SUSE-SU-2018:0053-1: moderate: Security update for CaaS Platform 2.0 images

sle-updates at lists.suse.com sle-updates at lists.suse.com
Tue Jan 9 13:08:34 MST 2018


   SUSE Security Update: Security update for CaaS Platform 2.0 images
______________________________________________________________________________

Announcement ID:    SUSE-SU-2018:0053-1
Rating:             moderate
References:         #1003846 #1004995 #1009966 #1022404 #1025282 
                    #1025891 #1026567 #1029907 #1029908 #1029909 
                    #1029995 #1030623 #1035386 #1036619 #1039099 
                    #1039276 #1039513 #1040800 #1040968 #1041090 
                    #1043059 #1043590 #1043883 #1043966 #1044016 
                    #1045472 #1045522 #1045732 #1047178 #1047233 
                    #1048605 #1048861 #1050152 #1050258 #1050487 
                    #1052503 #1052507 #1052509 #1052511 #1052514 
                    #1052518 #1053137 #1053347 #1053595 #1053671 
                    #1055446 #1055641 #1055825 #1056058 #1056312 
                    #1056381 #1057007 #1057139 #1057144 #1057149 
                    #1057188 #1057634 #1057721 #1057724 #1058480 
                    #1058695 #1058783 #1059050 #1059065 #1059075 
                    #1059292 #1059723 #1060599 #1060621 #1061241 
                    #1061384 #1062561 #1063249 #1063269 #1064571 
                    #1064999 #1065363 #1066242 #1066371 #1066500 
                    #1066611 #1067891 #1070878 #1070958 #1071905 
                    #1071906 
Cross-References:   CVE-2014-3710 CVE-2014-8116 CVE-2014-8117
                    CVE-2014-9620 CVE-2014-9621 CVE-2014-9653
                    CVE-2017-12448 CVE-2017-12450 CVE-2017-12452
                    CVE-2017-12453 CVE-2017-12454 CVE-2017-12456
                    CVE-2017-12799 CVE-2017-12837 CVE-2017-12883
                    CVE-2017-13757 CVE-2017-14128 CVE-2017-14129
                    CVE-2017-14130 CVE-2017-14333 CVE-2017-14529
                    CVE-2017-14729 CVE-2017-14745 CVE-2017-14974
                    CVE-2017-3735 CVE-2017-3736 CVE-2017-3737
                    CVE-2017-3738 CVE-2017-6512
Affected Products:
                    SUSE CaaS Platform ALL
______________________________________________________________________________

   An update that solves 29 vulnerabilities and has 57 fixes
   is now available.

Description:


   The Docker images provided with SUSE CaaS Platform 2.0 have been updated
   to include the following updates:

   binutils:

   * Update to version 2.29
   * 18750 bsc#1030296 CVE-2014-9939
   * 20891 bsc#1030585 CVE-2017-7225
   * 20892 bsc#1030588 CVE-2017-7224
   * 20898 bsc#1030589 CVE-2017-7223
   * 20905 bsc#1030584 CVE-2017-7226
   * 20908 bsc#1031644 CVE-2017-7299
   * 20909 bsc#1031656 CVE-2017-7300
   * 20921 bsc#1031595 CVE-2017-7302
   * 20922 bsc#1031593 CVE-2017-7303
   * 20924 bsc#1031638 CVE-2017-7301
   * 20931 bsc#1031590 CVE-2017-7304
   * 21135 bsc#1030298 CVE-2017-7209
   * 21137 bsc#1029909 CVE-2017-6965
   * 21139 bsc#1029908 CVE-2017-6966
   * 21156 bsc#1029907 CVE-2017-6969
   * 21157 bsc#1030297 CVE-2017-7210
   * 21409 bsc#1037052 CVE-2017-8392
   * 21412 bsc#1037057 CVE-2017-8393
   * 21414 bsc#1037061 CVE-2017-8394
   * 21432 bsc#1037066 CVE-2017-8396
   * 21440 bsc#1037273 CVE-2017-8421
   * 21580 bsc#1044891 CVE-2017-9746
   * 21581 bsc#1044897 CVE-2017-9747
   * 21582 bsc#1044901 CVE-2017-9748
   * 21587 bsc#1044909 CVE-2017-9750
   * 21594 bsc#1044925 CVE-2017-9755
   * 21595 bsc#1044927 CVE-2017-9756
   * 21787 bsc#1052518 CVE-2017-12448
   * 21813 bsc#1052503, CVE-2017-12456, bsc#1052507, CVE-2017-12454,
     bsc#1052509, CVE-2017-12453, bsc#1052511, CVE-2017-12452, bsc#1052514,
     CVE-2017-12450, bsc#1052503, CVE-2017-12456, bsc#1052507,
     CVE-2017-12454, bsc#1052509, CVE-2017-12453, bsc#1052511,
     CVE-2017-12452, bsc#1052514, CVE-2017-12450
   * 21933 bsc#1053347 CVE-2017-12799
   * 21990 bsc#1058480 CVE-2017-14333
   * 22018 bsc#1056312 CVE-2017-13757
   * 22047 bsc#1057144 CVE-2017-14129
   * 22058 bsc#1057149 CVE-2017-14130
   * 22059 bsc#1057139 CVE-2017-14128
   * 22113 bsc#1059050 CVE-2017-14529
   * 22148 bsc#1060599 CVE-2017-14745
   * 22163 bsc#1061241 CVE-2017-14974
   * 22170 bsc#1060621 CVE-2017-14729
   * Make compressed debug section handling explicit, disable for
     old products and enable for gas on all architectures otherwise.
      [bsc#1029995]
   * Remove empty rpath component removal optimization from to workaround
     CMake rpath handling.  [bsc#1025282]
   * Fix alignment frags for aarch64 (bsc#1003846)


   coreutils:

   * Fix df(1) to no longer interact with excluded file system types, so for
     example specifying -x nfs no longer hangs with problematic nfs mounts.
     (bsc#1026567)
   * Ensure df -l no longer interacts with dummy file system types, so for
     example no longer hangs with problematic NFS mounted via
     system.automount(5). (bsc#1043059)
   * Significantly speed up df(1) for huge mount lists. (bsc#965780)

   file:

   * update to version 5.22.
   * CVE-2014-9621: The ELF parser in file allowed remote attackers to cause
     a denial of service via a long string. (bsc#913650)
   * CVE-2014-9620: The ELF parser in file allowed remote attackers to cause
     a denial of service via a large number of notes. (bsc#913651)
   * CVE-2014-9653: readelf.c in file did not consider that pread calls
     sometimes read only a subset of the available data, which allows remote
     attackers to cause a denial of service (uninitialized memory access) or
     possibly have unspecified other impact via a crafted ELF file.
     (bsc#917152)
   * CVE-2014-8116: The ELF parser (readelf.c) in file allowed remote
     attackers to cause a denial of service (CPU consumption or crash) via a
     large number
     of (1) program or (2) section headers or (3) invalid capabilities.
      (bsc#910253)
   * CVE-2014-8117: softmagic.c in file did not properly limit recursion,
     which allowed remote attackers to cause a denial of service (CPU
     consumption or crash) via unspecified vectors. (bsc#910253)
   * Fixed a memory corruption during rpmbuild (bsc#1063269)
   * Backport of a fix for an increased printable string length as found in
     file 5.30 (bsc#996511)
   * file command throws "Composite Document File V2 Document, corrupt: Can't
     read SSAT" error against excel 97/2003 file format. (bsc#1009966)

   gcc7:

   * Support for specific IBM Power9 processor instructions.
   * Support for specific IBM zSeries z14 processor instructions.
   * New packages cross-npvtx-gcc7 and nvptx-tools added to the Toolchain
     Module for specific NVIDIA Card offload support.

   gzip:

   * fix mishandling of leading zeros in the end-of-block code (bsc#1067891)

   libsolv:

   * Many fixes and improvements for cleandeps.
   * Always create dup rules for "distupgrade" jobs.
   * Use recommends also for ordering packages.
   * Fix splitprovides handling with addalreadyrecommended turned off.
     (bsc#1059065)
   * Expose solver_get_recommendations() in bindings.
   * Fix bug in solver_prune_to_highest_prio_per_name resulting in bad output
     from solver_get_recommendations().
   * Support 'without' and 'unless' dependencies.
   * Use same heuristic as upstream to determine source RPMs.
   * Fix memory leak in bindings.
   * Add pool_best_solvables() function.
   * Fix 64bit integer parsing from RPM headers.
   * Enable bzip2 and xz/lzma compression support.
   * Enable complex/rich dependencies on distributions with RPM 4.13+.

   libtool:

   * Add missing dependencies and provides to baselibs.conf to make sure
     libltdl libraries are properly installed. (bsc#1056381)

   libzypp:

   * Fix media handling in presence of a repo path prefix. (bsc#1062561)
   * Fix RepoProvideFile ignoring a repo path prefix. (bsc#1062561)
   * Remove unused legacy notify-message script. (bsc#1058783)
   * Support multiple product licenses in repomd. (fate#322276)
   * Propagate 'rpm --import' errors. (bsc#1057188)
   * Fix typos in zypp.conf.

   openssl:

   * CVE-2017-3735: openssl1,openssl: Malformed X.509 IPAdressFamily could
     cause OOB read (bsc#1056058)
   * CVE-2017-3736: openssl: bn_sqrx8x_internal carry bug on x86_64
     (bsc#1066242)
   * Out of bounds read+crash in DES_fcrypt (bsc#1065363)
   * openssl DEFAULT_SUSE cipher list is missing ECDHE-ECDSA ciphers
     (bsc#1055825)

   perl:

   Security issues for perl:

   * CVE-2017-12837: Heap-based buffer overflow in the S_regatom function in
     regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1
     allows remote attackers to cause a denial of service (out-of-bounds
     write) via a regular expression with a escape and the case-insensitive
     modifier. (bnc#1057724)
   * CVE-2017-12883: Buffer overflow in the S_grok_bslash_N function in
     regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1
     allows remote attackers to disclose sensitive information or cause a
     denial of service (application crash) via a crafted regular expression
     with an invalid escape. (bnc#1057721)
   * CVE-2017-6512: Race condition in the rmtree and remove_tree functions in
     the File-Path module before 2.13 for Perl allows attackers to set the
     mode on arbitrary files via vectors involving directory-permission
     loosening logic. (bnc#1047178)

   Bug fixes for perl:

   * backport set_capture_string changes from upstream (bsc#999735)
   * reformat baselibs.conf as source validator workaround

   systemd:

   * unit: When JobTimeoutSec= is turned off, implicitly turn off
     JobRunningTimeoutSec= too. (bsc#1048605, bsc#1004995)
   * compat-rules: Generate compat by-id symlinks with 'nvme' prefix missing
     and warn users that have broken symlinks. (bsc#1063249)
   * compat-rules: Allow to specify the generation number through the kernel
     command line.
   * scsi_id: Fixup prefix for pre-SPC inquiry reply. (bsc#1039099)
   * tmpfiles: Remove old ICE and X11 sockets at boot.
   * tmpfiles: Silently ignore any path that passes through autofs.
     (bsc#1045472)
   * pam_logind: Skip leading /dev/ from PAM_TTY field before passing it on.
   * shared/machine-pool: Fix another mkfs.btrfs checking. (bsc#1053595)
   * shutdown: Fix incorrect fscanf() result check.
   * shutdown: Don't remount,ro network filesystems. (bsc#1035386)
   * shutdown: Don't be fooled when detaching DM devices with BTRFS.
     (bsc#1055641)
   * bash-completion: Add support for --now. (bsc#1053137)
   * Add convert-lib-udev-path.sh script to convert /lib/udev directory into
     a symlink pointing to /usr/lib/udev when upgrading from SLE11.
     (bsc#1050152)
   * Add a rule to teach hotplug to offline containers transparently.
     (bsc#1040800)

   timezone:

   * Northern Cyprus switches from +03 to +02/+03 on 2017-10-29
   * Fiji ends DST 2018-01-14, not 2018-01-21
   * Namibia switches from +01/+02 to +02 on 2018-04-01
   * Sudan switches from +03 to +02 on 2017-11-01
   * Tonga likely switches from +13/+14 to +13 on 2017-11-05
   * Turks and Caicos switches from -04 to -05/-04 on 2018-11-04
   * Corrections to past DST transitions
   * Move oversized Canada/East-Saskatchewan to 'backward' file
   * zic(8) and the reference runtime now reject multiple leap seconds within
     28 days of each other, or leap seconds before the Epoch.

   util-linux:

   - Allow unmounting of filesystems without calling stat() on the mount
     point, when "-c" is used. (bsc#1040968)
   - Fix an infinite loop, a crash and report the correct minimum and maximum
     frequencies in lscpu for some processors. (bsc#1055446)
   - Fix a lscpu failure on Sydney Amazon EC2 region. (bsc#1066500)
   - If multiple subvolumes are mounted, report the default subvolume.
     (bsc#1039276)

   velum:

   * Fix logout issue on DEX download page * page doesn't exist (bsc#1066611)
   * Handle invalid sessions more user friendly
   * Fix undesired minimum nodes alert blink (bsc#1066371)

   wicked:

   - A regression in wicked was causing the hostname not to be set correctly
     via DHCP in some cases (bsc#1057007,bsc#1050258)
   - Configure the interface MTU correctly even in cases where the interface
     was up already (bsc#1059292)
   - Don't abort the process that adds configures routes if one route fails
     (bsc#1036619)
   - Handle DHCP4 user-class ids properly (bsc#1045522)
   - ethtool: handle channels parameters (bsc#1043883)

   zypper:

   * Locale: Fix possible segmentation fault. (bsc#1064999)
   * Add summary hint if product is better updated by a different command.
     This is mainly used by rolling distributions like openSUSE Tumbleweed to
     remind their users to use 'zypper dup' to update (not zypper up or
     patch). (bsc#1061384)
   * Unify '(add|modify)(repo|service)' property related arguments.
   * Fixed 'add' commands supporting to set only a subset of properties.
   * Introduced '-f/-F' as preferred short option for --[no-]refresh in all
     four commands. (bsc#661410, bsc#1053671)
   * Fix missing package names in installation report. (bsc#1058695)
   * Differ between unsupported and packages with unknown support status.
     (bsc#1057634)
   * Return error code '107' if an RPM's %post configuration script fails,
     but only if ZYPPER_ON_CODE12_RETURN_107=1 is set in the environment.
     (bsc#1047233)


Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE CaaS Platform ALL:

      zypper in -t patch SUSE-CAASP-ALL-2018-40=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE CaaS Platform ALL (x86_64):

      sles12-caasp-dex-image-2.0.0-3.3.11
      sles12-dnsmasq-nanny-image-2.0.1-2.3.15
      sles12-haproxy-image-2.0.1-2.3.16
      sles12-kubedns-image-2.0.1-2.3.11
      sles12-mariadb-image-2.0.1-2.3.15
      sles12-openldap-image-2.0.0-2.3.11
      sles12-pause-image-2.0.1-2.3.9
      sles12-pv-recycler-node-image-2.0.1-2.3.10
      sles12-salt-api-image-2.0.1-2.3.10
      sles12-salt-master-image-2.0.1-2.3.10
      sles12-salt-minion-image-2.0.1-2.3.14
      sles12-sidecar-image-2.0.1-2.3.11
      sles12-tiller-image-2.0.0-2.3.11
      sles12-velum-image-2.0.1-2.3.13


References:

   https://www.suse.com/security/cve/CVE-2014-3710.html
   https://www.suse.com/security/cve/CVE-2014-8116.html
   https://www.suse.com/security/cve/CVE-2014-8117.html
   https://www.suse.com/security/cve/CVE-2014-9620.html
   https://www.suse.com/security/cve/CVE-2014-9621.html
   https://www.suse.com/security/cve/CVE-2014-9653.html
   https://www.suse.com/security/cve/CVE-2017-12448.html
   https://www.suse.com/security/cve/CVE-2017-12450.html
   https://www.suse.com/security/cve/CVE-2017-12452.html
   https://www.suse.com/security/cve/CVE-2017-12453.html
   https://www.suse.com/security/cve/CVE-2017-12454.html
   https://www.suse.com/security/cve/CVE-2017-12456.html
   https://www.suse.com/security/cve/CVE-2017-12799.html
   https://www.suse.com/security/cve/CVE-2017-12837.html
   https://www.suse.com/security/cve/CVE-2017-12883.html
   https://www.suse.com/security/cve/CVE-2017-13757.html
   https://www.suse.com/security/cve/CVE-2017-14128.html
   https://www.suse.com/security/cve/CVE-2017-14129.html
   https://www.suse.com/security/cve/CVE-2017-14130.html
   https://www.suse.com/security/cve/CVE-2017-14333.html
   https://www.suse.com/security/cve/CVE-2017-14529.html
   https://www.suse.com/security/cve/CVE-2017-14729.html
   https://www.suse.com/security/cve/CVE-2017-14745.html
   https://www.suse.com/security/cve/CVE-2017-14974.html
   https://www.suse.com/security/cve/CVE-2017-3735.html
   https://www.suse.com/security/cve/CVE-2017-3736.html
   https://www.suse.com/security/cve/CVE-2017-3737.html
   https://www.suse.com/security/cve/CVE-2017-3738.html
   https://www.suse.com/security/cve/CVE-2017-6512.html
   https://bugzilla.suse.com/1003846
   https://bugzilla.suse.com/1004995
   https://bugzilla.suse.com/1009966
   https://bugzilla.suse.com/1022404
   https://bugzilla.suse.com/1025282
   https://bugzilla.suse.com/1025891
   https://bugzilla.suse.com/1026567
   https://bugzilla.suse.com/1029907
   https://bugzilla.suse.com/1029908
   https://bugzilla.suse.com/1029909
   https://bugzilla.suse.com/1029995
   https://bugzilla.suse.com/1030623
   https://bugzilla.suse.com/1035386
   https://bugzilla.suse.com/1036619
   https://bugzilla.suse.com/1039099
   https://bugzilla.suse.com/1039276
   https://bugzilla.suse.com/1039513
   https://bugzilla.suse.com/1040800
   https://bugzilla.suse.com/1040968
   https://bugzilla.suse.com/1041090
   https://bugzilla.suse.com/1043059
   https://bugzilla.suse.com/1043590
   https://bugzilla.suse.com/1043883
   https://bugzilla.suse.com/1043966
   https://bugzilla.suse.com/1044016
   https://bugzilla.suse.com/1045472
   https://bugzilla.suse.com/1045522
   https://bugzilla.suse.com/1045732
   https://bugzilla.suse.com/1047178
   https://bugzilla.suse.com/1047233
   https://bugzilla.suse.com/1048605
   https://bugzilla.suse.com/1048861
   https://bugzilla.suse.com/1050152
   https://bugzilla.suse.com/1050258
   https://bugzilla.suse.com/1050487
   https://bugzilla.suse.com/1052503
   https://bugzilla.suse.com/1052507
   https://bugzilla.suse.com/1052509
   https://bugzilla.suse.com/1052511
   https://bugzilla.suse.com/1052514
   https://bugzilla.suse.com/1052518
   https://bugzilla.suse.com/1053137
   https://bugzilla.suse.com/1053347
   https://bugzilla.suse.com/1053595
   https://bugzilla.suse.com/1053671
   https://bugzilla.suse.com/1055446
   https://bugzilla.suse.com/1055641
   https://bugzilla.suse.com/1055825
   https://bugzilla.suse.com/1056058
   https://bugzilla.suse.com/1056312
   https://bugzilla.suse.com/1056381
   https://bugzilla.suse.com/1057007
   https://bugzilla.suse.com/1057139
   https://bugzilla.suse.com/1057144
   https://bugzilla.suse.com/1057149
   https://bugzilla.suse.com/1057188
   https://bugzilla.suse.com/1057634
   https://bugzilla.suse.com/1057721
   https://bugzilla.suse.com/1057724
   https://bugzilla.suse.com/1058480
   https://bugzilla.suse.com/1058695
   https://bugzilla.suse.com/1058783
   https://bugzilla.suse.com/1059050
   https://bugzilla.suse.com/1059065
   https://bugzilla.suse.com/1059075
   https://bugzilla.suse.com/1059292
   https://bugzilla.suse.com/1059723
   https://bugzilla.suse.com/1060599
   https://bugzilla.suse.com/1060621
   https://bugzilla.suse.com/1061241
   https://bugzilla.suse.com/1061384
   https://bugzilla.suse.com/1062561
   https://bugzilla.suse.com/1063249
   https://bugzilla.suse.com/1063269
   https://bugzilla.suse.com/1064571
   https://bugzilla.suse.com/1064999
   https://bugzilla.suse.com/1065363
   https://bugzilla.suse.com/1066242
   https://bugzilla.suse.com/1066371
   https://bugzilla.suse.com/1066500
   https://bugzilla.suse.com/1066611
   https://bugzilla.suse.com/1067891
   https://bugzilla.suse.com/1070878
   https://bugzilla.suse.com/1070958
   https://bugzilla.suse.com/1071905
   https://bugzilla.suse.com/1071906



More information about the sle-updates mailing list