SUSE Container Update Advisory: 
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:3799-1
Container Tags        : suse/sle-micro-rancher/5.2:latest
Container Release     : 7.5.396
Severity              : important
Type                  : security
References            : 1065729 1179610 1186463 1216834 1218820 1220185 1220186 1220187
                        1221539 1222728 1222824 1223863 1224918 1225404 1225431 1226519
                        1226550 1226574 1226575 1226662 1226666 1226785 1227213 1227362
                        1227487 1227716 1227750 1227810 1227836 1227976 1228013 1228040
                        1228114 1228328 1228561 1228644 1228743 1229069 CVE-2020-26558
                        CVE-2021-0129 CVE-2021-47126 CVE-2021-47219 CVE-2021-47291 CVE-2021-47506
                        CVE-2021-47520 CVE-2021-47580 CVE-2021-47598 CVE-2021-47600 CVE-2022-48792
                        CVE-2022-48821 CVE-2022-48822 CVE-2023-31315 CVE-2023-52686 CVE-2023-52885
                        CVE-2024-26583 CVE-2024-26584 CVE-2024-26585 CVE-2024-26800 CVE-2024-36974
                        CVE-2024-38559 CVE-2024-39494 CVE-2024-40937 CVE-2024-40956 CVE-2024-41011
                        CVE-2024-41059 CVE-2024-41069 CVE-2024-41090 CVE-2024-42145 
-----------------------------------------------------------------

The container  was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2943-1
Released:    Fri Aug 16 13:08:11 2024
Summary:     Security update for kernel-firmware
Type:        security
Severity:    important
References:  1229069,CVE-2023-31315
This update for kernel-firmware fixes the following issues:

- CVE-2023-31315: Fixed validation in a model specific register (MSR) that lead to modification of SMM configuration by malicious program with ring0 access (bsc#1229069)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2948-1
Released:    Fri Aug 16 15:47:51 2024
Summary:     Security update for the Linux Kernel
Type:        security
Severity:    important
References:  1065729,1179610,1186463,1216834,1218820,1220185,1220186,1220187,1221539,1222728,1222824,1223863,1224918,1225404,1225431,1226519,1226550,1226574,1226575,1226662,1226666,1226785,1227213,1227362,1227487,1227716,1227750,1227810,1227836,1227976,1228013,1228040,1228114,1228328,1228561,1228644,1228743,CVE-2020-26558,CVE-2021-0129,CVE-2021-47126,CVE-2021-47219,CVE-2021-47291,CVE-2021-47506,CVE-2021-47520,CVE-2021-47580,CVE-2021-47598,CVE-2021-47600,CVE-2022-48792,CVE-2022-48821,CVE-2022-48822,CVE-2023-52686,CVE-2023-52885,CVE-2024-26583,CVE-2024-26584,CVE-2024-26585,CVE-2024-26800,CVE-2024-36974,CVE-2024-38559,CVE-2024-39494,CVE-2024-40937,CVE-2024-40956,CVE-2024-41011,CVE-2024-41059,CVE-2024-41069,CVE-2024-41090,CVE-2024-42145


The SUSE Linux Enterprise 15 SP3 kernel was updated to receive various security bugfixes.

The following security bugs were fixed:

- CVE-2020-26558: Fixed a flaw in the Bluetooth LE and BR/EDR secure pairing that could permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (bsc#1179610).
- CVE-2021-0129: Improper access control in BlueZ may have allowed an authenticated user to potentially enable information disclosure via adjacent access (bsc#1186463).
- CVE-2021-47126: ipv6: Fix KASAN: slab-out-of-bounds Read in fib6_nh_flush_exceptions (bsc#1221539).
- CVE-2021-47219: scsi: scsi_debug: Fix out-of-bound read in resp_report_tgtpgs() (bsc#1222824).
- CVE-2021-47291: ipv6: fix another slab-out-of-bounds in fib6_nh_flush_exceptions (bsc#1224918).
- CVE-2021-47506: nfsd: fix use-after-free due to delegation race (bsc#1225404).
- CVE-2021-47520: can: pch_can: pch_can_rx_normal: fix use after free (bsc#1225431).
- CVE-2021-47580: scsi: scsi_debug: Fix type in min_t to avoid stack OOB (bsc#1226550).
- CVE-2021-47598: sch_cake: do not call cake_destroy() from cake_init() (bsc#1226574).
- CVE-2021-47600: dm btree remove: fix use after free in rebalance_children() (bsc#1226575).
- CVE-2022-48792: scsi: pm8001: Fix use-after-free for aborted SSP/STP sas_task (bsc#1228013).
- CVE-2022-48821: misc: fastrpc: avoid double fput() on failed usercopy (bsc#1227976).
- CVE-2023-52686: Fix a null pointer in opal_event_init() (bsc#1065729).
- CVE-2023-52885: SUNRPC: Fix UAF in svc_tcp_listen_data_ready() (bsc#1227750).
- CVE-2024-26585: Fixed race between tx work scheduling and socket close (bsc#1220187).
- CVE-2024-36974: net/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP (bsc#1226519).
- CVE-2024-38559: scsi: qedf: Ensure the copied buf is NUL terminated (bsc#1226785).
- CVE-2024-39494: ima: Fix use-after-free on a dentry's dname.name (bsc#1227716).
- CVE-2024-40937: gve: Clear napi->skb before dev_kfree_skb_any() (bsc#1227836).
- CVE-2024-40956: dmaengine: idxd: Fix possible Use-After-Free in irq_process_work_list (bsc#1227810).
- CVE-2024-41011: drm/amdkfd: do not allow mapping the MMIO HDP page with large pages (bsc#1228114).
- CVE-2024-41059: hfsplus: fix uninit-value in copy_name (bsc#1228561).
- CVE-2024-41069: ASoC: topology: Fix route memory corruption (bsc#1228644).
- CVE-2024-41090: tap: add missing verification for short frame (bsc#1228328).
- CVE-2024-42145: IB/core: Implement a limit on UMAD receive List (bsc#1228743).

The following non-security bugs were fixed:

- Fix spurious WARNING caused by a qxl driver patch (bsc#1227213) 
- nfs: Clean up directory array handling (bsc#1226662).
- nfs: Clean up nfs_readdir_page_filler() (bsc#1226662).
- nfs: Clean up readdir struct nfs_cache_array (bsc#1226662).
- nfs: Do not discard readdir results (bsc#1226662).
- nfs: Do not overfill uncached readdir pages (bsc#1226662).
- nfs: Do not re-read the entire page cache to find the next cookie (bsc#1226662).
- nfs: Ensure contents of struct nfs_open_dir_context are consistent (bsc#1226662).
- nfs: Fix up directory verifier races (bsc#1226662).
- nfs: Further optimisations for 'ls -l' (bsc#1226662).
- nfs: More readdir cleanups (bsc#1226662).
- nfs: Reduce number of RPC calls when doing uncached readdir (bsc#1226662).
- nfs: Reduce use of uncached readdir (bsc#1226662).
- nfs: Support larger readdir buffers (bsc#1226662).
- nfs: Use the 64-bit server readdir cookies when possible (bsc#1226662).
- nfs: optimise readdir cache page invalidation (bsc#1226662).
- nfsv4.x: by default serialize open/close operations (bsc#1223863 bsc#1227362)
- ocfs2: fix DIO failure due to insufficient transaction credits (bsc#1216834).
- powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas() (bsc#1227487).
- powerpc/rtas: clean up includes (bsc#1227487).
- x.509: Fix the parser of extended key usage for length (bsc#1218820, bsc#1226666).


The following package changes have been done:

- kernel-default-5.3.18-150300.59.170.1 updated
- kernel-firmware-bnx2-20210208-150300.4.22.1 updated
- kernel-firmware-chelsio-20210208-150300.4.22.1 updated
- kernel-firmware-i915-20210208-150300.4.22.1 updated
- kernel-firmware-intel-20210208-150300.4.22.1 updated
- kernel-firmware-iwlwifi-20210208-150300.4.22.1 updated
- kernel-firmware-liquidio-20210208-150300.4.22.1 updated
- kernel-firmware-marvell-20210208-150300.4.22.1 updated
- kernel-firmware-mediatek-20210208-150300.4.22.1 updated
- kernel-firmware-mellanox-20210208-150300.4.22.1 updated
- kernel-firmware-network-20210208-150300.4.22.1 updated
- kernel-firmware-platform-20210208-150300.4.22.1 updated
- kernel-firmware-qlogic-20210208-150300.4.22.1 updated
- kernel-firmware-realtek-20210208-150300.4.22.1 updated
- kernel-firmware-usb-network-20210208-150300.4.22.1 updated