===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2343
        SUSE Security Update: Security update for CaaS Platform 1.0 images
                             15 September 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           CaaS Platform
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Modify Arbitrary Files         -- Existing Account
                   Denial of Service              -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-1000101 CVE-2017-1000100 CVE-2017-11113
                   CVE-2017-11112 CVE-2017-10685 CVE-2017-10684
                   CVE-2017-9269 CVE-2017-9233 CVE-2017-8872
                   CVE-2017-7436 CVE-2017-7435 CVE-2017-3464
                   CVE-2017-3456 CVE-2017-3453 CVE-2017-3309
                   CVE-2017-3308 CVE-2016-9063 CVE-2013-7459
Reference:         ASB-2017.0059
                   ASB-2016.0107
                   ESB-2017.2227
                   ESB-2017.2215

Original Bulletin:
   https://www.suse.com/support/update/announcement/2017/suse-su-20172470-1/

--------------------------BEGIN INCLUDED TEXT--------------------

   SUSE Security Update: Security update for CaaS Platform 1.0 images
______________________________________________________________________________

Announcement ID:    SUSE-SU-2017:2470-1
Rating:             important
References:         #1004995 #1009745 #1014471 #1017420 #1019637 #1026825
                    #1027079 #1027688 #1027908 #1028281 #1028723 #1029523
                    #1031756 #1032706 #1033236 #1035062 #1036659 #1038132
                    #1038444 #1038984 #1042392 #1043218 #1043333 #1044095
                    #1044107 #1044175 #1044840 #1045384 #1045735 #1045987
                    #1046268 #1046417 #1046659 #1046853 #1046858 #1047008
                    #1047236 #1047240 #1047310 #1047379 #1047785 #1047964
                    #1047965 #1048315 #1048483 #1048605 #1048679 #1048715
                    #1049344 #1050396 #1050484 #1051626 #1051643 #1051644
                    #1052030 #1052759 #1053409 #874665 #902364 #938657
                    #944903 #954661 #960820 #963041
Cross-References:   CVE-2013-7459 CVE-2016-9063 CVE-2017-1000100
                    CVE-2017-1000101 CVE-2017-10684 CVE-2017-10685
                    CVE-2017-11112 CVE-2017-11113 CVE-2017-3308
                    CVE-2017-3309 CVE-2017-3453 CVE-2017-3456
                    CVE-2017-3464 CVE-2017-7435 CVE-2017-7436
                    CVE-2017-8872 CVE-2017-9233 CVE-2017-9269
Affected Products:
                    SUSE Container as a Service Platform ALL
______________________________________________________________________________

   An update that solves 18 vulnerabilities and has 46 fixes is now available.

Description:

   The Docker images provided with SUSE CaaS Platform 1.0 have been updated
   to include the following updates:

   libzypp:

   - CVE-2017-7435, CVE-2017-7436, CVE-2017-9269: Fix GPG check workflows,
     mainly for unsigned repositories and packages. (bsc#1045735, bsc#1038984)
   - Fix gpg-pubkey release (creation time) computation. (bsc#1036659)
   - Update lsof blacklist. (bsc#1046417)
   - Re-probe on refresh if the repository type changes. (bsc#1048315)
   - Propagate proper error code to DownloadProgressReport. (bsc#1047785)
   - Allow to trigger an appdata refresh unconditionally. (bsc#1009745)
   - Support custom repo variables defined in /etc/zypp/vars.d.
   - Adapt loop mounting of ISO images. (bsc#1038132, bsc#1033236)
   - Fix potential crash if repository has no baseurl. (bsc#1043218)

   zypper:

   - CVE-2017-7436: Adapt download callback to report and handle unsigned
     packages. (bsc#1038984)
   - Report missing/optional files as 'not found' rather than 'error'.
     (bsc#1047785)
   - Document support for custom repository variables defined in
     /etc/zypp/vars.d.
   - Emphasize that it depends on how fast PackageKit will respond to a
     'quit' request sent if PK blocks package management.

   libgcrypt:

   - Fix infinite loop in gnome-keyring-daemon caused by attempt to read
     from random device left open by libgcrypt. (bsc#1043333)
   - Avoid seeding the DRBG during FIPS power-up selftests. (bsc#1046659)
   - Fix a bug in gcry_drbg_healthcheck_sanity() which caused skipping some
     of the tests. (bsc#1046659)
   - dlsym returns PLT address on s390x, dlopen libgcrypt20.so before
     calling dlsym. (bsc#1047008)

   lua51:

   - Add Lua(API) and Lua(devel) symbols to fix building of
     lua51-luasocket. (bsc#1051626)

   cyrus-sasl:

   - Fix unknown authentication mechanism: kerberos5 (bsc#1026825)
   - Really use SASLAUTHD_PARAMS variable (bsc#938657)
   - Make sure /usr/sbin/rcsaslauthd exists
   - Add /usr/sbin/rcsaslauthd symbolic link to /usr/sbin/service
     (bsc#1014471)
   - Silence "GSSAPI client step 1" debug log message (bsc#1044840)

   libxml2:

   - CVE-2017-8872: Out-of-bounds read in htmlParseTryOrFinish.
     (bsc#1038444)

   curl:

   - CVE-2017-1000100: TFTP sends more than buffer size and it could lead
     to a denial of service. (bsc#1051644)
   - CVE-2017-1000101: URL globbing out of bounds read could lead to a
     denial of service. (bsc#1051643)

   ncurses:

   - CVE-2017-11112: Illegal address access in append_acs. (bsc#1047964)
   - CVE-2017-11113: Dereferencing NULL pointer in _nc_parse_entry.
     (bsc#1047965)
   - CVE-2017-10684, CVE-2017-10685: Add modified upstream fix from
     ncurses 6.0 to avoid broken termcap format (bsc#1046853, bsc#1046858,
     bsc#1049344)

   sed:

   - Don't terminate with a segmentation fault if close of last file
     descriptor fails. (bsc#954661)

   openssl:

   - Remove DES-CBC3-SHA based ciphers from DEFAULT_SUSE to address SWEET32
     problem. (bsc#1027908)
   - Use getrandom syscall instead of reading from /dev/urandom to get at
     least 128 bits of entropy to comply with FIPS 140.2 IG 7.14.
     (bsc#1027079 bsc#1044175)
   - Fix x86 extended feature detection (bsc#1029523)
   - Allow runtime switching of s390x capabilities via the
     "OPENSSL_s390xcap" environmental variable. (bsc#1028723)
   - Add back certificate initialization set_cert_key_stuff() which was
     removed in a previous update. (bsc#1028281)
   - Fix a bug in XTS key handling. (bsc#1019637)
   - Don't run FIPS power-up self-tests when the checksum files aren't
     installed. (bsc#1042392)

   procps:

   - Don't set buffering on invalid file descriptor. (bsc#1053409)

   expat:

   - CVE-2016-9063: Possible integer overflow to fix inside XML_Parse
     leading to unexpected behaviour. (bsc#1047240)
   - CVE-2017-9233: External Entity Vulnerability could lead to denial of
     service. (bsc#1047236)

   systemd:

   - Revert fix for bsc#1004995 which could have caused boot failure on LVM
     (bsc#1048605)
   - compat-rules: drop the bogus 'import everything' rule (bsc#1046268)
   - core: use an AF_UNIX/SOCK_DGRAM socket for cgroup agent notification
     (bsc#1045384 bsc#1047379)
   - udev/path_id: introduce support for NVMe devices (bsc#1045987)
   - compat-rules: Don't rely on ID_SERIAL when generating 'by-id' links
     for NVMe devices. (bsc#1048679)
   - fstab-generator: Handle NFS "bg" mounts correctly. (bsc#874665,
     fate#323464)
   - timesyncd: Don't use compiled-in list if FallbackNTP has been
     configured explicitly.

   insserv-compat:

   - Add /etc/init.d hierarchy from former "filesystem" package.
     (bsc#1035062)
   - Fix directory argument parsing. (bsc#944903)
   - Add perl(Getopt::Long) to list of requirements.

   mariadb:

   - Update libmysqlclient18 from version 10.0.30 to 10.0.31.

   python-pycrypto:

   - CVE-2013-7459: Fixed a potential heap buffer overflow in ALGnew
     (bsc#1017420).

   velum:

   - Fix loopback IP for proxy exception during initial configuration.
     (bsc#1052759)
   - Set secure flag in cookie. (bsc#1050484)
   - Set VERSION to 1.0.0. (bsc#1050396)
   - Allow kubeconfig download when master is ready. (bsc#1048483)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Container as a Service Platform ALL:

      zypper in -t patch SUSE-CAASP-ALL-2017-1531=1

   To bring your system up-to-date, use "zypper patch".
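After applying the patch, a defender will want to confirm that every node actually carries the fixed image packages named in the Package List of this advisory. The following added example (not part of the SUSE or AusCERT bulletin) compares constructed `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` output against the advisory's fixed versions using a simplified rpm version comparison; it assumes the package names and versions exactly as listed in SUSE-SU-2017:2470-1.

```python
import re
# Fixed versions taken from the Package List of SUSE-SU-2017:2470-1 (x86_64 and noarch).
FIXED = {
    "container-feeder": "0.0.0+20170901.git_r55_17ecbd3-2.3.3",
    "sles12-mariadb-docker-image": "1.1.0-2.3.10",
    "sles12-pause-docker-image": "1.1.0-2.3.11",
    "sles12-pv-recycler-node-docker-image": "1.1.0-2.3.10",
    "sles12-salt-api-docker-image": "1.1.0-2.3.9",
    "sles12-salt-master-docker-image": "1.1.0-4.3.10",
    "sles12-salt-minion-docker-image": "1.1.0-2.3.8",
    "sles12-velum-docker-image": "1.1.0-4.3.9",
    "caasp-container-manifests": "0.0.0+git_r155_93e40ab-2.3.3",
}

_SEG = re.compile(r"\d+|[A-Za-z]+")  # rpm compares runs of digits and runs of letters

def rpmvercmp(a, b):
    """Simplified rpmvercmp: numeric segments as integers, alpha segments lexically; returns -1/0/1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment sorts newer than an alpha one
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments win

def evr_cmp(a, b):
    # Compare VERSION-RELEASE strings: version first, then release.
    va, ra = a.rsplit("-", 1)
    vb, rb = b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def audit(rpm_qa_output):
    """Map each listed package still below its fixed version to (installed, fixed)."""
    unpatched = {}
    for line in rpm_qa_output.strip().splitlines():
        name, evr = line.split()
        if name in FIXED and evr_cmp(evr, FIXED[name]) < 0:
            unpatched[name] = (evr, FIXED[name])
    return unpatched

# Constructed sample of rpm output from one node: velum and pause images are still old.
SAMPLE = """\
sles12-velum-docker-image 1.1.0-4.3.8
sles12-salt-master-docker-image 1.1.0-4.3.10
sles12-pause-docker-image 1.1.0-2.3.9
container-feeder 0.0.0+20170901.git_r55_17ecbd3-2.3.3
"""
```

Run `audit()` over the real `rpm -qa` output of each cluster node; an empty result means every package in the advisory's list is at or above the fixed version.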
Package List:

   - SUSE Container as a Service Platform ALL (x86_64):

      container-feeder-0.0.0+20170901.git_r55_17ecbd3-2.3.3
      sles12-mariadb-docker-image-1.1.0-2.3.10
      sles12-pause-docker-image-1.1.0-2.3.11
      sles12-pv-recycler-node-docker-image-1.1.0-2.3.10
      sles12-salt-api-docker-image-1.1.0-2.3.9
      sles12-salt-master-docker-image-1.1.0-4.3.10
      sles12-salt-minion-docker-image-1.1.0-2.3.8
      sles12-velum-docker-image-1.1.0-4.3.9

   - SUSE Container as a Service Platform ALL (noarch):

      caasp-container-manifests-0.0.0+git_r155_93e40ab-2.3.3

References:

   https://www.suse.com/security/cve/CVE-2013-7459.html
   https://www.suse.com/security/cve/CVE-2016-9063.html
   https://www.suse.com/security/cve/CVE-2017-1000100.html
   https://www.suse.com/security/cve/CVE-2017-1000101.html
   https://www.suse.com/security/cve/CVE-2017-10684.html
   https://www.suse.com/security/cve/CVE-2017-10685.html
   https://www.suse.com/security/cve/CVE-2017-11112.html
   https://www.suse.com/security/cve/CVE-2017-11113.html
   https://www.suse.com/security/cve/CVE-2017-3308.html
   https://www.suse.com/security/cve/CVE-2017-3309.html
   https://www.suse.com/security/cve/CVE-2017-3453.html
   https://www.suse.com/security/cve/CVE-2017-3456.html
   https://www.suse.com/security/cve/CVE-2017-3464.html
   https://www.suse.com/security/cve/CVE-2017-7435.html
   https://www.suse.com/security/cve/CVE-2017-7436.html
   https://www.suse.com/security/cve/CVE-2017-8872.html
   https://www.suse.com/security/cve/CVE-2017-9233.html
   https://www.suse.com/security/cve/CVE-2017-9269.html
   https://bugzilla.suse.com/1004995
   https://bugzilla.suse.com/1009745
   https://bugzilla.suse.com/1014471
   https://bugzilla.suse.com/1017420
   https://bugzilla.suse.com/1019637
   https://bugzilla.suse.com/1026825
   https://bugzilla.suse.com/1027079
   https://bugzilla.suse.com/1027688
   https://bugzilla.suse.com/1027908
   https://bugzilla.suse.com/1028281
   https://bugzilla.suse.com/1028723
   https://bugzilla.suse.com/1029523
   https://bugzilla.suse.com/1031756
   https://bugzilla.suse.com/1032706
   https://bugzilla.suse.com/1033236
   https://bugzilla.suse.com/1035062
   https://bugzilla.suse.com/1036659
   https://bugzilla.suse.com/1038132
   https://bugzilla.suse.com/1038444
   https://bugzilla.suse.com/1038984
   https://bugzilla.suse.com/1042392
   https://bugzilla.suse.com/1043218
   https://bugzilla.suse.com/1043333
   https://bugzilla.suse.com/1044095
   https://bugzilla.suse.com/1044107
   https://bugzilla.suse.com/1044175
   https://bugzilla.suse.com/1044840
   https://bugzilla.suse.com/1045384
   https://bugzilla.suse.com/1045735
   https://bugzilla.suse.com/1045987
   https://bugzilla.suse.com/1046268
   https://bugzilla.suse.com/1046417
   https://bugzilla.suse.com/1046659
   https://bugzilla.suse.com/1046853
   https://bugzilla.suse.com/1046858
   https://bugzilla.suse.com/1047008
   https://bugzilla.suse.com/1047236
   https://bugzilla.suse.com/1047240
   https://bugzilla.suse.com/1047310
   https://bugzilla.suse.com/1047379
   https://bugzilla.suse.com/1047785
   https://bugzilla.suse.com/1047964
   https://bugzilla.suse.com/1047965
   https://bugzilla.suse.com/1048315
   https://bugzilla.suse.com/1048483
   https://bugzilla.suse.com/1048605
   https://bugzilla.suse.com/1048679
   https://bugzilla.suse.com/1048715
   https://bugzilla.suse.com/1049344
   https://bugzilla.suse.com/1050396
   https://bugzilla.suse.com/1050484
   https://bugzilla.suse.com/1051626
   https://bugzilla.suse.com/1051643
   https://bugzilla.suse.com/1051644
   https://bugzilla.suse.com/1052030
   https://bugzilla.suse.com/1052759
   https://bugzilla.suse.com/1053409
   https://bugzilla.suse.com/874665
   https://bugzilla.suse.com/902364
   https://bugzilla.suse.com/938657
   https://bugzilla.suse.com/944903
   https://bugzilla.suse.com/954661
   https://bugzilla.suse.com/960820
   https://bugzilla.suse.com/963041

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================