Security update for CaaS Platform 1.0 images

Announcement ID: SUSE-SU-2017:2470-1
Rating: important
CVSS scores:
  • CVE-2016-9063 ( SUSE ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2016-9063 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2016-9063 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2017-1000100 ( SUSE ): 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
  • CVE-2017-1000100 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
  • CVE-2017-1000101 ( SUSE ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
  • CVE-2017-1000101 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
  • CVE-2017-10684 ( SUSE ): 5.6 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
  • CVE-2017-10684 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2017-10685 ( SUSE ): 5.6 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
  • CVE-2017-10685 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2017-11112 ( SUSE ): 5.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
  • CVE-2017-11112 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2017-11113 ( SUSE ): 5.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
  • CVE-2017-11113 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2017-3308 ( NVD ): 7.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
  • CVE-2017-3308 ( NVD ): 7.7 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
  • CVE-2017-3309 ( NVD ): 7.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
  • CVE-2017-3309 ( NVD ): 7.7 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
  • CVE-2017-3453 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  • CVE-2017-3453 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  • CVE-2017-3456 ( NVD ): 4.9 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
  • CVE-2017-3456 ( NVD ): 4.9 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
  • CVE-2017-3464 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
  • CVE-2017-3464 ( NVD ): 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
  • CVE-2017-7435 ( SUSE ): 8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2017-7435 ( NVD ): 8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2017-7436 ( SUSE ): 8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2017-7436 ( NVD ): 8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2017-8872 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
  • CVE-2017-8872 ( NVD ): 9.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
  • CVE-2017-9233 ( SUSE ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2017-9233 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2017-9233 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2017-9269 ( SUSE ): 7.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
  • CVE-2017-9269 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:
  • SUSE Container as a Service Platform 1.0
  • SUSE Container as a Service Platform 2.0

An update that solves 18 vulnerabilities and has 46 security fixes can now be installed.

Description:

The Docker images provided with SUSE CaaS Platform 1.0 have been updated to include the following updates:

libzypp:

  • CVE-2017-7435, CVE-2017-7436, CVE-2017-9269: Fix GPG check workflows, mainly for unsigned repositories and packages. (bsc#1045735, bsc#1038984)
  • Fix gpg-pubkey release (creation time) computation. (bsc#1036659)
  • Update lsof blacklist. (bsc#1046417)
  • Re-probe on refresh if the repository type changes. (bsc#1048315)
  • Propagate proper error code to DownloadProgressReport. (bsc#1047785)
  • Allow triggering an appdata refresh unconditionally. (bsc#1009745)
  • Support custom repo variables defined in /etc/zypp/vars.d.
  • Adapt loop mounting of ISO images. (bsc#1038132, bsc#1033236)
  • Fix potential crash if repository has no baseurl. (bsc#1043218)

zypper:

  • CVE-2017-7436: Adapt download callback to report and handle unsigned packages. (bsc#1038984)
  • Report missing/optional files as 'not found' rather than 'error'. (bsc#1047785)
  • Document support for custom repository variables defined in /etc/zypp/vars.d.
  • Emphasize that, when PackageKit blocks package management, the outcome depends on how fast PackageKit responds to the 'quit' request that is sent to it.

libgcrypt:

  • Fix an infinite loop in gnome-keyring-daemon caused by an attempt to read from a random device left open by libgcrypt. (bsc#1043333)
  • Avoid seeding the DRBG during FIPS power-up selftests. (bsc#1046659)
  • Fix a bug in gcry_drbg_healthcheck_sanity() which caused skipping some of the tests. (bsc#1046659)
  • Because dlsym returns the PLT address on s390x, dlopen libgcrypt20.so before calling dlsym. (bsc#1047008)

lua51:

  • Add Lua(API) and Lua(devel) symbols to fix building of lua51-luasocket. (bsc#1051626)

cyrus-sasl:

  • Fix the "unknown authentication mechanism: kerberos5" error. (bsc#1026825)
  • Really use the SASLAUTHD_PARAMS variable. (bsc#938657)
  • Make sure /usr/sbin/rcsaslauthd exists.
  • Add the /usr/sbin/rcsaslauthd symbolic link to /usr/sbin/service. (bsc#1014471)
  • Silence the "GSSAPI client step 1" debug log message. (bsc#1044840)

libxml2:

  • CVE-2017-8872: Out-of-bounds read in htmlParseTryOrFinish. (bsc#1038444)

curl:

  • CVE-2017-1000100: TFTP sends more than the buffer size, which could lead to a denial of service. (bsc#1051644)
  • CVE-2017-1000101: An out-of-bounds read in URL globbing could lead to a denial of service. (bsc#1051643)

ncurses:

  • CVE-2017-11112: Illegal address access in append_acs. (bsc#1047964)
  • CVE-2017-11113: Dereferencing NULL pointer in _nc_parse_entry. (bsc#1047965)
  • CVE-2017-10684, CVE-2017-10685: Add a modified upstream fix from ncurses 6.0 to avoid a broken termcap format. (bsc#1046853, bsc#1046858, bsc#1049344)

sed:

  • Don't terminate with a segmentation fault if closing the last file descriptor fails. (bsc#954661)

openssl:

  • Remove DES-CBC3-SHA-based ciphers from DEFAULT_SUSE to address the SWEET32 problem. (bsc#1027908)
  • Use the getrandom syscall instead of reading from /dev/urandom to obtain at least 128 bits of entropy, as required by FIPS 140-2 IG 7.14. (bsc#1027079, bsc#1044175)
  • Fix x86 extended feature detection. (bsc#1029523)
  • Allow runtime switching of s390x capabilities via the "OPENSSL_s390xcap" environment variable. (bsc#1028723)
  • Add back certificate initialization set_cert_key_stuff() which was removed in a previous update. (bsc#1028281)
  • Fix a bug in XTS key handling. (bsc#1019637)
  • Don't run FIPS power-up self-tests when the checksum files aren't installed. (bsc#1042392)

procps:

  • Don't set buffering on invalid file descriptor. (bsc#1053409)

expat:

  • CVE-2016-9063: Possible integer overflow inside XML_Parse leading to unexpected behaviour. (bsc#1047240)
  • CVE-2017-9233: External Entity Vulnerability could lead to denial of service. (bsc#1047236)

systemd:

  • Revert the fix for bsc#1004995, which could have caused boot failures on LVM. (bsc#1048605)
  • compat-rules: Drop the bogus 'import everything' rule. (bsc#1046268)
  • core: Use an AF_UNIX/SOCK_DGRAM socket for cgroup agent notification. (bsc#1045384, bsc#1047379)
  • udev/path_id: Introduce support for NVMe devices. (bsc#1045987)
  • compat-rules: Don't rely on ID_SERIAL when generating 'by-id' links for NVMe devices. (bsc#1048679)
  • fstab-generator: Handle NFS "bg" mounts correctly. (bsc#874665, fate#323464)
  • timesyncd: Don't use compiled-in list if FallbackNTP has been configured explicitly.

insserv-compat:

  • Add /etc/init.d hierarchy from former "filesystem" package. (bsc#1035062)
  • Fix directory argument parsing. (bsc#944903)
  • Add perl(Getopt::Long) to list of requirements.

mariadb:

  • Update libmysqlclient18 from version 10.0.30 to 10.0.31.

python-pycrypto:

  • CVE-2013-7459: Fixed a potential heap buffer overflow in ALGnew. (bsc#1017420)

velum:

  • Fix loopback IP for proxy exception during initial configuration. (bsc#1052759)
  • Set secure flag in cookie. (bsc#1050484)
  • Set VERSION to 1.0.0. (bsc#1050396)
  • Allow kubeconfig download when master is ready. (bsc#1048483)

Patch Instructions:

To install this SUSE update, use the SUSE recommended installation methods such as YaST online_update or "zypper patch".
Alternatively, you can run the command listed for your product:

  • SUSE Container as a Service Platform 2.0
    To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.
  • SUSE Container as a Service Platform 1.0
    To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.

Package List:

  • SUSE Container as a Service Platform 2.0 (noarch)
    • caasp-container-manifests-0.0.0+git_r155_93e40ab-2.3.3
  • SUSE Container as a Service Platform 2.0 (x86_64)
    • sles12-salt-api-docker-image-1.1.0-2.3.9
    • sles12-velum-docker-image-1.1.0-4.3.9
    • sles12-pv-recycler-node-docker-image-1.1.0-2.3.10
    • container-feeder-0.0.0+20170901.git_r55_17ecbd3-2.3.3
    • sles12-mariadb-docker-image-1.1.0-2.3.10
    • sles12-pause-docker-image-1.1.0-2.3.11
    • sles12-salt-master-docker-image-1.1.0-4.3.10
    • sles12-salt-minion-docker-image-1.1.0-2.3.8
  • SUSE Container as a Service Platform 1.0 (noarch)
    • caasp-container-manifests-0.0.0+git_r155_93e40ab-2.3.3
  • SUSE Container as a Service Platform 1.0 (x86_64)
    • sles12-salt-api-docker-image-1.1.0-2.3.9
    • sles12-velum-docker-image-1.1.0-4.3.9
    • sles12-pv-recycler-node-docker-image-1.1.0-2.3.10
    • container-feeder-0.0.0+20170901.git_r55_17ecbd3-2.3.3
    • sles12-mariadb-docker-image-1.1.0-2.3.10
    • sles12-pause-docker-image-1.1.0-2.3.11
    • sles12-salt-master-docker-image-1.1.0-4.3.10
    • sles12-salt-minion-docker-image-1.1.0-2.3.8
