SUSE: 2020:858-1 caasp/v4/nginx-ingress-controller Security Update
SUSE: 2020:858-1 caasp/v4/nginx-ingress-controller Security Update
The container caasp/v4/nginx-ingress-controller was updated. The following patches have been included in this update:
SUSE Container Update Advisory: caasp/v4/nginx-ingress-controller ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:858-1 Container Tags : caasp/v4/nginx-ingress-controller:0.15.0 , caasp/v4/nginx-ingress-controller:0.15.0-rev1 , caasp/v4/nginx-ingress-controller:0.15.0-rev1-build2.305 , caasp/v4/nginx-ingress-controller:beta1 Container Release : 2.305 Severity : important Type : security References : 1005063 1010675 1010996 1010996 1030472 1030476 1033084 1033085 1033087 1033088 1033089 1033090 1040621 1042781 1049825 1050241 1069384 1071152 1071152 1071390 1071390 1080919 1082318 1082318 1083571 1084671 1085003 1087481 1091236 1092034 1092100 1093414 1096209 1096974 1096984 1097869 1098155 1100078 1100396 1100415 1100415 1100989 1102840 1103244 1104780 1104902 1105435 1105495 1106383 1106390 1107067 1107617 1108606 1109893 1110146 1110542 1110797 1110929 1111300 1111319 1111498 1111973 1112300 1112723 1112726 1112758 1112911 1113296 1113975 1114592 1114674 1114835 1115500 1116544 1116995 1117025 1117382 1117951 1117951 1118629 1118629 1119296 1120629 1120629 1120630 1120630 1120631 1120631 1120658 1121446 1121563 1121626 1121753 1122000 1122344 1123333 1123361 1123371 1123377 1123378 1123522 1123685 1123697 1123704 1123886 1123892 1123919 1124211 1124847 1125007 1125113 1125352 1125352 1125535 1126056 1126117 1126118 1126119 1126613 1127080 1127155 1127155 1127155 1127223 1127308 1127557 1127891 1128383 1128471 1128472 1128474 1128476 1128480 1128481 1128481 1128490 1128492 1128493 1128574 1128657 1128712 1128828 1130103 1130230 1130324 1131291 1131635 1131823 1131823 1131830 1131886 1131982 1132160 1132348 1132400 1132721 1133418 1133495 1133528 1134226 1134550 1135170 1135254 1135261 1135709 1136298 1136570 1137053 1137832 1137977 1137977 1139083 1139083 1139459 1139459 1139870 1139937 1139942 1140039 1140095 1140101 1140120 1140631 1140914 1141093 1141493 1141897 1142614 1142649 1142654 1142661 1143194 1143273 1144169 1145521 1146415 1146608 1148517 1148987 1149145 1149332 1149429 1149496 1149995 1150003 1150250 1150595 1150734 1151377 1151506 1151577 1152590 1153386 1153557 1154036 1154037 1154043 1154043 1154256 1154609 1154862 1154871 1154871 1154948 1155199 1155338 1155339 1155574 1156159 1156194 1156276 1156402 1156482 1157198 1157315 1157578 1158586 1158763 1158809 1159162 1159814 1159928 1160039 1160160 1160163 1160571 1160594 1160613 1160614 1160764 1161262 1161436 1161517 1161521 1161779 1162108 1162518 1162698 1162879 1163834 1163922 1164538 1165471 1165633 1165784 1165915 1165915 1165919 1165919 1166301 1166510 1167622 1167898 1168195 1169488 1169766 1169947 1170601 1170715 1170771 1171145 1171863 1171864 1171866 1171878 1172021 1172085 1172265 1172295 1172491 1172698 1172704 1172798 1172846 1173027 1173227 1173593 1173972 1174080 1174537 1174628 1174628 1174660 1174673 1174753 1174817 1175168 1175239 1176013 1176123 1176179 1176410 1176513 1176800 1177143 1177458 1177510 1177864 1177914 1178038 1178387 1178512 888534 941922 954600 955942 973042 983268 985657 CVE-2009-5155 CVE-2015-5186 CVE-2016-10254 CVE-2016-10255 CVE-2016-3189 CVE-2016-5102 CVE-2016-9318 CVE-2017-12652 CVE-2017-6891 CVE-2017-7607 CVE-2017-7608 CVE-2017-7610 CVE-2017-7611 CVE-2017-7612 CVE-2017-7613 CVE-2017-7890 CVE-2017-9103 CVE-2017-9104 CVE-2017-9105 CVE-2017-9106 CVE-2017-9107 CVE-2017-9108 CVE-2017-9109 CVE-2018-1000654 CVE-2018-10360 CVE-2018-10754 CVE-2018-1122 CVE-2018-1123 CVE-2018-1124 CVE-2018-1125 CVE-2018-1126 CVE-2018-1152 CVE-2018-11813 CVE-2018-14498 CVE-2018-14553 CVE-2018-16062 CVE-2018-16403 CVE-2018-16839 CVE-2018-16890 CVE-2018-17000 CVE-2018-18310 CVE-2018-18311 CVE-2018-18520 CVE-2018-18521 CVE-2018-20532 CVE-2018-20532 CVE-2018-20533 CVE-2018-20533 CVE-2018-20534 CVE-2018-20534 CVE-2018-20843 CVE-2018-6954 CVE-2019-11038 CVE-2019-11068 CVE-2019-12749 CVE-2019-12900 CVE-2019-12900 CVE-2019-13050 CVE-2019-13057 CVE-2019-13117 CVE-2019-13118 CVE-2019-13565 CVE-2019-13627 CVE-2019-14250 CVE-2019-14866 CVE-2019-14973 CVE-2019-1547 CVE-2019-1551 CVE-2019-1559 CVE-2019-1563 CVE-2019-15847 CVE-2019-15903 CVE-2019-17498 CVE-2019-17594 CVE-2019-17595 CVE-2019-18197 CVE-2019-18900 CVE-2019-19956 CVE-2019-20386 CVE-2019-20388 CVE-2019-2201 CVE-2019-3688 CVE-2019-3690 CVE-2019-3822 CVE-2019-3823 CVE-2019-3842 CVE-2019-3855 CVE-2019-3856 CVE-2019-3857 CVE-2019-3858 CVE-2019-3859 CVE-2019-3859 CVE-2019-3860 CVE-2019-3860 CVE-2019-3861 CVE-2019-3862 CVE-2019-3863 CVE-2019-5188 CVE-2019-5436 CVE-2019-5482 CVE-2019-6128 CVE-2019-6454 CVE-2019-6454 CVE-2019-6977 CVE-2019-6978 CVE-2019-7150 CVE-2019-7317 CVE-2019-7663 CVE-2019-7665 CVE-2019-8905 CVE-2019-8906 CVE-2019-8907 CVE-2019-9169 CVE-2019-9232 CVE-2019-9433 CVE-2019-9893 CVE-2019-9924 CVE-2020-10029 CVE-2020-10543 CVE-2020-10878 CVE-2020-12243 CVE-2020-12723 CVE-2020-13790 CVE-2020-13844 CVE-2020-14344 CVE-2020-14344 CVE-2020-14363 CVE-2020-15999 CVE-2020-1712 CVE-2020-24977 CVE-2020-25219 CVE-2020-25692 CVE-2020-26154 CVE-2020-28196 CVE-2020-7595 CVE-2020-8013 CVE-2020-8023 CVE-2020-8177 SLE-10396 SLE-5933 SLE-7081 SLE-7257 ----------------------------------------------------------------- The container caasp/v4/nginx-ingress-controller was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2015:50-1 Released: Thu Jan 15 16:33:18 2015 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 888534 The system root SSL certificates were updated to match Mozilla NSS 2.2. Some removed/disabled 1024 bit certificates were temporarily reenabled/readded, as openssl and gnutls have a different handling of intermediates than mozilla nss and would otherwise not recognize SSL certificates from commonly used sites like Amazon. Updated to 2.2 (bnc#888534) - The following CAs were added: + COMODO_RSA_Certification_Authority codeSigning emailProtection serverAuth + GlobalSign_ECC_Root_CA_-_R4 codeSigning emailProtection serverAuth + GlobalSign_ECC_Root_CA_-_R5 codeSigning emailProtection serverAuth + USERTrust_ECC_Certification_Authority codeSigning emailProtection serverAuth + USERTrust_RSA_Certification_Authority codeSigning emailProtection serverAuth + VeriSign-C3SSA-G2-temporary-intermediate-after-1024bit-removal - The following CAs were changed: + Equifax_Secure_eBusiness_CA_1 remote code signing and https trust, leave email trust + Verisign_Class_3_Public_Primary_Certification_Authority_-_G2 only trust emailProtection - Updated to 2.1 (bnc#888534) - The following 1024-bit CA certificates were removed - Entrust.net Secure Server Certification Authority - ValiCert Class 1 Policy Validation Authority - ValiCert Class 2 Policy Validation Authority - ValiCert Class 3 Policy Validation Authority - TDC Internet Root CA - The following CA certificates were added: - Certification Authority of WoSign - CA 沃通根证书 - DigiCert Assured ID Root G2 - DigiCert Assured ID Root G3 - DigiCert Global Root G2 - DigiCert Global Root G3 - DigiCert Trusted Root G4 - QuoVadis Root CA 1 G3 - QuoVadis Root CA 2 G3 - QuoVadis Root CA 3 G3 - The Trust Bits were changed for the following CA certificates - Class 3 Public Primary Certification Authority - Class 3 Public Primary Certification Authority - Class 2 Public Primary Certification Authority - G2 - VeriSign Class 2 Public Primary Certification Authority - G3 - AC Raíz Certicámara S.A. - NetLock Uzleti (Class B) Tanusitvanykiado - NetLock Expressz (Class C) Tanusitvanykiado Temporary reenable some root ca trusts, as openssl/gnutls have trouble using intermediates as root CA. - GTE CyberTrust Global Root - Thawte Server CA - Thawte Premium Server CA - ValiCert Class 1 VA - ValiCert Class 2 VA - RSA Root Certificate 1 - Entrust.net Secure Server CA - America Online Root Certification Authority 1 - America Online Root Certification Authority 2 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:587-1 Released: Fri Apr 8 17:06:56 2016 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 973042 The root SSL certificate store ca-certificates-mozilla was updated to version 2.7 of the Mozilla NSS equivalent. (bsc#973042) - Newly added CAs: * CA WoSign ECC Root * Certification Authority of WoSign * Certification Authority of WoSign G2 * Certinomis - Root CA * Certum Trusted Network CA 2 * CFCA EV ROOT * COMODO RSA Certification Authority * DigiCert Assured ID Root G2 * DigiCert Assured ID Root G3 * DigiCert Global Root G2 * DigiCert Global Root G3 * DigiCert Trusted Root G4 * Entrust Root Certification Authority - EC1 * Entrust Root Certification Authority - G2 * GlobalSign * IdenTrust Commercial Root CA 1 * IdenTrust Public Sector Root CA 1 * OISTE WISeKey Global Root GB CA * QuoVadis Root CA 1 G3 * QuoVadis Root CA 2 G3 * QuoVadis Root CA 3 G3 * Staat der Nederlanden EV Root CA * Staat der Nederlanden Root CA - G3 * S-TRUST Universal Root CA * SZAFIR ROOT CA2 * TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5 * TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6 * USERTrust ECC Certification Authority * USERTrust RSA Certification Authority * 沃通根证书 - Removed CAs: * AOL CA * A Trust nQual 03 * Buypass Class 3 CA 1 * CA Disig * Digital Signature Trust Co Global CA 1 * Digital Signature Trust Co Global CA 3 * E Guven Kok Elektronik Sertifika Hizmet Saglayicisi * NetLock Expressz (Class C) Tanusitvanykiado * NetLock Kozjegyzoi (Class A) Tanusitvanykiado * NetLock Minositett Kozjegyzoi (Class QA) Tanusitvanykiado * NetLock Uzleti (Class B) Tanusitvanykiado * SG TRUST SERVICES RACINE * Staat der Nederlanden Root CA * TC TrustCenter Class 2 CA II * TC TrustCenter Universal CA I * TDC Internet Root CA * UTN DATACorp SGC Root CA * Verisign Class 1 Public Primary Certification Authority - G2 * Verisign Class 3 Public Primary Certification Authority * Verisign Class 3 Public Primary Certification Authority - G2 - Removed server trust from: * AC Raíz Certicámara S.A. * ComSign Secured CA * NetLock Uzleti (Class B) Tanusitvanykiado * NetLock Business (Class B) Root * NetLock Expressz (Class C) Tanusitvanykiado * TC TrustCenter Class 3 CA II * TURKTRUST Certificate Services Provider Root 1 * TURKTRUST Certificate Services Provider Root 2 * Equifax Secure Global eBusiness CA-1 * Verisign Class 4 Public Primary Certification Authority G3 - Enable server trust for: * Actalis Authentication Root CA ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:265-1 Released: Tue Feb 6 14:58:28 2018 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1010996,1071152,1071390 This update for ca-certificates-mozilla fixes the following issues: The system SSL root certificate store was updated to Mozilla certificate version 2.22 from January 2018. (bsc#1071152 bsc#1071390 bsc#1010996) We removed the old 1024 bit legacy CAs that were temporary left in to allow in-chain root certificates as openssl is now able to handle it. Further changes coming from Mozilla: - New Root CAs added: * Amazon Root CA 1: (email protection, server auth) * Amazon Root CA 2: (email protection, server auth) * Amazon Root CA 3: (email protection, server auth) * Amazon Root CA 4: (email protection, server auth) * Certplus Root CA G1: (email protection, server auth) * Certplus Root CA G2: (email protection, server auth) * D-TRUST Root CA 3 2013: (email protection) * GDCA TrustAUTH R5 ROOT: (server auth) * Hellenic Academic and Research Institutions ECC RootCA 2015: (email protection, server auth) * Hellenic Academic and Research Institutions RootCA 2015: (email protection, server auth) * ISRG Root X1: (server auth) * LuxTrust Global Root 2: (server auth) * OpenTrust Root CA G1: (email protection, server auth) * OpenTrust Root CA G2: (email protection, server auth) * OpenTrust Root CA G3: (email protection, server auth) * SSL.com EV Root Certification Authority ECC: (server auth) * SSL.com EV Root Certification Authority RSA R2: (server auth) * SSL.com Root Certification Authority ECC: (email protection, server auth) * SSL.com Root Certification Authority RSA: (email protection, server auth) * Symantec Class 1 Public Primary Certification Authority - G4: (email protection) * Symantec Class 1 Public Primary Certification Authority - G6: (email protection) * Symantec Class 2 Public Primary Certification Authority - G4: (email protection) * Symantec Class 2 Public Primary Certification Authority - G6: (email protection) * TrustCor ECA-1: (email protection, server auth) * TrustCor RootCert CA-1: (email protection, server auth) * TrustCor RootCert CA-2: (email protection, server auth) * TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1: (server auth) - Removed root CAs: * AddTrust Public Services Root * AddTrust Public CA Root * AddTrust Qualified CA Root * ApplicationCA - Japanese Government * Buypass Class 2 CA 1 * CA Disig Root R1 * CA WoSign ECC Root * Certification Authority of WoSign G2 * Certinomis - Autorité Racine * Certum Root CA * China Internet Network Information Center EV Certificates Root * CNNIC ROOT * Comodo Secure Services root * Comodo Trusted Services root * ComSign Secured CA * EBG Elektronik Sertifika Hizmet Sağlayıcısı * Equifax Secure CA * Equifax Secure eBusiness CA 1 * Equifax Secure Global eBusiness CA * GeoTrust Global CA 2 * IGC/A * Juur-SK * Microsec e-Szigno Root CA * PSCProcert * Root CA Generalitat Valenciana * RSA Security 2048 v3 * Security Communication EV RootCA1 * Sonera Class 1 Root CA * StartCom Certification Authority * StartCom Certification Authority G2 * S-TRUST Authentication and Encryption Root CA 2005 PN * Swisscom Root CA 1 * Swisscom Root EV CA 2 * TÜBİTAK UEKAE Kök Sertifika Hizmet Sağlayıcısı - Sürüm 3 * TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı * TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6 * UTN USERFirst Hardware Root CA * UTN USERFirst Object Root CA * VeriSign Class 3 Secure Server CA - G2 * Verisign Class 1 Public Primary Certification Authority * Verisign Class 2 Public Primary Certification Authority - G2 * Verisign Class 3 Public Primary Certification Authority * WellsSecure Public Root Certificate Authority * Certification Authority of WoSign * WoSign China - Removed Code Signing rights from a lot of CAs (not listed here). - Removed Server Auth rights from: * AddTrust Low-Value Services Root * Camerfirma Chambers of Commerce Root * Camerfirma Global Chambersign Root * Swisscom Root CA 2 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1643-1 Released: Thu Aug 16 17:41:07 2018 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1100415 The systemwide Root CA certificates were updated to the 2.24 state of the Mozilla NSS Certificate store. Following CAs were removed: * S-TRUST_Universal_Root_CA * TC_TrustCenter_Class_3_CA_II * TURKTRUST_Elektronik_Sertifika_Hizmet_Saglayicisi_H5 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1763-1 Released: Mon Aug 27 09:30:15 2018 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1104780 This update for ca-certificates-mozilla fixes the following issues: The Root CA store was updated to 2.26 state of the Mozilla NSS Certificate store. (bsc#1104780) - Removed server auth from following CAs: - Certplus Root CA G1 - Certplus Root CA G2 - OpenTrust Root CA G1 - OpenTrust Root CA G2 - OpenTrust Root CA G3 - Removed CAs - ComSign CA - Added new CAs - GlobalSign ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:149-1 Released: Wed Jan 23 17:58:18 2019 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1121446 This update for ca-certificates-mozilla fixes the following issues: The package was updated to the 2.30 version of the Mozilla NSS Certificate store. (bsc#1121446) Removed Root CAs: - AC Raiz Certicamara S.A. - Certplus Root CA G1 - Certplus Root CA G2 - OpenTrust Root CA G1 - OpenTrust Root CA G2 - OpenTrust Root CA G3 - Visa eCommerce Root Added Root CAs: - Certigna Root CA (email and server auth) - GTS Root R1 (server auth) - GTS Root R2 (server auth) - GTS Root R3 (server auth) - GTS Root R4 (server auth) - OISTE WISeKey Global Root GC CA (email and server auth) - UCA Extended Validation Root (server auth) - UCA Global G2 Root (email and server auth) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:218-1 Released: Thu Jan 31 20:30:20 2019 Summary: Recommended update for kmod Type: recommended Severity: moderate References: 1118629 This update for kmod fixes the following issues: - Fix module dependency file corruption on parallel invocation (bsc#1118629). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:249-1 Released: Wed Feb 6 08:36:16 2019 Summary: Security update for curl Type: security Severity: important References: 1123371,1123377,1123378,CVE-2018-16890,CVE-2019-3822,CVE-2019-3823 This update for curl fixes the following issues: Security issues fixed: - CVE-2019-3823: Fixed a heap out-of-bounds read in the code handling the end-of-response for SMTP (bsc#1123378). - CVE-2019-3822: Fixed a stack based buffer overflow in the function creating an outgoing NTLM type-3 message (bsc#1123377). - CVE-2018-16890: Fixed a heap buffer out-of-bounds read in the function handling incoming NTLM type-2 messages (bsc#1123371). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:261-1 Released: Wed Feb 6 11:26:21 2019 Summary: Recommended update for pam-config Type: recommended Severity: moderate References: 1114835 This update for pam-config fixes the following issues: - Adds support for more pam_cracklib options. (bsc#1114835) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:428-1 Released: Tue Feb 19 10:59:59 2019 Summary: Security update for systemd Type: security Severity: important References: 1111498,1117025,1117382,1120658,1122000,1122344,1123333,1123892,1125352,CVE-2019-6454 This update for systemd fixes the following issues: Security vulnerability fixed: - CVE-2019-6454: Fixed a crash of PID1 by sending specially crafted D-BUS message on the system bus by an unprivileged user (bsc#1125352) Other bug fixes and changes: - journal-remote: set a limit on the number of fields in a message - journal-remote: verify entry length from header - journald: set a limit on the number of fields (1k) - journald: do not store the iovec entry for process commandline on stack - core: include Found state in device dumps - device: fix serialization and deserialization of DeviceFound - fix path in btrfs rule (#6844) - assemble multidevice btrfs volumes without external tools (#6607) (bsc#1117025) - Update systemd-system.conf.xml (bsc#1122000) - units: inform user that the default target is started after exiting from rescue or emergency mode - manager: don't skip sigchld handler for main and control pid for services (#3738) - core: Add helper functions unit_{main, control}_pid - manager: Fixing a debug printf formatting mistake (#3640) - manager: Only invoke a single sigchld per unit within a cleanup cycle (bsc#1117382) - core: update invoke_sigchld_event() to handle NULL ->sigchld_event() - sd-event: expose the event loop iteration counter via sd_event_get_iteration() (#3631) - unit: rework a bit how we keep the service fdstore from being destroyed during service restart (bsc#1122344) - core: when restarting services, don't close fds - cryptsetup: Add dependency on loopback setup to generated units - journal-gateway: use localStorage['cursor'] only when it has valid value - journal-gateway: explicitly declare local variables - analyze: actually select longest activated-time of services - sd-bus: fix implicit downcast of bitfield reported by LGTM - core: free lines after reading them (bsc#1123892) - pam_systemd: reword message about not creating a session (bsc#1111498) - pam_systemd: suppress LOG_DEBUG log messages if debugging is off (bsc#1111498) - main: improve RLIMIT_NOFILE handling (#5795) (bsc#1120658) - sd-bus: if we receive an invalid dbus message, ignore and proceeed - automount: don't pass non-blocking pipe to kernel. - units: make sure initrd-cleanup.service terminates before switching to rootfs (bsc#1123333) - units: add Wants=initrd-cleanup.service to initrd-switch-root.target (#4345) (bsc#1123333) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:434-1 Released: Tue Feb 19 12:19:02 2019 Summary: Recommended update for libsemanage Type: recommended Severity: moderate References: 1115500 This update for libsemanage provides the following fix: - Prevent an error message when reading module version if the directory does not exist. (bsc#1115500) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:450-1 Released: Wed Feb 20 16:42:38 2019 Summary: Security update for procps Type: security Severity: important References: 1092100,1121753,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126 This update for procps fixes the following security issues: - CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100). - CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps maped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100). - CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100). - CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100). - CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100). (These issues were previously released for SUSE Linux Enterprise 12 SP3 and SP4.) Also the following non-security issue was fixed: - Fix CPU summary showing old data. (bsc#1121753) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:514-1 Released: Thu Feb 28 15:39:05 2019 Summary: Recommended update for apparmor Type: recommended Severity: moderate References: 1112300 This update for apparmor fixes the following issues: - Fix erroneously generated audit records: include status* files in dnsmasq. (bsc#1112300) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:655-1 Released: Wed Mar 20 10:30:49 2019 Summary: Security update for libssh2_org Type: security Severity: moderate References: 1091236,1128471,1128472,1128474,1128476,1128480,1128481,1128490,1128492,1128493,CVE-2019-3855,CVE-2019-3856,CVE-2019-3857,CVE-2019-3858,CVE-2019-3859,CVE-2019-3860,CVE-2019-3861,CVE-2019-3862,CVE-2019-3863 This update for libssh2_org fixes the following issues: Security issues fixed: - CVE-2019-3861: Fixed Out-of-bounds reads with specially crafted SSH packets (bsc#1128490). - CVE-2019-3862: Fixed Out-of-bounds memory comparison with specially crafted message channel request packet (bsc#1128492). - CVE-2019-3860: Fixed Out-of-bounds reads with specially crafted SFTP packets (bsc#1128481). - CVE-2019-3863: Fixed an Integer overflow in user authenticate keyboard interactive which could allow out-of-bounds writes with specially crafted keyboard responses (bsc#1128493). - CVE-2019-3856: Fixed a potential Integer overflow in keyboard interactive handling which could allow out-of-bounds write with specially crafted payload (bsc#1128472). - CVE-2019-3859: Fixed Out-of-bounds reads with specially crafted payloads due to unchecked use of _libssh2_packet_require and _libssh2_packet_requirev (bsc#1128480). - CVE-2019-3855: Fixed a potential Integer overflow in transport read which could allow out-of-bounds write with specially crafted payload (bsc#1128471). - CVE-2019-3858: Fixed a potential zero-byte allocation which could lead to an out-of-bounds read with a specially crafted SFTP packet (bsc#1128476). - CVE-2019-3857: Fixed a potential Integer overflow which could lead to zero-byte allocation and out-of-bounds with specially crafted message channel request SSH packet (bsc#1128474). Other issue addressed: - Libbssh2 will stop using keys unsupported types in the known_hosts file (bsc#1091236). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:747-1 Released: Tue Mar 26 14:35:16 2019 Summary: Security update for gd Type: security Severity: moderate References: 1123361,1123522,CVE-2019-6977,CVE-2019-6978 This update for gd fixes the following issues: Security issues fixed: - CVE-2019-6977: Fixed a heap-based buffer overflow the GD Graphics Library used in the imagecolormatch function (bsc#1123361). - CVE-2019-6978: Fixed a double free in the gdImage*Ptr() functions (bsc#1123522). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:794-1 Released: Thu Mar 28 12:09:29 2019 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1087481 This update for krb5 fixes the following issues: - Add support for the GSS_KRB5_CRED_NO_CI_FLAGS_X cred option to suppress sending the confidentiality and integrity flags in GSS initiator tokens unless they are requested by the caller. These flags control the negotiated SASL security layer for the Microsoft GSS-SPNEGO SASL mechanism. (bsc#1087481). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:803-1 Released: Fri Mar 29 13:14:21 2019 Summary: Security update for openssl Type: security Severity: moderate References: 1100078,1113975,1117951,1127080,CVE-2019-1559 This update for openssl fixes the following issues: Security issues fixed: - The 9 Lives of Bleichenbacher's CAT: Cache Attacks on TLS Implementations (bsc#1117951) - CVE-2019-1559: Fixed OpenSSL 0-byte Record Padding Oracle which under certain circumstances a TLS server can be forced to respond differently to a client and lead to the decryption of the data (bsc#1127080). Other issues addressed: - Fixed IV handling in SHAEXT paths: aes/asm/aesni-sha*-x86_64.pl (bsc#1113975). - Set TLS version to 0 in msg_callback for record messages to avoid confusing applications (bsc#1100078). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:838-1 Released: Tue Apr 2 09:52:06 2019 Summary: Security update for bash Type: security Severity: important References: 1130324,CVE-2019-9924 This update for bash fixes the following issues: Security issue fixed: - CVE-2019-9924: Fixed a vulnerability in which shell did not prevent user BASH_CMDS allowing the user to execute any command with the permissions of the shell (bsc#1130324). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:839-1 Released: Tue Apr 2 13:13:21 2019 Summary: Security update for file Type: security Severity: moderate References: 1096974,1096984,1126117,1126118,1126119,CVE-2018-10360,CVE-2019-8905,CVE-2019-8906,CVE-2019-8907 This update for file fixes the following issues: The following security vulnerabilities were addressed: - Fixed an out-of-bounds read in the function do_core_note in readelf.c, which allowed remote attackers to cause a denial of service (application crash) via a crafted ELF file (bsc#1096974 CVE-2018-10360). - CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c (bsc#1126118) - CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf. c (bsc#1126119) - CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c (bsc#1126117) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:979-1 Released: Thu Apr 18 08:23:19 2019 Summary: Recommended update for sg3_utils Type: recommended Severity: moderate References: 1069384 This update for sg3_utils fixes the following issues: - rescan-scsi-bus.sh: use LUN wildcard in idlist (bsc#1069384) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:996-1 Released: Tue Apr 23 18:42:35 2019 Summary: Security update for curl Type: security Severity: important References: 1112758,1131886,CVE-2018-16839 This update for curl fixes the following issues: Security issue fixed: - CVE-2018-16839: Fixed a buffer overflow in the SASL authentication code (bsc#1112758). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1060-1 Released: Sat Apr 27 09:45:38 2019 Summary: Security update for libssh2_org Type: security Severity: important References: 1130103,1133528,CVE-2019-3859 This update for libssh2_org fixes the following issues: - Incorrect upstream fix for CVE-2019-3859 broke public key authentication [bsc#1133528, bsc#1130103] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1111-1 Released: Tue Apr 30 12:59:27 2019 Summary: Security update for libjpeg-turbo Type: security Severity: moderate References: 1096209,1098155,1128712,CVE-2018-1152,CVE-2018-11813,CVE-2018-14498 This update for libjpeg-turbo fixes the following issues: The following security vulnerabilities were addressed: - CVE-2018-14498: Fixed a heap-based buffer over read in get_8bit_row function which could allow to an attacker to cause denial of service (bsc#1128712). - CVE-2018-11813: Fixed the end-of-file mishandling in read_pixel in rdtarga.c, which allowed remote attackers to cause a denial-of-service via crafted JPG files due to a large loop (bsc#1096209) - CVE-2018-1152: Fixed a denial of service in start_input_bmp() rdbmp.c caused by a divide by zero when processing a crafted BMP image (bsc#1098155) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1125-1 Released: Tue Apr 30 18:50:59 2019 Summary: Recommended update for glibc Type: recommended Severity: important References: 1100396,1103244 This update for glibc fixes the following issues: - Add support for the new Japanese time era name that comes into effect on 2019-05-01. [bsc#1100396, bsc#1103244] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1131-1 Released: Thu May 2 15:39:59 2019 Summary: Recommended update for libidn Type: recommended Severity: moderate References: 1092034 This update for libidn fixes the following issues: - Obsoletes now the libidn 32bit package (bsc#1092034) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1136-1 Released: Fri May 3 10:27:57 2019 Summary: Security update for openssl Type: security Severity: moderate References: 1131291 This update for openssl fixes the following issues: - Reject invalid EC point coordinates (bsc#1131291) This helps openssl using services that do not do this verification on their own. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1166-1 Released: Tue May 7 11:01:39 2019 Summary: Security update for audit Type: security Severity: moderate References: 1042781,1085003,1125535,941922,CVE-2015-5186 This update for audit fixes the following issues: Audit on SUSE Linux Enterprise 12 SP3 was updated to 2.8.1 to bring new features and bugfixes. (bsc#1125535 FATE#326346) * Many features were added to auparse_normalize * cli option added to auditd and audispd for setting config dir * In auditd, restore the umask after creating a log file * Option added to auditd for skipping email verification The full changelog can be found here: https://people.redhat.com/sgrubb/audit/ChangeLog - Change openldap dependency to client only (bsc#1085003) Minor security issue fixed: - CVE-2015-5186: Audit: log terminal emulator escape sequences handling (bsc#941922) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1232-1 Released: Tue May 14 17:07:56 2019 Summary: Security update for libxslt Type: security Severity: moderate References: 1132160,CVE-2019-11068 This update for libxslt fixes the following issues: - CVE-2019-11068: Fixed a protection mechanism bypass where callers of xsltCheckRead() and xsltCheckWrite() would permit access upon receiving an error (bsc#1132160). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1259-1 Released: Wed May 15 14:06:20 2019 Summary: Recommended update for sysvinit Type: recommended Severity: moderate References: 1131982 This update for sysvinit fixes the following issues: - Handle various optional fields of /proc//mountinfo on the entry/ies before the hyphen (bsc#1131982) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1265-1 Released: Thu May 16 09:52:22 2019 Summary: Security update for systemd Type: security Severity: important References: 1080919,1121563,1125352,1126056,1127557,1128657,1130230,1132348,1132400,1132721,955942,CVE-2018-6954,CVE-2019-3842,CVE-2019-6454,SLE-5933 This update for systemd fixes the following issues: Security issues fixed: - CVE-2018-6954: Fixed a vulnerability in the symlink handling of systemd-tmpfiles which allowed a local user to obtain ownership of arbitrary files (bsc#1080919). - CVE-2019-3842: Fixed a vulnerability in pam_systemd which allowed a local user to escalate privileges (bsc#1132348). - CVE-2019-6454: Fixed a denial of service caused by long dbus messages (bsc#1125352). Non-security issues fixed: - systemd-coredump: generate a stack trace of all core dumps (jsc#SLE-5933) - udevd: notify when max number value of children is reached only once per batch of events (bsc#1132400) - sd-bus: bump message queue size again (bsc#1132721) - core: only watch processes when it's really necessary (bsc#955942 bsc#1128657) - rules: load drivers only on 'add' events (bsc#1126056) - sysctl: Don't pass null directive argument to '%s' (bsc#1121563) - Do not automatically online memory on s390x (bsc#1127557) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1363-1 Released: Tue May 28 10:50:53 2019 Summary: Security update for curl Type: security Severity: important References: 1135170,CVE-2019-5436 This update for curl fixes the following issues: Security issue fixed: - CVE-2019-5436: Fixed a heap buffer overflow exists in tftp_receive_packet that receives data from a TFTP server (bsc#1135170). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1379-1 Released: Wed May 29 15:07:04 2019 Summary: Security update for libtasn1 Type: security Severity: moderate References: 1040621,1105435,CVE-2017-6891,CVE-2018-1000654 This update for libtasn1 fixes the following issues: Security issues fixed: - CVE-2018-1000654: Fixed a denial of service in the asn1 parser (bsc#1105435). - CVE-2017-6891: Fixed a stack overflow in asn1_find_node() (bsc#1040621). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1402-1 Released: Mon Jun 3 09:12:38 2019 Summary: Recommended update for kmod Type: recommended Severity: moderate References: 1097869,1118629 This update for kmod fixes the following issues: - Fixes a potential buffer overflow in libkmod (bsc#1118629). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1431-1 Released: Wed Jun 5 16:50:13 2019 Summary: Recommended update for xz Type: recommended Severity: moderate References: 1135709 This update for xz does only update the license: - Add SUSE-Public-Domain license as some parts of xz utils (liblzma, xz, xzdec, lzmadec, documentation, translated messages, tests, debug, extra directory) are in public domain license (bsc#1135709) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1474-1 Released: Wed Jun 12 14:46:20 2019 Summary: Recommended update for permissions Type: recommended Severity: moderate References: 1110797 This update for permissions fixes the following issues: - Updated permissons for amanda (bsc#1110797) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1481-1 Released: Thu Jun 13 07:46:01 2019 Summary: Recommended update for sg3_utils Type: recommended Severity: moderate References: 1005063,1119296,1133418,954600 This update for sg3_utils provides the following fixes: - Fix regression for page 0xa. (bsc#1119296) - Add pre/post scripts for lunmask.service. (bsc#954600) - Will now generate by-path links for fibrechannel. (bsc#1005063) - Fixes a syntax error for rule 59-fc-wwpn-id.rules. (bsc#1133418) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1733-1 Released: Wed Jul 3 13:54:39 2019 Summary: Security update for elfutils Type: security Severity: low References: 1030472,1030476,1033084,1033085,1033087,1033088,1033089,1033090,1106390,1107067,1111973,1112723,1112726,1123685,1125007,CVE-2016-10254,CVE-2016-10255,CVE-2017-7607,CVE-2017-7608,CVE-2017-7610,CVE-2017-7611,CVE-2017-7612,CVE-2017-7613,CVE-2018-16062,CVE-2018-16403,CVE-2018-18310,CVE-2018-18520,CVE-2018-18521,CVE-2019-7150,CVE-2019-7665 This update for elfutils fixes the following issues: Security issues fixed: - CVE-2018-16403: Fixed a heap-based buffer over-read that could have led to Denial of Service (bsc#1107067). - CVE-2016-10254: Fixed a memory allocation failure in alloxate_elf (bsc#1030472). - CVE-2019-7665: NT_PLATFORM core file note should be a zero terminated string (bsc#1125007). - CVE-2016-10255: Fixed a memory allocation failure in libelf_set_rawdata_wrlock (bsc#1030476). - CVE-2019-7150: Added a missing check in dwfl_segment_report_module which could have allowed truncated files to be read (bsc#1123685). - CVE-2018-16062: Fixed a heap-buffer-overflow (bsc#1106390). - CVE-2017-7611: Fixed a heap-based buffer over-read that could have led to Denial of Service (bsc#1033088). - CVE-2017-7613: Fixed denial of service caused by the missing validation of the number of sections and the number of segments in a crafted ELF file (bsc#1033090). - CVE-2017-7607: Fixed a heap-based buffer overflow in handle_gnu_hash (bsc#1033084). - CVE-2017-7608: Fixed a heap-based buffer overflow in ebl_object_note_type_name() (bsc#1033085). - CVE-2017-7610: Fixed a heap-based buffer overflow in check_group (bsc#1033087). - CVE-2018-18521: Fixed multiple divide-by-zero vulnerabilities in function arlib_add_symbols() (bsc#1112723). - CVE-2017-7612: Fixed a denial of service in check_sysv_hash() via a crafted ELF file (bsc#1033089). - CVE-2018-18310: Fixed an invalid address read in dwfl_segment_report_module.c (bsc#1111973). - CVE-2018-18520: Fixed bad handling of ar files inside are files (bsc#1112726). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1761-1 Released: Fri Jul 5 14:10:34 2019 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1128383,1135261 This update for e2fsprogs fixes the following issues: - Revert 'mke2fs: prevent creation of unmountable ext4 with large flex_bg count'. (bsc#1135261) - Place metadata blocks in the last flex_bg so they are contiguous. (bsc#1135261) - Check and fix tails of all bitmaps. (bsc#1128383) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1834-1 Released: Fri Jul 12 17:55:14 2019 Summary: Security update for expat Type: security Severity: moderate References: 1139937,CVE-2018-20843 This update for expat fixes the following issues: Security issue fixed: - CVE-2018-20843: Fixed a denial of service triggered by high resource consumption in the XML parser when XML names contain a large amount of colons (bsc#1139937). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1844-1 Released: Mon Jul 15 07:13:09 2019 Summary: Recommended update for pam Type: recommended Severity: low References: 1116544 This update for pam fixes the following issues: - restricted the number of file descriptors to close to a more sensible number based upon resource limits (bsc#1116544) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1867-1 Released: Wed Jul 17 13:11:03 2019 Summary: Security update for libxslt Type: security Severity: moderate References: 1140095,1140101,CVE-2019-13117,CVE-2019-13118 This update for libxslt fixes the following issues: Security issues fixed: - CVE-2019-13118: Fixed a read of uninitialized stack data (bsc#1140101). - CVE-2019-13117: Fixed a uninitialized read which allowed to discern whether a byte on the stack contains certain special characters (bsc#1140095). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1896-1 Released: Thu Jul 18 16:26:45 2019 Summary: Security update for libxml2 Type: security Severity: moderate References: 1010675,1110146,1126613,CVE-2016-9318 This update for libxml2 fixes the following issues: Issue fixed: - Fixed a bug related to the fix for CVE-2016-9318 which allowed xsltproc to access the internet even when --nonet was given and also was making docbook-xsl-stylesheets to have incomplete xml catalog file (bsc#1010675, bsc#1126613 and bsc#1110146). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1955-1 Released: Tue Jul 23 11:42:41 2019 Summary: Security update for bzip2 Type: security Severity: important References: 1139083,985657,CVE-2016-3189,CVE-2019-12900 This update for bzip2 fixes the following issues: Security issue fixed: - CVE-2019-12900: Fixed an out-of-bounds write in decompress.c with many selectors (bsc#1139083). - CVE-2016-3189: Fixed a use-after-free in bzip2recover (bsc#985657). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1958-1 Released: Tue Jul 23 13:18:12 2019 Summary: Security update for glibc Type: security Severity: moderate References: 1127223,1127308,1128574,CVE-2009-5155,CVE-2019-9169 This update for glibc fixes the following issues: Security issues fixed: - CVE-2019-9169: Fixed a heap-based buffer over-read via an attempted case-insensitive regular-expression match (bsc#1127308). - CVE-2009-5155: Fixed a denial of service in parse_reg_exp() (bsc#1127223). Non-security issues fixed: - Added cfi information for start routines in order to stop unwinding on S390 (bsc#1128574). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1972-1 Released: Thu Jul 25 15:00:03 2019 Summary: Security update for libsolv, libzypp, zypper Type: security Severity: moderate References: 1109893,1110542,1111319,1112911,1113296,1120629,1120630,1120631,1127155,1131823,1134226,1137977,CVE-2018-20532,CVE-2018-20533,CVE-2018-20534 This update for libsolv, libzypp and zypper fixes the following issues: libsolv was updated to version 0.6.36 fixes the following issues: Security issues fixed: - CVE-2018-20532: Fixed a NULL pointer dereference in testcase_read() (bsc#1120629). - CVE-2018-20533: Fixed a NULL pointer dereference in testcase_str2dep_complex() (bsc#1120630). - CVE-2018-20534: Fixed a NULL pointer dereference in pool_whatprovides() (bsc#1120631). Non-security issues fixed: - Made cleandeps jobs on patterns work (bsc#1137977). - Fixed an issue multiversion packages that obsolete their own name (bsc#1127155). - Keep consistent package name if there are multiple alternatives (bsc#1131823). libzypp received following fixes: - Fixes a bug where locking the kernel was not possible (bsc#1113296) zypper received following fixes: - Fixes a bug where the wrong exit code was set when refreshing repos if --root was used (bsc#1134226) - Improved the displaying of locks (bsc#1112911) - Fixes an issue where `https` repository urls caused an error prompt to appear twice (bsc#1110542) - zypper will now always warn when no repositories are defined (bsc#1109893) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2013-1 Released: Mon Jul 29 15:42:41 2019 Summary: Security update for bzip2 Type: security Severity: important References: 1139083,CVE-2019-12900 This update for bzip2 fixes the following issues: - Fixed a regression with the fix for CVE-2019-12900, which caused incompatibilities with files that used many selectors (bsc#1139083). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2101-1 Released: Fri Aug 9 10:38:55 2019 Summary: Recommended update for suse-module-tools Type: recommended Severity: moderate References: 1100989,1105495,1111300,1123697,1123704,1127155,1127891,1131635 This update for suse-module-tools to version 12.6 fixes the following issues: - weak-modules2: emit 'inconsistent' warning only if replacement fails (bsc#1127155) - modprobe.conf.common: add csiostor->cxgb4 dependency (bsc#1100989, bsc#1131635) - Fix driver-check.sh (bsc#1123697, bsc#1123704) - modsign-verify: support for parsing PKCS#7 signatures (bsc#1111300, bsc#1105495) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2120-1 Released: Wed Aug 14 11:17:39 2019 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1136298,SLE-7257 This update for pam fixes the following issues: - Enable pam_userdb.so (SLE-7257,bsc#1136298) - Upgraded pam_userdb to 1.3.1. (bsc#1136298) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1606-1 Released: Wed Aug 21 13:36:49 2019 Summary: Security update for libssh2_org Type: security Severity: moderate References: 1128481,1136570,CVE-2019-3860 This update for libssh2_org fixes the following issues: - Fix the previous fix for CVE-2019-3860 (bsc#1136570, bsc#1128481) (Out-of-bounds reads with specially crafted SFTP packets) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2240-1 Released: Wed Aug 28 14:57:51 2019 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1144169 This update for ca-certificates-mozilla fixes the following issues: - Update to 2.34 state of the Mozilla NSS Certificate store. (bsc#1144169) - Removed Root CAs: - Certinomis - Root CA - Added root CAs from the 2.32 version: - emSign ECC Root CA - C3 (email and server auth) - emSign ECC Root CA - G3 (email and server auth) - emSign Root CA - C1 (email and server auth) - emSign Root CA - G1 (email and server auth) - Hongkong Post Root CA 3 (server auth) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2264-1 Released: Mon Sep 2 09:07:12 2019 Summary: Security update for perl Type: security Severity: important References: 1114674,CVE-2018-18311 This update for perl fixes the following issues: Security issue fixed: - CVE-2018-18311: Fixed integer overflow with oversize environment (bsc#1114674). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2288-1 Released: Wed Sep 4 14:22:47 2019 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1104902,1107617,1137053,1142661 This update for systemd fixes the following issues: - Fixes an issue where the Kernel took very long to unmount a user's runtime directory (bsc#1104902) - udevd: changed the default value of udev.children-max (again) (bsc#1107617) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2372-1 Released: Thu Sep 12 14:01:27 2019 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1139942,1140914,SLE-7081 This update for krb5 fixes the following issues: - Fix missing responder if there is no pre-auth; (bsc#1139942) - Load mechglue config files from /etc/gss/mech.d; (bsc#1140914, jsc#SLE-7081) - Fix impersonate_name to work with interposers; (bsc#1140914, jsc#SLE-7081) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2339-1 Released: Thu Sep 12 14:17:53 2019 Summary: Security update for curl Type: security Severity: important References: 1149496,CVE-2019-5482 This update for curl fixes the following issues: Security issue fixed: - CVE-2019-5482: Fixed TFTP small blocksize heap buffer overflow (bsc#1149496). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2390-1 Released: Tue Sep 17 15:46:02 2019 Summary: Security update for openldap2 Type: security Severity: moderate References: 1143194,1143273,CVE-2019-13057,CVE-2019-13565 This update for openldap2 fixes the following issues: Security issues fixed: - CVE-2019-13565: Fixed ssf memory reuse that leads to incorrect authorization of another connection, granting excess connection rights (ssf) (bsc#1143194). - CVE-2019-13057: Fixed rootDN of a backend that may proxyauth incorrectly to another backend, violating multi-tenant isolation (bsc#1143273). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2413-1 Released: Fri Sep 20 10:44:26 2019 Summary: Security update for openssl Type: security Severity: moderate References: 1150003,1150250,CVE-2019-1547,CVE-2019-1563 This update for openssl fixes the following issues: OpenSSL Security Advisory [10 September 2019] - CVE-2019-1547: Added EC_GROUP_set_generator side channel attack avoidance (bsc#1150003). - CVE-2019-1563: Fixed Bleichenbacher attack against cms/pkcs7 encryption transported key (bsc#1150250). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2440-1 Released: Mon Sep 23 17:15:13 2019 Summary: Security update for expat Type: security Severity: moderate References: 1149429,CVE-2019-15903 This update for expat fixes the following issues: Security issue fixed: - CVE-2019-15903: Fixed a heap-based buffer over-read caused by crafted XML documents. (bsc#1149429) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2480-1 Released: Fri Sep 27 13:12:08 2019 Summary: Security update for gpg2 Type: security Severity: moderate References: 1124847,1141093,CVE-2019-13050 This update for gpg2 fixes the following issues: Security issue fixed: - CVE-2019-13050: Fixed denial-of-service attacks via big keys. (bsc#1141093) Non-security issue fixed: - Allow coredumps in X11 desktop sessions (bsc#1124847). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2510-1 Released: Tue Oct 1 17:37:12 2019 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1148987,CVE-2019-13627 This update for libgcrypt fixes the following issues: Security issues fixed: - CVE-2019-13627: Mitigated ECDSA timing attack. (bsc#1148987) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2818-1 Released: Tue Oct 29 17:22:01 2019 Summary: Recommended update for zypper and libzypp Type: recommended Severity: important References: 1049825,1116995,1140039,1145521,1146415,1153557 This update for zypper and libzypp fixes the following issues: Package: zypper - Fixed an issue where zypper exited on a SIGPIPE during package download (bsc#1145521) - Rephrased the file conflicts check summary (bsc#1140039) - Fixes an issue where the bash completion was wrongly expanded (bsc#1049825) Package: libzypp - Fixed an issue where YaST2 was not able to find base products via libzypp (bsc#1153557) - Added a new 'solver.focus' option for /etc/zypp/zypp.conf to define systemwide focus mode when resolving jobs (bsc#1146415) - Fixes a file descriptor leak in the media backend (bsc#1116995) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2887-1 Released: Mon Nov 4 17:31:49 2019 Summary: Recommended update for apparmor Type: recommended Severity: moderate References: 1139870 This update for apparmor provides the following fix: - Change pathname in logprof.conf and use check_qualifiers() in autodep to make sure apparmor does not generate profiles for programs marked as not having their own profiles. (bsc#1139870) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2898-1 Released: Tue Nov 5 17:00:27 2019 Summary: Recommended update for systemd Type: recommended Severity: important References: 1140631,1150595,1154948 This update for systemd fixes the following issues: - sd-bus: deal with cookie overruns (bsc#1150595) - rules: Add by-id symlinks for persistent memory (bsc#1140631) - Drop the old fds used for logging and reopen them in the sub process before doing any new logging. (bsc#1154948) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2936-1 Released: Fri Nov 8 13:19:55 2019 Summary: Security update for libssh2_org Type: security Severity: moderate References: 1154862,CVE-2019-17498 This update for libssh2_org fixes the following issue: - CVE-2019-17498: Fixed an integer overflow in a bounds check that might have led to the disclosure of sensitive information or a denial of service (bsc#1154862). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2941-1 Released: Tue Nov 12 10:03:32 2019 Summary: Security update for libseccomp Type: security Severity: moderate References: 1082318,1128828,1142614,CVE-2019-9893 This update for libseccomp fixes the following issues: Update to new upstream release 2.4.1: * Fix a BPF generation bug where the optimizer mistakenly identified duplicate BPF code blocks. Updated to 2.4.0 (bsc#1128828 CVE-2019-9893): * Update the syscall table for Linux v5.0-rc5 * Added support for the SCMP_ACT_KILL_PROCESS action * Added support for the SCMP_ACT_LOG action and SCMP_FLTATR_CTL_LOG attribute * Added explicit 32-bit (SCMP_AX_32(...)) and 64-bit (SCMP_AX_64(...)) argument comparison macros to help protect against unexpected sign extension * Added support for the parisc and parisc64 architectures * Added the ability to query and set the libseccomp API level via seccomp_api_get(3) and seccomp_api_set(3) * Return -EDOM on an endian mismatch when adding an architecture to a filter * Renumber the pseudo syscall number for subpage_prot() so it no longer conflicts with spu_run() * Fix PFC generation when a syscall is prioritized, but no rule exists * Numerous fixes to the seccomp-bpf filter generation code * Switch our internal hashing function to jhash/Lookup3 to MurmurHash3 * Numerous tests added to the included test suite, coverage now at ~92% * Update our Travis CI configuration to use Ubuntu 16.04 * Numerous documentation fixes and updates Update to release 2.3.3: * Updated the syscall table for Linux v4.15-rc7 Update to release 2.3.2: * Achieved full compliance with the CII Best Practices program * Added Travis CI builds to the GitHub repository * Added code coverage reporting with the '--enable-code-coverage' configure flag and added Coveralls to the GitHub repository * Updated the syscall tables to match Linux v4.10-rc6+ * Support for building with Python v3.x * Allow rules with the -1 syscall if the SCMP\_FLTATR\_API\_TSKIP attribute is set to true * Several small documentation fixes - ignore make check error for ppc64/ppc64le, bypass bsc#1142614 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2972-1 Released: Thu Nov 14 12:04:52 2019 Summary: Security update for libjpeg-turbo Type: security Severity: important References: 1156402,CVE-2019-2201 This update for libjpeg-turbo fixes the following issues: - CVE-2019-2201: Several integer overflow issues and subsequent segfaults occurred in libjpeg-turbo, when attempting to compress or decompress gigapixel images. [bsc#1156402] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3003-1 Released: Tue Nov 19 10:12:33 2019 Summary: Recommended update for procps Type: recommended Severity: moderate References: 1153386,SLE-10396 This update for procps provides the following fixes: - Backport the MemAvailable patch into SLE12-SP4/SP5 procps. (jsc#SLE-10396) - Add missing ShmemPmdMapped entry for pmap with newer kernels. (bsc#1153386) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3058-1 Released: Mon Nov 25 17:32:43 2019 Summary: Security update for tiff Type: security Severity: moderate References: 1108606,1121626,1125113,1146608,983268,CVE-2016-5102,CVE-2018-17000,CVE-2019-14973,CVE-2019-6128,CVE-2019-7663 This update for tiff fixes the following issues: Security issues fixed: - CVE-2019-14973: Fixed an improper check which was depended on the compiler which could have led to integer overflow (bsc#1146608). - CVE-2016-5102: Fixed a buffer overflow in readgifimage() (bsc#983268) - CVE-2018-17000: Fixed a NULL pointer dereference in the _TIFFmemcmp function (bsc#1108606). - CVE-2019-6128: Fixed a memory leak in the TIFFFdOpen function in tif_unix.c (bsc#1121626). - CVE-2019-7663: Fixed an invalid address dereference in the TIFFWriteDirectoryTagTransfer function in libtiff/tif_dirwrite.c (bsc#1125113) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3064-1 Released: Mon Nov 25 18:44:36 2019 Summary: Security update for cpio Type: security Severity: moderate References: 1155199,CVE-2019-14866 This update for cpio fixes the following issues: - CVE-2019-14866: Fixed an improper validation of the values written in the header of a TAR file through the to_oct() function which could have led to unexpected TAR generation (bsc#1155199). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3085-1 Released: Thu Nov 28 10:01:53 2019 Summary: Security update for libxml2 Type: security Severity: low References: 1123919 This update for libxml2 doesn't fix any additional security issues, but correct the rpm changelog to reflect all CVEs that have been fixed over the past. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3094-1 Released: Thu Nov 28 16:47:52 2019 Summary: Security update for ncurses Type: security Severity: moderate References: 1131830,1134550,1154036,1154037,CVE-2018-10754,CVE-2019-17594,CVE-2019-17595 This update for ncurses fixes the following issues: Security issue fixed: - CVE-2018-10754: Fixed a denial of service caused by a NULL Pointer Dereference in the _nc_parse_entry() (bsc#1131830). - CVE-2019-17594: Fixed a heap-based buffer over-read in _nc_find_entry function in tinfo/comp_hash.c (bsc#1154036). - CVE-2019-17595: Fixed a heap-based buffer over-read in fmt_entry function in tinfo/comp_hash.c (bsc#1154037). Bug fixes: - Fixed ppc64le build configuration (bsc#1134550). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3132-1 Released: Tue Dec 3 10:52:14 2019 Summary: Recommended update for update-alternatives Type: recommended Severity: moderate References: 1154043 This update for update-alternatives fixes the following issues: - Fix post install scripts: test if there is actual file before calling update-alternatives. (bsc#1154043) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3180-1 Released: Thu Dec 5 11:42:40 2019 Summary: Security update for permissions Type: security Severity: moderate References: 1093414,1150734,1157198,CVE-2019-3688,CVE-2019-3690 This update for permissions fixes the following issues: - CVE-2019-3688: Changed wrong ownership in /usr/sbin/pinger to root:squid which could have allowed a squid user to gain persistence by changing the binary (bsc#1093414). - CVE-2019-3690: Fixed a privilege escalation through untrusted symbolic links (bsc#1150734). - Fixed a regression which caused segmentation fault (bsc#1157198). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3342-1 Released: Thu Dec 19 11:04:35 2019 Summary: Recommended update for elfutils Type: recommended Severity: moderate References: 1151577 This update for elfutils fixes the following issues: - Add require of 'libebl1' for 'libelf1'. (bsc#1151577) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3364-1 Released: Thu Dec 19 19:20:52 2019 Summary: Recommended update for ncurses Type: recommended Severity: moderate References: 1158586,1159162 This update for ncurses fixes the following issues: - Work around a bug of old upstream gen-pkgconfig (bsc#1159162) - Remove doubled library path options (bsc#1159162) - Also remove private requirements as (lib)tinfo are binary compatible with normal and wide version of (lib)ncurses (bsc#1158586, bsc#1159162) - Fix last change, that is add missed library linker paths as well as missed include directories for none standard paths (bsc#1158586, bsc#1159162) - Do not mix include directories of different ncurses ABI (bsc#1158586) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:86-1 Released: Mon Jan 13 14:12:22 2020 Summary: Security update for e2fsprogs Type: security Severity: moderate References: 1160571,CVE-2019-5188 This update for e2fsprogs fixes the following issues: - CVE-2019-5188: Fixed a code execution vulnerability in the directory rehashing functionality (bsc#1160571). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:106-1 Released: Wed Jan 15 12:50:55 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: important References: 1155338,1155339 This update for libgcrypt fixes the following issues: - Fix test dsa-rfc6979 in FIPS mode: Disabled tests in elliptic curves with 192 bits which are not recommended in FIPS mode - Added CMAC AES and TDES FIPS self-tests: (bsc#1155339, bsc#1155338) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:373-1 Released: Tue Feb 18 15:06:18 2020 Summary: Security update for dbus-1 Type: security Severity: important References: 1137832,CVE-2019-12749 This update for dbus-1 fixes the following issues: Security issue fixed: - CVE-2019-12749: Fixed an implementation flaw in DBUS_COOKIE_SHA1 which could have allowed local attackers to bypass authentication (bsc#1137832). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:404-1 Released: Wed Feb 19 09:05:47 2020 Summary: Recommended update for p11-kit Type: recommended Severity: moderate References: 1154871 This update for p11-kit fixes the following issues: - Support loading NSS attribute 'CKA_NSS_MOZILLA_CA_POLICY' so Firefox detects built-in certificates. (bsc#1154871) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:459-1 Released: Tue Feb 25 11:02:12 2020 Summary: Security update for libvpx Type: security Severity: moderate References: 1160613,1160614,CVE-2019-9232,CVE-2019-9433 This update for libvpx fixes the following issues: - CVE-2019-9232: Fixed an out of bound memory access (bsc#1160613). - CVE-2019-9433: Fixdd a use-after-free in vp8_deblock() (bsc#1160614). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:474-1 Released: Tue Feb 25 13:24:15 2020 Summary: Security update for openssl Type: security Severity: moderate References: 1117951,1158809,1160163,CVE-2019-1551 This update for openssl fixes the following issues: Security issue fixed: - CVE-2019-1551: Fixed an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809). Non-security issue fixed: - Fixed a crash in BN_copy (bsc#1160163). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:545-1 Released: Fri Feb 28 15:50:46 2020 Summary: Security update for permissions Type: security Severity: moderate References: 1123886,1160594,1160764,1161779,1163922,CVE-2020-8013 This update for permissions fixes the following issues: Security issues fixed: - CVE-2020-8013: Fixed an issue where chkstat set unintended setuid/capabilities for mrsh and wodim (bsc#1163922). Non-security issues fixed: - Fixed a regression where chkstat broke when /proc was not available (bsc#1160764, bsc#1160594). - Fixed capability handling when doing multiple permission changes at once (bsc#1161779). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:561-1 Released: Mon Mar 2 17:24:59 2020 Summary: Recommended update for elfutils Type: recommended Severity: moderate References: 1110929,1157578 This update for elfutils fixes the following issues: - Fix 'eu-nm' issue in elfutils: Symbol iteration will be set to start at 0 instead of 1 to avoid missing symbols in the output. (bsc#1157578) - Fix for '.ko' file corruption in debug info. (bsc#1110929) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:569-1 Released: Tue Mar 3 11:43:43 2020 Summary: Security update for libpng16 Type: security Severity: moderate References: 1124211,1141493,CVE-2017-12652,CVE-2019-7317 This update for libpng16 fixes the following issues: Security issues fixed: - CVE-2019-7317: Fixed a use-after-free vulnerability, triggered when png_image_free() was called under png_safe_execute (bsc#1124211). - CVE-2017-12652: Fixed an Input Validation Error related to the length of chunks (bsc#1141493). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:571-1 Released: Tue Mar 3 13:23:35 2020 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1162518 This update for cyrus-sasl fixes the following issues: - Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF (bsc#1162518) - Added support for retrieving negotiated SSF in gssapi plugin (bsc#1162518) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:596-1 Released: Thu Mar 5 15:23:51 2020 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1010996,1071152,1071390,1082318,1100415,1154871,1160160 This update for ca-certificates-mozilla fixes the following issues: The following non-security bugs were fixed: Updated to 2.40 state of the Mozilla NSS Certificate store (bsc#1160160): Removed certificates: - Certplus Class 2 Primary CA - Deutsche Telekom Root CA 2 - CN=Swisscom Root CA 2 - UTN-USERFirst-Client Authentication and Email Added certificates: - Entrust Root Certification Authority - G4 - Export correct p11kit trust attributes so Firefox detects built in certificates (bsc#1154871). - Updated to 2.24 state of the Mozilla NSS Certificate store (bsc#1100415). - Use %license instead of %doc (bsc#1082318). - Updated to 2.22 state of the Mozilla NSS Certificate store (bsc#1071152, bsc#1071390, bsc#1010996). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:623-1 Released: Mon Mar 9 16:17:26 2020 Summary: Security update for gd Type: security Severity: moderate References: 1050241,1140120,1165471,CVE-2017-7890,CVE-2018-14553,CVE-2019-11038 This update for gd fixes the following issues: - CVE-2017-7890: Fixed a buffer over-read into uninitialized memory (bsc#1050241). - CVE-2018-14553: Fixed a null pointer dereference in gdImageClone() (bsc#1165471). - CVE-2019-11038: Fixed a information disclosure in gdImageCreateFromXbm() (bsc#1140120). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:652-1 Released: Thu Mar 12 09:53:23 2020 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: important References: 1165915,1165919,1166301 This update for ca-certificates-mozilla fixes the following issues: This reverts a previous change to the generated pem structure, as it require a p11-kit tools update installed first, which can not always ensured correctly. (bsc#1166301 bsc#1165915 bsc#1165919) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:331-1 Released: Wed Mar 18 12:52:46 2020 Summary: Security update for systemd Type: security Severity: important References: 1106383,1133495,1139459,1151377,1151506,1154043,1155574,1156482,1159814,1162108,CVE-2020-1712 This update for systemd fixes the following issues: - CVE-2020-1712 (bsc#bsc#1162108) Fix a heap use-after-free vulnerability, when asynchronous Polkit queries were performed while handling Dbus messages. A local unprivileged attacker could have abused this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted Dbus messages. - Unconfirmed fix for prevent hanging of systemctl during restart. (bsc#1139459) - Fix warnings thrown during package installation. (bsc#1154043) - Fix for system-udevd prevent crash within OES2018. (bsc#1151506) - Fragments of masked units ought not be considered for 'NeedDaemonReload'. (bsc#1156482) - Wait for workers to finish when exiting. (bsc#1106383) - Improve log message when inotify limit is reached. (bsc#1155574) - Mention in the man pages that alias names are only effective after command 'systemctl enable'. (bsc#1151377) - Introduce function for reading virtual files in 'sysfs' and 'procfs'. (bsc#1133495, bsc#1159814) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:786-1 Released: Wed Mar 25 06:47:18 2020 Summary: Recommended update for p11-kit Type: recommended Severity: moderate References: 1165915,1165919 This update for p11-kit fixes the following issues: - tag this version with 'p11-kit-tools-supports-CKA_NSS_MOZILLA_CA_POLICY' provides so we can pull it in. (bsc#1165915 bsc#1165919) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:915-1 Released: Fri Apr 3 13:15:11 2020 Summary: Recommended update for openldap2 Type: recommended Severity: moderate References: 1168195 This update for openldap2 fixes the following issue: - The openldap2-ppolicy-check-password plugin is now included (FATE#319461 bsc#1168195) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:920-1 Released: Fri Apr 3 17:13:04 2020 Summary: Security update for libxslt Type: security Severity: moderate References: 1154609,CVE-2019-18197 This update for libxslt fixes the following issue: - CVE-2019-18197: Fixed a dangling pointer in xsltCopyText which may have led to information disclosure (bsc#1154609). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:394-1 Released: Tue Apr 14 17:25:16 2020 Summary: Security update for gcc9 Type: security Severity: moderate References: 1114592,1135254,1141897,1142649,1142654,1148517,1149145,CVE-2019-14250,CVE-2019-15847 This update for gcc9 fixes the following issues: The GNU Compiler Collection is shipped in version 9. A detailed changelog on what changed in GCC 9 is available at https://gcc.gnu.org/gcc-9/changes.html The compilers have been added to the SUSE Linux Enterprise Toolchain Module. To use these compilers, install e.g. gcc9, gcc9-c++ and build with CC=gcc-9 CXX=g++-9 set. For SUSE Linux Enterprise base products, the libstdc++6, libgcc_s1 and other compiler libraries have been switched from their gcc8 variants to their gcc9 variants. Security issues fixed: - CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145) - CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649) Non-security issues fixed: - Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254) - Fixed miscompilation for vector shift on s390. (bsc#1141897) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1168-1 Released: Mon May 4 14:06:46 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1162879 This update for libgcrypt fixes the following issues: - FIPS: Relax the entropy requirements on selftest during boot (bsc#1162879) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1193-1 Released: Tue May 5 16:26:05 2020 Summary: Security update for openldap2 Type: security Severity: important References: 1170771,CVE-2020-12243 This update for openldap2 fixes the following issues: - CVE-2020-12243: Fixed a denial of service related to recursive filters (bsc#1170771). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1254-1 Released: Tue May 12 11:17:06 2020 Summary: Recommended update for geolite2legacy, geoipupdate Type: recommended Severity: moderate References: 1156194,1169766 This update for geolite2legacy and geoipupdate fixes the following issues: - Create the initial package of GeoIP 2 Legacy, as the GeoIP is discontinued. (bsc#1156194) - Update README.SUSE in GeoIP with a description how to get the latest Geo IP data after the distribution changes. (jsc#SLE-11184, bsc#1156194, jsc#ECO-1405) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1325-1 Released: Mon May 18 11:50:19 2020 Summary: Recommended update for coreutils Type: recommended Severity: moderate References: 1156276 This update for coreutils fixes the following issues: -Fix for an issue when using sort with '--human-numeric-sort-key' option the column containig the values can be faulty. (bsc#1156276) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1329-1 Released: Mon May 18 17:17:54 2020 Summary: Recommended update for gcc9 Type: recommended Severity: moderate References: 1149995,1152590,1167898 This update for gcc9 fixes the following issues: This update ships the GCC 9.3 release. - Includes a fix for Internal compiler error when building HepMC (bsc#1167898) - Includes fix for binutils version parsing - Add libstdc++6-pp provides and conflicts to avoid file conflicts with same minor version of libstdc++6-pp from gcc10. - Add gcc9 autodetect -g at lto link (bsc#1149995) - Install go tool buildid for bootstrapping go ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:822-1 Released: Fri May 22 10:59:33 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1166510 This update for pam fixes the following issues: - Moved pam_userdb to a separate package pam-extra (bsc#1166510) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1612-1 Released: Fri Jun 12 09:43:17 2020 Summary: Security update for adns Type: security Severity: important References: 1172265,CVE-2017-9103,CVE-2017-9104,CVE-2017-9105,CVE-2017-9106,CVE-2017-9107,CVE-2017-9108,CVE-2017-9109 This update for adns fixes the following issues: - CVE-2017-9103,CVE-2017-9104,CVE-2017-9105,CVE-2017-9109: Fixed an issue in local recursive resolver which could have led to remote code execution (bsc#1172265). - CVE-2017-9106: Fixed an issue with upstream DNS data sources which could have led to denial of service (bsc#1172265). - CVE-2017-9107: Fixed an issue when quering domain names which could have led to denial of service (bsc#1172265). - CVE-2017-9108: Fixed an issue which could have led to denial of service (bsc#1172265). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1662-1 Released: Thu Jun 18 11:13:05 2020 Summary: Security update for perl Type: security Severity: important References: 1102840,1160039,1170601,1171863,1171864,1171866,CVE-2020-10543,CVE-2020-10878,CVE-2020-12723 This update for perl fixes the following issues: - CVE-2020-10543: Fixed a heap buffer overflow in regular expression compiler which could have allowed overwriting of allocated memory with attacker's data (bsc#1171863). - CVE-2020-10878: Fixed multiple integer overflows which could have allowed the insertion of instructions into the compiled form of Perl regular expression (bsc#1171864). - CVE-2020-12723: Fixed an attacker's corruption of the intermediate language state of a compiled regular expression (bsc#1171866). - Fixed utf8 handling in perldoc by useing 'term' instead of 'man' (bsc#1170601). - Some packages make assumptions about the date and time they are built. This update will solve the issues caused by calling the perl function timelocal expressing the year with two digit only instead of four digits. (bsc#1102840) (bsc#1160039) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1689-1 Released: Fri Jun 19 11:03:49 2020 Summary: Recommended update for audit Type: recommended Severity: important References: 1156159,1172295 This update for audit fixes the following issues: - Fix specfile to require libauparse0 and libaudit1 after splitting audit-libs. (bsc#1172295) - Fix hang on startup. (bsc#1156159) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1732-1 Released: Wed Jun 24 09:42:55 2020 Summary: Security update for curl Type: security Severity: important References: 1173027,CVE-2020-8177 This update for curl fixes the following issues: - CVE-2020-8177: Fixed an issue where curl could have been tricked by a malicious server to overwrite a local file when using the -J option (bsc#1173027). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1842-1 Released: Fri Jul 3 22:40:42 2020 Summary: Security update for systemd Type: security Severity: moderate References: 1084671,1154256,1157315,1161262,1161436,1162698,1164538,1165633,1167622,1171145,CVE-2019-20386 This update for systemd fixes the following issues: - CVE-2019-20386: Fixed a memory leak when executing the udevadm trigger command (bsc#1161436). - Renamed the persistent link for ATA devices (bsc#1164538) - shared/install: try harder to find enablement symlinks when disabling a unit (bsc#1157315) - tmpfiles: removed unnecessary assert (bsc#1171145) - pid1: by default make user units inherit their umask from the user manager (bsc#1162698) - manager: fixed job mode when signalled to shutdown etc (bsc#1161262) - coredump: fixed bug that loses core dump files when core dumps are compressed and disk space is low. (bsc#1167622) - udev: inform systemd how many workers we can potentially spawn (#4036) (bsc#1165633) - libblkid: open device in nonblock mode. (bsc#1084671) - udev/cdrom_id: Do not open CD-rom in exclusive mode. (bsc#1154256) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1859-1 Released: Mon Jul 6 17:08:28 2020 Summary: Security update for openldap2 Type: security Severity: important References: 1170715,1172698,1172704,CVE-2020-8023 This update for openldap2 fixes the following issues: - CVE-2020-8023: Fixed a potential local privilege escalation from ldap to root when OPENLDAP_CONFIG_BACKEND='ldap' was used (bsc#1172698). - Changed DB_CONFIG to root:ldap permissions (bsc#1172704). - Fixed an issue where slapd becomes unresponsive after many failed login/bind attempts(bsc#1170715). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2059-1 Released: Tue Jul 28 11:32:56 2020 Summary: Recommended update for grep Type: recommended Severity: moderate References: 1163834 This update for grep fixes the following issues: Fix for an issue when command 'grep -i' produces bad performance by using multibyte with 'non-utf8' encoding. (bsc#1163834) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:2117-1 Released: Tue Aug 4 15:14:39 2020 Summary: Security update for libX11 Type: security Severity: important References: 1174628,CVE-2020-14344 This update for libX11 fixes the following issues: - Fixed XIM client heap overflows (CVE-2020-14344, bsc#1174628) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:2196-1 Released: Tue Aug 11 13:31:24 2020 Summary: Security update for libX11 Type: security Severity: important References: 1174628,CVE-2020-14344 This update for libX11 fixes the following issues: - Fixed XIM client heap overflows (CVE-2020-14344, bsc#1174628). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2287-1 Released: Thu Aug 20 16:07:37 2020 Summary: Recommended update for grep Type: recommended Severity: moderate References: 1174080 This update for grep fixes the following issues: - Fix for -P treating invalid UTF-8 input and causing incosistency. (bsc#1174080) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2294-1 Released: Fri Aug 21 16:59:17 2020 Summary: Recommended update for openldap2 Type: recommended Severity: important References: 1174537 This update for openldap2 fixes the following issues: - Fixes an issue where slapd failed to start due to the missing pwdMaxRecordedFailure attribute (bsc#1174537) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2410-1 Released: Tue Sep 1 13:15:48 2020 Summary: Recommended update for pam Type: recommended Severity: low References: 1173593 This update of pam fixes the following issue: - On some SUSE Linux Enterprise 12 SP5 based media from build.suse.com a pam version with a higher release number than the last update of pam was delivered. This update releases pam with a higher release number to align it with this media. (bsc#1173593) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2428-1 Released: Tue Sep 1 22:07:35 2020 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1174673 This update for ca-certificates-mozilla fixes the following issues: Update to 2.42 state of the Mozilla NSS Certificate store (bsc#1174673) Removed CAs: - AddTrust External CA Root - AddTrust Class 1 CA Root - LuxTrust Global Root 2 - Staat der Nederlanden Root CA - G2 - Symantec Class 1 Public Primary Certification Authority - G4 - Symantec Class 2 Public Primary Certification Authority - G4 - VeriSign Class 3 Public Primary Certification Authority - G3 Added CAs: - certSIGN Root CA G2 - e-Szigno Root CA 2017 - Microsoft ECC Root Certificate Authority 2017 - Microsoft RSA Root Certificate Authority 2017 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:2475-1 Released: Thu Sep 3 12:10:58 2020 Summary: Security update for libX11 Type: security Severity: moderate References: 1175239,CVE-2020-14363 This update for libX11 fixes the following issues: - CVE-2020-14363: Fix an integer overflow in init_om() (bsc#1175239). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:2570-1 Released: Tue Sep 8 14:59:35 2020 Summary: Security update for libjpeg-turbo Type: security Severity: moderate References: 1172491,CVE-2020-13790 This update for libjpeg-turbo fixes the following issues: - CVE-2020-13790: Fixed a heap-based buffer over-read via a malformed PPM input file (bsc#1172491). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2587-1 Released: Wed Sep 9 22:03:04 2020 Summary: Recommended update for procps Type: recommended Severity: moderate References: 1174660 This update for procps fixes the following issues: - Add fix for procps and its libraries to avoid issues with the 'free' tool. (bsc#1174660) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:2609-1 Released: Fri Sep 11 10:58:59 2020 Summary: Security update for libxml2 Type: security Severity: moderate References: 1159928,1161517,1161521,1172021,1176179,CVE-2019-19956,CVE-2019-20388,CVE-2020-24977,CVE-2020-7595 This update for libxml2 fixes the following issues: - CVE-2019-20388: Fixed a memory leak in xmlSchemaPreRun (bsc#1161521). - CVE-2020-7595: Fixed an infinite loop in an EOF situation (bsc#1161517). - CVE-2020-24977: Fixed a global-buffer-overflow in xmlEncodeEntitiesInternal (bsc#1176179). - Fixed invalid xmlns references due to CVE-2019-19956 (bsc#1172021). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:2660-1 Released: Wed Sep 16 16:15:10 2020 Summary: Security update for libsolv Type: security Severity: moderate References: 1120629,1120630,1120631,1127155,1131823,1137977,CVE-2018-20532,CVE-2018-20533,CVE-2018-20534 This update for libsolv fixes the following issues: This is a reissue of an existing libsolv update that also included libsolv-devel for LTSS products. libsolv was updated to version 0.6.36 fixes the following issues: Security issues fixed: - CVE-2018-20532: Fixed a NULL pointer dereference in testcase_read() (bsc#1120629). - CVE-2018-20533: Fixed a NULL pointer dereference in testcase_str2dep_complex() (bsc#1120630). - CVE-2018-20534: Fixed a NULL pointer dereference in pool_whatprovides() (bsc#1120631). Non-security issues fixed: - Made cleandeps jobs on patterns work (bsc#1137977). - Fixed an issue multiversion packages that obsolete their own name (bsc#1127155). - Keep consistent package name if there are multiple alternatives (bsc#1131823). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:79-1 Released: Wed Sep 16 16:17:11 2020 Summary: Security update for libzypp Type: security Severity: moderate References: 1158763,CVE-2019-18900 This update for libzypp fixes the following issues: Security issue fixed: - CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2777-1 Released: Tue Sep 29 11:26:41 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1169488,1173227 This update for systemd fixes the following issues: - Fixes some file mode inconsistencies for some ghost files (bsc#1173227) - Fixes an issue where the system could hang on reboot (bsc#1169488) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:2900-1 Released: Tue Oct 13 14:20:15 2020 Summary: Security update for libproxy Type: security Severity: important References: 1176410,1177143,CVE-2020-25219,CVE-2020-26154 This update for libproxy fixes the following issues: - CVE-2020-25219: Rewrote url::recvline to be nonrecursive (bsc#1176410). - CVE-2020-26154: Fixed a buffer overflow when PAC is enabled (bsc#1177143). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2959-1 Released: Tue Oct 20 12:33:48 2020 Summary: Recommended update for file Type: recommended Severity: moderate References: 1176123 This update for file fixes the following issues: - Fixes an issue when file displays broken 'ELF' interpreter. (bsc#1176123) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:2998-1 Released: Thu Oct 22 10:04:33 2020 Summary: Security update for freetype2 Type: security Severity: important References: 1177914,CVE-2020-15999 This update for freetype2 fixes the following issues: - CVE-2020-15999: fixed a heap buffer overflow found in the handling of embedded PNG bitmaps (bsc#1177914). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3024-1 Released: Fri Oct 23 14:21:54 2020 Summary: Security update for glibc Type: security Severity: moderate References: 1149332,1165784,1171878,1172085,1176013,CVE-2020-10029 This update for glibc fixes the following issues: - CVE-2020-10029: Fixed a stack corruption from range reduction of pseudo-zero (bsc#1165784) - Use posix_spawn on popen (bsc#1149332, bsc#1176013) - Correct locking and cancellation cleanup in syslog functions (bsc#1172085) - Fixed concurrent changes on nscd aware files (bsc#1171878) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3156-1 Released: Wed Nov 4 15:21:49 2020 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1177864 This update for ca-certificates-mozilla fixes the following issues: The SSL Root CA store was updated to the 2.44 state of the Mozilla NSS Certificate store (bsc#1177864) - Removed CAs: - EE Certification Centre Root CA - Taiwan GRCA - Added CAs: - Trustwave Global Certification Authority - Trustwave Global ECC P256 Certification Authority - Trustwave Global ECC P384 Certification Authority ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3263-1 Released: Tue Nov 10 09:48:14 2020 Summary: Security update for gcc10 Type: security Severity: moderate References: 1172798,1172846,1173972,1174753,1174817,1175168,CVE-2020-13844 This update for gcc10 fixes the following issues: This update provides the GCC10 compiler suite and runtime libraries. The base SUSE Linux Enterprise libraries libgcc_s1, libstdc++6 are replaced by the gcc10 variants. The new compiler variants are available with '-10' suffix, you can specify them via: CC=gcc-10 CXX=g++-10 or similar commands. For a detailed changelog check out https://gcc.gnu.org/gcc-10/changes.html ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3314-1 Released: Thu Nov 12 16:10:36 2020 Summary: Security update for openldap2 Type: security Severity: important References: 1178387,CVE-2020-25692 This update for openldap2 fixes the following issues: - CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3346-1 Released: Mon Nov 16 17:44:39 2020 Summary: Recommended update for zypper Type: recommended Severity: moderate References: 1169947,1178038 This update for zypper fixes the following issues: - Fixed an issue, where zypper crashed when the system language is set to Spanish and the user tried to patch their system with 'zypper patch --category security' (bsc#1178038) - Fixed a typo in man page (bsc#1169947) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3379-1 Released: Thu Nov 19 09:30:16 2020 Summary: Security update for krb5 Type: security Severity: moderate References: 1178512,CVE-2020-28196 This update for krb5 fixes the following security issue: - CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3489-1 Released: Mon Nov 23 14:07:29 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1083571,1139459,1176513,1176800,1177458,1177510 This update for systemd fixes the following issues: - Create systemd-remote user only if journal-remote is included with the package (bsc#1177458) - Fixed a buffer overflow in systemd ask-password (bsc#1177510) - Fixed an issue in the boot process, when the system has an NFS moiunt on fstab that uses the 'bg' option while the NFS server is not reachable (bsc#1176513) - Fixed an issue with the try-restart command, where services won't restart (bsc#1139459) Exclusively for SUSE Linux Enterprise 12 SP5: - cryptsetup: support LUKS2 on-disk format (bsc#1083571, jsc#SLE-13842)