SUSE-CU-2020:198-1: Security update of caasp/v4/cilium
sle-updates at lists.suse.com
sle-updates at lists.suse.com
Tue Jun 16 11:29:12 MDT 2020
SUSE Container Update Advisory: caasp/v4/cilium
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:198-1
Container Tags : caasp/v4/cilium:1.6.6 , caasp/v4/cilium:1.6.6-rev4 , caasp/v4/cilium:1.6.6-rev4-build3.5.1
Container Release : 3.5.1
Severity : important
Type : security
References : 1007715 1013125 1041090 1047218 1048688 1049825 1051143 1071995
1073313 1081947 1081947 1082293 1082318 1084671 1084934 1085196
1086909 1087982 1092100 1092920 1093414 1094448 1095603 1102840
1102920 1103320 1106214 1106383 1109412 1109413 1109414 1110797
1111388 1111996 1112534 1112535 1113247 1113252 1113255 1114592
1114845 1116827 1116995 1118644 1118830 1118831 1120629 1120630
1120631 1120640 1121034 1121035 1121056 1121197 1121353 1121353
1121753 1122417 1122666 1123919 1125306 1125689 1125886 1127155
1127608 1127701 1128828 1129568 1130306 1131113 1131823 1133131
1133232 1133495 1133773 1134226 1135114 1135254 1135534 1135708
1135749 1135984 1137296 1137977 1138457 1138793 1138869 1138908
1139459 1139459 1139584 1139795 1139939 1140039 1140631 1141113
1141897 1141897 1141913 1142614 1142649 1142649 1142654 1142772
1143055 1143194 1143273 1144047 1144068 1144169 1145023 1145231
1145231 1145521 1145554 1145716 1146027 1146182 1146184 1146415
1146415 1146475 1146866 1146947 1148244 1148517 1148517 1148788
1148987 1149145 1149145 1149332 1149429 1149495 1149496 1149511
1149995 1150003 1150021 1150021 1150137 1150250 1150595 1150734
1151023 1151023 1151377 1151582 1151876 1152101 1152334 1152590
1152590 1152692 1152755 1153351 1153557 1153936 1154016 1154019
1154025 1154036 1154037 1154256 1154295 1154661 1154804 1154805
1154871 1154884 1154887 1155198 1155199 1155205 1155207 1155217
1155271 1155298 1155327 1155337 1155338 1155339 1155346 1155574
1155668 1155678 1155819 1156158 1156213 1156300 1156450 1156482
1157198 1157278 1157292 1157337 1157377 1157775 1157794 1157893
1158095 1158095 1158101 1158358 1158485 1158763 1158809 1158830
1158921 1158996 1159002 1159003 1159003 1159004 1159006 1159108
1159314 1159539 1159814 1159928 1160039 1160086 1160160 1160460
1160460 1160571 1160590 1160594 1160595 1160735 1160764 1160970
1160979 1161215 1161216 1161218 1161219 1161220 1161262 1161436
1161517 1161521 1161779 1161816 1162093 1162108 1162108 1162152
1162518 1162651 1162930 1163184 1163526 1163922 1164126 1164390
1164390 1164505 1164562 1164717 1164718 1164950 1164950 1165011
1165539 1165579 1165784 1166106 1166260 1166481 1166510 1166510
1166748 1166881 1167073 1167163 1167223 1167631 1167674 1167898
1168076 1168345 1168364 1168699 1168835 1169506 1169512 1169569
1169944 1169992 1170173 1170527 1170771 1171173 1171422 1171512
1171656 1171872 1172021 353876 859480 CVE-2017-17740 CVE-2018-1000876
CVE-2018-1122 CVE-2018-1123 CVE-2018-1124 CVE-2018-1125 CVE-2018-1126
CVE-2018-17358 CVE-2018-17359 CVE-2018-17360 CVE-2018-17985 CVE-2018-18309
CVE-2018-18483 CVE-2018-18484 CVE-2018-18605 CVE-2018-18606 CVE-2018-18607
CVE-2018-19931 CVE-2018-19932 CVE-2018-20532 CVE-2018-20533 CVE-2018-20534
CVE-2018-20623 CVE-2018-20651 CVE-2018-20671 CVE-2018-6323 CVE-2018-6543
CVE-2018-6759 CVE-2018-6872 CVE-2018-7208 CVE-2018-7568 CVE-2018-7569
CVE-2018-7570 CVE-2018-7642 CVE-2018-7643 CVE-2018-8945 CVE-2019-1010180
CVE-2019-12290 CVE-2019-13057 CVE-2019-13565 CVE-2019-13627 CVE-2019-14250
CVE-2019-14250 CVE-2019-14866 CVE-2019-14889 CVE-2019-14889 CVE-2019-1547
CVE-2019-1551 CVE-2019-1563 CVE-2019-15847 CVE-2019-15847 CVE-2019-15903
CVE-2019-16168 CVE-2019-17543 CVE-2019-17594 CVE-2019-17595 CVE-2019-18218
CVE-2019-18224 CVE-2019-18466 CVE-2019-18801 CVE-2019-18802 CVE-2019-18802
CVE-2019-18836 CVE-2019-18838 CVE-2019-18900 CVE-2019-19126 CVE-2019-19391
CVE-2019-19956 CVE-2019-19956 CVE-2019-20386 CVE-2019-20388 CVE-2019-3687
CVE-2019-3688 CVE-2019-3690 CVE-2019-5094 CVE-2019-5188 CVE-2019-5481
CVE-2019-5482 CVE-2019-9511 CVE-2019-9513 CVE-2019-9893 CVE-2020-10029
CVE-2020-11501 CVE-2020-12243 CVE-2020-1712 CVE-2020-1712 CVE-2020-1730
CVE-2020-1752 CVE-2020-7595 CVE-2020-8013 ECO-368 SLE-6206 SLE-6533
SLE-6536 SLE-7687 SLE-8789 SLE-9132 SLE-9171
-----------------------------------------------------------------
The container caasp/v4/cilium was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2241-1
Released: Wed Aug 28 14:58:49 2019
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1144169
This update for ca-certificates-mozilla fixes the following issues:
ca-certificates-mozillawas updated to 2.34 state of the Mozilla NSS Certificate store (bsc#1144169)
Removed CAs:
- Certinomis - Root CA
Includes new root CAs from the 2.32 version:
- emSign ECC Root CA - C3 (email and server auth)
- emSign ECC Root CA - G3 (email and server auth)
- emSign Root CA - C1 (email and server auth)
- emSign Root CA - G1 (email and server auth)
- Hongkong Post Root CA 3 (server auth)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2307-1
Released: Thu Sep 5 14:45:08 2019
Summary: Security update for util-linux and shadow
Type: security
Severity: moderate
References: 1081947,1082293,1085196,1106214,1121197,1122417,1125886,1127701,1135534,1135708,1141113,353876
This update for util-linux and shadow fixes the following issues:
util-linux:
- Fixed an issue where PATH settings in /etc/default/su being ignored (bsc#1121197)
- Prevent outdated pam files (bsc#1082293).
- De-duplicate fstrim -A properly (bsc#1127701).
- Do not trim read-only volumes (bsc#1106214).
- Integrate pam_keyinit pam module to login (bsc#1081947).
- Perform one-time reset of /etc/default/su (bsc#1121197).
- Fix problems in reading of login.defs values (bsc#1121197)
- libmount: To prevent incorrect behavior, recognize more pseudofs and netfs (bsc#1122417).
- raw.service: Add RemainAfterExit=yes (bsc#1135534).
- agetty: Return previous response of agetty for special characters (bsc#1085196, bsc#1125886)
- libmount: print a blacklist hint for 'unknown filesystem type' (jsc#SUSE-4085, fate#326832)
- Fix /etc/default/su comments and create /etc/default/runuser (bsc#1121197).
shadow:
- Fixed an issue where PATH settings in /etc/default/su being ignored (bsc#1121197)
- Fix segfault in useradd during setting password inactivity period. (bsc#1141113)
- Hardening for su wrappers (bsc#353876)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2361-1
Released: Thu Sep 12 07:54:54 2019
Summary: Recommended update for krb5
Type: recommended
Severity: moderate
References: 1081947,1144047
This update for krb5 contains the following fixes:
- Integrate pam_keyinit PAM module, ksu-pam.d. (bsc#1081947)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2367-1
Released: Thu Sep 12 12:59:37 2019
Summary: Recommended update for lvm2
Type: recommended
Severity: moderate
References: 1122666,1135984,1137296
This update for lvm2 fixes the following issues:
- Fix unknown feature in status message (bsc#1135984)
- Fix using device aliases with lvmetad (bsc#1137296)
- Fix devices drop open error message (bsc#1122666)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2373-1
Released: Thu Sep 12 14:18:53 2019
Summary: Security update for curl
Type: security
Severity: important
References: 1149495,1149496,CVE-2019-5481,CVE-2019-5482
This update for curl fixes the following issues:
Security issues fixed:
- CVE-2019-5481: Fixed FTP-KRB double-free during kerberos FTP data transfer (bsc#1149495).
- CVE-2019-5482: Fixed TFTP small blocksize heap buffer overflow (bsc#1149496).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2395-1
Released: Wed Sep 18 08:31:38 2019
Summary: Security update for openldap2
Type: security
Severity: moderate
References: 1073313,1111388,1114845,1143194,1143273,CVE-2017-17740,CVE-2019-13057,CVE-2019-13565
This update for openldap2 fixes the following issues:
Security issue fixed:
- CVE-2019-13565: Fixed an authentication bypass when using SASL authentication and session encryption (bsc#1143194).
- CVE-2019-13057: Fixed an issue with delegated database admin privileges (bsc#1143273).
- CVE-2017-17740: When both the nops module and the member of overlay
are enabled, attempts to free a buffer that was allocated on the stack,
which allows remote attackers to cause a denial of service (slapd crash)
via a member MODDN operation. (bsc#1073313)
Non-security issues fixed:
- Fixed broken shebang line in openldap_update_modules_path.sh (bsc#1114845).
- Create files in /var/lib/ldap/ during initial start to allow for transactional updates (bsc#1111388)
- Fixed incorrect post script call causing tmpfiles creation not to be run (bsc#1111388).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2403-1
Released: Wed Sep 18 16:14:29 2019
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1150003,1150250,CVE-2019-1547,CVE-2019-1563
This update for openssl-1_1 fixes the following issues:
OpenSSL Security Advisory [10 September 2019]
* CVE-2019-1547: Added EC_GROUP_set_generator side channel attack avoidance. (bsc#1150003)
* CVE-2019-1563: Fixed Bleichenbacher attack against cms/pkcs7 encryption transported key (bsc#1150250)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2423-1
Released: Fri Sep 20 16:41:45 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1146866,SLE-9132
This update for aaa_base fixes the following issues:
Added sysctl.d/51-network.conf to tighten network security (bsc#1146866) (jira#SLE-9132)
Following settings have been tightened (and set to 0):
- net.ipv4.conf.all.accept_redirects
- net.ipv4.conf.default.accept_redirects
- net.ipv4.conf.default.accept_source_route
- net.ipv6.conf.all.accept_redirects
- net.ipv6.conf.default.accept_redirects
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2429-1
Released: Mon Sep 23 09:28:40 2019
Summary: Security update for expat
Type: security
Severity: moderate
References: 1149429,CVE-2019-15903
This update for expat fixes the following issues:
Security issues fixed:
- CVE-2019-15903: Fixed heap-based buffer over-read caused by crafted XML input. (bsc#1149429)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2517-1
Released: Wed Oct 2 10:49:20 2019
Summary: Security update for libseccomp
Type: security
Severity: moderate
References: 1082318,1128828,1142614,CVE-2019-9893
This update for libseccomp fixes the following issues:
Security issues fixed:
- CVE-2019-9893: An incorrect generation of syscall filters in libseccomp was fixed (bsc#1128828)
libseccomp was updated to new upstream release 2.4.1:
- Fix a BPF generation bug where the optimizer mistakenly
identified duplicate BPF code blocks.
libseccomp was updated to 2.4.0 (bsc#1128828 CVE-2019-9893):
- Update the syscall table for Linux v5.0-rc5
- Added support for the SCMP_ACT_KILL_PROCESS action
- Added support for the SCMP_ACT_LOG action and SCMP_FLTATR_CTL_LOG attribute
- Added explicit 32-bit (SCMP_AX_32(...)) and 64-bit (SCMP_AX_64(...)) argument comparison macros to help protect against unexpected sign extension
- Added support for the parisc and parisc64 architectures
- Added the ability to query and set the libseccomp API level via seccomp_api_get(3) and seccomp_api_set(3)
- Return -EDOM on an endian mismatch when adding an architecture to a filter
- Renumber the pseudo syscall number for subpage_prot() so it no longer conflicts with spu_run()
- Fix PFC generation when a syscall is prioritized, but no rule exists
- Numerous fixes to the seccomp-bpf filter generation code
- Switch our internal hashing function to jhash/Lookup3 to MurmurHash3
- Numerous tests added to the included test suite, coverage now at ~92%
- Update our Travis CI configuration to use Ubuntu 16.04
- Numerous documentation fixes and updates
libseccomp was updated to release 2.3.3:
- Updated the syscall table for Linux v4.15-rc7
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2533-1
Released: Thu Oct 3 15:02:50 2019
Summary: Security update for sqlite3
Type: security
Severity: moderate
References: 1150137,CVE-2019-16168
This update for sqlite3 fixes the following issues:
Security issue fixed:
- CVE-2019-16168: Fixed improper validation of sqlite_stat1 field that could lead to denial of service (bsc#1150137).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2626-1
Released: Thu Oct 10 17:22:35 2019
Summary: Recommended update for permissions
Type: recommended
Severity: moderate
References: 1110797
This update for permissions fixes the following issues:
- Updated permissons for amanda. (bsc#1110797)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2676-1
Released: Tue Oct 15 21:06:54 2019
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 1145716,1152101,CVE-2019-5094
This update for e2fsprogs fixes the following issues:
Security issue fixed:
- CVE-2019-5094: Fixed an arbitrary code execution via specially crafted ext4 file systems. (bsc#1152101)
Non-security issue fixed:
- libext2fs: Call fsync(2) to clear stale errors for a new a unix I/O channel. (bsc#1145716)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2681-1
Released: Tue Oct 15 22:01:40 2019
Summary: Recommended update for libdb-4_8
Type: recommended
Severity: moderate
References: 1148244
This update for libdb-4_8 fixes the following issues:
- Add off-page deadlock patch as found and documented by Red Hat.
(bsc#1148244)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2702-1
Released: Wed Oct 16 18:41:30 2019
Summary: Security update for gcc7
Type: security
Severity: moderate
References: 1071995,1141897,1142649,1148517,1149145,CVE-2019-14250,CVE-2019-15847
This update for gcc7 to r275405 fixes the following issues:
Security issues fixed:
- CVE-2019-14250: Fixed an integer overflow in binutils (bsc#1142649).
- CVE-2019-15847: Fixed an optimization in the POWER9 backend of gcc that could reduce the entropy of the random number generator (bsc#1149145).
Non-security issue fixed:
- Move Live Patching technology stack from kGraft to upstream klp (bsc#1071995, fate#323487).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2730-1
Released: Mon Oct 21 16:04:57 2019
Summary: Security update for procps
Type: security
Severity: important
References: 1092100,1121753,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126
This update for procps fixes the following issues:
procps was updated to 3.3.15. (bsc#1092100)
Following security issues were fixed:
- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top
with HOME unset in an attacker-controlled directory, the attacker could have
achieved privilege escalation by exploiting one of several vulnerabilities in
the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow.
Inbuilt protection in ps maped a guard page at the end of the overflowed
buffer, ensuring that the impact of this flaw is limited to a crash (temporary
denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap
corruption in file2strvec function. This allowed a privilege escalation for a
local attacker who can create entries in procfs by starting processes, which
could result in crashes or arbitrary code execution in proc utilities run by
other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was
mitigated by FORTIFY limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent
truncation/integer overflow issues (bsc#1092100).
Also this non-security issue was fixed:
- Fix CPU summary showing old data. (bsc#1121753)
The update to 3.3.15 contains the following fixes:
* library: Increment to 8:0:1
No removals, no new functions
Changes: slab and pid structures
* library: Just check for SIGLOST and don't delete it
* library: Fix integer overflow and LPE in file2strvec CVE-2018-1124
* library: Use size_t for alloc functions CVE-2018-1126
* library: Increase comm size to 64
* pgrep: Fix stack-based buffer overflow CVE-2018-1125
* pgrep: Remove >15 warning as comm can be longer
* ps: Fix buffer overflow in output buffer, causing DOS CVE-2018-1123
* ps: Increase command name selection field to 64
* top: Don't use cwd for location of config CVE-2018-1122
* update translations
* library: build on non-glibc systems
* free: fix scaling on 32-bit systems
* Revert 'Support running with child namespaces'
* library: Increment to 7:0:1
No changes, no removals
New fuctions: numa_init, numa_max_node, numa_node_of_cpu, numa_uninit, xalloc_err_handler
* doc: Document I idle state in ps.1 and top.1
* free: fix some of the SI multiples
* kill: -l space between name parses correctly
* library: dont use vm_min_free on non Linux
* library: don't strip off wchan prefixes (ps & top)
* pgrep: warn about 15+ char name only if -f not used
* pgrep/pkill: only match in same namespace by default
* pidof: specify separator between pids
* pkill: Return 0 only if we can kill process
* pmap: fix duplicate output line under '-x' option
* ps: avoid eip/esp address truncations
* ps: recognizes SCHED_DEADLINE as valid CPU scheduler
* ps: display NUMA node under which a thread ran
* ps: Add seconds display for cputime and time
* ps: Add LUID field
* sysctl: Permit empty string for value
* sysctl: Don't segv when file not available
* sysctl: Read and write large buffers
* top: add config file support for XDG specification
* top: eliminated minor libnuma memory leak
* top: show fewer memory decimal places (configurable)
* top: provide command line switch for memory scaling
* top: provide command line switch for CPU States
* top: provides more accurate cpu usage at startup
* top: display NUMA node under which a thread ran
* top: fix argument parsing quirk resulting in SEGV
* top: delay interval accepts non-locale radix point
* top: address a wishlist man page NLS suggestion
* top: fix potential distortion in 'Mem' graph display
* top: provide proper multi-byte string handling
* top: startup defaults are fully customizable
* watch: define HOST_NAME_MAX where not defined
* vmstat: Fix alignment for disk partition format
* watch: Support ANSI 39,49 reset sequences
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2742-1
Released: Tue Oct 22 15:40:16 2019
Summary: Recommended update for libzypp, zypper, libsolv and PackageKit
Type: recommended
Severity: important
References: 1049825,1116995,1120629,1120630,1120631,1127155,1127608,1130306,1131113,1131823,1134226,1135749,1137977,1139795,1140039,1145521,1146027,1146415,1146947,1153557,859480,CVE-2018-20532,CVE-2018-20533,CVE-2018-20534
This update for libzypp, zypper, libsolv and PackageKit fixes the following issues:
Security issues fixed in libsolv:
- CVE-2018-20532: Fixed NULL pointer dereference at ext/testcase.c (function testcase_read) (bsc#1120629).
- CVE-2018-20533: Fixed NULL pointer dereference at ext/testcase.c (function testcase_str2dep_complex) in libsolvext.a (bsc#1120630).
- CVE-2018-20534: Fixed illegal address access at src/pool.h (function pool_whatprovides) in libsolv.a (bsc#1120631).
Other issues addressed in libsolv:
- Fixed an issue where libsolv failed to build against swig 4.0 by updating the version to 0.7.5 (bsc#1135749).
- Fixed an issue with the package name (bsc#1131823).
- repo_add_rpmdb: do not copy bad solvables from the old solv file
- Fixed an issue with cleandeps updates in which all packages were not updated
- Experimental DISTTYPE_CONDA and REL_CONDA support
- Fixed cleandeps jobs when using patterns (bsc#1137977)
- Fixed favorq leaking between solver runs if the solver is reused
- Fixed SOLVER_FLAG_FOCUS_BEST updateing packages without reason
- Be more correct with multiversion packages that obsolete their own name (bnc#1127155)
- Fix repository priority handling for multiversion packages
- Make code compatible with swig 4.0, remove obj0 instances
- repo2solv: support zchunk compressed data
- Remove NO_BRP_STRIP_DEBUG=true as brp-15-strip-debug will
not strip debug info for archives
Issues fixed in libzypp:
- Fix empty metalink downloads if filesize is unknown (bsc#1153557)
- Recognize riscv64 as architecture
- Fix installation of new header file (fixes #185)
- zypp.conf: Introduce `solver.focus` to define the resolvers general
attitude when resolving jobs. (bsc#1146415)
- New container detection algorithm for zypper ps (bsc#1146947)
- Fix leaking filedescriptors in MediaCurl. (bsc#1116995)
- Run file conflict check on dry-run. (bsc#1140039)
- Do not remove orphan products if the .prod file is owned by
a package. (bsc#1139795)
- Rephrase file conflict check summary. (bsc#1140039)
- Fix bash completions option detection. (bsc#1049825)
- Fixes a bug where zypper exited on SIGPIPE when downloading packages (bsc#1145521)
- Fixes an issue where zypper exited with a segmentation fault when updating via YaST2 (bsc#1146027)
- PublicKey::algoName: supply key algorithm and length
Issues fixed in zypper:
- Update to version 1.14.30
- Ignore SIGPIPE while STDOUT/STDERR are OK (bsc#1145521)
- Dump stacktrace on SIGPIPE (bsc#1145521)
- info: The requested info must be shown in QUIET mode (fixes #287)
- Fix local/remote url classification.
- Rephrase file conflict check summary (bsc#1140039)
- Fix bash completions option detection (bsc#1049825)
- man: split '--with[out]' like options to ease searching.
- Unhided 'ps' command in help
- Added option to show more conflict information
- Rephrased `zypper ps` hint (bsc#859480)
- Fixed repo refresh not returning 106-ZYPPER_EXIT_INF_REPOS_SKIPPED
if --root is used (bsc#1134226)
- Fixed unknown package handling in zypper install (bsc#1127608)
- Re-show progress bar after pressing retry upon install error (bsc#1131113)
Issues fixed in PackageKit:
- Port the cron configuration variables to the systemd timer script, and add -sendwait
parameter to mail in the script(bsc#1130306).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2757-1
Released: Wed Oct 23 17:21:17 2019
Summary: Security update for lz4
Type: security
Severity: moderate
References: 1153936,CVE-2019-17543
This update for lz4 fixes the following issues:
- CVE-2019-17543: Fixed a heap-based buffer overflow in LZ4_write32 (bsc#1153936).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2779-1
Released: Thu Oct 24 16:57:42 2019
Summary: Security update for binutils
Type: security
Severity: moderate
References: 1109412,1109413,1109414,1111996,1112534,1112535,1113247,1113252,1113255,1116827,1118644,1118830,1118831,1120640,1121034,1121035,1121056,1133131,1133232,1141913,1142772,1152590,1154016,1154025,CVE-2018-1000876,CVE-2018-17358,CVE-2018-17359,CVE-2018-17360,CVE-2018-17985,CVE-2018-18309,CVE-2018-18483,CVE-2018-18484,CVE-2018-18605,CVE-2018-18606,CVE-2018-18607,CVE-2018-19931,CVE-2018-19932,CVE-2018-20623,CVE-2018-20651,CVE-2018-20671,CVE-2018-6323,CVE-2018-6543,CVE-2018-6759,CVE-2018-6872,CVE-2018-7208,CVE-2018-7568,CVE-2018-7569,CVE-2018-7570,CVE-2018-7642,CVE-2018-7643,CVE-2018-8945,CVE-2019-1010180,ECO-368,SLE-6206
This update for binutils fixes the following issues:
binutils was updated to current 2.32 branch [jsc#ECO-368].
Includes following security fixes:
- CVE-2018-17358: Fixed invalid memory access in _bfd_stab_section_find_nearest_line in syms.c (bsc#1109412)
- CVE-2018-17359: Fixed invalid memory access exists in bfd_zalloc in opncls.c (bsc#1109413)
- CVE-2018-17360: Fixed heap-based buffer over-read in bfd_getl32 in libbfd.c (bsc#1109414)
- CVE-2018-17985: Fixed a stack consumption problem caused by the cplus_demangle_type (bsc#1116827)
- CVE-2018-18309: Fixed an invalid memory address dereference was discovered in read_reloc in reloc.c (bsc#1111996)
- CVE-2018-18483: Fixed get_count function provided by libiberty that allowed attackers to cause a denial of service or other unspecified impact (bsc#1112535)
- CVE-2018-18484: Fixed stack exhaustion in the C++ demangling functions provided by libiberty, caused by recursive stack frames (bsc#1112534)
- CVE-2018-18605: Fixed a heap-based buffer over-read issue was discovered in the function sec_merge_hash_lookup causing a denial of service (bsc#1113255)
- CVE-2018-18606: Fixed a NULL pointer dereference in _bfd_add_merge_section when attempting to merge sections with large alignments, causing denial of service (bsc#1113252)
- CVE-2018-18607: Fixed a NULL pointer dereference in elf_link_input_bfd when used for finding STT_TLS symbols without any TLS section, causing denial of service (bsc#1113247)
- CVE-2018-19931: Fixed a heap-based buffer overflow in bfd_elf32_swap_phdr_in in elfcode.h (bsc#1118831)
- CVE-2018-19932: Fixed an integer overflow and infinite loop caused by the IS_CONTAINED_BY_LMA (bsc#1118830)
- CVE-2018-20623: Fixed a use-after-free in the error function in elfcomm.c (bsc#1121035)
- CVE-2018-20651: Fixed a denial of service via a NULL pointer dereference in elf_link_add_object_symbols in elflink.c (bsc#1121034)
- CVE-2018-20671: Fixed an integer overflow that can trigger a heap-based buffer overflow in load_specific_debug_section in objdump.c (bsc#1121056)
- CVE-2018-1000876: Fixed integer overflow in bfd_get_dynamic_reloc_upper_bound,bfd_canonicalize_dynamic_reloc in objdump (bsc#1120640)
- CVE-2019-1010180: Fixed an out of bound memory access that could lead to crashes (bsc#1142772)
- enable xtensa architecture (Tensilica lc6 and related)
- Use -ffat-lto-objects in order to provide assembly for static libs
(bsc#1141913).
- Fixed some LTO build issues (bsc#1133131 bsc#1133232).
- riscv: Don't check ABI flags if no code section
- Fixed a segfault in ld when building some versions of pacemaker (bsc#1154025, bsc#1154016).
- Add avr, epiphany and rx to target_list so that the common binutils can handle all objects we can create with crosses (bsc#1152590).
Update to binutils 2.32:
* The binutils now support for the C-SKY processor series.
* The x86 assembler now supports a -mvexwig=[0|1] option to control
encoding of VEX.W-ignored (WIG) VEX instructions.
It also has a new -mx86-used-note=[yes|no] option to generate (or
not) x86 GNU property notes.
* The MIPS assembler now supports the Loongson EXTensions R2 (EXT2),
the Loongson EXTensions (EXT) instructions, the Loongson Content
Address Memory (CAM) ASE and the Loongson MultiMedia extensions
Instructions (MMI) ASE.
* The addr2line, c++filt, nm and objdump tools now have a default
limit on the maximum amount of recursion that is allowed whilst
demangling strings. This limit can be disabled if necessary.
* Objdump's --disassemble option can now take a parameter,
specifying the starting symbol for disassembly. Disassembly will
continue from this symbol up to the next symbol or the end of the
function.
* The BFD linker will now report property change in linker map file
when merging GNU properties.
* The BFD linker's -t option now doesn't report members within
archives, unless -t is given twice. This makes it more useful
when generating a list of files that should be packaged for a
linker bug report.
* The GOLD linker has improved warning messages for relocations that
refer to discarded sections.
- Improve relro support on s390 [fate#326356]
- Fix broken debug symbols (bsc#1118644)
- Handle ELF compressed header alignment correctly.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2811-1
Released: Tue Oct 29 14:57:18 2019
Summary: Recommended update for llvm7
Type: recommended
Severity: moderate
References: 1138457
This update for llvm7 doesn't address any user visible issues.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2812-1
Released: Tue Oct 29 14:57:55 2019
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1139459,1140631,1145023,1150595,SLE-7687
This update for systemd provides the following fixes:
- Fix a problem that would cause invoking try-restart to an inactive service to hang when
a daemon-reload is invoked before the try-restart returned. (bsc#1139459)
- man: Add a note about _netdev usage.
- units: Replace remote-cryptsetup-pre.target with remote-fs-pre.target.
- units: Add [Install] section to remote-cryptsetup.target.
- cryptsetup: Ignore _netdev, since it is used in generator.
- cryptsetup-generator: Use remote-cryptsetup.target when _netdev is present. (jsc#SLE-7687)
- cryptsetup-generator: Add a helper utility to create symlinks.
- units: Add remote-cryptsetup.target and remote-cryptsetup-pre.target.
- man: Add an explicit description of _netdev to systemd.mount(5).
- man: Order fields alphabetically in crypttab(5).
- man: Make crypttab(5) a bit easier to read.
- units: Order cryptsetup-pre.target before cryptsetup.target.
- Fix reporting of enabled-runtime units.
- sd-bus: Deal with cookie overruns. (bsc#1150595)
- rules: Add by-id symlinks for persistent memory. (bsc#1140631)
- Buildrequire polkit so /usr/share/polkit-1/rules.d subdir can be only owned by polkit.
(bsc#1145023)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2870-1
Released: Thu Oct 31 08:09:14 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1051143,1138869,1151023
This update for aaa_base provides the following fixes:
- Check if variables can be set before modifying them to avoid warnings on login with a
restricted shell. (bsc#1138869)
- Add s390x compressed kernel support. (bsc#1151023)
- service: Check if there is a second argument before using it. (bsc#1051143)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2933-1
Released: Fri Nov 8 11:46:01 2019
Summary: Recommended update for llvm7
Type: recommended
Severity: moderate
References: 1139584
This update for llvm7 fixes the following issues:
- Enable RTTI (run time type information) by built for LLVM. (bsc#1139584)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2418-1
Released: Thu Nov 14 11:53:03 2019
Summary: Recommended update for bash
Type: recommended
Severity: moderate
References: 1133773,1143055
This update for bash fixes the following issues:
- Rework patch readline-7.0-screen (bsc#1143055):
map all 'screen(-xxx)?.yyy(-zzz)?' to 'screen' as well as
map 'konsole(-xxx)?' and 'gnome(-xxx)?' to 'xterm'
- Add a backport from bash 5.0 to perform better with large numbers of sub processes. (bsc#1133773)
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2019:2980-1
Released: Thu Nov 14 22:45:33 2019
Summary: Optional update for curl
Type: optional
Severity: low
References: 1154019
This update for curl doesn't address any user visible issues.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2997-1
Released: Mon Nov 18 15:16:38 2019
Summary: Security update for ncurses
Type: security
Severity: moderate
References: 1103320,1154036,1154037,CVE-2019-17594,CVE-2019-17595
This update for ncurses fixes the following issues:
Security issues fixed:
- CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036).
- CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037).
Non-security issue fixed:
- Removed screen.xterm from terminfo database (bsc#1103320).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3010-1
Released: Tue Nov 19 18:10:58 2019
Summary: Recommended update for zypper and libsolv
Type: recommended
Severity: moderate
References: 1145554,1146415,1149511,1153351,SLE-9171
This update for zypper and libsolv fixes the following issues:
Package: zypper
- Improved the documentation of $releasever and --releasever usescases (bsc#1149511)
- zypper will now ask only once when multiple packages share the same license text (bsc#1145554)
- Added a new 'solver.focus' option for /etc/zypp/zypp.conf to define systemwide focus
mode when resolving jobs (bsc#1146415)
- Fixes an issue where 'zypper lu' didn't list all available package updates (bsc#1153351)
- Added a new --repo option to the 'download' command to allow to specify a repository (jsc#SLE-9171)
Package: libsolv
- Fixes issues when updating too many packages in focusbest mode
- Fixes the handling of disabled and installed packages in distupgrade
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3040-1
Released: Fri Nov 22 11:59:52 2019
Summary: Recommended update for lvm2
Type: recommended
Severity: moderate
References: 1145231
This update for lvm2 fixes the following issues:
- Adds a fix to detect MD devices by LVM2 with metadata=1.0/0.9 (bsc#1145231)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3059-1
Released: Mon Nov 25 17:33:07 2019
Summary: Security update for cpio
Type: security
Severity: moderate
References: 1155199,CVE-2019-14866
This update for cpio fixes the following issues:
- CVE-2019-14866: Fixed an improper validation of the values written
in the header of a TAR file through the to_oct() function which could
have led to unexpected TAR generation (bsc#1155199).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3061-1
Released: Mon Nov 25 17:34:22 2019
Summary: Security update for gcc9
Type: security
Severity: moderate
References: 1114592,1135254,1141897,1142649,1142654,1148517,1149145,CVE-2019-14250,CVE-2019-15847,SLE-6533,SLE-6536
This update includes the GNU Compiler Collection 9.
A full changelog is provided by the GCC team on:
https://www.gnu.org/software/gcc/gcc-9/changes.html
The base system compiler libraries libgcc_s1, libstdc++6 and others are
now built by the gcc 9 packages.
To use it, install 'gcc9' or 'gcc9-c++' or other compiler brands and use CC=gcc-9 /
CXX=g++-9 during configuration for using it.
Security issues fixed:
- CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145)
- CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649)
Non-security issues fixed:
- Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254)
- Fixed miscompilation for vector shift on s390. (bsc#1141897)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3070-1
Released: Tue Nov 26 12:39:29 2019
Summary: Recommended update for gpg2
Type: recommended
Severity: low
References: 1152755
This update for gpg2 provides the following fix:
- Remove a build requirement on self. This is causing Leap 15.2 bootstrap to fail. (bsc#1152755)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3086-1
Released: Thu Nov 28 10:02:24 2019
Summary: Security update for libidn2
Type: security
Severity: moderate
References: 1154884,1154887,CVE-2019-12290,CVE-2019-18224
This update for libidn2 to version 2.2.0 fixes the following issues:
- CVE-2019-12290: Fixed an improper round-trip check when converting A-labels to U-labels (bsc#1154884).
- CVE-2019-18224: Fixed a heap-based buffer overflow that was caused by long domain strings (bsc#1154887).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3087-1
Released: Thu Nov 28 10:03:00 2019
Summary: Security update for libxml2
Type: security
Severity: low
References: 1123919
This update for libxml2 doesn't fix any additional security issues, but correct its rpm changelog to reflect
all CVEs that have been fixed over the past.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3118-1
Released: Fri Nov 29 14:41:35 2019
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 1154295
This update for e2fsprogs fixes the following issues:
- Make minimum size estimates more reliable for mounted filesystem. (bsc#1154295)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3166-1
Released: Wed Dec 4 11:24:42 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1007715,1084934,1157278
This update for aaa_base fixes the following issues:
- Use official key binding functions in inputrc that is replace up-history with previous-history, down-history with next-history and backward-delete-word with backward-kill-word. (bsc#1084934)
- Add some missed key escape sequences for urxvt-unicode terminal as well. (bsc#1007715)
- Clear broken ghost entry in patch which breaks 'readline'. (bsc#1157278)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3181-1
Released: Thu Dec 5 11:43:07 2019
Summary: Security update for permissions
Type: security
Severity: moderate
References: 1093414,1150734,1157198,CVE-2019-3688,CVE-2019-3690
This update for permissions fixes the following issues:
- CVE-2019-3688: Changed wrong ownership in /usr/sbin/pinger to root:squid
which could have allowed a squid user to gain persistence by changing the
binary (bsc#1093414).
- CVE-2019-3690: Fixed a privilege escalation through untrusted symbolic
links (bsc#1150734).
- Fixed a regression which caused sagmentation fault (bsc#1157198).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3240-1
Released: Tue Dec 10 10:40:19 2019
Summary: Recommended update for ca-certificates-mozilla, p11-kit
Type: recommended
Severity: moderate
References: 1154871
This update for ca-certificates-mozilla, p11-kit fixes the following issues:
Changes in ca-certificates-mozilla:
- export correct p11kit trust attributes so Firefox detects built in
certificates (bsc#1154871).
Changes in p11-kit:
- support loading NSS attribute CKA_NSS_MOZILLA_CA_POLICY so Firefox
detects built in certificates (bsc#1154871)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3267-1
Released: Wed Dec 11 11:19:53 2019
Summary: Security update for libssh
Type: security
Severity: important
References: 1158095,CVE-2019-14889
This update for libssh fixes the following issues:
- CVE-2019-14889: Fixed an arbitrary command execution (bsc#1158095).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3343-1
Released: Thu Dec 19 11:05:27 2019
Summary: Recommended update for lvm2
Type: recommended
Severity: moderate
References: 1155668
This update for lvm2 fixes the following issues:
- Fix seeing a 90 Second delay during shutdown and reboot. (bsc#1155668)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3392-1
Released: Fri Dec 27 13:33:29 2019
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 1148987,1155338,1155339,CVE-2019-13627
This update for libgcrypt fixes the following issues:
Security issues fixed:
- CVE-2019-13627: Mitigation against an ECDSA timing attack (bsc#1148987).
Bug fixes:
- Added CMAC AES self test (bsc#1155339).
- Added CMAC TDES self test missing (bsc#1155338).
- Fix test dsa-rfc6979 in FIPS mode.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:10-1
Released: Thu Jan 2 12:35:06 2020
Summary: Recommended update for gcc7
Type: recommended
Severity: moderate
References: 1146475
This update for gcc7 fixes the following issues:
- Fix miscompilation with thread-safe localstatic initialization (gcc#85887).
- Fix debug info created for array definitions that complete an earlier declaration (bsc#1146475).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:69-1
Released: Fri Jan 10 12:33:59 2020
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1155346,1157775,1158101,1158809,CVE-2019-1551,SLE-8789
This update for openssl-1_1 fixes the following issues:
Security issue fixed:
- CVE-2019-1551: Fixed an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809).
Various FIPS related improvements were done:
- FIPS: Backport SSH KDF to openssl (jsc#SLE-8789, bsc#1157775).
- Port FIPS patches from SLE-12 (bsc#1158101).
- Use SHA-2 in the RSA pairwise consistency check (bsc#1155346).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:129-1
Released: Mon Jan 20 09:21:13 2020
Summary: Security update for libssh
Type: security
Severity: important
References: 1158095,CVE-2019-14889
This update for libssh fixes the following issues:
- CVE-2019-14889: Fixed an unwanted command execution in scp caused by unsanitized location (bsc#1158095).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:225-1
Released: Fri Jan 24 06:49:07 2020
Summary: Recommended update for procps
Type: recommended
Severity: moderate
References: 1158830
This update for procps fixes the following issues:
- Fix for 'ps -C' allowing to accept any arguments longer than 15 characters anymore. (bsc#1158830)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:256-1
Released: Wed Jan 29 09:39:17 2020
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1157794,1160970
This update for aaa_base fixes the following issues:
- Improves the way how the Java path is created to fix an issue with sapjvm. (bsc#1157794)
- Drop 'dev.cdrom.autoclose' = 0 from sysctl config. (bsc#1160970)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:262-1
Released: Thu Jan 30 11:02:42 2020
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1149332,1151582,1157292,1157893,1158996,CVE-2019-19126
This update for glibc fixes the following issues:
Security issue fixed:
- CVE-2019-19126: Fixed to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition (bsc#1157292).
Bug fixes:
- Fixed z15 (s390x) strstr implementation that can return incorrect results if search string cross page boundary (bsc#1157893).
- Fixed Hardware support in toolchain (bsc#1151582).
- Fixed syscalls during early process initialization (SLE-8348).
- Fixed an array overflow in backtrace for PowerPC (bsc#1158996).
- Moved to posix_spawn on popen (bsc#1149332).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:265-1
Released: Thu Jan 30 14:05:34 2020
Summary: Security update for e2fsprogs
Type: security
Severity: moderate
References: 1160571,CVE-2019-5188
This update for e2fsprogs fixes the following issues:
- CVE-2019-5188: Fixed a code execution vulnerability in the directory rehashing functionality (bsc#1160571).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:277-1
Released: Fri Jan 31 10:43:03 2020
Summary: Security update for bazel-platforms, bazel-rules-swift, bazel-toolchains, bazel2.0, cel-cpp, envoy-build-tools, moonjit, re2, sql-parser, udpa, zipkin-api
Type: security
Severity: moderate
References: CVE-2019-19391
This update for bazel-platforms, bazel-rules-swift, bazel-toolchains, bazel2.0, cel-cpp, envoy-build-tools, moonjit, re2, sql-parser, udpa, zipkin-api fixes the following issues:
Changes in bazel-platforms, bazel-rules-swift, bazel-toolchains, bazel2.0, cel-cpp, envoy-build-tools, moonjit, re2, udpa, zipkin-api:
These are build dependencies for cilium and envoy.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:279-1
Released: Fri Jan 31 12:01:39 2020
Summary: Recommended update for p11-kit
Type: recommended
Severity: moderate
References: 1013125
This update for p11-kit fixes the following issues:
- Also build documentation (bsc#1013125)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:335-1
Released: Thu Feb 6 11:37:24 2020
Summary: Security update for systemd
Type: security
Severity: important
References: 1084671,1092920,1106383,1133495,1151377,1154256,1155207,1155574,1156213,1156482,1158485,1159814,1161436,1162108,CVE-2019-20386,CVE-2020-1712
This update for systemd fixes the following issues:
- CVE-2020-1712 (bsc#bsc#1162108)
Fix a heap use-after-free vulnerability, when asynchronous
Polkit queries were performed while handling Dbus messages. A local
unprivileged attacker could have abused this flaw to crash systemd services or
potentially execute code and elevate their privileges, by sending specially
crafted Dbus messages.
- Use suse.pool.ntp.org server pool on SLE distros (jsc#SLE-7683)
- libblkid: open device in nonblock mode. (bsc#1084671)
- udev/cdrom_id: Do not open CD-rom in exclusive mode. (bsc#1154256)
- bus_open leak sd_event_source when udevadm trigger。 (bsc#1161436 CVE-2019-20386)
- fileio: introduce read_full_virtual_file() for reading virtual files in sysfs, procfs (bsc#1133495 bsc#1159814)
- fileio: initialize errno to zero before we do fread()
- fileio: try to read one byte too much in read_full_stream()
- logind: consider 'greeter' sessions suitable as 'display' sessions of a user (bsc#1158485)
- logind: never elect a session that is stopping as display
- journal: include kmsg lines from the systemd process which exec()d us (#8078)
- udevd: don't use monitor after manager_exit()
- udevd: capitalize log messages in on_sigchld()
- udevd: merge conditions to decrease indentation
- Revert 'udevd: fix crash when workers time out after exit is signal caught'
- core: fragments of masked units ought not be considered for NeedDaemonReload (#7060) (bsc#1156482)
- udevd: fix crash when workers time out after exit is signal caught
- udevd: wait for workers to finish when exiting (bsc#1106383)
- Improve bash completion support (bsc#1155207)
* shell-completion: systemctl: do not list template units in {re,}start
* shell-completion: systemctl: pass current word to all list_unit*
* bash-completion: systemctl: pass current partial unit to list-unit* (bsc#1155207)
* bash-completion: systemctl: use systemctl --no-pager
* bash-completion: also suggest template unit files
* bash-completion: systemctl: add missing options and verbs
* bash-completion: use the first argument instead of the global variable (#6457)
- networkd: VXLan Make group and remote variable separate (bsc#1156213)
- networkd: vxlan require Remote= to be a non multicast address (#8117) (bsc#1156213)
- fs-util: let's avoid unnecessary strerror()
- fs-util: introduce inotify_add_watch_and_warn() helper
- ask-password: improve log message when inotify limit is reached (bsc#1155574)
- shared/install: failing with -ELOOP can be due to the use of an alias in install_error() (bsc#1151377)
- man: alias names can't be used with enable command (bsc#1151377)
- Add boot option to not use swap at system start (jsc#SLE-7689)
- Allow YaST to select Iranian (Persian, Farsi) keyboard layout
(bsc#1092920)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:339-1
Released: Thu Feb 6 13:03:22 2020
Summary: Recommended update for openldap2
Type: recommended
Severity: low
References: 1158921
This update for openldap2 provides the following fix:
- Add libldap-data to the product (as it contains ldap.conf). (bsc#1158921)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:368-1
Released: Fri Feb 7 13:49:41 2020
Summary: Recommended update for lvm2
Type: recommended
Severity: moderate
References: 1150021
This update for lvm2 fixes the following issues:
- Fix for LVM in KVM: The scsi presistent reservation scenario can trigger and error during LVM actions. (bsc#1150021)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:395-1
Released: Tue Feb 18 14:16:48 2020
Summary: Recommended update for gcc7
Type: recommended
Severity: moderate
References: 1160086
This update for gcc7 fixes the following issue:
- Fixed a miscompilation in zSeries code (bsc#1160086)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:432-1
Released: Fri Feb 21 14:34:16 2020
Summary: Security update for libsolv, libzypp, zypper
Type: security
Severity: moderate
References: 1135114,1154804,1154805,1155198,1155205,1155298,1155678,1155819,1156158,1157377,1158763,CVE-2019-18900
This update for libsolv, libzypp, zypper fixes the following issues:
Security issue fixed:
- CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763).
Bug fixes
- Fixed removing orphaned packages dropped by to-be-installed products (bsc#1155819).
- Adds libzypp API to mark all obsolete kernels according to the existing purge-kernel script rules (bsc#1155198).
- Do not enforce 'en' being in RequestedLocales If the user decides to have a system without explicit language support he may do so (bsc#1155678).
- Load only target resolvables for zypper rm (bsc#1157377).
- Fix broken search by filelist (bsc#1135114).
- Replace python by a bash script in zypper-log (fixes#304, fixes#306, bsc#1156158).
- Do not sort out requested locales which are not available (bsc#1155678).
- Prevent listing duplicate matches in tables. XML result is provided within the new list-patches-byissue element (bsc#1154805).
- XML add patch issue-date and issue-list (bsc#1154805).
- Fix zypper lp --cve/bugzilla/issue options (bsc#1155298).
- Always execute commit when adding/removing locales (fixes bsc#1155205).
- Fix description of --table-style,-s in man page (bsc#1154804).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:451-1
Released: Tue Feb 25 10:50:35 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1155337,1161215,1161216,1161218,1161219,1161220
This update for libgcrypt fixes the following issues:
- ECDSA: Check range of coordinates (bsc#1161216)
- FIPS: libgcrypt DSA PQG parameter generation: Missing value [bsc#1161219]
- FIPS: libgcrypt DSA PQG verification incorrect results [bsc#1161215]
- FIPS: libgcrypt RSA siggen/keygen: 4k not supported [bsc#1161220]
- FIPS: keywrap gives incorrect results [bsc#1161218]
- FIPS: RSA/DSA/ECDSA are missing hashing operation [bsc#1155337]
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:453-1
Released: Tue Feb 25 10:51:53 2020
Summary: Recommended update for binutils
Type: recommended
Severity: moderate
References: 1160590
This update for binutils fixes the following issues:
- Recognize the official name of s390 arch13: 'z15'. (bsc#1160590, jsc#SLE-7903 aka jsc#SLE-7464)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:476-1
Released: Tue Feb 25 14:23:14 2020
Summary: Recommended update for perl
Type: recommended
Severity: moderate
References: 1102840,1160039
This update for perl fixes the following issues:
- Some packages make assumptions about the date and time they are built.
This update will solve the issues caused by calling the perl function timelocal
expressing the year with two digit only instead of four digits. (bsc#1102840) (bsc#1160039)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:480-1
Released: Tue Feb 25 17:38:22 2020
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1160735
This update for aaa_base fixes the following issues:
- Change 'rp_filter' to increase the default priority to ethernet over the wifi. (bsc#1160735)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:521-1
Released: Thu Feb 27 18:08:56 2020
Summary: Recommended update for c-ares
Type: recommended
Severity: moderate
References: 1125306,1159006
This update for c-ares fixes the following issues:
c-ares version update to 1.15.0:
* Add ares_init_options() configurability for path to resolv.conf file
* Ability to exclude building of tools (adig, ahost, acountry) in CMake
* Report ARES_ENOTFOUND for .onion domain names as per RFC7686
(bsc#1125306)
* Apply the IPv6 server blacklist to all nameserver sources
* Prevent changing name servers while queries are outstanding
* ares_set_servers_csv() on failure should not leave channel in a
bad state
* getaddrinfo - avoid infinite loop in case of NXDOMAIN
* ares_getenv - return NULL in all cases
* implement ares_getaddrinfo
- Fixed a regression in DNS results that contain both A and AAAA answers.
- Add netcfg as the build requirement and runtime requirement.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:525-1
Released: Fri Feb 28 11:49:36 2020
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1164562
This update for pam fixes the following issues:
- Add libdb as build-time dependency to enable pam_userdb module.
Enable pam_userdb.so (jsc#sle-7258, bsc#1164562)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:547-1
Released: Fri Feb 28 16:26:21 2020
Summary: Security update for permissions
Type: security
Severity: moderate
References: 1148788,1160594,1160764,1161779,1163922,CVE-2019-3687,CVE-2020-8013
This update for permissions fixes the following issues:
Security issues fixed:
- CVE-2019-3687: Fixed a privilege escalation which could allow a local user to read network traffic if wireshark is installed (bsc#1148788)
- CVE-2020-8013: Fixed an issue where chkstat set unintended setuid/capabilities for mrsh and wodim (bsc#1163922).
Non-security issues fixed:
- Fixed a regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594).
- Fixed capability handling when doing multiple permission changes at once (bsc#1161779).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:572-1
Released: Tue Mar 3 13:25:41 2020
Summary: Recommended update for cyrus-sasl
Type: recommended
Severity: moderate
References: 1162518
This update for cyrus-sasl fixes the following issues:
- Added support for retrieving negotiated SSF in gssapi plugin (bsc#1162518)
- Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF (bsc#1162518)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:573-1
Released: Tue Mar 3 13:37:28 2020
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1160160
This update for ca-certificates-mozilla to 2.40 fixes the following issues:
Updated to 2.40 state of the Mozilla NSS Certificate store (bsc#1160160):
Removed certificates:
- Certplus Class 2 Primary CA
- Deutsche Telekom Root CA 2
- CN=Swisscom Root CA 2
- UTN-USERFirst-Client Authentication and Email
added certificates:
- Entrust Root Certification Authority - G4
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:597-1
Released: Thu Mar 5 15:24:09 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1164950
This update for libgcrypt fixes the following issues:
- FIPS: Run the self-tests from the constructor [bsc#1164950]
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:633-1
Released: Tue Mar 10 16:23:08 2020
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1139939,1151023
This update for aaa_base fixes the following issues:
- get_kernel_version: fix for current kernel on s390x (bsc#1151023, bsc#1139939)
- added '-h'/'--help' to the command old
- change feedback url from http://www.suse.de/feedback to https://github.com/openSUSE/aaa_base/issues
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:668-1
Released: Fri Mar 13 10:48:58 2020
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1163184,1164505,1165784,CVE-2020-10029
This update for glibc fixes the following issues:
- CVE-2020-10029: Fixed a potential overflow in on-stack buffer
during range reduction (bsc#1165784).
- Fixed an issue where pthread were not always locked correctly (bsc#1164505).
- Document mprotect and introduce section on memory protection (bsc#1163184).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:689-1
Released: Fri Mar 13 17:09:01 2020
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1166510
This update for PAM fixes the following issue:
- The license of libdb linked against pam_userdb is not always wanted,
so we temporary disabled pam_userdb again. It will be published
in a different package at a later time. (bsc#1166510)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:697-1
Released: Mon Mar 16 13:17:10 2020
Summary: Security update for cni, cni-plugins, conmon, fuse-overlayfs, podman
Type: security
Severity: moderate
References: 1155217,1160460,1164390,CVE-2019-18466
This update for cni, cni-plugins, conmon, fuse-overlayfs, podman fixes the following issues:
podman was updated to 1.8.0:
- CVE-2019-18466: Fixed a bug where podman cp would improperly copy files on the
host when copying a symlink in the container that included a
glob operator (#3829 bsc#1155217)
- The name of the cni-bridge in the default config changed from
'cni0' to 'podman-cni0' with podman-1.6.0. Add a %trigger to
rename the bridge in the system to the new default if it exists.
The trigger is only excuted when updating podman-cni-config
from something older than 1.6.0. This is mainly needed for SLE
where we're updating from 1.4.4 to 1.8.0 (bsc#1160460).
Update podman to v1.8.0 (bsc#1160460):
* Features
- The podman system service command has been added, providing a
preview of Podman's new Docker-compatible API. This API is
still very new, and not yet ready for production use, but is
available for early testing
- Rootless Podman now uses Rootlesskit for port forwarding,
which should greatly improve performance and capabilities
- The podman untag command has been added to remove tags from
images without deleting them
- The podman inspect command on images now displays previous
names they used
- The podman generate systemd command now supports a --new
option to generate service files that create and run new
containers instead of managing existing containers
- Support for --log-opt tag= to set logging tags has been added
to the journald log driver
- Added support for using Seccomp profiles embedded in images
for podman run and podman create via the new --seccomp-policy
CLI flag
- The podman play kube command now honors pull policy
* Bugfixes
- Fixed a bug where the podman cp command would not copy the
contents of directories when paths ending in /. were given
- Fixed a bug where the podman play kube command did not
properly locate Seccomp profiles specified relative to
localhost
- Fixed a bug where the podman info command for remote Podman
did not show registry information
- Fixed a bug where the podman exec command did not support
having input piped into it
- Fixed a bug where the podman cp command with rootless Podman
on CGroups v2 systems did not properly determine if the
container could be paused while copying
- Fixed a bug where the podman container prune --force command
could possible remove running containers if they were started
while the command was running
- Fixed a bug where Podman, when run as root, would not
properly configure slirp4netns networking when requested
- Fixed a bug where podman run --userns=keep-id did not work
when the user had a UID over 65535
- Fixed a bug where rootless podman run and podman create with
the --userns=keep-id option could change permissions on
/run/user/$UID and break KDE
- Fixed a bug where rootless Podman could not be run in a
systemd service on systems using CGroups v2
- Fixed a bug where podman inspect would show CPUShares as 0,
instead of the default (1024), when it was not explicitly set
- Fixed a bug where podman-remote push would segfault
- Fixed a bug where image healthchecks were not shown in the
output of podman inspect
- Fixed a bug where named volumes created with containers from
pre-1.6.3 releases of Podman would be autoremoved with their
containers if the --rm flag was given, even if they were
given names
- Fixed a bug where podman history was not computing image
sizes correctly
- Fixed a bug where Podman would not error on invalid values to
the --sort flag to podman images
- Fixed a bug where providing a name for the image made by
podman commit was mandatory, not optional as it should be
- Fixed a bug where the remote Podman client would append an
extra ' to %PATH
- Fixed a bug where the podman build command would sometimes
ignore the -f option and build the wrong Containerfile
- Fixed a bug where the podman ps --filter command would only
filter running containers, instead of all containers, if
--all was not passed
- Fixed a bug where the podman load command on compressed
images would leave an extra copy on disk
- Fixed a bug where the podman restart command would not
properly clean up the network, causing it to function
differently from podman stop; podman start
- Fixed a bug where setting the --memory-swap flag to podman
create and podman run to -1 (to indicate unlimited) was not
supported
* Misc
- Initial work on version 2 of the Podman remote API has been
merged, but is still in an alpha state and not ready for use.
Read more here
- Many formatting corrections have been made to the manpages
- The changes to address (#5009) may cause anonymous volumes
created by Podman versions 1.6.3 to 1.7.0 to not be removed
when their container is removed
- Updated vendored Buildah to v1.13.1
- Updated vendored containers/storage to v1.15.8
- Updated vendored containers/image to v5.2.0
- Add apparmor-abstractions as required runtime dependency to
have `tunables/global` available.
- fixed the --force flag for the 'container prune' command.
(https://github.com/containers/libpod/issues/4844)
Update podman to v1.7.0
* Features
- Added support for setting a static MAC address for containers
- Added support for creating macvlan networks with podman
network create, allowing Podman containers to be attached
directly to networks the host is connected to
- The podman image prune and podman container prune commands
now support the --filter flag to filter what will be pruned,
and now prompts for confirmation when run without --force
(#4410 and #4411)
- Podman now creates CGroup namespaces by default on systems
using CGroups v2 (#4363)
- Added the podman system reset command to remove all Podman
files and perform a factory reset of the Podman installation
- Added the --history flag to podman images to display previous
names used by images (#4566)
- Added the --ignore flag to podman rm and podman stop to not
error when requested containers no longer exist
- Added the --cidfile flag to podman rm and podman stop to read
the IDs of containers to be removed or stopped from a file
- The podman play kube command now honors Seccomp annotations
(#3111)
- The podman play kube command now honors RunAsUser,
RunAsGroup, and selinuxOptions
- The output format of the podman version command has been
changed to better match docker version when using the
--format flag
- Rootless Podman will no longer initialize containers/storage
twice, removing a potential deadlock preventing Podman
commands from running while an image was being pulled (#4591)
- Added tmpcopyup and notmpcopyup options to the --tmpfs and
--mount type=tmpfs flags to podman create and podman run to
control whether the content of directories are copied into
tmpfs filesystems mounted over them
- Added support for disabling detaching from containers by
setting empty detach keys via --detach-keys=''
- The podman build command now supports the --pull and
--pull-never flags to control when images are pulled during a
build
- The podman ps -p command now shows the name of the pod as
well as its ID (#4703)
- The podman inspect command on containers will now display the
command used to create the container
- The podman info command now displays information on registry
mirrors (#4553)
* Bugfixes
- Fixed a bug where Podman would use an incorrect runtime
directory as root, causing state to be deleted after root
logged out and making Podman in systemd services not function
properly
- Fixed a bug where the --change flag to podman import and
podman commit was not being parsed properly in many cases
- Fixed a bug where detach keys specified in libpod.conf were
not used by the podman attach and podman exec commands, which
always used the global default ctrl-p,ctrl-q key combination
(#4556)
- Fixed a bug where rootless Podman was not able to run podman
pod stats even on CGroups v2 enabled systems (#4634)
- Fixed a bug where rootless Podman would fail on kernels
without the renameat2 syscall (#4570)
- Fixed a bug where containers with chained network namespace
dependencies (IE, container A using --net container=B and
container B using --net container=C) would not properly mount
/etc/hosts and /etc/resolv.conf into the container (#4626)
- Fixed a bug where podman run with the --rm flag and without
-d could, when run in the background, throw a 'container does
not exist' error when attempting to remove the container
after it exited
- Fixed a bug where named volume locks were not properly
reacquired after a reboot, potentially leading to deadlocks
when trying to start containers using the volume (#4605 and
#4621)
- Fixed a bug where Podman could not completely remove
containers if sent SIGKILL during removal, leaving the
container name unusable without the podman rm --storage
command to complete removal (#3906)
- Fixed a bug where checkpointing containers started with --rm
was allowed when --export was not specified (the container,
and checkpoint, would be removed after checkpointing was
complete by --rm) (#3774)
- Fixed a bug where the podman pod prune command would fail if
containers were present in the pods and the --force flag was
not passed (#4346)
- Fixed a bug where containers could not set a static IP or
static MAC address if they joined a non-default CNI network
(#4500)
- Fixed a bug where podman system renumber would always throw
an error if a container was mounted when it was run
- Fixed a bug where podman container restore would fail with
containers using a user namespace
- Fixed a bug where rootless Podman would attempt to use the
journald events backend even on systems without systemd
installed
- Fixed a bug where podman history would sometimes not properly
identify the IDs of layers in an image (#3359)
- Fixed a bug where containers could not be restarted when
Conmon v2.0.3 or later was used
- Fixed a bug where Podman did not check image OS and
Architecture against the host when starting a container
- Fixed a bug where containers in pods did not function
properly with the Kata OCI runtime (#4353)
- Fixed a bug where `podman info --format '{{ json . }}' would
not produce JSON output (#4391)
- Fixed a bug where Podman would not verify if files passed to
--authfile existed (#4328)
- Fixed a bug where podman images --digest would not always
print digests when they were available
- Fixed a bug where rootless podman run could hang due to a
race with reading and writing events
- Fixed a bug where rootless Podman would print warning-level
logs despite not be instructed to do so (#4456)
- Fixed a bug where podman pull would attempt to fetch from
remote registries when pulling an unqualified image using the
docker-daemon transport (#4434)
- Fixed a bug where podman cp would not work if STDIN was a
pipe
- Fixed a bug where podman exec could stop accepting input if
anything was typed between the command being run and the exec
session starting (#4397)
- Fixed a bug where podman logs --tail 0 would print all lines
of a container's logs, instead of no lines (#4396)
- Fixed a bug where the timeout for slirp4netns was incorrectly
set, resulting in an extremely long timeout (#4344)
- Fixed a bug where the podman stats command would print CPU
utilizations figures incorrectly (#4409)
- Fixed a bug where the podman inspect --size command would not
print the size of the container's read/write layer if the
size was 0 (#4744)
- Fixed a bug where the podman kill command was not properly
validating signals before use (#4746)
- Fixed a bug where the --quiet and --format flags to podman ps
could not be used at the same time
- Fixed a bug where the podman stop command was not stopping
exec sessions when a container was created without a PID
namespace (--pid=host)
- Fixed a bug where the podman pod rm --force command was not
removing anonymous volumes for containers that were removed
- Fixed a bug where the podman checkpoint command would not
export all changes to the root filesystem of the container if
performed more than once on the same container (#4606)
- Fixed a bug where containers started with --rm would not be
automatically removed on being stopped if an exec session was
running inside the container (#4666)
* Misc
- The fixes to runtime directory path as root can cause strange
behavior if an upgrade is performed while containers are
running
- Updated vendored Buildah to v1.12.0
- Updated vendored containers/storage library to v1.15.4
- Updated vendored containers/image library to v5.1.0
- Kata Containers runtimes (kata-runtime, kata-qemu, and
kata-fc) are now present in the default libpod.conf, but will
not be available unless Kata containers is installed on the
system
- Podman previously did not allow the creation of containers
with a memory limit lower than 4MB. This restriction has been
removed, as the crun runtime can create containers with
significantly less memory
Update podman to v1.6.4
- Remove winsz FIFO on container restart to allow use with Conmon 2.03 and higher
- Ensure volumes reacquire locks on system restart, preventing deadlocks when starting containers
- Suppress spurious log messages when running rootless Podman
- Update vendored containers/storage to v1.13.6
- Fix a deadlock related to writing events
- Do not use the journald event logger when it is not available
Update podman to v1.6.2
* Features
- Added a --runtime flag to podman system migrate to allow the
OCI runtime for all containers to be reset, to ease transition
to the crun runtime on CGroups V2 systems until runc gains full
support
- The podman rm command can now remove containers in broken
states which previously could not be removed
- The podman info command, when run without root, now shows
information on UID and GID mappings in the rootless user
namespace
- Added podman build --squash-all flag, which squashes all layers
(including those of the base image) into one layer
- The --systemd flag to podman run and podman create now accepts
a string argument and allows a new value, always, which forces
systemd support without checking if the the container
entrypoint is systemd
* Bugfixes
- Fixed a bug where the podman top command did not work on
systems using CGroups V2 (#4192)
- Fixed a bug where rootless Podman could double-close a file,
leading to a panic
- Fixed a bug where rootless Podman could fail to retrieve some
containers while refreshing the state
- Fixed a bug where podman start --attach --sig-proxy=false would
still proxy signals into the container
- Fixed a bug where Podman would unconditionally use a
non-default path for authentication credentials (auth.json),
breaking podman login integration with skopeo and other tools
using the containers/image library
- Fixed a bug where podman ps --format=json and podman images
--format=json would display null when no results were returned,
instead of valid JSON
- Fixed a bug where podman build --squash was incorrectly
squashing all layers into one, instead of only new layers
- Fixed a bug where rootless Podman would allow volumes with
options to be mounted (mounting volumes requires root),
creating an inconsistent state where volumes reported as
mounted but were not (#4248)
- Fixed a bug where volumes which failed to unmount could not be
removed (#4247)
- Fixed a bug where Podman incorrectly handled some errors
relating to unmounted or missing containers in
containers/storage
- Fixed a bug where podman stats was broken on systems running
CGroups V2 when run rootless (#4268)
- Fixed a bug where the podman start command would print the
short container ID, instead of the full ID
- Fixed a bug where containers created with an OCI runtime that
is no longer available (uninstalled or removed from the config
file) would not appear in podman ps and could not be removed
via podman rm
- Fixed a bug where containers restored via podman container
restore --import would retain the CGroup path of the original
container, even if their container ID changed; thus, multiple
containers created from the same checkpoint would all share the
same CGroup
* Misc
- The default PID limit for containers is now set to 4096. It can
be adjusted back to the old default (unlimited) by passing
--pids-limit 0 to podman create and podman run
- The podman start --attach command now automatically attaches
STDIN if the container was created with -i
- The podman network create command now validates network names
using the same regular expression as container and pod names
- The --systemd flag to podman run and podman create will now
only enable systemd mode when the binary being run inside the
container is /sbin/init, /usr/sbin/init, or ends in systemd
(previously detected any path ending in init or systemd)
- Updated vendored Buildah to 1.11.3
- Updated vendored containers/storage to 1.13.5
- Updated vendored containers/image to 4.0.1
Update podman to v1.6.1
* Features
- The podman network create, podman network rm, podman network
inspect, and podman network ls commands have been added to
manage CNI networks used by Podman
- The podman volume create command can now create and mount
volumes with options, allowing volumes backed by NFS, tmpfs,
and many other filesystems
- Podman can now run containers without CGroups for better
integration with systemd by using the --cgroups=disabled flag
with podman create and podman run. This is presently only
supported with the crun OCI runtime
- The podman volume rm and podman volume inspect commands can now
refer to volumes by an unambiguous partial name, in addition to
full name (e.g. podman volume rm myvol to remove a volume named
myvolume) (#3891)
- The podman run and podman create commands now support the
--pull flag to allow forced re-pulling of images (#3734)
- Mounting volumes into a container using --volume, --mount, and
--tmpfs now allows the suid, dev, and exec mount options (the
inverse of nosuid, nodev, noexec) (#3819)
- Mounting volumes into a container using --mount now allows the
relabel=Z and relabel=z options to relabel mounts.
- The podman push command now supports the --digestfile option to
save a file containing the pushed digest
- Pods can now have their hostname set via podman pod create
--hostname or providing Pod YAML with a hostname set to podman
play kube (#3732)
- The podman image sign command now supports the --cert-dir flag
- The podman run and podman create commands now support the
--security-opt label=filetype:$LABEL flag to set the SELinux
label for container files
- The remote Podman client now supports healthchecks
* Bugfixes
- Fixed a bug where remote podman pull would panic if a Varlink
connection was not available (#4013)
- Fixed a bug where podman exec would not properly set terminal
size when creating a new exec session (#3903)
- Fixed a bug where podman exec would not clean up socket
symlinks on the host (#3962)
- Fixed a bug where Podman could not run systemd in containers
that created a CGroup namespace
- Fixed a bug where podman prune -a would attempt to prune images
used by Buildah and CRI-O, causing errors (#3983)
- Fixed a bug where improper permissions on the ~/.config
directory could cause rootless Podman to use an incorrect
directory for storing some files
- Fixed a bug where the bash completions for podman import threw
errors
- Fixed a bug where Podman volumes created with podman volume
create would not copy the contents of their mountpoint the
first time they were mounted into a container (#3945)
- Fixed a bug where rootless Podman could not run podman exec
when the container was not run inside a CGroup owned by the
user (#3937)
- Fixed a bug where podman play kube would panic when given Pod
YAML without a securityContext (#3956)
- Fixed a bug where Podman would place files incorrectly when
storage.conf configuration items were set to the empty string
(#3952)
- Fixed a bug where podman build did not correctly inherit
Podman's CGroup configuration, causing crashed on CGroups V2
systems (#3938)
- Fixed a bug where remote podman run --rm would exit before the
container was completely removed, allowing race conditions when
removing container resources (#3870)
- Fixed a bug where rootless Podman would not properly handle
changes to /etc/subuid and /etc/subgid after a container was
launched
- Fixed a bug where rootless Podman could not include some
devices in a container using the --device flag (#3905)
- Fixed a bug where the commit Varlink API would segfault if
provided incorrect arguments (#3897)
- Fixed a bug where temporary files were not properly cleaned up
after a build using remote Podman (#3869)
- Fixed a bug where podman remote cp crashed instead of reporting
it was not yet supported (#3861)
- Fixed a bug where podman exec would run as the wrong user when
execing into a container was started from an image with
Dockerfile USER (or a user specified via podman run --user)
(#3838)
- Fixed a bug where images pulled using the oci: transport would
be improperly named
- Fixed a bug where podman varlink would hang when managed by
systemd due to SD_NOTIFY support conflicting with Varlink
(#3572)
- Fixed a bug where mounts to the same destination would
sometimes not trigger a conflict, causing a race as to which
was actually mounted
- Fixed a bug where podman exec --preserve-fds caused Podman to
hang (#4020)
- Fixed a bug where removing an unmounted container that was
unmounted might sometimes not properly clean up the container
(#4033)
- Fixed a bug where the Varlink server would freeze when run in a
systemd unit file (#4005)
- Fixed a bug where Podman would not properly set the $HOME
environment variable when the OCI runtime did not set it
- Fixed a bug where rootless Podman would incorrectly print
warning messages when an OCI runtime was not found (#4012)
- Fixed a bug where named volumes would conflict with, instead of
overriding, tmpfs filesystems added by the --read-only-tmpfs
flag to podman create and podman run
- Fixed a bug where podman cp would incorrectly make the target
directory when copying to a symlink which pointed to a
nonexistent directory (#3894)
- Fixed a bug where remote Podman would incorrectly read STDIN
when the -i flag was not set (#4095)
- Fixed a bug where podman play kube would create an empty pod
when given an unsupported YAML type (#4093)
- Fixed a bug where podman import --change improperly parsed CMD
(#4000)
- Fixed a bug where rootless Podman on systems using CGroups V2
would not function with the cgroupfs CGroups manager
- Fixed a bug where rootless Podman could not correctly identify
the DBus session address, causing containers to fail to start
(#4162)
- Fixed a bug where rootless Podman with slirp4netns networking
would fail to start containers due to mount leaks
* Misc
- Significant changes were made to Podman volumes in this
release. If you have pre-existing volumes, it is strongly
recommended to run podman system renumber after upgrading.
- Version 0.8.1 or greater of the CNI Plugins is now required for
Podman
- Version 2.0.1 or greater of Conmon is strongly recommended
- Updated vendored Buildah to v1.11.2
- Updated vendored containers/storage library to v1.13.4
- Improved error messages when trying to create a pod with no
name via podman play kube
- Improved error messages when trying to run podman pause or
podman stats on a rootless container on a system without
CGroups V2 enabled
- TMPDIR has been set to /var/tmp by default to better handle
large temporary files
- podman wait has been optimized to detect stopped containers
more rapidly
- Podman containers now include a ContainerManager annotation
indicating they were created by libpod
- The podman info command now includes information about
slirp4netns and fuse-overlayfs if they are available
- Podman no longer sets a default size of 65kb for tmpfs
filesystems
- The default Podman CNI network has been renamed in an attempt
to prevent conflicts with CRI-O when both are run on the same
system. This should only take effect on system restart
- The output of podman volume inspect has been more closely
matched to docker volume inspect
- Add katacontainers as a recommended package, and include it as an
additional OCI runtime in the configuration.
Update podman to v1.5.1
* Features
- The hostname of pods is now set to the pod's name
* Bugfixes
- Fixed a bug where podman run and podman create did not honor the --authfile
option (#3730)
- Fixed a bug where containers restored with podman container restore
--import would incorrectly duplicate the Conmon PID file of the original container
- Fixed a bug where podman build ignored the default OCI runtime configured
in libpod.conf
- Fixed a bug where podman run --rm (or force-removing any running container
with podman rm --force) were not retrieving the correct exit code (#3795)
- Fixed a bug where Podman would exit with an error if any configured hooks
directory was not present
- Fixed a bug where podman inspect and podman commit would not use the
correct CMD for containers run with podman play kube
- Fixed a bug created pods when using rootless Podman and CGroups V2 (#3801)
- Fixed a bug where the podman events command with the --since or --until
options could take a very long time to complete
* Misc
- Rootless Podman will now inherit OCI runtime configuration from the root
configuration (#3781)
- Podman now properly sets a user agent while contacting registries (#3788)
- Add zsh completion for podman commands
Update podman to v1.5.0
* Features
- Podman containers can now join the user namespaces of other
containers with --userns=container:$ID, or a user namespace at
an arbitary path with --userns=ns:$PATH
- Rootless Podman can experimentally squash all UIDs and GIDs in
an image to a single UID and GID (which does not require use of
the newuidmap and newgidmap executables) by passing
--storage-opt ignore_chown_errors
- The podman generate kube command now produces YAML for any bind
mounts the container has created (#2303)
- The podman container restore command now features a new flag,
--ignore-static-ip, that can be used with --import to import a
single container with a static IP multiple times on the same
host
- Added the ability for podman events to output JSON by
specifying --format=json
- If the OCI runtime or conmon binary cannot be found at the
paths specified in libpod.conf, Podman will now also search for
them in the calling user's path
- Added the ability to use podman import with URLs (#3609)
- The podman ps command now supports filtering names using
regular expressions (#3394)
- Rootless Podman containers with --privileged set will now mount
in all host devices that the user can access
- The podman create and podman run commands now support the
--env-host flag to forward all environment variables from the
host into the container
- Rootless Podman now supports healthchecks (#3523)
- The format of the HostConfig portion of the output of podman
inspect on containers has been improved and synced with Docker
- Podman containers now support CGroup namespaces, and can create
them by passing --cgroupns=private to podman run or podman
create
- The podman create and podman run commands now support the
--ulimit=host flag, which uses any ulimits currently set on the
host for the container
- The podman rm and podman rmi commands now use different exit
codes to indicate 'no such container' and 'container is
running' errors
- Support for CGroups V2 through the crun OCI runtime has been
greatly improved, allowing resource limits to be set for
rootless containers when the CGroups V2 hierarchy is in use
* Bugfixes
- Fixed a bug where a race condition could cause podman restart
to fail to start containers with ports
- Fixed a bug where containers restored from a checkpoint would
not properly report the time they were started at
- Fixed a bug where podman search would return at most 25
results, even when the maximum number of results was set higher
- Fixed a bug where podman play kube would not honor capabilities
set in imported YAML (#3689)
- Fixed a bug where podman run --env, when passed a single key
(to use the value from the host), would set the environment
variable in the container even if it was not set on the host
(#3648)
- Fixed a bug where podman commit --changes would not properly
set environment variables
- Fixed a bug where Podman could segfault while working with
images with no history
- Fixed a bug where podman volume rm could remove arbitrary
volumes if given an ambiguous name (#3635)
- Fixed a bug where podman exec invocations leaked memory by not
cleaning up files in tmpfs
- Fixed a bug where the --dns and --net=container flags to podman
run and podman create were not mutually exclusive (#3553)
- Fixed a bug where rootless Podman would be unable to run
containers when less than 5 UIDs were available
- Fixed a bug where containers in pods could not be removed
without removing the entire pod (#3556)
- Fixed a bug where Podman would not properly clean up all CGroup
controllers for created cgroups when using the cgroupfs CGroup
driver
- Fixed a bug where Podman containers did not properly clean up
files in tmpfs, resulting in a memory leak as containers
stopped
- Fixed a bug where healthchecks from images would not use
default settings for interval, retries, timeout, and start
period when they were not provided by the image (#3525)
- Fixed a bug where healthchecks using the HEALTHCHECK CMD format
where not properly supported (#3507)
- Fixed a bug where volume mounts using relative source paths
would not be properly resolved (#3504)
- Fixed a bug where podman run did not use authorization
credentials when a custom path was specified (#3524)
- Fixed a bug where containers checkpointed with podman container
checkpoint did not properly set their finished time
- Fixed a bug where running podman inspect on any container not
created with podman run or podman create (for example, pod
infra containers) would result in a segfault (#3500)
- Fixed a bug where healthcheck flags for podman create and
podman run were incorrectly named (#3455)
- Fixed a bug where Podman commands would fail to find targets if
a partial ID was specified that was ambiguous between a
container and pod (#3487)
- Fixed a bug where restored containers would not have the
correct SELinux label
- Fixed a bug where Varlink endpoints were not working properly
if more was not correctly specified
- Fixed a bug where the Varlink PullImage endpoint would crash if
an error occurred (#3715)
- Fixed a bug where the --mount flag to podman create and podman
run did not allow boolean arguments for its ro and rw options
(#2980)
- Fixed a bug where pods did not properly share the UTS
namespace, resulting in incorrect behavior from some utilities
which rely on hostname (#3547)
- Fixed a bug where Podman would unconditionally append
ENTRYPOINT to CMD during podman commit (and when reporting CMD
in podman inspect) (#3708)
- Fixed a bug where podman events with the journald events
backend would incorrectly print 6 previous events when only new
events were requested (#3616)
- Fixed a bug where podman port would exit prematurely when a
port number was specified (#3747)
- Fixed a bug where passing . as an argument to the --dns-search
flag to podman create and podman run was not properly clearing
DNS search domains in the container
* Misc
- Updated vendored Buildah to v1.10.1
- Updated vendored containers/image to v3.0.2
- Updated vendored containers/storage to v1.13.1
- Podman now requires conmon v2.0.0 or higher
- The podman info command now displays the events logger being in
use
- The podman inspect command on containers now includes the ID of
the pod a container has joined and the PID of the container's
conmon process
- The -v short flag for podman --version has been re-added
- Error messages from podman pull should be significantly clearer
- The podman exec command is now available in the remote client
- The podman-v1.5.0.tar.gz file attached is podman packaged for
MacOS. It can be installed using Homebrew.
- Update libpod.conf to support latest path discovery feature for
`runc` and `conmon` binaries.
conmon was included in version 2.0.10. (bsc#1160460, bsc#1164390, jsc#ECO-1048, jsc#SLE-11485, jsc#SLE-11331):
fuse-overlayfs was updated to v0.7.6 (bsc#1160460)
- do not look in lower layers for the ino if there is no origin
xattr set
- attempt to use the file path if the operation on the fd fails
with ENXIO
- do not expose internal xattrs through listxattr and getxattr
- fix fallocate for deleted files.
- ignore O_DIRECT. It causes issues with libfuse not using an
aligned buffer, causing write(2) to fail with EINVAL.
- on copyup, do not copy the opaque xattr.
- fix a wrong lookup for whiteout files, that could happen on a
double unlink.
- fix possible segmentation fault in direct_fsync()
- use the data store to create missing whiteouts
- after a rename, force a directory reload
- introduce inodes cache
- correctly read inode for unix sockets
- avoid hash map lookup when possible
- use st_dev for the ino key
- check whether writeback is supported
- set_attrs: don't require write to S_IFREG
- ioctl: do not reuse fi->fh for directories
- fix skip whiteout deletion optimization
- store the new mode after chmod
- support fuse writeback cache and enable it by default
- add option to disable fsync
- add option to disable xattrs
- add option to skip ino number check in lower layers
- fix fd validity check
- fix memory leak
- fix read after free
- fix type for flistxattr return
- fix warnings reported by lgtm.com
- enable parallel dirops
cni was updated to 0.7.1:
- Set correct CNI version for 99-loopback.conf
Update to version 0.7.1 (bsc#1160460):
* Library changes:
+ invoke : ensure custom envs of CNIArgs are prepended to process envs
+ add GetNetworkListCachedResult to CNI interface
+ delegate : allow delegation funcs override CNI_COMMAND env automatically in heritance
* Documentation & Convention changes:
+ Update cnitool documentation for spec v0.4.0
+ Add cni-route-override to CNI plugin list
Update to version 0.7.0:
* Spec changes:
+ Use more RFC2119 style language in specification (must, should...)
+ add notes about ADD/DEL ordering
+ Make the container ID required and unique.
+ remove the version parameter from ADD and DEL commands.
+ Network interface name matters
+ be explicit about optional and required structure members
+ add CHECK method
+ Add a well-known error for 'try again'
+ SPEC.md: clarify meaning of 'routes'
* Library changes:
+ pkg/types: Makes IPAM concrete type
+ libcni: return error if Type is empty
+ skel: VERSION shouldn't block on stdin
+ non-pointer instances of types.Route now correctly marshal to JSON
+ libcni: add ValidateNetwork and ValidateNetworkList functions
+ pkg/skel: return error if JSON config has no network name
+ skel: add support for plugin version string
+ libcni: make exec handling an interface for better downstream testing
+ libcni: api now takes a Context to allow operations to be timed out or cancelled
+ types/version: add helper to parse PrevResult
+ skel: only print about message, not errors
+ skel,invoke,libcni: implementation of CHECK method
+ cnitool: Honor interface name supplied via CNI_IFNAME environment variable.
+ cnitool: validate correct number of args
+ Don't copy gw from IP4.Gateway to Route.GW When converting from 0.2.0
+ add PrintTo method to Result interface
+ Return a better error when the plugin returns none
- Install sleep binary into CNI plugin directory
cni-plugins was updated to 0.8.4:
Update to version 0.8.4 (bsc#1160460):
* add support for mips64le
* Add missing cniVersion in README example
* bump go-iptables module to v0.4.5
* iptables: add idempotent functions
* portmap doesn't fail if chain doesn't exist
* fix portmap port forward flakiness
* Add Bruce Ma and Piotr Skarmuk as owners
Update to version 0.8.3:
* Enhancements:
* static: prioritize the input sources for IPs (#400).
* tuning: send gratuitous ARP in case of MAC address update (#403).
* bandwidth: use uint64 for Bandwidth value (#389).
* ptp: only override DNS conf if DNS settings provided (#388).
* loopback: When prevResults are not supplied to loopback plugin, create results to return (#383).
* loopback support CNI CHECK and result cache (#374).
* Better input validation:
* vlan: add MTU validation to loadNetConf (#405).
* macvlan: add MTU validation to loadNetConf (#404).
* bridge: check vlan id when loading net conf (#394).
* Bugfixes:
* bugfix: defer after err check, or it may panic (#391).
* portmap: Fix dual-stack support (#379).
* firewall: don't return error in DEL if prevResult is not found (#390).
* bump up libcni back to v0.7.1 (#377).
* Docs:
* contributing doc: revise test script name to run (#396).
* contributing doc: describe cnitool installation (#397).
Update plugins to v0.8.2
+ New features:
* Support 'args' in static and tuning
* Add Loopback DSR support, allow l2tunnel networks
to be used with the l2bridge plugin
* host-local: return error if same ADD request is seen twice
* bandwidth: fix collisions
* Support ips capability in static and mac capability in tuning
* pkg/veth: Make host-side veth name configurable
+ Bug fixes:
* Fix: failed to set bridge addr: could not add IP address to 'cni0': file exists
* host-device: revert name setting to make retries idempotent (#357).
* Vendor update go-iptables. Vendor update go-iptables to
obtain commit f1d0510cabcb710d5c5dd284096f81444b9d8d10
* Update go.mod & go.sub
* Remove link Down/Up in MAC address change to prevent route flush (#364).
* pkg/ip unit test: be agnostic of Linux version, on Linux 4.4 the syscall
error message is 'invalid argument' not 'file exists'
* bump containernetworking/cni to v0.7.1
Updated plugins to v0.8.1:
+ Bugs:
* bridge: fix ipMasq setup to use correct source address
* fix compilation error on 386
* bandwidth: get bandwidth interface in host ns through
container interface
+ Improvements:
* host-device: add pciBusID property
Updated plugins to v0.8.0:
+ New plugins:
* bandwidth - limit incoming and outgoing bandwidth
* firewall - add containers to firewall rules
* sbr - convert container routes to source-based routes
* static - assign a fixed IP address
* win-bridge, win-overlay: Windows plugins
+ Plugin features / changelog:
* CHECK Support
* macvlan:
- Allow to configure empty ipam for macvlan
- Make master config optional
* bridge:
- Add vlan tag to the bridge cni plugin
- Allow the user to assign VLAN tag
- L2 bridge Implementation.
* dhcp:
- Include Subnet Mask option parameter in DHCPREQUEST
- Add systemd unit file to activate socket with systemd
- Add container ifName to the dhcp clientID, making the
clientID value
* flannel:
- Pass through runtimeConfig to delegate
* host-local:
- host-local: add ifname to file tracking IP address used
* host-device:
- Support the IPAM in the host-device
- Handle empty netns in DEL for loopback and host-device
* tuning:
- adds 'ip link' command related feature into tuning
+ Bug fixes & minor changes
* Correctly DEL on ipam failure for all plugins
* Fix bug on ip revert if cmdAdd fails on macvlan and host-device
* host-device: Ensure device is down before rename
* Fix -hostprefix option
* some DHCP servers expect to request for explicit router options
* bridge: release IP in case of error
* change source of ipmasq rule from ipn to ip
from version v0.7.5:
+ This release takes a minor change to the portmap plugin:
* Portmap: append, rather than prepend, entry rules
+ This fixes a potential issue where firewall rules may
be bypassed by port mapping
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:475-1
Released: Thu Mar 19 11:00:46 2020
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1160595
This update for systemd fixes the following issues:
- Remove TasksMax limit for both user and system slices (jsc#SLE-10123)
- Backport IP filtering feature (jsc#SLE-7743 bsc#1160595)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:726-1
Released: Thu Mar 19 13:23:03 2020
Summary: Security update for nghttp2
Type: security
Severity: moderate
References: 1125689,1146182,1146184,1159003,1166481,CVE-2019-18802,CVE-2019-9511,CVE-2019-9513
This update for nghttp2 fixes the following issues:
Security issues fixed:
- CVE-2019-9513: Fixed HTTP/2 implementation that is vulnerable to resource loops, potentially leading to a denial of service (bsc#1146184).
- CVE-2019-9511: Fixed HTTP/2 implementations that are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service (bsc#11461).
- CVE-2019-18802: Fixed malformed request header may cause bypass of route matchers resulting in escalation of privileges or information disclosure (bsc#1159003)
Bug fixes and enhancements:
- Fixed mistake in spec file (bsc#1125689)
Update to version 1.40.0 to fix CVE-2019-18802 in envoy-proxy and
cilium-proxy (bsc#1166481)
* lib: Add nghttp2_check_authority as public API
* lib: Fix the bug that stream is closed with wrong error code
* lib: Faster huffman encoding and decoding
* build: Avoid filename collision of static and dynamic lib
* build: Add new flag ENABLE_STATIC_CRT for Windows
* build: cmake: Support building nghttpx with systemd
* third-party: Update neverbleed to fix memory leak
* nghttpx: Fix bug that mruby is incorrectly shared between
backends
* nghttpx: Reconnect h1 backend if it lost connection before
sending headers
* nghttpx: Returns 408 if backend timed out before sending
headers
* nghttpx: Fix request stal
- Conditionally remove dependecy on jemalloc for SLE-12
- Require correct library from devel package - boo#1125689
Update to version 1.39.2 (bsc#1146184, bsc#1146182):
* This release fixes CVE-2019-9511 “Data Dribble†and CVE-2019-9513
“Resource Loop†vulnerability in nghttpx and nghttpd. Specially crafted HTTP/2
frames cause Denial of Service by consuming CPU time. Check out
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
for details. For nghttpx, additionally limiting inbound traffic by
--read-rate and --read-burst options is quite effective against
this kind of attack.
* Add nghttp2_option_set_max_outbound_ack API function
* nghttpx: Fix request stall
Update to version 1.39.1:
* This release fixes the bug that log-level is not set with
cmd-line or configuration file. It also fixes FPE with default
backend.
Changes for version 1.39.0:
* libnghttp2 now ignores content-length in 200 response to
CONNECT request as per RFC 7230.
* mruby has been upgraded to 2.0.1.
* libnghttp2-asio now supports boost-1.70.
* http-parser has been replaced with llhttp.
* nghttpx now ignores Content-Length and Transfer-Encoding in 1xx
or 200 to CONNECT.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:729-1
Released: Thu Mar 19 14:44:22 2020
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1166106
This update for glibc fixes the following issues:
- Allow dlopen of filter object to work (bsc#1166106, BZ #16272)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:793-1
Released: Wed Mar 25 15:16:00 2020
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1139459,1161262,1162108,1164717,1165579,CVE-2020-1712
This update for systemd fixes the following issues:
- manager: fix job mode when signalled to shutdown etc (bsc#1161262)
- remove fallback for user/exit.target
- dbus method Manager.Exit() does not start exit.target
- do not install rescue.target for alt-↑
- %j/%J unit specifiers
Added support for I/O scheduler selection with blk-mq (bsc#1165579, bsc#1164717).
Added the udev 60-ssd-scheduler.rules:
- This rules file which select the default IO scheduler for SSDs is
being moved out from the git repo since this is not related to
systemd or udev at all and is maintained by the kernel team.
- core: coldplug possible nop_job (bsc#1139459)
- Revert 'udev: use 'deadline' IO scheduler for SSD disks'
- Fix typo in function name
- polkit: when authorizing via PK let's re-resolve callback/userdata instead of caching it (bsc#1162108 CVE-2020-1712)
- sd-bus: introduce API for re-enqueuing incoming messages
- polkit: on async pk requests, re-validate action/details
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:814-1
Released: Mon Mar 30 16:23:42 2020
Summary: Recommended update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1
Type: recommended
Severity: moderate
References: 1161816,1162152,1167223
This update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1 fixes the following issues:
libreoffice was updated to 6.4.2.2 (jsc#SLE-11174 jsc#SLE-11175 jsc#SLE-11176 bsc#1167223):
Full Release Notes can be found on:
https://wiki.documentfoundation.org/ReleaseNotes/6.4
- Fixed broken handling of non-ASCII characters in the KDE filedialog
(bsc#1161816)
- Move the animation library to core package bsc#1162152
xmlsec1 was updated to 1.2.28:
* Added BoringSSL support (chenbd).
* Added gnutls-3.6.x support (alonbl).
* Added DSA and ECDSA key size getter for MSCNG (vmiklos).
* Added --enable-mans configuration option (alonbl).
* Added coninuous build integration for MacOSX (vmiklos).
* Several other small fixes (more details).
- Make sure to recommend at least one backend when you install
just xmlsec1
- Drop the gnutls backend as based on the tests it is quite borked:
* We still have nss and openssl backend for people to use
Version update to 1.2.27:
* Added AES-GCM support for OpenSSL and MSCNG (snargit).
* Added DSA-SHA256 and ECDSA-SHA384 support for NSS (vmiklos).
* Added RSA-OAEP support for MSCNG (vmiklos).
* Continuous build integration in Travis and Appveyor.
* Several other small fixes (more details).
myspell-dictionaries was updated to 20191219:
* Updated the English dictionaries: GB+US+CA+AU
* Bring shipped Spanish dictionary up to version 2.5
boost was updated to fix:
- add a backport of Boost.Optional::has_value() for LibreOffice
The QR-Code-generator is shipped:
- Initial commit, needed by libreoffice 6.4
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:820-1
Released: Tue Mar 31 13:02:22 2020
Summary: Security update for glibc
Type: security
Severity: important
References: 1167631,CVE-2020-1752
This update for glibc fixes the following issues:
- CVE-2020-1752: Fixed a use after free in glob which could have allowed
a local attacker to create a specially crafted path that, when processed
by the glob function, could potentially have led to arbitrary code execution
(bsc#1167631).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:834-1
Released: Tue Mar 31 17:21:34 2020
Summary: Recommended update for permissions
Type: recommended
Severity: moderate
References: 1167163
This update for permissions fixes the following issue:
- whitelist s390-tools set group ID (setgid) bit on log directory. (bsc#1167163)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:846-1
Released: Thu Apr 2 07:24:07 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1164950,1166748,1167674
This update for libgcrypt fixes the following issues:
- FIPS: Remove an unneeded check in _gcry_global_constructor (bsc#1164950)
- FIPS: Fix drbg to be threadsafe (bsc#1167674)
- FIPS: Run self-tests from constructor during power-on [bsc#1166748]
* Set up global_init as the constructor function:
* Relax the entropy requirements on selftest. This is especially
important for virtual machines to boot properly before the RNG
is available:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:917-1
Released: Fri Apr 3 15:02:25 2020
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1166510
This update for pam fixes the following issues:
- Moved pam_userdb into a separate package pam-extra. (bsc#1166510)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:948-1
Released: Wed Apr 8 07:44:21 2020
Summary: Security update for gmp, gnutls, libnettle
Type: security
Severity: moderate
References: 1152692,1155327,1166881,1168345,CVE-2020-11501
This update for gmp, gnutls, libnettle fixes the following issues:
Security issue fixed:
- CVE-2020-11501: Fixed zero random value in DTLS client hello (bsc#1168345)
FIPS related bugfixes:
- FIPS: Install checksums for binary integrity verification which are
required when running in FIPS mode (bsc#1152692, jsc#SLE-9518)
- FIPS: Fixed a cfb8 decryption issue, no longer truncate output IV if
input is shorter than block size. (bsc#1166881)
- FIPS: Added Diffie Hellman public key verification test. (bsc#1155327)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:961-1
Released: Wed Apr 8 13:34:06 2020
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 1160979
This update for e2fsprogs fixes the following issues:
- e2fsck: clarify overflow link count error message (bsc#1160979)
- ext2fs: update allocation info earlier in ext2fs_mkdir() (bsc#1160979)
- ext2fs: implement dir entry creation in htree directories (bsc#1160979)
- tests: add test to excercise indexed directories with metadata_csum (bsc#1160979)
- tune2fs: update dir checksums when clearing dir_index feature (bsc#1160979)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:967-1
Released: Thu Apr 9 11:41:53 2020
Summary: Security update for libssh
Type: security
Severity: moderate
References: 1168699,CVE-2020-1730
This update for libssh fixes the following issues:
- CVE-2020-1730: Fixed a possible denial of service when using AES-CTR (bsc#1168699).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:969-1
Released: Thu Apr 9 11:43:17 2020
Summary: Security update for permissions
Type: security
Severity: moderate
References: 1168364
This update for permissions fixes the following issues:
- Fixed spelling of icinga group (bsc#1168364)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:981-1
Released: Mon Apr 13 15:43:44 2020
Summary: Recommended update for rpm
Type: recommended
Severity: moderate
References: 1156300
This update for rpm fixes the following issues:
- Fix for language package macros to avoid wrong requirement on shared library. (bsc#1156300)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1026-1
Released: Fri Apr 17 16:14:43 2020
Summary: Recommended update for libsolv
Type: recommended
Severity: moderate
References: 1159314
This update for libsolv fixes the following issues:
libsolv was updated to version 0.7.11:
- fix solv_zchunk decoding error if large chunks are used (bsc#1159314)
- treat retracted pathes as irrelevant
- made add_update_target work with multiversion installs
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1047-1
Released: Tue Apr 21 10:33:06 2020
Summary: Recommended update for gnutls
Type: recommended
Severity: moderate
References: 1168835
This update for gnutls fixes the following issues:
- Backport AES XTS support (bsc#1168835)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1063-1
Released: Wed Apr 22 10:46:50 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1165539,1169569
This update for libgcrypt fixes the following issues:
This update for libgcrypt fixes the following issues:
- FIPS: Switch the PCT to use the new signature operation (bsc#1165539)
- FIPS: Verify that the generated signature and the original input differ in test_keys function for RSA, DSA and ECC (bsc#1165539)
- Add zero-padding when qx and qy have different lengths when assembling the Q point from affine coordinates.
- Ship the FIPS checksum file in the shared library package and create a separate trigger file for the FIPS selftests (bsc#1169569)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1108-1
Released: Fri Apr 24 16:31:01 2020
Summary: Recommended update for gnutls
Type: recommended
Severity: moderate
References: 1169992
This update for gnutls fixes the following issues:
- FIPS: Do not check for /etc/system-fips which we don't have (bsc#1169992)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1175-1
Released: Tue May 5 08:33:43 2020
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1165011,1168076
This update for systemd fixes the following issues:
- Fix check for address to keep interface names stable. (bsc#1168076)
- Fix for checking non-normalized WHAT for network FS. (bsc#1165011)
- Allow to specify an arbitrary string for when vfs is used. (bsc#1165011)
-----------------------------------------------------------------
Advisory ID: SUSE-feature-2020:1196-1
Released: Wed May 6 13:35:05 2020
Summary: Update to kubernetes 1.17, podman, cri-o and docs
Type: feature
Severity: moderate
References: 1121353,1152334,1157337,1159108,1160460,1162093,1164390,1170173
= Required Actions
== Kubernetes 1.17
In order to update to kubernetes 1.17, follow the instructions in the admin guide https://documentation.suse.com/suse-caasp/4.2/html/caasp-admin/_cluster_updates.html#_updating_kubernetes_components .
Make sure you look at the Release Notes https://www.suse.com/releasenotes/x86_64/SUSE-CAASP/4/#_changes_in_4_3_0 for any known bug.
== conmon and cri-o
Conmon and cri-o will be updated by `skuba-update`. No action is required from your side. For more info see https://documentation.suse.com/suse-caasp/4.2/html/caasp-admin/_cluster_updates.html#_base_os_updates
== skuba
In order to update skuba, you need to update the admin workstation. See detailed instructions at https://documentation.suse.com/suse-caasp/4.1/html/caasp-admin/_cluster_updates.html#_update_management_workstation
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1214-1
Released: Thu May 7 11:20:34 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1169944
This update for libgcrypt fixes the following issues:
- FIPS: libgcrypt: Fixed a double free in test_keys() on failed signature verification (bsc#1169944)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1219-1
Released: Thu May 7 17:10:42 2020
Summary: Security update for openldap2
Type: security
Severity: important
References: 1170771,CVE-2020-12243
This update for openldap2 fixes the following issues:
- CVE-2020-12243: Fixed a denial of service related to recursive filters (bsc#1170771).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1226-1
Released: Fri May 8 10:51:05 2020
Summary: Recommended update for gcc9
Type: recommended
Severity: moderate
References: 1149995,1152590,1167898
This update for gcc9 fixes the following issues:
This update ships the GCC 9.3 release.
- Includes a fix for Internal compiler error when building HepMC (bsc#1167898)
- Includes fix for binutils version parsing
- Add libstdc++6-pp provides and conflicts to avoid file conflicts
with same minor version of libstdc++6-pp from gcc10.
- Add gcc9 autodetect -g at lto link (bsc#1149995)
- Install go tool buildid for bootstrapping go
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1271-1
Released: Wed May 13 13:17:59 2020
Summary: Recommended update for permissions
Type: recommended
Severity: important
References: 1171173
This update for permissions fixes the following issues:
- Remove setuid bit for newgidmap and newuidmap in paranoid profile. (bsc#1171173)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1290-1
Released: Fri May 15 16:39:59 2020
Summary: Recommended update for gnutls
Type: recommended
Severity: moderate
References: 1171422
This update for gnutls fixes the following issues:
- Add RSA 4096 key generation support in FIPS mode (bsc#1171422)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1294-1
Released: Mon May 18 07:38:36 2020
Summary: Security update for file
Type: security
Severity: moderate
References: 1154661,1169512,CVE-2019-18218
This update for file fixes the following issues:
Security issues fixed:
- CVE-2019-18218: Fixed a heap-based buffer overflow in cdf_read_property_info() (bsc#1154661).
Non-security issue fixed:
- Fixed broken '--help' output (bsc#1169512).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1299-1
Released: Mon May 18 07:43:21 2020
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1159928,1161517,1161521,CVE-2019-19956,CVE-2019-20388,CVE-2020-7595
This update for libxml2 fixes the following issues:
- CVE-2019-20388: Fixed a memory leak in xmlSchemaPreRun (bsc#1161521).
- CVE-2019-19956: Fixed a memory leak (bsc#1159928).
- CVE-2020-7595: Fixed an infinite loop in an EOF situation (bsc#1161517).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1328-1
Released: Mon May 18 17:16:04 2020
Summary: Recommended update for grep
Type: recommended
Severity: moderate
References: 1155271
This update for grep fixes the following issues:
- Update testsuite expectations, no functional changes (bsc#1155271)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1361-1
Released: Thu May 21 09:31:18 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1171872
This update for libgcrypt fixes the following issues:
- FIPS: RSA/DSA/ECC test_keys() print out debug messages only in debug mode (bsc#1171872)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1370-1
Released: Thu May 21 19:06:00 2020
Summary: Recommended update for systemd-presets-branding-SLE
Type: recommended
Severity: moderate
References: 1171656
This update for systemd-presets-branding-SLE fixes the following issues:
Cleanup of outdated autostart services (bsc#1171656):
- Remove acpid.service. acpid is only available on SLE via openSUSE
backports. In openSUSE acpid.service is *not* autostarted. I see no
reason why it should be on SLE.
- Remove spamassassin.timer. This timer never seems to have existed.
Instead spamassassin ships a 'sa-update.timer'. But it is not
default-enabled and nobody ever complained about this.
- Remove snapd.apparmor.service: This service was proactively added a year
ago, but snapd didn't even make it into openSUSE yet. There's no reason
to keep this entry unless snapd actually enters SLE which is not
foreseeable.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1400-1
Released: Mon May 25 14:09:02 2020
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1162930
This update for glibc fixes the following issues:
- nptl: wait for pending setxid request also in detached thread. (bsc#1162930)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1404-1
Released: Mon May 25 15:32:34 2020
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1138793,1166260
This update for zlib fixes the following issues:
- Including the latest fixes from IBM (bsc#1166260)
IBM Z mainframes starting from version z15 provide DFLTCC instruction, which implements
deflate algorithm in hardware with estimated compression and decompression performance
orders of magnitude faster than the current zlib and ratio comparable with that of level 1.
- Add SUSE specific fix to solve bsc#1138793.
The fix will avoid to test if the app was linked with exactly same version of zlib
like the one that is present on the runtime.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1506-1
Released: Fri May 29 17:22:11 2020
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1087982,1170527
This update for aaa_base fixes the following issues:
- Not all XTerm based emulators do have a terminfo entry. (bsc#1087982)
- Better support of Midnight Commander. (bsc#1170527)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1532-1
Released: Thu Jun 4 10:16:12 2020
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1172021,CVE-2019-19956
This update for libxml2 fixes the following issues:
- CVE-2019-19956: Reverted the upstream fix for this memory leak because it introduced other, more severe vulnerabilities (bsc#1172021).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1560-1
Released: Mon Jun 8 12:08:28 2020
Summary: Recommended update for llvm7
Type: recommended
Severity: low
References: 1171512
This update for llvm7 fixes the following issues:
-Fix for build failures when using 'llvm7' on i586. (bsc#1171512)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1562-1
Released: Mon Jun 8 12:39:15 2020
Summary: Recommended update for lvm2
Type: recommended
Severity: moderate
References: 1145231,1150021,1158358,1163526,1164126,1164718
This update for lvm2 fixes the following issues:
- Fix heap memory leak in lvmetad. (bsc#1164126)
- lvmetad uses devices/global_filter but not devices/filter after lvm2 update. (bsc#1163526)
This config item global_filter_compat is a SUSE special.
The default value is 1, which means the devices/global_filter behaviour is same as before.
When the value is 0, user should use global_filter to control system-wide software,
e.g. udev and lvmetad global_filter_compat are not opened by LVM.
- Avoid creation of mixed-blocksize 'PV' on 'LVM' volume groups (LVM2). (bsc#1149408)
- Fix for LVM metadata when an error occurs writing device. (bsc#1150021)
- Fix for boot when it takes extremely long time with 400 LUN's. (bsc#1158358)
- Fix for LVM metadata to avoid faulty LVM detection. (bsc#1145231)
- Enhance block cache code to fix issues with 'lvmtad' and 'lvmcache'. (bsc#1164718)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1573-1
Released: Tue Jun 9 12:07:53 2020
Summary: Add features for Metrics Server, Cert Status Checker, VSphere VCP, and Cilium Envoy
Type: security
Severity: moderate
References: 1041090,1047218,1048688,1086909,1094448,1095603,1102920,1121353,1129568,1138908,1144068,1151876,1156450,1159002,1159003,1159004,1159539,1162651,1167073,1169506,CVE-2019-18801,CVE-2019-18802,CVE-2019-18836,CVE-2019-18838
Metrics Server
* Support monitoring of *CPU* and *memory* of a pod or node.
Cert Status Checker
* Exposes cluster-wide certificates status and use monitoring stack (Prometheus and Grafana) to receives alerts
by Prometheus Alertmanager and monitors certificate status by Grafana dashboard.
VSphere VCP
* Allow Kubernetes pods to use VMWare vSphere Virtual Machine Disk (VMDK) volumes as persistent storage.
Cilium Envoy
* Updated Cilium from version 1.5.3 to version 1.6.6
* Provide Envoy-proxy support for Cilium
* Envoy and its dependencies packaged for version 1.12.2
* Cilium uses CRD and ConfigMap points on etcd are removed
See release notes for installation instructions: https://www.suse.com/releasenotes/x86_64/SUSE-CAASP/4/
Following CVE entries are relevant for the casp 4.2.1 update:
cilium-proxy:
CVE-2019-18801: An untrusted remote client might have been able to send HTTP/2 requests via cilium-proxyx
that could have written to the heap outside of the request buffers when the upstream is HTTP/1. (bsc#1159002)
CVE-2019-18802: A malformed request header may have caused bypass of route matchers resulting in escalation of
privileges or information disclosure (bsc#1159003)
CVE-2019-18838: A malformed HTTP request without the Host header may cause abnormal termination ofthe Envoy
process (bsc#1159004)
CVE-2019-18836: Excessive iteration due to listener filter timeout in envoy could lead to DoS (bsc#1156450)
kafka:
CVE-2018-1288: authenticated Kafka users may perform action reserved for the Broker via a manually created fetch request. (bsc#1102920)
More information about the sle-updates
mailing list