SUSE Container Update Advisory: ses/7.1/rook/ceph ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2022:1736-1 Container Tags : ses/7.1/rook/ceph:1.8.10 , ses/7.1/rook/ceph:1.8.10.0 , ses/7.1/rook/ceph:1.8.10.0.4.5.106 , ses/7.1/rook/ceph:latest , ses/7.1/rook/ceph:sle15.3.pacific Container Release : 4.5.106 Severity : critical Type : security References : 1033084 1033085 1033086 1033087 1033088 1033089 1033090 1040589 1082318 1104264 1106390 1107066 1107067 1111973 1112723 1112726 1123685 1125007 1137373 1180065 1181658 1185637 1191908 1192449 1192951 1193659 1194550 1194708 1195157 1195283 1196125 1196490 1196861 1197065 1197443 1197570 1197684 1197718 1197742 1197743 1197771 1197790 1197794 1197846 1198062 1198090 1198114 1198176 1198422 1198435 1198446 1198458 1198507 1198511 1198614 1198723 1198732 1198751 1198766 1198820 1198922 1199042 1199090 1199132 1199140 1199166 1199223 1199224 1199232 1199232 1199240 1199756 1200170 1200278 1200334 1200550 1200735 1200737 1200802 1200855 1200855 1201099 1201225 1201560 1201640 CVE-2015-20107 CVE-2017-7607 CVE-2017-7608 CVE-2017-7609 CVE-2017-7610 CVE-2017-7611 CVE-2017-7612 CVE-2017-7613 CVE-2018-16062 CVE-2018-16402 CVE-2018-16403 CVE-2018-18310 CVE-2018-18520 CVE-2018-18521 CVE-2019-7146 CVE-2019-7148 CVE-2019-7149 CVE-2019-7150 CVE-2019-7664 CVE-2019-7665 CVE-2020-29362 CVE-2022-1271 CVE-2022-1292 CVE-2022-1304 CVE-2022-1586 CVE-2022-1586 CVE-2022-2068 CVE-2022-2097 CVE-2022-22576 CVE-2022-23308 CVE-2022-27775 CVE-2022-27776 CVE-2022-27781 CVE-2022-27782 CVE-2022-29155 CVE-2022-29217 CVE-2022-29824 CVE-2022-32206 CVE-2022-32208 CVE-2022-34903 ----------------------------------------------------------------- The container ses/7.1/rook/ceph was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:1617-1 Released: Tue May 10 14:40:12 2022 Summary: Security update for gzip Type: security Severity: important References: 1198062,1198922,CVE-2022-1271 This update for gzip fixes the following issues: - CVE-2022-1271: Fix escaping of malicious filenames. (bsc#1198062) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1625-1 Released: Tue May 10 15:54:43 2022 Summary: Recommended update for python-python3-saml Type: recommended Severity: moderate References: 1197846 This update for python-python3-saml fixes the following issues: - Update expiry dates for responses. (bsc#1197846) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1626-1 Released: Tue May 10 15:55:13 2022 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1198090,1198114 This update for systemd fixes the following issues: - tmpfiles.d: only 'w+' can have multiple lines for the same path (bsc#1198090) - journald: make sure journal_file_open() doesn't leave a corrupted file around after failing (bsc#1198114) - tmpfiles: constify item_compatible() parameters - test tmpfiles: add a test for 'w+' - test: add test checking tmpfiles conf file precedence - journald: make use of CLAMP() in cache_space_refresh() - journal-file: port journal_file_open() to openat_report_new() - fs-util: make sure openat_report_new() initializes return param also on shortcut - fs-util: fix typos in comments - fs-util: add openat_report_new() wrapper around openat() ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1655-1 Released: Fri May 13 15:36:10 2022 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1197794 This update for pam fixes the following issue: - Do not include obsolete header files (bsc#1197794) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:1657-1 Released: Fri May 13 15:39:07 2022 Summary: Security update for curl Type: security Severity: moderate References: 1198614,1198723,1198766,CVE-2022-22576,CVE-2022-27775,CVE-2022-27776 This update for curl fixes the following issues: - CVE-2022-27776: Fixed auth/cookie leak on redirect (bsc#1198766) - CVE-2022-27775: Fixed bad local IPv6 connection reuse (bsc#1198723) - CVE-2022-22576: Fixed OAUTH2 bearer bypass in connection re-use (bsc#1198614) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1658-1 Released: Fri May 13 15:40:20 2022 Summary: Recommended update for libpsl Type: recommended Severity: important References: 1197771 This update for libpsl fixes the following issues: - Fix libpsl compilation issues (bsc#1197771) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:1670-1 Released: Mon May 16 10:06:30 2022 Summary: Security update for openldap2 Type: security Severity: important References: 1199240,CVE-2022-29155 This update for openldap2 fixes the following issues: - CVE-2022-29155: Fixed SQL injection in back-sql (bsc#1199240). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:1688-1 Released: Mon May 16 14:02:49 2022 Summary: Security update for e2fsprogs Type: security Severity: important References: 1198446,CVE-2022-1304 This update for e2fsprogs fixes the following issues: - CVE-2022-1304: Fixed out-of-bounds read/write leading to segmentation fault and possibly arbitrary code execution. (bsc#1198446) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1691-1 Released: Mon May 16 15:13:39 2022 Summary: Recommended update for augeas Type: recommended Severity: moderate References: 1197443 This update for augeas fixes the following issue: - Sysctl keys can contain some more non-alphanumeric characters. (bsc#1197443) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1709-1 Released: Tue May 17 17:35:47 2022 Summary: Recommended update for libcbor Type: recommended Severity: important References: 1197743 This update for libcbor fixes the following issues: - Fix build errors occuring on SUSE Linux Enterprise 15 Service Pack 4 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1720-1 Released: Tue May 17 17:46:03 2022 Summary: Recommended update for python-rtslib-fb Type: recommended Severity: important References: 1199090 This update for python-rtslib-fb fixes the following issues: - Update parameters description. - Enable the 'disable_emulate_legacy_capacity' parameter. (bsc#1199090) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:1750-1 Released: Thu May 19 15:28:20 2022 Summary: Security update for libxml2 Type: security Severity: important References: 1196490,1199132,CVE-2022-23308,CVE-2022-29824 This update for libxml2 fixes the following issues: - CVE-2022-23308: Fixed a use-after-free of ID and IDREF attributes (bsc#1196490). - CVE-2022-29824: Fixed integer overflow that could have led to an out-of-bounds write in buf.c (xmlBuf*) and tree.c (xmlBuffer*) (bsc#1199132). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1828-1 Released: Tue May 24 10:47:38 2022 Summary: Recommended update for oath-toolkit Type: recommended Severity: important References: 1197790 This update for oath-toolkit fixes the following issues: - Fix build issues occurring on SUSE Linux Enterprise 15 Service Pack 4 (bsc#1197790) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1864-1 Released: Fri May 27 09:07:30 2022 Summary: Recommended update for leveldb Type: recommended Severity: low References: 1197742 This update for leveldb fixes the following issue: - fix tests (bsc#1197742) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:1870-1 Released: Fri May 27 10:03:40 2022 Summary: Security update for curl Type: security Severity: important References: 1199223,1199224,CVE-2022-27781,CVE-2022-27782 This update for curl fixes the following issues: - CVE-2022-27781: Fixed CERTINFO never-ending busy-loop (bsc#1199223) - CVE-2022-27782: Fixed TLS and SSH connection too eager reuse (bsc#1199224) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:1883-1 Released: Mon May 30 12:41:35 2022 Summary: Security update for pcre2 Type: security Severity: important References: 1199232,CVE-2022-1586 This update for pcre2 fixes the following issues: - CVE-2022-1586: Fixed out-of-bounds read via missing Unicode property matching issue in JIT compiled regular expressions (bsc#1199232). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1887-1 Released: Tue May 31 09:24:18 2022 Summary: Recommended update for grep Type: recommended Severity: moderate References: 1040589 This update for grep fixes the following issues: - Make profiling deterministic. (bsc#1040589, SLE-24115) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1899-1 Released: Wed Jun 1 10:43:22 2022 Summary: Recommended update for libtirpc Type: recommended Severity: important References: 1198176 This update for libtirpc fixes the following issues: - Add a check for nullpointer in check_address to prevent client from crashing (bsc#1198176) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1909-1 Released: Wed Jun 1 16:25:35 2022 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1198751 This update for glibc fixes the following issues: - Add the correct name for the IBM Z16 (bsc#1198751). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:2019-1 Released: Wed Jun 8 16:50:07 2022 Summary: Recommended update for gcc11 Type: recommended Severity: moderate References: 1192951,1193659,1195283,1196861,1197065 This update for gcc11 fixes the following issues: Update to the GCC 11.3.0 release. * includes SLS hardening backport on x86_64. [bsc#1195283] * includes change to adjust gnats idea of the target, fixing the build of gprbuild. [bsc#1196861] * fixed miscompile of embedded premake in 0ad on i586. [bsc#1197065] * use --with-cpu rather than specifying --with-arch/--with-tune * Fix D memory corruption in -M output. * Fix ICE in is_this_parameter with coroutines. [bsc#1193659] * fixes issue with debug dumping together with -o /dev/null * fixes libgccjit issue showing up in emacs build [bsc#1192951] * Package mwaitintrin.h ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:2049-1 Released: Mon Jun 13 09:23:52 2022 Summary: Recommended update for binutils Type: recommended Severity: moderate References: 1191908,1198422 This update for binutils fixes the following issues: - Revert back to old behaviour of not ignoring the in-section content of to be relocated fields on x86-64, even though that's a RELA architecture. Compatibility with buggy object files generated by old tools. [bsc#1198422] - Fix a problem in crash not accepting some of our .ko.debug files. (bsc#1191908) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:2149-1 Released: Wed Jun 22 08:17:38 2022 Summary: Recommended update for ceph-iscsi Type: recommended Severity: moderate References: 1198435 This update for ceph-iscsi fixes the following issues: - Update to 3.5+1655410541.gf482c7a. + Improve werkzeug version checking (bsc#1198435) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:2157-1 Released: Wed Jun 22 17:11:26 2022 Summary: Recommended update for binutils Type: recommended Severity: moderate References: 1198458 This update for binutils fixes the following issues: - For building the shim 15.6~rc1 and later versions aarch64 image, objcopy needs to support efi-app-aarch64 target. (bsc#1198458) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:2251-1 Released: Mon Jul 4 09:52:25 2022 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1185637,1199166,1200550,CVE-2022-1292,CVE-2022-2068 This update for openssl-1_1 fixes the following issues: - CVE-2022-1292: Fixed command injection in c_rehash (bsc#1199166). - CVE-2022-2068: Fixed more shell code injection issues in c_rehash. (bsc#1200550) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:2323-1 Released: Thu Jul 7 12:16:58 2022 Summary: Recommended update for systemd-presets-branding-SLE Type: recommended Severity: low References: This update for systemd-presets-branding-SLE fixes the following issues: - Enable suseconnect-keepalive.timer for SUSEConnect (jsc#SLE-23312) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:2327-1 Released: Thu Jul 7 15:06:13 2022 Summary: Security update for curl Type: security Severity: important References: 1200735,1200737,CVE-2022-32206,CVE-2022-32208 This update for curl fixes the following issues: - CVE-2022-32206: HTTP compression denial of service (bsc#1200735) - CVE-2022-32208: FTP-KRB bad message verification (bsc#1200737) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:2328-1 Released: Thu Jul 7 15:07:35 2022 Summary: Security update for openssl-1_1 Type: security Severity: important References: 1201099,CVE-2022-2097 This update for openssl-1_1 fixes the following issues: - CVE-2022-2097: Fixed partial missing encryption in AES OCB mode (bsc#1201099). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:2357-1 Released: Mon Jul 11 20:34:20 2022 Summary: Security update for python3 Type: security Severity: important References: 1198511,CVE-2015-20107 This update for python3 fixes the following issues: - CVE-2015-20107: avoid command injection in the mailcap module (bsc#1198511). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:2361-1 Released: Tue Jul 12 12:05:01 2022 Summary: Security update for pcre Type: security Severity: important References: 1199232,CVE-2022-1586 This update for pcre fixes the following issues: - CVE-2022-1586: Fixed unicode property matching issue. (bsc#1199232) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:2402-1 Released: Thu Jul 14 16:58:22 2022 Summary: Security update for python-PyJWT Type: security Severity: important References: 1199756,CVE-2022-29217 This update for python-PyJWT fixes the following issues: - CVE-2022-29217: Fixed key confusion through non-blocklisted public key format (bsc#1199756). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:2405-1 Released: Fri Jul 15 11:47:57 2022 Summary: Security update for p11-kit Type: security Severity: moderate References: 1180065,CVE-2020-29362 This update for p11-kit fixes the following issues: - CVE-2020-29362: Fixed a 4 byte overread in p11_rpc_buffer_get_byte_array which could lead to crashes (bsc#1180065) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:2406-1 Released: Fri Jul 15 11:49:01 2022 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1197718,1199140,1200334,1200855 This update for glibc fixes the following issues: - powerpc: Fix VSX register number on __strncpy_power9 (bsc#1200334) - Disable warnings due to deprecated libselinux symbols used by nss and nscd (bsc#1197718) - i386: Remove broken CAN_USE_REGISTER_ASM_EBP (bsc#1197718) - rtld: Avoid using up static TLS surplus for optimizations (bsc#1200855, BZ #25051) This readds the s390 32bit glibc and libcrypt1 libraries (glibc-32bit, glibc-locale-base-32bit, libcrypt1-32bit). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:2453-1 Released: Wed Jul 20 15:26:03 2022 Summary: Recommended update for rook, rook-helm Type: recommended Severity: moderate References: 1198820 This update for rook, rook-helm fixes the following issues: - Fixed an issue for deploying OSDs in SES 7.1 (bsc#1198820) - Update to v1.8.10 Rook v1.8.10 is a patch release limited in scope and focusing on small feature additions and bug fixes to the Ceph operator. * core: Improve detection of filesystem properties for disk in use (#10230, @leseb) * osd: Remove broken argument for upgraded OSDs on PVCs in legacy lvm mode (#10298, @leseb) * osd: Allow the osd to take two hours to start in case of ceph maintenance (#10250, @travisn) * operator: Report telemetry 'rook/version' in mon store (#10161, @BlaineEXE) - Update to v1.8.9 Rook v1.8.9 is a patch release limited in scope and focusing on small feature additions and bug fixes to the Ceph operator. * helm: Add ingressClassName field (#10093, @log1cb0mb) * monitoring: Only set prometheus rules ownerref in same namespace (#10028, @travisn) * osd: only set kek to env var on encryption scenario (#10035, @leseb) * docs: Update the s3 client example for accessing RGW (#9968, @thotz) * osd: Add NixOS specific PATHs to check for lvm2 (#9967, @nazarewk) - Update to v1.8.8 Rook v1.8.8 is a patch release limited in scope and focusing on small feature additions and bug fixes to the Ceph operator. * core: Cluster CR status was not being refreshed after updating the cluster CR (#9962, @leseb) * core: GetLogCollectorResources to get the right resources (#9898, @yuvalman) * object: Remove unnecessary region option from the OBC StorageClass (#9906, @thotz) * core: Add Phase in additionalPrinterColumns for all CRs (#9910, @subhamkrai) * test: Avoid potential data inconsistency on zapping disk (#9930, @satoru-takeuchi) * ci: Add pylint in ci (#9879, @subhamkrai) * core: Incorrect join command in external cluster script (#9862, @vavuthu) * core: Rework usage of ReportReconcileResult (#9873, @BlaineEXE) * csi: Populate mon endpoints even if csi driver not enabled (#9878, @travisn) - Update to v1.8.7 Rook v1.8.7 is a patch release limited in scope and focusing on small feature additions and bug fixes to the Ceph operator. * build: Update ceph base image to v16.2.7-20220216 (#9814, @travisn) * csi: default to ReadWriteOnceWithFSType for cephfs (#9729, @humblec) * mon: Disable startup probe on canary pods (#9888, @travisn) * core: Add Ceph FSID on the cephcluster CR status (#9847, @parth-gr) * csi: Properly apply CSI resource requests and limits (#9868, @TomHellier) * helm: Add resource requests and limits to the toolbox pod (#9856, @TomHellier) * helm: Remove obsolete .Values.image.prefix (#9863, @kahirokunn) * osd: Clarify vault auth error message (#9884, @leseb) * nfs: Remove secret and configmap when downscaling NFS daemons (#9859, @BlaineEXE) * helm: Handle empty StorageClass parameters for object, rbd, and cephfs in the helm chart (#9854, @Zempashi) * helm: Remove obsolete setting for enabling multiple filesystems (#9841, @travisn) * osd: Use lvm mode to create multiple OSDs per device (#9842, @BlaineEXE) * helm: Add filesystem pool name to the storage class (#9838, @mtt0) * docs: Document that the rook-ceph-operator-config ConfigMap is required (#9821, @matthiasr) * core: Suppress verbose disruption controller log messages (#9834, @travisn) * osd: Purge job will remove all pvcs for the osd, not just the data pvc (#9804, @travisn) * osd: Remove osd with purge instead of destroy (#9807, @travisn) - Update to rook 1.8.10 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:2470-1 Released: Thu Jul 21 04:40:14 2022 Summary: Recommended update for systemd Type: recommended Severity: important References: 1137373,1181658,1194708,1195157,1197570,1198507,1198732,1200170 This update for systemd fixes the following issues: - Allow control characters in environment variable values (bsc#1200170) - Call pam_loginuid when creating user@.service (bsc#1198507) - Fix parsing error in s390 udev rules conversion script (bsc#1198732) - Fix issues with multipath setup (bsc#1137373, bsc#1181658, bsc#1194708, bsc#1195157, bsc#1197570) - Flagsify EscapeStyle and make ESCAPE_BACKSLASH_ONELINE implicit - Revert 'basic/env-util: (mostly) follow POSIX for what variable names are allowed' - basic/env-util: (mostly) follow POSIX for what variable names are allowed - basic/env-util: make function shorter - basic/escape: add mode where empty arguments are still shown as '' - basic/escape: always escape newlines in shell_escape() - basic/escape: escape control characters, but not utf-8, in shell quoting - basic/escape: use consistent location for '*' in function declarations - basic/string-util: inline iterator variable declarations - basic/string-util: simplify how str_realloc() is used - basic/string-util: split out helper function - core/device: device_coldplug(): don't set DEVICE_DEAD - core/device: do not downgrade device state if it is already enumerated - core/device: drop unnecessary condition - string-util: explicitly cast character to unsigned - string-util: fix build error on aarch64 - test-env-util: Verify that \r is disallowed in env var values - test-env-util: print function headers ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:2494-1 Released: Thu Jul 21 15:16:42 2022 Summary: Recommended update for glibc Type: recommended Severity: important References: 1200855,1201560,1201640 This update for glibc fixes the following issues: - Remove tunables from static tls surplus patch which caused crashes (bsc#1200855) - i386: Disable check_consistency for GCC 5 and above (bsc#1201640, BZ #25788) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:2546-1 Released: Mon Jul 25 14:43:22 2022 Summary: Security update for gpg2 Type: security Severity: important References: 1196125,1201225,CVE-2022-34903 This update for gpg2 fixes the following issues: - CVE-2022-34903: Fixed a status injection vulnerability (bsc#1201225). - Use AES as default cipher instead of 3DES when we are in FIPS mode. (bsc#1196125) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:2547-1 Released: Mon Jul 25 19:57:38 2022 Summary: Security update for logrotate Type: security Severity: important References: 1192449,1200278,1200802 This update for logrotate fixes the following issues: Security issues fixed: - Improved coredump handing for SUID binaries (bsc#1192449). Non-security issues fixed: - Fixed 'logrotate emits unintended warning: keyword size not properly separated, found 0x3d' (bsc#1200278, bsc#1200802). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:2548-1 Released: Tue Jul 26 13:48:28 2022 Summary: Critical update for python-cssselect Type: recommended Severity: critical References: This update for python-cssselect implements packages to the unrestrictied repository. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:2572-1 Released: Thu Jul 28 04:22:33 2022 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1194550,1197684,1199042 This update for libzypp, zypper fixes the following issues: libzypp: - appdata plugin: Pass path to the repodata/ directory inside the cache (bsc#1197684) - zypp-rpm: flush rpm script output buffer before sending endOfScriptTag - PluginRepoverification: initial version hooked into repo::Downloader and repo refresh - Immediately start monitoring the download.transfer_timeout. Do not wait until the first data arrived (bsc#1199042) - singletrans: no dry-run commit if doing just download-only - Work around cases where sat repo.start points to an invalid solvable. May happen if (wrong arch) solvables were removed at the beginning of the repo. - Fix misplaced #endif SINGLE_RPMTRANS_AS_DEFAULT_FOR_ZYPPER zypper: - Basic JobReport for 'cmdout/monitor' - versioncmp: if verbose, also print the edition 'parts' which are compared - Make sure MediaAccess is closed on exception (bsc#1194550) - Display plus-content hint conditionally - Honor the NO_COLOR environment variable when auto-detecting whether to use color - Define table columns which should be sorted natural [case insensitive] - lr/ls: Use highlight color on name and alias as well ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:2614-1 Released: Mon Aug 1 10:41:04 2022 Summary: Security update for dwarves and elfutils Type: security Severity: moderate References: 1033084,1033085,1033086,1033087,1033088,1033089,1033090,1082318,1104264,1106390,1107066,1107067,1111973,1112723,1112726,1123685,1125007,CVE-2017-7607,CVE-2017-7608,CVE-2017-7609,CVE-2017-7610,CVE-2017-7611,CVE-2017-7612,CVE-2017-7613,CVE-2018-16062,CVE-2018-16402,CVE-2018-16403,CVE-2018-18310,CVE-2018-18520,CVE-2018-18521,CVE-2019-7146,CVE-2019-7148,CVE-2019-7149,CVE-2019-7150,CVE-2019-7664,CVE-2019-7665 This update for dwarves and elfutils fixes the following issues: elfutils was updated to version 0.177 (jsc#SLE-24501): - elfclassify: New tool to analyze ELF objects. - readelf: Print DW_AT_data_member_location as decimal offset. Decode DW_AT_discr_list block attributes. - libdw: Add DW_AT_GNU_numerator, DW_AT_GNU_denominator and DW_AT_GNU_bias. - libdwelf: Add dwelf_elf_e_machine_string. dwelf_elf_begin now only returns NULL when there is an error reading or decompressing a file. If the file is not an ELF file an ELF handle of type ELF_K_NONE is returned. - backends: Add support for C-SKY. Update to version 0.176: - build: Add new --enable-install-elfh option. Do NOT use this for system installs (it overrides glibc elf.h). - backends: riscv improved core file and return value location support. - Fixes: - CVE-2019-7146, CVE-2019-7148, CVE-2019-7149, CVE-2019-7664 - CVE-2019-7150: dwfl_segment_report_module doesn't check whether the dyn data read from core file is truncated (bsc#1123685) - CVE-2019-7665: NT_PLATFORM core file note should be a zero terminated string (CVE is a bit misleading, as this is not a bug in libelf as described) (bsc#1125007) Update to version 0.175: - readelf: Handle mutliple .debug_macro sections. Recognize and parse GNU Property, NT_VERSION and GNU Build Attribute ELF Notes. - strip: Handle SHT_GROUP correctly. Add strip --reloc-debug-sections-only option. Handle relocations against GNU compressed sections. - libdwelf: New function dwelf_elf_begin. - libcpu: Recognize bpf jump variants BPF_JLT, BPF_JLE, BPF_JSLT and BPF_JSLE. backends: RISCV handles ADD/SUB relocations. Handle SHT_X86_64_UNWIND. - CVE-2018-18521: arlib: Divide-by-zero vulnerabilities in the function arlib_add_symbols() used by eu-ranlib (bsc#1112723) - CVE-2018-18310: Invalid Address Read problem in dwfl_segment_report_module.c (bsc#1111973) - CVE-2018-18520: eu-size: Bad handling of ar files inside are files (bsc#1112726) Update to version 0.174: - libelf, libdw and all tools now handle extended shnum and shstrndx correctly. - elfcompress: Don't rewrite input file if no section data needs updating. Try harder to keep same file mode bits (suid) on rewrite. - strip: Handle mixed (out of order) allocated/non-allocated sections. - unstrip: Handle SHT_GROUP sections. - backends: RISCV and M68K now have backend implementations to generate CFI based backtraces. - Fixes: - CVE-2018-16402: libelf: denial of service/double free on an attempt to decompress the same section twice (bsc#1107066) Double-free crash in nm and readelf - CVE-2018-16403: heap buffer overflow in readelf (bsc#1107067) - CVE-2018-16062: heap-buffer-overflow in /elfutils/libdw/dwarf_getaranges.c:156 (bsc#1106390) Update to version 0.173: - More fixes for crashes and hangs found by afl-fuzz. In particular various functions now detect and break infinite loops caused by bad DIE tree cycles. - readelf: Will now lookup the size and signedness of constant value types to display them correctly (and not just how they were encoded). - libdw: New function dwarf_next_lines to read CU-less .debug_line data. dwarf_begin_elf now accepts ELF files containing just .debug_line or .debug_frame sections (which can be read without needing a DIE tree from the .debug_info section). Removed dwarf_getscn_info, which was never implemented. - backends: Handle BPF simple relocations. The RISCV backends now handles ABI specific CFI and knows about RISCV register types and names. Update to version 0.172: - Various bug fixes in libdw and eu-readelf dealing with bad DWARF5 data. Thanks to running the afl fuzzer on eu-readelf and various testcases. Update to version 0.171: - DWARF5 and split dwarf, including GNU DebugFission, are supported now. Data can be read from the new DWARF sections .debug_addr, .debug_line_str, .debug_loclists, .debug_str_offsets and .debug_rnglists. Plus the new DWARF5 and GNU DebugFission encodings of the existing .debug sections. Also in split DWARF .dwo (DWARF object) files. This support is mostly handled by existing functions (dwarf_getlocation*, dwarf_getsrclines, dwarf_ranges, dwarf_form*, etc.) now returning the data from the new sections and data formats. But some new functions have been added to more easily get information about skeleton and split compile units (dwarf_get_units and dwarf_cu_info), handle new attribute data (dwarf_getabbrevattr_data) and to keep references to Dwarf_Dies that might come from different sections or files (dwarf_die_addr_die). - Not yet supported are .dwp (Dwarf Package) and .sup (Dwarf Supplementary) files, the .debug_names index, the .debug_cu_index and .debug_tu_index sections. Only a single .debug_info (and .debug_types) section are currently handled. - readelf: Handle all new DWARF5 sections. --debug-dump=info+ will show split unit DIEs when found. --dwarf-skeleton can be used when inspecting a .dwo file. Recognizes GNU locviews with --debug-dump=loc. - libdw: New functions dwarf_die_addr_die, dwarf_get_units, dwarf_getabbrevattr_data and dwarf_cu_info. libdw will now try to resolve the alt file on first use of an alt attribute FORM when not set yet with dwarf_set_alt. dwarf_aggregate_size() now works with multi-dimensional arrays. - libdwfl: Use process_vm_readv when available instead of ptrace. backends: Add a RISC-V backend. There were various improvements to build on Windows. The sha1 and md5 implementations have been removed, they weren't used. Update to version 0.170: - libdw: Added new DWARF5 attribute, tag, character encoding, language code, calling convention, defaulted member function and macro constants to dwarf.h. New functions dwarf_default_lower_bound and dwarf_line_file. dwarf_peel_type now handles DWARF5 immutable, packed and shared tags. dwarf_getmacros now handles DWARF5 .debug_macro sections. - strip: Add -R, --remove-section=SECTION and --keep-section=SECTION. - backends: The bpf disassembler is now always build on all platforms. Update to version 0.169: - backends: Add support for EM_PPC64 GNU_ATTRIBUTES. Frame pointer unwinding fallback support for i386, x86_64, aarch64. - translations: Update Polish translation. - CVE-2017-7611: elfutils: DoS (heap-based buffer over-read and application crash) via a crafted ELF file (bsc#1033088) - CVE-2017-7610: elflint: heap-based buffer overflow in check_group (bsc#1033087) - CVE-2017-7609: memory allocation failure in __libelf_decompress (bsc#1033086) - CVE-2017-7607: heap-based buffer overflow in handle_gnu_hashi (readelf.c) (bsc#1033084) - CVE-2017-7608: heap-based buffer overflow in ebl_object_note_type_name (eblobjnotetypename.c) (bsc#1033085) - CVE-2017-7613: elfutils: denial of service (memory consumption) via a crafted ELF file (bsc#1033090) - CVE-2017-7612: elfutils: denial of service (heap-based buffer over-read and application crash) via a crafted ELF file (bsc#1033089) - Don't make elfutils recommend elfutils-lang as elfutils-lang already supplements elfutils. dwarves is shipped new in version 1.22 to provide tooling for use by the Linux Kernel BTF verification framework. The following package changes have been done: - binutils-2.37-150100.7.37.1 updated - ceph-iscsi-3.5+1655410541.gf482c7a-150300.3.3.1 updated - e2fsprogs-1.43.8-150000.4.33.1 updated - glibc-locale-base-2.31-150300.37.1 updated - glibc-2.31-150300.37.1 updated - gpg2-2.2.27-150300.3.5.1 updated - grep-3.1-150000.4.6.1 updated - gzip-1.10-150200.10.1 updated - libaugeas0-1.10.1-150000.3.12.1 updated - libcbor0-0.5.0-150100.4.6.1 updated - libcom_err2-1.43.8-150000.4.33.1 updated - libcrypt1-4.4.15-150300.4.4.3 updated - libctf-nobfd0-2.37-150100.7.37.1 updated - libctf0-2.37-150100.7.37.1 updated - libcurl4-7.66.0-150200.4.36.1 updated - libdw1-0.177-150300.11.3.1 updated - libebl-plugins-0.177-150300.11.3.1 updated - libelf1-0.177-150300.11.3.1 updated - libext2fs2-1.43.8-150000.4.33.1 updated - libgcc_s1-11.3.0+git1637-150000.1.9.1 updated - libldap-2_4-2-2.4.46-150200.14.8.1 updated - libldap-data-2.4.46-150200.14.8.1 updated - libleveldb1-1.18-150000.3.3.1 updated - liboath0-2.6.2-150000.3.3.1 updated - libopenssl1_1-hmac-1.1.1d-150200.11.51.1 updated - libopenssl1_1-1.1.1d-150200.11.51.1 updated - libp11-kit0-0.23.2-150000.4.16.1 updated - libpcre1-8.45-150000.20.13.1 updated - libpcre2-8-0-10.31-150000.3.7.1 updated - libpsl5-0.20.1-150000.3.3.1 updated - libpython3_6m1_0-3.6.15-150300.10.27.1 updated - libstdc++6-11.3.0+git1637-150000.1.9.1 updated - libsystemd0-246.16-150300.7.48.1 updated - libtirpc-netconfig-1.2.6-150300.3.6.1 updated - libtirpc3-1.2.6-150300.3.6.1 updated - libudev1-246.16-150300.7.48.1 updated - libxml2-2-2.9.7-150000.3.46.1 updated - libzypp-17.30.2-150200.39.1 updated - logrotate-3.13.0-150000.4.7.1 updated - oath-toolkit-xml-2.6.2-150000.3.3.1 updated - openssl-1_1-1.1.1d-150200.11.51.1 updated - p11-kit-tools-0.23.2-150000.4.16.1 updated - p11-kit-0.23.2-150000.4.16.1 updated - pam-1.3.0-150000.6.58.3 updated - python-rtslib-fb-common-2.1.74-150300.3.3.1 updated - python3-PyJWT-1.7.1-150200.3.3.1 updated - python3-base-3.6.15-150300.10.27.1 updated - python3-cssselect-1.0.3-150000.3.3.1 updated - python3-curses-3.6.15-150300.10.27.1 updated - python3-python3-saml-1.7.0-150200.3.3.2 updated - python3-rtslib-fb-2.1.74-150300.3.3.1 updated - python3-3.6.15-150300.10.27.1 updated - rook-k8s-yaml-1.8.10+git0.1899eda8a-150300.3.3.2 updated - rook-1.8.10+git0.1899eda8a-150300.3.3.2 updated - systemd-presets-branding-SLE-15.1-150100.20.11.1 updated - systemd-246.16-150300.7.48.1 updated - udev-246.16-150300.7.48.1 updated - zypper-1.14.53-150200.33.1 updated - container:sles15-image-15.0.0-17.20.7 updated