SUSE-IU-2024:1259-1 SUSE Image security@suse.de SUSE Security Team SUSE Image SUSE-IU-2024:1259-1 Interim 1 1 2025-07-10T16:39:48Z current 2024-09-13T01:00:00Z 2024-09-13T01:00:00Z cve-database/bin/generate-cvrf-publiccloud.pl 2021-02-18T01:00:00Z Image update for SUSE-IU-2024:1259-1 / google/sles-15-sp5-v20240913-x86-64 This image update for google/sles-15-sp5-v20240913-x86-64 contains the following changes: Package binutils was updated: - Update to current 2.43.1 branch [PED-10474]: * PR32109 - fuzzing problem * PR32083 - LTO vs overridden common symbols * PR32067 - crash with LTO-plugin and --oformat=binary * PR31956 - LTO vs wrapper symbols * riscv - add Zimop and Zcmop extensions - Adjusted binutils-2.43-branch.diff.gz. - Update to version 2.43: * new .base64 pseudo-op, allowing base64 encoded data as strings * Intel APX: add support for CFCMOV, CCMP, CTEST, zero-upper, NF (APX_F now fully supported) * x86 Intel syntax now warns about more mnemonic suffixes * macros and .irp/.irpc/.rept bodies can use \+ to get at number of times the macro/body was executed * aarch64: support 'armv9.5-a' for -march, add support for LUT and LUT2 * s390: base register operand in D(X,B) and D(L,B) can now be omitted (ala 'D(X,)'); warn when register type doesn't match operand type (use option 'warn-regtype-mismatch=[strict|relaxed|no]' to adjust) * riscv: support various extensions: Zacas, Zcmp, Zfbfmin, Zvfbfmin, Zvfbfwma, Smcsrind/Sscsrind, XCvMem, XCvBi, XCvElw, XSfCease, all at version 1.0; remove support for assembly of privileged spec 1.9.1 (linking support remains) * arm: remove support for some old co-processors: Maverick and FPA * mips: '--trap' now causes either trap or breakpoint instructions to be emitted as per current ISA, instead of always using trap insn and failing when current ISA was incompatible with that * LoongArch: accept .option pseudo-op for fine-grained control of assembly code options; add support for DT_RELR * readelf: now displays RELR relocations in full detail; add -j/--display-section to show just those section(s) content according to their type * objdump/readelf now dump also .eh_frame_hdr (when present) when dumping .eh_frame * gprofng: add event types for AMD Zen3/Zen4 and Intel Ice Lake processors; add minimal support for riscv * linker: - put .got and .got.plt into relro segment - add -z isa-level-report=[none|all|needed|used] to the x86 ELF linker to report needed and used x86-64 ISA levels - add --rosegment option which changes the -z separate-code option so that only one read-only segment is created (instead of two) - add --section-ordering-file <FILE> option to add extra mapping of input sections to output sections - add -plugin-save-temps to store plugin intermediate files permanently - Removed binutils-2.42.tar.bz2, binutils-2.42-branch.diff.gz. - Added binutils-2.43.tar.bz2, binutils-2.43-branch.diff.gz. - Removed upstream patch riscv-no-relax.patch. - Rebased ld-relro.diff and binutils-revert-rela.diff. - binutils-pr22868.diff: Remove obsolete patch - Undefine _FORTIFY_SOURCE when running checks - Allow to disable profiling - Use %patch -P N instead of deprecated %patchN. - riscv-no-relax.patch: RISC-V: Don't generate branch/jump relocation if symbol is local when no-relax - Add binutils-disable-code-arch-error.diff to demote an error about swapped .arch/.code directives to a warning. It happens in the wild. - Update to version 2.42: * Add support for many aarch64 extensions: SVE2.1, SME2.1, B16B16, RASv2, LSE128, GCS, CHK, SPECRES2, LRCPC3, THE, ITE, D128, XS and flags to enable them: '+fcma', '+jscvt', '+frintts', '+flagm2', '+rcpc2' and '+wfxt' * Add experimantal support for GAS to synthesize call-frame-info for some hand-written asm (--scfi=experimental) on x86-64. * Add support for more x86-64 extensions: APX: 32 GPRs, NDD, PUSH2/POP2, PUSHP/POPP; USER_MSR, AVX10.1, PBNDKB, SM4, SM3, SHA512, AVX-VNNI-INT16. * Add support for more RISC-V extensions: T-Head v2.3.0, CORE-V v1.0, SiFive VCIX v1.0. * BPF assembler: ';' separates statements now, and does not introduce line comments anymore (use '#' or '//' for this). * x86-64 ld: Add '-z mark-plt/-z nomark-plt' to mark PLT entries with dynamic tags. * risc-v ld: Add '--[no-]check-uleb128'. * New linker script directive: REVERSE, to be combined with SORT_BY_NAME or SORT_BY_INIT_PRIORITY, reverses the generated order. * New linker options --warn-execstack-objects (warn only about execstack when input object files request it), and --error-execstack plus - -error-rxw-segments to convert the existing warnings into errors. * objdump: Add -Z/--decompress to be used with -s/--full-contents to decompress section contents before displaying. * readelf: Add --extra-sym-info to be used with --symbols (currently prints section name of references section index). * objcopy: Add --set-section-flags for x86_64 to include SHF_X86_64_LARGE. * s390 disassembly: add target-specific disasm option 'insndesc', as in "objdump -M insndesc" to display an instruction description as comment along with the disassembly. - Add binutils-2.42-branch.diff.gz. - Rebased s390-biarch.diff. - Adjusted binutils-revert-hlasm-insns.diff, binutils-revert-plt32-in-branches.diff and binutils-revert-rela.diff for upstream changes. - Removed binutils-2.41-branch.diff.gz, binutils-2.41.tar.bz2, binutils-2.41-branch.diff.gz. - Removed binutils-use-less-memory.diff, binutils-old-makeinfo.diff and riscv-relro.patch (all upstreamed). - Removed add-ulp-section.diff, we use a different mechanism for live patching since a long time. - Add binutils-use-less-memory.diff to be a little nicer to 32bit userspace and huge links. [bsc#1216908] - riscv-relro.patch: RISC-V: Protect .got with relro - Add libzstd-devel to Requires of binutils-devel. (bsc#1215341) Package cloud-regionsrv-client was updated: - Update to 10.3.4 + Modify the message when network access over a specific IP version does not work. This is an informational message and should not look like an error + Inform the user that LTSS registration takes a little longer + Add fix-for-sles12-no-trans_update.patch + SLE 12 family has no products with transactional-update we do not need to look for this condition - From 10.3.3 (bsc#1229472) + Handle changes in process structure to properly identify the running zypper parent process and only check for 1 PID - From 10.3.2 + Remove rgnsrv-clnt-fix-docker-setup.patch included upstream - From 10.3.1 (jsc#PCT-400) + Add support for LTSS registration + Add fix-for-sles12-disable-registry.patch ~ No container support in SLE 12 Package containerd was updated: - Update to containerd v1.7.21. Upstream release notes: <https://github.com/containerd/containerd/releases/tag/v1.7.21> Fixes CVE-2023-47108. bsc#1217070 Fixes CVE-2023-45142. bsc#1228553 - Rebase patches: * 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch Package curl was updated: - Security fix: [bsc#1230093, CVE-2024-8096] * curl: OCSP stapling bypass with GnuTLS * Add curl-CVE-2024-8096.patch - Security fix: [bsc#1228535, CVE-2024-7264] * curl: ASN.1 date parser overread * Add curl-CVE-2024-7264.patch Package deltarpm was updated: - update to deltarpm-3.6.4 * support for threaded zstd * use a tmp file instead of memory to hold the incore data [bsc#1228948] - dropped patches: * deltarpm-b7987f6aa4211df3df03dcfc55a00b2ce7472e0a.patch - deltarpm-b7987f6aa4211df3df03dcfc55a00b2ce7472e0a.patch: fixed some C bugs ( incorrect sized memset() , memcpy instead of strcpy, unsigned int) - update to deltarpm-3.6.3 * support for threaded zstd compression - Actually enable zstd compression - update to deltarpm-3.6.2 * support for zstd compression Package dracut was updated: - Update to version 055+suse.392.g7930ab23: * feat(systemd*): include systemd config files from /usr/lib/systemd (bsc#1228398) * fix(convertfs): error in conditional expressions (bsc#1228847) Package glib2 was updated: - Add glib2-gdbusmessage-cache-arg0.patch: cache the arg0 value in a dbus message. Fixes a possible use after free (boo#1224044). Package glibc was updated: - s390x-wcsncmp.patch: s390x: Fix segfault in wcsncmp (bsc#1228043, BZ [#31934]) Package expat was updated: - Security fix (bsc#1229932, CVE-2024-45492): detect integer overflow in function nextScaffoldPart * Added expat-CVE-2024-45492.patch - Security fix (bsc#1229931, CVE-2024-45491): detect integer overflow in dtdCopy * Added expat-CVE-2024-45491.patch - Security fix (bsc#1229930, CVE-2024-45490): reject negative len for XML_ParseBuffer * Added expat-CVE-2024-45490.patch Package libpcap was updated: - Security fix: [bsc#1230034, CVE-2024-8006] * libpcap: NULL pointer derefence in pcap_findalldevs_ex() * Add libpcap-CVE-2024-8006.patch - Security fix: [bsc#1230020, CVE-2023-7256] * libpcap: double free via addrinfo in sock_initaddress() * Add libpcap-CVE-2023-7256.patch Package libsolv was updated: - removed dependency on external find program in the repo2solv tool- bindings: fix return value of repodata.add_solv() - new SOLVER_FLAG_FOCUS_NEW flag - bump version to 0.7.30 Package systemd was updated: - Import commit a57a6d239c5d6b91fb3dcd269705e60804a03ae1 cd0c9ac4f4 unit: drop ProtectClock=yes from systemd-udevd.service (bsc#1226414) e1eaa86a49 udev: do not set ID_PATH and by-path symlink for nvmf disks a85d211874 man: Document ranges for distributions config files and local config files - Don't mention any rpm macros inside comments, even if escaped (bsc#1228091) Otherwise pesign-obs-integration ends up re-packaging systemd with all macros inside comments unescaped leading to unpredictable behavior. Now why rpm expands rpm macros inside comments is the question... - Update 1011-sysv-generator-add-back-support-for-SysV-scripts-for.patch Really skip redundant dependencies specified the LSB description that references the file name of the service itself for early boot scripts (noticed in bsc#1221479). Package libzypp was updated: - Make sure not to statically linked installed tools (bsc#1228787)- version 17.35.8 (35) - MediaPluginType must be resolved to a valid MediaHandler (bsc#1228208) - version 17.35.7 (35) - Export CredentialManager for legacy YAST versions (bsc#1228420) - version 17.35.6 (35) - Export asSolvable for YAST (bsc#1228420) - Fix 4 typos in zypp.conf. - version 17.35.5 (35) - Fix typo in the geoip update pipeline (bsc#1228206) - Export RepoVariablesStringReplacer for yast2 (bsc#1228138) - version 17.35.4 (35) - Translation: updated .pot file. - Conflict with python zypp-plugin < 0.6.4 (bsc#1227793) Older zypp-plugins reject stomp headers including a '-'. Like the 'content-length' header we may send. - Fix int overflow in Provider (fixes #559) This patch fixes an issue in safe_strtonum which caused timestamps to overflow in the Provider message parser. - Fix error reporting on repoindex.xml parse error (bsc#1227625) - version 17.35.3 (35) - Keep UrlResolverPlugin API public (fixes #560) - Blacklist /snap executables for 'zypper ps' (bsc#1226014) - Fix handling of buddies when applying locks (bsc#1225267) Buddy pairs (like -release package and product) internally share the same status object. When applying locks from query results the locked bit must be set if either item is locked. - version 17.35.2 (35) - Install zypp/APIConfig.h legacy include (fixes #557) - version 17.35.1 (35) - Update soname due to RepoManager refactoring and cleanup. - version 17.35.0 (35) - Workaround broken libsolv-tools-base requirements (fixes openSUSE/zypper#551) - Strip ssl_clientkey from repo urls (bsc#1226030) - Remove protobuf build dependency. - Lazily attach medium during refresh workflows (bsc#1223094) - Refactor RepoManager and add Service workflows. - version 17.34.2 (34) Package mozilla-nss was updated: - Updated nss-fips-approved-crypto-non-ec.patch to enforce approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113). Package python3-setuptools was updated: - Add patch CVE-2024-6345-code-execution-via-download-funcs.patch: * Sanitize any VCS URL we download. (CVE-2024-6345, bsc#1228105) Package regionServiceClientConfigGCE was updated: - Version 4.2.0 (jsc#PCT-361) + Add IPv6 certs to supprt access of the update infrastructure via IPv6 on GCE instances. - Update to version 4.1.0 (bsc#1217538) + Replace 162.222.182.90 and 35.187.193.56 (length 4096): rgnsrv-gce-asia-northeast1 -> 162.222.182.90 expires in 9 years rgnsrv-gce-us-central1 -> 35.187.193.56 expires in 10 years Package runc was updated: [ This was only ever released for SLES and Leap. ]- Update to runc v1.1.14. Upstream changelog is available from <https://github.com/opencontainers/runc/releases/tag/v1.1.14>. Includes the patch for CVE-2024-45310. bsc#1230092 - Rebase patches: * 0001-bsc1221050-libct-seccomp-patchbpf-rm-duplicated-code.patch * 0002-bsc1221050-seccomp-patchbpf-rename-nativeArch-linuxA.patch * 0003-bsc1221050-seccomp-patchbpf-always-include-native-ar.patch * 0004-bsc1214960-nsenter-cloned_binary-remove-bindfd-logic.patch Package 000release-packages:sle-module-basesystem-release was updated: Package 000release-packages:sle-module-containers-release was updated: Package 000release-packages:sle-module-desktop-applications-release was updated: Package 000release-packages:sle-module-development-tools-release was updated: Package 000release-packages:sle-module-public-cloud-release was updated: Package 000release-packages:sle-module-python3-release was updated: Package 000release-packages:sle-module-server-applications-release was updated: Package 000release-packages:sle-module-web-scripting-release was updated: Package supportutils was updated: - Changes to version 3.2.8 + Avoid getting duplicate kernel verifications in boot.text (pr#190) + lvm: suppress file descriptor leak warnings from lvm commands (pr#191) + docker_info: Add timestamps to container logs (pr#196) + Key value pairs and container log timestamps (bsc#1222021 PED-8211, pr#198) + Update supportconfig get pam.d sorted (pr#199) + yast_files: Exclude .zcat (pr#201) + Sanitize grub bootloader (bsc#1227127, pr#203) + Sanitize regcodes (pr#204) + Improve product detection (pr#205) + Add read_values for s390x (bsc#1228265, pr#206) + hardware_info: Remove old alsa ver check (pr#209) + drbd_info: Fix incorrect escape of quotes (pr#210) Package suse-build-key was updated: - extended 2048 bit SUSE SLE 12, 15 GA-SP5 key until 2028. (bsc#1229339) - gpg-pubkey-39db7c82-5f68629b.asc + gpg-pubkey-39db7c82-66c5d91a.asc Package unzip was updated: - Use %patch -P N instead of deprecated %patchN. - Build unzip-rcc using multibuild and update unzip-rcc.spec file Package xen was updated: - Update to Xen 4.17.5 security bug fix release (bsc#1027519) xen-4.17.5-testing-src.tar.bz2 * No upstream changelog found in sources or webpage - bsc#1228574 - VUL-0: CVE-2024-31145: xen: error handling in x86 IOMMU identity mapping (XSA-460) - bsc#1228575 - VUL-0: CVE-2024-31146: xen: PCI device pass-through with shared resources (XSA-461) - Dropped patches contained in new tarball 6617d62c-x86-hvm-Misra-Rule-19-1-regression.patch 6627a4ee-vRTC-UIP-set-for-longer-than-expected.patch 6627a5fc-x86-MTRR-inverted-WC-check.patch 662a6a4c-x86-spec-reporting-of-BHB-clearing.patch 662a6a8d-x86-spec-adjust-logic-to-elide-LFENCE.patch 663090fd-x86-gen-cpuid-syntax.patch 663a383c-libxs-open-xenbus-fds-as-O_CLOEXEC.patch 663a4f3e-x86-cpu-policy-migration-IceLake-to-CascadeLake.patch 663d05b5-x86-ucode-distinguish-up-to-date.patch 663eaa27-libxl-XenStore-error-handling-in-device-creation.patch 66450626-sched-set-all-sched_resource-data-inside-locked.patch 66450627-x86-respect-mapcache_domain_init-failing.patch 6646031f-x86-ucode-further-identify-already-up-to-date.patch 6666ba52-x86-irq-remove-offline-CPUs-from-old-CPU-mask-when.patch 666994ab-x86-SMP-no-shorthand-IPI-in-hotplug.patch 666994f0-x86-IRQ-limit-interrupt-movement-in-fixup_irqs.patch 666b07ee-x86-EPT-special-page-in-epte_get_entry_emt.patch 666b0819-x86-EPT-avoid-marking-np-ents-for-reconfig.patch 666b085a-x86-EPT-drop-questionable-mfn_valid-from-.patch 667187cc-x86-Intel-unlock-CPUID-earlier.patch 66718849-x86-IRQ-old_cpu_mask-in-fixup_irqs.patch 6671885e-x86-IRQ-handle-moving-in-_assign_irq_vector.patch 6672c846-x86-xstate-initialisation-of-XSS-cache.patch 6672c847-x86-CPUID-XSAVE-dynamic-leaves.patch 6673ffdc-x86-IRQ-forward-pending-to-new-dest-in-fixup_irqs.patch xsa458.patch Package yast2-installation was updated: - Don't block in AutoYaST upgrade (bsc#1181625)- 4.5.20 Package zypper was updated: - Show rpm install size before installing (bsc#1224771) If filesystem snapshots are taken before the installation (e.g. by snapper) no disk space is freed by removing old packages. In this case the install size of all packages is a hint how much additional disk space is needed by the new packages static content. - version 1.14.76 - Fix readline setup to handle Ctrl-C and Ctrl-D corrrectly (bsc#1227205) - version 1.14.75 - Let_readline_abort_on_Ctrl-C (bsc#1226493) - packages: add '--system' to show @System packages (bsc#222971) - version 1.14.74 The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://publiccloudimagechangeinfo.suse.com/google/sles-15-sp5-v20240913-x86-64/ Public Cloud Image Info https://www.suse.com/support/security/rating/ SUSE Security Ratings Public Cloud Image google/sles-15-sp5-v20240913-x86-64 binutils-2.43-150100.7.49.1 cloud-regionsrv-client-10.3.4-150300.13.9.1 cloud-regionsrv-client-plugin-gce-1.0.0-150300.13.9.1 containerd-1.7.21-150000.117.1 curl-8.0.1-150400.5.50.1 deltarpm-3.6.4-150000.5.3.2 docker-25.0.6_ce-150000.207.1 dracut-055+suse.392.g7930ab23-150500.3.24.2 glib2-tools-2.70.5-150400.3.14.1 glibc-2.31-150300.86.3 glibc-i18ndata-2.31-150300.86.3 glibc-locale-2.31-150300.86.3 glibc-locale-base-2.31-150300.86.3 libctf-nobfd0-2.43-150100.7.49.1 libctf0-2.43-150100.7.49.1 libcurl4-8.0.1-150400.5.50.1 libexpat1-2.4.4-150400.3.22.1 libgio-2_0-0-2.70.5-150400.3.14.1 libglib-2_0-0-2.70.5-150400.3.14.1 libgmodule-2_0-0-2.70.5-150400.3.14.1 libgobject-2_0-0-2.70.5-150400.3.14.1 libpcap1-1.10.1-150400.3.3.2 libsolv-tools-0.7.30-150400.3.27.2 libsolv-tools-base-0.7.30-150400.3.27.2 libsystemd0-249.17-150400.8.43.1 libudev1-249.17-150400.8.43.1 libyui-ncurses-pkg16-4.5.3-150500.3.10.1 libyui-ncurses16-4.5.3-150500.3.10.1 libyui16-4.5.3-150500.3.10.1 libzypp-17.35.8-150500.6.13.1 mozilla-nss-certs-3.101.2-150400.3.51.1 nscd-2.31-150300.86.3 python3-setuptools-44.1.1-150400.9.9.1 python3-solv-0.7.30-150400.3.27.2 python3-zypp-plugin-0.6.4-150400.13.4.1 regionServiceClientConfigGCE-4.2.0-150000.4.15.1 ruby-solv-0.7.30-150400.3.27.2 runc-1.1.14-150000.70.1 sles-release-15.5-150500.61.4.1 supportutils-3.2.8-150300.7.35.33.1 suse-build-key-12.0-150000.8.52.3 systemd-249.17-150400.8.43.1 systemd-sysvinit-249.17-150400.8.43.1 udev-249.17-150400.8.43.1 unzip-6.00-150000.4.14.1 xen-libs-4.17.5_02-150500.3.36.1 yast2-installation-4.5.20-150500.3.12.3 yast2-pkg-bindings-4.5.3-150500.3.10.1 zypper-1.14.76-150500.6.6.15 binutils-2.43-150100.7.49.1 as a component of Public Cloud Image google/sles-15-sp5-v20240913-x86-64 cloud-regionsrv-client-10.3.4-150300.13.9.1 as a component of Public Cloud Image google/sles-15-sp5-v20240913-x86-64 cloud-regionsrv-client-plugin-gce-1.0.0-150300.13.9.1 as a component of Public Cloud Image google/sles-15-sp5-v20240913-x86-64 containerd-1.7.21-150000.117.1 as a component of Public Cloud Image google/sles-15-sp5-v20240913-x86-64 curl-8.0.1-150400.5.50.1 as a component of Public Cloud Image google/sles-15-sp5-v20240913-x86-64 deltarpm-3.6.4-150000.5.3.2 as a component of Public Cloud Image google/sles-15-sp5-v20240913-x86-64 docker-25.0.6_ce-150000.207.1 as a component of Public Cloud Image google/sles-15-sp5-v20240913-x86-64 dracut-055+suse.392.g7930ab23-150500.3.24.2 as a component of Public Cloud Image google/sles-15-sp5-v20240913-x86-64 glib2-tools-2.70.5-150400.3.14.1 as a component of Public Cloud Image google/sles-15-sp5-v20240913-x86-64 glibc-2.31-150300.86.3 as a component of Public Cloud Image google/sles-15-sp5-v20240913-x86-64 glibc-i18ndata-2.31-150300.86.3 as a component of Public Cloud Image google/sles-15-sp5-v20240913-x86-64 glibc-locale-2.31-150300.86.3 as a component of Public Cloud Image google/sles-15-sp5-v20240913-x86-64 glibc-locale-base-2.31-150300.86.3 as a component of Public Cloud Image google/sles-15-sp5-v20240913-x86-64 libctf-nobfd0-2.43-150100.7.49.1 as a component of Public Cloud Image google/sles-15-sp5-v20240913-x86-64 libctf0-2.43-150100.7.49.1 as a component of Public Cloud Image google/sles-15-sp5-v20240913-x86-64 libcurl4-8.0.1-150400.5.50.1 as a component of Public Cloud Image google/sles-15-sp5-v20240913-x86-64 libexpat1-2.4.4-150400.3.22.1 as a component of Public Cloud Image google/sles-15-sp5-v20240913-x86-64 libgio-2_0-0-2.70.5-150400.3.14.1 as a component of Public Cloud Image google/sles-15-sp5-v20240913-x86-64 libglib-2_0-0-2.70.5-150400.3.14.1 as a component of Public Cloud Image google/sles-15-sp5-v20240913-x86-64 libgmodule-2_0-0-2.70.5-150400.3.14.1 as a component of Public Cloud Image google/sles-15-sp5-v20240913-x86-64 libgobject-2_0-0-2.70.5-150400.3.14.1 as a component of Public Cloud Image google/sles-15-sp5-v20240913-x86-64 libpcap1-1.10.1-150400.3.3.2 as a component of Public Cloud Image google/sles-15-sp5-v20240913-x86-64 libsolv-tools-0.7.30-150400.3.27.2 as a component of Public Cloud Image google/sles-15-sp5-v20240913-x86-64 libsolv-tools-base-0.7.30-150400.3.27.2 as a component of Public Cloud Image google/sles-15-sp5-v20240913-x86-64 libsystemd0-249.17-150400.8.43.1 as a component of Public Cloud Image google/sles-15-sp5-v20240913-x86-64 libudev1-249.17-150400.8.43.1 as a component of Public Cloud Image google/sles-15-sp5-v20240913-x86-64 libyui-ncurses-pkg16-4.5.3-150500.3.10.1 as a component of Public Cloud Image google/sles-15-sp5-v20240913-x86-64 libyui-ncurses16-4.5.3-150500.3.10.1 as a component of Public Cloud Image google/sles-15-sp5-v20240913-x86-64 libyui16-4.5.3-150500.3.10.1 as a component of Public Cloud Image google/sles-15-sp5-v20240913-x86-64 libzypp-17.35.8-150500.6.13.1 as a component of Public Cloud Image google/sles-15-sp5-v20240913-x86-64 mozilla-nss-certs-3.101.2-150400.3.51.1 as a component of Public Cloud Image google/sles-15-sp5-v20240913-x86-64 nscd-2.31-150300.86.3 as a component of Public Cloud Image google/sles-15-sp5-v20240913-x86-64 python3-setuptools-44.1.1-150400.9.9.1 as a component of Public Cloud Image google/sles-15-sp5-v20240913-x86-64 python3-solv-0.7.30-150400.3.27.2 as a component of Public Cloud Image google/sles-15-sp5-v20240913-x86-64 python3-zypp-plugin-0.6.4-150400.13.4.1 as a component of Public Cloud Image google/sles-15-sp5-v20240913-x86-64 regionServiceClientConfigGCE-4.2.0-150000.4.15.1 as a component of Public Cloud Image google/sles-15-sp5-v20240913-x86-64 ruby-solv-0.7.30-150400.3.27.2 as a component of Public Cloud Image google/sles-15-sp5-v20240913-x86-64 runc-1.1.14-150000.70.1 as a component of Public Cloud Image google/sles-15-sp5-v20240913-x86-64 sles-release-15.5-150500.61.4.1 as a component of Public Cloud Image google/sles-15-sp5-v20240913-x86-64 supportutils-3.2.8-150300.7.35.33.1 as a component of Public Cloud Image google/sles-15-sp5-v20240913-x86-64 suse-build-key-12.0-150000.8.52.3 as a component of Public Cloud Image google/sles-15-sp5-v20240913-x86-64 systemd-249.17-150400.8.43.1 as a component of Public Cloud Image google/sles-15-sp5-v20240913-x86-64 systemd-sysvinit-249.17-150400.8.43.1 as a component of Public Cloud Image google/sles-15-sp5-v20240913-x86-64 udev-249.17-150400.8.43.1 as a component of Public Cloud Image google/sles-15-sp5-v20240913-x86-64 unzip-6.00-150000.4.14.1 as a component of Public Cloud Image google/sles-15-sp5-v20240913-x86-64 xen-libs-4.17.5_02-150500.3.36.1 as a component of Public Cloud Image google/sles-15-sp5-v20240913-x86-64 yast2-installation-4.5.20-150500.3.12.3 as a component of Public Cloud Image google/sles-15-sp5-v20240913-x86-64 yast2-pkg-bindings-4.5.3-150500.3.10.1 as a component of Public Cloud Image google/sles-15-sp5-v20240913-x86-64 zypper-1.14.76-150500.6.6.15 as a component of Public Cloud Image google/sles-15-sp5-v20240913-x86-64 OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels `http.user_agent` and `http.method` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent to it. HTTP header User-Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library internally uses `httpconv.ServerRequest` that records every value for HTTP `method` and `User-Agent`. In order to be affected, a program has to use the `otelhttp.NewHandler` wrapper and not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. Version 0.44.0 fixed this issue when the values collected for attribute `http.request.method` were changed to be restricted to a set of well-known values and other high cardinality attributes were removed. As a workaround to stop being affected, `otelhttp.WithFilter()` can be used, but it requires manual careful configuration to not log certain requests entirely. For convenience and safe usage of this library, it should by default mark with the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality. In case someone wants to stay with the current behavior, library API should allow to enable it. CVE-2023-45142 Public Cloud Image google/sles-15-sp5-v20240913-x86-64:containerd-1.7.21-150000.117.1 important OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent. An attacker can easily flood the peer address and port for requests. Version 0.46.0 contains a fix for this issue. As a workaround to stop being affected, a view removing the attributes can be used. The other possibility is to disable grpc metrics instrumentation by passing `otelgrpc.WithMeterProvider` option with `noop.NewMeterProvider`. CVE-2023-47108 Public Cloud Image google/sles-15-sp5-v20240913-x86-64:containerd-1.7.21-150000.117.1 important In affected libpcap versions during the setup of a remote packet capture the internal function sock_initaddress() calls getaddrinfo() and possibly freeaddrinfo(), but does not clearly indicate to the caller function whether freeaddrinfo() still remains to be called after the function returns. This makes it possible in some scenarios that both the function and its caller call freeaddrinfo() for the same allocated memory block. A similar problem was reported in Apple libpcap, to which Apple assigned CVE-2023-40400. CVE-2023-7256 Public Cloud Image google/sles-15-sp5-v20240913-x86-64:libpcap1-1.10.1-150400.3.3.2 moderate Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, "RMRR") for Intel VT-d or Unity Mapping ranges for AMD-Vi. These are typically used for platform tasks such as legacy USB emulation. Since the precise purpose of these regions is unknown, once a device associated with such a region is active, the mappings of these regions need to remain continuouly accessible by the device. In the logic establishing these mappings, error handling was flawed, resulting in such mappings to potentially remain in place when they should have been removed again. Respective guests would then gain access to memory regions which they aren't supposed to have access to. CVE-2024-31145 Public Cloud Image google/sles-15-sp5-v20240913-x86-64:xen-libs-4.17.5_02-150500.3.36.1 important When multiple devices share resources and one of them is to be passed through to a guest, security of the entire system and of respective guests individually cannot really be guaranteed without knowing internals of any of the involved guests. Therefore such a configuration cannot really be security-supported, yet making that explicit was so far missing. Resources the sharing of which is known to be problematic include, but are not limited to - - PCI Base Address Registers (BARs) of multiple devices mapping to the same page (4k on x86), - - INTx lines. CVE-2024-31146 Public Cloud Image google/sles-15-sp5-v20240913-x86-64:xen-libs-4.17.5_02-150500.3.36.1 low runc is a CLI tool for spawning and running containers according to the OCI specification. runc 1.1.13 and earlier, as well as 1.2.0-rc2 and earlier, can be tricked into creating empty files or directories in arbitrary locations in the host filesystem by sharing a volume between two containers and exploiting a race with `os.MkdirAll`. While this could be used to create empty files, existing files would not be truncated. An attacker must have the ability to start containers using some kind of custom volume configuration. Containers using user namespaces are still affected, but the scope of places an attacker can create inodes can be significantly reduced. Sufficiently strict LSM policies (SELinux/Apparmor) can also in principle block this attack -- we suspect the industry standard SELinux policy may restrict this attack's scope but the exact scope of protection hasn't been analysed. This is exploitable using runc directly as well as through Docker and Kubernetes. The issue is fixed in runc v1.1.14 and v1.2.0-rc3. Some workarounds are available. Using user namespaces restricts this attack fairly significantly such that the attacker can only create inodes in directories that the remapped root user/group has write access to. Unless the root user is remapped to an actual user on the host (such as with rootless containers that don't use `/etc/sub[ug]id`), this in practice means that an attacker would only be able to create inodes in world-writable directories. A strict enough SELinux or AppArmor policy could in principle also restrict the scope if a specific label is applied to the runc runtime, though neither the extent to which the standard existing policies block this attack nor what exact policies are needed to sufficiently restrict this attack have been thoroughly tested. CVE-2024-45310 Public Cloud Image google/sles-15-sp5-v20240913-x86-64:runc-1.1.14-150000.70.1 low An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer. CVE-2024-45490 Public Cloud Image google/sles-15-sp5-v20240913-x86-64:libexpat1-2.4.4-150400.3.22.1 moderate An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX). CVE-2024-45491 Public Cloud Image google/sles-15-sp5-v20240913-x86-64:libexpat1-2.4.4-150400.3.22.1 moderate An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX). CVE-2024-45492 Public Cloud Image google/sles-15-sp5-v20240913-x86-64:libexpat1-2.4.4-150400.3.22.1 moderate A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0. CVE-2024-6345 Public Cloud Image google/sles-15-sp5-v20240913-x86-64:python3-setuptools-44.1.1-150400.9.9.1 important libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an ASN.1 Generalized Time field. If given an syntactically incorrect field, the parser might end up using -1 for the length of the *time fraction*, leading to a `strlen()` getting performed on a pointer to a heap buffer area that is not (purposely) null terminated. This flaw most likely leads to a crash, but can also lead to heap contents getting returned to the application when [CURLINFO_CERTINFO](https://curl.se/libcurl/c/CURLINFO_CERTINFO.html) is used. CVE-2024-7264 Public Cloud Image google/sles-15-sp5-v20240913-x86-64:curl-8.0.1-150400.5.50.1 Public Cloud Image google/sles-15-sp5-v20240913-x86-64:libcurl4-8.0.1-150400.5.50.1 moderate Remote packet capture support is disabled by default in libpcap. When a user builds libpcap with remote packet capture support enabled, one of the functions that become available is pcap_findalldevs_ex(). One of the function arguments can be a filesystem path, which normally means a directory with input data files. When the specified path cannot be used as a directory, the function receives NULL from opendir(), but does not check the return value and passes the NULL value to readdir(), which causes a NULL pointer derefence. CVE-2024-8006 Public Cloud Image google/sles-15-sp5-v20240913-x86-64:libpcap1-1.10.1-150400.3.3.2 moderate When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. If the returned status reports another error than 'revoked' (like for example 'unauthorized') it is not treated as a bad certficate. CVE-2024-8096 Public Cloud Image google/sles-15-sp5-v20240913-x86-64:curl-8.0.1-150400.5.50.1 Public Cloud Image google/sles-15-sp5-v20240913-x86-64:libcurl4-8.0.1-150400.5.50.1 moderate