SUSE: 2021:601-1 ses/7/ceph/grafana Security Update
Summary
Advisory ID: SUSE-OU-2020:3026-1 Released: Fri Oct 23 15:35:49 2020 Summary: Optional update for the Public Cloud Module Type: optional Severity: moderate Advisory ID: SUSE-RU-2021:294-1 Released: Wed Feb 3 12:54:28 2021 Summary: Recommended update for libprotobuf Type: recommended Severity: moderate Advisory ID: SUSE-RU-2021:656-1 Released: Mon Mar 1 09:34:21 2021 Summary: Recommended update for protobuf Type: recommended Severity: moderate Advisory ID: SUSE-SU-2021:3175-1 Released: Tue Sep 21 16:27:50 2021 Summary: Security update for grafana-piechart-panel Type: security Severity: moderate Advisory ID: SUSE-RU-2021:3182-1 Released: Tue Sep 21 17:04:26 2021 Summary: Recommended update for file Type: recommended Severity: moderate Advisory ID: SUSE-SU-2021:3298-1 Released: Wed Oct 6 16:54:52 2021 Summary: Security update for curl Type: security Severity: moderate Advisory ID: SUSE-SU-2021:3348-1 Released: Tue Oct 12 13:08:06 2021 Summary: Security update for systemd Type: security Severity: moderate Advisory ID: SUSE-SU-2021:3385-1 Released: Tue Oct 12 15:54:31 2021 Summary: Security update for glibc Type: security Severity: moderate Advisory ID: SUSE-SU-2021:3444-1 Released: Fri Oct 15 09:03:07 2021 Summary: Security update for rpm Type: security Severity: important Advisory ID: SUSE-SU-2021:3454-1 Released: Mon Oct 18 09:29:26 2021 Summary: Security update for krb5 Type: security Severity: moderate Advisory ID: SUSE-RU-2021:3480-1 Released: Wed Oct 20 11:24:08 2021 Summary: Recommended update for yast2-network Type: recommended Severity: moderate Advisory ID: SUSE-SU-2021:3490-1 Released: Wed Oct 20 16:31:55 2021 Summary: Security update for ncurses Type: security Severity: moderate Advisory ID: SUSE-RU-2021:3494-1 Released: Wed Oct 20 16:48:46 2021 Summary: Recommended update for pam Type: recommended Severity: moderate Advisory ID: SUSE-RU-2021:3501-1 Released: Fri Oct 22 10:42:46 2021 Summary: Recommended update for libzypp, zypper, libsolv, protobuf Type: recommended Severity: moderate Advisory ID: SUSE-RU-2021:3510-1 Released: Tue Oct 26 11:22:15 2021 Summary: Recommended update for pam Type: recommended Severity: important Advisory ID: SUSE-SU-2021:3523-1 Released: Tue Oct 26 15:40:13 2021 Summary: Security update for util-linux Type: security Severity: moderate Advisory ID: SUSE-SU-2021:3529-1 Released: Wed Oct 27 09:23:32 2021 Summary: Security update for pcre Type: security Severity: moderate Advisory ID: SUSE-RU-2021:3799-1 Released: Wed Nov 24 18:07:54 2021 Summary: Recommended update for gcc11 Type: recommended Severity: moderate Advisory ID: SUSE-RU-2021:3809-1 Released: Fri Nov 26 00:31:59 2021 Summary: Recommended update for systemd Type: recommended Severity: moderate Advisory ID: SUSE-SU-2021:3830-1 Released: Wed Dec 1 13:45:46 2021 Summary: Security update for glibc Type: security Severity: moderate Advisory ID: SUSE-RU-2021:3870-1 Released: Thu Dec 2 07:11:50 2021 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate Advisory ID: SUSE-RU-2021:3872-1 Released: Thu Dec 2 07:25:55 2021 Summary: Recommended update for cracklib Type: recommended Severity: moderate Advisory ID: SUSE-RU-2021:3891-1 Released: Fri Dec 3 10:21:49 2021 Summary: Recommended update for keyutils Type: recommended Severity: moderate Advisory ID: SUSE-SU-2021:3899-1 Released: Fri Dec 3 11:27:41 2021 Summary: Security update for aaa_base Type: security Severity: moderate Advisory ID: SUSE-RU-2021:3917-1 Released: Fri Dec 3 14:18:08 2021 Summary: Recommended update for grafana Type: recommended Severity: low Advisory ID: SUSE-SU-2021:3946-1 Released: Mon Dec 6 14:57:42 2021 Summary: Security update for gmp Type: security Severity: moderate Advisory ID: SUSE-RU-2021:4139-1 Released: Tue Dec 21 17:02:44 2021 Summary: Recommended update for systemd Type: recommended Severity: critical Advisory ID: SUSE-RU-2021:4145-1 Released: Wed Dec 22 05:27:48 2021 Summary: Recommended update for openssl-1_1 Type: recommended Severity: moderate Advisory ID: SUSE-SU-2021:4154-1 Released: Wed Dec 22 11:02:38 2021 Summary: Security update for p11-kit Type: security Severity: important Advisory ID: SUSE-RU-2021:4182-1 Released: Thu Dec 23 11:51:51 2021 Summary: Recommended update for zlib Type: recommended Severity: moderate Advisory ID: SUSE-RU-2021:4187-1 Released: Thu Dec 23 15:31:00 2021 Summary: Recommended update for ceph, ceph-iscsi, nfs-ganesha Type: recommended Severity: moderate
References
References : 1027496 1029961 1113013 1122417 1125886 1134353 1161276 1162581
1164548 1171962 1172125 1172973 1172974 1174504 1177100 1177127
1178236 1179416 1180064 1183028 1183085 1183543 1183545 1183632
1183659 1184994 1185016 1185299 1185524 1186489 1186503 1186602
1186910 1187153 1187224 1187270 1187273 1187425 1187466 1187512
1187654 1187670 1187738 1187760 1187911 1187993 1188018 1188063
1188156 1188291 1188344 1188435 1188548 1188623 1188713 1188921
1189031 1189480 1189803 1189929 1189996 1190052 1190059 1190199
1190234 1190325 1190356 1190373 1190374 1190440 1190465 1190645
1190712 1190739 1190772 1190793 1190815 1190915 1190933 1190984
1191252 1191286 1191324 1191370 1191563 1191609 1191736 1191987
1192161 1192248 1192337 1192367 1192436 1192688 1192717 1192840
1193481 1193521 CVE-2016-10228 CVE-2019-20838 CVE-2020-13429
CVE-2020-14155 CVE-2020-29361 CVE-2021-20266 CVE-2021-20271 CVE-2021-22946
CVE-2021-22947 CVE-2021-33574 CVE-2021-33910 CVE-2021-3421 CVE-2021-35942
CVE-2021-37600 CVE-2021-37750 CVE-2021-39537 CVE-2021-43618
This update adds the Google Cloud Storage packages to the Public Cloud module (jsc#ECO-2398).
The following packages were included:
- python3-grpcio
- python3-protobuf
- python3-google-api-core
- python3-google-cloud-core
- python3-google-cloud-storage
- python3-google-resumable-media
- python3-googleapis-common-protos
- python3-grpcio-gcp
- python3-mock (updated to version 3.0.5)
libprotobuf was updated to fix:
- ship the libprotobuf-lite15 on the basesystem module and the INSTALLER channel. (jsc#ECO-2911)
1177127
This update for protobuf fixes the following issues:
- Add missing dependency of python subpackages on python-six. (bsc#1177127)
1172125,CVE-2020-13429
This update for grafana-piechart-panel fixes the following issues:
- CVE-2020-13429: Fixed XSS via the Values Header option in the piechart-panel (bsc#1172125).
1189996
This update for file fixes the following issues:
- Fixes exception thrown by memory allocation problem (bsc#1189996)
1190373,1190374,CVE-2021-22946,CVE-2021-22947
This update for curl fixes the following issues:
- CVE-2021-22947: Fixed STARTTLS protocol injection via MITM (bsc#1190374).
- CVE-2021-22946: Fixed protocol downgrade required TLS bypassed (bsc#1190373).
1134353,1171962,1184994,1188018,1188063,1188291,1188713,1189480,1190234,CVE-2021-33910
This update for systemd fixes the following issues:
- CVE-2021-33910: Fixed use of strdupa() on a path (bsc#1188063).
- logind: terminate cleanly on SIGTERM/SIGINT (bsc#1188018).
- Adopting BFQ to control I/O (jsc#SLE-21032, bsc#1134353).
- Rules weren't applied to dm devices (multipath) (bsc#1188713).
- Ignore obsolete 'elevator' kernel parameter (bsc#1184994, bsc#1190234).
- Make sure the versions of both udev and systemd packages are always the same (bsc#1189480).
- Avoid error message when udev is updated due to udev being already active when the sockets are started again (bsc#1188291).
- Allow the systemd sysusers config files to be overriden during system installation (bsc#1171962).
1186489,1187911,CVE-2021-33574,CVE-2021-35942
This update for glibc fixes the following issues:
- CVE-2021-35942: wordexp: handle overflow in positional parameter number (bsc#1187911)
- CVE-2021-33574: Use __pthread_attr_copy in mq_notify (bsc#1186489)
1179416,1183543,1183545,1183632,1183659,1185299,1187670,1188548,CVE-2021-20266,CVE-2021-20271,CVE-2021-3421
This update for rpm fixes the following issues:
Security issues fixed:
- CVE-2021-3421, CVE-2021-20271, CVE-2021-20266: Multiple header check improvements (bsc#1183543, bsc#1183545, bsc#1183632)
- PGP hardening changes (bsc#1185299)
- Fixed potential access of freed mem in ndb's glue code (bsc#1179416)
Maintaince issues fixed:
- Fixed zstd detection (bsc#1187670)
- Added ndb rofs support (bsc#1188548)
- Fixed deadlock when multiple rpm processes try tp acquire the database lock (bsc#1183659)
1189929,CVE-2021-37750
This update for krb5 fixes the following issues:
- CVE-2021-37750: Fixed KDC null pointer dereference via a FAST inner body that lacks a server field (bsc#1189929).
1185016,1185524,1186910,1187270,1187512,1188344,1190645,1190739,1190915,1190933
This update for yast2-network fixes the following issues:
- Don't crash when the interfaces table contains a not configured one (bnc#1190645, bsc#1190915).
- Fix the shown description using the interface friendly name when it is empty (bsc#1190933).
- Consider aliases sections as case insensitive (bsc#1190739).
- Display user defined device name in the devices overview (bnc#1190645).
- Don't crash when defined aliases in AutoYaST profile are not defined as a map (bsc#1188344).
- Support 'boot' and 'on' as aliases for the 'auto' startmode (bsc#1186910).
- Fix desktop file so the control center tooltip is translated (bsc#1187270).
- Use the linuxrc proxy settings for the HTTPS and FTP proxies (bsc#1185016).
- Don't crash at the end of installation when storing wifi configuration for NetworkManager (bsc#1185524, bsc#1187512).
1190793,CVE-2021-39537
This update for ncurses fixes the following issues:
- CVE-2021-39537: Fixed an heap-based buffer overflow in _nc_captoinfo. (bsc#1190793)
1190052
This update for pam fixes the following issues:
- Added pam_faillock to the set of available PAM modules. (jsc#SLE-20638)
- Added new file macros.pam on request of systemd. (bsc#1190052)
1186503,1186602,1187224,1187425,1187466,1187738,1187760,1188156,1188435,1189031,1190059,1190199,1190465,1190712,1190815
This update for libzypp, zypper, libsolv and protobuf fixes the following issues:
- Choice rules: treat orphaned packages as newest (bsc#1190465)
- Avoid calling 'su' to detect a too restrictive sudo user umask (bsc#1186602)
- Do not check of signatures and keys two times(redundant) (bsc#1190059)
- Rephrase vendor conflict message in case 2 packages are involved (bsc#1187760)
- Show key fpr from signature when signature check fails (bsc#1187224)
- Fix solver jobs for PTFs (bsc#1186503)
- Fix purge-kernels fails (bsc#1187738)
- Fix obs:// platform guessing for Leap (bsc#1187425)
- Make sure to keep states alives while transitioning. (bsc#1190199)
- Manpage: Improve description about patch updates(bsc#1187466)
- Manpage: Recommend the needs-rebooting command to test whether a system reboot is suggested.
- Fix kernel-*-livepatch removal in purge-kernels. (bsc#1190815)
- Fix crashes in logging code when shutting down (bsc#1189031)
- Do not download full files even if the checkExistsOnly flag is set. (bsc#1190712)
- Add need reboot/restart hint to XML install summary (bsc#1188435)
- Prompt: choose exact match if prompt options are not prefix free (bsc#1188156)
- Include libprotobuf-lite20 in products to enable parallel downloads. (jsc#ECO-2911, jsc#SLE-16862)
1191987
This update for pam fixes the following issues:
- Fixed a bad directive file which resulted in
the 'securetty' file to be installed as 'macros.pam'.
(bsc#1191987)
1122417,1125886,1178236,1188921,CVE-2021-37600
This update for util-linux fixes the following issues:
Update to version 2.33.2 to provide seamless update from SLE12 SP5 to SLE15 SP2:
- CVE-2021-37600: Fixed an integer overflow which could lead to a buffer overflow in get_sem_elements() in sys-utils/ipcutils.c (bsc#1188921).
- agetty: Fix 8-bit processing in get_logname() (bsc#1125886).
- mount: Fix 'mount' output for net file systems (bsc#1122417).
- ipcs: Avoid overflows (bsc#1178236)
1172973,1172974,CVE-2019-20838,CVE-2020-14155
This update for pcre fixes the following issues:
Update pcre to version 8.45:
- CVE-2020-14155: Fixed integer overflow via a large number after a '(?C' substring (bsc#1172974).
- CVE-2019-20838: Fixed buffer over-read in JIT compiler (bsc#1172973)
1187153,1187273,1188623
This update for gcc11 fixes the following issues:
The additional GNU compiler collection GCC 11 is provided:
To select these compilers install the packages:
- gcc11
- gcc-c++11
- and others with 11 prefix.
to select them for building:
- CC='gcc-11'
- CXX='g++-11'
The compiler baselibraries (libgcc_s1, libstdc++6 and others) are being replaced by the GCC 11 variants.
1189803,1190325,1190440,1190984,1191252,1192161
This update for systemd fixes the following issues:
- Add timestamp to D-Bus events to improve traceability (jsc#SLE-21862, jsc#SLE-18102, jsc#SLE-18103)
- Fix IO scheduler udev rules to address performance issues (jsc#SLE-21032, bsc#1192161)
- shutdown: Reduce log level of unmounts (bsc#1191252)
- pid1: make use of new 'prohibit_ipc' logging flag in PID 1 (bsc#1189803)
- core: rework how we connect to the bus (bsc#1190325)
- mount-util: fix fd_is_mount_point() when both the parent and directory are network fs (bsc#1190984)
- virt: detect Amazon EC2 Nitro instance (bsc#1190440)
- Several fixes for umount
- busctl: use usec granularity for the timestamp printed by the busctl monitor command
- fix unitialized fields in MountPoint in dm_list_get()
- shutdown: explicitly set a log target
- mount-util: add mount_option_mangle()
- dissect: automatically mark partitions read-only that have a read-only file system
- build-sys: require proper libmount version
- systemd-shutdown: use log_set_prohibit_ipc(true)
- rationalize interface for opening/closing logging
- pid1: when we can't log to journal, remember our fallback log target
- log: remove LOG_TARGET_SAFE pseudo log target
- log: add brief comment for log_set_open_when_needed() and log_set_always_reopen_console()
- log: add new 'prohibit_ipc' flag to logging system
- log: make log_set_upgrade_syslog_to_journal() take effect immediately
- dbus: split up bus_done() into seperate functions
- machine-id-setup: generate machine-id from DMI product ID on Amazon EC2
- virt: if we detect Xen by DMI, trust that over CPUID
1027496,1183085,CVE-2016-10228
This update for glibc fixes the following issues:
- libio: do not attempt to free wide buffers of legacy streams (bsc#1183085)
- CVE-2016-10228: Rewrite iconv option parsing to fix security issue (bsc#1027496)
1190356,1191286,1191324,1191370,1191609,1192337,1192436
This update for libzypp, zypper fixes the following issues:
libzypp:
- Check log writer before accessing it (bsc#1192337)
- Zypper should keep cached files if transaction is aborted (bsc#1190356)
- Require a minimum number of mirrors for multicurl (bsc#1191609)
- Fixed slowdowns when rlimit is too high by using procfs to detect niumber of
open file descriptors (bsc#1191324)
- Fixed zypper incomplete messages when using non English localization (bsc#1191370)
- RepoManager: Don't probe for plaindir repository if the URL schema is a plugin (bsc#1191286)
- Disable logger in the child process after fork (bsc#1192436)
zypper:
- Fixed Zypper removing a kernel explicitely pinned that uses uname -r output format as name (openSUSE/zypper#418)
1191736
This update for cracklib fixes the following issues:
- Enable build time tests (bsc#1191736)
1029961,1113013,1187654
This update for keyutils fixes the following issues:
- Add /etc/keys/ and /usr/etc/keys/ directory (bsc#1187654)
keyutils was updated to 1.6.3 (jsc#SLE-20016):
* Revert the change notifications that were using /dev/watch_queue.
* Apply the change notifications that use pipe2(O_NOTIFICATION_PIPE).
* Allow 'keyctl supports' to retrieve raw capability data.
* Allow 'keyctl id' to turn a symbolic key ID into a numeric ID.
* Allow 'keyctl new_session' to name the keyring.
* Allow 'keyctl add/padd/etc.' to take hex-encoded data.
* Add 'keyctl watch*' to expose kernel change notifications on keys.
* Add caps for namespacing and notifications.
* Set a default TTL on keys that upcall for name resolution.
* Explicitly clear memory after it's held sensitive information.
* Various manual page fixes.
* Fix C++-related errors.
* Add support for keyctl_move().
* Add support for keyctl_capabilities().
* Make key=val list optional for various public-key ops.
* Fix system call signature for KEYCTL_PKEY_QUERY.
* Fix 'keyctl pkey_query' argument passing.
* Use keyctl_read_alloc() in dump_key_tree_aux().
* Various manual page fixes.
Updated to 1.6:
* Apply various specfile cleanups from Fedora.
* request-key: Provide a command line option to suppress helper execution.
* request-key: Find least-wildcard match rather than first match.
* Remove the dependency on MIT Kerberos.
* Fix some error messages
* keyctl_dh_compute.3: Suggest /proc/crypto for list of available hashes.
* Fix doc and comment typos.
* Add public key ops for encrypt, decrypt, sign and verify (needs linux-4.20).
* Add pkg-config support for finding libkeyutils.
* upstream isn't offering PGP signatures for the source tarballs anymore
Updated to 1.5.11 (bsc#1113013)
* Add keyring restriction support.
* Add KDF support to the Diffie-Helman function.
* DNS: Add support for AFS config files and SRV records
1162581,1174504,1191563,1192248
This update for aaa_base fixes the following issues:
- Allowed ping and ICMP commands without CAP_NET_RAW (bsc#1174504).
- Add $HOME/.local/bin to PATH, if it exists (bsc#1192248).
- Fixed get_kernel_version.c to work also for recent kernels on the s390/X platform (bsc#1191563).
- Support xz compressed kernel (bsc#1162581)
This update for grafana fixes the following issue:
- Add URL to package source code in the login page footer.
1192717,CVE-2021-43618
This update for gmp fixes the following issues:
- CVE-2021-43618: Fixed buffer overflow via crafted input in mpz/inp_raw.c (bsc#1192717).
1193481,1193521
This update for systemd fixes the following issues:
- Revert 'core: rework how we connect to the bus' (bsc#1193521 bsc#1193481)
sleep-config: partitions can't be deleted, only files can
shared/sleep-config: exclude zram devices from hibernation candidates
1161276
This update for openssl-1_1 fixes the following issues:
- Remove previously applied patch because it interferes with FIPS validation (bsc#1161276)
1180064,1187993,CVE-2020-29361
This update for p11-kit fixes the following issues:
- CVE-2020-29361: Fixed multiple integer overflows in rpc code (bsc#1180064)
- Add support for CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER (bsc#1187993).
1192688
This update for zlib fixes the following issues:
- Fix hardware compression incorrect result on z15 hardware (bsc#1192688)
1164548,1177100,1183028,1190772,1192367,1192840
This update for ceph, ceph-iscsi, nfs-ganesha fixes the following issues:
- Update to 15.2.15-83-gf72054fa653:
- rebase on top of Ceph v15.2.15 tag
- mgr/mgr_module.py: CLICommand: Fix parsing of kwargs arguments. (bsc#1192840)
- re-do some downstream patches
- patches dropped:
'cephadm: use full qualified image names for cephadm'
'Switch to CaaSP v4.5 container images'
'cephadm: Update Grafana container image from 7.0.3'
* replaced by:
'cephadm: downstream-ify default container image paths'
- Update to 15.2.14-86-g25f8e6a7abf:
- (jsc#SES-704) mgr/mgr_module.py: CLICommand: Fix parsing of kwargs arguments
(fixes an issue caused by downstream commit 'pybing/mgr/mgr_module: allow
keyword arguments')(jsc#SES-704)
- Update to 3.5+1638408991.g5341b5d
+ rbd unmap image when deleting target (bsc#1190772)
+ gwcli: add error handling path for config api request (#231)
+ rbd-target-api: misc fixing for disk API (#229)
+ iscsi: raise if the 'gateway.conf' config file doesn't exist (#228)
+ iscsi: write cert/key to temp files in mode 'w' to handle strings (#227)
+ Fix the default value for gateway_conf (#226)
+ Add a strip to ListSetting.Normalize (#220, bsc#1177100)
+ Make settings mon config key store aware (#217)
+ Rename blacklist to blocklist (#216)
+ Fix gateway creation crash in python3 (#196)
+ Report tcmu-runner device status (#210)
+ Fix list access violiation when load config (#200, bsc#1183028)
+ fix delete disk error when disk owner is not specified (#206)
+ Support specified gateway config name (#207)
+ spec: added dependency on ceph-common package (#201)
- Add patch to fix getopt return value on aarch64 (bsc#1192367)
- Disable build of the XFS FSAL
- Enable FSAL_RGW again, as it turned out to be compatible with Ceph 16.x, but
needs patching from upstream. Backport upstream patch to fix version
comparison.
- Disable FSAL_RGW which is incompatible with Ceph 16.1.0
- Remove -fcommon from spec file
- Reverting changes made to fix (bsc#1164548)
The following package changes have been done:
- aaa_base-84.87+git20180409.04c9dae-3.52.1 updated
- ceph-grafana-dashboards-15.2.15.83+gf72054fa653-3.28.1 updated
- cracklib-dict-small-2.9.7-11.6.1 updated
- cracklib-2.9.7-11.6.1 updated
- file-magic-5.32-7.14.1 updated
- glibc-2.26-13.62.1 updated
- grafana-piechart-panel-1.6.1-3.6.1 updated
- grafana-7.5.7-3.15.1 updated
- krb5-1.16.3-3.24.1 updated
- libaugeas0-1.10.1-3.3.1 updated
- libblkid1-2.33.2-4.16.1 updated
- libcrack2-2.9.7-11.6.1 updated
- libcurl4-7.66.0-4.27.1 updated
- libfdisk1-2.33.2-4.16.1 updated
- libgcc_s1-11.2.1+git610-1.3.9 updated
- libgmp10-6.1.2-4.9.1 updated
- libkeyutils1-1.6.3-5.6.1 updated
- libmagic1-5.32-7.14.1 updated
- libmount1-2.33.2-4.16.1 updated
- libncurses6-6.1-5.9.1 updated
- libopenssl1_1-hmac-1.1.1d-11.33.2 updated
- libopenssl1_1-1.1.1d-11.33.2 updated
- libp11-kit0-0.23.2-4.13.1 updated
- libpcre1-8.45-20.10.1 updated
- libprotobuf-lite20-3.9.2-4.9.1 added
- libsmartcols1-2.33.2-4.16.1 updated
- libsolv-tools-0.7.20-9.2 updated
- libstdc++6-11.2.1+git610-1.3.9 updated
- libsystemd0-234-24.102.1 updated
- libudev1-234-24.102.1 updated
- libuuid1-2.33.2-4.16.1 updated
- libz1-1.2.11-3.24.1 updated
- libzypp-17.28.8-20.1 updated
- ncurses-utils-6.1-5.9.1 updated
- pam-1.3.0-6.50.1 updated
- rpm-4.14.1-22.4.2 updated
- terminfo-base-6.1-5.9.1 updated
- util-linux-2.33.2-4.16.1 updated
- zypper-1.14.50-21.1 updated
- container:sles15-image-15.0.0-9.5.67 updated