<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
  <DocumentTitle xml:lang="en">SUSE-IU-2024:1754-1</DocumentTitle>
  <DocumentType>SUSE Image</DocumentType>
  <DocumentPublisher Type="Vendor">
    <ContactDetails>security@suse.de</ContactDetails>
    <IssuingAuthority>SUSE Security Team</IssuingAuthority>
  </DocumentPublisher>
  <DocumentTracking>
    <Identification>
      <ID>SUSE Image SUSE-IU-2024:1754-1</ID>
    </Identification>
    <Status>Interim</Status>
    <Version>1</Version>
    <RevisionHistory>
      <Revision>
        <Number>1</Number>
        <Date>2026-03-19T08:53:53Z</Date>
        <Description>current</Description>
      </Revision>
    </RevisionHistory>
    <InitialReleaseDate>2024-11-12T01:00:00Z</InitialReleaseDate>
    <CurrentReleaseDate>2024-11-12T01:00:00Z</CurrentReleaseDate>
    <Generator>
      <Engine>cve-database/bin/generate-cvrf-publiccloud.pl</Engine>
      <Date>2021-02-18T01:00:00Z</Date>
    </Generator>
  </DocumentTracking>
  <DocumentNotes>
    <Note Title="Topic" Type="Summary" Ordinal="1" xml:lang="en">Image update for SUSE-IU-2024:1754-1 / google/sles-15-sp5-chost-byos-v20241112-x86-64</Note>
    <Note Title="Details" Type="General" Ordinal="2" xml:lang="en">This image update for google/sles-15-sp5-chost-byos-v20241112-x86-64 contains the following changes:
Package curl was updated:

- Security fix: [bsc#1232528, CVE-2024-9681]
  * HSTS subdomain overwrites parent cache entry
  * Add curl-CVE-2024-9681.patch

Package lvm2 was updated:

- LVM2 mirror attached to another node couldn't be converted into linear LV (bsc#1231796)
  + bug-1231796_lvconvert-fix-lvconvert-m-0-for-in-sync-legs.patch

Package openssl-1_1 was updated:

- Security fix: [bsc#1220262, CVE-2023-50782]
  * Implicit rejection in PKCS#1 v1.5
  * Add openssl-CVE-2023-50782.patch

Package python3 was updated:

- Add CVE-2024-9287-venv_path_unquoted.patch to properly quote
  path names provided when creating a virtual environment
  (bsc#1232241, CVE-2024-9287)

- Drop .pyc files from docdir for reproducible builds
  (bsc#1230906).

Package libzypp was updated:

- PluginFrame: Send unescaped colons in header values (bsc#1231043)
  According to the STOMP protocol it would be correct to escape a
  colon in a header-value, but it breaks plugin receivers which do
  not expect this. The first colon separates header-name from
  header-value, so escaping in the header-value is not needed
  anyway.
  Escaping in the header-value affects especially the urlresolver
  plugins. The input URL is passed in a header, but sent back as
  raw data in the frames body. If the plugin receiver does not
  correctly unescape the URL we may get back a "https\c//" which is
  not usable.
- Do not ignore return value of std::remove_if in MediaSyncFacade
  (fixes #579)
- Fix hang in curl code with no network connection (bsc#1230912)
- version 17.35.12 (35)

Package shadow was updated:

- bsc#1230972: Add useradd warnings when requested UID is outside
  the default range
- add shadow-bsc1230972-useradd-warning.patch

- bsc#1228337: chage -d date vs passwd -S output is off by one
  Remove shadow-bsc1176006-chage-date.patch

Package shim was updated:

- Update shim-install to apply the missing fix for openSUSE Leap
  (bsc#1210382) fixed by Gary.
  * 86b73d1 Fix that bootx64.efi is not updated on Leap
- Update shim-install to use the 'removable' way for SL-Micro
  (bsc#1230316) fixed by Gary.
  * 433cc4e Always use the removable way for SL-Micro

Package 000release-packages:sle-module-basesystem-release was updated:

Package 000release-packages:sle-module-containers-release was updated:

Package 000release-packages:sle-module-public-cloud-release was updated:

Package 000release-packages:sle-module-server-applications-release was updated:

Package wget was updated:

- Update 0001-possibly-truncate-pathname-components.patch
  * Take the patch from savannah repository where the checking of the file
    length doesn't include path length.
  * [bsc#1204720, bsc#1231661]

Package wicked was updated:

- Update to version 0.6.77
  - compat-suse: use iftype in sysctl handling (bsc#1230911, gh#openSUSE/wicked#1043)
  - Always generate the ipv4/ipv6 &lt;enabled&gt;true|false&lt;/enabled&gt; node
  - Inherit all, default and interface sysctl settings also for loopback,
    except for use_tempaddr and accept_dad.
  - Consider only interface specific accept_redirects sysctl settings.
  - Adopt ifsysctl(5) manual page with wicked specific behavior.
  - route: fix family and destination processing (bsc#1231060)
  - man: improve wicked-config(5) file description (gh#openSUSE/wicked#1039)
  - dhcp4: add ignore-rfc3927-1-6 wicked-config(5) option (jsc#PED-10855, gh#openSUSE/wicked#1038)
  - team: set arp link watcher interval default to 1s (gh#openSUSE/wicked#1037)
  - systemd: use `BindsTo=dbus.service` in favor of `Requisite=` (bsc#1229745)
  - compat-suse: fix use of deprecated `INTERFACETYPE=dummy` (boo#1229555)
  - arp: don't set target broadcast hardware address (gh#openSUSE/wicked#1036)
  - dbus: don't memcpy empty/NULL array value (gh#openSUSE/wicked#1035)
  - ethtool: fix leak and free pause data in ethtool_free (gh#openSUSE/wicked#1030)
- Removed patches included in the source archive:
  [- 0001-compat-suse-repair-dummy-interfaces-boo-1229555.patch]

Package xen was updated:

- bsc#1232622 - VUL-0: CVE-2024-45818: xen: Deadlock in x86 HVM
  standard VGA handling (XSA-463)
  xsa463-01.patch
  xsa463-02.patch
  xsa463-03.patch
  xsa463-04.patch
  xsa463-05.patch
  xsa463-06.patch
  xsa463-07.patch
  xsa463-08.patch
  xsa463-09.patch
  xsa463-10.patch
- bsc#1232624 - VUL-0: CVE-2024-45819: xen: libxl leaks data to PVH
  guests via ACPI tables (XSA-464)
  xsa464.patch
- Drop the following patches
  66e29480-x86-HVM-properly-reject-indirect-VRAM-writes.patch
  stdvga-cache.patch

- bsc#1232542 - remove usage of net-tools-deprecated from supportconfig plugin

- bsc#1230366 - VUL-0: CVE-2024-45817: xen: x86: Deadlock in
  vlapic_error() (XSA-462)
  66f2af41-x86-vLAPIC-undue-recursion-of-vlapic_error.patch
  Drop xsa462.patch
- Upstream bug fixes (bsc#1027519)
  66cf737b-x86-Dom0-disable-SMAP-for-PV-only.patch
  66d6dca8-libxl-nul-termination-in-xen_console_read_line.patch
  66d8690f-SUPPORT-split-XSM-from-Flask.patch
  66e29480-x86-HVM-properly-reject-indirect-VRAM-writes.patch
  66e44ae2-x86-ucode-AMD-buffer-underrun.patch
  66f2fd92-x86-ucode-Intel-stricter-sanity-check.patch

Package zypper was updated:

</Note>
    <Note Title="Terms of Use" Type="Legal Disclaimer" Ordinal="3" xml:lang="en">The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).</Note>
  </DocumentNotes>
  <DocumentReferences>
    <Reference Type="Self">
      <URL>https://publiccloudimagechangeinfo.suse.com/google/sles-15-sp5-chost-byos-v20241112-x86-64/</URL>
      <Description>Public Cloud Image Info</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/support/security/rating/</URL>
      <Description>SUSE Security Ratings</Description>
    </Reference>
  </DocumentReferences>
  <ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
    <Branch Type="Product Family" Name="Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64">
      <Branch Type="Product Name" Name="Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64">
        <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64">Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64</FullProductName>
      </Branch>
    </Branch>
    <Branch Type="Product Version" Name="curl-8.0.1-150400.5.56.1">
      <FullProductName ProductID="curl-8.0.1-150400.5.56.1">curl-8.0.1-150400.5.56.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libcurl4-8.0.1-150400.5.56.1">
      <FullProductName ProductID="libcurl4-8.0.1-150400.5.56.1">libcurl4-8.0.1-150400.5.56.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libdevmapper1_03-2.03.22_1.02.196-150500.7.12.2">
      <FullProductName ProductID="libdevmapper1_03-2.03.22_1.02.196-150500.7.12.2">libdevmapper1_03-2.03.22_1.02.196-150500.7.12.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libgcc_s1-14.2.0+git10526-150000.1.6.1">
      <FullProductName ProductID="libgcc_s1-14.2.0+git10526-150000.1.6.1">libgcc_s1-14.2.0+git10526-150000.1.6.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libopenssl1_1-1.1.1l-150500.17.37.1">
      <FullProductName ProductID="libopenssl1_1-1.1.1l-150500.17.37.1">libopenssl1_1-1.1.1l-150500.17.37.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libpython3_6m1_0-3.6.15-150300.10.75.1">
      <FullProductName ProductID="libpython3_6m1_0-3.6.15-150300.10.75.1">libpython3_6m1_0-3.6.15-150300.10.75.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libstdc++6-14.2.0+git10526-150000.1.6.1">
      <FullProductName ProductID="libstdc++6-14.2.0+git10526-150000.1.6.1">libstdc++6-14.2.0+git10526-150000.1.6.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libzypp-17.35.12-150500.6.21.1">
      <FullProductName ProductID="libzypp-17.35.12-150500.6.21.1">libzypp-17.35.12-150500.6.21.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="login_defs-4.8.1-150400.10.24.1">
      <FullProductName ProductID="login_defs-4.8.1-150400.10.24.1">login_defs-4.8.1-150400.10.24.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="openssl-1_1-1.1.1l-150500.17.37.1">
      <FullProductName ProductID="openssl-1_1-1.1.1l-150500.17.37.1">openssl-1_1-1.1.1l-150500.17.37.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="python3-3.6.15-150300.10.75.1">
      <FullProductName ProductID="python3-3.6.15-150300.10.75.1">python3-3.6.15-150300.10.75.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="python3-base-3.6.15-150300.10.75.1">
      <FullProductName ProductID="python3-base-3.6.15-150300.10.75.1">python3-base-3.6.15-150300.10.75.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="shadow-4.8.1-150400.10.24.1">
      <FullProductName ProductID="shadow-4.8.1-150400.10.24.1">shadow-4.8.1-150400.10.24.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="shim-15.8-150300.4.23.1">
      <FullProductName ProductID="shim-15.8-150300.4.23.1">shim-15.8-150300.4.23.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="suse-build-key-12.0-150000.8.55.1">
      <FullProductName ProductID="suse-build-key-12.0-150000.8.55.1">suse-build-key-12.0-150000.8.55.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="wget-1.20.3-150000.3.23.2">
      <FullProductName ProductID="wget-1.20.3-150000.3.23.2">wget-1.20.3-150000.3.23.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="wicked-0.6.77-150500.3.39.1">
      <FullProductName ProductID="wicked-0.6.77-150500.3.39.1">wicked-0.6.77-150500.3.39.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="wicked-service-0.6.77-150500.3.39.1">
      <FullProductName ProductID="wicked-service-0.6.77-150500.3.39.1">wicked-service-0.6.77-150500.3.39.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="xen-libs-4.17.5_06-150500.3.42.1">
      <FullProductName ProductID="xen-libs-4.17.5_06-150500.3.42.1">xen-libs-4.17.5_06-150500.3.42.1</FullProductName>
    </Branch>
    <Relationship ProductReference="curl-8.0.1-150400.5.56.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64:curl-8.0.1-150400.5.56.1">curl-8.0.1-150400.5.56.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libcurl4-8.0.1-150400.5.56.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64:libcurl4-8.0.1-150400.5.56.1">libcurl4-8.0.1-150400.5.56.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libdevmapper1_03-2.03.22_1.02.196-150500.7.12.2" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64:libdevmapper1_03-2.03.22_1.02.196-150500.7.12.2">libdevmapper1_03-2.03.22_1.02.196-150500.7.12.2 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libgcc_s1-14.2.0+git10526-150000.1.6.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64:libgcc_s1-14.2.0+git10526-150000.1.6.1">libgcc_s1-14.2.0+git10526-150000.1.6.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libopenssl1_1-1.1.1l-150500.17.37.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64:libopenssl1_1-1.1.1l-150500.17.37.1">libopenssl1_1-1.1.1l-150500.17.37.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libpython3_6m1_0-3.6.15-150300.10.75.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64:libpython3_6m1_0-3.6.15-150300.10.75.1">libpython3_6m1_0-3.6.15-150300.10.75.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libstdc++6-14.2.0+git10526-150000.1.6.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64:libstdc++6-14.2.0+git10526-150000.1.6.1">libstdc++6-14.2.0+git10526-150000.1.6.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libzypp-17.35.12-150500.6.21.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64:libzypp-17.35.12-150500.6.21.1">libzypp-17.35.12-150500.6.21.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="login_defs-4.8.1-150400.10.24.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64:login_defs-4.8.1-150400.10.24.1">login_defs-4.8.1-150400.10.24.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="openssl-1_1-1.1.1l-150500.17.37.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64:openssl-1_1-1.1.1l-150500.17.37.1">openssl-1_1-1.1.1l-150500.17.37.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="python3-3.6.15-150300.10.75.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64:python3-3.6.15-150300.10.75.1">python3-3.6.15-150300.10.75.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="python3-base-3.6.15-150300.10.75.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64:python3-base-3.6.15-150300.10.75.1">python3-base-3.6.15-150300.10.75.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="shadow-4.8.1-150400.10.24.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64:shadow-4.8.1-150400.10.24.1">shadow-4.8.1-150400.10.24.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="shim-15.8-150300.4.23.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64:shim-15.8-150300.4.23.1">shim-15.8-150300.4.23.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="suse-build-key-12.0-150000.8.55.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64:suse-build-key-12.0-150000.8.55.1">suse-build-key-12.0-150000.8.55.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="wget-1.20.3-150000.3.23.2" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64:wget-1.20.3-150000.3.23.2">wget-1.20.3-150000.3.23.2 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="wicked-0.6.77-150500.3.39.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64:wicked-0.6.77-150500.3.39.1">wicked-0.6.77-150500.3.39.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="wicked-service-0.6.77-150500.3.39.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64:wicked-service-0.6.77-150500.3.39.1">wicked-service-0.6.77-150500.3.39.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="xen-libs-4.17.5_06-150500.3.42.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64:xen-libs-4.17.5_06-150500.3.42.1">xen-libs-4.17.5_06-150500.3.42.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64</FullProductName>
    </Relationship>
  </ProductTree>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.</Note>
    </Notes>
    <CVE>CVE-2023-50782</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64:libopenssl1_1-1.1.1l-150500.17.37.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64:openssl-1_1-1.1.1l-150500.17.37.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In x86's APIC (Advanced Programmable Interrupt Controller) architecture,
error conditions are reported in a status register.  Furthermore, the OS
can opt to receive an interrupt when a new error occurs.

It is possible to configure the error interrupt with an illegal vector,
which generates an error when an error interrupt is raised.

This case causes Xen to recurse through vlapic_error().  The recursion
itself is bounded; errors accumulate in the status register and only
generate an interrupt when a new status bit becomes set.

However, the lock protecting this state in Xen will try to be taken
recursively, and deadlock.</Note>
    </Notes>
    <CVE>CVE-2024-45817</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64:xen-libs-4.17.5_06-150500.3.42.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">The hypervisor contains code to accelerate VGA memory accesses for HVM
guests, when the (virtual) VGA is in "standard" mode.  Locking involved
there has an unusual discipline, leaving a lock acquired past the
return from the function that acquired it.  This behavior results in a
problem when emulating an instruction with two memory accesses, both of
which touch VGA memory (plus some further constraints which aren't
relevant here).  When emulating the 2nd access, the lock that is already
being held would be attempted to be re-acquired, resulting in a
deadlock.

This deadlock was already found when the code was first introduced, but
was analysed incorrectly and the fix was incomplete.  Analysis in light
of the new finding cannot find a way to make the existing locking
discipline work.

In staging, this logic has all been removed because it was discovered
to be accidentally disabled since Xen 4.7.  Therefore, we are fixing the
locking problem by backporting the removal of most of the feature.  Note
that even with the feature disabled, the lock would still be acquired
for any accesses to the VGA MMIO region.</Note>
    </Notes>
    <CVE>CVE-2024-45818</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64:xen-libs-4.17.5_06-150500.3.42.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">PVH guests have their ACPI tables constructed by the toolstack.  The
construction involves building the tables in local memory, which are
then copied into guest memory.  While actually used parts of the local
memory are filled in correctly, excess space that is being allocated is
left with its prior contents.</Note>
    </Notes>
    <CVE>CVE-2024-45819</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64:xen-libs-4.17.5_06-150500.3.42.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (ie "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie "./venv/bin/python") are not affected.</Note>
    </Notes>
    <CVE>CVE-2024-9287</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64:python3-3.6.15-150300.10.75.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">When curl is asked to use HSTS, the expiry time for a subdomain might
overwrite a parent domain's cache entry, making it end sooner or later than
otherwise intended.

This affects curl using applications that enable HSTS and use URLs with the
insecure `HTTP://` scheme and perform transfers with hosts like
`x.example.com` as well as `example.com` where the first host is a subdomain
of the second host.

(The HSTS cache either needs to have been populated manually or there needs to
have been previous HTTPS accesses done as the cache needs to have entries for
the domains involved to trigger this problem.)

When `x.example.com` responds with `Strict-Transport-Security:` headers, this
bug can make the subdomain's expiry timeout *bleed over* and get set for the
parent domain `example.com` in curl's HSTS cache.

The result of a triggered bug is that HTTP accesses to `example.com` get
converted to HTTPS for a different period of time than what was asked for by
the origin server. If `example.com` for example stops supporting HTTPS at its
expiry time, curl might then fail to access `http://example.com` until the
(wrongly set) timeout expires. This bug can also expire the parent's entry
*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier
than otherwise intended.</Note>
    </Notes>
    <CVE>CVE-2024-9681</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64:curl-8.0.1-150400.5.56.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp5-chost-byos-v20241112-x86-64:libcurl4-8.0.1-150400.5.56.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
</cvrfdoc>
