Discover Government News

SUSE Container Update Advisory: ses/7.1/ceph/prometheus-node-exporter
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:508-1
Container Tags        : ses/7.1/ceph/prometheus-node-exporter:1.3.0 , ses/7.1/ceph/prometheus-node-exporter:1.3.0.3.2.359 , ses/7.1/ceph/prometheus-node-exporter:latest , ses/7.1/ceph/prometheus-node-exporter:sle15.3.pacific
Container Release     : 3.2.359
Severity              : important
Type                  : security
References            : 1121365 1167864 1177460 1177460 1180995 1181961 1183533 1194038
                        1194530 1196338 1198472 1199467 1200723 1201959 1201978 1202324
                        1202750 1202812 1203046 1203652 1203652 1203681 1203857 1203911
                        1204137 1204179 1204211 1204256 1204366 1204367 1204383 1204423
                        1204649 1204968 1205000 1205126 1205156 1205646 1206309 1206337
                        1206412 1206579 1206738 1207533 1207534 1207536 1207538 CVE-2016-3709
                        CVE-2020-10696 CVE-2021-20206 CVE-2021-22569 CVE-2021-28153 CVE-2022-1941
                        CVE-2022-21698 CVE-2022-2990 CVE-2022-3171 CVE-2022-32221 CVE-2022-3821
                        CVE-2022-40303 CVE-2022-40304 CVE-2022-42898 CVE-2022-4304 CVE-2022-43552
                        CVE-2022-4415 CVE-2022-4450 CVE-2022-46908 CVE-2022-47629 CVE-2023-0215
                        CVE-2023-0286 
-----------------------------------------------------------------

The container ses/7.1/ceph/prometheus-node-exporter was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3745-1
Released:    Wed Oct 26 10:37:11 2022
Summary:     Security update for golang-github-prometheus-node_exporter
Type:        security
Severity:    moderate
References:  1196338,CVE-2022-21698
This update for golang-github-prometheus-node_exporter fixes the following issues:

  (bsc#1196338, jsc#SLE-24238, jsc#SLE-24239, jsc#SUMA-114,
  CVE-2022-21698)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3766-1
Released:    Wed Oct 26 11:38:01 2022
Summary:     Security update for buildah
Type:        security
Severity:    important
References:  1167864,1181961,1202812,CVE-2020-10696,CVE-2021-20206,CVE-2022-2990
This update for buildah fixes the following issues:

- CVE-2021-20206: Fixed an issue in libcni that could allow an attacker to execute arbitrary binaries on the host (bsc#1181961).
- CVE-2020-10696: Fixed an issue that could lead to files being overwritten during the image building process (bsc#1167864).
- CVE-2022-2990: Fixed possible information disclosure and modification / bsc#1202812

Buildah was updated to version 1.27.1:

* run: add container gid to additional groups

- Add fix for CVE-2022-2990 / bsc#1202812


Update to version 1.27.0:

* Don't try to call runLabelStdioPipes if spec.Linux is not set
* build: support filtering cache by duration using --cache-ttl
* build: support building from commit when using git repo as build context
* build: clean up git repos correctly when using subdirs* integration tests: quote '?' in shell scripts
* test: manifest inspect should have OCIv1 annotation
* vendor: bump to c/common@87fab4b7019a
* Failure to determine a file or directory should print an error
* refactor: remove unused CommitOptions from generateBuildOutput
* stage_executor: generate output for cases with no commit
* stage_executor, commit: output only if last stage in build
* Use errors.Is() instead of os.Is{Not,}Exist
* Minor test tweak for podman-remote compatibility
* Cirrus: Use the latest imgts container
* imagebuildah: complain about the right Dockerfile
* tests: don't try to wrap `nil` errors* cmd/buildah.commitCmd: don't shadow 'err'
* cmd/buildah.pullCmd: complain about DecryptConfig/EncryptConfig
* Fix a copy/paste error message
* Fix a typo in an error message
* build,cache: support pulling/pushing cache layers to/from remote sources
* Update vendor of containers/(common, storage, image)
* Rename chroot/run.go to chroot/run_linux.go
* Don't bother telling codespell to skip files that don't exist
* Set user namespace defaults correctly for the library
* imagebuildah: optimize cache hits for COPY and ADD instructions
* Cirrus: Update VM images w/ updated bats
* docs, run: show SELinux label flag for cache and bind mounts
* imagebuildah, build: remove undefined concurrent writes
* bump github.com/opencontainers/runtime-tools
* Add FreeBSD support for 'buildah info'
* Vendor in latest containers/(storage, common, image)
* Add freebsd cross build targets
* Make the jail package build on 32bit platforms
* Cirrus: Ensure the build-push VM image is labeled
* GHA: Fix dynamic script filename
* Vendor in containers/(common, storage, image)
* Run codespell
* Remove import of github.com/pkg/errors* Avoid using cgo in pkg/jail
* Rename footypes to fooTypes for naming consistency
* Move cleanupTempVolumes and cleanupRunMounts to run_common.go
* Make the various run mounts work for FreeBSD
* Move get{Bind,Tmpfs,Secret,SSH}Mount to run_common.go
* Move runSetupRunMounts to run_common.go
* Move cleanableDestinationListFromMounts to run_common.go
* Make setupMounts and runSetupBuiltinVolumes work on FreeBSD
* Move setupMounts and runSetupBuiltinVolumes to run_common.go
* Tidy up - runMakeStdioPipe can't be shared with linux
* Move runAcceptTerminal to run_common.go
* Move stdio copying utilities to run_common.go
* Move runUsingRuntime and runCollectOutput to run_common.go
* Move fileCloser, waitForSync and contains to run_common.go
* Move checkAndOverrideIsolationOptions to run_common.go
* Move DefaultNamespaceOptions to run_common.go
* Move getNetworkInterface to run_common.go
* Move configureEnvironment to run_common.go
* Don't crash in configureUIDGID if Process.Capabilities is nil
* Move configureUIDGID to run_common.go
* Move runLookupPath to run_common.go
* Move setupTerminal to run_common.go
* Move etc file generation utilities to run_common.go
* Add run support for FreeBSD
* Add a simple FreeBSD jail library
* Add FreeBSD support to pkg/chrootuser
* Sync call signature for RunUsingChroot with chroot/run.go
* test: verify feature to resolve basename with args
* vendor: bump openshift/imagebuilder to master@4151e43
* GHA: Remove required reserved-name use
* buildah: set XDG_RUNTIME_DIR before setting default runroot
* imagebuildah: honor build output even if build container is not commited
* chroot: honor DefaultErrnoRet
* [CI:DOCS] improve pull-policy documentation
* tests: retrofit test since --file does not supports dir
* Switch to golang native error wrapping
* BuildDockerfiles: error out if path to containerfile is a directory
* define.downloadToDirectory: fail early if bad HTTP response
* GHA: Allow re-use of Cirrus-Cron fail-mail workflow
* add: fail on bad http response instead of writing to container
* [CI:DOCS] Update buildahimage comment
* lint: inspectable is never nil
* vendor: c/common to common@7e1563b
* build: support OCI hooks for ephemeral build containers* [CI:BUILD] Install latest buildah instead of compiling
* Add subid support with BuildRequires and BUILDTAG [NO NEW TESTS NEEDED]
* Make sure cpp is installed in buildah images
* demo: use unshare for rootless invocations
* buildah.spec.rpkg: initial addition
* build: fix test for subid 4
* build, userns: add support for --userns=auto
* Fix building upstream buildah image
* Remove redundant buildahimages-are-sane validation
* Docs: Update multi-arch buildah images readme
* Cirrus: Migrate multiarch build off github actions
* retrofit-tests: we skip unused stages so use stages
* stage_executor: dont rely on stage while looking for additional-context
* buildkit, multistage: skip computing unwanted stages
* More test cleanup
* copier: work around freebsd bug for 'mkdir /'
* Replace $BUILDAH_BINARY with buildah() function
* Fix up buildah images
* Make util and copier build on FreeBSD
* Vendor in latest github.com/sirupsen/logrus
* Makefile: allow building without .git
* run_unix: don't return an error from getNetworkInterface
* run_unix: return a valid DefaultNamespaceOptions
* Update vendor of containers/storage
* chroot: use ActKillThread instead of ActKill
* use resolvconf package from c/common/libnetwork
* update c/common to latest main
* copier: add `NoOverwriteNonDirDir` option
* Sort buildoptions and move cli/build functions to internal
* Fix TODO: de-spaghettify run mounts
* Move options parsing out of build.go and into pkg/cli
* [CI:DOCS] Tutorial 04 - Include Debian/Ubuntu deps
* build, multiarch: support splitting build logs for --platform
* [CI:BUILD] WIP Cleanup Image Dockerfiles
* cli remove stutter
* docker-parity: ignore sanity check if baseImage history is null
* build, commit: allow disabling image history with --omit-history
* Fix use generic/ambiguous DEBUG name
* Cirrus: use Ubuntu 22.04 LTS
* Fix codespell errors* Remove util.StringInSlice because it is defined in containers/common
* buildah: add support for renaming a device in rootless setups
* squash: never use build cache when computing last step of last stage
* Update vendor of containers/(common, storage, image)
* buildkit: supports additionalBuildContext in builds via --build-context
* buildah source pull/push: show progress bar
* run: allow resuing secret twice in different RUN steps
* test helpers: default to being rootless-aware
* Add --cpp-flag flag to buildah build
* build: accept branch and subdirectory when context is git repo
* Vendor in latest containers/common
* vendor: update c/storage and c/image
* Fix gentoo install docs
* copier: move NSS load to new process
* Add test for prevention of reusing encrypted layers* Make `buildah build --label foo` create an empty 'foo' label again


Update to version 1.26.4:

* build, multiarch: support splitting build logs for --platform
* copier: add `NoOverwriteNonDirDir` option
* docker-parity: ignore sanity check if baseImage history is null
* build, commit: allow disabling image history with --omit-history
* buildkit: supports additionalBuildContext in builds via --build-context
* Add --cpp-flag flag to buildah build

Update to version 1.26.3:

* define.downloadToDirectory: fail early if bad HTTP response
* add: fail on bad http response instead of writing to container
* squash: never use build cache when computing last step of last stage
* run: allow resuing secret twice in different RUN steps
* integration tests: update expected error messages
* integration tests: quote '?' in shell scripts
* Use errors.Is() to check for storage errors* lint: inspectable is never nil
* chroot: use ActKillThread instead of ActKill
* chroot: honor DefaultErrnoRet
* Set user namespace defaults correctly for the library
* contrib/rpm/buildah.spec: fix `rpm` parser warnings

Drop requires on apparmor pattern, should be moved elsewhere
for systems which want AppArmor instead of SELinux.

- Update BuildRequires to libassuan-devel >= 2.5.2, pkgconfig file
  is required to build.

Update to version 1.26.2:

* buildah: add support for renaming a device in rootless setups

Update to version 1.26.1:

* Make `buildah build --label foo` create an empty 'foo' label again
* imagebuildah,build: move deepcopy of args before we spawn goroutine
* Vendor in containers/storage v1.40.2
* buildah.BuilderOptions.DefaultEnv is ignored, so mark it as deprecated
* help output: get more consistent about option usage text
* Handle OS version and features flags
* buildah build: --annotation and --label should remove values
* buildah build: add a --env
* buildah: deep copy options.Args before performing concurrent build/stage
* test: inline platform and builtinargs behaviour
* vendor: bump imagebuilder to master/009dbc6
* build: automatically set correct TARGETPLATFORM where expected
* Vendor in containers/(common, storage, image)
* imagebuildah, executor: process arg variables while populating baseMap
* buildkit: add support for custom build output with --output
* Cirrus: Update CI VMs to F36
* fix staticcheck linter warning for deprecated function
* Fix docs build on FreeBSD
* copier.unwrapError(): update for Go 1.16
* copier.PutOptions: add StripSetuidBit/StripSetgidBit/StripStickyBit
* copier.Put(): write to read-only directories
* Ed's periodic test cleanup
* using consistent lowercase 'invalid' word in returned err msg
* use etchosts package from c/common
* run: set actual hostname in /etc/hostname to match docker parity
* Update vendor of containers/(common,storage,image)
* manifest-create: allow creating manifest list from local image
* Update vendor of storage,common,image
* Initialize network backend before first pull
* oci spec: change special mount points for namespaces
* tests/helpers.bash: assert handle corner cases correctly
* buildah: actually use containers.conf settings
* integration tests: learn to start a dummy registry
* Fix error check to work on Podman
* buildah build should accept at most one arg
* tests: reduce concurrency for flaky bud-multiple-platform-no-run
* vendor in latest containers/common,image,storage
* manifest-add: allow override arch,variant while adding image
* Remove a stray `\` from .containerenv
* Vendor in latest opencontainers/selinux v1.10.1
* build, commit: allow removing default identity labels
* Create shorter names for containers based on image IDs
* test: skip rootless on cgroupv2 in root env
* fix hang when oci runtime fails
* Set permissions for GitHub actions
* copier test: use correct UID/GID in test archives
* run: set parent-death signals and forward SIGHUP/SIGINT/SIGTERM


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3773-1
Released:    Wed Oct 26 12:19:29 2022
Summary:     Security update for curl
Type:        security
Severity:    important
References:  1204383,CVE-2022-32221
This update for curl fixes the following issues:

  - CVE-2022-32221: Fixed POST following PUT confusion (bsc#1204383).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3776-1
Released:    Wed Oct 26 14:06:43 2022
Summary:     Recommended update for permissions
Type:        recommended
Severity:    important
References:  1203911,1204137
This update for permissions fixes the following issues:

- Revert changes that replaced ping capabilities with ICMP_PROTO sockets. Older SUSE Linux Enterprise versions don't
  properly support ICMP_PROTO sockets feature yet (bsc#1204137)
- Fix regression introduced by backport of security fix (bsc#1203911)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3871-1
Released:    Fri Nov  4 13:26:29 2022
Summary:     Security update for libxml2
Type:        security
Severity:    important
References:  1201978,1204366,1204367,CVE-2016-3709,CVE-2022-40303,CVE-2022-40304
This update for libxml2 fixes the following issues:

  - CVE-2016-3709: Fixed possible XSS vulnerability (bsc#1201978).
  - CVE-2022-40303: Fixed integer overflows with XML_PARSE_HUGE (bsc#1204366).
  - CVE-2022-40304: Fixed dict corruption caused by entity reference cycles (bsc#1204367).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3901-1
Released:    Tue Nov  8 10:50:06 2022
Summary:     Recommended update for openssl-1_1
Type:        recommended
Severity:    moderate
References:  1180995,1203046
This update for openssl-1_1 fixes the following issues:

- Default to RFC7919 groups when generating ECDH parameters using 'genpkey' or 'dhparam' in FIPS mode (bsc#1180995)
- Fix memory leaks (bsc#1203046)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3910-1
Released:    Tue Nov  8 13:05:04 2022
Summary:     Recommended update for pam
Type:        recommended
Severity:    moderate
References:  
This update for pam fixes the following issue:

- Update pam_motd to the most current version. (PED-1712)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3922-1
Released:    Wed Nov  9 09:03:33 2022
Summary:     Security update for protobuf
Type:        security
Severity:    important
References:  1194530,1203681,1204256,CVE-2021-22569,CVE-2022-1941,CVE-2022-3171
This update for protobuf fixes the following issues:

- CVE-2021-22569: Fixed Denial of Service in protobuf-java in the parsing procedure for binary data (bsc#1194530).
- CVE-2022-1941: Fix a potential DoS issue in protobuf-cpp and protobuf-python (bsc#1203681)
- CVE-2022-3171: Fix a potential DoS issue when parsing with binary data in protobuf-java (bsc#1204256)
  
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3961-1
Released:    Mon Nov 14 07:33:50 2022
Summary:     Recommended update for zlib
Type:        recommended
Severity:    important
References:  1203652
This update for zlib fixes the following issues:

- Fix updating strm.adler with inflate() if DFLTCC is used (bsc#1203652)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3973-1
Released:    Mon Nov 14 15:38:25 2022
Summary:     Recommended update for util-linux
Type:        recommended
Severity:    moderate
References:  1201959,1204211
This update for util-linux fixes the following issues:

- Fix file conflict during upgrade (bsc#1204211)
- libuuid improvements (bsc#1201959, PED-1150):
  libuuid: Fix range when parsing UUIDs.
  Improve cache handling for short running applications-increment the cache size over runtime.
  Implement continuous clock handling for time based UUIDs.
  Check clock value from clock file to provide seamless libuuid.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:4056-1
Released:    Thu Nov 17 15:38:08 2022
Summary:     Security update for systemd
Type:        security
Severity:    moderate
References:  1204179,1204968,CVE-2022-3821
This update for systemd fixes the following issues:

- CVE-2022-3821: Fixed buffer overrun in format_timespan() function (bsc#1204968).

- Import commit 56bee38fd0da18dad5fc5c5d12c02238a22b50e2
  * 8a70235d8a core: Add trigger limit for path units
  * 93e544f3a0 core/mount: also add default before dependency for automount mount units
  * 5916a7748c logind: fix crash in logind on user-specified message string

- Document udev naming scheme (bsc#1204179).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:4066-1
Released:    Fri Nov 18 10:43:00 2022
Summary:     Recommended update for timezone
Type:        recommended
Severity:    important
References:  1177460,1202324,1204649,1205156
This update for timezone fixes the following issues:

Update timezone version from 2022a to 2022f (bsc#1177460, bsc#1204649, bsc#1205156):

- Mexico will no longer observe DST except near the US border
- Chihuahua moves to year-round -06 on 2022-10-30
- Fiji no longer observes DST
- In vanguard form, GMT is now a Zone and Etc/GMT a link
- zic now supports links to links, and vanguard form uses this
- Simplify four Ontario zones
- Fix a Y2438 bug when reading TZif data
- Enable 64-bit time_t on 32-bit glibc platforms
- Omit large-file support when no longer needed
- Jordan and Syria switch from +02/+03 with DST to year-round +03
- Palestine transitions are now Saturdays at 02:00
- Simplify three Ukraine zones into one
- Improve tzselect on intercontinental Zones
- Chile's DST is delayed by a week in September 2022 (bsc#1202324)
- Iran no longer observes DST after 2022
- Rename Europe/Kiev to Europe/Kyiv
- New `zic -R` command option
- Vanguard form now uses %z

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:4198-1
Released:    Wed Nov 23 13:15:04 2022
Summary:     Recommended update for rpm
Type:        recommended
Severity:    moderate
References:  1202750
This update for rpm fixes the following issues:

- Strip critical bit in signature subpackage parsing
- No longer deadlock DNF after pubkey import (bsc#1202750)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:4256-1
Released:    Mon Nov 28 12:36:32 2022
Summary:     Recommended update for gcc12
Type:        recommended
Severity:    moderate
References:  
This update for gcc12 fixes the following issues:

This update ship the GCC 12 compiler suite and its base libraries.

The compiler baselibraries are provided for all SUSE Linux Enterprise 15
versions and replace the same named GCC 11 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux
Enterprise 15 SP3 and SP4, and provided in the 'Development Tools' module.

The Go, D and Ada language compiler parts are available unsupported via the
PackageHub repositories.

To use gcc12 compilers use:

- install 'gcc12' or 'gcc12-c++' or one of the other 'gcc12-COMPILER' frontend packages.
- override your Makefile to use CC=gcc12, CXX=g++12 and similar overrides for the other languages.

For a full changelog with all new GCC12 features, check out

	https://gcc.gnu.org/gcc-12/changes.html


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:4628-1
Released:    Wed Dec 28 09:23:13 2022
Summary:     Security update for sqlite3
Type:        security
Severity:    moderate
References:  1206337,CVE-2022-46908
This update for sqlite3 fixes the following issues:

- CVE-2022-46908: Properly implement the azProhibitedFunctions protection mechanism, 
  when relying on --safe for execution of an untrusted CLI script (bsc#1206337).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:4630-1
Released:    Wed Dec 28 09:25:18 2022
Summary:     Security update for systemd
Type:        security
Severity:    important
References:  1200723,1203857,1204423,1205000,CVE-2022-4415
This update for systemd fixes the following issues:

- CVE-2022-4415: Fixed systemd-coredump that did not respect the fs.suid_dumpable kernel setting (bsc#1205000).

Bug fixes:

- Support by-path devlink for multipath nvme block devices (bsc#1200723).
- Set SYSTEMD_NSS_DYNAMIC_BYPASS=1 env var for dbus-daemon (bsc#1203857).
- Restrict cpu rule to x86_64, and also update the rule files to make use of the 'CONST{arch}' syntax (bsc#1204423).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:4633-1
Released:    Wed Dec 28 09:32:15 2022
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1206309,CVE-2022-43552
This update for curl fixes the following issues:

- CVE-2022-43552: HTTP Proxy deny use-after-free (bsc#1206309).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:25-1
Released:    Thu Jan  5 09:51:41 2023
Summary:     Recommended update for timezone
Type:        recommended
Severity:    moderate
References:  1177460
This update for timezone fixes the following issues:

Version update from 2022f to 2022g (bsc#1177460):

- In the Mexican state of Chihuahua:
  * The border strip near the US will change to agree with nearby US locations on 2022-11-30.
  * The strip's western part, represented by Ciudad Juarez, switches from -06 all year to -07/-06 with US DST rules,
    like El Paso, TX.
  * The eastern part, represented by Ojinaga, will observe US DST next year, like Presidio, TX.
  * A new Zone America/Ciudad_Juarez splits from America/Ojinaga.
- Much of Greenland, represented by America/Nuuk, stops observing winter time after March 2023, so its daylight saving
  time becomes standard time.
- Changes for pre-1996 northern Canada
- Update to past DST transition in Colombia (1993), Singapore (1981)
- 'timegm' is now supported by default

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:48-1
Released:    Mon Jan  9 10:37:54 2023
Summary:     Recommended update for libtirpc
Type:        recommended
Severity:    moderate
References:  1199467
This update for libtirpc fixes the following issues:

- Consider /proc/sys/net/ipv4/ip_local_reserved_ports, before binding to a random port (bsc#1199467)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:56-1
Released:    Mon Jan  9 11:13:43 2023
Summary:     Security update for libksba
Type:        security
Severity:    moderate
References:  1206579,CVE-2022-47629
This update for libksba fixes the following issues:

- CVE-2022-47629: Fixed an integer overflow vulnerability in the CRL
  signature parser (bsc#1206579).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:157-1
Released:    Thu Jan 26 15:54:43 2023
Summary:     Recommended update for util-linux
Type:        recommended
Severity:    moderate
References:  1194038,1205646
This update for util-linux fixes the following issues:

- libuuid continuous clock handling for time based UUIDs:
  Prevent use of the new libuuid ABI by uuidd %post before update
  of libuuid1 (bsc#1205646).
- Use chown --quiet to prevent error message if /var/lib/libuuid/clock.txt
  does not exist.
- Fix tests not passing when '@' character is in build path: 
  Fixes rpmbuild %checks fail when @ in the directory path (bsc#1194038).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:174-1
Released:    Thu Jan 26 20:52:38 2023
Summary:     Security update for glib2
Type:        security
Severity:    low
References:  1183533,CVE-2021-28153
This update for glib2 fixes the following issues:

- CVE-2021-28153: Fixed an issue where symlink targets would be incorrectly created as empty files (bsc#1183533).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:176-1
Released:    Thu Jan 26 20:56:20 2023
Summary:     Recommended update for permissions
Type:        recommended
Severity:    moderate
References:  1206738
This update for permissions fixes the following issues:

Update to version 20181225:

* Backport postfix permissions to SLE 15 SP2 (bsc#1206738)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:181-1
Released:    Thu Jan 26 21:55:43 2023
Summary:     Recommended update for procps
Type:        recommended
Severity:    low
References:  1206412
This update for procps fixes the following issues:

- Improve memory handling/usage (bsc#1206412) 
- Make sure that correct library version is installed (bsc#1206412)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:188-1
Released:    Fri Jan 27 12:07:19 2023
Summary:     Recommended update for zlib
Type:        recommended
Severity:    important
References:  1203652
This update for zlib fixes the following issues:

- Follow up fix for bug bsc#1203652 due to libxml2 issues

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:198-1
Released:    Fri Jan 27 14:26:54 2023
Summary:     Security update for krb5
Type:        security
Severity:    important
References:  1205126,CVE-2022-42898
This update for krb5 fixes the following issues:

- CVE-2022-42898: Fixed integer overflow in PAC parsing (bsc#1205126).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:310-1
Released:    Tue Feb  7 17:35:34 2023
Summary:     Security update for openssl-1_1
Type:        security
Severity:    important
References:  1121365,1198472,1207533,1207534,1207536,1207538,CVE-2022-4304,CVE-2022-4450,CVE-2023-0215,CVE-2023-0286
This update for openssl-1_1 fixes the following issues:

- CVE-2023-0286: Fixed X.400 address type confusion in X.509 GENERAL_NAME_cmp for x400Address (bsc#1207533).
- CVE-2023-0215: Fixed use-after-free following BIO_new_NDEF() (bsc#1207536).
- CVE-2022-4450: Fixed double free after calling PEM_read_bio_ex() (bsc#1207538).
- CVE-2022-4304: Fixed timing Oracle in RSA Decryption (bsc#1207534).
- FIPS: list only FIPS approved public key algorithms (bsc#1121365, bsc#1198472)


The following package changes have been done:

- golang-github-prometheus-node_exporter-1.3.0-150100.3.18.1 updated
- krb5-1.19.2-150300.10.1 updated
- libblkid1-2.36.2-150300.4.32.1 updated
- libcurl4-7.66.0-150200.4.45.1 updated
- libfdisk1-2.36.2-150300.4.32.1 updated
- libgcc_s1-12.2.1+git416-150000.1.5.1 updated
- libglib-2_0-0-2.62.6-150200.3.10.1 updated
- libgpg-error0-1.42-150300.9.3.1 updated
- libksba8-1.3.5-150000.4.6.1 updated
- libmount1-2.36.2-150300.4.32.1 updated
- libopenssl1_1-hmac-1.1.1d-150200.11.57.1 updated
- libopenssl1_1-1.1.1d-150200.11.57.1 updated
- libprocps7-3.3.15-150000.7.28.1 updated
- libprotobuf-lite20-3.9.2-150200.4.19.2 updated
- libsmartcols1-2.36.2-150300.4.32.1 updated
- libsqlite3-0-3.39.3-150000.3.20.1 updated
- libstdc++6-12.2.1+git416-150000.1.5.1 updated
- libsystemd0-246.16-150300.7.57.1 updated
- libtirpc-netconfig-1.2.6-150300.3.17.1 updated
- libtirpc3-1.2.6-150300.3.17.1 updated
- libudev1-246.16-150300.7.57.1 updated
- libuuid1-2.36.2-150300.4.32.1 updated
- libxml2-2-2.9.7-150000.3.51.1 updated
- libz1-1.2.11-150000.3.39.1 updated
- openssl-1_1-1.1.1d-150200.11.57.1 updated
- pam-1.3.0-150000.6.61.1 updated
- permissions-20181225-150200.23.23.1 updated
- procps-3.3.15-150000.7.28.1 updated
- rpm-ndb-4.14.3-150300.52.1 updated
- timezone-2022g-150000.75.18.1 updated
- util-linux-2.36.2-150300.4.32.1 updated
- container:sles15-image-15.0.0-17.20.107 updated

SUSE: 2023:508-1 ses/7.1/ceph/prometheus-node-exporter Security Update

March 1, 2023
The container ses/7.1/ceph/prometheus-node-exporter was updated

Summary

Advisory ID: SUSE-SU-2022:3745-1 Released: Wed Oct 26 10:37:11 2022 Summary: Security update for golang-github-prometheus-node_exporter Type: security Severity: moderate Advisory ID: SUSE-SU-2022:3766-1 Released: Wed Oct 26 11:38:01 2022 Summary: Security update for buildah Type: security Severity: important Advisory ID: SUSE-SU-2022:3773-1 Released: Wed Oct 26 12:19:29 2022 Summary: Security update for curl Type: security Severity: important Advisory ID: SUSE-RU-2022:3776-1 Released: Wed Oct 26 14:06:43 2022 Summary: Recommended update for permissions Type: recommended Severity: important Advisory ID: SUSE-SU-2022:3871-1 Released: Fri Nov 4 13:26:29 2022 Summary: Security update for libxml2 Type: security Severity: important Advisory ID: SUSE-RU-2022:3901-1 Released: Tue Nov 8 10:50:06 2022 Summary: Recommended update for openssl-1_1 Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:3910-1 Released: Tue Nov 8 13:05:04 2022 Summary: Recommended update for pam Type: recommended Severity: moderate Advisory ID: SUSE-SU-2022:3922-1 Released: Wed Nov 9 09:03:33 2022 Summary: Security update for protobuf Type: security Severity: important Advisory ID: SUSE-RU-2022:3961-1 Released: Mon Nov 14 07:33:50 2022 Summary: Recommended update for zlib Type: recommended Severity: important Advisory ID: SUSE-RU-2022:3973-1 Released: Mon Nov 14 15:38:25 2022 Summary: Recommended update for util-linux Type: recommended Severity: moderate Advisory ID: SUSE-SU-2022:4056-1 Released: Thu Nov 17 15:38:08 2022 Summary: Security update for systemd Type: security Severity: moderate Advisory ID: SUSE-RU-2022:4066-1 Released: Fri Nov 18 10:43:00 2022 Summary: Recommended update for timezone Type: recommended Severity: important Advisory ID: SUSE-RU-2022:4198-1 Released: Wed Nov 23 13:15:04 2022 Summary: Recommended update for rpm Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:4256-1 Released: Mon Nov 28 12:36:32 2022 Summary: Recommended update for gcc12 Type: recommended Severity: moderate Advisory ID: SUSE-SU-2022:4628-1 Released: Wed Dec 28 09:23:13 2022 Summary: Security update for sqlite3 Type: security Severity: moderate Advisory ID: SUSE-SU-2022:4630-1 Released: Wed Dec 28 09:25:18 2022 Summary: Security update for systemd Type: security Severity: important Advisory ID: SUSE-SU-2022:4633-1 Released: Wed Dec 28 09:32:15 2022 Summary: Security update for curl Type: security Severity: moderate Advisory ID: SUSE-RU-2023:25-1 Released: Thu Jan 5 09:51:41 2023 Summary: Recommended update for timezone Type: recommended Severity: moderate Advisory ID: SUSE-RU-2023:48-1 Released: Mon Jan 9 10:37:54 2023 Summary: Recommended update for libtirpc Type: recommended Severity: moderate Advisory ID: SUSE-SU-2023:56-1 Released: Mon Jan 9 11:13:43 2023 Summary: Security update for libksba Type: security Severity: moderate Advisory ID: SUSE-RU-2023:157-1 Released: Thu Jan 26 15:54:43 2023 Summary: Recommended update for util-linux Type: recommended Severity: moderate Advisory ID: SUSE-SU-2023:174-1 Released: Thu Jan 26 20:52:38 2023 Summary: Security update for glib2 Type: security Severity: low Advisory ID: SUSE-RU-2023:176-1 Released: Thu Jan 26 20:56:20 2023 Summary: Recommended update for permissions Type: recommended Severity: moderate Advisory ID: SUSE-RU-2023:181-1 Released: Thu Jan 26 21:55:43 2023 Summary: Recommended update for procps Type: recommended Severity: low Advisory ID: SUSE-RU-2023:188-1 Released: Fri Jan 27 12:07:19 2023 Summary: Recommended update for zlib Type: recommended Severity: important Advisory ID: SUSE-SU-2023:198-1 Released: Fri Jan 27 14:26:54 2023 Summary: Security update for krb5 Type: security Severity: important Advisory ID: SUSE-SU-2023:310-1 Released: Tue Feb 7 17:35:34 2023 Summary: Security update for openssl-1_1 Type: security Severity: important

References

References : 1121365 1167864 1177460 1177460 1180995 1181961 1183533 1194038

1194530 1196338 1198472 1199467 1200723 1201959 1201978 1202324

1202750 1202812 1203046 1203652 1203652 1203681 1203857 1203911

1204137 1204179 1204211 1204256 1204366 1204367 1204383 1204423

1204649 1204968 1205000 1205126 1205156 1205646 1206309 1206337

1206412 1206579 1206738 1207533 1207534 1207536 1207538 CVE-2016-3709

CVE-2020-10696 CVE-2021-20206 CVE-2021-22569 CVE-2021-28153 CVE-2022-1941

CVE-2022-21698 CVE-2022-2990 CVE-2022-3171 CVE-2022-32221 CVE-2022-3821

CVE-2022-40303 CVE-2022-40304 CVE-2022-42898 CVE-2022-4304 CVE-2022-43552

CVE-2022-4415 CVE-2022-4450 CVE-2022-46908 CVE-2022-47629 CVE-2023-0215

CVE-2023-0286

1196338,CVE-2022-21698

This update for golang-github-prometheus-node_exporter fixes the following issues:

(bsc#1196338, jsc#SLE-24238, jsc#SLE-24239, jsc#SUMA-114,

CVE-2022-21698)

1167864,1181961,1202812,CVE-2020-10696,CVE-2021-20206,CVE-2022-2990

This update for buildah fixes the following issues:

- CVE-2021-20206: Fixed an issue in libcni that could allow an attacker to execute arbitrary binaries on the host (bsc#1181961).

- CVE-2020-10696: Fixed an issue that could lead to files being overwritten during the image building process (bsc#1167864).

- CVE-2022-2990: Fixed possible information disclosure and modification / bsc#1202812

Buildah was updated to version 1.27.1:

* run: add container gid to additional groups

- Add fix for CVE-2022-2990 / bsc#1202812

Update to version 1.27.0:

* Don't try to call runLabelStdioPipes if spec.Linux is not set

* build: support filtering cache by duration using --cache-ttl

* build: support building from commit when using git repo as build context

* build: clean up git repos correctly when using subdirs* integration tests: quote '?' in shell scripts

* test: manifest inspect should have OCIv1 annotation

* vendor: bump to c/common@87fab4b7019a

* Failure to determine a file or directory should print an error

* refactor: remove unused CommitOptions from generateBuildOutput

* stage_executor: generate output for cases with no commit

* stage_executor, commit: output only if last stage in build

* Use errors.Is() instead of os.Is{Not,}Exist

* Minor test tweak for podman-remote compatibility

* Cirrus: Use the latest imgts container

* imagebuildah: complain about the right Dockerfile

* tests: don't try to wrap `nil` errors* cmd/buildah.commitCmd: don't shadow 'err'

* cmd/buildah.pullCmd: complain about DecryptConfig/EncryptConfig

* Fix a copy/paste error message

* Fix a typo in an error message

* build,cache: support pulling/pushing cache layers to/from remote sources

* Update vendor of containers/(common, storage, image)

* Rename chroot/run.go to chroot/run_linux.go

* Don't bother telling codespell to skip files that don't exist

* Set user namespace defaults correctly for the library

* imagebuildah: optimize cache hits for COPY and ADD instructions

* Cirrus: Update VM images w/ updated bats

* docs, run: show SELinux label flag for cache and bind mounts

* imagebuildah, build: remove undefined concurrent writes

* bump github.com/opencontainers/runtime-tools

* Add FreeBSD support for 'buildah info'

* Vendor in latest containers/(storage, common, image)

* Add freebsd cross build targets

* Make the jail package build on 32bit platforms

* Cirrus: Ensure the build-push VM image is labeled

* GHA: Fix dynamic script filename

* Vendor in containers/(common, storage, image)

* Run codespell

* Remove import of github.com/pkg/errors* Avoid using cgo in pkg/jail

* Rename footypes to fooTypes for naming consistency

* Move cleanupTempVolumes and cleanupRunMounts to run_common.go

* Make the various run mounts work for FreeBSD

* Move get{Bind,Tmpfs,Secret,SSH}Mount to run_common.go

* Move runSetupRunMounts to run_common.go

* Move cleanableDestinationListFromMounts to run_common.go

* Make setupMounts and runSetupBuiltinVolumes work on FreeBSD

* Move setupMounts and runSetupBuiltinVolumes to run_common.go

* Tidy up - runMakeStdioPipe can't be shared with linux

* Move runAcceptTerminal to run_common.go

* Move stdio copying utilities to run_common.go

* Move runUsingRuntime and runCollectOutput to run_common.go

* Move fileCloser, waitForSync and contains to run_common.go

* Move checkAndOverrideIsolationOptions to run_common.go

* Move DefaultNamespaceOptions to run_common.go

* Move getNetworkInterface to run_common.go

* Move configureEnvironment to run_common.go

* Don't crash in configureUIDGID if Process.Capabilities is nil

* Move configureUIDGID to run_common.go

* Move runLookupPath to run_common.go

* Move setupTerminal to run_common.go

* Move etc file generation utilities to run_common.go

* Add run support for FreeBSD

* Add a simple FreeBSD jail library

* Add FreeBSD support to pkg/chrootuser

* Sync call signature for RunUsingChroot with chroot/run.go

* test: verify feature to resolve basename with args

* vendor: bump openshift/imagebuilder to master@4151e43

* GHA: Remove required reserved-name use

* buildah: set XDG_RUNTIME_DIR before setting default runroot

* imagebuildah: honor build output even if build container is not commited

* chroot: honor DefaultErrnoRet

* [CI:DOCS] improve pull-policy documentation

* tests: retrofit test since --file does not supports dir

* Switch to golang native error wrapping

* BuildDockerfiles: error out if path to containerfile is a directory

* define.downloadToDirectory: fail early if bad HTTP response

* GHA: Allow re-use of Cirrus-Cron fail-mail workflow

* add: fail on bad http response instead of writing to container

* [CI:DOCS] Update buildahimage comment

* lint: inspectable is never nil

* vendor: c/common to common@7e1563b

* build: support OCI hooks for ephemeral build containers* [CI:BUILD] Install latest buildah instead of compiling

* Add subid support with BuildRequires and BUILDTAG [NO NEW TESTS NEEDED]

* Make sure cpp is installed in buildah images

* demo: use unshare for rootless invocations

* buildah.spec.rpkg: initial addition

* build: fix test for subid 4

* build, userns: add support for --userns=auto

* Fix building upstream buildah image

* Remove redundant buildahimages-are-sane validation

* Docs: Update multi-arch buildah images readme

* Cirrus: Migrate multiarch build off github actions

* retrofit-tests: we skip unused stages so use stages

* stage_executor: dont rely on stage while looking for additional-context

* buildkit, multistage: skip computing unwanted stages

* More test cleanup

* copier: work around freebsd bug for 'mkdir /'

* Replace $BUILDAH_BINARY with buildah() function

* Fix up buildah images

* Make util and copier build on FreeBSD

* Vendor in latest github.com/sirupsen/logrus

* Makefile: allow building without .git

* run_unix: don't return an error from getNetworkInterface

* run_unix: return a valid DefaultNamespaceOptions

* Update vendor of containers/storage

* chroot: use ActKillThread instead of ActKill

* use resolvconf package from c/common/libnetwork

* update c/common to latest main

* copier: add `NoOverwriteNonDirDir` option

* Sort buildoptions and move cli/build functions to internal

* Fix TODO: de-spaghettify run mounts

* Move options parsing out of build.go and into pkg/cli

* [CI:DOCS] Tutorial 04 - Include Debian/Ubuntu deps

* build, multiarch: support splitting build logs for --platform

* [CI:BUILD] WIP Cleanup Image Dockerfiles

* cli remove stutter

* docker-parity: ignore sanity check if baseImage history is null

* build, commit: allow disabling image history with --omit-history

* Fix use generic/ambiguous DEBUG name

* Cirrus: use Ubuntu 22.04 LTS

* Fix codespell errors* Remove util.StringInSlice because it is defined in containers/common

* buildah: add support for renaming a device in rootless setups

* squash: never use build cache when computing last step of last stage

* Update vendor of containers/(common, storage, image)

* buildkit: supports additionalBuildContext in builds via --build-context

* buildah source pull/push: show progress bar

* run: allow resuing secret twice in different RUN steps

* test helpers: default to being rootless-aware

* Add --cpp-flag flag to buildah build

* build: accept branch and subdirectory when context is git repo

* Vendor in latest containers/common

* vendor: update c/storage and c/image

* Fix gentoo install docs

* copier: move NSS load to new process

* Add test for prevention of reusing encrypted layers* Make `buildah build --label foo` create an empty 'foo' label again

Update to version 1.26.4:

* build, multiarch: support splitting build logs for --platform

* copier: add `NoOverwriteNonDirDir` option

* docker-parity: ignore sanity check if baseImage history is null

* build, commit: allow disabling image history with --omit-history

* buildkit: supports additionalBuildContext in builds via --build-context

* Add --cpp-flag flag to buildah build

Update to version 1.26.3:

* define.downloadToDirectory: fail early if bad HTTP response

* add: fail on bad http response instead of writing to container

* squash: never use build cache when computing last step of last stage

* run: allow resuing secret twice in different RUN steps

* integration tests: update expected error messages

* integration tests: quote '?' in shell scripts

* Use errors.Is() to check for storage errors* lint: inspectable is never nil

* chroot: use ActKillThread instead of ActKill

* chroot: honor DefaultErrnoRet

* Set user namespace defaults correctly for the library

* contrib/rpm/buildah.spec: fix `rpm` parser warnings

Drop requires on apparmor pattern, should be moved elsewhere

for systems which want AppArmor instead of SELinux.

- Update BuildRequires to libassuan-devel >= 2.5.2, pkgconfig file

is required to build.

Update to version 1.26.2:

* buildah: add support for renaming a device in rootless setups

Update to version 1.26.1:

* Make `buildah build --label foo` create an empty 'foo' label again

* imagebuildah,build: move deepcopy of args before we spawn goroutine

* Vendor in containers/storage v1.40.2

* buildah.BuilderOptions.DefaultEnv is ignored, so mark it as deprecated

* help output: get more consistent about option usage text

* Handle OS version and features flags

* buildah build: --annotation and --label should remove values

* buildah build: add a --env

* buildah: deep copy options.Args before performing concurrent build/stage

* test: inline platform and builtinargs behaviour

* vendor: bump imagebuilder to master/009dbc6

* build: automatically set correct TARGETPLATFORM where expected

* Vendor in containers/(common, storage, image)

* imagebuildah, executor: process arg variables while populating baseMap

* buildkit: add support for custom build output with --output

* Cirrus: Update CI VMs to F36

* fix staticcheck linter warning for deprecated function

* Fix docs build on FreeBSD

* copier.unwrapError(): update for Go 1.16

* copier.PutOptions: add StripSetuidBit/StripSetgidBit/StripStickyBit

* copier.Put(): write to read-only directories

* Ed's periodic test cleanup

* using consistent lowercase 'invalid' word in returned err msg

* use etchosts package from c/common

* run: set actual hostname in /etc/hostname to match docker parity

* Update vendor of containers/(common,storage,image)

* manifest-create: allow creating manifest list from local image

* Update vendor of storage,common,image

* Initialize network backend before first pull

* oci spec: change special mount points for namespaces

* tests/helpers.bash: assert handle corner cases correctly

* buildah: actually use containers.conf settings

* integration tests: learn to start a dummy registry

* Fix error check to work on Podman

* buildah build should accept at most one arg

* tests: reduce concurrency for flaky bud-multiple-platform-no-run

* vendor in latest containers/common,image,storage

* manifest-add: allow override arch,variant while adding image

* Remove a stray `\` from .containerenv

* Vendor in latest opencontainers/selinux v1.10.1

* build, commit: allow removing default identity labels

* Create shorter names for containers based on image IDs

* test: skip rootless on cgroupv2 in root env

* fix hang when oci runtime fails

* Set permissions for GitHub actions

* copier test: use correct UID/GID in test archives

* run: set parent-death signals and forward SIGHUP/SIGINT/SIGTERM

1204383,CVE-2022-32221

This update for curl fixes the following issues:

- CVE-2022-32221: Fixed POST following PUT confusion (bsc#1204383).

1203911,1204137

This update for permissions fixes the following issues:

- Revert changes that replaced ping capabilities with ICMP_PROTO sockets. Older SUSE Linux Enterprise versions don't

properly support ICMP_PROTO sockets feature yet (bsc#1204137)

- Fix regression introduced by backport of security fix (bsc#1203911)

1201978,1204366,1204367,CVE-2016-3709,CVE-2022-40303,CVE-2022-40304

This update for libxml2 fixes the following issues:

- CVE-2016-3709: Fixed possible XSS vulnerability (bsc#1201978).

- CVE-2022-40303: Fixed integer overflows with XML_PARSE_HUGE (bsc#1204366).

- CVE-2022-40304: Fixed dict corruption caused by entity reference cycles (bsc#1204367).

1180995,1203046

This update for openssl-1_1 fixes the following issues:

- Default to RFC7919 groups when generating ECDH parameters using 'genpkey' or 'dhparam' in FIPS mode (bsc#1180995)

- Fix memory leaks (bsc#1203046)

This update for pam fixes the following issue:

- Update pam_motd to the most current version. (PED-1712)

1194530,1203681,1204256,CVE-2021-22569,CVE-2022-1941,CVE-2022-3171

This update for protobuf fixes the following issues:

- CVE-2021-22569: Fixed Denial of Service in protobuf-java in the parsing procedure for binary data (bsc#1194530).

- CVE-2022-1941: Fix a potential DoS issue in protobuf-cpp and protobuf-python (bsc#1203681)

- CVE-2022-3171: Fix a potential DoS issue when parsing with binary data in protobuf-java (bsc#1204256)

1203652

This update for zlib fixes the following issues:

- Fix updating strm.adler with inflate() if DFLTCC is used (bsc#1203652)

1201959,1204211

This update for util-linux fixes the following issues:

- Fix file conflict during upgrade (bsc#1204211)

- libuuid improvements (bsc#1201959, PED-1150):

libuuid: Fix range when parsing UUIDs.

Improve cache handling for short running applications-increment the cache size over runtime.

Implement continuous clock handling for time based UUIDs.

Check clock value from clock file to provide seamless libuuid.

1204179,1204968,CVE-2022-3821

This update for systemd fixes the following issues:

- CVE-2022-3821: Fixed buffer overrun in format_timespan() function (bsc#1204968).

- Import commit 56bee38fd0da18dad5fc5c5d12c02238a22b50e2

* 8a70235d8a core: Add trigger limit for path units

* 93e544f3a0 core/mount: also add default before dependency for automount mount units

* 5916a7748c logind: fix crash in logind on user-specified message string

- Document udev naming scheme (bsc#1204179).

1177460,1202324,1204649,1205156

This update for timezone fixes the following issues:

Update timezone version from 2022a to 2022f (bsc#1177460, bsc#1204649, bsc#1205156):

- Mexico will no longer observe DST except near the US border

- Chihuahua moves to year-round -06 on 2022-10-30

- Fiji no longer observes DST

- In vanguard form, GMT is now a Zone and Etc/GMT a link

- zic now supports links to links, and vanguard form uses this

- Simplify four Ontario zones

- Fix a Y2438 bug when reading TZif data

- Enable 64-bit time_t on 32-bit glibc platforms

- Omit large-file support when no longer needed

- Jordan and Syria switch from +02/+03 with DST to year-round +03

- Palestine transitions are now Saturdays at 02:00

- Simplify three Ukraine zones into one

- Improve tzselect on intercontinental Zones

- Chile's DST is delayed by a week in September 2022 (bsc#1202324)

- Iran no longer observes DST after 2022

- Rename Europe/Kiev to Europe/Kyiv

- New `zic -R` command option

- Vanguard form now uses %z

1202750

This update for rpm fixes the following issues:

- Strip critical bit in signature subpackage parsing

- No longer deadlock DNF after pubkey import (bsc#1202750)

This update for gcc12 fixes the following issues:

This update ship the GCC 12 compiler suite and its base libraries.

The compiler baselibraries are provided for all SUSE Linux Enterprise 15

versions and replace the same named GCC 11 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux

Enterprise 15 SP3 and SP4, and provided in the 'Development Tools' module.

The Go, D and Ada language compiler parts are available unsupported via the

PackageHub repositories.

To use gcc12 compilers use:

- install 'gcc12' or 'gcc12-c++' or one of the other 'gcc12-COMPILER' frontend packages.

- override your Makefile to use CC=gcc12, CXX=g++12 and similar overrides for the other languages.

For a full changelog with all new GCC12 features, check out

https://gcc.gnu.org/gcc-12/changes.html

1206337,CVE-2022-46908

This update for sqlite3 fixes the following issues:

- CVE-2022-46908: Properly implement the azProhibitedFunctions protection mechanism,

when relying on --safe for execution of an untrusted CLI script (bsc#1206337).

1200723,1203857,1204423,1205000,CVE-2022-4415

This update for systemd fixes the following issues:

- CVE-2022-4415: Fixed systemd-coredump that did not respect the fs.suid_dumpable kernel setting (bsc#1205000).

Bug fixes:

- Support by-path devlink for multipath nvme block devices (bsc#1200723).

- Set SYSTEMD_NSS_DYNAMIC_BYPASS=1 env var for dbus-daemon (bsc#1203857).

- Restrict cpu rule to x86_64, and also update the rule files to make use of the 'CONST{arch}' syntax (bsc#1204423).

1206309,CVE-2022-43552

This update for curl fixes the following issues:

- CVE-2022-43552: HTTP Proxy deny use-after-free (bsc#1206309).

1177460

This update for timezone fixes the following issues:

Version update from 2022f to 2022g (bsc#1177460):

- In the Mexican state of Chihuahua:

* The border strip near the US will change to agree with nearby US locations on 2022-11-30.

* The strip's western part, represented by Ciudad Juarez, switches from -06 all year to -07/-06 with US DST rules,

like El Paso, TX.

* The eastern part, represented by Ojinaga, will observe US DST next year, like Presidio, TX.

* A new Zone America/Ciudad_Juarez splits from America/Ojinaga.

- Much of Greenland, represented by America/Nuuk, stops observing winter time after March 2023, so its daylight saving

time becomes standard time.

- Changes for pre-1996 northern Canada

- Update to past DST transition in Colombia (1993), Singapore (1981)

- 'timegm' is now supported by default

1199467

This update for libtirpc fixes the following issues:

- Consider /proc/sys/net/ipv4/ip_local_reserved_ports, before binding to a random port (bsc#1199467)

1206579,CVE-2022-47629

This update for libksba fixes the following issues:

- CVE-2022-47629: Fixed an integer overflow vulnerability in the CRL

signature parser (bsc#1206579).

1194038,1205646

This update for util-linux fixes the following issues:

- libuuid continuous clock handling for time based UUIDs:

Prevent use of the new libuuid ABI by uuidd %post before update

of libuuid1 (bsc#1205646).

- Use chown --quiet to prevent error message if /var/lib/libuuid/clock.txt

does not exist.

- Fix tests not passing when '@' character is in build path:

Fixes rpmbuild %checks fail when @ in the directory path (bsc#1194038).

1183533,CVE-2021-28153

This update for glib2 fixes the following issues:

- CVE-2021-28153: Fixed an issue where symlink targets would be incorrectly created as empty files (bsc#1183533).

1206738

This update for permissions fixes the following issues:

Update to version 20181225:

* Backport postfix permissions to SLE 15 SP2 (bsc#1206738)

1206412

This update for procps fixes the following issues:

- Improve memory handling/usage (bsc#1206412)

- Make sure that correct library version is installed (bsc#1206412)

1203652

This update for zlib fixes the following issues:

- Follow up fix for bug bsc#1203652 due to libxml2 issues

1205126,CVE-2022-42898

This update for krb5 fixes the following issues:

- CVE-2022-42898: Fixed integer overflow in PAC parsing (bsc#1205126).

1121365,1198472,1207533,1207534,1207536,1207538,CVE-2022-4304,CVE-2022-4450,CVE-2023-0215,CVE-2023-0286

This update for openssl-1_1 fixes the following issues:

- CVE-2023-0286: Fixed X.400 address type confusion in X.509 GENERAL_NAME_cmp for x400Address (bsc#1207533).

- CVE-2023-0215: Fixed use-after-free following BIO_new_NDEF() (bsc#1207536).

- CVE-2022-4450: Fixed double free after calling PEM_read_bio_ex() (bsc#1207538).

- CVE-2022-4304: Fixed timing Oracle in RSA Decryption (bsc#1207534).

- FIPS: list only FIPS approved public key algorithms (bsc#1121365, bsc#1198472)

The following package changes have been done:

- golang-github-prometheus-node_exporter-1.3.0-150100.3.18.1 updated

- krb5-1.19.2-150300.10.1 updated

- libblkid1-2.36.2-150300.4.32.1 updated

- libcurl4-7.66.0-150200.4.45.1 updated

- libfdisk1-2.36.2-150300.4.32.1 updated

- libgcc_s1-12.2.1+git416-150000.1.5.1 updated

- libglib-2_0-0-2.62.6-150200.3.10.1 updated

- libgpg-error0-1.42-150300.9.3.1 updated

- libksba8-1.3.5-150000.4.6.1 updated

- libmount1-2.36.2-150300.4.32.1 updated

- libopenssl1_1-hmac-1.1.1d-150200.11.57.1 updated

- libopenssl1_1-1.1.1d-150200.11.57.1 updated

- libprocps7-3.3.15-150000.7.28.1 updated

- libprotobuf-lite20-3.9.2-150200.4.19.2 updated

- libsmartcols1-2.36.2-150300.4.32.1 updated

- libsqlite3-0-3.39.3-150000.3.20.1 updated

- libstdc++6-12.2.1+git416-150000.1.5.1 updated

- libsystemd0-246.16-150300.7.57.1 updated

- libtirpc-netconfig-1.2.6-150300.3.17.1 updated

- libtirpc3-1.2.6-150300.3.17.1 updated

- libudev1-246.16-150300.7.57.1 updated

- libuuid1-2.36.2-150300.4.32.1 updated

- libxml2-2-2.9.7-150000.3.51.1 updated

- libz1-1.2.11-150000.3.39.1 updated

- openssl-1_1-1.1.1d-150200.11.57.1 updated

- pam-1.3.0-150000.6.61.1 updated

- permissions-20181225-150200.23.23.1 updated

- procps-3.3.15-150000.7.28.1 updated

- rpm-ndb-4.14.3-150300.52.1 updated

- timezone-2022g-150000.75.18.1 updated

- util-linux-2.36.2-150300.4.32.1 updated

- container:sles15-image-15.0.0-17.20.107 updated

Severity
Container Advisory ID : SUSE-CU-2023:508-1
Container Tags : ses/7.1/ceph/prometheus-node-exporter:1.3.0 , ses/7.1/ceph/prometheus-node-exporter:1.3.0.3.2.359 , ses/7.1/ceph/prometheus-node-exporter:latest , ses/7.1/ceph/prometheus-node-exporter:sle15.3.pacific
Container Release : 3.2.359
Severity : important
Type : security

Related News