SUSE Container Update Advisory: ses/7.1/cephcsi/csi-resizer
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3078-1
Container Tags        : ses/7.1/cephcsi/csi-resizer:v1.7.0 , ses/7.1/cephcsi/csi-resizer:v1.7.0-rev1 , ses/7.1/cephcsi/csi-resizer:v1.7.0-rev1-build3.4.1
Container Release     : 3.4.1
Severity              : important
Type                  : security
References            : 1089497 1158763 1198165 1201627 1202234 1204072 1206627 1207534
                        1208721 1209229 1209279 1209565 1210740 1210999 1211078 1211261
                        1211419 1211661 1211828 1212187 1212187 1212222 1212260 1213189
                        1213231 1213487 1213517 1213557 1213673 1213853 1214052 1214054
                        1214290 1214768 CVE-2022-4304 CVE-2023-22652 CVE-2023-2603 CVE-2023-30078
                        CVE-2023-30079 CVE-2023-31484 CVE-2023-32181 CVE-2023-3446 CVE-2023-36054
                        CVE-2023-3817 CVE-2023-39615 CVE-2023-4016 CVE-2023-4039 
-----------------------------------------------------------------

The container ses/7.1/cephcsi/csi-resizer was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2497-1
Released:    Tue Jun 13 15:37:25 2023
Summary:     Recommended update for libzypp
Type:        recommended
Severity:    important
References:  1211661,1212187
This update for libzypp fixes the following issues:

- Fix 'Curl error 92' when synchronizing SUSE Manager repositories. [bsc#1212187]
- Do not unconditionally release a medium if provideFile failed. [bsc#1211661]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2625-1
Released:    Fri Jun 23 17:16:11 2023
Summary:     Recommended update for gcc12
Type:        recommended
Severity:    moderate
References:  
This update for gcc12 fixes the following issues:

- Update to GCC 12.3 release, 0c61aa720e62f1baf0bfd178e283, git1204

  * includes regression and other bug fixes

- Speed up builds with --enable-link-serialization.

- Update embedded newlib to version 4.2.0

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2742-1
Released:    Fri Jun 30 11:40:56 2023
Summary:     Recommended update for autoyast2, libzypp, yast2-pkg-bindings, yast2-update, zypper
Type:        recommended
Severity:    moderate
References:  1202234,1209565,1211261,1212187,1212222
This update for yast2-pkg-bindings fixes the following issues:

libzypp was updated to version 17.31.14 (22):

- Curl: trim all custom headers (bsc#1212187)
  HTTP/2 RFC 9113 forbids fields ending with a space. So we make
  sure all custom headers are trimmed. This also includes headers
  returned by URL-Resolver plugins.
- build: honor libproxy.pc's includedir (bsc#1212222)

zypper was updated to version 1.14.61:

- targetos: Add an error note if XPath:/product/register/target
  is not defined in /etc/products.d/baseproduct (bsc#1211261)
- targetos: Update help and man page (bsc#1211261)

yast2-pkg-bindings, autoyast:

- Added a new option for rebuilding the RPM database (--rebuilddb) (bsc#1209565)
- Selected products are not installed after resetting the package manager internally (bsc#1202234)

yast2-update:

- Rebuild the RPM database during upgrade (--rebuilddb) (bsc#1209565)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2855-1
Released:    Mon Jul 17 16:35:21 2023
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    moderate
References:  1212260
This update for openldap2 fixes the following issues:

- libldap2 crashes on ldap_sasl_bind_s (bsc#1212260)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2882-1
Released:    Wed Jul 19 11:49:39 2023
Summary:     Security update for perl
Type:        security
Severity:    important
References:  1210999,CVE-2023-31484
This update for perl fixes the following issues:

- CVE-2023-31484: Enable TLS cert verification in CPAN (bsc#1210999).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2885-1
Released:    Wed Jul 19 16:58:43 2023
Summary:     Recommended update for glibc
Type:        recommended
Severity:    moderate
References:  1208721,1209229,1211828
This update for glibc fixes the following issues:

- getlogin_r: fix missing fallback if loginuid is unset (bsc#1209229, BZ #30235)
- Exclude static archives from preparation for live patching (bsc#1208721)
- resolv_conf: release lock on allocation failure (bsc#1211828, BZ #30527)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2918-1
Released:    Thu Jul 20 12:00:17 2023
Summary:     Recommended update for gpgme
Type:        recommended
Severity:    moderate
References:  1089497
This update for gpgme fixes the following issues:

gpgme:

- Address failure handling issues when using gpg 2.2.6 via gpgme, as used by libzypp (bsc#1089497)
libassuan:

- Version upgrade to 2.5.5 in LTSS to address gpgme new requirements

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2956-1
Released:    Tue Jul 25 08:33:38 2023
Summary:     Security update for libcap
Type:        security
Severity:    moderate
References:  1211419,CVE-2023-2603
This update for libcap fixes the following issues:

- CVE-2023-2603: Fixed an integer overflow or wraparound in libcap/cap_alloc.c:_libcap_strdup() (bsc#1211419).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3179-1
Released:    Thu Aug  3 13:59:38 2023
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1201627,1207534,1213487,CVE-2022-4304,CVE-2023-3446
This update for openssl-1_1 fixes the following issues:

- CVE-2022-4304: Reworked the fix for the timing oracle in RSA decryption.
  The previous fix for this timing side channel turned out to cause a
  severe 2-3x performance regression in the typical use case (bsc#1207534).
- CVE-2023-3446: Fixed DH_check() excessive time with an oversized modulus (bsc#1213487).

- Update further expiring certificates that affect tests [bsc#1201627]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3284-1
Released:    Fri Aug 11 10:29:50 2023
Summary:     Recommended update for shadow
Type:        recommended
Severity:    moderate
References:  1206627,1213189
This update for shadow fixes the following issues:

- Prevent lock files from remaining after power interruptions (bsc#1213189)
- Add --prefix support to passwd, chpasswd and chage (bsc#1206627)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3291-1
Released:    Fri Aug 11 12:51:21 2023
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1213517,1213853,CVE-2023-3817
This update for openssl-1_1 fixes the following issues:

- CVE-2023-3817: Fixed a potential DoS due to excessive time spent checking DH q parameter value. (bsc#1213853)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3365-1
Released:    Fri Aug 18 20:35:01 2023
Summary:     Security update for krb5
Type:        security
Severity:    important
References:  1214054,CVE-2023-36054
This update for krb5 fixes the following issues:

- CVE-2023-36054: Fixed a DoS that could be triggered by an authenticated remote user. (bsc#1214054)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3472-1
Released:    Tue Aug 29 10:55:16 2023
Summary:     Security update for procps
Type:        security
Severity:    low
References:  1214290,CVE-2023-4016
This update for procps fixes the following issues:

- CVE-2023-4016: Fixed ps buffer overflow (bsc#1214290).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3515-1
Released:    Fri Sep  1 15:54:25 2023
Summary:     Recommended update for libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1158763,1210740,1213231,1213557,1213673
This update for libzypp, zypper fixes the following issues:

- Fix occasional issue with downloading very small files (bsc#1213673)
- Fix negative ZYPP_LOCK_TIMEOUT not waiting forever (bsc#1213231)
- Fix OES synchronization issues when cookie file has mode 0600 (bsc#1158763)
- Don't cleanup orphaned dirs if read-only mode was promised (bsc#1210740)
- Revised explanation of --force-resolution in man page (bsc#1213557)
- Print summary hint if policies were violated due to --force-resolution (bsc#1213557)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3639-1
Released:    Mon Sep 18 13:33:16 2023
Summary:     Security update for libeconf
Type:        security
Severity:    moderate
References:  1198165,1211078,CVE-2023-22652,CVE-2023-30078,CVE-2023-30079,CVE-2023-32181
This update for libeconf fixes the following issues:

Update to version 0.5.2.

- CVE-2023-30078, CVE-2023-32181: Fixed a stack-buffer-overflow vulnerability in 'econf_writeFile' function (bsc#1211078).
- CVE-2023-30079, CVE-2023-22652: Fixed a stack-buffer-overflow vulnerability in 'read_file' function. (bsc#1211078)

The following non-security bug was fixed:

- Fixed parsing of files which use both space characters AND non-space characters as delimiters (bsc#1198165).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3661-1
Released:    Mon Sep 18 21:44:09 2023
Summary:     Security update for gcc12
Type:        security
Severity:    important
References:  1214052,CVE-2023-4039
This update for gcc12 fixes the following issues:

- CVE-2023-4039: Fixed incorrect stack protector for C99 VLAs on AArch64 (bsc#1214052).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3698-1
Released:    Wed Sep 20 11:01:15 2023
Summary:     Security update for libxml2
Type:        security
Severity:    important
References:  1214768,CVE-2023-39615
This update for libxml2 fixes the following issues:

- CVE-2023-39615: Fixed a global buffer overflow that could be triggered by crafted XML (bsc#1214768).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3720-1
Released:    Thu Sep 21 09:01:11 2023
Summary:     Recommended update for ceph-csi, csi-external-attacher, csi-external-provisioner, csi-external-resizer, csi-external-snapshotter, csi-node-driver-registrar, rook
Type:        recommended
Severity:    moderate
References:  1204072,1209279
This update for ceph-csi, csi-external-attacher, csi-external-provisioner, csi-external-resizer, csi-external-snapshotter, csi-node-driver-registrar, rook fixes the following issues:

- Update to v4.1.0

  * Updated Kubernetes dependencies to 1.26.0 (#395, @sunnylovestiramisu)

- Update version to 3.4.0

  Feature

  * Add support for cross-namespace data sources alpha feature (#805, @ttakahashi21)
  * Register metrics exposed by sig-storage-lib (#792, @RaunakShah)
  * Update the annotation that needs to be applied to VolumeSnapshotContents from snapshot.storage.kubernetes.io/allowVolumeModeChange to snapshot.storage.kubernetes.io/allow-volume-mode-change (#791, @RaunakShah)

  Bug or Regression

  * Fix string pointer comparison for source volume mode conversion (#793, @RaunakShah)
  * Fix nil pointer crash for PV without ClaimRef (#796, @zezaeoh)

  Uncategorized

  * Update go to 1.19 and dependencies for k8s v1.26.0 (#834, @sunnylovestiramisu)

- Update to version 1.7.0

  * Fix panic in recovery path if marking pvc as resize in progress fails (#246, @gnufied)

- Update to version 6.2.1

  Feature

  * Add --retry-crd-interval-max flag to the snapshot-controller in order to allow customization of CRD detection on startup. (#777, @mattcary)

  Uncategorized

  * Change webhook example to be compatible with TLS-type secrets. (#793, @haslersn)
  * Fixes an issue introduced by PR 793 by respecting the format of TLS-type secrets in the script. (#796, @haslersn)
  * Update go to v1.19 and kubernetes dependencies to 1.26.0. (#797, @sunnylovestiramisu)

- Update to version 2.7.0

  * Revert of #214, node-driver-registrar will create the path specified by --kubelet-registration-path (#247, @mauriciopoppe)

- Regular upgrade bsc#1204072

- Update to 1.11.9

  Rook v1.11.9 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.

  * multus: Fix 'deletecollection' permission not present (#12437, @sudharsanomprakash)
  * dashboard: Remove deprecated kubernetes.io/ingress.class annotation (#12418, @Jeansen)
  * external: Make import script idempotent (#12417, @parth-gr)
  * exporter: Ignore failed deletion of service monitor (#12430, @travisn)
  * multus: Add config file for validation tool (#12396, @BlaineEXE)
  * object: Clarify success message when reconciling CephObjectStoreUser (#12406, @polyedre)
  * docs: Update storage architecture diagram (#12252, @galexrt)
  * operator: Add ceph image version label to PVC (#12372, @YZ775)
  * object : Add SSL ref in cephobjectstore user secret (#12341, @thotz)

- Update to 1.11.8

  Rook v1.11.8 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.

  * helm: add EC Block Pool config in helm chart (#12324, @Javlopez)
  * pool: Add .mgr pool to the stretch cluster examples (#12360, @travisn)
  * nfs: Add Spec.Security.Kerberos.DomainName to the CRD to configure /etc/idmapd.conf (#12220, @spuiuk)
  * mgr: Removing unnecessary rook-ceph-mgr rbac entries (#12337, @rkachach)
  * core: typo in logs to print fullname of CephCluster (#12217, @takirala)
  * core: empty ceph-daemons-sock-dir for osd onPVC (#12299, @avanthakkar)
  * docs: prevent to delete other clusters data on cluster deletion (#12334, @satoru-takeuchi)
  * docs: improve external doc format (#12383, @parth-gr)
  * docs: Suggest qemu driver for minikube on apple silicon (#11722, @BlaineEXE)

- Update to 1.11.7

  Rook v1.11.7 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.

  * core: Delete exporter resources if ceph version is not supported (#12271, @avanthakkar)
  * external: FQDN should be persisted instead of using the ip endpoint (#12264, @parth-gr)
  * object: Implement more capabilities for object store users (#12256, @thotz)
  * test: Add CI e2e test for multus validation test (#12282, @BlaineEXE)
  * core: Use default-* logging flags for ceph daemons so they can be overridden (#12302, @Javlopez)
  * helm: Add exporter resource entry to ceph cluster documentation (#12251, @galexrt)
  * mgr: Allow other namespaces in the ServiceMonitor resource (#12293, @kerryeon)
  * object: Add missing cephcluster spec addition in object controller (#12273, @thotz)
  * monitoring: Service monitor should not use mgr_role label (#12268, @travisn)
  * test: Allow specifying custom nginx image for multus validation (#12231, @iPraveenParihar)
  * operator: Pull multus validation test images before test (#12211, @BlaineEXE)
  * rbdmirror: Ensure rbd mirror daemon is upgraded (#12247, @travisn)

- Update to 1.11.6

  Rook v1.11.6 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.

  * osd: Support expanding lvm osd on pvc (#12164, @satoru-takeuchi)
  * monitoring: Skip creating the service monitor for the exporter if monitoring is not enabled (#12216, @travisn)
  * docs: Generate documentation for CRDs (#12110 #12179, @Javlopez)
  * core: Add termination grace period for exporter pods (#12215, @avanthakkar)
  * csi: servicemonitor for rook-ceph csi drivers (#12170, @jouve)
  * monitoring: Configurable option to disable prometheus metrics (#12193, @travisn)
  * mgr: Default to active mgr label if only one mgr is running (#12137, @travisn)
  * osd: Allow scanning devices with filter (#11976, @Javlopez)
  * core: Disable controller runtime metrics server (#12194, @Madhu-1)
  * mgr: Use mgr_role dynamic label to tag the active ceph manager (#11845, @rkachach)
  * operator: use KUBECONFIG context for cli if present (#12192, @BlaineEXE)
  * external: fix rgw multisite config check (#12182 #12238, @parth-gr)
  * operator: validate multus validation networks in cli (#12187, @BlaineEXE)
  * operator: Fix package logger name for rookcli (#12186, @BlaineEXE)
  * ceph: Unset the encryption configuration before updating the setting (#12181, @Madhu-1)

- Update to 1.11.5

  Rook v1.11.5 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.

  * mgr: Retry creating ceph dashboard credentials (#12149, @parth-gr)
  * nfs: Reduce size CephNFS CRD from unnecessary file volume sources (#12155, @BlaineEXE)
  * core: Update k8s API references to more recent version (#12161, @subhamkrai)
  * test: Add multus validation test routine to rook binary (#12069, @BlaineEXE)
  * external: check that the pool and cluster name is provided (#12132, @parth-gr)
  * core: Skip OBC controllers if not needed based (#12075, @sp98)
  * Add an ingress for Ceph object stores (#12109, @jouve)
  * core: Disable the exporter service (#12118, @avanthakkar)
  * nfs: Fixes for mounting CephNFS using Kerberos auth (#12086, @spuiuk)

- Update to 1.11.4

  Rook v1.11.4 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.

  * core: Update default image to Ceph v17.2.6 (#12068, @travisn)
  * core: Disable the Ceph exporter daemon (#12077, @avanthakkar)
  * helm: Add option to scale down rook operator (#12048, @TomHellier)
  * helm: Drop snapshot.storage.k8s.io/v1beta1 (#12051, @sathieu)
  * external: Add support for RGW multisite in external cluster script (#12037, @parth-gr)
  * external: Do not require the monitoring endpoint (#12061, @neoaggelos)
  * external: Allow creating pools with special characters in name (#12056, @parth-gr)
  * external: Do not enforce rbd, cephfs and rgw flags for the external cluster (#12028, @parth-gr)
  * core: Use cluster ID for ns lookup on exported multi-cluster service (#12064, @sp98)
  * docs: Add scenario for deleted namespace to the disaster recovery guide (#11895, @gaord)
  * mgr: Failed to update the port of dashboard (#11932, @zhucan)

- Update to 1.11.3

  Rook v1.11.3 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.

  * csi: Make AttachRequired as configurable for RWX volumes (#11899, @Madhu-1)
  * nfs: Add support for nfs-ganesha metrics monitoring (#12007, @synarete)
  * mgr: Add option to disable the prometheus mgr module (#11980, @thenamehasbeentake)
  * object: Check OBC provisioner for bucket notification (#11975, @thotz)
  * external: Make rgw call separate from cephfs and rbd in export script (#11947, @parth-gr)
  * core: Update vault pkg to 1.13.1 (#12013, @subhamkrai)
  * core: Fix config format for msgr2 ipv6 monitors (#11993, @heliochronix)
  * osd: Handle global or node-local device class configuration correctly (#11966, @satoru-takeuchi)
  * csi: IPv6 compatibility for requiring msgr2 (#11992, @travisn)
  * mon: Remove condition to use 6790 mon port (#11963, @sp98)

- Update to 1.11.2

  Rook v1.11.2 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.

  * osd: Implemented encryption key rotation (#11749, @Rakshith-R)
  * core: Remove unnecessary ceph-conf-dir volume mount from exporter (#11950, @avanthakkar)
  * core: Set key rotation default in code instead of in CRDs (#11951, @travisn)
  * external: Use f-strings for formatting (#11944, @Sheetalpamecha)
  * core: Use msgr2 if compression is enabled (#11928, @uhthomas)
  * ci: Skip building csv on arm64 (#11906, @subhamkrai)
  * osd: Validate and remove duplicate topology labels (#11823, @parth-gr)
  * rgw: RGW dashboard can be disabled in the object CR (#11908, @thenamehasbeentake)
  * external: Pool and metadata EC pools were reversed in scripts (#11919, @dragon2611)
  * rgw: Skip objectstore name length validation when cluster is external (#11911, @parth-gr)
  * nfs: Network mode can be set separately for cephcluster and nfs (#11777, @taxilian)
  * csi: Update port to 3300 if msgr2 is required (#11859, @travisn)
  * core: Add FSID to the additionalPrinterColumns on cephcluster CRD (#11864, @thenamehasbeentake)
  * core: Add missing labels in exporter deployment (#11866, @avanthakkar)

- Update to 1.11.1

  Rook v1.11.1 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.

  * ceph: Fix host networking by only adding OSD ports when required for multi-cluster config (#11797, @sp98)
  * core: Ceph exporter requires ceph config where OSDs are not running (#11848, @avanthakkar)
  * monitoring: Remove prometheus alerts that don't apply to rook (#11842, @travisn)
  * mgr: Revert readiness probe and go back to the original sidecar HA implementation (#11829, @rkachach)
  * manifest: Align whitespace in example cluster.yaml (#11804, @gauravsitlani)
  * external: Add realm support for external cluster (#11584, @parth-gr)
  * object: Make OBC genUserID unique across clusters (#11665, @BlaineEXE)
  * file: Check if a filesystem exists before checking dependencies during deletion (#11221, @zhucan)
  * core: On crash pod ensure rook version label is not set (#11760, @gaord)

- Update to 1.11.0

  Breaking Changes

  * The minimum version of K8s version supported is v1.21.
  * The minimum version of the Ceph-CSI driver is v3.7.
  * Removed support for MachineDisruptionBudgets, including settings removed from the CephCluster CR:

    * manageMachineDisruptionBudgets
    * machineDisruptionBudgetNamespace

  * Versions of golang supported during development are v1.19 and v1.20.

  Features

  * Ceph-CSI v3.8 is now the version deployed by default with Rook. The driver has a number of important updates to add more storage features available to clients.
  * Added setting requireMsgr2 on the CephCluster CR to allow clusters with a kernel of 5.11 or newer to fully communicate with msgr2 and disable the msgr1 port.
    This allows for more flexibility to enable msgr2 features such as encryption and compression on the wire.
  * Change pspEnable default value to false in helm charts, and remove documentation for enabling PSP.
    If still using a version of K8s where PSPs are required, see the v1.10 documentation.
  * Object store bucket notifications and topics are now marked as stable features.
  * The Ceph exporter daemon is configured as the source of metrics based on performance counters from Ceph daemons. The exporter daemon provides more scalability of
    metrics collection to reduce load on the Ceph mgr.
  * Read affinity for RBD volumes is now available, leveraging the krbd map options to allow serving reads from an OSD in proximity to the client, according to
    OSD locations defined in the CRUSH map and topology labels on nodes.
  * Mirroring data across clusters with overlapping networks is now supported. Mon and OSD services will be configured with global IPs across multiple
    clusters with overlapping CIDRs. The clusters must be configured using an MCS API-compatible application such as submariner globalnet.
    This feature is supported for Ceph version v17.2.6 or later.
  * The Ceph Mgr standby is now managed with a readiness probe instead of a sidecar.
    Note that the standby mgr is expected to fail the readiness probe, while the active mgr passes the readiness probe.


The following package changes have been done:

- csi-external-resizer-1.7.0-150300.3.6.1 updated
- glibc-2.31-150300.52.2 updated
- krb5-1.19.2-150300.13.1 updated
- libassuan0-2.5.5-150000.4.5.2 updated
- libcap2-2.26-150000.4.9.1 updated
- libeconf0-0.5.2-150300.3.11.1 updated
- libgcc_s1-12.3.0+git1204-150000.1.16.1 updated
- libldap-2_4-2-2.4.46-150200.14.17.1 updated
- libldap-data-2.4.46-150200.14.17.1 updated
- libopenssl1_1-hmac-1.1.1d-150200.11.75.1 updated
- libopenssl1_1-1.1.1d-150200.11.75.1 updated
- libprocps7-3.3.15-150000.7.34.1 updated
- libprotobuf-lite20-3.9.2-150200.4.21.1 updated
- libsolv-tools-0.7.24-150200.20.2 updated
- libstdc++6-12.3.0+git1204-150000.1.16.1 updated
- libxml2-2-2.9.7-150000.3.60.1 updated
- libzypp-17.31.20-150200.75.1 updated
- login_defs-4.8.1-150300.4.9.1 updated
- openssl-1_1-1.1.1d-150200.11.75.1 updated
- perl-base-5.26.1-150300.17.14.1 updated
- procps-3.3.15-150000.7.34.1 updated
- shadow-4.8.1-150300.4.9.1 updated
- zypper-1.14.63-150200.59.1 updated
- container:sles15-image-15.0.0-17.20.185 updated

SUSE: 2023:3078-1 ses/7.1/cephcsi/csi-resizer Security Update

September 21, 2023
The container ses/7.1/cephcsi/csi-resizer was updated

Summary

Advisory ID: SUSE-RU-2023:2497-1 Released: Tue Jun 13 15:37:25 2023 Summary: Recommended update for libzypp Type: recommended Severity: important Advisory ID: SUSE-RU-2023:2625-1 Released: Fri Jun 23 17:16:11 2023 Summary: Recommended update for gcc12 Type: recommended Severity: moderate Advisory ID: SUSE-RU-2023:2742-1 Released: Fri Jun 30 11:40:56 2023 Summary: Recommended update for autoyast2, libzypp, yast2-pkg-bindings, yast2-update, zypper Type: recommended Severity: moderate Advisory ID: SUSE-RU-2023:2855-1 Released: Mon Jul 17 16:35:21 2023 Summary: Recommended update for openldap2 Type: recommended Severity: moderate Advisory ID: SUSE-SU-2023:2882-1 Released: Wed Jul 19 11:49:39 2023 Summary: Security update for perl Type: security Severity: important Advisory ID: SUSE-RU-2023:2885-1 Released: Wed Jul 19 16:58:43 2023 Summary: Recommended update for glibc Type: recommended Severity: moderate Advisory ID: SUSE-RU-2023:2918-1 Released: Thu Jul 20 12:00:17 2023 Summary: Recommended update for gpgme Type: recommended Severity: moderate Advisory ID: SUSE-SU-2023:2956-1 Released: Tue Jul 25 08:33:38 2023 Summary: Security update for libcap Type: security Severity: moderate Advisory ID: SUSE-SU-2023:3179-1 Released: Thu Aug 3 13:59:38 2023 Summary: Security update for openssl-1_1 Type: security Severity: moderate Advisory ID: SUSE-RU-2023:3284-1 Released: Fri Aug 11 10:29:50 2023 Summary: Recommended update for shadow Type: recommended Severity: moderate Advisory ID: SUSE-SU-2023:3291-1 Released: Fri Aug 11 12:51:21 2023 Summary: Security update for openssl-1_1 Type: security Severity: moderate Advisory ID: SUSE-SU-2023:3365-1 Released: Fri Aug 18 20:35:01 2023 Summary: Security update for krb5 Type: security Severity: important Advisory ID: SUSE-SU-2023:3472-1 Released: Tue Aug 29 10:55:16 2023 Summary: Security update for procps Type: security Severity: low Advisory ID: SUSE-RU-2023:3515-1 Released: Fri Sep 1 15:54:25 2023 Summary: Recommended update for 
libzypp, zypper Type: recommended Severity: moderate Advisory ID: SUSE-SU-2023:3639-1 Released: Mon Sep 18 13:33:16 2023 Summary: Security update for libeconf Type: security Severity: moderate Advisory ID: SUSE-SU-2023:3661-1 Released: Mon Sep 18 21:44:09 2023 Summary: Security update for gcc12 Type: security Severity: important Advisory ID: SUSE-SU-2023:3698-1 Released: Wed Sep 20 11:01:15 2023 Summary: Security update for libxml2 Type: security Severity: important Advisory ID: SUSE-RU-2023:3720-1 Released: Thu Sep 21 09:01:11 2023 Summary: Recommended update for ceph-csi, csi-external-attacher, csi-external-provisioner, csi-external-resizer, csi-external-snapshotter, csi-node-driver-registrar, rook Type: recommended Severity: moderate

References

References : 1089497 1158763 1198165 1201627 1202234 1204072 1206627 1207534

1208721 1209229 1209279 1209565 1210740 1210999 1211078 1211261

1211419 1211661 1211828 1212187 1212187 1212222 1212260 1213189

1213231 1213487 1213517 1213557 1213673 1213853 1214052 1214054

1214290 1214768 CVE-2022-4304 CVE-2023-22652 CVE-2023-2603 CVE-2023-30078

CVE-2023-30079 CVE-2023-31484 CVE-2023-32181 CVE-2023-3446 CVE-2023-36054

CVE-2023-3817 CVE-2023-39615 CVE-2023-4016 CVE-2023-4039

1211661,1212187

This update for libzypp fixes the following issues:

- Fix 'Curl error 92' when synchronizing SUSE Manager repositories. [bsc#1212187]

- Do not unconditionally release a medium if provideFile failed. [bsc#1211661]

This update for gcc12 fixes the following issues:

- Update to GCC 12.3 release, 0c61aa720e62f1baf0bfd178e283, git1204

* includes regression and other bug fixes

- Speed up builds with --enable-link-serialization.

- Update embedded newlib to version 4.2.0

1202234,1209565,1211261,1212187,1212222

This update for yast2-pkg-bindings fixes the following issues:

libzypp was updated to version 17.31.14 (22):

- Curl: trim all custom headers (bsc#1212187)

HTTP/2 RFC 9113 forbids fields ending with a space. So we make

sure all custom headers are trimmed. This also includes headers

returned by URL-Resolver plugins.

- build: honor libproxy.pc's includedir (bsc#1212222)

zypper was updated to version 1.14.61:

- targetos: Add an error note if XPath:/product/register/target

is not defined in /etc/products.d/baseproduct (bsc#1211261)

- targetos: Update help and man page (bsc#1211261)

yast2-pkg-bindings, autoyast:

- Added a new option for rebuilding the RPM database (--rebuilddb) (bsc#1209565)

- Selected products are not installed after resetting the package manager internally (bsc#1202234)

yast2-update:

- Rebuild the RPM database during upgrade (--rebuilddb) (bsc#1209565)

1212260

This update for openldap2 fixes the following issues:

- libldap2 crashes on ldap_sasl_bind_s (bsc#1212260)

1210999,CVE-2023-31484

This update for perl fixes the following issues:

- CVE-2023-31484: Enable TLS cert verification in CPAN (bsc#1210999).

1208721,1209229,1211828

This update for glibc fixes the following issues:

- getlogin_r: fix missing fallback if loginuid is unset (bsc#1209229, BZ #30235)

- Exclude static archives from preparation for live patching (bsc#1208721)

- resolv_conf: release lock on allocation failure (bsc#1211828, BZ #30527)

1089497

This update for gpgme fixes the following issues:

gpgme:

- Address failure handling issues when using gpg 2.2.6 via gpgme, as used by libzypp (bsc#1089497)

libassuan:

- Version upgrade to 2.5.5 in LTSS to address gpgme new requirements

1211419,CVE-2023-2603

This update for libcap fixes the following issues:

- CVE-2023-2603: Fixed an integer overflow or wraparound in libcap/cap_alloc.c:_libcap_strdup() (bsc#1211419).

1201627,1207534,1213487,CVE-2022-4304,CVE-2023-3446

This update for openssl-1_1 fixes the following issues:

- CVE-2022-4304: Reworked the fix for the Timing-Oracle in RSA decryption.

The previous fix for this timing side channel turned out to cause a

severe 2-3x performance regression in the typical use case (bsc#1207534).

- CVE-2023-3446: Fixed DH_check() excessive time with over sized modulus (bsc#1213487).

- Update further expiring certificates that affect tests [bsc#1201627]

1206627,1213189

This update for shadow fixes the following issues:

- Prevent lock files from remaining after power interruptions (bsc#1213189)

- Add --prefix support to passwd, chpasswd and chage (bsc#1206627)

1213517,1213853,CVE-2023-3817

This update for openssl-1_1 fixes the following issues:

- CVE-2023-3817: Fixed a potential DoS due to excessive time spent checking DH q parameter value. (bsc#1213853)

1214054,CVE-2023-36054

This update for krb5 fixes the following issues:

- CVE-2023-36054: Fixed a DoS that could be triggered by an authenticated remote user. (bsc#1214054)

1214290,CVE-2023-4016

This update for procps fixes the following issues:

- CVE-2023-4016: Fixed ps buffer overflow (bsc#1214290).

1158763,1210740,1213231,1213557,1213673

This update for libzypp, zypper fixes the following issues:

- Fix occasional issue with downloading very small files (bsc#1213673)

- Fix negative ZYPP_LOCK_TIMEOUT not waiting forever (bsc#1213231)

- Fix OES synchronization issues when cookie file has mode 0600 (bsc#1158763)

- Don't cleanup orphaned dirs if read-only mode was promised (bsc#1210740)

- Revised explanation of --force-resolution in man page (bsc#1213557)

- Print summary hint if policies were violated due to --force-resolution (bsc#1213557)

References:  1198165,1211078,CVE-2023-22652,CVE-2023-30078,CVE-2023-30079,CVE-2023-32181

This update for libeconf fixes the following issues:

Update to version 0.5.2.

- CVE-2023-30078, CVE-2023-32181: Fixed a stack-buffer-overflow vulnerability in the 'econf_writeFile' function (bsc#1211078).

- CVE-2023-30079, CVE-2023-22652: Fixed a stack-buffer-overflow vulnerability in the 'read_file' function (bsc#1211078).

The following non-security bug was fixed:

- Fixed parsing of files that use both space and non-space characters as delimiters (bsc#1198165).

References:  1214052,CVE-2023-4039

This update for gcc12 fixes the following issues:

- CVE-2023-4039: Fixed incorrect stack protector for C99 VLAs on AArch64 (bsc#1214052).

References:  1214768,CVE-2023-39615

This update for libxml2 fixes the following issues:

- CVE-2023-39615: Fixed a global buffer overflow that a crafted XML document could trigger (bsc#1214768).

References:  1204072,1209279

This update for ceph-csi, csi-external-attacher, csi-external-provisioner, csi-external-resizer, csi-external-snapshotter, csi-node-driver-registrar, rook fixes the following issues:

- Update to v4.1.0

* Updated Kubernetes dependencies to 1.26.0 (#395, @sunnylovestiramisu)

- Update version to 3.4.0

Feature

* Add support for cross-namespace data sources alpha feature (#805, @ttakahashi21)

* Register metrics exposed by sig-storage-lib (#792, @RaunakShah)

* Update the annotation that needs to be applied to VolumeSnapshotContents from snapshot.storage.kubernetes.io/allowVolumeModeChange to snapshot.storage.kubernetes.io/allow-volume-mode-change (#791, @RaunakShah)

Bug or Regression

* Fix string pointer comparison for source volume mode conversion (#793, @RaunakShah)

* Fix nil pointer crash for PV without ClaimRef (#796, @zezaeoh)

Uncategorized

* Update go to 1.19 and dependencies for k8s v1.26.0 (#834, @sunnylovestiramisu)

- Update to version 1.7.0

* Fix panic in recovery path if marking pvc as resize in progress fails (#246, @gnufied)

- Update to version 6.2.1

Feature

* Add --retry-crd-interval-max flag to the snapshot-controller in order to allow customization of CRD detection on startup. (#777, @mattcary)

Uncategorized

* Change webhook example to be compatible with TLS-type secrets. (#793, @haslersn)

* Fixes an issue introduced by PR 793 by respecting the format of TLS-type secrets in the script. (#796, @haslersn)

* Update go to v1.19 and kubernetes dependencies to 1.26.0. (#797, @sunnylovestiramisu)

- Update to version 2.7.0

* Revert of #214, node-driver-registrar will create the path specified by --kubelet-registration-path (#247, @mauriciopoppe)

- Regular upgrade bsc#1204072

- Update to 1.11.9

Rook v1.11.9 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.

* multus: Fix 'deletecollection' permission not present (#12437, @sudharsanomprakash)

* dashboard: Remove deprecated kubernetes.io/ingress.class annotation (#12418, @Jeansen)

* external: Make import script idempotent (#12417, @parth-gr)

* exporter: Ignore failed deletion of service monitor (#12430, @travisn)

* multus: Add config file for validation tool (#12396, @BlaineEXE)

* object: Clarify success message when reconciling CephObjectStoreUser (#12406, @polyedre)

* docs: Update storage architecture diagram (#12252, @galexrt)

* operator: Add ceph image version label to PVC (#12372, @YZ775)

* object: Add SSL ref in cephobjectstore user secret (#12341, @thotz)

- Update to 1.11.8

Rook v1.11.8 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.

* helm: add EC Block Pool config in helm chart (#12324, @Javlopez)

* pool: Add .mgr pool to the stretch cluster examples (#12360, @travisn)

* nfs: Add Spec.Security.Kerberos.DomainName to the CRD to configure /etc/idmapd.conf (#12220, @spuiuk)

* mgr: Removing unnecessary rook-ceph-mgr rbac entries (#12337, @rkachach)

* core: Fix typo in logs to print the full name of the CephCluster (#12217, @takirala)

* core: empty ceph-daemons-sock-dir for osd onPVC (#12299, @avanthakkar)

* docs: Prevent deleting other clusters' data on cluster deletion (#12334, @satoru-takeuchi)

* docs: improve external doc format (#12383, @parth-gr)

* docs: Suggest qemu driver for minikube on apple silicon (#11722, @BlaineEXE)

- Update to 1.11.7

Rook v1.11.7 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.

* core: Delete exporter resources if ceph version is not supported (#12271, @avanthakkar)

* external: FQDN should be persisted instead of using the ip endpoint (#12264, @parth-gr)

* object: Implement more capabilities for object store users (#12256, @thotz)

* test: Add CI e2e test for multus validation test (#12282, @BlaineEXE)

* core: Use default-* logging flags for ceph daemons so they can be overridden (#12302, @Javlopez)

* helm: Add exporter resource entry to ceph cluster documentation (#12251, @galexrt)

* mgr: Allow other namespaces in the ServiceMonitor resource (#12293, @kerryeon)

* object: Add missing cephcluster spec addition in object controller (#12273, @thotz)

* monitoring: Service monitor should not use mgr_role label (#12268, @travisn)

* test: Allow specifying custom nginx image for multus validation (#12231, @iPraveenParihar)

* operator: Pull multus validation test images before test (#12211, @BlaineEXE)

* rbdmirror: Ensure rbd mirror daemon is upgraded (#12247, @travisn)

- Update to 1.11.6

Rook v1.11.6 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.

* osd: Support expanding lvm osd on pvc (#12164, @satoru-takeuchi)

* monitoring: Skip creating the service monitor for the exporter if monitoring is not enabled (#12216, @travisn)

* docs: Generate documentation for CRDs (#12110 #12179, @Javlopez)

* core: Add termination grace period for exporter pods (#12215, @avanthakkar)

* csi: servicemonitor for rook-ceph csi drivers (#12170, @jouve)

* monitoring: Configurable option to disable prometheus metrics (#12193, @travisn)

* mgr: Default to active mgr label if only one mgr is running (#12137, @travisn)

* osd: Allow scanning devices with filter (#11976, @Javlopez)

* core: Disable controller runtime metrics server (#12194, @Madhu-1)

* mgr: Use mgr_role dynamic label to tag the active ceph manager (#11845, @rkachach)

* operator: use KUBECONFIG context for cli if present (#12192, @BlaineEXE)

* external: fix rgw multisite config check (#12182 #12238, @parth-gr)

* operator: validate multus validation networks in cli (#12187, @BlaineEXE)

* operator: Fix package logger name for rookcli (#12186, @BlaineEXE)

* ceph: Unset the encryption configuration before updating the setting (#12181, @Madhu-1)

- Update to 1.11.5

Rook v1.11.5 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.

* mgr: Retry creating ceph dashboard credentials (#12149, @parth-gr)

* nfs: Reduce CephNFS CRD size by removing unnecessary file volume sources (#12155, @BlaineEXE)

* core: Update k8s API references to more recent version (#12161, @subhamkrai)

* test: Add multus validation test routine to rook binary (#12069, @BlaineEXE)

* external: check that the pool and cluster name is provided (#12132, @parth-gr)

* core: Skip OBC controllers if not needed based (#12075, @sp98)

* Add an ingress for Ceph object stores (#12109, @jouve)

* core: Disable the exporter service (#12118, @avanthakkar)

* nfs: Fixes for mounting CephNFS using Kerberos auth (#12086, @spuiuk)

- Update to 1.11.4

Rook v1.11.4 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.

* core: Update default image to Ceph v17.2.6 (#12068, @travisn)

* core: Disable the Ceph exporter daemon (#12077, @avanthakkar)

* helm: Add option to scale down rook operator (#12048, @TomHellier)

* helm: Drop snapshot.storage.k8s.io/v1beta1 (#12051, @sathieu)

* external: Add support for RGW multisite in external cluster script (#12037, @parth-gr)

* external: Do not require the monitoring endpoint (#12061, @neoaggelos)

* external: Allow creating pools with special characters in name (#12056, @parth-gr)

* external: Do not enforce rbd, cephfs and rgw flags for the external cluster (#12028, @parth-gr)

* core: Use cluster ID for ns lookup on exported multi-cluster service (#12064, @sp98)

* docs: Add scenario for deleted namespace to the disaster recovery guide (#11895, @gaord)

* mgr: Fix failure to update the dashboard port (#11932, @zhucan)

- Update to 1.11.3

Rook v1.11.3 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.

* csi: Make AttachRequired as configurable for RWX volumes (#11899, @Madhu-1)

* nfs: Add support for nfs-ganesha metrics monitoring (#12007, @synarete)

* mgr: Add option to disable the prometheus mgr module (#11980, @thenamehasbeentake)

* object: Check OBC provisioner for bucket notification (#11975, @thotz)

* external: Make rgw call separate from cephfs and rbd in export script (#11947, @parth-gr)

* core: Update vault pkg to 1.13.1 (#12013, @subhamkrai)

* core: Fix config format for msgr2 ipv6 monitors (#11993, @heliochronix)

* osd: Handle global or node-local device class configuration correctly (#11966, @satoru-takeuchi)

* csi: IPv6 compatibility for requiring msgr2 (#11992, @travisn)

* mon: Remove condition to use 6790 mon port (#11963, @sp98)

- Update to 1.11.2

Rook v1.11.2 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.

* osd: Implemented encryption key rotation (#11749, @Rakshith-R)

* core: Remove unnecessary ceph-conf-dir volume mount from exporter (#11950, @avanthakkar)

* core: Set key rotation default in code instead of in CRDs (#11951, @travisn)

* external: Use f-strings for formatting (#11944, @Sheetalpamecha)

* core: Use msgr2 if compression is enabled (#11928, @uhthomas)

* ci: Skip building csv on arm64 (#11906, @subhamkrai)

* osd: Validate and remove duplicate topology labels (#11823, @parth-gr)

* rgw: RGW dashboard can be disabled in the object CR (#11908, @thenamehasbeentake)

* external: Pool and metadata EC pools were reversed in scripts (#11919, @dragon2611)

* rgw: Skip objectstore name length validation when cluster is external (#11911, @parth-gr)

* nfs: Network mode can be set separately for cephcluster and nfs (#11777, @taxilian)

* csi: Update port to 3300 if msgr2 is required (#11859, @travisn)

* core: Add FSID to the additionalPrinterColumns on cephcluster CRD (#11864, @thenamehasbeentake)

* core: Add missing labels in exporter deployment (#11866, @avanthakkar)

- Update to 1.11.1

Rook v1.11.1 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.

* ceph: Fix host networking by only adding OSD ports when required for multi-cluster config (#11797, @sp98)

* core: Ceph exporter requires ceph config where OSDs are not running (#11848, @avanthakkar)

* monitoring: Remove prometheus alerts that don't apply to rook (#11842, @travisn)

* mgr: Revert readiness probe and go back to the original sidecar HA implementation (#11829, @rkachach)

* manifest: Align whitespace in example cluster.yaml (#11804, @gauravsitlani)

* external: Add realm support for external cluster (#11584, @parth-gr)

* object: Make OBC genUserID unique across clusters (#11665, @BlaineEXE)

* file: Check if a filesystem exists before checking dependencies during deletion (#11221, @zhucan)

* core: On crash pod ensure rook version label is not set (#11760, @gaord)

- Update to 1.11.0

Breaking Changes

* The minimum K8s version supported is v1.21.

* The minimum version of the Ceph-CSI driver is v3.7.

* Removed support for MachineDisruptionBudgets, including settings removed from the CephCluster CR:

  * manageMachineDisruptionBudgets

  * machineDisruptionBudgetNamespace

* Versions of golang supported during development are v1.19 and v1.20.

Features

* Ceph-CSI v3.8 is now the version deployed by default with Rook. The driver has a number of important updates to add more storage features available to clients.

* Added setting requireMsgr2 on the CephCluster CR to allow clusters with a kernel of 5.11 or newer to fully communicate with msgr2 and disable the msgr1 port. This allows for more flexibility to enable msgr2 features such as encryption and compression on the wire.

* Change pspEnable default value to false in helm charts, and remove documentation for enabling PSP. If still using a version of K8s where PSPs are required, see the v1.10 documentation.

* Object store bucket notifications and topics are now marked as stable features.

* The Ceph exporter daemon is configured as the source of metrics based on performance counters from Ceph daemons. The exporter daemon provides more scalability of metrics collection to reduce load on the Ceph mgr.

* Read affinity for RBD volumes is now available, leveraging the krbd map options to allow serving reads from an OSD in proximity to the client, according to OSD locations defined in the CRUSH map and topology labels on nodes.

* Mirroring data across clusters with overlapping networks is now supported. Mon and OSD services will be configured with global IPs across multiple clusters with overlapping CIDRs. The clusters must be configured using an MCS API-compatible application such as submariner globalnet. This feature is supported for Ceph version v17.2.6 or later.

* The Ceph Mgr standby is now managed with a readiness probe instead of a sidecar. Note that the standby mgr is expected to fail the readiness probe, while the active mgr passes the readiness probe.

The following package changes have been done:

- csi-external-resizer-1.7.0-150300.3.6.1 updated

- glibc-2.31-150300.52.2 updated

- krb5-1.19.2-150300.13.1 updated

- libassuan0-2.5.5-150000.4.5.2 updated

- libcap2-2.26-150000.4.9.1 updated

- libeconf0-0.5.2-150300.3.11.1 updated

- libgcc_s1-12.3.0+git1204-150000.1.16.1 updated

- libldap-2_4-2-2.4.46-150200.14.17.1 updated

- libldap-data-2.4.46-150200.14.17.1 updated

- libopenssl1_1-hmac-1.1.1d-150200.11.75.1 updated

- libopenssl1_1-1.1.1d-150200.11.75.1 updated

- libprocps7-3.3.15-150000.7.34.1 updated

- libprotobuf-lite20-3.9.2-150200.4.21.1 updated

- libsolv-tools-0.7.24-150200.20.2 updated

- libstdc++6-12.3.0+git1204-150000.1.16.1 updated

- libxml2-2-2.9.7-150000.3.60.1 updated

- libzypp-17.31.20-150200.75.1 updated

- login_defs-4.8.1-150300.4.9.1 updated

- openssl-1_1-1.1.1d-150200.11.75.1 updated

- perl-base-5.26.1-150300.17.14.1 updated

- procps-3.3.15-150000.7.34.1 updated

- shadow-4.8.1-150300.4.9.1 updated

- zypper-1.14.63-150200.59.1 updated

- container:sles15-image-15.0.0-17.20.185 updated
