Oval Definition:	oval:org.opensuse.security:def:49124
Revision Date: 2021-10-12 Version: 1 Title: Security update for containerd, docker, runc (Important) Description: This update for containerd, docker, runc fixes the following issues: Docker was updated to 20.10.9-ce. (bsc#1191355) See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. CVE-2021-41092 CVE-2021-41089 CVE-2021-41091 CVE-2021-41103 container was updated to v1.4.11, to fix CVE-2021-41103. bsc#1191355 - CVE-2021-32760: Fixed that a archive package allows chmod of file outside of unpack target directory (bsc#1188282) Update to runc v1.0.2. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.2 Fixed a failure to set CPU quota period in some cases on cgroup v1. * Fixed the inability to start a container with the 'adding seccomp filter rule for syscall ...' error, caused by redundant seccomp rules (i.e. those that has action equal to the default one). Such redundant rules are now skipped. * Made release builds reproducible from now on. * Fixed a rare debug log race in runc init, which can result in occasional harmful 'failed to decode ...' errors from runc run or exec. * Fixed the check in cgroup v1 systemd manager if a container needs to be frozen before Set, and add a setting to skip such freeze unconditionally. The previous fix for that issue, done in runc 1.0.1, was not working. Update to runc v1.0.1. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.1 Fixed occasional runc exec/run failure ('interrupted system call') on an Azure volume. * Fixed 'unable to find groups ... token too long' error with /etc/group containing lines longer than 64K characters. * cgroup/systemd/v1: fix leaving cgroup frozen after Set if a parent cgroup is frozen. This is a regression in 1.0.0, not affecting runc itself but some of libcontainer users (e.g Kubernetes). * cgroupv2: bpf: Ignore inaccessible existing programs in case of permission error when handling replacement of existing bpf cgroup programs. This fixes a regression in 1.0.0, where some SELinux policies would block runc from being able to run entirely. * cgroup/systemd/v2: don't freeze cgroup on Set. * cgroup/systemd/v1: avoid unnecessary freeze on Set. - fix issues with runc under openSUSE MicroOS's SELinux policy. bsc#1187704 Update to runc v1.0.0. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.0 ! The usage of relative paths for mountpoints will now produce a warning (such configurations are outside of the spec, and in future runc will produce an error when given such configurations). * cgroupv2: devices: rework the filter generation to produce consistent results with cgroupv1, and always clobber any existing eBPF program(s) to fix runc update and avoid leaking eBPF programs (resulting in errors when managing containers). * cgroupv2: correctly convert 'number of IOs' statistics in a cgroupv1-compatible way. * cgroupv2: support larger than 32-bit IO statistics on 32-bit architectures. * cgroupv2: wait for freeze to finish before returning from the freezing code, optimize the method for checking whether a cgroup is frozen. * cgroups/systemd: fixed 'retry on dbus disconnect' logic introduced in rc94 * cgroups/systemd: fixed returning 'unit already exists' error from a systemd cgroup manager (regression in rc94) + cgroupv2: support SkipDevices with systemd driver + cgroup/systemd: return, not ignore, stop unit error from Destroy + Make 'runc --version' output sane even when built with go get or otherwise outside of our build scripts. + cgroups: set SkipDevices during runc update (so we don't modify cgroups at all during runc update). + cgroup1: blkio: support BFQ weights. + cgroupv2: set per-device io weights if BFQ IO scheduler is available. Update to runc v1.0.0~rc95. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc95 This release of runc contains a fix for CVE-2021-30465, and users are strongly recommended to update (especially if you are providing semi-limited access to spawn containers to untrusted users). (bsc#1185405) Update to runc v1.0.0~rc94. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc94 Breaking Changes: * cgroupv1: kernel memory limits are now always ignored, as kmemcg has been effectively deprecated by the kernel. Users should make use of regular memory cgroup controls. Regression Fixes: seccomp: fix 32-bit compilation errors * runc init: fix a hang caused by deadlock in seccomp/ebpf loading code * runc start: fix 'chdir to cwd: permission denied' for some setups Family: unix Class: patch Status: Reference(s): 1013712 1026236 1027519 1051510 1071995 1094555 1096180 1096945 1100691 1102408 1111666 1112374 1114279 1114988 1117025 1121563 1122000 1123333 1123727 1123892 1124153 1125352 1126140 1126141 1126192 1126195 1126196 1126197 1126198 1126201 1126325 1127400 1127620 1128432 1130840 1133283 1134730 1134738 1134978 1135153 1135296 1135642 1136156 1136157 1136271 1136333 1137103 1137194 1137366 1137884 1137985 1138263 1138336 1138374 1138375 1138589 1138681 1138719 1138732 1144621 1149955 1153238 1154862 1156275 1156669 1158108 1158109 1160611 1160612 1160613 1160614 1160615 1174230 1176384 1176756 1176899 1177977 1185405 1187704 1188282 1191015 1191121 1191334 1191355 1191434 CVE-2008-3522 CVE-2011-4516 CVE-2011-4517 CVE-2014-8137 CVE-2014-8138 CVE-2014-8157 CVE-2014-8158 CVE-2014-9029 CVE-2015-5203 CVE-2015-5221 CVE-2015-8863 CVE-2016-10251 CVE-2016-1577 CVE-2016-1867 CVE-2016-2089 CVE-2016-2116 CVE-2016-4074 CVE-2016-8654 CVE-2016-8690 CVE-2016-8691 CVE-2016-8692 CVE-2016-8693 CVE-2016-8880 CVE-2016-8881 CVE-2016-8882 CVE-2016-8883 CVE-2016-8884 CVE-2016-8885 CVE-2016-8886 CVE-2016-8887 CVE-2016-9262 CVE-2016-9387 CVE-2016-9388 CVE-2016-9389 CVE-2016-9390 CVE-2016-9391 CVE-2016-9392 CVE-2016-9393 CVE-2016-9394 CVE-2016-9395 CVE-2016-9396 CVE-2016-9398 CVE-2016-9557 CVE-2016-9560 CVE-2016-9583 CVE-2016-9591 CVE-2016-9600 CVE-2016-9798 CVE-2017-1000050 CVE-2017-5498 CVE-2017-6850 CVE-2018-1000622 CVE-2018-11439 CVE-2018-16871 CVE-2018-19539 CVE-2018-19540 CVE-2018-19541 CVE-2018-19542 CVE-2018-19967 CVE-2018-9055 CVE-2018-9154 CVE-2019-10216 CVE-2019-12083 CVE-2019-12614 CVE-2019-12817 CVE-2019-14861 CVE-2019-14869 CVE-2019-14870 CVE-2019-16056 CVE-2019-16935 CVE-2019-17498 CVE-2019-2126 CVE-2019-2737 CVE-2019-2739 CVE-2019-2740 CVE-2019-2758 CVE-2019-2805 CVE-2019-2938 CVE-2019-2974 CVE-2019-6454 CVE-2019-9232 CVE-2019-9325 CVE-2019-9371 CVE-2019-9433 CVE-2019-9947 CVE-2020-15673 CVE-2020-15676 CVE-2020-15677 CVE-2020-15678 CVE-2020-15683 CVE-2020-15969 CVE-2021-30465 CVE-2021-32760 CVE-2021-41089 CVE-2021-41091 CVE-2021-41092 CVE-2021-41103 SUSE-SU-2019:0426-1 SUSE-SU-2019:0875-1 SUSE-SU-2019:1744-1 SUSE-SU-2019:2348-1 SUSE-SU-2019:2439-1 SUSE-SU-2019:2743-1 SUSE-SU-2019:2981-1 SUSE-SU-2019:3046-1 SUSE-SU-2019:3306-1 SUSE-SU-2019:3318-1 SUSE-SU-2020:0143-1 SUSE-SU-2020:3091-1 SUSE-SU-2021:3336-1 Platform(s): openSUSE Leap 15.0 openSUSE Leap 15.1 SUSE Linux Enterprise Desktop 11 SP3 SUSE Linux Enterprise Desktop 11 SP4 SUSE Linux Enterprise Desktop 12 SUSE Linux Enterprise Desktop 12 SP1 SUSE Linux Enterprise Desktop 12 SP2 SUSE Linux Enterprise Desktop 12 SP3 SUSE Linux Enterprise Desktop 12 SP4 SUSE Linux Enterprise High Performance Computing 12 SUSE Linux Enterprise Module for additional PackageHub packages 15 SP1 SUSE Linux Enterprise Module for Basesystem 15 SUSE Linux Enterprise Module for Basesystem 15 SP1 SUSE Linux Enterprise Module for Basesystem 15 SP2 SUSE Linux Enterprise Module for Containers 12 SUSE Linux Enterprise Module for Desktop Applications 15 SUSE Linux Enterprise Module for Desktop Applications 15 SP1 SUSE Linux Enterprise Module for Development Tools 15 SUSE Linux Enterprise Module for High Performance Computing 15 SUSE Linux Enterprise Module for Legacy Software 15 SP1 SUSE Linux Enterprise Module for Legacy Software 15 SP2 SUSE Linux Enterprise Module for Live Patching 15 SUSE Linux Enterprise Module for Live Patching 15 SP1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 SP1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 SP2 SUSE Linux Enterprise Module for Public Cloud 15 SP1 SUSE Linux Enterprise Module for Server Applications 15 SUSE Linux Enterprise Module for Server Applications 15 SP1 SUSE Linux Enterprise Module for Server Applications 15 SP2 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server 12 SP1 SUSE Linux Enterprise Server 12 SP1-LTSS SUSE Linux Enterprise Server 12 SP2 SUSE Linux Enterprise Server 12 SP2-BCL SUSE Linux Enterprise Server 12 SP2-ESPOS SUSE Linux Enterprise Server 12 SP2-LTSS SUSE Linux Enterprise Server 12 SP3 SUSE Linux Enterprise Server 12 SP4 SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise Server for SAP Applications 12 SUSE Linux Enterprise Server for SAP Applications 12 SP3 SUSE Linux Enterprise Server for SAP Applications 12 SP4 SUSE Linux Enterprise Server for SAP Applications 12 SP5 SUSE Linux Enterprise Workstation Extension 15 SUSE Linux Enterprise Workstation Extension 15 SP1 SUSE OpenStack Cloud 6 SUSE OpenStack Cloud 7 Product(s): Definition Synopsis openSUSE Leap 15.0 is installed AND Package Information mutt-1.9.1-lp150.1 is installed OR mutt-doc-1.9.1-lp150.1 is installed OR mutt-lang-1.9.1-lp150.1 is installed Definition Synopsis openSUSE Leap 15.1 is installed AND Package Information libsass-3.6.1-lp151.3.3 is installed OR libsass-3_6_1-1-3.6.1-lp151.3.3 is installed OR libsass-devel-3.6.1-lp151.3.3 is installed Definition Synopsis SUSE Linux Enterprise Desktop 11 SP3 is installed AND Package Information e2fsprogs-1.41.9-2.10.11 is installed OR libblkid1-2.19.1-6.62 is installed OR libblkid1-32bit-2.19.1-6.62 is installed OR libcom_err2-1.41.9-2.10.11 is installed OR libcom_err2-32bit-1.41.9-2.10.11 is installed OR libext2fs2-1.41.9-2.10.11 is installed OR libuuid-devel-2.19.1-6.62 is installed OR libuuid1-2.19.1-6.62 is installed OR libuuid1-32bit-2.19.1-6.62 is installed OR uuid-runtime-2.19.1-6.62 is installed Definition Synopsis SUSE Linux Enterprise Desktop 11 SP4 is installed AND Package Information bind-9.9.6P1-0.12 is installed OR bind-libs-9.9.6P1-0.12 is installed OR bind-libs-32bit-9.9.6P1-0.12 is installed OR bind-utils-9.9.6P1-0.12 is installed Definition Synopsis SUSE Linux Enterprise Desktop 12 is installed AND Package Information libgnomesu-1.0.0-352 is installed OR libgnomesu-lang-1.0.0-352 is installed OR libgnomesu0-1.0.0-352 is installed Definition Synopsis SUSE Linux Enterprise Desktop 12 SP1 is installed AND Package Information gegl-0.2.0-10.3 is installed OR gegl-0_2-0.2.0-10.3 is installed OR gegl-0_2-lang-0.2.0-10.3 is installed OR libgegl-0_2-0-0.2.0-10.3 is installed Definition Synopsis SUSE Linux Enterprise Desktop 12 SP2 is installed AND Package Information bind-libs-9.9.9P1-46 is installed OR bind-libs-32bit-9.9.9P1-46 is installed OR bind-utils-9.9.9P1-46 is installed Definition Synopsis SUSE Linux Enterprise Desktop 12 SP3 is installed AND patch-2.7.5-7 is installed Definition Synopsis SUSE Linux Enterprise Desktop 12 SP4 is installed AND cvs-1.12.12-182.3 is installed Definition Synopsis SUSE Linux Enterprise Module for Containers 12 is installed AND Package Information containerd-1.4.11-16.45.1 is installed OR docker-20.10.9_ce-98.72.1 is installed OR runc-1.0.2-16.14.1 is installed Definition Synopsis SUSE Linux Enterprise Module for additional PackageHub packages 15 SP1 is installed AND libjpeg-turbo-1.5.3-5.12 is installed Definition Synopsis SUSE Linux Enterprise Module for Basesystem 15 is installed AND Package Information ghostscript-9.26a-3.18 is installed OR ghostscript-devel-9.26a-3.18 is installed OR ghostscript-x11-9.26a-3.18 is installed Definition Synopsis SUSE Linux Enterprise Module for Basesystem 15 SP1 is installed AND Package Information kernel-default-4.12.14-197.7 is installed OR kernel-default-base-4.12.14-197.7 is installed OR kernel-default-devel-4.12.14-197.7 is installed OR kernel-default-man-4.12.14-197.7 is installed OR kernel-devel-4.12.14-197.7 is installed OR kernel-macros-4.12.14-197.7 is installed OR kernel-source-4.12.14-197.7 is installed OR kernel-zfcpdump-4.12.14-197.7 is installed Definition Synopsis SUSE Linux Enterprise Module for Basesystem 15 SP2 is installed AND Package Information jq-1.6-3.3 is installed OR libjq-devel-1.6-3.3 is installed OR libjq1-1.6-3.3 is installed Definition Synopsis SUSE Linux Enterprise Module for Desktop Applications 15 is installed AND Package Information bluez-5.48-5.19 is installed OR bluez-devel-5.48-5.19 is installed Definition Synopsis SUSE Linux Enterprise Module for Desktop Applications 15 SP1 is installed AND Package Information libvpx-1.6.1-6.3 is installed OR libvpx-devel-1.6.1-6.3 is installed Definition Synopsis SUSE Linux Enterprise Module for Development Tools 15 is installed AND Package Information cargo-1.36.0-3.21 is installed OR clippy-1.36.0-3.21 is installed OR rls-1.36.0-3.21 is installed OR rust-1.36.0-3.21 is installed OR rust-analysis-1.36.0-3.21 is installed OR rust-gdb-1.36.0-3.21 is installed OR rust-src-1.36.0-3.21 is installed OR rust-std-static-1.36.0-3.21 is installed OR rustfmt-1.36.0-3.21 is installed Definition Synopsis SUSE Linux Enterprise Module for High Performance Computing 15 is installed AND Package Information libpmi0_18_08-18.08.9-1.5 is installed OR libslurm33-18.08.9-1.5 is installed OR pdsh-2.33-7.6 is installed OR pdsh-dshgroup-2.33-7.6 is installed OR pdsh-genders-2.33-7.6 is installed OR pdsh-machines-2.33-7.6 is installed OR pdsh-netgroup-2.33-7.6 is installed OR pdsh-slurm-2.33-7.6 is installed OR pdsh-slurm_18_08-2.33-7.6 is installed OR perl-slurm_18_08-18.08.9-1.5 is installed OR slurm_18_08-18.08.9-1.5 is installed OR slurm_18_08-auth-none-18.08.9-1.5 is installed OR slurm_18_08-config-18.08.9-1.5 is installed OR slurm_18_08-devel-18.08.9-1.5 is installed OR slurm_18_08-doc-18.08.9-1.5 is installed OR slurm_18_08-lua-18.08.9-1.5 is installed OR slurm_18_08-munge-18.08.9-1.5 is installed OR slurm_18_08-node-18.08.9-1.5 is installed OR slurm_18_08-pam_slurm-18.08.9-1.5 is installed OR slurm_18_08-plugins-18.08.9-1.5 is installed OR slurm_18_08-slurmdbd-18.08.9-1.5 is installed OR slurm_18_08-sql-18.08.9-1.5 is installed OR slurm_18_08-torque-18.08.9-1.5 is installed Definition Synopsis SUSE Linux Enterprise Module for Legacy Software 15 SP1 is installed AND Package Information java-1_8_0-openjdk-1.8.0.232-3.27 is installed OR java-1_8_0-openjdk-demo-1.8.0.232-3.27 is installed OR java-1_8_0-openjdk-devel-1.8.0.232-3.27 is installed OR java-1_8_0-openjdk-headless-1.8.0.232-3.27 is installed Definition Synopsis SUSE Linux Enterprise Module for Legacy Software 15 SP2 is installed AND Package Information openldap2-2.4.46-9.34 is installed OR openldap2-back-meta-2.4.46-9.34 is installed OR openldap2-back-perl-2.4.46-9.34 is installed OR openldap2-ppolicy-check-password-1.2-9.34 is installed Definition Synopsis SUSE Linux Enterprise Module for Live Patching 15 is installed AND Package Information kernel-livepatch-4_12_14-25_13-default-8-2 is installed OR kernel-livepatch-SLE15_Update_3-8-2 is installed Definition Synopsis SUSE Linux Enterprise Module for Live Patching 15 SP1 is installed AND Package Information kernel-livepatch-4_12_14-197_7-default-3-2 is installed OR kernel-livepatch-SLE15-SP1_Update_2-3-2 is installed Definition Synopsis SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 is installed AND taglib-1.11.1-4.3 is installed Definition Synopsis SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 SP1 is installed AND Package Information zeromq-4.2.3-3.8 is installed OR zeromq-tools-4.2.3-3.8 is installed Definition Synopsis SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 SP2 is installed AND Package Information libpython3_6m1_0-32bit-3.6.10-3.59 is installed OR python3-3.6.10-3.59 is installed OR python3-32bit-3.6.10-3.59 is installed OR python3-base-3.6.10-3.59 is installed OR python3-base-32bit-3.6.10-3.59 is installed OR python3-doc-3.6.10-3.59 is installed OR python3-testsuite-3.6.10-3.59 is installed Definition Synopsis SUSE Linux Enterprise Module for Public Cloud 15 SP1 is installed AND Package Information kernel-azure-4.12.14-8.38 is installed OR kernel-azure-base-4.12.14-8.38 is installed OR kernel-azure-devel-4.12.14-8.38 is installed OR kernel-devel-azure-4.12.14-8.38 is installed OR kernel-source-azure-4.12.14-8.38 is installed OR kernel-syms-azure-4.12.14-8.38 is installed Definition Synopsis SUSE Linux Enterprise Module for Server Applications 15 is installed AND Package Information dovecot23-2.3.3-4.18 is installed OR dovecot23-backend-mysql-2.3.3-4.18 is installed OR dovecot23-backend-pgsql-2.3.3-4.18 is installed OR dovecot23-backend-sqlite-2.3.3-4.18 is installed OR dovecot23-devel-2.3.3-4.18 is installed OR dovecot23-fts-2.3.3-4.18 is installed OR dovecot23-fts-lucene-2.3.3-4.18 is installed OR dovecot23-fts-solr-2.3.3-4.18 is installed OR dovecot23-fts-squat-2.3.3-4.18 is installed Definition Synopsis SUSE Linux Enterprise Module for Server Applications 15 SP1 is installed AND Package Information dovecot23-2.3.3-8 is installed OR dovecot23-backend-mysql-2.3.3-8 is installed OR dovecot23-backend-pgsql-2.3.3-8 is installed OR dovecot23-backend-sqlite-2.3.3-8 is installed OR dovecot23-devel-2.3.3-8 is installed OR dovecot23-fts-2.3.3-8 is installed OR dovecot23-fts-lucene-2.3.3-8 is installed OR dovecot23-fts-solr-2.3.3-8 is installed OR dovecot23-fts-squat-2.3.3-8 is installed Definition Synopsis SUSE Linux Enterprise Module for Server Applications 15 SP2 is installed AND Package Information icu-60.2-3.9 is installed OR libicu60_2-60.2-3.9 is installed OR libicu60_2-bedata-60.2-3.9 is installed OR libicu60_2-ledata-60.2-3.9 is installed Definition Synopsis SUSE Linux Enterprise Server 12 SP1 is installed AND Package Information libjavascriptcoregtk-3_0-0-2.4.8-16 is installed OR libwebkitgtk-3_0-0-2.4.8-16 is installed OR libwebkitgtk3-lang-2.4.8-16 is installed Definition Synopsis SUSE Linux Enterprise Server 12 SP1-LTSS is installed AND Package Information kgraft-patch-3_12_69-60_64_29-default-5-3 is installed OR kgraft-patch-3_12_69-60_64_29-xen-5-3 is installed OR kgraft-patch-SLE12-SP1_Update_12-5-3 is installed Definition Synopsis SUSE Linux Enterprise Server 12 SP2 is installed AND Package Information accountsservice-0.6.42-14 is installed OR accountsservice-lang-0.6.42-14 is installed OR libaccountsservice0-0.6.42-14 is installed OR typelib-1_0-AccountsService-1_0-0.6.42-14 is installed Definition Synopsis SUSE Linux Enterprise Server 12 SP2-BCL is installed AND Package Information LibVNCServer-0.9.9-17.11 is installed OR libvncclient0-0.9.9-17.11 is installed OR libvncserver0-0.9.9-17.11 is installed Definition Synopsis SUSE Linux Enterprise Server 12 SP2-ESPOS is installed AND Package Information libdcerpc-atsvc0-4.2.4-28.29 is installed OR samba-4.2.4-28.29 is installed Definition Synopsis SUSE Linux Enterprise Server 12 SP2-LTSS is installed AND Package Information kgraft-patch-4_4_74-92_38-default-9-2 is installed OR kgraft-patch-SLE12-SP2_Update_13-9-2 is installed Definition Synopsis SUSE Linux Enterprise Server 12 SP3 is installed AND libquicktime0-1.2.4-10 is installed Definition Synopsis SUSE Linux Enterprise Server 15-LTSS is installed AND Package Information ghostscript-9.52-3.27 is installed OR ghostscript-devel-9.52-3.27 is installed OR ghostscript-x11-9.52-3.27 is installed Definition Synopsis SUSE Linux Enterprise Workstation Extension 15 is installed AND enigmail-2.0.11-3.16 is installed Definition Synopsis SUSE Linux Enterprise Workstation Extension 15 SP1 is installed AND Package Information MozillaThunderbird-68.6.0-3.74 is installed OR MozillaThunderbird-translations-common-68.6.0-3.74 is installed OR MozillaThunderbird-translations-other-68.6.0-3.74 is installed Definition Synopsis SUSE OpenStack Cloud 6 is installed AND python-Pillow-2.7.0-1 is installed Definition Synopsis SUSE OpenStack Cloud 7 is installed AND ucode-intel-20180807-13.29 is installed
BACK