SUSE: 2022:24-1 bci/golang Security Update
Summary
Advisory ID: SUSE-RU-2021:3891-1
Released: Fri Dec 3 10:21:49 2021
Summary: Recommended update for keyutils
Type: recommended
Severity: moderate

Advisory ID: SUSE-SU-2021:3899-1
Released: Fri Dec 3 11:27:41 2021
Summary: Security update for aaa_base
Type: security
Severity: moderate

Advisory ID: SUSE-SU-2021:3946-1
Released: Mon Dec 6 14:57:42 2021
Summary: Security update for gmp
Type: security
Severity: moderate

Advisory ID: SUSE-RU-2021:3963-1
Released: Mon Dec 6 19:57:39 2021
Summary: Recommended update for system-users
Type: recommended
Severity: moderate

Advisory ID: SUSE-RU-2021:3980-1
Released: Thu Dec 9 16:42:19 2021
Summary: Recommended update for glibc
Type: recommended
Severity: moderate

Advisory ID: SUSE-RU-2021:4145-1
Released: Wed Dec 22 05:27:48 2021
Summary: Recommended update for openssl-1_1
Type: recommended
Severity: moderate

Advisory ID: SUSE-SU-2021:4169-1
Released: Thu Dec 23 09:52:43 2021
Summary: Security update for go1.16
Type: security
Severity: moderate

Advisory ID: SUSE-RU-2021:4175-1
Released: Thu Dec 23 11:22:33 2021
Summary: Recommended update for systemd
Type: recommended
Severity: important

Advisory ID: SUSE-RU-2021:4182-1
Released: Thu Dec 23 11:51:51 2021
Summary: Recommended update for zlib
Type: recommended
Severity: moderate

Advisory ID: SUSE-SU-2021:4192-1
Released: Tue Dec 28 10:39:50 2021
Summary: Security update for permissions
Type: security
Severity: moderate

Advisory ID: SUSE-RU-2022:4-1
Released: Mon Jan 3 08:28:54 2022
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References
1029961 1113013 1161276 1162581 1174504 1174504 1182345 1187654
1190401 1191563 1191592 1192248 1192423 1192688 1192717 1192858
1193480 1193597 1193598 1193759 CVE-2021-43618 CVE-2021-44716
CVE-2021-44717
References: 1029961,1113013,1187654
This update for keyutils fixes the following issues:
- Add /etc/keys/ and /usr/etc/keys/ directory (bsc#1187654)
keyutils was updated to 1.6.3 (jsc#SLE-20016):
* Revert the change notifications that were using /dev/watch_queue.
* Apply the change notifications that use pipe2(O_NOTIFICATION_PIPE).
* Allow 'keyctl supports' to retrieve raw capability data.
* Allow 'keyctl id' to turn a symbolic key ID into a numeric ID.
* Allow 'keyctl new_session' to name the keyring.
* Allow 'keyctl add/padd/etc.' to take hex-encoded data.
* Add 'keyctl watch*' to expose kernel change notifications on keys.
* Add caps for namespacing and notifications.
* Set a default TTL on keys that upcall for name resolution.
* Explicitly clear memory after it's held sensitive information.
* Various manual page fixes.
* Fix C++-related errors.
* Add support for keyctl_move().
* Add support for keyctl_capabilities().
* Make key=val list optional for various public-key ops.
* Fix system call signature for KEYCTL_PKEY_QUERY.
* Fix 'keyctl pkey_query' argument passing.
* Use keyctl_read_alloc() in dump_key_tree_aux().
* Various manual page fixes.
Updated to 1.6:
* Apply various specfile cleanups from Fedora.
* request-key: Provide a command line option to suppress helper execution.
* request-key: Find least-wildcard match rather than first match.
* Remove the dependency on MIT Kerberos.
* Fix some error messages
* keyctl_dh_compute.3: Suggest /proc/crypto for list of available hashes.
* Fix doc and comment typos.
* Add public key ops for encrypt, decrypt, sign and verify (needs linux-4.20).
* Add pkg-config support for finding libkeyutils.
* upstream isn't offering PGP signatures for the source tarballs anymore
Updated to 1.5.11 (bsc#1113013)
* Add keyring restriction support.
* Add KDF support to the Diffie-Hellman function.
* DNS: Add support for AFS config files and SRV records
References: 1162581,1174504,1191563,1192248
This update for aaa_base fixes the following issues:
- Allowed ping and ICMP commands without CAP_NET_RAW (bsc#1174504).
- Add $HOME/.local/bin to PATH, if it exists (bsc#1192248).
- Fixed get_kernel_version.c to work also for recent kernels on the s390/X platform (bsc#1191563).
- Support xz compressed kernel (bsc#1162581)
References: 1192717,CVE-2021-43618
This update for gmp fixes the following issues:
- CVE-2021-43618: Fixed buffer overflow via crafted input in mpz/inp_raw.c (bsc#1192717).
References: 1190401
This update for system-users fixes the following issues:
- system-user-tss.conf: Removed group entry because it's not needed and contained syntax errors (bsc#1190401)
References: 1191592
glibc was updated to fix the following issue:
- Support for new IBM Z Hardware (bsc#1191592, jsc#IBM-869)
References: 1161276
This update for openssl-1_1 fixes the following issues:
- Remove previously applied patch because it interferes with FIPS validation (bsc#1161276)
References: 1182345,1193597,1193598,CVE-2021-44716,CVE-2021-44717
This update for go1.16 fixes the following issues:
Updated to upstream version 1.16.12 to include security fixes to the compiler,
syscall, runtime, the net/http, net/http/httptest, and time packages (bsc#1182345)
- CVE-2021-44717: syscall: don't close fd 0 on ForkExec error (bsc#1193598).
- CVE-2021-44716: net/http: limit growth of header canonicalization cache (bsc#1193597).
References: 1192423,1192858,1193759
This update for systemd fixes the following issues:
- Bump the max number of inodes for /dev to a million (bsc#1192858)
- sleep: don't skip resume device with low priority/available space (bsc#1192423)
- test: use kbd-model-map we ship in one more test case
- test-keymap-util: always use kbd-model-map we ship
- Add rules for virtual devices and enforce 'none' for loop devices. (bsc#1193759)
References: 1192688
This update for zlib fixes the following issues:
- Fix hardware compression incorrect result on z15 hardware (bsc#1192688)
References: 1174504
This update for permissions fixes the following issues:
- Update to version 20181225:
* drop ping capabilities in favor of ICMP_PROTO sockets (bsc#1174504)
References: 1193480
This update for libgcrypt fixes the following issues:
- Fix function gcry_mpi_sub_ui subtracting from negative value (bsc#1193480)
The following package changes have been done:
- aaa_base-84.87+git20180409.04c9dae-3.52.1 updated
- glibc-devel-2.31-9.6.1 updated
- glibc-2.31-9.6.1 updated
- go1.16-1.16.12-1.37.2 updated
- libgcrypt20-hmac-1.8.2-8.42.1 updated
- libgcrypt20-1.8.2-8.42.1 updated
- libgmp10-6.1.2-4.9.1 updated
- libkeyutils1-1.6.3-5.6.1 updated
- libopenssl1_1-hmac-1.1.1d-11.33.2 updated
- libopenssl1_1-1.1.1d-11.33.2 updated
- libsystemd0-246.16-7.28.1 updated
- libudev1-246.16-7.28.1 updated
- libz1-1.2.11-3.24.1 updated
- permissions-20181225-23.9.1 updated
- system-group-hardware-20170617-17.3.1 updated
- container:sles15-image-15.0.0-17.8.54 updated