SUSE Container Update Advisory: suse/manager/5.0/x86_64/server-attestation
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:3208-1
Container Tags        : suse/manager/5.0/x86_64/server-attestation:5.0.0 , suse/manager/5.0/x86_64/server-attestation:5.0.0.4.5 , suse/manager/5.0/x86_64/server-attestation:latest
Container Release     : 4.5
Severity              : important
Type                  : security
References            : 1188441 1209627 1221482 1223428 1224044 1224388 1225291 1225551 CVE-2024-34397 CVE-2024-4603 CVE-2024-4741
-----------------------------------------------------------------

The container suse/manager/5.0/x86_64/server-attestation was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:1764-1
Released:    Thu May 23 04:56:40 2024
Summary:     Recommended update for jackson
Type:        recommended
Severity:    moderate
References:
This update for jackson fixes the following issues:

jackson-annotations was upgraded to version 2.16.1:
- Added new OptBoolean valued property in @JsonTypeInfo to allow per-type configuration of strict type id handling
- Allow per-type configuration of strict type id handling
- Added JsonTypeInfo.Value object (backport from 3.0)
- Added new JsonTypeInfo.Id.SIMPLE_NAME

jackson-bom was upgraded to version 2.16.1:
- Added dependency for jackson-module-android-record. This new module offers support for the Record type on the Android platform, where Java records are supported through 'de-sugaring'

jackson-core was upgraded to version 2.16.1:
- NPE in Version.equals() if snapshot-info null
- NPE in 'FastDoubleParser', method 'JavaBigDecimalParser.parseBigDecimal()'
- JsonPointer.append(JsonPointer.tail()) includes the original pointer
- Change StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION default to false in Jackson 2.16
- Improve error message for StreamReadConstraints violations
- JsonFactory implementations should respect CANONICALIZE_FIELD_NAMES
- Root cause for failing test for testMangledIntsBytes() in ParserErrorHandlingTest
- Allow all array elements in JsonPointerBasedFilter
- Indicate explicitly blocked sources as 'REDACTED' instead of 'UNKNOWN' in JsonLocation
- Start using AssertJ in unit tests
- Allow configuring spaces before and/or after the colon in DefaultPrettyPrinter (for Canonical JSON)
- Add configurable limit for the maximum number of bytes/chars of content to parse before failing
- Add configurable limit for the maximum length of Object property names to parse before failing
- Add configurable processing limits for JSON generator (StreamWriteConstraints)
- Compare _snapshotInfo in Version
- Add JsonGeneratorDecorator to allow decorating JsonGenerators
- Add full set of BufferRecyclerPool implementations
- Add configurable error report behavior via ErrorReportConfiguration
- Make ByteSourceJsonBootstrapper use StringReader for < 8KiB byte[] inputs
- Allow pluggable buffer recycling via new RecyclerPool extension point
- Change parsing error message to mention -INF

jackson-databind was upgraded to version 2.16.1:
- JsonSetter(contentNulls = FAIL) is ignored in delegating @JsonCreator argument
- Primitive array deserializer not being captured by DeserializerModifier
- JsonNode.findValues() and findParents() missing expected values in 2.16.0
- Incorrect deserialization for BigDecimal numbers
- Add a way to configure caches Jackson uses
- Mix-ins do not work for Enums
- Map deserialization results in different numeric classes based on json ordering (BigDecimal / Double) when used in combination with @JsonSubTypes
- Generic class with generic field of runtime type Double is deserialized as BigDecimal when used with @JsonTypeInfo and JsonTypeInfo.As.EXISTING_PROPERTY
- Combination of @JsonUnwrapped and @JsonAnySetter results in BigDecimal instead of Double
- @JsonIgnoreProperties not working with @JsonValue
- Deprecated JsonNode.with(String) suggests using JsonNode.withObject(String) but it is not the same thing
- Difference in the handling of ObjectId-property in JsonIdentityInfo depending on the deserialization route
- Add new OptBoolean valued property in @JsonTypeInfo, handling, to allow per-polymorphic type loose Type Id handling
- Fixed regression in 2.15.0 that breaks deserialization for records when mapper.setVisibility(PropertyAccessor.ALL, Visibility.NONE)
- Incorrect target type when disabling coercion, trying to deserialize String from Array/Object
- @JsonProperty on constructor parameter changes default field serialization order
- Create new JavaType subtype IterationType (extending SimpleType)
- Use JsonTypeInfo.Value for annotation handling
- Add JsonNodeFeature.WRITE_PROPERTIES_SORTED for sorting ObjectNode properties on serialization (for Canonical JSON)
- Optimize ObjectNode findValue(s) and findParent(s) fast paths
- Locale '' is deserialised as null if ACCEPT_EMPTY_STRING_AS_NULL_OBJECT is enabled
- Add guardrail setting for TypeParser handling of type parameters
- Use @JsonProperty for Enum values also when READ_ENUMS_USING_TO_STRING enabled
- Fix Enum deserialization to use @JsonProperty, @JsonAlias even if EnumNamingStrategy used
- Use @JsonProperty and lowercase feature when serializing Enums despite using toString()
- Use @JsonProperty over EnumNamingStrategy for Enum serialization
- Actually cache EnumValues#internalMap
- ObjectMapper.valueToTree() will ignore the configuration SerializationFeature.WRAP_ROOT_VALUE
- Provide the 'ObjectMapper.treeToValue(TreeNode, TypeReference)' method
- Expose NativeImageUtil.isRunningInNativeImage() method
- Add JsonTypeInfo.Id.SIMPLE_NAME which defaults type id to Class.getSimpleName()
- Impossible to deserialize custom Throwable sub-classes that do not have single-String constructors
- java.desktop module is no longer optional
- ClassUtil fails with java.lang.reflect.InaccessibleObjectException trying to setAccessible on OptionalInt with JDK 17+
- Support sequenced collections (JDK 21)
- Add withObjectProperty(String), withArrayProperty(String) in JsonNode
- Change JsonNode.withObject(String) to work similar to withArray() wrt argument
- Log WARN if deprecated subclasses of PropertyNamingStrategy are used
- NPE when transforming a tree to a model class object, at ArrayNode.elements()
- Deprecated ObjectReader.withType(Type) has no direct replacement; need forType(Type)
- Add new DefaultTyping.NON_FINAL_AND_ENUMS to allow Default Typing for Enums
- Do not rewind position when serializing direct ByteBuffer
- Exception when deserializing a private record with default constructor
- BeanDeserializer updates currentValue incorrectly when deserialising empty Object

jackson-dataformats-binary was upgraded to version 2.16.1:
- (ion) NullPointerException in IonParser.nextToken()
- (smile) Remove Smile-specific buffer-recycling

jackson-modules-base was upgraded to version 2.16.1:
- (afterburner) Disable when running in native-image
- (afterburner) IncompatibleClassChangeError when deserializing a class implementing an interface with default get/set implementations
- (blackbird) BlackBird proxy object error in Java 17
- (blackbird) Disable when running in native-image
- (guice) Add guice7 (jakarta.inject) module

jackson-parent was upgraded to version 2.16:
- Upgrade to oss-parent 56 (tons of plugin updates to resolve Maven warnings, new Moditect plugin)

jackson-parent, fasterxml-oss-parent:
- Added to SUSE Manager 4.3 as it is needed by `jackson-modules-base`

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:1950-1
Released:    Fri Jun 7 17:20:14 2024
Summary:     Security update for glib2
Type:        security
Severity:    moderate
References:  1224044,CVE-2024-34397
This update for glib2 fixes the following issues:

Update to version 2.78.6:
+ Fix a regression with IBus caused by the fix for CVE-2024-34397

Changes in version 2.78.5:
+ Fix CVE-2024-34397: GDBus signal subscriptions for well-known names are vulnerable to unicast spoofing. (bsc#1224044)
+ Bugs fixed:
  - gvfs-udisks2-volume-monitor SIGSEGV in g_content_type_guess_for_tree() due to filename with bad encoding
  - gcontenttype: Make filename valid utf-8 string before processing.
  - gdbusconnection: Don't deliver signals if the sender doesn't match.

Changes in version 2.78.4:
+ Bugs fixed:
  - Fix generated RST anchors for methods, signals and properties.
  - docs/reference: depend on a native gtk-doc.
  - gobject_gdb.py: Do not break bt on optimized build.
  - gregex: clean up usage of _GRegex.jit_status.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:1954-1
Released:    Fri Jun 7 18:01:06 2024
Summary:     Recommended update for glibc
Type:        recommended
Severity:    moderate
References:  1221482
This update for glibc fixes the following issues:

- Also include stat64 in the 32-bit libc_nonshared.a workaround (bsc#1221482)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2024-1
Released:    Thu Jun 13 16:15:18 2024
Summary:     Recommended update for jitterentropy
Type:        recommended
Severity:    moderate
References:  1209627
This update for jitterentropy fixes the following issues:

- Fixed a stack corruption on s390x: [bsc#1209627]
  * Output size of the STCKE command on s390x is 16 bytes, compared to 8 bytes of the STCK command. Fix a stack corruption in the s390x version of jent_get_nstime(). Add some more detailed information on the STCKE command.

- Updated to 3.4.1
  * add FIPS 140 hints to man page
  * simplify the test tool to search for optimal configurations
  * fix: jent_loop_shuffle: re-add setting the time that was lost with 3.4.0
  * enhancement: add ARM64 assembler code to read high-res timer

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2066-1
Released:    Tue Jun 18 13:16:09 2024
Summary:     Security update for openssl-3
Type:        security
Severity:    important
References:  1223428,1224388,1225291,1225551,CVE-2024-4603,CVE-2024-4741
This update for openssl-3 fixes the following issues:

Security issues fixed:

- CVE-2024-4603: Check DSA parameters for excessive sizes before validating (bsc#1224388)
- CVE-2024-4741: Fixed a use-after-free with SSL_free_buffers. (bsc#1225551)

Other issues fixed:

- Enable livepatching support (bsc#1223428)
- Fix HKDF key derivation (bsc#1225291, gh#openssl/openssl#23448, gh#openssl/openssl#23456)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2086-1
Released:    Wed Jun 19 11:48:24 2024
Summary:     Recommended update for gcc13
Type:        recommended
Severity:    moderate
References:  1188441
This update for gcc13 fixes the following issues:

Update to GCC 13.3 release

- Removed Fiji support from the GCN offload compiler as that requires Code Object version 3, which is no longer supported by llvm18.
- Avoid combine spending too much compile-time and memory doing nothing on s390x. [bsc#1188441]
- Make the requirement on the lld version specific to avoid requiring the meta-package.

The following package changes have been done:

- glibc-2.38-150600.14.5.1 updated
- libgcc_s1-13.3.0+git8781-150000.1.12.1 updated
- libstdc++6-13.3.0+git8781-150000.1.12.1 updated
- libopenssl-3-fips-provider-3.1.4-150600.5.7.1 updated
- libjitterentropy3-3.4.1-150000.1.12.1 updated
- libglib-2_0-0-2.78.6-150600.4.3.1 updated
- libopenssl3-3.1.4-150600.5.7.1 updated
- openssl-3-3.1.4-150600.5.7.1 updated
- jackson-core-2.16.1-150200.3.14.7 updated
- jackson-annotations-2.16.1-150200.3.14.4 updated
- jackson-databind-2.16.1-150200.3.18.1 updated