Security update for CaaS Platform 1.0 images

SUSE Security Update: Security update for CaaS Platform 1.0 images

---

Announcement ID:	SUSE-SU-2017:2470-1
Rating:	important
References:	#1004995 #1009745 #1014471 #1017420 #1019637 #1026825 #1027079 #1027688 #1027908 #1028281 #1028723 #1029523 #1031756 #1032706 #1033236 #1035062 #1036659 #1038132 #1038444 #1038984 #1042392 #1043218 #1043333 #1044095 #1044107 #1044175 #1044840 #1045384 #1045735 #1045987 #1046268 #1046417 #1046659 #1046853 #1046858 #1047008 #1047236 #1047240 #1047310 #1047379 #1047785 #1047964 #1047965 #1048315 #1048483 #1048605 #1048679 #1048715 #1049344 #1050396 #1050484 #1051626 #1051643 #1051644 #1052030 #1052759 #1053409 #874665 #902364 #938657 #944903 #954661 #960820 #963041
Affected Products:	SUSE Container as a Service Platform ALL

---

An update that solves 18 vulnerabilities and has 46 fixes is now available.

Description:

The Docker images provided with SUSE CaaS Platform 1.0 have been updated
to include the following updates:

libzypp:

- CVE-2017-7435, CVE-2017-7436, CVE-2017-9269: Fix GPG check workflows,
mainly for unsigned repositories and packages. (bsc#1045735, bsc#1038984)
- Fix gpg-pubkey release (creation time) computation. (bsc#1036659)
- Update lsof blacklist. (bsc#1046417)
- Re-probe on refresh if the repository type changes. (bsc#1048315)
- Propagate proper error code to DownloadProgressReport. (bsc#1047785)
- Allow to trigger an appdata refresh unconditionally. (bsc#1009745)
- Support custom repo variables defined in /etc/zypp/vars.d.
- Adapt loop mounting of ISO images. (bsc#1038132, bsc#1033236)
- Fix potential crash if repository has no baseurl. (bsc#1043218)

zypper:

- CVE-2017-7436: Adapt download callback to report and handle unsigned
packages. (bsc#1038984)
- Report missing/optional files as 'not found' rather than 'error'.
(bsc#1047785)
- Document support for custom repository variables defined in
/etc/zypp/vars.d.
- Emphasize that it depends on how fast PackageKit will respond to a
'quit' request sent if PK blocks package management.

libgcrypt:

- Fix infinite loop in gnome-keyring-daemon caused by attempt to read from
random device left open by libgcrypt. (bsc#1043333)
- Avoid seeding the DRBG during FIPS power-up selftests. (bsc#1046659)
- Fix a bug in gcry_drbg_healthcheck_sanity() which caused skipping some
of the tests. (bsc#1046659)
- dlsym returns PLT address on s390x, dlopen libgcrypt20.so before calling
dlsym. (bsc#1047008)

lua51:

- Add Lua(API) and Lua(devel) symbols to fix building of lua51-luasocket.
(bsc#1051626)

cyrus-sasl:

- Fix unknown authentication mechanism: kerberos5 (bsc#1026825)
- Really use SASLAUTHD_PARAMS variable (bsc#938657)
- Make sure /usr/sbin/rcsaslauthd exists
- Add /usr/sbin/rcsaslauthd symbolic link to /usr/sbin/service
(bsc#1014471)
- Silence "GSSAPI client step 1" debug log message (bsc#1044840)

libxml2:

- CVE-2017-8872: Out-of-bounds read in htmlParseTryOrFinish. (bsc#1038444)

curl:

- CVE-2017-1000100: TFP sends more than buffer size and it could lead to a
denial of service. (bsc#1051644)
- CVE-2017-1000101: URL globbing out of bounds read could lead to a denial
of service. (bsc#1051643)

ncurses:

- CVE-2017-11112: Illegal address access in append_acs. (bsc#1047964)
- CVE-2017-11113: Dereferencing NULL pointer in _nc_parse_entry.
(bsc#1047965)
- CVE-2017-10684, CVE-2017-10685: Add modified upstream fix from ncurses
6.0 to avoid broken termcap format (bsc#1046853, bsc#1046858,
bsc#1049344)

sed:

- Don't terminate with a segmentation fault if close of last file
descriptor fails. (bsc#954661)

openssl:

- Remove DES-CBC3-SHA based ciphers from DEFAULT_SUSE to address SWEET32
problem. (bsc#1027908)
- Use getrandom syscall instead of reading from /dev/urandom to get at
least 128 bits of entropy to comply with FIPS 140.2 IG 7.14.
(bsc#1027079 bsc#1044175)
- Fix x86 extended feature detection (bsc#1029523)
- Allow runtime switching of s390x capabilities via the "OPENSSL_s390xcap"
environmental variable. (bsc#1028723)
- Add back certificate initialization set_cert_key_stuff() which was
removed in a previous update. (bsc#1028281)
- Fix a bug in XTS key handling. (bsc#1019637)
- Don't run FIPS power-up self-tests when the checksum files aren't
installed. (bsc#1042392)

procps:

- Don't set buffering on invalid file descriptor. (bsc#1053409)

expat:

- CVE-2016-9063: Possible integer overflow to fix inside XML_Parse leading
to unexpected behaviour. (bsc#1047240)
- CVE-2017-9233: External Entity Vulnerability could lead to denial of
service. (bsc#1047236)

systemd:

- Revert fix for bsc#1004995 which could have caused boot failure on LVM
(bsc#1048605)
- compat-rules: drop the bogus 'import everything' rule (bsc#1046268)
- core: use an AF_UNIX/SOCK_DGRAM socket for cgroup agent notification
(bsc#1045384 bsc#1047379)
- udev/path_id: introduce support for NVMe devices (bsc#1045987)
- compat-rules: Don't rely on ID_SERIAL when generating 'by-id' links for
NVMe devices. (bsc#1048679)
- fstab-generator: Handle NFS "bg" mounts correctly. (bsc#874665,
fate#323464)
- timesyncd: Don't use compiled-in list if FallbackNTP has been configured
explicitly.

insserv-compat:

- Add /etc/init.d hierarchy from former "filesystem" package. (bsc#1035062)
- Fix directory argument parsing. (bsc#944903)
- Add perl(Getopt::Long) to list of requirements.

mariadb:

- Update libmysqlclient18 from version 10.0.30 to 10.0.31.

python-pycrypto:

- CVE-2013-7459: Fixed a potential heap buffer overflow in ALGnew
(bsc#1017420).

velum:

- Fix loopback IP for proxy exception during initial configuration.
(bsc#1052759)
- Set secure flag in cookie. (bsc#1050484)
- Set VERSION to 1.0.0. (bsc#1050396)
- Allow kubeconfig download when master is ready. (bsc#1048483)

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

• SUSE Container as a Service Platform ALL:
  zypper in -t patch SUSE-CAASP-ALL-2017-1531=1

To bring your system up-to-date, use "zypper patch".

Package List:

• SUSE Container as a Service Platform ALL (x86_64):
  • container-feeder-0.0.0+20170901.git_r55_17ecbd3-2.3.3
  • sles12-mariadb-docker-image-1.1.0-2.3.10
  • sles12-pause-docker-image-1.1.0-2.3.11
  • sles12-pv-recycler-node-docker-image-1.1.0-2.3.10
  • sles12-salt-api-docker-image-1.1.0-2.3.9
  • sles12-salt-master-docker-image-1.1.0-4.3.10
  • sles12-salt-minion-docker-image-1.1.0-2.3.8
  • sles12-velum-docker-image-1.1.0-4.3.9
• SUSE Container as a Service Platform ALL (noarch):
  • caasp-container-manifests-0.0.0+git_r155_93e40ab-2.3.3

References:

• https://www.suse.com/security/cve/CVE-2013-7459.html
• https://www.suse.com/security/cve/CVE-2016-9063.html
• https://www.suse.com/security/cve/CVE-2017-1000100.html
• https://www.suse.com/security/cve/CVE-2017-1000101.html
• https://www.suse.com/security/cve/CVE-2017-10684.html
• https://www.suse.com/security/cve/CVE-2017-10685.html
• https://www.suse.com/security/cve/CVE-2017-11112.html
• https://www.suse.com/security/cve/CVE-2017-11113.html
• https://www.suse.com/security/cve/CVE-2017-3308.html
• https://www.suse.com/security/cve/CVE-2017-3309.html
• https://www.suse.com/security/cve/CVE-2017-3453.html
• https://www.suse.com/security/cve/CVE-2017-3456.html
• https://www.suse.com/security/cve/CVE-2017-3464.html
• https://www.suse.com/security/cve/CVE-2017-7435.html
• https://www.suse.com/security/cve/CVE-2017-7436.html
• https://www.suse.com/security/cve/CVE-2017-8872.html
• https://www.suse.com/security/cve/CVE-2017-9233.html
• https://www.suse.com/security/cve/CVE-2017-9269.html
• https://bugzilla.suse.com/1004995
• https://bugzilla.suse.com/1009745
• https://bugzilla.suse.com/1014471
• https://bugzilla.suse.com/1017420
• https://bugzilla.suse.com/1019637
• https://bugzilla.suse.com/1026825
• https://bugzilla.suse.com/1027079
• https://bugzilla.suse.com/1027688
• https://bugzilla.suse.com/1027908
• https://bugzilla.suse.com/1028281
• https://bugzilla.suse.com/1028723
• https://bugzilla.suse.com/1029523
• https://bugzilla.suse.com/1031756
• https://bugzilla.suse.com/1032706
• https://bugzilla.suse.com/1033236
• https://bugzilla.suse.com/1035062
• https://bugzilla.suse.com/1036659
• https://bugzilla.suse.com/1038132
• https://bugzilla.suse.com/1038444
• https://bugzilla.suse.com/1038984
• https://bugzilla.suse.com/1042392
• https://bugzilla.suse.com/1043218
• https://bugzilla.suse.com/1043333
• https://bugzilla.suse.com/1044095
• https://bugzilla.suse.com/1044107
• https://bugzilla.suse.com/1044175
• https://bugzilla.suse.com/1044840
• https://bugzilla.suse.com/1045384
• https://bugzilla.suse.com/1045735
• https://bugzilla.suse.com/1045987
• https://bugzilla.suse.com/1046268
• https://bugzilla.suse.com/1046417
• https://bugzilla.suse.com/1046659
• https://bugzilla.suse.com/1046853
• https://bugzilla.suse.com/1046858
• https://bugzilla.suse.com/1047008
• https://bugzilla.suse.com/1047236
• https://bugzilla.suse.com/1047240
• https://bugzilla.suse.com/1047310
• https://bugzilla.suse.com/1047379
• https://bugzilla.suse.com/1047785
• https://bugzilla.suse.com/1047964
• https://bugzilla.suse.com/1047965
• https://bugzilla.suse.com/1048315
• https://bugzilla.suse.com/1048483
• https://bugzilla.suse.com/1048605
• https://bugzilla.suse.com/1048679
• https://bugzilla.suse.com/1048715
• https://bugzilla.suse.com/1049344
• https://bugzilla.suse.com/1050396
• https://bugzilla.suse.com/1050484
• https://bugzilla.suse.com/1051626
• https://bugzilla.suse.com/1051643
• https://bugzilla.suse.com/1051644
• https://bugzilla.suse.com/1052030
• https://bugzilla.suse.com/1052759
• https://bugzilla.suse.com/1053409
• https://bugzilla.suse.com/874665
• https://bugzilla.suse.com/902364
• https://bugzilla.suse.com/938657
• https://bugzilla.suse.com/944903
• https://bugzilla.suse.com/954661
• https://bugzilla.suse.com/960820
• https://bugzilla.suse.com/963041