SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2024:237-1 Container Tags : suse/sle-micro-rancher/5.3:latest Container Release : 7.2.308 Severity : important Type : security References : 1179610 1183045 1193285 1211162 1211188 1211190 1211226 1212584 1214747 1214823 1215237 1215423 1215696 1215885 1216057 1216060 1216559 1216776 1217000 1217036 1217217 1217250 1217602 1217692 1217790 1217801 1217933 1217938 1217946 1217947 1217980 1217981 1217982 1218056 1218126 1218139 1218184 1218186 1218209 1218234 1218253 1218258 1218335 1218357 1218447 1218475 1218515 1218559 1218569 1218659 CVE-2020-26555 CVE-2023-1667 CVE-2023-2283 CVE-2023-48795 CVE-2023-51779 CVE-2023-6004 CVE-2023-6121 CVE-2023-6531 CVE-2023-6546 CVE-2023-6606 CVE-2023-6610 CVE-2023-6622 CVE-2023-6918 CVE-2023-6931 CVE-2023-6932 CVE-2024-22365 ----------------------------------------------------------------- The container was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:136-1 Released: Thu Jan 18 09:53:47 2024 Summary: Security update for pam Type: security Severity: moderate References: 1217000,1218475,CVE-2024-22365 This update for pam fixes the following issues: - CVE-2024-22365: Fixed a local denial of service during PAM login due to a missing check during path manipulation (bsc#1218475). - Check localtime_r() return value to fix crashing (bsc#1217000) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:140-1 Released: Thu Jan 18 11:34:58 2024 Summary: Security update for libssh Type: security Severity: important References: 1211188,1211190,1218126,1218186,1218209,CVE-2023-1667,CVE-2023-2283,CVE-2023-48795,CVE-2023-6004,CVE-2023-6918 This update for libssh fixes the following issues: Security fixes: - CVE-2023-6004: Fixed command injection using proxycommand (bsc#1218209) - CVE-2023-48795: Fixed potential downgrade attack using strict kex (bsc#1218126) - CVE-2023-6918: Fixed missing checks for return values of MD functions (bsc#1218186) - CVE-2023-1667: Fixed NULL dereference during rekeying with algorithm guessing (bsc#1211188) - CVE-2023-2283: Fixed possible authorization bypass in pki_verify_data_signature under low-memory conditions (bsc#1211190) Other fixes: - Update to version 0.9.8 - Allow @ in usernames when parsing from URI composes - Update to version 0.9.7 - Fix several memory leaks in GSSAPI handling code ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:151-1 Released: Thu Jan 18 14:25:10 2024 Summary: Recommended update for selinux-policy Type: recommended Severity: moderate References: 1215423,1216060 This update for selinux-policy fixes the following issues: - Allow keepalived_t read+write kernel_t pipes (bsc#1216060) - Support new PING_CHECK health checker in keepalived - Allow init to run bpf programs. We do this during early startup (bsc#1215423) - Allow sysadm_t run kernel bpf programs ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:156-1 Released: Thu Jan 18 17:01:26 2024 Summary: Security update for the Linux Kernel Type: security Severity: important References: 1179610,1183045,1193285,1211162,1211226,1212584,1214747,1214823,1215237,1215696,1215885,1216057,1216559,1216776,1217036,1217217,1217250,1217602,1217692,1217790,1217801,1217933,1217938,1217946,1217947,1217980,1217981,1217982,1218056,1218139,1218184,1218234,1218253,1218258,1218335,1218357,1218447,1218515,1218559,1218569,1218659,CVE-2020-26555,CVE-2023-51779,CVE-2023-6121,CVE-2023-6531,CVE-2023-6546,CVE-2023-6606,CVE-2023-6610,CVE-2023-6622,CVE-2023-6931,CVE-2023-6932 The SUSE Linux Enterprise 15 SP4 kernel was updated to receive various security bugfixes. The following security bugs were fixed: - CVE-2023-6531: Fixed a use-after-free flaw due to a race problem in the unix garbage collector's deletion of SKB races with unix_stream_read_generic()on the socket that the SKB is queued on (bsc#1218447). - CVE-2023-6610: Fixed an out of bounds read in the SMB client when printing debug information (bsc#1217946). - CVE-2023-51779: Fixed a use-after-free because of a bt_sock_ioctl race condition in bt_sock_recvmsg (bsc#1218559). - CVE-2020-26555: Fixed an issue during BR/EDR PIN code pairing in the Bluetooth subsystem that would allow replay attacks (bsc#1179610 bsc#1215237). - CVE-2023-6606: Fixed an out of bounds read in the SMB client when receiving a malformed length from a server (bsc#1217947). - CVE-2023-6546: Fixed a race condition in the GSM 0710 tty multiplexor via the GSMIOC_SETCONF ioctl that could lead to local privilege escalation (bsc#1218335). - CVE-2023-6931: Fixed an out of bounds write in the Performance Events subsystem when adding a new event (bsc#1218258). - CVE-2023-6932: Fixed a use-after-free issue when receiving an IGMP query packet due to reference count mismanagement (bsc#1218253). - CVE-2023-6622: Fixed a null pointer dereference vulnerability in nft_dynset_init() that could allow a local attacker with CAP_NET_ADMIN user privilege to trigger a denial of service (bsc#1217938). - CVE-2023-6121: Fixed an information leak via dmesg when receiving a crafted packet in the NVMe-oF/TCP subsystem (bsc#1217250). The following non-security bugs were fixed: - Reviewed and added more information to README.SUSE (jsc#PED-5021). - Enabled multibuild for kernel packages (JSC-SLE#5501, boo#1211226, bsc#1218184). - Drop drm/bridge lt9611uxc patches that have been reverted on stable trees - KVM: s390/mm: Properly reset no-dat (bsc#1218056). - KVM: s390: vsie: fix wrong VIR 37 when MSO is used (bsc#1217933). - KVM: x86: Mask LVTPC when handling a PMI (jsc#PED-7322). - NFS: Fix O_DIRECT locking issues (bsc#1211162). - NFS: Fix a few more clear_bit() instances that need release semantics (bsc#1211162). - NFS: Fix a potential data corruption (bsc#1211162). - NFS: Fix a use after free in nfs_direct_join_group() (bsc#1211162). - NFS: Fix error handling for O_DIRECT write scheduling (bsc#1211162). - NFS: More O_DIRECT accounting fixes for error paths (bsc#1211162). - NFS: More fixes for nfs_direct_write_reschedule_io() (bsc#1211162). - NFS: Use the correct commit info in nfs_join_page_group() (bsc#1211162). - NLM: Defend against file_lock changes after vfs_test_lock() (bsc#1217692). - Updated SPI patches for NVIDIA Grace enablement (bsc#1212584 jsc#PED-3459) - block: fix revalidate performance regression (bsc#1216057). - bpf: Adjust insufficient default bpf_jit_limit (bsc#1218234). - ceph: fix incorrect revoked caps assert in ceph_fill_file_size() (bsc#1217980). - ceph: fix type promotion bug on 32bit systems (bsc#1217982). - clocksource: Add a Kconfig option for WATCHDOG_MAX_SKEW (bsc#1215885 bsc#1217217). - clocksource: Enable TSC watchdog checking of HPET and PMTMR only when requested (bsc#1215885 bsc#1217217). - clocksource: Handle negative skews in 'skew is too large' messages (bsc#1215885 bsc#1217217). - clocksource: Improve 'skew is too large' messages (bsc#1215885 bsc#1217217). - clocksource: Improve read-back-delay message (bsc#1215885 bsc#1217217). - clocksource: Loosen clocksource watchdog constraints (bsc#1215885 bsc#1217217). - clocksource: Print clocksource name when clocksource is tested unstable (bsc#1215885 bsc#1217217). - clocksource: Verify HPET and PMTMR when TSC unverified (bsc#1215885 bsc#1217217). - dm_blk_ioctl: implement path failover for SG_IO (bsc#1183045, bsc#1216776). - fuse: dax: set fc->dax to NULL in fuse_dax_conn_free() (bsc#1218659). - libceph: use kernel_connect() (bsc#1217981). - mm: kmem: drop __GFP_NOFAIL when allocating objcg vectors (bsc#1218515). - net/smc: Fix pos miscalculation in statistics (bsc#1218139). - net/tg3: fix race condition in tg3_reset_task() (bsc#1217801). - nfs: only issue commit in DIO codepath if we have uncommitted data (bsc#1211162). - remove unnecessary WARN_ON_ONCE() (bsc#1214823 bsc#1218569). - s390/vx: fix save/restore of fpu kernel context (bsc#1218357). - scsi: lpfc: use unsigned type for num_sge (bsc#1214747). - swiotlb: fix a braino in the alignment check fix (bsc#1216559). - swiotlb: fix slot alignment checks (bsc#1216559). - tracing: Disable preemption when using the filter buffer (bsc#1217036). - tracing: Fix a possible race when disabling buffered events (bsc#1217036). - tracing: Fix a warning when allocating buffered events fails (bsc#1217036). - tracing: Fix incomplete locking when disabling buffered events (bsc#1217036). - tracing: Fix warning in trace_buffered_event_disable() (bsc#1217036). - tracing: Use __this_cpu_read() in trace_event_buffer_lock_reserver() (bsc#1217036). - uapi: propagate __struct_group() attributes to the container union (jsc#SLE-18978). - vsprintf/kallsyms: Prevent invalid data when printing symbol (bsc#1217602). - x86/entry/ia32: Ensure s32 is sign extended to s64 (bsc#1193285). - x86/platform/uv: Use alternate source for socket to node data (bsc#1215696 bsc#1217790). - x86/tsc: Add option to force frequency recalibration with HW timer (bsc#1215885 bsc#1217217). - x86/tsc: Be consistent about use_tsc_delay() (bsc#1215885 bsc#1217217). - x86/tsc: Extend watchdog check exemption to 4-Sockets platform (bsc#1215885 bsc#1217217). The following package changes have been done: - kernel-default-5.14.21-150400.24.103.1 updated - libssh-config-0.9.8-150400.3.3.1 updated - libssh4-0.9.8-150400.3.3.1 updated - pam-1.3.0-150000.6.66.1 updated - selinux-policy-targeted-20210716+git65.8c9b6599-150400.5.12.1 updated - selinux-policy-20210716+git65.8c9b6599-150400.5.12.1 updated