SUSE-CU-2021:84-1: Security update of suse/sles12sp5
sle-updates at lists.suse.com
Tue Mar 30 06:05:43 UTC 2021
SUSE Container Update Advisory: suse/sles12sp5
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:84-1
Container Tags : suse/sles12sp5:6.5.151, suse/sles12sp5:latest
Container Release : 6.5.151
Severity : important
Type : security
References : 1082318 1088639 1112438 1125689 1134616 1146182 1146184 1176201
1181358 962914 964140 966514 CVE-2016-1544 CVE-2018-1000168 CVE-2019-9511
CVE-2019-9513 CVE-2020-11080
-----------------------------------------------------------------
The container suse/sles12sp5 was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:796-1
Released: Tue Mar 16 10:28:14 2021
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1176201
This update for zlib fixes the following issues:
- Fixed hw compression on z15 (bsc#1176201)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:932-1
Released: Wed Mar 24 12:13:01 2021
Summary: Security update for nghttp2
Type: security
Severity: important
References: 1082318,1088639,1112438,1125689,1134616,1146182,1146184,1181358,962914,964140,966514,CVE-2016-1544,CVE-2018-1000168,CVE-2019-9511,CVE-2019-9513,CVE-2020-11080
This update for nghttp2 fixes the following issues:
Security issues fixed:
- CVE-2020-11080: HTTP/2 Large Settings Frame DoS (bsc#1181358).
- CVE-2019-9513: Fixed HTTP/2 implementation that is vulnerable to resource loops, potentially leading to a denial of service (bsc#1146184).
- CVE-2019-9511: Fixed HTTP/2 implementations that are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service (bsc#1146182).
- CVE-2018-1000168: Fixed ALTSVC frame client side denial of service (bsc#1088639).
- CVE-2016-1544: Fixed out of memory due to unlimited incoming HTTP header fields (bsc#966514).
Bug fixes and enhancements:
- Packages must not mark license files as %doc (bsc#1082318)
- Typo in description of libnghttp2_asio1 (bsc#962914)
- Fixed mistake in spec file (bsc#1125689)
- Fixed build issue with boost 1.70.0 (bsc#1134616)
- Fixed build issue with GCC 6 (bsc#964140)
- Feature: Add W&S module (FATE#326776, bsc#1112438)