SUSE Container Update Advisory: sles12/pause ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2019:432-1 Container Tags : sles12/pause:1.0.0 Container Release : 2.3.231 Severity : important Type : security References : 1087481 1091236 1096974 1096984 1100078 1113975 1117951 1126117 1126118 1126119 1127080 1128471 1128472 1128474 1128476 1128480 1128481 1128490 1128492 1128493 1130324 CVE-2018-10360 CVE-2019-1559 CVE-2019-3855 CVE-2019-3856 CVE-2019-3857 CVE-2019-3858 CVE-2019-3859 CVE-2019-3860 CVE-2019-3861 CVE-2019-3862 CVE-2019-3863 CVE-2019-8905 CVE-2019-8906 CVE-2019-8907 CVE-2019-9924 ----------------------------------------------------------------- The container sles12/pause was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:655-1 Released: Wed Mar 20 10:30:49 2019 Summary: Security update for libssh2_org Type: security Severity: moderate References: 1091236,1128471,1128472,1128474,1128476,1128480,1128481,1128490,1128492,1128493,CVE-2019-3855,CVE-2019-3856,CVE-2019-3857,CVE-2019-3858,CVE-2019-3859,CVE-2019-3860,CVE-2019-3861,CVE-2019-3862,CVE-2019-3863 This update for libssh2_org fixes the following issues: Security issues fixed: - CVE-2019-3861: Fixed Out-of-bounds reads with specially crafted SSH packets (bsc#1128490). - CVE-2019-3862: Fixed Out-of-bounds memory comparison with specially crafted message channel request packet (bsc#1128492). - CVE-2019-3860: Fixed Out-of-bounds reads with specially crafted SFTP packets (bsc#1128481). - CVE-2019-3863: Fixed an Integer overflow in user authenticate keyboard interactive which could allow out-of-bounds writes with specially crafted keyboard responses (bsc#1128493). - CVE-2019-3856: Fixed a potential Integer overflow in keyboard interactive handling which could allow out-of-bounds write with specially crafted payload (bsc#1128472). - CVE-2019-3859: Fixed Out-of-bounds reads with specially crafted payloads due to unchecked use of _libssh2_packet_require and _libssh2_packet_requirev (bsc#1128480). - CVE-2019-3855: Fixed a potential Integer overflow in transport read which could allow out-of-bounds write with specially crafted payload (bsc#1128471). - CVE-2019-3858: Fixed a potential zero-byte allocation which could lead to an out-of-bounds read with a specially crafted SFTP packet (bsc#1128476). - CVE-2019-3857: Fixed a potential Integer overflow which could lead to zero-byte allocation and out-of-bounds with specially crafted message channel request SSH packet (bsc#1128474). Other issue addressed: - Libbssh2 will stop using keys unsupported types in the known_hosts file (bsc#1091236). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:794-1 Released: Thu Mar 28 12:09:29 2019 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1087481 This update for krb5 fixes the following issues: - Add support for the GSS_KRB5_CRED_NO_CI_FLAGS_X cred option to suppress sending the confidentiality and integrity flags in GSS initiator tokens unless they are requested by the caller. These flags control the negotiated SASL security layer for the Microsoft GSS-SPNEGO SASL mechanism. (bsc#1087481). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:803-1 Released: Fri Mar 29 13:14:21 2019 Summary: Security update for openssl Type: security Severity: moderate References: 1100078,1113975,1117951,1127080,CVE-2019-1559 This update for openssl fixes the following issues: Security issues fixed: - The 9 Lives of Bleichenbacher's CAT: Cache Attacks on TLS Implementations (bsc#1117951) - CVE-2019-1559: Fixed OpenSSL 0-byte Record Padding Oracle which under certain circumstances a TLS server can be forced to respond differently to a client and lead to the decryption of the data (bsc#1127080). Other issues addressed: - Fixed IV handling in SHAEXT paths: aes/asm/aesni-sha*-x86_64.pl (bsc#1113975). - Set TLS version to 0 in msg_callback for record messages to avoid confusing applications (bsc#1100078). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:838-1 Released: Tue Apr 2 09:52:06 2019 Summary: Security update for bash Type: security Severity: important References: 1130324,CVE-2019-9924 This update for bash fixes the following issues: Security issue fixed: - CVE-2019-9924: Fixed a vulnerability in which shell did not prevent user BASH_CMDS allowing the user to execute any command with the permissions of the shell (bsc#1130324). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:839-1 Released: Tue Apr 2 13:13:21 2019 Summary: Security update for file Type: security Severity: moderate References: 1096974,1096984,1126117,1126118,1126119,CVE-2018-10360,CVE-2019-8905,CVE-2019-8906,CVE-2019-8907 This update for file fixes the following issues: The following security vulnerabilities were addressed: - Fixed an out-of-bounds read in the function do_core_note in readelf.c, which allowed remote attackers to cause a denial of service (application crash) via a crafted ELF file (bsc#1096974 CVE-2018-10360). - CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c (bsc#1126118) - CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf. c (bsc#1126119) - CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c (bsc#1126117)