SUSE Container Update Advisory: sles12/velum
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2019:612-1
Container Tags        : sles12/velum:0.0 , sles12/velum:0.0-3.42.3
Container Release     : 3.42.3
Severity              : important
Type                  : security
References            : 1092100 1111498 1112300 1114832 1115500 1117025
                        1117339 1117382 1120658 1121145 1121162 1121165
                        1121166 1121753 1122000 1122344 1123333 1123892
                        1125352 1126208 CVE-2018-1000539 CVE-2018-1122
                        CVE-2018-1123 CVE-2018-1124 CVE-2018-1125
                        CVE-2018-1126 CVE-2019-6454
-----------------------------------------------------------------

The container sles12/velum was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:428-1
Released:    Tue Feb 19 10:59:59 2019
Summary:     Security update for systemd
Type:        security
Severity:    important
References:  1111498,1117025,1117382,1120658,1122000,1122344,1123333,1123892,1125352,CVE-2019-6454

This update for systemd fixes the following issues:

Security vulnerability fixed:

- CVE-2019-6454: Fixed a crash of PID 1 caused by an unprivileged user sending a specially crafted D-Bus message on the system bus (bsc#1125352)

Other bug fixes and changes:

- journal-remote: set a limit on the number of fields in a message
- journal-remote: verify entry length from header
- journald: set a limit on the number of fields (1k)
- journald: do not store the iovec entry for process commandline on stack
- core: include Found state in device dumps
- device: fix serialization and deserialization of DeviceFound
- fix path in btrfs rule (#6844)
- assemble multidevice btrfs volumes without external tools (#6607) (bsc#1117025)
- Update systemd-system.conf.xml (bsc#1122000)
- units: inform user that the default target is started after exiting from rescue or emergency mode
- manager: don't skip sigchld handler for main and control pid for services (#3738)
- core: Add helper functions unit_{main, control}_pid
- manager: Fixing a debug printf formatting mistake (#3640)
- manager: Only invoke a single sigchld per unit within a cleanup cycle (bsc#1117382)
- core: update invoke_sigchld_event() to handle NULL ->sigchld_event()
- sd-event: expose the event loop iteration counter via sd_event_get_iteration() (#3631)
- unit: rework a bit how we keep the service fdstore from being destroyed during service restart (bsc#1122344)
- core: when restarting services, don't close fds
- cryptsetup: Add dependency on loopback setup to generated units
- journal-gateway: use localStorage['cursor'] only when it has valid value
- journal-gateway: explicitly declare local variables
- analyze: actually select longest activated-time of services
- sd-bus: fix implicit downcast of bitfield reported by LGTM
- core: free lines after reading them (bsc#1123892)
- pam_systemd: reword message about not creating a session (bsc#1111498)
- pam_systemd: suppress LOG_DEBUG log messages if debugging is off (bsc#1111498)
- main: improve RLIMIT_NOFILE handling (#5795) (bsc#1120658)
- sd-bus: if we receive an invalid dbus message, ignore and proceed
- automount: don't pass non-blocking pipe to kernel.
- units: make sure initrd-cleanup.service terminates before switching to rootfs (bsc#1123333)
- units: add Wants=initrd-cleanup.service to initrd-switch-root.target (#4345) (bsc#1123333)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:434-1
Released:    Tue Feb 19 12:19:02 2019
Summary:     Recommended update for libsemanage
Type:        recommended
Severity:    moderate
References:  1115500

This update for libsemanage provides the following fix:

- Prevent an error message when reading the module version if the directory does not exist. (bsc#1115500)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:450-1
Released:    Wed Feb 20 16:42:38 2019
Summary:     Security update for procps
Type:        security
Severity:    important
References:  1092100,1121753,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126

This update for procps fixes the following security issues:

- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps mapped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in the file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY, limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100).

(These issues were previously released for SUSE Linux Enterprise 12 SP3 and SP4.)

Also the following non-security issue was fixed:

- Fix CPU summary showing old data. (bsc#1121753)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:514-1
Released:    Thu Feb 28 15:39:05 2019
Summary:     Recommended update for apparmor
Type:        recommended
Severity:    moderate
References:  1112300

This update for apparmor fixes the following issues:

- Fix erroneously generated audit records: include status* files in dnsmasq. (bsc#1112300)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:537-1
Released:    Fri Mar 1 19:24:02 2019
Summary:     Security update for caasp-container-manifests, changelog-generator-data-sles12sp3-velum, kubernetes-salt, rubygem-aes_key_wrap, rubygem-json-jwt, sles12sp3-velum-image, velum
Type:        security
Severity:    important
References:  1121145,1121162,1121165,1121166,CVE-2018-1000539

This update for caasp-container-manifests, changelog-generator-data-sles12sp3-velum, kubernetes-salt, rubygem-aes_key_wrap, rubygem-json-jwt, sles12sp3-velum-image, velum provides the following fixes:

Security issue fixed in rubygem-json-jwt and velum:

- CVE-2018-1000539: Fixed an improper verification of cryptographic signatures during the decryption of JSON Web Tokens encrypted with AES-GCM, which could allow a forged authentication tag to be accepted. (bsc#1099243, bsc#1121166)

caasp-container-manifests:

- Disable the kubelet servers on the admin node. The admin node is not part of a k8s cluster, so enabling the endpoints for interaction by the user/api-server is not needed. Instead (only on the admin node) all endpoints (healthz and server) that are usually exposed by the kubelet are disabled. (bsc#1121145)

kubernetes-salt:

- haproxy: Block requests to the /internal-api endpoint. The internal API endpoints expose sensitive data and thus should not be reachable from the internet. This internal API was developed inside the velum project, and haproxy was allowing requests to that endpoint. Velum listens on 0.0.0.0, so that specific path needs to be blocked. With this change any request to a path that starts with /internal-api is blocked. (bsc#1121162)

velum:

- Changed the kubeconfig download from a GET to a POST request. The kubeconfig download request was previously done via a GET request, and the file content could be easily modified through URL parameters. Changing from the GET to the POST method takes advantage of CSRF protection. (bsc#1121165)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:576-1
Released:    Fri Mar 8 16:07:12 2019
Summary:     Recommended update for kubernetes-salt, velum
Type:        recommended
Severity:    important
References:  1114832,1117339,1126208

This update for kubernetes-salt and velum provides the following fixes:

- Do not block updates on minions (bsc#1126208)
- Make the nodename appear first in the /etc/hosts file, because Salt picks only that one (bsc#1117339)
- Supportconfig consumes a lot of resources (bsc#1114832)
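The rubygem-json-jwt fix in SUSE-SU-2019:537-1 above concerns the authentication tag of AES-GCM-encrypted JSON Web Tokens. The following Ruby example is added here and is not json-jwt or Velum code: it shows JWE-style AES-256-GCM decryption that lets OpenSSL verify the tag over the protected header, IV and ciphertext before any plaintext is returned, so a forged tag, a truncated tag or an altered part yields nil. Function names, the sample header and the bit-flipping helper are constructed for illustration.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Constructed example, not json-jwt or Velum code: JWE-style AES-256-GCM with
# the base64url protected header as AAD, so the tag covers header, IV and
# ciphertext and plaintext is released only after OpenSSL verifies the tag.
def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def b64url_decode(str)
  Base64.urlsafe_decode64(str)
end

# Encrypts plaintext under the content-encryption key (cek, 32 bytes) and
# returns the JWE parts: protected header, IV, ciphertext and tag.
def gcm_encrypt(cek, header, plaintext)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = cek
  iv = cipher.random_iv                      # fresh 96-bit nonce per message
  protected_header = b64url(JSON.generate(header))
  cipher.auth_data = protected_header        # JWE binds the header as AAD
  ciphertext = cipher.update(plaintext) + cipher.final
  { 'protected' => protected_header, 'iv' => b64url(iv),
    'ciphertext' => b64url(ciphertext), 'tag' => b64url(cipher.auth_tag) }
end

# Returns the plaintext, or nil when the tag does not verify over the
# header, IV and ciphertext (or the tag is not the full 128 bits).
def gcm_decrypt(cek, jwe)
  tag = b64url_decode(jwe['tag'])
  return nil unless tag.bytesize == 16       # refuse truncated tags
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = cek
  cipher.iv = b64url_decode(jwe['iv'])
  cipher.auth_tag = tag                      # must be set before #final
  cipher.auth_data = jwe['protected']
  cipher.update(b64url_decode(jwe['ciphertext'])) + cipher.final
rescue OpenSSL::Cipher::CipherError, ArgumentError
  nil                                        # forged or damaged token
end

# Flips one bit of a base64url-encoded part, simulating tampering in transit.
def flip_bit(b64)
  raw = b64url_decode(b64)
  raw.setbyte(0, raw.getbyte(0) ^ 0x01)
  b64url(raw)
end
```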