SUSE Container Update Advisory: bci/openjdk-devel ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2024:2991-1 Container Tags : bci/openjdk-devel:21 , bci/openjdk-devel:21-14.5 , bci/openjdk-devel:latest Container Release : 14.5 Severity : critical Type : security References : 1029961 1092100 1121753 1158830 1158830 1158830 1181475 1181976 1185417 1188441 1195468 1206412 1206798 1209122 1209122 1214025 1214290 1224168 1224170 1224171 1224172 1224173 1225598 1226415 CVE-2018-1122 CVE-2018-1123 CVE-2018-1124 CVE-2018-1125 CVE-2018-1126 CVE-2023-4016 CVE-2023-4156 CVE-2024-32002 CVE-2024-32004 CVE-2024-32020 CVE-2024-32021 CVE-2024-32465 ----------------------------------------------------------------- The container bci/openjdk-devel was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2730-1 Released: Mon Oct 21 16:04:57 2019 Summary: Security update for procps Type: security Severity: important References: 1092100,1121753,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126 This update for procps fixes the following issues: procps was updated to 3.3.15. (bsc#1092100) Following security issues were fixed: - CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100). - CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps maped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100). - CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100). - CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100). - CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100). Also this non-security issue was fixed: - Fix CPU summary showing old data. (bsc#1121753) The update to 3.3.15 contains the following fixes: * library: Increment to 8:0:1 No removals, no new functions Changes: slab and pid structures * library: Just check for SIGLOST and don't delete it * library: Fix integer overflow and LPE in file2strvec CVE-2018-1124 * library: Use size_t for alloc functions CVE-2018-1126 * library: Increase comm size to 64 * pgrep: Fix stack-based buffer overflow CVE-2018-1125 * pgrep: Remove >15 warning as comm can be longer * ps: Fix buffer overflow in output buffer, causing DOS CVE-2018-1123 * ps: Increase command name selection field to 64 * top: Don't use cwd for location of config CVE-2018-1122 * update translations * library: build on non-glibc systems * free: fix scaling on 32-bit systems * Revert 'Support running with child namespaces' * library: Increment to 7:0:1 No changes, no removals New fuctions: numa_init, numa_max_node, numa_node_of_cpu, numa_uninit, xalloc_err_handler * doc: Document I idle state in ps.1 and top.1 * free: fix some of the SI multiples * kill: -l space between name parses correctly * library: dont use vm_min_free on non Linux * library: don't strip off wchan prefixes (ps & top) * pgrep: warn about 15+ char name only if -f not used * pgrep/pkill: only match in same namespace by default * pidof: specify separator between pids * pkill: Return 0 only if we can kill process * pmap: fix duplicate output line under '-x' option * ps: avoid eip/esp address truncations * ps: recognizes SCHED_DEADLINE as valid CPU scheduler * ps: display NUMA node under which a thread ran * ps: Add seconds display for cputime and time * ps: Add LUID field * sysctl: Permit empty string for value * sysctl: Don't segv when file not available * sysctl: Read and write large buffers * top: add config file support for XDG specification * top: eliminated minor libnuma memory leak * top: show fewer memory decimal places (configurable) * top: provide command line switch for memory scaling * top: provide command line switch for CPU States * top: provides more accurate cpu usage at startup * top: display NUMA node under which a thread ran * top: fix argument parsing quirk resulting in SEGV * top: delay interval accepts non-locale radix point * top: address a wishlist man page NLS suggestion * top: fix potential distortion in 'Mem' graph display * top: provide proper multi-byte string handling * top: startup defaults are fully customizable * watch: define HOST_NAME_MAX where not defined * vmstat: Fix alignment for disk partition format * watch: Support ANSI 39,49 reset sequences ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:225-1 Released: Fri Jan 24 06:49:07 2020 Summary: Recommended update for procps Type: recommended Severity: moderate References: 1158830 This update for procps fixes the following issues: - Fix for 'ps -C' allowing to accept any arguments longer than 15 characters anymore. (bsc#1158830) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2958-1 Released: Tue Oct 20 12:24:55 2020 Summary: Recommended update for procps Type: recommended Severity: moderate References: 1158830 This update for procps fixes the following issues: - Fixes an issue when command 'ps -C' does not allow anymore an argument longer than 15 characters. (bsc#1158830) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1169-1 Released: Tue Apr 13 15:01:42 2021 Summary: Recommended update for procps Type: recommended Severity: low References: 1181976 This update for procps fixes the following issues: - Corrected a statement in the man page about processor pinning via taskset (bsc#1181976) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1549-1 Released: Mon May 10 13:48:00 2021 Summary: Recommended update for procps Type: recommended Severity: moderate References: 1185417 This update for procps fixes the following issues: - Support up to 2048 CPU as well. (bsc#1185417) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:808-1 Released: Fri Mar 11 06:07:58 2022 Summary: Recommended update for procps Type: recommended Severity: moderate References: 1195468 This update for procps fixes the following issues: - Stop registering signal handler for SIGURG, to avoid `ps` failure if someone sends such signal. Without the signal handler, SIGURG will just be ignored. (bsc#1195468) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:2944-1 Released: Wed Aug 31 05:39:14 2022 Summary: Recommended update for procps Type: recommended Severity: important References: 1181475 This update for procps fixes the following issues: - Fix 'free' command reporting misleading 'used' value (bsc#1181475) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:181-1 Released: Thu Jan 26 21:55:43 2023 Summary: Recommended update for procps Type: recommended Severity: low References: 1206412 This update for procps fixes the following issues: - Improve memory handling/usage (bsc#1206412) - Make sure that correct library version is installed (bsc#1206412) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:2104-1 Released: Thu May 4 21:05:30 2023 Summary: Recommended update for procps Type: recommended Severity: moderate References: 1209122 This update for procps fixes the following issue: - Allow - as leading character to ignore possible errors on systctl entries (bsc#1209122) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:3440-1 Released: Mon Aug 28 08:57:10 2023 Summary: Security update for gawk Type: security Severity: low References: 1214025,CVE-2023-4156 This update for gawk fixes the following issues: - CVE-2023-4156: Fix a heap out of bound read by validating the index into argument list. (bsc#1214025) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:3472-1 Released: Tue Aug 29 10:55:16 2023 Summary: Security update for procps Type: security Severity: low References: 1214290,CVE-2023-4016 This update for procps fixes the following issues: - CVE-2023-4016: Fixed ps buffer overflow (bsc#1214290). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:11-1 Released: Tue Jan 2 13:24:52 2024 Summary: Recommended update for procps Type: recommended Severity: moderate References: 1029961,1158830,1206798,1209122 This update for procps fixes the following issues: - Update procps to 3.3.17 (jsc#PED-3244 jsc#PED-6369) - For support up to 2048 CPU as well (bsc#1185417) - Allow `-´ as leading character to ignore possible errors on systctl entries (bsc#1209122) - Get the first CPU summary correct (bsc#1121753) - Enable pidof for SLE-15 as this is provided by sysvinit-tools - Use a check on syscall __NR_pidfd_open to decide if the pwait tool and its manual page will be build - Do not truncate output of w with option -n - Prefer logind over utmp (jsc#PED-3144) - Don't install translated man pages for non-installed binaries (uptime, kill). - Fix directory for Ukrainian man pages translations. - Move localized man pages to lang package. - Update to procps-ng-3.3.17 * library: Incremented to 8:3:0 (no removals or additions, internal changes only) * all: properly handle utf8 cmdline translations * kill: Pass int to signalled process * pgrep: Pass int to signalled process * pgrep: Check sanity of SG_ARG_MAX * pgrep: Add older than selection * pidof: Quiet mode * pidof: show worker threads * ps.1: Mention stime alias * ps: check also match on truncated 16 char comm names * ps: Add exe output option * ps: A lot more sorting available * pwait: New command waits for a process * sysctl: Match systemd directory order * sysctl: Document directory order * top: ensure config file backward compatibility * top: add command line 'e' for symmetry with 'E' * top: add '4' toggle for two abreast cpu display * top: add '!' toggle for combining multiple cpus * top: fix potential SEGV involving -p switch * vmstat: Wide mode gives wider proc columns * watch: Add environment variable for interval * watch: Add no linewrap option * watch: Support more colors * free,uptime,slabtop: complain about extra ops - Package translations in procps-lang. - Fix pgrep: cannot allocate 4611686018427387903 bytes when ulimit -s is unlimited. - Enable pidof by default - Update to procps-ng-3.3.16 * library: Increment to 8:2:0 No removals or functions Internal changes only, so revision is incremented. Previous version should have been 8:1:0 not 8:0:1 * docs: Use correct symbols for -h option in free.1 * docs: ps.1 now warns about command name length * docs: install translated man pages * pgrep: Match on runstate * snice: Fix matching on pid * top: can now exploit 256-color terminals * top: preserves 'other filters' in configuration file * top: can now collapse/expand forest view children * top: parent %CPU time includes collapsed children * top: improve xterm support for vim navigation keys * top: avoid segmentation fault at program termination * 'ps -C' does not allow anymore an argument longer than 15 characters (bsc#1158830) ----------------------------------------------------------------- Advisory ID: SUSE-feature-2024:1664-1 Released: Thu May 16 07:56:10 2024 Summary: Feature update for Java Type: feature Severity: moderate References: This update for byte-buddy, javadoc-parser, jurand, modulemaker-maven-plugin, open-test-reporting, plexus-xml fixes the following issues: byte-buddy: - New RPM package implementation at version 1.14.13 javadoc-parser: - New RPM package implementation at version 0.3.1 jurand: - New RPM package implementation at version 1.3.2 modulemaker-maven-plugin: - New RPM package implementation at version 1.11 open-test-reporting: - New RPM package implementation at version 0.1.0-M2 plexus-xml: - New RPM package implementation at version 3.0.0 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:2000-1 Released: Wed Jun 12 05:43:59 2024 Summary: Recommended update for Java Type: recommended Severity: moderate References: This update for Java fixes the following issues: javadoc-parser: - Deliver javadoc-parser RPM package to meet new dependency requirements (no source changes) maven-filtering was updated to version 3.3.2: - Build against the plexus-build-api0 package containing sonatype plexus build api - Version 3.3.2: * Changes: + pick correct hamcrest dependency + Prefer commons lang to plexus utils + MSHARED-1214: move tag back to HEAD + MSHARED-1216: Use caching output stream + Bump org.codehaus.plexus:plexus-utils from 3.0.16 to 3.0.24 in /src/test/resources + Fix typos and grammar + Fix 'licenced' typo in PR template + refactor IncrementalResourceFilteringTest + MSHARED-1340: Require Maven 3.6.3+ + Bump commons-io:commons-io from 2.11.0 to 2.15.1 + Bump org.apache.commons:commons-lang3 from 3.12.0 to 3.14.0 + MSHARED-1339: Bump org.apache.maven.shared:maven-shared-components from 39 to 41 + MSHARED-1290: Fix PropertyUtils cycle detection results in false positives + MSHARED-1285: use an up-to-date scanner instead the newscanner + Bump org.codehaus.plexus:plexus-testing from 1.2.0 to 1.3.0 + Bump org.codehaus.plexus:plexus-interpolation from 1.26 to 1.27 + Bump org.codehaus.plexus:plexus-utils from 3.5.1 to 4.0.0 + Bump release-drafter/release-drafter from 5 to 6 + Bump org.junit.jupiter:junit-jupiter-api from 5.10.1 to 5.10.2 + MSHARED-1351: Fix console message when origin is baseDir + MSHARED-1050: Fix ConcurrentModificationException for maven-filtering + MSHARED-1330: Always overwrite files - Version 3.3.1: * Changes: + MSHARED-1175: Copying x resources from rel/path to rel/path + MSHARED-1213: Bug: filtering existing but 0 byte file + MSHARED-1199: Upgrade parent pom to 39 + MSHARED-1112: Ignore setting permissions on non existing dest files/symlinks + MSHARED-1144: remove rendundant error message - Version 3.3.0: * Changes: + Fixed cloning of MavenResourcesExecution's instances using copyOf() method + MRESOURCES-258: Copying and filtering logic is delegated to FileUtils + replace deprecated methods + replace deprecated code in favor of Java 7 core and apache commons libraries declare dependencies + MSHARED-1080: Parent POM 36, Java8, drop legacy. maven-plugin-tools: - Build against the plexus-build-api0 package containing sonatype plexus build api - Added dependency on plexus-xml where relevant modello was updated to version 2.4.0: - Build against the new codehaus plexus build api 1.2.0 - Build all modello plugins - Version 2.4.0: * New features and improvements: + Keep license structure + Support addition of license header to generated files + Make generated code - Java 8 based by default + threadsafety * Bugs fixed: + Revert snakeyaml to 1.33 (as 2.x is not fully compatible with 1.x). - Version 2.3.0: * Changes: + Kill off dead Plexus + Fix for #366 - Version 2.2.0: * Changes: + Parse javadoc tags in xdoc generator (only @since is supported atm) + Use generic in Xpp3Reader for JDK 5+ + Get rid of usage deprecated Reader/WriterFactory + Make spotless plugin work with Java 21 + Support java source property being discovered as 1.x + Fix thread safety issues by not using singletons for generators + Improve discovering javaSource based on maven.compiler properties, default as 8 + Switch Plexus Annotation to JSR-330 + Make spotless plugin work with Java 21 - Add dependency on plexus-xml where relevant plexus-build-api was updated to version 1.2.0: - Version 1.2.0: * Potentially breaking changes: + change package to org.codehaus.plexus.build * New features and improvements: + Convert to JSR 330 component + Bump sisu-maven-plugin from 0.3.5 to 0.9.0.M2 + Switch to parent 13 and reformat + Use a CachingOutputStream when using the build context + Reuse plexus-pom action for CI + Add README and LICENSE + Remove ThreadBuildContext * Bugs fixed: + Store Objects in the DefaultContext in a map + Let the DefaultBuildContext delegate to the legacy build-api plexus-build-api0 was implemented at version 0.0.8: - New package plexus-xml: - Deliver plexus-xml RPM package to meet new dependency requirements (no source changes) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:2079-1 Released: Wed Jun 19 05:41:08 2024 Summary: Recommended update for Java Type: recommended Severity: moderate References: This update for Gradle and Maven fixes the following issues: gradle-bootstrap: - Regenerate to account for the new plexus-xml dependency gradle: - Fixed build with the `plexus-xml` split from plexus-utils maven-artifact-transfer: - Added dependency on `plexus-xml` where relevant - Removed unnecessary dependency on xmvn tools and parent pom maven-assembly-plugin, maven-doxia, maven-doxia-sitetools, maven-install-plugin, maven-javadoc-plugin, maven-plugin-testing, maven-resolver, maven: - Added dependency on `plexus-xml` where relevant ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:2086-1 Released: Wed Jun 19 11:48:24 2024 Summary: Recommended update for gcc13 Type: recommended Severity: moderate References: 1188441 This update for gcc13 fixes the following issues: Update to GCC 13.3 release - Removed Fiji support from the GCN offload compiler as that is requiring Code Object version 3 which is no longer supported by llvm18. - Avoid combine spending too much compile-time and memory doing nothing on s390x. [bsc#1188441] - Make requirement to lld version specific to avoid requiring the meta-package. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:2214-1 Released: Tue Jun 25 17:11:26 2024 Summary: Recommended update for util-linux Type: recommended Severity: moderate References: 1225598 This update for util-linux fixes the following issue: - Fix hang of lscpu -e (bsc#1225598) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:2239-1 Released: Wed Jun 26 13:09:10 2024 Summary: Recommended update for systemd Type: recommended Severity: critical References: 1226415 This update for systemd contains the following fixes: - testsuite: move a misplaced %endif - Do not remove existing configuration files in /etc. If these files were modified on the systemd, that may cause unwanted side effects (bsc#1226415). - Import upstream commit (merge of v254.13) Use the pty slave fd opened from the namespace when transient service is running in a container. This revert the backport of the broken commit until a fix is released in the v254-stable tree. - Import upstream commit (merge of v254.11) For a complete list of changes, visit: https://github.com/openSUSE/systemd/compare/e8d77af4240894da620de74fbc7823aaaa448fef...85db84ee440eac202c4b5507e96e1704269179bc ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:2255-1 Released: Tue Jul 2 05:25:54 2024 Summary: Recommended update for Java Type: recommended Severity: moderate References: This update for Java fixes the following issues: maven-file-management: - Use sisu-plexus instead of plexus-containers-container-default - Added dependency on plexus-xml where relevant - Removed unnecessary dependency on xmvn tools and parent pom maven-shared-io: - Do not add PROVIDED dependency on plexus-container-default - Use sisu-plexus instead of plexus-containers-container-default - Removed unnecessary dependency on xmvn tools and parent pom maven2: - Use sisu-plexus instead of plexus-containers-container-default - Fixed build with both sisu-plexus and plexus-containers-container-default - Require the new plexus-xml package to fix build maven-shared-utils was updated to version 3.3.4: - Use the org.eclipse.sisu:org.eclipse.sisu.plexus artifact in order to avoid conflict/choise of providers - Checked exception converted to raw runtime - PrettyPrintXmlWriter output is platform dependent - Deprecated StringUtils.unifyLineSeparator - Fixed environment variable with null value - Dependencies upgraded: * Upgraded Jansi to 2.0.1 * Upgraded Jansi to 2.2.0 plexus-ant-factory: - Use the org.eclipse.sisu:org.eclipse.sisu.plexus to avoid conflict/choise of providers - Use sisu-plexus instead of plexus-containers-container-default - Fixed the code to build both with sisu-plexus and plexus-containers-container-default. plexus-bsh-factory: - Use the org.eclipse.sisu:org.eclipse.sisu.plexus to avoid conflict/choise of providers - Use sisu-plexus instead of plexus-containers-container-default plexus-cli: - Use the org.eclipse.sisu:org.eclipse.sisu.plexus artifact to avoid conflict/choise of providers plexus-i18n: - Use sisu-plexus instead of plexus-containers-container-default plexus-resources: - Use the org.eclipse.sisu:org.eclipse.sisu.plexus artifact to avoid conflict/choise of providers - Use sisu-plexus instead of plexus-containers-container-default plexus-sec-dispatcher: - Removed unnecessary dependency on plexus-containers-container-default - Add dependency on plexus-xml where relevant - Build with source and target levels 8 plexus-velocity: - Use the org.eclipse.sisu:org.eclipse.sisu.plexus artifact to avoid conflict/choise of providers - Use sisu-plexus instead of plexus-containers-container-default tesla-polyglot: - Fixed build with maven-plugin-plugin - Fixed build with snakeyaml 2.2 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:2277-1 Released: Tue Jul 2 17:03:49 2024 Summary: Security update for git Type: security Severity: important References: 1224168,1224170,1224171,1224172,1224173,CVE-2024-32002,CVE-2024-32004,CVE-2024-32020,CVE-2024-32021,CVE-2024-32465 This update for git fixes the following issues: - CVE-2024-32002: Fix recursive clones on case-insensitive filesystems that support symbolic links are susceptible to case confusion. (bsc#1224168) - CVE-2024-32004: Fixed arbitrary code execution during local clones. (bsc#1224170) - CVE-2024-32020: Fix file overwriting vulnerability during local clones. (bsc#1224171) - CVE-2024-32021: Git may create hardlinks to arbitrary user-readable files. (bsc#1224172) - CVE-2024-32465: Fixed arbitrary code execution during clone operations. (bsc#1224173) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2024:2282-1 Released: Tue Jul 2 22:41:28 2024 Summary: Optional update for openscap, scap-security-guide Type: optional Severity: moderate References: This update for scap-security-guide and openscap provides the SCAP tooling for SLE Micro 5.3, 5.4, 5.5. This includes shipping openscap dependencies libxmlsec1-1 and libxmlsec1-openssl for SLE Micro. The following package changes have been done: - libuuid1-2.39.3-150600.4.6.2 updated - libsmartcols1-2.39.3-150600.4.6.2 updated - libblkid1-2.39.3-150600.4.6.2 updated - libfdisk1-2.39.3-150600.4.6.2 updated - liblz4-1-1.9.4-150600.1.4 added - libgpg-error0-1.47-150600.1.3 added - libgcrypt20-1.10.3-150600.1.23 added - libgcc_s1-13.3.0+git8781-150000.1.12.1 updated - libstdc++6-13.3.0+git8781-150000.1.12.1 updated - libmount1-2.39.3-150600.4.6.2 updated - libsystemd0-254.13-150600.4.5.1 added - libprocps8-3.3.17-150000.7.39.1 added - procps-3.3.17-150000.7.39.1 added - util-linux-2.39.3-150600.4.6.2 updated - curl-8.6.0-150600.2.2 added - gawk-4.2.1-150000.3.3.1 added - maven-resolver-api-1.9.18-150200.3.20.1 updated - plexus-xml-3.0.0-150200.5.5.1 added - maven-shared-utils-3.3.4-150200.3.7.2 updated - maven-resolver-util-1.9.18-150200.3.20.1 updated - maven-resolver-spi-1.9.18-150200.3.20.1 updated - plexus-sec-dispatcher-2.0-150200.3.7.3 updated - maven-resolver-named-locks-1.9.18-150200.3.20.1 updated - maven-resolver-transport-file-1.9.18-150200.3.20.1 updated - maven-resolver-connector-basic-1.9.18-150200.3.20.1 updated - maven-resolver-transport-wagon-1.9.18-150200.3.20.1 updated - git-core-2.43.0-150600.3.3.1 updated - maven-resolver-impl-1.9.18-150200.3.20.1 updated - maven-resolver-transport-http-1.9.18-150200.3.20.1 updated - maven-lib-3.9.6-150200.4.24.2 updated - maven-3.9.6-150200.4.24.2 updated - container:bci-openjdk-21-15.6.21-14.4 updated