython3_6m1_0-3.6.15-150300.10.45.1 updated
- librelp0-1.11.0-150000.3.3.1 updated
- libsmartcols1-2.36.2-150300.4.35.1 updated
- libsolv-tools-0.7.24-150200.18.1 updated
- libstdc++6-12.2.1+git416-150000.1.7.1 updated
- libuuid1-2.36.2-150300.4.35.1 updated
- libxml2-2-2.9.7-150000.3.57.1 updated
- libz1-1.2.11-150000.3.45.1 updated
- libzstd1-1.4.4-150000.1.9.1 updated
- libzypp-17.31.13-150200.66.1 updated
- login_defs-4.8.1-150300.4.6.1 updated
- mokutil-0.4.0-150200.4.6.1 added
- ncurses-utils-6.1-150000.5.15.1 updated
- nfs-client-2.1.1-150100.10.32.1 updated
- openssh-clients-8.4p1-150300.3.18.2 updated
- openssh-common-8.4p1-150300.3.18.2 updated
- openssh-server-8.4p1-150300.3.18.2 updated
- openssh-8.4p1-150300.3.18.2 updated
- openssl-1_1-1.1.1d-150200.11.65.1 updated
- openssl-1.1.1d-1.46 added
- procps-3.3.15-150000.7.31.1 updated
- python3-PyJWT-2.4.0-150200.3.6.2 updated
- python3-base-3.6.15-150300.10.45.1 updated
- python3-cryptography-3.3.2-150200.19.1 updated
- python3-packaging-21.3-150200.3.3.1 updated
- python3-3.6.15-150300.10.45.1 updated
- rsyslog-module-relp-8.2106.0-150200.4.35.1 added
- runc-1.1.5-150000.43.1 updated
- samba-client-libs-4.15.13+git.636.53d93c5b9d6-150300.3.52.1 updated
- samba-libs-4.15.13+git.636.53d93c5b9d6-150300.3.52.1 updated
- shadow-4.8.1-150300.4.6.1 updated
- shim-15.7-150300.4.16.1 updated
- sudo-1.9.5p2-150300.3.24.1 updated
- supportutils-plugin-suse-public-cloud-1.0.7-150000.3.14.1 updated
- systemd-presets-common-SUSE-15-150100.8.20.1 updated
- terminfo-base-6.1-150000.5.15.1 updated
- terminfo-6.1-150000.5.15.1 updated
- timezone-2023c-150000.75.23.1 updated
- util-linux-systemd-2.36.2-150300.4.35.1 updated
- util-linux-2.36.2-150300.4.35.1 updated
- vim-data-common-9.0.1443-150000.5.43.1 updated
- vim-9.0.1443-150000.5.43.1 updated
- xen-libs-4.14.5_12-150300.3.48.1 updated
- xen-tools-domU-4.14.5_12-150300.3.48.1 updated
- xxd-9.0.1443-150000.5.43.1 added
- zypper-1.14.60-150200.51.1 updated
- python3-ecdsa-0.13.3-3.7.1 removed
More information about the sle-security-updates
mailing list