SUSE-IU-2024:778-1 SUSE Image security@suse.de SUSE Security Team SUSE Image SUSE-IU-2024:778-1 Interim 1 1 2025-02-21T13:26:15Z current 2024-08-08T01:00:00Z 2024-08-08T01:00:00Z cve-database/bin/generate-cvrf-publiccloud.pl 2021-02-18T01:00:00Z Image update for SUSE-IU-2024:778-1 / google/sles-15-sp5-byos-v20240808-x86-64 This image update for google/sles-15-sp5-byos-v20240808-x86-64 contains the following changes: Package cloud-regionsrv-client was updated: - Update to version 10.3.0 (bsc#1227308, bsc#1222985) + Add support for sidecar registry Podman and rootless Docker support to set up the necessary configuration for the container engines to run as defined + Add running command as root through sudoers file - Update to version 10.2.0 (bsc#1223571, bsc#1224014, bsc#1224016) + In addition to logging, write message to stderr when registration fails + Detect transactional-update system with read only setup and use the transactional-update command to register + Handle operation in a different target root directory for credentials checking Package containerd was updated: - Revert noarch for devel subpackage Switching to noarch causes issues on SLES maintenance updates, reverting it fixes our image builds Package docker was updated: [NOTE: This update was only ever released in SLES and Leap.]- Update to Docker 25.0.6-ce. See upstream changelog online at &lt;https://docs.docker.com/engine/release-notes/25.0/#2506&gt; - This update includes a fix for CVE-2024-41110. bsc#1228324 - Rebase patches: * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch * 0006-bsc1221916-update-to-patched-buildkit-version-to-fix.patch * 0007-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch - Rebase patches: * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch - Fix BuildKit's symlink resolution logic to correctly handle non-lexical symlinks. Backport of &lt;https://github.com/moby/buildkit/pull/4896&gt; and &lt;https://github.com/moby/buildkit/pull/5060&gt;. bsc#1221916 + 0006-bsc1221916-update-to-patched-buildkit-version-to-fix.patch - Write volume options atomically so sudden system crashes won't result in future Docker starts failing due to empty files. Backport of &lt;https://github.com/moby/moby/pull/48034&gt;. bsc#1214855 + 0007-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch [NOTE: This update was only ever released in SLES and Leap.] - Update to Docker 25.0.5-ce. See upstream changelog online at &lt;https://docs.docker.com/engine/release-notes/25.0/#2505&gt; bsc#1223409 - Rebase patches: * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch * cli-0001-docs-include-required-tools-in-source-tree.patch - Remove upstreamed patches: - 0007-daemon-overlay2-remove-world-writable-permission-fro.patch - Update --add-runtime to point to correct binary path. Package dracut was updated: - Update to version 055+suse.388.g70c21afa: * feat(crypt): force the inclusion of crypttab entries with x-initrd.attach (bsc#1226529) * fix(mdraid): try to assemble the missing raid device (bsc#1226412) * fix(dracut-install): continue parsing if ldd prints &quot;cannot be preloaded&quot; (bsc#1208690) Package krb5 was updated: - Fix vulnerabilities in GSS message token handling, add patch 0011-Fix-vulnerabilities-in-GSS-message-token-handling.patch * CVE-2024-37370, bsc#1227186 * CVE-2024-37371, bsc#1227187 Package oniguruma was updated: - Added oniguruma-6.8.2-CVE-2019-13225-fix.patch (boo#1141157 CVE-2019-13225) oniguruma: null-pointer dereference in match_at() in regexec.c Package suseconnect-ng was updated: - Update version to 1.11 - Added uname as collector - Added SAP workload detection - Added detection of container runtimes - Multiple fixes on ARM64 detection - Use `read_values` for the CPU collector on Z - Fixed data collection for ppc64le - Grab the home directory from /etc/passwd if needed (bsc#1226128) - Update version to 1.10.0 * Build zypper-migration and zypper-packages-search as standalone binaries rather then one single binary * Add --gpg-auto-import-keys flag before action in zypper command (bsc#1219004) * Include /etc/products.d in directories whose content are backed up and restored if a zypper-migration rollback happens. (bsc#1219004) * Add the ability to upload the system uptime logs, produced by the suse-uptime-tracker daemon, to SCC/RMT as part of keepalive report. (jsc#PED-7982) (jsc#PED-8018) * Add support for third party packages in SUSEConnect * Refactor existing system information collection implementation Package libxml2 was updated: - Security fix (CVE-2024-34459, bsc#1224282) buffer over-read in xmlHTMLPrintFileContext in xmllint.c * Added libxml2-CVE-2024-34459.patch Package shadow was updated: - bsc#1228770: Fix not copying of skel files Update shadow-CVE-2013-4235.patch - bsc#916845 (CVE-2013-4235): Fix TOCTOU race condition Add shadow-CVE-2013-4235.patch Package mozilla-nss was updated: - Require `sed` for mozilla-nss-sysinit, as setup-nsssysinit.sh depends on it and will create a broken, empty config, if sed is missing (bsc#1227918) - update to NSS 3.101.2 * bmo#1905691 - ChaChaXor to return after the function - Added nss-fips-safe-memset.patch, fixing bsc#1222811. - Removed some dead code from nss-fips-constructor-self-tests.patch. - Rebased nss-fips-approved-crypto-non-ec.patch on above changes. - Added nss-fips-aes-gcm-restrict.patch, fixing bsc#1222830. - Updated nss-fips-approved-crypto-non-ec.patch, fixing bsc#1222813, bsc#1222814, bsc#1222821, bsc#1222822, bsc#1224118. - Updated nss-fips-approved-crypto-non-ec.patch and nss-fips-constructor-self-tests.patch, fixing bsc#1222807, bsc#1222828, bsc#1222834. - Updated nss-fips-approved-crypto-non-ec.patch, fixing bsc#1222804, bsc#1222826, bsc#1222833, bsc#1224113, bsc#1224115, bsc#1224116. - update to NSS 3.101.1 * bmo#1901932 - missing sqlite header. * bmo#1901080 - GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME. - update to NSS 3.101 * bmo#1900413 - add diagnostic assertions for SFTKObject refcount. * bmo#1899759 - freeing the slot in DeleteCertAndKey if authentication failed * bmo#1899883 - fix formatting issues. * bmo#1889671 - Add Firmaprofesional CA Root-A Web to NSS. * bmo#1899593 - remove invalid acvp fuzz test vectors. * bmo#1898830 - pad short P-384 and P-521 signatures gtests. * bmo#1898627 - remove unused FreeBL ECC code. * bmo#1898830 - pad short P-384 and P-521 signatures. * bmo#1898825 - be less strict about ECDSA private key length. * bmo#1854439 - Integrate HACL* P-521. * bmo#1854438 - Integrate HACL* P-384. * bmo#1898074 - memory leak in create_objects_from_handles. * bmo#1898858 - ensure all input is consumed in a few places in mozilla::pkix * bmo#1884444 - SMIME/CMS and PKCS #12 do not integrate with modern NSS policy * bmo#1748105 - clean up escape handling * bmo#1896353 - Use lib::pkix as default validator instead of the old-one * bmo#1827444 - Need to add high level support for PQ signing. * bmo#1548723 - Certificate Compression: changing the allocation/freeing of buffer + Improving the documentation * bmo#1884444 - SMIME/CMS and PKCS #12 do not integrate with modern NSS policy * bmo#1893404 - Allow for non-full length ecdsa signature when using softoken * bmo#1830415 - Modification of .taskcluster.yml due to mozlint indent defects * bmo#1793811 - Implement support for PBMAC1 in PKCS#12 * bmo#1897487 - disable VLA warnings for fuzz builds. * bmo#1895032 - remove redundant AllocItem implementation. * bmo#1893334 - add PK11_ReadDistrustAfterAttribute. * bmo#215997 - Clang-formatting of SEC_GetMgfTypeByOidTag update * bmo#1895012 - Set SEC_ERROR_LIBRARY_FAILURE on self-test failure * bmo#1894572 - sftk_getParameters(): Fix fallback to default variable after error with configfile. * bmo#1830415 - Switch to the mozillareleases/image_builder image - Follow upstream changes in nss-fips-constructor-self-tests.patch (switch from ec_field_GFp to ec_field_plain) - Remove part of nss-fips-zeroization.patch that got removed upstream - update to NSS 3.100 - bmo#1893029 - merge pk11_kyberSlotList into pk11_ecSlotList for faster Xyber operations. - bmo#1893752 - remove ckcapi. - bmo#1893162 - avoid a potential PK11GenericObject memory leak. - bmo#671060 - Remove incomplete ESDH code. - bmo#215997 - Decrypt RSA OAEP encrypted messages. - bmo#1887996 - Fix certutil CRLDP URI code. - bmo#1890069 - Don't set CKA_DERIVE for CKK_EC_EDWARDS private keys. - bmo#676118 - Add ability to encrypt and decrypt CMS messages using ECDH. - bmo#676100 - Correct Templates for key agreement in smime/cmsasn.c. - bmo#1548723 - Moving the decodedCert allocation to NSS. - bmo#1885404 - Allow developers to speed up repeated local execution of NSS tests that depend on certificates. - update to NSS 3.99 * Removing check for message len in ed25519 (bmo#1325335) * add ed25519 to SECU_ecName2params. (bmo#1884276) * add EdDSA wycheproof tests. (bmo#1325335) * nss/lib layer code for EDDSA. (bmo#1325335) * Adding EdDSA implementation. (bmo#1325335) * Exporting Certificate Compression types (bmo#1881027) * Updating ACVP docker to rust 1.74 (bmo#1880857) * Updating HACL* to 0f136f28935822579c244f287e1d2a1908a7e552 (bmo#1325335) * Add NSS_CMSRecipient_IsSupported. (bmo#1877730) - update to NSS 3.98 * bmo#1780432 - (CVE-2023-5388) Timing attack against RSA decryption in TLS * bmo#1879513 - Certificate Compression: enabling the check that the compression was advertised * bmo#1831552 - Move Windows workers to nss-1/b-win2022-alpha * bmo#1879945 - Remove Email trust bit from OISTE WISeKey Global Root GC CA * bmo#1877344 - Replace `distutils.spawn.find_executable` with `shutil.which` within `mach` in `nss` * bmo#1548723 - Certificate Compression: Updating nss_bogo_shim to support Certificate compression * bmo#1548723 - TLS Certificate Compression (RFC 8879) Implementation * bmo#1875356 - Add valgrind annotations to freebl kyber operations for constant-time execution tests * bmo#1870673 - Set nssckbi version number to 2.66 * bmo#1874017 - Add Telekom Security roots * bmo#1873095 - Add D-Trust 2022 S/MIME roots * bmo#1865450 - Remove expired Security Communication RootCA1 root * bmo#1876179 - move keys to a slot that supports concatenation in PK11_ConcatSymKeys * bmo#1876800 - remove unmaintained tls-interop tests * bmo#1874937 - bogo: add support for the -ipv6 and -shim-id shim flags * bmo#1874937 - bogo: add support for the -curves shim flag and update Kyber expectations * bmo#1874937 - bogo: adjust expectation for a key usage bit test * bmo#1757758 - mozpkix: add option to ignore invalid subject alternative names * bmo#1841029 - Fix selfserv not stripping `publicname:` from -X value * bmo#1876390 - take ownership of ecckilla shims * bmo#1874458 - add valgrind annotations to freebl/ec.c * bmo#864039 - PR_INADDR_ANY needs PR_htonl before assignment to inet.ip * bmo#1875965 - Update zlib to 1.3.1 - Use %patch -P N instead of deprecated %patchN. - update to NSS 3.97 * bmo#1875506 - make Xyber768d00 opt-in by policy * bmo#1871631 - add libssl support for xyber768d00 * bmo#1871630 - add PK11_ConcatSymKeys * bmo#1775046 - add Kyber and a PKCS#11 KEM interface to softoken * bmo#1871152 - add a FreeBL API for Kyber * bmo#1826451 - part 2: vendor github.com/pq-crystals/kyber/commit/e0d1c6ff * bmo#1826451 - part 1: add a script for vendoring kyber from pq-crystals repo * bmo#1835828 - Removing the calls to RSA Blind from loader.* * bmo#1874111 - fix worker type for level3 mac tasks * bmo#1835828 - RSA Blind implementation * bmo#1869642 - Remove DSA selftests * bmo#1873296 - read KWP testvectors from JSON * bmo#1822450 - Backed out changeset dcb174139e4f * bmo#1822450 - Fix CKM_PBE_SHA1_DES2_EDE_CBC derivation * bmo#1871219 - Wrap CC shell commands in gyp expansions - update to NSS 3.96.1 * bmo#1869408 - Use pypi dependencies for MacOS worker in ./build_gyp.sh * bmo#1830978 - p7sign: add -a hash and -u certusage (also p7verify cleanups) * bmo#1867408 - add a defensive check for large ssl_DefSend return values * bmo#1869378 - Add dependency to the taskcluster script for Darwin * bmo#1869378 - Upgrade version of the MacOS worker for the CI - add nss-allow-slow-tests-s390x.patch: &quot;certutil dump keys with explicit default trust flags&quot; test needs longer than the allowed 6 seconds on s390x - update to NSS 3.95 * bmo#1842932 - Bump builtins version number. * bmo#1851044 - Remove Email trust bit from Autoridad de Certificacion Firmaprofesional CIF A62634068 root cert. * bmo#1855318 - Remove 4 DigiCert (Symantec/Verisign) Root Certificates * bmo#1851049 - Remove 3 TrustCor Root Certificates from NSS. * bmo#1850982 - Remove Camerfirma root certificates from NSS. * bmo#1842935 - Remove old Autoridad de Certificacion Firmaprofesional Certificate. * bmo#1860670 - Add four Commscope root certificates to NSS. * bmo#1850598 - Add TrustAsia Global Root CA G3 and G4 root certificates. * bmo#1863605 - Include P-384 and P-521 Scalar Validation from HACL* * bmo#1861728 - Include P-256 Scalar Validation from HACL*. * bmo#1861265 - After the HACL 256 ECC patch, NSS incorrectly encodes 256 ECC without DER wrapping at the softoken level * bmo#1837987 - Add means to provide library parameters to C_Initialize * bmo#1573097 - clang format * bmo#1854795 - add OSXSAVE and XCR0 tests to AVX2 detection. * bmo#1858241 - Typo in ssl3_AppendHandshakeNumber * bmo#1858241 - Introducing input check of ssl3_AppendHandshakeNumber * bmo#1573097 - Fix Invalid casts in instance.c - update to NSS 3.94 * bmo#1853737 - Updated code and commit ID for HACL* * bmo#1840510 - update ACVP fuzzed test vector: refuzzed with current NSS * bmo#1827303 - Softoken C_ calls should use system FIPS setting to select NSC_ or FC_ variants * bmo#1774659 - NSS needs a database tool that can dump the low level representation of the database * bmo#1852179 - declare string literals using char in pkixnames_tests.cpp * bmo#1852179 - avoid implicit conversion for ByteString * bmo#1818766 - update rust version for acvp docker * bmo#1852011 - Moving the init function of the mpi_ints before clean-up in ec.c * bmo#1615555 - P-256 ECDH and ECDSA from HACL* * bmo#1840510 - Add ACVP test vectors to the repository * bmo#1849077 - Stop relying on std::basic_string&lt;uint8_t&gt; * bmo#1847845 - Transpose the PPC_ABI check from Makefile to gyp - rebased patches - added nss-fips-test.patch to fix broken test - Update to NSS 3.93: * bmo#1849471 - Update zlib in NSS to 1.3. * bmo#1848183 - softoken: iterate hashUpdate calls for long inputs. * bmo#1813401 - regenerate NameConstraints test certificates (boo#1214980). - Rebase nss-fips-pct-pubkeys.patch. - update to NSS 3.92 * bmo#1822935 - Set nssckbi version number to 2.62 * bmo#1833270 - Add 4 Atos TrustedRoot Root CA certificates to NSS * bmo#1839992 - Add 4 SSL.com Root CA certificates * bmo#1840429 - Add Sectigo E46 and R46 Root CA certificates * bmo#1840437 - Add LAWtrust Root CA2 (4096) * bmo#1822936 - Remove E-Tugra Certification Authority root * bmo#1827224 - Remove Camerfirma Chambers of Commerce Root. * bmo#1840505 - Remove Hongkong Post Root CA 1 * bmo#1842928 - Remove E-Tugra Global Root CA ECC v3 and RSA v3 * bmo#1842937 - Avoid redefining BYTE_ORDER on hppa Linux - update to NSS 3.91 * bmo#1837431 - Implementation of the HW support check for ADX instruction * bmo#1836925 - Removing the support of Curve25519 * bmo#1839795 - Fix comment about the addition of ticketSupportsEarlyData * bmo#1839327 - Adding args to enable-legacy-db build * bmo#1835357 - dbtests.sh failure in &quot;certutil dump keys with explicit default trust flags&quot; * bmo#1837617 - Initialize flags in slot structures * bmo#1835425 - Improve the length check of RSA input to avoid heap overflow * bmo#1829112 - Followup Fixes * bmo#1784253 - avoid processing unexpected inputs by checking for m_exptmod base sign * bmo#1826652 - add a limit check on order_k to avoid infinite loop * bmo#1834851 - Update HACL* to commit 5f6051d2 * bmo#1753026 - add SHA3 to cryptohi and softoken * bmo#1753026 - HACL SHA3 * bmo#1836781 - Disabling ASM C25519 for A but X86_64 - removed upstreamed patch nss-fix-bmo1836925.patch - update to NSS 3.90.3 * bmo#1901080 - GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME. * bmo#1748105 - clean up escape handling. * bmo#1895032 - remove redundant AllocItem implementation. * bmo#1836925 - Disable ASM support for Curve25519. * bmo#1836781 - Disable ASM support for Curve25519 for all but X86_64. - remove upstreamed nss-fix-bmo1836925.patch - Adding nss-fips-bsc1223724.patch to fix startup crash of Firefox when using FIPS-mode (bsc#1223724). - Added &quot;Provides: nss&quot; so other RPMs that require 'nss' can be installed (jira PED-6358). Package patterns-base was updated: - Added a fips-certified pattern matching the exact certified FIPS versions Package python3-lxml was updated: - Add libexpat-2.6.0-backport.patch to fix compatibility with system libexpat in tests (bsc#1222075, CVE-2023-52425). Package salt was updated: - Speed up salt.matcher.confirm_top by using __context__- Do not call the async wrapper calls with the separate thread - Prevent OOM with high amount of batch async calls (bsc#1216063) - Add missing contextvars dependency in salt.version - Skip tests for unsupported algorithm on old OpenSSL version - Remove redundant `_file_find` call to the master - Prevent possible exception in tornado.concurrent.Future._set_done - Make reactor engine less blocking the EventPublisher - Make salt-master self recoverable on killing EventPublisher - Improve broken events catching and reporting - Make logging calls lighter - Remove unused import causing delays on starting salt-master - Mark python3-CherryPy as recommended package for the testsuite - Added: * skip-tests-for-unsupported-algorithm-on-old-openssl-.patch * make-reactor-engine-less-blocking-the-eventpublisher.patch * remove-unused-import-causing-delays-on-starting-salt.patch * make-logging-calls-lighter.patch * remove-redundant-_file_find-call-to-the-master.patch * prevent-possible-exception-in-tornado.concurrent.fut.patch * do-not-call-the-async-wrapper-calls-with-the-separat.patch * add-missing-contextvars-dependency-in-salt.version.patch * prevent-oom-with-high-amount-of-batch-async-calls-bs.patch * speed-up-salt.matcher.confirm_top-by-using-__context.patch * improve-broken-events-catching-and-reporting.patch * make-salt-master-self-recoverable-on-killing-eventpu.patch Package python-urllib3 was updated: Package runc was updated: [ This was only ever released for SLES and Leap. ]- Update to runc v1.1.13. Upstream changelog is available from &lt;https://github.com/opencontainers/runc/releases/tag/v1.1.12&gt;. - Rebase patches: * 0001-bsc1221050-libct-seccomp-patchbpf-rm-duplicated-code.patch * 0002-bsc1221050-seccomp-patchbpf-rename-nativeArch-linuxA.patch * 0003-bsc1221050-seccomp-patchbpf-always-include-native-ar.patch - Backport &lt;https://github.com/opencontainers/runc/pull/3931&gt; to fix a performance issue when running lots of containers, caused by system getting too many mount notifications. bsc#1214960 + 0004-bsc1214960-nsenter-cloned_binary-remove-bindfd-logic.patch Package 000release-packages:sle-module-basesystem-release was updated: Package 000release-packages:sle-module-containers-release was updated: Package 000release-packages:sle-module-desktop-applications-release was updated: Package 000release-packages:sle-module-development-tools-release was updated: Package 000release-packages:sle-module-public-cloud-release was updated: Package 000release-packages:sle-module-server-applications-release was updated: Package 000release-packages:SLES-release was updated: Package suse-build-key was updated: - added missing ; in shell script (bsc#1227681) - Added new keys of the SLE Micro 6.0 / SLES 16 series, and auto import them. (bsc#1227429) gpg-pubkey-09d9ea69-645b99ce.asc: Main SLE Micro 6/SLES 16 key gpg-pubkey-73f03759-626bd414.asc: Backup SLE Micro 6/SLES 16 key. Package wicked was updated: - Update to version 0.6.76 - compat-suse: warn user and create missing parent config of infiniband children (gh#openSUSE/wicked#1027) - client: fix origin in loaded xml-config with obsolete port references but missing port interface config, causing a no-carrier of master (bsc#1226125) - ipv6: fix setup on ipv6.disable=1 kernel cmdline (bsc#1225976) - wireless: add frequency-list in station mode (jsc#PED-8715) - client: fix crash while hierarchy traversing due to loop in e.g. systemd-nspawn containers (bsc#1226664) - man: add supported bonding options to ifcfg-bonding(5) man page (gh#openSUSE/wicked#1021) - arputil: Document minimal interval for getopts (gh#openSUSE/wicked#1019) - man: (re)generate man pages from md sources (gh#openSUSE/wicked#1018) - client: warn on interface wait time reached (gh#openSUSE/wicked#1017) - compat-suse: fix dummy type detection from ifname to not cause conflicts with e.g. correct vlan config on dummy0.42 interfaces (gh#openSUSE/wicked#1016) - compat-suse: fix infiniband and infiniband child type detection from ifname (gh#openSUSE/wicked#1015) - Removed patches included in the source archive: [- 0001-ifreload-pull-UP-again-on-master-lower-changes-bsc1224100.patch] [- 0002-increase-arp-retry-attempts-on-sending-bsc1218668.patch] Package xen was updated: - bsc#1227355 - VUL-0: CVE-2024-31143: xen: double unlock in x86 guest IRQ handling (XSA-458) xsa458.patch - bsc#1214718 - The system hangs intermittently when Power Control Mode is set to Minimum Power on SLES15SP5 Xen 6666ba52-x86-irq-remove-offline-CPUs-from-old-CPU-mask-when.patch 666994ab-x86-SMP-no-shorthand-IPI-in-hotplug.patch 666994f0-x86-IRQ-limit-interrupt-movement-in-fixup_irqs.patch 66718849-x86-IRQ-old_cpu_mask-in-fixup_irqs.patch 6671885e-x86-IRQ-handle-moving-in-_assign_irq_vector.patch 6673ffdc-x86-IRQ-forward-pending-to-new-dest-in-fixup_irqs.patch - Upstream bug fixes (bsc#1027519) 6646031f-x86-ucode-further-identify-already-up-to-date.patch 666b07ee-x86-EPT-special-page-in-epte_get_entry_emt.patch 666b0819-x86-EPT-avoid-marking-np-ents-for-reconfig.patch 666b085a-x86-EPT-drop-questionable-mfn_valid-from-.patch 667187cc-x86-Intel-unlock-CPUID-earlier.patch 6672c846-x86-xstate-initialisation-of-XSS-cache.patch 6672c847-x86-CPUID-XSAVE-dynamic-leaves.patch - bsc#1221984 - VUL-0: CVE-2023-46842: xen: x86 HVM hypercalls may trigger Xen bug check (XSA-454) 6617d62c-x86-hvm-Misra-Rule-19-1-regression.patch - Upstream bug fixes (bsc#1027519) 6627a4ee-vRTC-UIP-set-for-longer-than-expected.patch 6627a5fc-x86-MTRR-inverted-WC-check.patch 662a6a4c-x86-spec-reporting-of-BHB-clearing.patch 662a6a8d-x86-spec-adjust-logic-to-elide-LFENCE.patch 663090fd-x86-gen-cpuid-syntax.patch 663a383c-libxs-open-xenbus-fds-as-O_CLOEXEC.patch 663a4f3e-x86-cpu-policy-migration-IceLake-to-CascadeLake.patch 663d05b5-x86-ucode-distinguish-up-to-date.patch 663eaa27-libxl-XenStore-error-handling-in-device-creation.patch 66450626-sched-set-all-sched_resource-data-inside-locked.patch 66450627-x86-respect-mapcache_domain_init-failing.patch Package xfsprogs was updated: - xfs_copy: don't use cached buffer reads until after libxfs_mount (bsc#1227150) - Add xfsprogs-xfs_copy-don-t-use-cached-buffer-reads-until-after-l.patch The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://publiccloudimagechangeinfo.suse.com/google/sles-15-sp5-byos-v20240808-x86-64/ Public Cloud Image Info https://www.suse.com/support/security/rating/ SUSE Security Ratings Public Cloud Image google/sles-15-sp5-byos-v20240808-x86-64 cloud-regionsrv-client-10.3.0-150500.2.1 cloud-regionsrv-client-plugin-gce-1.0.0-150500.2.1 containerd-1.7.17-150000.114.1 docker-25.0.6_ce-150000.203.1 dracut-055+suse.388.g70c21afa-150500.3.21.2 google-guest-agent-20240314.00-150400.1.48.7 google-guest-configs-20240307.00-150400.13.11.6 google-guest-oslogin-20240311.00-150400.1.45.7 google-osconfig-agent-20240320.00-150400.1.35.7 growpart-rootgrow-1.0.7-150400.1.14.7 krb5-1.20.1-150500.3.9.1 krb5-client-1.20.1-150500.3.9.1 libassuan0-2.5.5-150000.4.7.1 libonig4-6.7.0-150000.3.6.1 libprocps8-3.3.17-150000.7.39.1 libpython3_6m1_0-3.6.15-150300.10.65.1 libsuseconnect-1.11.0-150500.3.26.4 libxcb1-1.13-150000.3.11.1 libxml2-2-2.10.3-150500.5.17.1 login_defs-4.8.1-150400.10.21.1 mozilla-nss-certs-3.101.2-150400.3.48.1 patterns-base-minimal_base-20200124-150400.20.10.1 procps-3.3.17-150000.7.39.1 python-instance-billing-flavor-check-0.0.6-150400.1.11.7 python3-3.6.15-150300.10.65.2 python3-base-3.6.15-150300.10.65.1 python3-cssselect-1.0.3-150400.3.7.4 python3-curses-3.6.15-150300.10.65.2 python3-lxml-4.9.1-150500.3.4.3 python3-salt-3006.0-150500.4.38.2 python3-urllib3-1.25.10-150300.4.12.1 runc-1.1.13-150000.67.1 salt-3006.0-150500.4.38.2 salt-minion-3006.0-150500.4.38.2 shadow-4.8.1-150400.10.21.1 suse-build-key-12.0-150000.8.49.2 suseconnect-ng-1.11.0-150500.3.26.4 suseconnect-ruby-bindings-1.11.0-150500.3.26.4 wicked-0.6.76-150500.3.33.1 wicked-service-0.6.76-150500.3.33.1 xen-libs-4.17.4_04-150500.3.33.1 xfsprogs-5.13.0-150400.3.10.2 cloud-regionsrv-client-10.3.0-150500.2.1 as a component of Public Cloud Image google/sles-15-sp5-byos-v20240808-x86-64 cloud-regionsrv-client-plugin-gce-1.0.0-150500.2.1 as a component of Public Cloud Image google/sles-15-sp5-byos-v20240808-x86-64 containerd-1.7.17-150000.114.1 as a component of Public Cloud Image google/sles-15-sp5-byos-v20240808-x86-64 docker-25.0.6_ce-150000.203.1 as a component of Public Cloud Image google/sles-15-sp5-byos-v20240808-x86-64 dracut-055+suse.388.g70c21afa-150500.3.21.2 as a component of Public Cloud Image google/sles-15-sp5-byos-v20240808-x86-64 google-guest-agent-20240314.00-150400.1.48.7 as a component of Public Cloud Image google/sles-15-sp5-byos-v20240808-x86-64 google-guest-configs-20240307.00-150400.13.11.6 as a component of Public Cloud Image google/sles-15-sp5-byos-v20240808-x86-64 google-guest-oslogin-20240311.00-150400.1.45.7 as a component of Public Cloud Image google/sles-15-sp5-byos-v20240808-x86-64 google-osconfig-agent-20240320.00-150400.1.35.7 as a component of Public Cloud Image google/sles-15-sp5-byos-v20240808-x86-64 growpart-rootgrow-1.0.7-150400.1.14.7 as a component of Public Cloud Image google/sles-15-sp5-byos-v20240808-x86-64 krb5-1.20.1-150500.3.9.1 as a component of Public Cloud Image google/sles-15-sp5-byos-v20240808-x86-64 krb5-client-1.20.1-150500.3.9.1 as a component of Public Cloud Image google/sles-15-sp5-byos-v20240808-x86-64 libassuan0-2.5.5-150000.4.7.1 as a component of Public Cloud Image google/sles-15-sp5-byos-v20240808-x86-64 libonig4-6.7.0-150000.3.6.1 as a component of Public Cloud Image google/sles-15-sp5-byos-v20240808-x86-64 libprocps8-3.3.17-150000.7.39.1 as a component of Public Cloud Image google/sles-15-sp5-byos-v20240808-x86-64 libpython3_6m1_0-3.6.15-150300.10.65.1 as a component of Public Cloud Image google/sles-15-sp5-byos-v20240808-x86-64 libsuseconnect-1.11.0-150500.3.26.4 as a component of Public Cloud Image google/sles-15-sp5-byos-v20240808-x86-64 libxcb1-1.13-150000.3.11.1 as a component of Public Cloud Image google/sles-15-sp5-byos-v20240808-x86-64 libxml2-2-2.10.3-150500.5.17.1 as a component of Public Cloud Image google/sles-15-sp5-byos-v20240808-x86-64 login_defs-4.8.1-150400.10.21.1 as a component of Public Cloud Image google/sles-15-sp5-byos-v20240808-x86-64 mozilla-nss-certs-3.101.2-150400.3.48.1 as a component of Public Cloud Image google/sles-15-sp5-byos-v20240808-x86-64 patterns-base-minimal_base-20200124-150400.20.10.1 as a component of Public Cloud Image google/sles-15-sp5-byos-v20240808-x86-64 procps-3.3.17-150000.7.39.1 as a component of Public Cloud Image google/sles-15-sp5-byos-v20240808-x86-64 python-instance-billing-flavor-check-0.0.6-150400.1.11.7 as a component of Public Cloud Image google/sles-15-sp5-byos-v20240808-x86-64 python3-3.6.15-150300.10.65.2 as a component of Public Cloud Image google/sles-15-sp5-byos-v20240808-x86-64 python3-base-3.6.15-150300.10.65.1 as a component of Public Cloud Image google/sles-15-sp5-byos-v20240808-x86-64 python3-cssselect-1.0.3-150400.3.7.4 as a component of Public Cloud Image google/sles-15-sp5-byos-v20240808-x86-64 python3-curses-3.6.15-150300.10.65.2 as a component of Public Cloud Image google/sles-15-sp5-byos-v20240808-x86-64 python3-lxml-4.9.1-150500.3.4.3 as a component of Public Cloud Image google/sles-15-sp5-byos-v20240808-x86-64 python3-salt-3006.0-150500.4.38.2 as a component of Public Cloud Image google/sles-15-sp5-byos-v20240808-x86-64 python3-urllib3-1.25.10-150300.4.12.1 as a component of Public Cloud Image google/sles-15-sp5-byos-v20240808-x86-64 runc-1.1.13-150000.67.1 as a component of Public Cloud Image google/sles-15-sp5-byos-v20240808-x86-64 salt-3006.0-150500.4.38.2 as a component of Public Cloud Image google/sles-15-sp5-byos-v20240808-x86-64 salt-minion-3006.0-150500.4.38.2 as a component of Public Cloud Image google/sles-15-sp5-byos-v20240808-x86-64 shadow-4.8.1-150400.10.21.1 as a component of Public Cloud Image google/sles-15-sp5-byos-v20240808-x86-64 suse-build-key-12.0-150000.8.49.2 as a component of Public Cloud Image google/sles-15-sp5-byos-v20240808-x86-64 suseconnect-ng-1.11.0-150500.3.26.4 as a component of Public Cloud Image google/sles-15-sp5-byos-v20240808-x86-64 suseconnect-ruby-bindings-1.11.0-150500.3.26.4 as a component of Public Cloud Image google/sles-15-sp5-byos-v20240808-x86-64 wicked-0.6.76-150500.3.33.1 as a component of Public Cloud Image google/sles-15-sp5-byos-v20240808-x86-64 wicked-service-0.6.76-150500.3.33.1 as a component of Public Cloud Image google/sles-15-sp5-byos-v20240808-x86-64 xen-libs-4.17.4_04-150500.3.33.1 as a component of Public Cloud Image google/sles-15-sp5-byos-v20240808-x86-64 xfsprogs-5.13.0-150400.3.10.2 as a component of Public Cloud Image google/sles-15-sp5-byos-v20240808-x86-64 shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees CVE-2013-4235 Public Cloud Image google/sles-15-sp5-byos-v20240808-x86-64:login_defs-4.8.1-150400.10.21.1 Public Cloud Image google/sles-15-sp5-byos-v20240808-x86-64:shadow-4.8.1-150400.10.21.1 moderate 3.3 AV:L/AC:M/Au:N/C:N/I:P/A:P A NULL Pointer Dereference in match_at() in regexec.c in Oniguruma 6.9.2 allows attackers to potentially cause denial of service by providing a crafted regular expression. Oniguruma issues often affect Ruby, as well as common optional libraries for PHP and Rust. CVE-2019-13225 Public Cloud Image google/sles-15-sp5-byos-v20240808-x86-64:libonig4-6.7.0-150000.3.6.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P Unlike 32-bit PV guests, HVM guests may switch freely between 64-bit and other modes. This in particular means that they may set registers used to pass 32-bit-mode hypercall arguments to values outside of the range 32-bit code would be able to set them to. When processing of hypercalls takes a considerable amount of time, the hypervisor may choose to invoke a hypercall continuation. Doing so involves putting (perhaps updated) hypercall arguments in respective registers. For guests not running in 64-bit mode this further involves a certain amount of translation of the values. Unfortunately internal sanity checking of these translated values assumes high halves of registers to always be clear when invoking a hypercall. When this is found not to be the case, it triggers a consistency check in the hypervisor and causes a crash. CVE-2023-46842 Public Cloud Image google/sles-15-sp5-byos-v20240808-x86-64:xen-libs-4.17.4_04-150500.3.33.1 moderate libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed. CVE-2023-52425 Public Cloud Image google/sles-15-sp5-byos-v20240808-x86-64:python3-lxml-4.9.1-150500.3.4.3 moderate NSS was susceptible to a timing side-channel attack when performing RSA decryption. This attack could potentially allow an attacker to recover the private data. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9. CVE-2023-5388 Public Cloud Image google/sles-15-sp5-byos-v20240808-x86-64:mozilla-nss-certs-3.101.2-150400.3.48.1 moderate An optional feature of PCI MSI called "Multiple Message" allows a device to use multiple consecutive interrupt vectors. Unlike for MSI-X, the setting up of these consecutive vectors needs to happen all in one go. In this handling an error path could be taken in different situations, with or without a particular lock held. This error path wrongly releases the lock even when it is not currently held. CVE-2024-31143 Public Cloud Image google/sles-15-sp5-byos-v20240808-x86-64:xen-libs-4.17.4_04-150500.3.33.1 important An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c. CVE-2024-34459 Public Cloud Image google/sles-15-sp5-byos-v20240808-x86-64:libxml2-2-2.10.3-150500.5.17.1 low In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application. CVE-2024-37370 Public Cloud Image google/sles-15-sp5-byos-v20240808-x86-64:krb5-1.20.1-150500.3.9.1 Public Cloud Image google/sles-15-sp5-byos-v20240808-x86-64:krb5-client-1.20.1-150500.3.9.1 important In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields. CVE-2024-37371 Public Cloud Image google/sles-15-sp5-byos-v20240808-x86-64:krb5-1.20.1-150500.3.9.1 Public Cloud Image google/sles-15-sp5-byos-v20240808-x86-64:krb5-client-1.20.1-150500.3.9.1 moderate urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it's possible to accidentally configure the `Proxy-Authorization` header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects. Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the `Proxy-Authorization` header during cross-origin redirects to avoid the small chance that users are doing this on accident. Users should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the `Proxy-Authorization` header, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach. We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited: 1. Setting the `Proxy-Authorization` header without using urllib3's built-in proxy support. 2. Not disabling HTTP redirects. 3. Either not using an HTTPS origin server or for the proxy or target origin to redirect to a malicious origin. Users are advised to update to either version 1.26.19 or version 2.2.2. Users unable to upgrade may use the `Proxy-Authorization` header with urllib3's `ProxyManager`, disable HTTP redirects using `redirects=False` when sending requests, or not user the `Proxy-Authorization` header as mitigations. CVE-2024-37891 Public Cloud Image google/sles-15-sp5-byos-v20240808-x86-64:python3-urllib3-1.25.10-150300.4.12.1 moderate Moby is an open-source project created by Docker for software containerization. A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood of this being exploited is low. Using a specially-crafted API request, an Engine API client could make the daemon forward the request or response to an authorization plugin without the body. In certain circumstances, the authorization plugin may allow a request which it would have otherwise denied if the body had been forwarded to it. A security issue was discovered In 2018, where an attacker could bypass AuthZ plugins using a specially crafted API request. This could lead to unauthorized actions, including privilege escalation. Although this issue was fixed in Docker Engine v18.09.1 in January 2019, the fix was not carried forward to later major versions, resulting in a regression. Anyone who depends on authorization plugins that introspect the request and/or response body to make access control decisions is potentially impacted. Docker EE v19.03.x and all versions of Mirantis Container Runtime are not vulnerable. docker-ce v27.1.1 containes patches to fix the vulnerability. Patches have also been merged into the master, 19.03, 20.0, 23.0, 24.0, 25.0, 26.0, and 26.1 release branches. If one is unable to upgrade immediately, avoid using AuthZ plugins and/or restrict access to the Docker API to trusted parties, following the principle of least privilege. CVE-2024-41110 Public Cloud Image google/sles-15-sp5-byos-v20240808-x86-64:docker-25.0.6_ce-150000.203.1 critical