SUSE-CU-2020:661-1: Security update of sles12/portus

sle-updates at lists.suse.com
Mon Nov 9 04:26:21 MST 2020


SUSE Container Update Advisory: sles12/portus
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:661-1
Container Tags        : sles12/portus:2.4.3
Container Release     : 2.10.117
Severity              : important
Type                  : security
References            : 1010996 1010996 1043983 1048072 1055265 1056286 1056782 1058754
                        1058755 1058757 1062452 1069607 1069632 1071152 1071152 1071390
                        1071390 1073002 1078782 1082007 1082008 1082009 1082010 1082011
                        1082014 1082058 1082318 1084671 1087433 1087434 1087436 1087437
                        1087440 1087441 1100415 1100415 1102840 1104780 1112530 1112532
                        1120629 1120630 1120631 1121446 1127155 1130611 1130617 1130620
                        1130622 1130623 1130627 1131823 1137977 1144169 1149332 1149995
                        1152590 1152990 1152992 1152994 1152995 1154256 1154609 1154871
                        1156159 1156276 1157315 1159928 1160039 1160160 1161262 1161436
                        1161517 1161521 1162698 1162879 1163834 1164538 1165633 1165784
                        1165915 1165915 1165919 1165919 1166301 1166510 1167622 1167898
                        1168195 1169488 1169582 1170601 1170715 1170771 1171145 1171517
                        1171550 1171550 1171863 1171864 1171866 1171878 1172021 1172055
                        1172085 1172265 1172275 1172295 1172399 1172698 1172704 1173027
                        1173227 1173593 1174080 1174537 1174660 1174673 1176013 1176123
                        1176179 1176410 1177143 1177460 1177460 1177864 1178346 1178350
                        1178353 888534 973042 CVE-2015-9096 CVE-2016-2339 CVE-2016-7798
                        CVE-2017-0898 CVE-2017-0899 CVE-2017-0900 CVE-2017-0901 CVE-2017-0902
                        CVE-2017-0903 CVE-2017-10784 CVE-2017-14033 CVE-2017-14064 CVE-2017-17405
                        CVE-2017-17742 CVE-2017-17790 CVE-2017-9103 CVE-2017-9104 CVE-2017-9105
                        CVE-2017-9106 CVE-2017-9107 CVE-2017-9108 CVE-2017-9109 CVE-2017-9228
                        CVE-2017-9229 CVE-2018-1000073 CVE-2018-1000074 CVE-2018-1000075
                        CVE-2018-1000076 CVE-2018-1000077 CVE-2018-1000078 CVE-2018-1000079
                        CVE-2018-16395 CVE-2018-16396 CVE-2018-20532 CVE-2018-20533 CVE-2018-20534
                        CVE-2018-6914 CVE-2018-8777 CVE-2018-8778 CVE-2018-8779 CVE-2018-8780
                        CVE-2019-15845 CVE-2019-16201 CVE-2019-16254 CVE-2019-16255 CVE-2019-18197
                        CVE-2019-19956 CVE-2019-20386 CVE-2019-20388 CVE-2019-8320 CVE-2019-8321
                        CVE-2019-8322 CVE-2019-8323 CVE-2019-8324 CVE-2019-8325 CVE-2020-10029
                        CVE-2020-10543 CVE-2020-10663 CVE-2020-10878 CVE-2020-12243 CVE-2020-12723
                        CVE-2020-24977 CVE-2020-25219 CVE-2020-26154 CVE-2020-2752 CVE-2020-2812
                        CVE-2020-7595 CVE-2020-8023 CVE-2020-8177 
-----------------------------------------------------------------

The container sles12/portus was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:50-1
Released:    Thu Jan 15 16:33:18 2015
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:  888534

The system root SSL certificates were updated to match Mozilla NSS 2.2.

Some removed/disabled 1024-bit certificates were temporarily re-enabled/re-added,
as openssl and gnutls handle intermediates differently from Mozilla NSS and would
otherwise not recognize SSL certificates from commonly used sites like Amazon.

Updated to 2.2 (bnc#888534)
- The following CAs were added:
  + COMODO_RSA_Certification_Authority
    codeSigning emailProtection serverAuth
  + GlobalSign_ECC_Root_CA_-_R4
    codeSigning emailProtection serverAuth
  + GlobalSign_ECC_Root_CA_-_R5
    codeSigning emailProtection serverAuth
  + USERTrust_ECC_Certification_Authority
    codeSigning emailProtection serverAuth
  + USERTrust_RSA_Certification_Authority
    codeSigning emailProtection serverAuth
  + VeriSign-C3SSA-G2-temporary-intermediate-after-1024bit-removal
- The following CAs were changed:
  + Equifax_Secure_eBusiness_CA_1
    remove code signing and https trust, leave email trust
  + Verisign_Class_3_Public_Primary_Certification_Authority_-_G2
    only trust emailProtection
- Updated to 2.1 (bnc#888534)
- The following 1024-bit CA certificates were removed
  - Entrust.net Secure Server Certification Authority
  - ValiCert Class 1 Policy Validation Authority
  - ValiCert Class 2 Policy Validation Authority
  - ValiCert Class 3 Policy Validation Authority
  - TDC Internet Root CA
- The following CA certificates were added:
  - Certification Authority of WoSign
  - CA 沃通根证书
  - DigiCert Assured ID Root G2
  - DigiCert Assured ID Root G3
  - DigiCert Global Root G2
  - DigiCert Global Root G3
  - DigiCert Trusted Root G4
  - QuoVadis Root CA 1 G3
  - QuoVadis Root CA 2 G3
  - QuoVadis Root CA 3 G3
- The Trust Bits were changed for the following CA certificates
  - Class 3 Public Primary Certification Authority
  - Class 3 Public Primary Certification Authority
  - Class 2 Public Primary Certification Authority - G2
  - VeriSign Class 2 Public Primary Certification Authority - G3
  - AC Raíz Certicámara S.A.
  - NetLock Uzleti (Class B) Tanusitvanykiado
  - NetLock Expressz (Class C) Tanusitvanykiado

Temporarily re-enable some root CA trusts, as openssl/gnutls
have trouble using intermediates as root CAs.
  - GTE CyberTrust Global Root
  - Thawte Server CA
  - Thawte Premium Server CA
  - ValiCert Class 1 VA
  - ValiCert Class 2 VA
  - RSA Root Certificate 1
  - Entrust.net Secure Server CA
  - America Online Root Certification Authority 1
  - America Online Root Certification Authority 2

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:587-1
Released:    Fri Apr  8 17:06:56 2016
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:  973042

The root SSL certificate store ca-certificates-mozilla was updated
to version 2.7 of the Mozilla NSS equivalent. (bsc#973042)

- Newly added CAs:
  * CA WoSign ECC Root
  * Certification Authority of WoSign
  * Certification Authority of WoSign G2
  * Certinomis - Root CA
  * Certum Trusted Network CA 2
  * CFCA EV ROOT
  * COMODO RSA Certification Authority
  * DigiCert Assured ID Root G2
  * DigiCert Assured ID Root G3
  * DigiCert Global Root G2
  * DigiCert Global Root G3
  * DigiCert Trusted Root G4
  * Entrust Root Certification Authority - EC1
  * Entrust Root Certification Authority - G2
  * GlobalSign
  * IdenTrust Commercial Root CA 1
  * IdenTrust Public Sector Root CA 1
  * OISTE WISeKey Global Root GB CA
  * QuoVadis Root CA 1 G3
  * QuoVadis Root CA 2 G3
  * QuoVadis Root CA 3 G3
  * Staat der Nederlanden EV Root CA
  * Staat der Nederlanden Root CA - G3
  * S-TRUST Universal Root CA
  * SZAFIR ROOT CA2
  * TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5
  * TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6
  * USERTrust ECC Certification Authority
  * USERTrust RSA Certification Authority
  * 沃通根证书

- Removed CAs:
  * AOL CA
  * A Trust nQual 03
  * Buypass Class 3 CA 1
  * CA Disig
  * Digital Signature Trust Co Global CA 1
  * Digital Signature Trust Co Global CA 3
  * E Guven Kok Elektronik Sertifika Hizmet Saglayicisi
  * NetLock Expressz (Class C) Tanusitvanykiado
  * NetLock Kozjegyzoi (Class A) Tanusitvanykiado
  * NetLock Minositett Kozjegyzoi (Class QA) Tanusitvanykiado
  * NetLock Uzleti (Class B) Tanusitvanykiado
  * SG TRUST SERVICES RACINE
  * Staat der Nederlanden Root CA
  * TC TrustCenter Class 2 CA II
  * TC TrustCenter Universal CA I
  * TDC Internet Root CA
  * UTN DATACorp SGC Root CA
  * Verisign Class 1 Public Primary Certification Authority - G2
  * Verisign Class 3 Public Primary Certification Authority
  * Verisign Class 3 Public Primary Certification Authority - G2

- Removed server trust from:
  * AC Raíz Certicámara S.A.
  * ComSign Secured CA
  * NetLock Uzleti (Class B) Tanusitvanykiado
  * NetLock Business (Class B) Root
  * NetLock Expressz (Class C) Tanusitvanykiado
  * TC TrustCenter Class 3 CA II
  * TURKTRUST Certificate Services Provider Root 1
  * TURKTRUST Certificate Services Provider Root 2
  * Equifax Secure Global eBusiness CA-1
  * Verisign Class 4 Public Primary Certification Authority G3

- Enable server trust for:
  * Actalis Authentication Root CA

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:265-1
Released:    Tue Feb  6 14:58:28 2018
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:  1010996,1071152,1071390

This update for ca-certificates-mozilla fixes the following issues:

The system SSL root certificate store was updated to Mozilla certificate
version 2.22 from January 2018.  (bsc#1071152 bsc#1071390 bsc#1010996)

We removed the old 1024-bit legacy CAs that were temporarily left in to allow
in-chain root certificates, as openssl is now able to handle them.

Further changes coming from Mozilla:

- New Root CAs added:

  * Amazon Root CA 1: (email protection, server auth)
  * Amazon Root CA 2: (email protection, server auth)
  * Amazon Root CA 3: (email protection, server auth)
  * Amazon Root CA 4: (email protection, server auth)
  * Certplus Root CA G1: (email protection, server auth)
  * Certplus Root CA G2: (email protection, server auth)
  * D-TRUST Root CA 3 2013: (email protection)
  * GDCA TrustAUTH R5 ROOT: (server auth)
  * Hellenic Academic and Research Institutions ECC RootCA 2015: (email protection, server auth)
  * Hellenic Academic and Research Institutions RootCA 2015: (email protection, server auth)
  * ISRG Root X1: (server auth)
  * LuxTrust Global Root 2: (server auth)
  * OpenTrust Root CA G1: (email protection, server auth)
  * OpenTrust Root CA G2: (email protection, server auth)
  * OpenTrust Root CA G3: (email protection, server auth)
  * SSL.com EV Root Certification Authority ECC: (server auth)
  * SSL.com EV Root Certification Authority RSA R2: (server auth)
  * SSL.com Root Certification Authority ECC: (email protection, server auth)
  * SSL.com Root Certification Authority RSA: (email protection, server auth)
  * Symantec Class 1 Public Primary Certification Authority - G4: (email protection)
  * Symantec Class 1 Public Primary Certification Authority - G6: (email protection)
  * Symantec Class 2 Public Primary Certification Authority - G4: (email protection)
  * Symantec Class 2 Public Primary Certification Authority - G6: (email protection)
  * TrustCor ECA-1: (email protection, server auth)
  * TrustCor RootCert CA-1: (email protection, server auth)
  * TrustCor RootCert CA-2: (email protection, server auth)
  * TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1: (server auth)

- Removed root CAs:

  * AddTrust Public Services Root
  * AddTrust Public CA Root
  * AddTrust Qualified CA Root
  * ApplicationCA - Japanese Government
  * Buypass Class 2 CA 1
  * CA Disig Root R1
  * CA WoSign ECC Root
  * Certification Authority of WoSign G2
  * Certinomis - Autorité Racine
  * Certum Root CA
  * China Internet Network Information Center EV Certificates Root
  * CNNIC ROOT
  * Comodo Secure Services root
  * Comodo Trusted Services root
  * ComSign Secured CA
  * EBG Elektronik Sertifika Hizmet Sağlayıcısı
  * Equifax Secure CA
  * Equifax Secure eBusiness CA 1
  * Equifax Secure Global eBusiness CA
  * GeoTrust Global CA 2
  * IGC/A
  * Juur-SK
  * Microsec e-Szigno Root CA
  * PSCProcert
  * Root CA Generalitat Valenciana
  * RSA Security 2048 v3
  * Security Communication EV RootCA1
  * Sonera Class 1 Root CA
  * StartCom Certification Authority
  * StartCom Certification Authority G2
  * S-TRUST Authentication and Encryption Root CA 2005 PN
  * Swisscom Root CA 1
  * Swisscom Root EV CA 2
  * TÜBİTAK UEKAE Kök Sertifika Hizmet Sağlayıcısı - Sürüm 3
  * TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı
  * TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6
  * UTN USERFirst Hardware Root CA
  * UTN USERFirst Object Root CA
  * VeriSign Class 3 Secure Server CA - G2
  * Verisign Class 1 Public Primary Certification Authority
  * Verisign Class 2 Public Primary Certification Authority - G2
  * Verisign Class 3 Public Primary Certification Authority
  * WellsSecure Public Root Certificate Authority
  * Certification Authority of WoSign
  * WoSign China

- Removed Code Signing rights from a lot of CAs (not listed here).

- Removed Server Auth rights from:

  * AddTrust Low-Value Services Root
  * Camerfirma Chambers of Commerce Root
  * Camerfirma Global Chambersign Root
  * Swisscom Root CA 2


-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1643-1
Released:    Thu Aug 16 17:41:07 2018
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:  1100415

The systemwide Root CA certificates were updated to the 2.24 state of the Mozilla NSS Certificate store.

The following CAs were removed:

* S-TRUST_Universal_Root_CA
* TC_TrustCenter_Class_3_CA_II
* TURKTRUST_Elektronik_Sertifika_Hizmet_Saglayicisi_H5

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1763-1
Released:    Mon Aug 27 09:30:15 2018
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:  1104780
This update for ca-certificates-mozilla fixes the following issues:

The Root CA store was updated to the 2.26 state of the Mozilla NSS Certificate store. (bsc#1104780)

- Removed server auth from the following CAs:

  - Certplus Root CA G1
  - Certplus Root CA G2
  - OpenTrust Root CA G1
  - OpenTrust Root CA G2
  - OpenTrust Root CA G3

- Removed CAs

    - ComSign CA

- Added new CAs

    - GlobalSign

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:149-1
Released:    Wed Jan 23 17:58:18 2019
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:  1121446
This update for ca-certificates-mozilla fixes the following issues:

The package was updated to the 2.30 version of the Mozilla NSS Certificate store. (bsc#1121446)

Removed Root CAs:

- AC Raiz Certicamara S.A.
- Certplus Root CA G1
- Certplus Root CA G2
- OpenTrust Root CA G1
- OpenTrust Root CA G2
- OpenTrust Root CA G3
- Visa eCommerce Root

Added Root CAs:

- Certigna Root CA (email and server auth)
- GTS Root R1 (server auth)
- GTS Root R2 (server auth)
- GTS Root R3 (server auth)
- GTS Root R4 (server auth)
- OISTE WISeKey Global Root GC CA (email and server auth)
- UCA Extended Validation Root (server auth)
- UCA Global G2 Root (email and server auth)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2240-1
Released:    Wed Aug 28 14:57:51 2019
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:  1144169
This update for ca-certificates-mozilla fixes the following issues:

- Update to 2.34 state of the Mozilla NSS Certificate store. (bsc#1144169)

- Removed Root CAs:

  - Certinomis - Root CA

- Added root CAs from the 2.32 version:
  - emSign ECC Root CA - C3 (email and server auth)
  - emSign ECC Root CA - G3 (email and server auth)
  - emSign Root CA - C1 (email and server auth)
  - emSign Root CA - G1 (email and server auth)
  - Hongkong Post Root CA 3 (server auth)


-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:596-1
Released:    Thu Mar  5 15:23:51 2020
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:  1010996,1071152,1071390,1082318,1100415,1154871,1160160
This update for ca-certificates-mozilla fixes the following issues:

The following non-security bugs were fixed:

Updated to 2.40 state of the Mozilla NSS Certificate store (bsc#1160160):

Removed certificates:

- Certplus Class 2 Primary CA
- Deutsche Telekom Root CA 2
- CN=Swisscom Root CA 2
- UTN-USERFirst-Client Authentication and Email

Added certificates:

- Entrust Root Certification Authority - G4

- Export correct p11kit trust attributes so Firefox detects built in certificates (bsc#1154871).
- Updated to 2.24 state of the Mozilla NSS Certificate store (bsc#1100415).
- Use %license instead of %doc (bsc#1082318).
- Updated to 2.22 state of the Mozilla NSS Certificate store (bsc#1071152, bsc#1071390, bsc#1010996).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:652-1
Released:    Thu Mar 12 09:53:23 2020
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    important
References:  1165915,1165919,1166301
This update for ca-certificates-mozilla fixes the following issues:

This reverts a previous change to the generated pem structure, as it
requires a p11-kit tools update to be installed first, which cannot always
be ensured correctly. (bsc#1166301 bsc#1165915 bsc#1165919)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:786-1
Released:    Wed Mar 25 06:47:18 2020
Summary:     Recommended update for p11-kit
Type:        recommended
Severity:    moderate
References:  1165915,1165919
This update for p11-kit fixes the following issues:

- Tag this version with the 'p11-kit-tools-supports-CKA_NSS_MOZILLA_CA_POLICY'
  provides, so that it can be pulled in as a dependency. (bsc#1165915 bsc#1165919)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:915-1
Released:    Fri Apr  3 13:15:11 2020
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    moderate
References:  1168195

This update for openldap2 fixes the following issue:

- The openldap2-ppolicy-check-password plugin is now included (FATE#319461 bsc#1168195)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:920-1
Released:    Fri Apr  3 17:13:04 2020
Summary:     Security update for libxslt
Type:        security
Severity:    moderate
References:  1154609,CVE-2019-18197
This update for libxslt fixes the following issue:

- CVE-2019-18197: Fixed a dangling pointer in xsltCopyText which may have led to information disclosure (bsc#1154609).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1168-1
Released:    Mon May  4 14:06:46 2020
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  1162879
This update for libgcrypt fixes the following issues:

- FIPS: Relax the entropy requirements on selftest during boot (bsc#1162879)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1193-1
Released:    Tue May  5 16:26:05 2020
Summary:     Security update for openldap2
Type:        security
Severity:    important
References:  1170771,CVE-2020-12243
This update for openldap2 fixes the following issues:

- CVE-2020-12243: Fixed a denial of service related to recursive filters (bsc#1170771).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1312-1
Released:    Mon May 18 10:36:15 2020
Summary:     Recommended update for timezone
Type:        recommended
Severity:    moderate
References:  1169582
This update for timezone fixes the following issues:

- timezone update 2020a (bsc#1169582)
  * Morocco springs forward on 2020-05-31, not 2020-05-24.
  * Canada's Yukon advanced to -07 year-round on 2020-03-08.
  * America/Nuuk renamed from America/Godthab.
  * zic now supports expiration dates for leap second lists.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1325-1
Released:    Mon May 18 11:50:19 2020
Summary:     Recommended update for coreutils
Type:        recommended
Severity:    moderate
References:  1156276
This update for coreutils fixes the following issues:

- Fixed an issue where, when using sort with the '--human-numeric-sort-key' option, the column containing the values could be faulty. (bsc#1156276)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1329-1
Released:    Mon May 18 17:17:54 2020
Summary:     Recommended update for gcc9
Type:        recommended
Severity:    moderate
References:  1149995,1152590,1167898
This update for gcc9 fixes the following issues:

This update ships the GCC 9.3 release.

- Includes a fix for an internal compiler error when building HepMC (bsc#1167898)
- Includes a fix for binutils version parsing
- Add libstdc++6-pp provides and conflicts to avoid file conflicts
  with same minor version of libstdc++6-pp from gcc10.
- Add gcc9 autodetect -g at lto link (bsc#1149995)
- Install go tool buildid for bootstrapping go


-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:822-1
Released:    Fri May 22 10:59:33 2020
Summary:     Recommended update for pam
Type:        recommended
Severity:    moderate
References:  1166510
This update for pam fixes the following issues:

- Moved pam_userdb to a separate package pam-extra  (bsc#1166510)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1489-1
Released:    Wed May 27 18:29:21 2020
Summary:     Recommended update for timezone
Type:        recommended
Severity:    moderate
References:  1172055
This update for timezone fixes the following issue:

- zdump --version reported 'unknown' (bsc#1172055)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1570-1
Released:    Tue Jun  9 11:15:12 2020
Summary:     Security update for ruby2.1
Type:        security
Severity:    important
References:  1043983,1048072,1055265,1056286,1056782,1058754,1058755,1058757,1062452,1069607,1069632,1073002,1078782,1082007,1082008,1082009,1082010,1082011,1082014,1082058,1087433,1087434,1087436,1087437,1087440,1087441,1112530,1112532,1130611,1130617,1130620,1130622,1130623,1130627,1152990,1152992,1152994,1152995,1171517,1172275,CVE-2015-9096,CVE-2016-2339,CVE-2016-7798,CVE-2017-0898,CVE-2017-0899,CVE-2017-0900,CVE-2017-0901,CVE-2017-0902,CVE-2017-0903,CVE-2017-10784,CVE-2017-14033,CVE-2017-14064,CVE-2017-17405,CVE-2017-17742,CVE-2017-17790,CVE-2017-9228,CVE-2017-9229,CVE-2018-1000073,CVE-2018-1000074,CVE-2018-1000075,CVE-2018-1000076,CVE-2018-1000077,CVE-2018-1000078,CVE-2018-1000079,CVE-2018-16395,CVE-2018-16396,CVE-2018-6914,CVE-2018-8777,CVE-2018-8778,CVE-2018-8779,CVE-2018-8780,CVE-2019-15845,CVE-2019-16201,CVE-2019-16254,CVE-2019-16255,CVE-2019-8320,CVE-2019-8321,CVE-2019-8322,CVE-2019-8323,CVE-2019-8324,CVE-2019-8325,CVE-2020-10663
This update for ruby2.1 fixes the following issues:

Security issues fixed:

- CVE-2015-9096: Fixed an SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM command (bsc#1043983).
- CVE-2016-7798: Fixed an IV Reuse in GCM Mode (bsc#1055265).
- CVE-2017-0898: Fixed a buffer underrun vulnerability in Kernel.sprintf (bsc#1058755).
- CVE-2017-0899: Fixed an issue with malicious gem specifications: insufficient sanitization when printing gem specifications could have included terminal characters (bsc#1056286).
- CVE-2017-0900: Fixed an issue with malicious gem specifications: the query command could have led to a denial of service attack against clients (bsc#1056286).
- CVE-2017-0901: Fixed an issue with malicious gem specifications that could have overwritten arbitrary files on the client system (bsc#1056286).
- CVE-2017-0902: Fixed an issue with malicious gem specifications that could have enabled MITM attacks against clients (bsc#1056286).
- CVE-2017-0903: Fixed an unsafe object deserialization vulnerability (bsc#1062452).
- CVE-2017-9228: Fixed a heap out-of-bounds write in bitset_set_range() during regex compilation (bsc#1069607).
- CVE-2017-9229: Fixed an invalid pointer dereference in left_adjust_char_head() in oniguruma (bsc#1069632).
- CVE-2017-10784: Fixed an escape sequence injection vulnerability in the Basic authentication of WEBrick (bsc#1058754).
- CVE-2017-14033: Fixed a buffer underrun vulnerability in OpenSSL ASN1 decode (bsc#1058757).
- CVE-2017-14064: Fixed an arbitrary memory exposure during a JSON.generate call (bsc#1056782).
- CVE-2017-17405: Fixed a command injection vulnerability in Net::FTP (bsc#1073002).
- CVE-2017-17742: Fixed an HTTP response splitting issue in WEBrick (bsc#1087434).
- CVE-2017-17790: Fixed a command injection in lib/resolv.rb:lazy_initialize() (bsc#1078782).
- CVE-2018-6914: Fixed an unintentional file and directory creation with directory traversal in tempfile and tmpdir (bsc#1087441).
- CVE-2018-8777: Fixed a potential DoS caused by large requests in WEBrick (bsc#1087436).
- CVE-2018-8778: Fixed a buffer under-read in String#unpack (bsc#1087433).
- CVE-2018-8779: Fixed an unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket (bsc#1087440).
- CVE-2018-8780: Fixed an unintentional directory traversal by poisoned NUL byte in Dir (bsc#1087437).
- CVE-2018-16395: Fixed an issue with OpenSSL::X509::Name equality checking (bsc#1112530).
- CVE-2018-16396: Fixed an issue with tainted string handling, where the flag was not propagated in Array#pack and String#unpack with some directives (bsc#1112532).
- CVE-2018-1000073: Fixed a path traversal issue (bsc#1082007).
- CVE-2018-1000074: Fixed an unsafe object deserialization vulnerability in gem owner, allowing arbitrary code execution with specially crafted YAML (bsc#1082008).
- CVE-2018-1000075: Fixed an infinite loop vulnerability due to a negative size in a tar header, which could cause a denial of service (bsc#1082014).
- CVE-2018-1000076: Fixed an improper verification of signatures in tarballs (bsc#1082009).
- CVE-2018-1000077: Fixed an improper URL validation in the homepage attribute of ruby gems (bsc#1082010).
- CVE-2018-1000078: Fixed an XSS vulnerability in the homepage attribute when displayed via gem server (bsc#1082011).
- CVE-2018-1000079: Fixed a path traversal issue during gem installation that allowed writing to arbitrary filesystem locations (bsc#1082058).
- CVE-2019-8320: Fixed a directory traversal issue when decompressing tar files (bsc#1130627).
- CVE-2019-8321: Fixed an escape sequence injection vulnerability in verbose (bsc#1130623).
- CVE-2019-8322: Fixed an escape sequence injection vulnerability in gem owner (bsc#1130622).
- CVE-2019-8323: Fixed an escape sequence injection vulnerability in API response handling (bsc#1130620).
- CVE-2019-8324: Fixed an issue with malicious gems that may have led to arbitrary code execution (bsc#1130617).
- CVE-2019-8325: Fixed an escape sequence injection vulnerability in errors (bsc#1130611).
- CVE-2019-15845: Fixed a NUL injection vulnerability in File.fnmatch and File.fnmatch? (bsc#1152994).
- CVE-2019-16201: Fixed a regular expression denial of service vulnerability in WEBrick's digest access authentication (bsc#1152995).
- CVE-2019-16254: Fixed an HTTP response splitting vulnerability in WEBrick (bsc#1152992).
- CVE-2019-16255: Fixed a code injection vulnerability in Shell#[] and Shell#test (bsc#1152990).
- CVE-2020-10663: Fixed an unsafe object creation vulnerability in JSON (bsc#1171517).

Non-security issue fixed:

- Add conflicts to libruby to make sure ruby and ruby-stdlib are also updated when libruby is updated (bsc#1048072).

Also yast2-ruby-bindings on SLES 12 SP2 LTSS was updated to handle the updated ruby interpreter. (bsc#1172275)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1612-1
Released:    Fri Jun 12 09:43:17 2020
Summary:     Security update for adns
Type:        security
Severity:    important
References:  1172265,CVE-2017-9103,CVE-2017-9104,CVE-2017-9105,CVE-2017-9106,CVE-2017-9107,CVE-2017-9108,CVE-2017-9109
This update for adns fixes the following issues:

- CVE-2017-9103,CVE-2017-9104,CVE-2017-9105,CVE-2017-9109: Fixed an issue in the local recursive resolver
  which could have led to remote code execution (bsc#1172265).
- CVE-2017-9106: Fixed an issue with upstream DNS data sources which could have led to denial of 
  service (bsc#1172265).
- CVE-2017-9107: Fixed an issue when querying domain names which could have led to denial of service (bsc#1172265).
- CVE-2017-9108: Fixed an issue which could have led to denial of service (bsc#1172265).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1625-1
Released:    Tue Jun 16 09:28:28 2020
Summary:     Security update for mariadb
Type:        security
Severity:    moderate
References:  1171550,CVE-2020-2752,CVE-2020-2812
This update for mariadb fixes the following issues:

mariadb was updated to version 10.0.44 (bsc#1171550)

- CVE-2020-2752: Fixed an issue which could have resulted in unauthorized ability to cause denial of service.
- CVE-2020-2812: Fixed an issue which could have resulted in unauthorized ability to cause denial of service.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1662-1
Released:    Thu Jun 18 11:13:05 2020
Summary:     Security update for perl
Type:        security
Severity:    important
References:  1102840,1160039,1170601,1171863,1171864,1171866,CVE-2020-10543,CVE-2020-10878,CVE-2020-12723
This update for perl fixes the following issues:

- CVE-2020-10543: Fixed a heap buffer overflow in regular expression compiler which could have 
  allowed overwriting of allocated memory with attacker's data (bsc#1171863).
- CVE-2020-10878: Fixed multiple integer overflows which could have allowed the insertion of 
  instructions into the compiled form of Perl regular expression (bsc#1171864).
- CVE-2020-12723: Fixed an attacker's corruption of the intermediate language state of a 
  compiled regular expression (bsc#1171866).
- Fixed utf8 handling in perldoc by using 'term' instead of 'man' (bsc#1170601).
- Some packages make assumptions about the date and time they are built.
  This update solves the issues caused by calling the perl function timelocal
  with the year expressed as two digits only instead of four digits. (bsc#1102840) (bsc#1160039)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1689-1
Released:    Fri Jun 19 11:03:49 2020
Summary:     Recommended update for audit
Type:        recommended
Severity:    important
References:  1156159,1172295
This update for audit fixes the following issues:

- Fix specfile to require libauparse0 and libaudit1 after splitting audit-libs. (bsc#1172295)
- Fix hang on startup. (bsc#1156159)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1732-1
Released:    Wed Jun 24 09:42:55 2020
Summary:     Security update for curl
Type:        security
Severity:    important
References:  1173027,CVE-2020-8177
This update for curl fixes the following issues:

- CVE-2020-8177: Fixed an issue where curl could have been tricked by a malicious server to overwrite a local file when using the -J option (bsc#1173027).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1842-1
Released:    Fri Jul  3 22:40:42 2020
Summary:     Security update for systemd
Type:        security
Severity:    moderate
References:  1084671,1154256,1157315,1161262,1161436,1162698,1164538,1165633,1167622,1171145,CVE-2019-20386
This update for systemd fixes the following issues:

- CVE-2019-20386: Fixed a memory leak when executing the udevadm trigger command (bsc#1161436).
- Renamed the persistent link for ATA devices (bsc#1164538)
- shared/install: try harder to find enablement symlinks when disabling a unit (bsc#1157315)
- tmpfiles: removed unnecessary assert (bsc#1171145)
- pid1: by default make user units inherit their umask from the user manager (bsc#1162698)
- manager: fixed job mode when signalled to shut down, etc. (bsc#1161262)
- coredump: fixed a bug that lost core dump files when core dumps are compressed and disk space is low. (bsc#1167622)
- udev: inform systemd how many workers we can potentially spawn (#4036) (bsc#1165633)
- libblkid: open device in nonblock mode. (bsc#1084671)
- udev/cdrom_id: Do not open CD-rom in exclusive mode. (bsc#1154256)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1859-1
Released:    Mon Jul  6 17:08:28 2020
Summary:     Security update for openldap2
Type:        security
Severity:    important
References:  1170715,1172698,1172704,CVE-2020-8023
This update for openldap2 fixes the following issues:

- CVE-2020-8023: Fixed a potential local privilege escalation from ldap to root when OPENLDAP_CONFIG_BACKEND='ldap' was used (bsc#1172698).
- Changed DB_CONFIG to root:ldap permissions (bsc#1172704).
- Fixed an issue where slapd became unresponsive after many failed login/bind attempts (bsc#1170715).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1861-1
Released:    Mon Jul  6 18:11:32 2020
Summary:     Recommended update for mariadb
Type:        recommended
Severity:    moderate
References:  1171550,1172399
This update for mariadb contains the following fixes:

- Use -DCMAKE_SKIP_RPATH=OFF and 'DCMAKE_SKIP_INSTALL_RPATH=ON': (bsc#1171550)
  This allows linking with -rpath during the build and fixes quite a few test suite failures.
  When installing the files, -rpath is still disabled, so this should not have any
  effect on the installed binaries.
  Fixes the failed tests reported in (bsc#1171550).

- Fix updating tablespace ID in the index tree root pages. (bsc#1172399)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2059-1
Released:    Tue Jul 28 11:32:56 2020
Summary:     Recommended update for grep
Type:        recommended
Severity:    moderate
References:  1163834
This update for grep fixes the following issues:

- Fix for an issue where 'grep -i' had bad performance with multibyte, non-UTF-8 encodings. (bsc#1163834)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2287-1
Released:    Thu Aug 20 16:07:37 2020
Summary:     Recommended update for grep
Type:        recommended
Severity:    moderate
References:  1174080
This update for grep fixes the following issues:

- Fix for -P mishandling invalid UTF-8 input, which caused inconsistent results. (bsc#1174080)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2294-1
Released:    Fri Aug 21 16:59:17 2020
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    important
References:  1174537
This update for openldap2 fixes the following issues:

- Fixes an issue where slapd failed to start due to the missing pwdMaxRecordedFailure attribute (bsc#1174537)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2410-1
Released:    Tue Sep  1 13:15:48 2020
Summary:     Recommended update for pam
Type:        recommended
Severity:    low
References:  1173593

This update of pam fixes the following issue:

- On some SUSE Linux Enterprise 12 SP5 based media from build.suse.com,
  a pam version with a higher release number than the last update of pam
  was delivered. This update releases pam with a higher release number
  to align it with this media. (bsc#1173593)
  
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2428-1
Released:    Tue Sep  1 22:07:35 2020
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:  1174673
This update for ca-certificates-mozilla fixes the following issues:

Update to 2.42 state of the Mozilla NSS Certificate store (bsc#1174673)

Removed CAs:

- AddTrust External CA Root
- AddTrust Class 1 CA Root
- LuxTrust Global Root 2
- Staat der Nederlanden Root CA - G2
- Symantec Class 1 Public Primary Certification Authority - G4
- Symantec Class 2 Public Primary Certification Authority - G4
- VeriSign Class 3 Public Primary Certification Authority - G3

Added CAs:

- certSIGN Root CA G2
- e-Szigno Root CA 2017
- Microsoft ECC Root Certificate Authority 2017
- Microsoft RSA Root Certificate Authority 2017

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2587-1
Released:    Wed Sep  9 22:03:04 2020
Summary:     Recommended update for procps
Type:        recommended
Severity:    moderate
References:  1174660
This update for procps fixes the following issues:

- Added a fix for procps and its libraries to avoid issues with the 'free' tool. (bsc#1174660)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2609-1
Released:    Fri Sep 11 10:58:59 2020
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1159928,1161517,1161521,1172021,1176179,CVE-2019-19956,CVE-2019-20388,CVE-2020-24977,CVE-2020-7595
This update for libxml2 fixes the following issues:

- CVE-2019-20388: Fixed a memory leak in xmlSchemaPreRun (bsc#1161521).
- CVE-2020-7595: Fixed an infinite loop in an EOF situation (bsc#1161517).
- CVE-2020-24977: Fixed a global-buffer-overflow in xmlEncodeEntitiesInternal (bsc#1176179).
- Fixed invalid xmlns references due to CVE-2019-19956 (bsc#1172021).
  
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2660-1
Released:    Wed Sep 16 16:15:10 2020
Summary:     Security update for libsolv
Type:        security
Severity:    moderate
References:  1120629,1120630,1120631,1127155,1131823,1137977,CVE-2018-20532,CVE-2018-20533,CVE-2018-20534
This update for libsolv fixes the following issues:

This is a reissue of an existing libsolv update that also included libsolv-devel for LTSS products.

libsolv was updated to version 0.6.36, which fixes the following issues:

Security issues fixed:

- CVE-2018-20532: Fixed a NULL pointer dereference in testcase_read() (bsc#1120629).
- CVE-2018-20533: Fixed a NULL pointer dereference in testcase_str2dep_complex() (bsc#1120630).
- CVE-2018-20534: Fixed a NULL pointer dereference in pool_whatprovides() (bsc#1120631).

Non-security issues fixed:

- Made cleandeps jobs on patterns work (bsc#1137977).
- Fixed an issue with multiversion packages that obsolete their own name (bsc#1127155).
- Keep consistent package name if there are multiple alternatives (bsc#1131823).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2738-1
Released:    Thu Sep 24 14:54:13 2020
Summary:     Recommended update for mariadb
Type:        recommended
Severity:    low
References:  
This update for mariadb fixes the following issue:

- Enable checking of hostnames from SubjectAlternativeNames.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2777-1
Released:    Tue Sep 29 11:26:41 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1169488,1173227
This update for systemd fixes the following issues:

- Fixes some file mode inconsistencies for some ghost files (bsc#1173227)
- Fixes an issue where the system could hang on reboot (bsc#1169488)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2900-1
Released:    Tue Oct 13 14:20:15 2020
Summary:     Security update for libproxy
Type:        security
Severity:    important
References:  1176410,1177143,CVE-2020-25219,CVE-2020-26154
This update for libproxy fixes the following issues:

- CVE-2020-25219: Rewrote url::recvline to be nonrecursive (bsc#1176410).
- CVE-2020-26154: Fixed a buffer overflow when PAC is enabled (bsc#1177143).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2959-1
Released:    Tue Oct 20 12:33:48 2020
Summary:     Recommended update for file
Type:        recommended
Severity:    moderate
References:  1176123
This update for file fixes the following issues:

- Fixes an issue where file displayed a broken 'ELF' interpreter. (bsc#1176123)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3024-1
Released:    Fri Oct 23 14:21:54 2020
Summary:     Security update for glibc
Type:        security
Severity:    moderate
References:  1149332,1165784,1171878,1172085,1176013,CVE-2020-10029
This update for glibc fixes the following issues:

- CVE-2020-10029: Fixed a stack corruption from range reduction of pseudo-zero (bsc#1165784)
- Use posix_spawn on popen (bsc#1149332, bsc#1176013)
- Correct locking and cancellation cleanup in syslog functions (bsc#1172085)
- Fixed concurrent changes on nscd aware files (bsc#1171878)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3100-1
Released:    Thu Oct 29 19:34:18 2020
Summary:     Recommended update for timezone
Type:        recommended
Severity:    moderate
References:  1177460
This update for timezone fixes the following issues:

- timezone update 2020b (bsc#1177460)
  * Revised predictions for Morocco's changes starting in 2023.
  * Canada's Yukon changes to -07 on 2020-11-01, not 2020-03-08.
  * Macquarie Island has stayed in sync with Tasmania since 2011.
  * Casey, Antarctica is at +08 in winter and +11 in summer.
  * zic no longer supports -y, nor the TYPE field of Rules.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3139-1
Released:    Tue Nov  3 13:18:28 2020
Summary:     Recommended update for timezone
Type:        recommended
Severity:    important
References:  1177460,1178346,1178350,1178353
This update for timezone fixes the following issues:

- Generate 'fat' timezone files (was default before 2020b). (bsc#1178346, bsc#1178350, bsc#1178353)
- Palestine ends DST earlier than predicted, on 2020-10-24.
- Fiji starts DST later than usual, on 2020-12-20.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3156-1
Released:    Wed Nov  4 15:21:49 2020
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:  1177864
This update for ca-certificates-mozilla fixes the following issues:

The SSL Root CA store was updated to the 2.44 state of the Mozilla NSS Certificate store (bsc#1177864)

- Removed CAs:

  - EE Certification Centre Root CA
  - Taiwan GRCA

- Added CAs:

  - Trustwave Global Certification Authority
  - Trustwave Global ECC P256 Certification Authority
  - Trustwave Global ECC P384 Certification Authority
