October 2021 - openSUSE Security Announce

openSUSE-SU-2021:1402-1: important: Security update for python-Pygments
by opensuse-security＠opensuse.org 31 Oct '21

31 Oct '21

openSUSE Security Update: Security update for python-Pygments ______________________________________________________________________________ Announcement ID: openSUSE-SU-2021:1402-1 Rating: important References: #1183169 Cross-References: CVE-2021-20270 CVSS scores: CVE-2021-20270 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-20270 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Affected Products: openSUSE Leap 15.2 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for python-Pygments fixes the following issues: - CVE-2021-20270: Fixed an infinite loop in the SML lexer (bsc#1183169). This update was imported from the SUSE:SLE-15-SP1:Update update project. Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.2: zypper in -t patch openSUSE-2021-1402=1 Package List: - openSUSE Leap 15.2 (noarch): python3-Pygments-2.6.1-lp152.5.9.1 References: https://www.suse.com/security/cve/CVE-2021-20270.html https://bugzilla.suse.com/1183169

1 0

openSUSE-SU-2021:1420-1: moderate: Security update for go1.16
by opensuse-security＠opensuse.org 31 Oct '21

31 Oct '21

openSUSE Security Update: Security update for go1.16 ______________________________________________________________________________ Announcement ID: openSUSE-SU-2021:1420-1 Rating: moderate References: #1182345 #1191468 Cross-References: CVE-2021-38297 CVSS scores: CVE-2021-38297 (SUSE): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Affected Products: openSUSE Leap 15.2 ______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. Description: This update for go1.16 fixes the following issues: Update to go1.16.9 - CVE-2021-38297: misc/wasm, cmd/link: do not let command line args overwrite global data (bsc#1191468) This update was imported from the SUSE:SLE-15:Update update project. Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.2: zypper in -t patch openSUSE-2021-1420=1 Package List: - openSUSE Leap 15.2 (x86_64): go1.16-1.16.9-lp152.14.1 go1.16-doc-1.16.9-lp152.14.1 go1.16-race-1.16.9-lp152.14.1 References: https://www.suse.com/security/cve/CVE-2021-38297.html https://bugzilla.suse.com/1182345 https://bugzilla.suse.com/1191468

1 0

openSUSE-SU-2021:1411-1: moderate: Security update for krb5
by opensuse-security＠opensuse.org 31 Oct '21

31 Oct '21

openSUSE Security Update: Security update for krb5 ______________________________________________________________________________ Announcement ID: openSUSE-SU-2021:1411-1 Rating: moderate References: #1189929 Cross-References: CVE-2021-37750 CVSS scores: CVE-2021-37750 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Affected Products: openSUSE Leap 15.2 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for krb5 fixes the following issues: - CVE-2021-37750: Fixed KDC null pointer dereference via a FAST inner body that lacks a server field (bsc#1189929). This update was imported from the SUSE:SLE-15-SP1:Update update project. Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.2: zypper in -t patch openSUSE-2021-1411=1 Package List: - openSUSE Leap 15.2 (i586 x86_64): krb5-1.16.3-lp152.5.22.1 krb5-client-1.16.3-lp152.5.22.1 krb5-client-debuginfo-1.16.3-lp152.5.22.1 krb5-debuginfo-1.16.3-lp152.5.22.1 krb5-debugsource-1.16.3-lp152.5.22.1 krb5-devel-1.16.3-lp152.5.22.1 krb5-mini-1.16.3-lp152.5.22.1 krb5-mini-debuginfo-1.16.3-lp152.5.22.1 krb5-mini-debugsource-1.16.3-lp152.5.22.1 krb5-mini-devel-1.16.3-lp152.5.22.1 krb5-plugin-kdb-ldap-1.16.3-lp152.5.22.1 krb5-plugin-kdb-ldap-debuginfo-1.16.3-lp152.5.22.1 krb5-plugin-preauth-otp-1.16.3-lp152.5.22.1 krb5-plugin-preauth-otp-debuginfo-1.16.3-lp152.5.22.1 krb5-plugin-preauth-pkinit-1.16.3-lp152.5.22.1 krb5-plugin-preauth-pkinit-debuginfo-1.16.3-lp152.5.22.1 krb5-server-1.16.3-lp152.5.22.1 krb5-server-debuginfo-1.16.3-lp152.5.22.1 - openSUSE Leap 15.2 (x86_64): krb5-32bit-1.16.3-lp152.5.22.1 krb5-32bit-debuginfo-1.16.3-lp152.5.22.1 krb5-devel-32bit-1.16.3-lp152.5.22.1 References: https://www.suse.com/security/cve/CVE-2021-37750.html https://bugzilla.suse.com/1189929

1 0

openSUSE-SU-2021:1401-1: important: Security update for xstream
by opensuse-security＠opensuse.org 31 Oct '21

31 Oct '21

openSUSE Security Update: Security update for xstream ______________________________________________________________________________ Announcement ID: openSUSE-SU-2021:1401-1 Rating: important References: #1189798 Cross-References: CVE-2021-39139 CVE-2021-39140 CVE-2021-39141 CVE-2021-39144 CVE-2021-39145 CVE-2021-39146 CVE-2021-39147 CVE-2021-39148 CVE-2021-39149 CVE-2021-39150 CVE-2021-39151 CVE-2021-39152 CVE-2021-39153 CVE-2021-39154 CVSS scores: CVE-2021-39139 (NVD) : 8.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H CVE-2021-39139 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-39140 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-39141 (NVD) : 8.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H CVE-2021-39141 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-39144 (NVD) : 8.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H CVE-2021-39144 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-39145 (NVD) : 8.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H CVE-2021-39145 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-39146 (NVD) : 8.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H CVE-2021-39146 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-39147 (NVD) : 8.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H CVE-2021-39147 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-39148 (NVD) : 8.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H CVE-2021-39148 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-39149 (NVD) : 8.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H CVE-2021-39149 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-39150 (NVD) : 8.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H CVE-2021-39150 (SUSE): 5.3 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2021-39151 (NVD) : 8.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H CVE-2021-39151 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-39152 (NVD) : 8.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H CVE-2021-39152 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2021-39153 (NVD) : 8.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H CVE-2021-39153 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-39154 (NVD) : 8.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H CVE-2021-39154 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Affected Products: openSUSE Leap 15.2 ______________________________________________________________________________ An update that fixes 14 vulnerabilities is now available. Description: This update for xstream fixes the following issues: - Upgrade to 1.4.18 - CVE-2021-39139: Fixed an issue that allowed an attacker to execute arbitrary code execution by manipulating the processed input stream with type information. (bsc#1189798) - CVE-2021-39140: Fixed an issue that allowed an attacker to execute a DoS attack by manipulating the processed input stream. (bsc#1189798) - CVE-2021-39141: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798) - CVE-2021-39144: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798) - CVE-2021-39145: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798) - CVE-2021-39146: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798) - CVE-2021-39147: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798) - CVE-2021-39148: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798) - CVE-2021-39149: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798) - CVE-2021-39150: Fixed an issue that allowed an attacker to access protected resources hosted within the intranet or in the host itself. (bsc#1189798) - CVE-2021-39151: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798) - CVE-2021-39152: Fixed an issue that allowed an attacker to access protected resources hosted within the intranet or in the host itself. (bsc#1189798) - CVE-2021-39153: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798) - CVE-2021-39154: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798) This update was imported from the SUSE:SLE-15-SP2:Update update project. Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.2: zypper in -t patch openSUSE-2021-1401=1 Package List: - openSUSE Leap 15.2 (noarch): xstream-1.4.18-lp152.2.12.1 xstream-benchmark-1.4.18-lp152.2.12.1 xstream-javadoc-1.4.18-lp152.2.12.1 xstream-parent-1.4.18-lp152.2.12.1 References: https://www.suse.com/security/cve/CVE-2021-39139.html https://www.suse.com/security/cve/CVE-2021-39140.html https://www.suse.com/security/cve/CVE-2021-39141.html https://www.suse.com/security/cve/CVE-2021-39144.html https://www.suse.com/security/cve/CVE-2021-39145.html https://www.suse.com/security/cve/CVE-2021-39146.html https://www.suse.com/security/cve/CVE-2021-39147.html https://www.suse.com/security/cve/CVE-2021-39148.html https://www.suse.com/security/cve/CVE-2021-39149.html https://www.suse.com/security/cve/CVE-2021-39150.html https://www.suse.com/security/cve/CVE-2021-39151.html https://www.suse.com/security/cve/CVE-2021-39152.html https://www.suse.com/security/cve/CVE-2021-39153.html https://www.suse.com/security/cve/CVE-2021-39154.html https://bugzilla.suse.com/1189798

1 0

openSUSE-SU-2021:1399-1: important: Security update for strongswan
by opensuse-security＠opensuse.org 31 Oct '21

31 Oct '21

openSUSE Security Update: Security update for strongswan ______________________________________________________________________________ Announcement ID: openSUSE-SU-2021:1399-1 Rating: important References: #1191367 #1191435 SLE-20151 Cross-References: CVE-2021-41990 CVE-2021-41991 CVSS scores: CVE-2021-41990 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-41991 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Affected Products: openSUSE Leap 15.2 ______________________________________________________________________________ An update that fixes two vulnerabilities, contains one feature is now available. Description: This update for strongswan fixes the following issues: A feature was added: - Add auth_els plugin to support Marvell FC-SP encryption (jsc#SLE-20151) Security issues fixed: - CVE-2021-41991: Fixed an integer overflow when replacing certificates in cache. (bsc#1191435) - CVE-2021-41990: Fixed an integer Overflow in the gmp Plugin. (bsc#1191367) This update was imported from the SUSE:SLE-15-SP2:Update update project. Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.2: zypper in -t patch openSUSE-2021-1399=1 Package List: - openSUSE Leap 15.2 (noarch): strongswan-doc-5.8.2-lp152.2.18.1 - openSUSE Leap 15.2 (x86_64): strongswan-5.8.2-lp152.2.18.1 strongswan-debuginfo-5.8.2-lp152.2.18.1 strongswan-debugsource-5.8.2-lp152.2.18.1 strongswan-hmac-5.8.2-lp152.2.18.1 strongswan-ipsec-5.8.2-lp152.2.18.1 strongswan-ipsec-debuginfo-5.8.2-lp152.2.18.1 strongswan-libs0-5.8.2-lp152.2.18.1 strongswan-libs0-debuginfo-5.8.2-lp152.2.18.1 strongswan-mysql-5.8.2-lp152.2.18.1 strongswan-mysql-debuginfo-5.8.2-lp152.2.18.1 strongswan-nm-5.8.2-lp152.2.18.1 strongswan-nm-debuginfo-5.8.2-lp152.2.18.1 strongswan-sqlite-5.8.2-lp152.2.18.1 strongswan-sqlite-debuginfo-5.8.2-lp152.2.18.1 References: https://www.suse.com/security/cve/CVE-2021-41990.html https://www.suse.com/security/cve/CVE-2021-41991.html https://bugzilla.suse.com/1191367 https://bugzilla.suse.com/1191435

1 0

openSUSE-SU-2021:1426-1: moderate: Security update for dnsmasq
by opensuse-security＠opensuse.org 31 Oct '21

31 Oct '21

openSUSE Security Update: Security update for dnsmasq ______________________________________________________________________________ Announcement ID: openSUSE-SU-2021:1426-1 Rating: moderate References: #1173646 #1180914 #1183709 SLE-17936 Cross-References: CVE-2020-14312 CVE-2021-3448 CVSS scores: CVE-2020-14312 (NVD) : 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2020-14312 (SUSE): 4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L CVE-2021-3448 (NVD) : 4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N CVE-2021-3448 (SUSE): 4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N Affected Products: openSUSE Leap 15.2 ______________________________________________________________________________ An update that solves two vulnerabilities, contains one feature and has one errata is now available. Description: This update for dnsmasq fixes the following issues: Update to version 2.86 - CVE-2021-3448: fixed outgoing port used when --server is used with an interface name. (bsc#1183709) - CVE-2020-14312: Set --local-service by default (bsc#1173646). - Open inotify socket only when used (bsc#1180914). This update was imported from the SUSE:SLE-15-SP1:Update update project. Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.2: zypper in -t patch openSUSE-2021-1426=1 Package List: - openSUSE Leap 15.2 (i586 x86_64): dnsmasq-2.86-lp152.7.6.1 dnsmasq-debuginfo-2.86-lp152.7.6.1 dnsmasq-debugsource-2.86-lp152.7.6.1 dnsmasq-utils-2.86-lp152.7.6.1 dnsmasq-utils-debuginfo-2.86-lp152.7.6.1 References: https://www.suse.com/security/cve/CVE-2020-14312.html https://www.suse.com/security/cve/CVE-2021-3448.html https://bugzilla.suse.com/1173646 https://bugzilla.suse.com/1180914 https://bugzilla.suse.com/1183709

1 0

openSUSE-SU-2021:1416-1: moderate: Security update for fetchmail
by opensuse-security＠opensuse.org 31 Oct '21

31 Oct '21

openSUSE Security Update: Security update for fetchmail ______________________________________________________________________________ Announcement ID: openSUSE-SU-2021:1416-1 Rating: moderate References: #1190069 Cross-References: CVE-2021-39272 CVSS scores: CVE-2021-39272 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Affected Products: openSUSE Leap 15.2 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for fetchmail fixes the following issues: - CVE-2021-39272: Fix failure to enforce STARTTLS session encryption in some circumstances, such as a certain situation with IMAP and PREAUTH. (bsc#1190069) This update was imported from the SUSE:SLE-15:Update update project. Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.2: zypper in -t patch openSUSE-2021-1416=1 Package List: - openSUSE Leap 15.2 (x86_64): fetchmail-6.3.26-lp152.6.9.1 fetchmail-debuginfo-6.3.26-lp152.6.9.1 fetchmail-debugsource-6.3.26-lp152.6.9.1 fetchmailconf-6.3.26-lp152.6.9.1 References: https://www.suse.com/security/cve/CVE-2021-39272.html https://bugzilla.suse.com/1190069

1 0

openSUSE-SU-2021:1417-1: moderate: Security update for ncurses
by opensuse-security＠opensuse.org 31 Oct '21

31 Oct '21

openSUSE Security Update: Security update for ncurses ______________________________________________________________________________ Announcement ID: openSUSE-SU-2021:1417-1 Rating: moderate References: #1190793 Cross-References: CVE-2021-39537 CVSS scores: CVE-2021-39537 (SUSE): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Affected Products: openSUSE Leap 15.2 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for ncurses fixes the following issues: - CVE-2021-39537: Fixed an heap-based buffer overflow in _nc_captoinfo. (bsc#1190793) This update was imported from the SUSE:SLE-15:Update update project. Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.2: zypper in -t patch openSUSE-2021-1417=1 Package List: - openSUSE Leap 15.2 (i586 x86_64): libncurses5-6.1-lp152.8.3.1 libncurses5-debuginfo-6.1-lp152.8.3.1 libncurses6-6.1-lp152.8.3.1 libncurses6-debuginfo-6.1-lp152.8.3.1 ncurses-debugsource-6.1-lp152.8.3.1 ncurses-devel-6.1-lp152.8.3.1 ncurses-devel-debuginfo-6.1-lp152.8.3.1 ncurses-utils-6.1-lp152.8.3.1 ncurses-utils-debuginfo-6.1-lp152.8.3.1 ncurses5-devel-6.1-lp152.8.3.1 tack-6.1-lp152.8.3.1 tack-debuginfo-6.1-lp152.8.3.1 terminfo-6.1-lp152.8.3.1 terminfo-base-6.1-lp152.8.3.1 terminfo-iterm-6.1-lp152.8.3.1 terminfo-screen-6.1-lp152.8.3.1 - openSUSE Leap 15.2 (x86_64): libncurses5-32bit-6.1-lp152.8.3.1 libncurses5-32bit-debuginfo-6.1-lp152.8.3.1 libncurses6-32bit-6.1-lp152.8.3.1 libncurses6-32bit-debuginfo-6.1-lp152.8.3.1 ncurses-devel-32bit-6.1-lp152.8.3.1 ncurses-devel-32bit-debuginfo-6.1-lp152.8.3.1 ncurses5-devel-32bit-6.1-lp152.8.3.1 References: https://www.suse.com/security/cve/CVE-2021-39537.html https://bugzilla.suse.com/1190793

1 0

openSUSE-SU-2021:1404-1: important: Security update for containerd, docker, runc
by opensuse-security＠opensuse.org 31 Oct '21

31 Oct '21

openSUSE Security Update: Security update for containerd, docker, runc ______________________________________________________________________________ Announcement ID: openSUSE-SU-2021:1404-1 Rating: important References: #1102408 #1185405 #1187704 #1188282 #1190826 #1191015 #1191121 #1191334 #1191355 #1191434 Cross-References: CVE-2021-30465 CVE-2021-32760 CVE-2021-41089 CVE-2021-41091 CVE-2021-41092 CVE-2021-41103 CVSS scores: CVE-2021-30465 (NVD) : 8.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H CVE-2021-30465 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-32760 (NVD) : 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L CVE-2021-32760 (SUSE): 3 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:N/A:L CVE-2021-41089 (NVD) : 2.8 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N CVE-2021-41089 (SUSE): 3.6 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N CVE-2021-41091 (NVD) : 6.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L CVE-2021-41091 (SUSE): 6.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L CVE-2021-41092 (NVD) : 5.4 CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N CVE-2021-41092 (SUSE): 5.4 CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N CVE-2021-41103 (SUSE): 5.9 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L Affected Products: openSUSE Leap 15.2 ______________________________________________________________________________ An update that solves 6 vulnerabilities and has four fixes is now available. Description: This update for containerd, docker, runc fixes the following issues: Docker was updated to 20.10.9-ce. (bsc#1191355) See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. CVE-2021-41092 CVE-2021-41089 CVE-2021-41091 CVE-2021-41103 container was updated to v1.4.11, to fix CVE-2021-41103. bsc#1191355 - CVE-2021-32760: Fixed that a archive package allows chmod of file outside of unpack target directory (bsc#1188282) - Install systemd service file as well (bsc#1190826) Update to runc v1.0.2. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.2 * Fixed a failure to set CPU quota period in some cases on cgroup v1. * Fixed the inability to start a container with the "adding seccomp filter rule for syscall ..." error, caused by redundant seccomp rules (i.e. those that has action equal to the default one). Such redundant rules are now skipped. * Made release builds reproducible from now on. * Fixed a rare debug log race in runc init, which can result in occasional harmful "failed to decode ..." errors from runc run or exec. * Fixed the check in cgroup v1 systemd manager if a container needs to be frozen before Set, and add a setting to skip such freeze unconditionally. The previous fix for that issue, done in runc 1.0.1, was not working. Update to runc v1.0.1. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.1 * Fixed occasional runc exec/run failure ("interrupted system call") on an Azure volume. * Fixed "unable to find groups ... token too long" error with /etc/group containing lines longer than 64K characters. * cgroup/systemd/v1: fix leaving cgroup frozen after Set if a parent cgroup is frozen. This is a regression in 1.0.0, not affecting runc itself but some of libcontainer users (e.g Kubernetes). * cgroupv2: bpf: Ignore inaccessible existing programs in case of permission error when handling replacement of existing bpf cgroup programs. This fixes a regression in 1.0.0, where some SELinux policies would block runc from being able to run entirely. * cgroup/systemd/v2: don't freeze cgroup on Set. * cgroup/systemd/v1: avoid unnecessary freeze on Set. - fix issues with runc under openSUSE MicroOS's SELinux policy. bsc#1187704 Update to runc v1.0.0. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.0 ! The usage of relative paths for mountpoints will now produce a warning (such configurations are outside of the spec, and in future runc will produce an error when given such configurations). * cgroupv2: devices: rework the filter generation to produce consistent results with cgroupv1, and always clobber any existing eBPF program(s) to fix runc update and avoid leaking eBPF programs (resulting in errors when managing containers). * cgroupv2: correctly convert "number of IOs" statistics in a cgroupv1-compatible way. * cgroupv2: support larger than 32-bit IO statistics on 32-bit architectures. * cgroupv2: wait for freeze to finish before returning from the freezing code, optimize the method for checking whether a cgroup is frozen. * cgroups/systemd: fixed "retry on dbus disconnect" logic introduced in rc94 * cgroups/systemd: fixed returning "unit already exists" error from a systemd cgroup manager (regression in rc94) + cgroupv2: support SkipDevices with systemd driver + cgroup/systemd: return, not ignore, stop unit error from Destroy + Make "runc --version" output sane even when built with go get or otherwise outside of our build scripts. + cgroups: set SkipDevices during runc update (so we don't modify cgroups at all during runc update). + cgroup1: blkio: support BFQ weights. + cgroupv2: set per-device io weights if BFQ IO scheduler is available. Update to runc v1.0.0~rc95. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc95 This release of runc contains a fix for CVE-2021-30465, and users are strongly recommended to update (especially if you are providing semi-limited access to spawn containers to untrusted users). (bsc#1185405) Update to runc v1.0.0~rc94. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc94 Breaking Changes: * cgroupv1: kernel memory limits are now always ignored, as kmemcg has been effectively deprecated by the kernel. Users should make use of regular memory cgroup controls. Regression Fixes: * seccomp: fix 32-bit compilation errors * runc init: fix a hang caused by deadlock in seccomp/ebpf loading code * runc start: fix "chdir to cwd: permission denied" for some setups This update was imported from the SUSE:SLE-15:Update update project. Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.2: zypper in -t patch openSUSE-2021-1404=1 Package List: - openSUSE Leap 15.2 (noarch): docker-bash-completion-20.10.9_ce-lp152.2.18.1 docker-fish-completion-20.10.9_ce-lp152.2.18.1 docker-zsh-completion-20.10.9_ce-lp152.2.18.1 - openSUSE Leap 15.2 (x86_64): containerd-1.4.11-lp152.2.12.1 containerd-ctr-1.4.11-lp152.2.12.1 docker-20.10.9_ce-lp152.2.18.1 docker-debuginfo-20.10.9_ce-lp152.2.18.1 runc-1.0.2-lp152.2.9.1 runc-debuginfo-1.0.2-lp152.2.9.1 References: https://www.suse.com/security/cve/CVE-2021-30465.html https://www.suse.com/security/cve/CVE-2021-32760.html https://www.suse.com/security/cve/CVE-2021-41089.html https://www.suse.com/security/cve/CVE-2021-41091.html https://www.suse.com/security/cve/CVE-2021-41092.html https://www.suse.com/security/cve/CVE-2021-41103.html https://bugzilla.suse.com/1102408 https://bugzilla.suse.com/1185405 https://bugzilla.suse.com/1187704 https://bugzilla.suse.com/1188282 https://bugzilla.suse.com/1190826 https://bugzilla.suse.com/1191015 https://bugzilla.suse.com/1191121 https://bugzilla.suse.com/1191334 https://bugzilla.suse.com/1191355 https://bugzilla.suse.com/1191434

1 0

openSUSE-SU-2021:1408-1: important: Security update for busybox
by opensuse-security＠opensuse.org 31 Oct '21

31 Oct '21

openSUSE Security Update: Security update for busybox ______________________________________________________________________________ Announcement ID: openSUSE-SU-2021:1408-1 Rating: important References: #1099260 #1099263 #1121426 #1184522 #951562 Cross-References: CVE-2011-5325 CVE-2018-1000500 CVE-2018-1000517 CVE-2018-20679 CVE-2021-28831 CVSS scores: CVE-2011-5325 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2018-1000500 (NVD) : 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2018-1000500 (SUSE): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2018-1000517 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2018-1000517 (SUSE): 5.6 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L CVE-2018-20679 (NVD) : 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2018-20679 (SUSE): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2021-28831 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-28831 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Affected Products: openSUSE Leap 15.2 ______________________________________________________________________________ An update that fixes 5 vulnerabilities is now available. Description: This update for busybox fixes the following issues: - CVE-2021-28831: Fixed invalid free or segmentation fault via malformed gzip data (bsc#1184522). - CVE-2018-20679: Fixed out of bounds read in udhcp (bsc#1121426). - CVE-2018-1000517: Fixed buffer overflow in the retrieve_file_data() (bsc#1099260). - CVE-2011-5325: Fixed a directory traversal related to 'tar' command (bsc#951562). - CVE-2018-1000500: Fixed missing SSL certificate validation related to the 'wget' command (bsc#1099263). This update was imported from the SUSE:SLE-15:Update update project. Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.2: zypper in -t patch openSUSE-2021-1408=1 Package List: - openSUSE Leap 15.2 (i586 x86_64): busybox-1.26.2-lp152.5.3.1 - openSUSE Leap 15.2 (x86_64): busybox-static-1.26.2-lp152.5.3.1 References: https://www.suse.com/security/cve/CVE-2011-5325.html https://www.suse.com/security/cve/CVE-2018-1000500.html https://www.suse.com/security/cve/CVE-2018-1000517.html https://www.suse.com/security/cve/CVE-2018-20679.html https://www.suse.com/security/cve/CVE-2021-28831.html https://bugzilla.suse.com/1099260 https://bugzilla.suse.com/1099263 https://bugzilla.suse.com/1121426 https://bugzilla.suse.com/1184522 https://bugzilla.suse.com/951562

1 0