SUSE-CU-2023:2854-1: Security update of suse/sle15

sle-security-updates at lists.suse.com sle-security-updates at lists.suse.com
Tue Sep 5 07:06:35 UTC 2023 

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:2854-1
Container Tags        : suse/sle15:15.1 , suse/sle15:15.1.6.2.811
Container Release     : 6.2.811
Severity              : important
Type                  : security
References            : 1099269 1133277 1144068 1158763 1162343 1177127 1178168 1182066
                        1184753 1194530 1197726 1198331 1199282 1203681 1204256 1210740
                        1213231 1213557 1213673 CVE-2018-1000518 CVE-2020-25659 CVE-2020-36242
                        CVE-2021-22569 CVE-2021-22570 CVE-2022-1941 CVE-2022-3171 
-----------------------------------------------------------------

The container suse/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2783-1
Released:    Tue Jul  4 21:54:25 2023
Summary:     Security update for grpc, protobuf, python-Deprecated, python-PyGithub, python-aiocontextvars, python-avro, python-bcrypt, python-cryptography, python-cryptography-vectors, python-google-api-core, python-googleapis-common-protos, python-grpcio-gcp, python-humanfriendly, python-jsondiff, python-knack, python-opencensus, python-opencensus-context, python-opencensus-ext-threading, python-opentelemetry-api, python-psutil, python-pytest-asyncio, python-requests, python-websocket-client, python-websockets
Type:        security
Severity:    important
References:  1099269,1133277,1144068,1162343,1177127,1178168,1182066,1184753,1194530,1197726,1198331,1199282,1203681,1204256,CVE-2018-1000518,CVE-2020-25659,CVE-2020-36242,CVE-2021-22569,CVE-2021-22570,CVE-2022-1941,CVE-2022-3171
This update for grpc, protobuf, python-Deprecated, python-PyGithub, python-aiocontextvars, python-avro, python-bcrypt, python-cryptography, python-cryptography-vectors, python-google-api-core, python-googleapis-common-protos, python-grpcio-gcp, python-humanfriendly, python-jsondiff, python-knack, python-opencensus, python-opencensus-context, python-opencensus-ext-threading, python-opentelemetry-api, python-psutil, python-pytest-asyncio, python-requests, python-websocket-client, python-websockets fixes the following issues:

grpc:
- Update in SLE-15 (bsc#1197726, bsc#1144068)
  
protobuf:
- Fix a potential DoS issue in protobuf-cpp and protobuf-python, CVE-2022-1941, bsc#1203681
- Fix a potential DoS issue when parsing with binary data in  protobuf-java, CVE-2022-3171, bsc#1204256
- Fix potential Denial of Service in protobuf-java in the parsing procedure for binary data, CVE-2021-22569, bsc#1194530
- Add missing dependency of python subpackages on python-six (bsc#1177127)
- Updated to version 3.9.2 (bsc#1162343)
  * Remove OSReadLittle* due to alignment requirements.
  * Don't use unions and instead use memcpy for the type swaps.
- Disable LTO (bsc#1133277)

python-aiocontextvars:  
- Include in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)

python-avro:
- Include in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
- Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)

python-cryptography:  
- update to 3.3.2 (bsc#1182066, CVE-2020-36242, bsc#1198331)
  * SECURITY ISSUE: Fixed a bug where certain sequences of update()
    calls when symmetrically encrypting very large payloads (>2GB) could
    result in an integer overflow, leading to buffer overflows.
  CVE-2020-36242

python-cryptography-vectors:
- update to 3.2 (bsc#1178168, CVE-2020-25659):
  * CVE-2020-25659: Attempted to make RSA PKCS#1v1.5 decryption more constant time,
    to protect against Bleichenbacher vulnerabilities. Due to limitations imposed
    by our API, we cannot completely mitigate this vulnerability.
  * Support for OpenSSL 1.0.2 has been removed.
  * Added basic support for PKCS7 signing (including SMIME) via PKCS7SignatureBuilder.
- update to 3.3.2 (bsc#1198331)

python-Deprecated:
- Include in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
- update to 1.2.13:

python-google-api-core:
- Update to 1.14.2

python-googleapis-common-protos:
- Update to 1.6.0
  
python-grpcio-gcp:
- Initial spec for v0.2.2

python-humanfriendly:
- Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
- Update to 10.0

python-jsondiff:
- Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
- Update to version 1.3.0

python-knack:  
- Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
- Update to version 0.9.0

python-opencensus:
- Include in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
- Disable Python2 build
- Update to 0.8.0

python-opencensus-context:  
- Include in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)

python-opencensus-ext-threading:  
- Include in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
- Initial build version 0.1.2

python-opentelemetry-api:
- Include in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
- Version update to 1.5.0

python-psutil:
- Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
- update to 5.9.1
- remove the dependency on net-tools, since it conflicts with busybox-hostnmame which is default on MicroOS. (bsc#1184753)
- Include in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)

python-PyGithub:
- Update to 1.43.5:

python-pytest-asyncio:  
- Include in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
- Initial release of python-pytest-asyncio 0.8.0 
  
python-requests:
- Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
  
python-websocket-client:
- Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
- Update to version 1.3.2

python-websockets:
- Include in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
- update to 9.1:
 
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3513-1
Released:    Fri Sep  1 15:47:41 2023
Summary:     Recommended update for libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1158763,1210740,1213231,1213557,1213673
This update for libzypp, zypper fixes the following issues:

- Fix occasional isue with downloading very small files (bsc#1213673)
- Fix negative ZYPP_LOCK_TIMEOUT not waiting forever (bsc#1213231)
- Fix OES synchronization issues when cookie file has mode 0600 (bsc#1158763)
- Don't cleanup orphaned dirs if read-only mode was promised (bsc#1210740)
- Revised explanation of --force-resolution in man page (bsc#1213557)
- Print summary hint if policies were violated due to --force-resolution (bsc#1213557)


The following package changes have been done:

- libprotobuf-lite20-3.9.2-150100.8.3.3 added
- libzypp-17.31.20-150100.3.117.1 updated
- zypper-1.14.63-150100.3.84.1 updated
- libprotobuf-lite15-3.5.0-5.5.1 removed

More information about the sle-security-updates mailing list