SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:3452-1 Container Tags : suse/sle-micro-rancher/5.2:latest Container Release : 7.5.219 Severity : important Type : security References : 1176588 1202845 1207036 1207270 1208995 1210169 1210643 1210658 1212703 1213812 1214233 1214351 1214380 1214386 1215115 1215117 1215150 1215221 1215275 1215299 1215322 1215356 CVE-2020-36766 CVE-2023-1192 CVE-2023-1206 CVE-2023-1859 CVE-2023-2177 CVE-2023-23454 CVE-2023-4004 CVE-2023-40283 CVE-2023-42753 CVE-2023-4389 CVE-2023-4622 CVE-2023-4623 CVE-2023-4881 CVE-2023-4921 ----------------------------------------------------------------- The container was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4095-1 Released: Tue Oct 17 15:03:04 2023 Summary: Security update for the Linux Kernel Type: security Severity: important References: 1176588,1202845,1207036,1207270,1208995,1210169,1210643,1210658,1212703,1213812,1214233,1214351,1214380,1214386,1215115,1215117,1215150,1215221,1215275,1215299,1215322,1215356,CVE-2020-36766,CVE-2023-1192,CVE-2023-1206,CVE-2023-1859,CVE-2023-2177,CVE-2023-23454,CVE-2023-4004,CVE-2023-40283,CVE-2023-42753,CVE-2023-4389,CVE-2023-4622,CVE-2023-4623,CVE-2023-4881,CVE-2023-4921 The SUSE Linux Enterprise 15 SP3 kernel was updated to receive various security and bugfixes. The following security bugs were fixed: - CVE-2023-1206: Fixed a hash collision flaw in the IPv6 connection lookup table. A user located in the local network or with a high bandwidth connection can increase the CPU usage of the server that accepts IPV6 connections up to 95% (bsc#1212703). - CVE-2023-42753: Fixed an array indexing vulnerability in the netfilter subsystem. This issue may have allowed a local user to crash the system or potentially escalate their privileges on the system. (bsc#1215150) - CVE-2023-4389: Fixed a a double decrement of the reference count flaw in the btrfs filesystem a double decrement of the reference count, which may have allowed a local attacker with user privilege to crash the system or may lead to leaked internal kernel information. (bsc#1214351) - CVE-2023-4921: Fixed a use-after-free vulnerability in the sch_qfq component which could be exploited to achieve local privilege escalation. (bsc#1215275) - CVE-2023-23454: Fixed a type-confusion in the CBQ network scheduler (bsc#1207036). - CVE-2023-4004: Fixed improper element removal netfilter nft_set_pipapo (bsc#1213812). - CVE-2023-4622: Fixed a use-after-free vulnerability in the af_unix component which could be exploited to achieve local privilege escalation. (bsc#1215117) - CVE-2023-4623: Fixed a use-after-free issue in the HFSC network scheduler which could be exploited to achieve local privilege escalation (bsc#1215115). - CVE-2020-36766: Fixed an issue in drivers/media/cec/core/cec-api.c which could leaks one byte of kernel memory on specific hardware to unprivileged users. (bsc#1215299) - CVE-2023-1859: Fixed a use-after-free flaw in Xen transport for 9pfs. This flaw could allow a local attacker to crash the system due to a race problem, possibly leading to a kernel information leak. (bsc#1210169) - CVE-2023-2177: Fixed a null pointer dereference issue in the sctp network protocol which could allow a user to crash the system or potentially cause a denial of service. (bsc#1210643) - CVE-2023-4881: Fixed a out-of-bounds write flaw in the netfilter subsystem that could lead to potential information disclosure or a denial of service (bsc#1215221). - CVE-2023-40283: Fixed use-after-free in l2cap_sock_ready_cb (bsc#1214233). - CVE-2023-1192: Fixed use-after-free in cifs_demultiplex_thread() (bsc#1208995). The following non-security bugs were fixed: - bnx2x: new flag for track HW resource allocation (bsc#1202845 bsc#1215322). - locking/rwsem: Disable reader optimistic spinning (bnc#1176588). - mkspec: Allow unsupported KMPs (bsc#1214386) - scsi: qedf: Add synchronization between I/O completions and abort (bsc#1210658). - x86/pkeys: Revert a5eff7259790 ('x86/pkeys: Add PKRU value to init_fpstate') (bsc#1215356). - x86/srso: Do not probe microcode in a guest (git-fixes). - x86/srso: Fix SBPB enablement for spec_rstack_overflow=off (git-fixes). - x86/srso: Fix srso_show_state() side effect (git-fixes). - x86/srso: Set CPUID feature bits independently of bug or mitigation status (git-fixes). The following package changes have been done: - kernel-default-5.3.18-150300.59.138.1 updated