SUSE Container Update Advisory: suse/sle-micro/5.3/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2022:2561-1 Container Tags : suse/sle-micro/5.3/toolbox:11.1 , suse/sle-micro/5.3/toolbox:11.1-5.2.12 , suse/sle-micro/5.3/toolbox:latest Container Release : 5.2.12 Severity : critical Type : security References : 1160171 1178331 1178332 1181475 1182983 1189282 1189802 1190700 1191020 1193282 1194550 1195061 1195773 1196125 1196490 1197684 1198341 1198627 1198720 1198752 1199042 1199132 1199140 1199492 1199895 1200624 1200747 1200800 1200993 1201092 1201225 1201385 1201576 1201638 1201680 1201783 1201972 1202117 1202175 1202310 1202593 1203018 1203649 CVE-2021-36690 CVE-2021-46828 CVE-2022-23308 CVE-2022-29458 CVE-2022-29824 CVE-2022-31252 CVE-2022-34903 CVE-2022-35252 CVE-2022-35737 CVE-2022-37434 ----------------------------------------------------------------- The container suse/sle-micro/5.3/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:2493-1 Released: Thu Jul 21 14:35:08 2022 Summary: Recommended update for rpm-config-SUSE Type: recommended Severity: moderate References: 1193282 This update for rpm-config-SUSE fixes the following issues: - Add SBAT values macros for other packages (bsc#1193282) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:2546-1 Released: Mon Jul 25 14:43:22 2022 Summary: Security update for gpg2 Type: security Severity: important References: 1196125,1201225,CVE-2022-34903 This update for gpg2 fixes the following issues: - CVE-2022-34903: Fixed a status injection vulnerability (bsc#1201225). - Use AES as default cipher instead of 3DES when we are in FIPS mode. (bsc#1196125) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:2552-1 Released: Tue Jul 26 14:55:40 2022 Summary: Security update for libxml2 Type: security Severity: important References: 1196490,1199132,CVE-2022-23308,CVE-2022-29824 This update for libxml2 fixes the following issues: Update to 2.9.14: - CVE-2022-29824: Fixed integer overflow that could have led to an out-of-bounds write in buf.c (xmlBuf*) and tree.c (xmlBuffer*) (bsc#1199132). Update to version 2.9.13: - CVE-2022-23308: Fixed a use-after-free of ID and IDREF attributes. (bsc#1196490) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:2573-1 Released: Thu Jul 28 04:24:19 2022 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1194550,1197684,1199042 This update for libzypp, zypper fixes the following issues: libzypp: - appdata plugin: Pass path to the repodata/ directory inside the cache (bsc#1197684) - zypp-rpm: flush rpm script output buffer before sending endOfScriptTag - PluginRepoverification: initial version hooked into repo::Downloader and repo refresh - Immediately start monitoring the download.transfer_timeout. Do not wait until the first data arrived (bsc#1199042) - singletrans: no dry-run commit if doing just download-only - Work around cases where sat repo.start points to an invalid solvable. May happen if (wrong arch) solvables were removed at the beginning of the repo. - Fix misplaced #endif SINGLE_RPMTRANS_AS_DEFAULT_FOR_ZYPPER zypper: - Basic JobReport for 'cmdout/monitor' - versioncmp: if verbose, also print the edition 'parts' which are compared - Make sure MediaAccess is closed on exception (bsc#1194550) - Display plus-content hint conditionally - Honor the NO_COLOR environment variable when auto-detecting whether to use color - Define table columns which should be sorted natural [case insensitive] - lr/ls: Use highlight color on name and alias as well ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:2632-1 Released: Wed Aug 3 09:51:00 2022 Summary: Security update for permissions Type: security Severity: important References: 1198720,1200747,1201385 This update for permissions fixes the following issues: * apptainer: fix starter-suid location (bsc#1198720) * static permissions: remove deprecated bind / named chroot entries (bsc#1200747) * postfix: add postlog setgid for maildrop binary (bsc#1201385) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:2640-1 Released: Wed Aug 3 10:43:44 2022 Summary: Recommended update for yaml-cpp Type: recommended Severity: moderate References: 1160171,1178331,1178332,1200624 This update for yaml-cpp fixes the following issue: - Version 0.6.3 changed ABI without changing SONAME. Re-add symbol from the old ABI to prevent ABI breakage and crash of applications compiled with 0.6.1 (bsc#1200624, bsc#1178332, bsc#1178331, bsc#1160171). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:2717-1 Released: Tue Aug 9 12:54:16 2022 Summary: Security update for ncurses Type: security Severity: moderate References: 1198627,CVE-2022-29458 This update for ncurses fixes the following issues: - CVE-2022-29458: Fixed segfaulting out-of-bounds read in convert_strings in tinfo/read_entry.c (bsc#1198627). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:2904-1 Released: Fri Aug 26 05:28:34 2022 Summary: Recommended update for openldap2 Type: recommended Severity: moderate References: 1198341 This update for openldap2 fixes the following issues: - Prevent memory reuse which may lead to instability (bsc#1198341) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:2929-1 Released: Mon Aug 29 11:21:47 2022 Summary: Recommended update for timezone Type: recommended Severity: important References: 1202310 This update for timezone fixes the following issue: - Reflect new Chile DST change (bsc#1202310) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:2944-1 Released: Wed Aug 31 05:39:14 2022 Summary: Recommended update for procps Type: recommended Severity: important References: 1181475 This update for procps fixes the following issues: - Fix 'free' command reporting misleading 'used' value (bsc#1181475) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:2947-1 Released: Wed Aug 31 09:16:21 2022 Summary: Security update for zlib Type: security Severity: important References: 1202175,CVE-2022-37434 This update for zlib fixes the following issues: - CVE-2022-37434: Fixed heap-based buffer over-read or buffer overflow via large gzip header extra field (bsc#1202175). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:3003-1 Released: Fri Sep 2 15:01:44 2022 Summary: Security update for curl Type: security Severity: low References: 1202593,CVE-2022-35252 This update for curl fixes the following issues: - CVE-2022-35252: Fixed a potential injection of control characters into cookies, which could be exploited by sister sites to cause a denial of service (bsc#1202593). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3127-1 Released: Wed Sep 7 04:36:10 2022 Summary: Recommended update for libtirpc Type: recommended Severity: moderate References: 1198752,1200800 This update for libtirpc fixes the following issues: - Exclude ipv6 addresses in client protocol version 2 code (bsc#1200800) - Fix memory leak in params.r_addr assignement (bsc#1198752) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3215-1 Released: Thu Sep 8 15:58:27 2022 Summary: Recommended update for rpm Type: recommended Severity: moderate References: This update for rpm fixes the following issues: - Support Ed25519 RPM signatures [jsc#SLE-24714] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3220-1 Released: Fri Sep 9 04:30:52 2022 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1199895,1200993,1201092,1201576,1201638 This update for libzypp, zypper fixes the following issues: libzypp: - Improve handling of package locks, allowing to reset the status of its initial state (bsc#1199895) - Fix issues when receiving exceptions from curl_easy_cleanup (bsc#1201092) - Don't auto-flag kernel-firmware as 'reboot-needed' (bsc#1200993) - Remove Medianetwork and its dependent code. First reason for this is that MediaNetwork was just meant as a way to test the new CURL based downloaded. Second the Provide API is going to completely replace the current media backend. zypper: - Truncate the 'Name' column when using `zypper lr`, if the table is wider than the terminal (bsc#1201638) - Reject install/remove modifier without argument (bsc#1201576) - zypper-download: Handle unresolvable arguments as errors - Put signing key supplying repository name in quotes ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3262-1 Released: Tue Sep 13 15:34:29 2022 Summary: Recommended update for gcc11 Type: recommended Severity: moderate References: 1199140 This update for gcc11 ships some missing 32bit libraries for s390x. (bsc#1199140) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3304-1 Released: Mon Sep 19 11:43:25 2022 Summary: Recommended update for libassuan Type: recommended Severity: moderate References: This update for libassuan fixes the following issues: - Add a timeout for writing to a SOCKS5 proxy - Add workaround for a problem with LD_LIBRARY_PATH on newer systems - Fix issue in the logging code - Fix some build trivialities - Upgrade autoconf ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:3305-1 Released: Mon Sep 19 11:45:57 2022 Summary: Security update for libtirpc Type: security Severity: important References: 1201680,CVE-2021-46828 This update for libtirpc fixes the following issues: - CVE-2021-46828: Fixed denial of service vulnerability with lots of connections (bsc#1201680). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:3307-1 Released: Mon Sep 19 13:26:51 2022 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1189802,1195773,1201783,CVE-2021-36690,CVE-2022-35737 This update for sqlite3 fixes the following issues: - CVE-2022-35737: Fixed an array-bounds overflow if billions of bytes are used in a string argument to a C API (bnc#1201783). - CVE-2021-36690: Fixed an issue with the SQLite Expert extension when a column has no collating sequence (bsc#1189802). - Package the Tcl bindings here again so that we only ship one copy of SQLite (bsc#1195773). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:3353-1 Released: Fri Sep 23 15:23:40 2022 Summary: Security update for permissions Type: security Severity: moderate References: 1203018,CVE-2022-31252 This update for permissions fixes the following issues: - CVE-2022-31252: Fixed chkstat group controlled paths (bsc#1203018). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3551-1 Released: Fri Oct 7 17:03:55 2022 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1182983,1190700,1191020,1202117 This update for libgcrypt fixes the following issues: - FIPS: Fixed gpg/gpg2 gets out of core handler in FIPS mode while typing Tab key to Auto-Completion. [bsc#1182983] - FIPS: Ported libgcrypt to use jitterentropy [bsc#1202117, jsc#SLE-24941] * Enable the jitter based entropy generator by default in random.conf * Update the internal jitterentropy to version 3.4.0 - FIPS: Get most of the entropy from rndjent_poll [bsc#1202117] - FIPS: Check keylength in gcry_fips_indicator_kdf() [bsc#1190700] * Consider approved keylength greater or equal to 112 bits. - FIPS: Zeroize buffer and digest in check_binary_integrity() [bsc#1191020] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3555-1 Released: Mon Oct 10 14:05:12 2022 Summary: Recommended update for aaa_base Type: recommended Severity: important References: 1199492 This update for aaa_base fixes the following issues: - The wrapper rootsh is not a restricted shell. (bsc#1199492) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3564-1 Released: Tue Oct 11 16:15:57 2022 Summary: Recommended update for libzypp, zypper Type: recommended Severity: critical References: 1189282,1201972,1203649 This update for libzypp, zypper fixes the following issues: libzypp: - Enable 'zck' support for SUSE Linux Enterprise 15 Service Pack 4 and newer (bsc#1189282) - Fix regression leading to `-allow-vendor-change` and `no-allow-vendor-change` options being ignored (bsc#1201972) - Remove migration code that is no longer needed (bsc#1203649) - Store logrotate files in vendor specif directory '/usr/etc/logrotate.d' if so defined zypper: - Fix contradiction in the man page: `--download-in-advance` option is the default behavior - Fix regression leading to `-allow-vendor-change` and `no-allow-vendor-change` options being ignored (bsc#1201972) - Fix tests to use locale 'C.UTF-8' rather than 'en_US' - Make sure 'up' respects solver related CLI options (bsc#1201972) - Remove unneeded code to compute the PPP status because it is now auto established - Store logrotate files in vendor specif directory '/usr/etc/logrotate.d' if so defined ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3604-1 Released: Mon Oct 17 22:29:59 2022 Summary: Recommended update for sles15-image Type: recommended Severity: moderate References: 1195061 This update for sles15-image fixes the following issues: - Make the title match BCI (bsc#1195061) The following package changes have been done: - aaa_base-84.87+git20180409.04c9dae-150300.10.3.1 updated - glibc-2.31-150300.41.1 updated - gpg2-2.2.27-150300.3.5.1 updated - libassuan0-2.5.5-150000.4.3.1 updated - libblkid1-2.37.2-150400.8.3.1 updated - libcurl4-7.79.1-150400.5.6.1 updated - libdw1-0.185-150400.5.3.1 updated - libelf1-0.185-150400.5.3.1 updated - libfdisk1-2.37.2-150400.8.3.1 updated - libgcc_s1-11.3.0+git1637-150000.1.11.2 updated - libgcrypt20-hmac-1.9.4-150400.6.5.1 updated - libgcrypt20-1.9.4-150400.6.5.1 updated - libldap-2_4-2-2.4.46-150200.14.11.2 updated - libldap-data-2.4.46-150200.14.11.2 updated - libmount1-2.37.2-150400.8.3.1 updated - libncurses6-6.1-150000.5.12.1 updated - libprocps7-3.3.15-150000.7.25.1 updated - libsmartcols1-2.37.2-150400.8.3.1 updated - libsqlite3-0-3.39.3-150000.3.17.1 updated - libstdc++6-11.3.0+git1637-150000.1.11.2 updated - libsystemd0-249.12-150400.8.10.1 updated - libtirpc-netconfig-1.2.6-150300.3.14.1 updated - libtirpc3-1.2.6-150300.3.14.1 updated - libudev1-249.12-150400.8.10.1 updated - libuuid1-2.37.2-150400.8.3.1 updated - libxml2-2-2.9.14-150400.5.7.1 updated - libyaml-cpp0_6-0.6.3-150400.4.3.1 updated - libz1-1.2.11-150000.3.33.1 updated - libzck1-1.1.16-150400.1.10 added - libzypp-17.31.2-150400.3.9.1 updated - ncurses-utils-6.1-150000.5.12.1 updated - perl-base-5.26.1-150300.17.11.1 updated - permissions-20201225-150400.5.11.1 updated - procps-3.3.15-150000.7.25.1 updated - rpm-config-SUSE-1-150400.14.3.1 updated - rpm-ndb-4.14.3-150300.49.1 updated - terminfo-base-6.1-150000.5.12.1 updated - timezone-2022a-150000.75.10.1 updated - util-linux-2.37.2-150400.8.3.1 updated - zypper-1.14.57-150400.3.9.1 updated - container:sles15-image-15.0.0-27.12.1 updated