SUSE Container Update Advisory: ses/7/rook/ceph ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:221-1 Container Tags : ses/7/rook/ceph:1.3.4 , ses/7/rook/ceph:1.3.4.0 , ses/7/rook/ceph:1.3.4.0.1.1049 , ses/7/rook/ceph:latest , ses/7/rook/ceph:sle15.2.octopus Container Release : 1.1049 Severity : important Type : security References : 1002895 1005023 1007715 1009532 1013125 1014478 1027282 1029377 1029902 1033084 1033085 1033086 1033087 1033088 1033089 1033090 1036463 1038194 1039099 1040164 1042670 1044840 1045723 1051143 1054413 1063675 1065270 1070853 1071321 1072183 1073299 1073313 1073421 1076519 1076696 1079761 1080919 1081750 1081947 1081947 1082293 1082318 1082318 1082318 1082318 1083158 1083507 1084671 1084812 1084842 1084934 1085196 1086001 1087550 1087982 1088004 1088009 1088052 1088279 1088358 1088358 1088524 1088573 1089640 1089761 1089777 1090944 1091265 1091677 1092100 1092877 1092920 1093392 1093617 1093753 1093753 1093851 1094150 1094154 1094161 1094222 1094814 1094814 1095096 1095661 1095670 1095973 1096191 1096718 1096745 1096974 1096984 1097073 1097643 1098217 1098569 1098697 1100396 1100415 1100488 1101040 1101470 1101591 1101797 1102046 1102310 1102526 1102564 1102840 1102908 1103320 1103320 1104531 1104700 1104780 1105031 1105068 1105166 1105396 1105435 1106214 1106383 1106390 1107030 1107030 1107066 1107067 1107105 1107617 1107640 1107941 1109197 1109252 1109412 1109413 1109414 1109663 1109694 1109847 1110304 1110435 1110445 1110700 1111019 1111388 1111498 1111622 1111973 1111996 1112024 1112310 1112534 1112535 1112570 1112723 1112726 1112780 1112928 1113083 1113247 1113252 1113255 1113554 1113632 1113665 1114135 1114407 1114592 1114674 1114675 1114681 1114686 1114845 1114933 1114984 1114993 1115640 1115929 1116827 1117025 1117063 1117993 1118086 1118364 1118629 1118644 1118830 1118831 1119063 1119687 1119971 1120323 1120346 1120402 1120640 1120644 1120644 1120689 1121034 1121035 1121056 1121197 1121446 1121563 1121563 1121753 1122000 1122191 1122191 1122271 1122417 1122669 1122729 1123043 1123333 1123685 1123710 1123727 1123892 1123919 1124122 1124153 1124223 1124847 1125007 1125352 1125352 1125410 1125604 1125815 1125886 1126056 1126096 1126117 1126118 1126119 1126377 1126590 1127223 1127308 1127557 1127701 1128246 1128323 1128383 1128828 1129071 1129346 1129346 1129576 1129598 1129859 1130045 1130230 1130325 1130326 1130557 1130840 1130840 1131060 1131330 1131686 1132160 1132174 1132323 1132348 1132400 1132663 1132721 1132900 1133131 1133232 1133297 1133452 1133452 1133495 1133506 1133509 1133773 1133808 1134193 1134217 1134524 1134659 1135123 1135254 1135534 1135708 1135709 1136184 1136245 1136717 1137053 1137624 1137832 1137942 1138459 1138459 1138666 1138793 1138869 1138939 1139083 1139083 1139459 1139459 1139937 1139939 1140016 1140095 1140101 1140565 1140631 1140647 1141059 1141093 1141113 1141853 1141853 1141883 1141897 1141913 1142343 1142614 1142649 1142654 1142772 1143055 1143194 1143273 1144047 1144169 1145023 1145383 1145716 1146853 1146854 1146866 1148517 1148987 1149121 1149121 1149145 1149332 1149429 1149792 1149792 1149792 1149955 1149955 1149955 1149995 1150137 1150451 1150595 1150733 1150895 1151023 1151023 1151377 1151481 1151490 1151490 1151582 1152101 1152590 1152590 1152692 1152755 1153165 1153238 1153238 1153674 1153936 1154016 1154025 1154036 1154037 1154217 1154256 1154295 1154609 1154661 1154871 1154884 1154887 1155199 1155207 1155271 1155327 1155337 1155338 1155339 1155574 1155951 1156213 1156482 1157278 1157292 1157438 1157794 1157893 1158095 1158095 1158485 1158504 1158509 1158630 1158630 1158758 1158830 1158921 1158996 1159018 1159035 1159622 1159814 1159928 1159989 1160039 1160160 1160571 1160590 1160595 1160735 1160933 1160970 1160978 1160979 1161215 1161216 1161218 1161219 1161220 1161262 1161436 1161517 1161521 1161770 1161783 1161816 1162108 1162108 1162152 1162202 1162224 1162367 1162423 1162518 1162675 1162825 1162930 1163184 1164260 1164505 1164562 1164717 1164950 1164950 1165011 1165439 1165539 1165579 1165784 1165894 1165894 1166106 1166260 1166510 1166510 1166748 1166881 1167205 1167206 1167223 1167631 1167674 1167732 1167898 1168076 1168345 1168699 1168756 1169512 1169569 1169582 1169944 1170175 1170247 1170527 1170771 1171561 1171656 1171872 1172021 1172055 353876 637176 658604 673071 709442 743787 747125 751718 754447 754677 787526 809831 831629 834601 871152 885662 885882 915402 917607 918346 942751 951166 953659 960273 969953 982804 983582 984751 985177 985348 985657 989523 991901 999200 CVE-2009-5155 CVE-2011-3389 CVE-2011-4944 CVE-2012-0845 CVE-2012-1150 CVE-2013-1752 CVE-2013-4238 CVE-2014-2667 CVE-2014-4650 CVE-2015-0247 CVE-2015-1572 CVE-2016-0772 CVE-2016-1000110 CVE-2016-10739 CVE-2016-10745 CVE-2016-3189 CVE-2016-5636 CVE-2016-5699 CVE-2017-17740 CVE-2017-18207 CVE-2017-18269 CVE-2017-7607 CVE-2017-7608 CVE-2017-7609 CVE-2017-7610 CVE-2017-7611 CVE-2017-7612 CVE-2017-7613 CVE-2018-1000654 CVE-2018-1000802 CVE-2018-1000858 CVE-2018-1000876 CVE-2018-10360 CVE-2018-1060 CVE-2018-1061 CVE-2018-10906 CVE-2018-1122 CVE-2018-1123 CVE-2018-11236 CVE-2018-11237 CVE-2018-1124 CVE-2018-1125 CVE-2018-1126 CVE-2018-12015 CVE-2018-12020 CVE-2018-14404 CVE-2018-14567 CVE-2018-14647 CVE-2018-15686 CVE-2018-15688 CVE-2018-16062 CVE-2018-16402 CVE-2018-16403 CVE-2018-16864 CVE-2018-16865 CVE-2018-16866 CVE-2018-16869 CVE-2018-17358 CVE-2018-17359 CVE-2018-17360 CVE-2018-17953 CVE-2018-17985 CVE-2018-18074 CVE-2018-18309 CVE-2018-18310 CVE-2018-18311 CVE-2018-18312 CVE-2018-18313 CVE-2018-18314 CVE-2018-18483 CVE-2018-18484 CVE-2018-18520 CVE-2018-18521 CVE-2018-18605 CVE-2018-18606 CVE-2018-18607 CVE-2018-19211 CVE-2018-19931 CVE-2018-19932 CVE-2018-20346 CVE-2018-20406 CVE-2018-20406 CVE-2018-20623 CVE-2018-20651 CVE-2018-20671 CVE-2018-20843 CVE-2018-20852 CVE-2018-20852 CVE-2018-6323 CVE-2018-6543 CVE-2018-6759 CVE-2018-6872 CVE-2018-6954 CVE-2018-7208 CVE-2018-7568 CVE-2018-7569 CVE-2018-7570 CVE-2018-7642 CVE-2018-7643 CVE-2018-8945 CVE-2018-9251 CVE-2019-1010180 CVE-2019-10160 CVE-2019-10160 CVE-2019-10906 CVE-2019-11068 CVE-2019-11236 CVE-2019-11324 CVE-2019-12290 CVE-2019-12749 CVE-2019-12900 CVE-2019-12900 CVE-2019-12904 CVE-2019-13050 CVE-2019-13057 CVE-2019-13117 CVE-2019-13118 CVE-2019-13565 CVE-2019-13627 CVE-2019-14250 CVE-2019-14287 CVE-2019-14806 CVE-2019-14853 CVE-2019-14859 CVE-2019-14866 CVE-2019-14889 CVE-2019-14889 CVE-2019-15847 CVE-2019-15903 CVE-2019-15903 CVE-2019-16056 CVE-2019-16056 CVE-2019-16056 CVE-2019-16168 CVE-2019-16935 CVE-2019-16935 CVE-2019-17543 CVE-2019-17594 CVE-2019-17595 CVE-2019-18197 CVE-2019-18218 CVE-2019-18224 CVE-2019-18634 CVE-2019-19126 CVE-2019-19956 CVE-2019-19956 CVE-2019-20386 CVE-2019-20388 CVE-2019-3689 CVE-2019-3842 CVE-2019-3843 CVE-2019-3844 CVE-2019-3880 CVE-2019-5010 CVE-2019-5010 CVE-2019-5021 CVE-2019-5094 CVE-2019-5188 CVE-2019-6454 CVE-2019-6454 CVE-2019-6706 CVE-2019-7150 CVE-2019-7665 CVE-2019-8341 CVE-2019-8905 CVE-2019-8906 CVE-2019-8907 CVE-2019-9169 CVE-2019-9636 CVE-2019-9636 CVE-2019-9674 CVE-2019-9740 CVE-2019-9893 CVE-2019-9936 CVE-2019-9937 CVE-2019-9947 CVE-2019-9947 CVE-2020-10029 CVE-2020-11501 CVE-2020-12243 CVE-2020-1712 CVE-2020-1712 CVE-2020-1730 CVE-2020-1747 CVE-2020-1752 CVE-2020-7595 CVE-2020-8492 ECO-368 PM-1350 SLE-5807 SLE-5933 SLE-6206 SLE-6533 SLE-6536 SLE-7687 SLE-9132 SLE-9426 ----------------------------------------------------------------- The container ses/7/rook/ceph was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1223-1 Released: Tue Jun 26 11:41:00 2018 Summary: Security update for gpg2 Type: security Severity: important References: 1096745,CVE-2018-12020 This update for gpg2 fixes the following security issue: - CVE-2018-12020: GnuPG mishandled the original filename during decryption and verification actions, which allowed remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the '--status-fd 2' option (bsc#1096745). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1327-1 Released: Tue Jul 17 08:07:24 2018 Summary: Security update for perl Type: security Severity: moderate References: 1096718,CVE-2018-12015 This update for perl fixes the following issues: - CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1332-1 Released: Tue Jul 17 09:01:19 2018 Summary: Recommended update for timezone Type: recommended Severity: moderate References: 1073299,1093392 This update for timezone provides the following fixes: - North Korea switches back from +0830 to +09 on 2018-05-05. - Ireland's standard time is in the summer, with negative DST offset to standard time used in Winter. (bsc#1073299) - yast2-country is no longer setting TIMEZONE in /etc/sysconfig/clock and is calling systemd timedatectl instead. Do not set /etc/localtime on timezone package updates to avoid setting an incorrect timezone. (bsc#1093392) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1346-1 Released: Thu Jul 19 09:25:08 2018 Summary: Security update for glibc Type: security Severity: moderate References: 1082318,1092877,1094150,1094154,1094161,CVE-2017-18269,CVE-2018-11236,CVE-2018-11237 This update for glibc fixes the following security issues: - CVE-2017-18269: An SSE2-optimized memmove implementation for i386 did not correctly perform the overlapping memory check if the source memory range spaned the middle of the address space, resulting in corrupt data being produced by the copy operation. This may have disclosed information to context-dependent attackers, resulted in a denial of service or code execution (bsc#1094150). - CVE-2018-11236: Prevent integer overflow on 32-bit architectures when processing very long pathname arguments to the realpath function, leading to a stack-based buffer overflow (bsc#1094161). - CVE-2018-11237: An AVX-512-optimized implementation of the mempcpy function may have writen data beyond the target buffer, leading to a buffer overflow in __mempcpy_avx512_no_vzeroupper (bsc#1092877, bsc#1094154). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1353-1 Released: Thu Jul 19 09:50:32 2018 Summary: Security update for e2fsprogs Type: security Severity: moderate References: 1009532,1038194,915402,918346,960273,CVE-2015-0247,CVE-2015-1572 This update for e2fsprogs fixes the following issues: Security issues fixed: - CVE-2015-0247: Fixed couple of heap overflows in e2fsprogs (fsck, dumpe2fs, e2image...) (bsc#915402). - CVE-2015-1572: Fixed potential buffer overflow in closefs() (bsc#918346). Bug fixes: - bsc#1038194: generic/405 test fails with /dev/mapper/thin-vol is inconsistent on ext4 file system. - bsc#1009532: resize2fs hangs when trying to resize a large ext4 file system. - bsc#960273: xfsprogs does not call %{?regenerate_initrd_post}. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1362-1 Released: Thu Jul 19 12:47:33 2018 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1100415 ca-certificates-mozilla was updated to the 2.24 state of the Mozilla NSS Certificate store. (bsc#1100415) Following CAs were removed: * S-TRUST_Universal_Root_CA * TC_TrustCenter_Class_3_CA_II * TUeRKTRUST_Elektronik_Sertifika_Hizmet_Saglayicisi_H5 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1409-1 Released: Fri Jul 27 06:45:10 2018 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1039099,1083158,1088052,1091265,1093851,1095096,1095973,1098569 This update for systemd provides the following fixes: - systemctl: Mask always reports the same unit names when different unknown units are passed. (bsc#1095973) - systemctl: Check the existence of all units, not just the first one. - scsi_id: Fix the prefix for pre-SPC inquiry reply. (bsc#1039099) - device: Make sure to always retroactively start device dependencies. (bsc#1088052) - locale-util: On overlayfs FTW_MOUNT causes nftw(3) to not list *any* files. - Fix pattern to detect distribution. - install: The 'user' and 'global' scopes are equivalent for user presets. (bsc#1093851) - install: Search for preset files in /run (#7715) - install: Consider globally enabled units as 'enabled' for the user. (bsc#1093851) - install: Consider non-Alias=/non-DefaultInstance= symlinks as 'indirect' enablement. - install: Only consider names in Alias= as 'enabling'. - udev: Whitelist mlx4_core locally-administered MAC addresses in the persistent rule generator. (bsc#1083158) - man: Updated systemd-analyze blame description for service-units with Type=simple. (bsc#1091265) - fileio: Support writing atomic files with timestamp. - fileio.c: Fix incorrect mtime - Drop runtime dependency on dracut, otherwise systemd pulls in tools to generate the initrd even in container/chroot installations that don't have a kernel. For environments where initrd matters, dracut should be pulled via a pattern. (bsc#1098569) - An update broke booting with encrypted partitions on NVMe (bsc#1095096) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1754-1 Released: Fri Aug 24 16:40:21 2018 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1104780 This update for ca-certificates-mozilla fixes the following issues: Updated to the 2.26 state of the Mozilla NSS Certificate store. (bsc#1104780) - removed server auth rights from following CAs: - Certplus Root CA G1 - Certplus Root CA G2 - OpenTrust Root CA G1 - OpenTrust Root CA G2 - OpenTrust Root CA G3 - removed CA - ComSign CA - new CA added: - GlobalSign ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1760-1 Released: Fri Aug 24 17:14:53 2018 Summary: Recommended update for libtirpc Type: recommended Severity: moderate References: 1072183 This update for libtirpc fixes the following issues: - rpcinfo: send RPC getport call as specified via parameter (bsc#1072183) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1775-1 Released: Tue Aug 28 12:40:50 2018 Summary: Recommended update for xfsprogs Type: recommended Severity: important References: 1089777,1105396 This update for xfsprogs fixes the following issues: - avoid divide-by-zero when hardware reports optimal i/o size as 0 (bsc#1089777) - repair: shift inode back into place if corrupted by bad log replay (bsc#1105396). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1887-1 Released: Wed Sep 12 12:34:28 2018 Summary: Recommended update for python-websocket-client Type: recommended Severity: moderate References: 1076519 This update for python-websocket-client fixes the following issues: - Use systems ca bundle file by default. (bsc#1076519) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1999-1 Released: Tue Sep 25 08:20:35 2018 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1071321 This update for zlib provides the following fixes: - Speedup zlib on power8. (fate#325307) - Add safeguard against negative values in uInt. (bsc#1071321) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2055-1 Released: Thu Sep 27 14:30:14 2018 Summary: Recommended update for openldap2 Type: recommended Severity: moderate References: 1089640 This update for openldap2 provides the following fix: - Fix slapd segfaults in mdb_env_reader_dest. (bsc#1089640) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2138-1 Released: Thu Oct 4 15:52:15 2018 Summary: Recommended update for sudo Type: recommended Severity: low References: 1097643 This update for sudo fixes the following issues: - fix permissions for /var/lib/sudo and /var/lib/sudo/ts (bsc#1097643) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2155-1 Released: Fri Oct 5 14:41:17 2018 Summary: Recommended update for ca-certificates Type: recommended Severity: moderate References: 1101470 This update for ca-certificates fixes the following issues: - Changed 'openssl' requirement to 'openssl(cli)' (bsc#1101470) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2170-1 Released: Mon Oct 8 10:31:14 2018 Summary: Recommended update for python3 Type: recommended Severity: moderate References: 1107030 This update for python3 fixes the following issues: - Add -fwrapv to OPTS, which is default for python3 for bugs which are caused by avoiding it. (bsc#1107030) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2177-1 Released: Tue Oct 9 09:00:13 2018 Summary: Recommended update for bash Type: recommended Severity: moderate References: 1095661,1095670,1100488 This update for bash provides the following fixes: - Bugfix: Parse settings in inputrc for all screen TERM variables starting with 'screen.' (bsc#1095661) - Make the generation of bash.html reproducible. (bsc#1100488) - Use initgroups(3) instead of setgroups(2) to fix the usage of suid programs. (bsc#1095670) - Fix a problem that could cause hash table bash uses to store exit statuses from asynchronous processes to develop loops in circumstances involving long-running scripts that create and reap many processes. - Fix a problem that could cause the shell to loop if a SIGINT is received inside of a SIGINT trap handler. - Fix cases where a failing readline command (e.g., delete-char at the end of a line) can cause a multi-character key sequence to 'back up' and attempt to re-read some of the characters in the sequence. - Fix a problem when sourcing a file from an interactive shell, that setting the SIGINT handler to the default and typing ^C would cause the shell to exit. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2182-1 Released: Tue Oct 9 11:08:36 2018 Summary: Security update for libxml2 Type: security Severity: moderate References: 1088279,1102046,1105166,CVE-2018-14404,CVE-2018-14567,CVE-2018-9251 This update for libxml2 fixes the following security issues: - CVE-2018-9251: The xz_decomp function allowed remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1088279) - CVE-2018-14567: Prevent denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1105166) - CVE-2018-14404: Prevent NULL pointer dereference in the xmlXPathCompOpEval() function when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case leading to a denial of service attack (bsc#1102046) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2340-1 Released: Fri Oct 19 16:05:53 2018 Summary: Security update for fuse Type: security Severity: moderate References: 1101797,CVE-2018-10906 This update for fuse fixes the following issues: - CVE-2018-10906: fusermount was vulnerable to a restriction bypass when SELinux is active. This allowed non-root users to mount a FUSE file system with the 'allow_other' mount option regardless of whether 'user_allow_other' is set in the fuse configuration. An attacker may use this flaw to mount a FUSE file system, accessible by other users, and trick them into accessing files on that file system, possibly causing Denial of Service or other unspecified effects (bsc#1101797) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2346-1 Released: Mon Oct 22 09:40:46 2018 Summary: Recommended update for logrotate Type: recommended Severity: moderate References: 1093617 This update for logrotate provides the following fix: - Ensure the HOME environment variable is set to /root when logrotate is started via systemd. This allows mariadb to rotate its logs when the database has a root password defined. (bsc#1093617) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2370-1 Released: Mon Oct 22 14:02:01 2018 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1102310,1104531 This update for aaa_base provides the following fixes: - Let bash.bashrc work even for (m)ksh. (bsc#1104531) - Fix an error at login if java system directory is empty. (bsc#1102310) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2442-1 Released: Wed Oct 24 16:39:09 2018 Summary: Recommended update for python-msrestazure and it's dependencies Type: recommended Severity: moderate References: 1109694 This update for python-adal, python-isodate, python-msrest, python-msrestazure fixes the following issues: python-msrestazure: - Update to version 0.5.0 + Features * Implementation is now using ADAL and not request-oauthlib. This allows more AD scenarios (like federated). * Add additionalInfo parsing for CloudError. * Implement new LRO options of Autorest. * Improve MSI for VM token polling algorithm. * MSIAuthentication now uses IMDS endpoint if available. * MSIAuthentication can be used in any environment that defines MSI_ENDPOINT env variable. * CloudError now includes the 'innererror' attribute to match OData v4. * Introduces ARMPolling implementation of Azure Resource Management LRO. * Add support for WebApp/Functions in MSIAuthentication classes. * Add parse_resource_id(), resource_id(), validate_resource_id() to parse ARM ids. * Retry strategy now n reach 24 seconds (instead of 12 seconds). * Add Managed Service Integrated (MSI) authentication. * Add 'timeout' to ServicePrincipalCredentials and UserPasswordCredentials. * Threads created by AzureOperationPoller have now a name prefixed by 'AzureOperationPoller' to help identify them. * Improve MSIAuthentication to support User Assigned Identity. + Bugfixes * MSIAuthentication regression for KeyVault since IMDS support. * MSIAuthentication should initialize the token attribute on creation. * Fixes refreshToken in UserPassCredentials and AADTokenCredentials. * Fix US government cloud definition. * Reduce max MSI polling time for VM. * IMDS/MSI: Retry on more error codes. * IMDS/MSI: Fix a boundary case on timeout. * Fix parse_resource_id() tool to be case*insensitive to keywords when matching. * Add missing baseclass init call for AdalAuthentication. * Fix LRO result if POST uses AsyncOperation header. * Remove a possible infinite loop with MSIAuthentication. * Fix session obj for cloudmetadata endpoint. * Fix authentication resource node for AzureSatck. * Better detection of AppService with MSIAuthentication. * get_cloud_from_metadata_endpoint incorrect on AzureStack. * get_cloud_from_metadata_endpoint certificate issue. * Fix AttributeError if error JSON from ARM does not follow ODatav4 (as it should). * Fix AttributeError if input JSON is not a dict. * Fix AdalError handling in some scenarios. * Update Azure Gov login endpoint. * Update metadata ARM endpoint parser. + Incompatible changes * Remove unused auth_uri, state, client and token_uri attributes in ServicePrincipalCredentials, UserPassCredentials and AADTokenCredentials. * Remove token caching based on 'keyring'. Token caching should be implemented using ADAL now. * Remove InteractiveCredentials. This class was deprecated and unusable. Use ADAL device code instead. python-msrest - Update to version 0.5.0 + Require python-enum32 and python-typing. + Features * Support additionalProperties and XML. * Deserialize/from_dict now accepts a content*type parameter to parse XML strings. * Add XML support * Add many type hints, and MyPY testing on CI. * HTTP calls are made through a HTTPDriver API. Only implementation is `requests` for now. This driver API is *not* considered stable and you should pin your msrest version if you want to provide a personal implementation. * msrest is now able to keep the 'requests.Session' alive for performance. * All Authentication classes now define `signed_session` and `refresh_session` with an optional `session` parameter. * Disable HTTP log by default (security), add `enable_http_log` to restore it. * Add TopicCredentials for EventGrid client. * Add LROPoller class. This is a customizable LRO engine. * Model now accept kwargs in constructor for future kwargs models. * Add support for additional_properties. * The interpretation of Swagger 2.0 'discriminator' is now lenient. * Add ApiKeyCredentials class. This can be used to support OpenAPI ApiKey feature. * Add CognitiveServicesAuthentication class. Pre*declared ApiKeyCredentials class for Cognitive Services. * Add Configuration.session_configuration_callback to customize the requests.Session if necessary. * Add a flag to Serializer to disable client*side*validation. * Remove 'import requests' from 'exceptions.py' for apps that require fast loading time. * Input is now more lenient. * Model have a 'validate' method to check content constraints. * Model have now new methods for serialize, as_dict, deserialize and from_dict. + Bugfixes * Fix a serialization issue if additional_properties is declared, and 'automatic model' syntax is used ('automatic model' being the ability to pass a dict to command and have the model auto*created). * Better parse empty node and not string types. * Improve 'object' XML parsing. * Fix some XML serialization subtle scenarios. * Fix some complex XML Swagger definitions. * Lower Accept header overwrite logging message. * Fix 'object' type and XML format. * Incorrect milliseconds serialization for some datetime object. * Improve `SDKClient.__exit__` to take exc_details as optional parameters and not required. * Refresh_session should also use the permanent HTTP session if available. * Fix incorrect date parsing if ms precision is over 6 digits. * Fix minimal dependency of isodate. * Fix serialisation from dict if datetime provided. * Date parsing is now compliant with Autorest / Swagger 2.0 specification (less lenient). * Accept to deserialize enum of different type if content string match. * Stop failing on deserialization if enum string is unkwon. Return the string instead. * Do not validate additional_properties. * Improve validation error if expected type is dict, but actual type is not. * Fix additional_properties if Swagger was flatten. * Optional formdata parameters were raising an exception. * 'application/x*www*form*urlencoded' form was sent using 'multipart/form*data'. * Fix regression: accept 'set' as a valid '[str]' * Always log response body. * Improved exception message if error JSON is Odata v4. * Refuse 'str' as a valid '[str]' type. * Better exception handling if input from server is not JSON valid. * Fix regression introduced in msrest 0.4.12 * dict syntax with enum modeled as string and enum used. * Fix regression introduced in msrest 0.4.12 * dict syntax using isodate.Duration. * Better Enum checking. + Internal optimisation * Call that does not return a streamable object are now executed in requests stream mode False (was True whatever the type of the call). This should reduce the number of leaked opened session and allow urllib3 to manage connection pooling more efficiently. Only clients generated with Autorest.Python >= 2.1.31 (not impacted otherwise, fully backward compatible) + Deprecation * Trigger DeprecationWarning for _client.add_header and _client.send_formdata. python-adal - Update to version 1.0.2 python-isodate - Update to version 0.6.0 + Support incomplete month date. + Rely on duck typing when doing duration maths. + Support ':' as separator in fractional time zones. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2454-1 Released: Thu Oct 25 11:19:46 2018 Summary: Recommended update for python-pyOpenSSL Type: recommended Severity: moderate References: 1110435 This update for python-pyOpenSSL fixes the following issues: - Handle duplicate certificate addition using X509_STORE_add_cert so it works after upgrading to openssl 1.1.1. (bsc#1110435) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2463-1 Released: Thu Oct 25 14:48:34 2018 Summary: Recommended update for timezone, timezone-java Type: recommended Severity: moderate References: 1104700,1112310 This update for timezone, timezone-java fixes the following issues: The timezone database was updated to 2018f: - Volgograd moves from +03 to +04 on 2018-10-28. - Fiji ends DST 2019-01-13, not 2019-01-20. - Most of Chile changes DST dates, effective 2019-04-06 (bsc#1104700) - Corrections to past timestamps of DST transitions - Use 'PST' and 'PDT' for Philippine time - minor code changes to zic handling of the TZif format - documentation updates Other bugfixes: - Fixed a zic problem with the 1948-1951 DST transition in Japan (bsc#1112310) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2485-1 Released: Fri Oct 26 12:38:01 2018 Summary: Recommended update for kmod Type: recommended Severity: moderate References: 1112928 This update for kmod provides the following fixes: - Allow 'modprobe -c' print the status of 'allow_unsupported_modules' option. (bsc#1112928) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2486-1 Released: Fri Oct 26 12:38:27 2018 Summary: Recommended update for xfsprogs Type: recommended Severity: moderate References: 1105068 This update for xfsprogs fixes the following issues: - Explictly disable systemd unit files for scrub (bsc#1105068). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2487-1 Released: Fri Oct 26 12:39:07 2018 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1102526 This update for glibc fixes the following issues: - Fix build on aarch64 with binutils newer than 2.30. - Fix year 2039 bug for localtime with 64-bit time_t (bsc#1102526) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2550-1 Released: Wed Oct 31 16:16:56 2018 Summary: Recommended update for timezone, timezone-java Type: recommended Severity: moderate References: 1113554 This update provides the latest time zone definitions (2018g), including the following change: - Morocco switched from +00/+01 to permanent +01 effective 2018-10-28 (bsc#1113554) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2569-1 Released: Fri Nov 2 19:00:18 2018 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1110700 This update for pam fixes the following issues: - Remove limits for nproc from /etc/security/limits.conf (bsc#1110700) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2595-1 Released: Wed Nov 7 11:14:42 2018 Summary: Security update for systemd Type: security Severity: important References: 1089761,1090944,1091677,1093753,1101040,1102908,1105031,1107640,1107941,1109197,1109252,1110445,1112024,1113083,1113632,1113665,1114135,991901,CVE-2018-15686,CVE-2018-15688 This update for systemd fixes the following issues: Security issues fixed: - CVE-2018-15688: A buffer overflow vulnerability in the dhcp6 client of systemd allowed a malicious dhcp6 server to overwrite heap memory in systemd-networkd. (bsc#1113632) - CVE-2018-15686: A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. (bsc#1113665) Non security issues fixed: - dhcp6: split assert_return() to be more debuggable when hit - core: skip unit deserialization and move to the next one when unit_deserialize() fails - core: properly handle deserialization of unknown unit types (#6476) - core: don't create Requires for workdir if 'missing ok' (bsc#1113083) - logind: use manager_get_user_by_pid() where appropriate - logind: rework manager_get_{user|session}_by_pid() a bit - login: fix user@.service case, so we don't allow nested sessions (#8051) (bsc#1112024) - core: be more defensive if we can't determine per-connection socket peer (#7329) - core: introduce systemd.early_core_pattern= kernel cmdline option - core: add missing 'continue' statement - core/mount: fstype may be NULL - journald: don't ship systemd-journald-audit.socket (bsc#1109252) - core: make 'tmpfs' dependencies on swapfs a 'default' dep, not an 'implicit' (bsc#1110445) - mount: make sure we unmount tmpfs mounts before we deactivate swaps (#7076) - detect-virt: do not try to read all of /proc/cpuinfo (bsc#1109197) - emergency: make sure console password agents don't interfere with the emergency shell - man: document that 'nofail' also has an effect on ordering - journald: take leading spaces into account in syslog_parse_identifier - journal: do not remove multiple spaces after identifier in syslog message - syslog: fix segfault in syslog_parse_priority() - journal: fix syslog_parse_identifier() - install: drop left-over debug message (#6913) - Ship systemd-sysv-install helper via the main package This script was part of systemd-sysvinit sub-package but it was wrong since systemd-sysv-install is a script used to redirect enable/disable operations to chkconfig when the unit targets are sysv init scripts. Therefore it's never been a SySV init tool. - Add udev.no-partlabel-links kernel command-line option. This option can be used to disable the generation of the by-partlabel symlinks regardless of the name used. (bsc#1089761) - man: SystemMaxUse= clarification in journald.conf(5). (bsc#1101040) - systemctl: load unit if needed in 'systemctl is-active' (bsc#1102908) - core: don't freeze OnCalendar= timer units when the clock goes back a lot (bsc#1090944) - Enable or disable machines.target according to the presets (bsc#1107941) - cryptsetup: add support for sector-size= option (fate#325697) - nspawn: always use permission mode 555 for /sys (bsc#1107640) - Bugfix for a race condition between daemon-reload and other commands (bsc#1105031) - Fixes an issue where login with root credentials was not possible in init level 5 (bsc#1091677) - Fix an issue where services of type 'notify' harmless DENIED log entries. (bsc#991901) - Does no longer adjust qgroups on existing subvolumes (bsc#1093753) - cryptsetup: add support for sector-size= option (#9936) (fate#325697 bsc#1114135) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2607-1 Released: Wed Nov 7 15:42:48 2018 Summary: Optional update for gcc8 Type: recommended Severity: low References: 1084812,1084842,1087550,1094222,1102564 The GNU Compiler GCC 8 is being added to the Development Tools Module by this update. The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the Basesystem module of SUSE Linux Enterprise 15. Various optimizers have been improved in GCC 8, several of bugs fixed, quite some new warnings added and the error pin-pointing and fix-suggestions have been greatly improved. The GNU Compiler page for GCC 8 contains a summary of all the changes that have happened: https://gcc.gnu.org/gcc-8/changes.html Also changes needed or common pitfalls when porting software are described on: https://gcc.gnu.org/gcc-8/porting_to.html ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2641-1 Released: Mon Nov 12 20:39:30 2018 Summary: Recommended update for nfsidmap Type: recommended Severity: moderate References: 1098217 This update for nfsidmap fixes the following issues: - Improve support for SAMBA with Active Directory. (bsc#1098217) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2742-1 Released: Thu Nov 22 13:28:36 2018 Summary: Recommended update for rpcbind Type: recommended Severity: moderate References: 969953 This update for rpcbind fixes the following issues: - Fix tool stack buffer overflow aborting (bsc#969953) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2825-1 Released: Mon Dec 3 15:35:02 2018 Summary: Security update for pam Type: security Severity: important References: 1115640,CVE-2018-17953 This update for pam fixes the following issue: Security issue fixed: - CVE-2018-17953: Fixed IP address and subnet handling of pam_access.so that was not honoured correctly when a single host was specified (bsc#1115640). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2861-1 Released: Thu Dec 6 14:32:01 2018 Summary: Security update for ncurses Type: security Severity: important References: 1103320,1115929,CVE-2018-19211 This update for ncurses fixes the following issues: Security issue fixed: - CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929). Non-security issue fixed: - Remove scree.xterm from terminfo data base as with this screen uses fallback TERM=screen (bsc#1103320). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2961-1 Released: Mon Dec 17 19:51:40 2018 Summary: Recommended update for psmisc Type: recommended Severity: moderate References: 1098697,1112780 This update for psmisc provides the following fix: - Make the fuser option -m work even with mountinfo. (bsc#1098697) - Support also btrFS entries in mountinfo, that is use stat(2) to determine the device of the mounted subvolume (bsc#1098697, bsc#1112780) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2984-1 Released: Wed Dec 19 11:32:39 2018 Summary: Security update for perl Type: security Severity: moderate References: 1114674,1114675,1114681,1114686,CVE-2018-18311,CVE-2018-18312,CVE-2018-18313,CVE-2018-18314 This update for perl fixes the following issues: Secuirty issues fixed: - CVE-2018-18311: Fixed integer overflow with oversize environment (bsc#1114674). - CVE-2018-18312: Fixed heap-buffer-overflow write / reg_node overrun (bsc#1114675). - CVE-2018-18313: Fixed heap-buffer-overflow read if regex contains \0 chars (bsc#1114681). - CVE-2018-18314: Fixed heap-buffer-overflow in regex (bsc#1114686). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2986-1 Released: Wed Dec 19 13:53:22 2018 Summary: Security update for libnettle Type: security Severity: moderate References: 1118086,CVE-2018-16869 This update for libnettle fixes the following issues: Security issues fixed: - CVE-2018-16869: Fixed a leaky data conversion exposing a manager oracle (bsc#1118086) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:23-1 Released: Mon Jan 7 16:30:33 2019 Summary: Security update for gpg2 Type: security Severity: moderate References: 1120346,CVE-2018-1000858 This update for gpg2 fixes the following issue: Security issue fixed: - CVE-2018-1000858: Fixed a Cross Site Request Forgery(CSRF) vulnerability in dirmngr that can result in Attacker controlled CSRF (bsc#1120346). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:44-1 Released: Tue Jan 8 13:07:32 2019 Summary: Recommended update for acl Type: recommended Severity: low References: 953659 This update for acl fixes the following issues: - test: Add helper library to fake passwd/group files. - quote: Escape literal backslashes. (bsc#953659) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:62-1 Released: Thu Jan 10 20:30:58 2019 Summary: Recommended update for xfsprogs Type: recommended Severity: moderate References: 1119063 This update for xfsprogs fixes the following issues: - Fix root inode's parent when it's bogus for sf directory (xfs repair). (bsc#1119063) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:102-1 Released: Tue Jan 15 18:02:58 2019 Summary: Recommended update for timezone Type: recommended Severity: moderate References: 1120402 This update for timezone fixes the following issues: - Update 2018i: São Tomé and Príncipe switches from +01 to +00 on 2019-01-01. (bsc#1120402) - Update 2018h: Qyzylorda, Kazakhstan moved from +06 to +05 on 2018-12-21 New zone Asia/Qostanay because Qostanay, Kazakhstan didn't move Metlakatla, Alaska observes PST this winter only Guess Morocco will continue to adjust clocks around Ramadan Add predictions for Iran from 2038 through 2090 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:137-1 Released: Mon Jan 21 15:52:45 2019 Summary: Security update for systemd Type: security Severity: important References: 1005023,1045723,1076696,1080919,1093753,1101591,1111498,1114933,1117063,1119971,1120323,CVE-2018-16864,CVE-2018-16865,CVE-2018-16866,CVE-2018-6954 This update for systemd provides the following fixes: Security issues fixed: - CVE-2018-16864, CVE-2018-16865: Fixed two memory corruptions through attacker-controlled alloca()s (bsc#1120323) - CVE-2018-16866: Fixed an information leak in journald (bsc#1120323) - CVE-2018-6954: Fix mishandling of symlinks present in non-terminal path components (bsc#1080919) - Fixed an issue during system startup in relation to encrypted swap disks (bsc#1119971) Non-security issues fixed: - pam_systemd: Fix 'Cannot create session: Already running in a session' (bsc#1111498) - systemd-vconsole-setup: vconsole setup fails, fonts will not be copied to tty (bsc#1114933) - systemd-tmpfiles-setup: symlinked /tmp to /var/tmp breaking multiple units (bsc#1045723) - Fixed installation issue with /etc/machine-id during update (bsc#1117063) - btrfs: qgroups are assigned to parent qgroups after reboot (bsc#1093753) - logind: Stop managing VT switches if no sessions are registered on that VT. (bsc#1101591) - udev: Downgrade message when settting inotify watch up fails. (bsc#1005023) - udev: Ignore the exit code of systemd-detect-virt for memory hot-add. In SLE-12-SP3, 80-hotplug-cpu-mem.rules has a memory hot-add rule that uses systemd-detect-virt to detect non-zvm environment. The systemd-detect-virt returns exit failure code when it detected _none_ state. The exit failure code causes that the hot-add memory block can not be set to online. (bsc#1076696) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:147-1 Released: Wed Jan 23 17:57:31 2019 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1121446 This update for ca-certificates-mozilla fixes the following issues: The package was updated to the 2.30 version of the Mozilla NSS Certificate store. (bsc#1121446) Removed Root CAs: - AC Raiz Certicamara S.A. - Certplus Root CA G1 - Certplus Root CA G2 - OpenTrust Root CA G1 - OpenTrust Root CA G2 - OpenTrust Root CA G3 - Visa eCommerce Root Added Root CAs: - Certigna Root CA (email and server auth) - GTS Root R1 (server auth) - GTS Root R2 (server auth) - GTS Root R3 (server auth) - GTS Root R4 (server auth) - OISTE WISeKey Global Root GC CA (email and server auth) - UCA Extended Validation Root (server auth) - UCA Global G2 Root (email and server auth) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:170-1 Released: Fri Jan 25 13:43:29 2019 Summary: Recommended update for kmod Type: recommended Severity: moderate References: 1118629 This update for kmod fixes the following issues: - Fixes module dependency file corruption on parallel invocation (bsc#1118629). - Allows 'modprobe -c' to print the status of 'allow_unsupported_modules' option. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:215-1 Released: Thu Jan 31 15:59:57 2019 Summary: Security update for python3 Type: security Severity: important References: 1120644,1122191,CVE-2018-20406,CVE-2019-5010 This update for python3 fixes the following issues: Security issue fixed: - CVE-2019-5010: Fixed a denial-of-service vulnerability in the X509 certificate parser (bsc#1122191) - CVE-2018-20406: Fixed a integer overflow via a large LONG_BINPUT (bsc#1120644) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:247-1 Released: Wed Feb 6 07:18:45 2019 Summary: Security update for lua53 Type: security Severity: moderate References: 1123043,CVE-2019-6706 This update for lua53 fixes the following issues: Security issue fixed: - CVE-2019-6706: Fixed a use-after-free bug in the lua_upvaluejoin function of lapi.c (bsc#1123043) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:369-1 Released: Wed Feb 13 14:01:42 2019 Summary: Recommended update for itstool Type: recommended Severity: moderate References: 1065270,1111019 This update for itstool and python-libxml2-python fixes the following issues: Package: itstool - Updated version to support Python3. (bnc#1111019) Package: python-libxml2-python - Fix segfault when parsing invalid data. (bsc#1065270) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:426-1 Released: Mon Feb 18 17:46:55 2019 Summary: Security update for systemd Type: security Severity: important References: 1117025,1121563,1122000,1123333,1123727,1123892,1124153,1125352,CVE-2019-6454 This update for systemd fixes the following issues: - CVE-2019-6454: Overlong DBUS messages could be used to crash systemd (bsc#1125352) - units: make sure initrd-cleanup.service terminates before switching to rootfs (bsc#1123333) - logind: fix bad error propagation - login: log session state 'closing' (as well as New/Removed) - logind: fix borked r check - login: don't remove all devices from PID1 when only one was removed - login: we only allow opening character devices - login: correct comment in session_device_free() - login: remember that fds received from PID1 need to be removed eventually - login: fix FDNAME in call to sd_pid_notify_with_fds() - logind: fd 0 is a valid fd - logind: rework sd_eviocrevoke() - logind: check file is device node before using .st_rdev - logind: use the new FDSTOREREMOVE=1 sd_notify() message (bsc#1124153) - core: add a new sd_notify() message for removing fds from the FD store again - logind: make sure we don't trip up on half-initialized session devices (bsc#1123727) - fd-util: accept that kcmp might fail with EPERM/EACCES - core: Fix use after free case in load_from_path() (bsc#1121563) - core: include Found state in device dumps - device: fix serialization and deserialization of DeviceFound - fix path in btrfs rule (#6844) - assemble multidevice btrfs volumes without external tools (#6607) (bsc#1117025) - Update systemd-system.conf.xml (bsc#1122000) - units: inform user that the default target is started after exiting from rescue or emergency mode - core: free lines after reading them (bsc#1123892) - sd-bus: if we receive an invalid dbus message, ignore and proceeed - automount: don't pass non-blocking pipe to kernel. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:571-1 Released: Thu Mar 7 18:13:46 2019 Summary: Security update for file Type: security Severity: moderate References: 1096974,1096984,1126117,1126118,1126119,CVE-2018-10360,CVE-2019-8905,CVE-2019-8906,CVE-2019-8907 This update for file fixes the following issues: The following security vulnerabilities were addressed: - CVE-2018-10360: Fixed an out-of-bounds read in the function do_core_note in readelf.c, which allowed remote attackers to cause a denial of service (application crash) via a crafted ELF file (bsc#1096974) - CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c (bsc#1126118) - CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf. c (bsc#1126119) - CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c (bsc#1126117) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:641-1 Released: Tue Mar 19 13:17:28 2019 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1112570,1114984,1114993 This update for glibc provides the following fixes: - Fix Haswell CPU string flags. (bsc#1114984) - Fix waiters-after-spinning case. (bsc#1114993) - Do not relocate absolute symbols. (bsc#1112570) - Add glibc-locale-base subpackage containing only C, C.UTF-8 and en_US.UTF-8 locales. (fate#326551) - Add HWCAP_ATOMICS to HWCAP_IMPORTANT (fate#325962) - Remove slow paths from math routines. (fate#325815, fate#325879, fate#325880, fate#325881, fate#325882) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:700-1 Released: Thu Mar 21 19:54:00 2019 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1044840 This update for cyrus-sasl provides the following fix: - Fix a problem that was causing syslog to be polluted with messages 'GSSAPI client step 1'. By server context the connection will be sent to the log function but the client content does not have log level information, so there is no way to stop DEBUG level logs. (bsc#1044840) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:713-1 Released: Fri Mar 22 15:55:05 2019 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1063675,1126590 This update for glibc fixes the following issues: - Add MAP_SYNC from Linux 4.15 (bsc#1126590) - Add MAP_SHARED_VALIDATE from Linux 4.15 (bsc#1126590) - nptl: Preserve error in setxid thread broadcast in coredumps (bsc#1063675, BZ #22153) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:732-1 Released: Mon Mar 25 14:10:04 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1088524,1118364,1128246 This update for aaa_base fixes the following issues: - Restore old position of ssh/sudo source of profile (bsc#1118364). - Update logic for JRE_HOME env variable (bsc#1128246) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:788-1 Released: Thu Mar 28 11:55:06 2019 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1119687,CVE-2018-20346 This update for sqlite3 to version 3.27.2 fixes the following issue: Security issue fixed: - CVE-2018-20346: Fixed a remote code execution vulnerability in FTS3 (Magellan) (bsc#1119687). Release notes: https://www.sqlite.org/releaselog/3_27_2.html ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:790-1 Released: Thu Mar 28 12:06:17 2019 Summary: Recommended update for timezone Type: recommended Severity: moderate References: 1130557 This update for timezone fixes the following issues: timezone was updated 2019a: * Palestine 'springs forward' on 2019-03-30 instead of 2019-03-23 * Metlakatla 'fell back' to rejoin Alaska Time on 2019-01-20 at 02:00 * Israel observed DST in 1980 (08-02/09-13) and 1984 (05-05/08-25) * zic now has an -r option to limit the time range of output data ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:791-1 Released: Thu Mar 28 12:06:50 2019 Summary: Security update for libnettle Type: recommended Severity: moderate References: 1129598 This update for libnettle to version 3.4.1 fixes the following issues: Issues addressed and new features: - Updated to 3.4.1 (fate#327114 and bsc#1129598) - Fixed a missing break statements in the parsing of PEM input files in pkcs1-conv. - Fixed a link error on the pss-mgf1-test which was affecting builds without public key support. - All functions using RSA private keys are now side-channel silent. This applies both to the bignum calculations, which now use GMP's mpn_sec_* family of functions, and the processing of PKCS#1 padding needed for RSA decryption. - Changes in behavior: The functions rsa_decrypt and rsa_decrypt_tr may now clobber all of the provided message buffer, independent of the actual message length. They are side-channel silent, in that branches and memory accesses don't depend on the validity or length of the message. Side-channel leakage from the caller's use of length and return value may still provide an oracle useable for a Bleichenbacher-style chosen ciphertext attack. Which is why the new function rsa_sec_decrypt is recommended. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:858-1 Released: Wed Apr 3 15:50:37 2019 Summary: Recommended update for libtirpc Type: recommended Severity: moderate References: 1120689,1126096 This update for libtirpc fixes the following issues: - Fix a yp_bind_client_create_v3: RPC: Unknown host error (bsc#1126096). - add an option to enforce connection via protocol version 2 first (bsc#1120689). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:903-1 Released: Mon Apr 8 15:41:44 2019 Summary: Security update for glibc Type: security Severity: moderate References: 1100396,1122729,1130045,CVE-2016-10739 This update for glibc fixes the following issues: Security issue fixed: - CVE-2016-10739: Fixed an improper implementation of getaddrinfo function which could allow applications to incorrectly assume that had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings (bsc#1122729). Other issue fixed: - Fixed an issue where pthread_mutex_trylock did not use a correct order of instructions while maintained the robust mutex list due to missing compiler barriers (bsc#1130045). - Added new Japanese Era name support (bsc#1100396). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:966-1 Released: Wed Apr 17 12:20:13 2019 Summary: Recommended update for python-rpm-macros Type: recommended Severity: moderate References: 1128323 This update for python-rpm-macros fixes the following issues: The Python RPM macros were updated to version 20190408.32abece, fixing bugs (bsc#1128323) * Add missing $ expansion on the pytest call * Rewrite pytest and pytest_arch into Lua macros with multiple arguments. * We should preserve existing PYTHONPATH. * Add --ignore to pytest calls to ignore build directories. * Actually make pytest into function to capture arguments as well * Add pytest definitions. * Use upstream-recommended %{_rpmconfigdir}/macros.d directory for the rpm macros. * Fix an issue with epoch printing having too many \ * add epoch while printing 'Provides:' ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:971-1 Released: Wed Apr 17 14:43:26 2019 Summary: Security update for python3 Type: security Severity: important References: 1129346,CVE-2019-9636 This update for python3 fixes the following issues: Security issue fixed: - CVE-2019-9636: Fixed an information disclosure because of incorrect handling of Unicode encoding during NFKC normalization (bsc#1129346). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1002-1 Released: Wed Apr 24 10:13:34 2019 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1110304,1129576 This update for zlib fixes the following issues: - Fixes a segmentation fault error (bsc#1110304, bsc#1129576) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1040-1 Released: Thu Apr 25 17:09:21 2019 Summary: Security update for samba Type: security Severity: important References: 1114407,1124223,1125410,1126377,1131060,1131686,CVE-2019-3880 This update for samba fixes the following issues: Security issue fixed: - CVE-2019-3880: Fixed a path/symlink traversal vulnerability, which allowed an unprivileged user to save registry files outside a share (bsc#1131060). ldb was updated to version 1.2.4 (bsc#1125410 bsc#1131686): - Out of bound read in ldb_wildcard_compare - Hold at most 10 outstanding paged result cookies - Put 'results_store' into a doubly linked list - Refuse to build Samba against a newer minor version of ldb Non-security issues fixed: - Fixed update-apparmor-samba-profile script after apparmor switched to using named profiles (bsc#1126377). - Abide to the load_printers parameter in smb.conf (bsc#1124223). - Provide the 32bit samba winbind PAM module and its dependend 32bit libraries. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1127-1 Released: Thu May 2 09:39:24 2019 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1130325,1130326,CVE-2019-9936,CVE-2019-9937 This update for sqlite3 to version 3.28.0 fixes the following issues: Security issues fixed: - CVE-2019-9936: Fixed a heap-based buffer over-read, when running fts5 prefix queries inside transaction (bsc#1130326). - CVE-2019-9937: Fixed a denial of service related to interleaving reads and writes in a single transaction with an fts5 virtual table (bsc#1130325). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1156-1 Released: Mon May 6 13:46:07 2019 Summary: Security update for python-Jinja2 Type: security Severity: important References: 1125815,1132174,1132323,CVE-2016-10745,CVE-2019-10906,CVE-2019-8341 This update for python-Jinja2 to version 2.10.1 fixes the following issues: Security issues fixed: - CVE-2019-8341: Fixed a command injection in from_string() (bsc#1125815). - CVE-2019-10906: Fixed a sandbox escape due to information disclosure via str.format (bsc#1132323). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1206-1 Released: Fri May 10 14:01:55 2019 Summary: Security update for bzip2 Type: security Severity: low References: 985657,CVE-2016-3189 This update for bzip2 fixes the following issues: Security issue fixed: - CVE-2016-3189: Fixed a use-after-free in bzip2recover (bsc#985657). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1221-1 Released: Mon May 13 13:28:42 2019 Summary: Security update for libxslt Type: security Severity: moderate References: 1132160,CVE-2019-11068 This update for libxslt fixes the following issues: Security issue fixed: - CVE-2019-11068: Fixed a protection mechanism bypass where callers of xsltCheckRead() and xsltCheckWrite() would permit access upon receiving an error (bsc#1132160). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1312-1 Released: Wed May 22 12:19:12 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1096191 This update for aaa_base fixes the following issue: * Shell detection in /etc/profile and /etc/bash.bashrc was broken within AppArmor-confined containers (bsc#1096191) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1352-1 Released: Fri May 24 14:41:44 2019 Summary: Security update for python3 Type: security Severity: moderate References: 1130840,1133452,CVE-2019-9947 This update for python3 to version 3.6.8 fixes the following issues: Security issue fixed: - CVE-2019-9947: Fixed an issue in urllib2 which allowed CRLF injection if the attacker controls a url parameter (bsc#1130840). Non-security issue fixed: - Fixed broken debuginfo packages by switching off LTO and PGO optimization (bsc#1133452). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1364-1 Released: Tue May 28 10:51:38 2019 Summary: Security update for systemd Type: security Severity: moderate References: 1036463,1121563,1124122,1125352,1125604,1126056,1127557,1130230,1132348,1132400,1132721,1133506,1133509,CVE-2019-3842,CVE-2019-3843,CVE-2019-3844,CVE-2019-6454,SLE-5933 This update for systemd fixes the following issues: Security issues fixed: - CVE-2019-3842: Fixed a privilege escalation in pam_systemd which could be exploited by a local user (bsc#1132348). - CVE-2019-6454: Fixed a denial of service via crafted D-Bus message (bsc#1125352). - CVE-2019-3843, CVE-2019-3844: Fixed a privilege escalation where services with DynamicUser could gain new privileges or create SUID/SGID binaries (bsc#1133506, bsc#1133509). Non-security issued fixed: - logind: fix killing of scopes (bsc#1125604) - namespace: make MountFlags=shared work again (bsc#1124122) - rules: load drivers only on 'add' events (bsc#1126056) - sysctl: Don't pass null directive argument to '%s' (bsc#1121563) - systemd-coredump: generate a stack trace of all core dumps and log into the journal (jsc#SLE-5933) - udevd: notify when max number value of children is reached only once per batch of events (bsc#1132400) - sd-bus: bump message queue size again (bsc#1132721) - Do not automatically online memory on s390x (bsc#1127557) - Removed sg.conf (bsc#1036463) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1368-1 Released: Tue May 28 13:15:38 2019 Summary: Recommended update for sles12sp3-docker-image, sles12sp4-image, system-user-root Type: security Severity: important References: 1134524,CVE-2019-5021 This update for sles12sp3-docker-image, sles12sp4-image, system-user-root fixes the following issues: - CVE-2019-5021: Include an invalidated root password by default, not an empty one (bsc#1134524) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1372-1 Released: Tue May 28 16:53:28 2019 Summary: Security update for libtasn1 Type: security Severity: moderate References: 1105435,CVE-2018-1000654 This update for libtasn1 fixes the following issues: Security issue fixed: - CVE-2018-1000654: Fixed a denial of service in the asn1 parser (bsc#1105435). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1484-1 Released: Thu Jun 13 07:46:46 2019 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1128383 This update for e2fsprogs fixes the following issues: - Check and fix tails of all bitmap blocks (bsc#1128383) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1486-1 Released: Thu Jun 13 09:40:24 2019 Summary: Security update for elfutils Type: security Severity: moderate References: 1033084,1033085,1033086,1033087,1033088,1033089,1033090,1106390,1107066,1107067,1111973,1112723,1112726,1123685,1125007,CVE-2017-7607,CVE-2017-7608,CVE-2017-7609,CVE-2017-7610,CVE-2017-7611,CVE-2017-7612,CVE-2017-7613,CVE-2018-16062,CVE-2018-16402,CVE-2018-16403,CVE-2018-18310,CVE-2018-18520,CVE-2018-18521,CVE-2019-7150,CVE-2019-7665 This update for elfutils fixes the following issues: Security issues fixed: - CVE-2017-7607: Fixed a heap-based buffer overflow in handle_gnu_hash (bsc#1033084) - CVE-2017-7608: Fixed a heap-based buffer overflow in ebl_object_note_type_name() (bsc#1033085) - CVE-2017-7609: Fixed a memory allocation failure in __libelf_decompress (bsc#1033086) - CVE-2017-7610: Fixed a heap-based buffer overflow in check_group (bsc#1033087) - CVE-2017-7611: Fixed a denial of service via a crafted ELF file (bsc#1033088) - CVE-2017-7612: Fixed a denial of service in check_sysv_hash() via a crafted ELF file (bsc#1033089) - CVE-2017-7613: Fixed denial of service caused by the missing validation of the number of sections and the number of segments in a crafted ELF file (bsc#1033090) - CVE-2018-16062: Fixed a heap-buffer overflow in /elfutils/libdw/dwarf_getaranges.c:156 (bsc#1106390) - CVE-2018-16402: Fixed a denial of service/double free on an attempt to decompress the same section twice (bsc#1107066) - CVE-2018-16403: Fixed a heap buffer overflow in readelf (bsc#1107067) - CVE-2018-18310: Fixed an invalid address read problem in dwfl_segment_report_module.c (bsc#1111973) - CVE-2018-18520: Fixed bad handling of ar files inside are files (bsc#1112726) - CVE-2018-18521: Fixed a denial of service vulnerabilities in the function arlib_add_symbols() used by eu-ranlib (bsc#1112723) - CVE-2019-7150: dwfl_segment_report_module doesn't check whether the dyn data read from core file is truncated (bsc#1123685) - CVE-2019-7665: NT_PLATFORM core file note should be a zero terminated string (bsc#1125007) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1487-1 Released: Thu Jun 13 09:40:56 2019 Summary: Security update for python-requests Type: security Severity: moderate References: 1111622,CVE-2018-18074 This update for python-requests to version 2.20.1 fixes the following issues: Security issue fixed: - CVE-2018-18074: Fixed an information disclosure vulnerability of the HTTP Authorization header (bsc#1111622). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1595-1 Released: Fri Jun 21 10:17:44 2019 Summary: Security update for dbus-1 Type: security Severity: important References: 1137832,CVE-2019-12749 This update for dbus-1 fixes the following issues: Security issue fixed: - CVE-2019-12749: Fixed an implementation flaw in DBUS_COOKIE_SHA1 which could have allowed local attackers to bypass authentication (bsc#1137832). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1616-1 Released: Fri Jun 21 11:04:39 2019 Summary: Recommended update for rpcbind Type: recommended Severity: moderate References: 1134659 This update for rpcbind fixes the following issues: - Change rpcbind locking path from /var/run/rpcbind.lock to /run/rpcbind.lock. (bsc#1134659) - Change the order of socket/service in the %postun scriptlet to avoid an error from rpcbind.socket when rpcbind is running during package update. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1627-1 Released: Fri Jun 21 11:15:11 2019 Summary: Recommended update for xfsprogs Type: recommended Severity: moderate References: 1073421,1122271,1129859 This update for xfsprogs fixes the following issues: - xfs_repair: will now allow '/' in attribute names (bsc#1122271) - xfs_repair: will now allow zeroing of corrupt log (bsc#1073421) - enabdled offline (unmounted) filesystem geometry queries (bsc#1129859) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1631-1 Released: Fri Jun 21 11:17:21 2019 Summary: Recommended update for xz Type: recommended Severity: low References: 1135709 This update for xz fixes the following issues: Add SUSE-Public-Domain licence as some parts of xz utils (liblzma, xz, xzdec, lzmadec, documentation, translated messages, tests, debug, extra directory) are in public domain licence [bsc#1135709] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1635-1 Released: Fri Jun 21 12:45:53 2019 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1134217 This update for krb5 provides the following fix: - Move LDAP schema files from /usr/share/doc/packages/krb5 to /usr/share/kerberos/ldap. (bsc#1134217) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1700-1 Released: Tue Jun 25 13:19:21 2019 Summary: Security update for libssh Type: recommended Severity: moderate References: 1134193 This update for libssh fixes the following issue: Issue addressed: - Added support for new AES-GCM encryption types (bsc#1134193). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1808-1 Released: Wed Jul 10 13:16:29 2019 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1133808 This update for libgcrypt fixes the following issues: - Fixed redundant fips tests in some situations causing sudo to stop working when pam-kwallet is installed. bsc#1133808 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1815-1 Released: Thu Jul 11 07:47:55 2019 Summary: Recommended update for timezone Type: recommended Severity: moderate References: 1140016 This update for timezone fixes the following issues: - Timezone update 2019b. (bsc#1140016): - Brazil no longer observes DST. - 'zic -b slim' outputs smaller TZif files. - Palestine's 2019 spring-forward transition was on 03-29, not 03-30. - Add info about the Crimea situation. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1835-1 Released: Fri Jul 12 18:06:31 2019 Summary: Security update for expat Type: security Severity: moderate References: 1139937,CVE-2018-20843 This update for expat fixes the following issues: Security issue fixed: - CVE-2018-20843: Fixed a denial of service triggered by high resource consumption in the XML parser when XML names contain a large amount of colons (bsc#1139937). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1846-1 Released: Mon Jul 15 11:36:33 2019 Summary: Security update for bzip2 Type: security Severity: important References: 1139083,CVE-2019-12900 This update for bzip2 fixes the following issues: Security issue fixed: - CVE-2019-12900: Fixed an out-of-bounds write in decompress.c with many selectors (bsc#1139083). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1853-1 Released: Mon Jul 15 16:03:36 2019 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1107617,1137053 This update for systemd fixes the following issues: - conf-parse: remove 4K line length limit (bsc#1137053) - udevd: change the default value of udev.children-max (again) (bsc#1107617) - meson: stop creating enablement symlinks in /etc during installation (sequel) - Fixed build for openSUSE Leap 15+ - Make sure we don't ship any static enablement symlinks in /etc Those symlinks must only be created by the presets. There are no changes in practice since systemd/udev doesn't ship such symlinks in /etc but let's make sure no future changes will introduce new ones by mistake. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1877-1 Released: Thu Jul 18 11:31:46 2019 Summary: Security update for glibc Type: security Severity: moderate References: 1117993,1123710,1127223,1127308,1131330,CVE-2009-5155,CVE-2019-9169 This update for glibc fixes the following issues: Security issues fixed: - CVE-2019-9169: Fixed a heap-based buffer over-read via an attempted case-insensitive regular-expression match (bsc#1127308). - CVE-2009-5155: Fixed a denial of service in parse_reg_exp() (bsc#1127223). Non-security issues fixed: - Does no longer compress debug sections in crt*.o files (bsc#1123710) - Fixes a concurrency problem in ldconfig (bsc#1117993) - Fixes a race condition in pthread_mutex_lock while promoting to PTHREAD_MUTEX_ELISION_NP (bsc#1131330) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1971-1 Released: Thu Jul 25 14:58:52 2019 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1138939,CVE-2019-12904 This update for libgcrypt fixes the following issues: Security issue fixed: - CVE-2019-12904: Fixed a flush-and-reload side-channel attack in the AES implementation (bsc#1138939). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1994-1 Released: Fri Jul 26 16:12:05 2019 Summary: Recommended update for libxml2 Type: recommended Severity: moderate References: 1135123 This update for libxml2 fixes the following issues: - Added a new configurable variable XPATH_DEFAULT_MAX_NODESET_LENGTH to avoid nodeset limit when processing large XML files. (bsc#1135123) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2004-1 Released: Mon Jul 29 13:01:59 2019 Summary: Security update for bzip2 Type: security Severity: important References: 1139083,CVE-2019-12900 This update for bzip2 fixes the following issues: - Fixed a regression with the fix for CVE-2019-12900, which caused incompatibilities with files that used many selectors (bsc#1139083). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2006-1 Released: Mon Jul 29 13:02:49 2019 Summary: Security update for gpg2 Type: security Severity: important References: 1124847,1141093,CVE-2019-13050 This update for gpg2 fixes the following issues: Security issue fixed: - CVE-2019-13050: Fixed a denial of service attacks via big keys (bsc#1141093). Non-security issue fixed: - Allow coredumps in X11 desktop sessions (bsc#1124847) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2050-1 Released: Tue Aug 6 09:42:37 2019 Summary: Security update for python3 Type: security Severity: important References: 1094814,1138459,1141853,CVE-2018-20852,CVE-2019-10160 This update for python3 fixes the following issues: Security issue fixed: - CVE-2019-10160: Fixed a regression in urlparse() and urlsplit() introduced by the fix for CVE-2019-9636 (bsc#1138459). - CVE-2018-20852: Fixed an information leak where cookies could be send to the wrong server because of incorrect domain validation (bsc#1141853). Non-security issue fixed: - Fixed an issue where the SIGINT signal was ignored or not handled (bsc#1094814). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2097-1 Released: Fri Aug 9 09:31:17 2019 Summary: Recommended update for libgcrypt Type: recommended Severity: important References: 1097073 This update for libgcrypt fixes the following issues: - Fixed a regression where system were unable to boot in fips mode, caused by an incomplete implementation of previous change (bsc#1097073). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2134-1 Released: Wed Aug 14 11:54:56 2019 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1136717,1137624,1141059,SLE-5807 This update for zlib fixes the following issues: - Update the s390 patchset. (bsc#1137624) - Tweak zlib-power8 to have type of crc32_vpmsum conform to usage. (bsc#1141059) - Use FAT LTO objects in order to provide proper static library. - Do not enable the previous patchset on s390 but just s390x. (bsc#1137624) - Add patchset for s390 improvements. (jsc#SLE-5807, bsc#1136717) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2188-1 Released: Wed Aug 21 10:10:29 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1140647 This update for aaa_base fixes the following issues: - Make systemd detection cgroup oblivious. (bsc#1140647) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2218-1 Released: Mon Aug 26 11:29:57 2019 Summary: Recommended update for pinentry Type: recommended Severity: moderate References: 1141883 This update for pinentry fixes the following issues: - Fix a dangling pointer in qt/main.cpp that caused crashes. (bsc#1141883) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2241-1 Released: Wed Aug 28 14:58:49 2019 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1144169 This update for ca-certificates-mozilla fixes the following issues: ca-certificates-mozillawas updated to 2.34 state of the Mozilla NSS Certificate store (bsc#1144169) Removed CAs: - Certinomis - Root CA Includes new root CAs from the 2.32 version: - emSign ECC Root CA - C3 (email and server auth) - emSign ECC Root CA - G3 (email and server auth) - emSign Root CA - C1 (email and server auth) - emSign Root CA - G1 (email and server auth) - Hongkong Post Root CA 3 (server auth) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2306-1 Released: Thu Sep 5 14:39:23 2019 Summary: Recommended update for parted Type: recommended Severity: moderate References: 1082318,1136245 This update for parted fixes the following issues: - Included several minor bug fixes - for more details please refer to this rpm's changelog (bsc#1136245) - Installs the license file in the correct directory (bsc#1082318) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2307-1 Released: Thu Sep 5 14:45:08 2019 Summary: Security update for util-linux and shadow Type: security Severity: moderate References: 1081947,1082293,1085196,1106214,1121197,1122417,1125886,1127701,1135534,1135708,1141113,353876 This update for util-linux and shadow fixes the following issues: util-linux: - Fixed an issue where PATH settings in /etc/default/su being ignored (bsc#1121197) - Prevent outdated pam files (bsc#1082293). - De-duplicate fstrim -A properly (bsc#1127701). - Do not trim read-only volumes (bsc#1106214). - Integrate pam_keyinit pam module to login (bsc#1081947). - Perform one-time reset of /etc/default/su (bsc#1121197). - Fix problems in reading of login.defs values (bsc#1121197) - libmount: To prevent incorrect behavior, recognize more pseudofs and netfs (bsc#1122417). - raw.service: Add RemainAfterExit=yes (bsc#1135534). - agetty: Return previous response of agetty for special characters (bsc#1085196, bsc#1125886) - libmount: print a blacklist hint for 'unknown filesystem type' (jsc#SUSE-4085, fate#326832) - Fix /etc/default/su comments and create /etc/default/runuser (bsc#1121197). shadow: - Fixed an issue where PATH settings in /etc/default/su being ignored (bsc#1121197) - Fix segfault in useradd during setting password inactivity period. (bsc#1141113) - Hardening for su wrappers (bsc#353876) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2332-1 Released: Mon Sep 9 10:17:16 2019 Summary: Security update for python-urllib3 Type: security Severity: moderate References: 1129071,1132663,1132900,CVE-2019-11236,CVE-2019-11324,CVE-2019-9740 This update for python-urllib3 fixes the following issues: Security issues fixed: - CVE-2019-9740: Fixed CRLF injection issue (bsc#1129071). - CVE-2019-11324: Fixed invalid CA certificat verification (bsc#1132900). - CVE-2019-11236: Fixed CRLF injection via request parameter (bsc#1132663). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2361-1 Released: Thu Sep 12 07:54:54 2019 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1081947,1144047 This update for krb5 contains the following fixes: - Integrate pam_keyinit PAM module, ksu-pam.d. (bsc#1081947) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2365-1 Released: Thu Sep 12 11:23:31 2019 Summary: Security update for python-Werkzeug Type: security Severity: moderate References: 1145383,CVE-2019-14806 This update for python-Werkzeug fixes the following issues: Security issue fixed: - CVE-2019-14806: Fixed the development server in Docker, the debugger security pin is now unique per container (bsc#1145383). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2395-1 Released: Wed Sep 18 08:31:38 2019 Summary: Security update for openldap2 Type: security Severity: moderate References: 1073313,1111388,1114845,1143194,1143273,CVE-2017-17740,CVE-2019-13057,CVE-2019-13565 This update for openldap2 fixes the following issues: Security issue fixed: - CVE-2019-13565: Fixed an authentication bypass when using SASL authentication and session encryption (bsc#1143194). - CVE-2019-13057: Fixed an issue with delegated database admin privileges (bsc#1143273). - CVE-2017-17740: When both the nops module and the member of overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. (bsc#1073313) Non-security issues fixed: - Fixed broken shebang line in openldap_update_modules_path.sh (bsc#1114845). - Create files in /var/lib/ldap/ during initial start to allow for transactional updates (bsc#1111388) - Fixed incorrect post script call causing tmpfiles creation not to be run (bsc#1111388). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2422-1 Released: Fri Sep 20 16:36:43 2019 Summary: Recommended update for python-urllib3 Type: recommended Severity: moderate References: 1150895 This update for python-urllib3 fixes the following issues: - Add missing dependency on python-six (bsc#1150895) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2423-1 Released: Fri Sep 20 16:41:45 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1146866,SLE-9132 This update for aaa_base fixes the following issues: Added sysctl.d/51-network.conf to tighten network security (bsc#1146866) (jira#SLE-9132) Following settings have been tightened (and set to 0): - net.ipv4.conf.all.accept_redirects - net.ipv4.conf.default.accept_redirects - net.ipv4.conf.default.accept_source_route - net.ipv6.conf.all.accept_redirects - net.ipv6.conf.default.accept_redirects ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2429-1 Released: Mon Sep 23 09:28:40 2019 Summary: Security update for expat Type: security Severity: moderate References: 1149429,CVE-2019-15903 This update for expat fixes the following issues: Security issues fixed: - CVE-2019-15903: Fixed heap-based buffer over-read caused by crafted XML input. (bsc#1149429) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2019:2483-1 Released: Fri Sep 27 14:16:23 2019 Summary: Optional update for python3-google-api-python-client, python3-httplib2, python3-oauth2client, and python3-uritemplate. Type: optional Severity: low References: 1088358 This update ships python3-google-api-python-client, python3-httplib2, python3-oauth2client, and python3-uritemplate for the SUSE Linux Enterprise Public Cloud 15 module. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2517-1 Released: Wed Oct 2 10:49:20 2019 Summary: Security update for libseccomp Type: security Severity: moderate References: 1082318,1128828,1142614,CVE-2019-9893 This update for libseccomp fixes the following issues: Security issues fixed: - CVE-2019-9893: An incorrect generation of syscall filters in libseccomp was fixed (bsc#1128828) libseccomp was updated to new upstream release 2.4.1: - Fix a BPF generation bug where the optimizer mistakenly identified duplicate BPF code blocks. libseccomp was updated to 2.4.0 (bsc#1128828 CVE-2019-9893): - Update the syscall table for Linux v5.0-rc5 - Added support for the SCMP_ACT_KILL_PROCESS action - Added support for the SCMP_ACT_LOG action and SCMP_FLTATR_CTL_LOG attribute - Added explicit 32-bit (SCMP_AX_32(...)) and 64-bit (SCMP_AX_64(...)) argument comparison macros to help protect against unexpected sign extension - Added support for the parisc and parisc64 architectures - Added the ability to query and set the libseccomp API level via seccomp_api_get(3) and seccomp_api_set(3) - Return -EDOM on an endian mismatch when adding an architecture to a filter - Renumber the pseudo syscall number for subpage_prot() so it no longer conflicts with spu_run() - Fix PFC generation when a syscall is prioritized, but no rule exists - Numerous fixes to the seccomp-bpf filter generation code - Switch our internal hashing function to jhash/Lookup3 to MurmurHash3 - Numerous tests added to the included test suite, coverage now at ~92% - Update our Travis CI configuration to use Ubuntu 16.04 - Numerous documentation fixes and updates libseccomp was updated to release 2.3.3: - Updated the syscall table for Linux v4.15-rc7 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2533-1 Released: Thu Oct 3 15:02:50 2019 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1150137,CVE-2019-16168 This update for sqlite3 fixes the following issues: Security issue fixed: - CVE-2019-16168: Fixed improper validation of sqlite_stat1 field that could lead to denial of service (bsc#1150137). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2647-1 Released: Fri Oct 11 17:12:06 2019 Summary: Recommended update for python-pyOpenSSL Type: recommended Severity: moderate References: 1149792 This update for python-pyOpenSSL fixes the following issues: - Adds compatibility for openSSL 1.1.1d (bsc#1149792) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2656-1 Released: Mon Oct 14 17:02:24 2019 Summary: Security update for sudo Type: security Severity: important References: 1153674,CVE-2019-14287 This update for sudo fixes the following issue: - CVE-2019-14287: Fixed an issue where a user with sudo privileges that allowed them to run commands with an arbitrary uid, could run commands as root, despite being forbidden to do so in sudoers (bsc#1153674). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2676-1 Released: Tue Oct 15 21:06:54 2019 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1145716,1152101,CVE-2019-5094 This update for e2fsprogs fixes the following issues: Security issue fixed: - CVE-2019-5094: Fixed an arbitrary code execution via specially crafted ext4 file systems. (bsc#1152101) Non-security issue fixed: - libext2fs: Call fsync(2) to clear stale errors for a new a unix I/O channel. (bsc#1145716) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2693-1 Released: Wed Oct 16 16:43:30 2019 Summary: Recommended update for rpcbind Type: recommended Severity: moderate References: 1142343 This update for rpcbind fixes the following issues: - Return correct IP address with multiple ip addresses in the same subnet. (bsc#1142343) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2730-1 Released: Mon Oct 21 16:04:57 2019 Summary: Security update for procps Type: security Severity: important References: 1092100,1121753,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126 This update for procps fixes the following issues: procps was updated to 3.3.15. (bsc#1092100) Following security issues were fixed: - CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100). - CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps maped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100). - CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100). - CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100). - CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100). Also this non-security issue was fixed: - Fix CPU summary showing old data. (bsc#1121753) The update to 3.3.15 contains the following fixes: * library: Increment to 8:0:1 No removals, no new functions Changes: slab and pid structures * library: Just check for SIGLOST and don't delete it * library: Fix integer overflow and LPE in file2strvec CVE-2018-1124 * library: Use size_t for alloc functions CVE-2018-1126 * library: Increase comm size to 64 * pgrep: Fix stack-based buffer overflow CVE-2018-1125 * pgrep: Remove >15 warning as comm can be longer * ps: Fix buffer overflow in output buffer, causing DOS CVE-2018-1123 * ps: Increase command name selection field to 64 * top: Don't use cwd for location of config CVE-2018-1122 * update translations * library: build on non-glibc systems * free: fix scaling on 32-bit systems * Revert 'Support running with child namespaces' * library: Increment to 7:0:1 No changes, no removals New fuctions: numa_init, numa_max_node, numa_node_of_cpu, numa_uninit, xalloc_err_handler * doc: Document I idle state in ps.1 and top.1 * free: fix some of the SI multiples * kill: -l space between name parses correctly * library: dont use vm_min_free on non Linux * library: don't strip off wchan prefixes (ps & top) * pgrep: warn about 15+ char name only if -f not used * pgrep/pkill: only match in same namespace by default * pidof: specify separator between pids * pkill: Return 0 only if we can kill process * pmap: fix duplicate output line under '-x' option * ps: avoid eip/esp address truncations * ps: recognizes SCHED_DEADLINE as valid CPU scheduler * ps: display NUMA node under which a thread ran * ps: Add seconds display for cputime and time * ps: Add LUID field * sysctl: Permit empty string for value * sysctl: Don't segv when file not available * sysctl: Read and write large buffers * top: add config file support for XDG specification * top: eliminated minor libnuma memory leak * top: show fewer memory decimal places (configurable) * top: provide command line switch for memory scaling * top: provide command line switch for CPU States * top: provides more accurate cpu usage at startup * top: display NUMA node under which a thread ran * top: fix argument parsing quirk resulting in SEGV * top: delay interval accepts non-locale radix point * top: address a wishlist man page NLS suggestion * top: fix potential distortion in 'Mem' graph display * top: provide proper multi-byte string handling * top: startup defaults are fully customizable * watch: define HOST_NAME_MAX where not defined * vmstat: Fix alignment for disk partition format * watch: Support ANSI 39,49 reset sequences ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2757-1 Released: Wed Oct 23 17:21:17 2019 Summary: Security update for lz4 Type: security Severity: moderate References: 1153936,CVE-2019-17543 This update for lz4 fixes the following issues: - CVE-2019-17543: Fixed a heap-based buffer overflow in LZ4_write32 (bsc#1153936). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2762-1 Released: Thu Oct 24 07:08:44 2019 Summary: Recommended update for timezone Type: recommended Severity: moderate References: 1150451 This update for timezone fixes the following issues: - Fiji observes DST from 2019-11-10 to 2020-01-12. - Norfolk Island starts observing Australian-style DST. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2779-1 Released: Thu Oct 24 16:57:42 2019 Summary: Security update for binutils Type: security Severity: moderate References: 1109412,1109413,1109414,1111996,1112534,1112535,1113247,1113252,1113255,1116827,1118644,1118830,1118831,1120640,1121034,1121035,1121056,1133131,1133232,1141913,1142772,1152590,1154016,1154025,CVE-2018-1000876,CVE-2018-17358,CVE-2018-17359,CVE-2018-17360,CVE-2018-17985,CVE-2018-18309,CVE-2018-18483,CVE-2018-18484,CVE-2018-18605,CVE-2018-18606,CVE-2018-18607,CVE-2018-19931,CVE-2018-19932,CVE-2018-20623,CVE-2018-20651,CVE-2018-20671,CVE-2018-6323,CVE-2018-6543,CVE-2018-6759,CVE-2018-6872,CVE-2018-7208,CVE-2018-7568,CVE-2018-7569,CVE-2018-7570,CVE-2018-7642,CVE-2018-7643,CVE-2018-8945,CVE-2019-1010180,ECO-368,SLE-6206 This update for binutils fixes the following issues: binutils was updated to current 2.32 branch [jsc#ECO-368]. Includes following security fixes: - CVE-2018-17358: Fixed invalid memory access in _bfd_stab_section_find_nearest_line in syms.c (bsc#1109412) - CVE-2018-17359: Fixed invalid memory access exists in bfd_zalloc in opncls.c (bsc#1109413) - CVE-2018-17360: Fixed heap-based buffer over-read in bfd_getl32 in libbfd.c (bsc#1109414) - CVE-2018-17985: Fixed a stack consumption problem caused by the cplus_demangle_type (bsc#1116827) - CVE-2018-18309: Fixed an invalid memory address dereference was discovered in read_reloc in reloc.c (bsc#1111996) - CVE-2018-18483: Fixed get_count function provided by libiberty that allowed attackers to cause a denial of service or other unspecified impact (bsc#1112535) - CVE-2018-18484: Fixed stack exhaustion in the C++ demangling functions provided by libiberty, caused by recursive stack frames (bsc#1112534) - CVE-2018-18605: Fixed a heap-based buffer over-read issue was discovered in the function sec_merge_hash_lookup causing a denial of service (bsc#1113255) - CVE-2018-18606: Fixed a NULL pointer dereference in _bfd_add_merge_section when attempting to merge sections with large alignments, causing denial of service (bsc#1113252) - CVE-2018-18607: Fixed a NULL pointer dereference in elf_link_input_bfd when used for finding STT_TLS symbols without any TLS section, causing denial of service (bsc#1113247) - CVE-2018-19931: Fixed a heap-based buffer overflow in bfd_elf32_swap_phdr_in in elfcode.h (bsc#1118831) - CVE-2018-19932: Fixed an integer overflow and infinite loop caused by the IS_CONTAINED_BY_LMA (bsc#1118830) - CVE-2018-20623: Fixed a use-after-free in the error function in elfcomm.c (bsc#1121035) - CVE-2018-20651: Fixed a denial of service via a NULL pointer dereference in elf_link_add_object_symbols in elflink.c (bsc#1121034) - CVE-2018-20671: Fixed an integer overflow that can trigger a heap-based buffer overflow in load_specific_debug_section in objdump.c (bsc#1121056) - CVE-2018-1000876: Fixed integer overflow in bfd_get_dynamic_reloc_upper_bound,bfd_canonicalize_dynamic_reloc in objdump (bsc#1120640) - CVE-2019-1010180: Fixed an out of bound memory access that could lead to crashes (bsc#1142772) - enable xtensa architecture (Tensilica lc6 and related) - Use -ffat-lto-objects in order to provide assembly for static libs (bsc#1141913). - Fixed some LTO build issues (bsc#1133131 bsc#1133232). - riscv: Don't check ABI flags if no code section - Fixed a segfault in ld when building some versions of pacemaker (bsc#1154025, bsc#1154016). - Add avr, epiphany and rx to target_list so that the common binutils can handle all objects we can create with crosses (bsc#1152590). Update to binutils 2.32: * The binutils now support for the C-SKY processor series. * The x86 assembler now supports a -mvexwig=[0|1] option to control encoding of VEX.W-ignored (WIG) VEX instructions. It also has a new -mx86-used-note=[yes|no] option to generate (or not) x86 GNU property notes. * The MIPS assembler now supports the Loongson EXTensions R2 (EXT2), the Loongson EXTensions (EXT) instructions, the Loongson Content Address Memory (CAM) ASE and the Loongson MultiMedia extensions Instructions (MMI) ASE. * The addr2line, c++filt, nm and objdump tools now have a default limit on the maximum amount of recursion that is allowed whilst demangling strings. This limit can be disabled if necessary. * Objdump's --disassemble option can now take a parameter, specifying the starting symbol for disassembly. Disassembly will continue from this symbol up to the next symbol or the end of the function. * The BFD linker will now report property change in linker map file when merging GNU properties. * The BFD linker's -t option now doesn't report members within archives, unless -t is given twice. This makes it more useful when generating a list of files that should be packaged for a linker bug report. * The GOLD linker has improved warning messages for relocations that refer to discarded sections. - Improve relro support on s390 [fate#326356] - Fix broken debug symbols (bsc#1118644) - Handle ELF compressed header alignment correctly. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2782-1 Released: Fri Oct 25 14:27:52 2019 Summary: Security update for nfs-utils Type: security Severity: moderate References: 1150733,CVE-2019-3689 This update for nfs-utils fixes the following issues: - CVE-2019-3689: Fixed root-owned files stored in insecure /var/lib/nfs. (bsc#1150733) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2802-1 Released: Tue Oct 29 11:39:05 2019 Summary: Security update for python3 Type: security Severity: moderate References: 1149121,1149792,1149955,1151490,1153238,CVE-2019-16056,CVE-2019-16935,PM-1350,SLE-9426 This update for python3 to 3.6.9 fixes the following issues: Security issues fixed: - CVE-2019-16056: Fixed a parser issue in the email module. (bsc#1149955) - CVE-2019-16935: Fixed a reflected XSS in python/Lib/DocXMLRPCServer.py (bsc#1153238). Non-security issues fixed: - Fixed regression of OpenSSL 1.1.1b-1 in EVP_PBE_scrypt() with salt=NULL. (bsc#1151490) - Improved locale handling by implementing PEP 538. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2812-1 Released: Tue Oct 29 14:57:55 2019 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1139459,1140631,1145023,1150595,SLE-7687 This update for systemd provides the following fixes: - Fix a problem that would cause invoking try-restart to an inactive service to hang when a daemon-reload is invoked before the try-restart returned. (bsc#1139459) - man: Add a note about _netdev usage. - units: Replace remote-cryptsetup-pre.target with remote-fs-pre.target. - units: Add [Install] section to remote-cryptsetup.target. - cryptsetup: Ignore _netdev, since it is used in generator. - cryptsetup-generator: Use remote-cryptsetup.target when _netdev is present. (jsc#SLE-7687) - cryptsetup-generator: Add a helper utility to create symlinks. - units: Add remote-cryptsetup.target and remote-cryptsetup-pre.target. - man: Add an explicit description of _netdev to systemd.mount(5). - man: Order fields alphabetically in crypttab(5). - man: Make crypttab(5) a bit easier to read. - units: Order cryptsetup-pre.target before cryptsetup.target. - Fix reporting of enabled-runtime units. - sd-bus: Deal with cookie overruns. (bsc#1150595) - rules: Add by-id symlinks for persistent memory. (bsc#1140631) - Buildrequire polkit so /usr/share/polkit-1/rules.d subdir can be only owned by polkit. (bsc#1145023) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2870-1 Released: Thu Oct 31 08:09:14 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1051143,1138869,1151023 This update for aaa_base provides the following fixes: - Check if variables can be set before modifying them to avoid warnings on login with a restricted shell. (bsc#1138869) - Add s390x compressed kernel support. (bsc#1151023) - service: Check if there is a second argument before using it. (bsc#1051143) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2891-1 Released: Mon Nov 4 17:47:10 2019 Summary: Security update for python-ecdsa Type: security Severity: moderate References: 1153165,1154217,CVE-2019-14853,CVE-2019-14859 This update for python-ecdsa to version 0.13.3 fixes the following issues: Security issues fixed: - CVE-2019-14853: Fixed unexpected exceptions during signature decoding (bsc#1153165). - CVE-2019-14859: Fixed a signature malleability caused by insufficient checks of DER encoding (bsc#1154217). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2929-1 Released: Thu Nov 7 16:45:13 2019 Summary: Recommended update for python-kubernetes Type: recommended Severity: moderate References: 1151481 This update for python-kubernetes fixes the following issues: - python-ipaddress is only required for building on Python2 (on Python3 is part of the standard library) - Backport fix for base64 padding in kubeconfig (bsc#1151481) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2418-1 Released: Thu Nov 14 11:53:03 2019 Summary: Recommended update for bash Type: recommended Severity: moderate References: 1133773,1143055 This update for bash fixes the following issues: - Rework patch readline-7.0-screen (bsc#1143055): map all 'screen(-xxx)?.yyy(-zzz)?' to 'screen' as well as map 'konsole(-xxx)?' and 'gnome(-xxx)?' to 'xterm' - Add a backport from bash 5.0 to perform better with large numbers of sub processes. (bsc#1133773) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2997-1 Released: Mon Nov 18 15:16:38 2019 Summary: Security update for ncurses Type: security Severity: moderate References: 1103320,1154036,1154037,CVE-2019-17594,CVE-2019-17595 This update for ncurses fixes the following issues: Security issues fixed: - CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036). - CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037). Non-security issue fixed: - Removed screen.xterm from terminfo database (bsc#1103320). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3059-1 Released: Mon Nov 25 17:33:07 2019 Summary: Security update for cpio Type: security Severity: moderate References: 1155199,CVE-2019-14866 This update for cpio fixes the following issues: - CVE-2019-14866: Fixed an improper validation of the values written in the header of a TAR file through the to_oct() function which could have led to unexpected TAR generation (bsc#1155199). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3061-1 Released: Mon Nov 25 17:34:22 2019 Summary: Security update for gcc9 Type: security Severity: moderate References: 1114592,1135254,1141897,1142649,1142654,1148517,1149145,CVE-2019-14250,CVE-2019-15847,SLE-6533,SLE-6536 This update includes the GNU Compiler Collection 9. A full changelog is provided by the GCC team on: https://www.gnu.org/software/gcc/gcc-9/changes.html The base system compiler libraries libgcc_s1, libstdc++6 and others are now built by the gcc 9 packages. To use it, install 'gcc9' or 'gcc9-c++' or other compiler brands and use CC=gcc-9 / CXX=g++-9 during configuration for using it. Security issues fixed: - CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145) - CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649) Non-security issues fixed: - Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254) - Fixed miscompilation for vector shift on s390. (bsc#1141897) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3070-1 Released: Tue Nov 26 12:39:29 2019 Summary: Recommended update for gpg2 Type: recommended Severity: low References: 1152755 This update for gpg2 provides the following fix: - Remove a build requirement on self. This is causing Leap 15.2 bootstrap to fail. (bsc#1152755) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3086-1 Released: Thu Nov 28 10:02:24 2019 Summary: Security update for libidn2 Type: security Severity: moderate References: 1154884,1154887,CVE-2019-12290,CVE-2019-18224 This update for libidn2 to version 2.2.0 fixes the following issues: - CVE-2019-12290: Fixed an improper round-trip check when converting A-labels to U-labels (bsc#1154884). - CVE-2019-18224: Fixed a heap-based buffer overflow that was caused by long domain strings (bsc#1154887). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3087-1 Released: Thu Nov 28 10:03:00 2019 Summary: Security update for libxml2 Type: security Severity: low References: 1123919 This update for libxml2 doesn't fix any additional security issues, but correct its rpm changelog to reflect all CVEs that have been fixed over the past. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3118-1 Released: Fri Nov 29 14:41:35 2019 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1154295 This update for e2fsprogs fixes the following issues: - Make minimum size estimates more reliable for mounted filesystem. (bsc#1154295) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3166-1 Released: Wed Dec 4 11:24:42 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1007715,1084934,1157278 This update for aaa_base fixes the following issues: - Use official key binding functions in inputrc that is replace up-history with previous-history, down-history with next-history and backward-delete-word with backward-kill-word. (bsc#1084934) - Add some missed key escape sequences for urxvt-unicode terminal as well. (bsc#1007715) - Clear broken ghost entry in patch which breaks 'readline'. (bsc#1157278) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3240-1 Released: Tue Dec 10 10:40:19 2019 Summary: Recommended update for ca-certificates-mozilla, p11-kit Type: recommended Severity: moderate References: 1154871 This update for ca-certificates-mozilla, p11-kit fixes the following issues: Changes in ca-certificates-mozilla: - export correct p11kit trust attributes so Firefox detects built in certificates (bsc#1154871). Changes in p11-kit: - support loading NSS attribute CKA_NSS_MOZILLA_CA_POLICY so Firefox detects built in certificates (bsc#1154871) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3267-1 Released: Wed Dec 11 11:19:53 2019 Summary: Security update for libssh Type: security Severity: important References: 1158095,CVE-2019-14889 This update for libssh fixes the following issues: - CVE-2019-14889: Fixed an arbitrary command execution (bsc#1158095). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3392-1 Released: Fri Dec 27 13:33:29 2019 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1148987,1155338,1155339,CVE-2019-13627 This update for libgcrypt fixes the following issues: Security issues fixed: - CVE-2019-13627: Mitigation against an ECDSA timing attack (bsc#1148987). Bug fixes: - Added CMAC AES self test (bsc#1155339). - Added CMAC TDES self test missing (bsc#1155338). - Fix test dsa-rfc6979 in FIPS mode. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:9-1 Released: Thu Jan 2 12:33:47 2020 Summary: Recommended update for xfsprogs Type: recommended Severity: moderate References: 1157438 This update for xfsprogs fixes the following issues: - Remove the 'xfs_scrub_all' script from the package, and the corresponding dependency of python. (bsc#1157438) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:36-1 Released: Wed Jan 8 10:26:46 2020 Summary: Recommended update for python-pyOpenSSL Type: recommended Severity: low References: 1159989 This update fixes the build of python-pyOpenSSL in 2020 (bsc#1159989). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:114-1 Released: Thu Jan 16 10:11:52 2020 Summary: Security update for python3 Type: security Severity: important References: 1027282,1029377,1029902,1040164,1042670,1070853,1079761,1081750,1083507,1086001,1088004,1088009,1088573,1094814,1107030,1109663,1109847,1120644,1122191,1129346,1130840,1133452,1137942,1138459,1141853,1149121,1149792,1149955,1151490,1153238,1159035,1159622,637176,658604,673071,709442,743787,747125,751718,754447,754677,787526,809831,831629,834601,871152,885662,885882,917607,942751,951166,983582,984751,985177,985348,989523,CVE-2011-3389,CVE-2011-4944,CVE-2012-0845,CVE-2012-1150,CVE-2013-1752,CVE-2013-4238,CVE-2014-2667,CVE-2014-4650,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699,CVE-2017-18207,CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061,CVE-2018-14647,CVE-2018-20406,CVE-2018-20852,CVE-2019-10160,CVE-2019-15903,CVE-2019-16056,CVE-2019-16935,CVE-2019-5010,CVE-2019-9636,CVE-2019-9947 This update for python3 to version 3.6.10 fixes the following issues: - CVE-2017-18207: Fixed a denial of service in Wave_read._read_fmt_chunk() (bsc#1083507). - CVE-2019-16056: Fixed an issue where email parsing could fail for multiple @ (bsc#1149955). - CVE-2019-15903: Fixed a heap-based buffer over-read in libexpat (bsc#1149429). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:119-1 Released: Thu Jan 16 15:42:39 2020 Summary: Recommended update for python-jsonpatch Type: recommended Severity: moderate References: 1160978 This update for python-jsonpatch fixes the following issues: - Drop jsondiff binary to avoid conflict with python-jsondiff package. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:129-1 Released: Mon Jan 20 09:21:13 2020 Summary: Security update for libssh Type: security Severity: important References: 1158095,CVE-2019-14889 This update for libssh fixes the following issues: - CVE-2019-14889: Fixed an unwanted command execution in scp caused by unsanitized location (bsc#1158095). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:225-1 Released: Fri Jan 24 06:49:07 2020 Summary: Recommended update for procps Type: recommended Severity: moderate References: 1158830 This update for procps fixes the following issues: - Fix for 'ps -C' allowing to accept any arguments longer than 15 characters anymore. (bsc#1158830) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:256-1 Released: Wed Jan 29 09:39:17 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1157794,1160970 This update for aaa_base fixes the following issues: - Improves the way how the Java path is created to fix an issue with sapjvm. (bsc#1157794) - Drop 'dev.cdrom.autoclose' = 0 from sysctl config. (bsc#1160970) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:262-1 Released: Thu Jan 30 11:02:42 2020 Summary: Security update for glibc Type: security Severity: moderate References: 1149332,1151582,1157292,1157893,1158996,CVE-2019-19126 This update for glibc fixes the following issues: Security issue fixed: - CVE-2019-19126: Fixed to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition (bsc#1157292). Bug fixes: - Fixed z15 (s390x) strstr implementation that can return incorrect results if search string cross page boundary (bsc#1157893). - Fixed Hardware support in toolchain (bsc#1151582). - Fixed syscalls during early process initialization (SLE-8348). - Fixed an array overflow in backtrace for PowerPC (bsc#1158996). - Moved to posix_spawn on popen (bsc#1149332). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:265-1 Released: Thu Jan 30 14:05:34 2020 Summary: Security update for e2fsprogs Type: security Severity: moderate References: 1160571,CVE-2019-5188 This update for e2fsprogs fixes the following issues: - CVE-2019-5188: Fixed a code execution vulnerability in the directory rehashing functionality (bsc#1160571). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:279-1 Released: Fri Jan 31 12:01:39 2020 Summary: Recommended update for p11-kit Type: recommended Severity: moderate References: 1013125 This update for p11-kit fixes the following issues: - Also build documentation (bsc#1013125) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:335-1 Released: Thu Feb 6 11:37:24 2020 Summary: Security update for systemd Type: security Severity: important References: 1084671,1092920,1106383,1133495,1151377,1154256,1155207,1155574,1156213,1156482,1158485,1159814,1161436,1162108,CVE-2019-20386,CVE-2020-1712 This update for systemd fixes the following issues: - CVE-2020-1712 (bsc#bsc#1162108) Fix a heap use-after-free vulnerability, when asynchronous Polkit queries were performed while handling Dbus messages. A local unprivileged attacker could have abused this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted Dbus messages. - Use suse.pool.ntp.org server pool on SLE distros (jsc#SLE-7683) - libblkid: open device in nonblock mode. (bsc#1084671) - udev/cdrom_id: Do not open CD-rom in exclusive mode. (bsc#1154256) - bus_open leak sd_event_source when udevadm trigger。 (bsc#1161436 CVE-2019-20386) - fileio: introduce read_full_virtual_file() for reading virtual files in sysfs, procfs (bsc#1133495 bsc#1159814) - fileio: initialize errno to zero before we do fread() - fileio: try to read one byte too much in read_full_stream() - logind: consider 'greeter' sessions suitable as 'display' sessions of a user (bsc#1158485) - logind: never elect a session that is stopping as display - journal: include kmsg lines from the systemd process which exec()d us (#8078) - udevd: don't use monitor after manager_exit() - udevd: capitalize log messages in on_sigchld() - udevd: merge conditions to decrease indentation - Revert 'udevd: fix crash when workers time out after exit is signal caught' - core: fragments of masked units ought not be considered for NeedDaemonReload (#7060) (bsc#1156482) - udevd: fix crash when workers time out after exit is signal caught - udevd: wait for workers to finish when exiting (bsc#1106383) - Improve bash completion support (bsc#1155207) * shell-completion: systemctl: do not list template units in {re,}start * shell-completion: systemctl: pass current word to all list_unit* * bash-completion: systemctl: pass current partial unit to list-unit* (bsc#1155207) * bash-completion: systemctl: use systemctl --no-pager * bash-completion: also suggest template unit files * bash-completion: systemctl: add missing options and verbs * bash-completion: use the first argument instead of the global variable (#6457) - networkd: VXLan Make group and remote variable separate (bsc#1156213) - networkd: vxlan require Remote= to be a non multicast address (#8117) (bsc#1156213) - fs-util: let's avoid unnecessary strerror() - fs-util: introduce inotify_add_watch_and_warn() helper - ask-password: improve log message when inotify limit is reached (bsc#1155574) - shared/install: failing with -ELOOP can be due to the use of an alias in install_error() (bsc#1151377) - man: alias names can't be used with enable command (bsc#1151377) - Add boot option to not use swap at system start (jsc#SLE-7689) - Allow YaST to select Iranian (Persian, Farsi) keyboard layout (bsc#1092920) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:339-1 Released: Thu Feb 6 13:03:22 2020 Summary: Recommended update for openldap2 Type: recommended Severity: low References: 1158921 This update for openldap2 provides the following fix: - Add libldap-data to the product (as it contains ldap.conf). (bsc#1158921) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:340-1 Released: Thu Feb 6 13:03:56 2020 Summary: Recommended update for python-rpm-macros Type: recommended Severity: moderate References: 1161770 This update for python-rpm-macros fixes the following issues: - Add macros related to the Python dist metadata dependency generator. (bsc#1161770) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:408-1 Released: Wed Feb 19 09:32:46 2020 Summary: Security update for sudo Type: security Severity: important References: 1162202,1162675,CVE-2019-18634 This update for sudo fixes the following issues: Security issue fixed: - CVE-2019-18634: Fixed a buffer overflow in the passphrase prompt that could occur when pwfeedback was enabled in /etc/sudoers (bsc#1162202). Non-security issue fixed: - Fixed an issue where sudo -l would ask for a password even though `listpw` was set to `never` (bsc#1162675). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:451-1 Released: Tue Feb 25 10:50:35 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1155337,1161215,1161216,1161218,1161219,1161220 This update for libgcrypt fixes the following issues: - ECDSA: Check range of coordinates (bsc#1161216) - FIPS: libgcrypt DSA PQG parameter generation: Missing value [bsc#1161219] - FIPS: libgcrypt DSA PQG verification incorrect results [bsc#1161215] - FIPS: libgcrypt RSA siggen/keygen: 4k not supported [bsc#1161220] - FIPS: keywrap gives incorrect results [bsc#1161218] - FIPS: RSA/DSA/ECDSA are missing hashing operation [bsc#1155337] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:453-1 Released: Tue Feb 25 10:51:53 2020 Summary: Recommended update for binutils Type: recommended Severity: moderate References: 1160590 This update for binutils fixes the following issues: - Recognize the official name of s390 arch13: 'z15'. (bsc#1160590, jsc#SLE-7903 aka jsc#SLE-7464) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:462-1 Released: Tue Feb 25 11:49:30 2020 Summary: Recommended update for xfsprogs Type: recommended Severity: moderate References: 1158504,1158509,1158630,1158758 This update for xfsprogs fixes the following issues: - Allow the filesystem utility xfs_io to suffix sizes with k,m,g for kilobytes, megabytes or gigabytes respectively. (bsc#1158630) - Validate extent size hint parameters through libxfs to avoid output mismatch. (bsc#1158509) - Fix for 'xfs_repair' not to fail recovery of orphaned shortform directories. (bsc#1158504) - Fix for 'xfs_quota' to avoid false error reporting of project inheritance flag is not set. (bsc#1158758) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:467-1 Released: Tue Feb 25 12:00:39 2020 Summary: Security update for python3 Type: security Severity: moderate References: 1162224,1162367,1162423,1162825,CVE-2019-9674,CVE-2020-8492 This update for python3 fixes the following issues: Security issues fixed: - CVE-2019-9674: Improved the documentation to reflect the dangers of zip-bombs (bsc#1162825). - CVE-2020-8492: Fixed a regular expression in urrlib that was prone to denial of service via HTTP (bsc#1162367). Non-security issue fixed: - If the locale is 'C', coerce it to C.UTF-8 (bsc#1162423). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:476-1 Released: Tue Feb 25 14:23:14 2020 Summary: Recommended update for perl Type: recommended Severity: moderate References: 1102840,1160039 This update for perl fixes the following issues: - Some packages make assumptions about the date and time they are built. This update will solve the issues caused by calling the perl function timelocal expressing the year with two digit only instead of four digits. (bsc#1102840) (bsc#1160039) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:480-1 Released: Tue Feb 25 17:38:22 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1160735 This update for aaa_base fixes the following issues: - Change 'rp_filter' to increase the default priority to ethernet over the wifi. (bsc#1160735) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:498-1 Released: Wed Feb 26 17:59:44 2020 Summary: Recommended update for aws-cli, python-boto3, python-botocore, python-s3transfer, python-aws-sam-translator, python-cfn-lint, python-nose2, python-parameterized Type: recommended Severity: moderate References: 1122669,1136184,1146853,1146854,1159018 This update for aws-cli, python-aws-sam-translator, python-cfn-lint, python-nose2, python-parameterized, python-boto3, python-botocore, python-s3transfer fixes the following issues: python-aws-sam-translator was updated to 1.11.0 (bsc#1159018, jsc#PM-1507): Upgrade to 1.11.0: * Add ReservedConcurrentExecutions to globals * Fix ElasticsearchHttpPostPolicy resource reference * Support using AWS::Region in Ref and Sub * Documentation and examples updates * Add VersionDescription property to Serverless::Function * Update ServerlessRepoReadWriteAccessPolicy * Add additional template validation Upgrade to 1.10.0: * Add GSIs to DynamoDBReadPolicy and DynamoDBCrudPolicy * Add DynamoDBReconfigurePolicy * Add CostExplorerReadOnlyPolicy and OrganizationsListAccountsPolicy * Add EKSDescribePolicy * Add SESBulkTemplatedCrudPolicy * Add FilterLogEventsPolicy * Add SSMParameterReadPolicy * Add SESEmailTemplateCrudPolicy * Add s3:PutObjectAcl to S3CrudPolicy * Add allow_credentials CORS option * Add support for AccessLogSetting and CanarySetting Serverless::Api properties * Add support for X-Ray in Serverless::Api * Add support for MinimumCompressionSize in Serverless::Api * Add Auth to Serverless::Api globals * Remove trailing slashes from APIGW permissions * Add SNS FilterPolicy and an example application * Add Enabled property to Serverless::Function event sources * Add support for PermissionsBoundary in Serverless::Function * Fix boto3 client initialization * Add PublicAccessBlockConfiguration property to S3 bucket resource * Make PAY_PER_REQUEST default mode for Serverless::SimpleTable * Add limited support for resolving intrinsics in Serverless::LayerVersion * SAM now uses Flake8 * Add example application for S3 Events written in Go * Updated several example applications python-cfn-lint was added in version 0.21.4: - Add upstream patch to fix EOL dates for lambda runtimes - Add upstream patch to fix test_config_expand_paths test - Rename to python-cfn-lint. This package has a python API, which is required by python-moto. Update to version 0.21.4: + Features * Include more resource types in W3037 + CloudFormation Specifications * Add Resource Type `AWS::CDK::Metadata` + Fixes * Uncap requests dependency in setup.py * Check Join functions have lists in the correct sections * Pass a parameter value for AutoPublishAlias when doing a Transform * Show usage examples when displaying the help Update to version 0.21.3 + Fixes * Support dumping strings for datetime objects when doing a Transform Update to version 0.21.2 + CloudFormation Specifications * Update CloudFormation specs to 3.3.0 * Update instance types from pricing API as of 2019.05.23 Update to version 0.21.1 + Features * Add `Info` logging capability and set the default logging to `NotSet` + Fixes * Only do rule logging (start/stop/time) when the rule is going to be called * Update rule E1019 to allow `Fn::Transform` inside a `Fn::Sub` * Update rule W2001 to not break when `Fn::Transform` inside a `Fn::Sub` * Update rule E2503 to allow conditions to be used and to not default to `network` load balancer when an object is used for the Load Balancer type Update to version 0.21.0 + Features * New rule E3038 to check if a Serverless resource includes the appropriate Transform * New rule E2531 to validate a Lambda's runtime against the deprecated dates * New rule W2531 to validate a Lambda's runtime against the EOL dates * Update rule E2541 to include updates to Code Pipeline capabilities * Update rule E2503 to include checking of values for load balancer attributes + CloudFormation Specifications * Update CloudFormation specs to 3.2.0 * Update instance types from pricing API as of 2019.05.20 + Fixes * Include setuptools in setup.py requires Update to version 0.20.3 + CloudFormation Specifications * Update instance types from pricing API as of 2019.05.16 + Fixes * Update E7001 to allow float/doubles for mapping values * Update W1020 to check pre-transformed Fn::Sub(s) to determine if a Sub is needed * Pin requests to be below or equal to 2.21.0 to prevent issues with botocore Update to version 0.20.2 + Features * Add support for List Parameter types + CloudFormation Specifications * Add allowed values for AWS::EC2 EIP, FlowLog, CustomerGateway, DHCPOptions, EC2Fleet * Create new property type for Security Group IDs or Names * Add new Lambda runtime environment for NodeJs 10.x * Move AWS::ServiceDiscovery::Service Health checks from Only One to Exclusive * Update Glue Crawler Role to take an ARN or a name * Remove PrimitiveType from MaintenanceWindowTarget Targets * Add Min/Max values for Load Balancer Ports to be between 1-65535 + Fixes * Include License file in the pypi package to help with downstream projects * Filter out dynamic references from rule E3031 and E3030 * Convert Python linting and Code Coverage from Python 3.6 to 3.7 Update to version 0.20.1 + Fixes * Update rule E8003 to support more functions inside a Fn::Equals Update to version 0.20.0 + Features * Allow a rule's exception to be defined in a resource's metadata * Add rule configuration capabilities * Update rule E3012 to allow for non strict property checking * Add rule E8003 to test Fn::Equals structure and syntax * Add rule E8004 to test Fn::And structure and syntax * Add rule E8005 to test Fn::Not structure and syntax * Add rule E8006 to test Fn::Or structure and syntax * Include Path to error in the JSON output * Update documentation to describe how to install cfn-lint from brew + CloudFormation Specifications * Update CloudFormation specs to version 3.0.0 * Add new region ap-east-1 * Add list min/max and string min/max for CloudWatch Alarm Actions * Add allowed values for EC2::LaunchTemplate * Add allowed values for EC2::Host * Update allowed values for Amazon MQ to include 5.15.9 * Add AWS::Greengrass::ResourceDefinition to GreenGrass supported regions * Add AWS::EC2::VPCEndpointService to all regions * Update AWS::ECS::TaskDefinition ExecutionRoleArn to be a IAM Role ARN * Patch spec files for SSM MaintenanceWindow to look for Target and not Targets * Update ManagedPolicyArns list size to be 20 which is the hard limit. 10 is the soft limit. + Fixes * Fix rule E3033 to check the string size when the string is inside a list * Fix an issue in which AWS::NotificationARNs was not a list * Add AWS::EC2::Volume to rule W3010 * Fix an issue with W2001 where SAM translate would remove the Ref to a parameter causing this error to falsely trigger * Fix rule W3010 to not error when the availability zone is 'all' Update to version 0.19.1 + Fixes * Fix core Condition processing to support direct Condition in another Condition * Fix the W2030 to check numbers against string allowed values Update to version 0.19.0 + Features * Add NS and PTR Route53 record checking to rule E3020 * New rule E3050 to check if a Ref to IAM Role has a Role path of '/' * New rule E3037 to look for duplicates in a list that doesn't support duplicates * New rule I3037 to look for duplicates in a list when duplicates are allowed + CloudFormation Specifications * Add Min/Max values to AWS::ElasticLoadBalancingV2::TargetGroup HealthCheckTimeoutSeconds * Add Max JSON size to AWS::IAM::ManagedPolicy PolicyDocument * Add allowed values for AWS::EC2 SpotFleet, TransitGateway, NetworkAcl NetworkInterface, PlacementGroup, and Volume * Add Min/max values to AWS::Budgets::Budget.Notification Threshold * Update RDS Instance types by database engine and license definitions using the pricing API * Update AWS::CodeBuild::Project ServiceRole to support Role Name or ARN * Update AWS::ECS::Service Role to support Role Name or ARN + Fixes * Update E3025 to support the new structure of data in the RDS instance type json * Update E2540 to remove all nested conditions from the object * Update E3030 to not do strict type checking * Update E3020 to support conditions nested in the record sets * Update E3008 to better handle CloudFormation sub stacks with different GetAtt formats Update to version 0.18.1 + CloudFormation Specifications * Update CloudFormation Specs to 2.30.0 * Fix IAM Regex Path to support more character types * Update AWS::Batch::ComputeEnvironment.ComputeResources InstanceRole to reference an InstanceProfile or GetAtt the InstanceProfile Arn * Allow VPC IDs to Ref a Parameter of type String + Fixes * Fix E3502 to check the size of the property instead of the parent object Update to version 0.18.0 + Features * New rule E3032 to check the size of lists * New rule E3502 to check JSON Object Size using definitions in the spec file * New rule E3033 to test the minimum and maximum length of a string * New rule E3034 to validate the min and max of a number * Remove Ebs Iops check from E2504 and use rule E3034 instead * Remove rule E2509 and use rule E3033 instead * Remove rule E2508 as it replaced by E3032 and E3502 * Update rule E2503 to check that there are at least two 2 Subnets or SubnetMappings for ALBs * SAM requirement upped to minimal version of 1.10.0 + CloudFormation Specifications * Extend specs to include: > `ListMin` and `ListMax` for the minimum and maximum size of a list > `JsonMax` to check the max size of a JSON Object > `StringMin` and `StringMax` to check the minimum and maximum length of a String > `NumberMin` and `NumberMax` to check the minimum and maximum value of a Number, Float, Long * Update State and ExecutionRoleArn to be required on AWS::DLM::LifecyclePolicy * Add AllowedValues for PerformanceInsightsRetentionPeriod for AWS::RDS::Instance * Add AllowedValues for the AWS::GuardDuty Resources * Add AllowedValues for AWS::EC2 VPC and VPN Resources * Switch IAM Instance Profiles for certain resources to the type that only takes the name * Add regex pattern for IAM Instance Profile when a name (not Arn) is used * Add regex pattern for IAM Paths * Add Regex pattern for IAM Role Arn * Update OnlyOne spec to require require at least one of Subnets or SubnetMappings with ELB v2 + Fixes * Fix serverless transform to use DefinitionBody when Auth is in the API definition * Fix rule W2030 to not error when checking SSM or List Parameters Update to version 0.17.1 + Features * Update rule E2503 to make sure NLBs don't have a Security Group configured + CloudFormation Specifications * Add all the allowed values of the `AWS::Glue` Resources * Update OnlyOne check for `AWS::CloudWatch::Alarm` to only `MetricName` or `Metrics` * Update Exclusive check for `AWS::CloudWatch::Alarm` for properties mixed with `Metrics` and `Statistic` * Update CloudFormation specs to 2.29.0 * Fix type with MariaDB in the AllowedValues * Update pricing information for data available on 2018.3.29 + Fixes * Fix rule E1029 to not look for a sub is needed when looking for iot strings in policies * Fix rule E2541 to allow for ActionId Versions of length 1-9 and meets regex `[0-9A-Za-z_-]+` * Fix rule E2532 to allow for `Parameters` inside a `Pass` action * Fix an issue when getting the location of an error in which numbers are causing an attribute error Update to version 0.17.0 + Features * Add new rule E3026 to validate Redis cluster settings including AutomaticFailoverEnabled and NumCacheClusters. Status: Released * Add new rule W3037 to validate IAM resource policies. Status: Experimental * Add new parameter `-e/--include-experimental` to allow for new rules in that aren't ready to be fully released + CloudFormation Specifications * Update Spec files to 2.28.0 * Add all the allowed values of the AWS::Redshift::* Resources * Add all the allowed values of the AWS::Neptune::* Resources * Patch spec to make AWS::CloudFront::Distribution.LambdaFunctionAssociation.LambdaFunctionARN required * Patch spec to make AWS::DynamoDB::Table AttributeDefinitions required + Fixes * Remove extra blank lines when there is no errors in the output * Add exception to rule E1029 to have exceptions for EMR CloudWatchAlarmDefinition * Update rule E1029 to allow for literals in a Sub * Remove sub checks from rule E3031 as it won't match in all cases of an allowed pattern regex check * Correct typos for errors in rule W1001 * Switch from parsing a template as Yaml to Json when finding an escape character * Fix an issue with SAM related to transforming templates with Serverless Application and Lambda Layers * Fix an issue with rule E2541 when non strings were used for Stage Names Update to version 0.16.0 + Features * Add rule E3031 to look for regex patterns based on the patched spec file * Remove regex checks from rule E2509 * Add parameter `ignore-templates` to allow the ignoring of templates when doing bulk linting + CloudFormation Specifications * Update Spec files to 2.26.0 * Add all the allowed values of the AWS::DirectoryService::* Resources * Add all the allowed values of the AWS::DynamoDB::* Resources * Added AWS::Route53Resolver resources to the Spec Patches of ap-southeast-2 * Patch the spec file with regex patterns * Add all the allowed values of the AWS::DocDb::* Resources + Fixes * Update rule E2504 to have '20000' as the max value * Update rule E1016 to not allow ImportValue inside of Conditions * Update rule E2508 to check conditions when providing limit checks on managed policies * Convert unicode to strings when in Py 3.4/3.5 and updating specs * Convert from `awslabs` to `aws-cloudformation` organization * Remove suppression of logging that was removed from samtranslator >1.7.0 and incompatibility with samtranslator 1.10.0 Update to version 0.15.0 + Features * Add scaffolding for arbitrary Match attributes, adding attributes for Type checks * Add rule E3024 to validate that ProvisionedThroughput is not specified with BillingMode PAY_PER_REQUEST + CloudFormation Specifications * Update Spec files to 2.24.0 * Update OnlyOne spec to have BlockDeviceMapping to include NoDevice with Ebs and VirtualName * Add all the allowed values of the AWS::CloudFront::* Resources * Add all the allowed values of the AWS::DAX::* Resources + Fixes * Update config parsing to use the builtin Yaml decoder * Add condition support for Inclusive E2521, Exclusive E2520, and AtLeastOne E2522 rules * Update rule E1029 to better check Resource strings inside IAM Policies * Improve the line/column information of a Match with array support Update to version 0.14.1 + CloudFormation Specifications * Update CloudFormation Specs to version 2.23.0 * Add allowed values for AWS::Config::* resources * Add allowed values for AWS::ServiceDiscovery::* resources * Fix allowed values for Apache MQ + Fixes * Update rule E3008 to not error when using a list from a custom resource * Support simple types in the CloudFormation spec * Add tests for the formatters Update to version 0.14.0 + Features * Add rule E3035 to check the values of DeletionPolicy * Add rule E3036 to check the values of UpdateReplacePolicy * Add rule E2014 to check that there are no REFs in the Parameter section * Update rule E2503 to support TLS on NLBs + CloudFormation Specifications * Update CloudFormation spec to version 2.22.0 * Add allowed values for AWS::Cognito::* resources + Fixes * Update rule E3002 to allow GetAtts to Custom Resources under a Condition Update to version 0.13.2 + Features * Introducing the cfn-lint logo! * Update SAM dependency version + Fixes * Fix CloudWatchAlarmComparisonOperator allowed values. * Fix typo resoruce_type_spec in several files * Better support for nested And, Or, and Not when processing Conditions Update to version 0.13.1 + CloudFormation Specifications * Add allowed values for AWS::CloudTrail::Trail resources * Patch spec to have AWS::CodePipeline::CustomActionType Version included + Fixes * Fix conditions logic to use AllowedValues when REFing a Parameter that has AllowedValues specified Update to version 0.13.0 + Features * New rule W1011 to check if a FindInMap is using the correct map name and keys * New rule W1001 to check if a Ref/GetAtt to a resource that exists when Conditions are used * Removed logic in E1011 and moved it to W1011 for validating keys * Add property relationships for AWS::ApplicationAutoScaling::ScalingPolicy into Inclusive, Exclusive, and AtLeastOne * Update rule E2505 to check the netmask bit * Include the ability to update the CloudFormation Specs using the Pricing API + CloudFormation Specifications * Update to version 2.21.0 * Add allowed values for AWS::Budgets::Budget * Add allowed values for AWS::CertificateManager resources * Add allowed values for AWS::CodePipeline resources * Add allowed values for AWS::CodeCommit resources * Add allowed values for EC2 InstanceTypes from pricing API * Add allowed values for RedShift InstanceTypes from pricing API * Add allowed values for MQ InstanceTypes from pricing API * Add allowed values for RDS InstanceTypes from pricing API + Fixes * Fixed README indentation issue with .pre-commit-config.yaml * Fixed rule E2541 to allow for multiple inputs/outputs in a CodeBuild task * Fixed rule E3020 to allow for a period or no period at the end of a ACM registration record * Update rule E3001 to support UpdateReplacePolicy * Fix a cli issue where `--template` wouldn't be used when a .cfnlintrc was in the same folder * Update rule E3002 and E1024 to support packaging of AWS::Lambda::LayerVersion content - Initial build + Version 0.12.1 Update to 0.9.1 * the prof plugin now uses cProfile instead of hotshot for profiling * skipped tests now include the user's reason in junit XML's message field * the prettyassert plugin mishandled multi-line function definitions * Using a plugin's CLI flag when the plugin is already enabled via config no longer errors * nose2.plugins.prettyassert, enabled with --pretty-assert * Cleanup code for EOLed python versions * Dropped support for distutils. * Result reporter respects failure status set by other plugins * JUnit XML plugin now includes the skip reason in its output Upgrade to 0.8.0: - List of changes is too long to show here, see https://github.com/nose-devs/nose2/blob/master/docs/changelog.rst changes between 0.6.5 and 0.8.0 Update to 0.7.0: * Added parameterized_class feature, for parameterizing entire test classes (many thanks to @TobyLL for their suggestions and help testing!) * Fix DeprecationWarning on `inspect.getargs` (thanks @brettdh; https://github.com/wolever/parameterized/issues/67) * Make sure that `setUp` and `tearDown` methods work correctly (#40) * Raise a ValueError when input is empty (thanks @danielbradburn; https://github.com/wolever/parameterized/pull/48) * Fix the order when number of cases exceeds 10 (thanks @ntflc; https://github.com/wolever/parameterized/pull/49) aws-cli was updated to version 1.16.223: For detailed changes see the changes entries: https://github.com/aws/aws-cli/blob/1.16.223/CHANGELOG.rst https://github.com/aws/aws-cli/blob/1.16.189/CHANGELOG.rst https://github.com/aws/aws-cli/blob/1.16.182/CHANGELOG.rst https://github.com/aws/aws-cli/blob/1.16.176/CHANGELOG.rst https://github.com/aws/aws-cli/blob/1.16.103/CHANGELOG.rst https://github.com/aws/aws-cli/blob/1.16.94/CHANGELOG.rst https://github.com/aws/aws-cli/blob/1.16.84/CHANGELOG.rst python-boto3 was updated to 1.9.213, python-botocore was updated to 1.9.188, and python-s3transfer was updated to 1.12.74, fixing lots of bugs and adding features (bsc#1146853, bsc#1146854) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:525-1 Released: Fri Feb 28 11:49:36 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1164562 This update for pam fixes the following issues: - Add libdb as build-time dependency to enable pam_userdb module. Enable pam_userdb.so (jsc#sle-7258, bsc#1164562) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:556-1 Released: Mon Mar 2 13:32:11 2020 Summary: Recommended update for 389-ds Type: recommended Severity: moderate References: 1155951 This update for 389-ds to version 1.4.2.2 fixes the following issues: 389-ds was updated to 1.4.2.6 (fate#326677, bsc#1155951), bringing many bug and stability fixes. Issue addressed: - Enabled python lib389 installer tooling to match upstream and suse documentation. More information for this release at: https://directory.fedoraproject.org/docs/389ds/releases/release-1-4-2-1.html ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:572-1 Released: Tue Mar 3 13:25:41 2020 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1162518 This update for cyrus-sasl fixes the following issues: - Added support for retrieving negotiated SSF in gssapi plugin (bsc#1162518) - Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF (bsc#1162518) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:573-1 Released: Tue Mar 3 13:37:28 2020 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1160160 This update for ca-certificates-mozilla to 2.40 fixes the following issues: Updated to 2.40 state of the Mozilla NSS Certificate store (bsc#1160160): Removed certificates: - Certplus Class 2 Primary CA - Deutsche Telekom Root CA 2 - CN=Swisscom Root CA 2 - UTN-USERFirst-Client Authentication and Email added certificates: - Entrust Root Certification Authority - G4 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:597-1 Released: Thu Mar 5 15:24:09 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1164950 This update for libgcrypt fixes the following issues: - FIPS: Run the self-tests from the constructor [bsc#1164950] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:633-1 Released: Tue Mar 10 16:23:08 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1139939,1151023 This update for aaa_base fixes the following issues: - get_kernel_version: fix for current kernel on s390x (bsc#1151023, bsc#1139939) - added '-h'/'--help' to the command old - change feedback url from http://www.suse.de/feedback to https://github.com/openSUSE/aaa_base/issues ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:668-1 Released: Fri Mar 13 10:48:58 2020 Summary: Security update for glibc Type: security Severity: moderate References: 1163184,1164505,1165784,CVE-2020-10029 This update for glibc fixes the following issues: - CVE-2020-10029: Fixed a potential overflow in on-stack buffer during range reduction (bsc#1165784). - Fixed an issue where pthread were not always locked correctly (bsc#1164505). - Document mprotect and introduce section on memory protection (bsc#1163184). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:689-1 Released: Fri Mar 13 17:09:01 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1166510 This update for PAM fixes the following issue: - The license of libdb linked against pam_userdb is not always wanted, so we temporary disabled pam_userdb again. It will be published in a different package at a later time. (bsc#1166510) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:475-1 Released: Thu Mar 19 11:00:46 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1160595 This update for systemd fixes the following issues: - Remove TasksMax limit for both user and system slices (jsc#SLE-10123) - Backport IP filtering feature (jsc#SLE-7743 bsc#1160595) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:729-1 Released: Thu Mar 19 14:44:22 2020 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1166106 This update for glibc fixes the following issues: - Allow dlopen of filter object to work (bsc#1166106, BZ #16272) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:777-1 Released: Tue Mar 24 18:07:52 2020 Summary: Recommended update for python3 Type: recommended Severity: moderate References: 1165894 This update for python3 fixes the following issue: - Rename idle icons to idle3 in order to not conflict with python2 variant of the package (bsc#1165894) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:793-1 Released: Wed Mar 25 15:16:00 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1139459,1161262,1162108,1164717,1165579,CVE-2020-1712 This update for systemd fixes the following issues: - manager: fix job mode when signalled to shutdown etc (bsc#1161262) - remove fallback for user/exit.target - dbus method Manager.Exit() does not start exit.target - do not install rescue.target for alt-↑ - %j/%J unit specifiers Added support for I/O scheduler selection with blk-mq (bsc#1165579, bsc#1164717). Added the udev 60-ssd-scheduler.rules: - This rules file which select the default IO scheduler for SSDs is being moved out from the git repo since this is not related to systemd or udev at all and is maintained by the kernel team. - core: coldplug possible nop_job (bsc#1139459) - Revert 'udev: use 'deadline' IO scheduler for SSD disks' - Fix typo in function name - polkit: when authorizing via PK let's re-resolve callback/userdata instead of caching it (bsc#1162108 CVE-2020-1712) - sd-bus: introduce API for re-enqueuing incoming messages - polkit: on async pk requests, re-validate action/details ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:814-1 Released: Mon Mar 30 16:23:42 2020 Summary: Recommended update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1 Type: recommended Severity: moderate References: 1161816,1162152,1167223 This update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1 fixes the following issues: libreoffice was updated to 6.4.2.2 (jsc#SLE-11174 jsc#SLE-11175 jsc#SLE-11176 bsc#1167223): Full Release Notes can be found on: https://wiki.documentfoundation.org/ReleaseNotes/6.4 - Fixed broken handling of non-ASCII characters in the KDE filedialog (bsc#1161816) - Move the animation library to core package bsc#1162152 xmlsec1 was updated to 1.2.28: * Added BoringSSL support (chenbd). * Added gnutls-3.6.x support (alonbl). * Added DSA and ECDSA key size getter for MSCNG (vmiklos). * Added --enable-mans configuration option (alonbl). * Added coninuous build integration for MacOSX (vmiklos). * Several other small fixes (more details). - Make sure to recommend at least one backend when you install just xmlsec1 - Drop the gnutls backend as based on the tests it is quite borked: * We still have nss and openssl backend for people to use Version update to 1.2.27: * Added AES-GCM support for OpenSSL and MSCNG (snargit). * Added DSA-SHA256 and ECDSA-SHA384 support for NSS (vmiklos). * Added RSA-OAEP support for MSCNG (vmiklos). * Continuous build integration in Travis and Appveyor. * Several other small fixes (more details). myspell-dictionaries was updated to 20191219: * Updated the English dictionaries: GB+US+CA+AU * Bring shipped Spanish dictionary up to version 2.5 boost was updated to fix: - add a backport of Boost.Optional::has_value() for LibreOffice The QR-Code-generator is shipped: - Initial commit, needed by libreoffice 6.4 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:820-1 Released: Tue Mar 31 13:02:22 2020 Summary: Security update for glibc Type: security Severity: important References: 1167631,CVE-2020-1752 This update for glibc fixes the following issues: - CVE-2020-1752: Fixed a use after free in glob which could have allowed a local attacker to create a specially crafted path that, when processed by the glob function, could potentially have led to arbitrary code execution (bsc#1167631). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:823-1 Released: Tue Mar 31 13:28:14 2020 Summary: Recommended update for parted Type: recommended Severity: moderate References: 1161783,1164260 This update for parted fixes the following issue: - Make parted work with pmemXs devices. (bsc#1164260) - Fix for error when parted output size crashing parted in yast. (bsc#1161783) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:846-1 Released: Thu Apr 2 07:24:07 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1164950,1166748,1167674 This update for libgcrypt fixes the following issues: - FIPS: Remove an unneeded check in _gcry_global_constructor (bsc#1164950) - FIPS: Fix drbg to be threadsafe (bsc#1167674) - FIPS: Run self-tests from constructor during power-on [bsc#1166748] * Set up global_init as the constructor function: * Relax the entropy requirements on selftest. This is especially important for virtual machines to boot properly before the RNG is available: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:917-1 Released: Fri Apr 3 15:02:25 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1166510 This update for pam fixes the following issues: - Moved pam_userdb into a separate package pam-extra. (bsc#1166510) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:935-1 Released: Tue Apr 7 03:46:39 2020 Summary: Recommended update for xfsprogs Type: recommended Severity: moderate References: 1158630,1167205,1167206 This update for xfsprogs fixes the following issues: - xfs_quota: reformat commands in the manpage. (bsc#1167206) Reformat commands in the manpage so that fstest can check that each command is actually documented. - xfs_db: document missing commands. (bsc#1167205) Document the commands 'attr_set', 'attr_remove', 'logformat' in the manpage. - xfs_io: allow size suffixes for the copy_range command. (bsc#1158630) Allow the usage of size suffixes k,m,g for kilobytes, megabytes or gigabytes respectively for the copy_range command ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:948-1 Released: Wed Apr 8 07:44:21 2020 Summary: Security update for gmp, gnutls, libnettle Type: security Severity: moderate References: 1152692,1155327,1166881,1168345,CVE-2020-11501 This update for gmp, gnutls, libnettle fixes the following issues: Security issue fixed: - CVE-2020-11501: Fixed zero random value in DTLS client hello (bsc#1168345) FIPS related bugfixes: - FIPS: Install checksums for binary integrity verification which are required when running in FIPS mode (bsc#1152692, jsc#SLE-9518) - FIPS: Fixed a cfb8 decryption issue, no longer truncate output IV if input is shorter than block size. (bsc#1166881) - FIPS: Added Diffie Hellman public key verification test. (bsc#1155327) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:959-1 Released: Wed Apr 8 12:59:50 2020 Summary: Security update for python-PyYAML Type: security Severity: important References: 1165439,CVE-2020-1747 This update for python-PyYAML fixes the following issues: - CVE-2020-1747: Fixed an arbitrary code execution when YAML files are parsed by FullLoader (bsc#1165439). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:961-1 Released: Wed Apr 8 13:34:06 2020 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1160979 This update for e2fsprogs fixes the following issues: - e2fsck: clarify overflow link count error message (bsc#1160979) - ext2fs: update allocation info earlier in ext2fs_mkdir() (bsc#1160979) - ext2fs: implement dir entry creation in htree directories (bsc#1160979) - tests: add test to excercise indexed directories with metadata_csum (bsc#1160979) - tune2fs: update dir checksums when clearing dir_index feature (bsc#1160979) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:967-1 Released: Thu Apr 9 11:41:53 2020 Summary: Security update for libssh Type: security Severity: moderate References: 1168699,CVE-2020-1730 This update for libssh fixes the following issues: - CVE-2020-1730: Fixed a possible denial of service when using AES-CTR (bsc#1168699). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:979-1 Released: Mon Apr 13 15:42:59 2020 Summary: Recommended update for parted Type: recommended Severity: moderate References: 1168756 This update for parted fixes the following issue: - fix null pointer dereference. (bsc#1168756) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1000-1 Released: Wed Apr 15 14:18:57 2020 Summary: Recommended update for azure-cli tools, python-adal, python-applicationinsights, python-azure modules, python-msrest, python-msrestazure, python-pydocumentdb, python-uamqp, python-vsts-cd-manager Type: recommended Severity: moderate References: 1014478,1054413,1140565,982804,999200 This update for azure-cli tools, python-adal, python-applicationinsights, python-azure modules, python-msrest, python-msrestazure, python-pydocumentdb, python-uamqp, python-vsts-cd-manager fixes the following issues: The Azure python modules and client tool stack was updated to the 2020 state. Various other python modules were added and updated. - python-PyYAML was updated to 5.1.2. - python-humanfriendly was updated 4.16.1. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1037-1 Released: Mon Apr 20 10:49:39 2020 Summary: Recommended update for python-pytest Type: recommended Severity: low References: 1002895,1107105,1138666,1167732 This update fixes the following issues: New python-pytest versions are provided. In Basesystem: - python3-pexpect: updated to 4.8.0 - python3-py: updated to 1.8.1 - python3-zipp: shipped as dependency in version 0.6.0 In Python2: - python2-pexpect: updated to 4.8.0 - python2-py: updated to 1.8.1 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1063-1 Released: Wed Apr 22 10:46:50 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1165539,1169569 This update for libgcrypt fixes the following issues: This update for libgcrypt fixes the following issues: - FIPS: Switch the PCT to use the new signature operation (bsc#1165539) - FIPS: Verify that the generated signature and the original input differ in test_keys function for RSA, DSA and ECC (bsc#1165539) - Add zero-padding when qx and qy have different lengths when assembling the Q point from affine coordinates. - Ship the FIPS checksum file in the shared library package and create a separate trigger file for the FIPS selftests (bsc#1169569) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1094-1 Released: Thu Apr 23 16:34:21 2020 Summary: Recommended update for python-google-api-python-client Type: recommended Severity: moderate References: 1088358,1160933 This update for python-google-api-python-client fixes the following issues: - Fix dependencies to use google-auth instead of deprecated oauth2client (bsc#1160933, jsc#ECO-1148) python-cachetools 2.0.1 is shipped to the Public Cloud Module. python-google-auth 1.5.1 is shipped to the Public Cloud Module. python-google-api-python-client was updated to: - Upgrade to 1.7.4: just series of minor bugfixes - Fix check for error text on Python 3.7. (#278) - Use new Auth URIs. (#281) - Add code-of-conduct document. (#270) - Fix some typos in test_urllib3.py (#268) - Warn when using user credentials from the Cloud SDK (#266) - Add compute engine-based IDTokenCredentials (#236) - Corrected some typos (#265) Update to 1.4.2: - Raise a helpful exception when trying to refresh credentials without a refresh token. (#262) - Fix links to README and CONTRIBUTING in docs/index.rst. (#260) - Fix a typo in credentials.py. (#256) - Use pytest instead of py.test per upstream recommendation, #dropthedot. (#255) - Fix typo on exemple of jwt usage (#245) New upstream release 1.4.1 (bsc#1088358) - Added a check for the cryptography version before attempting to use it. + From version 1.4.0 - Added `cryptography`-based RSA signer and verifier. - Added `google.oauth2.service_account.IDTokenCredentials`. - Improved documentation around ID Tokens + From version 1.3.0 - Added ``google.oauth2.credentials.Credentials.from_authorized_user_file``. - Dropped direct pyasn1 dependency in favor of letting ``pyasn1-modules`` specify the right version. - ``default()`` now checks for the project ID environment var before warning about missing project ID. - Fixed the docstrings for ``has_scopes()`` and ``with_scopes()``. - Fixed example in docstring for ``ReadOnlyScoped``. - Made ``transport.requests`` use timeouts and retries to improve reliability. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1175-1 Released: Tue May 5 08:33:43 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1165011,1168076 This update for systemd fixes the following issues: - Fix check for address to keep interface names stable. (bsc#1168076) - Fix for checking non-normalized WHAT for network FS. (bsc#1165011) - Allow to specify an arbitrary string for when vfs is used. (bsc#1165011) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1214-1 Released: Thu May 7 11:20:34 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1169944 This update for libgcrypt fixes the following issues: - FIPS: libgcrypt: Fixed a double free in test_keys() on failed signature verification (bsc#1169944) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1219-1 Released: Thu May 7 17:10:42 2020 Summary: Security update for openldap2 Type: security Severity: important References: 1170771,CVE-2020-12243 This update for openldap2 fixes the following issues: - CVE-2020-12243: Fixed a denial of service related to recursive filters (bsc#1170771). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1226-1 Released: Fri May 8 10:51:05 2020 Summary: Recommended update for gcc9 Type: recommended Severity: moderate References: 1149995,1152590,1167898 This update for gcc9 fixes the following issues: This update ships the GCC 9.3 release. - Includes a fix for Internal compiler error when building HepMC (bsc#1167898) - Includes fix for binutils version parsing - Add libstdc++6-pp provides and conflicts to avoid file conflicts with same minor version of libstdc++6-pp from gcc10. - Add gcc9 autodetect -g at lto link (bsc#1149995) - Install go tool buildid for bootstrapping go ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1294-1 Released: Mon May 18 07:38:36 2020 Summary: Security update for file Type: security Severity: moderate References: 1154661,1169512,CVE-2019-18218 This update for file fixes the following issues: Security issues fixed: - CVE-2019-18218: Fixed a heap-based buffer overflow in cdf_read_property_info() (bsc#1154661). Non-security issue fixed: - Fixed broken '--help' output (bsc#1169512). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1299-1 Released: Mon May 18 07:43:21 2020 Summary: Security update for libxml2 Type: security Severity: moderate References: 1159928,1161517,1161521,CVE-2019-19956,CVE-2019-20388,CVE-2020-7595 This update for libxml2 fixes the following issues: - CVE-2019-20388: Fixed a memory leak in xmlSchemaPreRun (bsc#1161521). - CVE-2019-19956: Fixed a memory leak (bsc#1159928). - CVE-2020-7595: Fixed an infinite loop in an EOF situation (bsc#1161517). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1303-1 Released: Mon May 18 09:40:36 2020 Summary: Recommended update for timezone Type: recommended Severity: moderate References: 1169582 This update for timezone fixes the following issues: - timezone update 2020a. (bsc#1169582) * Morocco springs forward on 2020-05-31, not 2020-05-24. * Canada's Yukon advanced to -07 year-round on 2020-03-08. * America/Nuuk renamed from America/Godthab. * zic now supports expiration dates for leap second lists. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1308-1 Released: Mon May 18 10:05:46 2020 Summary: Recommended update for psmisc Type: recommended Severity: moderate References: 1170247 This update for psmisc fixes the following issues: - Allow not unique mounts as well as not unique mountpoint. (bsc#1170247) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1328-1 Released: Mon May 18 17:16:04 2020 Summary: Recommended update for grep Type: recommended Severity: moderate References: 1155271 This update for grep fixes the following issues: - Update testsuite expectations, no functional changes (bsc#1155271) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1342-1 Released: Tue May 19 13:27:31 2020 Summary: Recommended update for python3 Type: recommended Severity: moderate References: 1149955,1165894,CVE-2019-16056 This update for python3 fixes the following issues: - Changed the name of idle3 icons to idle3.png to avoid collision with Python 2 version (bsc#1165894). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1361-1 Released: Thu May 21 09:31:18 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1171872 This update for libgcrypt fixes the following issues: - FIPS: RSA/DSA/ECC test_keys() print out debug messages only in debug mode (bsc#1171872) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1370-1 Released: Thu May 21 19:06:00 2020 Summary: Recommended update for systemd-presets-branding-SLE Type: recommended Severity: moderate References: 1171656 This update for systemd-presets-branding-SLE fixes the following issues: Cleanup of outdated autostart services (bsc#1171656): - Remove acpid.service. acpid is only available on SLE via openSUSE backports. In openSUSE acpid.service is *not* autostarted. I see no reason why it should be on SLE. - Remove spamassassin.timer. This timer never seems to have existed. Instead spamassassin ships a 'sa-update.timer'. But it is not default-enabled and nobody ever complained about this. - Remove snapd.apparmor.service: This service was proactively added a year ago, but snapd didn't even make it into openSUSE yet. There's no reason to keep this entry unless snapd actually enters SLE which is not foreseeable. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1396-1 Released: Mon May 25 12:04:39 2020 Summary: Security update for zstd Type: security Severity: moderate References: 1082318,1133297 This update for zstd fixes the following issues: - Fix for build error caused by wrong static libraries. (bsc#1133297) - Correction in spec file marking the license as documentation. (bsc#1082318) - Add new package for SLE-15. (jsc#ECO-1886) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1400-1 Released: Mon May 25 14:09:02 2020 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1162930 This update for glibc fixes the following issues: - nptl: wait for pending setxid request also in detached thread. (bsc#1162930) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1404-1 Released: Mon May 25 15:32:34 2020 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1138793,1166260 This update for zlib fixes the following issues: - Including the latest fixes from IBM (bsc#1166260) IBM Z mainframes starting from version z15 provide DFLTCC instruction, which implements deflate algorithm in hardware with estimated compression and decompression performance orders of magnitude faster than the current zlib and ratio comparable with that of level 1. - Add SUSE specific fix to solve bsc#1138793. The fix will avoid to test if the app was linked with exactly same version of zlib like the one that is present on the runtime. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1409-1 Released: Mon May 25 17:01:33 2020 Summary: Security update for libxslt Type: security Severity: moderate References: 1140095,1140101,1154609,CVE-2019-13117,CVE-2019-13118,CVE-2019-18197 This update for libxslt fixes the following issues: Security issues fixed: - CVE-2019-13118: Fixed a read of uninitialized stack data (bsc#1140101). - CVE-2019-13117: Fixed a uninitialized read which allowed to discern whether a byte on the stack contains certain special characters (bsc#1140095). - CVE-2019-18197: Fixed a dangling pointer in xsltCopyText which may have led to information disclosure (bsc#1154609). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1492-1 Released: Wed May 27 18:32:41 2020 Summary: Recommended update for python-rpm-macros Type: recommended Severity: moderate References: 1171561 This update for python-rpm-macros fixes the following issue: - Update to version 20200207.5feb6c1 (bsc#1171561) * Do not write .pyc files for tests ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1496-1 Released: Wed May 27 20:30:31 2020 Summary: Recommended update for python-requests Type: recommended Severity: low References: 1170175 This update for python-requests fixes the following issues: - Fix for warnings 'test fails to build' for python http. (bsc#1170175) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1506-1 Released: Fri May 29 17:22:11 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1087982,1170527 This update for aaa_base fixes the following issues: - Not all XTerm based emulators do have a terminfo entry. (bsc#1087982) - Better support of Midnight Commander. (bsc#1170527) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1532-1 Released: Thu Jun 4 10:16:12 2020 Summary: Security update for libxml2 Type: security Severity: moderate References: 1172021,CVE-2019-19956 This update for libxml2 fixes the following issues: - CVE-2019-19956: Reverted the upstream fix for this memory leak because it introduced other, more severe vulnerabilities (bsc#1172021). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1542-1 Released: Thu Jun 4 13:24:37 2020 Summary: Recommended update for timezone Type: recommended Severity: moderate References: 1172055 This update for timezone fixes the following issue: - zdump --version reported 'unknown' (bsc#1172055)