SUSE Container Update Advisory: ses/7/ceph/ceph
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:315-1
Container Tags : ses/7/ceph/ceph:15.2.14.84 , ses/7/ceph/ceph:15.2.14.84.6.1 , ses/7/ceph/ceph:latest , ses/7/ceph/ceph:sle15.2.octopus
Container Release : 6.1
Severity : critical
Type : security
References : 1102408 1138715 1138746 1172505 1176389 1177120 1181291 1182421 1182422 1183561 1183818 1184517 1184614 1185246 1185748 1186348 1188571 1188979 1189173 1189206 1189465 1189465 1189520 1189521 1189521 1189534 1189554 1189683 CVE-2020-12049 CVE-2020-26137 CVE-2021-36222 CVE-2021-3711 CVE-2021-3712 CVE-2021-3712 CVE-2021-38185 CVE-2021-38185
-----------------------------------------------------------------

The container ses/7/ceph/ceph was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2689-1
Released: Mon Aug 16 10:54:52 2021
Summary: Security update for cpio
Type: security
Severity: important
References: 1189206,CVE-2021-38185

This update for cpio fixes the following issues:

It was possible to trigger remote code execution due to an integer overflow (CVE-2021-38185, bsc#1189206)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2763-1
Released: Tue Aug 17 17:16:22 2021
Summary: Recommended update for cpio
Type: recommended
Severity: critical
References: 1189465

This update for cpio fixes the following issues:

- A regression in last update would cause builds to hang on various architectures (bsc#1189465)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2780-1
Released: Thu Aug 19 16:09:15 2021
Summary: Recommended update for cpio
Type: recommended
Severity: critical
References: 1189465,CVE-2021-38185

This update for cpio fixes the following issues:

- A regression in the previous update could lead to crashes
(bsc#1189465)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2800-1
Released: Fri Aug 20 10:43:04 2021
Summary: Security update for krb5
Type: security
Severity: important
References: 1188571,CVE-2021-36222

This update for krb5 fixes the following issues:

- CVE-2021-36222: Fixed KDC null deref on bad encrypted challenge. (bsc#1188571)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2810-1
Released: Mon Aug 23 12:14:30 2021
Summary: Security update for dbus-1
Type: security
Severity: moderate
References: 1172505,CVE-2020-12049

This update for dbus-1 fixes the following issues:

- CVE-2020-12049: truncated messages lead to resource exhaustion. (bsc#1172505)

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:2816-1
Released: Mon Aug 23 14:16:58 2021
Summary: Optional update for python-kubernetes
Type: optional
Severity: low
References:

This patch provides the python3-kubernetes package to the following modules:

- Container Module for SUSE Linux Enterprise 15 SP2
- Container Module for SUSE Linux Enterprise 15 SP3

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2817-1
Released: Mon Aug 23 15:05:36 2021
Summary: Security update for aws-cli, python-boto3, python-botocore, python-service_identity, python-trustme, python-urllib3
Type: security
Severity: moderate
References: 1102408,1138715,1138746,1176389,1177120,1182421,1182422,CVE-2020-26137

This patch updates the Python AWS SDK stack in SLE 15:

General:

# aws-cli
- Version updated to upstream release v1.19.9
  For a detailed list of all changes, please refer to the changelog file of this package.

# python-boto3
- Version updated to upstream release 1.17.9
  For a detailed list of all changes, please refer to the changelog file of this package.

# python-botocore
- Version updated to upstream release 1.20.9
  For a detailed list of all changes, please refer to the changelog file of this package.

# python-urllib3
- Version updated to upstream release 1.25.10
  For a detailed list of all changes, please refer to the changelog file of this package.

# python-service_identity
- Added this new package to resolve runtime dependencies for other packages. Version: 18.1.0

# python-trustme
- Added this new package to resolve runtime dependencies for other packages. Version: 0.6.0

Security fixes:

# python-urllib3:
- CVE-2020-26137: urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest() (bsc#1177120)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2830-1
Released: Tue Aug 24 16:20:18 2021
Summary: Security update for openssl-1_1
Type: security
Severity: important
References: 1189520,1189521,CVE-2021-3711,CVE-2021-3712

This update for openssl-1_1 fixes the following security issues:

- CVE-2021-3711: A bug in the implementation of the SM2 decryption code could lead to buffer overflows. [bsc#1189520]
- CVE-2021-3712: a bug in the code for printing certificate details could lead to a buffer overrun that a malicious actor could exploit to crash the application, causing a denial-of-service attack. [bsc#1189521]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2863-1
Released: Mon Aug 30 08:18:50 2021
Summary: Recommended update for python-dbus-python
Type: recommended
Severity: moderate
References: 1183818

This update for python-dbus-python fixes the following issues:

- Update to latest version from tumbleweed. (jsc#ECO-3589, bsc#1183818)
- update to 1.2.16:
  * All tests are run even if the 'tap.py' module is not available, although diagnostics for failing tests will be better if it is present.
- Support builds with more than one python3 flavor
- Clean duplicate python flavor variables for configure
- Version update to version 1.2.14:
  * Ensure that the numeric types from dbus.types get the same str() under Python 3.8 that they did under previous versions.
  * Disable -Winline.
  * Add clearer license information using SPDX-License-Identifier.
  * Include inherited methods and properties when documenting objects, which regressed when migrating from epydoc to sphinx.
  * Add missing variant_level member to UnixFd type, for parity with the other dbus.types types
  * Don't reply to method calls if they have the NO_REPLY_EXPECTED flag
  * Silence '-Wcast-function-type' with gcc 8.
  * Fix distcheck with python3.7 by deleting '__pycache__' during uninstall.
  * Consistently save and restore the exception indicator when called from C code.
- Add missing dependency for pkg-config files
- Version update to version 1.2.8:
  * Python 2.7 required or 3.4 respectively
  * Upstream dropped epydoc completely
- Add dbus-1-python3 package
- Make BusConnection.list_activatable_names actually call struct entries than the signature allows with libdbus 1.4 imports dbus, is finalized, is re-initialized, and re-imports
- When removing signal matches, clean up internal state, avoiding a memory leak in long-lived Python processes that connect to
- When setting the sender of a message, allow it to be org.freedesktop.DBus so you can implement a D-Bus daemon
- New package: dbus-1-python-devel

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2895-1
Released: Tue Aug 31 19:40:32 2021
Summary: Recommended update for unixODBC
Type: recommended
Severity: moderate
References:

This update for unixODBC fixes the following issues:

- ECO: Update unixODBC to 2.3.9 in SLE 15. (jsc#SLE-18004)
- Fix incorrect permission for documentation files.
- Update requires and baselibs for new libodbc2.
- Employ shared library packaging guideline: new subpackage libodbc2.
- Update to 2.3.9:
  * Remove '#define UNIXODBC_SOURCE' from unixodbc_conf.h
- Update to 2.3.8:
  * Add configure support for editline
  * SQLDriversW was ignoring user config
  * SQLDataSources Fix termination character
  * Fix for pooling seg fault
  * Make calling SQLSetStmtAttrW call the W function in the driver if it's there
  * Try and fix race condition clearing system odbc.ini file
  * Remove trailing space from isql/iusql SQL
  * When setting connection attributes set before connect also check if the W entry points can be used
  * Try calling the W error functions first if available in the driver
  * Add iconvperdriver configure option to allow calling unicode_setup in SQLAllocHandle
  * iconv handles was being lost when reusing pooled connection
  * Catch null copy in iniPropertyInsert
  * Fix a few leaks
- Update to 2.3.7:
  * Fix for pkg-config file update on non-Linux platforms
  * Add W entry for GUI work
  * Various fixes for SQLBrowseConnect/W, SQLGetConnectAttr/W, and SQLSetConnectAttr/W
  * Fix buffer overflows in SQLConnect/W and refine behaviour of SQLGet/WritePrivateProfileString
  * SQLBrowseConnect/W allow disconnecting a started browse session after error
  * Add --with-stats-ftok-name configure option to allow the selection of a file name used to generate the IPC id when collecting stats. Default is the system odbc.ini file
  * Improve diag record handling with the behavior of Windows DM and export SQLCancelHandle
  * bug fix when SQLGetPrivateProfileString() is called to get a list of sections or a list of keys
  * Connection pooling: Fix liveness check for Unicode drivers

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2938-1
Released: Fri Sep 3 09:19:36 2021
Summary: Recommended update for openldap2
Type: recommended
Severity: moderate
References: 1184614

This update for openldap2 fixes the following issue:

- openldap2-contrib is shipped to the Legacy Module.
(bsc#1184614)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2966-1
Released: Tue Sep 7 09:49:14 2021
Summary: Security update for openssl-1_1
Type: security
Severity: low
References: 1189521,CVE-2021-3712

This update for openssl-1_1 fixes the following issues:

- CVE-2021-3712: This is an update for the incomplete fix for CVE-2021-3712. Read buffer overruns processing ASN.1 strings (bsc#1189521).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3001-1
Released: Thu Sep 9 15:08:13 2021
Summary: Recommended update for netcfg
Type: recommended
Severity: moderate
References: 1189683

This update for netcfg fixes the following issues:

- add submissions port/protocol to services file for message submission over TLS protocol [bsc#1189683]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3021-1
Released: Mon Sep 13 10:32:31 2021
Summary: Recommended update for ceph
Type: recommended
Severity: moderate
References: 1181291,1183561,1184517,1185246,1186348,1188979,1189173

This update for ceph fixes the following issues:

- cls/rgw: look for plane entries in non-ascii plain namespace too (bsc#1184517)
- rgw: check object locks in multi-object delete (bsc#1185246)
- mgr/zabbix: adapt zabbix_sender default path (bsc#1186348)
- mgr/cephadm: pass --container-init to 'cephadm deploy' if specified (bsc#1188979)
- mgr/dashboard: Downstream branding: Adapt latest upstream changes to branded navigation component (bsc#1189173)
- qa/tasks/salt_manager: allow gatherlogs for files in subdir
- qa/tasks/ceph_salt: gather /var/log/ceph/cephadm.out
- mgr/zabbix: adapt zabbix_sender default path (bsc#1186348)
- Revert 'cephadm: default container_init to False' (bsc#1188979)
- mgr/cephadm: alias rgw-nfs -> nfs (bsc#1181291)
- mgr/cephadm: on ssh connection error, advice chmod 0600 (bsc#1183561)
- Update _constraints: only honor physical memory, not 'any memory' (e.g.
swap).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3030-1
Released: Tue Sep 14 09:27:45 2021
Summary: Recommended update for patterns-base
Type: recommended
Severity: moderate
References: 1189534,1189554

This update of patterns-base fixes the following issue:

- The fips pattern should also install 'openssh-fips' if 'openssh' is installed (bsc#1189554 bsc#1189534)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3034-1
Released: Tue Sep 14 13:49:23 2021
Summary: Recommended update for python-pytz
Type: recommended
Severity: moderate
References: 1185748

This update for python-pytz fixes the following issues:

- Add %pyunittest shim for platforms where it is missing.
- Remove real directory of %{python_sitelib}/pytz/zoneinfo when upgrading, before it is replaced by a symlink. (bsc#1185748)
- update to 2021.1:
  * update to IANA 2021a timezone release
- update to 2020.5:
  * update to IANA 2020e timezone release
- update to 2020.4:
  * update to IANA 2020d timezone release
- update to version 2020.1:
  * Test against Python 3.8 and Python 3.9
  * Bump version numbers to 2020.1/2020a
  * use .rst extension name
  * Make FixedOffset part of public API
- Update to 2019.3
  * IANA 2019c
- Add versioned dependency on timezone database to ensure the correct data is installed
- Add a symlink to the system timezone database
- update to 2019.2
  * IANA 2019b
  * Defer generating case-insensitive lookups

The following package changes have been done:

- ceph-base-15.2.14.84+gb6e5642e260-3.25.1 updated
- ceph-common-15.2.14.84+gb6e5642e260-3.25.1 updated
- ceph-grafana-dashboards-15.2.14.84+gb6e5642e260-3.25.1 updated
- ceph-mds-15.2.14.84+gb6e5642e260-3.25.1 updated
- ceph-mgr-cephadm-15.2.14.84+gb6e5642e260-3.25.1 updated
- ceph-mgr-dashboard-15.2.14.84+gb6e5642e260-3.25.1 updated
- ceph-mgr-modules-core-15.2.14.84+gb6e5642e260-3.25.1 updated
- ceph-mgr-rook-15.2.14.84+gb6e5642e260-3.25.1 updated
- ceph-mgr-15.2.14.84+gb6e5642e260-3.25.1 updated
- ceph-mon-15.2.14.84+gb6e5642e260-3.25.1 updated
- ceph-osd-15.2.14.84+gb6e5642e260-3.25.1 updated
- ceph-prometheus-alerts-15.2.14.84+gb6e5642e260-3.25.1 updated
- ceph-radosgw-15.2.14.84+gb6e5642e260-3.25.1 updated
- cephadm-15.2.14.84+gb6e5642e260-3.25.1 updated
- ceph-15.2.14.84+gb6e5642e260-3.25.1 updated
- cpio-2.12-3.9.1 updated
- dbus-1-1.12.2-8.11.2 updated
- krb5-1.16.3-3.21.1 updated
- libcephfs2-15.2.14.84+gb6e5642e260-3.25.1 updated
- libdbus-1-3-1.12.2-8.11.2 updated
- libldap-2_4-2-2.4.46-9.58.1 updated
- libldap-data-2.4.46-9.58.1 updated
- libltdl7-2.4.6-3.4.1 updated
- libopenssl1_1-hmac-1.1.1d-11.30.1 updated
- libopenssl1_1-1.1.1d-11.30.1 updated
- librados2-15.2.14.84+gb6e5642e260-3.25.1 updated
- librbd1-15.2.14.84+gb6e5642e260-3.25.1 updated
- librgw2-15.2.14.84+gb6e5642e260-3.25.1 updated
- netcfg-11.6-3.3.1 updated
- openssl-1_1-1.1.1d-11.30.1 updated
- patterns-base-fips-20200124-4.12.1 added
- python3-asn1crypto-0.24.0-3.2.1 updated
- python3-cachetools-4.1.0-3.2.1 updated
- python3-ceph-argparse-15.2.14.84+gb6e5642e260-3.25.1 updated
- python3-ceph-common-15.2.14.84+gb6e5642e260-3.25.1 updated
- python3-cephfs-15.2.14.84+gb6e5642e260-3.25.1 updated
- python3-cffi-1.13.2-3.2.5 updated
- python3-cryptography-2.8-10.1 updated
- python3-dbus-python-1.2.16-6.3.1 updated
- python3-google-auth-1.5.1-3.4.1 updated
- python3-kubernetes-8.0.1-3.5.1 updated
- python3-oauth2client-gce-4.1.2-3.2.1 updated
- python3-oauth2client-4.1.2-3.2.1 updated
- python3-pyOpenSSL-17.5.0-8.3.1 updated
- python3-pyasn1-0.4.2-3.2.1 updated
- python3-pycparser-2.17-3.2.1 updated
- python3-pytz-2021.1-6.7.1 updated
- python3-rados-15.2.14.84+gb6e5642e260-3.25.1 updated
- python3-rbd-15.2.14.84+gb6e5642e260-3.25.1 updated
- python3-rgw-15.2.14.84+gb6e5642e260-3.25.1 updated
- python3-urllib3-1.25.10-9.14.1 updated
- rbd-mirror-15.2.14.84+gb6e5642e260-3.25.1 updated
- container:sles15-image-15.0.0-9.5.18 updated
- dbus-1-glib-0.108-1.29 removed
- dracut-049.1+suse.188.gbf445638-3.30.1 removed
- dracut-fips-049.1+suse.188.gbf445638-3.30.1 removed
- elfutils-0.168-4.5.3 removed
- file-5.32-7.11.2 removed
- fipscheck-1.4.1-3.3.1 removed
- glib-networking-2.62.3-1.29 removed
- gsettings-desktop-schemas-3.34.0-3.4 removed
- hardlink-1.0+git.e66999f-1.25 removed
- libasm1-0.168-4.5.3 removed
- libbrotlicommon1-1.0.7-1.59 removed
- libbrotlidec1-1.0.7-1.59 removed
- libfipscheck1-1.4.1-3.3.1 removed
- libfreebl3-3.53.1-3.53.1 removed
- libfreebl3-hmac-3.53.1-3.53.1 removed
- libkcapi-tools-0.13.0-1.114 removed
- libpcsclite1-1.8.24-1.14 removed
- libsoftokn3-3.53.1-3.53.1 removed
- libsoftokn3-hmac-3.53.1-3.53.1 removed
- libsoup-2_4-1-2.68.3-2.32 removed
- mozilla-nspr-4.25.1-3.17.1 removed
- mozilla-nss-3.53.1-3.53.1 removed
- mozilla-nss-certs-3.53.1-3.53.1 removed
- patterns-base-basesystem-20200124-2.7 removed
- patterns-base-minimal_base-20200124-2.7 removed
- patterns-server-enterprise-fips-20171206-12.3.1 removed
- pigz-2.3.3-1.28 removed
- purge-kernels-service-0-8.3.1 removed
- strongswan-hmac-5.8.2-11.17.3 removed
- strongswan-ipsec-5.8.2-11.17.3 removed
- strongswan-libs0-5.8.2-11.17.3 removed
- sysconfig-0.85.6-9.1 removed
- sysconfig-netconfig-0.85.6-9.1 removed
- systemd-sysvinit-234-24.90.1 removed
- util-linux-systemd-2.33.1-4.13.2 removed
- wicked-0.6.64-3.3.4 removed
- wicked-service-0.6.64-3.3.4 removed