SUSE 5180

SUSE has released several security updates, covering chromium, libopenssl-3-devel, traefik2, and coredns:

openSUSE-SU-2024:0314-1: important: Security update for chromium
openSUSE-SU-2024:14366-1: moderate: libopenssl-3-devel-3.1.4-14.1 on GA media
openSUSE-SU-2024:14367-1: moderate: traefik2-2.11.10-1.1 on GA media
openSUSE-SU-2024:0319-1: moderate: Security update for coredns




openSUSE-SU-2024:0314-1: important: Security update for chromium


openSUSE Security Update: Security update for chromium
_______________________________

Announcement ID: openSUSE-SU-2024:0314-1
Rating: important
References: #1230964
Cross-References: CVE-2024-9120 CVE-2024-9121 CVE-2024-9122 CVE-2024-9123
Affected Products:
openSUSE Backports SLE-15-SP6
_______________________________

An update that fixes four vulnerabilities is now available.

Description:

This update for chromium fixes the following issues:

Chromium 129.0.6668.70 (stable released 2024-09-24) (boo#1230964)

* CVE-2024-9120: Use after free in Dawn
* CVE-2024-9121: Inappropriate implementation in V8
* CVE-2024-9122: Type Confusion in V8
* CVE-2024-9123: Integer overflow in Skia

- bump BuildRequires (BR) for nodejs to a minimum of 20.0

Patch Instructions:

To install this openSUSE Security Update, use the SUSE recommended installation methods such as YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP6:

zypper in -t patch openSUSE-2024-314=1

Package List:

- openSUSE Backports SLE-15-SP6 (aarch64 x86_64):

chromedriver-129.0.6668.70-bp156.2.32.1
chromium-129.0.6668.70-bp156.2.32.1
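The Package List above names the fixed builds, and the natural follow-up check is whether a host's installed chromium is at or above them. The following is an added example (not SUSE tooling and not part of the advisory) that reimplements rpm's version-comparison rules in Python and compares `name-version-release` strings against the advisory's fixed builds. It assumes the installed strings come from `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' chromium chromedriver`; the sample "installed" values below are constructed, not real query output, and epochs are assumed equal on both sides.

```python
"""RPM version comparison against the fixed builds in an advisory.

Added example, not SUSE's tooling. Implements the rpmvercmp segment rules:
digit runs compare numerically, letter runs compare lexically, a digit run is
newer than a letter run, '~' sorts before everything (1.0~rc1 < 1.0) and '^'
sorts after the bare base version but before any further suffix.
"""
import re


def _is_alnum(c: str) -> bool:
    # rpm compares in the C locale, so only ASCII letters and digits count.
    return c.isascii() and c.isalnum()


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 as rpm's rpmvercmp() would for two version or release strings."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Skip separators: anything that is not alphanumeric, '~' or '^'.
        while i < len(a) and not (_is_alnum(a[i]) or a[i] in "~^"):
            i += 1
        while j < len(b) and not (_is_alnum(b[j]) or b[j] in "~^"):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        # '~' is older than anything, including end of string.
        if ca == "~" or cb == "~":
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        # '^' is newer than the bare base version, older than any other suffix.
        if ca == "^" or cb == "^":
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        # Take the next run of digits (or of letters) from each side.
        pattern = r"[0-9]" if ca.isdigit() else r"[A-Za-z]"
        seg_a = re.match(pattern + "+", a[i:]).group()
        seg_b = re.match(pattern + "*", b[j:]).group()
        i += len(seg_a)
        j += len(seg_b)
        if not seg_b:
            # Segment types differ: a numeric segment is newer than an alphabetic one.
            return 1 if ca.isdigit() else -1
        if ca.isdigit():
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def split_nvr(nvr: str) -> tuple:
    """Split 'name-version-release' (the Package List form) on the last two '-'."""
    parts = nvr.rsplit("-", 2)
    if len(parts) != 3:
        raise ValueError(f"not a name-version-release string: {nvr!r}")
    return tuple(parts)


def is_patched(installed_nvr: str, fixed_nvr: str) -> bool:
    """True if the installed build is the fixed build or newer (same package name required).
    Epoch is not part of NVR output, so both epochs are assumed equal here."""
    name_i, ver_i, rel_i = split_nvr(installed_nvr)
    name_f, ver_f, rel_f = split_nvr(fixed_nvr)
    if name_i != name_f:
        raise ValueError(f"package name mismatch: {name_i} vs {name_f}")
    rc = rpmvercmp(ver_i, ver_f) or rpmvercmp(rel_i, rel_f)
    return rc >= 0


# Fixed builds quoted from the Package List of openSUSE-SU-2024:0314-1.
FIXED_BUILDS = [
    "chromium-129.0.6668.70-bp156.2.32.1",
    "chromedriver-129.0.6668.70-bp156.2.32.1",
]

if __name__ == "__main__":
    # Constructed sample of what the rpm query might print on a host that has not
    # yet applied openSUSE-2024-314 (the 128.x build number is made up).
    installed = [
        "chromium-128.0.6613.137-bp156.2.29.1",
        "chromedriver-129.0.6668.70-bp156.2.32.1",
    ]
    for have, want in zip(installed, FIXED_BUILDS):
        state = "patched" if is_patched(have, want) else "VULNERABLE, needs " + want
        print(f"{have}: {state}")
```

The same comparison works for the other advisories on this page; only the fixed-build strings change. Pre-release suffixes such as `~rc1` and `^git` are handled exactly as rpm orders them, which matters when a distribution ships snapshot builds.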

References:

https://www.suse.com/security/cve/CVE-2024-9120.html
https://www.suse.com/security/cve/CVE-2024-9121.html
https://www.suse.com/security/cve/CVE-2024-9122.html
https://www.suse.com/security/cve/CVE-2024-9123.html
https://bugzilla.suse.com/1230964



openSUSE-SU-2024:14366-1: moderate: libopenssl-3-devel-3.1.4-14.1 on GA media


# libopenssl-3-devel-3.1.4-14.1 on GA media

Announcement ID: openSUSE-SU-2024:14366-1
Rating: moderate

Cross-References:

* CVE-2024-41996

CVSS scores:

* CVE-2024-41996 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2024-41996 (SUSE): 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Products:

* openSUSE Tumbleweed

An update that solves one vulnerability can now be installed.

## Description:

These are all security issues fixed in the libopenssl-3-devel-3.1.4-14.1 package on the GA media of openSUSE Tumbleweed.

## Package List:

* openSUSE Tumbleweed:
  * libopenssl-3-devel 3.1.4-14.1
  * libopenssl-3-devel-32bit 3.1.4-14.1
  * libopenssl-3-fips-provider 3.1.4-14.1
  * libopenssl-3-fips-provider-32bit 3.1.4-14.1
  * libopenssl-3-fips-provider-x86-64-v3 3.1.4-14.1
  * libopenssl3 3.1.4-14.1
  * libopenssl3-32bit 3.1.4-14.1
  * libopenssl3-x86-64-v3 3.1.4-14.1
  * openssl-3 3.1.4-14.1
  * openssl-3-doc 3.1.4-14.1

## References:

* https://www.suse.com/security/cve/CVE-2024-41996.html



openSUSE-SU-2024:14367-1: moderate: traefik2-2.11.10-1.1 on GA media


# traefik2-2.11.10-1.1 on GA media

Announcement ID: openSUSE-SU-2024:14367-1
Rating: moderate

Cross-References:

* CVE-2024-45410

Affected Products:

* openSUSE Tumbleweed

An update that solves one vulnerability can now be installed.

## Description:

These are all security issues fixed in the traefik2-2.11.10-1.1 package on the GA media of openSUSE Tumbleweed.

## Package List:

* openSUSE Tumbleweed:
  * traefik2 2.11.10-1.1

## References:

* https://www.suse.com/security/cve/CVE-2024-45410.html



openSUSE-SU-2024:0319-1: moderate: Security update for coredns


openSUSE Security Update: Security update for coredns
_______________________________

Announcement ID: openSUSE-SU-2024:0319-1
Rating: moderate
References:
Cross-References: CVE-2022-27191 CVE-2022-28948 CVE-2023-28452 CVE-2023-30464 CVE-2024-0874 CVE-2024-22189

CVSS scores:
CVE-2022-27191 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2022-28948 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CVE-2024-22189 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:
openSUSE Backports SLE-15-SP6
_______________________________

An update that fixes 6 vulnerabilities is now available.

Description:

This update for coredns fixes the following issues:

Update to version 1.11.3:

* optimize the performance for high qps (#6767)
* bump deps
* Fix zone parser error handling (#6680)
* Add alternate option to forward plugin (#6681)
* fix: plugin/file: return error when parsing the file fails (#6699)
* [fix:documentation] Clarify autopath README (#6750)
* Fix outdated test (#6747)
* Bump go version from 1.21.8 to 1.21.11 (#6755)
* Generate zplugin.go correctly with third-party plugins (#6692)
* dnstap: uses pointer receiver for small response writer (#6644)
* chore: fix function name in comment (#6608)
* [plugin/forward] Strip local zone from IPV6 nameservers (#6635)
- fixes CVE-2023-30464
- fixes CVE-2023-28452

Update to upstream head (git commit #5a52707):

* bump deps to address security issue CVE-2024-22189
* Return RcodeServerFailure when DNS64 has no next plugin (#6590)
* add plusserver to adopters (#6565)
* Change the log flags to be a variable that can be set prior to calling Run (#6546)
* Enable Prometheus native histograms (#6524)
* forward: respect context (#6483)
* add client labels to k8s plugin metadata (#6475)
* fix broken link in webpage (#6488)
* Repo controlled Go version (#6526)
* removed the mutex locks with atomic bool (#6525)

Update to version 1.11.2:

* rewrite: fix multi request concurrency issue in cname rewrite (#6407)
* plugin/tls: respect the path specified by root plugin (#6138)
* plugin/auto: warn when auto is unable to read elements of the directory tree (#6333)
* fix: make the codeowners link relative (#6397)
* plugin/etcd: the etcd client adds the DialKeepAliveTime parameter (#6351)
* plugin/cache: key cache on Checking Disabled (CD) bit (#6354)
* Use the correct root domain name in the proxy plugin's TestHealthX tests (#6395)
* Add PITS Global Data Recovery Services as an adopter (#6304)
* Handle UDP responses that overflow with TC bit with test case (#6277)
* plugin/rewrite: add rcode as a rewrite option (#6204)

- CVE-2024-0874: coredns: CD bit response is cached and served later

- Update to version 1.11.1:

* Revert "plugin/forward: Continue waiting after receiving malformed responses"
* plugin/dnstap: add support for "extra" field in payload
* plugin/cache: fix keepttl parsing

- Update to version 1.11.0:

* Adds support for accepting DNS connections over QUIC (doq).
* Adds CNAME target rewrites to the rewrite plugin.
* Plus many bug fixes, and some security improvements.
* This release introduces the following backward incompatible changes:
+ In the kubernetes plugin, we have dropped support for watching Endpoint and Endpointslice v1beta, since all supported K8s versions now use Endpointslice.
+ The bufsize plugin changed its default size limit value to 1232
+ Some changes to forward plugin metrics.

- Update to version 1.10.1:

* Corrected architecture labels in multi-arch image manifest
* A new plugin timeouts that allows configuration of server listener timeout durations
* acl can drop queries as an action
* template supports creating responses with extended DNS errors
* New weighted policy in loadbalance
* Option to serve original record TTLs from cache

- Update to version 1.10.0:

* core: add log listeners for k8s_event plugin (#5451)
* core: log DoH HTTP server error logs in CoreDNS format (#5457)
* core: warn when domain names are not in RFC1035 preferred syntax (#5414)
* plugin/acl: add support for extended DNS errors (#5532)
* plugin/bufsize: do not expand query UDP buffer size if already set to a smaller value (#5602)
* plugin/cache: add cache disable option (#5540)
* plugin/cache: add metadata for wildcard record responses (#5308)
* plugin/cache: add option to adjust SERVFAIL response cache TTL (#5320)
* plugin/cache: correct responses to Authenticated Data requests (#5191)
* plugin/dnstap: add identity and version support for the dnstap plugin (#5555)
* plugin/file: add metadata for wildcard record responses (#5308)
* plugin/forward: enable multiple forward declarations (#5127)
* plugin/forward: health_check needs to normalize a specified domain name (#5543)
* plugin/forward: remove unused coredns_forward_sockets_open metric (#5431)
* plugin/header: add support for query modification (#5556)
* plugin/health: bypass proxy in self health check (#5401)
* plugin/health: don't go lameduck when reloading (#5472)
* plugin/k8s_external: add support for PTR requests (#5435)
* plugin/k8s_external: resolve headless services (#5505)
* plugin/kubernetes: make kubernetes client log in CoreDNS format (#5461)
* plugin/ready: reset list of readiness plugins on startup (#5492)
* plugin/rewrite: add PTR records to supported types (#5565)
* plugin/rewrite: fix a crash in rewrite plugin when rule type is missing (#5459)
* plugin/rewrite: fix out-of-index issue in rewrite plugin (#5462)
* plugin/rewrite: support min and max TTL values (#5508)
* plugin/trace: make zipkin HTTP reporter more configurable using Corefile (#5460)
* plugin/trace: read trace context info from headers for DOH (#5439)
* plugin/tsig: add new plugin TSIG for validating TSIG requests and signing responses (#4957)
* core: update gopkg.in/yaml.v3 to fix CVE-2022-28948
* core: update golang.org/x/crypto to fix CVE-2022-27191
* plugin/acl: adding a check to parse out zone info
* plugin/dnstap: support FQDN TCP endpoint
* plugin/errors: add stacktrace option to log a stacktrace during panic
recovery
* plugin/template: return SERVFAIL for zone-match regex-no-match case
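The CVE-2024-0874 entry above ("CD bit response is cached and served later") and the 1.11.2 changelog item "plugin/cache: key cache on Checking Disabled (CD) bit (#6354)" describe one bug class: a CD=1 query asks the upstream to skip DNSSEC validation, and a cache that ignores the CD bit will hand that possibly unvalidated answer to a later CD=0 client. The following is an added example, not CoreDNS code, that models the cache both ways with a constructed upstream (names, addresses and the `ResponseCache` class are all made up for the illustration; TTL handling and the DO bit are left out).

```python
"""Toy resolver cache showing the bug class behind CVE-2024-0874.

Added example, not CoreDNS code. The vulnerable variant keys entries on
(qname, qtype) only; the fixed variant, mirroring coredns 1.11.2's change to
plugin/cache (#6354), adds the CD bit to the key so that answers obtained with
checking disabled are never served to clients that asked for validated data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    qname: str
    qtype: str
    cd: bool  # Checking Disabled flag from the request header


@dataclass(frozen=True)
class Response:
    rrs: tuple  # (rtype, rdata) pairs
    ad: bool    # Authenticated Data: the upstream validated this answer
    cd: bool    # CD flag of the query that produced this answer


class Upstream:
    """Constructed stand-in for a validating upstream resolver: with CD=0 it returns a
    validated answer (AD=1); with CD=1 it returns whatever it received, unvalidated
    (AD=0). The two answers differ here to make the mix-up visible."""

    def __init__(self) -> None:
        self.calls = 0

    def resolve(self, q: Query) -> Response:
        self.calls += 1
        if q.cd:
            return Response(rrs=(("A", "203.0.113.66"),), ad=False, cd=True)
        return Response(rrs=(("A", "203.0.113.10"),), ad=True, cd=False)


class ResponseCache:
    """Minimal positive cache; key_on_cd=True selects the fixed behaviour."""

    def __init__(self, upstream: Upstream, key_on_cd: bool) -> None:
        self.upstream = upstream
        self.key_on_cd = key_on_cd
        self.store: dict = {}

    def cache_key(self, q: Query) -> tuple:
        # Vulnerable variant: CD is not part of the key, so CD=1 and CD=0 lookups collide.
        return (q.qname, q.qtype, q.cd) if self.key_on_cd else (q.qname, q.qtype)

    def lookup(self, q: Query) -> Response:
        k = self.cache_key(q)
        if k not in self.store:
            self.store[k] = self.upstream.resolve(q)
        return self.store[k]


def cd0_client_gets_unvalidated_answer(key_on_cd: bool) -> bool:
    """Replay: a CD=1 query primes the cache, then a CD=0 query for the same name
    arrives. Returns True when the CD=0 client is served the unvalidated (AD=0,
    CD=1) answer instead of a freshly validated one."""
    cache = ResponseCache(Upstream(), key_on_cd)
    cache.lookup(Query("example.com.", "A", cd=True))
    answer = cache.lookup(Query("example.com.", "A", cd=False))
    return bool(answer.cd and not answer.ad)


def upstream_queries_for_scenario(key_on_cd: bool) -> int:
    """How many upstream round trips the same replay costs: the fix trades one extra
    query for correctness, since the two CD populations no longer share entries."""
    upstream = Upstream()
    cache = ResponseCache(upstream, key_on_cd)
    cache.lookup(Query("example.com.", "A", cd=True))
    cache.lookup(Query("example.com.", "A", cd=False))
    return upstream.calls


if __name__ == "__main__":
    for fixed in (False, True):
        print(f"key_on_cd={fixed}: CD=0 client got unvalidated answer? "
              f"{cd0_client_gets_unvalidated_answer(fixed)}, "
              f"upstream queries={upstream_queries_for_scenario(fixed)}")
```

On a validating resolver in front of DNSSEC-signed zones this is the difference between a client receiving data the resolver vouched for and data that any CD=1 requester could have caused to be cached; after updating to a coredns build that includes #6354, the cache keeps separate entries per CD value, which is the second line of the output above.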

Patch Instructions:

To install this openSUSE Security Update, use the SUSE recommended installation methods such as YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP6:

zypper in -t patch openSUSE-2024-319=1

Package List:

- openSUSE Backports SLE-15-SP6 (aarch64 i586 x86_64):

coredns-1.11.3-bp156.4.3.1

- openSUSE Backports SLE-15-SP6 (noarch):

coredns-extras-1.11.3-bp156.4.3.1

References:

https://www.suse.com/security/cve/CVE-2022-27191.html
https://www.suse.com/security/cve/CVE-2022-28948.html
https://www.suse.com/security/cve/CVE-2023-28452.html
https://www.suse.com/security/cve/CVE-2023-30464.html
https://www.suse.com/security/cve/CVE-2024-0874.html
https://www.suse.com/security/cve/CVE-2024-22189.html