<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
  <DocumentTitle xml:lang="en">SUSE-IU-2024:837-1</DocumentTitle>
  <DocumentType>SUSE Image</DocumentType>
  <DocumentPublisher Type="Vendor">
    <ContactDetails>security@suse.de</ContactDetails>
    <IssuingAuthority>SUSE Security Team</IssuingAuthority>
  </DocumentPublisher>
  <DocumentTracking>
    <Identification>
      <ID>SUSE Image SUSE-IU-2024:837-1</ID>
    </Identification>
    <Status>Interim</Status>
    <Version>1</Version>
    <RevisionHistory>
      <Revision>
        <Number>1</Number>
        <Date>2025-02-25T12:15:28Z</Date>
        <Description>current</Description>
      </Revision>
    </RevisionHistory>
    <InitialReleaseDate>2024-08-09T01:00:00Z</InitialReleaseDate>
    <CurrentReleaseDate>2024-08-09T01:00:00Z</CurrentReleaseDate>
    <Generator>
      <Engine>cve-database/bin/generate-cvrf-publiccloud.pl</Engine>
      <Date>2021-02-18T01:00:00Z</Date>
    </Generator>
  </DocumentTracking>
  <DocumentNotes>
    <Note Title="Topic" Type="Summary" Ordinal="1" xml:lang="en">Image update for SUSE-IU-2024:837-1 / google/sles-15-sp5-chost-byos-v20240809-arm64</Note>
    <Note Title="Details" Type="General" Ordinal="2" xml:lang="en">This image update for google/sles-15-sp5-chost-byos-v20240809-arm64 contains the following changes:
Package bind was updated:

- Upgrade to release 9.16.50
  Bug Fixes:
  * A regression in cache-cleaning code enabled memory use to grow
    significantly more quickly than before, until the configured
    max-cache-size limit was reached. This has been fixed.
  * Using rndc flush inadvertently caused cache cleaning to become
    less effective. This could ultimately lead to the configured
    max-cache-size limit being exceeded and has now been fixed.
  * The logic for cleaning up expired cached DNS records was
    tweaked to be more aggressive. This change helps with enforcing
    max-cache-ttl and max-ncache-ttl in a timely manner.
  * It was possible to trigger a use-after-free assertion when the
    overmem cache cleaning was initiated. This has been fixed.
  New Features:
  * Added RESOLVER.ARPA to the built in empty zones.
- Security Fixes:
  * It is possible to craft excessively large numbers of resource
    record types for a given owner name, which has the effect of
    slowing down database processing. This has been addressed by
    adding a configurable limit to the number of records that can
    be stored per name and type in a cache or zone database. The
    default is 100, which can be tuned with the new
    max-types-per-name option. (CVE-2024-1737)
    [bsc#1228256, bind-9.16-CVE-2024-1737.patch]
  * Validating DNS messages signed using the SIG(0) protocol (RFC
    2931) could cause excessive CPU load, leading to a
    denial-of-service condition. Support for SIG(0) message
    validation was removed from this version of named.
    (CVE-2024-1975)
    [bsc#1228257, bind-9.16-CVE-2024-1975.patch]
  * When looking up the NS records of parent zones as part of
    looking up DS records, it was possible for named to trigger an
    assertion failure if serve-stale was enabled. This has been
    fixed. (CVE-2024-4076)
    [bsc#1228258, bind-9.16-CVE-2024-4076.patch]

Package docker was updated:

[NOTE: This update was only ever released in SLES and Leap.]
- Update to Docker 25.0.6-ce. See upstream changelog online at
  &lt;https://docs.docker.com/engine/release-notes/25.0/#2506&gt;
- This update includes a fix for CVE-2024-41110. bsc#1228324
- Rebase patches:
  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
  * 0006-bsc1221916-update-to-patched-buildkit-version-to-fix.patch
  * 0007-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch

- Rebase patches:
  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
- Fix BuildKit's symlink resolution logic to correctly handle non-lexical
  symlinks. Backport of &lt;https://github.com/moby/buildkit/pull/4896&gt; and
  &lt;https://github.com/moby/buildkit/pull/5060&gt;. bsc#1221916
  + 0006-bsc1221916-update-to-patched-buildkit-version-to-fix.patch
- Write volume options atomically so sudden system crashes won't result in
  future Docker starts failing due to empty files. Backport of
  &lt;https://github.com/moby/moby/pull/48034&gt;. bsc#1214855
  + 0007-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch

[NOTE: This update was only ever released in SLES and Leap.]
- Update to Docker 25.0.5-ce. See upstream changelog online at
  &lt;https://docs.docker.com/engine/release-notes/25.0/#2505&gt; bsc#1223409
- Rebase patches:
  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
  * cli-0001-docs-include-required-tools-in-source-tree.patch
- Remove upstreamed patches:
  - 0007-daemon-overlay2-remove-world-writable-permission-fro.patch
- Update --add-runtime to point to correct binary path.

Package dracut was updated:

- Update to version 055+suse.388.g70c21afa:
  * feat(crypt): force the inclusion of crypttab entries with x-initrd.attach (bsc#1226529)
  * fix(mdraid): try to assemble the missing raid device (bsc#1226412)
  * fix(dracut-install): continue parsing if ldd prints &quot;cannot be preloaded&quot; (bsc#1208690)

Package shadow was updated:

- bsc#1228770: Fix not copying of skel files
  Update shadow-CVE-2013-4235.patch

- bsc#916845 (CVE-2013-4235): Fix TOCTOU race condition
  Add shadow-CVE-2013-4235.patch

Package python3-lxml was updated:

- Add libexpat-2.6.0-backport.patch to fix compatibility with system libexpat in tests (bsc#1222075, CVE-2023-52425).

Package python-urllib3 was updated:

Package runc was updated:

[ This was only ever released for SLES and Leap. ]
- Update to runc v1.1.13. Upstream changelog is available from
  &lt;https://github.com/opencontainers/runc/releases/tag/v1.1.12&gt;.
- Rebase patches:
  * 0001-bsc1221050-libct-seccomp-patchbpf-rm-duplicated-code.patch
  * 0002-bsc1221050-seccomp-patchbpf-rename-nativeArch-linuxA.patch
  * 0003-bsc1221050-seccomp-patchbpf-always-include-native-ar.patch
- Backport &lt;https://github.com/opencontainers/runc/pull/3931&gt; to fix a
  performance issue when running lots of containers, caused by system getting
  too many mount notifications. bsc#1214960
  + 0004-bsc1214960-nsenter-cloned_binary-remove-bindfd-logic.patch

Package 000release-packages:sle-module-basesystem-release was updated:

Package 000release-packages:sle-module-containers-release was updated:

Package 000release-packages:sle-module-public-cloud-release was updated:

Package 000release-packages:sle-module-server-applications-release was updated:

Package 000release-packages:SLES-release was updated:

Package suseconnect-ng was updated:

- Update version to 1.11
  - Added uname as collector
  - Added SAP workload detection
  - Added detection of container runtimes
  - Multiple fixes on ARM64 detection
  - Use `read_values` for the CPU collector on Z
  - Fixed data collection for ppc64le
  - Grab the home directory from /etc/passwd if needed (bsc#1226128)

- Update version to 1.10.0
  * Build zypper-migration and zypper-packages-search as standalone
    binaries rather than one single binary
  * Add --gpg-auto-import-keys flag before action in zypper command (bsc#1219004)
  * Include /etc/products.d in directories whose content are backed
    up and restored if a zypper-migration rollback happens. (bsc#1219004)
  * Add the ability to upload the system uptime logs, produced by the
    suse-uptime-tracker daemon, to SCC/RMT as part of keepalive report.
    (jsc#PED-7982) (jsc#PED-8018)
  * Add support for third party packages in SUSEConnect
  * Refactor existing system information collection implementation

Package wicked was updated:

- Update to version 0.6.76
  - compat-suse: warn user and create missing parent config of
    infiniband children (gh#openSUSE/wicked#1027)
  - client: fix origin in loaded xml-config with obsolete port
    references but missing port interface config, causing a
    no-carrier of master (bsc#1226125)
  - ipv6: fix setup on ipv6.disable=1 kernel cmdline (bsc#1225976)
  - wireless: add frequency-list in station mode (jsc#PED-8715)
  - client: fix crash while hierarchy traversing due to loop in
    e.g. systemd-nspawn containers (bsc#1226664)
  - man: add supported bonding options to ifcfg-bonding(5) man page
    (gh#openSUSE/wicked#1021)
  - arputil: Document minimal interval for getopts (gh#openSUSE/wicked#1019)
  - man: (re)generate man pages from md sources (gh#openSUSE/wicked#1018)
  - client: warn on interface wait time reached (gh#openSUSE/wicked#1017)
  - compat-suse: fix dummy type detection from ifname to not cause
    conflicts with e.g. correct vlan config on dummy0.42 interfaces
    (gh#openSUSE/wicked#1016)
  - compat-suse: fix infiniband and infiniband child type detection
    from ifname (gh#openSUSE/wicked#1015)
- Removed patches included in the source archive:
  [- 0001-ifreload-pull-UP-again-on-master-lower-changes-bsc1224100.patch]
  [- 0002-increase-arp-retry-attempts-on-sending-bsc1218668.patch]

</Note>
    <Note Title="Terms of Use" Type="Legal Disclaimer" Ordinal="3" xml:lang="en">The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).</Note>
  </DocumentNotes>
  <DocumentReferences>
    <Reference Type="Self">
      <URL>https://publiccloudimagechangeinfo.suse.com/google/sles-15-sp5-chost-byos-v20240809-arm64/</URL>
      <Description>Public Cloud Image Info</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/support/security/rating/</URL>
      <Description>SUSE Security Ratings</Description>
    </Reference>
  </DocumentReferences>
  <ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
    <Branch Type="Product Family" Name="Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64">
      <Branch Type="Product Name" Name="Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64">
        <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64">Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64</FullProductName>
      </Branch>
    </Branch>
    <Branch Type="Product Version" Name="bind-utils-9.16.50-150500.8.21.1">
      <FullProductName ProductID="bind-utils-9.16.50-150500.8.21.1">bind-utils-9.16.50-150500.8.21.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="docker-25.0.6_ce-150000.203.1">
      <FullProductName ProductID="docker-25.0.6_ce-150000.203.1">docker-25.0.6_ce-150000.203.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="dracut-055+suse.388.g70c21afa-150500.3.21.2">
      <FullProductName ProductID="dracut-055+suse.388.g70c21afa-150500.3.21.2">dracut-055+suse.388.g70c21afa-150500.3.21.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="google-guest-agent-20240314.00-150400.1.48.7">
      <FullProductName ProductID="google-guest-agent-20240314.00-150400.1.48.7">google-guest-agent-20240314.00-150400.1.48.7</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="google-guest-configs-20240307.00-150400.13.11.6">
      <FullProductName ProductID="google-guest-configs-20240307.00-150400.13.11.6">google-guest-configs-20240307.00-150400.13.11.6</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="google-guest-oslogin-20240311.00-150400.1.45.7">
      <FullProductName ProductID="google-guest-oslogin-20240311.00-150400.1.45.7">google-guest-oslogin-20240311.00-150400.1.45.7</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="google-osconfig-agent-20240320.00-150400.1.35.7">
      <FullProductName ProductID="google-osconfig-agent-20240320.00-150400.1.35.7">google-osconfig-agent-20240320.00-150400.1.35.7</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="growpart-rootgrow-1.0.7-150400.1.14.7">
      <FullProductName ProductID="growpart-rootgrow-1.0.7-150400.1.14.7">growpart-rootgrow-1.0.7-150400.1.14.7</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libassuan0-2.5.5-150000.4.7.1">
      <FullProductName ProductID="libassuan0-2.5.5-150000.4.7.1">libassuan0-2.5.5-150000.4.7.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="login_defs-4.8.1-150400.10.21.1">
      <FullProductName ProductID="login_defs-4.8.1-150400.10.21.1">login_defs-4.8.1-150400.10.21.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="python-instance-billing-flavor-check-0.0.6-150400.1.11.7">
      <FullProductName ProductID="python-instance-billing-flavor-check-0.0.6-150400.1.11.7">python-instance-billing-flavor-check-0.0.6-150400.1.11.7</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="python3-bind-9.16.50-150500.8.21.1">
      <FullProductName ProductID="python3-bind-9.16.50-150500.8.21.1">python3-bind-9.16.50-150500.8.21.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="python3-cssselect-1.0.3-150400.3.7.4">
      <FullProductName ProductID="python3-cssselect-1.0.3-150400.3.7.4">python3-cssselect-1.0.3-150400.3.7.4</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="python3-lxml-4.9.1-150500.3.4.3">
      <FullProductName ProductID="python3-lxml-4.9.1-150500.3.4.3">python3-lxml-4.9.1-150500.3.4.3</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="python3-urllib3-1.25.10-150300.4.12.1">
      <FullProductName ProductID="python3-urllib3-1.25.10-150300.4.12.1">python3-urllib3-1.25.10-150300.4.12.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="runc-1.1.13-150000.67.1">
      <FullProductName ProductID="runc-1.1.13-150000.67.1">runc-1.1.13-150000.67.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="shadow-4.8.1-150400.10.21.1">
      <FullProductName ProductID="shadow-4.8.1-150400.10.21.1">shadow-4.8.1-150400.10.21.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="suseconnect-ng-1.11.0-150500.3.26.4">
      <FullProductName ProductID="suseconnect-ng-1.11.0-150500.3.26.4">suseconnect-ng-1.11.0-150500.3.26.4</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="wicked-0.6.76-150500.3.33.1">
      <FullProductName ProductID="wicked-0.6.76-150500.3.33.1">wicked-0.6.76-150500.3.33.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="wicked-service-0.6.76-150500.3.33.1">
      <FullProductName ProductID="wicked-service-0.6.76-150500.3.33.1">wicked-service-0.6.76-150500.3.33.1</FullProductName>
    </Branch>
    <Relationship ProductReference="bind-utils-9.16.50-150500.8.21.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64:bind-utils-9.16.50-150500.8.21.1">bind-utils-9.16.50-150500.8.21.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64</FullProductName>
    </Relationship>
    <Relationship ProductReference="docker-25.0.6_ce-150000.203.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64:docker-25.0.6_ce-150000.203.1">docker-25.0.6_ce-150000.203.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64</FullProductName>
    </Relationship>
    <Relationship ProductReference="dracut-055+suse.388.g70c21afa-150500.3.21.2" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64:dracut-055+suse.388.g70c21afa-150500.3.21.2">dracut-055+suse.388.g70c21afa-150500.3.21.2 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64</FullProductName>
    </Relationship>
    <Relationship ProductReference="google-guest-agent-20240314.00-150400.1.48.7" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64:google-guest-agent-20240314.00-150400.1.48.7">google-guest-agent-20240314.00-150400.1.48.7 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64</FullProductName>
    </Relationship>
    <Relationship ProductReference="google-guest-configs-20240307.00-150400.13.11.6" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64:google-guest-configs-20240307.00-150400.13.11.6">google-guest-configs-20240307.00-150400.13.11.6 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64</FullProductName>
    </Relationship>
    <Relationship ProductReference="google-guest-oslogin-20240311.00-150400.1.45.7" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64:google-guest-oslogin-20240311.00-150400.1.45.7">google-guest-oslogin-20240311.00-150400.1.45.7 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64</FullProductName>
    </Relationship>
    <Relationship ProductReference="google-osconfig-agent-20240320.00-150400.1.35.7" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64:google-osconfig-agent-20240320.00-150400.1.35.7">google-osconfig-agent-20240320.00-150400.1.35.7 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64</FullProductName>
    </Relationship>
    <Relationship ProductReference="growpart-rootgrow-1.0.7-150400.1.14.7" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64:growpart-rootgrow-1.0.7-150400.1.14.7">growpart-rootgrow-1.0.7-150400.1.14.7 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libassuan0-2.5.5-150000.4.7.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64:libassuan0-2.5.5-150000.4.7.1">libassuan0-2.5.5-150000.4.7.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64</FullProductName>
    </Relationship>
    <Relationship ProductReference="login_defs-4.8.1-150400.10.21.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64:login_defs-4.8.1-150400.10.21.1">login_defs-4.8.1-150400.10.21.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64</FullProductName>
    </Relationship>
    <Relationship ProductReference="python-instance-billing-flavor-check-0.0.6-150400.1.11.7" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64:python-instance-billing-flavor-check-0.0.6-150400.1.11.7">python-instance-billing-flavor-check-0.0.6-150400.1.11.7 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64</FullProductName>
    </Relationship>
    <Relationship ProductReference="python3-bind-9.16.50-150500.8.21.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64:python3-bind-9.16.50-150500.8.21.1">python3-bind-9.16.50-150500.8.21.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64</FullProductName>
    </Relationship>
    <Relationship ProductReference="python3-cssselect-1.0.3-150400.3.7.4" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64:python3-cssselect-1.0.3-150400.3.7.4">python3-cssselect-1.0.3-150400.3.7.4 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64</FullProductName>
    </Relationship>
    <Relationship ProductReference="python3-lxml-4.9.1-150500.3.4.3" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64:python3-lxml-4.9.1-150500.3.4.3">python3-lxml-4.9.1-150500.3.4.3 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64</FullProductName>
    </Relationship>
    <Relationship ProductReference="python3-urllib3-1.25.10-150300.4.12.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64:python3-urllib3-1.25.10-150300.4.12.1">python3-urllib3-1.25.10-150300.4.12.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64</FullProductName>
    </Relationship>
    <Relationship ProductReference="runc-1.1.13-150000.67.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64:runc-1.1.13-150000.67.1">runc-1.1.13-150000.67.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64</FullProductName>
    </Relationship>
    <Relationship ProductReference="shadow-4.8.1-150400.10.21.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64:shadow-4.8.1-150400.10.21.1">shadow-4.8.1-150400.10.21.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64</FullProductName>
    </Relationship>
    <Relationship ProductReference="suseconnect-ng-1.11.0-150500.3.26.4" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64:suseconnect-ng-1.11.0-150500.3.26.4">suseconnect-ng-1.11.0-150500.3.26.4 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64</FullProductName>
    </Relationship>
    <Relationship ProductReference="wicked-0.6.76-150500.3.33.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64:wicked-0.6.76-150500.3.33.1">wicked-0.6.76-150500.3.33.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64</FullProductName>
    </Relationship>
    <Relationship ProductReference="wicked-service-0.6.76-150500.3.33.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64:wicked-service-0.6.76-150500.3.33.1">wicked-service-0.6.76-150500.3.33.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64</FullProductName>
    </Relationship>
  </ProductTree>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees</Note>
    </Notes>
    <CVE>CVE-2013-4235</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64:login_defs-4.8.1-150400.10.21.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64:shadow-4.8.1-150400.10.21.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>3.3</BaseScore>
        <Vector>AV:L/AC:M/Au:N/C:N/I:P/A:P</Vector>
      </ScoreSet>
    </CVSSScoreSets>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.</Note>
    </Notes>
    <CVE>CVE-2023-52425</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64:python3-lxml-4.9.1-150500.3.4.3</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Resolver caches and authoritative zone databases that hold significant numbers of RRs for the same hostname (of any RTYPE) can suffer from degraded performance as content is being added or updated, and also when handling client queries for this name.
This issue affects BIND 9 versions 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.11.4-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.27-S1.</Note>
    </Notes>
    <CVE>CVE-2024-1737</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64:bind-utils-9.16.50-150500.8.21.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64:python3-bind-9.16.50-150500.8.21.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">If a server hosts a zone containing a "KEY" Resource Record, or a resolver DNSSEC-validates a "KEY" Resource Record from a DNSSEC-signed domain in cache, a client can exhaust resolver CPU resources by sending a stream of SIG(0) signed requests.
This issue affects BIND 9 versions 9.0.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.49-S1, and 9.18.11-S1 through 9.18.27-S1.</Note>
    </Notes>
    <CVE>CVE-2024-1975</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64:bind-utils-9.16.50-150500.8.21.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64:python3-bind-9.16.50-150500.8.21.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it's possible to accidentally configure the `Proxy-Authorization` header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects. Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the `Proxy-Authorization` header during cross-origin redirects to avoid the small chance that users are doing this by accident. Users should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the `Proxy-Authorization` header, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach. We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited: 1. Setting the `Proxy-Authorization` header without using urllib3's built-in proxy support. 2. Not disabling HTTP redirects. 3. Either not using an HTTPS origin server or for the proxy or target origin to redirect to a malicious origin. Users are advised to update to either version 1.26.19 or version 2.2.2. Users unable to upgrade may use the `Proxy-Authorization` header with urllib3's `ProxyManager`, disable HTTP redirects using `redirects=False` when sending requests, or not use the `Proxy-Authorization` header as mitigations.</Note>
    </Notes>
    <CVE>CVE-2024-37891</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64:python3-urllib3-1.25.10-150300.4.12.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Client queries that trigger serving stale data and that also require lookups in local authoritative zone data may result in an assertion failure.
This issue affects BIND 9 versions 9.16.13 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.11.33-S1 through 9.11.37-S1, 9.16.13-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.27-S1.</Note>
    </Notes>
    <CVE>CVE-2024-4076</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64:bind-utils-9.16.50-150500.8.21.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64:python3-bind-9.16.50-150500.8.21.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Moby is an open-source project created by Docker for software containerization. A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood of this being exploited is low.

Using a specially-crafted API request, an Engine API client could make the daemon forward the request or response to an authorization plugin without the body. In certain circumstances, the authorization plugin may allow a request which it would have otherwise denied if the body had been forwarded to it.

A security issue was discovered in 2018, where an attacker could bypass AuthZ plugins using a specially crafted API request. This could lead to unauthorized actions, including privilege escalation. Although this issue was fixed in Docker Engine v18.09.1 in January 2019, the fix was not carried forward to later major versions, resulting in a regression. Anyone who depends on authorization plugins that introspect the request and/or response body to make access control decisions is potentially impacted.

Docker EE v19.03.x and all versions of Mirantis Container Runtime are not vulnerable.

docker-ce v27.1.1 contains patches to fix the vulnerability. Patches have also been merged into the master, 19.03, 20.0, 23.0, 24.0, 25.0, 26.0, and 26.1 release branches. If one is unable to upgrade immediately, avoid using AuthZ plugins and/or restrict access to the Docker API to trusted parties, following the principle of least privilege.</Note>
    </Notes>
    <CVE>CVE-2024-41110</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp5-chost-byos-v20240809-arm64:docker-25.0.6_ce-150000.203.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>critical</Description>
      </Threat>
    </Threats>
  </Vulnerability>
</cvrfdoc>
