SUSE Image Update Advisory:
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2024:847-1
Image Tags :
Image Release :
Severity : important
Type : security
References : 1027519 1208690 1214718 1214960 1219004 1221984 1222075 1223107 1225976 1226125 1226128 1226412 1226469 1226529 1226664 1227067 1227106 1227355 1227711 1228256 1228257 1228258 1228322 1228770 916845 CVE-2013-4235 CVE-2013-4235 CVE-2023-46842 CVE-2024-1737 CVE-2024-1975 CVE-2024-31143 CVE-2024-37891 CVE-2024-4076
-----------------------------------------------------------------

The container was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2654-1
Released: Tue Jul 30 15:33:33 2024
Summary: Security update for xen
Type: security
Severity: important
References: 1027519,1214718,1221984,1227355,CVE-2023-46842,CVE-2024-31143

This update for xen fixes the following issues:

- CVE-2023-46842: Fixed x86 HVM hypercalls may trigger Xen bug check (XSA-454, bsc#1221984).
- CVE-2024-31143: Fixed double unlock in x86 guest IRQ handling (XSA-458, bsc#1227355).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2658-1
Released: Tue Jul 30 15:37:26 2024
Summary: Security update for shadow
Type: security
Severity: important
References: 916845,CVE-2013-4235

This update for shadow fixes the following issues:

- CVE-2013-4235: Fixed a race condition when copying and removing directory trees (bsc#916845).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2662-1
Released: Tue Jul 30 15:41:34 2024
Summary: Security update for python-urllib3
Type: security
Severity: moderate
References: 1226469,CVE-2024-37891

This update for python-urllib3 fixes the following issues:

- CVE-2024-37891: Fixed proxy-authorization request header is not stripped during cross-origin redirects (bsc#1226469)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2678-1
Released: Wed Jul 31 06:59:12 2024
Summary: Recommended update for wicked
Type: recommended
Severity: important
References: 1225976,1226125,1226664

This update for wicked fixes the following issues:

- Update to version 0.6.76
- compat-suse: warn user and create missing parent config of infiniband children
- client: fix origin in loaded xml-config with obsolete port references but missing port interface config, causing a no-carrier of master (bsc#1226125)
- ipv6: fix setup on ipv6.disable=1 kernel cmdline (bsc#1225976)
- wireless: add frequency-list in station mode (jsc#PED-8715)
- client: fix crash while hierarchy traversing due to loop in e.g. systemd-nspawn containers (bsc#1226664)
- man: add supported bonding options to ifcfg-bonding(5) man page
- arputil: Document minimal interval for getopts
- man: (re)generate man pages from md sources
- client: warn on interface wait time reached
- compat-suse: fix dummy type detection from ifname to not cause conflicts with e.g.
  correct vlan config on dummy0.42 interfaces
- compat-suse: fix infiniband and infiniband child type detection from ifname
-----------------------------------------------------------------
Advisory ID: SUSE-feature-2024:2688-1
Released: Thu Aug 1 07:00:59 2024
Summary: Feature update for Public Cloud
Type: feature
Severity: important
References: 1222075,1227067,1227106,1227711

This update for Public Cloud fixes the following issues:

- Added Public Cloud packages and dependencies to SLE Micro 5.5 to enhance SUSE Manager 5.0 (jsc#SMO-345):
  * google-guest-agent (no source changes)
  * google-guest-configs (no source changes)
  * google-guest-oslogin (no source changes)
  * google-osconfig-agent (no source changes)
  * growpart-rootgrow (no source changes)
  * python-azure-agent (includes bug fixes, see below)
  * python-cssselect (no source changes)
  * python-instance-billing-flavor-check (no source changes)
  * python-toml (no source changes)
  * python3-lxml (includes a bug fix, see below)
- python-azure-agent received the following fixes:
  * Use the proper option to force btrfs to overwrite a file system on the resource disk if one already exists (bsc#1227711)
  * Set Provisioning.Agent parameter to 'cloud-init' in SLE Micro 5.5 and newer (bsc#1227106)
  * Do not package `waagent2.0` in Python 3 builds
  * Do not require `wicked` in non-SUSE build environments
  * Apply python3 interpreter patch in non SLE build environments (bsc#1227067)
- python3-lxml also received the following fix:
  * Fixed compatibility with system libexpat in tests (bnc#1222075)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2696-1
Released: Thu Aug 1 15:20:51 2024
Summary: Recommended update for dracut
Type: recommended
Severity: moderate
References: 1208690,1226412,1226529

This update for dracut fixes the following issues:

- Version update:
  * feat(crypt): force the inclusion of crypttab entries with x-initrd.attach (bsc#1226529)
  * fix(mdraid): try to assemble the missing
    raid device (bsc#1226412)
  * fix(dracut-install): continue parsing if ldd prints 'cannot be preloaded' (bsc#1208690)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2742-1
Released: Mon Aug 5 17:35:36 2024
Summary: Recommended update for suseconnect-ng
Type: recommended
Severity: important
References: 1219004,1223107,1226128

This update for suseconnect-ng fixes the following issues:

- Version update
  * Added uname as collector
  * Added SAP workload detection
  * Added detection of container runtimes
  * Multiple fixes on ARM64 detection
  * Use `read_values` for the CPU collector on Z
  * Fixed data collection for ppc64le
  * Grab the home directory from /etc/passwd if needed (bsc#1226128)
  * Build zypper-migration and zypper-packages-search as standalone binaries rather than one single binary
  * Add --gpg-auto-import-keys flag before action in zypper command (bsc#1219004)
  * Include /etc/products.d in directories whose content are backed up and restored if a zypper-migration rollback happens (bsc#1219004)
  * Add the ability to upload the system uptime logs, produced by the suse-uptime-tracker daemon, to SCC/RMT as part of keepalive report (jsc#PED-7982) (jsc#PED-8018)
  * Add support for third party packages in SUSEConnect
  * Refactor existing system information collection implementation self-signed SSL certificate (bsc#1223107)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2791-1
Released: Tue Aug 6 16:35:06 2024
Summary: Recommended update for various 32bit packages
Type: recommended
Severity: moderate
References: 1228322

This update of various packages delivers 32bit variants to allow running Wine on SLE PackageHub 15 SP6.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2799-1
Released: Wed Aug 7 08:19:10 2024
Summary: Recommended update for runc
Type: recommended
Severity: important
References: 1214960

This update for runc fixes the following issues:

- Update to runc v1.1.13, changelog is available at https://github.com/opencontainers/runc/releases/tag/v1.1.13
- Fix a performance issue when running lots of containers caused by too many mount notifications (bsc#1214960)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2804-1
Released: Wed Aug 7 09:48:29 2024
Summary: Security update for shadow
Type: security
Severity: moderate
References: 1228770,CVE-2013-4235

This update for shadow fixes the following issues:

- Fixed not copying of skel files (bsc#1228770)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2862-1
Released: Fri Aug 9 09:20:34 2024
Summary: Security update for bind
Type: security
Severity: important
References: 1228256,1228257,1228258,CVE-2024-1737,CVE-2024-1975,CVE-2024-4076

This update for bind fixes the following issues:

Update to 9.16.50:

- Bug Fixes:
  * A regression in cache-cleaning code enabled memory use to grow significantly more quickly than before, until the configured max-cache-size limit was reached. This has been fixed.
  * Using rndc flush inadvertently caused cache cleaning to become less effective. This could ultimately lead to the configured max-cache-size limit being exceeded and has now been fixed.
  * The logic for cleaning up expired cached DNS records was tweaked to be more aggressive. This change helps with enforcing max-cache-ttl and max-ncache-ttl in a timely manner.
  * It was possible to trigger a use-after-free assertion when the overmem cache cleaning was initiated. This has been fixed.
- New Features:
  * Added RESOLVER.ARPA to the built in empty zones.
- Security Fixes:
  * It is possible to craft excessively large numbers of resource record types for a given owner name, which has the effect of slowing down database processing. This has been addressed by adding a configurable limit to the number of records that can be stored per name and type in a cache or zone database. The default is 100, which can be tuned with the new max-types-per-name option. (CVE-2024-1737, bsc#1228256)
  * Validating DNS messages signed using the SIG(0) protocol (RFC 2931) could cause excessive CPU load, leading to a denial-of-service condition. Support for SIG(0) message validation was removed from this version of named. (CVE-2024-1975, bsc#1228257)
  * When looking up the NS records of parent zones as part of looking up DS records, it was possible for named to trigger an assertion failure if serve-stale was enabled. This has been fixed. (CVE-2024-4076, bsc#1228258)

The following package changes have been done:

- bind-utils-9.16.50-150500.8.21.1 updated
- docker-25.0.6_ce-150000.203.1 updated
- dracut-055+suse.388.g70c21afa-150500.3.21.2 updated
- google-guest-agent-20240314.00-150400.1.48.7 updated
- google-guest-configs-20240307.00-150400.13.11.6 updated
- google-guest-oslogin-20240311.00-150400.1.45.7 updated
- google-osconfig-agent-20240320.00-150400.1.35.7 updated
- growpart-rootgrow-1.0.7-150400.1.14.7 updated
- libassuan0-2.5.5-150000.4.7.1 updated
- login_defs-4.8.1-150400.10.21.1 updated
- python-instance-billing-flavor-check-0.0.6-150400.1.11.7 updated
- python3-bind-9.16.50-150500.8.21.1 updated
- python3-cssselect-1.0.3-150400.3.7.4 updated
- python3-lxml-4.9.1-150500.3.4.3 updated
- python3-urllib3-1.25.10-150300.4.12.1 updated
- runc-1.1.13-150000.67.1 updated
- shadow-4.8.1-150400.10.21.1 updated
- suseconnect-ng-1.11.0-150500.3.26.4 updated
- wicked-service-0.6.76-150500.3.33.1 updated
- wicked-0.6.76-150500.3.33.1 updated
- xen-libs-4.17.4_04-150500.3.33.1 updated