----------------------------------------- Version 3.1.1-Build3.9.41 2020-04-19T19:30:07 ----------------------------------------- Patch: SUSE-2014-85 Released: Tue Nov 4 16:29:29 2014 Summary: Recommended update for dirmngr Severity: moderate References: 901845 Description: This update for dirmngr fixes a segmentation fault at start up. (bnc#901845) ----------------------------------------- Patch: SUSE-2014-66 Released: Thu Nov 6 06:23:15 2014 Summary: Recommended update for gcc48 Severity: moderate References: 899871 Description: This update for gcc48 fixes a performance degradation issue caused by generation of unneeded code whe using option -pg. ----------------------------------------- Patch: SUSE-2014-97 Released: Fri Nov 28 10:20:32 2014 Summary: Security update for file Severity: moderate References: 888308,902367,CVE-2014-3710 Description: file was updated to fix one security issue. This security issue was fixed: - Out-of-bounds read in elf note headers (CVE-2014-3710). This non-security issues was fixed: - Correctly identify GDBM files created by libgdbm4 (bnc#888308). ----------------------------------------- Patch: SUSE-2014-113 Released: Tue Dec 2 18:17:57 2014 Summary: Security update for cpio Severity: moderate References: 658010,907456,CVE-2014-9112 Description: This cpio security update fixes the following buffer overflow issue and two non security issues: - fix an OOB write with cpio -i (bnc#907456) (CVE-2014-9112) - prevent cpio from extracting over a symlink (bnc#658010) - fix a truncation check in mt ----------------------------------------- Patch: SUSE-2015-4 Released: Wed Dec 3 15:57:25 2014 Summary: Security update for libyaml Severity: moderate References: 907809,CVE-2014-9130 Description: This libyaml update fixes the following security issue: - bnc#907809: assert failure when processing wrapped strings (CVE-2014-9130) ----------------------------------------- Patch: SUSE-2015-16 Released: Thu Dec 11 09:25:27 2014 Summary: Security update for libksba Severity: moderate References: 907074,CVE-2014-9087 Description: This libksba update fixes the following security issue: - bnc#907074: buffer overflow in OID processing (CVE-2014-9087) ----------------------------------------- Patch: SUSE-2014-126 Released: Fri Dec 19 20:16:00 2014 Summary: Security update for file Severity: moderate References: 910252,910253,CVE-2014-8116,CVE-2014-8117 Description: This file update fixes the following security issues: - bsc#910252: multiple denial of service issues (resource consumption) (CVE-2014-8116) - bsc#910253: denial of service issue (resource consumption) (CVE-2014-8117) ----------------------------------------- Patch: SUSE-2015-29 Released: Mon Jan 12 11:37:43 2015 Summary: Security update for curl Severity: moderate References: 901924,911363,CVE-2014-3707,CVE-2014-8150 Description: This update fixes the following security issues - CVE-2014-8150: URL request injection vulnerability (bnc#911363) - CVE-2014-3707: duphandle read out of bounds (bnc#901924) ----------------------------------------- Patch: SUSE-2015-40 Released: Thu Jan 15 18:35:11 2015 Summary: Security update for rpm Severity: important References: 892431,906803,908128,911228,CVE-2013-6435,CVE-2014-8118 Description: This rpm update fixes the following security and non-security issues: - bnc#908128: Check for bad invalid name sizes (CVE-2014-8118) - bnc#906803: Create files with mode 0 (CVE-2013-6435) - bnc#892431: Honor --noglob in install mode - bnc#911228: Fix noglob patch, it broke files with space. ----------------------------------------- Patch: SUSE-2015-64 Released: Thu Jan 15 23:21:45 2015 Summary: Recommended update for e2fsprogs Severity: moderate References: 912229 Description: This update for e2fsprogs fixes a 'use after free' issue in fsck(8). ----------------------------------------- Patch: SUSE-2015-76 Released: Fri Jan 30 15:01:03 2015 Summary: Security update for elfutils Severity: moderate References: 911662,CVE-2014-9447 Description: elfutils was updated to fix one security issue. This security issue was fixed: - Directory traversal vulnerability in the read_long_names function (CVE-2014-9447). ----------------------------------------- Patch: SUSE-2015-55 Released: Tue Feb 3 14:51:17 2015 Summary: Recommended update for curl Severity: moderate References: 913209 Description: curl was updated to fix problems when operating in FIPS mode. This patch reenables following methods: - NTLM authentication (e.g. for proxies) (allowing its usage of MD4 and MD5) - HTTP Digest authentication (allowing its usage of MD5) ----------------------------------------- Patch: SUSE-2015-121 Released: Tue Feb 3 16:30:16 2015 Summary: Recommended update for pam Severity: low References: 912922 Description: This update for pam fixes updating of NIS passwords. ----------------------------------------- Patch: SUSE-2015-157 Released: Tue Mar 10 09:01:41 2015 Summary: Security update for libssh2_org Severity: moderate References: 921070,CVE-2015-1782 Description: The ssh client library libssh2_org was updated to fix a security issue. CVE-2015-1782: A malicious server could send a crafted SSH_MSG_KEXINIT packet, that could lead to a buffer overread and to a crash of the libssh2_org using application. ----------------------------------------- Patch: SUSE-2015-208 Released: Thu Mar 12 10:43:10 2015 Summary: Security update for python-PyYAML Severity: moderate References: 921588,CVE-2014-9130 Description: python-PyYAML was updated to fix one security issue which could have allowed an attacker to cause a denial of service by supplying specially crafted strings The following issue was fixed: - #921588: python-PyYAML: assert failure when processing wrapped strings (equivalent to CVE-2014-9130 in LibYAML) ----------------------------------------- Patch: SUSE-2015-275 Released: Wed Mar 18 18:21:44 2015 Summary: Recommended update for procps Severity: low References: 901202,908516 Description: This update for procps provides the following fixes: - Add description of pgrep's --list-full parameter to usage instructions (--help). (bsc#901202) - Fix handling of arguments to -s option in free(1). (bsc#908516) - Correct package name in descriptions: procps, not props. ----------------------------------------- Patch: SUSE-2015-143 Released: Mon Mar 23 21:46:58 2015 Summary: Initial release of SUSE Enterprise Storage client Severity: low References: 913799,914521,917309 Description: This update provides the functionality required for SUSE Linux Enterprise Server 12 to act as a client for SUSE Enterprise Storage. qemu can now use storage provided by the SUSE Enterprise Storage Ceph cluster via the RADOS Block Device (rbd) backend. Applications can now be enhanced to directly incorporate object or block storage backed by the SUSE Enterprise Storage cluster, by linking with the librados and librbd client libraries. Also included is the rbd tool to manage RADOS block devices mapped via the rbd kernel module, for use as a standard generic block device. ----------------------------------------- Patch: SUSE-2015-235 Released: Wed Apr 29 19:05:01 2015 Summary: Security update for curl Severity: moderate References: 927556,927607,927608,927746,928533,CVE-2015-3143,CVE-2015-3144,CVE-2015-3145,CVE-2015-3148,CVE-2015-3153 Description: curl was updated to fix five security issues. The following vulnerabilities were fixed: * CVE-2015-3143: curl could re-use NTML authenticateds connections * CVE-2015-3144: curl could access memory out of bounds with zero length host names * CVE-2015-3145: curl cookie parser could access memory out of boundary * CVE-2015-3148: curl could treat Negotiate as not connection-oriented * CVE-2015-3153: curl could have sent sensitive HTTP headers also to proxies ----------------------------------------- Patch: SUSE-2015-296 Released: Thu Jun 11 15:46:59 2015 Summary: Security update for libgcrypt Severity: moderate References: 896202,896435,898003,899524,900275,900276,905483,920057,928740,929919,CVE-2014-3591 Description: This update of libgcrypt fixes one security issue and brings various FIPS 140-2 related improvements. libgcrypt now uses ciphertext blinding for Elgamal decryption (CVE-2014-3591) FIPS 140-2 related changes: * The library performs its self-tests when the module is complete (the -hmac file is also installed). * Added a NIST 800-90a compliant DRBG. * Change DSA key generation to be FIPS 186-4 compliant. * Change RSA key generation to be FIPS 186-4 compliant. * Enable HW support in fips mode (bnc#896435) * Make DSA selftest use 2048 bit keys (bnc#898003) * Added ECDSA selftests and add support for it to the CAVS testing framework (bnc#896202) * Various CAVS testing improvements. ----------------------------------------- Patch: SUSE-2015-366 Released: Mon Jun 29 10:13:43 2015 Summary: Security update for e2fsprogs Severity: low References: 915402,918346,CVE-2015-0247,CVE-2015-1572 Description: Two security issues were fixed in e2fsprogs: Security issues fixed: * CVE-2015-0247: Various heap overflows were fixed in e2fsprogs (fsck, dumpe2fs, e2image...). * CVE-2015-1572: Fixed a potential buffer overflow in closefs() (bsc#918346 ) ----------------------------------------- Patch: SUSE-2015-361 Released: Wed Jul 15 08:26:27 2015 Summary: Recommended update for gcc48, libffi48, libgcj48 Severity: moderate References: 889990,917169,919274,922534,924525,924687,927993,930176,934689 Description: The system compiler gcc48 was updated to the GCC 4.8.5 release, fixing a lot of bugs and bringing some improvements. It includes various bug fixes found by our customers: * Fixes bogus integer overflow in constant expression. [bnc#934689] * Fixes ICE with atomics on aarch64. [bnc#930176] * Includes fix for -imacros bug. [bnc#917169] * Includes fix for incorrect -Warray-bounds warnings. [bnc#919274] * Includes updated -mhotpatch for s390x. [bnc#924525] * Includes fix for ppc64le issue with doubleword vector extract. [bnc#924687] * Includes patches to allow building against ISL 0.14. * Backport rework of the memory allocator for C++ exceptions used in OOM situations. [bnc#889990] * Fix a reload issue on S390 (GCC PR66306). * Avoid accessing invalid memory when passing aggregates by value. [bnc#922534] ----------------------------------------- Patch: SUSE-2015-422 Released: Tue Jul 28 06:25:51 2015 Summary: The Toolchain module containing GCC 5.2 Severity: low References: 926412,936050,937823 Description: This update contains the release of the new SUSE Linux Enterprise Toolchain module. Its major feature is the GNU Compiler Collection 5.2, please see https://gcc.gnu.org/gcc-5/changes.html for important changes. This update also includes a version update of binutils to 2.25 release branch to provide features and bugfixes. Following features have been added to binutils: * IBM zSeries z13 hardware support (fate#318036, bnc#936050). * various IBM Power8 improvements (fate#318238, bnc#926412). * AVX512 support on the Intel EM64T platform (fate#318520). The GNU Debugger gdb was updated to version 7.9.1 bringing various features and lots of bugfixes. Also IBM zSeries z13 hardware support has been added to gdb. (fate#318039) ----------------------------------------- Patch: SUSE-2015-556 Released: Tue Aug 4 14:52:55 2015 Summary: Recommended update for python-requests Severity: moderate References: 935252 Description: python-requests was updated to use the system CA certificate store. ----------------------------------------- Patch: SUSE-2015-500 Released: Mon Aug 17 11:36:33 2015 Summary: Security update for libgcrypt Severity: moderate References: 920057,938343,CVE-2015-0837 Description: This update fixes the following issues: Security: * Fixed data-dependent timing variations in modular exponentiation [related to CVE-2015-0837, Last-Level Cache Side-Channel Attacks are Practical] (bsc#920057) Bugfixes: * don't drop privileges when locking secure memory (bsc#938343) ----------------------------------------- Patch: SUSE-2015-530 Released: Wed Aug 26 03:07:07 2015 Summary: Recommended update for sed Severity: low References: 933029 Description: This update for sed fixes the behavior of --follow-symlinks when reading from the standard input (stdin). The behavior of 'sed --follow-symlinks -' is now identical to 'sed -'. In both cases, sed will read from the standard input and no longer from a file named '-'. ----------------------------------------- Patch: SUSE-2015-499 Released: Mon Aug 31 11:55:14 2015 Summary: Security update for zeromq Severity: moderate References: 912460,931978,CVE-2014-9721 Description: zeromq was updated to fix one security issue and one non-security bug. The following vulnerability was fixed: * CVE-2014-9721: zeromq protocol downgrade attack on sockets using the ZMTP v3 protocol (boo#931978) The following bug was fixed: * boo#912460: avoid curve test to hang for ppc ppc64 ppc64le architectures ----------------------------------------- Patch: SUSE-2015-568 Released: Wed Sep 16 13:30:12 2015 Summary: Recommended update for grep Severity: low References: 920386 Description: This update for grep fixes undefined behaviour with -P and non-utf-8 data. ----------------------------------------- Patch: SUSE-2015-727 Released: Wed Oct 7 09:26:23 2015 Summary: Recommended update for cloud-init Severity: low References: 948930,948995,948996 Description: cloud-init uses the Jinja2 Python module to generate configuration files from templates, but this dependency was not defined in the package's spec file. This update adds the missing requirement to cloud-init. ----------------------------------------- Patch: SUSE-2015-776 Released: Fri Oct 30 08:06:58 2015 Summary: Recommended update for libyaml Severity: low References: 952625 Description: This update adjusts libyaml's packaging to require pkg-config at build time. ----------------------------------------- Patch: SUSE-2015-817 Released: Fri Nov 6 23:42:46 2015 Summary: Initial release of python-azurectl Severity: low References: 946907 Description: This update provides a set of command line tools to interact with the Microsoft Azure public cloud framework. Refer to the azurectl(1) man page, included in python-azurectl, for comprehensive documentation and usage instructions. ----------------------------------------- Patch: SUSE-2015-834 Released: Thu Nov 12 13:52:22 2015 Summary: Recommended update for python-Twisted Severity: moderate References: 940813 Description: python-Twisted has been updated to version 15.2.1, which brings several fixes and enhancements such as: - twisted.positioning, a new API for positioning systems such as GPS, has been added. It comes with an implementation of NMEA, the most common wire protocol for GPS devices. It will supersede twisted.protocols.gps. - IReactorUDP.listenUDP, IUDPTransport.write and IUDPTransport.connect now accept ipv6 address literals. - A new API, twisted.internet.ssl.optionsForClientTLS, allows clients to specify and verify the identity of the peer they're communicating with. When used with the service_identity library from PyPI, this provides support for service identity verification from RFC 6125, as well as server name indication from RFC 6066. - Twisted's TLS support now provides a way to ask for user-configured trust roots rather than having to manually configure such certificate authority certificates. - twisted.internet.ssl.CertificateOptions now supports ECDHE for servers by default on pyOpenSSL 0.14 and later, if the underlying versions of cryptography.io and OpenSSL support it. - twisted.internet.ssl.CertificateOptions now allows the user to set acceptable ciphers and uses secure ones by default. - The new package twisted.logger provides a new, fully tested, and feature-rich logging framework. The old module twisted.python.log is now implemented using the new framework. - twisted.conch.ssh.forwarding now supports local->remote forwarding of IPv6. - twisted.mail.smtp.sendmail now uses ESMTP. It will opportunistically enable encryption and allow the use of authentication. - twisted.internet.ssl.CertificateOptions now enables TLSv1.1 and TLSv1.2 by default (in addition to TLSv1.0) if the underlying version of OpenSSL supports these protocol versions. - twisted.internet.ssl.CertificateOptions now supports Diffie-Hellman key exchange. - twisted.internet.ssl.CertificateOptions now disables TLS compression to avoid CRIME attacks and, for servers, uses server preference to choose the cipher. - MSN protocol support has been marked as deprecated. - Removed deprecated UDPClient. - Better support and integration with Python 3. For a comprehensive list of changes, please refer to the file NEWS shipped within the package. ----------------------------------------- Patch: SUSE-2015-922 Released: Tue Dec 22 08:44:25 2015 Summary: Security update for gpg2 Severity: moderate References: 918089,918090,952347,955753,CVE-2015-1606,CVE-2015-1607 Description: The gpg2 package was updated to fix the following security and non security issues: - CVE-2015-1606: Fixed invalid memory read using a garbled keyring (bsc#918089). - CVE-2015-1607: Fixed memcpy with overlapping ranges (bsc#918090). - bsc#955753: Fixed a regression of 'gpg --recv' due to keyserver import filter (also boo#952347). ----------------------------------------- Patch: SUSE-2015-869 Released: Wed Dec 23 10:01:16 2015 Summary: Recommended update for libksba Severity: moderate References: 926826 Description: The libksba package was updated to fix the following security issues: - Fixed an integer overflow, an out of bounds read and a stack overflow issues (bsc#926826). ----------------------------------------- Patch: SUSE-2015-862 Released: Wed Dec 23 17:40:51 2015 Summary: Recommended update for acl Severity: moderate References: 945899 Description: This update for acl provides the following fixes: - Fix segmentation fault of getfacl -e on overly long group name. - Make sure that acl_from_text() always sets errno when it fails. - Fix memory and resource leaks in getfacl. ----------------------------------------- Patch: SUSE-2016-46 Released: Fri Jan 8 12:37:34 2016 Summary: Recommended update for gcr, gnome-keyring, libgcrypt, libsecret Severity: moderate References: 932232 Description: This update for gcr, gnome-keyring, libgcrypt, libsecret fixes issues when the system operates in FIPS mode. The various GNOME libraries and tool have been changed to use the default libgcrypt allocators. GNOME keyring was changed not to use MD5 anymore. libgcrypt was adjusted to free the DRBG on exit to avoid crashes. ----------------------------------------- Patch: SUSE-2016-80 Released: Wed Jan 13 21:05:28 2016 Summary: Security update for python-requests Severity: moderate References: 922448,929736,961596,CVE-2015-2296 Description: The python-requests module has been updated to version 2.8.1, which brings several fixes and enhancements: - Fix handling of cookies on redirect. Previously a cookie without a host value set would use the hostname for the redirected URL exposing requests users to session fixation attacks and potentially cookie stealing. (bsc#922448, CVE-2015-2296) - Add support for per-host proxies. This allows the proxies dictionary to have entries of the form {'://': ''}. Host-specific proxies will be used in preference to the previously-supported scheme-specific ones, but the previous syntax will continue to work. - Update certificate bundle to match 'certifi' 2015.9.6.2's weak certificate bundle. - Response.raise_for_status now prints the URL that failed as part of the exception message. - requests.utils.get_netrc_auth now takes an raise_errors kwarg, defaulting to False. When True, errors parsing .netrc files cause exceptions to be thrown. - Change to bundled projects import logic to make it easier to unbundle requests downstream. - Change the default User-Agent string to avoid leaking data on Linux: now contains only the requests version. - The json parameter to post() and friends will now only be used if neither data nor files are present, consistent with the documentation. - Empty fields in the NO_PROXY environment variable are now ignored. - Fix problem where httplib.BadStatusLine would get raised if combining stream=True with contextlib.closing. - Prevent bugs where we would attempt to return the same connection back to the connection pool twice when sending a Chunked body. - Digest Auth support is now thread safe. - Resolved several bugs involving chunked transfer encoding and response framing. - Copy a PreparedRequest's CookieJar more reliably. - Support bytearrays when passed as parameters in the 'files' argument. - Avoid data duplication when creating a request with 'str', 'bytes', or 'bytearray' input to the 'files' argument. - 'Connection: keep-alive' header is now sent automatically. - Support for connect timeouts. Timeout now accepts a tuple (connect, read) which is used to set individual connect and read timeouts. For a comprehensive list of changes please refer to the package's change log or the Release Notes at http://docs.python-requests.org/en/latest/community/updates/#id3 ----------------------------------------- Patch: SUSE-2016-201 Released: Thu Feb 4 15:51:22 2016 Summary: Security update for curl Severity: moderate References: 934333,936676,962983,962996,CVE-2016-0755 Description: This update for curl fixes the following issues: - CVE-2016-0755: libcurl would reuse NTLM-authenticated proxy connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer (bsc#962983) The following non-security bugs were fixed: - bsc#936676: secure_getenv or __secure_getenv may not be detected correctly at build time The following tracked bugs only affect the test suite: - bsc#962996: Expired cookie in test 46 caused test failures - bsc#934333: Curl test suite was not run, is now enabled during build ----------------------------------------- Patch: SUSE-2016-371 Released: Thu Mar 3 15:58:18 2016 Summary: Recommended update for insserv-compat Severity: low References: 960820 Description: This update for insserv-compat fixes the name of the ntpd service. ----------------------------------------- Patch: SUSE-2016-413 Released: Fri Mar 11 10:17:57 2016 Summary: Security update for libssh2_org Severity: moderate References: 933336,961964,967026,CVE-2016-0787 Description: This update for libssh2_org fixes the following issues: Security issue fixed: - CVE-2016-0787 (bsc#967026): Weakness in diffie-hellman secret key generation lead to much shorter DH groups then needed, which could be used to retrieve server keys. A feature was added: - Support of SHA256 digests for DH group exchanges was added (fate#320343, bsc#961964) Bug fixed: - Properly detect EVP_aes_128_ctr at configure time (bsc#933336) ----------------------------------------- Patch: SUSE-2016-462 Released: Wed Mar 16 18:17:59 2016 Summary: Recommended update for libcap Severity: low References: 967838 Description: This update for libcap adds two new capabilities (CAP_WAKE_ALARM and CAP_BLOCK_SUSPEND) which are available in Linux Kernel 3.12. ----------------------------------------- Patch: SUSE-2016-543 Released: Fri Apr 1 18:44:16 2016 Summary: Recommended update for libgcrypt Severity: moderate References: 970882 Description: This update for libgcrypt fixes a crash in GPG key generation when operating in FIPS mode. (bsc#970882) ----------------------------------------- Patch: SUSE-2016-565 Released: Wed Apr 6 16:26:42 2016 Summary: Security update for gcc5 Severity: moderate References: 939460,945842,952151,953831,954002,955382,962765,964468,966220,968771,CVE-2015-5276 Description: The GNU Compiler Collection was updated to version 5.3.1, which brings several fixes and enhancements. The following security issue has been fixed: - Fix C++11 std::random_device short read issue that could lead to predictable randomness. (CVE-2015-5276, bsc#945842) The following non-security issues have been fixed: - Enable frame pointer for TARGET_64BIT_MS_ABI when stack is misaligned. Fixes internal compiler error when building Wine. (bsc#966220) - Fix a PowerPC specific issue in gcc-go that broke compilation of newer versions of Docker. (bsc#964468) - Fix HTM built-ins on PowerPC. (bsc#955382) - Fix libgo certificate lookup. (bsc#953831) - Suppress deprecated-declarations warnings for inline definitions of deprecated virtual methods. (bsc#939460) - Build s390[x] with '--with-tune=z9-109 --with-arch=z900' on SLE11 again. (bsc#954002) - Revert accidental libffi ABI breakage on aarch64. (bsc#968771) - On x86_64, set default 32bit code generation to -march=x86-64 rather than -march=i586. - Add experimental File System TS library. ----------------------------------------- Patch: SUSE-2016-636 Released: Mon Apr 18 09:18:19 2016 Summary: Security update for libgcrypt Severity: moderate References: 965902,CVE-2015-7511 Description: libgcrypt was updated to fix one security issue. This security issue was fixed: - CVE-2015-7511: Side-channel attack on ECDH with Weierstrass curves (bsc#965902). ----------------------------------------- Patch: SUSE-2016-643 Released: Tue Apr 19 09:23:39 2016 Summary: Recommended update for bzip2 Severity: low References: 970260 Description: This update for bzip2 fixes the following issues: - Fix bzgrep wrapper that always returns 0 as exit code when working on multiple archives, even when the pattern is not found. ----------------------------------------- Patch: SUSE-2016-652 Released: Wed Apr 20 10:34:05 2016 Summary: Recommended update for SUSE Manager Client Tools Severity: moderate References: 956981,970550,970989,974864,975093 Description: This update for SUSE Manager Client Tools provides the following new features: - Integrate SaltStack for configuration management. (fate#312447) - Replace upstream subscription counting with new subscription matching. (fate#311619) This update fixes the following issues: osad: - Fix file permissions. (bsc#970550) - Add possibility for OSAD to work in failover mode. rhn-custom-info: - Version update. rhn-virtualization: - Version update. rhncfg: - Fix file permissions. (bsc#970550) - Fix removal of temporary files during transaction rollback for rhncfg-manager. - Fix removal of directories which rhncfg-manager didn't create. - Remove temporary files when exception occurs. - Make rhncfg support sha256 and use it by default. - Fix for assigning all groups user belongs to running process. - Show server modified time with rhncfg-client diff. rhnlib: - Use TLSv1_METHOD in SSL Context. (bsc#970989) rhnpush: - Don't count on having newest rhn-client-tools. - Allow to use existing rpcServer when creating RhnServer. - Wire in timeout for rhnpush. spacecmd: - Text description missing for remote command by Spacecmd. - Added functions to add/edit SSL certificates for repositories. - Mimetype detection to set the binary flag requires 'file' tool. - Always base64 encode to avoid trim() bugs in the XML-RPC library. - Replace upstream subscription counting with new subscription matching. (fate#311619) spacewalk-backend: - Version update. spacewalk-client-tools: - Convert dbus.Int32 to int to fix a TypeError during registration. (bsc#974864) - Fix client registration for network interfaces with labels. (bsc#956981) - Show a descriptive message on reboot. - Replace upstream subscription counting with new subscription matching. (fate#311619) spacewalk-koan: - Fix file permissions. (bsc#970550) - Switch to KVM if possible. spacewalk-oscap: - Still require openscap-utils on RHEL5. spacewalk-remote-utils: - Add RHEL 7.2 channel definitions. - Update RHEL 6.7 and 7.1 channel definitions. - Use hostname instead of localhost for https connections. - Spacewalk-create-channel added -o option to clone channel to current state. spacewalksd: - Delete file with input files after template is created. suseRegisterInfo: - Fix file permissions. (bsc#970550) ----------------------------------------- Patch: SUSE-2016-697 Released: Thu Apr 28 16:03:24 2016 Summary: Recommended update for libssh2_org Severity: important References: 974691 Description: This update for libssh2_org fixes a regression introduced by a previous update which could result in a segmentation fault in EVP_DigestInit_Ex(). ----------------------------------------- Patch: SUSE-2016-589 Released: Mon May 2 15:01:37 2016 Summary: Security update for python-tornado Severity: moderate References: 930361,930362,974657,CVE-2014-9720 Description: The python-tornado module was updated to version 4.2.1, which brings several fixes, enhancements and new features. The following security issues have been fixed: - A path traversal vulnerability in StaticFileHandler, in which files whose names started with the static_path directory but were not actually in that directory could be accessed. - The XSRF token is now encoded with a random mask on each request. This makes it safe to include in compressed pages without being vulnerable to the BREACH attack. This applies to most applications that use both the xsrf_cookies and gzip options (or have gzip applied by a proxy). (bsc#930362, CVE-2014-9720) - The signed-value format used by RequestHandler.{g,s}et_secure_cookie changed to be more secure. (bsc#930361) The following enhancements have been implemented: - SSLIOStream.connect and IOStream.start_tls now validate certificates by default. - Certificate validation will now use the system CA root certificates. - The default SSL configuration has become stricter, using ssl.create_default_context where available on the client side. - The deprecated classes in the tornado.auth module, GoogleMixin, FacebookMixin and FriendFeedMixin have been removed. - New modules have been added: tornado.locks and tornado.queues. - The tornado.websocket module now supports compression via the 'permessage-deflate' extension. - Tornado now depends on the backports.ssl_match_hostname when running on Python 2. For a comprehensive list of changes, please refer to the release notes: - http://www.tornadoweb.org/en/stable/releases/v4.2.0.html - http://www.tornadoweb.org/en/stable/releases/v4.1.0.html - http://www.tornadoweb.org/en/stable/releases/v4.0.0.html - http://www.tornadoweb.org/en/stable/releases/v3.2.0.html ----------------------------------------- Patch: SUSE-2016-797 Released: Thu May 19 13:26:11 2016 Summary: Recommended update for python-futures Severity: low References: 974993 Description: This update for python-futures provides version 3.0.2 required from python-s3transfer (fate#320748) and fixes the following issues: - Made multiprocessing optional again on implementations other than just Jython - Made Executor.map() non-greedy - Dropped Python 2.5 and 3.1 support - Removed the deprecated 'futures' top level package - Remove CFLAGS: this is a python only module - Remove futures from package files: not provided anymore - Added the set_exception_info() and exception_info() methods to Future to enable extraction of tracebacks on Python 2.x - Added support for Future.set_exception_info() to ThreadPoolExecutor ----------------------------------------- Patch: SUSE-2016-801 Released: Thu May 19 22:38:01 2016 Summary: Recommended update for curl Severity: moderate References: 915846 Description: This update for curl fixes the following issue: - Fix 'Network is unreachable' error when ipv6 is not available but ipv4. This fixes the same error in applications using libcurl4 (like zypper). (bsc#915846) ----------------------------------------- Patch: SUSE-2016-835 Released: Wed May 25 18:27:30 2016 Summary: Recommended update for libgcrypt Severity: moderate References: 979629 Description: This update for libgcrypt fixes the following issue: - Fix failing reboot after installing fips pattern (bsc#979629) ----------------------------------------- Patch: SUSE-2016-898 Released: Tue Jun 7 09:48:12 2016 Summary: Security update for expat Severity: important References: 979441,980391,CVE-2015-1283,CVE-2016-0718 Description: This update for expat fixes the following issues: Security issue fixed: - CVE-2016-0718: Fix Expat XML parser that mishandles certain kinds of malformed input documents. (bsc#979441) - CVE-2015-1283: Fix multiple integer overflows. (bnc#980391) ----------------------------------------- Patch: SUSE-2016-900 Released: Tue Jun 7 10:58:37 2016 Summary: Security update for libksba Severity: moderate References: 979261,979906,CVE-2016-4574,CVE-2016-4579 Description: This update for libksba fixes the following issues: - CVE-2016-4579: Out-of-bounds read in _ksba_ber_parse_tl() - CVE-2016-4574: two OOB read access bugs (remote DoS) (bsc#979261) Also adding reliability fixes from v1.3.4. ----------------------------------------- Patch: SUSE-2016-984 Released: Wed Jun 22 11:11:35 2016 Summary: Recommended update for SUSE Manager Server, Proxy and Client Tools Severity: moderate References: 964932,969320,971372,973418,975303,975306,975733,975757,976148,976826,977264,978833,979313,979676,980313 Description: This update fixes the following issues for the SUSE Manager Server 3.0 and Client Tools: zypp-plugin-spacewalk: - Fix failover for multiple URLs per repo. (bsc#964932) The following issues for SUSE Manager Proxy 3.0 and Client Tools have been fixed: cobbler: - Remove grubby-compat because perl-Bootloader gets dropped. - Disabling 'get-loaders' command and 'check' fixed. (bsc#973418) - Add logrotate file for cobbler. (bsc#976826) Additionally the following issues for the SUSE Linux Enterprise 12 Clienttools have been fixed: salt: - Remove option -f from startproc. (bsc#975733) - Changed Zypper's plugin. Added Unit test and related to that data. (bsc#980313) - Zypper plugin: alter the generated event name on package set change. - Fix file ownership on master keys and cache directories during upgrade. (handles upgrading from salt 2014, where the daemon ran as root, to 2015 where it runs as the salt user, bsc#979676) - Salt-proxy .service file created. (bsc#975306) - Prevent salt-proxy test.ping crash. (bsc#975303) - Fix shared directories ownership issues. - Add Zypper plugin to generate an event, once Zypper is used outside the Salt infrastructure demand. (bsc#971372) - Restore boolean values from the repo configuration - Fix priority attribute (bsc#978833) - Unblock-Zypper. (bsc#976148) - Modify-environment. (bsc#971372) - Prevent crash if pygit2 package is requesting re-compilation. - Align OS grains from older SLES with current one. (bsc#975757) - Bugfix: salt-key crashes if tries to generate keys to the directory w/o write access. (bsc#969320) spacecmd: - Make spacecmd createRepo compatible with SUSE Manager 2.1 API. (bsc#977264) spacewalk-backend: - Better error message for system that is already registered as minion. - Fix GPG bad signature detection and improve error messages. (bsc#979313) - Send and save machine_id on traditional registration. - Add machine info capability spacewalk-client-tools: - Send and save machine_id on traditional registration. - Send machine info only if server has machine info capability. ----------------------------------------- Patch: SUSE-2016-987 Released: Wed Jun 22 14:32:18 2016 Summary: Recommended update for procps Severity: low References: 981616 Description: This update for procps fixes the following issues: - Improve pmap(1) to be compatible with kernel 4.4. (bsc#981616) ----------------------------------------- Patch: SUSE-2016-1028 Released: Thu Jul 7 11:50:47 2016 Summary: Recommended update for findutils Severity: moderate References: 986935 Description: This update for findutils fixes the following issues: - find -exec + would not pass all arguments for certain specific filename lengths (bsc#986935) ----------------------------------------- Patch: SUSE-2016-1126 Released: Sat Jul 30 00:39:03 2016 Summary: Recommended update for kmod Severity: low References: 983754,989788 Description: This update for kmod fixes libkmod to handle very long lines in /proc/modules. ----------------------------------------- Patch: SUSE-2016-1141 Released: Wed Aug 3 15:24:30 2016 Summary: Security update for sqlite3 Severity: moderate References: 987394,CVE-2016-6153 Description: This update for sqlite3 fixes the following issues: The following security issue was fixed: - CVE-2016-6153: Fixed a tempdir selection vulnerability (bsc#987394) ----------------------------------------- Patch: SUSE-2016-1205 Released: Thu Aug 11 15:02:18 2016 Summary: Recommended update for rpm Severity: low References: 829717,894610,940315,953532,965322,967728 Description: This update for rpm provides the following fixes: - Add is_opensuse and leap_version macros to suse_macros. (bsc#940315) - Add option to make postinstall scriptlet errors fatal. (bsc#967728) - Normalize big blocksizes to 4096 bytes. (bsc#894610, bsc#829717, bsc#965322) - Fix updating of sources/patches when recursing because of a BuildArch. (bsc#953532) ----------------------------------------- Patch: SUSE-2016-1216 Released: Fri Aug 12 18:19:22 2016 Summary: Recommended update for SUSE Manager 3.0 and Client Tools Severity: moderate References: 970669,972311,978150,979448,983017,983512,984622,984998,985661,988506,989193 Description: This consolidated update includes multiple patchinfos for SUSE Manager Server, Proxy and SUSE Enterprise Storage 3. This patchinfo is used for the codestream release only ----------------------------------------- Patch: SUSE-2016-1228 Released: Tue Aug 16 09:29:01 2016 Summary: Security update for libidn Severity: moderate References: 923241,990189,990190,990191,CVE-2015-2059,CVE-2015-8948,CVE-2016-6261,CVE-2016-6262,CVE-2016-6263 Description: This update for libidn fixes the following issues: - CVE-2016-6262 and CVE-2015-8948: Out-of-bounds-read when reading one zero byte as input (bsc#990189) - CVE-2016-6261: Out-of-bounds stack read in idna_to_ascii_4i (bsc#990190) - CVE-2016-6263: stringprep_utf8_nfkc_normalize reject invalid UTF-8 (bsc#990191) - CVE-2015-2059: out-of-bounds read with stringprep on invalid UTF-8 (bsc#923241) ----------------------------------------- Patch: SUSE-2016-1245 Released: Fri Aug 19 10:31:11 2016 Summary: Security update for python Severity: moderate References: 984751,985177,985348,989523,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699 Description: This update for python fixes the following issues: - CVE-2016-0772: smtplib vulnerability opens startTLS stripping attack (bsc#984751) - CVE-2016-5636: heap overflow when importing malformed zip files (bsc#985177) - CVE-2016-5699: incorrect validation of HTTP headers allow header injection (bsc#985348) - CVE-2016-1000110: HTTPoxy vulnerability in urllib, fixed by disregarding HTTP_PROXY when REQUEST_METHOD is also set (bsc#989523) ----------------------------------------- Patch: SUSE-2016-1247 Released: Fri Aug 19 12:58:39 2016 Summary: Security update for cracklib Severity: moderate References: 992966,CVE-2016-6318 Description: This update for cracklib fixes the following issues: - Add patch to fix a buffer overflow in GECOS parser (bsc#992966 CVE-2016-6318) ----------------------------------------- Patch: SUSE-2016-1326 Released: Thu Sep 8 11:37:44 2016 Summary: Security update for perl Severity: moderate References: 928292,932894,967082,984906,987887,988311,CVE-2015-8853,CVE-2016-1238,CVE-2016-2381,CVE-2016-6185 Description: This update for Perl fixes the following issues: - CVE-2016-6185: Xsloader looking at a '(eval)' directory. (bsc#988311) - CVE-2016-1238: Searching current directory for optional modules. (bsc#987887) - CVE-2015-8853: Regular expression engine hanging on bad utf8. (bsc) - CVE-2016-2381: Environment dup handling bug. (bsc#967082) - 'Insecure dependency in require' error in taint mode. (bsc#984906) - Memory leak in 'use utf8' handling. (bsc#928292) - Missing lock prototype to the debugger. (bsc#932894) ----------------------------------------- Patch: SUSE-2016-1358 Released: Thu Sep 15 20:54:21 2016 Summary: Optional update for gcc6 Severity: low References: 983206 Description: This update ships the GNU Compiler Collection (GCC) in version 6.2. This update is shipped in two parts: - SUSE Linux Enterprise Server 12 and Desktop: The runtime libraries libgcc_s1, libstdc++6, libatomic1, libgomp1, libitm1 and some others can now be used by GCC 6 built binaries. - SUSE Linux Enterprise 12 Toolchain Module: The Toolchain module received the GCC 6 compiler suite with this update. Changes: - The default mode for C++ is now -std=gnu++14 instead of -std=gnu++98. Generic Optimization improvements: - UndefinedBehaviorSanitizer gained a new sanitization option, -fsanitize=bounds-strict, which enables strict checking of array bounds. In particular, it enables -fsanitize=bounds as well as instrumentation of flexible array member-like arrays. - Type-based alias analysis now disambiguates accesses to different pointers. This improves precision of the alias oracle by about 20-30% on higher-level C++ programs. Programs doing invalid type punning of pointer types may now need -fno-strict-aliasing to work correctly. - Alias analysis now correctly supports weakref and alias attributes. This makes it possible to access both a variable and its alias in one translation unit which is common with link-time optimization. - Value range propagation now assumes that the this pointer of C++ member functions is non-null. This eliminates common null pointer checks but also breaks some non-conforming code-bases (such as Qt-5, Chromium, KDevelop). As a temporary work-around -fno-delete-null-pointer-checks can be used. Wrong code can be identified by using -fsanitize=undefined. - Various Link-time optimization improvements. - Inter-procedural optimization improvements: - Basic jump threading is now performed before profile construction and inline analysis, resulting in more realistic size and time estimates that drive the heuristics of the of inliner and function cloning passes. - Function cloning now more aggressively eliminates unused function parameters. - Compared to GCC 5, the GCC 6 release series includes a much improved implementation of the OpenACC 2.0a specification. C language specific improvements: - Version 4.5 of the OpenMP specification is now supported in the C and C++ compilers. - Source locations for the C and C++ compilers are now tracked as ranges, rather than just points, making it easier to identify the subexpression of interest within a complicated expression. In addition, there is now initial support for precise diagnostic locations within strings, - Diagnostics can now contain 'fix-it hints', which are displayed in context underneath the relevant source code. - The C and C++ compilers now offer suggestions for misspelled field names. - New command-line options have been added for the C and C++ compilers: - -Wshift-negative-value warns about left shifting a negative value. - -Wshift-overflow warns about left shift overflows. This warning is enabled by default. -Wshift-overflow=2 also warns about left-shifting 1 into the sign bit. - -Wtautological-compare warns if a self-comparison always evaluates to true or false. This warning is enabled by -Wall. - -Wnull-dereference warns if the compiler detects paths that trigger erroneous or undefined behavior due to dereferencing a null pointer. This option is only active when -fdelete-null-pointer-checks is active, which is enabled by optimizations in most targets. The precision of the warnings depends on the optimization options used. - -Wduplicated-cond warns about duplicated conditions in an if-else-if chain. - -Wmisleading-indentation warns about places where the indentation of the code gives a misleading idea of the block structure of the code to a human reader. This warning is enabled by -Wall. - The C and C++ compilers now emit saner error messages if merge-conflict markers are present in a source file. C improvements: - It is possible to disable warnings when an initialized field of a structure or a union with side effects is being overridden when using designated initializers via a new warning option -Woverride-init-side-effects. - A new type attribute scalar_storage_order applying to structures and unions has been introduced. It specifies the storage order (aka endianness) in memory of scalar fields in structures or unions. C++ improvements: - The default mode has been changed to -std=gnu++14. - C++ Concepts are now supported when compiling with -fconcepts. - -flifetime-dse is more aggressive in dead-store elimination in situations where a memory store to a location precedes a constructor to that memory location. - G++ now supports C++17 fold expressions, u8 character literals, extended static_assert, and nested namespace definitions. - G++ now allows constant evaluation for all non-type template arguments. - G++ now supports C++ Transactional Memory when compiling with -fgnu-tm. libstdc++ improvements: - Extensions to the C++ Library to support mathematical special functions (ISO/IEC 29124:2010), thanks to Edward Smith-Rowland. - Experimental support for C++17. - An experimental implementation of the File System TS. - Experimental support for most features of the second version of the Library Fundamentals TS. This includes polymorphic memory resources and array support in shared_ptr, thanks to Fan You. - Some assertions checked by Debug Mode can now also be enabled by _GLIBCXX_ASSERTIONS. The subset of checks enabled by the new macro have less run-time overhead than the full _GLIBCXX_DEBUG checks and don't affect the library ABI, so can be enabled per-translation unit. Fortran improvements: - Fortran 2008 SUBMODULE support. - Fortran 2015 EVENT_TYPE, EVENT_POST, EVENT_WAIT, and EVENT_QUERY support. - Improved support for Fortran 2003 deferred-length character variables. - Improved support for OpenMP and OpenACC. - The MATMUL intrinsic is now inlined for straightforward cases if front-end optimization is active. The maximum size for inlining can be set to n with the -finline-matmul-limit=n option and turned off with -finline-matmul-limit=0. - The -Wconversion-extra option will warn about REAL constants which have excess precision for their kind. - The -Winteger-division option has been added, which warns about divisions of integer constants which are truncated. This option is included in -Wall by default. Architecture improvements: - AArch64 received a lot of improvements. IA-32/x86-64 improvements: - GCC now supports the Intel CPU named Skylake with AVX-512 extensions through -march=skylake-avx512. The switch enables the following ISA extensions: AVX-512F, AVX512VL, AVX-512CD, AVX-512BW, AVX-512DQ. - Support for new AMD instructions monitorx and mwaitx has been added. This includes new intrinsic and built-in support. It is enabled through option -mmwaitx. The instructions monitorx and mwaitx implement the same functionality as the old monitor and mwait instructions. In addition mwaitx adds a configurable timer. The timer value is received as third argument and stored in register %ebx. - x86-64 targets now allow stack realignment from a word-aligned stack pointer using the command-line option -mstackrealign or __attribute__ ((force_align_arg_pointer)). This allows functions compiled with a vector-aligned stack to be invoked from objects that keep only word-alignment. - Support for address spaces __seg_fs, __seg_gs, and __seg_tls. These can be used to access data via the %fs and %gs segments without having to resort to inline assembly. - Support for AMD Zen (family 17h) processors is now available through the -march=znver1 and -mtune=znver1 options. PowerPC / PowerPC64 / RS6000 improvements: - PowerPC64 now supports IEEE 128-bit floating-point using the __float128 data type. In GCC 6, this is not enabled by default, but you can enable it with -mfloat128. The IEEE 128-bit floating-point support requires the use of the VSX instruction set. IEEE 128-bit floating-point values are passed and returned as a single vector value. The software emulator for IEEE 128-bit floating-point support is only built on PowerPC GNU/Linux systems where the default CPU is at least power7. On future ISA 3.0 systems (POWER 9 and later), you will be able to use the -mfloat128-hardware option to use the ISA 3.0 instructions that support IEEE 128-bit floating-point. An additional type (__ibm128) has been added to refer to the IBM extended double type that normally implements long double. This will allow for a future transition to implementing long double with IEEE 128-bit floating-point. - Basic support has been added for POWER9 hardware that will use the recently published OpenPOWER ISA 3.0 instructions. The following new switches are available: - -mcpu=power9: Implement all of the ISA 3.0 instructions supported by the compiler. - -mtune=power9: In the future, apply tuning for POWER9 systems. Currently, POWER8 tunings are used. - -mmodulo: Generate code using the ISA 3.0 integer instructions (modulus, count trailing zeros, array index support, integer multiply/add). - -mpower9-fusion: Generate code to suitably fuse instruction sequences for a POWER9 system. - -mpower9-dform: Generate code to use the new D-form (register+offset) memory instructions for the vector registers. - -mpower9-vector: Generate code using the new ISA 3.0 vector (VSX or Altivec) instructions. - -mpower9-minmax: Reserved for future development. - -mtoc-fusion: Keep TOC entries together to provide more fusion opportunities. - New constraints have been added to support IEEE 128-bit floating-point and ISA 3.0 instructions. - Support has been added for __builtin_cpu_is() and __builtin_cpu_supports(), allowing for very fast access to AT_PLATFORM, AT_HWCAP, and AT_HWCAP2 values. This requires use of glibc 2.23 or later. - All hardware transactional memory builtins now correctly behave as memory barriers. Programmers can use #ifdef __TM_FENCE__ to determine whether their 'old' compiler treats the builtins as barriers. - Split-stack support has been added for gccgo on PowerPC64 for both big- and little-endian (but not for 32-bit). The gold linker from at least binutils 2.25.1 must be available in the PATH when configuring and building gccgo to enable split stack. (The requirement for binutils 2.25.1 applies to PowerPC64 only.) The split-stack feature allows a small initial stack size to be allocated for each goroutine, which increases as needed. - GCC on PowerPC now supports the standard lround function. - The 'q', 'S', 'T', and 't' asm-constraints have been removed. - The 'b', 'B', 'm', 'M', and 'W' format modifiers have been removed. S/390, System z, IBM z Systems improvements: - Support for the IBM z13 processor has been added. When using the -march=z13 option, the compiler will generate code making use of the new instructions and registers introduced with the vector extension facility. The -mtune=z13 option enables z13 specific instruction scheduling without making use of new instructions. - Compiling code with -march=z13 reduces the default alignment of vector types bigger than 8 bytes to 8. This is an ABI change and care must be taken when linking modules compiled with different arch levels which interchange variables containing vector type values. For newly compiled code the GNU linker will emit a warning. - The -mzvector option enables a C/C++ language extension. This extension provides a new keyword vector which can be used to define vector type variables. (Note: This is not available when enforcing strict standard compliance e.g. with -std=c99. Either enable GNU extensions with e.g. -std=gnu99 or use __vector instead of vector.) - Additionally a set of overloaded builtins is provided which is partially compatible to the PowerPC Altivec builtins. In order to make use of these builtins the vecintrin.h header file needs to be included. - The new command line options -march=native, and -mtune=native are now available on native IBM z Systems. Specifying these options will cause GCC to auto-detect the host CPU and rewrite these options to the optimal setting for that system. If GCC is unable to detect the host CPU these options have no effect. - The IBM z Systems port now supports target attributes and pragmas. Please refer to the documentation for details of available attributes and pragmas as well as usage instructions. - -fsplit-stack is now supported as part of the IBM z Systems port. This feature requires a recent gold linker to be used. - Support for the g5 and g6 -march=/-mtune= CPU level switches has been deprecated and will be removed in a future GCC release. -m31 from now on defaults to -march=z900 if not specified otherwise. -march=native on a g5/g6 machine will default to -march=z900. An even more detailed list of features can be found at: https://gcc.gnu.org/gcc-6/changes.html ----------------------------------------- Patch: SUSE-2016-1364 Released: Fri Sep 16 17:13:43 2016 Summary: Security update for curl Severity: moderate References: 991389,991390,991391,991746,997420,CVE-2016-5419,CVE-2016-5420,CVE-2016-5421,CVE-2016-7141 Description: This update for curl fixes the following issues: Security issues fixed: - CVE-2016-5419: TLS session resumption client cert bypass (bsc#991389) - CVE-2016-5420: Re-using connections with wrong client cert (bsc#991390) - CVE-2016-5421: use of connection struct after free (bsc#991391) - CVE-2016-7141: Fixed incorrect reuse of client certificates with NSS (bsc#997420) Also the following bug was fixed: - fixing a performance issue (bsc#991746) ----------------------------------------- Patch: SUSE-2016-1370 Released: Wed Sep 21 12:58:14 2016 Summary: Security update for libgcrypt Severity: moderate References: 994157,CVE-2016-6313 Description: This update for libgcrypt fixes the following issues: - RNG prediction vulnerability (bsc#994157, CVE-2016-6313) ----------------------------------------- Patch: SUSE-2016-1533 Released: Mon Oct 24 14:12:29 2016 Summary: Recommended update for SUSE Manager Client Tools Severity: moderate References: 1002529,986447,986978,990029,990439,990440,990738,991048,993039,993549,994619,996455,998185 Description: This update fixes the following issues: cobbler: - Enabling PXE grub2 support for PowerPC (bsc#986978) rhnlib: - Add function aliases for backward compatibility (bsc#998185) salt: - Setting up OS grains for SLES-ES (SLES Expanded Support platform) - Move salt home directory to /var/lib/salt (bsc#1002529) - Generate Salt Thin with configured extra modules (bsc#990439) - Prevent pkg.install failure for expired keys (bsc#996455) - Required D-Bus and generating machine ID - Fix python-jinja2 requirements in rhel - Fix pkg.installed refresh repository failure (bsc#993549) - Fix salt.states.pkgrepo.management no change failure (bsc#990440) - Prevent snapper module crash on load if no DBus is available in the system (bsc#993039) - Prevent continuous restart, if a dependency wasn't installed (bsc#991048) - Fix beacon list to include all beacons being process - Run salt-api as user salt like the master (bsc#990029) spacewalk-backend: - Fix for non-integer IDs for bugzilla bug - Silently ignore non-existing errata severity label on errata import, remove non-used exception (bsc#986447) - Make suseLib usable on a proxy spacewalk-client-tools: - Logging message in case of malformed XML file - Prevent crashes if machine-id is None (bsc#994619) - Print invalid package name and replace the invalid character - Ignore packages with not UTF-8 characters in name, version and release (bsc#990738) ----------------------------------------- Patch: SUSE-2016-1591 Released: Wed Nov 2 12:07:51 2016 Summary: Security update for curl Severity: important References: 1005633,1005634,1005635,1005637,1005638,1005640,1005642,1005643,1005645,1005646,998760,CVE-2016-7167,CVE-2016-8615,CVE-2016-8616,CVE-2016-8617,CVE-2016-8618,CVE-2016-8619,CVE-2016-8620,CVE-2016-8621,CVE-2016-8622,CVE-2016-8623,CVE-2016-8624 Description: This update for curl fixes the following security issues: - CVE-2016-8624: invalid URL parsing with '#' (bsc#1005646) - CVE-2016-8623: Use-after-free via shared cookies (bsc#1005645) - CVE-2016-8622: URL unescape heap overflow via integer truncation (bsc#1005643) - CVE-2016-8621: curl_getdate read out of bounds (bsc#1005642) - CVE-2016-8620: glob parser write/read out of bounds (bsc#1005640) - CVE-2016-8619: double-free in krb5 code (bsc#1005638) - CVE-2016-8618: double-free in curl_maprintf (bsc#1005637) - CVE-2016-8617: OOB write via unchecked multiplication (bsc#1005635) - CVE-2016-8616: case insensitive password comparison (bsc#1005634) - CVE-2016-8615: cookie injection for other servers (bsc#1005633) - CVE-2016-7167: escape and unescape integer overflows (bsc#998760) ----------------------------------------- Patch: SUSE-2016-1614 Released: Mon Nov 7 20:01:31 2016 Summary: Recommended update for shadow Severity: low References: 1002975 Description: This update for shadow fixes the following issues: - Set file modes according to the permissions package and don't attempt to manipulate them in %files section. (bsc#1002975) ----------------------------------------- Patch: SUSE-2016-1641 Released: Thu Nov 10 20:02:04 2016 Summary: Recommended update for sg3_utils Severity: moderate References: 1006469,958369,979436 Description: This update for sg3_utils provides the following fixes: - Adjust 55-scsi-sg3_id.rules to correctly handle VPD page 0x80. This issue could prevent some IBM Power systems from booting after installation. (bsc#1006469) - Fix 55-scsi_sg3_id.rules to skip sg_inq on recent kernels. (bsc#979436) - In some circumstances, the rescan-scsi-bus.sh script failed to identify new LUNs that have been added to the server. (bsc#958369) ----------------------------------------- Patch: SUSE-2016-1716 Released: Mon Nov 28 14:52:36 2016 Summary: Recommended update for SUSE Manager Client Tools Severity: moderate References: 1003449,1004047,1004260,1004723,986019,999852 Description: This update includes the following new features: - Support Service Pack migration for Salt minions. (fate#320559) This update fixes the following issues: salt: - Fix exit codes of sysv init script. (bsc#999852) - Include resolution parameters in the Zypper debug-solver call during a dry-run dist-upgrade. - Fix Salt API crash via salt-ssh on empty roster. (bsc#1004723) - Add 'dist-upgrade' support to zypper module. (fate#320559) - Fix position of -X option to setfacl. (bsc#1004260) - Fix generated shebang in scripts on SLES-ES 7. (bsc#1004047) spacecmd: - Make exception class more generic and code fixes. (bsc#1003449) - Handle exceptions raised by listChannels. (bsc#1003449) - Alert if a non-unique package ID is detected. ----------------------------------------- Patch: SUSE-2016-1744 Released: Fri Dec 2 11:42:41 2016 Summary: Security update for pcre Severity: moderate References: 906574,924960,933288,933878,936227,942865,957566,957567,957598,957600,960837,971741,972127,CVE-2014-8964,CVE-2015-2325,CVE-2015-2327,CVE-2015-2328,CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2015-8381,CVE-2015-8382,CVE-2015-8383,CVE-2015-8384,CVE-2015-8385,CVE-2015-8386,CVE-2015-8387,CVE-2015-8388,CVE-2015-8389,CVE-2015-8390,CVE-2015-8391,CVE-2015-8392,CVE-2015-8393,CVE-2015-8394,CVE-2015-8395,CVE-2016-1283,CVE-2016-3191 Description: This update for pcre to version 8.39 (bsc#972127) fixes several issues. If you use pcre extensively please be aware that this is an update to a new version. Please make sure that your software works with the updated version. This version fixes a number of vulnerabilities that affect pcre and applications using the libary when accepting untrusted input as regular expressions or as part thereof. Remote attackers could have caused the application to crash, disclose information or potentially execute arbitrary code. These security issues were fixed: - CVE-2014-8964: Heap-based buffer overflow in PCRE allowed remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats (bsc#906574). - CVE-2015-2325: Heap buffer overflow in compile_branch() (bsc#924960). - CVE-2015-3210: Heap buffer overflow in pcre_compile2() / compile_regex() (bsc#933288) - CVE-2015-3217: PCRE Library Call Stack Overflow Vulnerability in match() (bsc#933878). - CVE-2015-5073: Library Heap Overflow Vulnerability in find_fixedlength() (bsc#936227). - bsc#942865: heap overflow in compile_regex() - CVE-2015-8380: The pcre_exec function in pcre_exec.c mishandled a // pattern with a \01 string, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957566). - CVE-2015-2327: PCRE mishandled certain patterns with internal recursive back references, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957567). - bsc#957598: Various security issues - CVE-2015-8381: Heap Overflow in compile_regex() (bsc#957598). - CVE-2015-8382: Regular Expression Uninitialized Pointer Information Disclosure Vulnerability (ZDI-CAN-2547)(bsc#957598). - CVE-2015-8383: Buffer overflow caused by repeated conditional group(bsc#957598). - CVE-2015-8384: Buffer overflow caused by recursive back reference by name within certain group(bsc#957598). - CVE-2015-8385: Buffer overflow caused by forward reference by name to certain group(bsc#957598). - CVE-2015-8386: Buffer overflow caused by lookbehind assertion(bsc#957598). - CVE-2015-8387: Integer overflow in subroutine calls(bsc#957598). - CVE-2015-8388: Buffer overflow caused by certain patterns with an unmatched closing parenthesis(bsc#957598). - CVE-2015-8389: Infinite recursion in JIT compiler when processing certain patterns(bsc#957598). - CVE-2015-8390: Reading from uninitialized memory when processing certain patterns(bsc#957598). - CVE-2015-8391: Some pathological patterns causes pcre_compile() to run for a very long time(bsc#957598). - CVE-2015-8392: Buffer overflow caused by certain patterns with duplicated named groups(bsc#957598). - CVE-2015-8393: Information leak when running pcgrep -q on crafted binary(bsc#957598). - CVE-2015-8394: Integer overflow caused by missing check for certain conditions(bsc#957598). - CVE-2015-8395: Buffer overflow caused by certain references(bsc#957598). - CVE-2015-2328: PCRE mishandled the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression (bsc#957600). - CVE-2016-1283: The pcre_compile2 function in pcre_compile.c in PCRE mishandled certain patterns with named subgroups, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression (bsc#960837). - CVE-2016-3191: The compile_branch function in pcre_compile.c in pcre2_compile.c mishandled patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allowed remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression (bsc#971741). These non-security issues were fixed: - JIT compiler improvements - performance improvements - The Unicode data tables have been updated to Unicode 7.0.0. ----------------------------------------- Patch: SUSE-2016-1782 Released: Fri Dec 9 13:35:02 2016 Summary: Recommended update for systemd Severity: moderate References: 1001790,1004289,1005404,1006372,1006690,989831,991443 Description: This update for systemd provides the following fixes: - Allow to redirect confirmation messages to a different console. (bsc#1006690) - Do not bind a mount unit to a device, if it was from mountinfo. (bsc#989831) - Decrease systemd-nspawn's non-fatal mount errors to debug level. (bsc#1004289) - Don't emit space usage message right after opening the persistent journal. (bsc#991443) - Change owner of /var/log/journal/remote and create /var/lib/systemd/journal-upload. (bsc#1006372) - Document that *KeyIgnoreInhibited only apply to a subset of locks. - Revert 'logind: really handle *KeyIgnoreInhibited options in logind.conf'. (bsc#1001790, bsc#1005404) - Revert 'kbd-model-map: add more mappings offered by Yast'. - Don't busy loop when we get a notification message we can't process. - Rename kbd-model-map-extra into kbd-model-map.legacy. - Add kbd-model-map-extra file which contains the additional maps needed by YaST. - Drop localfs.service: unused and not needed anymore. ----------------------------------------- Patch: SUSE-2016-1827 Released: Thu Dec 15 12:41:10 2016 Summary: Security update for pcre Severity: moderate References: 906574,924960,933288,933878,936227,942865,957566,957567,957598,957600,960837,971741,972127,CVE-2014-8964,CVE-2015-2325,CVE-2015-2327,CVE-2015-2328,CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2015-8381,CVE-2015-8382,CVE-2015-8383,CVE-2015-8384,CVE-2015-8385,CVE-2015-8386,CVE-2015-8387,CVE-2015-8388,CVE-2015-8389,CVE-2015-8390,CVE-2015-8391,CVE-2015-8392,CVE-2015-8393,CVE-2015-8394,CVE-2015-8395,CVE-2016-1283,CVE-2016-3191 Description: This update for pcre to version 8.39 (bsc#972127) fixes several issues. If you use pcre extensively please be aware that this is an update to a new version. Please make sure that your software works with the updated version. This version fixes a number of vulnerabilities that affect pcre and applications using the libary when accepting untrusted input as regular expressions or as part thereof. Remote attackers could have caused the application to crash, disclose information or potentially execute arbitrary code. These security issues were fixed: - CVE-2014-8964: Heap-based buffer overflow in PCRE allowed remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats (bsc#906574). - CVE-2015-2325: Heap buffer overflow in compile_branch() (bsc#924960). - CVE-2015-3210: Heap buffer overflow in pcre_compile2() / compile_regex() (bsc#933288) - CVE-2015-3217: PCRE Library Call Stack Overflow Vulnerability in match() (bsc#933878). - CVE-2015-5073: Library Heap Overflow Vulnerability in find_fixedlength() (bsc#936227). - bsc#942865: heap overflow in compile_regex() - CVE-2015-8380: The pcre_exec function in pcre_exec.c mishandled a // pattern with a \01 string, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957566). - CVE-2015-2327: PCRE mishandled certain patterns with internal recursive back references, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957567). - bsc#957598: Various security issues - CVE-2015-8381: Heap Overflow in compile_regex() (bsc#957598). - CVE-2015-8382: Regular Expression Uninitialized Pointer Information Disclosure Vulnerability (ZDI-CAN-2547)(bsc#957598). - CVE-2015-8383: Buffer overflow caused by repeated conditional group(bsc#957598). - CVE-2015-8384: Buffer overflow caused by recursive back reference by name within certain group(bsc#957598). - CVE-2015-8385: Buffer overflow caused by forward reference by name to certain group(bsc#957598). - CVE-2015-8386: Buffer overflow caused by lookbehind assertion(bsc#957598). - CVE-2015-8387: Integer overflow in subroutine calls(bsc#957598). - CVE-2015-8388: Buffer overflow caused by certain patterns with an unmatched closing parenthesis(bsc#957598). - CVE-2015-8389: Infinite recursion in JIT compiler when processing certain patterns(bsc#957598). - CVE-2015-8390: Reading from uninitialized memory when processing certain patterns(bsc#957598). - CVE-2015-8391: Some pathological patterns causes pcre_compile() to run for a very long time(bsc#957598). - CVE-2015-8392: Buffer overflow caused by certain patterns with duplicated named groups(bsc#957598). - CVE-2015-8393: Information leak when running pcgrep -q on crafted binary(bsc#957598). - CVE-2015-8394: Integer overflow caused by missing check for certain conditions(bsc#957598). - CVE-2015-8395: Buffer overflow caused by certain references(bsc#957598). - CVE-2015-2328: PCRE mishandled the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression (bsc#957600). - CVE-2016-1283: The pcre_compile2 function in pcre_compile.c in PCRE mishandled certain patterns with named subgroups, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression (bsc#960837). - CVE-2016-3191: The compile_branch function in pcre_compile.c in pcre2_compile.c mishandled patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allowed remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression (bsc#971741). These non-security issues were fixed: - JIT compiler improvements - performance improvements - The Unicode data tables have been updated to Unicode 7.0.0. ----------------------------------------- Patch: SUSE-2016-1863 Released: Wed Dec 21 10:41:35 2016 Summary: Recommended updated for pth Severity: low References: 1013286 Description: This update adds the 32bit version of libpth20 to SUSE Linux Enterprise 12 SP1 and 12 SP2. ----------------------------------------- Patch: SUSE-2016-1901 Released: Thu Dec 22 17:33:41 2016 Summary: Optional update for SLE 12 Modules for ARM64 Severity: low References: 1002576 Description: This update introduces many packages that were missing in the ARM64 version of the Web and Scripting, Manager Tools and Public Cloud Modules for SUSE Linux Enterprise Server 12 SP2. ----------------------------------------- Patch: SUSE-2017-2 Released: Mon Jan 2 08:35:08 2017 Summary: Security update for zlib Severity: moderate References: 1003577,1003579,1003580,1013882,CVE-2016-9840,CVE-2016-9841,CVE-2016-9842,CVE-2016-9843 Description: This update for zlib fixes the following issues: CVE-2016-9843: Big-endian out-of-bounds pointer CVE-2016-9842: Undefined Left Shift of Negative Number (bsc#1003580) CVE-2016-9840 CVE-2016-9841: Out-of-bounds pointer arithmetic in inftrees.c (bsc#1003579) Incompatible declarations for external linkage function deflate (bsc#1003577) ----------------------------------------- Patch: SUSE-2017-6 Released: Tue Jan 3 15:01:58 2017 Summary: Recommended update for systemd Severity: moderate References: 1012390,1012591,1012818,1013989,1015515,909418,912715,945340,953807,963290,990538 Description: This update for systemd fixes the following issues: - core: Make mount units from /proc/self/mountinfo possibly bind to a device. Fixes unmounting issues when ejecting CDs or DVDs. (bsc#909418, bsc#912715, bsc#945340) - fstab-generator: Remove bogus condition that leads to warnings on boot. (bsc#1013989) - coredumpctl: Let gdb handle the SIGINT signal. (bsc#1012591) - Ship kbd-model-map with the correct contents. (bsc#1015515) - rules: Set SYSTEMD_READY=0 on DM_UDEV_DISABLE_OTHER_RULES_FLAG=1 only with ADD event. (bsc#963290, bsc#990538) - tmpfiles: Don't skip path_set_perms on error. (bsc#953807) - nspawn: Properly handle image/directory paths that are symbolic links. (bsc#1012390) - systemctl: Fix 'is-enabled' exit status on failure when executed in chroot. (bsc#1012818) ----------------------------------------- Patch: SUSE-2017-32 Released: Mon Jan 9 11:50:42 2017 Summary: Recommended update for dirmngr Severity: low References: 994794 Description: This update for dirmngr enables support for daemon mode. ----------------------------------------- Patch: SUSE-2017-47 Released: Wed Jan 11 11:42:43 2017 Summary: Recommended update for systemd Severity: important References: 1018214,1018399 Description: This update for systemd fixes the following two issues: - A regression in the previous update (SUSE-RU-2017:0013-1, bsc#909418) could have caused systemd to freeze. (bsc#1018399) - Warnings emitted when udev socket units are restarted during package upgrade were silenced. (bsc#1018214) ----------------------------------------- Patch: SUSE-2017-77 Released: Tue Jan 17 10:06:02 2017 Summary: Recommended update for salt Severity: moderate References: 1003449,1004047,1004260,1004723,1008933,1012398,986019,999852,CVE-2016-9639 Description: This update for Salt fixes one security issue and several non-security issues. The following security issue has been fixed: - Fix possible information leak due to revoked keys still being used. (bsc#1012398, CVE-2016-9639) The following non-security issues have been fixed: - Update to 2015.8.12 - Add pre-require to salt for minions. - Do not restart salt-minion in salt package. - Add try-restart to sys-v init scripts. - Add 'Restart=on-failure' for salt-minion systemd service. - Re-introduce 'KillMode=process' for salt-minion systemd service. - Successfully exit of salt-api child processes when SIGTERM is received. - Fix exit codes of sysv init script. (bsc#999852) - Include resolution parameters in the Zypper debug-solver call during a dry-run dist-upgrade. - Fix Salt API crash via salt-ssh on empty roster. (bsc#1004723) - Add 'dist-upgrade' support to zypper module. (fate#320559) - Fix position of -X option to setfacl. (bsc#1004260) - Fix generated shebang in scripts on SLES-ES 7. (bsc#1004047) - Fix changing default-timezone. (bsc#1008933) ----------------------------------------- Patch: SUSE-2017-98 Released: Thu Jan 19 10:17:55 2017 Summary: Recommended update for kmod Severity: low References: 998906 Description: This update for kmod fixes a rare race condition while loading modules. ----------------------------------------- Patch: SUSE-2017-149 Released: Wed Jan 25 09:17:08 2017 Summary: Security update for systemd Severity: important References: 1012266,1014560,1014566,1020601,997682,CVE-2016-10156 Description: This update for systemd fixes the following issues: This security issue was fixed: - CVE-2016-10156: Fix permissions set on permanent timer timestamp files, preventing local unprivileged users from escalating privileges (bsc#1020601). These non-security issues were fixed: - Fix permission set on /var/lib/systemd/linger/* - install: follow config_path symlink (#3362) - install: fix disable when /etc/systemd/system is a symlink (bsc#1014560) - run: make --slice= work in conjunction with --scope (bsc#1014566) - core: don't dispatch load queue when setting Slice= for transient units - systemctl: remove duplicate entries showed by list-dependencies (#5049) (bsc#1012266) - rule: don't automatically online standby memory on s390x (bsc#997682) ----------------------------------------- Patch: SUSE-2017-170 Released: Mon Jan 30 19:13:36 2017 Summary: Initial release of Salt Severity: low References: 989693 Description: This update adds Salt to the Advanced Systems Management 12 Module. Salt is a distributed remote execution system used to execute commands and query data. It was developed in order to bring the best solutions found in the world of remote execution together and make them better, faster and more malleable. Salt accomplishes this via its ability to handle larger loads of information, and not just dozens, but hundreds or even thousands of individual servers, handle them quickly and through a simple and manageable interface. ----------------------------------------- Patch: SUSE-2017-185 Released: Thu Feb 2 18:22:37 2017 Summary: Security update for cpio Severity: moderate References: 1020108,963448,CVE-2016-2037 Description: This update for cpio fixes two issues. This security issue was fixed: - CVE-2016-2037: The cpio_safer_name_suffix function in util.c in cpio allowed remote attackers to cause a denial of service (out-of-bounds write) via a crafted cpio file (bsc#963448). This non-security issue was fixed: - bsc#1020108: Always use 32 bit CRC to prevent checksum errors for files greater than 32MB ----------------------------------------- Patch: SUSE-2017-192 Released: Fri Feb 3 18:46:05 2017 Summary: Security update for libxml2 Severity: moderate References: 1005544,1010675,1013930,1014873,1017497,CVE-2016-4658,CVE-2016-9318,CVE-2016-9597 Description: This update for libxml2 fixes the following issues: * CVE-2016-4658: use-after-free error could lead to crash [bsc#1005544] * Fix NULL dereference in xpointer.c when in recovery mode [bsc#1014873] * CVE-2016-9597: An XML document with many opening tags could have caused a overflow of the stack not detected by the recursion limits, allowing for DoS (bsc#1017497). For CVE-2016-9318 we decided not to ship a fix since it can break existing setups. Please take appropriate actions if you parse untrusted XML files and use the new -noxxe flag if possible (bnc#1010675, bnc#1013930). ----------------------------------------- Patch: SUSE-2017-209 Released: Tue Feb 7 17:00:47 2017 Summary: Recommended update for libseccomp Severity: low References: 1019900 Description: This update provides libseccomp version 2.3.1 which fixes the following issues: - Fixed a problem with 32-bit x86 socket syscalls on some systems (fate#321647, bsc#1019900) - Fixed problems with ipc syscalls on 32-bit x86 - Fixed problems with socket and ipc syscalls on s390 and s390x ----------------------------------------- Patch: SUSE-2017-212 Released: Wed Feb 8 13:07:24 2017 Summary: Security update for expat Severity: moderate References: 983215,983216,CVE-2012-6702,CVE-2016-5300 Description: This update for expat fixes the following security issues: - CVE-2012-6702: Expat, when used in a parser that has not called XML_SetHashSalt or passed it a seed of 0, made it easier for context-dependent attackers to defeat cryptographic protection mechanisms via vectors involving use of the srand function. (bsc#983215) - CVE-2016-5300: The XML parser in Expat did not use sufficient entropy for hash initialization, which allowed context-dependent attackers to cause a denial of service (CPU consumption) via crafted identifiers in an XML document. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0876. (bsc#983216) ----------------------------------------- Patch: SUSE-2017-228 Released: Fri Feb 10 15:39:32 2017 Summary: Security update for openssl Severity: moderate References: 1000677,1001912,1009528,1019637,1021641,1022085,1022086,1022271,CVE-2016-7055,CVE-2017-3731,CVE-2017-3732 Description: This update for openssl fixes the following issues contained in the OpenSSL Security Advisory [26 Jan 2017] (bsc#1021641) Security issues fixed: - CVE-2016-7055: The x86_64 optimized montgomery multiplication may produce incorrect results (bsc#1009528) - CVE-2017-3731: Truncated packet could crash via OOB read (bsc#1022085) - CVE-2017-3732: BN_mod_exp may produce incorrect results on x86_64 (bsc#1022086) - Degrade the 3DES cipher to MEDIUM in SSLv2 (bsc#1001912) Non-security issues fixed: - fix crash in openssl speed (bsc#1000677) - fix X509_CERT_FILE path (bsc#1022271) - AES XTS key parts must not be identical in FIPS mode (bsc#1019637) ----------------------------------------- Patch: SUSE-2017-261 Released: Mon Feb 20 11:00:28 2017 Summary: Recommended update for dirmngr Severity: low References: 1019276 Description: This update for dirmngr fixes the following issues: - Properly initialize the dirmngr tmpfilesd files right away and not just during reboot - Own the /usr/lib/tmpfiles.d/ folder as it is needed in older systemds wrt (bsc#1019276) - Proprely require logrotate as we need it for the dirmngr configs ----------------------------------------- Patch: SUSE-2017-347 Released: Wed Mar 8 12:23:47 2017 Summary: Recommended update for Salt Severity: moderate References: 1011304,1017078 Description: This update for salt fixes the following issues: - Fix invalid chars allowed for data IDs. (bsc#1011304) - Fix timezone: Should be always in UTC. (bsc#1017078) - Fixes wrong 'enabled' opts for yumnotify plugin. - SSH-option parameter for salt-ssh command. ----------------------------------------- Patch: SUSE-2017-365 Released: Fri Mar 10 15:16:59 2017 Summary: Recommended update for sg3_utils Severity: low References: 1006175 Description: This update for sg3_utils fixes the following issue: - Add udev rules to handle legacy CCISS devices (bsc#1006175) ----------------------------------------- Patch: SUSE-2017-389 Released: Thu Mar 16 14:16:43 2017 Summary: Recommended update for systemd Severity: moderate References: 1004094,1006687,1019470,1022014,1022047,1025598,995936 Description: This update for systemd provides the following fixes: - core: Fix memory leak in transient units. (bsc#1025598) - core: Destroy all name watching bus slots when we are kicked off the bus. (bsc#1006687) - sd-event: Fix incorrect assertion. (bsc#995936, bsc#1022014) - journald: Don't flush to /var/log/journal before we get asked to. (bsc#1004094) - core: Downgrade warning about duplicate device names. (bsc#1022047) - units: Remove no longer needed ldconfig service. (bsc#1019470) ----------------------------------------- Patch: SUSE-2017-439 Released: Tue Mar 21 10:48:47 2017 Summary: Recommended update for netcfg Severity: low References: 1028305,959693 Description: This update for netcfg provides the following fixes: - Update script to generate services to use UTF8 by default. (bsc#1028305) - Repack services.bz2 with latest from upstream and adjust the script to not add all the names and emails at the bottom of the file. (bsc#959693) ----------------------------------------- Patch: SUSE-2017-448 Released: Wed Mar 22 13:31:03 2017 Summary: Recommended update for python Severity: moderate References: 1027282,964182 Description: This update provides Python 2.7.13, which brings several bug fixes. - Fix build with NCurses 6.0 and OPAQUE_WINDOW set to 1. - Update cipher lists for OpenSSL wrapper and support OpenSSL 1.1.0 and newer. - Incorporate more integer overflow checks from upstream. (bsc#964182) - Provide python2-* symbols to support new packages built as python2-. For a comprehensive list of changes, please refer to the upstream Release Notes available at https://hg.python.org/cpython/raw-file/v2.7.13/Misc/NEWS ----------------------------------------- Patch: SUSE-2017-462 Released: Fri Mar 24 21:58:07 2017 Summary: Recommended update for lvm2 Severity: moderate References: 1012973,1015943,1017034,1023283,1025560,1025630 Description: This update for lvm2 fixes the following issues: - Fix clvmd segmentation fault on ppc64le architecture. (bsc#1025630) - Fix several trivial issues about clvmd/cmirrord resource agents. (bsc#1023283, bsc#1025560) - Use {local,remote}-fs-pre.target instead of {local,remote}-fs.target. (bsc#1017034) - Simplify special-case for md in 69-dm-lvm-metadata.rules. (bsc#1012973) - Add systemd_requires to device-mapper package. (bsc#1015943) ----------------------------------------- Patch: SUSE-2017-464 Released: Mon Mar 27 15:50:51 2017 Summary: Recommended update for glibc Severity: moderate References: 1007851,1029725,1029900 Description: This update for glibc fixes a potential segmentation fault in libpthread: - Fork in libpthread cannot use IFUNC resolver. (bsc#1007851, bsc#1029725, bsc#1029900) ----------------------------------------- Patch: SUSE-2017-580 Released: Wed Apr 12 23:58:47 2017 Summary: Recommended update for cpio Severity: important References: 1028410 Description: This update for cpio fixes the following issues: - A regression caused cpio to crash for tar and ustar archive types [bsc#1028410] ----------------------------------------- Patch: SUSE-2017-609 Released: Tue Apr 18 11:28:14 2017 Summary: Security update for curl Severity: moderate References: 1015332,1027712,1032309,CVE-2016-9586,CVE-2017-7407 Description: This update for curl fixes the following issues: Security issue fixed: - CVE-2016-9586: libcurl printf floating point buffer overflow (bsc#1015332) - CVE-2017-7407: The ourWriteOut function in tool_writeout.c in curl might have allowed physically proximate attackers to obtain sensitive information from process memory in opportunistic circumstances by reading a workstation screen during use of a --write-out argument ending in a '%' character, which lead to a heap-based buffer over-read (bsc#1032309). With this release new default ciphers are active (SUSE_DEFAULT, bsc#1027712). ----------------------------------------- Patch: SUSE-2017-656 Released: Fri Apr 28 16:12:30 2017 Summary: Recommended update for sqlite3 Severity: low References: 1019518,1025034 Description: This update for sqlite3 provides the following fixes: - Avoid calling sqlite3OsFetch() on a file-handle for which the xFetch method is NULL. This prevents a potential segmentation fault. (bsc#1025034) - Fix defect in the in-memory journal logic that could leave the read cursor for the in-memory journal in an inconsistent state and result in a segmentation fault. (bsc#1019518) ----------------------------------------- Patch: SUSE-2017-732 Released: Wed May 10 14:03:43 2017 Summary: Recommended update for procps Severity: low References: 1030621 Description: This update for procps fixes the following issues: - Command w(1) with option -n doesn't work. (bsc#1030621) ----------------------------------------- Patch: SUSE-2017-735 Released: Wed May 10 15:43:46 2017 Summary: Recommended update for gpg2 Severity: low References: 1036736,986783 Description: This update for gpg2 provides the following fixes: - Do not install CAcert and other root certificates which are not needed with Let's Encrypt. (bsc#1036736) - Initialize the trustdb before import attempt. (bsc#986783) ----------------------------------------- Patch: SUSE-2017-751 Released: Thu May 11 17:14:30 2017 Summary: Recommended update for systemd Severity: moderate References: 1010220,1025398,1025886,1028263,1028610,1029183,1029691,1030290,1031355,1032538,1032660,1033855,1034565,955770 Description: This update for systemd provides the following fixes: - logind: Update empty and 'infinity' handling for [User]TasksMax. (bsc#1031355) - importd: Support SUSE style checksums. (fate#322054) - journal: Don't remove leading spaces. (bsc#1033855) - Make sure all swap units are ordered before the swap target. (bsc#955770, bsc#1034565) - hwdb: Fix warning 'atkbd serio0: Unknown key pressed'. (bsc#1010220) - logind: Restart logind on package update only on SLE12 distros. (bsc#1032660) - core: Treat masked files as 'unchanged'. (bsc#1032538) - units: Move Before deps for quota services to remote-fs.target. (bsc#1028263) - udev: Support predictable ifnames on vio buses. (bsc#1029183) - udev: Add a persistent rule for ibmvnic devices. (bsc#1029183) - units: Do not throw a warning in emergency mode if plymouth is not installed. (bsc#1025398) - core: Downgrade 'Time has been changed' message to debug level. (bsc#1028610) - vconsole: Don't do GIO_SCRNMAP / GIO_UNISCRNMAP. (bsc#1029691) - udev-rules: Perform whitespace replacement for symlink subst values. (bsc#1025886) - Consider chroot updates in fix-machines-subvol-for-rollbacks.sh. (bsc#1030290) ----------------------------------------- Patch: SUSE-2017-794 Released: Tue May 16 15:41:09 2017 Summary: Security update for bash Severity: moderate References: 1010845,1035371,CVE-2016-9401 Description: This update for bash fixes an issue that could lead to syntax errors when parsing scripts that use expr(1) inside loops. Additionally, the popd build-in now ensures that the normalized stack offset is within bounds before trying to free that stack entry. This fixes a segmentation fault. ----------------------------------------- Patch: SUSE-2017-799 Released: Wed May 17 00:21:13 2017 Summary: Recommended update for glibc Severity: low References: 1026224,1035445 Description: This update for glibc introduces basic support for IBM POWER9 systems. Additionally, an improper assert in dlclose() has been removed. ----------------------------------------- Patch: SUSE-2017-821 Released: Fri May 19 00:17:44 2017 Summary: Recommended update for Salt Severity: moderate References: 1019386,1022841,1023535,1027044,1027240,1027722,1030009,1032213,1032452 Description: This update for salt fixes the following issues: - Refactoring on Zypper and Yum execution and state modules to allow installation of patches/errata. - Fix log rotation permission issue (bsc#1030009) - Use pkg/suse/salt-api.service by this package - Set SHELL environment variable for the salt-api.service. - Fix 'timeout' and 'gather_job_timeout' kwargs parameters for 'local_batch' client. - Add missing bootstrap script for Salt Cloud. (bsc#1032452) - Add missing /var/cache/salt/cloud directory. (bsc#1032213) - Add test case for race conditions on cache directory creation. - Add 'pkg.install downloadonly=True' support to yum/dnf execution module. - Makes sure 'gather_job_timeout' is an Integer. - Add 'pkg.downloaded' state and support for installing patches/erratas. - Merge master_tops output. - Fix race condition on cache directory creation. - Cleanup salt user environment preparation. (bsc#1027722) - Don't send passwords after shim delimiter is found. (bsc#1019386) - Allow to set 'timeout' and 'gather_job_timeout' via kwargs. - Allow to set custom timeouts for 'manage.up' and 'manage.status'. - Define with system for fedora and RHEL 7. (bsc#1027240) - Fix service state returning stacktrace. (bsc#1027044) - Add OpenSCAP Module. - Prevents 'OSError' exception in case certain job cache path doesn't exist. (bsc#1023535) - Fix issue with cp.push. - Fix salt-minion update on RHEL. (bsc#1022841) - Adding new functions to Snapper execution module. ----------------------------------------- Patch: SUSE-2017-865 Released: Wed May 24 16:23:20 2017 Summary: Security update for pam Severity: moderate References: 1015565,1037824,934920,CVE-2015-3238 Description: This update for pam fixes the following issues: - CVE-2015-3238: pam_unix in conjunction with SELinux allowed for DoS attacks (bsc#934920). - log a hint to syslog if /etc/nologin is present, but empty (bsc#1015565). - If /etc/nologin is present, but empty, log a hint to syslog. (bsc#1015565) - Added support for libowcrypt.so, if present, to configure support for BLOWFISH (bsc#1037824) ----------------------------------------- Patch: SUSE-2017-873 Released: Fri May 26 16:19:47 2017 Summary: Recommended update for e2fsprogs Severity: low References: 1009532,960273 Description: This update for e2fsprogs provides the following fixes: - Fix 32/64-bit overflow when multiplying by blocks/clusters per group. This allows resize2fs(8) to resize file systems larger than 20 TB. (bsc#1009532) - Update spec file to regenerate initrd when e2fsprogs is updated or uninstalled. (bsc#960273) ----------------------------------------- Patch: SUSE-2017-877 Released: Mon May 29 15:11:48 2017 Summary: Recommended update for cryptsetup Severity: low References: 1031998 Description: This update for cryptsetup provides the following fix: - Don't use a zero-filled empty key, because in FIPS, XTS mode key parts mustn't be equivalent (bsc#1031998) ----------------------------------------- Patch: SUSE-2017-891 Released: Tue May 30 22:28:21 2017 Summary: Security update for libxml2 Severity: moderate References: 1039063,1039064,1039066,1039069,1039661,981114,CVE-2016-1839,CVE-2017-9047,CVE-2017-9048,CVE-2017-9049,CVE-2017-9050 Description: This update for libxml2 fixes the following issues: - CVE-2017-9047, CVE-2017-9048: The function xmlSnprintfElementContent in valid.c was vulnerable to a stack buffer overflow (bsc#1039063, bsc#1039064) - CVE-2017-9049: The function xmlDictComputeFastKey in dict.c was vulnerable to a heap-based buffer over-read. (bsc#1039066) - CVE-2017-9050: The function xmlDictAddString was vulnerable to a heap-based buffer over-read (bsc#1039661) - CVE-2016-1839: heap-based buffer overflow (xmlDictAddString func) (bnc#1039069) ----------------------------------------- Patch: SUSE-2017-907 Released: Thu Jun 1 14:23:36 2017 Summary: Recommended update for shadow Severity: low References: 1003978,1031643 Description: This update for shadow fixes the following issues: - Dynamically added users via pam_group are not listed in groups databases but are still valid. (bsc#1031643) - useradd(8) and groupadd(8) performance issue when using SSSD. Previously the entire possible UID/GID was iterated to find an available UID/GID. This could take long time over a network device. Instead, find available UID/GID locally, and then check only those values over network. (bsc#1003978) ----------------------------------------- Patch: SUSE-2017-918 Released: Tue Jun 6 12:35:44 2017 Summary: Recommended update for libsemanage, selinux-policy Severity: moderate References: 1020143,1032445,1035818,1038189 Description: This update for libsemanage, selinux-policy fixes the following issues: - Limit to policy version 29 by default. - Fix policy module build failures and wrong policy path on SLE 12 SP2 (bsc#1038189, bsc#1035818, bsc#1020143, bsc#1032445) ----------------------------------------- Patch: SUSE-2017-939 Released: Mon Jun 12 10:56:22 2017 Summary: Security update for libxml2 Severity: moderate References: 1039063,1039064,1039066,1039069,1039661,CVE-2017-9047,CVE-2017-9048,CVE-2017-9049,CVE-2017-9050 Description: This update for libxml2 fixes the following security issues: * CVE-2017-9050: A heap-based buffer over-read in xmlDictAddString (bsc#1039069, bsc#1039661) * CVE-2017-9049: A heap-based buffer overflow in xmlDictComputeFastKey (bsc#1039066) * CVE-2017-9048: A stack overflow vulnerability in xmlSnprintfElementContent (bsc#1039063) * CVE-2017-9047: A stack overflow vulnerability in xmlSnprintfElementContent (bsc#1039064) ----------------------------------------- Patch: SUSE-2017-959 Released: Wed Jun 14 14:38:11 2017 Summary: Recommended update for gcc5 Severity: low References: 1043580 Description: This update for gcc5 fixes the version of libffi in its pkg-config configuration file. ----------------------------------------- Patch: SUSE-2017-962 Released: Wed Jun 14 16:33:07 2017 Summary: Security update for openldap2 Severity: moderate References: 1009470,1037396,1041764,972331,CVE-2017-9287 Description: This update for openldap2 fixes the following issues: Security issues fixed: - CVE-2017-9287: A double free vulnerability in the mdb backend during search with page size 0 was fixed (bsc#1041764) Non security bugs fixed: - Let OpenLDAP read system-wide certificates by default and don't hide the error if the user-specified CA location cannot be read. (bsc#1009470) - Fix an uninitialised variable that causes startup failure (bsc#1037396) - Fix an issue with transaction management that can cause server crash (bsc#972331) ----------------------------------------- Patch: SUSE-2017-974 Released: Fri Jun 16 13:49:05 2017 Summary: Security update for Salt Severity: moderate References: 1011800,1012999,1017078,1020831,1022562,1025896,1027240,1027722,1030009,1030073,1032931,1035912,1035914,1036125,1038855,1039370,1040584,1040886,1043111,CVE-2017-5200,CVE-2017-8109 Description: This update for salt provides version 2016.11.4 and brings various fixes and improvements: - Adding a salt-minion watchdog for RHEL6 and SLES11 systems (sysV) to restart salt-minion in case of crashes during upgrade. - Fix format error. (bsc#1043111) - Fix ownership for whole master cache directory. (bsc#1035914) - Disable 3rd party runtime packages to be explicitly recommended. (bsc#1040886) - Fix insecure permissions in salt-ssh temporary files. (bsc#1035912, CVE-2017-8109) - Disable custom rosters for Salt SSH via Salt API. (bsc#1011800, CVE-2017-5200) - Orchestrate and batches don't return false failed information anymore. - Speed-up cherrypy by removing sleep call. - Fix os_family grains on SUSE. (bsc#1038855) - Fix setting the language on SUSE systems. (bsc#1038855) - Use SUSE specific salt-api.service. (bsc#1039370) - Fix using hostname for minion ID as '127'. - Fix core grains constants for timezone. (bsc#1032931) - Minor fixes on new pkg.list_downloaded. - Listing all type of advisory patches for Yum module. - Prevents zero length error on Python 2.6. - Fixes zypper test error after backporting. - Raet protocol is no longer supported. (bsc#1020831) - Fix moving SSH data to the new home. (bsc#1027722) - Fix logrotating /var/log/salt/minion. (bsc#1030009) - Fix result of master_tops extension is mutually overwritten. (bsc#1030073) - Allows to set 'timeout' and 'gather_job_timeout' via kwargs. - Allows to set custom timeouts for 'manage.up' and 'manage.status'. - Use salt's ordereddict for comparison. - Fix scripts for salt-proxy. - Add openscap module. - File.get_managed regression fix. - Fix translate variable arguments if they contain hidden keywords. (bsc#1025896) - Added unit test for dockerng.sls_build dryrun. - Added dryrun to dockerng.sls_build. - Update dockerng minimal version requirements. - Fix format error in error parsing. - Keep fix for migrating salt home directory. (bsc#1022562) - Fix salt pkg.latest raises exception if package is not available. (bsc#1012999) - Timezone should always be in UTC. (bsc#1017078) - Fix timezone handling for rpm installtime. (bsc#1017078) - Increasing timeouts for running integrations tests. - Add buildargs option to dockerng.build module. - Fix error when missing ssh-option parameter. - Re-add yum notify plugin. - All kwargs to dockerng.create to provide all features to sls_build as well. - Datetime should be returned always in UTC. - Fix possible crash while deserialising data on infinite recursion in scheduled state. (bsc#1036125) - Documentation refresh to 2016.11.4 - For a detailed description, please refer to: + https://docs.saltstack.com/en/develop/topics/releases/2016.11.4.html + https://docs.saltstack.com/en/develop/topics/releases/2016.11.3.html + https://docs.saltstack.com/en/develop/topics/releases/2016.11.2.html + https://docs.saltstack.com/en/develop/topics/releases/2016.11.1.html ----------------------------------------- Patch: SUSE-2017-985 Released: Mon Jun 19 14:57:41 2017 Summary: Security update for libgcrypt Severity: moderate References: 1042326,931932,CVE-2017-9526 Description: This update for libgcrypt fixes the following issues: - CVE-2017-9526: Store the session key in secure memory to ensure that constant time point operations are used in the MPI library. (bsc#1042326) - Don't require secure memory for the fips selftests, this prevents the 'Oops, secure memory pool already initialized' warning. (bsc#931932) ----------------------------------------- Patch: SUSE-2017-990 Released: Mon Jun 19 17:19:44 2017 Summary: Security update for glibc Severity: important References: 1039357,1040043,CVE-2017-1000366 Description: This update for glibc fixes the following issues: - CVE-2017-1000366: Fix a potential privilege escalation vulnerability that allowed unprivileged system users to manipulate the stack of setuid binaries to gain special privileges. [bsc#1039357] - A bug in glibc that could result in deadlocks between malloc() and fork() has been fixed. [bsc#1040043] ----------------------------------------- Patch: SUSE-2017-1033 Released: Fri Jun 23 16:38:55 2017 Summary: Recommended update for e2fsprogs Severity: low References: 1038194 Description: This update for e2fsprogs provides the following fixes: - Don't ignore fsync errors in libext2fs. (bsc#1038194) - Fix fsync(2) detection in libext2fs. (bsc#1038194) ----------------------------------------- Patch: SUSE-2017-1036 Released: Mon Jun 26 08:12:24 2017 Summary: Security update for libxml2 Severity: moderate References: 1024989,1044337,CVE-2017-0663,CVE-2017-5969 Description: This update for libxml2 fixes the following issues: Security issues fixed: * CVE-2017-0663: Fixed a heap buffer overflow in xmlAddID (bsc#1044337) * CVE-2017-5969: Fixed a NULL pointer deref in xmlDumpElementContent (bsc#1024989) ----------------------------------------- Patch: SUSE-2017-1040 Released: Mon Jun 26 13:22:26 2017 Summary: Recommended update for libsemanage, policycoreutils Severity: low References: 1043237 Description: This update for libsemanage, policycoreutils fixes the following issue: - Show version numbers of modules where they are available (bsc#1043237) ----------------------------------------- Patch: SUSE-2017-1075 Released: Thu Jun 29 18:18:50 2017 Summary: Recommended update for python-PyYAML Severity: low References: 1002895 Description: This update for python-PyYAML fixes the following issues: - Adding an implicit resolver to a derived loader should not affect the base loader. - Uniform representation for OrderedDict? across different versions of Python. - Fixed comparison to None warning. ----------------------------------------- Patch: SUSE-2017-1082 Released: Fri Jun 30 10:54:06 2017 Summary: Recommended update for dirmngr Severity: low References: 1045943 Description: This update for dirmngr provides the following fix: - Change logrotate from Requires to Recommends (bsc#1045943) ----------------------------------------- Patch: SUSE-2017-1086 Released: Fri Jun 30 15:36:17 2017 Summary: Security update for libxml2 Severity: moderate References: 1044887,1044894,CVE-2017-7375,CVE-2017-7376 Description: This update for libxml2 fixes the following issues: Security issues fixed: * CVE-2017-7376: Increase buffer space for port in HTTP redirect support (bsc#1044887) * CVE-2017-7375: Prevent unwanted external entity reference [bsc#1044894, ] ----------------------------------------- Patch: SUSE-2017-1104 Released: Tue Jul 4 16:13:55 2017 Summary: Security update for systemd Severity: moderate References: 1004995,1029102,1029516,1036873,1038865,1040258,1040614,1040942,1043758,982303,CVE-2017-9217 Description: This update for systemd fixes the following issues: Security issue fixed: - CVE-2017-9217: resolved: Fix null pointer p->question dereferencing that could lead to resolved aborting (bsc#1040614) The update also fixed several non-security bugs: - core/mount: Use the '-c' flag to not canonicalize paths when calling /bin/umount - automount: Handle expire_tokens when the mount unit changes its state (bsc#1040942) - automount: Rework propagation between automount and mount units - build: Make sure tmpfiles.d/systemd-remote.conf get installed when necessary - build: Fix systemd-journal-upload installation - basic: Detect XEN Dom0 as no virtualization (bsc#1036873) - virt: Make sure some errors are not ignored - fstab-generator: Do not skip Before= ordering for noauto mountpoints - fstab-gen: Do not convert device timeout into seconds when initializing JobTimeoutSec - core/device: Use JobRunningTimeoutSec= for device units (bsc#1004995) - fstab-generator: Apply the _netdev option also to device units (bsc#1004995) - job: Add JobRunningTimeoutSec for JOB_RUNNING state (bsc#1004995) - job: Ensure JobRunningTimeoutSec= survives serialization (bsc#1004995) - rules: Export NVMe WWID udev attribute (bsc#1038865) - rules: Introduce disk/by-id (model_serial) symbolic links for NVMe drives - rules: Add rules for NVMe devices - sysusers: Make group shadow support configurable (bsc#1029516) - core: When deserializing a unit, fully restore its cgroup state (bsc#1029102) - core: Introduce cg_mask_from_string()/cg_mask_to_string() - core:execute: Fix handling failures of calling fork() in exec_spawn() (bsc#1040258) - Fix systemd-sysv-convert when a package starts shipping service units (bsc#982303) The database might be missing when upgrading a package which was shipping no sysv init scripts nor unit files (at the time --save was called) but the new version start shipping unit files. - Disable group shadow support (bsc#1029516) - Only check signature job error if signature job exists (bsc#1043758) ----------------------------------------- Patch: SUSE-2017-1116 Released: Thu Jul 6 11:37:18 2017 Summary: Security update for libgcrypt Severity: moderate References: 1046607,CVE-2017-7526 Description: This update for libgcrypt fixes the following issues: - CVE-2017-7526: Hardening against a local side-channel attack in RSA key handling has been added (bsc#1046607) ----------------------------------------- Patch: SUSE-2017-1119 Released: Fri Jul 7 11:23:20 2017 Summary: Recommended update for ncurses Severity: important References: 1000662,1046853,1046858,CVE-2017-10684,CVE-2017-10685 Description: This update for ncurses fixes the following issues: Security issues fixed: - CVE-2017-10684: Possible RCE via stack-based buffer overflow in the fmt_entry function. (bsc#1046858) - CVE-2017-10685: Possible RCE with format string vulnerability in the fmt_entry function. (bsc#1046853) Bugfixes: - Drop patch ncurses-5.9-environment.dif as YaST2 ncurses GUI does not need it anymore and as well as it causes bug bsc#1000662 ----------------------------------------- Patch: SUSE-2017-1126 Released: Fri Jul 7 21:23:02 2017 Summary: Recommended update for python-requests Severity: low References: 967128 Description: This update provides python-requests 2.11.1, which brings many fixes and enhancements: - Strip Content-Type and Transfer-Encoding headers from the header block when following a redirect that transforms the verb from POST/PUT to GET. - Added support for the ALL_PROXY environment variable. - Reject header values that contain leading whitespace or newline characters to reduce risk of header smuggling. - Fixed occasional TypeError when attempting to decode a JSON response that occurred in an error case. Now correctly returns a ValueError. - Requests would incorrectly ignore a non-CIDR IP address in the NO_PROXY environment variables: Requests now treats it as a specific IP. - Fixed a bug when sending JSON data that could cause us to encounter obscure OpenSSL errors in certain network conditions. - Added type checks to ensure that iter_content only accepts integers and None for chunk sizes. - Fixed issue where responses whose body had not been fully consumed would have the underlying connection closed but not returned to the connection pool, which could cause Requests to hang in situations where the HTTPAdapter had been configured to use a blocking connection pool. - Change built-in CaseInsensitiveDict to use OrderedDict as its underlying datastore. - Don't use redirect_cache if allow_redirects=False. - When passed objects that throw exceptions from tell(), send them via chunked transfer encoding instead of failing. - Raise a ProxyError for proxy related connection issues. - The verify keyword argument now supports being passed a path to a directory of CA certificates, not just a single-file bundle. - Warnings are now emitted when sending files opened in text mode. - Added the 511 Network Authentication Required status code to the status code registry. - For file-like objects that are not seeked to the very beginning, we now send the content length for the number of bytes we will actually read, rather than the total size of the file, allowing partial file uploads. - When uploading file-like objects, if they are empty or have no obvious content length we set Transfer-Encoding: chunked rather than Content-Length: 0. - We correctly receive the response in buffered mode when uploading chunked bodies. - We now handle being passed a query string as a bytestring on Python 3, by decoding it as UTF-8. - Sessions are now closed in all cases (exceptional and not) when using the functional API rather than leaking and waiting for the garbage collector to clean them up. - Correctly handle digest auth headers with a malformed qop directive that contains no token, by treating it the same as if no qop directive was provided at all. - Minor performance improvements when removing specific cookies by name. ----------------------------------------- Patch: SUSE-2017-1154 Released: Fri Jul 14 17:13:35 2017 Summary: Recommended update for python-CherryPy Severity: moderate References: 1043589,1046667 Description: This update for python-CherryPy fixes an SSL compatibility issue with CPython 2.7 and its built-in version of pyOpenSSL. ----------------------------------------- Patch: SUSE-2017-1160 Released: Fri Jul 14 17:20:26 2017 Summary: Recommended update for openldap2 Severity: low References: 1031702 Description: This update for openldap2 provides the following fix: - Fix a regression in handling of non-blocking connection (bsc#1031702) ----------------------------------------- Patch: SUSE-2017-1174 Released: Wed Jul 19 11:12:51 2017 Summary: Security update for systemd, dracut Severity: important References: 1032029,1033238,1037120,1040153,1040968,1043900,1045290,1046750,986216,CVE-2017-9445 Description: This update for systemd and dracut fixes the following issues: Security issues fixed: - CVE-2017-9445: Possible out-of-bounds write triggered by a specially crafted TCP payload from a DNS server. (bsc#1045290) Non-security issues fixed in systemd: - Automounter issue in combination with NFS volumes (bsc#1040968) - Missing symbolic link for SAS device in /dev/disk/by-path (bsc#1040153) - Add minimal support for boot.d/* scripts in systemd-sysv-convert (bsc#1046750) Non-security issues fixed in dracut: - Bail out if module directory does not exist. (bsc#1043900) - Suppress bogus error message. (bsc#1032029) - Fix module force loading with systemd. (bsc#986216) - Ship udev files required by systemd. (bsc#1040153) - Ignore module resolution errors (e.g. with kgraft). (bsc#1037120) ----------------------------------------- Patch: SUSE-2017-1198 Released: Fri Jul 21 14:04:23 2017 Summary: Recommended update for python-boto, python-simplejson Severity: low References: 1002895 Description: This update provides python-boto 2.42.0 and python-simplejson 3.8.2, which bring many fixes and enhancements. python-boto: - Respect is_secure parameter in generate_url_sigv4 - Update MTurk API - Update endpoints.json - Allow s3 bucket lifecycle policies with multiple transitions - Fixes upload parts for glacier - Autodetect sigv4 for ap-northeast-2 - Added support for ap-northeast-2 - Remove VeriSign Class 3 CA from trusted certs - Add note about boto3 on all pages of boto docs - Fix for listing EMR steps based on cluster_states filter - Fixed param name in set_contents_from_string docstring - Spelling and documentation fixes - Add deprecation notice to emr methods - Add some GovCloud endpoints. python-simplejson: - Fix issue with iterable_as_array and indent option - New iterable_as_array encoder option to perform lazy serialization of any iterable objects, without having to convert to tuple or list - Do not cache Decimal class in encoder, only reference the decimal module - No longer trust custom str/repr methods for int, long, float subclasses: these instances are now formatted as if they were exact instances of those types - Fix reference leak when an error occurs during dict encoding - Fix dump when only sort_keys is set - Automatically strip any UTF-8 BOM from input to more closely follow the latest specs - Fix lower bound checking in scan_once / raw_decode API - Consistently reject int_as_string_bitcount settings that are not positive integers - Add int_as_string_bitcount encoder option - Fix potential crash when encoder created with incorrect options - Documentation updates. ----------------------------------------- Patch: SUSE-2017-1222 Released: Wed Jul 26 17:15:18 2017 Summary: Recommended update for procps Severity: low References: 1034563,1039941 Description: This update for procps provides the following fixes: - Make pmap handle LazyFree in /proc/smaps (bsc#1034563) - Allow reading and writing content lines longer than 1024 characters under /proc/sys (bsc#1039941) - Avoid printing messages when /proc/sys/net/ipv6/conf/*/stable_secret is not set ----------------------------------------- Patch: SUSE-2017-1245 Released: Thu Aug 3 10:43:15 2017 Summary: Security update for systemd Severity: moderate References: 1004995,1029102,1029516,1032029,1033238,1036873,1037120,1038865,1040153,1040258,1040614,1040942,1040968,1043758,1043900,1045290,1046750,982303,986216,CVE-2017-9217,CVE-2017-9445 Description: This update for systemd provides several fixes and enhancements. Security issues fixed: - CVE-2017-9217: Null pointer dereferencing that could lead to resolved aborting. (bsc#1040614) - CVE-2017-9445: Possible out-of-bounds write triggered by a specially crafted TCP payload from a DNS server. (bsc#1045290) The update also fixed several non-security bugs: - core/mount: Use the '-c' flag to not canonicalize paths when calling /bin/umount - automount: Handle expire_tokens when the mount unit changes its state (bsc#1040942) - automount: Rework propagation between automount and mount units - build: Make sure tmpfiles.d/systemd-remote.conf get installed when necessary - build: Fix systemd-journal-upload installation - basic: Detect XEN Dom0 as no virtualization (bsc#1036873) - virt: Make sure some errors are not ignored - fstab-generator: Do not skip Before= ordering for noauto mountpoints - fstab-gen: Do not convert device timeout into seconds when initializing JobTimeoutSec - core/device: Use JobRunningTimeoutSec= for device units (bsc#1004995) - fstab-generator: Apply the _netdev option also to device units (bsc#1004995) - job: Add JobRunningTimeoutSec for JOB_RUNNING state (bsc#1004995) - job: Ensure JobRunningTimeoutSec= survives serialization (bsc#1004995) - rules: Export NVMe WWID udev attribute (bsc#1038865) - rules: Introduce disk/by-id (model_serial) symbolic links for NVMe drives - rules: Add rules for NVMe devices - sysusers: Make group shadow support configurable (bsc#1029516) - core: When deserializing a unit, fully restore its cgroup state (bsc#1029102) - core: Introduce cg_mask_from_string()/cg_mask_to_string() - core:execute: Fix handling failures of calling fork() in exec_spawn() (bsc#1040258) - Fix systemd-sysv-convert when a package starts shipping service units (bsc#982303) The database might be missing when upgrading a package which was shipping no sysv init scripts nor unit files (at the time --save was called) but the new version start shipping unit files. - Disable group shadow support (bsc#1029516) - Only check signature job error if signature job exists (bsc#1043758) - Automounter issue in combination with NFS volumes (bsc#1040968) - Missing symbolic link for SAS device in /dev/disk/by-path (bsc#1040153) - Add minimal support for boot.d/* scripts in systemd-sysv-convert (bsc#1046750) ----------------------------------------- Patch: SUSE-2017-1268 Released: Mon Aug 7 10:09:19 2017 Summary: Recommended update for openssl Severity: moderate References: 1019637,1027079,1027688,1027908,1028281,1028723,1029523,1042392,1044095,1044107,1044175,902364 Description: This update for openssl fixes the following issues including fixes for our ongoing FIPS 140-2 evaluation: - Remove DES-CBC3-SHA based ciphers from DEFAULT_SUSE to address SWEET32 problem (bsc#1027908) - Use getrandom syscall instead of reading from /dev/urandom to get at least 128 bits of entropy to comply with FIPS 140.2 IG 7.14 (bsc#1027079 bsc#1044175) - Fix x86 extended feature detection (bsc#1029523) - Allow runtime switching of s390x capabilities via the 'OPENSSL_s390xcap' environmental variable (bsc#1028723) - s_client sent empty client certificate (bsc#1028281) Add back certificate initialization set_cert_key_stuff() which was removed in a previous update. - Fix a bug in XTS key handling (bsc#1019637) - Don't run FIPS power-up self-tests when the checksum files aren't installed (bsc#1042392) ----------------------------------------- Patch: SUSE-2017-1279 Released: Mon Aug 7 14:46:40 2017 Summary: Security update for ncurses Severity: moderate References: 1046853,1046858,1047964,1047965,1049344,CVE-2017-10684,CVE-2017-10685,CVE-2017-11112,CVE-2017-11113 Description: This update for ncurses fixes the following issues: Security issues fixed: - CVE-2017-11112: Illegal address access in append_acs. (bsc#1047964) - CVE-2017-11113: Dereferencing NULL pointer in _nc_parse_entry. (bsc#1047965) - CVE-2017-10684, CVE-2017-10685: Add modified upstream fix from ncurses 6.0 to avoid broken termcap format (bsc#1046853, bsc#1046858, bsc#1049344) ----------------------------------------- Patch: SUSE-2017-1316 Released: Thu Aug 10 13:54:27 2017 Summary: Recommended update for cyrus-sasl Severity: moderate References: 1014471,1026825,1044840,938657 Description: This update for cyrus-sasl provides the following fixes: - Fix SASL GSSAPI mechanism acceptor wrongly returns zero maxbufsize - Fix unknown authentication mechanism: kerberos5 (bsc#1026825) - Really use SASLAUTHD_PARAMS variable (bsc#938657) - Make sure /usr/sbin/rcsaslauthd exists - Add /usr/sbin/rcsaslauthd symbolic link to /usr/sbin/service (bsc#1014471) - Silence 'GSSAPI client step 1' debug log message (bsc#1044840) ----------------------------------------- Patch: SUSE-2017-1326 Released: Fri Aug 11 16:59:04 2017 Summary: Security update for libxml2 Severity: low References: 1038444,CVE-2017-8872 Description: This update for libxml2 fixes the following issues: Security issues fixed: - CVE-2017-8872: Out-of-bounds read in htmlParseTryOrFinish. (bsc#1038444) ----------------------------------------- Patch: SUSE-2017-1330 Released: Mon Aug 14 18:41:29 2017 Summary: Recommended update for sed Severity: low References: 954661 Description: This update for sed provides the following fixes: - Don't terminate with a segmentation fault if close of last file descriptor fails. (bsc#954661) ----------------------------------------- Patch: SUSE-2017-1333 Released: Tue Aug 15 17:59:30 2017 Summary: Optional update for libverto Severity: low References: 1029561 Description: This update adds the libverto library to OpenStack Cloud Magnum Orchestration channels. ----------------------------------------- Patch: SUSE-2017-1334 Released: Tue Aug 15 20:09:03 2017 Summary: Recommended update for systemd Severity: important References: 1048679,874665 Description: This update for systemd fixes the following issues: - compat-rules: Don't rely on ID_SERIAL when generating 'by-id' links for NVMe devices. (bsc#1048679) - fstab-generator: Handle NFS 'bg' mounts correctly. (bsc#874665, fate#323464) - timesyncd: Don't use compiled-in list if FallbackNTP has been configured explicitly. ----------------------------------------- Patch: SUSE-2017-1335 Released: Wed Aug 16 11:24:21 2017 Summary: Security update for curl Severity: moderate References: 1051643,1051644,CVE-2017-1000100,CVE-2017-1000101 Description: This update for curl fixes the following issues: - CVE-2017-1000100: TFP sends more than buffer size and it could lead to a denial of service (bsc#1051644) - CVE-2017-1000101: URL globbing out of bounds read could lead to a denial of service (bsc#1051643) ----------------------------------------- Patch: SUSE-2017-1344 Released: Thu Aug 17 12:20:25 2017 Summary: Recommended update for python-simplejson Severity: low References: 1002895 Description: This update provides python-simplejson 3.8.2, which brings many fixes and enhancements: - Fix issue with iterable_as_array and indent option - New iterable_as_array encoder option to perform lazy serialization of any iterable objects, without having to convert to tuple or list - Do not cache Decimal class in encoder, only reference the decimal module - No longer trust custom str/repr methods for int, long, float subclasses: these instances are now formatted as if they were exact instances of those types - Fix reference leak when an error occurs during dict encoding - Fix dump when only sort_keys is set - Automatically strip any UTF-8 BOM from input to more closely follow the latest specs - Fix lower bound checking in scan_once / raw_decode API - Consistently reject int_as_string_bitcount settings that are not positive integers - Add int_as_string_bitcount encoder option - Fix potential crash when encoder created with incorrect options - Documentation updates. ----------------------------------------- Patch: SUSE-2017-1347 Released: Fri Aug 18 11:03:57 2017 Summary: Recommended update for procps Severity: important References: 1053409 Description: This update for procps fixes the following issues: - Fix a regression introduced in a previous update that would result in sysctl dying with a SIGSEGV error (bsc#1053409). ----------------------------------------- Patch: SUSE-2017-1349 Released: Fri Aug 18 12:31:07 2017 Summary: Recommended update for lua51 Severity: low References: 1051626 Description: This update for lua51 provides the following fixes: - Add Lua(API) and Lua(devel) symbols to fix building of lua51-luasocket. (bsc#1051626) ----------------------------------------- Patch: SUSE-2017-1384 Released: Fri Aug 25 13:39:19 2017 Summary: Recommended update for Salt Severity: moderate References: 1036125 Description: This update for salt fixes the following issues: - Added bugfix when jobs scheduled to run at a future time stay pending for Salt minions. (bsc#1036125) - Adding procps as dependency. This provides 'ps' and 'pgrep' utils which are called from different Salt modules and also from new salt-minion watchdog. ----------------------------------------- Patch: SUSE-2017-1390 Released: Fri Aug 25 15:14:27 2017 Summary: Security update for libzypp Severity: important References: 1009745,1036659,1038984,1043218,1045735,1046417,1047785,1048315,CVE-2017-7435,CVE-2017-7436,CVE-2017-9269 Description: The Software Update Stack was updated to receive fixes and enhancements. libzypp: - CVE-2017-7435, CVE-2017-7436, CVE-2017-9269: Fix GPG check workflows, mainly for unsigned repositories and packages. (bsc#1045735, bsc#1038984) - Fix gpg-pubkey release (creation time) computation. (bsc#1036659) - Update lsof blacklist. (bsc#1046417) - Re-probe on refresh if the repository type changes. (bsc#1048315) - Propagate proper error code to DownloadProgressReport. (bsc#1047785) - Allow to trigger an appdata refresh unconditionally. (bsc#1009745) - Support custom repo variables defined in /etc/zypp/vars.d. yast2-pkg-bindings: - Do not crash when the repository URL is not defined. (bsc#1043218) ----------------------------------------- Patch: SUSE-2017-1412 Released: Tue Aug 29 18:29:00 2017 Summary: Recommended update for python-requests Severity: low References: 967128 Description: This update provides python-requests 2.11.1, which brings many fixes and enhancements: - Strip Content-Type and Transfer-Encoding headers from the header block when following a redirect that transforms the verb from POST/PUT to GET. - Added support for the ALL_PROXY environment variable. - Reject header values that contain leading whitespace or newline characters to reduce risk of header smuggling. - Fixed occasional TypeError when attempting to decode a JSON response that occurred in an error case. Now correctly returns a ValueError. - Requests would incorrectly ignore a non-CIDR IP address in the NO_PROXY environment variables: Requests now treats it as a specific IP. - Fixed a bug when sending JSON data that could cause us to encounter obscure OpenSSL errors in certain network conditions. - Added type checks to ensure that iter_content only accepts integers and None for chunk sizes. - Fixed issue where responses whose body had not been fully consumed would have the underlying connection closed but not returned to the connection pool, which could cause Requests to hang in situations where the HTTPAdapter had been configured to use a blocking connection pool. - Change built-in CaseInsensitiveDict to use OrderedDict as its underlying datastore. - Don't use redirect_cache if allow_redirects=False. - When passed objects that throw exceptions from tell(), send them via chunked transfer encoding instead of failing. - Raise a ProxyError for proxy related connection issues. - The verify keyword argument now supports being passed a path to a directory of CA certificates, not just a single-file bundle. - Warnings are now emitted when sending files opened in text mode. - Added the 511 Network Authentication Required status code to the status code registry. - For file-like objects that are not seeked to the very beginning, we now send the content length for the number of bytes we will actually read, rather than the total size of the file, allowing partial file uploads. - When uploading file-like objects, if they are empty or have no obvious content length we set Transfer-Encoding: chunked rather than Content-Length: 0. - We correctly receive the response in buffered mode when uploading chunked bodies. - We now handle being passed a query string as a bytestring on Python 3, by decoding it as UTF-8. - Sessions are now closed in all cases (exceptional and not) when using the functional API rather than leaking and waiting for the garbage collector to clean them up. - Correctly handle digest auth headers with a malformed qop directive that contains no token, by treating it the same as if no qop directive was provided at all. - Minor performance improvements when removing specific cookies by name. ----------------------------------------- Patch: SUSE-2017-1419 Released: Wed Aug 30 15:38:22 2017 Summary: Security update for expat Severity: moderate References: 1047236,1047240,CVE-2016-9063,CVE-2017-9233 Description: This update for expat fixes the following issues: - CVE-2016-9063: Possible integer overflow to fix inside XML_Parse leading to unexpected behaviour (bsc#1047240) - CVE-2017-9233: External Entity Vulnerability could lead to denial of service (bsc#1047236) ----------------------------------------- Patch: SUSE-2017-1439 Released: Fri Sep 1 15:31:05 2017 Summary: Recommended update for systemd Severity: important References: 1045384,1045987,1046268,1047379,1048605 Description: This update for systemd fixes the following issues: - Revert fix for bsc#1004995 which could have caused boot failure on LVM (bsc#1048605) - compat-rules: drop the bogus 'import everything' rule (bsc#1046268) - core: use an AF_UNIX/SOCK_DGRAM socket for cgroup agent notification (bsc#1045384 bsc#1047379) - udev/path_id: introduce support for NVMe devices (bsc#1045987) ----------------------------------------- Patch: SUSE-2017-1447 Released: Mon Sep 4 15:38:20 2017 Summary: Security update for libzypp, zypper Severity: important References: 1008325,1038984,1045735,1047785,1054088,1054671,1055920,CVE-2017-7436 Description: The Software Update Stack was updated to receive fixes and enhancements. libzypp: - Adapt to work with GnuPG 2.1.23. (bsc#1054088) - Support signing with subkeys. (bsc#1008325) - Enhance sort order for media.1/products. (bsc#1054671) zypper: - Also show a gpg key's subkeys. (bsc#1008325) - Improve signature check callback messages. (bsc#1045735) - Add options to tune the GPG check settings. (bsc#1045735) - Adapt download callback to report and handle unsigned packages. (bsc#1038984, CVE-2017-7436) - Report missing/optional files as 'not found' rather than 'error'. (bsc#1047785) ----------------------------------------- Patch: SUSE-2017-1450 Released: Mon Sep 4 16:36:07 2017 Summary: Recommended update for insserv-compat Severity: low References: 1035062,944903 Description: This update for insserv-compat fixes the following issues: - Add /etc/init.d hierarchy from former 'filesystem' package. (bsc#1035062) - Fix directory argument parsing. (bsc#944903) - Add perl(Getopt::Long) to list of requirements. ----------------------------------------- Patch: SUSE-2017-1453 Released: Mon Sep 4 21:23:50 2017 Summary: Recommended update for libgcrypt Severity: moderate References: 1043333,1046659,1047008 Description: This update for libgcrypt fixes the following issues: - libgcrypt stored an open file descriptor to the random device in a static variable between invocations. gnome-keyring-daemon on initialization reopened descriptors 0-2 with /dev/null which caused an infinite loop when libgcrypt attempted to read from the random device (bsc#1043333) - Avoid seeding the DRBG during FIPS power-up selftests (bsc#1046659) * don't call gcry_drbg_instantiate() in healthcheck sanity test to save entropy * turn off blinding for RSA decryption in selftests_rsa to avoid allocation of a random integer - fix a bug in gcry_drbg_healthcheck_sanity() which caused skipping some of the tests (bsc#1046659) - dlsym returns PLT address on s390x, dlopen libgcrypt20.so before calling dlsym (bsc#1047008) ----------------------------------------- Patch: SUSE-2017-1457 Released: Tue Sep 5 14:40:18 2017 Summary: Security update for python-pycrypto Severity: important References: 1017420,1047666,CVE-2013-7459 Description: This update for python-pycrypto fixes the following issues: - CVE-2013-7459: Fixed a potential heap buffer overflow in ALGnew (bsc#1017420). python-paramiko was adjusted to work together with this python-pycrypto change. (bsc#1047666) ----------------------------------------- Patch: SUSE-2017-1548 Released: Fri Sep 15 18:19:12 2017 Summary: Recommended update for sg3_utils Severity: moderate References: 1005063,1009269,1012523,1025176,1050767,1050943 Description: This update for sg3_utils provides the following fixes: - Add lunsearch filter to findresized() so that only LUNs specified using --luns are rescanned or resized. (bsc#1025176) - In case the VPD sysfs attributes are missing or cannot be accessed, fallback to use sg_inq --page when using multipath devices in AutoYast2 installations. (bsc#1012523) - Generate /dev/disk/by-path links based on WWPN for Fibre Channel NPIV setups. (bsc#1005063) - Fix dumping data in hexadecimal format in sg_vpd when using the --hex option. (bsc#1050943) - Fix ID_SERIAL values for KVM disks by exporting all NAA values and removing some validity checking. (bsc#1050767) - Make sure initrd is rebuilt on sg3_utils updates. (bsc#1009269) ----------------------------------------- Patch: SUSE-2017-1592 Released: Tue Sep 26 17:38:03 2017 Summary: Recommended update for lvm2 Severity: moderate References: 1028485,1045628,978055,998893,999878 Description: This update for lvm2 provides the following fixes: - Create /dev/disk/by-part{label,uuid} and gpt-auto-root links. (bsc#1028485) - Try to refresh clvmd's device cache on the first failure. (bsc#978055) - Fix stale device cache in clvmd. (bsc#978055) - Warn if PV size in metadata is larger than disk device size. (bsc#999878) - Fix lvm2 activation issue when used on top of multipath. (bsc#998893) ----------------------------------------- Patch: SUSE-2017-1644 Released: Mon Oct 9 07:52:24 2017 Summary: Security update for krb5 Severity: moderate References: 1032680,1054028,1056995,903543,CVE-2017-11462 Description: This update for krb5 fixes several issues. This security issue was fixed: - CVE-2017-11462: Prevent automatic security context deletion to prevent double-free (bsc#1056995) These non-security issues were fixed: - Set 'rdns' and 'dns_canonicalize_hostname' to false in krb5.conf in order to improve client security in handling service principle names. (bsc#1054028) - Prevent kadmind.service startup failure caused by absence of LDAP service. (bsc#903543) - Remove main package's dependency on systemd (bsc#1032680) ----------------------------------------- Patch: SUSE-2017-1660 Released: Mon Oct 9 15:39:22 2017 Summary: Security update for Salt Severity: moderate References: 1051948,1052264,1053376,1053955,CVE-2017-12791 Description: This update for salt fixes one security issue and bugs: The following security issue has been fixed: - CVE-2017-12791: Directory traversal vulnerability in minion id validation allowed remote minions with incorrect credentials to authenticate to a master via a crafted minion ID (bsc#1053955). Additionally, the following non-security issues have been fixed: - Added support for SUSE Manager scalability features. (bsc#1052264) - Introduced the kubernetes module. (bsc#1051948) - Notify systemd synchronously via NOTIFY_SOCKET. (bsc#1053376) ----------------------------------------- Patch: SUSE-2017-1663 Released: Tue Oct 10 12:05:09 2017 Summary: Recommended update for dbus-1 Severity: moderate References: 1043615,1046173 Description: This update for dbus-1 provides the following fixes: - Fix systemd-logind dbus disconnection by ensuring all required timeouts are restarted. (bsc#1043615) - Remove call to initscripts related macros from the spec file as dbus-1 does not ship any initscript anymore. (bsc#1046173) ----------------------------------------- Patch: SUSE-2017-1703 Released: Tue Oct 17 13:20:12 2017 Summary: Recommended update for audit Severity: low References: 1042781 Description: This update for audit provides the following fix: - Make auditd start by forking the systemd service to fix some initialization failures. (bsc#1042781) ----------------------------------------- Patch: SUSE-2017-1758 Released: Mon Oct 23 08:47:47 2017 Summary: Security update for curl Severity: moderate References: 1060653,1061876,1063824,CVE-2017-1000254,CVE-2017-1000257 Description: This update for curl fixes the following issues: Security issues fixed: - CVE-2017-1000254: FTP PWD response parser out of bounds read (bsc#1061876) - CVE-2017-1000257: IMAP FETCH response out of bounds read (bsc#1063824) Bugs fixed: - Fixed error 'error:1408F10B:SSL routines' when connecting to ftps via proxy (bsc#1060653) ----------------------------------------- Patch: SUSE-2017-1772 Released: Wed Oct 25 14:10:42 2017 Summary: Recommended update for logrotate Severity: low References: 1057801 Description: This update for logrotate provides the following fix: - Make sure log files continue to rotate properly when a stale status file is found. (bsc#1057801) ----------------------------------------- Patch: SUSE-2017-1796 Released: Fri Oct 27 21:25:06 2017 Summary: Recommended update for pcre Severity: moderate References: 1058722 Description: This update for pcre fixes the following issues: - Fixed the pcre stack frame size detection because modern compilers break it due to cloning and inlining pcre match() function (bsc#1058722) ----------------------------------------- Patch: SUSE-2017-1797 Released: Sat Oct 28 12:06:19 2017 Summary: Recommended update for permissions Severity: moderate References: 1028304,1048645,1060738 Description: This update for permissions fixes the following issues: - Allows users to install the HPC 'singularity' toolkit for managing singularity containers in setuid root mode. (bsc#1028304) ----------------------------------------- Patch: SUSE-2017-1826 Released: Wed Nov 8 08:47:17 2017 Summary: Security update for krb5 Severity: important References: 1065274,CVE-2017-15088 Description: This update for krb5 fixes the following issues: Security issues fixed: - CVE-2017-15088: A buffer overflow in get_matching_data() was fixed that could under specific circumstances be used to execute code (bsc#1065274) ----------------------------------------- Patch: SUSE-2017-1829 Released: Wed Nov 8 08:50:00 2017 Summary: Security update for shadow Severity: moderate References: 1023895,1052261,980486,CVE-2017-12424 Description: This update for shadow fixes several issues. This security issue was fixed: - CVE-2017-12424: The newusers tool could have been forced to manipulate internal data structures in ways unintended by the authors. Malformed input may have lead to crashes (with a buffer overflow or other memory corruption) or other unspecified behaviors (bsc#1052261). These non-security issues were fixed: - bsc#1023895: Fixed man page to not contain invalid options and also prevent warnings when using these options in certain settings - bsc#980486: Reset user in /var/log/tallylog because of the usage of pam_tally2 ----------------------------------------- Patch: SUSE-2017-1881 Released: Wed Nov 22 16:29:58 2017 Summary: Security update for file Severity: moderate References: 1009966,1063269,910252,910253,913650,913651,917152,996511,CVE-2014-8116,CVE-2014-8117,CVE-2014-9620,CVE-2014-9621,CVE-2014-9653 Description: The GNU file utility was updated to version 5.22. Security issues fixed: - CVE-2014-9621: The ELF parser in file allowed remote attackers to cause a denial of service via a long string. (bsc#913650) - CVE-2014-9620: The ELF parser in file allowed remote attackers to cause a denial of service via a large number of notes. (bsc#913651) - CVE-2014-9653: readelf.c in file did not consider that pread calls sometimes read only a subset of the available data, which allows remote attackers to cause a denial of service (uninitialized memory access) or possibly have unspecified other impact via a crafted ELF file. (bsc#917152) - CVE-2014-8116: The ELF parser (readelf.c) in file allowed remote attackers to cause a denial of service (CPU consumption or crash) via a large number of (1) program or (2) section headers or (3) invalid capabilities. (bsc#910253) - CVE-2014-8117: softmagic.c in file did not properly limit recursion, which allowed remote attackers to cause a denial of service (CPU consumption or crash) via unspecified vectors. (bsc#910253) Version update to file version 5.22 * add indirect relative for TIFF/Exif * restructure elf note printing to avoid repeated messages * add note limit, suggested by Alexander Cherepanov * Bail out on partial pread()'s (Alexander Cherepanov) * Fix incorrect bounds check in file_printable (Alexander Cherepanov) * PR/405: ignore SIGPIPE from uncompress programs * change printable -> file_printable and use it in more places for safety * in ELF, instead of '(uses dynamic libraries)' when PT_INTERP is present print the interpreter name. Version update to file version 5.21 * there was an incorrect free in magic_load_buffers() * there was an out of bounds read for some pascal strings * there was a memory leak in magic lists * don't interpret strings printed from files using the current locale, convert them to ascii format first. * there was an out of bounds read in elf note reads Update to file version 5.20 * recognize encrypted CDF documents * add magic_load_buffers from Brooks Davis * add thumbs.db support Additional non-security bug fixes: * Fixed a memory corruption during rpmbuild (bsc#1063269) * Backport of a fix for an increased printable string length as found in file 5.30 (bsc#996511) * file command throws 'Composite Document File V2 Document, corrupt: Can't read SSAT' error against excel 97/2003 file format. (bsc#1009966) ----------------------------------------- Patch: SUSE-2017-1903 Released: Fri Nov 24 16:19:37 2017 Summary: Security update for perl Severity: moderate References: 1047178,1057721,1057724,999735,CVE-2017-12837,CVE-2017-12883,CVE-2017-6512 Description: This update for perl fixes the following issues: Security issues fixed: - CVE-2017-12837: Heap-based buffer overflow in the S_regatom function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to cause a denial of service (out-of-bounds write) via a regular expression with a '\N{}' escape and the case-insensitive modifier. (bnc#1057724) - CVE-2017-12883: Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to disclose sensitive information or cause a denial of service (application crash) via a crafted regular expression with an invalid '\N{U+...}' escape. (bnc#1057721) - CVE-2017-6512: Race condition in the rmtree and remove_tree functions in the File-Path module before 2.13 for Perl allows attackers to set the mode on arbitrary files via vectors involving directory-permission loosening logic. (bnc#1047178) Bug fixes: - backport set_capture_string changes from upstream (bsc#999735) - reformat baselibs.conf as source validator workaround ----------------------------------------- Patch: SUSE-2017-1916 Released: Fri Nov 24 20:15:01 2017 Summary: Recommended update for libgcrypt Severity: important References: 1043333,1059723 Description: This update for libgcrypt provides the following fix: - Fix a regression in a previous update which caused libgcrypt to leak file descriptors causing failures when starting rtkit-daemon. (bsc#1059723) ----------------------------------------- Patch: SUSE-2017-1917 Released: Mon Nov 27 13:32:07 2017 Summary: Optional update for gcc7 Severity: low References: 1056437,1062591,1062592 Description: The GNU Compiler GCC 7 is being added to the Toolchain Module by this update. New features: - Support for specific IBM Power9 processor instructions. - Support for specific IBM zSeries z14 processor instructions. - New packages cross-npvtx-gcc7 and nvptx-tools added to the Toolchain Module for specific NVIDIA Card offload support. The update also supplies gcc7 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the base products of SUSE Linux Enterprise 12. Various optimizers have been improved in GCC 7, several of bugs fixed, quite some new warnings added and the error pin-pointing and fix-suggestions have been greatly improved. The GNU Compiler page for GCC 7 contains a summary of all the changes that have happened: https://gcc.gnu.org/gcc-7/changes.html ----------------------------------------- Patch: SUSE-2017-1965 Released: Thu Nov 30 12:48:45 2017 Summary: Recommended update for libsolv, libzypp, zypper Severity: moderate References: 1047233,1053671,1057188,1057634,1058695,1058783,1059065,1061384,1062561,1064999,661410 Description: The Software Update Stack was updated to receive fixes and enhancements. libsolv: - Many fixes and improvements for cleandeps. - Always create dup rules for 'distupgrade' jobs. - Use recommends also for ordering packages. - Fix splitprovides handling with addalreadyrecommended turned off. (bsc#1059065) - Expose solver_get_recommendations() in bindings. - Fix bug in solver_prune_to_highest_prio_per_name resulting in bad output from solver_get_recommendations(). - Support 'without' and 'unless' dependencies. - Use same heuristic as upstream to determine source RPMs. - Fix memory leak in bindings. - Add pool_best_solvables() function. - Fix 64bit integer parsing from RPM headers. - Enable bzip2 and xz/lzma compression support. - Enable complex/rich dependencies on distributions with RPM 4.13+. libzypp: - Fix media handling in presence of a repo path prefix. (bsc#1062561) - Fix RepoProvideFile ignoring a repo path prefix. (bsc#1062561) - Remove unused legacy notify-message script. (bsc#1058783) - Support multiple product licenses in repomd. (fate#322276) - Propagate 'rpm --import' errors. (bsc#1057188) - Fix typos in zypp.conf. zypper: - Locale: Fix possible segmentation fault. (bsc#1064999) - Add summary hint if product is better updated by a different command. This is mainly used by rolling distributions like openSUSE Tumbleweed to remind their users to use 'zypper dup' to update (not zypper up or patch). (bsc#1061384) - Unify '(add|modify)(repo|service)' property related arguments. - Fixed 'add' commands supporting to set only a subset of properties. - Introduced '-f/-F' as preferred short option for --[no-]refresh in all four commands. (bsc#661410, bsc#1053671) - Fix missing package names in installation report. (bsc#1058695) - Differ between unsupported and packages with unknown support status. (bsc#1057634) - Return error code '107' if an RPM's %post configuration script fails, but only if ZYPPER_ON_CODE12_RETURN_107=1 is set in the environment. (bsc#1047233) ----------------------------------------- Patch: SUSE-2017-1966 Released: Thu Nov 30 13:45:24 2017 Summary: Recommended update for systemd Severity: moderate References: 1004995,1035386,1039099,1040800,1045472,1048605,1050152,1053137,1053595,1055641,1063249 Description: This update for systemd fixes the following issues: - unit: When JobTimeoutSec= is turned off, implicitly turn off JobRunningTimeoutSec= too. (bsc#1048605, bsc#1004995) - compat-rules: Generate compat by-id symlinks with 'nvme' prefix missing and warn users that have broken symlinks. (bsc#1063249) - compat-rules: Allow to specify the generation number through the kernel command line. - scsi_id: Fixup prefix for pre-SPC inquiry reply. (bsc#1039099) - tmpfiles: Remove old ICE and X11 sockets at boot. - tmpfiles: Silently ignore any path that passes through autofs. (bsc#1045472) - pam_logind: Skip leading /dev/ from PAM_TTY field before passing it on. - shared/machine-pool: Fix another mkfs.btrfs checking. (bsc#1053595) - shutdown: Fix incorrect fscanf() result check. - shutdown: Don't remount,ro network filesystems. (bsc#1035386) - shutdown: Don't be fooled when detaching DM devices with BTRFS. (bsc#1055641) - bash-completion: Add support for --now. (bsc#1053137) - Add convert-lib-udev-path.sh script to convert /lib/udev directory into a symlink pointing to /usr/lib/udev when upgrading from SLE11. (bsc#1050152) - Add a rule to teach hotplug to offline containers transparently. (bsc#1040800) ----------------------------------------- Patch: SUSE-2017-1968 Released: Thu Nov 30 19:49:33 2017 Summary: Recommended update for coreutils Severity: low References: 1026567,1043059,965780 Description: This update for coreutils provides the following fixes: - Fix df(1) to no longer interact with excluded file system types, so for example specifying -x nfs no longer hangs with problematic nfs mounts. (bsc#1026567) - Ensure df -l no longer interacts with dummy file system types, so for example no longer hangs with problematic NFS mounted via system.automount(5). (bsc#1043059) - Significantly speed up df(1) for huge mount lists. (bsc#965780) ----------------------------------------- Patch: SUSE-2017-1970 Released: Thu Nov 30 22:55:41 2017 Summary: Security update for openssl Severity: moderate References: 1055825,1056058,1065363,1066242,CVE-2017-3735,CVE-2017-3736 Description: This update for openssl fixes the following issues: Security issues fixed: - CVE-2017-3735: openssl1,openssl: Malformed X.509 IPAdressFamily could cause OOB read (bsc#1056058) - CVE-2017-3736: openssl: bn_sqrx8x_internal carry bug on x86_64 (bsc#1066242) - Out of bounds read+crash in DES_fcrypt (bsc#1065363) - openssl DEFAULT_SUSE cipher list is missing ECDHE-ECDSA ciphers (bsc#1055825) ----------------------------------------- Patch: SUSE-2017-2021 Released: Fri Dec 8 10:11:04 2017 Summary: Recommended update for file Severity: moderate References: 1070878,1070958 Description: This update for file fixes detection of JPEG files. ----------------------------------------- Patch: SUSE-2017-2031 Released: Mon Dec 11 12:55:57 2017 Summary: Recommended update for gzip Severity: low References: 1067891 Description: This update for gzip provides the following fix: - Fix mishandling of leading zeros in the end-of-block code (bsc#1067891) ----------------------------------------- Patch: SUSE-2017-2036 Released: Wed Dec 13 16:34:21 2017 Summary: Recommended update for util-linux Severity: low References: 1039276,1040968,1055446,1066500 Description: This update for util-linux provides the following fixes: - Allow unmounting of filesystems without calling stat() on the mount point, when '-c' is used. (bsc#1040968) - Fix an infinite loop, a crash and report the correct minimum and maximum frequencies in lscpu for some processors. (bsc#1055446) - Fix a lscpu failure on Sydney Amazon EC2 region. (bsc#1066500) - If multiple subvolumes are mounted, report the default subvolume. (bsc#1039276) ----------------------------------------- Patch: SUSE-2017-2097 Released: Sat Dec 16 01:59:00 2017 Summary: Security update for openssl Severity: important References: 1071905,1071906,CVE-2017-3737,CVE-2017-3738 Description: This update for openssl fixes the following issues: - OpenSSL Security Advisory [07 Dec 2017] * CVE-2017-3737: OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an \'error state\' mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake. This works as designed for the explicit handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()), however due to a bug it does not work correctly if SSL_read() or SSL_write() is called directly. In that scenario, if the handshake fails then a fatal error will be returned in the initial function call. If SSL_read()/SSL_write() is subsequently called by the application for the same SSL object then it will succeed and the data is passed without being decrypted/encrypted directly from the SSL/TLS record layer. In order to exploit this issue an application bug would have to be present that resulted in a call to SSL_read()/SSL_write() being issued after having already received a fatal error. OpenSSL version 1.0.2b-1.0.2m are affected. Fixed in OpenSSL 1.0.2n. OpenSSL 1.1.0 is not affected. (bsc#1071905) * CVE-2017-3738: There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH1024 are considered just feasible, because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701. This only affects processors that support the AVX2 but not ADX extensions like Intel Haswell (4th generation). Note: The impact from this issue is similar to CVE-2017-3736, CVE-2017-3732 and CVE-2015-3193. (bsc#1071906) ----------------------------------------- Patch: SUSE-2017-2111 Released: Wed Dec 20 12:12:49 2017 Summary: Security update for Salt Severity: moderate References: 1041993,1042749,1050003,1059291,1059758,1060230,1062462,1062464,985112,CVE-2017-14695,CVE-2017-14696 Description: This update for salt fixes one security issue and bugs. The following security issues have been fixed: - CVE-2017-14695: A directory traversal vulnerability in minion id validation allowed remote minions with incorrect credentials to authenticate to a master via a crafted minion ID. (bsc#1062462) - CVE-2017-14696: It was possible to force a remote Denial of Service with a specially crafted authentication request. (bsc#1062464) Additionally, the following non-security issues have been fixed: - Removed deprecation warning for beacon configuration using dictionaries. (bsc#1041993) - Fixed beacons failure when pillar-based suppressing config-based. (bsc#1060230) - Fixed minion resource exhaustion when many functions are being executed in parallel. (bsc#1059758) - Remove 'TasksTask' attribute from salt-master.service in older versions of systemd. (bsc#985112) - Fix for delete_deployment in Kubernetes module. (bsc#1059291) - Catching error when PIDfile cannot be deleted. (bsc#1050003) - Use $HOME to get the user home directory instead using '~' char. (bsc#1042749) ----------------------------------------- Patch: SUSE-2017-2137 Released: Thu Dec 21 17:49:12 2017 Summary: Recommended update for dbus-1 Severity: moderate References: 1046173,1071698 Description: This update for dbus-1 provides the following fixes: - The previously released fix for systemd-logind dbus disconnections was missing in some parts of the package, so properly apply it. (bsc#1071698) - Remove call to initscripts related macros from the spec file as dbus-1 does not ship any initscript anymore. (bsc#1046173) ----------------------------------------- Patch: SUSE-2018-4 Released: Tue Jan 2 15:58:20 2018 Summary: Recommended update for libzypp, zypper Severity: moderate References: 1057640,1067605,1068708,1071466,969569 Description: The Software Update Stack was updated to receive fixes and enhancements. libzypp: - Don't store duplicated locks. (bsc#969569) - Fix default for solver.allowNameChange. (bsc#1071466) - Don't filter procs with a different mnt namespace. (bsc#1068708) - Support repo variables in an URIs host:port component. (bsc#1057640, bsc#1067605) zypper: - Update manpage regarding custom repository variable fixes. (bsc#1057640, bsc#1067605) ----------------------------------------- Patch: SUSE-2018-38 Released: Tue Jan 9 14:56:43 2018 Summary: Recommended update for kmod Severity: low References: 1070209 Description: This update for kmod provides the following fix: - Fix resolving .TOC. in modules on 4.4 and older kernel (bsc#1070209) - Fix kernel master build for ppc64le (bsc#1070209) ----------------------------------------- Patch: SUSE-2018-55 Released: Fri Jan 12 09:45:49 2018 Summary: Security update for glibc Severity: important References: 1051042,1053188,1063675,1064569,1064580,1064583,1070905,1071319,1073231,1074293,CVE-2017-1000408,CVE-2017-1000409,CVE-2017-15670,CVE-2017-15671,CVE-2017-15804,CVE-2017-16997,CVE-2018-1000001 Description: This update for glibc fixes the following issues: - A privilege escalation bug in the realpath() function has been fixed. [CVE-2018-1000001, bsc#1074293] - A memory leak and a buffer overflow in the dynamic ELF loader has been fixed. [CVE-2017-1000408, CVE-2017-1000409, bsc#1071319] - An issue in the code handling RPATHs was fixed that could have been exploited by an attacker to execute code loaded from arbitrary libraries. [CVE-2017-16997, bsc#1073231] - A potential crash caused by a use-after-free bug in pthread_create() has been fixed. [bsc#1053188] - A bug that prevented users to build shared objects which use the optimized libmvec.so API has been fixed. [bsc#1070905] - A memory leak in the glob() function has been fixed. [CVE-2017-15670, CVE-2017-15671, CVE-2017-15804, bsc#1064569, bsc#1064580, bsc#1064583] - A bug that would lose the syscall error code value in case of crashes has been fixed. [bsc#1063675] ----------------------------------------- Patch: SUSE-2018-86 Released: Wed Jan 17 09:38:17 2018 Summary: Security update for ncurses Severity: moderate References: 1056127,1056128,1056129,1056131,1056132,1056136,CVE-2017-13728,CVE-2017-13729,CVE-2017-13730,CVE-2017-13731,CVE-2017-13732,CVE-2017-13733 Description: This update for ncurses fixes the following issues: Security issues fixed: - CVE-2017-13728: Fix infinite loop in the next_char function in comp_scan.c (bsc#1056136). - CVE-2017-13730: Fix illegal address access in the function _nc_read_entry_source() (bsc#1056131). - CVE-2017-13733: Fix illegal address access in the fmt_entry function (bsc#1056127). - CVE-2017-13729: Fix illegal address access in the _nc_save_str (bsc#1056132). - CVE-2017-13732: Fix illegal address access in the function dump_uses() (bsc#1056128). - CVE-2017-13731: Fix illegal address access in the function postprocess_termcap() (bsc#1056129). ----------------------------------------- Patch: SUSE-2018-88 Released: Wed Jan 17 14:41:17 2018 Summary: Security update for curl Severity: moderate References: 1069222,1069226,CVE-2017-8816,CVE-2017-8817 Description: This update for curl fixes the following issues: Security issues fixed: - CVE-2017-8816: Buffer overrun flaw in the NTLM authentication code (bsc#1069226). - CVE-2017-8817: Read out of bounds flaw in the FTP wildcard function (bsc#1069222). ----------------------------------------- Patch: SUSE-2018-90 Released: Wed Jan 17 14:44:33 2018 Summary: Recommended update for lvm2 Severity: low References: 1063051,1067312 Description: This update for lvm2 provides the following fix: - Backport various upstream fixes for clvmd. (bsc#1063051) - Don't print error messages on testing the connection to the daemon. (bsc#1063051) - Fix handling of udev CHANGE events with systemd. (bsc#1067312) ----------------------------------------- Patch: SUSE-2018-146 Released: Thu Jan 25 11:44:23 2018 Summary: Recommended update for openldap2 Severity: moderate References: 1064397,1065083 Description: This update for openldap2 provides the following fixes: - Fix a leak of sockets in case of unsuccessful connection attempts. (bsc#1065083) - Fix a crash that would happen under heavy load when using back-relay. (bsc#1064397) ----------------------------------------- Patch: SUSE-2018-149 Released: Thu Jan 25 13:38:37 2018 Summary: Security update for curl Severity: moderate References: 1077001,CVE-2018-1000007 Description: This update for curl fixes one issues. This security issue was fixed: - CVE-2018-1000007: Prevent leaking authentication data to third parties when following redirects (bsc#1077001) ----------------------------------------- Patch: SUSE-2018-209 Released: Tue Jan 30 10:53:43 2018 Summary: Security update for ncurses Severity: moderate References: 1056126,1056127,1056128,1056129,1056131,1056132,1056136,CVE-2017-13728,CVE-2017-13729,CVE-2017-13730,CVE-2017-13731,CVE-2017-13732,CVE-2017-13733,CVE-2017-13734 Description: This update for ncurses fixes several issues. These security issues were fixed: - CVE-2017-13734: Prevent illegal address access in the _nc_safe_strcat function in strings.c that might have lead to a remote denial of service attack (bsc#1056126). - CVE-2017-13733: Prevent illegal address access in the fmt_entry function in progs/dump_entry.c that might have lead to a remote denial of service attack (bsc#1056127). - CVE-2017-13732: Prevent illegal address access in the function dump_uses() in progs/dump_entry.c that might have lead to a remote denial of service attack (bsc#1056128). - CVE-2017-13731: Prevent illegal address access in the function postprocess_termcap() in parse_entry.c that might have lead to a remote denial of service attack (bsc#1056129). - CVE-2017-13730: Prevent illegal address access in the function _nc_read_entry_source() in progs/tic.c that might have lead to a remote denial of service attack (bsc#1056131). - CVE-2017-13729: Prevent illegal address access in the _nc_save_str function in alloc_entry.c that might have lead to a remote denial of service attack (bsc#1056132). - CVE-2017-13728: Prevent infinite loop in the next_char function in comp_scan.c that might have lead to a remote denial of service attack (bsc#1056136). ----------------------------------------- Patch: SUSE-2018-213 Released: Tue Jan 30 14:36:40 2018 Summary: Security update for systemd Severity: moderate References: 1048510,1065276,1066156,1068251,1070428,1071558,1074254,1075724,1076308,897422,CVE-2017-15908,CVE-2018-1049 Description: This update for systemd fixes several issues. This security issue was fixed: - CVE-2018-1049: Prevent race that can lead to DoS when using automounts (bsc#1076308). These non-security issues were fixed: - core: don't choke if a unit another unit triggers vanishes during reload - delta: don't ignore PREFIX when the given argument is PREFIX/SUFFIX - delta: extend skip logic to work on full directory paths (prefix+suffix) (bsc#1070428) - delta: check if a prefix needs to be skipped only once - delta: skip symlink paths when split-usr is enabled (#4591) - sysctl: use raw file descriptor in sysctl_write (#7753) - sd-netlink: don't take possesion of netlink fd from caller on failure (bsc#1074254) - Fix the regexp used to detect broken by-id symlinks in /etc/crypttab It was missing the following case: '/dev/disk/by-id/cr_-xxx'. - sysctl: disable buffer while writing to /proc (bsc#1071558) - Use read_line() and LONG_LINE_MAX to read values configuration files. (bsc#1071558) - sysctl: no need to check for eof twice - def: add new constant LONG_LINE_MAX - fileio: add new helper call read_line() as bounded getline() replacement - service: Don't stop unneeded units needed by restarted service (#7526) (bsc#1066156) - gpt-auto-generator: fix the handling of the value returned by fstab_has_fstype() in add_swap() (#6280) - gpt-auto-generator: disable gpt auto logic for swaps if at least one is defined in fstab (bsc#897422) - fstab-util: introduce fstab_has_fstype() helper - fstab-generator: ignore root=/dev/nfs (#3591) - fstab-generator: don't process root= if it happens to be 'gpt-auto' (#3452) - virt: use XENFEAT_dom0 to detect the hardware domain (#6442, #6662) (#7581) (bsc#1048510) - analyze: replace --no-man with --man=no in the man page (bsc#1068251) - udev: net_setup_link: don't error out when we couldn't apply link config (#7328) - Add missing /etc/systemd/network directory - Fix parsing of features in detect_vm_xen_dom0 (#7890) (bsc#1048510) - sd-bus: use -- when passing arguments to ssh (#6706) - systemctl: make sure we terminate the bus connection first, and then close the pager (#3550) - sd-bus: bump message queue size (bsc#1075724) - tmpfiles: downgrade warning about duplicate line ----------------------------------------- Patch: SUSE-2018-214 Released: Tue Jan 30 14:37:42 2018 Summary: Security update for libtasn1 Severity: moderate References: 1076832,CVE-2018-6003 Description: This update for libtasn1 fixes one issue. This security issue was fixed: - CVE-2018-6003: Prevent a stack exhaustion in _asn1_decode_simple_ber (lib/decoding.c) when decoding BER encoded structure allowed for DoS (bsc#1076832). ----------------------------------------- Patch: SUSE-2018-231 Released: Thu Feb 1 09:56:35 2018 Summary: Recommended update for systemd-rpm-macros Severity: low References: 1071543,1073715 Description: This update for systemd-rpm-macros provides the following fixes: - Make sure to apply presets if packages start shipping units during upgrades. (bsc#1071543, bsc#1073715) - Remove a useless test in %service_add_pre(). The test was placed where the condition '[ '$FIRST_ARG' -gt 1 ]' was always true. ----------------------------------------- Patch: SUSE-2018-276 Released: Thu Feb 8 17:47:43 2018 Summary: Security update for libxml2 Severity: moderate References: 1077993,1078806,1078813,CVE-2016-5131,CVE-2017-15412,CVE-2017-5130 Description: This update for libxml2 fixes one issue. This security issue was fixed: - CVE-2017-15412: Prevent use after free when calling XPath extension functions that allowed remote attackers to cause DoS or potentially RCE (bsc#1077993) - CVE-2016-5131: Use-after-free vulnerability in libxml2 allowed remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function. (bsc#1078813) - CVE-2017-5130: Fixed a potential remote buffer overflow in function xmlMemoryStrdup() (bsc#1078806) ----------------------------------------- Patch: SUSE-2018-291 Released: Mon Feb 12 11:50:39 2018 Summary: Recommended update for bash Severity: low References: 1057452,1076909 Description: This update for bash provides the following fix: - Allow process group assignment on all kernel versions to fix the usage of debug traps. (bsc#1057452) - Fix a crash when filesystem is full. (bsc#1076909) - Enable multi-byte characters by default. ----------------------------------------- Patch: SUSE-2018-314 Released: Thu Feb 15 14:47:35 2018 Summary: Security update for glibc Severity: important References: 1037930,1051791,1073990,1074293,1079036,CVE-2017-12132,CVE-2017-8804,CVE-2018-1000001,CVE-2018-6485,CVE-2018-6551 Description: This update for glibc fixes the following issues: Security issues fixed: - CVE-2017-8804: Fix memory leak after deserialization failure in xdr_bytes, xdr_string (bsc#1037930) - CVE-2017-12132: Reduce EDNS payload size to 1200 bytes (bsc#1051791) - CVE-2018-6485,CVE-2018-6551: Fix integer overflows in internal memalign and malloc functions (bsc#1079036) - CVE-2018-1000001: Avoid underflow of malloced area (bsc#1074293) Non security bugs fixed: - Release read lock after resetting timeout (bsc#1073990) ----------------------------------------- Patch: SUSE-2018-336 Released: Wed Feb 21 14:26:52 2018 Summary: Security update for libdb-4_8 Severity: moderate References: 1043886 Description: This update for libdb-4_8 fixes the following issues: - A DB_CONFIG file in the current working directory allowed local users to obtain sensitive information via a symlink attack involving a setgid or setuid application using libdb-4_8. (bsc#1043886) ----------------------------------------- Patch: SUSE-2018-355 Released: Mon Feb 26 16:34:46 2018 Summary: Security update for systemd Severity: moderate References: 1057974,1068588,1071224,1071311,1075801,1077925,CVE-2017-18078 Description: This update for systemd fixes the following issues: Security issue fixed: - CVE-2017-18078: tmpfiles: refuse to chown()/chmod() files which are hardlinked, unless protected_hardlinks sysctl is on. This could be used by local attackers to gain privileges (bsc#1077925) Non Security issues fixed: - core: use id unit when retrieving unit file state (#8038) (bsc#1075801) - cryptsetup-generator: run cryptsetup service before swap unit (#5480) - udev-rules: all values can contain escaped double quotes now (#6890) - strv: fix buffer size calculation in strv_join_quoted() - tmpfiles: change ownership of symlinks too - stdio-bridge: Correctly propagate error - stdio-bridge: remove dead code - remove bus-proxyd (bsc#1057974) - core/timer: Prevent timer looping when unit cannot start (bsc#1068588) - Make systemd-timesyncd use the openSUSE NTP servers by default Previously systemd-timesyncd used the Google Public NTP servers time{1..4}.google.com - Don't ship /usr/lib/systemd/system/tmp.mnt at all (bsc#1071224) But we still ship a copy in /var. Users who want to use tmpfs on /tmp are supposed to add a symlink in /etc/ pointing to the copy shipped in /var. To support the update path we automatically create the symlink if tmp.mount in use is located in /usr. - Enable systemd-networkd on Leap distros only (bsc#1071311) ----------------------------------------- Patch: SUSE-2018-375 Released: Wed Feb 28 16:33:37 2018 Summary: Recommended update for net-tools Severity: low References: 1009905,1063910 Description: This update for net-tools provides the following fix: - netstat: fix handling of large socket numbers (bsc#1063910) ----------------------------------------- Patch: SUSE-2018-377 Released: Wed Feb 28 21:31:59 2018 Summary: Recommended update for Salt Severity: moderate References: 1050003,1063419,1065792,1068446,1068566,1071322,1072218,1073618,1074227,1078001 Description: This update for salt fixes the following issues: - Fix state files with unicode. (bsc#1074227) - Catch ImportError for kubernetes.client import. (bsc#1078001) - Fix epoch handling for Rhel 6 and 7. - Fix zypper module to return UTC dates on 'pkg.list_downloaded'. - Fix return value parsing when calling vm_state. (bsc#1073618) - Fix 'user.present' when 'gid_from_name' is set but group does not exist. - Split only strings, if they are such. (bsc#1072218) - Feat: Add grain for all FQDNs. (bsc#1063419) - Fix 'No service execution module loaded' issue. (bsc#1065792) - Removed unnecessary logging on shutdown. (bsc#1050003) - Add grain for retrieving FQDNs. (bsc#1063419) - Older logrotate need su directive. (bsc#1071322) - Fix for wrong version processing during yum pkg install. (bsc#1068566) - Avoid excessive syslogging by watchdog cronjob. - Check pillar: Fix the logic according to the exact described purpose of the function. (bsc#1068446) ----------------------------------------- Patch: SUSE-2018-439 Released: Fri Mar 9 14:05:22 2018 Summary: Security update for augeas Severity: low References: 1054171,CVE-2017-7555 Description: This update for augeas fixes the following issues: Security issue fixed: - CVE-2017-7555: Fix a memory corruption bug could have lead to arbitrary code execution by passing crafted strings that would be mis-handled by parse_name() (bsc#1054171). ----------------------------------------- Patch: SUSE-2018-443 Released: Fri Mar 9 18:02:14 2018 Summary: Security update for glibc Severity: moderate References: 1081556,CVE-2017-12133 Description: This update for glibc fixes the following issues: - CVE-2017-12133: Avoid use-after-free read access in clntudp_call (bsc#1081556) ----------------------------------------- Patch: SUSE-2018-446 Released: Mon Mar 12 13:13:55 2018 Summary: Security update for shadow Severity: moderate References: 1081294,CVE-2018-7169 Description: This update for shadow fixes the following issues: - CVE-2018-7169: Fixed an privilege escalation in newgidmap, which allowed an unprivileged user to be placed in a user namespace where setgroups(2) is allowed. (bsc#1081294) ----------------------------------------- Patch: SUSE-2018-465 Released: Thu Mar 15 07:38:52 2018 Summary: Recommended update for systemd Severity: moderate References: 1075743,1078358,1081170 Description: This update for systemd fixes the following issues: - Add dmi/id conditions to 80-acpi-container-hotplug.rules to restrict the rule that it can only be triggered on Huawei Kunlun 9008, 9016 and 9032 machines. (bsc#1078358, bsc#1081170, bsc#1075743) ----------------------------------------- Patch: SUSE-2018-472 Released: Thu Mar 15 10:47:40 2018 Summary: Recommended update for libsolv, libzypp, zypper Severity: low References: 1074687,1075449,1076415,1079334,953130 Description: This update for libsolv, libzypp and zypper provides the following fixes: libsolv: - Fix a bug that could make fileconflict detection very slow in some cases. (bnc#953130) - Add new configuration options: ENABLE_RPMDB_LIBRPM and ENABLE_RPMPKG_LIBRPM. - Add a new function to change the whatprovides data: pool_set_whatprovides. - Significant improvements in the selection code. libzypp: - Make sure deleted keys are also removed from rpmdb. (bsc#1075449) - plugin: Don't reject header values containing ':'. (bsc#1074687) - RpmDb::checkPackage: Fix parsing localized rpm output. (bsc#1076415) zypper: - Do not recommend cron as it is not a direct dependency of zypper. (bsc#1079334) ----------------------------------------- Patch: SUSE-2018-522 Released: Thu Mar 22 08:20:46 2018 Summary: Security update for curl Severity: moderate References: 1084521,1084524,1084532,CVE-2018-1000120,CVE-2018-1000121,CVE-2018-1000122 Description: This update for curl fixes the following issues: Following security issues were fixed: - CVE-2018-1000120: A buffer overflow exists in the FTP URL handling that allowed an attacker to cause a denial of service or possible code execution (bsc#1084521). - CVE-2018-1000121: A NULL pointer dereference exists in the LDAP code that allowed an attacker to cause a denial of service (bsc#1084524). - CVE-2018-1000122: A buffer over-read exists in the RTSP+RTP handling code that allowed an attacker to cause a denial of service or information leakage (bsc#1084532). ----------------------------------------- Patch: SUSE-2018-524 Released: Thu Mar 22 11:53:28 2018 Summary: Recommended update for zypp-plugin Severity: low References: 1081596 Description: This update provides the new Python 3 module for the zypp-plugin. ----------------------------------------- Patch: SUSE-2018-567 Released: Thu Mar 29 14:02:08 2018 Summary: Security update for krb5 Severity: moderate References: 1057662,1081725,1083926,1083927,CVE-2018-5729,CVE-2018-5730 Description: This update for krb5 provides the following fixes: Security issues fixed: - CVE-2018-5730: DN container check bypass by supplying special crafted data (bsc#1083927). - CVE-2018-5729: Null pointer dereference in kadmind or DN container check bypass by supplying special crafted data (bsc#1083926). Non-security issues fixed: - Make it possible for legacy applications (e.g. SAP Netweaver) to remain compatible with newer Kerberos. System administrators who are experiencing this kind of compatibility issues may set the environment variable GSSAPI_ASSUME_MECH_MATCH to a non-empty value, and make sure the environment variable is visible and effective to the application startup script. (bsc#1057662) - Fix a GSS failure in legacy applications by not indicating deprecated GSS mechanisms in gss_indicate_mech() list. (bsc#1081725) ----------------------------------------- Patch: SUSE-2018-594 Released: Thu Apr 5 17:22:37 2018 Summary: Security update for libidn Severity: moderate References: 1056450,CVE-2017-14062 Description: This update for libidn fixes one issues. This security issue was fixed: - CVE-2017-14062: Prevent integer overflow in the decode_digit function that allowed remote attackers to cause a denial of service or possibly have unspecified other impact (bsc#1056450). ----------------------------------------- Patch: SUSE-2018-624 Released: Wed Apr 11 18:02:57 2018 Summary: Security update for openssl Severity: moderate References: 1087102,CVE-2018-0739 Description: This update for openssl fixes the following issues: - CVE-2018-0739: Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe. (bsc#1087102). ----------------------------------------- Patch: SUSE-2018-651 Released: Mon Apr 16 19:25:08 2018 Summary: Initial release of python3-cssselect, -lxml, -pycparser, -simplejson and -pycurl Severity: low References: 1073879 Description: This update provides the following new Python 3 modules for the SUSE Linux Enterprise Server: - python3-cssselect - python3-lxml - python3-pycparser - python3-pycurl - python3-simplejson ----------------------------------------- Patch: SUSE-2018-727 Released: Tue Apr 24 12:50:53 2018 Summary: Initial release of python3-pyzmq Severity: low References: 1073879 Description: This update provides the following new Python 3 module: - python3-pyzmq ----------------------------------------- Patch: SUSE-2018-730 Released: Wed Apr 25 14:14:41 2018 Summary: Security update for perl Severity: moderate References: 1082216,1082233,1082234,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913 Description: This update for perl fixes the following issues: Security issues fixed: - CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216). - CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233). - CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234). ----------------------------------------- Patch: SUSE-2018-736 Released: Wed Apr 25 14:23:49 2018 Summary: Recommended update for libsolv, libzypp Severity: moderate References: 1075978,1077635,1079991,1082318,1086602 Description: This update for libsolv, libzypp provides the following fixes: Changes in libsolv: - Make sure the product file comes from /etc/products.d for the fallback product search. (bsc#1086602) - Also make use of suggests for ordering packages. (bsc#1077635) - Fix bad assignment in solution refinement that led to a memory leak. (bsc#1075978) - Use license tag instead of doc in the spec file. (bsc#1082318) Changes in libzypp: - Make sure the product file comes from /etc/products.d for the fallback product search. (bsc#1086602) - Fix a memory leak in Digest.cc. (bsc#1075978) - Add /var/lib/gdm to CheckAccessDeleted blacklist to prevent showing superfluous `zypper ps -s` messages. (bsc#1079991) ----------------------------------------- Patch: SUSE-2018-743 Released: Thu Apr 26 15:40:28 2018 Summary: Initial release of python3-psutil and -pycrypto Severity: low References: 1073879 Description: This update provides the following new Python 3 modules: - python3-psutil - python3-pycrypto ----------------------------------------- Patch: SUSE-2018-759 Released: Mon Apr 30 12:03:07 2018 Summary: Recommended update for Salt Severity: moderate References: 1072973,1079398,1085635 Description: This update for salt fixes the following issues: - Make module result usable in states module.run. (bsc#1085635) - Fix Augeas module 'stripped quotes' issue. (bsc#1079398) - Fix logging with FQDNs. - Explore 'module.run' state module output in depth to catch the 'result' properly. - Fix x509 unit test to run on 2016.11.4 version. - Fix TypeError, thrown by M2Crypto on missing fields. (bsc#1072973) ----------------------------------------- Patch: SUSE-2018-779 Released: Wed May 2 22:16:26 2018 Summary: Recommended update for rpm Severity: low References: 1003714,1027925,1069934 Description: This update for rpm provides the following fixes: - Fix find-lang.sh to handle special case of .qm file paths correctly. (bsc#1027925) - Add %sle_version macro to suse_macros. (bsc#1003714) - Added a %rpm_vercmp macro which accepts two versions as parameters and returns -1, 0, 1 if the first version is less than, equal or greater than the second version respectively. - Added a %pkg_version macro that accepts a package or capability name as argument and returns the version number of the installed package. If no package provides the argument, it returns the string '~~~'. - Added a %pkg_vcmp macro that accepts 3 parameters. The first parameter is a package name or provided capability name, the second argument is an operator ( < <= = >= > != ) and the third parameter is a version string to be compared to the installed version of the first argument. - Added a %pkg_version_cmp macro which accepts a package or capability name as first argument and a version number as second argument and returns -1, 0, 1 or '~~~'. The number values have the same meaning as in %rpm_vercmp and the '~~~' string is returned if the package or capability can't be found. (bsc#1069934) ----------------------------------------- Patch: SUSE-2018-793 Released: Fri May 4 10:25:21 2018 Summary: Initial release of python3-CherryPy Severity: low References: 1073879 Description: This update provides the following new Python 3 module: - python3-CherryPy ----------------------------------------- Patch: SUSE-2018-797 Released: Mon May 7 07:07:38 2018 Summary: Recommended update for gcc7 Severity: important References: 1061667,1068967,1074621,1083290,1083946,1084812,1087550,1087930 Description: This update for gcc7 to 7.3 release fixes the following issues: - Update to GCC 7.3 release and further updated to gcc-7-branch head (r258812). - The Spectre v2 mitigation patch for s390x is now included. [bsc#1083946] - Adds backport of x86 retpoline support via -mindirect-branch=, -mfunction-return= and friends. [bsc#1074621] - Update includes a fix for chromium build failure. [bsc#1083290] - Various AArch64 compile fixes are included: * Picks fix to no longer enable -mpc-relative-literal-loads by default with --enable-fix-cortex-a53-843419. * Enable --enable-fix-cortex-a53-843419 for aarch64. [bsc#1084812] [bsc#1087930] * Enable --enable-fix-cortex-a53-835769 for aarch64. * Contains fix for PR82445 which is about a RPI1 bootloader miscompile. [bsc#1061667] * Fixed bogus stack probe instruction on ARM. [bsc#1068967] - Revert the ios_base::failure ABI back to compatible behavior with the default ABI. [bsc#1087550] - Fix nvptx offload target compiler install so GCC can pick up required files. Split out the newlib part into cross-nvptx-newlib7-devel and avoid conflicts with GCC 8 variant via Provides/Conflicts of cross-nvptx-newlib-devel. ----------------------------------------- Patch: SUSE-2018-801 Released: Mon May 7 12:59:12 2018 Summary: Initial release of python3-msgpack-python Severity: low References: 1073879 Description: This update provides the following new Python 3 module: - python3-msgpack-python ----------------------------------------- Patch: SUSE-2018-806 Released: Tue May 8 12:31:07 2018 Summary: Initial release of python3-MarkupSafe Severity: low References: 1073879 Description: This update provides the following new Python 3 module: - python3-MarkupSafe ----------------------------------------- Patch: SUSE-2018-807 Released: Tue May 8 12:33:03 2018 Summary: Initial release of python3-Jinja2 Severity: low References: 1073879 Description: This update provides the following new Python 3 module: - python3-Jinja2 ----------------------------------------- Patch: SUSE-2018-810 Released: Tue May 8 17:20:51 2018 Summary: Initial release of python3-PyYAML Severity: low References: 1073879 Description: This update provides the following new Python 3 module: - python3-PyYAML ----------------------------------------- Patch: SUSE-2018-919 Released: Tue May 15 16:30:21 2018 Summary: Initial release of python3-tornado Severity: low References: 1073879 Description: This update provides the following new Python 3 module: - python3-tornado ----------------------------------------- Patch: SUSE-2018-925 Released: Wed May 16 10:09:28 2018 Summary: Initial release of python3-requests Severity: low References: 1073879 Description: This update provides the following new Python 3 module: - python3-requests ----------------------------------------- Patch: SUSE-2018-939 Released: Thu May 17 08:41:30 2018 Summary: Security update for curl Severity: moderate References: 1086825,1092098,CVE-2018-1000301 Description: This update for curl fixes several issues: Security issues fixed: - CVE-2018-1000301: Fixed a RTSP bad headers buffer over-read could crash the curl client (bsc#1092098) Non security issues fixed: - If the DEFAULT_SUSE cipher list is not available use the HIGH cipher alias before failing. (bsc#1086825) ----------------------------------------- Patch: SUSE-2018-964 Released: Tue May 22 18:31:29 2018 Summary: Security update for python Severity: moderate References: 1068664,1079300,CVE-2017-1000158,CVE-2018-1000030 Description: This update for python fixes the following issues: Security issues fixed: - CVE-2017-1000158: Fixed integer overflows in PyString_DecodeEscape that could have resulted in heap-based buffer overflow attacks and possible arbitrary code execution (bsc#1068664). - CVE-2018-1000030: Fixed crash inside the Python interpreter when multiple threads used the same I/O stream concurrently (bsc#1079300). ----------------------------------------- Patch: SUSE-2018-974 Released: Wed May 23 16:46:50 2018 Summary: Recommended update for systemd Severity: moderate References: 1045092,1051465,1066422,1075804,1082485,1084626,1085062,1086785,1087323 Description: This update for systemd provides the following fixes: - sysusers: Do not append entries after the NIS ones. (bsc#1085062, bsc#1045092) - sysusers: Also add support for NIS entries in /etc/shadow. - sysusers: Make sure to reset errno before calling fget*ent(). - coredump: Respect ulimit -c 0 settings. (bsc#1075804) - systemctl: Don't make up unit states, and don't eat up errors too eagerly. (bsc#1084626) - systemctl: Don't mangle unit names in check_unit_generic(). - rules, compat-rules: Fix errors detected by the rule syntax checker. - python: Use raw strings for regexp patterns. - compat-rules: Make path_id_compat build with meson. - compat-rules: Get rid of scsi_id when generating compat symlinks for NVMe devices. (bsc#1051465) - Fix memory hotplugging. - systemd: Add offline environmental condition to the udev rules for acpi container to prevent them from being triggered by the 'udevadm trigger' from user space. (bsc#1082485) - systemd-udevd: Limit children-max by the available memory. (bsc#1086785, bsc#1066422) - Rename the tarball to reflect the exact version used, so that it is clear that it contains some additional patches on top of the upstream version. Use the commit hash in the name so the exact version can easily be identified. (bsc#1087323) ----------------------------------------- Patch: SUSE-2018-977 Released: Wed May 23 17:14:16 2018 Summary: Security update for bash Severity: moderate References: 1000396,1001299,1086247,CVE-2016-0634,CVE-2016-7543 Description: This update for bash fixes the following issues: Security issues fixed: - CVE-2016-7543: A code execution possibility via SHELLOPTS+PS4 variable was fixed (bsc#1001299) - CVE-2016-0634: Arbitrary code execution via malicious hostname was fixed (bsc#1000396) Non-security issues fixed: - Fix repeating self-calling of traps due the combination of a non-interactive shell, a trap handler for SIGINT, an external process in the trap handler, and a SIGINT within the trap after the external process runs. (bsc#1086247) ----------------------------------------- Patch: SUSE-2018-978 Released: Wed May 23 17:18:39 2018 Summary: Recommended update for zlib Severity: moderate References: 1071321 Description: This update for zlib fixes the following issues: - Fix a segmentation fault which was raised when converting a negative value into an unsigned integer (bsc#1071321) ----------------------------------------- Patch: SUSE-2018-1028 Released: Tue Jun 5 13:20:44 2018 Summary: Recommended update for pam Severity: low References: 1089884 Description: This update for pam fixes the following issues: - Fix order of accessed configuration files in man page. (bsc#1089884) ----------------------------------------- Patch: SUSE-2018-1077 Released: Wed Jun 6 11:44:25 2018 Summary: Security update for glibc Severity: important References: 1086690,1094150,1094154,1094161,CVE-2017-18269,CVE-2018-11236,CVE-2018-11237 Description: This update for glibc fixes the following issues: - CVE-2017-18269: Fix SSE2 memmove issue when crossing 2GB boundary (bsc#1094150) - CVE-2018-11236: Fix overflow in path length computation (bsc#1094161) - CVE-2018-11237: Don't write beyond buffer destination in __mempcpy_avx512_no_vzeroupper (bsc#1094154) Non security bugs fixed: - Fix crash in resolver on memory allocation failure (bsc#1086690) ----------------------------------------- Patch: SUSE-2018-1082 Released: Thu Jun 7 12:58:56 2018 Summary: Recommended update for rpm Severity: moderate References: 1073879,1080078,964063 Description: This update for rpm fixes the following issues: - Backport support for no_recompute_build_ids macro. (bsc#964063) - Fix code execution when evaluating common python-related macros. (bsc#1080078) Additionally, this update adds python3-rpm to the SUSE Linux Enterprise Server. ----------------------------------------- Patch: SUSE-2018-1141 Released: Fri Jun 15 13:41:08 2018 Summary: Security update for gpg2 Severity: important References: 1096745,CVE-2018-12020 Description: This update for gpg2 fixes the following security issue: - CVE-2018-12020: GnuPG mishandled the original filename during decryption and verification actions, which allowed remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the '--status-fd 2' option (bsc#1096745) ----------------------------------------- Patch: SUSE-2018-1144 Released: Fri Jun 15 19:19:29 2018 Summary: Recommended update for logrotate Severity: moderate References: 1093617 Description: This update for logrotate provides the following fix: - Ensure the HOME environment variable is set to /root when logrotate is started via systemd. This allows mariadb to rotate its logs when the database has a root password defined. (bsc#1093617) ----------------------------------------- Patch: SUSE-2018-1145 Released: Fri Jun 15 19:19:51 2018 Summary: Recommended update for openssl Severity: moderate References: 1090765 Description: This update for openssl provides the following fix: - Suggest libopenssl1_0_0-hmac from libopenssl1_0_0 package to avoid dependency issues during updates. (bsc#1090765) ----------------------------------------- Patch: SUSE-2018-1157 Released: Tue Jun 19 15:31:48 2018 Summary: Security update for salt Severity: moderate References: 1059291,1061407,1062464,1064520,1075950,1079048,1081592,1087055,1087278,1087581,1087891,1088888,1089112,1089362,1089526,1090242,1091371,1092161,1092373,1094055,1097174,1097413,CVE-2017-14695,CVE-2017-14696 Description: This update for salt provides version 2018.3 and brings many fixes and improvements: - Fix for sorting of multi-version packages (bsc#1097174 and bsc#1097413) - Align SUSE salt-master.service 'LimitNOFILES' limit with upstream Salt - Add 'other' attribute to GECOS fields to avoid inconsistencies with chfn - Prevent zypper from parsing repo configuration from not .repo files (bsc#1094055) - Collect all versions of installed packages on SUSE and RHEL systems (bsc#1089526) - No more AWS EC2 rate limitations in salt-cloud. (bsc#1088888) - MySQL returner now also allows to use Unix sockets. (bsc#1091371) - Do not override jid on returners, only sending back to master. (bsc#1092373) - Remove minion/thin/version if exists to force thin regeneration. (bsc#1092161) - Fix minion scheduler to return a 'retcode' attribute. (bsc#1089112) - Fix for logging during network interface querying. (bsc#1087581) - Fix rhel packages requires both net-tools and iproute. (bsc#1087055) - Fix patchinstall on yum module. Bad comparison. (bsc#1087278) - Strip trailing commas on Linux user's GECOS fields. (bsc#1089362) - Fallback to PyMySQL. (bsc#1087891) - Fix for [Errno 0] Resolver Error 0 (no error). (bsc#1087581) - Add python-2.6 support to salt-ssh. - Make it possible to use docker login, pull and push from module.run and detect errors. - Fix unicode decode error with salt-ssh. - Fix cp.push empty file. (bsc#1075950) - Fix grains containing trailing '\n'. - Remove salt-minion python2 requirement when python3 is default. (bsc#1081592) - Restoring installation of packages for Rhel 6 and 7. - Prevent queryformat pattern from expanding. (bsc#1079048) - Fix for delete_deployment in Kubernetes module. (bsc#1059291) - Fix bsc#1062464 and CVE-2017-14696 already included in 2017.7.2. - Fix wrong version reported by Salt. (bsc#1061407) - Run salt-api as user salt. (bsc#1064520) For a detailed description, please refer to the upstream-changelog at https://docs.saltstack.com/en/latest/topics/releases/index.html or to the rpm-changelog. supportutils-plugin-salt: - Collect salt-api, salt-broker and salt-ssh log files (bsc#1090242) ----------------------------------------- Patch: SUSE-2018-1242 Released: Thu Jun 28 13:44:16 2018 Summary: Security update for procps Severity: moderate References: 1092100,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126 Description: This update for procps fixes the following security issues: - CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100). - CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps maped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100). - CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100). - CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100). - CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100). ----------------------------------------- Patch: SUSE-2018-1276 Released: Thu Jul 5 08:36:17 2018 Summary: Security update for openssl Severity: moderate References: 1097158,1097624,1098592,CVE-2018-0732 Description: This update for openssl fixes the following issues: - CVE-2018-0732: During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server could have sent a very large prime value to the client. This caused the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack (bsc#1097158). - Blinding enhancements for ECDSA and DSA (bsc#1097624, bsc#1098592) ----------------------------------------- Patch: SUSE-2018-1328 Released: Tue Jul 17 08:07:57 2018 Summary: Security update for perl Severity: important References: 1068565,1082216,1082233,1082234,1096718,CVE-2018-12015,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913 Description: This update for perl fixes the following issues: These security issue were fixed: - CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216). - CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233). - CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234). - CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718) This non-security issue was fixed: - fix debugger crash in tab completion with Term::ReadLine::Gnu [bsc#1068565] ----------------------------------------- Patch: SUSE-2018-1351 Released: Thu Jul 19 09:43:21 2018 Summary: Security update for shadow Severity: important References: 1099310,CVE-2016-6252 Description: This update for shadow fixes the following issues: - CVE-2016-6252: Incorrect integer handling could results in local privilege escalation (bsc#1099310) ----------------------------------------- Patch: SUSE-2018-1376 Released: Mon Jul 23 10:54:47 2018 Summary: Security update for python Severity: moderate References: 1083507,CVE-2017-18207 Description: This update for python fixes the following issues: The following security vulnerabilities were addressed: - Add a check to Lib/wave.py that verifies that at least one channel is provided. Prior to this, attackers could cause a denial of service via a crafted wav format audio file. [bsc#1083507, CVE-2017-18207] ----------------------------------------- Patch: SUSE-2018-1400 Released: Thu Jul 26 16:32:29 2018 Summary: Security update for util-linux Severity: moderate References: 1072947,1078662,1080740,1084300,CVE-2018-7738 Description: This update for util-linux fixes the following issues: This non-security issue was fixed: - CVE-2018-7738: bash-completion/umount allowed local users to gain privileges by embedding shell commands in a mountpoint name, which was mishandled during a umount command by a different user (bsc#1084300). These non-security issues were fixed: - Fixed crash loop in lscpu (bsc#1072947). - Fixed possible segfault of umount -a - Fixed mount -a on NFS bind mounts (bsc#1080740). - Fixed lsblk on NVMe (bsc#1078662). ----------------------------------------- Patch: SUSE-2018-1413 Released: Fri Jul 27 12:41:13 2018 Summary: Security update for libgcrypt Severity: moderate References: 1064455,1090766,1097410,CVE-2018-0495 Description: This update for libgcrypt fixes the following issues: The following security vulnerability was addressed: - CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures (bsc#1097410). The following other issues were fixed: - Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455). - Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. (bsc#1090766) ----------------------------------------- Patch: SUSE-2018-1450 Released: Mon Jul 30 10:10:45 2018 Summary: Recommended update for pam Severity: low References: 1096282 Description: This update for pam provides the following fix: - Added /etc/security/limits.d to the pam package. (bsc#1096282) ----------------------------------------- Patch: SUSE-2018-1515 Released: Tue Aug 7 20:19:02 2018 Summary: Introduce packages added to SLES 12 SP3 after release Severity: low References: 1102861 Description: This update adds packages to the SUSE Linux Enterprise Server 12 SP3 for Teradata which were added after the released of SLES 12 SP3. ----------------------------------------- Patch: SUSE-2018-1549 Released: Mon Aug 13 13:41:22 2018 Summary: Recommended update for sg3_utils Severity: low References: 1065448,1070431,1077787,1092640 Description: This update for sg3_utils provides the following fix: - Decode standard INQUIRY for CD-ROMs correctly. (bsc#1065448, bsc#1070431) - Fix page decoding. (bsc#1077787) - Remove initrd rebuild macros for libsgutils2 subpackage. (bsc#1092640) - Use %post -p for ldconfig. (bsc#1092640) ----------------------------------------- Patch: SUSE-2018-1610 Released: Thu Aug 16 14:04:25 2018 Summary: Security update for libgcrypt Severity: moderate References: 1064455,1090766,1097410,CVE-2018-0495 Description: This update for libgcrypt fixes the following issues: The following security vulnerability was addressed: - CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures (bsc#1097410). The following other issues were fixed: - Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455). - Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. (bsc#1090766) ----------------------------------------- Patch: SUSE-2018-1612 Released: Thu Aug 16 14:04:38 2018 Summary: Security update for python Severity: moderate References: 1083507,CVE-2017-18207 Description: This update for python fixes the following issues: The following security vulnerabilities were addressed: - Add a check to Lib/wave.py that verifies that at least one channel is provided. Prior to this, attackers could cause a denial of service via a crafted wav format audio file. [bsc#1083507, CVE-2017-18207] ----------------------------------------- Patch: SUSE-2018-1620 Released: Thu Aug 16 14:49:45 2018 Summary: Security update for shadow Severity: important References: 1099310,CVE-2016-6252 Description: This update for shadow fixes the following issues: - CVE-2016-6252: Incorrect integer handling could results in local privilege escalation (bsc#1099310) ----------------------------------------- Patch: SUSE-2018-1632 Released: Thu Aug 16 15:27:04 2018 Summary: Recommended update for systemd Severity: moderate References: 1039099,1080382,1082004,1082485,1083158,1088052,1088769,1088890,1089761,1090785,1091265,1093851,1095096 Description: This update for systemd fixes the following issues: - core: In --user mode, report READY=1 as soon as basic.target is reached. - sd-bus: Extend D-Bus authentication timeout considerably. - scsi_id: Fixup prefix for pre-SPC inquiry reply. (bsc#1039099) - udev: Use MAC address match only for ibmveth/ibmvnic/mlx4. (bsc#1095096) - compat-rules: Generate more compat by-id symlinks for NVMe devices. (bsc#1095096) - udev: Whitelist mlx4_core locally-administered MAC addresses in the persistent rule generator. (bsc#1083158) - udev: Don't create by-partlabel/primary and .../logical symlinks. (bsc#1089761) - rules: Add /dev/disk/by-partuuid symlinks also for dos partition tables. - device: Make sure to always retroactively start device dependencies. (bsc#1088052) - device: Skip deserialization of device units when udevd is not running. - install: 'user' and 'global' scopes are equivalent for user presets. (bsc#1093851) - install: Search preset files in /run. - man: Updated systemd-analyze blame description for service-units with Type=simple. (bsc#1091265) - logind: Fix crash when shutdown is not issued from a tty. (bsc#1088890) - logind: Do not use an uninitialized variable. (bsc#1088890) - Disable user services by default. (bsc#1090785) - Ship 99-sysctl.conf instead of creating it during package installation/update. (bsc#1088769) Previously this symlink was created in /etc/sysctl.d during %post which made the symlink not owned and more importantly it was created only if /etc/sysctl.conf is already installed which is not always the case during the installation process it seems. So ship the symlink unconditionally and put it in /usr/lib/sysctl.d instead since it's a distro default behavior that might be overriden by sysadmin later. - systemd: Add offline environmental condition to 80-acpi-container-hotplug.rules. (bsc#1080382, bsc#1082485) Add the offline event environmental condition to restrict the rule that is can only be triggered when the change event is received with the 'offline' environmental data. The 27664c581 'ACPI / scan: Send change uevent with offine environmental data' kernel patch changed the corresponding code in kernel. This change prevents the udev rules for acpi container be triggered by 'udevadm trigger' from user space. - build-sys: Explicitly require python3. (bsc#1082004) ----------------------------------------- Patch: SUSE-2018-1636 Released: Thu Aug 16 15:30:11 2018 Summary: Recommended update for pam Severity: low References: 1096282 Description: This update for pam provides the following fix: - Added /etc/security/limits.d to the pam package. (bsc#1096282) ----------------------------------------- Patch: SUSE-2018-1689 Released: Mon Aug 20 09:02:24 2018 Summary: Recommended update for pam Severity: low References: 1096282 Description: This update for pam provides the following fix: - Added /etc/security/limits.d to the pam package. (bsc#1096282) ----------------------------------------- Patch: SUSE-2018-1691 Released: Mon Aug 20 09:04:17 2018 Summary: Recommended update for sg3_utils Severity: low References: 1065448,1070431,1077787,1092640 Description: This update for sg3_utils provides the following fix: - Decode standard INQUIRY for CD-ROMs correctly. (bsc#1065448, bsc#1070431) - Fix page decoding. (bsc#1077787) - Remove initrd rebuild macros for libsgutils2 subpackage. (bsc#1092640) - Use %post -p for ldconfig. (bsc#1092640) ----------------------------------------- Patch: SUSE-2018-1695 Released: Mon Aug 20 09:19:20 2018 Summary: Security update for perl Severity: important References: 1068565,1082216,1082233,1082234,1096718,CVE-2018-12015,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913 Description: This update for perl fixes the following issues: These security issue were fixed: - CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216). - CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233). - CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234). - CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718) This non-security issue was fixed: - fix debugger crash in tab completion with Term::ReadLine::Gnu [bsc#1068565] ----------------------------------------- Patch: SUSE-2018-1698 Released: Mon Aug 20 09:19:28 2018 Summary: Security update for shadow Severity: important References: 1099310,CVE-2016-6252 Description: This update for shadow fixes the following issues: - CVE-2016-6252: Incorrect integer handling could results in local privilege escalation (bsc#1099310) ----------------------------------------- Patch: SUSE-2018-1716 Released: Mon Aug 20 17:03:40 2018 Summary: Recommended update for Salt Severity: moderate References: 1057635,1072599,1089526,1095507,1096514,1098394,1099323,1099460,1099945,1100142,1100225,1100697,1101812,1101880,1102218,1102265 Description: This update for salt fixes the following issues: - Fix file.blockreplace to avoid throwing IndexError. (bsc#1101812) - Fix pkg.upgrade reports when dealing with multiversion packages. (bsc#1102265) - Fix UnicodeDecodeError using is_binary check. (bsc#1100225) - Fix corrupt public key with m2crypto python3. (bsc#1099323) - Prevent payload crash on decoding binary data. (bsc#1100697) - Accounting for when files in an archive contain non-ascii characters. (bsc#1099460) - Handle packages with multiple version properly with zypper. (bsc#1096514) - Fix file.get_diff regression on 2018.3. (bsc#1098394) - Provide python version mismatch solutions. (bsc#1072599) - Add custom SUSE capabilities as Grains. (bsc#1089526) - Fix file.managed binary file utf8 error. (bsc#1098394) - Multiversion patch plus upstream fix and patch reordering. - Add environment variable to know if yum is invoked from Salt. (bsc#1057635) - Prevent deprecation warning with salt-ssh. (bsc#1095507) - Add missing dateutils import (bsc#1099945) - Check dmidecoder executable on each 'smbios' call to avoid race condition (bsc#1101880) - Fix mine.get not returning data - workaround for #48020 (bsc#1100142) - Add API log rotation on SUSE package (bsc#1102218) - Backport the new libvirt_events engine from upstream ----------------------------------------- Patch: SUSE-2018-1753 Released: Fri Aug 24 14:24:17 2018 Summary: Security update for python Severity: moderate References: 1083507,CVE-2017-18207 Description: This update for python fixes the following issues: The following security vulnerabilities were addressed: - Add a check to Lib/wave.py that verifies that at least one channel is provided. Prior to this, attackers could cause a denial of service via a crafted wav format audio file. [bsc#1083507, CVE-2017-18207] ----------------------------------------- Patch: SUSE-2018-1834 Released: Wed Sep 5 10:17:42 2018 Summary: Recommended update for systemd Severity: moderate References: 1089761,1090944,1101040,1103910 Description: This update for systemd fixes the following issues: - cryptsetup: Add support for sector-size= option. (fate#325634) - resolved: Apply epoch to system time from PID 1. (bsc#1103910) - core/service: Rework the hold-off time over message. - core: Don't freeze OnCalendar= timer units when the clock goes back a lot. (bsc#1090944) - man: SystemMaxUse= clarification in journald.conf(5). (bsc#1101040) - Add udev.no-partlabel-links kernel command-line option. This option can be used to disable the generation of the by-partlabel symlinks regardless of the name used. (bsc#1089761) ----------------------------------------- Patch: SUSE-2018-1903 Released: Fri Sep 14 12:46:21 2018 Summary: Security update for curl Severity: moderate References: 1089533,1106019,CVE-2018-14618 Description: This update for curl fixes the following issues: This security issue was fixed: - CVE-2018-14618: Prevent integer overflow in the NTLM authentication code (bsc#1106019) This non-security issue was fixed: - Fixed erroneous debug message when paired with OpenSSL (bsc#1089533) ----------------------------------------- Patch: SUSE-2018-1969 Released: Mon Sep 24 08:06:42 2018 Summary: Security update for libzypp, zypper Severity: important References: 1036304,1045735,1049825,1070851,1076192,1088705,1091624,1092413,1096803,1099847,1100028,1101349,1102429,CVE-2017-9269,CVE-2018-7685 Description: This update for libzypp, zypper fixes the following issues: Update libzypp to version 16.17.20: Security issues fixed: - PackageProvider: Validate deta rpms before caching (bsc#1091624, bsc#1088705, CVE-2018-7685) - PackageProvider: Validate downloaded rpm package signatures before caching (bsc#1091624, bsc#1088705, CVE-2018-7685) Other bugs fixed: - lsof: use '-K i' if lsof supports it (bsc#1099847, bsc#1036304) - Handle http error 502 Bad Gateway in curl backend (bsc#1070851) - RepoManager: Explicitly request repo2solv to generate application pseudo packages. - libzypp-devel should not require cmake (bsc#1101349) - HardLocksFile: Prevent against empty commit without Target having been been loaded (bsc#1096803) - Avoid zombie tar processes (bsc#1076192) Update to zypper to version 1.13.45: Security issues fixed: - Improve signature check callback messages (bsc#1045735, CVE-2017-9269) - add/modify repo: Add options to tune the GPG check settings (bsc#1045735, CVE-2017-9269) Other bugs fixed: - XML attribute `packages-to-change` added (bsc#1102429) - man: Strengthen that `--config FILE' affects zypper.conf, not zypp.conf (bsc#1100028) - Prevent nested calls to exit() if aborted by a signal (bsc#1092413) - ansi.h: Prevent ESC sequence strings from going out of scope (bsc#1092413) - Fix: zypper bash completion expands non-existing options (bsc#1049825) - Improve signature check callback messages (bsc#1045735) - add/modify repo: Add options to tune the GPG check settings (bsc#1045735) ----------------------------------------- Patch: SUSE-2018-1985 Released: Mon Sep 24 11:56:08 2018 Summary: Recommended update for openldap2 Severity: moderate References: 1089640 Description: This update for openldap2 provides the following fix: - Fix slapd segfaults in mdb_env_reader_dest. (bsc#1089640) ----------------------------------------- Patch: SUSE-2018-1994 Released: Mon Sep 24 12:55:57 2018 Summary: Security update for shadow Severity: moderate References: 1106914 Description: This update for shadow fixes the following security issue: - Prevent useradd from creating intermediate directories with mode 0777 (bsc#1106914) ----------------------------------------- Patch: SUSE-2018-2023 Released: Wed Sep 26 09:48:49 2018 Summary: Recommended update for patchinfo.salt, salt Severity: moderate References: 1095942,1102013,1103530,1104154 Description: This update for salt fixes the following issues: - Prepend current directory when path is just filename. (bsc#1095942) - Only do reverse DNS lookup on IPs for salt-ssh. (bsc#1104154) - Add support for Python 3.7 and Tornado 5.0. - Decode file contents for python2. (bsc#1102013, bsc#1103530) ----------------------------------------- Patch: SUSE-2018-2069 Released: Fri Sep 28 08:01:25 2018 Summary: Security update for openssl Severity: moderate References: 1089039,1101246,1101470,1104789,1106197,997043,CVE-2018-0737 Description: This update for openssl fixes the following issues: These security issues were fixed: - Prevent One&Done side-channel attack on RSA that allowed physically near attackers to use EM emanations to recover information (bsc#1104789) - CVE-2018-0737: The RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could have recovered the private key (bsc#1089039) These non-security issues were fixed: - Add openssl(cli) Provide so the packages that require the openssl binary can require this instead of the new openssl meta package (bsc#1101470) - Fixed path to the engines which are under /lib64 on SLE-12 (bsc#1101246, bsc#997043) ----------------------------------------- Patch: SUSE-2018-2162 Released: Fri Oct 5 14:46:53 2018 Summary: Recommended update for krb5 Severity: moderate References: 1088921 Description: This update for krb5 provides the following fix: - Resolve krb5 GSS credentials immediately if the application requests the lifetime. (bsc#1088921) ----------------------------------------- Patch: SUSE-2018-2181 Released: Tue Oct 9 11:08:20 2018 Summary: Security update for libxml2 Severity: moderate References: 1088279,1088601,1102046,1105166,CVE-2017-18258,CVE-2018-14404,CVE-2018-14567,CVE-2018-9251 Description: This update for libxml2 fixes the following security issues: - CVE-2018-9251: The xz_decomp function allowed remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1088279). - CVE-2018-14567: Prevent denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1105166). - CVE-2018-14404: Prevent NULL pointer dereference in the xmlXPathCompOpEval() function when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case leading to a denial of service attack (bsc#1102046). - CVE-2017-18258: The xz_head function allowed remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality did not restrict memory usage to what is required for a legitimate file (bsc#1088601). ----------------------------------------- Patch: SUSE-2018-2196 Released: Thu Oct 11 07:45:16 2018 Summary: Optional update for gcc8 Severity: low References: 1084812,1084842,1087550,1094222,1102564 Description: The GNU Compiler GCC 8 is being added to the Toolchain Module by this update. The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the base products of SUSE Linux Enterprise 12. Various optimizers have been improved in GCC 8, several of bugs fixed, quite some new warnings added and the error pin-pointing and fix-suggestions have been greatly improved. The GNU Compiler page for GCC 8 contains a summary of all the changes that have happened: https://gcc.gnu.org/gcc-8/changes.html Also changes needed or common pitfalls when porting software are described on: https://gcc.gnu.org/gcc-8/porting_to.html ----------------------------------------- Patch: SUSE-2018-2217 Released: Fri Oct 12 15:07:24 2018 Summary: Recommended update for bash Severity: moderate References: 1094121,1107430 Description: This update for bash provides the following fixes: - Fix an inconsistent behaviour regarding expansion of here strings. (bsc#1094121) - Fix mis-matching of null string with '*' pattern. (bsc#1107430) - Fix a crash when the lastpipe option is enabled. - Fix a typo that was preventing the `compat42' shopt option from working as intended. - Help the shell to process any pending traps at redirection. - Fix a crashe due to incorrect conversion from an indexed to associative array. - Avoid the expansion of escape sequences in HOSTNAME in prompt. - Avoid `xtrace' attack over $PS4. ----------------------------------------- Patch: SUSE-2018-2373 Released: Mon Oct 22 14:43:47 2018 Summary: Security update for rpm Severity: moderate References: 1077692,943457,CVE-2017-7500,CVE-2017-7501 Description: This update for rpm fixes the following issues: These security issues were fixed: - CVE-2017-7500: rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination (bsc#943457). - CVE-2017-7501: rpm used temporary files with predictable names when installing an RPM. An attacker with ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions to arbitrary files, which could be used for denial of service or possibly privilege escalation (bsc#943457) This non-security issue was fixed: - Use ksym-provides tool [bsc#1077692] ----------------------------------------- Patch: SUSE-2018-2379 Released: Tue Oct 23 10:32:56 2018 Summary: Recommended update for Salt Severity: moderate References: 1095651,1104491,1106164,1107333,1108557,1108834,1108969,1108995,1109893 Description: This update fixes the following issues: salt: - Improved IPv6 address handling (bsc#1108557) - Better handling for zypper exiting with exit code ZYPPER_EXIT_NO_REPOS (bsc#1108834, bsc#1109893) - Fix for dependency problem with pip (bsc#1104491) - Fix loosen azure sdk dependencies in azurearm cloud driver (bsc#1107333) - Fix for Python3 issue in zypper (bsc#1108995) - Allow running salt-cloud in GCE using instance credentials (bsc#1108969) - Improved handling of Python unicode literals in YAML parsing (bsc#1095651) - Fix for Salt 'acl.present' and 'acl.absent' states to make them successfully work recursively when 'recurse=True'. (bsc#1106164) - Fix for Python3 byte/unicode mismatch and additional minor bugfixes to x509 module. - Integration of MSI authentication for azurearm - Compound list targeting wrongly returned with minions specified in 'not'. - Fixes the x509 module to work, when using the sign_remote_certificate functionality. - Fix for SUSE Expanded Support os grain detection (returned 'Redhat' instead of 'Centos') ----------------------------------------- Patch: SUSE-2018-2435 Released: Wed Oct 24 14:42:43 2018 Summary: Recommended update for systemd Severity: important References: 1015254,1091677,1093753,1105031,1107640,1107941,1109197,991901 Description: This update for systemd fixes the following issues: - detect-virt: do not try to read all of /proc/cpuinfo (bsc#1109197) - emergency: make sure console password agents don't interfere with the emergency shell - units: remove udev control socket when systemd stops the socket unit (#4039) (bsc#1015254) - man: document that 'nofail' also has an effect on ordering - journald: take leading spaces into account in syslog_parse_identifier - journal: do not remove multiple spaces after identifier in syslog message - syslog: fix segfault in syslog_parse_priority() - journal: fix syslog_parse_identifier() - tmpfiles: don't adjust qgroups on existing subvolumes (bsc#1093753) - socket-util: attempt SO_RCVBUFFORCE/SO_SNDBUFFORCE only if SO_RCVBUF/SO_SNDBUF fails (bsc#991901) - user@.service: don't kill user manager at runlevel switch (bsc#1091677) - units: make sure user@.service runs with dbus still up - fix race between daemon-reload and other commands (bsc#1105031) - nspawn: always use mode 555 for /sys (bsc#1107640) - cryptsetup: do not define arg_sector_size if libgcrypt is v1.x (#9990) - Enable or disable machines.target according to the presets (bsc#1107941) ----------------------------------------- Patch: SUSE-2018-2475 Released: Thu Oct 25 16:56:24 2018 Summary: Recommended update for libzypp Severity: moderate References: 1099982,1109877,408814,556664,939392 Description: This update for libzypp fixes the following issues: - Add filesize check for downloads with known size (bsc#408814) - Fix conversion of string and glob to regex when compiling queries (bsc#1099982, bsc#939392, bsc#556664) - Fix blocking wait for finished child process (bsc#1109877) ----------------------------------------- Patch: SUSE-2018-2488 Released: Fri Oct 26 12:39:59 2018 Summary: Recommended update for cpio Severity: low References: 1076810,889138 Description: This update for cpio provides the following fix: - Remove an obsolete patch that was causing cpio not to preserve folder permissions. (bsc#1076810, bsc#889138) ----------------------------------------- Patch: SUSE-2018-2516 Released: Mon Oct 29 16:14:48 2018 Summary: Recommended update for console-setup, kbd Severity: moderate References: 1010880,1027379,1056449,1062303,1069468,1085432,360993,675317,825385,830805,958562,963942,984958 Description: This update for kbd and console-setup provides the following fixes: Changes in console-setup: - Add console-setup to SLE 12 to make it possible for kbd to provide converted X keymaps. (fate#325454, fate#318426) - Make the package build reproducible. (bsc#1062303) - Removed unneeded requires to kbd in order to resolve build cycle between kbd and console-setup. (bsc#963942) Changes in kbd: - Update to version 2.0.4, including the following fixes (FATE#325454): * Disable characters greater than or equal to =U+F000 as they do not work properly. (bsc#1085432) * Move initial NumLock handling from systemd back to kbd: * Add kbdsettings service. (bsc#1010880) * Exclude numlockbios support for non x86 platforms * Drop references to KEYTABLE and COMPOSETABLE. (bsc#1010880) * Drop from some fill-up templates and a couple of sysconfig variables not read by systemd anymore. (fate#319454) * Replace references to /var/adm/fillup-templates with new %_fillupdir macro. (bsc#1069468) * Add vlock.pamd PAM file. (bsc#1056449) * Enable vlock (bsc#1056449). * Revert dropping of kdb-legacy requirement as there are still packages and installation flows that needs this to be present. (bsc#1027379) * Fix data/keymaps/i386/querty/br-abnt2.map. (bsc#984958) * Fix missing dependency on coreutils for initrd macros. (bsc#958562) * Call missing initrd macro at postun. (bsc#958562) * Add the genmap4systemd.sh tool to generate entries for systemd's kbd-model-map table from xkeyboard-config converted keymaps. (fate#318426) * genmap4systemd.sh: Use 'abnt2' model for 'br' layouts, 'jp106' model for 'jp' layouts and 'microsoftpro' for anything else (instead of 'pc105' previously used). (fate#318426) * Include xkb layouts from xkeyboard-config converted to console keymaps. (fate#318426) * euro.map, euro1.map and euro2.map now produce correct unicode character for Euro sign. (bsc#360993) * Drop doshell reference from openvt.1 man page. (bsc#675317) * Drop the --userwait option as it is not used. (bsc#830805) * Fix a typo in the mac-querty-layout.inc. (bsc#825385) ----------------------------------------- Patch: SUSE-2018-2520 Released: Mon Oct 29 17:28:57 2018 Summary: Security update for python, python-base Severity: moderate References: 1086001,1088004,1088009,1109663,CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061 Description: This update for python, python-base fixes the following issues: Security issues fixed: - CVE-2018-1000802: Prevent command injection in shutil module (make_archive function) via passage of unfiltered user input (bsc#1109663). - CVE-2018-1061: Fixed DoS via regular expression backtracking in difflib.IS_LINE_JUNK method in difflib (bsc#1088004). - CVE-2018-1060: Fixed DoS via regular expression catastrophic backtracking in apop() method in pop3lib (bsc#1088009). Bug fixes: - bsc#1086001: python tarfile uses random order. ----------------------------------------- Patch: SUSE-2018-2525 Released: Tue Oct 30 09:22:45 2018 Summary: Recommended update for bash Severity: important References: 1113117 Description: This update for bash fixes the following issues: Recently released update introduced a change of behavior which resulted in broken customers scripts. (bsc#1113117) ----------------------------------------- Patch: SUSE-2018-2563 Released: Fri Nov 2 17:09:49 2018 Summary: Security update for curl Severity: moderate References: 1112758,1113660,CVE-2018-16840,CVE-2018-16842 Description: This update for curl fixes the following issues: - CVE-2018-16840: A use after free in closing SASL handles was fixed (bsc#1112758) - CVE-2018-16842: A Out-of-bounds Read in tool_msgs.c was fixed which could lead to crashes (bsc#1113660) ----------------------------------------- Patch: SUSE-2018-2567 Released: Fri Nov 2 18:59:06 2018 Summary: Recommended update for apparmor Severity: moderate References: 1047937,1057150,1057900,1099452,906858 Description: This update for apparmor provides the following fixes: - Add profile for usr.bin.lessopen.sh (bsc#906858) - Fix dovecot apparmor profile (bsc#1057150) - Fix creating profile rules from scanned logs when the chown operation is used (bsc#1047937) - Fix the traceroute profile to allow ipv6 usage (bsc#1057900) - Fix duplicate entry of capability when performing aa-logprof (bsc#1099452) ----------------------------------------- Patch: SUSE-2018-2593 Released: Wed Nov 7 11:04:00 2018 Summary: Recommended update for rpm Severity: moderate References: 1095148,1113100 Description: This update for rpm fixes the following issues: - Fix superfluous TOC. dependency on PowerPC64 (bsc#1113100) - Update to current find-provides.ksyms and find-requires.ksyms scripts (bsc#1095148) ----------------------------------------- Patch: SUSE-2018-2659 Released: Wed Nov 14 14:14:41 2018 Summary: Security update for systemd Severity: important References: 1106923,1108835,1109252,1110445,1111278,1112024,1113083,1113632,1113665,CVE-2018-15686,CVE-2018-15688 Description: This update for systemd fixes the following issues: Security issues fixed: - CVE-2018-15688: A buffer overflow vulnerability in the dhcp6 client of systemd allowed a malicious dhcp6 server to overwrite heap memory in systemd-networkd. (bsc#1113632) - CVE-2018-15686: A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. (bsc#1113665) Non-security issues fixed: - dhcp6: split assert_return() to be more debuggable when hit - core: skip unit deserialization and move to the next one when unit_deserialize() fails - core: properly handle deserialization of unknown unit types (#6476) - core: don't create Requires for workdir if 'missing ok' (bsc#1113083) - logind: use manager_get_user_by_pid() where appropriate - logind: rework manager_get_{user|session}_by_pid() a bit - login: fix user@.service case, so we don't allow nested sessions (#8051) (bsc#1112024) - core: be more defensive if we can't determine per-connection socket peer (#7329) - socket-util: introduce port argument in sockaddr_port() - service: fixup ExecStop for socket-activated shutdown (#4120) - service: Continue shutdown on socket activated unit on termination (#4108) (bsc#1106923) - cryptsetup: build fixes for 'add support for sector-size= option' - udev-rules: IMPORT cmdline does not recognize keys with similar names (bsc#1111278) - core: keep the kernel coredump defaults when systemd-coredump is disabled - core: shorten main() a bit, split out coredump initialization - core: set RLIMIT_CORE to unlimited by default (bsc#1108835) - core/mount: fstype may be NULL - journald: don't ship systemd-journald-audit.socket (bsc#1109252) - core: make 'tmpfs' dependencies on swapfs a 'default' dep, not an 'implicit' (bsc#1110445) - mount: make sure we unmount tmpfs mounts before we deactivate swaps (#7076) - tmp.mount.hm4: After swap.target (#3087) - Ship systemd-sysv-install helper via the main package This script was part of systemd-sysvinit sub-package but it was wrong since systemd-sysv-install is a script used to redirect enable/disable operations to chkconfig when the unit targets are sysv init scripts. Therefore it's never been a SySV init tool. ----------------------------------------- Patch: SUSE-2018-2745 Released: Thu Nov 22 16:13:42 2018 Summary: Security update for salt Severity: important References: 1110938,1113698,1113699,1113784,1114197,CVE-2018-15750,CVE-2018-15751 Description: This update for salt fixes the following issues: Security issues fixed: - CVE-2018-15750: Fixed directory traversal vulnerability in salt-api (bsc#1113698). - CVE-2018-15751: Fixed remote authentication bypass in salt-api(netapi) that allows to execute arbitrary commands (bsc#1113699). Non-security issues fixed: - Improved handling of LDAP group id. gid is no longer treated as a string, which could have lead to faulty group creations (bsc#1113784). - Fix async call to process manager (bsc#1110938). - Fixed OS arch detection when RPM is not installed (bsc#1114197). ----------------------------------------- Patch: SUSE-2018-2760 Released: Thu Nov 22 16:25:38 2018 Summary: Security update for openssl Severity: moderate References: 1112209,1113534,1113652,1113742,CVE-2018-0734,CVE-2018-5407 Description: This update for openssl fixes the following issues: Security issues fixed: - CVE-2018-0734: Fixed timing vulnerability in DSA signature generation (bsc#1113652). - CVE-2018-5407: Fixed elliptic curve scalar multiplication timing attack defenses (bsc#1113534). - Add missing timing side channel patch for DSA signature generation (bsc#1113742). Non-security issues fixed: - Fixed infinite loop in DSA generation with incorrect parameters (bsc#1112209). ----------------------------------------- Patch: SUSE-2018-2766 Released: Fri Nov 23 17:07:27 2018 Summary: Security update for rpm Severity: important References: 943457,CVE-2017-7500,CVE-2017-7501 Description: This update for rpm fixes the following issues: These security issues were fixed: - CVE-2017-7500: rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination (bsc#943457). - CVE-2017-7501: rpm used temporary files with predictable names when installing an RPM. An attacker with ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions to arbitrary files, which could be used for denial of service or possibly privilege escalation (bsc#943457) This is a reissue of the above security fixes for SUSE Linux Enterprise 12 GA, SP1 and SP2 LTSS, they have already been released for SUSE Linux Enterprise Server 12 SP3. ----------------------------------------- Patch: SUSE-2018-1697 Released: Fri Nov 23 17:08:32 2018 Summary: Security update for libgcrypt Severity: moderate References: 1064455,1090766,1097410,CVE-2018-0495 Description: This update for libgcrypt fixes the following issues: The following security vulnerability was addressed: - CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures (bsc#1097410). The following other issues were fixed: - Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455). - Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. (bsc#1090766) ----------------------------------------- Patch: SUSE-2018-1696 Released: Mon Nov 26 17:46:39 2018 Summary: Security update for procps Severity: moderate References: 1092100,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126 Description: This update for procps fixes the following security issues: - CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100). - CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps maped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100). - CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100). - CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100). - CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100). ----------------------------------------- Patch: SUSE-2018-1618 Released: Tue Nov 27 13:39:49 2018 Summary: Security update for util-linux Severity: moderate References: 1072947,1078662,1080740,1084300,CVE-2018-7738 Description: This update for util-linux fixes the following issues: This non-security issue was fixed: - CVE-2018-7738: bash-completion/umount allowed local users to gain privileges by embedding shell commands in a mountpoint name, which was mishandled during a umount command by a different user (bsc#1084300). These non-security issues were fixed: - Fixed crash loop in lscpu (bsc#1072947). - Fixed possible segfault of umount -a - Fixed mount -a on NFS bind mounts (bsc#1080740). - Fixed lsblk on NVMe (bsc#1078662). ----------------------------------------- Patch: SUSE-2018-2824 Released: Mon Dec 3 15:34:09 2018 Summary: Security update for ncurses Severity: important References: 1115929,CVE-2018-19211 Description: This update for ncurses fixes the following issue: Security issue fixed: - CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929). ----------------------------------------- Patch: SUSE-2018-2836 Released: Wed Dec 5 09:29:31 2018 Summary: Recommended update for apparmor Severity: moderate References: 1111965,1113125 Description: This update for apparmor fixes the following issues: - Systemd aware apparmor.spec, remove old insserv from spec file (bsc#1113125) - Fix warnings produced because of use of uninitialized variables (bsc#1111965) ----------------------------------------- Patch: SUSE-2018-2840 Released: Wed Dec 5 09:57:54 2018 Summary: Recommended update for permissions Severity: moderate References: 1028304,1047247,1050467,1097665,1111251 Description: This update for permissions fixes the following issues: - Allow setuid root for start-suid tool of singularity (group only) bsc#1028304 - Allow setuid root for authbind binary (bsc#1111251) - A incorrect error message was adjusted (bsc#1047247 bsc#1097665) - Make btmp root:utmp (bsc#1050467) ----------------------------------------- Patch: SUSE-2018-2841 Released: Wed Dec 5 09:59:45 2018 Summary: Recommended update for glibc Severity: moderate References: 1105236,1110661,1112858 Description: This update for glibc fixes the following issues: - Added more checks for valid ld.so.cache file (bsc#1110661) - Rewrite elf_machine_load_address using _DYNAMIC symbol (bsc#1112858) - Always use __IPC_64 on powerpc as required by the kernel (bsc#1105236) ----------------------------------------- Patch: SUSE-2018-2880 Released: Fri Dec 7 14:50:23 2018 Summary: Recommended update for Salt Severity: moderate References: 1112874,1114824 Description: This update fixes the following issues: salt: - Crontab module fix: file attributes option missing (bsc#1114824) - Fix git_pillar merging across multiple __env__ repositories (bsc#1112874) ----------------------------------------- Patch: SUSE-2018-2906 Released: Tue Dec 11 21:48:05 2018 Summary: Recommended update for blog Severity: moderate References: 1071568 Description: This update for blog fixes the following issues: - Hardening of the console list generation (bsc#1071568) - Changed description of blog-plymouth in same manner as used by the release notes ----------------------------------------- Patch: SUSE-2018-2947 Released: Mon Dec 17 08:51:28 2018 Summary: Security update for openldap2 Severity: moderate References: 1073313,CVE-2017-17740 Description: This update for openldap2 fixes the following issues: Security issue fixed: - CVE-2017-17740: When both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. (bsc#1073313) ----------------------------------------- Patch: SUSE-2018-2975 Released: Tue Dec 18 13:45:02 2018 Summary: Recommended update for python-psutil Severity: moderate References: 1111800 Description: python-psutil was updated to version 5.2.2 to fulfill requirements of other packages. (FATE#326775, bsc#1111800) ----------------------------------------- Patch: SUSE-2018-3029 Released: Fri Dec 21 17:34:05 2018 Summary: Recommended update for libgcrypt Severity: moderate References: 1117355 Description: This update for libgcrypt provides the following fix: - Fail selftests when checksum file is missing in FIPS mode only. (bsc#1117355) ----------------------------------------- Patch: SUSE-2019-43 Released: Tue Jan 8 13:07:17 2019 Summary: Recommended update for acl Severity: low References: 953659 Description: This update for acl fixes the following issues: - quote: Escape literal backslashes (bsc#953659). ----------------------------------------- Patch: SUSE-2019-111 Released: Thu Jan 17 14:18:31 2019 Summary: Security update for krb5 Severity: important References: 1120489,CVE-2018-20217 Description: This update for krb5 fixes the following issues: Security issue fixed: - CVE-2018-20217: Fixed an assertion issue with older encryption types (bsc#1120489) ----------------------------------------- Patch: SUSE-2019-135 Released: Mon Jan 21 13:53:58 2019 Summary: Security update for systemd Severity: moderate References: 1005023,1076696,1101591,1114981,1115518,1119971,1120323,CVE-2018-16864,CVE-2018-16865,CVE-2018-16866 Description: This update for systemd provides the following fixes: Security issues fixed: - CVE-2018-16864, CVE-2018-16865: Fixed two memory corruptions through attacker-controlled alloca()s (bsc#1120323) - CVE-2018-16866: Fixed an information leak in journald (bsc#1120323) - Fixed an issue during system startup in relation to encrypted swap disks (bsc#1119971) Non-security issues fixed: - core: Queue loading transient units after setting their properties. (bsc#1115518) - logind: Stop managing VT switches if no sessions are registered on that VT. (bsc#1101591) - terminal-util: introduce vt_release() and vt_restore() helpers. - terminal: Unify code for resetting kbd utf8 mode a bit. - terminal Reset should honour default_utf8 kernel setting. - logind: Make session_restore_vt() static. - udev: Downgrade message when settting inotify watch up fails. (bsc#1005023) - log: Never log into foreign fd #2 in PID 1 or its pre-execve() children. (bsc#1114981) - udev: Ignore the exit code of systemd-detect-virt for memory hot-add. In SLE-12-SP3, 80-hotplug-cpu-mem.rules has a memory hot-add rule that uses systemd-detect-virt to detect non-zvm environment. The systemd-detect-virt returns exit failure code when it detected _none_ state. The exit failure code causes that the hot-add memory block can not be set to online. (bsc#1076696) ----------------------------------------- Patch: SUSE-2019-143 Released: Tue Jan 22 14:21:55 2019 Summary: Recommended update for ncurses Severity: important References: 1121450 Description: This update for ncurses fixes the following issues: - ncurses applications freezing (bsc#1121450) ----------------------------------------- Patch: SUSE-2019-218 Released: Thu Jan 31 20:30:20 2019 Summary: Recommended update for kmod Severity: moderate References: 1118629 Description: This update for kmod fixes the following issues: - Fix module dependency file corruption on parallel invocation (bsc#1118629). ----------------------------------------- Patch: SUSE-2019-249 Released: Wed Feb 6 08:36:16 2019 Summary: Security update for curl Severity: important References: 1123371,1123377,1123378,CVE-2018-16890,CVE-2019-3822,CVE-2019-3823 Description: This update for curl fixes the following issues: Security issues fixed: - CVE-2019-3823: Fixed a heap out-of-bounds read in the code handling the end-of-response for SMTP (bsc#1123378). - CVE-2019-3822: Fixed a stack based buffer overflow in the function creating an outgoing NTLM type-3 message (bsc#1123377). - CVE-2018-16890: Fixed a heap buffer out-of-bounds read in the function handling incoming NTLM type-2 messages (bsc#1123371). ----------------------------------------- Patch: SUSE-2019-261 Released: Wed Feb 6 11:26:21 2019 Summary: Recommended update for pam-config Severity: moderate References: 1114835 Description: This update for pam-config fixes the following issues: - Adds support for more pam_cracklib options. (bsc#1114835) ----------------------------------------- Patch: SUSE-2019-342 Released: Wed Feb 13 11:04:32 2019 Summary: Recommended update for Salt Severity: moderate References: 1099887,1114029,1114474,1116837,1117995,1121091,1123044,1123512 Description: This update fixes the following issues: salt: - Remove patch unable install salt minions on SLE 15 (bsc#1123512) - Fix integration tests in state compiler (U#2068) - Fix 'pkg.list_pkgs' output when using 'attr' to take the arch into account (bsc#1114029) - Fix powerpc null server_id_arch (bsc#1117995) - Fix module 'azure.storage' has no attribute '__version__' (bsc#1121091) - Add supportconfig module and states for minions and SaltSSH - Fix FIPS enabled RES clients (bsc#1099887) - Add hold/unhold functions. Fix Debian repo 'signed-by'. - Strip architecture from debian package names - Fix latin1 encoding problems on file module (bsc#1116837) - Don't error on retcode 0 in libcrypto.OPENSSL_init_crypto - Handle anycast IPv6 addresses on network.routes (bsc#1114474) - Debian info_installed compatibility (U#50453) - Add compatibility with other package modules for 'list_repos' function - Remove MSI Azure cloud module authentication patch (bsc#1123044) - Don't encode response string from role API ----------------------------------------- Patch: SUSE-2019-428 Released: Tue Feb 19 10:59:59 2019 Summary: Security update for systemd Severity: important References: 1111498,1117025,1117382,1120658,1122000,1122344,1123333,1123892,1125352,CVE-2019-6454 Description: This update for systemd fixes the following issues: Security vulnerability fixed: - CVE-2019-6454: Fixed a crash of PID1 by sending specially crafted D-BUS message on the system bus by an unprivileged user (bsc#1125352) Other bug fixes and changes: - journal-remote: set a limit on the number of fields in a message - journal-remote: verify entry length from header - journald: set a limit on the number of fields (1k) - journald: do not store the iovec entry for process commandline on stack - core: include Found state in device dumps - device: fix serialization and deserialization of DeviceFound - fix path in btrfs rule (#6844) - assemble multidevice btrfs volumes without external tools (#6607) (bsc#1117025) - Update systemd-system.conf.xml (bsc#1122000) - units: inform user that the default target is started after exiting from rescue or emergency mode - manager: don't skip sigchld handler for main and control pid for services (#3738) - core: Add helper functions unit_{main, control}_pid - manager: Fixing a debug printf formatting mistake (#3640) - manager: Only invoke a single sigchld per unit within a cleanup cycle (bsc#1117382) - core: update invoke_sigchld_event() to handle NULL ->sigchld_event() - sd-event: expose the event loop iteration counter via sd_event_get_iteration() (#3631) - unit: rework a bit how we keep the service fdstore from being destroyed during service restart (bsc#1122344) - core: when restarting services, don't close fds - cryptsetup: Add dependency on loopback setup to generated units - journal-gateway: use localStorage['cursor'] only when it has valid value - journal-gateway: explicitly declare local variables - analyze: actually select longest activated-time of services - sd-bus: fix implicit downcast of bitfield reported by LGTM - core: free lines after reading them (bsc#1123892) - pam_systemd: reword message about not creating a session (bsc#1111498) - pam_systemd: suppress LOG_DEBUG log messages if debugging is off (bsc#1111498) - main: improve RLIMIT_NOFILE handling (#5795) (bsc#1120658) - sd-bus: if we receive an invalid dbus message, ignore and proceeed - automount: don't pass non-blocking pipe to kernel. - units: make sure initrd-cleanup.service terminates before switching to rootfs (bsc#1123333) - units: add Wants=initrd-cleanup.service to initrd-switch-root.target (#4345) (bsc#1123333) ----------------------------------------- Patch: SUSE-2019-434 Released: Tue Feb 19 12:19:02 2019 Summary: Recommended update for libsemanage Severity: moderate References: 1115500 Description: This update for libsemanage provides the following fix: - Prevent an error message when reading module version if the directory does not exist. (bsc#1115500) ----------------------------------------- Patch: SUSE-2019-440 Released: Tue Feb 19 18:52:51 2019 Summary: Recommended update for dmidecode Severity: moderate References: 1120149 Description: This update for dmidecode fixes the following issues: - Extensions to Memory Device (Type 17) (FATE#326831 bsc#1120149) - Add 'Logical non-volatile device' to the memory device types (FATE#326831 bsc#1120149) ----------------------------------------- Patch: SUSE-2019-450 Released: Wed Feb 20 16:42:38 2019 Summary: Security update for procps Severity: important References: 1092100,1121753,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126 Description: This update for procps fixes the following security issues: - CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100). - CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps maped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100). - CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100). - CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100). - CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100). (These issues were previously released for SUSE Linux Enterprise 12 SP3 and SP4.) Also the following non-security issue was fixed: - Fix CPU summary showing old data. (bsc#1121753) ----------------------------------------- Patch: SUSE-2019-482 Released: Mon Feb 25 11:57:46 2019 Summary: Security update for python Severity: important References: 1073748,1109847,1122191,CVE-2018-14647,CVE-2019-5010 Description: This update for python fixes the following issues: Security issues fixed: - CVE-2019-5010: Fixed a denial-of-service vulnerability in the X509 certificate parser (bsc#1122191). - CVE-2018-14647: Fixed a denial-of-service vulnerability in Expat (bsc#1109847). Non-security issue fixed: - Fixed a bug where PyWeakReference struct was not initialized correctly leading to a crash (bsc#1073748). ----------------------------------------- Patch: SUSE-2019-514 Released: Thu Feb 28 15:39:05 2019 Summary: Recommended update for apparmor Severity: moderate References: 1112300 Description: This update for apparmor fixes the following issues: - Fix erroneously generated audit records: include status* files in dnsmasq. (bsc#1112300) ----------------------------------------- Patch: SUSE-2019-592 Released: Tue Mar 12 14:05:28 2019 Summary: Recommended update for Salt Severity: moderate References: 1122663,1123865 Description: This update fixes the following issues: salt: - Don't call zypper with more than one --no-refresh parameter (bsc#1123865) - Include aliases in FQDNS grain - Prevents error when there is no job entry in filesystem cache due to race condition in minion onboarding (bsc#1122663) ----------------------------------------- Patch: SUSE-2019-655 Released: Wed Mar 20 10:30:49 2019 Summary: Security update for libssh2_org Severity: moderate References: 1091236,1128471,1128472,1128474,1128476,1128480,1128481,1128490,1128492,1128493,CVE-2019-3855,CVE-2019-3856,CVE-2019-3857,CVE-2019-3858,CVE-2019-3859,CVE-2019-3860,CVE-2019-3861,CVE-2019-3862,CVE-2019-3863 Description: This update for libssh2_org fixes the following issues: Security issues fixed: - CVE-2019-3861: Fixed Out-of-bounds reads with specially crafted SSH packets (bsc#1128490). - CVE-2019-3862: Fixed Out-of-bounds memory comparison with specially crafted message channel request packet (bsc#1128492). - CVE-2019-3860: Fixed Out-of-bounds reads with specially crafted SFTP packets (bsc#1128481). - CVE-2019-3863: Fixed an Integer overflow in user authenticate keyboard interactive which could allow out-of-bounds writes with specially crafted keyboard responses (bsc#1128493). - CVE-2019-3856: Fixed a potential Integer overflow in keyboard interactive handling which could allow out-of-bounds write with specially crafted payload (bsc#1128472). - CVE-2019-3859: Fixed Out-of-bounds reads with specially crafted payloads due to unchecked use of _libssh2_packet_require and _libssh2_packet_requirev (bsc#1128480). - CVE-2019-3855: Fixed a potential Integer overflow in transport read which could allow out-of-bounds write with specially crafted payload (bsc#1128471). - CVE-2019-3858: Fixed a potential zero-byte allocation which could lead to an out-of-bounds read with a specially crafted SFTP packet (bsc#1128476). - CVE-2019-3857: Fixed a potential Integer overflow which could lead to zero-byte allocation and out-of-bounds with specially crafted message channel request SSH packet (bsc#1128474). Other issue addressed: - Libbssh2 will stop using keys unsupported types in the known_hosts file (bsc#1091236). ----------------------------------------- Patch: SUSE-2019-794 Released: Thu Mar 28 12:09:29 2019 Summary: Recommended update for krb5 Severity: moderate References: 1087481 Description: This update for krb5 fixes the following issues: - Add support for the GSS_KRB5_CRED_NO_CI_FLAGS_X cred option to suppress sending the confidentiality and integrity flags in GSS initiator tokens unless they are requested by the caller. These flags control the negotiated SASL security layer for the Microsoft GSS-SPNEGO SASL mechanism. (bsc#1087481). ----------------------------------------- Patch: SUSE-2019-803 Released: Fri Mar 29 13:14:21 2019 Summary: Security update for openssl Severity: moderate References: 1100078,1113975,1117951,1127080,CVE-2019-1559 Description: This update for openssl fixes the following issues: Security issues fixed: - The 9 Lives of Bleichenbacher's CAT: Cache Attacks on TLS Implementations (bsc#1117951) - CVE-2019-1559: Fixed OpenSSL 0-byte Record Padding Oracle which under certain circumstances a TLS server can be forced to respond differently to a client and lead to the decryption of the data (bsc#1127080). Other issues addressed: - Fixed IV handling in SHAEXT paths: aes/asm/aesni-sha*-x86_64.pl (bsc#1113975). - Set TLS version to 0 in msg_callback for record messages to avoid confusing applications (bsc#1100078). ----------------------------------------- Patch: SUSE-2019-838 Released: Tue Apr 2 09:52:06 2019 Summary: Security update for bash Severity: important References: 1130324,CVE-2019-9924 Description: This update for bash fixes the following issues: Security issue fixed: - CVE-2019-9924: Fixed a vulnerability in which shell did not prevent user BASH_CMDS allowing the user to execute any command with the permissions of the shell (bsc#1130324). ----------------------------------------- Patch: SUSE-2019-839 Released: Tue Apr 2 13:13:21 2019 Summary: Security update for file Severity: moderate References: 1096974,1096984,1126117,1126118,1126119,CVE-2018-10360,CVE-2019-8905,CVE-2019-8906,CVE-2019-8907 Description: This update for file fixes the following issues: The following security vulnerabilities were addressed: - Fixed an out-of-bounds read in the function do_core_note in readelf.c, which allowed remote attackers to cause a denial of service (application crash) via a crafted ELF file (bsc#1096974 CVE-2018-10360). - CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c (bsc#1126118) - CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf. c (bsc#1126119) - CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c (bsc#1126117) ----------------------------------------- Patch: SUSE-2019-910 Released: Tue Apr 9 08:06:27 2019 Summary: Recommended update for python Severity: low References: 1129287 Description: This update ships missing python-devel packages for the LTSS product lines. ----------------------------------------- Patch: SUSE-2019-913 Released: Tue Apr 9 11:19:07 2019 Summary: Security update for sqlite3 Severity: moderate References: 1119687,1131576,CVE-2018-20346,CVE-2018-20506 Description: This update for sqlite3 fixes the following issues: Security issues fixed: - CVE-2018-20346: Fixed a remote code execution vulnerability in FTS3 (Magellan) (bsc#1119687). - CVE-2018-20506: Fixed an integer overflow when FTS3 extension is enabled (bsc#1131576). ----------------------------------------- Version 3.1.1-Build3.9.41 2020-04-20T09:34:49 ----------------------------------------- Patch: SUSE-2016-1871 Released: Wed Dec 21 17:18:14 2016 Summary: Initial release of cloud-regionsrv Severity: low References: 979331 Description: This update adds cloud-regionsrv to the Public Cloud Module for SUSE Linux Enterprise Server 12. The region service provides functionality to correlate SMT server information with the region in which they are deployed and provide this information to a guest that connects using the region server client. For detailed setup instructions see the best practices guide: https://www.suse.com/documentation/suse-best-practices/publiccloudinfra/data/publiccloudinfra.html