Security update for CaaS Platform 2.0 images
Announcement ID: | SUSE-SU-2018:0053-1 |
---|---|
Rating: | moderate |
References: |
|
Cross-References: |
|
CVSS scores: |
|
Affected Products: |
|
An update that solves 29 vulnerabilities and has 57 security fixes can now be installed.
Description:
The Docker images provided with SUSE CaaS Platform 2.0 have been updated to include the following updates:
binutils:
- Update to version 2.29
- 18750 bsc#1030296 CVE-2014-9939
- 20891 bsc#1030585 CVE-2017-7225
- 20892 bsc#1030588 CVE-2017-7224
- 20898 bsc#1030589 CVE-2017-7223
- 20905 bsc#1030584 CVE-2017-7226
- 20908 bsc#1031644 CVE-2017-7299
- 20909 bsc#1031656 CVE-2017-7300
- 20921 bsc#1031595 CVE-2017-7302
- 20922 bsc#1031593 CVE-2017-7303
- 20924 bsc#1031638 CVE-2017-7301
- 20931 bsc#1031590 CVE-2017-7304
- 21135 bsc#1030298 CVE-2017-7209
- 21137 bsc#1029909 CVE-2017-6965
- 21139 bsc#1029908 CVE-2017-6966
- 21156 bsc#1029907 CVE-2017-6969
- 21157 bsc#1030297 CVE-2017-7210
- 21409 bsc#1037052 CVE-2017-8392
- 21412 bsc#1037057 CVE-2017-8393
- 21414 bsc#1037061 CVE-2017-8394
- 21432 bsc#1037066 CVE-2017-8396
- 21440 bsc#1037273 CVE-2017-8421
- 21580 bsc#1044891 CVE-2017-9746
- 21581 bsc#1044897 CVE-2017-9747
- 21582 bsc#1044901 CVE-2017-9748
- 21587 bsc#1044909 CVE-2017-9750
- 21594 bsc#1044925 CVE-2017-9755
- 21595 bsc#1044927 CVE-2017-9756
- 21787 bsc#1052518 CVE-2017-12448
- 21813 bsc#1052503, CVE-2017-12456, bsc#1052507, CVE-2017-12454, bsc#1052509, CVE-2017-12453, bsc#1052511, CVE-2017-12452, bsc#1052514, CVE-2017-12450, bsc#1052503, CVE-2017-12456, bsc#1052507, CVE-2017-12454, bsc#1052509, CVE-2017-12453, bsc#1052511, CVE-2017-12452, bsc#1052514, CVE-2017-12450
- 21933 bsc#1053347 CVE-2017-12799
- 21990 bsc#1058480 CVE-2017-14333
- 22018 bsc#1056312 CVE-2017-13757
- 22047 bsc#1057144 CVE-2017-14129
- 22058 bsc#1057149 CVE-2017-14130
- 22059 bsc#1057139 CVE-2017-14128
- 22113 bsc#1059050 CVE-2017-14529
- 22148 bsc#1060599 CVE-2017-14745
- 22163 bsc#1061241 CVE-2017-14974
- 22170 bsc#1060621 CVE-2017-14729
- Make compressed debug section handling explicit, disable for old products and enable for gas on all architectures otherwise. [bsc#1029995]
- Remove empty rpath component removal optimization from to workaround CMake rpath handling. [bsc#1025282]
- Fix alignment frags for aarch64 (bsc#1003846)
coreutils:
- Fix df(1) to no longer interact with excluded file system types, so for example specifying -x nfs no longer hangs with problematic nfs mounts. (bsc#1026567)
- Ensure df -l no longer interacts with dummy file system types, so for example no longer hangs with problematic NFS mounted via system.automount(5). (bsc#1043059)
- Significantly speed up df(1) for huge mount lists. (bsc#965780)
file:
- update to version 5.22.
- CVE-2014-9621: The ELF parser in file allowed remote attackers to cause a denial of service via a long string. (bsc#913650)
- CVE-2014-9620: The ELF parser in file allowed remote attackers to cause a denial of service via a large number of notes. (bsc#913651)
- CVE-2014-9653: readelf.c in file did not consider that pread calls sometimes read only a subset of the available data, which allows remote attackers to cause a denial of service (uninitialized memory access) or possibly have unspecified other impact via a crafted ELF file. (bsc#917152)
- CVE-2014-8116: The ELF parser (readelf.c) in file allowed remote attackers to cause a denial of service (CPU consumption or crash) via a large number of (1) program or (2) section headers or (3) invalid capabilities. (bsc#910253)
- CVE-2014-8117: softmagic.c in file did not properly limit recursion, which allowed remote attackers to cause a denial of service (CPU consumption or crash) via unspecified vectors. (bsc#910253)
- Fixed a memory corruption during rpmbuild (bsc#1063269)
- Backport of a fix for an increased printable string length as found in file 5.30 (bsc#996511)
- file command throws "Composite Document File V2 Document, corrupt: Can't read SSAT" error against excel 97/2003 file format. (bsc#1009966)
gcc7:
- Support for specific IBM Power9 processor instructions.
- Support for specific IBM zSeries z14 processor instructions.
- New packages cross-npvtx-gcc7 and nvptx-tools added to the Toolchain Module for specific NVIDIA Card offload support.
gzip:
- fix mishandling of leading zeros in the end-of-block code (bsc#1067891)
libsolv:
- Many fixes and improvements for cleandeps.
- Always create dup rules for "distupgrade" jobs.
- Use recommends also for ordering packages.
- Fix splitprovides handling with addalreadyrecommended turned off. (bsc#1059065)
- Expose solver_get_recommendations() in bindings.
- Fix bug in solver_prune_to_highest_prio_per_name resulting in bad output from solver_get_recommendations().
- Support 'without' and 'unless' dependencies.
- Use same heuristic as upstream to determine source RPMs.
- Fix memory leak in bindings.
- Add pool_best_solvables() function.
- Fix 64bit integer parsing from RPM headers.
- Enable bzip2 and xz/lzma compression support.
- Enable complex/rich dependencies on distributions with RPM 4.13+.
libtool:
- Add missing dependencies and provides to baselibs.conf to make sure libltdl libraries are properly installed. (bsc#1056381)
libzypp:
- Fix media handling in presence of a repo path prefix. (bsc#1062561)
- Fix RepoProvideFile ignoring a repo path prefix. (bsc#1062561)
- Remove unused legacy notify-message script. (bsc#1058783)
- Support multiple product licenses in repomd. (fate#322276)
- Propagate 'rpm --import' errors. (bsc#1057188)
- Fix typos in zypp.conf.
openssl:
- CVE-2017-3735: openssl1,openssl: Malformed X.509 IPAdressFamily could cause OOB read (bsc#1056058)
- CVE-2017-3736: openssl: bn_sqrx8x_internal carry bug on x86_64 (bsc#1066242)
- Out of bounds read+crash in DES_fcrypt (bsc#1065363)
- openssl DEFAULT_SUSE cipher list is missing ECDHE-ECDSA ciphers (bsc#1055825)
perl:
Security issues for perl:
- CVE-2017-12837: Heap-based buffer overflow in the S_regatom function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to cause a denial of service (out-of-bounds write) via a regular expression with a escape and the case-insensitive modifier. (bnc#1057724)
- CVE-2017-12883: Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to disclose sensitive information or cause a denial of service (application crash) via a crafted regular expression with an invalid escape. (bnc#1057721)
- CVE-2017-6512: Race condition in the rmtree and remove_tree functions in the File-Path module before 2.13 for Perl allows attackers to set the mode on arbitrary files via vectors involving directory-permission loosening logic. (bnc#1047178)
Bug fixes for perl:
- backport set_capture_string changes from upstream (bsc#999735)
- reformat baselibs.conf as source validator workaround
systemd:
- unit: When JobTimeoutSec= is turned off, implicitly turn off JobRunningTimeoutSec= too. (bsc#1048605, bsc#1004995)
- compat-rules: Generate compat by-id symlinks with 'nvme' prefix missing and warn users that have broken symlinks. (bsc#1063249)
- compat-rules: Allow to specify the generation number through the kernel command line.
- scsi_id: Fixup prefix for pre-SPC inquiry reply. (bsc#1039099)
- tmpfiles: Remove old ICE and X11 sockets at boot.
- tmpfiles: Silently ignore any path that passes through autofs. (bsc#1045472)
- pam_logind: Skip leading /dev/ from PAM_TTY field before passing it on.
- shared/machine-pool: Fix another mkfs.btrfs checking. (bsc#1053595)
- shutdown: Fix incorrect fscanf() result check.
- shutdown: Don't remount,ro network filesystems. (bsc#1035386)
- shutdown: Don't be fooled when detaching DM devices with BTRFS. (bsc#1055641)
- bash-completion: Add support for --now. (bsc#1053137)
- Add convert-lib-udev-path.sh script to convert /lib/udev directory into a symlink pointing to /usr/lib/udev when upgrading from SLE11. (bsc#1050152)
- Add a rule to teach hotplug to offline