SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2019:27-1
Container Tags        : suse/sle15:15.0 , suse/sle15:15.0.4.22.76
Container Release     : 4.22.76
Severity              : moderate
Type                  : security
References            : 1073313 1081947 1082293 1085196 1106214 1111388 1112438 1114845
                        1121197 1122417 1125689 1125886 1133773 1134616 1135534 1135708
                        1143055 1143194 1143273 1146182 1146184 1146866 1150003 1150137
                        1150250 353876 CVE-2017-17740 CVE-2019-13057 CVE-2019-13565 CVE-2019-1547
                        CVE-2019-1563 CVE-2019-16168 CVE-2019-9511 CVE-2019-9513 SLE-9132
-----------------------------------------------------------------

The container suse/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2392-1
Released:    Tue Sep 17 15:46:35 2019
Summary:     Security update for util-linux and shadow
Type:        security
Severity:    moderate
References:  1081947,1082293,1085196,1106214,1121197,1122417,1125886,1135534,1135708,353876
This update for util-linux and shadow fixes the following issues:

util-linux:

- Fixed an issue where PATH settings in /etc/default/su being ignored (bsc#1121197)
- Prevent outdated pam files (bsc#1082293).
- Do not trim read-only volumes (bsc#1106214).
- Integrate pam_keyinit pam module to login (bsc#1081947).
- Perform one-time reset of /etc/default/su (bsc#1121197).
- Fix problems in reading of login.defs values (bsc#1121197)
- libmount: To prevent incorrect behavior, recognize more pseudofs and netfs (bsc#1122417).
- raw.service: Add RemainAfterExit=yes (bsc#1135534).
- agetty: Return previous response of agetty for special characters (bsc#1085196, bsc#1125886)
- Fix /etc/default/su comments and create /etc/default/runuser (bsc#1121197).

shadow:

- Fixed an issue where PATH settings in /etc/default/su being ignored (bsc#1121197)
- Hardening for su wrappers (bsc#353876)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2395-1
Released:    Wed Sep 18 08:31:38 2019
Summary:     Security update for openldap2
Type:        security
Severity:    moderate
References:  1073313,1111388,1114845,1143194,1143273,CVE-2017-17740,CVE-2019-13057,CVE-2019-13565
This update for openldap2 fixes the following issues:

Security issue fixed:

- CVE-2019-13565: Fixed an authentication bypass when using SASL authentication and session encryption (bsc#1143194).
- CVE-2019-13057: Fixed an issue with delegated database admin privileges (bsc#1143273).
- CVE-2017-17740: When both the nops module and the member of overlay
  are enabled, attempts to free a buffer that was allocated on the stack,
  which allows remote attackers to cause a denial of service (slapd crash)
  via a member MODDN operation. (bsc#1073313)

Non-security issues fixed:

- Fixed broken shebang line in openldap_update_modules_path.sh (bsc#1114845).
- Create files in /var/lib/ldap/ during initial start to allow for transactional updates (bsc#1111388)
- Fixed incorrect post script call causing tmpfiles creation not to be run (bsc#1111388).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2410-1
Released:    Fri Sep 20 09:51:53 2019
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1150003,1150250,CVE-2019-1547,CVE-2019-1563
This update for openssl-1_1 fixes the following issues:

OpenSSL Security Advisory [10 September 2019]

* CVE-2019-1547: Added EC_GROUP_set_generator side channel attack avoidance. (bsc#1150003)
* CVE-2019-1563: Fixed Bleichenbacher attack against cms/pkcs7 encryption transported key (bsc#1150250)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2423-1
Released:    Fri Sep 20 16:41:45 2019
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1146866,SLE-9132
This update for aaa_base fixes the following issues:

Added sysctl.d/51-network.conf to tighten network security (bsc#1146866) (jira#SLE-9132)

Following settings have been tightened (and set to 0):

- net.ipv4.conf.all.accept_redirects
- net.ipv4.conf.default.accept_redirects
- net.ipv4.conf.default.accept_source_route
- net.ipv6.conf.all.accept_redirects
- net.ipv6.conf.default.accept_redirects


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2473-1
Released:    Thu Sep 26 10:02:03 2019
Summary:     Security update for nghttp2
Type:        security
Severity:    moderate
References:  1112438,1125689,1134616,1146182,1146184,CVE-2019-9511,CVE-2019-9513
This update for nghttp2 fixes the following issues:

Security issues fixed:

- CVE-2019-9513: Fixed HTTP/2 implementation that is vulnerable to resource loops, potentially leading to a denial of service (bsc#1146184).
- CVE-2019-9511: Fixed HTTP/2 implementations that are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service (bsc#11461).

Bug fixes and enhancements:

- Fixed mistake in spec file (bsc#1125689)
- Fixed build issue with boost 1.70.0 (bsc#1134616)
- Feature: Add W&S module (FATE#326776, bsc#1112438)
  
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2533-1
Released:    Thu Oct  3 15:02:50 2019
Summary:     Security update for sqlite3
Type:        security
Severity:    moderate
References:  1150137,CVE-2019-16168
This update for sqlite3 fixes the following issues:

Security issue fixed:

- CVE-2019-16168: Fixed improper validation of sqlite_stat1 field that could lead to denial of service (bsc#1150137).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2418-1
Released:    Thu Nov 14 11:53:03 2019
Summary:     Recommended update for bash
Type:        recommended
Severity:    moderate
References:  1133773,1143055
This update for bash fixes the following issues:

- Rework patch readline-7.0-screen (bsc#1143055):
   map all 'screen(-xxx)?.yyy(-zzz)?' to 'screen' as well as
   map 'konsole(-xxx)?' and 'gnome(-xxx)?' to 'xterm'
- Add a backport from bash 5.0 to perform better with large numbers of sub processes. (bsc#1133773)


The following package changes have been done:

- aaa_base-84.87+git20180409.04c9dae-3.15.1 updated
- bash-4.4-9.10.1 updated
- libblkid1-2.31.1-9.8.1 updated
- libfdisk1-2.31.1-9.8.1 updated
- libldap-2_4-2-2.4.46-9.19.2 updated
- libmount1-2.31.1-9.8.1 updated
- libnghttp2-14-1.39.2-3.3.1 updated
- libopenssl1_1-1.1.0i-4.24.1 updated
- libreadline7-7.0-9.10.1 updated
- libsmartcols1-2.31.1-9.8.1 updated
- libsqlite3-0-3.28.0-3.9.2 updated
- libuuid1-2.31.1-9.8.1 updated
- openssl-1_1-1.1.0i-4.24.1 updated
- shadow-4.5-7.6.4 updated
- util-linux-2.31.1-9.8.1 updated