SUSE-RU-2020:3949-1: moderate: Recommended update for openscap

sle-updates at lists.suse.com
Thu Dec 31 10:15:10 MST 2020


   SUSE Recommended Update: Recommended update for openscap
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:3949-1
Rating:             moderate
References:         #1154380 #1155258 #1160720 #1178301 #1180456 
                    
Affected Products:
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
______________________________________________________________________________

   An update that has 5 recommended fixes can now be installed.

Description:

   This update for openscap fixes the following issues:

   OpenSCAP was updated to 1.3.4:

   - add CPE dict entries for openSUSE Leap 15.1 and 15.2
   - add dbus-1-devel buildrequires to enable systemd tests (bsc#1178301)

   openscap 1.3.4:

     * New features

       - Add support for FreeBSD
       - Make use of HTTP header content-encoding: gzip if available
       - Improved yamlfilecontent: updated yaml-filter, extend the schema and
         probe to be able to work with a set of values in maps

     * Maintenance, bug fixes

       - A lot of memory leaks have been plugged
       - Refactored rpmverifyfile probe and fixed memory leak
       - Fixed SEGFAULT caused by recursive and circular dependencies between
         OVAL definitions
       - Fixed DOM representation of the profile platform
       - Test suite: better portability, more granularity in results,
         inclusion of memory-related tests
       - Compatibility with uClibc
       - Local and remote file system detection method was improved
       - Make the report a valid HTML5 document
       - openscap: DISA STIG Viewer URL reference changed (bsc#1180456)

   openscap 1.3.3:

   Notable improvements in this release:

     - a Python script that can be used for CLI tailoring (autotailor) (thank
       you, Matěj Týč);
     - timezone for XCCDF TestResult start and end time (thank you, Jan
       Černý);
     - new yamlfilecontent independent probe (draft implementation), see the
       proposal https://github.com/OVAL-Community/OVAL/issues/91 for
       additional information.

   There are other changes as well, here is the list:

     - Introduced `urn:xccdf:fix:script:kubernetes` fix type in XCCDF;
     - Added ability to generate `machineconfig` fix;
     - Detect ambiguous scan target (utils/oscap-podman);
     - Fixed #170: The rpmverifyfile probe can't verify files from '/bin'
       directory;
     - The data returned by the system_info probe for offline and online
       modes is consistent and actual;
     - Prevent crashes when complicated regexes are executed in
       textfilecontent58 probe;
     - Fixed #1512: Severity refinement lost in generated guide;
     - Fixed #1453: Pointer lost in Swig API;
     - Evaluation Characteristics of the XCCDF report are now consistent with
       OVAL entities from system_info probe;
     - Fixed filepath pattern matching in offline mode in textfilecontent58
       probe;
     - Fixed infinite recursion in systemdunitdependency probe;
     - Fixed the case when CMake couldn't find libacl or xattr.h.

   openscap 1.3.2:

     - the test suite and build scripts were improved to support Debian 10
     - offline mode has received some love with a set of dedicated tests and
       various fixes in OVAL probes;
     - the oscap-docker wrapper is no longer dependent on Atomic
     - Python bindings are now more robust
     - HTML reports and guides, generated by the scanner, are now more
       accessible for non-visual rendering agents
     - Support of multi-check rules has been improved across the whole
       workflow

     There are other changes as well, here is the list:

     * New features

       - Offline mode support for environmentvariable58 probe
       - The oscap-docker wrapper is available without Atomic

     * Maintenance, bug fixes

       - Improved support of multi-check rules (report, remediations, console
         output)
       - Improved HTML report look and feel, including printed version
       - Less clutter in verbose mode output; some warnings and errors
         demoted to verbose mode levels
       - Probe rpmverifyfile uses and returns canonical paths
       - Improved a11y of HTML reports and guides
       - Fixes and improvements for SWIG Python bindings
       - #1403 fixed: Scanner would not apply remediation for multicheck
         rules (verbosity)
       - Fixed URL link mechanism for Red Hat Errata
       - New STIG Viewer URI: public.cyber.mil
       - Probe selinuxsecuritycontext would not check if SELinux is enabled
       - Scanner would provide information about unsupported OVAL objects
       - Added more tests for offline mode (probes, remediation)
       - #528 fixed: Eval SCE script when /tmp is in mode noexec
       - #1173, RHBZ#1603347 fixed: Double chdir/chroot in probe
         rpmverifypackage
       - make it build with new RPM (bsc#1160720)


Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Basesystem 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-3949=1



Package List:

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):

      libopenscap25-1.3.4-3.6.1
      libopenscap25-debuginfo-1.3.4-3.6.1
      openscap-1.3.4-3.6.1
      openscap-content-1.3.4-3.6.1
      openscap-debuginfo-1.3.4-3.6.1
      openscap-debugsource-1.3.4-3.6.1
      openscap-devel-1.3.4-3.6.1
      openscap-utils-1.3.4-3.6.1
      openscap-utils-debuginfo-1.3.4-3.6.1


References:

   https://bugzilla.suse.com/1154380
   https://bugzilla.suse.com/1155258
   https://bugzilla.suse.com/1160720
   https://bugzilla.suse.com/1178301
   https://bugzilla.suse.com/1180456


