SUSE: 2022:3191-1 bci/rust Security Update | LinuxSecurity.com
SUSE Container Update Advisory: bci/rust
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2022:3191-1
Container Tags        : bci/rust:1.61 , bci/rust:1.61-9.2
Container Release     : 9.2
Severity              : important
Type                  : security
References            : 1142579 1185597 1185712 1188374 1190651 1191473 1193929 1194783
                        1197592 1198165 1198237 1202750 1202816 1202966 1202967 1202969
                        1205126 CVE-2019-1010204 CVE-2021-3530 CVE-2021-3648 CVE-2021-3826
                        CVE-2021-45078 CVE-2021-46195 CVE-2022-27943 CVE-2022-38126 CVE-2022-38127
                        CVE-2022-38533 CVE-2022-42898 
-----------------------------------------------------------------

The container bci/rust was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:4135-1
Released:    Mon Nov 21 00:13:40 2022
Summary:     Recommended update for libeconf
Type:        recommended
Severity:    moderate
References:  1198165
This update for libeconf fixes the following issues:

- Update to version 0.4.6+git
  - econftool:
    Parsing error: Reporting file and line nr. --delimeters=spaces accepting all kind of spaces for delimiter.
  - libeconf:
    Parse files correctly on space characters (1198165)

- Update to version 0.4.5+git
  - econftool:
    New call 'syntax' for checking the configuration files only. Returns an error string with line number if error.
    New options '--comment' and '--delimeters'

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:4146-1
Released:    Mon Nov 21 09:56:12 2022
Summary:     Security update for binutils
Type:        security
Severity:    moderate
References:  1142579,1185597,1185712,1188374,1191473,1193929,1194783,1197592,1198237,1202816,1202966,1202967,1202969,CVE-2019-1010204,CVE-2021-3530,CVE-2021-3648,CVE-2021-3826,CVE-2021-45078,CVE-2021-46195,CVE-2022-27943,CVE-2022-38126,CVE-2022-38127,CVE-2022-38533
This update for binutils fixes the following issues:

The following security bugs were fixed:

- CVE-2019-1010204: Fixed out-of-bounds read in elfcpp/elfcpp_file.h (bsc#1142579).
- CVE-2021-3530: Fixed stack-based buffer overflow in demangle_path() in rust-demangle.c (bsc#1185597).
- CVE-2021-3648: Fixed infinite loop while demangling rust symbols (bsc#1188374).
- CVE-2021-3826: Fixed heap/stack buffer overflow in the dlang_lname function in d-demangle.c (bsc#1202969).
- CVE-2021-45078: Fixed out-of-bounds write in stab_xcoff_builtin_type() in stabs.c (bsc#1193929).
- CVE-2021-46195: Fixed uncontrolled recursion in libiberty/rust-demangle.c (bsc#1194783).
- CVE-2022-27943: Fixed stack exhaustion in demangle_const in (bsc#1197592).
- CVE-2022-38126: Fixed assertion fail in the display_debug_names() function in binutils/dwarf.c (bsc#1202966).
- CVE-2022-38127: Fixed NULL pointer dereference in the read_and_display_attr_value() function in binutils/dwarf.c (bsc#1202967).
- CVE-2022-38533: Fixed heap out-of-bounds read in bfd_getl32 (bsc#1202816).


The following non-security bugs were fixed:
  
- SLE toolchain update of binutils, update to 2.39 from 2.37.
- Update to 2.39:  
  * The ELF linker will now generate a warning message if the stack is made
    executable.  Similarly it will warn if the output binary contains a
    segment with all three of the read, write and execute permission
    bits set.  These warnings are intended to help developers identify
    programs which might be vulnerable to attack via these executable
    memory regions.
    The warnings are enabled by default but can be disabled via a command
    line option.  It is also possible to build a linker with the warnings
    disabled, should that be necessary.
  * The ELF linker now supports a --package-metadata option that allows
    embedding a JSON payload in accordance to the Package Metadata
    specification. 
  * In linker scripts it is now possible to use TYPE= in an output
    section description to set the section type value.
  * The objdump program now supports coloured/colored syntax
    highlighting of its disassembler output for some architectures.
    (Currently: AVR, RiscV, s390, x86, x86_64).
  * The nm program now supports a --no-weak/-W option to make it ignore
    weak symbols.
  * The readelf and objdump programs now support a -wE option to prevent
    them from attempting to access debuginfod servers when following
    links.
  * The objcopy program's --weaken, --weaken-symbol, and
    --weaken-symbols options now works with unique symbols as well.

- Update to 2.38:
  * elfedit: Add --output-abiversion option to update ABIVERSION.
  * Add support for the LoongArch instruction set.
  * Tools which display symbols or strings (readelf, strings, nm, objdump)
    have a new command line option which controls how unicode characters are
    handled.  By default they are treated as normal for the tool.  Using
    --unicode=locale will display them according to the current locale.
    Using --unicode=hex will display them as hex byte values, whilst
    --unicode=escape will display them as escape sequences.  In addition
    using --unicode=highlight will display them as unicode escape sequences
    highlighted in red (if supported by the output device).
  * readelf -r dumps RELR relative relocations now.
  * Support for efi-app-aarch64, efi-rtdrv-aarch64 and efi-bsdrv-aarch64 has been
    added to objcopy in order to enable UEFI development using binutils.
  * ar: Add --thin for creating thin archives. -T is a deprecated alias without
    diagnostics. In many ar implementations -T has a different meaning, as
    specified by X/Open System Interface.
  * Add support for AArch64 system registers that were missing in previous
    releases.
  * Add support for the LoongArch instruction set.
  * Add a command-line option, -muse-unaligned-vector-move, for x86 target
    to encode aligned vector move as unaligned vector move.
  * Add support for Cortex-R52+ for Arm.
  * Add support for Cortex-A510, Cortex-A710, Cortex-X2 for AArch64.
  * Add support for Cortex-A710 for Arm.
  * Add support for Scalable Matrix Extension (SME) for AArch64.
  * The --multibyte-handling=[allow|warn|warn-sym-only] option tells the
    assembler what to when it encoutners multibyte characters in the input.  The
    default is to allow them.  Setting the option to 'warn' will generate a
    warning message whenever any multibyte character is encountered.  Using the
    option to 'warn-sym-only' will make the assembler generate a warning whenever a
    symbol is defined containing multibyte characters.  (References to undefined
    symbols will not generate warnings).
  * Outputs of .ds.x directive and .tfloat directive with hex input from
    x86 assembler have been reduced from 12 bytes to 10 bytes to match the
    output of .tfloat directive.
  * Add support for 'armv8.8-a', 'armv9-a', 'armv9.1-a', 'armv9.2-a' and
    'armv9.3-a' for -march in AArch64 GAS.
  * Add support for 'armv8.7-a', 'armv8.8-a', 'armv9-a', 'armv9.1-a',
    'armv9.2-a' and 'armv9.3-a' for -march in Arm GAS.
  * Add support for Intel AVX512_FP16 instructions.
  * Add -z pack-relative-relocs/-z no pack-relative-relocs to x86 ELF
    linker to pack relative relocations in the DT_RELR section.
  * Add support for the LoongArch architecture.
  * Add -z indirect-extern-access/-z noindirect-extern-access to x86 ELF
    linker to control canonical function pointers and copy relocation.
  * Add --max-cache-size=SIZE to set the the maximum cache size to SIZE
    bytes.
- Explicitly enable --enable-warn-execstack=yes and	--enable-warn-rwx-segments=yes.
- Add gprofng subpackage.
- Include recognition of 'z16' name for 'arch14' on s390. (bsc#1198237).
- Add back fix for bsc#1191473, which got lost in the update to 2.38.
- Install symlinks for all target specific tools on arm-eabi-none (bsc#1185712).
- Enable PRU architecture for AM335x CPU (Beagle Bone Black board)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:4153-1
Released:    Mon Nov 21 14:34:09 2022
Summary:     Security update for krb5
Type:        security
Severity:    important
References:  1205126,CVE-2022-42898
This update for krb5 fixes the following issues:

- CVE-2022-42898: Fixed integer overflow in PAC parsing (bsc#1205126).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:4198-1
Released:    Wed Nov 23 13:15:04 2022
Summary:     Recommended update for rpm
Type:        recommended
Severity:    moderate
References:  1202750
This update for rpm fixes the following issues:

- Strip critical bit in signature subpackage parsing
- No longer deadlock DNF after pubkey import (bsc#1202750)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:4212-1
Released:    Thu Nov 24 15:53:48 2022
Summary:     Recommended update for openssl-1_1
Type:        recommended
Severity:    moderate
References:  1190651
This update for openssl-1_1 fixes the following issues:

- FIPS: Mark PBKDF2 with key shorter than 112 bits as non-approved (bsc#1190651)
- FIPS: Consider RSA siggen/sigver with PKCS1 padding also approved (bsc#1190651)
- FIPS: Return the correct indicator for a given EC group order bits (bsc#1190651)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:4236-1
Released:    Fri Nov 25 18:20:32 2022
Summary:     Recommended update for linux-glibc-devel
Type:        recommended
Severity:    moderate
References:  
This update for linux-glibc-devel fixes the following issues:

- Add the rest of 1.0 IAA operation definitions to the user header (jsc#PED-813).


The following package changes have been done:

- libeconf0-0.4.6+git20220427.3016f4e-150400.3.3.1 updated
- libopenssl1_1-1.1.1l-150400.7.16.1 updated
- libopenssl1_1-hmac-1.1.1l-150400.7.16.1 updated
- krb5-1.19.2-150400.3.3.1 updated
- rpm-ndb-4.14.3-150300.52.1 updated
- libctf-nobfd0-2.39-150100.7.40.1 updated
- linux-glibc-devel-5.14-150400.6.3.1 updated
- libctf0-2.39-150100.7.40.1 updated
- binutils-2.39-150100.7.40.1 updated
- container:sles15-image-15.0.0-27.14.20 updated

SUSE: 2022:3191-1 bci/rust Security Update

November 27, 2022
The container bci/rust was updated

Summary

Advisory ID: SUSE-RU-2022:4135-1 Released: Mon Nov 21 00:13:40 2022 Summary: Recommended update for libeconf Type: recommended Severity: moderate Advisory ID: SUSE-SU-2022:4146-1 Released: Mon Nov 21 09:56:12 2022 Summary: Security update for binutils Type: security Severity: moderate Advisory ID: SUSE-SU-2022:4153-1 Released: Mon Nov 21 14:34:09 2022 Summary: Security update for krb5 Type: security Severity: important Advisory ID: SUSE-RU-2022:4198-1 Released: Wed Nov 23 13:15:04 2022 Summary: Recommended update for rpm Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:4212-1 Released: Thu Nov 24 15:53:48 2022 Summary: Recommended update for openssl-1_1 Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:4236-1 Released: Fri Nov 25 18:20:32 2022 Summary: Recommended update for linux-glibc-devel Type: recommended Severity: moderate

References

References : 1142579 1185597 1185712 1188374 1190651 1191473 1193929 1194783

1197592 1198165 1198237 1202750 1202816 1202966 1202967 1202969

1205126 CVE-2019-1010204 CVE-2021-3530 CVE-2021-3648 CVE-2021-3826

CVE-2021-45078 CVE-2021-46195 CVE-2022-27943 CVE-2022-38126 CVE-2022-38127

CVE-2022-38533 CVE-2022-42898

1198165

This update for libeconf fixes the following issues:

- Update to version 0.4.6+git

- econftool:

Parsing error: Reporting file and line nr. --delimeters=spaces accepting all kind of spaces for delimiter.

- libeconf:

Parse files correctly on space characters (1198165)

- Update to version 0.4.5+git

- econftool:

New call 'syntax' for checking the configuration files only. Returns an error string with line number if error.

New options '--comment' and '--delimeters'

1142579,1185597,1185712,1188374,1191473,1193929,1194783,1197592,1198237,1202816,1202966,1202967,1202969,CVE-2019-1010204,CVE-2021-3530,CVE-2021-3648,CVE-2021-3826,CVE-2021-45078,CVE-2021-46195,CVE-2022-27943,CVE-2022-38126,CVE-2022-38127,CVE-2022-38533

This update for binutils fixes the following issues:

The following security bugs were fixed:

- CVE-2019-1010204: Fixed out-of-bounds read in elfcpp/elfcpp_file.h (bsc#1142579).

- CVE-2021-3530: Fixed stack-based buffer overflow in demangle_path() in rust-demangle.c (bsc#1185597).

- CVE-2021-3648: Fixed infinite loop while demangling rust symbols (bsc#1188374).

- CVE-2021-3826: Fixed heap/stack buffer overflow in the dlang_lname function in d-demangle.c (bsc#1202969).

- CVE-2021-45078: Fixed out-of-bounds write in stab_xcoff_builtin_type() in stabs.c (bsc#1193929).

- CVE-2021-46195: Fixed uncontrolled recursion in libiberty/rust-demangle.c (bsc#1194783).

- CVE-2022-27943: Fixed stack exhaustion in demangle_const in (bsc#1197592).

- CVE-2022-38126: Fixed assertion fail in the display_debug_names() function in binutils/dwarf.c (bsc#1202966).

- CVE-2022-38127: Fixed NULL pointer dereference in the read_and_display_attr_value() function in binutils/dwarf.c (bsc#1202967).

- CVE-2022-38533: Fixed heap out-of-bounds read in bfd_getl32 (bsc#1202816).

The following non-security bugs were fixed:

- SLE toolchain update of binutils, update to 2.39 from 2.37.

- Update to 2.39:

* The ELF linker will now generate a warning message if the stack is made

executable. Similarly it will warn if the output binary contains a

segment with all three of the read, write and execute permission

bits set. These warnings are intended to help developers identify

programs which might be vulnerable to attack via these executable

memory regions.

The warnings are enabled by default but can be disabled via a command

line option. It is also possible to build a linker with the warnings

disabled, should that be necessary.

* The ELF linker now supports a --package-metadata option that allows

embedding a JSON payload in accordance to the Package Metadata

specification.

* In linker scripts it is now possible to use TYPE= in an output

section description to set the section type value.

* The objdump program now supports coloured/colored syntax

highlighting of its disassembler output for some architectures.

(Currently: AVR, RiscV, s390, x86, x86_64).

* The nm program now supports a --no-weak/-W option to make it ignore

weak symbols.

* The readelf and objdump programs now support a -wE option to prevent

them from attempting to access debuginfod servers when following

links.

* The objcopy program's --weaken, --weaken-symbol, and

--weaken-symbols options now works with unique symbols as well.

- Update to 2.38:

* elfedit: Add --output-abiversion option to update ABIVERSION.

* Add support for the LoongArch instruction set.

* Tools which display symbols or strings (readelf, strings, nm, objdump)

have a new command line option which controls how unicode characters are

handled. By default they are treated as normal for the tool. Using

--unicode=locale will display them according to the current locale.

Using --unicode=hex will display them as hex byte values, whilst

--unicode=escape will display them as escape sequences. In addition

using --unicode=highlight will display them as unicode escape sequences

highlighted in red (if supported by the output device).

* readelf -r dumps RELR relative relocations now.

* Support for efi-app-aarch64, efi-rtdrv-aarch64 and efi-bsdrv-aarch64 has been

added to objcopy in order to enable UEFI development using binutils.

* ar: Add --thin for creating thin archives. -T is a deprecated alias without

diagnostics. In many ar implementations -T has a different meaning, as

specified by X/Open System Interface.

* Add support for AArch64 system registers that were missing in previous

releases.

* Add support for the LoongArch instruction set.

* Add a command-line option, -muse-unaligned-vector-move, for x86 target

to encode aligned vector move as unaligned vector move.

* Add support for Cortex-R52+ for Arm.

* Add support for Cortex-A510, Cortex-A710, Cortex-X2 for AArch64.

* Add support for Cortex-A710 for Arm.

* Add support for Scalable Matrix Extension (SME) for AArch64.

* The --multibyte-handling=[allow|warn|warn-sym-only] option tells the

assembler what to when it encoutners multibyte characters in the input. The

default is to allow them. Setting the option to 'warn' will generate a

warning message whenever any multibyte character is encountered. Using the

option to 'warn-sym-only' will make the assembler generate a warning whenever a

symbol is defined containing multibyte characters. (References to undefined

symbols will not generate warnings).

* Outputs of .ds.x directive and .tfloat directive with hex input from

x86 assembler have been reduced from 12 bytes to 10 bytes to match the

output of .tfloat directive.

* Add support for 'armv8.8-a', 'armv9-a', 'armv9.1-a', 'armv9.2-a' and

'armv9.3-a' for -march in AArch64 GAS.

* Add support for 'armv8.7-a', 'armv8.8-a', 'armv9-a', 'armv9.1-a',

'armv9.2-a' and 'armv9.3-a' for -march in Arm GAS.

* Add support for Intel AVX512_FP16 instructions.

* Add -z pack-relative-relocs/-z no pack-relative-relocs to x86 ELF

linker to pack relative relocations in the DT_RELR section.

* Add support for the LoongArch architecture.

* Add -z indirect-extern-access/-z noindirect-extern-access to x86 ELF

linker to control canonical function pointers and copy relocation.

* Add --max-cache-size=SIZE to set the the maximum cache size to SIZE

bytes.

- Explicitly enable --enable-warn-execstack=yes and --enable-warn-rwx-segments=yes.

- Add gprofng subpackage.

- Include recognition of 'z16' name for 'arch14' on s390. (bsc#1198237).

- Add back fix for bsc#1191473, which got lost in the update to 2.38.

- Install symlinks for all target specific tools on arm-eabi-none (bsc#1185712).

- Enable PRU architecture for AM335x CPU (Beagle Bone Black board)

1205126,CVE-2022-42898

This update for krb5 fixes the following issues:

- CVE-2022-42898: Fixed integer overflow in PAC parsing (bsc#1205126).

1202750

This update for rpm fixes the following issues:

- Strip critical bit in signature subpackage parsing

- No longer deadlock DNF after pubkey import (bsc#1202750)

1190651

This update for openssl-1_1 fixes the following issues:

- FIPS: Mark PBKDF2 with key shorter than 112 bits as non-approved (bsc#1190651)

- FIPS: Consider RSA siggen/sigver with PKCS1 padding also approved (bsc#1190651)

- FIPS: Return the correct indicator for a given EC group order bits (bsc#1190651)

This update for linux-glibc-devel fixes the following issues:

- Add the rest of 1.0 IAA operation definitions to the user header (jsc#PED-813).

The following package changes have been done:

- libeconf0-0.4.6+git20220427.3016f4e-150400.3.3.1 updated

- libopenssl1_1-1.1.1l-150400.7.16.1 updated

- libopenssl1_1-hmac-1.1.1l-150400.7.16.1 updated

- krb5-1.19.2-150400.3.3.1 updated

- rpm-ndb-4.14.3-150300.52.1 updated

- libctf-nobfd0-2.39-150100.7.40.1 updated

- linux-glibc-devel-5.14-150400.6.3.1 updated

- libctf0-2.39-150100.7.40.1 updated

- binutils-2.39-150100.7.40.1 updated

- container:sles15-image-15.0.0-27.14.20 updated

Severity
Container Advisory ID : SUSE-CU-2022:3191-1
Container Tags : bci/rust:1.61 , bci/rust:1.61-9.2
Container Release : 9.2
Severity : important
Type : security

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.