Security update for CaaS Platform 1.0 images

Announcement ID: SUSE-SU-2017:2861-1
Rating: moderate
CVSS scores:
  • CVE-2017-1000254 ( SUSE ): 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
  • CVE-2017-1000254 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2017-1000257 ( SUSE ): 4.8 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
  • CVE-2017-1000257 ( NVD ): 9.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
  • CVE-2017-11462 ( SUSE ): 5.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
  • CVE-2017-11462 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:
  • SUSE Container as a Service Platform 1.0
  • SUSE Container as a Service Platform 2.0

An update that solves three vulnerabilities and contains 22 further (non-security) fixes can now be installed.

Description:

The Docker images provided with SUSE CaaS Platform 1.0 have been updated to include the following updates:

audit:

  • Start auditd as a forking systemd service to fix some initialization failures. (bsc#1042781)

curl:

  • CVE-2017-1000254: Out-of-bounds read in the FTP PWD response parser. (bsc#1061876)
  • CVE-2017-1000257: Out-of-bounds read when handling an IMAP FETCH response. (bsc#1063824)
  • Fix the "error:1408F10B:SSL routines" failure when connecting to an FTPS server through a proxy. (bsc#1060653)

krb5:

  • CVE-2017-11462: Do not automatically delete the security context on error in gss_init_sec_context() and gss_accept_sec_context(); callers following RFC 2744 would release the context again, leading to a double free. (bsc#1056995)
  • Set "rdns" and "dns_canonicalize_hostname" to false in krb5.conf, so that the client no longer lets DNS lookups (which an attacker on the network path may influence) rewrite the host part of a service principal name and instead authenticates to the name it was asked for. (bsc#1054028)
  • Prevent kadmind.service startup failure caused by absence of LDAP service. (bsc#903543)
  • Remove main package's dependency on systemd (bsc#1032680)

libzypp:

  • Adapt to work with GnuPG 2.1.23. (bsc#1054088)
  • Support signing with subkeys. (bsc#1008325)
  • Enhance sort order for media.1/products. (bsc#1054671)
  • Fix gpg-pubkey release (creation time) computation. (bsc#1036659)

lvm2:

  • Create /dev/disk/by-part{label,uuid} and gpt-auto-root links. (bsc#1028485)
  • Try to refresh clvmd's device cache on the first failure. (bsc#978055)
  • Fix stale device cache in clvmd. (bsc#978055)
  • Warn if PV size in metadata is larger than disk device size. (bsc#999878)
  • Fix lvm2 activation issue when used on top of multipath. (bsc#998893)

sg3_utils:

  • Add lunsearch filter to findresized() so that only LUNs specified using --luns are rescanned or resized. (bsc#1025176)
  • If the VPD sysfs attributes are missing or cannot be accessed, fall back to sg_inq --page when using multipath devices in AutoYaST2 installations. (bsc#1012523)
  • Generate /dev/disk/by-path links based on WWPN for Fibre Channel NPIV setups. (bsc#1005063)
  • Fix dumping data in hexadecimal format in sg_vpd when using the --hex option. (bsc#1050943)
  • Fix ID_SERIAL values for KVM disks by exporting all NAA values and removing some validity checking. (bsc#1050767)
  • Make sure initrd is rebuilt on sg3_utils updates. (bsc#1009269)

zypper:

  • Also show a gpg key's subkeys. (bsc#1008325)
  • Improve signature check callback messages. (bsc#1045735)
  • Add options to tune the GPG check settings. (bsc#1045735)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Container as a Service Platform 2.0
    To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.
  • SUSE Container as a Service Platform 1.0
    To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.

Package List:

  • SUSE Container as a Service Platform 2.0 (x86_64)
    • sles12-salt-minion-docker-image-1.1.0-2.5.18
    • sles12-salt-master-docker-image-1.1.0-4.5.18
    • sles12-pv-recycler-node-docker-image-1.1.0-2.5.19
    • sles12-pause-docker-image-1.1.0-2.5.21
    • sles12-velum-docker-image-1.1.0-4.5.18
    • sles12-salt-api-docker-image-1.1.0-2.5.19
    • sles12-mariadb-docker-image-1.1.0-2.5.19
  • SUSE Container as a Service Platform 1.0 (x86_64)
    • sles12-salt-minion-docker-image-1.1.0-2.5.18
    • sles12-salt-master-docker-image-1.1.0-4.5.18
    • sles12-pv-recycler-node-docker-image-1.1.0-2.5.19
    • sles12-pause-docker-image-1.1.0-2.5.21
    • sles12-velum-docker-image-1.1.0-4.5.18
    • sles12-salt-api-docker-image-1.1.0-2.5.19
    • sles12-mariadb-docker-image-1.1.0-2.5.19
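The following is an added example, not part of this advisory or of SUSE's tooling: a POSIX shell script that compares rpm -qa style output for the image packages against the fixed versions in the package list above and reports any package still below the fixed release. The input lines are constructed for the example, and version ordering relies on GNU sort -V, which is an approximation of rpm's own version comparison rather than a reimplementation of it.

```shell
#!/bin/sh
# Added example: check installed CaaS image RPMs against the versions
# fixed by this advisory. Requires GNU coreutils (sort -V).

# "name|fixed version-release", taken from the advisory's package list.
FIXED_VERSIONS='sles12-salt-minion-docker-image|1.1.0-2.5.18
sles12-salt-master-docker-image|1.1.0-4.5.18
sles12-pv-recycler-node-docker-image|1.1.0-2.5.19
sles12-pause-docker-image|1.1.0-2.5.21
sles12-velum-docker-image|1.1.0-4.5.18
sles12-salt-api-docker-image|1.1.0-2.5.19
sles12-mariadb-docker-image|1.1.0-2.5.19'

# fixed_version NAME: print the fixed version-release, fail if NAME is
# not covered by this advisory.
fixed_version() {
  printf '%s\n' "$FIXED_VERSIONS" |
    awk -F'|' -v n="$1" '$1 == n { print $2; found = 1 } END { exit !found }'
}

# split_nvr NAME-VERSION-RELEASE.ARCH: print "NAME VERSION-RELEASE".
# The version starts after the second-to-last '-', so package names that
# themselves contain '-' are handled correctly.
split_nvr() {
  nvra=${1%.*}        # drop the trailing .x86_64 / .noarch
  rel=${nvra##*-}     # release: text after the last '-'
  nv=${nvra%-*}       # name-version
  ver=${nv##*-}       # version: text after the last remaining '-'
  name=${nv%-*}
  printf '%s %s-%s\n' "$name" "$ver" "$rel"
}

# is_fixed NAME VERSION-RELEASE: exit 0 if the installed version-release is
# at or above the fixed one, 1 if it is older, 2 if NAME is not in the advisory.
is_fixed() {
  fixed=$(fixed_version "$1") || return 2
  # The installed build is fixed if the advisory version sorts no higher than it.
  lowest=$(printf '%s\n%s\n' "$fixed" "$2" | sort -V | head -n 1)
  [ "$lowest" = "$fixed" ]
}

# audit_rpms: read rpm -qa style lines on stdin, print one status line per
# package covered by the advisory; other packages are skipped.
audit_rpms() {
  while IFS= read -r line; do
    set -- $(split_nvr "$line")
    name=$1
    vr=$2
    fixed=$(fixed_version "$name") || continue
    if is_fixed "$name" "$vr"; then status=OK; else status=VULNERABLE; fi
    printf '%s %s %s (fixed in %s)\n' "$status" "$name" "$vr" "$fixed"
  done
}

# Constructed sample (not taken from a real node) of the output of:
#   rpm -qa 'sles12-*-docker-image'
# plus one unrelated package that the audit must ignore.
SAMPLE='sles12-velum-docker-image-1.1.0-4.5.17.x86_64
sles12-pause-docker-image-1.1.0-2.5.21.x86_64
sles12-mariadb-docker-image-1.1.0-2.5.19.x86_64
kubernetes-node-1.7.0-3.1.x86_64'

# count_vulnerable: number of sample packages still below the fixed version.
count_vulnerable() {
  printf '%s\n' "$SAMPLE" | audit_rpms | grep -c '^VULNERABLE'
}

# Stand-alone run: print the audit of the constructed sample.
printf '%s\n' "$SAMPLE" | audit_rpms
```

On a real cluster node the sample would be replaced by `rpm -qa 'sles12-*-docker-image' | audit_rpms`; the script only states whether the fixed RPM is installed, not whether the running containers have been recreated from the updated image, which still has to be confirmed separately.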
