SUSE Image Update Advisory: ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2024:5-1 Image Tags : Image Release : Severity : important Type : security References : 1027519 1029961 1158830 1170415 1170446 1178760 1201384 1206798 1209122 1210141 1212160 1213229 1213500 1214076 1214788 1215294 1215323 1215369 1215496 1216412 1216654 1216807 1216853 1216987 1217277 1217292 1217513 1217592 1217593 1217695 1217696 1217873 1217950 1217969 1218014 1218291 CVE-2020-12912 CVE-2020-8694 CVE-2020-8695 CVE-2023-38472 CVE-2023-39804 CVE-2023-46835 CVE-2023-46836 CVE-2023-48795 CVE-2023-49083 CVE-2023-50495 CVE-2023-5981 ----------------------------------------------------------------- The container was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4843-1 Released: Thu Dec 14 12:22:44 2023 Summary: Security update for python3-cryptography Type: security Severity: moderate References: 1217592,CVE-2023-49083 This update for python3-cryptography fixes the following issues: - CVE-2023-49083: Fixed a NULL pointer dereference when loading certificates from a PKCS#7 bundle (bsc#1217592). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4891-1 Released: Mon Dec 18 16:31:49 2023 Summary: Security update for ncurses Type: security Severity: moderate References: 1201384,1218014,CVE-2023-50495 This update for ncurses fixes the following issues: - CVE-2023-50495: Fixed a segmentation fault via _nc_wrap_entry() (bsc#1218014) - Modify reset command to avoid altering clocal if the terminal uses a modem (bsc#1201384) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4901-1 Released: Tue Dec 19 11:25:47 2023 Summary: Security update for avahi Type: security Severity: moderate References: 1216853,CVE-2023-38472 This update for avahi fixes the following issues: - CVE-2023-38472: Fixed reachable assertion in avahi_rdata_parse (bsc#1216853). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4902-1 Released: Tue Dec 19 13:09:42 2023 Summary: Security update for openssh Type: security Severity: important References: 1214788,1217950,CVE-2023-48795 This update for openssh fixes the following issues: - CVE-2023-48795: Fixed prefix truncation breaking ssh channel integrity (bsc#1217950). the following non-security bug was fixed: - Fix the 'no route to host' error when connecting via ProxyJump ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4936-1 Released: Wed Dec 20 17:18:21 2023 Summary: Security update for docker, rootlesskit Type: security Severity: important References: 1170415,1170446,1178760,1210141,1213229,1213500,1215323,1217513,CVE-2020-12912,CVE-2020-8694,CVE-2020-8695 This update for docker, rootlesskit fixes the following issues: docker: - Update to Docker 24.0.7-ce. See upstream changelong online at https://docs.docker.com/engine/release-notes/24.0/#2407>. bsc#1217513 * Deny containers access to /sys/devices/virtual/powercap by default. - CVE-2020-8694 bsc#1170415 - CVE-2020-8695 bsc#1170446 - CVE-2020-12912 bsc#1178760 - Update to Docker 24.0.6-ce. See upstream changelong online at https://docs.docker.com/engine/release-notes/24.0/#2406 . bsc#1215323 - Add a docker.socket unit file, but with socket activation effectively disabled to ensure that Docker will always run even if you start the socket individually. Users should probably just ignore this unit file. bsc#1210141 - Update to Docker 24.0.5-ce. See upstream changelong online at https://docs.docker.com/engine/release-notes/24.0/#2405 . bsc#1213229 This update ships docker-rootless support in the docker-rootless-extra package. (jsc#PED-6180) rootlesskit: - new package, for docker rootless support. (jsc#PED-6180) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4945-1 Released: Thu Dec 21 12:34:26 2023 Summary: Security update for xen Type: security Severity: important References: 1027519,1216654,1216807,CVE-2023-46835,CVE-2023-46836 This update for xen fixes the following issues: - CVE-2023-46836: Fixed BTC/SRSO fixes not fully effective (bsc#1216807). - CVE-2023-46835: Fixed mismatch in IOMMU quarantine page table levels on x86/AMD (bsc#1216654). Update to Xen 4.17.3 bug fix release (bsc#1027519). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4962-1 Released: Fri Dec 22 13:45:06 2023 Summary: Recommended update for curl Type: recommended Severity: important References: 1216987 This update for curl fixes the following issues: - libssh: Implement SFTP packet size limit (bsc#1216987) This update also ships curl to the INSTALLER channel. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4983-1 Released: Thu Dec 28 14:21:40 2023 Summary: Security update for gnutls Type: security Severity: moderate References: 1217277,CVE-2023-5981 This update for gnutls fixes the following issues: - CVE-2023-5981: Fixed timing side-channel inside RSA-PSK key exchange (bsc#1217277). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4985-1 Released: Thu Dec 28 15:57:12 2023 Summary: Recommended update for samba Type: recommended Severity: moderate References: 1214076 This update for samba fixes the following issues: - Add 'net offlinejoin composeodj' command (bsc#1214076) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:11-1 Released: Tue Jan 2 13:24:52 2024 Summary: Recommended update for procps Type: recommended Severity: moderate References: 1029961,1158830,1206798,1209122 This update for procps fixes the following issues: - Update procps to 3.3.17 (jsc#PED-3244 jsc#PED-6369) - For support up to 2048 CPU as well (bsc#1185417) - Allow `-´ as leading character to ignore possible errors on systctl entries (bsc#1209122) - Get the first CPU summary correct (bsc#1121753) - Enable pidof for SLE-15 as this is provided by sysvinit-tools - Use a check on syscall __NR_pidfd_open to decide if the pwait tool and its manual page will be build - Do not truncate output of w with option -n - Prefer logind over utmp (jsc#PED-3144) - Don't install translated man pages for non-installed binaries (uptime, kill). - Fix directory for Ukrainian man pages translations. - Move localized man pages to lang package. - Update to procps-ng-3.3.17 * library: Incremented to 8:3:0 (no removals or additions, internal changes only) * all: properly handle utf8 cmdline translations * kill: Pass int to signalled process * pgrep: Pass int to signalled process * pgrep: Check sanity of SG_ARG_MAX * pgrep: Add older than selection * pidof: Quiet mode * pidof: show worker threads * ps.1: Mention stime alias * ps: check also match on truncated 16 char comm names * ps: Add exe output option * ps: A lot more sorting available * pwait: New command waits for a process * sysctl: Match systemd directory order * sysctl: Document directory order * top: ensure config file backward compatibility * top: add command line 'e' for symmetry with 'E' * top: add '4' toggle for two abreast cpu display * top: add '!' toggle for combining multiple cpus * top: fix potential SEGV involving -p switch * vmstat: Wide mode gives wider proc columns * watch: Add environment variable for interval * watch: Add no linewrap option * watch: Support more colors * free,uptime,slabtop: complain about extra ops - Package translations in procps-lang. - Fix pgrep: cannot allocate 4611686018427387903 bytes when ulimit -s is unlimited. - Enable pidof by default - Update to procps-ng-3.3.16 * library: Increment to 8:2:0 No removals or functions Internal changes only, so revision is incremented. Previous version should have been 8:1:0 not 8:0:1 * docs: Use correct symbols for -h option in free.1 * docs: ps.1 now warns about command name length * docs: install translated man pages * pgrep: Match on runstate * snice: Fix matching on pid * top: can now exploit 256-color terminals * top: preserves 'other filters' in configuration file * top: can now collapse/expand forest view children * top: parent %CPU time includes collapsed children * top: improve xterm support for vim navigation keys * top: avoid segmentation fault at program termination * 'ps -C' does not allow anymore an argument longer than 15 characters (bsc#1158830) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:39-1 Released: Fri Jan 5 14:43:18 2024 Summary: Recommended update for samba Type: recommended Severity: moderate References: 1215369 This update for samba fixes the following issues: - Add idmap_nss option 'use_upn' for NSS modules able to handle UPNs or DOMAIN/user name format (bsc#1215369) - Avoid unnecessary locking in idmap parent setup (bsc#1215369) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:50-1 Released: Mon Jan 8 03:18:56 2024 Summary: Recommended update for python-instance-billing-flavor-check Type: recommended Severity: moderate References: 1217695,1217696 This update for python-instance-billing-flavor-check fixes the following issues: - Run the command as sudo only (bsc#1217696, bsc#1217695) - Handle exception for Python 3.4 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:62-1 Released: Mon Jan 8 11:44:47 2024 Summary: Recommended update for libxcrypt Type: recommended Severity: moderate References: 1215496 This update for libxcrypt fixes the following issues: - fix variable name for datamember [bsc#1215496] - added patches fix https://github.com/besser82/libxcrypt/commit/b212d601549a0fc84cbbcaf21b931f903787d7e2 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:68-1 Released: Tue Jan 9 15:26:08 2024 Summary: Recommended update for rsyslog Type: recommended Severity: moderate References: 1217292 This update for rsyslog fixes the following issues: - Restart daemon after modules packages have been updated (bsc#1217292) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:70-1 Released: Tue Jan 9 18:29:39 2024 Summary: Security update for tar Type: security Severity: low References: 1217969,CVE-2023-39804 This update for tar fixes the following issues: - CVE-2023-39804: Fixed extension attributes in PAX archives incorrect hanling (bsc#1217969). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:88-1 Released: Thu Jan 11 10:08:20 2024 Summary: Recommended update for libsolv, zypper, libzypp Type: recommended Severity: moderate References: 1212160,1215294,1216412,1217593,1217873,1218291 This update for libsolv, zypper, libzypp fixes the following issues: - Expand RepoVars in URLs downloading a .repo file (bsc#1212160) - Fix search/info commands ignoring --ignore-unknown (bsc#1217593) - CheckAccessDeleted: fix 'running in container' filter (bsc#1218291) - Open rpmdb just once during execution of %posttrans scripts (bsc#1216412) - Make sure reboot-needed is remembered until next boot (bsc#1217873) - Stop using boost version 1 timer library (bsc#1215294) - Updated to version 0.7.27 - Add zstd support for the installcheck tool - Add putinowndirpool cache to make file list handling in repo_write much faster - Do not use deprecated headerUnload with newer rpm versions - Support complex deps in SOLVABLE_PREREQ_IGNOREINST - Fix minimization not prefering installed packages in some cases - Reduce memory usage in repo_updateinfoxml - Fix lock-step interfering with architecture selection - Fix choice rule handing for package downgrades - Fix complex dependencies with an 'else' part sometimes leading to unsolved dependencies The following package changes have been done: - curl-8.0.1-150400.5.41.1 updated - docker-24.0.7_ce-150000.190.4 updated - libavahi-client3-0.8-150400.7.13.1 updated - libavahi-common3-0.8-150400.7.13.1 updated - libcrypt1-4.4.15-150300.4.7.1 updated - libcurl4-8.0.1-150400.5.41.1 updated - libgnutls30-3.7.3-150400.4.38.1 updated - libncurses6-6.1-150000.5.20.1 updated - libprocps8-3.3.17-150000.7.37.1 added - libsolv-tools-0.7.27-150400.3.11.2 updated - libzypp-17.31.27-150400.3.49.1 updated - ncurses-utils-6.1-150000.5.20.1 updated - openssh-clients-8.4p1-150300.3.27.1 updated - openssh-common-8.4p1-150300.3.27.1 updated - openssh-server-8.4p1-150300.3.27.1 updated - openssh-8.4p1-150300.3.27.1 updated - procps-3.3.17-150000.7.37.1 updated - python-instance-billing-flavor-check-0.0.4-150000.1.6.1 updated - python3-cryptography-3.3.2-150400.23.1 updated - python3-cssselect-1.0.3-150000.3.5.1 updated - rsyslog-module-relp-8.2306.0-150400.5.24.1 updated - rsyslog-8.2306.0-150400.5.24.1 updated - samba-client-libs-4.17.12+git.455.b299ac1e60-150500.3.20.1 updated - tar-1.34-150000.3.34.1 updated - terminfo-base-6.1-150000.5.20.1 updated - terminfo-6.1-150000.5.20.1 updated - xen-libs-4.17.3_02-150500.3.18.1 updated - zypper-1.14.68-150400.3.40.2 updated - libprocps7-3.3.15-150000.7.34.1 removed