-----------------------------------------
Version 3.59 2024-10-03T09:00:25
-----------------------------------------
Patch: 7
Released: Mon Jul 15 13:04:11 2024
Summary: Security update for less
Severity: important
References: 1222849,CVE-2024-32487
Description:
This update for less fixes the following issues:

- CVE-2024-32487: Fix a bug where mishandling of \n character in paths when LESSOPEN is set leads to OS command execution. (bsc#1222849)

-----------------------------------------
Patch: 8
Released: Tue Jul 30 09:43:22 2024
Summary: Security update for openssh
Severity: critical
References: 1217950,1218215,1226642,1227318,CVE-2023-48795,CVE-2023-51385,CVE-2024-39894,CVE-2024-6387
Description:
This update for openssh fixes the following issues:

- CVE-2024-39894: Fixed timing attacks against echo-off password entry (bsc#1227318)
- CVE-2024-6387: Fixed race condition in a signal handler (bsc#1226642).

-----------------------------------------
Patch: 9
Released: Fri Aug 9 10:33:34 2024
Summary: Recommended update for bash, libcap-ng, libselinux, libselinux-bindings, libsemanage, zypper
Severity: low
References:
Description:
This update fixes the following issues:

- No change rebuild due to dependency changes.

-----------------------------------------
Patch: 16
Released: Wed Aug 14 16:04:13 2024
Summary: Recommended update for elemental-system-agent, elemental, systemd-presets-branding-Elemental, elemental-toolkit, elemental-agent, elemental-operator
Severity: moderate
References:
Description:
This update for elemental-system-agent, elemental, systemd-presets-branding-Elemental, elemental-toolkit, elemental-agent, elemental-operator fixes the following issues:

elemental:
- Update to version v2.1.2
  * Fix grub2-x86_64-efi installation
  * Removing syslinux from base image
  * Workaround to remove any pre-existing Elemental initrd

elemental-agent:
- Update to version 0.5.0+git20240729.4482c01:
  * Fix rke2 cluster class (#80)
  * Fix rootfs layout (#76)
  * Exclude cloud-config-defaults feature (#75)
  * Use toolkit nightly builds (#74)
  * Align images to Elemental dev (#73)
  * Only use essential elemental services (#71)
  * Actualize elemental init arguments and improve iso build setup (#70)
  * Fix missing mtools dependency (#68)
  * Unify root password
  * Prevent associating multiple ElementalHosts (#65)
  * Remove CodeQL github action workaround (#66)
  * upgrade elemental-toolkit to 2.1.0 version (#61)
  * tests: align Ginkgo version in the Makefile (#63)
  * Dockerfiles: ensure /usr/libexec is present on the image FS (#64)
  * minor/setup_kind_cluster.sh: print the command to write the my-config.yaml (#62)
  * Fix RKE2 ClusterClass and RKE2 default registration method (#60)
  * Remove unused Codecov config (#59)
  * Actualize RKE2 templates (#58)
  * Remove CodeCov action (#57)
  * Update codeql action (#56)
  * Display host phases (#51)
  * Bump CAPI version (#54)
  * Print test agent config by default (#55)
  * Deprecate release-action (#53)
  * Display association status (#49)
  * Add registration ready condition (#50)
  * Prevent kubelet and containerd from running in Recovery (#43)
  * Mitigate time sync issues on JWT validation (#41)
  * Improve kubeadm image (#39)
- Update to version 0.5.0+git20240319.13ad570:
  * Update dependencies and fix CodeQL failure (#36)
  * Update to go 1.22 (#32)
  * Update k3s provider urls (#34)
  * Remove tumbleweed dracut patches (#33)
  * Refer to CONTROL_PLANE_ENDPOINT_HOST
  * Update metadata.yaml
  * Update quickstart (#30)
  * Remove uninitialized taint from nodes (#29)
  * Set providerid on nodes (#22)
  * Bump yip to v1.4.10
- Initial version 0.5.0

elemental-operator:
- Update to version 1.6.4:
  * register: always register when called (#816)
- Update to version 1.6.3:
  * Backport to v1.6.x (#796)
  * Enable PR workflow for v1.6 maintenance branch
  * Add toggle to automatically delete no longer in sync versions (#780) (#783)
  * [v1.6.x] Add managedosversion finalizer (#775 & #784) (#782)
  * Ensure re-sync is triggered
  * [v1.6.x][BACKPORT] operator: fix ManagedOSVersionChannel sync (#771)
  * Use YAML content for Elemental Agent config (#765) (#770)
  * Allow yip configs (#751) (#762)
  * Update deployment.yaml (#757) (#761)
  * Flag no longer in sync ManagedOSVersions (#750) (#752)
  * Let elemental-register digest system hardware data (#748) (#749)
  * register: don't send new Disks and Controllers data (#741)
  * Added the ability to create a node reset marker for unmanaged hosts (#731) (#737)
- Update to version 1.6.2:
  * chart: add chart name and version to the operator deployment (#694)
  * Add Metadata CRD (#717)

elemental-system-agent:
- Update to version 0.3.7:
  * Add support for CATTLE_AGENT_VAR_DIR in suc plan
  * add the step for creating GH release, and fix typo in filename
  * Migrate from Drone to GitHub Action
  * Version bump for Alpine and Kubectl
  * Add support for CATTLE_AGENT_STRICT_VERIFY|STRICT_VERIFY environment variables to ensure kubeconfig CA data is valid (#171)

elemental-toolkit:
- Update to version 2.1.1:
  * [backport] Disable boot entry if efivars is read-only (#2059) (#2145)
  * [backport] CI refactor to v2.1.x branch (#2146)
  * Remove pre-existing Elemental initrds

systemd-presets-branding-Elemental:
- Include elemental-register.timer as service enabled by default

-----------------------------------------
Patch: 18
Released: Tue Aug 20 13:47:06 2024
Summary: Security update for nghttp2
Severity: important
References: 1221399,CVE-2024-28182
Description:
This update for nghttp2 fixes the following issues:

- CVE-2024-28182: Fixed denial of service via http/2 continuation frames (bsc#1221399)

-----------------------------------------
Patch: 20
Released: Wed Aug 21 11:30:19 2024
Summary: Security update for kernel-firmware
Severity: moderate
References: 1219458,1222319,1225600,1225601,CVE-2023-38417,CVE-2023-47210
Description:
This update for kernel-firmware fixes the following issues:

Update to version 20240712:
* amdgpu: update DMCUB to v0.0.225.0 for Various AMDGPU Asics
* qcom: add gpu firmwares for x1e80100 chipset (bsc#1219458)
* linux-firmware: add firmware for qat_402xx devices
* amdgpu: update raven firmware
* amdgpu: update SMU 13.0.10 firmware
* amdgpu: update SDMA 6.0.3 firmware
* amdgpu: update PSP 13.0.10 firmware
* amdgpu: update GC 11.0.3 firmware
* amdgpu: update vega20 firmware
* amdgpu: update PSP 13.0.5 firmware
* amdgpu: update PSP 13.0.8 firmware
* amdgpu: update vega12 firmware
* amdgpu: update vega10 firmware
* amdgpu: update VCN 4.0.0 firmware
* amdgpu: update SDMA 6.0.0 firmware
* amdgpu: update PSP 13.0.0 firmware
* amdgpu: update GC 11.0.0 firmware
* amdgpu: update picasso firmware
* amdgpu: update beige goby firmware
* amdgpu: update vangogh firmware
* amdgpu: update dimgrey cavefish firmware
* amdgpu: update navy flounder firmware
* amdgpu: update PSP 13.0.11 firmware
* amdgpu: update GC 11.0.4 firmware
* amdgpu: update green sardine firmware
* amdgpu: update VCN 4.0.2 firmware
* amdgpu: update SDMA 6.0.1 firmware
* amdgpu: update PSP 13.0.4 firmware
* amdgpu: update GC 11.0.1 firmware
* amdgpu: update sienna cichlid firmware
* amdgpu: update VPE 6.1.1 firmware
* amdgpu: update VCN 4.0.6 firmware
* amdgpu: update SDMA 6.1.1 firmware
* amdgpu: update PSP 14.0.1 firmware
* amdgpu: update GC 11.5.1 firmware
* amdgpu: update VCN 4.0.5 firmware
* amdgpu: update SDMA 6.1.0 firmware
* amdgpu: update PSP 14.0.0 firmware
* amdgpu: update GC 11.5.0 firmware
* amdgpu: update navi14 firmware
* amdgpu: update renoir firmware
* amdgpu: update navi12 firmware
* amdgpu: update PSP 13.0.6 firmware
* amdgpu: update GC 9.4.3 firmware
* amdgpu: update yellow carp firmware
* amdgpu: update VCN 4.0.4 firmware
* amdgpu: update SMU 13.0.7 firmware
* amdgpu: update SDMA 6.0.2 firmware
* amdgpu: update PSP 13.0.7 firmware
* amdgpu: update GC 11.0.2 firmware
* amdgpu: update navi10 firmware
* amdgpu: update raven2 firmware
* amdgpu: update aldebaran firmware
* linux-firmware: Update AMD cpu microcode
* linux-firmware: Add ISH firmware file for Intel Lunar Lake platform
* amdgpu: update DMCUB to v0.0.224.0 for Various AMDGPU Asics
* cirrus: cs35l41: Update various firmware for ASUS laptops using CS35L41
* amdgpu: Update ISP FW for isp v4.1.1

-----------------------------------------
Patch: 27
Released: Tue Sep 3 14:16:21 2024
Summary: Security update for glib2
Severity: low
References: 1224044,CVE-2024-34397
Description:
This update for glib2 fixes the following issues:

- Fixed a possible use after free regression introduced by CVE-2024-34397 patch (bsc#1224044).

-----------------------------------------
Patch: 29
Released: Wed Sep 4 12:41:35 2024
Summary: Recommended update for gcc13
Severity: important
References: 1188441,1220724,1221239
Description:
This update for gcc13 fixes the following issues:

- Update to GCC 13.3 release
- Removed Fiji support from the GCN offload compiler as that is requiring Code Object version 3 which is no longer supported by llvm18.
- Avoid combine spending too much compile-time and memory doing nothing on s390x. [bsc#1188441]
- Make requirement to lld version specific to avoid requiring the meta-package.
- Fix unwinding for JIT code. [bsc#1221239]
- Revert libgccjit dependency change. [bsc#1220724]

-----------------------------------------
Patch: 30
Released: Wed Sep 4 16:07:40 2024
Summary: Security update for curl
Severity: moderate
References: 1221665,1221666,1221667,1221668,1227888,1228535,CVE-2024-2004,CVE-2024-2379,CVE-2024-2398,CVE-2024-2466,CVE-2024-6197,CVE-2024-7264
Description:
This update for curl fixes the following issues:

Security issues fixed:
- CVE-2024-7264: ASN.1 date parser overread (bsc#1228535)
- CVE-2024-6197: Freeing stack buffer in utf8asn1str (bsc#1227888)
- CVE-2024-2379: QUIC certificate check bypass with wolfSSL (bsc#1221666)
- CVE-2024-2466: TLS certificate check bypass with mbedTLS (bsc#1221668)
- CVE-2024-2004: Usage of disabled protocol (bsc#1221665)
- CVE-2024-2398: HTTP/2 push headers memory-leak (bsc#1221667)

Non-security issue fixed:
- Fixed various TLS related issues including FTP over SSL transmission timeouts.

-----------------------------------------
Patch: 32
Released: Thu Sep 5 12:12:35 2024
Summary: Security update for glibc
Severity: important
References: 1221482,1221940,1222992,1223423,1223424,1223425,1228041,CVE-2024-2961,CVE-2024-33599,CVE-2024-33600,CVE-2024-33601,CVE-2024-33602
Description:
This update for glibc fixes the following issues:

Fixed security issues:
- CVE-2024-33602: Use time_t for return type of addgetnetgrentX (bsc#1223425)
- CVE-2024-33599: nscd: Stack-based buffer overflow in netgroup cache (bsc#1223423)
- CVE-2024-33600: nscd: Avoid null pointer crashes after notfound response (bsc#1223424)
- CVE-2024-33600: nscd: Do not send missing not-found response in addgetnetgrentX (bsc#1223424)
- CVE-2024-33601, CVE-2024-33602: netgroup: Use two buffers in addgetnetgrentX (bsc#1223425)
- CVE-2024-2961: iconv: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence (bsc#1222992)

Fixed non-security issues:
- Add workaround for invalid use of libc_nonshared.a with non-SUSE libc (bsc#1221482)
- Fix segfault in wcsncmp (bsc#1228041)
- Also include stat64 in the 32-bit libc_nonshared.a workaround (bsc#1221482)
- Avoid creating ULP prologue for _start routine (bsc#1221940)
- Also add libc_nonshared.a workaround to 32-bit x86 compat package (bsc#1221482)
- malloc: Use __get_nprocs on arena_get2
- linux: Use rseq area unconditionally in sched_getcpu

-----------------------------------------
Patch: 33
Released: Thu Sep 5 14:13:47 2024
Summary: Recommended update for dracut
Severity: moderate
References: 1208690,1226412,1226529
Description:
This update for dracut fixes the following issues:

- Update to version 059+suse.567.gadd3169d:
  * feat(crypt): force the inclusion of crypttab entries with x-initrd.attach (bsc#1226529)
  * fix(mdraid): try to assemble the missing raid device (bsc#1226412)
  * fix(dracut-install): continue parsing if ldd prints 'cannot be preloaded' (bsc#1208690)

-----------------------------------------
Patch: 35
Released: Thu Sep 5 15:38:19 2024
Summary: Security update for avahi
Severity: moderate
References: 1216594,1216598,1226586,CVE-2023-38469,CVE-2023-38471
Description:
This update for avahi fixes the following issues:

Security issues fixed:
- CVE-2023-38471: Extract host name using avahi_unescape_label (bsc#1216594).
- CVE-2023-38469: Reject overly long TXT resource records (bsc#1216598).

Non-security issue fixed:
- no longer supply bogus services to callbacks (bsc#1226586).

-----------------------------------------
Patch: 44
Released: Wed Sep 11 13:33:01 2024
Summary: Security update for expat
Severity: important
References: 1221289,1229930,1229931,1229932,CVE-2024-28757,CVE-2024-45490,CVE-2024-45491,CVE-2024-45492
Description:
This update for expat fixes the following issues:

- CVE-2024-45492: detect integer overflow in function nextScaffoldPart (bsc#1229932)
- CVE-2024-45491: detect integer overflow in dtdCopy (bsc#1229931)
- CVE-2024-45490: reject negative len for XML_ParseBuffer (bsc#1229930)
- CVE-2024-28757: XML Entity Expansion attack when there is isolated use of external parsers (bsc#1221289)

-----------------------------------------
Patch: 43
Released: Wed Sep 11 13:37:26 2024
Summary: Security update for selinux-policy
Severity: important
References: 1210717,1215405,1225984,1227930,1228247,1229132
Description:
This update for selinux-policy fixes the following issues:

Update to version 20230523+git25.ad22dd7f:
* Backport wtmpdb label change to have the same wtmpdb label as in SL Micro 6.1 (bsc#1229132)
* Add auth_rw_wtmpdb_login_records to domains using auth_manage_login_records
* Add auth_rw_wtmpdb_login_records to modules
* Allow xdm_t to read-write to wtmpdb (bsc#1225984)
* Introduce types for wtmpdb and rw interface
* Introduce wtmp_file_type attribute
* Revert 'Add policy for wtmpdb (bsc#1210717)'

Update to version 20230523+git18.f44daf8a:
* Provide type for sysstat lock files (bsc#1228247)

Update to version 20230523+git16.0849f54c:
* allow firewalld access to /dev/random and write HW acceleration logs (bsc#1215405, bsc#1227930)

-----------------------------------------
Patch: 45
Released: Wed Sep 11 13:41:31 2024
Summary: Security update for libxml2
Severity: moderate
References: 1224282,CVE-2024-34459
Description:
This update for libxml2 fixes the following issues:

- CVE-2024-34459: Fixed buffer over-read in (bsc#1224282)

-----------------------------------------
Patch: 46
Released: Thu Sep 12 11:46:29 2024
Summary: Security update for podman
Severity: moderate
References: 1227052,CVE-2024-1753,CVE-2024-24786,CVE-2024-3727,CVE-2024-6104
Description:
This update for podman fixes the following issues:

- CVE-2024-6104: Fixed dependency issue with go-retryablehttp: url might write sensitive information to log file (bsc#1227052).
- Update to version 4.9.5:
  * Bump to v4.9.5
  * Update release notes for v4.9.5
  * fix 'concurrent map writes' in network ls compat endpoint
  * [v4.9] Fix for CVE-2024-3727
  * Disable failing bud test
  * CI Maintenance: Disable machine tests
  * [CI:DOCS] Allow downgrade of WiX
  * [CI:DOCS] Force WiX 3.11
  * [CI:DOCS] Fix windows installer action
  * Bump to v4.9.5-dev
  * Bump to v4.9.4
  * Update release notes for v4.9.4
  * [v4.9] Bump Buildah to v1.33.7, CVE-2024-1753, CVE-2024-24786
  * Add farm command to commands list
  * Bump to FreeBSD 13.3 (13.2 vanished)
  * Update health-start-periods docs
  * Don't update health check status during initialDelaySeconds
  * image scp: don't require port for ssh URL
  * Ignore docker's end point config when the final network mode isn't bridge.
  * Fix running container from docker client with rootful in rootless podman.
  * [skip-ci] Packit: remove koji and bodhi tasks for v4.9
  * Bump to v4.9.4-dev
  * Remove gitleaks scanning