SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2019:8-1 Container Tags : suse/sle15:15.0 , suse/sle15:15.0.4.13.1 Container Release : 4.13.1 Severity : moderate Type : security References : 1044840 1063675 1088524 1112570 1114984 1114993 1116833 1118364 1119687 1120689 1121051 1123319 1125494 1126096 1126590 1128189 1128246 1129598 CVE-2018-20346 CVE-2019-1543 ----------------------------------------------------------------- The container suse/sle15 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:641-1 Released: Tue Mar 19 13:17:28 2019 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1112570,1114984,1114993 This update for glibc provides the following fixes: - Fix Haswell CPU string flags. (bsc#1114984) - Fix waiters-after-spinning case. (bsc#1114993) - Do not relocate absolute symbols. (bsc#1112570) - Add glibc-locale-base subpackage containing only C, C.UTF-8 and en_US.UTF-8 locales. (fate#326551) - Add HWCAP_ATOMICS to HWCAP_IMPORTANT (fate#325962) - Remove slow paths from math routines. (fate#325815, fate#325879, fate#325880, fate#325881, fate#325882) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:664-1 Released: Wed Mar 20 14:54:12 2019 Summary: Recommended update for gpgme Type: recommended Severity: low References: 1121051 This update for gpgme provides the following fix: - Re-generate keys in Qt tests to not expire. (bsc#1121051) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:678-1 Released: Thu Mar 21 10:40:31 2019 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1116833,1125494,1128189,CVE-2019-1543 This update for openssl-1_1 (OpenSSL Security Advisory [6 March 2019]) fixes the following issues: Security issue fixed: - CVE-2019-1543: Fixed an implementation error in ChaCha20-Poly1305 where it was allowed to set IV with more than 12 bytes (bsc#1128189). Other issues addressed: - Fixed a segfault in openssl speed when an unknown algorithm is passed (bsc#1125494). - Correctly skipped binary curves in openssl speed to avoid spitting errors (bsc#1116833). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:697-1 Released: Thu Mar 21 19:53:05 2019 Summary: Recommended update for libcap-ng Type: recommended Severity: moderate References: 1123319 This update for libcap-ng fixes the following issues: - bsc#1123319: run SPEC file through spec-cleaner ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:700-1 Released: Thu Mar 21 19:54:00 2019 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1044840 This update for cyrus-sasl provides the following fix: - Fix a problem that was causing syslog to be polluted with messages 'GSSAPI client step 1'. By server context the connection will be sent to the log function but the client content does not have log level information, so there is no way to stop DEBUG level logs. (bsc#1044840) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:713-1 Released: Fri Mar 22 15:55:05 2019 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1063675,1126590 This update for glibc fixes the following issues: - Add MAP_SYNC from Linux 4.15 (bsc#1126590) - Add MAP_SHARED_VALIDATE from Linux 4.15 (bsc#1126590) - nptl: Preserve error in setxid thread broadcast in coredumps (bsc#1063675, BZ #22153) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:732-1 Released: Mon Mar 25 14:10:04 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1088524,1118364,1128246 This update for aaa_base fixes the following issues: - Restore old position of ssh/sudo source of profile (bsc#1118364). - Update logic for JRE_HOME env variable (bsc#1128246) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:788-1 Released: Thu Mar 28 11:55:06 2019 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1119687,CVE-2018-20346 This update for sqlite3 to version 3.27.2 fixes the following issue: Security issue fixed: - CVE-2018-20346: Fixed a remote code execution vulnerability in FTS3 (Magellan) (bsc#1119687). Release notes: https://www.sqlite.org/releaselog/3_27_2.html ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:791-1 Released: Thu Mar 28 12:06:50 2019 Summary: Security update for libnettle Type: recommended Severity: moderate References: 1129598 This update for libnettle to version 3.4.1 fixes the following issues: Issues addressed and new features: - Updated to 3.4.1 (fate#327114 and bsc#1129598) - Fixed a missing break statements in the parsing of PEM input files in pkcs1-conv. - Fixed a link error on the pss-mgf1-test which was affecting builds without public key support. - All functions using RSA private keys are now side-channel silent. This applies both to the bignum calculations, which now use GMP's mpn_sec_* family of functions, and the processing of PKCS#1 padding needed for RSA decryption. - Changes in behavior: The functions rsa_decrypt and rsa_decrypt_tr may now clobber all of the provided message buffer, independent of the actual message length. They are side-channel silent, in that branches and memory accesses don't depend on the validity or length of the message. Side-channel leakage from the caller's use of length and return value may still provide an oracle useable for a Bleichenbacher-style chosen ciphertext attack. Which is why the new function rsa_sec_decrypt is recommended. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:858-1 Released: Wed Apr 3 15:50:37 2019 Summary: Recommended update for libtirpc Type: recommended Severity: moderate References: 1120689,1126096 This update for libtirpc fixes the following issues: - Fix a yp_bind_client_create_v3: RPC: Unknown host error (bsc#1126096). - add an option to enforce connection via protocol version 2 first (bsc#1120689). The following package changes have been done: - libtirpc-netconfig-1.0.2-3.8.1 updated - libnettle6-3.4.1-4.7.3 updated - libcap-ng0-0.7.9-3.3.1 updated - libtirpc3-1.0.2-3.8.1 updated - libgpgme11-1.10.0-4.3.4 updated - aaa_base-84.87+git20180409.04c9dae-3.6.1 updated - glibc-2.26-13.14.1 updated - libsqlite3-0-3.27.2-3.3.2 updated - libsasl2-3-2.1.26-5.3.1 updated - libopenssl1_1-1.1.0i-4.21.1 updated - libhogweed4-3.4.1-4.7.3 updated - openssl-1_1-1.1.0i-4.21.1 updated