SUSE Security Update: Security update for CaaS Platform 1.0 images
______________________________________________________________________________
Announcement ID: SUSE-SU-2017:2470-1
Rating: important
References: #1004995 #1009745 #1014471 #1017420 #1019637
#1026825 #1027079 #1027688 #1027908 #1028281
#1028723 #1029523 #1031756 #1032706 #1033236
#1035062 #1036659 #1038132 #1038444 #1038984
#1042392 #1043218 #1043333 #1044095 #1044107
#1044175 #1044840 #1045384 #1045735 #1045987
#1046268 #1046417 #1046659 #1046853 #1046858
#1047008 #1047236 #1047240 #1047310 #1047379
#1047785 #1047964 #1047965 #1048315 #1048483
#1048605 #1048679 #1048715 #1049344 #1050396
#1050484 #1051626 #1051643 #1051644 #1052030
#1052759 #1053409 #874665 #902364 #938657
#944903 #954661 #960820 #963041
Cross-References: CVE-2013-7459 CVE-2016-9063 CVE-2017-1000100
CVE-2017-1000101 CVE-2017-10684 CVE-2017-10685
CVE-2017-11112 CVE-2017-11113 CVE-2017-3308
CVE-2017-3309 CVE-2017-3453 CVE-2017-3456
CVE-2017-3464 CVE-2017-7435 CVE-2017-7436
CVE-2017-8872 CVE-2017-9233 CVE-2017-9269
Affected Products:
SUSE Container as a Service Platform ALL
______________________________________________________________________________
An update that solves 18 vulnerabilities and has 46 fixes
is now available.
Description:
The Docker images provided with SUSE CaaS Platform 1.0 have been updated
to include the following updates:
libzypp:
– CVE-2017-7435, CVE-2017-7436, CVE-2017-9269: Fix GPG check workflows,
mainly for unsigned repositories and packages. (bsc#1045735, bsc#1038984)
– Fix gpg-pubkey release (creation time) computation. (bsc#1036659)
– Update lsof blacklist. (bsc#1046417)
– Re-probe on refresh if the repository type changes. (bsc#1048315)
– Propagate proper error code to DownloadProgressReport. (bsc#1047785)
– Allow to trigger an appdata refresh unconditionally. (bsc#1009745)
– Support custom repo variables defined in /etc/zypp/vars.d.
– Adapt loop mounting of ISO images. (bsc#1038132, bsc#1033236)
– Fix potential crash if repository has no baseurl. (bsc#1043218)
zypper:
– CVE-2017-7436: Adapt download callback to report and handle unsigned
packages. (bsc#1038984)
– Report missing/optional files as ‘not found’ rather than ‘error’.
(bsc#1047785)
– Document support for custom repository variables defined in
/etc/zypp/vars.d.
– Emphasize that it depends on how fast PackageKit will respond to a
‘quit’ request sent if PK blocks package management.
libgcrypt:
– Fix infinite loop in gnome-keyring-daemon caused by attempt to read from
random device left open by libgcrypt. (bsc#1043333)
– Avoid seeding the DRBG during FIPS power-up selftests. (bsc#1046659)
– Fix a bug in gcry_drbg_healthcheck_sanity() which caused skipping some
of the tests. (bsc#1046659)
– dlsym returns PLT address on s390x, dlopen libgcrypt20.so before calling
dlsym. (bsc#1047008)
lua51:
– Add Lua(API) and Lua(devel) symbols to fix building of lua51-luasocket.
(bsc#1051626)
cyrus-sasl:
– Fix unknown authentication mechanism: kerberos5 (bsc#1026825)
– Really use SASLAUTHD_PARAMS variable (bsc#938657)
– Make sure /usr/sbin/rcsaslauthd exists
– Add /usr/sbin/rcsaslauthd symbolic link to /usr/sbin/service
(bsc#1014471)
– Silence “GSSAPI client step 1” debug log message (bsc#1044840)
libxml2:
– CVE-2017-8872: Out-of-bounds read in htmlParseTryOrFinish. (bsc#1038444)
curl:
– CVE-2017-1000100: TFP sends more than buffer size and it could lead to a
denial of service. (bsc#1051644)
– CVE-2017-1000101: URL globbing out of bounds read could lead to a denial
of service. (bsc#1051643)
ncurses:
– CVE-2017-11112: Illegal address access in append_acs. (bsc#1047964)
– CVE-2017-11113: Dereferencing NULL pointer in _nc_parse_entry.
(bsc#1047965)
– CVE-2017-10684, CVE-2017-10685: Add modified upstream fix from ncurses
6.0 to avoid broken termcap format (bsc#1046853, bsc#1046858,
bsc#1049344)
sed:
– Don’t terminate with a segmentation fault if close of last file
descriptor fails. (bsc#954661)
openssl:
– Remove DES-CBC3-SHA based ciphers from DEFAULT_SUSE to address SWEET32
problem. (bsc#1027908)
– Use getrandom syscall instead of reading from /dev/urandom to get at
least 128 bits of entropy to comply with FIPS 140.2 IG 7.14.
(bsc#1027079 bsc#1044175)
– Fix x86 extended feature detection (bsc#1029523)
– Allow runtime switching of s390x capabilities via the “OPENSSL_s390xcap”
environmental variable. (bsc#1028723)
– Add back certificate initialization set_cert_key_stuff() which was
removed in a previous update. (bsc#1028281)
– Fix a bug in XTS key handling. (bsc#1019637)
– Don’t run FIPS power-up self-tests when the checksum files aren’t
installed. (bsc#1042392)
procps:
– Don’t set buffering on invalid file descriptor. (bsc#1053409)
expat:
– CVE-2016-9063: Possible integer overflow to fix inside XML_Parse leading
to unexpected behaviour. (bsc#1047240)
– CVE-2017-9233: External Entity Vulnerability could lead to denial of
service. (bsc#1047236)
systemd:
– Revert fix for bsc#1004995 which could have caused boot failure on LVM
(bsc#1048605)
– compat-rules: drop the bogus ‘import everything’ rule (bsc#1046268)
– core: use an AF_UNIX/SOCK_DGRAM socket for cgroup agent notification
(bsc#1045384 bsc#1047379)
– udev/path_id: introduce support for NVMe devices (bsc#1045987)
– compat-rules: Don’t rely on ID_SERIAL when generating ‘by-id’ links for
NVMe devices. (bsc#1048679)
– fstab-generator: Handle NFS “bg” mounts correctly. (bsc#874665,
fate#323464)
– timesyncd: Don’t use compiled-in list if FallbackNTP has been configured
explicitly.
insserv-compat:
– Add /etc/init.d hierarchy from former “filesystem” package. (bsc#1035062)
– Fix directory argument parsing. (bsc#944903)
– Add perl(Getopt::Long) to list of requirements.
mariadb:
– Update libmysqlclient18 from version 10.0.30 to 10.0.31.
python-pycrypto:
– CVE-2013-7459: Fixed a potential heap buffer overflow in ALGnew
(bsc#1017420).
velum:
– Fix loopback IP for proxy exception during initial configuration.
(bsc#1052759)
– Set secure flag in cookie. (bsc#1050484)
– Set VERSION to 1.0.0. (bsc#1050396)
– Allow kubeconfig download when master is ready. (bsc#1048483)
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
– SUSE Container as a Service Platform ALL:
zypper in -t patch SUSE-CAASP-ALL-2017-1531=1
To bring your system up-to-date, use “zypper patch”.
Package List:
– SUSE Container as a Service Platform ALL (x86_64):
container-feeder-0.0.0+20170901.git_r55_17ecbd3-2.3.3
sles12-mariadb-docker-image-1.1.0-2.3.10
sles12-pause-docker-image-1.1.0-2.3.11
sles12-pv-recycler-node-docker-image-1.1.0-2.3.10
sles12-salt-api-docker-image-1.1.0-2.3.9
sles12-salt-master-docker-image-1.1.0-4.3.10
sles12-salt-minion-docker-image-1.1.0-2.3.8
sles12-velum-docker-image-1.1.0-4.3.9
– SUSE Container as a Service Platform ALL (noarch):
caasp-container-manifests-0.0.0+git_r155_93e40ab-2.3.3
References:
https://www.suse.com/security/cve/CVE-2013-7459.html
https://www.suse.com/security/cve/CVE-2016-9063.html
https://www.suse.com/security/cve/CVE-2017-1000100.html
https://www.suse.com/security/cve/CVE-2017-1000101.html
https://www.suse.com/security/cve/CVE-2017-10684.html
https://www.suse.com/security/cve/CVE-2017-10685.html
https://www.suse.com/security/cve/CVE-2017-11112.html
https://www.suse.com/security/cve/CVE-2017-11113.html
https://www.suse.com/security/cve/CVE-2017-3308.html
https://www.suse.com/security/cve/CVE-2017-3309.html
https://www.suse.com/security/cve/CVE-2017-3453.html
https://www.suse.com/security/cve/CVE-2017-3456.html
https://www.suse.com/security/cve/CVE-2017-3464.html
https://www.suse.com/security/cve/CVE-2017-7435.html
https://www.suse.com/security/cve/CVE-2017-7436.html
https://www.suse.com/security/cve/CVE-2017-8872.html
https://www.suse.com/security/cve/CVE-2017-9233.html
https://www.suse.com/security/cve/CVE-2017-9269.html
https://bugzilla.suse.com/1004995
https://bugzilla.suse.com/1009745
https://bugzilla.suse.com/1014471
https://bugzilla.suse.com/1017420
https://bugzilla.suse.com/1019637
https://bugzilla.suse.com/1026825
https://bugzilla.suse.com/1027079
https://bugzilla.suse.com/1027688
https://bugzilla.suse.com/1027908
https://bugzilla.suse.com/1028281
https://bugzilla.suse.com/1028723
https://bugzilla.suse.com/1029523
https://bugzilla.suse.com/1031756
https://bugzilla.suse.com/1032706
https://bugzilla.suse.com/1033236
https://bugzilla.suse.com/1035062
https://bugzilla.suse.com/1036659
https://bugzilla.suse.com/1038132
https://bugzilla.suse.com/1038444
https://bugzilla.suse.com/1038984
https://bugzilla.suse.com/1042392
https://bugzilla.suse.com/1043218
https://bugzilla.suse.com/1043333
https://bugzilla.suse.com/1044095
https://bugzilla.suse.com/1044107
https://bugzilla.suse.com/1044175
https://bugzilla.suse.com/1044840
https://bugzilla.suse.com/1045384
https://bugzilla.suse.com/1045735
https://bugzilla.suse.com/1045987
https://bugzilla.suse.com/1046268
https://bugzilla.suse.com/1046417
https://bugzilla.suse.com/1046659
https://bugzilla.suse.com/1046853
https://bugzilla.suse.com/1046858
https://bugzilla.suse.com/1047008
https://bugzilla.suse.com/1047236
https://bugzilla.suse.com/1047240
https://bugzilla.suse.com/1047310
https://bugzilla.suse.com/1047379
https://bugzilla.suse.com/1047785
https://bugzilla.suse.com/1047964
https://bugzilla.suse.com/1047965
https://bugzilla.suse.com/1048315
https://bugzilla.suse.com/1048483
https://bugzilla.suse.com/1048605
https://bugzilla.suse.com/1048679
https://bugzilla.suse.com/1048715
https://bugzilla.suse.com/1049344
https://bugzilla.suse.com/1050396
https://bugzilla.suse.com/1050484
https://bugzilla.suse.com/1051626
https://bugzilla.suse.com/1051643
https://bugzilla.suse.com/1051644
https://bugzilla.suse.com/1052030
https://bugzilla.suse.com/1052759
https://bugzilla.suse.com/1053409
https://bugzilla.suse.com/874665
https://bugzilla.suse.com/902364
https://bugzilla.suse.com/938657
https://bugzilla.suse.com/944903
https://bugzilla.suse.com/954661
https://bugzilla.suse.com/960820
https://bugzilla.suse.com/963041
—
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org