SUSE-CU-2023:3477-1: Security update of rancher/elemental-operator

sle-security-updates at lists.suse.com sle-security-updates at lists.suse.com
Fri Oct 20 10:10:02 UTC 2023


SUSE Container Update Advisory: rancher/elemental-operator
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3477-1
Container Tags        : rancher/elemental-operator:1.3.4 , rancher/elemental-operator:1.3.4-3.2.1 , rancher/elemental-operator:latest
Container Release     : 3.2.1
Severity              : critical
Type                  : security
References            : 1089497 1105435 1114407 1124223 1125410 1126377 1131060 1131686
                        1174673 1177864 1181994 1186606 1188006 1190858 1194038 1194609
                        1194900 1199079 1202868 1204690 1206212 1206622 1206627 1208194
                        1208721 1209229 1209741 1210702 1210999 1211576 1211828 1212434
                        1213185 1213189 1213237 1213487 1213517 1213575 1213853 1213873
                        1214054 1214248 CVE-2018-1000654 CVE-2019-3880 CVE-2021-46848
                        CVE-2023-31484 CVE-2023-32001 CVE-2023-3446 CVE-2023-36054 CVE-2023-3817
-----------------------------------------------------------------

The container rancher/elemental-operator was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1040-1
Released:    Thu Apr 25 17:09:21 2019
Summary:     Security update for samba
Type:        security
Severity:    important
References:  1114407,1124223,1125410,1126377,1131060,1131686,CVE-2019-3880
This update for samba fixes the following issues:

Security issue fixed:

- CVE-2019-3880: Fixed a path/symlink traversal vulnerability, which allowed an unprivileged user to save registry files outside a share (bsc#1131060).


ldb was updated to version 1.2.4 (bsc#1125410 bsc#1131686):

- Out of bound read in ldb_wildcard_compare
- Hold at most 10 outstanding paged result cookies
- Put 'results_store' into a doubly linked list
- Refuse to build Samba against a newer minor version of ldb


Non-security issues fixed:

- Fixed update-apparmor-samba-profile script after apparmor switched to using named profiles (bsc#1126377).
- Abide to the load_printers parameter in smb.conf (bsc#1124223).
- Provide the 32bit samba winbind PAM module and its dependend 32bit libraries.
  
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1372-1
Released:    Tue May 28 16:53:28 2019
Summary:     Security update for libtasn1
Type:        security
Severity:    moderate
References:  1105435,CVE-2018-1000654
This update for libtasn1 fixes the following issues:

Security issue fixed:

- CVE-2018-1000654: Fixed a denial of service in the asn1 parser (bsc#1105435).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2148-1
Released:    Thu Aug  6 13:36:17 2020
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    important
References:  1174673
This update for ca-certificates-mozilla fixes the following issues:

Update to 2.42 state of the Mozilla NSS Certificate store (bsc#1174673)

Removed CAs:

  * AddTrust External CA Root
  * AddTrust Class 1 CA Root
  * LuxTrust Global Root 2
  * Staat der Nederlanden Root CA - G2
  * Symantec Class 1 Public Primary Certification Authority - G4
  * Symantec Class 2 Public Primary Certification Authority - G4
  * VeriSign Class 3 Public Primary Certification Authority - G3

Added CAs:

  * certSIGN Root CA G2
  * e-Szigno Root CA 2017
  * Microsoft ECC Root Certificate Authority 2017
  * Microsoft RSA Root Certificate Authority 2017

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3157-1
Released:    Wed Nov  4 15:37:05 2020
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:  1177864
This update for ca-certificates-mozilla fixes the following issues:

The SSL Root CA store was updated to the 2.44 state of the Mozilla NSS Certificate store (bsc#1177864)

- Removed CAs:

  - EE Certification Centre Root CA
  - Taiwan GRCA

- Added CAs:

  - Trustwave Global Certification Authority
  - Trustwave Global ECC P256 Certification Authority
  - Trustwave Global ECC P384 Certification Authority

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3274-1
Released:    Fri Oct  1 10:34:17 2021
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    important
References:  1190858
This update for ca-certificates-mozilla fixes the following issues:

- remove one of the Letsencrypt CAs DST_Root_CA_X3.pem, as it expires
  September 30th 2021 and openssl certificate chain handling does not
  handle this correctly in openssl 1.0.2 and older.
  (bsc#1190858)


-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3382-1
Released:    Tue Oct 12 14:30:17 2021
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:  
This update for ca-certificates-mozilla fixes the following issues:

- A new sub-package for minimal base containers (jsc#SLE-22162)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3395-1
Released:    Mon Sep 26 16:35:18 2022
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:  1181994,1188006,1199079,1202868
This update for ca-certificates-mozilla fixes the following issues:

Updated to 2.56 state of Mozilla SSL root CAs (bsc#1202868)

- Added:

  - Certainly Root E1
  - Certainly Root R1
  - DigiCert SMIME ECC P384 Root G5
  - DigiCert SMIME RSA4096 Root G5
  - DigiCert TLS ECC P384 Root G5
  - DigiCert TLS RSA4096 Root G5
  - E-Tugra Global Root CA ECC v3
  - E-Tugra Global Root CA RSA v3

- Removed:

  - Hellenic Academic and Research Institutions RootCA 2011

Updated to 2.54 state of Mozilla SSL root CAs (bsc#1199079)

- Added:

  - Autoridad de Certificacion Firmaprofesional CIF A62634068
  - D-TRUST BR Root CA 1 2020
  - D-TRUST EV Root CA 1 2020
  - GlobalSign ECC Root CA R4
  - GTS Root R1
  - GTS Root R2
  - GTS Root R3
  - GTS Root R4
  - HiPKI Root CA - G1
  - ISRG Root X2
  - Telia Root CA v2
  - vTrus ECC Root CA
  - vTrus Root CA

- Removed:

  - Cybertrust Global Root
  - DST Root CA X3
  - DigiNotar PKIoverheid CA Organisatie - G2
  - GlobalSign ECC Root CA R4
  - GlobalSign Root CA R2
  - GTS Root R1
  - GTS Root R2
  - GTS Root R3
  - GTS Root R4
  

Updated to 2.50 state of the Mozilla NSS Certificate store (bsc#1188006)

- Added:

  - HARICA Client ECC Root CA 2021
  - HARICA Client RSA Root CA 2021
  - HARICA TLS ECC Root CA 2021
  - HARICA TLS RSA Root CA 2021
  - TunTrust Root CA


Updated to 2.46 state of the Mozilla NSS Certificate store (bsc#1181994)

- Added new root CAs:

  - NAVER Global Root Certification Authority

- Removed old root CAs:

  - GeoTrust Global CA
  - GeoTrust Primary Certification Authority
  - GeoTrust Primary Certification Authority - G3
  - GeoTrust Universal CA
  - GeoTrust Universal CA 2
  - thawte Primary Root CA
  - thawte Primary Root CA - G2
  - thawte Primary Root CA - G3
  - VeriSign Class 3 Public Primary Certification Authority - G4
  - VeriSign Class 3 Public Primary Certification Authority - G5
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3784-1
Released:    Wed Oct 26 18:03:28 2022
Summary:     Security update for libtasn1
Type:        security
Severity:    critical
References:  1204690,CVE-2021-46848
This update for libtasn1 fixes the following issues:

- CVE-2021-46848: Fixed off-by-one array size check that affects asn1_encode_simple_der (bsc#1204690)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:37-1
Released:    Fri Jan  6 15:35:49 2023
Summary:     Security update for ca-certificates-mozilla
Type:        security
Severity:    important
References:  1206212,1206622
This update for ca-certificates-mozilla fixes the following issues:

- Updated to 2.60 state of Mozilla SSL root CAs (bsc#1206622)
  Removed CAs:
  - Global Chambersign Root
  - EC-ACC
  - Network Solutions Certificate Authority
  - Staat der Nederlanden EV Root CA
  - SwissSign Platinum CA - G2
  Added CAs:
  - DIGITALSIGN GLOBAL ROOT ECDSA CA
  - DIGITALSIGN GLOBAL ROOT RSA CA
  - Security Communication ECC RootCA1
  - Security Communication RootCA3
  Changed trust:
  - TrustCor certificates only trusted up to Nov 30 (bsc#1206212)
- Removed CAs (bsc#1206212) as most code does not handle 'valid before nov 30 2022'
  and it is not clear how many certs were issued for SSL middleware by TrustCor:
  - TrustCor RootCert CA-1
  - TrustCor RootCert CA-2
  - TrustCor ECA-1

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2882-1
Released:    Wed Jul 19 11:49:39 2023
Summary:     Security update for perl
Type:        security
Severity:    important
References:  1210999,CVE-2023-31484
This update for perl fixes the following issues:


  - CVE-2023-31484: Enable TLS cert verification in CPAN (bsc#1210999).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2885-1
Released:    Wed Jul 19 16:58:43 2023
Summary:     Recommended update for glibc
Type:        recommended
Severity:    moderate
References:  1208721,1209229,1211828
This update for glibc fixes the following issues:

- getlogin_r: fix missing fallback if loginuid is unset (bsc#1209229, BZ #30235)
- Exclude static archives from preparation for live patching (bsc#1208721)
- resolv_conf: release lock on allocation failure (bsc#1211828, BZ #30527)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2891-1
Released:    Wed Jul 19 21:14:33 2023
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1213237,CVE-2023-32001
This update for curl fixes the following issues:

- CVE-2023-32001: Fixed TOCTOU race condition (bsc#1213237).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2918-1
Released:    Thu Jul 20 12:00:17 2023
Summary:     Recommended update for gpgme
Type:        recommended
Severity:    moderate
References:  1089497
This update for gpgme fixes the following issues:

gpgme:

- Address failure handling issues when using gpg 2.2.6 via gpgme, as used by libzypp (bsc#1089497)
    
libassuan:

- Version upgrade to 2.5.5 in LTSS to address gpgme new requirements

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2962-1
Released:    Tue Jul 25 09:34:53 2023
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1213487,CVE-2023-3446
This update for openssl-1_1 fixes the following issues:

- CVE-2023-3446: Fixed DH_check() excessive time with over sized modulus (bsc#1213487).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3285-1
Released:    Fri Aug 11 10:30:38 2023
Summary:     Recommended update for shadow
Type:        recommended
Severity:    moderate
References:  1206627,1213189
This update for shadow fixes the following issues:

- Prevent lock files from remaining after power interruptions (bsc#1213189)
- Add --prefix support to passwd, chpasswd and chage (bsc#1206627)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3286-1
Released:    Fri Aug 11 10:32:03 2023
Summary:     Recommended update for util-linux
Type:        recommended
Severity:    moderate
References:  1194038,1194900
This update for util-linux fixes the following issues:

- Fix blkid for floppy drives (bsc#1194900)
- Fix rpmbuild %checks fail when @ in the directory path (bsc#1194038)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3363-1
Released:    Fri Aug 18 14:54:16 2023
Summary:     Security update for krb5
Type:        security
Severity:    important
References:  1214054,CVE-2023-36054
This update for krb5 fixes the following issues:

- CVE-2023-36054: Fixed a DoS that could be triggered by an authenticated remote user. (bsc#1214054)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3397-1
Released:    Wed Aug 23 18:35:56 2023
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1213517,1213853,CVE-2023-3817
This update for openssl-1_1 fixes the following issues:

- CVE-2023-3817: Fixed a potential DoS due to excessive time spent checking DH q parameter value. (bsc#1213853)
- Don't pass zero length input to EVP_Cipher because s390x assembler optimized AES cannot handle zero size. (bsc#1213517)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3451-1
Released:    Mon Aug 28 12:15:22 2023
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1186606,1194609,1208194,1209741,1210702,1211576,1212434,1213185,1213575,1213873
This update for systemd fixes the following issues:

- Fix reboot and shutdown issues by getting only active MD arrays (bsc#1211576, bsc#1212434, bsc#1213575)
- Decrease devlink priority for iso disks (bsc#1213185)
- Do not ignore mount point paths longer than 255 characters (bsc#1208194)
- Refuse hibernation if there's no possible way to resume (bsc#1186606)
- Update 'korean' and 'arabic' keyboard layouts (bsc#1210702)
- Drop some entries no longer needed by YaST (bsc#1194609)
- The 'systemd --user' instances get their own session keyring instead of the user default one (bsc#1209741)
- Dynamically allocate receive buffer to handle large amount of mounts (bsc#1213873)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3454-1
Released:    Mon Aug 28 13:43:18 2023
Summary:     Security update for ca-certificates-mozilla
Type:        security
Severity:    important
References:  1214248
This update for ca-certificates-mozilla fixes the following issues:

- Updated to 2.62 state of Mozilla SSL root CAs (bsc#1214248)
  Added:
  - Atos TrustedRoot Root CA ECC G2 2020
  - Atos TrustedRoot Root CA ECC TLS 2021
  - Atos TrustedRoot Root CA RSA G2 2020
  - Atos TrustedRoot Root CA RSA TLS 2021
  - BJCA Global Root CA1
  - BJCA Global Root CA2
  - LAWtrust Root CA2 (4096)
  - Sectigo Public Email Protection Root E46
  - Sectigo Public Email Protection Root R46
  - Sectigo Public Server Authentication Root E46
  - Sectigo Public Server Authentication Root R46
  - SSL.com Client ECC Root CA 2022
  - SSL.com Client RSA Root CA 2022
  - SSL.com TLS ECC Root CA 2022
  - SSL.com TLS RSA Root CA 2022
  Removed CAs:
  - Chambers of Commerce Root
  - E-Tugra Certification Authority
  - E-Tugra Global Root CA ECC v3
  - E-Tugra Global Root CA RSA v3
  - Hongkong Post Root CA 1


The following package changes have been done:

- glibc-2.31-150300.52.2 updated
- perl-base-5.26.1-150300.17.14.1 updated
- libuuid1-2.37.2-150400.8.20.1 updated
- libudev1-249.16-150400.8.33.1 updated
- libsmartcols1-2.37.2-150400.8.20.1 updated
- libblkid1-2.37.2-150400.8.20.1 updated
- libaudit1-3.0.6-150400.4.13.1 updated
- libfdisk1-2.37.2-150400.8.20.1 updated
- libassuan0-2.5.5-150000.4.5.2 updated
- libsystemd0-249.16-150400.8.33.1 updated
- libopenssl1_1-1.1.1l-150400.7.53.1 updated
- libopenssl1_1-hmac-1.1.1l-150400.7.53.1 updated
- libmount1-2.37.2-150400.8.20.1 updated
- krb5-1.19.2-150400.3.6.1 updated
- login_defs-4.8.1-150400.10.9.1 updated
- libcurl4-8.0.1-150400.5.26.1 updated
- shadow-4.8.1-150400.10.9.1 updated
- util-linux-2.37.2-150400.8.20.1 updated
- libtasn1-6-4.13-150000.4.8.1 added
- libtasn1-4.13-150000.4.8.1 added
- crypto-policies-20210917.c9d86d1-150400.3.3.1 added
- openssl-1_1-1.1.1l-150400.7.53.1 added
- p11-kit-0.23.22-150400.1.10 added
- p11-kit-tools-0.23.22-150400.1.10 added
- ca-certificates-2+git20210309.21162a6-2.1 added
- ca-certificates-mozilla-2.62-150200.30.1 added


More information about the sle-security-updates mailing list