SUSE Container Update Advisory: rancher/elemental-teal/5.4
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:1698-1
Container Tags        : rancher/elemental-teal/5.4:1.2.3 , rancher/elemental-teal/5.4:1.2.3-3.2.153 , rancher/elemental-teal/5.4:latest
Container Release     : 3.2.153
Severity              : important
Type                  : security
References            : 1107342 1144060 1176006 1188307 1190495 1190495 1192051 1203823 1205502 1206627 1207987 1210507 1210959 1211886 1213189 1213418 1214934 1215377 1215434 1216198 1217445 1217450 1217589 1217667 1217964 1218232 1218492 1218571 1218842 1218866 1218894 1219031 1219238 1219243 1219321 1219520 1219559 1219563 1219576 1219767 1219975 1220061 1220117 1220117 1220385 1220441 1220568 1220724 1220770 1220771 1221050 1221218 1221239 1221289 1221399 1221470 1221665 1221667 1221677 1221677 1221831 CVE-2023-29383 CVE-2023-45918 CVE-2023-52160 CVE-2023-52425 CVE-2023-5388 CVE-2023-7207 CVE-2024-0727 CVE-2024-1753 CVE-2024-1753 CVE-2024-2004 CVE-2024-21626 CVE-2024-2398 CVE-2024-25062 CVE-2024-26458 CVE-2024-26461 CVE-2024-28085 CVE-2024-28182 CVE-2024-28757
-----------------------------------------------------------------

The container rancher/elemental-teal/5.4 was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:322-1
Released:    Fri Feb 2 15:13:26 2024
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1107342,1215434

This update for aaa_base fixes the following issues:

- Set JAVA_HOME correctly (bsc#1107342, bsc#1215434)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:459-1
Released:    Tue Feb 13 15:28:56 2024
Summary:     Security update for runc
Type:        security
Severity:    important
References:  1218894,CVE-2024-21626

This update for runc fixes the following issues:

- Update to runc v1.1.12 (bsc#1218894)

The following CVE was already fixed with the previous release.

- CVE-2024-21626: Fixed container breakout.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:597-1
Released:    Thu Feb 22 20:07:11 2024
Summary:     Security update for mozilla-nss
Type:        security
Severity:    important
References:  1216198,CVE-2023-5388

This update for mozilla-nss fixes the following issues:

Update to NSS 3.90.2:

- CVE-2023-5388: Fixed timing attack against RSA decryption in TLS (bsc#1216198)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:613-1
Released:    Mon Feb 26 11:21:43 2024
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1219576,CVE-2024-25062

This update for libxml2 fixes the following issues:

- CVE-2024-25062: Fixed use-after-free in XMLReader (bsc#1219576).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:615-1
Released:    Mon Feb 26 11:32:32 2024
Summary:     Recommended update for netcfg
Type:        recommended
Severity:    moderate
References:  1211886

This update for netcfg fixes the following issues:

- Add krb-prop entry (bsc#1211886)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:766-1
Released:    Tue Mar 5 13:50:28 2024
Summary:     Recommended update for libssh
Type:        recommended
Severity:    important
References:  1220385

This update for libssh fixes the following issues:

- Fix regression parsing IPv6 addresses provided as hostname (bsc#1220385)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:792-1
Released:    Thu Mar 7 09:55:23 2024
Summary:     Recommended update for timezone
Type:        recommended
Severity:    moderate
References:

This update for timezone fixes the following issues:

- Update to version 2024a
- Kazakhstan unifies on UTC+5
- Palestine springs forward a week later than previously predicted in 2024 and 2025
- Asia/Ho_Chi_Minh's 1955-07-01 transition occurred at 01:00 not 00:00
- From 1947 through 1949, Toronto's transitions occurred at 02:00 not 00:00
- In 1911 Miquelon adopted standard time on June 15, not May 15
- The FROM and TO columns of Rule lines can no longer be 'minimum'
- localtime no longer mishandles some timestamps
- strftime %s now uses tm_gmtoff if available
- Ittoqqortoormiit, Greenland changes time zones on 2024-03-31
- Vostok, Antarctica changed time zones on 2023-12-18
- Casey, Antarctica changed time zones five times since 2020
- Code and data fixes for Palestine timestamps starting in 2072
- A new data file zonenow.tab for timestamps starting now
- Much of Greenland changed its standard time from -03 to -02 on 2023-03-25
- localtime.c no longer mishandles TZif files that contain a single transition into a DST regime
- tzselect no longer creates temporary files
- tzselect no longer mishandles the following:
  * Spaces and most other special characters in BUGEMAIL, PACKAGE, TZDIR, and VERSION.
  * TZ strings when using mawk 1.4.3, which mishandles regular expressions of the form /X{2,}/
  * ISO 6709 coordinates when using an awk that lacks the GNU extension of newlines in -v option-arguments
  * Non UTF-8 locales when using an iconv command that lacks the GNU //TRANSLIT extension
  * zic no longer mishandles data for Palestine after the year 2075

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:819-1
Released:    Fri Mar 8 12:05:12 2024
Summary:     Security update for wpa_supplicant
Type:        security
Severity:    important
References:  1219975,CVE-2023-52160

This update for wpa_supplicant fixes the following issues:

- CVE-2023-52160: Bypassing WiFi Authentication (bsc#1219975).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:833-1
Released:    Mon Mar 11 10:31:14 2024
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1219243,CVE-2024-0727

This update for openssl-1_1 fixes the following issues:

- CVE-2024-0727: Denial of service when processing a maliciously formatted PKCS12 file (bsc#1219243).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:305-1
Released:    Mon Mar 11 14:15:37 2024
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1218571,1219238,CVE-2023-7207

This update for cpio fixes the following issues:

- Fixed cpio not extracting correctly when using the --no-absolute-filenames option with the security fix for CVE-2023-7207 (bsc#1218571, bsc#1219238)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:838-1
Released:    Tue Mar 12 06:46:28 2024
Summary:     Recommended update for util-linux
Type:        recommended
Severity:    moderate
References:  1220117

This update for util-linux fixes the following issues:

- Processes not cleaned up after failed SSH session are using up 100% CPU (bsc#1220117)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:861-1
Released:    Wed Mar 13 09:12:30 2024
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1218232

This update for aaa_base fixes the following issues:

- Silence the output in the case of broken symlinks (bsc#1218232)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:870-1
Released:    Wed Mar 13 13:05:14 2024
Summary:     Security update for glibc
Type:        security
Severity:    moderate
References:  1217445,1217589,1218866

This update for glibc fixes the following issues:

Security issues fixed:

- qsort: harden handling of degenerated / non transient compare function (bsc#1218866)

Other issues fixed:

- getaddrinfo: translate ENOMEM to EAI_MEMORY (bsc#1217589, BZ #31163)
- aarch64: correct CFI in rawmemchr (bsc#1217445, BZ #31113)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:907-1
Released:    Fri Mar 15 08:57:38 2024
Summary:     Recommended update for audit
Type:        recommended
Severity:    moderate
References:  1215377

This update for audit fixes the following issue:

- Fix plugin termination when using systemd service units (bsc#1215377)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:929-1
Released:    Tue Mar 19 06:36:24 2024
Summary:     Recommended update for coreutils
Type:        recommended
Severity:    moderate
References:  1219321

This update for coreutils fixes the following issues:

- tail: fix tailing sysfs files where PAGE_SIZE > BUFSIZ (bsc#1219321)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:939-1
Released:    Wed Mar 20 09:03:37 2024
Summary:     Security update for shadow
Type:        security
Severity:    moderate
References:  1144060,1176006,1188307,1203823,1205502,1206627,1210507,1213189,CVE-2023-29383

This update for shadow fixes the following issues:

- CVE-2023-29383: Fixed apparent /etc/shadow manipulation via chfn (bsc#1210507).

The following non-security bugs were fixed:

- bsc#1176006: Fix chage date miscalculation
- bsc#1188307: Fix passwd segfault
- bsc#1203823: Remove pam_keyinit from PAM config files
- bsc#1213189: Change lock mechanism to file locking to prevent lock files after power interruptions
- bsc#1206627: Add --prefix support to passwd, chpasswd and chage
- bsc#1205502: useradd audit event user id field cannot be interpreted

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:980-1
Released:    Mon Mar 25 06:18:28 2024
Summary:     Recommended update for pam-config
Type:        recommended
Severity:    moderate
References:  1219767

This update for pam-config fixes the following issues:

- Fix pam_gnome_keyring module for AUTH (bsc#1219767)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:982-1
Released:    Mon Mar 25 12:56:33 2024
Summary:     Recommended update for systemd-rpm-macros
Type:        recommended
Severity:    moderate
References:  1217964

This update for systemd-rpm-macros fixes the following issue:

- Order packages that require systemd after systemd-sysvcompat if needed.
  (bsc#1217964)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:984-1
Released:    Mon Mar 25 16:04:44 2024
Summary:     Recommended update for runc
Type:        recommended
Severity:    important
References:  1192051,1221050

This update for runc fixes the following issues:

- Add upstream patch to properly fix -ENOSYS stub on ppc64le. bsc#1192051 bsc#1221050

This allows running 15 SP6 containers on older distributions.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:1006-1
Released:    Wed Mar 27 10:48:38 2024
Summary:     Security update for krb5
Type:        security
Severity:    important
References:  1220770,1220771,CVE-2024-26458,CVE-2024-26461

This update for krb5 fixes the following issues:

- CVE-2024-26458: Fixed memory leak at /krb5/src/lib/rpc/pmap_rmt.c (bsc#1220770).
- CVE-2024-26461: Fixed memory leak at /krb5/src/lib/gssapi/krb5/k5sealv3.c (bsc#1220771).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:1010-1
Released:    Wed Mar 27 16:07:37 2024
Summary:     Recommended update for perl-Bootloader
Type:        recommended
Severity:    important
References:  1218842,1221470

This update for perl-Bootloader fixes the following issues:

- Log grub2-install errors correctly (bsc#1221470)
- Update to version 0.947
- Support old grub versions that used /usr/lib (bsc#1218842)
- Create EFI boot fallback directory if necessary

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:1015-1
Released:    Thu Mar 28 06:08:11 2024
Summary:     Recommended update for sed
Type:        recommended
Severity:    important
References:  1221218

This update for sed fixes the following issues:

- 'sed -i' now creates temporary files with correct umask (bsc#1221218)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:1058-1
Released:    Thu Mar 28 14:50:41 2024
Summary:     Security update for podman
Type:        security
Severity:    important
References:  1221677,CVE-2024-1753

This update for podman fixes the following issues:

- CVE-2024-1753: Fixed full container escape at build time (bsc#1221677).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:1080-1
Released:    Tue Apr 2 06:50:10 2024
Summary:     Recommended update for xfsprogs-scrub
Type:        recommended
Severity:    low
References:  1190495

This update for xfsprogs-scrub fixes the following issues:

- Added missing xfsprogs-scrub to Package Hub for SLE-15-SP5 and SLE-15-SP4 (bsc#1190495)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:1104-1
Released:    Wed Apr 3 14:29:58 2024
Summary:     Recommended update for docker, containerd, rootlesskit, catatonit, slirp4netns, fuse-overlayfs
Type:        recommended
Severity:    important
References:

This update for docker fixes the following issues:

- Overlay files are world-writable (bsc#1220339)
- Allow disabling apparmor support (some products only support SELinux)

The other packages in the update (containerd, rootlesskit, catatonit, slirp4netns, fuse-overlayfs) are no-change rebuilds required because the corresponding binary packages were missing in a number of repositories, thus making docker not installable on some products.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:1129-1
Released:    Mon Apr 8 09:12:08 2024
Summary:     Security update for expat
Type:        security
Severity:    important
References:  1219559,1221289,CVE-2023-52425,CVE-2024-28757

This update for expat fixes the following issues:

- CVE-2023-52425: Fixed a DoS caused by processing large tokens. (bsc#1219559)
- CVE-2024-28757: Fixed an XML Entity Expansion.
  (bsc#1221289)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:1133-1
Released:    Mon Apr 8 11:29:02 2024
Summary:     Security update for ncurses
Type:        security
Severity:    moderate
References:  1220061,CVE-2023-45918

This update for ncurses fixes the following issues:

- CVE-2023-45918: Fixed NULL pointer dereference via corrupted xterm-256color file (bsc#1220061).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:1144-1
Released:    Mon Apr 8 11:33:47 2024
Summary:     Security update for buildah
Type:        security
Severity:    important
References:  1219563,1220568,1221677,CVE-2024-1753

This update for buildah fixes the following issues:

- CVE-2024-1753: Fixed an issue to prevent a full container escape at build time. (bsc#1221677)
- Update to version 1.34.1 for compatibility with Docker 25.0 (which is not in SLES yet, but will eventually be) (bsc#1219563). See the corresponding release notes:
  * https://github.com/containers/buildah/releases/tag/v1.34.1
  * https://github.com/containers/buildah/releases/tag/v1.34.0
  * https://github.com/containers/buildah/releases/tag/v1.33.0
  * https://github.com/containers/buildah/releases/tag/v1.32.0
  * https://github.com/containers/buildah/releases/tag/v1.31.0
  * https://github.com/containers/buildah/releases/tag/v1.30.0
- Require cni-plugins (bsc#1220568)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:1151-1
Released:    Mon Apr 8 11:36:23 2024
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1221665,1221667,CVE-2024-2004,CVE-2024-2398

This update for curl fixes the following issues:

- CVE-2024-2004: Fix the usage of disabled protocol logic. (bsc#1221665)
- CVE-2024-2398: Fix HTTP/2 push headers memory-leak.
  (bsc#1221667)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:1167-1
Released:    Mon Apr 8 15:11:11 2024
Summary:     Security update for nghttp2
Type:        security
Severity:    important
References:  1221399,CVE-2024-28182

This update for nghttp2 fixes the following issues:

- CVE-2024-28182: Fixed denial of service via http/2 continuation frames (bsc#1221399)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:1169-1
Released:    Tue Apr 9 09:50:32 2024
Summary:     Security update for util-linux
Type:        security
Severity:    important
References:  1207987,1220117,1221831,CVE-2024-28085

This update for util-linux fixes the following issues:

- CVE-2024-28085: Properly neutralize escape sequences in wall. (bsc#1221831)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:1201-1
Released:    Thu Apr 11 10:47:59 2024
Summary:     Recommended update for xfsprogs-scrub and jctools
Type:        recommended
Severity:    low
References:  1190495,1213418

This update for xfsprogs-scrub fixes the following issues:

- Added missing xfsprogs-scrub to Package Hub for SLE-15-SP5 (bsc#1190495)
- Added missing jctools to Package Hub for SLE-15-SP5 (bsc#1213418)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:1231-1
Released:    Thu Apr 11 15:20:40 2024
Summary:     Recommended update for glibc
Type:        recommended
Severity:    moderate
References:  1220441

This update for glibc fixes the following issues:

- duplocale: protect use of global locale (bsc#1220441, BZ #23970)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:1253-1
Released:    Fri Apr 12 08:15:18 2024
Summary:     Recommended update for gcc13
Type:        recommended
Severity:    moderate
References:  1210959,1214934,1217450,1217667,1218492,1219031,1219520,1220724,1221239

This update for gcc13 fixes the following issues:

- Fix unwinding for JIT code.
  [bsc#1221239]
- Revert libgccjit dependency change. [bsc#1220724]
- Remove crypt and crypt_r interceptors. The crypt API change in SLE15 SP3 breaks them. [bsc#1219520]
- Add support for -fmin-function-alignment. [bsc#1214934]
- Use %{_target_cpu} to determine host and build.
- Fix for building TVM. [bsc#1218492]
- Add cross-X-newlib-devel requires to newlib cross compilers. [bsc#1219031]
- Package m2rte.so plugin in the gcc13-m2 sub-package rather than in gcc13-devel. [bsc#1210959]
- Require libstdc++6-devel-gcc13 from gcc13-m2 as m2 programs are linked against libstdc++6.
- Fixed building mariadb on i686. [bsc#1217667]
- Avoid update-alternatives dependency for accelerator crosses.
- Package tool links to llvm in cross-amdgcn-gcc13 rather than in cross-amdgcn-newlib13-devel since that also has the dependence.
- Depend on llvmVER instead of llvm with VER equal to %product_libs_llvm_ver where available and adjust tool discovery accordingly. This should also properly trigger re-builds when the patchlevel version of llvmVER changes, possibly changing the binary names we link to.
  [bsc#1217450]

The following package changes have been done:

- libssh-config-0.9.8-150400.3.6.1 updated
- glibc-2.31-150300.71.1 updated
- libnghttp2-14-1.40.0-150200.17.1 updated
- libuuid1-2.37.2-150400.8.29.1 updated
- libsmartcols1-2.37.2-150400.8.29.1 updated
- libexpat1-2.4.4-150400.3.17.1 updated
- libblkid1-2.37.2-150400.8.29.1 updated
- libaudit1-3.0.6-150400.4.16.1 updated
- libfdisk1-2.37.2-150400.8.29.1 updated
- libgcc_s1-13.2.1+git8285-150000.1.9.1 updated
- catatonit-0.1.7-150300.10.5.2 updated
- mozilla-nss-certs-3.90.2-150400.3.39.1 updated
- libxml2-2-2.9.14-150400.5.28.1 updated
- libfreebl3-3.90.2-150400.3.39.1 updated
- libmount1-2.37.2-150400.8.29.1 updated
- libsoftokn3-3.90.2-150400.3.39.1 updated
- mozilla-nss-3.90.2-150400.3.39.1 updated
- libstdc++6-13.2.1+git8285-150000.1.9.1 updated
- libncurses6-6.1-150000.5.24.1 updated
- terminfo-base-6.1-150000.5.24.1 updated
- coreutils-8.32-150400.9.3.1 updated
- timezone-2024a-150000.75.28.1 updated
- systemd-rpm-macros-15-150000.7.39.1 updated
- netcfg-11.6-150000.3.6.1 updated
- ncurses-utils-6.1-150000.5.24.1 updated
- glibc-locale-base-2.31-150300.71.1 updated
- login_defs-4.8.1-150400.3.6.1 updated
- perl-Bootloader-0.947-150400.3.12.1 updated
- cpio-2.13-150400.3.6.1 updated
- sed-4.4-150300.13.3.1 updated
- libopenssl1_1-1.1.1l-150400.7.63.1 updated
- krb5-1.19.2-150400.3.9.1 updated
- libssh4-0.9.8-150400.3.6.1 updated
- libcurl4-8.0.1-150400.5.44.1 updated
- pam-config-1.1-150200.3.6.1 updated
- shadow-4.8.1-150400.3.6.1 updated
- util-linux-2.37.2-150400.8.29.1 updated
- aaa_base-84.87+git20180409.04c9dae-150300.10.12.1 updated
- util-linux-systemd-2.37.2-150400.8.29.1 updated
- wpa_supplicant-2.9-150000.4.39.1 updated
- runc-1.1.12-150000.64.1 updated
- cni-0.7.1-150100.3.18.1 updated
- cni-plugins-0.8.6-150100.3.22.3 updated
- fuse-overlayfs-1.1.2-150100.3.11.1 updated
- xfsprogs-5.13.0-150400.3.7.1 updated
- slirp4netns-1.2.0-150300.8.7.1 updated
- podman-4.4.4-150400.4.22.1 updated
- hostname-3.16-2.22 removed
- iproute2-5.14-150400.1.8 removed
- libltdl7-2.4.6-3.4.1 removed
- libmspack0-0.6-3.14.1 removed
- libxslt1-1.1.34-150400.3.3.1 removed
- system-user-nobody-20170617-150400.24.2.1 removed
- tar-1.34-150000.3.34.1 removed
- which-2.21-2.20 removed