SUSE Container Update Advisory: caasp/v4/389-ds
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2019:73-1
Container Tags        : caasp/v4/389-ds:1.4.0 , caasp/v4/389-ds:1.4.0-rev3 , caasp/v4/389-ds:1.4.0-rev3-build1.1
Container Release     : 1.1
Severity              : important
Type                  : security
References            : 1083689 1092187 1097073 1099465 1105606 1108674 1109609 1120189 1132385 1135751 1136717 1137624 1140647 1141059 1141322 1141883 1144797 991201 CVE-2016-5416 CVE-2018-1054 CVE-2018-10871 CVE-2018-1089 CVE-2018-10935 CVE-2018-14638 CVE-2018-14648 CVE-2019-3883 SLE-5807
-----------------------------------------------------------------

The container caasp/v4/389-ds was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2085-1
Released:    Wed Aug 7 13:58:43 2019
Summary:     Recommended update for apparmor
Type:        recommended
Severity:    moderate
References:  1135751

This update for apparmor fixes the following issues:

- Profile updates for dnsmasq, dovecot, identd, syslog-ng
- Parser: fix 'Px -> foo-bar' (the '-' was rejected before)
- Add certbot paths to abstractions/ssl_certs and abstractions/ssl_keys.
- Fix build with swig 4.0. (bsc#1135751)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2097-1
Released:    Fri Aug 9 09:31:17 2019
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    important
References:  1097073

This update for libgcrypt fixes the following issues:

- Fixed a regression where systems were unable to boot in FIPS mode, caused by an incomplete implementation of a previous change (bsc#1097073).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2134-1
Released:    Wed Aug 14 11:54:56 2019
Summary:     Recommended update for zlib
Type:        recommended
Severity:    moderate
References:  1136717,1137624,1141059,SLE-5807

This update for zlib fixes the following issues:

- Update the s390 patchset. (bsc#1137624)
- Tweak zlib-power8 to have the type of crc32_vpmsum conform to its usage. (bsc#1141059)
- Use FAT LTO objects in order to provide a proper static library.
- Do not enable the previous patchset on s390, only on s390x. (bsc#1137624)
- Add patchset for s390 improvements. (jsc#SLE-5807, bsc#1136717)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2142-1
Released:    Wed Aug 14 18:14:04 2019
Summary:     Recommended update for mozilla-nspr, mozilla-nss
Type:        recommended
Severity:    moderate
References:  1141322

This update for mozilla-nspr, mozilla-nss fixes the following issues:

mozilla-nss was updated to NSS 3.45 (bsc#1141322):

* New function in pk11pub.h: PK11_FindRawCertsWithSubject
* The following CA certificates were removed: CN = Certinomis - Root CA (bmo#1552374)
* Implement Delegated Credentials (draft-ietf-tls-subcerts) (bmo#1540403)
  This adds a new experimental function SSL_DelegateCredential.
  Note: In 3.45, selfserv does not yet support delegated credentials (see bmo#1548360).
  Note: In 3.45 the SSLChannelInfo is left unmodified, while an upcoming change in 3.46 will set SSLChannelInfo.authKeyBits to that of the delegated credential for better policy enforcement (see bmo#1563078).
* Replace ARM32 Curve25519 implementation with one from fiat-crypto (bmo#1550579)
* Expose a function PK11_FindRawCertsWithSubject for finding certificates with a given subject on a given slot (bmo#1552262)
* Add IPSEC IKE support to softoken (bmo#1546229)
* Add support for the Elbrus lcc compiler (<=1.23) (bmo#1554616)
* Expose an external clock for SSL (bmo#1543874)
  This adds new experimental functions: SSL_SetTimeFunc, SSL_CreateAntiReplayContext, SSL_SetAntiReplayContext, and SSL_ReleaseAntiReplayContext. The experimental function SSL_InitAntiReplay is removed.
* Various changes in response to the ongoing FIPS review (bmo#1546477)
  Note: The source package size has increased substantially due to the new FIPS test vectors. This will likely prompt follow-on work, but please accept our apologies in the meantime.

mozilla-nspr was updated to version 4.21:

* Changed prbit.h to use builtin function on aarch64.
* Removed Gonk/B2G references.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2155-1
Released:    Thu Aug 15 17:50:59 2019
Summary:     Security update for 389-ds
Type:        security
Severity:    important
References:  1083689,1092187,1099465,1105606,1108674,1109609,1120189,1132385,1144797,991201,CVE-2016-5416,CVE-2018-1054,CVE-2018-10871,CVE-2018-1089,CVE-2018-10935,CVE-2018-14638,CVE-2018-14648,CVE-2019-3883

This update for 389-ds to version 1.4.0.26 fixes the following issues:

Security issues fixed:

- CVE-2016-5416: Fixed an information disclosure where an anonymous user could read the default ACI (bsc#991201).
- CVE-2018-1054: Fixed a denial of service via search filters in SetUnicodeStringFromUTF_8() (bsc#1083689).
- CVE-2018-1089: Fixed a buffer overflow via a large filter value (bsc#1092187).
- CVE-2018-10871: Fixed an information disclosure in certain plugins leading to the disclosure of plaintext passwords to a privileged attacker (bsc#1099465).
- CVE-2018-14638: Fixed a denial of service through a crash in delete_passwdPolicy() (bsc#1108674).
- CVE-2018-14648: Fixed a denial of service caused by malformed values in search queries (bsc#1109609).
- CVE-2018-10935: Fixed a denial of service related to ldapsearch with server-side sort (bsc#1105606).
- CVE-2019-3883: Fixed a denial of service caused by hanging LDAP requests over TLS (bsc#1132385).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2188-1
Released:    Wed Aug 21 10:10:29 2019
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1140647

This update for aaa_base fixes the following issues:

- Make systemd detection cgroup-oblivious. (bsc#1140647)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2218-1
Released:    Mon Aug 26 11:29:57 2019
Summary:     Recommended update for pinentry
Type:        recommended
Severity:    moderate
References:  1141883

This update for pinentry fixes the following issues:

- Fix a dangling pointer in qt/main.cpp that caused crashes. (bsc#1141883)

The following package changes have been done:

- 389-ds-1.4.0.26~git0.8a2d3de6f-4.14.1 updated
- aaa_base-84.87+git20180409.04c9dae-3.12.1 updated
- cyrus-sasl-plain-2.1.26-5.3.1 added
- libapparmor1-2.12.3-7.20.1 updated
- libfreebl3-3.45-3.19.1 updated
- libgcrypt20-1.8.2-8.9.1 updated
- libsoftokn3-3.45-3.19.1 updated
- libsvrcore0-1.4.0.26~git0.8a2d3de6f-4.14.1 updated
- libz1-1.2.11-3.9.1 updated
- mozilla-nspr-4.21-3.6.1 updated
- mozilla-nss-certs-3.45-3.19.1 updated
- mozilla-nss-3.45-3.19.1 updated
- pinentry-1.1.0-4.3.1 updated
- container:sles15-image-15.0.0-6.2.66 updated
- cyrus-sasl-digestmd5-2.1.26-5.3.1 removed
- cyrus-sasl-gssapi-2.1.26-5.3.1 removed
- libtcmalloc4-2.5-4.12 removed
- libunwind-1.2.1-2.13 removed
- mozilla-nss-tools-3.44.1-3.16.2 removed
- openldap2-client-2.4.46-9.3.1 removed
- python3-selinux-2.8-6.21 removed
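The package list above is what an operator actually checks a running 389-ds container against. The following script is an added example, not SUSE tooling: it parses advisory lines of the form "- name-version-release updated|added|removed", compares them with the name-version-release output of `rpm -qa` from inside a container, and reports each package as ok, outdated, missing or still-present. The `rpm -qa` sample embedded here is constructed (it deliberately shows an image that still carries the old libfreebl3 and the removed mozilla-nss-tools), and `rpmvercmp` is a re-implementation of rpm's segment-wise version comparison including the `~` pre-release rule, which matters because the 389-ds version `1.4.0.26~git0.8a2d3de6f` sorts below a plain `1.4.0.26`; the `^` post-release marker is not handled.

```python
"""Check a container's installed RPMs against a SUSE container advisory's package list."""
import re

# Excerpt of the advisory's "package changes" list (entries copied from the page).
ADVISORY_CHANGES = """\
- 389-ds-1.4.0.26~git0.8a2d3de6f-4.14.1 updated
- libfreebl3-3.45-3.19.1 updated
- libgcrypt20-1.8.2-8.9.1 updated
- mozilla-nss-3.45-3.19.1 updated
- mozilla-nss-tools-3.44.1-3.16.2 removed
"""

# Constructed sample of: rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'
# run inside a container that has NOT fully received this update.
SAMPLE_RPM_QA = """\
389-ds-1.4.0.26~git0.8a2d3de6f-4.14.1
libfreebl3-3.44.1-3.16.2
libgcrypt20-1.8.2-8.9.1
mozilla-nss-3.45-3.19.1
mozilla-nss-tools-3.44.1-3.16.2
"""


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings like rpm: returns -1, 0 or 1."""
    if a == b:
        return 0
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        # Separators (anything not alphanumeric or '~') are skipped.
        while ia < len(a) and not (a[ia].isalnum() or a[ia] == "~"):
            ia += 1
        while ib < len(b) and not (b[ib].isalnum() or b[ib] == "~"):
            ib += 1
        # '~' sorts before everything, including the end of the string.
        if (ia < len(a) and a[ia] == "~") or (ib < len(b) and b[ib] == "~"):
            if ia >= len(a) or a[ia] != "~":
                return 1
            if ib >= len(b) or b[ib] != "~":
                return -1
            ia += 1
            ib += 1
            continue
        if ia >= len(a) or ib >= len(b):
            break
        # Take a run of digits or a run of letters from each side.
        ja, jb = ia, ib
        isnum = a[ia].isdigit()
        pred = str.isdigit if isnum else str.isalpha
        while ja < len(a) and pred(a[ja]):
            ja += 1
        while jb < len(b) and pred(b[jb]):
            jb += 1
        sa, sb = a[ia:ja], b[ib:jb]
        if not sb:
            # Segment types differ: a numeric segment is newer than an alpha one.
            return 1 if isnum else -1
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
        ia, ib = ja, jb
    if ia >= len(a) and ib >= len(b):
        return 0
    return -1 if ia >= len(a) else 1


def parse_nvr(nvr: str):
    """Split 'name-version-release'; the last two '-' delimit version and release."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def parse_advisory_changes(text: str) -> dict:
    """Map package name -> (version, release, action) from advisory bullet lines."""
    changes = {}
    for line in text.splitlines():
        m = re.match(r"-\s+(\S+)\s+(updated|added|removed)$", line.strip())
        if m:
            name, version, release = parse_nvr(m.group(1))
            changes[name] = (version, release, m.group(2))
    return changes


def parse_installed(text: str) -> dict:
    """Map package name -> (version, release) from rpm -qa output."""
    installed = {}
    for line in text.splitlines():
        if line.strip():
            name, version, release = parse_nvr(line.strip())
            installed[name] = (version, release)
    return installed


def audit(changes: dict, installed: dict) -> dict:
    """Verdict per advisory package: ok, outdated, missing or still-present."""
    findings = {}
    for name, (version, release, action) in changes.items():
        have = installed.get(name)
        if action == "removed":
            findings[name] = "ok" if have is None else "still-present"
        elif have is None:
            findings[name] = "missing"
        else:
            cmp = rpmvercmp(have[0], version) or rpmvercmp(have[1], release)
            findings[name] = "ok" if cmp >= 0 else "outdated"
    return findings


if __name__ == "__main__":
    for pkg, verdict in audit(parse_advisory_changes(ADVISORY_CHANGES),
                              parse_installed(SAMPLE_RPM_QA)).items():
        print(f"{verdict:14s} {pkg}")
```

Feed it real data with `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` run in the container and the full package list from the advisory; a "still-present" verdict for a package the advisory removed is as much a sign of a stale image as an "outdated" one.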