SUSE Container Update Advisory: suse/manager/4.3/proxy-httpd
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:738-1
Container Tags        : suse/manager/4.3/proxy-httpd:4.3.5 , suse/manager/4.3/proxy-httpd:4.3.5.9.28.2 , suse/manager/4.3/proxy-httpd:latest
Container Release     : 9.28.2
Severity              : critical
Type                  : security
References            : 1178233 1201059 1201059 1202853 1203248 1203249 1203715 1204186
                        1204186 1204548 1204956 1205011 1205011 1205088 1205088 1205244
                        1205570 1205636 1205759 1205759 1206146 1206146 1206520 1206520
                        1206562 1206562 1206800 1206800 1206817 1206817 1206861 1206861
                        1206932 1206932 1206949 1206963 1206963 1206973 1206973 1206979
                        1206979 1206981 1206981 1207087 1207087 1207141 1207141 1207294
                        1207297 1207297 1207352 1207352 1207490 1207490 1207789 1207792
                        1207792 1207799 1207799 1207838 1207838 1207866 1207867 1207867
                        1207883 1207883 1207990 1207991 1207992 1207994 1208036 1208119
                        1208119 1208325 1208325 1208443 1208611 1208611 1208908 1208908
                        1208924 1208925 1208926 1208998 1209259 1209259 1209369 1209369
                        CVE-2022-25147 CVE-2022-45061 CVE-2023-23914 CVE-2023-23915
                        CVE-2023-23916 CVE-2023-23931
-----------------------------------------------------------------

The container suse/manager/4.3/proxy-httpd was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:389-1
Released:    Mon Feb 13 09:41:49 2023
Summary:     Security update for apr-util
Type:        security
Severity:    critical
References:  1207866,CVE-2022-25147

This update for apr-util fixes the following issues:

- CVE-2022-25147: Fixed a buffer overflow possible with specially crafted input during base64 encoding (bsc#1207866)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:429-1
Released:    Wed Feb 15 17:41:22 2023
Summary:     Security update for curl
Type:        security
Severity:    important
References:  1207990,1207991,1207992,CVE-2023-23914,CVE-2023-23915,CVE-2023-23916

This update for curl fixes the following issues:

- CVE-2023-23914: Fixed HSTS ignored on multiple requests (bsc#1207990).
- CVE-2023-23915: Fixed HSTS amnesia with --parallel (bsc#1207991).
- CVE-2023-23916: Fixed HTTP multi-header compression denial of service (bsc#1207992).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:464-1
Released:    Mon Feb 20 18:11:37 2023
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:

This update for systemd fixes the following issues:

- Merge of v249.15
- Drop workaround related to systemd-timesyncd that addressed a Factory issue.
- Conditionalize the use of /lib/modprobe.d only on systems with split usr support enabled (i.e. SLE).
- Make use of the %systemd_* rpm macros consistently. Using the upstream variants will ease the backports of
  Factory changes to SLE since Factory systemd uses the upstream variants exclusively.
- machines.target belongs to systemd-container, do its init/cleanup steps from the scriptlets of this sub-package.
- Make sure we apply the presets on units shipped by systemd package.
- systemd-testsuite: move the integration tests in a dedicated sub directory.
- Move systemd-cryptenroll into udev package.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:549-1
Released:    Mon Feb 27 17:35:07 2023
Summary:     Security update for python3
Type:        security
Severity:    moderate
References:  1205244,1208443,CVE-2022-45061

This update for python3 fixes the following issues:

- CVE-2022-45061: Fixed DoS when IDNA decodes extremely long domain names (bsc#1205244).

Bugfixes:

- Fixed issue where email.generator.py replaces a non-existent header (bsc#1208443).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:563-1
Released:    Tue Feb 28 10:51:46 2023
Summary:     Recommended update for openssl-1_1
Type:        recommended
Severity:    moderate
References:  1207994

This update for openssl-1_1 fixes the following issues:

- FIPS: Serialize jitterentropy calls to avoid thread safety issues [bsc#1207994]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:617-1
Released:    Fri Mar 3 16:49:06 2023
Summary:     Recommended update for jitterentropy
Type:        recommended
Severity:    moderate
References:  1207789

This update for jitterentropy fixes the following issues:

- build jitterentropy library with debuginfo (bsc#1207789)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:709-1
Released:    Fri Mar 10 16:04:41 2023
Summary:     Recommended update for console-setup
Type:        recommended
Severity:    moderate
References:  1202853

This update for console-setup and kbd fixes the following issue:

- Fix Caps_Lock mapping for us.map and others (bsc#1202853)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:714-1
Released:    Mon Mar 13 10:53:25 2023
Summary:     Recommended update for rpm
Type:        recommended
Severity:    important
References:  1207294

This update for rpm fixes the following issues:

- Fix missing python(abi) for 3.XX versions (bsc#1207294)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:722-1
Released:    Tue Mar 14 14:57:15 2023
Summary:     Security update for python-cryptography
Type:        security
Severity:    moderate
References:  1208036,CVE-2023-23931

This update for python-cryptography fixes the following issues:

- CVE-2023-23931: Fixed memory corruption due to invalidly changed immutable object (bsc#1208036).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:776-1
Released:    Thu Mar 16 17:29:23 2023
Summary:     Recommended update for gcc12
Type:        recommended
Severity:    moderate
References:

This update for gcc12 fixes the following issues:

This update ships gcc12 also to the SUSE Linux Enterprise 15 SP1 LTSS and 15 SP2 LTSS products.

SUSE Linux Enterprise 15 SP3 and SP4 get only refreshed builds without changes.

This update ships the GCC 12 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15
versions and replace the same named GCC 11 ones.

The new compilers for C, C++, and Fortran are provided in the SUSE Linux
Enterprise Module for Development Tools.

To use gcc12 compilers use:

- install 'gcc12' or 'gcc12-c++' or one of the other 'gcc12-COMPILER' frontend packages.
- override your makefile to use CC=gcc12, CXX=g++12 and similar overrides for the other languages.

For a full changelog with all new GCC12 features, check out

  https://gcc.gnu.org/gcc-12/changes.html

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:782-1
Released:    Thu Mar 16 19:08:34 2023
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  1208924,1208925,1208926

This update for libgcrypt fixes the following issues:

- FIPS: ECC: Transition to error-state if PCT fail [bsc#1208925]
- FIPS: ECDSA: Avoid no-keytest in ECDSA keygen [bsc#1208924]
- FIPS: PBKDF2: Added additional checks for the minimum key length,
  salt length, iteration count and passphrase length to the kdf
  FIPS indicator in _gcry_fips_indicator_kdf() [bsc#1208926]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:783-1
Released:    Thu Mar 16 19:09:03 2023
Summary:     Recommended update for openssl-1_1
Type:        recommended
Severity:    moderate
References:  1208998

This update for openssl-1_1 fixes the following issues:

FIPS: Service-level indicator changes [bsc#1208998]

* Add additional checks required by FIPS 140-3. Minimum values for
  PBKDF2 are: 112 bits for key, 128 bits for salt, 1000 for
  iteration count and 20 characters for password.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:788-1
Released:    Thu Mar 16 19:37:59 2023
Summary:     Recommended update for libsolv, libzypp, zypper
Type:        recommended
Severity:    important
References:  1178233,1203248,1203249,1203715,1204548,1204956,1205570,1205636,1206949

This update for libsolv, libzypp, zypper fixes the following issues:

libsolv:

- Do not autouninstall SUSE PTF packages
- Ensure 'duplinvolvedmap_all' is reset when a solver is reused
- Fix 'keep installed' jobs not disabling 'best update' rules
- New '-P' and '-W' options for `testsolv`
- New introspection interface for weak dependencies similar to ruleinfos
- Ensure special case file dependencies are written correctly in the testcase writer
- Support better info about alternatives
- Support decision reason queries
- Support merging of related decisions
- Support stringification of multiple solvables
- Support stringification of ruleinfo, decisioninfo and decision reasons

libzypp:

- Avoid calling getsockopt when we know the info already.
  This patch should fix logging on WSL, getsockopt seems to not be fully supported but the code required it when
  accepting new socket connections (bsc#1178233)
- Avoid redirecting 'history.logfile=/dev/null' into the target
- Create '.no_auto_prune' in the package cache dir to prevent auto cleanup of orphaned repositories (bsc#1204956)
- Enhance yaml-cpp detection
- Improve download of optional files
- MultiCurl: Make sure to reset the progress function when falling back.
- Properly reset range requests (bsc#1204548)
- Removing a PTF without enabled repos should always fail (bsc#1203248)
  Without enabled repos, the dependent PTF-packages would be removed (not replaced!) as well.
  To remove a PTF `zypper install -- -PTF` or a dedicated `zypper removeptf PTF` should be used.
  This will update the installed PTF packages to their latest version.
- Skip media.1/media download for http repo status calc.
  This patch allows zypp to skip an extra media.1/media download to calculate if a repository needs to be refreshed.
  This optimisation only takes place if the repo does specify only downloading base urls.
- Use a dynamic fallback for BLKSIZE in downloads.
  When not receiving a blocklist via metalink file from the server MediaMultiCurl used to fallback to a fixed,
  relatively small BLKSIZE. This patch changes the fallback into a dynamic value based on the filesize using a similar
  metric as the MirrorCache implementation on the server side.
- ProgressData: enforce reporting the INIT||END state (bsc#1206949)
- ps: fix service detection on newer Tumbleweed systems (bsc#1205636)

zypper:

- Allow to (re)add a service with the same URL (bsc#1203715)
- Bump dependency requirement to libzypp-devel 17.31.7 or greater
- Explain outdatedness of repositories
- patterns: Avoid displaying superfluous @System entries (bsc#1205570)
- Provide `removeptf` command (bsc#1203249)
  A remove command which prefers replacing dependant packages to removing them as well.
  A PTF is typically removed as soon as the fix it provides is applied to the latest official update of the dependant
  packages. However it is not desired for the dependant packages to be removed together with the PTF, which is what
  the remove command would do. The `removeptf` command however will aim to replace the dependant packages by their
  official update versions.
- Update man page and explain '.no_auto_prune' (bsc#1204956)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:806-1
Released:    Mon Mar 20 16:25:13 2023
Summary:     Maintenance update for SUSE Manager 4.3: Server, Proxy and Retail Branch Server
Type:        recommended
Severity:    important
References:  1201059,1204186,1205011,1205088,1205759,1206146,1206520,1206562,1206800,1206817,1206861,1206932,1206963,1206973,1206979,1206981,1207087,1207141,1207297,1207352,1207490,1207792,1207799,1207838,1207867,1207883,1208119,1208325,1208611,1208908,1209259,1209369

Maintenance update for SUSE Manager 4.3: Server, Proxy and Retail Branch Server

This is a codestream only update

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:832-1
Released:    Mon Mar 20 16:37:35 2023
Summary:     Maintenance update for SUSE Manager 4.3.5 Release Notes
Type:        recommended
Severity:    important
References:  1201059,1204186,1205011,1205088,1205759,1206146,1206520,1206562,1206800,1206817,1206861,1206932,1206963,1206973,1206979,1206981,1207087,1207141,1207297,1207352,1207490,1207792,1207799,1207838,1207867,1207883,1208119,1208325,1208611,1208908,1209259,1209369

Maintenance update for SUSE Manager 4.3.5 Release Notes:

This is a codestream only update

The following package changes have been done:

- libudev1-249.15-150400.8.22.1 updated
- libgcrypt20-1.9.4-150400.6.8.1 updated
- libgcrypt20-hmac-1.9.4-150400.6.8.1 updated
- libjitterentropy3-3.4.0-150000.1.9.1 updated
- libgcc_s1-12.2.1+git416-150000.1.7.1 updated
- libstdc++6-12.2.1+git416-150000.1.7.1 updated
- libsystemd0-249.15-150400.8.22.1 updated
- libopenssl1_1-1.1.1l-150400.7.28.1 updated
- libopenssl1_1-hmac-1.1.1l-150400.7.28.1 updated
- libcurl4-7.79.1-150400.5.15.1 updated
- libsolv-tools-0.7.23-150400.3.3.1 updated
- libzypp-17.31.8-150400.3.14.1 updated
- zypper-1.14.59-150400.3.12.2 updated
- curl-7.79.1-150400.5.15.1 updated
- kbd-legacy-2.4.0-150400.5.3.1 updated
- release-notes-susemanager-proxy-4.3.5-150400.3.48.2 updated
- kbd-2.4.0-150400.5.3.1 updated
- libpython3_6m1_0-3.6.15-150300.10.40.1 updated
- python3-base-3.6.15-150300.10.40.1 updated
- python3-3.6.15-150300.10.40.1 updated
- libapr-util1-1.6.1-150300.18.5.1 updated
- python3-rpm-4.14.3-150300.55.1 updated
- systemd-249.15-150400.8.22.1 updated
- python3-cryptography-3.3.2-150400.16.6.1 updated
- spacewalk-backend-4.3.19-150400.3.15.7 updated
- python3-spacewalk-client-tools-4.3.15-150400.3.15.6 updated
- spacewalk-client-tools-4.3.15-150400.3.15.6 updated
- spacewalk-proxy-package-manager-4.3.15-150400.3.14.2 updated
- spacewalk-proxy-common-4.3.15-150400.3.14.2 updated
- spacewalk-proxy-broker-4.3.15-150400.3.14.2 updated
- spacewalk-proxy-redirect-4.3.15-150400.3.14.2 updated