Linux Security

    SUSE: 2021:5-1 suse-sles-15-chost-byos-v20210202-hvm-ssd-x86_64 Security Update

    Date: 09 Feb 2021
    Posted by: LinuxSecurity Advisories
    The container suse-sles-15-chost-byos-v20210202-hvm-ssd-x86_64 was updated. The following patches have been included in this update:
    SUSE Image Update Advisory: suse-sles-15-chost-byos-v20210202-hvm-ssd-x86_64
    -----------------------------------------------------------------
    Image Advisory ID : SUSE-IU-2021:5-1
    Image Tags        : suse-sles-15-chost-byos-v20210202-hvm-ssd-x86_64:20210202
    Image Release     : 
    Severity          : important
    Type              : security
    References        : 1027519 1047634 1050349 1093795 1094444 1108255 1108919 1111207
                            1112387 1116463 1123940 1125218 1135710 1136845 1141064 1141597
                            1145276 1148566 1153601 1155094 1170336 1173513 1173914 1174091
                            1174436 1174571 1174701 1175458 1176355 1176782 1177196 1177211
                            1177460 1177490 1178009 1178775 1178823 1178909 1179193 1179363
                            1179496 1179498 1179501 1179502 1179503 1179506 1179514 1179516
                            1179630 1179824 1180138 1180225 1180377 1180603 1180684
                            1180685 1180687 1180885 1181090 CVE-2019-16935 CVE-2019-18348
                            CVE-2019-20907 CVE-2019-5010 CVE-2020-14145 CVE-2020-14422 CVE-2020-25709
                            CVE-2020-25710 CVE-2020-26116 CVE-2020-27619 CVE-2020-29480 CVE-2020-29481
                            CVE-2020-29483 CVE-2020-29484 CVE-2020-29566 CVE-2020-29570 CVE-2020-29571
                            CVE-2020-8492 CVE-2021-23239 CVE-2021-23240 CVE-2021-3156 
    -----------------------------------------------------------------
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-RU-2020:3774-1
    Released:    Mon Dec 14 11:27:33 2020
    Summary:     Recommended update for kdump
    Type:        recommended
    Severity:    moderate
    References:  1047634,1050349,1093795,1094444,1108255,1108919,1111207,1112387,1116463,1123940,1125218,1141064,1153601,1170336,1173914,1177196
    This update for kdump fixes the following issues:
    
    - Fix multipath configuration with `user_friendly_names` and/or aliases. (bsc#1111207, bsc#1125218, bsc#1153601)
    - Recover from missing `CRASHTIME=` in `VMCOREINFO`. (bsc#1112387)
    - Clean up the use of current vs. boot network interface names. (bsc#1094444, bsc#1116463, bsc#1141064)
    - Use a custom namespace for physical NICs. (bsc#1094444, bsc#1116463, bsc#1141064)
    - Add `:force` option to `KDUMP_NETCONFIG`. (bsc#1108919)
    - Add `fence_kdump_send` when `fence-agents` are installed. (bsc#1108919)
    - Use var for path of `fence_kdump_send` and remove the unnecessary `PRESCRIPT` check. (bsc#1108919)
    - Document kdump behaviour for `fence_kdump_send`. (bsc#1108919)
    - Restore only static routes in kdump initrd. (bsc#1093795)
    - Replace obsolete perl-Bootloader library with a simpler script. (bsc#1050349)
    - Remove `console=hvc0` from command line. (bsc#1173914)
    - Set serial console from Xen command line. (bsc#1173914)
    - Remove `noefi` and `acpi_rsdp` for EFI firmware. (bsc#1123940, bsc#1170336)
    - Add `skip_balance` option to BTRFS mounts. (bsc#1108255)
    - Do not add `rd.neednet=1` to dracut command line. (bsc#1177196)
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-RU-2020:3792-1
    Released:    Mon Dec 14 17:39:24 2020
    Summary:     Recommended update for gzip
    Type:        recommended
    Severity:    moderate
    References:  1145276
    This update for gzip fixes the following issues:
    
    Update from version 1.9 to version 1.10 (jsc#ECO-2217, jsc#SLE-12974)
    
    - Enable `DFLTCC` (Deflate Conversion Call) compression on s390x for compression levels 1-6. (jsc#SLE-13775)
    
      Enabled at build time by adding `-DDFLTCC_LEVEL_MASK=0x7e` to `CFLAGS`.
    - Fix three data corruption issues. (bsc#1145276, jsc#SLE-5818, jsc#SLE-8914)
    - Add support for `DFLTCC` (hardware-accelerated deflate) on s390x. (jsc#SLE-5818, jsc#SLE-8914)
    
      Enabled with the `--enable-dfltcc` configure option.
    - Compressed gzip output no longer contains the current time as a timestamp when the input is not a regular file.
      Instead, the output contains a `null` (zero) timestamp. This makes gzip's behavior more reproducible when
      used as part of a pipeline.
    - A use of uninitialized memory on some malformed inputs has been fixed.
    - A few theoretical race conditions in signal handlers have been fixed.
    - Update gnulib for `libio.h` removal.
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-RU-2020:3803-1
    Released:    Tue Dec 15 09:40:41 2020
    Summary:     Recommended update for rsyslog
    Type:        recommended
    Severity:    moderate
    References:  1176355
    This update for rsyslog fixes the following issues:
    
    - Fixed a crash in the imfile input module (bsc#1176355)
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-SU-2020:3882-1
    Released:    Fri Dec 18 16:47:31 2020
    Summary:     Security update for openssh
    Type:        security
    Severity:    moderate
    References:  1148566,1173513,CVE-2020-14145
    This update for openssh fixes the following issues:
    
    - CVE-2020-14145: Fixed a potential information leak during host key exchange (bsc#1173513).
    - Fixed an issue where Oracle cluster verification (cluvfy) using 'scp' failed or was misinterpreted (bsc#1148566).
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-SU-2020:3916-1
    Released:    Tue Dec 22 14:16:38 2020
    Summary:     Security update for xen
    Type:        security
    Severity:    moderate
    References:  1027519,1176782,1179496,1179498,1179501,1179502,1179506,1179514,1179516,CVE-2020-29480,CVE-2020-29481,CVE-2020-29483,CVE-2020-29484,CVE-2020-29566,CVE-2020-29570,CVE-2020-29571
    This update for xen fixes the following issues:
    
    - CVE-2020-29480: Fixed an issue that could leak non-sensitive data to guest administrators (bsc#1179496 XSA-115).
    - CVE-2020-29481: Fixed an issue that allowed new domains to inherit existing xenstore node permissions (bsc#1179498 XSA-322).
    - CVE-2020-29483: Fixed an issue where guests could disturb domain cleanup (bsc#1179502 XSA-325).
    - CVE-2020-29484: Fixed an issue where guests could crash xenstored via watches (bsc#1179501 XSA-324).
    - CVE-2020-29566: Fixed undue recursion in the x86 HVM context switch code (bsc#1179506 XSA-348).
    - CVE-2020-29570: Fixed a memory ordering issue in FIFO event channel control block handling (bsc#1179514 XSA-358).
    - CVE-2020-29571: Fixed a memory ordering issue in FIFO event channel control structure handling (bsc#1179516 XSA-359).
    - Fixed an issue where dump-core reported missing `nr_pages` during a core dump (bsc#1176782).
    - Multiple other bugs (bsc#1027519)
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-SU-2020:3930-1
    Released:    Wed Dec 23 18:19:39 2020
    Summary:     Security update for python3
    Type:        security
    Severity:    important
    References:  1155094,1174091,1174571,1174701,1177211,1178009,1179193,1179630,CVE-2019-16935,CVE-2019-18348,CVE-2019-20907,CVE-2019-5010,CVE-2020-14422,CVE-2020-26116,CVE-2020-27619,CVE-2020-8492
    This update for python3 fixes the following issues:
    
    - Fixed CVE-2020-27619 (bsc#1178009), where Lib/test/multibytecodec_support
      called eval() on content retrieved via HTTP.
    - Changed the setuptools and pip version numbers according to the new wheels.
    - Handful of changes to make python36 compatible with SLE15 and SLE12
      (jsc#ECO-2799, jsc#SLE-13738)
    - Added platform triplets for mips-r6 and riscv.
    - RISC-V needs CTYPES_PASS_BY_REF_HACK.
    
    Update to 3.6.12 (bsc#1179193)
    
    * Ensure python3.dll is loaded from correct locations when Python is embedded
    * The __hash__() methods of ipaddress.IPv4Interface and ipaddress.IPv6Interface 
      incorrectly generated constant hash values of 32 and 128 respectively. This 
      resulted in always causing hash collisions. The fix uses hash() to generate 
      hash values for the tuple of (address, mask length, network address).
    * Prevent http header injection by rejecting control characters in 
      http.client.putrequest(…).
    * Unpickling an invalid NEWOBJ_EX opcode with the C implementation now raises
      UnpicklingError instead of crashing.
    * Avoid infinite loop when reading specially crafted TAR files using the tarfile 
      module
    
    - This release also fixes CVE-2020-26116 (bsc#1177211) and CVE-2019-20907 (bsc#1174091).
    
    Update to 3.6.11:
    
    - Disallow CR or LF in email.headerregistry.Address
      arguments to guard against header injection attacks.
    - Disallow control characters in hostnames in http.client, addressing
      CVE-2019-18348. Such potentially malicious header injection URLs now
      cause an InvalidURL to be raised. (bsc#1155094)
    - CVE-2020-8492: The AbstractBasicAuthHandler class
      of the urllib.request module uses an inefficient regular
      expression which can be exploited by an attacker to cause
      a denial of service. Fix the regex to prevent the
      catastrophic backtracking. Vulnerability reported by Ben
      Caller and Matt Schwager.
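
    Two of the python3 fixes above can be exercised against the running interpreter without any network access. The following is an added example, not part of the SUSE advisory or of CPython: OLD_RX and NEW_RX are the WWW-Authenticate patterns of urllib.request's AbstractBasicAuthHandler before and after the CVE-2020-8492 fix (reproduced from CPython's Lib/urllib/request.py; treat the exact text as an assumption and compare against your checkout), parse_basic_realm mirrors the fixed handler's loop over all challenges, redos_header builds a constructed attacker-controlled header, and rejects_control_chars drives http.client's validation of host, method and path (CVE-2019-18348 and the 3.6.12 putrequest() hardening), which runs before anything is sent.

```python
"""Added example for the python3 HTTP hardening fixes (not SUSE's or CPython's code)."""
import http.client
import re
import time

# Pre-fix pattern (assumed verbatim from CPython before the CVE-2020-8492 fix):
# the nested quantifier in "(?:.*,)*" is the catastrophic-backtracking ReDoS.
OLD_RX = re.compile(r'(?:.*,)*[ \t]*([^ \t]+)[ \t]+realm=(["\']?)([^"\']*)\2', re.I)

# Fixed pattern (assumed verbatim from CPython after the fix): anchored at the
# start of the header or at a comma, and the scheme may not contain a comma,
# so every comma is visited a bounded number of times.
NEW_RX = re.compile(r'(?:^|,)[ \t]*([^ \t,]+)[ \t]+realm=(["\']?)([^"\']*)\2', re.I)


def parse_basic_realm(header, rx=NEW_RX):
    """Return the realm of the first Basic challenge in a WWW-Authenticate
    header, or None. Like the fixed handler, iterate over every challenge and
    skip non-Basic schemes instead of relying on one greedy match."""
    for mo in rx.finditer(header):
        scheme, _quote, realm = mo.groups()
        if scheme.lower() == "basic":
            return realm
    return None


def redos_header(n):
    """Constructed malicious header: n commas and no 'realm=' at all, so the
    match must fail, and OLD_RX fails only after trying every way of splitting
    the commas between the "(?:.*,)*" repetitions (exponential in n)."""
    return "," * n


def match_seconds(rx, header):
    """Wall-clock seconds for one search; shows the growth curve in main()."""
    start = time.perf_counter()
    rx.search(header)
    return time.perf_counter() - start


def rejects_control_chars(host, method="GET", path="/"):
    """True if http.client refuses the host, method or request path.
    Nothing is sent: HTTPConnection() validates the host in its constructor
    and putrequest() only buffers; the socket is opened by endheaders()."""
    try:
        conn = http.client.HTTPConnection(host)   # CVE-2019-18348: host check
        conn.putrequest(method, path)             # method and path checks
    except (http.client.InvalidURL, ValueError):  # ValueError: bad method
        return True
    return False


if __name__ == "__main__":
    print(parse_basic_realm('Digest realm="d", Basic realm="b"'))
    for n in (10, 12, 14, 16):
        print(f"n={n:2d}  old {match_seconds(OLD_RX, redos_header(n)):.4f}s"
              f"  new {match_seconds(NEW_RX, redos_header(n)):.6f}s")
    print(rejects_control_chars("example.com\r\nX-Injected: 1"))
    print(rejects_control_chars("example.com", "GET\r\nX-Injected: 1"))
    print(rejects_control_chars("example.com", "GET", "/\r\nX-Injected: 1"))
    print(rejects_control_chars("example.com", "GET", "/index.html"))
```

    Running the script shows the OLD_RX time roughly doubling with every two extra commas while NEW_RX stays flat; raise n only on a machine you can afford to stall. The http.client checks raise before a connection is opened, so a fresh HTTPConnection is needed per attempt because a failed putrequest() leaves the object in the request-started state.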
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-RU-2020:3942-1
    Released:    Tue Dec 29 12:22:01 2020
    Summary:     Recommended update for libidn2
    Type:        recommended
    Severity:    moderate
    References:  1180138
    This update for libidn2 fixes the following issues:
    
    - The library is actually dual licensed, GPL-2.0-or-later or LGPL-3.0-or-later,
      adjusted the RPM license tags (bsc#1180138)
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-RU-2020:3943-1
    Released:    Tue Dec 29 12:24:45 2020
    Summary:     Recommended update for libxml2
    Type:        recommended
    Severity:    moderate
    References:  1178823
    This update for libxml2 fixes the following issues:
    
    Avoid quadratic checking of identity-constraints, speeding up XML validation (bsc#1178823)
    * key/unique/keyref schema attributes currently use quadratic loops
      to check their various constraints (that keys are unique and that
      keyrefs refer to existing keys).
    * This fix uses a hash table to avoid the quadratic behaviour.
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-RU-2020:3946-1
    Released:    Tue Dec 29 17:39:54 2020
    Summary:     Recommended update for python3
    Type:        recommended
    Severity:    important
    References:  1180377
    This update for python3 fixes the following issues:
    
    - A previous update inadvertently removed the 'PyFPE_jbuf' symbol from Python3,
      which caused regressions in several applications. (bsc#1180377)
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-RU-2021:76-1
    Released:    Tue Jan 12 10:25:26 2021
    Summary:     Recommended update for SUSEConnect
    Type:        recommended
    Severity:    low
    References:  
    This update for SUSEConnect fixes the following issue:
    
    Update to version 0.3.29
    
    - Replace the Ruby path with the native one during build phase.
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-SU-2021:129-1
    Released:    Thu Jan 14 12:26:15 2021
    Summary:     Security update for openldap2
    Type:        security
    Severity:    moderate
    References:  1178909,1179503,CVE-2020-25709,CVE-2020-25710
    This update for openldap2 fixes the following issues:
    
    Security issues fixed:
    
    - CVE-2020-25709: Fixed a crash caused by specially crafted network traffic (bsc#1178909).
    - CVE-2020-25710: Fixed a crash caused by specially crafted network traffic (bsc#1178909).
    
    Non-security issue fixed:
    
    - Retry binds in the LDAP backend when the remote LDAP server disconnected the (idle) LDAP connection. (bsc#1179503)
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-RU-2021:177-1
    Released:    Wed Jan 20 11:18:03 2021
    Summary:     Recommended update for libselinux
    Type:        recommended
    Severity:    moderate
    References:  1135710,1136845,1180603
    This update for libselinux fixes the following issue:
    
    Issues addressed:
    
    - Removed the check for the selinux-policy package, as it is not shipped with this package (bsc#1136845).
    - Added a check that restorecond is installed and enabled.
    - Adjusted the package licenses: all packages are Public Domain, only selinux-tools contains a GPL-2.0 tool.
    
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-RU-2021:179-1
    Released:    Wed Jan 20 13:38:51 2021
    Summary:     Recommended update for timezone
    Type:        recommended
    Severity:    moderate
    References:  1177460
    This update for timezone fixes the following issues:
    
    - timezone update 2020f (bsc#1177460)
      * 'make rearguard_tarballs' no longer generates a bad rearguard.zi,
        fixing a 2020e bug.
    
    - timezone update 2020e (bsc#1177460)
      * Volgograd switches to Moscow time on 2020-12-27 at 02:00.
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-RU-2021:220-1
    Released:    Tue Jan 26 14:00:51 2021
    Summary:     Recommended update for keyutils
    Type:        recommended
    Severity:    moderate
    References:  1180603
    This update for keyutils fixes the following issues:
    
    - Adjust the library license to be LGPL-2.1+ only (the tools are GPL-2.0+, the library is just LGPL-2.1+) (bsc#1180603)
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-SU-2021:227-1
    Released:    Tue Jan 26 19:22:14 2021
    Summary:     Security update for sudo
    Type:        security
    Severity:    important
    References:  1180684,1180685,1180687,1181090,CVE-2021-23239,CVE-2021-23240,CVE-2021-3156
    This update for sudo fixes the following issues:
    
    - CVE-2021-3156: A heap-based buffer overflow in sudo could be exploited by an unprivileged local user
      to gain root privileges [bsc#1181090]
    - CVE-2021-23239: A race condition in `sudoedit` allowed a user to test for the existence of a directory
      [bsc#1180684]
    - CVE-2021-23240: A possible symlink attack vector existed in `sudoedit` when SELinux was running in
      permissive mode [bsc#1180685]
    - A user could enable debug settings not intended for them [bsc#1180687]
    
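    After installing this update an administrator wants to confirm that the CVE-2021-3156 fix is really in the sudo binary in use, and on SUSE the upstream version string is not a reliable indicator because fixes are backported. The following is an added example, not SUSE's or the sudo project's code. It wraps the probe published with the disclosure, `sudoedit -s /` run as an ordinary user: a vulnerable sudo accepts the `-s` flag in sudoedit mode and goes on to process the argument, answering with an error that starts with `sudoedit:`, while a patched sudo rejects the flag combination first and prints its `usage:` text. The probe exercises only the faulty option handling, not the overflow. The output lines used to check the classifier are constructed.

```python
"""Added example (not SUSE's or sudo's code): CVE-2021-3156 presence check."""
import shutil
import subprocess


def classify_sudoedit_output(first_line):
    """Map the first line that `sudoedit -s /` printed to a verdict.
    'usage:'    -> the flag combination was rejected up front: patched
    'sudoedit:' -> -s was accepted and the argument processed: vulnerable
    """
    line = first_line.strip()
    if line.startswith("usage:"):
        return "patched"
    if line.startswith("sudoedit:"):
        return "vulnerable"
    return "unknown"


def probe_installed_sudo(timeout=5):
    """Run the disclosure's probe against the system sudoedit and classify
    the reply. Run as a non-root user; stdin is /dev/null so an unexpected
    prompt cannot hang the check, and a timeout guards against a stuck tty."""
    exe = shutil.which("sudoedit")
    if exe is None:
        return "unknown"            # sudo not installed or not on PATH
    try:
        proc = subprocess.run([exe, "-s", "/"], stdin=subprocess.DEVNULL,
                              capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "unknown"
    # Both the usage text and the error go to stderr; fall back to stdout.
    lines = (proc.stderr or proc.stdout).splitlines()
    return classify_sudoedit_output(lines[0] if lines else "")


if __name__ == "__main__":
    print("installed sudoedit:", probe_installed_sudo())
```

    Treat a "vulnerable" verdict as authoritative and a "patched" verdict as one signal: also confirm with `rpm -q sudo` that the package level from this advisory is installed, since a usage error can also come from an unrelated sudo build that never had the `-s` handling at all.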
    -----------------------------------------------------------------
    Advisory ID: SUSE-RU-2021:233-1
    Released:    Wed Jan 27 12:15:33 2021
    Summary:     Recommended update for systemd
    Type:        recommended
    Severity:    moderate
    References:  1141597,1174436,1175458,1177490,1179363,1179824,1180225
    This update for systemd fixes the following issues:
    
    - Added a timestamp to the output of the busctl monitor command (bsc#1180225)
    - Fixed a NULL pointer dereference bug when attempting to close the journal file handle (bsc#1179824)
    - Improved the caching of cgroups member mask (bsc#1175458)
    - Fixed the dependency definition of sound.target (bsc#1179363)
    - Fixed an error that could occur when daemon-reload is called between
      StartTransientUnit and scope_start() (bsc#1174436)
    - time-util: treat /etc/localtime missing as UTC (bsc#1141597)
    - Removed mq-deadline selection from 60-io-scheduler.rules (bsc#1177490)
    
    -----------------------------------------------------------------
    Advisory ID: SUSE-RU-2021:265-1
    Released:    Mon Feb  1 15:06:45 2021
    Summary:     Recommended update for systemd
    Type:        recommended
    Severity:    important
    References:  1178775,1180885
    This update for systemd fixes the following issues:
    
    - Fixed udev creating a '/dev/disk/by-label' symlink for 'LUKS2' devices, which could cause mount issues. (bsc#1180885, #8998)
    - Fix for an issue when container start causes interference in other containers. (bsc#1178775)
    
