SUSE Container Update Advisory: caasp/v4.5/cilium
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:816-1
Container Tags        : caasp/v4.5/cilium:1.7.6 , caasp/v4.5/cilium:1.7.6-rev4 , caasp/v4.5/cilium:1.7.6-rev4-build5.10.1
Container Release     : 5.10.1
Severity              : important
Type                  : security
References            : 1104902 1126826 1126829 1126831 1140126 1142649 1143609 1150164
                        1153768 1153770 1154935 1157755 1158830 1160254 1160590 1161913
                        1163333 1163744 1165502 1167471 1167939 1172798 1173422 1174232
                        1174593 1174918 1176123 1176192 1176435 1176513 1176712 1176740
                        1176800 1176902 1177238 1177458 1177490 1177510 1177858 1177864
                        1178376 1178387 1178512 1178577 1178614 1178624 1178675 1178727
                        1179036 1179341 1179398 1179399 1179431 1179491 1179515 1179593
                        935885 CVE-2019-12972 CVE-2019-14250 CVE-2019-14444 CVE-2019-17450
                        CVE-2019-17451 CVE-2019-9074 CVE-2019-9075 CVE-2019-9077 CVE-2020-13844
                        CVE-2020-1971 CVE-2020-25692 CVE-2020-28196 CVE-2020-8284 CVE-2020-8285
                        CVE-2020-8286 
-----------------------------------------------------------------

The container caasp/v4.5/cilium was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2958-1
Released:    Tue Oct 20 12:24:55 2020
Summary:     Recommended update for procps
Type:        recommended
Severity:    moderate
References:  1158830
This update for procps fixes the following issues:

- Fixes an issue where 'ps -C' no longer allowed an argument longer than 15 characters. (bsc#1158830)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2983-1
Released:    Wed Oct 21 15:03:03 2020
Summary:     Recommended update for file
Type:        recommended
Severity:    moderate
References:  1176123
This update for file fixes the following issues:

- Fixes an issue where 'file' displays a broken 'ELF' interpreter. (bsc#1176123)

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2020:3026-1
Released:    Fri Oct 23 15:35:49 2020
Summary:     Optional update for the Public Cloud Module
Type:        optional
Severity:    moderate
References:  

This update adds the Google Cloud Storage packages to the Public Cloud module (jsc#ECO-2398).
The following packages were included:

- python3-grpcio
- python3-protobuf
- python3-google-api-core
- python3-google-cloud-core
- python3-google-cloud-storage
- python3-google-resumable-media
- python3-googleapis-common-protos
- python3-grpcio-gcp
- python3-mock (updated to version 3.0.5)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3048-1
Released:    Tue Oct 27 16:04:52 2020
Summary:     Recommended update for libsolv, libzypp, yaml-cpp, zypper
Type:        recommended
Severity:    moderate
References:  1174918,1176192,1176435,1176712,1176740,1176902,1177238,935885
This update for libsolv, libzypp, yaml-cpp, zypper fixes the following issues:

libzypp was updated to 17.25.1:

- When kernel-rt has been installed, the purge-kernels service fails during boot. (bsc#1176902)
- Use package name provides as group key in purge-kernel (bsc#1176740 bsc#1176192)
  kernel-default-base has new packaging, where the kernel uname -r
  does not reflect the full package version anymore. This patch
  adds additional logic to use the most generic/shortest edition
  each package provides with %{packagename}= to group the
  kernel packages instead of the rpm versions.
  This also changes how the keep-spec for specific versions is
  applied, instead of matching the package versions, each of the
  package name provides will be matched.
- RepoInfo: Return the type of the local metadata cache as
  fallback (bsc#1176435)
- VendorAttr: Fix broken 'suse,opensuse' equivalence handling.
  Enhance API and testcases. (bsc#1174918)
- Update docs regarding 'opensuse' namespace matching.
- Link against libzstd to close libsolv's open references
  (as we link statically)

yaml-cpp:

- The libyaml-cpp0_6 library package is added to the Basesystem module, LTSS and ESPOS
  channels, and the INSTALLER channels, as a new libzypp dependency.

  No source changes were done to yaml-cpp.

zypper was updated to 1.14.40:

- info: Assume descriptions starting with ' ' are richtext
  (bsc#935885)
- help: prevent 'whatis' from writing to stderr (bsc#1176712)
- wp: point out that command is aliased to a search command and
  searches case-insensitive (jsc#SLE-16271)

libsolv was updated to 0.7.15 to fix:

- make testcase_mangle_repo_names deal correctly with freed repos
  [bsc#1177238]
- fix deduceq2addedmap clearing bits outside of the map
- conda: feature depriorization first
- conda: fix startswith implementation
- move find_update_seeds() call in cleandeps calculation
- set SOLVABLE_BUILDHOST in rpm and rpmmd parsers
- new testcase_mangle_repo_names() function
- new solv_fmemopen() function

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3060-1
Released:    Wed Oct 28 08:09:21 2020
Summary:     Security update for binutils
Type:        security
Severity:    moderate
References:  1126826,1126829,1126831,1140126,1142649,1143609,1153768,1153770,1157755,1160254,1160590,1163333,1163744,CVE-2019-12972,CVE-2019-14250,CVE-2019-14444,CVE-2019-17450,CVE-2019-17451,CVE-2019-9074,CVE-2019-9075,CVE-2019-9077
This update for binutils fixes the following issues:

binutils was updated to version 2.35. (jsc#ECO-2373)

Update to binutils 2.35:

* The assembler can now produce DWARF-5 format line number tables.
* Readelf now has a 'lint' mode to enable extra checks of the files it is processing.
* Readelf will now display '[...]' when it has to truncate a symbol name.
  The old behaviour - of displaying as many characters as possible, up to
  the 80 column limit - can be restored by the use of the --silent-truncation
  option.
* The linker can now produce a dependency file listing the inputs that it
  has processed, much like the -M -MP option supported by the compiler.

- fix DT_NEEDED order with -flto [bsc#1163744]

Update to binutils 2.34:

* The disassembler (objdump --disassemble) now has an option to
  generate ascii art that shows the arcs between the start and end
  points of control flow instructions.
* The binutils tools now have support for debuginfod. Debuginfod is a
  HTTP service for distributing ELF/DWARF debugging information as
  well as source code. The tools can now connect to debuginfod
  servers in order to download debug information about the files that
  they are processing.
* The assembler and linker now support the generation of ELF format
  files for the Z80 architecture.

- Add new subpackages for libctf and libctf-nobfd.
- Disable LTO due to bsc#1163333.
- Includes fixes for these CVEs:
  bsc#1153768 aka CVE-2019-17451 aka PR25070
  bsc#1153770 aka CVE-2019-17450 aka PR25078
- fix various build fails on aarch64 (PR25210, bsc#1157755).

Update to binutils 2.33.1:

* Adds support for the Arm Scalable Vector Extension version 2
  (SVE2) instructions, the Arm Transactional Memory Extension (TME)
  instructions and the Armv8.1-M Mainline and M-profile Vector
  Extension (MVE) instructions.
* Adds support for the Arm Cortex-A76AE, Cortex-A77 and Cortex-M35P
  processors and the AArch64 Cortex-A34, Cortex-A65, Cortex-A65AE,
  Cortex-A76AE, and Cortex-A77 processors.
* Adds a .float16 directive for both Arm and AArch64 to allow
  encoding of 16-bit floating point literals.
* For MIPS, Add -m[no-]fix-loongson3-llsc option to fix (or not)
  Loongson3 LLSC Errata. Add a --enable-mips-fix-loongson3-llsc=[yes|no]
  configure time option to set the default behavior. Set the default
  if the configure option is not used to 'no'.
* The Cortex-A53 Erratum 843419 workaround now supports a choice of
  which workaround to use. The option --fix-cortex-a53-843419 now
  takes an optional argument --fix-cortex-a53-843419[=full|adr|adrp]
  which can be used to force a particular workaround to be used.
  See --help for AArch64 for more details.
* Add support for GNU_PROPERTY_AARCH64_FEATURE_1_BTI and
  GNU_PROPERTY_AARCH64_FEATURE_1_PAC in ELF GNU program properties
  in the AArch64 ELF linker.
* Add -z force-bti for AArch64 to enable GNU_PROPERTY_AARCH64_FEATURE_1_BTI
  on output while warning about missing GNU_PROPERTY_AARCH64_FEATURE_1_BTI
  on inputs and use PLTs protected with BTI.
* Add -z pac-plt for AArch64 to pick PAC enabled PLTs.
* Add --source-comment[=] option to objdump which if present,
  provides a prefix to source code lines displayed in a disassembly.
* Add --set-section-alignment =
  option to objcopy to allow the changing of section alignments.
* Add --verilog-data-width option to objcopy for verilog targets to
  control width of data elements in verilog hex format.
* The separate debug info file options of readelf (--debug-dump=links
  and --debug-dump=follow) and objdump (--dwarf=links and
  --dwarf=follow-links) will now display and/or follow multiple
  links if more than one are present in a file. (This usually
  happens when gcc's -gsplit-dwarf option is used).
  In addition objdump's --dwarf=follow-links now also affects its
  other display options, so that for example, when combined with
  --syms it will cause the symbol tables in any linked debug info
  files to also be displayed. In addition when combined with
  --disassemble the --dwarf=follow-links option will ensure that
  any symbol tables in the linked files are read and used when
  disassembling code in the main file.
* Add support for dumping types encoded in the Compact Type Format
  to objdump and readelf.

- Includes fixes for these CVEs:
  bsc#1126826 aka CVE-2019-9077 aka PR1126826
  bsc#1126829 aka CVE-2019-9075 aka PR1126829
  bsc#1126831 aka CVE-2019-9074 aka PR24235
  bsc#1140126 aka CVE-2019-12972 aka PR23405
  bsc#1143609 aka CVE-2019-14444 aka PR24829
  bsc#1142649 aka CVE-2019-14250 aka PR90924

* Add xBPF target
* Fix various problems with DWARF 5 support in gas
* fix nm -B for objects compiled with -flto and -fcommon.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3138-1
Released:    Tue Nov 3 12:14:03 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1104902,1154935,1165502,1167471,1173422,1176513,1176800
This update for systemd fixes the following issues:

- seccomp: shm{get,at,dt} now have their own numbers everywhere (bsc#1173422)
- test-seccomp: log function names
- test-seccomp: add log messages when skipping tests
- basic/virt: Detect PowerVM hypervisor (bsc#1176800)
- fs-util: suppress world-writable warnings if we read /dev/null
- udevadm: rename option '--log-priority' into '--log-level'
- udev: rename kernel option 'log_priority' into 'log_level'
- fstab-generator: add 'nofail' when NFS 'bg' option is used (bsc#1176513)
- Fix memory protection default (bsc#1167471)
- cgroup: Support 0-value for memory protection directives and accepts MemorySwapMax=0 (bsc#1154935)
- Improve latency and reliability when users log in/out (bsc#1104902, bsc#1165502)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3157-1
Released:    Wed Nov 4 15:37:05 2020
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:  1177864
This update for ca-certificates-mozilla fixes the following issues:

The SSL Root CA store was updated to the 2.44 state of the Mozilla NSS Certificate store (bsc#1177864)

- Removed CAs:
  - EE Certification Centre Root CA
  - Taiwan GRCA
- Added CAs:
  - Trustwave Global Certification Authority
  - Trustwave Global ECC P256 Certification Authority
  - Trustwave Global ECC P384 Certification Authority

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3290-1
Released:    Wed Nov 11 12:25:32 2020
Summary:     Recommended update for findutils
Type:        recommended
Severity:    moderate
References:  1174232
This update for findutils fixes the following issues:

- Do not unconditionally use leaf optimization for NFS. (bsc#1174232)
  NFS st_nlink are not accurate on all implementations, leading to aborts() if that assumption is made.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3313-1
Released:    Thu Nov 12 16:07:37 2020
Summary:     Security update for openldap2
Type:        security
Severity:    important
References:  1178387,CVE-2020-25692
This update for openldap2 fixes the following issues:

- CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3377-1
Released:    Thu Nov 19 09:29:32 2020
Summary:     Security update for krb5
Type:        security
Severity:    moderate
References:  1178512,CVE-2020-28196
This update for krb5 fixes the following security issue:

- CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3381-1
Released:    Thu Nov 19 10:53:38 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1177458,1177490,1177510
This update for systemd fixes the following issues:

- build-sys: optionally disable support of journal over the network (bsc#1177458)
- ask-password: prevent buffer overflow when reading from keyring (bsc#1177510)
- mount: don't propagate errors from mount_setup_unit() further up
- Rely on the new build option --disable-remote for journal_remote
  This allows to drop the workaround that consisted in cleaning
  journal-upload files and {sysusers.d,tmpfiles.d}/systemd-remote.conf
  manually when 'journal_remote' support was disabled.
- Move journal-{remote,upload}.conf.5.gz man pages into systemd-journal_remote sub package
- Make sure {sysusers.d,tmpfiles.d}/systemd-remote.conf are not shipped with --without=journal_remote (bsc#1177458)
  These files were incorrectly packaged in the main package when
  systemd-journal_remote was disabled.
- Make use of %{_unitdir} and %{_sysusersdir}
- Remove mq-deadline selection from 60-io-scheduler.rules (bsc#1177490)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3462-1
Released:    Fri Nov 20 13:14:35 2020
Summary:     Recommended update for pam and sudo
Type:        recommended
Severity:    moderate
References:  1174593,1177858,1178727
This update for pam and sudo fixes the following issue:

pam:

- pam_xauth: do not *free* a string which has been successfully passed to *putenv*. (bsc#1177858)
- Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727)
- Run /usr/bin/xauth using the old user's and group's identifiers. (bsc#1174593)

sudo:

- Fix a problem with pam_xauth which checks effective and real uids to get the real identity of the user. (bsc#1174593)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3581-1
Released:    Tue Dec 1 14:40:22 2020
Summary:     Recommended update for libusb-1_0
Type:        recommended
Severity:    moderate
References:  1178376
This update for libusb-1_0 fixes the following issues:

- Fixes a build failure for libusb for the inclusion of 'sys/time.h' on PowerPC. (bsc#1178376)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3620-1
Released:    Thu Dec 3 17:03:55 2020
Summary:     Recommended update for pam
Type:        recommended
Severity:    moderate
References:  
This update for pam fixes the following issues:

- Check if the password is part of the username. (jsc#SLE-16719, jsc#SLE-16720)
  - Check whether the password contains a substring of the user's name of at least `` characters length in some form.
    This is enabled by the new parameter `usersubstr=`

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3626-1
Released:    Fri Dec 4 13:51:46 2020
Summary:     Recommended update for audit
Type:        recommended
Severity:    moderate
References:  1179515
This update for audit fixes the following issues:

- Enable Aarch64 processor support. (bsc#1179515)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3640-1
Released:    Mon Dec 7 13:24:41 2020
Summary:     Recommended update for binutils
Type:        recommended
Severity:    important
References:  1179036,1179341
This update for binutils fixes the following issues:

Update binutils 2.35 branch to commit 1c5243df:

* Fixes PR26520, aka [bsc#1179036], a problem in addr2line with
  certain DWARF variable descriptions.
* Also fixes PR26711, PR26656, PR26655, PR26929, PR26808, PR25878,
  PR26740, PR26778, PR26763, PR26685, PR26699, PR26902, PR26869, PR26711
* The above includes fixes for dwo files produced by modern dwp, fixing
  several problems in the DWARF reader.

Update binutils to 2.35.1 and rebased branch diff:

* This is a point release over the previous 2.35 version, containing bug
  fixes, and as an exception to the usual rule, one new feature. The
  new feature is the support for a new directive in the assembler: '.nop'.
  This directive creates a single no-op instruction in whatever encoding
  is correct for the target architecture. Unlike the .space or .fill this
  is a real instruction, and it does affect the generation of DWARF line
  number tables, should they be enabled.
  This fixes an incompatibility introduced in the latest update that broke
  the install scripts of the Oracle server. [bsc#1179341]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3703-1
Released:    Mon Dec 7 20:17:32 2020
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1179431
This update for aaa_base fixes the following issue:

- Avoid semicolon within (t)csh login script on S/390. (bsc#1179431)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3721-1
Released:    Wed Dec 9 13:36:46 2020
Summary:     Security update for openssl-1_1
Type:        security
Severity:    important
References:  1179491,CVE-2020-1971
This update for openssl-1_1 fixes the following issues:

- CVE-2020-1971: Fixed a null pointer dereference in EDIPARTYNAME (bsc#1179491).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3735-1
Released:    Wed Dec 9 18:19:24 2020
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1179398,1179399,1179593,CVE-2020-8284,CVE-2020-8285,CVE-2020-8286
This update for curl fixes the following issues:

- CVE-2020-8286: Fixed improper OCSP verification in the client side (bsc#1179593).
- CVE-2020-8285: Fixed a stack overflow due to FTP wildcard (bsc#1179399).
- CVE-2020-8284: Fixed an issue where a malicious FTP server could make curl connect to a different IP (bsc#1179398).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3749-1
Released:    Thu Dec 10 14:39:28 2020
Summary:     Security update for gcc7
Type:        security
Severity:    moderate
References:  1150164,1161913,1167939,1172798,1178577,1178614,1178624,1178675,CVE-2020-13844
This update for gcc7 fixes the following issues:

- CVE-2020-13844: Added mitigation for aarch64 Straight Line Speculation issue (bsc#1172798)
- Enable fortran for the nvptx offload compiler.
- Update README.First-for.SuSE.packagers
- avoid assembler errors with AVX512 gather and scatter instructions when using -masm=intel.
- Backport the aarch64 -moutline-atomics feature and accumulated fixes but not its default enabling. [jsc#SLE-12209, bsc#1167939]
- Fixed 32bit libgnat.so link. [bsc#1178675]
- Fixed memcpy miscompilation on aarch64. [bsc#1178624, bsc#1178577]
- Fixed debug line info for try/catch. [bsc#1178614]
- Remove -mbranch-protection=standard (aarch64 flag) when gcc7 is used to build gcc7 (ie when ada is enabled)
- Fixed corruption of pass private ->aux via DF. [gcc#94148]
- Fixed debug information issue with inlined functions and passed by reference arguments. [gcc#93888]
- Fixed binutils release date detection issue.
- Fixed register allocation issue with exception handling code on s390x. [bsc#1161913]
- Fixed miscompilation of some atomic code on aarch64. [bsc#1150164]

SUSE: 2020:816-1 caasp/v4.5/cilium Security Update

December 12, 2020
The container caasp/v4.5/cilium was updated

Summary

Advisory ID: SUSE-RU-2020:2958-1 Released: Tue Oct 20 12:24:55 2020 Summary: Recommended update for procps Type: recommended Severity: moderate Advisory ID: SUSE-RU-2020:2983-1 Released: Wed Oct 21 15:03:03 2020 Summary: Recommended update for file Type: recommended Severity: moderate Advisory ID: SUSE-OU-2020:3026-1 Released: Fri Oct 23 15:35:49 2020 Summary: Optional update for the Public Cloud Module Type: optional Severity: moderate Advisory ID: SUSE-RU-2020:3048-1 Released: Tue Oct 27 16:04:52 2020 Summary: Recommended update for libsolv, libzypp, yaml-cpp, zypper Type: recommended Severity: moderate Advisory ID: SUSE-SU-2020:3060-1 Released: Wed Oct 28 08:09:21 2020 Summary: Security update for binutils Type: security Severity: moderate Advisory ID: SUSE-RU-2020:3138-1 Released: Tue Nov 3 12:14:03 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate Advisory ID: SUSE-RU-2020:3157-1 Released: Wed Nov 4 15:37:05 2020 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate Advisory ID: SUSE-RU-2020:3290-1 Released: Wed Nov 11 12:25:32 2020 Summary: Recommended update for findutils Type: recommended Severity: moderate Advisory ID: SUSE-SU-2020:3313-1 Released: Thu Nov 12 16:07:37 2020 Summary: Security update for openldap2 Type: security Severity: important Advisory ID: SUSE-SU-2020:3377-1 Released: Thu Nov 19 09:29:32 2020 Summary: Security update for krb5 Type: security Severity: moderate Advisory ID: SUSE-RU-2020:3381-1 Released: Thu Nov 19 10:53:38 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate Advisory ID: SUSE-RU-2020:3462-1 Released: Fri Nov 20 13:14:35 2020 Summary: Recommended update for pam and sudo Type: recommended Severity: moderate Advisory ID: SUSE-RU-2020:3581-1 Released: Tue Dec 1 14:40:22 2020 Summary: Recommended update for libusb-1_0 Type: recommended Severity: moderate Advisory ID: SUSE-RU-2020:3620-1 Released: Thu Dec 3 17:03:55 2020 Summary: 
Recommended update for pam Type: recommended Severity: moderate Advisory ID: SUSE-RU-2020:3626-1 Released: Fri Dec 4 13:51:46 2020 Summary: Recommended update for audit Type: recommended Severity: moderate Advisory ID: SUSE-RU-2020:3640-1 Released: Mon Dec 7 13:24:41 2020 Summary: Recommended update for binutils Type: recommended Severity: important Advisory ID: SUSE-RU-2020:3703-1 Released: Mon Dec 7 20:17:32 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate Advisory ID: SUSE-SU-2020:3721-1 Released: Wed Dec 9 13:36:46 2020 Summary: Security update for openssl-1_1 Type: security Severity: important Advisory ID: SUSE-SU-2020:3735-1 Released: Wed Dec 9 18:19:24 2020 Summary: Security update for curl Type: security Severity: moderate Advisory ID: SUSE-SU-2020:3749-1 Released: Thu Dec 10 14:39:28 2020 Summary: Security update for gcc7 Type: security Severity: moderate

References

References : 1104902 1126826 1126829 1126831 1140126 1142649 1143609 1150164

1153768 1153770 1154935 1157755 1158830 1160254 1160590 1161913

1163333 1163744 1165502 1167471 1167939 1172798 1173422 1174232

1174593 1174918 1176123 1176192 1176435 1176513 1176712 1176740

1176800 1176902 1177238 1177458 1177490 1177510 1177858 1177864

1178376 1178387 1178512 1178577 1178614 1178624 1178675 1178727

1179036 1179341 1179398 1179399 1179431 1179491 1179515 1179593

935885 CVE-2019-12972 CVE-2019-14250 CVE-2019-14444 CVE-2019-17450

CVE-2019-17451 CVE-2019-9074 CVE-2019-9075 CVE-2019-9077 CVE-2020-13844

CVE-2020-1971 CVE-2020-25692 CVE-2020-28196 CVE-2020-8284 CVE-2020-8285

CVE-2020-8286

1158830

This update for procps fixes the following issues:

- Fixes an issue when command 'ps -C' does not allow anymore an argument longer than 15 characters. (bsc#1158830)

1176123

This update for file fixes the following issues:

- Fixes an issue when file displays broken 'ELF' interpreter. (bsc#1176123)

This update adds the Google Cloud Storage packages to the Public Cloud module (jsc#ECO-2398).

The following packages were included:

- python3-grpcio

- python3-protobuf

- python3-google-api-core

- python3-google-cloud-core

- python3-google-cloud-storage

- python3-google-resumable-media

- python3-googleapis-common-protos

- python3-grpcio-gcp

- python3-mock (updated to version 3.0.5)

1174918,1176192,1176435,1176712,1176740,1176902,1177238,935885

This update for libsolv, libzypp, yaml-cpp, zypper fixes the following issues:

libzypp was updated to 17.25.1:

- When kernel-rt has been installed, the purge-kernels service fails during boot. (bsc#1176902)

- Use package name provides as group key in purge-kernel (bsc#1176740 bsc#1176192)

kernel-default-base has new packaging, where the kernel uname -r

does not reflect the full package version anymore. This patch

adds additional logic to use the most generic/shortest edition

each package provides with %{packagename}= to group the

kernel packages instead of the rpm versions.

This also changes how the keep-spec for specific versions is

applied, instead of matching the package versions, each of the

package name provides will be matched.

- RepoInfo: Return the type of the local metadata cache as

fallback (bsc#1176435)

- VendorAttr: Fix broken 'suse,opensuse' equivalence handling.

Enhance API and testcases. (bsc#1174918)

- Update docs regarding 'opensuse' namepace matching.

- Link against libzstd to close libsolvs open references

(as we link statically)

yaml-cpp:

- The libyaml-cpp0_6 library package is added the to the Basesystem module, LTSS and ESPOS

channels, and the INSTALLER channels, as a new libzypp dependency.

No source changes were done to yaml-cpp.

zypper was updated to 1.14.40:

- info: Assume descriptions starting with '

' are richtext

(bsc#935885)

- help: prevent 'whatis' from writing to stderr (bsc#1176712)

- wp: point out that command is aliased to a search command and

searches case-insensitive (jsc#SLE-16271)

libsolv was updated to 0.7.15 to fix:

- make testcase_mangle_repo_names deal correctly with freed repos

[bsc#1177238]

- fix deduceq2addedmap clearing bits outside of the map

- conda: feature depriorization first

- conda: fix startswith implementation

- move find_update_seeds() call in cleandeps calculation

- set SOLVABLE_BUILDHOST in rpm and rpmmd parsers- new testcase_mangle_repo_names() function

- new solv_fmemopen() function

1126826,1126829,1126831,1140126,1142649,1143609,1153768,1153770,1157755,1160254,1160590,1163333,1163744,CVE-2019-12972,CVE-2019-14250,CVE-2019-14444,CVE-2019-17450,CVE-2019-17451,CVE-2019-9074,CVE-2019-9075,CVE-2019-9077

This update for binutils fixes the following issues:

binutils was updated to version 2.35. (jsc#ECO-2373)

Update to binutils 2.35:

* The assembler can now produce DWARF-5 format line number tables.

* Readelf now has a 'lint' mode to enable extra checks of the files it is processing.

* Readelf will now display '[...]' when it has to truncate a symbol name.

The old behaviour - of displaying as many characters as possible, up to

the 80 column limit - can be restored by the use of the --silent-truncation

option.

* The linker can now produce a dependency file listing the inputs that it

has processed, much like the -M -MP option supported by the compiler.

- fix DT_NEEDED order with -flto [bsc#1163744]

Update to binutils 2.34:

* The disassembler (objdump --disassemble) now has an option to

generate ascii art thats show the arcs between that start and end

points of control flow instructions.

* The binutils tools now have support for debuginfod. Debuginfod is a

HTTP service for distributing ELF/DWARF debugging information as

well as source code. The tools can now connect to debuginfod

servers in order to download debug information about the files that

they are processing.

* The assembler and linker now support the generation of ELF format

files for the Z80 architecture.

- Add new subpackages for libctf and libctf-nobfd.

- Disable LTO due to bsc#1163333.

- Includes fixes for these CVEs:

bsc#1153768 aka CVE-2019-17451 aka PR25070

bsc#1153770 aka CVE-2019-17450 aka PR25078

- fix various build fails on aarch64 (PR25210, bsc#1157755).

Update to binutils 2.33.1:

* Adds support for the Arm Scalable Vector Extension version 2

(SVE2) instructions, the Arm Transactional Memory Extension (TME)

instructions and the Armv8.1-M Mainline and M-profile Vector

Extension (MVE) instructions.

* Adds support for the Arm Cortex-A76AE, Cortex-A77 and Cortex-M35P

processors and the AArch64 Cortex-A34, Cortex-A65, Cortex-A65AE,

Cortex-A76AE, and Cortex-A77 processors.

* Adds a .float16 directive for both Arm and AArch64 to allow

encoding of 16-bit floating point literals.

* For MIPS, Add -m[no-]fix-loongson3-llsc option to fix (or not)

Loongson3 LLSC Errata. Add a --enable-mips-fix-loongson3-llsc=[yes|no]

configure time option to set the default behavior. Set the default

if the configure option is not used to 'no'.

* The Cortex-A53 Erratum 843419 workaround now supports a choice of

which workaround to use. The option --fix-cortex-a53-843419 now

takes an optional argument --fix-cortex-a53-843419[=full|adr|adrp]

which can be used to force a particular workaround to be used.

See --help for AArch64 for more details.

* Add support for GNU_PROPERTY_AARCH64_FEATURE_1_BTI and

GNU_PROPERTY_AARCH64_FEATURE_1_PAC in ELF GNU program properties

in the AArch64 ELF linker.

* Add -z force-bti for AArch64 to enable GNU_PROPERTY_AARCH64_FEATURE_1_BTI

on output while warning about missing GNU_PROPERTY_AARCH64_FEATURE_1_BTI

on inputs and use PLTs protected with BTI.

* Add -z pac-plt for AArch64 to pick PAC enabled PLTs.

* Add --source-comment[=] option to objdump which if present,

provides a prefix to source code lines displayed in a disassembly.

* Add --set-section-alignment =

option to objcopy to allow the changing of section alignments.

* Add --verilog-data-width option to objcopy for verilog targets to

control width of data elements in verilog hex format.

* The separate debug info file options of readelf (--debug-dump=links

and --debug-dump=follow) and objdump (--dwarf=links and

--dwarf=follow-links) will now display and/or follow multiple

links if more than one are present in a file. (This usually

happens when gcc's -gsplit-dwarf option is used).

In addition objdump's --dwarf=follow-links now also affects its

other display options, so that for example, when combined with

--syms it will cause the symbol tables in any linked debug info

files to also be displayed. In addition when combined with

--disassemble the --dwarf= follow-links option will ensure that

any symbol tables in the linked files are read and used when

disassembling code in the main file.

* Add support for dumping types encoded in the Compact Type Format

to objdump and readelf.

- Includes fixes for these CVEs:

bsc#1126826 aka CVE-2019-9077 aka PR1126826

bsc#1126829 aka CVE-2019-9075 aka PR1126829

bsc#1126831 aka CVE-2019-9074 aka PR24235

bsc#1140126 aka CVE-2019-12972 aka PR23405

bsc#1143609 aka CVE-2019-14444 aka PR24829

bsc#1142649 aka CVE-2019-14250 aka PR90924

* Add xBPF target

* Fix various problems with DWARF 5 support in gas

* fix nm -B for objects compiled with -flto and -fcommon.

1104902,1154935,1165502,1167471,1173422,1176513,1176800

This update for systemd fixes the following issues:

- seccomp: shm{get,at,dt} now have their own numbers everywhere (bsc#1173422)

- test-seccomp: log function names

- test-seccomp: add log messages when skipping tests

- basic/virt: Detect PowerVM hypervisor (bsc#1176800)

- fs-util: suppress world-writable warnings if we read /dev/null

- udevadm: rename option '--log-priority' into '--log-level'

- udev: rename kernel option 'log_priority' into 'log_level'

- fstab-generator: add 'nofail' when NFS 'bg' option is used (bsc#1176513)

- Fix memory protection default (bsc#1167471)

- cgroup: Support 0-value for memory protection directives and accepts MemorySwapMax=0 (bsc#1154935)

- Improve latency and reliability when users log in/out (bsc#1104902, bsc#1165502)

References: 1177864

This update for ca-certificates-mozilla fixes the following issues:

The SSL Root CA store was updated to the 2.44 state of the Mozilla NSS Certificate store (bsc#1177864)

- Removed CAs:

- EE Certification Centre Root CA

- Taiwan GRCA

- Added CAs:

- Trustwave Global Certification Authority

- Trustwave Global ECC P256 Certification Authority

- Trustwave Global ECC P384 Certification Authority

References: 1174232

This update for findutils fixes the following issues:

- Do not unconditionally use leaf optimization for NFS. (bsc#1174232)

  NFS st_nlink values are not accurate on all implementations, leading to abort() calls if that assumption is made.

References: 1178387,CVE-2020-25692

This update for openldap2 fixes the following issues:

- CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387).

References: 1178512,CVE-2020-28196

This update for krb5 fixes the following security issue:

- CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512).

References: 1177458,1177490,1177510

This update for systemd fixes the following issues:

- build-sys: optionally disable support of journal over the network (bsc#1177458)

- ask-password: prevent buffer overflow when reading from keyring (bsc#1177510)

- mount: don't propagate errors from mount_setup_unit() further up

- Rely on the new build option --disable-remote for journal_remote

  This allows dropping the workaround that consisted in cleaning journal-upload files and {sysusers.d,tmpfiles.d}/systemd-remote.conf manually when 'journal_remote' support was disabled.

- Move journal-{remote,upload}.conf.5.gz man pages into systemd-journal_remote sub package

- Make sure {sysusers.d,tmpfiles.d}/systemd-remote.conf are not shipped with --without=journal_remote (bsc#1177458)

These files were incorrectly packaged in the main package when systemd-journal_remote was disabled.

- Make use of %{_unitdir} and %{_sysusersdir}

- Remove mq-deadline selection from 60-io-scheduler.rules (bsc#1177490)

References: 1174593,1177858,1178727

This update for pam and sudo fixes the following issues:

pam:

- pam_xauth: do not *free* a string which has been successfully passed to *putenv*. (bsc#1177858)

- Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727)

- Run /usr/bin/xauth using the old user's and group's identifiers. (bsc#1174593)

sudo:

- Fix a problem with pam_xauth which checks effective and real uids to get the real identity of the user. (bsc#1174593)

References: 1178376

This update for libusb-1_0 fixes the following issues:

- Fixes a build failure for libusb for the inclusion of 'sys/time.h' on PowerPC. (bsc#1178376)

This update for pam fixes the following issues:

- Check if the password is part of the username. (jsc#SLE-16719, jsc#SLE-16720)

- Check whether the password contains a substring of the user's name of at least `` characters length in some form. This is enabled by the new parameter `usersubstr=`

References: 1179515

This update for audit fixes the following issues:

- Enable AArch64 processor support. (bsc#1179515)

References: 1179036,1179341

This update for binutils fixes the following issues:

Update binutils 2.35 branch to commit 1c5243df:

* Fixes PR26520, aka [bsc#1179036], a problem in addr2line with certain DWARF variable descriptions.

* Also fixes PR26711, PR26656, PR26655, PR26929, PR26808, PR25878, PR26740, PR26778, PR26763, PR26685, PR26699, PR26902, PR26869, PR26711

* The above includes fixes for dwo files produced by modern dwp, fixing several problems in the DWARF reader.

Update binutils to 2.35.1 and rebased branch diff:

* This is a point release over the previous 2.35 version, containing bug fixes, and as an exception to the usual rule, one new feature. The new feature is the support for a new directive in the assembler: '.nop'. This directive creates a single no-op instruction in whatever encoding is correct for the target architecture. Unlike the .space or .fill this is a real instruction, and it does affect the generation of DWARF line number tables, should they be enabled. This fixes an incompatibility introduced in the latest update that broke the install scripts of the Oracle server. [bsc#1179341]

References: 1179431

This update for aaa_base fixes the following issue:

- Avoid semicolon within (t)csh login script on S/390. (bsc#1179431)

References: 1179491,CVE-2020-1971

This update for openssl-1_1 fixes the following issues:

- CVE-2020-1971: Fixed a null pointer dereference in EDIPARTYNAME (bsc#1179491).

References: 1179398,1179399,1179593,CVE-2020-8284,CVE-2020-8285,CVE-2020-8286

This update for curl fixes the following issues:

- CVE-2020-8286: Fixed improper OCSP verification in the client side (bsc#1179593).

- CVE-2020-8285: Fixed a stack overflow due to FTP wildcard (bsc#1179399).

- CVE-2020-8284: Fixed an issue where a malicious FTP server could make curl connect to a different IP (bsc#1179398).

References: 1150164,1161913,1167939,1172798,1178577,1178614,1178624,1178675,CVE-2020-13844

This update for gcc7 fixes the following issues:

- CVE-2020-13844: Added mitigation for aarch64 Straight Line Speculation issue (bsc#1172798)

- Enable fortran for the nvptx offload compiler.

- Update README.First-for.SuSE.packagers

- Avoid assembler errors with AVX512 gather and scatter instructions when using -masm=intel.

- Backport the aarch64 -moutline-atomics feature and accumulated fixes but not its default enabling. [jsc#SLE-12209, bsc#1167939]

- Fixed 32bit libgnat.so link. [bsc#1178675]

- Fixed memcpy miscompilation on aarch64. [bsc#1178624, bsc#1178577]

- Fixed debug line info for try/catch. [bsc#1178614]

- Remove -mbranch-protection=standard (aarch64 flag) when gcc7 is used to build gcc7 (i.e. when ada is enabled)

- Fixed corruption of pass private ->aux via DF. [gcc#94148]

- Fixed debug information issue with inlined functions and passed by reference arguments. [gcc#93888]

- Fixed binutils release date detection issue.

- Fixed register allocation issue with exception handling code on s390x. [bsc#1161913]

- Fixed miscompilation of some atomic code on aarch64. [bsc#1150164]
