SUSE Container Update Advisory: sles12/salt-master
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2019:583-1
Container Tags        : sles12/salt-master:2018.3.0 , sles12/salt-master:2018.3.0-4.9.97
Container Release     : 4.9.97
Severity              : important
Type                  : security
References            : 1005063 1030472 1030476 1033084 1033085 1033087 1033088 1033089
                        1033090 1102819 1106390 1107067 1110797 1111973 1112723 1112726
                        1119296 1121439 1122680 1123685 1125007 1125015 1125815 1128061
                        1128383 1128481 1129079 1129346 1130784 1130847 1132174 1132323
                        1133418 1135261 1135709 1136570 1136976 1139130 1139363 1140255
                        954600 CVE-2016-10254 CVE-2016-10255 CVE-2016-10745 CVE-2017-7607
                        CVE-2017-7608 CVE-2017-7610 CVE-2017-7611 CVE-2017-7612
                        CVE-2017-7613 CVE-2018-16062 CVE-2018-16403 CVE-2018-18310
                        CVE-2018-18520 CVE-2018-18521 CVE-2019-10906 CVE-2019-13132
                        CVE-2019-3860 CVE-2019-7150 CVE-2019-7665 CVE-2019-8341
                        CVE-2019-8457 CVE-2019-9636 CVE-2019-9948
-----------------------------------------------------------------
The container sles12/salt-master was updated.
The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1431-1
Released:    Wed Jun 5 16:50:13 2019
Summary:     Recommended update for xz
Type:        recommended
Severity:    moderate
References:  1135709

This update for xz only changes the license information:

- Add the SUSE-Public-Domain license, as some parts of xz utils (liblzma, xz, xzdec, lzmadec, documentation, translated messages, tests, debug, extra directory) are in the public domain (bsc#1135709)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1439-1
Released:    Thu Jun 6 17:50:33 2019
Summary:     Security update for python
Type:        security
Severity:    important
References:  1129346,1130847,CVE-2019-9636,CVE-2019-9948

This update for python fixes the following issues:

Security issues fixed:

- CVE-2019-9948: Fixed a bypass of the 'file:' scheme blacklist in urllib: the equivalent 'local_file:' scheme was not blocked (bsc#1130847).
- CVE-2019-9636: Fixed an information disclosure caused by urlsplit() not accounting for NFKC normalization of Unicode characters in the host part of a URL (bsc#1129346).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1474-1
Released:    Wed Jun 12 14:46:20 2019
Summary:     Recommended update for permissions
Type:        recommended
Severity:    moderate
References:  1110797

This update for permissions fixes the following issues:

- Updated permissions for amanda (bsc#1110797)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1481-1
Released:    Thu Jun 13 07:46:01 2019
Summary:     Recommended update for sg3_utils
Type:        recommended
Severity:    moderate
References:  1005063,1119296,1133418,954600

This update for sg3_utils provides the following fixes:

- Fix regression for page 0xa. (bsc#1119296)
- Add pre/post scripts for lunmask.service. (bsc#954600)
- Generate by-path links for Fibre Channel devices. (bsc#1005063)
- Fix a syntax error in rule 59-fc-wwpn-id.rules.
  (bsc#1133418)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1554-1
Released:    Tue Jun 18 18:30:08 2019
Summary:     Security update for python-Jinja2
Type:        security
Severity:    important
References:  1125815,1132174,1132323,CVE-2016-10745,CVE-2019-10906,CVE-2019-8341

This update for python-Jinja2 fixes the following issues:

Security issues fixed:

- CVE-2016-10745: Fixed a sandbox escape caused by an information disclosure via str.format (bsc#1132174).
- CVE-2019-10906: Fixed a sandbox escape caused by an information disclosure via str.format_map (bsc#1132323).
- CVE-2019-8341: Fixed command injection in the from_string function (bsc#1125815).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1601-1
Released:    Fri Jun 21 10:21:39 2019
Summary:     Security update for sqlite3
Type:        security
Severity:    important
References:  1136976,CVE-2019-8457

This update for sqlite3 fixes the following issues:

Security issue fixed:

- CVE-2019-8457: Fixed a heap out-of-bounds read in rtreenode() when handling invalid rtree tables (bsc#1136976).
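The two python fixes above are the same lesson from two directions: urllib's scheme filter was a blocklist that an unlisted alias ('local_file:') walked past, and urlsplit() checked a hostname that NFKC normalization later changed. The following is an added example, not code from the advisory or from CPython, showing the checks an application that accepts URLs should make itself; ALLOWED_SCHEMES, the allowed-host set and the sample URLs are assumptions for the demonstration. On a fixed interpreter urlsplit() already raises for the NFKC case, so the explicit check is belt and braces there and the real protection on an unfixed one.

```python
# Added example (not part of the SUSE advisory or of CPython): the two checks
# an application should make on a user-supplied URL before passing it to
# urllib, written against the two python issues fixed above.
#   CVE-2019-9948: urllib's blocked-scheme list could be bypassed with the
#   'local_file:' scheme, so filter schemes with an allowlist, not a blocklist.
#   CVE-2019-9636: urlsplit() ignored NFKC normalization of the netloc, so a
#   hostname check on the raw URL could pass while the normalized URL goes
#   elsewhere (e.g. U+FF03 FULLWIDTH NUMBER SIGN normalizes to '#').
import unicodedata
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # assumption: all this application may fetch
NETLOC_DELIMITERS = "/?#@:"


def check_netloc_nfkc(netloc):
    """Reject a netloc whose NFKC form introduces a URL delimiter.

    Mirrors the check CPython added for CVE-2019-9636; on a fixed interpreter
    urlsplit() itself already raises ValueError for such input.
    """
    if not netloc or all(ord(c) < 128 for c in netloc):
        return
    stripped = netloc
    for c in "@:#?":            # delimiters already present are legitimate
        stripped = stripped.replace(c, "")
    normalized = unicodedata.normalize("NFKC", stripped)
    if normalized == stripped:
        return
    for c in NETLOC_DELIMITERS:
        if c in normalized:
            raise ValueError(
                f"netloc {netloc!r} contains {c!r} under NFKC normalization")


def check_url(url, allowed_hosts):
    """Return the hostname if url passes the scheme, NFKC and host checks."""
    parts = urlsplit(url)       # raises ValueError itself on fixed Pythons
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:       # allowlist: 'file', 'local_file',
        raise ValueError(f"scheme {scheme!r} not allowed")   # 'ftp', ... all fail
    check_netloc_nfkc(parts.netloc)
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        raise ValueError(f"host {host!r} not allowed")
    return host


def is_safe_url(url, allowed_hosts):
    """Boolean wrapper around check_url() for callers that only need yes/no."""
    try:
        check_url(url, allowed_hosts)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # constructed sample URLs
    hosts = {"api.example.com"}
    for u in ("https://api.example.com/v1/status",
              "file:///etc/passwd",
              "local_file:///etc/passwd",
              "https://internal.example.com\uff03@api.example.com/"):
        print(f"{u!r:58} -> {'ok' if is_safe_url(u, hosts) else 'REJECTED'}")
```

The last sample is the CVE-2019-9636 shape: parsed raw, its hostname is api.example.com and passes the host check, but after NFKC the fullwidth '#' becomes a real fragment delimiter and the request goes to internal.example.com.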
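Why str.format inside a template sandbox is an escape, and the shape of the Jinja2 fix (the sandbox stops delegating to str.format and resolves each replacement field itself, applying its attribute policy at every step; in Jinja2 the fixed formatter builds on markupsafe's EscapeFormatter, which is why the python-MarkupSafe update later in this advisory is pulled in alongside). The block below is an added example, not code from python-Jinja2 or MarkupSafe: Config, MODULE_SECRET and the underscore-only attribute policy are assumptions chosen for the demonstration.

```python
# Added example, not code from the python-Jinja2 project: why an attacker-
# controlled format string is a sandbox escape, and the shape of the fix.
# CVE-2016-10745 and CVE-2019-10906 are this bug inside Jinja2's sandbox:
# str.format() resolves '{0.__class__}' style fields itself, bypassing the
# attribute checks the sandbox applies to template expressions.
import re
import string

MODULE_SECRET = "constructed-secret-value"   # stands in for anything in module globals


class Config:
    """Constructed stand-in for an object a template is allowed to see."""

    def __init__(self):
        self.name = "salt-master"


def format_unsafe(template, *args, **kwargs):
    """What a sandbox must never do: hand an untrusted template to str.format."""
    return template.format(*args, **kwargs)


_ACCESSOR = re.compile(r"\.(\w+)|\[([^\]]*)\]")   # one '.attr' or '[key]' step


class SandboxedFormatter(string.Formatter):
    """Resolve replacement fields ourselves so every step can be policed.

    Policy (assumption, modelled on Jinja2's is_safe_attribute): no attribute
    whose name starts with an underscore, so __class__, __init__, __globals__
    and friends are unreachable from a template.
    """

    def get_field(self, field_name, args, kwargs):
        head = re.match(r"\w*", field_name).group(0)      # '0' or 'name'
        obj = self.get_value(int(head) if head.isdigit() else head, args, kwargs)
        for attr, key in _ACCESSOR.findall(field_name[len(head):]):
            if attr:
                if attr.startswith("_"):
                    raise ValueError(f"access to {attr!r} is not allowed")
                obj = getattr(obj, attr)
            else:
                obj = obj[int(key) if key.isdigit() else key]
        return obj, head


def format_sandboxed(template, *args, **kwargs):
    return SandboxedFormatter().format(template, *args, **kwargs)


def is_blocked(template, *args, **kwargs):
    """True if the sandboxed formatter refuses the template."""
    try:
        format_sandboxed(template, *args, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    cfg = Config()
    leak = "{0.__init__.__globals__[MODULE_SECRET]}"   # constructed attacker template
    print("unsafe   :", format_unsafe(leak, cfg))       # prints the module secret
    print("sandboxed:", "blocked" if is_blocked(leak, cfg) else format_sandboxed(leak, cfg))
    print("benign   :", format_sandboxed("{0.name} v{1}", cfg, "2019.2.0"))
```

The leak template never touches anything the sandbox would let a template expression reach: a bound method's __globals__ is the whole module namespace, which is why str.format on attacker input is a full information disclosure and not merely an attribute read.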
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1713-1
Released:    Wed Jun 26 14:04:14 2019
Summary:     Recommended update for Salt
Type:        recommended
Severity:    moderate
References:  1102819,1121439,1122680,1125015,1128061,1129079,1130784

This update includes the following new features:

- Update to the 2019.2.0 release (fate#327138, bsc#1133523).
  See https://docs.saltstack.com/en/latest/topics/releases/2019.2.0.html

This update fixes the following issues:

salt:

- Fix async-batch to fire a single done event
- Do not let the Salt CLI crash when there are established IPv6 connections (bsc#1130784)
- Include aliases in the FQDNS grain (bsc#1121439)
- Fix an issue preventing the syndic from starting
- Update the year in the spec file copyright notice
- Use ThreadPool from multiprocessing.pool to avoid leaks when calculating FQDNs
- Do not report patches as installed on RHEL systems when not all of the related packages are installed (bsc#1128061)
- Incorporate virt.volume_info fixes (PR#131)
- Fix the -t parameter in the mount module
- No longer limit the Python 3 version to <3.7
- Add virt.volume_infos and virt.volume_delete functions
- Bugfix: properly refresh pillars (bsc#1125015)
- Remove the version constraint from the python3 requirement completely
- Add the missing version update to %setup
- Add virt.all_capabilities to return all host and domain capabilities at once
- Switch to a more correct version nomenclature. Background: the tilde (~) becomes available in version strings to represent a negative version token.
- Fix setup to use the right version tag
- Add 'id_' and 'force' to the whitelist of the API check
- Add metadata to accepted keyword arguments (bsc#1122680)
- Add the salt-support script to the package
- Early feature: Salt support-config (salt-support)
- More fixes on the spec file
- Fix spaces and indentation
- Use the Adler32 algorithm to compute string checksums (bsc#1102819)
- Update spec file patch ordering after the MSI patch removal
- Calculate the 'FQDNs' grains in parallel to avoid long blocking (bsc#1129079)
- Fix batch/batch-async related issues
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1733-1
Released:    Wed Jul 3 13:54:39 2019
Summary:     Security update for elfutils
Type:        security
Severity:    low
References:  1030472,1030476,1033084,1033085,1033087,1033088,1033089,1033090,1106390,1107067,1111973,1112723,1112726,1123685,1125007,CVE-2016-10254,CVE-2016-10255,CVE-2017-7607,CVE-2017-7608,CVE-2017-7610,CVE-2017-7611,CVE-2017-7612,CVE-2017-7613,CVE-2018-16062,CVE-2018-16403,CVE-2018-18310,CVE-2018-18520,CVE-2018-18521,CVE-2019-7150,CVE-2019-7665

This update for elfutils fixes the following issues:

Security issues fixed:

- CVE-2018-16403: Fixed a heap-based buffer over-read that could have led to denial of service (bsc#1107067).
- CVE-2016-10254: Fixed a memory allocation failure in allocate_elf (bsc#1030472).
- CVE-2019-7665: The NT_PLATFORM core file note must be a zero-terminated string (bsc#1125007).
- CVE-2016-10255: Fixed a memory allocation failure in libelf_set_rawdata_wrlock (bsc#1030476).
- CVE-2019-7150: Added a missing size check in dwfl_segment_report_module so that a truncated file is no longer read past its end (bsc#1123685).
- CVE-2018-16062: Fixed a heap buffer overflow (bsc#1106390).
- CVE-2017-7611: Fixed a heap-based buffer over-read that could have led to denial of service (bsc#1033088).
- CVE-2017-7613: Fixed a denial of service caused by missing validation of the number of sections and the number of segments in a crafted ELF file (bsc#1033090).
- CVE-2017-7607: Fixed a heap-based buffer over-read in handle_gnu_hash (bsc#1033084).
- CVE-2017-7608: Fixed a heap-based buffer over-read in ebl_object_note_type_name() (bsc#1033085).
- CVE-2017-7610: Fixed a heap-based buffer over-read in check_group (bsc#1033087).
- CVE-2018-18521: Fixed multiple divide-by-zero vulnerabilities in arlib_add_symbols() (bsc#1112723).
- CVE-2017-7612: Fixed a denial of service in check_sysv_hash() via a crafted ELF file (bsc#1033089).
- CVE-2018-18310: Fixed an invalid address read in dwfl_segment_report_module.c (bsc#1111973).
- CVE-2018-18520: Fixed bad handling of ar archives nested inside ar archives (bsc#1112726).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1761-1
Released:    Fri Jul 5 14:10:34 2019
Summary:     Recommended update for e2fsprogs
Type:        recommended
Severity:    moderate
References:  1128383,1135261

This update for e2fsprogs fixes the following issues:

- Revert 'mke2fs: prevent creation of unmountable ext4 with large flex_bg count'. (bsc#1135261)
- Place metadata blocks in the last flex_bg so they are contiguous. (bsc#1135261)
- Check and fix the tails of all bitmaps. (bsc#1128383)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1785-1
Released:    Tue Jul 9 10:03:15 2019
Summary:     Security update for zeromq
Type:        security
Severity:    important
References:  1140255,CVE-2019-13132

This update for zeromq fixes the following issues:

- CVE-2019-13132: An unauthenticated remote attacker could exploit a stack overflow on a server that is supposed to be protected by encryption and authentication, potentially gaining remote code execution.
  (bsc#1140255)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1805-1
Released:    Wed Jul 10 11:13:54 2019
Summary:     Recommended update for python-MarkupSafe
Type:        recommended
Severity:    moderate
References:  1139130,1139363

This update for python-MarkupSafe fixes the following issues:

- python-MarkupSafe was updated to 0.23 (bsc#1139130 bsc#1139363)
  * The update provides the missing EscapeFormatter class
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1606-1
Released:    Wed Aug 21 13:36:49 2019
Summary:     Security update for libssh2_org
Type:        security
Severity:    moderate
References:  1128481,1136570,CVE-2019-3860

This update for libssh2_org fixes the following issues:

- Correct the earlier, incomplete fix for CVE-2019-3860, out-of-bounds reads with specially crafted SFTP packets (bsc#1136570, bsc#1128481)
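Most of the elfutils items in this advisory (missing validation of the section and segment counts in CVE-2017-7613, reads past the end of truncated files in CVE-2019-7150 and CVE-2018-18310, the heap over-reads in the readelf helpers) are one class of bug: a count or offset is taken from the file and used before it is checked against the file's size. The block below is an added example, not code from elfutils, showing those checks for the ELF64 header and section table; it handles only little-endian ELF64 (an assumption to keep it short), and build_elf64, with_shnum and with_section_size construct the sample images and the attack inputs inline.

```python
# Added example, not code from elfutils: the bounds checks a reader of ELF
# headers needs before it trusts e_phnum/e_shnum and the table offsets.
# Only little-endian ELF64 is handled here (assumption).  Extended section
# numbering (e_shnum == 0 with the real count in section 0) is not handled.
import struct

ELF64_EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # 64-byte file header
ELF64_SHDR = struct.Struct("<IIQQQQIIQQ")         # 64-byte section header
PHDR_SIZE = 56                                    # ELF64 program header
SHT_NOBITS = 8                                    # section with no file contents
E_SHNUM_OFFSET = 60                               # byte offset of e_shnum in the header


def build_elf64(phnum, shnum):
    """Construct a minimal, well-formed ELF64 image with zeroed tables."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)    # class 64, little-endian, v1
    phoff = ELF64_EHDR.size if phnum else 0
    shoff = ELF64_EHDR.size + phnum * PHDR_SIZE if shnum else 0
    ehdr = ELF64_EHDR.pack(ident, 2, 62, 1, 0, phoff, shoff, 0,
                           ELF64_EHDR.size, PHDR_SIZE, phnum,
                           ELF64_SHDR.size, shnum, 0)
    return ehdr + bytes(phnum * PHDR_SIZE + shnum * ELF64_SHDR.size)


def with_shnum(data, shnum):
    """Constructed attack input: keep the file, lie about the section count."""
    return data[:E_SHNUM_OFFSET] + struct.pack("<H", shnum) + data[E_SHNUM_OFFSET + 2:]


def with_section_size(data, index, sh_size):
    """Constructed attack input: claim section `index` is sh_size bytes long."""
    shoff = ELF64_EHDR.unpack_from(data)[6]
    pos = shoff + index * ELF64_SHDR.size + 32          # sh_size field offset
    return data[:pos] + struct.pack("<Q", sh_size) + data[pos + 8:]


def validate_elf64(data):
    """Return a list of problems; an empty list means the tables are in bounds."""
    problems = []
    size = len(data)
    if size < ELF64_EHDR.size:
        return [f"file is {size} bytes, shorter than the ELF64 header"]
    (ident, _, _, _, _, phoff, shoff, _, _, phentsize, phnum,
     shentsize, shnum, shstrndx) = ELF64_EHDR.unpack_from(data)
    if ident[:4] != b"\x7fELF":
        problems.append("bad ELF magic")
    if ident[4] != 2 or ident[5] != 1:
        problems.append("not little-endian ELF64 (the only class handled here)")
    # Python ints do not overflow; in C, check for overflow or compare against
    # the remaining size rather than trusting offset + count * entsize.
    if phnum:
        if phentsize != PHDR_SIZE:
            problems.append(f"e_phentsize {phentsize} != {PHDR_SIZE}")
        elif phoff + phnum * phentsize > size:
            problems.append(f"program header table ({phnum} entries at {phoff}) runs past EOF")
    if shnum:
        if shentsize != ELF64_SHDR.size:
            problems.append(f"e_shentsize {shentsize} != {ELF64_SHDR.size}")
        elif shoff + shnum * shentsize > size:
            problems.append(f"section header table ({shnum} entries at {shoff}) runs past EOF")
        if shstrndx and shstrndx >= shnum:
            problems.append(f"e_shstrndx {shstrndx} >= e_shnum {shnum}")
    return problems


def section_headers(data):
    """Parse the section header table, but only after validate_elf64() passes.

    Each non-NOBITS section's contents must also lie inside the file.
    """
    problems = validate_elf64(data)
    if problems:
        raise ValueError("; ".join(problems))
    hdr = ELF64_EHDR.unpack_from(data)
    shoff, shentsize, shnum = hdr[6], hdr[11], hdr[12]
    sections = []
    for i in range(shnum):
        name, sh_type, _, _, offset, sh_size, _, _, _, _ = \
            ELF64_SHDR.unpack_from(data, shoff + i * shentsize)
        if sh_type != SHT_NOBITS and offset + sh_size > len(data):
            raise ValueError(f"section {i} ({sh_size} bytes at {offset}) runs past EOF")
        sections.append((name, sh_type, offset, sh_size))
    return sections


if __name__ == "__main__":
    good = build_elf64(phnum=2, shnum=3)
    print("well-formed :", validate_elf64(good) or "ok", len(section_headers(good)), "sections")
    print("truncated   :", validate_elf64(good[:-1]))
    print("e_shnum lie :", validate_elf64(with_shnum(good, 0xFFFF)))
```

The order matters: the header is validated before the section table is read, and each section header is validated before anything dereferences its sh_offset, which is exactly the check the truncated-file CVEs above were missing.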
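A container advisory of this shape carries one reference list in its header and one per included patch, and the header is what most scanners read. A practitioner can cross-check the two before trusting the header. The block below is an added example and not a SUSE tool: it parses the layout used above, records which included advisory covers each CVE and bug number, and reports header references that no included patch mentions. SAMPLE is a constructed, trimmed-down excerpt of this advisory; its zeromq patch has deliberately been left out so the check has something to find.

```python
# Added example, not a SUSE tool: cross-check the header reference list of a
# SUSE container advisory against the patches it says it includes.
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
BUG_RE = re.compile(r"(?<![\w:.-])\d{6,7}(?![\w.-])")     # bsc# / plain bug numbers
ADVISORY_RE = re.compile(r"^Advisory ID:\s*(\S+)", re.MULTILINE)

# Constructed excerpt in the advisory's own layout; the zeromq patch
# (CVE-2019-13132, bsc#1140255) is intentionally missing.
SAMPLE = """\
SUSE Container Update Advisory: sles12/salt-master
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2019:583-1
Container Tags        : sles12/salt-master:2018.3.0
Severity              : important
Type                  : security
References            : 1129346 1130847 1136976 1140255
                        CVE-2019-13132 CVE-2019-8457 CVE-2019-9636 CVE-2019-9948
-----------------------------------------------------------------
The container sles12/salt-master was updated.

The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1439-1
Released:    Thu Jun 6 17:50:33 2019
Summary:     Security update for python
Type:        security
Severity:    important
References:  1129346,1130847,CVE-2019-9636,CVE-2019-9948

- CVE-2019-9948: Fixed a 'file:' blacklist bypass in urllib (bsc#1130847).
- CVE-2019-9636: Fixed incorrect handling of NFKC normalization (bsc#1129346).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1601-1
Released:    Fri Jun 21 10:21:39 2019
Summary:     Security update for sqlite3
Type:        security
Severity:    important
References:  1136976,CVE-2019-8457

- CVE-2019-8457: Fixed a heap out-of-bounds read in rtreenode() (bsc#1136976).
"""


def split_advisory(text):
    """Return (container header, [(advisory id, patch text), ...])."""
    hits = list(ADVISORY_RE.finditer(text))
    header = text[:hits[0].start()] if hits else text
    patches = []
    for n, hit in enumerate(hits):
        end = hits[n + 1].start() if n + 1 < len(hits) else len(text)
        patches.append((hit.group(1), text[hit.start():end]))
    return header, patches


def references(segment):
    """Every CVE id and bug number mentioned anywhere in a segment."""
    return set(CVE_RE.findall(segment)) | set(BUG_RE.findall(segment))


def cross_check(text):
    """Map each reference to the included advisories that mention it, and list
    header references that none of them cover."""
    header, patches = split_advisory(text)
    covered_by = {}
    for advisory_id, body in patches:
        for ref in references(body):
            covered_by.setdefault(ref, set()).add(advisory_id)
    missing = sorted(ref for ref in references(header) if ref not in covered_by)
    return {"covered_by": covered_by, "missing": missing}


if __name__ == "__main__":
    result = cross_check(SAMPLE)
    for ref, ids in sorted(result["covered_by"].items()):
        print(f"{ref:15} covered by {', '.join(sorted(ids))}")
    print("header references with no included patch:", result["missing"])
```

Run against the full advisory above, the expected result is an empty missing list; a non-empty one means either a patch was dropped from the container build or the header over-claims, and both are worth a question before the image is promoted.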