SUSE Container Update Advisory: bci/golang ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2022:254-1 Container Tags : bci/golang:1.17 , bci/golang:1.17-9.24 , bci/golang:latest Container Release : 9.24 Severity : important Type : security References : 1187512 1188348 1188507 1190447 1190649 1192954 1193632 1194976 1195834 1195835 1195838 CVE-2021-3995 CVE-2021-3996 CVE-2022-23772 CVE-2022-23773 CVE-2022-23806 ----------------------------------------------------------------- The container bci/golang was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:2626-1 Released: Thu Aug 5 12:10:35 2021 Summary: Recommended maintenance update for libeconf Type: recommended Severity: moderate References: 1188348 This update for libeconf fixes the following issue: - Solve a downgrade issue between SUSE Linux Enterprise SP3 and lower (bsc#1188348) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:674-1 Released: Wed Mar 2 13:24:38 2022 Summary: Recommended update for yast2-network Type: recommended Severity: moderate References: 1187512 This update for yast2-network fixes the following issues: - Don't crash at the end of installation when storing wifi configuration for NetworkManager. (bsc#1187512) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:692-1 Released: Thu Mar 3 15:46:47 2022 Summary: Recommended update for filesystem Type: recommended Severity: moderate References: 1190447 This update for filesystem fixes the following issues: - Release ported filesystem to LTSS channels (bsc#1190447). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:723-1 Released: Fri Mar 4 10:31:46 2022 Summary: Security update for go1.17 Type: security Severity: important References: 1190649,1195834,1195835,1195838,CVE-2022-23772,CVE-2022-23773,CVE-2022-23806 This update for go1.17 fixes the following issues: - CVE-2022-23806: Fixed incorrect returned value in crypto/elliptic IsOnCurve (bsc#1195838). - CVE-2022-23772: Fixed overflow in Rat.SetString in math/big can lead to uncontrolled memory consumption (bsc#1195835). - CVE-2022-23773: Fixed incorrect access control in cmd/go (bsc#1195834). The following non-security bugs were fixed: - go#50978 crypto/elliptic: IsOnCurve returns true for invalid field elements - go#50701 math/big: Rat.SetString may consume large amount of RAM and crash - go#50687 cmd/go: do not treat branches with semantic-version names as releases - go#50942 cmd/asm: 'compile: loop' compiler bug? - go#50867 cmd/compile: incorrect use of CMN on arm64 - go#50812 cmd/go: remove bitbucket VCS probing - go#50781 runtime: incorrect frame information in traceback traversal may hang the process. - go#50722 debug/pe: reading debug_info section of PE files that use the DWARF5 form DW_FORM_line_strp causes error - go#50683 cmd/compile: MOVWreg missing sign-extension following a Copy from a floating-point LoadReg - go#50586 net/http/httptest: add fipsonly compliant certificate in for NewTLSServer(), for dev.boringcrypto branch - go#50297 cmd/link: does not set section type of .init_array correctly - go#50246 runtime: intermittent os/exec.Command.Start() Hang on Darwin in Presence of 'plugin' Package ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:727-1 Released: Fri Mar 4 10:39:21 2022 Summary: Security update for libeconf, shadow and util-linux Type: security Severity: moderate References: 1188507,1192954,1193632,1194976,CVE-2021-3995,CVE-2021-3996 This security update for libeconf, shadow and util-linux fix the following issues: libeconf: - Add libeconf to SLE-Module-Basesystem_15-SP3 because needed by 'util-linux' and 'shadow' to fix autoyast handling of security related parameters (bsc#1192954, jsc#SLE-23384, jsc#SLE-23402) Issues fixed in libeconf: - Reading numbers with different bases (e.g. oktal) (bsc#1193632) (#157) - Fixed different issues while writing string values to file. - Writing comments to file too. - Fixed crash while merging values. - Added econftool cat option (#146) - new API call: econf_readDirsHistory (showing ALL locations) - new API call: econf_getPath (absolute path of the configuration file) - Man pages libeconf.3 and econftool.8. - Handling multiline strings. - Added libeconf_ext which returns more information like line_nr, comments, path of the configuration file,... - Econftool, an command line interface for handling configuration files. - Generating HTML API documentation with doxygen. - Improving error handling and semantic file check. - Joining entries with the same key to one single entry if env variable ECONF_JOIN_SAME_ENTRIES has been set. shadow: - The legacy code does not support /etc/login.defs.d used by YaST. Enable libeconf to read it (bsc#1192954, jsc#SLE-23384, jsc#SLE-23402) util-linux: - The legacy code does not support /etc/login.defs.d used by YaST. Enable libeconf to read it (bsc#1192954, jsc#SLE-23384, jsc#SLE-23402) - Allow use of larger values for start sector to prevent `blockdev --report` aborting (bsc#1188507) - Fixed `blockdev --report` using non-space characters as a field separator (bsc#1188507) - CVE-2021-3995: Fixed unauthorized unmount in util-linux's libmount. (bsc#1194976) - CVE-2021-3996: Fixed unauthorized unmount in util-linux's libmount. (bsc#1194976) The following package changes have been done: - filesystem-15.0-11.5.1 updated - go1.17-1.17.7-1.20.1 updated - libaugeas0-1.10.1-3.5.1 updated - libblkid1-2.36.2-150300.4.14.3 updated - libeconf0-0.4.4+git20220104.962774f-150300.3.6.2 added - libfdisk1-2.36.2-150300.4.14.3 updated - libmount1-2.36.2-150300.4.14.3 updated - libsmartcols1-2.36.2-150300.4.14.3 updated - libuuid1-2.36.2-150300.4.14.3 updated - login_defs-4.8.1-150300.4.3.8 updated - shadow-4.8.1-150300.4.3.8 updated - util-linux-2.36.2-150300.4.14.3 updated - container:sles15-image-15.0.0-17.8.86 updated