SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:282-1
Container Tags        : suse/sle15:15.3 , suse/sle15:15.3.17.5.23
Container Release     : 17.5.23
Severity              : important
Type                  : security
References            : 1040589 1047218 1099521 1157818 1158812 1158958 1158959 1158960
                        1159491 1159715 1159847 1159850 1160309 1160438 1160439 1164719
                        1172091 1172115 1172234 1172236 1172240 1173641 1175448 1175449
                        1182604 1185540 1185807 1185828 1185958 1186049 1186411 1186447
                        1186503 1186791 1187154 1187210 1187212 1187292 1188063 1188217
                        1188218 1188219 1188220 928700 928701 CVE-2015-3414 CVE-2015-3415
                        CVE-2019-19244 CVE-2019-19317 CVE-2019-19603 CVE-2019-19645
                        CVE-2019-19646 CVE-2019-19880 CVE-2019-19923 CVE-2019-19924
                        CVE-2019-19925 CVE-2019-19926 CVE-2019-19959 CVE-2019-20218
                        CVE-2020-13434 CVE-2020-13435 CVE-2020-13630 CVE-2020-13631
                        CVE-2020-13632 CVE-2020-15358 CVE-2020-24370 CVE-2020-24371
                        CVE-2020-9327 CVE-2021-22922 CVE-2021-22923 CVE-2021-22924
                        CVE-2021-22925 CVE-2021-33560 CVE-2021-33910
-----------------------------------------------------------------

The container suse/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2157-1
Released:    Thu Jun 24 15:40:14 2021
Summary:     Security update for libgcrypt
Type:        security
Severity:    important
References:  1187212,CVE-2021-33560

This update for libgcrypt fixes the following issues:

- CVE-2021-33560: Fixed a side-channel against ElGamal encryption, caused by missing exponent blinding (bsc#1187212).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2173-1
Released:    Mon Jun 28 14:59:45 2021
Summary:     Recommended update for automake
Type:        recommended
Severity:    moderate
References:  1040589,1047218,1182604,1185540,1186049

This update for automake fixes the following issues:

- Implement generated autoconf makefiles reproducible (bsc#1182604)
- Add fix to avoid date variations in docs. (bsc#1047218, jsc#SLE-17848)
- Avoid bashisms in test-driver script. (bsc#1185540)

This update for pcre fixes the following issues:

- Do not run profiling 'check' in parallel to make package build reproducible. (bsc#1040589)

This update for brp-check-suse fixes the following issues:

- Add fixes to support reproducible builds. (bsc#1186049)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2191-1
Released:    Mon Jun 28 18:38:12 2021
Summary:     Recommended update for patterns-microos
Type:        recommended
Severity:    moderate
References:  1186791

This update for patterns-microos provides the following fix:

- Add zypper-migration-plugin to the default pattern. (bsc#1186791)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2196-1
Released:    Tue Jun 29 09:41:39 2021
Summary:     Security update for lua53
Type:        security
Severity:    moderate
References:  1175448,1175449,CVE-2020-24370,CVE-2020-24371

This update for lua53 fixes the following issues:

Update to version 5.3.6:

- CVE-2020-24371: lgc.c mishandles the interaction between barriers and the sweep phase, leading to a memory access violation involving collectgarbage (bsc#1175449)
- CVE-2020-24370: ldebug.c allows a negation overflow and segmentation fault in getlocal and setlocal (bsc#1175448)
- Long brackets with a huge number of '=' overflow some internal buffer arithmetic.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2205-1
Released:    Wed Jun 30 09:17:41 2021
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    important
References:  1187210

This update for openldap2 fixes the following issues:

- Resolve issues in the idle / connection 'TTL' timeout implementation in OpenLDAP. (bsc#1187210)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2273-1
Released:    Thu Jul 8 09:48:48 2021
Summary:     Recommended update for libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1186447,1186503

This update for libzypp, zypper fixes the following issues:

- Enhance XML output of repo GPG options
- Add optional attributes showing the raw values actually present in the '.repo' file.
- Link all executables with -PIE (bsc#1186447)
- Ship an empty '/etc/zypp/needreboot' per default (jsc#PM-2645)
- Add 'Solvable::isBlacklisted' as superset of retracted and ptf packages (bsc#1186503)
- Fix segv if 'ZYPP_FULLOG' is set.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2316-1
Released:    Wed Jul 14 13:49:55 2021
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1185807,1185828,1185958,1186411,1187154,1187292

This update for systemd fixes the following issues:

- Restore framebuffer devices as possible master of seat. Until simpledrm driver is released, this change is premature as some graphical chips don't have DRM driver and fallback to framebuffer. (bsc#1187154)
- Fixed an issue when '/var/lock/subsys' dropped when the creation of 'filesystem' package took the initialization of the generic paths over.
  (bsc#1187292)
- 'udev' requires systemd in its %post (bsc#1185958)
  nspawn: turn on higher optimization level in seccomp
  nspawn: return ENOSYS by default, EPERM for 'known' calls (bsc#1186411)
  shared/seccomp-util: added functionality to make list of filtered syscalls
  shared/syscall-list: filter out some obviously platform-specific syscalls
  shared/seccomp: reduce scope of indexing variables
  generate-syscall-list: require python3
  shared: add @known syscall list
  meson: add syscall-names-update target
  shared/seccomp: use _cleanup_ in one more place
  home: fix homed.conf install location
- We need to make sure that the creation of the symlinks is done after updating udev DB so if worker A is preempted by worker B before A updates the DB but after it creates the symlinks, worker B won't manage to overwrite the freshly created symlinks (by A) because A has still yet not registered the symlinks in the DB. (bsc#1185828)
- Expect 644 permissions for /usr/lib/udev/compat-symlink-generation (bsc#1185807)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2320-1
Released:    Wed Jul 14 17:01:06 2021
Summary:     Security update for sqlite3
Type:        security
Severity:    important
References:  1157818,1158812,1158958,1158959,1158960,1159491,1159715,1159847,1159850,
             1160309,1160438,1160439,1164719,1172091,1172115,1172234,1172236,1172240,
             1173641,928700,928701,CVE-2015-3414,CVE-2015-3415,CVE-2019-19244,
             CVE-2019-19317,CVE-2019-19603,CVE-2019-19645,CVE-2019-19646,CVE-2019-19880,
             CVE-2019-19923,CVE-2019-19924,CVE-2019-19925,CVE-2019-19926,CVE-2019-19959,
             CVE-2019-20218,CVE-2020-13434,CVE-2020-13435,CVE-2020-13630,CVE-2020-13631,
             CVE-2020-13632,CVE-2020-15358,CVE-2020-9327

This update for sqlite3 fixes the following issues:

- Update to version 3.36.0
- CVE-2020-15358: heap-based buffer overflow in multiSelectOrderBy due to mishandling of query-flattener optimization (bsc#1173641)
- CVE-2020-9327: NULL pointer dereference and segmentation fault because of generated
  column optimizations in isAuxiliaryVtabOperator (bsc#1164719)
- CVE-2019-20218: selectExpander in select.c proceeds with WITH stack unwinding even after a parsing error (bsc#1160439)
- CVE-2019-19959: memory-management error via ext/misc/zipfile.c involving embedded '\0' input (bsc#1160438)
- CVE-2019-19923: improper handling of certain uses of SELECT DISTINCT in flattenSubquery may lead to null pointer dereference (bsc#1160309)
- CVE-2019-19924: improper error handling in sqlite3WindowRewrite() (bsc#1159850)
- CVE-2019-19925: improper handling of NULL pathname during an update of a ZIP archive (bsc#1159847)
- CVE-2019-19926: improper handling of certain errors during parsing multiSelect in select.c (bsc#1159715)
- CVE-2019-19880: exprListAppendList in window.c allows attackers to trigger an invalid pointer dereference (bsc#1159491)
- CVE-2019-19603: during handling of CREATE TABLE and CREATE VIEW statements, does not consider confusion with a shadow table name (bsc#1158960)
- CVE-2019-19646: pragma.c mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns (bsc#1158959)
- CVE-2019-19645: alter.c allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements (bsc#1158958)
- CVE-2019-19317: lookupName in resolve.c omits bits from the colUsed bitmask in the case of a generated column, which allows attackers to cause a denial of service (bsc#1158812)
- CVE-2019-19244: sqlite3,sqlite2,sqlite: The function sqlite3Select in select.c allows a crash if a sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage (bsc#1157818)
- CVE-2015-3415: sqlite3VdbeExec comparison operator vulnerability (bsc#928701)
- CVE-2015-3414: sqlite3,sqlite2: dequoting of collation-sequence names (bsc#928700)
- CVE-2020-13434: integer overflow in sqlite3_str_vappendf (bsc#1172115)
- CVE-2020-13630: use-after-free in fts3EvalNextRow (bsc#1172234)
- CVE-2020-13631: virtual table allowed to be renamed to one of its shadow tables (bsc#1172236)
- CVE-2020-13632: NULL pointer dereference via crafted matchinfo() query (bsc#1172240)
- CVE-2020-13435: Malicious SQL statements could have crashed the process that is running SQLite (bsc#1172091)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2399-1
Released:    Mon Jul 19 19:06:22 2021
Summary:     Recommended update for release packages
Type:        recommended
Severity:    moderate
References:  1099521

This update for the release packages provides the following fix:

- Fix grub menu entries after migration from SLE-12*. (bsc#1099521)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2410-1
Released:    Tue Jul 20 14:41:26 2021
Summary:     Security update for systemd
Type:        security
Severity:    important
References:  1188063,CVE-2021-33910

This update for systemd fixes the following issues:

- CVE-2021-33910: Fixed a denial of service (stack exhaustion) in systemd (PID 1) (bsc#1188063)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2439-1
Released:    Wed Jul 21 13:46:48 2021
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1188217,1188218,1188219,1188220,CVE-2021-22922,CVE-2021-22923,CVE-2021-22924,CVE-2021-22925

This update for curl fixes the following issues:

- CVE-2021-22925: TELNET stack contents disclosure again. (bsc#1188220)
- CVE-2021-22924: Bad connection reuse due to flawed path name checks. (bsc#1188219)
- CVE-2021-22923: Insufficiently Protected Credentials. (bsc#1188218)
- CVE-2021-22922: Wrong content via metalink not discarded.
  (bsc#1188217)

The following package changes have been done:

- libcurl4-7.66.0-4.22.1 updated
- libgcrypt20-1.8.2-8.39.1 updated
- libldap-2_4-2-2.4.46-9.56.1 updated
- libldap-data-2.4.46-9.56.1 updated
- liblua5_3-5-5.3.6-3.6.1 updated
- libpcre1-8.41-6.4.2 updated
- libsqlite3-0-3.36.0-3.12.1 updated
- libsystemd0-246.13-7.8.1 updated
- libudev1-246.13-7.8.1 updated
- libzypp-17.27.0-12.1 updated
- sles-release-15.3-55.4.1 updated
- suse-build-key-12.0-8.16.1 updated
- zypper-1.14.46-13.1 updated