Recommended update for openscap

Announcement ID:	SUSE-RU-2020:3950-1
Rating:	moderate
References:	bsc#1154380 bsc#1155258 bsc#1178301 bsc#1180456
Affected Products:	Basesystem Module 15-SP2 SUSE Linux Enterprise Desktop 15 SP2 SUSE Linux Enterprise High Performance Computing 15 SP2 SUSE Linux Enterprise Real Time 15 SP2 SUSE Linux Enterprise Server 15 SP2 SUSE Linux Enterprise Server 15 SP2 Business Critical Linux 15-SP2 SUSE Linux Enterprise Server for SAP Applications 15 SP2 SUSE Manager Proxy 4.1 SUSE Manager Retail Branch Server 4.1 SUSE Manager Server 4.1

An update that has four fixes can now be installed.

Description:

This update for openscap fixes the following issues:

OpenSCAP was updated to 1.3.4.

• add CPE dict entries for openSUSE Leap 15.1 and 15.2
• add dbus-1-devel buildrequires to enable systemd tests (bsc#1178301)

openscap 1.3.4:

• New features

  • Add support for FreeBSD
  • Make use of HTTP header content-encoding: gzip if available
  • Improved yamlfilecontent: updated yaml-filter, extend the schema and probe to be able to work with a set of values in maps

• Maintenance, bug fixes

  • A lot of memory leaks have been plugged
  • Refactored rpmverifyfile probe and fixed memory leak
  • Fixed SEGFAULT caused by recursive and circular dependencies between OVAL definitions
  • Fixed DOM representation of the profile platform
  • Test suit: better portability, more granularity in results, inclusion of memory-related tests
  • Compatibility with uClibc
  • Local and remote file system detection method was improved
  • Make the report a valid HTML5 document
  • openscap: DISA STIG Viewer URL reference changed (bsc#1180456)

openscap 1.3.3:

Notable improvements in this release:

• a Python script that can be used for CLI tailoring (autotailor) (thank you, Matěj Týč);
• timezone for XCCDF TestResult start and end time (thank you, Jan Černý);
• new yamlfilecontent independent probe (draft implementation), see the proposal https://github.com/OVAL-Community/OVAL/issues/91 for additional information.

There are other changes as well, here is the list:

• Introduced urn:xccdf:fix:script:kubernetes fix type in XCCDF;
• Added ability to generate machineconfig fix;
• Detect ambiguous scan target (utils/oscap-podman);
• Fixed #170: The rpmverifyfile probe can't verify files from '/bin' directory;
• The data system_info probe return for offline and online modes is consistent and actual;
• Prevent crashes when complicated regexes are executed in textfilecontent58 probe;
• Fixed #1512: Severity refinement lost in generated guide;
• Fixed #1453: Pointer lost in Swig API;
• Evaluation Characteristics of the XCCDF report are now consistent with OVAL entities; from system_info probe;
• Fixed filepath pattern matching in offline mode in textfilecontent58 probe;
• Fixed infinite recursion in systemdunitdependency probe;
• Fixed the case when CMake couldn't find libacl or xattr.h.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• Basesystem Module 15-SP2
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2020-3950=1

Package List:

• Basesystem Module 15-SP2 (aarch64 ppc64le s390x x86_64)
  • openscap-utils-1.3.4-3.3.1
  • openscap-debuginfo-1.3.4-3.3.1
  • openscap-utils-debuginfo-1.3.4-3.3.1
  • libopenscap25-debuginfo-1.3.4-3.3.1
  • openscap-devel-1.3.4-3.3.1
  • openscap-content-1.3.4-3.3.1
  • openscap-debugsource-1.3.4-3.3.1
  • openscap-1.3.4-3.3.1
  • libopenscap25-1.3.4-3.3.1

References:

• https://bugzilla.suse.com/show_bug.cgi?id=1154380
• https://bugzilla.suse.com/show_bug.cgi?id=1155258
• https://bugzilla.suse.com/show_bug.cgi?id=1178301
• https://bugzilla.suse.com/show_bug.cgi?id=1180456