SUSE Container Update Advisory: caasp/v4/hyperkube ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:166-1 Container Tags : caasp/v4/hyperkube:v1.17.4 , caasp/v4/hyperkube:v1.17.4-rev5 , caasp/v4/hyperkube:v1.17.4-rev5-build3.12.1 Container Release : 3.12.1 Severity : important Type : security References : 1002895 1013125 1027282 1029377 1029902 1040164 1042670 1070853 1079761 1081750 1083507 1084671 1086001 1088004 1088009 1088573 1092920 1094814 1102840 1106383 1107030 1107105 1109663 1109847 1120644 1121353 1122191 1124556 1125689 1129346 1130840 1131817 1132337 1133452 1133495 1134365 1135114 1137227 1137337 1137942 1138459 1138666 1139459 1139939 1140504 1140879 1141203 1141853 1145571 1145756 1146182 1146184 1148360 1148498 1148788 1149121 1149332 1149792 1149955 1150021 1151023 1151377 1151490 1151582 1152334 1152335 1152692 1153238 1153876 1154230 1154256 1154804 1154805 1155045 1155198 1155205 1155207 1155298 1155323 1155327 1155337 1155350 1155357 1155360 1155463 1155574 1155593 1155655 1155678 1155810 1155819 1155950 1156158 1156213 1156300 1156482 1156571 1157292 1157337 1157377 1157611 1157794 1157802 1157893 1158095 1158485 1158763 1158830 1158921 1158923 1158925 1158926 1158927 1158929 1158930 1158931 1158932 1158933 1158996 1159003 1159035 1159074 1159108 1159314 1159452 1159622 1159814 1160039 1160160 1160443 1160460 1160571 1160594 1160595 1160600 1160735 1160764 1160920 1160970 1160979 1161056 1161074 1161179 1161215 1161216 1161218 1161219 1161220 1161262 1161312 1161436 1161770 1161779 1161816 1161975 1162093 1162108 1162108 1162152 1162224 1162367 1162423 1162518 1162825 1163184 1163922 1164390 1164505 1164562 1164717 1164950 1164950 1165011 1165539 1165579 1165784 1165894 1166106 1166139 1166403 1166481 1166484 1166510 1166510 1166748 1166880 1166881 1167163 1167223 1167631 1167674 1167732 1168076 1168345 1168364 1168669 1168699 1168835 1169569 1169872 1169992 1170173 1170571 1170572 637176 658604 673071 709442 743787 747125 751718 754447 754677 787526 809831 831629 834601 871152 885662 885882 917607 942751 951166 983582 984751 985177 985348 989523 CVE-2011-3389 CVE-2011-4944 CVE-2012-0845 CVE-2012-1150 CVE-2013-1752 CVE-2013-4238 CVE-2014-2667 CVE-2014-4650 CVE-2016-0772 CVE-2016-1000110 CVE-2016-5636 CVE-2016-5699 CVE-2017-18207 CVE-2018-1000802 CVE-2018-1060 CVE-2018-1061 CVE-2018-14647 CVE-2018-20406 CVE-2018-20852 CVE-2019-10160 CVE-2019-14889 CVE-2019-15903 CVE-2019-16056 CVE-2019-16935 CVE-2019-18802 CVE-2019-18900 CVE-2019-19126 CVE-2019-20386 CVE-2019-3687 CVE-2019-5010 CVE-2019-5188 CVE-2019-9511 CVE-2019-9513 CVE-2019-9636 CVE-2019-9674 CVE-2019-9947 CVE-2020-10029 CVE-2020-11501 CVE-2020-1699 CVE-2020-1700 CVE-2020-1712 CVE-2020-1712 CVE-2020-1730 CVE-2020-1752 CVE-2020-1759 CVE-2020-1760 CVE-2020-8013 CVE-2020-8492 ----------------------------------------------------------------- The container caasp/v4/hyperkube was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:114-1 Released: Thu Jan 16 10:11:52 2020 Summary: Security update for python3 Type: security Severity: important References: 1027282,1029377,1029902,1040164,1042670,1070853,1079761,1081750,1083507,1086001,1088004,1088009,1088573,1094814,1107030,1109663,1109847,1120644,1122191,1129346,1130840,1133452,1137942,1138459,1141853,1149121,1149792,1149955,1151490,1153238,1159035,1159622,637176,658604,673071,709442,743787,747125,751718,754447,754677,787526,809831,831629,834601,871152,885662,885882,917607,942751,951166,983582,984751,985177,985348,989523,CVE-2011-3389,CVE-2011-4944,CVE-2012-0845,CVE-2012-1150,CVE-2013-1752,CVE-2013-4238,CVE-2014-2667,CVE-2014-4650,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699,CVE-2017-18207,CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061,CVE-2018-14647,CVE-2018-20406,CVE-2018-20852,CVE-2019-10160,CVE-2019-15903,CVE-2019-16056,CVE-2019-16935,CVE-2019-5010,CVE-2019-9636,CVE-2019-9947 This update for python3 to version 3.6.10 fixes the following issues: - CVE-2017-18207: Fixed a denial of service in Wave_read._read_fmt_chunk() (bsc#1083507). - CVE-2019-16056: Fixed an issue where email parsing could fail for multiple @ (bsc#1149955). - CVE-2019-15903: Fixed a heap-based buffer over-read in libexpat (bsc#1149429). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:129-1 Released: Mon Jan 20 09:21:13 2020 Summary: Security update for libssh Type: security Severity: important References: 1158095,CVE-2019-14889 This update for libssh fixes the following issues: - CVE-2019-14889: Fixed an unwanted command execution in scp caused by unsanitized location (bsc#1158095). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:158-1 Released: Wed Jan 22 08:03:20 2020 Summary: Recommended update for ceph Type: recommended Severity: moderate References: 1124556,1131817,1132337,1134365,1137227,1140504,1140879,1141203,1145571,1145756,1148360,1148498,1153876,1154230,1155045,1155463,1155655,1155950,1156571,1157611,1158923,1158925,1158926,1158927,1158929,1158930,1158931,1158932,1158933,1160920 This update for ceph fixes the following issues: Ceph was updated to 14.2.5-371-g3551250731: This is the upstream Nautilus 14.2.5 point release, see https://ceph.io/releases/v14-2-5-nautilus-released/ * health warnings will be issued if daemons have recently crashed (bsc#1158923) * pg_num must be a power of two, otherwise HEALTH_WARN (bsc#1158925) * pool size must be > 1, otherwise HEALTH_WARN (bsc#1158926) * health warning if average OSD heartbeat ping time exceeds threshold (bsc#1158927) * changes in the telemetry MGR module (bsc#1158929) * new OSD daemon command dump_recovery_reservations (bsc#1158930) * new OSD daemon command dump_scrub_reservations (bsc#1158931) * RGW now supports S3 Object Lock set of APIs (bsc#1158932) * RGW now supports List Objects V2 (bsc#1158933) * mon: keep v1 address type when explicitly (bsc#1140879) * doc: mention --namespace option in rados manpage (bsc#1157611) * mgr/dashboard: Remove env_build from e2e:ci * ceph-volume: check if we run in an selinux environment * qa/dashboard_e2e_tests.sh: Automatically use correct chromedriver version (bsc#1155950) * rebase on tip of upstream nautilus, SHA1 9989c20373e2294b7479ec4bd6ac5cce80b01645 * rgw: add S3 object lock feature to support object worm (jsc#SES-582) * os/bluestore: apply garbage collection against excessive blob count growth (bsc#1124556) * doc: update bluestore cache settings and clarify data fraction (bsc#1131817) * mgr/dashboard: Allow the decrease of pg's of an existing pool (bsc#1132337) * core: Improve health status for backfill_toofull and recovery_toofull and fix backfill_toofull seen on cluster where the most full OSD is at 1% (bsc#1134365) * mgr/dashboard: Set RO as the default access_type for RGW NFS exports (bsc#1137227) * mgr/dashboard: Allow disabling redirection on standby Dashboards (bsc#1140504) * rgw: dns name is not case sensitive (bsc#1141203) * os/bluestore: shallow fsck mode and legacy statfs auto repair (bsc#1145571) * mgr/dashboard: Display WWN and LUN number in iSCSI target details (bsc#1145756) * mgr/dashboard: access_control: add grafana scope read access to *-manager roles (bsc#1148360) * mgr/dashboard: internationalization support with AOT enabled (bsc#1148498) * mgr/dashboard: Fix data point alignment in MDS counters chart (bsc#1153876) * mgr/balancer: python3 compatibility issue (bsc#1154230) * mgr/dashboard: add debug mode, and accept expected exception when SSL handshaking (bsc#1155045) * mgr/{dashboard,prometheus}: return FQDN instead of '0.0.0.0' (bsc#1155463) * core: Improve health status for backfill_toofull and recovery_toofull and fix backfill_toofull seen on cluster where the most full OSD is at 1% (bsc#1155655) * mon: ensure prepare_failure() marks no_reply on op (bsc#1156571) * mgr/dashboard: Automatically use correct chromedriver version + Revert 'rgw_file: introduce fast S3 Unix stats (immutable)' because it is incompatible with NFS-Ganesha 2.8 * include hotfix from upstream v14.2.6 release (bsc#1160920): * mon/PGMap.h: disable network stats in dump_osd_stats * osd_stat_t::dump: Add option for ceph-mgr python callers to skip ping network ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:225-1 Released: Fri Jan 24 06:49:07 2020 Summary: Recommended update for procps Type: recommended Severity: moderate References: 1158830 This update for procps fixes the following issues: - Fix for 'ps -C' allowing to accept any arguments longer than 15 characters anymore. (bsc#1158830) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:256-1 Released: Wed Jan 29 09:39:17 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1157794,1160970 This update for aaa_base fixes the following issues: - Improves the way how the Java path is created to fix an issue with sapjvm. (bsc#1157794) - Drop 'dev.cdrom.autoclose' = 0 from sysctl config. (bsc#1160970) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:262-1 Released: Thu Jan 30 11:02:42 2020 Summary: Security update for glibc Type: security Severity: moderate References: 1149332,1151582,1157292,1157893,1158996,CVE-2019-19126 This update for glibc fixes the following issues: Security issue fixed: - CVE-2019-19126: Fixed to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition (bsc#1157292). Bug fixes: - Fixed z15 (s390x) strstr implementation that can return incorrect results if search string cross page boundary (bsc#1157893). - Fixed Hardware support in toolchain (bsc#1151582). - Fixed syscalls during early process initialization (SLE-8348). - Fixed an array overflow in backtrace for PowerPC (bsc#1158996). - Moved to posix_spawn on popen (bsc#1149332). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:265-1 Released: Thu Jan 30 14:05:34 2020 Summary: Security update for e2fsprogs Type: security Severity: moderate References: 1160571,CVE-2019-5188 This update for e2fsprogs fixes the following issues: - CVE-2019-5188: Fixed a code execution vulnerability in the directory rehashing functionality (bsc#1160571). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:279-1 Released: Fri Jan 31 12:01:39 2020 Summary: Recommended update for p11-kit Type: recommended Severity: moderate References: 1013125 This update for p11-kit fixes the following issues: - Also build documentation (bsc#1013125) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:296-1 Released: Fri Jan 31 17:23:43 2020 Summary: Security update for ceph Type: security Severity: moderate References: 1161074,1161312,CVE-2020-1699,CVE-2020-1700 This update for ceph fixes the following issues: - CVE-2020-1700: Fixed a denial of service against the RGW server via connection leakage (bsc#1161312). - CVE-2020-1699: Fixed a information disclosure by improper URL checking (bsc#1161074). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:335-1 Released: Thu Feb 6 11:37:24 2020 Summary: Security update for systemd Type: security Severity: important References: 1084671,1092920,1106383,1133495,1151377,1154256,1155207,1155574,1156213,1156482,1158485,1159814,1161436,1162108,CVE-2019-20386,CVE-2020-1712 This update for systemd fixes the following issues: - CVE-2020-1712 (bsc#bsc#1162108) Fix a heap use-after-free vulnerability, when asynchronous Polkit queries were performed while handling Dbus messages. A local unprivileged attacker could have abused this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted Dbus messages. - Use suse.pool.ntp.org server pool on SLE distros (jsc#SLE-7683) - libblkid: open device in nonblock mode. (bsc#1084671) - udev/cdrom_id: Do not open CD-rom in exclusive mode. (bsc#1154256) - bus_open leak sd_event_source when udevadm trigger。 (bsc#1161436 CVE-2019-20386) - fileio: introduce read_full_virtual_file() for reading virtual files in sysfs, procfs (bsc#1133495 bsc#1159814) - fileio: initialize errno to zero before we do fread() - fileio: try to read one byte too much in read_full_stream() - logind: consider 'greeter' sessions suitable as 'display' sessions of a user (bsc#1158485) - logind: never elect a session that is stopping as display - journal: include kmsg lines from the systemd process which exec()d us (#8078) - udevd: don't use monitor after manager_exit() - udevd: capitalize log messages in on_sigchld() - udevd: merge conditions to decrease indentation - Revert 'udevd: fix crash when workers time out after exit is signal caught' - core: fragments of masked units ought not be considered for NeedDaemonReload (#7060) (bsc#1156482) - udevd: fix crash when workers time out after exit is signal caught - udevd: wait for workers to finish when exiting (bsc#1106383) - Improve bash completion support (bsc#1155207) * shell-completion: systemctl: do not list template units in {re,}start * shell-completion: systemctl: pass current word to all list_unit* * bash-completion: systemctl: pass current partial unit to list-unit* (bsc#1155207) * bash-completion: systemctl: use systemctl --no-pager * bash-completion: also suggest template unit files * bash-completion: systemctl: add missing options and verbs * bash-completion: use the first argument instead of the global variable (#6457) - networkd: VXLan Make group and remote variable separate (bsc#1156213) - networkd: vxlan require Remote= to be a non multicast address (#8117) (bsc#1156213) - fs-util: let's avoid unnecessary strerror() - fs-util: introduce inotify_add_watch_and_warn() helper - ask-password: improve log message when inotify limit is reached (bsc#1155574) - shared/install: failing with -ELOOP can be due to the use of an alias in install_error() (bsc#1151377) - man: alias names can't be used with enable command (bsc#1151377) - Add boot option to not use swap at system start (jsc#SLE-7689) - Allow YaST to select Iranian (Persian, Farsi) keyboard layout (bsc#1092920) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:339-1 Released: Thu Feb 6 13:03:22 2020 Summary: Recommended update for openldap2 Type: recommended Severity: low References: 1158921 This update for openldap2 provides the following fix: - Add libldap-data to the product (as it contains ldap.conf). (bsc#1158921) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:340-1 Released: Thu Feb 6 13:03:56 2020 Summary: Recommended update for python-rpm-macros Type: recommended Severity: moderate References: 1161770 This update for python-rpm-macros fixes the following issues: - Add macros related to the Python dist metadata dependency generator. (bsc#1161770) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:368-1 Released: Fri Feb 7 13:49:41 2020 Summary: Recommended update for lvm2 Type: recommended Severity: moderate References: 1150021 This update for lvm2 fixes the following issues: - Fix for LVM in KVM: The scsi presistent reservation scenario can trigger and error during LVM actions. (bsc#1150021) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:386-1 Released: Mon Feb 17 11:41:23 2020 Summary: Skuba bug fix, supportconfig update, cri-o and kubernetes fixes, and prometheus fixes Type: recommended Severity: important References: 1137337,1152335,1155323,1155593,1155810,1157802,1159074,1159452,1160443,1160600,1161056,1161179,1161975 = Required Actions Update skuba, kubernetes-client and kubernetes-kubeadm packages on your management workstation as you would do with any other package. Refer to: https://documentation.suse.com/sles/15-SP1/single-html/SLES-admin/#sec-zypper-softup-update Packages on your cluster nodes (cri-o, kubernetes, supportutils-plugin-suse-caasp) will be updated automatically by skuba-update link:https://documentation.suse.com/suse-caasp/4.1/html/caasp-admin/_cluster_updates.html#_base_os_updates Use `helm upgrade` command to fix prometheus kube-state-metrics image. Finally, to apply the prometheus pushgateway fix, enable it in your helm chart https://github.com/SUSE/kubernetes-charts-suse-com/blob/master/stable/prometheus/values.yaml#L848 and use helm ugrade command link:https://helm.sh/docs/intro/using_helm/#helm-upgrade-and-helm-rollback-upgrading-a-release-and-recovering-on-failure. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:432-1 Released: Fri Feb 21 14:34:16 2020 Summary: Security update for libsolv, libzypp, zypper Type: security Severity: moderate References: 1135114,1154804,1154805,1155198,1155205,1155298,1155678,1155819,1156158,1157377,1158763,CVE-2019-18900 This update for libsolv, libzypp, zypper fixes the following issues: Security issue fixed: - CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763). Bug fixes - Fixed removing orphaned packages dropped by to-be-installed products (bsc#1155819). - Adds libzypp API to mark all obsolete kernels according to the existing purge-kernel script rules (bsc#1155198). - Do not enforce 'en' being in RequestedLocales If the user decides to have a system without explicit language support he may do so (bsc#1155678). - Load only target resolvables for zypper rm (bsc#1157377). - Fix broken search by filelist (bsc#1135114). - Replace python by a bash script in zypper-log (fixes#304, fixes#306, bsc#1156158). - Do not sort out requested locales which are not available (bsc#1155678). - Prevent listing duplicate matches in tables. XML result is provided within the new list-patches-byissue element (bsc#1154805). - XML add patch issue-date and issue-list (bsc#1154805). - Fix zypper lp --cve/bugzilla/issue options (bsc#1155298). - Always execute commit when adding/removing locales (fixes bsc#1155205). - Fix description of --table-style,-s in man page (bsc#1154804). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:451-1 Released: Tue Feb 25 10:50:35 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1155337,1161215,1161216,1161218,1161219,1161220 This update for libgcrypt fixes the following issues: - ECDSA: Check range of coordinates (bsc#1161216) - FIPS: libgcrypt DSA PQG parameter generation: Missing value [bsc#1161219] - FIPS: libgcrypt DSA PQG verification incorrect results [bsc#1161215] - FIPS: libgcrypt RSA siggen/keygen: 4k not supported [bsc#1161220] - FIPS: keywrap gives incorrect results [bsc#1161218] - FIPS: RSA/DSA/ECDSA are missing hashing operation [bsc#1155337] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:467-1 Released: Tue Feb 25 12:00:39 2020 Summary: Security update for python3 Type: security Severity: moderate References: 1162224,1162367,1162423,1162825,CVE-2019-9674,CVE-2020-8492 This update for python3 fixes the following issues: Security issues fixed: - CVE-2019-9674: Improved the documentation to reflect the dangers of zip-bombs (bsc#1162825). - CVE-2020-8492: Fixed a regular expression in urrlib that was prone to denial of service via HTTP (bsc#1162367). Non-security issue fixed: - If the locale is 'C', coerce it to C.UTF-8 (bsc#1162423). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:476-1 Released: Tue Feb 25 14:23:14 2020 Summary: Recommended update for perl Type: recommended Severity: moderate References: 1102840,1160039 This update for perl fixes the following issues: - Some packages make assumptions about the date and time they are built. This update will solve the issues caused by calling the perl function timelocal expressing the year with two digit only instead of four digits. (bsc#1102840) (bsc#1160039) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:480-1 Released: Tue Feb 25 17:38:22 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1160735 This update for aaa_base fixes the following issues: - Change 'rp_filter' to increase the default priority to ethernet over the wifi. (bsc#1160735) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:525-1 Released: Fri Feb 28 11:49:36 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1164562 This update for pam fixes the following issues: - Add libdb as build-time dependency to enable pam_userdb module. Enable pam_userdb.so (jsc#sle-7258, bsc#1164562) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:547-1 Released: Fri Feb 28 16:26:21 2020 Summary: Security update for permissions Type: security Severity: moderate References: 1148788,1160594,1160764,1161779,1163922,CVE-2019-3687,CVE-2020-8013 This update for permissions fixes the following issues: Security issues fixed: - CVE-2019-3687: Fixed a privilege escalation which could allow a local user to read network traffic if wireshark is installed (bsc#1148788) - CVE-2020-8013: Fixed an issue where chkstat set unintended setuid/capabilities for mrsh and wodim (bsc#1163922). Non-security issues fixed: - Fixed a regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594). - Fixed capability handling when doing multiple permission changes at once (bsc#1161779). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:572-1 Released: Tue Mar 3 13:25:41 2020 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1162518 This update for cyrus-sasl fixes the following issues: - Added support for retrieving negotiated SSF in gssapi plugin (bsc#1162518) - Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF (bsc#1162518) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:573-1 Released: Tue Mar 3 13:37:28 2020 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1160160 This update for ca-certificates-mozilla to 2.40 fixes the following issues: Updated to 2.40 state of the Mozilla NSS Certificate store (bsc#1160160): Removed certificates: - Certplus Class 2 Primary CA - Deutsche Telekom Root CA 2 - CN=Swisscom Root CA 2 - UTN-USERFirst-Client Authentication and Email added certificates: - Entrust Root Certification Authority - G4 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:597-1 Released: Thu Mar 5 15:24:09 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1164950 This update for libgcrypt fixes the following issues: - FIPS: Run the self-tests from the constructor [bsc#1164950] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:633-1 Released: Tue Mar 10 16:23:08 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1139939,1151023 This update for aaa_base fixes the following issues: - get_kernel_version: fix for current kernel on s390x (bsc#1151023, bsc#1139939) - added '-h'/'--help' to the command old - change feedback url from http://www.suse.de/feedback to https://github.com/openSUSE/aaa_base/issues ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:668-1 Released: Fri Mar 13 10:48:58 2020 Summary: Security update for glibc Type: security Severity: moderate References: 1163184,1164505,1165784,CVE-2020-10029 This update for glibc fixes the following issues: - CVE-2020-10029: Fixed a potential overflow in on-stack buffer during range reduction (bsc#1165784). - Fixed an issue where pthread were not always locked correctly (bsc#1164505). - Document mprotect and introduce section on memory protection (bsc#1163184). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:689-1 Released: Fri Mar 13 17:09:01 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1166510 This update for PAM fixes the following issue: - The license of libdb linked against pam_userdb is not always wanted, so we temporary disabled pam_userdb again. It will be published in a different package at a later time. (bsc#1166510) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:475-1 Released: Thu Mar 19 11:00:46 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1160595 This update for systemd fixes the following issues: - Remove TasksMax limit for both user and system slices (jsc#SLE-10123) - Backport IP filtering feature (jsc#SLE-7743 bsc#1160595) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:726-1 Released: Thu Mar 19 13:23:03 2020 Summary: Security update for nghttp2 Type: security Severity: moderate References: 1125689,1146182,1146184,1159003,1166481,CVE-2019-18802,CVE-2019-9511,CVE-2019-9513 This update for nghttp2 fixes the following issues: Security issues fixed: - CVE-2019-9513: Fixed HTTP/2 implementation that is vulnerable to resource loops, potentially leading to a denial of service (bsc#1146184). - CVE-2019-9511: Fixed HTTP/2 implementations that are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service (bsc#11461). - CVE-2019-18802: Fixed malformed request header may cause bypass of route matchers resulting in escalation of privileges or information disclosure (bsc#1159003) Bug fixes and enhancements: - Fixed mistake in spec file (bsc#1125689) Update to version 1.40.0 to fix CVE-2019-18802 in envoy-proxy and cilium-proxy (bsc#1166481) * lib: Add nghttp2_check_authority as public API * lib: Fix the bug that stream is closed with wrong error code * lib: Faster huffman encoding and decoding * build: Avoid filename collision of static and dynamic lib * build: Add new flag ENABLE_STATIC_CRT for Windows * build: cmake: Support building nghttpx with systemd * third-party: Update neverbleed to fix memory leak * nghttpx: Fix bug that mruby is incorrectly shared between backends * nghttpx: Reconnect h1 backend if it lost connection before sending headers * nghttpx: Returns 408 if backend timed out before sending headers * nghttpx: Fix request stal - Conditionally remove dependecy on jemalloc for SLE-12 - Require correct library from devel package - boo#1125689 Update to version 1.39.2 (bsc#1146184, bsc#1146182): * This release fixes CVE-2019-9511 “Data Dribble” and CVE-2019-9513 “Resource Loop” vulnerability in nghttpx and nghttpd. Specially crafted HTTP/2 frames cause Denial of Service by consuming CPU time. Check out https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for details. For nghttpx, additionally limiting inbound traffic by --read-rate and --read-burst options is quite effective against this kind of attack. * Add nghttp2_option_set_max_outbound_ack API function * nghttpx: Fix request stall Update to version 1.39.1: * This release fixes the bug that log-level is not set with cmd-line or configuration file. It also fixes FPE with default backend. Changes for version 1.39.0: * libnghttp2 now ignores content-length in 200 response to CONNECT request as per RFC 7230. * mruby has been upgraded to 2.0.1. * libnghttp2-asio now supports boost-1.70. * http-parser has been replaced with llhttp. * nghttpx now ignores Content-Length and Transfer-Encoding in 1xx or 200 to CONNECT. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:729-1 Released: Thu Mar 19 14:44:22 2020 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1166106 This update for glibc fixes the following issues: - Allow dlopen of filter object to work (bsc#1166106, BZ #16272) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:777-1 Released: Tue Mar 24 18:07:52 2020 Summary: Recommended update for python3 Type: recommended Severity: moderate References: 1165894 This update for python3 fixes the following issue: - Rename idle icons to idle3 in order to not conflict with python2 variant of the package (bsc#1165894) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:793-1 Released: Wed Mar 25 15:16:00 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1139459,1161262,1162108,1164717,1165579,CVE-2020-1712 This update for systemd fixes the following issues: - manager: fix job mode when signalled to shutdown etc (bsc#1161262) - remove fallback for user/exit.target - dbus method Manager.Exit() does not start exit.target - do not install rescue.target for alt-↑ - %j/%J unit specifiers Added support for I/O scheduler selection with blk-mq (bsc#1165579, bsc#1164717). Added the udev 60-ssd-scheduler.rules: - This rules file which select the default IO scheduler for SSDs is being moved out from the git repo since this is not related to systemd or udev at all and is maintained by the kernel team. - core: coldplug possible nop_job (bsc#1139459) - Revert 'udev: use 'deadline' IO scheduler for SSD disks' - Fix typo in function name - polkit: when authorizing via PK let's re-resolve callback/userdata instead of caching it (bsc#1162108 CVE-2020-1712) - sd-bus: introduce API for re-enqueuing incoming messages - polkit: on async pk requests, re-validate action/details ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:814-1 Released: Mon Mar 30 16:23:40 2020 Summary: Recommended update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1 Type: recommended Severity: moderate References: 1161816,1162152,1167223 This update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1 fixes the following issues: libreoffice was updated to 6.4.2.2 (jsc#SLE-11174 jsc#SLE-11175 jsc#SLE-11176 bsc#1167223): Full Release Notes can be found on: https://wiki.documentfoundation.org/ReleaseNotes/6.4 - Fixed broken handling of non-ASCII characters in the KDE filedialog (bsc#1161816) - Move the animation library to core package bsc#1162152 xmlsec1 was updated to 1.2.28: * Added BoringSSL support (chenbd). * Added gnutls-3.6.x support (alonbl). * Added DSA and ECDSA key size getter for MSCNG (vmiklos). * Added --enable-mans configuration option (alonbl). * Added coninuous build integration for MacOSX (vmiklos). * Several other small fixes (more details). - Make sure to recommend at least one backend when you install just xmlsec1 - Drop the gnutls backend as based on the tests it is quite borked: * We still have nss and openssl backend for people to use Version update to 1.2.27: * Added AES-GCM support for OpenSSL and MSCNG (snargit). * Added DSA-SHA256 and ECDSA-SHA384 support for NSS (vmiklos). * Added RSA-OAEP support for MSCNG (vmiklos). * Continuous build integration in Travis and Appveyor. * Several other small fixes (more details). myspell-dictionaries was updated to 20191219: * Updated the English dictionaries: GB+US+CA+AU * Bring shipped Spanish dictionary up to version 2.5 boost was updated to fix: - add a backport of Boost.Optional::has_value() for LibreOffice The QR-Code-generator is shipped: - Initial commit, needed by libreoffice 6.4 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:820-1 Released: Tue Mar 31 13:02:22 2020 Summary: Security update for glibc Type: security Severity: important References: 1167631,CVE-2020-1752 This update for glibc fixes the following issues: - CVE-2020-1752: Fixed a use after free in glob which could have allowed a local attacker to create a specially crafted path that, when processed by the glob function, could potentially have led to arbitrary code execution (bsc#1167631). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:834-1 Released: Tue Mar 31 17:21:34 2020 Summary: Recommended update for permissions Type: recommended Severity: moderate References: 1167163 This update for permissions fixes the following issue: - whitelist s390-tools set group ID (setgid) bit on log directory. (bsc#1167163) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:846-1 Released: Thu Apr 2 07:24:07 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1164950,1166748,1167674 This update for libgcrypt fixes the following issues: - FIPS: Remove an unneeded check in _gcry_global_constructor (bsc#1164950) - FIPS: Fix drbg to be threadsafe (bsc#1167674) - FIPS: Run self-tests from constructor during power-on [bsc#1166748] * Set up global_init as the constructor function: * Relax the entropy requirements on selftest. This is especially important for virtual machines to boot properly before the RNG is available: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:850-1 Released: Thu Apr 2 14:37:31 2020 Summary: Recommended update for mozilla-nss Type: recommended Severity: moderate References: 1155350,1155357,1155360,1166880 This update for mozilla-nss fixes the following issues: Added various fixes related to FIPS certification: * Use getrandom() to obtain entropy where possible. * Make DSA KAT FIPS compliant. * Use FIPS compliant hash when validating keypair. * Enforce FIPS requirements on RSA key generation. * Miscellaneous fixes to CAVS tests. * Enforce FIPS limits on how much data can be processed without rekeying. * Run self tests on library initialization in FIPS mode. * Disable non-compliant algorithms in FIPS mode (hashes and the SEED cipher). * Clear various temporary variables after use. * Allow MD5 to be used in TLS PRF. * Preferentially gather entropy from /dev/random over /dev/urandom. * Allow enabling FIPS mode consistently with NSS_FIPS environment variable. * Fix argument parsing bug in lowhashtest. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:917-1 Released: Fri Apr 3 15:02:25 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1166510 This update for pam fixes the following issues: - Moved pam_userdb into a separate package pam-extra. (bsc#1166510) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:930-1 Released: Mon Apr 6 20:23:10 2020 Summary: Security update for ceph Type: security Severity: important References: 1166403,1166484,CVE-2020-1759,CVE-2020-1760 This update for ceph fixes the following issues: - CVE-2020-1759: Fixed once reuse in msgr V2 secure mode (bsc#1166403) - CVE-2020-1760: Fixed XSS due to RGW GetObject header-splitting (bsc#1166484). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:948-1 Released: Wed Apr 8 07:44:21 2020 Summary: Security update for gmp, gnutls, libnettle Type: security Severity: moderate References: 1152692,1155327,1166881,1168345,CVE-2020-11501 This update for gmp, gnutls, libnettle fixes the following issues: Security issue fixed: - CVE-2020-11501: Fixed zero random value in DTLS client hello (bsc#1168345) FIPS related bugfixes: - FIPS: Install checksums for binary integrity verification which are required when running in FIPS mode (bsc#1152692, jsc#SLE-9518) - FIPS: Fixed a cfb8 decryption issue, no longer truncate output IV if input is shorter than block size. (bsc#1166881) - FIPS: Added Diffie Hellman public key verification test. (bsc#1155327) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:949-1 Released: Wed Apr 8 07:45:48 2020 Summary: Recommended update for mozilla-nss Type: recommended Severity: moderate References: 1168669 This update for mozilla-nss fixes the following issues: - Use secure_getenv() to avoid PR_GetEnvSecure() being called when NSPR is unavailable, resulting in an abort (bsc#1168669). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:961-1 Released: Wed Apr 8 13:34:06 2020 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1160979 This update for e2fsprogs fixes the following issues: - e2fsck: clarify overflow link count error message (bsc#1160979) - ext2fs: update allocation info earlier in ext2fs_mkdir() (bsc#1160979) - ext2fs: implement dir entry creation in htree directories (bsc#1160979) - tests: add test to excercise indexed directories with metadata_csum (bsc#1160979) - tune2fs: update dir checksums when clearing dir_index feature (bsc#1160979) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:967-1 Released: Thu Apr 9 11:41:53 2020 Summary: Security update for libssh Type: security Severity: moderate References: 1168699,CVE-2020-1730 This update for libssh fixes the following issues: - CVE-2020-1730: Fixed a possible denial of service when using AES-CTR (bsc#1168699). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:969-1 Released: Thu Apr 9 11:43:17 2020 Summary: Security update for permissions Type: security Severity: moderate References: 1168364 This update for permissions fixes the following issues: - Fixed spelling of icinga group (bsc#1168364) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:981-1 Released: Mon Apr 13 15:43:44 2020 Summary: Recommended update for rpm Type: recommended Severity: moderate References: 1156300 This update for rpm fixes the following issues: - Fix for language package macros to avoid wrong requirement on shared library. (bsc#1156300) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1026-1 Released: Fri Apr 17 16:14:43 2020 Summary: Recommended update for libsolv Type: recommended Severity: moderate References: 1159314 This update for libsolv fixes the following issues: libsolv was updated to version 0.7.11: - fix solv_zchunk decoding error if large chunks are used (bsc#1159314) - treat retracted pathes as irrelevant - made add_update_target work with multiversion installs ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1037-1 Released: Mon Apr 20 10:49:39 2020 Summary: Recommended update for python-pytest Type: recommended Severity: low References: 1002895,1107105,1138666,1167732 This update fixes the following issues: New python-pytest versions are provided. In Basesystem: - python3-pexpect: updated to 4.8.0 - python3-py: updated to 1.8.1 - python3-zipp: shipped as dependency in version 0.6.0 In Python2: - python2-pexpect: updated to 4.8.0 - python2-py: updated to 1.8.1 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1047-1 Released: Tue Apr 21 10:33:06 2020 Summary: Recommended update for gnutls Type: recommended Severity: moderate References: 1168835 This update for gnutls fixes the following issues: - Backport AES XTS support (bsc#1168835) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1061-1 Released: Wed Apr 22 10:45:41 2020 Summary: Recommended update for mozilla-nss Type: recommended Severity: moderate References: 1169872 This update for mozilla-nss fixes the following issues: - This implements API mechanisms for performing DSA and ECDSA hash-and-sign in a single call, which will be required in future FIPS cycles (bsc#1169872). - Always perform nssdbm checksumming on softoken load, even if nssdbm itself is not loaded. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1063-1 Released: Wed Apr 22 10:46:50 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1165539,1169569 This update for libgcrypt fixes the following issues: This update for libgcrypt fixes the following issues: - FIPS: Switch the PCT to use the new signature operation (bsc#1165539) - FIPS: Verify that the generated signature and the original input differ in test_keys function for RSA, DSA and ECC (bsc#1165539) - Add zero-padding when qx and qy have different lengths when assembling the Q point from affine coordinates. - Ship the FIPS checksum file in the shared library package and create a separate trigger file for the FIPS selftests (bsc#1169569) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1069-1 Released: Wed Apr 22 16:48:00 2020 Summary: Recommended update for python-six Type: recommended Severity: moderate References: 1166139 This update for python-six fixes the following issues: - Use setuptools for building to support pip 10.x and avoid packages to be unistalled. (bsc#1166139) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1108-1 Released: Fri Apr 24 16:31:01 2020 Summary: Recommended update for gnutls Type: recommended Severity: moderate References: 1169992 This update for gnutls fixes the following issues: - FIPS: Do not check for /etc/system-fips which we don't have (bsc#1169992) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1131-1 Released: Tue Apr 28 11:59:17 2020 Summary: Recommended update for mozilla-nss Type: recommended Severity: moderate References: 1170571,1170572 This update for mozilla-nss fixes the following issues: - FIPS: Add Softoken POSTs for new DSA and ECDSA hash-and-sign update functions. (bsc#1170571) - FIPS: Add pairwise consistency check for CKM_SHA224_RSA_PKCS. Remove ditto checks for CKM_RSA_PKCS, CKM_DSA and CKM_ECDSA, since these are served by the new CKM_SHA224_RSA_PKCS, CKM_DSA_SHA224, CKM_ECDSA_SHA224 checks. - FIPS: Replace bad attempt at unconditional nssdbm checksumming with a dlopen(), so it can be located consistently and perform its own self-tests. - FIPS: This fixes an instance of inverted logic due to a boolean being mistaken for a SECStatus, which caused key derivation to fail when the caller provided a valid subprime. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1175-1 Released: Tue May 5 08:33:43 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1165011,1168076 This update for systemd fixes the following issues: - Fix check for address to keep interface names stable. (bsc#1168076) - Fix for checking non-normalized WHAT for network FS. (bsc#1165011) - Allow to specify an arbitrary string for when vfs is used. (bsc#1165011) ----------------------------------------------------------------- Advisory ID: SUSE-feature-2020:1196-1 Released: Wed May 6 13:35:05 2020 Summary: Update to kubernetes 1.17, podman, cri-o and docs Type: feature Severity: moderate References: 1121353,1152334,1157337,1159108,1160460,1162093,1164390,1170173 = Required Actions == Kubernetes 1.17 In order to update to kubernetes 1.17, follow the instructions in the admin guide https://documentation.suse.com/suse-caasp/4.2/html/caasp-admin/_cluster_updates.html#_updating_kubernetes_components . Make sure you look at the Release Notes https://www.suse.com/releasenotes/x86_64/SUSE-CAASP/4/#_changes_in_4_3_0 for any known bug. == conmon and cri-o Conmon and cri-o will be updated by `skuba-update`. No action is required from your side. For more info see https://documentation.suse.com/suse-caasp/4.2/html/caasp-admin/_cluster_updates.html#_base_os_updates == skuba In order to update skuba, you need to update the admin workstation. See detailed instructions at https://documentation.suse.com/suse-caasp/4.1/html/caasp-admin/_cluster_updates.html#_update_management_workstation The following package changes have been done: - aaa_base-84.87+git20180409.04c9dae-3.36.1 updated - boost-license1_66_0-1.66.0-5.3.1 updated - ca-certificates-mozilla-2.40-4.18.8 updated - ceph-common-14.2.5.389+gb0f23ac248-3.35.2 updated - glibc-2.26-13.45.1 updated - kubernetes-common-1.17.4-4.13.2 updated - libboost_system1_66_0-1.66.0-5.3.1 updated - libboost_thread1_66_0-1.66.0-5.3.1 updated - libcephfs2-14.2.5.389+gb0f23ac248-3.35.2 updated - libcom_err2-1.43.8-4.20.1 updated - libdevmapper1_03-1.02.149-12.12.1 updated - libfreebl3-3.47.1-3.34.1 updated - libgcrypt20-1.8.2-8.30.1 updated - libgmp10-6.1.2-4.3.1 updated - libgnutls30-3.6.7-6.20.1 updated - libhogweed4-3.4.1-4.12.1 updated - libldap-2_4-2-2.4.46-9.25.1 updated - libldap-data-2.4.46-9.25.1 added - libnettle6-3.4.1-4.12.1 updated - libnghttp2-14-1.40.0-3.6.3 updated - libp11-kit0-0.23.2-4.8.3 updated - libprocps7-3.3.15-7.10.2 updated - libpython3_6m1_0-3.6.10-3.50.5 updated - librados2-14.2.5.389+gb0f23ac248-3.35.2 updated - librbd1-14.2.5.389+gb0f23ac248-3.35.2 updated - librgw2-14.2.5.389+gb0f23ac248-3.35.2 updated - libsasl2-3-2.1.26-5.7.1 updated - libsoftokn3-3.47.1-3.34.1 updated - libsolv-tools-0.7.11-3.16.1 updated - libssh4-0.8.7-10.12.1 updated - libsystemd0-234-24.49.2 updated - libudev1-234-24.49.2 updated - libzypp-17.19.0-3.16.1 updated - mozilla-nss-certs-3.47.1-3.34.1 updated - mozilla-nss-3.47.1-3.34.1 updated - p11-kit-tools-0.23.2-4.8.3 updated - p11-kit-0.23.2-4.8.3 updated - pam-1.3.0-6.16.1 updated - perl-base-5.26.1-7.9.1 updated - permissions-20181116-9.29.1 updated - procps-3.3.15-7.10.2 updated - python-rpm-macros-20200117.8e39013-3.8.1 updated - python3-base-3.6.10-3.50.5 updated - python3-ceph-argparse-14.2.5.389+gb0f23ac248-3.35.2 updated - python3-cephfs-14.2.5.389+gb0f23ac248-3.35.2 updated - python3-py-1.8.1-5.3.5 updated - python3-rados-14.2.5.389+gb0f23ac248-3.35.2 updated - python3-rbd-14.2.5.389+gb0f23ac248-3.35.2 updated - python3-rgw-14.2.5.389+gb0f23ac248-3.35.2 updated - python3-six-1.11.0-4.3.2 updated - python3-3.6.10-3.50.5 updated - rpm-4.14.1-10.19.8 updated - systemd-234-24.49.2 updated - udev-234-24.49.2 updated - zypper-1.14.33-3.13.5 updated - container:sles15-image-15.0.0-6.2.220 updated