ESB-2017.2343 - [SUSE] CaaS Platform: Multiple vulnerabilities 2017-09-15



===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2343
    SUSE Security Update: Security update for CaaS Platform 1.0 images
                             15 September 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           CaaS Platform
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Modify Arbitrary Files          -- Existing Account      
                   Denial of Service               -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-1000101 CVE-2017-1000100 CVE-2017-11113
                   CVE-2017-11112 CVE-2017-10685 CVE-2017-10684
                   CVE-2017-9269 CVE-2017-9233 CVE-2017-8872
                   CVE-2017-7436 CVE-2017-7435 CVE-2017-3464
                   CVE-2017-3456 CVE-2017-3453 CVE-2017-3309
                   CVE-2017-3308 CVE-2016-9063 CVE-2013-7459

Reference:         ASB-2017.0059
                   ASB-2016.0107
                   ESB-2017.2227
                   ESB-2017.2215

Original Bulletin: 
   https://www.suse.com/support/update/announcement/2017/suse-su-20172470-1/

--------------------------BEGIN INCLUDED TEXT--------------------

   SUSE Security Update: Security update for CaaS Platform 1.0 images
______________________________________________________________________________

Announcement ID:    SUSE-SU-2017:2470-1
Rating:             important
References:         #1004995 #1009745 #1014471 #1017420 #1019637 
                    #1026825 #1027079 #1027688 #1027908 #1028281 
                    #1028723 #1029523 #1031756 #1032706 #1033236 
                    #1035062 #1036659 #1038132 #1038444 #1038984 
                    #1042392 #1043218 #1043333 #1044095 #1044107 
                    #1044175 #1044840 #1045384 #1045735 #1045987 
                    #1046268 #1046417 #1046659 #1046853 #1046858 
                    #1047008 #1047236 #1047240 #1047310 #1047379 
                    #1047785 #1047964 #1047965 #1048315 #1048483 
                    #1048605 #1048679 #1048715 #1049344 #1050396 
                    #1050484 #1051626 #1051643 #1051644 #1052030 
                    #1052759 #1053409 #874665 #902364 #938657 
                    #944903 #954661 #960820 #963041 
Cross-References:   CVE-2013-7459 CVE-2016-9063 CVE-2017-1000100
                    CVE-2017-1000101 CVE-2017-10684 CVE-2017-10685
                    CVE-2017-11112 CVE-2017-11113 CVE-2017-3308
                    CVE-2017-3309 CVE-2017-3453 CVE-2017-3456
                    CVE-2017-3464 CVE-2017-7435 CVE-2017-7436
                    CVE-2017-8872 CVE-2017-9233 CVE-2017-9269
                   
Affected Products:
                    SUSE Container as a Service Platform ALL
______________________________________________________________________________

   An update that solves 18 vulnerabilities and has 46 fixes
   is now available.

Description:

   The Docker images provided with SUSE CaaS Platform 1.0 have been updated
   to include the following updates:

   libzypp:

   - CVE-2017-7435, CVE-2017-7436, CVE-2017-9269: Fix GPG check workflows,
     mainly for unsigned repositories and packages. (bsc#1045735, bsc#1038984)
   - Fix gpg-pubkey release (creation time) computation. (bsc#1036659)
   - Update lsof blacklist. (bsc#1046417)
   - Re-probe on refresh if the repository type changes. (bsc#1048315)
   - Propagate proper error code to DownloadProgressReport. (bsc#1047785)
   - Allow to trigger an appdata refresh unconditionally. (bsc#1009745)
   - Support custom repo variables defined in /etc/zypp/vars.d.
   - Adapt loop mounting of ISO images. (bsc#1038132, bsc#1033236)
   - Fix potential crash if repository has no baseurl. (bsc#1043218)

   zypper:

   - CVE-2017-7436: Adapt download callback to report and handle unsigned
     packages. (bsc#1038984)
   - Report missing/optional files as 'not found' rather than 'error'.
     (bsc#1047785)
   - Document support for custom repository variables defined in
     /etc/zypp/vars.d.
   - Emphasize that, if PackageKit blocks package management, the outcome
     depends on how quickly PackageKit responds to the 'quit' request sent
     to it.

   libgcrypt:

   - Fix infinite loop in gnome-keyring-daemon caused by attempt to read from
     random device left open by libgcrypt. (bsc#1043333)
   - Avoid seeding the DRBG during FIPS power-up selftests. (bsc#1046659)
   - Fix a bug in gcry_drbg_healthcheck_sanity() which caused skipping some
     of the tests. (bsc#1046659)
   - Because dlsym returns the PLT address on s390x, dlopen libgcrypt20.so
     before calling dlsym. (bsc#1047008)

   lua51:

   - Add Lua(API) and Lua(devel) symbols to fix building of lua51-luasocket.
     (bsc#1051626)

   cyrus-sasl:

   - Fix unknown authentication mechanism: kerberos5 (bsc#1026825)
   - Really use SASLAUTHD_PARAMS variable (bsc#938657)
   - Make sure /usr/sbin/rcsaslauthd exists
   - Add /usr/sbin/rcsaslauthd symbolic link to /usr/sbin/service
     (bsc#1014471)
   - Silence "GSSAPI client step 1" debug log message (bsc#1044840)

   libxml2:

   - CVE-2017-8872: Out-of-bounds read in htmlParseTryOrFinish. (bsc#1038444)

   curl:

   - CVE-2017-1000100: TFTP sends more than buffer size and it could lead to a
     denial of service. (bsc#1051644)
   - CVE-2017-1000101: URL globbing out of bounds read could lead to a denial
     of service. (bsc#1051643)

   ncurses:

   - CVE-2017-11112: Illegal address access in append_acs. (bsc#1047964)
   - CVE-2017-11113: Dereferencing NULL pointer in _nc_parse_entry.
     (bsc#1047965)
   - CVE-2017-10684, CVE-2017-10685: Add modified upstream fix from ncurses
     6.0 to avoid broken termcap format (bsc#1046853, bsc#1046858,
     bsc#1049344)

   sed:

   - Don't terminate with a segmentation fault if close of last file
     descriptor fails. (bsc#954661)

   openssl:

   - Remove DES-CBC3-SHA based ciphers from DEFAULT_SUSE to address the SWEET32
     problem. (bsc#1027908)
   - Use the getrandom syscall instead of reading from /dev/urandom to get at
     least 128 bits of entropy to comply with FIPS 140-2 IG 7.14.
     (bsc#1027079 bsc#1044175)
   - Fix x86 extended feature detection (bsc#1029523)
   - Allow runtime switching of s390x capabilities via the "OPENSSL_s390xcap"
     environment variable. (bsc#1028723)
   - Add back certificate initialization set_cert_key_stuff() which was
     removed in a previous update. (bsc#1028281)
   - Fix a bug in XTS key handling. (bsc#1019637)
   - Don't run FIPS power-up self-tests when the checksum files aren't
     installed. (bsc#1042392)

   procps:

   - Don't set buffering on invalid file descriptor. (bsc#1053409)

   expat:

   - CVE-2016-9063: Possible integer overflow inside XML_Parse leading to
     unexpected behaviour. (bsc#1047240)
   - CVE-2017-9233: External Entity Vulnerability could lead to denial of
     service. (bsc#1047236)

   systemd:

   - Revert fix for bsc#1004995 which could have caused boot failure on LVM
     (bsc#1048605)
   - compat-rules: drop the bogus 'import everything' rule (bsc#1046268)
   - core: use an AF_UNIX/SOCK_DGRAM socket for cgroup agent notification
     (bsc#1045384 bsc#1047379)
   - udev/path_id: introduce support for NVMe devices (bsc#1045987)
   - compat-rules: Don't rely on ID_SERIAL when generating 'by-id' links for
     NVMe devices. (bsc#1048679)
   - fstab-generator: Handle NFS "bg" mounts correctly. (bsc#874665,
     fate#323464)
   - timesyncd: Don't use compiled-in list if FallbackNTP has been configured
     explicitly.

   insserv-compat:

   - Add /etc/init.d hierarchy from former "filesystem" package. (bsc#1035062)
   - Fix directory argument parsing. (bsc#944903)
   - Add perl(Getopt::Long) to list of requirements.

   mariadb:

   - Update libmysqlclient18 from version 10.0.30 to 10.0.31.

   python-pycrypto:

   - CVE-2013-7459: Fixed a potential heap buffer overflow in ALGnew
     (bsc#1017420).

   velum:

   - Fix loopback IP for proxy exception during initial configuration.
     (bsc#1052759)
   - Set secure flag in cookie. (bsc#1050484)
   - Set VERSION to 1.0.0. (bsc#1050396)
   - Allow kubeconfig download when master is ready. (bsc#1048483)


Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Container as a Service Platform ALL:

      zypper in -t patch SUSE-CAASP-ALL-2017-1531=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Container as a Service Platform ALL (x86_64):

      container-feeder-0.0.0+20170901.git_r55_17ecbd3-2.3.3
      sles12-mariadb-docker-image-1.1.0-2.3.10
      sles12-pause-docker-image-1.1.0-2.3.11
      sles12-pv-recycler-node-docker-image-1.1.0-2.3.10
      sles12-salt-api-docker-image-1.1.0-2.3.9
      sles12-salt-master-docker-image-1.1.0-4.3.10
      sles12-salt-minion-docker-image-1.1.0-2.3.8
      sles12-velum-docker-image-1.1.0-4.3.9

   - SUSE Container as a Service Platform ALL (noarch):

      caasp-container-manifests-0.0.0+git_r155_93e40ab-2.3.3
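   The package list above gives the fixed builds. The following Python script is
   an added example (not SUSE's or AusCERT's code) that compares an
   `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` listing from a node against
   those builds using a simplified rpm version comparison, so an operator can
   confirm the patched images are actually installed. The sample listing is
   constructed, and its pre-fix container-feeder build string is invented.

```python
import re

# Fixed builds from this advisory's Package List (SUSE CaaS Platform ALL).
FIXED = [
    "container-feeder-0.0.0+20170901.git_r55_17ecbd3-2.3.3",
    "sles12-mariadb-docker-image-1.1.0-2.3.10",
    "sles12-pause-docker-image-1.1.0-2.3.11",
    "sles12-pv-recycler-node-docker-image-1.1.0-2.3.10",
    "sles12-salt-api-docker-image-1.1.0-2.3.9",
    "sles12-salt-master-docker-image-1.1.0-4.3.10",
    "sles12-salt-minion-docker-image-1.1.0-2.3.8",
    "sles12-velum-docker-image-1.1.0-4.3.9",
    "caasp-container-manifests-0.0.0+git_r155_93e40ab-2.3.3",
]
# Constructed sample of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` from a
# hypothetical node; the pre-fix container-feeder build string is invented.
SAMPLE_INSTALLED = """sles12-pause-docker-image-1.1.0-2.3.11
sles12-velum-docker-image-1.1.0-4.3.8
container-feeder-0.0.0+20170815.git_r50_0000000-2.3.1"""

def split_nvr(nvr):
    # name-version-release: version and release never contain '-', so split on the last two.
    return tuple(nvr.rsplit("-", 2))

def rpmvercmp(a, b):
    # rpm's segment-wise comparison (simplified: no '~'/'^' handling); returns -1, 0 or 1.
    sa, sb = (re.findall(r"[0-9]+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment beats an alpha one
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments win

def outdated(installed_text, fixed=FIXED):
    # Return [(name, installed_vr, fixed_vr)] for listed packages older than the fixed build.
    want = {n: (v, r) for n, v, r in map(split_nvr, fixed)}
    older = []
    for n, v, r in map(split_nvr, installed_text.split()):
        if n not in want:
            continue
        c = rpmvercmp(v, want[n][0]) or rpmvercmp(r, want[n][1])  # version, then release
        if c < 0:
            older.append((n, f"{v}-{r}", "-".join(want[n])))
    return older
```

   Packages absent from the listing are not reported, so check separately that every image the node is expected to run appears in the `rpm -qa` output.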


References:

   https://www.suse.com/security/cve/CVE-2013-7459.html
   https://www.suse.com/security/cve/CVE-2016-9063.html
   https://www.suse.com/security/cve/CVE-2017-1000100.html
   https://www.suse.com/security/cve/CVE-2017-1000101.html
   https://www.suse.com/security/cve/CVE-2017-10684.html
   https://www.suse.com/security/cve/CVE-2017-10685.html
   https://www.suse.com/security/cve/CVE-2017-11112.html
   https://www.suse.com/security/cve/CVE-2017-11113.html
   https://www.suse.com/security/cve/CVE-2017-3308.html
   https://www.suse.com/security/cve/CVE-2017-3309.html
   https://www.suse.com/security/cve/CVE-2017-3453.html
   https://www.suse.com/security/cve/CVE-2017-3456.html
   https://www.suse.com/security/cve/CVE-2017-3464.html
   https://www.suse.com/security/cve/CVE-2017-7435.html
   https://www.suse.com/security/cve/CVE-2017-7436.html
   https://www.suse.com/security/cve/CVE-2017-8872.html
   https://www.suse.com/security/cve/CVE-2017-9233.html
   https://www.suse.com/security/cve/CVE-2017-9269.html
   https://bugzilla.suse.com/1004995
   https://bugzilla.suse.com/1009745
   https://bugzilla.suse.com/1014471
   https://bugzilla.suse.com/1017420
   https://bugzilla.suse.com/1019637
   https://bugzilla.suse.com/1026825
   https://bugzilla.suse.com/1027079
   https://bugzilla.suse.com/1027688
   https://bugzilla.suse.com/1027908
   https://bugzilla.suse.com/1028281
   https://bugzilla.suse.com/1028723
   https://bugzilla.suse.com/1029523
   https://bugzilla.suse.com/1031756
   https://bugzilla.suse.com/1032706
   https://bugzilla.suse.com/1033236
   https://bugzilla.suse.com/1035062
   https://bugzilla.suse.com/1036659
   https://bugzilla.suse.com/1038132
   https://bugzilla.suse.com/1038444
   https://bugzilla.suse.com/1038984
   https://bugzilla.suse.com/1042392
   https://bugzilla.suse.com/1043218
   https://bugzilla.suse.com/1043333
   https://bugzilla.suse.com/1044095
   https://bugzilla.suse.com/1044107
   https://bugzilla.suse.com/1044175
   https://bugzilla.suse.com/1044840
   https://bugzilla.suse.com/1045384
   https://bugzilla.suse.com/1045735
   https://bugzilla.suse.com/1045987
   https://bugzilla.suse.com/1046268
   https://bugzilla.suse.com/1046417
   https://bugzilla.suse.com/1046659
   https://bugzilla.suse.com/1046853
   https://bugzilla.suse.com/1046858
   https://bugzilla.suse.com/1047008
   https://bugzilla.suse.com/1047236
   https://bugzilla.suse.com/1047240
   https://bugzilla.suse.com/1047310
   https://bugzilla.suse.com/1047379
   https://bugzilla.suse.com/1047785
   https://bugzilla.suse.com/1047964
   https://bugzilla.suse.com/1047965
   https://bugzilla.suse.com/1048315
   https://bugzilla.suse.com/1048483
   https://bugzilla.suse.com/1048605
   https://bugzilla.suse.com/1048679
   https://bugzilla.suse.com/1048715
   https://bugzilla.suse.com/1049344
   https://bugzilla.suse.com/1050396
   https://bugzilla.suse.com/1050484
   https://bugzilla.suse.com/1051626
   https://bugzilla.suse.com/1051643
   https://bugzilla.suse.com/1051644
   https://bugzilla.suse.com/1052030
   https://bugzilla.suse.com/1052759
   https://bugzilla.suse.com/1053409
   https://bugzilla.suse.com/874665
   https://bugzilla.suse.com/902364
   https://bugzilla.suse.com/938657
   https://bugzilla.suse.com/944903
   https://bugzilla.suse.com/954661
   https://bugzilla.suse.com/960820
   https://bugzilla.suse.com/963041

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
