SUSE: 2022:917-1 trento/trento-runner Security Update
Summary
Advisory ID: SUSE-SU-2019:926-1 Released: Wed Apr 10 16:33:12 2019 Summary: Security update for tar Type: security Severity: moderate Advisory ID: SUSE-SU-2021:974-1 Released: Mon Mar 29 19:31:27 2021 Summary: Security update for tar Type: security Severity: low Advisory ID: SUSE-RU-2021:2193-1 Released: Mon Jun 28 18:38:43 2021 Summary: Recommended update for tar Type: recommended Severity: moderate Advisory ID: SUSE-SU-2022:844-1 Released: Tue Mar 15 11:33:57 2022 Summary: Security update for expat Type: security Severity: important Advisory ID: SUSE-RU-2022:861-1 Released: Tue Mar 15 23:30:48 2022 Summary: Recommended update for openssl-1_1 Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:884-1 Released: Thu Mar 17 09:47:43 2022 Summary: Recommended update for python-jsonschema, python-rfc3987, python-strict-rfc3339 Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:905-1 Released: Mon Mar 21 08:46:09 2022 Summary: Recommended update for util-linux Type: recommended Severity: important Advisory ID: SUSE-RU-2022:936-1 Released: Tue Mar 22 18:10:17 2022 Summary: Recommended update for filesystem and systemd-rpm-macros Type: recommended Severity: moderate Advisory ID: SUSE-SU-2022:942-1 Released: Thu Mar 24 10:30:15 2022 Summary: Security update for python3 Type: security Severity: moderate Advisory ID: SUSE-RU-2022:1047-1 Released: Wed Mar 30 16:20:56 2022 Summary: Recommended update for pam Type: recommended Severity: moderate Advisory ID: SUSE-SU-2022:1061-1 Released: Wed Mar 30 18:27:06 2022 Summary: Security update for zlib Type: security Severity: important Advisory ID: SUSE-RU-2022:1099-1 Released: Mon Apr 4 12:53:05 2022 Summary: Recommended update for aaa_base Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:1107-1 Released: Mon Apr 4 17:49:17 2022 Summary: Recommended update for util-linux Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:1118-1 Released: Tue Apr 5 18:34:06 2022 Summary: Recommended update for timezone Type: recommended Severity: moderate Advisory ID: SUSE-SU-2022:1158-1 Released: Tue Apr 12 14:44:43 2022 Summary: Security update for xz Type: security Severity: important Advisory ID: SUSE-RU-2022:1170-1 Released: Tue Apr 12 18:20:07 2022 Summary: Recommended update for systemd Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:1281-1 Released: Wed Apr 20 12:26:38 2022 Summary: Recommended update for libtirpc Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:1302-1 Released: Fri Apr 22 10:04:46 2022 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:1333-1 Released: Mon Apr 25 11:29:26 2022 Summary: Recommended update for sles15-image Type: recommended Severity: moderate Advisory ID: SUSE-SU-2022:1454-1 Released: Thu Apr 28 11:15:06 2022 Summary: Security update for python-pip Type: security Severity: moderate Advisory ID: SUSE-SU-2022:1548-1 Released: Thu May 5 16:45:28 2022 Summary: Security update for tar Type: security Severity: moderate
References
References : 1029961 1082318 1120610 1120610 1130496 1130496 1172427 1176262
1177460 1181131 1181131 1182959 1184124 1186819 1191502 1193086
1194642 1194642 1194883 1195149 1195247 1195529 1195792 1195831
1195856 1195899 1196025 1196093 1196275 1196406 1196567 1196647
1196784 1196939 1197024 1197459 1198062 CVE-2018-20482 CVE-2018-20482
CVE-2018-25032 CVE-2019-20916 CVE-2019-9923 CVE-2019-9923 CVE-2021-20193
CVE-2021-20193 CVE-2021-3572 CVE-2022-1271 CVE-2022-25236
1120610,1130496,CVE-2018-20482,CVE-2019-9923
This update for tar fixes the following issues:
Security issues fixed:
- CVE-2019-9923: Fixed a denial of service while parsing certain archives with malformed extended headers in pax_decode_header() (bsc#1130496).
- CVE-2018-20482: Fixed a denial of service when the '--sparse' option mishandles file shrinkage during read access (bsc#1120610).
1181131,CVE-2021-20193
This update for tar fixes the following issues:
CVE-2021-20193: Memory leak in read_header() in list.c (bsc#1181131)
1184124
This update for tar fixes the following issues:
- Link '/var/lib/tests/tar/bin/genfile' as Position-Independent Executable (bsc#1184124)
1196025,1196784,CVE-2022-25236
This update for expat fixes the following issues:
- Fixed a regression caused by the patch for CVE-2022-25236 (bsc#1196784).
1182959,1195149,1195792,1195856
This update for openssl-1_1 fixes the following issues:
openssl-1_1:
- Fix PAC pointer authentication in ARM (bsc#1195856)
- Pull libopenssl-1_1 when updating openssl-1_1 with the same version (bsc#1195792)
- FIPS: Fix function and reason error codes (bsc#1182959)
- Enable zlib compression support (bsc#1195149)
glibc:
- Resolve installation issue of `glibc-devel` in SUSE Linux Enterprise Micro 5.1
linux-glibc-devel:
- Resolve installation issue of `linux-kernel-headers` in SUSE Linux Enterprise Micro 5.1
libxcrypt:
- Resolve installation issue of `libxcrypt-devel` in SUSE Linux Enterprise Micro 5.1
zlib:
- Resolve installation issue of `zlib-devel` in SUSE Linux Enterprise Micro 5.1
1082318
This update for python-jsonschema, python-rfc3987, python-strict-rfc3339 fixes the following issues:
- Add patch to fix build with new webcolors.
- update to version 3.2.0 (jsc#SLE-18756):
* Added a format_nongpl setuptools extra, which installs only format
dependencies that are non-GPL (#619).
- specfile:
* require python-importlib-metadata
- update to version 3.1.1:
* Temporarily revert the switch to js-regex until #611 and #612 are
resolved.
- changes from version 3.1.0:
- Regular expressions throughout schemas now respect the ECMA 262
dialect, as recommended by the specification (#609).
- Activate more of the test suite
- Remove tests and benchmarking from the runtime package
- Update to v3.0.2
- Fixed a bug where 0 and False were considered equal by
const and enum
- from v3.0.1
- Fixed a bug where extending validators did not preserve their
notion of which validator property contains $id information.
- Update to 3.0.1:
- Support for Draft 6 and Draft 7
- Draft 7 is now the default
- New TypeChecker object for more complex type definitions (and overrides)
- Falling back to isodate for the date-time format checker is no longer attempted, in accordance with the specification
- Use %license instead of %doc (bsc#1082318)
- Remove hashbang from runtime module
- Replace PyPI URL with https://github.com/dgerber/rfc3987
- Activate doctests
- Add missing runtime dependency on timezone
- Replace dead link with GitHub URL
- Activate test suite
- Trim bias from descriptions.
- Initial commit, needed by flex
1172427,1194642
This update for util-linux fixes the following issues:
- Prevent root owning of `/var/lib/libuuid/clock.txt`. (bsc#1194642)
- Make uuidd lock state file usable and time based UUIDs safer. (bsc#1194642)
- Fix `su -s` bash completion. (bsc#1172427)
1196275,1196406
This update for filesystem and systemd-rpm-macros fixes the following issues:
filesystem:
- Add path /lib/modprobe.d (bsc#1196275, jsc#SLE-20639)
systemd-rpm-macros:
- Make %_modprobedir point to /lib/modprobe.d (bsc#1196275, bsc#1196406)
1186819,CVE-2021-3572
This update for python3 fixes the following issues:
- CVE-2021-3572: Fixed an improper handling of unicode characters in pip (bsc#1186819).
1196093,1197024
This update for pam fixes the following issues:
- Define _pam_vendordir as the variable is needed by systemd and others. (bsc#1196093)
- Between allocating the variable 'ai' and free'ing them, there are two 'return NO' were we don't free this variable.
This patch inserts freaddrinfo() calls before the 'return NO;'s. (bsc#1197024)
1197459,CVE-2018-25032
This update for zlib fixes the following issues:
- CVE-2018-25032: Fixed memory corruption on deflate (bsc#1197459).
1194883
This update for aaa_base fixes the following issues:
- Set net.ipv4.ping_group_range to allow ICMP ping (bsc#1194883)
- Include all fixes and changes for systemwide inputrc to remove the 8 bit escape sequence which interfere with UTF-8
multi byte characters as well as support the vi mode of readline library
1194642
This update for util-linux fixes the following issue:
- Improve throughput and reduce clock sequence increments for high load situation with time based
version 1 uuids. (bsc#1194642)
1177460
This update for timezone fixes the following issues:
- timezone update 2022a (bsc#1177460):
* Palestine will spring forward on 2022-03-27, not on 03-26
* `zdump -v` now outputs better failure indications
* Bug fixes for code that reads corrupted TZif data
1198062,CVE-2022-1271
This update for xz fixes the following issues:
- CVE-2022-1271: Fixed an incorrect escaping of malicious filenames (ZDI-CAN-16587). (bsc#1198062)
1191502,1193086,1195247,1195529,1195899,1196567
This update for systemd fixes the following issues:
- Fix the default target when it's been incorrectly set to one of the runlevel targets (bsc#1196567)
- When migrating from sysvinit to systemd (it probably won't happen anymore),
let's use the default systemd target, which is the graphical.target one.
- Don't open /var journals in volatile mode when runtime_journal==NULL
- udev: 60-persistent-storage-tape.rules: handle duplicate device ID (bsc#1195529)
- man: tweak description of auto/noauto (bsc#1191502)
- shared/install: ignore failures for auxiliary files
- install: make UnitFileChangeType enum anonymous
- shared/install: reduce scope of iterator variables
- systemd-coredump: allow setting external core size to infinity (bsc#1195899 jsc#SLE-23867)
- Update s390 udev rules conversion script to include the case when the legacy rule was also 41-* (bsc#1195247)
- Drop or soften some of the deprecation warnings (bsc#1193086)
1196647
This update for libtirpc fixes the following issues:
- Add option to enforce connection via protocol version 2 first (bsc#1196647)
1196939
This update for e2fsprogs fixes the following issues:
- Add support for 'libreadline7' for Leap. (bsc#1196939)
This update for sles15-image fixes the following issues:
- Add zypper explicitly to work around obs-build bug (gh#openSUSE/obs-build#562)
- Add com.suse.supportlevel label (jsc#BCI-40)
1176262,1195831,CVE-2019-20916
This update for python-pip fixes the following issues:
- Add wheel subpackage with the generated wheel for this package
(bsc#1176262, CVE-2019-20916).
- Make wheel a separate build run to avoid the setuptools/wheel build
cycle.
- Switch this package to use update-alternatives for all files
in %{_bindir} so it doesn't collide with the versions on
'the latest' versions of Python interpreter (jsc#SLE-18038,
bsc#1195831).
1029961,1120610,1130496,1181131,CVE-2018-20482,CVE-2019-9923,CVE-2021-20193
This update for tar fixes the following issues:
- CVE-2021-20193: Fixed a memory leak in read_header() in list.c (bsc#1181131).
- CVE-2019-9923: Fixed a null-pointer dereference in pax_decode_header in sparse.c (bsc#1130496).
- CVE-2018-20482: Fixed infinite read loop in sparse_dump_region in sparse.c (bsc#1120610).
- Update to GNU tar 1.34:
* Fix extraction over pipe
* Fix memory leak in read_header (CVE-2021-20193) (bsc#1181131)
* Fix extraction when . and .. are unreadable
* Gracefully handle duplicate symlinks when extracting
* Re-initialize supplementary groups when switching to user
privileges
- Update to GNU tar 1.33:
* POSIX extended format headers do not include PID by default
* --delay-directory-restore works for archives with reversed
member ordering
* Fix extraction of a symbolic link hardlinked to another
symbolic link
* Wildcards in exclude-vcs-ignore mode don't match slash
* Fix the --no-overwrite-dir option
* Fix handling of chained renames in incremental backups
* Link counting works for file names supplied with -T
* Accept only position-sensitive (file-selection) options in file
list files
- prepare usrmerge (bsc#1029961)
- Update to GNU 1.32
* Fix the use of --checkpoint without explicit --checkpoint-action
* Fix extraction with the -U option
* Fix iconv usage on BSD-based systems
* Fix possible NULL dereference (savannah bug #55369)
[bsc#1130496] [CVE-2019-9923]
* Improve the testsuite
- Update to GNU 1.31
* Fix heap-buffer-overrun with --one-top-level, bug introduced
with the addition of that option in 1.28
* Support for zstd compression
* New option '--zstd' instructs tar to use zstd as compression
program. When listing, extractng and comparing, zstd compressed
archives are recognized automatically. When '-a' option is in
effect, zstd compression is selected if the destination archive
name ends in '.zst' or '.tzst'.
* The -K option interacts properly with member names given in the
command line. Names of members to extract can be specified along
with the '-K NAME' option. In this case, tar will extract NAME
and those of named members that appear in the archive after it,
which is consistent with the semantics of the option. Previous
versions of tar extracted NAME, those of named members that
appeared before it, and everything after it.
* Fix CVE-2018-20482 - When creating archives with the --sparse
option, previous versions of tar would loop endlessly if a
sparse file had been truncated while being archived.
The following package changes have been done:
- libldap-data-2.4.46-9.64.1 updated
- filesystem-15.0-11.8.1 updated
- libtirpc-netconfig-1.2.6-150300.3.3.1 updated
- glibc-2.31-150300.20.7 updated
- libuuid1-2.36.2-150300.4.20.1 updated
- libsmartcols1-2.36.2-150300.4.20.1 updated
- libcrypt1-4.4.15-150300.4.2.41 updated
- libblkid1-2.36.2-150300.4.20.1 updated
- libfdisk1-2.36.2-150300.4.20.1 updated
- libz1-1.2.11-150000.3.30.1 updated
- liblzma5-5.2.3-150000.4.7.1 updated
- libcom_err2-1.43.8-150000.4.29.1 updated
- libopenssl1_1-1.1.1d-11.43.1 updated
- libopenssl1_1-hmac-1.1.1d-11.43.1 updated
- libudev1-246.16-150300.7.42.1 updated
- libmount1-2.36.2-150300.4.20.1 updated
- libtirpc3-1.2.6-150300.3.3.1 updated
- libldap-2_4-2-2.4.46-9.64.1 updated
- libsystemd0-246.16-150300.7.42.1 updated
- pam-1.3.0-150000.6.55.3 updated
- util-linux-2.36.2-150300.4.20.1 updated
- aaa_base-84.87+git20180409.04c9dae-3.57.1 updated
- openssl-1_1-1.1.1d-11.43.1 updated
- tar-1.34-150000.3.12.1 added
- libexpat1-2.2.5-3.19.1 updated
- timezone-2022a-150000.75.7.1 updated
- python3-base-3.6.15-150300.10.21.1 updated
- libpython3_6m1_0-3.6.15-150300.10.21.1 updated
- python3-3.6.15-150300.10.21.1 updated
- python3-six-1.14.0-12.1 updated
- python3-pip-20.0.2-150100.6.18.1 updated
- container:sles15-image-15.0.0-17.12.1 updated
- golang-github-prometheus-node_exporter-1.1.2-3.9.3 removed
- trento-premium-0.9.1+git.dev82.1646995460.425fc30-150300.3.13.1 removed
