-----------------------------------------
Version 3.34 2024-08-21T09:00:26
-----------------------------------------
Patch: 7
Released: Mon Jul 15 13:04:11 2024
Summary: Security update for less
Severity: important
References: 1222849,CVE-2024-32487
Description:
This update for less fixes the following issues:

- CVE-2024-32487: Fix a bug where mishandling of \n character in paths when LESSOPEN is set leads to OS command execution. (bsc#1222849)

-----------------------------------------
Patch: 8
Released: Tue Jul 30 09:43:22 2024
Summary: Security update for openssh
Severity: critical
References: 1217950,1218215,1226642,1227318,CVE-2023-48795,CVE-2023-51385,CVE-2024-39894,CVE-2024-6387
Description:
This update for openssh fixes the following issues:

- CVE-2024-39894: Fixed timing attacks against echo-off password entry (bsc#1227318)
- CVE-2024-6387: Fixed race condition in a signal handler (bsc#1226642).

-----------------------------------------
Patch: 9
Released: Fri Aug 9 10:33:34 2024
Summary: Recommended update for bash, libcap-ng, libselinux, libselinux-bindings, libsemanage, zypper
Severity: low
References:
Description:
This update fixes the following issues:

- No change rebuild due to dependency changes.

-----------------------------------------
Patch: 16
Released: Wed Aug 14 16:04:13 2024
Summary: Recommended update for elemental-system-agent, elemental, systemd-presets-branding-Elemental, elemental-toolkit, elemental-agent, elemental-operator
Severity: moderate
References:
Description:
This update for elemental-system-agent, elemental, systemd-presets-branding-Elemental, elemental-toolkit, elemental-agent, elemental-operator fixes the following issues:

elemental:

- Update to version v2.1.2
  * Fix grub2-x86_64-efi installation
  * Removing syslinux from base image
  * Workaround to remove any pre-existing Elemental initrd

elemental-agent:

- Update to version 0.5.0+git20240729.4482c01:
  * Fix rke2 cluster class (#80)
  * Fix rootfs layout (#76)
  * Exclude cloud-config-defaults feature (#75)
  * Use toolkit nightly builds (#74)
  * Align images to Elemental dev (#73)
  * Only use essential elemental services (#71)
  * Actualize elemental init arguments and improve iso build setup (#70)
  * Fix missing mtools dependency (#68)
  * Unify root password
  * Prevent associating multiple ElementalHosts (#65)
  * Remove CodeQL github action workaround (#66)
  * upgrade elemental-toolkit to 2.1.0 version (#61)
  * tests: align Ginkgo version in the Makefile (#63)
  * Dockerfiles: ensure /usr/libexec is present on the image FS (#64)
  * minor/setup_kind_cluster.sh: print the command to write the my-config.yaml (#62)
  * Fix RKE2 ClusterClass and RKE2 default registration method (#60)
  * Remove unused Codecov config (#59)
  * Actualize RKE2 templates (#58)
  * Remove CodeCov action (#57)
  * Update codeql action (#56)
  * Display host phases (#51)
  * Bump CAPI version (#54)
  * Print test agent config by default (#55)
  * Deprecate release-action (#53)
  * Display association status (#49)
  * Add registration ready condition (#50)
  * Prevent kubelet and containerd from running in Recovery (#43)
  * Mitigate time sync issues on JWT validation (#41)
  * Improve kubeadm image (#39)
- Update to version 0.5.0+git20240319.13ad570:
  * Update dependencies and fix CodeQL failure (#36)
  * Update to go 1.22 (#32)
  * Update k3s provider urls (#34)
  * Remove tumbleweed dracut patches (#33)
  * Refer to CONTROL_PLANE_ENDPOINT_HOST
  * Update metadata.yaml
  * Update quickstart (#30)
  * Remove uninitialized taint from nodes (#29)
  * Set providerid on nodes (#22)
  * Bump yip to v1.4.10
- Initial version 0.5.0

elemental-operator:

- Update to version 1.6.4:
  * register: always register when called (#816)
- Update to version 1.6.3:
  * Backport to v1.6.x (#796)
  * Enable PR workflow for v1.6 maintenance branch
  * Add toggle to automatically delete no longer in sync versions (#780) (#783)
  * [v1.6.x] Add managedosversion finalizer (#775 & #784) (#782)
  * Ensure re-sync is triggered
  * [v1.6.x][BACKPORT] operator: fix ManagedOSVersionChannel sync (#771)
  * Use YAML content for Elemental Agent config (#765) (#770)
  * Allow yip configs (#751) (#762)
  * Update deployment.yaml (#757) (#761)
  * Flag no longer in sync ManagedOSVersions (#750) (#752)
  * Let elemental-register digest system hardware data (#748) (#749)
  * register: don't send new Disks and Controllers data (#741)
  * Added the ability to create a node reset marker for unmanaged hosts (#731) (#737)
- Update to version 1.6.2:
  * chart: add chart name and version to the operator deployment (#694)
  * Add Metadata CRD (#717)

elemental-system-agent:

- Update to version 0.3.7:
  * Add support for CATTLE_AGENT_VAR_DIR in suc plan
  * add the step for creating GH release, and fix typo in filename
  * Migrate from Drone to GitHub Action
  * Version bump for Alpine and Kubectl
  * Add support for CATTLE_AGENT_STRICT_VERIFY|STRICT_VERIFY environment variables to ensure kubeconfig CA data is valid (#171)

elemental-toolkit:

- Update to version 2.1.1:
  * [backport] Disable boot entry if efivars is read-only (#2059) (#2145)
  * [backport] CI refactor to v2.1.x branch (#2146)
  * Remove pre-existing Elemental initrds

systemd-presets-branding-Elemental:

- Include elemental-register.timer as service enabled by default

-----------------------------------------
Patch: 18
Released: Tue Aug 20 13:47:06 2024
Summary: Security update for nghttp2
Severity: important
References: 1221399,CVE-2024-28182
Description:
This update for nghttp2 fixes the following issues:

- CVE-2024-28182: Fixed denial of service via http/2 continuation frames (bsc#1221399)

-----------------------------------------
Version 3.34 2024-09-10T10:30:30
-----------------------------------------
Patch: 30
Released: Wed Sep 4 16:07:40 2024
Summary: Security update for curl
Severity: moderate
References: 1221665,1221666,1221667,1221668,1227888,1228535,CVE-2024-2004,CVE-2024-2379,CVE-2024-2398,CVE-2024-2466,CVE-2024-6197,CVE-2024-7264
Description:
This update for curl fixes the following issues:

Security issues fixed:

- CVE-2024-7264: ASN.1 date parser overread (bsc#1228535)
- CVE-2024-6197: Freeing stack buffer in utf8asn1str (bsc#1227888)
- CVE-2024-2379: QUIC certificate check bypass with wolfSSL (bsc#1221666)
- CVE-2024-2466: TLS certificate check bypass with mbedTLS (bsc#1221668)
- CVE-2024-2004: Usage of disabled protocol (bsc#1221665)
- CVE-2024-2398: HTTP/2 push headers memory-leak (bsc#1221667)

Non-security issue fixed:

- Fixed various TLS related issues including FTP over SSL transmission timeouts.

-----------------------------------------
Version 3.34 2024-09-12T17:19:11
-----------------------------------------
Patch: 44
Released: Wed Sep 11 13:33:01 2024
Summary: Security update for expat
Severity: important
References: 1221289,1229930,1229931,1229932,CVE-2024-28757,CVE-2024-45490,CVE-2024-45491,CVE-2024-45492
Description:
This update for expat fixes the following issues:

- CVE-2024-45492: detect integer overflow in function nextScaffoldPart (bsc#1229932)
- CVE-2024-45491: detect integer overflow in dtdCopy (bsc#1229931)
- CVE-2024-45490: reject negative len for XML_ParseBuffer (bsc#1229930)
- CVE-2024-28757: XML Entity Expansion attack when there is isolated use of external parsers (bsc#1221289)