Security update for conmon

Announcement ID: SUSE-SU-2022:3896-1
Rating: moderate
CVSS scores:
  • CVE-2022-1708 ( SUSE ): 6.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:H
  • CVE-2022-1708 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
  • SUSE CaaS Platform 4.0
  • SUSE Enterprise Storage 6
  • SUSE Enterprise Storage 7
  • SUSE Linux Enterprise High Performance Computing 15 SP1
  • SUSE Linux Enterprise High Performance Computing 15 SP1 ESPOS 15-SP1
  • SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1
  • SUSE Linux Enterprise High Performance Computing 15 SP2
  • SUSE Linux Enterprise High Performance Computing 15 SP2 ESPOS 15-SP2
  • SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2
  • SUSE Linux Enterprise Server 15 SP1
  • SUSE Linux Enterprise Server 15 SP1 Business Critical Linux 15-SP1
  • SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1
  • SUSE Linux Enterprise Server 15 SP2
  • SUSE Linux Enterprise Server 15 SP2 Business Critical Linux 15-SP2
  • SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2
  • SUSE Linux Enterprise Server for SAP Applications 15 SP1
  • SUSE Linux Enterprise Server for SAP Applications 15 SP2
  • SUSE Manager Proxy 4.1
  • SUSE Manager Retail Branch Server 4.1
  • SUSE Manager Server 4.1

An update that solves one vulnerability can now be installed.

Description:

This update for conmon fixes the following issues:

conmon was updated to 2.1.3:

  • Stop using g_unix_signal_add() to avoid threads
  • Rename CLI option log-size-global-max to log-global-size-max

Update to version 2.1.2:

  • add log-global-size-max option to limit the total output that conmon processes (CVE-2022-1708 bsc#1200285)
  • journald: print tag and name if both are specified
  • drop some logs to debug level

Update to version 2.1.0:

  • logging: buffer partial messages to journald
  • exit: close all fds >= 3
  • fix: cgroup: Free memory_cgroup_file_path if open fails. Call g_free instead of free.

Update to version 2.0.32:

  • Fix: Avoid mainfd_std{in,out} sharing the same file descriptor.
  • exit_command: Fix: unset subreaper attribute before running exit command

Update to version 2.0.31:

  • logging: new mode -l passthrough
  • ctr_logs: use container name or ID as SYSLOG_IDENTIFIER for journald
  • conmon: Fix: free userdata files before exec cleanup

Update to version 2.0.30:

  • Remove unreachable code path
  • exit: report if the exit command was killed
  • exit: fix race zombie reaper
  • conn_sock: allow watchdog messages through the notify socket proxy
  • seccomp: add support for seccomp notify

Update to version 2.0.29:

  • Reset OOM score back to 0 for container runtime
  • call functions registered with atexit on SIGTERM
  • conn_sock: fix potential segfault

Update to version 2.0.27:

  • Add CRI-O integration test GitHub action
  • exec: don't fail on EBADFD
  • close_fds: fix close of external fds
  • Add arm64 static build binary

Update to version 2.0.26:

  • conn_sock: do not fail on EAGAIN
  • fix segfault from a double freed pointer
  • Fix a bug where conmon could never spawn a container because of a disagreement between the caller and itself on where the attach socket was.
  • improve --full-attach to ignore the socket-dir directly. That means callers don't need to specify a socket dir at all (and can remove it)
  • add full-attach option to allow callers to not truncate a very long path for the attach socket
  • close only opened FDs
  • set locale to inherit environment

Update to version 2.0.22:

  • added man page
  • attach: always chdir
  • conn_sock: Explicitly free a heap-allocated string
  • refactor I/O and add SD_NOTIFY proxy support

Update to version 2.0.21:

  • protect against kill(-1)
  • Makefile: enable debuginfo generation
  • Remove go.sum file and add go.mod
  • Fail if conmon config could not be written
  • nix: remove double definition for e2fsprogs
  • Speedup static build by utilizing CI cache on /nix folder
  • Fix nix build for failing e2fsprogs tests
  • test: fix CI
  • Use Podman for building

Patch Instructions:

To install this SUSE update, use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively, you can run the command listed for your product:

  • SUSE Linux Enterprise High Performance Computing 15 SP1 ESPOS 15-SP1
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2022-3896=1
  • SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2022-3896=1
  • SUSE Linux Enterprise High Performance Computing 15 SP2 ESPOS 15-SP2
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-ESPOS-2022-3896=1
  • SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2022-3896=1
  • SUSE Linux Enterprise Server 15 SP1 Business Critical Linux 15-SP1
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2022-3896=1
  • SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2022-3896=1
  • SUSE Linux Enterprise Server 15 SP2 Business Critical Linux 15-SP2
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-BCL-2022-3896=1
  • SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2022-3896=1
  • SUSE Linux Enterprise Server for SAP Applications 15 SP1
    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2022-3896=1
  • SUSE Linux Enterprise Server for SAP Applications 15 SP2
    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2022-3896=1
  • SUSE Manager Proxy 4.1
    zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.1-2022-3896=1
  • SUSE Manager Retail Branch Server 4.1
    zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.1-2022-3896=1
  • SUSE Manager Server 4.1
    zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.1-2022-3896=1
  • SUSE Enterprise Storage 6
    zypper in -t patch SUSE-Storage-6-2022-3896=1
  • SUSE Enterprise Storage 7
    zypper in -t patch SUSE-Storage-7-2022-3896=1
  • SUSE CaaS Platform 4.0
    To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.

Package List:

  • SUSE Linux Enterprise High Performance Computing 15 SP1 ESPOS 15-SP1 (aarch64 x86_64)
    • conmon-debuginfo-2.1.3-150100.3.9.1
    • conmon-2.1.3-150100.3.9.1
  • SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (aarch64 x86_64)
    • conmon-debuginfo-2.1.3-150100.3.9.1
    • conmon-2.1.3-150100.3.9.1
  • SUSE Linux Enterprise High Performance Computing 15 SP2 ESPOS 15-SP2 (aarch64 x86_64)
    • conmon-debuginfo-2.1.3-150100.3.9.1
    • conmon-2.1.3-150100.3.9.1
  • SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (aarch64 x86_64)
    • conmon-debuginfo-2.1.3-150100.3.9.1
    • conmon-2.1.3-150100.3.9.1
  • SUSE Linux Enterprise Server 15 SP1 Business Critical Linux 15-SP1 (x86_64)
    • conmon-debuginfo-2.1.3-150100.3.9.1
    • conmon-2.1.3-150100.3.9.1
  • SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (aarch64 ppc64le s390x x86_64)
    • conmon-debuginfo-2.1.3-150100.3.9.1
    • conmon-2.1.3-150100.3.9.1
  • SUSE Linux Enterprise Server 15 SP2 Business Critical Linux 15-SP2 (x86_64)
    • conmon-debuginfo-2.1.3-150100.3.9.1
    • conmon-2.1.3-150100.3.9.1
  • SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (aarch64 ppc64le s390x x86_64)
    • conmon-debuginfo-2.1.3-150100.3.9.1
    • conmon-2.1.3-150100.3.9.1
  • SUSE Linux Enterprise Server for SAP Applications 15 SP1 (ppc64le x86_64)
    • conmon-debuginfo-2.1.3-150100.3.9.1
    • conmon-2.1.3-150100.3.9.1
  • SUSE Linux Enterprise Server for SAP Applications 15 SP2 (ppc64le x86_64)
    • conmon-debuginfo-2.1.3-150100.3.9.1
    • conmon-2.1.3-150100.3.9.1
  • SUSE Manager Proxy 4.1 (x86_64)
    • conmon-debuginfo-2.1.3-150100.3.9.1
    • conmon-2.1.3-150100.3.9.1
  • SUSE Manager Retail Branch Server 4.1 (x86_64)
    • conmon-debuginfo-2.1.3-150100.3.9.1
    • conmon-2.1.3-150100.3.9.1
  • SUSE Manager Server 4.1 (ppc64le s390x x86_64)
    • conmon-debuginfo-2.1.3-150100.3.9.1
    • conmon-2.1.3-150100.3.9.1
  • SUSE Enterprise Storage 6 (aarch64 x86_64)
    • conmon-debuginfo-2.1.3-150100.3.9.1
    • conmon-2.1.3-150100.3.9.1
  • SUSE Enterprise Storage 7 (aarch64 x86_64)
    • conmon-debuginfo-2.1.3-150100.3.9.1
    • conmon-2.1.3-150100.3.9.1
  • SUSE CaaS Platform 4.0 (x86_64)
    • conmon-debuginfo-2.1.3-150100.3.9.1
    • conmon-2.1.3-150100.3.9.1
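The package list above gives the build that carries the fix, conmon-2.1.3-150100.3.9.1. The following POSIX shell script is an added example, not part of the SUSE advisory, that checks whether the conmon package installed on a host is at or above that build. It assumes `rpm -q conmon` output of the form `conmon-<version>-<release>.<arch>` and compares the numeric fields of the version-release string left to right; it is not a complete rpmvercmp (no epoch, no alphabetic tags), which is sufficient for the purely numeric builds in this advisory. When rpm is not available it runs against a constructed sample line so that it still works offline.

```shell
#!/bin/sh
# Added example, not part of the SUSE advisory: check whether the installed
# conmon package is at or above the fixed build listed in SUSE-SU-2022:3896-1.
# Assumes 'rpm -q conmon' output of the form conmon-<version>-<release>.<arch>.

FIXED_VERSION="2.1.3-150100.3.9.1"   # version-release from the advisory's package list

# version_ge A B: exit 0 if A >= B, comparing the numeric fields of each
# version-release string left to right (dots and dashes are separators).
# Assumption: purely numeric fields, as in this advisory; this is not a
# complete rpmvercmp (no epoch, no alphabetic tags such as "rc1").
version_ge() {
  a=$(printf '%s' "$1" | tr -c '0-9' ' ' | tr -s ' ')
  b=$(printf '%s' "$2" | tr -c '0-9' ' ' | tr -s ' ')
  i=1
  while :; do
    fa=$(printf '%s\n' "$a" | cut -d' ' -f"$i")
    fb=$(printf '%s\n' "$b" | cut -d' ' -f"$i")
    if [ -z "$fa" ] && [ -z "$fb" ]; then
      return 0                      # every field compared equal
    fi
    fa=${fa:-0}; fb=${fb:-0}        # a missing trailing field counts as 0
    if [ "$fa" -gt "$fb" ]; then return 0; fi
    if [ "$fa" -lt "$fb" ]; then return 1; fi
    i=$((i + 1))
  done
}

# conmon_is_fixed LINE: LINE is one line of 'rpm -q conmon' output.
# Exit 0 if the package is at or above FIXED_VERSION, 1 otherwise.
conmon_is_fixed() {
  ver=${1#conmon-debuginfo-}   # accept the debuginfo package too
  ver=${ver#conmon-}           # drop the package name
  ver=${ver%.*}                # strip the architecture suffix (.x86_64, .aarch64, ...)
  version_ge "$ver" "$FIXED_VERSION"
}

# report LINE: print a human-readable verdict for one 'rpm -q' line.
report() {
  case "$1" in
    conmon-[0-9]*|conmon-debuginfo-[0-9]*)
      if conmon_is_fixed "$1"; then
        echo "$1: at or above $FIXED_VERSION, SUSE-SU-2022:3896-1 is applied"
      else
        echo "$1: below $FIXED_VERSION, SUSE-SU-2022:3896-1 is NOT applied"
      fi ;;
    *)
      echo "conmon not installed ($1)" ;;
  esac
}

# Run against the live host when rpm is present; otherwise against a
# constructed sample line so the script still runs offline.
if command -v rpm >/dev/null 2>&1; then
  line=$(rpm -q conmon 2>/dev/null) || line="package conmon is not installed"
else
  line="conmon-2.0.32-150100.3.6.1.x86_64"   # constructed sample: an unpatched build
fi
report "$line"
```

On a managed fleet the same check can be fed the output of `rpm -q conmon` collected from each host; a line that compares below the fixed build means the matching `zypper in -t patch` command from the Patch Instructions section has not yet been applied there.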
