SUSE Container Update Advisory: rancher/seedimage-builder
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:4258-1
Container Tags        : rancher/seedimage-builder:1.6.4 , rancher/seedimage-builder:1.6.4-2.12 , rancher/seedimage-builder:latest
Container Release     : 2.12
Severity              : important
Type                  : security
References            : 1188441 1199079 1220356 1220724 1221239 1221289 1221399 1221482
                        1221665 1221666 1221667 1221668 1221940 1222992 1223423 1223424
                        1223425 1224282 1227525 1227888 1228041 1228535 1229930 1229931
                        1229932 CVE-2024-2004 CVE-2024-2379 CVE-2024-2398 CVE-2024-2466
                        CVE-2024-28182 CVE-2024-28757 CVE-2024-2961 CVE-2024-33599
                        CVE-2024-33600 CVE-2024-33601 CVE-2024-33602 CVE-2024-34459
                        CVE-2024-45490 CVE-2024-45491 CVE-2024-45492 CVE-2024-6197
                        CVE-2024-7264
-----------------------------------------------------------------

The container rancher/seedimage-builder was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 9
Released:    Fri Aug  9 10:33:34 2024
Summary:     Recommended update for bash, libcap-ng, libselinux, libselinux-bindings, libsemanage, zypper
Type:        recommended
Severity:    low
References:
This update fixes the following issues:

- No change rebuild due to dependency changes.

-----------------------------------------------------------------
Advisory ID: 18
Released:    Tue Aug 20 13:47:06 2024
Summary:     Security update for nghttp2
Type:        security
Severity:    important
References:  1221399,CVE-2024-28182
This update for nghttp2 fixes the following issues:

- CVE-2024-28182: Fixed denial of service via http/2 continuation frames (bsc#1221399)

-----------------------------------------------------------------
Advisory ID: 24
Released:    Wed Aug 28 13:31:01 2024
Summary:     Security update for ca-certificates-mozilla
Type:        security
Severity:    important
References:  1199079,1220356,1227525
This update for ca-certificates-mozilla fixes the following issues:

- Updated to 2.68 state of Mozilla SSL root CAs (bsc#1227525)
  - Added: FIRMAPROFESIONAL CA ROOT-A WEB
  - Distrust: GLOBALTRUST 2020
- Updated to 2.66 state of Mozilla SSL root CAs (bsc#1220356)
  Added:
  - CommScope Public Trust ECC Root-01
  - CommScope Public Trust ECC Root-02
  - CommScope Public Trust RSA Root-01
  - CommScope Public Trust RSA Root-02
  - D-Trust SBR Root CA 1 2022
  - D-Trust SBR Root CA 2 2022
  - Telekom Security SMIME ECC Root 2021
  - Telekom Security SMIME RSA Root 2023
  - Telekom Security TLS ECC Root 2020
  - Telekom Security TLS RSA Root 2023
  - TrustAsia Global Root CA G3
  - TrustAsia Global Root CA G4
  Removed:
  - Autoridad de Certificacion Firmaprofesional CIF A62634068
  - Chambers of Commerce Root - 2008
  - Global Chambersign Root - 2008
  - Security Communication Root CA
  - Symantec Class 1 Public Primary Certification Authority - G6
  - Symantec Class 2 Public Primary Certification Authority - G6
  - TrustCor ECA-1
  - TrustCor RootCert CA-1
  - TrustCor RootCert CA-2
  - VeriSign Class 1 Public Primary Certification Authority - G3
  - VeriSign Class 2 Public Primary Certification Authority - G3

-----------------------------------------------------------------
Advisory ID: 29
Released:    Wed Sep  4 12:41:35 2024
Summary:     Recommended update for gcc13
Type:        recommended
Severity:    important
References:  1188441,1220724,1221239
This update for gcc13 fixes the following issues:

- Update to GCC 13.3 release
- Removed Fiji support from the GCN offload compiler as that is requiring Code Object version 3 which is no longer supported by llvm18.
- Avoid combine spending too much compile-time and memory doing nothing on s390x. [bsc#1188441]
- Make requirement to lld version specific to avoid requiring the meta-package.
- Fix unwinding for JIT code. [bsc#1221239]
- Revert libgccjit dependency change. [bsc#1220724]

-----------------------------------------------------------------
Advisory ID: 30
Released:    Wed Sep  4 16:07:40 2024
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1221665,1221666,1221667,1221668,1227888,1228535,CVE-2024-2004,CVE-2024-2379,CVE-2024-2398,CVE-2024-2466,CVE-2024-6197,CVE-2024-7264
This update for curl fixes the following issues:

Security issues fixed:

- CVE-2024-7264: ASN.1 date parser overread (bsc#1228535)
- CVE-2024-6197: Freeing stack buffer in utf8asn1str (bsc#1227888)
- CVE-2024-2379: QUIC certificate check bypass with wolfSSL (bsc#1221666)
- CVE-2024-2466: TLS certificate check bypass with mbedTLS (bsc#1221668)
- CVE-2024-2004: Usage of disabled protocol (bsc#1221665)
- CVE-2024-2398: HTTP/2 push headers memory-leak (bsc#1221667)

Non-security issue fixed:

- Fixed various TLS related issues including FTP over SSL transmission timeouts.

-----------------------------------------------------------------
Advisory ID: 32
Released:    Thu Sep  5 12:12:35 2024
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1221482,1221940,1222992,1223423,1223424,1223425,1228041,CVE-2024-2961,CVE-2024-33599,CVE-2024-33600,CVE-2024-33601,CVE-2024-33602
This update for glibc fixes the following issues:

Fixed security issues:

- CVE-2024-33602: Use time_t for return type of addgetnetgrentX (bsc#1223425)
- CVE-2024-33599: nscd: Stack-based buffer overflow in netgroup cache (bsc#1223423)
- CVE-2024-33600: nscd: Avoid null pointer crashes after notfound response (bsc#1223424)
- CVE-2024-33600: nscd: Do not send missing not-found response in addgetnetgrentX (bsc#1223424)
- CVE-2024-33601, CVE-2024-33602: netgroup: Use two buffers in addgetnetgrentX (bsc#1223425)
- CVE-2024-2961: iconv: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence (bsc#1222992)

Fixed non-security issues:

- Add workaround for invalid use of libc_nonshared.a with non-SUSE libc (bsc#1221482)
- Fix segfault in wcsncmp (bsc#1228041)
- Also include stat64 in the 32-bit libc_nonshared.a workaround (bsc#1221482)
- Avoid creating ULP prologue for _start routine (bsc#1221940)
- Also add libc_nonshared.a workaround to 32-bit x86 compat package (bsc#1221482)
- malloc: Use __get_nprocs on arena_get2
- linux: Use rseq area unconditionally in sched_getcpu

-----------------------------------------------------------------
Advisory ID: 44
Released:    Wed Sep 11 13:33:01 2024
Summary:     Security update for expat
Type:        security
Severity:    important
References:  1221289,1229930,1229931,1229932,CVE-2024-28757,CVE-2024-45490,CVE-2024-45491,CVE-2024-45492
This update for expat fixes the following issues:

- CVE-2024-45492: detect integer overflow in function nextScaffoldPart (bsc#1229932)
- CVE-2024-45491: detect integer overflow in dtdCopy (bsc#1229931)
- CVE-2024-45490: reject negative len for XML_ParseBuffer (bsc#1229930)
- CVE-2024-28757: XML Entity Expansion attack when there is isolated use of external parsers (bsc#1221289)

-----------------------------------------------------------------
Advisory ID: 45
Released:    Wed Sep 11 13:41:31 2024
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1224282,CVE-2024-34459
This update for libxml2 fixes the following issues:

- CVE-2024-34459: Fixed buffer over-read in (bsc#1224282)

-----------------------------------------------------------------

The following package changes have been done:

- boost-license1_84_0-1.84.0-1.4 added
- compat-usrmerge-tools-84.87-2.195 added
- crypto-policies-20230920.570ea89-1.50 updated
- file-magic-5.44-4.151 added
- kbd-legacy-2.6.4-1.3 added
- libsemanage-conf-3.5-3.1 added
- libssh-config-0.10.6-1.12 updated
- pkgconf-m4-1.8.0-2.205 added
- system-user-root-20190513-2.208 updated
- filesystem-84.87-5.2 updated
- glibc-2.38-7.1 updated
- libzstd1-1.5.5-8.142 updated
- libz1-1.2.13-6.138 updated
- libverto1-0.3.2-12.5 updated
- libuuid1-2.39.3-2.7 added
- libunistring5-1.1-2.8 added
- libtasn1-6-4.19.0-2.7 updated
- libsmartcols1-2.39.3-2.7 added
- libsepol2-3.5-2.196 added
- libseccomp2-2.5.4-2.199 added
- libsasl2-3-2.1.28-5.7 updated
- libpopt0-1.19-2.184 added
- libpkgconf3-1.8.0-2.205 added
- libpcre2-8-0-10.42-2.179 added
- libnss_usrfiles2-2.27-2.185 added
- libnghttp2-14-1.52.0-5.1 updated
- liblzma5-5.4.3-4.166 updated
- liblz4-1-1.9.4-2.8 added
- liblua5_4-5-5.4.6-1.68 added
- libkeyutils1-1.6.3-2.8 updated
- libip4tc2-1.8.9-2.9 added
- libgpg-error0-1.47-4.136 added
- libgmp10-6.3.0-1.119 updated
- libgcc_s1-13.3.0+git8781-1.1 updated
- libffi8-3.4.4-2.182 added
- libexpat1-2.5.0-3.1 added
- libeconf0-0.6.1-1.13 added
- libcrypt1-4.4.36-1.134 added
- libcom_err2-1.47.0-2.3 updated
- libcap2-2.69-2.83 updated
- libcap-ng0-0.8.3-4.1 added
- libbz2-1-1.0.8-2.191 updated
- libbrotlicommon1-1.1.0-1.6 updated
- libblkid1-2.39.3-2.7 added
- libaudit1-3.0.9-3.143 added
- libattr1-2.5.1-2.193 updated
- libalternatives1-1.2+30.a5431e9-2.12 added
- libacl1-2.3.1-2.187 updated
- fillup-1.42-2.7 added
- diffutils-3.10-2.101 added
- libidn2-0-2.3.4-2.6 updated
- pkgconf-1.8.0-2.205 added
- libselinux1-3.5-3.1 updated
- netcfg-11.6-4.42 added
- libxml2-2-2.11.6-3.1 added
- libgcrypt20-1.10.3-1.37 added
- libstdc++6-13.3.0+git8781-1.1 updated
- libncurses6-6.4.20240224-10.2 updated
- terminfo-base-6.4.20240224-10.2 updated
- libp11-kit0-0.25.3-1.6 updated
- perl-base-5.38.2-1.52 added
- libudev1-254.9-1.9 added
- chkstat-1600_20240206-1.8 added
- libzio1-1.08-2.192 updated
- libmagic1-5.44-4.151 added
- libbrotlidec1-1.1.0-1.6 updated
- libfdisk1-2.39.3-2.7 added
- alts-1.2+30.a5431e9-2.12 added
- libpsl5-0.21.2-2.5 updated
- sed-4.9-2.9 added
- libsubid4-4.15.1-1.1 added
- libsemanage2-3.5-3.1 added
- libmount1-2.39.3-2.7 added
- findutils-4.9.0-2.181 updated
- libsystemd0-254.9-1.9 added
- libreadline8-8.2-2.180 added
- bash-5.2.15-3.1 updated
- p11-kit-0.25.3-1.6 updated
- p11-kit-tools-0.25.3-1.6 updated
- ncurses-utils-6.4.20240224-10.2 added
- libboost_thread1_84_0-1.84.0-1.4 added
- bash-sh-5.2.15-3.1 updated
- xz-5.4.3-4.166 added
- systemd-default-settings-branding-openSUSE-0.7-2.4 added
- systemd-default-settings-0.7-2.4 added
- pkgconf-pkg-config-1.8.0-2.205 added
- login_defs-4.15.1-1.1 added
- grep-3.11-4.8 added
- coreutils-9.4-4.8 updated
- systemd-presets-common-SUSE-15-5.1 added
- rpm-config-SUSE-20240214-1.1 added
- rpm-4.18.0-6.133 added
- permissions-config-1600_20240206-1.8 added
- glibc-locale-base-2.38-7.1 added
- ca-certificates-2+git20230406.2dae8b7-2.8 updated
- ca-certificates-mozilla-2.68-1.1 updated
- systemd-presets-branding-ALP-transactional-20230214-3.1 added
- permissions-1600_20240206-1.8 added
- libopenssl3-3.1.4-5.6 added
- pam-1.6.0-2.22 added
- libldap2-2.6.4-4.12 added
- libkmod2-30-10.56 added
- krb5-1.20.1-4.11 updated
- util-linux-2.39.3-2.7 added
- shadow-4.15.1-1.1 added
- pam-config-2.11-1.1 added
- kbd-2.6.4-1.3 added
- libssh4-0.10.6-1.12 updated
- libcurl4-8.6.0-2.1 updated
- curl-8.6.0-2.1 updated
- aaa_base-84.87+git20230815.cab7b44-1.8 added
- dbus-1-daemon-1.14.10-1.11 added
- dbus-1-tools-1.14.10-1.11 added
- systemd-254.9-1.9 added
- sysuser-shadow-3.1-2.197 added
- dbus-1-common-1.14.10-1.11 added
- libdbus-1-3-1.14.10-1.11 added
- dbus-1-1.14.10-1.11 added
- container:suse-toolbox-image-1.0.0-6.51 added
- container:suse-sle15-15.5-- removed
- info-6.5-4.17 removed
- libffi7-3.2.1.git259-10.8 removed
- libjitterentropy3-3.4.1-150000.1.12.1 removed
- libldap-2_4-2-2.4.46-150200.14.17.1 removed
- libldap-data-2.4.46-150200.14.17.1 removed
- libopenssl1_1-1.1.1l-150500.17.31.1 removed
- libopenssl1_1-hmac-1.1.1l-150500.17.31.1 removed
- libreadline7-7.0-150400.25.22 removed
- libtasn1-4.13-150000.4.8.1 removed
- libunistring2-0.9.10-1.1 removed
- openssl-1_1-1.1.1l-150500.17.31.1 removed
- patterns-base-fips-20200124-150400.20.4.1 removed
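The package change list is the part of this advisory a practitioner can actually verify: a container built from this image (or a derived one that pinned older packages) either carries the listed NAME-VERSION-RELEASE or it does not. The script below is an added example, not SUSE or Rancher tooling. It parses change lines in the format used on this page, parses the output of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` taken inside the container, and reports for each advisory package whether the installed build is current, older, absent, or (for "removed" entries) still present. Version ordering is a port of RPM's rpmvercmp so that release bumps such as 4.1 to 5.1 and pre-release tildes compare the way rpm itself would. The installed listing embedded here is constructed sample data with hypothetical older build numbers, not output from a real image, and the epoch is assumed to be 0 because the advisory strings carry none.

```python
"""Compare a container's installed RPMs against a SUSE container advisory's
package change list.  Added example; not SUSE/Rancher tooling."""
import re
from typing import Dict, Tuple

# Constructed subset of this advisory's "package changes" section.
ADVISORY_CHANGES = """\
- libcurl4-8.6.0-2.1 updated
- curl-8.6.0-2.1 updated
- libnghttp2-14-1.52.0-5.1 updated
- glibc-2.38-7.1 updated
- libexpat1-2.5.0-3.1 added
- libxml2-2-2.11.6-3.1 added
- ca-certificates-mozilla-2.68-1.1 updated
- libopenssl1_1-1.1.1l-150500.17.31.1 removed
"""

# Constructed sample of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'`
# from a hypothetical image that predates this advisory.
INSTALLED = """\
libcurl4-8.6.0-2.1
curl-8.6.0-2.1
libnghttp2-14-1.52.0-4.1
glibc-2.38-7.1
libxml2-2-2.11.6-2.1
ca-certificates-mozilla-2.66-1.1
libopenssl1_1-1.1.1l-150500.17.31.1
"""

CHANGE_LINE = re.compile(r"^\s*-\s+(\S+)\s+(added|updated|removed)\s*$")


def parse_nvr(nvr: str) -> Tuple[str, str, str]:
    """Split NAME-VERSION-RELEASE at the last two hyphens; RPM forbids '-'
    inside VERSION and RELEASE, so the split is unambiguous."""
    parts = nvr.rsplit("-", 2)
    if len(parts) != 3:
        raise ValueError(f"not a NAME-VERSION-RELEASE string: {nvr!r}")
    return parts[0], parts[1], parts[2]


def rpmvercmp(a: str, b: str) -> int:
    """Port of RPM's rpmvercmp(): -1, 0 or 1 for a <, ==, > b.  Digit runs
    compare numerically, letter runs lexically; '~' sorts before the end of
    string, '^' after the end of string but before any further segment."""
    if a == b:
        return 0
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        while i < la and not (a[i].isalnum() or a[i] in "~^"):  # skip separators
            i += 1
        while j < lb and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ta = a[i] if i < la else ""
        tb = b[j] if j < lb else ""
        if ta == "~" or tb == "~":
            if ta != "~":
                return 1
            if tb != "~":
                return -1
            i += 1; j += 1
            continue
        if ta == "^" or tb == "^":
            if not ta:
                return -1
            if not tb:
                return 1
            if ta != "^":
                return 1
            if tb != "^":
                return -1
            i += 1; j += 1
            continue
        if not (ta and tb):
            break
        si, sj = i, j
        isnum = ta.isdigit()
        if isnum:
            while i < la and a[i].isdigit(): i += 1
            while j < lb and b[j].isdigit(): j += 1
        else:
            while i < la and a[i].isalpha(): i += 1
            while j < lb and b[j].isalpha(): j += 1
        sa, sb = a[si:i], b[sj:j]
        if not sb:                       # digit vs. letter segment: digits win
            return 1 if isnum else -1
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= la and j >= lb:
        return 0
    return -1 if i >= la else 1


def compare_vr(have: Tuple[str, str], want: Tuple[str, str]) -> int:
    """Compare (version, release) pairs; epoch assumed 0 on both sides."""
    c = rpmvercmp(have[0], want[0])
    return c if c else rpmvercmp(have[1], want[1])


def parse_advisory_changes(text: str) -> Dict[str, Tuple[str, str, str]]:
    changes = {}
    for line in text.splitlines():
        m = CHANGE_LINE.match(line)
        if m:
            name, ver, rel = parse_nvr(m.group(1))
            changes[name] = (ver, rel, m.group(2))
    return changes


def parse_installed(text: str) -> Dict[str, Tuple[str, str]]:
    installed = {}
    for line in text.splitlines():
        if line.strip():
            name, ver, rel = parse_nvr(line.strip())
            installed[name] = (ver, rel)
    return installed


def audit(advisory_text: str, installed_text: str) -> Dict[str, str]:
    """Return {package: 'ok'|'outdated'|'missing'|'still-present'}."""
    want, have = parse_advisory_changes(advisory_text), parse_installed(installed_text)
    result = {}
    for name, (ver, rel, action) in want.items():
        if action == "removed":
            result[name] = "still-present" if name in have else "ok"
        elif name not in have:
            result[name] = "missing"
        elif compare_vr(have[name], (ver, rel)) < 0:
            result[name] = "outdated"
        else:
            result[name] = "ok"
    return result


if __name__ == "__main__":
    for pkg, status in sorted(audit(ADVISORY_CHANGES, INSTALLED).items()):
        print(f"{status:13s} {pkg}")
```

Feed it the full "package changes" section of the advisory and the real `rpm -qa` output from the container to be checked; "outdated" on any of the security-relevant packages (libcurl4, libnghttp2-14, glibc, libexpat1, libxml2-2, ca-certificates-mozilla) means the listed CVEs are not fixed in that container, and "still-present" for the removed openssl-1_1 packages means the image was not rebuilt from this base. "missing" is only a finding when the package is expected in the derived image.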