SUSE Image Update Advisory: ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2022:1107-1 Image Tags : Image Release : Severity : critical Type : security References : 1142847 1150130 1157805 1164550 1164569 1177179 1181994 1182983 1188006 1189282 1189802 1190698 1190700 1191020 1191021 1191036 1194319 1195391 1195773 1198197 1198523 1198828 1198976 1199079 1199492 1201680 1201783 1201942 1201972 1202100 1202101 1202117 1202146 1202624 1202821 1202826 1202868 1202870 1203018 1203438 1203649 CVE-2019-13224 CVE-2019-16163 CVE-2019-19203 CVE-2019-19204 CVE-2019-19246 CVE-2020-26159 CVE-2021-28861 CVE-2021-36690 CVE-2021-46828 CVE-2022-29869 CVE-2022-31252 CVE-2022-35737 CVE-2022-40674 ----------------------------------------------------------------- The container was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:2796-1 Released: Fri Aug 12 14:34:31 2022 Summary: Recommended update for jitterentropy Type: recommended Severity: moderate References: This update for jitterentropy fixes the following issues: jitterentropy is included in version 3.4.0 (jsc#SLE-24941): This is a FIPS 140-3 / NIST 800-90b compliant userspace jitter entropy generator library, used by other FIPS libraries. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3304-1 Released: Mon Sep 19 11:43:25 2022 Summary: Recommended update for libassuan Type: recommended Severity: moderate References: This update for libassuan fixes the following issues: - Add a timeout for writing to a SOCKS5 proxy - Add workaround for a problem with LD_LIBRARY_PATH on newer systems - Fix issue in the logging code - Fix some build trivialities - Upgrade autoconf ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:3305-1 Released: Mon Sep 19 11:45:57 2022 Summary: Security update for libtirpc Type: security Severity: important References: 1201680,CVE-2021-46828 This update for libtirpc fixes the following issues: - CVE-2021-46828: Fixed denial of service vulnerability with lots of connections (bsc#1201680). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:3307-1 Released: Mon Sep 19 13:26:51 2022 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1189802,1195773,1201783,CVE-2021-36690,CVE-2022-35737 This update for sqlite3 fixes the following issues: - CVE-2022-35737: Fixed an array-bounds overflow if billions of bytes are used in a string argument to a C API (bnc#1201783). - CVE-2021-36690: Fixed an issue with the SQLite Expert extension when a column has no collating sequence (bsc#1189802). - Package the Tcl bindings here again so that we only ship one copy of SQLite (bsc#1195773). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3316-1 Released: Tue Sep 20 11:12:14 2022 Summary: Recommended update for gnutls Type: recommended Severity: moderate References: 1190698,1191021,1202146 This update for gnutls fixes the following issues: - FIPS: Zeroize the calculated hmac and new_hmac in the check_binary_integrity() function. [bsc#1191021] - FIPS: Additional modifications to the SLI. [bsc#1190698] * Mark CMAC and GMAC and non-approved in gnutls_pbkfd2(). * Mark HMAC keylength less than 112 bits as non-approved in gnutls_pbkfd2(). - FIPS: Port GnuTLS to use jitterentropy [bsc#1202146, jsc#SLE-24941] * Add new dependency on jitterentropy ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:3327-1 Released: Wed Sep 21 12:47:17 2022 Summary: Security update for oniguruma Type: security Severity: important References: 1142847,1150130,1157805,1164550,1164569,1177179,CVE-2019-13224,CVE-2019-16163,CVE-2019-19203,CVE-2019-19204,CVE-2019-19246,CVE-2020-26159 This update for oniguruma fixes the following issues: - CVE-2019-19246: Fixed an out of bounds access during regular expression matching (bsc#1157805). - CVE-2019-19204: Fixed an out of bounds access when compiling a crafted regular expression (bsc#1164569). - CVE-2019-19203: Fixed an out of bounds access when performing a string search (bsc#1164550). - CVE-2019-16163: Fixed an uncontrolled recursion issue when compiling a crafted regular expression, which could lead to denial of service (bsc#1150130). - CVE-2020-26159: Fixed an off-by-one buffer overflow (bsc#1177179). - CVE-2019-13224: Fixed a potential use-after-free when handling multiple different encodings (bsc#1142847). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3328-1 Released: Wed Sep 21 12:48:56 2022 Summary: Recommended update for jitterentropy Type: recommended Severity: moderate References: 1202870 This update for jitterentropy fixes the following issues: - Hide the non-GNUC constructs that are library internal from the exported header, to make it usable in builds with strict C99 compliance. (bsc#1202870) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:3353-1 Released: Fri Sep 23 15:23:40 2022 Summary: Security update for permissions Type: security Severity: moderate References: 1203018,CVE-2022-31252 This update for permissions fixes the following issues: - CVE-2022-31252: Fixed chkstat group controlled paths (bsc#1203018). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3388-1 Released: Mon Sep 26 12:51:36 2022 Summary: Recommended update for google-guest-agent, google-guest-oslogin, google-osconfig-agent Type: recommended Severity: moderate References: 1191036,1194319,1195391,1202100,1202101,1202826 This update for google-guest-agent, google-guest-oslogin, google-osconfig-agent fixes the following issues: - Update to version 20220713.00 (bsc#1202100, bsc#1202101) - Use pam_moduledir (bsc#1191036) - Use install command in %post section to create state file (bsc#1202826) - Avoid bashim in post install scripts (bsc#1195391) - Don't restart daemon on package upgrade, create a state file instead (bsc#1194319) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3395-1 Released: Mon Sep 26 16:35:18 2022 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1181994,1188006,1199079,1202868 This update for ca-certificates-mozilla fixes the following issues: Updated to 2.56 state of Mozilla SSL root CAs (bsc#1202868) - Added: - Certainly Root E1 - Certainly Root R1 - DigiCert SMIME ECC P384 Root G5 - DigiCert SMIME RSA4096 Root G5 - DigiCert TLS ECC P384 Root G5 - DigiCert TLS RSA4096 Root G5 - E-Tugra Global Root CA ECC v3 - E-Tugra Global Root CA RSA v3 - Removed: - Hellenic Academic and Research Institutions RootCA 2011 Updated to 2.54 state of Mozilla SSL root CAs (bsc#1199079) - Added: - Autoridad de Certificacion Firmaprofesional CIF A62634068 - D-TRUST BR Root CA 1 2020 - D-TRUST EV Root CA 1 2020 - GlobalSign ECC Root CA R4 - GTS Root R1 - GTS Root R2 - GTS Root R3 - GTS Root R4 - HiPKI Root CA - G1 - ISRG Root X2 - Telia Root CA v2 - vTrus ECC Root CA - vTrus Root CA - Removed: - Cybertrust Global Root - DST Root CA X3 - DigiNotar PKIoverheid CA Organisatie - G2 - GlobalSign ECC Root CA R4 - GlobalSign Root CA R2 - GTS Root R1 - GTS Root R2 - GTS Root R3 - GTS Root R4 Updated to 2.50 state of the Mozilla NSS Certificate store (bsc#1188006) - Added: - HARICA Client ECC Root CA 2021 - HARICA Client RSA Root CA 2021 - HARICA TLS ECC Root CA 2021 - HARICA TLS RSA Root CA 2021 - TunTrust Root CA Updated to 2.46 state of the Mozilla NSS Certificate store (bsc#1181994) - Added new root CAs: - NAVER Global Root Certification Authority - Removed old root CAs: - GeoTrust Global CA - GeoTrust Primary Certification Authority - GeoTrust Primary Certification Authority - G3 - GeoTrust Universal CA - GeoTrust Universal CA 2 - thawte Primary Root CA - thawte Primary Root CA - G2 - thawte Primary Root CA - G3 - VeriSign Class 3 Public Primary Certification Authority - G4 - VeriSign Class 3 Public Primary Certification Authority - G5 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3435-1 Released: Tue Sep 27 14:55:38 2022 Summary: Recommended update for runc Type: recommended Severity: important References: 1202821 This update for runc fixes the following issues: - Fix mounting via wrong proc fd. When the user and mount namespaces are used, and the bind mount is followed by the cgroup mount in the spec, the cgroup was mounted using the bind mount's mount fd. - Fix 'permission denied' error from runc run on noexec fs - Fix regression causing a failed 'exec' error after systemctl daemon-reload (bsc#1202821) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3449-1 Released: Tue Sep 27 20:12:03 2022 Summary: Recommended update for perl-Bootloader Type: recommended Severity: moderate References: 1198197,1198828 This update for perl-Bootloader fixes the following issues: - Fix sysconfig parsing (bsc#1198828) - grub2/install: Reset error code when passing through recover code. (bsc#1198197) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3452-1 Released: Wed Sep 28 12:13:43 2022 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1201942 This update for glibc fixes the following issues: - Reversing calculation of __x86_shared_non_temporal_threshold (bsc#1201942) - powerpc: Optimized memcmp for power10 (jsc#PED-987) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:3489-1 Released: Sat Oct 1 13:35:24 2022 Summary: Security update for expat Type: security Severity: important References: 1203438,CVE-2022-40674 This update for expat fixes the following issues: - CVE-2022-40674: Fixed use-after-free in the doContent function in xmlparse.c (bsc#1203438). ----------------------------------------------------------------- Advisory ID: SUSE-feature-2022:3520-1 Released: Tue Oct 4 14:18:34 2022 Summary: Feature update for dmidecode Type: feature Severity: moderate References: This feature update for dmidecode fixes the following issues: Update dmidecode from version 3.2 to version 3.4 (jsc#SLE-24502, jsc#SLE-24591, jsc#PED-411): - Add bios-revision, firmware-revision and system-sku-number to `-s` option - Decode HPE OEM records 194, 199, 203, 236, 237, 238 ans 240 - Decode system slot base bus width and peers - Document how the UUID fields are interpreted - Don't display the raw CPU ID in quiet mode - Don't use memcpy on /dev/mem on arm64 - Fix OEM vendor name matching - Fix small typo in NEWS file - Improve the formatting of the manual pages - Present HPE type 240 attributes as a proper list instead of packing them on a single line. This makes it more readable overall, and will also scale better if the number of attributes increases - Skip details of uninstalled memory modules - Support for SMBIOS 3.4.0. This includes new memory device types, new processor upgrades, new slot types and characteristics, decoding of memor module extended speed, new system slot types, new processor characteristic and new format of Processor ID - Support for SMBIOS 3.5.0. This includes new processor upgrades, BIOS characteristics, new slot characteristics, new on-board device types, new pointing device interface types, and a new record type (type 45 - Firmware Inventory Information) - Use the most appropriate unit for cache size ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3521-1 Released: Tue Oct 4 14:18:56 2022 Summary: Recommended update for lvm2 Type: recommended Severity: critical References: 1198523 This update for lvm2 fixes the following issues: - Add additional check in the package to prevent removal of device-mapper library files during install (bsc#1198523) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:3525-1 Released: Wed Oct 5 12:17:14 2022 Summary: Security update for cifs-utils Type: security Severity: moderate References: 1198976,CVE-2022-29869 This update for cifs-utils fixes the following issues: - Fix changelog to include Bugzilla and CVE tracker id numbers missing from previous update ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:3544-1 Released: Thu Oct 6 13:48:42 2022 Summary: Security update for python3 Type: security Severity: important References: 1202624,CVE-2021-28861 This update for python3 fixes the following issues: - CVE-2021-28861: Fixed an open redirection vulnerability in the HTTP server when an URI path starts with // (bsc#1202624). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3551-1 Released: Fri Oct 7 17:03:55 2022 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1182983,1190700,1191020,1202117 This update for libgcrypt fixes the following issues: - FIPS: Fixed gpg/gpg2 gets out of core handler in FIPS mode while typing Tab key to Auto-Completion. [bsc#1182983] - FIPS: Ported libgcrypt to use jitterentropy [bsc#1202117, jsc#SLE-24941] * Enable the jitter based entropy generator by default in random.conf * Update the internal jitterentropy to version 3.4.0 - FIPS: Get most of the entropy from rndjent_poll [bsc#1202117] - FIPS: Check keylength in gcry_fips_indicator_kdf() [bsc#1190700] * Consider approved keylength greater or equal to 112 bits. - FIPS: Zeroize buffer and digest in check_binary_integrity() [bsc#1191020] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3555-1 Released: Mon Oct 10 14:05:12 2022 Summary: Recommended update for aaa_base Type: recommended Severity: important References: 1199492 This update for aaa_base fixes the following issues: - The wrapper rootsh is not a restricted shell. (bsc#1199492) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3564-1 Released: Tue Oct 11 16:15:57 2022 Summary: Recommended update for libzypp, zypper Type: recommended Severity: critical References: 1189282,1201972,1203649 This update for libzypp, zypper fixes the following issues: libzypp: - Enable 'zck' support for SUSE Linux Enterprise 15 Service Pack 4 and newer (bsc#1189282) - Fix regression leading to `-allow-vendor-change` and `no-allow-vendor-change` options being ignored (bsc#1201972) - Remove migration code that is no longer needed (bsc#1203649) - Store logrotate files in vendor specif directory '/usr/etc/logrotate.d' if so defined zypper: - Fix contradiction in the man page: `--download-in-advance` option is the default behavior - Fix regression leading to `-allow-vendor-change` and `no-allow-vendor-change` options being ignored (bsc#1201972) - Fix tests to use locale 'C.UTF-8' rather than 'en_US' - Make sure 'up' respects solver related CLI options (bsc#1201972) - Remove unneeded code to compute the PPP status because it is now auto established - Store logrotate files in vendor specif directory '/usr/etc/logrotate.d' if so defined The following package changes have been done: - aaa_base-84.87+git20180409.04c9dae-150300.10.3.1 updated - ca-certificates-mozilla-2.56-150200.24.1 updated - cifs-utils-6.15-150400.3.9.1 updated - dmidecode-3.4-150400.16.3.1 updated - glibc-locale-base-2.31-150300.41.1 updated - glibc-locale-2.31-150300.41.1 updated - glibc-2.31-150300.41.1 updated - google-guest-agent-20220713.00-150000.1.29.1 updated - google-guest-oslogin-20220721.00-150000.1.30.1 updated - google-osconfig-agent-20220801.00-150000.1.22.1 updated - libassuan0-2.5.5-150000.4.3.1 updated - libdevmapper1_03-1.02.163-150400.178.1 updated - libexpat1-2.4.4-150400.3.9.1 updated - libgcrypt20-1.9.4-150400.6.5.1 updated - libgnutls30-3.7.3-150400.4.13.1 updated - libjitterentropy3-3.4.0-150000.1.6.1 added - libonig4-6.7.0-150000.3.3.1 updated - libpython3_6m1_0-3.6.15-150300.10.30.1 updated - libsqlite3-0-3.39.3-150000.3.17.1 updated - libtirpc-netconfig-1.2.6-150300.3.14.1 updated - libtirpc3-1.2.6-150300.3.14.1 updated - libzck1-1.1.16-150400.1.10 added - libzypp-17.31.2-150400.3.9.1 updated - perl-Bootloader-0.939-150400.3.3.1 updated - permissions-20201225-150400.5.11.1 updated - python3-base-3.6.15-150300.10.30.1 updated - python3-3.6.15-150300.10.30.1 updated - runc-1.1.4-150000.33.4 updated - zypper-1.14.57-150400.3.9.1 updated - klogd-1.4.1-11.2 removed