SUSE Container Update Advisory: sles12/salt-api ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2019:566-1 Container Tags : sles12/salt-api:2018.3.0 , sles12/salt-api:2018.3.0-3.9.116 Container Release : 3.9.116 Severity : important Type : security References : 1002895 1002895 1002895 1010675 1010996 1014478 1024540 1051948 1054413 1054413 1054413 1071152 1071390 1073879 1073879 1074247 1100415 1104780 1109893 1110146 1110422 1110542 1111319 1112911 1113296 1120629 1120630 1120631 1121446 1122523 1126613 1127155 1127223 1127308 1128574 1131823 1134226 1137977 1139083 1139083 888534 973042 979331 985657 CVE-2009-5155 CVE-2016-3189 CVE-2016-9015 CVE-2016-9318 CVE-2018-20532 CVE-2018-20533 CVE-2018-20534 CVE-2019-12900 CVE-2019-12900 CVE-2019-9169 ----------------------------------------------------------------- The container sles12/salt-api was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2015:50-1 Released: Thu Jan 15 16:33:18 2015 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 888534 The system root SSL certificates were updated to match Mozilla NSS 2.2. Some removed/disabled 1024 bit certificates were temporarily reenabled/readded, as openssl and gnutls have a different handling of intermediates than mozilla nss and would otherwise not recognize SSL certificates from commonly used sites like Amazon. Updated to 2.2 (bnc#888534) - The following CAs were added: + COMODO_RSA_Certification_Authority codeSigning emailProtection serverAuth + GlobalSign_ECC_Root_CA_-_R4 codeSigning emailProtection serverAuth + GlobalSign_ECC_Root_CA_-_R5 codeSigning emailProtection serverAuth + USERTrust_ECC_Certification_Authority codeSigning emailProtection serverAuth + USERTrust_RSA_Certification_Authority codeSigning emailProtection serverAuth + VeriSign-C3SSA-G2-temporary-intermediate-after-1024bit-removal - The following CAs were changed: + Equifax_Secure_eBusiness_CA_1 remote code signing and https trust, leave email trust + Verisign_Class_3_Public_Primary_Certification_Authority_-_G2 only trust emailProtection - Updated to 2.1 (bnc#888534) - The following 1024-bit CA certificates were removed - Entrust.net Secure Server Certification Authority - ValiCert Class 1 Policy Validation Authority - ValiCert Class 2 Policy Validation Authority - ValiCert Class 3 Policy Validation Authority - TDC Internet Root CA - The following CA certificates were added: - Certification Authority of WoSign - CA 沃通根证书 - DigiCert Assured ID Root G2 - DigiCert Assured ID Root G3 - DigiCert Global Root G2 - DigiCert Global Root G3 - DigiCert Trusted Root G4 - QuoVadis Root CA 1 G3 - QuoVadis Root CA 2 G3 - QuoVadis Root CA 3 G3 - The Trust Bits were changed for the following CA certificates - Class 3 Public Primary Certification Authority - Class 3 Public Primary Certification Authority - Class 2 Public Primary Certification Authority - G2 - VeriSign Class 2 Public Primary Certification Authority - G3 - AC Raíz Certicámara S.A. - NetLock Uzleti (Class B) Tanusitvanykiado - NetLock Expressz (Class C) Tanusitvanykiado Temporary reenable some root ca trusts, as openssl/gnutls have trouble using intermediates as root CA. - GTE CyberTrust Global Root - Thawte Server CA - Thawte Premium Server CA - ValiCert Class 1 VA - ValiCert Class 2 VA - RSA Root Certificate 1 - Entrust.net Secure Server CA - America Online Root Certification Authority 1 - America Online Root Certification Authority 2 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:587-1 Released: Fri Apr 8 17:06:56 2016 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 973042 The root SSL certificate store ca-certificates-mozilla was updated to version 2.7 of the Mozilla NSS equivalent. (bsc#973042) - Newly added CAs: * CA WoSign ECC Root * Certification Authority of WoSign * Certification Authority of WoSign G2 * Certinomis - Root CA * Certum Trusted Network CA 2 * CFCA EV ROOT * COMODO RSA Certification Authority * DigiCert Assured ID Root G2 * DigiCert Assured ID Root G3 * DigiCert Global Root G2 * DigiCert Global Root G3 * DigiCert Trusted Root G4 * Entrust Root Certification Authority - EC1 * Entrust Root Certification Authority - G2 * GlobalSign * IdenTrust Commercial Root CA 1 * IdenTrust Public Sector Root CA 1 * OISTE WISeKey Global Root GB CA * QuoVadis Root CA 1 G3 * QuoVadis Root CA 2 G3 * QuoVadis Root CA 3 G3 * Staat der Nederlanden EV Root CA * Staat der Nederlanden Root CA - G3 * S-TRUST Universal Root CA * SZAFIR ROOT CA2 * TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5 * TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6 * USERTrust ECC Certification Authority * USERTrust RSA Certification Authority * 沃通根证书 - Removed CAs: * AOL CA * A Trust nQual 03 * Buypass Class 3 CA 1 * CA Disig * Digital Signature Trust Co Global CA 1 * Digital Signature Trust Co Global CA 3 * E Guven Kok Elektronik Sertifika Hizmet Saglayicisi * NetLock Expressz (Class C) Tanusitvanykiado * NetLock Kozjegyzoi (Class A) Tanusitvanykiado * NetLock Minositett Kozjegyzoi (Class QA) Tanusitvanykiado * NetLock Uzleti (Class B) Tanusitvanykiado * SG TRUST SERVICES RACINE * Staat der Nederlanden Root CA * TC TrustCenter Class 2 CA II * TC TrustCenter Universal CA I * TDC Internet Root CA * UTN DATACorp SGC Root CA * Verisign Class 1 Public Primary Certification Authority - G2 * Verisign Class 3 Public Primary Certification Authority * Verisign Class 3 Public Primary Certification Authority - G2 - Removed server trust from: * AC Raíz Certicámara S.A. * ComSign Secured CA * NetLock Uzleti (Class B) Tanusitvanykiado * NetLock Business (Class B) Root * NetLock Expressz (Class C) Tanusitvanykiado * TC TrustCenter Class 3 CA II * TURKTRUST Certificate Services Provider Root 1 * TURKTRUST Certificate Services Provider Root 2 * Equifax Secure Global eBusiness CA-1 * Verisign Class 4 Public Primary Certification Authority G3 - Enable server trust for: * Actalis Authentication Root CA ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:591-1 Released: Thu Apr 13 13:58:28 2017 Summary: Recommended update for python-azure-sdk Type: recommended Severity: low References: 1014478 This update adds python-adal, python-msrest and python-msrestazure to the Public Cloud Module for SUSE Linux Enterprise Server 12. These packages are new requirements of python-azure-sdk. ----------------------------------------------------------------- Advisory ID: SUSE-OU-2017:1073-1 Released: Thu Jun 29 18:16:26 2017 Summary: Initial release of python-urllib3 Type: optional Severity: low References: 1002895 This update adds python-urllib3 to the Public Cloud 12 Module. This is a new runtime requirement of recent versions of the Google Cloud SDK. ----------------------------------------------------------------- Advisory ID: SUSE-OU-2017:1140-1 Released: Wed Jul 12 15:00:34 2017 Summary: Optional update for python-httpretty, python-urllib3 Type: optional Severity: low References: 1002895 This update adds python-httpretty and python-urllib3 to SUSE Enterprise Storage 3. These are new runtime requirements of the next update for python-boto. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1556-1 Released: Mon Sep 18 09:24:26 2017 Summary: Recommended update for python-boto Type: recommended Severity: low References: 1002895 This update provides python-boto 2.42.0, which brings fixes and enhancements: - Respect is_secure parameter in generate_url_sigv4 - Update MTurk API - Update endpoints.json - Allow s3 bucket lifecycle policies with multiple transitions - Fixes upload parts for glacier - Autodetect sigv4 for ap-northeast-2 - Added support for ap-northeast-2 - Remove VeriSign Class 3 CA from trusted certs - Add note about boto3 on all pages of boto docs - Fix for listing EMR steps based on cluster_states filter - Fixed param name in set_contents_from_string docstring - Spelling and documentation fixes - Add deprecation notice to emr methods - Add some GovCloud endpoints. ----------------------------------------------------------------- Advisory ID: SUSE-OU-2017:1658-1 Released: Mon Oct 9 15:38:26 2017 Summary: Optional update for SUSE Manager Server 3.1 Type: optional Severity: low References: 1051948 This update adds the following new packages to SUSE Manager Server 3.1 to provide kubernetes-support for salt: python-kubernetes: Python-client for Kubernetes. python-urllib3: HTTP library with thread-safe connection pooling, file post, and more. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:129-1 Released: Tue Jan 23 14:46:32 2018 Summary: Recommended update for python-py Type: recommended Severity: low References: 1073879 This update for python-py adds the Python 3 sub-package to the codestream. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:265-1 Released: Tue Feb 6 14:58:28 2018 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1010996,1071152,1071390 This update for ca-certificates-mozilla fixes the following issues: The system SSL root certificate store was updated to Mozilla certificate version 2.22 from January 2018. (bsc#1071152 bsc#1071390 bsc#1010996) We removed the old 1024 bit legacy CAs that were temporary left in to allow in-chain root certificates as openssl is now able to handle it. Further changes coming from Mozilla: - New Root CAs added: * Amazon Root CA 1: (email protection, server auth) * Amazon Root CA 2: (email protection, server auth) * Amazon Root CA 3: (email protection, server auth) * Amazon Root CA 4: (email protection, server auth) * Certplus Root CA G1: (email protection, server auth) * Certplus Root CA G2: (email protection, server auth) * D-TRUST Root CA 3 2013: (email protection) * GDCA TrustAUTH R5 ROOT: (server auth) * Hellenic Academic and Research Institutions ECC RootCA 2015: (email protection, server auth) * Hellenic Academic and Research Institutions RootCA 2015: (email protection, server auth) * ISRG Root X1: (server auth) * LuxTrust Global Root 2: (server auth) * OpenTrust Root CA G1: (email protection, server auth) * OpenTrust Root CA G2: (email protection, server auth) * OpenTrust Root CA G3: (email protection, server auth) * SSL.com EV Root Certification Authority ECC: (server auth) * SSL.com EV Root Certification Authority RSA R2: (server auth) * SSL.com Root Certification Authority ECC: (email protection, server auth) * SSL.com Root Certification Authority RSA: (email protection, server auth) * Symantec Class 1 Public Primary Certification Authority - G4: (email protection) * Symantec Class 1 Public Primary Certification Authority - G6: (email protection) * Symantec Class 2 Public Primary Certification Authority - G4: (email protection) * Symantec Class 2 Public Primary Certification Authority - G6: (email protection) * TrustCor ECA-1: (email protection, server auth) * TrustCor RootCert CA-1: (email protection, server auth) * TrustCor RootCert CA-2: (email protection, server auth) * TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1: (server auth) - Removed root CAs: * AddTrust Public Services Root * AddTrust Public CA Root * AddTrust Qualified CA Root * ApplicationCA - Japanese Government * Buypass Class 2 CA 1 * CA Disig Root R1 * CA WoSign ECC Root * Certification Authority of WoSign G2 * Certinomis - Autorité Racine * Certum Root CA * China Internet Network Information Center EV Certificates Root * CNNIC ROOT * Comodo Secure Services root * Comodo Trusted Services root * ComSign Secured CA * EBG Elektronik Sertifika Hizmet Sağlayıcısı * Equifax Secure CA * Equifax Secure eBusiness CA 1 * Equifax Secure Global eBusiness CA * GeoTrust Global CA 2 * IGC/A * Juur-SK * Microsec e-Szigno Root CA * PSCProcert * Root CA Generalitat Valenciana * RSA Security 2048 v3 * Security Communication EV RootCA1 * Sonera Class 1 Root CA * StartCom Certification Authority * StartCom Certification Authority G2 * S-TRUST Authentication and Encryption Root CA 2005 PN * Swisscom Root CA 1 * Swisscom Root EV CA 2 * TÜBİTAK UEKAE Kök Sertifika Hizmet Sağlayıcısı - Sürüm 3 * TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı * TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6 * UTN USERFirst Hardware Root CA * UTN USERFirst Object Root CA * VeriSign Class 3 Secure Server CA - G2 * Verisign Class 1 Public Primary Certification Authority * Verisign Class 2 Public Primary Certification Authority - G2 * Verisign Class 3 Public Primary Certification Authority * WellsSecure Public Root Certificate Authority * Certification Authority of WoSign * WoSign China - Removed Code Signing rights from a lot of CAs (not listed here). - Removed Server Auth rights from: * AddTrust Low-Value Services Root * Camerfirma Chambers of Commerce Root * Camerfirma Global Chambersign Root * Swisscom Root CA 2 ----------------------------------------------------------------- Advisory ID: SUSE-OU-2018:660-1 Released: Thu Apr 19 08:38:02 2018 Summary: Initial release of python3-idna Type: optional Severity: low References: 1073879 This update provides the following new Python 3 module for the SUSE Linux Enterprise Server: - python3-idna ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1643-1 Released: Thu Aug 16 17:41:07 2018 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1100415 The systemwide Root CA certificates were updated to the 2.24 state of the Mozilla NSS Certificate store. Following CAs were removed: * S-TRUST_Universal_Root_CA * TC_TrustCenter_Class_3_CA_II * TURKTRUST_Elektronik_Sertifika_Hizmet_Saglayicisi_H5 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1763-1 Released: Mon Aug 27 09:30:15 2018 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1104780 This update for ca-certificates-mozilla fixes the following issues: The Root CA store was updated to 2.26 state of the Mozilla NSS Certificate store. (bsc#1104780) - Removed server auth from following CAs: - Certplus Root CA G1 - Certplus Root CA G2 - OpenTrust Root CA G1 - OpenTrust Root CA G2 - OpenTrust Root CA G3 - Removed CAs - ComSign CA - Added new CAs - GlobalSign ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2437-1 Released: Wed Oct 24 16:36:46 2018 Summary: Recommended update for several Python modules Type: recommended Severity: moderate References: 1054413 This update provides several new Python modules and adds the Python 3 variants of existing modules to the Public Cloud Module. The following Python 2 and Python 3 modules got added: - python-appdirs - python-python-dateutil The following Python 3 modules got added: - python-PySocks - python-blinker - python-certifi - python-pytz Additionally, the following packages have been updated: python-PySocks from version 1.5.6 to 1.6.8. python-certifi from version 2015.9.6.2 to 2018.4.16. python-pytz from version 2016.10 to 2018.3. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:139-1 Released: Mon Jan 21 15:54:18 2019 Summary: Security update for python-urllib3 Type: security Severity: moderate References: 1024540,1074247,1110422,CVE-2016-9015 This update for python-urllib3 fixes the following issues: python-urllib3 was updated to version 1.22 (fate#326733, bsc#1110422) and contains new features and lots of bugfixes: The full changelog can be found on: https://github.com/Lukasa/urllib3/blob/1.22/CHANGES.rst Security issues fixed: - CVE-2016-9015: TLS certificate validation vulnerability (bsc#1024540). (This issue did not affect our previous version 1.16.) Non security issues fixed: - bsc#1074247: Fix test suite, use correct date (gh#shazow/urllib3#1303). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:149-1 Released: Wed Jan 23 17:58:18 2019 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1121446 This update for ca-certificates-mozilla fixes the following issues: The package was updated to the 2.30 version of the Mozilla NSS Certificate store. (bsc#1121446) Removed Root CAs: - AC Raiz Certicamara S.A. - Certplus Root CA G1 - Certplus Root CA G2 - OpenTrust Root CA G1 - OpenTrust Root CA G2 - OpenTrust Root CA G3 - Visa eCommerce Root Added Root CAs: - Certigna Root CA (email and server auth) - GTS Root R1 (server auth) - GTS Root R2 (server auth) - GTS Root R3 (server auth) - GTS Root R4 (server auth) - OISTE WISeKey Global Root GC CA (email and server auth) - UCA Extended Validation Root (server auth) - UCA Global G2 Root (email and server auth) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:388-1 Released: Thu Feb 14 13:26:34 2019 Summary: Recommended update for additional Python updates Type: recommended Severity: moderate References: 1054413 This update brings new versions for several python modules, needed for updates for other parts of the python stack, to enable the Python Azure SDK. It also enables and ship various modules as Python3 modules. - python-adal: was updated to 0.5.0 and python 3 enabled. - python-chardet: was updated to 3.0.4 and python 3 enabled. - python-linecache2: new version 1.0.0 as a dependency of unittest2. - python-msrestazure: was updated to 0.4.11 and python 3 enabled. - python-msrest: was updated to 0.4.11 and python 3 enabled. - python-oauthlib: was python 3 enabled. - python-PyJWT: was python 3 enabled. - python-pytest-runner: was updated to 4.2 and python 3 enabled. - python-requests-oauthlib: was python 3 enabled. - python-traceback2: was updated to 1.1.0 and python 3 enabled. - python-unittest2: was updated to 1.1.10 and python 3 enabled. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1896-1 Released: Thu Jul 18 16:26:45 2019 Summary: Security update for libxml2 Type: security Severity: moderate References: 1010675,1110146,1126613,CVE-2016-9318 This update for libxml2 fixes the following issues: Issue fixed: - Fixed a bug related to the fix for CVE-2016-9318 which allowed xsltproc to access the internet even when --nonet was given and also was making docbook-xsl-stylesheets to have incomplete xml catalog file (bsc#1010675, bsc#1126613 and bsc#1110146). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1955-1 Released: Tue Jul 23 11:42:41 2019 Summary: Security update for bzip2 Type: security Severity: important References: 1139083,985657,CVE-2016-3189,CVE-2019-12900 This update for bzip2 fixes the following issues: Security issue fixed: - CVE-2019-12900: Fixed an out-of-bounds write in decompress.c with many selectors (bsc#1139083). - CVE-2016-3189: Fixed a use-after-free in bzip2recover (bsc#985657). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1958-1 Released: Tue Jul 23 13:18:12 2019 Summary: Security update for glibc Type: security Severity: moderate References: 1127223,1127308,1128574,CVE-2009-5155,CVE-2019-9169 This update for glibc fixes the following issues: Security issues fixed: - CVE-2019-9169: Fixed a heap-based buffer over-read via an attempted case-insensitive regular-expression match (bsc#1127308). - CVE-2009-5155: Fixed a denial of service in parse_reg_exp() (bsc#1127223). Non-security issues fixed: - Added cfi information for start routines in order to stop unwinding on S390 (bsc#1128574). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1972-1 Released: Thu Jul 25 15:00:03 2019 Summary: Security update for libsolv, libzypp, zypper Type: security Severity: moderate References: 1109893,1110542,1111319,1112911,1113296,1120629,1120630,1120631,1127155,1131823,1134226,1137977,CVE-2018-20532,CVE-2018-20533,CVE-2018-20534 This update for libsolv, libzypp and zypper fixes the following issues: libsolv was updated to version 0.6.36 fixes the following issues: Security issues fixed: - CVE-2018-20532: Fixed a NULL pointer dereference in testcase_read() (bsc#1120629). - CVE-2018-20533: Fixed a NULL pointer dereference in testcase_str2dep_complex() (bsc#1120630). - CVE-2018-20534: Fixed a NULL pointer dereference in pool_whatprovides() (bsc#1120631). Non-security issues fixed: - Made cleandeps jobs on patterns work (bsc#1137977). - Fixed an issue multiversion packages that obsolete their own name (bsc#1127155). - Keep consistent package name if there are multiple alternatives (bsc#1131823). libzypp received following fixes: - Fixes a bug where locking the kernel was not possible (bsc#1113296) zypper received following fixes: - Fixes a bug where the wrong exit code was set when refreshing repos if --root was used (bsc#1134226) - Improved the displaying of locks (bsc#1112911) - Fixes an issue where `https` repository urls caused an error prompt to appear twice (bsc#1110542) - zypper will now always warn when no repositories are defined (bsc#1109893) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2013-1 Released: Mon Jul 29 15:42:41 2019 Summary: Security update for bzip2 Type: security Severity: important References: 1139083,CVE-2019-12900 This update for bzip2 fixes the following issues: - Fixed a regression with the fix for CVE-2019-12900, which caused incompatibilities with files that used many selectors (bsc#1139083). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2026-1 Released: Tue Jul 30 19:19:50 2019 Summary: Recommended update for Azure Python SDK Type: recommended Severity: moderate References: 1054413,1122523,979331 This update brings the following python modules for the Azure Python SDK: - python-Flask - python-Werkzeug - python-click - python-decorator - python-httpbin - python-idna - python-itsdangerous - python-py - python-pytest-httpbin - python-pytest-mock - python-requests