openSUSE Security Announce
SUSE-SU-2022:1666-1: important: Security update for slurm
by opensuse-security@opensuse.org 16 May '22
SUSE Security Update: Security update for slurm
______________________________________________________________________________
Announcement ID: SUSE-SU-2022:1666-1
Rating: important
References: #1199278 #1199279
Cross-References: CVE-2022-29500 CVE-2022-29501
CVSS scores:
CVE-2022-29500 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2022-29500 (SUSE): 9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVE-2022-29501 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2022-29501 (SUSE): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
SUSE Linux Enterprise Module for HPC 15-SP3
SUSE Linux Enterprise Module for HPC 15-SP4
openSUSE Leap 15.3
openSUSE Leap 15.4
______________________________________________________________________________
An update that fixes two vulnerabilities is now available.
Description:
This update for slurm fixes the following issues:
- CVE-2022-29500: Fixed an architectural flaw that could have been exploited
to allow an unprivileged user to execute arbitrary processes as root
(bsc#1199278).
- CVE-2022-29501: Fixed a problem where an unprivileged user could have
sent data to an arbitrary Unix socket as root (bsc#1199279).
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.4:
zypper in -t patch openSUSE-SLE-15.4-2022-1666=1
- openSUSE Leap 15.3:
zypper in -t patch openSUSE-SLE-15.3-2022-1666=1
- SUSE Linux Enterprise Module for HPC 15-SP4:
zypper in -t patch SUSE-SLE-Module-HPC-15-SP4-2022-1666=1
- SUSE Linux Enterprise Module for HPC 15-SP3:
zypper in -t patch SUSE-SLE-Module-HPC-15-SP3-2022-1666=1
Package List:
- openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64):
libnss_slurm2-20.11.9-150300.4.6.1
libnss_slurm2-debuginfo-20.11.9-150300.4.6.1
libpmi0-20.11.9-150300.4.6.1
libpmi0-debuginfo-20.11.9-150300.4.6.1
libslurm36-20.11.9-150300.4.6.1
libslurm36-debuginfo-20.11.9-150300.4.6.1
perl-slurm-20.11.9-150300.4.6.1
perl-slurm-debuginfo-20.11.9-150300.4.6.1
slurm-20.11.9-150300.4.6.1
slurm-auth-none-20.11.9-150300.4.6.1
slurm-auth-none-debuginfo-20.11.9-150300.4.6.1
slurm-config-20.11.9-150300.4.6.1
slurm-config-man-20.11.9-150300.4.6.1
slurm-cray-20.11.9-150300.4.6.1
slurm-cray-debuginfo-20.11.9-150300.4.6.1
slurm-debuginfo-20.11.9-150300.4.6.1
slurm-debugsource-20.11.9-150300.4.6.1
slurm-devel-20.11.9-150300.4.6.1
slurm-doc-20.11.9-150300.4.6.1
slurm-hdf5-20.11.9-150300.4.6.1
slurm-hdf5-debuginfo-20.11.9-150300.4.6.1
slurm-lua-20.11.9-150300.4.6.1
slurm-lua-debuginfo-20.11.9-150300.4.6.1
slurm-munge-20.11.9-150300.4.6.1
slurm-munge-debuginfo-20.11.9-150300.4.6.1
slurm-node-20.11.9-150300.4.6.1
slurm-node-debuginfo-20.11.9-150300.4.6.1
slurm-openlava-20.11.9-150300.4.6.1
slurm-pam_slurm-20.11.9-150300.4.6.1
slurm-pam_slurm-debuginfo-20.11.9-150300.4.6.1
slurm-plugins-20.11.9-150300.4.6.1
slurm-plugins-debuginfo-20.11.9-150300.4.6.1
slurm-rest-20.11.9-150300.4.6.1
slurm-rest-debuginfo-20.11.9-150300.4.6.1
slurm-seff-20.11.9-150300.4.6.1
slurm-sjstat-20.11.9-150300.4.6.1
slurm-slurmdbd-20.11.9-150300.4.6.1
slurm-slurmdbd-debuginfo-20.11.9-150300.4.6.1
slurm-sql-20.11.9-150300.4.6.1
slurm-sql-debuginfo-20.11.9-150300.4.6.1
slurm-sview-20.11.9-150300.4.6.1
slurm-sview-debuginfo-20.11.9-150300.4.6.1
slurm-torque-20.11.9-150300.4.6.1
slurm-torque-debuginfo-20.11.9-150300.4.6.1
slurm-webdoc-20.11.9-150300.4.6.1
- openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):
libnss_slurm2-20.11.9-150300.4.6.1
libnss_slurm2-debuginfo-20.11.9-150300.4.6.1
libpmi0-20.11.9-150300.4.6.1
libpmi0-debuginfo-20.11.9-150300.4.6.1
libslurm36-20.11.9-150300.4.6.1
libslurm36-debuginfo-20.11.9-150300.4.6.1
perl-slurm-20.11.9-150300.4.6.1
perl-slurm-debuginfo-20.11.9-150300.4.6.1
slurm-20.11.9-150300.4.6.1
slurm-auth-none-20.11.9-150300.4.6.1
slurm-auth-none-debuginfo-20.11.9-150300.4.6.1
slurm-config-20.11.9-150300.4.6.1
slurm-config-man-20.11.9-150300.4.6.1
slurm-cray-20.11.9-150300.4.6.1
slurm-cray-debuginfo-20.11.9-150300.4.6.1
slurm-debuginfo-20.11.9-150300.4.6.1
slurm-debugsource-20.11.9-150300.4.6.1
slurm-devel-20.11.9-150300.4.6.1
slurm-doc-20.11.9-150300.4.6.1
slurm-hdf5-20.11.9-150300.4.6.1
slurm-hdf5-debuginfo-20.11.9-150300.4.6.1
slurm-lua-20.11.9-150300.4.6.1
slurm-lua-debuginfo-20.11.9-150300.4.6.1
slurm-munge-20.11.9-150300.4.6.1
slurm-munge-debuginfo-20.11.9-150300.4.6.1
slurm-node-20.11.9-150300.4.6.1
slurm-node-debuginfo-20.11.9-150300.4.6.1
slurm-openlava-20.11.9-150300.4.6.1
slurm-pam_slurm-20.11.9-150300.4.6.1
slurm-pam_slurm-debuginfo-20.11.9-150300.4.6.1
slurm-plugins-20.11.9-150300.4.6.1
slurm-plugins-debuginfo-20.11.9-150300.4.6.1
slurm-rest-20.11.9-150300.4.6.1
slurm-rest-debuginfo-20.11.9-150300.4.6.1
slurm-seff-20.11.9-150300.4.6.1
slurm-sjstat-20.11.9-150300.4.6.1
slurm-slurmdbd-20.11.9-150300.4.6.1
slurm-slurmdbd-debuginfo-20.11.9-150300.4.6.1
slurm-sql-20.11.9-150300.4.6.1
slurm-sql-debuginfo-20.11.9-150300.4.6.1
slurm-sview-20.11.9-150300.4.6.1
slurm-sview-debuginfo-20.11.9-150300.4.6.1
slurm-torque-20.11.9-150300.4.6.1
slurm-torque-debuginfo-20.11.9-150300.4.6.1
slurm-webdoc-20.11.9-150300.4.6.1
- SUSE Linux Enterprise Module for HPC 15-SP4 (aarch64 x86_64):
libnss_slurm2-20.11.9-150300.4.6.1
libnss_slurm2-debuginfo-20.11.9-150300.4.6.1
libpmi0-20.11.9-150300.4.6.1
libpmi0-debuginfo-20.11.9-150300.4.6.1
libslurm36-20.11.9-150300.4.6.1
libslurm36-debuginfo-20.11.9-150300.4.6.1
perl-slurm-20.11.9-150300.4.6.1
perl-slurm-debuginfo-20.11.9-150300.4.6.1
slurm-20.11.9-150300.4.6.1
slurm-auth-none-20.11.9-150300.4.6.1
slurm-auth-none-debuginfo-20.11.9-150300.4.6.1
slurm-config-20.11.9-150300.4.6.1
slurm-config-man-20.11.9-150300.4.6.1
slurm-cray-20.11.9-150300.4.6.1
slurm-cray-debuginfo-20.11.9-150300.4.6.1
slurm-debuginfo-20.11.9-150300.4.6.1
slurm-debugsource-20.11.9-150300.4.6.1
slurm-devel-20.11.9-150300.4.6.1
slurm-doc-20.11.9-150300.4.6.1
slurm-lua-20.11.9-150300.4.6.1
slurm-lua-debuginfo-20.11.9-150300.4.6.1
slurm-munge-20.11.9-150300.4.6.1
slurm-munge-debuginfo-20.11.9-150300.4.6.1
slurm-node-20.11.9-150300.4.6.1
slurm-node-debuginfo-20.11.9-150300.4.6.1
slurm-pam_slurm-20.11.9-150300.4.6.1
slurm-pam_slurm-debuginfo-20.11.9-150300.4.6.1
slurm-plugins-20.11.9-150300.4.6.1
slurm-plugins-debuginfo-20.11.9-150300.4.6.1
slurm-rest-20.11.9-150300.4.6.1
slurm-rest-debuginfo-20.11.9-150300.4.6.1
slurm-slurmdbd-20.11.9-150300.4.6.1
slurm-slurmdbd-debuginfo-20.11.9-150300.4.6.1
slurm-sql-20.11.9-150300.4.6.1
slurm-sql-debuginfo-20.11.9-150300.4.6.1
slurm-sview-20.11.9-150300.4.6.1
slurm-sview-debuginfo-20.11.9-150300.4.6.1
slurm-torque-20.11.9-150300.4.6.1
slurm-torque-debuginfo-20.11.9-150300.4.6.1
slurm-webdoc-20.11.9-150300.4.6.1
- SUSE Linux Enterprise Module for HPC 15-SP3 (aarch64 x86_64):
libnss_slurm2-20.11.9-150300.4.6.1
libnss_slurm2-debuginfo-20.11.9-150300.4.6.1
libpmi0-20.11.9-150300.4.6.1
libpmi0-debuginfo-20.11.9-150300.4.6.1
libslurm36-20.11.9-150300.4.6.1
libslurm36-debuginfo-20.11.9-150300.4.6.1
perl-slurm-20.11.9-150300.4.6.1
perl-slurm-debuginfo-20.11.9-150300.4.6.1
slurm-20.11.9-150300.4.6.1
slurm-auth-none-20.11.9-150300.4.6.1
slurm-auth-none-debuginfo-20.11.9-150300.4.6.1
slurm-config-20.11.9-150300.4.6.1
slurm-config-man-20.11.9-150300.4.6.1
slurm-debuginfo-20.11.9-150300.4.6.1
slurm-debugsource-20.11.9-150300.4.6.1
slurm-devel-20.11.9-150300.4.6.1
slurm-doc-20.11.9-150300.4.6.1
slurm-lua-20.11.9-150300.4.6.1
slurm-lua-debuginfo-20.11.9-150300.4.6.1
slurm-munge-20.11.9-150300.4.6.1
slurm-munge-debuginfo-20.11.9-150300.4.6.1
slurm-node-20.11.9-150300.4.6.1
slurm-node-debuginfo-20.11.9-150300.4.6.1
slurm-pam_slurm-20.11.9-150300.4.6.1
slurm-pam_slurm-debuginfo-20.11.9-150300.4.6.1
slurm-plugins-20.11.9-150300.4.6.1
slurm-plugins-debuginfo-20.11.9-150300.4.6.1
slurm-rest-20.11.9-150300.4.6.1
slurm-rest-debuginfo-20.11.9-150300.4.6.1
slurm-slurmdbd-20.11.9-150300.4.6.1
slurm-slurmdbd-debuginfo-20.11.9-150300.4.6.1
slurm-sql-20.11.9-150300.4.6.1
slurm-sql-debuginfo-20.11.9-150300.4.6.1
slurm-sview-20.11.9-150300.4.6.1
slurm-sview-debuginfo-20.11.9-150300.4.6.1
slurm-torque-20.11.9-150300.4.6.1
slurm-torque-debuginfo-20.11.9-150300.4.6.1
slurm-webdoc-20.11.9-150300.4.6.1
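An added example (not part of the advisory or of SUSE's tooling) that verifies whether the slurm packages listed above are installed at or beyond the fixed version 20.11.9-150300.4.6.1. It re-implements rpm's rpmvercmp() segment ordering (including the '~' and '^' rules) so it runs without librpm, and parses constructed sample lines in the shape of `rpm -qa --qf '%{NAME} %|EPOCH?{%{EPOCH}:}|%{VERSION}-%{RELEASE}\n'`; the package subset in ADVISORY_PACKAGES is an assumption, extend it with the rest of the list as needed.

```python
"""Report slurm packages from SUSE-SU-2022:1666-1 still installed below the fixed version."""
import re

# Fixed version-release from the advisory's package list (no epoch on these packages).
FIXED_SLURM_EVR = "20.11.9-150300.4.6.1"

# Assumed subset of the advisory's binary packages; extend with the full list if needed.
ADVISORY_PACKAGES = (
    "slurm", "slurm-node", "slurm-munge", "slurm-plugins",
    "libslurm36", "libpmi0", "libnss_slurm2", "perl-slurm",
)

_SKIP = re.compile(r"^[^A-Za-z0-9~^]+")   # separators rpm ignores between segments
_DIGITS = re.compile(r"^[0-9]+")
_ALPHA = re.compile(r"^[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two rpm version or release strings; returns -1, 0 or 1 like rpm's rpmvercmp()."""
    if a == b:
        return 0
    one, two = a, b
    while one or two:
        one, two = _SKIP.sub("", one), _SKIP.sub("", two)
        # '~' sorts before anything, even the empty string: 1.0~rc1 < 1.0.
        if one.startswith("~") or two.startswith("~"):
            if not one.startswith("~"):
                return 1
            if not two.startswith("~"):
                return -1
            one, two = one[1:], two[1:]
            continue
        # '^' sorts after the end of a string but before any other character:
        # 1.0^post > 1.0, yet 1.0^post < 1.0.1.
        if one.startswith("^") or two.startswith("^"):
            if not one:
                return -1
            if not two:
                return 1
            if not one.startswith("^"):
                return 1
            if not two.startswith("^"):
                return -1
            one, two = one[1:], two[1:]
            continue
        if not (one and two):
            break
        # Take the next all-digit or all-letter segment from both sides.
        numeric = one[0] in "0123456789"
        pattern = _DIGITS if numeric else _ALPHA
        m1, m2 = pattern.match(one), pattern.match(two)
        seg1 = m1.group(0)
        if m2 is None:
            # Segment types differ: a numeric segment is newer than an alphabetic one.
            return 1 if numeric else -1
        seg2 = m2.group(0)
        if numeric:
            # Numeric segments compare by value: strip leading zeros, longer wins.
            seg1, seg2 = seg1.lstrip("0"), seg2.lstrip("0")
            if len(seg1) != len(seg2):
                return 1 if len(seg1) > len(seg2) else -1
        if seg1 != seg2:
            return 1 if seg1 > seg2 else -1
        one, two = one[len(m1.group(0)):], two[len(m2.group(0)):]
    if not one and not two:
        return 0
    return -1 if not one else 1   # whichever side has characters left is newer


def parse_evr(evr: str):
    """Split '[epoch:]version-release' into (epoch, version, release)."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, _, release = evr.rpartition("-")
    if not version:            # no release part present
        version, release = release, ""
    return epoch, version, release


def compare_evr(a: str, b: str) -> int:
    """Order two EVR strings: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


# Constructed sample of `rpm -qa` output in the format named in the lead-in (not real host data).
SAMPLE_RPM_QA = """\
libslurm36 20.11.9-150300.4.4.1
slurm 20.11.9-150300.4.6.1
slurm-munge 20.11.9-150300.4.6.1
perl-slurm 20.11.8-150300.3.2.1
libnss_slurm2 20.11.9-150300.4.7.2
bash 4.4-150400.25.22
"""


def vulnerable_packages(rpm_qa_output: str, fixed_evr: str = FIXED_SLURM_EVR,
                        names=ADVISORY_PACKAGES) -> list:
    """Return the advisory packages installed at a version older than the fix, sorted by name."""
    found = []
    for line in rpm_qa_output.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        name, evr = parts
        if name in names and compare_evr(evr, fixed_evr) < 0:
            found.append(name)
    return sorted(found)


if __name__ == "__main__":
    for name in vulnerable_packages(SAMPLE_RPM_QA):
        print(f"{name}: older than {FIXED_SLURM_EVR}; apply the advisory's zypper patch for your product")
```

Feed it the real `rpm -qa` output on a node to get the list of packages that still need the patch; an empty list means every listed package is at or beyond the fixed build.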
References:
https://www.suse.com/security/cve/CVE-2022-29500.html
https://www.suse.com/security/cve/CVE-2022-29501.html
https://bugzilla.suse.com/1199278
https://bugzilla.suse.com/1199279
SUSE-SU-2022:1676-1: important: Security update for the Linux Kernel
by opensuse-security@opensuse.org 16 May '22
SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________
Announcement ID: SUSE-SU-2022:1676-1
Rating: important
References: #1028340 #1065729 #1071995 #1121726 #1137728
#1152489 #1177028 #1179878 #1182073 #1183723
#1187055 #1191647 #1193556 #1193842 #1195926
#1196018 #1196114 #1196367 #1196514 #1196639
#1196942 #1197157 #1197391 #1197656 #1197660
#1197914 #1197926 #1198217 #1198330 #1198400
#1198413 #1198437 #1198448 #1198484 #1198515
#1198516 #1198660 #1198742 #1198825 #1199012
#1199024 SLE-13208 SLE-13513 SLE-15172 SLE-15175
SLE-15176 SLE-8449
Cross-References: CVE-2020-27835 CVE-2021-0707 CVE-2021-20292
CVE-2021-20321 CVE-2021-38208 CVE-2021-4154
CVE-2022-0812 CVE-2022-1158 CVE-2022-1280
CVE-2022-1353 CVE-2022-1419 CVE-2022-1516
CVE-2022-28356 CVE-2022-28748 CVE-2022-28893
CVE-2022-29156
CVSS scores:
CVE-2020-27835 (SUSE): 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2021-0707 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2021-0707 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2021-20292 (NVD) : 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2021-20292 (SUSE): 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2021-20321 (NVD) : 4.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE-2021-20321 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE-2021-38208 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE-2021-38208 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE-2021-4154 (NVD) : 8.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVE-2021-4154 (SUSE): 8.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVE-2022-0812 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVE-2022-1158 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2022-1280 (NVD) : 6.3 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H
CVE-2022-1280 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2022-1353 (NVD) : 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
CVE-2022-1353 (SUSE): 6.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
CVE-2022-1419 (SUSE): 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2022-1516 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE-2022-1516 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE-2022-28356 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2022-28356 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE-2022-28748 (SUSE): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
CVE-2022-28893 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2022-28893 (SUSE): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2022-29156 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2022-29156 (SUSE): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Affected Products:
SUSE Linux Enterprise High Performance Computing 15-SP3
SUSE Linux Enterprise Module for Public Cloud 15-SP3
SUSE Linux Enterprise Server 15-SP3
SUSE Linux Enterprise Server for SAP Applications 15-SP3
SUSE Manager Proxy 4.2
SUSE Manager Server 4.2
openSUSE Leap 15.3
______________________________________________________________________________
An update that solves 16 vulnerabilities, contains 6
features and has 25 fixes is now available.
Description:
The SUSE Linux Enterprise 15 SP3 kernel was updated to receive various
security and bug fixes.
The following security bugs were fixed:
- CVE-2020-27835: Fixed a use-after-free vulnerability in the InfiniBand hfi1
driver, triggered when a user calls ioctl after opening the device file and
forking. A local user could use this flaw to crash the system (bnc#1179878).
- CVE-2021-0707: Fixed a use after free vulnerability in dma_buf_release
of dma-buf.c, which may lead to local escalation of privilege with no
additional execution privileges needed (bnc#1198437).
- CVE-2021-20292: Fixed object validation prior to performing operations
on the object in nouveau_sgdma_create_ttm in Nouveau DRM subsystem
(bnc#1183723).
- CVE-2021-20321: Fixed a race condition when accessing a file object in the
OverlayFS subsystem, triggered when a user performs a rename in a specific
way on OverlayFS. A local user could have used this flaw to crash the system
(bnc#1191647).
- CVE-2021-38208: Fixed a denial of service (NULL pointer dereference and
BUG) by making a getsockname call after a certain type of failure of a
bind call (bnc#1187055).
- CVE-2021-4154: Fixed a use-after-free vulnerability in
cgroup1_parse_param in kernel/cgroup/cgroup-v1.c, allowing a local
privilege escalation by an attacker with user privileges by exploiting
the fsconfig syscall parameter, leading to a container breakout and a
denial of service on the system (bnc#1193842).
- CVE-2022-0812: Fixed an information leak when a file is read over RDMA
(bsc#1196639).
- CVE-2022-1158: Fixed a vulnerability in the kvm module that may lead to
a use-after-free write or denial of service (bsc#1197660).
- CVE-2022-1280: Fixed a use-after-free vulnerability in drm_lease_held in
drivers/gpu/drm/drm_lease.c (bnc#1197914).
- CVE-2022-1353: Fixed access control to kernel memory in the
pfkey_register function in net/key/af_key.c (bnc#1198516).
- CVE-2022-1419: Fixed a concurrency use-after-free in
vgem_gem_dumb_create (bsc#1198742).
- CVE-2022-1516: Fixed a NULL pointer dereference caused by x25_disconnect
(bsc#1199012).
- CVE-2022-28356: Fixed a refcount leak bug in net/llc/af_llc.c
(bnc#1197391).
- CVE-2022-28748: Fixed a memory leak over the network by ax88179_178a
devices (bsc#1196018).
- CVE-2022-28893: Fixed a use after free vulnerability in inet_put_port
where some sockets are not closed before xs_xprt_free() (bsc#1198330).
- CVE-2022-29156: Fixed a double free vulnerability related to
rtrs_clt_dev_release (jsc#SLE-15176 bsc#1198515).
The following non-security bugs were fixed:
- ACPI/APEI: Limit printable size of BERT table data (git-fixes).
- ACPI: processor idle: Check for architectural support for LPI
(git-fixes).
- ACPICA: Avoid walking the ACPI Namespace if it is not there (git-fixes).
- ALSA: cs4236: fix an incorrect NULL check on list iterator (git-fixes).
- ALSA: hda/hdmi: fix warning about PCM count when used with SOF
(git-fixes).
- ALSA: hda/realtek: Add alc256-samsung-headphone fixup (git-fixes).
- ALSA: hda/realtek: Add quirk for Clevo PD50PNT (git-fixes).
- ALSA: hda/realtek: Fix audio regression on Mi Notebook Pro 2020
(git-fixes).
- ALSA: pcm: Test for "silence" field in struct "pcm_format_data"
(git-fixes).
- ALSA: usb-audio: Cap upper limits of buffer/period bytes for implicit fb
(git-fixes).
- ALSA: usb-audio: Increase max buffer size (git-fixes).
- ALSA: usb-audio: Limit max buffer and period sizes per time (git-fixes).
- ASoC: atmel: Remove system clock tree configuration for at91sam9g20ek
(git-fixes).
- ASoC: codecs: wcd934x: do not switch off SIDO Buck when codec is in use
(git-fixes).
- ASoC: mediatek: mt6358: add missing EXPORT_SYMBOLs (git-fixes).
- ASoC: msm8916-wcd-digital: Check failure for
devm_snd_soc_register_component (git-fixes).
- ASoC: soc-compress: Change the check for codec_dai (git-fixes).
- ASoC: soc-compress: prevent the potentially use of null pointer
(git-fixes).
- ASoC: soc-core: skip zero num_dai component in searching dai name
(git-fixes).
- ASoC: soc-dapm: fix two incorrect uses of list iterator (git-fixes).
- Bluetooth: Fix use after free in hci_send_acl (git-fixes).
- Bluetooth: btmtksdio: Fix kernel oops in btmtksdio_interrupt (git-fixes).
- Bluetooth: hci_serdev: call init_rwsem() before p->open() (git-fixes).
- Documentation: add link to stable release candidate tree (git-fixes).
- HID: i2c-hid: fix GET/SET_REPORT for unnumbered reports (git-fixes).
- IB/hfi1: Allow larger MTU without AIP (jsc#SLE-13208).
- Input: omap4-keypad - fix pm_runtime_get_sync() error checking
(git-fixes).
- KEYS: fix length validation in keyctl_pkey_params_get_2() (git-fixes).
- NFSv4: fix open failure with O_ACCMODE flag (git-fixes).
- PCI: aardvark: Fix reading PCI_EXP_RTSTA_PME bit on emulated bridge
(git-fixes).
- PCI: aardvark: Fix support for MSI interrupts (git-fixes).
- PCI: imx6: Allow to probe when dw_pcie_wait_for_link() fails (git-fixes).
- PCI: pciehp: Add Qualcomm quirk for Command Completed erratum
(git-fixes).
- PCI: pciehp: Clear cmd_busy bit in polling mode (git-fixes).
- PM: core: keep irq flags in device_pm_check_callbacks() (git-fixes).
- RDMA/core: Set MR type in ib_reg_user_mr (jsc#SLE-8449).
- RDMA/mlx5: Add a missing update of cache->last_add (jsc#SLE-15175).
- RDMA/mlx5: Do not remove cache MRs when a delay is needed
(jsc#SLE-15175).
- RDMA/mlx5: Fix the flow of a miss in the allocation of a cache ODP MR
(jsc#SLE-15175).
- SUNRPC: Ensure we flush any closed sockets before xs_xprt_free()
(git-fixes).
- SUNRPC: Fix the svc_deferred_event trace class (git-fixes).
- SUNRPC: Handle ENOMEM in call_transmit_status() (git-fixes).
- SUNRPC: Handle low memory situations in call_status() (git-fixes).
- SUNRPC: change locking for xs_swap_enable/disable (bsc#1196367).
- USB: serial: pl2303: add IBM device IDs (git-fixes).
- USB: serial: simple: add Nokia phone driver (git-fixes).
- USB: storage: ums-realtek: fix error code in rts51x_read_mem()
(git-fixes).
- USB: usb-storage: Fix use of bitfields for hardware data in ene_ub6250.c
(git-fixes).
- USB: dwc3: omap: fix "unbalanced disables for smps10_out1" on omap5evm
(git-fixes).
- USB: gadget: uvc: Fix crash when encoding data for usb request
(git-fixes).
- adm8211: fix error return code in adm8211_probe() (git-fixes).
- arm64/sve: Use correct size when reinitialising SVE state (git-fixes).
- arm64: clear_page() shouldn't use DC ZVA when DCZID_EL0.DZP == 1
(git-fixes).
- arm64: dts: allwinner: h5: NanoPI Neo 2: Fix ethernet node (git-fixes).
- arm64: dts: allwinner: orangepi-zero-plus: fix PHY mode (git-fixes).
- arm64: dts: exynos: correct GIC CPU interfaces address range on
(git-fixes).
- arm64: dts: ls1028a: fix memory node (git-fixes).
- arm64: dts: ls1028a: fix node name for the sysclk (git-fixes).
- arm64: dts: lx2160a: fix scl-gpios property name (git-fixes).
- arm64: dts: marvell: armada-37xx: Extend PCIe MEM space (git-fixes).
- arm64: dts: marvell: armada-37xx: Fix reg for standard variant of
(git-fixes).
- arm64: dts: marvell: armada-37xx: Remap IO space to bus address 0x0
(git-fixes).
- arm64: dts: rockchip: Fix GPU register width for RK3328 (git-fixes).
- arm64: dts: rockchip: remove mmc-hs400-enhanced-strobe from (git-fixes).
- arm64: dts: zii-ultra: fix 12V_MAIN voltage (git-fixes).
- arm64: head: avoid over-mapping in map_memory (git-fixes).
- ata: libata-core: Disable READ LOG DMA EXT for Samsung 840 EVOs
(git-fixes).
- ata: sata_dwc_460ex: Fix crash due to OOB write (git-fixes).
- ath10k: fix memory overwrite of the WoWLAN wakeup packet pattern
(git-fixes).
- ath5k: fix OOB in ath5k_eeprom_read_pcal_info_5111 (git-fixes).
- ath5k: fix building with LEDS=m (git-fixes).
- ath9k: Fix usage of driver-private space in tx_info (git-fixes).
- ath9k: Properly clear TX status area before reporting to mac80211
(git-fixes).
- ath9k_htc: fix uninit value bugs (git-fixes).
- bareudp: use ipv6_mod_enabled to check if IPv6 enabled (jsc#SLE-15172).
- bfq: Avoid merging queues with different parents (bsc#1197926).
- bfq: Drop pointless unlock-lock pair (bsc#1197926).
- bfq: Get rid of __bio_blkcg() usage (bsc#1197926).
- bfq: Make sure bfqg for which we are queueing requests is online
(bsc#1197926).
- bfq: Remove pointless bfq_init_rq() calls (bsc#1197926).
- bfq: Split shared queues on move between cgroups (bsc#1197926).
- bfq: Track whether bfq_group is still online (bsc#1197926).
- bfq: Update cgroup information before merging bio (bsc#1197926).
- block: Drop leftover references to RQF_SORTED (bsc#1182073).
- bnx2x: fix napi API usage sequence (bsc#1198217).
- bpf: Resolve to prog->aux->dst_prog->type only for BPF_PROG_TYPE_EXT
(git-fixes bsc#1177028).
- brcmfmac: firmware: Allocate space for default boardrev in nvram
(git-fixes).
- brcmfmac: pcie: Fix crashes due to early IRQs (git-fixes).
- brcmfmac: pcie: Release firmwares in the brcmf_pcie_setup error path
(git-fixes).
- brcmfmac: pcie: Replace brcmf_pcie_copy_mem_todev with memcpy_toio
(git-fixes).
- carl9170: fix missing bit-wise or operator for tx_params (git-fixes).
- cfg80211: hold bss_lock while updating nontrans_list (git-fixes).
- cifs: fix bad fids sent over wire (bsc#1197157).
- clk: Enforce that disjoints limits are invalid (git-fixes).
- clk: si5341: fix reported clk_rate when output divider is 2 (git-fixes).
- direct-io: clean up error paths of do_blockdev_direct_IO (bsc#1197656).
- direct-io: defer alignment check until after the EOF check (bsc#1197656).
- direct-io: do not force writeback for reads beyond EOF (bsc#1197656).
- dma-debug: fix return value of __setup handlers (git-fixes).
- dma: at_xdmac: fix a missing check on list iterator (git-fixes).
- dmaengine: Revert "dmaengine: shdma: Fix runtime PM imbalance on error"
(git-fixes).
- dmaengine: idxd: add RO check for wq max_batch_size write (git-fixes).
- dmaengine: idxd: add RO check for wq max_transfer_size write (git-fixes).
- dmaengine: imx-sdma: Fix error checking in sdma_event_remap (git-fixes).
- dmaengine: mediatek: Fix PM usage reference leak of
mtk_uart_apdma_alloc_chan_resources (git-fixes).
- drm/amd/amdgpu/amdgpu_cs: fix refcount leak of a dma_fence obj
(git-fixes).
- drm/amd/display: Fix a NULL pointer dereference in
amdgpu_dm_connector_add_common_modes() (git-fixes).
- drm/amd/display: Fix allocate_mst_payload assert on resume (git-fixes).
- drm/amd/display: do not ignore alpha property on pre-multiplied mode
(git-fixes).
- drm/amd: Add USBC connector ID (git-fixes).
- drm/amdgpu: Fix recursive locking warning (git-fixes).
- drm/amdgpu: fix off by one in amdgpu_gfx_kiq_acquire() (git-fixes).
- drm/amdkfd: Check for potential null return of kmalloc_array()
(git-fixes).
- drm/amdkfd: Fix Incorrect VMIDs passed to HWS (git-fixes).
- drm/amdkfd: make CRAT table missing message informational only
(git-fixes).
- drm/bridge: Add missing pm_runtime_disable() in __dw_mipi_dsi_probe
(git-fixes).
- drm/bridge: Fix free wrong object in sii8620_init_rcp_input_dev
(git-fixes).
- drm/bridge: cdns-dsi: Make sure to create proper aliases for dt
(git-fixes).
- drm/edid: Do not clear formats if using deep color (git-fixes).
- drm/edid: check basic audio support on CEA extension block (git-fixes).
- drm/i915/gem: Flush coherency domains on first set-domain-ioctl
(git-fixes).
- drm/i915: Call i915_globals_exit() if pci_register_device() fails
(git-fixes).
- drm/imx: Fix memory leak in imx_pd_connector_get_modes (git-fixes).
- drm/mediatek: Add AAL output size configuration (git-fixes).
- drm/mediatek: Fix aal size config (git-fixes).
- drm/msm/dsi: Use connector directly in msm_dsi_manager_connector_init()
(git-fixes).
- drm/panel/raspberrypi-touchscreen: Avoid NULL deref if not initialised
(git-fixes).
- drm/panel/raspberrypi-touchscreen: Initialise the bridge in prepare
(git-fixes).
- drm/tegra: Fix reference leak in tegra_dsi_ganged_probe (git-fixes).
- drm/vc4: Use pm_runtime_resume_and_get to fix pm_runtime_get_sync()
usage (git-fixes).
- drm: Add orientation quirk for GPD Win Max (git-fixes).
- drm: add a locked version of drm_is_current_master (bsc#1197914).
- drm: drm_file struct kABI compatibility workaround (bsc#1197914).
- drm: protect drm_master pointers in drm_lease.c (bsc#1197914).
- drm: serialize drm_file.master with a new spinlock (bsc#1197914).
- drm: use the lookup lock in drm_is_current_master (bsc#1197914).
- e1000e: Fix possible overflow in LTR decoding (git-fixes).
- fibmap: Reject negative block numbers (bsc#1198448).
- fibmap: Use bmap instead of ->bmap method in ioctl_fibmap (bsc#1198448).
- firmware: arm_scmi: Fix sorting of retrieved clock rates (git-fixes).
- gpiolib: acpi: use correct format characters (git-fixes).
- gpu: ipu-v3: Fix dev_dbg frequency output (git-fixes).
- hwrng: cavium - HW_RANDOM_CAVIUM should depend on ARCH_THUNDER
(git-fixes).
- i2c: dev: Force case user pointers in compat_i2cdev_ioctl() (git-fixes).
- ipmi: Fix UAF when uninstall ipmi_si and ipmi_msghandler module
(git-fixes).
- ipmi: Move remove_work to dedicated workqueue (git-fixes).
- ipmi: bail out if init_srcu_struct fails (git-fixes).
- iwlwifi: Fix -EIO error code that is never returned (git-fixes).
- iwlwifi: mvm: Fix an error code in iwl_mvm_up() (git-fixes).
- livepatch: Do not block removal of patches that are safe to unload
(bsc#1071995).
- lz4: fix LZ4_decompress_safe_partial read out of bound (git-fixes).
- media: cx88-mpeg: clear interrupt status register before streaming video
(git-fixes).
- media: hdpvr: initialize dev->worker at hdpvr_register_videodev
(git-fixes).
- memory: atmel-ebi: Fix missing of_node_put in atmel_ebi_probe
(git-fixes).
- mfd: asic3: Add missing iounmap() on error asic3_mfd_probe (git-fixes).
- mfd: mc13xxx: Add check for mc13xxx_irq_request (git-fixes).
- mmc: host: Return an error when ->enable_sdio_irq() ops is missing
(git-fixes).
- mmc: mmci: stm32: correctly check all elements of sg list (git-fixes).
- mmc: mmci_sdmmc: Replace sg_dma_xxx macros (git-fixes).
- mmc: renesas_sdhi: do not overwrite TAP settings when HS400 tuning is
complete (git-fixes).
- mtd: onenand: Check for error irq (git-fixes).
- mtd: rawnand: atmel: fix refcount issue in atmel_nand_controller_init
(git-fixes).
- mtd: rawnand: gpmi: fix controller timings setting (git-fixes).
- mwl8k: Fix a double Free in mwl8k_probe_hw (git-fixes).
- net: asix: add proper error handling of usb read errors (git-fixes).
- net: mcs7830: handle usb read errors properly (git-fixes).
- net: usb: aqc111: Fix out-of-bounds accesses in RX fixup (git-fixes).
- nfc: nci: add flush_workqueue to prevent uaf (git-fixes).
- power: reset: gemini-poweroff: Fix IRQ check in gemini_poweroff_probe
(git-fixes).
- power: supply: ab8500: Fix memory leak in ab8500_fg_sysfs_init
(git-fixes).
- power: supply: axp20x_battery: properly report current when discharging
(git-fixes).
- power: supply: axp288-charger: Set Vhold to 4.4V (git-fixes).
- power: supply: bq24190_charger: Fix bq24190_vbus_is_enabled() wrong
false return (git-fixes).
- power: supply: wm8350-power: Add missing free in free_charger_irq
(git-fixes).
- power: supply: wm8350-power: Handle error for wm8350_register_irq
(git-fixes).
- powerpc/perf: Fix power10 event alternatives (jsc#SLE-13513 git-fixes).
- powerpc/perf: Fix power9 event alternatives (bsc#1137728, LTC#178106,
git-fixes).
- ptrace: Check PTRACE_O_SUSPEND_SECCOMP permission on PTRACE_SEIZE
(bsc#1198413).
- random: check for signal_pending() outside of need_resched() check
(git-fixes).
- ray_cs: Check ioremap return value (git-fixes).
- regulator: wm8994: Add an off-on delay for WM8994 variant (git-fixes).
- rtc: check if __rtc_read_time was successful (git-fixes).
- rtc: wm8350: Handle error for wm8350_register_irq (git-fixes).
- scsi: libsas: Fix sas_ata_qc_issue() handling of NCQ NON DATA commands
(git-fixes).
- scsi: mpt3sas: Fix use after free in _scsih_expander_node_remove()
(git-fixes).
- scsi: mpt3sas: Page fault in reply q processing (git-fixes).
- scsi: scsi_dh_alua: Avoid crash during alua_bus_detach() (bsc#1028340
bsc#1198825).
- spi: Fix erroneous sgs value with min_t() (git-fixes).
- spi: Fix invalid sgs value (git-fixes).
- spi: atmel-quadspi: Fix the buswidth adjustment between spi-mem and
controller (git-fixes).
- spi: bcm-qspi: fix MSPI only access with bcm_qspi_exec_mem_op()
(git-fixes).
- spi: mxic: Fix the transmit path (git-fixes).
- spi: tegra20: Use of_device_get_match_data() (git-fixes).
- staging: mt7621-dts: fix LEDs and pinctrl on GB-PC1 devicetree
(git-fixes).
- vgacon: Propagate console boot parameters before calling `vc_resize'
(bsc#1152489)
- video: fbdev: atari: Atari 2 bpp (STe) palette bugfix (git-fixes).
- video: fbdev: cirrusfb: check pixclock to avoid divide by zero
(git-fixes).
- video: fbdev: nvidiafb: Use strscpy() to prevent buffer overflow
(git-fixes).
- video: fbdev: sm712fb: Fix crash in smtcfb_read() (git-fixes).
- video: fbdev: sm712fb: Fix crash in smtcfb_write() (git-fixes).
- video: fbdev: udlfb: properly check endpoint type (bsc#1152489)
- video: fbdev: w100fb: Reset global state (git-fixes).
- virtio_console: break out of buf poll on remove (git-fixes).
- virtio_console: eliminate anonymous module_init & module_exit
(git-fixes).
- w1: w1_therm: fixes w1_seq for ds28ea00 sensors (git-fixes).
- x86/pm: Save the MSR validity status at context setup (bsc#1198400).
- x86/sev: Unroll string mmio with CC_ATTR_GUEST_UNROLL_STRING_IO
(git-fixes).
- x86/speculation: Restore speculation related MSRs during S3 resume
(bsc#1198400).
- xen/blkfront: fix comment for need_copy (git-fixes).
- xen/x86: obtain full video frame buffer address for Dom0 also under EFI
(bsc#1193556).
- xen/x86: obtain upper 32 bits of video frame buffer address for Dom0
(bsc#1193556).
- xen: fix is_xen_pmu() (git-fixes).
- xhci: fix runtime PM imbalance in USB2 resume (git-fixes).
- xhci: fix uninitialized string returned by xhci_decode_ctrl_ctx()
(git-fixes).
Special Instructions and Notes:
Please reboot the system after installing this update.
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.3:
zypper in -t patch openSUSE-SLE-15.3-2022-1676=1
- SUSE Linux Enterprise Module for Public Cloud 15-SP3:
zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP3-2022-1676=1
Package List:
- openSUSE Leap 15.3 (noarch):
kernel-devel-azure-5.3.18-150300.38.56.1
kernel-source-azure-5.3.18-150300.38.56.1
- openSUSE Leap 15.3 (x86_64):
cluster-md-kmp-azure-5.3.18-150300.38.56.1
cluster-md-kmp-azure-debuginfo-5.3.18-150300.38.56.1
dlm-kmp-azure-5.3.18-150300.38.56.1
dlm-kmp-azure-debuginfo-5.3.18-150300.38.56.1
gfs2-kmp-azure-5.3.18-150300.38.56.1
gfs2-kmp-azure-debuginfo-5.3.18-150300.38.56.1
kernel-azure-5.3.18-150300.38.56.1
kernel-azure-debuginfo-5.3.18-150300.38.56.1
kernel-azure-debugsource-5.3.18-150300.38.56.1
kernel-azure-devel-5.3.18-150300.38.56.1
kernel-azure-devel-debuginfo-5.3.18-150300.38.56.1
kernel-azure-extra-5.3.18-150300.38.56.1
kernel-azure-extra-debuginfo-5.3.18-150300.38.56.1
kernel-azure-livepatch-devel-5.3.18-150300.38.56.1
kernel-azure-optional-5.3.18-150300.38.56.1
kernel-azure-optional-debuginfo-5.3.18-150300.38.56.1
kernel-syms-azure-5.3.18-150300.38.56.1
kselftests-kmp-azure-5.3.18-150300.38.56.1
kselftests-kmp-azure-debuginfo-5.3.18-150300.38.56.1
ocfs2-kmp-azure-5.3.18-150300.38.56.1
ocfs2-kmp-azure-debuginfo-5.3.18-150300.38.56.1
reiserfs-kmp-azure-5.3.18-150300.38.56.1
reiserfs-kmp-azure-debuginfo-5.3.18-150300.38.56.1
- SUSE Linux Enterprise Module for Public Cloud 15-SP3 (noarch):
kernel-devel-azure-5.3.18-150300.38.56.1
kernel-source-azure-5.3.18-150300.38.56.1
- SUSE Linux Enterprise Module for Public Cloud 15-SP3 (x86_64):
kernel-azure-5.3.18-150300.38.56.1
kernel-azure-debuginfo-5.3.18-150300.38.56.1
kernel-azure-debugsource-5.3.18-150300.38.56.1
kernel-azure-devel-5.3.18-150300.38.56.1
kernel-azure-devel-debuginfo-5.3.18-150300.38.56.1
kernel-syms-azure-5.3.18-150300.38.56.1
References:
https://www.suse.com/security/cve/CVE-2020-27835.html
https://www.suse.com/security/cve/CVE-2021-0707.html
https://www.suse.com/security/cve/CVE-2021-20292.html
https://www.suse.com/security/cve/CVE-2021-20321.html
https://www.suse.com/security/cve/CVE-2021-38208.html
https://www.suse.com/security/cve/CVE-2021-4154.html
https://www.suse.com/security/cve/CVE-2022-0812.html
https://www.suse.com/security/cve/CVE-2022-1158.html
https://www.suse.com/security/cve/CVE-2022-1280.html
https://www.suse.com/security/cve/CVE-2022-1353.html
https://www.suse.com/security/cve/CVE-2022-1419.html
https://www.suse.com/security/cve/CVE-2022-1516.html
https://www.suse.com/security/cve/CVE-2022-28356.html
https://www.suse.com/security/cve/CVE-2022-28748.html
https://www.suse.com/security/cve/CVE-2022-28893.html
https://www.suse.com/security/cve/CVE-2022-29156.html
https://bugzilla.suse.com/1028340
https://bugzilla.suse.com/1065729
https://bugzilla.suse.com/1071995
https://bugzilla.suse.com/1121726
https://bugzilla.suse.com/1137728
https://bugzilla.suse.com/1152489
https://bugzilla.suse.com/1177028
https://bugzilla.suse.com/1179878
https://bugzilla.suse.com/1182073
https://bugzilla.suse.com/1183723
https://bugzilla.suse.com/1187055
https://bugzilla.suse.com/1191647
https://bugzilla.suse.com/1193556
https://bugzilla.suse.com/1193842
https://bugzilla.suse.com/1195926
https://bugzilla.suse.com/1196018
https://bugzilla.suse.com/1196114
https://bugzilla.suse.com/1196367
https://bugzilla.suse.com/1196514
https://bugzilla.suse.com/1196639
https://bugzilla.suse.com/1196942
https://bugzilla.suse.com/1197157
https://bugzilla.suse.com/1197391
https://bugzilla.suse.com/1197656
https://bugzilla.suse.com/1197660
https://bugzilla.suse.com/1197914
https://bugzilla.suse.com/1197926
https://bugzilla.suse.com/1198217
https://bugzilla.suse.com/1198330
https://bugzilla.suse.com/1198400
https://bugzilla.suse.com/1198413
https://bugzilla.suse.com/1198437
https://bugzilla.suse.com/1198448
https://bugzilla.suse.com/1198484
https://bugzilla.suse.com/1198515
https://bugzilla.suse.com/1198516
https://bugzilla.suse.com/1198660
https://bugzilla.suse.com/1198742
https://bugzilla.suse.com/1198825
https://bugzilla.suse.com/1199012
https://bugzilla.suse.com/1199024
SUSE-SU-2022:1678-1: important: Security update for jackson-databind, jackson-dataformats-binary, jackson-annotations, jackson-bom, jackson-core
by opensuse-security@opensuse.org 16 May '22
SUSE Security Update: Security update for jackson-databind, jackson-dataformats-binary, jackson-annotations, jackson-bom, jackson-core
______________________________________________________________________________
Announcement ID: SUSE-SU-2022:1678-1
Rating: important
References: #1177616 #1182481 #1197132
Cross-References: CVE-2020-25649 CVE-2020-28491 CVE-2020-36518
CVSS scores:
CVE-2020-25649 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVE-2020-25649 (SUSE): 5.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
CVE-2020-28491 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2020-28491 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2020-36518 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2020-36518 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
SUSE Enterprise Storage 7
SUSE Linux Enterprise Desktop 15-SP3
SUSE Linux Enterprise Desktop 15-SP4
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS
SUSE Linux Enterprise High Performance Computing 15-SP3
SUSE Linux Enterprise High Performance Computing 15-SP4
SUSE Linux Enterprise Module for Basesystem 15-SP3
SUSE Linux Enterprise Module for Basesystem 15-SP4
SUSE Linux Enterprise Module for Development Tools 15-SP3
SUSE Linux Enterprise Module for Development Tools 15-SP4
SUSE Linux Enterprise Module for SUSE Manager Server 4.3
SUSE Linux Enterprise Realtime Extension 15-SP2
SUSE Linux Enterprise Server 15-SP2-BCL
SUSE Linux Enterprise Server 15-SP2-LTSS
SUSE Linux Enterprise Server 15-SP3
SUSE Linux Enterprise Server 15-SP4
SUSE Linux Enterprise Server for SAP 15-SP2
SUSE Linux Enterprise Server for SAP Applications 15-SP3
SUSE Linux Enterprise Server for SAP Applications 15-SP4
SUSE Manager Proxy 4.1
SUSE Manager Proxy 4.2
SUSE Manager Retail Branch Server 4.1
SUSE Manager Server 4.1
SUSE Manager Server 4.2
SUSE Manager Server 4.3
openSUSE Leap 15.3
openSUSE Leap 15.4
______________________________________________________________________________
An update that fixes three vulnerabilities is now available.
Description:
This update for jackson-databind, jackson-dataformats-binary,
jackson-annotations, jackson-bom, jackson-core fixes the following issues:
Security issues fixed:
- CVE-2020-36518: Fixed a Java stack overflow exception and denial of
service via a large depth of nested objects in jackson-databind.
(bsc#1197132)
- CVE-2020-25649: Fixed an insecure entity expansion in jackson-databind
which was vulnerable to XML external entity (XXE). (bsc#1177616)
- CVE-2020-28491: Fixed a bug which could cause a
`java.lang.OutOfMemoryError` exception in jackson-dataformats-binary.
(bsc#1182481)
Non-security fixes:
jackson-annotations - update from version 2.10.2 to version 2.13.0:
+ Build with source/target levels 8
+ Add 'mvnw' wrapper
+ 'JsonSubType.Type' should accept array of names
+ Jackson version alignment with Gradle 6
+ Add '@JsonIncludeProperties'
+ Add '@JsonTypeInfo(use=DEDUCTION)'
+ Ability to use '@JsonAnyGetter' on fields
+ Add '@JsonKey' annotation
+ Allow repeated calls to 'SimpleObjectIdResolver.bindItem()' for same
mapping
+ Add 'namespace' property for '@JsonProperty' (for XML module)
+ Add target 'ElementType.ANNOTATION_TYPE' for '@JsonEnumDefaultValue'
+ 'JsonPattern.Value.pattern' retained as "", never (accidentally)
exposed as 'null'
+ Rewrite to use `ant` for building in order to be able to use it in
packages that have to be built before maven
jackson-bom - update from version 2.10.2 to version 2.13.0:
+ Configure moditect plugin with '<jvmVersion>11</jvmVersion>'
+ jackson-bom manages the version of 'junit:junit'
+ Drop 'jackson-datatype-hibernate3' (support for Hibernate 3.x
datatypes)
+ Removed "jakarta" classifier variants of JAXB/JSON-P/JAX-RS modules
due to the addition of new Jakarta artifacts (Jakarta-JSONP,
Jakarta-xmlbind-annotations, Jakarta-rs-providers)
+ Add version for 'jackson-datatype-jakarta-jsonp' module (introduced
after 2.12.2)
+ Add (beta) version for 'jackson-dataformat-toml'
+ Jakarta 9 artifact versions are missing from jackson-bom
+ Add default settings for 'gradle-module-metadata-maven-plugin'
(gradle metadata)
+ Add default settings for 'build-helper-maven-plugin'
+ Drop 'jackson-module-scala_2.10' entry (not released for Jackson 2.12
or later)
+ Add override for 'version.plugin.bundle' (for 5.1.1) to help build on
JDK 15+
+ Add missing version for jackson-datatype-eclipse-collections
jackson-core - update from version 2.10.2 to version 2.13.0:
+ Build with source and target levels 8
+ Misleading exception for input source when processing byte buffer
with start offset
+ Escape contents of source document snippet for
'JsonLocation._appendSourceDesc()'
+ Add 'StreamWriteException' type to eventually replace
'JsonGenerationException'
+ Replace 'getCurrentLocation()'/'getTokenLocation()' with
'currentLocation()'/'currentTokenLocation()' in 'JsonParser'
+ Replace 'JsonGenerator.writeObject()' (and related) with 'writePOJO()'
+ Replace 'getCurrentValue()'/'setCurrentValue()' with
'currentValue()'/'assignCurrentValue()' in 'JsonParser'/'JsonGenerator'
+ Introduce O(n^1.5) BigDecimal parser implementation
+ ByteQuadsCanonicalizer.addName(String, int, int) has incorrect
handling for case of q2 == null
+ UTF32Reader ArrayIndexOutOfBoundsException
+ Improve exception/JsonLocation handling for binary content: don't
show content, include byte offset
+ Fix an issue with the TokenFilter unable to ignore properties when
deserializing.
+ Optimize array allocation by 'JsonStringEncoder'
+ Add 'mvnw' wrapper
+ (partial) Optimize array allocation by 'JsonStringEncoder'
+ Add back accidentally removed 'JsonStringEncoder' related methods in
'BufferRecyclers' (like 'getJsonStringEncoder()')
+ 'ArrayOutOfBoundException' at
'WriterBasedJsonGenerator.writeString(Reader, int)'
+ Allow "optional-padding" for 'Base64Variant'
+ More customizable TokenFilter inclusion (using
'Tokenfilter.Inclusion')
+ Publish Gradle Module Metadata
+ Add 'StreamReadCapability' for further format-based/format-agnostic
handling improvements
+ Add 'JsonParser.isExpectedNumberIntToken()' convenience method
+ Add 'StreamWriteCapability' for further format-based/format-agnostic
handling improvements
+ Add 'JsonParser.getNumberValueExact()' to allow precision-retaining
buffering
+ Limit initial allocated block size by 'ByteArrayBuilder' to max block
size
+ Add 'JacksonException' as parent class of 'JsonProcessingException'
+ Make 'JsonWriteContext.reset()' and 'JsonReadContext.reset()' methods
public
+ Deprecate 'JsonParser.getCurrentTokenId()' (use '#currentTokenId()'
instead)
+ Full "LICENSE" included in jar for easier access by compliancy tools
+ Fix NPE in 'writeNumber(String)' method of 'UTF8JsonGenerator',
'WriterBasedJsonGenerator'
+ Add a String Array write method in the Streaming API
+ Synchronize variants of 'JsonGenerator#writeNumberField' with
'JsonGenerator#writeNumber'
+ Add JsonGenerator#writeNumber(char[], int, int) method
+ Do not clear aggregated contents of 'TextBuffer' when
'releaseBuffers()' called
+ 'FilteringGeneratorDelegate' does not handle 'writeString(Reader,
int)'
+ Optionally allow leading decimal in float tokens
+ Rewrite to use ant for building in order to be able to use it in
packages that have to be built before maven
+ Parsing JSON with 'ALLOW_MISSING_VALUE' enabled results in endless
stream of 'VALUE_NULL' tokens
+ Handle case when system property access is restricted
+ 'FilteringGeneratorDelegate' does not handle 'writeString(Reader,
int)'
+ DataFormatMatcher#getMatchedFormatName throws NPE when no match exists
+ 'JsonParser.getCurrentLocation()' byte/char offset update incorrectly
for big payloads
jackson-databind - update from version 2.10.5.1 to version 2.13.0:
+ '@JsonValue' with integer for enum does not deserialize correctly
+ 'AnnotatedMethod.getValue()/setValue()' doesn't have useful exception
message
+ Add 'DatabindException' as intermediate subtype of
'JsonMappingException'
+ Jackson does not support deserializing new Java 9 unmodifiable
collections
+ Allocate TokenBuffer instance via context objects (to allow
format-specific buffer types)
+ Add mechanism for setting default 'ContextAttributes' for
'ObjectMapper'
+ Add 'DeserializationContext.readTreeAsValue()' methods for more
convenient conversions for deserializers to use
+ Clean up support of typed "unmodifiable", "singleton"
Maps/Sets/Collections
+ Extend internal bitfield of 'MapperFeature' to be 'long'
+ Add 'removeMixIn()' method in 'MapperBuilder'
+ Backport 'MapperBuilder' lambda-taking methods:
'withConfigOverride()', 'withCoercionConfig()',
'withCoercionConfigDefaults()'
+ configOverrides(boolean.class) silently ignored, whereas
.configOverride(Boolean.class) works for both primitives and boxed
boolean values
+ Don't track unknown props in buffer if 'ignoreAllUnknown' is true
+ Should allow deserialization of java.time types via
opaque 'JsonToken.VALUE_EMBEDDED_OBJECT'
+ Optimize "AnnotatedConstructor.call()" case by passing explicit null
+ Add AnnotationIntrospector.XmlExtensions interface for decoupling
javax dependencies
+ Custom SimpleModule not included in list returned by
ObjectMapper.getRegisteredModuleIds() after registration
+ Use more limiting default visibility settings for JDK types (java.*,
javax.*)
+ Deep merge for 'JsonNode' using 'ObjectReader.readTree()'
+ IllegalArgumentException: Conflicting setter definitions for property
with more than 2 setters
+ Serializing java.lang.Thread fails on JDK 11 and above
+ String-based 'Map' key deserializer is not deterministic when there
is no single arg constructor
+ Add ArrayNode#set(int index, primitive_type value)
+ JsonStreamContext "currentValue" wrongly references to
'@JsonTypeInfo' annotated object
+ DOM 'Node' serialization omits the default namespace declaration
+ Support 'suppressed' property when deserializing 'Throwable'
+ 'AnnotatedMember.equals()' does not work reliably
+ Add 'MapperFeature.APPLY_DEFAULT_VALUES', initially for Scala module
+ For an absent property Jackson injects 'NullNode' instead of 'null'
to a JsonNode-typed constructor argument of a
'@ConstructorProperties'-annotated constructor
+ 'XMLGregorianCalendar' doesn't work with default typing
+ Content 'null' handling not working for root values
+ StdDeserializer rejects blank (all-whitespace) strings for ints
+ 'USE_BASE_TYPE_AS_DEFAULT_IMPL' not working with
'DefaultTypeResolverBuilder'
+ Add PropertyNamingStrategies.UpperSnakeCaseStrategy (and
UPPER_SNAKE_CASE constant)
+ StackOverflowError when serializing JsonProcessingException
+ Support for BCP 47 'java.util.Locale' serialization/deserialization
+ String property deserializes null as "null" for
JsonTypeInfo.As.EXISTING_PROPERTY
+ Can not deserialize json to enum value with Object-/Array-valued
input, '@JsonCreator'
+ Fix to avoid problem with 'BigDecimalNode', scale of
'Integer.MIN_VALUE'
+ Extend handling of 'FAIL_ON_NULL_FOR_PRIMITIVES' to cover coercion
from (Empty) String via 'AsNull'
+ Add 'mvnw' wrapper
+ (regression) Factory method generic type resolution does not use
Class-bound type parameter
+ Deserialization of "empty" subtype with DEDUCTION failed
+ Merge findInjectableValues() results in AnnotationIntrospectorPair
+ READ_UNKNOWN_ENUM_VALUES_USING_DEFAULT_VALUE doesn't work with empty
strings
+ 'TypeFactory' cannot convert 'Collection' sub-type without type
parameters to canonical form and back
+ Fix for [modules-java8#207]: prevent fail on secondary Java 8
date/time types
+ EXTERNAL_PROPERTY does not work well with '@JsonCreator' and
'FAIL_ON_UNKNOWN_PROPERTIES'
+ String property deserializes null as "null" for
'JsonTypeInfo.As.EXTERNAL_PROPERTY'
+ Property ignorals cause 'BeanDeserializer' to forget how to read from
arrays (not copying '_arrayDelegateDeserializer')
+ 'UntypedObjectDeserializer' mixes multiple unwrapped collections
(related to #2733)
+ Two cases of incorrect error reporting about DeserializationFeature
+ Bug in polymorphic deserialization with '@JsonCreator',
'@JsonAnySetter', 'JsonTypeInfo.As.EXTERNAL_PROPERTY'
+ Polymorphic subtype deduction ignores 'defaultImpl' attribute
+ MismatchedInputException: Cannot deserialize instance
of 'com.fasterxml.jackson.databind.node.ObjectNode' out of
VALUE_NULL token
+ Missing override for 'hasAsKey()' in 'AnnotationIntrospectorPair'
+ Creator lookup fails with 'InvalidDefinitionException' for conflict
between single-double/single-Double arg constructor
+ 'MapDeserializer' forcing 'JsonMappingException' wrapping even if
WRAP_EXCEPTIONS set to false
+ Auto-detection of constructor-based creator method skipped if there
is an annotated factory-based creator method (regression from 2.11)
+ 'ObjectMapper.treeToValue()' no longer invokes
'JsonDeserializer.getNullValue()'
+ DeserializationProblemHandler is not invoked when trying to
deserialize String
+ Fix failing 'double' JsonCreators in jackson 2.12.0
+ Conflicting in POJOPropertiesCollector when having namingStrategy
+ Breaking API change in 'BasicClassIntrospector' (2.12.0)
+ 'JsonNode.requiredAt()' does NOT fail on some path expressions
+ Exception thrown when 'Collections.synchronizedList()' is serialized
with type info, deserialized
+ Add option to resolve type from multiple existing properties,
'@JsonTypeInfo(use=DEDUCTION)'
+ '@JsonIgnoreProperties' does not prevent Exception Conflicting
getter/setter definitions for property
+ Deserialization Not Working Right with Generic Types and Builders
+ Add '@JsonIncludeProperties(propertyNames)' (reverse of
'@JsonIgnoreProperties')
+ '@JsonAnyGetter' should be allowed on a field
+ Allow handling of single-arg constructor as property based by default
+ Allow case insensitive deserialization of String value into
'boolean'/'Boolean' (esp for Excel)
+ Allow use of
'@JsonFormat(with=JsonFormat.Feature.ACCEPT_CASE_INSENSITIVE_PROPERTIES)'
on Class
+ Abstract class included as part of known type ids for error message
when using JsonSubTypes
+ Distinguish null from empty string for UUID deserialization
+ 'ReferenceType' does not expose valid containedType
+ Add 'CoercionConfig[s]' mechanism for configuring allowed coercions
+ 'JsonProperty.Access.READ_ONLY' does not work with "getter-as-setter"
'Collection's
+ Support 'BigInteger' and 'BigDecimal' creators in
'StdValueInstantiator'
+ 'JsonProperty.Access.READ_ONLY' fails with collections when a
property name is specified
+ 'BigDecimal' precision not retained for polymorphic deserialization
+ Support use of 'Void' valued properties
('MapperFeature.ALLOW_VOID_VALUED_PROPERTIES')
+ Explicitly fail (de)serialization of 'java.time.*' types in absence
of registered custom (de)serializers
+ Improve description included in by
'DeserializationContext.handleUnexpectedToken()'
+ Support for JDK 14 record types ('java.lang.Record')
+ 'PropertyNamingStrategy' class initialization depends
on its subclass, this can lead to class loading deadlock
+ 'FAIL_ON_IGNORED_PROPERTIES' does not throw on 'READONLY' properties
with an explicit name
+ Add Gradle Module Metadata for version alignment with Gradle 6
+ Allow 'JsonNode' auto-convert into 'ArrayNode' if duplicates found
(for XML)
+ Allow values of "untyped" auto-convert into 'List' if duplicates
found (for XML)
+ Add 'ValueInstantiator.createContextual(...)'
+ Support multiple names in 'JsonSubType.Type'
+ Disabling 'FAIL_ON_INVALID_SUBTYPE' breaks polymorphic
deserialization of Enums
+ Explicitly fail (de)serialization of 'org.joda.time.*' types in
absence of registered custom (de)serializers
+ Trailing zeros are stripped when deserializing BigDecimal values
inside a @JsonUnwrapped property
+ Extract getter/setter/field name mangling from 'BeanUtil' into
pluggable 'AccessorNamingStrategy'
+ Throw 'InvalidFormatException' instead of 'MismatchedInputException'
for ACCEPT_FLOAT_AS_INT coercion failures
+ Add '@JsonKey' annotation (similar to '@JsonValue') for customizable
serialization of Map keys
+ 'MapperFeature.ACCEPT_CASE_INSENSITIVE_ENUMS' should work for enum as
keys
+ Add support for disabling special handling of "Creator properties"
wrt alphabetic property ordering
+ Add 'JsonNode.canConvertToExactIntegral()' to indicate whether
floating-point/BigDecimal values could be converted to integers
losslessly
+ Improve static factory method generic type resolution logic
+ Allow preventing "Enum from integer" coercion using new
'CoercionConfig' system
+ '@JsonValue' not considered when evaluating inclusion
+ Make some java platform modules optional
+ Add support for serializing 'java.sql.Blob'
+ 'AnnotatedCreatorCollector' should avoid processing synthetic static
(factory) methods
+ Add errorprone static analysis profile to detect bugs at build time
+ Problem with implicit creator name detection for constructor detection
+ Add 'BeanDeserializerBase.isCaseInsensitive()'
+ Refactoring of 'CollectionDeserializer' to solve CSV array handling
issues
+ Full "LICENSE" included in jar for easier access by compliancy tools
+ Fix type resolution for static methods (regression in 2.11.3)
+ '@JsonCreator' on constructor not compatible with
'@JsonIdentityInfo', 'PropertyGenerator'
+ Add debug improvements about 'ClassUtil.getClassMethods()'
+ Cannot detect creator arguments of mixins for JDK types
+ Add 'JsonFormat.Shape' awareness for UUID serialization
('UUIDSerializer')
+ Json serialization fails for a specific case that contains generics
and static methods with generic parameters (2.11.1 -> 2.11.2
regression)
+ 'ObjectMapper.activateDefaultTypingAsProperty()' is not using
parameter 'PolymorphicTypeValidator'
+ Problem deserialization "raw generic" fields (like 'Map') in 2.11.2
+ Fix issues with 'MapLikeType.isTrueMapType()',
'CollectionLikeType.isTrueCollectionType()'
+ Parser/Generator features not set when using
'ObjectMapper.createParser()', 'createGenerator()'
+ Polymorphic subtypes not registering on copied ObjectMapper (2.11.1)
+ Failure to read AnnotatedField value in Jackson 2.11
+ 'TypeFactory.constructType()' does not take 'TypeBindings' correctly
+ Builder Deserialization with JsonCreator Value vs Array
+ JsonCreator on static method in Enum and Enum used as key in map
fails randomly
+ 'StdSubtypeResolver' is not thread safe (possibly due to copy not
being made with 'ObjectMapper.copy()')
+ "Conflicting setter definitions for property" exception for 'Map'
subtype during deserialization
+ Fail to deserialize local Records
+ Rearranging of props when property-based generator is in use leads to
incorrect output
+ Jackson doesn't respect 'CAN_OVERRIDE_ACCESS_MODIFIERS=false' for
deserializer properties
+ 'DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS' don't support
'Map' type field
+ JsonParser from MismatchedInputException cannot getText() for
floating-point value
+ i-I case conversion problem in Turkish locale with case-insensitive
deserialization
+ '@JsonInject' fails on trying to find deserializer even if inject-only
+ Polymorphic deserialization should handle case-insensitive Type Id
property name if 'MapperFeature.ACCEPT_CASE_INSENSITIVE_PROPERTIES'
is enabled
+ TreeTraversingParser and UTF8StreamJsonParser create contexts
differently
+ Support use of '@JsonAlias' for enum values
+ 'declaringClass' of "enum-as-POJO" not removed for 'ObjectMapper'
with a naming strategy
+ Fix 'JavaType.isEnumType()' to support sub-classes
+ BeanDeserializerBuilder Protected Factory Method for Extension
+ Support '@JsonSerialize(keyUsing)' and '@JsonDeserialize(keyUsing)'
on Key class
+ Add 'SerializationFeature.WRITE_SELF_REFERENCES_AS_NULL'
+ 'ObjectMapper.registerSubtypes(NamedType...)' doesn't allow
registering same POJO for two different type ids
+ 'DeserializationContext.handleMissingInstantiator()' throws
'MismatchedInputException' for non-static inner classes
+ Incorrect 'JsonStreamContext' for 'TokenBuffer' and
'TreeTraversingParser'
+ Add 'AnnotationIntrospector.findRenameByField()' to support Kotlin's
"is-getter" naming convention
+ Use '@JsonProperty(index)' for sorting properties on serialization
+ Java 8 'Optional' not working with '@JsonUnwrapped' on unwrappable
type
+ Add 'MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES' to allow
blocking use of unsafe base type for polymorphic deserialization
+ 'ObjectMapper.setSerializationInclusion()' is ignored for
'JsonAnyGetter'
+ 'ValueInstantiationException' when deserializing using a builder and
'UNWRAP_SINGLE_VALUE_ARRAYS'
+ JsonIgnoreProperties(ignoreUnknown = true) does not work on field and
method level
+ Failure to resolve generic type parameters on serialization
+ JsonParser cannot getText() for input stream on
MismatchedInputException
+ ObjectReader readValue lacks Class<T> argument
+ Change default textual serialization of 'java.util.Date'/'Calendar'
to include colon in timezone offset
+ Add 'ObjectMapper.createParser()' and 'createGenerator()' methods
+ Allow serialization of 'Properties' with non-String values
+ Add new factory method for creating custom 'EnumValues' to pass to
'EnumDeserializer'
+ 'IllegalArgumentException' thrown for mismatched subclass
deserialization
+ Add convenience methods for creating 'List', 'Map' valued
'ObjectReader's (ObjectMapper.readerForListOf())
+ 'SerializerProvider.findContentValueSerializer()' methods
jackson-dataformats-binary - update from version 2.10.1 to version 2.13.0:
+ (cbor) Should validate UTF-8 multi-byte validity for short decode
path too
+ (ion) Deprecate 'CloseSafeUTF8Writer', remove use
+ (smile) Make 'SmileFactory' support
'JsonFactory.Feature.CANONICALIZE_FIELD_NAMES'
+ (cbor) Make 'CBORFactory' support
'JsonFactory.Feature.CANONICALIZE_FIELD_NAMES'
+ (cbor) Handle case of BigDecimal with Integer.MIN_VALUE for scale
gracefully
+ (cbor) Uncaught exception in CBORParser._nextChunkedByte2 (by
ossfuzzer)
+ (cbor) Another uncaught exception in CBORParser._nextChunkedByte2 (by
ossfuzzer)
+ (smile) Add 'SmileGenerator.Feature.LENIENT_UTF_ENCODING' for lenient
handling of broken Unicode surrogate pairs on writing
+ (avro) Add 'logicalType' support for some 'java.time' types; add
'AvroJavaTimeModule' for native ser/deser
+ Support base64 strings in 'getBinaryValue()' for CBOR and Smile
+ (cbor) 'ArrayIndexOutOfBounds' for truncated UTF-8 name
+ (avro) Generate logicalType switch
+ (smile) 'ArrayIndexOutOfBounds' for truncated UTF-8 name
+ (ion) 'jackson-dataformat-ion' does not handle null.struct
deserialization correctly
+ 'Ion-java' dep 1.4.0 -> 1.8.0
+ Minor change to Ion module registration names (fully-qualified)
+ (cbor) Uncaught exception in CBORParser._nextChunkedByte2 (by
ossfuzzer)
+ (cbor) Uncaught exception in CBORParser._findDecodedFromSymbols() (by
ossfuzzer)
+ (smile) Uncaught validation problem wrt Smile "BigDecimal" type
+ (smile) ArrayIndexOutOfBoundsException for malformed Smile header
+ (cbor) Failed to handle case of alleged String with length of
Integer.MAX_VALUE
+ (smile) Allocate byte[] lazily for longer Smile binary data payloads
+ (cbor) CBORParser need to validate zero-length byte[] for BigInteger
+ (smile) Handle invalid chunked-binary-format length gracefully
+ (smile) Allocate byte[] lazily for longer Smile binary data payloads
(7-bit encoded)
+ (smile) ArrayIndexOutOfBoundsException in
SmileParser._decodeShortUnicodeValue()
+ (smile) Handle sequence of Smile header markers without recursion
+ (cbor) CBOR loses 'Map' entries with specific 'long' Map key values
(32-bit boundary)
+ (ion) Ion Polymorphic deserialization in 2.12 breaks wrt use of
Native Type Ids when upgrading from 2.8
+ (cbor) 'ArrayIndexOutOfBoundsException' in 'CBORParser' for invalid
UTF-8 String
+ (cbor) Handle invalid CBOR content like '[0x84]' (incomplete array)
+ (ion) Respect 'WRITE_ENUMS_USING_TO_STRING' in
'EnumAsIonSymbolSerializer'
+ (ion) Add support for generating IonSexps
+ (ion) Add support for deserializing IonTimestamps and IonBlobs
+ (ion) Add 'IonObjectMapper.builderForBinaryWriters()' /
'.builderforTextualWriters()' convenience methods
+ (ion) Enabling pretty-printing fails Ion serialization
+ (ion) Allow disabling native type ids in IonMapper
+ (smile) Small bug in byte-alignment for long field names in Smile,
symbol table reuse
+ (ion) Add 'IonFactory.getIonSystem()' accessor
+ (ion) Optimize 'IonParser.getNumberType()' using
'IonReader.getIntegerSize()'
+ (cbor) Add 'CBORGenerator.Feature.LENIENT_UTF_ENCODING' for lenient
handling of Unicode surrogate pairs on writing
+ (cbor) Add support for decoding unassigned "simple values" (type 7)
+ Add Gradle Module Metadata
(https://blog.gradle.org/alignment-with-gradle-module-metadata)
+ (avro) Cache record names to avoid hitting class loader
+ (avro) Avro null deserialization
+ (ion) Add 'IonFactory.getIonSystem()' accessor
+ (avro) Add 'AvroGenerator.canWriteBinaryNatively()' to support binary
writes, fix 'java.util.UUID' representation
+ (ion) Allow 'IonObjectMapper' with class name annotation introspector
to deserialize generic subtypes
+ Remove dependencies upon Jackson 1.X and Avro's JacksonUtils
+ 'jackson-databind' should not be full dependency for (cbor, protobuf,
smile) modules
+ 'CBORGenerator.Feature.WRITE_MINIMAL_INTS' does not write most
compact form for all integers
+ 'AvroGenerator' overrides 'getOutputContext()' properly
+ (ion) Add 'IonFactory.getIonSystem()' accessor
+ (avro) Fix schema evolution involving maps of non-scalar
+ (protobuf) Parsing a protobuf message doesn't properly skip unknown
fields
+ (ion) IonObjectMapper close()s the provided IonWriter unnecessarily
+ ion-java dependency 1.4.0 -> 1.5.1
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.4:
zypper in -t patch openSUSE-SLE-15.4-2022-1678=1
- openSUSE Leap 15.3:
zypper in -t patch openSUSE-SLE-15.3-2022-1678=1
- SUSE Manager Server 4.1:
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.1-2022-1678=1
- SUSE Manager Retail Branch Server 4.1:
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.1-2022-1678=1
- SUSE Manager Proxy 4.1:
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.1-2022-1678=1
- SUSE Linux Enterprise Server for SAP 15-SP2:
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2022-1678=1
- SUSE Linux Enterprise Server 15-SP2-LTSS:
zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2022-1678=1
- SUSE Linux Enterprise Server 15-SP2-BCL:
zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-BCL-2022-1678=1
- SUSE Linux Enterprise Realtime Extension 15-SP2:
zypper in -t patch SUSE-SLE-Product-RT-15-SP2-2022-1678=1
- SUSE Linux Enterprise Module for SUSE Manager Server 4.3:
zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.3-2022-1678=1
- SUSE Linux Enterprise Module for Development Tools 15-SP4:
zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP4-2022-1678=1
- SUSE Linux Enterprise Module for Development Tools 15-SP3:
zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP3-2022-1678=1
- SUSE Linux Enterprise Module for Basesystem 15-SP4:
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP4-2022-1678=1
- SUSE Linux Enterprise Module for Basesystem 15-SP3:
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2022-1678=1
- SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS:
zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2022-1678=1
- SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS:
zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-ESPOS-2022-1678=1
- SUSE Enterprise Storage 7:
zypper in -t patch SUSE-Storage-7-2022-1678=1
Package List:
- openSUSE Leap 15.4 (noarch):
jackson-annotations-2.13.0-150200.3.6.1
jackson-annotations-javadoc-2.13.0-150200.3.6.1
jackson-bom-2.13.0-150200.3.3.1
jackson-core-2.13.0-150200.3.6.1
jackson-core-javadoc-2.13.0-150200.3.6.1
jackson-databind-2.13.0-150200.3.9.1
jackson-databind-javadoc-2.13.0-150200.3.9.1
jackson-dataformat-cbor-2.13.0-150200.3.3.3
jackson-dataformat-smile-2.13.0-150200.3.3.3
jackson-dataformats-binary-2.13.0-150200.3.3.3
jackson-dataformats-binary-javadoc-2.13.0-150200.3.3.3
- openSUSE Leap 15.3 (noarch):
jackson-annotations-2.13.0-150200.3.6.1
jackson-annotations-javadoc-2.13.0-150200.3.6.1
jackson-bom-2.13.0-150200.3.3.1
jackson-core-2.13.0-150200.3.6.1
jackson-core-javadoc-2.13.0-150200.3.6.1
jackson-databind-2.13.0-150200.3.9.1
jackson-databind-javadoc-2.13.0-150200.3.9.1
jackson-dataformat-cbor-2.13.0-150200.3.3.3
jackson-dataformat-smile-2.13.0-150200.3.3.3
jackson-dataformats-binary-2.13.0-150200.3.3.3
jackson-dataformats-binary-javadoc-2.13.0-150200.3.3.3
- SUSE Manager Server 4.1 (noarch):
jackson-annotations-2.13.0-150200.3.6.1
jackson-core-2.13.0-150200.3.6.1
jackson-databind-2.13.0-150200.3.9.1
jackson-dataformat-cbor-2.13.0-150200.3.3.3
- SUSE Manager Retail Branch Server 4.1 (noarch):
jackson-annotations-2.13.0-150200.3.6.1
jackson-core-2.13.0-150200.3.6.1
jackson-databind-2.13.0-150200.3.9.1
jackson-dataformat-cbor-2.13.0-150200.3.3.3
- SUSE Manager Proxy 4.1 (noarch):
jackson-annotations-2.13.0-150200.3.6.1
jackson-core-2.13.0-150200.3.6.1
jackson-databind-2.13.0-150200.3.9.1
jackson-dataformat-cbor-2.13.0-150200.3.3.3
- SUSE Linux Enterprise Server for SAP 15-SP2 (noarch):
jackson-annotations-2.13.0-150200.3.6.1
jackson-core-2.13.0-150200.3.6.1
jackson-databind-2.13.0-150200.3.9.1
jackson-dataformat-cbor-2.13.0-150200.3.3.3
- SUSE Linux Enterprise Server 15-SP2-LTSS (noarch):
jackson-annotations-2.13.0-150200.3.6.1
jackson-core-2.13.0-150200.3.6.1
jackson-databind-2.13.0-150200.3.9.1
jackson-dataformat-cbor-2.13.0-150200.3.3.3
- SUSE Linux Enterprise Server 15-SP2-BCL (noarch):
jackson-annotations-2.13.0-150200.3.6.1
jackson-core-2.13.0-150200.3.6.1
jackson-databind-2.13.0-150200.3.9.1
jackson-dataformat-cbor-2.13.0-150200.3.3.3
- SUSE Linux Enterprise Realtime Extension 15-SP2 (noarch):
jackson-annotations-2.13.0-150200.3.6.1
jackson-core-2.13.0-150200.3.6.1
jackson-databind-2.13.0-150200.3.9.1
jackson-dataformat-cbor-2.13.0-150200.3.3.3
- SUSE Linux Enterprise Module for SUSE Manager Server 4.3 (noarch):
jackson-annotations-2.13.0-150200.3.6.1
jackson-core-2.13.0-150200.3.6.1
jackson-databind-2.13.0-150200.3.9.1
- SUSE Linux Enterprise Module for Development Tools 15-SP4 (noarch):
jackson-dataformat-cbor-2.13.0-150200.3.3.3
- SUSE Linux Enterprise Module for Development Tools 15-SP3 (noarch):
jackson-annotations-2.13.0-150200.3.6.1
jackson-core-2.13.0-150200.3.6.1
jackson-databind-2.13.0-150200.3.9.1
jackson-dataformat-cbor-2.13.0-150200.3.3.3
- SUSE Linux Enterprise Module for Basesystem 15-SP4 (noarch):
jackson-annotations-2.13.0-150200.3.6.1
jackson-core-2.13.0-150200.3.6.1
jackson-databind-2.13.0-150200.3.9.1
- SUSE Linux Enterprise Module for Basesystem 15-SP3 (noarch):
jackson-annotations-2.13.0-150200.3.6.1
jackson-annotations-javadoc-2.13.0-150200.3.6.1
jackson-core-2.13.0-150200.3.6.1
jackson-core-javadoc-2.13.0-150200.3.6.1
jackson-databind-2.13.0-150200.3.9.1
jackson-databind-javadoc-2.13.0-150200.3.9.1
- SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (noarch):
jackson-annotations-2.13.0-150200.3.6.1
jackson-core-2.13.0-150200.3.6.1
jackson-databind-2.13.0-150200.3.9.1
jackson-dataformat-cbor-2.13.0-150200.3.3.3
- SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (noarch):
jackson-annotations-2.13.0-150200.3.6.1
jackson-core-2.13.0-150200.3.6.1
jackson-databind-2.13.0-150200.3.9.1
jackson-dataformat-cbor-2.13.0-150200.3.3.3
- SUSE Enterprise Storage 7 (noarch):
jackson-annotations-2.13.0-150200.3.6.1
jackson-core-2.13.0-150200.3.6.1
jackson-databind-2.13.0-150200.3.9.1
jackson-dataformat-cbor-2.13.0-150200.3.3.3
References:
https://www.suse.com/security/cve/CVE-2020-25649.html
https://www.suse.com/security/cve/CVE-2020-28491.html
https://www.suse.com/security/cve/CVE-2020-36518.html
https://bugzilla.suse.com/1177616
https://bugzilla.suse.com/1182481
https://bugzilla.suse.com/1197132
SUSE-SU-2022:1665-1: important: Security update for pidgin
by opensuse-security@opensuse.org 16 May '22
SUSE Security Update: Security update for pidgin
______________________________________________________________________________
Announcement ID: SUSE-SU-2022:1665-1
Rating: important
References: #1199025
Cross-References: CVE-2022-26491
CVSS scores:
CVE-2022-26491 (SUSE): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Affected Products:
SUSE Linux Enterprise Desktop 15-SP3
SUSE Linux Enterprise High Performance Computing 15-SP3
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3
SUSE Linux Enterprise Server 15-SP3
SUSE Linux Enterprise Server for SAP Applications 15-SP3
SUSE Linux Enterprise Workstation Extension 15-SP3
SUSE Manager Proxy 4.2
SUSE Manager Server 4.2
openSUSE Leap 15.3
openSUSE Leap 15.4
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for pidgin fixes the following issues:
- CVE-2022-26491: Fixed MITM vulnerability when DNSSEC wasn't used
(bsc#1199025).
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.4:
zypper in -t patch openSUSE-SLE-15.4-2022-1665=1
- openSUSE Leap 15.3:
zypper in -t patch openSUSE-SLE-15.3-2022-1665=1
- SUSE Linux Enterprise Workstation Extension 15-SP3:
zypper in -t patch SUSE-SLE-Product-WE-15-SP3-2022-1665=1
- SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3:
zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP3-2022-1665=1
Package List:
- openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64):
finch-2.13.0-150200.12.6.1
finch-debuginfo-2.13.0-150200.12.6.1
finch-devel-2.13.0-150200.12.6.1
libpurple-2.13.0-150200.12.6.1
libpurple-debuginfo-2.13.0-150200.12.6.1
libpurple-devel-2.13.0-150200.12.6.1
libpurple-plugin-sametime-2.13.0-150200.12.6.1
libpurple-plugin-sametime-debuginfo-2.13.0-150200.12.6.1
libpurple-tcl-2.13.0-150200.12.6.1
libpurple-tcl-debuginfo-2.13.0-150200.12.6.1
pidgin-2.13.0-150200.12.6.1
pidgin-debuginfo-2.13.0-150200.12.6.1
pidgin-debugsource-2.13.0-150200.12.6.1
pidgin-devel-2.13.0-150200.12.6.1
- openSUSE Leap 15.4 (noarch):
libpurple-branding-upstream-2.13.0-150200.12.6.1
libpurple-lang-2.13.0-150200.12.6.1
- openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):
finch-2.13.0-150200.12.6.1
finch-debuginfo-2.13.0-150200.12.6.1
finch-devel-2.13.0-150200.12.6.1
libpurple-2.13.0-150200.12.6.1
libpurple-debuginfo-2.13.0-150200.12.6.1
libpurple-devel-2.13.0-150200.12.6.1
libpurple-plugin-sametime-2.13.0-150200.12.6.1
libpurple-plugin-sametime-debuginfo-2.13.0-150200.12.6.1
libpurple-tcl-2.13.0-150200.12.6.1
libpurple-tcl-debuginfo-2.13.0-150200.12.6.1
pidgin-2.13.0-150200.12.6.1
pidgin-debuginfo-2.13.0-150200.12.6.1
pidgin-debugsource-2.13.0-150200.12.6.1
pidgin-devel-2.13.0-150200.12.6.1
- openSUSE Leap 15.3 (noarch):
libpurple-branding-upstream-2.13.0-150200.12.6.1
libpurple-lang-2.13.0-150200.12.6.1
- SUSE Linux Enterprise Workstation Extension 15-SP3 (noarch):
libpurple-branding-upstream-2.13.0-150200.12.6.1
libpurple-lang-2.13.0-150200.12.6.1
- SUSE Linux Enterprise Workstation Extension 15-SP3 (x86_64):
libpurple-2.13.0-150200.12.6.1
libpurple-debuginfo-2.13.0-150200.12.6.1
libpurple-devel-2.13.0-150200.12.6.1
libpurple-plugin-sametime-2.13.0-150200.12.6.1
libpurple-plugin-sametime-debuginfo-2.13.0-150200.12.6.1
pidgin-2.13.0-150200.12.6.1
pidgin-debuginfo-2.13.0-150200.12.6.1
pidgin-debugsource-2.13.0-150200.12.6.1
pidgin-devel-2.13.0-150200.12.6.1
- SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (aarch64 ppc64le s390x):
finch-2.13.0-150200.12.6.1
finch-debuginfo-2.13.0-150200.12.6.1
finch-devel-2.13.0-150200.12.6.1
libpurple-2.13.0-150200.12.6.1
libpurple-debuginfo-2.13.0-150200.12.6.1
libpurple-devel-2.13.0-150200.12.6.1
libpurple-plugin-sametime-2.13.0-150200.12.6.1
libpurple-plugin-sametime-debuginfo-2.13.0-150200.12.6.1
libpurple-tcl-2.13.0-150200.12.6.1
libpurple-tcl-debuginfo-2.13.0-150200.12.6.1
pidgin-2.13.0-150200.12.6.1
pidgin-debuginfo-2.13.0-150200.12.6.1
pidgin-debugsource-2.13.0-150200.12.6.1
pidgin-devel-2.13.0-150200.12.6.1
- SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (noarch):
libpurple-branding-upstream-2.13.0-150200.12.6.1
libpurple-lang-2.13.0-150200.12.6.1
References:
https://www.suse.com/security/cve/CVE-2022-26491.html
https://bugzilla.suse.com/1199025
SUSE-SU-2022:1657-1: moderate: Security update for curl
by opensuse-security@opensuse.org 13 May '22
SUSE Security Update: Security update for curl
______________________________________________________________________________
Announcement ID: SUSE-SU-2022:1657-1
Rating: moderate
References: #1198614 #1198723 #1198766
Cross-References: CVE-2022-22576 CVE-2022-27775 CVE-2022-27776
CVSS scores:
CVE-2022-22576 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVE-2022-27775 (SUSE): 5.6 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
CVE-2022-27776 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Affected Products:
SUSE Linux Enterprise Desktop 15-SP3
SUSE Linux Enterprise High Performance Computing 15-SP3
SUSE Linux Enterprise Micro 5.1
SUSE Linux Enterprise Micro 5.2
SUSE Linux Enterprise Module for Basesystem 15-SP3
SUSE Linux Enterprise Server 15-SP3
SUSE Linux Enterprise Server for SAP Applications 15-SP3
SUSE Manager Proxy 4.2
SUSE Manager Server 4.2
openSUSE Leap 15.3
______________________________________________________________________________
An update that fixes three vulnerabilities is now available.
Description:
This update for curl fixes the following issues:
- CVE-2022-27776: Fixed auth/cookie leak on redirect (bsc#1198766)
- CVE-2022-27775: Fixed bad local IPv6 connection reuse (bsc#1198723)
- CVE-2022-22576: Fixed OAUTH2 bearer bypass in connection re-use
(bsc#1198614)
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.3:
zypper in -t patch openSUSE-SLE-15.3-2022-1657=1
- SUSE Linux Enterprise Module for Basesystem 15-SP3:
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2022-1657=1
- SUSE Linux Enterprise Micro 5.2:
zypper in -t patch SUSE-SUSE-MicroOS-5.2-2022-1657=1
- SUSE Linux Enterprise Micro 5.1:
zypper in -t patch SUSE-SUSE-MicroOS-5.1-2022-1657=1
Package List:
- openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):
curl-7.66.0-150200.4.30.1
curl-debuginfo-7.66.0-150200.4.30.1
curl-debugsource-7.66.0-150200.4.30.1
libcurl-devel-7.66.0-150200.4.30.1
libcurl4-7.66.0-150200.4.30.1
libcurl4-debuginfo-7.66.0-150200.4.30.1
- openSUSE Leap 15.3 (x86_64):
libcurl-devel-32bit-7.66.0-150200.4.30.1
libcurl4-32bit-7.66.0-150200.4.30.1
libcurl4-32bit-debuginfo-7.66.0-150200.4.30.1
- SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64):
curl-7.66.0-150200.4.30.1
curl-debuginfo-7.66.0-150200.4.30.1
curl-debugsource-7.66.0-150200.4.30.1
libcurl-devel-7.66.0-150200.4.30.1
libcurl4-7.66.0-150200.4.30.1
libcurl4-debuginfo-7.66.0-150200.4.30.1
- SUSE Linux Enterprise Module for Basesystem 15-SP3 (x86_64):
libcurl4-32bit-7.66.0-150200.4.30.1
libcurl4-32bit-debuginfo-7.66.0-150200.4.30.1
- SUSE Linux Enterprise Micro 5.2 (aarch64 s390x x86_64):
curl-7.66.0-150200.4.30.1
curl-debuginfo-7.66.0-150200.4.30.1
curl-debugsource-7.66.0-150200.4.30.1
libcurl4-7.66.0-150200.4.30.1
libcurl4-debuginfo-7.66.0-150200.4.30.1
- SUSE Linux Enterprise Micro 5.1 (aarch64 s390x x86_64):
curl-7.66.0-150200.4.30.1
curl-debuginfo-7.66.0-150200.4.30.1
curl-debugsource-7.66.0-150200.4.30.1
libcurl4-7.66.0-150200.4.30.1
libcurl4-debuginfo-7.66.0-150200.4.30.1
References:
https://www.suse.com/security/cve/CVE-2022-22576.html
https://www.suse.com/security/cve/CVE-2022-27775.html
https://www.suse.com/security/cve/CVE-2022-27776.html
https://bugzilla.suse.com/1198614
https://bugzilla.suse.com/1198723
https://bugzilla.suse.com/1198766
SUSE-SU-2022:1644-1: important: Security update for clamav
by opensuse-security@opensuse.org 12 May '22
SUSE Security Update: Security update for clamav
______________________________________________________________________________
Announcement ID: SUSE-SU-2022:1644-1
Rating: important
References: #1199242 #1199244 #1199245 #1199246 #1199274
Cross-References: CVE-2022-20770 CVE-2022-20771 CVE-2022-20785
CVE-2022-20792 CVE-2022-20796
CVSS scores:
CVE-2022-20770 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CVE-2022-20771 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2022-20785 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2022-20792 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2022-20796 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
SUSE Linux Enterprise Desktop 15-SP3
SUSE Linux Enterprise Desktop 15-SP4
SUSE Linux Enterprise High Performance Computing 15-SP3
SUSE Linux Enterprise High Performance Computing 15-SP4
SUSE Linux Enterprise Module for Basesystem 15-SP3
SUSE Linux Enterprise Module for Basesystem 15-SP4
SUSE Linux Enterprise Server 15-SP3
SUSE Linux Enterprise Server 15-SP4
SUSE Linux Enterprise Server for SAP Applications 15-SP3
SUSE Linux Enterprise Server for SAP Applications 15-SP4
SUSE Manager Proxy 4.2
SUSE Manager Server 4.2
openSUSE Leap 15.3
openSUSE Leap 15.4
______________________________________________________________________________
An update that fixes 5 vulnerabilities is now available.
Description:
This update for clamav fixes the following issues:
- CVE-2022-20770: Fixed a possible infinite loop vulnerability in the CHM
file parser (bsc#1199242).
- CVE-2022-20796: Fixed a possible NULL-pointer dereference crash in the
scan verdict cache check (bsc#1199246).
- CVE-2022-20771: Fixed a possible infinite loop vulnerability in the TIFF
file parser (bsc#1199244).
- CVE-2022-20785: Fixed a possible memory leak in the HTML file parser /
Javascript normalizer (bsc#1199245).
- CVE-2022-20792: Fixed a possible multi-byte heap buffer overflow write
vulnerability in the signature database load module (bsc#1199274).
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.4:
zypper in -t patch openSUSE-SLE-15.4-2022-1644=1
- openSUSE Leap 15.3:
zypper in -t patch openSUSE-SLE-15.3-2022-1644=1
- SUSE Linux Enterprise Module for Basesystem 15-SP4:
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP4-2022-1644=1
- SUSE Linux Enterprise Module for Basesystem 15-SP3:
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2022-1644=1
Package List:
- openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64):
clamav-0.103.6-150000.3.38.1
clamav-debuginfo-0.103.6-150000.3.38.1
clamav-debugsource-0.103.6-150000.3.38.1
clamav-devel-0.103.6-150000.3.38.1
libclamav9-0.103.6-150000.3.38.1
libclamav9-debuginfo-0.103.6-150000.3.38.1
libfreshclam2-0.103.6-150000.3.38.1
libfreshclam2-debuginfo-0.103.6-150000.3.38.1
- openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):
clamav-0.103.6-150000.3.38.1
clamav-debuginfo-0.103.6-150000.3.38.1
clamav-debugsource-0.103.6-150000.3.38.1
clamav-devel-0.103.6-150000.3.38.1
libclamav9-0.103.6-150000.3.38.1
libclamav9-debuginfo-0.103.6-150000.3.38.1
libfreshclam2-0.103.6-150000.3.38.1
libfreshclam2-debuginfo-0.103.6-150000.3.38.1
- SUSE Linux Enterprise Module for Basesystem 15-SP4 (aarch64 ppc64le s390x x86_64):
clamav-0.103.6-150000.3.38.1
clamav-debuginfo-0.103.6-150000.3.38.1
clamav-debugsource-0.103.6-150000.3.38.1
clamav-devel-0.103.6-150000.3.38.1
libclamav9-0.103.6-150000.3.38.1
libclamav9-debuginfo-0.103.6-150000.3.38.1
libfreshclam2-0.103.6-150000.3.38.1
libfreshclam2-debuginfo-0.103.6-150000.3.38.1
- SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64):
clamav-0.103.6-150000.3.38.1
clamav-debuginfo-0.103.6-150000.3.38.1
clamav-debugsource-0.103.6-150000.3.38.1
clamav-devel-0.103.6-150000.3.38.1
libclamav9-0.103.6-150000.3.38.1
libclamav9-debuginfo-0.103.6-150000.3.38.1
libfreshclam2-0.103.6-150000.3.38.1
libfreshclam2-debuginfo-0.103.6-150000.3.38.1
References:
https://www.suse.com/security/cve/CVE-2022-20770.html
https://www.suse.com/security/cve/CVE-2022-20771.html
https://www.suse.com/security/cve/CVE-2022-20785.html
https://www.suse.com/security/cve/CVE-2022-20792.html
https://www.suse.com/security/cve/CVE-2022-20796.html
https://bugzilla.suse.com/1199242
https://bugzilla.suse.com/1199244
https://bugzilla.suse.com/1199245
https://bugzilla.suse.com/1199246
https://bugzilla.suse.com/1199274
SUSE-SU-2022:1617-1: important: Security update for gzip
by opensuse-security@opensuse.org 10 May '22
SUSE Security Update: Security update for gzip
______________________________________________________________________________
Announcement ID: SUSE-SU-2022:1617-1
Rating: important
References: #1198062 #1198922
Cross-References: CVE-2022-1271
CVSS scores:
CVE-2022-1271 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:
SUSE Enterprise Storage 7
SUSE Linux Enterprise Desktop 15-SP3
SUSE Linux Enterprise Desktop 15-SP4
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS
SUSE Linux Enterprise High Performance Computing 15-SP3
SUSE Linux Enterprise High Performance Computing 15-SP4
SUSE Linux Enterprise Micro 5.0
SUSE Linux Enterprise Micro 5.1
SUSE Linux Enterprise Micro 5.2
SUSE Linux Enterprise Module for Basesystem 15-SP3
SUSE Linux Enterprise Module for Basesystem 15-SP4
SUSE Linux Enterprise Realtime Extension 15-SP2
SUSE Linux Enterprise Server 15-SP2-BCL
SUSE Linux Enterprise Server 15-SP2-LTSS
SUSE Linux Enterprise Server 15-SP3
SUSE Linux Enterprise Server 15-SP4
SUSE Linux Enterprise Server for SAP 15-SP2
SUSE Linux Enterprise Server for SAP Applications 15-SP3
SUSE Linux Enterprise Server for SAP Applications 15-SP4
SUSE Manager Proxy 4.1
SUSE Manager Proxy 4.2
SUSE Manager Retail Branch Server 4.1
SUSE Manager Server 4.1
SUSE Manager Server 4.2
openSUSE Leap 15.3
openSUSE Leap 15.4
______________________________________________________________________________
An update that solves one vulnerability and has one errata
is now available.
Description:
This update for gzip fixes the following issues:
- CVE-2022-1271: Fix escaping of malicious filenames. (bsc#1198062)
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.4:
zypper in -t patch openSUSE-SLE-15.4-2022-1617=1
- openSUSE Leap 15.3:
zypper in -t patch openSUSE-SLE-15.3-2022-1617=1
- SUSE Manager Server 4.1:
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.1-2022-1617=1
- SUSE Manager Retail Branch Server 4.1:
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.1-2022-1617=1
- SUSE Manager Proxy 4.1:
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.1-2022-1617=1
- SUSE Linux Enterprise Server for SAP 15-SP2:
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2022-1617=1
- SUSE Linux Enterprise Server 15-SP2-LTSS:
zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2022-1617=1
- SUSE Linux Enterprise Server 15-SP2-BCL:
zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-BCL-2022-1617=1
- SUSE Linux Enterprise Realtime Extension 15-SP2:
zypper in -t patch SUSE-SLE-Product-RT-15-SP2-2022-1617=1
- SUSE Linux Enterprise Module for Basesystem 15-SP4:
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP4-2022-1617=1
- SUSE Linux Enterprise Module for Basesystem 15-SP3:
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2022-1617=1
- SUSE Linux Enterprise Micro 5.2:
zypper in -t patch SUSE-SUSE-MicroOS-5.2-2022-1617=1
- SUSE Linux Enterprise Micro 5.1:
zypper in -t patch SUSE-SUSE-MicroOS-5.1-2022-1617=1
- SUSE Linux Enterprise Micro 5.0:
zypper in -t patch SUSE-SUSE-MicroOS-5.0-2022-1617=1
- SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS:
zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2022-1617=1
- SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS:
zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-ESPOS-2022-1617=1
- SUSE Enterprise Storage 7:
zypper in -t patch SUSE-Storage-7-2022-1617=1
Package List:
- openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64):
gzip-1.10-150200.10.1
gzip-debuginfo-1.10-150200.10.1
gzip-debugsource-1.10-150200.10.1
- openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):
gzip-1.10-150200.10.1
gzip-debuginfo-1.10-150200.10.1
gzip-debugsource-1.10-150200.10.1
- SUSE Manager Server 4.1 (ppc64le s390x x86_64):
gzip-1.10-150200.10.1
gzip-debuginfo-1.10-150200.10.1
gzip-debugsource-1.10-150200.10.1
- SUSE Manager Retail Branch Server 4.1 (x86_64):
gzip-1.10-150200.10.1
gzip-debuginfo-1.10-150200.10.1
gzip-debugsource-1.10-150200.10.1
- SUSE Manager Proxy 4.1 (x86_64):
gzip-1.10-150200.10.1
gzip-debuginfo-1.10-150200.10.1
gzip-debugsource-1.10-150200.10.1
- SUSE Linux Enterprise Server for SAP 15-SP2 (ppc64le x86_64):
gzip-1.10-150200.10.1
gzip-debuginfo-1.10-150200.10.1
gzip-debugsource-1.10-150200.10.1
- SUSE Linux Enterprise Server 15-SP2-LTSS (aarch64 ppc64le s390x x86_64):
gzip-1.10-150200.10.1
gzip-debuginfo-1.10-150200.10.1
gzip-debugsource-1.10-150200.10.1
- SUSE Linux Enterprise Server 15-SP2-BCL (x86_64):
gzip-1.10-150200.10.1
gzip-debuginfo-1.10-150200.10.1
gzip-debugsource-1.10-150200.10.1
- SUSE Linux Enterprise Realtime Extension 15-SP2 (x86_64):
gzip-1.10-150200.10.1
gzip-debuginfo-1.10-150200.10.1
gzip-debugsource-1.10-150200.10.1
- SUSE Linux Enterprise Module for Basesystem 15-SP4 (aarch64 ppc64le s390x x86_64):
gzip-1.10-150200.10.1
gzip-debuginfo-1.10-150200.10.1
gzip-debugsource-1.10-150200.10.1
- SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64):
gzip-1.10-150200.10.1
gzip-debuginfo-1.10-150200.10.1
gzip-debugsource-1.10-150200.10.1
- SUSE Linux Enterprise Micro 5.2 (aarch64 s390x x86_64):
gzip-1.10-150200.10.1
gzip-debuginfo-1.10-150200.10.1
gzip-debugsource-1.10-150200.10.1
- SUSE Linux Enterprise Micro 5.1 (aarch64 s390x x86_64):
gzip-1.10-150200.10.1
gzip-debuginfo-1.10-150200.10.1
gzip-debugsource-1.10-150200.10.1
- SUSE Linux Enterprise Micro 5.0 (aarch64 x86_64):
gzip-1.10-150200.10.1
gzip-debuginfo-1.10-150200.10.1
gzip-debugsource-1.10-150200.10.1
- SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (aarch64 x86_64):
gzip-1.10-150200.10.1
gzip-debuginfo-1.10-150200.10.1
gzip-debugsource-1.10-150200.10.1
- SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (aarch64 x86_64):
gzip-1.10-150200.10.1
gzip-debuginfo-1.10-150200.10.1
gzip-debugsource-1.10-150200.10.1
- SUSE Enterprise Storage 7 (aarch64 x86_64):
gzip-1.10-150200.10.1
gzip-debuginfo-1.10-150200.10.1
gzip-debugsource-1.10-150200.10.1
References:
https://www.suse.com/security/cve/CVE-2022-1271.html
https://bugzilla.suse.com/1198062
https://bugzilla.suse.com/1198922
openSUSE-SU-2022:0132-1: important: Security update for php-composer
by opensuse-security@opensuse.org 10 May '22
openSUSE Security Update: Security update for php-composer
______________________________________________________________________________
Announcement ID: openSUSE-SU-2022:0132-1
Rating: important
References: #1198494
Cross-References: CVE-2021-41116 CVE-2022-24828
CVSS scores:
CVE-2021-41116 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2022-24828 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2022-24828 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products:
openSUSE Backports SLE-15-SP3
______________________________________________________________________________
An update that fixes two vulnerabilities is now available.
Description:
This update for php-composer fixes the following issues:
php-composer was updated to version 1.10.26:
* Security: Fixed command injection vulnerability in HgDriver/GitDriver:
CVE-2022-24828 boo#1198494
Update to version 1.10.25
* Fix regression with PHP 8.1.0 and 8.1.1
Update to version 1.10.24
* Fixed PHP 8.1 compatibility
Update to version 1.10.23
* Security: Fixed command injection vulnerability CVE-2021-41116
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP3:
zypper in -t patch openSUSE-2022-132=1
Package List:
- openSUSE Backports SLE-15-SP3 (noarch):
php-composer-1.10.26-bp153.2.6.1
References:
https://www.suse.com/security/cve/CVE-2021-41116.html
https://www.suse.com/security/cve/CVE-2022-24828.html
https://bugzilla.suse.com/1198494
SUSE-SU-2022:1583-1: important: Security update for rsyslog
by opensuse-security@opensuse.org 09 May '22
SUSE Security Update: Security update for rsyslog
______________________________________________________________________________
Announcement ID: SUSE-SU-2022:1583-1
Rating: important
References: #1199061
Cross-References: CVE-2022-24903
CVSS scores:
CVE-2022-24903 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:
SUSE Enterprise Storage 7
SUSE Linux Enterprise Desktop 15-SP3
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS
SUSE Linux Enterprise High Performance Computing 15-SP3
SUSE Linux Enterprise Module for Basesystem 15-SP3
SUSE Linux Enterprise Module for Server Applications 15-SP3
SUSE Linux Enterprise Realtime Extension 15-SP2
SUSE Linux Enterprise Server 15-SP2-BCL
SUSE Linux Enterprise Server 15-SP2-LTSS
SUSE Linux Enterprise Server 15-SP3
SUSE Linux Enterprise Server for SAP 15-SP2
SUSE Linux Enterprise Server for SAP Applications 15-SP3
SUSE Manager Proxy 4.1
SUSE Manager Proxy 4.2
SUSE Manager Retail Branch Server 4.1
SUSE Manager Server 4.1
SUSE Manager Server 4.2
openSUSE Leap 15.3
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for rsyslog fixes the following issues:
- CVE-2022-24903: Fixed potential heap buffer overflow in modules for TCP
syslog reception (bsc#1199061).
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.3:
zypper in -t patch openSUSE-SLE-15.3-2022-1583=1
- SUSE Manager Server 4.1:
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.1-2022-1583=1
- SUSE Manager Retail Branch Server 4.1:
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.1-2022-1583=1
- SUSE Manager Proxy 4.1:
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.1-2022-1583=1
- SUSE Linux Enterprise Server for SAP 15-SP2:
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2022-1583=1
- SUSE Linux Enterprise Server 15-SP2-LTSS:
zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2022-1583=1
- SUSE Linux Enterprise Server 15-SP2-BCL:
zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-BCL-2022-1583=1
- SUSE Linux Enterprise Realtime Extension 15-SP2:
zypper in -t patch SUSE-SLE-Product-RT-15-SP2-2022-1583=1
- SUSE Linux Enterprise Module for Server Applications 15-SP3:
zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP3-2022-1583=1
- SUSE Linux Enterprise Module for Basesystem 15-SP3:
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2022-1583=1
- SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS:
zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2022-1583=1
- SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS:
zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-ESPOS-2022-1583=1
- SUSE Enterprise Storage 7:
zypper in -t patch SUSE-Storage-7-2022-1583=1
Package List:
- openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):
rsyslog-8.2106.0-150200.4.26.1
rsyslog-debuginfo-8.2106.0-150200.4.26.1
rsyslog-debugsource-8.2106.0-150200.4.26.1
rsyslog-diag-tools-8.2106.0-150200.4.26.1
rsyslog-diag-tools-debuginfo-8.2106.0-150200.4.26.1
rsyslog-doc-8.2106.0-150200.4.26.1
rsyslog-module-dbi-8.2106.0-150200.4.26.1
rsyslog-module-dbi-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-elasticsearch-8.2106.0-150200.4.26.1
rsyslog-module-elasticsearch-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-gcrypt-8.2106.0-150200.4.26.1
rsyslog-module-gcrypt-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-gssapi-8.2106.0-150200.4.26.1
rsyslog-module-gssapi-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-gtls-8.2106.0-150200.4.26.1
rsyslog-module-gtls-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-mmnormalize-8.2106.0-150200.4.26.1
rsyslog-module-mmnormalize-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-mysql-8.2106.0-150200.4.26.1
rsyslog-module-mysql-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-omamqp1-8.2106.0-150200.4.26.1
rsyslog-module-omamqp1-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-omhttpfs-8.2106.0-150200.4.26.1
rsyslog-module-omhttpfs-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-omtcl-8.2106.0-150200.4.26.1
rsyslog-module-omtcl-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-ossl-8.2106.0-150200.4.26.1
rsyslog-module-ossl-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-pgsql-8.2106.0-150200.4.26.1
rsyslog-module-pgsql-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-relp-8.2106.0-150200.4.26.1
rsyslog-module-relp-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-snmp-8.2106.0-150200.4.26.1
rsyslog-module-snmp-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-udpspoof-8.2106.0-150200.4.26.1
rsyslog-module-udpspoof-debuginfo-8.2106.0-150200.4.26.1
- SUSE Manager Server 4.1 (ppc64le s390x x86_64):
rsyslog-8.2106.0-150200.4.26.1
rsyslog-debuginfo-8.2106.0-150200.4.26.1
rsyslog-debugsource-8.2106.0-150200.4.26.1
rsyslog-module-gssapi-8.2106.0-150200.4.26.1
rsyslog-module-gssapi-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-gtls-8.2106.0-150200.4.26.1
rsyslog-module-gtls-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-mmnormalize-8.2106.0-150200.4.26.1
rsyslog-module-mmnormalize-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-mysql-8.2106.0-150200.4.26.1
rsyslog-module-mysql-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-pgsql-8.2106.0-150200.4.26.1
rsyslog-module-pgsql-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-relp-8.2106.0-150200.4.26.1
rsyslog-module-relp-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-snmp-8.2106.0-150200.4.26.1
rsyslog-module-snmp-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-udpspoof-8.2106.0-150200.4.26.1
rsyslog-module-udpspoof-debuginfo-8.2106.0-150200.4.26.1
- SUSE Manager Retail Branch Server 4.1 (x86_64):
rsyslog-8.2106.0-150200.4.26.1
rsyslog-debuginfo-8.2106.0-150200.4.26.1
rsyslog-debugsource-8.2106.0-150200.4.26.1
rsyslog-module-gssapi-8.2106.0-150200.4.26.1
rsyslog-module-gssapi-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-gtls-8.2106.0-150200.4.26.1
rsyslog-module-gtls-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-mmnormalize-8.2106.0-150200.4.26.1
rsyslog-module-mmnormalize-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-mysql-8.2106.0-150200.4.26.1
rsyslog-module-mysql-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-pgsql-8.2106.0-150200.4.26.1
rsyslog-module-pgsql-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-relp-8.2106.0-150200.4.26.1
rsyslog-module-relp-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-snmp-8.2106.0-150200.4.26.1
rsyslog-module-snmp-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-udpspoof-8.2106.0-150200.4.26.1
rsyslog-module-udpspoof-debuginfo-8.2106.0-150200.4.26.1
- SUSE Manager Proxy 4.1 (x86_64):
rsyslog-8.2106.0-150200.4.26.1
rsyslog-debuginfo-8.2106.0-150200.4.26.1
rsyslog-debugsource-8.2106.0-150200.4.26.1
rsyslog-module-gssapi-8.2106.0-150200.4.26.1
rsyslog-module-gssapi-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-gtls-8.2106.0-150200.4.26.1
rsyslog-module-gtls-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-mmnormalize-8.2106.0-150200.4.26.1
rsyslog-module-mmnormalize-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-mysql-8.2106.0-150200.4.26.1
rsyslog-module-mysql-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-pgsql-8.2106.0-150200.4.26.1
rsyslog-module-pgsql-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-relp-8.2106.0-150200.4.26.1
rsyslog-module-relp-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-snmp-8.2106.0-150200.4.26.1
rsyslog-module-snmp-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-udpspoof-8.2106.0-150200.4.26.1
rsyslog-module-udpspoof-debuginfo-8.2106.0-150200.4.26.1
- SUSE Linux Enterprise Server for SAP 15-SP2 (ppc64le x86_64):
rsyslog-8.2106.0-150200.4.26.1
rsyslog-debuginfo-8.2106.0-150200.4.26.1
rsyslog-debugsource-8.2106.0-150200.4.26.1
rsyslog-module-gssapi-8.2106.0-150200.4.26.1
rsyslog-module-gssapi-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-gtls-8.2106.0-150200.4.26.1
rsyslog-module-gtls-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-mmnormalize-8.2106.0-150200.4.26.1
rsyslog-module-mmnormalize-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-mysql-8.2106.0-150200.4.26.1
rsyslog-module-mysql-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-pgsql-8.2106.0-150200.4.26.1
rsyslog-module-pgsql-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-relp-8.2106.0-150200.4.26.1
rsyslog-module-relp-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-snmp-8.2106.0-150200.4.26.1
rsyslog-module-snmp-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-udpspoof-8.2106.0-150200.4.26.1
rsyslog-module-udpspoof-debuginfo-8.2106.0-150200.4.26.1
- SUSE Linux Enterprise Server 15-SP2-LTSS (aarch64 ppc64le s390x x86_64):
rsyslog-8.2106.0-150200.4.26.1
rsyslog-debuginfo-8.2106.0-150200.4.26.1
rsyslog-debugsource-8.2106.0-150200.4.26.1
rsyslog-module-gssapi-8.2106.0-150200.4.26.1
rsyslog-module-gssapi-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-gtls-8.2106.0-150200.4.26.1
rsyslog-module-gtls-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-mmnormalize-8.2106.0-150200.4.26.1
rsyslog-module-mmnormalize-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-mysql-8.2106.0-150200.4.26.1
rsyslog-module-mysql-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-pgsql-8.2106.0-150200.4.26.1
rsyslog-module-pgsql-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-relp-8.2106.0-150200.4.26.1
rsyslog-module-relp-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-snmp-8.2106.0-150200.4.26.1
rsyslog-module-snmp-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-udpspoof-8.2106.0-150200.4.26.1
rsyslog-module-udpspoof-debuginfo-8.2106.0-150200.4.26.1
- SUSE Linux Enterprise Server 15-SP2-BCL (x86_64):
rsyslog-8.2106.0-150200.4.26.1
rsyslog-debuginfo-8.2106.0-150200.4.26.1
rsyslog-debugsource-8.2106.0-150200.4.26.1
rsyslog-module-gssapi-8.2106.0-150200.4.26.1
rsyslog-module-gssapi-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-gtls-8.2106.0-150200.4.26.1
rsyslog-module-gtls-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-mmnormalize-8.2106.0-150200.4.26.1
rsyslog-module-mmnormalize-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-mysql-8.2106.0-150200.4.26.1
rsyslog-module-mysql-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-pgsql-8.2106.0-150200.4.26.1
rsyslog-module-pgsql-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-relp-8.2106.0-150200.4.26.1
rsyslog-module-relp-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-snmp-8.2106.0-150200.4.26.1
rsyslog-module-snmp-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-udpspoof-8.2106.0-150200.4.26.1
rsyslog-module-udpspoof-debuginfo-8.2106.0-150200.4.26.1
- SUSE Linux Enterprise Realtime Extension 15-SP2 (x86_64):
rsyslog-8.2106.0-150200.4.26.1
rsyslog-debuginfo-8.2106.0-150200.4.26.1
rsyslog-debugsource-8.2106.0-150200.4.26.1
rsyslog-module-gssapi-8.2106.0-150200.4.26.1
rsyslog-module-gssapi-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-gtls-8.2106.0-150200.4.26.1
rsyslog-module-gtls-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-mmnormalize-8.2106.0-150200.4.26.1
rsyslog-module-mmnormalize-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-mysql-8.2106.0-150200.4.26.1
rsyslog-module-mysql-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-pgsql-8.2106.0-150200.4.26.1
rsyslog-module-pgsql-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-relp-8.2106.0-150200.4.26.1
rsyslog-module-relp-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-snmp-8.2106.0-150200.4.26.1
rsyslog-module-snmp-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-udpspoof-8.2106.0-150200.4.26.1
rsyslog-module-udpspoof-debuginfo-8.2106.0-150200.4.26.1
- SUSE Linux Enterprise Module for Server Applications 15-SP3 (aarch64 ppc64le s390x x86_64):
rsyslog-debuginfo-8.2106.0-150200.4.26.1
rsyslog-debugsource-8.2106.0-150200.4.26.1
rsyslog-module-gssapi-8.2106.0-150200.4.26.1
rsyslog-module-gssapi-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-gtls-8.2106.0-150200.4.26.1
rsyslog-module-gtls-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-mmnormalize-8.2106.0-150200.4.26.1
rsyslog-module-mmnormalize-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-mysql-8.2106.0-150200.4.26.1
rsyslog-module-mysql-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-pgsql-8.2106.0-150200.4.26.1
rsyslog-module-pgsql-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-relp-8.2106.0-150200.4.26.1
rsyslog-module-relp-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-snmp-8.2106.0-150200.4.26.1
rsyslog-module-snmp-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-udpspoof-8.2106.0-150200.4.26.1
rsyslog-module-udpspoof-debuginfo-8.2106.0-150200.4.26.1
- SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64):
rsyslog-8.2106.0-150200.4.26.1
rsyslog-debuginfo-8.2106.0-150200.4.26.1
rsyslog-debugsource-8.2106.0-150200.4.26.1
- SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (aarch64 x86_64):
rsyslog-8.2106.0-150200.4.26.1
rsyslog-debuginfo-8.2106.0-150200.4.26.1
rsyslog-debugsource-8.2106.0-150200.4.26.1
rsyslog-module-gssapi-8.2106.0-150200.4.26.1
rsyslog-module-gssapi-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-gtls-8.2106.0-150200.4.26.1
rsyslog-module-gtls-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-mmnormalize-8.2106.0-150200.4.26.1
rsyslog-module-mmnormalize-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-mysql-8.2106.0-150200.4.26.1
rsyslog-module-mysql-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-pgsql-8.2106.0-150200.4.26.1
rsyslog-module-pgsql-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-relp-8.2106.0-150200.4.26.1
rsyslog-module-relp-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-snmp-8.2106.0-150200.4.26.1
rsyslog-module-snmp-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-udpspoof-8.2106.0-150200.4.26.1
rsyslog-module-udpspoof-debuginfo-8.2106.0-150200.4.26.1
- SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (aarch64 x86_64):
rsyslog-8.2106.0-150200.4.26.1
rsyslog-debuginfo-8.2106.0-150200.4.26.1
rsyslog-debugsource-8.2106.0-150200.4.26.1
rsyslog-module-gssapi-8.2106.0-150200.4.26.1
rsyslog-module-gssapi-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-gtls-8.2106.0-150200.4.26.1
rsyslog-module-gtls-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-mmnormalize-8.2106.0-150200.4.26.1
rsyslog-module-mmnormalize-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-mysql-8.2106.0-150200.4.26.1
rsyslog-module-mysql-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-pgsql-8.2106.0-150200.4.26.1
rsyslog-module-pgsql-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-relp-8.2106.0-150200.4.26.1
rsyslog-module-relp-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-snmp-8.2106.0-150200.4.26.1
rsyslog-module-snmp-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-udpspoof-8.2106.0-150200.4.26.1
rsyslog-module-udpspoof-debuginfo-8.2106.0-150200.4.26.1
- SUSE Enterprise Storage 7 (aarch64 x86_64):
rsyslog-8.2106.0-150200.4.26.1
rsyslog-debuginfo-8.2106.0-150200.4.26.1
rsyslog-debugsource-8.2106.0-150200.4.26.1
rsyslog-module-gssapi-8.2106.0-150200.4.26.1
rsyslog-module-gssapi-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-gtls-8.2106.0-150200.4.26.1
rsyslog-module-gtls-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-mmnormalize-8.2106.0-150200.4.26.1
rsyslog-module-mmnormalize-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-mysql-8.2106.0-150200.4.26.1
rsyslog-module-mysql-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-pgsql-8.2106.0-150200.4.26.1
rsyslog-module-pgsql-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-relp-8.2106.0-150200.4.26.1
rsyslog-module-relp-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-snmp-8.2106.0-150200.4.26.1
rsyslog-module-snmp-debuginfo-8.2106.0-150200.4.26.1
rsyslog-module-udpspoof-8.2106.0-150200.4.26.1
rsyslog-module-udpspoof-debuginfo-8.2106.0-150200.4.26.1
References:
https://www.suse.com/security/cve/CVE-2022-24903.html
https://bugzilla.suse.com/1199061
09 May '22
SUSE Security Update: Security update for ldb
______________________________________________________________________________
Announcement ID: SUSE-SU-2022:1576-1
Rating: low
References: #1198397
Cross-References: CVE-2021-3670
CVSS scores:
CVE-2021-3670 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Affected Products:
SUSE Enterprise Storage 7.1
SUSE Linux Enterprise Desktop 15-SP3
SUSE Linux Enterprise High Performance Computing 15-SP3
SUSE Linux Enterprise Micro 5.1
SUSE Linux Enterprise Micro 5.2
SUSE Linux Enterprise Module for Basesystem 15-SP3
SUSE Linux Enterprise Server 15-SP3
SUSE Linux Enterprise Server for SAP Applications 15-SP3
SUSE Manager Proxy 4.2
SUSE Manager Server 4.2
openSUSE Leap 15.3
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for ldb fixes the following issues:
- Update to version 2.4.2
- CVE-2021-3670: Fixed an issue where the LDAP server MaxQueryDuration
value would not be honoured (bsc#1198397).
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.3:
zypper in -t patch openSUSE-SLE-15.3-2022-1576=1
- SUSE Linux Enterprise Module for Basesystem 15-SP3:
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2022-1576=1
- SUSE Linux Enterprise Micro 5.2:
zypper in -t patch SUSE-SUSE-MicroOS-5.2-2022-1576=1
- SUSE Linux Enterprise Micro 5.1:
zypper in -t patch SUSE-SUSE-MicroOS-5.1-2022-1576=1
- SUSE Enterprise Storage 7.1:
zypper in -t patch SUSE-Storage-7.1-2022-1576=1
Package List:
- openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):
ldb-debugsource-2.4.2-150300.3.15.1
ldb-tools-2.4.2-150300.3.15.1
ldb-tools-debuginfo-2.4.2-150300.3.15.1
libldb-devel-2.4.2-150300.3.15.1
libldb2-2.4.2-150300.3.15.1
libldb2-debuginfo-2.4.2-150300.3.15.1
python3-ldb-2.4.2-150300.3.15.1
python3-ldb-debuginfo-2.4.2-150300.3.15.1
python3-ldb-devel-2.4.2-150300.3.15.1
- openSUSE Leap 15.3 (x86_64):
libldb2-32bit-2.4.2-150300.3.15.1
libldb2-32bit-debuginfo-2.4.2-150300.3.15.1
python3-ldb-32bit-2.4.2-150300.3.15.1
python3-ldb-32bit-debuginfo-2.4.2-150300.3.15.1
- SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64):
ldb-debugsource-2.4.2-150300.3.15.1
ldb-tools-2.4.2-150300.3.15.1
ldb-tools-debuginfo-2.4.2-150300.3.15.1
libldb-devel-2.4.2-150300.3.15.1
libldb2-2.4.2-150300.3.15.1
libldb2-debuginfo-2.4.2-150300.3.15.1
python3-ldb-2.4.2-150300.3.15.1
python3-ldb-debuginfo-2.4.2-150300.3.15.1
python3-ldb-devel-2.4.2-150300.3.15.1
- SUSE Linux Enterprise Module for Basesystem 15-SP3 (x86_64):
libldb2-32bit-2.4.2-150300.3.15.1
libldb2-32bit-debuginfo-2.4.2-150300.3.15.1
- SUSE Linux Enterprise Micro 5.2 (aarch64 s390x x86_64):
ldb-debugsource-2.4.2-150300.3.15.1
libldb2-2.4.2-150300.3.15.1
libldb2-debuginfo-2.4.2-150300.3.15.1
- SUSE Linux Enterprise Micro 5.1 (aarch64 s390x x86_64):
ldb-debugsource-2.4.2-150300.3.15.1
libldb2-2.4.2-150300.3.15.1
libldb2-debuginfo-2.4.2-150300.3.15.1
- SUSE Enterprise Storage 7.1 (aarch64 x86_64):
ldb-debugsource-2.4.2-150300.3.15.1
libldb2-2.4.2-150300.3.15.1
libldb2-debuginfo-2.4.2-150300.3.15.1
python3-ldb-2.4.2-150300.3.15.1
python3-ldb-debuginfo-2.4.2-150300.3.15.1
References:
https://www.suse.com/security/cve/CVE-2021-3670.html
https://bugzilla.suse.com/1198397