SUSE Container Update Advisory: suse/sles/15.3/virt-handler
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2022:35-1
Container Tags        : suse/sles/15.3/virt-handler:0.45.0 , suse/sles/15.3/virt-handler:0.45.0-8.7.1 , suse/sles/15.3/virt-handler:0.45.0.8.10.1
Container Release     : 8.10.1
Severity              : important
Type                  : security
References            : 1134353 1160242 1177902 1178236 1180125 1183247 1183374 1183858
                        1183905 1184994 1185588 1186071 1186398 1187196 1187668 1188291
                        1188588 1188713 1188921 1189176 1189234 1189241 1189287 1189441
                        1189446 1189480 1189537 1189702 1189841 1189938 1190190 1190401
                        1190420 1190425 1190440 1190493 1190587 1190598 1190622 1190693
                        1190695 1190839 1190917 1190984 1191019 1191200 1191242 1191260
                        1191480 1191532 1191668 1191690 1191690 1191804 1191804 1191922
                        1192017 1192104 1192161 1192423 1192858 1193181 1193430 1193623
                        1193719 1193759 1193930 1193981 1194041 CVE-2021-3426 CVE-2021-3713
                        CVE-2021-3733 CVE-2021-3737 CVE-2021-3748 CVE-2021-37600 CVE-2021-4147
                        CVE-2021-43565 
-----------------------------------------------------------------

The container suse/sles/15.3/virt-handler was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3203-1
Released:    Thu Sep 23 14:41:35 2021
Summary:     Recommended update for kmod
Type:        recommended
Severity:    moderate
References:  1189537,1190190
This update for kmod fixes the following issues:

- Use docbook 4 rather than docbook 5 for building man pages (bsc#1190190).
- Enable support for ZSTD compressed modules    
- Display module information even for modules built into the running kernel (bsc#1189537)
- '/usr/lib' should override '/lib' where both are available. Support '/usr/lib' for depmod.d as well.
- Remove test patches included in release 29

- Update to release 29
  * Fix `modinfo -F` not working for built-in modules and certain fields.
  * Fix a memory leak, overflow and double free on error path.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3241-1
Released:    Tue Sep 28 00:24:49 2021
Summary:     Recommended update for multipath-tools
Type:        recommended
Severity:    important
References:  1189176,1190622
This update for multipath-tools provides the following fixes:

- Update to version 0.8.5+82+suse.746b76e:
  * libmultipath: avoid buffer size warning with systemd 240+. (bsc#1189176)
- Add a versioned dependency of multipath-tools on libmpath0. (bsc#1190622)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3306-1
Released:    Wed Oct  6 18:11:57 2021
Summary:     Recommended update for numactl
Type:        recommended
Severity:    moderate
References:  
This update for numactl fixes the following issues:
    
- Fix system call numbers on s390x.
- Debug verify for --preferred option.
- Description for the usage of numactl.
- Various memory leaks in source files: sysfs.c, shm.c and numactl.c
- Description for numa_node_size64 and definition for numa_node_size in manpage.
- link with -latomic when needed.
- Clear race conditions on numa_police_memory().
- numademo: Use first two nodes instead of node 0 and 1
- Enhance _service settings
- Enable automake

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3310-1
Released:    Wed Oct  6 18:12:41 2021
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1134353,1184994,1188291,1188588,1188713,1189446,1189480
This update for systemd fixes the following issues:

- Switch I/O scheduler from 'mq-deadline' to 'bfq' for rotating disks (HDs) (jsc#SLE-21032, bsc#1134353).
- Multipath: Rules weren't applied to dm devices (bsc#1188713).
- Ignore obsolete 'elevator' kernel parameter (bsc#1184994).
- Remove kernel unsupported single-queue block I/O.
- Make sure the versions of both udev and systemd packages are always the same (bsc#1189480).
- Avoid error message when updating active udev on sockets restart (bsc#1188291).

- Merge of v246.16, for a complete list of changes, visit:
   https://github.com/openSUSE/systemd/compare/8d8f5fc31eece95644b299b784bbfb8f836d0108...f5c33d9f82d3d782d28938df9ff09484360c540d

- Drop 1007-tmpfiles-follow-SUSE-policies.patch:
   Since most of the tmpfiles config files shipped by upstream are
   ignored (see previous commit 'Drop most of the tmpfiles that deal
   with generic paths'), this patch is no longer relevant.

Additional fixes:
- core: make sure cgroup_oom_queue is flushed on manager exit.
- cgroup: do 'catchup' for unit cgroup inotify watch files.
- journalctl: never fail at flushing when the flushed flag is set (bsc#1188588).
- manager: reexecute on SIGRTMIN+25, user instances only.
- manager: fix HW watchdog when systemd starts before driver loaded (bsc#1189446).
- pid1: watchdog modernizations.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3410-1
Released:    Wed Oct 13 10:41:36 2021
Summary:     Recommended update for xkeyboard-config
Type:        recommended
Severity:    moderate
References:  1191242
This update for xkeyboard-config fixes the following issue:

- Wrong keyboard mapping causing input delays with ABNT2 keyboards. (bsc#1191242)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3411-1
Released:    Wed Oct 13 10:42:25 2021
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    moderate
References:  1191019
This update for lvm2 fixes the following issues:

- Do not crash vgextend when extending VG with missing PV. (bsc#1191019)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3413-1
Released:    Wed Oct 13 10:50:45 2021
Summary:     Recommended update for suse-module-tools
Type:        recommended
Severity:    important
References:  1189441,1189841,1190598
This update for suse-module-tools fixes the following issues:

- Fixed an issue where the queuing of secure boot certificates did not happen (bsc#1189841, bsc#1190598)
- Fixed an issue where initrd was not always rebuilt after installing
  any kernel-*-extra package (bsc#1189441)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3474-1
Released:    Wed Oct 20 08:41:31 2021
Summary:     Security update for util-linux
Type:        security
Severity:    moderate
References:  1178236,1188921,CVE-2021-37600
This update for util-linux fixes the following issues:

- CVE-2021-37600: Fixed an integer overflow which could lead to a buffer overflow in get_sem_elements() in sys-utils/ipcutils.c. (bsc#1188921)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3509-1
Released:    Tue Oct 26 09:47:40 2021
Summary:     Recommended update for suse-module-tools
Type:        recommended
Severity:    important
References:  1191200,1191260,1191480,1191804,1191922
This update for suse-module-tools fixes the following issues:

Update to version 15.3.13:

- Fix bad exit status in openQA. (bsc#1191922)
- Ignore kernel keyring for kernel certificates. (bsc#1191480)
- Deal with existing certificates that should be de-enrolled. (bsc#1191804)
- Don't pass existing files to weak-modules2. (bsc#1191200)
- Skip certificate scriptlet on non-UEFI systems. (bsc#1191260)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3538-1
Released:    Wed Oct 27 10:40:32 2021
Summary:     Recommended update for iproute2
Type:        recommended
Severity:    moderate
References:  1160242
This update for iproute2 fixes the following issues:

- Follow-up fixes backported from upstream. (bsc#1160242)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3589-1
Released:    Mon Nov  1 19:27:52 2021
Summary:     Recommended update for apparmor
Type:        recommended
Severity:    moderate
References:  1191690
This update for apparmor fixes the following issues:

- Fixed an issue when apparmor provides python2 and python3 libraries with the same name. (bsc#1191690)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3605-1
Released:    Wed Nov  3 14:59:32 2021
Summary:     Security update for qemu
Type:        security
Severity:    important
References:  1189234,1189702,1189938,1190425,CVE-2021-3713,CVE-2021-3748
This update for qemu fixes the following issues:

Security issues fixed:

- CVE-2021-3713: Fix out-of-bounds write in UAS (USB Attached SCSI) device emulation (bsc#1189702)
- CVE-2021-3748: Fix heap use-after-free in virtio_net_receive_rcu (bsc#1189938)

Non-security issues fixed:

- Add transfer length item in block limits page of scsi vpd (bsc#1190425)
- Fix qemu crash while deleting xen-block (bsc#1189234)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3619-1
Released:    Fri Nov  5 12:29:52 2021
Summary:     Security update for libvirt
Type:        security
Severity:    moderate
References:  1177902,1183247,1186398,1190420,1190493,1190693,1190695,1190917
This update for libvirt fixes the following issues:

- lxc: controller: Fix container launch on cgroup v1. (bsc#1183247)
- supportconfig: Use systemctl command 'is-active' instead of 'is-enabled' when checking if libvirtd is active.
- qemu: Do not report error in the logs when processing monitor IO. (bsc#1190917)
- spec: Fix an issue when package update hangs (bsc#1177902, bsc#1190693)
- spec: Don't add '--timeout' argument to '/etc/sysconfig/libvirtd' when running in traditional mode without socket activation. (bsc#1190695)
- libxl: Improve reporting of 'die_id' in capabilities. (bsc#1190493)
- libxl: Fix driver reload. (bsc#1190420)
- qemu: Set label on virtual host network device when hotplugging. (bsc#1186398)
- supportconfig: When checking for installed hypervisor drivers,
  use the libvirt-daemon-driver- package instead of
  libvirt-daemon-. The latter are not required packages
  for a functioning hypervisor driver.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3663-1
Released:    Mon Nov 15 19:14:32 2021
Summary:     Recommended update for suse-module-tools
Type:        recommended
Severity:    moderate
References:  1191804
This update for suse-module-tools fixes the following issues:

- Update to version 15.3.14:
  * more fixes for updates under secure boot
  * cert-script: Deal with existing $cert.delete file (bsc#1191804).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3792-1
Released:    Wed Nov 24 06:12:09 2021
Summary:     Recommended update for kmod
Type:        recommended
Severity:    moderate
References:  1192104
This update for kmod fixes the following issues:

- Enable ZSTD compression (bsc#1192104, jsc#SLE-21256)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3808-1
Released:    Fri Nov 26 00:30:54 2021
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1186071,1190440,1190984,1192161
This update for systemd fixes the following issues:

- Add timestamp to D-Bus events to improve traceability (jsc#SLE-17798)
- Fix fd_is_mount_point() when both the parent and directory are network file systems (bsc#1190984)
- Support detection for ARM64 Hyper-V guests (bsc#1186071)
- Fix systemd-detect-virt not detecting Amazon EC2 Nitro instance (bsc#1190440)
- Enable support for Portable Services in openSUSE Leap only (jsc#SLE-21694)
- Fix IO scheduler udev rules to address performance issues (jsc#SLE-21032, bsc#1192161)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3963-1
Released:    Mon Dec  6 19:57:39 2021
Summary:     Recommended update for system-users
Type:        recommended
Severity:    moderate
References:  1190401
This update for system-users fixes the following issues:

- system-user-tss.conf: Removed group entry because it's not needed and contained syntax errors (bsc#1190401)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3985-1
Released:    Fri Dec 10 06:08:24 2021
Summary:     Recommended update for suse-module-tools
Type:        recommended
Severity:    moderate
References:  1187196
This update for suse-module-tools fixes the following issues:

- Blacklist the isst_if_mbox_msr driver because it uses hardware information based on
  CPU family and model, which is too unspecific. On large systems, this causes many
  failed attempts to load this driver, leading to a slow or even stalled boot (bsc#1187196)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:4014-1
Released:    Mon Dec 13 13:57:39 2021
Summary:     Recommended update for apparmor
Type:        recommended
Severity:    moderate
References:  1191532,1191690
This update for apparmor fixes the following issues:

Changes in apparmor:

- Add a profile for 'samba-bgqd'. (bsc#1191532)
- Fix 'Requires' of python3 module. (bsc#1191690)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:4104-1
Released:    Thu Dec 16 11:14:12 2021
Summary:     Security update for python3
Type:        security
Severity:    moderate
References:  1180125,1183374,1183858,1185588,1187668,1189241,1189287,CVE-2021-3426,CVE-2021-3733,CVE-2021-3737
This update for python3 fixes the following issues:

- CVE-2021-3426: Fixed information disclosure via pydoc (bsc#1183374).
- CVE-2021-3733: Fixed infinitely reading potential HTTP headers after a 100 Continue status response from the server (bsc#1189241).
- CVE-2021-3737: Fixed ReDoS in urllib.request (bsc#1189287).

- We do not require python-rpm-macros package (bsc#1180125).
- Use versioned python-Sphinx to avoid dependency on other version of Python (bsc#1183858).
- Stop providing 'python' symbol, which means python2 currently (bsc#1185588).
- Modify Lib/ensurepip/__init__.py to contain the same version numbers as the bundled wheels actually have (bsc#1187668).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:4165-1
Released:    Wed Dec 22 22:52:11 2021
Summary:     Recommended update for kmod
Type:        recommended
Severity:    moderate
References:  1193430
This update for kmod fixes the following issues:

- Ensure that kmod and packages linking to libkmod provide same features. (bsc#1193430)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:4175-1
Released:    Thu Dec 23 11:22:33 2021
Summary:     Recommended update for systemd
Type:        recommended
Severity:    important
References:  1192423,1192858,1193759
This update for systemd fixes the following issues:

- Bump the max number of inodes for /dev to a million (bsc#1192858)
- sleep: don't skip resume device with low priority/available space (bsc#1192423)
- test: use kbd-model-map we ship in one more test case
- test-keymap-util: always use kbd-model-map we ship
- Add rules for virtual devices and enforce 'none' for loop devices. (bsc#1193759)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2-1
Released:    Mon Jan  3 08:27:18 2022
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    moderate
References:  1183905,1193181
This update for lvm2 fixes the following issues:

- Fix lvconvert not taking `--stripes` option (bsc#1183905)
- Fix LVM vgimportclone not working on hardware snapshot (bsc#1193181)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:21-1
Released:    Tue Jan  4 16:06:08 2022
Summary:     Security update for libvirt
Type:        security
Severity:    important
References:  1191668,1192017,1193623,1193719,1193981,1194041,CVE-2021-4147
This update for libvirt fixes the following issues:

- CVE-2021-4147: libxl: Fix libvirtd deadlocks and segfaults. (bsc#1194041)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:40-1
Released:    Mon Jan 10 10:45:12 2022
Summary:     Security update for kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-operator-container
Type:        security
Severity:    important
References:  1190587,1190839,1193930,CVE-2021-43565
This update for kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-operator-container fixes the following issues:

- CVE-2021-43565: Fixes a vulnerability in the golang.org/x/crypto/ssh package which allowed unauthenticated clients to cause a panic in SSH servers. (bsc#1193930)


The following package changes have been made:

- kubevirt-container-disk-0.45.0-8.7.1 updated
- kubevirt-virt-handler-0.45.0-8.7.1 updated
- libapparmor1-2.13.6-3.8.1 updated
- libdevmapper1_03-1.02.163-8.39.1 updated
- libkmod2-29-4.15.1 updated
- libnuma1-2.0.14.20.g4ee5e0c-10.1 updated
- system-group-kvm-20170617-17.3.1 updated
- suse-module-tools-15.3.15-3.17.1 updated
- libpython3_6m1_0-3.6.15-10.9.1 updated
- libmpath0-0.8.5+82+suse.746b76e-2.7.1 updated
- iproute2-5.3-5.5.1 updated
- xkeyboard-config-2.23.1-3.9.1 updated
- system-user-qemu-20170617-17.3.1 updated
- kmod-29-4.15.1 updated
- python3-base-3.6.15-10.9.1 updated
- systemd-246.16-7.28.1 updated
- udev-246.16-7.28.1 updated
- qemu-tools-5.2.0-106.4 updated
- util-linux-systemd-2.36.2-4.5.1 updated
- libvirt-libs-7.1.0-6.11.1 updated
- libvirt-client-7.1.0-6.11.1 updated
- python-rpm-macros-20200207.5feb6c1-3.11.1 removed