Alerts This Week
Warning Icon 1 537
Alerts This Week
Warning Icon 1 537

Stay Secure with the Latest Linux Advisories

Debianlts Large Esm H800
Debian LTS

Debian Dovecot High Severity Service Disruption Info Leak Flaw DLA-4617-1

Calendar White Jun 05, 2026
Important
Debianlts Large Esm H900
Debian LTS

Debian 11 gsasl Critical DoS Threat Advisory DLA-4618-1 CVE-2026-48829

Calendar White Jun 05, 2026
Critical
Suse Large Esm H900
SuSE

SUSE MozillaThunderbird Important Memory Safety Fix Advisory 2026-2271-1

Calendar White Jun 05, 2026
Important
Suse Large Esm H800
SuSE

SUSE Linux Micro 6.0 Ignition Key HTTP Transport Loop Patch 2026-21987-1

Calendar White Jun 05, 2026
Important
Suse Large Esm H900
SuSE

SUSE Linux Micro 6.0 Important Libzypp Libsolv Security Update 2026-21988-1

Calendar White Jun 05, 2026
Important
Suse Large Esm H900
SuSE

SUSE Google-Guest-Agent Important Security Update 2026-21989-1

Calendar White Jun 05, 2026
Important
Suse Large Esm H800
SuSE

SUSE Linux Micro Important Salt Multi-Linux Manager Vuln 2026-21990-1

Calendar White Jun 05, 2026
Important
Suse Large Esm H900
SuSE

SUSE Linux Micro Critical Ignition Patch CVE-2026-33814

Calendar White Jun 05, 2026
Important
Suse Large Esm H900
SuSE

SUSE Linux Micro 6.1 Security Update for libzypp libsolv Key 2026-21992-1

Calendar White Jun 05, 2026
Important
Filter Icon Refine advisories
X Clear Filters
X Clear Filters
View More

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Community Poll

More Polls

What got you started with Linux?

No answer selected. Please try again.
Please select either existing option or enter your own, however not both.
Please select minimum {0} answer(s).
Please select maximum {0} answer(s).
/main-polls/150-what-got-you-started-with-linux?task=poll.vote&format=json
150
radio
0
[{"id":483,"title":"Self-taught through trial and error","votes":548,"type":"x","order":1,"pct":78.51,"resources":[]},{"id":484,"title":"Formal training or courses","votes":30,"type":"x","order":2,"pct":4.3,"resources":[]},{"id":485,"title":"A job that required it","votes":34,"type":"x","order":3,"pct":4.87,"resources":[]},{"id":486,"title":"Other","votes":86,"type":"x","order":4,"pct":12.32,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
bottom 200
Loading...

Explore Latest Linux Security advisories

We found -6 articles for you...
89
Ls Advisories Fedora Esm H240
Price Tag 1security advisoryfedoracloud provider

Fedora 42 Rust-afterburn CVE-2026-25537 Stack Exhaustion Advisory

Update the time crate to version 0.3.47. Update the time-macros crate to version 0.2.27. Update the time-core crate to version 0.1.8. Update the num-conv crate to version 0.2.0. Update the git2 crate to version 0.20.4.. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-6388b28850 2026-02-11 00:58:02.841951+00:00 -------------------------------------------------------------------------------- Name : rust-afterburn Product : Fedora 42 Version : 5.10.0 Release : 3.fc42 URL : https://crates.io/crates/afterburn Summary : Simple cloud provider agent Description : A simple cloud provider agent. -------------------------------------------------------------------------------- Update Information: Update the time crate to version 0.3.47. Update the time-macros crate to version 0.2.27. Update the time-core crate to version 0.1.8. Update the num-conv crate to version 0.2.0. Update the git2 crate to version 0.20.4. Update the bytes crate to version 1.11.1. Additionally, this update contains rebuilds of applications affected by security advisories: bytes: RUSTSEC-2026-0007 git2: RUSTSEC-2026-0008 jsonwebtoken: CVE-2026-25537 time: RUSTSEC-2026-0009 All applications that statically link libgit2 via the git2 Rust bindings were also rebuilt against the latest version of the git2 / libgit2-sys crates to pull in fixes included in libgit2 between v1.8.1 and v1.9.2. -------------------------------------------------------------------------------- ChangeLog: * Sat Feb 7 2026 Fabio Valentini - 5.10.0-3 - Rebuild for RUSTSEC-2026-{0007,0008,0009} and CVE-2026-25537 * Sat Jan 17 2026 Fedora Release Engineering - 5.10.0-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild -------------------------------------------------------------------------------- References: [ 1 ] Bug #2437465 - CVE-2026-25537 rust-jsonwebtoken: jsonwebtoken has Type Confusion that leads topotential authorization bypass [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2437465 [ 2 ] Bug #2437467 - CVE-2026-25537 uv: jsonwebtoken has Type Confusion that leads to potential authorization bypass [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2437467 [ 3 ] Bug #2438046 - CVE-2026-25727 atuin: time affected by a stack exhaustion denial of service attack [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2438046 [ 4 ] Bug #2438075 - CVE-2026-25727 keylime-agent-rust: time affected by a stack exhaustion denial of service attack [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2438075 [ 5 ] Bug #2438077 - CVE-2026-25727 maturin: time affected by a stack exhaustion denial of service attack [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2438077 [ 6 ] Bug #2438086 - CVE-2026-25727 rustup: time affected by a stack exhaustion denial of service attack [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2438086 [ 7 ] Bug #2438091 - CVE-2026-25727 tbtools: time affected by a stack exhaustion denial of service attack [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2438091 [ 8 ] Bug #2438097 - CVE-2026-25727 tuigreet: time affected by a stack exhaustion denial of service attack [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2438097 [ 9 ] Bug #2438098 - CVE-2026-25727 uv: time affected by a stack exhaustion denial of service attack [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2438098 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-6388b28850' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by theFedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list -- This email address is being protected from spambots. You need JavaScript enabled to view it. To unsubscribe send an email to This email address is being protected from spambots. You need JavaScript enabled to view it. Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/This email address is being protected from spambots. You need JavaScript enabled to view it. Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new . Fedora 42 advisory updates Rust applications addressing CVE-2026-25537 stack exhaustion issues and more.. Fedora 42,Rust updates,CVE-2026-25537,stack exhaustion advisory,Rust application security. . Severity: Important. LinuxSecurity.com Team

Calendar 2 Feb 11, 2026 Important Fedora
100
Ls Advisories Suse Esm H240
Price Tag 1security advisorycriticalpatch

SUSE: 2022:72-1 Critical Update for OpenStack CaaS Platform

The container caasp/v4/cloud-provider-openstack was updated. The following patches have been included in this update:. SUSE Container Update Advisory: caasp/v4/cloud-provider-openstack ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2022:72-1 Container Tags : caasp/v4/cloud-provider-openstack:1.15.0 , caasp/v4/cloud-provider-openstack:1.15.0-rev3 , caasp/v4/cloud-provider-openstack:1.15.0-rev3-build2.2.472 Container Release : 2.2.472 Severity : critical Type : security References : 1027496 1029961 1029961 1040589 1047218 1050625 1078466 1084671 1106014 1113013 1122417 1125886 1134353 1141597 1146705 1153687 1154935 1157818 1158812 1158958 1158959 1158960 1159491 1159715 1159847 1159850 1160309 1160438 1160439 1161268 1162581 1164719 1167471 1169006 1171962 1172091 1172115 1172234 1172236 1172240 1172308 1172973 1172974 1173641 1174016 1174436 1174504 1174942 1175448 1175449 1175458 1175514 1175519 1175623 1176201 1177238 1177275 1177427 1177490 1177583 1177976 1178219 1178236 1178386 1178554 1178561 1178577 1178624 1178675 1178775 1178775 1178823 1178825 1178909 1178910 1178966 1179083 1179222 1179363 1179503 1179694 1179721 1179816 1179824 1179847 1179909 1180020 1180038 1180064 1180073 1180077 1180083 1180138 1180225 1180596 1180603 1180603 1180603 1180663 1180721 1180851 1180885 1180995 1181011 1181328 1181443 1181505 1181622 1181831 1181874 1181976 1182016 1182117 1182279 1182328 1182331 1182333 1182362 1182372 1182408 1182411 1182412 1182413 1182415 1182416 1182417 1182418 1182419 1182420 1182604 1182629 1182791 1182936 11830641183085 1183094 1183268 1183370 1183371 1183456 1183457 1183589 1183628 1183791 1183797 1183933 1184326 1184358 1184399 1184401 1184435 1184614 1184614 1184690 1184761 1184967 1184994 1184994 1184997 1184997 1185016 1185046 1185163 1185239 1185325 1185331 1185408 1185408 1185409 1185409 1185410 1185410 1185417 1185438 1185524 1185540 1185562 1185698 1185807 1185958 1186015 1186049 1186114 1186447 1186489 1186503 1186602 1186910 1187060 1187153 1187210 1187212 1187224 1187270 1187273 1187292 1187400 1187425 1187466 1187512 1187654 1187738 1187760 1187911 1187993 1188018 1188063 1188063 1188156 1188217 1188218 1188219 1188220 1188291 1188344 1188435 1188571 1188623 1188713 1188921 1189031 1189206 1189465 1189465 1189480 1189521 1189521 1189683 1189803 1189929 1189996 1190052 1190059 1190199 1190234 1190325 1190356 1190373 1190374 1190440 1190465 1190645 1190712 1190739 1190793 1190815 1190915 1190933 1190984 1191252 1191286 1191324 1191370 1191563 1191609 1191987 1192161 1192248 1192337 1192436 1192688 1192717 1192790 1193480 1193481 1193488 1193521 928700 928701 954813 CVE-2015-3414 CVE-2015-3415 CVE-2016-10228 CVE-2017-9271 CVE-2019-19244 CVE-2019-19317 CVE-2019-19603 CVE-2019-19645 CVE-2019-19646 CVE-2019-19880 CVE-2019-19923 CVE-2019-19924 CVE-2019-19925 CVE-2019-19926 CVE-2019-19959 CVE-2019-20218 CVE-2019-20838 CVE-2019-25013 CVE-2020-13434 CVE-2020-13435 CVE-2020-13630 CVE-2020-13631 CVE-2020-13632 CVE-2020-14155 CVE-2020-15358 CVE-2020-24370 CVE-2020-24371 CVE-2020-25709 CVE-2020-25710 CVE-2020-27618 CVE-2020-29361 CVE-2020-29562 CVE-2020-29573 CVE-2020-36221 CVE-2020-36222 CVE-2020-36223 CVE-2020-36224 CVE-2020-36225 CVE-2020-36226 CVE-2020-36227 CVE-2020-36228 CVE-2020-36229 CVE-2020-36230 CVE-2020-9327 CVE-2021-20231 CVE-2021-20232 CVE-2021-20305 CVE-2021-22876 CVE-2021-22898 CVE-2021-22922 CVE-2021-22923 CVE-2021-22924 CVE-2021-22925 CVE-2021-22946 CVE-2021-22947 CVE-2021-23840 CVE-2021-23841 CVE-2021-24031 CVE-2021-24032 CVE-2021-27212 CVE-2021-27218 CVE-2021-27219 CVE-2021-3326 CVE-2021-33560 CVE-2021-33574 CVE-2021-33910 CVE-2021-33910 CVE-2021-3516 CVE-2021-3516 CVE-2021-3517 CVE-2021-3517 CVE-2021-3518 CVE-2021-3518 CVE-2021-3520 CVE-2021-3537 CVE-2021-3541 CVE-2021-3580 CVE-2021-35942 CVE-2021-36222 CVE-2021-3712 CVE-2021-3712 CVE-2021-37600 CVE-2021-37750 CVE-2021-38185 CVE-2021-38185 CVE-2021-39537 CVE-2021-43618 ----------------------------------------------------------------- The container caasp/v4/cloud-provider-openstack was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3853-1 Released: Wed Dec 16 12:27:27 2020 Summary: Recommended update for util-linux Type: recommended Severity: moderate References: 1084671,1169006,1174942,1175514,1175623,1178554,1178825 This update for util-linux fixes the following issue: - Do not trigger the automatic close of CDROM. (bsc#1084671) - Try to automatically configure broken serial lines. (bsc#1175514) - Avoid `sulogin` failing on not existing or not functional console devices. (bsc#1175514) - Build with `libudev` support to support non-root users. (bsc#1169006) - Avoid memory errors on PowerPC systems with valid hardwareconfigurations. (bsc#1175623, bsc#1178554, bsc#1178825) - Fix warning on mounts to `CIFS` with mount –a. (bsc#1174942) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3942-1 Released: Tue Dec 29 12:22:01 2020 Summary: Recommended update for libidn2 Type: recommended Severity: moderate References: 1180138 This update for libidn2 fixes the following issues: - The library is actually dual licensed, GPL-2.0-or-later or LGPL-3.0-or-later, adjusted the RPM license tags (bsc#1180138) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3943-1 Released: Tue Dec 29 12:24:45 2020 Summary: Recommended update for libxml2 Type: recommended Severity: moderate References: 1178823 This update for libxml2 fixes the following issues: Avoid quadratic checking of identity-constraints, speeding up XML validation (bsc#1178823) * key/unique/keyref schema attributes currently use quadratic loops to check their various constraints (that keys are unique and that keyrefs refer to existing keys). * This fix uses a hash table to avoid the quadratic behaviour. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:129-1 Released: Thu Jan 14 12:26:15 2021 Summary: Security update for openldap2 Type: security Severity: moderate References: 1178909,1179503,CVE-2020-25709,CVE-2020-25710 This update for openldap2 fixes the following issues: Security issues fixed: - CVE-2020-25709: Fixed a crash caused by specially crafted network traffic (bsc#1178909). - CVE-2020-25710: Fixed a crash caused by specially crafted network traffic (bsc#1178909). Non-security issue fixed: - Retry binds in the LDAP backend when the remote LDAP server disconnected the (idle) LDAP connection. (bsc#1179503) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:220-1 Released: Tue Jan 26 14:00:51 2021 Summary: Recommended update forkeyutils Type: recommended Severity: moderate References: 1180603 This update for keyutils fixes the following issues: - Adjust the library license to be LPGL-2.1+ only (the tools are GPL2+, the library is just LGPL-2.1+) (bsc#1180603) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:233-1 Released: Wed Jan 27 12:15:33 2021 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1141597,1174436,1175458,1177490,1179363,1179824,1180225 This update for systemd fixes the following issues: - Added a timestamp to the output of the busctl monitor command (bsc#1180225) - Fixed a NULL pointer dereference bug when attempting to close the journal file handle (bsc#1179824) - Improved the caching of cgroups member mask (bsc#1175458) - Fixed the dependency definition of sound.target (bsc#1179363) - Fixed a bug that could lead to a potential error, when daemon-reload is called between StartTransientUnit and scope_start() (bsc#1174436) - time-util: treat /etc/localtime missing as UTC (bsc#1141597) - Removed mq-deadline selection from 60-io-scheduler.rules (bsc#1177490) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:265-1 Released: Mon Feb 1 15:06:45 2021 Summary: Recommended update for systemd Type: recommended Severity: important References: 1178775,1180885 This update for systemd fixes the following issues: - Fix for udev creating '/dev/disk/by-label' symlink for 'LUKS2' to avoid mount issues. (bsc#1180885, #8998)) - Fix for an issue when container start causes interference in other containers. (bsc#1178775) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:293-1 Released: Wed Feb 3 12:52:34 2021 Summary: Recommended update for gmp Type: recommended Severity: moderate References: 1180603 This update for gmp fixes the following issues: - correct license statements of packages (library itselfis no GPL-3.0) (bsc#1180603) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:305-1 Released: Thu Feb 4 15:00:37 2021 Summary: Recommended update for libprotobuf Type: recommended Severity: moderate References: libprotobuf was updated to fix: - ship the libprotobuf-lite15 on the base products. (jsc#ECO-2911) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:307-1 Released: Fri Feb 5 05:30:34 2021 Summary: Recommended update for libselinux Type: recommended Severity: low References: 1180603 This update for libselinux fixes the following issues: - Corrected the license to public domain (bsc#1180603) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2021:339-1 Released: Mon Feb 8 13:16:07 2021 Summary: Optional update for pam Type: optional Severity: low References: This update for pam fixes the following issues: - Added rpm macros for this package, so that other packages can make use of it This patch is optional to be installed - it doesn't fix any bugs. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:653-1 Released: Fri Feb 26 19:53:43 2021 Summary: Security update for glibc Type: security Severity: important References: 1178386,1179694,1179721,1180038,1181505,1182117,CVE-2019-25013,CVE-2020-27618,CVE-2020-29562,CVE-2020-29573,CVE-2021-3326 This update for glibc fixes the following issues: - Fix buffer overrun in EUC-KR conversion module (CVE-2019-25013, bsc#1182117, BZ #24973) - x86: Harden printf against non-normal long double values (CVE-2020-29573, bsc#1179721, BZ #26649) - gconv: Fix assertion failure in ISO-2022-JP-3 module (CVE-2021-3326, bsc#1181505, BZ #27256) - iconv: Accept redundant shift sequences in IBM1364 (CVE-2020-27618, bsc#1178386, BZ #26224) - iconv: Fix incorrect UCS4 inner loop bounds (CVE-2020-29562, bsc#1179694, BZ #26923) - Fix parsing of/sys/devices/system/cpu/online (bsc#1180038, BZ #25859) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:723-1 Released: Mon Mar 8 16:45:27 2021 Summary: Security update for openldap2 Type: security Severity: important References: 1182279,1182408,1182411,1182412,1182413,1182415,1182416,1182417,1182418,1182419,1182420,CVE-2020-36221,CVE-2020-36222,CVE-2020-36223,CVE-2020-36224,CVE-2020-36225,CVE-2020-36226,CVE-2020-36227,CVE-2020-36228,CVE-2020-36229,CVE-2020-36230,CVE-2021-27212 This update for openldap2 fixes the following issues: - bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the X.509 DN parsing in decode.c ber_next_element, resulting in denial of service. - bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN parsing in ad_keystring, resulting in denial of service. - bsc#1182412 CVE-2020-36228 - integer underflow leading to crash in the Certificate List Exact Assertion processing, resulting in denial of service. - bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the cancel_extop Cancel operation, resulting in denial of service. - bsc#1182416 CVE-2020-36225 - double free and slapd crash in the saslAuthzTo processing, resulting in denial of service. - bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash in the saslAuthzTo processing, resulting in denial of service. - bsc#1182415 CVE-2020-36226 - memch-> bv_len miscalculation and slapd crash in the saslAuthzTo processing, resulting in denial of service. - bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the saslAuthzTo validation, resulting in denial of service. - bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact Assertion processing, resulting in denial of service (schema_init.c serialNumberAndIssuerCheck). - bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter control handling, resulting in denial of service (double free and out-of-bounds read). - bsc#1182279 CVE-2021-27212 -an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:753-1 Released: Tue Mar 9 17:09:57 2021 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1182331,1182333,CVE-2021-23840,CVE-2021-23841 This update for openssl-1_1 fixes the following issues: - CVE-2021-23840: Fixed an Integer overflow in CipherUpdate (bsc#1182333) - CVE-2021-23841: Fixed a Null pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:786-1 Released: Mon Mar 15 11:19:23 2021 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1176201 This update for zlib fixes the following issues: - Fixed hw compression on z15 (bsc#1176201) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:890-1 Released: Fri Mar 19 15:51:41 2021 Summary: Security update for glib2 Type: security Severity: important References: 1182328,1182362,CVE-2021-27218,CVE-2021-27219 This update for glib2 fixes the following issues: - CVE-2021-27218: g_byte_array_new_take takes a gsize as length but stores in a guint, this patch will refuse if the length is larger than guint. (bsc#1182328) - CVE-2021-27219: g_memdup takes a guint as parameter and sometimes leads into an integer overflow, so add a g_memdup2 function which uses gsize to replace it. (bsc#1182362) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:924-1 Released: Tue Mar 23 10:00:49 2021 Summary: Recommended update for filesystem Type: recommended Severity: moderate References: 1078466,1146705,1175519,1178775,1180020,1180083,1180596,1181011,1181831,1183094 This update for filesystem the following issues: - Remove duplicate line due to merge error - Add fix for 'mesa' creating cache with perm 0700. (bsc#1181011) - Fixed an issue causing failure during installation/upgrade a failure. (rh#1548403) (bsc#1146705) - Allows to override config to add cleanup options of '/var/tmp'. (bsc#1078466) - Create config to cleanup '/tmp' regular required with 'tmpfs'. (bsc#1175519) This update for systemd fixes the following issues: - Fix for a possible memory leak. (bsc#1180020) - Fix for a case when to a bind mounted directory results inactive mount units. (#7811) (bsc#1180596) - Fixed an issue when starting a container conflicts with another one. (bsc#1178775) - Drop most of the tmpfiles that deal with generic paths and avoid warnings. (bsc#1078466, bsc#1181831) - Don't use shell redirections when calling a rpm macro. (bsc#1183094) - 'systemd' requires 'aaa_base' > = 13.2. (bsc#1180083) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:934-1 Released: Wed Mar 24 12:18:21 2021 Summary: Security update for gnutls Type: security Severity: important References: 1183456,1183457,CVE-2021-20231,CVE-2021-20232 This update for gnutls fixes the following issues: - CVE-2021-20232: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183456). - CVE-2021-20231: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183457). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:948-1 Released: Wed Mar 24 14:31:34 2021 Summary: Security update for zstd Type: security Severity: moderate References: 1183370,1183371,CVE-2021-24031,CVE-2021-24032 This update for zstd fixes the following issues: - CVE-2021-24031: Added read permissions to files while being compressed or uncompressed(bsc#1183371). - CVE-2021-24032: Fixed a race condition which could have allowed an attacker to access world-readable destination file (bsc#1183370). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:956-1 Released: Thu Mar 25 19:19:02 2021 Summary: Security update for libzypp, zypper Type: security Severity: moderate References: 1050625,1174016,1177238,1177275,1177427,1177583,1178910,1178966,1179083,1179222,1179816,1179847,1179909,1180077,1180663,1180721,1181328,1181622,1182629,CVE-2017-9271 This update for libzypp, zypper fixes the following issues: Update zypper to version 1.14.43: - doc: give more details about creating versioned package locks (bsc#1181622) - man: Document synonymously used patch categories (bsc#1179847) - Fix source-download commands help (bsc#1180663) - man: Recommend to use the --non-interactive global option rather than the command option -y (bsc#1179816) - Extend apt packagemap (fixes #366) - --quiet: Fix install summary to write nothing if there's nothing todo (bsc#1180077) - Prefer /run over /var/run. Update libzypp to 17.25.8: - Try to provide a mounted /proc in --root installs (bsc#1181328) Some systemd tools require /proc to be mounted and fail if it's not there. - Enable release packages to request a releaxed suse/opensuse vendorcheck in dup when migrating. (bsc#1182629) - Patch: Identify well-known category names (bsc#1179847) This allows to use the RH and SUSE patch categrory names synonymously: (recommended = bugfix) and (optional = feature = enhancement). - Add missing includes for GCC 11 compatibility. - Fix %posttrans script execution (fixes #265) The scripts are execuable. No need to call them through 'sh -c'. - Commit: Fix rpmdb compat symlink in case rpm got removed. - Repo: Allow multiple baseurls specified on one line (fixes #285) - Regex: Fix memory leak and undefined behavior. - Add rpm buildrequires for test suite (fixes #279) - Use rpmdb2solv new -D switch to tell the location ob the rpmdatabase to use. - CVE-2017-9271: Fixed information leak in the log file (bsc#1050625 bsc#1177583) - RepoManager: Force refresh if repo url has changed (bsc#1174016) - RepoManager: Carefully tidy up the caches. Remove non-directory entries. (bsc#1178966) - RepoInfo: ignore legacy type= in a .repo file and let RepoManager probe (bsc#1177427). - RpmDb: If no database exists use the _dbpath configured in rpm. Still makes sure a compat symlink at /var/lib/rpm exists in case the configures _dbpath is elsewhere. (bsc#1178910) - Fixed update of gpg keys with elongated expire date (bsc#1179222) - needreboot: remove udev from the list (bsc#1179083) - Fix lsof monitoring (bsc#1179909) - Rephrase solver problem descriptions (jsc#SLE-8482) - Adapt to changed gpg2/libgpgme behavior (bsc#1180721) - Multicurl backend breaks with with unknown filesize (fixes #277) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1004-1 Released: Thu Apr 1 15:07:09 2021 Summary: Recommended update for libcap Type: recommended Severity: moderate References: 1180073 This update for libcap fixes the following issues: - Added support for the ambient capabilities (jsc#SLE-17092, jsc#ECO-3460) - Changed the license tag from 'BSD-3-Clause and GPL-2.0' to 'BSD-3-Clause OR GPL-2.0-only' (bsc#1180073) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1141-1 Released: Mon Apr 12 13:13:36 2021 Summary: Recommended update for openldap2 Type: recommended Severity: low References: 1182791 This update for openldap2 fixes the following issues: - Improved the proxy connection timeout options to prune connections properly (bsc#1182791) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1169-1 Released: Tue Apr 13 15:01:42 2021 Summary: Recommended update for procps Type: recommended Severity: low References: 1181976 This update for procps fixes the following issues: -Corrected a statement in the man page about processor pinning via taskset (bsc#1181976) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2021:1296-1 Released: Wed Apr 21 14:09:28 2021 Summary: Optional update for e2fsprogs Type: optional Severity: low References: 1183791 This update for e2fsprogs fixes the following issues: - Fixed an issue when building e2fsprogs (bsc#1183791) This patch does not fix any user visible issues and is therefore optional to install. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1297-1 Released: Wed Apr 21 14:10:10 2021 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1178219 This update for systemd fixes the following issues: - Improved the logs emitted by systemd-shutdown during the shutdown process, when applications cannot be stopped properly and would leave mount points mounted. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1407-1 Released: Wed Apr 28 15:49:02 2021 Summary: Recommended update for libcap Type: recommended Severity: important References: 1184690 This update for libcap fixes the following issues: - Add explicit dependency on 'libcap2' with version to 'libcap-progs' and 'pam_cap'. (bsc#1184690) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1412-1 Released: Wed Apr 28 17:09:28 2021 Summary: Security update for libnettle Type: security Severity: important References: 1184401,CVE-2021-20305 This update for libnettle fixes the following issues: - CVE-2021-20305: Fixed the multiply function which was being called with out-of-range scalars (bsc#1184401). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1523-1 Released: Wed May 5 18:24:20 2021 Summary: Security update for libxml2 Type: security Severity: moderate References: 1185408,1185409,1185410,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518 This update for libxml2 fixes the following issues: - CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408). - CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410). - CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1527-1 Released: Thu May 6 08:58:53 2021 Summary: Recommended update for bash Type: recommended Severity: important References: 1183064 This update for bash fixes the following issues: - Fixed a segmentation fault that used to occur when bash read a history file that was malformed in a very specific way. (bsc#1183064) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1543-1 Released: Fri May 7 15:16:32 2021 Summary: Recommended update for patterns-microos Type: recommended Severity: moderate References: 1184435 This update for patterns-microos provides the following fix: - Require the libvirt-daemon-qemu package and include the needed dependencies in the product. (bsc#1184435) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1549-1 Released: Mon May 10 13:48:00 2021 Summary: Recommended update for procps Type: recommended Severity: moderate References: 1185417 This update for procps fixes the following issues: - Support up to 2048 CPU as well. (bsc#1185417) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1565-1 Released: Tue May 11 14:20:04 2021 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1185163 This update for krb5 fixes the following issues: - Use '/run' instead of '/var/run' for daemon PID files.(bsc#1185163); ----------------------------------------------------------------- Advisory ID: SUSE-OU-2021:1592-1 Released: Wed May 12 13:47:41 2021 Summary: Optional update for sed Type: optional Severity: low References: 1183797 This update for sed fixes the following issues: - Fixed a building issue with glibc-2.31 (bsc#1183797). This patch is optional to install. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1602-1 Released: Thu May 13 16:35:19 2021 Summary: Recommended update for libsolv, libzypp Type: recommended Severity: moderate References: 1180851,1181874,1182936,1183628,1184997,1185239 This update for libsolv and libzypp fixes the following issues: libsolv: Upgrade from version 0.7.17 to version 0.7.19 - Fix rare segfault in `resolve_jobrules()` that could happen if new rules are learned. - Fix memory leaks in error cases - Fix error handling in `solv_xfopen_fd()` - Fix regex code on win32 - fixed memory leak in choice rule generation - `repo_add_conda`: add a flag to skip version 2 packages. libzypp: Upgrade from version 17.25.8 to version 17.25.10 - Properly handle permission denied when providing optional files. (bsc#1185239) - Fix service detection with `cgroupv2`. (bsc#1184997) - Add missing includes for GCC 11. (bsc#1181874) - Fix unsafe usage of static in media verifier. - `Solver`: Avoid segfault if no system is loaded. (bsc#1183628) - `MediaVerifier`: Relax media set verification in case of a single not-volatile medium. (bsc#1180851) - Do no cleanup in custom cache dirs. (bsc#1182936) - `ZConfig`: let `pubkeyCachePath` follow `repoCachePath`. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1612-1 Released: Fri May 14 17:09:39 2021 Summary: Recommended update for openldap2 Type: recommended Severity: moderate References: 1184614 This update for openldap2 fixes the following issue: - Provide `openldap2-contrib` to the modules SUSE LinuxEnterprise Legacy 15-SP2 and 15-SP3. (bsc#1184614) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1643-1 Released: Wed May 19 13:51:48 2021 Summary: Recommended update for pam Type: recommended Severity: important References: 1181443,1184358,1185562 This update for pam fixes the following issues: - Fixed a bug, where the 'unlimited'/'-1' value was not interpreted correctly (bsc#1181443) - Fixed a bug, where pam_access interpreted the keyword 'LOCAL' incorrectly, leading to an attempt to resolve it as a hostname (bsc#1184358) - In the 32-bit compatibility package for 64-bit architectures, require 'systemd-32bit' to be also installed as it contains pam_systemd.so for 32 bit applications. (bsc#1185562) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1647-1 Released: Wed May 19 13:59:12 2021 Summary: Security update for lz4 Type: security Severity: important References: 1185438,CVE-2021-3520 This update for lz4 fixes the following issues: - CVE-2021-3520: Fixed memory corruption due to an integer overflow bug caused by memmove argument (bsc#1185438). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1654-1 Released: Wed May 19 16:43:36 2021 Summary: Security update for libxml2 Type: security Severity: important References: 1185408,1185409,1185410,1185698,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518,CVE-2021-3537 This update for libxml2 fixes the following issues: - CVE-2021-3537: NULL pointer dereference in valid.c:xmlValidBuildAContentModel (bsc#1185698) - CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408). - CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410). - CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409). ----------------------------------------------------------------- Advisory ID:SUSE-SU-2021:1809-1 Released: Mon May 31 16:24:59 2021 Summary: Security update for curl Type: security Severity: moderate References: 1177976,1183933,1186114,CVE-2021-22876,CVE-2021-22898 This update for curl fixes the following issues: - CVE-2021-22876: Fixed an issue where the automatic referer was leaking credentials (bsc#1183933). - CVE-2021-22898: Fixed curl TELNET stack contents disclosure (bsc#1186114). - Fix for SFTP uploads when it results in empty uploaded files (bsc#1177976). - Allow partial chain verification (jsc#SLE-17956). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1861-1 Released: Fri Jun 4 09:59:40 2021 Summary: Recommended update for gcc10 Type: recommended Severity: moderate References: 1029961,1106014,1178577,1178624,1178675,1182016 This update for gcc10 fixes the following issues: - Disable nvptx offloading for aarch64 again since it doesn't work - Fixed a build failure issue. (bsc#1182016) - Fix for memory miscompilation on 'aarch64'. (bsc#1178624, bsc#1178577) - Fix 32bit 'libgnat.so' link. (bsc#1178675) - prepare usrmerge: Install libgcc_s into %_libdir. ABI wise it stays /%lib. (bsc#1029961) - Build complete set of multilibs for arm-none target. (bsc#1106014) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1917-1 Released: Wed Jun 9 14:48:05 2021 Summary: Security update for libxml2 Type: security Severity: moderate References: 1186015,CVE-2021-3541 This update for libxml2 fixes the following issues: - CVE-2021-3541: Fixed exponential entity expansion attack bypasses all existing protection mechanisms. (bsc#1186015) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1953-1 Released: Thu Jun 10 16:18:50 2021 Summary: Recommended update for gpg2 Type: recommended Severity: moderate References: 1161268,1172308 This update for gpg2 fixes the following issues: - Fixed an issuewhere the gpg-agent's ssh-agent does not handle flags in signing requests properly (bsc#1161268 and bsc#1172308). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:2143-1 Released: Wed Jun 23 16:27:04 2021 Summary: Security update for libnettle Type: security Severity: important References: 1187060,CVE-2021-3580 This update for libnettle fixes the following issues: - CVE-2021-3580: Fixed a remote denial of service in the RSA decryption via manipulated ciphertext (bsc#1187060). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:2157-1 Released: Thu Jun 24 15:40:14 2021 Summary: Security update for libgcrypt Type: security Severity: important References: 1187212,CVE-2021-33560 This update for libgcrypt fixes the following issues: - CVE-2021-33560: Fixed a side-channel against ElGamal encryption, caused by missing exponent blinding (bsc#1187212). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:2173-1 Released: Mon Jun 28 14:59:45 2021 Summary: Recommended update for automake Type: recommended Severity: moderate References: 1040589,1047218,1182604,1185540,1186049 This update for automake fixes the following issues: - Implement generated autoconf makefiles reproducible (bsc#1182604) - Add fix to avoid date variations in docs. (bsc#1047218, jsc#SLE-17848) - Avoid bashisms in test-driver script. (bsc#1185540) This update for pcre fixes the following issues: - Do not run profiling 'check' in parallel to make package build reproducible. (bsc#1040589) This update for brp-check-suse fixes the following issues: - Add fixes to support reproducible builds. (bsc#1186049) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:2196-1 Released: Tue Jun 29 09:41:39 2021 Summary: Security update for lua53 Type: security Severity: moderate References: 1175448,1175449,CVE-2020-24370,CVE-2020-24371 This update for lua53 fixes the following issues: Update to version 5.3.6: - CVE-2020-24371: lgc.c mishandles the interaction between barriers and the sweep phase, leading to a memory access violation involving collectgarbage (bsc#1175449) - CVE-2020-24370: ldebug.c allows a negation overflow and segmentation fault in getlocal and setlocal (bsc#1175448) - Long brackets with a huge number of '=' overflow some internal buffer arithmetic. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:2205-1 Released: Wed Jun 30 09:17:41 2021 Summary: Recommended update for openldap2 Type: recommended Severity: important References: 1187210 This update for openldap2 fixes the following issues: - Resolve issues in the idle / connection 'TTL' timeout implementation in OpenLDAP. (bsc#1187210) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:2246-1 Released: Mon Jul 5 15:17:49 2021 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1154935,1167471,1178561,1184761,1184967,1185046,1185331,1185807,1185958,1187292,1187400 This update for systemd fixes the following issues: cgroup: Parse infinity properly for memory protections. (bsc#1167471) cgroup: Make empty assignments reset to default. (bsc#1167471) cgroup: Support 0-value for memory protection directives. (bsc#1167471) core/cgroup: Fixed an issue with ignored parameter of 'MemorySwapMax=0'. (bsc#1154935) bus-unit-util: Add proper 'MemorySwapMax' serialization. core: Accept MemorySwapMax= properties that are scaled. execute: Make sure to call into PAM after initializing resource limits. (bsc#1184967) core: Rename 'ShutdownWatchdogSec' to 'RebootWatchdogSec'. (bsc#1185331) Return -EAGAIN instead of -EALREADY from unit_reload. (bsc#1185046) rules: Don't ignore Xen virtual interfaces anymore. (bsc#1178561) write_net_rules: Set execute bits. (bsc#1178561) udev: Rework network device renaming. Revert 'Revert 'udev: Network device renaming - immediately give up if the target name isn't available' mount-util: tape over name_to_handle_at() flakiness (#7517) (bsc#1184761) core: fix output (logging) for mount units (#7603) (bsc#1187400) udev requires systemd in its %post (bsc#1185958) cgroup: Parse infinity properly for memory protections (bsc#1167471) cgroup: Make empty assignments reset to default (bsc#1167471) cgroup: Support 0-value for memory protection directives (bsc#1167471) Create /run/lock/subsys again (bsc#1187292) The creation of this directory was mistakenly dropped when 'filesystem' package took the initialization of the generic paths over. Expect 644 permissions for /usr/lib/udev/compat-symlink-generation (bsc#1185807) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:2320-1 Released: Wed Jul 14 17:01:06 2021 Summary: Security update for sqlite3 Type: security Severity: important References: 1157818,1158812,1158958,1158959,1158960,1159491,1159715,1159847,1159850,1160309,1160438,1160439,1164719,1172091,1172115,1172234,1172236,1172240,1173641,928700,928701,CVE-2015-3414,CVE-2015-3415,CVE-2019-19244,CVE-2019-19317,CVE-2019-19603,CVE-2019-19645,CVE-2019-19646,CVE-2019-19880,CVE-2019-19923,CVE-2019-19924,CVE-2019-19925,CVE-2019-19926,CVE-2019-19959,CVE-2019-20218,CVE-2020-13434,CVE-2020-13435,CVE-2020-13630,CVE-2020-13631,CVE-2020-13632,CVE-2020-15358,CVE-2020-9327 This update for sqlite3 fixes the following issues: - Update to version 3.36.0 - CVE-2020-15358: heap-based buffer overflow in multiSelectOrderBy due to mishandling of query-flattener optimization (bsc#1173641) - CVE-2020-9327: NULL pointer dereference and segmentation fault because of generated column optimizations in isAuxiliaryVtabOperator (bsc#1164719) - CVE-2019-20218: selectExpander in select.c proceeds with WITH stack unwinding even after a parsing error (bsc#1160439) - CVE-2019-19959:memory-management error via ext/misc/zipfile.c involving embedded '\0' input (bsc#1160438) - CVE-2019-19923: improper handling of certain uses of SELECT DISTINCT in flattenSubquery may lead to null pointer dereference (bsc#1160309) - CVE-2019-19924: improper error handling in sqlite3WindowRewrite() (bsc#1159850) - CVE-2019-19925: improper handling of NULL pathname during an update of a ZIP archive (bsc#1159847) - CVE-2019-19926: improper handling of certain errors during parsing multiSelect in select.c (bsc#1159715) - CVE-2019-19880: exprListAppendList in window.c allows attackers to trigger an invalid pointer dereference (bsc#1159491) - CVE-2019-19603: during handling of CREATE TABLE and CREATE VIEW statements, does not consider confusion with a shadow table name (bsc#1158960) - CVE-2019-19646: pragma.c mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns (bsc#1158959) - CVE-2019-19645: alter.c allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements (bsc#1158958) - CVE-2019-19317: lookupName in resolve.c omits bits from the colUsed bitmask in the case of a generated column, which allows attackers to cause a denial of service (bsc#1158812) - CVE-2019-19244: sqlite3,sqlite2,sqlite: The function sqlite3Select in select.c allows a crash if a sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage (bsc#1157818) - CVE-2015-3415: sqlite3VdbeExec comparison operator vulnerability (bsc#928701) - CVE-2015-3414: sqlite3,sqlite2: dequoting of collation-sequence names (bsc#928700) - CVE-2020-13434: integer overflow in sqlite3_str_vappendf (bsc#1172115) - CVE-2020-13630: (bsc#1172234: use-after-free in fts3EvalNextRow - CVE-2020-13631: virtual table allowed to be renamed to one of its shadow tables (bsc#1172236) - CVE-2020-13632: NULL pointer dereference via crafted matchinfo() query (bsc#1172240) - CVE-2020-13435: Malicious SQL statements could have crashedthe process that is running SQLite (bsc#1172091) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:2404-1 Released: Tue Jul 20 14:21:30 2021 Summary: Security update for systemd Type: security Severity: moderate References: 1184994,1188063,CVE-2021-33910 This update for systemd fixes the following issues: - CVE-2021-33910: Fixed a denial of service in systemd via unit_name_path_escape() (bsc#1188063) - Skip udev rules if 'elevator=' is used (bsc#1184994) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:2440-1 Released: Wed Jul 21 13:48:24 2021 Summary: Security update for curl Type: security Severity: moderate References: 1188217,1188218,1188219,1188220,CVE-2021-22922,CVE-2021-22923,CVE-2021-22924,CVE-2021-22925 This update for curl fixes the following issues: - CVE-2021-22925: TELNET stack contents disclosure again. (bsc#1188220) - CVE-2021-22924: Bad connection reuse due to flawed path name checks. (bsc#1188219) - CVE-2021-22923: Insufficiently Protected Credentials. (bsc#1188218) - CVE-2021-22922: Wrong content via metalink not discarded. (bsc#1188217) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:2689-1 Released: Mon Aug 16 10:54:52 2021 Summary: Security update for cpio Type: security Severity: important References: 1189206,CVE-2021-38185 This update for cpio fixes the following issues: It was possible to trigger Remote code execution due to a integer overflow (CVE-2021-38185, bsc#1189206) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:2763-1 Released: Tue Aug 17 17:16:22 2021 Summary: Recommended update for cpio Type: recommended Severity: critical References: 1189465 This update for cpio fixes the following issues: - A regression in last update would cause builds to hang on various architectures(bsc#1189465) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:2780-1 Released: Thu Aug 19 16:09:15 2021 Summary: Recommended update for cpio Type: recommended Severity: critical References: 1189465,CVE-2021-38185 This update for cpio fixes the following issues: - A regression in the previous update could lead to crashes (bsc#1189465) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:2800-1 Released: Fri Aug 20 10:43:04 2021 Summary: Security update for krb5 Type: security Severity: important References: 1188571,CVE-2021-36222 This update for krb5 fixes the following issues: - CVE-2021-36222: Fixed KDC null deref on bad encrypted challenge. (bsc#1188571) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:2831-1 Released: Tue Aug 24 16:20:45 2021 Summary: Security update for openssl-1_1 Type: security Severity: important References: 1189521,CVE-2021-3712 This update for openssl-1_1 fixes the following security issue: - CVE-2021-3712: a bug in the code for printing certificate details could lead to a buffer overrun that a malicious actor could exploit to crash the application, causing a denial-of-service attack. [bsc#1189521] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:2938-1 Released: Fri Sep 3 09:19:36 2021 Summary: Recommended update for openldap2 Type: recommended Severity: moderate References: 1184614 This update for openldap2 fixes the following issue: - openldap2-contrib is shipped to the Legacy Module. (bsc#1184614) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:2968-1 Released: Tue Sep 7 09:53:00 2021 Summary: Security update for openssl-1_1 Type: security Severity: low References: 1189521,CVE-2021-3712 This update for openssl-1_1 fixes the following issues: - CVE-2021-3712: This is an update forthe incomplete fix for CVE-2021-3712. Read buffer overruns processing ASN.1 strings (bsc#1189521). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3001-1 Released: Thu Sep 9 15:08:13 2021 Summary: Recommended update for netcfg Type: recommended Severity: moderate References: 1189683 This update for netcfg fixes the following issues: - add submissions port/protocol to services file for message submission over TLS protocol [bsc#1189683] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3182-1 Released: Tue Sep 21 17:04:26 2021 Summary: Recommended update for file Type: recommended Severity: moderate References: 1189996 This update for file fixes the following issues: - Fixes exception thrown by memory allocation problem (bsc#1189996) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:3297-1 Released: Wed Oct 6 16:53:29 2021 Summary: Security update for curl Type: security Severity: moderate References: 1190373,1190374,CVE-2021-22946,CVE-2021-22947 This update for curl fixes the following issues: - CVE-2021-22947: Fixed STARTTLS protocol injection via MITM (bsc#1190374). - CVE-2021-22946: Fixed protocol downgrade required TLS bypassed (bsc#1190373). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:3348-1 Released: Tue Oct 12 13:08:06 2021 Summary: Security update for systemd Type: security Severity: moderate References: 1134353,1171962,1184994,1188018,1188063,1188291,1188713,1189480,1190234,CVE-2021-33910 This update for systemd fixes the following issues: - CVE-2021-33910: Fixed use of strdupa() on a path (bsc#1188063). - logind: terminate cleanly on SIGTERM/SIGINT (bsc#1188018). - Adopting BFQ to control I/O (jsc#SLE-21032, bsc#1134353). - Rules weren't applied to dm devices (multipath) (bsc#1188713). - Ignore obsolete 'elevator' kernel parameter (bsc#1184994,bsc#1190234). - Make sure the versions of both udev and systemd packages are always the same (bsc#1189480). - Avoid error message when udev is updated due to udev being already active when the sockets are started again (bsc#1188291). - Allow the systemd sysusers config files to be overriden during system installation (bsc#1171962). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:3385-1 Released: Tue Oct 12 15:54:31 2021 Summary: Security update for glibc Type: security Severity: moderate References: 1186489,1187911,CVE-2021-33574,CVE-2021-35942 This update for glibc fixes the following issues: - CVE-2021-35942: wordexp: handle overflow in positional parameter number (bsc#1187911) - CVE-2021-33574: Use __pthread_attr_copy in mq_notify (bsc#1186489) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:3454-1 Released: Mon Oct 18 09:29:26 2021 Summary: Security update for krb5 Type: security Severity: moderate References: 1189929,CVE-2021-37750 This update for krb5 fixes the following issues: - CVE-2021-37750: Fixed KDC null pointer dereference via a FAST inner body that lacks a server field (bsc#1189929). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3480-1 Released: Wed Oct 20 11:24:10 2021 Summary: Recommended update for yast2-network Type: recommended Severity: moderate References: 1185016,1185524,1186910,1187270,1187512,1188344,1190645,1190739,1190915,1190933 This update for yast2-network fixes the following issues: - Don't crash when the interfaces table contains a not configured one (bnc#1190645, bsc#1190915). - Fix the shown description using the interface friendly name when it is empty (bsc#1190933). - Consider aliases sections as case insensitive (bsc#1190739). - Display user defined device name in the devices overview (bnc#1190645). - Don't crash when defined aliases in AutoYaST profile are not defined as a map(bsc#1188344). - Support 'boot' and 'on' as aliases for the 'auto' startmode (bsc#1186910). - Fix desktop file so the control center tooltip is translated (bsc#1187270). - Use the linuxrc proxy settings for the HTTPS and FTP proxies (bsc#1185016). - Don't crash at the end of installation when storing wifi configuration for NetworkManager (bsc#1185524, bsc#1187512). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:3490-1 Released: Wed Oct 20 16:31:55 2021 Summary: Security update for ncurses Type: security Severity: moderate References: 1190793,CVE-2021-39537 This update for ncurses fixes the following issues: - CVE-2021-39537: Fixed an heap-based buffer overflow in _nc_captoinfo. (bsc#1190793) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3494-1 Released: Wed Oct 20 16:48:46 2021 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1190052 This update for pam fixes the following issues: - Added pam_faillock to the set of available PAM modules. (jsc#SLE-20638) - Added new file macros.pam on request of systemd. (bsc#1190052) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3510-1 Released: Tue Oct 26 11:22:15 2021 Summary: Recommended update for pam Type: recommended Severity: important References: 1191987 This update for pam fixes the following issues: - Fixed a bad directive file which resulted in the 'securetty' file to be installed as 'macros.pam'. (bsc#1191987) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:3523-1 Released: Tue Oct 26 15:40:13 2021 Summary: Security update for util-linux Type: security Severity: moderate References: 1122417,1125886,1178236,1188921,CVE-2021-37600 This update for util-linux fixes the following issues: Update to version 2.33.2 to provide seamless update from SLE12 SP5 to SLE15 SP2: -CVE-2021-37600: Fixed an integer overflow which could lead to a buffer overflow in get_sem_elements() in sys-utils/ipcutils.c (bsc#1188921). - agetty: Fix 8-bit processing in get_logname() (bsc#1125886). - mount: Fix 'mount' output for net file systems (bsc#1122417). - ipcs: Avoid overflows (bsc#1178236) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:3529-1 Released: Wed Oct 27 09:23:32 2021 Summary: Security update for pcre Type: security Severity: moderate References: 1172973,1172974,CVE-2019-20838,CVE-2020-14155 This update for pcre fixes the following issues: Update pcre to version 8.45: - CVE-2020-14155: Fixed integer overflow via a large number after a '(?C' substring (bsc#1172974). - CVE-2019-20838: Fixed buffer over-read in JIT compiler (bsc#1172973) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3781-1 Released: Tue Nov 23 23:48:43 2021 Summary: This update for libzypp, zypper and libsolv fixes the following issues: Type: recommended Severity: moderate References: 1153687,1182372,1183268,1183589,1184326,1184399,1184997,1185325,1186447,1186503,1186602,1187224,1187425,1187466,1187738,1187760,1188156,1188435,1189031,1190059,1190199,1190356,1190465,1190712,1190815,1191286,1191324,1191370,1191609,1192337,1192436 This update for zypper fixes the following issues: - Manpage: Recommend the needs-rebooting command to test whether a system reboot is suggested. - Let a patch's reboot-needed flag overrule included packages. (bsc#1183268) - Quickfix setting 'openSUSE_Tumbleweed' as default platform for 'MicroOS'. (bsc#1153687) - Protect against strict/relaxed user umask via sudo. (bsc#1183589) - xml summary: Add solvables repository alias. (bsc#1182372) - Allow trusted repos to add additional signing keys. (bsc#1184326) - MediaCurl: Fix logging of redirects. - Let negative values wait forever for the zypp lock. (bsc#1184399) - Fix 'purge-kernels' is broken in Leap 15.3. (bsc#1185325) -Fix service detection with cgroupv2. (bsc#1184997) - Add hints to 'trust GPG key' prompt. - Enhance XML output of repo GPG options - Add optional attributes showing the raw values actually present in the '.repo' file. - Link all executables with -pie (bsc#1186447) - Ship an empty '/etc/zypp/needreboot' per default. (jsc#PM-2645) - Fix solver jobs for PTFs. (bsc#1186503) - choice rules: treat orphaned packages as newest. (bc#1190465) - Add need reboot/restart hint to XML install summary. (bsc#1188435) - Fix kernel-*-livepatch removal in purge-kernels. (bsc#1190815) - Fix obs:// platform guessing for Leap. (bsc#1187425) - Fix purge-kernels fails. (bsc#1187738) - Do not download full files even if the checkExistsOnly flag is set. (bsc#1190712) - Prompt: choose exact match if prompt options are not prefix free. (bsc#1188156) - Do not check of signatures and keys two times(redundant). (bsc#1190059) - Rephrase vendor conflict message in case 2 packages are involved. (bsc#1187760) - Show key fpr from signature when signature check fails. (bsc#1187224) - Make sure to keep states alives while transitioning. (bsc#1190199) - Fix crashes in logging code when shutting down. (bsc#1189031) - Manpage: Improve description about patch updates. (bsc#1187466) - Avoid calling 'su' to detect a too restrictive sudo user umask. (bsc#1186602) - Consolidate reboot-recommendations across tools and stop using /etc/zypp/needreboot (jsc#-SLE-18858) - Disable logger in the child after fork (bsc#1192436) - Check log writer before accessing it (bsc#1192337) - Allow uname-r format in purge kernels keepspec - zypper should keep cached files if transaction is aborted (bsc#1190356) - Require a minimum number of mirrors for multicurl (bsc#1191609) - Use procfs to detect nr of open fd's if rlimit is too high (bsc#1191324) - Fix translations (bsc#1191370) - RepoManager: Don't probe for plaindir repo if URL schema is plugin (bsc#1191286) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3799-1 Released: WedNov 24 18:07:54 2021 Summary: Recommended update for gcc11 Type: recommended Severity: moderate References: 1187153,1187273,1188623 This update for gcc11 fixes the following issues: The additional GNU compiler collection GCC 11 is provided: To select these compilers install the packages: - gcc11 - gcc-c++11 - and others with 11 prefix. to select them for building: - CC='gcc-11' - CXX='g++-11' The compiler baselibraries (libgcc_s1, libstdc++6 and others) are being replaced by the GCC 11 variants. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3809-1 Released: Fri Nov 26 00:31:59 2021 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1189803,1190325,1190440,1190984,1191252,1192161 This update for systemd fixes the following issues: - Add timestamp to D-Bus events to improve traceability (jsc#SLE-21862, jsc#SLE-18102, jsc#SLE-18103) - Fix IO scheduler udev rules to address performance issues (jsc#SLE-21032, bsc#1192161) - shutdown: Reduce log level of unmounts (bsc#1191252) - pid1: make use of new 'prohibit_ipc' logging flag in PID 1 (bsc#1189803) - core: rework how we connect to the bus (bsc#1190325) - mount-util: fix fd_is_mount_point() when both the parent and directory are network fs (bsc#1190984) - virt: detect Amazon EC2 Nitro instance (bsc#1190440) - Several fixes for umount - busctl: use usec granularity for the timestamp printed by the busctl monitor command - fix unitialized fields in MountPoint in dm_list_get() - shutdown: explicitly set a log target - mount-util: add mount_option_mangle() - dissect: automatically mark partitions read-only that have a read-only file system - build-sys: require proper libmount version - systemd-shutdown: use log_set_prohibit_ipc(true) - rationalize interface for opening/closing logging - pid1: when we can't log to journal, remember our fallback log target - log: remove LOG_TARGET_SAFE pseudo log target - log: add brief comment forlog_set_open_when_needed() and log_set_always_reopen_console() - log: add new 'prohibit_ipc' flag to logging system - log: make log_set_upgrade_syslog_to_journal() take effect immediately - dbus: split up bus_done() into seperate functions - machine-id-setup: generate machine-id from DMI product ID on Amazon EC2 - virt: if we detect Xen by DMI, trust that over CPUID ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:3830-1 Released: Wed Dec 1 13:45:46 2021 Summary: Security update for glibc Type: security Severity: moderate References: 1027496,1183085,CVE-2016-10228 This update for glibc fixes the following issues: - libio: do not attempt to free wide buffers of legacy streams (bsc#1183085) - CVE-2016-10228: Rewrite iconv option parsing to fix security issue (bsc#1027496) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3891-1 Released: Fri Dec 3 10:21:49 2021 Summary: Recommended update for keyutils Type: recommended Severity: moderate References: 1029961,1113013,1187654 This update for keyutils fixes the following issues: - Add /etc/keys/ and /usr/etc/keys/ directory (bsc#1187654) keyutils was updated to 1.6.3 (jsc#SLE-20016): * Revert the change notifications that were using /dev/watch_queue. * Apply the change notifications that use pipe2(O_NOTIFICATION_PIPE). * Allow 'keyctl supports' to retrieve raw capability data. * Allow 'keyctl id' to turn a symbolic key ID into a numeric ID. * Allow 'keyctl new_session' to name the keyring. * Allow 'keyctl add/padd/etc.' to take hex-encoded data. * Add 'keyctl watch*' to expose kernel change notifications on keys. * Add caps for namespacing and notifications. * Set a default TTL on keys that upcall for name resolution. * Explicitly clear memory after it's held sensitive information. * Various manual page fixes. * Fix C++-related errors. * Add support for keyctl_move(). * Add support for keyctl_capabilities(). * Make key=val list optionalfor various public-key ops. * Fix system call signature for KEYCTL_PKEY_QUERY. * Fix 'keyctl pkey_query' argument passing. * Use keyctl_read_alloc() in dump_key_tree_aux(). * Various manual page fixes. Updated to 1.6: * Apply various specfile cleanups from Fedora. * request-key: Provide a command line option to suppress helper execution. * request-key: Find least-wildcard match rather than first match. * Remove the dependency on MIT Kerberos. * Fix some error messages * keyctl_dh_compute.3: Suggest /proc/crypto for list of available hashes. * Fix doc and comment typos. * Add public key ops for encrypt, decrypt, sign and verify (needs linux-4.20). * Add pkg-config support for finding libkeyutils. * upstream isn't offering PGP signatures for the source tarballs anymore Updated to 1.5.11 (bsc#1113013) * Add keyring restriction support. * Add KDF support to the Diffie-Helman function. * DNS: Add support for AFS config files and SRV records ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:3899-1 Released: Fri Dec 3 11:27:41 2021 Summary: Security update for aaa_base Type: security Severity: moderate References: 1162581,1174504,1191563,1192248 This update for aaa_base fixes the following issues: - Allowed ping and ICMP commands without CAP_NET_RAW (bsc#1174504). - Add $HOME/.local/bin to PATH, if it exists (bsc#1192248). - Fixed get_kernel_version.c to work also for recent kernels on the s390/X platform (bsc#1191563). - Support xz compressed kernel (bsc#1162581) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3930-1 Released: Mon Dec 6 11:16:10 2021 Summary: Recommended update for curl Type: recommended Severity: moderate References: 1192790 This update for curl fixes the following issues: - Fix sftp via proxy failure in curl, by preventing libssh from creating socket (bsc#1192790) ----------------------------------------------------------------- Advisory ID:SUSE-SU-2021:3946-1 Released: Mon Dec 6 14:57:42 2021 Summary: Security update for gmp Type: security Severity: moderate References: 1192717,CVE-2021-43618 This update for gmp fixes the following issues: - CVE-2021-43618: Fixed buffer overflow via crafted input in mpz/inp_raw.c (bsc#1192717). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:4017-1 Released: Tue Dec 14 07:26:55 2021 Summary: Recommended update for openssl-1_1 Type: recommended Severity: moderate References: 1180995 This update for openssl-1_1 fixes the following issues: - Add RFC3526 and RFC7919 groups to 'openssl genpkey' so that it can output FIPS-appropriate parameters consistently with our other codestreams (bsc#1180995) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:4139-1 Released: Tue Dec 21 17:02:44 2021 Summary: Recommended update for systemd Type: recommended Severity: critical References: 1193481,1193521 This update for systemd fixes the following issues: - Revert 'core: rework how we connect to the bus' (bsc#1193521 bsc#1193481) sleep-config: partitions can't be deleted, only files can shared/sleep-config: exclude zram devices from hibernation candidates ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:4154-1 Released: Wed Dec 22 11:02:38 2021 Summary: Security update for p11-kit Type: security Severity: important References: 1180064,1187993,CVE-2020-29361 This update for p11-kit fixes the following issues: - CVE-2020-29361: Fixed multiple integer overflows in rpc code (bsc#1180064) - Add support for CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER (bsc#1187993). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:4182-1 Released: Thu Dec 23 11:51:51 2021 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1192688 This update for zlibfixes the following issues: - Fix hardware compression incorrect result on z15 hardware (bsc#1192688) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:4-1 Released: Mon Jan 3 08:28:54 2022 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1193480 This update for libgcrypt fixes the following issues: - Fix function gcry_mpi_sub_ui subtracting from negative value (bsc#1193480) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:57-1 Released: Wed Jan 12 07:10:42 2022 Summary: Recommended update for libzypp Type: recommended Severity: moderate References: 1193488,954813 This update for libzypp fixes the following issues: - Use the default zypp.conf settings if no zypp.conf exists (bsc#1193488) - Fix wrong encoding of URI compontents of ISO images (bsc#954813) - When invoking 32bit mode in userland of an aarch64 kernel, handle armv8l as armv7hl compatible - Introduce zypp-curl as a sublibrary for CURL related code - zypp-rpm: Increase rpm loglevel if ZYPP_RPM_DEBUG is set - Save all signatures associated with a public key in its PublicKeyData The following package changes have been done: - aaa_base-84.87+git20180409.04c9dae-3.52.1 updated - bash-4.4-9.14.1 updated - cpio-2.12-3.9.1 updated - file-magic-5.32-7.14.1 updated - filesystem-15.0-11.3.2 updated - glibc-2.26-13.62.1 updated - gpg2-2.2.5-4.19.8 updated - krb5-1.16.3-3.24.1 updated - libaugeas0-1.10.1-3.3.1 updated - libblkid1-2.33.2-4.16.1 updated - libbz2-1-1.0.6-5.11.1 updated - libcap2-2.26-4.6.1 updated - libcom_err2-1.43.8-4.26.1 updated - libcurl4-7.60.0-28.1 updated - libfdisk1-2.33.2-4.16.1 updated - libgcc_s1-11.2.1+git610-1.3.9 updated - libgcrypt20-1.8.2-8.42.1 updated - libglib-2_0-0-2.54.3-4.24.1 updated - libgmp10-6.1.2-4.9.1 updated - libgnutls30-3.6.7-6.40.2 updated - libhogweed4-3.4.1-4.18.1 updated - libidn2-0-2.2.0-3.6.1 updated - libkeyutils1-1.6.3-5.6.1 updated -libldap-2_4-2-2.4.46-9.58.1 updated - libldap-data-2.4.46-9.58.1 updated - liblua5_3-5-5.3.6-3.6.1 updated - liblz4-1-1.8.0-3.8.1 updated - libmagic1-5.32-7.14.1 updated - libmount1-2.33.2-4.16.1 updated - libncurses6-6.1-5.9.1 updated - libnettle6-3.4.1-4.18.1 updated - libnghttp2-14-1.40.0-3.11.1 updated - libopenssl1_1-1.1.0i-14.24.3 updated - libp11-kit0-0.23.2-4.13.1 updated - libpcre1-8.45-20.10.1 updated - libprocps7-3.3.15-7.19.1 updated - libprotobuf-lite15-3.5.0-5.2.1 added - libreadline7-7.0-9.14.1 updated - libselinux1-2.8-8.3.1 updated - libsigc-2_0-0-2.10.0-3.7.1 updated - libsmartcols1-2.33.2-4.16.1 updated - libsolv-tools-0.7.20-4.3.1 updated - libsqlite3-0-3.36.0-3.12.1 updated - libstdc++6-11.2.1+git610-1.3.9 updated - libsystemd0-234-24.102.1 updated - libudev1-234-24.102.1 updated - libuuid1-2.33.2-4.16.1 updated - libxml2-2-2.9.7-3.37.1 updated - libz1-1.2.11-3.24.1 updated - libzstd1-1.4.4-1.6.1 updated - libzypp-17.29.0-3.64.1 updated - ncurses-utils-6.1-5.9.1 updated - netcfg-11.6-3.3.1 updated - pam-1.3.0-6.50.1 updated - procps-3.3.15-7.19.1 updated - sed-4.4-4.3.1 updated - sles-release-15.1-66.1 added - terminfo-base-6.1-5.9.1 updated - util-linux-2.33.2-4.16.1 updated - zypper-1.14.50-3.46.1 updated - container:sles15-image-15.0.0-6.2.559 updated - ca-certificates-2+git20170807.10b2785-7.3.3 removed - ca-certificates-mozilla-2.44-4.29.1 removed - openssl-1.1.0i-3.3.1 removed - openssl-1_1-1.1.0i-14.12.1 removed - p11-kit-0.23.2-4.8.3 removed - p11-kit-tools-0.23.2-4.8.3 removed . The latest version of SUSE's caasp/v4/cloud-provider-azure has been rolled out, delivering essential updates that address critical vulnerabilities and improve overall performance.. SUSE Cloud Provider, Container Security Update, OpenStack Vulnerabilities. . Severity: Critical. LinuxSecurity.com Team

Calendar 2 Jan 27, 2022 Critical SuSE
Banner 2 1028x280 1708121730 1 1771599631
100
Ls Advisories Suse Esm H240
Price Tag 1security advisorysecurityimportant

SUSE 2020:781-1 Important: Cloud Provider OpenStack Security Update

The container caasp/v4/cloud-provider-openstack was updated. The following patches have been included in this update:. SUSE Container Update Advisory: caasp/v4/cloud-provider-openstack ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:781-1 Container Tags : caasp/v4/cloud-provider-openstack:1.15.0 , caasp/v4/cloud-provider-openstack:1.15.0-rev3 , caasp/v4/cloud-provider-openstack:1.15.0-rev3-build2.2.290 Container Release : 2.2.290 Severity : important Type : security References : 1007715 1010996 1011548 1013125 1049825 1051143 1071152 1071390 1073313 1081947 1081947 1082293 1082318 1084671 1084934 1085196 1087982 1090047 1092100 1092920 1093414 1100369 1102840 1103320 1103678 1104902 1106214 1106383 1107116 1107121 1109160 1110797 1111388 1111499 1114592 1114845 1116995 1118367 1118368 1120629 1120630 1120631 1121197 1121753 1122417 1123919 1125689 1125886 1127155 1127608 1127701 1128220 1130306 1130873 1130873 1131113 1131823 1133297 1133495 1133773 1134226 1135114 1135254 1135534 1135708 1135749 1137001 1137977 1138793 1138869 1139459 1139459 1139795 1139939 1139959 1140039 1140631 1141113 1141897 1142649 1142654 1142733 1143055 1143194 1143273 1144047 1144169 1145023 1145521 1145554 1145716 1146027 1146182 1146184 1146415 1146415 1146866 1146947 1146991 1148517 1148788 1148987 1149145 1149332 1149495 1149496 1149511 1149911 1149995 1150003 1150137 1150250 1150595 1150734 1151023 1151023 1151377 1151582 1151708 1152101 1152590 1152692 1152755 1153351 1153557 1153936 1153943 1153946 1154019 1154036 1154037 1154256 11542951154661 1154803 1154803 1154804 1154805 1154871 1154871 1154884 1154887 1154935 1155198 1155199 1155205 1155207 1155271 1155298 1155327 1155337 1155338 1155339 1155346 1155574 1155678 1155819 1156158 1156159 1156205 1156213 1156300 1156482 1156913 1157051 1157198 1157278 1157292 1157315 1157377 1157775 1157794 1157893 1158095 1158095 1158101 1158336 1158485 1158499 1158763 1158809 1158830 1158830 1158921 1158996 1159003 1159314 1159814 1159928 1160039 1160158 1160160 1160571 1160594 1160595 1160735 1160764 1160970 1160979 1161168 1161198 1161203 1161215 1161216 1161218 1161219 1161220 1161239 1161262 1161335 1161436 1161517 1161521 1161779 1161816 1162108 1162108 1162152 1162518 1162698 1162930 1163184 1163569 1163922 1164505 1164538 1164543 1164543 1164562 1164717 1164950 1164950 1165011 1165281 1165424 1165476 1165476 1165502 1165534 1165539 1165573 1165573 1165579 1165784 1166106 1166260 1166481 1166510 1166510 1166610 1166610 1166748 1166848 1166881 1167122 1167122 1167163 1167223 1167471 1167631 1167674 1167898 1168076 1168235 1168345 1168364 1168389 1168699 1168835 1168990 1168990 1169357 1169488 1169512 1169569 1169944 1169947 1169947 1169992 1170527 1170667 1170713 1170771 1170801 1170801 1170964 1171145 1171173 1171224 1171224 1171313 1171422 1171740 1171762 1171863 1171864 1171866 1171872 1171878 1171883 1172021 1172072 1172085 1172135 1172135 1172195 1172295 1172348 1172461 1172506 1172695 1172698 1172704 1172798 1172824 1172846 1172925 1172925 11729581173027 1173106 1173227 1173229 1173273 1173307 1173311 1173422 1173422 1173529 1173539 1173972 1173983 1174011 1174079 1174154 1174232 1174240 1174551 1174561 1174593 1174673 1174736 1174753 1174817 1174918 1174918 1174918 1175109 1175168 1175342 1175443 1175568 1175592 1175811 1175830 1175831 1175847 1176086 1176092 1176123 1176179 1176181 1176192 1176192 1176410 1176435 1176435 1176513 1176625 1176671 1176674 1176712 1176712 1176740 1176740 1176800 1176902 1176902 1177143 1177238 1177238 1177458 1177479 1177490 1177510 1177858 1177864 1178346 1178376 1178387 1178512 1178727 1179398 1179399 1179431 1179491 1179593 353876 859480 906079 935885 935885 973042 CVE-2017-17740 CVE-2017-3136 CVE-2018-1122 CVE-2018-1123 CVE-2018-1124 CVE-2018-1125 CVE-2018-1126 CVE-2018-16428 CVE-2018-16429 CVE-2018-20532 CVE-2018-20533 CVE-2018-20534 CVE-2018-5741 CVE-2019-12290 CVE-2019-12450 CVE-2019-13012 CVE-2019-13057 CVE-2019-13565 CVE-2019-13627 CVE-2019-14250 CVE-2019-14866 CVE-2019-14889 CVE-2019-14889 CVE-2019-1547 CVE-2019-1551 CVE-2019-1563 CVE-2019-15847 CVE-2019-16168 CVE-2019-17543 CVE-2019-17594 CVE-2019-17595 CVE-2019-18218 CVE-2019-18224 CVE-2019-18802 CVE-2019-18900 CVE-2019-19126 CVE-2019-19956 CVE-2019-19956 CVE-2019-20386 CVE-2019-20388 CVE-2019-3687 CVE-2019-3688 CVE-2019-3690 CVE-2019-5094 CVE-2019-5188 CVE-2019-5481 CVE-2019-5482 CVE-2019-6477 CVE-2019-9511 CVE-2019-9513 CVE-2020-10029 CVE-2020-10543 CVE-2020-10878 CVE-2020-11501 CVE-2020-12243 CVE-2020-12723 CVE-2020-13777 CVE-2020-13844 CVE-2020-15719 CVE-2020-1712 CVE-2020-1712 CVE-2020-1730 CVE-2020-1752 CVE-2020-1971 CVE-2020-24659 CVE-2020-24977 CVE-2020-25219 CVE-2020-25692 CVE-2020-26154 CVE-2020-28196 CVE-2020-7595 CVE-2020-8013 CVE-2020-8023 CVE-2020-8027 CVE-2020-8177 CVE-2020-8231 CVE-2020-8284 CVE-2020-8285 CVE-2020-8286 CVE-2020-8616 CVE-2020-8617 CVE-2020-8618 CVE-2020-8619 CVE-2020-8620 CVE-2020-8621 CVE-2020-8622 CVE-2020-8623 CVE-2020-8624 SLE-6533 SLE-6536 SLE-7687 SLE-8789 SLE-9132 SLE-9171 ----------------------------------------------------------------- The container caasp/v4/cloud-provider-openstack was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2780-1 Released: Mon Nov 26 17:46:10 2018 Summary: Security update for glib2 Type: security Severity: moderate References: 1107116,1107121,1111499,CVE-2018-16428,CVE-2018-16429 This update for glib2 fixes the following issues: Security issues fixed: - CVE-2018-16428: Do not do a NULL pointer dereference (crash). Avoid that, at the cost of introducing a new translatable error message (bsc#1107121). - CVE-2018-16429: Fixed out-of-bounds read vulnerability ing_markup_parse_context_parse() (bsc#1107116). Non-security issue fixed: - various GVariant parsing issues have been resolved (bsc#1111499) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:251-1 Released: Wed Feb 6 11:22:43 2019 Summary: Recommended update for glib2 Type: recommended Severity: moderate References: 1090047 This update for glib2 provides the following fix: - Enable systemtap. (fate#326393, bsc#1090047) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1594-1 Released: Fri Jun 21 10:17:15 2019 Summary: Security update for glib2 Type: security Severity: important References: 1103678,1137001,CVE-2019-12450 This update for glib2 fixes the following issues: Security issue fixed: - CVE-2019-12450: Fixed an improper file permission when copy operation takes place (bsc#1137001). Other issue addressed: - glib2 was handling an UNKNOWN connectivity state from NetworkManager as if there was a connection thus giving false positives to PackageKit (bsc#1103678) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1833-1 Released: Fri Jul 12 17:53:51 2019 Summary: Security update for glib2 Type: security Severity: moderate References: 1139959,CVE-2019-13012 This update for glib2 fixes the following issues: Security issue fixed: - CVE-2019-13012: Fixed improper restriction of file permissions when creating directories (bsc#1139959). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2241-1 Released: Wed Aug 28 14:58:49 2019 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1144169 This update for ca-certificates-mozilla fixes the following issues: ca-certificates-mozillawas updated to 2.34 state of the Mozilla NSS Certificate store (bsc#1144169) Removed CAs: - Certinomis - Root CA Includes new root CAs from the 2.32 version: - emSign ECC Root CA - C3 (email and server auth) - emSign ECC Root CA - G3 (email and server auth) - emSign Root CA - C1 (email and server auth) - emSign Root CA - G1 (email and server auth) - Hongkong Post Root CA 3 (server auth) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2307-1 Released: Thu Sep 5 14:45:08 2019 Summary: Security update for util-linux and shadow Type: security Severity: moderate References: 1081947,1082293,1085196,1106214,1121197,1122417,1125886,1127701,1135534,1135708,1141113,353876 This update for util-linuxand shadow fixes the following issues: util-linux: - Fixed an issue where PATH settings in /etc/default/su being ignored (bsc#1121197) - Prevent outdated pam files (bsc#1082293). - De-duplicate fstrim -A properly (bsc#1127701). - Do not trim read-only volumes (bsc#1106214). - Integrate pam_keyinit pam module to login (bsc#1081947). - Perform one-time reset of /etc/default/su (bsc#1121197). - Fix problems in reading of login.defs values (bsc#1121197) - libmount: To prevent incorrect behavior, recognize more pseudofs and netfs (bsc#1122417). - raw.service: Add RemainAfterExit=yes (bsc#1135534). - agetty: Return previous response of agetty for special characters (bsc#1085196, bsc#1125886) - libmount: print a blacklist hint for 'unknown filesystem type' (jsc#SUSE-4085, fate#326832) - Fix /etc/default/su comments and create /etc/default/runuser (bsc#1121197). shadow: - Fixed an issue where PATH settings in /etc/default/su being ignored (bsc#1121197) - Fix segfault in useradd during setting password inactivity period. (bsc#1141113) - Hardening for su wrappers (bsc#353876) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2361-1 Released: Thu Sep 12 07:54:54 2019 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1081947,1144047 This update for krb5 contains the following fixes: - Integrate pam_keyinit PAM module, ksu-pam.d. (bsc#1081947) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2373-1 Released: Thu Sep 12 14:18:53 2019 Summary: Security update for curl Type: security Severity: important References: 1149495,1149496,CVE-2019-5481,CVE-2019-5482 This update for curl fixes the following issues: Security issues fixed: - CVE-2019-5481: Fixed FTP-KRB double-free during kerberos FTP data transfer (bsc#1149495). - CVE-2019-5482: Fixed TFTP small blocksize heap buffer overflow(bsc#1149496). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2395-1 Released: Wed Sep 18 08:31:38 2019 Summary: Security update for openldap2 Type: security Severity: moderate References: 1073313,1111388,1114845,1143194,1143273,CVE-2017-17740,CVE-2019-13057,CVE-2019-13565 This update for openldap2 fixes the following issues: Security issue fixed: - CVE-2019-13565: Fixed an authentication bypass when using SASL authentication and session encryption (bsc#1143194). - CVE-2019-13057: Fixed an issue with delegated database admin privileges (bsc#1143273). - CVE-2017-17740: When both the nops module and the member of overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. (bsc#1073313) Non-security issues fixed: - Fixed broken shebang line in openldap_update_modules_path.sh (bsc#1114845). - Create files in /var/lib/ldap/ during initial start to allow for transactional updates (bsc#1111388) - Fixed incorrect post script call causing tmpfiles creation not to be run (bsc#1111388). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2403-1 Released: Wed Sep 18 16:14:29 2019 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1150003,1150250,CVE-2019-1547,CVE-2019-1563 This update for openssl-1_1 fixes the following issues: OpenSSL Security Advisory [10 September 2019] * CVE-2019-1547: Added EC_GROUP_set_generator side channel attack avoidance. (bsc#1150003) * CVE-2019-1563: Fixed Bleichenbacher attack against cms/pkcs7 encryption transported key (bsc#1150250) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2423-1 Released: Fri Sep 20 16:41:45 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1146866,SLE-9132 This update foraaa_base fixes the following issues: Added sysctl.d/51-network.conf to tighten network security (bsc#1146866) (jira#SLE-9132) Following settings have been tightened (and set to 0): - net.ipv4.conf.all.accept_redirects - net.ipv4.conf.default.accept_redirects - net.ipv4.conf.default.accept_source_route - net.ipv6.conf.all.accept_redirects - net.ipv6.conf.default.accept_redirects ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2533-1 Released: Thu Oct 3 15:02:50 2019 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1150137,CVE-2019-16168 This update for sqlite3 fixes the following issues: Security issue fixed: - CVE-2019-16168: Fixed improper validation of sqlite_stat1 field that could lead to denial of service (bsc#1150137). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2626-1 Released: Thu Oct 10 17:22:35 2019 Summary: Recommended update for permissions Type: recommended Severity: moderate References: 1110797 This update for permissions fixes the following issues: - Updated permissons for amanda. (bsc#1110797) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2676-1 Released: Tue Oct 15 21:06:54 2019 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1145716,1152101,CVE-2019-5094 This update for e2fsprogs fixes the following issues: Security issue fixed: - CVE-2019-5094: Fixed an arbitrary code execution via specially crafted ext4 file systems. (bsc#1152101) Non-security issue fixed: - libext2fs: Call fsync(2) to clear stale errors for a new a unix I/O channel. (bsc#1145716) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2730-1 Released: Mon Oct 21 16:04:57 2019 Summary: Security update for procps Type: security Severity: important References: 1092100,1121753,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126 This update for procps fixes the following issues: procps was updated to 3.3.15. (bsc#1092100) Following security issues were fixed: - CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100). - CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps maped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100). - CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100). - CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100). - CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100). Also this non-security issue was fixed: - Fix CPU summary showing old data. (bsc#1121753) The update to 3.3.15 contains the following fixes: * library: Increment to 8:0:1 No removals, no new functions Changes: slab and pid structures * library: Just check for SIGLOST and don't delete it * library: Fix integer overflow and LPE in file2strvec CVE-2018-1124 * library: Use size_t for alloc functions CVE-2018-1126 * library: Increase comm size to 64 * pgrep: Fix stack-based buffer overflow CVE-2018-1125 * pgrep: Remove > 15 warning as comm can be longer * ps: Fix buffer overflow in output buffer, causing DOS CVE-2018-1123 * ps: Increase command name selection field to 64 * top: Don't use cwd for location of config CVE-2018-1122 * update translations * library: build on non-glibc systems * free: fix scaling on 32-bit systems * Revert 'Support running with child namespaces' * library: Increment to 7:0:1 No changes, no removals New fuctions: numa_init, numa_max_node, numa_node_of_cpu, numa_uninit, xalloc_err_handler * doc: Document I idle state in ps.1 and top.1 * free: fix some of the SI multiples * kill: -l space between name parses correctly * library: dont use vm_min_free on non Linux * library: don't strip off wchan prefixes (ps & top) * pgrep: warn about 15+ char name only if -f not used * pgrep/pkill: only match in same namespace by default * pidof: specify separator between pids * pkill: Return 0 only if we can kill process * pmap: fix duplicate output line under '-x' option * ps: avoid eip/esp address truncations * ps: recognizes SCHED_DEADLINE as valid CPU scheduler * ps: display NUMA node under which a thread ran * ps: Add seconds display for cputime and time * ps: Add LUID field * sysctl: Permit empty string for value * sysctl: Don't segv when file not available * sysctl: Read and write large buffers* top: add config file support for XDG specification * top: eliminated minor libnuma memory leak * top: show fewer memory decimal places (configurable) * top: provide command line switch for memory scaling * top: provide command line switch for CPU States * top: provides more accurate cpu usage at startup * top: display NUMA node under which a thread ran * top: fix argument parsing quirk resulting in SEGV * top: delay interval accepts non-locale radix point * top: address a wishlist man page NLS suggestion * top: fix potential distortion in 'Mem' graph display * top: provide proper multi-byte string handling * top: startup defaults are fully customizable * watch: define HOST_NAME_MAX where not defined * vmstat: Fix alignment for disk partition format * watch: Support ANSI 39,49 resetsequences ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2742-1 Released: Tue Oct 22 15:40:16 2019 Summary: Recommended update for libzypp, zypper, libsolv and PackageKit Type: recommended Severity: important References: 1049825,1116995,1120629,1120630,1120631,1127155,1127608,1130306,1131113,1131823,1134226,1135749,1137977,1139795,1140039,1145521,1146027,1146415,1146947,1153557,859480,CVE-2018-20532,CVE-2018-20533,CVE-2018-20534 This update for libzypp, zypper, libsolv and PackageKit fixes the following issues: Security issues fixed in libsolv: - CVE-2018-20532: Fixed NULL pointer dereference at ext/testcase.c (function testcase_read) (bsc#1120629). - CVE-2018-20533: Fixed NULL pointer dereference at ext/testcase.c (function testcase_str2dep_complex) in libsolvext.a (bsc#1120630). - CVE-2018-20534: Fixed illegal address access at src/pool.h (function pool_whatprovides) in libsolv.a (bsc#1120631). Other issues addressed in libsolv: - Fixed an issue where libsolv failed to build against swig 4.0 by updating the version to 0.7.5 (bsc#1135749). - Fixed an issue with the package name (bsc#1131823). - repo_add_rpmdb: do not copy bad solvables from the old solv file - Fixed an issue with cleandeps updates in which all packages were not updated - Experimental DISTTYPE_CONDA and REL_CONDA support - Fixed cleandeps jobs when using patterns (bsc#1137977) - Fixed favorq leaking between solver runs if the solver is reused - Fixed SOLVER_FLAG_FOCUS_BEST updateing packages without reason - Be more correct with multiversion packages that obsolete their own name (bnc#1127155) - Fix repository priority handling for multiversion packages - Make code compatible with swig 4.0, remove obj0 instances - repo2solv: support zchunk compressed data - Remove NO_BRP_STRIP_DEBUG=true as brp-15-strip-debug will not strip debug info for archives Issues fixed in libzypp: - Fix empty metalink downloads if filesize is unknown (bsc#1153557) - Recognize riscv64 asarchitecture - Fix installation of new header file (fixes #185) - zypp.conf: Introduce `solver.focus` to define the resolvers general attitude when resolving jobs. (bsc#1146415) - New container detection algorithm for zypper ps (bsc#1146947) - Fix leaking filedescriptors in MediaCurl. (bsc#1116995) - Run file conflict check on dry-run. (bsc#1140039) - Do not remove orphan products if the .prod file is owned by a package. (bsc#1139795) - Rephrase file conflict check summary. (bsc#1140039) - Fix bash completions option detection. (bsc#1049825) - Fixes a bug where zypper exited on SIGPIPE when downloading packages (bsc#1145521) - Fixes an issue where zypper exited with a segmentation fault when updating via YaST2 (bsc#1146027) - PublicKey::algoName: supply key algorithm and length Issues fixed in zypper: - Update to version 1.14.30 - Ignore SIGPIPE while STDOUT/STDERR are OK (bsc#1145521) - Dump stacktrace on SIGPIPE (bsc#1145521) - info: The requested info must be shown in QUIET mode (fixes #287) - Fix local/remote url classification. - Rephrase file conflict check summary (bsc#1140039) - Fix bash completions option detection (bsc#1049825) - man: split '--with[out]' like options to ease searching. - Unhided 'ps' command in help - Added option to show more conflict information - Rephrased `zypper ps` hint (bsc#859480) - Fixed repo refresh not returning 106-ZYPPER_EXIT_INF_REPOS_SKIPPED if --root is used (bsc#1134226) - Fixed unknown package handling in zypper install (bsc#1127608) - Re-show progress bar after pressing retry upon install error (bsc#1131113) Issues fixed in PackageKit: - Port the cron configuration variables to the systemd timer script, and add -sendwait parameter to mail in the script(bsc#1130306). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2757-1 Released: Wed Oct 23 17:21:17 2019 Summary: Security update for lz4 Type: security Severity: moderate References: 1153936,CVE-2019-17543 This update for lz4 fixes thefollowing issues: - CVE-2019-17543: Fixed a heap-based buffer overflow in LZ4_write32 (bsc#1153936). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2812-1 Released: Tue Oct 29 14:57:55 2019 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1139459,1140631,1145023,1150595,SLE-7687 This update for systemd provides the following fixes: - Fix a problem that would cause invoking try-restart to an inactive service to hang when a daemon-reload is invoked before the try-restart returned. (bsc#1139459) - man: Add a note about _netdev usage. - units: Replace remote-cryptsetup-pre.target with remote-fs-pre.target. - units: Add [Install] section to remote-cryptsetup.target. - cryptsetup: Ignore _netdev, since it is used in generator. - cryptsetup-generator: Use remote-cryptsetup.target when _netdev is present. (jsc#SLE-7687) - cryptsetup-generator: Add a helper utility to create symlinks. - units: Add remote-cryptsetup.target and remote-cryptsetup-pre.target. - man: Add an explicit description of _netdev to systemd.mount(5). - man: Order fields alphabetically in crypttab(5). - man: Make crypttab(5) a bit easier to read. - units: Order cryptsetup-pre.target before cryptsetup.target. - Fix reporting of enabled-runtime units. - sd-bus: Deal with cookie overruns. (bsc#1150595) - rules: Add by-id symlinks for persistent memory. (bsc#1140631) - Buildrequire polkit so /usr/share/polkit-1/rules.d subdir can be only owned by polkit. (bsc#1145023) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2870-1 Released: Thu Oct 31 08:09:14 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1051143,1138869,1151023 This update for aaa_base provides the following fixes: - Check if variables can be set before modifying them to avoid warnings on login with a restricted shell. (bsc#1138869) - Add s390x compressed kernel support.(bsc#1151023) - service: Check if there is a second argument before using it. (bsc#1051143) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2418-1 Released: Thu Nov 14 11:53:03 2019 Summary: Recommended update for bash Type: recommended Severity: moderate References: 1133773,1143055 This update for bash fixes the following issues: - Rework patch readline-7.0-screen (bsc#1143055): map all 'screen(-xxx)?.yyy(-zzz)?' to 'screen' as well as map 'konsole(-xxx)?' and 'gnome(-xxx)?' to 'xterm' - Add a backport from bash 5.0 to perform better with large numbers of sub processes. (bsc#1133773) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2019:2980-1 Released: Thu Nov 14 22:45:33 2019 Summary: Optional update for curl Type: optional Severity: low References: 1154019 This update for curl doesn't address any user visible issues. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2997-1 Released: Mon Nov 18 15:16:38 2019 Summary: Security update for ncurses Type: security Severity: moderate References: 1103320,1154036,1154037,CVE-2019-17594,CVE-2019-17595 This update for ncurses fixes the following issues: Security issues fixed: - CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036). - CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037). Non-security issue fixed: - Removed screen.xterm from terminfo database (bsc#1103320). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3010-1 Released: Tue Nov 19 18:10:58 2019 Summary: Recommended update for zypper and libsolv Type: recommended Severity: moderate References: 1145554,1146415,1149511,1153351,SLE-9171 This update for zypper and libsolv fixes the following issues: Package: zypper - Improved the documentation of $releasever and --releaseverusescases (bsc#1149511) - zypper will now ask only once when multiple packages share the same license text (bsc#1145554) - Added a new 'solver.focus' option for /etc/zypp/zypp.conf to define systemwide focus mode when resolving jobs (bsc#1146415) - Fixes an issue where 'zypper lu' didn't list all available package updates (bsc#1153351) - Added a new --repo option to the 'download' command to allow to specify a repository (jsc#SLE-9171) Package: libsolv - Fixes issues when updating too many packages in focusbest mode - Fixes the handling of disabled and installed packages in distupgrade ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3059-1 Released: Mon Nov 25 17:33:07 2019 Summary: Security update for cpio Type: security Severity: moderate References: 1155199,CVE-2019-14866 This update for cpio fixes the following issues: - CVE-2019-14866: Fixed an improper validation of the values written in the header of a TAR file through the to_oct() function which could have led to unexpected TAR generation (bsc#1155199). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3061-1 Released: Mon Nov 25 17:34:22 2019 Summary: Security update for gcc9 Type: security Severity: moderate References: 1114592,1135254,1141897,1142649,1142654,1148517,1149145,CVE-2019-14250,CVE-2019-15847,SLE-6533,SLE-6536 This update includes the GNU Compiler Collection 9. A full changelog is provided by the GCC team on: The base system compiler libraries libgcc_s1, libstdc++6 and others are now built by the gcc 9 packages. To use it, install 'gcc9' or 'gcc9-c++' or other compiler brands and use CC=gcc-9 / CXX=g++-9 during configuration for using it. Security issues fixed: - CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145) - CVE-2019-14250: Fixed a heap overflow in the LTO linker.(bsc#1142649) Non-security issues fixed: - Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254) - Fixed miscompilation for vector shift on s390. (bsc#1141897) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3070-1 Released: Tue Nov 26 12:39:29 2019 Summary: Recommended update for gpg2 Type: recommended Severity: low References: 1152755 This update for gpg2 provides the following fix: - Remove a build requirement on self. This is causing Leap 15.2 bootstrap to fail. (bsc#1152755) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3086-1 Released: Thu Nov 28 10:02:24 2019 Summary: Security update for libidn2 Type: security Severity: moderate References: 1154884,1154887,CVE-2019-12290,CVE-2019-18224 This update for libidn2 to version 2.2.0 fixes the following issues: - CVE-2019-12290: Fixed an improper round-trip check when converting A-labels to U-labels (bsc#1154884). - CVE-2019-18224: Fixed a heap-based buffer overflow that was caused by long domain strings (bsc#1154887). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3087-1 Released: Thu Nov 28 10:03:00 2019 Summary: Security update for libxml2 Type: security Severity: low References: 1123919 This update for libxml2 doesn't fix any additional security issues, but correct its rpm changelog to reflect all CVEs that have been fixed over the past. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3118-1 Released: Fri Nov 29 14:41:35 2019 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1154295 This update for e2fsprogs fixes the following issues: - Make minimum size estimates more reliable for mounted filesystem. (bsc#1154295) ----------------------------------------------------------------- Advisory ID:SUSE-RU-2019:3166-1 Released: Wed Dec 4 11:24:42 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1007715,1084934,1157278 This update for aaa_base fixes the following issues: - Use official key binding functions in inputrc that is replace up-history with previous-history, down-history with next-history and backward-delete-word with backward-kill-word. (bsc#1084934) - Add some missed key escape sequences for urxvt-unicode terminal as well. (bsc#1007715) - Clear broken ghost entry in patch which breaks 'readline'. (bsc#1157278) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3181-1 Released: Thu Dec 5 11:43:07 2019 Summary: Security update for permissions Type: security Severity: moderate References: 1093414,1150734,1157198,CVE-2019-3688,CVE-2019-3690 This update for permissions fixes the following issues: - CVE-2019-3688: Changed wrong ownership in /usr/sbin/pinger to root:squid which could have allowed a squid user to gain persistence by changing the binary (bsc#1093414). - CVE-2019-3690: Fixed a privilege escalation through untrusted symbolic links (bsc#1150734). - Fixed a regression which caused sagmentation fault (bsc#1157198). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3240-1 Released: Tue Dec 10 10:40:19 2019 Summary: Recommended update for ca-certificates-mozilla, p11-kit Type: recommended Severity: moderate References: 1154871 This update for ca-certificates-mozilla, p11-kit fixes the following issues: Changes in ca-certificates-mozilla: - export correct p11kit trust attributes so Firefox detects built in certificates (bsc#1154871). Changes in p11-kit: - support loading NSS attribute CKA_NSS_MOZILLA_CA_POLICY so Firefox detects built in certificates (bsc#1154871) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3267-1 Released: Wed Dec 11 11:19:532019 Summary: Security update for libssh Type: security Severity: important References: 1158095,CVE-2019-14889 This update for libssh fixes the following issues: - CVE-2019-14889: Fixed an arbitrary command execution (bsc#1158095). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3392-1 Released: Fri Dec 27 13:33:29 2019 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1148987,1155338,1155339,CVE-2019-13627 This update for libgcrypt fixes the following issues: Security issues fixed: - CVE-2019-13627: Mitigation against an ECDSA timing attack (bsc#1148987). Bug fixes: - Added CMAC AES self test (bsc#1155339). - Added CMAC TDES self test missing (bsc#1155338). - Fix test dsa-rfc6979 in FIPS mode. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:69-1 Released: Fri Jan 10 12:33:59 2020 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1155346,1157775,1158101,1158809,CVE-2019-1551,SLE-8789 This update for openssl-1_1 fixes the following issues: Security issue fixed: - CVE-2019-1551: Fixed an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809). Various FIPS related improvements were done: - FIPS: Backport SSH KDF to openssl (jsc#SLE-8789, bsc#1157775). - Port FIPS patches from SLE-12 (bsc#1158101). - Use SHA-2 in the RSA pairwise consistency check (bsc#1155346). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:129-1 Released: Mon Jan 20 09:21:13 2020 Summary: Security update for libssh Type: security Severity: important References: 1158095,CVE-2019-14889 This update for libssh fixes the following issues: - CVE-2019-14889: Fixed an unwanted command execution in scp caused by unsanitized location(bsc#1158095). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:225-1 Released: Fri Jan 24 06:49:07 2020 Summary: Recommended update for procps Type: recommended Severity: moderate References: 1158830 This update for procps fixes the following issues: - Fix for 'ps -C' allowing to accept any arguments longer than 15 characters anymore. (bsc#1158830) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:256-1 Released: Wed Jan 29 09:39:17 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1157794,1160970 This update for aaa_base fixes the following issues: - Improves the way how the Java path is created to fix an issue with sapjvm. (bsc#1157794) - Drop 'dev.cdrom.autoclose' = 0 from sysctl config. (bsc#1160970) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:262-1 Released: Thu Jan 30 11:02:42 2020 Summary: Security update for glibc Type: security Severity: moderate References: 1149332,1151582,1157292,1157893,1158996,CVE-2019-19126 This update for glibc fixes the following issues: Security issue fixed: - CVE-2019-19126: Fixed to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition (bsc#1157292). Bug fixes: - Fixed z15 (s390x) strstr implementation that can return incorrect results if search string cross page boundary (bsc#1157893). - Fixed Hardware support in toolchain (bsc#1151582). - Fixed syscalls during early process initialization (SLE-8348). - Fixed an array overflow in backtrace for PowerPC (bsc#1158996). - Moved to posix_spawn on popen (bsc#1149332). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:265-1 Released: Thu Jan 30 14:05:34 2020 Summary: Security update for e2fsprogs Type: security Severity: moderate References: 1160571,CVE-2019-5188 This update fore2fsprogs fixes the following issues: - CVE-2019-5188: Fixed a code execution vulnerability in the directory rehashing functionality (bsc#1160571). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:279-1 Released: Fri Jan 31 12:01:39 2020 Summary: Recommended update for p11-kit Type: recommended Severity: moderate References: 1013125 This update for p11-kit fixes the following issues: - Also build documentation (bsc#1013125) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:335-1 Released: Thu Feb 6 11:37:24 2020 Summary: Security update for systemd Type: security Severity: important References: 1084671,1092920,1106383,1133495,1151377,1154256,1155207,1155574,1156213,1156482,1158485,1159814,1161436,1162108,CVE-2019-20386,CVE-2020-1712 This update for systemd fixes the following issues: - CVE-2020-1712 (bsc#bsc#1162108) Fix a heap use-after-free vulnerability, when asynchronous Polkit queries were performed while handling Dbus messages. A local unprivileged attacker could have abused this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted Dbus messages. - Use suse.pool.ntp.org server pool on SLE distros (jsc#SLE-7683) - libblkid: open device in nonblock mode. (bsc#1084671) - udev/cdrom_id: Do not open CD-rom in exclusive mode. (bsc#1154256) - bus_open leak sd_event_source when udevadm trigger。 (bsc#1161436 CVE-2019-20386) - fileio: introduce read_full_virtual_file() for reading virtual files in sysfs, procfs (bsc#1133495 bsc#1159814) - fileio: initialize errno to zero before we do fread() - fileio: try to read one byte too much in read_full_stream() - logind: consider 'greeter' sessions suitable as 'display' sessions of a user (bsc#1158485) - logind: never elect a session that is stopping as display - journal: include kmsg lines from the systemd process which exec()d us (#8078) - udevd: don't use monitor aftermanager_exit() - udevd: capitalize log messages in on_sigchld() - udevd: merge conditions to decrease indentation - Revert 'udevd: fix crash when workers time out after exit is signal caught' - core: fragments of masked units ought not be considered for NeedDaemonReload (#7060) (bsc#1156482) - udevd: fix crash when workers time out after exit is signal caught - udevd: wait for workers to finish when exiting (bsc#1106383) - Improve bash completion support (bsc#1155207) * shell-completion: systemctl: do not list template units in {re,}start * shell-completion: systemctl: pass current word to all list_unit* * bash-completion: systemctl: pass current partial unit to list-unit* (bsc#1155207) * bash-completion: systemctl: use systemctl --no-pager * bash-completion: also suggest template unit files * bash-completion: systemctl: add missing options and verbs * bash-completion: use the first argument instead of the global variable (#6457) - networkd: VXLan Make group and remote variable separate (bsc#1156213) - networkd: vxlan require Remote= to be a non multicast address (#8117) (bsc#1156213) - fs-util: let's avoid unnecessary strerror() - fs-util: introduce inotify_add_watch_and_warn() helper - ask-password: improve log message when inotify limit is reached (bsc#1155574) - shared/install: failing with -ELOOP can be due to the use of an alias in install_error() (bsc#1151377) - man: alias names can't be used with enable command (bsc#1151377) - Add boot option to not use swap at system start (jsc#SLE-7689) - Allow YaST to select Iranian (Persian, Farsi) keyboard layout (bsc#1092920) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:339-1 Released: Thu Feb 6 13:03:22 2020 Summary: Recommended update for openldap2 Type: recommended Severity: low References: 1158921 This update for openldap2 provides the following fix: - Add libldap-data to the product (as it contains ldap.conf).(bsc#1158921) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:432-1 Released: Fri Feb 21 14:34:16 2020 Summary: Security update for libsolv, libzypp, zypper Type: security Severity: moderate References: 1135114,1154804,1154805,1155198,1155205,1155298,1155678,1155819,1156158,1157377,1158763,CVE-2019-18900 This update for libsolv, libzypp, zypper fixes the following issues: Security issue fixed: - CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763). Bug fixes - Fixed removing orphaned packages dropped by to-be-installed products (bsc#1155819). - Adds libzypp API to mark all obsolete kernels according to the existing purge-kernel script rules (bsc#1155198). - Do not enforce 'en' being in RequestedLocales If the user decides to have a system without explicit language support he may do so (bsc#1155678). - Load only target resolvables for zypper rm (bsc#1157377). - Fix broken search by filelist (bsc#1135114). - Replace python by a bash script in zypper-log (fixes#304, fixes#306, bsc#1156158). - Do not sort out requested locales which are not available (bsc#1155678). - Prevent listing duplicate matches in tables. XML result is provided within the new list-patches-byissue element (bsc#1154805). - XML add patch issue-date and issue-list (bsc#1154805). - Fix zypper lp --cve/bugzilla/issue options (bsc#1155298). - Always execute commit when adding/removing locales (fixes bsc#1155205). - Fix description of --table-style,-s in man page (bsc#1154804). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:451-1 Released: Tue Feb 25 10:50:35 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1155337,1161215,1161216,1161218,1161219,1161220 This update for libgcrypt fixes the following issues: - ECDSA: Check range of coordinates(bsc#1161216) - FIPS: libgcrypt DSA PQG parameter generation: Missing value [bsc#1161219] - FIPS: libgcrypt DSA PQG verification incorrect results [bsc#1161215] - FIPS: libgcrypt RSA siggen/keygen: 4k not supported [bsc#1161220] - FIPS: keywrap gives incorrect results [bsc#1161218] - FIPS: RSA/DSA/ECDSA are missing hashing operation [bsc#1155337] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:476-1 Released: Tue Feb 25 14:23:14 2020 Summary: Recommended update for perl Type: recommended Severity: moderate References: 1102840,1160039 This update for perl fixes the following issues: - Some packages make assumptions about the date and time they are built. This update will solve the issues caused by calling the perl function timelocal expressing the year with two digit only instead of four digits. (bsc#1102840) (bsc#1160039) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:480-1 Released: Tue Feb 25 17:38:22 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1160735 This update for aaa_base fixes the following issues: - Change 'rp_filter' to increase the default priority to ethernet over the wifi. (bsc#1160735) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:525-1 Released: Fri Feb 28 11:49:36 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1164562 This update for pam fixes the following issues: - Add libdb as build-time dependency to enable pam_userdb module. Enable pam_userdb.so (jsc#sle-7258, bsc#1164562) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:547-1 Released: Fri Feb 28 16:26:21 2020 Summary: Security update for permissions Type: security Severity: moderate References: 1148788,1160594,1160764,1161779,1163922,CVE-2019-3687,CVE-2020-8013 This update for permissionsfixes the following issues: Security issues fixed: - CVE-2019-3687: Fixed a privilege escalation which could allow a local user to read network traffic if wireshark is installed (bsc#1148788) - CVE-2020-8013: Fixed an issue where chkstat set unintended setuid/capabilities for mrsh and wodim (bsc#1163922). Non-security issues fixed: - Fixed a regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594). - Fixed capability handling when doing multiple permission changes at once (bsc#1161779). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:572-1 Released: Tue Mar 3 13:25:41 2020 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1162518 This update for cyrus-sasl fixes the following issues: - Added support for retrieving negotiated SSF in gssapi plugin (bsc#1162518) - Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF (bsc#1162518) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:573-1 Released: Tue Mar 3 13:37:28 2020 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1160160 This update for ca-certificates-mozilla to 2.40 fixes the following issues: Updated to 2.40 state of the Mozilla NSS Certificate store (bsc#1160160): Removed certificates: - Certplus Class 2 Primary CA - Deutsche Telekom Root CA 2 - CN=Swisscom Root CA 2 - UTN-USERFirst-Client Authentication and Email added certificates: - Entrust Root Certification Authority - G4 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:597-1 Released: Thu Mar 5 15:24:09 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1164950 This update for libgcrypt fixes the following issues: - FIPS: Run the self-tests from the constructor[bsc#1164950] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:633-1 Released: Tue Mar 10 16:23:08 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1139939,1151023 This update for aaa_base fixes the following issues: - get_kernel_version: fix for current kernel on s390x (bsc#1151023, bsc#1139939) - added '-h'/'--help' to the command old - change feedback url from https://www.suse.com/de-de/ to https://github.com/openSUSE/aaa_base/issues ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:668-1 Released: Fri Mar 13 10:48:58 2020 Summary: Security update for glibc Type: security Severity: moderate References: 1163184,1164505,1165784,CVE-2020-10029 This update for glibc fixes the following issues: - CVE-2020-10029: Fixed a potential overflow in on-stack buffer during range reduction (bsc#1165784). - Fixed an issue where pthread were not always locked correctly (bsc#1164505). - Document mprotect and introduce section on memory protection (bsc#1163184). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:689-1 Released: Fri Mar 13 17:09:01 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1166510 This update for PAM fixes the following issue: - The license of libdb linked against pam_userdb is not always wanted, so we temporary disabled pam_userdb again. It will be published in a different package at a later time. (bsc#1166510) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:475-1 Released: Thu Mar 19 11:00:46 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1160595 This update for systemd fixes the following issues: - Remove TasksMax limit for both user and system slices (jsc#SLE-10123) - Backport IP filtering feature (jsc#SLE-7743bsc#1160595) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:726-1 Released: Thu Mar 19 13:23:03 2020 Summary: Security update for nghttp2 Type: security Severity: moderate References: 1125689,1146182,1146184,1159003,1166481,CVE-2019-18802,CVE-2019-9511,CVE-2019-9513 This update for nghttp2 fixes the following issues: Security issues fixed: - CVE-2019-9513: Fixed HTTP/2 implementation that is vulnerable to resource loops, potentially leading to a denial of service (bsc#1146184). - CVE-2019-9511: Fixed HTTP/2 implementations that are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service (bsc#11461). - CVE-2019-18802: Fixed malformed request header may cause bypass of route matchers resulting in escalation of privileges or information disclosure (bsc#1159003) Bug fixes and enhancements: - Fixed mistake in spec file (bsc#1125689) Update to version 1.40.0 to fix CVE-2019-18802 in envoy-proxy and cilium-proxy (bsc#1166481) * lib: Add nghttp2_check_authority as public API * lib: Fix the bug that stream is closed with wrong error code * lib: Faster huffman encoding and decoding * build: Avoid filename collision of static and dynamic lib * build: Add new flag ENABLE_STATIC_CRT for Windows * build: cmake: Support building nghttpx with systemd * third-party: Update neverbleed to fix memory leak * nghttpx: Fix bug that mruby is incorrectly shared between backends * nghttpx: Reconnect h1 backend if it lost connection before sending headers * nghttpx: Returns 408 if backend timed out before sending headers * nghttpx: Fix request stal - Conditionally remove dependecy on jemalloc for SLE-12 - Require correct library from devel package - boo#1125689 Update to version 1.39.2 (bsc#1146184, bsc#1146182): * This release fixes CVE-2019-9511 “Data Dribble” and CVE-2019-9513 “Resource Loop” vulnerability in nghttpx and nghttpd. Specially crafted HTTP/2 frames cause Denial of Service by consuming CPU time. Check out https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for details. For nghttpx, additionally limiting inbound traffic by --read-rate and --read-burst options is quite effective against this kind of attack. * Add nghttp2_option_set_max_outbound_ack API function * nghttpx: Fix request stall Update to version 1.39.1: * This release fixes the bug that log-level is not set with cmd-line or configuration file. It also fixes FPE with default backend. Changes for version 1.39.0: * libnghttp2 now ignores content-length in 200 response to CONNECT request as per RFC 7230. * mruby has been upgraded to 2.0.1. * libnghttp2-asio now supports boost-1.70. * http-parser has been replaced with llhttp. * nghttpx now ignores Content-Length and Transfer-Encoding in 1xx or 200 to CONNECT. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:729-1 Released: Thu Mar 19 14:44:22 2020 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1166106 This update for glibc fixes the following issues: - Allow dlopen of filter object to work (bsc#1166106, BZ #16272) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:793-1 Released: Wed Mar 25 15:16:00 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1139459,1161262,1162108,1164717,1165579,CVE-2020-1712 This update for systemd fixes the following issues: - manager: fix job mode when signalled to shutdown etc (bsc#1161262) - remove fallback for user/exit.target - dbus method Manager.Exit() does not start exit.target - do not install rescue.target for alt-↑ - %j/%J unit specifiers Added support for I/O scheduler selection with blk-mq (bsc#1165579, bsc#1164717). Added the udev 60-ssd-scheduler.rules: - This rules file which select the default IO scheduler for SSDs is beingmoved out from the git repo since this is not related to systemd or udev at all and is maintained by the kernel team. - core: coldplug possible nop_job (bsc#1139459) - Revert 'udev: use 'deadline' IO scheduler for SSD disks' - Fix typo in function name - polkit: when authorizing via PK let's re-resolve callback/userdata instead of caching it (bsc#1162108 CVE-2020-1712) - sd-bus: introduce API for re-enqueuing incoming messages - polkit: on async pk requests, re-validate action/details ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:814-1 Released: Mon Mar 30 16:23:42 2020 Summary: Recommended update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1 Type: recommended Severity: moderate References: 1161816,1162152,1167223 This update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1 fixes the following issues: libreoffice was updated to 6.4.2.2 (jsc#SLE-11174 jsc#SLE-11175 jsc#SLE-11176 bsc#1167223): Full Release Notes can be found on: https://wiki.documentfoundation.org/ReleaseNotes/6.4 - Fixed broken handling of non-ASCII characters in the KDE filedialog (bsc#1161816) - Move the animation library to core package bsc#1162152 xmlsec1 was updated to 1.2.28: * Added BoringSSL support (chenbd). * Added gnutls-3.6.x support (alonbl). * Added DSA and ECDSA key size getter for MSCNG (vmiklos). * Added --enable-mans configuration option (alonbl). * Added coninuous build integration for MacOSX (vmiklos). * Several other small fixes (more details). - Make sure to recommend at least one backend when you install just xmlsec1 - Drop the gnutls backend as based on the tests it is quite borked: * We still have nss and openssl backend for people to use Version update to 1.2.27: * Added AES-GCM support for OpenSSL and MSCNG (snargit). * Added DSA-SHA256 and ECDSA-SHA384 support for NSS (vmiklos). * Added RSA-OAEP support for MSCNG (vmiklos). * Continuous build integration in Travis and Appveyor. *Several other small fixes (more details). myspell-dictionaries was updated to 20191219: * Updated the English dictionaries: GB+US+CA+AU * Bring shipped Spanish dictionary up to version 2.5 boost was updated to fix: - add a backport of Boost.Optional::has_value() for LibreOffice The QR-Code-generator is shipped: - Initial commit, needed by libreoffice 6.4 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:820-1 Released: Tue Mar 31 13:02:22 2020 Summary: Security update for glibc Type: security Severity: important References: 1167631,CVE-2020-1752 This update for glibc fixes the following issues: - CVE-2020-1752: Fixed a use after free in glob which could have allowed a local attacker to create a specially crafted path that, when processed by the glob function, could potentially have led to arbitrary code execution (bsc#1167631). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:834-1 Released: Tue Mar 31 17:21:34 2020 Summary: Recommended update for permissions Type: recommended Severity: moderate References: 1167163 This update for permissions fixes the following issue: - whitelist s390-tools set group ID (setgid) bit on log directory. (bsc#1167163) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:846-1 Released: Thu Apr 2 07:24:07 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1164950,1166748,1167674 This update for libgcrypt fixes the following issues: - FIPS: Remove an unneeded check in _gcry_global_constructor (bsc#1164950) - FIPS: Fix drbg to be threadsafe (bsc#1167674) - FIPS: Run self-tests from constructor during power-on [bsc#1166748] * Set up global_init as the constructor function: * Relax the entropy requirements on selftest. This is especially important for virtual machines to boot properly before the RNG isavailable: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:917-1 Released: Fri Apr 3 15:02:25 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1166510 This update for pam fixes the following issues: - Moved pam_userdb into a separate package pam-extra. (bsc#1166510) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:948-1 Released: Wed Apr 8 07:44:21 2020 Summary: Security update for gmp, gnutls, libnettle Type: security Severity: moderate References: 1152692,1155327,1166881,1168345,CVE-2020-11501 This update for gmp, gnutls, libnettle fixes the following issues: Security issue fixed: - CVE-2020-11501: Fixed zero random value in DTLS client hello (bsc#1168345) FIPS related bugfixes: - FIPS: Install checksums for binary integrity verification which are required when running in FIPS mode (bsc#1152692, jsc#SLE-9518) - FIPS: Fixed a cfb8 decryption issue, no longer truncate output IV if input is shorter than block size. (bsc#1166881) - FIPS: Added Diffie Hellman public key verification test. (bsc#1155327) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:961-1 Released: Wed Apr 8 13:34:06 2020 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1160979 This update for e2fsprogs fixes the following issues: - e2fsck: clarify overflow link count error message (bsc#1160979) - ext2fs: update allocation info earlier in ext2fs_mkdir() (bsc#1160979) - ext2fs: implement dir entry creation in htree directories (bsc#1160979) - tests: add test to excercise indexed directories with metadata_csum (bsc#1160979) - tune2fs: update dir checksums when clearing dir_index feature (bsc#1160979) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:967-1 Released: Thu Apr 9 11:41:53 2020 Summary: Security update forlibssh Type: security Severity: moderate References: 1168699,CVE-2020-1730 This update for libssh fixes the following issues: - CVE-2020-1730: Fixed a possible denial of service when using AES-CTR (bsc#1168699). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:969-1 Released: Thu Apr 9 11:43:17 2020 Summary: Security update for permissions Type: security Severity: moderate References: 1168364 This update for permissions fixes the following issues: - Fixed spelling of icinga group (bsc#1168364) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:981-1 Released: Mon Apr 13 15:43:44 2020 Summary: Recommended update for rpm Type: recommended Severity: moderate References: 1156300 This update for rpm fixes the following issues: - Fix for language package macros to avoid wrong requirement on shared library. (bsc#1156300) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1026-1 Released: Fri Apr 17 16:14:43 2020 Summary: Recommended update for libsolv Type: recommended Severity: moderate References: 1159314 This update for libsolv fixes the following issues: libsolv was updated to version 0.7.11: - fix solv_zchunk decoding error if large chunks are used (bsc#1159314) - treat retracted pathes as irrelevant - made add_update_target work with multiversion installs ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1047-1 Released: Tue Apr 21 10:33:06 2020 Summary: Recommended update for gnutls Type: recommended Severity: moderate References: 1168835 This update for gnutls fixes the following issues: - Backport AES XTS support (bsc#1168835) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1063-1 Released: Wed Apr 22 10:46:50 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1165539,1169569 This update for libgcrypt fixes the following issues: This update for libgcrypt fixes the following issues: - FIPS: Switch the PCT to use the new signature operation (bsc#1165539) - FIPS: Verify that the generated signature and the original input differ in test_keys function for RSA, DSA and ECC (bsc#1165539) - Add zero-padding when qx and qy have different lengths when assembling the Q point from affine coordinates. - Ship the FIPS checksum file in the shared library package and create a separate trigger file for the FIPS selftests (bsc#1169569) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1108-1 Released: Fri Apr 24 16:31:01 2020 Summary: Recommended update for gnutls Type: recommended Severity: moderate References: 1169992 This update for gnutls fixes the following issues: - FIPS: Do not check for /etc/system-fips which we don't have (bsc#1169992) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1175-1 Released: Tue May 5 08:33:43 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1165011,1168076 This update for systemd fixes the following issues: - Fix check for address to keep interface names stable. (bsc#1168076) - Fix for checking non-normalized WHAT for network FS. (bsc#1165011) - Allow to specify an arbitrary string for when vfs is used. (bsc#1165011) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1214-1 Released: Thu May 7 11:20:34 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1169944 This update for libgcrypt fixes the following issues: - FIPS: libgcrypt: Fixed a double free in test_keys() on failed signature verification (bsc#1169944) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1219-1 Released: Thu May 7 17:10:422020 Summary: Security update for openldap2 Type: security Severity: important References: 1170771,CVE-2020-12243 This update for openldap2 fixes the following issues: - CVE-2020-12243: Fixed a denial of service related to recursive filters (bsc#1170771). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1226-1 Released: Fri May 8 10:51:05 2020 Summary: Recommended update for gcc9 Type: recommended Severity: moderate References: 1149995,1152590,1167898 This update for gcc9 fixes the following issues: This update ships the GCC 9.3 release. - Includes a fix for Internal compiler error when building HepMC (bsc#1167898) - Includes fix for binutils version parsing - Add libstdc++6-pp provides and conflicts to avoid file conflicts with same minor version of libstdc++6-pp from gcc10. - Add gcc9 autodetect -g at lto link (bsc#1149995) - Install go tool buildid for bootstrapping go ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1271-1 Released: Wed May 13 13:17:59 2020 Summary: Recommended update for permissions Type: recommended Severity: important References: 1171173 This update for permissions fixes the following issues: - Remove setuid bit for newgidmap and newuidmap in paranoid profile. (bsc#1171173) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1290-1 Released: Fri May 15 16:39:59 2020 Summary: Recommended update for gnutls Type: recommended Severity: moderate References: 1171422 This update for gnutls fixes the following issues: - Add RSA 4096 key generation support in FIPS mode (bsc#1171422) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1294-1 Released: Mon May 18 07:38:36 2020 Summary: Security update for file Type: security Severity: moderate References: 1154661,1169512,CVE-2019-18218 This update for file fixes the followingissues: Security issues fixed: - CVE-2019-18218: Fixed a heap-based buffer overflow in cdf_read_property_info() (bsc#1154661). Non-security issue fixed: - Fixed broken '--help' output (bsc#1169512). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1299-1 Released: Mon May 18 07:43:21 2020 Summary: Security update for libxml2 Type: security Severity: moderate References: 1159928,1161517,1161521,CVE-2019-19956,CVE-2019-20388,CVE-2020-7595 This update for libxml2 fixes the following issues: - CVE-2019-20388: Fixed a memory leak in xmlSchemaPreRun (bsc#1161521). - CVE-2019-19956: Fixed a memory leak (bsc#1159928). - CVE-2020-7595: Fixed an infinite loop in an EOF situation (bsc#1161517). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1328-1 Released: Mon May 18 17:16:04 2020 Summary: Recommended update for grep Type: recommended Severity: moderate References: 1155271 This update for grep fixes the following issues: - Update testsuite expectations, no functional changes (bsc#1155271) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1361-1 Released: Thu May 21 09:31:18 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1171872 This update for libgcrypt fixes the following issues: - FIPS: RSA/DSA/ECC test_keys() print out debug messages only in debug mode (bsc#1171872) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1400-1 Released: Mon May 25 14:09:02 2020 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1162930 This update for glibc fixes the following issues: - nptl: wait for pending setxid request also in detached thread. (bsc#1162930) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1404-1 Released: Mon May 25 15:32:342020 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1138793,1166260 This update for zlib fixes the following issues: - Including the latest fixes from IBM (bsc#1166260) IBM Z mainframes starting from version z15 provide DFLTCC instruction, which implements deflate algorithm in hardware with estimated compression and decompression performance orders of magnitude faster than the current zlib and ratio comparable with that of level 1. - Add SUSE specific fix to solve bsc#1138793. The fix will avoid to test if the app was linked with exactly same version of zlib like the one that is present on the runtime. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1506-1 Released: Fri May 29 17:22:11 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1087982,1170527 This update for aaa_base fixes the following issues: - Not all XTerm based emulators do have a terminfo entry. (bsc#1087982) - Better support of Midnight Commander. (bsc#1170527) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1532-1 Released: Thu Jun 4 10:16:12 2020 Summary: Security update for libxml2 Type: security Severity: moderate References: 1172021,CVE-2019-19956 This update for libxml2 fixes the following issues: - CVE-2019-19956: Reverted the upstream fix for this memory leak because it introduced other, more severe vulnerabilities (bsc#1172021). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1579-1 Released: Tue Jun 9 17:05:23 2020 Summary: Recommended update for audit Type: recommended Severity: important References: 1156159,1172295 This update for audit fixes the following issues: - Fix hang on startup. (bsc#1156159) - Fix specfile to require libauparse0 and libaudit1 after splitting audit-libs. (bsc#1172295) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1584-1 Released: Tue Jun 9 18:39:15 2020 Summary: Security update for gnutls Type: security Severity: important References: 1172461,1172506,CVE-2020-13777 This update for gnutls fixes the following issues: - CVE-2020-13777: Fixed an insecure session ticket key construction which could have made the TLS server to not bind the session ticket encryption key with a value supplied by the application until the initial key rotation, allowing an attacker to bypass authentication in TLS 1.3 and recover previous conversations in TLS 1.2 (bsc#1172506). - Fixed an improper handling of certificate chain with cross-signed intermediate CA certificates (bsc#1172461). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1611-1 Released: Fri Jun 12 09:38:03 2020 Summary: Recommended update for libsolv, libzypp, zypper Type: recommended Severity: moderate References: 1130873,1154803,1164543,1165476,1165573,1166610,1167122,1168990 This update for libsolv, libzypp, zypper fixes the following issues: libsolv was updated to 0.7.13 to fix: - Fix solvable swapping messing up idarrays - fix ruleinfo of complex dependencies returning the wrong origin libzypp was updated to 17.23.4 to fix: - Get retracted patch status from updateinfo data (jsc#SLE-8770) libsolv injects the indicator provides into packages only. - remove 'using namespace std;' (bsc#1166610, fixes #218) - Online doc: add 'Hardware (modalias) dependencies' page (fixes #216) - Add HistoryLogReader actionFilter to parse only specific HistoryActionIDs. - RepoVariables: Add safe guard in case the caller does not own a zypp instance. - Enable c++17. Define libyzpp CXX_STANDARD in ZyppCommon.cmake. - Fix package status computation regarding unneeded, orphaned, recommended and suggested packages (broken in 17.23.0) (bsc#1165476) - Log patch status changes to history (jsc#SLE-5116) - Allowto disable all WebServer dependent tests when building. OBS wants to be able to get rid of the nginx/FastCGI-devel build requirement. Use 'rpmbuild --without mediabackend_tests' or 'cmake -DDISABLE_MEDIABACKEND_TESTS=1'. - update translations - boost: Fix deprecated auto_unit_test.hpp includes. - Disable zchunk on Leap-15.0 and SLE15-* while there is no libzck. - Fix decision whether to download ZCHUNK files. libzypp and libsolv must both be able to read the format. - yum::Downloader: Prefer zchunk compressed metadata if libvsolv supports it. - Selectable: Fix highestAvailableVersionObj if only retracted packages are available. Avoid using retracted items as candidate (jsc#SLE-8770) - RpmDb: Become rpmdb backend independent (jsc#SLE-7272) - RpmDb: Close API offering a custom rpmdb path It's actually not needed and for this to work also libsolv needs to support it. You can sill use a librpmDb::db_const_iterator to access a database at a custom location (ro). - Remove legacy rpmV3database conversion code. - Reformat manpages to workaround asciidoctor shortcomings (bsc#1154803, bsc#1167122, bsc#1168990) - Remove undocumented rug legacy stuff. - Remove 'using namespace std;' (bsc#1166610) - patch table: Add 'Since' column if history data are available (jsc#SLE-5116) zypper was updated to version 1.14.36: - Tag 'retracted' patch status in info and list-patches (jsc#SLE-8770) - Tag 'R'etracted items in search tabes status columns (jsc#SLE-8770) - Relax 'Do not allow the abbreviation of cli arguments' in legacy distibutions (bsc#1164543) - Correctly detect ambigous switch abbreviations (bsc#1165573) - zypper-aptitude: don't supplement zypper. supplementing zypper means zypper-aptitude gets installed by default and pulls in perl. Neither is desired on small systems. - Do not allow the abbreviation of cli arguments (bsc#1164543) - accoring to according in all translation files. - Always show exception history if available. - Use default package cache location for temporary repos(bsc#1130873) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1637-1 Released: Wed Jun 17 15:07:58 2020 Summary: Recommended update for zypper Type: recommended Severity: important References: 1169947,1172925 This update for zypper fixes the following issues: - Print switch abbrev warning to stderr (bsc#1172925) - Fix typo in man page (bsc#1169947) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1682-1 Released: Fri Jun 19 09:44:54 2020 Summary: Security update for perl Type: security Severity: important References: 1171863,1171864,1171866,1172348,CVE-2020-10543,CVE-2020-10878,CVE-2020-12723 This update for perl fixes the following issues: - CVE-2020-10543: Fixed a heap buffer overflow in regular expression compiler which could have allowed overwriting of allocated memory with attacker's data (bsc#1171863). - CVE-2020-10878: Fixed multiple integer overflows which could have allowed the insertion of instructions into the compiled form of Perl regular expression (bsc#1171864). - CVE-2020-12723: Fixed an attacker's corruption of the intermediate language state of a compiled regular expression (bsc#1171866). - Fixed a bad warning in features.ph (bsc#1172348). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1759-1 Released: Thu Jun 25 18:44:37 2020 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1169357 This update for krb5 fixes the following issue: - Call systemd to reload the services instead of init-scripts. (bsc#1169357) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1760-1 Released: Thu Jun 25 18:46:13 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1157315,1162698,1164538,1169488,1171145,1172072 This update for systemd fixes the following issues: - Merge branch'SUSE/v234' into SLE15 units: starting suspend.target should not fail when suspend is successful (bsc#1172072) core/mount: do not add Before=local-fs.target or remote-fs.target if nofail mount option is set mount: let mount_add_extras() take care of remote-fs.target deps (bsc#1169488) mount: set up local-fs.target/remote-fs.target deps in mount_add_default_dependencies() too udev: rename the persistent link for ATA devices (bsc#1164538) shared/install: try harder to find enablement symlinks when disabling a unit (bsc#1157315) tmpfiles: remove unnecessary assert (bsc#1171145) test-engine: manager_free() was called too early pid1: by default make user units inherit their umask from the user manager (bsc#1162698) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1773-1 Released: Fri Jun 26 08:05:59 2020 Summary: Security update for curl Type: security Severity: important References: 1173027,CVE-2020-8177 This update for curl fixes the following issues: - CVE-2020-8177: Fixed an issue where curl could have been tricked by a malicious server to overwrite a local file when using the -J option (bsc#1173027). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1396-1 Released: Fri Jul 3 12:33:05 2020 Summary: Security update for zstd Type: security Severity: moderate References: 1082318,1133297 This update for zstd fixes the following issues: - Fix for build error caused by wrong static libraries. (bsc#1133297) - Correction in spec file marking the license as documentation. (bsc#1082318) - Add new package for SLE-15. (jsc#ECO-1886) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1856-1 Released: Mon Jul 6 17:05:51 2020 Summary: Security update for openldap2 Type: security Severity: important References: 1172698,1172704,CVE-2020-8023 This update for openldap2 fixes the following issues: - CVE-2020-8023: Fixed apotential local privilege escalation from ldap to root when OPENLDAP_CONFIG_BACKEND='ldap' was used (bsc#1172698). - Changed DB_CONFIG to root:ldap permissions (bsc#1172704). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1860-1 Released: Mon Jul 6 17:09:44 2020 Summary: Security update for permissions Type: security Severity: moderate References: 1171883 This update for permissions fixes the following issues: - Removed conflicting entries which might expose pcp to security issues (bsc#1171883) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1869-1 Released: Tue Jul 7 15:08:12 2020 Summary: Recommended update for libsolv, libzypp, zypper Type: recommended Severity: moderate References: 1130873,1154803,1164543,1165476,1165573,1166610,1167122,1168990,1169947,1170801,1171224,1172135,1172925 This update for libsolv, libzypp, zypper fixes the following issues: libsolv was updated to 0.7.14: - Enable zstd compression support - Support blacklisted packages in solver_findproblemrule() (bnc#1172135) - Support rules with multiple negative literals in choice rule generation - Fix solvable swapping messing up idarrays - fix ruleinfo of complex dependencies returning the wrong origin libzypp was updated to 17.23.7: - Enable zchunk metadata download if libsolv supports it. - Older kernel-devel packages are not properly purged (bsc#1171224) - doc: enhance service plugin example. - Get retracted patch status from updateinfo data (jsc#SLE-8770) libsolv injects the indicator provides into packages only. - remove 'using namespace std;' (bsc#1166610, fixes #218) - Online doc: add 'Hardware (modalias) dependencies' page (fixes #216) - Add HistoryLogReader actionFilter to parse only specific HistoryActionIDs. - RepoVariables: Add safe guard in case the caller does not own a zypp instance. - Enable c++17. Define libyzpp CXX_STANDARD in ZyppCommon.cmake. - Fix package statuscomputation regarding unneeded, orphaned, recommended and suggested packages (broken in 17.23.0) (bsc#1165476) - Log patch status changes to history (jsc#SLE-5116) - Allow to disable all WebServer dependent tests when building. OBS wants to be able to get rid of the nginx/FastCGI-devel build requirement. Use 'rpmbuild --without mediabackend_tests' or 'cmake -DDISABLE_MEDIABACKEND_TESTS=1'. - boost: Fix deprecated auto_unit_test.hpp includes. - Disable zchunk on Leap-15.0 and SLE15-* while there is no libzck. - Fix decision whether to download ZCHUNK files. libzypp and libsolv must both be able to read the format. - yum::Downloader: Prefer zchunk compressed metadata if libvsolv supports it. - Selectable: Fix highestAvailableVersionObj if only retracted packages are available. Avoid using retracted items as candidate (jsc#SLE-8770) - RpmDb: Become rpmdb backend independent (jsc#SLE-7272) - RpmDb: Close API offering a custom rpmdb path It's actually not needed and for this to work also libsolv needs to support it. You can sill use a librpmDb::db_const_iterator to access a database at a custom location (ro). - Remove legacy rpmV3database conversion code. - Fix core dump with corrupted history file (bsc#1170801) zypper was updated to 1.14.37: - Reformat manpages to workaround asciidoctor shortcomings (bsc#1154803, bsc#1167122, bsc#1168990) - Remove undocumented rug legacy stuff. - Remove 'using namespace std;' (bsc#1166610) - patch table: Add 'Since' column if history data are available (jsc#SLE-5116) - Tag 'retracted' patch status in info and list-patches (jsc#SLE-8770) - Tag 'R'etracted items in search tabes status columns (jsc#SLE-8770) - Relax 'Do not allow the abbreviation of cli arguments' in legacy distibutions (bsc#1164543) - Correctly detect ambigous switch abbreviations (bsc#1165573) - zypper-aptitude: don't supplement zypper. supplementing zypper means zypper-aptitude gets installed by default and pulls in perl. Neither is desired on small systems. - Do not allow theabbreviation of cli arguments (bsc#1164543) - accoring to according in all translation files. - Always show exception history if available. - Use default package cache location for temporary repos (bsc#1130873) - Print switch abbrev warning to stderr (bsc#1172925) - Fix typo in man page (bsc#1169947) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2040-1 Released: Fri Jul 24 13:58:53 2020 Summary: Recommended update for libsolv, libzypp Type: recommended Severity: moderate References: 1170801,1171224,1172135,1173106,1174011 This update for libsolv, libzypp fixes the following issues: libsolv was updated to version 0.7.14: - Enable zstd compression support for sle15 - Support blacklisted packages in solver_findproblemrule() (bsc#1172135) - Support rules with multiple negative literals in choice rule generation libzypp was updated to version 17.24.0: - Enable zchunk metadata download if libsolv supports it. - Older kernel-devel packages are not properly purged (bsc#1171224) - doc: enhance service plugin example. - Fix core dump with corrupted history file (bsc#1170801) - Better handling of the purge-kernels algorithm. (bsc#1173106) - Proactively send credentials if the URL specifes '?auth=basic' and a username. (bsc#1174011) - ZYPP_MEDIA_CURL_DEBUG: Strip credentials in header log. (bsc#1174011) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2083-1 Released: Thu Jul 30 10:27:59 2020 Summary: Recommended update for diffutils Type: recommended Severity: moderate References: 1156913 This update for diffutils fixes the following issue: - Disable a sporadically failing test for ppc64 and ppc64le builds. (bsc#1156913) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2099-1 Released: Fri Jul 31 08:06:40 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1173227,1173229,1173422 Thisupdate for systemd fixes the following issues: - migrate-sysconfig-i18n.sh: fixed marker handling (bsc#1173229) The marker is used to make sure the script is run only once. Instead of storing it in /usr, use /var which is more appropriate for such file. Also make it owned by systemd package. - Fix inconsistent file modes for some ghost files (bsc#1173227) Ghost files are assumed by rpm to have mode 000 by default which is not consistent with file permissions set at runtime. Also /var/lib/systemd/random-seed was tracked wrongly as a directory. Also don't track (ghost) /etc/systemd/system/runlevel*.target aliases since we're not supposed to track units or aliases user might define/override. - Fix build of systemd on openSUSE Leap 15.2 (bsc#1173422) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2224-1 Released: Thu Aug 13 09:15:47 2020 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1171878,1172085 This update for glibc fixes the following issues: - Fix concurrent changes on nscd aware files appeared by 'getent' when the NSCD cache was enabled. (bsc#1171878, BZ #23178) - Implement correct locking and cancellation cleanup in syslog functions. (bsc#1172085, BZ #26100) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2278-1 Released: Wed Aug 19 21:26:08 2020 Summary: Recommended update for util-linux Type: recommended Severity: moderate References: 1149911,1151708,1168235,1168389 This update for util-linux fixes the following issues: - blockdev: Do not fail --report on kpartx-style partitions on multipath. (bsc#1168235) - nologin: Add support for -c to prevent error from su -c. (bsc#1151708) - Avoid triggering autofs in lookup_umount_fs_by_statfs. (bsc#1168389) - mount: Fall back to device node name if /dev/mapper link not found. (bsc#1149911) ----------------------------------------------------------------- Advisory ID:SUSE-RU-2020:2284-1 Released: Thu Aug 20 16:04:17 2020 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: important References: 1010996,1071152,1071390,1154871,1174673,973042 This update for ca-certificates-mozilla fixes the following issues: update to 2.42 state of the Mozilla NSS Certificate store (bsc#1174673) Removed CAs: * AddTrust External CA Root * AddTrust Class 1 CA Root * LuxTrust Global Root 2 * Staat der Nederlanden Root CA - G2 * Symantec Class 1 Public Primary Certification Authority - G4 * Symantec Class 2 Public Primary Certification Authority - G4 * VeriSign Class 3 Public Primary Certification Authority - G3 Added CAs: * certSIGN Root CA G2 * e-Szigno Root CA 2017 * Microsoft ECC Root Certificate Authority 2017 * Microsoft RSA Root Certificate Authority 2017 - reverted p11-kit nss trust integration as it breaks in fresh installations (bsc#1154871) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2384-1 Released: Sat Aug 29 00:57:13 2020 Summary: Recommended update for e2fsprogs Type: recommended Severity: low References: 1170964 This update for e2fsprogs fixes the following issues: - Fix for an issue when system message with placeholders are not properly replaced. (bsc#1170964) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2411-1 Released: Tue Sep 1 13:28:47 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1142733,1146991,1158336,1172195,1172824,1173539 This update for systemd fixes the following issues: - Improve logging when PID1 fails at setting a namespace up when spawning a command specified by 'Exec*='. (bsc#1172824, bsc#1142733) pid1: improve message when setting up namespace fails. execute: let's close glibc syslog channels too. execute: normalize logging in *execute.c*. execute: fix typo in error message. execute: drop explicit *log_open()*/*log_close()* now that it is unnecessary. execute: make use of the new logging mode in *execute.c* log: add a mode where we open the log fds for every single log message. log: let's make use of the fact that our functions return the negative error code for *log_oom()* too. execute: downgrade a log message ERR → WARNING, since we proceed ignoring its result. execute: rework logging in *setup_keyring()* to include unit info. execute: improve and augment execution log messages. - vconsole-setup: downgrade log message when setting font fails on dummy console. (bsc#1172195 bsc#1173539) - fix infinite timeout. (bsc#1158336) - bpf: mount bpffs by default on boot. (bsc#1146991) - man: explain precedence for options which take a list. - man: unify titling, fix description of precedence in sysusers.d(5) - udev-event: fix timeout log messages. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2420-1 Released: Tue Sep 1 13:48:35 2020 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1174551,1174736 This update for zlib provides the following fixes: - Permit a deflateParams() parameter change as soon as possible. (bsc#1174736) - Fix DFLTCC not flushing EOBS when creating raw streams. (bsc#1174551) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:2446-1 Released: Wed Sep 2 09:33:22 2020 Summary: Security update for curl Type: security Severity: moderate References: 1175109,CVE-2020-8231 This update for curl fixes the following issues: - An application that performs multiple requests with libcurl's multi API and sets the 'CURLOPT_CONNECT_ONLY' option, might in rare circumstances experience that when subsequently using the setup connect-only transfer, libcurl will pick and use the wrong connection and instead pick another one the application has created since then. [bsc#1175109,CVE-2020-8231] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:2581-1 Released: Wed Sep 9 13:07:07 2020 Summary: Security update for openldap2 Type: security Severity: moderate References: 1174154,CVE-2020-15719 This update for openldap2 fixes the following issues: - bsc#1174154 - CVE-2020-15719 - This resolves an issue with x509 SAN's falling back to CN validation in violation of rfc6125. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:2612-1 Released: Fri Sep 11 11:18:01 2020 Summary: Security update for libxml2 Type: security Severity: moderate References: 1176179,CVE-2020-24977 This update for libxml2 fixes the following issues: - CVE-2020-24977: Fixed a global-buffer-overflow in xmlEncodeEntitiesInternal (bsc#1176179). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2651-1 Released: Wed Sep 16 14:42:55 2020 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1175811,1175830,1175831 This update for zlib fixes the following issues: - Fix compression level switching (bsc#1175811, bsc#1175830, bsc#1175831) - Enable hardware compression on s390/s390x (jsc#SLE-13776) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2704-1 Released: Tue Sep 22 15:06:36 2020 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1174079 This update for krb5 fixes the following issue: - Fix prefix reported by krb5-config, libraries and headers are not installed under /usr/lib/mit prefix. (bsc#1174079) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:2712-1 Released: Tue Sep 22 17:08:03 2020 Summary: Security update for openldap2 Type: security Severity: moderate References: 1175568,CVE-2020-8027 This update for openldap2 fixes the following issues: -CVE-2020-8027: openldap_update_modules_path.sh starts daemons unconditionally and uses fixed paths in /tmp (bsc#1175568). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2818-1 Released: Thu Oct 1 10:38:55 2020 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1165424,1173273,1173529,1174240,1174561,1174918,1175342,1175592 This update for libzypp, zypper provides the following fixes: Changes in libzypp: - VendorAttr: Const-correct API and let Target provide its settings. (bsc#1174918) - Support buildnr with commit hash in purge-kernels. This adds special behaviour for when a kernel version has the rebuild counter before the kernel commit hash. (bsc#1175342) - Improve Italian translation of the 'breaking dependencies' message. (bsc#1173529) - Make sure reading from lsof does not block forever. (bsc#1174240) - Just collect details for the signatures found. Changes in zypper: - man: Enhance description of the global package cache. (bsc#1175592) - man: Point out that plain rpm packages are not downloaded to the global package cache. (bsc#1173273) - Directly list subcommands in 'zypper help'. (bsc#1165424) - Remove extern C block wrapping augeas.h as it breaks the build on Arch Linux. - Point out that plaindir repos do not follow symlinks. (bsc#1174561) - Fix help command for list-patches. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:2830-1 Released: Fri Oct 2 10:34:26 2020 Summary: Security update for permissions Type: security Severity: moderate References: 1161335,1176625 This update for permissions fixes the following issues: - whitelist WMP (bsc#1161335, bsc#1176625) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2869-1 Released: Tue Oct 6 16:13:20 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1011548,1153943,1153946,1161239,1171762 This update for aaa_base fixes the following issues: - DIR_COLORS (bug#1006973): - add screen.xterm-256color - add TERM rxvt-unicode-256color - sort and merge TERM entries in etc/DIR_COLORS - check for Packages.db and use this instead of Packages. (bsc#1171762) - Rename path() to _path() to avoid using a general name. - refresh_initrd call modprobe as /sbin/modprobe (bsc#1011548) - etc/profile add some missing ;; in case esac statements - profile and csh.login: on s390x set TERM to dumb on dumb terminal (bsc#1153946) - backup-rpmdb: exit if zypper is running (bsc#1161239) - Add color alias for ip command (jsc#sle-9880, jsc#SLE-7679, bsc#1153943) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:2901-1 Released: Tue Oct 13 14:22:43 2020 Summary: Security update for libproxy Type: security Severity: important References: 1176410,1177143,CVE-2020-25219,CVE-2020-26154 This update for libproxy fixes the following issues: - CVE-2020-25219: Rewrote url::recvline to be nonrecursive (bsc#1176410). - CVE-2020-26154: Fixed a buffer overflow when PAC is enabled (bsc#1177143). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:2914-1 Released: Tue Oct 13 17:25:20 2020 Summary: Security update for bind Type: security Severity: moderate References: 1100369,1109160,1118367,1118368,1128220,1156205,1157051,1161168,1170667,1170713,1171313,1171740,1172958,1173307,1173311,1173983,1175443,1176092,1176674,906079,CVE-2017-3136,CVE-2018-5741,CVE-2019-6477,CVE-2020-8616,CVE-2020-8617,CVE-2020-8618,CVE-2020-8619,CVE-2020-8620,CVE-2020-8621,CVE-2020-8622,CVE-2020-8623,CVE-2020-8624 This update for bind fixes the following issues: BIND was upgraded to version 9.16.6: Note: - bind is now more strict in regards to DNSSEC. If queries are not working, check for DNSSEC issues. For instance, if bind is used in a namserver forwarder chain, the forwarding DNS serversmust support DNSSEC. Fixing security issues: - CVE-2020-8616: Further limit the number of queries that can be triggered from a request. Root and TLD servers are no longer exempt from max-recursion-queries. Fetches for missing name server. (bsc#1171740) Address records are limited to 4 for any domain. - CVE-2020-8617: Replaying a TSIG BADTIME response as a request could trigger an assertion failure. (bsc#1171740) - CVE-2019-6477: Fixed an issue where TCP-pipelined queries could bypass the tcp-clients limit (bsc#1157051). - CVE-2018-5741: Fixed the documentation (bsc#1109160). - CVE-2020-8618: It was possible to trigger an INSIST when determining whether a record would fit into a TCP message buffer (bsc#1172958). - CVE-2020-8619: It was possible to trigger an INSIST in lib/dns/rbtdb.c:new_reference() with a particular zone content and query patterns (bsc#1172958). - CVE-2020-8624: 'update-policy' rules of type 'subdomain' were incorrectly treated as 'zonesub' rules, which allowed keys used in 'subdomain' rules to update names outside of the specified subdomains. The problem was fixed by making sure 'subdomain' rules are again processed as described in the ARM (bsc#1175443). - CVE-2020-8623: When BIND 9 was compiled with native PKCS#11 support, it was possible to trigger an assertion failure in code determining the number of bits in the PKCS#11 RSA public key with a specially crafted packet (bsc#1175443). - CVE-2020-8621: named could crash in certain query resolution scenarios where QNAME minimization and forwarding were both enabled (bsc#1175443). - CVE-2020-8620: It was possible to trigger an assertion failure by sending a specially crafted large TCP DNS message (bsc#1175443). - CVE-2020-8622: It was possible to trigger an assertion failure when verifying the response to a TSIG-signed request (bsc#1175443). Other issues fixed: - Add engine support to OpenSSL EdDSA implementation. - Add engine support to OpenSSL ECDSA implementation. - Update PKCS#11 EdDSAimplementation to PKCS#11 v3.0. - Warn about AXFR streams with inconsistent message IDs. - Make ISC rwlock implementation the default again. - Fixed issues when using cookie-secrets for AES and SHA2 (bsc#1161168) - Installed the default files in /var/lib/named and created chroot environment on systems using transactional-updates (bsc#1100369, fate#325524) - Fixed an issue where bind was not working in FIPS mode (bsc#906079). - Fixed dependency issues (bsc#1118367 and bsc#1118368). - GeoIP support is now discontinued, now GeoIP2 is used(bsc#1156205). - Fixed an issue with FIPS (bsc#1128220). - The liblwres library is discontinued upstream and is no longer included. - Added service dependency on NTP to make sure the clock is accurate when bind is starts (bsc#1170667, bsc#1170713). - Reject DS records at the zone apex when loading master files. Log but otherwise ignore attempts to add DS records at the zone apex via UPDATE. - The default value of 'max-stale-ttl' has been changed from 1 week to 12 hours. - Zone timers are now exported via statistics channel. - The 'primary' and 'secondary' keywords, when used as parameters for 'check-names', were not processed correctly and were being ignored. - 'rndc dnstap -roll ' did not limit the number of saved files to . - Add 'rndc dnssec -status' command. - Addressed a couple of situations where named could crash. - Changed /var/lib/named to owner root:named and perms rwxrwxr-t so that named, being a/the only member of the 'named' group has full r/w access yet cannot change directories owned by root in the case of a compromized named. [bsc#1173307, bind-chrootenv.conf] - Added '/etc/bind.keys' to NAMED_CONF_INCLUDE_FILES in /etc/sysconfig/named to suppress warning message re missing file (bsc#1173983). - Removed '-r /dev/urandom' from all invocations of rndc-confgen (init/named system/lwresd.init system/named.init in vendor-files) as this option is deprecated and causes rndc-confgen to fail. (bsc#1173311, bsc#1176674, bsc#1170713) - /usr/bin/genDDNSkey:Removing the use of the -r option in the call of /usr/sbin/dnssec-keygen as BIND now uses the random number functions provided by the crypto library (i.e., OpenSSL or a PKCS#11 provider) as a source of randomness rather than /dev/random. Therefore the -r command line option no longer has any effect on dnssec-keygen. Leaving the option in genDDNSkey as to not break compatibility. Patch provided by Stefan Eisenwiener. [bsc#1171313] - Put libns into a separate subpackage to avoid file conflicts in the libisc subpackage due to different sonums (bsc#1176092). - Require /sbin/start_daemon: both init scripts, the one used in systemd context as well as legacy sysv, make use of start_daemon. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:2947-1 Released: Fri Oct 16 15:23:07 2020 Summary: Security update for gcc10, nvptx-tools Type: security Severity: moderate References: 1172798,1172846,1173972,1174753,1174817,1175168,CVE-2020-13844 This update for gcc10, nvptx-tools fixes the following issues: This update provides the GCC10 compiler suite and runtime libraries. The base SUSE Linux Enterprise libraries libgcc_s1, libstdc++6 are replaced by the gcc10 variants. The new compiler variants are available with '-10' suffix, you can specify them via: CC=gcc-10 CXX=g++-10 or similar commands. For a detailed changelog check out https://gcc.gnu.org/gcc-10/changes.html Changes in nvptx-tools: - Enable build on aarch64 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2958-1 Released: Tue Oct 20 12:24:55 2020 Summary: Recommended update for procps Type: recommended Severity: moderate References: 1158830 This update for procps fixes the following issues: - Fixes an issue when command 'ps -C' does not allow anymore an argument longer than 15 characters. (bsc#1158830) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2983-1 Released: WedOct 21 15:03:03 2020 Summary: Recommended update for file Type: recommended Severity: moderate References: 1176123 This update for file fixes the following issues: - Fixes an issue when file displays broken 'ELF' interpreter. (bsc#1176123) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:2988-1 Released: Wed Oct 21 17:35:34 2020 Summary: Security update for gnutls Type: security Severity: moderate References: 1176086,1176181,1176671,CVE-2020-24659 This update for gnutls fixes the following issues: - Fix heap buffer overflow in handshake with no_renegotiation alert sent (CVE-2020-24659 bsc#1176181) - FIPS: Implement (EC)DH requirements from SP800-56Arev3 (bsc#1176086) - FIPS: Use 2048 bit prime in DH selftest (bsc#1176086) - FIPS: Add TLS KDF selftest (bsc#1176671) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3048-1 Released: Tue Oct 27 16:04:52 2020 Summary: Recommended update for libsolv, libzypp, yaml-cpp, zypper Type: recommended Severity: moderate References: 1174918,1176192,1176435,1176712,1176740,1176902,1177238,935885 This update for libsolv, libzypp, yaml-cpp, zypper fixes the following issues: libzypp was updated to 17.25.1: - When kernel-rt has been installed, the purge-kernels service fails during boot. (bsc#1176902) - Use package name provides as group key in purge-kernel (bsc#1176740 bsc#1176192) kernel-default-base has new packaging, where the kernel uname -r does not reflect the full package version anymore. This patch adds additional logic to use the most generic/shortest edition each package provides with %{packagename}= to group the kernel packages instead of the rpm versions. This also changes how the keep-spec for specific versions is applied, instead of matching the package versions, each of the package name provides will be matched. - RepoInfo: Return the type of the local metadata cache as fallback (bsc#1176435) -VendorAttr: Fix broken 'suse,opensuse' equivalence handling. Enhance API and testcases. (bsc#1174918) - Update docs regarding 'opensuse' namepace matching. - Link against libzstd to close libsolvs open references (as we link statically) yaml-cpp: - The libyaml-cpp0_6 library package is added the to the Basesystem module, LTSS and ESPOS channels, and the INSTALLER channels, as a new libzypp dependency. No source changes were done to yaml-cpp. zypper was updated to 1.14.40: - info: Assume descriptions starting with ' ' are richtext (bsc#935885) - help: prevent 'whatis' from writing to stderr (bsc#1176712) - wp: point out that command is aliased to a search command and searches case-insensitive (jsc#SLE-16271) libsolv was updated to 0.7.15 to fix: - make testcase_mangle_repo_names deal correctly with freed repos [bsc#1177238] - fix deduceq2addedmap clearing bits outside of the map - conda: feature depriorization first - conda: fix startswith implementation - move find_update_seeds() call in cleandeps calculation - set SOLVABLE_BUILDHOST in rpm and rpmmd parsers- new testcase_mangle_repo_names() function - new solv_fmemopen() function ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3138-1 Released: Tue Nov 3 12:14:03 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1104902,1154935,1165502,1167471,1173422,1176513,1176800 This update for systemd fixes the following issues: - seccomp: shm{get,at,dt} now have their own numbers everywhere (bsc#1173422) - test-seccomp: log function names - test-seccomp: add log messages when skipping tests - basic/virt: Detect PowerVM hypervisor (bsc#1176800) - fs-util: suppress world-writable warnings if we read /dev/null - udevadm: rename option '--log-priority' into '--log-level' - udev: rename kernel option 'log_priority' into 'log_level' - fstab-generator: add 'nofail' when NFS 'bg' option is used (bsc#1176513) - Fix memory protection default(bsc#1167471) - cgroup: Support 0-value for memory protection directives and accepts MemorySwapMax=0 (bsc#1154935) - Improve latency and reliability when users log in/out (bsc#1104902, bsc#1165502) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3234-1 Released: Fri Nov 6 16:01:36 2020 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1177864 This update for ca-certificates-mozilla fixes the following issues: The SSL Root CA store was updated to the 2.44 state of the Mozilla NSS Certificate store (bsc#1177864) - Removed CAs: - EE Certification Centre Root CA - Taiwan GRCA - Added CAs: - Trustwave Global Certification Authority - Trustwave Global ECC P256 Certification Authority - Trustwave Global ECC P384 Certification Authority ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3285-1 Released: Wed Nov 11 11:22:14 2020 Summary: Recommended update for libsolv, libzypp, zypper Type: recommended Severity: moderate References: 1174918,1176192,1176435,1176712,1176740,1176902,1177238,935885 This update for libsolv, libzypp, zypper fixes the following issues: libzypp was updated to version 17.25.1: - Fix bsc#1176902: When kernel-rt has been installed, the purge-kernels service fails during boot. - Use package name provides as group key in purge-kernel (bsc#1176740 bsc#1176192) kernel-default-base has new packaging, where the kernel uname -r does not reflect the full package version anymore. This patch adds additional logic to use the most generic/shortest edition each package provides with %{packagename}= to group the kernel packages instead of the rpm versions. This also changes how the keep-spec for specific versions is applied, instead of matching the package versions, each of the package name provides will be matched. - RepoInfo: Return the type of the local metadata cache as fallback(bsc#1176435) - VendorAttr: Fix broken 'suse,opensuse' equivalence handling. Enhance API and testcases. (bsc#1174918) - Update docs regarding 'opensuse' namepace matching. - New solver testcase format. - Link against libzsd to close libsolvs open references (as we link statically) zypper was updated to version 1.14.40. - info: Assume descriptions starting with ' ' are richtext (bsc#935885) - Use new testcase API in libzypp. - BuildRequires: libzypp-devel > = 17.25.0. - help: prevent 'whatis' from writing to stderr (bsc#1176712) - wp: point out that command is aliased to a search command and searches case-insensitive (jsc#SLE-16271) libsolv was updated to version 0.7.16: - do not ask the namespace callback for splitprovides when writing a testcase - fix add_complex_recommends() selecting conflicted packages in rare cases leading to crashes - improve choicerule generation so that package updates are prefered in more cases - make testcase_mangle_repo_names deal correctly with freed repos [bsc#1177238] - fix deduceq2addedmap clearing bits outside of the map - conda: feature depriorization first - conda: fix startswith implementation - move find_update_seeds() call in cleandeps calculation - set SOLVABLE_BUILDHOST in rpm and rpmmd parsers- new testcase_mangle_repo_names() function - new solv_fmemopen() function ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3290-1 Released: Wed Nov 11 12:25:32 2020 Summary: Recommended update for findutils Type: recommended Severity: moderate References: 1174232 This update for findutils fixes the following issues: - Do not unconditionally use leaf optimization for NFS. (bsc#1174232) NFS st_nlink are not accurate on all implementations, leading to aborts() if that assumption is made. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3313-1 Released: Thu Nov 12 16:07:37 2020 Summary: Security update for openldap2 Type: security Severity: important References: 1178387,CVE-2020-25692 This update for openldap2 fixes the following issues: - CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3377-1 Released: Thu Nov 19 09:29:32 2020 Summary: Security update for krb5 Type: security Severity: moderate References: 1178512,CVE-2020-28196 This update for krb5 fixes the following security issue: - CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3381-1 Released: Thu Nov 19 10:53:38 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1177458,1177490,1177510 This update for systemd fixes the following issues: - build-sys: optionally disable support of journal over the network (bsc#1177458) - ask-password: prevent buffer overflow when reading from keyring (bsc#1177510) - mount: don't propagate errors from mount_setup_unit() further up - Rely on the new build option --disable-remote for journal_remote This allows to drop the workaround that consisted in cleaning journal-upload files and {sysusers.d,tmpfiles.d}/systemd-remote.conf manually when 'journal_remote' support was disabled. - Move journal-{remote,upload}.conf.5.gz man pages into systemd-journal_remote sub package - Make sure {sysusers.d,tmpfiles.d}/systemd-remote.conf are not shipped with --without=journal_remote (bsc#1177458) These files were incorrectly packaged in the main package when systemd-journal_remote was disabled. - Make use of %{_unitdir} and %{_sysusersdir} - Remove mq-deadline selection from 60-io-scheduler.rules (bsc#1177490) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3462-1 Released: Fri Nov 20 13:14:35 2020 Summary: Recommendedupdate for pam and sudo Type: recommended Severity: moderate References: 1174593,1177858,1178727 This update for pam and sudo fixes the following issue: pam: - pam_xauth: do not *free* a string which has been successfully passed to *putenv*. (bsc#1177858) - Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727) - Run /usr/bin/xauth using the old user's and group's identifiers. (bsc#1174593) sudo: - Fix a problem with pam_xauth which checks effective and real uids to get the real identity of the user. (bsc#1174593) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3546-1 Released: Fri Nov 27 11:21:09 2020 Summary: Recommended update for gnutls Type: recommended Severity: moderate References: 1172695 This update for gnutls fixes the following issue: - Avoid spurious audit messages about incompatible signature algorithms (bsc#1172695) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3560-1 Released: Mon Nov 30 12:21:34 2020 Summary: Recommended update for openssl-1_1 Type: recommended Severity: moderate References: 1158499,1160158,1161198,1161203,1163569,1165281,1165534,1166848,1175847,1177479 This update for openssl-1_1 fixes the following issues: This update backports various bugfixes for FIPS: - Restore private key check in EC_KEY_check_key [bsc#1177479] - Add shared secret KAT to FIPS DH selftest [bsc#1175847] - Include ECDH/DH Requirements from SP800-56Arev3 [bsc#1175847] - Fix locking issue uncovered by python testsuite (bsc#1166848) - Fix the sequence of locking operations in FIPS mode [bsc#1165534] - Fix deadlock in FIPS rand code (bsc#1165281) - Fix wrong return values of FIPS DSA and ECDH selftests (bsc#1163569) - Fix FIPS DRBG without derivation function (bsc#1161198) - Allow md5_sha1 in FIPS mode to enable TLS 1.0 (bsc#1161203) - Obsolete libopenssl-1_0_0-hmac for a clean upgrade from SLE-12 (bsc#1158499) -Restore the EVP_PBE_scrypt() behavior from before the KDF patch by treating salt=NULL as salt=' (bsc#1160158) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3579-1 Released: Tue Dec 1 14:24:31 2020 Summary: Recommended update for glib2 Type: recommended Severity: moderate References: 1178346 This update for glib2 fixes the following issues: - Add support for slim format of timezone. (bsc#1178346) - Fix DST incorrect end day when using slim format. (bsc#1178346) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3581-1 Released: Tue Dec 1 14:40:22 2020 Summary: Recommended update for libusb-1_0 Type: recommended Severity: moderate References: 1178376 This update for libusb-1_0 fixes the following issues: - Fixes a build failure for libusb for the inclusion of 'sys/time.h' on PowerPC. (bsc#1178376) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3620-1 Released: Thu Dec 3 17:03:55 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: This update for pam fixes the following issues: - Check if the password is part of the username. (jsc#SLE-16719, jsc#SLE-16720) - Check whether the password contains a substring of of the user's name of at least ` ` characters length in some form. This is enabled by the new parameter `usersubstr= ` ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3703-1 Released: Mon Dec 7 20:17:32 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1179431 This update for aaa_base fixes the following issue: - Avoid semicolon within (t)csh login script on S/390. (bsc#1179431) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3720-1 Released: Wed Dec 9 13:36:26 2020 Summary: Security update for openssl-1_1 Type: security Severity: important References: 1179491,CVE-2020-1971 This update for openssl-1_1 fixes the following issues: - CVE-2020-1971: Fixed a null pointer dereference in EDIPARTYNAME (bsc#1179491). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3733-1 Released: Wed Dec 9 18:18:35 2020 Summary: Security update for curl Type: security Severity: moderate References: 1179398,1179399,1179593,CVE-2020-8284,CVE-2020-8285,CVE-2020-8286 This update for curl fixes the following issues: - CVE-2020-8286: Fixed improper OSCP verification in the client side (bsc#1179593). - CVE-2020-8285: Fixed a stack overflow due to FTP wildcard (bsc#1179399). - CVE-2020-8284: Fixed an issue where a malicius FTP server could make curl connect to a different IP (bsc#1179398). . The refreshed caasp/v4/cloud-provider-openstack image incorporates critical security updates aimed at addressing potential vulnerabilities.. SUSE Update, caasp, OpenStack, cloud security, Linux updates. . Severity: Important. LinuxSecurity.com Team

Calendar 2 Dec 12, 2020 Important SuSE
News Add Esm H240

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Community Poll

More Polls

What got you started with Linux?

No answer selected. Please try again.
Please select either existing option or enter your own, however not both.
Please select minimum {0} answer(s).
Please select maximum {0} answer(s).
/main-polls/150-what-got-you-started-with-linux?task=poll.vote&format=json
150
radio
0
[{"id":483,"title":"Self-taught through trial and error","votes":548,"type":"x","order":1,"pct":78.51,"resources":[]},{"id":484,"title":"Formal training or courses","votes":30,"type":"x","order":2,"pct":4.3,"resources":[]},{"id":485,"title":"A job that required it","votes":34,"type":"x","order":3,"pct":4.87,"resources":[]},{"id":486,"title":"Other","votes":86,"type":"x","order":4,"pct":12.32,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
bottom 200

Search Topics

Your message here