SUSE Container Update Advisory: suse/sles12sp4
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:95-1
Container Tags        : suse/sles12sp4:26.268 , suse/sles12sp4:latest
Container Release     : 26.268
Severity              : important
Type                  : security
References            : 1082318 1088639 1112438 1125689 1134616 1146182 1146184 1159635
                        1174215 1178727 1178823 1178909 1178925 1178966 1179491 1180038
                        1180073 1180777 1180959 1181358 1181365 1181505 1182117 1182138
                        1182279 1182331 1182333 1182408 1182411 1182412 1182413 1182415
                        1182416 1182417 1182418 1182419 1182420 962914 964140 966514
                        CVE-2016-1544 CVE-2018-1000168 CVE-2019-19906 CVE-2019-25013
                        CVE-2019-9511 CVE-2019-9513 CVE-2020-11080 CVE-2020-1971 CVE-2020-25709
                        CVE-2020-25710 CVE-2020-36221 CVE-2020-36222 CVE-2020-36223 CVE-2020-36224
                        CVE-2020-36225 CVE-2020-36226 CVE-2020-36227 CVE-2020-36228 CVE-2020-36229
                        CVE-2020-36230 CVE-2021-23840 CVE-2021-23841 CVE-2021-27212 CVE-2021-3326
-----------------------------------------------------------------

The container suse/sles12sp4 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3569-1
Released:    Mon Nov 30 17:13:16 2020
Summary:     Recommended update for pam
Type:        recommended
Severity:    moderate
References:  1178727
This update for pam fixes the following issue:

- Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3732-1
Released:    Wed Dec  9 18:18:03 2020
Summary:     Security update for openssl-1_0_0
Type:        security
Severity:    important
References:  1179491,CVE-2020-1971
This update for openssl-1_0_0 fixes the following issues:

- CVE-2020-1971: Fixed a null pointer dereference in EDIPARTYNAME (bsc#1179491).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3794-1
Released:    Mon Dec 14 17:40:20 2020
Summary:     Recommended update for libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1174215,1178925,1178966
This update for libzypp, zypper fixes the following issues:

Changes in zypper:

- Fix typo in `list-patches` help. (bsc#1178925)

  The option for selecting issues matching the specified string is `--issue[=STRING]`, not `--issues[=STRING]`.

Changes in libzypp:

- Fix in repository manager for removing non-directory entries related to the cache. (bsc#1178966)
- Remove from the logs the credentials available from the authorization header. (bsc#1174215)

  The authorization header may include base64 encoded credentials which could be recovered from the log file.
  The credentials are now stripped from the log.
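
Logs written before this fix may still hold such headers. The following is an added example, not part of the advisory and not libzypp code: it redacts Authorization headers from log lines and flags which ones carried Basic credentials that decode back to user:password, so the affected credentials can be rotated. The log line layout and the sample lines are constructed assumptions, not real zypper log output.

```python
import base64
import binascii
import re

# Matches an HTTP Authorization header (scheme + token) anywhere in a log line.
AUTH_RE = re.compile(r"(Authorization:\s*)(\S+)\s+(\S+)", re.IGNORECASE)


def is_recoverable_basic(scheme, token):
    """True if the token is Basic auth that base64-decodes to 'user:password'."""
    if scheme.lower() != "basic":
        return False
    try:
        decoded = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return False
    return b":" in decoded


def scrub(lines):
    """Return (redacted_lines, findings).

    findings holds (line_number, scheme, recoverable) for every line that
    carried an Authorization header; the secret itself is never returned.
    """
    redacted, findings = [], []
    for number, line in enumerate(lines, 1):
        match = AUTH_RE.search(line)
        if match:
            scheme, token = match.group(2), match.group(3)
            findings.append((number, scheme, is_recoverable_basic(scheme, token)))
            line = AUTH_RE.sub(lambda m: m.group(1) + m.group(2) + " <redacted>", line)
        redacted.append(line)
    return redacted, findings


# Constructed sample input (assumed layout, not real zypper log output).
SAMPLE_TOKEN = base64.b64encode(b"demo-user:demo-pass").decode()
SAMPLE = [
    "2020-12-01 10:00:00 > GET /repo/repodata/repomd.xml HTTP/1.1",
    "2020-12-01 10:00:00 > Authorization: Basic " + SAMPLE_TOKEN,
    "2020-12-01 10:00:01 > Authorization: Bearer constructed.token.value",
    "2020-12-01 10:00:02 < HTTP/1.1 200 OK",
]

if __name__ == "__main__":
    clean, found = scrub(SAMPLE)
    print("\n".join(clean))
    for number, scheme, recoverable in found:
        print(f"line {number}: {scheme} header, recoverable credentials: {recoverable}")
```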

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3939-1
Released:    Mon Dec 28 14:29:41 2020
Summary:     Security update for cyrus-sasl
Type:        security
Severity:    important
References:  1159635,CVE-2019-19906
This update for cyrus-sasl fixes the following issues:

- CVE-2019-19906: Fixed an out-of-bounds write leading to unauthenticated remote denial-of-service in OpenLDAP via a malformed LDAP packet (bsc#1159635).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:26-1
Released:    Tue Jan  5 14:18:00 2021
Summary:     Recommended update for libxml2
Type:        recommended
Severity:    moderate
References:  1178823
This update for libxml2 fixes the following issues:

Avoid quadratic checking of identity-constraints, speeding up XML validation. (bsc#1178823)

* key/unique/keyref schema attributes currently use quadratic loops
  to check their various constraints (that keys are unique and that
  keyrefs refer to existing keys).
* This fix uses a hash table to avoid the quadratic behaviour.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:128-1
Released:    Thu Jan 14 11:01:24 2021
Summary:     Security update for openldap2
Type:        security
Severity:    moderate
References:  1178909,CVE-2020-25709,CVE-2020-25710
This update for openldap2 fixes the following issues:

- CVE-2020-25709: Fixed a crash caused by specially crafted network traffic (bsc#1178909).
- CVE-2020-25710: Fixed a crash caused by specially crafted network traffic (bsc#1178909).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:244-1
Released:    Fri Jan 29 09:46:42 2021
Summary:     Recommended update for openssl-1_0_0
Type:        recommended
Severity:    moderate
References:  1180777,1180959
This update for openssl-1_0_0 fixes the following issues:

- Add declaration of BN_secure_new() function needed by other packages. (bsc#1180777)
- Add FIPS elliptic curve key check necessary for FIPS 140-2 certification. (bsc#1180959)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:588-1
Released:    Thu Feb 25 06:10:02 2021
Summary:     Recommended update for file
Type:        recommended
Severity:    moderate
References:  1182138
This update for file fixes the following issues:

- Fixed an issue when file is used with a string starting with '80'. (bsc#1182138)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:608-1
Released:    Thu Feb 25 21:03:59 2021
Summary:     Security update for glibc
Type:        security
Severity:    moderate
References:  1180038,1181365,1181505,1182117,CVE-2019-25013,CVE-2021-3326
This update for glibc fixes the following issues:

- Fix buffer overrun in EUC-KR conversion module (CVE-2019-25013, bsc#1182117, BZ #24973)
- gconv: Fix assertion failure in ISO-2022-JP-3 module (CVE-2021-3326, bsc#1181505, BZ #27256)
- Fix parsing of /sys/devices/system/cpu/online (bsc#1180038, BZ #25859)
- powerpc: Add support for POWER10 (bsc#1181365)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:693-1
Released:    Wed Mar  3 18:13:33 2021
Summary:     Security update for openldap2
Type:        security
Severity:    important
References:  1182279,1182408,1182411,1182412,1182413,1182415,1182416,1182417,1182418,1182419,1182420,CVE-2020-36221,CVE-2020-36222,CVE-2020-36223,CVE-2020-36224,CVE-2020-36225,CVE-2020-36226,CVE-2020-36227,CVE-2020-36228,CVE-2020-36229,CVE-2020-36230,CVE-2021-27212
This update for openldap2 fixes the following issues:

- bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the
  X.509 DN parsing in decode.c ber_next_element, resulting in denial
  of service.
- bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN
  parsing in ad_keystring, resulting in denial of service.
- bsc#1182412 CVE-2020-36228 - integer underflow leading to crash
  in the Certificate List Exact Assertion processing, resulting in
  denial of service.
- bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the
  cancel_extop Cancel operation, resulting in denial of service.
- bsc#1182416 CVE-2020-36225 - double free and slapd crash in the
  saslAuthzTo processing, resulting in denial of service.
- bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash
  in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd
  crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the
  saslAuthzTo validation, resulting in denial of service.
- bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact
  Assertion processing, resulting in denial of service (schema_init.c
  serialNumberAndIssuerCheck).
- bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter
  control handling, resulting in denial of service (double free and
  out-of-bounds read).
- bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur
  in the issuerAndThisUpdateCheck function via a crafted packet,
  resulting in a denial of service (daemon exit) via a short timestamp.
  This is related to schema_init.c and checkTime.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:725-1
Released:    Mon Mar  8 16:47:37 2021
Summary:     Security update for openssl-1_0_0
Type:        security
Severity:    moderate
References:  1182331,1182333,CVE-2021-23840,CVE-2021-23841
This update for openssl-1_0_0 fixes the following issues:

- CVE-2021-23840: Fixed an integer overflow in CipherUpdate (bsc#1182333)
- CVE-2021-23841: Fixed a null pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:932-1
Released:    Wed Mar 24 12:13:01 2021
Summary:     Security update for nghttp2
Type:        security
Severity:    important
References:  1082318,1088639,1112438,1125689,1134616,1146182,1146184,1181358,962914,964140,966514,CVE-2016-1544,CVE-2018-1000168,CVE-2019-9511,CVE-2019-9513,CVE-2020-11080
This update for nghttp2 fixes the following issues:

Security issues fixed:

- CVE-2020-11080: HTTP/2 Large Settings Frame DoS (bsc#1181358).
- CVE-2019-9513: Fixed HTTP/2 implementation that is vulnerable to resource loops, potentially leading to a denial of service (bsc#1146184).
- CVE-2019-9511: Fixed HTTP/2 implementations that are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service (bsc#1146182).
- CVE-2018-1000168: Fixed ALTSVC frame client side denial of service (bsc#1088639).
- CVE-2016-1544: Fixed out of memory due to unlimited incoming HTTP header fields (bsc#966514).

Bug fixes and enhancements:

- Packages must not mark license files as %doc (bsc#1082318)
- Typo in description of libnghttp2_asio1 (bsc#962914)
- Fixed mistake in spec file (bsc#1125689)
- Fixed build issue with boost 1.70.0 (bsc#1134616)
- Fixed build issue with GCC 6 (bsc#964140)
- Feature: Add W&S module (FATE#326776, bsc#1112438)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1003-1
Released:    Thu Apr  1 15:06:58 2021
Summary:     Recommended update for libcap
Type:        recommended
Severity:    moderate
References:  1180073
This update for libcap fixes the following issues:

- Added support for the ambient capabilities (jsc#SLE-17092, jsc#ECO-3460)
- Changed the license tag from 'BSD-3-Clause and GPL-2.0' to 'BSD-3-Clause OR GPL-2.0-only' (bsc#1180073)