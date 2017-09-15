SUSE Security Update: Security update for CaaS Platform 1.0 images

Announcement ID: SUSE-SU-2017:2470-1

Rating: important

Affected Products:

SUSE Container as a Service Platform ALL

An update that solves 18 vulnerabilities and has 46 fixes is now available.

Description:

The Docker images provided with SUSE CaaS Platform 1.0 have been updated
to include the following updates:

libzypp:

- CVE-2017-7435, CVE-2017-7436, CVE-2017-9269: Fix GPG check workflows,
  mainly for unsigned repositories and packages. (bsc#1045735, bsc#1038984)
- Fix gpg-pubkey release (creation time) computation. (bsc#1036659)
- Update lsof blacklist. (bsc#1046417)
- Re-probe on refresh if the repository type changes. (bsc#1048315)
- Propagate proper error code to DownloadProgressReport. (bsc#1047785)
- Allow triggering an appdata refresh unconditionally. (bsc#1009745)
- Support custom repo variables defined in /etc/zypp/vars.d.
- Adapt loop mounting of ISO images. (bsc#1038132, bsc#1033236)
- Fix potential crash if repository has no baseurl. (bsc#1043218)

zypper:

- CVE-2017-7436: Adapt download callback to report and handle unsigned
  packages. (bsc#1038984)
- Report missing/optional files as 'not found' rather than 'error'.
  (bsc#1047785)
- Document support for custom repository variables defined in
  /etc/zypp/vars.d.
- Emphasize that it depends on how fast PackageKit will respond to a
  'quit' request sent if PK blocks package management.

libgcrypt:

- Fix infinite loop in gnome-keyring-daemon caused by an attempt to read from
  a random device left open by libgcrypt. (bsc#1043333)
- Avoid seeding the DRBG during FIPS power-up selftests. (bsc#1046659)
- Fix a bug in gcry_drbg_healthcheck_sanity() which caused some of the
  tests to be skipped. (bsc#1046659)
- dlsym returns the PLT address on s390x; dlopen libgcrypt20.so before
  calling dlsym. (bsc#1047008)

lua51:

- Add Lua(API) and Lua(devel) symbols to fix building of lua51-luasocket.
  (bsc#1051626)

cyrus-sasl:

- Fix unknown authentication mechanism: kerberos5 (bsc#1026825)
- Really use SASLAUTHD_PARAMS variable (bsc#938657)
- Make sure /usr/sbin/rcsaslauthd exists
- Add /usr/sbin/rcsaslauthd symbolic link to /usr/sbin/service
  (bsc#1014471)
- Silence "GSSAPI client step 1" debug log message (bsc#1044840)

libxml2:

- CVE-2017-8872: Out-of-bounds read in htmlParseTryOrFinish. (bsc#1038444)

curl:

- CVE-2017-1000100: TFTP sends more than the buffer size, which could lead
  to a denial of service. (bsc#1051644)
- CVE-2017-1000101: URL globbing out-of-bounds read could lead to a denial
  of service. (bsc#1051643)

ncurses:

- CVE-2017-11112: Illegal address access in append_acs. (bsc#1047964)
- CVE-2017-11113: Dereferencing NULL pointer in _nc_parse_entry.
  (bsc#1047965)
- CVE-2017-10684, CVE-2017-10685: Add modified upstream fix from ncurses
  6.0 to avoid broken termcap format (bsc#1046853, bsc#1046858,
  bsc#1049344)

sed:

- Don't terminate with a segmentation fault if close of the last file
  descriptor fails. (bsc#954661)

openssl:

- Remove DES-CBC3-SHA based ciphers from DEFAULT_SUSE to address the SWEET32
  problem. (bsc#1027908)
- Use the getrandom syscall instead of reading from /dev/urandom to get at
  least 128 bits of entropy to comply with FIPS 140.2 IG 7.14.
  (bsc#1027079 bsc#1044175)
- Fix x86 extended feature detection (bsc#1029523)
- Allow runtime switching of s390x capabilities via the "OPENSSL_s390xcap"
  environment variable. (bsc#1028723)
- Add back certificate initialization set_cert_key_stuff() which was
  removed in a previous update. (bsc#1028281)
- Fix a bug in XTS key handling. (bsc#1019637)
- Don't run FIPS power-up self-tests when the checksum files aren't
  installed. (bsc#1042392)

procps:

- Don't set buffering on an invalid file descriptor. (bsc#1053409)

expat:

- CVE-2016-9063: Fix a possible integer overflow inside XML_Parse that
  could lead to unexpected behaviour. (bsc#1047240)
- CVE-2017-9233: External entity vulnerability could lead to denial of
  service. (bsc#1047236)

systemd:

- Revert fix for bsc#1004995 which could have caused boot failure on LVM
  (bsc#1048605)
- compat-rules: drop the bogus 'import everything' rule (bsc#1046268)
- core: use an AF_UNIX/SOCK_DGRAM socket for cgroup agent notification
  (bsc#1045384 bsc#1047379)
- udev/path_id: introduce support for NVMe devices (bsc#1045987)
- compat-rules: Don't rely on ID_SERIAL when generating 'by-id' links for
  NVMe devices. (bsc#1048679)
- fstab-generator: Handle NFS "bg" mounts correctly. (bsc#874665,
  fate#323464)
- timesyncd: Don't use the compiled-in list if FallbackNTP has been
  configured explicitly.

insserv-compat:

- Add /etc/init.d hierarchy from former "filesystem" package.
  (bsc#1035062)
- Fix directory argument parsing. (bsc#944903)
- Add perl(Getopt::Long) to list of requirements.

mariadb:

- Update libmysqlclient18 from version 10.0.30 to 10.0.31.

python-pycrypto:

- CVE-2013-7459: Fixed a potential heap buffer overflow in ALGnew
  (bsc#1017420).

velum:

- Fix loopback IP for proxy exception during initial configuration.
  (bsc#1052759)
- Set secure flag in cookie. (bsc#1050484)
- Set VERSION to 1.0.0. (bsc#1050396)
- Allow kubeconfig download when master is ready. (bsc#1048483)

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Container as a Service Platform ALL:

  zypper in -t patch SUSE-CAASP-ALL-2017-1531=1

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Container as a Service Platform ALL (x86_64):

  container-feeder-0.0.0+20170901.git_r55_17ecbd3-2.3.3
  sles12-mariadb-docker-image-1.1.0-2.3.10
  sles12-pause-docker-image-1.1.0-2.3.11
  sles12-pv-recycler-node-docker-image-1.1.0-2.3.10
  sles12-salt-api-docker-image-1.1.0-2.3.9
  sles12-salt-master-docker-image-1.1.0-4.3.10
  sles12-salt-minion-docker-image-1.1.0-2.3.8
  sles12-velum-docker-image-1.1.0-4.3.9

- SUSE Container as a Service Platform ALL (noarch):

  caasp-container-manifests-0.0.0+git_r155_93e40ab-2.3.3
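As an added example (not part of the SUSE advisory), the following Python check verifies that the patch described in the Patch Instructions actually landed: it compares `rpm -qa` style name-version-release strings against the fixed builds from the Package List above, using an rpm-style segment comparison. The installed list is constructed for the example, and FIXED_NVRS holds only a subset of the advisory's packages.

```python
import re
from typing import List, Tuple

# Fixed builds copied from this advisory's Package List (a subset; add the rest as needed).
FIXED_NVRS = [
    "container-feeder-0.0.0+20170901.git_r55_17ecbd3-2.3.3",
    "sles12-velum-docker-image-1.1.0-4.3.9",
    "caasp-container-manifests-0.0.0+git_r155_93e40ab-2.3.3",
]
_SEG = re.compile(r"\d+|[a-zA-Z]+")

def rpmvercmp(a: str, b: str) -> int:
    """rpm-style compare: split into numeric/alpha segments, compare digits as
    integers, a numeric segment beats an alpha one, leftover segments are newer."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def split_nvr(nvr: str) -> Tuple[str, str, str]:
    """'name-version-release' -> (name, version, release); names may contain '-'."""
    name, ver, rel = nvr.rsplit("-", 2)
    return name, ver, rel

def outdated(installed_nvrs: List[str]) -> List[str]:
    """Advisory packages whose installed version-release is older than the fixed one."""
    fixed = {n: (v, r) for n, v, r in map(split_nvr, FIXED_NVRS)}
    stale = []
    for nvr in installed_nvrs:
        n, v, r = split_nvr(nvr)
        if n not in fixed:
            continue  # not covered by this advisory
        if (rpmvercmp(v, fixed[n][0]) or rpmvercmp(r, fixed[n][1])) < 0:
            stale.append(n)
    return stale

# Constructed sample of `rpm -qa` output (not from a real system).
SAMPLE_INSTALLED = [
    "sles12-velum-docker-image-1.1.0-4.3.8",                   # older release: stale
    "container-feeder-0.0.0+20170901.git_r55_17ecbd3-2.3.3",   # exactly the fixed build
    "caasp-container-manifests-0.0.0+git_r155_93e40ab-2.3.4",  # newer release: fine
    "unrelated-pkg-1.0-1.1",                                   # not in the advisory
]
```

Feed it the real `rpm -qa` output on a CaaS Platform node; an empty result means every listed package is at or above the fixed build.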
