-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.2458
     Security update for ardana-barbican, grafana, openstack-barbican,
  openstack-cinder, openstack-heat-gbp, openstack-horizon-plugin-gbp-ui,
       openstack-ironic, openstack-keystone, openstack-neutron-gbp,
              python-lxml, release-notes-suse-openstack-cloud
                                20 May 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           SUSE OpenStack Cloud 9
                   SUSE OpenStack Cloud Crowbar 9
Publisher:         SUSE
Operating System:  SUSE
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-29970 CVE-2022-23452 CVE-2022-23451
                   CVE-2022-22817 CVE-2022-22816 CVE-2022-22815
                   CVE-2021-44716 CVE-2021-43818 CVE-2021-43813
                   CVE-2021-41184 CVE-2021-41183 CVE-2021-41182
                   CVE-2021-40085 CVE-2021-38155 CVE-2021-28957
                   CVE-2020-27783 CVE-2018-19787 CVE-2014-3146

Original Bulletin: 
   https://www.suse.com/support/update/announcement/2022/suse-su-20221729-1

Comment: CVSS (Max):  8.0 CVE-2021-40085 (CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: SUSE
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

SUSE Security Update: Security update for ardana-barbican, grafana,
openstack-barbican, openstack-cinder, openstack-heat-gbp,
openstack-horizon-plugin-gbp-ui, openstack-ironic, openstack-keystone,
openstack-neutron-gbp, python-lxml, release-notes-suse-openstack-cloud

______________________________________________________________________________

Announcement ID:   SUSE-SU-2022:1729-1
Rating:            important
References:        #1118088 #1179534 #1184177 #1186380 #1189390 #1189794
                   #1192070 #1192073 #1192075 #1193597 #1193688 #1193752
                   #1194521 #1194551 #1194552 #1194952 #1194954 #1199138
Cross-References:  CVE-2018-19787 CVE-2020-27783 CVE-2021-28957 CVE-2021-38155
                   CVE-2021-40085 CVE-2021-41182 CVE-2021-41183 CVE-2021-41184
                   CVE-2021-43813 CVE-2021-43818 CVE-2021-44716 CVE-2022-22815
                   CVE-2022-22816 CVE-2022-22817 CVE-2022-23451 CVE-2022-23452
                   CVE-2022-29970
Affected Products:
                   SUSE OpenStack Cloud 9
                   SUSE OpenStack Cloud Crowbar 9
______________________________________________________________________________

An update that solves 17 vulnerabilities, contains two features and has one
erratum is now available.

Description:

This update for ardana-barbican, grafana, openstack-barbican, openstack-cinder,
openstack-heat-gbp, openstack-horizon-plugin-gbp-ui, openstack-ironic,
openstack-keystone, openstack-neutron-gbp, python-lxml,
release-notes-suse-openstack-cloud fixes the following issues:
Security fixes included in this update:
ardana-barbican:

  o Update policies to protect container secret access (SOC-11621)
  o Update policies to protect secret metadata access (SOC-11620)


openstack-neutron:


  o CVE-2021-40085: Fixed arbitrary dnsmasq reconfiguration via extra_dhcp_opts
    (bsc#1189794).
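
The neutron fix above is recorded in the changelog as "Remove dhcp_extra_opt name/value after first newline character". The following added example (this is illustrative code, not neutron's own) shows why that matters: a tenant-supplied extra_dhcp_opts value that contains a newline appends an extra line to the per-port option file the DHCP agent hands to dnsmasq, and truncating name and value at the first newline removes it. The "tag:<port_tag>,option:<name>,<value>" line shape, the function names and the port tags are assumptions made for the example; the sample options are constructed.

```python
"""Added illustration of CVE-2021-40085 (not neutron's code): a newline in a
tenant-controlled extra_dhcp_opts value lets the tenant add a line to the
dnsmasq options file, and truncating at the first newline closes the hole."""

from typing import List, Tuple

# Assumed shape of one line in dnsmasq's --dhcp-optsfile, written per port:
#   tag:<port_tag>,option:<name>,<value>
# Function names and port tags are this example's own, not neutron's API.


def render_opts_vulnerable(port_tag: str, extra_opts: List[Tuple[str, str]]) -> str:
    """Unhardened rendering: tenant-controlled name/value are copied verbatim."""
    lines = [f"tag:{port_tag},option:{name},{value}" for name, value in extra_opts]
    return "\n".join(lines) + "\n"


def strip_after_newline(text: str) -> str:
    """Keep only what precedes the first newline (the fix the advisory describes)."""
    return text.split("\n", 1)[0]


def render_opts_hardened(port_tag: str, extra_opts: List[Tuple[str, str]]) -> str:
    """Same rendering, with both name and value truncated at the first newline."""
    lines = [
        f"tag:{port_tag},option:{strip_after_newline(name)},{strip_after_newline(value)}"
        for name, value in extra_opts
    ]
    return "\n".join(lines) + "\n"


def foreign_lines(rendered: str, port_tag: str) -> List[str]:
    """Audit helper: lines in the rendered file that are not scoped to the port
    they were rendered for, i.e. lines the tenant managed to smuggle in."""
    return [ln for ln in rendered.splitlines() if ln and not ln.startswith(f"tag:{port_tag},")]


# Constructed sample: one legitimate option and one whose value carries a
# newline followed by a line aimed at a different port's tag.
PORT_TAG = "port-0001"
TENANT_OPTS = [
    ("router", "10.0.0.1"),
    ("dns-server", "10.0.0.2\ntag:port-0002,option:router,10.0.0.66"),
]

if __name__ == "__main__":
    print("vulnerable:", foreign_lines(render_opts_vulnerable(PORT_TAG, TENANT_OPTS), PORT_TAG))
    print("hardened:  ", foreign_lines(render_opts_hardened(PORT_TAG, TENANT_OPTS), PORT_TAG))
```

With the vulnerable renderer the second option produces a line tagged for port-0002 that redirects that port's default gateway; the hardened renderer keeps only "10.0.0.2". The truncation mirrors exactly what the bulletin records for the fix; validating option names against an allow-list would be the additional defence-in-depth step, but it is not part of what this update describes.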


rubygem-sinatra:

  o CVE-2022-29970: Fixed a path traversal that made files outside of
    public_dir reachable when serving static files (bsc#1199138).


python-XStatic-jquery-ui:

  o CVE-2021-41182: Fixed XSS in the `altField` option of the Datepicker widget
    (bsc#1192070)
  o CVE-2021-41183: Fixed XSS in the `*Text` options of the Datepicker widget
    (bsc#1192075)
  o CVE-2021-41184: Fixed XSS in the `of` option of the `.position()` util
    (bsc#1192073)


python-lxml:

  o CVE-2018-19787: Fixed the lxml.html.clean module (lxml/html/clean.py) not
    removing javascript: URLs that use escaping, which allowed a remote
    attacker to conduct XSS attacks (bsc#1118088).
  o CVE-2020-27783: Fixed mXSS due to the use of an improper parser
    (bsc#1179534).
  o CVE-2021-28957: Fixed missing input sanitization for the HTML5 formaction
    attribute, which may have led to XSS (bsc#1184177).
  o CVE-2021-43818: Fixed the HTML Cleaner letting SVG image data URLs with
    embedded script content pass through (bsc#1193752).


openstack-barbican:


  o CVE-2022-23451: Fixed legacy policy rules that let any authenticated user
    add, modify or delete metadata on any secret, regardless of which project
    owns it (bsc#1194952).
  o CVE-2022-23452: Fixed legacy policy rules that let anyone with an admin
    role add their secrets to another project's containers (bsc#1194954).


grafana:

  o CVE-2021-43813: Fixed a directory traversal vulnerability for .md files
    (bsc#1193688).
  o CVE-2021-44716: Fixed unbounded growth of the header canonicalization
    cache in Go's net/http (bsc#1193597).


openstack-keystone:


  o CVE-2021-38155: Fixed the AccountLocked exception disclosing sensitive
    information to end users during account locking (bsc#1189390).


Non-security fixes included in this update:
Changes in ardana-barbican:

  o Update to version 9.0+git.1644879908.8a641c1: * Update policies to protect
    container secret access (SOC-11621)


  o Update to version 9.0+git.1643052417.9a3348e: * update policies to protect
    secret metadata access (SOC-11620)


Changes in grafana:

  o Add CVE-2021-43813.patch (bsc#1193688, CVE-2021-43813) * directory
    traversal vulnerability for .md files


  o Bump Go to 1.16 (bsc#1193597, CVE-2021-44716) * Fix Go net/http: limit
    growth of header canonicalization cache


Changes in openstack-barbican:

  o Add patches
    (0001-Fix-RBAC-and-ACL-access-for-managing-secret-containe.patch and
    0001-Fix-policy-for-adding-a-secret-to-a-container.patch) to fix the legacy
    policy rules for adding a secret to a container and removing a secret from
    a container. bsc#1194954,CVE-2022-23452


  o Add patch (0001-Fix-secret-metadata-access-rules.patch) to fix the legacy
    policy rules for accessing secret metadata by checking that the user making
    the request is authenticated for the project that owns the secret. bsc#
    1194952,CVE-2022-23451


Changes in openstack-cinder:

  o Update to version cinder-13.0.10.dev24: * Correct
    group:reset_group_snapshot_status policy


Changes in openstack-heat-gbp:

  o Update to version group-based-policy-automation-14.0.1.dev4: * Add support
    for yoga


  o Update to version group-based-policy-automation-14.0.1.dev3: * Python2/3
    compatibility fixes


  o Update to version group-based-policy-automation-14.0.1.dev2: * Add support
    for xena


  o Update to version group-based-policy-automation-14.0.1.dev1: * Remove py27
    from gate jobs 14.0.0


Changes in openstack-horizon-plugin-gbp-ui:

  o Update to version group-based-policy-ui-14.0.1.dev3: * Add support for yoga


  o Update to version group-based-policy-ui-14.0.1.dev2: * Python2/3
    compatibility changes


  o Update to version group-based-policy-ui-14.0.1.dev1: * Add support for xena
    14.0.0


Changes in openstack-ironic:

  o Update to version ironic-11.1.5.dev18: * Cleanup stable/rocky legacy jobs


Changes in openstack-keystone:

  o Add patch (0001-Hide-AccountLocked-exception-from-end-users.patch) to fix
    the problem where AccountLocked exception discloses sensitive information.
    bsc#1189390,CVE-2021-38155


  o Update to version keystone-14.2.1.dev9: * Delete system role assignments
    from system_assignment table


Changes in openstack-neutron-gbp:

  o Update to version group-based-policy-14.0.1.dev33: * Populate network mtu
    for erspan


  o Update to version group-based-policy-14.0.1.dev32: * ERSPAN config error
    when Openstack port is created in a different project than network it
    belongs to 2014.2.rc1


  o Update to version group-based-policy-14.0.1.dev31: * Python2/3
    compatibility fixes 2014.2.0rc1


  o Update to version group-based-policy-14.0.1.dev29: * Fix oslo_i18n usage


  o Update to version group-based-policy-14.0.1.dev27: * Update
    mechanism_driver cache 2014.2.rc1


  o Update to version group-based-policy-14.0.1.dev26: * Add support for xena


  o Update to version group-based-policy-14.0.1.dev24: *
    update_floatingip_status_while_deleting_the_vm


  o Update to version group-based-policy-14.0.1.dev22: * Updating host id by
    appending pid in existing host id 2014.2.0rc1


  o Update to version group-based-policy-14.0.1.dev20: * Revert "Add workaround
    to get_subnets"


Changes in python-lxml:

  o Fix bsc#1179534 (CVE-2020-27783) mXSS due to the use of improper parser
    Patch files: 0001-CVE-2020-27783.patch 0002-CVE-2020-27783.patch
  o Fix bsc#1118088 (CVE-2018-19787) lxml/html/clean.py in the lxml.html.clean
    module does not remove javascript: URLs that use escaping, allowing a
    remote attacker to conduct XSS attacks Patch file:
    0001-CVE-2018-19787.patch
  o Fix bsc#1184177 (CVE-2021-28957) missing input sanitization for formaction
    HTML5 attributes may lead to XSS Patch file:
    0001-CVE-2021-28957.patch
  o Fix bsc#1193752 (CVE-2021-43818) Cleaner: Remove SVG image data URLs since
    they can embed script content. Reported as GHSL-2021-1037 and
    GHSL-2021-1038 Patch files 0001-CVE-2021-43818.patch
    0002-CVE-2021-43818.patch


Changes in openstack-neutron-doc:

  o Update to version neutron-13.0.8.dev206: * Wait longer before deleting DPDK
    vhu trunk bridges


  o Update to version neutron-13.0.8.dev205: * Do not use "--strict" for OF
    deletion in TRANSIENT_TABLE


  o Update to version neutron-13.0.8.dev203: * Populate
    self.floating_ips_dict using "ip rule" information


  o Update to version neutron-13.0.8.dev201: * [Functional] Wait for the
    initial state of ha router before test * Don't setup bridge controller if
    it is already set


  o Update to version neutron-13.0.8.dev198: * Remove dhcp_extra_opt name
    after first newline character


  o Update to version neutron-13.0.8.dev196: * [L3] Use processing queue for
    network update events * Add extra logs to the network update callback in L3
    agent


  o Update to version neutron-13.0.8.dev192: * Remove dhcp_extra_opt value
    after first newline character


  o Update to version neutron-13.0.8.dev190: * Don't use singleton in
    routes.middleware.RoutesMiddleware


  o Update to version neutron-13.0.8.dev189: * Fix notify listener syntax for
    SEGMENT_HOST_MAPPING


  o Update to version neutron-13.0.8.dev188: * Clean port forwarding cache when
    router is DOWN


  o Update to version neutron-13.0.8.dev186: * Remove FIP agent's gw port when
    L3 agent is deleted


  o Update to version neutron-13.0.8.dev184: * Force to close http connection
    after notify about HA router status


  o Update to version neutron-13.0.8.dev183: * Don't configure dnsmasq entries
    for "network" ports


  o Update to version neutron-13.0.8.dev181: * Exclude fallback tunnel devices
    from netns cleanup


  o Update to version neutron-13.0.8.dev180: * [DVR] Send allowed address pairs
    info to the L3 agents * designate: allow PTR zone creation to fail * Don't
    try to create default SG when security groups are disabled


  o Update to version neutron-13.0.8.dev174: * Fix update of trunk subports
    during live migration


  o Update to version neutron-13.0.8.dev172: * [ovs fw] Restrict IPv6 NA and
    DHCP(v6) IP and MAC source addresses


  o Update to version neutron-13.0.8.dev170: * Call
    install_ingress_direct_goto_flows() when ovs restarts


  o Update to version neutron-13.0.8.dev168: * Fix multicast traffic with IGMP
    snooping enabled


  o Update to version neutron-13.0.8.dev166: * Fix OVS conjunctive IP flows
    cleanup


Changes in openstack-neutron:

  o Update to version neutron-13.0.8.dev206: * Wait longer before deleting DPDK
    vhu trunk bridges


  o Update to version neutron-13.0.8.dev205: * Do not use "--strict" for OF
    deletion in TRANSIENT_TABLE


  o Update to version neutron-13.0.8.dev203: * Populate
    self.floating_ips_dict using "ip rule" information


  o Update to version neutron-13.0.8.dev201: * [Functional] Wait for the
    initial state of ha router before test * Don't setup bridge controller if
    it is already set


  o Update to version neutron-13.0.8.dev198: * Remove dhcp_extra_opt name
    after first newline character


  o Update to version neutron-13.0.8.dev196: * [L3] Use processing queue for
    network update events * Add extra logs to the network update callback in L3
    agent


  o Remove cve-2021-40085-stable-rocky.patch (merged upstream)


  o Update to version neutron-13.0.8.dev192: * Remove dhcp_extra_opt value
    after first newline character


  o Update to version neutron-13.0.8.dev190: * Don't use singleton in
    routes.middleware.RoutesMiddleware


  o Update to version neutron-13.0.8.dev189: * Fix notify listener syntax for
    SEGMENT_HOST_MAPPING


  o Add cve-2021-40085-stable-rocky.patch (bsc#1189794, CVE-2021-40085) *
    Remove dhcp_extra_opt value after first newline character


  o Update to version neutron-13.0.8.dev188: * Clean port forwarding cache when
    router is DOWN


  o Update to version neutron-13.0.8.dev186: * Remove FIP agent's gw port when
    L3 agent is deleted


  o Update to version neutron-13.0.8.dev184: * Force to close http connection
    after notify about HA router status


  o Update to version neutron-13.0.8.dev183: * Don't configure dnsmasq entries
    for "network" ports


  o Update to version neutron-13.0.8.dev181: * Exclude fallback tunnel devices
    from netns cleanup


  o Update to version neutron-13.0.8.dev180: * [DVR] Send allowed address pairs
    info to the L3 agents * designate: allow PTR zone creation to fail * Don't
    try to create default SG when security groups are disabled


  o Update to version neutron-13.0.8.dev174: * Fix update of trunk subports
    during live migration


  o Update to version neutron-13.0.8.dev172: * [ovs fw] Restrict IPv6 NA and
    DHCP(v6) IP and MAC source addresses


  o Update to version neutron-13.0.8.dev170: * Call
    install_ingress_direct_goto_flows() when ovs restarts


  o Update to version neutron-13.0.8.dev168: * Fix multicast traffic with IGMP
    snooping enabled


  o Update to version neutron-13.0.8.dev166: * Fix OVS conjunctive IP flows
    cleanup


Changes in python-Pillow:

  o Add 030-CVE-2022-22817.patch * From upstream, backported * Fixes
    CVE-2022-22817, bsc#1194521 * test from upstream updated for python2


  o Add 028-CVE-2022-22815.patch * From upstream, backported * Fixes
    CVE-2022-22815, bsc#1194552
  o Add 029-CVE-2022-22816.patch * From upstream, backported * Fixes
    CVE-2022-22816, bsc#1194551


Changes in python-XStatic-jquery-ui:

  o Update to version 1.13.0.1 (bsc#1192070, CVE-2021-41182, bsc#1192073,
    CVE-2021-41184, bsc#1192075, CVE-2021-41183) * Fix XSS in the altField
    option of the Datepicker widget (CVE-2021-41182) * Fix XSS in *Text options
    of the Datepicker widget (CVE-2021-41183) * Fix XSS in the of option of the
    .position() util (CVE-2021-41184) * Drop support for jQuery 1.7 * Accordion:
    allow function parameter for selecting header elements * Datepicker: add
    optional onUpdateDatepicker callback


Changes in release-notes-suse-openstack-cloud:

  o Update to version 9.20220413: * Update release notes to indicate support
    for SES7
  o Update to version 9.20220112: * Add reference to keystone bcrypt issue to
    known limitations (bsc#1186380)


Changes in rubygem-sinatra:

  o Add CVE-2022-29970.patch (bsc#1199138, CVE-2022-29970)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  o SUSE OpenStack Cloud Crowbar 9:
    zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2022-1729=1
  o SUSE OpenStack Cloud 9:
    zypper in -t patch SUSE-OpenStack-Cloud-9-2022-1729=1

Package List:

  o SUSE OpenStack Cloud Crowbar 9 (x86_64):
       grafana-6.7.4-3.26.1
       grafana-debuginfo-6.7.4-3.26.1
       python-Pillow-5.2.0-3.17.1
       python-Pillow-debuginfo-5.2.0-3.17.1
       python-Pillow-debugsource-5.2.0-3.17.1
       python-lxml-4.2.4-3.3.1
       python-lxml-debuginfo-4.2.4-3.3.1
       python-lxml-debugsource-4.2.4-3.3.1
       ruby2.1-rubygem-sinatra-1.4.6-4.3.1
  o SUSE OpenStack Cloud Crowbar 9 (noarch):
       openstack-barbican-7.0.1~dev24-3.14.1
       openstack-barbican-api-7.0.1~dev24-3.14.1
       openstack-barbican-keystone-listener-7.0.1~dev24-3.14.1
       openstack-barbican-retry-7.0.1~dev24-3.14.1
       openstack-barbican-worker-7.0.1~dev24-3.14.1
       openstack-cinder-13.0.10~dev24-3.34.2
       openstack-cinder-api-13.0.10~dev24-3.34.2
       openstack-cinder-backup-13.0.10~dev24-3.34.2
       openstack-cinder-scheduler-13.0.10~dev24-3.34.2
       openstack-cinder-volume-13.0.10~dev24-3.34.2
       openstack-heat-gbp-14.0.1~dev4-3.9.1
       openstack-horizon-plugin-gbp-ui-14.0.1~dev3-3.9.1
       openstack-ironic-11.1.5~dev18-3.28.2
       openstack-ironic-api-11.1.5~dev18-3.28.2
       openstack-ironic-conductor-11.1.5~dev18-3.28.2
       openstack-keystone-14.2.1~dev9-3.28.2
       openstack-neutron-13.0.8~dev206-3.40.1
       openstack-neutron-dhcp-agent-13.0.8~dev206-3.40.1
       openstack-neutron-gbp-14.0.1~dev33-3.31.1
       openstack-neutron-ha-tool-13.0.8~dev206-3.40.1
       openstack-neutron-l3-agent-13.0.8~dev206-3.40.1
       openstack-neutron-linuxbridge-agent-13.0.8~dev206-3.40.1
       openstack-neutron-macvtap-agent-13.0.8~dev206-3.40.1
       openstack-neutron-metadata-agent-13.0.8~dev206-3.40.1
       openstack-neutron-metering-agent-13.0.8~dev206-3.40.1
       openstack-neutron-openvswitch-agent-13.0.8~dev206-3.40.1
       openstack-neutron-server-13.0.8~dev206-3.40.1
       python-XStatic-jquery-ui-1.13.0.1-4.3.1
       python-barbican-7.0.1~dev24-3.14.1
       python-cinder-13.0.10~dev24-3.34.2
       python-heat-gbp-14.0.1~dev4-3.9.1
       python-horizon-plugin-gbp-ui-14.0.1~dev3-3.9.1
       python-ironic-11.1.5~dev18-3.28.2
       python-keystone-14.2.1~dev9-3.28.2
       python-neutron-13.0.8~dev206-3.40.1
       python-neutron-gbp-14.0.1~dev33-3.31.1
       release-notes-suse-openstack-cloud-9.20220413-3.30.1
  o SUSE OpenStack Cloud 9 (noarch):
       ardana-barbican-9.0+git.1644879908.8a641c1-3.13.1
       openstack-barbican-7.0.1~dev24-3.14.1
       openstack-barbican-api-7.0.1~dev24-3.14.1
       openstack-barbican-keystone-listener-7.0.1~dev24-3.14.1
       openstack-barbican-retry-7.0.1~dev24-3.14.1
       openstack-barbican-worker-7.0.1~dev24-3.14.1
       openstack-cinder-13.0.10~dev24-3.34.2
       openstack-cinder-api-13.0.10~dev24-3.34.2
       openstack-cinder-backup-13.0.10~dev24-3.34.2
       openstack-cinder-scheduler-13.0.10~dev24-3.34.2
       openstack-cinder-volume-13.0.10~dev24-3.34.2
       openstack-heat-gbp-14.0.1~dev4-3.9.1
       openstack-horizon-plugin-gbp-ui-14.0.1~dev3-3.9.1
       openstack-ironic-11.1.5~dev18-3.28.2
       openstack-ironic-api-11.1.5~dev18-3.28.2
       openstack-ironic-conductor-11.1.5~dev18-3.28.2
       openstack-keystone-14.2.1~dev9-3.28.2
       openstack-neutron-13.0.8~dev206-3.40.1
       openstack-neutron-dhcp-agent-13.0.8~dev206-3.40.1
       openstack-neutron-gbp-14.0.1~dev33-3.31.1
       openstack-neutron-ha-tool-13.0.8~dev206-3.40.1
       openstack-neutron-l3-agent-13.0.8~dev206-3.40.1
       openstack-neutron-linuxbridge-agent-13.0.8~dev206-3.40.1
       openstack-neutron-macvtap-agent-13.0.8~dev206-3.40.1
       openstack-neutron-metadata-agent-13.0.8~dev206-3.40.1
       openstack-neutron-metering-agent-13.0.8~dev206-3.40.1
       openstack-neutron-openvswitch-agent-13.0.8~dev206-3.40.1
       openstack-neutron-server-13.0.8~dev206-3.40.1
       python-XStatic-jquery-ui-1.13.0.1-4.3.1
       python-barbican-7.0.1~dev24-3.14.1
       python-cinder-13.0.10~dev24-3.34.2
       python-heat-gbp-14.0.1~dev4-3.9.1
       python-horizon-plugin-gbp-ui-14.0.1~dev3-3.9.1
       python-ironic-11.1.5~dev18-3.28.2
       python-keystone-14.2.1~dev9-3.28.2
       python-neutron-13.0.8~dev206-3.40.1
       python-neutron-gbp-14.0.1~dev33-3.31.1
       release-notes-suse-openstack-cloud-9.20220413-3.30.1
       venv-openstack-barbican-x86_64-7.0.1~dev24-3.35.2
       venv-openstack-cinder-x86_64-13.0.10~dev24-3.38.1
       venv-openstack-designate-x86_64-7.0.2~dev2-3.35.1
       venv-openstack-glance-x86_64-17.0.1~dev30-3.33.1
       venv-openstack-heat-x86_64-11.0.4~dev4-3.35.1
       venv-openstack-horizon-x86_64-14.1.1~dev11-4.39.1
       venv-openstack-ironic-x86_64-11.1.5~dev18-4.33.1
       venv-openstack-keystone-x86_64-14.2.1~dev9-3.36.1
       venv-openstack-magnum-x86_64-7.2.1~dev1-4.35.1
       venv-openstack-manila-x86_64-7.4.2~dev60-3.41.1
       venv-openstack-monasca-ceilometer-x86_64-1.8.2~dev3-3.35.1
       venv-openstack-monasca-x86_64-2.7.1~dev10-3.37.1
       venv-openstack-neutron-x86_64-13.0.8~dev206-6.39.1
       venv-openstack-nova-x86_64-18.3.1~dev91-3.39.1
       venv-openstack-octavia-x86_64-3.2.3~dev7-4.35.1
       venv-openstack-sahara-x86_64-9.0.2~dev15-3.35.1
       venv-openstack-swift-x86_64-2.19.2~dev48-2.30.1
  o SUSE OpenStack Cloud 9 (x86_64):
       grafana-6.7.4-3.26.1
       grafana-debuginfo-6.7.4-3.26.1
       python-Pillow-5.2.0-3.17.1
       python-Pillow-debuginfo-5.2.0-3.17.1
       python-Pillow-debugsource-5.2.0-3.17.1
       python-lxml-4.2.4-3.3.1
       python-lxml-debuginfo-4.2.4-3.3.1
       python-lxml-debugsource-4.2.4-3.3.1
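
After applying the patch, a practitioner will want to confirm that every package named above is actually at or beyond the fixed version on each node. The following added example (not SUSE's tooling) does that comparison with RPM's own version-ordering rules, which matter here because many of the fixed versions carry a "~devNN" suffix and "~" sorts before the end of the string (7.0.1~dev24 is older than 7.0.1). The FIXED listing is a subset copied from the package list above; the INSTALLED listing is a constructed sample of what `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` prints on a partly patched node. Function names are this example's own.

```python
"""Added example (not SUSE's tooling): check installed package versions against
the fixed versions in this bulletin's Package List, using RPM's version
comparison rules so that '~devNN' pre-release suffixes sort correctly."""

import re
from typing import Dict, List, Tuple

# Fixed versions copied from the bulletin's package list (a subset).
FIXED = """
grafana-6.7.4-3.26.1
python-lxml-4.2.4-3.3.1
openstack-neutron-server-13.0.8~dev206-3.40.1
openstack-keystone-14.2.1~dev9-3.28.2
openstack-barbican-api-7.0.1~dev24-3.14.1
"""

# Constructed sample of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` output
# from a node that is only partly patched.
INSTALLED = """
grafana-6.7.4-3.26.1
python-lxml-4.2.4-3.2.1
openstack-neutron-server-13.0.8~dev190-3.39.1
openstack-keystone-14.2.1~dev9-3.28.2
openstack-barbican-api-7.0.1~dev20-3.12.1
"""

_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 following librpm's rpmvercmp: separators are skipped,
    numeric segments compare numerically and beat alphabetic ones, and '~'
    sorts before everything, including end of string (7.0.1~dev24 < 7.0.1).
    The '^' marker is not implemented here."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            continue
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit():
            return 1
        elif y.isdigit():
            return -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    longer, sign = (sa, 1) if len(sa) > len(sb) else (sb, -1)
    # Leftover segments win, unless the first leftover is '~' (pre-release).
    return -sign if longer[min(len(sa), len(sb))] == "~" else sign


def parse_nvr(line: str) -> Tuple[str, str, str]:
    """Split 'name-version-release' on the last two hyphens; package names may
    contain hyphens, but version and release never do."""
    name, version, release = line.strip().rsplit("-", 2)
    return name, version, release


def load(listing: str) -> Dict[str, Tuple[str, str]]:
    """Map package name -> (version, release) for every non-empty line."""
    return {n: (v, r) for n, v, r in (parse_nvr(l) for l in listing.splitlines() if l.strip())}


def vr_cmp(a: Tuple[str, str], b: Tuple[str, str]) -> int:
    """Compare (version, release) pairs: version first, release breaks ties."""
    c = rpmvercmp(a[0], b[0])
    return c if c else rpmvercmp(a[1], b[1])


def unpatched(installed: Dict[str, Tuple[str, str]], fixed: Dict[str, Tuple[str, str]]) -> List[str]:
    """Names of installed packages that are still below the bulletin's fixed version."""
    return sorted(n for n, vr in installed.items() if n in fixed and vr_cmp(vr, fixed[n]) < 0)


if __name__ == "__main__":
    for name in unpatched(load(INSTALLED), load(FIXED)):
        print("still below fixed version:", name)
```

On a real node, replace INSTALLED with the rpm query output and FIXED with the full package list for the product in question. Packages that are not installed at all are skipped rather than reported, so the check answers "is anything installed still vulnerable", not "is everything from the list present"; `zypper patch` with the patch name given above remains the supported way to apply the update.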


References:

  o https://www.suse.com/security/cve/CVE-2018-19787.html
  o https://www.suse.com/security/cve/CVE-2020-27783.html
  o https://www.suse.com/security/cve/CVE-2021-28957.html
  o https://www.suse.com/security/cve/CVE-2021-38155.html
  o https://www.suse.com/security/cve/CVE-2021-40085.html
  o https://www.suse.com/security/cve/CVE-2021-41182.html
  o https://www.suse.com/security/cve/CVE-2021-41183.html
  o https://www.suse.com/security/cve/CVE-2021-41184.html
  o https://www.suse.com/security/cve/CVE-2021-43813.html
  o https://www.suse.com/security/cve/CVE-2021-43818.html
  o https://www.suse.com/security/cve/CVE-2021-44716.html
  o https://www.suse.com/security/cve/CVE-2022-22815.html
  o https://www.suse.com/security/cve/CVE-2022-22816.html
  o https://www.suse.com/security/cve/CVE-2022-22817.html
  o https://www.suse.com/security/cve/CVE-2022-23451.html
  o https://www.suse.com/security/cve/CVE-2022-23452.html
  o https://www.suse.com/security/cve/CVE-2022-29970.html
  o https://bugzilla.suse.com/1118088
  o https://bugzilla.suse.com/1179534
  o https://bugzilla.suse.com/1184177
  o https://bugzilla.suse.com/1186380
  o https://bugzilla.suse.com/1189390
  o https://bugzilla.suse.com/1189794
  o https://bugzilla.suse.com/1192070
  o https://bugzilla.suse.com/1192073
  o https://bugzilla.suse.com/1192075
  o https://bugzilla.suse.com/1193597
  o https://bugzilla.suse.com/1193688
  o https://bugzilla.suse.com/1193752
  o https://bugzilla.suse.com/1194521
  o https://bugzilla.suse.com/1194551
  o https://bugzilla.suse.com/1194552
  o https://bugzilla.suse.com/1194952
  o https://bugzilla.suse.com/1194954
  o https://bugzilla.suse.com/1199138

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBYobRSckNZI30y1K9AQiEYw//Ua28W/gdiSnLYWnzcEFp4S3GWJTvPbg6
w9yDxwDWKD4EjZG4e0UdZwttbpt2tcy9GnhPbN67nYQEWAdSMP+qn/Uk9g7S3ha2
GGlQzZFCLuotYLRtp8dYC1qxIQP4kOQ0BIQfpCA3dHZR4oIFIfInnx6zSt1akepk
Oy6srbA048Pg46eoxl8GxJBz/jr8ldg9+hdgOnxrp06FxHsl2EbrYfqi+UtyWr/0
/XxKYeQ0YIOYcUMm+YLijoNXe0qyQo1ZZXmm2UoaXV9Cd9VPbFpLZ9AtILfPORGC
CYvtJYDg0573axzrZq8zKJYjln3pUeZn1XhKdsoZI5boUmoPWlgFs4AuUSx3aMNN
WmQVYRBT2vkPYGdFUL+/oTD8ypmti6N6WtgSnYmD4YrBBvyNsTCbBEO6C+Q04MN+
JTRuF2g1zEiwa6hWw2MdbAZMLO9qmvCv/I5ZmcEq2SN73GNsYx//DOiN6Y4d5nXj
RAddgavGtIltIGAOp92dGujwng42y8w/icW9xecky4IWY/fBpd7JWjbZgN4gdurl
1hmTvycAFziPrYG0/iQsezT223WsO1uVBLE2hMfZ6OOcYkfy5TPI0djt91A+byh1
GCLtKqE7Yz1DYHUgF4BI610EbFW8f12Y7EOfssHnK6D0I1Lcxtzamsy1jkZcrL+V
ACulcNoJS3E=
=6lxX
-----END PGP SIGNATURE-----