SUSE Container Update Advisory: suse/sles/15.7/virt-handler ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2024:3714-1 Container Tags : suse/sles/15.7/virt-handler:1.1.1 , suse/sles/15.7/virt-handler:1.1.1-150700.9.4 , suse/sles/15.7/virt-handler:1.1.1.29.13 Container Release : 29.13 Severity : important Type : security References : 1222899 1223336 1226463 1227138 1227888 1228535 1228548 1228770 916845 CVE-2013-4235 CVE-2013-4235 CVE-2024-5535 CVE-2024-6197 CVE-2024-7264 ----------------------------------------------------------------- The container suse/sles/15.7/virt-handler was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:2630-1 Released: Tue Jul 30 09:12:44 2024 Summary: Security update for shadow Type: security Severity: important References: 916845,CVE-2013-4235 This update for shadow fixes the following issues: - CVE-2013-4235: Fixed a race condition when copying and removing directory trees (bsc#916845). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:2635-1 Released: Tue Jul 30 09:14:09 2024 Summary: Security update for openssl-3 Type: security Severity: important References: 1222899,1223336,1226463,1227138,CVE-2024-5535 This update for openssl-3 fixes the following issues: Security fixes: - CVE-2024-5535: Fixed SSL_select_next_proto buffer overread (bsc#1227138) Other fixes: - Build with no-afalgeng (bsc#1226463) - Build with enabled sm2 and sm4 support (bsc#1222899) - Fix non-reproducibility issue (bsc#1223336) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:2637-1 Released: Tue Jul 30 09:17:25 2024 Summary: Recommended update for qemu Type: recommended Severity: moderate References: This update for qemu fixes the following issues: qemu was updated to version 8.2.5: - For the full list of changes (from the various releases) please consult the following: * https://lore.kernel.org/qemu-devel/1718081047.648425.1238605.nullmailer@tls.msk.ru/ - Main changes: * disas/riscv: Decode all of the pmpcfg and pmpaddr CSRs * dockerfiles: Added 'MAKE' env variable to remaining containers * gitlab: Update msys2-64bit runner tags * gitlab: Use 'setarch -R' to workaround tsan bug * gitlab: Use $MAKE instead of 'make' * hvf: arm: Fixed encodings for ID_AA64PFR1_EL1 and debug System registers * hw/intc/arm_gic: Fixed handling of NS view of GICC_APR * hw/intc/riscv_aplic: APLICs should add child earlier than realize * iotests: test NBD+TLS+iothread * qio: Inherit follow_coroutine_ctx across TLS * target/arm: Disable SVE extensions when SVE is disabled * target/i386: Fixed SSE and SSE2 feature check * target/i386: Fixed xsave.flat from kvm-unit-tests * target/i386: No single-step exception after MOV or POP SS * target/loongarch: Fixed a wrong print in cpu dump * target/riscv: Do not set mtval2 for non guest-page faults * target/riscv: Fixed the element agnostic function problem * target/riscv: Prioritize pmp errors in raise_mmu_exception() * target/riscv: rvv: Check single width operator for vector fp widen instructions * target/riscv: rvv: Check single width operator for vfncvt.rod.f.f.w * target/riscv: rvv: Fixed Zvfhmin checking for vfwcvt.f.f.v and vfncvt.f.f.w instructions * target/riscv: rvv: Removed redudant SEW checking for vector fp narrow/widen instructions * target/riscv: rvzicbo: Fixed CBO extension register calculation * target/riscv/cpu.c: Fixed Zvkb extension config * target/riscv/kvm: Tolerate KVM disable ext errors * target/riscv/kvm.c: Fixed the hart bit setting of AIA * ui/sdl2: Allow host to power down screen ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:2641-1 Released: Tue Jul 30 09:29:36 2024 Summary: Recommended update for systemd Type: recommended Severity: moderate References: This update for systemd fixes the following issues: systemd was updated from version 254.13 to version 254.15: - Changes in version 254.15: * boot: cover for hardware keys on phones/tablets * Conditional PSI check to reflect changes done in 5.13 * core/dbus-manager: refuse SoftReboot() for user managers * core/exec-invoke: reopen OpenFile= fds with O_NOCTTY * core/exec-invoke: use sched_setattr instead of sched_setscheduler * core/unit: follow merged units before updating SourcePath= timestamp too * coredump: correctly take tmpfs size into account for compression * cryptsetup: improve TPM2 blob display * docs: Add section to HACKING.md on distribution packages * docs: fixed dead link to GNOME documentation * docs/CODING_STYLE: document that we nowadays prefer (const char*) for func ret type * Fixed typo in CAP_BPF description * LICENSES/README: expand text to summarize state for binaries and libs * man: fully adopt ~/.local/state/ * man/systemd.exec: list inaccessible files for ProtectKernelTunables * man/tmpfiles: remove outdated behavior regarding symlink ownership * meson: bpf: propagate 'sysroot' for cross compilation * meson: Define __TARGET_ARCH macros required by bpf * mkfs-util: Set sector size for btrfs as well * mkosi: drop CentOS 8 from CI * mkosi: Enable hyperscale-packages-experimental for CentOS * mountpoint-util: do not assume symlinks are not mountpoints * os-util: avoid matching on the wrong extension-release file * README: add missing CONFIG_MEMCG kernel config option for oomd * README: update requirements for signed dm-verity * resolved: allow the full TTL to be used by OPT records * resolved: correct parsing of OPT extended RCODEs * sysusers: handle NSS errors gracefully * TEST-58-REPART: reverse order of diff args * TEST-64-UDEV-STORAGE: Make nvme_subsystem expected pci symlinks more generic * test: fixed TEST-24-CRYPTSETUP on SUSE * test: install /etc/hosts * Use consistent spelling of systemd.condition_first_boot argument * util: make file_read() 64bit offset safe * vmm: make sure we can handle smbios objects without variable part - Changes in version 254.14: * analyze: show pcrs also in sha384 bank * chase: Tighten '.' and './' check * core/service: fixed accept-socket deserialization * efi-api: check /sys/class/tpm/tpm0/tpm_version_major, too * executor: check for all permission related errnos when setting up IPC namespace * install: allow removing symlinks even for units that are gone * json: use secure un{base64,hex}mem for sensitive variants * man,units: drop 'temporary' from description of systemd-tmpfiles * missing_loop.h: fixed LOOP_SET_STATUS_SETTABLE_FLAGS * repart: fixed memory leak * repart: Use CRYPT_ACTIVATE_PRIVATE * resolved: permit dnssec rrtype questions when we aren't validating * rules: Limit the number of device units generated for serial ttys * run: do not pass the pty slave fd to transient service in a machine * sd-dhcp-server: clear buffer before receive * strbuf: use GREEDY_REALLOC to grow the buffer ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:2779-1 Released: Tue Aug 6 14:35:49 2024 Summary: Recommended update for permissions Type: recommended Severity: moderate References: 1228548 This update for permissions fixes the following issue: * cockpit: moved setuid executable (bsc#1228548) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:2784-1 Released: Tue Aug 6 14:58:38 2024 Summary: Security update for curl Type: security Severity: important References: 1227888,1228535,CVE-2024-6197,CVE-2024-7264 This update for curl fixes the following issues: - CVE-2024-7264: Fixed ASN.1 date parser overread (bsc#1228535) - CVE-2024-6197: Fixed freeing stack buffer in utf8asn1str (bsc#1227888) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:2808-1 Released: Wed Aug 7 09:49:32 2024 Summary: Security update for shadow Type: security Severity: moderate References: 1228770,CVE-2013-4235 This update for shadow fixes the following issues: - Fixed not copying of skel files (bsc#1228770) The following package changes have been done: - libudev1-254.15-150600.4.8.1 updated - libsystemd0-254.15-150600.4.8.1 updated - libopenssl3-3.1.4-150600.5.10.1 updated - libopenssl-3-fips-provider-3.1.4-150600.5.10.1 updated - login_defs-4.8.1-150600.17.6.1 updated - libcurl4-8.6.0-150600.4.3.1 updated - sles-release-15.7-150700.3.1 updated - permissions-20240801-150600.10.4.1 updated - shadow-4.8.1-150600.17.6.1 updated - curl-8.6.0-150600.4.3.1 updated - kubevirt-container-disk-1.1.1-150700.9.4 updated - kubevirt-virt-handler-1.1.1-150700.9.4 updated - systemd-254.15-150600.4.8.1 updated - qemu-img-8.2.5-150600.3.6.1 updated - container:sles15-image-15.0.0-50.8 updated