{"affected":[{"ecosystem_specific":{"binaries":[{"kubevirt-manifests":"0.49.0-150300.8.13.1","kubevirt-virtctl":"0.49.0-150300.8.13.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Module for Containers 15 SP3","name":"kubevirt","purl":"pkg:rpm/suse/kubevirt&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015%20SP3"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"0.49.0-150300.8.13.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"kubevirt-container-disk":"0.49.0-150300.8.13.1","kubevirt-manifests":"0.49.0-150300.8.13.1","kubevirt-tests":"0.49.0-150300.8.13.1","kubevirt-virt-api":"0.49.0-150300.8.13.1","kubevirt-virt-controller":"0.49.0-150300.8.13.1","kubevirt-virt-handler":"0.49.0-150300.8.13.1","kubevirt-virt-launcher":"0.49.0-150300.8.13.1","kubevirt-virt-operator":"0.49.0-150300.8.13.1","kubevirt-virtctl":"0.49.0-150300.8.13.1","obs-service-kubevirt_containers_meta":"0.49.0-150300.8.13.1"}]},"package":{"ecosystem":"openSUSE:Leap 15.3","name":"kubevirt","purl":"pkg:rpm/opensuse/kubevirt&distro=openSUSE%20Leap%2015.3"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"0.49.0-150300.8.13.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container fixes the following issues:\n\nSecurity issues fixed:\n\n- CVE-2022-1798: Fix arbitrary file read on the host from KubeVirt VMs (bsc#1202516)\n\nSecurity issues fixed in vendored dependencies:\n\n- CVE-2022-1996: Fixed go-restful CORS bypass (bsc#1200528)\n- CVE-2022-29162: Fixed runc incorrect handling of inheritable capabilities in default configuration (bsc#1199460)\n\nOther fixes:\n\n- Pack nft rules and nsswitch.conf for virt-handler\n- Only create 1MiB-aligned disk images (bsc#1199603)\n- Avoid to return nil failure message\n- Use semantic equality comparison\n- Allow to configure utility containers for update test\n- Install nftables to manage network rules\n- Install tar to allow kubectl cp ...\n- Symlink nsswitch.conf and nft rules to proper locations\n- Enable USB redirection support for QEMU\n- Install vim-small instread of vim\n- Drop libvirt-daemon-driver-storage-core\n- Install ethtool and gawk (bsc#1199392)\n- Use non-versioned appliance to avoid redundant rpm query\n- Explicitly state the dependency on kubevirt main package\n","id":"SUSE-SU-2022:3321-1","modified":"2022-09-20T15:19:24Z","published":"2022-09-20T15:19:24Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2022/suse-su-20223321-1/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1199392"},{"type":"REPORT","url":"https://bugzilla.suse.com/1199460"},{"type":"REPORT","url":"https://bugzilla.suse.com/1199603"},{"type":"REPORT","url":"https://bugzilla.suse.com/1200528"},{"type":"REPORT","url":"https://bugzilla.suse.com/1202516"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2022-1798"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2022-1996"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2022-29162"}],"related":["CVE-2022-1798","CVE-2022-1996","CVE-2022-29162"],"summary":"Security update for kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container","upstream":["CVE-2022-1798","CVE-2022-1996","CVE-2022-29162"]}