SUSE-CU-2020:832-1: Security update of caasp/v4.5/kube-controller-manager

sle-updates at lists.suse.com
Sat Dec 12 02:21:28 MST 2020


SUSE Container Update Advisory: caasp/v4.5/kube-controller-manager
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:832-1
Container Tags        : caasp/v4.5/kube-controller-manager:v1.18.10 , caasp/v4.5/kube-controller-manager:v1.18.10-rev3 , caasp/v4.5/kube-controller-manager:v1.18.10-rev3-build5.5.1
Container Release     : 5.5.1
Severity              : important
Type                  : security
References            : 1011548 1014478 1054413 1100369 1104902 1109160 1118367 1118368
                        1122669 1128220 1136184 1140565 1142733 1146853 1146854 1146991
                        1153943 1153946 1154935 1156205 1157051 1158336 1158830 1159018
                        1161168 1161239 1163764 1165424 1165439 1165502 1165580 1167471
                        1170200 1170498 1170667 1170713 1170964 1171313 1171740 1171762
                        1172195 1172270 1172798 1172824 1172846 1172958 1173055 1173079
                        1173165 1173273 1173307 1173311 1173422 1173470 1173529 1173539
                        1173972 1173983 1174079 1174154 1174219 1174232 1174240 1174466
                        1174529 1174551 1174561 1174593 1174644 1174736 1174753 1174817
                        1174918 1174918 1174951 1175109 1175110 1175120 1175161 1175168
                        1175169 1175342 1175352 1175443 1175568 1175592 1175811 1175830
                        1175831 1175844 1176086 1176092 1176123 1176179 1176181 1176192
                        1176225 1176262 1176410 1176435 1176451 1176499 1176513 1176578
                        1176638 1176671 1176674 1176712 1176740 1176800 1176902 1176903
                        1176904 1177078 1177143 1177151 1177238 1177319 1177344 1177361
                        1177362 1177450 1177458 1177479 1177490 1177510 1177643 1177660
                        1177661 1177676 1177699 1177843 1177858 1177864 1177933 1178073
                        1178376 1178387 1178512 1178531 1178727 1178785 1179193 1179398
                        1179399 1179431 1179452 1179491 1179515 1179526 1179593 906079
                        935885 982804 999200 CVE-2017-3136 CVE-2018-5741 CVE-2019-20916
                        CVE-2019-6477 CVE-2020-13844 CVE-2020-15106 CVE-2020-15719 CVE-2020-1747
                        CVE-2020-1971 CVE-2020-24659 CVE-2020-24977 CVE-2020-25219 CVE-2020-25660
                        CVE-2020-25692 CVE-2020-26154 CVE-2020-28196 CVE-2020-8027 CVE-2020-8029
                        CVE-2020-8231 CVE-2020-8284 CVE-2020-8285 CVE-2020-8286 CVE-2020-8564
                        CVE-2020-8565 CVE-2020-8616 CVE-2020-8617 CVE-2020-8618 CVE-2020-8619
                        CVE-2020-8620 CVE-2020-8621 CVE-2020-8622 CVE-2020-8623 CVE-2020-8624
-----------------------------------------------------------------

The container caasp/v4.5/kube-controller-manager was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:498-1
Released:    Wed Feb 26 17:59:44 2020
Summary:     Recommended update for aws-cli, python-boto3, python-botocore, python-s3transfer, python-aws-sam-translator, python-cfn-lint, python-nose2, python-parameterized
Type:        recommended
Severity:    moderate
References:  1122669,1136184,1146853,1146854,1159018


This update for aws-cli, python-aws-sam-translator, python-cfn-lint, python-nose2, python-parameterized, python-boto3, python-botocore, python-s3transfer fixes the following issues:

python-aws-sam-translator was updated to 1.11.0 (bsc#1159018, jsc#PM-1507):

Upgrade to 1.11.0:

  * Add ReservedConcurrentExecutions to globals
  * Fix ElasticsearchHttpPostPolicy resource reference
  * Support using AWS::Region in Ref and Sub
  * Documentation and examples updates
  * Add VersionDescription property to Serverless::Function
  * Update ServerlessRepoReadWriteAccessPolicy
  * Add additional template validation

Upgrade to 1.10.0:

  * Add GSIs to DynamoDBReadPolicy and DynamoDBCrudPolicy
  * Add DynamoDBReconfigurePolicy
  * Add CostExplorerReadOnlyPolicy and OrganizationsListAccountsPolicy
  * Add EKSDescribePolicy
  * Add SESBulkTemplatedCrudPolicy
  * Add FilterLogEventsPolicy
  * Add SSMParameterReadPolicy
  * Add SESEmailTemplateCrudPolicy
  * Add s3:PutObjectAcl to S3CrudPolicy
  * Add allow_credentials CORS option
  * Add support for AccessLogSetting and CanarySetting Serverless::Api properties
  * Add support for X-Ray in Serverless::Api
  * Add support for MinimumCompressionSize in Serverless::Api
  * Add Auth to Serverless::Api globals
  * Remove trailing slashes from APIGW permissions
  * Add SNS FilterPolicy and an example application
  * Add Enabled property to Serverless::Function event sources
  * Add support for PermissionsBoundary in Serverless::Function
  * Fix boto3 client initialization
  * Add PublicAccessBlockConfiguration property to S3 bucket resource
  * Make PAY_PER_REQUEST default mode for Serverless::SimpleTable
  * Add limited support for resolving intrinsics in Serverless::LayerVersion
  * SAM now uses Flake8
  * Add example application for S3 Events written in Go
  * Updated several example applications

python-cfn-lint was added in version 0.21.4:

- Add upstream patch to fix EOL dates for lambda runtimes
- Add upstream patch to fix test_config_expand_paths test

- Rename to python-cfn-lint.  This package has a python API, which
  is required by python-moto.

Update to version 0.21.4:

  + Features
    * Include more resource types in W3037
  + CloudFormation Specifications
    * Add Resource Type `AWS::CDK::Metadata`
  + Fixes
    * Uncap requests dependency in setup.py
    * Check Join functions have lists in the correct sections
    * Pass a parameter value for AutoPublishAlias when doing a Transform
    * Show usage examples when displaying the help

Update to version 0.21.3

  + Fixes
    * Support dumping strings for datetime objects when doing a Transform

Update to version 0.21.2

  + CloudFormation Specifications
    * Update CloudFormation specs to 3.3.0
    * Update instance types from pricing API as of 2019.05.23

Update to version 0.21.1

  + Features
    * Add `Info` logging capability and set the default logging to `NotSet`
  + Fixes
    * Only do rule logging (start/stop/time) when the rule is going to be called
    * Update rule E1019 to allow `Fn::Transform` inside a `Fn::Sub`
    * Update rule W2001 to not break when `Fn::Transform` inside a `Fn::Sub`
    * Update rule E2503 to allow conditions to be used and to not default to `network` load balancer when an object is used for the Load Balancer type

Update to version 0.21.0

  + Features
    * New rule E3038 to check if a Serverless resource includes the appropriate Transform
    * New rule E2531 to validate a Lambda's runtime against the deprecated dates
    * New rule W2531 to validate a Lambda's runtime against the EOL dates
    * Update rule E2541 to include updates to Code Pipeline capabilities
    * Update rule E2503 to include checking of values for load balancer attributes
  + CloudFormation Specifications
    * Update CloudFormation specs to 3.2.0
    * Update instance types from pricing API as of 2019.05.20
  + Fixes
    * Include setuptools in setup.py requires

Update to version 0.20.3

  + CloudFormation Specifications
    * Update instance types from pricing API as of 2019.05.16
  + Fixes
    * Update E7001 to allow float/doubles for mapping values
    * Update W1020 to check pre-transformed Fn::Sub(s) to determine if a Sub is needed
    * Pin requests to be below or equal to 2.21.0 to prevent issues with botocore

Update to version 0.20.2

  + Features
    * Add support for List<String> Parameter types
  + CloudFormation Specifications
    * Add allowed values for AWS::EC2 EIP, FlowLog, CustomerGateway, DHCPOptions, EC2Fleet
    * Create new property type for Security Group IDs or Names
    * Add new Lambda runtime environment for NodeJs 10.x
    * Move AWS::ServiceDiscovery::Service Health checks from Only One to Exclusive
    * Update Glue Crawler Role to take an ARN or a name
    * Remove PrimitiveType from MaintenanceWindowTarget Targets
    * Add Min/Max values for Load Balancer Ports to be between 1-65535
  + Fixes
    * Include License file in the pypi package to help with downstream projects
    * Filter out dynamic references from rule E3031 and E3030
    * Convert Python linting and Code Coverage from Python 3.6 to 3.7

Update to version 0.20.1

  + Fixes
    * Update rule E8003 to support more functions inside a Fn::Equals

Update to version 0.20.0

  + Features
    * Allow a rule's exception to be defined in a resource's metadata
    * Add rule configuration capabilities
    * Update rule E3012 to allow for non strict property checking
    * Add rule E8003 to test Fn::Equals structure and syntax
    * Add rule E8004 to test Fn::And structure and syntax
    * Add rule E8005 to test Fn::Not structure and syntax
    * Add rule E8006 to test Fn::Or structure and syntax
    * Include Path to error in the JSON output
    * Update documentation to describe how to install cfn-lint from brew
  + CloudFormation Specifications
    * Update CloudFormation specs to version 3.0.0
    * Add new region ap-east-1
    * Add list min/max and string min/max for CloudWatch Alarm Actions
    * Add allowed values for EC2::LaunchTemplate
    * Add allowed values for EC2::Host
    * Update allowed values for Amazon MQ to include 5.15.9
    * Add AWS::Greengrass::ResourceDefinition to GreenGrass supported regions
    * Add AWS::EC2::VPCEndpointService to all regions
    * Update AWS::ECS::TaskDefinition ExecutionRoleArn to be a IAM Role ARN
    * Patch spec files for SSM MaintenanceWindow to look for Target and not Targets
    * Update ManagedPolicyArns list size to be 20 which is the hard limit.  10 is the soft limit.
  + Fixes
    * Fix rule E3033 to check the string size when the string is inside a list
    * Fix an issue in which AWS::NotificationARNs was not a list
    * Add AWS::EC2::Volume to rule W3010
    * Fix an issue with W2001 where SAM translate would remove the Ref to a parameter causing this error to falsely trigger
    * Fix rule W3010 to not error when the availability zone is 'all'

Update to version 0.19.1

  + Fixes
    * Fix core Condition processing to support direct Condition in another Condition
    * Fix the W2030 to check numbers against string allowed values

Update to version 0.19.0

  + Features
    * Add NS and PTR Route53 record checking to rule E3020
    * New rule E3050 to check if a Ref to IAM Role has a Role path of '/'
    * New rule E3037 to look for duplicates in a list that doesn't support duplicates
    * New rule I3037 to look for duplicates in a list when duplicates are allowed
  + CloudFormation Specifications
    * Add Min/Max values to AWS::ElasticLoadBalancingV2::TargetGroup HealthCheckTimeoutSeconds
    * Add Max JSON size to AWS::IAM::ManagedPolicy PolicyDocument
    * Add allowed values for AWS::EC2 SpotFleet, TransitGateway, NetworkAcl
      NetworkInterface, PlacementGroup, and Volume
    * Add Min/max values to AWS::Budgets::Budget.Notification Threshold
    * Update RDS Instance types by database engine and license definitions using the pricing API
    * Update AWS::CodeBuild::Project ServiceRole to support Role Name or ARN
    * Update AWS::ECS::Service Role to support Role Name or ARN
  + Fixes
    * Update E3025 to support the new structure of data in the RDS instance type json
    * Update E2540 to remove all nested conditions from the object
    * Update E3030 to not do strict type checking
    * Update E3020 to support conditions nested in the record sets
    * Update E3008 to better handle CloudFormation sub stacks with different GetAtt formats

Update to version 0.18.1

  + CloudFormation Specifications
    * Update CloudFormation Specs to 2.30.0
    * Fix IAM Regex Path to support more character types
    * Update AWS::Batch::ComputeEnvironment.ComputeResources InstanceRole to reference an
      InstanceProfile or GetAtt the InstanceProfile Arn
    * Allow VPC IDs to Ref a Parameter of type String
  + Fixes
    * Fix E3502 to check the size of the property instead of the parent object

Update to version 0.18.0

  + Features
    * New rule E3032 to check the size of lists
    * New rule E3502 to check JSON Object Size using definitions in the spec file
    * New rule E3033 to test the minimum and maximum length of a string
    * New rule E3034 to validate the min and max of a number
    * Remove Ebs Iops check from E2504 and use rule E3034 instead
    * Remove rule E2509 and use rule E3033 instead
    * Remove rule E2508 as it is replaced by E3032 and E3502
    * Update rule E2503 to check that there are at least two Subnets or SubnetMappings for ALBs
    * SAM requirement upped to minimal version of 1.10.0
  + CloudFormation Specifications
    * Extend specs to include:
      > `ListMin` and `ListMax` for the minimum and maximum size of a list
      > `JsonMax` to check the max size of a JSON Object
      > `StringMin` and `StringMax` to check the minimum and maximum length of a String
      > `NumberMin` and `NumberMax` to check the minimum and maximum value of a Number, Float, Long
    * Update State and ExecutionRoleArn to be required on AWS::DLM::LifecyclePolicy
    * Add AllowedValues for PerformanceInsightsRetentionPeriod for AWS::RDS::Instance
    * Add AllowedValues for the AWS::GuardDuty Resources
    * Add AllowedValues for AWS::EC2 VPC and VPN Resources
    * Switch IAM Instance Profiles for certain resources to the type that only takes the name
    * Add regex pattern for IAM Instance Profile when a name (not Arn) is used
    * Add regex pattern for IAM Paths
    * Add Regex pattern for IAM Role Arn
    * Update OnlyOne spec to require at least one of Subnets or SubnetMappings with ELB v2
  + Fixes
    * Fix serverless transform to use DefinitionBody when Auth is in the API definition
    * Fix rule W2030 to not error when checking SSM or List Parameters

Update to version 0.17.1

  + Features
    * Update rule E2503 to make sure NLBs don't have a Security Group configured
  + CloudFormation Specifications
    * Add all the allowed values of the `AWS::Glue` Resources
    * Update OnlyOne check for `AWS::CloudWatch::Alarm` to only `MetricName` or `Metrics`
    * Update Exclusive check for `AWS::CloudWatch::Alarm` for properties mixed with `Metrics` and `Statistic`
    * Update CloudFormation specs to 2.29.0
    * Fix typo with MariaDB in the AllowedValues
    * Update pricing information for data available on 2018.3.29
  + Fixes
    * Fix rule E1029 to not check whether a Sub is needed when looking for IoT strings in policies
    * Fix rule E2541 to allow for ActionId Versions of length 1-9 and meets regex `[0-9A-Za-z_-]+`
    * Fix rule E2532 to allow for `Parameters` inside a `Pass` action
    * Fix an issue when getting the location of an error in which numbers are causing an attribute error

Update to version 0.17.0

  + Features
    * Add new rule E3026 to validate Redis cluster settings including AutomaticFailoverEnabled and NumCacheClusters.  Status: Released
    * Add new rule W3037 to validate IAM resource policies.  Status: Experimental
    * Add new parameter `-e/--include-experimental` to allow for new rules that aren't ready to be fully released
  + CloudFormation Specifications
    * Update Spec files to 2.28.0
    * Add all the allowed values of the AWS::Redshift::* Resources
    * Add all the allowed values of the AWS::Neptune::* Resources
    * Patch spec to make AWS::CloudFront::Distribution.LambdaFunctionAssociation.LambdaFunctionARN required
    * Patch spec to make AWS::DynamoDB::Table AttributeDefinitions required
  + Fixes
    * Remove extra blank lines when there are no errors in the output
    * Add exception to rule E1029 to have exceptions for EMR CloudWatchAlarmDefinition
    * Update rule E1029 to allow for literals in a Sub
    * Remove sub checks from rule E3031 as it won't match in all cases of an allowed pattern regex check
    * Correct typos for errors in rule W1001
    * Switch from parsing a template as Yaml to Json when finding an escape character
    * Fix an issue with SAM related to transforming templates with Serverless Application and Lambda Layers
    * Fix an issue with rule E2541 when non strings were used for Stage Names

Update to version 0.16.0

  + Features
    * Add rule E3031 to look for regex patterns based on the patched spec file
    * Remove regex checks from rule E2509
    * Add parameter `ignore-templates` to allow the ignoring of templates when doing bulk linting
  + CloudFormation Specifications
    * Update Spec files to 2.26.0
    * Add all the allowed values of the AWS::DirectoryService::* Resources
    * Add all the allowed values of the AWS::DynamoDB::* Resources
    * Added AWS::Route53Resolver resources to the Spec Patches of ap-southeast-2
    * Patch the spec file with regex patterns
    * Add all the allowed values of the AWS::DocDb::* Resources
  + Fixes
    * Update rule E2504 to have '20000' as the max value
    * Update rule E1016 to not allow ImportValue inside of Conditions
    * Update rule E2508 to check conditions when providing limit checks on managed policies
    * Convert unicode to strings when in Py 3.4/3.5 and updating specs
    * Convert from `awslabs` to `aws-cloudformation` organization
    * Remove suppression of logging that was removed from samtranslator >1.7.0 and fix an
      incompatibility with samtranslator 1.10.0

Update to version 0.15.0

  + Features
    * Add scaffolding for arbitrary Match attributes, adding attributes for Type checks
    * Add rule E3024 to validate that ProvisionedThroughput is not specified with BillingMode PAY_PER_REQUEST
  + CloudFormation Specifications
    * Update Spec files to 2.24.0
    * Update OnlyOne spec to have BlockDeviceMapping to include NoDevice with Ebs and VirtualName
    * Add all the allowed values of the AWS::CloudFront::* Resources
    * Add all the allowed values of the AWS::DAX::* Resources
  + Fixes
    * Update config parsing to use the builtin Yaml decoder
    * Add condition support for Inclusive E2521, Exclusive E2520, and AtLeastOne E2522 rules
    * Update rule E1029 to better check Resource strings inside IAM Policies
    * Improve the line/column information of a Match with array support

Update to version 0.14.1

  + CloudFormation Specifications
    * Update CloudFormation Specs to version 2.23.0
    * Add allowed values for AWS::Config::* resources
    * Add allowed values for AWS::ServiceDiscovery::* resources
    * Fix allowed values for Apache MQ
  + Fixes
    * Update rule E3008 to not error when using a list from a custom resource
    * Support simple types in the CloudFormation spec
    * Add tests for the formatters

Update to version 0.14.0

  + Features
    * Add rule E3035 to check the values of DeletionPolicy
    * Add rule E3036 to check the values of UpdateReplacePolicy
    * Add rule E2014 to check that there are no REFs in the Parameter section
    * Update rule E2503 to support TLS on NLBs
  + CloudFormation Specifications
    * Update CloudFormation spec to version 2.22.0
    * Add allowed values for AWS::Cognito::* resources
  + Fixes
    * Update rule E3002 to allow GetAtts to Custom Resources under a Condition

Update to version 0.13.2

  + Features
    * Introducing the cfn-lint logo!
    * Update SAM dependency version
  + Fixes
    * Fix CloudWatchAlarmComparisonOperator allowed values.
    * Fix typo resoruce_type_spec in several files
    * Better support for nested And, Or, and Not when processing Conditions

Update to version 0.13.1

  + CloudFormation Specifications
    * Add allowed values for AWS::CloudTrail::Trail resources
    * Patch spec to have AWS::CodePipeline::CustomActionType Version included
  + Fixes
    * Fix conditions logic to use AllowedValues when REFing a Parameter that has AllowedValues specified

Update to version 0.13.0

  + Features
    * New rule W1011 to check if a FindInMap is using the correct map name and keys
    * New rule W1001 to check if a Ref/GetAtt to a resource that exists when Conditions are used
    * Removed logic in E1011 and moved it to W1011 for validating keys
    * Add property relationships for AWS::ApplicationAutoScaling::ScalingPolicy into Inclusive, Exclusive, and AtLeastOne
    * Update rule E2505 to check the netmask bit
    * Include the ability to update the CloudFormation Specs using the Pricing API
  + CloudFormation Specifications
    * Update to version 2.21.0
    * Add allowed values for AWS::Budgets::Budget
    * Add allowed values for AWS::CertificateManager resources
    * Add allowed values for AWS::CodePipeline resources
    * Add allowed values for AWS::CodeCommit resources
    * Add allowed values for EC2 InstanceTypes from pricing API
    * Add allowed values for RedShift InstanceTypes from pricing API
    * Add allowed values for MQ InstanceTypes from pricing API
    * Add allowed values for RDS InstanceTypes from pricing API
  + Fixes
    * Fixed README indentation issue with .pre-commit-config.yaml
    * Fixed rule E2541 to allow for multiple inputs/outputs in a CodeBuild task
    * Fixed rule E3020 to allow for a period or no period at the end of an ACM registration record
    * Update rule E3001 to support UpdateReplacePolicy
    * Fix a cli issue where `--template` wouldn't be used when a .cfnlintrc was in the same folder
    * Update rule E3002 and E1024 to support packaging of AWS::Lambda::LayerVersion content

- Initial build
  + Version 0.12.1

python-nose2 was updated to 0.9.1:

 * the prof plugin now uses cProfile instead of hotshot for profiling
 * skipped tests now include the user's reason in junit XML's message field
 * the prettyassert plugin mishandled multi-line function definitions
 * Using a plugin's CLI flag when the plugin is already enabled via config
   no longer errors
 * nose2.plugins.prettyassert, enabled with --pretty-assert
 * Cleanup code for EOLed python versions
 * Dropped support for distutils.
 * Result reporter respects failure status set by other plugins
 * JUnit XML plugin now includes the skip reason in its output

Upgrade to 0.8.0:

- The list of changes is too long to show here; see the changes between 0.6.5 and 0.8.0 at
  https://github.com/nose-devs/nose2/blob/master/docs/changelog.rst

python-parameterized was updated to 0.7.0:

* Added parameterized_class feature, for parameterizing entire test
  classes (many thanks to @TobyLL for their suggestions and help testing!)
* Fix DeprecationWarning on `inspect.getargs` (thanks @brettdh;
  https://github.com/wolever/parameterized/issues/67)
* Make sure that `setUp` and `tearDown` methods work correctly (#40)
* Raise a ValueError when input is empty (thanks @danielbradburn;
  https://github.com/wolever/parameterized/pull/48)
* Fix the order when number of cases exceeds 10 (thanks @ntflc;
  https://github.com/wolever/parameterized/pull/49)
aws-cli was updated to version 1.16.223:

For detailed changes see the changes entries:

  https://github.com/aws/aws-cli/blob/1.16.223/CHANGELOG.rst
  https://github.com/aws/aws-cli/blob/1.16.189/CHANGELOG.rst
  https://github.com/aws/aws-cli/blob/1.16.182/CHANGELOG.rst
  https://github.com/aws/aws-cli/blob/1.16.176/CHANGELOG.rst
  https://github.com/aws/aws-cli/blob/1.16.103/CHANGELOG.rst
  https://github.com/aws/aws-cli/blob/1.16.94/CHANGELOG.rst
  https://github.com/aws/aws-cli/blob/1.16.84/CHANGELOG.rst

python-boto3 was updated to 1.9.213, python-botocore was updated to 1.9.188, and python-s3transfer was updated to 1.12.74, fixing
lots of bugs and adding features (bsc#1146853, bsc#1146854)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:959-1
Released:    Wed Apr  8 12:59:50 2020
Summary:     Security update for python-PyYAML
Type:        security
Severity:    important
References:  1165439,CVE-2020-1747
This update for python-PyYAML fixes the following issues:

- CVE-2020-1747: Fixed an arbitrary code execution when YAML files are parsed by FullLoader (bsc#1165439).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1000-1
Released:    Wed Apr 15 14:18:57 2020
Summary:     Recommended update for azure-cli tools, python-adal, python-applicationinsights, python-azure modules, python-msrest, python-msrestazure, python-pydocumentdb, python-uamqp, python-vsts-cd-manager
Type:        recommended
Severity:    moderate
References:  1014478,1054413,1140565,982804,999200
This update for azure-cli tools, python-adal, python-applicationinsights, python-azure modules, python-msrest, python-msrestazure, python-pydocumentdb, python-uamqp, python-vsts-cd-manager fixes the following issues:

The Azure python modules and client tool stack was updated to the 2020 state.

Various other python modules were added and updated.

- python-PyYAML was updated to 5.1.2.
- python-humanfriendly was updated to 4.16.1.


-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2384-1
Released:    Sat Aug 29 00:57:13 2020
Summary:     Recommended update for e2fsprogs
Type:        recommended
Severity:    low
References:  1170964
This update for e2fsprogs fixes the following issues:

- Fix an issue where system messages with placeholders were not properly replaced. (bsc#1170964)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2411-1
Released:    Tue Sep  1 13:28:47 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1142733,1146991,1158336,1172195,1172824,1173539
This update for systemd fixes the following issues:

- Improve logging when PID1 fails at setting a namespace up when spawning a command specified by
  'Exec*='. (bsc#1172824, bsc#1142733) This includes the following upstream commits:
  * pid1: improve message when setting up namespace fails.
  * execute: let's close glibc syslog channels too.
  * execute: normalize logging in *execute.c*.
  * execute: fix typo in error message.
  * execute: drop explicit *log_open()*/*log_close()* now that it is unnecessary.
  * execute: make use of the new logging mode in *execute.c*
  * log: add a mode where we open the log fds for every single log message.
  * log: let's make use of the fact that our functions return the negative error code for *log_oom()* too.
  * execute: downgrade a log message ERR → WARNING, since we proceed ignoring its result.
  * execute: rework logging in *setup_keyring()* to include unit info.
  * execute: improve and augment execution log messages.
  
- vconsole-setup: downgrade log message when setting font fails on dummy console. (bsc#1172195 bsc#1173539)
- fix infinite timeout. (bsc#1158336)
- bpf: mount bpffs by default on boot. (bsc#1146991)
- man: explain precedence for options which take a list.
- man: unify titling, fix description of precedence in sysusers.d(5)
- udev-event: fix timeout log messages.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2420-1
Released:    Tue Sep  1 13:48:35 2020
Summary:     Recommended update for zlib
Type:        recommended
Severity:    moderate
References:  1174551,1174736
This update for zlib provides the following fixes:

- Permit a deflateParams() parameter change as soon as possible. (bsc#1174736)
- Fix DFLTCC not flushing EOBS when creating raw streams. (bsc#1174551)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2445-1
Released:    Wed Sep  2 09:33:02 2020
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1175109,CVE-2020-8231
This update for curl fixes the following issues:

- An application that performs multiple requests with libcurl's
  multi API and sets the 'CURLOPT_CONNECT_ONLY' option might, in
  rare circumstances, find that when it subsequently uses the
  connect-only transfer it set up, libcurl picks and uses the wrong
  connection, choosing instead another one the application has
  created since then. [bsc#1175109, CVE-2020-8231]

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2581-1
Released:    Wed Sep  9 13:07:07 2020
Summary:     Security update for openldap2
Type:        security
Severity:    moderate
References:  1174154,CVE-2020-15719
This update for openldap2 fixes the following issues:

- bsc#1174154 - CVE-2020-15719 - This resolves an issue with x509
  SANs falling back to CN validation in violation of RFC 6125.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2612-1
Released:    Fri Sep 11 11:18:01 2020
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1176179,CVE-2020-24977
This update for libxml2 fixes the following issues:

- CVE-2020-24977: Fixed a global-buffer-overflow in xmlEncodeEntitiesInternal (bsc#1176179).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2638-1
Released:    Tue Sep 15 15:41:32 2020
Summary:     Recommended update for cryptsetup
Type:        recommended
Severity:    moderate
References:  1165580
This update for cryptsetup fixes the following issues:

Update from version 2.0.5 to version 2.0.6. (jsc#SLE-5911, bsc#1165580)

- Fix support of larger metadata areas in *LUKS2* header.

  This release properly supports all specified metadata areas, as documented
  in *LUKS2* format description.
  Currently, only default metadata area size is used (in format or convert).
  Later cryptsetup versions will allow increasing this metadata area size.

- If *AEAD* (authenticated encryption) is used, cryptsetup now tries to check
  if the requested *AEAD* algorithm with specified key size is available in kernel crypto API.
  This change avoids formatting a device that cannot be later activated.

  For this function, the kernel must be compiled with the *CONFIG_CRYPTO_USER_API_AEAD* option enabled.
  Note that kernel user crypto API options (*CONFIG_CRYPTO_USER_API* and *CONFIG_CRYPTO_USER_API_SKCIPHER*)
  are already mandatory for LUKS2.

- Fix setting of integrity no-journal flag. Now you can store this flag to metadata using the *--persistent* option.

- Fix cryptsetup-reencrypt to not keep temporary reencryption headers if interrupted during initial password prompt.

- Add an early check to plain and LUKS2 formats to disallow device format if the device size is not aligned
  to the requested sector size. Previously this was possible, and the kernel later refused to activate the device.

- Check the availability of hash algorithms for *PBKDF* early. Previously the *LUKS2* format allowed a non-existent
  hash algorithm, producing an invalid keyslot that prevented the device from being activated.

- Allow Adiantum cipher construction (a non-authenticated length-preserving fast encryption scheme), so it can be used
  both for data encryption and keyslot encryption in *LUKS1/2* devices.

  For benchmark, use:

      # cryptsetup benchmark -c xchacha12,aes-adiantum
      # cryptsetup benchmark -c xchacha20,aes-adiantum

  For LUKS format:

      # cryptsetup luksFormat -c xchacha20,aes-adiantum-plain64 -s 256 <device>

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2651-1
Released:    Wed Sep 16 14:42:55 2020
Summary:     Recommended update for zlib
Type:        recommended
Severity:    moderate
References:  1175811,1175830,1175831
This update for zlib fixes the following issues:

- Fix compression level switching (bsc#1175811, bsc#1175830, bsc#1175831)
- Enable hardware compression on s390/s390x (jsc#SLE-13776)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2704-1
Released:    Tue Sep 22 15:06:36 2020
Summary:     Recommended update for krb5
Type:        recommended
Severity:    moderate
References:  1174079
This update for krb5 fixes the following issue:

- Fix the prefix reported by krb5-config: libraries and headers are not installed under the /usr/lib/mit prefix. (bsc#1174079)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2712-1
Released:    Tue Sep 22 17:08:03 2020
Summary:     Security update for openldap2
Type:        security
Severity:    moderate
References:  1175568,CVE-2020-8027
This update for openldap2 fixes the following issues:

- CVE-2020-8027: openldap_update_modules_path.sh starts daemons unconditionally and uses fixed paths in /tmp (bsc#1175568).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2819-1
Released:    Thu Oct  1 10:39:16 2020
Summary:     Recommended update for libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1165424,1173273,1173529,1174240,1174561,1174918,1175342,1175592
This update for libzypp, zypper provides the following fixes:

Changes in libzypp:
- VendorAttr: Const-correct API and let Target provide its settings. (bsc#1174918)
- Support buildnr with commit hash in purge-kernels. This adds special behaviour for when
  a kernel version has the rebuild counter before the kernel commit hash. (bsc#1175342)
- Improve Italian translation of the 'breaking dependencies' message. (bsc#1173529)
- Make sure reading from lsof does not block forever. (bsc#1174240)
- Just collect details for the signatures found.

Changes in zypper:
- man: Enhance description of the global package cache. (bsc#1175592)
- man: Point out that plain rpm packages are not downloaded to the global package cache.
  (bsc#1173273)
- Directly list subcommands in 'zypper help'. (bsc#1165424)
- Remove extern C block wrapping augeas.h as it breaks the build on Arch Linux.
- Point out that plaindir repos do not follow symlinks. (bsc#1174561)
- Fix help command for list-patches.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2850-1
Released:    Fri Oct  2 12:26:03 2020
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    moderate
References:  1175110
This update for lvm2 fixes the following issues:

- Fixed an issue where LVM hot spares were not added automatically. (bsc#1175110)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2852-1
Released:    Fri Oct  2 16:55:39 2020
Summary:     Recommended update for openssl-1_1
Type:        recommended
Severity:    moderate
References:  1173470,1175844
This update for openssl-1_1 fixes the following issues:

FIPS:

* Include ECDH/DH Requirements from SP800-56Arev3 (bsc#1175844, bsc#1173470).
* Add shared secret KAT to FIPS DH selftest (bsc#1175844).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2864-1
Released:    Tue Oct  6 10:34:14 2020
Summary:     Security update for gnutls
Type:        security
Severity:    moderate
References:  1176086,1176181,1176671,CVE-2020-24659
This update for gnutls fixes the following issues:

- Fix heap buffer overflow in handshake with no_renegotiation alert sent (CVE-2020-24659 bsc#1176181)
- FIPS: Implement (EC)DH requirements from SP800-56Arev3 (bsc#1176086)
- FIPS: Use 2048 bit prime in DH selftest (bsc#1176086)
- FIPS: Add TLS KDF selftest (bsc#1176671)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2869-1
Released:    Tue Oct  6 16:13:20 2020
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1011548,1153943,1153946,1161239,1171762
This update for aaa_base fixes the following issues:

- DIR_COLORS (bug#1006973):
  
  - add screen.xterm-256color
  - add TERM rxvt-unicode-256color
  - sort and merge TERM entries in etc/DIR_COLORS
  
- check for Packages.db and use this instead of Packages. (bsc#1171762)
- Rename path() to _path() to avoid using a general name.
- refresh_initrd: call modprobe as /sbin/modprobe (bsc#1011548)
- etc/profile: add some missing ;; in case/esac statements
- profile and csh.login: on s390x set TERM to dumb on dumb terminal (bsc#1153946)
- backup-rpmdb: exit if zypper is running (bsc#1161239)
- Add color alias for ip command (jsc#sle-9880, jsc#SLE-7679, bsc#1153943)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2893-1
Released:    Mon Oct 12 14:14:55 2020
Summary:     Recommended update for openssl-1_1
Type:        recommended
Severity:    moderate
References:  1177479
This update for openssl-1_1 fixes the following issues:

- Restore private key check in EC_KEY_check_key (bsc#1177479)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2901-1
Released:    Tue Oct 13 14:22:43 2020
Summary:     Security update for libproxy
Type:        security
Severity:    important
References:  1176410,1177143,CVE-2020-25219,CVE-2020-26154
This update for libproxy fixes the following issues:

- CVE-2020-25219: Rewrote url::recvline to be nonrecursive (bsc#1176410).
- CVE-2020-26154: Fixed a buffer overflow when PAC is enabled (bsc#1177143).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2914-1
Released:    Tue Oct 13 17:25:20 2020
Summary:     Security update for bind
Type:        security
Severity:    moderate
References:  1100369,1109160,1118367,1118368,1128220,1156205,1157051,1161168,1170667,1170713,1171313,1171740,1172958,1173307,1173311,1173983,1175443,1176092,1176674,906079,CVE-2017-3136,CVE-2018-5741,CVE-2019-6477,CVE-2020-8616,CVE-2020-8617,CVE-2020-8618,CVE-2020-8619,CVE-2020-8620,CVE-2020-8621,CVE-2020-8622,CVE-2020-8623,CVE-2020-8624
This update for bind fixes the following issues:

BIND was upgraded to version 9.16.6:

Note:

- bind is now more strict in regards to DNSSEC. If queries are not working,
  check for DNSSEC issues. For instance, if bind is used in a nameserver
  forwarder chain, the forwarding DNS servers must support DNSSEC.

Fixing security issues:

- CVE-2020-8616: Further limit the number of queries that can be triggered from
  a request. Root and TLD servers are no longer exempt from
  max-recursion-queries. Fetches for missing name server address records
  are limited to 4 for any domain. (bsc#1171740)
- CVE-2020-8617: Replaying a TSIG BADTIME response as a request could trigger an
  assertion failure. (bsc#1171740)
- CVE-2019-6477: Fixed an issue where TCP-pipelined queries could bypass 
  the tcp-clients limit (bsc#1157051).
- CVE-2018-5741: Fixed the documentation (bsc#1109160).
- CVE-2020-8618: It was possible to trigger an INSIST when determining
  whether a record would fit into a TCP message buffer (bsc#1172958).
- CVE-2020-8619: It was possible to trigger an INSIST in
  lib/dns/rbtdb.c:new_reference() with a particular zone content
  and query patterns (bsc#1172958).
- CVE-2020-8624: 'update-policy' rules of type 'subdomain' were
  incorrectly treated as 'zonesub' rules, which allowed
  keys used in 'subdomain' rules to update names outside
  of the specified subdomains. The problem was fixed by
  making sure 'subdomain' rules are again processed as
  described in the ARM (bsc#1175443).
- CVE-2020-8623: When BIND 9 was compiled with native PKCS#11 support, it
  was possible to trigger an assertion failure in code
  determining the number of bits in the PKCS#11 RSA public
  key with a specially crafted packet (bsc#1175443).
- CVE-2020-8621: named could crash in certain query resolution scenarios
  where QNAME minimization and forwarding were both
  enabled (bsc#1175443).
- CVE-2020-8620: It was possible to trigger an assertion failure by
  sending a specially crafted large TCP DNS message (bsc#1175443).
- CVE-2020-8622: It was possible to trigger an assertion failure when
  verifying the response to a TSIG-signed request (bsc#1175443).

Other issues fixed:

- Add engine support to OpenSSL EdDSA implementation.
- Add engine support to OpenSSL ECDSA implementation.
- Update PKCS#11 EdDSA implementation to PKCS#11 v3.0.
- Warn about AXFR streams with inconsistent message IDs.
- Make ISC rwlock implementation the default again.
- Fixed issues when using cookie-secrets for AES and SHA2 (bsc#1161168)
- Installed the default files in /var/lib/named and created 
  chroot environment on systems using transactional-updates (bsc#1100369, fate#325524)
- Fixed an issue where bind was not working in FIPS mode (bsc#906079).
- Fixed dependency issues (bsc#1118367 and bsc#1118368).
- Legacy GeoIP support is discontinued; GeoIP2 is used instead (bsc#1156205).
- Fixed an issue with FIPS (bsc#1128220).
- The liblwres library is discontinued upstream and is no longer included.
- Added a service dependency on NTP to make sure the clock is accurate when bind starts (bsc#1170667, bsc#1170713).
- Reject DS records at the zone apex when loading master files. Log but otherwise ignore attempts to add DS records at the zone apex via UPDATE.
- The default value of 'max-stale-ttl' has been changed from 1 week to 12 hours.
- Zone timers are now exported via statistics channel.
- The 'primary' and 'secondary' keywords, when used as parameters for 'check-names', were not processed correctly and were being ignored.
- 'rndc dnstap -roll <value>' did not limit the number of saved files to <value>.
- Add 'rndc dnssec -status' command.
- Addressed a couple of situations where named could crash.
- Changed /var/lib/named to owner root:named and perms rwxrwxr-t
  so that named, being a member (normally the only one) of the 'named' group,
  has full r/w access yet cannot change directories owned by root
  in the case of a compromised named.
  [bsc#1173307, bind-chrootenv.conf]
- Added '/etc/bind.keys' to NAMED_CONF_INCLUDE_FILES in /etc/sysconfig/named to suppress warning message re missing file (bsc#1173983).
- Removed '-r /dev/urandom' from all invocations of rndc-confgen
  (init/named system/lwresd.init system/named.init in vendor-files)
  as this option is deprecated and causes rndc-confgen to fail.
  (bsc#1173311, bsc#1176674, bsc#1170713)
- /usr/bin/genDDNSkey: Removed the use of the -r option in the call
  of /usr/sbin/dnssec-keygen, as BIND now uses the random number
  functions provided by the crypto library (i.e., OpenSSL or a
  PKCS#11 provider) as a source of randomness rather than /dev/random.
  Therefore the -r command line option no longer has any effect on
  dnssec-keygen. The option is kept in genDDNSkey so as not to break
  compatibility. Patch provided by Stefan Eisenwiener.
  [bsc#1171313]
- Put libns into a separate subpackage to avoid file conflicts
  in the libisc subpackage due to different sonums (bsc#1176092).
- Require /sbin/start_daemon: both init scripts, the one used in
  systemd context as well as legacy sysv, make use of start_daemon.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2947-1
Released:    Fri Oct 16 15:23:07 2020
Summary:     Security update for gcc10, nvptx-tools
Type:        security
Severity:    moderate
References:  1172798,1172846,1173972,1174753,1174817,1175168,CVE-2020-13844
This update for gcc10, nvptx-tools fixes the following issues:

This update provides the GCC10 compiler suite and runtime libraries.

The base SUSE Linux Enterprise libraries libgcc_s1, libstdc++6 are replaced by
the gcc10 variants.

The new compiler variants are available with '-10' suffix, you can specify them
via:

	CC=gcc-10
	CXX=g++-10

or similar commands.

For a detailed changelog check out https://gcc.gnu.org/gcc-10/changes.html

Changes in nvptx-tools:

- Enable build on aarch64
  
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2958-1
Released:    Tue Oct 20 12:24:55 2020
Summary:     Recommended update for procps
Type:        recommended
Severity:    moderate
References:  1158830
This update for procps fixes the following issues:

- Fixes an issue where 'ps -C' no longer accepted an argument longer than 15 characters. (bsc#1158830)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2983-1
Released:    Wed Oct 21 15:03:03 2020
Summary:     Recommended update for file
Type:        recommended
Severity:    moderate
References:  1176123
This update for file fixes the following issues:

- Fixes an issue where file displayed a broken ELF interpreter. (bsc#1176123)
  
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3048-1
Released:    Tue Oct 27 16:04:52 2020
Summary:     Recommended update for libsolv, libzypp, yaml-cpp, zypper
Type:        recommended
Severity:    moderate
References:  1174918,1176192,1176435,1176712,1176740,1176902,1177238,935885
This update for libsolv, libzypp, yaml-cpp, zypper fixes the following issues:

libzypp was updated to 17.25.1:

- When kernel-rt has been installed, the purge-kernels service fails during boot. (bsc#1176902)
- Use package name provides as group key in purge-kernel (bsc#1176740 bsc#1176192)
  kernel-default-base has new packaging, where the kernel uname -r
  does not reflect the full package version anymore. This patch
  adds additional logic to use the most generic/shortest edition
  each package provides with %{packagename}=<version> to group the
  kernel packages instead of the rpm versions.
  This also changes how the keep-spec for specific versions is
  applied, instead of matching the package versions, each of the
  package name provides will be matched.
- RepoInfo: Return the type of the local metadata cache as
  fallback (bsc#1176435)
- VendorAttr: Fix broken 'suse,opensuse' equivalence handling.
  Enhance API and testcases. (bsc#1174918)
- Update docs regarding 'opensuse' namespace matching.
- Link against libzstd to close libsolvs open references
  (as we link statically)

yaml-cpp:

- The libyaml-cpp0_6 library package is added to the Basesystem module, LTSS and ESPOS
  channels, and the INSTALLER channels, as a new libzypp dependency.

  No source changes were done to yaml-cpp.

zypper was updated to 1.14.40:

- info: Assume descriptions starting with '<p>' are richtext
  (bsc#935885)
- help: prevent 'whatis' from writing to stderr (bsc#1176712)
- wp: point out that command is aliased to a search command and
  searches case-insensitive (jsc#SLE-16271)

libsolv was updated to 0.7.15 to fix:

- make testcase_mangle_repo_names deal correctly with freed repos
  [bsc#1177238]
- fix deduceq2addedmap clearing bits outside of the map
- conda: feature depriorization first
- conda: fix startswith implementation
- move find_update_seeds() call in cleandeps calculation
- set SOLVABLE_BUILDHOST in rpm and rpmmd parsers
- new testcase_mangle_repo_names() function
- new solv_fmemopen() function

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3138-1
Released:    Tue Nov  3 12:14:03 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1104902,1154935,1165502,1167471,1173422,1176513,1176800
This update for systemd fixes the following issues:

- seccomp: shm{get,at,dt} now have their own numbers everywhere (bsc#1173422)
- test-seccomp: log function names
- test-seccomp: add log messages when skipping tests
- basic/virt: Detect PowerVM hypervisor (bsc#1176800)
- fs-util: suppress world-writable warnings if we read /dev/null
- udevadm: rename option '--log-priority' into '--log-level'
- udev: rename kernel option 'log_priority' into 'log_level'
- fstab-generator: add 'nofail' when  NFS 'bg' option is used (bsc#1176513)
- Fix memory protection default (bsc#1167471) 
- cgroup: Support 0-value for memory protection directives and accepts MemorySwapMax=0 (bsc#1154935)
- Improve latency and reliability when users log in/out (bsc#1104902, bsc#1165502)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3157-1
Released:    Wed Nov  4 15:37:05 2020
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:  1177864
This update for ca-certificates-mozilla fixes the following issues:

The SSL Root CA store was updated to the 2.44 state of the Mozilla NSS Certificate store (bsc#1177864)

- Removed CAs:

  - EE Certification Centre Root CA
  - Taiwan GRCA

- Added CAs:

  - Trustwave Global Certification Authority
  - Trustwave Global ECC P256 Certification Authority
  - Trustwave Global ECC P384 Certification Authority

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3290-1
Released:    Wed Nov 11 12:25:32 2020
Summary:     Recommended update for findutils
Type:        recommended
Severity:    moderate
References:  1174232
This update for findutils fixes the following issues:

- Do not unconditionally use leaf optimization for NFS. (bsc#1174232)
  NFS st_nlink values are not accurate on all implementations, leading to abort() calls if that assumption is made.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3307-1
Released:    Thu Nov 12 14:17:55 2020
Summary:     Recommended update for rdma-core
Type:        recommended
Severity:    moderate
References:  1177699
This update for rdma-core fixes the following issue:

- Move rxe_cfg to libibverbs-utils. (bsc#1177699)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3313-1
Released:    Thu Nov 12 16:07:37 2020
Summary:     Security update for openldap2
Type:        security
Severity:    important
References:  1178387,CVE-2020-25692
This update for openldap2 fixes the following issues:

- CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3377-1
Released:    Thu Nov 19 09:29:32 2020
Summary:     Security update for krb5
Type:        security
Severity:    moderate
References:  1178512,CVE-2020-28196
This update for krb5 fixes the following security issue:

- CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3381-1
Released:    Thu Nov 19 10:53:38 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1177458,1177490,1177510
This update for systemd fixes the following issues:

- build-sys: optionally disable support of journal over the network (bsc#1177458)
- ask-password: prevent buffer overflow when reading from keyring (bsc#1177510)
- mount: don't propagate errors from mount_setup_unit() further up
- Rely on the new build option --disable-remote for journal_remote
  This allows to drop the workaround that consisted in cleaning journal-upload files and
  {sysusers.d,tmpfiles.d}/systemd-remote.conf manually when 'journal_remote' support was disabled.
- Move journal-{remote,upload}.conf.5.gz man pages into systemd-journal_remote sub package 
- Make sure {sysusers.d,tmpfiles.d}/systemd-remote.conf are not shipped with --without=journal_remote (bsc#1177458)
  These files were incorrectly packaged in the main package when systemd-journal_remote was disabled.
- Make use of %{_unitdir} and %{_sysusersdir}
- Remove mq-deadline selection from 60-io-scheduler.rules (bsc#1177490)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3462-1
Released:    Fri Nov 20 13:14:35 2020
Summary:     Recommended update for pam and sudo
Type:        recommended
Severity:    moderate
References:  1174593,1177858,1178727
This update for pam and sudo fixes the following issue:

pam:

- pam_xauth: do not *free* a string which has been successfully passed to *putenv*. (bsc#1177858)
- Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727)
- Run /usr/bin/xauth using the old user's and group's identifiers. (bsc#1174593)

sudo:

- Fix a problem with pam_xauth which checks effective and real uids to get the real identity of the user. (bsc#1174593)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3473-1
Released:    Fri Nov 20 19:08:33 2020
Summary:     Security update for ceph
Type:        security
Severity:    moderate
References:  1163764,1170200,1170498,1173079,1174466,1174529,1174644,1175120,1175161,1175169,1176451,1176499,1176638,1177078,1177151,1177319,1177344,1177450,1177643,1177676,1177843,1177933,1178073,1178531,CVE-2020-25660
This update for ceph fixes the following issues:

- CVE-2020-25660: Bring back CEPHX_V2 authorizer challenges (bsc#1177843).
- Added --container-init feature (bsc#1177319, bsc#1163764)
- Made journald the log driver again (bsc#1177933)
- Fixes a condition check for copy_tree, copy_files, and move_files in cephadm (bsc#1177676)
- Fixed a bug where device_health_metrics pool gets created even without any OSDs in the cluster (bsc#1173079)
- Log cephadm output /var/log/ceph/cephadm.log (bsc#1174644)
- Fixed a bug where the orchestrator didn't come up anymore after the deletion of OSDs (bsc#1176499)
- Fixed a bug where cephadm fails to deploy all OSDs and gets stuck (bsc#1177450)
- python-common will no longer skip unavailable disks (bsc#1177151)
- Added snap-schedule module (jsc#SES-704)
- Updated the SES7 downstream branding (bsc#1175120, bsc#1175161, bsc#1175169, bsc#1170498)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3581-1
Released:    Tue Dec  1 14:40:22 2020
Summary:     Recommended update for libusb-1_0
Type:        recommended
Severity:    moderate
References:  1178376
This update for libusb-1_0 fixes the following issues:

- Fixes a libusb build failure caused by the inclusion of 'sys/time.h' on PowerPC. (bsc#1178376)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3593-1
Released:    Wed Dec  2 10:33:49 2020
Summary:     Security update for python3
Type:        security
Severity:    important
References:  1176262,1179193,CVE-2019-20916
This update for python3 fixes the following issues:

Update to 3.6.12 (bsc#1179193), including:

- Fixed a directory traversal in _download_http_url() (bsc#1176262 CVE-2019-20916)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3620-1
Released:    Thu Dec  3 17:03:55 2020
Summary:     Recommended update for pam
Type:        recommended
Severity:    moderate
References:  
This update for pam fixes the following issues:

- Check if the password is part of the username. (jsc#SLE-16719, jsc#SLE-16720)
  - Check whether the password contains a substring of the user's name of at least `<N>` characters length in
    some form. This is enabled by the new parameter `usersubstr=<N>`
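The `usersubstr=<N>` rule described above, as an added Python illustration (example code, not pam's own module). It assumes case-insensitive matching and that the reversed user name is searched as well as the straight one; both assumptions are this example's reading of "in some form", not something the advisory states. With `usersubstr` unset (0) only the whole user name is searched, which is the classic behaviour the new parameter extends. The sample user name and passwords at the bottom are constructed.

```python
from typing import Iterator, Optional


def _substrings(text: str, min_len: int) -> Iterator[str]:
    """Yield every distinct substring of text whose length is >= min_len."""
    seen = set()
    for length in range(min_len, len(text) + 1):
        for start in range(len(text) - length + 1):
            piece = text[start:start + length]
            if piece not in seen:
                seen.add(piece)
                yield piece


def user_fragment_in_password(password: str, username: str,
                              usersubstr: int = 0) -> Optional[str]:
    """Return the user-name fragment found in the password, or None.

    usersubstr == 0 keeps the classic behaviour: only the whole user name,
    forwards or reversed, is searched for.  usersubstr == N additionally
    rejects any N-or-longer substring of the user name (again forwards or
    reversed).  Matching is case-insensitive.  The reversal and the case
    folding are assumptions of this example.
    """
    user = username.lower()
    pw = password.lower()
    if not user:
        return None
    forms = (user, user[::-1])
    if 0 < usersubstr < len(user):
        candidates = set()
        for form in forms:
            candidates.update(_substrings(form, usersubstr))
    else:
        # N >= len(user) (or unset) degenerates to the whole-name check.
        candidates = set(forms)
    # Report the longest overlap so the user gets the most useful hint.
    for fragment in sorted(candidates, key=len, reverse=True):
        if fragment in pw:
            return fragment
    return None


def password_acceptable(password: str, username: str, usersubstr: int = 0) -> bool:
    """The boolean a PAM module would map to success or PAM_AUTHTOK_ERR."""
    return user_fragment_in_password(password, username, usersubstr) is None


if __name__ == "__main__":
    # Constructed examples: the same user with and without usersubstr=4.
    for pw in ("Bobby-Tables-2020", "correct horse battery", "xx-selbatb-yy"):
        print(repr(pw), "classic:", user_fragment_in_password(pw, "btables"),
              "usersubstr=4:", user_fragment_in_password(pw, "btables", 4))
```

The first sample shows the point of the new parameter: "Bobby-Tables-2020" does not contain the whole user name "btables" and so passes the classic check, but with `usersubstr=4` the fragment "tables" is found and the password is rejected.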

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3626-1
Released:    Fri Dec  4 13:51:46 2020
Summary:     Recommended update for audit
Type:        recommended
Severity:    moderate
References:  1179515
This update for audit fixes the following issues:

- Enable Aarch64 processor support. (bsc#1179515) 

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3703-1
Released:    Mon Dec  7 20:17:32 2020
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1179431
This update for aaa_base fixes the following issue:

- Avoid semicolon within (t)csh login script on S/390. (bsc#1179431)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3721-1
Released:    Wed Dec  9 13:36:46 2020
Summary:     Security update for openssl-1_1
Type:        security
Severity:    important
References:  1179491,CVE-2020-1971
This update for openssl-1_1 fixes the following issues:
	  
- CVE-2020-1971: Fixed a null pointer dereference in EDIPARTYNAME (bsc#1179491).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3735-1
Released:    Wed Dec  9 18:19:24 2020
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1179398,1179399,1179593,CVE-2020-8284,CVE-2020-8285,CVE-2020-8286
This update for curl fixes the following issues:

- CVE-2020-8286: Fixed improper OCSP verification on the client side (bsc#1179593).
- CVE-2020-8285: Fixed a stack overflow due to FTP wildcard matching (bsc#1179399).
- CVE-2020-8284: Fixed an issue where a malicious FTP server could make curl connect to a different IP (bsc#1179398).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3741-1
Released:    Thu Dec 10 09:32:43 2020
Summary:     Recommended update for ceph
Type:        recommended
Severity:    moderate
References:  1179452,1179526
This update for ceph fixes the following issues:
  
- Fixed an issue where reading a large RGW object took too long and could cause data loss. (bsc#1179526)
- Fixed a build issue caused by missing nautilus module named 'six'. (bsc#1179452)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3761-1
Released:    Fri Dec 11 13:29:49 2020
Summary:     Security changes in Kubernetes, etcd, and skuba; Bugfix in cri-o package and make helm3 the default helm
Type:        security
Severity:    important
References:  1172270,1173055,1173165,1174219,1174951,1175352,1176225,1176578,1176903,1176904,1177361,1177362,1177660,1177661,1178785,CVE-2020-15106,CVE-2020-8029,CVE-2020-8564,CVE-2020-8565

== Kubernetes & etcd (Security fixes)

This fix involves an upgrade of Kubernetes and some add-ons. See https://documentation.suse.com/suse-caasp/4.5/html/caasp-admin/_cluster_updates.html#_updating_kubernetes_components for the upgrade procedure.
   
== Skuba (Security fixes) & helm3 becomes the default helm

In order to update skuba and helm or helm 3, you need to update the management workstation. See detailed instructions at https://documentation.suse.com/suse-caasp/4.5/html/caasp-admin/_cluster_updates.html#_update_management_workstation
  

