The Docker images provided with SUSE CaaS Platform 1.0 have been updated
to include the following updates:
libzypp:
- CVE-2017-7435, CVE-2017-7436, CVE-2017-9269: Fix GPG check workflows,
mainly for unsigned repositories and packages. (bsc#1045735, bsc#1038984)
- Fix gpg-pubkey release (creation time) computation. (bsc#1036659)
- Update lsof blacklist. (bsc#1046417)
- Re-probe on refresh if the repository type changes. (bsc#1048315)
- Propagate proper error code to DownloadProgressReport. (bsc#1047785)
- Allow to trigger an appdata refresh unconditionally. (bsc#1009745)
- Support custom repo variables defined in /etc/zypp/vars.d.
- Adapt loop mounting of ISO images. (bsc#1038132, bsc#1033236)
- Fix potential crash if repository has no baseurl. (bsc#1043218)
zypper:
- CVE-2017-7436: Adapt download callback to report and handle unsigned
packages. (bsc#1038984)
- Report missing/optional files as ‘not found’ rather than ‘error’.
(bsc#1047785)
- Document support for custom repository variables defined in
/etc/zypp/vars.d.
- Emphasize that it depends on how fast PackageKit will respond to a
‘quit’ request sent if PK blocks package management.
libgcrypt:
- Fix infinite loop in gnome-keyring-daemon caused by attempt to read from
random device left open by libgcrypt. (bsc#1043333)
- Avoid seeding the DRBG during FIPS power-up selftests. (bsc#1046659)
- Fix a bug in gcry_drbg_healthcheck_sanity() which caused skipping some
of the tests. (bsc#1046659)
- dlsym returns PLT address on s390x, dlopen libgcrypt20.so before calling
dlsym. (bsc#1047008)
lua51:
- Add Lua(API) and Lua(devel) symbols to fix building of lua51-luasocket.
(bsc#1051626)
cyrus-sasl:
- Fix unknown authentication mechanism: kerberos5 (bsc#1026825)
- Really use SASLAUTHD_PARAMS variable (bsc#938657)
- Make sure /usr/sbin/rcsaslauthd exists
- Add /usr/sbin/rcsaslauthd symbolic link to /usr/sbin/service
(bsc#1014471)
- Silence "GSSAPI client step 1" debug log message (bsc#1044840)
libxml2:
- CVE-2017-8872: Out-of-bounds read in htmlParseTryOrFinish. (bsc#1038444)
curl:
- CVE-2017-1000100: TFP sends more than buffer size and it could lead to a
denial of service. (bsc#1051644)
- CVE-2017-1000101: URL globbing out of bounds read could lead to a denial
of service. (bsc#1051643)
ncurses:
- CVE-2017-11112: Illegal address access in append_acs. (bsc#1047964)
- CVE-2017-11113: Dereferencing NULL pointer in _nc_parse_entry.
(bsc#1047965)
- CVE-2017-10684, CVE-2017-10685: Add modified upstream fix from ncurses
6.0 to avoid broken termcap format (bsc#1046853, bsc#1046858,
bsc#1049344)
sed:
- Don’t terminate with a segmentation fault if close of last file
descriptor fails. (bsc#954661)
openssl:
- Remove DES-CBC3-SHA based ciphers from DEFAULT_SUSE to address SWEET32
problem. (bsc#1027908)
- Use getrandom syscall instead of reading from /dev/urandom to get at
least 128 bits of entropy to comply with FIPS 140.2 IG 7.14.
(bsc#1027079 bsc#1044175)
- Fix x86 extended feature detection (bsc#1029523)
- Allow runtime switching of s390x capabilities via the "OPENSSL_s390xcap"
environmental variable. (bsc#1028723)
- Add back certificate initialization set_cert_key_stuff() which was
removed in a previous update. (bsc#1028281)
- Fix a bug in XTS key handling. (bsc#1019637)
- Don’t run FIPS power-up self-tests when the checksum files aren’t
installed. (bsc#1042392)
procps:
- Don’t set buffering on invalid file descriptor. (bsc#1053409)
expat:
- CVE-2016-9063: Possible integer overflow to fix inside XML_Parse leading
to unexpected behaviour. (bsc#1047240)
- CVE-2017-9233: External Entity Vulnerability could lead to denial of
service. (bsc#1047236)
systemd:
- Revert fix for bsc#1004995 which could have caused boot failure on LVM
(bsc#1048605)
- compat-rules: drop the bogus ‘import everything’ rule (bsc#1046268)
- core: use an AF_UNIX/SOCK_DGRAM socket for cgroup agent notification
(bsc#1045384 bsc#1047379)
- udev/path_id: introduce support for NVMe devices (bsc#1045987)
- compat-rules: Don’t rely on ID_SERIAL when generating ‘by-id’ links for
NVMe devices. (bsc#1048679)
- fstab-generator: Handle NFS "bg" mounts correctly. (bsc#874665,
fate#323464)
- timesyncd: Don’t use compiled-in list if FallbackNTP has been configured
explicitly.
insserv-compat:
- Add /etc/init.d hierarchy from former "filesystem" package. (bsc#1035062)
- Fix directory argument parsing. (bsc#944903)
- Add perl(Getopt::Long) to list of requirements.
mariadb:
- Update libmysqlclient18 from version 10.0.30 to 10.0.31.
python-pycrypto:
- CVE-2013-7459: Fixed a potential heap buffer overflow in ALGnew
(bsc#1017420).
velum:
- Fix loopback IP for proxy exception during initial configuration.
(bsc#1052759)
- Set secure flag in cookie. (bsc#1050484)
- Set VERSION to 1.0.0. (bsc#1050396)
- Allow kubeconfig download when master is ready. (bsc#1048483)