SUSE-CU-2023:3071-1: Security update of ses/7.1/ceph/grafana

sle-updates at lists.suse.com sle-updates at lists.suse.com
Thu Sep 21 07:32:02 UTC 2023


SUSE Container Update Advisory: ses/7.1/ceph/grafana
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3071-1
Container Tags        : ses/7.1/ceph/grafana:9.5.5 , ses/7.1/ceph/grafana:9.5.5.3.4.156 , ses/7.1/ceph/grafana:latest , ses/7.1/ceph/grafana:sle15.3.pacific
Container Release     : 3.4.156
Severity              : critical
Type                  : security
References            : 1089497 1158763 1192154 1192696 1198165 1200480 1201535 1201539
                        1201627 1202234 1203185 1203596 1203597 1204501 1206627 1207534
                        1208721 1209229 1209565 1209645 1210740 1210907 1210999 1211078
                        1211261 1211419 1211661 1211828 1212099 1212100 1212187 1212187
                        1212222 1212260 1212641 1213189 1213231 1213487 1213517 1213557
                        1213673 1213853 1214052 1214054 1214290 1214768 CVE-2020-7753
                        CVE-2021-3807 CVE-2021-3918 CVE-2021-43138 CVE-2022-0155 CVE-2022-27664
                        CVE-2022-31097 CVE-2022-31107 CVE-2022-32149 CVE-2022-35957 CVE-2022-36062
                        CVE-2022-4304 CVE-2023-1387 CVE-2023-1410 CVE-2023-2183 CVE-2023-22652
                        CVE-2023-2603 CVE-2023-2801 CVE-2023-30078 CVE-2023-30079 CVE-2023-3128
                        CVE-2023-31484 CVE-2023-32181 CVE-2023-3446 CVE-2023-36054 CVE-2023-3817
                        CVE-2023-39615 CVE-2023-4016 CVE-2023-4039 
-----------------------------------------------------------------

The container ses/7.1/ceph/grafana was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2497-1
Released:    Tue Jun 13 15:37:25 2023
Summary:     Recommended update for libzypp
Type:        recommended
Severity:    important
References:  1211661,1212187
This update for libzypp fixes the following issues:

- Fix 'Curl error 92' when synchronizing SUSE Manager repositories. [bsc#1212187]
- Do not unconditionally release a medium if provideFile failed. [bsc#1211661]

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2575-1
Released:    Wed Jun 21 13:41:49 2023
Summary:     Security update for SUSE Manager Client Tools
Type:        security
Severity:    important
References:  1192154,1192696,1200480,1201535,1201539,1203185,1203596,1203597,1204501,1209645,1210907,CVE-2020-7753,CVE-2021-3807,CVE-2021-3918,CVE-2021-43138,CVE-2022-0155,CVE-2022-27664,CVE-2022-31097,CVE-2022-31107,CVE-2022-32149,CVE-2022-35957,CVE-2022-36062,CVE-2023-1387,CVE-2023-1410
This update fixes the following issues:

grafana:

- Version update from 8.5.22 to 9.5.1 (jsc#PED-3694):
  * Security fixes:
    - CVE-2023-1410: grafana: Stored XSS in Graphite FunctionDescription tooltip (bsc#1209645)
    - CVE-2023-1387: grafana: JWT URL-login flow leaks token to data sources through request parameter in proxy requests
      (bnc#1210907)
    - CVE-2022-36062: grafana: Fix RBAC folders/dashboards privilege escalation (bsc#1203596)
    - CVE-2022-35957: grafana: Escalation from admin to server admin when auth proxy is used (bsc#1203597)
    - CVE-2022-32149: Upgrade x/text to version unaffected by CVE-2022-32149 (bsc#1204501)
    - CVE-2022-31107: grafana: OAuth account takeover (bsc#1201539)
    - CVE-2022-31097: grafana: stored XSS vulnerability (bsc#1201535)
    - CVE-2022-27664: go1.18,go1.19: net/http: handle server errors after sending GOAWAY (bsc#1203185)
    - CVE-2022-0155: follow-redirects: Exposure of Private Personal Information to an Unauthorized Actor
    - CVE-2021-43138: spacewalk-web: a malicious user can obtain privileges via the mapValues() method(bsc#1200480)
    - CVE-2021-3918: json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes
      ('Prototype Pollution') (bsc#1192696)
    - CVE-2021-3807: node-ansi-regex: Inefficient Regular Expression Complexity in chalk/ansi-regex (bsc#1192154)
    - CVE-2020-7753: nodejs-trim: Regular Expression Denial of Service (ReDoS) in trim function 
  * Important changes:
    - Default named retention policies won't be used to query.
      Users who have a default named retention policy in their influxdb database, have to rename it to something else.
      To change the hardcoded retention policy in the dashboard.json, users must then select the right retention policy
      from dropdown and save the panel/dashboard.
    - Grafana Alerting rules with NoDataState configuration set to Alerting will now respect 'For' duration.
    - Users who use LDAP role sync to only sync Viewer, Editor and Admin roles, but grant Grafana Server Admin role
      manually will not be able to do that anymore. After this change, LDAP role sync will override any manual changes
      to Grafana Server Admin role assignments. If grafana_admin is left unset in LDAP role mapping configuration, it
      will default to false.
    - The InfluxDB backend migration feature toggle (influxdbBackendMigration) has been reintroduced in this version
      as issues were discovered with backend processing of InfluxDB data. Unless this feature toggle is enabled, all
      InfluxDB data will be parsed in the frontend. This frontend processing is the default behavior. 
      In Grafana 9.4.4, InfluxDB data parsing started to be handled in the backend. If you have upgraded to 9.4.4
      and then added new transformations on InfluxDB data, those panels will fail to render. To resolve this either:
      Remove the affected panel and re-create it or edit the `time` field as `Time` in `panel.json` 
      or `dashboard.json`
    - The `@grafana/ui` package helper function `selectOptionInTest` used in frontend tests has been removed as it
      caused testing libraries to be bundled in the production code of Grafana. If you were using this helper function
      in your tests please update your code accordingly.
    - Removed deprecated `checkHealth` prop from the `@grafana/e2e` `addDataSource` configuration. Previously this
      value defaulted to `false`, and has not been used in end-to-end tests since Grafana 8.0.3.
    - Removed the deprecated `LegacyBaseMap`, `LegacyValueMapping`, `LegacyValueMap`, and `LegacyRangeMap` types, and
      `getMappedValue` function from grafana-data. See the documentation for the migration.
      This change fixes a bug in Grafana where intermittent failure of database, network between Grafana and the
      database, or error in querying the database would cause all alert rules to be unscheduled in Grafana. 
      Following this change scheduled alert rules are not updated unless the query is successful.
    - The `get_alert_rules_duration_seconds` metric has been renamed to `schedule_query_alert_rules_duration_seconds`
    - Any secret (data sources credential, alert manager credential, etc, etc) created or modified with Grafana v9.0
      won't be decryptable from any previous version (by default) because the way encrypted secrets are stored into the
      database has changed. Although secrets created or modified with previous versions will still be decryptable by
      Grafana v9.0.
    - If required, although generally discouraged, the `disableEnvelopeEncryption` feature toggle can be enabled to
      keep envelope encryption disabled once updating to Grafana
    - In case of need to rollback to an earlier version of Grafana (i.e. Grafana v8.x) for any reason, after being
      created or modified any secret with Grafana v9.0, the `envelopeEncryption` feature toggle will need to be enabled
      to keep backwards compatibility (only from `v8.3.x` a bit unstable, from `8.5.x` stable).
    - As a final attempt to deal with issues related with the aforementioned situations, the 
      `grafana-cli admin secrets-migration rollback` command has been designed to move back all the Grafana secrets
      encrypted with envelope encryption to legacy encryption. So, after running that command it should be safe to
      disable envelope encryption and/or roll back to a previous version of Grafana.
      Alternatively or complementarily to all the points above, backing up the Grafana database before updating could
      be a good idea to prevent disasters (although the risk of getting some secrets corrupted only applies to those 
      updates/created with after updating to Grafana v9.0).
    - In Elasticsearch, browser access mode was deprecated in grafana 7.4.0 and removed in 9.0.0. If you used this mode
      please switch to server access mode on the datasource configuration page.
    - Environment variables passed from Grafana to external Azure plugins have been renamed:
      `AZURE_CLOUD` renamed to `GFAZPL_AZURE_CLOUD`,
      `AZURE_MANAGED_IDENTITY_ENABLED` renamed to `GFAZPL_MANAGED_IDENTITY_ENABLED`,
      `AZURE_MANAGED_IDENTITY_CLIENT_ID` renamed to `GFAZPL_MANAGED_IDENTITY_CLIENT_ID`.
      There are no known plugins which were relying on these variables. Moving forward plugins should read Azure
      settings only via Grafana Azure SDK which properly handles old and new environment variables.
    - Removes support for for ElasticSearch versions after their end-of-life, currently versions < 7.10.0.
      To continue to use ElasticSearch data source, upgrade ElasticSearch to version 7.10.0+.
    - Application Insights and Insight Analytics queries in Azure Monitor were deprecated in Grafana 8.0 and finally
      removed in 9.0. Deprecated queries will no longer be executed.
    - grafana/ui: Button now specifies a default type='button'.
      The `Button` component provided by @grafana/ui now specifies a default `type='button'` when no type is provided.
      In previous versions, if the attribute was not specified for buttons associated with a `<form>` the
      default value was `submit` per the specification. You can preserve the old behavior by explicitly setting the
      type attribute: `<Button type='submit' />`
    - The `Rename by regex` transformation has been improved to allow global patterns of the form 
      `/<stringToReplace>/g`.
      Depending on the regex match used, this may cause some transformations to behave slightly differently. You can
      guarantee the same behaviour as before by wrapping the `match` string in forward slashes (`/`), e.g. `(.*)` would
      become `/(.*)/`
    - `<Select />` menus will now portal to the document body by default. This is to give more consistent
      behaviour when positioning and overlaying. If you were setting`menuShouldPortal={true}` before you can safely 
      remove that prop and behaviour will be the same. If you weren't explicitly setting that prop, there should be no
      visible changes in behaviour but your tests may need updating. If you were setting `menuShouldPortal={false}`
      this will continue to prevent the menu from portalling.
    - Grafana alerting endpoint prefixed with `api/v1/rule/test` that tests a rule against a Corte/Loki data source now
      expects the data source UID as a path parameter instead of the data source numeric identifier.
    - Grafana alerting endpoints prefixed with `api/prometheus/` that proxy requests to a Cortex/Loki data source now
      expect the data source UID as a path parameter instead of the data source numeric identifier.
    - Grafana alerting endpoints prefixed with `api/ruler/` that proxy requests to a Cortex/Loki data source now expect
      the data source UID as a path parameter instead of the data
    - Grafana alerting endpoints prefixed with `api/alertmanager/` that proxy requests to an Alertmanager now expect
      the data source UID as a path parameter instead of the data source numeric identifier.
    - The format of log messages have been updated, `lvl` is now `level` and `eror`and `dbug` has been replaced with
      `error` and `debug`. The precision of timestamps has been increased.
      To smooth the transition, it is possible to opt-out of the new log format by enabling the feature toggle
      `oldlog`.
      This option will be removed in a future minor release.
    - In the Loki data source, the dataframe format used to represent Loki logs-data has been changed to a more
      efficient format. The query-result is represented by a single dataframe with a 'labels' column, instead of the
      separate dataframes for every labels-value. When displaying such data in explore, or in a logs-panel in the
      dashboard will continue to work without changes, but if the data was loaded into a different dashboard-panel, or
      Transforms were used, adjustments may be necessary. For example, if you used the 'labels to fields' 
      transformation with the logs data, please switch to the 'extract fields' transformation.
  * Deprecations:
    - The `grafana_database_conn_*` metrics are deprecated, and will be removed in a future version of Grafana. Use 
      the `go_sql_stats_*` metrics instead.
    - Support for compact Explore URLs is deprecated and will be removed in a future release. Until then, when
      navigating to Explore using the deprecated format the URLs are automatically converted. If you have
      existing links pointing to Explore update them using the format generated by Explore upon navigation.
      You can identify a compact URL by its format. Compact URLs have the left (and optionally right) url parameter as
      an array of strings, for example `&left=['now-1h','now'...]`. The standard explore URLs follow a key/value
      pattern, for example `&left={'datasource':'test'...}`. Please be sure to check your dashboards for any
      hardcoded links to Explore and update them to the standard URL pattern.
    - Chore: Remove deprecated DataSourceAPI methods.
    - Data: Remove deprecated types and functions from valueMappings.
    - Elasticsearch: Remove browser access mode.
    - Elasticsearch: Remove support for versions after their end of the life (<7.10.0).
    - Explore: Remove support for legacy, compact format URLs.
    - Graph: Deprecate Graph (old) and make it no longer a visualization option for new panels.
    - `setExploreQueryField`, `setExploreMetricsQueryField` and `setExploreLogsQueryField` are now deprecated and will
      be removed in a future release. If you need to set a different query editor for Explore, conditionally render
      based on `props.app` in your regular query editor.
  * Changes:
    - User: Fix externalUserId not being populated.
      If you used any of these components please use them from grafana/experimental from now on:
       - AccessoryButton
       - EditorFieldGroup
       - EditorHeader
       - EditorField
       - EditorRow
       - EditorList
       - EditorRows
       - EditorSwitch
       - FlexItem
       - Stack
       - InlineSelect
       - InputGroup
       - Space
    - Starting with 9.1.0, existing heatmap panels will start using a new implementation. This can be disabled by
      setting the `useLegacyHeatmapPanel` feature flag to true. It can be tested on a single dashbobard by adding
      `?__feature.useLegacyHeatmapPanel=true` to any dashboard URL.
    - Logger: Enable new logging format by default.
    - Loki: Enable new visual query builder by default.
    - Plugins: Remove plugin list panel.
    - Install wrapper scripts under /usr/sbin
    - Install actual binaries under /usr/libexec/grafana (or /usr/lib under older distributions) and create a simlink 
      for wrapper scripts and the service (which expect the binary to be under /usr/share/grafana/bin)
    - Chore: Upgrade typescript to 4.6.4.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2625-1
Released:    Fri Jun 23 17:16:11 2023
Summary:     Recommended update for gcc12
Type:        recommended
Severity:    moderate
References:  
This update for gcc12 fixes the following issues:

- Update to GCC 12.3 release, 0c61aa720e62f1baf0bfd178e283, git1204

  * includes regression and other bug fixes

- Speed up builds with --enable-link-serialization.

- Update embedded newlib to version 4.2.0

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2742-1
Released:    Fri Jun 30 11:40:56 2023
Summary:     Recommended update for autoyast2, libzypp, yast2-pkg-bindings, yast2-update, zypper
Type:        recommended
Severity:    moderate
References:  1202234,1209565,1211261,1212187,1212222
This update for yast2-pkg-bindings fixes the following issues:

libzypp was updated to version 17.31.14 (22):

- Curl: trim all custom headers (bsc#1212187)
  HTTP/2 RFC 9113 forbids fields ending with a space. So we make
  sure all custom headers are trimmed. This also includes headers
  returned by URL-Resolver plugins.
- build: honor libproxy.pc's includedir (bsc#1212222)

zypper was updated to version 1.14.61:

- targetos: Add an error note if XPath:/product/register/target
  is not defined in /etc/products.d/baseproduct (bsc#1211261)
- targetos: Update help and man page (bsc#1211261)

yast2-pkg-bindings, autoyast:

- Added a new option for rebuilding the RPM database (--rebuilddb) (bsc#1209565)
- Selected products are not installed after resetting the package manager internally (bsc#1202234)

yast2-update:

- Rebuild the RPM database during upgrade (--rebuilddb) (bsc#1209565)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2855-1
Released:    Mon Jul 17 16:35:21 2023
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    moderate
References:  1212260
This update for openldap2 fixes the following issues:

- libldap2 crashes on ldap_sasl_bind_s (bsc#1212260)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2882-1
Released:    Wed Jul 19 11:49:39 2023
Summary:     Security update for perl
Type:        security
Severity:    important
References:  1210999,CVE-2023-31484
This update for perl fixes the following issues:


  - CVE-2023-31484: Enable TLS cert verification in CPAN (bsc#1210999).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2885-1
Released:    Wed Jul 19 16:58:43 2023
Summary:     Recommended update for glibc
Type:        recommended
Severity:    moderate
References:  1208721,1209229,1211828
This update for glibc fixes the following issues:

- getlogin_r: fix missing fallback if loginuid is unset (bsc#1209229, BZ #30235)
- Exclude static archives from preparation for live patching (bsc#1208721)
- resolv_conf: release lock on allocation failure (bsc#1211828, BZ #30527)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2917-1
Released:    Thu Jul 20 11:49:45 2023
Summary:     Security update for SUSE Manager Client Tools
Type:        security
Severity:    critical
References:  1212099,1212100,1212641,CVE-2023-2183,CVE-2023-2801,CVE-2023-3128
This update fixes the following issues:

grafana:

- Update to version 9.5.5:
  * CVE-2023-3128: Fix authentication bypass using Azure AD OAuth (bsc#1212641, jsc#PED-3694)
  * Bug fixes:
    * Auth: Show invite button if disable login form is set to false.
    * Azure: Fix Kusto auto-completion for Azure datasources.
    * RBAC: Remove legacy AC editor and admin role on new dashboard route.
    * API: Revert allowing editors to access GET /datasources. 
    * Settings: Add ability to override skip_org_role_sync with Env variables.
- Update to version 9.5.3:
  * CVE-2023-2801: Query: Prevent crash while executing concurrent mixed queries (bsc#1212099)
  * CVE-2023-2183: Alerting: Require alert.notifications:write permissions to test receivers and templates (bsc#1212100)
- Update to version 9.5.2:
    Alerting: Scheduler use rule fingerprint instead of version.
    Explore: Update table min height.
    DataLinks: Encoded URL fixed.
    TimeSeries: Fix leading null-fill for missing intervals.
    Dashboard: Revert fixed header shown on mobile devices in the new panel header.
    PostgreSQL: Fix TLS certificate issue by downgrading lib/pq.
    Provisioning: Fix provisioning issues with legacy alerting and data source permissions.
    Alerting: Fix misleading status code in provisioning API.
    Loki: Fix log samples using `instant` queries.
    Panel Header: Implement new Panel Header on Angular Panels.
    Azure Monitor: Fix bug that was not showing resources for certain locations.
    Alerting: Fix panic when reparenting receivers to groups following an attempted rename via Provisioning.
    Cloudwatch Logs: Clarify Cloudwatch Logs Limits.
- Update to 9.5.1
    Loki Variable Query Editor: Fix bug when the query is updated
    Expressions: Fix expression load with legacy UID -100


-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2918-1
Released:    Thu Jul 20 12:00:17 2023
Summary:     Recommended update for gpgme
Type:        recommended
Severity:    moderate
References:  1089497
This update for gpgme fixes the following issues:

gpgme:

- Address failure handling issues when using gpg 2.2.6 via gpgme, as used by libzypp (bsc#1089497)
    
libassuan:

- Version upgrade to 2.5.5 in LTSS to address gpgme new requirements

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2956-1
Released:    Tue Jul 25 08:33:38 2023
Summary:     Security update for libcap
Type:        security
Severity:    moderate
References:  1211419,CVE-2023-2603
This update for libcap fixes the following issues:

- CVE-2023-2603: Fixed an integer overflow or wraparound in libcap/cap_alloc.c:_libcap_strdup() (bsc#1211419).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3179-1
Released:    Thu Aug  3 13:59:38 2023
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1201627,1207534,1213487,CVE-2022-4304,CVE-2023-3446
This update for openssl-1_1 fixes the following issues:

- CVE-2022-4304: Reworked the fix for the Timing-Oracle in RSA decryption.
  The previous fix for this timing side channel turned out to cause a
  severe 2-3x performance regression in the typical use case (bsc#1207534).
- CVE-2023-3446: Fixed DH_check() excessive time with over sized modulus (bsc#1213487).

- Update further expiring certificates that affect tests [bsc#1201627]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3284-1
Released:    Fri Aug 11 10:29:50 2023
Summary:     Recommended update for shadow
Type:        recommended
Severity:    moderate
References:  1206627,1213189
This update for shadow fixes the following issues:

- Prevent lock files from remaining after power interruptions (bsc#1213189)
- Add --prefix support to passwd, chpasswd and chage (bsc#1206627)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3291-1
Released:    Fri Aug 11 12:51:21 2023
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1213517,1213853,CVE-2023-3817
This update for openssl-1_1 fixes the following issues:

- CVE-2023-3817: Fixed a potential DoS due to excessive time spent checking DH q parameter value. (bsc#1213853)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3365-1
Released:    Fri Aug 18 20:35:01 2023
Summary:     Security update for krb5
Type:        security
Severity:    important
References:  1214054,CVE-2023-36054
This update for krb5 fixes the following issues:

- CVE-2023-36054: Fixed a DoS that could be triggered by an authenticated remote user. (bsc#1214054)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3472-1
Released:    Tue Aug 29 10:55:16 2023
Summary:     Security update for procps
Type:        security
Severity:    low
References:  1214290,CVE-2023-4016
This update for procps fixes the following issues:

  - CVE-2023-4016: Fixed ps buffer overflow (bsc#1214290).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3515-1
Released:    Fri Sep  1 15:54:25 2023
Summary:     Recommended update for libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1158763,1210740,1213231,1213557,1213673
This update for libzypp, zypper fixes the following issues:

- Fix occasional isue with downloading very small files (bsc#1213673)
- Fix negative ZYPP_LOCK_TIMEOUT not waiting forever (bsc#1213231)
- Fix OES synchronization issues when cookie file has mode 0600 (bsc#1158763)
- Don't cleanup orphaned dirs if read-only mode was promised (bsc#1210740)
- Revised explanation of --force-resolution in man page (bsc#1213557)
- Print summary hint if policies were violated due to --force-resolution (bsc#1213557)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3639-1
Released:    Mon Sep 18 13:33:16 2023
Summary:     Security update for libeconf
Type:        security
Severity:    moderate
References:  1198165,1211078,CVE-2023-22652,CVE-2023-30078,CVE-2023-30079,CVE-2023-32181
This update for libeconf fixes the following issues:

Update to version 0.5.2.

- CVE-2023-30078, CVE-2023-32181: Fixed a stack-buffer-overflow vulnerability in 'econf_writeFile' function (bsc#1211078).
- CVE-2023-30079, CVE-2023-22652: Fixed a stack-buffer-overflow vulnerability in 'read_file' function. (bsc#1211078)

The following non-security bug was fixed:

- Fixed parsing files correctly which have space characters AND none space characters as delimiters (bsc#1198165).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3661-1
Released:    Mon Sep 18 21:44:09 2023
Summary:     Security update for gcc12
Type:        security
Severity:    important
References:  1214052,CVE-2023-4039
This update for gcc12 fixes the following issues:

- CVE-2023-4039: Fixed incorrect stack protector for C99 VLAs on Aarch64 (bsc#1214052).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3698-1
Released:    Wed Sep 20 11:01:15 2023
Summary:     Security update for libxml2
Type:        security
Severity:    important
References:  1214768,CVE-2023-39615
This update for libxml2 fixes the following issues:

- CVE-2023-39615: Fixed crafted xml can cause global buffer overflow (bsc#1214768).


The following package changes have been done:

- glibc-2.31-150300.52.2 updated
- grafana-9.5.5-150200.3.44.1 updated
- krb5-1.19.2-150300.13.1 updated
- libassuan0-2.5.5-150000.4.5.2 updated
- libcap2-2.26-150000.4.9.1 updated
- libeconf0-0.5.2-150300.3.11.1 updated
- libgcc_s1-12.3.0+git1204-150000.1.16.1 updated
- libldap-2_4-2-2.4.46-150200.14.17.1 updated
- libldap-data-2.4.46-150200.14.17.1 updated
- libopenssl1_1-hmac-1.1.1d-150200.11.75.1 updated
- libopenssl1_1-1.1.1d-150200.11.75.1 updated
- libprocps7-3.3.15-150000.7.34.1 updated
- libprotobuf-lite20-3.9.2-150200.4.21.1 updated
- libsolv-tools-0.7.24-150200.20.2 updated
- libstdc++6-12.3.0+git1204-150000.1.16.1 updated
- libxml2-2-2.9.7-150000.3.60.1 updated
- libzypp-17.31.20-150200.75.1 updated
- login_defs-4.8.1-150300.4.9.1 updated
- openssl-1_1-1.1.1d-150200.11.75.1 updated
- perl-base-5.26.1-150300.17.14.1 updated
- procps-3.3.15-150000.7.34.1 updated
- shadow-4.8.1-150300.4.9.1 updated
- zypper-1.14.63-150200.59.1 updated
- container:sles15-image-15.0.0-17.20.185 updated


More information about the sle-updates mailing list