SUSE-CU-2023:501-1: Security update of ses/7.1/ceph/keepalived

sle-security-updates at lists.suse.com sle-security-updates at lists.suse.com
Wed Mar 1 08:02:56 UTC 2023


SUSE Container Update Advisory: ses/7.1/ceph/keepalived
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:501-1
Container Tags        : ses/7.1/ceph/keepalived:2.0.19 , ses/7.1/ceph/keepalived:2.0.19.3.5.316 , ses/7.1/ceph/keepalived:latest , ses/7.1/ceph/keepalived:sle15.3.pacific
Container Release     : 3.5.316
Severity              : important
Type                  : security
References            : 1087072 1121365 1167864 1177460 1177460 1180995 1181961 1183533
                        1194038 1194530 1198472 1198523 1199074 1199467 1199944 1200723
                        1201103 1201959 1201978 1202324 1202750 1202812 1203046 1203216
                        1203652 1203652 1203681 1203857 1203911 1204111 1204112 1204113
                        1204137 1204179 1204211 1204256 1204366 1204367 1204383 1204423
                        1204649 1204708 1204968 1205000 1205126 1205148 1205150 1205156
                        1205646 1206044 1206309 1206337 1206412 1206579 1206738 1206828
                        1207533 1207534 1207536 1207538 CVE-2016-3709 CVE-2020-10696
                        CVE-2021-20206 CVE-2021-22569 CVE-2021-28153 CVE-2022-1664 CVE-2022-1941
                        CVE-2022-24805 CVE-2022-24806 CVE-2022-24807 CVE-2022-24808 CVE-2022-24809
                        CVE-2022-24810 CVE-2022-2990 CVE-2022-3171 CVE-2022-32221 CVE-2022-3821
                        CVE-2022-40303 CVE-2022-40304 CVE-2022-42010 CVE-2022-42011 CVE-2022-42012
                        CVE-2022-42898 CVE-2022-4304 CVE-2022-43552 CVE-2022-43680 CVE-2022-4415
                        CVE-2022-4450 CVE-2022-44792 CVE-2022-44793 CVE-2022-46908 CVE-2022-47629
                        CVE-2023-0215 CVE-2023-0286 
-----------------------------------------------------------------

The container ses/7.1/ceph/keepalived was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3766-1
Released:    Wed Oct 26 11:38:01 2022
Summary:     Security update for buildah
Type:        security
Severity:    important
References:  1167864,1181961,1202812,CVE-2020-10696,CVE-2021-20206,CVE-2022-2990
This update for buildah fixes the following issues:

- CVE-2021-20206: Fixed an issue in libcni that could allow an attacker to execute arbitrary binaries on the host (bsc#1181961).
- CVE-2020-10696: Fixed an issue that could lead to files being overwritten during the image building process (bsc#1167864).
- CVE-2022-2990: Fixed possible information disclosure and modification / bsc#1202812

Buildah was updated to version 1.27.1:

* run: add container gid to additional groups

- Add fix for CVE-2022-2990 / bsc#1202812


Update to version 1.27.0:

* Don't try to call runLabelStdioPipes if spec.Linux is not set
* build: support filtering cache by duration using --cache-ttl
* build: support building from commit when using git repo as build context
* build: clean up git repos correctly when using subdirs
* integration tests: quote '?' in shell scripts
* test: manifest inspect should have OCIv1 annotation
* vendor: bump to c/common at 87fab4b7019a
* Failure to determine a file or directory should print an error
* refactor: remove unused CommitOptions from generateBuildOutput
* stage_executor: generate output for cases with no commit
* stage_executor, commit: output only if last stage in build
* Use errors.Is() instead of os.Is{Not,}Exist
* Minor test tweak for podman-remote compatibility
* Cirrus: Use the latest imgts container
* imagebuildah: complain about the right Dockerfile
* tests: don't try to wrap `nil` errors
* cmd/buildah.commitCmd: don't shadow 'err'
* cmd/buildah.pullCmd: complain about DecryptConfig/EncryptConfig
* Fix a copy/paste error message
* Fix a typo in an error message
* build,cache: support pulling/pushing cache layers to/from remote sources
* Update vendor of containers/(common, storage, image)
* Rename chroot/run.go to chroot/run_linux.go
* Don't bother telling codespell to skip files that don't exist
* Set user namespace defaults correctly for the library
* imagebuildah: optimize cache hits for COPY and ADD instructions
* Cirrus: Update VM images w/ updated bats
* docs, run: show SELinux label flag for cache and bind mounts
* imagebuildah, build: remove undefined concurrent writes
* bump github.com/opencontainers/runtime-tools
* Add FreeBSD support for 'buildah info'
* Vendor in latest containers/(storage, common, image)
* Add freebsd cross build targets
* Make the jail package build on 32bit platforms
* Cirrus: Ensure the build-push VM image is labeled
* GHA: Fix dynamic script filename
* Vendor in containers/(common, storage, image)
* Run codespell
* Remove import of github.com/pkg/errors
* Avoid using cgo in pkg/jail
* Rename footypes to fooTypes for naming consistency
* Move cleanupTempVolumes and cleanupRunMounts to run_common.go
* Make the various run mounts work for FreeBSD
* Move get{Bind,Tmpfs,Secret,SSH}Mount to run_common.go
* Move runSetupRunMounts to run_common.go
* Move cleanableDestinationListFromMounts to run_common.go
* Make setupMounts and runSetupBuiltinVolumes work on FreeBSD
* Move setupMounts and runSetupBuiltinVolumes to run_common.go
* Tidy up - runMakeStdioPipe can't be shared with linux
* Move runAcceptTerminal to run_common.go
* Move stdio copying utilities to run_common.go
* Move runUsingRuntime and runCollectOutput to run_common.go
* Move fileCloser, waitForSync and contains to run_common.go
* Move checkAndOverrideIsolationOptions to run_common.go
* Move DefaultNamespaceOptions to run_common.go
* Move getNetworkInterface to run_common.go
* Move configureEnvironment to run_common.go
* Don't crash in configureUIDGID if Process.Capabilities is nil
* Move configureUIDGID to run_common.go
* Move runLookupPath to run_common.go
* Move setupTerminal to run_common.go
* Move etc file generation utilities to run_common.go
* Add run support for FreeBSD
* Add a simple FreeBSD jail library
* Add FreeBSD support to pkg/chrootuser
* Sync call signature for RunUsingChroot with chroot/run.go
* test: verify feature to resolve basename with args
* vendor: bump openshift/imagebuilder to master at 4151e43
* GHA: Remove required reserved-name use
* buildah: set XDG_RUNTIME_DIR before setting default runroot
* imagebuildah: honor build output even if build container is not commited
* chroot: honor DefaultErrnoRet
* [CI:DOCS] improve pull-policy documentation
* tests: retrofit test since --file does not supports dir
* Switch to golang native error wrapping
* BuildDockerfiles: error out if path to containerfile is a directory
* define.downloadToDirectory: fail early if bad HTTP response
* GHA: Allow re-use of Cirrus-Cron fail-mail workflow
* add: fail on bad http response instead of writing to container
* [CI:DOCS] Update buildahimage comment
* lint: inspectable is never nil
* vendor: c/common to common at 7e1563b
* build: support OCI hooks for ephemeral build containers
* [CI:BUILD] Install latest buildah instead of compiling
* Add subid support with BuildRequires and BUILDTAG [NO NEW TESTS NEEDED]
* Make sure cpp is installed in buildah images
* demo: use unshare for rootless invocations
* buildah.spec.rpkg: initial addition
* build: fix test for subid 4
* build, userns: add support for --userns=auto
* Fix building upstream buildah image
* Remove redundant buildahimages-are-sane validation
* Docs: Update multi-arch buildah images readme
* Cirrus: Migrate multiarch build off github actions
* retrofit-tests: we skip unused stages so use stages
* stage_executor: dont rely on stage while looking for additional-context
* buildkit, multistage: skip computing unwanted stages
* More test cleanup
* copier: work around freebsd bug for 'mkdir /'
* Replace $BUILDAH_BINARY with buildah() function
* Fix up buildah images
* Make util and copier build on FreeBSD
* Vendor in latest github.com/sirupsen/logrus
* Makefile: allow building without .git
* run_unix: don't return an error from getNetworkInterface
* run_unix: return a valid DefaultNamespaceOptions
* Update vendor of containers/storage
* chroot: use ActKillThread instead of ActKill
* use resolvconf package from c/common/libnetwork
* update c/common to latest main
* copier: add `NoOverwriteNonDirDir` option
* Sort buildoptions and move cli/build functions to internal
* Fix TODO: de-spaghettify run mounts
* Move options parsing out of build.go and into pkg/cli
* [CI:DOCS] Tutorial 04 - Include Debian/Ubuntu deps
* build, multiarch: support splitting build logs for --platform
* [CI:BUILD] WIP Cleanup Image Dockerfiles
* cli remove stutter
* docker-parity: ignore sanity check if baseImage history is null
* build, commit: allow disabling image history with --omit-history
* Fix use generic/ambiguous DEBUG name
* Cirrus: use Ubuntu 22.04 LTS
* Fix codespell errors
* Remove util.StringInSlice because it is defined in containers/common
* buildah: add support for renaming a device in rootless setups
* squash: never use build cache when computing last step of last stage
* Update vendor of containers/(common, storage, image)
* buildkit: supports additionalBuildContext in builds via --build-context
* buildah source pull/push: show progress bar
* run: allow resuing secret twice in different RUN steps
* test helpers: default to being rootless-aware
* Add --cpp-flag flag to buildah build
* build: accept branch and subdirectory when context is git repo
* Vendor in latest containers/common
* vendor: update c/storage and c/image
* Fix gentoo install docs
* copier: move NSS load to new process
* Add test for prevention of reusing encrypted layers
* Make `buildah build --label foo` create an empty 'foo' label again


Update to version 1.26.4:

* build, multiarch: support splitting build logs for --platform
* copier: add `NoOverwriteNonDirDir` option
* docker-parity: ignore sanity check if baseImage history is null
* build, commit: allow disabling image history with --omit-history
* buildkit: supports additionalBuildContext in builds via --build-context
* Add --cpp-flag flag to buildah build

Update to version 1.26.3:

* define.downloadToDirectory: fail early if bad HTTP response
* add: fail on bad http response instead of writing to container
* squash: never use build cache when computing last step of last stage
* run: allow resuing secret twice in different RUN steps
* integration tests: update expected error messages
* integration tests: quote '?' in shell scripts
* Use errors.Is() to check for storage errors
* lint: inspectable is never nil
* chroot: use ActKillThread instead of ActKill
* chroot: honor DefaultErrnoRet
* Set user namespace defaults correctly for the library
* contrib/rpm/buildah.spec: fix `rpm` parser warnings

Drop requires on apparmor pattern, should be moved elsewhere
for systems which want AppArmor instead of SELinux.

- Update BuildRequires to libassuan-devel >= 2.5.2, pkgconfig file
  is required to build.

Update to version 1.26.2:

* buildah: add support for renaming a device in rootless setups

Update to version 1.26.1:

* Make `buildah build --label foo` create an empty 'foo' label again
* imagebuildah,build: move deepcopy of args before we spawn goroutine
* Vendor in containers/storage v1.40.2
* buildah.BuilderOptions.DefaultEnv is ignored, so mark it as deprecated
* help output: get more consistent about option usage text
* Handle OS version and features flags
* buildah build: --annotation and --label should remove values
* buildah build: add a --env
* buildah: deep copy options.Args before performing concurrent build/stage
* test: inline platform and builtinargs behaviour
* vendor: bump imagebuilder to master/009dbc6
* build: automatically set correct TARGETPLATFORM where expected
* Vendor in containers/(common, storage, image)
* imagebuildah, executor: process arg variables while populating baseMap
* buildkit: add support for custom build output with --output
* Cirrus: Update CI VMs to F36
* fix staticcheck linter warning for deprecated function
* Fix docs build on FreeBSD
* copier.unwrapError(): update for Go 1.16
* copier.PutOptions: add StripSetuidBit/StripSetgidBit/StripStickyBit
* copier.Put(): write to read-only directories
* Ed's periodic test cleanup
* using consistent lowercase 'invalid' word in returned err msg
* use etchosts package from c/common
* run: set actual hostname in /etc/hostname to match docker parity
* Update vendor of containers/(common,storage,image)
* manifest-create: allow creating manifest list from local image
* Update vendor of storage,common,image
* Initialize network backend before first pull
* oci spec: change special mount points for namespaces
* tests/helpers.bash: assert handle corner cases correctly
* buildah: actually use containers.conf settings
* integration tests: learn to start a dummy registry
* Fix error check to work on Podman
* buildah build should accept at most one arg
* tests: reduce concurrency for flaky bud-multiple-platform-no-run
* vendor in latest containers/common,image,storage
* manifest-add: allow override arch,variant while adding image
* Remove a stray `\` from .containerenv
* Vendor in latest opencontainers/selinux v1.10.1
* build, commit: allow removing default identity labels
* Create shorter names for containers based on image IDs
* test: skip rootless on cgroupv2 in root env
* fix hang when oci runtime fails
* Set permissions for GitHub actions
* copier test: use correct UID/GID in test archives
* run: set parent-death signals and forward SIGHUP/SIGINT/SIGTERM


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3773-1
Released:    Wed Oct 26 12:19:29 2022
Summary:     Security update for curl
Type:        security
Severity:    important
References:  1204383,CVE-2022-32221
This update for curl fixes the following issues:

  - CVE-2022-32221: Fixed POST following PUT confusion (bsc#1204383).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3776-1
Released:    Wed Oct 26 14:06:43 2022
Summary:     Recommended update for permissions
Type:        recommended
Severity:    important
References:  1203911,1204137
This update for permissions fixes the following issues:

- Revert changes that replaced ping capabilities with ICMP_PROTO sockets. Older SUSE Linux Enterprise versions don't
  properly support ICMP_PROTO sockets feature yet (bsc#1204137)
- Fix regression introduced by backport of security fix (bsc#1203911)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3805-1
Released:    Thu Oct 27 17:19:46 2022
Summary:     Security update for dbus-1
Type:        security
Severity:    important
References:  1087072,1204111,1204112,1204113,CVE-2022-42010,CVE-2022-42011,CVE-2022-42012
This update for dbus-1 fixes the following issues:

  - CVE-2022-42010: Fixed potential crash that could be triggered by an invalid signature (bsc#1204111).
  - CVE-2022-42011: Fixed an out of bounds read caused by a fixed length array (bsc#1204112).
  - CVE-2022-42012: Fixed a use-after-free that could be trigged by a message in non-native endianness with out-of-band Unix file descriptor (bsc#1204113).

  Bugfixes:

  - Disable asserts (bsc#1087072).


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3871-1
Released:    Fri Nov  4 13:26:29 2022
Summary:     Security update for libxml2
Type:        security
Severity:    important
References:  1201978,1204366,1204367,CVE-2016-3709,CVE-2022-40303,CVE-2022-40304
This update for libxml2 fixes the following issues:

  - CVE-2016-3709: Fixed possible XSS vulnerability (bsc#1201978).
  - CVE-2022-40303: Fixed integer overflows with XML_PARSE_HUGE (bsc#1204366).
  - CVE-2022-40304: Fixed dict corruption caused by entity reference cycles (bsc#1204367).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3901-1
Released:    Tue Nov  8 10:50:06 2022
Summary:     Recommended update for openssl-1_1
Type:        recommended
Severity:    moderate
References:  1180995,1203046
This update for openssl-1_1 fixes the following issues:

- Default to RFC7919 groups when generating ECDH parameters using 'genpkey' or 'dhparam' in FIPS mode (bsc#1180995)
- Fix memory leaks (bsc#1203046)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3910-1
Released:    Tue Nov  8 13:05:04 2022
Summary:     Recommended update for pam
Type:        recommended
Severity:    moderate
References:  
This update for pam fixes the following issue:

- Update pam_motd to the most current version. (PED-1712)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3912-1
Released:    Tue Nov  8 13:38:11 2022
Summary:     Security update for expat
Type:        security
Severity:    important
References:  1204708,CVE-2022-43680
This update for expat fixes the following issues:

  - CVE-2022-43680: Fixed use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate (bsc#1204708).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3922-1
Released:    Wed Nov  9 09:03:33 2022
Summary:     Security update for protobuf
Type:        security
Severity:    important
References:  1194530,1203681,1204256,CVE-2021-22569,CVE-2022-1941,CVE-2022-3171
This update for protobuf fixes the following issues:

- CVE-2021-22569: Fixed Denial of Service in protobuf-java in the parsing procedure for binary data (bsc#1194530).
- CVE-2022-1941: Fix a potential DoS issue in protobuf-cpp and protobuf-python (bsc#1203681)
- CVE-2022-3171: Fix a potential DoS issue when parsing with binary data in protobuf-java (bsc#1204256)
  
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3961-1
Released:    Mon Nov 14 07:33:50 2022
Summary:     Recommended update for zlib
Type:        recommended
Severity:    important
References:  1203652
This update for zlib fixes the following issues:

- Fix updating strm.adler with inflate() if DFLTCC is used (bsc#1203652)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3973-1
Released:    Mon Nov 14 15:38:25 2022
Summary:     Recommended update for util-linux
Type:        recommended
Severity:    moderate
References:  1201959,1204211
This update for util-linux fixes the following issues:

- Fix file conflict during upgrade (bsc#1204211)
- libuuid improvements (bsc#1201959, PED-1150):
  libuuid: Fix range when parsing UUIDs.
  Improve cache handling for short running applications-increment the cache size over runtime.
  Implement continuous clock handling for time based UUIDs.
  Check clock value from clock file to provide seamless libuuid.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:4056-1
Released:    Thu Nov 17 15:38:08 2022
Summary:     Security update for systemd
Type:        security
Severity:    moderate
References:  1204179,1204968,CVE-2022-3821
This update for systemd fixes the following issues:

- CVE-2022-3821: Fixed buffer overrun in format_timespan() function (bsc#1204968).

- Import commit 56bee38fd0da18dad5fc5c5d12c02238a22b50e2
  * 8a70235d8a core: Add trigger limit for path units
  * 93e544f3a0 core/mount: also add default before dependency for automount mount units
  * 5916a7748c logind: fix crash in logind on user-specified message string

- Document udev naming scheme (bsc#1204179).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:4066-1
Released:    Fri Nov 18 10:43:00 2022
Summary:     Recommended update for timezone
Type:        recommended
Severity:    important
References:  1177460,1202324,1204649,1205156
This update for timezone fixes the following issues:

Update timezone version from 2022a to 2022f (bsc#1177460, bsc#1204649, bsc#1205156):

- Mexico will no longer observe DST except near the US border
- Chihuahua moves to year-round -06 on 2022-10-30
- Fiji no longer observes DST
- In vanguard form, GMT is now a Zone and Etc/GMT a link
- zic now supports links to links, and vanguard form uses this
- Simplify four Ontario zones
- Fix a Y2438 bug when reading TZif data
- Enable 64-bit time_t on 32-bit glibc platforms
- Omit large-file support when no longer needed
- Jordan and Syria switch from +02/+03 with DST to year-round +03
- Palestine transitions are now Saturdays at 02:00
- Simplify three Ukraine zones into one
- Improve tzselect on intercontinental Zones
- Chile's DST is delayed by a week in September 2022 (bsc#1202324)
- Iran no longer observes DST after 2022
- Rename Europe/Kiev to Europe/Kyiv
- New `zic -R` command option
- Vanguard form now uses %z

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:4081-1
Released:    Fri Nov 18 15:40:46 2022
Summary:     Security update for dpkg
Type:        security
Severity:    low
References:  1199944,CVE-2022-1664
This update for dpkg fixes the following issues:

- CVE-2022-1664: Fixed a directory traversal vulnerability in Dpkg::Source::Archive (bsc#1199944).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:4198-1
Released:    Wed Nov 23 13:15:04 2022
Summary:     Recommended update for rpm
Type:        recommended
Severity:    moderate
References:  1202750
This update for rpm fixes the following issues:

- Strip critical bit in signature subpackage parsing
- No longer deadlock DNF after pubkey import (bsc#1202750)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:4205-1
Released:    Wed Nov 23 17:34:41 2022
Summary:     Security update for net-snmp
Type:        security
Severity:    moderate
References:  1201103,CVE-2022-24805,CVE-2022-24806,CVE-2022-24807,CVE-2022-24808,CVE-2022-24809,CVE-2022-24810
This update for net-snmp fixes the following issues:

  Updated to version 5.9.3 (bsc#1201103, jsc#SLE-11203):

  - CVE-2022-24805: Fixed a buffer overflow in the handling of the INDEX of NET-SNMP-VACM-MIB that can cause an out-of-bounds memory access.
  - CVE-2022-24809: Fixed a malformed OID in a GET-NEXT to the nsVacmAccessTable that can cause a NULL pointer dereference.
  - CVE-2022-24806: Fixed an improper Input Validation when SETing malformed OIDs in master agent and subagent simultaneously.
  - CVE-2022-24807: Fixed a malformed OID in a SET request to SNMP-VIEW-BASED-ACM-MIB::vacmAccessTable can cause an out-of-bounds memory access.
  - CVE-2022-24808: Fixed a malformed OID in a SET request to NET-SNMP-AGENT-MIB::nsLogTable can cause a NULL pointer dereference.
  - CVE-2022-24810: Fixed a malformed OID in a SET to the nsVacmAccessTable can cause a NULL pointer dereference.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:4256-1
Released:    Mon Nov 28 12:36:32 2022
Summary:     Recommended update for gcc12
Type:        recommended
Severity:    moderate
References:  
This update for gcc12 fixes the following issues:

This update ship the GCC 12 compiler suite and its base libraries.

The compiler baselibraries are provided for all SUSE Linux Enterprise 15
versions and replace the same named GCC 11 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux
Enterprise 15 SP3 and SP4, and provided in the 'Development Tools' module.

The Go, D and Ada language compiler parts are available unsupported via the
PackageHub repositories.

To use gcc12 compilers use:

- install 'gcc12' or 'gcc12-c++' or one of the other 'gcc12-COMPILER' frontend packages.
- override your Makefile to use CC=gcc12, CXX=g++12 and similar overrides for the other languages.

For a full changelog with all new GCC12 features, check out

	https://gcc.gnu.org/gcc-12/changes.html


-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:4270-1
Released:    Tue Nov 29 13:20:45 2022
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    moderate
References:  1198523,1199074,1203216
This update for lvm2 fixes the following issues:

- Design changes to avoid kernel panic (bsc#1198523)
- Fix device-mapper rpm package versioning to prevent migration issues (bsc#1199074)
- killed lvmlockd doesn't clear/adopt locks leading to inability to start volume group (bsc#1203216)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:4628-1
Released:    Wed Dec 28 09:23:13 2022
Summary:     Security update for sqlite3
Type:        security
Severity:    moderate
References:  1206337,CVE-2022-46908
This update for sqlite3 fixes the following issues:

- CVE-2022-46908: Properly implement the azProhibitedFunctions protection mechanism, 
  when relying on --safe for execution of an untrusted CLI script (bsc#1206337).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:4630-1
Released:    Wed Dec 28 09:25:18 2022
Summary:     Security update for systemd
Type:        security
Severity:    important
References:  1200723,1203857,1204423,1205000,CVE-2022-4415
This update for systemd fixes the following issues:

- CVE-2022-4415: Fixed systemd-coredump that did not respect the fs.suid_dumpable kernel setting (bsc#1205000).

Bug fixes:

- Support by-path devlink for multipath nvme block devices (bsc#1200723).
- Set SYSTEMD_NSS_DYNAMIC_BYPASS=1 env var for dbus-daemon (bsc#1203857).
- Restrict cpu rule to x86_64, and also update the rule files to make use of the 'CONST{arch}' syntax (bsc#1204423).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:4633-1
Released:    Wed Dec 28 09:32:15 2022
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1206309,CVE-2022-43552
This update for curl fixes the following issues:

- CVE-2022-43552: HTTP Proxy deny use-after-free (bsc#1206309).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:25-1
Released:    Thu Jan  5 09:51:41 2023
Summary:     Recommended update for timezone
Type:        recommended
Severity:    moderate
References:  1177460
This update for timezone fixes the following issues:

Version update from 2022f to 2022g (bsc#1177460):

- In the Mexican state of Chihuahua:
  * The border strip near the US will change to agree with nearby US locations on 2022-11-30.
  * The strip's western part, represented by Ciudad Juarez, switches from -06 all year to -07/-06 with US DST rules,
    like El Paso, TX.
  * The eastern part, represented by Ojinaga, will observe US DST next year, like Presidio, TX.
  * A new Zone America/Ciudad_Juarez splits from America/Ojinaga.
- Much of Greenland, represented by America/Nuuk, stops observing winter time after March 2023, so its daylight saving
  time becomes standard time.
- Changes for pre-1996 northern Canada
- Update to past DST transition in Colombia (1993), Singapore (1981)
- 'timegm' is now supported by default

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:48-1
Released:    Mon Jan  9 10:37:54 2023
Summary:     Recommended update for libtirpc
Type:        recommended
Severity:    moderate
References:  1199467
This update for libtirpc fixes the following issues:

- Consider /proc/sys/net/ipv4/ip_local_reserved_ports, before binding to a random port (bsc#1199467)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:56-1
Released:    Mon Jan  9 11:13:43 2023
Summary:     Security update for libksba
Type:        security
Severity:    moderate
References:  1206579,CVE-2022-47629
This update for libksba fixes the following issues:

- CVE-2022-47629: Fixed an integer overflow vulnerability in the CRL
  signature parser (bsc#1206579).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:75-1
Released:    Thu Jan 12 09:03:11 2023
Summary:     Security update for net-snmp
Type:        security
Severity:    moderate
References:  1205148,1205150,1206044,1206828,CVE-2022-44792,CVE-2022-44793
This update for net-snmp fixes the following issues:

- CVE-2022-44793: Fixed a NULL pointer dereference issue that could
  allow a remote attacker with write access to crash the server
  instance (bsc#1205148).
- CVE-2022-44792: Fixed a NULL pointer dereference issue that could
  allow a remote attacker with write access to crash the server
  instance (bsc#1205150).

Other fixes:
- Enabled AES-192 and AES-256 privacy protocols (bsc#1206828).
- Fixed an incorrect systemd hardening that caused home directory
  size and allocation to be listed incorrectly (bsc#1206044)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:157-1
Released:    Thu Jan 26 15:54:43 2023
Summary:     Recommended update for util-linux
Type:        recommended
Severity:    moderate
References:  1194038,1205646
This update for util-linux fixes the following issues:

- libuuid continuous clock handling for time based UUIDs:
  Prevent use of the new libuuid ABI by uuidd %post before update
  of libuuid1 (bsc#1205646).
- Use chown --quiet to prevent error message if /var/lib/libuuid/clock.txt
  does not exist.
- Fix tests not passing when '@' character is in build path: 
  Fixes rpmbuild %checks fail when @ in the directory path (bsc#1194038).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:174-1
Released:    Thu Jan 26 20:52:38 2023
Summary:     Security update for glib2
Type:        security
Severity:    low
References:  1183533,CVE-2021-28153
This update for glib2 fixes the following issues:

- CVE-2021-28153: Fixed an issue where symlink targets would be incorrectly created as empty files (bsc#1183533).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:176-1
Released:    Thu Jan 26 20:56:20 2023
Summary:     Recommended update for permissions
Type:        recommended
Severity:    moderate
References:  1206738
This update for permissions fixes the following issues:

Update to version 20181225:

* Backport postfix permissions to SLE 15 SP2 (bsc#1206738)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:181-1
Released:    Thu Jan 26 21:55:43 2023
Summary:     Recommended update for procps
Type:        recommended
Severity:    low
References:  1206412
This update for procps fixes the following issues:

- Improve memory handling/usage (bsc#1206412) 
- Make sure that correct library version is installed (bsc#1206412)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:188-1
Released:    Fri Jan 27 12:07:19 2023
Summary:     Recommended update for zlib
Type:        recommended
Severity:    important
References:  1203652
This update for zlib fixes the following issues:

- Follow up fix for bug bsc#1203652 due to libxml2 issues

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:198-1
Released:    Fri Jan 27 14:26:54 2023
Summary:     Security update for krb5
Type:        security
Severity:    important
References:  1205126,CVE-2022-42898
This update for krb5 fixes the following issues:

- CVE-2022-42898: Fixed integer overflow in PAC parsing (bsc#1205126).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:310-1
Released:    Tue Feb  7 17:35:34 2023
Summary:     Security update for openssl-1_1
Type:        security
Severity:    important
References:  1121365,1198472,1207533,1207534,1207536,1207538,CVE-2022-4304,CVE-2022-4450,CVE-2023-0215,CVE-2023-0286
This update for openssl-1_1 fixes the following issues:

- CVE-2023-0286: Fixed X.400 address type confusion in X.509 GENERAL_NAME_cmp for x400Address (bsc#1207533).
- CVE-2023-0215: Fixed use-after-free following BIO_new_NDEF() (bsc#1207536).
- CVE-2022-4450: Fixed double free after calling PEM_read_bio_ex() (bsc#1207538).
- CVE-2022-4304: Fixed timing Oracle in RSA Decryption (bsc#1207534).
- FIPS: list only FIPS approved public key algorithms (bsc#1121365, bsc#1198472)


The following package changes have been done:

- dbus-1-1.12.2-150100.8.14.1 updated
- krb5-1.19.2-150300.10.1 updated
- libblkid1-2.36.2-150300.4.32.1 updated
- libcurl4-7.66.0-150200.4.45.1 updated
- libdbus-1-3-1.12.2-150100.8.14.1 updated
- libdevmapper1_03-2.03.05_1.02.163-150200.8.49.1 updated
- libexpat1-2.2.5-150000.3.25.1 updated
- libfdisk1-2.36.2-150300.4.32.1 updated
- libgcc_s1-12.2.1+git416-150000.1.5.1 updated
- libglib-2_0-0-2.62.6-150200.3.10.1 updated
- libgpg-error0-1.42-150300.9.3.1 updated
- libksba8-1.3.5-150000.4.6.1 updated
- libmount1-2.36.2-150300.4.32.1 updated
- libopenssl1_1-hmac-1.1.1d-150200.11.57.1 updated
- libopenssl1_1-1.1.1d-150200.11.57.1 updated
- libprocps7-3.3.15-150000.7.28.1 updated
- libprotobuf-lite20-3.9.2-150200.4.19.2 updated
- libsmartcols1-2.36.2-150300.4.32.1 updated
- libsqlite3-0-3.39.3-150000.3.20.1 updated
- libstdc++6-12.2.1+git416-150000.1.5.1 updated
- libsystemd0-246.16-150300.7.57.1 updated
- libtirpc-netconfig-1.2.6-150300.3.17.1 updated
- libtirpc3-1.2.6-150300.3.17.1 updated
- libudev1-246.16-150300.7.57.1 updated
- libuuid1-2.36.2-150300.4.32.1 updated
- libxml2-2-2.9.7-150000.3.51.1 updated
- libz1-1.2.11-150000.3.39.1 updated
- openssl-1_1-1.1.1d-150200.11.57.1 updated
- pam-1.3.0-150000.6.61.1 updated
- permissions-20181225-150200.23.23.1 updated
- procps-3.3.15-150000.7.28.1 updated
- rpm-ndb-4.14.3-150300.52.1 updated
- snmp-mibs-5.9.3-150300.15.8.1 updated
- systemd-246.16-150300.7.57.1 updated
- timezone-2022g-150000.75.18.1 updated
- udev-246.16-150300.7.57.1 updated
- update-alternatives-1.19.0.4-150000.4.4.1 updated
- util-linux-2.36.2-150300.4.32.1 updated
- container:sles15-image-15.0.0-17.20.107 updated


More information about the sle-security-updates mailing list