Security update for CaaS Platform 2.0 images

Announcement ID: SUSE-SU-2018:0053-1
Rating: moderate
References:
Cross-References:
CVSS scores:
  • CVE-2017-12448 ( SUSE ): 5.9 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
  • CVE-2017-12448 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVE-2017-12450 ( SUSE ): 5.9 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
  • CVE-2017-12450 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVE-2017-12452 ( SUSE ): 4.0 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • CVE-2017-12452 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVE-2017-12453 ( SUSE ): 4.0 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • CVE-2017-12453 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVE-2017-12454 ( SUSE ): 4.0 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • CVE-2017-12454 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVE-2017-12456 ( SUSE ): 4.0 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • CVE-2017-12456 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVE-2017-12799 ( SUSE ): 4.4 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
  • CVE-2017-12799 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVE-2017-12837 ( SUSE ): 4.0 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • CVE-2017-12837 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2017-12883 ( SUSE ): 5.1 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
  • CVE-2017-12883 ( NVD ): 9.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
  • CVE-2017-13757 ( SUSE ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • CVE-2017-13757 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2017-14128 ( SUSE ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • CVE-2017-14128 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2017-14129 ( SUSE ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • CVE-2017-14129 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2017-14130 ( SUSE ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • CVE-2017-14130 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2017-14333 ( SUSE ): 2.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L
  • CVE-2017-14333 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVE-2017-14529 ( SUSE ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • CVE-2017-14529 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2017-14729 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVE-2017-14745 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVE-2017-14974 ( SUSE ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • CVE-2017-14974 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2017-3735 ( SUSE ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  • CVE-2017-3735 ( NVD ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  • CVE-2017-3736 ( SUSE ): 7.4 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
  • CVE-2017-3736 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
  • CVE-2017-3737 ( SUSE ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
  • CVE-2017-3737 ( NVD ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
  • CVE-2017-3738 ( SUSE ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
  • CVE-2017-3738 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
  • CVE-2017-3738 ( NVD ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
  • CVE-2017-6512 ( SUSE ): 5.1 CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
  • CVE-2017-6512 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
  • CVE-2017-6512 ( NVD ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Affected Products:
  • SUSE Container as a Service Platform 1.0
  • SUSE Container as a Service Platform 2.0

An update that solves 29 vulnerabilities and has 57 security fixes can now be installed.

Description:

The Docker images provided with SUSE CaaS Platform 2.0 have been updated to include the following updates:

binutils:

  • Update to version 2.29
  • 18750 bsc#1030296 CVE-2014-9939
  • 20891 bsc#1030585 CVE-2017-7225
  • 20892 bsc#1030588 CVE-2017-7224
  • 20898 bsc#1030589 CVE-2017-7223
  • 20905 bsc#1030584 CVE-2017-7226
  • 20908 bsc#1031644 CVE-2017-7299
  • 20909 bsc#1031656 CVE-2017-7300
  • 20921 bsc#1031595 CVE-2017-7302
  • 20922 bsc#1031593 CVE-2017-7303
  • 20924 bsc#1031638 CVE-2017-7301
  • 20931 bsc#1031590 CVE-2017-7304
  • 21135 bsc#1030298 CVE-2017-7209
  • 21137 bsc#1029909 CVE-2017-6965
  • 21139 bsc#1029908 CVE-2017-6966
  • 21156 bsc#1029907 CVE-2017-6969
  • 21157 bsc#1030297 CVE-2017-7210
  • 21409 bsc#1037052 CVE-2017-8392
  • 21412 bsc#1037057 CVE-2017-8393
  • 21414 bsc#1037061 CVE-2017-8394
  • 21432 bsc#1037066 CVE-2017-8396
  • 21440 bsc#1037273 CVE-2017-8421
  • 21580 bsc#1044891 CVE-2017-9746
  • 21581 bsc#1044897 CVE-2017-9747
  • 21582 bsc#1044901 CVE-2017-9748
  • 21587 bsc#1044909 CVE-2017-9750
  • 21594 bsc#1044925 CVE-2017-9755
  • 21595 bsc#1044927 CVE-2017-9756
  • 21787 bsc#1052518 CVE-2017-12448
  • 21813 bsc#1052503, CVE-2017-12456, bsc#1052507, CVE-2017-12454, bsc#1052509, CVE-2017-12453, bsc#1052511, CVE-2017-12452, bsc#1052514, CVE-2017-12450, bsc#1052503, CVE-2017-12456, bsc#1052507, CVE-2017-12454, bsc#1052509, CVE-2017-12453, bsc#1052511, CVE-2017-12452, bsc#1052514, CVE-2017-12450
  • 21933 bsc#1053347 CVE-2017-12799
  • 21990 bsc#1058480 CVE-2017-14333
  • 22018 bsc#1056312 CVE-2017-13757
  • 22047 bsc#1057144 CVE-2017-14129
  • 22058 bsc#1057149 CVE-2017-14130
  • 22059 bsc#1057139 CVE-2017-14128
  • 22113 bsc#1059050 CVE-2017-14529
  • 22148 bsc#1060599 CVE-2017-14745
  • 22163 bsc#1061241 CVE-2017-14974
  • 22170 bsc#1060621 CVE-2017-14729
  • Make compressed debug section handling explicit, disable for old products and enable for gas on all architectures otherwise. [bsc#1029995]
  • Remove empty rpath component removal optimization from to workaround CMake rpath handling. [bsc#1025282]
  • Fix alignment frags for aarch64 (bsc#1003846)

coreutils:

  • Fix df(1) to no longer interact with excluded file system types, so for example specifying -x nfs no longer hangs with problematic nfs mounts. (bsc#1026567)
  • Ensure df -l no longer interacts with dummy file system types, so for example no longer hangs with problematic NFS mounted via system.automount(5). (bsc#1043059)
  • Significantly speed up df(1) for huge mount lists. (bsc#965780)

file:

  • update to version 5.22.
  • CVE-2014-9621: The ELF parser in file allowed remote attackers to cause a denial of service via a long string. (bsc#913650)
  • CVE-2014-9620: The ELF parser in file allowed remote attackers to cause a denial of service via a large number of notes. (bsc#913651)
  • CVE-2014-9653: readelf.c in file did not consider that pread calls sometimes read only a subset of the available data, which allows remote attackers to cause a denial of service (uninitialized memory access) or possibly have unspecified other impact via a crafted ELF file. (bsc#917152)
  • CVE-2014-8116: The ELF parser (readelf.c) in file allowed remote attackers to cause a denial of service (CPU consumption or crash) via a large number of (1) program or (2) section headers or (3) invalid capabilities. (bsc#910253)
  • CVE-2014-8117: softmagic.c in file did not properly limit recursion, which allowed remote attackers to cause a denial of service (CPU consumption or crash) via unspecified vectors. (bsc#910253)
  • Fixed a memory corruption during rpmbuild (bsc#1063269)
  • Backport of a fix for an increased printable string length as found in file 5.30 (bsc#996511)
  • file command throws "Composite Document File V2 Document, corrupt: Can't read SSAT" error against excel 97/2003 file format. (bsc#1009966)

gcc7:

  • Support for specific IBM Power9 processor instructions.
  • Support for specific IBM zSeries z14 processor instructions.
  • New packages cross-npvtx-gcc7 and nvptx-tools added to the Toolchain Module for specific NVIDIA Card offload support.

gzip:

  • fix mishandling of leading zeros in the end-of-block code (bsc#1067891)

libsolv:

  • Many fixes and improvements for cleandeps.
  • Always create dup rules for "distupgrade" jobs.
  • Use recommends also for ordering packages.
  • Fix splitprovides handling with addalreadyrecommended turned off. (bsc#1059065)
  • Expose solver_get_recommendations() in bindings.
  • Fix bug in solver_prune_to_highest_prio_per_name resulting in bad output from solver_get_recommendations().
  • Support 'without' and 'unless' dependencies.
  • Use same heuristic as upstream to determine source RPMs.
  • Fix memory leak in bindings.
  • Add pool_best_solvables() function.
  • Fix 64bit integer parsing from RPM headers.
  • Enable bzip2 and xz/lzma compression support.
  • Enable complex/rich dependencies on distributions with RPM 4.13+.

libtool:

  • Add missing dependencies and provides to baselibs.conf to make sure libltdl libraries are properly installed. (bsc#1056381)

libzypp:

  • Fix media handling in presence of a repo path prefix. (bsc#1062561)
  • Fix RepoProvideFile ignoring a repo path prefix. (bsc#1062561)
  • Remove unused legacy notify-message script. (bsc#1058783)
  • Support multiple product licenses in repomd. (fate#322276)
  • Propagate 'rpm --import' errors. (bsc#1057188)
  • Fix typos in zypp.conf.

openssl:

  • CVE-2017-3735: openssl1,openssl: Malformed X.509 IPAdressFamily could cause OOB read (bsc#1056058)
  • CVE-2017-3736: openssl: bn_sqrx8x_internal carry bug on x86_64 (bsc#1066242)
  • Out of bounds read+crash in DES_fcrypt (bsc#1065363)
  • openssl DEFAULT_SUSE cipher list is missing ECDHE-ECDSA ciphers (bsc#1055825)

perl:

Security issues for perl:

  • CVE-2017-12837: Heap-based buffer overflow in the S_regatom function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to cause a denial of service (out-of-bounds write) via a regular expression with a escape and the case-insensitive modifier. (bnc#1057724)
  • CVE-2017-12883: Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to disclose sensitive information or cause a denial of service (application crash) via a crafted regular expression with an invalid escape. (bnc#1057721)
  • CVE-2017-6512: Race condition in the rmtree and remove_tree functions in the File-Path module before 2.13 for Perl allows attackers to set the mode on arbitrary files via vectors involving directory-permission loosening logic. (bnc#1047178)

Bug fixes for perl:

  • backport set_capture_string changes from upstream (bsc#999735)
  • reformat baselibs.conf as source validator workaround

systemd:

  • unit: When JobTimeoutSec= is turned off, implicitly turn off JobRunningTimeoutSec= too. (bsc#1048605, bsc#1004995)
  • compat-rules: Generate compat by-id symlinks with 'nvme' prefix missing and warn users that have broken symlinks. (bsc#1063249)
  • compat-rules: Allow to specify the generation number through the kernel command line.
  • scsi_id: Fixup prefix for pre-SPC inquiry reply. (bsc#1039099)
  • tmpfiles: Remove old ICE and X11 sockets at boot.
  • tmpfiles: Silently ignore any path that passes through autofs. (bsc#1045472)
  • pam_logind: Skip leading /dev/ from PAM_TTY field before passing it on.
  • shared/machine-pool: Fix another mkfs.btrfs checking. (bsc#1053595)
  • shutdown: Fix incorrect fscanf() result check.
  • shutdown: Don't remount,ro network filesystems. (bsc#1035386)
  • shutdown: Don't be fooled when detaching DM devices with BTRFS. (bsc#1055641)
  • bash-completion: Add support for --now. (bsc#1053137)
  • Add convert-lib-udev-path.sh script to convert /lib/udev directory into a symlink pointing to /usr/lib/udev when upgrading from SLE11. (bsc#1050152)
  • Add a rule to teach hotplug to offline