SUSE-IU-2024:1753-1 SUSE Image security@suse.de SUSE Security Team SUSE Image SUSE-IU-2024:1753-1 Interim 1 1 2026-03-19T08:53:52Z current 2024-11-12T01:00:00Z 2024-11-12T01:00:00Z cve-database/bin/generate-cvrf-publiccloud.pl 2021-02-18T01:00:00Z Image update for SUSE-IU-2024:1753-1 / google/sles-15-sp5-chost-byos-v20241112-arm64 This image update for google/sles-15-sp5-chost-byos-v20241112-arm64 contains the following changes: Package curl was updated: - Security fix: [bsc#1232528, CVE-2024-9681] * HSTS subdomain overwrites parent cache entry * Add curl-CVE-2024-9681.patch Package lvm2 was updated: - LVM2 mirror attached to another node couldn't be converted into linear LV (bsc#1231796) + bug-1231796_lvconvert-fix-lvconvert-m-0-for-in-sync-legs.patch Package openssl-1_1 was updated: - Security fix: [bsc#1220262, CVE-2023-50782] * Implicit rejection in PKCS#1 v1.5 * Add openssl-CVE-2023-50782.patch Package python3 was updated: - Add CVE-2024-9287-venv_path_unquoted.patch to properly quote path names provided when creating a virtual environment (bsc#1232241, CVE-2024-9287) - Drop .pyc files from docdir for reproducible builds (bsc#1230906). Package libzypp was updated: - PluginFrame: Send unescaped colons in header values (bsc#1231043) According to the STOMP protocol it would be correct to escape a colon in a header-value, but it breaks plugin receivers which do not expect this. The first colon separates header-name from header-value, so escaping in the header-value is not needed anyway. Escaping in the header-value affects especially the urlresolver plugins. The input URL is passed in a header, but sent back as raw data in the frames body. If the plugin receiver does not correctly unescape the URL we may get back a "https\c//" which is not usable. - Do not ignore return value of std::remove_if in MediaSyncFacade (fixes #579) - Fix hang in curl code with no network connection (bsc#1230912) - version 17.35.12 (35) Package shadow was updated: - bsc#1230972: Add useradd warnings when requested UID is outside the default range - add shadow-bsc1230972-useradd-warning.patch - bsc#1228337: chage -d date vs passwd -S output is off by one Remove shadow-bsc1176006-chage-date.patch Package 000release-packages:sle-module-basesystem-release was updated: Package 000release-packages:sle-module-containers-release was updated: Package 000release-packages:sle-module-public-cloud-release was updated: Package 000release-packages:sle-module-server-applications-release was updated: Package wget was updated: - Update 0001-possibly-truncate-pathname-components.patch * Take the patch from savannah repository where the checking of the file length doesn't include path length. * [bsc#1204720, bsc#1231661] Package wicked was updated: - Update to version 0.6.77 - compat-suse: use iftype in sysctl handling (bsc#1230911, gh#openSUSE/wicked#1043) - Always generate the ipv4/ipv6 <enabled>true|false</enabled> node - Inherit all, default and interface sysctl settings also for loopback, except for use_tempaddr and accept_dad. - Consider only interface specific accept_redirects sysctl settings. - Adopt ifsysctl(5) manual page with wicked specific behavior. - route: fix family and destination processing (bsc#1231060) - man: improve wicked-config(5) file description (gh#openSUSE/wicked#1039) - dhcp4: add ignore-rfc3927-1-6 wicked-config(5) option (jsc#PED-10855, gh#openSUSE/wicked#1038) - team: set arp link watcher interval default to 1s (gh#openSUSE/wicked#1037) - systemd: use `BindsTo=dbus.service` in favor of `Requisite=` (bsc#1229745) - compat-suse: fix use of deprecated `INTERFACETYPE=dummy` (boo#1229555) - arp: don't set target broadcast hardware address (gh#openSUSE/wicked#1036) - dbus: don't memcpy empty/NULL array value (gh#openSUSE/wicked#1035) - ethtool: fix leak and free pause data in ethtool_free (gh#openSUSE/wicked#1030) - Removed patches included in the source archive: [- 0001-compat-suse-repair-dummy-interfaces-boo-1229555.patch] The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://publiccloudimagechangeinfo.suse.com/google/sles-15-sp5-chost-byos-v20241112-arm64/ Public Cloud Image Info https://www.suse.com/support/security/rating/ SUSE Security Ratings Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-arm64 curl-8.0.1-150400.5.56.1 libcurl4-8.0.1-150400.5.56.1 libdevmapper1_03-2.03.22_1.02.196-150500.7.12.2 libgcc_s1-14.2.0+git10526-150000.1.6.1 libopenssl1_1-1.1.1l-150500.17.37.1 libpython3_6m1_0-3.6.15-150300.10.75.1 libstdc++6-14.2.0+git10526-150000.1.6.1 libzypp-17.35.12-150500.6.21.1 login_defs-4.8.1-150400.10.24.1 openssl-1_1-1.1.1l-150500.17.37.1 python3-3.6.15-150300.10.75.1 python3-base-3.6.15-150300.10.75.1 shadow-4.8.1-150400.10.24.1 suse-build-key-12.0-150000.8.55.1 wget-1.20.3-150000.3.23.2 wicked-0.6.77-150500.3.39.1 wicked-service-0.6.77-150500.3.39.1 curl-8.0.1-150400.5.56.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-arm64 libcurl4-8.0.1-150400.5.56.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-arm64 libdevmapper1_03-2.03.22_1.02.196-150500.7.12.2 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-arm64 libgcc_s1-14.2.0+git10526-150000.1.6.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-arm64 libopenssl1_1-1.1.1l-150500.17.37.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-arm64 libpython3_6m1_0-3.6.15-150300.10.75.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-arm64 libstdc++6-14.2.0+git10526-150000.1.6.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-arm64 libzypp-17.35.12-150500.6.21.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-arm64 login_defs-4.8.1-150400.10.24.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-arm64 openssl-1_1-1.1.1l-150500.17.37.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-arm64 python3-3.6.15-150300.10.75.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-arm64 python3-base-3.6.15-150300.10.75.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-arm64 shadow-4.8.1-150400.10.24.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-arm64 suse-build-key-12.0-150000.8.55.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-arm64 wget-1.20.3-150000.3.23.2 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-arm64 wicked-0.6.77-150500.3.39.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-arm64 wicked-service-0.6.77-150500.3.39.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-arm64 A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data. CVE-2023-50782 Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-arm64:libopenssl1_1-1.1.1l-150500.17.37.1 Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-arm64:openssl-1_1-1.1.1l-150500.17.37.1 moderate A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (ie "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie "./venv/bin/python") are not affected. CVE-2024-9287 Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-arm64:python3-3.6.15-150300.10.75.1 moderate When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than otherwise intended. This affects curl using applications that enable HSTS and use URLs with the insecure `HTTP://` scheme and perform transfers with hosts like `x.example.com` as well as `example.com` where the first host is a subdomain of the second host. (The HSTS cache either needs to have been populated manually or there needs to have been previous HTTPS accesses done as the cache needs to have entries for the domains involved to trigger this problem.) When `x.example.com` responds with `Strict-Transport-Security:` headers, this bug can make the subdomain's expiry timeout *bleed over* and get set for the parent domain `example.com` in curl's HSTS cache. The result of a triggered bug is that HTTP accesses to `example.com` get converted to HTTPS for a different period of time than what was asked for by the origin server. If `example.com` for example stops supporting HTTPS at its expiry time, curl might then fail to access `http://example.com` until the (wrongly set) timeout expires. This bug can also expire the parent's entry *earlier*, thus making curl inadvertently switch back to insecure HTTP earlier than otherwise intended. CVE-2024-9681 Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-arm64:curl-8.0.1-150400.5.56.1 Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-arm64:libcurl4-8.0.1-150400.5.56.1 moderate