The container ses/7.1/rook/ceph was updated. The following patches have been included in this update:

SUSE Container Update Advisory: ses/7.1/rook/ceph
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3084-1
Container Tags        : ses/7.1/rook/ceph:1.11.9 , ses/7.1/rook/ceph:1.11.9.0 , ses/7.1/rook/ceph:1.11.9.0.4.7.1 , ses/7.1/rook/ceph:latest , ses/7.1/rook/ceph:sle15.3.pacific
Container Release     : 4.7.1
Severity              : important
Type                  : security
References            : 1089497 1099269 1103893 1112183 1133277 1144068 1157881 1158763 1162343 1177127
                        1178168 1182066 1182142 1184753 1186673 1193412 1194530 1197726 1198165 1198331
                        1199282 1200710 1201627 1202234 1203681 1203750 1204072 1204256 1206627 1207534
                        1207805 1208721 1209229 1209279 1209536 1209565 1209859 1210740 1210999 1211078
                        1211079 1211158 1211261 1211419 1211661 1211674 1211828 1212126 1212187 1212187
                        1212222 1212260 1213004 1213008 1213189 1213231 1213282 1213487 1213504 1213514
                        1213517 1213557 1213582 1213582 1213673 1213853 1214025 1214052 1214054 1214071
                        1214248 1214290 1214768
                        CVE-2007-4559 CVE-2018-1000518 CVE-2020-25659 CVE-2020-36242 CVE-2021-22569
                        CVE-2021-22570 CVE-2022-1941 CVE-2022-3171 CVE-2022-41409 CVE-2022-4304
                        CVE-2023-22652 CVE-2023-2603 CVE-2023-30078 CVE-2023-30079 CVE-2023-31484
                        CVE-2023-32181 CVE-2023-32681 CVE-2023-3446 CVE-2023-34969 CVE-2023-36054
                        CVE-2023-3817 CVE-2023-38408 CVE-2023-39615 CVE-2023-4016 CVE-2023-4039
                        CVE-2023-4156
-----------------------------------------------------------------
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2497-1
Released:    Tue Jun 13 15:37:25 2023
Summary:     Recommended update for libzypp
Type:        recommended
Severity:    important
References:  1211661,1212187

This update for libzypp fixes the following issues:

- Fix 'Curl error 92' when synchronizing SUSE Manager repositories. [bsc#1212187]
- Do not unconditionally release a medium if provideFile failed. [bsc#1211661]
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2517-1
Released:    Thu Jun 15 07:09:52 2023
Summary:     Security update for python3
Type:        security
Severity:    moderate
References:  1203750,1211158,CVE-2007-4559

This update for python3 fixes the following issues:

- CVE-2007-4559: Fixed filter for tarfile.extractall (bsc#1203750).
- Fixed unittest.mock.patch.dict returning a function when applied to coroutines (bsc#1211158).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2625-1
Released:    Fri Jun 23 17:16:11 2023
Summary:     Recommended update for gcc12
Type:        recommended
Severity:    moderate
References:

This update for gcc12 fixes the following issues:

- Update to GCC 12.3 release, 0c61aa720e62f1baf0bfd178e283, git1204
  * includes regression and other bug fixes
- Speed up builds with --enable-link-serialization.
- Update embedded newlib to version 4.2.0
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2742-1
Released:    Fri Jun 30 11:40:56 2023
Summary:     Recommended update for autoyast2, libzypp, yast2-pkg-bindings, yast2-update, zypper
Type:        recommended
Severity:    moderate
References:  1202234,1209565,1211261,1212187,1212222

This update for yast2-pkg-bindings fixes the following issues:

libzypp was updated to version 17.31.14 (22):

- Curl: trim all custom headers (bsc#1212187)
  HTTP/2 RFC 9113 forbids fields ending with a space.
  So we make sure all custom headers are trimmed. This also includes headers returned by URL-Resolver plugins.
- build: honor libproxy.pc's includedir (bsc#1212222)

zypper was updated to version 1.14.61:

- targetos: Add an error note if XPath:/product/register/target is not defined in /etc/products.d/baseproduct (bsc#1211261)
- targetos: Update help and man page (bsc#1211261)

yast2-pkg-bindings, autoyast:

- Added a new option for rebuilding the RPM database (--rebuilddb) (bsc#1209565)
- Selected products are not installed after resetting the package manager internally (bsc#1202234)

yast2-update:

- Rebuild the RPM database during upgrade (--rebuilddb) (bsc#1209565)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2783-1
Released:    Tue Jul 4 22:08:19 2023
Summary:     Security update for grpc, protobuf, python-Deprecated, python-PyGithub, python-aiocontextvars, python-avro, python-bcrypt, python-cryptography, python-cryptography-vectors, python-google-api-core, python-googleapis-common-protos, python-grpcio-gcp, python-humanfriendly, python-jsondiff, python-knack, python-opencensus, python-opencensus-context, python-opencensus-ext-threading, python-opentelemetry-api, python-psutil, python-pytest-asyncio, python-requests, python-websocket-client, python-websockets
Type:        security
Severity:    important
References:  1099269,1133277,1144068,1162343,1177127,1178168,1182066,1184753,1194530,1197726,1198331,1199282,1203681,1204256,CVE-2018-1000518,CVE-2020-25659,CVE-2020-36242,CVE-2021-22569,CVE-2021-22570,CVE-2022-1941,CVE-2022-3171

This update for grpc, protobuf, python-Deprecated, python-PyGithub, python-aiocontextvars, python-avro, python-bcrypt, python-cryptography, python-cryptography-vectors, python-google-api-core, python-googleapis-common-protos, python-grpcio-gcp, python-humanfriendly, python-jsondiff, python-knack, python-opencensus, python-opencensus-context, python-opencensus-ext-threading, python-opentelemetry-api, python-psutil,
python-pytest-asyncio, python-requests, python-websocket-client, python-websockets fixes the following issues:

grpc:

- Update in SLE-15 (bsc#1197726, bsc#1144068)

protobuf:

- Fix a potential DoS issue in protobuf-cpp and protobuf-python, CVE-2022-1941, bsc#1203681
- Fix a potential DoS issue when parsing with binary data in protobuf-java, CVE-2022-3171, bsc#1204256
- Fix potential Denial of Service in protobuf-java in the parsing procedure for binary data, CVE-2021-22569, bsc#1194530
- Add missing dependency of python subpackages on python-six (bsc#1177127)
- Updated to version 3.9.2 (bsc#1162343)
  * Remove OSReadLittle* due to alignment requirements.
  * Don't use unions and instead use memcpy for the type swaps.
- Disable LTO (bsc#1133277)

python-aiocontextvars:

- Include in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)

python-avro:

- Include in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
- Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)

python-cryptography:

- update to 3.3.2 (bsc#1182066, CVE-2020-36242, bsc#1198331)
  * SECURITY ISSUE: Fixed a bug where certain sequences of update() calls when symmetrically encrypting very large payloads (> 2GB) could result in an integer overflow, leading to buffer overflows. CVE-2020-36242

python-cryptography-vectors:

- update to 3.2 (bsc#1178168, CVE-2020-25659):
  * CVE-2020-25659: Attempted to make RSA PKCS#1v1.5 decryption more constant time, to protect against Bleichenbacher vulnerabilities. Due to limitations imposed by our API, we cannot completely mitigate this vulnerability.
  * Support for OpenSSL 1.0.2 has been removed.
  * Added basic support for PKCS7 signing (including SMIME) via PKCS7SignatureBuilder.
- update to 3.3.2 (bsc#1198331)

python-Deprecated:

- Include in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
- update to 1.2.13:

python-google-api-core:

- Update to 1.14.2

python-googleapis-common-protos:

- Update to 1.6.0

python-grpcio-gcp:

- Initial spec for v0.2.2

python-humanfriendly:

- Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
- Update to 10.0

python-jsondiff:

- Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
- Update to version 1.3.0

python-knack:

- Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
- Update to version 0.9.0

python-opencensus:

- Include in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
- Disable Python2 build
- Update to 0.8.0

python-opencensus-context:

- Include in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)

python-opencensus-ext-threading:

- Include in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
- Initial build version 0.1.2

python-opentelemetry-api:

- Include in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
- Version update to 1.5.0

python-psutil:

- Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
- update to 5.9.1
- remove the dependency on net-tools, since it conflicts with busybox-hostname which is default on MicroOS.
  (bsc#1184753)
- Include in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)

python-PyGithub:

- Update to 1.43.5:

python-pytest-asyncio:

- Include in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
- Initial release of python-pytest-asyncio 0.8.0

python-requests:

- Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)

python-websocket-client:

- Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
- Update to version 1.3.2

python-websockets:

- Include in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
- update to 9.1:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2855-1
Released:    Mon Jul 17 16:35:21 2023
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    moderate
References:  1212260

This update for openldap2 fixes the following issues:

- libldap2 crashes on ldap_sasl_bind_s (bsc#1212260)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2866-1
Released:    Tue Jul 18 11:09:03 2023
Summary:     Security update for python-requests
Type:        security
Severity:    moderate
References:  1211674,CVE-2023-32681

This update for python-requests fixes the following issues:

- CVE-2023-32681: Fixed unintended leak of Proxy-Authorization header (bsc#1211674).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2879-1
Released:    Wed Jul 19 09:45:34 2023
Summary:     Security update for dbus-1
Type:        security
Severity:    moderate
References:  1212126,CVE-2023-34969

This update for dbus-1 fixes the following issues:

- CVE-2023-34969: Fixed a possible dbus-daemon crash by an unprivileged user (bsc#1212126).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2882-1
Released:    Wed Jul 19 11:49:39 2023
Summary:     Security update for perl
Type:        security
Severity:    important
References:  1210999,CVE-2023-31484

This update for perl fixes the following issues:

- CVE-2023-31484: Enable TLS cert verification in CPAN (bsc#1210999).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2885-1
Released:    Wed Jul 19 16:58:43 2023
Summary:     Recommended update for glibc
Type:        recommended
Severity:    moderate
References:  1208721,1209229,1211828

This update for glibc fixes the following issues:

- getlogin_r: fix missing fallback if loginuid is unset (bsc#1209229, BZ #30235)
- Exclude static archives from preparation for live patching (bsc#1208721)
- resolv_conf: release lock on allocation failure (bsc#1211828, BZ #30527)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2918-1
Released:    Thu Jul 20 12:00:17 2023
Summary:     Recommended update for gpgme
Type:        recommended
Severity:    moderate
References:  1089497

This update for gpgme fixes the following issues:

gpgme:

- Address failure handling issues when using gpg 2.2.6 via gpgme, as used by libzypp (bsc#1089497)

libassuan:

- Version upgrade to 2.5.5 in LTSS to address gpgme's new requirements
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2945-1
Released:    Mon Jul 24 09:37:30 2023
Summary:     Security update for openssh
Type:        security
Severity:    important
References:  1186673,1209536,1213004,1213008,1213504,CVE-2023-38408

This update for openssh fixes the following issues:

- CVE-2023-38408: Fixed a condition where specific libraries loaded via ssh-agent(1)'s PKCS#11 support could be abused to achieve remote code execution via a forwarded agent socket if those libraries were present on the victim's system and if the agent was forwarded to an attacker-controlled system.
  [bsc#1213504, CVE-2023-38408]
- Close the right file descriptor and also close fdh in read_hmac to avoid file descriptor leaks. [bsc#1209536]
- Attempts to mitigate instances of secrets lingering in memory after a session exits. [bsc#1186673, bsc#1213004, bsc#1213008]
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2956-1
Released:    Tue Jul 25 08:33:38 2023
Summary:     Security update for libcap
Type:        security
Severity:    moderate
References:  1211419,CVE-2023-2603

This update for libcap fixes the following issues:

- CVE-2023-2603: Fixed an integer overflow or wraparound in libcap/cap_alloc.c:_libcap_strdup() (bsc#1211419).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2994-1
Released:    Thu Jul 27 06:45:29 2023
Summary:     Recommended update for nfs-utils
Type:        recommended
Severity:    moderate
References:  1157881,1200710,1209859

This update for nfs-utils fixes the following issues:

- SLE15-SP5 and earlier don't use /usr/lib/modprobe.d (bsc#1200710)
- Avoid unhelpful warnings (bsc#1157881)
- Fix rpc.nfsd man pages (bsc#1209859)
- Allow scope to be set in sysconfig: NFSD_SCOPE
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3179-1
Released:    Thu Aug 3 13:59:38 2023
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1201627,1207534,1213487,CVE-2022-4304,CVE-2023-3446

This update for openssl-1_1 fixes the following issues:

- CVE-2022-4304: Reworked the fix for the timing oracle in RSA decryption. The previous fix for this timing side channel turned out to cause a severe 2-3x performance regression in the typical use case (bsc#1207534).
- CVE-2023-3446: Fixed DH_check() excessive time with oversized modulus (bsc#1213487).
- Update further expiring certificates that affect tests [bsc#1201627]
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3210-1
Released:    Mon Aug 7 15:20:04 2023
Summary:     Security update for pcre2
Type:        security
Severity:    moderate
References:  1213514,CVE-2022-41409

This update for pcre2 fixes the following issues:

- CVE-2022-41409: Fixed integer overflow vulnerability in pcre2test that allows attackers to cause a denial of service via negative input (bsc#1213514).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3218-1
Released:    Mon Aug 7 16:52:13 2023
Summary:     Recommended update for cryptsetup
Type:        recommended
Severity:    moderate
References:  1211079

This update for cryptsetup fixes the following issues:

- Handle system with low memory and no swap space (bsc#1211079)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3284-1
Released:    Fri Aug 11 10:29:50 2023
Summary:     Recommended update for shadow
Type:        recommended
Severity:    moderate
References:  1206627,1213189

This update for shadow fixes the following issues:

- Prevent lock files from remaining after power interruptions (bsc#1213189)
- Add --prefix support to passwd, chpasswd and chage (bsc#1206627)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3288-1
Released:    Fri Aug 11 12:30:14 2023
Summary:     Recommended update for python-apipkg
Type:        recommended
Severity:    moderate
References:  1213582

This update for python-apipkg provides python3-apipkg to SUSE Linux Enterprise Micro 5.2.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3291-1
Released:    Fri Aug 11 12:51:21 2023
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1213517,1213853,CVE-2023-3817

This update for openssl-1_1 fixes the following issues:

- CVE-2023-3817: Fixed a potential DoS due to excessive time spent checking DH q parameter value. (bsc#1213853)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3330-1
Released:    Wed Aug 16 08:59:33 2023
Summary:     Recommended update for python-pyasn1
Type:        recommended
Severity:    important
References:  1207805

This update for python-pyasn1 fixes the following issues:

- To avoid users of this package having to recompile bytecode files, change the mtime of any __init__.py. (bsc#1207805)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3365-1
Released:    Fri Aug 18 20:35:01 2023
Summary:     Security update for krb5
Type:        security
Severity:    important
References:  1214054,CVE-2023-36054

This update for krb5 fixes the following issues:

- CVE-2023-36054: Fixed a DoS that could be triggered by an authenticated remote user.
  (bsc#1214054)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3388-1
Released:    Wed Aug 23 17:14:22 2023
Summary:     Recommended update for binutils
Type:        recommended
Severity:    important
References:  1213282

This update for binutils fixes the following issues:

- Add `binutils-disable-dt-relr.sh` to address compatibility problems with the glibc version included in future SUSE Linux Enterprise releases (bsc#1213282, jsc#PED-1435)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3440-1
Released:    Mon Aug 28 08:57:10 2023
Summary:     Security update for gawk
Type:        security
Severity:    low
References:  1214025,CVE-2023-4156

This update for gawk fixes the following issues:

- CVE-2023-4156: Fix a heap out-of-bounds read by validating the index into the argument list. (bsc#1214025)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3454-1
Released:    Mon Aug 28 13:43:18 2023
Summary:     Security update for ca-certificates-mozilla
Type:        security
Severity:    important
References:  1214248

This update for ca-certificates-mozilla fixes the following issues:

- Updated to 2.62 state of Mozilla SSL root CAs (bsc#1214248)

  Added:
  - Atos TrustedRoot Root CA ECC G2 2020
  - Atos TrustedRoot Root CA ECC TLS 2021
  - Atos TrustedRoot Root CA RSA G2 2020
  - Atos TrustedRoot Root CA RSA TLS 2021
  - BJCA Global Root CA1
  - BJCA Global Root CA2
  - LAWtrust Root CA2 (4096)
  - Sectigo Public Email Protection Root E46
  - Sectigo Public Email Protection Root R46
  - Sectigo Public Server Authentication Root E46
  - Sectigo Public Server Authentication Root R46
  - SSL.com Client ECC Root CA 2022
  - SSL.com Client RSA Root CA 2022
  - SSL.com TLS ECC Root CA 2022
  - SSL.com TLS RSA Root CA 2022

  Removed CAs:
  - Chambers of Commerce Root
  - E-Tugra Certification Authority
  - E-Tugra Global Root CA ECC v3
  - E-Tugra Global Root CA RSA v3
  - Hongkong Post Root CA 1
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3466-1
Released:    Tue Aug 29 07:33:16 2023
Summary:     Recommended update for icu
Type:        recommended
Severity:    moderate
References:  1103893,1112183

This update for icu fixes the following issues:

- Japanese era Reiwa (bsc#1112183, bsc#1103893, fate570, fate#325570, fate#325419)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3470-1
Released:    Tue Aug 29 10:49:33 2023
Summary:     Recommended update for parted
Type:        recommended
Severity:    low
References:  1182142,1193412

This update for parted fixes the following issues:

- fix null pointer dereference (bsc#1193412)
- update mkpart options in manpage (bsc#1182142)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3472-1
Released:    Tue Aug 29 10:55:16 2023
Summary:     Security update for procps
Type:        security
Severity:    low
References:  1214290,CVE-2023-4016

This update for procps fixes the following issues:

- CVE-2023-4016: Fixed ps buffer overflow (bsc#1214290).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3487-1
Released:    Tue Aug 29 14:28:35 2023
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    moderate
References:  1214071

This update for lvm2 fixes the following issues:

- blkdeactivate calls wrong mountpoint cmd (bsc#1214071)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3515-1
Released:    Fri Sep 1 15:54:25 2023
Summary:     Recommended update for libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1158763,1210740,1213231,1213557,1213673

This update for libzypp, zypper fixes the following issues:

- Fix occasional issue with downloading very small files (bsc#1213673)
- Fix negative ZYPP_LOCK_TIMEOUT not waiting forever (bsc#1213231)
- Fix OES synchronization issues when cookie file has mode 0600 (bsc#1158763)
- Don't cleanup orphaned dirs if read-only mode was promised (bsc#1210740)
- Revised explanation of --force-resolution in man page (bsc#1213557)
- Print summary hint if policies were violated due to --force-resolution (bsc#1213557)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3521-1
Released:    Tue Sep 5 08:56:45 2023
Summary:     Recommended update for python-iniconfig
Type:        recommended
Severity:    moderate
References:  1213582

This update for python-iniconfig provides python3-iniconfig to SUSE Linux Enterprise Micro 5.2.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3639-1
Released:    Mon Sep 18 13:33:16 2023
Summary:     Security update for libeconf
Type:        security
Severity:    moderate
References:  1198165,1211078,CVE-2023-22652,CVE-2023-30078,CVE-2023-30079,CVE-2023-32181

This update for libeconf fixes the following issues:

Update to version 0.5.2.

- CVE-2023-30078, CVE-2023-32181: Fixed a stack-buffer-overflow vulnerability in the 'econf_writeFile' function (bsc#1211078).
- CVE-2023-30079, CVE-2023-22652: Fixed a stack-buffer-overflow vulnerability in the 'read_file' function. (bsc#1211078)

The following non-security bug was fixed:

- Fixed parsing files correctly which have space characters AND non-space characters as delimiters (bsc#1198165).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3661-1
Released:    Mon Sep 18 21:44:09 2023
Summary:     Security update for gcc12
Type:        security
Severity:    important
References:  1214052,CVE-2023-4039

This update for gcc12 fixes the following issues:

- CVE-2023-4039: Fixed incorrect stack protector for C99 VLAs on Aarch64 (bsc#1214052).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3698-1
Released:    Wed Sep 20 11:01:15 2023
Summary:     Security update for libxml2
Type:        security
Severity:    important
References:  1214768,CVE-2023-39615

This update for libxml2 fixes the following issues:

- CVE-2023-39615: Fixed a global buffer overflow that crafted XML could cause (bsc#1214768).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3720-1
Released:    Thu Sep 21 09:01:11 2023
Summary:     Recommended update for ceph-csi, csi-external-attacher, csi-external-provisioner, csi-external-resizer, csi-external-snapshotter, csi-node-driver-registrar, rook
Type:        recommended
Severity:    moderate
References:  1204072,1209279

This update for ceph-csi, csi-external-attacher, csi-external-provisioner, csi-external-resizer, csi-external-snapshotter, csi-node-driver-registrar, rook fixes the following issues:

- Update to v4.1.0
  * Updated Kubernetes dependencies to 1.26.0 (#395, @sunnylovestiramisu)
- Update version to 3.4.0
  Feature
  * Add support for cross-namespace data sources alpha feature (#805, @ttakahashi21)
  * Register metrics exposed by sig-storage-lib (#792, @RaunakShah)
  * Update the annotation that needs to be applied to VolumeSnapshotContents from snapshot.storage.kubernetes.io/allowVolumeModeChange to snapshot.storage.kubernetes.io/allow-volume-mode-change (#791, @RaunakShah)
  Bug or Regression
  * Fix string pointer comparison for source volume mode conversion (#793, @RaunakShah)
  * Fix nil pointer crash for PV without ClaimRef (#796, @zezaeoh)
  Uncategorized
  * Update go to 1.19 and dependencies for k8s v1.26.0 (#834, @sunnylovestiramisu)
- Update to version 1.7.0
  * Fix panic in recovery path if marking pvc as resize in progress fails (#246, @gnufied)
- Update to version 6.2.1
  Feature
  * Add --retry-crd-interval-max flag to the snapshot-controller in order to allow customization of CRD detection on startup. (#777, @mattcary)
  Uncategorized
  * Change webhook example to be compatible with TLS-type secrets. (#793, @haslersn)
  * Fixes an issue introduced by PR 793 by respecting the format of TLS-type secrets in the script. (#796, @haslersn)
  * Update go to v1.19 and kubernetes dependencies to 1.26.0.
    (#797, @sunnylovestiramisu)
- Update to version 2.7.0
  * Revert of #214, node-driver-registrar will create the path specified by --kubelet-registration-path (#247, @mauriciopoppe)
- Regular upgrade bsc#1204072
- Update to 1.11.9
  Rook v1.11.9 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.
  * multus: Fix 'deletecollection' permission not present (#12437, @sudharsanomprakash)
  * dashboard: Remove deprecated kubernetes.io/ingress.class annotation (#12418, @Jeansen)
  * external: Make import script idempotent (#12417, @parth-gr)
  * exporter: Ignore failed deletion of service monitor (#12430, @travisn)
  * multus: Add config file for validation tool (#12396, @BlaineEXE)
  * object: Clarify success message when reconciling CephObjectStoreUser (#12406, @polyedre)
  * docs: Update storage architecture diagram (#12252, @galexrt)
  * operator: Add ceph image version label to PVC (#12372, @YZ775)
  * object: Add SSL ref in cephobjectstore user secret (#12341, @thotz)
- Update to 1.11.8
  Rook v1.11.8 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.
  * helm: add EC Block Pool config in helm chart (#12324, @Javlopez)
  * pool: Add .mgr pool to the stretch cluster examples (#12360, @travisn)
  * nfs: Add Spec.Security.Kerberos.DomainName to the CRD to configure /etc/idmapd.conf (#12220, @spuiuk)
  * mgr: Removing unnecessary rook-ceph-mgr rbac entries (#12337, @rkachach)
  * core: typo in logs to print fullname of CephCluster (#12217, @takirala)
  * core: empty ceph-daemons-sock-dir for osd onPVC (#12299, @avanthakkar)
  * docs: prevent deleting other clusters' data on cluster deletion (#12334, @satoru-takeuchi)
  * docs: improve external doc format (#12383, @parth-gr)
  * docs: Suggest qemu driver for minikube on apple silicon (#11722, @BlaineEXE)
- Update to 1.11.7
  Rook v1.11.7 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.
  * core: Delete exporter resources if ceph version is not supported (#12271, @avanthakkar)
  * external: FQDN should be persisted instead of using the ip endpoint (#12264, @parth-gr)
  * object: Implement more capabilities for object store users (#12256, @thotz)
  * test: Add CI e2e test for multus validation test (#12282, @BlaineEXE)
  * core: Use default-* logging flags for ceph daemons so they can be overridden (#12302, @Javlopez)
  * helm: Add exporter resource entry to ceph cluster documentation (#12251, @galexrt)
  * mgr: Allow other namespaces in the ServiceMonitor resource (#12293, @kerryeon)
  * object: Add missing cephcluster spec addition in object controller (#12273, @thotz)
  * monitoring: Service monitor should not use mgr_role label (#12268, @travisn)
  * test: Allow specifying custom nginx image for multus validation (#12231, @iPraveenParihar)
  * operator: Pull multus validation test images before test (#12211, @BlaineEXE)
  * rbdmirror: Ensure rbd mirror daemon is upgraded (#12247, @travisn)
- Update to 1.11.6
  Rook v1.11.6 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.
  * osd: Support expanding lvm osd on pvc (#12164, @satoru-takeuchi)
  * monitoring: Skip creating the service monitor for the exporter if monitoring is not enabled (#12216, @travisn)
  * docs: Generate documentation for CRDs (#12110 #12179, @Javlopez)
  * core: Add termination grace period for exporter pods (#12215, @avanthakkar)
  * csi: servicemonitor for rook-ceph csi drivers (#12170, @jouve)
  * monitoring: Configurable option to disable prometheus metrics (#12193, @travisn)
  * mgr: Default to active mgr label if only one mgr is running (#12137, @travisn)
  * osd: Allow scanning devices with filter (#11976, @Javlopez)
  * core: Disable controller runtime metrics server (#12194, @Madhu-1)
  * mgr: Use mgr_role dynamic label to tag the active ceph manager (#11845, @rkachach)
  * operator: use KUBECONFIG context for cli if present (#12192, @BlaineEXE)
  * external: fix rgw multisite config check (#12182 #12238, @parth-gr)
  * operator: validate multus validation networks in cli (#12187, @BlaineEXE)
  * operator: Fix package logger name for rookcli (#12186, @BlaineEXE)
  * ceph: Unset the encryption configuration before updating the setting (#12181, @Madhu-1)
- Update to 1.11.5
  Rook v1.11.5 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.
  * mgr: Retry creating ceph dashboard credentials (#12149, @parth-gr)
  * nfs: Reduce size of CephNFS CRD by dropping unnecessary file volume sources (#12155, @BlaineEXE)
  * core: Update k8s API references to more recent version (#12161, @subhamkrai)
  * test: Add multus validation test routine to rook binary (#12069, @BlaineEXE)
  * external: check that the pool and cluster name is provided (#12132, @parth-gr)
  * core: Skip OBC controllers if not needed based (#12075, @sp98)
  * Add an ingress for Ceph object stores (#12109, @jouve)
  * core: Disable the exporter service (#12118, @avanthakkar)
  * nfs: Fixes for mounting CephNFS using Kerberos auth (#12086, @spuiuk)
- Update to 1.11.4
  Rook v1.11.4 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.
  * core: Update default image to Ceph v17.2.6 (#12068, @travisn)
  * core: Disable the Ceph exporter daemon (#12077, @avanthakkar)
  * helm: Add option to scale down rook operator (#12048, @TomHellier)
  * helm: Drop snapshot.storage.k8s.io/v1beta1 (#12051, @sathieu)
  * external: Add support for RGW multisite in external cluster script (#12037, @parth-gr)
  * external: Do not require the monitoring endpoint (#12061, @neoaggelos)
  * external: Allow creating pools with special characters in name (#12056, @parth-gr)
  * external: Do not enforce rbd, cephfs and rgw flags for the external cluster (#12028, @parth-gr)
  * core: Use cluster ID for ns lookup on exported multi-cluster service (#12064, @sp98)
  * docs: Add scenario for deleted namespace to the disaster recovery guide (#11895, @gaord)
  * mgr: Failed to update the port of dashboard (#11932, @zhucan)
- Update to 1.11.3
  Rook v1.11.3 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.
  * csi: Make AttachRequired configurable for RWX volumes (#11899, @Madhu-1)
  * nfs: Add support for nfs-ganesha metrics monitoring (#12007, @synarete)
  * mgr: Add option to disable the prometheus mgr module (#11980, @thenamehasbeentake)
  * object: Check OBC provisioner for bucket notification (#11975, @thotz)
  * external: Make rgw call separate from cephfs and rbd in export script (#11947, @parth-gr)
  * core: Update vault pkg to 1.13.1 (#12013, @subhamkrai)
  * core: Fix config format for msgr2 ipv6 monitors (#11993, @heliochronix)
  * osd: Handle global or node-local device class configuration correctly (#11966, @satoru-takeuchi)
  * csi: IPv6 compatibility for requiring msgr2 (#11992, @travisn)
  * mon: Remove condition to use 6790 mon port (#11963, @sp98)
- Update to 1.11.2
  Rook v1.11.2 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.
  * osd: Implemented encryption key rotation (#11749, @Rakshith-R)
  * core: Remove unnecessary ceph-conf-dir volume mount from exporter (#11950, @avanthakkar)
  * core: Set key rotation default in code instead of in CRDs (#11951, @travisn)
  * external: Use f-strings for formatting (#11944, @Sheetalpamecha)
  * core: Use msgr2 if compression is enabled (#11928, @uhthomas)
  * ci: Skip building csv on arm64 (#11906, @subhamkrai)
  * osd: Validate and remove duplicate topology labels (#11823, @parth-gr)
  * rgw: RGW dashboard can be disabled in the object CR (#11908, @thenamehasbeentake)
  * external: Pool and metadata EC pools were reversed in scripts (#11919, @dragon2611)
  * rgw: Skip objectstore name length validation when cluster is external (#11911, @parth-gr)
  * nfs: Network mode can be set separately for cephcluster and nfs (#11777, @taxilian)
  * csi: Update port to 3300 if msgr2 is required (#11859, @travisn)
  * core: Add FSID to the additionalPrinterColumns on cephcluster CRD (#11864, @thenamehasbeentake)
  * core: Add missing labels in exporter deployment (#11866, @avanthakkar)
- Update to 1.11.1
  Rook
v1.11.1 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator. * ceph: Fix host networking by only adding OSD ports when required for multi-cluster config (#11797, @sp98) * core: Ceph exporter requires ceph config where OSDs are not running (#11848,@avanthakkar) * monitoring: Remove prometheus alerts that don't apply to rook (#11842, @travisn) * mgr: Revert readiness probe and go back to the original sidecar HA implementation (#11829, @rkachach) * manifest: Align whitespace in example cluster.yaml (#11804, @gauravsitlani) * external: Add realm support for external cluster (#11584, @parth-gr) * object: Make OBC genUserID unique across clusters (#11665, @BlaineEXE) * file: Check if a filesystem exists before checking dependencies during deletion (#11221, @zhucan) * core: On crash pod ensure rook version label is not set (#11760, @gaord) - Update to 1.11.0 Breaking Changes * The minimum version of K8s version supported is v1.21. * The minimum version of the Ceph-CSI driver is v3.7. * Removed support for MachineDisruptionBudgets, including settings removed from the CephCluster CR: * manageMachineDisruptionBudgets * machineDisruptionBudgetNamespace * Versions of golang supported during development are v1.19 and v1.20. Features * Ceph-CSI v3.8 is now the version deployed by default with Rook. The driver has a number of important updates to add more storage features available to clients. * Added setting requireMsgr2 on the CephCluster CR to allow clusters with a kernel of 5.11 or newer to fully communicate with msgr2 and disable the msgr1 port. This allows for more flexibility to enable msgr2 features such as encryption and compression on the wire. * Change pspEnable default value to false in helm charts, and remove documentation for enabling PSP. If still using a version of K8s where PSPs are required, see the v1.10 documentation. * Object store bucket notifications and topics are now marked as stable features. 
* The Ceph exporter daemon is configured as the source of metrics based on performance counters from Ceph daemons. The exporter daemon provides more scalability of metrics collection to reduce load on the Ceph mgr. * Read affinity for RBD volumes is now available, leveraging the krbd mapoptions to allow serving reads from an OSD in proximity to the client, according to OSD locations defined in the CRUSH map and topology labels on nodes. * Mirroring data across clusters with overlapping networks is now supported. Mon and OSD services will be configured with global IPs across multiple clusters with overlapping CIDRs. The clusters must be configured using an MCS API-compatible applications such as submariner globalnet. This feature is supported for Ceph version v17.2.6 or later. * The Ceph Mgr standby now is managed with a readiness probe instead of a sidecar. Note that the standby mgr is expected to fail the readiness probe, while the active mgr passes the readiness probe. The following package changes have been done: - binutils-2.39-150100.7.43.2 updated - ca-certificates-mozilla-2.62-150200.30.1 updated - cryptsetup-2.3.7-150300.3.8.1 updated - dbus-1-1.12.2-150100.8.17.1 updated - device-mapper-2.03.05_1.02.163-150200.8.52.1 updated - gawk-4.2.1-150000.3.3.1 updated - glibc-locale-base-2.31-150300.52.2 updated - glibc-2.31-150300.52.2 updated - krb5-1.19.2-150300.13.1 updated - libassuan0-2.5.5-150000.4.5.2 updated - libcap2-2.26-150000.4.9.1 updated - libcryptsetup12-hmac-2.3.7-150300.3.8.1 updated - libcryptsetup12-2.3.7-150300.3.8.1 updated - libctf-nobfd0-2.39-150100.7.43.2 updated - libctf0-2.39-150100.7.43.2 updated - libdbus-1-3-1.12.2-150100.8.17.1 updated - libdevmapper-event1_03-2.03.05_1.02.163-150200.8.52.1 updated - libdevmapper1_03-2.03.05_1.02.163-150200.8.52.1 updated - libeconf0-0.5.2-150300.3.11.1 updated - libgcc_s1-12.3.0+git1204-150000.1.16.1 updated - libicu-suse65_1-65.1-150200.4.8.1 updated - libicu65_1-ledata-65.1-150200.4.8.1 updated - 
libldap-2_4-2-2.4.46-150200.14.17.1 updated - libldap-data-2.4.46-150200.14.17.1 updated - liblvm2cmd2_03-2.03.05-150200.8.52.1 updated - libopenssl1_1-hmac-1.1.1d-150200.11.75.1 updated - libopenssl1_1-1.1.1d-150200.11.75.1 updated - libparted0-3.2-150300.21.3.1 updated - libpcre2-8-0-10.31-150000.3.15.1updated - libprocps7-3.3.15-150000.7.34.1 updated - libprotobuf-lite20-3.9.2-150200.4.21.1 updated - libpython3_6m1_0-3.6.15-150300.10.48.1 updated - libsolv-tools-0.7.24-150200.20.2 updated - libstdc++6-12.3.0+git1204-150000.1.16.1 updated - libxml2-2-2.9.7-150000.3.60.1 updated - libzypp-17.31.20-150200.75.1 updated - login_defs-4.8.1-150300.4.9.1 updated - lvm2-2.03.05-150200.8.52.1 updated - nfs-client-2.1.1-150100.10.37.1 updated - nfs-kernel-server-2.1.1-150100.10.37.1 updated - openssh-clients-8.4p1-150300.3.22.1 updated - openssh-common-8.4p1-150300.3.22.1 updated - openssh-fips-8.4p1-150300.3.22.1 updated - openssh-server-8.4p1-150300.3.22.1 updated - openssh-8.4p1-150300.3.22.1 updated - openssl-1_1-1.1.1d-150200.11.75.1 updated - parted-3.2-150300.21.3.1 updated - perl-base-5.26.1-150300.17.14.1 updated - procps-3.3.15-150000.7.34.1 updated - python3-apipkg-1.4-150000.3.6.1 updated - python3-base-3.6.15-150300.10.48.1 updated - python3-curses-3.6.15-150300.10.48.1 updated - python3-iniconfig-1.1.1-150000.1.11.1 updated - python3-pyasn1-0.4.2-150000.3.5.1 updated - python3-requests-2.24.0-150300.3.3.1 updated - python3-websocket-client-1.3.2-150100.6.7.3 updated - python3-3.6.15-150300.10.48.1 updated - rook-k8s-yaml-1.11.9+git0.483b15e2-150300.3.9.1 updated - rook-1.11.9+git0.483b15e2-150300.3.9.1 updated - shadow-4.8.1-150300.4.9.1 updated - zypper-1.14.63-150200.59.1 updated - container:sles15-image-15.0.0-17.20.185 updated . Patch releases for SUSE Kubernetes, focusing on urgent vulnerabilities in the etcd and kubelet modules. Maintain your safety!. SUSE Container Update, Security Update, Rook, Ceph, Critical Issues. . Severity: Important. 
SUSE Container Update Advisory: ses/7.1/rook/ceph
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:1467-1
Container Tags        : ses/7.1/rook/ceph:1.10.1 , ses/7.1/rook/ceph:1.10.1.16 , ses/7.1/rook/ceph:1.10.1.16.4.5.392 , ses/7.1/rook/ceph:latest , ses/7.1/rook/ceph:sle15.3.pacific
Container Release     : 4.5.392
Severity              : important
Type                  : security
References            : 1065270 1199132 1200710 1201617 1203201 1203599 1203746 1204585 1206483 1206781 1207022 1207571 1207843 1207957 1207975 1207992 1208036 1208283 1208358 1208905 1209122 1209209 1209210 1209211 1209212 1209214 1209361 1209362 1209533 1209624 1209713 1209714 1209873 1209878 1210135 1210411 1210412 1210434 1210507 CVE-2021-3541 CVE-2022-29824 CVE-2022-4899 CVE-2023-0464 CVE-2023-0465 CVE-2023-0466 CVE-2023-0687 CVE-2023-23916 CVE-2023-23931 CVE-2023-24593 CVE-2023-25180 CVE-2023-25577 CVE-2023-27533 CVE-2023-27534 CVE-2023-27535 CVE-2023-27536 CVE-2023-27538 CVE-2023-28484 CVE-2023-28486 CVE-2023-28487 CVE-2023-29383 CVE-2023-29469 CVE-2023-29491
-----------------------------------------------------------------

The container ses/7.1/rook/ceph was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:1586-1
Released:    Mon Mar 27 13:02:52 2023
Summary:     Recommended update for nfs-utils
Type:        recommended
Severity:    moderate
References:  1200710,1203746,1206781,1207022,1207843

This update for nfs-utils fixes the following issues:

- Rename all drop-in options.conf files as 10-options.conf. This makes it easier for other packages to over-ride with a drop-in with a later sequence number (bsc#1207843)
- Avoid modprobe errors when sysctl is not installed (bsc#1200710 bsc#1207022 bsc#1206781)
- Add '-S scope' option to rpc.nfsd to simplify fail-over cluster configuration (bsc#1203746)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:1693-1
Released:    Thu Mar 30 10:16:39 2023
Summary:     Security update for python-Werkzeug
Type:        security
Severity:    important
References:  1208283,CVE-2023-25577

This update for python-Werkzeug fixes the following issues:

- CVE-2023-25577: Fixed high resource usage when parsing multipart form data with many fields (bsc#1208283).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:1698-1
Released:    Thu Mar 30 12:16:57 2023
Summary:     Security update for sudo
Type:        security
Severity:    moderate
References:  1203201,1206483,1209361,1209362,CVE-2023-28486,CVE-2023-28487

This update for sudo fixes the following issues:

Security fixes:
- CVE-2023-28486: Fixed missing control characters escaping in log messages (bsc#1209362).
- CVE-2023-28487: Fixed missing control characters escaping in sudoreplay output (bsc#1209361).

Other fixes:
- Fix a situation where 'sudo -U otheruser -l' would dereference a NULL pointer (bsc#1206483).
- Do not re-enable the reader when flushing the buffers as part of pty_finish() (bsc#1203201).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:1711-1
Released:    Fri Mar 31 13:33:04 2023
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1207992,1209209,1209210,1209211,1209212,1209214,CVE-2023-23916,CVE-2023-27533,CVE-2023-27534,CVE-2023-27535,CVE-2023-27536,CVE-2023-27538

This update for curl fixes the following issues:

- CVE-2023-27533: Fixed TELNET option IAC injection (bsc#1209209).
- CVE-2023-27534: Fixed SFTP path ~ resolving discrepancy (bsc#1209210).
- CVE-2023-27535: Fixed FTP too eager connection reuse (bsc#1209211).
- CVE-2023-27536: Fixed GSS delegation too eager connection reuse (bsc#1209212).
- CVE-2023-27538: Fixed SSH connection too eager reuse still (bsc#1209214).
- CVE-2023-23916: Fixed HTTP multi-header compression denial of service (bsc#1207992).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:1718-1
Released:    Fri Mar 31 15:47:34 2023
Summary:     Security update for glibc
Type:        security
Severity:    moderate
References:  1207571,1207957,1207975,1208358,CVE-2023-0687

This update for glibc fixes the following issues:

Security issue fixed:
- CVE-2023-0687: Fix allocated buffer overflow in gmon (bsc#1207975)

Other issues fixed:
- Fix avx2 strncmp offset compare condition check (bsc#1208358)
- elf: Allow dlopen of filter object to work (bsc#1207571)
- powerpc: Fix unrecognized instruction errors with recent GCC
- x86: Cache computation for AMD architecture (bsc#1207957)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:1753-1
Released:    Tue Apr 4 11:55:00 2023
Summary:     Recommended update for systemd-presets-common-SUSE
Type:        recommended
Severity:    moderate
References:

This update for systemd-presets-common-SUSE fixes the following issue:

- Enable systemd-pstore.service by default (jsc#PED-2663)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:1757-1
Released:    Tue Apr 4 13:18:19 2023
Summary:     Recommended update for smartmontools
Type:        recommended
Severity:    important
References:  1208905

This update for smartmontools fixes the following issues:

- Fix `smartctl` issue affecting NVMe on big endian systems (bsc#1208905)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:1763-1
Released:    Tue Apr 4 14:35:52 2023
Summary:     Security update for python-cryptography
Type:        security
Severity:    moderate
References:  1208036,CVE-2023-23931

This update for python-cryptography fixes the following issues:

- CVE-2023-23931: Fixed memory corruption in Cipher.update_into (bsc#1208036).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:1790-1
Released:    Thu Apr 6 15:36:15 2023
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1209624,1209873,1209878,CVE-2023-0464,CVE-2023-0465,CVE-2023-0466

This update for openssl-1_1 fixes the following issues:

- CVE-2023-0464: Fixed excessive Resource Usage Verifying X.509 Policy Constraints (bsc#1209624).
- CVE-2023-0465: Invalid certificate policies in leaf certificates were silently ignored (bsc#1209878).
- CVE-2023-0466: Certificate policy checks were not enabled (bsc#1209873).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:1805-1
Released:    Tue Apr 11 10:12:41 2023
Summary:     Recommended update for timezone
Type:        recommended
Severity:    important
References:

This update for timezone fixes the following issues:

- Version update from 2022g to 2023c:
  * Egypt now uses DST again, from April through October.
  * This year Morocco springs forward April 23, not April 30.
  * Palestine delays the start of DST this year.
  * Much of Greenland still uses DST from 2024 on.
  * America/Yellowknife now links to America/Edmonton.
  * tzselect can now use current time to help infer timezone.
  * The code now defaults to C99 or later.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:1945-1
Released:    Fri Apr 21 14:13:27 2023
Summary:     Recommended update for elfutils
Type:        recommended
Severity:    moderate
References:  1203599

This update for elfutils fixes the following issues:

- go1.19 builds created debuginfo that was not extractable using rpm / elfutils 0.177. (bsc#1203599)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:1954-1
Released:    Mon Apr 24 11:10:40 2023
Summary:     Recommended update for xmlsec1
Type:        recommended
Severity:    low
References:  1201617

This update for xmlsec1 fixes the following issue:

- Ship missing xmlsec1 to synchronize its version across different products (bsc#1201617)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2048-1
Released:    Wed Apr 26 21:05:45 2023
Summary:     Security update for libxml2
Type:        security
Severity:    important
References:  1065270,1199132,1204585,1210411,1210412,CVE-2021-3541,CVE-2022-29824,CVE-2023-28484,CVE-2023-29469

This update for libxml2 fixes the following issues:

- CVE-2023-29469: Fixed inconsistent result when hashing empty strings (bsc#1210412).
- CVE-2023-28484: Fixed NULL pointer dereference in xmlSchemaFixupComplexType (bsc#1210411).
- CVE-2022-29824: Fixed integer overflow leading to out-of-bounds write in buf.c (bsc#1199132).

The following non-security bugs were fixed:

- Added W3C conformance tests to the testsuite (bsc#1204585).
- Fixed NULL pointer dereference when parsing invalid data (glgo#libxml2!15) (bsc#1065270).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2070-1
Released:    Fri Apr 28 13:56:33 2023
Summary:     Security update for shadow
Type:        security
Severity:    moderate
References:  1210507,CVE-2023-29383

This update for shadow fixes the following issues:

- CVE-2023-29383: Fixed apparent /etc/shadow manipulation via chfn (bsc#1210507).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2074-1
Released:    Fri Apr 28 17:02:25 2023
Summary:     Security update for zstd
Type:        security
Severity:    moderate
References:  1209533,CVE-2022-4899

This update for zstd fixes the following issues:

- CVE-2022-4899: Fixed buffer overrun in util.c (bsc#1209533).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2076-1
Released:    Fri Apr 28 17:35:05 2023
Summary:     Security update for glib2
Type:        security
Severity:    moderate
References:  1209713,1209714,1210135,CVE-2023-24593,CVE-2023-25180

This update for glib2 fixes the following issues:

- CVE-2023-24593: Fixed a denial of service caused by handling a malicious text-form variant (bsc#1209714).
- CVE-2023-25180: Fixed a denial of service caused by a malicious serialised variant (bsc#1209713).

The following non-security bug was fixed:

- Fixed regression on s390x (bsc#1210135, glgo#GNOME/glib!2978).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2104-1
Released:    Thu May 4 21:05:30 2023
Summary:     Recommended update for procps
Type:        recommended
Severity:    moderate
References:  1209122

This update for procps fixes the following issue:

- Allow - as leading character to ignore possible errors on sysctl entries (bsc#1209122)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2111-1
Released:    Fri May 5 14:34:00 2023
Summary:     Security update for ncurses
Type:        security
Severity:    moderate
References:  1210434,CVE-2023-29491

This update for ncurses fixes the following issues:

- CVE-2023-29491: Fixed memory corruption issues when processing malformed terminfo data (bsc#1210434).
The following package changes have been done:

- glib2-tools-2.62.6-150200.3.15.1 updated
- glibc-locale-base-2.31-150300.46.1 updated
- glibc-2.31-150300.46.1 updated
- libcurl4-7.66.0-150200.4.52.1 updated
- libdw1-0.177-150300.11.6.1 updated
- libebl-plugins-0.177-150300.11.6.1 updated
- libelf1-0.177-150300.11.6.1 updated
- libgio-2_0-0-2.62.6-150200.3.15.1 updated
- libglib-2_0-0-2.62.6-150200.3.15.1 updated
- libgmodule-2_0-0-2.62.6-150200.3.15.1 updated
- libgobject-2_0-0-2.62.6-150200.3.15.1 updated
- libncurses6-6.1-150000.5.15.1 updated
- libopenssl1_1-hmac-1.1.1d-150200.11.62.1 updated
- libopenssl1_1-1.1.1d-150200.11.62.1 updated
- libprocps7-3.3.15-150000.7.31.1 updated
- libxml2-2-2.9.7-150000.3.57.1 updated
- libxmlsec1-1-1.2.28-150100.7.13.4 updated
- libxmlsec1-openssl1-1.2.28-150100.7.13.4 updated
- libzstd1-1.4.4-150000.1.9.1 updated
- login_defs-4.8.1-150300.4.6.1 updated
- ncurses-utils-6.1-150000.5.15.1 updated
- nfs-client-2.1.1-150100.10.32.1 updated
- nfs-kernel-server-2.1.1-150100.10.32.1 updated
- openssl-1_1-1.1.1d-150200.11.62.1 updated
- procps-3.3.15-150000.7.31.1 updated
- python3-Werkzeug-1.0.1-150300.3.3.1 updated
- python3-cryptography-3.3.2-150200.19.1 updated
- shadow-4.8.1-150300.4.6.1 updated
- smartmontools-7.2-150300.8.8.1 updated
- sudo-1.9.5p2-150300.3.24.1 updated
- systemd-presets-common-SUSE-15-150100.8.20.1 updated
- terminfo-base-6.1-150000.5.15.1 updated
- timezone-2023c-150000.75.23.1 updated
- container:sles15-image-15.0.0-17.20.133 updated
SUSE Container Update Advisory: ses/6/rook/ceph
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2022:316-1
Container Tags        : ses/6/rook/ceph:1.1.1.0 , ses/6/rook/ceph:1.1.1.0.1.5.568 , ses/6/rook/ceph:latest
Container Release     : 1.5.568
Severity              : critical
Type                  : security
References            : 1027496 1029961 1082318 1099272 1113013 1115529 1128846 1153687 1162581 1162964 1171479 1172113 1173277 1174075 1174504 1174911 1177460 1180064 1180125 1180689 1180995 1181703 1181826 1182372 1182959 1183085 1183268 1183374 1183589 1183858 1183909 1184326 1184399 1184519 1184997 1185325 1185588 1186447 1186503 1186602 1187153 1187196 1187224 1187273 1187338 1187425 1187466 1187512 1187654 1187668 1187738 1187760 1187906 1187993 1188156 1188435 1188623 1188941 1189031 1189152 1189241 1189287 1189803 1189841 1189879 1189983 1189984 1190059 1190199 1190325 1190356 1190440 1190447 1190465 1190598 1190712 1190815 1190926 1190984 1191200 1191252 1191260 1191286 1191324 1191370 1191473 1191480 1191500 1191563 1191566 1191609 1191675 1191690 1191804 1191922 1192161 1192248 1192267 1192337 1192436 1192688 1192717 1192790 1193007 1193170 1193480 1193481 1193488 1193521 1193625 1193759 1193805 1193841 1193845 1193907 1193913 1194172 1194229 1194251 1194362 1194474 1194476 1194477 1194478 1194479 1194480 1194597 1194640 1194661 1194768 1194770 1194898 1195054 1195149 1195217 1195258 1195326 1195468 1195560 1195654 1195792 1195856 1196025 1196025 1196025 1196026 1196036 1196168 1196169 1196171 1196784 1196877 1197004 954813 CVE-2015-8985 CVE-2016-10228 CVE-2020-12762 CVE-2020-14367 CVE-2020-29361 CVE-2021-20294 CVE-2021-22570 CVE-2021-33430 CVE-2021-3426 CVE-2021-3733 CVE-2021-3737 CVE-2021-3999 CVE-2021-41496 CVE-2021-43527 CVE-2021-43618 CVE-2021-45960 CVE-2021-46143 CVE-2022-0778 CVE-2022-22822 CVE-2022-22823 CVE-2022-22824 CVE-2022-22825 CVE-2022-22826 CVE-2022-22827 CVE-2022-23218 CVE-2022-23219 CVE-2022-23852 CVE-2022-23990 CVE-2022-24407 CVE-2022-25235 CVE-2022-25236 CVE-2022-25236 CVE-2022-25313 CVE-2022-25314 CVE-2022-25315
-----------------------------------------------------------------

The container ses/6/rook/ceph was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:305-1
Released:    Thu Feb 4 15:00:37 2021
Summary:     Recommended update for libprotobuf
Type:        recommended
Severity:    moderate
References:

libprotobuf was updated to fix:

- ship the libprotobuf-lite15 on the base products. (jsc#ECO-2911)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3643-1
Released:    Tue Nov 9 19:32:18 2021
Summary:     Security update for binutils
Type:        security
Severity:    moderate
References:  1183909,1184519,1188941,1191473,1192267,CVE-2021-20294

This update for binutils fixes the following issues:

- For compatibility on old code stream that expect 'brcl 0,label' to not be disassembled as 'jgnop label' on s390x. (bsc#1192267) This reverts IBM zSeries HLASM support for now.
- Fixed that ppc64 optflags did not enable LTO (bsc#1188941).
- Fix empty man-pages from broken release tarball
- Fixed a memory corruption with rpath option (bsc#1191473).
- Fixed slow performance of stripping some binaries (bsc#1183909).

Security issue fixed:
- CVE-2021-20294: Fixed out-of-bounds write in print_dynamic_symbol in readelf (bnc#1184519)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3781-1
Released:    Tue Nov 23 23:48:43 2021
Summary:     This update for libzypp, zypper and libsolv fixes the following issues:
Type:        recommended
Severity:    moderate
References:  1153687,1182372,1183268,1183589,1184326,1184399,1184997,1185325,1186447,1186503,1186602,1187224,1187425,1187466,1187738,1187760,1188156,1188435,1189031,1190059,1190199,1190356,1190465,1190712,1190815,1191286,1191324,1191370,1191609,1192337,1192436

This update for zypper fixes the following issues:

- Manpage: Recommend the needs-rebooting command to test whether a system reboot is suggested.
- Let a patch's reboot-needed flag overrule included packages. (bsc#1183268)
- Quickfix setting 'openSUSE_Tumbleweed' as default platform for 'MicroOS'. (bsc#1153687)
- Protect against strict/relaxed user umask via sudo. (bsc#1183589)
- xml summary: Add solvables repository alias. (bsc#1182372)
- Allow trusted repos to add additional signing keys. (bsc#1184326)
- MediaCurl: Fix logging of redirects.
- Let negative values wait forever for the zypp lock. (bsc#1184399)
- Fix 'purge-kernels' is broken in Leap 15.3. (bsc#1185325)
- Fix service detection with cgroupv2. (bsc#1184997)
- Add hints to 'trust GPG key' prompt.
- Enhance XML output of repo GPG options - Add optional attributes showing the raw values actually present in the '.repo' file.
- Link all executables with -pie (bsc#1186447)
- Ship an empty '/etc/zypp/needreboot' per default. (jsc#PM-2645)
- Fix solver jobs for PTFs. (bsc#1186503)
- choice rules: treat orphaned packages as newest. (bsc#1190465)
- Add need reboot/restart hint to XML install summary. (bsc#1188435)
- Fix kernel-*-livepatch removal in purge-kernels. (bsc#1190815)
- Fix obs:// platform guessing for Leap. (bsc#1187425)
- Fix purge-kernels fails. (bsc#1187738)
- Do not download full files even if the checkExistsOnly flag is set. (bsc#1190712)
- Prompt: choose exact match if prompt options are not prefix free. (bsc#1188156)
- Do not check signatures and keys two times (redundant). (bsc#1190059)
- Rephrase vendor conflict message in case 2 packages are involved. (bsc#1187760)
- Show key fpr from signature when signature check fails. (bsc#1187224)
- Make sure to keep states alive while transitioning. (bsc#1190199)
- Fix crashes in logging code when shutting down. (bsc#1189031)
- Manpage: Improve description about patch updates. (bsc#1187466)
- Avoid calling 'su' to detect a too restrictive sudo user umask. (bsc#1186602)
- Consolidate reboot-recommendations across tools and stop using /etc/zypp/needreboot (jsc#SLE-18858)
- Disable logger in the child after fork (bsc#1192436)
- Check log writer before accessing it (bsc#1192337)
- Allow uname-r format in purge kernels keepspec
- zypper should keep cached files if transaction is aborted (bsc#1190356)
- Require a minimum number of mirrors for multicurl (bsc#1191609)
- Use procfs to detect nr of open fd's if rlimit is too high (bsc#1191324)
- Fix translations (bsc#1191370)
- RepoManager: Don't probe for plaindir repo if URL schema is plugin (bsc#1191286)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3787-1
Released:    Wed Nov 24 06:00:10 2021
Summary:     Recommended update for xfsprogs
Type:        recommended
Severity:    moderate
References:  1189983,1189984,1191500,1191566,1191675

This update for xfsprogs fixes the following issues:

- Make libhandle1 an explicit dependency in the xfsprogs-devel package (bsc#1191566)
- Remove deprecated barrier/nobarrier mount options from manual pages section 5 (bsc#1191675)
- xfs_io: include support for label command (bsc#1191500)
- xfs_quota: state command to report all three (-ugp) grace times separately (bsc#1189983)
- xfs_admin: add support for external log devices (bsc#1189984)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3798-1
Released:    Wed Nov 24 18:01:36 2021
Summary:     Recommended update for gcc7
Type:        recommended
Severity:    moderate
References:

This update for gcc7 fixes the following issues:

- Fixed a build issue when built with recent kernel headers.
- Backport the '-fpatchable-function-entry' feature from newer GCC. (jsc#SLE-20049)
- do not handle exceptions in std::thread (jsc#CAR-1182)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3799-1
Released:    Wed Nov 24 18:07:54 2021
Summary:     Recommended update for gcc11
Type:        recommended
Severity:    moderate
References:  1187153,1187273,1188623

This update for gcc11 fixes the following issues:

The additional GNU compiler collection GCC 11 is provided.

To select these compilers install the packages:
- gcc11
- gcc-c++11
- and others with 11 prefix.

To select them for building:
- CC='gcc-11'
- CXX='g++-11'

The compiler base libraries (libgcc_s1, libstdc++6 and others) are being replaced by the GCC 11 variants.
----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3809-1 Released: Fri Nov 26 00:31:59 2021 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1189803,1190325,1190440,1190984,1191252,1192161 This update for systemd fixes the following issues: - Add timestamp to D-Bus events to improve traceability (jsc#SLE-21862, jsc#SLE-18102, jsc#SLE-18103) - Fix IO scheduler udev rules to address performance issues (jsc#SLE-21032, bsc#1192161) - shutdown: Reduce log level of unmounts (bsc#1191252) - pid1: make use of new 'prohibit_ipc' logging flag in PID 1 (bsc#1189803) - core: rework how we connect to the bus (bsc#1190325) - mount-util: fix fd_is_mount_point() when both the parent and directory are network fs (bsc#1190984) - virt: detect Amazon EC2 Nitro instance (bsc#1190440) - Several fixes forumount - busctl: use usec granularity for the timestamp printed by the busctl monitor command - fix unitialized fields in MountPoint in dm_list_get() - shutdown: explicitly set a log target - mount-util: add mount_option_mangle() - dissect: automatically mark partitions read-only that have a read-only file system - build-sys: require proper libmount version - systemd-shutdown: use log_set_prohibit_ipc(true) - rationalize interface for opening/closing logging - pid1: when we can't log to journal, remember our fallback log target - log: remove LOG_TARGET_SAFE pseudo log target - log: add brief comment for log_set_open_when_needed() and log_set_always_reopen_console() - log: add new 'prohibit_ipc' flag to logging system - log: make log_set_upgrade_syslog_to_journal() take effect immediately - dbus: split up bus_done() into seperate functions - machine-id-setup: generate machine-id from DMI product ID on Amazon EC2 - virt: if we detect Xen by DMI, trust that over CPUID ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:3830-1 Released: Wed Dec 1 13:45:46 2021 Summary: 
Security update for glibc Type: security Severity: moderate References: 1027496,1183085,CVE-2016-10228 This update for glibc fixes the following issues: - libio: do not attempt to free wide buffers of legacy streams (bsc#1183085) - CVE-2016-10228: Rewrite iconv option parsing to fix security issue (bsc#1027496) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3869-1 Released: Thu Dec 2 07:10:09 2021 Summary: Recommended update for suse-module-tools Type: recommended Severity: moderate References: 1189841,1189879,1190598,1191200,1191260,1191480,1191804,1191922 This update for suse-module-tools fixes the following issues: - rpm-script: fix bad exit status in OpenQA (bsc#1191922) - cert-script: Deal with existing $cert.delete file (bsc#1191804) - cert-script: Ignore kernel keyring for kernel certificates (bsc#1191480) -cert-script: Only print mokutil output in verbose mode - inkmp-script(postun): don't pass existing files to weak-modules2 (bsc#1191200) - kernel-scriptlets: skip cert scriptlet on non-UEFI systems (bsc#1191260) - rpm-script: link config also into /boot (bsc#1189879) - Import kernel scriptlets from kernel-source (bsc#1189841, bsc#1190598) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3883-1 Released: Thu Dec 2 11:47:07 2021 Summary: Recommended update for timezone Type: recommended Severity: moderate References: 1177460 This update for timezone fixes the following issues: Update timezone to 2021e (bsc#1177460) - Palestine will fall back 10-29 (not 10-30) at 01:00 - Fiji suspends DST for the 2021/2022 season - 'zic -r' marks unspecified timestamps with '-00' - Fix a bug in 'zic -b fat' that caused old timestamps to be mishandled in 32-bit-only readers- Refresh timezone info for china ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3891-1 Released: Fri Dec 3 10:21:49 2021 Summary: Recommended update for keyutils Type: 
recommended Severity: moderate References: 1029961,1113013,1187654 This update for keyutils fixes the following issues: - Add /etc/keys/ and /usr/etc/keys/ directory (bsc#1187654) keyutils was updated to 1.6.3 (jsc#SLE-20016): * Revert the change notifications that were using /dev/watch_queue. * Apply the change notifications that use pipe2(O_NOTIFICATION_PIPE). * Allow 'keyctl supports' to retrieve raw capability data. * Allow 'keyctl id' to turn a symbolic key ID into a numeric ID. * Allow 'keyctl new_session' to name the keyring. * Allow 'keyctl add/padd/etc.' to take hex-encoded data. * Add 'keyctl watch*' to expose kernel change notifications on keys. * Add caps for namespacing and notifications. * Set a default TTL on keys that upcall for name resolution. * Explicitly clear memory after it's held sensitive information. * Various manual page fixes. * FixC++-related errors. * Add support for keyctl_move(). * Add support for keyctl_capabilities(). * Make key=val list optional for various public-key ops. * Fix system call signature for KEYCTL_PKEY_QUERY. * Fix 'keyctl pkey_query' argument passing. * Use keyctl_read_alloc() in dump_key_tree_aux(). * Various manual page fixes. Updated to 1.6: * Apply various specfile cleanups from Fedora. * request-key: Provide a command line option to suppress helper execution. * request-key: Find least-wildcard match rather than first match. * Remove the dependency on MIT Kerberos. * Fix some error messages * keyctl_dh_compute.3: Suggest /proc/crypto for list of available hashes. * Fix doc and comment typos. * Add public key ops for encrypt, decrypt, sign and verify (needs linux-4.20). * Add pkg-config support for finding libkeyutils. * upstream isn't offering PGP signatures for the source tarballs anymore Updated to 1.5.11 (bsc#1113013) * Add keyring restriction support. * Add KDF support to the Diffie-Helman function. 
* DNS: Add support for AFS config files and SRV records

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3899-1
Released: Fri Dec 3 11:27:41 2021
Summary: Security update for aaa_base
Type: security
Severity: moderate
References: 1162581,1174504,1191563,1192248

This update for aaa_base fixes the following issues:

- Allowed ping and ICMP commands without CAP_NET_RAW (bsc#1174504).
- Add $HOME/.local/bin to PATH, if it exists (bsc#1192248).
- Fixed get_kernel_version.c to work also for recent kernels on the s390/X platform (bsc#1191563).
- Support xz compressed kernel (bsc#1162581)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3930-1
Released: Mon Dec 6 11:16:10 2021
Summary: Recommended update for curl
Type: recommended
Severity: moderate
References: 1192790

This update for curl fixes the following issues:

- Fix sftp via proxy failure in curl, by preventing libssh from creating socket (bsc#1192790)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3934-1
Released: Mon Dec 6 13:22:27 2021
Summary: Security update for mozilla-nss
Type: security
Severity: important
References: 1193170,CVE-2021-43527

This update for mozilla-nss fixes the following issues:

Update to version 3.68.1:
- CVE-2021-43527: Fixed a heap overflow in NSS when verifying DER-encoded DSA or RSA-PSS signatures (bsc#1193170).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3946-1
Released: Mon Dec 6 14:57:42 2021
Summary: Security update for gmp
Type: security
Severity: moderate
References: 1192717,CVE-2021-43618

This update for gmp fixes the following issues:

- CVE-2021-43618: Fixed buffer overflow via crafted input in mpz/inp_raw.c (bsc#1192717).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3987-1
Released: Fri Dec 10 06:09:40 2021
Summary: Recommended update for suse-module-tools
Type: recommended
Severity: moderate
References: 1187196

This update for suse-module-tools fixes the following issues:

- Blacklist the isst_if_mbox_msr driver because it uses hardware information based on CPU family and model, which is too unspecific. On large systems, this causes a lot of failing loading attempts for this driver, leading to slow or even stalled boot (bsc#1187196)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:4015-1
Released: Mon Dec 13 17:16:00 2021
Summary: Security update for python3
Type: security
Severity: moderate
References: 1180125,1183374,1183858,1185588,1187338,1187668,1189241,1189287,CVE-2021-3426,CVE-2021-3733,CVE-2021-3737

This update for python3 fixes the following issues:

- CVE-2021-3737: Fixed http client infinite line reading (DoS) after a http 100. (bsc#1189241)
- CVE-2021-3733: Fixed ReDoS in urllib.request. (bsc#1189287)
- CVE-2021-3426: Fixed an information disclosure via pydoc. (bsc#1183374)
- Rebuild to get new headers, avoid building in support for stropts.h (bsc#1187338).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:4017-1
Released: Tue Dec 14 07:26:55 2021
Summary: Recommended update for openssl-1_1
Type: recommended
Severity: moderate
References: 1180995

This update for openssl-1_1 fixes the following issues:

- Add RFC3526 and RFC7919 groups to 'openssl genpkey' so that it can output FIPS-appropriate parameters consistently with our other codestreams (bsc#1180995)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:4139-1
Released: Tue Dec 21 17:02:44 2021
Summary: Recommended update for systemd
Type: recommended
Severity: critical
References: 1193481,1193521

This update for systemd fixes the following issues:

- Revert 'core: rework how we connect to the bus' (bsc#1193521 bsc#1193481)
- sleep-config: partitions can't be deleted, only files can
- shared/sleep-config: exclude zram devices from hibernation candidates

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:4154-1
Released: Wed Dec 22 11:02:38 2021
Summary: Security update for p11-kit
Type: security
Severity: important
References: 1180064,1187993,CVE-2020-29361

This update for p11-kit fixes the following issues:

- CVE-2020-29361: Fixed multiple integer overflows in rpc code (bsc#1180064)
- Add support for CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER (bsc#1187993).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:4182-1
Released: Thu Dec 23 11:51:51 2021
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1192688

This update for zlib fixes the following issues:

- Fix hardware compression incorrect result on z15 hardware (bsc#1192688)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:4-1
Released: Mon Jan 3 08:28:54 2022
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1193480

This update for libgcrypt fixes the following issues:

- Fix function gcry_mpi_sub_ui subtracting from negative value (bsc#1193480)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:49-1
Released: Tue Jan 11 09:19:15 2022
Summary: Recommended update for apparmor
Type: recommended
Severity: moderate
References: 1191690

This update for apparmor fixes the following issues:

- Fixed an issue when apparmor provides python2 and python3 libraries with the same name. (bsc#1191690)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:57-1
Released: Wed Jan 12 07:10:42 2022
Summary: Recommended update for libzypp
Type: recommended
Severity: moderate
References: 1193488,954813

This update for libzypp fixes the following issues:

- Use the default zypp.conf settings if no zypp.conf exists (bsc#1193488)
- Fix wrong encoding of URI components of ISO images (bsc#954813)
- When invoking 32bit mode in userland of an aarch64 kernel, handle armv8l as armv7hl compatible
- Introduce zypp-curl as a sublibrary for CURL related code
- zypp-rpm: Increase rpm loglevel if ZYPP_RPM_DEBUG is set
- Save all signatures associated with a public key in its PublicKeyData

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:72-1
Released: Thu Jan 13 16:13:36 2022
Summary: Recommended update for mozilla-nss and MozillaFirefox
Type: recommended
Severity: important
References: 1193845

This update for mozilla-nss and MozillaFirefox fixes the following issues:

mozilla-nss:
- Update from version 3.68.1 to 3.68.2 (bsc#1193845)
- Add SHA-2 support to mozilla::pkix's Online Certificate Status Protocol implementation

MozillaFirefox:
- Firefox Extended Support Release 91.4.1 ESR (bsc#1193845)
- Add SHA-2 support to mozilla::pkix's Online Certificate Status Protocol implementation to fix frequent MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING error messages when trying to connect to various microsoft.com domains

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:134-1
Released: Thu Jan 20 10:02:15 2022
Summary: Security update for python-numpy
Type: security
Severity: moderate
References: 1193907,1193913,CVE-2021-33430,CVE-2021-41496

This update for python-numpy fixes the following issues:

- CVE-2021-33430: Fixed buffer overflow that could lead to DoS in PyArray_NewFromDescr_int function of ctors.c (bsc#1193913).
- CVE-2021-41496: Fixed buffer overflow that could lead to DoS in array_from_pyobj function of fortranobject.c (bsc#1193907).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:178-1
Released: Tue Jan 25 14:16:23 2022
Summary: Security update for expat
Type: security
Severity: important
References: 1194251,1194362,1194474,1194476,1194477,1194478,1194479,1194480,CVE-2021-45960,CVE-2021-46143,CVE-2022-22822,CVE-2022-22823,CVE-2022-22824,CVE-2022-22825,CVE-2022-22826,CVE-2022-22827

This update for expat fixes the following issues:

- CVE-2021-45960: Fixed left shift in the storeAtts function in xmlparse.c that can lead to realloc misbehavior (bsc#1194251).
- CVE-2021-46143: Fixed integer overflow in m_groupSize in doProlog (bsc#1194362).
- CVE-2022-22822: Fixed integer overflow in addBinding in xmlparse.c (bsc#1194474).
- CVE-2022-22823: Fixed integer overflow in build_model in xmlparse.c (bsc#1194476).
- CVE-2022-22824: Fixed integer overflow in defineAttribute in xmlparse.c (bsc#1194477).
- CVE-2022-22825: Fixed integer overflow in lookup in xmlparse.c (bsc#1194478).
- CVE-2022-22826: Fixed integer overflow in nextScaffoldPart in xmlparse.c (bsc#1194479).
- CVE-2022-22827: Fixed integer overflow in storeAtts in xmlparse.c (bsc#1194480).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:184-1
Released: Tue Jan 25 18:20:56 2022
Summary: Security update for json-c
Type: security
Severity: important
References: 1171479,CVE-2020-12762

This update for json-c fixes the following issues:

- CVE-2020-12762: Fixed integer overflow and out-of-bounds write. (bsc#1171479)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:337-1
Released: Fri Feb 4 10:24:28 2022
Summary: Recommended update for libzypp
Type: recommended
Severity: important
References: 1193007,1194597,1194898

This update for libzypp fixes the following issues:

- RepoManager: remember execution errors in exception history (bsc#1193007)
- Fix exception handling when reading or writing credentials (bsc#1194898)
- Fix install path for parser (bsc#1194597)
- Fix Legacy include (bsc#1194597)
- Public header files on older distros must use c++11 (bsc#1194597)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:473-1
Released: Thu Feb 17 10:29:42 2022
Summary: Recommended update for libzypp, zypper
Type: recommended
Severity: moderate
References: 1195326

This update for libzypp, zypper fixes the following issues:

- Fix handling of redirected command in-/output (bsc#1195326)
  This fixes delays at the end of zypper operations, where zypper unintentionally waits for appdata plugin scripts to complete.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:476-1
Released: Thu Feb 17 10:31:35 2022
Summary: Recommended update for nfs-utils
Type: recommended
Severity: moderate
References: 1194661

This update for nfs-utils fixes the following issues:

- If an error or warning message is produced before closeall() is called, mountd doesn't work. (bsc#1194661)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:498-1
Released: Fri Feb 18 10:46:56 2022
Summary: Security update for expat
Type: security
Severity: important
References: 1195054,1195217,CVE-2022-23852,CVE-2022-23990

This update for expat fixes the following issues:

- CVE-2022-23852: Fixed signed integer overflow in XML_GetBuffer (bsc#1195054).
- CVE-2022-23990: Fixed integer overflow in the doProlog function (bsc#1195217).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:511-1
Released: Fri Feb 18 12:41:53 2022
Summary: Recommended update for coreutils
Type: recommended
Severity: moderate
References: 1082318,1189152

This update for coreutils fixes the following issues:

- Add 'fuse.portal' as a dummy file system (used in flatpak implementations) (bsc#1189152).
- Properly sort docs and license files (bsc#1082318).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:523-1
Released: Fri Feb 18 12:49:09 2022
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1193759,1193841

This update for systemd fixes the following issues:

- systemctl: exit with 1 if no unit files found (bsc#1193841).
- add rules for virtual devices (bsc#1193759).
- enforce 'none' for loop devices (bsc#1193759).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:572-1
Released: Thu Feb 24 11:58:05 2022
Summary: Recommended update for psmisc
Type: recommended
Severity: moderate
References: 1194172

This update for psmisc fixes the following issues:

- Determine the namespace of a process only once to speed up the parsing of 'fdinfo'. (bsc#1194172)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:674-1
Released: Wed Mar 2 13:24:38 2022
Summary: Recommended update for yast2-network
Type: recommended
Severity: moderate
References: 1187512

This update for yast2-network fixes the following issues:

- Don't crash at the end of installation when storing wifi configuration for NetworkManager. (bsc#1187512)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:692-1
Released: Thu Mar 3 15:46:47 2022
Summary: Recommended update for filesystem
Type: recommended
Severity: moderate
References: 1190447

This update for filesystem fixes the following issues:

- Release ported filesystem to LTSS channels (bsc#1190447).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:701-1
Released: Thu Mar 3 17:45:33 2022
Summary: Recommended update for sudo
Type: recommended
Severity: moderate
References: 1181703

This update for sudo fixes the following issues:

- Add support in the LDAP filter for negated users (jsc#SLE-20068)
- Restrict use of sudo -U other -l to people who have permission to run commands as that user (bsc#1181703, jsc#SLE-22569)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:702-1
Released: Thu Mar 3 18:22:59 2022
Summary: Security update for cyrus-sasl
Type: security
Severity: important
References: 1196036,CVE-2022-24407

This update for cyrus-sasl fixes the following issues:

- CVE-2022-24407: Fixed SQL injection in sql_auxprop_store in plugins/sql.c (bsc#1196036).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:713-1
Released: Fri Mar 4 09:34:17 2022
Summary: Security update for expat
Type: security
Severity: important
References: 1196025,1196026,1196168,1196169,1196171,CVE-2022-25235,CVE-2022-25236,CVE-2022-25313,CVE-2022-25314,CVE-2022-25315

This update for expat fixes the following issues:

- CVE-2022-25236: Fixed possible namespace-separator characters insertion into namespace URIs (bsc#1196025).
- CVE-2022-25235: Fixed UTF-8 character validation in a certain context (bsc#1196026).
- CVE-2022-25313: Fixed stack exhaustion in build_model() via uncontrolled recursion (bsc#1196168).
- CVE-2022-25314: Fixed integer overflow in copyString (bsc#1196169).
- CVE-2022-25315: Fixed integer overflow in storeRawNames (bsc#1196171).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:787-1
Released: Thu Mar 10 11:20:13 2022
Summary: Recommended update for openldap2
Type: recommended
Severity: moderate
References:

This update for openldap2 fixes the following issue:

- restore CLDAP functionality in CLI tools (jsc#PM-3288)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:789-1
Released: Thu Mar 10 11:22:05 2022
Summary: Recommended update for update-alternatives
Type: recommended
Severity: moderate
References: 1195654

This update for update-alternatives fixes the following issues:

- Break bash - update-alternatives cycle: rewrite of '%post' in 'lua'. (bsc#1195654)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:808-1
Released: Fri Mar 11 06:07:58 2022
Summary: Recommended update for procps
Type: recommended
Severity: moderate
References: 1195468

This update for procps fixes the following issues:

- Stop registering signal handler for SIGURG, to avoid `ps` failure if someone sends such signal. Without the signal handler, SIGURG will just be ignored. (bsc#1195468)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:823-1
Released: Mon Mar 14 15:16:37 2022
Summary: Security update for protobuf
Type: security
Severity: moderate
References: 1195258,CVE-2021-22570

This update for protobuf fixes the following issues:

- CVE-2021-22570: Fix incorrect parsing of nullchar in the proto symbol (bsc#1195258).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:832-1
Released: Mon Mar 14 17:27:03 2022
Summary: Security update for glibc
Type: security
Severity: important
References: 1193625,1194640,1194768,1194770,1195560,CVE-2015-8985,CVE-2021-3999,CVE-2022-23218,CVE-2022-23219

glibc was updated to fix the following issues:

Security issues fixed:
- CVE-2022-23219: Fixed buffer overflow in sunrpc clnt_create for 'unix' (bsc#1194768)
- CVE-2022-23218: Buffer overflow in sunrpc svcunix_create (bsc#1194770)
- CVE-2021-3999: Fixed getcwd to set errno to ERANGE for size == 1 (bsc#1194640)
- CVE-2015-8985: Fixed assertion failure in pop_fail_stack when executing a malformed regexp (bsc#1193625)

Also the following bug was fixed:
- Fix pthread_rwlock_try*lock stalls (bsc#1195560)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:844-1
Released: Tue Mar 15 11:33:57 2022
Summary: Security update for expat
Type: security
Severity: important
References: 1196025,1196784,CVE-2022-25236

This update for expat fixes the following issues:

- Fixed a regression caused by the patch for CVE-2022-25236 (bsc#1196784).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:845-1
Released: Tue Mar 15 11:40:52 2022
Summary: Security update for chrony
Type: security
Severity: moderate
References: 1099272,1115529,1128846,1162964,1172113,1173277,1174075,1174911,1180689,1181826,1187906,1190926,1194229,CVE-2020-14367

This update for chrony fixes the following issues:

Chrony was updated to 4.1, bringing features and bugfixes.
Update to 4.1
* Add support for NTS servers specified by IP address (matching Subject Alternative Name in server certificate)
* Add source-specific configuration of trusted certificates
* Allow multiple files and directories with trusted certificates
* Allow multiple pairs of server keys and certificates
* Add copy option to server/pool directive
* Increase PPS lock limit to 40% of pulse interval
* Perform source selection immediately after loading dump files
* Reload dump files for addresses negotiated by NTS-KE server
* Update seccomp filter and add less restrictive level
* Restart ongoing name resolution on online command
* Fix dump files to not include uncorrected offset
* Fix initstepslew to accept time from own NTP clients
* Reset NTP address and port when no longer negotiated by NTS-KE server
- Ensure the correct pool packages are installed for openSUSE and SLE (bsc#1180689).
- Fix pool package dependencies, so that SLE prefers chrony-pool-suse over chrony-pool-empty. (bsc#1194229)
- Enable syscallfilter unconditionally [bsc#1181826].
Update to 4.0
- Enhancements
  - Add support for Network Time Security (NTS) authentication
  - Add support for AES-CMAC keys (AES128, AES256) with Nettle
  - Add authselectmode directive to control selection of unauthenticated sources
  - Add binddevice, bindacqdevice, bindcmddevice directives
  - Add confdir directive to better support fragmented configuration
  - Add sourcedir directive and 'reload sources' command to support dynamic NTP sources specified in files
  - Add clockprecision directive
  - Add dscp directive to set Differentiated Services Code Point (DSCP)
  - Add -L option to limit log messages by severity
  - Add -p option to print whole configuration with included files
  - Add -U option to allow start under non-root user
  - Allow maxsamples to be set to 1 for faster update with -q/-Q option
  - Avoid replacing NTP sources with sources that have unreachable address
  - Improve pools to repeat name resolution to get 'maxsources' sources
  - Improve source selection with trusted sources
  - Improve NTP loop test to prevent synchronisation to itself
  - Repeat iburst when NTP source is switched from offline state to online
  - Update clock synchronisation status and leap status more frequently
  - Update seccomp filter
  - Add 'add pool' command
  - Add 'reset sources' command to drop all measurements
  - Add authdata command to print details about NTP authentication
  - Add selectdata command to print details about source selection
  - Add -N option and sourcename command to print original names of sources
  - Add -a option to some commands to print also unresolved sources
  - Add -k, -p, -r options to clients command to select, limit, reset data
- Bug fixes
  - Don't set interface for NTP responses to allow asymmetric routing
  - Handle RTCs that don't support interrupts
  - Respond to command requests with correct address on multihomed hosts
- Removed features
  - Drop support for RIPEMD keys (RMD128, RMD160, RMD256, RMD320)
  - Drop support for long (non-standard) MACs in NTPv4 packets (chrony 2.x clients using non-MD5/SHA1 keys need to use option 'version 3')
  - Drop support for line editing with GNU Readline
- By default we don't write log files but log to journald, so only recommend logrotate.
- Adjust and rename the sysconfig file, so that it matches the expectations of chronyd.service (bsc#1173277).

Update to 3.5.1:
* Create new file when writing pidfile (CVE-2020-14367, bsc#1174911)
- Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075)
- Use iburst in the default pool statements to speed up initial synchronisation (bsc#1172113).

Update to 3.5:
+ Add support for more accurate reading of PHC on Linux 5.0
+ Add support for hardware timestamping on interfaces with read-only timestamping configuration
+ Add support for memory locking and real-time priority on FreeBSD, NetBSD, Solaris
+ Update seccomp filter to work on more architectures
+ Validate refclock driver options
+ Fix bindaddress directive on FreeBSD
+ Fix transposition of hardware RX timestamp on Linux 4.13 and later
+ Fix building on non-glibc systems
- Fix location of helper script in chrony-dnssrv@.service (bsc#1128846).
- Read runtime servers from /var/run/netconfig/chrony.servers to fix bsc#1099272.
- Move chrony-helper to /usr/lib/chrony/helper, because there should be no executables in /usr/share.
Update to version 3.4
* Enhancements
  + Add filter option to server/pool/peer directive
  + Add minsamples and maxsamples options to hwtimestamp directive
  + Add support for faster frequency adjustments in Linux 4.19
  + Change default pidfile to /var/run/chrony/chronyd.pid to allow chronyd without root privileges to remove it on exit
  + Disable sub-second polling intervals for distant NTP sources
  + Extend range of supported sub-second polling intervals
  + Get/set IPv4 destination/source address of NTP packets on FreeBSD
  + Make burst options and command useful with short polling intervals
  + Modify auto_offline option to activate when sending request failed
  + Respond from interface that received NTP request if possible
  + Add onoffline command to switch between online and offline state according to current system network configuration
  + Improve example NetworkManager dispatcher script
* Bug fixes
  + Avoid waiting in Linux getrandom system call
  + Fix PPS support on FreeBSD and NetBSD

Update to version 3.3
* Enhancements:
  + Add burst option to server/pool directive
  + Add stratum and tai options to refclock directive
  + Add support for Nettle crypto library
  + Add workaround for missing kernel receive timestamps on Linux
  + Wait for late hardware transmit timestamps
  + Improve source selection with unreachable sources
  + Improve protection against replay attacks on symmetric mode
  + Allow PHC refclock to use socket in /var/run/chrony
  + Add shutdown command to stop chronyd
  + Simplify format of response to manual list command
  + Improve handling of unknown responses in chronyc
* Bug fixes:
  + Respond to NTPv1 client requests with zero mode
  + Fix -x option to not require CAP_SYS_TIME under non-root user
  + Fix acquisitionport directive to work with privilege separation
  + Fix handling of socket errors on Linux to avoid high CPU usage
  + Fix chronyc to not get stuck in infinite loop after clock step

-----------------------------------------------------------------
Advisory ID:
SUSE-SU-2022:853-1
Released: Tue Mar 15 19:27:30 2022
Summary: Security update for openssl-1_1
Type: security
Severity: important
References: 1196877,CVE-2022-0778

This update for openssl-1_1 fixes the following issues:

- CVE-2022-0778: Infinite loop in BN_mod_sqrt() reachable when parsing certificates (bsc#1196877).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:861-1
Released: Tue Mar 15 23:30:48 2022
Summary: Recommended update for openssl-1_1
Type: recommended
Severity: moderate
References: 1182959,1195149,1195792,1195856

This update for openssl-1_1 fixes the following issues:

openssl-1_1:
- Fix PAC pointer authentication in ARM (bsc#1195856)
- Pull libopenssl-1_1 when updating openssl-1_1 with the same version (bsc#1195792)
- FIPS: Fix function and reason error codes (bsc#1182959)
- Enable zlib compression support (bsc#1195149)

glibc:
- Resolve installation issue of `glibc-devel` in SUSE Linux Enterprise Micro 5.1

linux-glibc-devel:
- Resolve installation issue of `linux-kernel-headers` in SUSE Linux Enterprise Micro 5.1

libxcrypt:
- Resolve installation issue of `libxcrypt-devel` in SUSE Linux Enterprise Micro 5.1

zlib:
- Resolve installation issue of `zlib-devel` in SUSE Linux Enterprise Micro 5.1

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:867-1
Released: Wed Mar 16 07:14:44 2022
Summary: Recommended update for libtirpc
Type: recommended
Severity: moderate
References: 1193805

This update for libtirpc fixes the following issues:

- Fix memory leak in client protocol version 2 code (bsc#1193805)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:874-1
Released: Wed Mar 16 10:40:52 2022
Summary: Recommended update for openldap2
Type: recommended
Severity: moderate
References: 1197004

This update for openldap2 fixes the following issue:

- Revert jsc#PM-3288 - CLDAP ( -DLDAP_CONNECTIONLESS ) due to regression (bsc#1197004)

The following package changes have been done:

- aaa_base-84.87+git20180409.04c9dae-3.52.1 updated
- binutils-2.37-7.26.1 updated
- coreutils-8.29-4.3.1 updated
- filesystem-15.0-11.5.1 updated
- glibc-locale-base-2.26-13.65.1 updated
- glibc-2.26-13.65.1 updated
- keyutils-1.6.3-5.6.1 updated
- libapparmor1-2.12.3-7.25.2 updated
- libaugeas0-1.10.1-3.9.1 updated
- libctf-nobfd0-2.37-7.26.1 updated
- libctf0-2.37-7.26.1 updated
- libcurl4-7.60.0-28.1 updated
- libexpat1-2.2.5-3.19.1 updated
- libfreebl3-3.68.2-3.64.2 updated
- libgcc_s1-11.2.1+git610-1.3.9 updated
- libgcrypt20-1.8.2-8.42.1 updated
- libgfortran4-7.5.0+r278197-4.30.1 updated
- libgmp10-6.1.2-4.9.1 updated
- libjson-c3-0.13-3.3.1 updated
- libkeyutils1-1.6.3-5.6.1 updated
- libldap-2_4-2-2.4.46-9.64.1 updated
- libldap-data-2.4.46-9.64.1 updated
- libopenssl1_1-1.1.0i-14.27.1 updated
- libp11-kit0-0.23.2-4.13.1 updated
- libprocps7-3.3.15-7.22.1 updated
- libprotobuf-lite15-3.5.0-5.5.1 added
- libpython3_6m1_0-3.6.15-3.91.3 updated
- libquadmath0-11.2.1+git610-1.3.9 updated
- libsasl2-3-2.1.26-5.10.1 updated
- libsoftokn3-3.68.2-3.64.2 updated
- libsolv-tools-0.7.20-4.3.1 updated
- libstdc++6-11.2.1+git610-1.3.9 updated
- libsystemd0-234-24.105.1 updated
- libtirpc-netconfig-1.0.2-3.11.1 updated
- libtirpc3-1.0.2-3.11.1 updated
- libudev1-234-24.105.1 updated
- libz1-1.2.11-3.26.10 updated
- libzypp-17.29.4-3.73.1 updated
- mozilla-nss-certs-3.68.2-3.64.2 updated
- mozilla-nss-3.68.2-3.64.2 updated
- nfs-client-2.1.1-10.21.1 updated
- nfs-kernel-server-2.1.1-10.21.1 updated
- openssl-1_1-1.1.0i-14.27.1 updated
- p11-kit-tools-0.23.2-4.13.1 updated
- p11-kit-0.23.2-4.13.1 updated
- procps-3.3.15-7.22.1 updated
- psmisc-23.0-6.19.1 updated
- python3-base-3.6.15-3.91.3 updated
- python3-numpy-1.17.3-10.1 updated
- python3-3.6.15-3.91.4 updated
- sudo-1.8.27-4.24.1 updated
- suse-module-tools-15.1.24-3.22.1 updated
- systemd-234-24.105.1 updated
- timezone-2021e-75.4.1 updated
- udev-234-24.105.1 updated
- update-alternatives-1.19.0.4-4.3.1 updated
- xfsprogs-4.15.0-4.52.1 updated
- zypper-1.14.51-3.52.1 updated
- container:sles15-image-15.0.0-6.2.587 updated
- python-rpm-macros-20200207.5feb6c1-3.11.1 removed

LinuxSecurity.com Team
The container ses/7/rook/ceph was updated. The following patches have been included in this update:

SUSE Container Update Advisory: ses/7/rook/ceph
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:257-1
Container Tags : ses/7/rook/ceph:1.5.12 , ses/7/rook/ceph:1.5.12.4 , ses/7/rook/ceph:1.5.12.4.1.1710 , ses/7/rook/ceph:latest , ses/7/rook/ceph:sle15.2.octopus
Container Release : 1.1710
Severity : important
Type : security
References : 1040589 1047218 1047218 1099521 1154935 1167471 1172389 1175448 1175449 1176248 1177233 1178561 1180196 1182604 1184124 1184124 1184527 1184761 1184961 1184967 1185046 1185208 1185221 1185331 1185505 1185540 1185797 1185807 1185958 1186049 1186110 1186561 1186579 1186642 1186642 1186642 1186706 1186706 1187060 1187210 1187212 1187292 1187400 CVE-2020-13757 CVE-2020-24370 CVE-2020-24371 CVE-2021-33560 CVE-2021-3580
-----------------------------------------------------------------

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1973-1
Released: Tue Jun 15 12:10:54 2021
Summary: Recommended update for libreoffice and xmlsec1
Type: recommended
Severity: important
References: 1184527,1184961,1185505,1185797,1186110,1186706

This update for libreoffice and xmlsec1 fixes the following issues:

libreoffice:
Update from version 7.1.2.2 to version 7.1.3.2
- Searching in PPTX document makes LibreOffice crash. (bsc#1185797)
- Fix a text highlight issue when saving as PPTX. (bsc#1185505)
- Recommend `libreoffice-qt5` only when it is actually created
- Fix a build error with GCC11. (bsc#1186110)
- LibreOffice requires at least java 1.8.0 to run properly.
- Fix a potential data loss in LibreOffice Math. (bsc#1184961, bsc#1184527)
  The issue occurred only while trying to close the document via shortcuts. In this case LibreOffice Math was closed without asking to save the document.

xmlsec1:
- Provide missing binaries to SUSE Linux Enterprise 15-SP3 with l3 support level. (bsc#1186706)

myspell-dictionaries:
- Provide missing binaries to SUSE Linux Enterprise 15-SP3 with l2 support level. (bsc#1186706)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2001-1
Released: Thu Jun 17 16:54:07 2021
Summary: Recommended update for python-pycryptodome
Type: recommended
Severity: moderate
References: 1186642

This update for python-pycryptodome fixes the following issue:

- python-pycryptodome had a lower release number in 15 sp2 and sp3 than in 15 sp1, which could lead to migration issues. (bsc#1186642)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2008-1
Released: Thu Jun 17 18:07:45 2021
Summary: Security update for python-rsa
Type: security
Severity: important
References: 1172389,CVE-2020-13757

This update for python-rsa fixes the following issues:

- CVE-2020-13757: Proper handling of leading '\0' bytes during decryption of ciphertext (bsc#1172389)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2096-1
Released: Mon Jun 21 13:35:38 2021
Summary: Recommended update for python-six
Type: recommended
Severity: moderate
References: 1186642

This update for python-six fixes the following issue:

- python-six had a lower release number in 15 sp2 and sp3 than in 15 sp1, which could lead to migration issues. (bsc#1186642)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2143-1
Released: Wed Jun 23 16:27:04 2021
Summary: Security update for libnettle
Type: security
Severity: important
References: 1187060,CVE-2021-3580

This update for libnettle fixes the following issues:

- CVE-2021-3580: Fixed a remote denial of service in the RSA decryption via manipulated ciphertext (bsc#1187060).
----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:2157-1 Released: Thu Jun 24 15:40:14 2021 Summary: Security update for libgcrypt Type: security Severity: important References: 1187212,CVE-2021-33560 This update for libgcrypt fixes the following issues: - CVE-2021-33560: Fixed a side-channel against ElGamal encryption, caused by missing exponent blinding (bsc#1187212). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:2173-1 Released: Mon Jun 28 14:59:45 2021 Summary: Recommended update for automake Type: recommended Severity: moderate References: 1040589,1047218,1182604,1185540,1186049 This update for automake fixes the following issues: - Implement generated autoconf makefiles reproducible (bsc#1182604) - Add fix to avoid date variations in docs. (bsc#1047218, jsc#SLE-17848) - Avoid bashisms in test-driver script. (bsc#1185540) This update for pcre fixes the following issues: - Do not run profiling 'check' in parallel to make package build reproducible. (bsc#1040589) This update for brp-check-suse fixes the following issues: - Add fixes to support reproducible builds. (bsc#1186049) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:2178-1 Released: Mon Jun 28 15:56:15 2021 Summary: Recommended update for systemd-presets-common-SUSE Type: recommended Severity: moderate References: 1186561 This update for systemd-presets-common-SUSE fixes the following issues: When installing the systemd-presets-common-SUSE package for the first time in a new system, it might happen that some services are installed before systemd so the %systemd_pre/post macros would not work. This is handled by enabling all preset services in this package's %posttrans section but it wasn't enabling user services, justsystem services. 
Now it enables also the user services installed before this package (bsc#1186561) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:2179-1 Released: Mon Jun 28 17:36:37 2021 Summary: Recommended update for thin-provisioning-tools Type: recommended Severity: moderate References: 1184124 This update for thin-provisioning-tools fixes the following issues: - Link as position-independent executable (bsc#1184124) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:2196-1 Released: Tue Jun 29 09:41:39 2021 Summary: Security update for lua53 Type: security Severity: moderate References: 1175448,1175449,CVE-2020-24370,CVE-2020-24371 This update for lua53 fixes the following issues: Update to version 5.3.6: - CVE-2020-24371: lgc.c mishandles the interaction between barriers and the sweep phase, leading to a memory access violation involving collectgarbage (bsc#1175449) - CVE-2020-24370: ldebug.c allows a negation overflow and segmentation fault in getlocal and setlocal (bsc#1175448) - Long brackets with a huge number of '=' overflow some internal buffer arithmetic. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:2205-1 Released: Wed Jun 30 09:17:41 2021 Summary: Recommended update for openldap2 Type: recommended Severity: important References: 1187210 This update for openldap2 fixes the following issues: - Resolve issues in the idle / connection 'TTL' timeout implementation in OpenLDAP. 
(bsc#1187210) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:2210-1 Released: Wed Jun 30 13:00:09 2021 Summary: Recommended update for lvm2 Type: recommended Severity: moderate References: 1184124 This update for lvm2 fixes the following issues: - Link test as position independent executable and update packages with non-PIE binaries.(bsc#1184124) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:2224-1 Released: Thu Jul 1 13:48:44 2021 Summary: Recommended update for psmisc Type: recommended Severity: important References: 1185208 This update for psmisc fixes the following issues: - It does no longer list all processes from different private namespaces when fuser is run on an NFS mount. This led to an issue where the wrong processes were terminated in an SAP application cluster environment (bsc#1185208) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:2229-1 Released: Thu Jul 1 20:40:37 2021 Summary: Recommended update for release packages Type: recommended Severity: moderate References: 1099521,1185221 This update for the release packages provides the following fix: - Fix grub menu entries after migration from SLE-12*. (bsc#1099521) - Adjust the sles-release changelog to include an entry for the previous release that was reverting a broken change. 
(bsc#1185221) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:2233-1 Released: Fri Jul 2 12:49:43 2021 Summary: Recommended update for rdma-core Type: recommended Severity: moderate References: 1176248,1180196 This update for rdma-core fixes the following issues: Update to v31.0 (jsc#SLE-15657, jsc#SLE-15731, jsc#SLE-15743, jsc#SLE-15810, jsc#ECO-3504) - Keep `rxe_cfg` binary available for SUSE Linux Enterprise 15-SP2 (bsc#1176248) - Make sure `srp_daemon` is loaded at boot if enabled (bsc#1180196) - Fix support of older providers with newer `rdma-core` internal ABI ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:2246-1 Released: Mon Jul 5 15:17:49 2021 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1154935,1167471,1178561,1184761,1184967,1185046,1185331,1185807,1185958,1187292,1187400 Thisupdate for systemd fixes the following issues: cgroup: Parse infinity properly for memory protections. (bsc#1167471) cgroup: Make empty assignments reset to default. (bsc#1167471) cgroup: Support 0-value for memory protection directives. (bsc#1167471) core/cgroup: Fixed an issue with ignored parameter of 'MemorySwapMax=0'. (bsc#1154935) bus-unit-util: Add proper 'MemorySwapMax' serialization. core: Accept MemorySwapMax= properties that are scaled. execute: Make sure to call into PAM after initializing resource limits. (bsc#1184967) core: Rename 'ShutdownWatchdogSec' to 'RebootWatchdogSec'. (bsc#1185331) Return -EAGAIN instead of -EALREADY from unit_reload. (bsc#1185046) rules: Don't ignore Xen virtual interfaces anymore. (bsc#1178561) write_net_rules: Set execute bits. (bsc#1178561) udev: Rework network device renaming. 
Revert 'Revert 'udev: Network device renaming - immediately give up if the target name isn't available' mount-util: tape over name_to_handle_at() flakiness (#7517) (bsc#1184761) core: fix output (logging) for mount units (#7603) (bsc#1187400) udev requires systemd in its %post (bsc#1185958) cgroup: Parse infinity properly for memory protections (bsc#1167471) cgroup: Make empty assignments reset to default (bsc#1167471) cgroup: Support 0-value for memory protection directives (bsc#1167471) Create /run/lock/subsys again (bsc#1187292) The creation of this directory was mistakenly dropped when 'filesystem' package took the initialization of the generic paths over. Expect 644 permissions for /usr/lib/udev/compat-symlink-generation (bsc#1185807) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2021:2249-1 Released: Mon Jul 5 15:40:46 2021 Summary: Optional update for gnutls Type: optional Severity: low References: 1047218,1186579 This update for gnutls does not fix any user visible issues. It is therefore optional toinstall. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:2261-1 Released: Tue Jul 6 13:34:21 2021 Summary: Recommended update for xmlsec1 Type: recommended Severity: moderate References: 1177233,1186642,1186706 This update rereleases xmlsec1 for SUSE Linux Enterprise 15 SP3 to fix a migration issue. 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:2269-1 Released: Wed Jul 7 16:48:07 2021 Summary: Recommended update for rook Type: recommended Severity: moderate References: This update for rook fixes the following issues: - Fixed OSD hostpath to prevent risk of data corruption on restart - Double the mon failover timeout (to 20 minutes) during node drain - Improved the reliability of mon failover when the operator is restarted during failover - Allow heap dump generation when logCollector sidecar is not running - Improved node watcher for deploying new OSDs - Fix bucket health check where SSL is enabled for RGW - The topology affinity for portable OSDs during upgrade will now be detected - Ensure object store endpoint is initialized for user . An important release has surfaced for ses/7/rook/ceph containers. Uncover key enhancements and vital security patches.. SUSE Update,ses/7 Rook Ceph,Container Advisory,Security Alert. . Severity: Important. LinuxSecurity.com Team