SUSE: 2022:319-1 ses/7/ceph/prometheus-server Security Update
SUSE Container Update Advisory: ses/7/ceph/prometheus-server
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2022:319-1
Container Tags        : ses/7/ceph/prometheus-server:2.32.1 , ses/7/ceph/prometheus-server:2.32.1.1.6.6 , ses/7/ceph/prometheus-server:latest , ses/7/ceph/prometheus-server:sle15.2.octopus
Container Release     : 1.6.6
Severity              : important
Type                  : security
References            : 1082318 1099272 1115529 1128846 1162964 1169614 1172113 1173277
                        1174075 1174911 1180125 1180689 1181400 1181826 1182959 1187512
                        1187906 1189152 1190447 1190926 1192489 1193007 1193488 1193625
                        1193711 1193759 1193805 1193841 1194229 1194522 1194597 1194640
                        1194768 1194770 1194898 1195149 1195326 1195468 1195560 1195792
                        1195856 1196036 1196167 1196275 1196300 1196406 1197004 954813
                        CVE-2015-8985 CVE-2020-14367 CVE-2021-3999 CVE-2021-4209 CVE-2022-23218
                        CVE-2022-23219 CVE-2022-24407 
-----------------------------------------------------------------

The container ses/7/ceph/prometheus-server was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:93-1
Released:    Tue Jan 18 05:11:58 2022
Summary:     Recommended update for openssl-1_1
Type:        recommended
Severity:    important
References:  1192489
This update for openssl-1_1 fixes the following issues:

- Add RSA_get0_pss_params() accessor that is used by nodejs16 and provide openssl-has-RSA_get0_pss_params (bsc#1192489)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:94-1
Released:    Tue Jan 18 05:13:24 2022
Summary:     Recommended update for rpm
Type:        recommended
Severity:    important
References:  1180125,1193711
This update for rpm fixes the following issues:

- Add explicit requirement on python-rpm-macros (bsc#1180125, bsc#1193711)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:141-1
Released:    Thu Jan 20 13:47:16 2022
Summary:     Security update for permissions
Type:        security
Severity:    moderate
References:  1169614
This update for permissions fixes the following issues:

- Update to version 20181225: setuid bit for cockpit session binary (bsc#1169614).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:228-1
Released:    Mon Jan 31 06:07:52 2022
Summary:     Recommended update for boost
Type:        recommended
Severity:    moderate
References:  1194522
This update for boost fixes the following issues:

- Fix compilation errors (bsc#1194522)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:348-1
Released:    Tue Feb  8 13:02:20 2022
Summary:     Recommended update for libzypp
Type:        recommended
Severity:    important
References:  1193007,1193488,1194597,1194898,954813
This update for libzypp fixes the following issues:

- RepoManager: remember execution errors in exception history (bsc#1193007)
- Fix exception handling when reading or writing credentials (bsc#1194898)
- Fix install path for parser (bsc#1194597)
- Fix Legacy include (bsc#1194597)
- Public header files on older distros must use c++11 (bsc#1194597)
- Use the default zypp.conf settings if no zypp.conf exists (bsc#1193488)
- Fix wrong encoding of URI components of ISO images (bsc#954813)
- When invoking 32bit mode in userland of an aarch64 kernel, handle armv8l as armv7hl compatible
- Introduce zypp-curl as a sublibrary for CURL related code
- zypp-rpm: Increase rpm loglevel if ZYPP_RPM_DEBUG is set
- Save all signatures associated with a public key in its PublicKeyData

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:511-1
Released:    Fri Feb 18 12:41:53 2022
Summary:     Recommended update for coreutils
Type:        recommended
Severity:    moderate
References:  1082318,1189152
This update for coreutils fixes the following issues:

- Add 'fuse.portal' as a dummy file system (used in flatpak implementations) (bsc#1189152).
- Properly sort docs and license files (bsc#1082318).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:523-1
Released:    Fri Feb 18 12:49:09 2022
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1193759,1193841
This update for systemd fixes the following issues:

- systemctl: exit with 1 if no unit files found (bsc#1193841).
- add rules for virtual devices (bsc#1193759).
- enforce 'none' for loop devices (bsc#1193759).

-----------------------------------------------------------------
Advisory ID: SUSE-feature-2022:599-1
Released:    Mon Feb 28 16:59:39 2022
Summary:     Feature update for golang-github-prometheus-prometheus
Type:        feature
Severity:    moderate
References:  1181400
This feature update for golang-github-prometheus-prometheus provides the following changes:

Upgrade `golang-github-prometheus-prometheus` from version 2.27.1 to version 2.32.1: (jsc#SLE-22863)

- Use `obs-service-go_modules`
- Added hardening to systemd service(s). Modified `prometheus.service` (bsc#1181400)
- Bugfixes:
  * Scrape: Fix reporting metrics when sample limit is reached during the report.
  * Scrape: Ensure that scrape interval and scrape timeout are always set.
  * TSDB: Expose and fix bug in iterators' Seek() method.
  * TSDB: Add more size checks when writing individual sections in the index.
  * PromQL: Make deriv() return zero values for constant series.
  * TSDB: Fix panic when checkpoint directory is empty. #9687
  * TSDB: Fix panic, out of order chunks, and race warning during WAL replay.
  * UI: Correctly render links for targets with IPv6 addresses that contain a Zone ID.
  * Promtool: Fix checking of `authorization.credentials_file` and `bearer_token_file` fields.
  * Uyuni SD: Fix null pointer exception during initialization.
  * TSDB: Fix queries after a failed snapshot replay.
  * SD: Fix a panic when the experimental discovery manager receives targets during a reload.
  * Backfill: Apply rule labels after query labels.
  * Scrape: Resolve conflicts between multiple exported label prefixes.
  * Scrape: Restart scrape loops when __scrape_interval__ is changed.
  * TSDB: Fix memory leak in samples deletion.
  * UI: Use consistent margin-bottom for all alert kinds.
  * TSDB: Fix panic on failed snapshot replay.
  * TSDB: Don't fail snapshot replay with exemplar storage disabled when the snapshot contains exemplars.
  * TSDB: Don't error on overlapping m-mapped chunks during WAL replay.
  * promtool rules backfill: Prevent creation of data before the start time.
  * promtool rules backfill: Do not query after the end time.
  * Azure SD: Fix panic when no computername is set.
  * Exemplars: Fix panic when resizing exemplar storage from 0 to a non-zero size.
  * TSDB: Correctly decrement `prometheus_tsdb_head_active_appenders` when the append has no samples.
  * promtool rules backfill: Return 1 if backfill was unsuccessful.
  * promtool rules backfill: Avoid creation of overlapping blocks.
  * config: Fix a panic when reloading configuration with a null relabel action.
  * Fix Kubernetes SD failing to discover Ingress in Kubernetes v1.22.
  * Fix data race in loading write-ahead-log (WAL).
  * TSDB: align atomically accessed int64 to prevent panic in 32-bit archs.
  * Log when total symbol size exceeds 2^32 bytes, causing compaction to fail, and skip compaction.
  * Fix incorrect target_limit reloading of zero value.
  * Fix head GC and pending readers race condition.
  * Fix timestamp handling in OpenMetrics parser.
  * Fix potential duplicate metrics in /federate endpoint when specifying multiple matchers.
  * Fix server configuration and validation for authentication via client cert.
  * Allow start and end again as label names in PromQL queries. They were disallowed since the introduction of @ 
    timestamp feature.
  * HTTP SD: Allow charset specification in Content-Type header.
  * HTTP SD: Fix handling of disappeared target groups.
  * Fix incorrect log-level handling after moving to go-kit/log.
  * UI: In the experimental PromQL editor, fix autocompletion and parsing for special float values and improve series 
    metadata fetching.
  * TSDB: When merging chunks, split resulting chunks if they would contain more than the maximum of 120 samples.
  * SD: Fix the computation of the `prometheus_sd_discovered_targets` metric when using multiple service discoveries.
- Change:
  * remote-write: Change default max retry time from 100ms to 5 seconds.
  * UI: Remove standard PromQL editor in favour of the codemirror-based editor.
  * Promote `--storage.tsdb.allow-overlapping-blocks` flag to stable.
  * Promote `--storage.tsdb.retention.size` flag to stable.
  * UI: Make the new experimental PromQL editor the default.
- Features:
  * Agent: New mode of operation optimized for remote-write only scenarios, without local storage.
  * Promtool: Add promtool check service-discovery command.
  * PromQL: Add trigonometric functions and atan2 binary operator.
  * Remote: Add support for exemplar in the remote write receiver endpoint.
  * SD: Add PuppetDB service discovery.
  * SD: Add Uyuni service discovery. 
  * Web: Add support for security-related HTTP headers.
  * experimental TSDB: Snapshot in-memory chunks on shutdown for faster restarts.
  * experimental Scrape: Configure scrape interval and scrape timeout via relabeling using `__scrape_interval__` and 
  `__scrape_timeout__` labels respectively.
  * Scrape: Add scrape_timeout_seconds and scrape_sample_limit metric.
  * Add Kuma service discovery.
  * Add present_over_time PromQL function.
  * Allow configuring exemplar storage via file and make it reloadable.
  * UI: Allow selecting time range with mouse drag.
  * promtool: Add feature flags flag `--enable-feature`.
  * promtool: Add `file_sd` file validation.
  * Linode SD: Add Linode service discovery.
  * HTTP SD: Add generic HTTP-based service discovery.
  * Kubernetes SD: Allow configuring API Server access via a kubeconfig file.
  * UI: Add exemplar display support to the graphing interface.
  * Consul SD: Add namespace support for Consul Enterprise.
- Enhancements:
  * Promtool: Improve test output.
  * Promtool: Use kahan summation for better numerical stability.
  * Remote-write: Reuse memory for marshalling.
  * Scrape: Add scrape_body_size_bytes scrape metric behind the `--enable-feature=extra-scrape-metrics` flag.
  * TSDB: Add windows arm64 support.
  * TSDB: Optimize query by skipping unneeded sorting in TSDB.
  * Templates: Support int and uint as datatypes for template formatting.
  * UI: Prefer rate over rad, delta over deg, and count over cos in autocomplete.
  * Azure SD: Add proxy_url, follow_redirects, tls_config.
  * Backfill: Add `--max-block-duration` in promtool `create-blocks-from` rules.
  * Config: Print human-readable sizes with unit instead of raw numbers.
  * https: Re-enable HTTP/2.
  * Kubernetes SD: Warn user if number of endpoints exceeds limit.
  * OAuth2: Add TLS configuration to token requests.
  * PromQL: Several optimizations.
  * PromQL: Make aggregations deterministic in instant queries.
  * Rules: Add the ability to limit number of alerts or series.
  * SD: Experimental discovery manager to avoid restarts upon reload.
  * UI: Debounce timerange setting changes.
  * Remote Write: Redact remote write URL when used for metric label.
  * UI: Redact remote write URL and proxy URL passwords in the /config page.
  * Scrape: Add --scrape.timestamp-tolerance flag to adjust scrape timestamp tolerance when enabled via
   `--scrape.adjust-timestamps`.
  * Remote Write: Improve throughput when sending exemplars.
  * TSDB: Optimise WAL loading by removing extra map and caching min-time
  * promtool: Speed up checking for duplicate rules.
  * Scrape: Reduce allocations when parsing the metrics.
  * docker_sd: Support host network mode
  * Reduce blocking of outgoing remote write requests from series garbage collection.
  * Improve write-ahead-log decoding performance.
  * Improve append performance in TSDB by reducing mutexes usage.
  * Allow configuring max_samples_per_send for remote write metadata.
  * Add `__meta_gce_interface_ipv4_` meta label to GCE discovery.
  * Add `__meta_ec2_availability_zone_id` meta label to EC2 discovery.
  * Add `__meta_azure_machine_computer_name` meta label to Azure discovery.
  * Add `__meta_hetzner_hcloud_labelpresent_` meta label to Hetzner discovery.
  * promtool: Add compaction efficiency to promtool tsdb analyze reports.
  * promtool: Allow configuring max block duration for backfilling via `--max-block-duration` flag.
  * UI: Add sorting and filtering to flags page.
  * UI: Improve alerts page rendering performance.
  * Promtool: Allow silencing output when importing / backfilling data.
  * Consul SD: Support reading tokens from file.
  * Rules: Add a new .ExternalURL alert field templating variable, containing the external URL of the Prometheus 
    server.
  * Scrape: Add experimental body_size_limit scrape configuration setting to limit the allowed response body size 
    for target scrapes.
  * Kubernetes SD: Add ingress class name label for ingress discovery.
  * UI: Show a startup screen with progress bar when the TSDB is not ready yet.
  * SD: Add a target creation failure counter `prometheus_target_sync_failed_total` and improve target creation 
    failure handling.
  * TSDB: Improve validation of exemplar label set length.
  * TSDB: Add a prometheus_tsdb_clean_start metric that indicates whether a TSDB lockfile from a previous run still 
    existed upon startup.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:674-1
Released:    Wed Mar  2 13:24:38 2022
Summary:     Recommended update for yast2-network
Type:        recommended
Severity:    moderate
References:  1187512
This update for yast2-network fixes the following issues:
  
- Don't crash at the end of installation when storing wifi configuration for NetworkManager. (bsc#1187512)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:692-1
Released:    Thu Mar  3 15:46:47 2022
Summary:     Recommended update for filesystem
Type:        recommended
Severity:    moderate
References:  1190447
This update for filesystem fixes the following issues:

- Release ported filesystem to LTSS channels (bsc#1190447).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:702-1
Released:    Thu Mar  3 18:22:59 2022
Summary:     Security update for cyrus-sasl
Type:        security
Severity:    important
References:  1196036,CVE-2022-24407
This update for cyrus-sasl fixes the following issues:

- CVE-2022-24407: Fixed SQL injection in sql_auxprop_store in plugins/sql.c (bsc#1196036).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:717-1
Released:    Fri Mar  4 09:45:20 2022
Summary:     Security update for gnutls
Type:        security
Severity:    moderate
References:  1196167,CVE-2021-4209
This update for gnutls fixes the following issues:

- CVE-2021-4209: Fixed null pointer dereference in MD_UPDATE (bsc#1196167).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:787-1
Released:    Thu Mar 10 11:20:13 2022
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    moderate
References:  
This update for openldap2 fixes the following issue:

- restore CLDAP functionality in CLI tools (jsc#PM-3288)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:788-1
Released:    Thu Mar 10 11:21:04 2022
Summary:     Recommended update for libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1195326
This update for libzypp, zypper fixes the following issues:

- Fix handling of redirected command in-/output (bsc#1195326)
  This fixes delays at the end of zypper operations, where
  zypper unintentionally waits for appdata plugin scripts to
  complete.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:796-1
Released:    Thu Mar 10 12:16:15 2022
Summary:     Recommended update for golang-github-prometheus-prometheus
Type:        recommended
Severity:    moderate
References:  1196300
This update for golang-github-prometheus-prometheus fixes the following issues:

- Fix Firewalld configuration file location (bsc#1196300)
- Require Go 1.16+
- Do not build on s390 architecture.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:808-1
Released:    Fri Mar 11 06:07:58 2022
Summary:     Recommended update for procps
Type:        recommended
Severity:    moderate
References:  1195468
This update for procps fixes the following issues:

- Stop registering signal handler for SIGURG, to avoid `ps` failure if
  someone sends such signal. Without the signal handler, SIGURG will
  just be ignored. (bsc#1195468)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:832-1
Released:    Mon Mar 14 17:27:03 2022
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1193625,1194640,1194768,1194770,1195560,CVE-2015-8985,CVE-2021-3999,CVE-2022-23218,CVE-2022-23219

glibc was updated to fix the following issues:

Security issues fixed:

- CVE-2022-23219: Fixed Buffer overflow in sunrpc clnt_create for 'unix' (bsc#1194768)
- CVE-2022-23218: Buffer overflow in sunrpc svcunix_create (bsc#1194770)
- CVE-2021-3999: Fixed getcwd to set errno to ERANGE for size == 1 (bsc#1194640)
- CVE-2015-8985: Fixed Assertion failure in pop_fail_stack when executing a malformed regexp (bsc#1193625)

Also the following bug was fixed:

- Fix pthread_rwlock_try*lock stalls (bsc#1195560)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:845-1
Released:    Tue Mar 15 11:40:52 2022
Summary:     Security update for chrony
Type:        security
Severity:    moderate
References:  1099272,1115529,1128846,1162964,1172113,1173277,1174075,1174911,1180689,1181826,1187906,1190926,1194229,CVE-2020-14367
This update for chrony fixes the following issues:

Chrony was updated to 4.1, bringing features and bugfixes.

Update to 4.1

  * Add support for NTS servers specified by IP address (matching
    Subject Alternative Name in server certificate)
  * Add source-specific configuration of trusted certificates
  * Allow multiple files and directories with trusted certificates
  * Allow multiple pairs of server keys and certificates
  * Add copy option to server/pool directive
  * Increase PPS lock limit to 40% of pulse interval
  * Perform source selection immediately after loading dump files
  * Reload dump files for addresses negotiated by NTS-KE server
  * Update seccomp filter and add less restrictive level
  * Restart ongoing name resolution on online command
  * Fix dump files to not include uncorrected offset
  * Fix initstepslew to accept time from own NTP clients
  * Reset NTP address and port when no longer negotiated by NTS-KE
    server

- Ensure the correct pool packages are installed for openSUSE
  and SLE (bsc#1180689).
- Fix pool package dependencies, so that SLE prefers chrony-pool-suse
  over chrony-pool-empty. (bsc#1194229)

- Enable syscallfilter unconditionally [bsc#1181826].

Update to 4.0

  - Enhancements

    - Add support for Network Time Security (NTS) authentication
    - Add support for AES-CMAC keys (AES128, AES256) with Nettle
    - Add authselectmode directive to control selection of
      unauthenticated sources
    - Add binddevice, bindacqdevice, bindcmddevice directives
    - Add confdir directive to better support fragmented
      configuration
    - Add sourcedir directive and 'reload sources' command to
      support dynamic NTP sources specified in files
    - Add clockprecision directive
    - Add dscp directive to set Differentiated Services Code Point
      (DSCP)
    - Add -L option to limit log messages by severity
    - Add -p option to print whole configuration with included
      files
    - Add -U option to allow start under non-root user
    - Allow maxsamples to be set to 1 for faster update with -q/-Q
      option
    - Avoid replacing NTP sources with sources that have
      unreachable address
    - Improve pools to repeat name resolution to get 'maxsources'
      sources
    - Improve source selection with trusted sources
    - Improve NTP loop test to prevent synchronisation to itself
    - Repeat iburst when NTP source is switched from offline state
      to online
    - Update clock synchronisation status and leap status more
      frequently
    - Update seccomp filter
    - Add 'add pool' command
    - Add 'reset sources' command to drop all measurements
    - Add authdata command to print details about NTP
      authentication
    - Add selectdata command to print details about source
      selection
    - Add -N option and sourcename command to print original names
      of sources
    - Add -a option to some commands to print also unresolved
      sources
    - Add -k, -p, -r options to clients command to select, limit,
      reset data

  - Bug fixes

    - Don't set interface for NTP responses to allow asymmetric
      routing
    - Handle RTCs that don't support interrupts
    - Respond to command requests with correct address on
      multihomed hosts
  - Removed features
    - Drop support for RIPEMD keys (RMD128, RMD160, RMD256, RMD320)
    - Drop support for long (non-standard) MACs in NTPv4 packets
      (chrony 2.x clients using non-MD5/SHA1 keys need to use
      option 'version 3')
    - Drop support for line editing with GNU Readline

- By default we don't write log files but log to journald, so
  only recommend logrotate.

- Adjust and rename the sysconfig file, so that it matches the
  expectations of chronyd.service (bsc#1173277).

Update to 3.5.1:

  * Create new file when writing pidfile (CVE-2020-14367, bsc#1174911)

- Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075)

- Use iburst in the default pool statements to speed up initial
  synchronisation (bsc#1172113).




Update to 3.5:

+ Add support for more accurate reading of PHC on Linux 5.0
+ Add support for hardware timestamping on interfaces with read-only timestamping configuration
+ Add support for memory locking and real-time priority on FreeBSD, NetBSD, Solaris
+ Update seccomp filter to work on more architectures
+ Validate refclock driver options
+ Fix bindaddress directive on FreeBSD
+ Fix transposition of hardware RX timestamp on Linux 4.13 and later
+ Fix building on non-glibc systems

- Fix location of helper script in chrony-dnssrv@.service
  (bsc#1128846).


- Read runtime servers from /var/run/netconfig/chrony.servers to
  fix bsc#1099272.
- Move chrony-helper to /usr/lib/chrony/helper, because there
  should be no executables in /usr/share.

Update to version 3.4

  * Enhancements

    + Add filter option to server/pool/peer directive
    + Add minsamples and maxsamples options to hwtimestamp directive
    + Add support for faster frequency adjustments in Linux 4.19
    + Change default pidfile to /var/run/chrony/chronyd.pid to allow chronyd 
      without root privileges to remove it on exit
    + Disable sub-second polling intervals for distant NTP sources
    + Extend range of supported sub-second polling intervals
    + Get/set IPv4 destination/source address of NTP packets on FreeBSD
    + Make burst options and command useful with short polling intervals
    + Modify auto_offline option to activate when sending request failed
    + Respond from interface that received NTP request if possible
    + Add onoffline command to switch between online and offline state 
      according to current system network configuration
    + Improve example NetworkManager dispatcher script

  * Bug fixes

    + Avoid waiting in Linux getrandom system call
    + Fix PPS support on FreeBSD and NetBSD

Update to version 3.3

  * Enhancements:

    + Add burst option to server/pool directive
    + Add stratum and tai options to refclock directive
    + Add support for Nettle crypto library
    + Add workaround for missing kernel receive timestamps on Linux
    + Wait for late hardware transmit timestamps
    + Improve source selection with unreachable sources
    + Improve protection against replay attacks on symmetric mode
    + Allow PHC refclock to use socket in /var/run/chrony
    + Add shutdown command to stop chronyd
    + Simplify format of response to manual list command
    + Improve handling of unknown responses in chronyc

  * Bug fixes:

    + Respond to NTPv1 client requests with zero mode
    + Fix -x option to not require CAP_SYS_TIME under non-root user
    + Fix acquisitionport directive to work with privilege separation
    + Fix handling of socket errors on Linux to avoid high CPU usage
    + Fix chronyc to not get stuck in infinite loop after clock step
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:861-1
Released:    Tue Mar 15 23:30:48 2022
Summary:     Recommended update for openssl-1_1 
Type:        recommended
Severity:    moderate
References:  1182959,1195149,1195792,1195856
This update for openssl-1_1 fixes the following issues:

openssl-1_1:

- Fix PAC pointer authentication in ARM (bsc#1195856)
- Pull libopenssl-1_1 when updating openssl-1_1 with the same version (bsc#1195792)
- FIPS: Fix function and reason error codes (bsc#1182959)
- Enable zlib compression support (bsc#1195149)
    
glibc:

- Resolve installation issue of `glibc-devel` in SUSE Linux Enterprise Micro 5.1
    
linux-glibc-devel:

- Resolve installation issue of `linux-kernel-headers` in SUSE Linux Enterprise Micro 5.1

libxcrypt:

- Resolve installation issue of `libxcrypt-devel` in SUSE Linux Enterprise Micro 5.1

zlib:

- Resolve installation issue of `zlib-devel` in SUSE Linux Enterprise Micro 5.1

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:867-1
Released:    Wed Mar 16 07:14:44 2022
Summary:     Recommended update for libtirpc
Type:        recommended
Severity:    moderate
References:  1193805
This update for libtirpc fixes the following issues:

- Fix memory leak in client protocol version 2 code (bsc#1193805)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:874-1
Released:    Wed Mar 16 10:40:52 2022
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    moderate
References:  1197004
This update for openldap2 fixes the following issue:

- Revert jsc#PM-3288 - CLDAP ( -DLDAP_CONNECTIONLESS ) due to regression (bsc#1197004)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:936-1
Released:    Tue Mar 22 18:10:17 2022
Summary:     Recommended update for filesystem and systemd-rpm-macros
Type:        recommended
Severity:    moderate
References:  1196275,1196406
This update for filesystem and systemd-rpm-macros fixes the following issues:

filesystem:

- Add path /lib/modprobe.d (bsc#1196275, jsc#SLE-20639)

systemd-rpm-macros:

- Make %_modprobedir point to /lib/modprobe.d (bsc#1196275, bsc#1196406)


The following package changes have been done:

- boost-license1_66_0-1.66.0-12.3.1 updated
- coreutils-8.29-4.3.1 updated
- filesystem-15.0-11.8.1 updated
- glibc-2.26-13.65.1 updated
- golang-github-prometheus-prometheus-2.32.1-4.6.1 updated
- libaugeas0-1.10.1-3.9.1 updated
- libboost_system1_66_0-1.66.0-12.3.1 updated
- libboost_thread1_66_0-1.66.0-12.3.1 updated
- libgnutls30-hmac-3.6.7-14.16.1 updated
- libgnutls30-3.6.7-14.16.1 updated
- libldap-2_4-2-2.4.46-9.64.1 updated
- libldap-data-2.4.46-9.64.1 updated
- libopenssl1_1-hmac-1.1.1d-11.43.1 updated
- libopenssl1_1-1.1.1d-11.43.1 updated
- libprocps7-3.3.15-7.22.1 updated
- libsasl2-3-2.1.26-5.10.1 updated
- libsystemd0-234-24.105.1 updated
- libtirpc-netconfig-1.0.2-3.11.1 updated
- libtirpc3-1.0.2-3.11.1 updated
- libudev1-234-24.105.1 updated
- libz1-1.2.11-3.26.10 updated
- libzypp-17.29.4-31.1 updated
- openssl-1_1-1.1.1d-11.43.1 added
- openssl-1.1.1d-1.46 added
- permissions-20181225-23.12.1 updated
- procps-3.3.15-7.22.1 updated
- rpm-4.14.1-22.7.1 updated
- zypper-1.14.51-27.1 updated
- container:sles15-image-15.0.0-9.5.107 updated

March 25, 2022
The container ses/7/ceph/prometheus-server was updated

Summary

Advisory ID: SUSE-RU-2022:93-1 Released: Tue Jan 18 05:11:58 2022 Summary: Recommended update for openssl-1_1 Type: recommended Severity: important Advisory ID: SUSE-RU-2022:94-1 Released: Tue Jan 18 05:13:24 2022 Summary: Recommended update for rpm Type: recommended Severity: important Advisory ID: SUSE-SU-2022:141-1 Released: Thu Jan 20 13:47:16 2022 Summary: Security update for permissions Type: security Severity: moderate Advisory ID: SUSE-RU-2022:228-1 Released: Mon Jan 31 06:07:52 2022 Summary: Recommended update for boost Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:348-1 Released: Tue Feb 8 13:02:20 2022 Summary: Recommended update for libzypp Type: recommended Severity: important Advisory ID: SUSE-RU-2022:511-1 Released: Fri Feb 18 12:41:53 2022 Summary: Recommended update for coreutils Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:523-1 Released: Fri Feb 18 12:49:09 2022 Summary: Recommended update for systemd Type: recommended Severity: moderate Advisory ID: SUSE-feature-2022:599-1 Released: Mon Feb 28 16:59:39 2022 Summary: Feature update for golang-github-prometheus-prometheus Type: feature Severity: moderate Advisory ID: SUSE-RU-2022:674-1 Released: Wed Mar 2 13:24:38 2022 Summary: Recommended update for yast2-network Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:692-1 Released: Thu Mar 3 15:46:47 2022 Summary: Recommended update for filesystem Type: recommended Severity: moderate Advisory ID: SUSE-SU-2022:702-1 Released: Thu Mar 3 18:22:59 2022 Summary: Security update for cyrus-sasl Type: security Severity: important Advisory ID: SUSE-SU-2022:717-1 Released: Fri Mar 4 09:45:20 2022 Summary: Security update for gnutls Type: security Severity: moderate Advisory ID: SUSE-RU-2022:787-1 Released: Thu Mar 10 11:20:13 2022 Summary: Recommended update for openldap2 Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:788-1 Released: Thu Mar 10 11:21:04 2022 Summary: Recommended update for 
libzypp, zypper Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:796-1 Released: Thu Mar 10 12:16:15 2022 Summary: Recommended update for golang-github-prometheus-prometheus Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:808-1 Released: Fri Mar 11 06:07:58 2022 Summary: Recommended update for procps Type: recommended Severity: moderate Advisory ID: SUSE-SU-2022:832-1 Released: Mon Mar 14 17:27:03 2022 Summary: Security update for glibc Type: security Severity: important Advisory ID: SUSE-SU-2022:845-1 Released: Tue Mar 15 11:40:52 2022 Summary: Security update for chrony Type: security Severity: moderate Advisory ID: SUSE-RU-2022:861-1 Released: Tue Mar 15 23:30:48 2022 Summary: Recommended update for openssl-1_1 Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:867-1 Released: Wed Mar 16 07:14:44 2022 Summary: Recommended update for libtirpc Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:874-1 Released: Wed Mar 16 10:40:52 2022 Summary: Recommended update for openldap2 Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:936-1 Released: Tue Mar 22 18:10:17 2022 Summary: Recommended update for filesystem and systemd-rpm-macros Type: recommended Severity: moderate

References

References : 1082318 1099272 1115529 1128846 1162964 1169614 1172113 1173277
             1174075 1174911 1180125 1180689 1181400 1181826 1182959 1187512
             1187906 1189152 1190447 1190926 1192489 1193007 1193488 1193625
             1193711 1193759 1193805 1193841 1194229 1194522 1194597 1194640
             1194768 1194770 1194898 1195149 1195326 1195468 1195560 1195792
             1195856 1196036 1196167 1196275 1196300 1196406 1197004 954813
             CVE-2015-8985 CVE-2020-14367 CVE-2021-3999 CVE-2021-4209 CVE-2022-23218
             CVE-2022-23219 CVE-2022-24407

References: 1192489

This update for openssl-1_1 fixes the following issues:

- Add RSA_get0_pss_params() accessor that is used by nodejs16 and provide openssl-has-RSA_get0_pss_params (bsc#1192489)

References: 1180125,1193711

This update for rpm fixes the following issues:

- Add explicit requirement on python-rpm-macros (bsc#1180125, bsc#1193711)

References: 1169614

This update for permissions fixes the following issues:

- Update to version 20181225: setuid bit for cockpit session binary (bsc#1169614).

References: 1194522

This update for boost fixes the following issues:

- Fix compilation errors (bsc#1194522)

References: 1193007,1193488,1194597,1194898,954813

This update for libzypp fixes the following issues:

- RepoManager: remember execution errors in exception history (bsc#1193007)

- Fix exception handling when reading or writing credentials (bsc#1194898)

- Fix install path for parser (bsc#1194597)

- Fix Legacy include (bsc#1194597)

- Public header files on older distros must use c++11 (bsc#1194597)

- Use the default zypp.conf settings if no zypp.conf exists (bsc#1193488)

- Fix wrong encoding of URI components of ISO images (bsc#954813)

- When invoking 32bit mode in userland of an aarch64 kernel, handle armv8l as armv7hl compatible

- Introduce zypp-curl as a sublibrary for CURL related code

- zypp-rpm: Increase rpm loglevel if ZYPP_RPM_DEBUG is set

- Save all signatures associated with a public key in its PublicKeyData

References: 1082318,1189152

This update for coreutils fixes the following issues:

- Add 'fuse.portal' as a dummy file system (used in flatpak implementations) (bsc#1189152).

- Properly sort docs and license files (bsc#1082318).

References: 1193759,1193841

This update for systemd fixes the following issues:

- systemctl: exit with 1 if no unit files found (bsc#1193841).

- add rules for virtual devices (bsc#1193759).

- enforce 'none' for loop devices (bsc#1193759).

References: 1181400

This feature update for golang-github-prometheus-prometheus provides the following changes:

Upgrade `golang-github-prometheus-prometheus` from version 2.27.1 to version 2.32.1: (jsc#SLE-22863)

- Use `obs-service-go_modules`

- Added hardening to systemd service(s). Modified `prometheus.service` (bsc#1181400)

- Bugfixes:

* Scrape: Fix reporting metrics when sample limit is reached during the report.

* Scrape: Ensure that scrape interval and scrape timeout are always set.

* TSDB: Expose and fix bug in iterators' Seek() method.

* TSDB: Add more size checks when writing individual sections in the index.

* PromQL: Make deriv() return zero values for constant series.

* TSDB: Fix panic when checkpoint directory is empty. #9687

* TSDB: Fix panic, out of order chunks, and race warning during WAL replay.

* UI: Correctly render links for targets with IPv6 addresses that contain a Zone ID.

* Promtool: Fix checking of `authorization.credentials_file` and `bearer_token_file` fields.

* Uyuni SD: Fix null pointer exception during initialization.

* TSDB: Fix queries after a failed snapshot replay.

* SD: Fix a panic when the experimental discovery manager receives targets during a reload.

* Backfill: Apply rule labels after query labels.

* Scrape: Resolve conflicts between multiple exported label prefixes.

* Scrape: Restart scrape loops when __scrape_interval__ is changed.

* TSDB: Fix memory leak in samples deletion.

* UI: Use consistent margin-bottom for all alert kinds.

* TSDB: Fix panic on failed snapshot replay.

* TSDB: Don't fail snapshot replay with exemplar storage disabled when the snapshot contains exemplars.

* TSDB: Don't error on overlapping m-mapped chunks during WAL replay.

* promtool rules backfill: Prevent creation of data before the start time.

* promtool rules backfill: Do not query after the end time.

* Azure SD: Fix panic when no computername is set.

* Exemplars: Fix panic when resizing exemplar storage from 0 to a non-zero size.

* TSDB: Correctly decrement `prometheus_tsdb_head_active_appenders` when the append has no samples.

* promtool rules backfill: Return 1 if backfill was unsuccessful.

* promtool rules backfill: Avoid creation of overlapping blocks.

* config: Fix a panic when reloading configuration with a null relabel action.

* Fix Kubernetes SD failing to discover Ingress in Kubernetes v1.22.

* Fix data race in loading write-ahead-log (WAL).

* TSDB: align atomically accessed int64 to prevent panic in 32-bit archs.

* Log when total symbol size exceeds 2^32 bytes, causing compaction to fail, and skip compaction.

* Fix incorrect target_limit reloading of zero value.

* Fix head GC and pending readers race condition.

* Fix timestamp handling in OpenMetrics parser.

* Fix potential duplicate metrics in /federate endpoint when specifying multiple matchers.

* Fix server configuration and validation for authentication via client cert.

* Allow start and end again as label names in PromQL queries. They were disallowed since the introduction of @ timestamp feature.

* HTTP SD: Allow charset specification in Content-Type header.

* HTTP SD: Fix handling of disappeared target groups.

* Fix incorrect log-level handling after moving to go-kit/log.

* UI: In the experimental PromQL editor, fix autocompletion and parsing for special float values and improve series metadata fetching.

* TSDB: When merging chunks, split resulting chunks if they would contain more than the maximum of 120 samples.

* SD: Fix the computation of the `prometheus_sd_discovered_targets` metric when using multiple service discoveries.

- Change:

* remote-write: Change default max retry time from 100ms to 5 seconds.

* UI: Remove standard PromQL editor in favour of the codemirror-based editor.

* Promote `--storage.tsdb.allow-overlapping-blocks` flag to stable.

* Promote `--storage.tsdb.retention.size` flag to stable.

* UI: Make the new experimental PromQL editor the default.

- Features:

* Agent: New mode of operation optimized for remote-write only scenarios, without local storage.

* Promtool: Add promtool check service-discovery command.

* PromQL: Add trigonometric functions and atan2 binary operator.

* Remote: Add support for exemplar in the remote write receiver endpoint.

* SD: Add PuppetDB service discovery.

* SD: Add Uyuni service discovery.

* Web: Add support for security-related HTTP headers.

* experimental TSDB: Snapshot in-memory chunks on shutdown for faster restarts.

* experimental Scrape: Configure scrape interval and scrape timeout via relabeling using `__scrape_interval__` and `__scrape_timeout__` labels respectively.

* Scrape: Add scrape_timeout_seconds and scrape_sample_limit metric.

* Add Kuma service discovery.

* Add present_over_time PromQL function.

* Allow configuring exemplar storage via file and make it reloadable.

* UI: Allow selecting time range with mouse drag.

* promtool: Add feature flags flag `--enable-feature`.

* promtool: Add `file_sd` file validation.

* Linode SD: Add Linode service discovery.

* HTTP SD: Add generic HTTP-based service discovery.

* Kubernetes SD: Allow configuring API Server access via a kubeconfig file.

* UI: Add exemplar display support to the graphing interface.

* Consul SD: Add namespace support for Consul Enterprise.

- Enhancements:

* Promtool: Improve test output.

* Promtool: Use kahan summation for better numerical stability.

* Remote-write: Reuse memory for marshalling.

* Scrape: Add scrape_body_size_bytes scrape metric behind the `--enable-feature=extra-scrape-metrics` flag.

* TSDB: Add windows arm64 support.

* TSDB: Optimize query by skipping unneeded sorting in TSDB.

* Templates: Support int and uint as datatypes for template formatting.

* UI: Prefer rate over rad, delta over deg, and count over cos in autocomplete.

* Azure SD: Add proxy_url, follow_redirects, tls_config.

* Backfill: Add `--max-block-duration` in promtool `create-blocks-from` rules.

* Config: Print human-readable sizes with unit instead of raw numbers.

* https: Re-enable HTTP/2.

* Kubernetes SD: Warn user if number of endpoints exceeds limit.

* OAuth2: Add TLS configuration to token requests.

* PromQL: Several optimizations.

* PromQL: Make aggregations deterministic in instant queries.

* Rules: Add the ability to limit number of alerts or series.

* SD: Experimental discovery manager to avoid restarts upon reload.

* UI: Debounce timerange setting changes.

* Remote Write: Redact remote write URL when used for metric label.

* UI: Redact remote write URL and proxy URL passwords in the /config page.

* Scrape: Add --scrape.timestamp-tolerance flag to adjust scrape timestamp tolerance when enabled via `--scrape.adjust-timestamps`.

* Remote Write: Improve throughput when sending exemplars.

* TSDB: Optimise WAL loading by removing extra map and caching min-time

* promtool: Speed up checking for duplicate rules.

* Scrape: Reduce allocations when parsing the metrics.

* docker_sd: Support host network mode

* Reduce blocking of outgoing remote write requests from series garbage collection.

* Improve write-ahead-log decoding performance.

* Improve append performance in TSDB by reducing mutexes usage.

* Allow configuring max_samples_per_send for remote write metadata.

* Add `__meta_gce_interface_ipv4_` meta label to GCE discovery.

* Add `__meta_ec2_availability_zone_id` meta label to EC2 discovery.

* Add `__meta_azure_machine_computer_name` meta label to Azure discovery.

* Add `__meta_hetzner_hcloud_labelpresent_` meta label to Hetzner discovery.

* promtool: Add compaction efficiency to promtool tsdb analyze reports.

* promtool: Allow configuring max block duration for backfilling via `--max-block-duration` flag.

* UI: Add sorting and filtering to flags page.

* UI: Improve alerts page rendering performance.

* Promtool: Allow silencing output when importing / backfilling data.

* Consul SD: Support reading tokens from file.

* Rules: Add a new .ExternalURL alert field templating variable, containing the external URL of the Prometheus server.

* Scrape: Add experimental body_size_limit scrape configuration setting to limit the allowed response body size for target scrapes.

* Kubernetes SD: Add ingress class name label for ingress discovery.

* UI: Show a startup screen with progress bar when the TSDB is not ready yet.

* SD: Add a target creation failure counter `prometheus_target_sync_failed_total` and improve target creation failure handling.

* TSDB: Improve validation of exemplar label set length.

* TSDB: Add a prometheus_tsdb_clean_start metric that indicates whether a TSDB lockfile from a previous run still existed upon startup.

References: 1187512

This update for yast2-network fixes the following issues:

- Don't crash at the end of installation when storing wifi configuration for NetworkManager. (bsc#1187512)

References: 1190447

This update for filesystem fixes the following issues:

- Release ported filesystem to LTSS channels (bsc#1190447).

References: 1196036,CVE-2022-24407

This update for cyrus-sasl fixes the following issues:

- CVE-2022-24407: Fixed SQL injection in sql_auxprop_store in plugins/sql.c (bsc#1196036).

References: 1196167,CVE-2021-4209

This update for gnutls fixes the following issues:

- CVE-2021-4209: Fixed null pointer dereference in MD_UPDATE (bsc#1196167).

This update for openldap2 fixes the following issue:

- restore CLDAP functionality in CLI tools (jsc#PM-3288)

References: 1195326

This update for libzypp, zypper fixes the following issues:

- Fix handling of redirected command in-/output (bsc#1195326)

This fixes delays at the end of zypper operations, where zypper unintentionally waits for appdata plugin scripts to complete.

References: 1196300

This update for golang-github-prometheus-prometheus fixes the following issues:

- Fix Firewalld configuration file location (bsc#1196300)

- Require Go 1.16+

- Do not build on s390 architecture.

References: 1195468

This update for procps fixes the following issues:

- Stop registering signal handler for SIGURG, to avoid `ps` failure if someone sends such signal. Without the signal handler, SIGURG will just be ignored. (bsc#1195468)

References: 1193625,1194640,1194768,1194770,1195560,CVE-2015-8985,CVE-2021-3999,CVE-2022-23218,CVE-2022-23219

glibc was updated to fix the following issues:

Security issues fixed:

- CVE-2022-23219: Fixed Buffer overflow in sunrpc clnt_create for 'unix' (bsc#1194768)

- CVE-2022-23218: Buffer overflow in sunrpc svcunix_create (bsc#1194770)

- CVE-2021-3999: Fixed getcwd to set errno to ERANGE for size == 1 (bsc#1194640)

- CVE-2015-8985: Fixed Assertion failure in pop_fail_stack when executing a malformed regexp (bsc#1193625)

Also the following bug was fixed:

- Fix pthread_rwlock_try*lock stalls (bsc#1195560)

References: 1099272,1115529,1128846,1162964,1172113,1173277,1174075,1174911,1180689,1181826,1187906,1190926,1194229,CVE-2020-14367

This update for chrony fixes the following issues:

Chrony was updated to 4.1, bringing features and bugfixes.

Update to 4.1

* Add support for NTS servers specified by IP address (matching Subject Alternative Name in server certificate)

* Add source-specific configuration of trusted certificates

* Allow multiple files and directories with trusted certificates

* Allow multiple pairs of server keys and certificates

* Add copy option to server/pool directive

* Increase PPS lock limit to 40% of pulse interval

* Perform source selection immediately after loading dump files

* Reload dump files for addresses negotiated by NTS-KE server

* Update seccomp filter and add less restrictive level

* Restart ongoing name resolution on online command

* Fix dump files to not include uncorrected offset

* Fix initstepslew to accept time from own NTP clients

* Reset NTP address and port when no longer negotiated by NTS-KE server

- Ensure the correct pool packages are installed for openSUSE and SLE (bsc#1180689).

- Fix pool package dependencies, so that SLE prefers chrony-pool-suse over chrony-pool-empty. (bsc#1194229)

- Enable syscallfilter unconditionally [bsc#1181826].

Update to 4.0

- Enhancements

- Add support for Network Time Security (NTS) authentication

- Add support for AES-CMAC keys (AES128, AES256) with Nettle

- Add authselectmode directive to control selection of unauthenticated sources

- Add binddevice, bindacqdevice, bindcmddevice directives

- Add confdir directive to better support fragmented configuration

- Add sourcedir directive and 'reload sources' command to support dynamic NTP sources specified in files

- Add clockprecision directive

- Add dscp directive to set Differentiated Services Code Point (DSCP)

- Add -L option to limit log messages by severity

- Add -p option to print whole configuration with included files

- Add -U option to allow start under non-root user

- Allow maxsamples to be set to 1 for faster update with -q/-Q option

- Avoid replacing NTP sources with sources that have unreachable address

- Improve pools to repeat name resolution to get 'maxsources' sources

- Improve source selection with trusted sources

- Improve NTP loop test to prevent synchronisation to itself

- Repeat iburst when NTP source is switched from offline state to online

- Update clock synchronisation status and leap status more frequently

- Update seccomp filter

- Add 'add pool' command

- Add 'reset sources' command to drop all measurements

- Add authdata command to print details about NTP authentication

- Add selectdata command to print details about source selection

- Add -N option and sourcename command to print original names of sources

- Add -a option to some commands to print also unresolved sources

- Add -k, -p, -r options to clients command to select, limit, reset data

- Bug fixes

- Don’t set interface for NTP responses to allow asymmetric routing

- Handle RTCs that don’t support interrupts

- Respond to command requests with correct address on multihomed hosts

- Removed features

- Drop support for RIPEMD keys (RMD128, RMD160, RMD256, RMD320)

- Drop support for long (non-standard) MACs in NTPv4 packets (chrony 2.x clients using non-MD5/SHA1 keys need to use option 'version 3')

- Drop support for line editing with GNU Readline

- By default we don't write log files but log to journald, so only recommend logrotate.

- Adjust and rename the sysconfig file, so that it matches the expectations of chronyd.service (bsc#1173277).

Update to 3.5.1:

* Create new file when writing pidfile (CVE-2020-14367, bsc#1174911)

- Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075)

- Use iburst in the default pool statements to speed up initial synchronisation (bsc#1172113).

Update to 3.5:

+ Add support for more accurate reading of PHC on Linux 5.0

+ Add support for hardware timestamping on interfaces with read-only timestamping configuration

+ Add support for memory locking and real-time priority on FreeBSD, NetBSD, Solaris

+ Update seccomp filter to work on more architectures

+ Validate refclock driver options

+ Fix bindaddress directive on FreeBSD

+ Fix transposition of hardware RX timestamp on Linux 4.13 and later

+ Fix building on non-glibc systems

- Fix location of helper script in [email protected] (bsc#1128846).

- Read runtime servers from /var/run/netconfig/chrony.servers to fix bsc#1099272.

- Move chrony-helper to /usr/lib/chrony/helper, because there should be no executables in /usr/share.

Update to version 3.4

* Enhancements

+ Add filter option to server/pool/peer directive

+ Add minsamples and maxsamples options to hwtimestamp directive

+ Add support for faster frequency adjustments in Linux 4.19

+ Change default pidfile to /var/run/chrony/chronyd.pid to allow chronyd without root privileges to remove it on exit

+ Disable sub-second polling intervals for distant NTP sources

+ Extend range of supported sub-second polling intervals

+ Get/set IPv4 destination/source address of NTP packets on FreeBSD

+ Make burst options and command useful with short polling intervals

+ Modify auto_offline option to activate when sending request failed

+ Respond from interface that received NTP request if possible

+ Add onoffline command to switch between online and offline state according to current system network configuration

+ Improve example NetworkManager dispatcher script

* Bug fixes

+ Avoid waiting in Linux getrandom system call

+ Fix PPS support on FreeBSD and NetBSD

Update to version 3.3

* Enhancements:

+ Add burst option to server/pool directive

+ Add stratum and tai options to refclock directive

+ Add support for Nettle crypto library

+ Add workaround for missing kernel receive timestamps on Linux

+ Wait for late hardware transmit timestamps

+ Improve source selection with unreachable sources

+ Improve protection against replay attacks on symmetric mode

+ Allow PHC refclock to use socket in /var/run/chrony

+ Add shutdown command to stop chronyd

+ Simplify format of response to manual list command

+ Improve handling of unknown responses in chronyc

* Bug fixes:

+ Respond to NTPv1 client requests with zero mode

+ Fix -x option to not require CAP_SYS_TIME under non-root user

+ Fix acquisitionport directive to work with privilege separation

+ Fix handling of socket errors on Linux to avoid high CPU usage

+ Fix chronyc to not get stuck in infinite loop after clock step

References: 1182959,1195149,1195792,1195856

This update for openssl-1_1 fixes the following issues:

openssl-1_1:

- Fix PAC pointer authentication in ARM (bsc#1195856)

- Pull libopenssl-1_1 when updating openssl-1_1 with the same version (bsc#1195792)

- FIPS: Fix function and reason error codes (bsc#1182959)

- Enable zlib compression support (bsc#1195149)

glibc:

- Resolve installation issue of `glibc-devel` in SUSE Linux Enterprise Micro 5.1

linux-glibc-devel:

- Resolve installation issue of `linux-kernel-headers` in SUSE Linux Enterprise Micro 5.1

libxcrypt:

- Resolve installation issue of `libxcrypt-devel` in SUSE Linux Enterprise Micro 5.1

zlib:

- Resolve installation issue of `zlib-devel` in SUSE Linux Enterprise Micro 5.1

References: 1193805

This update for libtirpc fixes the following issues:

- Fix memory leak in client protocol version 2 code (bsc#1193805)

References: 1197004

This update for openldap2 fixes the following issue:

- Revert jsc#PM-3288 - CLDAP ( -DLDAP_CONNECTIONLESS ) due to regression (bsc#1197004)

References: 1196275,1196406

This update for filesystem and systemd-rpm-macros fixes the following issues:

filesystem:

- Add path /lib/modprobe.d (bsc#1196275, jsc#SLE-20639)

systemd-rpm-macros:

- Make %_modprobedir point to /lib/modprobe.d (bsc#1196275, bsc#1196406)

The following package changes have been done:

- boost-license1_66_0-1.66.0-12.3.1 updated

- coreutils-8.29-4.3.1 updated

- filesystem-15.0-11.8.1 updated

- glibc-2.26-13.65.1 updated

- golang-github-prometheus-prometheus-2.32.1-4.6.1 updated

- libaugeas0-1.10.1-3.9.1 updated

- libboost_system1_66_0-1.66.0-12.3.1 updated

- libboost_thread1_66_0-1.66.0-12.3.1 updated

- libgnutls30-hmac-3.6.7-14.16.1 updated

- libgnutls30-3.6.7-14.16.1 updated

- libldap-2_4-2-2.4.46-9.64.1 updated

- libldap-data-2.4.46-9.64.1 updated

- libopenssl1_1-hmac-1.1.1d-11.43.1 updated

- libopenssl1_1-1.1.1d-11.43.1 updated

- libprocps7-3.3.15-7.22.1 updated

- libsasl2-3-2.1.26-5.10.1 updated

- libsystemd0-234-24.105.1 updated

- libtirpc-netconfig-1.0.2-3.11.1 updated

- libtirpc3-1.0.2-3.11.1 updated

- libudev1-234-24.105.1 updated

- libz1-1.2.11-3.26.10 updated

- libzypp-17.29.4-31.1 updated

- openssl-1_1-1.1.1d-11.43.1 added

- openssl-1.1.1d-1.46 added

- permissions-20181225-23.12.1 updated

- procps-3.3.15-7.22.1 updated

- rpm-4.14.1-22.7.1 updated

- zypper-1.14.51-27.1 updated

- container:sles15-image-15.0.0-9.5.107 updated
