SUSE-CU-2020:522-1: Security update of harbor/harbor-core
sle-updates at lists.suse.com
sle-updates at lists.suse.com
Thu Oct 15 00:05:44 MDT 2020
SUSE Container Update Advisory: harbor/harbor-core
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:522-1
Container Tags : harbor/harbor-core:2.0.3 , harbor/harbor-core:2.0.3-rev1 , harbor/harbor-core:2.0.3-rev1-build3.7
Container Release : 3.7
Severity : important
Type : security
References : 1011548 1100369 1109160 1118367 1118368 1128220 1142733 1146991
1153943 1153946 1156205 1157051 1158336 1161168 1161239 1165424
1170667 1170713 1171313 1171740 1171762 1172195 1172824 1172958
1173273 1173307 1173311 1173470 1173529 1173539 1173983 1174079
1174154 1174240 1174551 1174561 1174736 1174918 1175109 1175342
1175443 1175568 1175592 1175811 1175830 1175831 1175844 1176086
1176092 1176179 1176181 1176410 1176671 1176674 1177143 1177479
906079 CVE-2017-3136 CVE-2018-5741 CVE-2019-6477 CVE-2020-15719
CVE-2020-24659 CVE-2020-24977 CVE-2020-25219 CVE-2020-26154 CVE-2020-8027
CVE-2020-8231 CVE-2020-8616 CVE-2020-8617 CVE-2020-8618 CVE-2020-8619
CVE-2020-8620 CVE-2020-8621 CVE-2020-8622 CVE-2020-8623 CVE-2020-8624
-----------------------------------------------------------------
The container harbor/harbor-core was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2411-1
Released: Tue Sep 1 13:28:47 2020
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1142733,1146991,1158336,1172195,1172824,1173539
This update for systemd fixes the following issues:
- Improve logging when PID1 fails at setting a namespace up when spawning a command specified by
'Exec*='. (bsc#1172824, bsc#1142733)
pid1: improve message when setting up namespace fails.
execute: let's close glibc syslog channels too.
execute: normalize logging in *execute.c*.
execute: fix typo in error message.
execute: drop explicit *log_open()*/*log_close()* now that it is unnecessary.
execute: make use of the new logging mode in *execute.c*
log: add a mode where we open the log fds for every single log message.
log: let's make use of the fact that our functions return the negative error code for *log_oom()* too.
execute: downgrade a log message ERR â WARNING, since we proceed ignoring its result.
execute: rework logging in *setup_keyring()* to include unit info.
execute: improve and augment execution log messages.
- vconsole-setup: downgrade log message when setting font fails on dummy console. (bsc#1172195 bsc#1173539)
- fix infinite timeout. (bsc#1158336)
- bpf: mount bpffs by default on boot. (bsc#1146991)
- man: explain precedence for options which take a list.
- man: unify titling, fix description of precedence in sysusers.d(5)
- udev-event: fix timeout log messages.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2420-1
Released: Tue Sep 1 13:48:35 2020
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1174551,1174736
This update for zlib provides the following fixes:
- Permit a deflateParams() parameter change as soon as possible. (bsc#1174736)
- Fix DFLTCC not flushing EOBS when creating raw streams. (bsc#1174551)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2445-1
Released: Wed Sep 2 09:33:02 2020
Summary: Security update for curl
Type: security
Severity: moderate
References: 1175109,CVE-2020-8231
This update for curl fixes the following issues:
- An application that performs multiple requests with libcurl's
multi API and sets the 'CURLOPT_CONNECT_ONLY' option, might in
rare circumstances experience that when subsequently using the
setup connect-only transfer, libcurl will pick and use the wrong
connection and instead pick another one the application has
created since then. [bsc#1175109, CVE-2020-8231]
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2581-1
Released: Wed Sep 9 13:07:07 2020
Summary: Security update for openldap2
Type: security
Severity: moderate
References: 1174154,CVE-2020-15719
This update for openldap2 fixes the following issues:
- bsc#1174154 - CVE-2020-15719 - This resolves an issue with x509
SAN's falling back to CN validation in violation of rfc6125.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2612-1
Released: Fri Sep 11 11:18:01 2020
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1176179,CVE-2020-24977
This update for libxml2 fixes the following issues:
- CVE-2020-24977: Fixed a global-buffer-overflow in xmlEncodeEntitiesInternal (bsc#1176179).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2651-1
Released: Wed Sep 16 14:42:55 2020
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1175811,1175830,1175831
This update for zlib fixes the following issues:
- Fix compression level switching (bsc#1175811, bsc#1175830, bsc#1175831)
- Enable hardware compression on s390/s390x (jsc#SLE-13776)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2704-1
Released: Tue Sep 22 15:06:36 2020
Summary: Recommended update for krb5
Type: recommended
Severity: moderate
References: 1174079
This update for krb5 fixes the following issue:
- Fix prefix reported by krb5-config, libraries and headers are not installed under /usr/lib/mit prefix. (bsc#1174079)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2712-1
Released: Tue Sep 22 17:08:03 2020
Summary: Security update for openldap2
Type: security
Severity: moderate
References: 1175568,CVE-2020-8027
This update for openldap2 fixes the following issues:
- CVE-2020-8027: openldap_update_modules_path.sh starts daemons unconditionally and uses fixed paths in /tmp (bsc#1175568).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2819-1
Released: Thu Oct 1 10:39:16 2020
Summary: Recommended update for libzypp, zypper
Type: recommended
Severity: moderate
References: 1165424,1173273,1173529,1174240,1174561,1174918,1175342,1175592
This update for libzypp, zypper provides the following fixes:
Changes in libzypp:
- VendorAttr: Const-correct API and let Target provide its settings. (bsc#1174918)
- Support buildnr with commit hash in purge-kernels. This adds special behaviour for when
a kernel version has the rebuild counter before the kernel commit hash. (bsc#1175342)
- Improve Italian translation of the 'breaking dependencies' message. (bsc#1173529)
- Make sure reading from lsof does not block forever. (bsc#1174240)
- Just collect details for the signatures found.
Changes in zypper:
- man: Enhance description of the global package cache. (bsc#1175592)
- man: Point out that plain rpm packages are not downloaded to the global package cache.
(bsc#1173273)
- Directly list subcommands in 'zypper help'. (bsc#1165424)
- Remove extern C block wrapping augeas.h as it breaks the build on Arch Linux.
- Point out that plaindir repos do not follow symlinks. (bsc#1174561)
- Fix help command for list-patches.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2852-1
Released: Fri Oct 2 16:55:39 2020
Summary: Recommended update for openssl-1_1
Type: recommended
Severity: moderate
References: 1173470,1175844
This update for openssl-1_1 fixes the following issues:
FIPS:
* Include ECDH/DH Requirements from SP800-56Arev3 (bsc#1175844, bsc#1173470).
* Add shared secret KAT to FIPS DH selftest (bsc#1175844).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2864-1
Released: Tue Oct 6 10:34:14 2020
Summary: Security update for gnutls
Type: security
Severity: moderate
References: 1176086,1176181,1176671,CVE-2020-24659
This update for gnutls fixes the following issues:
- Fix heap buffer overflow in handshake with no_renegotiation alert sent (CVE-2020-24659 bsc#1176181)
- FIPS: Implement (EC)DH requirements from SP800-56Arev3 (bsc#1176086)
- FIPS: Use 2048 bit prime in DH selftest (bsc#1176086)
- FIPS: Add TLS KDF selftest (bsc#1176671)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2869-1
Released: Tue Oct 6 16:13:20 2020
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1011548,1153943,1153946,1161239,1171762
This update for aaa_base fixes the following issues:
- DIR_COLORS (bug#1006973):
- add screen.xterm-256color
- add TERM rxvt-unicode-256color
- sort and merge TERM entries in etc/DIR_COLORS
- check for Packages.db and use this instead of Packages. (bsc#1171762)
- Rename path() to _path() to avoid using a general name.
- refresh_initrd call modprobe as /sbin/modprobe (bsc#1011548)
- etc/profile add some missing ;; in case esac statements
- profile and csh.login: on s390x set TERM to dumb on dumb terminal (bsc#1153946)
- backup-rpmdb: exit if zypper is running (bsc#1161239)
- Add color alias for ip command (jsc#sle-9880, jsc#SLE-7679, bsc#1153943)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2893-1
Released: Mon Oct 12 14:14:55 2020
Summary: Recommended update for openssl-1_1
Type: recommended
Severity: moderate
References: 1177479
This update for openssl-1_1 fixes the following issues:
- Restore private key check in EC_KEY_check_key (bsc#1177479)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2901-1
Released: Tue Oct 13 14:22:43 2020
Summary: Security update for libproxy
Type: security
Severity: important
References: 1176410,1177143,CVE-2020-25219,CVE-2020-26154
This update for libproxy fixes the following issues:
- CVE-2020-25219: Rewrote url::recvline to be nonrecursive (bsc#1176410).
- CVE-2020-26154: Fixed a buffer overflow when PAC is enabled (bsc#1177143).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2914-1
Released: Tue Oct 13 17:25:20 2020
Summary: Security update for bind
Type: security
Severity: moderate
References: 1100369,1109160,1118367,1118368,1128220,1156205,1157051,1161168,1170667,1170713,1171313,1171740,1172958,1173307,1173311,1173983,1175443,1176092,1176674,906079,CVE-2017-3136,CVE-2018-5741,CVE-2019-6477,CVE-2020-8616,CVE-2020-8617,CVE-2020-8618,CVE-2020-8619,CVE-2020-8620,CVE-2020-8621,CVE-2020-8622,CVE-2020-8623,CVE-2020-8624
This update for bind fixes the following issues:
BIND was upgraded to version 9.16.6:
Note:
- bind is now more strict in regards to DNSSEC. If queries are not working,
check for DNSSEC issues. For instance, if bind is used in a namserver
forwarder chain, the forwarding DNS servers must support DNSSEC.
Fixing security issues:
- CVE-2020-8616: Further limit the number of queries that can be triggered from
a request. Root and TLD servers are no longer exempt
from max-recursion-queries. Fetches for missing name server. (bsc#1171740)
Address records are limited to 4 for any domain.
- CVE-2020-8617: Replaying a TSIG BADTIME response as a request could trigger an
assertion failure. (bsc#1171740)
- CVE-2019-6477: Fixed an issue where TCP-pipelined queries could bypass
the tcp-clients limit (bsc#1157051).
- CVE-2018-5741: Fixed the documentation (bsc#1109160).
- CVE-2020-8618: It was possible to trigger an INSIST when determining
whether a record would fit into a TCP message buffer (bsc#1172958).
- CVE-2020-8619: It was possible to trigger an INSIST in
lib/dns/rbtdb.c:new_reference() with a particular zone content
and query patterns (bsc#1172958).
- CVE-2020-8624: 'update-policy' rules of type 'subdomain' were
incorrectly treated as 'zonesub' rules, which allowed
keys used in 'subdomain' rules to update names outside
of the specified subdomains. The problem was fixed by
making sure 'subdomain' rules are again processed as
described in the ARM (bsc#1175443).
- CVE-2020-8623: When BIND 9 was compiled with native PKCS#11 support, it
was possible to trigger an assertion failure in code
determining the number of bits in the PKCS#11 RSA public
key with a specially crafted packet (bsc#1175443).
- CVE-2020-8621: named could crash in certain query resolution scenarios
where QNAME minimization and forwarding were both
enabled (bsc#1175443).
- CVE-2020-8620: It was possible to trigger an assertion failure by
sending a specially crafted large TCP DNS message (bsc#1175443).
- CVE-2020-8622: It was possible to trigger an assertion failure when
verifying the response to a TSIG-signed request (bsc#1175443).
Other issues fixed:
- Add engine support to OpenSSL EdDSA implementation.
- Add engine support to OpenSSL ECDSA implementation.
- Update PKCS#11 EdDSA implementation to PKCS#11 v3.0.
- Warn about AXFR streams with inconsistent message IDs.
- Make ISC rwlock implementation the default again.
- Fixed issues when using cookie-secrets for AES and SHA2 (bsc#1161168)
- Installed the default files in /var/lib/named and created
chroot environment on systems using transactional-updates (bsc#1100369, fate#325524)
- Fixed an issue where bind was not working in FIPS mode (bsc#906079).
- Fixed dependency issues (bsc#1118367 and bsc#1118368).
- GeoIP support is now discontinued, now GeoIP2 is used(bsc#1156205).
- Fixed an issue with FIPS (bsc#1128220).
- The liblwres library is discontinued upstream and is no longer included.
- Added service dependency on NTP to make sure the clock is accurate when bind is starts (bsc#1170667, bsc#1170713).
- Reject DS records at the zone apex when loading master files. Log but otherwise ignore attempts to add DS records at the zone apex via UPDATE.
- The default value of 'max-stale-ttl' has been changed from 1 week to 12 hours.
- Zone timers are now exported via statistics channel.
- The 'primary' and 'secondary' keywords, when used as parameters for 'check-names', were not processed correctly and were being ignored.
- 'rndc dnstap -roll <value>' did not limit the number of saved files to <value>.
- Add 'rndc dnssec -status' command.
- Addressed a couple of situations where named could crash.
- Changed /var/lib/named to owner root:named and perms rwxrwxr-t
so that named, being a/the only member of the 'named' group
has full r/w access yet cannot change directories owned by root
in the case of a compromized named.
[bsc#1173307, bind-chrootenv.conf]
- Added '/etc/bind.keys' to NAMED_CONF_INCLUDE_FILES in /etc/sysconfig/named to suppress warning message re missing file (bsc#1173983).
- Removed '-r /dev/urandom' from all invocations of rndc-confgen
(init/named system/lwresd.init system/named.init in vendor-files)
as this option is deprecated and causes rndc-confgen to fail.
(bsc#1173311, bsc#1176674, bsc#1170713)
- /usr/bin/genDDNSkey: Removing the use of the -r option in the call
of /usr/sbin/dnssec-keygen as BIND now uses the random number
functions provided by the crypto library (i.e., OpenSSL or a
PKCS#11 provider) as a source of randomness rather than /dev/random.
Therefore the -r command line option no longer has any effect on
dnssec-keygen. Leaving the option in genDDNSkey as to not break
compatibility. Patch provided by Stefan Eisenwiener.
[bsc#1171313]
- Put libns into a separate subpackage to avoid file conflicts
in the libisc subpackage due to different sonums (bsc#1176092).
- Require /sbin/start_daemon: both init scripts, the one used in
systemd context as well as legacy sysv, make use of start_daemon.
More information about the sle-updates
mailing list