SUSE-CU-2023:1498-1: Security update of trento/trento-web

sle-updates at lists.suse.com sle-updates at lists.suse.com
Tue May 9 16:10:25 UTC 2023


SUSE Container Update Advisory: trento/trento-web
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:1498-1
Container Tags        : trento/trento-web:2.0.0 , trento/trento-web:2.0.0-build4.21.2 , trento/trento-web:latest
Container Release     : 4.21.2
Severity              : important
Type                  : security
References            : 1065270 1121365 1177460 1194038 1198472 1199132 1199467 1200657
                        1200723 1202436 1202436 1203599 1203600 1203652 1203857 1204423
                        1204585 1204585 1205000 1205126 1205646 1206309 1206738 1207533
                        1207534 1207536 1207538 1207571 1207753 1207957 1207975 1207992
                        1208358 1209209 1209210 1209211 1209212 1209214 1209533 1209624
                        1209873 1209878 1210411 1210412 1210507 CVE-2021-3541 CVE-2022-29824
                        CVE-2022-42898 CVE-2022-4304 CVE-2022-43552 CVE-2022-4415 CVE-2022-4450
                        CVE-2022-48303 CVE-2022-4899 CVE-2023-0215 CVE-2023-0286 CVE-2023-0464
                        CVE-2023-0465 CVE-2023-0466 CVE-2023-0687 CVE-2023-23916 CVE-2023-27533
                        CVE-2023-27534 CVE-2023-27535 CVE-2023-27536 CVE-2023-27538 CVE-2023-28484
                        CVE-2023-29383 CVE-2023-29469 
-----------------------------------------------------------------

The container trento/trento-web was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:4256-1
Released:    Mon Nov 28 12:36:32 2022
Summary:     Recommended update for gcc12
Type:        recommended
Severity:    moderate
References:  
This update for gcc12 fixes the following issues:

This update ship the GCC 12 compiler suite and its base libraries.

The compiler baselibraries are provided for all SUSE Linux Enterprise 15
versions and replace the same named GCC 11 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux
Enterprise 15 SP3 and SP4, and provided in the 'Development Tools' module.

The Go, D and Ada language compiler parts are available unsupported via the
PackageHub repositories.

To use gcc12 compilers use:

- install 'gcc12' or 'gcc12-c++' or one of the other 'gcc12-COMPILER' frontend packages.
- override your Makefile to use CC=gcc12, CXX=g++12 and similar overrides for the other languages.

For a full changelog with all new GCC12 features, check out

	https://gcc.gnu.org/gcc-12/changes.html


-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:4312-1
Released:    Fri Dec  2 11:16:47 2022
Summary:     Recommended update for tar
Type:        recommended
Severity:    moderate
References:  1200657,1203600
This update for tar fixes the following issues:

- Fix unexpected inconsistency when making directory (bsc#1203600)
- Update race condition fix (bsc#1200657)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:4630-1
Released:    Wed Dec 28 09:25:18 2022
Summary:     Security update for systemd
Type:        security
Severity:    important
References:  1200723,1203857,1204423,1205000,CVE-2022-4415
This update for systemd fixes the following issues:

- CVE-2022-4415: Fixed systemd-coredump that did not respect the fs.suid_dumpable kernel setting (bsc#1205000).

Bug fixes:

- Support by-path devlink for multipath nvme block devices (bsc#1200723).
- Set SYSTEMD_NSS_DYNAMIC_BYPASS=1 env var for dbus-daemon (bsc#1203857).
- Restrict cpu rule to x86_64, and also update the rule files to make use of the 'CONST{arch}' syntax (bsc#1204423).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:4633-1
Released:    Wed Dec 28 09:32:15 2022
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1206309,CVE-2022-43552
This update for curl fixes the following issues:

- CVE-2022-43552: HTTP Proxy deny use-after-free (bsc#1206309).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:25-1
Released:    Thu Jan  5 09:51:41 2023
Summary:     Recommended update for timezone
Type:        recommended
Severity:    moderate
References:  1177460
This update for timezone fixes the following issues:

Version update from 2022f to 2022g (bsc#1177460):

- In the Mexican state of Chihuahua:
  * The border strip near the US will change to agree with nearby US locations on 2022-11-30.
  * The strip's western part, represented by Ciudad Juarez, switches from -06 all year to -07/-06 with US DST rules,
    like El Paso, TX.
  * The eastern part, represented by Ojinaga, will observe US DST next year, like Presidio, TX.
  * A new Zone America/Ciudad_Juarez splits from America/Ojinaga.
- Much of Greenland, represented by America/Nuuk, stops observing winter time after March 2023, so its daylight saving
  time becomes standard time.
- Changes for pre-1996 northern Canada
- Update to past DST transition in Colombia (1993), Singapore (1981)
- 'timegm' is now supported by default

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:48-1
Released:    Mon Jan  9 10:37:54 2023
Summary:     Recommended update for libtirpc
Type:        recommended
Severity:    moderate
References:  1199467
This update for libtirpc fixes the following issues:

- Consider /proc/sys/net/ipv4/ip_local_reserved_ports, before binding to a random port (bsc#1199467)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:157-1
Released:    Thu Jan 26 15:54:43 2023
Summary:     Recommended update for util-linux
Type:        recommended
Severity:    moderate
References:  1194038,1205646
This update for util-linux fixes the following issues:

- libuuid continuous clock handling for time based UUIDs:
  Prevent use of the new libuuid ABI by uuidd %post before update
  of libuuid1 (bsc#1205646).
- Use chown --quiet to prevent error message if /var/lib/libuuid/clock.txt
  does not exist.
- Fix tests not passing when '@' character is in build path: 
  Fixes rpmbuild %checks fail when @ in the directory path (bsc#1194038).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:176-1
Released:    Thu Jan 26 20:56:20 2023
Summary:     Recommended update for permissions
Type:        recommended
Severity:    moderate
References:  1206738
This update for permissions fixes the following issues:

Update to version 20181225:

* Backport postfix permissions to SLE 15 SP2 (bsc#1206738)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:179-1
Released:    Thu Jan 26 21:54:30 2023
Summary:     Recommended update for tar
Type:        recommended
Severity:    low
References:  1202436
This update for tar fixes the following issue:

- Fix hang when unpacking test tarball (bsc#1202436)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:188-1
Released:    Fri Jan 27 12:07:19 2023
Summary:     Recommended update for zlib
Type:        recommended
Severity:    important
References:  1203652
This update for zlib fixes the following issues:

- Follow up fix for bug bsc#1203652 due to libxml2 issues

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:198-1
Released:    Fri Jan 27 14:26:54 2023
Summary:     Security update for krb5
Type:        security
Severity:    important
References:  1205126,CVE-2022-42898
This update for krb5 fixes the following issues:

- CVE-2022-42898: Fixed integer overflow in PAC parsing (bsc#1205126).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:310-1
Released:    Tue Feb  7 17:35:34 2023
Summary:     Security update for openssl-1_1
Type:        security
Severity:    important
References:  1121365,1198472,1207533,1207534,1207536,1207538,CVE-2022-4304,CVE-2022-4450,CVE-2023-0215,CVE-2023-0286
This update for openssl-1_1 fixes the following issues:

- CVE-2023-0286: Fixed X.400 address type confusion in X.509 GENERAL_NAME_cmp for x400Address (bsc#1207533).
- CVE-2023-0215: Fixed use-after-free following BIO_new_NDEF() (bsc#1207536).
- CVE-2022-4450: Fixed double free after calling PEM_read_bio_ex() (bsc#1207538).
- CVE-2022-4304: Fixed timing Oracle in RSA Decryption (bsc#1207534).
- FIPS: list only FIPS approved public key algorithms (bsc#1121365, bsc#1198472)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:463-1
Released:    Mon Feb 20 16:33:39 2023
Summary:     Security update for tar
Type:        security
Severity:    moderate
References:  1202436,1207753,CVE-2022-48303
This update for tar fixes the following issues:

- CVE-2022-48303: Fixed a one-byte out-of-bounds read that resulted in use of uninitialized memory for a conditional jump (bsc#1207753). 

Bug fixes:

- Fix hang when unpacking test tarball (bsc#1202436).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:676-1
Released:    Wed Mar  8 14:33:23 2023
Summary:     Recommended update for libxml2
Type:        recommended
Severity:    moderate
References:  1204585
This update for libxml2 fixes the following issues:

- Add W3C conformance tests to the testsuite (bsc#1204585):
  * Added file xmlts20080827.tar.gz 

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:776-1
Released:    Thu Mar 16 17:29:23 2023
Summary:     Recommended update for gcc12
Type:        recommended
Severity:    moderate
References:  
This update for gcc12 fixes the following issues:

This update ships gcc12 also to the SUSE Linux Enterprise 15 SP1 LTSS and 15 SP2 LTSS products.

SUSE Linux Enterprise 15 SP3 and SP4 get only refreshed builds without changes


This update ship the GCC 12 compiler suite and its base libraries.

The compiler baselibraries are provided for all SUSE Linux Enterprise 15
versions and replace the same named GCC 11 ones.

The new compilers for C, C++, and Fortran are provided in the SUSE Linux
Enterprise Module for Development Tools.

To use gcc12 compilers use:

- install 'gcc12' or 'gcc12-c++' or one of the other 'gcc12-COMPILER' frontend packages.
- override your makefile to use CC=gcc12, CXX=g++12 and similar overrides for the other languages.

For a full changelog with all new GCC12 features, check out

	https://gcc.gnu.org/gcc-12/changes.html


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:1711-1
Released:    Fri Mar 31 13:33:04 2023
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1207992,1209209,1209210,1209211,1209212,1209214,CVE-2023-23916,CVE-2023-27533,CVE-2023-27534,CVE-2023-27535,CVE-2023-27536,CVE-2023-27538
This update for curl fixes the following issues:

- CVE-2023-27533: Fixed TELNET option IAC injection (bsc#1209209).
- CVE-2023-27534: Fixed SFTP path ~ resolving discrepancy (bsc#1209210).
- CVE-2023-27535: Fixed FTP too eager connection reuse (bsc#1209211).
- CVE-2023-27536: Fixed GSS delegation too eager connection reuse (bsc#1209212).
- CVE-2023-27538: Fixed SSH connection too eager reuse still (bsc#1209214).
- CVE-2023-23916: Fixed HTTP multi-header compression denial of service (bsc#1207992).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:1718-1
Released:    Fri Mar 31 15:47:34 2023
Summary:     Security update for glibc
Type:        security
Severity:    moderate
References:  1207571,1207957,1207975,1208358,CVE-2023-0687
This update for glibc fixes the following issues:

Security issue fixed:

- CVE-2023-0687: Fix allocated buffer overflow in gmon (bsc#1207975)

Other issues fixed:

- Fix avx2 strncmp offset compare condition check (bsc#1208358)
- elf: Allow dlopen of filter object to work (bsc#1207571)
- powerpc: Fix unrecognized instruction errors with recent GCC
- x86: Cache computation for AMD architecture (bsc#1207957)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:1790-1
Released:    Thu Apr  6 15:36:15 2023
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1209624,1209873,1209878,CVE-2023-0464,CVE-2023-0465,CVE-2023-0466
This update for openssl-1_1 fixes the following issues:

- CVE-2023-0464: Fixed excessive Resource Usage Verifying X.509 Policy Constraints (bsc#1209624).
- CVE-2023-0465: Invalid certificate policies in leaf certificates were silently ignored (bsc#1209878).
- CVE-2023-0466: Certificate policy check were not enabled (bsc#1209873).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:1805-1
Released:    Tue Apr 11 10:12:41 2023
Summary:     Recommended update for timezone
Type:        recommended
Severity:    important
References:  
This update for timezone fixes the following issues:

- Version update from 2022g to 2023c:
  * Egypt now uses DST again, from April through October.
  * This year Morocco springs forward April 23, not April 30.
  * Palestine delays the start of DST this year.
  * Much of Greenland still uses DST from 2024 on.
  * America/Yellowknife now links to America/Edmonton.
  * tzselect can now use current time to help infer timezone.
  * The code now defaults to C99 or later.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:1945-1
Released:    Fri Apr 21 14:13:27 2023
Summary:     Recommended update for elfutils
Type:        recommended
Severity:    moderate
References:  1203599
This update for elfutils fixes the following issues:

- go1.19 builds created debuginfo that was not extractable using rpm / elfutils 0.177. (bsc#1203599)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2048-1
Released:    Wed Apr 26 21:05:45 2023
Summary:     Security update for libxml2
Type:        security
Severity:    important
References:  1065270,1199132,1204585,1210411,1210412,CVE-2021-3541,CVE-2022-29824,CVE-2023-28484,CVE-2023-29469
This update for libxml2 fixes the following issues:

- CVE-2023-29469: Fixed inconsistent result when hashing empty strings (bsc#1210412).
- CVE-2023-28484: Fixed NULL pointer dereference in xmlSchemaFixupComplexType (bsc#1210411).
- CVE-2022-29824: Fixed integer overflow leading to out-of-bounds write in buf.c (bsc#1199132). 
  
  The following non-security bugs were fixed:

- Added W3C conformance tests to the testsuite (bsc#1204585).
- Fixed NULL pointer dereference when parsing invalid data (glgo#libxml2!15) (bsc#1065270) . 

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2070-1
Released:    Fri Apr 28 13:56:33 2023
Summary:     Security update for shadow
Type:        security
Severity:    moderate
References:  1210507,CVE-2023-29383
This update for shadow fixes the following issues:

- CVE-2023-29383: Fixed apparent /etc/shadow manipulation via chfn (bsc#1210507).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2074-1
Released:    Fri Apr 28 17:02:25 2023
Summary:     Security update for zstd
Type:        security
Severity:    moderate
References:  1209533,CVE-2022-4899
This update for zstd fixes the following issues:

- CVE-2022-4899: Fixed buffer overrun in util.c (bsc#1209533).


The following package changes have been done:

- libtirpc-netconfig-1.2.6-150300.3.17.1 updated
- glibc-2.31-150300.46.1 updated
- libsepol1-3.1-150400.1.70 updated
- liblz4-1-1.9.3-150400.1.7 updated
- libgpg-error0-1.42-150400.1.101 updated
- libcap2-2.63-150400.1.7 updated
- libbz2-1-1.0.8-150400.1.122 updated
- libaudit1-3.0.6-150400.2.13 updated
- libzstd1-1.5.0-150400.3.3.1 updated
- libuuid1-2.37.2-150400.8.14.1 updated
- libudev1-249.16-150400.8.25.7 updated
- libsmartcols1-2.37.2-150400.8.14.1 updated
- libeconf0-0.4.6+git20220427.3016f4e-150400.3.3.1 updated
- libcom_err2-1.46.4-150400.3.3.1 updated
- libblkid1-2.37.2-150400.8.14.1 updated
- libgcrypt20-1.9.4-150400.6.8.1 updated
- libgcrypt20-hmac-1.9.4-150400.6.8.1 updated
- libfdisk1-2.37.2-150400.8.14.1 updated
- libz1-1.2.11-150000.3.39.1 updated
- libgcc_s1-12.2.1+git416-150000.1.7.1 updated
- libstdc++6-12.2.1+git416-150000.1.7.1 updated
- libelf1-0.185-150400.5.3.1 updated
- libxml2-2-2.9.14-150400.5.16.1 updated
- libsystemd0-249.16-150400.8.25.7 updated
- libopenssl1_1-1.1.1l-150400.7.34.1 updated
- libopenssl1_1-hmac-1.1.1l-150400.7.34.1 updated
- libdw1-0.185-150400.5.3.1 updated
- patterns-base-fips-20200124-150400.20.4.1 updated
- libselinux1-3.1-150400.1.69 updated
- libreadline7-7.0-150400.25.22 updated
- libsemanage1-3.1-150400.1.65 updated
- bash-4.4-150400.25.22 updated
- cpio-2.13-150400.1.98 updated
- libmount1-2.37.2-150400.8.14.1 updated
- krb5-1.19.2-150400.3.3.1 updated
- login_defs-4.8.1-150400.10.6.1 updated
- coreutils-8.32-150400.7.5 updated
- libssh4-0.9.6-150400.1.5 updated
- libtirpc3-1.2.6-150300.3.17.1 updated
- sles-release-15.4-150400.58.7.3 updated
- libcurl4-7.79.1-150400.5.18.1 updated
- rpm-config-SUSE-1-150400.14.3.1 updated
- permissions-20201225-150400.5.16.1 updated
- shadow-4.8.1-150400.10.6.1 updated
- sysuser-shadow-3.1-150400.1.35 updated
- system-group-hardware-20170617-150400.22.33 updated
- util-linux-2.37.2-150400.8.14.1 updated
- timezone-2023c-150000.75.23.1 updated
- tar-1.34-150000.3.31.1 updated
- container:bci-nodejs-16-15.0.0-27.14.56 added
- container:sles15-image-15.0.0-27.14.56 updated
- container:nodejs-16-image-15.0.0-17.20.75 removed
- libebl-plugins-0.177-150300.11.3.1 removed


More information about the sle-updates mailing list