Security update for CaaS Platform 1.0 images

SUSE Security Update: Security update for CaaS Platform 1.0 images
Announcement ID: SUSE-SU-2017:2861-1
Rating: moderate
References: #1005063 #1008325 #1009269 #1012523 #1025176 #1028485 #1032680 #1036659 #1042781 #1045628 #1045735 #1050767 #1050943 #1054028 #1054088 #1054671 #1055920 #1056995 #1060653 #1061876 #1063824 #903543 #978055 #998893 #999878
Affected Products:
  • SUSE Container as a Service Platform ALL

An update that solves three vulnerabilities and has 22 fixes is now available.

    Description:


    The Docker images provided with SUSE CaaS Platform 1.0 have been updated
    to include the following updates:

    audit:

    - Make auditd start by forking the systemd service to fix some
    initialization failures. (bsc#1042781)

    curl:

    - CVE-2017-1000254: FTP PWD response parser out of bounds read.
    (bsc#1061876)
    - CVE-2017-1000257: IMAP FETCH response out of bounds read. (bsc#1063824)
    - Fixed error "error:1408F10B:SSL routines" when connecting to ftps via
    proxy. (bsc#1060653)

    krb5:

    - CVE-2017-11462: Prevent automatic security context deletion to prevent
    double-free. (bsc#1056995)
    - Set "rdns" and "dns_canonicalize_hostname" to false in krb5.conf in
    order to improve client security in handling service principal names.
    (bsc#1054028)
    - Prevent kadmind.service startup failure caused by absence of LDAP
    service. (bsc#903543)
    - Remove main package's dependency on systemd (bsc#1032680)
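
The krb5.conf hardening from bsc#1054028 can be verified on a host with a short script. This is an added example, not part of the SUSE advisory or its packages; the sample file contents are constructed, `include`/`includedir` directives are not followed, and the first occurrence of a key is assumed to win.

```python
# Added example: audit the [libdefaults] settings named in bsc#1054028.
import re

FALSE_WORDS = {"false", "no", "n", "f", "nil", "0", "off"}
REQUIRED = ("rdns", "dns_canonicalize_hostname")

def libdefaults(text):
    """Return {key: value} for [libdefaults]; first occurrence wins (assumed)."""
    section, found = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or whole-line comment
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1).strip()
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            found.setdefault(key, value.strip('"').lower())
    return found

def audit(text):
    """Map each required setting to 'ok', 'missing' or 'enabled'."""
    conf = libdefaults(text)
    # Unset counts as a finding: both options default to true in MIT krb5.
    return {k: "missing" if k not in conf
            else "ok" if conf[k] in FALSE_WORDS else "enabled"
            for k in REQUIRED}

# Constructed sample files, not taken from any real host.
HARDENED = """
[libdefaults]
    default_realm = EXAMPLE.COM
    rdns = false
    dns_canonicalize_hostname = false
"""
WEAK = """
# rdns = false   (commented out, so it does not count)
[libdefaults]
    dns_canonicalize_hostname = true
[domain_realm]
    rdns = false
"""

if __name__ == "__main__":
    for name, text in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit(text))
```

To check a real system, pass the contents of /etc/krb5.conf to `audit()`; any result other than "ok" means the setting is still effectively enabled.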

    libzypp:

    - Adapt to work with GnuPG 2.1.23. (bsc#1054088)
    - Support signing with subkeys. (bsc#1008325)
    - Enhance sort order for media.1/products. (bsc#1054671)
    - Fix gpg-pubkey release (creation time) computation. (bsc#1036659)

    lvm2:

    - Create /dev/disk/by-part{label,uuid} and gpt-auto-root links.
    (bsc#1028485)
    - Try to refresh clvmd's device cache on the first failure. (bsc#978055)
    - Fix stale device cache in clvmd. (bsc#978055)
    - Warn if PV size in metadata is larger than disk device size. (bsc#999878)
    - Fix lvm2 activation issue when used on top of multipath. (bsc#998893)

    sg3_utils:

    - Add lunsearch filter to findresized() so that only LUNs specified using
    --luns are rescanned or resized. (bsc#1025176)
    - In case the VPD sysfs attributes are missing or cannot be accessed,
    fall back to using sg_inq --page when using multipath devices in AutoYaST2
    installations. (bsc#1012523)
    - Generate /dev/disk/by-path links based on WWPN for Fibre Channel NPIV
    setups. (bsc#1005063)
    - Fix dumping data in hexadecimal format in sg_vpd when using the --hex
    option. (bsc#1050943)
    - Fix ID_SERIAL values for KVM disks by exporting all NAA values and
    removing some validity checking. (bsc#1050767)
    - Make sure initrd is rebuilt on sg3_utils updates. (bsc#1009269)

    zypper:

    - Also show a gpg key's subkeys. (bsc#1008325)
    - Improve signature check callback messages. (bsc#1045735)
    - Add options to tune the GPG check settings. (bsc#1045735)

    Patch Instructions:

    To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product:

    • SUSE Container as a Service Platform ALL:
      zypper in -t patch SUSE-CAASP-ALL-2017-1782=1

    To bring your system up-to-date, use "zypper patch".

    Package List:

    • SUSE Container as a Service Platform ALL (x86_64):
      • sles12-mariadb-docker-image-1.1.0-2.5.19
      • sles12-pause-docker-image-1.1.0-2.5.21
      • sles12-pv-recycler-node-docker-image-1.1.0-2.5.19
      • sles12-salt-api-docker-image-1.1.0-2.5.19
      • sles12-salt-master-docker-image-1.1.0-4.5.18
      • sles12-salt-minion-docker-image-1.1.0-2.5.18
      • sles12-velum-docker-image-1.1.0-4.5.18

    References: