openSUSE Security Update: Security update for python-Pygments
______________________________________________________________________________
Announcement ID: openSUSE-SU-2021:1402-1
Rating: important
References: #1183169
Cross-References: CVE-2021-20270
CVSS scores:
CVE-2021-20270 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2021-20270 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
openSUSE Leap 15.2
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for python-Pygments fixes the following issues:
- CVE-2021-20270: Fixed an infinite loop in the SML lexer (bsc#1183169).
This update was imported from the SUSE:SLE-15-SP1:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.2:
zypper in -t patch openSUSE-2021-1402=1
Package List:
- openSUSE Leap 15.2 (noarch):
python3-Pygments-2.6.1-lp152.5.9.1
References:
https://www.suse.com/security/cve/CVE-2021-20270.html
https://bugzilla.suse.com/1183169
openSUSE Security Update: Security update for go1.16
______________________________________________________________________________
Announcement ID: openSUSE-SU-2021:1420-1
Rating: moderate
References: #1182345 #1191468
Cross-References: CVE-2021-38297
CVSS scores:
CVE-2021-38297 (SUSE): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Affected Products:
openSUSE Leap 15.2
______________________________________________________________________________
An update that solves one vulnerability and has one errata
is now available.
Description:
This update for go1.16 fixes the following issues:
Update to go1.16.9
- CVE-2021-38297: misc/wasm, cmd/link: do not let command line args
overwrite global data (bsc#1191468)
This update was imported from the SUSE:SLE-15:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.2:
zypper in -t patch openSUSE-2021-1420=1
Package List:
- openSUSE Leap 15.2 (x86_64):
go1.16-1.16.9-lp152.14.1
go1.16-doc-1.16.9-lp152.14.1
go1.16-race-1.16.9-lp152.14.1
References:
https://www.suse.com/security/cve/CVE-2021-38297.html
https://bugzilla.suse.com/1182345
https://bugzilla.suse.com/1191468
openSUSE Security Update: Security update for krb5
______________________________________________________________________________
Announcement ID: openSUSE-SU-2021:1411-1
Rating: moderate
References: #1189929
Cross-References: CVE-2021-37750
CVSS scores:
CVE-2021-37750 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Affected Products:
openSUSE Leap 15.2
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for krb5 fixes the following issues:
- CVE-2021-37750: Fixed KDC null pointer dereference via a FAST inner body
that lacks a server field (bsc#1189929).
This update was imported from the SUSE:SLE-15-SP1:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.2:
zypper in -t patch openSUSE-2021-1411=1
Package List:
- openSUSE Leap 15.2 (i586 x86_64):
krb5-1.16.3-lp152.5.22.1
krb5-client-1.16.3-lp152.5.22.1
krb5-client-debuginfo-1.16.3-lp152.5.22.1
krb5-debuginfo-1.16.3-lp152.5.22.1
krb5-debugsource-1.16.3-lp152.5.22.1
krb5-devel-1.16.3-lp152.5.22.1
krb5-mini-1.16.3-lp152.5.22.1
krb5-mini-debuginfo-1.16.3-lp152.5.22.1
krb5-mini-debugsource-1.16.3-lp152.5.22.1
krb5-mini-devel-1.16.3-lp152.5.22.1
krb5-plugin-kdb-ldap-1.16.3-lp152.5.22.1
krb5-plugin-kdb-ldap-debuginfo-1.16.3-lp152.5.22.1
krb5-plugin-preauth-otp-1.16.3-lp152.5.22.1
krb5-plugin-preauth-otp-debuginfo-1.16.3-lp152.5.22.1
krb5-plugin-preauth-pkinit-1.16.3-lp152.5.22.1
krb5-plugin-preauth-pkinit-debuginfo-1.16.3-lp152.5.22.1
krb5-server-1.16.3-lp152.5.22.1
krb5-server-debuginfo-1.16.3-lp152.5.22.1
- openSUSE Leap 15.2 (x86_64):
krb5-32bit-1.16.3-lp152.5.22.1
krb5-32bit-debuginfo-1.16.3-lp152.5.22.1
krb5-devel-32bit-1.16.3-lp152.5.22.1
References:
https://www.suse.com/security/cve/CVE-2021-37750.html
https://bugzilla.suse.com/1189929
openSUSE Security Update: Security update for xstream
______________________________________________________________________________
Announcement ID: openSUSE-SU-2021:1401-1
Rating: important
References: #1189798
Cross-References: CVE-2021-39139 CVE-2021-39140 CVE-2021-39141
CVE-2021-39144 CVE-2021-39145 CVE-2021-39146
CVE-2021-39147 CVE-2021-39148 CVE-2021-39149
CVE-2021-39150 CVE-2021-39151 CVE-2021-39152
CVE-2021-39153 CVE-2021-39154
CVSS scores:
CVE-2021-39139 (NVD) : 8.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CVE-2021-39139 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-39140 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2021-39141 (NVD) : 8.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CVE-2021-39141 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-39144 (NVD) : 8.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CVE-2021-39144 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-39145 (NVD) : 8.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CVE-2021-39145 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-39146 (NVD) : 8.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CVE-2021-39146 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-39147 (NVD) : 8.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CVE-2021-39147 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-39148 (NVD) : 8.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CVE-2021-39148 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-39149 (NVD) : 8.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CVE-2021-39149 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-39150 (NVD) : 8.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CVE-2021-39150 (SUSE): 5.3 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
CVE-2021-39151 (NVD) : 8.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CVE-2021-39151 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-39152 (NVD) : 8.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CVE-2021-39152 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2021-39153 (NVD) : 8.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CVE-2021-39153 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-39154 (NVD) : 8.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CVE-2021-39154 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:
openSUSE Leap 15.2
______________________________________________________________________________
An update that fixes 14 vulnerabilities is now available.
Description:
This update for xstream fixes the following issues:
- Upgrade to 1.4.18
- CVE-2021-39139: Fixed an issue that allowed an attacker to achieve
arbitrary code execution by manipulating the processed input stream with
type information. (bsc#1189798)
- CVE-2021-39140: Fixed an issue that allowed an attacker to execute a DoS
attack by manipulating the processed input stream. (bsc#1189798)
- CVE-2021-39141: Fixed an issue that allowed an attacker to achieve
arbitrary code execution. (bsc#1189798)
- CVE-2021-39144: Fixed an issue that allowed an attacker to achieve
arbitrary code execution. (bsc#1189798)
- CVE-2021-39145: Fixed an issue that allowed an attacker to achieve
arbitrary code execution. (bsc#1189798)
- CVE-2021-39146: Fixed an issue that allowed an attacker to achieve
arbitrary code execution. (bsc#1189798)
- CVE-2021-39147: Fixed an issue that allowed an attacker to achieve
arbitrary code execution. (bsc#1189798)
- CVE-2021-39148: Fixed an issue that allowed an attacker to achieve
arbitrary code execution. (bsc#1189798)
- CVE-2021-39149: Fixed an issue that allowed an attacker to achieve
arbitrary code execution. (bsc#1189798)
- CVE-2021-39150: Fixed an issue that allowed an attacker to access
protected resources hosted within the intranet or in the host itself.
(bsc#1189798)
- CVE-2021-39151: Fixed an issue that allowed an attacker to achieve
arbitrary code execution. (bsc#1189798)
- CVE-2021-39152: Fixed an issue that allowed an attacker to access
protected resources hosted within the intranet or in the host itself.
(bsc#1189798)
- CVE-2021-39153: Fixed an issue that allowed an attacker to achieve
arbitrary code execution. (bsc#1189798)
- CVE-2021-39154: Fixed an issue that allowed an attacker to achieve
arbitrary code execution. (bsc#1189798)
This update was imported from the SUSE:SLE-15-SP2:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.2:
zypper in -t patch openSUSE-2021-1401=1
Package List:
- openSUSE Leap 15.2 (noarch):
xstream-1.4.18-lp152.2.12.1
xstream-benchmark-1.4.18-lp152.2.12.1
xstream-javadoc-1.4.18-lp152.2.12.1
xstream-parent-1.4.18-lp152.2.12.1
References:
https://www.suse.com/security/cve/CVE-2021-39139.html
https://www.suse.com/security/cve/CVE-2021-39140.html
https://www.suse.com/security/cve/CVE-2021-39141.html
https://www.suse.com/security/cve/CVE-2021-39144.html
https://www.suse.com/security/cve/CVE-2021-39145.html
https://www.suse.com/security/cve/CVE-2021-39146.html
https://www.suse.com/security/cve/CVE-2021-39147.html
https://www.suse.com/security/cve/CVE-2021-39148.html
https://www.suse.com/security/cve/CVE-2021-39149.html
https://www.suse.com/security/cve/CVE-2021-39150.html
https://www.suse.com/security/cve/CVE-2021-39151.html
https://www.suse.com/security/cve/CVE-2021-39152.html
https://www.suse.com/security/cve/CVE-2021-39153.html
https://www.suse.com/security/cve/CVE-2021-39154.html
https://bugzilla.suse.com/1189798
openSUSE Security Update: Security update for strongswan
______________________________________________________________________________
Announcement ID: openSUSE-SU-2021:1399-1
Rating: important
References: #1191367 #1191435 SLE-20151
Cross-References: CVE-2021-41990 CVE-2021-41991
CVSS scores:
CVE-2021-41990 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2021-41991 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
openSUSE Leap 15.2
______________________________________________________________________________
An update that fixes two vulnerabilities and contains one feature is now
available.
Description:
This update for strongswan fixes the following issues:
A feature was added:
- Add auth_els plugin to support Marvell FC-SP encryption (jsc#SLE-20151)
Security issues fixed:
- CVE-2021-41991: Fixed an integer overflow when replacing certificates in
cache. (bsc#1191435)
- CVE-2021-41990: Fixed an integer overflow in the gmp plugin.
(bsc#1191367)
This update was imported from the SUSE:SLE-15-SP2:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.2:
zypper in -t patch openSUSE-2021-1399=1
Package List:
- openSUSE Leap 15.2 (noarch):
strongswan-doc-5.8.2-lp152.2.18.1
- openSUSE Leap 15.2 (x86_64):
strongswan-5.8.2-lp152.2.18.1
strongswan-debuginfo-5.8.2-lp152.2.18.1
strongswan-debugsource-5.8.2-lp152.2.18.1
strongswan-hmac-5.8.2-lp152.2.18.1
strongswan-ipsec-5.8.2-lp152.2.18.1
strongswan-ipsec-debuginfo-5.8.2-lp152.2.18.1
strongswan-libs0-5.8.2-lp152.2.18.1
strongswan-libs0-debuginfo-5.8.2-lp152.2.18.1
strongswan-mysql-5.8.2-lp152.2.18.1
strongswan-mysql-debuginfo-5.8.2-lp152.2.18.1
strongswan-nm-5.8.2-lp152.2.18.1
strongswan-nm-debuginfo-5.8.2-lp152.2.18.1
strongswan-sqlite-5.8.2-lp152.2.18.1
strongswan-sqlite-debuginfo-5.8.2-lp152.2.18.1
References:
https://www.suse.com/security/cve/CVE-2021-41990.html
https://www.suse.com/security/cve/CVE-2021-41991.html
https://bugzilla.suse.com/1191367
https://bugzilla.suse.com/1191435
openSUSE Security Update: Security update for dnsmasq
______________________________________________________________________________
Announcement ID: openSUSE-SU-2021:1426-1
Rating: moderate
References: #1173646 #1180914 #1183709 SLE-17936
Cross-References: CVE-2020-14312 CVE-2021-3448
CVSS scores:
CVE-2020-14312 (NVD) : 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2020-14312 (SUSE): 4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L
CVE-2021-3448 (NVD) : 4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N
CVE-2021-3448 (SUSE): 4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N
Affected Products:
openSUSE Leap 15.2
______________________________________________________________________________
An update that solves two vulnerabilities, contains one
feature and has one errata is now available.
Description:
This update for dnsmasq fixes the following issues:
Update to version 2.86
- CVE-2021-3448: Fixed the outgoing port used when --server is combined
with an interface name. (bsc#1183709)
- CVE-2020-14312: Set --local-service by default (bsc#1173646).
- Open inotify socket only when used (bsc#1180914).
This update was imported from the SUSE:SLE-15-SP1:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.2:
zypper in -t patch openSUSE-2021-1426=1
Package List:
- openSUSE Leap 15.2 (i586 x86_64):
dnsmasq-2.86-lp152.7.6.1
dnsmasq-debuginfo-2.86-lp152.7.6.1
dnsmasq-debugsource-2.86-lp152.7.6.1
dnsmasq-utils-2.86-lp152.7.6.1
dnsmasq-utils-debuginfo-2.86-lp152.7.6.1
References:
https://www.suse.com/security/cve/CVE-2020-14312.html
https://www.suse.com/security/cve/CVE-2021-3448.html
https://bugzilla.suse.com/1173646
https://bugzilla.suse.com/1180914
https://bugzilla.suse.com/1183709
openSUSE Security Update: Security update for fetchmail
______________________________________________________________________________
Announcement ID: openSUSE-SU-2021:1416-1
Rating: moderate
References: #1190069
Cross-References: CVE-2021-39272
CVSS scores:
CVE-2021-39272 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Products:
openSUSE Leap 15.2
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for fetchmail fixes the following issues:
- CVE-2021-39272: Fixed a failure to enforce STARTTLS session encryption in
some circumstances, such as a certain situation with IMAP and PREAUTH.
(bsc#1190069)
This update was imported from the SUSE:SLE-15:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.2:
zypper in -t patch openSUSE-2021-1416=1
Package List:
- openSUSE Leap 15.2 (x86_64):
fetchmail-6.3.26-lp152.6.9.1
fetchmail-debuginfo-6.3.26-lp152.6.9.1
fetchmail-debugsource-6.3.26-lp152.6.9.1
fetchmailconf-6.3.26-lp152.6.9.1
References:
https://www.suse.com/security/cve/CVE-2021-39272.html
https://bugzilla.suse.com/1190069
openSUSE Security Update: Security update for ncurses
______________________________________________________________________________
Announcement ID: openSUSE-SU-2021:1417-1
Rating: moderate
References: #1190793
Cross-References: CVE-2021-39537
CVSS scores:
CVE-2021-39537 (SUSE): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
openSUSE Leap 15.2
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for ncurses fixes the following issues:
- CVE-2021-39537: Fixed a heap-based buffer overflow in _nc_captoinfo.
(bsc#1190793)
This update was imported from the SUSE:SLE-15:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.2:
zypper in -t patch openSUSE-2021-1417=1
Package List:
- openSUSE Leap 15.2 (i586 x86_64):
libncurses5-6.1-lp152.8.3.1
libncurses5-debuginfo-6.1-lp152.8.3.1
libncurses6-6.1-lp152.8.3.1
libncurses6-debuginfo-6.1-lp152.8.3.1
ncurses-debugsource-6.1-lp152.8.3.1
ncurses-devel-6.1-lp152.8.3.1
ncurses-devel-debuginfo-6.1-lp152.8.3.1
ncurses-utils-6.1-lp152.8.3.1
ncurses-utils-debuginfo-6.1-lp152.8.3.1
ncurses5-devel-6.1-lp152.8.3.1
tack-6.1-lp152.8.3.1
tack-debuginfo-6.1-lp152.8.3.1
terminfo-6.1-lp152.8.3.1
terminfo-base-6.1-lp152.8.3.1
terminfo-iterm-6.1-lp152.8.3.1
terminfo-screen-6.1-lp152.8.3.1
- openSUSE Leap 15.2 (x86_64):
libncurses5-32bit-6.1-lp152.8.3.1
libncurses5-32bit-debuginfo-6.1-lp152.8.3.1
libncurses6-32bit-6.1-lp152.8.3.1
libncurses6-32bit-debuginfo-6.1-lp152.8.3.1
ncurses-devel-32bit-6.1-lp152.8.3.1
ncurses-devel-32bit-debuginfo-6.1-lp152.8.3.1
ncurses5-devel-32bit-6.1-lp152.8.3.1
References:
https://www.suse.com/security/cve/CVE-2021-39537.html
https://bugzilla.suse.com/1190793
openSUSE Security Update: Security update for containerd, docker, runc
______________________________________________________________________________
Announcement ID: openSUSE-SU-2021:1404-1
Rating: important
References: #1102408 #1185405 #1187704 #1188282 #1190826
#1191015 #1191121 #1191334 #1191355 #1191434
Cross-References: CVE-2021-30465 CVE-2021-32760 CVE-2021-41089
CVE-2021-41091 CVE-2021-41092 CVE-2021-41103
CVSS scores:
CVE-2021-30465 (NVD) : 8.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CVE-2021-30465 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-32760 (NVD) : 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
CVE-2021-32760 (SUSE): 3 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:N/A:L
CVE-2021-41089 (NVD) : 2.8 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
CVE-2021-41089 (SUSE): 3.6 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
CVE-2021-41091 (NVD) : 6.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
CVE-2021-41091 (SUSE): 6.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
CVE-2021-41092 (NVD) : 5.4 CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N
CVE-2021-41092 (SUSE): 5.4 CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N
CVE-2021-41103 (SUSE): 5.9 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Affected Products:
openSUSE Leap 15.2
______________________________________________________________________________
An update that solves 6 vulnerabilities and has four fixes
is now available.
Description:
This update for containerd, docker, runc fixes the following issues:
Docker was updated to 20.10.9-ce (bsc#1191355), which addresses
CVE-2021-41092, CVE-2021-41089, CVE-2021-41091 and CVE-2021-41103.
See the upstream changelog in the packaged
/usr/share/doc/packages/docker/CHANGELOG.md.
containerd was updated to v1.4.11 to fix CVE-2021-41103. (bsc#1191355)
- CVE-2021-32760: Fixed an issue where the archive package allowed chmod of
files outside of the unpack target directory (bsc#1188282)
- Install systemd service file as well (bsc#1190826)
Update to runc v1.0.2. Upstream changelog is available from
https://github.com/opencontainers/runc/releases/tag/v1.0.2
* Fixed a failure to set CPU quota period in some cases on cgroup v1.
* Fixed the inability to start a container with the "adding seccomp filter
rule for syscall ..." error, caused by redundant seccomp rules (i.e.
those whose action equals the default one). Such redundant rules
are now skipped.
* Made release builds reproducible from now on.
* Fixed a rare debug log race in runc init, which can result in occasional
harmful "failed to decode ..." errors from runc run or exec.
* Fixed the check in cgroup v1 systemd manager if a container needs to be
frozen before Set, and add a setting to skip such freeze
unconditionally. The previous fix for that issue, done in runc 1.0.1,
was not working.
Update to runc v1.0.1. Upstream changelog is available from
https://github.com/opencontainers/runc/releases/tag/v1.0.1
* Fixed occasional runc exec/run failure ("interrupted system call") on an
Azure volume.
* Fixed "unable to find groups ... token too long" error with /etc/group
containing lines longer than 64K characters.
* cgroup/systemd/v1: fix leaving cgroup frozen after Set if a parent
cgroup is frozen. This is a regression in 1.0.0, not affecting runc
itself but some libcontainer users (e.g. Kubernetes).
* cgroupv2: bpf: Ignore inaccessible existing programs in case of
permission error when handling replacement of existing bpf cgroup
programs. This fixes a regression in 1.0.0, where some SELinux policies
would block runc from being able to run entirely.
* cgroup/systemd/v2: don't freeze cgroup on Set.
* cgroup/systemd/v1: avoid unnecessary freeze on Set.
- Fixed issues with runc under openSUSE MicroOS's SELinux policy. (bsc#1187704)
Update to runc v1.0.0. Upstream changelog is available from
https://github.com/opencontainers/runc/releases/tag/v1.0.0
! The usage of relative paths for mountpoints will now produce a warning
(such configurations are outside of the spec, and in future runc will
produce an error when given such configurations).
* cgroupv2: devices: rework the filter generation to produce consistent
results with cgroupv1, and always clobber any existing eBPF program(s)
to fix runc update and avoid leaking eBPF programs (resulting in errors
when managing containers).
* cgroupv2: correctly convert "number of IOs" statistics in a
cgroupv1-compatible way.
* cgroupv2: support larger than 32-bit IO statistics on 32-bit
architectures.
* cgroupv2: wait for freeze to finish before returning from the freezing
code, optimize the method for checking whether a cgroup is frozen.
* cgroups/systemd: fixed "retry on dbus disconnect" logic introduced in
rc94
* cgroups/systemd: fixed returning "unit already exists" error from a
systemd cgroup manager (regression in rc94)
+ cgroupv2: support SkipDevices with systemd driver
+ cgroup/systemd: return, not ignore, stop unit error from Destroy
+ Make "runc --version" output sane even when built with go get or
otherwise outside of our build scripts.
+ cgroups: set SkipDevices during runc update (so we don't modify cgroups
at all during runc update).
+ cgroup1: blkio: support BFQ weights.
+ cgroupv2: set per-device io weights if BFQ IO scheduler is available.
Update to runc v1.0.0~rc95. Upstream changelog is available from
https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc95
This release of runc contains a fix for CVE-2021-30465, and users are
strongly recommended to update (especially if you are providing
semi-limited access to spawn containers to untrusted users). (bsc#1185405)
Update to runc v1.0.0~rc94. Upstream changelog is available from
https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc94
Breaking Changes:
* cgroupv1: kernel memory limits are now always ignored, as kmemcg has
been effectively deprecated by the kernel. Users should make use of
regular memory cgroup controls.
Regression Fixes:
* seccomp: fix 32-bit compilation errors
* runc init: fix a hang caused by deadlock in seccomp/ebpf loading code
* runc start: fix "chdir to cwd: permission denied" for some setups
This update was imported from the SUSE:SLE-15:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.2:
zypper in -t patch openSUSE-2021-1404=1
Package List:
- openSUSE Leap 15.2 (noarch):
docker-bash-completion-20.10.9_ce-lp152.2.18.1
docker-fish-completion-20.10.9_ce-lp152.2.18.1
docker-zsh-completion-20.10.9_ce-lp152.2.18.1
- openSUSE Leap 15.2 (x86_64):
containerd-1.4.11-lp152.2.12.1
containerd-ctr-1.4.11-lp152.2.12.1
docker-20.10.9_ce-lp152.2.18.1
docker-debuginfo-20.10.9_ce-lp152.2.18.1
runc-1.0.2-lp152.2.9.1
runc-debuginfo-1.0.2-lp152.2.9.1
References:
https://www.suse.com/security/cve/CVE-2021-30465.html
https://www.suse.com/security/cve/CVE-2021-32760.html
https://www.suse.com/security/cve/CVE-2021-41089.html
https://www.suse.com/security/cve/CVE-2021-41091.html
https://www.suse.com/security/cve/CVE-2021-41092.html
https://www.suse.com/security/cve/CVE-2021-41103.html
https://bugzilla.suse.com/1102408
https://bugzilla.suse.com/1185405
https://bugzilla.suse.com/1187704
https://bugzilla.suse.com/1188282
https://bugzilla.suse.com/1190826
https://bugzilla.suse.com/1191015
https://bugzilla.suse.com/1191121
https://bugzilla.suse.com/1191334
https://bugzilla.suse.com/1191355
https://bugzilla.suse.com/1191434