SUSE: 2022:295-1 bci/bci-init Security Update | LinuxSecurity.com
SUSE Container Update Advisory: bci/bci-init
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2022:295-1
Container Tags        : bci/bci-init:15.3 , bci/bci-init:15.3.11.15 , bci/bci-init:latest
Container Release     : 11.15
Severity              : important
Type                  : security
References            : 1099272 1115529 1128846 1162964 1172113 1173277 1174075 1174911
                        1180689 1181826 1182959 1187906 1190926 1194229 1195149 1195792
                        1195856 1196025 1196784 CVE-2020-14367 CVE-2022-25236 
-----------------------------------------------------------------

The container bci/bci-init was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:844-1
Released:    Tue Mar 15 11:33:57 2022
Summary:     Security update for expat
Type:        security
Severity:    important
References:  1196025,1196784,CVE-2022-25236
This update for expat fixes the following issues:

- Fixed a regression caused by the patch for CVE-2022-25236 (bsc#1196784).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:845-1
Released:    Tue Mar 15 11:40:52 2022
Summary:     Security update for chrony
Type:        security
Severity:    moderate
References:  1099272,1115529,1128846,1162964,1172113,1173277,1174075,1174911,1180689,1181826,1187906,1190926,1194229,CVE-2020-14367
This update for chrony fixes the following issues:

Chrony was updated to 4.1, bringing features and bugfixes.

Update to 4.1

  * Add support for NTS servers specified by IP address (matching
    Subject Alternative Name in server certificate)
  * Add source-specific configuration of trusted certificates
  * Allow multiple files and directories with trusted certificates
  * Allow multiple pairs of server keys and certificates
  * Add copy option to server/pool directive
  * Increase PPS lock limit to 40% of pulse interval
  * Perform source selection immediately after loading dump files
  * Reload dump files for addresses negotiated by NTS-KE server
  * Update seccomp filter and add less restrictive level
  * Restart ongoing name resolution on online command
  * Fix dump files to not include uncorrected offset
  * Fix initstepslew to accept time from own NTP clients
  * Reset NTP address and port when no longer negotiated by NTS-KE
    server

- Ensure the correct pool packages are installed for openSUSE
  and SLE (bsc#1180689).
- Fix pool package dependencies, so that SLE prefers chrony-pool-suse
  over chrony-pool-empty. (bsc#1194229)

- Enable syscallfilter unconditionally [bsc#1181826].

Update to 4.0

  - Enhancements

    - Add support for Network Time Security (NTS) authentication
    - Add support for AES-CMAC keys (AES128, AES256) with Nettle
    - Add authselectmode directive to control selection of
      unauthenticated sources
    - Add binddevice, bindacqdevice, bindcmddevice directives
    - Add confdir directive to better support fragmented
      configuration
    - Add sourcedir directive and 'reload sources' command to
      support dynamic NTP sources specified in files
    - Add clockprecision directive
    - Add dscp directive to set Differentiated Services Code Point
      (DSCP)
    - Add -L option to limit log messages by severity
    - Add -p option to print whole configuration with included
      files
    - Add -U option to allow start under non-root user
    - Allow maxsamples to be set to 1 for faster update with -q/-Q
      option
    - Avoid replacing NTP sources with sources that have
      unreachable address
    - Improve pools to repeat name resolution to get 'maxsources'
      sources
    - Improve source selection with trusted sources
    - Improve NTP loop test to prevent synchronisation to itself
    - Repeat iburst when NTP source is switched from offline state
      to online
    - Update clock synchronisation status and leap status more
      frequently
    - Update seccomp filter
    - Add 'add pool' command
    - Add 'reset sources' command to drop all measurements
    - Add authdata command to print details about NTP
      authentication
    - Add selectdata command to print details about source
      selection
    - Add -N option and sourcename command to print original names
      of sources
    - Add -a option to some commands to print also unresolved
      sources
    - Add -k, -p, -r options to clients command to select, limit,
      reset data

  - Bug fixes

    - Don’t set interface for NTP responses to allow asymmetric
      routing
    - Handle RTCs that don’t support interrupts
    - Respond to command requests with correct address on
      multihomed hosts
  - Removed features
    - Drop support for RIPEMD keys (RMD128, RMD160, RMD256, RMD320)
    - Drop support for long (non-standard) MACs in NTPv4 packets
      (chrony 2.x clients using non-MD5/SHA1 keys need to use
      option 'version 3')
    - Drop support for line editing with GNU Readline

- By default we don't write log files but log to journald, so
  only recommend logrotate.

- Adjust and rename the sysconfig file, so that it matches the
  expectations of chronyd.service (bsc#1173277).

Update to 3.5.1:

  * Create new file when writing pidfile (CVE-2020-14367, bsc#1174911)

- Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075)

- Use iburst in the default pool statements to speed up initial
  synchronisation (bsc#1172113).




Update to 3.5:

+ Add support for more accurate reading of PHC on Linux 5.0
+ Add support for hardware timestamping on interfaces with read-only timestamping configuration
+ Add support for memory locking and real-time priority on FreeBSD, NetBSD, Solaris
+ Update seccomp filter to work on more architectures
+ Validate refclock driver options
+ Fix bindaddress directive on FreeBSD
+ Fix transposition of hardware RX timestamp on Linux 4.13 and later
+ Fix building on non-glibc systems

- Fix location of helper script in [email protected]
  (bsc#1128846).


- Read runtime servers from /var/run/netconfig/chrony.servers to
  fix bsc#1099272.
- Move chrony-helper to /usr/lib/chrony/helper, because there
  should be no executables in /usr/share.

Update to version 3.4

  * Enhancements

    + Add filter option to server/pool/peer directive
    + Add minsamples and maxsamples options to hwtimestamp directive
    + Add support for faster frequency adjustments in Linux 4.19
    + Change default pidfile to /var/run/chrony/chronyd.pid to allow chronyd 
      without root privileges to remove it on exit
    + Disable sub-second polling intervals for distant NTP sources
    + Extend range of supported sub-second polling intervals
    + Get/set IPv4 destination/source address of NTP packets on FreeBSD
    + Make burst options and command useful with short polling intervals
    + Modify auto_offline option to activate when sending request failed
    + Respond from interface that received NTP request if possible
    + Add onoffline command to switch between online and offline state 
      according to current system network configuration
    + Improve example NetworkManager dispatcher script

  * Bug fixes

    + Avoid waiting in Linux getrandom system call
    + Fix PPS support on FreeBSD and NetBSD

Update to version 3.3

  * Enhancements:

    + Add burst option to server/pool directive
    + Add stratum and tai options to refclock directive
    + Add support for Nettle crypto library
    + Add workaround for missing kernel receive timestamps on Linux
    + Wait for late hardware transmit timestamps
    + Improve source selection with unreachable sources
    + Improve protection against replay attacks on symmetric mode
    + Allow PHC refclock to use socket in /var/run/chrony
    + Add shutdown command to stop chronyd
    + Simplify format of response to manual list command
    + Improve handling of unknown responses in chronyc

  * Bug fixes:

    + Respond to NTPv1 client requests with zero mode
    + Fix -x option to not require CAP_SYS_TIME under non-root user
    + Fix acquisitionport directive to work with privilege separation
    + Fix handling of socket errors on Linux to avoid high CPU usage
    + Fix chronyc to not get stuck in infinite loop after clock step
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:861-1
Released:    Tue Mar 15 23:30:48 2022
Summary:     Recommended update for openssl-1_1 
Type:        recommended
Severity:    moderate
References:  1182959,1195149,1195792,1195856
This update for openssl-1_1 fixes the following issues:

openssl-1_1:

- Fix PAC pointer authentication in ARM (bsc#1195856)
- Pull libopenssl-1_1 when updating openssl-1_1 with the same version (bsc#1195792)
- FIPS: Fix function and reason error codes (bsc#1182959)
- Enable zlib compression support (bsc#1195149)
    
glibc:

- Resolve installation issue of `glibc-devel` in SUSE Linux Enterprise Micro 5.1
    
linux-glibc-devel:

- Resolve installation issue of `linux-kernel-headers` in SUSE Linux Enterprise Micro 5.1

libxcrypt:

- Resolve installation issue of `libxcrypt-devel` in SUSE Linux Enterprise Micro 5.1

zlib:

- Resolve installation issue of `zlib-devel` in SUSE Linux Enterprise Micro 5.1


The following package changes have been done:

- glibc-2.31-150300.20.7 updated
- libaugeas0-1.10.1-3.9.1 updated
- libcrypt1-4.4.15-150300.4.2.41 updated
- libexpat1-2.2.5-3.19.1 updated
- libopenssl1_1-hmac-1.1.1d-11.43.1 updated
- libopenssl1_1-1.1.1d-11.43.1 updated
- libz1-1.2.11-3.26.10 updated
- openssl-1_1-1.1.1d-11.43.1 updated
- container:sles15-image-15.0.0-17.11.7 updated

SUSE: 2022:295-1 bci/bci-init Security Update

March 18, 2022
The container bci/bci-init was updated

Summary

Advisory ID: SUSE-SU-2022:844-1 Released: Tue Mar 15 11:33:57 2022 Summary: Security update for expat Type: security Severity: important Advisory ID: SUSE-SU-2022:845-1 Released: Tue Mar 15 11:40:52 2022 Summary: Security update for chrony Type: security Severity: moderate Advisory ID: SUSE-RU-2022:861-1 Released: Tue Mar 15 23:30:48 2022 Summary: Recommended update for openssl-1_1 Type: recommended Severity: moderate

References

References : 1099272 1115529 1128846 1162964 1172113 1173277 1174075 1174911

1180689 1181826 1182959 1187906 1190926 1194229 1195149 1195792

1195856 1196025 1196784 CVE-2020-14367 CVE-2022-25236

1196025,1196784,CVE-2022-25236

This update for expat fixes the following issues:

- Fixed a regression caused by the patch for CVE-2022-25236 (bsc#1196784).

1099272,1115529,1128846,1162964,1172113,1173277,1174075,1174911,1180689,1181826,1187906,1190926,1194229,CVE-2020-14367

This update for chrony fixes the following issues:

Chrony was updated to 4.1, bringing features and bugfixes.

Update to 4.1

* Add support for NTS servers specified by IP address (matching

Subject Alternative Name in server certificate)

* Add source-specific configuration of trusted certificates

* Allow multiple files and directories with trusted certificates

* Allow multiple pairs of server keys and certificates

* Add copy option to server/pool directive

* Increase PPS lock limit to 40% of pulse interval

* Perform source selection immediately after loading dump files

* Reload dump files for addresses negotiated by NTS-KE server

* Update seccomp filter and add less restrictive level

* Restart ongoing name resolution on online command

* Fix dump files to not include uncorrected offset

* Fix initstepslew to accept time from own NTP clients

* Reset NTP address and port when no longer negotiated by NTS-KE

server

- Ensure the correct pool packages are installed for openSUSE

and SLE (bsc#1180689).

- Fix pool package dependencies, so that SLE prefers chrony-pool-suse

over chrony-pool-empty. (bsc#1194229)

- Enable syscallfilter unconditionally [bsc#1181826].

Update to 4.0

- Enhancements

- Add support for Network Time Security (NTS) authentication

- Add support for AES-CMAC keys (AES128, AES256) with Nettle

- Add authselectmode directive to control selection of

unauthenticated sources

- Add binddevice, bindacqdevice, bindcmddevice directives

- Add confdir directive to better support fragmented

configuration

- Add sourcedir directive and 'reload sources' command to

support dynamic NTP sources specified in files

- Add clockprecision directive

- Add dscp directive to set Differentiated Services Code Point

(DSCP)

- Add -L option to limit log messages by severity

- Add -p option to print whole configuration with included

files

- Add -U option to allow start under non-root user

- Allow maxsamples to be set to 1 for faster update with -q/-Q

option

- Avoid replacing NTP sources with sources that have

unreachable address

- Improve pools to repeat name resolution to get 'maxsources'

sources

- Improve source selection with trusted sources

- Improve NTP loop test to prevent synchronisation to itself

- Repeat iburst when NTP source is switched from offline state

to online

- Update clock synchronisation status and leap status more

frequently

- Update seccomp filter

- Add 'add pool' command

- Add 'reset sources' command to drop all measurements

- Add authdata command to print details about NTP

authentication

- Add selectdata command to print details about source

selection

- Add -N option and sourcename command to print original names

of sources

- Add -a option to some commands to print also unresolved

sources

- Add -k, -p, -r options to clients command to select, limit,

reset data

- Bug fixes

- Don’t set interface for NTP responses to allow asymmetric

routing

- Handle RTCs that don’t support interrupts

- Respond to command requests with correct address on

multihomed hosts

- Removed features

- Drop support for RIPEMD keys (RMD128, RMD160, RMD256, RMD320)

- Drop support for long (non-standard) MACs in NTPv4 packets

(chrony 2.x clients using non-MD5/SHA1 keys need to use

option 'version 3')

- Drop support for line editing with GNU Readline

- By default we don't write log files but log to journald, so

only recommend logrotate.

- Adjust and rename the sysconfig file, so that it matches the

expectations of chronyd.service (bsc#1173277).

Update to 3.5.1:

* Create new file when writing pidfile (CVE-2020-14367, bsc#1174911)

- Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075)

- Use iburst in the default pool statements to speed up initial

synchronisation (bsc#1172113).

Update to 3.5:

+ Add support for more accurate reading of PHC on Linux 5.0

+ Add support for hardware timestamping on interfaces with read-only timestamping configuration

+ Add support for memory locking and real-time priority on FreeBSD, NetBSD, Solaris

+ Update seccomp filter to work on more architectures

+ Validate refclock driver options

+ Fix bindaddress directive on FreeBSD

+ Fix transposition of hardware RX timestamp on Linux 4.13 and later

+ Fix building on non-glibc systems

- Fix location of helper script in [email protected]

(bsc#1128846).

- Read runtime servers from /var/run/netconfig/chrony.servers to

fix bsc#1099272.

- Move chrony-helper to /usr/lib/chrony/helper, because there

should be no executables in /usr/share.

Update to version 3.4

* Enhancements

+ Add filter option to server/pool/peer directive

+ Add minsamples and maxsamples options to hwtimestamp directive

+ Add support for faster frequency adjustments in Linux 4.19

+ Change default pidfile to /var/run/chrony/chronyd.pid to allow chronyd

without root privileges to remove it on exit

+ Disable sub-second polling intervals for distant NTP sources

+ Extend range of supported sub-second polling intervals

+ Get/set IPv4 destination/source address of NTP packets on FreeBSD

+ Make burst options and command useful with short polling intervals

+ Modify auto_offline option to activate when sending request failed

+ Respond from interface that received NTP request if possible

+ Add onoffline command to switch between online and offline state

according to current system network configuration

+ Improve example NetworkManager dispatcher script

* Bug fixes

+ Avoid waiting in Linux getrandom system call

+ Fix PPS support on FreeBSD and NetBSD

Update to version 3.3

* Enhancements:

+ Add burst option to server/pool directive

+ Add stratum and tai options to refclock directive

+ Add support for Nettle crypto library

+ Add workaround for missing kernel receive timestamps on Linux

+ Wait for late hardware transmit timestamps

+ Improve source selection with unreachable sources

+ Improve protection against replay attacks on symmetric mode

+ Allow PHC refclock to use socket in /var/run/chrony

+ Add shutdown command to stop chronyd

+ Simplify format of response to manual list command

+ Improve handling of unknown responses in chronyc

* Bug fixes:

+ Respond to NTPv1 client requests with zero mode

+ Fix -x option to not require CAP_SYS_TIME under non-root user

+ Fix acquisitionport directive to work with privilege separation

+ Fix handling of socket errors on Linux to avoid high CPU usage

+ Fix chronyc to not get stuck in infinite loop after clock step

1182959,1195149,1195792,1195856

This update for openssl-1_1 fixes the following issues:

openssl-1_1:

- Fix PAC pointer authentication in ARM (bsc#1195856)

- Pull libopenssl-1_1 when updating openssl-1_1 with the same version (bsc#1195792)

- FIPS: Fix function and reason error codes (bsc#1182959)

- Enable zlib compression support (bsc#1195149)

glibc:

- Resolve installation issue of `glibc-devel` in SUSE Linux Enterprise Micro 5.1

linux-glibc-devel:

- Resolve installation issue of `linux-kernel-headers` in SUSE Linux Enterprise Micro 5.1

libxcrypt:

- Resolve installation issue of `libxcrypt-devel` in SUSE Linux Enterprise Micro 5.1

zlib:

- Resolve installation issue of `zlib-devel` in SUSE Linux Enterprise Micro 5.1

The following package changes have been done:

- glibc-2.31-150300.20.7 updated

- libaugeas0-1.10.1-3.9.1 updated

- libcrypt1-4.4.15-150300.4.2.41 updated

- libexpat1-2.2.5-3.19.1 updated

- libopenssl1_1-hmac-1.1.1d-11.43.1 updated

- libopenssl1_1-1.1.1d-11.43.1 updated

- libz1-1.2.11-3.26.10 updated

- openssl-1_1-1.1.1d-11.43.1 updated

- container:sles15-image-15.0.0-17.11.7 updated

Severity
Container Advisory ID : SUSE-CU-2022:295-1
Container Tags : bci/bci-init:15.3 , bci/bci-init:15.3.11.15 , bci/bci-init:latest
Container Release : 11.15
Severity : important
Type : security

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.