Recommended update for openscap
| Announcement ID: | SUSE-RU-2020:3948-1 |
|---|---|
| Rating: | moderate |
| References: | |
| Affected Products: |
|
An update that has five fixes can now be installed.
Description:
This update for openscap fixes the following issues:
OpenSCAP was updated to 1.3.4.
- add CPE dict entries for openSUSE Leap 15.1 and 15.2
- add dbus-1-devel buildrequires to enable systemd tests (bsc#1178301)
openscap 1.3.4:
-
New features
- Add support for FreeBSD
- Make use of HTTP header content-encoding: gzip if available
- Improved yamlfilecontent: updated yaml-filter, extend the schema and probe to be able to work with a set of values in maps
-
Maintenance, bug fixes
- A lot of memory leaks have been plugged
- Refactored rpmverifyfile probe and fixed memory leak
- Fixed SEGFAULT caused by recursive and circular dependencies between OVAL definitions
- Fixed DOM representation of the profile platform
- Test suit: better portability, more granularity in results, inclusion of memory-related tests
- Compatibility with uClibc
- Local and remote file system detection method was improved
- Make the report a valid HTML5 document
- openscap: DISA STIG Viewer URL reference changed (bsc#1180456)
openscap 1.3.3:
Notable improvements in this release:
- a Python script that can be used for CLI tailoring (autotailor) (thank you, Matěj Týč);
- timezone for XCCDF TestResult start and end time (thank you, Jan Černý);
- new yamlfilecontent independent probe (draft implementation), see the proposal https://github.com/OVAL-Community/OVAL/issues/91 for additional information.
There are other changes as well, here is the list:
- Introduced
urn:xccdf:fix:script:kubernetesfix type in XCCDF; - Added ability to generate
machineconfigfix; - Detect ambiguous scan target (utils/oscap-podman);
- Fixed #170: The rpmverifyfile probe can't verify files from '/bin' directory;
- The data system_info probe return for offline and online modes is consistent and actual;
- Prevent crashes when complicated regexes are executed in textfilecontent58 probe;
- Fixed #1512: Severity refinement lost in generated guide;
- Fixed #1453: Pointer lost in Swig API;
- Evaluation Characteristics of the XCCDF report are now consistent with OVAL entities; from system_info probe;
- Fixed filepath pattern matching in offline mode in textfilecontent58 probe;
- Fixed infinite recursion in systemdunitdependency probe;
- Fixed the case when CMake couldn't find libacl or xattr.h.
openscap 1.3.2
- the test suite and build scripts were improved to support Debian 10
- offline mode has received some love with a set of dedicated tests and various fixes in OVAL probes;
- the oscap-docker wrapper is no longer dependent on Atomic
- Python binding are now more robust
- HTML reports and guides, generated by the scanner, are now more accessible for non-visual rendering agents
- Support of multi-check rules has been improved across the whole workflow
There are other changes as well, here is the list:
-
New features
- Offline mode support for environmentvariable58 probe
- The oscap-docker wrapper is available without Atomic
-
Maintenance, bug fixes
- Improved support of multi-check rules (report, remediations, console output)
- Improved HTML report look and feel, including printed version
- Less clutter in verbose mode output; some warnings and errors demoted to verbose mode levels
- Probe rpmverifyfile uses and returns canonical paths
- Improved a11y of HTML reports and guides
- Fixes and improvements for SWIG Python bindings
-
1403 fixed: Scanner would not apply remediation for multicheck rules (verbosity)
- Fixed URL link mechanism for Red Hat Errata
- New STIG Viewer URI: public.cyber.mil
- Probe selinuxsecuritycontext would not check if SELinux is enabled
- Scanner would provide information about unsupported OVAL objects
- Added more tests for offline mode (probes, remediation)
-
528 fixed: Eval SCE script when /tmp is in mode noexec
-
1173, RHBZ#1603347 fixed: Double chdir/chroot in probe rpmverifypackage
- make it build with new RPM (bsc#1160720)
Patch Instructions:
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
-
SUSE Linux Enterprise Software Development Kit 12 SP5
zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-3948=1 -
SUSE Linux Enterprise High Performance Computing 12 SP5
zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-3948=1 -
SUSE Linux Enterprise Server 12 SP5
zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-3948=1 -
SUSE Linux Enterprise Server for SAP Applications 12 SP5
zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-3948=1
Package List:
-
SUSE Linux Enterprise Software Development Kit 12 SP5 (aarch64 ppc64le s390x x86_64)
- openscap-debugsource-1.3.4-3.6.1
- openscap-devel-1.3.4-3.6.1
-
SUSE Linux Enterprise High Performance Computing 12 SP5 (aarch64 x86_64)
- openscap-utils-1.3.4-3.6.1
- libopenscap_sce25-1.3.4-3.6.1
- openscap-debugsource-1.3.4-3.6.1
- openscap-utils-debuginfo-1.3.4-3.6.1
- openscap-content-1.3.4-3.6.1
- libopenscap25-debuginfo-1.3.4-3.6.1
- libopenscap_sce25-debuginfo-1.3.4-3.6.1
- libopenscap25-1.3.4-3.6.1
- openscap-1.3.4-3.6.1
-
SUSE Linux Enterprise Server 12 SP5 (aarch64 ppc64le s390x x86_64)
- openscap-utils-1.3.4-3.6.1
- libopenscap_sce25-1.3.4-3.6.1
- openscap-debugsource-1.3.4-3.6.1
- openscap-utils-debuginfo-1.3.4-3.6.1
- openscap-content-1.3.4-3.6.1
- libopenscap25-debuginfo-1.3.4-3.6.1
- libopenscap_sce25-debuginfo-1.3.4-3.6.1
- libopenscap25-1.3.4-3.6.1
- openscap-1.3.4-3.6.1
-
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (ppc64le x86_64)
- openscap-utils-1.3.4-3.6.1
- libopenscap_sce25-1.3.4-3.6.1
- openscap-debugsource-1.3.4-3.6.1
- openscap-utils-debuginfo-1.3.4-3.6.1
- openscap-content-1.3.4-3.6.1
- libopenscap25-debuginfo-1.3.4-3.6.1
- libopenscap_sce25-debuginfo-1.3.4-3.6.1
- libopenscap25-1.3.4-3.6.1
- openscap-1.3.4-3.6.1