SUSE-CU-2022:917-1: Security update of trento/trento-runner

sle-updates at lists.suse.com sle-updates at lists.suse.com
Fri May 6 15:59:38 UTC 2022


SUSE Container Update Advisory: trento/trento-runner
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2022:917-1
Container Tags        : trento/trento-runner:1.0.0 , trento/trento-runner:1.0.0-rev1.1.0 , trento/trento-runner:1.0.0-rev1.1.0-build4.5.1 , trento/trento-runner:latest
Container Release     : 4.5.1
Severity              : important
Type                  : security
References            : 1029961 1082318 1120610 1120610 1130496 1130496 1172427 1176262
                        1177460 1181131 1181131 1182959 1184124 1186819 1191502 1193086
                        1194642 1194642 1194883 1195149 1195247 1195529 1195792 1195831
                        1195856 1195899 1196025 1196093 1196275 1196406 1196567 1196647
                        1196784 1196939 1197024 1197459 1198062 CVE-2018-20482 CVE-2018-20482
                        CVE-2018-25032 CVE-2019-20916 CVE-2019-9923 CVE-2019-9923 CVE-2021-20193
                        CVE-2021-20193 CVE-2021-3572 CVE-2022-1271 CVE-2022-25236 
-----------------------------------------------------------------

The container trento/trento-runner was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:926-1
Released:    Wed Apr 10 16:33:12 2019
Summary:     Security update for tar
Type:        security
Severity:    moderate
References:  1120610,1130496,CVE-2018-20482,CVE-2019-9923
This update for tar fixes the following issues:

Security issues fixed:

- CVE-2019-9923: Fixed a denial of service while parsing certain archives with malformed extended headers in pax_decode_header() (bsc#1130496).
- CVE-2018-20482: Fixed a denial of service when the '--sparse' option mishandles file shrinkage during read access (bsc#1120610).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:974-1
Released:    Mon Mar 29 19:31:27 2021
Summary:     Security update for tar
Type:        security
Severity:    low
References:  1181131,CVE-2021-20193
This update for tar fixes the following issues:

CVE-2021-20193: Memory leak in read_header() in list.c (bsc#1181131)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2193-1
Released:    Mon Jun 28 18:38:43 2021
Summary:     Recommended update for tar
Type:        recommended
Severity:    moderate
References:  1184124
This update for tar fixes the following issues:

- Link '/var/lib/tests/tar/bin/genfile' as Position-Independent Executable (bsc#1184124)
  
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:844-1
Released:    Tue Mar 15 11:33:57 2022
Summary:     Security update for expat
Type:        security
Severity:    important
References:  1196025,1196784,CVE-2022-25236
This update for expat fixes the following issues:

- Fixed a regression caused by the patch for CVE-2022-25236 (bsc#1196784).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:861-1
Released:    Tue Mar 15 23:30:48 2022
Summary:     Recommended update for openssl-1_1 
Type:        recommended
Severity:    moderate
References:  1182959,1195149,1195792,1195856
This update for openssl-1_1 fixes the following issues:

openssl-1_1:

- Fix PAC pointer authentication in ARM (bsc#1195856)
- Pull libopenssl-1_1 when updating openssl-1_1 with the same version (bsc#1195792)
- FIPS: Fix function and reason error codes (bsc#1182959)
- Enable zlib compression support (bsc#1195149)
    
glibc:

- Resolve installation issue of `glibc-devel` in SUSE Linux Enterprise Micro 5.1
    
linux-glibc-devel:

- Resolve installation issue of `linux-kernel-headers` in SUSE Linux Enterprise Micro 5.1

libxcrypt:

- Resolve installation issue of `libxcrypt-devel` in SUSE Linux Enterprise Micro 5.1

zlib:

- Resolve installation issue of `zlib-devel` in SUSE Linux Enterprise Micro 5.1

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:884-1
Released:    Thu Mar 17 09:47:43 2022
Summary:     Recommended update for python-jsonschema, python-rfc3987, python-strict-rfc3339
Type:        recommended
Severity:    moderate
References:  1082318
This update for python-jsonschema, python-rfc3987, python-strict-rfc3339 fixes the following issues:

- Add patch to fix build with new webcolors.

- update to version 3.2.0 (jsc#SLE-18756):
  * Added a format_nongpl setuptools extra, which installs only format
    dependencies that are non-GPL (#619).

- specfile:
  * require python-importlib-metadata
- update to version 3.1.1:
  * Temporarily revert the switch to js-regex until #611 and #612 are
    resolved.
- changes from version 3.1.0:
  - Regular expressions throughout schemas now respect the ECMA 262
    dialect, as recommended by the specification (#609).

- Activate more of the test suite
- Remove tests and benchmarking from the runtime package
- Update to v3.0.2
  - Fixed a bug where 0 and False were considered equal by
    const and enum
- from v3.0.1
  - Fixed a bug where extending validators did not preserve their 
    notion of which validator property contains $id information.

- Update to 3.0.1:
  - Support for Draft 6 and Draft 7
  - Draft 7 is now the default
  - New TypeChecker object for more complex type definitions (and overrides)
  - Falling back to isodate for the date-time format checker is no longer attempted, in accordance with the specification

- Use %license instead of %doc (bsc#1082318)

- Remove hashbang from runtime module
- Replace PyPI URL with https://github.com/dgerber/rfc3987
- Activate doctests

- Add missing runtime dependency on timezone
- Replace dead link with GitHub URL
- Activate test suite

- Trim bias from descriptions.

- Initial commit, needed by flex
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:905-1
Released:    Mon Mar 21 08:46:09 2022
Summary:     Recommended update for util-linux
Type:        recommended
Severity:    important
References:  1172427,1194642
This update for util-linux fixes the following issues:

- Prevent root owning of `/var/lib/libuuid/clock.txt`. (bsc#1194642)
- Make uuidd lock state file usable and time based UUIDs safer. (bsc#1194642)
- Fix `su -s` bash completion. (bsc#1172427)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:936-1
Released:    Tue Mar 22 18:10:17 2022
Summary:     Recommended update for filesystem and systemd-rpm-macros
Type:        recommended
Severity:    moderate
References:  1196275,1196406
This update for filesystem and systemd-rpm-macros fixes the following issues:

filesystem:

- Add path /lib/modprobe.d (bsc#1196275, jsc#SLE-20639)

systemd-rpm-macros:

- Make %_modprobedir point to /lib/modprobe.d (bsc#1196275, bsc#1196406)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:942-1
Released:    Thu Mar 24 10:30:15 2022
Summary:     Security update for python3
Type:        security
Severity:    moderate
References:  1186819,CVE-2021-3572
This update for python3 fixes the following issues:

- CVE-2021-3572: Fixed an improper handling of unicode characters in pip (bsc#1186819).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1047-1
Released:    Wed Mar 30 16:20:56 2022
Summary:     Recommended update for pam
Type:        recommended
Severity:    moderate
References:  1196093,1197024
This update for pam fixes the following issues:

- Define _pam_vendordir as the variable is needed by systemd and others. (bsc#1196093)
- Between allocating the variable 'ai' and free'ing them, there are two 'return NO' were we don't free this variable. 
  This patch inserts freaddrinfo() calls before the 'return NO;'s. (bsc#1197024)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1061-1
Released:    Wed Mar 30 18:27:06 2022
Summary:     Security update for zlib
Type:        security
Severity:    important
References:  1197459,CVE-2018-25032
This update for zlib fixes the following issues:

- CVE-2018-25032: Fixed memory corruption on deflate (bsc#1197459).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1099-1
Released:    Mon Apr  4 12:53:05 2022
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1194883
This update for aaa_base fixes the following issues:

- Set net.ipv4.ping_group_range to allow ICMP ping (bsc#1194883)
- Include all fixes and changes for systemwide inputrc to remove the 8 bit escape sequence which interfere with UTF-8
  multi byte characters as well as support the vi mode of readline library

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1107-1
Released:    Mon Apr  4 17:49:17 2022
Summary:     Recommended update for util-linux
Type:        recommended
Severity:    moderate
References:  1194642
This update for util-linux fixes the following issue:

- Improve throughput and reduce clock sequence increments for high load situation with time based 
  version 1 uuids. (bsc#1194642)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1118-1
Released:    Tue Apr  5 18:34:06 2022
Summary:     Recommended update for timezone
Type:        recommended
Severity:    moderate
References:  1177460
This update for timezone fixes the following issues:

- timezone update 2022a (bsc#1177460):
  * Palestine will spring forward on 2022-03-27, not on 03-26
  * `zdump -v` now outputs better failure indications
  * Bug fixes for code that reads corrupted TZif data

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1158-1
Released:    Tue Apr 12 14:44:43 2022
Summary:     Security update for xz
Type:        security
Severity:    important
References:  1198062,CVE-2022-1271
This update for xz fixes the following issues:

- CVE-2022-1271: Fixed an incorrect escaping of malicious filenames (ZDI-CAN-16587). (bsc#1198062)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1170-1
Released:    Tue Apr 12 18:20:07 2022
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1191502,1193086,1195247,1195529,1195899,1196567
This update for systemd fixes the following issues:

- Fix the default target when it's been incorrectly set to one of the runlevel targets (bsc#1196567)
- When migrating from sysvinit to systemd (it probably won't happen anymore),
  let's use the default systemd target, which is the graphical.target one.
- Don't open /var journals in volatile mode when runtime_journal==NULL
- udev: 60-persistent-storage-tape.rules: handle duplicate device ID (bsc#1195529)
- man: tweak description of auto/noauto (bsc#1191502)
- shared/install: ignore failures for auxiliary files
- install: make UnitFileChangeType enum anonymous
- shared/install: reduce scope of iterator variables
- systemd-coredump: allow setting external core size to infinity (bsc#1195899 jsc#SLE-23867)
- Update s390 udev rules conversion script to include the case when the legacy rule was also 41-* (bsc#1195247)
- Drop or soften some of the deprecation warnings (bsc#1193086)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1281-1
Released:    Wed Apr 20 12:26:38 2022
Summary:     Recommended update for libtirpc
Type:        recommended
Severity:    moderate
References:  1196647
This update for libtirpc fixes the following issues:

- Add option to enforce connection via protocol version 2 first (bsc#1196647)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1302-1
Released:    Fri Apr 22 10:04:46 2022
Summary:     Recommended update for e2fsprogs
Type:        recommended
Severity:    moderate
References:  1196939
This update for e2fsprogs fixes the following issues:

- Add support for 'libreadline7' for Leap. (bsc#1196939)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1333-1
Released:    Mon Apr 25 11:29:26 2022
Summary:     Recommended update for sles15-image
Type:        recommended
Severity:    moderate
References:  
This update for sles15-image fixes the following issues:

- Add zypper explicitly to work around obs-build bug (gh#openSUSE/obs-build#562)
- Add com.suse.supportlevel label (jsc#BCI-40)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1454-1
Released:    Thu Apr 28 11:15:06 2022
Summary:     Security update for python-pip
Type:        security
Severity:    moderate
References:  1176262,1195831,CVE-2019-20916
This update for python-pip fixes the following issues:

- Add wheel subpackage with the generated wheel for this package
  (bsc#1176262, CVE-2019-20916).

- Make wheel a separate build run to avoid the setuptools/wheel build
  cycle.

- Switch this package to use update-alternatives for all files
  in %{_bindir} so it doesn't collide with the versions on
  'the latest' versions of Python interpreter (jsc#SLE-18038,
  bsc#1195831).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1548-1
Released:    Thu May  5 16:45:28 2022
Summary:     Security update for tar
Type:        security
Severity:    moderate
References:  1029961,1120610,1130496,1181131,CVE-2018-20482,CVE-2019-9923,CVE-2021-20193
This update for tar fixes the following issues:

- CVE-2021-20193: Fixed a memory leak in read_header() in list.c (bsc#1181131).
- CVE-2019-9923: Fixed a null-pointer dereference in pax_decode_header in sparse.c (bsc#1130496).
- CVE-2018-20482: Fixed infinite read loop in sparse_dump_region in sparse.c (bsc#1120610).

- Update to GNU tar 1.34:
  * Fix extraction over pipe
  * Fix memory leak in read_header (CVE-2021-20193) (bsc#1181131)
  * Fix extraction when . and .. are unreadable
  * Gracefully handle duplicate symlinks when extracting
  * Re-initialize supplementary groups when switching to user
    privileges

- Update to GNU tar 1.33:
  * POSIX extended format headers do not include PID by default
  * --delay-directory-restore works for archives with reversed
    member ordering
  * Fix extraction of a symbolic link hardlinked to another
    symbolic link
  * Wildcards in exclude-vcs-ignore mode don't match slash
  * Fix the --no-overwrite-dir option
  * Fix handling of chained renames in incremental backups
  * Link counting works for file names supplied with -T
  * Accept only position-sensitive (file-selection) options in file
    list files

- prepare usrmerge (bsc#1029961)

- Update to GNU 1.32
  * Fix the use of --checkpoint without explicit --checkpoint-action
  * Fix extraction with the -U option
  * Fix iconv usage on BSD-based systems
  * Fix possible NULL dereference (savannah bug #55369)
    [bsc#1130496] [CVE-2019-9923]
  * Improve the testsuite

- Update to GNU 1.31
  * Fix heap-buffer-overrun with --one-top-level, bug introduced
    with the addition of that option in 1.28
  * Support for zstd compression
  * New option '--zstd' instructs tar to use zstd as compression
    program. When listing, extractng and comparing, zstd compressed
    archives are recognized automatically. When '-a' option is in
    effect, zstd compression is selected if the destination archive
    name ends in '.zst' or '.tzst'.
  * The -K option interacts properly with member names given in the
    command line. Names of members to extract can be specified along
    with the '-K NAME' option. In this case, tar will extract NAME
    and those of named members that appear in the archive after it,
    which is consistent with the semantics of the option. Previous
    versions of tar extracted NAME, those of named members that
    appeared before it, and everything after it.
  * Fix CVE-2018-20482 - When creating archives with the --sparse
    option, previous versions of tar would loop endlessly if a
    sparse file had been truncated while being archived.


The following package changes have been done:

- libldap-data-2.4.46-9.64.1 updated
- filesystem-15.0-11.8.1 updated
- libtirpc-netconfig-1.2.6-150300.3.3.1 updated
- glibc-2.31-150300.20.7 updated
- libuuid1-2.36.2-150300.4.20.1 updated
- libsmartcols1-2.36.2-150300.4.20.1 updated
- libcrypt1-4.4.15-150300.4.2.41 updated
- libblkid1-2.36.2-150300.4.20.1 updated
- libfdisk1-2.36.2-150300.4.20.1 updated
- libz1-1.2.11-150000.3.30.1 updated
- liblzma5-5.2.3-150000.4.7.1 updated
- libcom_err2-1.43.8-150000.4.29.1 updated
- libopenssl1_1-1.1.1d-11.43.1 updated
- libopenssl1_1-hmac-1.1.1d-11.43.1 updated
- libudev1-246.16-150300.7.42.1 updated
- libmount1-2.36.2-150300.4.20.1 updated
- libtirpc3-1.2.6-150300.3.3.1 updated
- libldap-2_4-2-2.4.46-9.64.1 updated
- libsystemd0-246.16-150300.7.42.1 updated
- pam-1.3.0-150000.6.55.3 updated
- util-linux-2.36.2-150300.4.20.1 updated
- aaa_base-84.87+git20180409.04c9dae-3.57.1 updated
- openssl-1_1-1.1.1d-11.43.1 updated
- tar-1.34-150000.3.12.1 added
- libexpat1-2.2.5-3.19.1 updated
- timezone-2022a-150000.75.7.1 updated
- python3-base-3.6.15-150300.10.21.1 updated
- libpython3_6m1_0-3.6.15-150300.10.21.1 updated
- python3-3.6.15-150300.10.21.1 updated
- python3-six-1.14.0-12.1 updated
- python3-pip-20.0.2-150100.6.18.1 updated
- container:sles15-image-15.0.0-17.12.1 updated
- golang-github-prometheus-node_exporter-1.1.2-3.9.3 removed
- trento-premium-0.9.1+git.dev82.1646995460.425fc30-150300.3.13.1 removed


More information about the sle-updates mailing list