SUSE: 2022:302-1 bci/openjdk-devel Security Update | LinuxSecurity.com
SUSE Container Update Advisory: bci/openjdk-devel
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2022:302-1
Container Tags        : bci/openjdk-devel:11 , bci/openjdk-devel:11-14.19 , bci/openjdk-devel:latest
Container Release     : 14.19
Severity              : important
Type                  : security
References            : 1187512 1188348 1188507 1190447 1192954 1193632 1194265 1194925
                        1194926 1194927 1194928 1194929 1194930 1194931 1194932 1194933
                        1194934 1194935 1194937 1194939 1194940 1194941 1194976 1195326
                        1195468 1195654 1196025 1196026 1196036 1196168 1196169 1196171
                        CVE-2021-3995 CVE-2021-3996 CVE-2022-21248 CVE-2022-21277 CVE-2022-21282
                        CVE-2022-21283 CVE-2022-21291 CVE-2022-21293 CVE-2022-21294 CVE-2022-21296
                        CVE-2022-21299 CVE-2022-21305 CVE-2022-21340 CVE-2022-21341 CVE-2022-21360
                        CVE-2022-21365 CVE-2022-21366 CVE-2022-24407 CVE-2022-25235 CVE-2022-25236
                        CVE-2022-25313 CVE-2022-25314 CVE-2022-25315 
-----------------------------------------------------------------

The container bci/openjdk-devel was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2626-1
Released:    Thu Aug  5 12:10:35 2021
Summary:     Recommended maintenance update for libeconf
Type:        recommended
Severity:    moderate
References:  1188348
This update for libeconf fixes the following issue:

- Solve a downgrade issue between SUSE Linux Enterprise SP3 and lower (bsc#1188348)
  
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:674-1
Released:    Wed Mar  2 13:24:38 2022
Summary:     Recommended update for yast2-network
Type:        recommended
Severity:    moderate
References:  1187512
This update for yast2-network fixes the following issues:
  
- Don't crash at the end of installation when storing wifi configuration for NetworkManager. (bsc#1187512)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:692-1
Released:    Thu Mar  3 15:46:47 2022
Summary:     Recommended update for filesystem
Type:        recommended
Severity:    moderate
References:  1190447
This update for filesystem fixes the following issues:

- Release ported filesystem to LTSS channels (bsc#1190447).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:713-1
Released:    Fri Mar  4 09:34:17 2022
Summary:     Security update for expat
Type:        security
Severity:    important
References:  1196025,1196026,1196168,1196169,1196171,CVE-2022-25235,CVE-2022-25236,CVE-2022-25313,CVE-2022-25314,CVE-2022-25315
This update for expat fixes the following issues:
  
- CVE-2022-25236: Fixed possible namespace-separator characters insertion into namespace URIs (bsc#1196025).
- CVE-2022-25235: Fixed UTF-8 character validation in a certain context (bsc#1196026).
- CVE-2022-25313: Fixed stack exhaustion in build_model() via uncontrolled recursion (bsc#1196168).
- CVE-2022-25314: Fixed integer overflow in copyString (bsc#1196169).
- CVE-2022-25315: Fixed integer overflow in storeRawNames (bsc#1196171).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:727-1
Released:    Fri Mar  4 10:39:21 2022
Summary:     Security update for libeconf, shadow and util-linux
Type:        security
Severity:    moderate
References:  1188507,1192954,1193632,1194976,CVE-2021-3995,CVE-2021-3996
This security update for libeconf, shadow and util-linux fixes the following issues:

libeconf:

- Add libeconf to SLE-Module-Basesystem_15-SP3 because needed by 'util-linux' and 'shadow' 
  to fix autoyast handling of security related parameters (bsc#1192954, jsc#SLE-23384, jsc#SLE-23402)

Issues fixed in libeconf:
- Reading numbers with different bases (e.g. octal) (bsc#1193632) (#157)
- Fixed different issues while writing string values to file.
- Writing comments to file too.
- Fixed crash while merging values.
- Added econftool cat option (#146)
- new API call: econf_readDirsHistory (showing ALL locations)
- new API call: econf_getPath (absolute path of the configuration file)
- Man pages libeconf.3 and econftool.8.
- Handling multiline strings.
- Added libeconf_ext which returns more information like
  line_nr, comments, path of the configuration file,...
- Econftool, a command-line interface for handling configuration files.
- Generating HTML API documentation with doxygen.
- Improving error handling and semantic file check.
- Joining entries with the same key to one single entry if
  env variable ECONF_JOIN_SAME_ENTRIES has been set.

shadow:

- The legacy code does not support /etc/login.defs.d used by YaST. Enable libeconf to 
  read it (bsc#1192954, jsc#SLE-23384, jsc#SLE-23402)

util-linux:

- The legacy code does not support /etc/login.defs.d used by YaST. Enable libeconf to 
  read it (bsc#1192954, jsc#SLE-23384, jsc#SLE-23402)
- Allow use of larger values for start sector to prevent `blockdev --report` aborting (bsc#1188507)
- Fixed `blockdev --report` using non-space characters as a field separator (bsc#1188507)
- CVE-2021-3995: Fixed unauthorized unmount in util-linux's libmount. (bsc#1194976) 
- CVE-2021-3996: Fixed unauthorized unmount in util-linux's libmount. (bsc#1194976)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:743-1
Released:    Mon Mar  7 22:08:12 2022
Summary:     Security update for cyrus-sasl
Type:        security
Severity:    important
References:  1194265,1196036,CVE-2022-24407
This update for cyrus-sasl fixes the following issues:

- CVE-2022-24407: Fixed SQL injection in sql_auxprop_store in plugins/sql.c (bsc#1196036).

The following non-security bugs were fixed:

- postfix: sasl authentication with password fails (bsc#1194265).
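The CVE-2022-24407 bullet above names only the vulnerability class (SQL injection in the sql auxprop plugin's store path). The block below is an added illustration of that class in Python with sqlite3; it is not the cyrus-sasl source or its patch, and the table name, column names and the shape of the UPDATE statement are assumptions chosen for the demo. It shows the string-built query next to a parameterized one and what a quote in the username does to each.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory auxprop-style table with two constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE sasl_auth (username TEXT, realm TEXT, userPassword TEXT)")
    con.executemany("INSERT INTO sasl_auth VALUES (?, ?, ?)", [
        ("alice", "example.com", "alice-secret"),
        ("bob", "example.com", "bob-secret"),
    ])
    con.commit()
    return con


def store_vulnerable(con: sqlite3.Connection, user: str, realm: str, value: str) -> int:
    """Injectable pattern: untrusted user/realm/value are interpolated
    straight into the SQL text. Returns the number of rows changed."""
    sql = ("UPDATE sasl_auth SET userPassword = '%s' "
           "WHERE username = '%s' AND realm = '%s'" % (value, user, realm))
    return con.execute(sql).rowcount


def store_hardened(con: sqlite3.Connection, user: str, realm: str, value: str) -> int:
    """Same update with bound parameters: the quote in the username is data,
    never SQL, so the WHERE clause matches exactly one literal username."""
    sql = "UPDATE sasl_auth SET userPassword = ? WHERE username = ? AND realm = ?"
    return con.execute(sql, (value, user, realm)).rowcount


def passwords(con: sqlite3.Connection) -> dict:
    return dict(con.execute("SELECT username, userPassword FROM sasl_auth"))


if __name__ == "__main__":
    # A username carrying a single quote turns the WHERE clause into
    # username = 'bob' OR ('1'='1' AND realm = 'example.com'), i.e. every
    # row in the realm, so alice's password is overwritten too.
    attacker_user = "bob' OR '1'='1"
    con = make_db()
    print("vulnerable rows changed:", store_vulnerable(con, attacker_user, "example.com", "pwned"))
    print(passwords(con))
    con = make_db()
    print("hardened rows changed:", store_hardened(con, attacker_user, "example.com", "pwned"))
    print(passwords(con))
```

Binding parameters also removes the need for the hand-written quote escaping that an interpolating implementation has to get right in every code path.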

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:787-1
Released:    Thu Mar 10 11:20:13 2022
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    moderate
References:  
This update for openldap2 fixes the following issue:

- restore CLDAP functionality in CLI tools (jsc#PM-3288)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:788-1
Released:    Thu Mar 10 11:21:04 2022
Summary:     Recommended update for libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1195326
This update for libzypp, zypper fixes the following issues:

- Fix handling of redirected command in-/output (bsc#1195326)
  This fixes delays at the end of zypper operations, where
  zypper unintentionally waits for appdata plugin scripts to
  complete.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:789-1
Released:    Thu Mar 10 11:22:05 2022
Summary:     Recommended update for update-alternatives
Type:        recommended
Severity:    moderate
References:  1195654
This update for update-alternatives fixes the following issues:

- Break the bash / update-alternatives dependency cycle by rewriting the '%post' scriptlet in Lua. (bsc#1195654)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:808-1
Released:    Fri Mar 11 06:07:58 2022
Summary:     Recommended update for procps
Type:        recommended
Severity:    moderate
References:  1195468
This update for procps fixes the following issues:

- Stop registering signal handler for SIGURG, to avoid `ps` failure if
  someone sends such signal. Without the signal handler, SIGURG will
  just be ignored. (bsc#1195468)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:816-1
Released:    Mon Mar 14 10:22:04 2022
Summary:     Security update for java-11-openjdk
Type:        security
Severity:    moderate
References:  1194925,1194926,1194927,1194928,1194929,1194930,1194931,1194932,1194933,1194934,1194935,1194937,1194939,1194940,1194941,CVE-2022-21248,CVE-2022-21277,CVE-2022-21282,CVE-2022-21283,CVE-2022-21291,CVE-2022-21293,CVE-2022-21294,CVE-2022-21296,CVE-2022-21299,CVE-2022-21305,CVE-2022-21340,CVE-2022-21341,CVE-2022-21360,CVE-2022-21365,CVE-2022-21366
This update for java-11-openjdk fixes the following issues:

- CVE-2022-21248: Fixed incomplete deserialization class filtering in ObjectInputStream. (bnc#1194926)
- CVE-2022-21277: Fixed incorrect reading of TIFF files in TIFFNullDecompressor. (bnc#1194930)
- CVE-2022-21282: Fixed Insufficient URI checks in the XSLT TransformerImpl. (bnc#1194933)
- CVE-2022-21283: Fixed unexpected exception thrown in regex Pattern. (bnc#1194937)
- CVE-2022-21291: Fixed Incorrect marking of writeable fields. (bnc#1194925)
- CVE-2022-21293: Fixed Incomplete checks of StringBuffer and StringBuilder during deserialization. (bnc#1194935)
- CVE-2022-21294: Fixed Incorrect IdentityHashMap size checks during deserialization. (bnc#1194934)
- CVE-2022-21296: Fixed Incorrect access checks in XMLEntityManager. (bnc#1194932)
- CVE-2022-21299: Fixed Infinite loop related to incorrect handling of newlines in XMLEntityScanner. (bnc#1194931)
- CVE-2022-21305: Fixed Array indexing issues in LIRGenerator. (bnc#1194939)
- CVE-2022-21340: Fixed Excessive resource use when reading JAR manifest attributes. (bnc#1194940)
- CVE-2022-21341: Fixed insufficient checks when deserializing exceptions in ObjectInputStream. (bnc#1194941)
- CVE-2022-21360: Fixed Excessive memory allocation in BMPImageReader. (bnc#1194929)
- CVE-2022-21365: Fixed Integer overflow in BMPImageReader. (bnc#1194928)
- CVE-2022-21366: Fixed Excessive memory allocation in TIFF*Decompressor. (bnc#1194927)


The following package changes have been done:

- filesystem-15.0-11.5.1 updated
- java-11-openjdk-devel-11.0.14.0-3.74.2 updated
- java-11-openjdk-headless-11.0.14.0-3.74.2 updated
- java-11-openjdk-11.0.14.0-3.74.2 updated
- libaugeas0-1.10.1-3.5.1 updated
- libblkid1-2.36.2-150300.4.14.3 updated
- libeconf0-0.4.4+git20220104.962774f-150300.3.6.2 added
- libexpat1-2.2.5-3.15.1 updated
- libfdisk1-2.36.2-150300.4.14.3 updated
- libldap-2_4-2-2.4.46-9.61.1 updated
- libldap-data-2.4.46-9.61.1 updated
- libmount1-2.36.2-150300.4.14.3 updated
- libprocps7-3.3.15-7.22.1 updated
- libsasl2-3-2.1.27-150300.4.6.1 updated
- libsmartcols1-2.36.2-150300.4.14.3 updated
- libuuid1-2.36.2-150300.4.14.3 updated
- libzypp-17.29.4-31.1 updated
- login_defs-4.8.1-150300.4.3.8 updated
- procps-3.3.15-7.22.1 updated
- shadow-4.8.1-150300.4.3.8 updated
- update-alternatives-1.19.0.4-4.3.1 updated
- util-linux-2.36.2-150300.4.14.3 updated
- zypper-1.14.51-27.1 updated
- container:openjdk-11-image-15.3.0-14.11 updated
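The package list above is what a running container has to be compared against to confirm it carries this update. The block below is an added example, not SUSE tooling: it re-implements librpm's version ordering in Python and checks an installed package list against the advisory's name-version-release lines. Assumptions: no RPM epoch is involved (none of the packages listed here carries one), the installed list has the shape produced by `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'`, and both inputs embedded here are constructed samples (a subset of the advisory list, and a made-up pre-update image) so the script runs offline.

```python
def rpmvercmp(a: str, b: str) -> int:
    """librpm rpmvercmp() semantics: 1 if a is newer, -1 if older, 0 if equal.
    Runs of digits compare numerically, runs of letters as strings, a numeric
    run beats an alphabetic one, '~' sorts before anything (pre-release),
    '^' sorts after end-of-string but before any ordinary segment."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):  # skip separators
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        a_tilde, b_tilde = i < len(a) and a[i] == "~", j < len(b) and b[j] == "~"
        if a_tilde or b_tilde:
            if not a_tilde:
                return 1
            if not b_tilde:
                return -1
            i, j = i + 1, j + 1
            continue
        a_caret, b_caret = i < len(a) and a[i] == "^", j < len(b) and b[j] == "^"
        if a_caret or b_caret:
            if i >= len(a):
                return -1
            if j >= len(b):
                return 1
            if not a_caret:
                return 1
            if not b_caret:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        isnum = a[i].isdigit()                     # segment type is decided by a
        kind = str.isdigit if isnum else str.isalpha
        ia, jb = i, j
        while i < len(a) and kind(a[i]):
            i += 1
        while j < len(b) and kind(b[j]):
            j += 1
        seg_a, seg_b = a[ia:i], b[jb:j]
        if not seg_b:                              # type mismatch: numeric wins
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return 1 if i < len(a) else -1                 # leftover characters mean newer


def parse_advisory(text: str) -> dict:
    """'- name-version-release updated' lines -> {name: (version, release)}."""
    pkgs = {}
    for line in text.splitlines():
        if line.strip().startswith("- "):
            name, ver, rel = line.strip()[2:].split()[0].rsplit("-", 2)
            pkgs[name] = (ver, rel)
    return pkgs


def parse_rpm_qa(text: str) -> dict:
    """'name version-release' lines (rpm -qa query format above) -> dict."""
    inst = {}
    for line in text.splitlines():
        if line.strip():
            name, vr = line.split()
            inst[name] = tuple(vr.rsplit("-", 1))
    return inst


def audit(installed_text: str, advisory_text: str) -> dict:
    """Per advisory package: 'ok', 'outdated' (installed EVR older) or 'missing'."""
    installed, result = parse_rpm_qa(installed_text), {}
    for name, (ver, rel) in parse_advisory(advisory_text).items():
        if name not in installed:
            result[name] = "missing"
        else:
            iv, ir = installed[name]
            c = rpmvercmp(iv, ver) or rpmvercmp(ir, rel)
            result[name] = "outdated" if c < 0 else "ok"
    return result


# Constructed subset of the advisory's package list.
ADVISORY_PACKAGES = """
- java-11-openjdk-devel-11.0.14.0-3.74.2 updated
- java-11-openjdk-headless-11.0.14.0-3.74.2 updated
- java-11-openjdk-11.0.14.0-3.74.2 updated
- libeconf0-0.4.4+git20220104.962774f-150300.3.6.2 added
- libexpat1-2.2.5-3.15.1 updated
- libsasl2-3-2.1.27-150300.4.6.1 updated
- util-linux-2.36.2-150300.4.14.3 updated
"""
# Constructed sample of an image that predates the update (versions are made up).
INSTALLED_RPM_QA = """
java-11-openjdk-devel 11.0.13.0-3.71.1
java-11-openjdk-headless 11.0.14.0-3.74.2
java-11-openjdk 11.0.14.0-3.74.2
libexpat1 2.2.5-3.12.1
libsasl2-3 2.1.27-150300.4.3.1
util-linux 2.36.2-150300.4.14.3
"""

if __name__ == "__main__":
    for name, status in audit(INSTALLED_RPM_QA, ADVISORY_PACKAGES).items():
        print(f"{status:8s} {name}")
```

Replace `INSTALLED_RPM_QA` with the real `rpm -qa` output captured from the container (`docker run --rm <image> rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'`) to audit an actual image; anything reported as `outdated` still lacks the fixes listed in this advisory.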

Published: March 18, 2022
