SUSE Security Update: Security update for CaaS Platform 1.0 images ______________________________________________________________________________ Announcement ID: SUSE-SU-2017:2470-1 Rating: important References: #1004995 #1009745 #1014471 #1017420 #1019637 #1026825 #1027079 #1027688 #1027908 #1028281 #1028723 #1029523 #1031756 #1032706 #1033236 #1035062 #1036659 #1038132 #1038444 #1038984 #1042392 #1043218 #1043333 #1044095 #1044107 #1044175 #1044840 #1045384 #1045735 #1045987 #1046268 #1046417 #1046659 #1046853 #1046858 #1047008 #1047236 #1047240 #1047310 #1047379 #1047785 #1047964 #1047965 #1048315 #1048483 #1048605 #1048679 #1048715 #1049344 #1050396 #1050484 #1051626 #1051643 #1051644 #1052030 #1052759 #1053409 #874665 #902364 #938657 #944903 #954661 #960820 #963041 Cross-References: CVE-2013-7459 CVE-2016-9063 CVE-2017-1000100 CVE-2017-1000101 CVE-2017-10684 CVE-2017-10685 CVE-2017-11112 CVE-2017-11113 CVE-2017-3308 CVE-2017-3309 CVE-2017-3453 CVE-2017-3456 CVE-2017-3464 CVE-2017-7435 CVE-2017-7436 CVE-2017-8872 CVE-2017-9233 CVE-2017-9269 Affected Products: SUSE Container as a Service Platform ALL ______________________________________________________________________________ An update that solves 18 vulnerabilities and has 46 fixes is now available. Description: The Docker images provided with SUSE CaaS Platform 1.0 have been updated to include the following updates: libzypp: - CVE-2017-7435, CVE-2017-7436, CVE-2017-9269: Fix GPG check workflows, mainly for unsigned repositories and packages. (bsc#1045735, bsc#1038984) - Fix gpg-pubkey release (creation time) computation. (bsc#1036659) - Update lsof blacklist. (bsc#1046417) - Re-probe on refresh if the repository type changes. (bsc#1048315) - Propagate proper error code to DownloadProgressReport. (bsc#1047785) - Allow to trigger an appdata refresh unconditionally. (bsc#1009745) - Support custom repo variables defined in /etc/zypp/vars.d. - Adapt loop mounting of ISO images. (bsc#1038132, bsc#1033236) - Fix potential crash if repository has no baseurl. (bsc#1043218) zypper: - CVE-2017-7436: Adapt download callback to report and handle unsigned packages. (bsc#1038984) - Report missing/optional files as 'not found' rather than 'error'. (bsc#1047785) - Document support for custom repository variables defined in /etc/zypp/vars.d. - Emphasize that it depends on how fast PackageKit will respond to a 'quit' request sent if PK blocks package management. libgcrypt: - Fix infinite loop in gnome-keyring-daemon caused by attempt to read from random device left open by libgcrypt. (bsc#1043333) - Avoid seeding the DRBG during FIPS power-up selftests. (bsc#1046659) - Fix a bug in gcry_drbg_healthcheck_sanity() which caused skipping some of the tests. (bsc#1046659) - dlsym returns PLT address on s390x, dlopen libgcrypt20.so before calling dlsym. (bsc#1047008) lua51: - Add Lua(API) and Lua(devel) symbols to fix building of lua51-luasocket. (bsc#1051626) cyrus-sasl: - Fix unknown authentication mechanism: kerberos5 (bsc#1026825) - Really use SASLAUTHD_PARAMS variable (bsc#938657) - Make sure /usr/sbin/rcsaslauthd exists - Add /usr/sbin/rcsaslauthd symbolic link to /usr/sbin/service (bsc#1014471) - Silence "GSSAPI client step 1" debug log message (bsc#1044840) libxml2: - CVE-2017-8872: Out-of-bounds read in htmlParseTryOrFinish. (bsc#1038444) curl: - CVE-2017-1000100: TFP sends more than buffer size and it could lead to a denial of service. (bsc#1051644) - CVE-2017-1000101: URL globbing out of bounds read could lead to a denial of service. (bsc#1051643) ncurses: - CVE-2017-11112: Illegal address access in append_acs. (bsc#1047964) - CVE-2017-11113: Dereferencing NULL pointer in _nc_parse_entry. (bsc#1047965) - CVE-2017-10684, CVE-2017-10685: Add modified upstream fix from ncurses 6.0 to avoid broken termcap format (bsc#1046853, bsc#1046858, bsc#1049344) sed: - Don't terminate with a segmentation fault if close of last file descriptor fails. (bsc#954661) openssl: - Remove DES-CBC3-SHA based ciphers from DEFAULT_SUSE to address SWEET32 problem. (bsc#1027908) - Use getrandom syscall instead of reading from /dev/urandom to get at least 128 bits of entropy to comply with FIPS 140.2 IG 7.14. (bsc#1027079 bsc#1044175) - Fix x86 extended feature detection (bsc#1029523) - Allow runtime switching of s390x capabilities via the "OPENSSL_s390xcap" environmental variable. (bsc#1028723) - Add back certificate initialization set_cert_key_stuff() which was removed in a previous update. (bsc#1028281) - Fix a bug in XTS key handling. (bsc#1019637) - Don't run FIPS power-up self-tests when the checksum files aren't installed. (bsc#1042392) procps: - Don't set buffering on invalid file descriptor. (bsc#1053409) expat: - CVE-2016-9063: Possible integer overflow to fix inside XML_Parse leading to unexpected behaviour. (bsc#1047240) - CVE-2017-9233: External Entity Vulnerability could lead to denial of service. (bsc#1047236) systemd: - Revert fix for bsc#1004995 which could have caused boot failure on LVM (bsc#1048605) - compat-rules: drop the bogus 'import everything' rule (bsc#1046268) - core: use an AF_UNIX/SOCK_DGRAM socket for cgroup agent notification (bsc#1045384 bsc#1047379) - udev/path_id: introduce support for NVMe devices (bsc#1045987) - compat-rules: Don't rely on ID_SERIAL when generating 'by-id' links for NVMe devices. (bsc#1048679) - fstab-generator: Handle NFS "bg" mounts correctly. (bsc#874665, fate#323464) - timesyncd: Don't use compiled-in list if FallbackNTP has been configured explicitly. insserv-compat: - Add /etc/init.d hierarchy from former "filesystem" package. (bsc#1035062) - Fix directory argument parsing. (bsc#944903) - Add perl(Getopt::Long) to list of requirements. mariadb: - Update libmysqlclient18 from version 10.0.30 to 10.0.31. python-pycrypto: - CVE-2013-7459: Fixed a potential heap buffer overflow in ALGnew (bsc#1017420). velum: - Fix loopback IP for proxy exception during initial configuration. (bsc#1052759) - Set secure flag in cookie. (bsc#1050484) - Set VERSION to 1.0.0. (bsc#1050396) - Allow kubeconfig download when master is ready. (bsc#1048483) Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Container as a Service Platform ALL: zypper in -t patch SUSE-CAASP-ALL-2017-1531=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Container as a Service Platform ALL (x86_64): container-feeder-0.0.0+20170901.git_r55_17ecbd3-2.3.3 sles12-mariadb-docker-image-1.1.0-2.3.10 sles12-pause-docker-image-1.1.0-2.3.11 sles12-pv-recycler-node-docker-image-1.1.0-2.3.10 sles12-salt-api-docker-image-1.1.0-2.3.9 sles12-salt-master-docker-image-1.1.0-4.3.10 sles12-salt-minion-docker-image-1.1.0-2.3.8 sles12-velum-docker-image-1.1.0-4.3.9 - SUSE Container as a Service Platform ALL (noarch): caasp-container-manifests-0.0.0+git_r155_93e40ab-2.3.3 References: https://www.suse.com/security/cve/CVE-2013-7459.html https://www.suse.com/security/cve/CVE-2016-9063.html https://www.suse.com/security/cve/CVE-2017-1000100.html https://www.suse.com/security/cve/CVE-2017-1000101.html https://www.suse.com/security/cve/CVE-2017-10684.html https://www.suse.com/security/cve/CVE-2017-10685.html https://www.suse.com/security/cve/CVE-2017-11112.html https://www.suse.com/security/cve/CVE-2017-11113.html https://www.suse.com/security/cve/CVE-2017-3308.html https://www.suse.com/security/cve/CVE-2017-3309.html https://www.suse.com/security/cve/CVE-2017-3453.html https://www.suse.com/security/cve/CVE-2017-3456.html https://www.suse.com/security/cve/CVE-2017-3464.html https://www.suse.com/security/cve/CVE-2017-7435.html https://www.suse.com/security/cve/CVE-2017-7436.html https://www.suse.com/security/cve/CVE-2017-8872.html https://www.suse.com/security/cve/CVE-2017-9233.html https://www.suse.com/security/cve/CVE-2017-9269.html https://bugzilla.suse.com/1004995 https://bugzilla.suse.com/1009745 https://bugzilla.suse.com/1014471 https://bugzilla.suse.com/1017420 https://bugzilla.suse.com/1019637 https://bugzilla.suse.com/1026825 https://bugzilla.suse.com/1027079 https://bugzilla.suse.com/1027688 https://bugzilla.suse.com/1027908 https://bugzilla.suse.com/1028281 https://bugzilla.suse.com/1028723 https://bugzilla.suse.com/1029523 https://bugzilla.suse.com/1031756 https://bugzilla.suse.com/1032706 https://bugzilla.suse.com/1033236 https://bugzilla.suse.com/1035062 https://bugzilla.suse.com/1036659 https://bugzilla.suse.com/1038132 https://bugzilla.suse.com/1038444 https://bugzilla.suse.com/1038984 https://bugzilla.suse.com/1042392 https://bugzilla.suse.com/1043218 https://bugzilla.suse.com/1043333 https://bugzilla.suse.com/1044095 https://bugzilla.suse.com/1044107 https://bugzilla.suse.com/1044175 https://bugzilla.suse.com/1044840 https://bugzilla.suse.com/1045384 https://bugzilla.suse.com/1045735 https://bugzilla.suse.com/1045987 https://bugzilla.suse.com/1046268 https://bugzilla.suse.com/1046417 https://bugzilla.suse.com/1046659 https://bugzilla.suse.com/1046853 https://bugzilla.suse.com/1046858 https://bugzilla.suse.com/1047008 https://bugzilla.suse.com/1047236 https://bugzilla.suse.com/1047240 https://bugzilla.suse.com/1047310 https://bugzilla.suse.com/1047379 https://bugzilla.suse.com/1047785 https://bugzilla.suse.com/1047964 https://bugzilla.suse.com/1047965 https://bugzilla.suse.com/1048315 https://bugzilla.suse.com/1048483 https://bugzilla.suse.com/1048605 https://bugzilla.suse.com/1048679 https://bugzilla.suse.com/1048715 https://bugzilla.suse.com/1049344 https://bugzilla.suse.com/1050396 https://bugzilla.suse.com/1050484 https://bugzilla.suse.com/1051626 https://bugzilla.suse.com/1051643 https://bugzilla.suse.com/1051644 https://bugzilla.suse.com/1052030 https://bugzilla.suse.com/1052759 https://bugzilla.suse.com/1053409 https://bugzilla.suse.com/874665 https://bugzilla.suse.com/902364 https://bugzilla.suse.com/938657 https://bugzilla.suse.com/944903 https://bugzilla.suse.com/954661 https://bugzilla.suse.com/960820 https://bugzilla.suse.com/963041 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security-announce+help@opensuse.org