<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
  <DocumentTitle xml:lang="en">SUSE-IU-2024:553-1</DocumentTitle>
  <DocumentType>SUSE Image</DocumentType>
  <DocumentPublisher Type="Vendor">
    <ContactDetails>security@suse.de</ContactDetails>
    <IssuingAuthority>SUSE Security Team</IssuingAuthority>
  </DocumentPublisher>
  <DocumentTracking>
    <Identification>
      <ID>SUSE Image SUSE-IU-2024:553-1</ID>
    </Identification>
    <Status>Interim</Status>
    <Version>1</Version>
    <RevisionHistory>
      <Revision>
        <Number>1</Number>
        <Date>2025-09-12T16:42:46Z</Date>
        <Description>current</Description>
      </Revision>
    </RevisionHistory>
    <InitialReleaseDate>2024-04-18T01:00:00Z</InitialReleaseDate>
    <CurrentReleaseDate>2024-04-18T01:00:00Z</CurrentReleaseDate>
    <Generator>
      <Engine>cve-database/bin/generate-cvrf-publiccloud.pl</Engine>
      <Date>2021-02-18T01:00:00Z</Date>
    </Generator>
  </DocumentTracking>
  <DocumentNotes>
    <Note Title="Topic" Type="Summary" Ordinal="1" xml:lang="en">Image update for SUSE-IU-2024:553-1 / google/suse-liberty-linux-7-9-byos-v20240418-x86-64</Note>
    <Note Title="Details" Type="General" Ordinal="2" xml:lang="en">This image update for google/suse-liberty-linux-7-9-byos-v20240418-x86-64 contains the following changes:
Package NetworkManager was updated:

- Update to 1.18.8 release
- ifcfg-rh: handle &quot;802-1x.{,phase2-}ca-path&quot; (rh #1841397, CVE-2020-10754)
- ifcfg-rh: handle 802-1x.pin properties.

Package NetworkManager-libnm was updated:

- Update to 1.18.8 release
- ifcfg-rh: handle &quot;802-1x.{,phase2-}ca-path&quot; (rh #1841397, CVE-2020-10754)
- ifcfg-rh: handle 802-1x.pin properties.

Package NetworkManager-team was updated:

- Update to 1.18.8 release
- ifcfg-rh: handle &quot;802-1x.{,phase2-}ca-path&quot; (rh #1841397, CVE-2020-10754)
- ifcfg-rh: handle 802-1x.pin properties.

Package NetworkManager-tui was updated:

- Update to 1.18.8 release
- ifcfg-rh: handle &quot;802-1x.{,phase2-}ca-path&quot; (rh #1841397, CVE-2020-10754)
- ifcfg-rh: handle 802-1x.pin properties.

Package acl was updated:

- do not follow symlinks without -L (#1714077)
- update project URL (#1579173)

Package acpid was updated:

- Switched kacpimon to dynamic connections (increased max connections
  from 20 to 1024)
  Resolves: rhbz#1450980

Package aic94xx-firmware was updated:

Package alsa-firmware was updated:

- Fix the alsa-tools-firmware dependency (not updated)
- Resolves: rhbz#1112207

Package alsa-lib was updated:

- Updated to 1.1.8
- Resolves: rhbz#1658083

Package alsa-tools-firmware was updated:

- Updated to 1.1.0
- Enable hda-verb, hdajackretask, hdajacksensetest for i686/x86_64
- Resolves: rhbz#1172560

Package audit was updated:

Package audit-libs was updated:

Package augeas-libs was updated:

- Krb5: support realms that start with numbers; add more pkinit_* options;
  improve handling of [dbmodules]; allow include/includedir directives
  everywhere (RHBZ#1670420)
- Grub: handle '+' in kernel command line options (RHBZ#1758357)

Package authconfig was updated:

Package basesystem was updated:

Package bash was updated:

- BASH_CMD should not be writable in restricted shell
  Resolves: #1693181

Package bc was updated:

Package bind-export-libs was updated:

Package binutils was updated:

- Allow the BFD library to handle the copying of files which contain secondary reloc sections.  (#1785294)
- Implement assembler workaround for Intel JCC microcode bug.  (#1778892)

Package biosdevname was updated:

- prevent infinite recursion in dmidecode.c::smbios_setslot (#1642706)
- fix indentation in the man page (#1642706)

Package boost-regex was updated:

Package btrfs-progs was updated:

Package bzip2-libs was updated:

- resolves: #1123489
  recompiled with -O3 flag for ppc64le arch

Package ca-certificates was updated:

- Update to CKBI 2.41 from NSS 3.53.0
-    Removing:
-     # Certificate &quot;AddTrust Low-Value Services Root&quot;
-     # Certificate &quot;AddTrust External Root&quot;
-     # Certificate &quot;UTN USERFirst Email Root CA&quot;
-     # Certificate &quot;Certplus Class 2 Primary CA&quot;
-     # Certificate &quot;Deutsche Telekom Root CA 2&quot;
-     # Certificate &quot;Staat der Nederlanden Root CA - G2&quot;
-     # Certificate &quot;Swisscom Root CA 2&quot;
-     # Certificate &quot;Certinomis - Root CA&quot;
-    Adding:
-     # Certificate &quot;Entrust Root Certification Authority - G4&quot;
- fix permissions on ghosted files.

Package chkconfig was updated:

Package chrony was updated:

- update to 3.4 (#1636117, #1565544, #1565548, #1596239, #1600882)
- drop support for HW timestamping on kernels &lt; 3.10.0-613

Package coreutils was updated:

- doc: improve description of the --kibibytes option of ls (#1527391)
- doc: fix typo in date example (#1620624)
- stat,tail: sync the list of file systems with coreutils-8.31 (#1659530)
- df: avoid stat() for dummy file systems with -l (#1668137)
- df: prioritize mounts nearer the device root (#1042840)

Package cpio was updated:

Package cracklib was updated:

Package cracklib-dicts was updated:

Package cronie was updated:

- Make cronie restart on failure
- Resolves: rhbz#1651730

Package cronie-anacron was updated:

- Make cronie restart on failure
- Resolves: rhbz#1651730

Package crontabs was updated:

Package cryptsetup-libs was updated:

- patch: Reinstate missing backing file hint for loop device
  during unlock.
- Resolves: #1726287

Package curl was updated:

Package cyrus-sasl-lib was updated:

Package dbus was updated:

Package dbus-glib was updated:

Package dbus-libs was updated:

Package dbus-python was updated:

- Move modules to libdir to avoid multilib conflicts
- And comment out test suite, since we were not actually
  failing if it failed, but it trips up an rpmdiff check
  on the output of the suite.
- Resolves: #1076411

Package device-mapper was updated:

Package device-mapper-libs was updated:

Package dhclient was updated:

Package dhcp-common was updated:

Package dhcp-libs was updated:

Package diffutils was updated:

Package dmidecode was updated:

- Revert this patch(&quot;Use larger units for memory device and BIOS size&quot;)
- Resolves: rhbz#1767323

Package dracut was updated:

Package dracut-network was updated:

Package e2fsprogs was updated:

Package e2fsprogs-libs was updated:

Package ebtables was updated:

Package elfutils-default-yama-scope was updated:

Package elfutils-libelf was updated:

Package elfutils-libs was updated:

Package ethtool was updated:

Package expat was updated:

Package file was updated:

Package file-libs was updated:

Package filesystem was updated:

- own /usr/share/locale and /usr/lib/modules
- improve filesystem content file to include symlinks and rootdir

Package findutils was updated:

Package fipscheck was updated:

Package fipscheck-lib was updated:

Package firewalld was updated:

Package firewalld-filesystem was updated:

Package freetype was updated:

- Fix rendering in monochrome mode
- Resolves: #1657479

Package fxload was updated:

Package gawk was updated:

Package gdbm was updated:

Package gdisk was updated:

Package gettext was updated:

Package gettext-libs was updated:

Package glib2 was updated:

- Backport patch to limit access to files when copying (CVE-2019-12450)
  Resolves: #1722099

Package glibc was updated:

Package glibc-common was updated:

Package gmp was updated:

Package gnupg2 was updated:

Package gobject-introspection was updated:

- Update to 1.56.1
- Resolves: #1569272

Package gpgme was updated:

Package grep was updated:

- Speedup DFA for long patterns and fixed begline/endline matching
  Resolves: rhbz#1413029
- Added support for GREP_LEGACY_EGREP_FGREP_PS environmental variable which
  controls how egrep, fgrep show in ps output
  Resolves: rhbz#1297441

Package groff-base was updated:

Package grub2 was updated:

Package grub2-common was updated:

Package grub2-pc was updated:

Package grub2-pc-modules was updated:

Package grub2-tools was updated:

Package grub2-tools-extra was updated:

Package grub2-tools-minimal was updated:

Package grubby was updated:

- Exclude building on i686
  Related: rhbz#1476273
- Fix grubby removing wrong kernel command line parameter
  Resolves: rhbz#1476273
- Improve man page for --info option (jstodola)
  Resolves: rhbz#1651673
- Print default image even if isn't a suitable one
  Resolves: rhbz#1323842

Package gzip was updated:

- doc change: missing grep options are now mentioned in the zgrep
  man pages/help message
  Resolves: #1437002

Package hardlink was updated:

Package hostname was updated:

Package hwdata was updated:

- Update pci, usb, vendor ids and hwdb files
  Resolves: #1788059

Package info was updated:

- Fix upstream test failure in Pod-Simple-Texinfo
  Resolves: #970986
- Fix @enumerate does not support start numbers greater than nine
  Resolves: #1134160

Package initscripts was updated:

Package iproute was updated:

Package iprutils was updated:

Package ipset was updated:

- Rebase to 7.1 (RHBZ#1649080):
  - Add compatibility support for strscpy()
  - Correct the manpage about the sort option
  - Add missing functions to libipset.map
  - configure.ac: Fix build regression on RHEL/CentOS/SL (Serhey Popovych)
  - Implement sorting for hash types in the ipset tool
  - Fix to list/save into file specified by option (reported by Isaac Good)
  - Introduction of new commands and protocol version 7, updated kernel include files
  - Add compatibility support for async in pernet_operations
  - Use more robust awk patterns to check for backward compatibility
  - Prepare the ipset tool to handle multiple protocol version
  - Fix warning message handlin
  - Correct to test null valued entry in hash:net6,port,net6 test
  - Library reworked to support embedding ipset completely
  - Add compatibility to support kvcalloc()
  - Validate string type attributes in attr2data() (Stefano Brivio)
  - manpage: Add comment about matching on destination MAC address (Stefano Brivio)
    (RHBZ#1649079)
  - Add compatibility to support is_zero_ether_addr()
  - Fix use-after-free in ipset_parse_name_compat() (Stefano Brivio) (RHBZ#1649073)
  - Fix leak in build_argv() on line parsing error (Stefano Brivio) (RHBZ#1649073)
  - Simplify return statement in ipset_mnl_query() (Stefano Brivio) (RHBZ#1649073)
  - tests/check_klog.sh: Try dmesg too, don't let shell terminate script (Stefano Brivio) 
- Fixes:
  - Fix all shellcheck warnings in init script (RHBZ#1649073)
  - Make error reporting consistent, introduce different severities (RHBZ#1649877)
  - While restoring, on invalid entries, remove them and retry (RHBZ#1650297)
  - Fix covscan SC2166 warning in init script (RHBZ#1649073)
  - Hardcode triggerin, triggerun versions for ipset-service (RHBZ#1646666)

Package ipset-libs was updated:

- Rebase to 7.1 (RHBZ#1649080):
  - Add compatibility support for strscpy()
  - Correct the manpage about the sort option
  - Add missing functions to libipset.map
  - configure.ac: Fix build regression on RHEL/CentOS/SL (Serhey Popovych)
  - Implement sorting for hash types in the ipset tool
  - Fix to list/save into file specified by option (reported by Isaac Good)
  - Introduction of new commands and protocol version 7, updated kernel include files
  - Add compatibility support for async in pernet_operations
  - Use more robust awk patterns to check for backward compatibility
  - Prepare the ipset tool to handle multiple protocol version
  - Fix warning message handlin
  - Correct to test null valued entry in hash:net6,port,net6 test
  - Library reworked to support embedding ipset completely
  - Add compatibility to support kvcalloc()
  - Validate string type attributes in attr2data() (Stefano Brivio)
  - manpage: Add comment about matching on destination MAC address (Stefano Brivio)
    (RHBZ#1649079)
  - Add compatibility to support is_zero_ether_addr()
  - Fix use-after-free in ipset_parse_name_compat() (Stefano Brivio) (RHBZ#1649073)
  - Fix leak in build_argv() on line parsing error (Stefano Brivio) (RHBZ#1649073)
  - Simplify return statement in ipset_mnl_query() (Stefano Brivio) (RHBZ#1649073)
  - tests/check_klog.sh: Try dmesg too, don't let shell terminate script (Stefano Brivio) 
- Fixes:
  - Fix all shellcheck warnings in init script (RHBZ#1649073)
  - Make error reporting consistent, introduce different severities (RHBZ#1649877)
  - While restoring, on invalid entries, remove them and retry (RHBZ#1650297)
  - Fix covscan SC2166 warning in init script (RHBZ#1649073)
  - Hardcode triggerin, triggerun versions for ipset-service (RHBZ#1646666)

Package iptables was updated:

Package iputils was updated:

Package irqbalance was updated:

- Refine document for IRQBALANCE_BANNED_CPUS
- Resolves: #1361654

Package ivtv-firmware was updated:

Package iwl100-firmware was updated:

Package iwl1000-firmware was updated:

Package iwl105-firmware was updated:

Package iwl135-firmware was updated:

Package iwl2000-firmware was updated:

Package iwl2030-firmware was updated:

Package iwl3160-firmware was updated:

Package iwl3945-firmware was updated:

Package iwl4965-firmware was updated:

Package iwl5000-firmware was updated:

Package iwl5150-firmware was updated:

Package iwl6000-firmware was updated:

Package iwl6000g2a-firmware was updated:

Package iwl6000g2b-firmware was updated:

Package iwl6050-firmware was updated:

Package iwl7260-firmware was updated:

Package jansson was updated:

- Update to 2.10 [1389805]
- Merge spec file with Fedora

Package json-c was updated:

- fix hash collision CVE-2013-6371
- fix buffer overflow CVE-2013-6370
- enable upstream test suite

Package kbd was updated:

- Add man page for kbdinfo, link open man page to openvt man page
  Related: #949015

Package kbd-legacy was updated:

- Add man page for kbdinfo, link open man page to openvt man page
  Related: #949015

Package kbd-misc was updated:

- Add man page for kbdinfo, link open man page to openvt man page
  Related: #949015

Package kernel was updated:

Package kernel-tools was updated:

Package kernel-tools-libs was updated:

Package kexec-tools was updated:

Package keyutils-libs was updated:

Package kmod was updated:

- weak-modules: update_modules_for_krel: always finish sandbox
- weak-modules: groupping: use dependencies of extra/ provider
  Resolves: rhbz#1774925

Package kmod-libs was updated:

- weak-modules: update_modules_for_krel: always finish sandbox
- weak-modules: groupping: use dependencies of extra/ provider
  Resolves: rhbz#1774925

Package kpartx was updated:

Package krb5-libs was updated:

- Disable smoke tests on s390x and remove sleep
- Resolves: #1782492

Package less was updated:

- The --use-backslash option documented in the man page
  was missing from online help for less.
  Resolves: #1109090

Package libacl was updated:

- do not follow symlinks without -L (#1714077)
- update project URL (#1579173)

Package libassuan was updated:

Package libattr was updated:

Package libblkid was updated:

- fix #1826719 - mount -a tries to mount already mounted cifs shares when we cannot query up to root dir
- fix #1745657 - mismatch between spec file and uuidd runtime directory

Package libcap was updated:

Package libcap-ng was updated:

Package libcom_err was updated:

Package libcroco was updated:

- Rebuild with 7.9-z target
  Related: #1835951

Package libcurl was updated:

Package libdaemon was updated:

Package libdb was updated:

Package libdb-utils was updated:

Package libdrm was updated:

Package libedit was updated:

Package libestr was updated:

Package libfastjson was updated:

Package libffi was updated:

Package libgcc was updated:

Package libgcrypt was updated:

- add DRBG CAVS driver and other necessary CAVS driver updates (#1172568)
- allow ath reinitialization in FIPS mode
- allow for auto-initialization of DRBG

Package libgomp was updated:

Package libgpg-error was updated:

Package libgudev1 was updated:

Package libicu was updated:

- Apply ICU-13634-Adding-integer-overflow-logic-to-ICU4C-num.patch
- Apply ICU-20958-Prevent-SEGV_MAPERR-in-append.patch
- Resolves: rhbz#1808235

Package libidn was updated:

Package libmnl was updated:

Package libmodman was updated:

Package libmount was updated:

- fix #1826719 - mount -a tries to mount already mounted cifs shares when we cannot query up to root dir
- fix #1745657 - mismatch between spec file and uuidd runtime directory

Package libndp was updated:

- ndptool: add -T target support
- ndptool: fix target parameter typo

Package libnetfilter_conntrack was updated:

Package libnfnetlink was updated:

Package libnl was updated:

Package libnl3 was updated:

Package libnl3-cli was updated:

Package libpciaccess was updated:

Package libpipeline was updated:

Package libpng was updated:

- Fix CVE-2017-12652
- Resolves: #1744870

Package libproxy was updated:

Package libpwquality was updated:

- fix brittle configuration settings (#1259633)
- fix abort when generating large passwords on some architectures

Package libseccomp was updated:

Package libselinux was updated:

Package libselinux-python was updated:

Package libselinux-utils was updated:

Package libsemanage was updated:

- Include user name in ROLE_REMOVE audit events (#1622045)
- Improve &quot;reset umask before creating directories&quot;

Package libsepol was updated:

Package libsmartcols was updated:

- fix #1826719 - mount -a tries to mount already mounted cifs shares when we cannot query up to root dir
- fix #1745657 - mismatch between spec file and uuidd runtime directory

Package libsolv was updated:

Package libss was updated:

Package libssh2 was updated:

Package libstdc++ was updated:

Package libsysfs was updated:

Package libtasn1 was updated:

Package libteam was updated:

Package libunistring was updated:

Package libuser was updated:

- Update Japanese translation
  Resolves: #1480537

Package libutempter was updated:

Package libuuid was updated:

- fix #1826719 - mount -a tries to mount already mounted cifs shares when we cannot query up to root dir
- fix #1745657 - mismatch between spec file and uuidd runtime directory

Package libverto was updated:

Package libxml2 was updated:

- Fix CVE-2019-19956 (#1793000)
- Fix CVE-2019-20388 (#1810057)
- Fix CVE-2020-7595 (#1810073)
- Fix xsd:any schema validation (#1812145)

Package libxml2-python was updated:

- Fix CVE-2019-19956 (#1793000)
- Fix CVE-2019-20388 (#1810057)
- Fix CVE-2020-7595 (#1810073)
- Fix xsd:any schema validation (#1812145)

Package libzypp was updated:

Package linux-firmware was updated:

Package logrotate was updated:

Package lshw was updated:

Package lsscsi was updated:

Package lua was updated:

Package lz4 was updated:

- Rebase to 1.8.3
- Drop the patch from 1.7.5-3. It is now part of the upstream archive
- Resolves: #1813245

Package lzo was updated:

- Built with -fno-strict-aliasing (rpmdiff)
  Related: CVE-2014-4607

Package m2crypto was updated:

- Fix spurious failures of test_cookie_str_changed_mac
  Resolves: #1073950
- Add support for IP addresses in subjectAltName
  Resolves: #1080142

Package mailcap was updated:

Package make was updated:

- Change fatal() to error() when a mix of explicit and implicit
  targets (in that order) is detected.
  Resolves: #1582545

Package man-db was updated:

- related: #1515352
  build and install all translated man pages

Package mariadb-libs was updated:

- Rebase to 5.5.68
  This is the last upstream release. This major version reached upstream EOL
- Related to: rhbz#1834835

Package microcode_ctl was updated:

- Update Intel CPU microcode to microcode-20200609 release (#1826589):
  - Fixed a typo in the release note file.

Package mozjs17 was updated:

- Switch to upstream aarch64 48bit VA patch
  This reverts the previous API/ABI break on aarch64, so dependencies
  must be rebuilt again.
- Resolves: #1393548

Package ncurses was updated:

Package ncurses-base was updated:

Package ncurses-libs was updated:

Package net-tools was updated:

Package newt was updated:

Package newt-python was updated:

Package nspr was updated:

Package nss was updated:

- Disable dh timing test because it's unreliable on s390 (from Bob Relyea)
- Explicitly enable upgradedb/sharedb test cycles

Package nss-pem was updated:

Package nss-softokn was updated:

- turn off ALTIVEC instruction for powerpc because they require
  power8 and we need to support power7 on RHEL7 still.
- Fix typo in measure.
- Make sure only 2048 and greater primes are used in FIPS mode
  for dh.

Package nss-softokn-freebl was updated:

- turn off ALTIVEC instruction for powerpc because they require
  power8 and we need to support power7 on RHEL7 still.
- Fix typo in measure.
- Make sure only 2048 and greater primes are used in FIPS mode
  for dh.

Package nss-sysinit was updated:

- Disable dh timing test because it's unreliable on s390 (from Bob Relyea)
- Explicitly enable upgradedb/sharedb test cycles

Package nss-tools was updated:

- Disable dh timing test because it's unreliable on s390 (from Bob Relyea)
- Explicitly enable upgradedb/sharedb test cycles

Package nss-util was updated:

Package numactl-libs was updated:

Package nvme-cli was updated:

Package openldap was updated:

Package openssh was updated:

Package openssh-clients was updated:

Package openssh-server was updated:

Package openssl was updated:

- close the RSA decryption 9 lives of Bleichenbacher cat
  timing side channel (#1649568)

Package openssl-libs was updated:

- close the RSA decryption 9 lives of Bleichenbacher cat
  timing side channel (#1649568)

Package os-prober was updated:

- Fix regular expression that missed a corner case when detecting
  extended dos partitions.
  Resolves: rhbz#1322957

Package p11-kit was updated:

- Avoid reference to thread-unsafe strerror rhbz#1378947
- Fix PKCS#11 OAEP interface rhbz#1191209
- Update documentation to follow RFC7512 rhbz#1165977

Package p11-kit-trust was updated:

- Avoid reference to thread-unsafe strerror rhbz#1378947
- Fix PKCS#11 OAEP interface rhbz#1191209
- Update documentation to follow RFC7512 rhbz#1165977

Package pam was updated:

- pam_get_authtok_verify: ensure no double verification happens
- manual page fixes for pam_tty_audit and pam_wheel
- pam_unix: lower the excessive maximum number of closed fd descriptors
  when spawning handlers
- pam_loginuid: do not prevent login in unprivileged containers

Package parted was updated:

- libparted: Fix starting CHS in protective MBR
  Resolves: rhbz#1702778

Package passwd was updated:

- Fix incorrect -S output when password field in /etc/passwd is empty but the
  password information in /etc/shadow is set
  Resolves: #1686436

Package pciutils-libs was updated:

Package pcre was updated:

- Let [:graph:], [:print:], and [:punct:] POSIX classes to handle Unicode
  characters in UCP mode to match Perl behavior (bug #1400267)
- Fix matching Unicode ranges in JIT mode (bug #1402288)

Package perl was updated:

Package perl-Business-ISBN was updated:

Package perl-Business-ISBN-Data was updated:

Package perl-Carp was updated:

Package perl-Compress-Raw-Bzip2 was updated:

Package perl-Compress-Raw-Zlib was updated:

Package perl-Crypt-SSLeay was updated:

Package perl-Data-Dumper was updated:

Package perl-Digest was updated:

Package perl-Digest-MD5 was updated:

Package perl-Encode was updated:

Package perl-Encode-Locale was updated:

Package perl-Exporter was updated:

Package perl-File-Listing was updated:

Package perl-File-Path was updated:

Package perl-File-Temp was updated:

Package perl-Filter was updated:

Package perl-Getopt-Long was updated:

Package perl-HTML-Parser was updated:

Package perl-HTML-Tagset was updated:

Package perl-HTTP-Cookies was updated:

Package perl-HTTP-Daemon was updated:

Package perl-HTTP-Date was updated:

Package perl-HTTP-Message was updated:

Package perl-HTTP-Negotiate was updated:

Package perl-HTTP-Tiny was updated:

Package perl-IO-Compress was updated:

Package perl-IO-HTML was updated:

Package perl-IO-Socket-IP was updated:

Package perl-IO-Socket-SSL was updated:

Package perl-LWP-MediaTypes was updated:

Package perl-LWP-Protocol-https was updated:

Package perl-Mozilla-CA was updated:

Package perl-Net-HTTP was updated:

Package perl-Net-LibIDN was updated:

Package perl-Net-SSLeay was updated:

- Deleted support for SSL_get_tlsa_record_byname (bug #1422435)
- Removed tests which fails due to changes openssl 1.0.1h and later

Package perl-PathTools was updated:

Package perl-Pod-Escapes was updated:

Package perl-Pod-Perldoc was updated:

Package perl-Pod-Simple was updated:

Package perl-Pod-Usage was updated:

Package perl-Scalar-List-Utils was updated:

Package perl-Socket was updated:

Package perl-Storable was updated:

Package perl-Sys-Syslog was updated:

Package perl-Text-ParseWords was updated:

Package perl-Time-HiRes was updated:

Package perl-Time-Local was updated:

Package perl-TimeDate was updated:

Package perl-URI was updated:

Package perl-WWW-RobotRules was updated:

Package perl-XML-Parser was updated:

Package perl-XML-Writer was updated:

Package perl-constant was updated:

Package perl-libs was updated:

Package perl-libwww-perl was updated:

Package perl-macros was updated:

Package perl-parent was updated:

Package perl-podlators was updated:

Package perl-threads was updated:

Package perl-threads-shared was updated:

Package pinentry was updated:

Package pkgconfig was updated:

Package plymouth was updated:

- Drop spool code to hide selinux problem
  Resolves: #1705083

Package plymouth-core-libs was updated:

- Drop spool code to hide selinux problem
  Resolves: #1705083

Package plymouth-scripts was updated:

- Drop spool code to hide selinux problem
  Resolves: #1705083

Package policycoreutils was updated:

Package polkit was updated:

- Refined upstream fix of CVE-2018-1116 to avoid ABI changes
- Related: rhbz#1601411

Package polkit-pkla-compat was updated:

Package popt was updated:

Package postfix was updated:

- Compiled with USE_LDAP_SASL if both &quot;ldap&quot; and &quot;sasl&quot; options are enabled
  Resolves: rhbz#1733938

Package procps-ng was updated:

- pgrep: uid/gid conversion overflow
- vmstat: manpage line about I/O blocked procs unclear
- Resolves: rhbz#1624514, rhbz#1796043

Package pth was updated:

Package pyOpenSSL was updated:

- fix various testsuite failures
- fix exception propagation from private key passphrase callback (#1227505)
- add optional digest parameter to CRL.export method (#1523772)

Package pygobject2 was updated:

Package pygpgme was updated:

- Drop %check to avoid a hang in pinentry-curses &gt;= 0.8.1-12
  Resolves: #1064349

Package pyliblzma was updated:

Package python was updated:

- Security fix for CVE-2019-16935
Resolves: rhbz#1797998

Package python-configobj was updated:

Package python-decorator was updated:

Package python-dmidecode was updated:

- Disable loading the dmidecodemodule on non-x86_64
- Resolves: #1688725

Package python-ethtool was updated:

- Fix missing error checking when reading from /proc/net/dev
- Resolves: rhbz#1467845

Package python-firewall was updated:

Package python-gobject-base was updated:

Package python-gudev was updated:

Package python-hwdata was updated:

Package python-iniparse was updated:

Package python-libs was updated:

- Security fix for CVE-2019-16935
Resolves: rhbz#1797998

Package python-linux-procfs was updated:

- Need to apply the patch in prep
Resolves: rhbz#1654311

Package python-perf was updated:

Package python-pycurl was updated:

Package python-pyudev was updated:

- The libudev library loaded in context to workaround cleanup problems
  Resolves: rhbz#1252833
- Retry interrupted calls
  Resolves: rhbz#1108921

Package python-schedutils was updated:

- python-schedutils-Update-URL-in-python-schedutils.sp.patch
- schedutils.c-added-support-for-SCHED_DEADLINE.patch
Resolves: rhbz#1298388

Package python-slip was updated:

- Fix upstream and source URL's
Resolves: rhbz#1502397

Package python-slip-dbus was updated:

- Fix upstream and source URL's
Resolves: rhbz#1502397

Package python-urlgrabber was updated:

- Support HTTP CONNECT method with reget.
- Resolves: bug#1585596

Package pyxattr was updated:

Package qemu-guest-agent was updated:

- qemuga-qga-ignore-non-present-cpus-when-handling-qmp_guest_.patch [bz#1611062]
- qemuga-qemu-guest-agent.spec-add-systemd-devel-dependency.patch [bz#1635571]
- qemuga-configure-add-test-for-libudev.patch [bz#1635571]
- qemuga-qga-linux-report-disk-serial-number.patch [bz#1635571]
- qemuga-qga-linux-return-disk-device-in-guest-get-fsinfo.patch [bz#1635571]
- Resolves: bz#1611062
  (&quot;virsh vcpucount --guest&quot; fails after hotunplug a vcpu with intermediate order by &quot;setvcpu&quot;)
- Resolves: bz#1635571
  ([RFE] Report disk device name and serial number (qemu-guest-agent on Linux))

Package qrencode-libs was updated:

Package readline was updated:

- Add support for bracketed paste mode
  Resolves: #1573899

Package rng-tools was updated:

Package rootfiles was updated:

Package rpm was updated:

Package rpm-build-libs was updated:

Package rpm-libs was updated:

Package rpm-python was updated:

Package rsyslog was updated:

RHEL 7.9 ERRATUM
- added patch resolving buffer overflows in select() function
  resolves: rhbz#1858297

Package sed was updated:

- Fix: &quot;in-place edits on FUSE filesystems create files with all-zero mode bits&quot;
  Resolves: #1836317

Package selinux-policy was updated:

- Allow certmonger add new entries in a generic certificates directory
Resolves: rhbz#1879496
- Allow slapd add new entries in ldap certificates directory
Resolves: rhbz#1879496
- Add miscfiles_add_entry_generic_cert_dirs() interface
Resolves: rhbz#1879496

Package selinux-policy-targeted was updated:

- Allow certmonger add new entries in a generic certificates directory
Resolves: rhbz#1879496
- Allow slapd add new entries in ldap certificates directory
Resolves: rhbz#1879496
- Add miscfiles_add_entry_generic_cert_dirs() interface
Resolves: rhbz#1879496

Package setup was updated:

- add pcp to /etc/aliases (#1609875)
- set PATH if it is empty in csh.login (#1625629)

Package sg3_utils was updated:

- Reorder 59-fc-wwpn-id.rules to run after 60-persistent-storage.rules (#1785303)
- Fix the 59-fc-wwpn-id.rules syntax (#1750417)
- Add 59-fc-wwpn-id.rules (#1684302)

Package sg3_utils-libs was updated:

- Reorder 59-fc-wwpn-id.rules to run after 60-persistent-storage.rules (#1785303)
- Fix the 59-fc-wwpn-id.rules syntax (#1750417)
- Add 59-fc-wwpn-id.rules (#1684302)

Package shadow-utils was updated:

- use lckpwdf() again to disable concurrent edits of databases by
  other applications

Package shared-mime-info was updated:

- support new toplevel font types
  Resolves: #1678448

Package slang was updated:

Package sles_es-logos was updated:

Package sles_es-release-server was updated:

Package snappy was updated:

Package sqlite was updated:

Package sudo was updated:

- RHEL-7.9
- sudo allows privilege escalation with expire password
  Resolves: rhbz#1788196

Package suseRegisterInfo was updated:

- version 3.0.2-1
- fix file permissions (bsc#970550)

Package suseconnect-ng was updated:

Package systemd was updated:

Package systemd-libs was updated:

Package systemd-sysv was updated:

Package sysvinit-tools was updated:

Package tar was updated:

Package tcp_wrappers-libs was updated:

Package teamd was updated:

Package tuned was updated:

- Fixed SIGHUP handling
  Resolves: rhbz#1702724
- Tune irqbalance service
  Resolves: rhbz#1720042
- Added netcat requirement
  Resolves: rhbz#1746436
- sysctl: made reapply_sysctl ignore configs from /usr
  Resolves: rhbz#1776149
- profiles: define variables before use
  Resolves: rhbz#1781664

Package tzdata was updated:

- Rebase to tzdata-2020a
  - Morocco will spring forward on 2020-05-31 rather than
    previously predicted 2020-05-24.
  - Canada's Yukon region changed to year round UTC -07
    effective 2020-03-08.
  - America/Godthab was renamed to America/Nuuk.

Package usermode was updated:

- Fix inconsistent capitalization in userhelper.8
  Fix URL and Source
  Fix bogus dates
  Resolves: #1349840, #1502441

Package ustr was updated:

Package util-linux was updated:

- fix #1826719 - mount -a tries to mount already mounted cifs shares when we cannot query up to root dir
- fix #1745657 - mismatch between spec file and uuidd runtime directory

Package vim-minimal was updated:

Package virt-what was updated:

- Add patch to recognize ppc64le virtualization.
  resolves: rhbz#1147876

Package which was updated:

Package wpa_supplicant was updated:

Package xfsprogs was updated:

Package xz was updated:

Package xz-libs was updated:

Package yum was updated:

Package yum-metadata-parser was updated:

Package zlib was updated:

Package zypper was updated:

</Note>
    <Note Title="Terms of Use" Type="Legal Disclaimer" Ordinal="3" xml:lang="en">The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).</Note>
  </DocumentNotes>
  <DocumentReferences>
    <Reference Type="Self">
      <URL>https://publiccloudimagechangeinfo.suse.com/google/suse-liberty-linux-7-9-byos-v20240418-x86-64/</URL>
      <Description>Public Cloud Image Info</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/support/security/rating/</URL>
      <Description>SUSE Security Ratings</Description>
    </Reference>
  </DocumentReferences>
  <ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
    <Branch Type="Product Family" Name="Public Cloud Image google/suse-liberty-linux-7-9-byos-v20240418-x86-64">
      <Branch Type="Product Name" Name="Public Cloud Image google/suse-liberty-linux-7-9-byos-v20240418-x86-64">
        <FullProductName ProductID="Public Cloud Image google/suse-liberty-linux-7-9-byos-v20240418-x86-64">Public Cloud Image google/suse-liberty-linux-7-9-byos-v20240418-x86-64</FullProductName>
      </Branch>
    </Branch>
  </ProductTree>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Buffer overflow in the printbuf APIs in json-c before 0.12 allows remote attackers to cause a denial of service via unspecified vectors.</Note>
    </Notes>
    <CVE>CVE-2013-6370</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>5</BaseScore>
        <Vector>AV:N/AC:L/Au:N/C:N/I:N/A:P</Vector>
      </ScoreSet>
    </CVSSScoreSets>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">The hash functionality in json-c before 0.12 allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted JSON data, involving collisions.</Note>
    </Notes>
    <CVE>CVE-2013-6371</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>5</BaseScore>
        <Vector>AV:N/AC:L/Au:N/C:N/I:N/A:P</Vector>
      </ScoreSet>
    </CVSSScoreSets>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Integer overflow in the LZO algorithm variant in Oberhumer liblzo2 and lzo-2 before 2.07 on 32-bit platforms might allow remote attackers to execute arbitrary code via a crafted Literal Run.</Note>
    </Notes>
    <CVE>CVE-2014-4607</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>6.8</BaseScore>
        <Vector>AV:N/AC:M/Au:N/C:P/I:P/A:P</Vector>
      </ScoreSet>
    </CVSSScoreSets>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">libpng before 1.6.32 does not properly check the length of chunks against the user limit.</Note>
    </Notes>
    <CVE>CVE-2017-12652</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>7.5</BaseScore>
        <Vector>AV:N/AC:L/Au:N/C:P/I:P/A:P</Vector>
      </ScoreSet>
    </CVSSScoreSets>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A flaw was found in polkit before version 0.116. The implementation of the polkit_backend_interactive_authority_check_authorization function in polkitd allows to test for authentication and trigger authentication of unrelated processes owned by other users. This may result in a local DoS and information disclosure.</Note>
    </Notes>
    <CVE>CVE-2018-1116</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>3.6</BaseScore>
        <Vector>AV:L/AC:L/Au:N/C:P/I:N/A:P</Vector>
      </ScoreSet>
    </CVSSScoreSets>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes.</Note>
    </Notes>
    <CVE>CVE-2018-12020</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>5</BaseScore>
        <Vector>AV:N/AC:L/Au:N/C:N/I:P/A:N</Vector>
      </ScoreSet>
    </CVSSScoreSets>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">An issue was discovered in rsn_supp/wpa.c in wpa_supplicant 2.0 through 2.6. Under certain conditions, the integrity of EAPOL-Key messages is not checked, leading to a decryption oracle. An attacker within range of the Access Point and client can abuse the vulnerability to recover sensitive information.</Note>
    </Notes>
    <CVE>CVE-2018-14526</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>3.3</BaseScore>
        <Vector>AV:A/AC:L/Au:N/C:P/I:N/A:N</Vector>
      </ScoreSet>
    </CVSSScoreSets>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">An issue was discovered in GNU gettext 0.19.8. There is a double free in default_add_message in read-catalog.c, related to an invalid free in po_gram_parse in po-gram-gen.y, as demonstrated by lt-msgfmt.</Note>
    </Notes>
    <CVE>CVE-2018-18751</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>7.5</BaseScore>
        <Vector>AV:N/AC:L/Au:N/C:P/I:P/A:P</Vector>
      </ScoreSet>
    </CVSSScoreSets>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks).</Note>
    </Notes>
    <CVE>CVE-2018-20843</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>7.8</BaseScore>
        <Vector>AV:N/AC:L/Au:N/C:N/I:N/A:C</Vector>
      </ScoreSet>
    </CVSSScoreSets>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1 does not properly restrict file permissions while a copy operation is in progress. Instead, default permissions are used.</Note>
    </Notes>
    <CVE>CVE-2019-12450</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>7.5</BaseScore>
        <Vector>AV:N/AC:L/Au:N/C:P/I:P/A:P</Vector>
      </ScoreSet>
    </CVSSScoreSets>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Out of bounds write in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.</Note>
    </Notes>
    <CVE>CVE-2019-13734</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>6.8</BaseScore>
        <Vector>AV:N/AC:M/Au:N/C:P/I:P/A:P</Vector>
      </ScoreSet>
    </CVSSScoreSets>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.</Note>
    </Notes>
    <CVE>CVE-2019-16935</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>4.3</BaseScore>
        <Vector>AV:N/AC:M/Au:N/C:N/I:P/A:N</Vector>
      </ScoreSet>
    </CVSSScoreSets>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server.</Note>
    </Notes>
    <CVE>CVE-2019-17498</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>5.8</BaseScore>
        <Vector>AV:N/AC:M/Au:N/C:P/I:N/A:P</Vector>
      </ScoreSet>
    </CVSSScoreSets>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to newDoc-&gt;oldNs.</Note>
    </Notes>
    <CVE>CVE-2019-19956</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>5</BaseScore>
        <Vector>AV:N/AC:L/Au:N/C:N/I:N/A:P</Vector>
      </ScoreSet>
    </CVSSScoreSets>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaValidateStream memory leak.</Note>
    </Notes>
    <CVE>CVE-2019-20388</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>5</BaseScore>
        <Vector>AV:N/AC:L/Au:N/C:N/I:N/A:P</Vector>
      </ScoreSet>
    </CVSSScoreSets>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">It was found that nmcli, a command line interface to NetworkManager did not honour 802-1x.ca-path and 802-1x.phase2-ca-path settings, when creating a new profile. When a user connects to a network using this profile, the authentication does not happen and the connection is made insecurely.</Note>
    </Notes>
    <CVE>CVE-2020-10754</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>4</BaseScore>
        <Vector>AV:N/AC:L/Au:S/C:P/I:N/A:N</Vector>
      </ScoreSet>
    </CVSSScoreSets>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">An issue was discovered in dbus &gt;= 1.3.0 before 1.12.18. The DBusServer in libdbus, as used in dbus-daemon, leaks file descriptors when a message exceeds the per-message file descriptor limit. A local attacker with access to the D-Bus system bus or another system service's private AF_UNIX socket could use this to make the system service reach its file descriptor limit, denying service to subsequent D-Bus clients.</Note>
    </Notes>
    <CVE>CVE-2020-12049</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>4.9</BaseScore>
        <Vector>AV:L/AC:L/Au:N/C:N/I:N/A:C</Vector>
      </ScoreSet>
    </CVSSScoreSets>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In filter.c in slapd in OpenLDAP before 2.4.50, LDAP search filters with nested boolean expressions can result in denial of service (daemon crash).</Note>
    </Notes>
    <CVE>CVE-2020-12243</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>5</BaseScore>
        <Vector>AV:N/AC:L/Au:N/C:N/I:N/A:P</Vector>
      </ScoreSet>
    </CVSSScoreSets>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.</Note>
    </Notes>
    <CVE>CVE-2020-7595</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>5</BaseScore>
        <Vector>AV:N/AC:L/Au:N/C:N/I:N/A:P</Vector>
      </ScoreSet>
    </CVSSScoreSets>
  </Vulnerability>
</cvrfdoc>
