
Stay Secure with the Latest Linux Advisories


Explore Latest Linux Security advisories


SUSE: 2023:504-2 Important Kubelet Security Update Released

The container ses/7.1/cephcsi/csi-node-driver-registrar was updated. The following patches have been included in this update:

SUSE Container Update Advisory: ses/7.1/cephcsi/csi-node-driver-registrar
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:503-1
Container Tags : ses/7.1/cephcsi/csi-node-driver-registrar:v2.5.1 , ses/7.1/cephcsi/csi-node-driver-registrar:v2.5.1-rev1 , ses/7.1/cephcsi/csi-node-driver-registrar:v2.5.1-rev1-build2.2.379
Container Release : 2.2.379
Severity : important
Type : security
References : 1121365 1167864 1177460 1177460 1180995 1181961 1183533 1194038 1194530 1198472 1199467 1200723 1201959 1201978 1202324 1202750 1202812 1203046 1203652 1203652 1203681 1203857 1203911 1204137 1204179 1204211 1204256 1204366 1204367 1204383 1204423 1204649 1204968 1205000 1205126 1205156 1205646 1206309 1206337 1206412 1206579 1206738 1207533 1207534 1207536 1207538 CVE-2016-3709 CVE-2020-10696 CVE-2021-20206 CVE-2021-22569 CVE-2021-28153 CVE-2022-1941 CVE-2022-2990 CVE-2022-3171 CVE-2022-32221 CVE-2022-3821 CVE-2022-40303 CVE-2022-40304 CVE-2022-42898 CVE-2022-4304 CVE-2022-43552 CVE-2022-4415 CVE-2022-4450 CVE-2022-46908 CVE-2022-47629 CVE-2023-0215 CVE-2023-0286
-----------------------------------------------------------------

The container ses/7.1/cephcsi/csi-node-driver-registrar was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3766-1
Released: Wed Oct 26 11:38:01 2022
Summary: Security update for buildah
Type: security
Severity: important
References: 1167864,1181961,1202812,CVE-2020-10696,CVE-2021-20206,CVE-2022-2990

This update for buildah fixes the following issues:

- CVE-2021-20206: Fixed an issue in libcni that could allow an attacker to execute arbitrary binaries on the host (bsc#1181961).
- CVE-2020-10696: Fixed an issue that could lead to files being overwritten during the image building process (bsc#1167864).
- CVE-2022-2990: Fixed possible information disclosure and modification / bsc#1202812

Buildah was updated to version 1.27.1:

  * run: add container gid to additional groups

- Add fix for CVE-2022-2990 / bsc#1202812

Update to version 1.27.0:

  * Don't try to call runLabelStdioPipes if spec.Linux is not set
  * build: support filtering cache by duration using --cache-ttl
  * build: support building from commit when using git repo as build context
  * build: clean up git repos correctly when using subdirs
  * integration tests: quote '?' in shell scripts
  * test: manifest inspect should have OCIv1 annotation
  * vendor: bump to c/common@87fab4b7019a
  * Failure to determine a file or directory should print an error
  * refactor: remove unused CommitOptions from generateBuildOutput
  * stage_executor: generate output for cases with no commit
  * stage_executor, commit: output only if last stage in build
  * Use errors.Is() instead of os.Is{Not,}Exist
  * Minor test tweak for podman-remote compatibility
  * Cirrus: Use the latest imgts container
  * imagebuildah: complain about the right Dockerfile
  * tests: don't try to wrap `nil` errors
  * cmd/buildah.commitCmd: don't shadow 'err'
  * cmd/buildah.pullCmd: complain about DecryptConfig/EncryptConfig
  * Fix a copy/paste error message
  * Fix a typo in an error message
  * build,cache: support pulling/pushing cache layers to/from remote sources
  * Update vendor of containers/(common, storage, image)
  * Rename chroot/run.go to chroot/run_linux.go
  * Don't bother telling codespell to skip files that don't exist
  * Set user namespace defaults correctly for the library
  * imagebuildah: optimize cache hits for COPY and ADD instructions
  * Cirrus: Update VM images w/ updated bats
  * docs, run: show SELinux label flag for cache and bindmounts
  * imagebuildah, build: remove undefined concurrent writes
  * bump github.com/opencontainers/runtime-tools
  * Add FreeBSD support for 'buildah info'
  * Vendor in latest containers/(storage, common, image)
  * Add freebsd cross build targets
  * Make the jail package build on 32bit platforms
  * Cirrus: Ensure the build-push VM image is labeled
  * GHA: Fix dynamic script filename
  * Vendor in containers/(common, storage, image)
  * Run codespell
  * Remove import of github.com/pkg/errors
  * Avoid using cgo in pkg/jail
  * Rename footypes to fooTypes for naming consistency
  * Move cleanupTempVolumes and cleanupRunMounts to run_common.go
  * Make the various run mounts work for FreeBSD
  * Move get{Bind,Tmpfs,Secret,SSH}Mount to run_common.go
  * Move runSetupRunMounts to run_common.go
  * Move cleanableDestinationListFromMounts to run_common.go
  * Make setupMounts and runSetupBuiltinVolumes work on FreeBSD
  * Move setupMounts and runSetupBuiltinVolumes to run_common.go
  * Tidy up - runMakeStdioPipe can't be shared with linux
  * Move runAcceptTerminal to run_common.go
  * Move stdio copying utilities to run_common.go
  * Move runUsingRuntime and runCollectOutput to run_common.go
  * Move fileCloser, waitForSync and contains to run_common.go
  * Move checkAndOverrideIsolationOptions to run_common.go
  * Move DefaultNamespaceOptions to run_common.go
  * Move getNetworkInterface to run_common.go
  * Move configureEnvironment to run_common.go
  * Don't crash in configureUIDGID if Process.Capabilities is nil
  * Move configureUIDGID to run_common.go
  * Move runLookupPath to run_common.go
  * Move setupTerminal to run_common.go
  * Move etc file generation utilities to run_common.go
  * Add run support for FreeBSD
  * Add a simple FreeBSD jail library
  * Add FreeBSD support to pkg/chrootuser
  * Sync call signature for RunUsingChroot with chroot/run.go
  * test: verify feature to resolve basename with args
  * vendor: bump openshift/imagebuilder to master@4151e43
  * GHA: Remove required reserved-name use
  * buildah: set XDG_RUNTIME_DIR before setting default runroot
  * imagebuildah: honor build output even if build container is not commited
  * chroot: honor DefaultErrnoRet
  * [CI:DOCS] improve pull-policy documentation
  * tests: retrofit test since --file does not supports dir
  * Switch to golang native error wrapping
  * BuildDockerfiles: error out if path to containerfile is a directory
  * define.downloadToDirectory: fail early if bad HTTP response
  * GHA: Allow re-use of Cirrus-Cron fail-mail workflow
  * add: fail on bad http response instead of writing to container
  * [CI:DOCS] Update buildahimage comment
  * lint: inspectable is never nil
  * vendor: c/common to common@7e1563b
  * build: support OCI hooks for ephemeral build containers
  * [CI:BUILD] Install latest buildah instead of compiling
  * Add subid support with BuildRequires and BUILDTAG [NO NEW TESTS NEEDED]
  * Make sure cpp is installed in buildah images
  * demo: use unshare for rootless invocations
  * buildah.spec.rpkg: initial addition
  * build: fix test for subid 4
  * build, userns: add support for --userns=auto
  * Fix building upstream buildah image
  * Remove redundant buildahimages-are-sane validation
  * Docs: Update multi-arch buildah images readme
  * Cirrus: Migrate multiarch build off github actions
  * retrofit-tests: we skip unused stages so use stages
  * stage_executor: dont rely on stage while looking for additional-context
  * buildkit, multistage: skip computing unwanted stages
  * More test cleanup
  * copier: work around freebsd bug for 'mkdir /'
  * Replace $BUILDAH_BINARY with buildah() function
  * Fix up buildah images
  * Make util and copier build on FreeBSD
  * Vendor in latest github.com/sirupsen/logrus
  * Makefile: allow building without .git
  * run_unix: don't return an error from getNetworkInterface
  * run_unix: return a valid DefaultNamespaceOptions
  * Update vendor of containers/storage
  * chroot: use ActKillThread instead of ActKill
  * use resolvconf package from c/common/libnetwork
  * update c/common to latest main
  * copier: add `NoOverwriteNonDirDir` option
  * Sort buildoptions and move cli/build functions to internal
  * Fix TODO: de-spaghettify run mounts
  * Move options parsing out of build.go and into pkg/cli
  * [CI:DOCS] Tutorial 04 - Include Debian/Ubuntu deps
  * build, multiarch: support splitting build logs for --platform
  * [CI:BUILD] WIP Cleanup Image Dockerfiles
  * cli remove stutter
  * docker-parity: ignore sanity check if baseImage history is null
  * build, commit: allow disabling image history with --omit-history
  * Fix use generic/ambiguous DEBUG name
  * Cirrus: use Ubuntu 22.04 LTS
  * Fix codespell errors
  * Remove util.StringInSlice because it is defined in containers/common
  * buildah: add support for renaming a device in rootless setups
  * squash: never use build cache when computing last step of last stage
  * Update vendor of containers/(common, storage, image)
  * buildkit: supports additionalBuildContext in builds via --build-context
  * buildah source pull/push: show progress bar
  * run: allow resuing secret twice in different RUN steps
  * test helpers: default to being rootless-aware
  * Add --cpp-flag flag to buildah build
  * build: accept branch and subdirectory when context is git repo
  * Vendor in latest containers/common
  * vendor: update c/storage and c/image
  * Fix gentoo install docs
  * copier: move NSS load to new process
  * Add test for prevention of reusing encrypted layers
  * Make `buildah build --label foo` create an empty 'foo' label again

Update to version 1.26.4:

  * build, multiarch: support splitting build logs for --platform
  * copier: add `NoOverwriteNonDirDir` option
  * docker-parity: ignore sanity check if baseImage history is null
  * build, commit: allow disabling image history with --omit-history
  * buildkit: supports additionalBuildContext in builds via --build-context
  * Add --cpp-flag flag to buildah build

Update to version 1.26.3:

  * define.downloadToDirectory: fail early if bad HTTP response
  * add: fail on bad http response instead of writing to container
  * squash: never use build cache when computing last step of last stage
  * run: allow resuing secret twice in different RUN steps
  * integration tests: update expected error messages
  * integration tests: quote '?' in shell scripts
  * Use errors.Is() to check for storage errors
  * lint: inspectable is never nil
  * chroot: use ActKillThread instead of ActKill
  * chroot: honor DefaultErrnoRet
  * Set user namespace defaults correctly for the library
  * contrib/rpm/buildah.spec: fix `rpm` parser warnings

Drop requires on apparmor pattern, should be moved elsewhere for systems which want AppArmor instead of SELinux.

- Update BuildRequires to libassuan-devel >= 2.5.2, pkgconfig file is required to build.

Update to version 1.26.2:

  * buildah: add support for renaming a device in rootless setups

Update to version 1.26.1:

  * Make `buildah build --label foo` create an empty 'foo' label again
  * imagebuildah,build: move deepcopy of args before we spawn goroutine
  * Vendor in containers/storage v1.40.2
  * buildah.BuilderOptions.DefaultEnv is ignored, so mark it as deprecated
  * help output: get more consistent about option usage text
  * Handle OS version and features flags
  * buildah build: --annotation and --label should remove values
  * buildah build: add a --env
  * buildah: deep copy options.Args before performing concurrent build/stage
  * test: inline platform and builtinargs behaviour
  * vendor: bump imagebuilder to master/009dbc6
  * build: automatically set correct TARGETPLATFORM where expected
  * Vendor in containers/(common, storage, image)
  * imagebuildah, executor: process arg variables while populating baseMap
  * buildkit: add support for custom build output with --output
  * Cirrus: Update CI VMs to F36
  * fix staticcheck linter warning for deprecated function
  * Fix docs build on FreeBSD
  * copier.unwrapError(): update for Go 1.16
  * copier.PutOptions: add StripSetuidBit/StripSetgidBit/StripStickyBit
  * copier.Put(): write to read-only directories
  * Ed's periodic test cleanup
  * using consistent lowercase 'invalid' word in returned err msg
  * use etchosts package from c/common
  * run: set actual hostname in /etc/hostname to match docker parity
  * Update vendor of containers/(common,storage,image)
  * manifest-create: allow creating manifest list from local image
  * Update vendor of storage,common,image
  * Initialize network backend before first pull
  * oci spec: change special mount points for namespaces
  * tests/helpers.bash: assert handle corner cases correctly
  * buildah: actually use containers.conf settings
  * integration tests: learn to start a dummy registry
  * Fix error check to work on Podman
  * buildah build should accept at most one arg
  * tests: reduce concurrency for flaky bud-multiple-platform-no-run
  * vendor in latest containers/common,image,storage
  * manifest-add: allow override arch,variant while adding image
  * Remove a stray `\` from .containerenv
  * Vendor in latest opencontainers/selinux v1.10.1
  * build, commit: allow removing default identity labels
  * Create shorter names for containers based on image IDs
  * test: skip rootless on cgroupv2 in root env
  * fix hang when oci runtime fails
  * Set permissions for GitHub actions
  * copier test: use correct UID/GID in test archives
  * run: set parent-death signals and forward SIGHUP/SIGINT/SIGTERM

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3773-1
Released: Wed Oct 26 12:19:29 2022
Summary: Security update for curl
Type: security
Severity: important
References: 1204383,CVE-2022-32221

This update for curl fixes the following issues:

- CVE-2022-32221: Fixed POST following PUT confusion (bsc#1204383).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3776-1
Released: Wed Oct 26 14:06:43 2022
Summary: Recommended update for permissions
Type: recommended
Severity: important
References: 1203911,1204137

This update for permissions fixes the following issues:

- Revert changes that replaced ping capabilities with ICMP_PROTO sockets. Older SUSE Linux Enterprise versions don't properly support ICMP_PROTO sockets feature yet (bsc#1204137)
- Fix regression introduced by backport of security fix (bsc#1203911)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3871-1
Released: Fri Nov 4 13:26:29 2022
Summary: Security update for libxml2
Type: security
Severity: important
References: 1201978,1204366,1204367,CVE-2016-3709,CVE-2022-40303,CVE-2022-40304

This update for libxml2 fixes the following issues:

- CVE-2016-3709: Fixed possible XSS vulnerability (bsc#1201978).
- CVE-2022-40303: Fixed integer overflows with XML_PARSE_HUGE (bsc#1204366).
- CVE-2022-40304: Fixed dict corruption caused by entity reference cycles (bsc#1204367).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3901-1
Released: Tue Nov 8 10:50:06 2022
Summary: Recommended update for openssl-1_1
Type: recommended
Severity: moderate
References: 1180995,1203046

This update for openssl-1_1 fixes the following issues:

- Default to RFC7919 groups when generating ECDH parameters using 'genpkey' or 'dhparam' in FIPS mode (bsc#1180995)
- Fix memory leaks (bsc#1203046)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3910-1
Released: Tue Nov 8 13:05:04 2022
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References:

This update for pam fixes the following issue:

- Update pam_motd to the most current version. (PED-1712)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3922-1
Released: Wed Nov 9 09:03:33 2022
Summary: Security update for protobuf
Type: security
Severity: important
References: 1194530,1203681,1204256,CVE-2021-22569,CVE-2022-1941,CVE-2022-3171

This update for protobuf fixes the following issues:

- CVE-2021-22569: Fixed Denial of Service in protobuf-java in the parsing procedure for binary data (bsc#1194530).
- CVE-2022-1941: Fix a potential DoS issue in protobuf-cpp and protobuf-python (bsc#1203681)
- CVE-2022-3171: Fix a potential DoS issue when parsing with binary data in protobuf-java (bsc#1204256)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3961-1
Released: Mon Nov 14 07:33:50 2022
Summary: Recommended update for zlib
Type: recommended
Severity: important
References: 1203652

This update for zlib fixes the following issues:

- Fix updating strm.adler with inflate() if DFLTCC is used (bsc#1203652)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3973-1
Released: Mon Nov 14 15:38:25 2022
Summary: Recommended update for util-linux
Type: recommended
Severity: moderate
References: 1201959,1204211

This update for util-linux fixes the following issues:

- Fix file conflict during upgrade (bsc#1204211)
- libuuid improvements (bsc#1201959, PED-1150): libuuid: Fix range when parsing UUIDs. Improve cache handling for short running applications-increment the cache size over runtime. Implement continuous clock handling for time based UUIDs. Check clock value from clock file to provide seamless libuuid.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:4056-1
Released: Thu Nov 17 15:38:08 2022
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1204179,1204968,CVE-2022-3821

This update for systemd fixes the following issues:

- CVE-2022-3821: Fixed buffer overrun in format_timespan() function (bsc#1204968).
- Import commit 56bee38fd0da18dad5fc5c5d12c02238a22b50e2
  * 8a70235d8a core: Add trigger limit for path units
  * 93e544f3a0 core/mount: also add default before dependency for automount mount units
  * 5916a7748c logind: fix crash in logind on user-specified message string
- Document udev naming scheme (bsc#1204179).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:4066-1
Released: Fri Nov 18 10:43:00 2022
Summary: Recommended update for timezone
Type: recommended
Severity: important
References: 1177460,1202324,1204649,1205156

This update for timezone fixes the following issues:

Update timezone version from 2022a to 2022f (bsc#1177460, bsc#1204649, bsc#1205156):

- Mexico will no longer observe DST except near the US border
- Chihuahua moves to year-round -06 on 2022-10-30
- Fiji no longer observes DST
- In vanguard form, GMT is now a Zone and Etc/GMT a link
- zic now supports links to links, and vanguard form uses this
- Simplify four Ontario zones
- Fix a Y2438 bug when reading TZif data
- Enable 64-bit time_t on 32-bit glibc platforms
- Omit large-file support when no longer needed
- Jordan and Syria switch from +02/+03 with DST to year-round +03
- Palestine transitions are now Saturdays at 02:00
- Simplify three Ukraine zones into one
- Improve tzselect on intercontinental Zones
- Chile's DST is delayed by a week in September 2022 (bsc#1202324)
- Iran no longer observes DST after 2022
- Rename Europe/Kiev to Europe/Kyiv
- New `zic -R` command option
- Vanguard form now uses %z

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:4198-1
Released: Wed Nov 23 13:15:04 2022
Summary: Recommended update for rpm
Type: recommended
Severity: moderate
References: 1202750

This update for rpm fixes the following issues:

- Strip critical bit in signature subpackage parsing
- No longer deadlock DNF after pubkey import (bsc#1202750)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:4256-1
Released: Mon Nov 28 12:36:32 2022
Summary: Recommended update for gcc12
Type: recommended
Severity: moderate
References:

This update for gcc12 fixes the following issues:

This update ship the GCC 12 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 11 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP3 and SP4, and provided in the 'Development Tools' module.

The Go, D and Ada language compiler parts are available unsupported via the PackageHub repositories.

To use gcc12 compilers use:

- install 'gcc12' or 'gcc12-c++' or one of the other 'gcc12-COMPILER' frontend packages.
- override your Makefile to use CC=gcc12, CXX=g++12 and similar overrides for the other languages.

For a full changelog with all new GCC12 features, check out https://gcc.gnu.org/gcc-12/changes.html

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:4628-1
Released: Wed Dec 28 09:23:13 2022
Summary: Security update for sqlite3
Type: security
Severity: moderate
References: 1206337,CVE-2022-46908

This update for sqlite3 fixes the following issues:

- CVE-2022-46908: Properly implement the azProhibitedFunctions protection mechanism, when relying on --safe for execution of an untrusted CLI script (bsc#1206337).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:4630-1
Released: Wed Dec 28 09:25:18 2022
Summary: Security update for systemd
Type: security
Severity: important
References: 1200723,1203857,1204423,1205000,CVE-2022-4415

This update for systemd fixes the following issues:

- CVE-2022-4415: Fixed systemd-coredump that did not respect the fs.suid_dumpable kernel setting (bsc#1205000).

Bug fixes:

- Support by-path devlink for multipath nvme block devices (bsc#1200723).
- Set SYSTEMD_NSS_DYNAMIC_BYPASS=1 env var for dbus-daemon (bsc#1203857).
- Restrict cpu rule to x86_64, and also update the rule files to make use of the 'CONST{arch}' syntax (bsc#1204423).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:4633-1
Released: Wed Dec 28 09:32:15 2022
Summary: Security update for curl
Type: security
Severity: moderate
References: 1206309,CVE-2022-43552

This update for curl fixes the following issues:

- CVE-2022-43552: HTTP Proxy deny use-after-free (bsc#1206309).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:25-1
Released: Thu Jan 5 09:51:41 2023
Summary: Recommended update for timezone
Type: recommended
Severity: moderate
References: 1177460

This update for timezone fixes the following issues:

Version update from 2022f to 2022g (bsc#1177460):

- In the Mexican state of Chihuahua:
  * The border strip near the US will change to agree with nearby US locations on 2022-11-30.
  * The strip's western part, represented by Ciudad Juarez, switches from -06 all year to -07/-06 with US DST rules, like El Paso, TX.
  * The eastern part, represented by Ojinaga, will observe US DST next year, like Presidio, TX.
  * A new Zone America/Ciudad_Juarez splits from America/Ojinaga.
- Much of Greenland, represented by America/Nuuk, stops observing winter time after March 2023, so its daylight saving time becomes standard time.
- Changes for pre-1996 northern Canada
- Update to past DST transition in Colombia (1993), Singapore (1981)
- 'timegm' is now supported by default

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:48-1
Released: Mon Jan 9 10:37:54 2023
Summary: Recommended update for libtirpc
Type: recommended
Severity: moderate
References: 1199467

This update for libtirpc fixes the following issues:

- Consider /proc/sys/net/ipv4/ip_local_reserved_ports, before binding to a random port (bsc#1199467)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:56-1
Released: Mon Jan 9 11:13:43 2023
Summary: Security update for libksba
Type: security
Severity: moderate
References: 1206579,CVE-2022-47629

This update for libksba fixes the following issues:

- CVE-2022-47629: Fixed an integer overflow vulnerability in the CRL signature parser (bsc#1206579).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:157-1
Released: Thu Jan 26 15:54:43 2023
Summary: Recommended update for util-linux
Type: recommended
Severity: moderate
References: 1194038,1205646

This update for util-linux fixes the following issues:

- libuuid continuous clock handling for time based UUIDs: Prevent use of the new libuuid ABI by uuidd %post before update of libuuid1 (bsc#1205646).
- Use chown --quiet to prevent error message if /var/lib/libuuid/clock.txt does not exist.
- Fix tests not passing when '@' character is in build path: Fixes rpmbuild %checks fail when @ in the directory path (bsc#1194038).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:174-1
Released: Thu Jan 26 20:52:38 2023
Summary: Security update for glib2
Type: security
Severity: low
References: 1183533,CVE-2021-28153

This update for glib2 fixes the following issues:

- CVE-2021-28153: Fixed an issue where symlink targets would be incorrectly created as empty files (bsc#1183533).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:176-1
Released: Thu Jan 26 20:56:20 2023
Summary: Recommended update for permissions
Type: recommended
Severity: moderate
References: 1206738

This update for permissions fixes the following issues:

Update to version 20181225:

  * Backport postfix permissions to SLE 15 SP2 (bsc#1206738)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:181-1
Released: Thu Jan 26 21:55:43 2023
Summary: Recommended update for procps
Type: recommended
Severity: low
References: 1206412

This update for procps fixes the following issues:

- Improve memory handling/usage (bsc#1206412)
- Make sure that correct library version is installed (bsc#1206412)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:188-1
Released: Fri Jan 27 12:07:19 2023
Summary: Recommended update for zlib
Type: recommended
Severity: important
References: 1203652

This update for zlib fixes the following issues:

- Follow up fix for bug bsc#1203652 due to libxml2 issues

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:198-1
Released: Fri Jan 27 14:26:54 2023
Summary: Security update for krb5
Type: security
Severity: important
References: 1205126,CVE-2022-42898

This update for krb5 fixes the following issues:

- CVE-2022-42898: Fixed integer overflow in PAC parsing (bsc#1205126).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:310-1
Released: Tue Feb 7 17:35:34 2023
Summary: Security update for openssl-1_1
Type: security
Severity: important
References: 1121365,1198472,1207533,1207534,1207536,1207538,CVE-2022-4304,CVE-2022-4450,CVE-2023-0215,CVE-2023-0286

This update for openssl-1_1 fixes the following issues:

- CVE-2023-0286: Fixed X.400 address type confusion in X.509 GENERAL_NAME_cmp for x400Address (bsc#1207533).
- CVE-2023-0215: Fixed use-after-free following BIO_new_NDEF() (bsc#1207536).
- CVE-2022-4450: Fixed double free after calling PEM_read_bio_ex() (bsc#1207538).
- CVE-2022-4304: Fixed timing Oracle in RSA Decryption (bsc#1207534).
- FIPS: list only FIPS approved public key algorithms (bsc#1121365, bsc#1198472)

The following package changes have been done:

- krb5-1.19.2-150300.10.1 updated
- libblkid1-2.36.2-150300.4.32.1 updated
- libcurl4-7.66.0-150200.4.45.1 updated
- libfdisk1-2.36.2-150300.4.32.1 updated
- libgcc_s1-12.2.1+git416-150000.1.5.1 updated
- libglib-2_0-0-2.62.6-150200.3.10.1 updated
- libgpg-error0-1.42-150300.9.3.1 updated
- libksba8-1.3.5-150000.4.6.1 updated
- libmount1-2.36.2-150300.4.32.1 updated
- libopenssl1_1-hmac-1.1.1d-150200.11.57.1 updated
- libopenssl1_1-1.1.1d-150200.11.57.1 updated
- libprocps7-3.3.15-150000.7.28.1 updated
- libprotobuf-lite20-3.9.2-150200.4.19.2 updated
- libsmartcols1-2.36.2-150300.4.32.1 updated
- libsqlite3-0-3.39.3-150000.3.20.1 updated
- libstdc++6-12.2.1+git416-150000.1.5.1 updated
- libsystemd0-246.16-150300.7.57.1 updated
- libtirpc-netconfig-1.2.6-150300.3.17.1 updated
- libtirpc3-1.2.6-150300.3.17.1 updated
- libudev1-246.16-150300.7.57.1 updated
- libuuid1-2.36.2-150300.4.32.1 updated
- libxml2-2-2.9.7-150000.3.51.1 updated
- libz1-1.2.11-150000.3.39.1 updated
- openssl-1_1-1.1.1d-150200.11.57.1 updated
- pam-1.3.0-150000.6.61.1 updated
- permissions-20181225-150200.23.23.1 updated
- procps-3.3.15-150000.7.28.1 updated
- rpm-ndb-4.14.3-150300.52.1 updated
- timezone-2022g-150000.75.18.1 updated
- util-linux-2.36.2-150300.4.32.1 updated
- container:sles15-image-15.0.0-17.20.107 updated

Critical safety upgrade for SUSE container ses/7.1/csi-node-driver-registrar tackling multiple urgent vulnerabilities.

SUSE Container, Security Update, ses/7.1, csi-node-driver-registrar.

Severity: Important.

LinuxSecurity.com Team

Mar 01, 2023 Important SuSE

SUSE: 2022:2809-1 Important: Grafana Security Fix for SES/7.1

The container ses/7.1/ceph/grafana was updated. The following patches have been included in this update:. SUSE Container Update Advisory: ses/7.1/ceph/grafana ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2022:2809-1 Container Tags : ses/7.1/ceph/grafana:8.3.10 , ses/7.1/ceph/grafana:8.3.10.2.2.285 , ses/7.1/ceph/grafana:latest , ses/7.1/ceph/grafana:sle15.3.pacific Container Release : 2.2.285 Severity : important Type : security References : 1167864 1181961 1195726 1195727 1195728 1200501 1201535 1201539 1202812 1203911 1204137 1204383 CVE-2020-10696 CVE-2021-20206 CVE-2022-21702 CVE-2022-21703 CVE-2022-21713 CVE-2022-2990 CVE-2022-31097 CVE-2022-31107 CVE-2022-32221 ----------------------------------------------------------------- The container ses/7.1/ceph/grafana was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:3765-1 Released: Wed Oct 26 11:17:18 2022 Summary: Security update for grafana Type: security Severity: important References: 1195726,1195727,1195728,1201535,1201539,CVE-2022-21702,CVE-2022-21703,CVE-2022-21713,CVE-2022-31097,CVE-2022-31107 This update for grafana fixes the following issues: Updated to version 8.3.10 (jsc#SLE-24565, jsc#SLE-23422, jsc#SLE-23439): - CVE-2022-31097: Fixed XSS vulnerability in the Unified Alerting (bsc#1201535). - CVE-2022-31107: Fixed OAuth account takeover vulnerability (bsc#1201539). - CVE-2022-21702: Fixed XSS through attacker-controlled data source (bsc#1195726). - CVE-2022-21703: Fixed Cross Site Request Forgery (bsc#1195727). - CVE-2022-21713: Fixed Teams API IDOR (bsc#1195728). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:3766-1 Released: Wed Oct 26 11:38:01 2022 Summary: Securityupdate for buildah Type: security Severity: important References: 1167864,1181961,1202812,CVE-2020-10696,CVE-2021-20206,CVE-2022-2990 This update for buildah fixes the following issues: - CVE-2021-20206: Fixed an issue in libcni that could allow an attacker to execute arbitrary binaries on the host (bsc#1181961). - CVE-2020-10696: Fixed an issue that could lead to files being overwritten during the image building process (bsc#1167864). - CVE-2022-2990: Fixed possible information disclosure and modification / bsc#1202812 Buildah was updated to version 1.27.1: * run: add container gid to additional groups - Add fix for CVE-2022-2990 / bsc#1202812 Update to version 1.27.0: * Don't try to call runLabelStdioPipes if spec.Linux is not set * build: support filtering cache by duration using --cache-ttl * build: support building from commit when using git repo as build context * build: clean up git repos correctly when using subdirs* integration tests: quote '?' 
in shell scripts * test: manifest inspect should have OCIv1 annotation * vendor: bump to c/common@87fab4b7019a * Failure to determine a file or directory should print an error * refactor: remove unused CommitOptions from generateBuildOutput * stage_executor: generate output for cases with no commit * stage_executor, commit: output only if last stage in build * Use errors.Is() instead of os.Is{Not,}Exist * Minor test tweak for podman-remote compatibility * Cirrus: Use the latest imgts container * imagebuildah: complain about the right Dockerfile * tests: don't try to wrap `nil` errors * cmd/buildah.commitCmd: don't shadow 'err' * cmd/buildah.pullCmd: complain about DecryptConfig/EncryptConfig * Fix a copy/paste error message * Fix a typo in an error message * build,cache: support pulling/pushing cache layers to/from remote sources * Update vendor of containers/(common, storage, image) * Rename chroot/run.go to chroot/run_linux.go * Don't bother telling codespell to skip files that don't exist * Set user namespace defaults correctly for the library * imagebuildah: optimize cache hits for COPY and ADD instructions * Cirrus: Update VM images w/ updated bats * docs, run: show SELinux label flag for cache and bind mounts * imagebuildah, build: remove undefined concurrent writes * bump github.com/opencontainers/runtime-tools * Add FreeBSD support for 'buildah info' * Vendor in latest containers/(storage, common, image) * Add freebsd cross build targets * Make the jail package build on 32bit platforms * Cirrus: Ensure the build-push VM image is labeled * GHA: Fix dynamic script filename * Vendor in containers/(common, storage, image) * Run codespell * Remove import of github.com/pkg/errors * Avoid using cgo in pkg/jail * Rename footypes to fooTypes for naming consistency * Move cleanupTempVolumes and cleanupRunMounts to run_common.go * Make the various run mounts work for FreeBSD * Move get{Bind,Tmpfs,Secret,SSH}Mount to run_common.go * Move runSetupRunMounts to run_common.go 
* Move cleanableDestinationListFromMounts to run_common.go * Make setupMounts and runSetupBuiltinVolumes work on FreeBSD * Move setupMounts and runSetupBuiltinVolumes to run_common.go * Tidy up - runMakeStdioPipe can't be shared with linux * Move runAcceptTerminal to run_common.go * Move stdio copying utilities to run_common.go * Move runUsingRuntime and runCollectOutput to run_common.go * Move fileCloser, waitForSync and contains to run_common.go * Move checkAndOverrideIsolationOptions to run_common.go * Move DefaultNamespaceOptions to run_common.go * Move getNetworkInterface to run_common.go * Move configureEnvironment to run_common.go * Don't crash in configureUIDGID if Process.Capabilities is nil * Move configureUIDGID to run_common.go * Move runLookupPath to run_common.go * Move setupTerminal to run_common.go * Move etc file generation utilities to run_common.go * Add run support for FreeBSD * Add a simple FreeBSD jail library * Add FreeBSD support to pkg/chrootuser * Sync call signature for RunUsingChroot with chroot/run.go * test: verify feature to resolve basename with args * vendor: bump openshift/imagebuilder to master@4151e43 * GHA: Remove required reserved-name use * buildah: set XDG_RUNTIME_DIR before setting default runroot * imagebuildah: honor build output even if build container is not committed * chroot: honor DefaultErrnoRet * [CI:DOCS] improve pull-policy documentation * tests: retrofit test since --file does not supports dir * Switch to golang native error wrapping * BuildDockerfiles: error out if path to containerfile is a directory * define.downloadToDirectory: fail early if bad HTTP response * GHA: Allow re-use of Cirrus-Cron fail-mail workflow * add: fail on bad http response instead of writing to container * [CI:DOCS] Update buildahimage comment * lint: inspectable is never nil * vendor: c/common to common@7e1563b * build: support OCI hooks for ephemeral build containers * [CI:BUILD] Install latest buildah instead of compiling * Add subid 
support with BuildRequires and BUILDTAG [NO NEW TESTS NEEDED] * Make sure cpp is installed in buildah images * demo: use unshare for rootless invocations * buildah.spec.rpkg: initial addition * build: fix test for subid 4 * build, userns: add support for --userns=auto * Fix building upstream buildah image * Remove redundant buildahimages-are-sane validation * Docs: Update multi-arch buildah images readme * Cirrus: Migrate multiarch build off github actions * retrofit-tests: we skip unused stages so use stages * stage_executor: dont rely on stage while looking for additional-context * buildkit, multistage: skip computing unwanted stages * More test cleanup * copier: work around freebsd bug for 'mkdir /' * Replace $BUILDAH_BINARY with buildah() function * Fix up buildah images * Make util and copier build on FreeBSD * Vendor in latest github.com/sirupsen/logrus * Makefile: allow building without .git * run_unix: don't return an error from getNetworkInterface * run_unix: return a valid DefaultNamespaceOptions * Update vendor of containers/storage * chroot: use ActKillThread instead of ActKill * use resolvconf package from c/common/libnetwork * update c/common to latest main * copier: add `NoOverwriteNonDirDir` option * Sort buildoptions and move cli/build functions to internal * Fix TODO: de-spaghettify run mounts * Move options parsing out of build.go and into pkg/cli * [CI:DOCS] Tutorial 04 - Include Debian/Ubuntu deps * build, multiarch: support splitting build logs for --platform * [CI:BUILD] WIP Cleanup Image Dockerfiles * cli remove stutter * docker-parity: ignore sanity check if baseImage history is null * build, commit: allow disabling image history with --omit-history * Fix use generic/ambiguous DEBUG name * Cirrus: use Ubuntu 22.04 LTS * Fix codespell errors * Remove util.StringInSlice because it is defined in containers/common * buildah: add support for renaming a device in rootless setups * squash: never use build cache when computing last step of last stage 
* Update vendor of containers/(common, storage, image) * buildkit: supports additionalBuildContext in builds via --build-context * buildah source pull/push: show progress bar * run: allow reusing secret twice in different RUN steps * test helpers: default to being rootless-aware * Add --cpp-flag flag to buildah build * build: accept branch and subdirectory when context is git repo * Vendor in latest containers/common * vendor: update c/storage and c/image * Fix gentoo install docs * copier: move NSS load to new process * Add test for prevention of reusing encrypted layers * Make `buildah build --label foo` create an empty 'foo' label again Update to version 1.26.4: * build, multiarch: support splitting build logs for --platform * copier: add `NoOverwriteNonDirDir` option * docker-parity: ignore sanity check if baseImage history is null * build, commit: allow disabling image history with --omit-history * buildkit: supports additionalBuildContext in builds via --build-context * Add --cpp-flag flag to buildah build Update to version 1.26.3: * define.downloadToDirectory: fail early if bad HTTP response * add: fail on bad http response instead of writing to container * squash: never use build cache when computing last step of last stage * run: allow reusing secret twice in different RUN steps * integration tests: update expected error messages * integration tests: quote '?' in shell scripts * Use errors.Is() to check for storage errors * lint: inspectable is never nil * chroot: use ActKillThread instead of ActKill * chroot: honor DefaultErrnoRet * Set user namespace defaults correctly for the library * contrib/rpm/buildah.spec: fix `rpm` parser warnings Drop requires on apparmor pattern, should be moved elsewhere for systems which want AppArmor instead of SELinux. - Update BuildRequires to libassuan-devel >= 2.5.2, pkgconfig file is required to build. 
Update to version 1.26.2: * buildah: add support for renaming a device in rootless setups Update to version 1.26.1: * Make `buildah build --label foo` create an empty 'foo' label again * imagebuildah,build: move deepcopy of args before we spawn goroutine * Vendor in containers/storage v1.40.2 * buildah.BuilderOptions.DefaultEnv is ignored, so mark it as deprecated * help output: get more consistent about option usage text * Handle OS version and features flags * buildah build: --annotation and --label should remove values * buildah build: add a --env * buildah: deep copy options.Args before performing concurrent build/stage * test: inline platform and builtinargs behaviour * vendor: bump imagebuilder to master/009dbc6 * build: automatically set correct TARGETPLATFORM where expected * Vendor in containers/(common, storage, image) * imagebuildah, executor: process arg variables while populating baseMap * buildkit: add support for custom build output with --output * Cirrus: Update CI VMs to F36 * fix staticcheck linter warning for deprecated function * Fix docs build on FreeBSD * copier.unwrapError(): update for Go 1.16 * copier.PutOptions: add StripSetuidBit/StripSetgidBit/StripStickyBit * copier.Put(): write to read-only directories * Ed's periodic test cleanup * using consistent lowercase 'invalid' word in returned err msg * use etchosts package from c/common * run: set actual hostname in /etc/hostname to match docker parity * Update vendor of containers/(common,storage,image) * manifest-create: allow creating manifest list from local image * Update vendor of storage,common,image * Initialize network backend before first pull * oci spec: change special mount points for namespaces * tests/helpers.bash: assert handle corner cases correctly * buildah: actually use containers.conf settings * integration tests: learn to start a dummy registry * Fix error check to work on Podman * buildah build should accept at most one arg * tests: reduce concurrency for flaky 
bud-multiple-platform-no-run * vendor in latest containers/common,image,storage * manifest-add: allow override arch,variant while adding image * Remove a stray `\` from .containerenv * Vendor in latest opencontainers/selinux v1.10.1 * build, commit: allow removing default identity labels * Create shorter names for containers based on image IDs * test: skip rootless on cgroupv2 in root env * fix hang when oci runtime fails * Set permissions for GitHub actions * copier test: use correct UID/GID in test archives * run: set parent-death signals and forward SIGHUP/SIGINT/SIGTERM ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:3773-1 Released: Wed Oct 26 12:19:29 2022 Summary: Security update for curl Type: security Severity: important References: 1204383,CVE-2022-32221 This update for curl fixes the following issues: - CVE-2022-32221: Fixed POST following PUT confusion (bsc#1204383). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3776-1 Released: Wed Oct 26 14:06:43 2022 Summary: Recommended update for permissions Type: recommended Severity: important References: 1203911,1204137 This update for permissions fixes the following issues: - Revert changes that replaced ping capabilities with ICMP_PROTO sockets. 
Older SUSE Linux Enterprise versions don't properly support ICMP_PROTO sockets feature yet (bsc#1204137) - Fix regression introduced by backport of security fix (bsc#1203911) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3792-1 Released: Thu Oct 27 10:09:11 2022 Summary: Recommended update for grafana-piechart-panel Type: recommended Severity: moderate References: 1200501 This update for grafana-piechart-panel fixes the following issues: - Update grafana-piechart-panel to version 1.6.2 that is signed for use with Grafana v8.x (bsc#1200501) The following package changes have been done: - grafana-piechart-panel-1.6.2-150200.3.11.1 updated - grafana-8.3.10-150200.3.26.1 updated - libcurl4-7.66.0-150200.4.42.1 updated - libgpg-error0-1.42-150300.9.3.1 updated - permissions-20181225-150200.23.20.1 updated - container:sles15-image-15.0.0-17.20.59 updated. Security patch released for openSUSE Containers: ses/7.1/ceph/grafana tackling critical vulnerabilities and significant concerns. Severity: Important. LinuxSecurity.com Team

Nov 05, 2022 Important SuSE

SUSE: 2022:2699-1 Critical: csi-snapshotter Security Update

The container ses/7.1/cephcsi/csi-snapshotter was updated. The following patches have been included in this update: SUSE Container Update Advisory: ses/7.1/cephcsi/csi-snapshotter ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2022:2699-1 Container Tags : ses/7.1/cephcsi/csi-snapshotter:v5.0.1 , ses/7.1/cephcsi/csi-snapshotter:v5.0.1-rev1 , ses/7.1/cephcsi/csi-snapshotter:v5.0.1-rev1-build2.2.254 Container Release : 2.2.254 Severity : critical Type : security References : 1047178 1189282 1189802 1195773 1199140 1199492 1199895 1200993 1201092 1201576 1201638 1201680 1201783 1201942 1201972 1203018 1203649 1204357 CVE-2017-6512 CVE-2021-36690 CVE-2021-46828 CVE-2022-31252 CVE-2022-3515 CVE-2022-35737 ----------------------------------------------------------------- The container ses/7.1/cephcsi/csi-snapshotter was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3215-1 Released: Thu Sep 8 15:58:27 2022 Summary: Recommended update for rpm Type: recommended Severity: moderate References: This update for rpm fixes the following issues: - Support Ed25519 RPM signatures [jsc#SLE-24714] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3223-1 Released: Fri Sep 9 04:33:35 2022 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1199895,1200993,1201092,1201576,1201638 This update for libzypp, zypper fixes the following issues: libzypp: - Improve handling of package locks, allowing to reset the status of its initial state (bsc#1199895) - Fix issues when receiving exceptions from curl_easy_cleanup (bsc#1201092) - Don't auto-flag kernel-firmware as 'reboot-needed' (bsc#1200993) - Remove Medianetwork and its dependent code. First reason for this is that MediaNetwork was just meant as a way to test the new CURL based downloaded. 
Second the Provide API is going to completely replace the current media backend. zypper: - Truncate the 'Name' column when using `zypper lr`, if the table is wider than the terminal (bsc#1201638) - Reject install/remove modifier without argument (bsc#1201576) - zypper-download: Handle unresolvable arguments as errors - Put signing key supplying repository name in quotes ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3262-1 Released: Tue Sep 13 15:34:29 2022 Summary: Recommended update for gcc11 Type: recommended Severity: moderate References: 1199140 This update for gcc11 ships some missing 32bit libraries for s390x. (bsc#1199140) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:3271-1 Released: Wed Sep 14 06:45:39 2022 Summary: Security update for perl Type: security Severity: moderate References: 1047178,CVE-2017-6512 This update for perl fixes the following issues: - CVE-2017-6512: Fixed File::Path rmtree/remove_tree race condition (bsc#1047178). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3276-1 Released: Thu Sep 15 06:15:29 2022 Summary: This update fixes the following issues: Type: recommended Severity: moderate References: Implement ECO jsc#SLE-20950 to fix the channel configuration for libeconf-devel having L3 support (instead of unsupported). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3304-1 Released: Mon Sep 19 11:43:25 2022 Summary: Recommended update for libassuan Type: recommended Severity: moderate References: This update for libassuan fixes the following issues: - Add a timeout for writing to a SOCKS5 proxy - Add workaround for a problem with LD_LIBRARY_PATH on newer systems - Fix issue in the logging code - Fix some build trivialities - Upgrade autoconf ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:3305-1 Released: Mon Sep 19 11:45:57 2022 Summary: Security update for libtirpc Type: security Severity: important References: 1201680,CVE-2021-46828 This update for libtirpc fixes the following issues: - CVE-2021-46828: Fixed denial of service vulnerability with lots of connections (bsc#1201680). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:3307-1 Released: Mon Sep 19 13:26:51 2022 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1189802,1195773,1201783,CVE-2021-36690,CVE-2022-35737 This update for sqlite3 fixes the following issues: - CVE-2022-35737: Fixed an array-bounds overflow if billions of bytes are used in a string argument to a C API (bnc#1201783). - CVE-2021-36690: Fixed an issue with the SQLite Expert extension when a column has no collating sequence (bsc#1189802). - Package the Tcl bindings here again so that we only ship one copy of SQLite (bsc#1195773). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:3394-1 Released: Mon Sep 26 16:05:19 2022 Summary: Security update for permissions Type: security Severity: moderate References: 1203018,CVE-2022-31252 This update for permissions fixes the following issues: - CVE-2022-31252: Fixed chkstat group controlled paths (bsc#1203018). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3452-1 Released: Wed Sep 28 12:13:43 2022 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1201942 This update for glibc fixes the following issues: - Reversing calculation of __x86_shared_non_temporal_threshold (bsc#1201942) - powerpc: Optimized memcmp for power10 (jsc#PED-987) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3555-1 Released: Mon Oct 10 14:05:12 2022 Summary: Recommended update for aaa_base Type: recommended Severity: important References: 1199492 This update for aaa_base fixes the following issues: - The wrapper rootsh is not a restricted shell. (bsc#1199492) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3565-1 Released: Tue Oct 11 16:17:38 2022 Summary: Recommended update for libzypp, zypper Type: recommended Severity: critical References: 1189282,1201972,1203649 This update for libzypp, zypper fixes the following issues: libzypp: - Enable 'zck' support for SUSE Linux Enterprise 15 Service Pack 4 and newer (bsc#1189282) - Fix regression leading to `-allow-vendor-change` and `no-allow-vendor-change` options being ignored (bsc#1201972) - Remove migration code that is no longer needed (bsc#1203649) - Store logrotate files in vendor specific directory '/usr/etc/logrotate.d' if so defined zypper: - Fix contradiction in the man page: `--download-in-advance` option is the default behavior - Fix regression leading to `-allow-vendor-change` and `no-allow-vendor-change` options being ignored (bsc#1201972) - Fix tests to use locale 'C.UTF-8' rather than 'en_US' - Make sure 'up' respects solver related CLI options (bsc#1201972) - Remove unneeded code to compute the PPP status because it is now auto established - Store logrotate files in vendor specific directory '/usr/etc/logrotate.d' if so defined 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:3683-1 Released: Fri Oct 21 11:48:39 2022 Summary: Security update for libksba Type: security Severity: critical References: 1204357,CVE-2022-3515 This update for libksba fixes the following issues: - CVE-2022-3515: Fixed a possible overflow in the TLV parser (bsc#1204357). The following package changes have been done: - aaa_base-84.87+git20180409.04c9dae-150300.10.3.1 updated - glibc-2.31-150300.41.1 updated - libassuan0-2.5.5-150000.4.3.1 updated - libeconf0-0.4.4+git20220104.962774f-150300.3.8.1 updated - libgcc_s1-11.3.0+git1637-150000.1.11.2 updated - libksba8-1.3.5-150000.4.3.1 updated - libsqlite3-0-3.39.3-150000.3.17.1 updated - libstdc++6-11.3.0+git1637-150000.1.11.2 updated - libtirpc-netconfig-1.2.6-150300.3.14.1 updated - libtirpc3-1.2.6-150300.3.14.1 updated - libzypp-17.31.2-150200.45.1 updated - perl-base-5.26.1-150300.17.11.1 updated - permissions-20181225-150200.23.15.1 updated - rpm-ndb-4.14.3-150300.49.1 updated - zypper-1.14.57-150200.39.1 updated - container:sles15-image-15.0.0-17.20.53 updated. Important revision for ses/7.1/cephcsi/csi-snapshotter tackling vulnerabilities and featuring several enhancements. Severity: Critical. LinuxSecurity.com Team

Oct 26, 2022 Critical SuSE

SUSE: 2022:906-1 Important: ceph/keepalived Security Updates

The container ses/7.1/ceph/keepalived was updated. The following patches have been included in this update: SUSE Container Update Advisory: ses/7.1/ceph/keepalived ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2022:906-1 Container Tags : ses/7.1/ceph/keepalived:2.0.19 , ses/7.1/ceph/keepalived:2.0.19.3.5.1 , ses/7.1/ceph/keepalived:latest , ses/7.1/ceph/keepalived:sle15.3.pacific Container Release : 3.5.1 Severity : important Type : security References : 1121227 1121230 1122004 1122021 1183533 1184501 1191157 1191502 1193086 1193489 1194642 1194848 1194883 1195231 1195247 1195251 1195258 1195529 1195628 1195899 1195999 1196061 1196093 1196107 1196317 1196368 1196514 1196567 1196647 1196925 1196939 1196955 1197004 1197024 1197134 1197459 1198062 CVE-2018-20573 CVE-2018-20574 CVE-2018-25032 CVE-2019-6285 CVE-2019-6292 CVE-2021-22570 CVE-2021-28153 CVE-2022-1271 ----------------------------------------------------------------- The container ses/7.1/ceph/keepalived was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:1040-1 Released: Wed Mar 30 09:40:58 2022 Summary: Security update for protobuf Type: security Severity: moderate References: 1195258,CVE-2021-22570 This update for protobuf fixes the following issues: - CVE-2021-22570: Fix incorrect parsing of nullchar in the proto symbol (bsc#1195258). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1047-1 Released: Wed Mar 30 16:20:56 2022 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1196093,1197024 This update for pam fixes the following issues: - Define _pam_vendordir as the variable is needed by systemd and others. (bsc#1196093) - Between allocating the variable 'ai' and free'ing them, there are two 'return NO' were we don't free this variable. 
This patch inserts freaddrinfo() calls before the 'return NO;'s. (bsc#1197024) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:1061-1 Released: Wed Mar 30 18:27:06 2022 Summary: Security update for zlib Type: security Severity: important References: 1197459,CVE-2018-25032 This update for zlib fixes the following issues: - CVE-2018-25032: Fixed memory corruption on deflate (bsc#1197459). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:1073-1 Released: Fri Apr 1 11:45:01 2022 Summary: Security update for yaml-cpp Type: security Severity: moderate References: 1121227,1121230,1122004,1122021,CVE-2018-20573,CVE-2018-20574,CVE-2019-6285,CVE-2019-6292 This update for yaml-cpp fixes the following issues: - CVE-2018-20573: Fixed remote DOS via a crafted YAML file in function Scanner:EnsureTokensInQueue (bsc#1121227). - CVE-2018-20574: Fixed remote DOS via a crafted YAML file in function SingleDocParser:HandleFlowMap (bsc#1121230). - CVE-2019-6285: Fixed remote DOS via a crafted YAML file in function SingleDocParser::HandleFlowSequence (bsc#1122004). - CVE-2019-6292: Fixed DOS by stack consumption in singledocparser.cpp (bsc#1122021). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1099-1 Released: Mon Apr 4 12:53:05 2022 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1194883 This update for aaa_base fixes the following issues: - Set net.ipv4.ping_group_range to allow ICMP ping (bsc#1194883) - Include all fixes and changes for systemwide inputrc to remove the 8 bit escape sequence which interfere with UTF-8 multi byte characters as well as support the vi mode of readline library ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1107-1 Released: Mon Apr 4 17:49:17 2022 Summary: Recommended update for util-linux Type: recommended Severity: moderate References: 1194642 This update for util-linux fixes the following issue: - Improve throughput and reduce clock sequence increments for high load situation with time based version 1 uuids. (bsc#1194642) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:1157-1 Released: Tue Apr 12 13:26:19 2022 Summary: Security update for libsolv, libzypp, zypper Type: security Severity: important References: 1184501,1194848,1195999,1196061,1196317,1196368,1196514,1196925,1197134 This update for libsolv, libzypp, zypper fixes the following issues: Security relevant fix: - Harden package signature checks (bsc#1184501). 
libsolv update to 0.7.22: - reworked choice rule generation to cover more usecases - support SOLVABLE_PREREQ_IGNOREINST in the ordering code (bsc#1196514) - support parsing of Debian's Multi-Arch indicator - fix segfault on conflict resolution when using bindings - fix split provides not working if the update includes a forbidden vendor change - support strict repository priorities new solver flag: SOLVER_FLAG_STRICT_REPO_PRIORITY - support zstd compressed control files in debian packages - add an ifdef allowing to rename Solvable dependency members ('requires' is a keyword in C++20) - support setting/reading userdata in solv files new functions: repowriter_set_userdata, solv_read_userdata - support querying of the custom vendor check function new function: pool_get_custom_vendorcheck - support solv files with an idarray block - allow accessing the toolversion at runtime libzypp update to 17.30.0: - ZConfig: Update solver settings if target changes (bsc#1196368) - Fix possible hang in singletrans mode (bsc#1197134) - Do 2 retries if mount is still busy. - Fix package signature check (bsc#1184501) Pay attention that header and payload are secured by a valid signature and report more detailed which signature is missing. - Retry umount if device is busy (bsc#1196061, closes #381) A previously released ISO image may need a bit more time to release its loop device. So we wait a bit and retry. 
- Fix serializing/deserializing type mismatch in zypp-rpm protocol (bsc#1196925) - Fix handling of ISO media in releaseAll (bsc#1196061) - Hint on common ptf resolver conflicts (bsc#1194848) - Hint on ptf patch resolver conflicts (bsc#1194848) zypper update to 1.14.52: - info: print the packages upstream URL if available (fixes #426) - info: Fix SEGV with not installed PTFs (bsc#1196317) - Don't prevent less restrictive umasks (bsc#1195999) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:1158-1 Released: Tue Apr 12 14:44:43 2022 Summary: Security update for xz Type: security Severity: important References: 1198062,CVE-2022-1271 This update for xz fixes the following issues: - CVE-2022-1271: Fixed an incorrect escaping of malicious filenames (ZDI-CAN-16587). (bsc#1198062) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1170-1 Released: Tue Apr 12 18:20:07 2022 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1191502,1193086,1195247,1195529,1195899,1196567 This update for systemd fixes the following issues: - Fix the default target when it's been incorrectly set to one of the runlevel targets (bsc#1196567) - When migrating from sysvinit to systemd (it probably won't happen anymore), let's use the default systemd target, which is the graphical.target one. 
- Don't open /var journals in volatile mode when runtime_journal==NULL - udev: 60-persistent-storage-tape.rules: handle duplicate device ID (bsc#1195529) - man: tweak description of auto/noauto (bsc#1191502) - shared/install: ignore failures for auxiliary files - install: make UnitFileChangeType enum anonymous - shared/install: reduce scope of iterator variables - systemd-coredump: allow setting external core size to infinity (bsc#1195899 jsc#SLE-23867) - Update s390 udev rules conversion script to include the case when the legacy rule was also 41-* (bsc#1195247) - Drop or soften some of the deprecation warnings (bsc#1193086) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1179-1 Released: Wed Apr 13 15:47:16 2022 Summary: Recommended update for net-snmp Type: recommended Severity: moderate References: 1196955 This update for net-snmp fixes the following issues: - Decouple snmp-mibs from net-snmp version to allow major version upgrade (bsc#1196955). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1203-1 Released: Thu Apr 14 11:43:28 2022 Summary: Recommended update for lvm2 Type: recommended Severity: moderate References: 1195231 This update for lvm2 fixes the following issues: - udev: create symlinks and watch even in suspended state (bsc#1195231) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1281-1 Released: Wed Apr 20 12:26:38 2022 Summary: Recommended update for libtirpc Type: recommended Severity: moderate References: 1196647 This update for libtirpc fixes the following issues: - Add option to enforce connection via protocol version 2 first (bsc#1196647) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1302-1 Released: Fri Apr 22 10:04:46 2022 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1196939 This update for e2fsprogs fixes the following issues: - Add support for 'libreadline7' for Leap. (bsc#1196939) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1374-1 Released: Mon Apr 25 15:02:13 2022 Summary: Recommended update for openldap2 Type: recommended Severity: moderate References: 1191157,1197004 This update for openldap2 fixes the following issues: - allow specification of max/min TLS version with TLS1.3 (bsc#1191157) - libldap was able to be out of step with openldap in some cases which could cause incorrect installations and symbol resolution failures. openldap2 and libldap now are locked to their related release versions. 
(bsc#1197004) - restore CLDAP functionality in CLI tools (jsc#PM-3288) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1409-1 Released: Tue Apr 26 12:54:57 2022 Summary: Recommended update for gcc11 Type: recommended Severity: moderate References: 1195628,1196107 This update for gcc11 fixes the following issues: - Add a list of Obsoletes to libstdc++6-pp-gcc11 so updates from packages provided by older GCC work. Add a requires from that package to the corresponding libstc++6 package to keep those at the same version. [bsc#1196107] - Fixed memory corruption when creating dependences with the D language frontend. - Add gcc11-PIE, similar to gcc-PIE but affecting gcc11 [bsc#1195628] - Put libstdc++6-pp Requires on the shared library and drop to Recommends. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1438-1 Released: Wed Apr 27 15:27:19 2022 Summary: Recommended update for systemd-presets-common-SUSE Type: recommended Severity: low References: 1195251 This update for systemd-presets-common-SUSE fixes the following issue: - enable vgauthd service for VMWare by default (bsc#1195251) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1451-1 Released: Thu Apr 28 10:47:22 2022 Summary: Recommended update for perl Type: recommended Severity: moderate References: 1193489 This update for perl fixes the following issues: - Fix Socket::VERSION evaluation and stabilize Socket:VERSION comparisons (bsc#1193489) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:1455-1 Released: Thu Apr 28 11:31:51 2022 Summary: Security update for glib2 Type: security Severity: low References: 1183533,CVE-2021-28153 This update for glib2 fixes the following issues: - CVE-2021-28153: Fixed an issue where symlink targets would be incorrectly created as empty files (bsc#1183533). 
The following package changes have been done: - aaa_base-84.87+git20180409.04c9dae-3.57.1 updated - libblkid1-2.36.2-150300.4.20.1 updated - libcom_err2-1.43.8-150000.4.29.1 updated - libdevmapper1_03-1.02.163-8.42.1 updated - libfdisk1-2.36.2-150300.4.20.1 updated - libgcc_s1-11.2.1+git610-150000.1.6.6 updated - libglib-2_0-0-2.62.6-150200.3.9.1 updated - libldap-2_4-2-2.4.46-150200.14.5.1 updated - libldap-data-2.4.46-150200.14.5.1 updated - liblzma5-5.2.3-150000.4.7.1 updated - libmount1-2.36.2-150300.4.20.1 updated - libprotobuf-lite20-3.9.2-4.12.1 updated - libsmartcols1-2.36.2-150300.4.20.1 updated - libsnmp30-5.7.3-10.12.1 updated - libsolv-tools-0.7.22-150200.12.1 updated - libstdc++6-11.2.1+git610-150000.1.6.6 updated - libsystemd0-246.16-150300.7.42.1 updated - libtirpc-netconfig-1.2.6-150300.3.3.1 updated - libtirpc3-1.2.6-150300.3.3.1 updated - libudev1-246.16-150300.7.42.1 updated - libuuid1-2.36.2-150300.4.20.1 updated - libyaml-cpp0_6-0.6.1-4.5.1 updated - libz1-1.2.11-150000.3.30.1 updated - libzypp-17.30.0-150200.36.1 updated - pam-1.3.0-150000.6.55.3 updated - perl-base-5.26.1-150300.17.3.1 updated - perl-5.26.1-150300.17.3.1 updated - snmp-mibs-5.7.3-10.12.1 updated - systemd-presets-common-SUSE-15-150100.8.12.1 updated - systemd-246.16-150300.7.42.1 updated - udev-246.16-150300.7.42.1 updated - util-linux-2.36.2-150300.4.20.1 updated - zypper-1.14.52-150200.30.2 updated - container:sles15-image-15.0.0-17.14.8 updated . SUSE enhances ses/7.1/ceph/keepalived with essential corrections and updates addressing multiple vulnerabilities with differing levels of threat..SUSE Container Update, Ceph Security, Keepalived Patch. . Severity: Important. LinuxSecurity.com Team

May 06, 2022 Important SuSE

SUSE: 2022:53-2 Important: ses/7/cephcsi/csi-provisioner Security Patch

The container ses/7/cephcsi/csi-attacher was updated. The following patches have been included in this update:. SUSE Container Update Advisory: ses/7/cephcsi/csi-attacher ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2022:52-1 Container Tags : ses/7/cephcsi/csi-attacher:v3.3.0 , ses/7/cephcsi/csi-attacher:v3.3.0-rev1 , ses/7/cephcsi/csi-attacher:v3.3.0-rev1-build3.443 Container Release : 3.443 Severity : critical Type : security References : 1027496 1029961 1113013 1122417 1125886 1134353 1161276 1162581 1169614 1171962 1172973 1172974 1174504 1174504 1177127 1178236 1179416 1180064 1180125 1183085 1183543 1183545 1183632 1183659 1184614 1184994 1184994 1185016 1185299 1185524 1186489 1186503 1186602 1186910 1187153 1187224 1187270 1187273 1187425 1187466 1187512 1187654 1187670 1187738 1187760 1187911 1187993 1188018 1188063 1188063 1188156 1188217 1188218 1188219 1188220 1188291 1188344 1188435 1188548 1188571 1188623 1188713 1188921 1189031 1189206 1189465 1189465 1189480 1189520 1189521 1189521 1189534 1189554 1189683 1189803 1189929 1189996 1190052 1190059 1190199 1190234 1190325 1190356 1190373 1190374 1190440 1190465 1190645 1190712 1190739 1190793 1190815 1190915 1190933 1190984 1191252 1191286 1191324 1191370 1191563 1191609 1191736 1191987 1192161 1192248 1192337 1192436 1192489 1192688 1192717 1193480 1193481 1193521 1193711 CVE-2016-10228 CVE-2019-20838 CVE-2020-14155 CVE-2020-29361 CVE-2021-20266 CVE-2021-20271 CVE-2021-22922 CVE-2021-22923 CVE-2021-22924 CVE-2021-22925 CVE-2021-22946 CVE-2021-22947 CVE-2021-33574 CVE-2021-33910 CVE-2021-33910 CVE-2021-3421 CVE-2021-35942 CVE-2021-36222 CVE-2021-3711 CVE-2021-3712 CVE-2021-3712 CVE-2021-37600 CVE-2021-37750 CVE-2021-38185 CVE-2021-38185 CVE-2021-39537 CVE-2021-43618 ----------------------------------------------------------------- The container ses/7/cephcsi/csi-attacher was updated. 
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2020:3026-1
Released: Fri Oct 23 15:35:49 2020
Summary: Optional update for the Public Cloud Module
Type: optional
Severity: moderate
References:

This update adds the Google Cloud Storage packages to the Public Cloud module (jsc#ECO-2398).

The following packages were included:

- python3-grpcio
- python3-protobuf
- python3-google-api-core
- python3-google-cloud-core
- python3-google-cloud-storage
- python3-google-resumable-media
- python3-googleapis-common-protos
- python3-grpcio-gcp
- python3-mock (updated to version 3.0.5)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:294-1
Released: Wed Feb 3 12:54:28 2021
Summary: Recommended update for libprotobuf
Type: recommended
Severity: moderate
References:

libprotobuf was updated to fix:

- ship the libprotobuf-lite15 on the basesystem module and the INSTALLER channel. (jsc#ECO-2911)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:656-1
Released: Mon Mar 1 09:34:21 2021
Summary: Recommended update for protobuf
Type: recommended
Severity: moderate
References: 1177127

This update for protobuf fixes the following issues:

- Add missing dependency of python subpackages on python-six. (bsc#1177127)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2404-1
Released: Tue Jul 20 14:21:30 2021
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1184994,1188063,CVE-2021-33910

This update for systemd fixes the following issues:

- CVE-2021-33910: Fixed a denial of service in systemd via unit_name_path_escape() (bsc#1188063)
- Skip udev rules if 'elevator=' is used (bsc#1184994)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2439-1
Released: Wed Jul 21 13:46:48 2021
Summary: Security update for curl
Type: security
Severity: moderate
References: 1188217,1188218,1188219,1188220,CVE-2021-22922,CVE-2021-22923,CVE-2021-22924,CVE-2021-22925

This update for curl fixes the following issues:

- CVE-2021-22925: TELNET stack contents disclosure again. (bsc#1188220)
- CVE-2021-22924: Bad connection reuse due to flawed path name checks. (bsc#1188219)
- CVE-2021-22923: Insufficiently Protected Credentials. (bsc#1188218)
- CVE-2021-22922: Wrong content via metalink not discarded. (bsc#1188217)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2689-1
Released: Mon Aug 16 10:54:52 2021
Summary: Security update for cpio
Type: security
Severity: important
References: 1189206,CVE-2021-38185

This update for cpio fixes the following issues:

It was possible to trigger remote code execution due to an integer overflow (CVE-2021-38185, bsc#1189206)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2763-1
Released: Tue Aug 17 17:16:22 2021
Summary: Recommended update for cpio
Type: recommended
Severity: critical
References: 1189465

This update for cpio fixes the following issues:

- A regression in last update would cause builds to hang on various architectures (bsc#1189465)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2780-1
Released: Thu Aug 19 16:09:15 2021
Summary: Recommended update for cpio
Type: recommended
Severity: critical
References: 1189465,CVE-2021-38185

This update for cpio fixes the following issues:

- A regression in the previous update could lead to crashes (bsc#1189465)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2800-1
Released: Fri Aug 20 10:43:04 2021
Summary: Security update for krb5
Type: security
Severity: important
References: 1188571,CVE-2021-36222

This update for krb5 fixes the following issues:

- CVE-2021-36222: Fixed KDC null deref on bad encrypted challenge. (bsc#1188571)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2830-1
Released: Tue Aug 24 16:20:18 2021
Summary: Security update for openssl-1_1
Type: security
Severity: important
References: 1189520,1189521,CVE-2021-3711,CVE-2021-3712

This update for openssl-1_1 fixes the following security issues:

- CVE-2021-3711: A bug in the implementation of the SM2 decryption code could lead to buffer overflows. [bsc#1189520]
- CVE-2021-3712: a bug in the code for printing certificate details could lead to a buffer overrun that a malicious actor could exploit to crash the application, causing a denial-of-service attack. [bsc#1189521]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2938-1
Released: Fri Sep 3 09:19:36 2021
Summary: Recommended update for openldap2
Type: recommended
Severity: moderate
References: 1184614

This update for openldap2 fixes the following issue:

- openldap2-contrib is shipped to the Legacy Module. (bsc#1184614)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2966-1
Released: Tue Sep 7 09:49:14 2021
Summary: Security update for openssl-1_1
Type: security
Severity: low
References: 1189521,CVE-2021-3712

This update for openssl-1_1 fixes the following issues:

- CVE-2021-3712: This is an update for the incomplete fix for CVE-2021-3712. Read buffer overruns processing ASN.1 strings (bsc#1189521).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3001-1
Released: Thu Sep 9 15:08:13 2021
Summary: Recommended update for netcfg
Type: recommended
Severity: moderate
References: 1189683

This update for netcfg fixes the following issues:

- add submissions port/protocol to services file for message submission over TLS protocol [bsc#1189683]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3030-1
Released: Tue Sep 14 09:27:45 2021
Summary: Recommended update for patterns-base
Type: recommended
Severity: moderate
References: 1189534,1189554

This update of patterns-base fixes the following issue:

- The fips pattern should also install 'openssh-fips' if 'openssh' is installed (bsc#1189554 bsc#1189534)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3182-1
Released: Tue Sep 21 17:04:26 2021
Summary: Recommended update for file
Type: recommended
Severity: moderate
References: 1189996

This update for file fixes the following issues:

- Fixes exception thrown by memory allocation problem (bsc#1189996)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3298-1
Released: Wed Oct 6 16:54:52 2021
Summary: Security update for curl
Type: security
Severity: moderate
References: 1190373,1190374,CVE-2021-22946,CVE-2021-22947

This update for curl fixes the following issues:

- CVE-2021-22947: Fixed STARTTLS protocol injection via MITM (bsc#1190374).
- CVE-2021-22946: Fixed protocol downgrade required TLS bypassed (bsc#1190373).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3348-1
Released: Tue Oct 12 13:08:06 2021
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1134353,1171962,1184994,1188018,1188063,1188291,1188713,1189480,1190234,CVE-2021-33910

This update for systemd fixes the following issues:

- CVE-2021-33910: Fixed use of strdupa() on a path (bsc#1188063).
- logind: terminate cleanly on SIGTERM/SIGINT (bsc#1188018).
- Adopting BFQ to control I/O (jsc#SLE-21032, bsc#1134353).
- Rules weren't applied to dm devices (multipath) (bsc#1188713).
- Ignore obsolete 'elevator' kernel parameter (bsc#1184994, bsc#1190234).
- Make sure the versions of both udev and systemd packages are always the same (bsc#1189480).
- Avoid error message when udev is updated due to udev being already active when the sockets are started again (bsc#1188291).
- Allow the systemd sysusers config files to be overridden during system installation (bsc#1171962).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3385-1
Released: Tue Oct 12 15:54:31 2021
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1186489,1187911,CVE-2021-33574,CVE-2021-35942

This update for glibc fixes the following issues:

- CVE-2021-35942: wordexp: handle overflow in positional parameter number (bsc#1187911)
- CVE-2021-33574: Use __pthread_attr_copy in mq_notify (bsc#1186489)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3444-1
Released: Fri Oct 15 09:03:07 2021
Summary: Security update for rpm
Type: security
Severity: important
References: 1179416,1183543,1183545,1183632,1183659,1185299,1187670,1188548,CVE-2021-20266,CVE-2021-20271,CVE-2021-3421

This update for rpm fixes the following issues:

Security issues fixed:

- CVE-2021-3421, CVE-2021-20271, CVE-2021-20266: Multiple header check improvements (bsc#1183543, bsc#1183545, bsc#1183632)
- PGP hardening changes (bsc#1185299)
- Fixed potential access of freed mem in ndb's glue code (bsc#1179416)

Maintenance issues fixed:

- Fixed zstd detection (bsc#1187670)
- Added ndb rofs support (bsc#1188548)
- Fixed deadlock when multiple rpm processes try to acquire the database lock (bsc#1183659)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3454-1
Released: Mon Oct 18 09:29:26 2021
Summary: Security update for krb5
Type: security
Severity: moderate
References: 1189929,CVE-2021-37750

This update for krb5 fixes the following issues:

- CVE-2021-37750: Fixed KDC null pointer dereference via a FAST inner body that lacks a server field (bsc#1189929).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3480-1
Released: Wed Oct 20 11:24:10 2021
Summary: Recommended update for yast2-network
Type: recommended
Severity: moderate
References: 1185016,1185524,1186910,1187270,1187512,1188344,1190645,1190739,1190915,1190933

This update for yast2-network fixes the following issues:

- Don't crash when the interfaces table contains a not configured one (bnc#1190645, bsc#1190915).
- Fix the shown description using the interface friendly name when it is empty (bsc#1190933).
- Consider aliases sections as case insensitive (bsc#1190739).
- Display user defined device name in the devices overview (bnc#1190645).
- Don't crash when defined aliases in AutoYaST profile are not defined as a map (bsc#1188344).
- Support 'boot' and 'on' as aliases for the 'auto' startmode (bsc#1186910).
- Fix desktop file so the control center tooltip is translated (bsc#1187270).
- Use the linuxrc proxy settings for the HTTPS and FTP proxies (bsc#1185016).
- Don't crash at the end of installation when storing wifi configuration for NetworkManager (bsc#1185524, bsc#1187512).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3490-1
Released: Wed Oct 20 16:31:55 2021
Summary: Security update for ncurses
Type: security
Severity: moderate
References: 1190793,CVE-2021-39537

This update for ncurses fixes the following issues:

- CVE-2021-39537: Fixed a heap-based buffer overflow in _nc_captoinfo (bsc#1190793).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3494-1
Released: Wed Oct 20 16:48:46 2021
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1190052

This update for pam fixes the following issues:

- Added pam_faillock to the set of available PAM modules. (jsc#SLE-20638)
- Added new file macros.pam on request of systemd. (bsc#1190052)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3501-1
Released: Fri Oct 22 10:42:46 2021
Summary: Recommended update for libzypp, zypper, libsolv, protobuf
Type: recommended
Severity: moderate
References: 1186503,1186602,1187224,1187425,1187466,1187738,1187760,1188156,1188435,1189031,1190059,1190199,1190465,1190712,1190815

This update for libzypp, zypper, libsolv and protobuf fixes the following issues:

- Choice rules: treat orphaned packages as newest (bsc#1190465)
- Avoid calling 'su' to detect a too restrictive sudo user umask (bsc#1186602)
- Do not check signatures and keys two times (redundant) (bsc#1190059)
- Rephrase vendor conflict message in case 2 packages are involved (bsc#1187760)
- Show key fpr from signature when signature check fails (bsc#1187224)
- Fix solver jobs for PTFs (bsc#1186503)
- Fix purge-kernels fails (bsc#1187738)
- Fix obs:// platform guessing for Leap (bsc#1187425)
- Make sure to keep states alive while transitioning. (bsc#1190199)
- Manpage: Improve description about patch updates (bsc#1187466)
- Manpage: Recommend the needs-rebooting command to test whether a system reboot is suggested.
- Fix kernel-*-livepatch removal in purge-kernels. (bsc#1190815)
- Fix crashes in logging code when shutting down (bsc#1189031)
- Do not download full files even if the checkExistsOnly flag is set. (bsc#1190712)
- Add need reboot/restart hint to XML install summary (bsc#1188435)
- Prompt: choose exact match if prompt options are not prefix free (bsc#1188156)
- Include libprotobuf-lite20 in products to enable parallel downloads. (jsc#ECO-2911, jsc#SLE-16862)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3510-1
Released: Tue Oct 26 11:22:15 2021
Summary: Recommended update for pam
Type: recommended
Severity: important
References: 1191987

This update for pam fixes the following issues:

- Fixed a bad directive file which resulted in the 'securetty' file to be installed as 'macros.pam'. (bsc#1191987)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3523-1
Released: Tue Oct 26 15:40:13 2021
Summary: Security update for util-linux
Type: security
Severity: moderate
References: 1122417,1125886,1178236,1188921,CVE-2021-37600

This update for util-linux fixes the following issues:

Update to version 2.33.2 to provide seamless update from SLE12 SP5 to SLE15 SP2:

- CVE-2021-37600: Fixed an integer overflow which could lead to a buffer overflow in get_sem_elements() in sys-utils/ipcutils.c (bsc#1188921).
- agetty: Fix 8-bit processing in get_logname() (bsc#1125886).
- mount: Fix 'mount' output for net file systems (bsc#1122417).
- ipcs: Avoid overflows (bsc#1178236)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3529-1
Released: Wed Oct 27 09:23:32 2021
Summary: Security update for pcre
Type: security
Severity: moderate
References: 1172973,1172974,CVE-2019-20838,CVE-2020-14155

This update for pcre fixes the following issues:

Update pcre to version 8.45:

- CVE-2020-14155: Fixed integer overflow via a large number after a '(?C' substring (bsc#1172974).
- CVE-2019-20838: Fixed buffer over-read in JIT compiler (bsc#1172973)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3799-1
Released: Wed Nov 24 18:07:54 2021
Summary: Recommended update for gcc11
Type: recommended
Severity: moderate
References: 1187153,1187273,1188623

This update for gcc11 fixes the following issues:

The additional GNU compiler collection GCC 11 is provided:

To select these compilers install the packages:

- gcc11
- gcc-c++11
- and others with 11 prefix.

To select them for building:

- CC='gcc-11'
- CXX='g++-11'

The compiler base libraries (libgcc_s1, libstdc++6 and others) are being replaced by the GCC 11 variants.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3809-1
Released: Fri Nov 26 00:31:59 2021
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1189803,1190325,1190440,1190984,1191252,1192161

This update for systemd fixes the following issues:

- Add timestamp to D-Bus events to improve traceability (jsc#SLE-21862, jsc#SLE-18102, jsc#SLE-18103)
- Fix IO scheduler udev rules to address performance issues (jsc#SLE-21032, bsc#1192161)
- shutdown: Reduce log level of unmounts (bsc#1191252)
- pid1: make use of new 'prohibit_ipc' logging flag in PID 1 (bsc#1189803)
- core: rework how we connect to the bus (bsc#1190325)
- mount-util: fix fd_is_mount_point() when both the parent and directory are network fs (bsc#1190984)
- virt: detect Amazon EC2 Nitro instance (bsc#1190440)
- Several fixes for umount
- busctl: use usec granularity for the timestamp printed by the busctl monitor command
- fix uninitialized fields in MountPoint in dm_list_get()
- shutdown: explicitly set a log target
- mount-util: add mount_option_mangle()
- dissect: automatically mark partitions read-only that have a read-only file system
- build-sys: require proper libmount version
- systemd-shutdown: use log_set_prohibit_ipc(true)
- rationalize interface for opening/closing logging
- pid1: when we can't log to journal, remember our fallback log target
- log: remove LOG_TARGET_SAFE pseudo log target
- log: add brief comment for log_set_open_when_needed() and log_set_always_reopen_console()
- log: add new 'prohibit_ipc' flag to logging system
- log: make log_set_upgrade_syslog_to_journal() take effect immediately
- dbus: split up bus_done() into separate functions
- machine-id-setup: generate machine-id from DMI product ID on Amazon EC2
- virt: if we detect Xen by DMI, trust that over CPUID

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3830-1
Released: Wed Dec 1 13:45:46 2021
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1027496,1183085,CVE-2016-10228

This update for glibc fixes the following issues:

- libio: do not attempt to free wide buffers of legacy streams (bsc#1183085)
- CVE-2016-10228: Rewrite iconv option parsing to fix security issue (bsc#1027496)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3870-1
Released: Thu Dec 2 07:11:50 2021
Summary: Recommended update for libzypp, zypper
Type: recommended
Severity: moderate
References: 1190356,1191286,1191324,1191370,1191609,1192337,1192436

This update for libzypp, zypper fixes the following issues:

libzypp:

- Check log writer before accessing it (bsc#1192337)
- Zypper should keep cached files if transaction is aborted (bsc#1190356)
- Require a minimum number of mirrors for multicurl (bsc#1191609)
- Fixed slowdowns when rlimit is too high by using procfs to detect number of open file descriptors (bsc#1191324)
- Fixed zypper incomplete messages when using non English localization (bsc#1191370)
- RepoManager: Don't probe for plaindir repository if the URL schema is a plugin (bsc#1191286)
- Disable logger in the child process after fork (bsc#1192436)

zypper:

- Fixed Zypper removing a kernel explicitly pinned that uses uname -r output format as name (openSUSE/zypper#418)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3872-1
Released: Thu Dec 2 07:25:55 2021
Summary: Recommended update for cracklib
Type: recommended
Severity: moderate
References: 1191736

This update for cracklib fixes the following issues:

- Enable build time tests (bsc#1191736)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3891-1
Released: Fri Dec 3 10:21:49 2021
Summary: Recommended update for keyutils
Type: recommended
Severity: moderate
References: 1029961,1113013,1187654

This update for keyutils fixes the following issues:

- Add /etc/keys/ and /usr/etc/keys/ directory (bsc#1187654)

keyutils was updated to 1.6.3 (jsc#SLE-20016):

  * Revert the change notifications that were using /dev/watch_queue.
  * Apply the change notifications that use pipe2(O_NOTIFICATION_PIPE).
  * Allow 'keyctl supports' to retrieve raw capability data.
  * Allow 'keyctl id' to turn a symbolic key ID into a numeric ID.
  * Allow 'keyctl new_session' to name the keyring.
  * Allow 'keyctl add/padd/etc.' to take hex-encoded data.
  * Add 'keyctl watch*' to expose kernel change notifications on keys.
  * Add caps for namespacing and notifications.
  * Set a default TTL on keys that upcall for name resolution.
  * Explicitly clear memory after it's held sensitive information.
  * Various manual page fixes.
  * Fix C++-related errors.
  * Add support for keyctl_move().
  * Add support for keyctl_capabilities().
  * Make key=val list optional for various public-key ops.
  * Fix system call signature for KEYCTL_PKEY_QUERY.
  * Fix 'keyctl pkey_query' argument passing.
  * Use keyctl_read_alloc() in dump_key_tree_aux().
  * Various manual page fixes.

Updated to 1.6:

  * Apply various specfile cleanups from Fedora.
  * request-key: Provide a command line option to suppress helper execution.
  * request-key: Find least-wildcard match rather than first match.
  * Remove the dependency on MIT Kerberos.
  * Fix some error messages
  * keyctl_dh_compute.3: Suggest /proc/crypto for list of available hashes.
  * Fix doc and comment typos.
  * Add public key ops for encrypt, decrypt, sign and verify (needs linux-4.20).
  * Add pkg-config support for finding libkeyutils.
  * upstream isn't offering PGP signatures for the source tarballs anymore

Updated to 1.5.11 (bsc#1113013)

  * Add keyring restriction support.
  * Add KDF support to the Diffie-Hellman function.
  * DNS: Add support for AFS config files and SRV records

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3899-1
Released: Fri Dec 3 11:27:41 2021
Summary: Security update for aaa_base
Type: security
Severity: moderate
References: 1162581,1174504,1191563,1192248

This update for aaa_base fixes the following issues:

- Allowed ping and ICMP commands without CAP_NET_RAW (bsc#1174504).
- Add $HOME/.local/bin to PATH, if it exists (bsc#1192248).
- Fixed get_kernel_version.c to work also for recent kernels on the s390/X platform (bsc#1191563).
- Support xz compressed kernel (bsc#1162581)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3946-1
Released: Mon Dec 6 14:57:42 2021
Summary: Security update for gmp
Type: security
Severity: moderate
References: 1192717,CVE-2021-43618

This update for gmp fixes the following issues:

- CVE-2021-43618: Fixed buffer overflow via crafted input in mpz/inp_raw.c (bsc#1192717).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:4139-1
Released: Tue Dec 21 17:02:44 2021
Summary: Recommended update for systemd
Type: recommended
Severity: critical
References: 1193481,1193521

This update for systemd fixes the following issues:

- Revert 'core: rework how we connect to the bus' (bsc#1193521 bsc#1193481)
- sleep-config: partitions can't be deleted, only files can
- shared/sleep-config: exclude zram devices from hibernation candidates

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:4145-1
Released: Wed Dec 22 05:27:48 2021
Summary: Recommended update for openssl-1_1
Type: recommended
Severity: moderate
References: 1161276

This update for openssl-1_1 fixes the following issues:

- Remove previously applied patch because it interferes with FIPS validation (bsc#1161276)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:4154-1
Released: Wed Dec 22 11:02:38 2021
Summary: Security update for p11-kit
Type: security
Severity: important
References: 1180064,1187993,CVE-2020-29361

This update for p11-kit fixes the following issues:

- CVE-2020-29361: Fixed multiple integer overflows in rpc code (bsc#1180064)
- Add support for CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER (bsc#1187993).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:4182-1
Released: Thu Dec 23 11:51:51 2021
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1192688

This update for zlib fixes the following issues:

- Fix hardware compression incorrect result on z15 hardware (bsc#1192688)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:4192-1
Released: Tue Dec 28 10:39:50 2021
Summary: Security update for permissions
Type: security
Severity: moderate
References: 1174504

This update for permissions fixes the following issues:

- Update to version 20181225:
  * drop ping capabilities in favor of ICMP_PROTO sockets (bsc#1174504)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:4-1
Released: Mon Jan 3 08:28:54 2022
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1193480

This update for libgcrypt fixes the following issues:

- Fix function gcry_mpi_sub_ui subtracting from negative value (bsc#1193480)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:93-1
Released: Tue Jan 18 05:11:58 2022
Summary: Recommended update for openssl-1_1
Type: recommended
Severity: important
References: 1192489

This update for openssl-1_1 fixes the following issues:

- Add RSA_get0_pss_params() accessor that is used by nodejs16 and provide openssl-has-RSA_get0_pss_params (bsc#1192489)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:94-1
Released: Tue Jan 18 05:13:24 2022
Summary: Recommended update for rpm
Type: recommended
Severity: important
References: 1180125,1193711

This update for rpm fixes the following issues:

- Add explicit requirement on python-rpm-macros (bsc#1180125, bsc#1193711)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:141-1
Released: Thu Jan 20 13:47:16 2022
Summary: Security update for permissions
Type: security
Severity: moderate
References: 1169614

This update for permissions fixes the following issues:

- Update to version 20181225: setuid bit for cockpit session binary (bsc#1169614).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:154-1
Released: Mon Jan 24 07:02:02 2022
Summary: Recommended update for ceph-csi, csi-external-attacher, csi-external-provisioner, csi-external-resizer, csi-external-snapshotter, csi-node-driver-registrar, rook
Type: recommended
Severity: moderate
References:

This update for ceph-csi, csi-external-attacher, csi-external-provisioner, csi-external-resizer, csi-external-snapshotter, csi-node-driver-registrar, rook fixes the following issues:

- Update to 3.4.0

Features:

Beta: Below features have been lifted from its Alpha support to Beta

  * Snapshot creation and deletion
  * Volume restore from snapshot
  * Volume clone support
  * Volume/PV Metrics of File Mode Volume
  * Volume/PV Metrics of Block Mode Volume

Alpha:

  * rbd-nbd volume mounter

Enhancement:

  * Restore RBD snapshot to a different Pool
  * Snapshot schedule support for RBD mirrored PVC
  * Mirroring support for thick PVC
  * Multi-Tenant support for vault encryption
  * AmazonMetadata KMS provider support
  * rbd-nbd volume healer support
  * Locking enhancement for improving POD deletion performance
  * Improvements in lock handling for snap and clone operations
  * Better thick provisioning support
  * Create CephFS subvolume with VolumeNamePrefix
  * CephFS Subvolume path addition in PV object
  * Consumption of go-ceph APIs for various CephFS controller and node operations.
* Resize of the RBD encrypted volume * Better error handling for GRPC * Golang profiling support for debugging * Updated Kubernetes sidecar versions to the latest release * Kubernetes dependency update to v1.21.2 * Create storageclass and secrets using helm charts CI/E2E * Expansion of RBD encrypted volumes * Update and addition of new static golang tools * Kubernetes v1.21 support * Unit tests for SecretsKMS * Test for Vault with ServiceAccount per Tenant * E2E for user secret based metadata encryption * Update rook.sh and Ceph cluster version in E2E * Added RBD test for testing sc, secret via helm * Update feature gates setting from minikube.sh * Add CephFS test for sc, secret via helm * Add e2e for static PVC without imageFeature parameter * Make use of snapshot v1 API and client sets in e2e tests * Validate thick-provisioned PVC-PVC cloning * Adding retry support for various e2e failure scenarios * Refactor KMS configuration and usage - Removed patch ceph-csi-locking.patch (got merged upstream) - Update to v3.3.0 * Feature * Add command line arguments to configure leader election options (#313, @RaunakShah) * Adds mappings for PV access modes to new CSI access modes: SINGLE_NODE_SINGLE_WRITER and SINGLE_NODE_MULTI_WRITER. (#308, @chrishenzie) * Updates Kubernetes dependencies to v1.22.0 (#321, @chrishenzie) [SIG Storage] * Bug or Regression * Fix a bug that the controller can panic crash when it receives DeletedFinalStateUnknown deletion event. 
(#304, @Jiawei0227) * Other (Cleanup or Flake) * Updates container-storage-interface dependency to v1.5.0 (#312, @chrishenzie) * Reuse the same gRPC CSI client for all CSI driver calls (#318, @yeya24) - Update to v3.2.1 - Get rid of vendoring - Update version of go to 1.16 - Update to v3.0.2 - Update version to 3.0.0 * Feature * Add command line arguments to configure leader election options (#643, @RaunakShah) * Adds mappings for PV access modes to new CSI access modes: SINGLE_NODE_SINGLE_WRITER and SINGLE_NODE_MULTI_WRITER. (#630, @chrishenzie) * The provisioner sidecar now has an argument called controller-publish-readonly which sets the value of CSI PV spec readonly field value based on the PVC access mode. If this flag is set to true and the PVC access mode only contains the ROX access mode, the controller automatically sets PersistentVolume.spec.CSIPersistentVolumeSource.readOnly field to true. (#469, @humblec) * Updates Kubernetes dependencies to v1.22.0 (#660, @chrishenzie) [SIG Storage] * Updates container-storage-interface dependency to v1.5.0 (#644, @chrishenzie) * Bug or Regression * Fix a bug that not being able to use block device mode when enable a storage capacity tracking mode. (#635, @bells17) * Fix a data race in cloning protection controller (#651, @tksm) * Fix capacity information updates when topology changes. Only affected central deployment and network attached storage, not deployment on each node. This broke in v2.2.0 as part of a bug fix for capacity informer handling. (#617, @bai3shuo4) * Fix env name from POD_NAMESPACE to NAMESPACE for capacity-ownerref-level option. (#636, @bells17) * Fixed reporting of metrics when a migratable CSI driver is used.
(#620, @jsafrane) * Newly provisioned CSI Migration enabled PV will have 'provisioned-by' annotation set to in-tree provisioner name instead of the CSI provisioner (#646, @wongma7) - Update version to 2.2.2 - Get rid of vendoring - Use go 1.16 for building - Update version to 2.0.4 - Update to version 1.3.0 * Other (Cleanup or Flake) * Updates Kubernetes dependencies to v1.22.0 (#165, @chrishenzie) [SIG Storage] * Updates container-storage-interface dependency to v1.5.0 (#156, @chrishenzie) * Feature * Adds mappings for PV access modes to new CSI access modes: SINGLE_NODE_SINGLE_WRITER and SINGLE_NODE_MULTI_WRITER. (#151, @chrishenzie) * leader-election-lease-duration, leader-election-renew-deadline and leader-election-retry-period were added to command line arguments to configure leader election options (#158, @RaunakShah) - Update to version 1.2.0 - Get rid of vendoring - Push go version to 1.16 - Update to version 1.0.1 - Update to version 4.2.0 * Feature * Snapshot APIs * The namespace of the referenced VolumeSnapshot is printed when printing a VolumeSnapshotContent. (#535, @tsmetana) * Snapshot Controller * retry-interval-start and retry-interval-max arguments are added to common-controller which controls retry interval of failed volume snapshot creation and deletion. These values set the ratelimiter for snapshot and content queues. (#530, @humblec) * Add command line arguments leader-election-lease-duration, leader-election-renew-deadline, and leader-election-retry-period to configure leader election options for the snapshot controller. (#575, @bertinatto) * Adds an operations_in_flight metric for determining the number of snapshot operations in progress. (#519, @ggriffiths) * Introduced 'SnapshotCreated' and 'SnapshotReady' events. (#540, @rexagod) * CSI Snapshotter Sidecar * retry-interval-start and retry-interval-max arguments are added to csi-snapshotter sidecar which controls retry interval of failed volume snapshot creation and deletion.
These values set the ratelimiter for volumesnapshotcontent queue. (#308, @humblec) * Add command line arguments leader-election-lease-duration, leader-election-renew-deadline, and leader-election-retry-period to configure leader election options for CSI snapshotter sidecar. (#538, @RaunakShah) * Bug or Regression * Snapshot Controller * Add process_start_time_seconds metric (#569, @saikat-royc) * Adds the leader election health check for the snapshot controller at /healthz/leader-election (#573, @ggriffiths) * Remove kube-system namespace verification during startup and instead list volumes across all namespaces (#515, @mauriciopoppe) * Other (Cleanup or Flake) * Updates Kubernetes dependencies to v1.22.0 (#570, @chrishenzie) [SIG Storage] * Updates csi-lib-utils dependency to v0.10.0 (#574, @chrishenzie) * Updates container-storage-interface dependency to v1.5.0 (#532, @chrishenzie) * Snapshot Validation Webhook * Changed the webhook image from distroless/base to distroless/static. (#550, @WanzenBug) - Update to version 4.1.1 - Get rid of vendoring - Update go-version to 1.16 - Update to version 3.0.2 - Update to version 2.3.0 * Dockerfile.Windows args changed to ADDON_IMAGE and BASE_IMAGE (#146, @mauriciopoppe) * Updates Kubernetes dependencies to v1.22.0 (#159, @chrishenzie) [SIG Storage] * Updates csi-lib-utils dependency to v0.10.0 (#160, @chrishenzie) * New running modes, the kubelet-registration-probe mode checks if node-driver-registrar kubelet plugin registration succeeded. (#152, @mauriciopoppe) * Updates container-storage-interface dependency to v1.5.0 (#151, @chrishenzie) - Update to version 2.2.0 * Updated runtime (Go 1.16) and dependencies (#136, @pohly) * Update image and tag names for Windows to have separate parameters for nanoserver and servercore (#111, @jingxu97) - Update to v1.7.7 Rook v1.7.7 is a patch release limited in scope and focusing on small feature additions and bug fixes to the Ceph operator.
* docs: Support ephemeral volumes with Ceph CSI RBD and CephFS driver (#9055, @humblec) * core: Allow downgrade of all daemons consistently (#9098, @travisn) * core: Reconcile once instead of multiple times after the cluster CR is edited (#9091, @leseb) * nfs: Add pool setting CR option (#9040, @leseb) * ceph: Trigger 'CephMonQuorumLost' alert when mon quorum is down (#9068, @aruniiird) * rgw: Updated livenessProbe and readinessProbe (#9080, @satoru-takeuchi) * mgr: Do not set the balancer mode on pacific (#9063, @leseb) * helm: Add appVersion property to the charts (#9051, @travisn) * rgw: Read tls secret hint for insecure tls (#9020, @leseb) * ceph: Ability to set labels on the crash collector (#9044, @leseb) * core: Treat cluster as not existing if the cleanup policy is set (#9041, @travisn) * docs: Document failover and failback scenarios for applications (#8411, @Yuggupta27) * ceph: Update endpoint with IP for external RGW server (#9010, @thotz) - Combined gomod.patch and gosum.patch to vendor.patch * Patching module-files to match the SUSE build env - Update to v1.7.6 Rook v1.7.6 is a patch release limited in scope and focusing on small feature additions and bug fixes to the Ceph operator.
* core: only merge stderr on error (#8995, @leseb) * nfs: remove RADOS options from CephNFS and use .nfs pool (#8501, @josephsawaya) * csi: fix comment for the provisioner and clusterID (#8990, @Madhu-1) * mon: Enable mon failover for the arbiter in stretch mode (#8984, @travisn) * monitoring: fixing the queries for alerts 'CephMgrIsAbsent' and 'CephMgrIsMissingReplicas' (#8985, @aruniiird) * osd: fix kms auto-detection when full TLS (#8867, @leseb) * csi: add affinity to csi version check job (#8965, @Rakshith-R) * pool: remove default value for pool compression (#8966, @leseb) * monitoring: handle empty ceph_version in ceph_mon_metadata to avoid raising misleading alert (#8947, @GowthamShanmugam) * nfs: remove RADOS options from CephNFS and use .nfs pool (#8501, @josephsawaya) * osd: print the c-v output when inventory command fails (#8971, @leseb) * helm: remove chart content not in common.yaml (#8884, @BlaineEXE) * rgw: replace period update --commit with function (#8911, @BlaineEXE) * rgw: fixing ClientID of log-collector for RGW instance (#8889, @parth-gr) * mon: run ceph commands to mon with timeout (#8939, @leseb) * osd: do not hide errors (#8933, @leseb) * rgw: use trace logs for RGW admin HTTP info (#8937, @BlaineEXE) - Update to v1.7.5 Rook v1.7.5 is a patch release limited in scope and focusing on small feature additions and bug fixes to the Ceph operator.
* Update csi sidecar references to the latest versions (#8820, @humblec) * No longer install the VolumeReplication CRDs from Rook (#8845, @travisn) * Initialize rbd block pool after creation (#8923, @Rakshith-R) * Close stdoutPipe for the discovery daemon (#8917, @subhamkrai) * Add documentation to recover a pod from a lost node (#8742, @subhamkrai) * Increasing the auto-resolvable alerts delay to 15m (#8896, @aruniiird) * Change CephAbsentMgr to use 'up' query (#8882, @aruniiird) * Adding 'namespace' field to the needed ceph queries (#8901, @aruniiird) * Update period if period does not exist (#8828, @BlaineEXE) * Do not fail on KMS keys deletion (#8868, @leseb) * Do not build all the multus args to remote exec cmd (#8860, @leseb) * Fix external script when passing monitoring list (#8807, @leseb) * Use insecure TLS for bucket health check (#8712, @leseb) * Add PVC privileges to the rook-ceph-purge-osd service account (#8833, @ashangit) * Fix the example of local PVC-based cluster (#8846, @satoru-takeuchi) * Add signal handling for log collector (#8806, @leseb) * Prometheus rules format changes (#8774, @aruniiird) * Add namespace to ceph node down query (#8793, @aruniiird) - Added gomod.patch and gosum.patch * Patching module-files to match the SUSE build env - Update to v1.7.4 Rook v1.7.4 is a patch release limited in scope and focusing on small feature additions and bug fixes to the Ceph operator. 
* Add missing error type check to exec (#8751, @BlaineEXE) * Raise minimum supported version of Ceph-CSI to v3.3.0 (#8803, @humblec) * Set the Ceph v16.2.6 release as the default version (#8743, @leseb) * Pass region to newS3agent() (#8766, @thotz) * Remove unnecessary CephFS provisioner permission (#8739, @Madhu-1) * Configurable csi provisioner replica count (#8801, @Madhu-1) * Allow setting the default storageclass for a filesystem in the helm chart (#8771, @kubealex) * Retry object health check if creation fails (#8708, @BlaineEXE) * Use the admin socket for the mgr liveness probe (#8721, @jmolmo) * Correct the CephFS mirroring documentation (#8732, @leseb) * Reconcile OSD PDBs if allowed disruption is 0 (#8698, @sp98) * Add peer spec migration to upgrade doc (#8435, @BlaineEXE) * Fix lvm osd db device check (#8267, @lyind) * Refactor documentation to simplify for the Ceph provider (#8693, @travisn) * Emphasize unit tests in the development guide (#8685, @BlaineEXE) - Update to v1.7.3 Rook Ceph v1.7.3 is a patch release limited in scope and focusing on small feature additions and bug fixes. * Cassandra and NFS have moved to their own repos. All improvements in this repo starting from this release will only be for the Ceph storage provider.
(#8619, @BlaineEXE) * Image list for offline installation can be found in images.txt (#8596, @subhamkrai) * Add networking.k8s.io/v1 Ingress chart compatibility (#8666, @hall) * Modify the log info when ok to continue fails (#8675, @subhamkrai) * Print the output on errors from ceph-volume (#8670, @leseb) * Add quota and capabilities configuration for CephObjectStore users (#8211, @thotz) * Fix pool deletion when uninstalling a multus cluster configuration (#8659, @leseb) * Use node externalIP if no internalIP defined (#8653, @JrCs) * Fix CephOSDCriticallyFull and CephOSDNearFull monitoring alert queries (#8668, @Muyan0828) * Fix CephMonQuorumAtRisk monitoring alert query (#8652, @anmolsachan) * Allow an even number of mons (#8636, @travisn) * Create a pod disruption budget for the Ceph mgr deployment when two mgrs are requested (#8593, @parth-gr) * Fix error message in UpdateNodeStatus (#8629, @hiroyaonoe) * Avoid multiple reconciles of ceph cluster due to the ipv4 default setting (#8638, @leseb) * Avoid duplicate ownerReferences (#8615, @YZ775) * Auto grow OSDs size on PVCs based on prometheus metrics (#8078, @parth-gr) * External cluster configuration script fixed for backward compatibility with python2 (#8623, @aruniiird) * Fix vault kv secret engine auto-detection (#8618, @leseb) * Add ClusterID and PoolID mappings between local and peer cluster (#8626, @sp98) * Set the filesystem status when mirroring is not enabled (#8609, @travisn) - Update to v1.7.2 Rook v1.7.2 is a patch release limited in scope and focusing on small feature additions and bug fixes.
* Ceph * Merge toleration for osd/prepareOSD pod if specified both places (#8566, @subhamkrai) * Fix panic when recreating the csidriver object (#8582, @Madhu-1) * Build with latest golang v1.16.7 (#8540, @BlaineEXE) * Do not check ok-to-stop when OSDs are in CLBO (#8583, @leseb) * Convert util.NewSet() to sets.NewString() (#8584, @parth-gr) * Add support for update() from lib-bucket-provisioner (#8514, @thotz) * Signal handling with context (#8441, @leseb) * Make storage device config nullable (#8552, @BlaineEXE) * Allow K8s version check on prerelease versions (#8561, @subhamkrai) * Add permissions to rook-ceph-mgr role for osd removal in rook orchestrator (#8568, @josephsawaya) * Use serviceAccountName as the key in ceph csi templates (#8546, @humblec) * Consolidate the calls to set mon config (#8590, @travisn) * NFS * Upgrade nfs-ganesha to 3.5 version (#8534, @kam1kaze) - Update to v1.7.1 Rook v1.7.1 is a patch release limited in scope and focusing on small feature additions and bug fixes. * Ceph * Update Ceph CSI version to v3.4.0 (#8425, @Madhu-1) * Add ability to specify the CA bundle for RGW (#8492, @degorenko) * Remove unused mon timeout cli flags (#8489, @leseb) * Add an option to enable/disable merge all placement (#8381, @subhamkrai) * Refuse to failover the arbiter mon on stretch clusters (#8520, @travisn) * Improve topology example of cluster on local pvc (#8491, @satoru-takeuchi) - Update to v1.7.0 v1.7.0 is a minor release with features primarily for the Ceph operator. K8s Version Support Kubernetes supported versions: 1.11 and newer. Upgrade Guides If you are running a previous Rook version, please see the corresponding storage provider upgrade guide: * Ceph Breaking Changes Ceph Clusters with multiple filesystems will need to update their Ceph version to Pacific.
The Operator configuration option ROOK_ALLOW_MULTIPLE_FILESYSTEMS has been removed in favor of simply verifying the Ceph version is at least Pacific where multiple filesystems are fully supported. Features Ceph * Official Ceph images are now being published to quay.io. To pick up the latest version of Ceph, the CephCluster spec field image must be updated to point to quay. See the example cluster. * Add support for creating Hybrid Storage Pools. * A hybrid storage pool creates a CRUSH rule for choosing the primary OSD for high performance devices (ssd, nvme, etc) and the remaining OSD for low performance devices (hdd). * See the design and Ceph docs for more details. * Add support for CephFS mirroring peer configuration. See the configuration for more details. * Add support for Kubernetes TLS secrets for referring TLS certs needed for the Ceph RGW server. * Stretch clusters are considered stable * Ceph v16.2.5 or greater is required for stretch clusters * The use of peer secret names in CephRBDMirror is deprecated. Please use CephBlockPool CR to configure peer secret names and import peers. See the mirroring section in the CephBlockPool spec for more details. * Add user data protection when deleting Rook-Ceph Custom Resources. See the design for detailed information. * A CephCluster will not be deleted if there are any other Rook-Ceph Custom resources referencing it with the assumption that they are using the underlying Ceph cluster. * A CephObjectStore will not be deleted if there is a bucket present. In addition to protection from deletion when users have data in the store, this implicitly protects these resources from being deleted when there is a referencing ObjectBucketClaim present.
Cassandra * CRDs converted from v1beta1 to v1 * Schema is generated from the internal types for more complete validation * Minimum K8s version for the v1 CRDs is K8s 1.16 NFS * CRDs converted from v1beta1 to v1 * Schema is generated from the internal types for more complete validation * Minimum K8s version for the v1 CRDs is K8s 1.16 - Update to v1.6.10 Rook v1.6.10 is a patch release limited in scope and focusing on small feature additions and bug fixes. * Ceph * Reconcile OSD PDB if allowed disruptions are 0 (#8698) * Merge tolerations for the OSDs if specified in both all and osd placement (#8630) * External cluster script compatibility with python2 (#8623) * Do not check ok-to-stop when OSDs are in CLBO (#8583) * Fix panic when recreating the csidriver object (#8582) - Update to v1.6.9 Rook v1.6.9 is a patch release limited in scope and focusing on small feature additions and bug fixes. * Ceph * Make storage device config nullable (#8552) * Build with latest golang v1.16.7 (#8540) * Refuse to failover the arbiter mon on stretch clusters (#8520) * Add an option to enable/disable merge all placement (#8381) * Update ancillary monitoring resources (#8406) * Updated mon health check goroutine for reconfiguring patch values (#8370) * Releases for v1.6 are now based on Github actions instead of Jenkins (#8525 #8564) - Update to v1.6.8 Rook v1.6.8 is a patch release limited in scope and focusing on small feature additions and bug fixes. * Ceph * Re-enable lvm mode for OSDs on disks.
See details to know if your OSDs are affected by unexpected partitions (#8319) * Update test to watch for v1 cronjob instead of v1beta1 (#8356) * Update PodDisruptionBudget from v1beta1 to v1 (#7977) * Add support for tls certs via k8s tls secrets for rgw (#8243) * Create correct ClusterRoleBinding for helm chart in namespace other than rook-ceph (#8344) * If two mgrs, ensure services are reconciled with the cluster (#8330) * Proxy rbd commands when multus is enabled (#8339) * Proxy ceph command when multus is configured (#8272) * Ensure OSD keyring exists at OSD pod start (#8155) * Add an example of a pvc-based ceph cluster on bare metal (#7969) * Mount /dev for the OSD daemon on lv-backed pvc (#8304) * Add ceph cluster context for lib bucket provisioning reconcile (#8310) * Create PDBs for all rgw and cephfs (#8301) * Always rehydrate the access and secret keys (#8286) * Fix PDB of RGW instances (#8274) * Ability to disable pool mirroring (#8215) * Fetch rgw port from the CephObjectStore the OBC (#8244) * Enable debug logging for adminops client log level is debug (#8208) * Update blockPoolChannel before starting the mirror monitoring (#8222) * Scaling down nfs deployment was failing (#8250) - removed update-tarball.sh (_service file will be used instead) - Update to v1.6.7 Rook v1.6.7 is a patch release limited in scope and focusing on small feature additions and bug fixes. * Ceph * Ignore atari partitions for OSDs when scanning disks. This is a partial fix for multiple OSDs being created unexpectedly per disk, causing OSD corruption.
See details to know if your OSDs are affected (#8195) * Update CSIDriver object from betav1 to v1 (#8029) * Retry cluster reconcile immediately after cancellation (#8237) * Avoid operator resource over-usage when configuring RGW pools and memory limits are applied (#8238) * Remove k8s.io/kubernetes as a code dependency (#7913) * Silence harmless errors if the operator is still initializing (#8227) * If MDS resource limits are not set, assign mds_cache_memory_limit = resource requests * 0.8 (#8180) * Do not require rgw instances spec for external clusters (#8219) * Add tls support to external rgw endpoint (#8092) * Stop overwriting shared livenessProbe when overridden (#8206) * Update cluster-on-pvc example for proper OSD scheduling (#8199) - Update to v1.6.6 Rook v1.6.6 is a patch release limited in scope and focusing on small feature additions and bug fixes. * Ceph * Update csi sidecar images to latest release (#8125) * Update csi node-driver-registrar to latest release (#8190) * Evict a mon if colocated with another mon (#8181) * Enable logging in legacy LVM OSD daemons (#8175) * Do not leak key encryption key to the log (#8173) * Read and validate CSI params in a goroutine (#8140) * Only require rgw-admin-ops user when an RGW endpoint is provided (#8164) * Avoid unnecessary OSD restarts when multus is configured (#8142) * Use cacert if no client cert/key are present for OSD encryption with Vault (#8157) * Mons in stretch cluster should be assigned to a node when using dataDirHostPath (#8147) * Support cronjob v1 for newer versions of K8s to avoid deprecated v1beta1 (#8114) * Initialise httpclient for bucketchecker and objectstoreuse (#8139) * Activate osd container should use correct host path for config (#8137) * Set device class for already present osd deployments (#8134) * No need for --force when creating filesystem (#8130) * Expose enableCSIHostNetwork correctly in the helm chart (#8074) * Add RBAC for mgr to create service monitor (#8118) * Update operator
internal controller runtime and k8s reference version (#8087) - Update to v1.6.5 Rook v1.6.5 is a patch release limited in scope and focusing on small feature additions and bug fixes. We are happy to announce the availability of a Helm chart to configure the CephCluster CR. Please try it out and share feedback! We would like to declare it stable in v1.7. * Ceph * Experimental Helm chart for CephClusters (#7778) * Disable insecure global id if no insecure clients are detected. If insecure clients are still required, see these instructions. (#7746) * Enable host networking by default in the CSI driver due to issues with client IO hangs when the driver restarts (#8102) * Add a disaster recovery guide for an accidentally deleted CephCluster CR (#8040) * Do not fail prepareOSD job if devices are not passed (#8098) * Ensure MDS and RGW are upgraded anytime the ceph image changes (#8060) * External cluster config enables v1 address type when enabling v2 (#8083) * Create object pools in parallel for faster object store reconcile (#8082) * Fix detection of delete event reconciliation (#8086) * Use RGW admin API for s3 user management (#7998) - Update to v1.6.4 Rook v1.6.4 is a patch release limited in scope and focusing on small feature additions and bug fixes.
* Ceph * Support for separate tolerations and affinities for rbd and cephfs CSI drivers (#8006) * Update ceph version to 15.2.13 (#8004) * External cluster upgrades fix for CRD schema (#8042) * Build with golang 1.16 instead of 1.15 (#7945) * Retry starting CSI drivers on initial failure (#8020) * During uninstall stop monitoring rbd mirroring before cleanup (#8031) * Update the backend path for RGW transit engine (#8008) * If reducing mon count only remove one extra mon per health check (#8011) * Parse radosgw-admin json properly for internal commands (#8000) * Expand OSD PVCs only if the underlying storage class allow expansion (#8001) * Allow the operator log level to be changed dynamically (#7976) * Pin experimental volume replication to release-v0.1 branch (#7985) * Remove '--site-name' arg when creating bootstrap peer token (#7986) * Do not configure external metric endpoint if not present (#7974) * Helm chart to allow multiple filesystems (#7930) * Rehydrate the bootstrap peer token secret on monitor changes (#7935) - Update to v1.6.3 Rook v1.6.3 is a patch release limited in scope and focusing on small feature additions and bug fixes. 
* Ceph * Ensure correct devices are started for OSDs after node restart (#7951) * Write reconcile results to events on the CephCluster CR (#7222) * Updated dashboard ingress example for networking v1 (#7933) * Remove obsolete gateway type setting in object store CRD (#7919) * Support specifying only public network or only cluster network or both (#7546) * Generate same operator deployment for OKD as OCP (#7898) * Ensure correct hostpath lock for OSD integrity (#7886) * Improve resilience of mon failover if operator is restarted during failover (#7884) * Disallow overriding the liveness probe handler function (#7889) * Actively update the service endpoint for external mgr (#7875) * Remove obsolete CSI statefulset template path vars from K8s 1.13 (#7877) * Create crash collector pods after mon secret created (#7867) * OSD controller only updates PDBs during node drains instead of any OSD down event (#7726) * Allow heap dump generation when logCollector sidecar is not running (#7847) * Add nullable to object gateway settings (#7857) - Update to v1.6.2 Rook v1.6.2 is a patch release limited in scope and focusing on small feature additions and bug fixes.
* Ceph * Set base Ceph operator image and example deployments to v16.2.2 (#7829) * Update snapshot APIs from v1beta1 to v1 (#7711) * Documentation for creating static PVs (#7782) * Allow setting primary-affinity for the OSD (#7807) * Remove unneeded debug log statements (#7526) * Preserve volume claim template annotations during upgrade (#7835) * Allow re-creating erasure coded pool with different settings (#7820) * Double mon failover timeout during a node drain (#7801) * Remove unused volumesource schema from CephCluster CRD (#7813) * Set the device class on raw mode osds (#7815) * External cluster schema fix to allow not setting mons (#7789) * Add phase to the CephFilesystem CRD (#7752) * Generate full schema for volumeClaimTemplates in the CephCluster CRD (#7631) * Automate upgrades for the MDS daemon to properly scale down and scale up (#7445) * Add Vault KMS support for object stores (#7385) * Ensure object store endpoint is initialized when creating an object user (#7633) * Support for OBC operations when RGW is configured with TLS (#7764) * Preserve the OSD topology affinity during upgrade for clusters on PVCs (#7759) * Unify timeouts for various Ceph commands (#7719) * Allow setting annotations on RGW service (#7598) * Expand PVC size of mon daemons if requested (#7715) - Update to v1.6.1 Rook v1.6.1 is a patch release limited in scope and focusing on small feature additions and bug fixes. 
* Ceph * Disable host networking by default in the CSI plugin with option to enable (#7356) * Fix the schema for erasure-coded pools so replication size is not required (#7662) * Improve node watcher for adding new OSDs (#7568) * Operator base image updated to v16.2.1 (#7713) * Deployment examples updated to Ceph v15.2.11 (#7733) * Update Ceph-CSI to v3.3.1 (#7724) * Allow any device class for the OSDs in a pool instead of restricting the schema (#7718) * Fix metadata OSDs for Ceph Pacific (#7703) * Allow setting the initial CRUSH weight for an OSD (#7472) * Fix object store health check in case SSL is enabled (#7331) * Upgrades now ensure latest config flags are set for MDS and RGW (#7681) * Suppress noisy RGW log entry for radosgw-admin commands (#7663) - Update to v1.6.0 * Major Themes v1.6.0 is a minor release with features primarily for the Ceph operator. * K8s Version Support Kubernetes supported versions: 1.11 and newer * Upgrade Guides If you are running a previous Rook version, please see the corresponding storage provider upgrade guide: * Ceph * Breaking Changes * Removed Storage Providers Each storage provider is unique and requires time and attention to properly develop and support. After much discussion with the community, we have decided to remove three storage providers from Rook in order to focus our efforts on storage providers that have active community support. See the project status for more information. These storage providers have been removed: * CockroachDB * EdgeFS * YugabyteDB * Ceph Support for creating OSDs via Drive Groups was removed. Please refer to the Ceph upgrade guide for migration instructions.
* Features * Ceph Ceph Pacific (v16) support, including features such as: Multiple Ceph Filesystems Networking dual stack CephFilesystemMirror CRD to support mirroring of CephFS volumes with Pacific Ceph CSI Driver CSI v3.3.0 driver enabled by default Volume Replication Controller for improved RBD replication support Multus support GRPC metrics disabled by default Ceph RGW Extended the support of vault KMS configuration Scale with multiple daemons with a single deployment instead of a separate deployment for each rgw daemon OSDs: LVM is no longer used to provision OSDs as of Nautilus 14.2.14, Octopus 15.2.9, and Pacific 16.2.0, simplifying the OSDs on raw devices, except for encrypted OSDs and multiple OSDs per device. More efficient updates for multiple OSDs at the same time (in the same failure domain) to speed up upgrades for larger Ceph clusters Multiple Ceph mgr daemons are supported for stretch clusters and other clusters where HA of the mgr is critical (set count: 2 under mgr in the CephCluster CR) Pod Disruption Budgets (PDBs) are enabled by default for Mon, RGW, MDS, and OSD daemons. See the disruption management settings.
Monitor failover can be disabled, for scenarios where maintenance is planned and automatic mon failover is not desired CephClient CRD has been converted to use the controller-runtime library The following package changes have been done: - aaa_base-84.87+git20180409.04c9dae-3.52.1 updated - cpio-2.12-3.9.1 updated - cracklib-dict-small-2.9.7-11.6.1 updated - cracklib-2.9.7-11.6.1 updated - csi-external-attacher-3.3.0-3.11.2 updated - file-magic-5.32-7.14.1 updated - glibc-2.26-13.62.1 updated - krb5-1.16.3-3.24.1 updated - libaugeas0-1.10.1-3.3.1 updated - libblkid1-2.33.2-4.16.1 updated - libcrack2-2.9.7-11.6.1 updated - libcurl4-7.66.0-4.27.1 updated - libfdisk1-2.33.2-4.16.1 updated - libgcc_s1-11.2.1+git610-1.3.9 updated - libgcrypt20-hmac-1.8.2-8.42.1 added - libgcrypt20-1.8.2-8.42.1 updated - libgmp10-6.1.2-4.9.1 updated - libgnutls30-hmac-3.6.7-14.13.5 added - libkeyutils1-1.6.3-5.6.1 updated - libldap-2_4-2-2.4.46-9.58.1 updated - libldap-data-2.4.46-9.58.1 updated - libmagic1-5.32-7.14.1 updated - libmount1-2.33.2-4.16.1 updated - libncurses6-6.1-5.9.1 updated - libopenssl1_1-hmac-1.1.1d-11.38.1 added - libopenssl1_1-1.1.1d-11.38.1 updated - libp11-kit0-0.23.2-4.13.1 updated - libpcre1-8.45-20.10.1 updated - libprotobuf-lite20-3.9.2-4.9.1 added - libsmartcols1-2.33.2-4.16.1 updated - libsolv-tools-0.7.20-9.2 updated - libstdc++6-11.2.1+git610-1.3.9 updated - libsystemd0-234-24.102.1 updated - libudev1-234-24.102.1 updated - libuuid1-2.33.2-4.16.1 updated - libz1-1.2.11-3.24.1 updated - libzypp-17.28.8-20.1 updated - ncurses-utils-6.1-5.9.1 updated - netcfg-11.6-3.3.1 updated - pam-1.3.0-6.50.1 updated - patterns-base-fips-20200124-4.12.1 added - permissions-20181225-23.12.1 updated - rpm-4.14.1-22.7.1 updated - terminfo-base-6.1-5.9.1 updated - util-linux-2.33.2-4.16.1 updated - zypper-1.14.50-21.1 updated - container:sles15-image-15.0.0-9.5.77 updated. Updated container ses/7/cephcsi/csi-attacher includes critical security patches for SUSE.
Security Update, Updated Container, Ceph CSI, SUSE Patch. Severity: Critical. LinuxSecurity.com Team

Jan 25, 2022 Critical SuSE

SUSE: 2021:266-1 Important: csi-attacher DoS Attack Resolution

The container ses/7/cephcsi/csi-attacher was updated. The following patches have been included in this update.

SUSE Container Update Advisory: ses/7/cephcsi/csi-attacher
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:266-1
Container Tags : ses/7/cephcsi/csi-attacher:v3.0.0 , ses/7/cephcsi/csi-attacher:v3.0.0-rev1 , ses/7/cephcsi/csi-attacher:v3.0.0-rev1-build3.324
Container Release : 3.324
Severity : important
Type : security
References : 1029961 1040589 1047218 1047218 1078466 1099521 1106014 1146705 1153687 1154935 1157818 1158812 1158958 1158959 1158960 1159491 1159715 1159847 1159850 1160309 1160438 1160439 1161268 1161276 1164719 1167471 1172091 1172115 1172234 1172236 1172240 1172308 1172442 1173641 1175448 1175449 1175519 1178219 1178561 1178577 1178624 1178675 1178775 1180020 1180073 1180083 1180596 1180836 1180851 1180851 1181011 1181358 1181443 1181831 1181874 1181874 1181976 1182016 1182372 1182604 1182791 1182899 1182936 1182936 1183064 1183094 1183268 1183370 1183371 1183456 1183457 1183589 1183628 1183628 1183791 1183797 1183801 1183852 1183933 1183934 1184326 1184358 1184399 1184401 1184435 1184614 1184690 1184761 1184967 1184997 1184997 1184997 1185046 1185163 1185221 1185239 1185239 1185325 1185331 1185408 1185408 1185409 1185409 1185410 1185410 1185417 1185438 1185540 1185562 1185698 1185807 1185958 1186015 1186049 1186114 1186447 1186503 1186579 1186642 1187060 1187210 1187212 1187292 1187400 928700 928701 CVE-2015-3414 CVE-2015-3415 CVE-2019-19244 CVE-2019-19317 CVE-2019-19603 CVE-2019-19645 CVE-2019-19646 CVE-2019-19880 CVE-2019-19923 CVE-2019-19924 CVE-2019-19925 CVE-2019-19926 CVE-2019-19959 CVE-2019-20218 CVE-2020-11080 CVE-2020-13434 CVE-2020-13435 CVE-2020-13630 CVE-2020-13631 CVE-2020-13632 CVE-2020-15358 CVE-2020-24370 CVE-2020-24371 CVE-2020-9327 CVE-2021-20231 CVE-2021-20232 CVE-2021-20305 CVE-2021-22876 CVE-2021-22890 CVE-2021-22898 CVE-2021-24031 CVE-2021-24032 CVE-2021-33560 CVE-2021-3449 CVE-2021-3516 CVE-2021-3516 CVE-2021-3517 CVE-2021-3517 CVE-2021-3518 CVE-2021-3518 CVE-2021-3520 CVE-2021-3537 CVE-2021-3541 CVE-2021-3580
-----------------------------------------------------------------

The container ses/7/cephcsi/csi-attacher was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:924-1
Released: Tue Mar 23 10:00:49 2021
Summary: Recommended update for filesystem
Type: recommended
Severity: moderate
References: 1078466,1146705,1175519,1178775,1180020,1180083,1180596,1181011,1181831,1183094

This update for filesystem fixes the following issues:

- Remove duplicate line due to merge error
- Add fix for 'mesa' creating cache with perm 0700. (bsc#1181011)
- Fixed an issue causing a failure during installation/upgrade. (rh#1548403) (bsc#1146705)
- Allows to override config to add cleanup options of '/var/tmp'. (bsc#1078466)
- Create config to cleanup '/tmp' regular required with 'tmpfs'. (bsc#1175519)

This update for systemd fixes the following issues:

- Fix for a possible memory leak. (bsc#1180020)
- Fix for a case when to a bind mounted directory results inactive mount units. (#7811) (bsc#1180596)
- Fixed an issue when starting a container conflicts with another one. (bsc#1178775)
- Drop most of the tmpfiles that deal with generic paths and avoid warnings. (bsc#1078466, bsc#1181831)
- Don't use shell redirections when calling a rpm macro. (bsc#1183094)
- 'systemd' requires 'aaa_base' >= 13.2. (bsc#1180083)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:930-1
Released: Wed Mar 24 12:09:23 2021
Summary: Security update for nghttp2
Type: security
Severity: important
References: 1172442,1181358,CVE-2020-11080

This update for nghttp2 fixes the following issues:

- CVE-2020-11080: HTTP/2 Large Settings Frame DoS (bsc#1181358)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:935-1
Released: Wed Mar 24 12:19:10 2021
Summary: Security update for gnutls
Type: security
Severity: important
References: 1183456,1183457,CVE-2021-20231,CVE-2021-20232

This update for gnutls fixes the following issues:

- CVE-2021-20232: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183456).
- CVE-2021-20231: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183457).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:948-1
Released: Wed Mar 24 14:31:34 2021
Summary: Security update for zstd
Type: security
Severity: moderate
References: 1183370,1183371,CVE-2021-24031,CVE-2021-24032

This update for zstd fixes the following issues:

- CVE-2021-24031: Added read permissions to files while being compressed or uncompressed (bsc#1183371).
- CVE-2021-24032: Fixed a race condition which could have allowed an attacker to access world-readable destination file (bsc#1183370).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:955-1
Released: Thu Mar 25 16:11:48 2021
Summary: Security update for openssl-1_1
Type: security
Severity: important
References: 1183852,CVE-2021-3449

This update for openssl-1_1 fixes the security issue:

* CVE-2021-3449: An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension but includes a signature_algorithms_cert extension, then a NULL pointer dereference will result, leading to a crash and a denial of service attack. OpenSSL TLS clients are not impacted by this issue. [bsc#1183852]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1004-1
Released: Thu Apr 1 15:07:09 2021
Summary: Recommended update for libcap
Type: recommended
Severity: moderate
References: 1180073

This update for libcap fixes the following issues:

- Added support for the ambient capabilities (jsc#SLE-17092, jsc#ECO-3460)
- Changed the license tag from 'BSD-3-Clause and GPL-2.0' to 'BSD-3-Clause OR GPL-2.0-only' (bsc#1180073)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1006-1
Released: Thu Apr 1 17:44:57 2021
Summary: Security update for curl
Type: security
Severity: moderate
References: 1183933,1183934,CVE-2021-22876,CVE-2021-22890

This update for curl fixes the following issues:

- CVE-2021-22890: TLS 1.3 session ticket proxy host mixup (bsc#1183934)
- CVE-2021-22876: Automatic referer leaks credentials (bsc#1183933)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1141-1
Released: Mon Apr 12 13:13:36 2021
Summary: Recommended update for openldap2
Type: recommended
Severity: low
References: 1182791

This update for openldap2 fixes the following issues:

- Improved the proxy connection timeout options to prune connections properly (bsc#1182791)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1169-1
Released: Tue Apr 13 15:01:42 2021
Summary: Recommended update for procps
Type: recommended
Severity: low
References: 1181976

This update for procps fixes the following issues:

- Corrected a statement in the man page about processor pinning via taskset (bsc#1181976)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1286-1
Released: Tue Apr 20 20:10:21 2021
Summary: Recommended update for SLES-release
Type: recommended
Severity: moderate
References: 1180836

This recommended update for SLES-release provides the following fix:

- Revert the problematic changes previously released and make sure the version is high enough to obsolete the package on containers and images. (bsc#1180836)

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:1296-1
Released: Wed Apr 21 14:09:28 2021
Summary: Optional update for e2fsprogs
Type: optional
Severity: low
References: 1183791

This update for e2fsprogs fixes the following issues:

- Fixed an issue when building e2fsprogs (bsc#1183791)

This patch does not fix any user visible issues and is therefore optional to install.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1297-1
Released: Wed Apr 21 14:10:10 2021
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1178219

This update for systemd fixes the following issues:

- Improved the logs emitted by systemd-shutdown during the shutdown process, when applications cannot be stopped properly and would leave mount points mounted.

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:1299-1
Released: Wed Apr 21 14:11:41 2021
Summary: Optional update for gpgme
Type: optional
Severity: low
References: 1183801

This update for gpgme fixes the following issues:

- Fixed a bug in test cases (bsc#1183801)

This patch is optional to install and does not provide any user visible bug fixes.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1407-1
Released: Wed Apr 28 15:49:02 2021
Summary: Recommended update for libcap
Type: recommended
Severity: important
References: 1184690

This update for libcap fixes the following issues:

- Add explicit dependency on 'libcap2' with version to 'libcap-progs' and 'pam_cap'. (bsc#1184690)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1412-1
Released: Wed Apr 28 17:09:28 2021
Summary: Security update for libnettle
Type: security
Severity: important
References: 1184401,CVE-2021-20305

This update for libnettle fixes the following issues:

- CVE-2021-20305: Fixed the multiply function which was being called with out-of-range scalars (bsc#1184401).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1426-1
Released: Thu Apr 29 06:23:13 2021
Summary: Recommended update for libsolv
Type: recommended
Severity: moderate
References:

This update for libsolv fixes the following issues:

- Fix rare segfault in resolve_jobrules() that could happen if new rules are learnt.
- Fix a couple of memory leaks in error cases.
- Fix error handling in solv_xfopen_fd()
- Fixed 'regex' code on win32.
- Fixed memory leak in choice rule generation

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1466-1
Released: Tue May 4 08:30:57 2021
Summary: Security update for permissions
Type: security
Severity: important
References: 1182899

This update for permissions fixes the following issues:

- etc/permissions: remove unnecessary entries (bsc#1182899)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1523-1
Released: Wed May 5 18:24:20 2021
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1185408,1185409,1185410,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518

This update for libxml2 fixes the following issues:

- CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408).
- CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410).
- CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1527-1
Released: Thu May 6 08:58:53 2021
Summary: Recommended update for bash
Type: recommended
Severity: important
References: 1183064

This update for bash fixes the following issues:

- Fixed a segmentation fault that used to occur when bash read a history file that was malformed in a very specific way. (bsc#1183064)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1528-1
Released: Thu May 6 15:31:23 2021
Summary: Recommended update for openssl-1_1
Type: recommended
Severity: moderate
References: 1161276

This update for openssl-1_1 fixes the following issues:

- Do not list disapproved cipher algorithms while in 'FIPS' mode. (bsc#1161276)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1543-1
Released: Fri May 7 15:16:32 2021
Summary: Recommended update for patterns-microos
Type: recommended
Severity: moderate
References: 1184435

This update for patterns-microos provides the following fix:

- Require the libvirt-daemon-qemu package and include the needed dependencies in the product. (bsc#1184435)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1544-1
Released: Fri May 7 16:34:41 2021
Summary: Recommended update for libzypp
Type: recommended
Severity: moderate
References: 1180851,1181874,1182936,1183628,1184997,1185239

This update for libzypp fixes the following issues:

Upgrade from version 17.25.8 to version 17.25.10

- Properly handle permission denied when providing optional files. (bsc#1185239)
- Fix service detection with `cgroupv2`. (bsc#1184997)
- Add missing includes for GCC 11. (bsc#1181874)
- Fix unsafe usage of static in media verifier.
- `Solver`: Avoid segfault if no system is loaded. (bsc#1183628)
- `MediaVerifier`: Relax media set verification in case of a single not-volatile medium. (bsc#1180851)
- Do no cleanup in custom cache dirs. (bsc#1182936)
- `ZConfig`: let `pubkeyCachePath` follow `repoCachePath`.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1549-1
Released: Mon May 10 13:48:00 2021
Summary: Recommended update for procps
Type: recommended
Severity: moderate
References: 1185417

This update for procps fixes the following issues:

- Support up to 2048 CPU as well. (bsc#1185417)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1565-1
Released: Tue May 11 14:20:04 2021
Summary: Recommended update for krb5
Type: recommended
Severity: moderate
References: 1185163

This update for krb5 fixes the following issues:

- Use '/run' instead of '/var/run' for daemon PID files. (bsc#1185163)

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:1592-1
Released: Wed May 12 13:47:41 2021
Summary: Optional update for sed
Type: optional
Severity: low
References: 1183797

This update for sed fixes the following issues:

- Fixed a building issue with glibc-2.31 (bsc#1183797).

This patch is optional to install.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1612-1
Released: Fri May 14 17:09:39 2021
Summary: Recommended update for openldap2
Type: recommended
Severity: moderate
References: 1184614

This update for openldap2 fixes the following issue:

- Provide `openldap2-contrib` to the modules SUSE Linux Enterprise Legacy 15-SP2 and 15-SP3. (bsc#1184614)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1643-1
Released: Wed May 19 13:51:48 2021
Summary: Recommended update for pam
Type: recommended
Severity: important
References: 1181443,1184358,1185562

This update for pam fixes the following issues:

- Fixed a bug, where the 'unlimited'/'-1' value was not interpreted correctly (bsc#1181443)
- Fixed a bug, where pam_access interpreted the keyword 'LOCAL' incorrectly, leading to an attempt to resolve it as a hostname (bsc#1184358)
- In the 32-bit compatibility package for 64-bit architectures, require 'systemd-32bit' to be also installed as it contains pam_systemd.so for 32 bit applications. (bsc#1185562)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1647-1
Released: Wed May 19 13:59:12 2021
Summary: Security update for lz4
Type: security
Severity: important
References: 1185438,CVE-2021-3520

This update for lz4 fixes the following issues:

- CVE-2021-3520: Fixed memory corruption due to an integer overflow bug caused by memmove argument (bsc#1185438).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1654-1
Released: Wed May 19 16:43:36 2021
Summary: Security update for libxml2
Type: security
Severity: important
References: 1185408,1185409,1185410,1185698,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518,CVE-2021-3537

This update for libxml2 fixes the following issues:

- CVE-2021-3537: NULL pointer dereference in valid.c:xmlValidBuildAContentModel (bsc#1185698)
- CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408).
- CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410).
- CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1762-1
Released: Wed May 26 12:30:01 2021
Summary: Security update for curl
Type: security
Severity: moderate
References: 1186114,CVE-2021-22898

This update for curl fixes the following issues:

- CVE-2021-22898: Fixed curl TELNET stack contents disclosure (bsc#1186114).
- Allow partial chain verification [jsc#SLE-17956]
  * Have intermediate certificates in the trust store be treated as trust-anchors, in the same way as self-signed root CA certificates are. This allows users to verify servers using the intermediate cert only, instead of needing the whole chain.
  * Set FLAG_TRUSTED_FIRST unconditionally.
  * Do not check partial chains with CRL check.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1833-1
Released: Wed Jun 2 15:32:28 2021
Summary: Recommended update for zypper
Type: recommended
Severity: moderate
References: 1153687,1180851,1181874,1182372,1182936,1183268,1183589,1183628,1184997,1185239

This update for zypper fixes the following issues:

zypper was upgraded to 1.14.44:

- man page: Recommend the needs-rebooting command to test whether a system reboot is suggested.
- patch: Let a patch's reboot-needed flag overrule included packages. (bsc#1183268)
- Quickfix setting 'openSUSE_Tumbleweed' as default platform for 'MicroOS'. (bsc#1153687)
- Protect against strict/relaxed user umask via sudo. (bsc#1183589)
- xml summary: Add solvables repository alias. (bsc#1182372)

libzypp was upgraded from version 17.25.8 to version 17.25.10

- Properly handle permission denied when providing optional files. (bsc#1185239)
- Fix service detection with `cgroupv2`. (bsc#1184997)
- Add missing includes for GCC 11. (bsc#1181874)
- Fix unsafe usage of static in media verifier.
- `Solver`: Avoid segfault if no system is loaded. (bsc#1183628)
- `MediaVerifier`: Relax media set verification in case of a single not-volatile medium. (bsc#1180851)
- Do no cleanup in custom cache dirs. (bsc#1182936)
- `ZConfig`: let `pubkeyCachePath` follow `repoCachePath`.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1861-1
Released: Fri Jun 4 09:59:40 2021
Summary: Recommended update for gcc10
Type: recommended
Severity: moderate
References: 1029961,1106014,1178577,1178624,1178675,1182016

This update for gcc10 fixes the following issues:

- Disable nvptx offloading for aarch64 again since it doesn't work
- Fixed a build failure issue. (bsc#1182016)
- Fix for memory miscompilation on 'aarch64'. (bsc#1178624, bsc#1178577)
- Fix 32bit 'libgnat.so' link. (bsc#1178675)
- prepare usrmerge: Install libgcc_s into %_libdir. ABI wise it stays /%lib. (bsc#1029961)
- Build complete set of multilibs for arm-none target. (bsc#1106014)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1879-1
Released: Tue Jun 8 09:16:09 2021
Summary: Recommended update for libzypp, zypper
Type: recommended
Severity: important
References: 1184326,1184399,1184997,1185325

This update for libzypp, zypper fixes the following issues:

libzypp was updated to 17.26.0:

- Work around download.o.o broken https redirects.
- Allow trusted repos to add additional signing keys (bsc#1184326)
  Repositories signed with a trusted gpg key may import additional package signing keys. This is needed if different keys were used to sign the packages shipped by the repository.
- MediaCurl: Fix logging of redirects.
- Use 15.3 resolver problem and solution texts on all distros.
- $ZYPP_LOCK_TIMEOUT: Let negative values wait forever for the zypp lock (bsc#1184399)
  Helps boot time services like 'zypper purge-kernels' to wait for the zypp lock until other services using zypper have completed.
- Fix purge-kernels is broken in Leap 15.3 (bsc#1185325)
  Leap 15.3 introduces a new kernel package called kernel-flavour-extra, which contains kmp's. Currently kmp's are detected by name '.*-kmp(-.*)?' but this does not work with those new packages. This patch fixes the problem by checking packages for kmod(*) and ksym(*) provides and only falls back to name checking if the package in question does not provide one of those.
- Introduce zypp-runpurge, a tool to run purge-kernels on testcases.

zypper was updated to 1.14.45:

- Fix service detection with cgroupv2 (bsc#1184997)
- Add hints to 'trust GPG key' prompt.
- Add report when receiving new package signing keys from a trusted repo (bsc#1184326)
- Added translation using Weblate (Kabyle)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1917-1
Released: Wed Jun 9 14:48:05 2021
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1186015,CVE-2021-3541

This update for libxml2 fixes the following issues:

- CVE-2021-3541: Fixed an exponential entity expansion attack that bypasses all existing protection mechanisms. (bsc#1186015)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1937-1
Released: Thu Jun 10 10:47:09 2021
Summary: Recommended update for nghttp2
Type: recommended
Severity: moderate
References: 1186642

This update for nghttp2 fixes the following issue:

- The (lib)nghttp2 packages had a lower release number in SUSE Linux Enterprise 15 sp2 and sp3 than in 15 sp1, which could lead to migration issues. (bsc#1186642)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1953-1
Released: Thu Jun 10 16:18:50 2021
Summary: Recommended update for gpg2
Type: recommended
Severity: moderate
References: 1161268,1172308

This update for gpg2 fixes the following issues:

- Fixed an issue where the gpg-agent's ssh-agent does not handle flags in signing requests properly (bsc#1161268 and bsc#1172308).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2143-1
Released: Wed Jun 23 16:27:04 2021
Summary: Security update for libnettle
Type: security
Severity: important
References: 1187060,CVE-2021-3580

This update for libnettle fixes the following issues:

- CVE-2021-3580: Fixed a remote denial of service in the RSA decryption via manipulated ciphertext (bsc#1187060).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2157-1
Released: Thu Jun 24 15:40:14 2021
Summary: Security update for libgcrypt
Type: security
Severity: important
References: 1187212,CVE-2021-33560

This update for libgcrypt fixes the following issues:

- CVE-2021-33560: Fixed a side-channel against ElGamal encryption, caused by missing exponent blinding (bsc#1187212).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2173-1
Released: Mon Jun 28 14:59:45 2021
Summary: Recommended update for automake
Type: recommended
Severity: moderate
References: 1040589,1047218,1182604,1185540,1186049

This update for automake fixes the following issues:

- Implement generated autoconf makefiles reproducible (bsc#1182604)
- Add fix to avoid date variations in docs. (bsc#1047218, jsc#SLE-17848)
- Avoid bashisms in test-driver script. (bsc#1185540)

This update for pcre fixes the following issues:

- Do not run profiling 'check' in parallel to make package build reproducible. (bsc#1040589)

This update for brp-check-suse fixes the following issues:

- Add fixes to support reproducible builds. (bsc#1186049)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2196-1
Released: Tue Jun 29 09:41:39 2021
Summary: Security update for lua53
Type: security
Severity: moderate
References: 1175448,1175449,CVE-2020-24370,CVE-2020-24371

This update for lua53 fixes the following issues:

Update to version 5.3.6:

- CVE-2020-24371: lgc.c mishandles the interaction between barriers and the sweep phase, leading to a memory access violation involving collectgarbage (bsc#1175449)
- CVE-2020-24370: ldebug.c allows a negation overflow and segmentation fault in getlocal and setlocal (bsc#1175448)
- Long brackets with a huge number of '=' overflow some internal buffer arithmetic.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2205-1
Released: Wed Jun 30 09:17:41 2021
Summary: Recommended update for openldap2
Type: recommended
Severity: important
References: 1187210

This update for openldap2 fixes the following issues:

- Resolve issues in the idle / connection 'TTL' timeout implementation in OpenLDAP. (bsc#1187210)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2229-1
Released: Thu Jul 1 20:40:37 2021
Summary: Recommended update for release packages
Type: recommended
Severity: moderate
References: 1099521,1185221

This update for the release packages provides the following fix:

- Fix grub menu entries after migration from SLE-12*. (bsc#1099521)
- Adjust the sles-release changelog to include an entry for the previous release that was reverting a broken change. (bsc#1185221)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2246-1
Released: Mon Jul 5 15:17:49 2021
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1154935,1167471,1178561,1184761,1184967,1185046,1185331,1185807,1185958,1187292,1187400

This update for systemd fixes the following issues:

- cgroup: Parse infinity properly for memory protections. (bsc#1167471)
- cgroup: Make empty assignments reset to default. (bsc#1167471)
- cgroup: Support 0-value for memory protection directives. (bsc#1167471)
- core/cgroup: Fixed an issue with ignored parameter of 'MemorySwapMax=0'. (bsc#1154935)
- bus-unit-util: Add proper 'MemorySwapMax' serialization.
- core: Accept MemorySwapMax= properties that are scaled.
- execute: Make sure to call into PAM after initializing resource limits. (bsc#1184967)
- core: Rename 'ShutdownWatchdogSec' to 'RebootWatchdogSec'. (bsc#1185331)
- Return -EAGAIN instead of -EALREADY from unit_reload. (bsc#1185046)
- rules: Don't ignore Xen virtual interfaces anymore. (bsc#1178561)
- write_net_rules: Set execute bits. (bsc#1178561)
- udev: Rework network device renaming.
- Revert 'Revert 'udev: Network device renaming - immediately give up if the target name isn't available'
- mount-util: tape over name_to_handle_at() flakiness (#7517) (bsc#1184761)
- core: fix output (logging) for mount units (#7603) (bsc#1187400)
- udev requires systemd in its %post (bsc#1185958)
- cgroup: Parse infinity properly for memory protections (bsc#1167471)
- cgroup: Make empty assignments reset to default (bsc#1167471)
- cgroup: Support 0-value for memory protection directives (bsc#1167471)
- Create /run/lock/subsys again (bsc#1187292)
  The creation of this directory was mistakenly dropped when 'filesystem' package took the initialization of the generic paths over.
- Expect 644 permissions for /usr/lib/udev/compat-symlink-generation (bsc#1185807)

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:2249-1
Released: Mon Jul 5 15:40:46 2021
Summary: Optional update for gnutls
Type: optional
Severity: low
References: 1047218,1186579

This update for gnutls does not fix any user visible issues. It is therefore optional to install.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2273-1
Released: Thu Jul 8 09:48:48 2021
Summary: Recommended update for libzypp, zypper
Type: recommended
Severity: moderate
References: 1186447,1186503

This update for libzypp, zypper fixes the following issues:

- Enhance XML output of repo GPG options
- Add optional attributes showing the raw values actually present in the '.repo' file.
- Link all executables with -PIE (bsc#1186447)
- Ship an empty '/etc/zypp/needreboot' per default (jsc#PM-2645)
- Add 'Solvable::isBlacklisted' as superset of retracted and ptf packages (bsc#1186503)
- Fix segv if 'ZYPP_FULLOG' is set.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2320-1
Released: Wed Jul 14 17:01:06 2021
Summary: Security update for sqlite3
Type: security
Severity: important
References: 1157818,1158812,1158958,1158959,1158960,1159491,1159715,1159847,1159850,1160309,1160438,1160439,1164719,1172091,1172115,1172234,1172236,1172240,1173641,928700,928701,CVE-2015-3414,CVE-2015-3415,CVE-2019-19244,CVE-2019-19317,CVE-2019-19603,CVE-2019-19645,CVE-2019-19646,CVE-2019-19880,CVE-2019-19923,CVE-2019-19924,CVE-2019-19925,CVE-2019-19926,CVE-2019-19959,CVE-2019-20218,CVE-2020-13434,CVE-2020-13435,CVE-2020-13630,CVE-2020-13631,CVE-2020-13632,CVE-2020-15358,CVE-2020-9327

This update for sqlite3 fixes the following issues:

- Update to version 3.36.0
- CVE-2020-15358: heap-based buffer overflow in multiSelectOrderBy due to mishandling of query-flattener optimization (bsc#1173641)
- CVE-2020-9327: NULL pointer dereference and segmentation fault because of generated column optimizations in isAuxiliaryVtabOperator (bsc#1164719)
- CVE-2019-20218: selectExpander in select.c proceeds with WITH stack unwinding even after a parsing error (bsc#1160439)
- CVE-2019-19959: memory-management error via ext/misc/zipfile.c involving embedded '\0' input (bsc#1160438)
- CVE-2019-19923: improper handling of certain uses of SELECT DISTINCT in flattenSubquery may lead to null pointer dereference (bsc#1160309)
- CVE-2019-19924: improper error handling in sqlite3WindowRewrite() (bsc#1159850)
- CVE-2019-19925: improper handling of NULL pathname during an update of a ZIP archive (bsc#1159847)
- CVE-2019-19926: improper handling of certain errors during parsing multiSelect in select.c (bsc#1159715)
- CVE-2019-19880: exprListAppendList in window.c allows attackers to trigger an invalid pointer dereference (bsc#1159491)
- CVE-2019-19603: during handling of CREATE TABLE and CREATE VIEW statements, does not consider confusion with a shadow table name (bsc#1158960)
- CVE-2019-19646: pragma.c mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns (bsc#1158959)
- CVE-2019-19645: alter.c allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements (bsc#1158958)
- CVE-2019-19317: lookupName in resolve.c omits bits from the colUsed bitmask in the case of a generated column, which allows attackers to cause a denial of service (bsc#1158812)
- CVE-2019-19244: sqlite3,sqlite2,sqlite: The function sqlite3Select in select.c allows a crash if a sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage (bsc#1157818)
- CVE-2015-3415: sqlite3VdbeExec comparison operator vulnerability (bsc#928701)
- CVE-2015-3414: sqlite3,sqlite2: dequoting of collation-sequence names (bsc#928700)
- CVE-2020-13434: integer overflow in sqlite3_str_vappendf (bsc#1172115)
- CVE-2020-13630: use-after-free in fts3EvalNextRow (bsc#1172234)
- CVE-2020-13631: virtual table allowed to be renamed to one of its shadow tables (bsc#1172236)
- CVE-2020-13632: NULL pointer dereference via crafted matchinfo() query (bsc#1172240)
- CVE-2020-13435: Malicious SQL statements could have crashed the process that is running SQLite (bsc#1172091)

Important security patch for SUSE container ses/7/cephcsi/csi-mounter to maintain strong system integrity and performance. SUSE Container Update, CSI Attacher Security, SUSE Advisory. Severity: Important. LinuxSecurity.com Team

Jul 21, 2021 Important SuSE

SUSE: 2022:45-3 Important: Rook Ceph Security Update for ses/7

The container ses/7/rook/ceph was updated. The following patches have been included in this update:

SUSE Container Update Advisory: ses/7/rook/ceph
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:99-1
Container Tags        : ses/7/rook/ceph:1.5.7 , ses/7/rook/ceph:1.5.7.4 , ses/7/rook/ceph:1.5.7.4.1.1546 , ses/7/rook/ceph:latest , ses/7/rook/ceph:sle15.2.octopus
Container Release     : 1.1546
Severity              : important
Type                  : security
References            : 1078466 1083473 1112500 1115408 1125671 1140565 1146705 1154393 1160876
                        1165780 1171549 1172442 1172926 1174514 1175289 1175519 1176201 1176390
                        1176489 1176679 1176784 1176785 1176828 1177360 1177857 1178168 1178407
                        1178775 1178837 1178860 1178905 1178932 1179569 1179847 1179997 1180020
                        1180073 1180083 1180596 1180713 1181011 1181328 1181358 1181622 1181831
                        1182328 1182362 1182379 1182629 1182766 1183012 1183094 1183370 1183371
                        1183456 1183457 1183852 1183933 1183934 CVE-2020-11080 CVE-2020-14343
                        CVE-2020-25659 CVE-2020-25678 CVE-2020-27839 CVE-2021-20231 CVE-2021-20232
                        CVE-2021-22876 CVE-2021-22890 CVE-2021-23336 CVE-2021-24031 CVE-2021-24032
                        CVE-2021-27218 CVE-2021-27219 CVE-2021-3449
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:778-1
Released:    Fri Mar 12 17:42:25 2021
Summary:     Security update for glib2
Type:        security
Severity:    important
References:  1182328,1182362,CVE-2021-27218,CVE-2021-27219

This update for glib2 fixes the following issues:

- CVE-2021-27218: g_byte_array_new_take takes a gsize as length but stores it in a guint; this patch will refuse if the length is larger than guint. (bsc#1182328)
- CVE-2021-27219: g_memdup takes a guint as parameter and sometimes leads into an integer overflow, so add a g_memdup2 function which uses gsize to replace it. (bsc#1182362)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:786-1
Released:    Mon Mar 15 11:19:23 2021
Summary:     Recommended update for zlib
Type:        recommended
Severity:    moderate
References:  1176201

This update for zlib fixes the following issues:

- Fixed hw compression on z15 (bsc#1176201)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:874-1
Released:    Thu Mar 18 09:41:54 2021
Summary:     Recommended update for libsolv, libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1179847,1181328,1181622,1182629

This update for libsolv, libzypp, zypper fixes the following issues:

- support multiple collections in updateinfo parser
- Fixed an issue when some 'systemd' tools require '/proc' to be mounted and fail if it's not there. (bsc#1181328)
- Enable release packages to request a relaxed suse/opensuse vendorcheck in dup when migrating. (bsc#1182629)
- Patch: Identify well-known category names to allow to use the RH and SUSE patch category names synonymously. (bsc#1179847)
- Fix '%posttrans' script execution. (fixes #265)
- Repo: Allow multiple baseurls specified on one line (fixes #285)
- Regex: Fix memory leak and undefined behavior.
- Add rpm buildrequires for test suite (fixes #279)
- Use rpmdb2solv new -D switch to tell the location of the rpmdatabase to use.
- doc: give more details about creating versioned package locks. (bsc#1181622)
- man: Document synonymously used patch categories (bsc#1179847)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:924-1
Released:    Tue Mar 23 10:00:49 2021
Summary:     Recommended update for filesystem
Type:        recommended
Severity:    moderate
References:  1078466,1146705,1175519,1178775,1180020,1180083,1180596,1181011,1181831,1183094

This update for filesystem fixes the following issues:

- Remove duplicate line due to merge error
- Add fix for 'mesa' creating cache with perm 0700. (bsc#1181011)
- Fixed an issue causing a failure during installation/upgrade. (rh#1548403) (bsc#1146705)
- Allows to override config to add cleanup options of '/var/tmp'. (bsc#1078466)
- Create config to cleanup '/tmp' regular required with 'tmpfs'. (bsc#1175519)

This update for systemd fixes the following issues:

- Fix for a possible memory leak. (bsc#1180020)
- Fix for a case when to a bind mounted directory results inactive mount units. (#7811) (bsc#1180596)
- Fixed an issue when starting a container conflicts with another one. (bsc#1178775)
- Drop most of the tmpfiles that deal with generic paths and avoid warnings. (bsc#1078466, bsc#1181831)
- Don't use shell redirections when calling a rpm macro. (bsc#1183094)
- 'systemd' requires 'aaa_base' >= 13.2. (bsc#1180083)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:926-1
Released:    Tue Mar 23 13:20:24 2021
Summary:     Recommended update for systemd-presets-common-SUSE
Type:        recommended
Severity:    moderate
References:  1083473,1112500,1115408,1165780,1183012

This update for systemd-presets-common-SUSE fixes the following issues:

- Add default user preset containing:
  - enable `pulseaudio.socket` (bsc#1083473)
  - enable `pipewire.socket` (bsc#1183012)
  - enable `pipewire-pulse.socket` (bsc#1183012)
  - enable `pipewire-media-session.service` (used with pipewire >= 0.3.23)
- Changes to the default preset:
  - enable `btrfsmaintenance-refresh.path`.
  - disable `btrfsmaintenance-refresh.service`.
  - enable `dnf-makecache.timer`.
  - enable `ignition-firstboot-complete.service`.
  - enable logwatch.timer and avoid to have logwatch out of sync with logrotate. (bsc#1112500)
  - enable `mlocate.timer`. Recent versions of mlocate don't use `updatedb.timer` any more. (bsc#1115408)
  - remove enable `updatedb.timer`
- Avoid needless refresh on boot. (bsc#1165780)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:930-1
Released:    Wed Mar 24 12:09:23 2021
Summary:     Security update for nghttp2
Type:        security
Severity:    important
References:  1172442,1181358,CVE-2020-11080

This update for nghttp2 fixes the following issues:

- CVE-2020-11080: HTTP/2 Large Settings Frame DoS (bsc#1181358)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:935-1
Released:    Wed Mar 24 12:19:10 2021
Summary:     Security update for gnutls
Type:        security
Severity:    important
References:  1183456,1183457,CVE-2021-20231,CVE-2021-20232

This update for gnutls fixes the following issues:

- CVE-2021-20232: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183456).
- CVE-2021-20231: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183457).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:947-1
Released:    Wed Mar 24 14:30:58 2021
Summary:     Security update for python3
Type:        security
Severity:    moderate
References:  1182379,CVE-2021-23336

This update for python3 fixes the following issues:

- python36 was updated to 3.6.13
- CVE-2021-23336: Fixed a potential web cache poisoning caused by the use of a semicolon as a query string separator (bsc#1182379).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:948-1
Released:    Wed Mar 24 14:31:34 2021
Summary:     Security update for zstd
Type:        security
Severity:    moderate
References:  1183370,1183371,CVE-2021-24031,CVE-2021-24032

This update for zstd fixes the following issues:

- CVE-2021-24031: Added read permissions to files while being compressed or uncompressed (bsc#1183371).
- CVE-2021-24032: Fixed a race condition which could have allowed an attacker to access world-readable destination file (bsc#1183370).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:952-1
Released:    Thu Mar 25 14:36:56 2021
Summary:     Recommended update for libunwind
Type:        recommended
Severity:    moderate
References:  1160876,1171549

This update for libunwind fixes the following issues:

- Update to version 1.5.0. (jsc#ECO-3395)
- Enable s390x for building. (jsc#ECO-3395)
- Fix compilation with 'fno-common'. (bsc#1171549)
- Fix build with 'GCC-10'. (bsc#1160876)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:953-1
Released:    Thu Mar 25 14:37:26 2021
Summary:     Recommended update for psmisc
Type:        recommended
Severity:    moderate
References:  1178407

This update for psmisc fixes the following issues:

- Fix for 'fuser' when it does not show open kvm storage image files such as 'qcow2' files. (bsc#1178407)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:955-1
Released:    Thu Mar 25 16:11:48 2021
Summary:     Security update for openssl-1_1
Type:        security
Severity:    important
References:  1183852,CVE-2021-3449

This update for openssl-1_1 fixes the security issue:

* CVE-2021-3449: An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension but includes a signature_algorithms_cert extension, then a NULL pointer dereference will result, leading to a crash and a denial of service attack. OpenSSL TLS clients are not impacted by this issue. [bsc#1183852]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:985-1
Released:    Tue Mar 30 14:42:46 2021
Summary:     Recommended update for the Azure SDK and CLI
Type:        recommended
Severity:    moderate
References:  1125671,1140565,1154393,1174514,1175289,1176784,1176785,1178168,CVE-2020-14343,CVE-2020-25659

This update for the Azure SDK and CLI adds support for the AHB (Azure Hybrid Benefit). (bsc#1176784, jsc#ECO=3105)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1004-1
Released:    Thu Apr 1 15:07:09 2021
Summary:     Recommended update for libcap
Type:        recommended
Severity:    moderate
References:  1180073

This update for libcap fixes the following issues:

- Added support for the ambient capabilities (jsc#SLE-17092, jsc#ECO-3460)
- Changed the license tag from 'BSD-3-Clause and GPL-2.0' to 'BSD-3-Clause OR GPL-2.0-only' (bsc#1180073)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1006-1
Released:    Thu Apr 1 17:44:57 2021
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1183933,1183934,CVE-2021-22876,CVE-2021-22890

This update for curl fixes the following issues:

- CVE-2021-22890: TLS 1.3 session ticket proxy host mixup (bsc#1183934)
- CVE-2021-22876: Automatic referer leaks credentials (bsc#1183933)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1018-1
Released:    Tue Apr 6 14:29:13 2021
Summary:     Recommended update for gzip
Type:        recommended
Severity:    moderate
References:  1180713

This update for gzip fixes the following issues:

- Fixes an issue when 'gzexe' counts the lines to skip wrong. (bsc#1180713)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1109-1
Released:    Thu Apr 8 11:49:10 2021
Summary:     Security update for ceph
Type:        security
Severity:    moderate
References:  1172926,1176390,1176489,1176679,1176828,1177360,1177857,1178837,1178860,1178905,1178932,1179569,1179997,1182766,CVE-2020-25678,CVE-2020-27839

This update for ceph fixes the following issues:

- ceph was updated to 15.2.9
- cephadm: fix 'inspect' and 'pull' (bsc#1182766)
- CVE-2020-27839: mgr/dashboard: Use secure cookies to store JWT Token (bsc#1179997)
- CVE-2020-25678: Do not add sensitive information in Ceph log files (bsc#1178905)
- mgr/orchestrator: Sort 'ceph orch device ls' by host (bsc#1172926)
- mgr/dashboard: enable different URL for users of browser to Grafana (bsc#1176390, bsc#1176679)
- mgr/cephadm: lock multithreaded access to OSDRemovalQueue (bsc#1176489)
- cephadm: command_unit: call systemctl with verbose=True (bsc#1176828)
- cephadm: silence 'Failed to evict container' log msg (bsc#1177360)
- mgr/cephadm: upgrade: fail gracefully, if daemon redeploy fails (bsc#1177857)
- rgw: cls/user: set from_index for reset stats calls (bsc#1178837)
- mgr/dashboard: Disable TLS 1.0 and 1.1 (bsc#1178860)
- cephadm: reference the last local image by digest (bsc#1178932, bsc#1179569)

SUSE advises on an important security update for the Rook Ceph container in ses/7 to ensure system integrity and patch known issues.

Severity: Important. LinuxSecurity.com Team

Apr 09, 2021 Important SuSE