Linux Security
    Linux Security
    Linux Security

    SUSE: 2021:19-1 ses/6/rook/ceph Security Update

    Date 07 Jan 2021
    334
    Posted By LinuxSecurity Advisories
    The container ses/6/rook/ceph was updated. The following patches have been included in this update:
    SUSE Container Update Advisory: ses/6/rook/ceph
    -----------------------------------------------------------------
    Container Advisory ID : SUSE-CU-2021:19-1
    Container Tags        : ses/6/rook/ceph:1.1.1.0 , ses/6/rook/ceph:1.1.1.0.1.5.334 , ses/6/rook/ceph:latest
    Container Release     : 1.5.334
    Severity              : important
    Type                  : security
    References            : 1084671 1123327 1145276 1150164 1155094 1158499 1160158 1160790
                            1161088 1161089 1161198 1161203 1161670 1161913 1163569 1165281
                            1165534 1166848 1167939 1169006 1169134 1170487 1172546 1172695
                            1172798 1173503 1174091 1174232 1174571 1174591 1174593 1174701
                            1174918 1174918 1174942 1175061 1175110 1175240 1175514 1175585
                            1175623 1175781 1175847 1176116 1176192 1176192 1176256 1176257
                            1176258 1176259 1176262 1176262 1176435 1176435 1176712 1176712
                            1176740 1176740 1176902 1176902 1176988 1177120 1177211 1177238
                            1177238 1177458 1177479 1177490 1177510 1177533 1177843 1177858
                            1178009 1178346 1178376 1178387 1178512 1178554 1178577 1178614
                            1178624 1178675 1178727 1178823 1178825 1178837 1179036 1179139
                            1179193 1179193 1179341 1179398 1179399 1179431 1179452 1179491
                            1179593 1179630 1179802 1180118 1180138 1180155 1180377 935885
                            935885 998893 CVE-2019-16785 CVE-2019-16786 CVE-2019-16789 CVE-2019-16792
                            CVE-2019-16935 CVE-2019-18348 CVE-2019-20907 CVE-2019-20916 CVE-2019-20916
                            CVE-2019-5010 CVE-2020-13844 CVE-2020-14422 CVE-2020-15166 CVE-2020-1971
                            CVE-2020-25660 CVE-2020-25692 CVE-2020-26116 CVE-2020-26137 CVE-2020-27619
                            CVE-2020-27781 CVE-2020-28196 CVE-2020-8284 CVE-2020-8285 CVE-2020-8286
                            CVE-2020-8492 
    -----------------------------------------------------------------
    
    The container ses/6/rook/ceph was updated. The following patches have been included in this update:
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-RU-2020:3048-1
    Released:    Tue Oct 27 16:04:52 2020
    Summary:     Recommended update for libsolv, libzypp, yaml-cpp, zypper
    Type:        recommended
    Severity:    moderate
    References:  1174918,1176192,1176435,1176712,1176740,1176902,1177238,935885
    This update for libsolv, libzypp, yaml-cpp, zypper fixes the following issues:
    
    libzypp was updated to 17.25.1:
    
    - When kernel-rt has been installed, the purge-kernels service fails during boot. (bsc#1176902)
    - Use package name provides as group key in purge-kernel (bsc#1176740 bsc#1176192)
      kernel-default-base has new packaging, where the kernel uname -r
      does not reflect the full package version anymore. This patch
      adds additional logic to use the most generic/shortest edition
      each package provides with %{packagename}= to group the
      kernel packages instead of the rpm versions.
      This also changes how the keep-spec for specific versions is
      applied, instead of matching the package versions, each of the
      package name provides will be matched.
    - RepoInfo: Return the type of the local metadata cache as
      fallback (bsc#1176435)
    - VendorAttr: Fix broken 'suse,opensuse' equivalence handling.
      Enhance API and testcases. (bsc#1174918)
    - Update docs regarding 'opensuse' namepace matching.
    - Link against libzstd to close libsolvs open references
      (as we link statically)
    
    yaml-cpp:
    
    - The libyaml-cpp0_6 library package is added the to the Basesystem module, LTSS and ESPOS
      channels, and the INSTALLER channels, as a new libzypp dependency.
    
      No source changes were done to yaml-cpp.
    
    zypper was updated to 1.14.40:
    
    - info: Assume descriptions starting with '

    ' are richtext (bsc#935885) - help: prevent 'whatis' from writing to stderr (bsc#1176712) - wp: point out that command is aliased to a search command and searches case-insensitive (jsc#SLE-16271) libsolv was updated to 0.7.15 to fix: - make testcase_mangle_repo_names deal correctly with freed repos [bsc#1177238] - fix deduceq2addedmap clearing bits outside of the map - conda: feature depriorization first - conda: fix startswith implementation - move find_update_seeds() call in cleandeps calculation - set SOLVABLE_BUILDHOST in rpm and rpmmd parsers - new testcase_mangle_repo_names() function - new solv_fmemopen() function ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3264-1 Released: Tue Nov 10 09:50:29 2020 Summary: Security update for zeromq Type: security Severity: moderate References: 1176116,1176256,1176257,1176258,1176259,CVE-2020-15166 This update for zeromq fixes the following issues: - CVE-2020-15166: Fixed the possibility of unauthenticated clients causing a denial-of-service (bsc#1176116). - Fixed a heap overflow when receiving malformed ZMTP v1 packets (bsc#1176256) - Fixed a memory leak in client induced by malicious server(s) without CURVE/ZAP (bsc#1176257) - Fixed memory leak when processing PUB messages with metadata (bsc#1176259) - Fixed a stack overflow in PUB/XPUB subscription store (bsc#1176258) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3269-1 Released: Tue Nov 10 15:57:24 2020 Summary: Security update for python-waitress Type: security Severity: moderate References: 1160790,1161088,1161089,1161670,CVE-2019-16785,CVE-2019-16786,CVE-2019-16789,CVE-2019-16792 This update for python-waitress to 1.4.3 fixes the following security issues: - CVE-2019-16785: HTTP request smuggling through LF vs CRLF handling (bsc#1161088). - CVE-2019-16786: HTTP request smuggling through invalid Transfer-Encoding (bsc#1161089). - CVE-2019-16789: HTTP request smuggling through invalid whitespace characters (bsc#1160790). - CVE-2019-16792: HTTP request smuggling by sending the Content-Length header twice (bsc#1161670). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3285-1 Released: Wed Nov 11 11:22:14 2020 Summary: Recommended update for libsolv, libzypp, zypper Type: recommended Severity: moderate References: 1174918,1176192,1176435,1176712,1176740,1176902,1177238,935885 This update for libsolv, libzypp, zypper fixes the following issues: libzypp was updated to version 17.25.1: - Fix bsc#1176902: When kernel-rt has been installed, the purge-kernels service fails during boot. - Use package name provides as group key in purge-kernel (bsc#1176740 bsc#1176192) kernel-default-base has new packaging, where the kernel uname -r does not reflect the full package version anymore. This patch adds additional logic to use the most generic/shortest edition each package provides with %{packagename}= to group the kernel packages instead of the rpm versions. This also changes how the keep-spec for specific versions is applied, instead of matching the package versions, each of the package name provides will be matched. - RepoInfo: Return the type of the local metadata cache as fallback (bsc#1176435) - VendorAttr: Fix broken 'suse,opensuse' equivalence handling. Enhance API and testcases. (bsc#1174918) - Update docs regarding 'opensuse' namepace matching. - New solver testcase format. - Link against libzsd to close libsolvs open references (as we link statically) zypper was updated to version 1.14.40. - info: Assume descriptions starting with '

    ' are richtext (bsc#935885) - Use new testcase API in libzypp. - BuildRequires: libzypp-devel >= 17.25.0. - help: prevent 'whatis' from writing to stderr (bsc#1176712) - wp: point out that command is aliased to a search command and searches case-insensitive (jsc#SLE-16271) libsolv was updated to version 0.7.16: - do not ask the namespace callback for splitprovides when writing a testcase - fix add_complex_recommends() selecting conflicted packages in rare cases leading to crashes - improve choicerule generation so that package updates are prefered in more cases - make testcase_mangle_repo_names deal correctly with freed repos [bsc#1177238] - fix deduceq2addedmap clearing bits outside of the map - conda: feature depriorization first - conda: fix startswith implementation - move find_update_seeds() call in cleandeps calculation - set SOLVABLE_BUILDHOST in rpm and rpmmd parsers - new testcase_mangle_repo_names() function - new solv_fmemopen() function ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3289-1 Released: Wed Nov 11 12:25:19 2020 Summary: Recommended update for python-cheroot Type: recommended Severity: moderate References: 1176988 This update for python-cheroot fixes the following issue: - Ignore OpenSSL's 1.1+ Error 0 under any Python while wrapping a socket. (bsc#1176988) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3290-1 Released: Wed Nov 11 12:25:32 2020 Summary: Recommended update for findutils Type: recommended Severity: moderate References: 1174232 This update for findutils fixes the following issues: - Do not unconditionally use leaf optimization for NFS. (bsc#1174232) NFS st_nlink are not accurate on all implementations, leading to aborts() if that assumption is made. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3313-1 Released: Thu Nov 12 16:07:37 2020 Summary: Security update for openldap2 Type: security Severity: important References: 1178387,CVE-2020-25692 This update for openldap2 fixes the following issues: - CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3377-1 Released: Thu Nov 19 09:29:32 2020 Summary: Security update for krb5 Type: security Severity: moderate References: 1178512,CVE-2020-28196 This update for krb5 fixes the following security issue: - CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3381-1 Released: Thu Nov 19 10:53:38 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1177458,1177490,1177510 This update for systemd fixes the following issues: - build-sys: optionally disable support of journal over the network (bsc#1177458) - ask-password: prevent buffer overflow when reading from keyring (bsc#1177510) - mount: don't propagate errors from mount_setup_unit() further up - Rely on the new build option --disable-remote for journal_remote This allows to drop the workaround that consisted in cleaning journal-upload files and {sysusers.d,tmpfiles.d}/systemd-remote.conf manually when 'journal_remote' support was disabled. - Move journal-{remote,upload}.conf.5.gz man pages into systemd-journal_remote sub package - Make sure {sysusers.d,tmpfiles.d}/systemd-remote.conf are not shipped with --without=journal_remote (bsc#1177458) These files were incorrectly packaged in the main package when systemd-journal_remote was disabled. - Make use of %{_unitdir} and %{_sysusersdir} - Remove mq-deadline selection from 60-io-scheduler.rules (bsc#1177490) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3462-1 Released: Fri Nov 20 13:14:35 2020 Summary: Recommended update for pam and sudo Type: recommended Severity: moderate References: 1174593,1177858,1178727 This update for pam and sudo fixes the following issue: pam: - pam_xauth: do not *free* a string which has been successfully passed to *putenv*. (bsc#1177858) - Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727) - Run /usr/bin/xauth using the old user's and group's identifiers. (bsc#1174593) sudo: - Fix a problem with pam_xauth which checks effective and real uids to get the real identity of the user. (bsc#1174593) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3485-1 Released: Mon Nov 23 13:10:36 2020 Summary: Recommended update for lvm2 Type: recommended Severity: moderate References: 1123327,1173503,1175110,998893 This update for lvm2 fixes the following issues: - Fixed an issue when the hot spares in LVM not added automatically. (bsc#1175110) - Fixed an issue when lvm produces a large number of luns with error message 'Too many open files'. (bsc#1173503) - Fixes an issue when LVM initialization failed during reboot. (bsc#998893) - Fixed a misplaced parameter in the lvm configuration. (bsc#1123327) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3546-1 Released: Fri Nov 27 11:21:09 2020 Summary: Recommended update for gnutls Type: recommended Severity: moderate References: 1172695 This update for gnutls fixes the following issue: - Avoid spurious audit messages about incompatible signature algorithms (bsc#1172695) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3560-1 Released: Mon Nov 30 12:21:34 2020 Summary: Recommended update for openssl-1_1 Type: recommended Severity: moderate References: 1158499,1160158,1161198,1161203,1163569,1165281,1165534,1166848,1175847,1177479 This update for openssl-1_1 fixes the following issues: This update backports various bugfixes for FIPS: - Restore private key check in EC_KEY_check_key [bsc#1177479] - Add shared secret KAT to FIPS DH selftest [bsc#1175847] - Include ECDH/DH Requirements from SP800-56Arev3 [bsc#1175847] - Fix locking issue uncovered by python testsuite (bsc#1166848) - Fix the sequence of locking operations in FIPS mode [bsc#1165534] - Fix deadlock in FIPS rand code (bsc#1165281) - Fix wrong return values of FIPS DSA and ECDH selftests (bsc#1163569) - Fix FIPS DRBG without derivation function (bsc#1161198) - Allow md5_sha1 in FIPS mode to enable TLS 1.0 (bsc#1161203) - Obsolete libopenssl-1_0_0-hmac for a clean upgrade from SLE-12 (bsc#1158499) - Restore the EVP_PBE_scrypt() behavior from before the KDF patch by treating salt=NULL as salt='' (bsc#1160158) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3566-1 Released: Mon Nov 30 16:56:52 2020 Summary: Security update for python-setuptools Type: security Severity: important References: 1176262,CVE-2019-20916 This update for python-setuptools fixes the following issues: - Fixed a directory traversal in _download_http_url() (bsc#1176262 CVE-2019-20916) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3572-1 Released: Mon Nov 30 18:12:34 2020 Summary: Recommended update for lvm2 Type: recommended Severity: important References: 1177533 This update for lvm2 fixes the following issues: - Fixed an issue where /boot logical volume was accidentally unmounted (bsc#1177533) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3579-1 Released: Tue Dec 1 14:24:31 2020 Summary: Recommended update for glib2 Type: recommended Severity: moderate References: 1178346 This update for glib2 fixes the following issues: - Add support for slim format of timezone. (bsc#1178346) - Fix DST incorrect end day when using slim format. (bsc#1178346) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3581-1 Released: Tue Dec 1 14:40:22 2020 Summary: Recommended update for libusb-1_0 Type: recommended Severity: moderate References: 1178376 This update for libusb-1_0 fixes the following issues: - Fixes a build failure for libusb for the inclusion of 'sys/time.h' on PowerPC. (bsc#1178376) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3593-1 Released: Wed Dec 2 10:33:49 2020 Summary: Security update for python3 Type: security Severity: important References: 1176262,1179193,CVE-2019-20916 This update for python3 fixes the following issues: Update to 3.6.12 (bsc#1179193), including: - Fixed a directory traversal in _download_http_url() (bsc#1176262 CVE-2019-20916) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3620-1 Released: Thu Dec 3 17:03:55 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: This update for pam fixes the following issues: - Check if the password is part of the username. (jsc#SLE-16719, jsc#SLE-16720) - Check whether the password contains a substring of of the user's name of at least `` characters length in some form. This is enabled by the new parameter `usersubstr=` ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3640-1 Released: Mon Dec 7 13:24:41 2020 Summary: Recommended update for binutils Type: recommended Severity: important References: 1179036,1179341 This update for binutils fixes the following issues: Update binutils 2.35 branch to commit 1c5243df: * Fixes PR26520, aka [bsc#1179036], a problem in addr2line with certain DWARF variable descriptions. * Also fixes PR26711, PR26656, PR26655, PR26929, PR26808, PR25878, PR26740, PR26778, PR26763, PR26685, PR26699, PR26902, PR26869, PR26711 * The above includes fixes for dwo files produced by modern dwp, fixing several problems in the DWARF reader. Update binutils to 2.35.1 and rebased branch diff: * This is a point release over the previous 2.35 version, containing bug fixes, and as an exception to the usual rule, one new feature. The new feature is the support for a new directive in the assembler: '.nop'. This directive creates a single no-op instruction in whatever encoding is correct for the target architecture. Unlike the .space or .fill this is a real instruction, and it does affect the generation of DWARF line number tables, should they be enabled. This fixes an incompatibility introduced in the latest update that broke the install scripts of the Oracle server. [bsc#1179341] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3703-1 Released: Mon Dec 7 20:17:32 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1179431 This update for aaa_base fixes the following issue: - Avoid semicolon within (t)csh login script on S/390. (bsc#1179431) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3720-1 Released: Wed Dec 9 13:36:26 2020 Summary: Security update for openssl-1_1 Type: security Severity: important References: 1179491,CVE-2020-1971 This update for openssl-1_1 fixes the following issues: - CVE-2020-1971: Fixed a null pointer dereference in EDIPARTYNAME (bsc#1179491). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3723-1 Released: Wed Dec 9 13:37:55 2020 Summary: Security update for python-urllib3 Type: security Severity: moderate References: 1177120,CVE-2020-26137 This update for python-urllib3 fixes the following issues: - CVE-2020-26137: Fixed a CRLF injection via HTTP request method (bsc#1177120). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3733-1 Released: Wed Dec 9 18:18:35 2020 Summary: Security update for curl Type: security Severity: moderate References: 1179398,1179399,1179593,CVE-2020-8284,CVE-2020-8285,CVE-2020-8286 This update for curl fixes the following issues: - CVE-2020-8286: Fixed improper OSCP verification in the client side (bsc#1179593). - CVE-2020-8285: Fixed a stack overflow due to FTP wildcard (bsc#1179399). - CVE-2020-8284: Fixed an issue where a malicius FTP server could make curl connect to a different IP (bsc#1179398). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3749-1 Released: Thu Dec 10 14:39:28 2020 Summary: Security update for gcc7 Type: security Severity: moderate References: 1150164,1161913,1167939,1172798,1178577,1178614,1178624,1178675,CVE-2020-13844 This update for gcc7 fixes the following issues: - CVE-2020-13844: Added mitigation for aarch64 Straight Line Speculation issue (bsc#1172798) - Enable fortran for the nvptx offload compiler. - Update README.First-for.SuSE.packagers - avoid assembler errors with AVX512 gather and scatter instructions when using -masm=intel. - Backport the aarch64 -moutline-atomics feature and accumulated fixes but not its default enabling. [jsc#SLE-12209, bsc#1167939] - Fixed 32bit libgnat.so link. [bsc#1178675] - Fixed memcpy miscompilation on aarch64. [bsc#1178624, bsc#1178577] - Fixed debug line info for try/catch. [bsc#1178614] - Remove -mbranch-protection=standard (aarch64 flag) when gcc7 is used to build gcc7 (ie when ada is enabled) - Fixed corruption of pass private ->aux via DF. [gcc#94148] - Fixed debug information issue with inlined functions and passed by reference arguments. [gcc#93888] - Fixed binutils release date detection issue. - Fixed register allocation issue with exception handling code on s390x. [bsc#1161913] - Fixed miscompilation of some atomic code on aarch64. [bsc#1150164] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3792-1 Released: Mon Dec 14 17:39:24 2020 Summary: Recommended update for gzip Type: recommended Severity: moderate References: 1145276 This update for gzip fixes the following issues: Update from version 1.9 to version 1.10 (jsc#ECO-2217, jsc#SLE-12974) - Enable `DFLTCC` (Deflate Conversion Call) compression for s390x for levels 1-6 to `CFLAGS`. (jsc#SLE-13775) Enable by adding `-DDFLTCC_LEVEL_MASK=0x7e` to `CFLAGS`. - Fix three data corruption issues. (bsc#1145276, jsc#SLE-5818, jsc#SLE-8914) - Add support for `DFLTCC` (hardware-accelerated deflation) for s390x arch. (jsc#SLE-5818, jsc#SLE-8914) Enable it using the `--enable-dfltcc` option. - Compressed gzip output no longer contains the current time as a timestamp when the input is not a regular file. Instead, the output contains a `null` (zero) timestamp. This makes gzip's behavior more reproducible when used as part of a pipeline. - A use of uninitialized memory on some malformed inputs has been fixed. - A few theoretical race conditions in signal handlers have been fixed. - Update gnulib for `libio.h` removal. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3853-1 Released: Wed Dec 16 12:27:27 2020 Summary: Recommended update for util-linux Type: recommended Severity: moderate References: 1084671,1169006,1174942,1175514,1175623,1178554,1178825 This update for util-linux fixes the following issue: - Do not trigger the automatic close of CDROM. (bsc#1084671) - Try to automatically configure broken serial lines. (bsc#1175514) - Avoid `sulogin` failing on not existing or not functional console devices. (bsc#1175514) - Build with `libudev` support to support non-root users. (bsc#1169006) - Avoid memory errors on PowerPC systems with valid hardware configurations. (bsc#1175623, bsc#1178554, bsc#1178825) - Fix warning on mounts to `CIFS` with mount –a. (bsc#1174942) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3921-1 Released: Tue Dec 22 15:19:17 2020 Summary: Recommended update for libpwquality Type: recommended Severity: low References: This update for libpwquality fixes the following issues: - Implement alignment with 'pam_cracklib'. (jsc#SLE-16720) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3930-1 Released: Wed Dec 23 18:19:39 2020 Summary: Security update for python3 Type: security Severity: important References: 1155094,1174091,1174571,1174701,1177211,1178009,1179193,1179630,CVE-2019-16935,CVE-2019-18348,CVE-2019-20907,CVE-2019-5010,CVE-2020-14422,CVE-2020-26116,CVE-2020-27619,CVE-2020-8492 This update for python3 fixes the following issues: - Fixed CVE-2020-27619 (bsc#1178009), where Lib/test/multibytecodec_support calls eval() on content retrieved via HTTP. - Change setuptools and pip version numbers according to new wheels - Handful of changes to make python36 compatible with SLE15 and SLE12 (jsc#ECO-2799, jsc#SLE-13738) - add triplets for mips-r6 and riscv - RISC-V needs CTYPES_PASS_BY_REF_HACK Update to 3.6.12 (bsc#1179193) * Ensure python3.dll is loaded from correct locations when Python is embedded * The __hash__() methods of ipaddress.IPv4Interface and ipaddress.IPv6Interface incorrectly generated constant hash values of 32 and 128 respectively. This resulted in always causing hash collisions. The fix uses hash() to generate hash values for the tuple of (address, mask length, network address). * Prevent http header injection by rejecting control characters in http.client.putrequest(…). * Unpickling invalid NEWOBJ_EX opcode with the C implementation raises now UnpicklingError instead of crashing. * Avoid infinite loop when reading specially crafted TAR files using the tarfile module - This release also fixes CVE-2020-26116 (bsc#1177211) and CVE-2019-20907 (bsc#1174091). Update to 3.6.11: - Disallow CR or LF in email.headerregistry. Address arguments to guard against header injection attacks. - Disallow control characters in hostnames in http.client, addressing CVE-2019-18348. Such potentially malicious header injection URLs now cause a InvalidURL to be raised. (bsc#1155094) - CVE-2020-8492: The AbstractBasicAuthHandler class of the urllib.request module uses an inefficient regular expression which can be exploited by an attacker to cause a denial of service. Fix the regex to prevent the catastrophic backtracking. Vulnerability reported by Ben Caller and Matt Schwager. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3942-1 Released: Tue Dec 29 12:22:01 2020 Summary: Recommended update for libidn2 Type: recommended Severity: moderate References: 1180138 This update for libidn2 fixes the following issues: - The library is actually dual licensed, GPL-2.0-or-later or LGPL-3.0-or-later, adjusted the RPM license tags (bsc#1180138) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3943-1 Released: Tue Dec 29 12:24:45 2020 Summary: Recommended update for libxml2 Type: recommended Severity: moderate References: 1178823 This update for libxml2 fixes the following issues: Avoid quadratic checking of identity-constraints, speeding up XML validation (bsc#1178823) * key/unique/keyref schema attributes currently use quadratic loops to check their various constraints (that keys are unique and that keyrefs refer to existing keys). * This fix uses a hash table to avoid the quadratic behaviour. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3946-1 Released: Tue Dec 29 17:39:54 2020 Summary: Recommended update for python3 Type: recommended Severity: important References: 1180377 This update for python3 fixes the following issues: - A previous update inadvertently removed the 'PyFPE_jbuf' symbol from Python3, which caused regressions in several applications. (bsc#1180377) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:24-1 Released: Tue Jan 5 11:02:26 2021 Summary: Security update for ceph Type: security Severity: moderate References: 1169134,1170487,1172546,1174591,1175061,1175240,1175585,1175781,1177843,1178837,1179139,1179452,1179802,1180118,1180155,CVE-2020-25660,CVE-2020-27781 This update for ceph fixes the following issues: - CVE-2020-25660: Bring back CEPHX_V2 authorizer challenges (bsc#1177843). - CVE-2020-27781: Fixed a privilege escalation via the ceph_volume_client Python interface (bsc#1179802 bsc#1180155). - Fixes an issue when check in legacy collection reaches end. (bsc#1179139) - Fixes an issue when storage service stops. (bsc#1178837) - Fix for failing test run due to missing module 'six'. (bsc#1179452) - Documented Prometheus' security model (bsc#1169134) - monclient: Fixed an issue where executing several ceph commands in a short amount of time led to a segmentation fault (bsc#1170487) - Fixed an issue, where it was not possible to edit an iSCSI logged-in client (bsc#1174591) - Fixed an issue, where OSDs could not get started after they failed (bsc#1175061) - Fixed an issue with the restful module, where it aborted on execution for POST calls (bsc#1175240) - Fixed a many-to-many issue in host-details Grafana dashboard (bsc#1175585) - Fixed collection_list ordering in os/bluestore (bsc#1172546) - Fixed help output of lvmcache (bsc#1175781) - Provide a different name for the fallback allocator in bluestore. (bsc#1180118)

    Advisories

    LinuxSecurity Poll

    'Tis the season of giving! How have you given back to the open-source community?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/49-tis-the-season-of-giving-how-have-you-given-back-to-the-open-source-community?task=poll.vote&format=json
    49
    radio
    [{"id":"171","title":"I've contributed to the development of an open-source project.","votes":"11","type":"x","order":"1","pct":34.38,"resources":[]},{"id":"172","title":"I've reviewed open-source code for security bugs.","votes":"6","type":"x","order":"2","pct":18.75,"resources":[]},{"id":"173","title":"I've made a donation to an open-source project.","votes":"15","type":"x","order":"3","pct":46.88,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350

    Please vote first in order to view vote results.


    VIEW MORE POLLS

    bottom 200

    Please enable / Bitte aktiviere JavaScript!
    Veuillez activer / Por favor activa el Javascript![ ? ]

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.