SUSE-CU-2022:1616-1: Security update of trento/trento-runner
sle-updates at lists.suse.com
sle-updates at lists.suse.com
Fri Jul 22 08:48:01 UTC 2022
SUSE Container Update Advisory: trento/trento-runner
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2022:1616-1
Container Tags : trento/trento-runner:1.0.1 , trento/trento-runner:1.0.1-build4.16.1 , trento/trento-runner:latest
Container Release : 4.16.1
Severity : important
Type : security
References : 1040589 1180065 1182345 1182345 1182345 1182345 1182345 1182345
1182345 1182345 1182345 1182345 1182345 1182345 1182345 1182345
1183043 1183333 1183334 1185637 1185790 1186622 1187443 1187444
1187445 1188229 1189162 1190589 1191157 1191468 1191908 1192377
1192378 1192951 1193489 1193597 1193598 1193659 1195283 1195834
1195835 1195838 1196490 1196732 1196861 1197004 1197065 1197716
1197718 1197743 1197771 1197794 1198090 1198114 1198176 1198422
1198446 1198458 1198511 1198614 1198723 1198751 1198766 1199132
1199140 1199166 1199223 1199224 1199232 1199240 1200334 1200550
1200735 1200737 1200855 1200855 1201099 1201560 1201640 CVE-2015-20107
CVE-2020-29362 CVE-2021-27918 CVE-2021-27919 CVE-2021-31525 CVE-2021-33195
CVE-2021-33196 CVE-2021-33197 CVE-2021-33198 CVE-2021-34558 CVE-2021-36221
CVE-2021-38297 CVE-2021-39293 CVE-2021-41771 CVE-2021-41772 CVE-2021-44716
CVE-2021-44717 CVE-2022-1292 CVE-2022-1304 CVE-2022-1586 CVE-2022-2068
CVE-2022-2097 CVE-2022-22576 CVE-2022-23308 CVE-2022-23772 CVE-2022-23773
CVE-2022-23806 CVE-2022-24921 CVE-2022-27775 CVE-2022-27776 CVE-2022-27781
CVE-2022-27782 CVE-2022-29155 CVE-2022-29824 CVE-2022-32206 CVE-2022-32208
-----------------------------------------------------------------
The container trento/trento-runner was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:604-1
Released: Thu Feb 25 13:58:04 2021
Summary: Recommended update for go1.16
Type: recommended
Severity: moderate
References: 1182345
This update brings go1.16 to the Development Tools Module.
go1.16 (released 2021-02-16)
Go 1.16 is a major release of Go.
go1.16.x minor releases will be provided through February 2022.
See https://github.com/golang/go/wiki/Go-Release-Cycle
Most changes are in the implementation of the toolchain, runtime,
and libraries. As always, the release maintains the Go 1 promise
of compatibility. We expect almost all Go programs to continue to
compile and run as before.
* See release notes https://golang.org/doc/go1.16. Excerpts
relevant to OBS environment and for SUSE/openSUSE follow:
* Module-aware mode is enabled by default, regardless of whether
a go.mod file is present in the current working directory or a
parent directory. More precisely, the GO111MODULE environment
variable now defaults to on. To switch to the previous
behavior, set GO111MODULE to auto.
* Build commands like go build and go test no longer modify
go.mod and go.sum by default. Instead, they report an error if
a module requirement or checksum needs to be added or updated
(as if the -mod=readonly flag were used). Module requirements
and sums may be adjusted with go mod tidy or go get.
* go install now accepts arguments with version suffixes (for
example, go install example.com/cmd at v1.0.0). This causes go
install to build and install packages in module-aware mode,
ignoring the go.mod file in the current directory or any parent
directory, if there is one. This is useful for installing
executables without affecting the dependencies of the main
module.
* go install, with or without a version suffix (as described
above), is now the recommended way to build and install
packages in module mode. go get should be used with the -d flag
to adjust the current module's dependencies without building
packages, and use of go get to build and install packages is
deprecated. In a future release, the -d flag will always be
enabled.
* retract directives may now be used in a go.mod file to indicate
that certain published versions of the module should not be
used by other modules. A module author may retract a version
after a severe problem is discovered or if the version was
published unintentionally.
* The go mod vendor and go mod tidy subcommands now accept the -e
flag, which instructs them to proceed despite errors in
resolving missing packages.
* The go command now ignores requirements on module versions
excluded by exclude directives in the main module. Previously,
the go command used the next version higher than an excluded
version, but that version could change over time, resulting in
non-reproducible builds.
* In module mode, the go command now disallows import paths that
include non-ASCII characters or path elements with a leading
dot character (.). Module paths with these characters were
already disallowed (see Module paths and versions), so this
change affects only paths within module subdirectories.
* The go command now supports including static files and file
trees as part of the final executable, using the new //go:embed
directive. See the documentation for the new embed package for
details.
* When using go test, a test that calls os.Exit(0) during
execution of a test function will now be considered to
fail. This will help catch cases in which a test calls code
that calls os.Exit(0) and thereby stops running all future
tests. If a TestMain function calls os.Exit(0) that is still
considered to be a passing test.
* go test reports an error when the -c or -i flags are used
together with unknown flags. Normally, unknown flags are passed
to tests, but when -c or -i are used, tests are not run.
* The go get -insecure flag is deprecated and will be removed in
a future version. This flag permits fetching from repositories
and resolving custom domains using insecure schemes such as
HTTP, and also bypasses module sum validation using the
checksum database. To permit the use of insecure schemes, use
the GOINSECURE environment variable instead. To bypass module
sum validation, use GOPRIVATE or GONOSUMDB. See go help
environment for details.
* go get example.com/mod at patch now requires that some version of
example.com/mod already be required by the main
module. (However, go get -u=patch continues to patch even
newly-added dependencies.)
* GOVCS is a new environment variable that limits which version
control tools the go command may use to download source
code. This mitigates security issues with tools that are
typically used in trusted, authenticated environments. By
default, git and hg may be used to download code from any
repository. svn, bzr, and fossil may only be used to download
code from repositories with module paths or package paths
matching patterns in the GOPRIVATE environment variable. See go
help vcs for details.
* When the main module's go.mod file declares go 1.16 or higher,
the all package pattern now matches only those packages that
are transitively imported by a package or test found in the
main module. (Packages imported by tests of packages imported
by the main module are no longer included.) This is the same
set of packages retained by go mod vendor since Go 1.11.
* When the -toolexec build flag is specified to use a program
when invoking toolchain programs like compile or asm, the
environment variable TOOLEXEC_IMPORTPATH is now set to the
import path of the package being built.
* The -i flag accepted by go build, go install, and go test is
now deprecated. The -i flag instructs the go command to install
packages imported by packages named on the command line. Since
the build cache was introduced in Go 1.10, the -i flag no
longer has a significant effect on build times, and it causes
errors when the install directory is not writable.
* When the -export flag is specified, the BuildID field is now
set to the build ID of the compiled package. This is equivalent
to running go tool buildid on go list -exported -f {{.Export}},
but without the extra step.
* The -overlay flag specifies a JSON configuration file
containing a set of file path replacements. The -overlay flag
may be used with all build commands and go mod subcommands. It
is primarily intended to be used by editor tooling such as
gopls to understand the effects of unsaved changes to source
files. The config file maps actual file paths to replacement
file paths and the go command and its builds will run as if the
actual file paths exist with the contents given by the
replacement file paths, or don't exist if the replacement file
paths are empty.
* The cgo tool will no longer try to translate C struct bitfields
into Go struct fields, even if their size can be represented in
Go. The order in which C bitfields appear in memory is
implementation dependent, so in some cases the cgo tool
produced results that were silently incorrect.
* The linux/riscv64 port now supports cgo and -buildmode=pie.
This release also includes performance optimizations and code
generation improvements for RISC-V.
* The new runtime/metrics package introduces a stable interface
for reading implementation-defined metrics from the Go
runtime. It supersedes existing functions like
runtime.ReadMemStats and debug.GCStats and is significantly
more general and efficient. See the package documentation for
more details.
* Setting the GODEBUG environment variable to inittrace=1 now
causes the runtime to emit a single line to standard error for
each package init, summarizing its execution time and memory
allocation. This trace can be used to find bottlenecks or
regressions in Go startup performance. The GODEBUG
documentation describes the format.
* On Linux, the runtime now defaults to releasing memory to the
operating system promptly (using MADV_DONTNEED), rather than
lazily when the operating system is under memory pressure
(using MADV_FREE). This means process-level memory statistics
like RSS will more accurately reflect the amount of physical
memory being used by Go processes. Systems that are currently
using GODEBUG=madvdontneed=1 to improve memory monitoring
behavior no longer need to set this environment variable.
* Go 1.16 fixes a discrepancy between the race detector and the
Go memory model. The race detector now more precisely follows
the channel synchronization rules of the memory model. As a
result, the detector may now report races it previously missed.
* linker: This release includes additional improvements to the Go
linker, reducing linker resource usage (both time and memory)
and improving code robustness/maintainability. These changes
form the second half of a two-release project to modernize the
Go linker.
* The linker changes in 1.16 extend the 1.15 improvements to all
supported architecture/OS combinations (the 1.15 performance
improvements were primarily focused on ELF-based OSes and amd64
architectures). For a representative set of large Go programs,
linking is 20-25% faster than 1.15 and requires 5-15% less
memory on average for linux/amd64, with larger improvements for
other architectures and OSes. Most binaries are also smaller as
a result of more aggressive symbol pruning.
* The new embed package provides access to files embedded in the
program during compilation using the new //go:embed directive.
* The new io/fs package defines the fs.FS interface, an
abstraction for read-only trees of files. The standard library
packages have been adapted to make use of the interface as
appropriate.
* For testing code that implements fs.FS, the new testing/fstest
package provides a TestFS function that checks for and reports
common mistakes. It also provides a simple in-memory file
system implementation, MapFS, which can be useful for testing
code that accepts fs.FS implementations.
* syscall: On Linux, Setgid, Setuid, and related calls are now
implemented. Previously, they returned an syscall.EOPNOTSUPP
error. On Linux, the new functions AllThreadsSyscall and
AllThreadsSyscall6 may be used to make a system call on all Go
threads in the process. These functions may only be used by
programs that do not use cgo; if a program uses cgo, they will
always return syscall.ENOTSUP.
* time/tzdata: The slim timezone data format is now used for the
timezone database in $GOROOT/lib/time/zoneinfo.zip and the
embedded copy in this package. This reduces the size of the
timezone database by about 350 KB.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:937-1
Released: Wed Mar 24 12:22:21 2021
Summary: Security update for go1.16
Type: security
Severity: moderate
References: 1182345,1183333,1183334,CVE-2021-27918,CVE-2021-27919
This update for go1.16 fixes the following issues:
- go1.16.2 (released 2021-03-11) (bsc#1182345)
- go1.16.1 (released 2021-03-10) (bsc#1182345)
- CVE-2021-27918: Fixed an infinite loop when using xml.NewTokenDecoder with a custom TokenReader (bsc#1183333).
- CVE-2021-27919: Fixed an issue where archive/zip: can panic when calling Reader.Open (bsc#1183334).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1202-1
Released: Thu Apr 15 15:11:29 2021
Summary: Recommended update for go1.16
Type: recommended
Severity: moderate
References: 1182345
This update for go1.16 fixes the following issues:
- Updated to upstream version 1.16.3 to include fixes for the compiler, linker,
runtime, the go command, and the testing and time packages (bsc#1182345)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2085-1
Released: Fri Jun 18 17:21:29 2021
Summary: Security update for go1.16
Type: security
Severity: moderate
References: 1182345,1185790,CVE-2021-31525
This update for go1.16 fixes the following issues:
- Updated go to upstream version 1.16.4 (released 2021-05-06) (bsc#1182345).
- CVE-2021-31525: Fixed stack overflow via net/http ReadRequest (bsc#1185790).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2186-1
Released: Mon Jun 28 18:23:20 2021
Summary: Security update for go1.16
Type: security
Severity: important
References: 1182345,1186622,1187443,1187444,1187445,CVE-2021-33195,CVE-2021-33196,CVE-2021-33197,CVE-2021-33198
This update for go1.16 fixes the following issues:
Update to 1.16.5.
Includes these security fixes
- CVE-2021-33195: net: Lookup functions may return invalid host names (bsc#1187443).
- CVE-2021-33196: archive/zip: malformed archive may cause panic or memory exhaustion (bsc#1186622).
- CVE-2021-33197: net/http/httputil: ReverseProxy forwards Connection headers if first one is empty (bsc#1187444)
- CVE-2021-33198: math/big: (*Rat).SetString with '1.770p02041010010011001001' crashes with 'makeslice: len out of range' (bsc#1187445).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2392-1
Released: Mon Jul 19 08:50:19 2021
Summary: Security update for go1.16
Type: security
Severity: important
References: 1182345,1188229,CVE-2021-34558
This update for go1.16 fixes the following issues:
go1.16.6 (released 2021-07-12, bsc#1182345) includes a security fix to the
crypto/tls package, as well as bug fixes to the compiler, and the
net and net/http packages.
Security issue fixed:
CVE-2021-34558: Fixed crypto/tls: clients can panic when provided a certificate of the wrong type for the negotiated parameters (bsc#1188229)
go1.16 release:
* bsc#1188229 go#47143 CVE-2021-34558
* go#47145 security: fix CVE-2021-34558
* go#46999 net: LookupMX behaviour broken
* go#46981 net: TestCVE202133195 fails if /etc/resolv.conf specifies ndots larger than 3
* go#46769 syscall: TestGroupCleanupUserNamespace test failure on Fedora
* go#46657 runtime: deeply nested struct initialized with non-zero values
* go#44984 net/http: server not setting Content-Length in certain cases
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2788-1
Released: Fri Aug 20 10:06:08 2021
Summary: Security update for go1.16
Type: security
Severity: moderate
References: 1182345,1189162,CVE-2021-36221
This update for go1.16 fixes the following issues:
Update to go1.16.7:
- go#47473 net/http: panic due to racy read of persistConn after handler panic (CVE-2021-36221 bsc#1189162)
- go#47348 cmd/go: 'go list -f '{{.Stale}}'' stack overflow with cyclic imports
- go#47332 time: Timer reset broken under heavy use since go1.16 timer optimizations added
- go#47289 cmd/link: build error with cgo in Windows, redefinition of go.map.zero
- go#47015 cmd/go: go mod vendor: open C:\Users\LICENSE: Access is denied.
- go#46928 cmd/compile: register conflict between external linker and duffzero on arm64
- go#46858 runtime: ppc64x binaries randomly segfault on linux 5.13rc6
- go#46551 cmd/go: unhelpful error message when running 'go install' on a replaced-but-not-required package
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3292-1
Released: Wed Oct 6 16:46:16 2021
Summary: Security update for go1.16
Type: security
Severity: important
References: 1182345,1190589,CVE-2021-39293
This update for go1.16 fixes the following issues:
- Update to go 1.16.8
- CVE-2021-39293: Fixed a buffer overflow issue in preallocation check that can cause OOM panic. (bas#)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3487-1
Released: Wed Oct 20 16:18:28 2021
Summary: Security update for go1.16
Type: security
Severity: moderate
References: 1182345,1191468,CVE-2021-38297
This update for go1.16 fixes the following issues:
Update to go1.16.9
- CVE-2021-38297: misc/wasm, cmd/link: do not let command line args overwrite global data (bsc#1191468)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3834-1
Released: Wed Dec 1 16:05:12 2021
Summary: Security update for go1.16
Type: security
Severity: moderate
References: 1182345,1192377,1192378,CVE-2021-41771,CVE-2021-41772
This update for go1.16 fixes the following issues:
Security update go1.16.10 (released 2021-11-04) (bsc#1182345).
- CVE-2021-41771: Fixed invalid dynamic symbol table command that could have caused panic (bsc#1192377).
- CVE-2021-41772: Fixed panic on (*Reader).Open (bsc#1192378).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:4169-1
Released: Thu Dec 23 09:52:43 2021
Summary: Security update for go1.16
Type: security
Severity: moderate
References: 1182345,1193597,1193598,CVE-2021-44716,CVE-2021-44717
This update for go1.16 fixes the following issues:
Updated to upstream version 1.16.12 to include security fixes to the compiler,
syscall, runtime, the net/http, net/http/httptest, and time packages (bsc#1182345)
- CVE-2021-44717: syscall: don't close fd 0 on ForkExec error (bsc#1193598).
- CVE-2021-44716: net/http: limit growth of header canonicalization cache (bsc#1193597).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:87-1
Released: Mon Jan 17 12:50:09 2022
Summary: Recommended update for go1.16
Type: recommended
Severity: moderate
References: 1182345
This update for go1.16 fixes the following issues:
Update to go1.16.13 (bsc#1182345)
- it includes fixes to the compiler, linker, runtime, and the net/http package.
* x/net/http2: `http.Server.WriteTimeout` does not fire if the http2 stream's window is out of space.
* runtime/race: building for iOS, but linking in object file built for macOS
* runtime: race detector `SIGABRT` or `SIGSEGV` on macOS Monterey
* runtime: mallocs cause 'base outside usable address space' panic when running on iOS 14
* cmd/link: does not set section type of `.init_array` correctly
* cmd/link: support more load commands on `Mach-O`
* cmd/compile: internal compiler error: `Op...LECall and OpDereference have mismatched mem`
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:724-1
Released: Fri Mar 4 10:34:01 2022
Summary: Security update for go1.16
Type: security
Severity: important
References: 1182345,1195834,1195835,1195838,CVE-2022-23772,CVE-2022-23773,CVE-2022-23806
This update for go1.16 fixes the following issues:
- CVE-2022-23806: Fixed incorrect returned value in crypto/elliptic IsOnCurve (bsc#1195838).
- CVE-2022-23772: Fixed overflow in Rat.SetString in math/big can lead to uncontrolled memory consumption (bsc#1195835).
- CVE-2022-23773: Fixed incorrect access control in cmd/go (bsc#1195834).
The following non-security bugs were fixed:
- go#50977 crypto/elliptic: IsOnCurve returns true for invalid field elements
- go#50700 math/big: Rat.SetString may consume large amount of RAM and crash
- go#50686 cmd/go: do not treat branches with semantic-version names as releases
- go#50866 cmd/compile: incorrect use of CMN on arm64
- go#50832 runtime/race: NoRaceMutexPureHappensBefore failures
- go#50811 cmd/go: remove bitbucket VCS probing
- go#50780 runtime: incorrect frame information in traceback traversal may hang the process.
- go#50721 debug/pe: reading debug_info section of PE files that use the DWARF5 form DW_FORM_line_strp causes error
- go#50682 cmd/compile: MOVWreg missing sign-extension following a Copy from a floating-point LoadReg
- go#50645 testing: surprising interaction of subtests with TempDir
- go#50585 net/http/httptest: add fipsonly compliant certificate in for NewTLSServer(), for dev.boringcrypto branch
- go#50245 runtime: intermittent os/exec.Command.Start() Hang on Darwin in Presence of 'plugin' Package
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1164-1
Released: Tue Apr 12 15:03:24 2022
Summary: Security update for go1.16
Type: security
Severity: important
References: 1182345,1183043,1196732,CVE-2022-24921
This update for go1.16 fixes the following issues:
Update to version 1.16.15 (bsc#1182345):
- CVE-2022-24921: Fixed a potential denial of service via large regular
expressions (bsc#1196732).
Non-security fixes:
- Fixed an issue with v2 modules (go#51331).
- Fixed an issue when building source in riscv64 (go#51198).
- Increased compatibility for the DNS protocol in the net module (go#51161).
- Fixed an issue with histograms in the runtime/metrics module (go#50733).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1374-1
Released: Mon Apr 25 15:02:13 2022
Summary: Recommended update for openldap2
Type: recommended
Severity: moderate
References: 1191157,1197004
This update for openldap2 fixes the following issues:
- allow specification of max/min TLS version with TLS1.3 (bsc#1191157)
- libldap was able to be out of step with openldap in some cases which could cause incorrect installations and symbol
resolution failures. openldap2 and libldap now are locked to their related release versions. (bsc#1197004)
- restore CLDAP functionality in CLI tools (jsc#PM-3288)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1451-1
Released: Thu Apr 28 10:47:22 2022
Summary: Recommended update for perl
Type: recommended
Severity: moderate
References: 1193489
This update for perl fixes the following issues:
- Fix Socket::VERSION evaluation and stabilize Socket:VERSION comparisons (bsc#1193489)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1626-1
Released: Tue May 10 15:55:13 2022
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1198090,1198114
This update for systemd fixes the following issues:
- tmpfiles.d: only 'w+' can have multiple lines for the same path (bsc#1198090)
- journald: make sure journal_file_open() doesn't leave a corrupted file around after failing (bsc#1198114)
- tmpfiles: constify item_compatible() parameters
- test tmpfiles: add a test for 'w+'
- test: add test checking tmpfiles conf file precedence
- journald: make use of CLAMP() in cache_space_refresh()
- journal-file: port journal_file_open() to openat_report_new()
- fs-util: make sure openat_report_new() initializes return param also on shortcut
- fs-util: fix typos in comments
- fs-util: add openat_report_new() wrapper around openat()
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1655-1
Released: Fri May 13 15:36:10 2022
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1197794
This update for pam fixes the following issue:
- Do not include obsolete header files (bsc#1197794)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1657-1
Released: Fri May 13 15:39:07 2022
Summary: Security update for curl
Type: security
Severity: moderate
References: 1198614,1198723,1198766,CVE-2022-22576,CVE-2022-27775,CVE-2022-27776
This update for curl fixes the following issues:
- CVE-2022-27776: Fixed auth/cookie leak on redirect (bsc#1198766)
- CVE-2022-27775: Fixed bad local IPv6 connection reuse (bsc#1198723)
- CVE-2022-22576: Fixed OAUTH2 bearer bypass in connection re-use (bsc#1198614)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1658-1
Released: Fri May 13 15:40:20 2022
Summary: Recommended update for libpsl
Type: recommended
Severity: important
References: 1197771
This update for libpsl fixes the following issues:
- Fix libpsl compilation issues (bsc#1197771)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1670-1
Released: Mon May 16 10:06:30 2022
Summary: Security update for openldap2
Type: security
Severity: important
References: 1199240,CVE-2022-29155
This update for openldap2 fixes the following issues:
- CVE-2022-29155: Fixed SQL injection in back-sql (bsc#1199240).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1688-1
Released: Mon May 16 14:02:49 2022
Summary: Security update for e2fsprogs
Type: security
Severity: important
References: 1198446,CVE-2022-1304
This update for e2fsprogs fixes the following issues:
- CVE-2022-1304: Fixed out-of-bounds read/write leading to segmentation fault
and possibly arbitrary code execution. (bsc#1198446)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1709-1
Released: Tue May 17 17:35:47 2022
Summary: Recommended update for libcbor
Type: recommended
Severity: important
References: 1197743
This update for libcbor fixes the following issues:
- Fix build errors occuring on SUSE Linux Enterprise 15 Service Pack 4
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1750-1
Released: Thu May 19 15:28:20 2022
Summary: Security update for libxml2
Type: security
Severity: important
References: 1196490,1199132,CVE-2022-23308,CVE-2022-29824
This update for libxml2 fixes the following issues:
- CVE-2022-23308: Fixed a use-after-free of ID and IDREF attributes (bsc#1196490).
- CVE-2022-29824: Fixed integer overflow that could have led to an out-of-bounds write in buf.c (xmlBuf*) and tree.c (xmlBuffer*) (bsc#1199132).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1770-1
Released: Fri May 20 14:36:30 2022
Summary: Recommended update for skelcd, sles15-image
Type: recommended
Severity: moderate
References:
This update for skelcd, sles15-image fixes the following issues:
Changes in skelcd:
- Ship skelcd-EULA-bci for SLE BCI EULA (jsc#BCI-10)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1851-1
Released: Thu May 26 08:59:55 2022
Summary: Recommended update for gcc8
Type: recommended
Severity: moderate
References: 1197716
This update for gcc8 fixes the following issues:
- Fix build against SP4. (bsc#1197716)
- Remove bogus fixed include bits/statx.h from glibc 2.30 (bsc#1197716)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1870-1
Released: Fri May 27 10:03:40 2022
Summary: Security update for curl
Type: security
Severity: important
References: 1199223,1199224,CVE-2022-27781,CVE-2022-27782
This update for curl fixes the following issues:
- CVE-2022-27781: Fixed CERTINFO never-ending busy-loop (bsc#1199223)
- CVE-2022-27782: Fixed TLS and SSH connection too eager reuse (bsc#1199224)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1887-1
Released: Tue May 31 09:24:18 2022
Summary: Recommended update for grep
Type: recommended
Severity: moderate
References: 1040589
This update for grep fixes the following issues:
- Make profiling deterministic. (bsc#1040589, SLE-24115)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1899-1
Released: Wed Jun 1 10:43:22 2022
Summary: Recommended update for libtirpc
Type: recommended
Severity: important
References: 1198176
This update for libtirpc fixes the following issues:
- Add a check for nullpointer in check_address to prevent client from crashing (bsc#1198176)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1909-1
Released: Wed Jun 1 16:25:35 2022
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1198751
This update for glibc fixes the following issues:
- Add the correct name for the IBM Z16 (bsc#1198751).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2019-1
Released: Wed Jun 8 16:50:07 2022
Summary: Recommended update for gcc11
Type: recommended
Severity: moderate
References: 1192951,1193659,1195283,1196861,1197065
This update for gcc11 fixes the following issues:
Update to the GCC 11.3.0 release.
* includes SLS hardening backport on x86_64. [bsc#1195283]
* includes change to adjust gnats idea of the target, fixing the build of gprbuild. [bsc#1196861]
* fixed miscompile of embedded premake in 0ad on i586. [bsc#1197065]
* use --with-cpu rather than specifying --with-arch/--with-tune
* Fix D memory corruption in -M output.
* Fix ICE in is_this_parameter with coroutines. [bsc#1193659]
* fixes issue with debug dumping together with -o /dev/null
* fixes libgccjit issue showing up in emacs build [bsc#1192951]
* Package mwaitintrin.h
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2049-1
Released: Mon Jun 13 09:23:49 2022
Summary: Recommended update for binutils
Type: recommended
Severity: moderate
References: 1191908,1198422
This update for binutils fixes the following issues:
- Revert back to old behaviour of not ignoring the in-section content
of to be relocated fields on x86-64, even though that's a RELA architecture.
Compatibility with buggy object files generated by old tools.
[bsc#1198422]
- Fix a problem in crash not accepting some of our .ko.debug files. (bsc#1191908)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2157-1
Released: Wed Jun 22 17:11:26 2022
Summary: Recommended update for binutils
Type: recommended
Severity: moderate
References: 1198458
This update for binutils fixes the following issues:
- For building the shim 15.6~rc1 and later versions aarch64 image, objcopy
needs to support efi-app-aarch64 target. (bsc#1198458)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2251-1
Released: Mon Jul 4 09:52:25 2022
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1185637,1199166,1200550,CVE-2022-1292,CVE-2022-2068
This update for openssl-1_1 fixes the following issues:
- CVE-2022-1292: Fixed command injection in c_rehash (bsc#1199166).
- CVE-2022-2068: Fixed more shell code injection issues in c_rehash. (bsc#1200550)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2327-1
Released: Thu Jul 7 15:06:13 2022
Summary: Security update for curl
Type: security
Severity: important
References: 1200735,1200737,CVE-2022-32206,CVE-2022-32208
This update for curl fixes the following issues:
- CVE-2022-32206: HTTP compression denial of service (bsc#1200735)
- CVE-2022-32208: FTP-KRB bad message verification (bsc#1200737)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2328-1
Released: Thu Jul 7 15:07:35 2022
Summary: Security update for openssl-1_1
Type: security
Severity: important
References: 1201099,CVE-2022-2097
This update for openssl-1_1 fixes the following issues:
- CVE-2022-2097: Fixed partial missing encryption in AES OCB mode (bsc#1201099).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2357-1
Released: Mon Jul 11 20:34:20 2022
Summary: Security update for python3
Type: security
Severity: important
References: 1198511,CVE-2015-20107
This update for python3 fixes the following issues:
- CVE-2015-20107: avoid command injection in the mailcap module (bsc#1198511).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2361-1
Released: Tue Jul 12 12:05:01 2022
Summary: Security update for pcre
Type: security
Severity: important
References: 1199232,CVE-2022-1586
This update for pcre fixes the following issues:
- CVE-2022-1586: Fixed unicode property matching issue. (bsc#1199232)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2405-1
Released: Fri Jul 15 11:47:57 2022
Summary: Security update for p11-kit
Type: security
Severity: moderate
References: 1180065,CVE-2020-29362
This update for p11-kit fixes the following issues:
- CVE-2020-29362: Fixed a 4 byte overread in p11_rpc_buffer_get_byte_array which could lead to crashes (bsc#1180065)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2406-1
Released: Fri Jul 15 11:49:01 2022
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1197718,1199140,1200334,1200855
This update for glibc fixes the following issues:
- powerpc: Fix VSX register number on __strncpy_power9 (bsc#1200334)
- Disable warnings due to deprecated libselinux symbols used by nss and nscd (bsc#1197718)
- i386: Remove broken CAN_USE_REGISTER_ASM_EBP (bsc#1197718)
- rtld: Avoid using up static TLS surplus for optimizations (bsc#1200855, BZ #25051)
This readds the s390 32bit glibc and libcrypt1 libraries (glibc-32bit, glibc-locale-base-32bit, libcrypt1-32bit).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2494-1
Released: Thu Jul 21 15:16:42 2022
Summary: Recommended update for glibc
Type: recommended
Severity: important
References: 1200855,1201560,1201640
This update for glibc fixes the following issues:
- Remove tunables from static tls surplus patch which caused crashes (bsc#1200855)
- i386: Disable check_consistency for GCC 5 and above (bsc#1201640, BZ #25788)
The following package changes have been done:
- libldap-data-2.4.46-150200.14.8.1 updated
- libtirpc-netconfig-1.2.6-150300.3.6.1 updated
- glibc-2.31-150300.31.2 updated
- libcrypt1-4.4.15-150300.4.4.3 updated
- perl-base-5.26.1-150300.17.3.1 updated
- libpcre1-8.45-150000.20.13.1 updated
- libgcc_s1-11.3.0+git1637-150000.1.9.1 updated
- libcom_err2-1.43.8-150000.4.33.1 updated
- libxml2-2-2.9.7-150000.3.46.1 updated
- libstdc++6-11.3.0+git1637-150000.1.9.1 updated
- libpsl5-0.20.1-150000.3.3.1 updated
- libopenssl1_1-1.1.1d-150200.11.51.1 updated
- libopenssl1_1-hmac-1.1.1d-150200.11.51.1 updated
- libldap-2_4-2-2.4.46-150200.14.8.1 updated
- libudev1-246.16-150300.7.45.1 updated
- libtirpc3-1.2.6-150300.3.6.1 updated
- libcurl4-7.66.0-150200.4.36.1 updated
- libsystemd0-246.16-150300.7.45.1 updated
- grep-3.1-150000.4.6.1 updated
- pam-1.3.0-150000.6.58.3 updated
- openssl-1_1-1.1.1d-150200.11.51.1 updated
- libp11-kit0-0.23.2-150000.4.16.1 updated
- p11-kit-0.23.2-150000.4.16.1 updated
- p11-kit-tools-0.23.2-150000.4.16.1 updated
- libatomic1-11.3.0+git1637-150000.1.9.1 updated
- libctf-nobfd0-2.37-150100.7.37.1 updated
- libgomp1-11.3.0+git1637-150000.1.9.1 updated
- libitm1-11.3.0+git1637-150000.1.9.1 updated
- liblsan0-11.3.0+git1637-150000.1.9.1 updated
- libmpx2-8.2.1+r264010-150000.1.6.4 updated
- libmpxwrappers2-8.2.1+r264010-150000.1.6.4 updated
- libtsan0-11.3.0+git1637-150000.1.9.1 updated
- libxcrypt-devel-4.4.15-150300.4.4.3 updated
- libctf0-2.37-150100.7.37.1 updated
- binutils-2.37-150100.7.37.1 updated
- glibc-devel-2.31-150300.37.1 updated
- go1.16-1.16.15-150000.1.46.1 added
- libcbor0-0.5.0-150100.4.6.1 updated
- python3-base-3.6.15-150300.10.27.1 updated
- libpython3_6m1_0-3.6.15-150300.10.27.1 updated
- python3-3.6.15-150300.10.27.1 updated
- container:sles15-image-15.0.0-17.18.1 updated
- go-1.17-3.20.1 removed
- go1.17-1.17.9-150000.1.31.1 removed
More information about the sle-updates
mailing list