<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
  <DocumentTitle xml:lang="en">SUSE-IU-2024:1177-1</DocumentTitle>
  <DocumentType>SUSE Image</DocumentType>
  <DocumentPublisher Type="Vendor">
    <ContactDetails>security@suse.de</ContactDetails>
    <IssuingAuthority>SUSE Security Team</IssuingAuthority>
  </DocumentPublisher>
  <DocumentTracking>
    <Identification>
      <ID>SUSE Image SUSE-IU-2024:1177-1</ID>
    </Identification>
    <Status>Interim</Status>
    <Version>1</Version>
    <RevisionHistory>
      <Revision>
        <Number>1</Number>
        <Date>2025-04-04T15:21:18Z</Date>
        <Description>current</Description>
      </Revision>
    </RevisionHistory>
    <InitialReleaseDate>2024-09-05T01:00:00Z</InitialReleaseDate>
    <CurrentReleaseDate>2024-09-05T01:00:00Z</CurrentReleaseDate>
    <Generator>
      <Engine>cve-database/bin/generate-cvrf-publiccloud.pl</Engine>
      <Date>2021-02-18T01:00:00Z</Date>
    </Generator>
  </DocumentTracking>
  <DocumentNotes>
    <Note Title="Topic" Type="Summary" Ordinal="1" xml:lang="en">Image update for SUSE-IU-2024:1177-1 / google/sles-15-sp6-chost-byos-v20240905-x86-64</Note>
    <Note Title="Details" Type="General" Ordinal="2" xml:lang="en">This image update for google/sles-15-sp6-chost-byos-v20240905-x86-64 contains the following changes:
Package ca-certificates-mozilla was updated:

- Updated to 2.68 state of Mozilla SSL root CAs (bsc#1227525)
  - Added: FIRMAPROFESIONAL CA ROOT-A WEB
  - Distrust: GLOBALTRUST 2020

- Updated to 2.66 state of Mozilla SSL root CAs (bsc#1220356)
  Added:
  - CommScope Public Trust ECC Root-01
  - CommScope Public Trust ECC Root-02
  - CommScope Public Trust RSA Root-01
  - CommScope Public Trust RSA Root-02
  - D-Trust SBR Root CA 1 2022
  - D-Trust SBR Root CA 2 2022
  - Telekom Security SMIME ECC Root 2021
  - Telekom Security SMIME RSA Root 2023
  - Telekom Security TLS ECC Root 2020
  - Telekom Security TLS RSA Root 2023
  - TrustAsia Global Root CA G3
  - TrustAsia Global Root CA G4
  Removed:
  - Autoridad de Certificacion Firmaprofesional CIF A62634068
  - Chambers of Commerce Root - 2008
  - Global Chambersign Root - 2008
  - Security Communication Root CA
  - Symantec Class 1 Public Primary Certification Authority - G6
  - Symantec Class 2 Public Primary Certification Authority - G6
  - TrustCor ECA-1
  - TrustCor RootCert CA-1
  - TrustCor RootCert CA-2
  - VeriSign Class 1 Public Primary Certification Authority - G3
  - VeriSign Class 2 Public Primary Certification Authority - G3
- remove-trustcor.patch: removed, now upstream
- do a versioned obsoletes of &quot;openssl-certs&quot;.

Package dmidecode was updated:

- Update to upstream version 3.6 (jsc#PED-8574):
  * Support for SMBIOS 3.6.0. This includes new memory device types, new
    processor upgrades, and Loongarch support.
  * Support for SMBIOS 3.7.0. This includes new port types, new processor
    upgrades, new slot characteristics and new fields for memory modules.
  * Add bash completion.
  * Decode HPE OEM records 197, 216, 224, 230, 238, 239, 242 and 245.
  * Implement options --list-strings and --list-types.
  * Update HPE OEM records 203, 212, 216, 221, 233 and 236.
  * Update Redfish support.
  * Bug fixes:
    Fix enabled slot characteristics not being printed
  * Minor improvements:
    Print slot width on its own line
    Use standard strings for slot width
  * Add a --no-quirks option.
  * Drop the CPUID exception list.
  * Obsoletes dmidecode-do-not-let-dump-bin-overwrite-an-existing-file.patch,
    dmidecode-fortify-entry-point-length-checks.patch,
    dmidecode-split-table-fetching-from-decoding.patch,
    dmidecode-write-the-whole-dump-file-at-once.patch,
    dmioem-fix-segmentation-fault-in-dmi_hp_240_attr.patch,
    dmioem-hpe-oem-record-237-firmware-change.patch,
    dmioem-typo-fix-virutal-virtual.patch,
    ensure-dev-mem-is-a-character-device-file.patch,
    news-fix-typo.patch and
    use-read_file-to-read-from-dump.patch.
  Update for HPE servers from upstream:
- dmioem-update-hpe-oem-type-238.patch: Decode PCI bus segment in
  HPE type 238 records.

Package dracut was updated:

- Update to version 059+suse.531.g48487c31:
  * feat(systemd*): include systemd config files from /usr/lib/systemd (bsc#1228398)
  * fix(convertfs): error in conditional expressions (bsc#1228847)

Package grub2 was updated:

- Fix btrfs subvolume for platform modules not mounting at runtime when the
  default subvolume is the topmost root tree (bsc#1228124)
  * grub2-btrfs-06-subvol-mount.patch
- Rediff
  * 0001-Unify-the-check-to-enable-btrfs-relative-path.patch

- Fix error in grub-install when root is on tmpfs (bsc#1226100)
  * 0001-grub-install-bailout-root-device-probing.patch

- Fix input handling in ppc64le grub2 has high latency (bsc#1223535)
  * 0001-net-drivers-ieee1275-ofnet-Remove-200-ms-timeout-in-.patch

Package util-linux was updated:

- agetty: Prevent login cursor escape (bsc#1194818,
  util-linux-agetty-prevent-cursor-escape.patch).

- Document unexpected side effects of lazy destruction
  (bsc#1159034, util-linux-umount-losetup-lazy-destruction.patch,
  util-linux-umount-losetup-lazy-destruction-generated.patch).

- Don't delete binaries not common for all architectures. Create an
  util-linux-extra subpackage instead, so users of third party
  tools can use them. (bsc#1222285)

Package cryptsetup was updated:

- cryptsetup-fips140-3.patch: extend the password for PBKDF2 benchmarking
  to be more than 20 chars to meet FIPS 140-3 requirements (bsc#1229975)

Package ldb was updated:

- Update to 2.8.1
  * Many qsort() comparison functions are non-transitive, which
    can lead to out-of-bounds access in some circumstances;
    (bso#15625).

Package nfs-utils was updated:

- Include source for libnfsidmap 0.26 and build that.
  This is needed for compatibility with SLE15-SP5 and earlier
  (bsc#1228159)
  Copied from old nfsidmap package:
    libnfsidmap-0.26.tar.bz2
    idmap-fix-prototype.patch
    idmap-libnfsidmap-export-symbols.patch
    idmap-0001-libnfsidmap-add-options-to-aid-id-mapping-in-multi-d.patch
    idmap-0002-nss_gss_princ_to_ids-and-nss_gss_princ_to_grouplist-.patch
    idmap-0001-Removed-some-unused-and-set-but-not-used-warnings.patch
    idmap-0002-Handle-NULL-names-better.patch
    idmap-0003-Strip-newlines-out-of-IDMAP_LOG-messages.patch
    idmap-0004-onf_parse_line-Ignore-whitespace-at-the-beginning-of.patch
    idmap-0005-nss.c-wrong-check-of-return-value.patch
    idmap-0006-Fixed-a-memory-leak-nss_name_to_gid.patch

Package libnvme was updated:

- Update to version 1.8+41.g6e8e2d7:
  * linux: Correct error handling for derive_psk_digest (bsc#1228376)
  * tree: Add NVM subsystem controller identifier (bsc#1224024)

Package openssl-1_1 was updated:

- Build with no-afalgeng [bsc#1226463]
- Security fix: [bsc#1227138, CVE-2024-5535]
  * SSL_select_next_proto buffer overread
  * Add openssl-CVE-2024-5535.patch

- Fixed C99 violations in patches bsc1185319-FIPS-KAT-for-ECDSA.patch
  (need for explicit typecast) and
  openssl-1_1-fips-list-only-approved-digest-and-pubkey-algorithms.patch
  (missing include) to allow the package to build with GCC 14.
  [boo#1225907]

Package openssl-3 was updated:

- Security fix: [bsc#1229465, CVE-2024-6119]
  * possible denial of service in X.509 name checks
  * openssl-CVE-2024-6119.patch

Package nvme-cli was updated:

- Update to version 2.8+44.gb56f5d9:
  * nvme-print: Print cntlid number for controller (bsc#1224024)

Package pam was updated:

- Prevent cursor escape from the login prompt [bsc#1194818]
  * Added: pam-bsc1194818-cursor-escape.patch

Package permissions was updated:

- Update to version 20240826:
  * permissions: remove outdated entries (bsc#1228968)

- Update to version 20240826:
  * cockpit: revert path change (bsc#1229329)

Package python3-setuptools was updated:

- Add patch CVE-2024-6345-code-execution-via-download-funcs.patch:
  * Sanitize any VCS URL we download. (CVE-2024-6345, bsc#1228105)

Package rsyslog was updated:

- Upgrade to rsyslog 8.2406.0
- patches replaced by upgrade (see details in upgrade logs below)
    0001-Avoid-crash-on-restart-in-imrelp-SIGTTIN-handler.patch
  * 2023-11-29: Revert &quot;Update omlibdbi.c&quot;
  * 2023-11-21: imkmsg: add params &quot;readMode&quot; and &quot;expectedBootCompleteSeconds&quot;
  * 2023-11-10: testbench: fix &quot;typo&quot; in test case
  * 2023-11-08: omazureeventhubs: Corrected handling of transport closed failures
  * 2023-10-31: imkmsg: add module param parseKernelTimestamp
  * 2023-11-03: imfile: remove state file on file delete fix
  * 2023-10-30: imklog bugfix: keepKernelTimestamp=off config param did not work
  * 2023-10-30: Netstreamdriver: deallocate certificate related resources
  * 2023-10-20: TLS subsystem: add remote hostname to error reporting
  * 2023-10-21: Fix forking issue due to close_range call
  * 2023-10-23: replace debian sample systemd service file by readme
  * 2023-10-20: testbench: bump zookeeper version to match current offering
  * 2023-10-20: Update rsyslog.service sample unit to the latest version used in Debian Trixie
  * 2023-10-20: Only keep a single rsyslog.service for Debian
  * 2023-10-20: Remove no longer used --with-systemdsystemunitdir configure switch
  * 2023-10-18: use logind instead of utmp for wall messages with systemd
  * 2023-10-11: Typo fixes
  * 2023-10-11: Drop CAP_IPC_LOCK capability
  * 2023-10-04: Add CAP_NET_RAW capability due to the omudpspoof module
  * 2023-10-03: Add new global config option &quot;libcapng.enable&quot;
  * 2023-10-02: tcp net subsystem: handle data race gracefully
  * 2023-08-31: Avoid crash on restart in imrelp SIGTTIN handler
  - replaces 0001-Avoid-crash-on-restart-in-imrelp-SIGTTIN-handler.patch
  * 2023-09-26: fix startup issue on modern systemd systems
  * 2023-09-14: Fix misspelling in message.
  * 2023-09-13: tcpflood bugfix: plain tcp send error not properly reported
  * 2023-09-12: omprog bugfix: Add CAP_DAC_OVERRIDE to the bounding set
  * 2023-08-02: testbench: cleanup and improve some more imfile tests
  * 2023-08-02: lookup tables: fix static analyzer issue
  * 2023-08-02: lookup tables bugfix: reload on HUP did not work when backgrounded
  * 2023-07-28: CI: fix and cleanup github workflow
  * 2023-03-07: imjournal: Support input module
  * 2023-07-28: testbench: make test more reliable
  * 2023-07-28: tcpflood: add -A option to NOT abort when sending fails
  * 2023-07-28: tcpflood: fix today's programming error
  * 2023-07-28: openssl: Replaced deprecated method SSLv23_method with TLS_method
  * 2023-07-27: testbench improvement: define state file directories for imfile tests
  * 2023-07-28: testbench: cleanup a test and some nitfixes to it
  * 2023-07-27: tcpflood bugfix: TCP sending was not implemented properly
  * 2023-07-26: testbench: make waiting for HUP processing more reliable
  * 2023-07-25: build system: make rsyslogd execute when --disable-inet is configured
  * 2023-07-25: CI: update zookeeper download to newer version
  * 2023-07-10: ossl driver: Using newer INIT API for OpenSSL 1.1+ Versions
  * 2023-07-11: ossl: Fix CRL File Expire from 1 day to 100 years.
  * 2023-07-06: PR5175: Add TLS CRL Support for GnuTLS driver and OpenSSL 1.0.2+
  * 2022-05-13: omazureeventhubs: Initial implementation of new output module
  * 2023-07-03: TLS CRL Support Issue 5081
  * 2023-06-29: action.resumeintervalmax: the parameter was not respected
  * 2023-06-28: IMHIREDIS::FIXED:: Restore compatibility with hiredis &lt; v1.0.0
  * 2023-05-15: Add the 'batchsize' parameter to imhiredis
  * 2023-06-28: Clear undefined behavior in libgcry.c (GH #5167)
  * 2023-06-22: Do not try to drop capabilities when we don't have any
  * 2023-06-22: testbench: use newer zookeeper version in tests
  * 2023-06-22: build system: more precise error message on too-old lib
  * 2023-05-17: Fix quoting for omprog, improg, mmexternal

Package samba was updated:

- Fix a crash when joining offline and 'kerberos method' includes
  keytab; (bsc#1228732);
- Fix reading the password from STDIN or environment vars if it
  was already given in the command line; (bsc#1228732);

- Update to 4.19.7
  * ldb qsort might r/w out of bounds with an intransitive
    compare function (ldb 2.8.1 is already released);
    (bso#15569).
  * Many qsort() comparison functions are non-transitive, which
    can lead to out-of-bounds access in some circumstances (ldb
    2.8.1 is already released); (bso#15625).
  * Need to change gitlab-ci.yml tags in all branches to avoid CI
    bill; (bso#15638).
  * netr_LogonSamLogonEx returns NR_STATUS_ACCESS_DENIED with
    SysvolReady=0; (bso#14981).
  * Anonymous smb3 signing/encryption should be allowed (similar
    to Windows Server 2022); (bso#15412).
  * Panic in dreplsrv_op_pull_source_apply_changes_trigger;
    (bso#15573).
  * winbindd, net ads join and other things don't work on an ipv6
    only host; (bso#15642).
  * Smbcacls incorrectly propagates inheritance with Inherit-Only
    flag; (bso#15636).
  * http library doesn't support 'chunked transfer encoding';
    (bso#15611).
- Update to 4.19.6
  * fd_handle_destructor() panics within an smbd_smb2_close() if
    vfs_stat_fsp() fails in fd_close(); (bso#15527).
  * samba-gpupdate: Correctly implement site support;
    (bso#15588).
  * libgpo: Segfault in python bindings; (bso#15599).
  * Packet marshalling push support missing for
    CTDB_CONTROL_TCP_CLIENT_DISCONNECTED and
    CTDB_CONTROL_TCP_CLIENT_PASSED; (bso#15580).

Package supportutils was updated:

- Changes to version 3.2.8
  + Avoid getting duplicate kernel verifications in boot.text (pr#190)
  + lvm: suppress file descriptor leak warnings from lvm commands (pr#191)
  + docker_info: Add timestamps to container logs (pr#196)
  + Key value pairs and container log timestamps (bsc#1222021 PED-8211, pr#198)
  + Update supportconfig get pam.d sorted (pr#199)
  + yast_files: Exclude .zcat (pr#201)
  + Sanitize grub bootloader (bsc#1227127, pr#203)
  + Sanitize regcodes (pr#204)
  + Improve product detection (pr#205)
  + Add read_values for s390x (bsc#1228265, pr#206)
  + hardware_info: Remove old alsa ver check (pr#209)
  + drbd_info: Fix incorrect escape of quotes (pr#210)

Package suse-build-key was updated:

- extended 2048 bit SUSE SLE 12, 15 GA-SP5 key until 2028. (bsc#1229339)
  - gpg-pubkey-39db7c82-5f68629b.asc
  + gpg-pubkey-39db7c82-66c5d91a.asc

Package xen was updated:

- Update to Xen 4.18.3 security bug fix release (bsc#1027519)
  xen-4.18.3-testing-src.tar.bz2
  * No upstream changelog found in sources or webpage
- bsc#1228574 - VUL-0: CVE-2024-31145: xen: error handling in x86
  IOMMU identity mapping (XSA-460)
- bsc#1228575 - VUL-0: CVE-2024-31146: xen: PCI device pass-through
  with shared resources (XSA-461)
- Dropped patches contained in new tarball
  6627a4ee-vRTC-UIP-set-for-longer-than-expected.patch
  6627a5fc-x86-MTRR-inverted-WC-check.patch
  662a6a4c-x86-spec-reporting-of-BHB-clearing.patch
  662a6a8d-x86-spec-adjust-logic-to-elide-LFENCE.patch
  663090fd-x86-gen-cpuid-syntax.patch
  663a383c-libxs-open-xenbus-fds-as-O_CLOEXEC.patch
  663a4f3e-x86-cpu-policy-migration-IceLake-to-CascadeLake.patch
  663d05b5-x86-ucode-distinguish-up-to-date.patch
  663eaa27-libxl-XenStore-error-handling-in-device-creation.patch
  66450626-sched-set-all-sched_resource-data-inside-locked.patch
  66450627-x86-respect-mapcache_domain_init-failing.patch
  6646031f-x86-ucode-further-identify-already-up-to-date.patch
  6666ba52-x86-irq-remove-offline-CPUs-from-old-CPU-mask-when.patch
  666994ab-x86-SMP-no-shorthand-IPI-in-hotplug.patch
  666994f0-x86-IRQ-limit-interrupt-movement-in-fixup_irqs.patch
  666b07ee-x86-EPT-special-page-in-epte_get_entry_emt.patch
  666b0819-x86-EPT-avoid-marking-np-ents-for-reconfig.patch
  666b085a-x86-EPT-drop-questionable-mfn_valid-from-.patch
  667187cc-x86-Intel-unlock-CPUID-earlier.patch
  66718849-x86-IRQ-old_cpu_mask-in-fixup_irqs.patch
  6671885e-x86-IRQ-handle-moving-in-_assign_irq_vector.patch
  6672c846-x86-xstate-initialisation-of-XSS-cache.patch
  6672c847-x86-CPUID-XSAVE-dynamic-leaves.patch
  6673ffdc-x86-IRQ-forward-pending-to-new-dest-in-fixup_irqs.patch
  xsa458.patch

Package xfsprogs was updated:

- xfs_repair: allow symlinks with short remote targets (bsc#1229160)
  - add xfsprogs-xfs_repair-allow-symlinks-with-short-remote-targets.patch

</Note>
    <Note Title="Terms of Use" Type="Legal Disclaimer" Ordinal="3" xml:lang="en">The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).</Note>
  </DocumentNotes>
  <DocumentReferences>
    <Reference Type="Self">
      <URL>https://publiccloudimagechangeinfo.suse.com/google/sles-15-sp6-chost-byos-v20240905-x86-64/</URL>
      <Description>Public Cloud Image Info</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/support/security/rating/</URL>
      <Description>SUSE Security Ratings</Description>
    </Reference>
  </DocumentReferences>
  <ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
    <Branch Type="Product Family" Name="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64">
      <Branch Type="Product Name" Name="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64">
        <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64">Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64</FullProductName>
      </Branch>
    </Branch>
    <Branch Type="Product Version" Name="ca-certificates-mozilla-2.68-150200.33.1">
      <FullProductName ProductID="ca-certificates-mozilla-2.68-150200.33.1">ca-certificates-mozilla-2.68-150200.33.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="dmidecode-3.6-150400.16.11.2">
      <FullProductName ProductID="dmidecode-3.6-150400.16.11.2">dmidecode-3.6-150400.16.11.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="docker-25.0.6_ce-150000.207.1">
      <FullProductName ProductID="docker-25.0.6_ce-150000.207.1">docker-25.0.6_ce-150000.207.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="dracut-059+suse.531.g48487c31-150600.3.6.2">
      <FullProductName ProductID="dracut-059+suse.531.g48487c31-150600.3.6.2">dracut-059+suse.531.g48487c31-150600.3.6.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="grub2-2.12-150600.8.3.1">
      <FullProductName ProductID="grub2-2.12-150600.8.3.1">grub2-2.12-150600.8.3.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="grub2-i386-pc-2.12-150600.8.3.1">
      <FullProductName ProductID="grub2-i386-pc-2.12-150600.8.3.1">grub2-i386-pc-2.12-150600.8.3.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="grub2-x86_64-efi-2.12-150600.8.3.1">
      <FullProductName ProductID="grub2-x86_64-efi-2.12-150600.8.3.1">grub2-x86_64-efi-2.12-150600.8.3.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libblkid1-2.39.3-150600.4.9.4">
      <FullProductName ProductID="libblkid1-2.39.3-150600.4.9.4">libblkid1-2.39.3-150600.4.9.4</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libcryptsetup12-2.7.0-150600.3.3.1">
      <FullProductName ProductID="libcryptsetup12-2.7.0-150600.3.3.1">libcryptsetup12-2.7.0-150600.3.3.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libfdisk1-2.39.3-150600.4.9.4">
      <FullProductName ProductID="libfdisk1-2.39.3-150600.4.9.4">libfdisk1-2.39.3-150600.4.9.4</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libldb2-2.8.1-150600.3.3.4">
      <FullProductName ProductID="libldb2-2.8.1-150600.3.3.4">libldb2-2.8.1-150600.3.3.4</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libmount1-2.39.3-150600.4.9.4">
      <FullProductName ProductID="libmount1-2.39.3-150600.4.9.4">libmount1-2.39.3-150600.4.9.4</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libnfsidmap1-1.0-150600.28.3.2">
      <FullProductName ProductID="libnfsidmap1-1.0-150600.28.3.2">libnfsidmap1-1.0-150600.28.3.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libnvme-mi1-1.8+41.g6e8e2d7-150600.3.6.2">
      <FullProductName ProductID="libnvme-mi1-1.8+41.g6e8e2d7-150600.3.6.2">libnvme-mi1-1.8+41.g6e8e2d7-150600.3.6.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libnvme1-1.8+41.g6e8e2d7-150600.3.6.2">
      <FullProductName ProductID="libnvme1-1.8+41.g6e8e2d7-150600.3.6.2">libnvme1-1.8+41.g6e8e2d7-150600.3.6.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libopenssl1_1-1.1.1w-150600.5.6.1">
      <FullProductName ProductID="libopenssl1_1-1.1.1w-150600.5.6.1">libopenssl1_1-1.1.1w-150600.5.6.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libopenssl3-3.1.4-150600.5.15.1">
      <FullProductName ProductID="libopenssl3-3.1.4-150600.5.15.1">libopenssl3-3.1.4-150600.5.15.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libsmartcols1-2.39.3-150600.4.9.4">
      <FullProductName ProductID="libsmartcols1-2.39.3-150600.4.9.4">libsmartcols1-2.39.3-150600.4.9.4</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libuuid1-2.39.3-150600.4.9.4">
      <FullProductName ProductID="libuuid1-2.39.3-150600.4.9.4">libuuid1-2.39.3-150600.4.9.4</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="nfs-client-2.6.4-150600.28.3.2">
      <FullProductName ProductID="nfs-client-2.6.4-150600.28.3.2">nfs-client-2.6.4-150600.28.3.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="nvme-cli-2.8+44.gb56f5d9-150600.3.6.1">
      <FullProductName ProductID="nvme-cli-2.8+44.gb56f5d9-150600.3.6.1">nvme-cli-2.8+44.gb56f5d9-150600.3.6.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="openssl-3-3.1.4-150600.5.15.1">
      <FullProductName ProductID="openssl-3-3.1.4-150600.5.15.1">openssl-3-3.1.4-150600.5.15.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="pam-1.3.0-150000.6.71.2">
      <FullProductName ProductID="pam-1.3.0-150000.6.71.2">pam-1.3.0-150000.6.71.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="permissions-20240826-150600.10.9.1">
      <FullProductName ProductID="permissions-20240826-150600.10.9.1">permissions-20240826-150600.10.9.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="python3-setuptools-44.1.1-150400.9.9.1">
      <FullProductName ProductID="python3-setuptools-44.1.1-150400.9.9.1">python3-setuptools-44.1.1-150400.9.9.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="rsyslog-8.2406.0-150600.12.3.2">
      <FullProductName ProductID="rsyslog-8.2406.0-150600.12.3.2">rsyslog-8.2406.0-150600.12.3.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="rsyslog-module-relp-8.2406.0-150600.12.3.2">
      <FullProductName ProductID="rsyslog-module-relp-8.2406.0-150600.12.3.2">rsyslog-module-relp-8.2406.0-150600.12.3.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="samba-client-libs-4.19.7+git.357.1d7950ebd62-150600.3.3.2">
      <FullProductName ProductID="samba-client-libs-4.19.7+git.357.1d7950ebd62-150600.3.3.2">samba-client-libs-4.19.7+git.357.1d7950ebd62-150600.3.3.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="supportutils-3.2.8-150600.3.3.1">
      <FullProductName ProductID="supportutils-3.2.8-150600.3.3.1">supportutils-3.2.8-150600.3.3.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="suse-build-key-12.0-150000.8.52.3">
      <FullProductName ProductID="suse-build-key-12.0-150000.8.52.3">suse-build-key-12.0-150000.8.52.3</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="util-linux-2.39.3-150600.4.9.4">
      <FullProductName ProductID="util-linux-2.39.3-150600.4.9.4">util-linux-2.39.3-150600.4.9.4</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="util-linux-systemd-2.39.3-150600.4.9.4">
      <FullProductName ProductID="util-linux-systemd-2.39.3-150600.4.9.4">util-linux-systemd-2.39.3-150600.4.9.4</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="xen-libs-4.18.3_02-150600.3.6.1">
      <FullProductName ProductID="xen-libs-4.18.3_02-150600.3.6.1">xen-libs-4.18.3_02-150600.3.6.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="xfsprogs-6.7.0-150600.3.6.2">
      <FullProductName ProductID="xfsprogs-6.7.0-150600.3.6.2">xfsprogs-6.7.0-150600.3.6.2</FullProductName>
    </Branch>
    <Relationship ProductReference="ca-certificates-mozilla-2.68-150200.33.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64:ca-certificates-mozilla-2.68-150200.33.1">ca-certificates-mozilla-2.68-150200.33.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="dmidecode-3.6-150400.16.11.2" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64:dmidecode-3.6-150400.16.11.2">dmidecode-3.6-150400.16.11.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="docker-25.0.6_ce-150000.207.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64:docker-25.0.6_ce-150000.207.1">docker-25.0.6_ce-150000.207.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="dracut-059+suse.531.g48487c31-150600.3.6.2" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64:dracut-059+suse.531.g48487c31-150600.3.6.2">dracut-059+suse.531.g48487c31-150600.3.6.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="grub2-2.12-150600.8.3.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64:grub2-2.12-150600.8.3.1">grub2-2.12-150600.8.3.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="grub2-i386-pc-2.12-150600.8.3.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64:grub2-i386-pc-2.12-150600.8.3.1">grub2-i386-pc-2.12-150600.8.3.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="grub2-x86_64-efi-2.12-150600.8.3.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64:grub2-x86_64-efi-2.12-150600.8.3.1">grub2-x86_64-efi-2.12-150600.8.3.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libblkid1-2.39.3-150600.4.9.4" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64:libblkid1-2.39.3-150600.4.9.4">libblkid1-2.39.3-150600.4.9.4 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libcryptsetup12-2.7.0-150600.3.3.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64:libcryptsetup12-2.7.0-150600.3.3.1">libcryptsetup12-2.7.0-150600.3.3.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libfdisk1-2.39.3-150600.4.9.4" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64:libfdisk1-2.39.3-150600.4.9.4">libfdisk1-2.39.3-150600.4.9.4 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libldb2-2.8.1-150600.3.3.4" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64:libldb2-2.8.1-150600.3.3.4">libldb2-2.8.1-150600.3.3.4 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libmount1-2.39.3-150600.4.9.4" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64:libmount1-2.39.3-150600.4.9.4">libmount1-2.39.3-150600.4.9.4 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libnfsidmap1-1.0-150600.28.3.2" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64:libnfsidmap1-1.0-150600.28.3.2">libnfsidmap1-1.0-150600.28.3.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libnvme-mi1-1.8+41.g6e8e2d7-150600.3.6.2" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64:libnvme-mi1-1.8+41.g6e8e2d7-150600.3.6.2">libnvme-mi1-1.8+41.g6e8e2d7-150600.3.6.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libnvme1-1.8+41.g6e8e2d7-150600.3.6.2" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64:libnvme1-1.8+41.g6e8e2d7-150600.3.6.2">libnvme1-1.8+41.g6e8e2d7-150600.3.6.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libopenssl1_1-1.1.1w-150600.5.6.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64:libopenssl1_1-1.1.1w-150600.5.6.1">libopenssl1_1-1.1.1w-150600.5.6.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libopenssl3-3.1.4-150600.5.15.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64:libopenssl3-3.1.4-150600.5.15.1">libopenssl3-3.1.4-150600.5.15.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libsmartcols1-2.39.3-150600.4.9.4" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64:libsmartcols1-2.39.3-150600.4.9.4">libsmartcols1-2.39.3-150600.4.9.4 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libuuid1-2.39.3-150600.4.9.4" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64:libuuid1-2.39.3-150600.4.9.4">libuuid1-2.39.3-150600.4.9.4 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="nfs-client-2.6.4-150600.28.3.2" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64:nfs-client-2.6.4-150600.28.3.2">nfs-client-2.6.4-150600.28.3.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="nvme-cli-2.8+44.gb56f5d9-150600.3.6.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64:nvme-cli-2.8+44.gb56f5d9-150600.3.6.1">nvme-cli-2.8+44.gb56f5d9-150600.3.6.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="openssl-3-3.1.4-150600.5.15.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64:openssl-3-3.1.4-150600.5.15.1">openssl-3-3.1.4-150600.5.15.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="pam-1.3.0-150000.6.71.2" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64:pam-1.3.0-150000.6.71.2">pam-1.3.0-150000.6.71.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="permissions-20240826-150600.10.9.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64:permissions-20240826-150600.10.9.1">permissions-20240826-150600.10.9.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="python3-setuptools-44.1.1-150400.9.9.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64:python3-setuptools-44.1.1-150400.9.9.1">python3-setuptools-44.1.1-150400.9.9.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="rsyslog-8.2406.0-150600.12.3.2" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64:rsyslog-8.2406.0-150600.12.3.2">rsyslog-8.2406.0-150600.12.3.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="rsyslog-module-relp-8.2406.0-150600.12.3.2" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64:rsyslog-module-relp-8.2406.0-150600.12.3.2">rsyslog-module-relp-8.2406.0-150600.12.3.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="samba-client-libs-4.19.7+git.357.1d7950ebd62-150600.3.3.2" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64:samba-client-libs-4.19.7+git.357.1d7950ebd62-150600.3.3.2">samba-client-libs-4.19.7+git.357.1d7950ebd62-150600.3.3.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="supportutils-3.2.8-150600.3.3.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64:supportutils-3.2.8-150600.3.3.1">supportutils-3.2.8-150600.3.3.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="suse-build-key-12.0-150000.8.52.3" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64:suse-build-key-12.0-150000.8.52.3">suse-build-key-12.0-150000.8.52.3 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="util-linux-2.39.3-150600.4.9.4" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64:util-linux-2.39.3-150600.4.9.4">util-linux-2.39.3-150600.4.9.4 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="util-linux-systemd-2.39.3-150600.4.9.4" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64:util-linux-systemd-2.39.3-150600.4.9.4">util-linux-systemd-2.39.3-150600.4.9.4 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="xen-libs-4.18.3_02-150600.3.6.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64:xen-libs-4.18.3_02-150600.3.6.1">xen-libs-4.18.3_02-150600.3.6.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="xfsprogs-6.7.0-150600.3.6.2" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64:xfsprogs-6.7.0-150600.3.6.2">xfsprogs-6.7.0-150600.3.6.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64</FullProductName>
    </Relationship>
  </ProductTree>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Certain PCI devices in a system might be assigned Reserved Memory
Regions (specified via Reserved Memory Region Reporting, "RMRR") for
Intel VT-d or Unity Mapping ranges for AMD-Vi.  These are typically used
for platform tasks such as legacy USB emulation.

Since the precise purpose of these regions is unknown, once a device
associated with such a region is active, the mappings of these regions
need to remain continuously accessible by the device.  In the logic
establishing these mappings, error handling was flawed, resulting in
such mappings potentially remaining in place when they should have been
removed again.  Respective guests would then gain access to memory
regions which they aren't supposed to have access to.</Note>
    </Notes>
    <CVE>CVE-2024-31145</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64:xen-libs-4.18.3_02-150600.3.6.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">When multiple devices share resources and one of them is to be passed
through to a guest, security of the entire system and of respective
guests individually cannot really be guaranteed without knowing
internals of any of the involved guests.  Therefore such a configuration
cannot really be security-supported, yet making that explicit was so far
missing.

Resources the sharing of which is known to be problematic include, but
are not limited to
- PCI Base Address Registers (BARs) of multiple devices mapping to the
  same page (4k on x86),
- INTx lines.</Note>
    </Notes>
    <CVE>CVE-2024-31146</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64:xen-libs-4.18.3_02-150600.3.6.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an
empty supported client protocols buffer may cause a crash or memory contents to
be sent to the peer.

Impact summary: A buffer overread can have a range of potential consequences
such as unexpected application behaviour or a crash. In particular this issue
could result in up to 255 bytes of arbitrary private data from memory being sent
to the peer leading to a loss of confidentiality. However, only applications
that directly call the SSL_select_next_proto function with a 0 length list of
supported client protocols are affected by this issue. This would normally never
be a valid scenario and is typically not under attacker control but may occur by
accident in the case of a configuration or programming error in the calling
application.

The OpenSSL API function SSL_select_next_proto is typically used by TLS
applications that support ALPN (Application Layer Protocol Negotiation) or NPN
(Next Protocol Negotiation). NPN is older, was never standardised and
is deprecated in favour of ALPN. We believe that ALPN is significantly more
widely deployed than NPN. The SSL_select_next_proto function accepts a list of
protocols from the server and a list of protocols from the client and returns
the first protocol that appears in the server list that also appears in the
client list. In the case of no overlap between the two lists it returns the
first item in the client list. In either case it will signal whether an overlap
between the two lists was found. In the case where SSL_select_next_proto is
called with a zero length client list it fails to notice this condition and
returns the memory immediately following the client list pointer (and reports
that there was no overlap in the lists).

This function is typically called from a server side application callback for
ALPN or a client side application callback for NPN. In the case of ALPN the list
of protocols supplied by the client is guaranteed by libssl to never be zero in
length. The list of server protocols comes from the application and should never
normally be expected to be of zero length. In this case if the
SSL_select_next_proto function has been called as expected (with the list
supplied by the client passed in the client/client_len parameters), then the
application will not be vulnerable to this issue. If the application has
accidentally been configured with a zero length server list, and has
accidentally passed that zero length server list in the client/client_len
parameters, and has additionally failed to correctly handle a "no overlap"
response (which would normally result in a handshake failure in ALPN) then it
will be vulnerable to this problem.

In the case of NPN, the protocol permits the client to opportunistically select
a protocol when there is no overlap. OpenSSL returns the first client protocol
in the no overlap case in support of this. The list of client protocols comes
from the application and should never normally be expected to be of zero length.
However if the SSL_select_next_proto function is accidentally called with a
client_len of 0 then an invalid memory pointer will be returned instead. If the
application uses this output as the opportunistic protocol then the loss of
confidentiality will occur.

This issue has been assessed as Low severity because applications are most
likely to be vulnerable if they are using NPN instead of ALPN - but NPN is not
widely used. It also requires an application configuration or programming error.
Finally, this issue would not typically be under attacker control making active
exploitation unlikely.

The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.

Due to the low severity of this issue we are not issuing new releases of
OpenSSL at this time. The fix will be included in the next releases when they
become available.</Note>
    </Notes>
    <CVE>CVE-2024-5535</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64:libopenssl1_1-1.1.1w-150600.5.6.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Issue summary: Applications performing certificate name checks (e.g., TLS
clients checking server certificates) may attempt to read an invalid memory
address resulting in abnormal termination of the application process.

Impact summary: Abnormal termination of an application can cause a denial of
service.

Applications performing certificate name checks (e.g., TLS clients checking
server certificates) may attempt to read an invalid memory address when
comparing the expected name with an `otherName` subject alternative name of an
X.509 certificate. This may result in an exception that terminates the
application program.

Note that basic certificate chain validation (signatures, dates, ...) is not
affected, the denial of service can occur only when the application also
specifies an expected DNS name, Email address or IP address.

TLS servers rarely solicit client certificates, and even when they do, they
generally don't perform a name check against a reference identifier (expected
identity), but rather extract the presented identity after checking the
certificate chain.  So TLS servers are generally not affected and the severity
of the issue is Moderate.

The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.</Note>
    </Notes>
    <CVE>CVE-2024-6119</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64:libopenssl3-3.1.4-150600.5.15.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64:openssl-3-3.1.4-150600.5.15.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.</Note>
    </Notes>
    <CVE>CVE-2024-6345</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp6-chost-byos-v20240905-x86-64:python3-setuptools-44.1.1-150400.9.9.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
</cvrfdoc>
