[security-announce] SUSE-SU-2017:2470-1: important: Security update for CaaS Platform 1.0 images

14 Sep 2017

      SUSE Security Update: Security update for CaaS Platform 1.0 images
______________________________________________________________________________

Announcement ID:    SUSE-SU-2017:2470-1
Rating:             important
References:         #1004995 #1009745 #1014471 #1017420 #1019637 
                    #1026825 #1027079 #1027688 #1027908 #1028281 
                    #1028723 #1029523 #1031756 #1032706 #1033236 
                    #1035062 #1036659 #1038132 #1038444 #1038984 
                    #1042392 #1043218 #1043333 #1044095 #1044107 
                    #1044175 #1044840 #1045384 #1045735 #1045987 
                    #1046268 #1046417 #1046659 #1046853 #1046858 
                    #1047008 #1047236 #1047240 #1047310 #1047379 
                    #1047785 #1047964 #1047965 #1048315 #1048483 
                    #1048605 #1048679 #1048715 #1049344 #1050396 
                    #1050484 #1051626 #1051643 #1051644 #1052030 
                    #1052759 #1053409 #874665 #902364 #938657 
                    #944903 #954661 #960820 #963041 
Cross-References:   CVE-2013-7459 CVE-2016-9063 CVE-2017-1000100
                    CVE-2017-1000101 CVE-2017-10684 CVE-2017-10685
                    CVE-2017-11112 CVE-2017-11113 CVE-2017-3308
                    CVE-2017-3309 CVE-2017-3453 CVE-2017-3456
                    CVE-2017-3464 CVE-2017-7435 CVE-2017-7436
                    CVE-2017-8872 CVE-2017-9233 CVE-2017-9269

Affected Products:
                    SUSE Container as a Service Platform ALL
______________________________________________________________________________

   An update that solves 18 vulnerabilities and has 46 fixes
   is now available.

Description:

   The Docker images provided with SUSE CaaS Platform 1.0 have been updated
   to include the following updates:

   libzypp:

   - CVE-2017-7435, CVE-2017-7436, CVE-2017-9269: Fix GPG check workflows,
     mainly for unsigned repositories and packages. (bsc#1045735, bsc#1038984)
   - Fix gpg-pubkey release (creation time) computation. (bsc#1036659)
   - Update lsof blacklist. (bsc#1046417)
   - Re-probe on refresh if the repository type changes. (bsc#1048315)
   - Propagate proper error code to DownloadProgressReport. (bsc#1047785)
   - Allow to trigger an appdata refresh unconditionally. (bsc#1009745)
   - Support custom repo variables defined in /etc/zypp/vars.d.
   - Adapt loop mounting of ISO images. (bsc#1038132, bsc#1033236)
   - Fix potential crash if repository has no baseurl. (bsc#1043218)

   zypper:

   - CVE-2017-7436: Adapt download callback to report and handle unsigned
     packages. (bsc#1038984)
   - Report missing/optional files as 'not found' rather than 'error'.
     (bsc#1047785)
   - Document support for custom repository variables defined in
     /etc/zypp/vars.d.
   - Emphasize that it depends on how fast PackageKit will respond to a
     'quit' request sent if PK blocks package management.

   libgcrypt:

   - Fix infinite loop in gnome-keyring-daemon caused by attempt to read from
     random device left open by libgcrypt. (bsc#1043333)
   - Avoid seeding the DRBG during FIPS power-up selftests. (bsc#1046659)
   - Fix a bug in gcry_drbg_healthcheck_sanity() which caused skipping some
     of the tests. (bsc#1046659)
   - dlsym returns PLT address on s390x, dlopen libgcrypt20.so before calling
     dlsym. (bsc#1047008)

   lua51:

   - Add Lua(API) and Lua(devel) symbols to fix building of lua51-luasocket.
     (bsc#1051626)

   cyrus-sasl:

   - Fix unknown authentication mechanism: kerberos5 (bsc#1026825)
   - Really use SASLAUTHD_PARAMS variable (bsc#938657)
   - Make sure /usr/sbin/rcsaslauthd exists
   - Add /usr/sbin/rcsaslauthd symbolic link to /usr/sbin/service
     (bsc#1014471)
   - Silence "GSSAPI client step 1" debug log message (bsc#1044840)

   libxml2:

   - CVE-2017-8872: Out-of-bounds read in htmlParseTryOrFinish. (bsc#1038444)

   curl:

   - CVE-2017-1000100: TFP sends more than buffer size and it could lead to a
     denial of service. (bsc#1051644)
   - CVE-2017-1000101: URL globbing out of bounds read could lead to a denial
     of service. (bsc#1051643)

   ncurses:

   - CVE-2017-11112: Illegal address access in append_acs. (bsc#1047964)
   - CVE-2017-11113: Dereferencing NULL pointer in _nc_parse_entry.
     (bsc#1047965)
   - CVE-2017-10684, CVE-2017-10685: Add modified upstream fix from ncurses
     6.0 to avoid broken termcap format (bsc#1046853, bsc#1046858,
     bsc#1049344)

   sed:

   - Don't terminate with a segmentation fault if close of last file
     descriptor fails. (bsc#954661)

   openssl:

   - Remove DES-CBC3-SHA based ciphers from DEFAULT_SUSE to address SWEET32
     problem. (bsc#1027908)
   - Use getrandom syscall instead of reading from /dev/urandom to get at
     least 128 bits of entropy to comply with FIPS 140.2 IG 7.14.
     (bsc#1027079 bsc#1044175)
   - Fix x86 extended feature detection (bsc#1029523)
   - Allow runtime switching of s390x capabilities via the "OPENSSL_s390xcap"
     environmental variable. (bsc#1028723)
   - Add back certificate initialization set_cert_key_stuff() which was
     removed in a previous update. (bsc#1028281)
   - Fix a bug in XTS key handling. (bsc#1019637)
   - Don't run FIPS power-up self-tests when the checksum files aren't
     installed. (bsc#1042392)

   procps:

   - Don't set buffering on invalid file descriptor. (bsc#1053409)

   expat:

   - CVE-2016-9063: Possible integer overflow to fix inside XML_Parse leading
     to unexpected behaviour. (bsc#1047240)
   - CVE-2017-9233: External Entity Vulnerability could lead to denial of
     service. (bsc#1047236)

   systemd:

   - Revert fix for bsc#1004995 which could have caused boot failure on LVM
     (bsc#1048605)
   - compat-rules: drop the bogus 'import everything' rule (bsc#1046268)
   - core: use an AF_UNIX/SOCK_DGRAM socket for cgroup agent notification
     (bsc#1045384 bsc#1047379)
   - udev/path_id: introduce support for NVMe devices (bsc#1045987)
   - compat-rules: Don't rely on ID_SERIAL when generating 'by-id' links for
     NVMe devices. (bsc#1048679)
   - fstab-generator: Handle NFS "bg" mounts correctly. (bsc#874665,
     fate#323464)
   - timesyncd: Don't use compiled-in list if FallbackNTP has been configured
     explicitly.

   insserv-compat:

   - Add /etc/init.d hierarchy from former "filesystem" package. (bsc#1035062)
   - Fix directory argument parsing. (bsc#944903)
   - Add perl(Getopt::Long) to list of requirements.

   mariadb:

   - Update libmysqlclient18 from version 10.0.30 to 10.0.31.

   python-pycrypto:

   - CVE-2013-7459: Fixed a potential heap buffer overflow in ALGnew
     (bsc#1017420).

   velum:

   - Fix loopback IP for proxy exception during initial configuration.
     (bsc#1052759)
   - Set secure flag in cookie. (bsc#1050484)
   - Set VERSION to 1.0.0. (bsc#1050396)
   - Allow kubeconfig download when master is ready. (bsc#1048483)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Container as a Service Platform ALL:

      zypper in -t patch SUSE-CAASP-ALL-2017-1531=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Container as a Service Platform ALL (x86_64):

      container-feeder-0.0.0+20170901.git_r55_17ecbd3-2.3.3
      sles12-mariadb-docker-image-1.1.0-2.3.10
      sles12-pause-docker-image-1.1.0-2.3.11
      sles12-pv-recycler-node-docker-image-1.1.0-2.3.10
      sles12-salt-api-docker-image-1.1.0-2.3.9
      sles12-salt-master-docker-image-1.1.0-4.3.10
      sles12-salt-minion-docker-image-1.1.0-2.3.8
      sles12-velum-docker-image-1.1.0-4.3.9

   - SUSE Container as a Service Platform ALL (noarch):

      caasp-container-manifests-0.0.0+git_r155_93e40ab-2.3.3

References:

   https://www.suse.com/security/cve/CVE-2013-7459.html
   https://www.suse.com/security/cve/CVE-2016-9063.html
   https://www.suse.com/security/cve/CVE-2017-1000100.html
   https://www.suse.com/security/cve/CVE-2017-1000101.html
   https://www.suse.com/security/cve/CVE-2017-10684.html
   https://www.suse.com/security/cve/CVE-2017-10685.html
   https://www.suse.com/security/cve/CVE-2017-11112.html
   https://www.suse.com/security/cve/CVE-2017-11113.html
   https://www.suse.com/security/cve/CVE-2017-3308.html
   https://www.suse.com/security/cve/CVE-2017-3309.html
   https://www.suse.com/security/cve/CVE-2017-3453.html
   https://www.suse.com/security/cve/CVE-2017-3456.html
   https://www.suse.com/security/cve/CVE-2017-3464.html
   https://www.suse.com/security/cve/CVE-2017-7435.html
   https://www.suse.com/security/cve/CVE-2017-7436.html
   https://www.suse.com/security/cve/CVE-2017-8872.html
   https://www.suse.com/security/cve/CVE-2017-9233.html
   https://www.suse.com/security/cve/CVE-2017-9269.html
   https://bugzilla.suse.com/1004995
   https://bugzilla.suse.com/1009745
   https://bugzilla.suse.com/1014471
   https://bugzilla.suse.com/1017420
   https://bugzilla.suse.com/1019637
   https://bugzilla.suse.com/1026825
   https://bugzilla.suse.com/1027079
   https://bugzilla.suse.com/1027688
   https://bugzilla.suse.com/1027908
   https://bugzilla.suse.com/1028281
   https://bugzilla.suse.com/1028723
   https://bugzilla.suse.com/1029523
   https://bugzilla.suse.com/1031756
   https://bugzilla.suse.com/1032706
   https://bugzilla.suse.com/1033236
   https://bugzilla.suse.com/1035062
   https://bugzilla.suse.com/1036659
   https://bugzilla.suse.com/1038132
   https://bugzilla.suse.com/1038444
   https://bugzilla.suse.com/1038984
   https://bugzilla.suse.com/1042392
   https://bugzilla.suse.com/1043218
   https://bugzilla.suse.com/1043333
   https://bugzilla.suse.com/1044095
   https://bugzilla.suse.com/1044107
   https://bugzilla.suse.com/1044175
   https://bugzilla.suse.com/1044840
   https://bugzilla.suse.com/1045384
   https://bugzilla.suse.com/1045735
   https://bugzilla.suse.com/1045987
   https://bugzilla.suse.com/1046268
   https://bugzilla.suse.com/1046417
   https://bugzilla.suse.com/1046659
   https://bugzilla.suse.com/1046853
   https://bugzilla.suse.com/1046858
   https://bugzilla.suse.com/1047008
   https://bugzilla.suse.com/1047236
   https://bugzilla.suse.com/1047240
   https://bugzilla.suse.com/1047310
   https://bugzilla.suse.com/1047379
   https://bugzilla.suse.com/1047785
   https://bugzilla.suse.com/1047964
   https://bugzilla.suse.com/1047965
   https://bugzilla.suse.com/1048315
   https://bugzilla.suse.com/1048483
   https://bugzilla.suse.com/1048605
   https://bugzilla.suse.com/1048679
   https://bugzilla.suse.com/1048715
   https://bugzilla.suse.com/1049344
   https://bugzilla.suse.com/1050396
   https://bugzilla.suse.com/1050484
   https://bugzilla.suse.com/1051626
   https://bugzilla.suse.com/1051643
   https://bugzilla.suse.com/1051644
   https://bugzilla.suse.com/1052030
   https://bugzilla.suse.com/1052759
   https://bugzilla.suse.com/1053409
   https://bugzilla.suse.com/874665
   https://bugzilla.suse.com/902364
   https://bugzilla.suse.com/938657
   https://bugzilla.suse.com/944903
   https://bugzilla.suse.com/954661
   https://bugzilla.suse.com/960820
   https://bugzilla.suse.com/963041

-- 
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org

opensuse-security＠opensuse.org

tags

participants (1)