<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
  <DocumentTitle xml:lang="en">SUSE-IU-2024:1233-1</DocumentTitle>
  <DocumentType>SUSE Image</DocumentType>
  <DocumentPublisher Type="Vendor">
    <ContactDetails>security@suse.de</ContactDetails>
    <IssuingAuthority>SUSE Security Team</IssuingAuthority>
  </DocumentPublisher>
  <DocumentTracking>
    <Identification>
      <ID>SUSE Image SUSE-IU-2024:1233-1</ID>
    </Identification>
    <Status>Interim</Status>
    <Version>1</Version>
    <RevisionHistory>
      <Revision>
        <Number>1</Number>
        <Date>2025-04-10T12:42:30Z</Date>
        <Description>current</Description>
      </Revision>
    </RevisionHistory>
    <InitialReleaseDate>2024-09-12T01:00:00Z</InitialReleaseDate>
    <CurrentReleaseDate>2024-09-12T01:00:00Z</CurrentReleaseDate>
    <Generator>
      <Engine>cve-database/bin/generate-cvrf-publiccloud.pl</Engine>
      <Date>2021-02-18T01:00:00Z</Date>
    </Generator>
  </DocumentTracking>
  <DocumentNotes>
    <Note Title="Topic" Type="Summary" Ordinal="1" xml:lang="en">Image update for SUSE-IU-2024:1233-1 / google/sles-15-sp5-chost-byos-v20240912-arm64</Note>
    <Note Title="Details" Type="General" Ordinal="2" xml:lang="en">This image update for google/sles-15-sp5-chost-byos-v20240912-arm64 contains the following changes:

Package containerd was updated:

- Update to containerd v1.7.21. Upstream release notes: &lt;https://github.com/containerd/containerd/releases/tag/v1.7.21&gt;
  Fixes CVE-2023-47108. bsc#1217070
  Fixes CVE-2023-45142. bsc#1228553
- Rebase patches:
  * 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch

Package curl was updated:

- Security fix: [bsc#1230093, CVE-2024-8096]
  * curl: OCSP stapling bypass with GnuTLS
  * Add curl-CVE-2024-8096.patch

- Security fix: [bsc#1228535, CVE-2024-7264]
  * curl: ASN.1 date parser overread
  * Add curl-CVE-2024-7264.patch

Package dracut was updated:

- Update to version 055+suse.392.g7930ab23:
  * feat(systemd*): include systemd config files from /usr/lib/systemd (bsc#1228398)
  * fix(convertfs): error in conditional expressions (bsc#1228847)

Package glibc was updated:

- s390x-wcsncmp.patch: s390x: Fix segfault in wcsncmp (bsc#1228043, BZ #31934)

Package expat was updated:

- Security fix (bsc#1229932, CVE-2024-45492): detect integer
  overflow in function nextScaffoldPart
  * Added expat-CVE-2024-45492.patch
- Security fix (bsc#1229931, CVE-2024-45491): detect integer
  overflow in dtdCopy
  * Added expat-CVE-2024-45491.patch
- Security fix (bsc#1229930, CVE-2024-45490): reject negative
  len for XML_ParseBuffer
  * Added expat-CVE-2024-45490.patch

Package glib2 was updated:

- Add glib2-gdbusmessage-cache-arg0.patch: cache the arg0 value in
  a dbus message. Fixes a possible use after free (boo#1224044).

Package libpcap was updated:

- Security fix: [bsc#1230034, CVE-2024-8006]
  * libpcap: NULL pointer dereference in pcap_findalldevs_ex()
  * Add libpcap-CVE-2024-8006.patch

- Security fix: [bsc#1230020, CVE-2023-7256]
  * libpcap: double free via addrinfo in sock_initaddress()
  * Add libpcap-CVE-2023-7256.patch

Package libsolv was updated:

- removed dependency on external find program in the repo2solv tool
- bindings: fix return value of repodata.add_solv()
- new SOLVER_FLAG_FOCUS_NEW flag
- bump version to 0.7.30

Package systemd was updated:

- Import commit a57a6d239c5d6b91fb3dcd269705e60804a03ae1
  cd0c9ac4f4 unit: drop ProtectClock=yes from systemd-udevd.service (bsc#1226414)
  e1eaa86a49 udev: do not set ID_PATH and by-path symlink for nvmf disks
  a85d211874 man: Document ranges for distributions config files and local config files

- Don't mention any rpm macros inside comments, even if escaped (bsc#1228091)
  Otherwise pesign-obs-integration ends up re-packaging systemd with all macros
  inside comments unescaped leading to unpredictable behavior. Now why rpm
  expands rpm macros inside comments is the question...

- Update 1011-sysv-generator-add-back-support-for-SysV-scripts-for.patch
  Really skip redundant dependencies specified the LSB description that
  references the file name of the service itself for early boot scripts (noticed
  in bsc#1221479).

Package libzypp was updated:

- Make sure not to statically link installed tools (bsc#1228787)
- version 17.35.8 (35)

- MediaPluginType must be resolved to a valid MediaHandler
  (bsc#1228208)
- version 17.35.7 (35)

- Export CredentialManager for legacy YAST versions (bsc#1228420)
- version 17.35.6 (35)

- Export asSolvable for YAST (bsc#1228420)
- Fix 4 typos in zypp.conf.
- version 17.35.5 (35)

- Fix typo in the geoip update pipeline (bsc#1228206)
- Export RepoVariablesStringReplacer for yast2 (bsc#1228138)
- version 17.35.4 (35)

- Translation: updated .pot file.
- Conflict with python zypp-plugin &lt; 0.6.4 (bsc#1227793)
  Older zypp-plugins reject stomp headers including a '-'. Like the
  'content-length' header we may send.
- Fix int overflow in Provider (fixes #559)
  This patch fixes an issue in safe_strtonum which caused
  timestamps to overflow in the Provider message parser.
- Fix error reporting on repoindex.xml parse error (bsc#1227625)
- version 17.35.3 (35)

- Keep UrlResolverPlugin API public (fixes #560)
- Blacklist /snap executables for 'zypper ps' (bsc#1226014)
- Fix handling of buddies when applying locks (bsc#1225267)
  Buddy pairs (like -release package and product) internally share
  the same status object. When applying locks from query results
  the locked bit must be set if either item is locked.
- version 17.35.2 (35)

- Install zypp/APIConfig.h legacy include (fixes #557)
- version 17.35.1 (35)

- Update soname due to RepoManager refactoring and cleanup.
- version 17.35.0 (35)

- Workaround broken libsolv-tools-base requirements (fixes
  openSUSE/zypper#551)
- Strip ssl_clientkey from repo urls (bsc#1226030)
- Remove protobuf build dependency.
- Lazily attach medium during refresh workflows (bsc#1223094)
- Refactor RepoManager and add Service workflows.
- version 17.34.2 (34)

Package python3-setuptools was updated:

- Add patch CVE-2024-6345-code-execution-via-download-funcs.patch:
  * Sanitize any VCS URL we download. (CVE-2024-6345, bsc#1228105)

Package runc was updated:

[ This was only ever released for SLES and Leap. ]
- Update to runc v1.1.14. Upstream changelog is available from
  &lt;https://github.com/opencontainers/runc/releases/tag/v1.1.14&gt;.
  Includes the patch for CVE-2024-45310. bsc#1230092
- Rebase patches:
  * 0001-bsc1221050-libct-seccomp-patchbpf-rm-duplicated-code.patch
  * 0002-bsc1221050-seccomp-patchbpf-rename-nativeArch-linuxA.patch
  * 0003-bsc1221050-seccomp-patchbpf-always-include-native-ar.patch
  * 0004-bsc1214960-nsenter-cloned_binary-remove-bindfd-logic.patch

Package 000release-packages:sle-module-basesystem-release was updated:

Package 000release-packages:sle-module-containers-release was updated:

Package 000release-packages:sle-module-public-cloud-release was updated:

Package 000release-packages:sle-module-server-applications-release was updated:

Package supportutils was updated:

- Changes to version 3.2.8
  + Avoid getting duplicate kernel verifications in boot.text (pr#190)
  + lvm: suppress file descriptor leak warnings from lvm commands (pr#191)
  + docker_info: Add timestamps to container logs (pr#196)
  + Key value pairs and container log timestamps (bsc#1222021 PED-8211, pr#198)
  + Update supportconfig get pam.d sorted (pr#199)
  + yast_files: Exclude .zcat (pr#201)
  + Sanitize grub bootloader (bsc#1227127, pr#203)
  + Sanitize regcodes (pr#204)
  + Improve product detection (pr#205)
  + Add read_values for s390x (bsc#1228265, pr#206)
  + hardware_info: Remove old alsa ver check (pr#209)
  + drbd_info: Fix incorrect escape of quotes (pr#210)

Package suse-build-key was updated:

- extended 2048 bit SUSE SLE 12, 15 GA-SP5 key until 2028. (bsc#1229339)
  - gpg-pubkey-39db7c82-5f68629b.asc
  + gpg-pubkey-39db7c82-66c5d91a.asc

Package zypper was updated:

- Show rpm install size before installing (bsc#1224771)
  If filesystem snapshots are taken before the installation (e.g.
  by snapper) no disk space is freed by removing old packages. In
  this case the install size of all packages is a hint how much
  additional disk space is needed by the new packages static
  content.
- version 1.14.76

- Fix readline setup to handle Ctrl-C and Ctrl-D correctly
  (bsc#1227205)
- version 1.14.75

- Let readline abort on Ctrl-C (bsc#1226493)
- packages: add '--system' to show @System packages (bsc#222971)
- version 1.14.74

</Note>
    <Note Title="Terms of Use" Type="Legal Disclaimer" Ordinal="3" xml:lang="en">The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).</Note>
  </DocumentNotes>
  <DocumentReferences>
    <Reference Type="Self">
      <URL>https://publiccloudimagechangeinfo.suse.com/google/sles-15-sp5-chost-byos-v20240912-arm64/</URL>
      <Description>Public Cloud Image Info</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/support/security/rating/</URL>
      <Description>SUSE Security Ratings</Description>
    </Reference>
  </DocumentReferences>
  <ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
    <Branch Type="Product Family" Name="Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64">
      <Branch Type="Product Name" Name="Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64">
        <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64">Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64</FullProductName>
      </Branch>
    </Branch>
    <Branch Type="Product Version" Name="containerd-1.7.21-150000.117.1">
      <FullProductName ProductID="containerd-1.7.21-150000.117.1">containerd-1.7.21-150000.117.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="containerd-ctr-1.7.21-150000.117.1">
      <FullProductName ProductID="containerd-ctr-1.7.21-150000.117.1">containerd-ctr-1.7.21-150000.117.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="curl-8.0.1-150400.5.50.1">
      <FullProductName ProductID="curl-8.0.1-150400.5.50.1">curl-8.0.1-150400.5.50.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="docker-25.0.6_ce-150000.207.1">
      <FullProductName ProductID="docker-25.0.6_ce-150000.207.1">docker-25.0.6_ce-150000.207.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="dracut-055+suse.392.g7930ab23-150500.3.24.2">
      <FullProductName ProductID="dracut-055+suse.392.g7930ab23-150500.3.24.2">dracut-055+suse.392.g7930ab23-150500.3.24.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="glibc-2.31-150300.86.3">
      <FullProductName ProductID="glibc-2.31-150300.86.3">glibc-2.31-150300.86.3</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="glibc-locale-2.31-150300.86.3">
      <FullProductName ProductID="glibc-locale-2.31-150300.86.3">glibc-locale-2.31-150300.86.3</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="glibc-locale-base-2.31-150300.86.3">
      <FullProductName ProductID="glibc-locale-base-2.31-150300.86.3">glibc-locale-base-2.31-150300.86.3</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libcurl4-8.0.1-150400.5.50.1">
      <FullProductName ProductID="libcurl4-8.0.1-150400.5.50.1">libcurl4-8.0.1-150400.5.50.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libexpat1-2.4.4-150400.3.22.1">
      <FullProductName ProductID="libexpat1-2.4.4-150400.3.22.1">libexpat1-2.4.4-150400.3.22.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libglib-2_0-0-2.70.5-150400.3.14.1">
      <FullProductName ProductID="libglib-2_0-0-2.70.5-150400.3.14.1">libglib-2_0-0-2.70.5-150400.3.14.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libpcap1-1.10.1-150400.3.3.2">
      <FullProductName ProductID="libpcap1-1.10.1-150400.3.3.2">libpcap1-1.10.1-150400.3.3.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libsolv-tools-0.7.30-150400.3.27.2">
      <FullProductName ProductID="libsolv-tools-0.7.30-150400.3.27.2">libsolv-tools-0.7.30-150400.3.27.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libsolv-tools-base-0.7.30-150400.3.27.2">
      <FullProductName ProductID="libsolv-tools-base-0.7.30-150400.3.27.2">libsolv-tools-base-0.7.30-150400.3.27.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libsystemd0-249.17-150400.8.43.1">
      <FullProductName ProductID="libsystemd0-249.17-150400.8.43.1">libsystemd0-249.17-150400.8.43.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libudev1-249.17-150400.8.43.1">
      <FullProductName ProductID="libudev1-249.17-150400.8.43.1">libudev1-249.17-150400.8.43.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libzypp-17.35.8-150500.6.13.1">
      <FullProductName ProductID="libzypp-17.35.8-150500.6.13.1">libzypp-17.35.8-150500.6.13.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="python3-setuptools-44.1.1-150400.9.9.1">
      <FullProductName ProductID="python3-setuptools-44.1.1-150400.9.9.1">python3-setuptools-44.1.1-150400.9.9.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="runc-1.1.14-150000.70.1">
      <FullProductName ProductID="runc-1.1.14-150000.70.1">runc-1.1.14-150000.70.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="sles-release-15.5-150500.61.4.1">
      <FullProductName ProductID="sles-release-15.5-150500.61.4.1">sles-release-15.5-150500.61.4.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="supportutils-3.2.8-150300.7.35.33.1">
      <FullProductName ProductID="supportutils-3.2.8-150300.7.35.33.1">supportutils-3.2.8-150300.7.35.33.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="suse-build-key-12.0-150000.8.52.3">
      <FullProductName ProductID="suse-build-key-12.0-150000.8.52.3">suse-build-key-12.0-150000.8.52.3</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="systemd-249.17-150400.8.43.1">
      <FullProductName ProductID="systemd-249.17-150400.8.43.1">systemd-249.17-150400.8.43.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="systemd-sysvinit-249.17-150400.8.43.1">
      <FullProductName ProductID="systemd-sysvinit-249.17-150400.8.43.1">systemd-sysvinit-249.17-150400.8.43.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="udev-249.17-150400.8.43.1">
      <FullProductName ProductID="udev-249.17-150400.8.43.1">udev-249.17-150400.8.43.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="zypper-1.14.76-150500.6.6.15">
      <FullProductName ProductID="zypper-1.14.76-150500.6.6.15">zypper-1.14.76-150500.6.6.15</FullProductName>
    </Branch>
    <Relationship ProductReference="containerd-1.7.21-150000.117.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64:containerd-1.7.21-150000.117.1">containerd-1.7.21-150000.117.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64</FullProductName>
    </Relationship>
    <Relationship ProductReference="containerd-ctr-1.7.21-150000.117.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64:containerd-ctr-1.7.21-150000.117.1">containerd-ctr-1.7.21-150000.117.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64</FullProductName>
    </Relationship>
    <Relationship ProductReference="curl-8.0.1-150400.5.50.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64:curl-8.0.1-150400.5.50.1">curl-8.0.1-150400.5.50.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64</FullProductName>
    </Relationship>
    <Relationship ProductReference="docker-25.0.6_ce-150000.207.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64:docker-25.0.6_ce-150000.207.1">docker-25.0.6_ce-150000.207.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64</FullProductName>
    </Relationship>
    <Relationship ProductReference="dracut-055+suse.392.g7930ab23-150500.3.24.2" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64:dracut-055+suse.392.g7930ab23-150500.3.24.2">dracut-055+suse.392.g7930ab23-150500.3.24.2 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64</FullProductName>
    </Relationship>
    <Relationship ProductReference="glibc-2.31-150300.86.3" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64:glibc-2.31-150300.86.3">glibc-2.31-150300.86.3 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64</FullProductName>
    </Relationship>
    <Relationship ProductReference="glibc-locale-2.31-150300.86.3" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64:glibc-locale-2.31-150300.86.3">glibc-locale-2.31-150300.86.3 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64</FullProductName>
    </Relationship>
    <Relationship ProductReference="glibc-locale-base-2.31-150300.86.3" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64:glibc-locale-base-2.31-150300.86.3">glibc-locale-base-2.31-150300.86.3 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libcurl4-8.0.1-150400.5.50.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64:libcurl4-8.0.1-150400.5.50.1">libcurl4-8.0.1-150400.5.50.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libexpat1-2.4.4-150400.3.22.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64:libexpat1-2.4.4-150400.3.22.1">libexpat1-2.4.4-150400.3.22.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libglib-2_0-0-2.70.5-150400.3.14.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64:libglib-2_0-0-2.70.5-150400.3.14.1">libglib-2_0-0-2.70.5-150400.3.14.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libpcap1-1.10.1-150400.3.3.2" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64:libpcap1-1.10.1-150400.3.3.2">libpcap1-1.10.1-150400.3.3.2 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libsolv-tools-0.7.30-150400.3.27.2" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64:libsolv-tools-0.7.30-150400.3.27.2">libsolv-tools-0.7.30-150400.3.27.2 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libsolv-tools-base-0.7.30-150400.3.27.2" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64:libsolv-tools-base-0.7.30-150400.3.27.2">libsolv-tools-base-0.7.30-150400.3.27.2 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libsystemd0-249.17-150400.8.43.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64:libsystemd0-249.17-150400.8.43.1">libsystemd0-249.17-150400.8.43.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libudev1-249.17-150400.8.43.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64:libudev1-249.17-150400.8.43.1">libudev1-249.17-150400.8.43.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libzypp-17.35.8-150500.6.13.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64:libzypp-17.35.8-150500.6.13.1">libzypp-17.35.8-150500.6.13.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64</FullProductName>
    </Relationship>
    <Relationship ProductReference="python3-setuptools-44.1.1-150400.9.9.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64:python3-setuptools-44.1.1-150400.9.9.1">python3-setuptools-44.1.1-150400.9.9.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64</FullProductName>
    </Relationship>
    <Relationship ProductReference="runc-1.1.14-150000.70.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64:runc-1.1.14-150000.70.1">runc-1.1.14-150000.70.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64</FullProductName>
    </Relationship>
    <Relationship ProductReference="sles-release-15.5-150500.61.4.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64:sles-release-15.5-150500.61.4.1">sles-release-15.5-150500.61.4.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64</FullProductName>
    </Relationship>
    <Relationship ProductReference="supportutils-3.2.8-150300.7.35.33.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64:supportutils-3.2.8-150300.7.35.33.1">supportutils-3.2.8-150300.7.35.33.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64</FullProductName>
    </Relationship>
    <Relationship ProductReference="suse-build-key-12.0-150000.8.52.3" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64:suse-build-key-12.0-150000.8.52.3">suse-build-key-12.0-150000.8.52.3 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64</FullProductName>
    </Relationship>
    <Relationship ProductReference="systemd-249.17-150400.8.43.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64:systemd-249.17-150400.8.43.1">systemd-249.17-150400.8.43.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64</FullProductName>
    </Relationship>
    <Relationship ProductReference="systemd-sysvinit-249.17-150400.8.43.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64:systemd-sysvinit-249.17-150400.8.43.1">systemd-sysvinit-249.17-150400.8.43.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64</FullProductName>
    </Relationship>
    <Relationship ProductReference="udev-249.17-150400.8.43.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64:udev-249.17-150400.8.43.1">udev-249.17-150400.8.43.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64</FullProductName>
    </Relationship>
    <Relationship ProductReference="zypper-1.14.76-150500.6.6.15" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64:zypper-1.14.76-150500.6.6.15">zypper-1.14.76-150500.6.6.15 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64</FullProductName>
    </Relationship>
  </ProductTree>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels `http.user_agent` and `http.method` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent to it. HTTP header User-Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library internally uses `httpconv.ServerRequest` that records every value for HTTP `method` and `User-Agent`. In order to be affected, a program has to use the `otelhttp.NewHandler` wrapper and not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. Version 0.44.0 fixed this issue when the values collected for attribute `http.request.method` were changed to be restricted to a set of well-known values and other high cardinality attributes were removed. As a workaround to stop being affected, `otelhttp.WithFilter()` can be used, but it requires manual careful configuration to not log certain requests entirely. For convenience and safe usage of this library, it should by default mark with the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality. In case someone wants to stay with the current behavior, library API should allow to enable it.</Note>
    </Notes>
    <CVE>CVE-2023-45142</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64:containerd-1.7.21-150000.117.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64:containerd-ctr-1.7.21-150000.117.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent. An attacker can easily flood the peer address and port for requests. Version 0.46.0 contains a fix for this issue. As a workaround to stop being affected, a view removing the attributes can be used. The other possibility is to disable grpc metrics instrumentation by passing `otelgrpc.WithMeterProvider` option with `noop.NewMeterProvider`.</Note>
    </Notes>
    <CVE>CVE-2023-47108</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64:containerd-1.7.21-150000.117.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64:containerd-ctr-1.7.21-150000.117.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In affected libpcap versions during the setup of a remote packet capture the internal function sock_initaddress() calls getaddrinfo() and possibly freeaddrinfo(), but does not clearly indicate to the caller function whether freeaddrinfo() still remains to be called after the function returns.  This makes it possible in some scenarios that both the function and its caller call freeaddrinfo() for the same allocated memory block.  A similar problem was reported in Apple libpcap, to which Apple assigned CVE-2023-40400.</Note>
    </Notes>
    <CVE>CVE-2023-7256</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64:libpcap1-1.10.1-150400.3.3.2</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">runc is a CLI tool for spawning and running containers according to the OCI specification. runc 1.1.13 and earlier, as well as 1.2.0-rc2 and earlier, can be tricked into creating empty files or directories in arbitrary locations in the host filesystem by sharing a volume between two containers and exploiting a race with `os.MkdirAll`. While this could be used to create empty files, existing files would not be truncated. An attacker must have the ability to start containers using some kind of custom volume configuration. Containers using user namespaces are still affected, but the scope of places an attacker can create inodes can be significantly reduced. Sufficiently strict LSM policies (SELinux/AppArmor) can also in principle block this attack -- we suspect the industry standard SELinux policy may restrict this attack's scope but the exact scope of protection hasn't been analysed. This is exploitable using runc directly as well as through Docker and Kubernetes. The issue is fixed in runc v1.1.14 and v1.2.0-rc3.

Some workarounds are available. Using user namespaces restricts this attack fairly significantly such that the attacker can only create inodes in directories that the remapped root user/group has write access to. Unless the root user is remapped to an actual user on the host (such as with rootless containers that don't use `/etc/sub[ug]id`), this in practice means that an attacker would only be able to create inodes in world-writable directories. A strict enough SELinux or AppArmor policy could in principle also restrict the scope if a specific label is applied to the runc runtime, though neither the extent to which the standard existing policies block this attack nor what exact policies are needed to sufficiently restrict this attack have been thoroughly tested.</Note>
    </Notes>
    <CVE>CVE-2024-45310</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64:runc-1.1.14-150000.70.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer.</Note>
    </Notes>
    <CVE>CVE-2024-45490</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64:libexpat1-2.4.4-150400.3.22.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX).</Note>
    </Notes>
    <CVE>CVE-2024-45491</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64:libexpat1-2.4.4-150400.3.22.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX).</Note>
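      <Note Title="Worked Example" Type="General" Ordinal="2" xml:lang="en"><![CDATA[
The three libexpat issues in this update (CVE-2024-45490, CVE-2024-45491 and CVE-2024-45492) are two related bug classes: a signed length accepted without a sign check, and an unsigned element count multiplied into an allocation size without an overflow check, which wraps on 32-bit targets where size_t is no wider than unsigned int. The C below is an added example written for this advisory, not libexpat's code; struct att_table, checked_bytes(), grow_atts(), parse_len_ok() and demo_growth() are hypothetical names, and the attribute record only stands in for the entries whose count overflowed.

```c
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical record standing in for one default-attribute entry. */
struct default_att {
    const char *name;
    const char *value;
};

/* The counter is deliberately `unsigned int`, the width expat uses, because on
 * a 32-bit target that is also the width of size_t (UINT_MAX == SIZE_MAX). */
struct att_table {
    struct default_att *atts;
    unsigned int count;
};

/* count * elem_size with an overflow check. Returns 1 and stores the product
 * in *bytes, or 0 if the multiplication would wrap. */
static int checked_bytes(size_t count, size_t elem_size, size_t *bytes)
{
    if (elem_size == 0 || count > SIZE_MAX / elem_size)
        return 0;
    *bytes = count * elem_size;
    return 1;
}

/* Grow the table by `extra` entries. Every arithmetic step is checked before
 * it feeds an allocation size. Returns 0 on success, -1 on overflow or OOM. */
int grow_atts(struct att_table *t, size_t extra)
{
    size_t new_count, bytes;
    struct default_att *p;

    if (extra > SIZE_MAX - t->count)       /* the addition itself would wrap */
        return -1;
    new_count = (size_t)t->count + extra;
    if (new_count > UINT_MAX)              /* would not fit the unsigned int counter */
        return -1;
    if (!checked_bytes(new_count, sizeof *p, &bytes))
        return -1;
    p = realloc(t->atts, bytes);
    if (p == NULL)
        return -1;
    t->atts = p;
    t->count = (unsigned int)new_count;
    return 0;
}

void free_atts(struct att_table *t)
{
    free(t->atts);
    t->atts = NULL;
    t->count = 0;
}

/* XML_ParseBuffer-style length validation. The API takes a signed int, so a
 * negative value must be rejected up front: adding it to a pointer or casting
 * it to size_t would otherwise turn -1 into a huge "available" length.
 * Returns 1 if `len` bytes may be consumed from a buffer holding `available`
 * pending bytes. */
int parse_len_ok(int len, size_t available)
{
    if (len < 0)
        return 0;
    return (size_t)len <= available;
}

/* Runs the normal growth path on a constructed table and returns the final
 * entry count (8), or -1 if any step failed. */
int demo_growth(void)
{
    struct att_table t = { NULL, 0 };
    int count;

    if (grow_atts(&t, 4) != 0 || grow_atts(&t, 4) != 0) {
        free_atts(&t);
        return -1;
    }
    count = (int)t.count;
    free_atts(&t);
    return count;
}
```

The `new_count > UINT_MAX` test is redundant on a 32-bit build (a compiler may even warn that it is always false there) but is what keeps a 64-bit build from silently truncating the count when it is stored back into the unsigned int field; the SIZE_MAX / elem_size test is the one that matters on 32-bit.
]]></Note>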
    </Notes>
    <CVE>CVE-2024-45492</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64:libexpat1-2.4.4-150400.3.22.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.</Note>
    </Notes>
    <CVE>CVE-2024-6345</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64:python3-setuptools-44.1.1-150400.9.9.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">libcurl's ASN.1 parser code has the `GTime2str()` function, used for parsing an ASN.1 Generalized Time field. If given a syntactically incorrect field, the parser might end up using -1 for the length of the *time fraction*, leading to a `strlen()` getting performed on a pointer to a heap buffer area that is not (purposely) null terminated.

This flaw most likely leads to a crash, but can also lead to heap contents getting returned to the application when [CURLINFO_CERTINFO](https://curl.se/libcurl/c/CURLINFO_CERTINFO.html) is used.</Note>
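      <Note Title="Worked Example" Type="General" Ordinal="2" xml:lang="en"><![CDATA[
The root cause above is a parser that derives the fraction length arithmetically from a malformed field and then lets strlen() run off the end of a DER value that was never NUL-terminated. The C below is an added example written for this advisory, not curl's GTime2str(): gtime_to_str() and demo_unterminated() are hypothetical names, the output layout is this example's own, and the inputs are constructed. The point it demonstrates is that every read is bounded by the explicit DER length, so the "YYYYMMDDHHMMSS.Z" shape is rejected instead of producing a negative fraction length.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define GTIME_MAX_FRAC 9   /* cap fraction digits; also keeps the (int) cast below safe */

/* Parse an ASN.1 GeneralizedTime of the form YYYYMMDDHHMMSS[.f+]Z into
 * "YYYY-MM-DD HH:MM:SS[.f+] GMT". `in` is a raw DER value: NOT NUL-terminated,
 * so every read is bounded by inlen and the fraction length is derived from
 * the explicit length, never from strlen(). Returns 0 on success, -1 on
 * malformed input or if `out` is too small. */
int gtime_to_str(const unsigned char *in, size_t inlen, char *out, size_t outlen)
{
    const char *s = (const char *)in;
    size_t i, fraclen = 0;
    const char *frac = NULL;
    int n, m;

    if (inlen < 15 || s[inlen - 1] != 'Z')    /* minimum: 14 digits + 'Z' */
        return -1;
    for (i = 0; i < 14; i++)
        if (!isdigit((unsigned char)s[i]))
            return -1;

    if (inlen > 15) {
        /* Optional fraction: '.' followed by at least one digit before 'Z'.
         * "YYYYMMDDHHMMSS.Z" is the shape where a sloppy length computation
         * yields -1 for the fraction; here it is simply rejected. */
        if (s[14] != '.')
            return -1;
        frac = s + 15;
        fraclen = inlen - 16;                  /* bytes between '.' and 'Z' */
        if (fraclen == 0 || fraclen > GTIME_MAX_FRAC)
            return -1;
        for (i = 0; i < fraclen; i++)
            if (!isdigit((unsigned char)frac[i]))
                return -1;
    }

    /* %.Ns precisions bound every read, so no NUL terminator is required. */
    n = snprintf(out, outlen, "%.4s-%.2s-%.2s %.2s:%.2s:%.2s",
                 s, s + 4, s + 6, s + 8, s + 10, s + 12);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    if (fraclen) {
        m = snprintf(out + n, outlen - (size_t)n, ".%.*s", (int)fraclen, frac);
        if (m < 0 || (size_t)m >= outlen - (size_t)n)
            return -1;
        n += m;
    }
    m = snprintf(out + n, outlen - (size_t)n, " GMT");
    if (m < 0 || (size_t)m >= outlen - (size_t)n)
        return -1;
    return 0;
}

/* Constructed sample: the malformed value sits in a buffer that contains no
 * NUL byte at all, mimicking a heap region that is not "purposely" terminated.
 * Returns the parser's result, which must be -1, not a crash or a leak. */
int demo_unterminated(void)
{
    unsigned char raw[32];
    char out[32];
    static const char bad[] = "20240912010000.Z";   /* fraction with zero digits */

    memset(raw, 'X', sizeof raw);                  /* no terminator anywhere */
    memcpy(raw, bad, sizeof bad - 1);              /* copy without the NUL */
    return gtime_to_str(raw, sizeof bad - 1, out, sizeof out);
}
```

Two design choices carry the fix: the fraction length is computed as an unsigned difference that is checked for the empty case before any use, and all output formatting uses explicit precisions so neither strlen() nor `%s` ever touches bytes past inlen.
]]></Note>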
    </Notes>
    <CVE>CVE-2024-7264</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64:curl-8.0.1-150400.5.50.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64:libcurl4-8.0.1-150400.5.50.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Remote packet capture support is disabled by default in libpcap. When a user builds libpcap with remote packet capture support enabled, one of the functions that become available is pcap_findalldevs_ex(). One of the function arguments can be a filesystem path, which normally means a directory with input data files. When the specified path cannot be used as a directory, the function receives NULL from opendir(), but does not check the return value and passes the NULL value to readdir(), which causes a NULL pointer dereference.</Note>
    </Notes>
    <CVE>CVE-2024-8006</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64:libpcap1-1.10.1-150400.3.3.2</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. If the returned status reports another error than 'revoked' (like for example 'unauthorized') it is not treated as a bad certificate.</Note>
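      <Note Title="Worked Example" Type="General" Ordinal="2" xml:lang="en"><![CDATA[
The OCSP stapling flaw above is a denylist check ("fail only on 'revoked'") where an allowlist ("pass only on a successful response that says 'good'") was required. The C below is an added example written for this advisory, not curl's or GnuTLS's code: struct stapled_ocsp, staple_accept_denylist() and staple_accept_allowlist() are hypothetical names, the numeric enum values are the OCSPResponseStatus and CertStatus codes from RFC 6960, the validity-window test is standard OCSP response checking that this example adds and that the CVE text does not discuss, and the sample responses and timestamps are constructed.

```c
#include <stdint.h>

/* Values from RFC 6960: OCSPResponseStatus (4 is unused) and CertStatus. */
enum ocsp_response_status {
    OCSP_SUCCESSFUL = 0, OCSP_MALFORMED_REQUEST = 1, OCSP_INTERNAL_ERROR = 2,
    OCSP_TRY_LATER = 3, OCSP_SIG_REQUIRED = 5, OCSP_UNAUTHORIZED = 6
};
enum ocsp_cert_status { CERT_GOOD = 0, CERT_REVOKED = 1, CERT_UNKNOWN = 2 };

/* Minimal view of a stapled response after the TLS library has parsed it.
 * cert_status is only meaningful when response_status == OCSP_SUCCESSFUL; for
 * any other response status there is no certificate status at all, and a
 * zero-initialised struct leaves the field reading as CERT_GOOD. */
struct stapled_ocsp {
    int response_status;
    int cert_status;
    int64_t this_update;   /* epoch seconds */
    int64_t next_update;   /* epoch seconds, 0 if the responder omitted it */
};

/* Denylist shape of the flawed check: only an explicit 'revoked' fails. A
 * response whose status is 'unauthorized' (or any non-successful status)
 * never carries a real certificate status and therefore passes. */
int staple_accept_denylist(const struct stapled_ocsp *r)
{
    return r->cert_status != CERT_REVOKED;
}

/* Allowlist shape: the response must be successful, the certificate must be
 * explicitly 'good', and the response must be current. Anything else,
 * including 'unknown', 'unauthorized' and 'tryLater', fails closed. */
int staple_accept_allowlist(const struct stapled_ocsp *r, int64_t now)
{
    if (r->response_status != OCSP_SUCCESSFUL)
        return 0;
    if (r->cert_status != CERT_GOOD)
        return 0;
    if (now < r->this_update)
        return 0;
    if (r->next_update != 0 && now > r->next_update)
        return 0;
    return 1;
}

/* Constructed samples (timestamps are arbitrary epoch seconds one week apart). */
const struct stapled_ocsp sample_unauthorized = { OCSP_UNAUTHORIZED, CERT_GOOD,    1726102800, 1726707600 };
const struct stapled_ocsp sample_try_later    = { OCSP_TRY_LATER,    CERT_GOOD,    1726102800, 1726707600 };
const struct stapled_ocsp sample_good         = { OCSP_SUCCESSFUL,   CERT_GOOD,    1726102800, 1726707600 };
const struct stapled_ocsp sample_unknown      = { OCSP_SUCCESSFUL,   CERT_UNKNOWN, 1726102800, 1726707600 };
const struct stapled_ocsp sample_revoked      = { OCSP_SUCCESSFUL,   CERT_REVOKED, 1726102800, 1726707600 };
```

The denylist version accepts sample_unauthorized and sample_try_later because neither is 'revoked', which is exactly the failure the CVE describes; the allowlist version rejects both, rejects 'unknown', and additionally rejects a stale response whose nextUpdate has passed.
]]></Note>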
    </Notes>
    <CVE>CVE-2024-8096</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64:curl-8.0.1-150400.5.50.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp5-chost-byos-v20240912-arm64:libcurl4-8.0.1-150400.5.50.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
</cvrfdoc>
