SUSE Container Update Advisory: suse/sles12sp3
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:94-1
Container Tags        : suse/sles12sp3:2.0.2 , suse/sles12sp3:24.237 , suse/sles12sp3:latest
Container Release     : 24.237
Severity              : important
Type                  : security
References            : 1116107 1159635 1174215 1175109 1178727 1178823 1178909 1178925
                        1178966 1179398 1179398 1179399 1179491 1180073 1181728 1182138
                        1182279 1182331 1182333 1182408 1182411 1182412 1182413 1182415
                        1182416 1182417 1182418 1182419 1182420 CVE-2019-19906 CVE-2020-1971
                        CVE-2020-25709 CVE-2020-25710 CVE-2020-36221 CVE-2020-36222 CVE-2020-36223
                        CVE-2020-36224 CVE-2020-36225 CVE-2020-36226 CVE-2020-36227 CVE-2020-36228
                        CVE-2020-36229 CVE-2020-36230 CVE-2020-8231 CVE-2020-8284 CVE-2020-8284
                        CVE-2020-8285 CVE-2021-23840 CVE-2021-23841 CVE-2021-27212 
-----------------------------------------------------------------

The container suse/sles12sp3 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3569-1
Released:    Mon Nov 30 17:13:16 2020
Summary:     Recommended update for pam
Type:        recommended
Severity:    moderate
References:  1178727
This update for pam fixes the following issue:

- Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3573-1
Released:    Mon Nov 30 18:13:05 2020
Summary:     Recommended update for sg3_utils
Type:        recommended
Severity:    low
References:  1116107
This update for sg3_utils fixes the following issues:

- Fixed wrong device ID for devices using NAA extended format (bsc#1116107)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3763-1
Released:    Fri Dec 11 14:17:32 2020
Summary:     Security update for openssl
Type:        security
Severity:    important
References:  1179491,CVE-2020-1971
This update for openssl fixes the following issues:

- CVE-2020-1971: Fixed a null pointer dereference in EDIPARTYNAME (bsc#1179491).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3794-1
Released:    Mon Dec 14 17:40:20 2020
Summary:     Recommended update for libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1174215,1178925,1178966
This update for libzypp, zypper fixes the following issues:

Changes in zypper:

- Fix typo in `list-patches` help. (bsc#1178925)

  The options for selecting issues matching the specified string is `--issue[=STRING]`, not `--issues[=STRING]`.

Changes in libzypp:

- Fix in repository manager for removing non-directory entries related to the cache. (bsc#1178966)
- Remove from the logs the credentials available from the authorization header. (bsc#1174215)
  
  The authorization header may include base64 encoded credentials which could be restored from the log file. 
  The credentials are now stripped from the log.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3800-1
Released:    Mon Dec 14 18:55:59 2020
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1175109,1179398,CVE-2020-8231,CVE-2020-8284
This update for curl fixes the following issues:

- CVE-2020-8284: Fixed an issue where a malicius FTP server could make curl connect to a different IP (bsc#1179398).
- CVE-2020-8231: Fixed an issue with trusting FTP PASV responses (bsc#1175109).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3876-1
Released:    Fri Dec 18 16:45:25 2020
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1179398,1179399,CVE-2020-8284,CVE-2020-8285
This update for curl fixes the following issue:

- CVE-2020-8285: Fixed an FTP wildcard stack overflow (bsc#1179399).
- CVE-2020-8284: Adjust trusting FTP PASV responses (bsc#1179398).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3939-1
Released:    Mon Dec 28 14:29:41 2020
Summary:     Security update for cyrus-sasl
Type:        security
Severity:    important
References:  1159635,CVE-2019-19906
This update for cyrus-sasl fixes the following issues:

- CVE-2019-19906: Fixed an out-of-bounds write leading to unauthenticated remote denial-of-service in OpenLDAP via a malformed LDAP packet (bsc#1159635).	  

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:26-1
Released:    Tue Jan  5 14:18:00 2021
Summary:     Recommended update for libxml2
Type:        recommended
Severity:    moderate
References:  1178823
This update for libxml2 fixes the following issues:

Avoid quadratic checking of identity-constraints, speeding up XML validation. (bsc#1178823)

* key/unique/keyref schema attributes currently use quadratic loops
  to check their various constraints (that keys are unique and that
  keyrefs refer to existing keys).
* This fix uses a hash table to avoid the quadratic behaviour.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:128-1
Released:    Thu Jan 14 11:01:24 2021
Summary:     Security update for openldap2
Type:        security
Severity:    moderate
References:  1178909,CVE-2020-25709,CVE-2020-25710
This update for openldap2 fixes the following issues:

- CVE-2020-25709: Fixed a crash caused by specially crafted network traffic (bsc#1178909).
- CVE-2020-25710: Fixed a crash caused by specially crafted network traffic (bsc#1178909).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:588-1
Released:    Thu Feb 25 06:10:02 2021
Summary:     Recommended update for file
Type:        recommended
Severity:    moderate
References:  1182138
This update for file fixes the following issues:

- Fixed an issue when file is used with a string started with '80'. (bsc#1182138)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:693-1
Released:    Wed Mar  3 18:13:33 2021
Summary:     Security update for openldap2
Type:        security
Severity:    important
References:  1182279,1182408,1182411,1182412,1182413,1182415,1182416,1182417,1182418,1182419,1182420,CVE-2020-36221,CVE-2020-36222,CVE-2020-36223,CVE-2020-36224,CVE-2020-36225,CVE-2020-36226,CVE-2020-36227,CVE-2020-36228,CVE-2020-36229,CVE-2020-36230,CVE-2021-27212
This update for openldap2 fixes the following issues:

- bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the
  X.509 DN parsing in decode.c ber_next_element, resulting in denial
  of service.
- bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN
  parsing in ad_keystring, resulting in denial of service.
- bsc#1182412 CVE-2020-36228 - integer underflow leading to crash
  in the Certificate List Exact Assertion processing, resulting in
  denial of service.
- bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the
  cancel_extop Cancel operation, resulting in denial of service.
- bsc#1182416 CVE-2020-36225 - double free and slapd crash in the
  saslAuthzTo processing, resulting in denial of service.
- bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash
  in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd
  crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the
  saslAuthzTo validation, resulting in denial of service.
- bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact
  Assertion processing, resulting in denial of service (schema_init.c
  serialNumberAndIssuerCheck).
- bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter
  control handling, resulting in denial of service (double free and
  out-of-bounds read).
- bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur
    in the issuerAndThisUpdateCheck function via a crafted packet,
    resulting in a denial of service (daemon exit) via a short timestamp.
    This is related to schema_init.c and checkTime.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:939-1
Released:    Wed Mar 24 12:24:38 2021
Summary:     Security update for openssl
Type:        security
Severity:    moderate
References:  1182331,1182333,CVE-2021-23840,CVE-2021-23841
This update for openssl fixes the following issues:

- CVE-2021-23840: Fixed an Integer overflow in CipherUpdate (bsc#1182333)
- CVE-2021-23841: Fixed a Null pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:970-1
Released:    Mon Mar 29 14:53:14 2021
Summary:     Recommended update for apparmor
Type:        recommended
Severity:    moderate
References:  1181728
This update for apparmor fixes the following issues:

- Add abstraction/base fix to apparmor-profile. (bsc#1181728)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1003-1
Released:    Thu Apr  1 15:06:58 2021
Summary:     Recommended update for libcap
Type:        recommended
Severity:    moderate
References:  1180073
This update for libcap fixes the following issues:

- Added support for the ambient capabilities (jsc#SLE-17092, jsc#ECO-3460)
- Changed the license tag from 'BSD-3-Clause and GPL-2.0' to 'BSD-3-Clause OR GPL-2.0-only' (bsc#1180073)