openSUSE Security Update: Security update for php7
______________________________________________________________________________
Announcement ID: openSUSE-SU-2021:2575-1
Rating: moderate
References: #1188037
Cross-References: CVE-2021-21705
CVSS scores:
CVE-2021-21705 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Affected Products:
openSUSE Leap 15.3
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for php7 fixes the following issues:
- CVE-2021-21705 [bsc#1188037]: SSRF bypass in FILTER_VALIDATE_URL
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.3:
zypper in -t patch openSUSE-SLE-15.3-2021-2575=1
Package List:
- openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):
php7-wddx-7.2.5-4.76.5
php7-wddx-debuginfo-7.2.5-4.76.5
- openSUSE Leap 15.3 (noarch):
php7-pear-Archive_Tar-7.2.5-4.76.5
References:
https://www.suse.com/security/cve/CVE-2021-21705.html
https://bugzilla.suse.com/1188037
openSUSE Recommended Update: Recommended update for open-vm-tools
______________________________________________________________________________
Announcement ID: openSUSE-RU-2021:2568-1
Rating: moderate
References: #1029961 #1185103 #1185175 #1187567
Affected Products:
openSUSE Leap 15.3
______________________________________________________________________________
An update that has four recommended fixes can now be
installed.
Description:
This update for open-vm-tools fixes the following issues:
Update to 11.3.0 (bsc#1187567)
- Reduce or eliminate Linux dependency on the 'net-tools' package.
- The 'ifconfig' and 'netstat' commands are deprecated in more recent
releases of Linux. Update the Linux 'vm-support' script to use the
'ip' and 'ss' commands when available. If the new commands are missing,
a fallback will be used. In particular, 'ip' has a fallback on
'ifconfig', 'ip route' will fall back on 'route' and 'ss' will fall back
on 'netstat'.
- Configuring OVT with the '--without-pam' option will implicitly disable
'vgauth'.
- When no 'vgauth' option is given alongside '--without-pam', a warning
is displayed with a message 'Building without PAM; vgauth will be
disabled.'.
- When '--disable-vgauth' is supplied alongside '--without-pam', no
warning or error message is displayed.
- When '--enable-vgauth' is supplied alongside '--without-pam', an error
will be shown and the configure stage will be aborted with an error
message 'Cannot enable vgauth without PAM. Please configure without
--without-pam or without --enable-vgauth.'
- Fix issues using GCC 11 with gtk >= 3.20 and glib >=2.66.3
- Fix more GCC 11 failures. (bsc#1185103)
- Update the 'FreeBSD' specific sections of 'open-vm-tools' to adjust what
is necessary for 'ARM64'.
- New command line tool 'vmwgfxctrl' introduced in 'open-vm-tools'.
- A user can now control various aspects of the 'vmwgfx' Linux kernel
module. Currently it can both display and set the current topology of
the 'vmwgfx' kernel driver. It is useful when trying to configure
custom resolutions on recent Linux distributions, including
multi-monitor setups.
- New command line tool 'vmware-alias-import' added to 'open-vm-tools'
that can be used to import 'vgauth' config data and apply it to the
running 'vgauth' service.
- Enhancements to support or utilize various vSphere features.
- In 'vmtoolsd.service' move the deprecated path '/var/run' to '/run' for
its 'PID' file. (bsc#1185175)
- Finalize the 'UsrMerge'. (bsc#1029961)
Patch Instructions:
To install this openSUSE Recommended Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.3:
zypper in -t patch openSUSE-SLE-15.3-2021-2568=1
Package List:
- openSUSE Leap 15.3 (aarch64 x86_64):
libvmtools-devel-11.3.0-10.1
libvmtools0-11.3.0-10.1
libvmtools0-debuginfo-11.3.0-10.1
open-vm-tools-11.3.0-10.1
open-vm-tools-debuginfo-11.3.0-10.1
open-vm-tools-debugsource-11.3.0-10.1
open-vm-tools-desktop-11.3.0-10.1
open-vm-tools-desktop-debuginfo-11.3.0-10.1
open-vm-tools-sdmp-11.3.0-10.1
open-vm-tools-sdmp-debuginfo-11.3.0-10.1
References:
https://bugzilla.suse.com/1029961
https://bugzilla.suse.com/1185103
https://bugzilla.suse.com/1185175
https://bugzilla.suse.com/1187567
openSUSE Recommended Update: Recommended update for timezone
______________________________________________________________________________
Announcement ID: openSUSE-RU-2021:2573-1
Rating: moderate
References: #1188127
Affected Products:
openSUSE Leap 15.3
______________________________________________________________________________
An update that has one recommended fix can now be installed.
Description:
This update for timezone fixes the following issue:
- From systemd v249: when enumerating time zones the timedatectl tool will
now consult the 'tzdata.zi' file shipped by the IANA time zone database
package, in addition to 'zone1970.tab', as before. This makes sure time
zone aliases are now correctly supported. This update adds the
'tzdata.zi' file (bsc#1188127).
Patch Instructions:
To install this openSUSE Recommended Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.3:
zypper in -t patch openSUSE-SLE-15.3-2021-2573=1
Package List:
- openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):
timezone-2021a-3.47.1
timezone-debuginfo-2021a-3.47.1
timezone-debugsource-2021a-3.47.1
- openSUSE Leap 15.3 (noarch):
timezone-java-2021a-3.47.1
References:
https://bugzilla.suse.com/1188127
openSUSE Security Update: Security update for fastjar
______________________________________________________________________________
Announcement ID: openSUSE-SU-2021:2565-1
Rating: low
References: #1188517
Cross-References: CVE-2010-2322
CVSS scores:
CVE-2010-2322 (SUSE): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Affected Products:
openSUSE Leap 15.3
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for fastjar fixes the following issues:
- CVE-2010-2322: Fixed a directory traversal vulnerability. (bsc#1188517)
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.3:
zypper in -t patch openSUSE-SLE-15.3-2021-2565=1
Package List:
- openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):
fastjar-0.98-3.6.2
fastjar-debuginfo-0.98-3.6.2
fastjar-debugsource-0.98-3.6.2
References:
https://www.suse.com/security/cve/CVE-2010-2322.html
https://bugzilla.suse.com/1188517
openSUSE Recommended Update: Recommended update for openCryptoki
______________________________________________________________________________
Announcement ID: openSUSE-RU-2021:2557-1
Rating: moderate
References: #1182726 #1185976
Affected Products:
openSUSE Leap 15.3
______________________________________________________________________________
An update that has two recommended fixes can now be
installed.
Description:
This update for openCryptoki fixes the following issues:
- Fixed a segmentation fault with p11sak list-key. (bsc#1182726)
- Fixed an issue when soft token does not check if an EC key is valid.
(bsc#1185976)
Patch Instructions:
To install this openSUSE Recommended Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.3:
zypper in -t patch openSUSE-SLE-15.3-2021-2557=1
Package List:
- openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):
openCryptoki-3.15.1-5.3.1
openCryptoki-64bit-3.15.1-5.3.1
openCryptoki-64bit-debuginfo-3.15.1-5.3.1
openCryptoki-debuginfo-3.15.1-5.3.1
openCryptoki-debugsource-3.15.1-5.3.1
openCryptoki-devel-3.15.1-5.3.1
References:
https://bugzilla.suse.com/1182726
https://bugzilla.suse.com/1185976
openSUSE Recommended Update: Recommended update for python-pytz
______________________________________________________________________________
Announcement ID: openSUSE-RU-2021:2558-1
Rating: moderate
References: #1185748
Affected Products:
openSUSE Leap 15.3
______________________________________________________________________________
An update that has one recommended fix can now be installed.
Description:
This update for python-pytz fixes the following issues:
- Add %pyunittest shim for platforms where it is missing.
- Remove real directory of %{python_sitelib}/pytz/zoneinfo when upgrading,
before it is replaced by a symlink. (bsc#1185748)
- Bump tzdata_version
- update to 2021.1:
* update to IANA 2021a timezone release
Patch Instructions:
To install this openSUSE Recommended Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.3:
zypper in -t patch openSUSE-SLE-15.3-2021-2558=1
Package List:
- openSUSE Leap 15.3 (noarch):
python2-pytz-2021.1-3.3.1
python3-pytz-2021.1-3.3.1
References:
https://bugzilla.suse.com/1185748
openSUSE Security Update: Security update for git
______________________________________________________________________________
Announcement ID: openSUSE-SU-2021:2555-1
Rating: moderate
References: #1168930 #1183026 #1183580 SLE-17838 SLE-18152
Cross-References: CVE-2021-21300
CVSS scores:
CVE-2021-21300 (NVD) : 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2021-21300 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products:
openSUSE Leap 15.3
______________________________________________________________________________
An update that solves one vulnerability, contains two
features and has two fixes is now available.
Description:
This update for git fixes the following issues:
Update from version 2.26.2 to version 2.31.1 (jsc#SLE-18152)
Security fixes:
- CVE-2021-21300: On case-insensitive file systems with support for
symbolic links, if Git is configured globally to apply delay-capable
clean/smudge filters (such as Git LFS), Git could run remote code during
a clone. (bsc#1183026)
Non security changes:
- Add `sysusers` file to create `git-daemon` user.
- Remove `perl-base` and `openssh-server` dependency on `git-core` and
provide a `perl-Git` package. (jsc#SLE-17838)
- `fsmonitor` bug fixes
- Fix `git bisect` to take an annotated tag as a good/bad endpoint
- Fix a corner case in `git mv` on case insensitive systems
- Require only `openssh-clients` where possible (like Tumbleweed or SUSE
Linux Enterprise >= 15 SP3). (bsc#1183580)
- Drop `rsync` requirement, not necessary anymore.
- Use of `pack-redundant` command is discouraged and will trigger a
warning. The replacement is `repack -d`.
- The `--format=%(trailers)` mechanism gets enhanced to make it easier to
design output for machine consumption.
- No longer give message to choose between rebase or merge upon pull if
the history `fast-forwards`.
- The configuration variable `core.abbrev` can be set to `no` to force no
abbreviation regardless of the hash algorithm
- `git rev-parse` can be explicitly told to give output as absolute or
relative path with the `--path-format=(absolute|relative)` option.
- Bash completion update to make it easier for end-users to add completion
for their custom `git` subcommands.
- `git maintenance` learned to drive scheduled maintenance on platforms
whose native scheduling methods are not 'cron'.
- After expiring a reflog and making a single commit, the reflog for the
branch would record a single entry that knows both `@{0}` and `@{1}`,
but we failed to answer "what commit were we on?", i.e. `@{1}`
- `git bundle` learns `--stdin` option to read its refs from the standard
input. Also, it now does not lose refs when they point at the same
object.
- `git log` learned a new `--diff-merges=<how>` option.
- `git ls-files` can and does show multiple entries when the index is
unmerged, which is a source for confusion unless `-s/-u` option is in
use. A new option `--deduplicate` has been introduced.
- `git worktree list` now annotates worktrees as prunable, shows locked
and prunable attributes in `--porcelain` mode, and gained a `--verbose`
option.
- `git clone` tries to locally check out the branch pointed at by HEAD of
the remote repository after it is done, but the protocol did not convey
the information necessary to do so when copying an empty repository. The
protocol v2 learned how to do so.
- There are other ways than `..` for a single token to denote a "commit
range", namely `<rev>^!` and `<rev>^-<n>`, but `git range-diff` did not
understand them.
- The `git range-diff` command learned `--(left|right)-only` option to
show only one side of the compared range.
- `git mergetool` feeds three versions (base, local and remote) of a
conflicted path unmodified. The command learned to optionally prepare
these files with unconflicted parts already resolved.
- The `.mailmap` is documented to be read only from the root level of a
working tree, but a stray file in a bare repository also was read by
accident, which has been corrected.
- `git maintenance` tool learned a new `pack-refs` maintenance task.
- Improved the error message given for a configuration variable that is
expected to have a boolean value.
- Signed commits and tags now allow verification of objects, whose two
object names (one in SHA-1, the other in SHA-256) are both signed.
- `git rev-list` command learned `--disk-usage` option.
- `git diff`, `git log` `--{skip,rotate}-to=<path>` allows the user to
discard diff output for early paths or move them to the end of the
output.
- `git difftool` learned `--skip-to=<path>` option to restart an
interrupted session from an arbitrary path.
- `git grep` has been tweaked to be limited to the sparse checkout paths.
- `git rebase --[no-]fork-point` gained a configuration variable
`rebase.forkPoint` so that users do not have to keep specifying a
non-default setting.
- `git stash` did not work well in a sparsely checked out working tree.
- Newline characters in the host and path part of `git://` URL are now
forbidden.
- `Userdiff` updates for PHP, Rust, CSS
- Avoid administrator error leading to data loss with `git push
--force-with-lease[=<ref>]` by introducing `--force-if-includes`
- only pull `asciidoctor` for the default ruby version
- The `--committer-date-is-author-date` option of `rebase` and `am`
subcommands lost the e-mail address by mistake in 2.29
- The transport protocol v2 has become the default again
- `git worktree` gained a `repair` subcommand, `git init
--separate-git-dir` no longer corrupts administrative data related to
linked worktrees
- `git maintenance` introduced for repository maintenance tasks
- `fetch.writeCommitGraph` is deemed to be still a bit too risky and is no
longer part of the `feature.experimental` set.
- The commands in the `diff` family honor the `diff.relative`
configuration variable.
- `git diff-files` has been taught to say paths that are marked as
`intent-to-add` are new files, not modified from an empty blob.
- `git gui` now allows opening work trees from the start-up dialog.
- `git bugreport` reports what shell is in use.
- Some repositories have commits that record wrong committer timezone;
`git fast-import` has an option to pass these timestamps intact to allow
recreating existing repositories as-is.
- `git describe` will always use the `long` version when giving its output
based on misplaced tags
- `git pull` issues a warning message until the `pull.rebase`
configuration variable is explicitly given
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.3:
zypper in -t patch openSUSE-SLE-15.3-2021-2555=1
Package List:
- openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):
git-2.31.1-10.3.1
git-arch-2.31.1-10.3.1
git-core-2.31.1-10.3.1
git-core-debuginfo-2.31.1-10.3.1
git-credential-gnome-keyring-2.31.1-10.3.1
git-credential-gnome-keyring-debuginfo-2.31.1-10.3.1
git-credential-libsecret-2.31.1-10.3.1
git-credential-libsecret-debuginfo-2.31.1-10.3.1
git-cvs-2.31.1-10.3.1
git-daemon-2.31.1-10.3.1
git-daemon-debuginfo-2.31.1-10.3.1
git-debuginfo-2.31.1-10.3.1
git-debugsource-2.31.1-10.3.1
git-email-2.31.1-10.3.1
git-gui-2.31.1-10.3.1
git-p4-2.31.1-10.3.1
git-svn-2.31.1-10.3.1
git-web-2.31.1-10.3.1
gitk-2.31.1-10.3.1
perl-Git-2.31.1-10.3.1
- openSUSE Leap 15.3 (noarch):
git-doc-2.31.1-10.3.1
References:
https://www.suse.com/security/cve/CVE-2021-21300.html
https://bugzilla.suse.com/1168930
https://bugzilla.suse.com/1183026
https://bugzilla.suse.com/1183580
openSUSE Recommended Update: Recommended update for release-notes-sles
______________________________________________________________________________
Announcement ID: openSUSE-RU-2021:2553-1
Rating: moderate
References: #1187608 #1187615 #1187636 #1187664 #933411
SLE-17030 SLE-17233
Affected Products:
openSUSE Leap 15.3
______________________________________________________________________________
An update that has 5 recommended fixes and contains two
features can now be installed.
Description:
This update for release-notes-sles fixes the following issues:
- 15.3.20210712 (tracked in bsc#933411)
- Added note about Salt 3002 (jsc#SLE-17233)
- Added note about kernel changes (bsc#1187615)
- Added link to workaround (bsc#1187636)
- Updated PostgreSQL 13 note (jsc#SLE-17030)
- Updated more links (bsc#1187664)
- Updated links (bsc#1187664)
- Removed note upon request (bsc#1187608)
Patch Instructions:
To install this openSUSE Recommended Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.3:
zypper in -t patch openSUSE-SLE-15.3-2021-2553=1
Package List:
- openSUSE Leap 15.3 (noarch):
release-notes-sles-15.3.20210712-3.6.3
References:
https://bugzilla.suse.com/1187608
https://bugzilla.suse.com/1187615
https://bugzilla.suse.com/1187636
https://bugzilla.suse.com/1187664
https://bugzilla.suse.com/933411
openSUSE Recommended Update: Recommended update for fence-agents
______________________________________________________________________________
Announcement ID: openSUSE-RU-2021:2547-1
Rating: moderate
References: #1182701 #1185058 SLE-17998 SLE-18182
Affected Products:
openSUSE Leap 15.3
______________________________________________________________________________
An update that has two recommended fixes and contains two
features can now be installed.
Description:
This update for fence-agents fixes the following issues:
- Corrections to support Azure SDK greater than 15 - including backward
compatibility (bsc#1185058)
- Fixed an issue when libvirt breaks the connection every 30 seconds.
- ECO: Update fence-agents. (jsc#SLE-18182)
- Add upstream PR to aws-vpc-move-ip and apply required resource and fence
agent patches. (jsc#SLE-17998)
- Fixed an issue when fence-agent does not restart the node properly.
(bsc#1182701)
- Major rework of the original agent:
* fence_gce: default method moved back to powercycle (#389)
* fence_gce: make serviceaccount work with new libraries
* fence_virt*: simple_auth: use %zu for sizeof to avoid failing verbose
builds on some archs
* configure: don't fail when --with-agents contains virt
* fence_mpath: watchdog retries support
* fencing: add multi plug support for reboot-action
* fence_redfish: add missing diag logic
* fencing: fix issue with hardcoded help text length for metadata
* fencing: add stonith_status_sleep parameter for sleep between status
calls during a STONITH action
* fence_aws: add filter parameter to be able to limit which nodes are
listed
* virt: fix a bunch of coverity scan errors in ip_lookup
* virt: make sure to provide an empty default to strncpy
* virt: make sure buffers are big enough for 0 byte end string
* virt: increase buffer size to avoid overruns
* virt: check return code in virt-sockets
* virt: fix plugin (minor) memory leak and plug in load race
* virt: attempt to open file directly and avoid race condition
* virt: fix different coverity scan errors in common/tcp
* virt: cleanup deadcode in client/vsock
* virt: cleanup deadcode in client/tcp
* virt: fix potential buffer overrun
* virt: fix mcast coverity scan errors
* virt: drop pm-fence plugin
* virt: drop libvirt-qmf plugin
* virt: drop null plugin
* virt: drop fence_virtd non-modular build
* virt: fix plugin installation regression on upgrades
* fence_virt: metadata fixes, implement manpage generation and
metadata/delay/rng checks
* virt: make sure variable is initialized
* zvm: reformat fence_zvm to avoid gcc warnings
* virt: drop -Werror to avoid unnecessary failures
* virt: disable -Wunused for yy generated files
* virt: disable fence-virt on bsd variants
* virt: merge spec files
* build: fix more gcc warnings
* build: remove unused / obsoleted options
* build: fix some annoying warnings at ./autogen.sh time
* virt: move all virt CFLAGS/LDFLAGS in the right location
* virt: fix unused gcc warnings and re-enable all build warnings
* virt: fix write-strings gcc warnings
* virt: fix pointer-arith gcc warnings
* virt: fix declaration-after-statement gcc warnings
* virt: fix build with -Wmissing-prototypes
* build: don't override clean target
* virt: plug fence_virt into the build
* virt: allow fence_virt build to be optional
* virt: drop support for LSB init script
* virt: collect docs in one location
* virt: remove unnecessary files and move build macros in place
* Ignore fence-virt man pages
* Move fence_virt to the correct location
* spec: use python3 path for newer releases
* spec: undo autosetup change that breaks builds w/git commit hashes
* Ignore unknown options on stdin
* fence_gce: support google-auth and oauthlib and fallback to deprecated
libs when not available
* spec: add aliyun subpackage and fence_mpath_check* to mpath subpackage
* fence_gce: Adds cloud-platform scope for bare metal API and optional
proxy flags (#382)
* fence_virt: Fix minor typo in metadata
* fence_gce: update module reqs for SLES 15 (#383)
* Add fence_ipmilanplus as fence_ipmilan wrapper always enabling lanplus
* fence_redfish: Add diag action
* fence_vbox: updated metadata file
* fence_vbox: do not flood host account with vboxmanage calls
* fence_aws/fence_gce: allow building without cloud libs
* fence_gce: default to onoff
* fence_lpar: Make --managed a required option
* fence_zvmip: fix shell-timeout when using new disable-timeout parameter
* Adds service account authentication to GCE fence agent
* spec: don't build -all subpackage as noarch
* fence_virt: add plug parameter that obsoletes old port parameter
* Try to detect directory for initscripts configuration
* Accept SIGTERM while waiting for initialization.
* Add man pages to fence_virtd service file.
* Fix spelling error in fence_virt.conf.5
* build: fix BRs for suse distros
* build: remove ExclusiveArch
* build: removed gcc-c++ BR
* build: add spec-file and rpm build targets
* build: cleanup/improvements to reworked build system
* [build] rework build system to use automake/libtool
* fence_virtd: Fix segfault in vl_get when no domains are found
* fence_virt: fix core dump
* build: harden and make it possible to build with -fPIE
* fence_virt: don't report success for incorrect parameters
* fence_virt: mcast: config: Warn when provided mcast addr is not used
* fence_virtd: Return control to main loop on select interruption
* fence-virtd: Add missing vsock makefile bits
* fence-virt: Add vsock support
* fence_virtd: Fix transposed arguments in startup message
* fence_virt: Rename challenge functions
* fence_virtd: Cleanup: remove unused configuration options
* fence_virt: Remove remaining references to checkpoints
* fence_virt: Remove remaining references to checkpoints
* fence-virt: Format string cleanup
* fence_virtd: Implement hostlist for the cpg backend
* fence_virt: Fix logic error in fence_xvm
* fence_virtd: Cleanup config module
* fence_virtd: cpg: Fail initialization if no hypervisor connections
* fence_virtd: Make the libvirt backend survive libvirtd restarts
* fence_virtd: Allow the cpg backend to survive libvirt failures
* fence_virtd: cpg: Fix typo
* fence-virtd: Add cpg-virt backend plugin
* fence_virtd: Remove checkpoint, replace it with a CPG only plugin
* fence-virt: Bump version
* fence_virtd: Add better debugging messages for the TCP listener
* fence_virtd: Fix potential unlocked pthread_cond_timedwait()
* fence-virtd: Cleanup small memory leak
* fence_virtd: Fix select logic in listener plugins
* Factor out common libvirt code so that it can be reused by multiple
backends
* Document the fence_virtd -p command line flag
* fence_virtd: Log an error when startup fails
* Retry writes in the TCP, mcast, and serial listener plugins while
sending a response to clients, if the write fails or is incomplete.
* Make the packet authentication code more resilient in the face of
transient failures.
* Disable the libvirt-qmf backend by default
* Bump the versions of the libvirt and checkpoint plugins
* fence-virtd: Enable TCP listener plugin by default
* fence-virtd: Cleanup documentation of the TCP listener
* fence_xvm/fence_virt: Add support for the validate-all status op
* fence-virt: Add list-status command to man page and metadata
* fence-virt: Cleanup numeric argument parsing
* fence-virt: Log message to syslog in addition to stdout/stderr
* fence-virt: Permit explicitly setting delay to 0
* fence-virt: Add 'list-status' operation for compat with other agents
* Allow fence_virtd to run as non-root
* Remove delay from the status, monitor and list functions
* Resolves several problems in checkpoint plugin, making it functional.
* daemon_init: Removed PID check and update
* fence_virtd: drop legacy SysVStartPriority from service unit
* fence-virt: client: Do not truncate VM domains in list output
* client: fix "delay" parameter checking (copy-paste)
* fence-virt: Fix broken restrictions on the port ranges
* Clarify debug message
* fence-virtd: Use perror only if the last system call returns an error.
* fence-virtd: Fix printing wrong system call in perror
* fence-virtd: Allow multiple hypervisors for the libvirt backend
* fence-virt: Don't overwrite saved errno
* fence-virt: Fix small memory leak in the config module
* fence-virt: Fix mismatched sizeof in memset call
* fence-virt: Send complete hostlist info
* fence-virt: Clarify the path option in serial mode
* Bump version
* fence-virt: Bump version
* fence_virtd: Fix broken systemd service file
* fence_virt/fence_xvm: Print status when invoked with -o status
* fence-virt: Fix for missed libvirtd events
* fence-virt: Fail properly if unable to bind the listener socket
* client: dump all arguments structure in debug mode
* Drop executable flag for man pages (finally)
* Honor implicit "ip_family=auto" in fence_xvm w/IPv6 mult.addr.
* Fix using bad struct item for auth algorithm
* Drop executable flag for man pages
* use bswap_X() instead of b_swapX()
* fence_virtd: Fix memcpy size params in the TCP plugin
* Revert "fence-virt: Fix possible descriptor leak"
* fence_virtd: Return success if a domain exists but is already off.
* fence-virt: Add back missing tcp_listener.h file
* fence-virt: Fix a few fd leaks
* fence-virt: Fix free of uninitialized variable
* fence-virt: Fix possible null pointer dereference
* fence-virt: Fix memory leak
* fence-virt: Fix fd leak when finding local addresses
* fence-virt: Fix possible descriptor leak
* fence-virt: Fix possible fd leak
* fence-virt: Fix null pointer deref
* fence-virt: Explicitly set delay to 0
* fence-virt: Fix return with lock held
* fence_virt: Fix typo in fence_virt(8) man page
* fence_virt: Return failure for nonexistent domains
* Improve fence_virt.conf man page description of 'hash'
* Add a TCP listener plugin for use with viosproxy
* In serial mode, return failure if the other end closes the connection
before we see SERIAL_MAGIC in the reply or timeout.
* Stop linking against unnecessary QPid libs.
* Update libvirt-qmf plugin and docs
* Fix crash when we fail to read key file.
* Fix erroneous man page XML
* Add 'interface' directive to example.conf
* Add old wait_for_backend directive handling & docs
* Return proper error if we can't set up our socket.
* Fix startup in systemd environments
* Add systemd unit file and generation
* Don't override user's pick for backend server module
* Use libvirt as default in shipped config
* Clean up compiler warnings
* Fix serial domain handling
* Fix monolithic build
* Clean up build and comments.
* Add missing pm_fence source code
* Disable CMAN / checkpoint build by default
* Rename libvirt-qpid -> libvirt-qmf
* Fix static analysis errors
* Reword assignment to appease static analyzers
* Handle return value from virDomainGetInfo
* Fix bad sizeof()
* Make listen() retry
* Add map_check on 'status' action
* Update README
* Don't reference out-of-scope temporary
* Ensure we don't try to strdup() or atoi() on NULL
* Add libvirt-qmf support to the libvirt-qpid plugin
* Convert libvirt-qpid plugin to QMFv2
* Fix incorrect return value on hash mismatch
* Fix error getting status from libvirt-qpid plugin
* Make fence-virt requests endian clean
* Fix input parsing to allow domain again
* Provide 'domain' in metadata output for compatibility
* High: Fix UUID lookups in checkpoint backend
* Curtail 'list' operation requests
* Fix man page references: fence_virtd.conf -> fence_virt.conf
* Add 'list' operation for plugins; fix missing getopt line
* Fix build with newer versions of qpid
* Make configure.in actually disable plugins
* Rename parameters to match other fencing agents
* Fix fence_xvm man page to point to the right location
* client: Clarify license in serial.c
* Return 2 for 'off' like other fencing agents
* Reset flags before returning from connect_nb
* Use nonblocking connect to vmchannel sockets
* More parity with other fencing agents' parameters
* Fix memory leaks found with valgrind
* Add basic daemon functions
* Fix bug in path pruning support for serial plugin
* Fix libvirt-qpid bugs found while testing
* Fix segfault caused by invalid map pointer assignment
* Fix another compiler warning
* Fix build warnings in client/serial.c
* Add 'monitor' as an alias for 'status'
* Add serial listener to configuration utility
* Make serial/vmchannel module enabled by default
* Add missing 'metadata' option to help text
* Add missing static_map.h
* Add metadata support to fence_xvm/fence_virt
* Allow IPs to be members of groups
* Allow use of static mappings w/ mcast listener
* Make 'path' be a directory
* Remove useless debug printfs
* Enable VM Channel support in serial plugin
* Pass source VM UUID (if known) to backend
* Mirror libvirt-qpid's settings in libvirt-qpid plugin
* libvirt-qpid: clean up global variable
* Enable a configurable host/port on libvirt-qpid plugin
* Minor config utility cleanups
* Remove unnecessary name_mode from multicast plugin
* Add prototypes and clean up build warnings
* Use seqno in serial requests
* Minor debugging message cleanup
* Fix build error due to improper value
* Static map support and permissions reporting
* Sync up on SERIAL_MAGIC while waiting for a response
* Don't build serial vmchannel module by default
* Initial checkin of serial server-side support
* Fix fence_virt.conf man page name
* Add Fedora init script
* Compiler warning cleanups in virt-serial.c
* Add wait-for-backend mode
* Fix up help text for clients
* Minor XML cleanups, add missing free() call
* add missing module_path to fence_virtd.conf.5
* Add capabilities to virt-serial
* Note that serial support is experimental
* Add a serial.so build target
* Add vmchannel serial event interface
* Split fence_virt vs. fence_xvm args
* Add static map functions.
* Fix build warning due to missing #include
* Fix multiple query code
* Better config query & multiple value/tag support
* Add simple configuration mode
* Allow setting config values to NULL to clear them
* Clean up example config file
* Sort plugins by type when printing them
* Revert "Sort plugins by type when printing them"
* Sort plugins by type when printing them
* Clean up some configuration plugin information
* add empty line between names
* Make libvirt to automatically use uuid or names
* Improve error reporting
* Fix build for hostlist functionality
* Hostlist functionality for libvirt, libvirt-qpid
* Work around broken nspr headers
* Fix installation target for man pages
* Add man page build infrastructure
* Make fence_xvm compatibility mode enabled by default
* Fix libvirt / mcast support for name_mode
* Fix agent option parsing
* Fix dlsym mapping of C++ module
* Make uuids work with libvirt-qpid
* Fix uninitialized variable causing false returns
* Add 'help' to fence_virtd
* Fix libvirt-qpid build
* Fix libvirt-qpid build
* Add libvirt-qpid build target
* Initial checking of libvirt-qpid plugin
* Fix build on i686
* Make symlink/compatibility mode disabled by default
* Add simple tarball / release script
* Use immediate resolution of symbols
* Example config tweaks
* Use sysconfdir for /etc/fence_virt.conf
* Fix package name and install locations
* Add 'maintainer-clean' target
* Fix build errors on Fedora
* Add missing header file
* Ignore automake error
* Make the build script actually build
* Make cluster mode plugin work
* Add basic cpg stuff for later
* Enable 'on' operation for libvirt backend
* Clean up modular build
* Minor build cleanups
* Yet more build fixes
* More build cleanups
* Build cleanups
* Initial port to autoconf
* Add checkpoint.c stub functions
* Add sequence numbers to requests for tracking
* Include missing include
* Call generic history functions
* Make history functions generic
* Make debugging work from modules again
* Revert "Fix build issue breaking debug printing from modules"
* Fix build issue breaking debug printing from modules
* Fix libvirt backend; VALIDATE was wrong
* Cleanups, add daemon support
* Add simple 'null' skeleton backend plugin
* Make all plugins dynamically loaded.
* Fix error message
* Remove dummy serial prototypes
* Remove modules in 'make clean'
* Make listeners plugins.
* Move name_mode to fence_virtd block
* Add name_mode to example.conf
* Move VM naming scheme to top level of config
* Enable UUID use in libvirt.c
* Move options.c to client directory
* Drop duplicate fencing requests
* Don't require specifying an interface in fence_virt.conf
* Fix empty node parsing
* Actually use the default port by default
* Don't overwrite config files
* Install modules, too.
* Add temporary 'make install' target
* Make a default configuration file
* Make mcast work with UUIDs
* Add checkpoint.so to the build
* Fix missing carriage returns on debug prints
* Add architecture overview description
* Make serial_init match mcast_init.
* Make multicast use config file
* Integrate config file processing
* Create server-side plugin architecture
* Make libvirt a built-in plugin
* Fix header in serial.c.
Patch Instructions:
To install this openSUSE Recommended Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.3:
zypper in -t patch openSUSE-SLE-15.3-2021-2547=1
Package List:
- openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):
fence-agents-4.9.0+git.1624456340.8d746be9-3.5.1
fence-agents-amt_ws-4.9.0+git.1624456340.8d746be9-3.5.1
fence-agents-debuginfo-4.9.0+git.1624456340.8d746be9-3.5.1
fence-agents-debugsource-4.9.0+git.1624456340.8d746be9-3.5.1
fence-agents-devel-4.9.0+git.1624456340.8d746be9-3.5.1
References:
https://bugzilla.suse.com/1182701
https://bugzilla.suse.com/1185058
openSUSE Security Update: Security update for umoci
______________________________________________________________________________
Announcement ID: openSUSE-SU-2021:1863-1
Rating: important
References: #1184147
Cross-References: CVE-2021-29136
CVSS scores:
CVE-2021-29136 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CVE-2021-29136 (SUSE): 7.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Affected Products:
openSUSE Leap 15.3
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for umoci fixes the following issues:
Update to v0.4.7 (bsc#1184147).
- CVE-2021-29136: Fixed overwriting of host files via malicious layer
(bsc#1184147).
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.3:
zypper in -t patch openSUSE-SLE-15.3-2021-1863=1
Package List:
- openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):
umoci-0.4.7-3.12.1
References:
https://www.suse.com/security/cve/CVE-2021-29136.html
https://bugzilla.suse.com/1184147