SUSE Container Update Advisory: caasp/v4/cilium
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2019:110-1
Container Tags        : caasp/v4/cilium:1.4.2 , caasp/v4/cilium:1.4.2-rev1 , caasp/v4/cilium:1.4.2-rev1-build1.11 , caasp/v4/cilium:beta
Container Release     : 1.11
Severity              : important
Type                  : security
References            : 1044840 1063675 1065270 1084842 1088524 1096008 1096974 1096984 1100396 1110304 1111019 1112570 1114407 1114592 1114984 1114993 1118087 1118364 1119414 1119687 1120279 1120689 1121051 1122361 1122729 1123820 1124223 1124644 1125410 1125439 1126096 1126117 1126118 1126119 1126327 1126377 1126590 1127073 1128246 1128794 1129389 1129576 1129598 1129753 1130045 1130325 1130326 1130681 1130682 1131060 1131264 1131686 985657 CVE-2016-10739 CVE-2016-3189 CVE-2018-10360 CVE-2018-16868 CVE-2018-20346 CVE-2019-3829 CVE-2019-3836 CVE-2019-3880 CVE-2019-8905 CVE-2019-8906 CVE-2019-8907 CVE-2019-9936 CVE-2019-9937 SLE-3853 SLE-4117 SLE-6738
-----------------------------------------------------------------

The container caasp/v4/cilium was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:369-1
Released:    Wed Feb 13 14:01:42 2019
Summary:     Recommended update for itstool
Type:        recommended
Severity:    moderate
References:  1065270,1111019

This update for itstool and python-libxml2-python fixes the following issues:

Package: itstool
- Updated version to support Python3. (bnc#1111019)

Package: python-libxml2-python
- Fix segfault when parsing invalid data. (bsc#1065270)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:532-1
Released:    Fri Mar 1 13:47:29 2019
Summary:     Recommended update for console-setup, kbd
Type:        recommended
Severity:    moderate
References:  1122361

This update for console-setup and kbd provides the following fix:

- Fix Shift-Tab mapping.
  (bsc#1122361)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:571-1
Released:    Thu Mar 7 18:13:46 2019
Summary:     Security update for file
Type:        security
Severity:    moderate
References:  1096974,1096984,1126117,1126118,1126119,CVE-2018-10360,CVE-2019-8905,CVE-2019-8906,CVE-2019-8907

This update for file fixes the following issues:

The following security vulnerabilities were addressed:

- CVE-2018-10360: Fixed an out-of-bounds read in the function do_core_note in readelf.c, which allowed remote attackers to cause a denial of service (application crash) via a crafted ELF file (bsc#1096974)
- CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c (bsc#1126118)
- CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf.c (bsc#1126119)
- CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c (bsc#1126117)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:577-1
Released:    Mon Mar 11 12:03:49 2019
Summary:     Recommended update for apparmor
Type:        recommended
Severity:    important
References:  1123820,1127073

This update for apparmor fixes the following issues:

- apparmor prevents libvirtd from starting (bsc#1127073)
- Start apparmor after filesystem remount (bsc#1123820)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:641-1
Released:    Tue Mar 19 13:17:28 2019
Summary:     Recommended update for glibc
Type:        recommended
Severity:    moderate
References:  1112570,1114984,1114993

This update for glibc provides the following fixes:

- Fix Haswell CPU string flags. (bsc#1114984)
- Fix waiters-after-spinning case. (bsc#1114993)
- Do not relocate absolute symbols. (bsc#1112570)
- Add glibc-locale-base subpackage containing only C, C.UTF-8 and en_US.UTF-8 locales. (fate#326551)
- Add HWCAP_ATOMICS to HWCAP_IMPORTANT (fate#325962)
- Remove slow paths from math routines.
  (fate#325815, fate#325879, fate#325880, fate#325881, fate#325882)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:664-1
Released:    Wed Mar 20 14:54:12 2019
Summary:     Recommended update for gpgme
Type:        recommended
Severity:    low
References:  1121051

This update for gpgme provides the following fix:

- Re-generate keys in Qt tests to not expire. (bsc#1121051)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:700-1
Released:    Thu Mar 21 19:54:00 2019
Summary:     Recommended update for cyrus-sasl
Type:        recommended
Severity:    moderate
References:  1044840

This update for cyrus-sasl provides the following fix:

- Fix a problem that was causing syslog to be polluted with 'GSSAPI client step 1' messages. In the server context the connection is passed to the log function, but the client context carries no log-level information, so there was no way to suppress DEBUG-level logs. (bsc#1044840)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:713-1
Released:    Fri Mar 22 15:55:05 2019
Summary:     Recommended update for glibc
Type:        recommended
Severity:    moderate
References:  1063675,1126590

This update for glibc fixes the following issues:

- Add MAP_SYNC from Linux 4.15 (bsc#1126590)
- Add MAP_SHARED_VALIDATE from Linux 4.15 (bsc#1126590)
- nptl: Preserve error in setxid thread broadcast in coredumps (bsc#1063675, BZ #22153)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:732-1
Released:    Mon Mar 25 14:10:04 2019
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1088524,1118364,1128246

This update for aaa_base fixes the following issues:

- Restore old position of ssh/sudo source of profile (bsc#1118364).
- Update logic for JRE_HOME env variable (bsc#1128246)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:788-1
Released:    Thu Mar 28 11:55:06 2019
Summary:     Security update for sqlite3
Type:        security
Severity:    moderate
References:  1119687,CVE-2018-20346

This update for sqlite3 to version 3.27.2 fixes the following issue:

Security issue fixed:

- CVE-2018-20346: Fixed a remote code execution vulnerability in FTS3 (Magellan) (bsc#1119687).

Release notes: https://www.sqlite.org/releaselog/3_27_2.html

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:791-1
Released:    Thu Mar 28 12:06:50 2019
Summary:     Security update for libnettle
Type:        recommended
Severity:    moderate
References:  1129598

This update for libnettle to version 3.4.1 fixes the following issues:

Issues addressed and new features:

- Updated to 3.4.1 (fate#327114 and bsc#1129598)
- Fixed missing break statements in the parsing of PEM input files in pkcs1-conv.
- Fixed a link error in the pss-mgf1-test which was affecting builds without public key support.
- All functions using RSA private keys are now side-channel silent. This applies both to the bignum calculations, which now use GMP's mpn_sec_* family of functions, and to the processing of the PKCS#1 padding needed for RSA decryption.
- Changes in behavior: The functions rsa_decrypt and rsa_decrypt_tr may now clobber all of the provided message buffer, independent of the actual message length. They are side-channel silent, in that branches and memory accesses do not depend on the validity or length of the message. Side-channel leakage from the caller's use of the length and return value may still provide an oracle usable for a Bleichenbacher-style chosen-ciphertext attack, which is why the new function rsa_sec_decrypt (the caller passes the expected message length, and the function always returns that many bytes) is recommended.
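The libnettle item above (and the gnutls CVE-2018-16868 item further down this page) describe the same leak: if an RSA decryption routine exits early on a padding error, or hands back a message whose length depends on where the separator was found, the caller's timing and return path become the oracle a Bleichenbacher chosen-ciphertext attack consumes. The Python below is an added illustration written for this page; it is not nettle's or gnutls's code. It builds a toy RSA key from two Mersenne primes (constructed, far too small for real use), shows a classic unpad next to an rsa_sec_decrypt-style interface in which the caller supplies the expected length and the routine processes every byte of the block regardless, and leaves out RSA blinding. Python gives no constant-time guarantee; what the block demonstrates is the structure (no data-dependent branch, no data-dependent output length) that the C implementation makes side-channel silent.

```python
"""Toy RSA PKCS#1 v1.5 decryption: a leaky unpad next to a side-channel-silent one.
Added illustration for this page; not nettle or gnutls code."""
import secrets

# Constructed toy key from two Mersenne primes: fine for a demo, useless for real use.
P = 2**127 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8            # modulus size in bytes (27 here)


def pkcs1_v15_pad(msg: bytes, k: int) -> bytes:
    """EB = 0x00 || 0x02 || PS (at least 8 non-zero random bytes) || 0x00 || msg."""
    if len(msg) > k - 11:
        raise ValueError("message too long for modulus")
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(k - 3 - len(msg)))
    return b"\x00\x02" + ps + b"\x00" + msg


def rsa_encrypt(msg: bytes) -> int:
    return pow(int.from_bytes(pkcs1_v15_pad(msg, K), "big"), E, N)


def unpad_naive(eb: bytes):
    """Classic unpad: early exits and a result whose length depends on the data.
    Which exit was taken, and how long the result is, is visible to the caller,
    and that is exactly the oracle a Bleichenbacher attack consumes."""
    if eb[0] != 0 or eb[1] != 2:
        return None                       # exit 1: wrong block type
    sep = eb.find(b"\x00", 2)
    if sep < 10:
        return None                       # exit 2: padding string short or unterminated
    return eb[sep + 1:]                   # length leaks the separator position


def _eq_mask(a: int, b: int) -> int:
    """0xFF when a == b, else 0x00, without a branch (a and b are single bytes)."""
    return (((a ^ b) - 1) >> 8) & 0xFF


def unpad_sec(eb: bytes, length: int) -> tuple:
    """rsa_sec_decrypt-style unpad: the caller states the expected message length,
    every byte of the block is examined, there is no early exit, and exactly
    `length` bytes come back whether or not the padding was valid."""
    k = len(eb)
    if not 0 <= length <= k - 11:         # depends on public sizes only
        raise ValueError("length incompatible with modulus size")
    t = k - length - 1                    # where the 0x00 separator has to be
    ok = _eq_mask(eb[0], 0) & _eq_mask(eb[1], 2) & _eq_mask(eb[t], 0)
    for i in range(2, t):                 # the padding string must contain no zero byte
        ok &= _eq_mask(eb[i], 0) ^ 0xFF
    return ok == 0xFF, eb[t + 1:]         # fixed-length slice, valid or not


def rsa_decrypt_naive(c: int):
    return unpad_naive(pow(c, D, N).to_bytes(K, "big"))


def rsa_sec_decrypt(c: int, length: int) -> tuple:
    return unpad_sec(pow(c, D, N).to_bytes(K, "big"), length)


def padding_oracle(c: int) -> bool:
    """Everything the attacker needs from the naive path: conforming or not."""
    return rsa_decrypt_naive(c) is not None


def demo() -> dict:
    c = rsa_encrypt(b"secret key")
    probe = (c * pow(2, E, N)) % N        # attacker's multiplicative probe (s = 2): decrypts to 2*m
    return {
        "naive": rsa_decrypt_naive(c),
        "naive_probe": rsa_decrypt_naive(probe),   # None: the probe is visibly non-conforming
        "sec": rsa_sec_decrypt(c, 10),
        "sec_probe": rsa_sec_decrypt(probe, 10),   # (False, <10 bytes>): same shape as a success
    }
```

The caller of unpad_sec still has to avoid turning the returned flag into a new oracle (for example by sending a different error message or doing a different amount of work when it is False); the nettle change removes the leak inside the library, not in the protocol code around it.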
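The four file CVEs above (SUSE-SU-2019:571-1) all sit in do_core_note, the code that walks the notes of a core file and pulls fields such as the process name out of the NT_PRPSINFO descriptor while trusting the sizes a crafted file states. The parser below is an added example for this page, not file's readelf.c: it checks every namesz and descsz against the bytes actually left before slicing, and refuses an NT_PRPSINFO descriptor shorter than the structure it claims to hold instead of reading past it. The pr_fname offset (40) and structure size (136) are the x86_64 Linux elf_prpsinfo layout and are assumptions of this example; file itself selects those offsets by OS and architecture. The sample note area is constructed inline.

```python
"""Bounds-checked walk over ELF core notes (the structure file's do_core_note parses).
Added example for this page; not file's code."""
import struct

NOTE_HDR = struct.Struct("<III")         # namesz, descsz, type: 32-bit fields in ELF32 and ELF64 alike
NT_PRSTATUS = 1
NT_PRPSINFO = 3
PRPSINFO_FNAME_OFF = 40                  # assumed x86_64 Linux elf_prpsinfo layout: pr_fname[16] at byte 40
PRPSINFO_SIZE = 136                      # assumed sizeof(struct elf_prpsinfo) on x86_64


class NoteError(ValueError):
    """Raised instead of reading outside the buffer."""


def _align4(n: int) -> int:
    return (n + 3) & ~3


def parse_notes(buf: bytes) -> list:
    """Return [(type, name, desc)] for every note in buf. The sizes come from the
    file, so each is compared with the bytes actually remaining before it is used."""
    notes = []
    off = 0
    while off < len(buf):
        if len(buf) - off < NOTE_HDR.size:
            raise NoteError("truncated note header at offset %d" % off)
        namesz, descsz, ntype = NOTE_HDR.unpack_from(buf, off)
        off += NOTE_HDR.size
        if namesz > len(buf) - off:
            raise NoteError("namesz %d exceeds %d remaining bytes" % (namesz, len(buf) - off))
        name = buf[off:off + namesz].split(b"\x00", 1)[0]
        off = min(len(buf), off + _align4(namesz))
        if descsz > len(buf) - off:
            raise NoteError("descsz %d exceeds %d remaining bytes" % (descsz, len(buf) - off))
        desc = buf[off:off + descsz]
        off = min(len(buf), off + _align4(descsz))
        notes.append((ntype, name, desc))
    return notes


def prpsinfo_fname(desc: bytes) -> str:
    """pr_fname from an NT_PRPSINFO descriptor; an undersized descriptor is an error,
    not a read past its end."""
    if len(desc) < PRPSINFO_SIZE:
        raise NoteError("NT_PRPSINFO descriptor is %d bytes, need %d" % (len(desc), PRPSINFO_SIZE))
    raw = desc[PRPSINFO_FNAME_OFF:PRPSINFO_FNAME_OFF + 16]
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")


def core_command(buf: bytes) -> tuple:
    """("ok", pr_fname or None) for a well-formed note area, ("malformed", reason) otherwise."""
    try:
        for ntype, name, desc in parse_notes(buf):
            if name == b"CORE" and ntype == NT_PRPSINFO:
                return ("ok", prpsinfo_fname(desc))
        return ("ok", None)
    except NoteError as exc:
        return ("malformed", str(exc))


def _note(name: bytes, ntype: int, desc: bytes) -> bytes:
    """Build one well-formed note; used only to construct the sample input below."""
    name = name + b"\x00"
    body = NOTE_HDR.pack(len(name), len(desc), ntype) + name
    body += b"\x00" * (_align4(len(name)) - len(name)) + desc
    return body + b"\x00" * (_align4(len(desc)) - len(desc))


# Constructed sample: a prpsinfo descriptor naming "cilium-agent", then a prstatus note.
_PRPSINFO = bytearray(PRPSINFO_SIZE)
_PRPSINFO[PRPSINFO_FNAME_OFF:PRPSINFO_FNAME_OFF + 12] = b"cilium-agent"
GOOD_NOTES = _note(b"CORE", NT_PRPSINFO, bytes(_PRPSINFO)) + _note(b"CORE", NT_PRSTATUS, b"\x00" * 8)
TRUNCATED_NOTES = GOOD_NOTES[:60]                             # descsz still says 136; the bytes are gone
SHORT_PRPSINFO = _note(b"CORE", NT_PRPSINFO, b"\x00" * 8)     # descsz too small for the claimed type
```

Both malformed samples are the shape of input the CVEs describe: a note whose stated size runs past the segment, and a descriptor that is too short for the fixed-layout structure the type implies.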
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:858-1
Released:    Wed Apr 3 15:50:37 2019
Summary:     Recommended update for libtirpc
Type:        recommended
Severity:    moderate
References:  1120689,1126096

This update for libtirpc fixes the following issues:

- Fix a "yp_bind_client_create_v3: RPC: Unknown host" error (bsc#1126096).
- Add an option to enforce connection via protocol version 2 first (bsc#1120689).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:866-1
Released:    Thu Apr 4 11:24:48 2019
Summary:     Recommended update for apparmor
Type:        recommended
Severity:    moderate
References:  1120279,1125439

This update for apparmor fixes the following issues:

- Add /proc/pid/tcp and /proc/pid/tcp6 entries to the apparmor profile. (bsc#1125439)
- Allow network access and notify file creation/access (bsc#1120279)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:894-1
Released:    Fri Apr 5 17:16:23 2019
Summary:     Recommended update for rpm
Type:        recommended
Severity:    moderate
References:  1119414,1126327,1129753,SLE-3853,SLE-4117

This update for rpm fixes the following issues:

- This update shortens the RPM changelog to entries after a certain cut-off date (bsc#1129753)
- Translate dashes to underscores in kmod provides (FATE#326579, jsc#SLE-4117, jsc#SLE-3853, bsc#1119414).
- Re-add symset-table from SLE 12 (bsc#1126327).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:903-1
Released:    Mon Apr 8 15:41:44 2019
Summary:     Security update for glibc
Type:        security
Severity:    moderate
References:  1100396,1122729,1130045,CVE-2016-10739

This update for glibc fixes the following issues:

Security issue fixed:

- CVE-2016-10739: Fixed an improper implementation of the getaddrinfo function, which accepted an IPv4 address followed by whitespace and arbitrary further characters and could therefore allow applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings (bsc#1122729).

Other issues fixed:

- Fixed an issue where pthread_mutex_trylock did not use a correct order of instructions while maintaining the robust mutex list, due to missing compiler barriers (bsc#1130045).
- Added new Japanese Era name support (bsc#1100396).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:905-1
Released:    Mon Apr 8 16:48:02 2019
Summary:     Recommended update for gcc
Type:        recommended
Severity:    moderate
References:  1096008

This update for gcc fixes the following issues:

- Fix gcc-PIE spec to properly honor -no-pie at link time.
  (bsc#1096008)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1002-1
Released:    Wed Apr 24 10:13:34 2019
Summary:     Recommended update for zlib
Type:        recommended
Severity:    moderate
References:  1110304,1129576

This update for zlib fixes the following issues:

- Fixes a segmentation fault error (bsc#1110304, bsc#1129576)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1040-1
Released:    Thu Apr 25 17:09:21 2019
Summary:     Security update for samba
Type:        security
Severity:    important
References:  1114407,1124223,1125410,1126377,1131060,1131686,CVE-2019-3880

This update for samba fixes the following issues:

Security issue fixed:

- CVE-2019-3880: Fixed a path/symlink traversal vulnerability, which allowed an unprivileged user to save registry files outside a share (bsc#1131060).

ldb was updated to version 1.2.4 (bsc#1125410 bsc#1131686):

- Out-of-bounds read in ldb_wildcard_compare
- Hold at most 10 outstanding paged result cookies
- Put 'results_store' into a doubly linked list
- Refuse to build Samba against a newer minor version of ldb

Non-security issues fixed:

- Fixed the update-apparmor-samba-profile script after apparmor switched to using named profiles (bsc#1126377).
- Abide by the load_printers parameter in smb.conf (bsc#1124223).
- Provide the 32bit samba winbind PAM module and its dependent 32bit libraries.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1105-1
Released:    Tue Apr 30 12:10:58 2019
Summary:     Recommended update for gcc7
Type:        recommended
Severity:    moderate
References:  1084842,1114592,1124644,1128794,1129389,1131264,SLE-6738

This update for gcc7 fixes the following issues:

Update to gcc-7-branch head (r270528).

- Disables switch jump-tables when retpolines are used. This restores some lost performance for kernel builds with retpolines. (bsc#1131264, jsc#SLE-6738)
- Fix ICE compiling tensorflow on aarch64.
  (bsc#1129389)
- Fix for aarch64 FMA steering pass use-after-free. (bsc#1128794)
- Fix for s390x FP load-and-test issue. (bsc#1124644)
- Improve build reproducibility by disabling address-space randomization during build.
- Adjust gnat manual entries in the info directory. (bsc#1114592)
- Includes fix to no longer try linking -lieee with -mieee-fp. (bsc#1084842)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1121-1
Released:    Tue Apr 30 18:02:43 2019
Summary:     Security update for gnutls
Type:        security
Severity:    important
References:  1118087,1130681,1130682,CVE-2018-16868,CVE-2019-3829,CVE-2019-3836

This update for gnutls to version 3.6.7 fixes the following issues:

Security issues fixed:

- CVE-2019-3836: Fixed an invalid pointer access via malformed TLS 1.3 async messages (bsc#1130682).
- CVE-2019-3829: Fixed a double-free vulnerability in the certificate verification API (bsc#1130681).
- CVE-2018-16868: Fixed Bleichenbacher-like side-channel leakage in PKCS#1 v1.5 verification and padding oracle verification (bsc#1118087).

Non-security issue fixed:

- Update gnutls to support TLS 1.3 (fate#327114)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1127-1
Released:    Thu May 2 09:39:24 2019
Summary:     Security update for sqlite3
Type:        security
Severity:    moderate
References:  1130325,1130326,CVE-2019-9936,CVE-2019-9937

This update for sqlite3 to version 3.28.0 fixes the following issues:

Security issues fixed:

- CVE-2019-9936: Fixed a heap-based buffer over-read when running fts5 prefix queries inside a transaction (bsc#1130326).
- CVE-2019-9937: Fixed a denial of service related to interleaving reads and writes in a single transaction with an fts5 virtual table (bsc#1130325).
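The glibc getaddrinfo item above (SUSE-SU-2019:903-1) is about a parser that stopped at the first whitespace and reported success, so an application that validated "10.0.0.1 \r\nX-Header: ..." through getaddrinfo and then copied the original string into a request would smuggle a header line. The Python below is an added example for this page, not glibc's code: parse_ipv4_lenient models the acceptance the advisory describes, parse_ipv4_strict relies on the ipaddress module, and classify_host is the check an application should run on a host string before it is used verbatim. The hostname pattern and the SMUGGLED sample are constructed for the example.

```python
"""Strict versus lenient IPv4 literal acceptance, modelled on the getaddrinfo issue above.
Added example for this page; not glibc's code."""
import ipaddress
import re

# Assumed hostname grammar for the example: RFC 1123 style labels joined by dots.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME = re.compile(rf"(?:{_LABEL}\.)*{_LABEL}", re.IGNORECASE)


def parse_ipv4_strict(text: str):
    """Four octets of a bare dotted quad, or None for anything else (whitespace,
    trailing data and surrounding junk all fail)."""
    try:
        return tuple(ipaddress.IPv4Address(text).packed)
    except ValueError:
        return None


def parse_ipv4_lenient(text: str):
    """Model of the pre-fix behaviour the advisory describes: take the first
    whitespace-delimited token as the address and ignore whatever follows.
    A constructed illustration of the bug class, not glibc's implementation."""
    token = text.split(maxsplit=1)[0] if text.split() else ""
    return parse_ipv4_strict(token)


def classify_host(host: str) -> tuple:
    """Decide whether host may be used verbatim, e.g. inside a Host header."""
    octets = parse_ipv4_strict(host)
    if octets is not None:
        return ("ipv4", octets)
    if len(host) <= 253 and _HOSTNAME.fullmatch(host):
        return ("hostname", host.lower())
    return ("rejected", host)


def request_head(host: str) -> str:
    """Only a classified host reaches the wire; nothing is built for a rejected one."""
    kind, _ = classify_host(host)
    if kind == "rejected":
        raise ValueError("refusing host %r" % host)
    return "GET / HTTP/1.1\r\nHost: %s\r\n\r\n" % host


# Constructed input: an address literal carrying a smuggled header line.
SMUGGLED = "10.0.0.1 \r\nX-Forwarded-For: admin"
```

The lenient parser "successfully" extracts 10.0.0.1 from SMUGGLED, which is precisely why success from the resolver must not be taken as proof that the whole string is safe to reuse.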
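The samba CVE-2019-3880 item above is a confinement failure: a path chosen by a share user, containing '..' components or a symlink planted inside the share, resolved outside the share root before the registry file was written. The function below is an added example for this page, not Samba's code. It resolves both the share root and the candidate with os.path.realpath and then requires the resolved candidate to sit under the resolved root, so that symlinks are judged after they are followed rather than on their textual path. The temporary share layout in demo() is constructed. The check still has a window between check and write (a directory swapped for a symlink in between); closing that needs directory-relative opens with O_NOFOLLOW, which this example does not cover.

```python
"""Confine a user-supplied path to a share root, symlinks included.
Added example for this page; not Samba's code."""
import os
import tempfile


def resolve_in_share(share_root, user_path):
    """Real on-disk path for user_path inside share_root, or None if it would escape.
    Both sides are passed through realpath so '..' and symlinks are evaluated before
    the containment test, not after."""
    root = os.path.realpath(share_root)
    candidate = os.path.realpath(os.path.join(root, user_path.lstrip("/\\")))
    try:
        if os.path.commonpath([root, candidate]) != root:
            return None
    except ValueError:                    # paths on different drives (Windows)
        return None
    return candidate


def demo():
    """Constructed share: share/sub/link is a symlink an unprivileged user planted
    that points at a directory outside the share."""
    with tempfile.TemporaryDirectory() as tmp:
        share = os.path.join(tmp, "share")
        outside = os.path.join(tmp, "outside")
        os.makedirs(os.path.join(share, "sub"))
        os.makedirs(outside)
        os.symlink(outside, os.path.join(share, "sub", "link"))
        expected = os.path.join(os.path.realpath(share), "sub", "reg.tdb")
        return {
            "plain": resolve_in_share(share, "sub/reg.tdb") == expected,
            "dotdot": resolve_in_share(share, "sub/../../outside/reg.tdb"),
            "symlink": resolve_in_share(share, "sub/link/reg.tdb"),
            "absolute": resolve_in_share(share, "/sub/reg.tdb") == expected,
        }
```

A textual check such as `".." not in user_path` would have passed the symlink case: the string "sub/link/reg.tdb" looks harmless, and only resolution shows where it lands.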
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1206-1
Released:    Fri May 10 14:01:55 2019
Summary:     Security update for bzip2
Type:        security
Severity:    low
References:  985657,CVE-2016-3189

This update for bzip2 fixes the following issues:

Security issue fixed:

- CVE-2016-3189: Fixed a use-after-free in bzip2recover (bsc#985657).

The following package changes have been done:

- aaa_base-84.87+git20180409.04c9dae-3.6.1 updated
- binutils-2.31-5.31 updated
- cilium-cni-1.4.2-1.2 added
- cilium-1.4.2-1.2 updated
- clang7-7.0.1-1.16 added
- clang-7.0.1-1.17 updated
- cni-plugins-0.7.4-1.11 updated
- cni-0.6.0-1.11 updated
- cpp7-7.4.1+r270528-4.6.1 updated
- cpp-7-3.3.22 updated
- dbus-1-1.12.2-6.21 updated
- file-magic-5.32-7.5.1 updated
- gcc7-7.4.1+r270528-4.6.1 updated
- gcc-7-3.3.22 updated
- glibc-32bit-2.26-13.19.1 updated
- glibc-devel-32bit-2.26-13.19.1 updated
- glibc-devel-2.26-13.19.1 updated
- glibc-2.26-13.19.1 updated
- iproute2-4.12-10.15 updated
- kbd-legacy-2.0.4-8.3.1 updated
- kbd-2.0.4-8.3.1 updated
- krb5-1.16.3-1.16 updated
- libLLVM7-7.0.1-1.16 added
- libLTO7-7.0.1-1.16 added
- libapparmor1-2.12.2-7.17.1 updated
- libasan4-7.4.1+r270528-4.6.1 updated
- libblkid1-2.33.1-2.28 updated
- libbz2-1-1.0.6-5.3.1 updated
- libcap-ng0-0.7.9-4.37 updated
- libcilkrts5-7.4.1+r270528-4.6.1 updated
- libclang7-7.0.1-1.16 added
- libcryptsetup12-2.0.5-2.1 updated
- libdbus-1-3-1.12.2-6.21 updated
- libdevmapper1_03-1.02.149-10.13 updated
- libfdisk1-2.33.1-2.28 updated
- libgcrypt20-1.8.2-6.7 updated
- libgnutls30-3.6.7-6.8.1 updated
- libgpgme11-1.10.0-4.3.4 updated
- libhogweed4-3.4.1-4.9.1 updated
- libmagic1-5.32-7.5.1 updated
- libmount1-2.33.1-2.28 updated
- libnettle6-3.4.1-4.9.1 updated
- libopenssl1_1-1.1.0i-12.9 updated
- libp11-kit0-0.23.2-4.2.1 updated
- libsasl2-3-2.1.26-5.3.1 updated
- libselinux1-2.8-6.35 updated
- libsemanage1-2.8-4.35 updated
- libsepol1-2.8-4.37 updated
- libsmartcols1-2.33.1-2.28
  updated
- libsolv-tools-0.7.3-1.20 updated
- libsqlite3-0-3.28.0-3.6.1 updated
- libssh4-0.8.4-8.26 updated
- libstdc++-devel-7-3.3.22 updated
- libstdc++6-devel-gcc7-7.4.1+r270528-4.6.1 updated
- libsystemd0-234-24.25.1 updated
- libtasn1-6-4.13-4.2.1 updated
- libtasn1-4.13-4.2.1 updated
- libtirpc-netconfig-1.0.2-3.8.1 updated
- libtirpc3-1.0.2-3.8.1 updated
- libubsan0-7.4.1+r270528-4.6.1 updated
- libudev1-234-24.25.1 updated
- libuuid1-2.33.1-2.28 updated
- libxml2-2-2.9.7-3.6.1 updated
- libz1-1.2.11-3.6.4 updated
- libzypp-17.11.4-1.8 updated
- llvm7-7.0.1-1.16 added
- llvm-7.0.1-1.17 updated
- openssl-1_1-1.1.0i-12.9 updated
- p11-kit-tools-0.23.2-4.2.1 updated
- p11-kit-0.23.2-4.2.1 updated
- pam-config-0.96-5.17 updated
- permissions-20181116-7.2 updated
- rpm-4.14.1-10.16.1 updated
- shadow-4.6-1.31 updated
- systemd-presets-branding-SLE-15.1-18.10 updated
- systemd-presets-common-SUSE-15-6.10 updated
- systemd-234-24.25.1 updated
- udev-234-24.25.1 updated
- util-linux-2.33.1-2.28 updated
- zypper-1.14.27-1.11 updated
- container:sles15-image-15.0.0-6.2.17 updated
- clang5-5.0.1-8.5.1 removed
- libLLVM5-5.0.1-8.5.1 removed
- libLTO5-5.0.1-8.5.1 removed
- libclang5-5.0.1-8.5.1 removed
- libustr-1_0-1-1.0.4-2.20 removed
- llvm5-5.0.1-8.5.1 removed