SUSE Container Update Advisory: ses/7/rook/ceph
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:274-1
Container Tags        : ses/7/rook/ceph:1.5.12 , ses/7/rook/ceph:1.5.12.4 , ses/7/rook/ceph:1.5.12.4.1.1719 , ses/7/rook/ceph:latest , ses/7/rook/ceph:sle15.2.octopus
Container Release     : 1.1719
Severity              : important
Type                  : security
References            : 1157818 1158812 1158958 1158959 1158960 1159491 1159715 1159847
                        1159850 1160309 1160438 1160439 1164719 1172091 1172115 1172234
                        1172236 1172240 1173641 1186447 1186503 1187105 928700 928701
                        CVE-2015-3414 CVE-2015-3415 CVE-2019-19244 CVE-2019-19317 CVE-2019-19603
                        CVE-2019-19645 CVE-2019-19646 CVE-2019-19880 CVE-2019-19923 CVE-2019-19924
                        CVE-2019-19925 CVE-2019-19926 CVE-2019-19959 CVE-2019-20218 CVE-2020-13434
                        CVE-2020-13435 CVE-2020-13630 CVE-2020-13631 CVE-2020-13632 CVE-2020-15358
                        CVE-2020-35512 CVE-2020-9327 
-----------------------------------------------------------------

The container ses/7/rook/ceph was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2273-1
Released:    Thu Jul  8 09:48:48 2021
Summary:     Recommended update for libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1186447,1186503
This update for libzypp, zypper fixes the following issues:

- Enhance XML output of repo GPG options
- Add optional attributes showing the raw values actually present in the '.repo' file.
- Link all executables with -PIE (bsc#1186447)
- Ship an empty '/etc/zypp/needreboot' per default (jsc#PM-2645)
- Add 'Solvable::isBlacklisted' as superset of retracted and ptf packages (bsc#1186503)
- Fix segv if 'ZYPP_FULLOG' is set.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2292-1
Released:    Mon Jul 12 08:25:20 2021
Summary:     Security update for dbus-1
Type:        security
Severity:    important
References:  1187105,CVE-2020-35512
This update for dbus-1 fixes the following issues:

- CVE-2020-35512: Fixed a use-after-free or potential undefined behaviour caused by shared UIDs (bsc#1187105)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2320-1
Released:    Wed Jul 14 17:01:06 2021
Summary:     Security update for sqlite3
Type:        security
Severity:    important
References:  1157818,1158812,1158958,1158959,1158960,1159491,1159715,1159847,1159850,1160309,1160438,1160439,1164719,1172091,1172115,1172234,1172236,1172240,1173641,928700,928701,CVE-2015-3414,CVE-2015-3415,CVE-2019-19244,CVE-2019-19317,CVE-2019-19603,CVE-2019-19645,CVE-2019-19646,CVE-2019-19880,CVE-2019-19923,CVE-2019-19924,CVE-2019-19925,CVE-2019-19926,CVE-2019-19959,CVE-2019-20218,CVE-2020-13434,CVE-2020-13435,CVE-2020-13630,CVE-2020-13631,CVE-2020-13632,CVE-2020-15358,CVE-2020-9327
This update for sqlite3 fixes the following issues:

- Update to version 3.36.0
- CVE-2020-15358: heap-based buffer overflow in multiSelectOrderBy due to mishandling of query-flattener
  optimization (bsc#1173641)
- CVE-2020-9327: NULL pointer dereference and segmentation fault because of generated column optimizations in
  isAuxiliaryVtabOperator (bsc#1164719)
- CVE-2019-20218: selectExpander in select.c proceeds with WITH stack unwinding even after a parsing error (bsc#1160439)
- CVE-2019-19959: memory-management error via ext/misc/zipfile.c involving embedded '\0' input (bsc#1160438)
- CVE-2019-19923: improper handling of certain uses of SELECT DISTINCT in flattenSubquery may lead to null pointer
  dereference (bsc#1160309)
- CVE-2019-19924: improper error handling in sqlite3WindowRewrite() (bsc#1159850)
- CVE-2019-19925: improper handling of NULL pathname during an update of a ZIP archive (bsc#1159847)
- CVE-2019-19926: improper handling of certain errors during parsing multiSelect in select.c (bsc#1159715)
- CVE-2019-19880: exprListAppendList in window.c allows attackers to trigger an invalid pointer dereference
  (bsc#1159491)
- CVE-2019-19603: during handling of CREATE TABLE and CREATE VIEW statements, does not consider confusion with
  a shadow table name (bsc#1158960)
- CVE-2019-19646: pragma.c mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated
  columns (bsc#1158959)
- CVE-2019-19645: alter.c allows attackers to trigger infinite recursion via certain types of self-referential views
  in conjunction with ALTER TABLE statements (bsc#1158958)
- CVE-2019-19317: lookupName in resolve.c omits bits from the colUsed bitmask in the case of a generated column,
  which allows attackers to cause a denial of service (bsc#1158812)
- CVE-2019-19244: sqlite3,sqlite2,sqlite: The function sqlite3Select in select.c allows a crash if a
  sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage (bsc#1157818)
- CVE-2015-3415: sqlite3VdbeExec comparison operator vulnerability (bsc#928701)
- CVE-2015-3414: sqlite3,sqlite2: dequoting of collation-sequence names (bsc#928700)
- CVE-2020-13434: integer overflow in sqlite3_str_vappendf (bsc#1172115)
- CVE-2020-13630: use-after-free in fts3EvalNextRow (bsc#1172234)
- CVE-2020-13631: virtual table allowed to be renamed to one of its shadow tables (bsc#1172236)
- CVE-2020-13632: NULL pointer dereference via crafted matchinfo() query (bsc#1172240)
- CVE-2020-13435: Malicious SQL statements could have crashed the process that is running SQLite (bsc#1172091)

Published: July 21, 2021