SUSE Container Update Advisory: sles12/salt-master
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2019:572-1
Container Tags        : sles12/salt-master:2018.3.0 , sles12/salt-master:2018.3.0-4.9.24
Container Release     : 4.9.24
Severity              : important
Type                  : security
References            : 1073748 1092100 1099887 1109847 1111498 1112300 1114029 1114474
                        1115500 1116837 1117025 1117382 1117995 1120149 1120658 1121091
                        1121753 1122000 1122191 1122344 1122663 1123044 1123333 1123512
                        1123865 1123892 1125352 CVE-2018-1122 CVE-2018-1123 CVE-2018-1124
                        CVE-2018-1125 CVE-2018-1126 CVE-2018-14647 CVE-2019-5010 CVE-2019-6454
-----------------------------------------------------------------

The container sles12/salt-master was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:342-1
Released:    Wed Feb 13 11:04:32 2019
Summary:     Recommended update for Salt
Type:        recommended
Severity:    moderate
References:  1099887,1114029,1114474,1116837,1117995,1121091,1123044,1123512

This update fixes the following issues:

salt:

- Remove patch unable install salt minions on SLE 15 (bsc#1123512)
- Fix integration tests in state compiler (U#2068)
- Fix 'pkg.list_pkgs' output when using 'attr' to take the arch into account (bsc#1114029)
- Fix powerpc null server_id_arch (bsc#1117995)
- Fix module 'azure.storage' has no attribute '__version__'
  (bsc#1121091)
- Add supportconfig module and states for minions and SaltSSH
- Fix FIPS enabled RES clients (bsc#1099887)
- Add hold/unhold functions. Fix Debian repo 'signed-by'.
- Strip architecture from debian package names
- Fix latin1 encoding problems on file module (bsc#1116837)
- Don't error on retcode 0 in libcrypto.OPENSSL_init_crypto
- Handle anycast IPv6 addresses on network.routes (bsc#1114474)
- Debian info_installed compatibility (U#50453)
- Add compatibility with other package modules for 'list_repos'
  function
- Remove MSI Azure cloud module authentication patch (bsc#1123044)
- Don't encode response string from role API

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:428-1
Released:    Tue Feb 19 10:59:59 2019
Summary:     Security update for systemd
Type:        security
Severity:    important
References:  1111498,1117025,1117382,1120658,1122000,1122344,1123333,1123892,1125352,CVE-2019-6454
This update for systemd fixes the following issues:

Security vulnerability fixed:

- CVE-2019-6454: Fixed a crash of PID1 by sending specially crafted D-BUS
  message on the system bus by an unprivileged user (bsc#1125352)

Other bug fixes and changes:

- journal-remote: set a limit on the number of fields in a message
- journal-remote: verify entry length from header
- journald: set a limit on the number of fields (1k)
- journald: do not store the iovec entry for process commandline on stack
- core: include Found state in device dumps
- device: fix serialization and deserialization of DeviceFound
- fix path in btrfs rule (#6844)
- assemble multidevice btrfs volumes without external tools (#6607) (bsc#1117025)
- Update systemd-system.conf.xml (bsc#1122000)
- units: inform user that the default target is started after exiting from rescue or emergency mode
- manager: don't skip sigchld handler for main and control pid for services (#3738)
- core: Add helper functions unit_{main, control}_pid
- manager: Fixing a debug printf formatting mistake (#3640)
- manager: Only invoke a single sigchld per unit within a cleanup cycle (bsc#1117382)
- core: update invoke_sigchld_event() to handle NULL ->sigchld_event()
- sd-event: expose the event loop iteration counter via sd_event_get_iteration() (#3631)
- unit: rework a bit how we keep the service fdstore from being destroyed during service restart (bsc#1122344)
- core: when restarting services, don't close fds
- cryptsetup: Add dependency on loopback setup to generated units
- journal-gateway: use localStorage['cursor'] only when it has valid value
- journal-gateway: explicitly declare local variables
- analyze: actually select longest activated-time of services
- sd-bus: fix implicit downcast of bitfield reported by LGTM
- core: free lines after reading them (bsc#1123892)
- pam_systemd: reword message about not creating a session (bsc#1111498)
- pam_systemd: suppress LOG_DEBUG log messages if debugging is off (bsc#1111498)
- main: improve RLIMIT_NOFILE handling (#5795) (bsc#1120658)
- sd-bus: if we receive an invalid dbus message, ignore and proceeed
- automount: don't pass non-blocking pipe to kernel.
- units: make sure initrd-cleanup.service terminates before switching to rootfs (bsc#1123333)
- units: add Wants=initrd-cleanup.service to initrd-switch-root.target (#4345) (bsc#1123333)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:434-1
Released:    Tue Feb 19 12:19:02 2019
Summary:     Recommended update for libsemanage
Type:        recommended
Severity:    moderate
References:  1115500
This update for libsemanage provides the following fix:

- Prevent an error message when reading module version if the directory does not exist.
  (bsc#1115500)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:440-1
Released:    Tue Feb 19 18:52:51 2019
Summary:     Recommended update for dmidecode
Type:        recommended
Severity:    moderate
References:  1120149
This update for dmidecode fixes the following issues:

- Extensions to Memory Device (Type 17) (FATE#326831 bsc#1120149)
- Add 'Logical non-volatile device' to the memory device types (FATE#326831 bsc#1120149)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:450-1
Released:    Wed Feb 20 16:42:38 2019
Summary:     Security update for procps
Type:        security
Severity:    important
References:  1092100,1121753,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126

  
This update for procps fixes the following security issues:

- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top
  with HOME unset in an attacker-controlled directory, the attacker could have
  achieved privilege escalation by exploiting one of several vulnerabilities in
  the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow.
  Inbuilt protection in ps maped a guard page at the end of the overflowed
  buffer, ensuring that the impact of this flaw is limited to a crash (temporary
  denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap
  corruption in file2strvec function. This allowed a privilege escalation for a
  local attacker who can create entries in procfs by starting processes, which
  could result in crashes or arbitrary code execution in proc utilities run by
  other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was
  mitigated by FORTIFY limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent
  truncation/integer overflow issues (bsc#1092100).

(These issues were previously released for SUSE Linux Enterprise 12 SP3 and SP4.)

Also the following non-security issue was fixed:

- Fix CPU summary showing old data. (bsc#1121753)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:482-1
Released:    Mon Feb 25 11:57:46 2019
Summary:     Security update for python
Type:        security
Severity:    important
References:  1073748,1109847,1122191,CVE-2018-14647,CVE-2019-5010
This update for python fixes the following issues:

Security issues fixed:

- CVE-2019-5010: Fixed a denial-of-service vulnerability in the X509 certificate parser (bsc#1122191).
- CVE-2018-14647: Fixed a denial-of-service vulnerability in Expat (bsc#1109847).

Non-security issue fixed:

- Fixed a bug where PyWeakReference struct was not initialized correctly leading to a crash (bsc#1073748).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:514-1
Released:    Thu Feb 28 15:39:05 2019
Summary:     Recommended update for apparmor
Type:        recommended
Severity:    moderate
References:  1112300
This update for apparmor fixes the following issues:

- Fix erroneously generated audit records: include status* files in dnsmasq. (bsc#1112300)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:592-1
Released:    Tue Mar 12 14:05:28 2019
Summary:     Recommended update for Salt
Type:        recommended
Severity:    moderate
References:  1122663,1123865

This update fixes the following issues:

salt:

- Don't call zypper with more than one --no-refresh parameter
  (bsc#1123865)
- Include aliases in FQDNS grain
- Prevents error when there is no job entry in filesystem cache
  due to race condition in minion onboarding (bsc#1122663)