SUSE-CU-2023:1463-1: Security update of ses/7.1/ceph/prometheus-alertmanager

sle-security-updates at sle-security-updates at
Sun May 7 07:03:00 UTC 2023

SUSE Container Update Advisory: ses/7.1/ceph/prometheus-alertmanager
Container Advisory ID : SUSE-CU-2023:1463-1
Container Tags        : ses/7.1/ceph/prometheus-alertmanager:0.23.0 , ses/7.1/ceph/prometheus-alertmanager: , ses/7.1/ceph/prometheus-alertmanager:latest , ses/7.1/ceph/prometheus-alertmanager:sle15.3.pacific
Container Release     : 3.2.423
Severity              : important
Type                  : security
References            : 1065270 1178233 1199132 1203248 1203249 1203599 1203715 1204548
                        1204585 1204956 1205570 1205636 1206949 1207294 1207571 1207957
                        1207975 1207992 1208358 1209122 1209209 1209210 1209211 1209212
                        1209214 1209533 1209624 1209713 1209714 1209873 1209878 1210135
                        1210411 1210412 1210434 1210507 CVE-2021-3541 CVE-2022-29824
                        CVE-2022-4899 CVE-2023-0464 CVE-2023-0465 CVE-2023-0466 CVE-2023-0687
                        CVE-2023-23916 CVE-2023-24593 CVE-2023-25180 CVE-2023-27533 CVE-2023-27534
                        CVE-2023-27535 CVE-2023-27536 CVE-2023-27538 CVE-2023-28484 CVE-2023-29383
                        CVE-2023-29469 CVE-2023-29491 

The container ses/7.1/ceph/prometheus-alertmanager was updated. The following patches have been included in this update:

Advisory ID: SUSE-RU-2023:714-1
Released:    Mon Mar 13 10:53:25 2023
Summary:     Recommended update for rpm
Type:        recommended
Severity:    important
References:  1207294
This update for rpm fixes the following issues:

- Fix missing python(abi) for 3.XX versions (bsc#1207294)

Advisory ID: SUSE-RU-2023:776-1
Released:    Thu Mar 16 17:29:23 2023
Summary:     Recommended update for gcc12
Type:        recommended
Severity:    moderate
This update for gcc12 fixes the following issues:

This update ships gcc12 also to the SUSE Linux Enterprise 15 SP1 LTSS and 15 SP2 LTSS products.

SUSE Linux Enterprise 15 SP3 and SP4 get only refreshed builds without changes

This update ship the GCC 12 compiler suite and its base libraries.

The compiler baselibraries are provided for all SUSE Linux Enterprise 15
versions and replace the same named GCC 11 ones.

The new compilers for C, C++, and Fortran are provided in the SUSE Linux
Enterprise Module for Development Tools.

To use gcc12 compilers use:

- install 'gcc12' or 'gcc12-c++' or one of the other 'gcc12-COMPILER' frontend packages.
- override your makefile to use CC=gcc12, CXX=g++12 and similar overrides for the other languages.

For a full changelog with all new GCC12 features, check out

Advisory ID: SUSE-RU-2023:786-1
Released:    Thu Mar 16 19:36:09 2023
Summary:     Recommended update for libsolv, libzypp, zypper
Type:        recommended
Severity:    important
References:  1178233,1203248,1203249,1203715,1204548,1204956,1205570,1205636,1206949
This update for libsolv, libzypp, zypper fixes the following issues:


- Do not autouninstall SUSE PTF packages
- Ensure 'duplinvolvedmap_all' is reset when a solver is reused
- Fix 'keep installed' jobs not disabling 'best update' rules
- New '-P' and '-W' options for `testsolv`
- New introspection interface for weak dependencies similar to ruleinfos
- Ensure special case file dependencies are written correctly in the testcase writer
- Support better info about alternatives
- Support decision reason queries
- Support merging of related decisions
- Support stringification of multiple solvables
- Support stringification of ruleinfo, decisioninfo and decision reasons


- Avoid calling getsockopt when we know the info already.
  This patch should fix logging on WSL, getsockopt seems to not be fully supported but the code required it when
  accepting new socket connections (bsc#1178233)
- Avoid redirecting 'history.logfile=/dev/null' into the target
- Create '.no_auto_prune' in the package cache dir to prevent auto cleanup of orphaned repositories (bsc#1204956)
- Enhance yaml-cpp detection
- Improve download of optional files
- MultiCurl: Make sure to reset the progress function when falling back.
- Properly reset range requests (bsc#1204548)
- Removing a PTF without enabled repos should always fail (bsc#1203248)
  Without enabled repos, the dependent PTF-packages would be removed (not replaced!) as well. 
  To remove a PTF `zypper install -- -PTF` or a dedicated `zypper removeptf PTF` should be used. This will update the
  installed PTF packages to theit latest version.
- Skip media.1/media download for http repo status calc.
  This patch allows zypp to skip a extra media.1/media download to calculate if a repository needs to be refreshed.
  This optimisation only takes place if the repo does specify only downloading base urls.
- Use a dynamic fallback for BLKSIZE in downloads.
  When not receiving a blocklist via metalink file from the server MediaMultiCurl used to fallback to a fixed,
  relatively small BLKSIZE. This patch changes the fallback into a dynamic value based on the filesize using a similar
  metric as the MirrorCache implementation on the server side.
- ProgressData: enforce reporting the INIT||END state (bsc#1206949)
- ps: fix service detection on newer Tumbleweed systems (bsc#1205636)


- Allow to (re)add a service with the same URL (bsc#1203715)
- Bump dependency requirement to libzypp-devel 17.31.7 or greater
- Explain outdatedness of repositories
- patterns: Avoid dispylaing superfluous @System entries (bsc#1205570)
- Provide `removeptf` command (bsc#1203249)
  A remove command which prefers replacing dependant packages to removing them as well.
  A PTF is typically removed as soon as the fix it provides is applied to the latest official update of the dependant
  packages. However it is not desired for the dependant packages to be removed together with the PTF, which is what the
  remove command would do. The `removeptf` command however will aim to replace the dependant packages by their official
  update versions.
- Update man page and explain '.no_auto_prune' (bsc#1204956)

Advisory ID: SUSE-SU-2023:1711-1
Released:    Fri Mar 31 13:33:04 2023
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1207992,1209209,1209210,1209211,1209212,1209214,CVE-2023-23916,CVE-2023-27533,CVE-2023-27534,CVE-2023-27535,CVE-2023-27536,CVE-2023-27538
This update for curl fixes the following issues:

- CVE-2023-27533: Fixed TELNET option IAC injection (bsc#1209209).
- CVE-2023-27534: Fixed SFTP path ~ resolving discrepancy (bsc#1209210).
- CVE-2023-27535: Fixed FTP too eager connection reuse (bsc#1209211).
- CVE-2023-27536: Fixed GSS delegation too eager connection reuse (bsc#1209212).
- CVE-2023-27538: Fixed SSH connection too eager reuse still (bsc#1209214).
- CVE-2023-23916: Fixed HTTP multi-header compression denial of service (bsc#1207992).

Advisory ID: SUSE-SU-2023:1718-1
Released:    Fri Mar 31 15:47:34 2023
Summary:     Security update for glibc
Type:        security
Severity:    moderate
References:  1207571,1207957,1207975,1208358,CVE-2023-0687
This update for glibc fixes the following issues:

Security issue fixed:

- CVE-2023-0687: Fix allocated buffer overflow in gmon (bsc#1207975)

Other issues fixed:

- Fix avx2 strncmp offset compare condition check (bsc#1208358)
- elf: Allow dlopen of filter object to work (bsc#1207571)
- powerpc: Fix unrecognized instruction errors with recent GCC
- x86: Cache computation for AMD architecture (bsc#1207957)

Advisory ID: SUSE-SU-2023:1790-1
Released:    Thu Apr  6 15:36:15 2023
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1209624,1209873,1209878,CVE-2023-0464,CVE-2023-0465,CVE-2023-0466
This update for openssl-1_1 fixes the following issues:

- CVE-2023-0464: Fixed excessive Resource Usage Verifying X.509 Policy Constraints (bsc#1209624).
- CVE-2023-0465: Invalid certificate policies in leaf certificates were silently ignored (bsc#1209878).
- CVE-2023-0466: Certificate policy check were not enabled (bsc#1209873).

Advisory ID: SUSE-RU-2023:1805-1
Released:    Tue Apr 11 10:12:41 2023
Summary:     Recommended update for timezone
Type:        recommended
Severity:    important
This update for timezone fixes the following issues:

- Version update from 2022g to 2023c:
  * Egypt now uses DST again, from April through October.
  * This year Morocco springs forward April 23, not April 30.
  * Palestine delays the start of DST this year.
  * Much of Greenland still uses DST from 2024 on.
  * America/Yellowknife now links to America/Edmonton.
  * tzselect can now use current time to help infer timezone.
  * The code now defaults to C99 or later.

Advisory ID: SUSE-RU-2023:1945-1
Released:    Fri Apr 21 14:13:27 2023
Summary:     Recommended update for elfutils
Type:        recommended
Severity:    moderate
References:  1203599
This update for elfutils fixes the following issues:

- go1.19 builds created debuginfo that was not extractable using rpm / elfutils 0.177. (bsc#1203599)

Advisory ID: SUSE-SU-2023:2048-1
Released:    Wed Apr 26 21:05:45 2023
Summary:     Security update for libxml2
Type:        security
Severity:    important
References:  1065270,1199132,1204585,1210411,1210412,CVE-2021-3541,CVE-2022-29824,CVE-2023-28484,CVE-2023-29469
This update for libxml2 fixes the following issues:

- CVE-2023-29469: Fixed inconsistent result when hashing empty strings (bsc#1210412).
- CVE-2023-28484: Fixed NULL pointer dereference in xmlSchemaFixupComplexType (bsc#1210411).
- CVE-2022-29824: Fixed integer overflow leading to out-of-bounds write in buf.c (bsc#1199132). 
  The following non-security bugs were fixed:

- Added W3C conformance tests to the testsuite (bsc#1204585).
- Fixed NULL pointer dereference when parsing invalid data (glgo#libxml2!15) (bsc#1065270) . 

Advisory ID: SUSE-SU-2023:2070-1
Released:    Fri Apr 28 13:56:33 2023
Summary:     Security update for shadow
Type:        security
Severity:    moderate
References:  1210507,CVE-2023-29383
This update for shadow fixes the following issues:

- CVE-2023-29383: Fixed apparent /etc/shadow manipulation via chfn (bsc#1210507).

Advisory ID: SUSE-SU-2023:2074-1
Released:    Fri Apr 28 17:02:25 2023
Summary:     Security update for zstd
Type:        security
Severity:    moderate
References:  1209533,CVE-2022-4899
This update for zstd fixes the following issues:

- CVE-2022-4899: Fixed buffer overrun in util.c (bsc#1209533).

Advisory ID: SUSE-SU-2023:2076-1
Released:    Fri Apr 28 17:35:05 2023
Summary:     Security update for glib2
Type:        security
Severity:    moderate
References:  1209713,1209714,1210135,CVE-2023-24593,CVE-2023-25180
This update for glib2 fixes the following issues:

- CVE-2023-24593: Fixed a denial of service caused by handling a malicious text-form variant (bsc#1209714).
- CVE-2023-25180: Fixed a denial of service caused by malicious serialised variant (bsc#1209713).

The following non-security bug was fixed:

- Fixed regression on s390x (bsc#1210135, glgo#GNOME/glib!2978).

Advisory ID: SUSE-RU-2023:2104-1
Released:    Thu May  4 21:05:30 2023
Summary:     Recommended update for procps
Type:        recommended
Severity:    moderate
References:  1209122
This update for procps fixes the following issue:

- Allow - as leading character to ignore possible errors on systctl entries (bsc#1209122)

Advisory ID: SUSE-SU-2023:2111-1
Released:    Fri May  5 14:34:00 2023
Summary:     Security update for ncurses
Type:        security
Severity:    moderate
References:  1210434,CVE-2023-29491
This update for ncurses fixes the following issues:

- CVE-2023-29491: Fixed memory corruption issues when processing malformed terminfo data (bsc#1210434).

The following package changes have been done:

- glibc-2.31-150300.46.1 updated
- libcurl4-7.66.0-150200.4.52.1 updated
- libdw1-0.177-150300.11.6.1 updated
- libebl-plugins-0.177-150300.11.6.1 updated
- libelf1-0.177-150300.11.6.1 updated
- libgcc_s1-12.2.1+git416-150000.1.7.1 updated
- libglib-2_0-0-2.62.6-150200.3.15.1 updated
- libncurses6-6.1-150000.5.15.1 updated
- libopenssl1_1-hmac-1.1.1d-150200.11.62.1 updated
- libopenssl1_1-1.1.1d-150200.11.62.1 updated
- libprocps7-3.3.15-150000.7.31.1 updated
- libsolv-tools-0.7.23-150200.15.1 updated
- libstdc++6-12.2.1+git416-150000.1.7.1 updated
- libxml2-2-2.9.7-150000.3.57.1 updated
- libzstd1-1.4.4-150000.1.9.1 updated
- libzypp-17.31.8-150200.50.1 updated
- login_defs-4.8.1-150300.4.6.1 updated
- ncurses-utils-6.1-150000.5.15.1 updated
- openssl-1_1-1.1.1d-150200.11.62.1 updated
- procps-3.3.15-150000.7.31.1 updated
- rpm-ndb-4.14.3-150300.55.1 updated
- shadow-4.8.1-150300.4.6.1 updated
- terminfo-base-6.1-150000.5.15.1 updated
- timezone-2023c-150000.75.23.1 updated
- zypper-1.14.59-150200.42.2 updated
- container:sles15-image-15.0.0-17.20.133 updated

More information about the sle-security-updates mailing list