SUSE Container Update Advisory: bci/bci-busybox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:468-1 Container Tags : bci/bci-busybox:15.5 , bci/bci-busybox:15.5.4.2 Container Release : 4.2 Severity : important Type : security References : 1040589 1047218 1078466 1134524 1146705 1172973 1172974 1175519 1178775 1180020 1180083 1180596 1181011 1181831 1181994 1182604 1182959 1183094 1185540 1186049 1186489 1187911 1188006 1190447 1191592 1194640 1194768 1194770 1194785 1195149 1195792 1195856 1196275 1196406 1197718 1198751 1199079 1199140 1199232 1199744 1200334 1200855 1200855 1201560 1201640 1201942 1202868 1206212 1206622 914660 CVE-2014-9645 CVE-2019-20838 CVE-2019-5021 CVE-2020-14155 CVE-2021-33574 CVE-2021-35942 CVE-2021-3999 CVE-2022-1586 CVE-2022-23218 CVE-2022-23219 CVE-2022-30065 ----------------------------------------------------------------- The container bci/bci-busybox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1368-1 Released: Tue May 28 13:15:38 2019 Summary: Recommended update for sles12sp3-docker-image, sles12sp4-image, system-user-root Type: security Severity: important References: 1134524,CVE-2019-5021 This update for sles12sp3-docker-image, sles12sp4-image, system-user-root fixes the following issues: - CVE-2019-5021: Include an invalidated root password by default, not an empty one (bsc#1134524) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:924-1 Released: Tue Mar 23 10:00:49 2021 Summary: Recommended update for filesystem Type: recommended Severity: moderate References: 1078466,1146705,1175519,1178775,1180020,1180083,1180596,1181011,1181831,1183094 This update for filesystem the following issues: - Remove duplicate line due to merge error - Add fix for 'mesa' creating cache with perm 0700. (bsc#1181011) - Fixed an issue causing failure during installation/upgrade a failure. (rh#1548403) (bsc#1146705) - Allows to override config to add cleanup options of '/var/tmp'. (bsc#1078466) - Create config to cleanup '/tmp' regular required with 'tmpfs'. (bsc#1175519) This update for systemd fixes the following issues: - Fix for a possible memory leak. (bsc#1180020) - Fix for a case when to a bind mounted directory results inactive mount units. (#7811) (bsc#1180596) - Fixed an issue when starting a container conflicts with another one. (bsc#1178775) - Drop most of the tmpfiles that deal with generic paths and avoid warnings. (bsc#1078466, bsc#1181831) - Don't use shell redirections when calling a rpm macro. (bsc#1183094) - 'systemd' requires 'aaa_base' >= 13.2. (bsc#1180083) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:2173-1 Released: Mon Jun 28 14:59:45 2021 Summary: Recommended update for automake Type: recommended Severity: moderate References: 1040589,1047218,1182604,1185540,1186049 This update for automake fixes the following issues: - Implement generated autoconf makefiles reproducible (bsc#1182604) - Add fix to avoid date variations in docs. (bsc#1047218, jsc#SLE-17848) - Avoid bashisms in test-driver script. (bsc#1185540) This update for pcre fixes the following issues: - Do not run profiling 'check' in parallel to make package build reproducible. (bsc#1040589) This update for brp-check-suse fixes the following issues: - Add fixes to support reproducible builds. (bsc#1186049) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:3291-1 Released: Wed Oct 6 16:45:36 2021 Summary: Security update for glibc Type: security Severity: moderate References: 1186489,1187911,CVE-2021-33574,CVE-2021-35942 This update for glibc fixes the following issues: - CVE-2021-33574: Fixed use __pthread_attr_copy in mq_notify (bsc#1186489). - CVE-2021-35942: Fixed wordexp handle overflow in positional parameter number (bsc#1187911). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3382-1 Released: Tue Oct 12 14:30:17 2021 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: This update for ca-certificates-mozilla fixes the following issues: - A new sub-package for minimal base containers (jsc#SLE-22162) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:3529-1 Released: Wed Oct 27 09:23:32 2021 Summary: Security update for pcre Type: security Severity: moderate References: 1172973,1172974,CVE-2019-20838,CVE-2020-14155 This update for pcre fixes the following issues: Update pcre to version 8.45: - CVE-2020-14155: Fixed integer overflow via a large number after a '(?C' substring (bsc#1172974). - CVE-2019-20838: Fixed buffer over-read in JIT compiler (bsc#1172973) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3980-1 Released: Thu Dec 9 16:42:19 2021 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1191592 glibc was updated to fix the following issue: - Support for new IBM Z Hardware (bsc#1191592, jsc#IBM-869) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:207-1 Released: Thu Jan 27 09:24:49 2022 Summary: Recommended update for glibc Type: recommended Severity: moderate References: This update for glibc fixes the following issues: - Add support for livepatches on x86_64 for SUSE Linux Enterprise 15 SP4 (jsc#SLE-20049). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:330-1 Released: Fri Feb 4 09:29:08 2022 Summary: Security update for glibc Type: security Severity: important References: 1194640,1194768,1194770,1194785,CVE-2021-3999,CVE-2022-23218,CVE-2022-23219 This update for glibc fixes the following issues: - CVE-2021-3999: Fixed incorrect errno in getcwd (bsc#1194640) - CVE-2022-23219: Fixed buffer overflow in sunrpc clnt_create for 'unix' (bsc#1194768) - CVE-2022-23218: Fixed buffer overflow in sunrpc svcunix_create (bsc#1194770) Features added: - IBM Power 10 string operation improvements (bsc#1194785, jsc#SLE-18195) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:692-1 Released: Thu Mar 3 15:46:47 2022 Summary: Recommended update for filesystem Type: recommended Severity: moderate References: 1190447 This update for filesystem fixes the following issues: - Release ported filesystem to LTSS channels (bsc#1190447). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:861-1 Released: Tue Mar 15 23:30:48 2022 Summary: Recommended update for openssl-1_1 Type: recommended Severity: moderate References: 1182959,1195149,1195792,1195856 This update for openssl-1_1 fixes the following issues: openssl-1_1: - Fix PAC pointer authentication in ARM (bsc#1195856) - Pull libopenssl-1_1 when updating openssl-1_1 with the same version (bsc#1195792) - FIPS: Fix function and reason error codes (bsc#1182959) - Enable zlib compression support (bsc#1195149) glibc: - Resolve installation issue of `glibc-devel` in SUSE Linux Enterprise Micro 5.1 linux-glibc-devel: - Resolve installation issue of `linux-kernel-headers` in SUSE Linux Enterprise Micro 5.1 libxcrypt: - Resolve installation issue of `libxcrypt-devel` in SUSE Linux Enterprise Micro 5.1 zlib: - Resolve installation issue of `zlib-devel` in SUSE Linux Enterprise Micro 5.1 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:936-1 Released: Tue Mar 22 18:10:17 2022 Summary: Recommended update for filesystem and systemd-rpm-macros Type: recommended Severity: moderate References: 1196275,1196406 This update for filesystem and systemd-rpm-macros fixes the following issues: filesystem: - Add path /lib/modprobe.d (bsc#1196275, jsc#SLE-20639) systemd-rpm-macros: - Make %_modprobedir point to /lib/modprobe.d (bsc#1196275, bsc#1196406) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1909-1 Released: Wed Jun 1 16:25:35 2022 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1198751 This update for glibc fixes the following issues: - Add the correct name for the IBM Z16 (bsc#1198751). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:2361-1 Released: Tue Jul 12 12:05:01 2022 Summary: Security update for pcre Type: security Severity: important References: 1199232,CVE-2022-1586 This update for pcre fixes the following issues: - CVE-2022-1586: Fixed unicode property matching issue. (bsc#1199232) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:2406-1 Released: Fri Jul 15 11:49:01 2022 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1197718,1199140,1200334,1200855 This update for glibc fixes the following issues: - powerpc: Fix VSX register number on __strncpy_power9 (bsc#1200334) - Disable warnings due to deprecated libselinux symbols used by nss and nscd (bsc#1197718) - i386: Remove broken CAN_USE_REGISTER_ASM_EBP (bsc#1197718) - rtld: Avoid using up static TLS surplus for optimizations (bsc#1200855, BZ #25051) This readds the s390 32bit glibc and libcrypt1 libraries (glibc-32bit, glibc-locale-base-32bit, libcrypt1-32bit). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:2494-1 Released: Thu Jul 21 15:16:42 2022 Summary: Recommended update for glibc Type: recommended Severity: important References: 1200855,1201560,1201640 This update for glibc fixes the following issues: - Remove tunables from static tls surplus patch which caused crashes (bsc#1200855) - i386: Disable check_consistency for GCC 5 and above (bsc#1201640, BZ #25788) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3395-1 Released: Mon Sep 26 16:35:18 2022 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1181994,1188006,1199079,1202868 This update for ca-certificates-mozilla fixes the following issues: Updated to 2.56 state of Mozilla SSL root CAs (bsc#1202868) - Added: - Certainly Root E1 - Certainly Root R1 - DigiCert SMIME ECC P384 Root G5 - DigiCert SMIME RSA4096 Root G5 - DigiCert TLS ECC P384 Root G5 - DigiCert TLS RSA4096 Root G5 - E-Tugra Global Root CA ECC v3 - E-Tugra Global Root CA RSA v3 - Removed: - Hellenic Academic and Research Institutions RootCA 2011 Updated to 2.54 state of Mozilla SSL root CAs (bsc#1199079) - Added: - Autoridad de Certificacion Firmaprofesional CIF A62634068 - D-TRUST BR Root CA 1 2020 - D-TRUST EV Root CA 1 2020 - GlobalSign ECC Root CA R4 - GTS Root R1 - GTS Root R2 - GTS Root R3 - GTS Root R4 - HiPKI Root CA - G1 - ISRG Root X2 - Telia Root CA v2 - vTrus ECC Root CA - vTrus Root CA - Removed: - Cybertrust Global Root - DST Root CA X3 - DigiNotar PKIoverheid CA Organisatie - G2 - GlobalSign ECC Root CA R4 - GlobalSign Root CA R2 - GTS Root R1 - GTS Root R2 - GTS Root R3 - GTS Root R4 Updated to 2.50 state of the Mozilla NSS Certificate store (bsc#1188006) - Added: - HARICA Client ECC Root CA 2021 - HARICA Client RSA Root CA 2021 - HARICA TLS ECC Root CA 2021 - HARICA TLS RSA Root CA 2021 - TunTrust Root CA Updated to 2.46 state of the Mozilla NSS Certificate store (bsc#1181994) - Added new root CAs: - NAVER Global Root Certification Authority - Removed old root CAs: - GeoTrust Global CA - GeoTrust Primary Certification Authority - GeoTrust Primary Certification Authority - G3 - GeoTrust Universal CA - GeoTrust Universal CA 2 - thawte Primary Root CA - thawte Primary Root CA - G2 - thawte Primary Root CA - G3 - VeriSign Class 3 Public Primary Certification Authority - G4 - VeriSign Class 3 Public Primary Certification Authority - G5 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3452-1 Released: Wed Sep 28 12:13:43 2022 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1201942 This update for glibc fixes the following issues: - Reversing calculation of __x86_shared_non_temporal_threshold (bsc#1201942) - powerpc: Optimized memcmp for power10 (jsc#PED-987) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:4291-1 Released: Tue Nov 29 16:00:24 2022 Summary: Recommended update for busybox-links Type: recommended Severity: moderate References: This update rebuilds busybox-links to match the current busybox version. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:4371-1 Released: Thu Dec 8 17:19:43 2022 Summary: Security update for busybox Type: security Severity: moderate References: 1199744,914660,CVE-2014-9645,CVE-2022-30065 This update for busybox fixes the following issues: - CVE-2022-30065: Fixed use-after-free in the AWK applet (bsc#1199744). - CVE-2014-9645: Fixed loading of unwanted module with / in module names (bsc#914660). - Update to 1.35.0 also introduced: - awk: fix printf %%, fix read beyond end of buffer - chrt: silence analyzer warning - libarchive: remove duplicate forward declaration - mount: 'mount -o rw ....' should not fall back to RO mount - ps: fix -o pid=PID,args interpreting entire 'PID,args' as header - tar: prevent malicious archives with long name sizes causing OOM - udhcpc6: fix udhcp_find_option to actually find DHCP6 options - xxd: fix -p -r - support for new optoins added to basename, cpio, date, find, mktemp, wget and others ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:37-1 Released: Fri Jan 6 15:35:49 2023 Summary: Security update for ca-certificates-mozilla Type: security Severity: important References: 1206212,1206622 This update for ca-certificates-mozilla fixes the following issues: - Updated to 2.60 state of Mozilla SSL root CAs (bsc#1206622) Removed CAs: - Global Chambersign Root - EC-ACC - Network Solutions Certificate Authority - Staat der Nederlanden EV Root CA - SwissSign Platinum CA - G2 Added CAs: - DIGITALSIGN GLOBAL ROOT ECDSA CA - DIGITALSIGN GLOBAL ROOT RSA CA - Security Communication ECC RootCA1 - Security Communication RootCA3 Changed trust: - TrustCor certificates only trusted up to Nov 30 (bsc#1206212) - Removed CAs (bsc#1206212) as most code does not handle 'valid before nov 30 2022' and it is not clear how many certs were issued for SSL middleware by TrustCor: - TrustCor RootCert CA-1 - TrustCor RootCert CA-2 - TrustCor ECA-1 The following package changes have been done: - busybox-adduser-1.35.0-150400.4.3.14 added - busybox-attr-1.35.0-150400.4.3.14 added - busybox-bc-1.35.0-150400.4.3.14 added - busybox-bind-utils-1.35.0-150400.4.3.14 added - busybox-bzip2-1.35.0-150400.4.3.14 added - busybox-coreutils-1.35.0-150400.4.3.14 added - busybox-cpio-1.35.0-150400.4.3.14 added - busybox-diffutils-1.35.0-150400.4.3.14 added - busybox-dos2unix-1.35.0-150400.4.3.14 added - busybox-ed-1.35.0-150400.4.3.14 added - busybox-findutils-1.35.0-150400.4.3.14 added - busybox-gawk-1.35.0-150400.4.3.14 added - busybox-grep-1.35.0-150400.4.3.14 added - busybox-gzip-1.35.0-150400.4.3.14 added - busybox-hostname-1.35.0-150400.4.3.14 added - busybox-iproute2-1.35.0-150400.4.3.14 added - busybox-iputils-1.35.0-150400.4.3.14 added - busybox-kbd-1.35.0-150400.4.3.14 added - busybox-less-1.35.0-150400.4.3.14 added - busybox-links-1.35.0-150400.4.3.14 added - busybox-man-1.35.0-150400.4.3.14 added - busybox-misc-1.35.0-150400.4.3.14 added - busybox-ncurses-utils-1.35.0-150400.4.3.14 added - busybox-net-tools-1.35.0-150400.4.3.14 added - busybox-netcat-1.35.0-150400.4.3.14 added - busybox-patch-1.35.0-150400.4.3.14 added - busybox-policycoreutils-1.35.0-150400.4.3.14 added - busybox-procps-1.35.0-150400.4.3.14 added - busybox-psmisc-1.35.0-150400.4.3.14 added - busybox-sed-1.35.0-150400.4.3.14 added - busybox-selinux-tools-1.35.0-150400.4.3.14 added - busybox-sendmail-1.35.0-150400.4.3.14 added - busybox-sharutils-1.35.0-150400.4.3.14 added - busybox-sh-1.35.0-150400.4.3.14 added - busybox-syslogd-1.35.0-150400.4.3.14 added - busybox-sysvinit-tools-1.35.0-150400.4.3.14 added - busybox-tar-1.35.0-150400.4.3.14 added - busybox-telnet-1.35.0-150400.4.3.14 added - busybox-tftp-1.35.0-150400.4.3.14 added - busybox-time-1.35.0-150400.4.3.14 added - busybox-traceroute-1.35.0-150400.4.3.14 added - busybox-tunctl-1.35.0-150400.4.3.14 added - busybox-unzip-1.35.0-150400.4.3.14 added - busybox-util-linux-1.35.0-150400.4.3.14 added - busybox-vi-1.35.0-150400.4.3.14 added - busybox-vlan-1.35.0-150400.4.3.14 added - busybox-wget-1.35.0-150400.4.3.14 added - busybox-which-1.35.0-150400.4.3.14 added - busybox-whois-1.35.0-150400.4.3.14 added - busybox-xz-1.35.0-150400.4.3.14 added - busybox-1.35.0-150500.8.1 added - ca-certificates-mozilla-prebuilt-2.60-150200.27.1 added - filesystem-15.0-11.8.1 added - glibc-2.31-150300.41.1 added - libcrypt1-4.4.15-150300.4.4.3 added - libpcre1-8.45-150000.20.13.1 added - libselinux1-3.1-150400.1.69 added - libsepol1-3.1-150400.1.70 added - sles-release-15.5-150500.29.2 added - system-user-nobody-20170617-150400.22.33 added - system-user-root-20190513-3.3.1 added - sysuser-shadow-3.1-150400.1.35 added