SUSE-SU-2017:2470-1

Security update for CaaS Platform 1.0 images (important)

Published: 2017-09-14 21:11:54
Source: lists.opensuse.org
EPSS: 0.022 (Low), 89.6th percentile

The Docker images provided with SUSE CaaS Platform 1.0 have been updated
to include the following updates:

libzypp:

  • CVE-2017-7435, CVE-2017-7436, CVE-2017-9269: Fix GPG check workflows,
    mainly for unsigned repositories and packages. (bsc#1045735, bsc#1038984)
  • Fix gpg-pubkey release (creation time) computation. (bsc#1036659)
  • Update lsof blacklist. (bsc#1046417)
  • Re-probe on refresh if the repository type changes. (bsc#1048315)
  • Propagate proper error code to DownloadProgressReport. (bsc#1047785)
  • Allow to trigger an appdata refresh unconditionally. (bsc#1009745)
  • Support custom repo variables defined in /etc/zypp/vars.d.
  • Adapt loop mounting of ISO images. (bsc#1038132, bsc#1033236)
  • Fix potential crash if repository has no baseurl. (bsc#1043218)

zypper:

  • CVE-2017-7436: Adapt download callback to report and handle unsigned
    packages. (bsc#1038984)
  • Report missing/optional files as ‘not found’ rather than ‘error’.
    (bsc#1047785)
  • Document support for custom repository variables defined in
    /etc/zypp/vars.d.
  • Document that, when PackageKit blocks package management, zypper sends it
    a ‘quit’ request, and that how long zypper then waits depends on how
    quickly PackageKit responds to that request.
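The libzypp and zypper entries above (CVE-2017-7435, CVE-2017-7436, CVE-2017-9269) all concern what happens when a repository or package is unsigned, so a sensible follow-up after applying the update is to confirm that no repository on the host has signature checking switched off. The script below is an added example, not part of the SUSE update or of zypper itself: it parses the `.repo` files in a directory (the real location is `/etc/zypp/repos.d`, but any directory can be passed for testing) and reports every repository section whose `gpgcheck`, `repo_gpgcheck` or `pkg_gpgcheck` key is explicitly set to `0`. The key names are the ones documented in the zypper man page; the sample repository files, the repository aliases, the `example.invalid` URLs and the helper names are constructed for this example.

```shell
#!/bin/sh
# Added example (not part of the SUSE update): audit zypper repository
# definitions for disabled GPG signature checking.

# audit_repos DIR
#   Prints "<alias>: <key> disabled (<file>)" for every [alias] section in
#   DIR/*.repo that sets gpgcheck, repo_gpgcheck or pkg_gpgcheck to 0.
#   A key that is absent means the libzypp default (checking on), so it is
#   not reported. DIR defaults to the live configuration directory.
audit_repos() {
    dir=${1:-/etc/zypp/repos.d}
    for f in "$dir"/*.repo; do
        [ -f "$f" ] || continue
        # One .repo file may contain several [alias] sections; awk tracks
        # the current alias and matches "key = 0" with optional whitespace.
        awk -v file="$f" '
            /^\[.*\]$/ { alias = substr($0, 2, length($0) - 2); next }
            /^(gpgcheck|repo_gpgcheck|pkg_gpgcheck)[ \t]*=[ \t]*0[ \t]*$/ {
                split($0, kv, "=")
                gsub(/[ \t]/, "", kv[1])
                printf "%s: %s disabled (%s)\n", alias, kv[1], file
            }
        ' "$f"
    done
}

# make_sample_repos
#   Creates a temporary directory holding constructed .repo files (these are
#   not real SUSE repositories) and prints its path, so audit_repos can be
#   exercised offline.
make_sample_repos() {
    d=$(mktemp -d)
    cat > "$d/oss.repo" <<'EOF'
[repo-oss]
name=Main Repository (constructed sample)
enabled=1
baseurl=https://example.invalid/oss
gpgcheck=1
EOF
    cat > "$d/extra.repo" <<'EOF'
[vendor-extra]
name=Vendor extras (constructed sample)
enabled=1
baseurl=https://example.invalid/extra
repo_gpgcheck=1
pkg_gpgcheck=0

[third-party]
name=Third party (constructed sample)
enabled=1
baseurl=https://example.invalid/third
gpgcheck = 0
EOF
    printf '%s\n' "$d"
}

# Demo on the constructed data; drop these lines to audit a live system
# with plain "audit_repos".
demo_dir=$(make_sample_repos)
audit_repos "$demo_dir"
rm -rf "$demo_dir"
```

On the constructed data the script reports `vendor-extra` (package signatures unchecked) and `third-party` (all checks off) and stays silent on `repo-oss`. Treat every reported line as something to justify explicitly: with those keys at `0` the fixed workflows in this update still have nothing to verify.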

libgcrypt:

  • Fix infinite loop in gnome-keyring-daemon caused by attempt to read from
    random device left open by libgcrypt. (bsc#1043333)
  • Avoid seeding the DRBG during FIPS power-up selftests. (bsc#1046659)
  • Fix a bug in gcry_drbg_healthcheck_sanity() which caused skipping some
    of the tests. (bsc#1046659)
  • On s390x dlsym returns the PLT address, so dlopen libgcrypt20.so before
    calling dlsym. (bsc#1047008)

lua51:

  • Add Lua(API) and Lua(devel) symbols to fix building of lua51-luasocket.
    (bsc#1051626)

cyrus-sasl:

  • Fix the "unknown authentication mechanism: kerberos5" error (bsc#1026825)
  • Really use SASLAUTHD_PARAMS variable (bsc#938657)
  • Make sure /usr/sbin/rcsaslauthd exists
  • Add /usr/sbin/rcsaslauthd symbolic link to /usr/sbin/service
    (bsc#1014471)
  • Silence "GSSAPI client step 1" debug log message (bsc#1044840)

libxml2:

  • CVE-2017-8872: Out-of-bounds read in htmlParseTryOrFinish. (bsc#1038444)

curl:

  • CVE-2017-1000100: TFTP sends more than buffer size and it could lead to a
    denial of service. (bsc#1051644)
  • CVE-2017-1000101: URL globbing out of bounds read could lead to a denial
    of service. (bsc#1051643)

ncurses:

  • CVE-2017-11112: Illegal address access in append_acs. (bsc#1047964)
  • CVE-2017-11113: Dereferencing NULL pointer in _nc_parse_entry.
    (bsc#1047965)
  • CVE-2017-10684, CVE-2017-10685: Add modified upstream fix from ncurses
    6.0 to avoid broken termcap format (bsc#1046853, bsc#1046858,
    bsc#1049344)

sed:

  • Don’t terminate with a segmentation fault if close of last file
    descriptor fails. (bsc#954661)

openssl:

  • Remove DES-CBC3-SHA based ciphers from DEFAULT_SUSE to address SWEET32
    problem. (bsc#1027908)
  • Use the getrandom syscall instead of reading from /dev/urandom to get at
    least 128 bits of entropy, to comply with FIPS 140-2 IG 7.14.
    (bsc#1027079 bsc#1044175)
  • Fix x86 extended feature detection (bsc#1029523)
  • Allow runtime switching of s390x capabilities via the "OPENSSL_s390xcap"
    environmental variable. (bsc#1028723)
  • Add back certificate initialization set_cert_key_stuff() which was
    removed in a previous update. (bsc#1028281)
  • Fix a bug in XTS key handling. (bsc#1019637)
  • Don’t run FIPS power-up self-tests when the checksum files aren’t
    installed. (bsc#1042392)
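The first openssl entry drops the DES-CBC3-SHA family from DEFAULT_SUSE because of SWEET32, the birthday attack on 64-bit block ciphers. The advisory says which suites were removed but not how to tell whether a host or a service still offers them, so here is an added example, not part of the SUSE update or of OpenSSL: a small filter that reads OpenSSL cipher-suite names one per line, classifies the symmetric cipher by block size from the suite name, and prints the suites that use a 64-bit block (3DES, single DES, IDEA, RC2). The suite names in the sample list are standard OpenSSL names, but the list itself is constructed for this example and is not the real DEFAULT_SUSE cipher string; the function names are ours.

```shell
#!/bin/sh
# Added example (not part of the SUSE update): find SWEET32-affected
# (64-bit block) cipher suites in an OpenSSL cipher list.

# classify_ciphers
#   Reads one OpenSSL suite name per line on stdin and prints
#   "<name> <family> <block-bits> <verdict>". The cipher family is taken
#   from the suite name, e.g. ECDHE-RSA-DES-CBC3-SHA uses 3DES.
classify_ciphers() {
    awk '
    NF == 0 { next }
    {
        name = $1; family = "other"; block = 128
        if      (name ~ /(^|-)(DES-CBC3|3DES-EDE-CBC)-/) { family = "3DES";     block = 64 }
        else if (name ~ /(^|-)DES-CBC-/)                 { family = "DES";      block = 64 }
        else if (name ~ /(^|-)IDEA-CBC-/)                { family = "IDEA";     block = 64 }
        else if (name ~ /(^|-)RC2-CBC-/)                 { family = "RC2";      block = 64 }
        else if (name ~ /(^|-)RC4-/)                     { family = "RC4";      block = 0 }   # stream cipher
        else if (name ~ /CHACHA20/)                      { family = "ChaCha20"; block = 0 }   # stream cipher
        else if (name ~ /AES/)                           { family = "AES";      block = 128 }
        else if (name ~ /CAMELLIA/)                      { family = "Camellia"; block = 128 }
        verdict = (block == 64) ? "SWEET32-affected" : "ok"
        printf "%s %s %d %s\n", name, family, block, verdict
    }'
}

# sweet32_ciphers
#   Prints only the affected suite names; exits non-zero if there are none,
#   so it can be used directly in a conditional.
sweet32_ciphers() {
    classify_ciphers | awk '$4 == "SWEET32-affected" { print $1; found = 1 }
                            END { exit found ? 0 : 1 }'
}

# sample_cipher_list
#   Constructed sample, not the real DEFAULT_SUSE list: a few standard
#   OpenSSL suite names, three of which use a 64-bit block cipher.
sample_cipher_list() {
    printf '%s\n' \
        ECDHE-RSA-AES128-GCM-SHA256 \
        ECDHE-RSA-CHACHA20-POLY1305 \
        DES-CBC3-SHA \
        ECDHE-RSA-DES-CBC3-SHA \
        AES256-SHA \
        IDEA-CBC-SHA
}

# Demo on the constructed list. On a real host, feed the live list instead:
#   openssl ciphers DEFAULT | tr ':' '\n' | sweet32_ciphers
if sample_cipher_list | sweet32_ciphers; then
    echo "64-bit block ciphers present in list"
else
    echo "no 64-bit block ciphers in list"
fi
```

The same filter works on the cipher string a service actually negotiates: run `openssl ciphers <string>` with the string from the service's configuration, split on `:`, and pipe it in. To check a remote endpoint rather than a configuration, `openssl s_client -connect host:443 -cipher DES-CBC3-SHA </dev/null` succeeds only if the server still accepts 3DES, which is exactly what this update stops the DEFAULT_SUSE string from offering.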

procps:

  • Don’t set buffering on invalid file descriptor. (bsc#1053409)

expat:

  • CVE-2016-9063: Possible integer overflow inside XML_Parse leading to
    unexpected behaviour. (bsc#1047240)
  • CVE-2017-9233: External Entity Vulnerability could lead to denial of
    service. (bsc#1047236)

systemd:

  • Revert fix for bsc#1004995 which could have caused boot failure on LVM
    (bsc#1048605)
  • compat-rules: drop the bogus ‘import everything’ rule (bsc#1046268)
  • core: use an AF_UNIX/SOCK_DGRAM socket for cgroup agent notification
    (bsc#1045384 bsc#1047379)
  • udev/path_id: introduce support for NVMe devices (bsc#1045987)
  • compat-rules: Don’t rely on ID_SERIAL when generating ‘by-id’ links for
    NVMe devices. (bsc#1048679)
  • fstab-generator: Handle NFS "bg" mounts correctly. (bsc#874665,
    fate#323464)
  • timesyncd: Don’t use compiled-in list if FallbackNTP has been configured
    explicitly.

insserv-compat:

  • Add /etc/init.d hierarchy from former "filesystem" package. (bsc#1035062)
  • Fix directory argument parsing. (bsc#944903)
  • Add perl(Getopt::Long) to list of requirements.

mariadb:

  • Update libmysqlclient18 from version 10.0.30 to 10.0.31.

python-pycrypto:

  • CVE-2013-7459: Fixed a potential heap buffer overflow in ALGnew
    (bsc#1017420).

velum:

  • Fix loopback IP for proxy exception during initial configuration.
    (bsc#1052759)
  • Set secure flag in cookie. (bsc#1050484)
  • Set VERSION to 1.0.0. (bsc#1050396)
  • Allow kubeconfig download when master is ready. (bsc#1048483)
