SUSE Image Update Advisory: suse-sles-15-chost-byos-v20200615-hvm-ssd-x86_64
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2020:39-1
Image Tags        : suse-sles-15-chost-byos-v20200615-hvm-ssd-x86_64:20200615
Image Release     :
Severity          : important
Type              : security
References        : 1043898 1043899 1079603 1087982 1091109 1099272 1123156 1138793 1149955 1149995 1152590 1154661 1155271 1156194 1156884 1159314 1159928 1160594 1160764 1161066 1161119 1161517 1161521 1161779 1162930 1163018 1163922 1165011 1165024 1165776 1165894 1166240 1166260 1167656 1167898 1168076 1168481 1169030 1169512 1169582 1169944 1169997 1170160 1170527 1170771 1170838 1170908 1170940 1171173 1171422 1171561 1171872 1172021 CVE-2017-8834 CVE-2017-8871 CVE-2018-6942 CVE-2019-16056 CVE-2019-18218 CVE-2019-19956 CVE-2019-20382 CVE-2019-20388 CVE-2019-3688 CVE-2019-3690 CVE-2019-6778 CVE-2020-12243 CVE-2020-1711 CVE-2020-1983 CVE-2020-7039 CVE-2020-7595 CVE-2020-8013 CVE-2020-8608
-----------------------------------------------------------------
The container suse-sles-15-chost-byos-v20200615-hvm-ssd-x86_64 was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1163-1
Released:    Mon May 4 09:45:01 2020
Summary:     Security update for permissions
Type:        security
Severity:    important
References:  1160594,1160764,1161779,1163922,CVE-2019-3688,CVE-2019-3690,CVE-2020-8013

This update for permissions fixes the following issues:

Security issue fixed:

- CVE-2020-8013: Fixed a local privilege escalation with mrsh and wodim (bsc#1163922).
Non-security issues fixed:

- Fixed regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594)
- Fixed capability handling when doing multiple permission changes at once (bsc#1161779)
- Fixed handling of relative directory symlinks in chkstat

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1175-1
Released:    Tue May 5 08:33:43 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1165011,1168076

This update for systemd fixes the following issues:

- Fix check for address to keep interface names stable. (bsc#1168076)
- Fix for checking non-normalized WHAT for network FS. (bsc#1165011)
- Allow specifying an arbitrary string for when vfs is used. (bsc#1165011)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1181-1
Released:    Tue May 5 12:02:39 2020
Summary:     Recommended update for pciutils-ids
Type:        recommended
Severity:    moderate
References:  1170160

This update for pciutils-ids fixes the following issues:

- Update the PCI utilities database to 20200324. (bsc#1170160)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1182-1
Released:    Tue May 5 12:06:55 2020
Summary:     Recommended update for chrony
Type:        recommended
Severity:    moderate
References:  1099272,1156884,1161119

This update for chrony fixes the following issues:

- Read runtime servers from /var/run/netconfig/chrony.servers (bsc#1099272, bsc#1161119)
- Move chrony-helper to /usr/lib/chrony/helper, because there should be no executables in /usr/share.
- Add chrony-pool-suse and chrony-pool-openSUSE subpackages that preconfigure chrony to use NTP servers from the respective pools for SUSE and openSUSE. (bsc#1156884, SLE-11424)
- Add chrony-pool-empty to still allow installing chrony without preconfigured servers.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1192-1
Released:    Tue May 5 14:35:05 2020
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  1169944

This update for libgcrypt fixes the following issues:

- FIPS: libgcrypt: Double free in test_keys() on failed signature verification [bsc#1169944]

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1219-1
Released:    Thu May 7 17:10:42 2020
Summary:     Security update for openldap2
Type:        security
Severity:    important
References:  1170771,CVE-2020-12243

This update for openldap2 fixes the following issues:

- CVE-2020-12243: Fixed a denial of service related to recursive filters (bsc#1170771).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1226-1
Released:    Fri May 8 10:51:05 2020
Summary:     Recommended update for gcc9
Type:        recommended
Severity:    moderate
References:  1149995,1152590,1167898

This update for gcc9 fixes the following issues:

This update ships the GCC 9.3 release.

- Includes a fix for an internal compiler error when building HepMC (bsc#1167898)
- Includes a fix for binutils version parsing
- Add libstdc++6-pp provides and conflicts to avoid file conflicts with the same minor version of libstdc++6-pp from gcc10.
- Add gcc9 autodetect -g at lto link (bsc#1149995)
- Install go tool buildid for bootstrapping go

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1266-1
Released:    Wed May 13 10:20:54 2020
Summary:     Recommended update for jq
Type:        recommended
Severity:    moderate
References:  1170838

This update for jq fixes the following issues:

jq was updated to version 1.6:

* Destructuring Alternation
* many new builtins (see docs)
* Add support for ASAN and UBSAN
* Make it easier to use jq with shebangs
* Add $ENV builtin variable to access environment
* Add JQ_COLORS env var for configuring the output colors
* change: Calling jq without a program argument now always assumes '.' for the program, regardless of stdin/stdout
* fix: Make sorting stable regardless of qsort.

- Make jq depend on libjq1, so upgrading jq upgrades both

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1267-1
Released:    Wed May 13 11:58:58 2020
Summary:     Recommended update for permissions
Type:        recommended
Severity:    important
References:  1171173

This update for permissions fixes the following issue:

- Remove setuid bit for newgidmap and newuidmap in paranoid profile. (bsc#1171173)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1268-1
Released:    Wed May 13 12:02:28 2020
Summary:     Recommended update for dracut
Type:        recommended
Severity:    moderate
References:  1165024,1167656,1169030,1169997

This update for dracut fixes the following issues:

- Solve bringing up network interface prematurely. (bsc#1169030)
- shutdown: guard against read-only /run (bsc#1167656)
- dracut-init: when it is not possible to load a module, emit a warning message for dracut instead of a fatal error. (bsc#1169997)
- Backport upstream typo fix in dmsquash-live-root.sh so that the FSIMG variable is correctly set. (bsc#1165024)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1290-1
Released:    Fri May 15 16:39:59 2020
Summary:     Recommended update for gnutls
Type:        recommended
Severity:    moderate
References:  1171422

This update for gnutls fixes the following issues:

- Add RSA 4096 key generation support in FIPS mode (bsc#1171422)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1294-1
Released:    Mon May 18 07:38:36 2020
Summary:     Security update for file
Type:        security
Severity:    moderate
References:  1154661,1169512,CVE-2019-18218

This update for file fixes the following issues:

Security issues fixed:

- CVE-2019-18218: Fixed a heap-based buffer overflow in cdf_read_property_info() (bsc#1154661).

Non-security issue fixed:

- Fixed broken '--help' output (bsc#1169512).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1299-1
Released:    Mon May 18 07:43:21 2020
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1159928,1161517,1161521,CVE-2019-19956,CVE-2019-20388,CVE-2020-7595

This update for libxml2 fixes the following issues:

- CVE-2019-20388: Fixed a memory leak in xmlSchemaPreRun (bsc#1161521).
- CVE-2019-19956: Fixed a memory leak (bsc#1159928).
- CVE-2020-7595: Fixed an infinite loop in an EOF situation (bsc#1161517).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1303-1
Released:    Mon May 18 09:40:36 2020
Summary:     Recommended update for timezone
Type:        recommended
Severity:    moderate
References:  1169582

This update for timezone fixes the following issues:

- timezone update 2020a. (bsc#1169582)
  * Morocco springs forward on 2020-05-31, not 2020-05-24.
  * Canada's Yukon advanced to -07 year-round on 2020-03-08.
  * America/Nuuk renamed from America/Godthab.
  * zic now supports expiration dates for leap second lists.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1328-1
Released:    Mon May 18 17:16:04 2020
Summary:     Recommended update for grep
Type:        recommended
Severity:    moderate
References:  1155271

This update for grep fixes the following issues:

- Update testsuite expectations, no functional changes (bsc#1155271)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1342-1
Released:    Tue May 19 13:27:31 2020
Summary:     Recommended update for python3
Type:        recommended
Severity:    moderate
References:  1149955,1165894,CVE-2019-16056

This update for python3 fixes the following issues:

- Changed the name of idle3 icons to idle3.png to avoid collision with the Python 2 version (bsc#1165894).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1348-1
Released:    Wed May 20 11:37:41 2020
Summary:     Recommended update for mozilla-nss
Type:        recommended
Severity:    moderate
References:  1170908

This update for mozilla-nss fixes the following issues:

- Add AES Keywrap POST.
- Accept EACCES in lieu of ENOENT when trying to access /proc/sys/crypto/fips_enabled (bsc#1170908).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1349-1
Released:    Wed May 20 11:39:00 2020
Summary:     Recommended update for libsolv
Type:        recommended
Severity:    moderate
References:  1159314

This update for libsolv fixes the following issues:

libsolv was updated to version 0.7.11:

- fix solv_zchunk decoding error if large chunks are used (bsc#1159314)
- treat retracted paths as irrelevant
- made add_update_target work with multiversion installs

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1353-1
Released:    Wed May 20 13:02:32 2020
Summary:     Security update for freetype2
Type:        security
Severity:    moderate
References:  1079603,1091109,CVE-2018-6942

This update for freetype2 to version 2.10.1 fixes the following issues:

Security issue fixed:

- CVE-2018-6942: Fixed a NULL pointer dereference within ttinterp.c (bsc#1079603).

Non-security issues fixed:

- Update to version 2.10.1
  * The bytecode hinting of OpenType variation fonts was flawed, since the data in the `CVAR' table wasn't correctly applied.
  * Auto-hinter support for Mongolian.
  * The handling of the default character in PCF fonts as introduced in version 2.10.0 was partially broken, causing premature abortion of charmap iteration for many fonts.
  * If `FT_Set_Named_Instance' was called with the same arguments twice in a row, the function returned an incorrect error code the second time.
  * Direct rendering using FT_RASTER_FLAG_DIRECT crashed (bug introduced in version 2.10.0).
  * Increased precision while computing OpenType font variation instances.
  * The flattening algorithm of cubic Bezier curves was slightly changed to make it faster. This can cause very subtle rendering changes, which aren't noticeable by the eye, however.
  * The auto-hinter now disables hinting if there are blue zones defined for a `style' (i.e., a certain combination of a script and its related typographic features) but the font doesn't contain any characters needed to set up at least one blue zone.
- Add tarball signatures and freetype2.keyring
- Update to version 2.10.0
  * A bunch of new functions has been added to access and process COLR/CPAL data of OpenType fonts with color-layered glyphs.
  * As a GSoC 2018 project, Nikhil Ramakrishnan completely overhauled and modernized the API reference.
  * The logic for computing the global ascender, descender, and height of OpenType fonts has been slightly adjusted for consistency.
  * `TT_Set_MM_Blend' could fail if called repeatedly with the same arguments.
  * The precision of handling deltas in Variation Fonts has been increased. The problem did only show up with multidimensional designspaces.
  * New function `FT_Library_SetLcdGeometry' to set up the geometry of LCD subpixels.
  * FreeType now uses the `defaultChar' property of PCF fonts to set the glyph for the undefined character at glyph index 0 (as FreeType already does for all other supported font formats). As a consequence, the order of glyphs of a PCF font if accessed with FreeType can be different now compared to previous versions. This change doesn't affect PCF font access with cmaps.
  * `FT_Select_Charmap' has been changed to allow parameter value `FT_ENCODING_NONE', which is valid for BDF, PCF, and Windows FNT formats to access built-in cmaps that don't have a predefined `FT_Encoding' value.
  * A previously reserved field in the `FT_GlyphSlotRec' structure now holds the glyph index.
  * The usual round of fuzzer bug fixes to better reject malformed fonts.
  * `FT_Outline_New_Internal' and `FT_Outline_Done_Internal' have been removed. These two functions were public by oversight only and were never documented.
  * A new function `FT_Error_String' returns descriptions of error codes if configuration macro FT_CONFIG_OPTION_ERROR_STRINGS is defined.
  * `FT_Set_MM_WeightVector' and `FT_Get_MM_WeightVector' are new functions limited to Adobe MultiMaster fonts to directly set and get the weight vector.
- Enable subpixel rendering with infinality config.
- Re-enable freetype-config, there are just too many fallouts.
- Update to version 2.9.1
  * Type 1 fonts containing flex features were not rendered correctly (bug introduced in version 2.9).
  * CVE-2018-6942: Older FreeType versions can crash with certain malformed variation fonts.
  * Bug fix: Multiple calls to `FT_Get_MM_Var' returned garbage.
  * Emboldening of bitmaps didn't work correctly sometimes, showing various artifacts (bug introduced in version 2.8.1).
  * The auto-hinter script ranges have been updated for Unicode 11. No support for new scripts has been added, however, with the exception of Georgian Mtavruli.
- freetype-config is now deprecated by upstream and not enabled by default.
- Update to version 2.10.1
  * The `ftmulti' demo program now supports multiple hidden axes with the same name tag.
  * `ftview', `ftstring', and `ftgrid' got a `-k' command line option to emulate a sequence of keystrokes at start-up.
  * `ftview', `ftstring', and `ftgrid' now support screen dumping to a PNG file.
  * The bytecode debugger, `ttdebug', now supports variation TrueType fonts; a variation font instance can be selected with the new `-d' command line option.
- Add tarball signatures and freetype2.keyring
- Update to version 2.10.0
  * The `ftdump' demo program has new options `-c' and `-C' to display charmaps in compact and detailed format, respectively. Option `-V' has been removed.
  * The `ftview', `ftstring', and `ftgrid' demo programs use a new command line option `-d' to specify the program window's width, height, and color depth.
  * The `ftview' demo program now displays red boxes for zero-width glyphs.
  * `ftglyph' has limited support to display fonts with color-layered glyphs. This will be improved later on.
  * `ftgrid' can now display bitmap fonts also.
  * The `ttdebug' demo program has a new option `-f' to select a member of a TrueType collection (TTC).
  * Other various improvements to the demo programs.
- Remove 'Supplements: fonts-config' to avoid accidentally pulling in Qt dependencies on some non-Qt based desktops. (bsc#1091109) fonts-config is fundamental, but ft2demos is seldom installed by end users; only fonts-config maintainers/debuggers may use ft2demos to debug some issues.
- Update to version 2.9.1
  * No changelog upstream.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1362-1
Released:    Thu May 21 09:31:43 2020
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  1171872

This update for libgcrypt fixes the following issues:

- FIPS: RSA/DSA/ECC test_keys() print out debug messages only in debug mode (bsc#1171872)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1400-1
Released:    Mon May 25 14:09:02 2020
Summary:     Recommended update for glibc
Type:        recommended
Severity:    moderate
References:  1162930

This update for glibc fixes the following issues:

- nptl: wait for pending setxid request also in detached thread. (bsc#1162930)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1404-1
Released:    Mon May 25 15:32:34 2020
Summary:     Recommended update for zlib
Type:        recommended
Severity:    moderate
References:  1138793,1166260

This update for zlib fixes the following issues:

- Including the latest fixes from IBM (bsc#1166260)
  IBM Z mainframes starting from version z15 provide the DFLTCC instruction, which implements the deflate algorithm in hardware with estimated compression and decompression performance orders of magnitude faster than the current zlib and a ratio comparable with that of level 1.
- Add SUSE specific fix to solve bsc#1138793. The fix avoids testing whether the app was linked with exactly the same version of zlib as the one present at runtime.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1422-1
Released:    Tue May 26 12:32:27 2020
Summary:     Recommended update for GeoIP
Type:        recommended
Severity:    moderate
References:  1156194

This update for GeoIP fixes the following issues:

- Update README.SUSE with a description of how to get the latest Geo IP data after the distribution changes. (jsc#SLE-11184, bsc#1156194, jsc#ECO-1405)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1427-1
Released:    Tue May 26 14:55:16 2020
Summary:     Recommended update for docker-runc
Type:        recommended
Severity:    moderate
References:  1168481

This update for docker-runc contains the following fixes:

- Backport upstream fix that enables access to /dev/null in containers. Resolves many issues with the implementation of the runc devices cgroup code. Removes some of the disruptive aspects of 'runc update'. (bsc#1168481)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1492-1
Released:    Wed May 27 18:32:41 2020
Summary:     Recommended update for python-rpm-macros
Type:        recommended
Severity:    moderate
References:  1171561

This update for python-rpm-macros fixes the following issue:

- Update to version 20200207.5feb6c1 (bsc#1171561)
  * Do not write .pyc files for tests

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1506-1
Released:    Fri May 29 17:22:11 2020
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1087982,1170527

This update for aaa_base fixes the following issues:

- Not all XTerm based emulators have a terminfo entry. (bsc#1087982)
- Better support of Midnight Commander. (bsc#1170527)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1523-1
Released:    Wed Jun 3 08:35:42 2020
Summary:     Security update for qemu
Type:        security
Severity:    moderate
References:  1123156,1161066,1163018,1165776,1166240,1170940,CVE-2019-20382,CVE-2019-6778,CVE-2020-1711,CVE-2020-1983,CVE-2020-7039,CVE-2020-8608

This update for qemu fixes the following issues:

Security issues fixed:

- CVE-2020-1983: Fixed a use-after-free in the ip_reass function of slirp (bsc#1170940).
- CVE-2019-20382: Fixed a potential DoS due to a memory leak in VNC disconnect (bsc#1165776).
- CVE-2020-1711: Fixed a potential OOB access in the iSCSI client code (bsc#1166240).
- CVE-2020-8608: Fixed a potential OOB access in slirp (bsc#1163018).
- CVE-2020-7039: Fixed a potential OOB access in slirp (bsc#1161066).
- Fixed multiple potential DoS issues in SLIRP, similar to CVE-2019-6778 (bsc#1123156).

Non-security issue fixed:

- Miscellaneous fixes to the in-package support documentation.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1532-1
Released:    Thu Jun 4 10:16:12 2020
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1172021,CVE-2019-19956

This update for libxml2 fixes the following issues:

- CVE-2019-19956: Reverted the upstream fix for this memory leak because it introduced other, more severe vulnerabilities (bsc#1172021).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1535-1
Released:    Thu Jun 4 10:44:48 2020
Summary:     Security update for libcroco
Type:        security
Severity:    low
References:  1043898,1043899,CVE-2017-8834,CVE-2017-8871

This update for libcroco fixes the following issues:

Security issues fixed:

- CVE-2017-8834: Fixed denial of service (memory allocation error) via a crafted CSS file (bsc#1043898).
- CVE-2017-8871: Fixed denial of service (infinite loop and CPU consumption) via a crafted CSS file (bsc#1043899).
The following package changes have been done:

- GeoIP-data-1.6.11-3.3.1 updated
- aaa_base-84.87+git20180409.04c9dae-3.39.1 updated
- chrony-pool-suse-3.2-9.12.1 added
- chrony-3.2-9.12.1 updated
- docker-runc-1.0.0rc8+gitr3917_3e425f80a8c9-6.35.1 updated
- dracut-044.2-18.58.1 updated
- file-magic-5.32-7.8.1 updated
- file-5.32-7.8.1 updated
- glibc-locale-base-2.26-13.48.1 updated
- glibc-locale-2.26-13.48.1 updated
- glibc-2.26-13.48.1 updated
- grep-3.1-4.3.12 updated
- jq-1.6-3.3.1 updated
- libGeoIP1-1.6.11-3.3.1 updated
- libcroco-0_6-3-0.6.12-4.3.51 updated
- libfreebl3-3.47.1-3.37.1 updated
- libfreetype6-2.10.1-4.3.1 updated
- libgcc_s1-9.3.1+git1296-1.6.1 updated
- libgcrypt20-1.8.2-6.49.1 updated
- libgnutls30-3.6.7-6.26.1 updated
- libjq1-1.6-3.3.1 updated
- libldap-2_4-2-2.4.46-9.28.2 updated
- libldap-data-2.4.46-9.28.2 updated
- libmagic1-5.32-7.8.1 updated
- libpython3_6m1_0-3.6.10-3.53.1 updated
- libsolv-tools-0.7.11-3.25.6 updated
- libstdc++6-9.3.1+git1296-1.6.1 updated
- libsystemd0-234-24.49.2 updated
- libudev1-234-24.49.2 updated
- libxml2-2-2.9.7-3.22.1 updated
- libz1-1.2.11-3.12.1 updated
- libzypp-17.19.0-3.36.13 updated
- pciutils-ids-20200324-3.6.1 updated
- permissions-20180125-3.24.1 updated
- python-rpm-macros-20200207.5feb6c1-3.11.1 updated
- python3-base-3.6.10-3.53.1 updated
- python3-3.6.10-3.53.1 updated
- qemu-tools-2.11.2-9.36.1 updated
- systemd-sysvinit-234-24.49.2 updated
- systemd-234-24.49.2 updated
- timezone-2020a-3.26.1 updated
- udev-234-24.49.2 updated