SUSE Container Update Advisory: ses/7/rook/ceph
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:251-1
Container Tags        : ses/7/rook/ceph:1.5.10 , ses/7/rook/ceph:1.5.10.4 , ses/7/rook/ceph:1.5.10.4.1.1658 , ses/7/rook/ceph:latest , ses/7/rook/ceph:sle15.2.octopus
Container Release     : 1.1658
Severity              : important
Type                  : security
References            : 1029961 1106014 1153687 1161268 1172308 1174526 1178577 1178624 1178675 1179805 1180851 1181874 1182016 1182372 1182936 1183074 1183194 1183268 1183589 1183628 1184326 1184399 1184505 1184997 1184997 1185239 1185325 1186015 1186642 1186642 1186673 CVE-2020-29651 CVE-2021-20288 CVE-2021-3541
-----------------------------------------------------------------

The container ses/7/rook/ceph was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1833-1
Released:    Wed Jun 2 15:32:28 2021
Summary:     Recommended update for zypper
Type:        recommended
Severity:    moderate
References:  1153687,1180851,1181874,1182372,1182936,1183268,1183589,1183628,1184997,1185239

This update for zypper fixes the following issues:

zypper was upgraded to 1.14.44:

- man page: Recommend the needs-rebooting command to test whether a system reboot is suggested.
- patch: Let a patch's reboot-needed flag overrule included packages. (bsc#1183268)
- Quickfix setting 'openSUSE_Tumbleweed' as default platform for 'MicroOS'. (bsc#1153687)
- Protect against strict/relaxed user umask via sudo. (bsc#1183589)
- xml summary: Add solvables repository alias. (bsc#1182372)

libzypp was upgraded from version 17.25.8 to version 17.25.10:

- Properly handle permission denied when providing optional files. (bsc#1185239)
- Fix service detection with `cgroupv2`. (bsc#1184997)
- Add missing includes for GCC 11. (bsc#1181874)
- Fix unsafe usage of static in media verifier.
- `Solver`: Avoid segfault if no system is loaded. (bsc#1183628)
- `MediaVerifier`: Relax media set verification in case of a single not-volatile medium. (bsc#1180851)
- Do no cleanup in custom cache dirs. (bsc#1182936)
- `ZConfig`: let `pubkeyCachePath` follow `repoCachePath`.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1859-1
Released:    Fri Jun 4 09:02:38 2021
Summary:     Security update for python-py
Type:        security
Severity:    moderate
References:  1179805,1184505,CVE-2020-29651

This update for python-py fixes the following issues:

- CVE-2020-29651: Fixed regular expression denial of service in svnwc.py (bsc#1179805, bsc#1184505).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1861-1
Released:    Fri Jun 4 09:59:40 2021
Summary:     Recommended update for gcc10
Type:        recommended
Severity:    moderate
References:  1029961,1106014,1178577,1178624,1178675,1182016

This update for gcc10 fixes the following issues:

- Disable nvptx offloading for aarch64 again since it doesn't work.
- Fixed a build failure issue. (bsc#1182016)
- Fix for memory miscompilation on 'aarch64'. (bsc#1178624, bsc#1178577)
- Fix 32bit 'libgnat.so' link. (bsc#1178675)
- prepare usrmerge: Install libgcc_s into %_libdir. ABI wise it stays /%lib. (bsc#1029961)
- Build complete set of multilibs for arm-none target. (bsc#1106014)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1879-1
Released:    Tue Jun 8 09:16:09 2021
Summary:     Recommended update for libzypp, zypper
Type:        recommended
Severity:    important
References:  1184326,1184399,1184997,1185325

This update for libzypp, zypper fixes the following issues:

libzypp was updated to 17.26.0:

- Work around download.o.o broken https redirects.
- Allow trusted repos to add additional signing keys (bsc#1184326)
  Repositories signed with a trusted gpg key may import additional package signing keys. This is needed if different keys were used to sign the packages shipped by the repository.
- MediaCurl: Fix logging of redirects.
- Use 15.3 resolver problem and solution texts on all distros.
- $ZYPP_LOCK_TIMEOUT: Let negative values wait forever for the zypp lock (bsc#1184399)
  Helps boot time services like 'zypper purge-kernels' to wait for the zypp lock until other services using zypper have completed.
- Fix purge-kernels is broken in Leap 15.3 (bsc#1185325)
  Leap 15.3 introduces a new kernel package called kernel-flavour-extra, which contains kmp's. Currently kmp's are detected by name '.*-kmp(-.*)?', but this does not work with those new packages. This patch fixes the problem by checking packages for kmod(*) and ksym(*) provides and only falls back to name checking if the package in question does not provide one of those.
- Introduce zypp-runpurge, a tool to run purge-kernels on testcases.

zypper was updated to 1.14.45:

- Fix service detection with cgroupv2 (bsc#1184997)
- Add hints to 'trust GPG key' prompt.
- Add report when receiving new package signing keys from a trusted repo (bsc#1184326)
- Added translation using Weblate (Kabyle)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1910-1
Released:    Wed Jun 9 09:37:41 2021
Summary:     Recommended update for openssh
Type:        recommended
Severity:    moderate
References:  1186673

This update for openssh fixes the following issues:

- Further attempts to mitigate instances of secrets lingering in memory after a session exits, to meet key zeroization requirements. (bsc#1186673)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1917-1
Released:    Wed Jun 9 14:48:05 2021
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1186015,CVE-2021-3541

This update for libxml2 fixes the following issues:

- CVE-2021-3541: Fixed an exponential entity expansion attack that bypasses all existing protection mechanisms. (bsc#1186015)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1923-1
Released:    Thu Jun 10 08:37:00 2021
Summary:     Recommended update for nfs-utils
Type:        recommended
Severity:    important
References:  1183194

This update for nfs-utils fixes the following issues:

- Ensured thread safety when opening files over NFS to prevent a use-after-free issue (bsc#1183194)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1935-1
Released:    Thu Jun 10 10:45:09 2021
Summary:     Recommended update for gzip
Type:        recommended
Severity:    moderate
References:  1186642

This update for gzip fixes the following issue:

- gzip had a lower release number in 15 SP2 and SP3 than in 15 SP1, which could lead to migration issues. (bsc#1186642)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1937-1
Released:    Thu Jun 10 10:47:09 2021
Summary:     Recommended update for nghttp2
Type:        recommended
Severity:    moderate
References:  1186642

This update for nghttp2 fixes the following issue:

- The (lib)nghttp2 packages had a lower release number in SUSE Linux Enterprise 15 SP2 and SP3 than in 15 SP1, which could lead to migration issues. (bsc#1186642)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1953-1
Released:    Thu Jun 10 16:18:50 2021
Summary:     Recommended update for gpg2
Type:        recommended
Severity:    moderate
References:  1161268,1172308

This update for gpg2 fixes the following issues:

- Fixed an issue where the gpg-agent's ssh-agent does not handle flags in signing requests properly (bsc#1161268 and bsc#1172308).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1971-1
Released:    Tue Jun 15 06:57:16 2021
Summary:     Security update for ceph and ceph-csi
Type:        security
Severity:    important
References:  1174526,1183074,CVE-2021-20288

This update for ceph and ceph-csi fixes the following issues:

ceph:

- updated ceph to upstream version 15.2.13:
  * mgr/dashboard: allow getting fresh inventory data from the orchestrator (bsc#1174526)
  The whole upstream changelog can be found here: https://ceph.io/releases/v15-2-13-octopus-released/

ceph-csi:

- CVE-2021-20288: An authentication flaw was found in ceph in versions prior to 14.2.20. When the monitor handles CEPHX_GET_AUTH_SESSION_KEY requests, it doesn't sanitize other_keys, allowing key reuse. An attacker who can request a global_id can exploit the ability of any user to request a global_id previously associated with another user, as ceph does not force the reuse of old keys to generate new ones. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (bsc#1183074)

The following package changes have been done:

- ceph-base-15.2.13.79+g51835b62d61-3.22.1 updated
- ceph-common-15.2.13.79+g51835b62d61-3.22.1 updated
- ceph-grafana-dashboards-15.2.13.79+g51835b62d61-3.22.1 updated
- ceph-mds-15.2.13.79+g51835b62d61-3.22.1 updated
- ceph-mgr-cephadm-15.2.13.79+g51835b62d61-3.22.1 updated
- ceph-mgr-dashboard-15.2.13.79+g51835b62d61-3.22.1 updated
- ceph-mgr-modules-core-15.2.13.79+g51835b62d61-3.22.1 updated
- ceph-mgr-rook-15.2.13.79+g51835b62d61-3.22.1 updated
- ceph-mgr-15.2.13.79+g51835b62d61-3.22.1 updated
- ceph-mon-15.2.13.79+g51835b62d61-3.22.1 updated
- ceph-osd-15.2.13.79+g51835b62d61-3.22.1 updated
- ceph-prometheus-alerts-15.2.13.79+g51835b62d61-3.22.1 updated
- ceph-radosgw-15.2.13.79+g51835b62d61-3.22.1 updated
- cephadm-15.2.13.79+g51835b62d61-3.22.1 updated
- ceph-15.2.13.79+g51835b62d61-3.22.1 updated
- gpg2-2.2.5-4.19.8 updated
- gzip-1.10-7.1 updated
- libcephfs2-15.2.13.79+g51835b62d61-3.22.1 updated
- libgcc_s1-10.3.0+git1587-1.6.4 updated
- libnghttp2-14-1.40.0-6.1 updated
- librados2-15.2.13.79+g51835b62d61-3.22.1 updated
- librbd1-15.2.13.79+g51835b62d61-3.22.1 updated
- librgw2-15.2.13.79+g51835b62d61-3.22.1 updated
- libsolv-tools-0.7.19-6.1 updated
- libstdc++6-10.3.0+git1587-1.6.4 updated
- libxml2-2-2.9.7-3.37.1 updated
- libzypp-17.26.0-9.1 updated
- nfs-client-2.1.1-10.18.1 updated
- nfs-kernel-server-2.1.1-10.18.1 updated
- openssh-8.1p1-5.18.1 updated
- python3-ceph-argparse-15.2.13.79+g51835b62d61-3.22.1 updated
- python3-ceph-common-15.2.13.79+g51835b62d61-3.22.1 updated
- python3-cephfs-15.2.13.79+g51835b62d61-3.22.1 updated
- python3-py-1.8.1-5.6.1 updated
- python3-rados-15.2.13.79+g51835b62d61-3.22.1 updated
- python3-rbd-15.2.13.79+g51835b62d61-3.22.1 updated
- python3-rgw-15.2.13.79+g51835b62d61-3.22.1 updated
- rbd-mirror-15.2.13.79+g51835b62d61-3.22.1 updated
- zypper-1.14.45-10.1 updated
- container:ceph-image-1.0.0-4.232 updated