Linux Security

    SUSE: 2020:844-1 caasp/v4.5/prometheus-server Security Update

    Date 12 Dec 2020
    Posted By LinuxSecurity Advisories
    The container caasp/v4.5/prometheus-server was updated. The following patches have been included in this update:
    SUSE Container Update Advisory: caasp/v4.5/prometheus-server
    -----------------------------------------------------------------
    Container Advisory ID : SUSE-CU-2020:844-1
    Container Tags        : caasp/v4.5/prometheus-server:2.18.0 , caasp/v4.5/prometheus-server:2.18.0-rev3 , caasp/v4.5/prometheus-server:2.18.0-rev3-build5.5.1
    Container Release     : 5.5.1
    Severity              : important
    Type                  : security
    References            : 1011548 1100369 1104902 1109160 1118367 1118368 1128220 1142733
                            1146991 1153943 1153946 1154935 1156205 1157051 1158336 1158830
                            1161168 1161239 1165424 1165502 1165580 1167471 1170667 1170713
                            1170964 1171313 1171740 1171762 1172195 1172798 1172824 1172846
                            1172958 1173273 1173307 1173311 1173422 1173470 1173529 1173539
                            1173972 1173983 1174079 1174154 1174232 1174240 1174551 1174561
                            1174593 1174736 1174753 1174817 1174918 1174918 1175109 1175110
                            1175168 1175342 1175443 1175568 1175592 1175811 1175830 1175831
                            1175844 1176086 1176092 1176123 1176179 1176181 1176192 1176410
                            1176435 1176513 1176671 1176674 1176712 1176740 1176800 1176902
                            1177143 1177238 1177458 1177479 1177490 1177510 1177858 1177864
                            1178376 1178387 1178512 1178727 1179398 1179399 1179431 1179491
                            1179515 1179593 906079 935885 CVE-2017-3136 CVE-2018-5741 CVE-2019-6477
                            CVE-2020-13844 CVE-2020-15719 CVE-2020-1971 CVE-2020-24659 CVE-2020-24977
                            CVE-2020-25219 CVE-2020-25692 CVE-2020-26154 CVE-2020-28196 CVE-2020-8027
                            CVE-2020-8231 CVE-2020-8284 CVE-2020-8285 CVE-2020-8286 CVE-2020-8616
                            CVE-2020-8617 CVE-2020-8618 CVE-2020-8619 CVE-2020-8620 CVE-2020-8621
                            CVE-2020-8622 CVE-2020-8623 CVE-2020-8624 
    -----------------------------------------------------------------
    
    The container caasp/v4.5/prometheus-server was updated. The following patches have been included in this update:
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-RU-2020:2384-1
    Released:    Sat Aug 29 00:57:13 2020
    Summary:     Recommended update for e2fsprogs
    Type:        recommended
    Severity:    low
    References:  1170964
    This update for e2fsprogs fixes the following issues:
    
    - Fix for an issue where system messages with placeholders were not properly replaced. (bsc#1170964)
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-RU-2020:2411-1
    Released:    Tue Sep  1 13:28:47 2020
    Summary:     Recommended update for systemd
    Type:        recommended
    Severity:    moderate
    References:  1142733,1146991,1158336,1172195,1172824,1173539
    This update for systemd fixes the following issues:
    
    - Improve logging when PID1 fails at setting a namespace up when spawning a command specified by
      'Exec*='. (bsc#1172824, bsc#1142733)
      
      pid1: improve message when setting up namespace fails.
      
      execute: let's close glibc syslog channels too.
      
      execute: normalize logging in *execute.c*.
      
      execute: fix typo in error message.
      
      execute: drop explicit *log_open()*/*log_close()* now that it is unnecessary.
      
      execute: make use of the new logging mode in *execute.c*
      
      log: add a mode where we open the log fds for every single log message.
      
      log: let's make use of the fact that our functions return the negative error code for *log_oom()* too.
      
      execute: downgrade a log message ERR → WARNING, since we proceed ignoring its result.
      
      execute: rework logging in *setup_keyring()* to include unit info.
      
      execute: improve and augment execution log messages.
      
    - vconsole-setup: downgrade log message when setting font fails on dummy console. (bsc#1172195 bsc#1173539)
    - fix infinite timeout. (bsc#1158336)
    - bpf: mount bpffs by default on boot. (bsc#1146991)
    - man: explain precedence for options which take a list.
    - man: unify titling, fix description of precedence in sysusers.d(5)
    - udev-event: fix timeout log messages.
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-RU-2020:2420-1
    Released:    Tue Sep  1 13:48:35 2020
    Summary:     Recommended update for zlib
    Type:        recommended
    Severity:    moderate
    References:  1174551,1174736
    This update for zlib provides the following fixes:
    
    - Permit a deflateParams() parameter change as soon as possible. (bsc#1174736)
    - Fix DFLTCC not flushing EOBS when creating raw streams. (bsc#1174551)
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-SU-2020:2445-1
    Released:    Wed Sep  2 09:33:02 2020
    Summary:     Security update for curl
    Type:        security
    Severity:    moderate
    References:  1175109,CVE-2020-8231
    This update for curl fixes the following issues:
    
    - An application that performs multiple requests with libcurl's
      multi API and sets the 'CURLOPT_CONNECT_ONLY' option, might in
      rare circumstances experience that when subsequently using the
      setup connect-only transfer, libcurl will pick and use the wrong
      connection and instead pick another one the application has
      created since then. [bsc#1175109, CVE-2020-8231]
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-SU-2020:2581-1
    Released:    Wed Sep  9 13:07:07 2020
    Summary:     Security update for openldap2
    Type:        security
    Severity:    moderate
    References:  1174154,CVE-2020-15719
    This update for openldap2 fixes the following issues:
    
    - bsc#1174154 - CVE-2020-15719 - This resolves an issue where TLS hostname
      verification fell back to the certificate's CN even when X.509 subjectAltName
      (SAN) entries were present, in violation of RFC 6125.
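
    The matching rule that CVE-2020-15719 violated, as an added example (not OpenLDAP's libldap code or SUSE's patch): a minimal RFC 6125 reference-identifier check with the vulnerable CN fallback beside the correct one. The PeerCert record is a constructed stand-in for the identity fields of a certificate; nothing here parses real X.509, and the wildcard rules are the usual RFC 6125 ones, not a transcription of libldap's.

```python
"""RFC 6125 reference-identifier matching and the CN fallback in CVE-2020-15719.

Added example, not OpenLDAP (libldap) or SUSE code. Certificates are stood in
for by the constructed PeerCert record below, so nothing here parses X.509.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PeerCert:
    """Constructed stand-in for the identity fields of a server certificate."""
    cn: Optional[str]                                  # subject commonName, may be absent
    san_dns: List[str] = field(default_factory=list)   # subjectAltName dNSName entries


def _presented_id_matches(pattern: str, hostname: str) -> bool:
    """Match one presented identifier against the reference hostname.

    Comparison is case-insensitive and ignores a trailing dot. A wildcard is
    honoured only as the entire left-most label ("*.example.com"): it never
    matches across a dot, and at least two labels must follow it, so "*.com"
    cannot be used to impersonate every .com host.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(p_labels) < 3 or len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def verify_hostname_vulnerable(cert: PeerCert, hostname: str) -> bool:
    """Pre-fix behaviour: the CN is consulted even when SAN entries exist.

    If the CN was not vetted to the same standard as the SANs, a certificate
    for some other name whose CN carries the victim's hostname is accepted.
    """
    if any(_presented_id_matches(n, hostname) for n in cert.san_dns):
        return True
    return cert.cn is not None and _presented_id_matches(cert.cn, hostname)


def verify_hostname_rfc6125(cert: PeerCert, hostname: str) -> bool:
    """Fixed behaviour: if any dNSName SAN is present, the CN is ignored."""
    if cert.san_dns:
        return any(_presented_id_matches(n, hostname) for n in cert.san_dns)
    # Legacy fallback only: the CN counts as an identity when there is no SAN at all.
    return cert.cn is not None and _presented_id_matches(cert.cn, hostname)


if __name__ == "__main__":
    spoof = PeerCert(cn="ldap.example.com", san_dns=["other.example.net"])
    print("vulnerable:", verify_hostname_vulnerable(spoof, "ldap.example.com"))  # True
    print("rfc6125:   ", verify_hostname_rfc6125(spoof, "ldap.example.com"))    # False
```

    The spoof case in the usage block is the whole issue: a SAN that does not match should end the check, and the CN must not get a second chance.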
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-SU-2020:2612-1
    Released:    Fri Sep 11 11:18:01 2020
    Summary:     Security update for libxml2
    Type:        security
    Severity:    moderate
    References:  1176179,CVE-2020-24977
    This update for libxml2 fixes the following issues:
    
    - CVE-2020-24977: Fixed a global-buffer-overflow in xmlEncodeEntitiesInternal (bsc#1176179).  
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-RU-2020:2638-1
    Released:    Tue Sep 15 15:41:32 2020
    Summary:     Recommended update for cryptsetup
    Type:        recommended
    Severity:    moderate
    References:  1165580
    This update for cryptsetup fixes the following issues:
    
    Update from version 2.0.5 to version 2.0.6. (jsc#SLE-5911, bsc#1165580)
    
    - Fix support of larger metadata areas in *LUKS2* header.
    
      This release properly supports all specified metadata areas, as documented
      in *LUKS2* format description.
      Currently, only default metadata area size is used (in format or convert).
      Later cryptsetup versions will allow increasing this metadata area size.
    
    - If *AEAD* (authenticated encryption) is used, cryptsetup now tries to check
      if the requested *AEAD* algorithm with specified key size is available in kernel crypto API.
      This change avoids formatting a device that cannot be later activated.
    
      For this function, the kernel must be compiled with the *CONFIG_CRYPTO_USER_API_AEAD* option enabled. 
      Note that kernel user crypto API options (*CONFIG_CRYPTO_USER_API* and *CONFIG_CRYPTO_USER_API_SKCIPHER*) 
      are already mandatory for LUKS2.
    
    - Fix setting of integrity no-journal flag. Now you can store this flag to metadata using *\--persistent* option.
    
    - Fix cryptsetup-reencrypt to not keep temporary reencryption headers if interrupted during initial password prompt.
    
    - Add an early check to plain and LUKS2 formats that refuses to format a device whose size is not
      aligned to the requested sector size. Previously this was possible, and the kernel then refused to
      activate the device.
    
    - Check hash algorithm availability for *PBKDF* early. Previously *LUKS2* format accepted a non-existent
      hash algorithm, producing an invalid keyslot that prevented the device from activating.
    
    - Allow Adiantum cipher construction (a non-authenticated length-preserving fast encryption scheme), so it can be used
      both for data encryption and keyslot encryption in *LUKS1/2* devices.
    
      For benchmark, use:
        
          # cryptsetup benchmark -c xchacha12,aes-adiantum
          # cryptsetup benchmark -c xchacha20,aes-adiantum
    
      For LUKS format:
      
          # cryptsetup luksFormat -c xchacha20,aes-adiantum-plain64 -s 256 
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-RU-2020:2651-1
    Released:    Wed Sep 16 14:42:55 2020
    Summary:     Recommended update for zlib
    Type:        recommended
    Severity:    moderate
    References:  1175811,1175830,1175831
    This update for zlib fixes the following issues:
    
    - Fix compression level switching (bsc#1175811, bsc#1175830, bsc#1175831)
    - Enable hardware compression on s390/s390x (jsc#SLE-13776)
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-RU-2020:2704-1
    Released:    Tue Sep 22 15:06:36 2020
    Summary:     Recommended update for krb5
    Type:        recommended
    Severity:    moderate
    References:  1174079
    This update for krb5 fixes the following issue:
    
    - Fix prefix reported by krb5-config, libraries and headers are not installed under /usr/lib/mit prefix. (bsc#1174079)
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-SU-2020:2712-1
    Released:    Tue Sep 22 17:08:03 2020
    Summary:     Security update for openldap2
    Type:        security
    Severity:    moderate
    References:  1175568,CVE-2020-8027
    This update for openldap2 fixes the following issues:
    
    - CVE-2020-8027: openldap_update_modules_path.sh starts daemons unconditionally and uses fixed paths in /tmp (bsc#1175568).
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-RU-2020:2819-1
    Released:    Thu Oct  1 10:39:16 2020
    Summary:     Recommended update for libzypp, zypper
    Type:        recommended
    Severity:    moderate
    References:  1165424,1173273,1173529,1174240,1174561,1174918,1175342,1175592
    This update for libzypp, zypper provides the following fixes:
    
    Changes in libzypp:
    - VendorAttr: Const-correct API and let Target provide its settings. (bsc#1174918)
    - Support buildnr with commit hash in purge-kernels. This adds special behaviour for when
      a kernel version has the rebuild counter before the kernel commit hash. (bsc#1175342)
    - Improve Italian translation of the 'breaking dependencies' message. (bsc#1173529)
    - Make sure reading from lsof does not block forever. (bsc#1174240)
    - Just collect details for the signatures found.
    
    Changes in zypper:
    - man: Enhance description of the global package cache. (bsc#1175592)
    - man: Point out that plain rpm packages are not downloaded to the global package cache.
      (bsc#1173273)
    - Directly list subcommands in 'zypper help'. (bsc#1165424)
    - Remove extern C block wrapping augeas.h as it breaks the build on Arch Linux.
    - Point out that plaindir repos do not follow symlinks. (bsc#1174561)
    - Fix help command for list-patches.
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-RU-2020:2850-1
    Released:    Fri Oct  2 12:26:03 2020
    Summary:     Recommended update for lvm2
    Type:        recommended
    Severity:    moderate
    References:  1175110
    This update for lvm2 fixes the following issues:
    
    - Fixed an issue where LVM hot spares were not added automatically. (bsc#1175110)
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-RU-2020:2852-1
    Released:    Fri Oct  2 16:55:39 2020
    Summary:     Recommended update for openssl-1_1
    Type:        recommended
    Severity:    moderate
    References:  1173470,1175844
    This update for openssl-1_1 fixes the following issues:
    
    FIPS:
    
    * Include ECDH/DH Requirements from SP800-56Arev3 (bsc#1175844, bsc#1173470).
    * Add shared secret KAT to FIPS DH selftest (bsc#1175844).
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-SU-2020:2864-1
    Released:    Tue Oct  6 10:34:14 2020
    Summary:     Security update for gnutls
    Type:        security
    Severity:    moderate
    References:  1176086,1176181,1176671,CVE-2020-24659
    This update for gnutls fixes the following issues:
    
    - Fix heap buffer overflow in handshake with no_renegotiation alert sent (CVE-2020-24659 bsc#1176181)
    - FIPS: Implement (EC)DH requirements from SP800-56Arev3 (bsc#1176086)
    - FIPS: Use 2048 bit prime in DH selftest (bsc#1176086)
    - FIPS: Add TLS KDF selftest (bsc#1176671)
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-RU-2020:2869-1
    Released:    Tue Oct  6 16:13:20 2020
    Summary:     Recommended update for aaa_base
    Type:        recommended
    Severity:    moderate
    References:  1011548,1153943,1153946,1161239,1171762
    This update for aaa_base fixes the following issues:
    
    - DIR_COLORS (bug#1006973):
      
      - add screen.xterm-256color
      - add TERM rxvt-unicode-256color
      - sort and merge TERM entries in etc/DIR_COLORS
      
    - check for Packages.db and use this instead of Packages. (bsc#1171762)
    - Rename path() to _path() to avoid using a general name.
    - refresh_initrd call modprobe as /sbin/modprobe (bsc#1011548)
    - etc/profile add some missing ;; in case esac statements
    - profile and csh.login: on s390x set TERM to dumb on dumb terminal (bsc#1153946)
    - backup-rpmdb: exit if zypper is running (bsc#1161239)
    - Add color alias for ip command (jsc#sle-9880, jsc#SLE-7679, bsc#1153943)
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-RU-2020:2893-1
    Released:    Mon Oct 12 14:14:55 2020
    Summary:     Recommended update for openssl-1_1
    Type:        recommended
    Severity:    moderate
    References:  1177479
    This update for openssl-1_1 fixes the following issues:
    
    - Restore private key check in EC_KEY_check_key (bsc#1177479)
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-SU-2020:2901-1
    Released:    Tue Oct 13 14:22:43 2020
    Summary:     Security update for libproxy
    Type:        security
    Severity:    important
    References:  1176410,1177143,CVE-2020-25219,CVE-2020-26154
    This update for libproxy fixes the following issues:
    
    - CVE-2020-25219: Rewrote url::recvline to be nonrecursive (bsc#1176410).
    - CVE-2020-26154: Fixed a buffer overflow when PAC is enabled (bsc#1177143).
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-SU-2020:2914-1
    Released:    Tue Oct 13 17:25:20 2020
    Summary:     Security update for bind
    Type:        security
    Severity:    moderate
    References:  1100369,1109160,1118367,1118368,1128220,1156205,1157051,1161168,1170667,1170713,1171313,1171740,1172958,1173307,1173311,1173983,1175443,1176092,1176674,906079,CVE-2017-3136,CVE-2018-5741,CVE-2019-6477,CVE-2020-8616,CVE-2020-8617,CVE-2020-8618,CVE-2020-8619,CVE-2020-8620,CVE-2020-8621,CVE-2020-8622,CVE-2020-8623,CVE-2020-8624
    This update for bind fixes the following issues:
    
    BIND was upgraded to version 9.16.6:
    
    Note:
    
    - bind is now more strict in regards to DNSSEC. If queries are not working,
      check for DNSSEC issues. For instance, if bind is used in a nameserver
      forwarder chain, the forwarding DNS servers must support DNSSEC.
    
    Fixing security issues:
    
    - CVE-2020-8616: Further limit the number of queries that can be triggered from
      a request. Root and TLD servers are no longer exempt from
      max-recursion-queries. Fetches for missing name server address records
      are limited to 4 for any domain. (bsc#1171740)
    - CVE-2020-8617: Replaying a TSIG BADTIME response as a request could trigger an
      assertion failure. (bsc#1171740)
    - CVE-2019-6477: Fixed an issue where TCP-pipelined queries could bypass 
      the tcp-clients limit (bsc#1157051).
    - CVE-2018-5741: Fixed the documentation (bsc#1109160).
    - CVE-2020-8618: It was possible to trigger an INSIST when determining
      whether a record would fit into a TCP message buffer (bsc#1172958).
    - CVE-2020-8619: It was possible to trigger an INSIST in
      lib/dns/rbtdb.c:new_reference() with a particular zone content
      and query patterns (bsc#1172958).
    - CVE-2020-8624: 'update-policy' rules of type 'subdomain' were
      incorrectly treated as 'zonesub' rules, which allowed
      keys used in 'subdomain' rules to update names outside
      of the specified subdomains. The problem was fixed by
      making sure 'subdomain' rules are again processed as
      described in the ARM (bsc#1175443).
    - CVE-2020-8623: When BIND 9 was compiled with native PKCS#11 support, it
      was possible to trigger an assertion failure in code
      determining the number of bits in the PKCS#11 RSA public
      key with a specially crafted packet (bsc#1175443).
    - CVE-2020-8621: named could crash in certain query resolution scenarios
      where QNAME minimization and forwarding were both
      enabled (bsc#1175443).
    - CVE-2020-8620: It was possible to trigger an assertion failure by
      sending a specially crafted large TCP DNS message (bsc#1175443).
    - CVE-2020-8622: It was possible to trigger an assertion failure when
      verifying the response to a TSIG-signed request (bsc#1175443).
    
    Other issues fixed:
    
    - Add engine support to OpenSSL EdDSA implementation.
    - Add engine support to OpenSSL ECDSA implementation.
    - Update PKCS#11 EdDSA implementation to PKCS#11 v3.0.
    - Warn about AXFR streams with inconsistent message IDs.
    - Make ISC rwlock implementation the default again.
    - Fixed issues when using cookie-secrets for AES and SHA2 (bsc#1161168)
    - Installed the default files in /var/lib/named and created 
      chroot environment on systems using transactional-updates (bsc#1100369, fate#325524)
    - Fixed an issue where bind was not working in FIPS mode (bsc#906079).
    - Fixed dependency issues (bsc#1118367 and bsc#1118368).
    - Legacy GeoIP support is discontinued; GeoIP2 is now used (bsc#1156205).
    - Fixed an issue with FIPS (bsc#1128220).
    - The liblwres library is discontinued upstream and is no longer included.
    - Added service dependency on NTP to make sure the clock is accurate when bind starts (bsc#1170667, bsc#1170713).
    - Reject DS records at the zone apex when loading master files. Log but otherwise ignore attempts to add DS records at the zone apex via UPDATE.
    - The default value of 'max-stale-ttl' has been changed from 1 week to 12 hours.
    - Zone timers are now exported via statistics channel.
    - The 'primary' and 'secondary' keywords, when used as parameters for 'check-names', were not processed correctly and were being ignored.
    - 'rndc dnstap -roll' did not limit the number of saved files to the requested count.
    - Add 'rndc dnssec -status' command.
    - Addressed a couple of situations where named could crash.
    - Changed /var/lib/named to owner root:named and perms rwxrwxr-t
      so that named, being a member (and normally the only one) of the 'named' group,
      has full r/w access yet cannot change directories owned by root
      in the case of a compromised named.
      [bsc#1173307, bind-chrootenv.conf]
    - Added '/etc/bind.keys' to NAMED_CONF_INCLUDE_FILES in /etc/sysconfig/named to suppress the warning message about the missing file (bsc#1173983).
    - Removed '-r /dev/urandom' from all invocations of rndc-confgen
      (init/named system/lwresd.init system/named.init in vendor-files)
      as this option is deprecated and causes rndc-confgen to fail.
      (bsc#1173311, bsc#1176674, bsc#1170713)
    - /usr/bin/genDDNSkey: Removing the use of the -r option in the call
      of /usr/sbin/dnssec-keygen as BIND now uses the random number
      functions provided by the crypto library (i.e., OpenSSL or a
      PKCS#11 provider) as a source of randomness rather than /dev/random.
      Therefore the -r command line option no longer has any effect on
      dnssec-keygen. Leaving the option in genDDNSkey as to not break
      compatibility. Patch provided by Stefan Eisenwiener.
      [bsc#1171313]
    - Put libns into a separate subpackage to avoid file conflicts
      in the libisc subpackage due to different sonums (bsc#1176092).
    - Require /sbin/start_daemon: both init scripts, the one used in
      systemd context as well as legacy sysv, make use of start_daemon.
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-SU-2020:2947-1
    Released:    Fri Oct 16 15:23:07 2020
    Summary:     Security update for gcc10, nvptx-tools
    Type:        security
    Severity:    moderate
    References:  1172798,1172846,1173972,1174753,1174817,1175168,CVE-2020-13844
    This update for gcc10, nvptx-tools fixes the following issues:
    
    This update provides the GCC10 compiler suite and runtime libraries.
    
    The base SUSE Linux Enterprise libraries libgcc_s1, libstdc++6 are replaced by
    the gcc10 variants.
    
    The new compiler variants are available with '-10' suffix, you can specify them
    via:
    
    	CC=gcc-10
    	CXX=g++-10
    
    or similar commands.
    
    For a detailed changelog check out https://gcc.gnu.org/gcc-10/changes.html
    
    Changes in nvptx-tools:
    
    - Enable build on aarch64
      
    -----------------------------------------------------------------
    Advisory ID: SUSE-RU-2020:2958-1
    Released:    Tue Oct 20 12:24:55 2020
    Summary:     Recommended update for procps
    Type:        recommended
    Severity:    moderate
    References:  1158830
    This update for procps fixes the following issues:
    
    - Fixes an issue where 'ps -C' no longer accepted an argument longer than 15 characters. (bsc#1158830)
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-RU-2020:2983-1
    Released:    Wed Oct 21 15:03:03 2020
    Summary:     Recommended update for file
    Type:        recommended
    Severity:    moderate
    References:  1176123
    This update for file fixes the following issues:
    
    - Fixes an issue where file displayed the ELF interpreter incorrectly. (bsc#1176123)
      
    -----------------------------------------------------------------
    Advisory ID: SUSE-RU-2020:3048-1
    Released:    Tue Oct 27 16:04:52 2020
    Summary:     Recommended update for libsolv, libzypp, yaml-cpp, zypper
    Type:        recommended
    Severity:    moderate
    References:  1174918,1176192,1176435,1176712,1176740,1176902,1177238,935885
    This update for libsolv, libzypp, yaml-cpp, zypper fixes the following issues:
    
    libzypp was updated to 17.25.1:
    
    - When kernel-rt has been installed, the purge-kernels service fails during boot. (bsc#1176902)
    - Use package name provides as group key in purge-kernel (bsc#1176740 bsc#1176192)
      kernel-default-base has new packaging, where the kernel uname -r
      does not reflect the full package version anymore. This patch
      adds additional logic to use the most generic/shortest edition
      each package provides with %{packagename}= to group the
      kernel packages instead of the rpm versions.
      This also changes how the keep-spec for specific versions is
      applied, instead of matching the package versions, each of the
      package name provides will be matched.
    - RepoInfo: Return the type of the local metadata cache as
      fallback (bsc#1176435)
    - VendorAttr: Fix broken 'suse,opensuse' equivalence handling.
      Enhance API and testcases. (bsc#1174918)
    - Update docs regarding 'opensuse' namespace matching.
    - Link against libzstd to close libsolvs open references
      (as we link statically)
    
    yaml-cpp:
    
    - The libyaml-cpp0_6 library package is added to the Basesystem module, LTSS and ESPOS
      channels, and the INSTALLER channels, as a new libzypp dependency.
    
      No source changes were done to yaml-cpp.
    
    zypper was updated to 1.14.40:
    
    - info: Assume descriptions starting with '' are richtext (bsc#935885)
    - help: prevent 'whatis' from writing to stderr (bsc#1176712)
    - wp: point out that command is aliased to a search command and searches case-insensitive (jsc#SLE-16271)
    
    libsolv was updated to 0.7.15 to fix:
    
    - make testcase_mangle_repo_names deal correctly with freed repos [bsc#1177238]
    - fix deduceq2addedmap clearing bits outside of the map
    - conda: feature depriorization first
    - conda: fix startswith implementation
    - move find_update_seeds() call in cleandeps calculation
    - set SOLVABLE_BUILDHOST in rpm and rpmmd parsers
    - new testcase_mangle_repo_names() function
    - new solv_fmemopen() function
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-RU-2020:3138-1
    Released:    Tue Nov  3 12:14:03 2020
    Summary:     Recommended update for systemd
    Type:        recommended
    Severity:    moderate
    References:  1104902,1154935,1165502,1167471,1173422,1176513,1176800
    This update for systemd fixes the following issues:
    
    - seccomp: shm{get,at,dt} now have their own numbers everywhere (bsc#1173422)
    - test-seccomp: log function names
    - test-seccomp: add log messages when skipping tests
    - basic/virt: Detect PowerVM hypervisor (bsc#1176800)
    - fs-util: suppress world-writable warnings if we read /dev/null
    - udevadm: rename option '--log-priority' into '--log-level'
    - udev: rename kernel option 'log_priority' into 'log_level'
    - fstab-generator: add 'nofail' when NFS 'bg' option is used (bsc#1176513)
    - Fix memory protection default (bsc#1167471)
    - cgroup: Support 0-value for memory protection directives and accepts MemorySwapMax=0 (bsc#1154935)
    - Improve latency and reliability when users log in/out (bsc#1104902, bsc#1165502)
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-RU-2020:3157-1
    Released:    Wed Nov  4 15:37:05 2020
    Summary:     Recommended update for ca-certificates-mozilla
    Type:        recommended
    Severity:    moderate
    References:  1177864
    This update for ca-certificates-mozilla fixes the following issues:
    
    The SSL Root CA store was updated to the 2.44 state of the Mozilla NSS Certificate store (bsc#1177864)
    
    - Removed CAs:
      - EE Certification Centre Root CA
      - Taiwan GRCA
    - Added CAs:
      - Trustwave Global Certification Authority
      - Trustwave Global ECC P256 Certification Authority
      - Trustwave Global ECC P384 Certification Authority
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-RU-2020:3290-1
    Released:    Wed Nov 11 12:25:32 2020
    Summary:     Recommended update for findutils
    Type:        recommended
    Severity:    moderate
    References:  1174232
    This update for findutils fixes the following issues:
    
    - Do not unconditionally use leaf optimization for NFS. (bsc#1174232)
      NFS st_nlink are not accurate on all implementations, leading to aborts() if that assumption is made.
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-SU-2020:3313-1
    Released:    Thu Nov 12 16:07:37 2020
    Summary:     Security update for openldap2
    Type:        security
    Severity:    important
    References:  1178387,CVE-2020-25692
    This update for openldap2 fixes the following issues:
    
    - CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387).
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-SU-2020:3377-1
    Released:    Thu Nov 19 09:29:32 2020
    Summary:     Security update for krb5
    Type:        security
    Severity:    moderate
    References:  1178512,CVE-2020-28196
    This update for krb5 fixes the following security issue:
    
    - CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512).
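
    The failure class behind the krb5 fix above (CVE-2020-28196: recursion driven by attacker-controlled ASN.1 nesting depth), as an added example that is not krb5 or SUSE code: a small DER walker whose only defence is a depth bound, plus a constructed generator of deeply nested SEQUENCEs to exercise it. The limit MAX_DEPTH, the helper names and the sample messages are all assumptions made for the illustration, not krb5 settings.

```python
"""Depth-bounded DER walker: the failure class behind CVE-2020-28196.

Added example, not krb5 or SUSE code. The depth limit, the helpers and the
sample messages are constructed here for illustration.
"""
from typing import List, Tuple

MAX_DEPTH = 32  # assumed policy value: far deeper than any real Kerberos PDU


class Asn1Error(ValueError):
    """Malformed or over-nested DER input."""


def _read_length(data: bytes, pos: int) -> Tuple[int, int]:
    """Decode a DER length starting at data[pos]; return (length, next position)."""
    if pos >= len(data):
        raise Asn1Error("truncated length")
    first = data[pos]
    pos += 1
    if first < 0x80:                       # short form
        return first, pos
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or pos + n > len(data):
        raise Asn1Error("bad long-form length")
    return int.from_bytes(data[pos:pos + n], "big"), pos + n


def walk(data: bytes, depth: int = 0, max_depth: int = MAX_DEPTH) -> List[Tuple[int, int]]:
    """Parse every TLV in data, descending into constructed ones.

    Returns (depth, tag) pairs in encounter order. The depth check is the
    whole fix: without it, each nesting level costs one stack frame, so an
    unauthenticated message of a few thousand nested SEQUENCEs exhausts the
    stack of a native parser before any key or signature is examined.
    """
    if depth > max_depth:
        raise Asn1Error(f"nesting deeper than {max_depth}")
    found: List[Tuple[int, int]] = []
    pos = 0
    while pos < len(data):
        tag = data[pos]
        if tag & 0x1F == 0x1F:
            raise Asn1Error("multi-byte tags are out of scope for this example")
        length, pos = _read_length(data, pos + 1)
        if pos + length > len(data):
            raise Asn1Error("value runs past end of buffer")
        found.append((depth, tag))
        if tag & 0x20:                     # constructed bit set: recurse
            found.extend(walk(data[pos:pos + length], depth + 1, max_depth))
        pos += length
    return found


def is_accepted(data: bytes, max_depth: int = MAX_DEPTH) -> bool:
    """True if the message parses within the bound, False if it is rejected.

    RecursionError is caught only to make the unbounded case observable from
    Python; a native parser has no such safety net and simply crashes.
    """
    try:
        walk(data, max_depth=max_depth)
        return True
    except (Asn1Error, RecursionError):
        return False


def der_length(n: int) -> bytes:
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def nested_sequences(levels: int, payload: bytes = b"\x02\x01\x05") -> bytes:
    """Constructed input: payload (default INTEGER 5) wrapped in `levels` SEQUENCEs."""
    msg = payload
    for _ in range(levels):
        msg = b"\x30" + der_length(len(msg)) + msg
    return msg


if __name__ == "__main__":
    print(walk(nested_sequences(2)))                             # [(0, 48), (1, 48), (2, 2)]
    print(is_accepted(nested_sequences(10), max_depth=9))        # False: over the bound
    print(is_accepted(nested_sequences(5000), max_depth=10**6))  # False: unbounded walk dies
```

    The last call is the pre-fix situation: with an effectively unlimited bound the walker runs until the interpreter's own recursion limit stops it, which a C decoder does not have.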
    -----------------------------------------------------------------
    Advisory ID: SUSE-RU-2020:3381-1
    Released:    Thu Nov 19 10:53:38 2020
    Summary:     Recommended update for systemd
    Type:        recommended
    Severity:    moderate
    References:  1177458,1177490,1177510
    This update for systemd fixes the following issues:
    
    - build-sys: optionally disable support of journal over the network (bsc#1177458)
    - ask-password: prevent buffer overflow when reading from keyring (bsc#1177510)
    - mount: don't propagate errors from mount_setup_unit() further up
    - Rely on the new build option --disable-remote for journal_remote.
      This allows dropping the workaround that consisted in cleaning journal-upload files and
      {sysusers.d,tmpfiles.d}/systemd-remote.conf manually when 'journal_remote' support was disabled.
    - Move journal-{remote,upload}.conf.5.gz man pages into systemd-journal_remote sub package
    - Make sure {sysusers.d,tmpfiles.d}/systemd-remote.conf are not shipped with --without=journal_remote (bsc#1177458)
      These files were incorrectly packaged in the main package when systemd-journal_remote was disabled.
    - Make use of %{_unitdir} and %{_sysusersdir}
    - Remove mq-deadline selection from 60-io-scheduler.rules (bsc#1177490)
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-RU-2020:3462-1
    Released:    Fri Nov 20 13:14:35 2020
    Summary:     Recommended update for pam and sudo
    Type:        recommended
    Severity:    moderate
    References:  1174593,1177858,1178727
    This update for pam and sudo fixes the following issues:
    
    pam:
    
    - pam_xauth: do not *free* a string which has been successfully passed to *putenv*. (bsc#1177858)
    - Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727)
    - Run /usr/bin/xauth using the old user's and group's identifiers. (bsc#1174593)
    
    sudo:
    
    - Fix a problem with pam_xauth which checks effective and real uids to get the real identity of the user. (bsc#1174593)
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-RU-2020:3581-1
    Released:    Tue Dec  1 14:40:22 2020
    Summary:     Recommended update for libusb-1_0
    Type:        recommended
    Severity:    moderate
    References:  1178376
    This update for libusb-1_0 fixes the following issues:
    
    - Fixes a build failure of libusb caused by the inclusion of 'sys/time.h' on PowerPC. (bsc#1178376)
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-RU-2020:3620-1
    Released:    Thu Dec  3 17:03:55 2020
    Summary:     Recommended update for pam
    Type:        recommended
    Severity:    moderate
    References:  
    This update for pam fixes the following issues:
    
    - Check if the password is part of the username. (jsc#SLE-16719, jsc#SLE-16720)
    - Check whether the password contains a substring of the user's name of at least `` characters length
      in some form. This is enabled by the new parameter `usersubstr=`
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-RU-2020:3626-1
    Released:    Fri Dec  4 13:51:46 2020
    Summary:     Recommended update for audit
    Type:        recommended
    Severity:    moderate
    References:  1179515
    This update for audit fixes the following issues:
    
    - Enable Aarch64 processor support. (bsc#1179515)
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-RU-2020:3703-1
    Released:    Mon Dec  7 20:17:32 2020
    Summary:     Recommended update for aaa_base
    Type:        recommended
    Severity:    moderate
    References:  1179431
    This update for aaa_base fixes the following issue:
    
    - Avoid semicolon within (t)csh login script on S/390. (bsc#1179431)
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-SU-2020:3721-1
    Released:    Wed Dec  9 13:36:46 2020
    Summary:     Security update for openssl-1_1
    Type:        security
    Severity:    important
    References:  1179491,CVE-2020-1971
    This update for openssl-1_1 fixes the following issues:
    
    - CVE-2020-1971: Fixed a null pointer dereference in EDIPARTYNAME (bsc#1179491).
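
    The usersubstr check introduced by the pam update SUSE-RU-2020:3620-1 above, as an added example that is not the pam module's code: a function that reports the first fragment of the user name, of at least a given length, that occurs in a candidate password. Which "forms" of the user name are searched (here: lower-cased and reversed), the case-insensitive comparison and the minimum length are assumptions about the option, not a transcription of its implementation.

```python
"""Username-substring password check, modelled on the pam usersubstr option.

Added example, not the pam module's code. The searched forms of the user name
(lower-cased, reversed) and the minimum fragment length are assumptions.
"""
from typing import Iterator, Optional


def _username_forms(username: str) -> Iterator[str]:
    """Forms of the user name to search for (assumed set: as-is and reversed)."""
    u = username.lower()
    yield u
    yield u[::-1]


def find_username_fragment(password: str, username: str, min_len: int) -> Optional[str]:
    """Return the first fragment of the user name (min_len chars) found in password, else None.

    Only windows of exactly min_len characters are tested: if a longer run of
    the user name occurs in the password, every min_len window inside that run
    occurs too, so checking the shortest windows is complete. min_len of 0 (or
    a user name shorter than min_len) disables the check, which is how a real
    module must behave by default to avoid flagging single shared letters.
    """
    if min_len < 1 or len(username) < min_len:
        return None
    haystack = password.lower()
    for form in _username_forms(username):
        for i in range(len(form) - min_len + 1):
            window = form[i:i + min_len]
            if window in haystack:
                return window
    return None


def password_contains_username_part(password: str, username: str, min_len: int) -> bool:
    """Boolean form of the check, as a PAM module would use it to reject a password."""
    return find_username_fragment(password, username, min_len) is not None


if __name__ == "__main__":
    for pw in ("Xjohndoe9!", "my-eodnh0j-pw", "correct horse battery"):
        print(pw, "->", find_username_fragment(pw, "johndoe", 4))
```

    The second sample password hides the user name reversed, which is why the reversed form is part of the searched set; a check that only looks for the name verbatim misses it.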
    -----------------------------------------------------------------
    Advisory ID: SUSE-SU-2020:3735-1
    Released:    Wed Dec  9 18:19:24 2020
    Summary:     Security update for curl
    Type:        security
    Severity:    moderate
    References:  1179398,1179399,1179593,CVE-2020-8284,CVE-2020-8285,CVE-2020-8286
    This update for curl fixes the following issues:
    
    - CVE-2020-8286: Fixed improper OCSP verification on the client side (bsc#1179593).
    - CVE-2020-8285: Fixed a stack overflow due to FTP wildcard matching (bsc#1179399).
    - CVE-2020-8284: Fixed an issue where a malicious FTP server could make curl connect to a different IP (bsc#1179398).
