SUSE-CU-2023:2958-1: Security update of rancher/elemental-teal-iso/5.4
sle-security-updates at lists.suse.com
sle-security-updates at lists.suse.com
Thu Sep 14 07:02:56 UTC 2023
SUSE Container Update Advisory: rancher/elemental-teal-iso/5.4
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:2958-1
Container Tags : rancher/elemental-teal-iso/5.4:1.2.2 , rancher/elemental-teal-iso/5.4:1.2.2-2.9 , rancher/elemental-teal-iso/5.4:latest
Container Release : 2.9
Severity : important
Type : security
References : 1168481 1187364 1187364 1187365 1187366 1187366 1187367 1187367
1198773 1198773 1200441 1200441 1201519 1201551 1201551 1204844
1206346 1207004 1208074 1208962 1209884 1209888 1210004 1210298
1211079 1211124 1211418 1211419 1211578 CVE-2021-3592 CVE-2021-3592
CVE-2021-3593 CVE-2021-3594 CVE-2021-3594 CVE-2021-3595 CVE-2021-3595
CVE-2023-25809 CVE-2023-2602 CVE-2023-2603 CVE-2023-27561 CVE-2023-28642
-----------------------------------------------------------------
The container rancher/elemental-teal-iso/5.4 was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1465-1
Released: Fri Apr 29 11:36:02 2022
Summary: Security update for libslirp
Type: security
Severity: important
References: 1187364,1187366,1187367,1198773,CVE-2021-3592,CVE-2021-3594,CVE-2021-3595
This update for libslirp fixes the following issues:
- CVE-2021-3592: Fixed invalid pointer initialization may lead to information disclosure (bootp) (bsc#1187364).
- CVE-2021-3594: Fixed invalid pointer initialization may lead to information disclosure (udp) (bsc#1187367).
- CVE-2021-3595: Fixed invalid pointer initialization may lead to information disclosure (tftp) (bsc#1187366).
- Fix a dhcp regression [bsc#1198773]
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1730-1
Released: Wed May 18 16:56:21 2022
Summary: Security update for libslirp
Type: security
Severity: important
References: 1187364,1187366,1187367,1198773,CVE-2021-3592,CVE-2021-3594,CVE-2021-3595
This update for libslirp fixes the following issues:
- CVE-2021-3592: Fixed invalid pointer initialization may lead to information disclosure (bootp) (bsc#1187364).
- CVE-2021-3594: Fixed invalid pointer initialization may lead to information disclosure (udp) (bsc#1187367).
- CVE-2021-3595: Fixed invalid pointer initialization may lead to information disclosure (tftp) (bsc#1187366).
- Fix a dhcp regression [bsc#1198773]
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2941-1
Released: Tue Aug 30 10:51:09 2022
Summary: Security update for libslirp
Type: security
Severity: moderate
References: 1187365,1201551,CVE-2021-3593
This update for libslirp fixes the following issues:
- CVE-2021-3593: Fixed invalid pointer initialization may lead to information disclosure (udp6) (bsc#1187365).
Non-security fixes:
- Fix the version header (bsc#1201551)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:1913-1
Released: Wed Apr 19 14:23:14 2023
Summary: Recommended update for libslirp, slirp4netns
Type: recommended
Severity: moderate
References: 1201551
This update for libslirp and slirp4netns fixes the following issues:
libslirp was updated to version 4.7.0+44 (current git master):
* Fix vmstate regression
* Align outgoing packets
* Bump incoming packet alignment to 8 bytes
* vmstate: only enable when building under GNU C
* ncsitest: Fix build with msvc
* Separate out SLIRP_PACKED to SLIRP_PACKED_BEGIN/END
* ncsi: Add Mellanox Get Mac Address handler
* slirp: Add out-of-band ethernet address
* ncsi: Add OEM command handler
* ncsi: Add basic test for Get Version ID response
* ncsi: Use response header for payload length
* ncsi: Pass command header to response handlers
* ncsi: Add Get Version ID command
* ncsi: Pass Slirp structure to response handlers
* slirp: Add manufacturer's ID
Release v4.7.0
* slirp: invoke client callback before creating timers
* pingtest: port to timer_new_opaque
* introduce timer_new_opaque callback
* introduce slirp_timer_new wrapper
* icmp6: make ndp_send_ra static
* socket: Handle ECONNABORTED from recv
* bootp: fix g_str_has_prefix warning/critical
* slirp: Don't duplicate packet in tcp_reass
* Rename insque/remque -> slirp_[ins|rem]que
* mbuf: Use SLIRP_DEBUG to enable mbuf debugging instead of DEBUG
* Replace inet_ntoa() with safer inet_ntop()
* Add VMS_END marker
* bootp: add support for UEFI HTTP boot
* IPv6 DNS proxying support
* Add missing scope_id in caching
* socket: Move closesocket(so->s_aux) to sofree
* socket: Check so_type instead of so_tcpcb for Unix-to-inet translation
* socket: Add s_aux field to struct socket for storing auxilliary socket
* socket: Initialize so_type in socreate
* socket: Allocate Unix-to-TCP hostfwd port from OS by binding to port 0
* Allow to disable internal DHCP server
* slirp_pollfds_fill: Explain why dividing so_snd.sb_datalen by two
* CI: run integration tests with slirp4netns
* socket: Check address family for Unix-to-inet accept translation
* socket: Add debug args for tcpx_listen (inet and Unix sockets)
* socket: Restore original definition of fhost
* socket: Move <sys/un.h> include to socket.h
* Support Unix sockets in hostfwd
* resolv: fix IPv6 resolution on Darwin
* Use the exact sockaddr size in getnameinfo call
* Initialize sin6_scope_id to zero
* slirp_socketpair_with_oob: Connect pair through 127.0.0.1
* resolv: fix memory leak when using libresolv
* pingtest: Add a trivial ping test
* icmp: Support falling back on trying a SOCK_RAW socket
Update to version 4.6.1+7:
* Haiku: proper path to resolv.conf for DNS server
* Fix for Haiku
* dhcp: Always send DHCP_OPT_LEN bytes in options
Update to version 4.6.1:
* Fix 'DHCP broken in libslirp v4.6.0'
Update to version 4.6.0:
* udp: check upd_input buffer size
* tftp: introduce a header structure
* tftp: check tftp_input buffer size
* upd6: check udp6_input buffer size
* bootp: check bootp_input buffer size
* bootp: limit vendor-specific area to input packet memory buffer
Update to version 4.4.0:
* socket: consume empty packets
* slirp: check pkt_len before reading protocol header
* Add DNS resolving for iOS
* sosendoob: better document what urgc is used for
* TCPIPHDR_DELTA: Fix potential negative value
* udp, udp6, icmp, icmp6: Enable forwarding errors on Linux
* icmp, icmp6: Add icmp_forward_error and icmp6_forward_error
* udp, udp6, icmp: handle TTL value
* ip_stripoptions use memmove
slirp4netns was updated to 1.2.0:
* Add slirp4netns --target-type=bess /path/to/bess.sock for supporting UML (#281)
* Explicitly support DHCP (#270)
* Update parson to v1.1.3 (#273) kgabis/parson at 70dc239...2d7b3dd
Update to version 1.1.11:
* Add --macaddress option to specify the MAC address of the tap interface.
* Updated the man page.
Update to version 1.1.8:
Update to 1.0.0:
* --enable-sandbox is now out of experimental
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2003-1
Released: Tue Apr 25 18:05:42 2023
Summary: Security update for runc
Type: security
Severity: important
References: 1168481,1208962,1209884,1209888,CVE-2023-25809,CVE-2023-27561,CVE-2023-28642
This update for runc fixes the following issues:
Update to runc v1.1.5:
Security fixes:
- CVE-2023-25809: Fixed rootless `/sys/fs/cgroup` is writable when cgroupns isn't unshared (bnc#1209884).
- CVE-2023-27561: Fixed regression that reintroduced CVE-2019-19921 vulnerability (bnc#1208962).
- CVE-2023-28642: Fixed AppArmor/SELinux bypass with symlinked /proc (bnc#1209888).
Other fixes:
- Fix the inability to use `/dev/null` when inside a container.
- Fix changing the ownership of host's `/dev/null` caused by fd redirection (bsc#1168481).
- Fix rare runc exec/enter unshare error on older kernels.
- nsexec: Check for errors in `write_log()`.
- Drop version-specific Go requirement.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2256-1
Released: Fri May 19 15:26:43 2023
Summary: Security update for runc
Type: security
Severity: important
References: 1200441
This update of runc fixes the following issues:
- rebuild the package with the go 19.9 secure release (bsc#1200441).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2325-1
Released: Tue May 30 15:57:30 2023
Summary: Security update for cni
Type: security
Severity: important
References: 1200441
This update of cni fixes the following issues:
- rebuild the package with the go 1.19 security release (bsc#1200441).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2657-1
Released: Tue Jun 27 14:43:57 2023
Summary: Recommended update for libcontainers-common
Type: recommended
Severity: moderate
References: 1211124
This update for libcontainers-common fixes the following issues:
- New subpackage libcontainers-sles-mounts which adds SLE-specific mounts on SLE systems (bsc#1211124)
- Own /etc/containers/systemd and /usr/share/containers/systemd for podman quadlet
- Remove container-storage-driver.sh to default to the overlay driver instead of btrfs
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2658-1
Released: Tue Jun 27 14:46:15 2023
Summary: Recommended update for containerd, docker, runc
Type: recommended
Severity: moderate
References: 1207004,1208074,1210298,1211578
This update for containerd, docker, runc fixes the following issues:
- Update to containerd v1.6.21 (bsc#1211578)
- Update to Docker 23.0.6-ce (bsc#1211578)
- Update to runc v1.1.7
- Require a minimum Go version explicitly (bsc#1210298)
- Re-unify packaging for SLE-12 and SLE-15
- Fix build on SLE-12 by switching back to libbtrfs-devel headers
- Allow man pages to be built without internet access in OBS
- Add apparmor-parser as a Recommends to make sure that most users will end up with it installed
even if they are primarily running SELinux
- Fix syntax of boolean dependency
- Allow to install container-selinux instead of apparmor-parser
- Change to using systemd-sysusers
- Update runc.keyring to upstream version
- Fix the inability to use `/dev/null` when inside a container (bsc#1207004)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2765-1
Released: Mon Jul 3 20:28:14 2023
Summary: Security update for libcap
Type: security
Severity: moderate
References: 1211418,1211419,CVE-2023-2602,CVE-2023-2603
This update for libcap fixes the following issues:
- CVE-2023-2602: Fixed improper memory release in libcap/psx/psx.c:__wrap_pthread_create() (bsc#1211418).
- CVE-2023-2603: Fixed an integer overflow or wraparound in libcap/cap_alloc.c:_libcap_strdup() (bsc#1211419).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2847-1
Released: Mon Jul 17 08:40:42 2023
Summary: Recommended update for audit
Type: recommended
Severity: moderate
References: 1210004
This update for audit fixes the following issues:
- Check for AF_UNIX unnamed sockets (bsc#1210004)
- Enable livepatching on main library on x86_64
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2868-1
Released: Tue Jul 18 11:35:52 2023
Summary: Security update for cni
Type: security
Severity: important
References: 1206346
This update of cni fixes the following issues:
- rebuild the package with the go 1.20 security release (bsc#1206346).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3217-1
Released: Mon Aug 7 16:51:10 2023
Summary: Recommended update for cryptsetup
Type: recommended
Severity: moderate
References: 1211079
This update for cryptsetup fixes the following issues:
- Handle system with low memory and no swap space (bsc#1211079)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3410-1
Released: Thu Aug 24 06:56:32 2023
Summary: Recommended update for audit
Type: recommended
Severity: moderate
References: 1201519,1204844
This update for audit fixes the following issues:
- Create symbolic link from /sbin/audisp-syslog to /usr/sbin/audisp-syslog (bsc#1201519)
- Fix rules not loaded when restarting auditd.service (bsc#1204844)
The following package changes have been done:
- libsemanage-conf-3.4-150400.1.8 added
- libsepol2-3.4-150400.1.11 added
- libsemanage2-3.4-150400.1.8 added
- libcontainers-common-20230214-150400.3.8.1 updated
- libslirp0-4.7.0+44-150300.15.2 added
- runc-1.1.7-150000.46.1 updated
- cni-0.7.1-150100.3.12.1 updated
- slirp4netns-1.2.0-150300.8.5.2 updated
- util-linux-systemd-2.37.2-150400.8.20.1 removed
More information about the sle-security-updates
mailing list