Linux Security

    SUSE: 2021:13-1 harbor/harbor-test Security Update

    Date 04 Jan 2021
    Posted By LinuxSecurity Advisories
    The container harbor/harbor-test was updated. The following patches have been included in this update:
    SUSE Container Update Advisory: harbor/harbor-test
    -----------------------------------------------------------------
    Container Advisory ID : SUSE-CU-2021:13-1
    Container Tags        : harbor/harbor-test:2.1.2 , harbor/harbor-test:2.1.2-rev1 , harbor/harbor-test:2.1.2-rev1-build7.7
    Container Release     : 7.7
    Severity              : important
    Type                  : security
    References            : 1084671 1098449 1144793 1155094 1168771 1169006 1174091 1174232
                            1174571 1174593 1174701 1174942 1175514 1175623 1176262 1177120
                            1177211 1177458 1177490 1177510 1177533 1177658 1177858 1177864
                            1177998 1178009 1178168 1178346 1178376 1178387 1178512 1178554
                            1178727 1178823 1178825 1178882 1179193 1179398 1179399 1179431
                            1179491 1179515 1179593 1179615 1179630 1180138 1180377
                            CVE-2019-16935 CVE-2019-18348 CVE-2019-20907 CVE-2019-20916
                            CVE-2019-5010 CVE-2020-14422 CVE-2020-1971 CVE-2020-25659
                            CVE-2020-25692 CVE-2020-26116 CVE-2020-26137 CVE-2020-27619
                            CVE-2020-28196 CVE-2020-8277 CVE-2020-8284 CVE-2020-8285
                            CVE-2020-8286 CVE-2020-8492
    -----------------------------------------------------------------
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-RU-2020:3157-1
    Released:    Wed Nov  4 15:37:05 2020
    Summary:     Recommended update for ca-certificates-mozilla
    Type:        recommended
    Severity:    moderate
    References:  1177864
    This update for ca-certificates-mozilla fixes the following issues:
    
    The SSL Root CA store was updated to the 2.44 state of the Mozilla NSS Certificate store (bsc#1177864)
    
    - Removed CAs:
    
      - EE Certification Centre Root CA
      - Taiwan GRCA
    
    - Added CAs:
    
      - Trustwave Global Certification Authority
      - Trustwave Global ECC P256 Certification Authority
      - Trustwave Global ECC P384 Certification Authority
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-RU-2020:3290-1
    Released:    Wed Nov 11 12:25:32 2020
    Summary:     Recommended update for findutils
    Type:        recommended
    Severity:    moderate
    References:  1174232
    This update for findutils fixes the following issues:
    
    - Do not unconditionally use leaf optimization for NFS. (bsc#1174232)
      st_nlink is not accurate on all NFS implementations, so relying on it for the leaf optimization made find abort().
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-RU-2020:3294-1
    Released:    Wed Nov 11 12:28:46 2020
    Summary:     Recommended update for SLES-release
    Type:        recommended
    Severity:    moderate
    References:  1177998
    This update for SLES-release fixes the following issue:
    
    - Obsolete Leap 15.2.1 (jump) to allow migration from Jump/Leap 15.2.1 to SLE 15 SP2. (bsc#1177998)
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-SU-2020:3313-1
    Released:    Thu Nov 12 16:07:37 2020
    Summary:     Security update for openldap2
    Type:        security
    Severity:    important
    References:  1178387,CVE-2020-25692
    This update for openldap2 fixes the following issues:
    
    - CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387).
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-SU-2020:3377-1
    Released:    Thu Nov 19 09:29:32 2020
    Summary:     Security update for krb5
    Type:        security
    Severity:    moderate
    References:  1178512,CVE-2020-28196
    This update for krb5 fixes the following security issue:
    
    - CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512).
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-RU-2020:3381-1
    Released:    Thu Nov 19 10:53:38 2020
    Summary:     Recommended update for systemd
    Type:        recommended
    Severity:    moderate
    References:  1177458,1177490,1177510
    This update for systemd fixes the following issues:
    
    - build-sys: optionally disable support of journal over the network (bsc#1177458)
    - ask-password: prevent buffer overflow when reading from keyring (bsc#1177510)
    - mount: don't propagate errors from mount_setup_unit() further up
    - Rely on the new build option --disable-remote for journal_remote
      This allows dropping the workaround that consisted of cleaning journal-upload files and
      {sysusers.d,tmpfiles.d}/systemd-remote.conf manually when 'journal_remote' support was disabled.
    - Move journal-{remote,upload}.conf.5.gz man pages into systemd-journal_remote sub package 
    - Make sure {sysusers.d,tmpfiles.d}/systemd-remote.conf are not shipped with --without=journal_remote (bsc#1177458)
      These files were incorrectly packaged in the main package when systemd-journal_remote was disabled.
    - Make use of %{_unitdir} and %{_sysusersdir}
    - Remove mq-deadline selection from 60-io-scheduler.rules (bsc#1177490)
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-RU-2020:3462-1
    Released:    Fri Nov 20 13:14:35 2020
    Summary:     Recommended update for pam and sudo
    Type:        recommended
    Severity:    moderate
    References:  1174593,1177858,1178727
    This update for pam and sudo fixes the following issues:
    
    pam:
    
    - pam_xauth: do not *free* a string which has been successfully passed to *putenv*. (bsc#1177858)
    - Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727)
    - Run /usr/bin/xauth using the old user's and group's identifiers. (bsc#1174593)
    
    sudo:
    
    - Fix a problem with pam_xauth which checks effective and real uids to get the real identity of the user. (bsc#1174593)
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-SU-2020:3478-1
    Released:    Mon Nov 23 09:33:17 2020
    Summary:     Security update for c-ares
    Type:        security
    Severity:    moderate
    References:  1178882,CVE-2020-8277
    This update for c-ares fixes the following issues:
    
    - Version update to 1.17.0
      * CVE-2020-8277: Fixed a Denial of Service through DNS request (bsc#1178882)
      * For further details see https://c-ares.haxx.se/changelog.html
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-SU-2020:3566-1
    Released:    Mon Nov 30 16:56:52 2020
    Summary:     Security update for python-setuptools
    Type:        security
    Severity:    important
    References:  1176262,CVE-2019-20916
    This update for python-setuptools fixes the following issues:
    
    - Fixed a directory traversal in _download_http_url() (bsc#1176262 CVE-2019-20916)
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-RU-2020:3581-1
    Released:    Tue Dec  1 14:40:22 2020
    Summary:     Recommended update for libusb-1_0
    Type:        recommended
    Severity:    moderate
    References:  1178376
    This update for libusb-1_0 fixes the following issues:
    
    - Fixes a build failure for libusb for the inclusion of 'sys/time.h' on PowerPC. (bsc#1178376)
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-SU-2020:3592-1
    Released:    Wed Dec  2 10:31:34 2020
    Summary:     Security update for python-cryptography
    Type:        security
    Severity:    moderate
    References:  1178168,CVE-2020-25659
    This update for python-cryptography fixes the following issues:
    
    - CVE-2020-25659: Attempted to mitigate Bleichenbacher attacks on RSA decryption (bsc#1178168).
     
    -----------------------------------------------------------------
    Advisory ID: SUSE-SU-2020:3593-1
    Released:    Wed Dec  2 10:33:49 2020
    Summary:     Security update for python3
    Type:        security
    Severity:    important
    References:  1176262,1179193,CVE-2019-20916
    This update for python3 fixes the following issues:
    
    Update to 3.6.12 (bsc#1179193), including:
    
    - Fixed a directory traversal in _download_http_url() (bsc#1176262 CVE-2019-20916)
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-RU-2020:3616-1
    Released:    Thu Dec  3 10:56:12 2020
    Summary:     Recommended update for c-ares
    Type:        recommended
    Severity:    moderate
    References:  1178882
    This update for c-ares fixes the following issue:
    
    - Fixed incomplete c-ares-devel dependencies introduced by the previous update (bsc#1178882).
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-RU-2020:3620-1
    Released:    Thu Dec  3 17:03:55 2020
    Summary:     Recommended update for pam
    Type:        recommended
    Severity:    moderate
    References:  
    This update for pam fixes the following issues:
    
    - Check if the password is part of the username. (jsc#SLE-16719, jsc#SLE-16720)
      - Check whether the password contains a substring of the user's name of at least `` characters length in
      some form. This is enabled by the new parameter `usersubstr=`
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-RU-2020:3626-1
    Released:    Fri Dec  4 13:51:46 2020
    Summary:     Recommended update for audit
    Type:        recommended
    Severity:    moderate
    References:  1179515
    This update for audit fixes the following issues:
    
    - Enable Aarch64 processor support. (bsc#1179515) 
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-RU-2020:3703-1
    Released:    Mon Dec  7 20:17:32 2020
    Summary:     Recommended update for aaa_base
    Type:        recommended
    Severity:    moderate
    References:  1179431
    This update for aaa_base fixes the following issue:
    
    - Avoid semicolon within (t)csh login script on S/390. (bsc#1179431)
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-SU-2020:3721-1
    Released:    Wed Dec  9 13:36:46 2020
    Summary:     Security update for openssl-1_1
    Type:        security
    Severity:    important
    References:  1179491,CVE-2020-1971
    This update for openssl-1_1 fixes the following issues:
    
    - CVE-2020-1971: Fixed a NULL pointer dereference in GENERAL_NAME_cmp when comparing EDIPARTYNAME entries (bsc#1179491).
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-SU-2020:3723-1
    Released:    Wed Dec  9 13:37:55 2020
    Summary:     Security update for python-urllib3
    Type:        security
    Severity:    moderate
    References:  1177120,CVE-2020-26137
    This update for python-urllib3 fixes the following issues:
    
    - CVE-2020-26137: Fixed a CRLF injection via the HTTP request method (bsc#1177120).
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-SU-2020:3735-1
    Released:    Wed Dec  9 18:19:24 2020
    Summary:     Security update for curl
    Type:        security
    Severity:    moderate
    References:  1179398,1179399,1179593,CVE-2020-8284,CVE-2020-8285,CVE-2020-8286
    This update for curl fixes the following issues:
    
    - CVE-2020-8286: Fixed improper OCSP stapling verification on the client side, where curl did not check that the stapled OCSP response actually matched the server certificate (bsc#1179593).
    - CVE-2020-8285: Fixed a stack overflow from uncontrolled recursion in FTP wildcard matching (bsc#1179399).
    - CVE-2020-8284: Fixed an issue where a malicious FTP server could, via its PASV reply, make curl connect to a different IP address (bsc#1179398).
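    The PASV case above (CVE-2020-8284) comes down to a parsing and policy decision in the client: the server's reply carries both a host and a port, and a hostile server can name a third party as the host. The following is an added example, not curl's code, that parses PASV and EPSV replies and applies the policy curl made its default in the fix (the --ftp-skip-pasv-ip behaviour: keep the control connection's host, take only the port from the reply). All function names and the sample replies are this example's own.

```python
"""Added example, not curl's code: parse FTP PASV/EPSV replies and decide
which address the data connection may use. CVE-2020-8284 is the case where
the PASV reply names a host other than the one the control connection is
talking to. Names and sample replies here are this example's own."""
import re

# RFC 959: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."
_PASV_RE = re.compile(
    r"^227\D*(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
# RFC 2428: "229 Entering Extended Passive Mode (|||port|)" carries no host
# at all, which is why EPSV does not have this problem.
_EPSV_RE = re.compile(r"^229\D*\(\|\|\|(\d{1,5})\|\)")


def parse_pasv(reply: str):
    """Return (host, port) exactly as advertised, validating every field."""
    m = _PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a PASV reply: %r" % reply)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("value out of range in PASV reply: %r" % reply)
    host = ".".join(str(n) for n in nums[:4])
    port = (nums[4] << 8) | nums[5]
    if port == 0:
        raise ValueError("PASV reply advertises port 0")
    return host, port


def pasv_is_valid(reply: str) -> bool:
    """True when the reply is well formed; used for the negative cases."""
    try:
        parse_pasv(reply)
        return True
    except ValueError:
        return False


def parse_epsv(reply: str) -> int:
    """Return the port from an EPSV reply; there is no host to distrust."""
    m = _EPSV_RE.match(reply.strip())
    if not m:
        raise ValueError("not an EPSV reply: %r" % reply)
    port = int(m.group(1))
    if not 0 < port <= 65535:
        raise ValueError("EPSV port out of range: %d" % port)
    return port


def data_endpoint(reply: str, control_host: str, trust_pasv_host: bool = False):
    """Pick (host, port, redirected) for the data connection.

    redirected is True when the server asked us to connect somewhere other
    than itself. By default that request is ignored and the control
    connection's host is reused. trust_pasv_host=True restores the old,
    vulnerable behaviour (what curl did before --ftp-skip-pasv-ip became
    the default) for the rare legitimate multi-homed server.
    """
    host, port = parse_pasv(reply)
    redirected = host != control_host
    if redirected and not trust_pasv_host:
        host = control_host
    return host, port, redirected


if __name__ == "__main__":
    # Constructed replies: the second one points the client at a third party.
    honest = "227 Entering Passive Mode (192,0,2,10,195,80)."
    hostile = "227 Entering Passive Mode (198,51,100,7,4,1)."
    print(data_endpoint(honest, "192.0.2.10"))    # ('192.0.2.10', 50000, False)
    print(data_endpoint(hostile, "192.0.2.10"))   # ('192.0.2.10', 1025, True)
    print(parse_epsv("229 Entering Extended Passive Mode (|||6446|)"))  # 6446
```

    The redirected flag is worth logging even when the host is overridden: a server that keeps pointing clients elsewhere is either misconfigured or hostile, and either way the operator wants to know.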
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-RU-2020:3791-1
    Released:    Mon Dec 14 17:39:19 2020
    Summary:     Recommended update for gzip
    Type:        recommended
    Severity:    moderate
    References:  
    This update for gzip fixes the following issue:
    
    - Enable `DFLTCC` (Deflate Conversion Call) hardware compression on s390x for compression levels 1-6. (jsc#SLE-13775)
      
      Enabled by adding `-DDFLTCC_LEVEL_MASK=0x7e` to `CFLAGS`.
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-RU-2020:3809-1
    Released:    Tue Dec 15 13:46:05 2020
    Summary:     Recommended update for glib2
    Type:        recommended
    Severity:    moderate
    References:  1178346
    This update for glib2 fixes the following issues:
    
    Update from version 2.62.5 to version 2.62.6:
    
    - Support for slim format of timezone. (bsc#1178346)
    - Fix DST incorrect end day when using slim format. (bsc#1178346)
    - Fix SOCKS5 username/password authentication.
    - Updated translations.
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-RU-2020:3853-1
    Released:    Wed Dec 16 12:27:27 2020
    Summary:     Recommended update for util-linux
    Type:        recommended
    Severity:    moderate
    References:  1084671,1169006,1174942,1175514,1175623,1178554,1178825
    This update for util-linux fixes the following issues:
    
    - Do not trigger the automatic close of CDROM. (bsc#1084671)
    - Try to automatically configure broken serial lines. (bsc#1175514)
    - Avoid `sulogin` failing on non-existent or non-functional console devices. (bsc#1175514)
    - Build with `libudev` support to support non-root users. (bsc#1169006)
    - Avoid memory errors on PowerPC systems with valid hardware configurations. (bsc#1175623, bsc#1178554, bsc#1178825)
    - Fix a warning on `CIFS` mounts with `mount -a`. (bsc#1174942)
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-RU-2020:3860-1
    Released:    Thu Dec 17 10:47:37 2020
    Summary:     Recommended update for tcl
    Type:        recommended
    Severity:    moderate
    References:  1179615
    This update for tcl fixes the following issue:
    
    - `TCL_LIBS` in `tclConfig.sh` could break builds on newer service packs. (bsc#1179615)
    
      It is not needed for linking against a dynamic `libtcl` anyway, so it is now empty.
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-SU-2020:3930-1
    Released:    Wed Dec 23 18:19:39 2020
    Summary:     Security update for python3
    Type:        security
    Severity:    important
    References:  1155094,1174091,1174571,1174701,1177211,1178009,1179193,1179630,CVE-2019-16935,CVE-2019-18348,CVE-2019-20907,CVE-2019-5010,CVE-2020-14422,CVE-2020-26116,CVE-2020-27619,CVE-2020-8492
    This update for python3 fixes the following issues:
    
    - Fixed CVE-2020-27619 (bsc#1178009), where Lib/test/multibytecodec_support
      calls eval() on content retrieved via HTTP.
    - Change setuptools and pip version numbers according to new wheels
    - Handful of changes to make python36 compatible with SLE15 and SLE12
      (jsc#ECO-2799, jsc#SLE-13738)
    - add triplets for mips-r6 and riscv
    - RISC-V needs CTYPES_PASS_BY_REF_HACK
    
    Update to 3.6.12 (bsc#1179193)
    
    * Ensure python3.dll is loaded from correct locations when Python is embedded
    * The __hash__() methods of ipaddress.IPv4Interface and ipaddress.IPv6Interface 
      incorrectly generated constant hash values of 32 and 128 respectively. This 
      resulted in always causing hash collisions. The fix uses hash() to generate 
      hash values for the tuple of (address, mask length, network address).
    * Prevent http header injection by rejecting control characters in 
      http.client.putrequest(…).
    * Unpickling invalid NEWOBJ_EX opcode with the C implementation raises now 
      UnpicklingError instead of crashing.
    * Avoid infinite loop when reading specially crafted TAR files using the tarfile 
      module
    
    - This release also fixes CVE-2020-26116 (bsc#1177211) and CVE-2019-20907 (bsc#1174091).
    
    Update to 3.6.11:
    
    - Disallow CR or LF in email.headerregistry.Address arguments to guard
      against header injection attacks.
    - Disallow control characters in hostnames in http.client, addressing
      CVE-2019-18348. Such potentially malicious header injection URLs now
      cause a InvalidURL to be raised. (bsc#1155094)
    - CVE-2020-8492: The AbstractBasicAuthHandler class
      of the urllib.request module uses an inefficient regular
      expression which can be exploited by an attacker to cause
      a denial of service. Fix the regex to prevent the
      catastrophic backtracking. Vulnerability reported by Ben
      Caller and Matt Schwager.
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-RU-2020:3942-1
    Released:    Tue Dec 29 12:22:01 2020
    Summary:     Recommended update for libidn2
    Type:        recommended
    Severity:    moderate
    References:  1180138
    This update for libidn2 fixes the following issues:
    
    - The library is actually dual licensed, GPL-2.0-or-later or LGPL-3.0-or-later,
      adjusted the RPM license tags (bsc#1180138)
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-RU-2020:3943-1
    Released:    Tue Dec 29 12:24:45 2020
    Summary:     Recommended update for libxml2
    Type:        recommended
    Severity:    moderate
    References:  1178823
    This update for libxml2 fixes the following issues:
    
    Avoid quadratic checking of identity-constraints, speeding up XML validation (bsc#1178823)
    * key/unique/keyref schema attributes currently use quadratic loops
      to check their various constraints (that keys are unique and that
      keyrefs refer to existing keys).
    * This fix uses a hash table to avoid the quadratic behaviour.
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-RU-2020:3946-1
    Released:    Tue Dec 29 17:39:54 2020
    Summary:     Recommended update for python3
    Type:        recommended
    Severity:    important
    References:  1180377
    This update for python3 fixes the following issues:
    
    - A previous update inadvertently removed the 'PyFPE_jbuf' symbol from Python3,
      which caused regressions in several applications. (bsc#1180377)
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-RU-2021:6-1
    Released:    Mon Jan  4 07:05:06 2021
    Summary:     Recommended update for libdlm
    Type:        recommended
    Severity:    moderate
    References:  1098449,1144793,1168771,1177533,1177658
    This update for libdlm fixes the following issues:
    
    - Rework the libdlm3 Requires to use a shared-library version tag instead, so it propagates to all consuming packages. (bsc#1177658, bsc#1098449)
    - Add support for type 'uint64_t' to corosync ringid. (bsc#1168771)
    - Include some fixes/enhancements for dlm_controld. (bsc#1144793)
    - Fixed an issue where /boot logical volume was accidentally unmounted. (bsc#1177533)
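    A container advisory like this one bundles dozens of package updates, and the question a practitioner actually has is which security-type entries are in it and which CVEs they close. The following is an added example, not SUSE's or LinuxSecurity's tooling, that parses the per-package blocks in the format used above (separator line, then Advisory ID, Released, Summary, Type, Severity, References, body) and indexes the CVEs by advisory. SAMPLE is a constructed excerpt of three blocks copied from the advisory; function and class names are this example's own.

```python
"""Added example, not SUSE's or LinuxSecurity's code: parse the per-package
blocks of a SUSE container update advisory and index security fixes by CVE.
SAMPLE is a constructed excerpt in the page's format; names are this
example's own."""
import re
from dataclasses import dataclass, field

_BLOCK_SEP = re.compile(r"(?m)^-{20,}[ \t]*$")
_FIELD_RE = re.compile(
    r"^(Advisory ID|Released|Summary|Type|Severity|References):\s*(.*)$")
_CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
_FIELD_ATTR = {"Advisory ID": "advisory_id", "Released": "released",
               "Summary": "summary", "Type": "update_type",
               "Severity": "severity"}
_SEVERITY_RANK = {"low": 1, "moderate": 2, "important": 3, "critical": 4}


@dataclass
class Advisory:
    advisory_id: str = ""
    released: str = ""
    summary: str = ""
    update_type: str = ""
    severity: str = ""
    references: list = field(default_factory=list)
    description: str = ""

    @property
    def cves(self) -> set:
        """CVE ids from the References line plus any only named in the body."""
        found = set(_CVE_RE.findall(" ".join(self.references)))
        found.update(_CVE_RE.findall(self.description))
        return found


def parse_advisories(text: str) -> list:
    """Split on the dashed separator lines and read each block's header."""
    advisories = []
    for block in _BLOCK_SEP.split(text):
        lines = [line.strip() for line in block.splitlines()]
        if not any(line.startswith("Advisory ID:") for line in lines):
            continue  # preamble or trailing text, not a per-package block
        adv, body = Advisory(), []
        for line in lines:
            m = _FIELD_RE.match(line)
            if m is None:
                body.append(line)
            elif m.group(1) == "References":
                adv.references = [r for r in re.split(r"[,\s]+", m.group(2)) if r]
            else:
                setattr(adv, _FIELD_ATTR[m.group(1)], m.group(2).strip())
        adv.description = "\n".join(body).strip()
        advisories.append(adv)
    return advisories


def security_cves(advisories) -> dict:
    """CVE -> list of advisory IDs that fix it, security-type entries only."""
    index = {}
    for adv in advisories:
        if adv.update_type != "security":
            continue
        for cve in sorted(adv.cves):
            index.setdefault(cve, []).append(adv.advisory_id)
    return index


def highest_severity(advisories) -> str:
    return max((a.severity for a in advisories),
               key=lambda s: _SEVERITY_RANK.get(s, 0), default="")


# Constructed excerpt: three blocks copied from the advisory above.
SAMPLE = """\
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3290-1
Released:    Wed Nov 11 12:25:32 2020
Summary:     Recommended update for findutils
Type:        recommended
Severity:    moderate
References:  1174232
This update for findutils fixes the following issues:

- Do not unconditionally use leaf optimization for NFS. (bsc#1174232)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3313-1
Released:    Thu Nov 12 16:07:37 2020
Summary:     Security update for openldap2
Type:        security
Severity:    important
References:  1178387,CVE-2020-25692
This update for openldap2 fixes the following issues:

- CVE-2020-25692: Fixed an unauthenticated remote denial of service (bsc#1178387).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3735-1
Released:    Wed Dec  9 18:19:24 2020
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1179398,1179399,1179593,CVE-2020-8284,CVE-2020-8285,CVE-2020-8286
This update for curl fixes the following issues:

- CVE-2020-8286: Fixed improper OCSP verification in the client side (bsc#1179593).
- CVE-2020-8285: Fixed a stack overflow due to FTP wildcard (bsc#1179399).
- CVE-2020-8284: Fixed an issue where a malicious FTP server could make curl connect to a different IP (bsc#1179398).
"""

if __name__ == "__main__":
    advs = parse_advisories(SAMPLE)
    for cve, ids in sorted(security_cves(advs).items()):
        print(cve, ids)
    print("highest severity:", highest_severity(advs))
```

    Feeding the whole advisory text above through parse_advisories() yields one record per dashed block; the preamble with the container tags is skipped because it has no "Advisory ID:" line, so the index covers only the package updates.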
    
