----------------------------------------- Version 4.2.93 2024-05-09T09:00:20 ----------------------------------------- Patch: SUSE-2018-1292 Released: Mon Jul 9 11:57:14 2018 Summary: Security update for openslp Severity: important References: 1090638,CVE-2017-17833 Description: This update for openslp fixes the following issues: - CVE-2017-17833: Prevent heap-related memory corruption issue which may have manifested itself as a denial-of-service or a remote code-execution vulnerability (bsc#1090638) - Prevent out of bounds reads in message parsing ----------------------------------------- Patch: SUSE-2018-1332 Released: Tue Jul 17 09:01:19 2018 Summary: Recommended update for timezone Severity: moderate References: 1073299,1093392 Description: This update for timezone provides the following fixes: - North Korea switches back from +0830 to +09 on 2018-05-05. - Ireland's standard time is in the summer, with negative DST offset to standard time used in Winter. (bsc#1073299) - yast2-country is no longer setting TIMEZONE in /etc/sysconfig/clock and is calling systemd timedatectl instead. Do not set /etc/localtime on timezone package updates to avoid setting an incorrect timezone. (bsc#1093392) ----------------------------------------- Patch: SUSE-2018-2340 Released: Fri Oct 19 16:05:53 2018 Summary: Security update for fuse Severity: moderate References: 1101797,CVE-2018-10906 Description: This update for fuse fixes the following issues: - CVE-2018-10906: fusermount was vulnerable to a restriction bypass when SELinux is active. This allowed non-root users to mount a FUSE file system with the 'allow_other' mount option regardless of whether 'user_allow_other' is set in the fuse configuration. An attacker may use this flaw to mount a FUSE file system, accessible by other users, and trick them into accessing files on that file system, possibly causing Denial of Service or other unspecified effects (bsc#1101797) ----------------------------------------- Patch: SUSE-2018-2463 Released: Thu Oct 25 14:48:34 2018 Summary: Recommended update for timezone, timezone-java Severity: moderate References: 1104700,1112310 Description: This update for timezone, timezone-java fixes the following issues: The timezone database was updated to 2018f: - Volgograd moves from +03 to +04 on 2018-10-28. - Fiji ends DST 2019-01-13, not 2019-01-20. - Most of Chile changes DST dates, effective 2019-04-06 (bsc#1104700) - Corrections to past timestamps of DST transitions - Use 'PST' and 'PDT' for Philippine time - minor code changes to zic handling of the TZif format - documentation updates Other bugfixes: - Fixed a zic problem with the 1948-1951 DST transition in Japan (bsc#1112310) ----------------------------------------- Patch: SUSE-2018-2513 Released: Mon Oct 29 11:11:23 2018 Summary: Recommended update for sysstat Severity: moderate References: 1089883 Description: This update for sysstat fixes the following issues: Sysstat was updated to 12.0.2, bringing new features and bugfixes (fate#326576, bsc#1089883) - It contains lots of improvements in SVG output. - New metric additions for hugepages. - New options Please look at http://sebastien.godard.pagesperso-orange.fr/ for a more detailed history of changes. ----------------------------------------- Patch: SUSE-2018-2550 Released: Wed Oct 31 16:16:56 2018 Summary: Recommended update for timezone, timezone-java Severity: moderate References: 1113554 Description: This update provides the latest time zone definitions (2018g), including the following change: - Morocco switched from +00/+01 to permanent +01 effective 2018-10-28 (bsc#1113554) ----------------------------------------- Patch: SUSE-2018-2569 Released: Fri Nov 2 19:00:18 2018 Summary: Recommended update for pam Severity: moderate References: 1110700 Description: This update for pam fixes the following issues: - Remove limits for nproc from /etc/security/limits.conf (bsc#1110700) ----------------------------------------- Patch: SUSE-2018-2607 Released: Wed Nov 7 15:42:48 2018 Summary: Optional update for gcc8 Severity: low References: 1084812,1084842,1087550,1094222,1102564 Description: The GNU Compiler GCC 8 is being added to the Development Tools Module by this update. The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the Basesystem module of SUSE Linux Enterprise 15. Various optimizers have been improved in GCC 8, several of bugs fixed, quite some new warnings added and the error pin-pointing and fix-suggestions have been greatly improved. The GNU Compiler page for GCC 8 contains a summary of all the changes that have happened: https://gcc.gnu.org/gcc-8/changes.html Also changes needed or common pitfalls when porting software are described on: https://gcc.gnu.org/gcc-8/porting_to.html ----------------------------------------- Patch: SUSE-2018-2641 Released: Mon Nov 12 20:39:30 2018 Summary: Recommended update for nfsidmap Severity: moderate References: 1098217 Description: This update for nfsidmap fixes the following issues: - Improve support for SAMBA with Active Directory. (bsc#1098217) ----------------------------------------- Patch: SUSE-2018-2742 Released: Thu Nov 22 13:28:36 2018 Summary: Recommended update for rpcbind Severity: moderate References: 969953 Description: This update for rpcbind fixes the following issues: - Fix tool stack buffer overflow aborting (bsc#969953) ----------------------------------------- Patch: SUSE-2018-2825 Released: Mon Dec 3 15:35:02 2018 Summary: Security update for pam Severity: important References: 1115640,CVE-2018-17953 Description: This update for pam fixes the following issue: Security issue fixed: - CVE-2018-17953: Fixed IP address and subnet handling of pam_access.so that was not honoured correctly when a single host was specified (bsc#1115640). ----------------------------------------- Patch: SUSE-2018-2861 Released: Thu Dec 6 14:32:01 2018 Summary: Security update for ncurses Severity: important References: 1103320,1115929,CVE-2018-19211 Description: This update for ncurses fixes the following issues: Security issue fixed: - CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929). Non-security issue fixed: - Remove scree.xterm from terminfo data base as with this screen uses fallback TERM=screen (bsc#1103320). ----------------------------------------- Patch: SUSE-2018-2961 Released: Mon Dec 17 19:51:40 2018 Summary: Recommended update for psmisc Severity: moderate References: 1098697,1112780 Description: This update for psmisc provides the following fix: - Make the fuser option -m work even with mountinfo. (bsc#1098697) - Support also btrFS entries in mountinfo, that is use stat(2) to determine the device of the mounted subvolume (bsc#1098697, bsc#1112780) ----------------------------------------- Patch: SUSE-2018-3044 Released: Fri Dec 21 18:47:21 2018 Summary: Security update for MozillaFirefox, mozilla-nspr and mozilla-nss Severity: important References: 1097410,1106873,1119069,1119105,CVE-2018-0495,CVE-2018-12384,CVE-2018-12404,CVE-2018-12405,CVE-2018-17466,CVE-2018-18492,CVE-2018-18493,CVE-2018-18494,CVE-2018-18498 Description: This update for MozillaFirefox, mozilla-nss and mozilla-nspr fixes the following issues: Issues fixed in MozillaFirefox: - Update to Firefox ESR 60.4 (bsc#1119105) - CVE-2018-17466: Fixed a buffer overflow and out-of-bounds read in ANGLE library with TextureStorage11 - CVE-2018-18492: Fixed a use-after-free with select element - CVE-2018-18493: Fixed a buffer overflow in accelerated 2D canvas with Skia - CVE-2018-18494: Fixed a Same-origin policy violation using location attribute and performance.getEntries to steal cross-origin URLs - CVE-2018-18498: Fixed a integer overflow when calculating buffer sizes for images - CVE-2018-12405: Fixed a few memory safety bugs Issues fixed in mozilla-nss: - Update to NSS 3.40.1 (bsc#1119105) - CVE-2018-12404: Fixed a cache side-channel variant of the Bleichenbacher attack (bsc#1119069) - CVE-2018-12384: Fixed an issue in the SSL handshake. NSS responded to an SSLv2-compatible ClientHello with a ServerHello that had an all-zero random. (bsc#1106873) - CVE-2018-0495: Fixed a memory-cache side-channel attack with ECDSA signatures (bsc#1097410) - Fixed a decryption failure during FFDHE key exchange - Various security fixes in the ASN.1 code Issues fixed in mozilla-nspr: - Update mozilla-nspr to 4.20 (bsc#1119105) ----------------------------------------- Patch: SUSE-2019-44 Released: Tue Jan 8 13:07:32 2019 Summary: Recommended update for acl Severity: low References: 953659 Description: This update for acl fixes the following issues: - test: Add helper library to fake passwd/group files. - quote: Escape literal backslashes. (bsc#953659) ----------------------------------------- Patch: SUSE-2019-102 Released: Tue Jan 15 18:02:58 2019 Summary: Recommended update for timezone Severity: moderate References: 1120402 Description: This update for timezone fixes the following issues: - Update 2018i: São Tomé and Príncipe switches from +01 to +00 on 2019-01-01. (bsc#1120402) - Update 2018h: Qyzylorda, Kazakhstan moved from +06 to +05 on 2018-12-21 New zone Asia/Qostanay because Qostanay, Kazakhstan didn't move Metlakatla, Alaska observes PST this winter only Guess Morocco will continue to adjust clocks around Ramadan Add predictions for Iran from 2038 through 2090 ----------------------------------------- Patch: SUSE-2019-247 Released: Wed Feb 6 07:18:45 2019 Summary: Security update for lua53 Severity: moderate References: 1123043,CVE-2019-6706 Description: This update for lua53 fixes the following issues: Security issue fixed: - CVE-2019-6706: Fixed a use-after-free bug in the lua_upvaluejoin function of lapi.c (bsc#1123043) ----------------------------------------- Patch: SUSE-2019-495 Released: Tue Feb 26 16:42:35 2019 Summary: Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork, runc Severity: important References: 1048046,1051429,1114832,1118897,1118898,1118899,1121967,1124308,CVE-2018-16873,CVE-2018-16874,CVE-2018-16875,CVE-2019-5736 Description: This update for containerd, docker, docker-runc, golang-github-docker-libnetwork, runc fixes the following issues: Security issues fixed: - CVE-2018-16875: Fixed a CPU Denial of Service (bsc#1118899). - CVE-2018-16874: Fixed a vulnerabity in go get command which could allow directory traversal in GOPATH mode (bsc#1118898). - CVE-2018-16873: Fixed a vulnerability in go get command which could allow remote code execution when executed with -u in GOPATH mode (bsc#1118897). - CVE-2019-5736: Effectively copying /proc/self/exe during re-exec to avoid write attacks to the host runc binary, which could lead to a container breakout (bsc#1121967). Other changes and fixes: - Update shell completion to use Group: System/Shells. - Add daemon.json file with rotation logs configuration (bsc#1114832) - Update to Docker 18.09.1-ce (bsc#1124308) and to to runc 96ec2177ae84. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. - Update go requirements to >= go1.10 - Use -buildmode=pie for tests and binary build (bsc#1048046 and bsc#1051429). - Remove the usage of 'cp -r' to reduce noise in the build logs. ----------------------------------------- Patch: SUSE-2019-571 Released: Thu Mar 7 18:13:46 2019 Summary: Security update for file Severity: moderate References: 1096974,1096984,1126117,1126118,1126119,CVE-2018-10360,CVE-2019-8905,CVE-2019-8906,CVE-2019-8907 Description: This update for file fixes the following issues: The following security vulnerabilities were addressed: - CVE-2018-10360: Fixed an out-of-bounds read in the function do_core_note in readelf.c, which allowed remote attackers to cause a denial of service (application crash) via a crafted ELF file (bsc#1096974) - CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c (bsc#1126118) - CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf. c (bsc#1126119) - CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c (bsc#1126117) ----------------------------------------- Patch: SUSE-2019-748 Released: Tue Mar 26 14:35:56 2019 Summary: Security update for libmspack Severity: moderate References: 1113038,1113039,CVE-2018-18584,CVE-2018-18585 Description: This update for libmspack fixes the following issues: Security issues fixed: - CVE-2018-18584: The CAB block input buffer was one byte too small for the maximal Quantum block, leading to an out-of-bounds write. (bsc#1113038) - CVE-2018-18585: chmd_read_headers accepted a filename that has '\0' as its first or second character (such as the '/\0' name). (bsc#1113039) - Fix off-by-one bounds check on CHM PMGI/PMGL chunk numbers and reject empty filenames. ----------------------------------------- Patch: SUSE-2019-788 Released: Thu Mar 28 11:55:06 2019 Summary: Security update for sqlite3 Severity: moderate References: 1119687,CVE-2018-20346 Description: This update for sqlite3 to version 3.27.2 fixes the following issue: Security issue fixed: - CVE-2018-20346: Fixed a remote code execution vulnerability in FTS3 (Magellan) (bsc#1119687). Release notes: https://www.sqlite.org/releaselog/3_27_2.html ----------------------------------------- Patch: SUSE-2019-790 Released: Thu Mar 28 12:06:17 2019 Summary: Recommended update for timezone Severity: moderate References: 1130557 Description: This update for timezone fixes the following issues: timezone was updated 2019a: * Palestine 'springs forward' on 2019-03-30 instead of 2019-03-23 * Metlakatla 'fell back' to rejoin Alaska Time on 2019-01-20 at 02:00 * Israel observed DST in 1980 (08-02/09-13) and 1984 (05-05/08-25) * zic now has an -r option to limit the time range of output data ----------------------------------------- Patch: SUSE-2019-806 Released: Fri Mar 29 13:16:51 2019 Summary: Security update for sysstat Severity: low References: 1117001,1117260,CVE-2018-19416,CVE-2018-19517 Description: This update for sysstat fixes the following issues: Security issues fixed: - CVE-2018-19416: Fixed out-of-bounds read during a memmove call inside the remap_struct function (bsc#1117001). - CVE-2018-19517: Fixed out-of-bounds read during a memset call inside the remap_struct function (bsc#1117260). ----------------------------------------- Patch: SUSE-2019-926 Released: Wed Apr 10 16:33:12 2019 Summary: Security update for tar Severity: moderate References: 1120610,1130496,CVE-2018-20482,CVE-2019-9923 Description: This update for tar fixes the following issues: Security issues fixed: - CVE-2019-9923: Fixed a denial of service while parsing certain archives with malformed extended headers in pax_decode_header() (bsc#1130496). - CVE-2018-20482: Fixed a denial of service when the '--sparse' option mishandles file shrinkage during read access (bsc#1120610). ----------------------------------------- Patch: SUSE-2019-1127 Released: Thu May 2 09:39:24 2019 Summary: Security update for sqlite3 Severity: moderate References: 1130325,1130326,CVE-2019-9936,CVE-2019-9937 Description: This update for sqlite3 to version 3.28.0 fixes the following issues: Security issues fixed: - CVE-2019-9936: Fixed a heap-based buffer over-read, when running fts5 prefix queries inside transaction (bsc#1130326). - CVE-2019-9937: Fixed a denial of service related to interleaving reads and writes in a single transaction with an fts5 virtual table (bsc#1130325). ----------------------------------------- Patch: SUSE-2019-1229 Released: Tue May 14 11:05:55 2019 Summary: Recommended update for sensors Severity: moderate References: 1108468,1116021 Description: This update for sensors fixes the following issues: sensors was updated to version 3.5.0: The following changes were done: + soname was bumped due to commit dcf2367 which introduced an ABI change. (This was reverted for the SUSE packages, as it was not necessary) + Fixed disappearance of certain hwmon chips with 4.19+ kernels (bsc#1116021). + Add the find-driver script for debugging. + Various documentation and man page improvements. + Fix various issues found by Coverity Scan. + Updated links in documentation to reflect the new home of lm_sensors. + sensors.1: Add reference to sensors-detect and document -j option (json output). + sensors: Add support for json output, add support for power min, lcrit, min_alarm, lcrit_alarm. + sensors-detect changes: * Fix systemd paths. * Add detection of Fintek F81768. * Only probe I/O ports on x86. * Add detection of Nuvoton NCT6793D. * Add detection of Microchip MCP9808. * Mark F71868A as supported by the f71882fg driver. * Mark F81768D as supported by the f71882fg driver. * Mark F81866D as supported by the f71882fg driver. * Add detection of various ITE chips. * Add detection of Nuvoton NCT6795D. * Add detection of DDR4 SPD. * Add detection of ITE IT8987D. * Add detection of AMD Family 17h temperature sensors. * Add detection of AMD KERNCZ SMBus controller. * Add detection of various Intel SMBus controllers. * Add detection of Giantec GT30TS00. * Add detection of ONS CAT34TS02C and CAT34TS04. * Add detection of AMD Family 15h Model 60+ temperature sensors. * Add detection of Nuvoton NCT6796D. * Add detection of AMD Family 15h Model 70+ temperature sensors. + configs: Add sample configuration files. + sensors.conf.default: * Add hardwired inputs of NCT6795D * Add hardwired inputs of F71868A * Add hardwired NCT6796D inputs + vt1211_pwm: replaced deprecated sub shell syntax, run with bash instead of sh. + pwmconfig: replaced deprecated sub shell syntax. + fancontrol: replaced deprecated sub shell syntax, save original pwm values. + fancontrol.8: replaced deprecated sub shell syntax. + libsensors: * Add support for SENSORS_BUS_TYPE_SCSI, add support for power min, lcrit, min_alarm, lcrit_alarm. * Handle hwmon device with thermal device parent (bsc#1108468). - Undo unnecessary libsensors version bump. - Undo the SENSORS_API_VERSION change, to stay source-compatible with upstream. ----------------------------------------- Patch: SUSE-2019-1368 Released: Tue May 28 13:15:38 2019 Summary: Recommended update for sles12sp3-docker-image, sles12sp4-image, system-user-root Severity: important References: 1134524,CVE-2019-5021 Description: This update for sles12sp3-docker-image, sles12sp4-image, system-user-root fixes the following issues: - CVE-2019-5021: Include an invalidated root password by default, not an empty one (bsc#1134524) ----------------------------------------- Patch: SUSE-2019-1616 Released: Fri Jun 21 11:04:39 2019 Summary: Recommended update for rpcbind Severity: moderate References: 1134659 Description: This update for rpcbind fixes the following issues: - Change rpcbind locking path from /var/run/rpcbind.lock to /run/rpcbind.lock. (bsc#1134659) - Change the order of socket/service in the %postun scriptlet to avoid an error from rpcbind.socket when rpcbind is running during package update. ----------------------------------------- Patch: SUSE-2019-1631 Released: Fri Jun 21 11:17:21 2019 Summary: Recommended update for xz Severity: low References: 1135709 Description: This update for xz fixes the following issues: Add SUSE-Public-Domain licence as some parts of xz utils (liblzma, xz, xzdec, lzmadec, documentation, translated messages, tests, debug, extra directory) are in public domain licence [bsc#1135709] ----------------------------------------- Patch: SUSE-2019-1815 Released: Thu Jul 11 07:47:55 2019 Summary: Recommended update for timezone Severity: moderate References: 1140016 Description: This update for timezone fixes the following issues: - Timezone update 2019b. (bsc#1140016): - Brazil no longer observes DST. - 'zic -b slim' outputs smaller TZif files. - Palestine's 2019 spring-forward transition was on 03-29, not 03-30. - Add info about the Crimea situation. ----------------------------------------- Patch: SUSE-2019-1892 Released: Thu Jul 18 15:54:35 2019 Summary: Recommended update for openslp Severity: moderate References: 1117969,1136136 Description: This update for openslp fixes the following issues: - Use tcp connects to talk with other directory agents (DAs) (bsc#1117969) - Fix segfault in predicate match if a registered service has a malformed attribute list (bsc#1136136) ----------------------------------------- Patch: SUSE-2019-1998 Released: Fri Jul 26 16:13:22 2019 Summary: Recommended update for sysstat Severity: moderate References: 1138767 Description: This update for sysstat fixes the following issues: - Fix scaling issue with mtab symlinks and automounter. (bsc#1138767) ----------------------------------------- Patch: SUSE-2019-2142 Released: Wed Aug 14 18:14:04 2019 Summary: Recommended update for mozilla-nspr, mozilla-nss Severity: moderate References: 1141322 Description: This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nss was updated to NSS 3.45 (bsc#1141322) : * New function in pk11pub.h: PK11_FindRawCertsWithSubject * The following CA certificates were Removed: CN = Certinomis - Root CA (bmo#1552374) * Implement Delegated Credentials (draft-ietf-tls-subcerts) (bmo#1540403) This adds a new experimental function SSL_DelegateCredential Note: In 3.45, selfserv does not yet support delegated credentials (See bmo#1548360). Note: In 3.45 the SSLChannelInfo is left unmodified, while an upcoming change in 3.46 will set SSLChannelInfo.authKeyBits to that of the delegated credential for better policy enforcement (See bmo#1563078). * Replace ARM32 Curve25519 implementation with one from fiat-crypto (bmo#1550579) * Expose a function PK11_FindRawCertsWithSubject for finding certificates with a given subject on a given slot (bmo#1552262) * Add IPSEC IKE support to softoken (bmo#1546229) * Add support for the Elbrus lcc compiler (<=1.23) (bmo#1554616) * Expose an external clock for SSL (bmo#1543874) This adds new experimental functions: SSL_SetTimeFunc, SSL_CreateAntiReplayContext, SSL_SetAntiReplayContext, and SSL_ReleaseAntiReplayContext. The experimental function SSL_InitAntiReplay is removed. * Various changes in response to the ongoing FIPS review (bmo#1546477) Note: The source package size has increased substantially due to the new FIPS test vectors. This will likely prompt follow-on work, but please accept our apologies in the meantime. mozilla-nspr was updated to version 4.21 * Changed prbit.h to use builtin function on aarch64. * Removed Gonk/B2G references. ----------------------------------------- Patch: SUSE-2019-2189 Released: Wed Aug 21 10:12:23 2019 Summary: Recommended update for sysstat Severity: moderate References: 1142470 Description: This update for sysstat fixes the following issues: - Remove deprecated gettext and require gettext-runtime during build only. (bsc#1142470) ----------------------------------------- Patch: SUSE-2019-2218 Released: Mon Aug 26 11:29:57 2019 Summary: Recommended update for pinentry Severity: moderate References: 1141883 Description: This update for pinentry fixes the following issues: - Fix a dangling pointer in qt/main.cpp that caused crashes. (bsc#1141883) ----------------------------------------- Patch: SUSE-2019-2223 Released: Tue Aug 27 15:42:56 2019 Summary: Security update for podman, slirp4netns and libcontainers-common Severity: moderate References: 1096726,1123156,1123387,1135460,1136974,1137860,1143386,CVE-2018-15664,CVE-2019-10152,CVE-2019-6778 Description: This is a version update for podman to version 1.4.4 (bsc#1143386). Additional changes by SUSE on top: - Remove fuse-overlayfs because it's (currently) an unsatisfied dependency on SLE (bsc#1143386) - Update libpod.conf to use correct infra_command - Update libpod.conf to use better versioned pause container - Update libpod.conf to use official kubic pause container - Update libpod.conf to match latest features set: detach_keys, lock_type, runtime_supports_json - Add podman-remote varlink client Version update podman to v1.4.4: - Features - Podman now has greatly improved support for containers using multiple OCI runtimes. Containers now remember if they were created with a different runtime using --runtime and will always use that runtime - The cached and delegated options for volume mounts are now allowed for Docker compatability (#3340) - The podman diff command now supports the --latest flag - Bugfixes - Fixed a bug where rootless Podman would attempt to use the entire root configuration if no rootless configuration was present for the user, breaking rootless Podman for new installations - Fixed a bug where rootless Podman's pause process would block SIGTERM, preventing graceful system shutdown and hanging until the system's init send SIGKILL - Fixed a bug where running Podman as root with sudo -E would not work after running rootless Podman at least once - Fixed a bug where options for tmpfs volumes added with the --tmpfs flag were being ignored - Fixed a bug where images with no layers could not properly be displayed and removed by Podman - Fixed a bug where locks were not properly freed on failure to create a container or pod - Fixed a bug where podman cp on a single file would create a directory at the target and place the file in it (#3384) - Fixed a bug where podman inspect --format '{{.Mounts}}' would print a hexadecimal address instead of a container's mounts - Fixed a bug where rootless Podman would not add an entry to container's /etc/hosts files for their own hostname (#3405) - Fixed a bug where podman ps --sync would segfault (#3411) - Fixed a bug where podman generate kube would produce an invalid ports configuration (#3408) - Misc - Updated containers/storage to v1.12.13 - Podman now performs much better on systems with heavy I/O load - The --cgroup-manager flag to podman now shows the correct default setting in help if the default was overridden by libpod.conf - For backwards compatability, setting --log-driver=json-file in podman run is now supported as an alias for --log-driver=k8s-file. This is considered deprecated, and json-file will be moved to a new implementation in the future ([#3363](https://github.com/containers/libpo\ d/issues/3363)) - Podman's default libpod.conf file now allows the crun OCI runtime to be used if it is installed Update podman to v1.4.2: - Fixed a bug where Podman could not run containers using an older version of Systemd as init - Updated vendored Buildah to v1.9.0 to resolve a critical bug with Dockerfile RUN instructions - The error message for running podman kill on containers that are not running has been improved - Podman remote client can now log to a file if syslog is not available - The podman exec command now sets its error code differently based on whether the container does not exist, and the command in the container does not exist - The podman inspect command on containers now outputs Mounts JSON that matches that of docker inspect, only including user-specified volumes and differentiating bind mounts and named volumes - The podman inspect command now reports the path to a container's OCI spec with the OCIConfigPath key (only included when the container is initialized or running) - The podman run --mount command now supports the bind-nonrecursive option for bind mounts - Fixed a bug where podman play kube would fail to create containers due to an unspecified log driver - Fixed a bug where Podman would fail to build with musl libc - Fixed a bug where rootless Podman using slirp4netns networking in an environment with no nameservers on the host other than localhost would result in nonfunctional networking - Fixed a bug where podman import would not properly set environment variables, discarding their values and retaining only keys - Fixed a bug where Podman would fail to run when built with Apparmor support but run on systems without the Apparmor kernel module loaded - Remote Podman will now default the username it uses to log in to remote systems to the username of the current user - Podman now uses JSON logging with OCI runtimes that support it, allowing for better error reporting - Updated vendored containers/image to v2.0 - Update conmon to v0.3.0 - Support OOM Monitor under cgroup V2 - Add config binary and make target for configuring conmon with a go library for importing values Updated podman to version 1.4.0 (bsc#1137860) and (bsc#1135460) - Podman checkpoint and podman restore commands can now be used to migrate containers between Podman installations on different systems. - The podman cp now supports pause flag. - The remote client now supports a configuration file for pre-configuring connections to remote Podman installations - CVE-2019-10152: Fixed an iproper dereference of symlinks of the the podman cp command which introduced in version 1.1.0 (bsc#1136974). - Fixed a bug where podman commit could improperly set environment variables that contained = characters - Fixed a bug where rootless podman would sometimes fail to start containers with forwarded ports - Fixed a bug where podman version on the remote client could segfault - Fixed a bug where podman container runlabel would use /proc/self/exe instead of the path of the Podman command when printing the command being executed - Fixed a bug where filtering images by label did not work - Fixed a bug where specifying a bing mount or tmpfs mount over an image volume would cause a container to be unable to start - Fixed a bug where podman generate kube did not work with containers with named volumes - Fixed a bug where rootless podman would receive permission denied errors accessing conmon.pid - Fixed a bug where podman cp with a folder specified as target would replace the folder, as opposed to copying into it - Fixed a bug where rootless Podman commands could double-unlock a lock, causing a crash - Fixed a bug where podman incorrectly set tmpcopyup on /dev/ mounts, causing errors when using the Kata containers runtime - Fixed a bug where podman exec would fail on older kernels - Podman commit command is now usable with the Podman remote client - Signature-policy flag has been deprecated - Updated vendored containers/storage and containers/image libraries with numerous bugfixes - Updated vendored Buildah to v1.8.3 - Podman now requires Conmon v0.2.0 - The podman cp command is now aliased as podman container cp - Rootless podman will now default init_path using root Podman's configuration files (/etc/containers/libpod.conf and /usr/share/containers/libpod.conf) if not overridden in the rootless configuration - Added fuse-overlayfs dependency to support overlay based rootless image manipulations - The podman cp command can now read input redirected to STDIN, and output to STDOUT instead of a file, using - instead of an argument. - The podman remote client now displays version information from both the client and server in podman version - The podman unshare command has been added, allowing easy entry into the user namespace set up by rootless Podman (allowing the removal of files created by rootless podman, among other things) - Fixed a bug where Podman containers with the --rm flag were removing created volumes when they were automatically removed - Fixed a bug where container and pod locks were incorrectly marked as released after a system reboot, causing errors on container and pod removal - Fixed a bug where Podman pods could not be removed if any container in the pod encountered an error during removal - Fixed a bug where Podman pods run with the cgroupfs CGroup driver would encounter a race condition during removal, potentially failing to remove the pod CGroup - Fixed a bug where the podman container checkpoint and podman container restore commands were not visible in the remote client - Fixed a bug where podman remote ps --ns would not print the container's namespaces - Fixed a bug where removing stopped containers with healthchecks could cause an error - Fixed a bug where the default libpod.conf file was causing parsing errors - Fixed a bug where pod locks were not being freed when pods were removed, potentially leading to lock exhaustion - Fixed a bug where 'podman run' with SD_NOTIFY set could, on short-running containers, create an inconsistent state rendering the container unusable - The remote Podman client now uses the Varlink bridge to establish remote connections by default - Fixed an issue with apparmor_parser (bsc#1123387) - Update to libpod v1.4.0 (bsc#1137860): - The podman checkpoint and podman restore commands can now be used to migrate containers between Podman installations on different systems - The podman cp command now supports a pause flag to pause containers while copying into them - The remote client now supports a configuration file for pre-configuring connections to remote Podman installations - Fixed CVE-2019-10152 - The podman cp command improperly dereferenced symlinks in host context - Fixed a bug where podman commit could improperly set environment variables that contained = characters - Fixed a bug where rootless Podman would sometimes fail to start containers with forwarded ports - Fixed a bug where podman version on the remote client could segfault - Fixed a bug where podman container runlabel would use /proc/self/exe instead of the path of the Podman command when printing the command being executed - Fixed a bug where filtering images by label did not work - Fixed a bug where specifying a bing mount or tmpfs mount over an image volume would cause a container to be unable to start - Fixed a bug where podman generate kube did not work with containers with named volumes - Fixed a bug where rootless Podman would receive permission denied errors accessing conmon.pid - Fixed a bug where podman cp with a folder specified as target would replace the folder, as opposed to copying into it - Fixed a bug where rootless Podman commands could double-unlock a lock, causing a crash - Fixed a bug where Podman incorrectly set tmpcopyup on /dev/ mounts, causing errors when using the Kata containers runtime - Fixed a bug where podman exec would fail on older kernels - The podman commit command is now usable with the Podman remote client - The --signature-policy flag (used with several image-related commands) has been deprecated - The podman unshare command now defines two environment variables in the spawned shell: CONTAINERS_RUNROOT and CONTAINERS_GRAPHROOT, pointing to temporary and permanent storage for rootless containers - Updated vendored containers/storage and containers/image libraries with numerous bugfixes - Updated vendored Buildah to v1.8.3 - Podman now requires Conmon v0.2.0 - The podman cp command is now aliased as podman container cp - Rootless Podman will now default init_path using root Podman's configuration files (/etc/containers/libpod.conf and /usr/share/containers/libpod.conf) if not overridden in the rootless configuration - Update to image v1.5.1 - Vendor in latest containers/storage - docker/docker_client: Drop redundant Domain(ref.ref) call - pkg/blobinfocache: Split implementations into subpackages - copy: progress bar: show messages on completion - docs: rename manpages to *.5.command - add container-certs.d.md manpage - pkg/docker/config: Bring auth tests from docker/docker_client_test - Don't allocate a sync.Mutex separately Update to storage v1.12.10: - Add function to parse out mount options from graphdriver - Merge the disparate parts of all of the Unix-like lockfiles - Fix unix-but-not-Linux compilation - Return XDG_RUNTIME_DIR as RootlessRuntimeDir if set - Cherry-pick moby/moby #39292 for CVE-2018-15664 fixes - lockfile: add RecursiveLock() API - Update generated files - Fix crash on tesing of aufs code - Let consumers know when Layers and Images came from read-only stores - chown: do not change owner for the mountpoint - locks: correctly mark updates to the layers list - CreateContainer: don't worry about mapping layers unless necessary - docs: fix manpage for containers-storage.conf - docs: sort configuration options alphabetically - docs: document OSTree file deduplication - Add missing options to man page for containers-storage - overlay: use the layer idmapping if present - vfs: prefer layer custom idmappings - layers: propagate down the idmapping settings - Recreate symlink when not found - docs: fix manpage for configuration file - docs: add special handling for manpages in sect 5 - overlay: fix single-lower test - Recreate symlink when not found - overlay: propagate errors from mountProgram - utils: root in a userns uses global conf file - Fix handling of additional stores - Correctly check permissions on rootless directory - Fix possible integer overflow on 32bit builds - Evaluate device path for lvm - lockfile test: make concurrent RW test determinisitc - lockfile test: make concurrent read tests deterministic - drivers.DirCopy: fix filemode detection - storage: move the logic to detect rootless into utils.go - Don't set (struct flock).l_pid - Improve documentation of getLockfile - Rename getLockFile to createLockerForPath, and document it - Add FILES section to containers-storage.5 man page - add digest locks - drivers/copy: add a non-cgo fallback slirp4netns was updated to 0.3.0: - CVE-2019-6778: Fixed a heap buffer overflow in tcp_emu() (bsc#1123156) This update also includes: - fuse3 and fuse-overlayfs to support rootless containers. ----------------------------------------- Patch: SUSE-2019-2533 Released: Thu Oct 3 15:02:50 2019 Summary: Security update for sqlite3 Severity: moderate References: 1150137,CVE-2019-16168 Description: This update for sqlite3 fixes the following issues: Security issue fixed: - CVE-2019-16168: Fixed improper validation of sqlite_stat1 field that could lead to denial of service (bsc#1150137). ----------------------------------------- Patch: SUSE-2019-2693 Released: Wed Oct 16 16:43:30 2019 Summary: Recommended update for rpcbind Severity: moderate References: 1142343 Description: This update for rpcbind fixes the following issues: - Return correct IP address with multiple ip addresses in the same subnet. (bsc#1142343) ----------------------------------------- Patch: SUSE-2019-2722 Released: Mon Oct 21 11:14:20 2019 Summary: Recommended update for pciutils-ids Severity: moderate References: 1127840,1133581 Description: This is a version update for pciutils-ids to version 20190830 (bsc#1133581, bsc#1127840) ----------------------------------------- Patch: SUSE-2019-2730 Released: Mon Oct 21 16:04:57 2019 Summary: Security update for procps Severity: important References: 1092100,1121753,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126 Description: This update for procps fixes the following issues: procps was updated to 3.3.15. (bsc#1092100) Following security issues were fixed: - CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100). - CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps maped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100). - CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100). - CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100). - CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100). Also this non-security issue was fixed: - Fix CPU summary showing old data. (bsc#1121753) The update to 3.3.15 contains the following fixes: * library: Increment to 8:0:1 No removals, no new functions Changes: slab and pid structures * library: Just check for SIGLOST and don't delete it * library: Fix integer overflow and LPE in file2strvec CVE-2018-1124 * library: Use size_t for alloc functions CVE-2018-1126 * library: Increase comm size to 64 * pgrep: Fix stack-based buffer overflow CVE-2018-1125 * pgrep: Remove >15 warning as comm can be longer * ps: Fix buffer overflow in output buffer, causing DOS CVE-2018-1123 * ps: Increase command name selection field to 64 * top: Don't use cwd for location of config CVE-2018-1122 * update translations * library: build on non-glibc systems * free: fix scaling on 32-bit systems * Revert 'Support running with child namespaces' * library: Increment to 7:0:1 No changes, no removals New fuctions: numa_init, numa_max_node, numa_node_of_cpu, numa_uninit, xalloc_err_handler * doc: Document I idle state in ps.1 and top.1 * free: fix some of the SI multiples * kill: -l space between name parses correctly * library: dont use vm_min_free on non Linux * library: don't strip off wchan prefixes (ps & top) * pgrep: warn about 15+ char name only if -f not used * pgrep/pkill: only match in same namespace by default * pidof: specify separator between pids * pkill: Return 0 only if we can kill process * pmap: fix duplicate output line under '-x' option * ps: avoid eip/esp address truncations * ps: recognizes SCHED_DEADLINE as valid CPU scheduler * ps: display NUMA node under which a thread ran * ps: Add seconds display for cputime and time * ps: Add LUID field * sysctl: Permit empty string for value * sysctl: Don't segv when file not available * sysctl: Read and write large buffers * top: add config file support for XDG specification * top: eliminated minor libnuma memory leak * top: show fewer memory decimal places (configurable) * top: provide command line switch for memory scaling * top: provide command line switch for CPU States * top: provides more accurate cpu usage at startup * top: display NUMA node under which a thread ran * top: fix argument parsing quirk resulting in SEGV * top: delay interval accepts non-locale radix point * top: address a wishlist man page NLS suggestion * top: fix potential distortion in 'Mem' graph display * top: provide proper multi-byte string handling * top: startup defaults are fully customizable * watch: define HOST_NAME_MAX where not defined * vmstat: Fix alignment for disk partition format * watch: Support ANSI 39,49 reset sequences ----------------------------------------- Patch: SUSE-2019-2749 Released: Wed Oct 23 09:08:41 2019 Summary: Security update for sysstat Severity: moderate References: 1150114,CVE-2019-16167 Description: This update for sysstat fixes the following issue: - CVE-2019-16167: Fixed a memory corruption due to an integer overflow. (bsc#1150114) ----------------------------------------- Patch: SUSE-2019-2762 Released: Thu Oct 24 07:08:44 2019 Summary: Recommended update for timezone Severity: moderate References: 1150451 Description: This update for timezone fixes the following issues: - Fiji observes DST from 2019-11-10 to 2020-01-12. - Norfolk Island starts observing Australian-style DST. ----------------------------------------- Patch: SUSE-2019-2810 Released: Tue Oct 29 14:56:44 2019 Summary: Security update for runc Severity: moderate References: 1131314,1131553,1152308,CVE-2019-16884 Description: This update for runc fixes the following issues: Security issue fixed: - CVE-2019-16884: Fixed an LSM bypass via malicious Docker images that mount over a /proc directory. (bsc#1152308) Non-security issues fixed: - Includes upstreamed patches for regressions (bsc#1131314 bsc#1131553). ----------------------------------------- Patch: SUSE-2019-2997 Released: Mon Nov 18 15:16:38 2019 Summary: Security update for ncurses Severity: moderate References: 1103320,1154036,1154037,CVE-2019-17594,CVE-2019-17595 Description: This update for ncurses fixes the following issues: Security issues fixed: - CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036). - CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037). Non-security issue fixed: - Removed screen.xterm from terminfo database (bsc#1103320). ----------------------------------------- Patch: SUSE-2019-3061 Released: Mon Nov 25 17:34:22 2019 Summary: Security update for gcc9 Severity: moderate References: 1114592,1135254,1141897,1142649,1142654,1148517,1149145,CVE-2019-14250,CVE-2019-15847,SLE-6533,SLE-6536 Description: This update includes the GNU Compiler Collection 9. A full changelog is provided by the GCC team on: https://www.gnu.org/software/gcc/gcc-9/changes.html The base system compiler libraries libgcc_s1, libstdc++6 and others are now built by the gcc 9 packages. To use it, install 'gcc9' or 'gcc9-c++' or other compiler brands and use CC=gcc-9 / CXX=g++-9 during configuration for using it. Security issues fixed: - CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145) - CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649) Non-security issues fixed: - Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254) - Fixed miscompilation for vector shift on s390. (bsc#1141897) ----------------------------------------- Patch: SUSE-2019-3086 Released: Thu Nov 28 10:02:24 2019 Summary: Security update for libidn2 Severity: moderate References: 1154884,1154887,CVE-2019-12290,CVE-2019-18224 Description: This update for libidn2 to version 2.2.0 fixes the following issues: - CVE-2019-12290: Fixed an improper round-trip check when converting A-labels to U-labels (bsc#1154884). - CVE-2019-18224: Fixed a heap-based buffer overflow that was caused by long domain strings (bsc#1154887). ----------------------------------------- Patch: SUSE-2019-3104 Released: Fri Nov 29 06:47:08 2019 Summary: Recommended update for sysstat Severity: moderate References: 1144923,SLE-5958 Description: This update for sysstat fixes the following issues: - Enable log information of starting/stoping services. (bsc#1144923, jsc#SLE-5958) ----------------------------------------- Patch: SUSE-2019-3395 Released: Mon Dec 30 14:05:06 2019 Summary: Security update for mozilla-nspr, mozilla-nss Severity: moderate References: 1141322,1158527,1159819,CVE-2018-18508,CVE-2019-11745,CVE-2019-17006 Description: This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nss was updated to NSS 3.47.1: Security issues fixed: - CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819). - CVE-2019-11745: EncryptUpdate should use maxout, not block size (bsc#1158527). - CVE-2019-11727: Fixed vulnerability sign CertificateVerify with PKCS#1 v1.5 signatures issue (bsc#1141322). mozilla-nspr was updated to version 4.23: - Whitespace in C files was cleaned up and no longer uses tab characters for indenting. ----------------------------------------- Patch: SUSE-2020-52 Released: Thu Jan 9 10:09:11 2020 Summary: Optional update for openslp Severity: low References: 1149792 Description: This update for openslp doesn't fix any user visible bugs. ----------------------------------------- Patch: SUSE-2020-225 Released: Fri Jan 24 06:49:07 2020 Summary: Recommended update for procps Severity: moderate References: 1158830 Description: This update for procps fixes the following issues: - Fix for 'ps -C' allowing to accept any arguments longer than 15 characters anymore. (bsc#1158830) ----------------------------------------- Patch: SUSE-2020-525 Released: Fri Feb 28 11:49:36 2020 Summary: Recommended update for pam Severity: moderate References: 1164562 Description: This update for pam fixes the following issues: - Add libdb as build-time dependency to enable pam_userdb module. Enable pam_userdb.so (jsc#sle-7258, bsc#1164562) ----------------------------------------- Patch: SUSE-2020-689 Released: Fri Mar 13 17:09:01 2020 Summary: Recommended update for pam Severity: moderate References: 1166510 Description: This update for PAM fixes the following issue: - The license of libdb linked against pam_userdb is not always wanted, so we temporary disabled pam_userdb again. It will be published in a different package at a later time. (bsc#1166510) ----------------------------------------- Patch: SUSE-2020-697 Released: Mon Mar 16 13:17:10 2020 Summary: Security update for cni, cni-plugins, conmon, fuse-overlayfs, podman Severity: moderate References: 1155217,1160460,1164390,CVE-2019-18466 Description: This update for cni, cni-plugins, conmon, fuse-overlayfs, podman fixes the following issues: podman was updated to 1.8.0: - CVE-2019-18466: Fixed a bug where podman cp would improperly copy files on the host when copying a symlink in the container that included a glob operator (#3829 bsc#1155217) - The name of the cni-bridge in the default config changed from 'cni0' to 'podman-cni0' with podman-1.6.0. Add a %trigger to rename the bridge in the system to the new default if it exists. The trigger is only excuted when updating podman-cni-config from something older than 1.6.0. This is mainly needed for SLE where we're updating from 1.4.4 to 1.8.0 (bsc#1160460). Update podman to v1.8.0 (bsc#1160460): * Features - The podman system service command has been added, providing a preview of Podman's new Docker-compatible API. This API is still very new, and not yet ready for production use, but is available for early testing - Rootless Podman now uses Rootlesskit for port forwarding, which should greatly improve performance and capabilities - The podman untag command has been added to remove tags from images without deleting them - The podman inspect command on images now displays previous names they used - The podman generate systemd command now supports a --new option to generate service files that create and run new containers instead of managing existing containers - Support for --log-opt tag= to set logging tags has been added to the journald log driver - Added support for using Seccomp profiles embedded in images for podman run and podman create via the new --seccomp-policy CLI flag - The podman play kube command now honors pull policy * Bugfixes - Fixed a bug where the podman cp command would not copy the contents of directories when paths ending in /. were given - Fixed a bug where the podman play kube command did not properly locate Seccomp profiles specified relative to localhost - Fixed a bug where the podman info command for remote Podman did not show registry information - Fixed a bug where the podman exec command did not support having input piped into it - Fixed a bug where the podman cp command with rootless Podman on CGroups v2 systems did not properly determine if the container could be paused while copying - Fixed a bug where the podman container prune --force command could possible remove running containers if they were started while the command was running - Fixed a bug where Podman, when run as root, would not properly configure slirp4netns networking when requested - Fixed a bug where podman run --userns=keep-id did not work when the user had a UID over 65535 - Fixed a bug where rootless podman run and podman create with the --userns=keep-id option could change permissions on /run/user/$UID and break KDE - Fixed a bug where rootless Podman could not be run in a systemd service on systems using CGroups v2 - Fixed a bug where podman inspect would show CPUShares as 0, instead of the default (1024), when it was not explicitly set - Fixed a bug where podman-remote push would segfault - Fixed a bug where image healthchecks were not shown in the output of podman inspect - Fixed a bug where named volumes created with containers from pre-1.6.3 releases of Podman would be autoremoved with their containers if the --rm flag was given, even if they were given names - Fixed a bug where podman history was not computing image sizes correctly - Fixed a bug where Podman would not error on invalid values to the --sort flag to podman images - Fixed a bug where providing a name for the image made by podman commit was mandatory, not optional as it should be - Fixed a bug where the remote Podman client would append an extra ' to %PATH - Fixed a bug where the podman build command would sometimes ignore the -f option and build the wrong Containerfile - Fixed a bug where the podman ps --filter command would only filter running containers, instead of all containers, if --all was not passed - Fixed a bug where the podman load command on compressed images would leave an extra copy on disk - Fixed a bug where the podman restart command would not properly clean up the network, causing it to function differently from podman stop; podman start - Fixed a bug where setting the --memory-swap flag to podman create and podman run to -1 (to indicate unlimited) was not supported * Misc - Initial work on version 2 of the Podman remote API has been merged, but is still in an alpha state and not ready for use. Read more here - Many formatting corrections have been made to the manpages - The changes to address (#5009) may cause anonymous volumes created by Podman versions 1.6.3 to 1.7.0 to not be removed when their container is removed - Updated vendored Buildah to v1.13.1 - Updated vendored containers/storage to v1.15.8 - Updated vendored containers/image to v5.2.0 - Add apparmor-abstractions as required runtime dependency to have `tunables/global` available. - fixed the --force flag for the 'container prune' command. (https://github.com/containers/libpod/issues/4844) Update podman to v1.7.0 * Features - Added support for setting a static MAC address for containers - Added support for creating macvlan networks with podman network create, allowing Podman containers to be attached directly to networks the host is connected to - The podman image prune and podman container prune commands now support the --filter flag to filter what will be pruned, and now prompts for confirmation when run without --force (#4410 and #4411) - Podman now creates CGroup namespaces by default on systems using CGroups v2 (#4363) - Added the podman system reset command to remove all Podman files and perform a factory reset of the Podman installation - Added the --history flag to podman images to display previous names used by images (#4566) - Added the --ignore flag to podman rm and podman stop to not error when requested containers no longer exist - Added the --cidfile flag to podman rm and podman stop to read the IDs of containers to be removed or stopped from a file - The podman play kube command now honors Seccomp annotations (#3111) - The podman play kube command now honors RunAsUser, RunAsGroup, and selinuxOptions - The output format of the podman version command has been changed to better match docker version when using the --format flag - Rootless Podman will no longer initialize containers/storage twice, removing a potential deadlock preventing Podman commands from running while an image was being pulled (#4591) - Added tmpcopyup and notmpcopyup options to the --tmpfs and --mount type=tmpfs flags to podman create and podman run to control whether the content of directories are copied into tmpfs filesystems mounted over them - Added support for disabling detaching from containers by setting empty detach keys via --detach-keys='' - The podman build command now supports the --pull and --pull-never flags to control when images are pulled during a build - The podman ps -p command now shows the name of the pod as well as its ID (#4703) - The podman inspect command on containers will now display the command used to create the container - The podman info command now displays information on registry mirrors (#4553) * Bugfixes - Fixed a bug where Podman would use an incorrect runtime directory as root, causing state to be deleted after root logged out and making Podman in systemd services not function properly - Fixed a bug where the --change flag to podman import and podman commit was not being parsed properly in many cases - Fixed a bug where detach keys specified in libpod.conf were not used by the podman attach and podman exec commands, which always used the global default ctrl-p,ctrl-q key combination (#4556) - Fixed a bug where rootless Podman was not able to run podman pod stats even on CGroups v2 enabled systems (#4634) - Fixed a bug where rootless Podman would fail on kernels without the renameat2 syscall (#4570) - Fixed a bug where containers with chained network namespace dependencies (IE, container A using --net container=B and container B using --net container=C) would not properly mount /etc/hosts and /etc/resolv.conf into the container (#4626) - Fixed a bug where podman run with the --rm flag and without -d could, when run in the background, throw a 'container does not exist' error when attempting to remove the container after it exited - Fixed a bug where named volume locks were not properly reacquired after a reboot, potentially leading to deadlocks when trying to start containers using the volume (#4605 and #4621) - Fixed a bug where Podman could not completely remove containers if sent SIGKILL during removal, leaving the container name unusable without the podman rm --storage command to complete removal (#3906) - Fixed a bug where checkpointing containers started with --rm was allowed when --export was not specified (the container, and checkpoint, would be removed after checkpointing was complete by --rm) (#3774) - Fixed a bug where the podman pod prune command would fail if containers were present in the pods and the --force flag was not passed (#4346) - Fixed a bug where containers could not set a static IP or static MAC address if they joined a non-default CNI network (#4500) - Fixed a bug where podman system renumber would always throw an error if a container was mounted when it was run - Fixed a bug where podman container restore would fail with containers using a user namespace - Fixed a bug where rootless Podman would attempt to use the journald events backend even on systems without systemd installed - Fixed a bug where podman history would sometimes not properly identify the IDs of layers in an image (#3359) - Fixed a bug where containers could not be restarted when Conmon v2.0.3 or later was used - Fixed a bug where Podman did not check image OS and Architecture against the host when starting a container - Fixed a bug where containers in pods did not function properly with the Kata OCI runtime (#4353) - Fixed a bug where `podman info --format '{{ json . }}' would not produce JSON output (#4391) - Fixed a bug where Podman would not verify if files passed to --authfile existed (#4328) - Fixed a bug where podman images --digest would not always print digests when they were available - Fixed a bug where rootless podman run could hang due to a race with reading and writing events - Fixed a bug where rootless Podman would print warning-level logs despite not be instructed to do so (#4456) - Fixed a bug where podman pull would attempt to fetch from remote registries when pulling an unqualified image using the docker-daemon transport (#4434) - Fixed a bug where podman cp would not work if STDIN was a pipe - Fixed a bug where podman exec could stop accepting input if anything was typed between the command being run and the exec session starting (#4397) - Fixed a bug where podman logs --tail 0 would print all lines of a container's logs, instead of no lines (#4396) - Fixed a bug where the timeout for slirp4netns was incorrectly set, resulting in an extremely long timeout (#4344) - Fixed a bug where the podman stats command would print CPU utilizations figures incorrectly (#4409) - Fixed a bug where the podman inspect --size command would not print the size of the container's read/write layer if the size was 0 (#4744) - Fixed a bug where the podman kill command was not properly validating signals before use (#4746) - Fixed a bug where the --quiet and --format flags to podman ps could not be used at the same time - Fixed a bug where the podman stop command was not stopping exec sessions when a container was created without a PID namespace (--pid=host) - Fixed a bug where the podman pod rm --force command was not removing anonymous volumes for containers that were removed - Fixed a bug where the podman checkpoint command would not export all changes to the root filesystem of the container if performed more than once on the same container (#4606) - Fixed a bug where containers started with --rm would not be automatically removed on being stopped if an exec session was running inside the container (#4666) * Misc - The fixes to runtime directory path as root can cause strange behavior if an upgrade is performed while containers are running - Updated vendored Buildah to v1.12.0 - Updated vendored containers/storage library to v1.15.4 - Updated vendored containers/image library to v5.1.0 - Kata Containers runtimes (kata-runtime, kata-qemu, and kata-fc) are now present in the default libpod.conf, but will not be available unless Kata containers is installed on the system - Podman previously did not allow the creation of containers with a memory limit lower than 4MB. This restriction has been removed, as the crun runtime can create containers with significantly less memory Update podman to v1.6.4 - Remove winsz FIFO on container restart to allow use with Conmon 2.03 and higher - Ensure volumes reacquire locks on system restart, preventing deadlocks when starting containers - Suppress spurious log messages when running rootless Podman - Update vendored containers/storage to v1.13.6 - Fix a deadlock related to writing events - Do not use the journald event logger when it is not available Update podman to v1.6.2 * Features - Added a --runtime flag to podman system migrate to allow the OCI runtime for all containers to be reset, to ease transition to the crun runtime on CGroups V2 systems until runc gains full support - The podman rm command can now remove containers in broken states which previously could not be removed - The podman info command, when run without root, now shows information on UID and GID mappings in the rootless user namespace - Added podman build --squash-all flag, which squashes all layers (including those of the base image) into one layer - The --systemd flag to podman run and podman create now accepts a string argument and allows a new value, always, which forces systemd support without checking if the the container entrypoint is systemd * Bugfixes - Fixed a bug where the podman top command did not work on systems using CGroups V2 (#4192) - Fixed a bug where rootless Podman could double-close a file, leading to a panic - Fixed a bug where rootless Podman could fail to retrieve some containers while refreshing the state - Fixed a bug where podman start --attach --sig-proxy=false would still proxy signals into the container - Fixed a bug where Podman would unconditionally use a non-default path for authentication credentials (auth.json), breaking podman login integration with skopeo and other tools using the containers/image library - Fixed a bug where podman ps --format=json and podman images --format=json would display null when no results were returned, instead of valid JSON - Fixed a bug where podman build --squash was incorrectly squashing all layers into one, instead of only new layers - Fixed a bug where rootless Podman would allow volumes with options to be mounted (mounting volumes requires root), creating an inconsistent state where volumes reported as mounted but were not (#4248) - Fixed a bug where volumes which failed to unmount could not be removed (#4247) - Fixed a bug where Podman incorrectly handled some errors relating to unmounted or missing containers in containers/storage - Fixed a bug where podman stats was broken on systems running CGroups V2 when run rootless (#4268) - Fixed a bug where the podman start command would print the short container ID, instead of the full ID - Fixed a bug where containers created with an OCI runtime that is no longer available (uninstalled or removed from the config file) would not appear in podman ps and could not be removed via podman rm - Fixed a bug where containers restored via podman container restore --import would retain the CGroup path of the original container, even if their container ID changed; thus, multiple containers created from the same checkpoint would all share the same CGroup * Misc - The default PID limit for containers is now set to 4096. It can be adjusted back to the old default (unlimited) by passing --pids-limit 0 to podman create and podman run - The podman start --attach command now automatically attaches STDIN if the container was created with -i - The podman network create command now validates network names using the same regular expression as container and pod names - The --systemd flag to podman run and podman create will now only enable systemd mode when the binary being run inside the container is /sbin/init, /usr/sbin/init, or ends in systemd (previously detected any path ending in init or systemd) - Updated vendored Buildah to 1.11.3 - Updated vendored containers/storage to 1.13.5 - Updated vendored containers/image to 4.0.1 Update podman to v1.6.1 * Features - The podman network create, podman network rm, podman network inspect, and podman network ls commands have been added to manage CNI networks used by Podman - The podman volume create command can now create and mount volumes with options, allowing volumes backed by NFS, tmpfs, and many other filesystems - Podman can now run containers without CGroups for better integration with systemd by using the --cgroups=disabled flag with podman create and podman run. This is presently only supported with the crun OCI runtime - The podman volume rm and podman volume inspect commands can now refer to volumes by an unambiguous partial name, in addition to full name (e.g. podman volume rm myvol to remove a volume named myvolume) (#3891) - The podman run and podman create commands now support the --pull flag to allow forced re-pulling of images (#3734) - Mounting volumes into a container using --volume, --mount, and --tmpfs now allows the suid, dev, and exec mount options (the inverse of nosuid, nodev, noexec) (#3819) - Mounting volumes into a container using --mount now allows the relabel=Z and relabel=z options to relabel mounts. - The podman push command now supports the --digestfile option to save a file containing the pushed digest - Pods can now have their hostname set via podman pod create --hostname or providing Pod YAML with a hostname set to podman play kube (#3732) - The podman image sign command now supports the --cert-dir flag - The podman run and podman create commands now support the --security-opt label=filetype:$LABEL flag to set the SELinux label for container files - The remote Podman client now supports healthchecks * Bugfixes - Fixed a bug where remote podman pull would panic if a Varlink connection was not available (#4013) - Fixed a bug where podman exec would not properly set terminal size when creating a new exec session (#3903) - Fixed a bug where podman exec would not clean up socket symlinks on the host (#3962) - Fixed a bug where Podman could not run systemd in containers that created a CGroup namespace - Fixed a bug where podman prune -a would attempt to prune images used by Buildah and CRI-O, causing errors (#3983) - Fixed a bug where improper permissions on the ~/.config directory could cause rootless Podman to use an incorrect directory for storing some files - Fixed a bug where the bash completions for podman import threw errors - Fixed a bug where Podman volumes created with podman volume create would not copy the contents of their mountpoint the first time they were mounted into a container (#3945) - Fixed a bug where rootless Podman could not run podman exec when the container was not run inside a CGroup owned by the user (#3937) - Fixed a bug where podman play kube would panic when given Pod YAML without a securityContext (#3956) - Fixed a bug where Podman would place files incorrectly when storage.conf configuration items were set to the empty string (#3952) - Fixed a bug where podman build did not correctly inherit Podman's CGroup configuration, causing crashed on CGroups V2 systems (#3938) - Fixed a bug where remote podman run --rm would exit before the container was completely removed, allowing race conditions when removing container resources (#3870) - Fixed a bug where rootless Podman would not properly handle changes to /etc/subuid and /etc/subgid after a container was launched - Fixed a bug where rootless Podman could not include some devices in a container using the --device flag (#3905) - Fixed a bug where the commit Varlink API would segfault if provided incorrect arguments (#3897) - Fixed a bug where temporary files were not properly cleaned up after a build using remote Podman (#3869) - Fixed a bug where podman remote cp crashed instead of reporting it was not yet supported (#3861) - Fixed a bug where podman exec would run as the wrong user when execing into a container was started from an image with Dockerfile USER (or a user specified via podman run --user) (#3838) - Fixed a bug where images pulled using the oci: transport would be improperly named - Fixed a bug where podman varlink would hang when managed by systemd due to SD_NOTIFY support conflicting with Varlink (#3572) - Fixed a bug where mounts to the same destination would sometimes not trigger a conflict, causing a race as to which was actually mounted - Fixed a bug where podman exec --preserve-fds caused Podman to hang (#4020) - Fixed a bug where removing an unmounted container that was unmounted might sometimes not properly clean up the container (#4033) - Fixed a bug where the Varlink server would freeze when run in a systemd unit file (#4005) - Fixed a bug where Podman would not properly set the $HOME environment variable when the OCI runtime did not set it - Fixed a bug where rootless Podman would incorrectly print warning messages when an OCI runtime was not found (#4012) - Fixed a bug where named volumes would conflict with, instead of overriding, tmpfs filesystems added by the --read-only-tmpfs flag to podman create and podman run - Fixed a bug where podman cp would incorrectly make the target directory when copying to a symlink which pointed to a nonexistent directory (#3894) - Fixed a bug where remote Podman would incorrectly read STDIN when the -i flag was not set (#4095) - Fixed a bug where podman play kube would create an empty pod when given an unsupported YAML type (#4093) - Fixed a bug where podman import --change improperly parsed CMD (#4000) - Fixed a bug where rootless Podman on systems using CGroups V2 would not function with the cgroupfs CGroups manager - Fixed a bug where rootless Podman could not correctly identify the DBus session address, causing containers to fail to start (#4162) - Fixed a bug where rootless Podman with slirp4netns networking would fail to start containers due to mount leaks * Misc - Significant changes were made to Podman volumes in this release. If you have pre-existing volumes, it is strongly recommended to run podman system renumber after upgrading. - Version 0.8.1 or greater of the CNI Plugins is now required for Podman - Version 2.0.1 or greater of Conmon is strongly recommended - Updated vendored Buildah to v1.11.2 - Updated vendored containers/storage library to v1.13.4 - Improved error messages when trying to create a pod with no name via podman play kube - Improved error messages when trying to run podman pause or podman stats on a rootless container on a system without CGroups V2 enabled - TMPDIR has been set to /var/tmp by default to better handle large temporary files - podman wait has been optimized to detect stopped containers more rapidly - Podman containers now include a ContainerManager annotation indicating they were created by libpod - The podman info command now includes information about slirp4netns and fuse-overlayfs if they are available - Podman no longer sets a default size of 65kb for tmpfs filesystems - The default Podman CNI network has been renamed in an attempt to prevent conflicts with CRI-O when both are run on the same system. This should only take effect on system restart - The output of podman volume inspect has been more closely matched to docker volume inspect - Add katacontainers as a recommended package, and include it as an additional OCI runtime in the configuration. Update podman to v1.5.1 * Features - The hostname of pods is now set to the pod's name * Bugfixes - Fixed a bug where podman run and podman create did not honor the --authfile option (#3730) - Fixed a bug where containers restored with podman container restore --import would incorrectly duplicate the Conmon PID file of the original container - Fixed a bug where podman build ignored the default OCI runtime configured in libpod.conf - Fixed a bug where podman run --rm (or force-removing any running container with podman rm --force) were not retrieving the correct exit code (#3795) - Fixed a bug where Podman would exit with an error if any configured hooks directory was not present - Fixed a bug where podman inspect and podman commit would not use the correct CMD for containers run with podman play kube - Fixed a bug created pods when using rootless Podman and CGroups V2 (#3801) - Fixed a bug where the podman events command with the --since or --until options could take a very long time to complete * Misc - Rootless Podman will now inherit OCI runtime configuration from the root configuration (#3781) - Podman now properly sets a user agent while contacting registries (#3788) - Add zsh completion for podman commands Update podman to v1.5.0 * Features - Podman containers can now join the user namespaces of other containers with --userns=container:$ID, or a user namespace at an arbitary path with --userns=ns:$PATH - Rootless Podman can experimentally squash all UIDs and GIDs in an image to a single UID and GID (which does not require use of the newuidmap and newgidmap executables) by passing --storage-opt ignore_chown_errors - The podman generate kube command now produces YAML for any bind mounts the container has created (#2303) - The podman container restore command now features a new flag, --ignore-static-ip, that can be used with --import to import a single container with a static IP multiple times on the same host - Added the ability for podman events to output JSON by specifying --format=json - If the OCI runtime or conmon binary cannot be found at the paths specified in libpod.conf, Podman will now also search for them in the calling user's path - Added the ability to use podman import with URLs (#3609) - The podman ps command now supports filtering names using regular expressions (#3394) - Rootless Podman containers with --privileged set will now mount in all host devices that the user can access - The podman create and podman run commands now support the --env-host flag to forward all environment variables from the host into the container - Rootless Podman now supports healthchecks (#3523) - The format of the HostConfig portion of the output of podman inspect on containers has been improved and synced with Docker - Podman containers now support CGroup namespaces, and can create them by passing --cgroupns=private to podman run or podman create - The podman create and podman run commands now support the --ulimit=host flag, which uses any ulimits currently set on the host for the container - The podman rm and podman rmi commands now use different exit codes to indicate 'no such container' and 'container is running' errors - Support for CGroups V2 through the crun OCI runtime has been greatly improved, allowing resource limits to be set for rootless containers when the CGroups V2 hierarchy is in use * Bugfixes - Fixed a bug where a race condition could cause podman restart to fail to start containers with ports - Fixed a bug where containers restored from a checkpoint would not properly report the time they were started at - Fixed a bug where podman search would return at most 25 results, even when the maximum number of results was set higher - Fixed a bug where podman play kube would not honor capabilities set in imported YAML (#3689) - Fixed a bug where podman run --env, when passed a single key (to use the value from the host), would set the environment variable in the container even if it was not set on the host (#3648) - Fixed a bug where podman commit --changes would not properly set environment variables - Fixed a bug where Podman could segfault while working with images with no history - Fixed a bug where podman volume rm could remove arbitrary volumes if given an ambiguous name (#3635) - Fixed a bug where podman exec invocations leaked memory by not cleaning up files in tmpfs - Fixed a bug where the --dns and --net=container flags to podman run and podman create were not mutually exclusive (#3553) - Fixed a bug where rootless Podman would be unable to run containers when less than 5 UIDs were available - Fixed a bug where containers in pods could not be removed without removing the entire pod (#3556) - Fixed a bug where Podman would not properly clean up all CGroup controllers for created cgroups when using the cgroupfs CGroup driver - Fixed a bug where Podman containers did not properly clean up files in tmpfs, resulting in a memory leak as containers stopped - Fixed a bug where healthchecks from images would not use default settings for interval, retries, timeout, and start period when they were not provided by the image (#3525) - Fixed a bug where healthchecks using the HEALTHCHECK CMD format where not properly supported (#3507) - Fixed a bug where volume mounts using relative source paths would not be properly resolved (#3504) - Fixed a bug where podman run did not use authorization credentials when a custom path was specified (#3524) - Fixed a bug where containers checkpointed with podman container checkpoint did not properly set their finished time - Fixed a bug where running podman inspect on any container not created with podman run or podman create (for example, pod infra containers) would result in a segfault (#3500) - Fixed a bug where healthcheck flags for podman create and podman run were incorrectly named (#3455) - Fixed a bug where Podman commands would fail to find targets if a partial ID was specified that was ambiguous between a container and pod (#3487) - Fixed a bug where restored containers would not have the correct SELinux label - Fixed a bug where Varlink endpoints were not working properly if more was not correctly specified - Fixed a bug where the Varlink PullImage endpoint would crash if an error occurred (#3715) - Fixed a bug where the --mount flag to podman create and podman run did not allow boolean arguments for its ro and rw options (#2980) - Fixed a bug where pods did not properly share the UTS namespace, resulting in incorrect behavior from some utilities which rely on hostname (#3547) - Fixed a bug where Podman would unconditionally append ENTRYPOINT to CMD during podman commit (and when reporting CMD in podman inspect) (#3708) - Fixed a bug where podman events with the journald events backend would incorrectly print 6 previous events when only new events were requested (#3616) - Fixed a bug where podman port would exit prematurely when a port number was specified (#3747) - Fixed a bug where passing . as an argument to the --dns-search flag to podman create and podman run was not properly clearing DNS search domains in the container * Misc - Updated vendored Buildah to v1.10.1 - Updated vendored containers/image to v3.0.2 - Updated vendored containers/storage to v1.13.1 - Podman now requires conmon v2.0.0 or higher - The podman info command now displays the events logger being in use - The podman inspect command on containers now includes the ID of the pod a container has joined and the PID of the container's conmon process - The -v short flag for podman --version has been re-added - Error messages from podman pull should be significantly clearer - The podman exec command is now available in the remote client - The podman-v1.5.0.tar.gz file attached is podman packaged for MacOS. It can be installed using Homebrew. - Update libpod.conf to support latest path discovery feature for `runc` and `conmon` binaries. conmon was included in version 2.0.10. (bsc#1160460, bsc#1164390, jsc#ECO-1048, jsc#SLE-11485, jsc#SLE-11331): fuse-overlayfs was updated to v0.7.6 (bsc#1160460) - do not look in lower layers for the ino if there is no origin xattr set - attempt to use the file path if the operation on the fd fails with ENXIO - do not expose internal xattrs through listxattr and getxattr - fix fallocate for deleted files. - ignore O_DIRECT. It causes issues with libfuse not using an aligned buffer, causing write(2) to fail with EINVAL. - on copyup, do not copy the opaque xattr. - fix a wrong lookup for whiteout files, that could happen on a double unlink. - fix possible segmentation fault in direct_fsync() - use the data store to create missing whiteouts - after a rename, force a directory reload - introduce inodes cache - correctly read inode for unix sockets - avoid hash map lookup when possible - use st_dev for the ino key - check whether writeback is supported - set_attrs: don't require write to S_IFREG - ioctl: do not reuse fi->fh for directories - fix skip whiteout deletion optimization - store the new mode after chmod - support fuse writeback cache and enable it by default - add option to disable fsync - add option to disable xattrs - add option to skip ino number check in lower layers - fix fd validity check - fix memory leak - fix read after free - fix type for flistxattr return - fix warnings reported by lgtm.com - enable parallel dirops cni was updated to 0.7.1: - Set correct CNI version for 99-loopback.conf Update to version 0.7.1 (bsc#1160460): * Library changes: + invoke : ensure custom envs of CNIArgs are prepended to process envs + add GetNetworkListCachedResult to CNI interface + delegate : allow delegation funcs override CNI_COMMAND env automatically in heritance * Documentation & Convention changes: + Update cnitool documentation for spec v0.4.0 + Add cni-route-override to CNI plugin list Update to version 0.7.0: * Spec changes: + Use more RFC2119 style language in specification (must, should...) + add notes about ADD/DEL ordering + Make the container ID required and unique. + remove the version parameter from ADD and DEL commands. + Network interface name matters + be explicit about optional and required structure members + add CHECK method + Add a well-known error for 'try again' + SPEC.md: clarify meaning of 'routes' * Library changes: + pkg/types: Makes IPAM concrete type + libcni: return error if Type is empty + skel: VERSION shouldn't block on stdin + non-pointer instances of types.Route now correctly marshal to JSON + libcni: add ValidateNetwork and ValidateNetworkList functions + pkg/skel: return error if JSON config has no network name + skel: add support for plugin version string + libcni: make exec handling an interface for better downstream testing + libcni: api now takes a Context to allow operations to be timed out or cancelled + types/version: add helper to parse PrevResult + skel: only print about message, not errors + skel,invoke,libcni: implementation of CHECK method + cnitool: Honor interface name supplied via CNI_IFNAME environment variable. + cnitool: validate correct number of args + Don't copy gw from IP4.Gateway to Route.GW When converting from 0.2.0 + add PrintTo method to Result interface + Return a better error when the plugin returns none - Install sleep binary into CNI plugin directory cni-plugins was updated to 0.8.4: Update to version 0.8.4 (bsc#1160460): * add support for mips64le * Add missing cniVersion in README example * bump go-iptables module to v0.4.5 * iptables: add idempotent functions * portmap doesn't fail if chain doesn't exist * fix portmap port forward flakiness * Add Bruce Ma and Piotr Skarmuk as owners Update to version 0.8.3: * Enhancements: * static: prioritize the input sources for IPs (#400). * tuning: send gratuitous ARP in case of MAC address update (#403). * bandwidth: use uint64 for Bandwidth value (#389). * ptp: only override DNS conf if DNS settings provided (#388). * loopback: When prevResults are not supplied to loopback plugin, create results to return (#383). * loopback support CNI CHECK and result cache (#374). * Better input validation: * vlan: add MTU validation to loadNetConf (#405). * macvlan: add MTU validation to loadNetConf (#404). * bridge: check vlan id when loading net conf (#394). * Bugfixes: * bugfix: defer after err check, or it may panic (#391). * portmap: Fix dual-stack support (#379). * firewall: don't return error in DEL if prevResult is not found (#390). * bump up libcni back to v0.7.1 (#377). * Docs: * contributing doc: revise test script name to run (#396). * contributing doc: describe cnitool installation (#397). Update plugins to v0.8.2 + New features: * Support 'args' in static and tuning * Add Loopback DSR support, allow l2tunnel networks to be used with the l2bridge plugin * host-local: return error if same ADD request is seen twice * bandwidth: fix collisions * Support ips capability in static and mac capability in tuning * pkg/veth: Make host-side veth name configurable + Bug fixes: * Fix: failed to set bridge addr: could not add IP address to 'cni0': file exists * host-device: revert name setting to make retries idempotent (#357). * Vendor update go-iptables. Vendor update go-iptables to obtain commit f1d0510cabcb710d5c5dd284096f81444b9d8d10 * Update go.mod & go.sub * Remove link Down/Up in MAC address change to prevent route flush (#364). * pkg/ip unit test: be agnostic of Linux version, on Linux 4.4 the syscall error message is 'invalid argument' not 'file exists' * bump containernetworking/cni to v0.7.1 Updated plugins to v0.8.1: + Bugs: * bridge: fix ipMasq setup to use correct source address * fix compilation error on 386 * bandwidth: get bandwidth interface in host ns through container interface + Improvements: * host-device: add pciBusID property Updated plugins to v0.8.0: + New plugins: * bandwidth - limit incoming and outgoing bandwidth * firewall - add containers to firewall rules * sbr - convert container routes to source-based routes * static - assign a fixed IP address * win-bridge, win-overlay: Windows plugins + Plugin features / changelog: * CHECK Support * macvlan: - Allow to configure empty ipam for macvlan - Make master config optional * bridge: - Add vlan tag to the bridge cni plugin - Allow the user to assign VLAN tag - L2 bridge Implementation. * dhcp: - Include Subnet Mask option parameter in DHCPREQUEST - Add systemd unit file to activate socket with systemd - Add container ifName to the dhcp clientID, making the clientID value * flannel: - Pass through runtimeConfig to delegate * host-local: - host-local: add ifname to file tracking IP address used * host-device: - Support the IPAM in the host-device - Handle empty netns in DEL for loopback and host-device * tuning: - adds 'ip link' command related feature into tuning + Bug fixes & minor changes * Correctly DEL on ipam failure for all plugins * Fix bug on ip revert if cmdAdd fails on macvlan and host-device * host-device: Ensure device is down before rename * Fix -hostprefix option * some DHCP servers expect to request for explicit router options * bridge: release IP in case of error * change source of ipmasq rule from ipn to ip from version v0.7.5: + This release takes a minor change to the portmap plugin: * Portmap: append, rather than prepend, entry rules + This fixes a potential issue where firewall rules may be bypassed by port mapping ----------------------------------------- Patch: SUSE-2020-825 Released: Tue Mar 31 13:30:37 2020 Summary: Recommended update for openslp Severity: moderate References: 1165050,1165121 Description: This update for openslp fixes the following issues: - Add missing group prerequisites to the openslp-server package. (bsc#1165050) - Add missing openslp prerequisites to the openslp-server package. (bsc#1165121) ----------------------------------------- Patch: SUSE-2020-917 Released: Fri Apr 3 15:02:25 2020 Summary: Recommended update for pam Severity: moderate References: 1166510 Description: This update for pam fixes the following issues: - Moved pam_userdb into a separate package pam-extra. (bsc#1166510) ----------------------------------------- Patch: SUSE-2020-944 Released: Tue Apr 7 15:49:33 2020 Summary: Security update for runc Severity: moderate References: 1149954,1160452,CVE-2019-19921 Description: This update for runc fixes the following issues: runc was updated to v1.0.0~rc10 - CVE-2019-19921: Fixed a mount race condition with shared mounts (bsc#1160452). - Fixed an issue where podman run hangs when spawned by salt-minion process (bsc#1149954). ----------------------------------------- Patch: SUSE-2020-948 Released: Wed Apr 8 07:44:21 2020 Summary: Security update for gmp, gnutls, libnettle Severity: moderate References: 1152692,1155327,1166881,1168345,CVE-2020-11501 Description: This update for gmp, gnutls, libnettle fixes the following issues: Security issue fixed: - CVE-2020-11501: Fixed zero random value in DTLS client hello (bsc#1168345) FIPS related bugfixes: - FIPS: Install checksums for binary integrity verification which are required when running in FIPS mode (bsc#1152692, jsc#SLE-9518) - FIPS: Fixed a cfb8 decryption issue, no longer truncate output IV if input is shorter than block size. (bsc#1166881) - FIPS: Added Diffie Hellman public key verification test. (bsc#1155327) ----------------------------------------- Patch: SUSE-2020-1181 Released: Tue May 5 12:02:39 2020 Summary: Recommended update for pciutils-ids Severity: moderate References: 1170160 Description: This update for pciutils-ids fixes the following issues: - Update the PCI utilities database to 20200324. (bsc#1170160) ----------------------------------------- Patch: SUSE-2020-1226 Released: Fri May 8 10:51:05 2020 Summary: Recommended update for gcc9 Severity: moderate References: 1149995,1152590,1167898 Description: This update for gcc9 fixes the following issues: This update ships the GCC 9.3 release. - Includes a fix for Internal compiler error when building HepMC (bsc#1167898) - Includes fix for binutils version parsing - Add libstdc++6-pp provides and conflicts to avoid file conflicts with same minor version of libstdc++6-pp from gcc10. - Add gcc9 autodetect -g at lto link (bsc#1149995) - Install go tool buildid for bootstrapping go ----------------------------------------- Patch: SUSE-2020-1266 Released: Wed May 13 10:20:54 2020 Summary: Recommended update for jq Severity: moderate References: 1170838 Description: This update for jq fixes the following issues: jq was updated to version 1.6: * Destructuring Alternation * many new builtins (see docs) * Add support for ASAN and UBSAN * Make it easier to use jq with shebangs * Add $ENV builtin variable to access environment * Add JQ_COLORS env var for configuring the output colors * change: Calling jq without a program argument now always assumes '.' for the program, regardless of stdin/stdout * fix: Make sorting stable regardless of qsort. - Make jq depend on libjq1, so upgrading jq upgrades both ----------------------------------------- Patch: SUSE-2020-1294 Released: Mon May 18 07:38:36 2020 Summary: Security update for file Severity: moderate References: 1154661,1169512,CVE-2019-18218 Description: This update for file fixes the following issues: Security issues fixed: - CVE-2019-18218: Fixed a heap-based buffer overflow in cdf_read_property_info() (bsc#1154661). Non-security issue fixed: - Fixed broken '--help' output (bsc#1169512). ----------------------------------------- Patch: SUSE-2020-1298 Released: Mon May 18 07:42:49 2020 Summary: Security update for libbsd Severity: moderate References: 1160551,CVE-2019-20367 Description: This update for libbsd fixes the following issues: - CVE-2019-20367: Fixed an out-of-bounds read during a comparison for a symbol names from the string table (bsc#1160551). ----------------------------------------- Patch: SUSE-2020-1303 Released: Mon May 18 09:40:36 2020 Summary: Recommended update for timezone Severity: moderate References: 1169582 Description: This update for timezone fixes the following issues: - timezone update 2020a. (bsc#1169582) * Morocco springs forward on 2020-05-31, not 2020-05-24. * Canada's Yukon advanced to -07 year-round on 2020-03-08. * America/Nuuk renamed from America/Godthab. * zic now supports expiration dates for leap second lists. ----------------------------------------- Patch: SUSE-2020-1308 Released: Mon May 18 10:05:46 2020 Summary: Recommended update for psmisc Severity: moderate References: 1170247 Description: This update for psmisc fixes the following issues: - Allow not unique mounts as well as not unique mountpoint. (bsc#1170247) ----------------------------------------- Patch: SUSE-2020-1328 Released: Mon May 18 17:16:04 2020 Summary: Recommended update for grep Severity: moderate References: 1155271 Description: This update for grep fixes the following issues: - Update testsuite expectations, no functional changes (bsc#1155271) ----------------------------------------- Patch: SUSE-2020-1419 Released: Tue May 26 12:23:30 2020 Summary: Security update for sysstat Severity: low References: 1159104,CVE-2019-19725 Description: This update for sysstat fixes the following issues: - CVE-2019-19725: Fixed double free in check_file_actlst in sa_common.c (bsc#1159104). ----------------------------------------- Patch: SUSE-2020-1493 Released: Wed May 27 18:55:51 2020 Summary: Security update for libmspack Severity: low References: 1130489,1141680,CVE-2019-1010305 Description: This update for libmspack fixes the following issues: Security issue fixed: - CVE-2019-1010305: Fixed a buffer overflow triggered by a crafted chm file which could have led to information disclosure (bsc#1141680). Other issue addressed: - Enable build-time tests (bsc#1130489) ----------------------------------------- Patch: SUSE-2020-1542 Released: Thu Jun 4 13:24:37 2020 Summary: Recommended update for timezone Severity: moderate References: 1172055 Description: This update for timezone fixes the following issue: - zdump --version reported 'unknown' (bsc#1172055) ----------------------------------------- Patch: SUSE-2020-1677 Released: Thu Jun 18 18:16:39 2020 Summary: Security update for mozilla-nspr, mozilla-nss Severity: important References: 1159819,1169746,1171978,CVE-2019-17006,CVE-2020-12399 Description: This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nss was updated to version 3.53 - CVE-2020-12399: Fixed a timing attack on DSA signature generation (bsc#1171978). - CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819). Release notes: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.53_release_notes mozilla-nspr to version 4.25 ----------------------------------------- Patch: SUSE-2020-1954 Released: Sat Jul 18 03:07:15 2020 Summary: Recommended update for cracklib Severity: moderate References: 1172396 Description: This update for cracklib fixes the following issues: - Fixed a buffer overflow when processing long words. ----------------------------------------- Patch: SUSE-2020-2080 Released: Wed Jul 29 20:09:09 2020 Summary: Recommended update for libtool Severity: moderate References: 1171566 Description: This update for libtool provides missing the libltdl 32bit library. (bsc#1171566) ----------------------------------------- Patch: SUSE-2020-2083 Released: Thu Jul 30 10:27:59 2020 Summary: Recommended update for diffutils Severity: moderate References: 1156913 Description: This update for diffutils fixes the following issue: - Disable a sporadically failing test for ppc64 and ppc64le builds. (bsc#1156913) ----------------------------------------- Patch: SUSE-2020-2470 Released: Wed Sep 2 23:29:43 2020 Summary: Recommended update for lshw Severity: moderate References: 1168865,1169668,1172156 Description: This update for lshw fixes the following issues: - Fixes the detection of powerpc products (bsc#1172156) - Fixed an issue where lshw crashed on powerpc and aarch64 (bsc#1168865, bsc#1169668) ----------------------------------------- Patch: SUSE-2020-2731 Released: Thu Sep 24 07:42:32 2020 Summary: Security update for conmon, fuse-overlayfs, libcontainers-common, podman Severity: moderate References: 1162432,1164090,1165738,1171578,1174075,1175821,1175957,CVE-2020-1726 Description: This update for conmon, fuse-overlayfs, libcontainers-common, podman fixes the following issues: podman was updated to v2.0.6 (bsc#1175821) - install missing systemd units for the new Rest API (bsc#1175957) and a few man-pages that where missing before - Drop varlink API related bits (in favor of the new API) - fix install location for zsh completions * Fixed a bug where running systemd in a container on a cgroups v1 system would fail. * Fixed a bug where /etc/passwd could be re-created every time a container is restarted if the container's /etc/passwd did not contain an entry for the user the container was started as. * Fixed a bug where containers without an /etc/passwd file specifying a non-root user would not start. * Fixed a bug where the --remote flag would sometimes not make remote connections and would instead attempt to run Podman locally. Update to v2.0.6: * Features - Rootless Podman will now add an entry to /etc/passwd for the user who ran Podman if run with --userns=keep-id. - The podman system connection command has been reworked to support multiple connections, and reenabled for use! - Podman now has a new global flag, --connection, to specify a connection to a remote Podman API instance. * Changes - Podman's automatic systemd integration (activated by the --systemd=true flag, set by default) will now activate for containers using /usr/local/sbin/init as their command, instead of just /usr/sbin/init and /sbin/init (and any path ending in systemd). - Seccomp profiles specified by the --security-opt seccomp=... flag to podman create and podman run will now be honored even if the container was created using --privileged. * Bugfixes - Fixed a bug where the podman play kube would not honor the hostIP field for port forwarding (#5964). - Fixed a bug where the podman generate systemd command would panic on an invalid restart policy being specified (#7271). - Fixed a bug where the podman images command could take a very long time (several minutes) to complete when a large number of images were present. - Fixed a bug where the podman logs command with the --tail flag would not work properly when a large amount of output would be printed ((#7230)[https://github.com//issues/7230]). - Fixed a bug where the podman exec command with remote Podman would not return a non-zero exit code when the exec session failed to start (e.g. invoking a non-existent command) (#6893). - Fixed a bug where the podman load command with remote Podman would did not honor user-specified tags (#7124). - Fixed a bug where the podman system service command, when run as a non-root user by Systemd, did not properly handle the Podman pause process and would not restart properly as a result (#7180). - Fixed a bug where the --publish flag to podman create, podman run, and podman pod create did not properly handle a host IP of 0.0.0.0 (attempting to bind to literal 0.0.0.0, instead of all IPs on the system) (#7104). - Fixed a bug where the podman start --attach command would not print the container's exit code when the command exited due to the container exiting. - Fixed a bug where the podman rm command with remote Podman would not remove volumes, even if the --volumes flag was specified (#7128). - Fixed a bug where the podman run command with remote Podman and the --rm flag could exit before the container was fully removed. - Fixed a bug where the --pod new:... flag to podman run and podman create would create a pod that did not share any namespaces. - Fixed a bug where the --preserve-fds flag to podman run and podman exec could close the wrong file descriptors while trying to close user-provided descriptors after passing them into the container. - Fixed a bug where default environment variables ($PATH and $TERM) were not set in containers when not provided by the image. - Fixed a bug where pod infra containers were not properly unmounted after exiting. - Fixed a bug where networks created with podman network create with an IPv6 subnet did not properly set an IPv6 default route. - Fixed a bug where the podman save command would not work properly when its output was piped to another command (#7017). - Fixed a bug where containers using a systemd init on a cgroups v1 system could leak mounts under /sys/fs/cgroup/systemd to the host. - Fixed a bug where podman build would not generate an event on completion (#7022). - Fixed a bug where the podman history command with remote Podman printed incorrect creation times for layers (#7122). - Fixed a bug where Podman would not create working directories specified by the container image if they did not exist. - Fixed a bug where Podman did not clear CMD from the container image if the user overrode ENTRYPOINT (#7115). - Fixed a bug where error parsing image names were not fully reported (part of the error message containing the exact issue was dropped). - Fixed a bug where the podman images command with remote Podman did not support printing image tags in Go templates supplied to the --format flag (#7123). - Fixed a bug where the podman rmi --force command would not attempt to unmount containers it was removing, which could cause a failure to remove the image. - Fixed a bug where the podman generate systemd --new command could incorrectly quote arguments to Podman that contained whitespace, leading to nonfunctional unit files (#7285). - Fixed a bug where the podman version command did not properly include build time and Git commit. - Fixed a bug where running systemd in a Podman container on a system that did not use the systemd cgroup manager would fail (#6734). - Fixed a bug where capabilities from --cap-add were not properly added when a container was started as a non-root user via --user. - Fixed a bug where Pod infra containers were not properly cleaned up when they stopped, causing networking issues (#7103). * API - Fixed a bug where the libpod and compat Build endpoints did not accept the application/tar content type (instead only accepting application/x-tar) (#7185). - Fixed a bug where the libpod Exists endpoint would attempt to write a second header in some error conditions (#7197). - Fixed a bug where compat and libpod Network Inspect and Network Remove endpoints would return a 500 instead of 404 when the requested network was not found. - Added a versioned _ping endpoint (e.g. http://localhost/v1.40/_ping). - Fixed a bug where containers started through a systemd-managed instance of the REST API would be shut down when podman system service shut down due to its idle timeout (#7294). - Added stronger parameter verification for the libpod Network Create endpoint to ensure subnet mask is a valid value. - The Pod URL parameter to the Libpod Container List endpoint has been deprecated; the information previously gated by the Pod boolean will now be included in the response unconditionally. - Change hard requires for AppArmor to Recommends. They are not needed for runtime or with SELinux but already installed if AppArmor is used [jsc#SMO-15] - Add BuildRequires for pkg-config(libselinux) to build with SELinux support [jsc#SMO-15] Update to v2.0.4 * Fixed a bug where the output of podman image search did not populate the Description field as it was mistakenly assigned to the ID field. * Fixed a bug where podman build - and podman build on an HTTP target would fail. * Fixed a bug where rootless Podman would improperly chown the copied-up contents of anonymous volumes (#7130). * Fixed a bug where Podman would sometimes HTML-escape special characters in its CLI output. * Fixed a bug where the podman start --attach --interactive command would print the container ID of the container attached to when exiting (#7068). * Fixed a bug where podman run --ipc=host --pid=host would only set --pid=host and not --ipc=host (#7100). * Fixed a bug where the --publish argument to podman run, podman create and podman pod create would not allow binding the same container port to more than one host port (#7062). * Fixed a bug where incorrect arguments to podman images --format could cause Podman to segfault. * Fixed a bug where podman rmi --force on an image ID with more than one name and at least one container using the image would not completely remove containers using the image (#7153). * Fixed a bug where memory usage in bytes and memory use percentage were swapped in the output of podman stats --format=json. * Fixed a bug where the libpod and compat events endpoints would fail if no filters were specified (#7078). * Fixed a bug where the CgroupVersion field in responses from the compat Info endpoint was prefixed by 'v' (instead of just being '1' or '2', as is documented). - Suggest katacontainers instead of recommending it. It's not enabled by default, so it's just bloat Update to v2.0.3 * Fix handling of entrypoint * log API: add context to allow for cancelling * fix API: Create container with an invalid configuration * Remove all instances of named return 'err' from Libpod * Fix: Correct connection counters for hijacked connections * Fix: Hijacking v2 endpoints to follow rfc 7230 semantics * Remove hijacked connections from active connections list * version/info: format: allow more json variants * Correctly print STDOUT on non-terminal remote exec * Fix container and pod create commands for remote create * Mask out /sys/dev to prevent information leak from the host * Ensure sig-proxy default is propagated in start * Add SystemdMode to inspect for containers * When determining systemd mode, use full command * Fix lint * Populate remaining unused fields in `pod inspect` * Include infra container information in `pod inspect` * play-kube: add suport for 'IfNotPresent' pull type * docs: user namespace can't be shared in pods * Fix 'Error: unrecognized protocol \'TCP\' in port mapping' * Error on rootless mac and ip addresses * Fix & add notes regarding problematic language in codebase * abi: set default umask and rlimits * Used reference package with errors for parsing tag * fix: system df error when an image has no name * Fix Generate API title/description * Add noop function disable-content-trust * fix play kube doesn't override dockerfile ENTRYPOINT * Support default profile for apparmor * Bump github.com/containers/common to v0.14.6 * events endpoint: backwards compat to old type * events endpoint: fix panic and race condition * Switch references from libpod.conf to containers.conf * podman.service: set type to simple * podman.service: set doc to podman-system-service * podman.service: use default registries.conf * podman.service: use default killmode * podman.service: remove stop timeout * systemd: symlink user->system * vendor golang.org/x/text@v0.3.3 * Fix a bug where --pids-limit was parsed incorrectly * search: allow wildcards * [CI:DOCS]Do not copy policy.json into gating image * Fix systemd pid 1 test * Cirrus: Rotate keys post repo. rename * The libpod.conf(5) man page got removed and all references are now pointing towards containers.conf(5), which will be part of the libcontainers-common package. Update to podman v2.0.2 * fix race condition in `libpod.GetEvents(...)` * Fix bug where `podman mount` didn't error as rootless * remove podman system connection * Fix imports to ensure v2 is used with libpod * Update release notes for v2.0.2 * specgen: fix order for setting rlimits * Ensure umask is set appropriately for 'system service' * generate systemd: improve pod-flags filter * Fix a bug with APIv2 compat network remove to log an ErrNetworkNotFound instead of nil * Fixes --remote flag issues * Pids-limit should only be set if the user set it * Set console mode for windows * Allow empty host port in --publish flag * Add a note on the APIs supported by `system service` * fix: Don't override entrypoint if it's `nil` * Set TMPDIR to /var/tmp by default if not set * test: add tests for --user and volumes * container: move volume chown after spec generation * libpod: volume copyup honors namespace mappings * Fix `system service` panic from early hangup in events * stop podman service in e2e tests * Print errors from individual containers in pods * auto-update: clarify systemd-unit requirements * podman ps truncate the command * move go module to v2 * Vendor containers/common v0.14.4 * Bump to imagebuilder v1.1.6 on v2 branch * Account for non-default port number in image name - Changes since v2.0.1 * Update release notes with further v2.0.1 changes * Fix inspect to display multiple label: changes * Set syslog for exit commands on log-level=debug * Friendly amendment for pr 6751 * podman run/create: support all transports * systemd generate: allow manual restart of container units in pods * Revert sending --remote flag to containers * Print port mappings in `ps` for ctrs sharing network * vendor github.com/containers/common@v0.14.3 * Update release notes for v2.0.1 * utils: drop default mapping when running uid!=0 * Set stop signal to 15 when not explicitly set * podman untag: error if tag doesn't exist * Reformat inspect network settings * APIv2: Return `StatusCreated` from volume creation * APIv2:fix: Remove `/json` from compat network EPs * Fix ssh-agent support * libpod: specify mappings to the storage * APIv2:doc: Fix swagger doc to refer to volumes * Add podman network to bash command completions * Fix typo in manpage for `podman auto update`. * Add JSON output field for ps * V2 podman system connection * image load: no args required * Re-add PODMAN_USERNS environment variable * Fix conflicts between privileged and other flags * Bump required go version to 1.13 * Add explicit command to alpine container in test case. * Use POLL_DURATION for timer * Stop following logs using timers * 'pod' was being truncated to 'po' in the names of the generated systemd unit files. * rootless_linux: improve error message * Fix podman build handling of --http-proxy flag * correct the absolute path of `rm` executable * Makefile: allow customizable GO_BUILD * Cirrus: Change DEST_BRANCH to v2.0 Update to podman v2.0.0 * The `podman generate systemd` command now supports the `--new` flag when used with pods, allowing portable services for pods to be created. * The `podman play kube` command now supports running Kubernetes Deployment YAML. * The `podman exec` command now supports the `--detach` flag to run commands in the container in the background. * The `-p` flag to `podman run` and `podman create` now supports forwarding ports to IPv6 addresses. * The `podman run`, `podman create` and `podman pod create` command now support a `--replace` flag to remove and replace any existing container (or, for `pod create`, pod) with the same name * The `--restart-policy` flag to `podman run` and `podman create` now supports the `unless-stopped` restart policy. * The `--log-driver` flag to `podman run` and `podman create` now supports the `none` driver, which does not log the container's output. * The `--mount` flag to `podman run` and `podman create` now accepts `readonly` option as an alias to `ro`. * The `podman generate systemd` command now supports the `--container-prefix`, `--pod-prefix`, and `--separator` arguments to control the name of generated unit files. * The `podman network ls` command now supports the `--filter` flag to filter results. * The `podman auto-update` command now supports specifying an authfile to use when pulling new images on a per-container basis using the `io.containers.autoupdate.authfile` label. * Fixed a bug where the `podman exec` command would log to journald when run in containers loggined to journald ([#6555](https://github.com/containers/libpod/issues/6555)). * Fixed a bug where the `podman auto-update` command would not preserve the OS and architecture of the original image when pulling a replacement ([#6613](https://github.com/containers/libpod/issues/6613)). * Fixed a bug where the `podman cp` command could create an extra `merged` directory when copying into an existing directory ([#6596](https://github.com/containers/libpod/issues/6596)). * Fixed a bug where the `podman pod stats` command would crash on pods run with `--network=host` ([#5652](https://github.com/containers/libpod/issues/5652)). * Fixed a bug where containers logs written to journald did not include the name of the container. * Fixed a bug where the `podman network inspect` and `podman network rm` commands did not properly handle non-default CNI configuration paths ([#6212](https://github.com/containers/libpod/issues/6212)). * Fixed a bug where Podman did not properly remove containers when using the Kata containers OCI runtime. * Fixed a bug where `podman inspect` would sometimes incorrectly report the network mode of containers started with `--net=none`. * Podman is now better able to deal with cases where `conmon` is killed before the container it is monitoring. Update to podman v1.9.3: * Fixed a bug where, on FIPS enabled hosts, FIPS mode secrets were not properly mounted into containers * Fixed a bug where builds run over Varlink would hang * Fixed a bug where podman save would fail when the target image was specified by digest * Fixed a bug where rootless containers with ports forwarded to them could panic and dump core due to a concurrency issue (#6018) * Fixed a bug where rootless Podman could race when opening the rootless user namespace, resulting in commands failing to run * Fixed a bug where HTTP proxy environment variables forwarded into the container by the --http-proxy flag could not be overridden by --env or --env-file * Fixed a bug where rootless Podman was setting resource limits on cgroups v2 systems that were not using systemd-managed cgroups (and thus did not support resource limits), resulting in containers failing to start Update podman to v1.9.1: * Bugfixes - Fixed a bug where healthchecks could become nonfunctional if container log paths were manually set with --log-path and multiple container logs were placed in the same directory - Fixed a bug where rootless Podman could, when using an older libpod.conf, print numerous warning messages about an invalid CGroup manager config - Fixed a bug where rootless Podman would sometimes fail to close the rootless user namespace when joining it Update podman to v1.9.0: * Features - Experimental support has been added for podman run --userns=auto, which automatically allocates a unique UID and GID range for the new container's user namespace - The podman play kube command now has a --network flag to place the created pod in one or more CNI networks - The podman commit command now supports an --iidfile flag to write the ID of the committed image to a file - Initial support for the new containers.conf configuration file has been added. containers.conf allows for much more detailed configuration of some Podman functionality * Changes - There has been a major cleanup of the podman info command resulting in breaking changes. Many fields have been renamed to better suit usage with APIv2 - All uses of the --timeout flag have been switched to prefer the alternative --time. The --timeout flag will continue to work, but man pages and --help will use the --time flag instead * Bugfixes - Fixed a bug where some volume mounts from the host would sometimes not properly determine the flags they should use when mounting - Fixed a bug where Podman was not propagating $PATH to Conmon and the OCI runtime, causing issues for some OCI runtimes that required it - Fixed a bug where rootless Podman would print error messages about missing support for systemd cgroups when run in a container with no cgroup support - Fixed a bug where podman play kube would not properly handle container-only port mappings (#5610) - Fixed a bug where the podman container prune command was not pruning containers in the created and configured states - Fixed a bug where Podman was not properly removing CNI IP address allocations after a reboot (#5433) - Fixed a bug where Podman was not properly applying the default Seccomp profile when --security-opt was not given at the command line * HTTP API - Many Libpod API endpoints have been added, including Changes, Checkpoint, Init, and Restore - Resolved issues where the podman system service command would time out and exit while there were still active connections - Stability overall has greatly improved as we prepare the API for a beta release soon with Podman 2.0 * Misc - The default infra image for pods has been upgraded to k8s.gcr.io/pause:3.2 (from 3.1) to address a bug in the architecture metadata for non-AMD64 images - The slirp4netns networking utility in rootless Podman now uses Seccomp filtering where available for improved security - Updated Buildah to v1.14.8 - Updated containers/storage to v1.18.2 - Updated containers/image to v5.4.3 - Updated containers/common to v0.8.1 - Add 'systemd' BUILDFLAGS to build with support for journald logging (bsc#1162432) Update podman to v1.8.2: * Features - Initial support for automatically updating containers managed via Systemd unit files has been merged. This allows containers to automatically upgrade if a newer version of their image becomes available * Bugfixes - Fixed a bug where unit files generated by podman generate systemd --new would not force containers to detach, causing the unit to time out when trying to start - Fixed a bug where podman system reset could delete important system directories if run as rootless on installations created by older Podman (#4831) - Fixed a bug where image built by podman build would not properly set the OS and Architecture they were built with (#5503) - Fixed a bug where attached podman run with --sig-proxy enabled (the default), when built with Go 1.14, would repeatedly send signal 23 to the process in the container and could generate errors when the container stopped (#5483) - Fixed a bug where rootless podman run commands could hang when forwarding ports - Fixed a bug where rootless Podman would not work when /proc was mounted with the hidepid option set - Fixed a bug where the podman system service command would use large amounts of CPU when --timeout was set to 0 (#5531) * HTTP API - Initial support for Libpod endpoints related to creating and operating on image manifest lists has been added - The Libpod Healthcheck and Events API endpoints are now supported - The Swagger endpoint can now handle cases where no Swagger documentation has been generated Update podman to v1.8.1: * Features - Many networking-related flags have been added to podman pod create to enable customization of pod networks, including --add-host, --dns, --dns-opt, --dns-search, --ip, --mac-address, --network, and --no-hosts - The podman ps --format=json command now includes the ID of the image containers were created with - The podman run and podman create commands now feature an --rmi flag to remove the image the container was using after it exits (if no other containers are using said image) ([#4628](https://github.com/containers/libpod/issues/4628)) - The podman create and podman run commands now support the --device-cgroup-rule flag (#4876) - While the HTTP API remains in alpha, many fixes and additions have landed. These are documented in a separate subsection below - The podman create and podman run commands now feature a --no-healthcheck flag to disable healthchecks for a container (#5299) - Containers now recognize the io.containers.capabilities label, which specifies a list of capabilities required by the image to run. These capabilities will be used as long as they are more restrictive than the default capabilities used - YAML produced by the podman generate kube command now includes SELinux configuration passed into the container via --security-opt label=... (#4950) * Bugfixes - Fixed CVE-2020-1726, a security issue where volumes manually populated before first being mounted into a container could have those contents overwritten on first being mounted into a container - Fixed a bug where Podman containers with user namespaces in CNI networks with the DNS plugin enabled would not have the DNS plugin's nameserver added to their resolv.conf ([#5256](https://github.com/containers/libpod/issues/5256)) - Fixed a bug where trailing / characters in image volume definitions could cause them to not be overridden by a user-specified mount at the same location ([#5219](https://github.com/containers/libpod/issues/5219)) - Fixed a bug where the label option in libpod.conf, used to disable SELinux by default, was not being respected (#5087) - Fixed a bug where the podman login and podman logout commands required the registry to log into be specified (#5146) - Fixed a bug where detached rootless Podman containers could not forward ports (#5167) - Fixed a bug where rootless Podman could fail to run if the pause process had died - Fixed a bug where Podman ignored labels that were specified with only a key and no value (#3854) - Fixed a bug where Podman would fail to create named volumes when the backing filesystem did not support SELinux labelling (#5200) - Fixed a bug where --detach-keys='' would not disable detaching from a container (#5166) - Fixed a bug where the podman ps command was too aggressive when filtering containers and would force --all on in too many situations - Fixed a bug where the podman play kube command was ignoring image configuration, including volumes, working directory, labels, and stop signal (#5174) - Fixed a bug where the Created and CreatedTime fields in podman images --format=json were misnamed, which also broke Go template output for those fields ([#5110](https://github.com/containers/libpod/issues/5110)) - Fixed a bug where rootless Podman containers with ports forwarded could hang when started (#5182) - Fixed a bug where podman pull could fail to parse registry names including port numbers - Fixed a bug where Podman would incorrectly attempt to validate image OS and architecture when starting containers - Fixed a bug where Bash completion for podman build -f would not list available files that could be built (#3878) - Fixed a bug where podman commit --change would perform incorrect validation, resulting in valid changes being rejected (#5148) - Fixed a bug where podman logs --tail could take large amounts of memory when the log file for a container was large (#5131) - Fixed a bug where Podman would sometimes incorrectly generate firewall rules on systems using firewalld - Fixed a bug where the podman inspect command would not display network information for containers properly if a container joined multiple CNI networks ([#4907](https://github.com/containers/libpod/issues/4907)) - Fixed a bug where the --uts flag to podman create and podman run would only allow specifying containers by full ID (#5289) - Fixed a bug where rootless Podman could segfault when passed a large number of file descriptors - Fixed a bug where the podman port command was incorrectly interpreting additional arguments as container names, instead of port numbers - Fixed a bug where units created by podman generate systemd did not depend on network targets, and so could start before the system network was ready (#4130) - Fixed a bug where exec sessions in containers which did not specify a user would not inherit supplemental groups added to the container via --group-add - Fixed a bug where Podman would not respect the $TMPDIR environment variable for placing large temporary files during some operations (e.g. podman pull) ([#5411](https://github.com/containers/libpod/issues/5411)) * HTTP API - Initial support for secure connections to servers via SSH tunneling has been added - Initial support for the libpod create and logs endpoints for containers has been added - Added a /swagger/ endpoint to serve API documentation - The json endpoint for containers has received many fixes - Filtering images and containers has been greatly improved, with many bugs fixed and documentation improved - Image creation endpoints (commit, pull, etc) have seen many fixes - Server timeout has been fixed so that long operations will no longer trigger the timeout and shut the server down - The stats endpoint for containers has seen major fixes and now provides accurate output - Handling the HTTP 304 status code has been fixed for all endpoints - Many fixes have been made to API documentation to ensure it matches the code * Misc - The Created field to podman images --format=json has been renamed to CreatedSince as part of the fix for (#5110). Go templates using the old name shou ld still work - The CreatedTime field to podman images --format=json has been renamed to CreatedAt as part of the fix for (#5110). Go templates using the old name should still work - The before filter to podman images has been renamed to since for Docker compatibility. Using before will still work, but documentation has been changed to use the new since filter - Using the --password flag to podman login now warns that passwords are being passed in plaintext - Some common cases where Podman would deadlock have been fixed to warn the user that podman system renumber must be run to resolve the deadlock - Configure br_netfilter for podman automatically (bsc#1165738) The trigger is only excuted when updating podman-cni-config while the command was running conmon was update to v2.0.20 (bsc#1175821) - journald: fix logging container name - container logging: Implement none driver - 'off', 'null' or 'none' all work. - ctrl: warn if we fail to unlink - Drop fsync calls - Reap PIDs before running exit command - Fix log path parsing - Add --sync option to prevent conmon from double forking - Add --no-sync-log option to instruct conmon to not sync the logs of the containers upon shutting down. This feature fixes a regression where we unconditionally dropped the log sync. It is possible the container logs could be corrupted on a sudden power-off. If you need container logs to remain in consistent state after a sudden shutdown, please update from v2.0.19 to v2.0.20 - Update to v2.0.17: - Add option to delay execution of exit command - Update to v2.0.16: - tty: flush pending data when fd is ready - Enable support for journald logging (bsc#1162432) - Update to v2.0.15: - store status while waiting for pid - Update to v2.0.14: - drop usage of splice(2) - avoid hanging on stdin - stdio: sometimes quit main loop after io is done - ignore sigpipe - Update to v2.0.12 - oom: fix potential race between verification steps - Update to v2.0.11 - log: reject --log-tag with k8s-file - chmod std files pipes - adjust score to -1000 to prevent conmon from ever being OOM killed - container OOM: verify cgroup hasn't been cleaned up before reporting OOM - journal logging: write to /dev/null instead of -1 fuse-overlayfs was updated to 1.1.2 (bsc#1175821): - fix memory leak when creating whiteout files. - fix lookup for overflow uid when it is different than the overflow gid. - use openat2(2) when available. - accept 'ro' as mount option. - fix set mtime for a symlink. - fix some issues reported by static analysis. - fix potential infinite loop on a short read. - fix creating a directory if the destination already exists in the upper layer. - report correctly the number of links for a directory also for subsequent stat calls - stop looking up the ino in the lower layers if the file could not be opened - make sure the destination is deleted before doing a rename(2). It prevents a left over directory to cause delete to fail with EEXIST. - honor --debug. libcontainers-common was updated to fix: - Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075) - Added containers/common tarball for containers.conf(5) man page - Install containers.conf default configuration in /usr/share/containers - libpod repository on github got renamed to podman - Update to image 5.5.1 - Add documentation for credHelpera - Add defaults for using the rootless policy path - Update libpod/podman to 2.0.3 - docs: user namespace can't be shared in pods - Switch references from libpod.conf to containers.conf - Allow empty host port in --publish flag - update document login see config.json as valid - Update storage to 1.20.2 - Add back skip_mount_home - Remove remaining difference between SLE and openSUSE package and ship the some mounts.conf default configuration on both platforms. As the sources for the mount point do not exist on openSUSE by default this config will basically have no effect on openSUSE. (jsc#SLE-12122, bsc#1175821) - Update to image 5.4.4 - Remove registries.conf VERSION 2 references from man page - Intial authfile man page - Add $HOME/.config/containers/certs.d to perHostCertDirPath - Add $HOME/.config/containers/registries.conf to config path - registries.conf.d: add stances for the registries.conf - update to libpod 1.9.3 - userns: support --userns=auto - Switch to using --time as opposed to --timeout to better match Docker - Add support for specifying CNI networks in podman play kube - man pages: fix inconsistencies - Update to storage 1.19.1 - userns: add support for auto - store: change the default user to containers - config: honor XDG_CONFIG_HOME - Remove the /var/lib/ca-certificates/pem/SUSE.pem workaround again. It never ended up in SLES and a different way to fix the underlying problem is being worked on. - Add registry.opensuse.org as default registry [bsc#1171578] - Add /var/lib/ca-certificates/pem/SUSE.pem to the SLES mounts. This for making container-suseconnect working in the public cloud on-demand images. It needs that file for being able to verify the server certificates of the RMT servers hosted in the public cloud. (https://github.com/SUSE/container-suseconnect/issues/41) ----------------------------------------- Patch: SUSE-2020-2735 Released: Thu Sep 24 13:32:25 2020 Summary: Recommended update for systemd-rpm-macros Severity: moderate References: 1173034 Description: This update for systemd-rpm-macros fixes the following issues: - Introduce macro '%service_del_postun_without_restart' to resolve blocking new releases based on this. (bsc#1173034) ----------------------------------------- Patch: SUSE-2020-2782 Released: Tue Sep 29 11:40:22 2020 Summary: Recommended update for systemd-rpm-macros Severity: important References: 1176932 Description: This update for systemd-rpm-macros fixes the following issues: - Backport missing macros of directory paths from upstream + %_environmentdir + %_modulesloaddir + %_modprobedir - Make sure %_restart_on_update_never and %_stop_on_removal_never don't expand to the empty string. (bsc#1176932) Otherwise sequences like the following code: if [ ... ]; then %_restart_on_update_never fi would result in the following incorrect shell syntax: if [ ... ]; then fi ----------------------------------------- Patch: SUSE-2020-2947 Released: Fri Oct 16 15:23:07 2020 Summary: Security update for gcc10, nvptx-tools Severity: moderate References: 1172798,1172846,1173972,1174753,1174817,1175168,CVE-2020-13844 Description: This update for gcc10, nvptx-tools fixes the following issues: This update provides the GCC10 compiler suite and runtime libraries. The base SUSE Linux Enterprise libraries libgcc_s1, libstdc++6 are replaced by the gcc10 variants. The new compiler variants are available with '-10' suffix, you can specify them via: CC=gcc-10 CXX=g++-10 or similar commands. For a detailed changelog check out https://gcc.gnu.org/gcc-10/changes.html Changes in nvptx-tools: - Enable build on aarch64 ----------------------------------------- Patch: SUSE-2020-2958 Released: Tue Oct 20 12:24:55 2020 Summary: Recommended update for procps Severity: moderate References: 1158830 Description: This update for procps fixes the following issues: - Fixes an issue when command 'ps -C' does not allow anymore an argument longer than 15 characters. (bsc#1158830) ----------------------------------------- Patch: SUSE-2020-2983 Released: Wed Oct 21 15:03:03 2020 Summary: Recommended update for file Severity: moderate References: 1176123 Description: This update for file fixes the following issues: - Fixes an issue when file displays broken 'ELF' interpreter. (bsc#1176123) ----------------------------------------- Patch: SUSE-2020-3012 Released: Thu Oct 22 22:36:57 2020 Summary: Recommended update for sysstat Severity: moderate References: 1174227 Description: This update for sysstat fixes the following issues: - Fix for an issue when 'iowait' output of 'sar' can also decrement as a result of inaccurate tracking. (bsc#1174227) ----------------------------------------- Patch: SUSE-2020-3091 Released: Thu Oct 29 16:35:37 2020 Summary: Security update for MozillaThunderbird and mozilla-nspr Severity: important References: 1174230,1176384,1176756,1176899,1177977,CVE-2020-15673,CVE-2020-15676,CVE-2020-15677,CVE-2020-15678,CVE-2020-15683,CVE-2020-15969 Description: This update for MozillaThunderbird and mozilla-nspr fixes the following issues: - Mozilla Thunderbird 78.4 * new: MailExtensions: browser.tabs.sendMessage API added * new: MailExtensions: messageDisplayScripts API added * changed: Yahoo and AOL mail users using password authentication will be migrated to OAuth2 * changed: MailExtensions: messageDisplay APIs extended to support multiple selected messages * changed: MailExtensions: compose.begin functions now support creating a message with attachments * fixed: Thunderbird could freeze when updating global search index * fixed: Multiple issues with handling of self-signed SSL certificates addressed * fixed: Recipient address fields in compose window could expand to fill all available space * fixed: Inserting emoji characters in message compose window caused unexpected behavior * fixed: Button to restore default folder icon color was not keyboard accessible * fixed: Various keyboard navigation fixes * fixed: Various color-related theme fixes * fixed: MailExtensions: Updating attachments with onBeforeSend.addListener() did not work MFSA 2020-47 (bsc#1177977) * CVE-2020-15969 Use-after-free in usersctp * CVE-2020-15683 Memory safety bugs fixed in Thunderbird 78.4 - Mozilla Thunderbird 78.3.3 * OpenPGP: Improved support for encrypting with subkeys * OpenPGP message status icons were not visible in message header pane * Creating a new calendar event did not require an event title - Mozilla Thunderbird 78.3.2 (bsc#1176899) * OpenPGP: Improved support for encrypting with subkeys * OpenPGP: Encrypted messages with international characters were sometimes displayed incorrectly * Single-click deletion of recipient pills with middle mouse button restored * Searching an address book list did not display results * Dark mode, high contrast, and Windows theming fixes - Mozilla Thunderbird 78.3.1 * fix crash in nsImapProtocol::CreateNewLineFromSocket - Mozilla Thunderbird 78.3.0 MFSA 2020-44 (bsc#1176756) * CVE-2020-15677 Download origin spoofing via redirect * CVE-2020-15676 XSS when pasting attacker-controlled data into a contenteditable element * CVE-2020-15678 When recursing through layers while scrolling, an iterator may have become invalid, resulting in a potential use-after- free scenario * CVE-2020-15673 Memory safety bugs fixed in Thunderbird 78.3 - update mozilla-nspr to version 4.25.1 * The macOS platform code for shared library loading was changed to support macOS 11. * Dependency needed for the MozillaThunderbird udpate ----------------------------------------- Patch: SUSE-2020-3099 Released: Thu Oct 29 19:33:41 2020 Summary: Recommended update for timezone Severity: moderate References: 1177460 Description: This update for timezone fixes the following issues: - timezone update 2020b (bsc#1177460) * Revised predictions for Morocco's changes starting in 2023. * Canada's Yukon changes to -07 on 2020-11-01, not 2020-03-08. * Macquarie Island has stayed in sync with Tasmania since 2011. * Casey, Antarctica is at +08 in winter and +11 in summer. * zic no longer supports -y, nor the TYPE field of Rules. ----------------------------------------- Patch: SUSE-2020-3123 Released: Tue Nov 3 09:48:13 2020 Summary: Recommended update for timezone Severity: important References: 1177460,1178346,1178350,1178353 Description: This update for timezone fixes the following issues: - Generate 'fat' timezone files (was default before 2020b). (bsc#1178346, bsc#1178350, bsc#1178353) - Palestine ends DST earlier than predicted, on 2020-10-24. (bsc#1177460) - Fiji starts DST later than usual, on 2020-12-20. (bsc#1177460) ----------------------------------------- Patch: SUSE-2020-3308 Released: Thu Nov 12 14:20:07 2020 Summary: Recommended update for sysstat Severity: moderate References: 1177747 Description: This update for sysstat fixes the following issues: - Fix iostat switch '-y' to display the correct results. (bsc#1177747) ----------------------------------------- Patch: SUSE-2020-3462 Released: Fri Nov 20 13:14:35 2020 Summary: Recommended update for pam and sudo Severity: moderate References: 1174593,1177858,1178727 Description: This update for pam and sudo fixes the following issue: pam: - pam_xauth: do not *free* a string which has been successfully passed to *putenv*. (bsc#1177858) - Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727) - Run /usr/bin/xauth using the old user's and group's identifiers. (bsc#1174593) sudo: - Fix a problem with pam_xauth which checks effective and real uids to get the real identity of the user. (bsc#1174593) ----------------------------------------- Patch: SUSE-2020-3620 Released: Thu Dec 3 17:03:55 2020 Summary: Recommended update for pam Severity: moderate References: Description: This update for pam fixes the following issues: - Check if the password is part of the username. (jsc#SLE-16719, jsc#SLE-16720) - Check whether the password contains a substring of of the user's name of at least `` characters length in some form. This is enabled by the new parameter `usersubstr=` ----------------------------------------- Patch: SUSE-2020-3791 Released: Mon Dec 14 17:39:19 2020 Summary: Recommended update for gzip Severity: moderate References: Description: This update for gzip fixes the following issue: - Enable `DFLTCC` (Deflate Conversion Call) compression for s390x for levels 1-6 to `CFLAGS`. (jsc#SLE-13775) Enable by adding `-DDFLTCC_LEVEL_MASK=0x7e` to `CFLAGS`. ----------------------------------------- Patch: SUSE-2020-3795 Released: Mon Dec 14 17:43:26 2020 Summary: Optional update for systemd-rpm-macros Severity: low References: 1059627,1178481,1179020 Description: This update for systemd-rpm-macros fixes the following issues: - Deprecate '-f'/'-n' options When used with %service_del_preun, support for these options will be dropped as DISABLE_STOP_ON_REMOVAL support will be removed on the next version of SLE (jsc#SLE-8968) When used with %service_del_postun, they should be replaced with their counterpart %service_del_postun_with_restart/%service_del_postun_without_restart - Introduced %service_del_postun_with_restart() It's the counterpart of %service_del_postun_without_restart() and replaces the '-f' option of %service_del_postun(). - Does no longer apply presets when migrating from a disabled initscript (bsc#1178481) - Fix importing of %{_unitdir} ----------------------------------------- Patch: SUSE-2020-3942 Released: Tue Dec 29 12:22:01 2020 Summary: Recommended update for libidn2 Severity: moderate References: 1180138 Description: This update for libidn2 fixes the following issues: - The library is actually dual licensed, GPL-2.0-or-later or LGPL-3.0-or-later, adjusted the RPM license tags (bsc#1180138) ----------------------------------------- Patch: SUSE-2021-179 Released: Wed Jan 20 13:38:51 2021 Summary: Recommended update for timezone Severity: moderate References: 1177460 Description: This update for timezone fixes the following issues: - timezone update 2020f (bsc#1177460) * 'make rearguard_tarballs' no longer generates a bad rearguard.zi, fixing a 2020e bug. - timezone update 2020e (bsc#1177460) * Volgograd switches to Moscow time on 2020-12-27 at 02:00. - timezone update 2020f (bsc#1177460) * 'make rearguard_tarballs' no longer generates a bad rearguard.zi, fixing a 2020e bug. - timezone update 2020e (bsc#1177460) * Volgograd switches to Moscow time on 2020-12-27 at 02:00. ----------------------------------------- Patch: SUSE-2021-220 Released: Tue Jan 26 14:00:51 2021 Summary: Recommended update for keyutils Severity: moderate References: 1180603 Description: This update for keyutils fixes the following issues: - Adjust the library license to be LPGL-2.1+ only (the tools are GPL2+, the library is just LGPL-2.1+) (bsc#1180603) ----------------------------------------- Patch: SUSE-2021-271 Released: Mon Feb 1 21:04:13 2021 Summary: Recommended update for lshw Severity: moderate References: 1181411 Description: This update for lshw fixes the following issues: - Display UUID on Power VM LPAR. (bsc#1181411, ltc#191040) ----------------------------------------- Patch: SUSE-2021-293 Released: Wed Feb 3 12:52:34 2021 Summary: Recommended update for gmp Severity: moderate References: 1180603 Description: This update for gmp fixes the following issues: - correct license statements of packages (library itself is no GPL-3.0) (bsc#1180603) ----------------------------------------- Patch: SUSE-2021-301 Released: Thu Feb 4 08:46:27 2021 Summary: Recommended update for timezone Severity: moderate References: 1177460 Description: This update for timezone fixes the following issues: - timezone update 2021a (bsc#1177460) * South Sudan changes from +03 to +02 on 2021-02-01 at 00:00. - timezone update 2021a (bsc#1177460) * South Sudan changes from +03 to +02 on 2021-02-01 at 00:00. ----------------------------------------- Patch: SUSE-2021-339 Released: Mon Feb 8 13:16:07 2021 Summary: Optional update for pam Severity: low References: Description: This update for pam fixes the following issues: - Added rpm macros for this package, so that other packages can make use of it This patch is optional to be installed - it doesn't fix any bugs. ----------------------------------------- Patch: SUSE-2021-707 Released: Thu Mar 4 09:19:36 2021 Summary: Recommended update for systemd-rpm-macros Severity: moderate References: 1177039 Description: This update for systemd-rpm-macros fixes the following issues: - Bump to version 6 - Make upstream '%systemd_{pre,post,preun,postun}' aliases to their SUSE counterparts. Packagers can now choose to use the upstream or the SUSE variants indifferently. For consistency the SUSE variants should be preferred since almost all SUSE packages already use them but the upstream versions might be usefull in certain cases where packages need to support multiple distros based on RPM. - Improve the logic used to apply the presets. (bsc#1177039) Before presests were applied at a) package installation b) new units introduced via a package update (but after making sure that it was not a SysV initscript being converted). The problem is that a) didn't handle package a renaming or split properly since the package with the new name is installed rather being updated and therefore the presets were applied even if they were already with the old name. We now cover this case (and the other ones) by applying presets only if the units are new and the services are not being migrated. This regardless of whether this happens during an install or an update. ----------------------------------------- Patch: SUSE-2021-795 Released: Tue Mar 16 10:28:02 2021 Summary: Recommended update for systemd-rpm-macros Severity: low References: 1182661,1183012,1183051 Description: This update for systemd-rpm-macros fixes the following issues: - Added a %systemd_user_pre macro (bsc#1183051, bsc#1183012) - Fixed an issue with %systemd_user_post, where the --global parameter was treated like if it was another service (bsc#1183051, bsc#1182661) ----------------------------------------- Patch: SUSE-2021-930 Released: Wed Mar 24 12:09:23 2021 Summary: Security update for nghttp2 Severity: important References: 1172442,1181358,CVE-2020-11080 Description: This update for nghttp2 fixes the following issues: - CVE-2020-11080: HTTP/2 Large Settings Frame DoS (bsc#1181358) ----------------------------------------- Patch: SUSE-2021-953 Released: Thu Mar 25 14:37:26 2021 Summary: Recommended update for psmisc Severity: moderate References: 1178407 Description: This update for psmisc fixes the following issues: - Fix for 'fuser' when it does not show open kvm storage image files such as 'qcow2' files. (bsc#1178407) ----------------------------------------- Patch: SUSE-2021-974 Released: Mon Mar 29 19:31:27 2021 Summary: Security update for tar Severity: low References: 1181131,CVE-2021-20193 Description: This update for tar fixes the following issues: CVE-2021-20193: Memory leak in read_header() in list.c (bsc#1181131) ----------------------------------------- Patch: SUSE-2021-1007 Released: Thu Apr 1 17:47:20 2021 Summary: Security update for MozillaFirefox Severity: important References: 1183942,CVE-2021-23981,CVE-2021-23982,CVE-2021-23984,CVE-2021-23987 Description: This update for MozillaFirefox fixes the following issues: - Firefox was updated to 78.9.0 ESR (MFSA 2021-11, bsc#1183942) * CVE-2021-23981: Texture upload into an unbound backing buffer resulted in an out-of-bound read * CVE-2021-23982: Internal network hosts could have been probed by a malicious webpage * CVE-2021-23984: Malicious extensions could have spoofed popup information * CVE-2021-23987: Memory safety bugs ----------------------------------------- Patch: SUSE-2021-1018 Released: Tue Apr 6 14:29:13 2021 Summary: Recommended update for gzip Severity: moderate References: 1180713 Description: This update for gzip fixes the following issues: - Fixes an issue when 'gzexe' counts the lines to skip wrong. (bsc#1180713) ----------------------------------------- Patch: SUSE-2021-1169 Released: Tue Apr 13 15:01:42 2021 Summary: Recommended update for procps Severity: low References: 1181976 Description: This update for procps fixes the following issues: - Corrected a statement in the man page about processor pinning via taskset (bsc#1181976) ----------------------------------------- Patch: SUSE-2021-1289 Released: Wed Apr 21 14:02:46 2021 Summary: Recommended update for gzip Severity: moderate References: 1177047 Description: This update for gzip fixes the following issues: - Fixed a potential segfault when zlib acceleration is enabled (bsc#1177047) ----------------------------------------- Patch: SUSE-2021-1424 Released: Thu Apr 29 06:22:32 2021 Summary: Recommended update for openslp Severity: moderate References: 1166637,1184008 Description: This update for openslp fixes the following issues: - Added automated active discovery retries so that DAs do not get dropped, if they are not reachable for some time (bsc#1166637, bsc#1184008) ----------------------------------------- Patch: SUSE-2021-1549 Released: Mon May 10 13:48:00 2021 Summary: Recommended update for procps Severity: moderate References: 1185417 Description: This update for procps fixes the following issues: - Support up to 2048 CPU as well. (bsc#1185417) ----------------------------------------- Patch: SUSE-2021-1583 Released: Wed May 12 13:40:35 2021 Summary: Recommended update for sensors Severity: moderate References: 1185183 Description: This update for sensors fixes the following issues: - Change PIDFile path from '/var/run' to '/run' as the it is deprecated. (bsc#1185183) ----------------------------------------- Patch: SUSE-2021-1643 Released: Wed May 19 13:51:48 2021 Summary: Recommended update for pam Severity: important References: 1181443,1184358,1185562 Description: This update for pam fixes the following issues: - Fixed a bug, where the 'unlimited'/'-1' value was not interpreted correctly (bsc#1181443) - Fixed a bug, where pam_access interpreted the keyword 'LOCAL' incorrectly, leading to an attempt to resolve it as a hostname (bsc#1184358) - In the 32-bit compatibility package for 64-bit architectures, require 'systemd-32bit' to be also installed as it contains pam_systemd.so for 32 bit applications. (bsc#1185562) ----------------------------------------- Patch: SUSE-2021-1861 Released: Fri Jun 4 09:59:40 2021 Summary: Recommended update for gcc10 Severity: moderate References: 1029961,1106014,1178577,1178624,1178675,1182016 Description: This update for gcc10 fixes the following issues: - Disable nvptx offloading for aarch64 again since it doesn't work - Fixed a build failure issue. (bsc#1182016) - Fix for memory miscompilation on 'aarch64'. (bsc#1178624, bsc#1178577) - Fix 32bit 'libgnat.so' link. (bsc#1178675) - prepare usrmerge: Install libgcc_s into %_libdir. ABI wise it stays /%lib. (bsc#1029961) - Build complete set of multilibs for arm-none target. (bsc#1106014) ----------------------------------------- Patch: SUSE-2021-1935 Released: Thu Jun 10 10:45:09 2021 Summary: Recommended update for gzip Severity: moderate References: 1186642 Description: This update for gzip fixes the following issue: - gzip had a lower release number in 15 sp2 and sp3 than in 15 sp1, which could lead to migration issues. (bsc#1186642) ----------------------------------------- Patch: SUSE-2021-1937 Released: Thu Jun 10 10:47:09 2021 Summary: Recommended update for nghttp2 Severity: moderate References: 1186642 Description: This update for nghttp2 fixes the following issue: - The (lib)nghttp2 packages had a lower release number in SUSE Linux Enterprise 15 sp2 and sp3 than in 15 sp1, which could lead to migration issues. (bsc#1186642) ----------------------------------------- Patch: SUSE-2021-1954 Released: Fri Jun 11 10:45:09 2021 Summary: Security update for containerd, docker, runc Severity: important References: 1168481,1175081,1175821,1181594,1181641,1181677,1181730,1181732,1181749,1182451,1182476,1182947,1183024,1183855,1184768,1184962,1185405,CVE-2021-21284,CVE-2021-21285,CVE-2021-21334,CVE-2021-30465 Description: This update for containerd, docker, runc fixes the following issues: Docker was updated to 20.10.6-ce (bsc#1184768, bsc#1182947, bsc#1181594) * Switch version to use -ce suffix rather than _ce to avoid confusing other tools (bsc#1182476). * CVE-2021-21284: Fixed a potential privilege escalation when the root user in the remapped namespace has access to the host filesystem (bsc#1181732) * CVE-2021-21285: Fixed an issue where pulling a malformed Docker image manifest crashes the dockerd daemon (bsc#1181730). * btrfs quotas being removed by Docker regularly (bsc#1183855, bsc#1175081) runc was updated to v1.0.0~rc93 (bsc#1182451, bsc#1175821 bsc#1184962). * Use the upstream runc package (bsc#1181641, bsc#1181677, bsc#1175821). * Fixed /dev/null is not available (bsc#1168481). * CVE-2021-30465: Fixed a symlink-exchange attack vulnarability (bsc#1185405). containerd was updated to v1.4.4 * CVE-2021-21334: Fixed a potential information leak through environment variables (bsc#1183397). * Handle a requirement from docker (bsc#1181594). ----------------------------------------- Patch: SUSE-2021-2002 Released: Thu Jun 17 17:27:47 2021 Summary: Recommended update for open-vm-tools Severity: moderate References: 1186642 Description: This update for open-vm-tools fixes the following issue: - open-vm-tools had a lower release number in 15 sp2 and sp3 than in 15 sp1, which could lead to migration issues. (bsc#1186642) ----------------------------------------- Patch: SUSE-2021-2146 Released: Wed Jun 23 17:55:14 2021 Summary: Recommended update for openssh Severity: moderate References: 1115550,1174162 Description: This update for openssh fixes the following issues: - Fixed a race condition leading to a sshd termination of multichannel sessions with non-root users (bsc#1115550, bsc#1174162). ----------------------------------------- Patch: SUSE-2021-2173 Released: Mon Jun 28 14:59:45 2021 Summary: Recommended update for automake Severity: moderate References: 1040589,1047218,1182604,1185540,1186049 Description: This update for automake fixes the following issues: - Implement generated autoconf makefiles reproducible (bsc#1182604) - Add fix to avoid date variations in docs. (bsc#1047218, jsc#SLE-17848) - Avoid bashisms in test-driver script. (bsc#1185540) This update for pcre fixes the following issues: - Do not run profiling 'check' in parallel to make package build reproducible. (bsc#1040589) This update for brp-check-suse fixes the following issues: - Add fixes to support reproducible builds. (bsc#1186049) ----------------------------------------- Patch: SUSE-2021-2179 Released: Mon Jun 28 17:36:37 2021 Summary: Recommended update for thin-provisioning-tools Severity: moderate References: 1184124 Description: This update for thin-provisioning-tools fixes the following issues: - Link as position-independent executable (bsc#1184124) ----------------------------------------- Patch: SUSE-2021-2193 Released: Mon Jun 28 18:38:43 2021 Summary: Recommended update for tar Severity: moderate References: 1184124 Description: This update for tar fixes the following issues: - Link '/var/lib/tests/tar/bin/genfile' as Position-Independent Executable (bsc#1184124) ----------------------------------------- Patch: SUSE-2021-2196 Released: Tue Jun 29 09:41:39 2021 Summary: Security update for lua53 Severity: moderate References: 1175448,1175449,CVE-2020-24370,CVE-2020-24371 Description: This update for lua53 fixes the following issues: Update to version 5.3.6: - CVE-2020-24371: lgc.c mishandles the interaction between barriers and the sweep phase, leading to a memory access violation involving collectgarbage (bsc#1175449) - CVE-2020-24370: ldebug.c allows a negation overflow and segmentation fault in getlocal and setlocal (bsc#1175448) - Long brackets with a huge number of '=' overflow some internal buffer arithmetic. ----------------------------------------- Patch: SUSE-2021-2224 Released: Thu Jul 1 13:48:44 2021 Summary: Recommended update for psmisc Severity: important References: 1185208 Description: This update for psmisc fixes the following issues: - It does no longer list all processes from different private namespaces when fuser is run on an NFS mount. This led to an issue where the wrong processes were terminated in an SAP application cluster environment (bsc#1185208) ----------------------------------------- Patch: SUSE-2021-2248 Released: Mon Jul 5 15:40:28 2021 Summary: Recommended update for sysstat Severity: low References: 1186827 Description: This update for sysstat fixes the following issues: - Dropped systemd runtime requirement (bsc#1186827) ----------------------------------------- Patch: SUSE-2021-2286 Released: Fri Jul 9 17:38:53 2021 Summary: Recommended update for dosfstools Severity: moderate References: 1172863 Description: This update for dosfstools fixes the following issue: - Fixed a bug that was causing an installation issue when trying to create an EFI partition on an NVMe-over-Fabrics device (bsc#1172863) ----------------------------------------- Patch: SUSE-2021-2320 Released: Wed Jul 14 17:01:06 2021 Summary: Security update for sqlite3 Severity: important References: 1157818,1158812,1158958,1158959,1158960,1159491,1159715,1159847,1159850,1160309,1160438,1160439,1164719,1172091,1172115,1172234,1172236,1172240,1173641,928700,928701,CVE-2015-3414,CVE-2015-3415,CVE-2019-19244,CVE-2019-19317,CVE-2019-19603,CVE-2019-19645,CVE-2019-19646,CVE-2019-19880,CVE-2019-19923,CVE-2019-19924,CVE-2019-19925,CVE-2019-19926,CVE-2019-19959,CVE-2019-20218,CVE-2020-13434,CVE-2020-13435,CVE-2020-13630,CVE-2020-13631,CVE-2020-13632,CVE-2020-15358,CVE-2020-9327 Description: This update for sqlite3 fixes the following issues: - Update to version 3.36.0 - CVE-2020-15358: heap-based buffer overflow in multiSelectOrderBy due to mishandling of query-flattener optimization (bsc#1173641) - CVE-2020-9327: NULL pointer dereference and segmentation fault because of generated column optimizations in isAuxiliaryVtabOperator (bsc#1164719) - CVE-2019-20218: selectExpander in select.c proceeds with WITH stack unwinding even after a parsing error (bsc#1160439) - CVE-2019-19959: memory-management error via ext/misc/zipfile.c involving embedded '\0' input (bsc#1160438) - CVE-2019-19923: improper handling of certain uses of SELECT DISTINCT in flattenSubquery may lead to null pointer dereference (bsc#1160309) - CVE-2019-19924: improper error handling in sqlite3WindowRewrite() (bsc#1159850) - CVE-2019-19925: improper handling of NULL pathname during an update of a ZIP archive (bsc#1159847) - CVE-2019-19926: improper handling of certain errors during parsing multiSelect in select.c (bsc#1159715) - CVE-2019-19880: exprListAppendList in window.c allows attackers to trigger an invalid pointer dereference (bsc#1159491) - CVE-2019-19603: during handling of CREATE TABLE and CREATE VIEW statements, does not consider confusion with a shadow table name (bsc#1158960) - CVE-2019-19646: pragma.c mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns (bsc#1158959) - CVE-2019-19645: alter.c allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements (bsc#1158958) - CVE-2019-19317: lookupName in resolve.c omits bits from the colUsed bitmask in the case of a generated column, which allows attackers to cause a denial of service (bsc#1158812) - CVE-2019-19244: sqlite3,sqlite2,sqlite: The function sqlite3Select in select.c allows a crash if a sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage (bsc#1157818) - CVE-2015-3415: sqlite3VdbeExec comparison operator vulnerability (bsc#928701) - CVE-2015-3414: sqlite3,sqlite2: dequoting of collation-sequence names (bsc#928700) - CVE-2020-13434: integer overflow in sqlite3_str_vappendf (bsc#1172115) - CVE-2020-13630: (bsc#1172234: use-after-free in fts3EvalNextRow - CVE-2020-13631: virtual table allowed to be renamed to one of its shadow tables (bsc#1172236) - CVE-2020-13632: NULL pointer dereference via crafted matchinfo() query (bsc#1172240) - CVE-2020-13435: Malicious SQL statements could have crashed the process that is running SQLite (bsc#1172091) ----------------------------------------- Patch: SUSE-2021-2456 Released: Thu Jul 22 15:28:39 2021 Summary: Recommended update for pam-config Severity: moderate References: 1187091 Description: This update for pam-config fixes the following issues: - Add 'revoke' to the option list for 'pam_keyinit'. - Fixed an issue when pam-config fails to create a new service config file. (bsc#1187091) ----------------------------------------- Patch: SUSE-2021-2568 Released: Thu Jul 29 14:18:37 2021 Summary: Recommended update for open-vm-tools Severity: moderate References: 1029961,1185103,1185175,1187567 Description: This update for open-vm-tools fixes the following issues: Update to 11.3.0 (bsc#1187567) - Reduce or eliminate Linux dependency on the 'net-tools' package. - The 'ifconfig' and 'netstat' commands are deprecated in more recent releases of Linux. Update the Linux 'vm-support' script to use the 'ip' and 'ss' commands when available. If the new commands are missing a fallback will be used. In Particular, 'ip' has a fallback on 'ifconfig', 'ip route' will fallback on 'route' and 'ss' will fallback on 'netstat'. - Configuring OVT with the '--without-pam' option will implicitly disable 'vgauth'. - When no 'vgauth' option is given alongside '--without-pam', a warning is displayed with a message 'Building without PAM; vgauth will be disabled.'. - When '--disable-vgauth' is supplied alongside '--without-pam', no warning or error message is displayed. - When '--enable-vgauth' is supplied alongside '--without-pam', an error will be shown and the configure stage will be aborted with an error message 'Cannot enable vgauth without PAM. Please configure without --without-pam or without --enable-vgauth.' - Fix issues using GCC 11 with gtk >= 3.20 and glib >=2.66.3 - Fix more GCC 11 failures. (bsc#1185103) - Update the 'FreeBSD' specific sections of 'open-vm-tools' to adjust what necessary for 'ARM64'. - New command line tool 'vmwgfxctrl' introduced in 'open-vm-tools'. - A user can now control various aspects of the 'vmwgfx' Linux kernel module. Currently it can both display and set the current topology of the 'vmwgfx' kernel driver. It is useful when trying to configure custom resolutions on recent Linux distributions, including multi-monitor setups. - New command line tool 'vmware-alias-import' added to 'open-vm-tools' that can be used to import 'vgauth' config data and apply it to the running 'vgauth' service. - Enhancements to support or utilize various vSphere features. - In 'vmtoolsd.service' move the deprecated path '/var/run' to '/run' for it's 'PID' file. (bsc#1185175) - Finalize the 'UsrMerge'. (bsc#1029961) ----------------------------------------- Patch: SUSE-2021-2573 Released: Thu Jul 29 14:21:52 2021 Summary: Recommended update for timezone Severity: moderate References: 1188127 Description: This update for timezone fixes the following issue: - From systemd v249: when enumerating time zones the timedatectl tool will now consult the 'tzdata.zi' file shipped by the IANA time zone database package, in addition to 'zone1970.tab', as before. This makes sure time zone aliases are now correctly supported. This update adds the 'tzdata.zi' file (bsc#1188127). ----------------------------------------- Patch: SUSE-2021-2606 Released: Wed Aug 4 13:16:09 2021 Summary: Recommended update for libcbor Severity: moderate References: 1102408 Description: This update for libcbor fixes the following issues: - Implement a fix to avoid building shared library twice. (bsc#1102408) ----------------------------------------- Patch: SUSE-2021-2627 Released: Thu Aug 5 12:10:46 2021 Summary: Recommended maintenance update for systemd-default-settings Severity: moderate References: 1188348 Description: This update for systemd-default-settings fixes the following issue: - Solve a downgrade issue between SUSE Linux Enterprise SP3 and lower (bsc#1188348) ----------------------------------------- Patch: SUSE-2021-2802 Released: Fri Aug 20 10:47:08 2021 Summary: Security update for libmspack Severity: moderate References: 1103032,CVE-2018-14679,CVE-2018-14681,CVE-2018-14682 Description: This update for libmspack fixes the following issues: - CVE-2018-14681: Bad KWAJ file header extensions could cause a one or two byte overwrite. (bsc#1103032) - CVE-2018-14682: There is an off-by-one error in the TOLOWER() macro for CHM decompression. (bsc#1103032) - CVE-2018-14679: There is an off-by-one error in the CHM PMGI/PMGL chunk number validity checks, which could lead to denial of service. (bsc#1103032) ----------------------------------------- Patch: SUSE-2021-2895 Released: Tue Aug 31 19:40:32 2021 Summary: Recommended update for unixODBC Severity: moderate References: Description: This update for unixODBC fixes the following issues: - ECO: Update unixODBC to 2.3.9 in SLE 15. (jsc#SLE-18004) - Fix incorrect permission for documentation files. - Update requires and baselibs for new libodbc2. - Employ shared library packaging guideline: new subpacakge libodbc2. - Update to 2.3.9: * Remove '#define UNIXODBC_SOURCE' from unixodbc_conf.h - Update to 2.3.8: * Add configure support for editline * SQLDriversW was ignoring user config * SQLDataSources Fix termination character * Fix for pooling seg fault * Make calling SQLSetStmtAttrW call the W function in the driver is its there * Try and fix race condition clearing system odbc.ini file * Remove trailing space from isql/iusql SQL * When setting connection attributes set before connect also check if the W entry poins can be used * Try calling the W error functions first if available in the driver * Add iconvperdriver configure option to allow calling unicode_setup in SQLAllocHandle * iconv handles was being lost when reusing pooled connection * Catch null copy in iniPropertyInsert * Fix a few leaks - Update to 2.3.7: * Fix for pkg-config file update on no linux platforms * Add W entry for GUI work * Various fixes for SQLBrowseConnect/W, SQLGetConnectAttr/W,and SQLSetConnectAttr/W * Fix buffer overflows in SQLConnect/W and refine behaviour of SQLGet/WritePrivateProfileString * SQLBrowseConnect/W allow disconnecting a started browse session after error * Add --with-stats-ftok-name configure option to allow the selection of a file name used to generate the IPC id when collecting stats. Default is the system odbc.ini file * Improve diag record handling with the behavior of Windows DM and export SQLCancelHandle * bug fix when SQLGetPrivateProfileString() is called to get a list of sections or a list of keys * Connection pooling: Fix liveness check for Unicode drivers ----------------------------------------- Patch: SUSE-2021-2899 Released: Wed Sep 1 08:30:58 2021 Summary: Recommended update for systemd-rpm-macros Severity: moderate References: 1186282,1187332 Description: This update for systemd-rpm-macros fixes the following issues: - Fixed an issue whe zypper ignores the ordering constraints. (bsc#1187332) - Introduce '%sysusers_create_package': '%sysusers_create' and '%sysusers_create_inline' are now deprecated and the new macro should be used instead. - %sysusers_create_inline: use here-docs instead of echo (bsc#1186282) ----------------------------------------- Patch: SUSE-2021-2962 Released: Mon Sep 6 18:23:01 2021 Summary: Recommended update for runc Severity: critical References: 1189743 Description: This update for runc fixes the following issues: - Fixed an issue when toolbox container fails to start. (bsc#1189743) ----------------------------------------- Patch: SUSE-2021-3001 Released: Thu Sep 9 15:08:13 2021 Summary: Recommended update for netcfg Severity: moderate References: 1189683 Description: This update for netcfg fixes the following issues: - add submissions port/protocol to services file for message submission over TLS protocol [bsc#1189683] ----------------------------------------- Patch: SUSE-2021-3052 Released: Thu Sep 16 10:05:24 2021 Summary: Recommended update for lshw Severity: moderate References: Description: This update for lshw fixes the following issues: - Update to version B.02.19.2+git.20210619 (jsc#SLE-19399) ----------------------------------------- Patch: SUSE-2021-3115 Released: Thu Sep 16 14:04:26 2021 Summary: Recommended update for mozilla-nspr, mozilla-nss Severity: moderate References: 1029961,1174697,1176206,1176934,1179382,1188891,CVE-2020-12400,CVE-2020-12401,CVE-2020-12403,CVE-2020-25648,CVE-2020-6829 Description: This update for mozilla-nspr fixes the following issues: mozilla-nspr was updated to version 4.32: * implement new socket option PR_SockOpt_DontFrag * support larger DNS records by increasing the default buffer size for DNS queries * Lock access to PRCallOnceType members in PR_CallOnce* for thread safety bmo#1686138 * PR_GetSystemInfo supports a new flag PR_SI_RELEASE_BUILD to get information about the operating system build version. Mozilla NSS was updated to version 3.68: * bmo#1713562 - Fix test leak. * bmo#1717452 - NSS 3.68 should depend on NSPR 4.32. * bmo#1693206 - Implement PKCS8 export of ECDSA keys. * bmo#1712883 - DTLS 1.3 draft-43. * bmo#1655493 - Support SHA2 HW acceleration using Intel SHA Extension. * bmo#1713562 - Validate ECH public names. * bmo#1717610 - Add function to get seconds from epoch from pkix::Time. update to NSS 3.67 * bmo#1683710 - Add a means to disable ALPN. * bmo#1715720 - Fix nssckbi version number in NSS 3.67 (was supposed to be incremented in 3.66). * bmo#1714719 - Set NSS_USE_64 on riscv64 target when using GYP/Ninja. * bmo#1566124 - Fix counter increase in ppc-gcm-wrap.c. * bmo#1566124 - Fix AES_GCM mode on ppc64le for messages of length more than 255-byte. update to NSS 3.66 * bmo#1710716 - Remove Expired Sonera Class2 CA from NSS. * bmo#1710716 - Remove Expired Root Certificates from NSS - QuoVadis Root Certification Authority. * bmo#1708307 - Remove Trustis FPS Root CA from NSS. * bmo#1707097 - Add Certum Trusted Root CA to NSS. * bmo#1707097 - Add Certum EC-384 CA to NSS. * bmo#1703942 - Add ANF Secure Server Root CA to NSS. * bmo#1697071 - Add GLOBALTRUST 2020 root cert to NSS. * bmo#1712184 - NSS tools manpages need to be updated to reflect that sqlite is the default database. * bmo#1712230 - Don't build ppc-gcm.s with clang integrated assembler. * bmo#1712211 - Strict prototype error when trying to compile nss code that includes blapi.h. * bmo#1710773 - NSS needs FIPS 180-3 FIPS indicators. * bmo#1709291 - Add VerifyCodeSigningCertificateChain. update to NSS 3.65 * bmo#1709654 - Update for NetBSD configuration. * bmo#1709750 - Disable HPKE test when fuzzing. * bmo#1566124 - Optimize AES-GCM for ppc64le. * bmo#1699021 - Add AES-256-GCM to HPKE. * bmo#1698419 - ECH -10 updates. * bmo#1692930 - Update HPKE to final version. * bmo#1707130 - NSS should use modern algorithms in PKCS#12 files by default. * bmo#1703936 - New coverity/cpp scanner errors. * bmo#1697303 - NSS needs to update it's csp clearing to FIPS 180-3 standards. * bmo#1702663 - Need to support RSA PSS with Hashing PKCS #11 Mechanisms. * bmo#1705119 - Deadlock when using GCM and non-thread safe tokens. update to NSS 3.64 * bmo#1705286 - Properly detect mips64. * bmo#1687164 - Introduce NSS_DISABLE_CRYPTO_VSX and disable_crypto_vsx. * bmo#1698320 - replace __builtin_cpu_supports('vsx') with ppc_crypto_support() for clang. * bmo#1613235 - Add POWER ChaCha20 stream cipher vector acceleration. Fixed in 3.63 * bmo#1697380 - Make a clang-format run on top of helpful contributions. * bmo#1683520 - ECCKiila P384, change syntax of nested structs initialization to prevent build isses with GCC 4.8. * bmo#1683520 - [lib/freebl/ecl] P-384: allow zero scalars in dual scalar multiplication. * bmo#1683520 - ECCKiila P521, change syntax of nested structs initialization to prevent build isses with GCC 4.8. * bmo#1683520 - [lib/freebl/ecl] P-521: allow zero scalars in dual scalar multiplication. * bmo#1696800 - HACL* update March 2021 - c95ab70fcb2bc21025d8845281bc4bc8987ca683. * bmo#1694214 - tstclnt can't enable middlebox compat mode. * bmo#1694392 - NSS does not work with PKCS #11 modules not supporting profiles. * bmo#1685880 - Minor fix to prevent unused variable on early return. * bmo#1685880 - Fix for the gcc compiler version 7 to support setenv with nss build. * bmo#1693217 - Increase nssckbi.h version number for March 2021 batch of root CA changes, CA list version 2.48. * bmo#1692094 - Set email distrust after to 21-03-01 for Camerfirma's 'Chambers of Commerce' and 'Global Chambersign' roots. * bmo#1618407 - Symantec root certs - Set CKA_NSS_EMAIL_DISTRUST_AFTER. * bmo#1693173 - Add GlobalSign R45, E45, R46, and E46 root certs to NSS. * bmo#1683738 - Add AC RAIZ FNMT-RCM SERVIDORES SEGUROS root cert to NSS. * bmo#1686854 - Remove GeoTrust PCA-G2 and VeriSign Universal root certs from NSS. * bmo#1687822 - Turn off Websites trust bit for the “Staat der Nederlanden Root CA - G3” root cert in NSS. * bmo#1692094 - Turn off Websites Trust Bit for 'Chambers of Commerce Root - 2008' and 'Global Chambersign Root - 2008’. * bmo#1694291 - Tracing fixes for ECH. update to NSS 3.62 * bmo#1688374 - Fix parallel build NSS-3.61 with make * bmo#1682044 - pkix_Build_GatherCerts() + pkix_CacheCert_Add() can corrupt 'cachedCertTable' * bmo#1690583 - Fix CH padding extension size calculation * bmo#1690421 - Adjust 3.62 ABI report formatting for new libabigail * bmo#1690421 - Install packaged libabigail in docker-builds image * bmo#1689228 - Minor ECH -09 fixes for interop testing, fuzzing * bmo#1674819 - Fixup a51fae403328, enum type may be signed * bmo#1681585 - Add ECH support to selfserv * bmo#1681585 - Update ECH to Draft-09 * bmo#1678398 - Add Export/Import functions for HPKE context * bmo#1678398 - Update HPKE to draft-07 update to NSS 3.61 * bmo#1682071 - Fix issue with IKE Quick mode deriving incorrect key values under certain conditions. * bmo#1684300 - Fix default PBE iteration count when NSS is compiled with NSS_DISABLE_DBM. * bmo#1651411 - Improve constant-timeness in RSA operations. * bmo#1677207 - Upgrade Google Test version to latest release. * bmo#1654332 - Add aarch64-make target to nss-try. Update to NSS 3.60.1: Notable changes in NSS 3.60: * TLS 1.3 Encrypted Client Hello (draft-ietf-tls-esni-08) support has been added, replacing the previous ESNI (draft-ietf-tls-esni-01) implementation. See bmo#1654332 for more information. * December 2020 batch of Root CA changes, builtins library updated to version 2.46. See bmo#1678189, bmo#1678166, and bmo#1670769 for more information. Update to NSS 3.59.1: * bmo#1679290 - Fix potential deadlock with certain third-party PKCS11 modules Update to NSS 3.59: Notable changes: * Exported two existing functions from libnss: CERT_AddCertToListHeadWithData and CERT_AddCertToListTailWithData Bugfixes * bmo#1607449 - Lock cert->nssCertificate to prevent a potential data race * bmo#1672823 - Add Wycheproof test cases for HMAC, HKDF, and DSA * bmo#1663661 - Guard against NULL token in nssSlot_IsTokenPresent * bmo#1670835 - Support enabling and disabling signatures via Crypto Policy * bmo#1672291 - Resolve libpkix OCSP failures on SHA1 self-signed root certs when SHA1 signatures are disabled. * bmo#1644209 - Fix broken SelectedCipherSuiteReplacer filter to solve some test intermittents * bmo#1672703 - Tolerate the first CCS in TLS 1.3 to fix a regression in our CVE-2020-25648 fix that broke purple-discord (boo#1179382) * bmo#1666891 - Support key wrap/unwrap with RSA-OAEP * bmo#1667989 - Fix gyp linking on Solaris * bmo#1668123 - Export CERT_AddCertToListHeadWithData and CERT_AddCertToListTailWithData from libnss * bmo#1634584 - Set CKA_NSS_SERVER_DISTRUST_AFTER for Trustis FPS Root CA * bmo#1663091 - Remove unnecessary assertions in the streaming ASN.1 decoder that affected decoding certain PKCS8 private keys when using NSS debug builds * bmo#670839 - Use ARM crypto extension for AES, SHA1 and SHA2 on MacOS. update to NSS 3.58 Bugs fixed: * bmo#1641480 (CVE-2020-25648) Tighten CCS handling for middlebox compatibility mode. * bmo#1631890 - Add support for Hybrid Public Key Encryption (draft-irtf-cfrg-hpke) support for TLS Encrypted Client Hello (draft-ietf-tls-esni). * bmo#1657255 - Add CI tests that disable SHA1/SHA2 ARM crypto extensions. * bmo#1668328 - Handle spaces in the Python path name when using gyp on Windows. * bmo#1667153 - Add PK11_ImportDataKey for data object import. * bmo#1665715 - Pass the embedded SCT list extension (if present) to TrustDomain::CheckRevocation instead of the notBefore value. update to NSS 3.57 * The following CA certificates were Added: bmo#1663049 - CN=Trustwave Global Certification Authority SHA-256 Fingerprint: 97552015F5DDFC3C8788C006944555408894450084F100867086BC1A2BB58DC8 bmo#1663049 - CN=Trustwave Global ECC P256 Certification Authority SHA-256 Fingerprint: 945BBC825EA554F489D1FD51A73DDF2EA624AC7019A05205225C22A78CCFA8B4 bmo#1663049 - CN=Trustwave Global ECC P384 Certification Authority SHA-256 Fingerprint: 55903859C8C0C3EBB8759ECE4E2557225FF5758BBD38EBD48276601E1BD58097 * The following CA certificates were Removed: bmo#1651211 - CN=EE Certification Centre Root CA SHA-256 Fingerprint: 3E84BA4342908516E77573C0992F0979CA084E4685681FF195CCBA8A229B8A76 bmo#1656077 - O=Government Root Certification Authority; C=TW SHA-256 Fingerprint: 7600295EEFE85B9E1FD624DB76062AAAAE59818A54D2774CD4C0B2C01131E1B3 * Trust settings for the following CA certificates were Modified: bmo#1653092 - CN=OISTE WISeKey Global Root GA CA Websites (server authentication) trust bit removed. * https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.57_release_notes update to NSS 3.56 Notable changes * bmo#1650702 - Support SHA-1 HW acceleration on ARMv8 * bmo#1656981 - Use MPI comba and mulq optimizations on x86-64 MacOS. * bmo#1654142 - Add CPU feature detection for Intel SHA extension. * bmo#1648822 - Add stricter validation of DH keys in FIPS mode. * bmo#1656986 - Properly detect arm64 during GYP build architecture detection. * bmo#1652729 - Add build flag to disable RC2 and relocate to lib/freebl/deprecated. * bmo#1656429 - Correct RTT estimate used in 0-RTT anti-replay. * bmo#1588941 - Send empty certificate message when scheme selection fails. * bmo#1652032 - Fix failure to build in Windows arm64 makefile cross-compilation. * bmo#1625791 - Fix deadlock issue in nssSlot_IsTokenPresent. * bmo#1653975 - Fix 3.53 regression by setting 'all' as the default makefile target. * bmo#1659792 - Fix broken libpkix tests with unexpired PayPal cert. * bmo#1659814 - Fix interop.sh failures with newer tls-interop commit and dependencies. * bmo#1656519 - NSPR dependency updated to 4.28 update to NSS 3.55 Notable changes * P384 and P521 elliptic curve implementations are replaced with verifiable implementations from Fiat-Crypto [0] and ECCKiila [1]. * PK11_FindCertInSlot is added. With this function, a given slot can be queried with a DER-Encoded certificate, providing performance and usability improvements over other mechanisms. (bmo#1649633) * DTLS 1.3 implementation is updated to draft-38. (bmo#1647752) Relevant Bugfixes * bmo#1631583 (CVE-2020-6829, CVE-2020-12400) - Replace P384 and P521 with new, verifiable implementations from Fiat-Crypto and ECCKiila. * bmo#1649487 - Move overzealous assertion in VFY_EndWithSignature. * bmo#1631573 (CVE-2020-12401) - Remove unnecessary scalar padding. * bmo#1636771 (CVE-2020-12403) - Explicitly disable multi-part ChaCha20 (which was not functioning correctly) and more strictly enforce tag length. * bmo#1649648 - Don't memcpy zero bytes (sanitizer fix). * bmo#1649316 - Don't memcpy zero bytes (sanitizer fix). * bmo#1649322 - Don't memcpy zero bytes (sanitizer fix). * bmo#1653202 - Fix initialization bug in blapitest when compiled with NSS_DISABLE_DEPRECATED_SEED. * bmo#1646594 - Fix AVX2 detection in makefile builds. * bmo#1649633 - Add PK11_FindCertInSlot to search a given slot for a DER-encoded certificate. * bmo#1651520 - Fix slotLock race in NSC_GetTokenInfo. * bmo#1647752 - Update DTLS 1.3 implementation to draft-38. * bmo#1649190 - Run cipher, sdr, and ocsp tests under standard test cycle in CI. * bmo#1649226 - Add Wycheproof ECDSA tests. * bmo#1637222 - Consistently enforce IV requirements for DES and 3DES. * bmo#1067214 - Enforce minimum PKCS#1 v1.5 padding length in RSA_CheckSignRecover. * bmo#1646324 - Advertise PKCS#1 schemes for certificates in the signature_algorithms extension. update to NSS 3.54 Notable changes * Support for TLS 1.3 external pre-shared keys (bmo#1603042). * Use ARM Cryptography Extension for SHA256, when available (bmo#1528113) * The following CA certificates were Added: bmo#1645186 - certSIGN Root CA G2. bmo#1645174 - e-Szigno Root CA 2017. bmo#1641716 - Microsoft ECC Root Certificate Authority 2017. bmo#1641716 - Microsoft RSA Root Certificate Authority 2017. * The following CA certificates were Removed: bmo#1645199 - AddTrust Class 1 CA Root. bmo#1645199 - AddTrust External CA Root. bmo#1641718 - LuxTrust Global Root 2. bmo#1639987 - Staat der Nederlanden Root CA - G2. bmo#1618402 - Symantec Class 2 Public Primary Certification Authority - G4. bmo#1618402 - Symantec Class 1 Public Primary Certification Authority - G4. bmo#1618402 - VeriSign Class 3 Public Primary Certification Authority - G3. * A number of certificates had their Email trust bit disabled. See bmo#1618402 for a complete list. Bugs fixed * bmo#1528113 - Use ARM Cryptography Extension for SHA256. * bmo#1603042 - Add TLS 1.3 external PSK support. * bmo#1642802 - Add uint128 support for HACL* curve25519 on Windows. * bmo#1645186 - Add 'certSIGN Root CA G2' root certificate. * bmo#1645174 - Add Microsec's 'e-Szigno Root CA 2017' root certificate. * bmo#1641716 - Add Microsoft's non-EV root certificates. * bmo1621151 - Disable email trust bit for 'O=Government Root Certification Authority; C=TW' root. * bmo#1645199 - Remove AddTrust root certificates. * bmo#1641718 - Remove 'LuxTrust Global Root 2' root certificate. * bmo#1639987 - Remove 'Staat der Nederlanden Root CA - G2' root certificate. * bmo#1618402 - Remove Symantec root certificates and disable email trust bit. * bmo#1640516 - NSS 3.54 should depend on NSPR 4.26. * bmo#1642146 - Fix undefined reference to `PORT_ZAlloc_stub' in seed.c. * bmo#1642153 - Fix infinite recursion building NSS. * bmo#1642638 - Fix fuzzing assertion crash. * bmo#1642871 - Enable SSL_SendSessionTicket after resumption. * bmo#1643123 - Support SSL_ExportEarlyKeyingMaterial with External PSKs. * bmo#1643557 - Fix numerous compile warnings in NSS. * bmo#1644774 - SSL gtests to use ClearServerCache when resetting self-encrypt keys. * bmo#1645479 - Don't use SECITEM_MakeItem in secutil.c. * bmo#1646520 - Stricter enforcement of ASN.1 INTEGER encoding. ----------------------------------------- Patch: SUSE-2021-3182 Released: Tue Sep 21 17:04:26 2021 Summary: Recommended update for file Severity: moderate References: 1189996 Description: This update for file fixes the following issues: - Fixes exception thrown by memory allocation problem (bsc#1189996) ----------------------------------------- Patch: SUSE-2021-3203 Released: Thu Sep 23 14:41:35 2021 Summary: Recommended update for kmod Severity: moderate References: 1189537,1190190 Description: This update for kmod fixes the following issues: - Use docbook 4 rather than docbook 5 for building man pages (bsc#1190190). - Enable support for ZSTD compressed modules - Display module information even for modules built into the running kernel (bsc#1189537) - '/usr/lib' should override '/lib' where both are available. Support '/usr/lib' for depmod.d as well. - Remove test patches included in release 29 - Update to release 29 * Fix `modinfo -F` not working for built-in modules and certain fields. * Fix a memory leak, overflow and double free on error path. ----------------------------------------- Patch: SUSE-2021-3291 Released: Wed Oct 6 16:45:36 2021 Summary: Security update for glibc Severity: moderate References: 1186489,1187911,CVE-2021-33574,CVE-2021-35942 Description: This update for glibc fixes the following issues: - CVE-2021-33574: Fixed use __pthread_attr_copy in mq_notify (bsc#1186489). - CVE-2021-35942: Fixed wordexp handle overflow in positional parameter number (bsc#1187911). ----------------------------------------- Patch: SUSE-2021-3490 Released: Wed Oct 20 16:31:55 2021 Summary: Security update for ncurses Severity: moderate References: 1190793,CVE-2021-39537 Description: This update for ncurses fixes the following issues: - CVE-2021-39537: Fixed an heap-based buffer overflow in _nc_captoinfo. (bsc#1190793) ----------------------------------------- Patch: SUSE-2021-3494 Released: Wed Oct 20 16:48:46 2021 Summary: Recommended update for pam Severity: moderate References: 1190052 Description: This update for pam fixes the following issues: - Added pam_faillock to the set of available PAM modules. (jsc#SLE-20638) - Added new file macros.pam on request of systemd. (bsc#1190052) ----------------------------------------- Patch: SUSE-2021-3500 Released: Fri Oct 22 09:42:21 2021 Summary: Recommended update for open-vm-tools Severity: moderate References: 1190987 Description: This update for open-vm-tools fixes the following issues: - New/Updated features: * Added a configurable logging capability to the network script * The hgfsmounter (mount.vmhgfs) command has been removed from open-vm-tools. It has been replaced by hgfs-fuse. - Resolved issues: * Customization: Retry the Linux reboot if telinit is a soft link to systemctl * open-vm-tools commands would hang if configured with '--enable-valgrind' ----------------------------------------- Patch: SUSE-2021-3506 Released: Mon Oct 25 10:20:22 2021 Summary: Security update for containerd, docker, runc Severity: important References: 1102408,1185405,1187704,1188282,1190826,1191015,1191121,1191334,1191355,1191434,CVE-2021-30465,CVE-2021-32760,CVE-2021-41089,CVE-2021-41091,CVE-2021-41092,CVE-2021-41103 Description: This update for containerd, docker, runc fixes the following issues: Docker was updated to 20.10.9-ce. (bsc#1191355) See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. CVE-2021-41092 CVE-2021-41089 CVE-2021-41091 CVE-2021-41103 container was updated to v1.4.11, to fix CVE-2021-41103. bsc#1191355 - CVE-2021-32760: Fixed that a archive package allows chmod of file outside of unpack target directory (bsc#1188282) - Install systemd service file as well (bsc#1190826) Update to runc v1.0.2. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.2 * Fixed a failure to set CPU quota period in some cases on cgroup v1. * Fixed the inability to start a container with the 'adding seccomp filter rule for syscall ...' error, caused by redundant seccomp rules (i.e. those that has action equal to the default one). Such redundant rules are now skipped. * Made release builds reproducible from now on. * Fixed a rare debug log race in runc init, which can result in occasional harmful 'failed to decode ...' errors from runc run or exec. * Fixed the check in cgroup v1 systemd manager if a container needs to be frozen before Set, and add a setting to skip such freeze unconditionally. The previous fix for that issue, done in runc 1.0.1, was not working. Update to runc v1.0.1. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.1 * Fixed occasional runc exec/run failure ('interrupted system call') on an Azure volume. * Fixed 'unable to find groups ... token too long' error with /etc/group containing lines longer than 64K characters. * cgroup/systemd/v1: fix leaving cgroup frozen after Set if a parent cgroup is frozen. This is a regression in 1.0.0, not affecting runc itself but some of libcontainer users (e.g Kubernetes). * cgroupv2: bpf: Ignore inaccessible existing programs in case of permission error when handling replacement of existing bpf cgroup programs. This fixes a regression in 1.0.0, where some SELinux policies would block runc from being able to run entirely. * cgroup/systemd/v2: don't freeze cgroup on Set. * cgroup/systemd/v1: avoid unnecessary freeze on Set. - fix issues with runc under openSUSE MicroOS's SELinux policy. bsc#1187704 Update to runc v1.0.0. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.0 ! The usage of relative paths for mountpoints will now produce a warning (such configurations are outside of the spec, and in future runc will produce an error when given such configurations). * cgroupv2: devices: rework the filter generation to produce consistent results with cgroupv1, and always clobber any existing eBPF program(s) to fix runc update and avoid leaking eBPF programs (resulting in errors when managing containers). * cgroupv2: correctly convert 'number of IOs' statistics in a cgroupv1-compatible way. * cgroupv2: support larger than 32-bit IO statistics on 32-bit architectures. * cgroupv2: wait for freeze to finish before returning from the freezing code, optimize the method for checking whether a cgroup is frozen. * cgroups/systemd: fixed 'retry on dbus disconnect' logic introduced in rc94 * cgroups/systemd: fixed returning 'unit already exists' error from a systemd cgroup manager (regression in rc94) + cgroupv2: support SkipDevices with systemd driver + cgroup/systemd: return, not ignore, stop unit error from Destroy + Make 'runc --version' output sane even when built with go get or otherwise outside of our build scripts. + cgroups: set SkipDevices during runc update (so we don't modify cgroups at all during runc update). + cgroup1: blkio: support BFQ weights. + cgroupv2: set per-device io weights if BFQ IO scheduler is available. Update to runc v1.0.0~rc95. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc95 This release of runc contains a fix for CVE-2021-30465, and users are strongly recommended to update (especially if you are providing semi-limited access to spawn containers to untrusted users). (bsc#1185405) Update to runc v1.0.0~rc94. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc94 Breaking Changes: * cgroupv1: kernel memory limits are now always ignored, as kmemcg has been effectively deprecated by the kernel. Users should make use of regular memory cgroup controls. Regression Fixes: * seccomp: fix 32-bit compilation errors * runc init: fix a hang caused by deadlock in seccomp/ebpf loading code * runc start: fix 'chdir to cwd: permission denied' for some setups ----------------------------------------- Patch: SUSE-2021-3510 Released: Tue Oct 26 11:22:15 2021 Summary: Recommended update for pam Severity: important References: 1191987 Description: This update for pam fixes the following issues: - Fixed a bad directive file which resulted in the 'securetty' file to be installed as 'macros.pam'. (bsc#1191987) ----------------------------------------- Patch: SUSE-2021-3529 Released: Wed Oct 27 09:23:32 2021 Summary: Security update for pcre Severity: moderate References: 1172973,1172974,CVE-2019-20838,CVE-2020-14155 Description: This update for pcre fixes the following issues: Update pcre to version 8.45: - CVE-2020-14155: Fixed integer overflow via a large number after a '(?C' substring (bsc#1172974). - CVE-2019-20838: Fixed buffer over-read in JIT compiler (bsc#1172973) ----------------------------------------- Patch: SUSE-2021-3792 Released: Wed Nov 24 06:12:09 2021 Summary: Recommended update for kmod Severity: moderate References: 1192104 Description: This update for kmod fixes the following issues: - Enable ZSTD compression (bsc#1192104)(jsc#SLE-21256) ----------------------------------------- Patch: SUSE-2021-3799 Released: Wed Nov 24 18:07:54 2021 Summary: Recommended update for gcc11 Severity: moderate References: 1187153,1187273,1188623 Description: This update for gcc11 fixes the following issues: The additional GNU compiler collection GCC 11 is provided: To select these compilers install the packages: - gcc11 - gcc-c++11 - and others with 11 prefix. to select them for building: - CC='gcc-11' - CXX='g++-11' The compiler baselibraries (libgcc_s1, libstdc++6 and others) are being replaced by the GCC 11 variants. ----------------------------------------- Patch: SUSE-2021-3872 Released: Thu Dec 2 07:25:55 2021 Summary: Recommended update for cracklib Severity: moderate References: 1191736 Description: This update for cracklib fixes the following issues: - Enable build time tests (bsc#1191736) ----------------------------------------- Patch: SUSE-2021-3883 Released: Thu Dec 2 11:47:07 2021 Summary: Recommended update for timezone Severity: moderate References: 1177460 Description: This update for timezone fixes the following issues: Update timezone to 2021e (bsc#1177460) - Palestine will fall back 10-29 (not 10-30) at 01:00 - Fiji suspends DST for the 2021/2022 season - 'zic -r' marks unspecified timestamps with '-00' - Fix a bug in 'zic -b fat' that caused old timestamps to be mishandled in 32-bit-only readers - Refresh timezone info for china ----------------------------------------- Patch: SUSE-2021-3891 Released: Fri Dec 3 10:21:49 2021 Summary: Recommended update for keyutils Severity: moderate References: 1029961,1113013,1187654 Description: This update for keyutils fixes the following issues: - Add /etc/keys/ and /usr/etc/keys/ directory (bsc#1187654) keyutils was updated to 1.6.3 (jsc#SLE-20016): * Revert the change notifications that were using /dev/watch_queue. * Apply the change notifications that use pipe2(O_NOTIFICATION_PIPE). * Allow 'keyctl supports' to retrieve raw capability data. * Allow 'keyctl id' to turn a symbolic key ID into a numeric ID. * Allow 'keyctl new_session' to name the keyring. * Allow 'keyctl add/padd/etc.' to take hex-encoded data. * Add 'keyctl watch*' to expose kernel change notifications on keys. * Add caps for namespacing and notifications. * Set a default TTL on keys that upcall for name resolution. * Explicitly clear memory after it's held sensitive information. * Various manual page fixes. * Fix C++-related errors. * Add support for keyctl_move(). * Add support for keyctl_capabilities(). * Make key=val list optional for various public-key ops. * Fix system call signature for KEYCTL_PKEY_QUERY. * Fix 'keyctl pkey_query' argument passing. * Use keyctl_read_alloc() in dump_key_tree_aux(). * Various manual page fixes. Updated to 1.6: * Apply various specfile cleanups from Fedora. * request-key: Provide a command line option to suppress helper execution. * request-key: Find least-wildcard match rather than first match. * Remove the dependency on MIT Kerberos. * Fix some error messages * keyctl_dh_compute.3: Suggest /proc/crypto for list of available hashes. * Fix doc and comment typos. * Add public key ops for encrypt, decrypt, sign and verify (needs linux-4.20). * Add pkg-config support for finding libkeyutils. * upstream isn't offering PGP signatures for the source tarballs anymore Updated to 1.5.11 (bsc#1113013) * Add keyring restriction support. * Add KDF support to the Diffie-Helman function. * DNS: Add support for AFS config files and SRV records ----------------------------------------- Patch: SUSE-2021-3942 Released: Mon Dec 6 14:46:05 2021 Summary: Security update for brotli Severity: moderate References: 1175825,CVE-2020-8927 Description: This update for brotli fixes the following issues: - CVE-2020-8927: Fixed integer overflow when input chunk is larger than 2GiB (bsc#1175825). ----------------------------------------- Patch: SUSE-2021-3946 Released: Mon Dec 6 14:57:42 2021 Summary: Security update for gmp Severity: moderate References: 1192717,CVE-2021-43618 Description: This update for gmp fixes the following issues: - CVE-2021-43618: Fixed buffer overflow via crafted input in mpz/inp_raw.c (bsc#1192717). ----------------------------------------- Patch: SUSE-2021-3950 Released: Mon Dec 6 14:59:37 2021 Summary: Security update for openssh Severity: important References: 1190975,CVE-2021-41617 Description: This update for openssh fixes the following issues: - CVE-2021-41617: Fixed privilege escalation when AuthorizedKeysCommand/AuthorizedPrincipalsCommand are configured (bsc#1190975). ----------------------------------------- Patch: SUSE-2021-3980 Released: Thu Dec 9 16:42:19 2021 Summary: Recommended update for glibc Severity: moderate References: 1191592 Description: glibc was updated to fix the following issue: - Support for new IBM Z Hardware (bsc#1191592, jsc#IBM-869) ----------------------------------------- Patch: SUSE-2021-4009 Released: Mon Dec 13 11:24:43 2021 Summary: Recommended update for systemd-rpm-macros Severity: low References: Description: This update for systemd-rpm-macros fixes the following issues: - Introduce rpm macro %_systemd_util_dir ----------------------------------------- Patch: SUSE-2021-4153 Released: Wed Dec 22 11:00:48 2021 Summary: Security update for openssh Severity: important References: 1183137,CVE-2021-28041 Description: This update for openssh fixes the following issues: - CVE-2021-28041: Fixed double free in ssh-agent (bsc#1183137). ----------------------------------------- Patch: SUSE-2021-4165 Released: Wed Dec 22 22:52:11 2021 Summary: Recommended update for kmod Severity: moderate References: 1193430 Description: This update for kmod fixes the following issues: - Ensure that kmod and packages linking to libkmod provide same features. (bsc#1193430) ----------------------------------------- Patch: SUSE-2021-4171 Released: Thu Dec 23 09:55:13 2021 Summary: Security update for runc Severity: moderate References: 1193436,CVE-2021-43784 Description: This update for runc fixes the following issues: Update to runc v1.0.3. * CVE-2021-43784: Fixed a potential vulnerability related to the internal usage of netlink, which is believed to not be exploitable with any released versions of runc (bsc#1193436) * Fixed inability to start a container with read-write bind mount of a read-only fuse host mount. * Fixed inability to start when read-only /dev in set in spec. * Fixed not removing sub-cgroups upon container delete, when rootless cgroup v2 is used with older systemd. * Fixed returning error from GetStats when hugetlb is unsupported (which causes excessive logging for kubernetes). ----------------------------------------- Patch: SUSE-2022-69 Released: Thu Jan 13 15:12:30 2022 Summary: Security update for libmspack Severity: low References: 1113040,CVE-2018-18586 Description: This update for libmspack fixes the following issues: - CVE-2018-18586: Fixed directory traversal in chmextract by adding anti '../' and leading slash protection (bsc#1113040). ----------------------------------------- Patch: SUSE-2022-84 Released: Mon Jan 17 04:40:30 2022 Summary: Recommended update for dosfstools Severity: moderate References: 1172863,1188401 Description: This update for dosfstools fixes the following issues: - To be able to create filesystems compatible with previous version, add -g command line option to mkfs (bsc#1188401) - BREAKING CHANGES: After fixing of bsc#1172863 in the last update, mkfs started to create different images than before. Applications that depend on exact FAT file format (e. g. embedded systems) may be broken in two ways: * The introduction of the alignment may create smaller images than before, with a different positions of important image elements. It can break existing software that expect images in doststools <= 4.1 style. To work around these problems, use '-a' command line argument. * The new image may contain a different geometry values. Geometry sensitive applications expecting doststools <= 4.1 style images can fails to accept different geometry values. There is no direct work around for this problem. But you can take the old image, use 'file -s $IMAGE', check its 'sectors/track' and 'heads', and use them in the newly introduced '-g' command line argument. ----------------------------------------- Patch: SUSE-2022-184 Released: Tue Jan 25 18:20:56 2022 Summary: Security update for json-c Severity: important References: 1171479,CVE-2020-12762 Description: This update for json-c fixes the following issues: - CVE-2020-12762: Fixed integer overflow and out-of-bounds write. (bsc#1171479) ----------------------------------------- Patch: SUSE-2022-207 Released: Thu Jan 27 09:24:49 2022 Summary: Recommended update for glibc Severity: moderate References: Description: This update for glibc fixes the following issues: - Add support for livepatches on x86_64 for SUSE Linux Enterprise 15 SP4 (jsc#SLE-20049). ----------------------------------------- Patch: SUSE-2022-330 Released: Fri Feb 4 09:29:08 2022 Summary: Security update for glibc Severity: important References: 1194640,1194768,1194770,1194785,CVE-2021-3999,CVE-2022-23218,CVE-2022-23219 Description: This update for glibc fixes the following issues: - CVE-2021-3999: Fixed incorrect errno in getcwd (bsc#1194640) - CVE-2022-23219: Fixed buffer overflow in sunrpc clnt_create for 'unix' (bsc#1194768) - CVE-2022-23218: Fixed buffer overflow in sunrpc svcunix_create (bsc#1194770) Features added: - IBM Power 10 string operation improvements (bsc#1194785, jsc#SLE-18195) ----------------------------------------- Patch: SUSE-2022-353 Released: Tue Feb 8 17:41:48 2022 Summary: Recommended update for systemd-rpm-macros Severity: moderate References: Description: This update for systemd-rpm-macros fixes the following issues: - Bump version to 10 - %sysusers_create_inline was wrongly marked as deprecated - %sysusers_create can be useful in certain cases and won't go away until we'll move to file triggers. So don't mark it as deprecated too ----------------------------------------- Patch: SUSE-2022-519 Released: Fri Feb 18 12:44:57 2022 Summary: Recommended update for sysstat Severity: moderate References: 1194679 Description: This update for sysstat fixes the following issues: - Fix possible segfault (bsc#1194679). ----------------------------------------- Patch: SUSE-2022-572 Released: Thu Feb 24 11:58:05 2022 Summary: Recommended update for psmisc Severity: moderate References: 1194172 Description: This update for psmisc fixes the following issues: - Determine the namespace of a process only once to speed up the parsing of 'fdinfo'. (bsc#1194172) ----------------------------------------- Patch: SUSE-2022-775 Released: Wed Mar 9 12:55:03 2022 Summary: Recommended update for pciutils Severity: moderate References: 1192862 Description: This update for pciutils fixes the following issues: - Report the theoretical speeds for PCIe 5.0 and 6.0 (bsc#1192862) ----------------------------------------- Patch: SUSE-2022-789 Released: Thu Mar 10 11:22:05 2022 Summary: Recommended update for update-alternatives Severity: moderate References: 1195654 Description: This update for update-alternatives fixes the following issues: - Break bash - update-alternatives cycle rewrite of '%post' in 'lua'. (bsc#1195654) ----------------------------------------- Patch: SUSE-2022-808 Released: Fri Mar 11 06:07:58 2022 Summary: Recommended update for procps Severity: moderate References: 1195468 Description: This update for procps fixes the following issues: - Stop registering signal handler for SIGURG, to avoid `ps` failure if someone sends such signal. Without the signal handler, SIGURG will just be ignored. (bsc#1195468) ----------------------------------------- Patch: SUSE-2022-861 Released: Tue Mar 15 23:31:21 2022 Summary: Recommended update for openssl-1_1 Severity: moderate References: 1182959,1195149,1195792,1195856 Description: This update for openssl-1_1 fixes the following issues: openssl-1_1: - Fix PAC pointer authentication in ARM (bsc#1195856) - Pull libopenssl-1_1 when updating openssl-1_1 with the same version (bsc#1195792) - FIPS: Fix function and reason error codes (bsc#1182959) - Enable zlib compression support (bsc#1195149) glibc: - Resolve installation issue of `glibc-devel` in SUSE Linux Enterprise Micro 5.1 linux-glibc-devel: - Resolve installation issue of `linux-kernel-headers` in SUSE Linux Enterprise Micro 5.1 libxcrypt: - Resolve installation issue of `libxcrypt-devel` in SUSE Linux Enterprise Micro 5.1 zlib: - Resolve installation issue of `zlib-devel` in SUSE Linux Enterprise Micro 5.1 ----------------------------------------- Patch: SUSE-2022-936 Released: Tue Mar 22 18:10:17 2022 Summary: Recommended update for filesystem and systemd-rpm-macros Severity: moderate References: 1196275,1196406 Description: This update for filesystem and systemd-rpm-macros fixes the following issues: filesystem: - Add path /lib/modprobe.d (bsc#1196275, jsc#SLE-20639) systemd-rpm-macros: - Make %_modprobedir point to /lib/modprobe.d (bsc#1196275, bsc#1196406) ----------------------------------------- Patch: SUSE-2022-1047 Released: Wed Mar 30 16:20:56 2022 Summary: Recommended update for pam Severity: moderate References: 1196093,1197024 Description: This update for pam fixes the following issues: - Define _pam_vendordir as the variable is needed by systemd and others. (bsc#1196093) - Between allocating the variable 'ai' and free'ing them, there are two 'return NO' were we don't free this variable. This patch inserts freaddrinfo() calls before the 'return NO;'s. (bsc#1197024) ----------------------------------------- Patch: SUSE-2022-1118 Released: Tue Apr 5 18:34:06 2022 Summary: Recommended update for timezone Severity: moderate References: 1177460 Description: This update for timezone fixes the following issues: - timezone update 2022a (bsc#1177460): * Palestine will spring forward on 2022-03-27, not on 03-26 * `zdump -v` now outputs better failure indications * Bug fixes for code that reads corrupted TZif data ----------------------------------------- Patch: SUSE-2022-1158 Released: Tue Apr 12 14:44:43 2022 Summary: Security update for xz Severity: important References: 1198062,CVE-2022-1271 Description: This update for xz fixes the following issues: - CVE-2022-1271: Fixed an incorrect escaping of malicious filenames (ZDI-CAN-16587). (bsc#1198062) ----------------------------------------- Patch: SUSE-2022-1281 Released: Wed Apr 20 12:26:38 2022 Summary: Recommended update for libtirpc Severity: moderate References: 1196647 Description: This update for libtirpc fixes the following issues: - Add option to enforce connection via protocol version 2 first (bsc#1196647) ----------------------------------------- Patch: SUSE-2022-1374 Released: Mon Apr 25 15:02:13 2022 Summary: Recommended update for openldap2 Severity: moderate References: 1191157,1197004 Description: This update for openldap2 fixes the following issues: - allow specification of max/min TLS version with TLS1.3 (bsc#1191157) - libldap was able to be out of step with openldap in some cases which could cause incorrect installations and symbol resolution failures. openldap2 and libldap now are locked to their related release versions. (bsc#1197004) - restore CLDAP functionality in CLI tools (jsc#PM-3288) ----------------------------------------- Patch: SUSE-2022-1409 Released: Tue Apr 26 12:54:57 2022 Summary: Recommended update for gcc11 Severity: moderate References: 1195628,1196107 Description: This update for gcc11 fixes the following issues: - Add a list of Obsoletes to libstdc++6-pp-gcc11 so updates from packages provided by older GCC work. Add a requires from that package to the corresponding libstc++6 package to keep those at the same version. [bsc#1196107] - Fixed memory corruption when creating dependences with the D language frontend. - Add gcc11-PIE, similar to gcc-PIE but affecting gcc11 [bsc#1195628] - Put libstdc++6-pp Requires on the shared library and drop to Recommends. ----------------------------------------- Patch: SUSE-2022-1451 Released: Thu Apr 28 10:47:22 2022 Summary: Recommended update for perl Severity: moderate References: 1193489 Description: This update for perl fixes the following issues: - Fix Socket::VERSION evaluation and stabilize Socket:VERSION comparisons (bsc#1193489) ----------------------------------------- Patch: SUSE-2022-1491 Released: Tue May 3 07:09:44 2022 Summary: Recommended update for psmisc Severity: moderate References: 1194172 Description: This update for psmisc fixes the following issues: - Add a fallback if the system call name_to_handle_at() is not supported by the used file system. - Replace the synchronizing over pipes of the sub process for the stat(2) system call with mutex and conditions from pthreads(7) (bsc#1194172) - Use statx(2) or SYS_statx system call to replace the stat(2) system call and avoid the sub process (bsc#1194172) ----------------------------------------- Patch: SUSE-2022-1548 Released: Thu May 5 16:45:28 2022 Summary: Security update for tar Severity: moderate References: 1029961,1120610,1130496,1181131,CVE-2018-20482,CVE-2019-9923,CVE-2021-20193 Description: This update for tar fixes the following issues: - CVE-2021-20193: Fixed a memory leak in read_header() in list.c (bsc#1181131). - CVE-2019-9923: Fixed a null-pointer dereference in pax_decode_header in sparse.c (bsc#1130496). - CVE-2018-20482: Fixed infinite read loop in sparse_dump_region in sparse.c (bsc#1120610). - Update to GNU tar 1.34: * Fix extraction over pipe * Fix memory leak in read_header (CVE-2021-20193) (bsc#1181131) * Fix extraction when . and .. are unreadable * Gracefully handle duplicate symlinks when extracting * Re-initialize supplementary groups when switching to user privileges - Update to GNU tar 1.33: * POSIX extended format headers do not include PID by default * --delay-directory-restore works for archives with reversed member ordering * Fix extraction of a symbolic link hardlinked to another symbolic link * Wildcards in exclude-vcs-ignore mode don't match slash * Fix the --no-overwrite-dir option * Fix handling of chained renames in incremental backups * Link counting works for file names supplied with -T * Accept only position-sensitive (file-selection) options in file list files - prepare usrmerge (bsc#1029961) - Update to GNU 1.32 * Fix the use of --checkpoint without explicit --checkpoint-action * Fix extraction with the -U option * Fix iconv usage on BSD-based systems * Fix possible NULL dereference (savannah bug #55369) [bsc#1130496] [CVE-2019-9923] * Improve the testsuite - Update to GNU 1.31 * Fix heap-buffer-overrun with --one-top-level, bug introduced with the addition of that option in 1.28 * Support for zstd compression * New option '--zstd' instructs tar to use zstd as compression program. When listing, extractng and comparing, zstd compressed archives are recognized automatically. When '-a' option is in effect, zstd compression is selected if the destination archive name ends in '.zst' or '.tzst'. * The -K option interacts properly with member names given in the command line. Names of members to extract can be specified along with the '-K NAME' option. In this case, tar will extract NAME and those of named members that appear in the archive after it, which is consistent with the semantics of the option. Previous versions of tar extracted NAME, those of named members that appeared before it, and everything after it. * Fix CVE-2018-20482 - When creating archives with the --sparse option, previous versions of tar would loop endlessly if a sparse file had been truncated while being archived. ----------------------------------------- Patch: SUSE-2022-1617 Released: Tue May 10 14:40:12 2022 Summary: Security update for gzip Severity: important References: 1198062,1198922,CVE-2022-1271 Description: This update for gzip fixes the following issues: - CVE-2022-1271: Fix escaping of malicious filenames. (bsc#1198062) ----------------------------------------- Patch: SUSE-2022-1655 Released: Fri May 13 15:36:10 2022 Summary: Recommended update for pam Severity: moderate References: 1197794 Description: This update for pam fixes the following issue: - Do not include obsolete header files (bsc#1197794) ----------------------------------------- Patch: SUSE-2022-1658 Released: Fri May 13 15:40:20 2022 Summary: Recommended update for libpsl Severity: important References: 1197771 Description: This update for libpsl fixes the following issues: - Fix libpsl compilation issues (bsc#1197771) ----------------------------------------- Patch: SUSE-2022-1670 Released: Mon May 16 10:06:30 2022 Summary: Security update for openldap2 Severity: important References: 1199240,CVE-2022-29155 Description: This update for openldap2 fixes the following issues: - CVE-2022-29155: Fixed SQL injection in back-sql (bsc#1199240). ----------------------------------------- Patch: SUSE-2022-1709 Released: Tue May 17 17:35:47 2022 Summary: Recommended update for libcbor Severity: important References: 1197743 Description: This update for libcbor fixes the following issues: - Fix build errors occuring on SUSE Linux Enterprise 15 Service Pack 4 ----------------------------------------- Patch: SUSE-2022-1718 Released: Tue May 17 17:44:43 2022 Summary: Security update for e2fsprogs Severity: important References: 1198446,CVE-2022-1304 Description: This update for e2fsprogs fixes the following issues: - CVE-2022-1304: Fixed out-of-bounds read/write leading to segmentation fault and possibly arbitrary code execution. (bsc#1198446) ----------------------------------------- Patch: SUSE-2022-1887 Released: Tue May 31 09:24:18 2022 Summary: Recommended update for grep Severity: moderate References: 1040589 Description: This update for grep fixes the following issues: - Make profiling deterministic. (bsc#1040589, SLE-24115) ----------------------------------------- Patch: SUSE-2022-1899 Released: Wed Jun 1 10:43:22 2022 Summary: Recommended update for libtirpc Severity: important References: 1198176 Description: This update for libtirpc fixes the following issues: - Add a check for nullpointer in check_address to prevent client from crashing (bsc#1198176) ----------------------------------------- Patch: SUSE-2022-1909 Released: Wed Jun 1 16:25:35 2022 Summary: Recommended update for glibc Severity: moderate References: 1198751 Description: This update for glibc fixes the following issues: - Add the correct name for the IBM Z16 (bsc#1198751). ----------------------------------------- Patch: SUSE-2022-2019 Released: Wed Jun 8 16:50:07 2022 Summary: Recommended update for gcc11 Severity: moderate References: 1192951,1193659,1195283,1196861,1197065 Description: This update for gcc11 fixes the following issues: Update to the GCC 11.3.0 release. * includes SLS hardening backport on x86_64. [bsc#1195283] * includes change to adjust gnats idea of the target, fixing the build of gprbuild. [bsc#1196861] * fixed miscompile of embedded premake in 0ad on i586. [bsc#1197065] * use --with-cpu rather than specifying --with-arch/--with-tune * Fix D memory corruption in -M output. * Fix ICE in is_this_parameter with coroutines. [bsc#1193659] * fixes issue with debug dumping together with -o /dev/null * fixes libgccjit issue showing up in emacs build [bsc#1192951] * Package mwaitintrin.h ----------------------------------------- Patch: SUSE-2022-2093 Released: Wed Jun 15 17:08:05 2022 Summary: Recommended update for open-vm-tools Severity: moderate References: 1196803,1196804 Description: This update for open-vm-tools fixes the following issues: - Update to 12.0.0 (build 19345655) (bsc#1196803) - Update open-vm-tools 12.0.0. (jsc#SLE-24097) - Support for managing Salt Minion through guest variables. A new open-vm-tools-salt-minion rpm is added to handle this support. - New ComponentMgr plugin to manage (add, remove, monitor) components on the guest VM. - Patch to fix potential Fail to Build from Source. (bsc#1196804) - Build vmhgfs with either libfuse2 or libfuse3. ----------------------------------------- Patch: SUSE-2022-2294 Released: Wed Jul 6 13:34:15 2022 Summary: Security update for expat Severity: important References: 1196025,1196026,1196168,1196169,1196171,1196784,CVE-2022-25235,CVE-2022-25236,CVE-2022-25313,CVE-2022-25314,CVE-2022-25315 Description: This update for expat fixes the following issues: - CVE-2022-25236: Fixed possible namespace-separator characters insertion into namespace URIs (bsc#1196025). - Fixed a regression caused by the patch for CVE-2022-25236 (bsc#1196784). - CVE-2022-25235: Fixed UTF-8 character validation in a certain context (bsc#1196026). - CVE-2022-25313: Fixed stack exhaustion in build_model() via uncontrolled recursion (bsc#1196168). - CVE-2022-25314: Fixed integer overflow in copyString (bsc#1196169). - CVE-2022-25315: Fixed integer overflow in storeRawNames (bsc#1196171). ----------------------------------------- Patch: SUSE-2022-2305 Released: Wed Jul 6 13:38:42 2022 Summary: Security update for curl Severity: important References: 1200734,1200735,1200736,1200737,CVE-2022-32205,CVE-2022-32206,CVE-2022-32207,CVE-2022-32208 Description: This update for curl fixes the following issues: - CVE-2022-32205: Set-Cookie denial of service (bsc#1200734) - CVE-2022-32206: HTTP compression denial of service (bsc#1200735) - CVE-2022-32207: Unpreserved file permissions (bsc#1200736) - CVE-2022-32208: FTP-KRB bad message verification (bsc#1200737) ----------------------------------------- Patch: SUSE-2022-2341 Released: Fri Jul 8 16:09:12 2022 Summary: Security update for containerd, docker and runc Severity: important References: 1192051,1199460,1199565,1200088,1200145,CVE-2022-29162,CVE-2022-31030 Description: This update for containerd, docker and runc fixes the following issues: containerd: - CVE-2022-31030: Fixed denial of service via invocation of the ExecSync API (bsc#1200145) docker: - Update to Docker 20.10.17-ce. See upstream changelog online at https://docs.docker.com/engine/release-notes/#201017. (bsc#1200145) runc: Update to runc v1.1.3. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.1.3. * Our seccomp `-ENOSYS` stub now correctly handles multiplexed syscalls on s390 and s390x. This solves the issue where syscalls the host kernel did not support would return `-EPERM` despite the existence of the `-ENOSYS` stub code (this was due to how s390x does syscall multiplexing). * Retry on dbus disconnect logic in libcontainer/cgroups/systemd now works as intended; this fix does not affect runc binary itself but is important for libcontainer users such as Kubernetes. * Inability to compile with recent clang due to an issue with duplicate constants in libseccomp-golang. * When using systemd cgroup driver, skip adding device paths that don't exist, to stop systemd from emitting warnings about those paths. * Socket activation was failing when more than 3 sockets were used. * Various CI fixes. * Allow to bind mount /proc/sys/kernel/ns_last_pid to inside container. - Fixed issues with newer syscalls (namely faccessat2) on older kernels on s390(x) caused by that platform's syscall multiplexing semantics. (bsc#1192051 bsc#1199565) Update to runc v1.1.2. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.1.2. Security issue fixed: - CVE-2022-29162: A bug was found in runc where runc exec --cap executed processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environment. (bsc#1199460) - `runc spec` no longer sets any inheritable capabilities in the created example OCI spec (`config.json`) file. Update to runc v1.1.1. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.1.1. * runc run/start can now run a container with read-only /dev in OCI spec, rather than error out. (#3355) * runc exec now ensures that --cgroup argument is a sub-cgroup. (#3403) libcontainer systemd v2 manager no longer errors out if one of the files listed in /sys/kernel/cgroup/delegate do not exist in container's cgroup. (#3387, #3404) * Loosen OCI spec validation to avoid bogus 'Intel RDT is not supported' error. (#3406) * libcontainer/cgroups no longer panics in cgroup v1 managers if stat of /sys/fs/cgroup/unified returns an error other than ENOENT. (#3435) Update to runc v1.1.0. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.1.0. - libcontainer will now refuse to build without the nsenter package being correctly compiled (specifically this requires CGO to be enabled). This should avoid folks accidentally creating broken runc binaries (and incorrectly importing our internal libraries into their projects). (#3331) Update to runc v1.1.0~rc1. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.1.0-rc.1. + Add support for RDMA cgroup added in Linux 4.11. * runc exec now produces exit code of 255 when the exec failed. This may help in distinguishing between runc exec failures (such as invalid options, non-running container or non-existent binary etc.) and failures of the command being executed. + runc run: new --keep option to skip removal exited containers artefacts. This might be useful to check the state (e.g. of cgroup controllers) after the container hasexited. + seccomp: add support for SCMP_ACT_KILL_PROCESS and SCMP_ACT_KILL_THREAD (the latter is just an alias for SCMP_ACT_KILL). + seccomp: add support for SCMP_ACT_NOTIFY (seccomp actions). This allows users to create sophisticated seccomp filters where syscalls can be efficiently emulated by privileged processes on the host. + checkpoint/restore: add an option (--lsm-mount-context) to set a different LSM mount context on restore. + intelrdt: support ClosID parameter. + runc exec --cgroup: an option to specify a (non-top) in-container cgroup to use for the process being executed. + cgroup v1 controllers now support hybrid hierarchy (i.e. when on a cgroup v1 machine a cgroup2 filesystem is mounted to /sys/fs/cgroup/unified, runc run/exec now adds the container to the appropriate cgroup under it). + sysctl: allow slashes in sysctl names, to better match sysctl(8)'s behaviour. + mounts: add support for bind-mounts which are inaccessible after switching the user namespace. Note that this does not permit the container any additional access to the host filesystem, it simply allows containers to have bind-mounts configured for paths the user can access but have restrictive access control settings for other users. + Add support for recursive mount attributes using mount_setattr(2). These have the same names as the proposed mount(8) options -- just prepend r to the option name (such as rro). + Add runc features subcommand to allow runc users to detect what features runc has been built with. This includes critical information such as supported mount flags, hook names, and so on. Note that the output of this command is subject to change and will not be considered stable until runc 1.2 at the earliest. The runtime-spec specification for this feature is being developed in opencontainers/runtime-spec#1130. * system: improve performance of /proc/$pid/stat parsing. * cgroup2: when /sys/fs/cgroup is configured as a read-write mount, change the ownership of certain cgroup control files (as per /sys/kernel/cgroup/delegate) to allow for proper deferral to the container process. * runc checkpoint/restore: fixed for containers with an external bind mount which destination is a symlink. * cgroup: improve openat2 handling for cgroup directory handle hardening. runc delete -f now succeeds (rather than timing out) on a paused container. * runc run/start/exec now refuses a frozen cgroup (paused container in case of exec). Users can disable this using --ignore-paused. - Update version data embedded in binary to correctly include the git commit of the release. ----------------------------------------- Patch: SUSE-2022-2360 Released: Tue Jul 12 12:01:39 2022 Summary: Security update for pcre2 Severity: important References: 1199232,CVE-2022-1586 Description: This update for pcre2 fixes the following issues: - CVE-2022-1586: Fixed unicode property matching issue. (bsc#1199232) ----------------------------------------- Patch: SUSE-2022-2361 Released: Tue Jul 12 12:05:01 2022 Summary: Security update for pcre Severity: important References: 1199232,CVE-2022-1586 Description: This update for pcre fixes the following issues: - CVE-2022-1586: Fixed unicode property matching issue. (bsc#1199232) ----------------------------------------- Patch: SUSE-2022-2396 Released: Thu Jul 14 11:57:58 2022 Summary: Security update for logrotate Severity: important References: 1192449,1199652,1200278,1200802,CVE-2022-1348 Description: This update for logrotate fixes the following issues: Security issues fixed: - CVE-2022-1348: Fixed insecure permissions for state file creation (bsc#1199652). - Improved coredump handing for SUID binaries (bsc#1192449). Non-security issues fixed: - Fixed 'logrotate emits unintended warning: keyword size not properly separated, found 0x3d' (bsc#1200278, bsc#1200802). ----------------------------------------- Patch: SUSE-2022-2406 Released: Fri Jul 15 11:49:01 2022 Summary: Recommended update for glibc Severity: moderate References: 1197718,1199140,1200334,1200855 Description: This update for glibc fixes the following issues: - powerpc: Fix VSX register number on __strncpy_power9 (bsc#1200334) - Disable warnings due to deprecated libselinux symbols used by nss and nscd (bsc#1197718) - i386: Remove broken CAN_USE_REGISTER_ASM_EBP (bsc#1197718) - rtld: Avoid using up static TLS surplus for optimizations (bsc#1200855, BZ #25051) This readds the s390 32bit glibc and libcrypt1 libraries (glibc-32bit, glibc-locale-base-32bit, libcrypt1-32bit). ----------------------------------------- Patch: SUSE-2022-2469 Released: Thu Jul 21 04:38:31 2022 Summary: Recommended update for systemd Severity: important References: 1137373,1181658,1194708,1195157,1197570,1198732,1200170,1201276 Description: This update for systemd fixes the following issues: - Make {/etc,/usr/lib}/systemd/network owned by both udev and systemd-network. The configuration files put in these directories are read by both udevd and systemd-networkd (bsc#1201276) - Allow control characters in environment variable values (bsc#1200170) - Fix issues with multipath setup (bsc#1137373, bsc#1181658, bsc#1194708, bsc#1195157, bsc#1197570) - Fix parsing error in s390 udev rules conversion script (bsc#1198732) - core/device: device_coldplug(): don't set DEVICE_DEAD - core/device: do not downgrade device state if it is already enumerated - core/device: drop unnecessary condition ----------------------------------------- Patch: SUSE-2022-2493 Released: Thu Jul 21 14:35:08 2022 Summary: Recommended update for rpm-config-SUSE Severity: moderate References: 1193282 Description: This update for rpm-config-SUSE fixes the following issues: - Add SBAT values macros for other packages (bsc#1193282) ----------------------------------------- Patch: SUSE-2022-2494 Released: Thu Jul 21 15:16:42 2022 Summary: Recommended update for glibc Severity: important References: 1200855,1201560,1201640 Description: This update for glibc fixes the following issues: - Remove tunables from static tls surplus patch which caused crashes (bsc#1200855) - i386: Disable check_consistency for GCC 5 and above (bsc#1201640, BZ #25788) ----------------------------------------- Patch: SUSE-2022-2533 Released: Fri Jul 22 17:37:15 2022 Summary: Security update for mozilla-nss Severity: important References: 1192079,1192080,1192086,1192087,1192228,1198486,1200027,CVE-2022-31741 Description: This update for mozilla-nss fixes the following issues: Various FIPS 140-3 related fixes were backported from SUSE Linux Enterprise 15 SP4: - Makes the PBKDF known answer test compliant with NIST SP800-132. (bsc#1192079). - FIPS: Add on-demand integrity tests through sftk_FIPSRepeatIntegrityCheck() (bsc#1198980). - FIPS: mark algorithms as approved/non-approved according to security policy (bsc#1191546, bsc#1201298). - FIPS: remove hard disabling of unapproved algorithms. This requirement is now fulfilled by the service level indicator (bsc#1200325). - Run test suite at build time, and make it pass (bsc#1198486). - FIPS: skip algorithms that are hard disabled in FIPS mode. - Prevent expired PayPalEE cert from failing the tests. - Allow checksumming to be disabled, but only if we entered FIPS mode due to NSS_FIPS being set, not if it came from /proc. - FIPS: Make the PBKDF known answer test compliant with NIST SP800-132. - Update FIPS validation string to version-release format. - FIPS: remove XCBC MAC from list of FIPS approved algorithms. - Enable NSS_ENABLE_FIPS_INDICATORS and set NSS_FIPS_MODULE_ID for build. - FIPS: claim 3DES unapproved in FIPS mode (bsc#1192080). - FIPS: allow testing of unapproved algorithms (bsc#1192228). - FIPS: add version indicators. (bmo#1729550, bsc#1192086). - FIPS: fix some secret clearing (bmo#1697303, bsc#1192087). Version update to NSS 3.79: - Use PK11_GetSlotInfo instead of raw C_GetSlotInfo calls. - Update mercurial in clang-format docker image. - Use of uninitialized pointer in lg_init after alloc fail. - selfserv and tstclnt should use PR_GetPrefLoopbackAddrInfo. - Add SECMOD_LockedModuleHasRemovableSlots. - Fix secasn1d parsing of indefinite SEQUENCE inside indefinite GROUP. - Added RFC8422 compliant TLS <= 1.2 undefined/compressed ECPointFormat extension alerts. - TLS 1.3 Server: Send protocol_version alert on unsupported ClientHello.legacy_version. - Correct invalid record inner and outer content type alerts. - NSS does not properly import or export pkcs12 files with large passwords and pkcs5v2 encoding. - improve error handling after nssCKFWInstance_CreateObjectHandle. - Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple. - NSS 3.79 should depend on NSPR 4.34 Version update to NSS 3.78.1: - Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple Version update to NSS 3.78: - Added TLS 1.3 zero-length inner plaintext checks and tests, zero-length record/fragment handling tests. - Reworked overlong record size checks and added TLS1.3 specific boundaries. - Add ECH Grease Support to tstclnt - Add a strict variant of moz::pkix::CheckCertHostname. - Change SSL_REUSE_SERVER_ECDHE_KEY default to false. - Make SEC_PKCS12EnableCipher succeed - Update zlib in NSS to 1.2.12. Version update to NSS 3.77: - Fix link to TLS page on wireshark wiki - Add two D-TRUST 2020 root certificates. - Add Telia Root CA v2 root certificate. - Remove expired explicitly distrusted certificates from certdata.txt. - support specific RSA-PSS parameters in mozilla::pkix - Remove obsolete stateEnd check in SEC_ASN1DecoderUpdate. - Remove token member from NSSSlot struct. - Provide secure variants of mpp_pprime and mpp_make_prime. - Support UTF-8 library path in the module spec string. - Update nssUTF8_Length to RFC 3629 and fix buffer overrun. - Update googletest to 1.11.0 - Add SetTls13GreaseEchSize to experimental API. - TLS 1.3 Illegal legacy_version handling/alerts. - Fix calculation of ECH HRR Transcript. - Allow ld path to be set as environment variable. - Ensure we don't read uninitialized memory in ssl gtests. - Fix DataBuffer Move Assignment. - internal_error alert on Certificate Request with sha1+ecdsa in TLS 1.3 - rework signature verification in mozilla::pkix Version update to NSS 3.76.1 - Remove token member from NSSSlot struct. - Hold tokensLock through nssToken_GetSlot calls in nssTrustDomain_GetActiveSlots. - Check return value of PK11Slot_GetNSSToken. - Use Wycheproof JSON for RSASSA-PSS - Add SHA256 fingerprint comments to old certdata.txt entries. - Avoid truncating files in nss-release-helper.py. - Throw illegal_parameter alert for illegal extensions in handshake message. Version update to NSS 3.75 - Make DottedOIDToCode.py compatible with python3. - Avoid undefined shift in SSL_CERT_IS while fuzzing. - Remove redundant key type check. - Update ABI expectations to match ECH changes. - Enable CKM_CHACHA20. - check return on NSS_NoDB_Init and NSS_Shutdown. - Run ECDSA test vectors from bltest as part of the CI tests. - Add ECDSA test vectors to the bltest command line tool. - Allow to build using clang's integrated assembler. - Allow to override python for the build. - test HKDF output rather than input. - Use ASSERT macros to end failed tests early. - move assignment operator for DataBuffer. - Add test cases for ECH compression and unexpected extensions in SH. - Update tests for ECH-13. - Tidy up error handling. - Add tests for ECH HRR Changes. - Server only sends GREASE HRR extension if enabled by preference. - Update generation of the Associated Data for ECH-13. - When ECH is accepted, reject extensions which were only advertised in the Outer Client Hello. - Allow for compressed, non-contiguous, extensions. - Scramble the PSK extension in CHOuter. - Split custom extension handling for ECH. - Add ECH-13 HRR Handling. - Client side ECH padding. - Stricter ClientHelloInner Decompression. - Remove ECH_inner extension, use new enum format. - Update the version number for ECH-13 and adjust the ECHConfig size. Version update to NSS 3.74 - mozilla::pkix: support SHA-2 hashes in CertIDs in OCSP responses - Ensure clients offer consistent ciphersuites after HRR - NSS does not properly restrict server keys based on policy - Set nssckbi version number to 2.54 - Replace Google Trust Services LLC (GTS) R4 root certificate - Replace Google Trust Services LLC (GTS) R3 root certificate - Replace Google Trust Services LLC (GTS) R2 root certificate - Replace Google Trust Services LLC (GTS) R1 root certificate - Replace GlobalSign ECC Root CA R4 - Remove Expired Root Certificates - DST Root CA X3 - Remove Expiring Cybertrust Global Root and GlobalSign root certificates - Add renewed Autoridad de Certificacion Firmaprofesional CIF A62634068 root certificate - Add iTrusChina ECC root certificate - Add iTrusChina RSA root certificate - Add ISRG Root X2 root certificate - Add Chunghwa Telecom's HiPKI Root CA - G1 root certificate - Avoid a clang 13 unused variable warning in opt build - Check for missing signedData field - Ensure DER encoded signatures are within size limits - enable key logging option (boo#1195040) Version update to NSS 3.73.1: - Add SHA-2 support to mozilla::pkix's OSCP implementation Version update to NSS 3.73 - check for missing signedData field. - Ensure DER encoded signatures are within size limits. - NSS needs FiPS 140-3 version indicators. - pkix_CacheCert_Lookup doesn't return cached certs - sunset Coverity from NSS Fixed MFSA 2021-51 (bsc#1193170) CVE-2021-43527: Memory corruption via DER-encoded DSA and RSA-PSS signatures Version update to NSS 3.72 - Fix nsinstall parallel failure. - Increase KDF cache size to mitigate perf regression in about:logins Version update to NSS 3.71 - Set nssckbi version number to 2.52. - Respect server requirements of tlsfuzzer/test-tls13-signature-algorithms.py - Import of PKCS#12 files with Camellia encryption is not supported - Add HARICA Client ECC Root CA 2021. - Add HARICA Client RSA Root CA 2021. - Add HARICA TLS ECC Root CA 2021. - Add HARICA TLS RSA Root CA 2021. - Add TunTrust Root CA certificate to NSS. Version update to NSS 3.70 - Update test case to verify fix. - Explicitly disable downgrade check in TlsConnectStreamTls13.EchOuterWith12Max - Explicitly disable downgrade check in TlsConnectTest.DisableFalseStartOnFallback - Avoid using a lookup table in nssb64d. - Use HW accelerated SHA2 on AArch64 Big Endian. - Change default value of enableHelloDowngradeCheck to true. - Cache additional PBE entries. - Read HPKE vectors from official JSON. Version update to NSS 3.69.1: - Disable DTLS 1.0 and 1.1 by default - integrity checks in key4.db not happening on private components with AES_CBC NSS 3.69: - Disable DTLS 1.0 and 1.1 by default (backed out again) - integrity checks in key4.db not happening on private components with AES_CBC (backed out again) - SSL handling of signature algorithms ignores environmental invalid algorithms. - sqlite 3.34 changed it's open semantics, causing nss failures. - Gtest update changed the gtest reports, losing gtest details in all.sh reports. - NSS incorrectly accepting 1536 bit DH primes in FIPS mode - SQLite calls could timeout in starvation situations. - Coverity/cpp scanner errors found in nss 3.67 - Import the NSS documentation from MDN in nss/doc. - NSS using a tempdir to measure sql performance not active Version Update to 3.68.4 (bsc#1200027) - CVE-2022-31741: Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple. (bmo#1767590) Mozilla NSPR was updated to version 4.34: * add an API that returns a preferred loopback IP on hosts that have two IP stacks available. ----------------------------------------- Patch: SUSE-2022-2546 Released: Mon Jul 25 14:43:22 2022 Summary: Security update for gpg2 Severity: important References: 1196125,1201225,CVE-2022-34903 Description: This update for gpg2 fixes the following issues: - CVE-2022-34903: Fixed a status injection vulnerability (bsc#1201225). - Use AES as default cipher instead of 3DES when we are in FIPS mode. (bsc#1196125) ----------------------------------------- Patch: SUSE-2022-2566 Released: Wed Jul 27 15:04:49 2022 Summary: Security update for pcre2 Severity: important References: 1199235,CVE-2022-1587 Description: This update for pcre2 fixes the following issues: - CVE-2022-1587: Fixed out-of-bounds read due to bug in recursions (bsc#1199235). ----------------------------------------- Patch: SUSE-2022-2595 Released: Fri Jul 29 16:00:42 2022 Summary: Security update for mozilla-nss Severity: important References: 1192079,1192080,1192086,1192087,1192228,1198486,1200027,CVE-2022-31741 Description: This update for mozilla-nss fixes the following issues: Various FIPS 140-3 related fixes were backported from SUSE Linux Enterprise 15 SP4: - Makes the PBKDF known answer test compliant with NIST SP800-132. (bsc#1192079). - FIPS: Add on-demand integrity tests through sftk_FIPSRepeatIntegrityCheck() (bsc#1198980). - FIPS: mark algorithms as approved/non-approved according to security policy (bsc#1191546, bsc#1201298). - FIPS: remove hard disabling of unapproved algorithms. This requirement is now fulfilled by the service level indicator (bsc#1200325). - Run test suite at build time, and make it pass (bsc#1198486). - FIPS: skip algorithms that are hard disabled in FIPS mode. - Prevent expired PayPalEE cert from failing the tests. - Allow checksumming to be disabled, but only if we entered FIPS mode due to NSS_FIPS being set, not if it came from /proc. - FIPS: Make the PBKDF known answer test compliant with NIST SP800-132. - Update FIPS validation string to version-release format. - FIPS: remove XCBC MAC from list of FIPS approved algorithms. - Enable NSS_ENABLE_FIPS_INDICATORS and set NSS_FIPS_MODULE_ID for build. - FIPS: claim 3DES unapproved in FIPS mode (bsc#1192080). - FIPS: allow testing of unapproved algorithms (bsc#1192228). - FIPS: add version indicators. (bmo#1729550, bsc#1192086). - FIPS: fix some secret clearing (bmo#1697303, bsc#1192087). Version update to NSS 3.79: - Use PK11_GetSlotInfo instead of raw C_GetSlotInfo calls. - Update mercurial in clang-format docker image. - Use of uninitialized pointer in lg_init after alloc fail. - selfserv and tstclnt should use PR_GetPrefLoopbackAddrInfo. - Add SECMOD_LockedModuleHasRemovableSlots. - Fix secasn1d parsing of indefinite SEQUENCE inside indefinite GROUP. - Added RFC8422 compliant TLS <= 1.2 undefined/compressed ECPointFormat extension alerts. - TLS 1.3 Server: Send protocol_version alert on unsupported ClientHello.legacy_version. - Correct invalid record inner and outer content type alerts. - NSS does not properly import or export pkcs12 files with large passwords and pkcs5v2 encoding. - improve error handling after nssCKFWInstance_CreateObjectHandle. - Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple. - NSS 3.79 should depend on NSPR 4.34 Version update to NSS 3.78.1: - Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple Version update to NSS 3.78: - Added TLS 1.3 zero-length inner plaintext checks and tests, zero-length record/fragment handling tests. - Reworked overlong record size checks and added TLS1.3 specific boundaries. - Add ECH Grease Support to tstclnt - Add a strict variant of moz::pkix::CheckCertHostname. - Change SSL_REUSE_SERVER_ECDHE_KEY default to false. - Make SEC_PKCS12EnableCipher succeed - Update zlib in NSS to 1.2.12. Version update to NSS 3.77: - Fix link to TLS page on wireshark wiki - Add two D-TRUST 2020 root certificates. - Add Telia Root CA v2 root certificate. - Remove expired explicitly distrusted certificates from certdata.txt. - support specific RSA-PSS parameters in mozilla::pkix - Remove obsolete stateEnd check in SEC_ASN1DecoderUpdate. - Remove token member from NSSSlot struct. - Provide secure variants of mpp_pprime and mpp_make_prime. - Support UTF-8 library path in the module spec string. - Update nssUTF8_Length to RFC 3629 and fix buffer overrun. - Update googletest to 1.11.0 - Add SetTls13GreaseEchSize to experimental API. - TLS 1.3 Illegal legacy_version handling/alerts. - Fix calculation of ECH HRR Transcript. - Allow ld path to be set as environment variable. - Ensure we don't read uninitialized memory in ssl gtests. - Fix DataBuffer Move Assignment. - internal_error alert on Certificate Request with sha1+ecdsa in TLS 1.3 - rework signature verification in mozilla::pkix Version update to NSS 3.76.1 - Remove token member from NSSSlot struct. - Hold tokensLock through nssToken_GetSlot calls in nssTrustDomain_GetActiveSlots. - Check return value of PK11Slot_GetNSSToken. - Use Wycheproof JSON for RSASSA-PSS - Add SHA256 fingerprint comments to old certdata.txt entries. - Avoid truncating files in nss-release-helper.py. - Throw illegal_parameter alert for illegal extensions in handshake message. Version update to NSS 3.75 - Make DottedOIDToCode.py compatible with python3. - Avoid undefined shift in SSL_CERT_IS while fuzzing. - Remove redundant key type check. - Update ABI expectations to match ECH changes. - Enable CKM_CHACHA20. - check return on NSS_NoDB_Init and NSS_Shutdown. - Run ECDSA test vectors from bltest as part of the CI tests. - Add ECDSA test vectors to the bltest command line tool. - Allow to build using clang's integrated assembler. - Allow to override python for the build. - test HKDF output rather than input. - Use ASSERT macros to end failed tests early. - move assignment operator for DataBuffer. - Add test cases for ECH compression and unexpected extensions in SH. - Update tests for ECH-13. - Tidy up error handling. - Add tests for ECH HRR Changes. - Server only sends GREASE HRR extension if enabled by preference. - Update generation of the Associated Data for ECH-13. - When ECH is accepted, reject extensions which were only advertised in the Outer Client Hello. - Allow for compressed, non-contiguous, extensions. - Scramble the PSK extension in CHOuter. - Split custom extension handling for ECH. - Add ECH-13 HRR Handling. - Client side ECH padding. - Stricter ClientHelloInner Decompression. - Remove ECH_inner extension, use new enum format. - Update the version number for ECH-13 and adjust the ECHConfig size. Version update to NSS 3.74 - mozilla::pkix: support SHA-2 hashes in CertIDs in OCSP responses - Ensure clients offer consistent ciphersuites after HRR - NSS does not properly restrict server keys based on policy - Set nssckbi version number to 2.54 - Replace Google Trust Services LLC (GTS) R4 root certificate - Replace Google Trust Services LLC (GTS) R3 root certificate - Replace Google Trust Services LLC (GTS) R2 root certificate - Replace Google Trust Services LLC (GTS) R1 root certificate - Replace GlobalSign ECC Root CA R4 - Remove Expired Root Certificates - DST Root CA X3 - Remove Expiring Cybertrust Global Root and GlobalSign root certificates - Add renewed Autoridad de Certificacion Firmaprofesional CIF A62634068 root certificate - Add iTrusChina ECC root certificate - Add iTrusChina RSA root certificate - Add ISRG Root X2 root certificate - Add Chunghwa Telecom's HiPKI Root CA - G1 root certificate - Avoid a clang 13 unused variable warning in opt build - Check for missing signedData field - Ensure DER encoded signatures are within size limits - enable key logging option (boo#1195040) Version update to NSS 3.73.1: - Add SHA-2 support to mozilla::pkix's OSCP implementation Version update to NSS 3.73 - check for missing signedData field. - Ensure DER encoded signatures are within size limits. - NSS needs FiPS 140-3 version indicators. - pkix_CacheCert_Lookup doesn't return cached certs - sunset Coverity from NSS Fixed MFSA 2021-51 (bsc#1193170) CVE-2021-43527: Memory corruption via DER-encoded DSA and RSA-PSS signatures Version update to NSS 3.72 - Fix nsinstall parallel failure. - Increase KDF cache size to mitigate perf regression in about:logins Version update to NSS 3.71 - Set nssckbi version number to 2.52. - Respect server requirements of tlsfuzzer/test-tls13-signature-algorithms.py - Import of PKCS#12 files with Camellia encryption is not supported - Add HARICA Client ECC Root CA 2021. - Add HARICA Client RSA Root CA 2021. - Add HARICA TLS ECC Root CA 2021. - Add HARICA TLS RSA Root CA 2021. - Add TunTrust Root CA certificate to NSS. Version update to NSS 3.70 - Update test case to verify fix. - Explicitly disable downgrade check in TlsConnectStreamTls13.EchOuterWith12Max - Explicitly disable downgrade check in TlsConnectTest.DisableFalseStartOnFallback - Avoid using a lookup table in nssb64d. - Use HW accelerated SHA2 on AArch64 Big Endian. - Change default value of enableHelloDowngradeCheck to true. - Cache additional PBE entries. - Read HPKE vectors from official JSON. Version update to NSS 3.69.1: - Disable DTLS 1.0 and 1.1 by default - integrity checks in key4.db not happening on private components with AES_CBC NSS 3.69: - Disable DTLS 1.0 and 1.1 by default (backed out again) - integrity checks in key4.db not happening on private components with AES_CBC (backed out again) - SSL handling of signature algorithms ignores environmental invalid algorithms. - sqlite 3.34 changed it's open semantics, causing nss failures. - Gtest update changed the gtest reports, losing gtest details in all.sh reports. - NSS incorrectly accepting 1536 bit DH primes in FIPS mode - SQLite calls could timeout in starvation situations. - Coverity/cpp scanner errors found in nss 3.67 - Import the NSS documentation from MDN in nss/doc. - NSS using a tempdir to measure sql performance not active Version Update to 3.68.4 (bsc#1200027) - CVE-2022-31741: Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple. (bmo#1767590) ----------------------------------------- Patch: SUSE-2022-2632 Released: Wed Aug 3 09:51:00 2022 Summary: Security update for permissions Severity: important References: 1198720,1200747,1201385 Description: This update for permissions fixes the following issues: * apptainer: fix starter-suid location (bsc#1198720) * static permissions: remove deprecated bind / named chroot entries (bsc#1200747) * postfix: add postlog setgid for maildrop binary (bsc#1201385) ----------------------------------------- Patch: SUSE-2022-2717 Released: Tue Aug 9 12:54:16 2022 Summary: Security update for ncurses Severity: moderate References: 1198627,CVE-2022-29458 Description: This update for ncurses fixes the following issues: - CVE-2022-29458: Fixed segfaulting out-of-bounds read in convert_strings in tinfo/read_entry.c (bsc#1198627). ----------------------------------------- Patch: SUSE-2022-2735 Released: Wed Aug 10 04:31:41 2022 Summary: Recommended update for tar Severity: moderate References: 1200657 Description: This update for tar fixes the following issues: - Fix race condition while creating intermediate subdirectories (bsc#1200657) ----------------------------------------- Patch: SUSE-2022-2796 Released: Fri Aug 12 14:34:31 2022 Summary: Recommended update for jitterentropy Severity: moderate References: Description: This update for jitterentropy fixes the following issues: jitterentropy is included in version 3.4.0 (jsc#SLE-24941): This is a FIPS 140-3 / NIST 800-90b compliant userspace jitter entropy generator library, used by other FIPS libraries. ----------------------------------------- Patch: SUSE-2022-2825 Released: Tue Aug 16 17:12:47 2022 Summary: Security update for rsync Severity: important References: 1201840,CVE-2022-29154 Description: This update for rsync fixes the following issues: - CVE-2022-29154: Fixed an arbitrary file write when connecting to a malicious server (bsc#1201840). ----------------------------------------- Patch: SUSE-2022-2844 Released: Thu Aug 18 14:41:25 2022 Summary: Recommended update for tar Severity: important References: 1202436 Description: This update for tar fixes the following issues: - A regression in a previous update lead to potential deadlocks when extracting an archive. (bsc#1202436) ----------------------------------------- Patch: SUSE-2022-2901 Released: Fri Aug 26 03:34:23 2022 Summary: Recommended update for elfutils Severity: moderate References: Description: This update for elfutils fixes the following issues: - Fix runtime dependency for devel package ----------------------------------------- Patch: SUSE-2022-2904 Released: Fri Aug 26 05:28:34 2022 Summary: Recommended update for openldap2 Severity: moderate References: 1198341 Description: This update for openldap2 fixes the following issues: - Prevent memory reuse which may lead to instability (bsc#1198341) ----------------------------------------- Patch: SUSE-2022-2920 Released: Fri Aug 26 15:17:02 2022 Summary: Recommended update for systemd Severity: important References: 1195059,1201795 Description: This update for systemd fixes the following issues: - Don't replace /etc/systemd/system/tmp.mount symlink with a dangling one pointing to /usr/lib/systemd/ (bsc#1201795) - Drop or soften some of the deprecation warnings (jsc#PED-944) - Ensure root user can login even if systemd-user-sessions.service is not activated yet (bsc#1195059) - Avoid applying presets to any services shipped by the experimental sub-package, as they aren't enabled by default - analyze: Fix offline check for syscal filter - calendarspec: Fix timer skipping the next elapse - core: Allow command argument to be longer - hwdb: Add AV production controllers to hwdb and add uaccess - hwdb: Allow console users access to rfkill - hwdb: Allow end-users root-less access to TL866 EPROM readers - hwdb: Permit unsetting power/persist for USB devices - hwdb: Tag IR cameras as such - hwdb: Fix parsing issue - hwdb: Make usb match patterns uppercase - hwdb: Update the hardware database - journal-file: Stop using the event loop if it's already shutting down - journal-remote: Disable `--trust` option when gnutls is disabled and check_permission() should not be called - journald: Ensure resources are properly allocated for SIGTERM handling - kernel-install: Ensure modules.builtin.alias.bin is removed when no longer needed - macro: Account for negative values in DECIMAL_STR_WIDTH() - manager: Disallow clone3() function call in seccomp filters - missing-syscall: Define MOVE_MOUNT_T_EMPTY_PATH if missing - pid1,cgroup-show: Prevent failure if cgroup.procs in some subcgroups is not readable - resolve: Fix typo in dns_class_is_pseudo() - sd-event: Improve handling of process events and termination of processes - sd-ipv4acd: Fix ARP packet conflicts occurring when sender hardware is one of the host's interfaces - stdio-bridge: Improve the meaning of the error message - tmpfiles: Check for the correct directory ----------------------------------------- Patch: SUSE-2022-2929 Released: Mon Aug 29 11:21:47 2022 Summary: Recommended update for timezone Severity: important References: 1202310 Description: This update for timezone fixes the following issue: - Reflect new Chile DST change (bsc#1202310) ----------------------------------------- Patch: SUSE-2022-2936 Released: Mon Aug 29 14:34:13 2022 Summary: Security update for open-vm-tools Severity: important References: 1202657,1202733,CVE-2022-31676 Description: This update for open-vm-tools fixes the following issues: - Updated to version 12.1.0 (build 20219665) (bsc#1202733): - CVE-2022-31676: Fixed an issue that could allow unprivileged users inside a virtual machine to escalate privileges (bsc#1202657). ----------------------------------------- Patch: SUSE-2022-2939 Released: Mon Aug 29 14:49:17 2022 Summary: Recommended update for mozilla-nss Severity: moderate References: 1201298,1202645 Description: This update for mozilla-nss fixes the following issues: Update to NSS 3.79.1 (bsc#1202645) * compare signature and signatureAlgorithm fields in legacy certificate verifier. * Uninitialized value in cert_ComputeCertType. * protect SFTKSlot needLogin with slotLock. * avoid data race on primary password change. * check for null template in sec_asn1{d,e}_push_state. - FIPS: unapprove the rest of the DSA ciphers, keeping signature verification only (bsc#1201298). ----------------------------------------- Patch: SUSE-2022-2944 Released: Wed Aug 31 05:39:14 2022 Summary: Recommended update for procps Severity: important References: 1181475 Description: This update for procps fixes the following issues: - Fix 'free' command reporting misleading 'used' value (bsc#1181475) ----------------------------------------- Patch: SUSE-2022-3003 Released: Fri Sep 2 15:01:44 2022 Summary: Security update for curl Severity: low References: 1202593,CVE-2022-35252 Description: This update for curl fixes the following issues: - CVE-2022-35252: Fixed a potential injection of control characters into cookies, which could be exploited by sister sites to cause a denial of service (bsc#1202593). ----------------------------------------- Patch: SUSE-2022-3019 Released: Mon Sep 5 11:00:23 2022 Summary: Recommended update for lshw Severity: moderate References: Description: This update for lshw fixes the following issues: - Update to version B.02.19.2+git.20220628 * make version check optional - Update to version B.02.19.2+git.20220310: * Set product name for all netdevs sharing the same PCI number - Update to version B.02.19.2+git.20211222: * Add Spanish translation * Fix mistakes in Catalan translation - Update to version B.02.19.2+git.20211102: * Read and parse network transceiver module eeprom * use max (9) Gzip compression * Add Catalan translation * Update POT file * Add more network speeds - Update to version B.02.19.2+git.20211013: * support for new ethtool capabilities * code clean-up * allow pkg-config override * Translate all words of a phrase together ----------------------------------------- Patch: SUSE-2022-3127 Released: Wed Sep 7 04:36:10 2022 Summary: Recommended update for libtirpc Severity: moderate References: 1198752,1200800 Description: This update for libtirpc fixes the following issues: - Exclude ipv6 addresses in client protocol version 2 code (bsc#1200800) - Fix memory leak in params.r_addr assignement (bsc#1198752) ----------------------------------------- Patch: SUSE-2022-3133 Released: Wed Sep 7 05:55:52 2022 Summary: Recommended update for sg3_utils Severity: moderate References: 1199248 Description: This update for sg3_utils fixes the following issues: - Add timeout parameter to rescan-scsi-bus.sh (bsc#1199248) ----------------------------------------- Patch: SUSE-2022-3262 Released: Tue Sep 13 15:34:29 2022 Summary: Recommended update for gcc11 Severity: moderate References: 1199140 Description: This update for gcc11 ships some missing 32bit libraries for s390x. (bsc#1199140) ----------------------------------------- Patch: SUSE-2022-3271 Released: Wed Sep 14 06:45:39 2022 Summary: Security update for perl Severity: moderate References: 1047178,CVE-2017-6512 Description: This update for perl fixes the following issues: - CVE-2017-6512: Fixed File::Path rmtree/remove_tree race condition (bsc#1047178). ----------------------------------------- Patch: SUSE-2022-3304 Released: Mon Sep 19 11:43:25 2022 Summary: Recommended update for libassuan Severity: moderate References: Description: This update for libassuan fixes the following issues: - Add a timeout for writing to a SOCKS5 proxy - Add workaround for a problem with LD_LIBRARY_PATH on newer systems - Fix issue in the logging code - Fix some build trivialities - Upgrade autoconf ----------------------------------------- Patch: SUSE-2022-3305 Released: Mon Sep 19 11:45:57 2022 Summary: Security update for libtirpc Severity: important References: 1201680,CVE-2021-46828 Description: This update for libtirpc fixes the following issues: - CVE-2021-46828: Fixed denial of service vulnerability with lots of connections (bsc#1201680). ----------------------------------------- Patch: SUSE-2022-3307 Released: Mon Sep 19 13:26:51 2022 Summary: Security update for sqlite3 Severity: moderate References: 1189802,1195773,1201783,CVE-2021-36690,CVE-2022-35737 Description: This update for sqlite3 fixes the following issues: - CVE-2022-35737: Fixed an array-bounds overflow if billions of bytes are used in a string argument to a C API (bnc#1201783). - CVE-2021-36690: Fixed an issue with the SQLite Expert extension when a column has no collating sequence (bsc#1189802). - Package the Tcl bindings here again so that we only ship one copy of SQLite (bsc#1195773). ----------------------------------------- Patch: SUSE-2022-3327 Released: Wed Sep 21 12:47:17 2022 Summary: Security update for oniguruma Severity: important References: 1142847,1150130,1157805,1164550,1164569,1177179,CVE-2019-13224,CVE-2019-16163,CVE-2019-19203,CVE-2019-19204,CVE-2019-19246,CVE-2020-26159 Description: This update for oniguruma fixes the following issues: - CVE-2019-19246: Fixed an out of bounds access during regular expression matching (bsc#1157805). - CVE-2019-19204: Fixed an out of bounds access when compiling a crafted regular expression (bsc#1164569). - CVE-2019-19203: Fixed an out of bounds access when performing a string search (bsc#1164550). - CVE-2019-16163: Fixed an uncontrolled recursion issue when compiling a crafted regular expression, which could lead to denial of service (bsc#1150130). - CVE-2020-26159: Fixed an off-by-one buffer overflow (bsc#1177179). - CVE-2019-13224: Fixed a potential use-after-free when handling multiple different encodings (bsc#1142847). ----------------------------------------- Patch: SUSE-2022-3328 Released: Wed Sep 21 12:48:56 2022 Summary: Recommended update for jitterentropy Severity: moderate References: 1202870 Description: This update for jitterentropy fixes the following issues: - Hide the non-GNUC constructs that are library internal from the exported header, to make it usable in builds with strict C99 compliance. (bsc#1202870) ----------------------------------------- Patch: SUSE-2022-3353 Released: Fri Sep 23 15:23:40 2022 Summary: Security update for permissions Severity: moderate References: 1203018,CVE-2022-31252 Description: This update for permissions fixes the following issues: - CVE-2022-31252: Fixed chkstat group controlled paths (bsc#1203018). ----------------------------------------- Patch: SUSE-2022-3435 Released: Tue Sep 27 14:55:38 2022 Summary: Recommended update for runc Severity: important References: 1202821 Description: This update for runc fixes the following issues: - Fix mounting via wrong proc fd. When the user and mount namespaces are used, and the bind mount is followed by the cgroup mount in the spec, the cgroup was mounted using the bind mount's mount fd. - Fix 'permission denied' error from runc run on noexec fs - Fix regression causing a failed 'exec' error after systemctl daemon-reload (bsc#1202821) ----------------------------------------- Patch: SUSE-2022-3452 Released: Wed Sep 28 12:13:43 2022 Summary: Recommended update for glibc Severity: moderate References: 1201942 Description: This update for glibc fixes the following issues: - Reversing calculation of __x86_shared_non_temporal_threshold (bsc#1201942) - powerpc: Optimized memcmp for power10 (jsc#PED-987) ----------------------------------------- Patch: SUSE-2022-3489 Released: Sat Oct 1 13:35:24 2022 Summary: Security update for expat Severity: important References: 1203438,CVE-2022-40674 Description: This update for expat fixes the following issues: - CVE-2022-40674: Fixed use-after-free in the doContent function in xmlparse.c (bsc#1203438). ----------------------------------------- Patch: SUSE-2022-3555 Released: Mon Oct 10 14:05:12 2022 Summary: Recommended update for aaa_base Severity: important References: 1199492 Description: This update for aaa_base fixes the following issues: - The wrapper rootsh is not a restricted shell. (bsc#1199492) ----------------------------------------- Patch: SUSE-2022-3683 Released: Fri Oct 21 11:48:39 2022 Summary: Security update for libksba Severity: critical References: 1204357,CVE-2022-3515 Description: This update for libksba fixes the following issues: - CVE-2022-3515: Fixed a possible overflow in the TLV parser (bsc#1204357). ----------------------------------------- Patch: SUSE-2022-3785 Released: Wed Oct 26 20:20:19 2022 Summary: Security update for curl Severity: important References: 1204383,1204386,CVE-2022-32221,CVE-2022-42916 Description: This update for curl fixes the following issues: - CVE-2022-32221: Fixed POST following PUT confusion (bsc#1204383). - CVE-2022-42916: Fixed HSTS bypass via IDN (bsc#1204386). ----------------------------------------- Patch: SUSE-2022-3787 Released: Thu Oct 27 04:41:09 2022 Summary: Recommended update for permissions Severity: important References: 1194047,1203911 Description: This update for permissions fixes the following issues: - Fix regression introduced by backport of security fix (bsc#1203911) - Add permissions for enlightenment helper on 32bit arches (bsc#1194047) ----------------------------------------- Patch: SUSE-2022-3806 Released: Thu Oct 27 17:21:11 2022 Summary: Security update for dbus-1 Severity: important References: 1087072,1204111,1204112,1204113,CVE-2022-42010,CVE-2022-42011,CVE-2022-42012 Description: This update for dbus-1 fixes the following issues: - CVE-2022-42010: Fixed potential crash that could be triggered by an invalid signature (bsc#1204111). - CVE-2022-42011: Fixed an out of bounds read caused by a fixed length array (bsc#1204112). - CVE-2022-42012: Fixed a use-after-free that could be trigged by a message in non-native endianness with out-of-band Unix file descriptor (bsc#1204113). Bugfixes: - Disable asserts (bsc#1087072). ----------------------------------------- Patch: SUSE-2022-3851 Released: Wed Nov 2 12:34:17 2022 Summary: Recommended update for rsync Severity: important References: 1202970,1204538 Description: This update for rsync fixes the following issues: - Fix regression with `--delay-updates` where files never update after interruption (bsc#1204538) - Add support for `--trust-sender` parameter (bsc#1202970) ----------------------------------------- Patch: SUSE-2022-3873 Released: Fri Nov 4 14:58:08 2022 Summary: Recommended update for mozilla-nspr, mozilla-nss Severity: moderate References: 1191546,1198980,1201298,1202870,1204729 Description: This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nspr was updated to version 4.34.1: * add file descriptor sanity checks in the NSPR poll function. mozilla-nss was updated to NSS 3.79.2 (bsc#1204729): * Bump minimum NSPR version to 4.34.1. * Gracefully handle null nickname in CERT_GetCertNicknameWithValidity. Other fixes that were applied: - FIPS: Allow the use of DSA keys (verification only) (bsc#1201298). - FIPS: Add sftk_FIPSRepeatIntegrityCheck() to softoken's .def file (bsc#1198980). - FIPS: Allow the use of longer symmetric keys via the service level indicator (bsc#1191546). - FIPS: Prevent TLS sessions from getting flagged as non-FIPS (bsc#1191546). - FIPS: Mark DSA keygen unapproved (bsc#1191546, bsc#1201298). - FIPS: Use libjitterentropy for entropy (bsc#1202870). - FIPS: Fixed an abort() when both NSS_FIPS and /proc FIPS mode are enabled. ----------------------------------------- Patch: SUSE-2022-3884 Released: Mon Nov 7 10:59:26 2022 Summary: Security update for expat Severity: important References: 1204708,CVE-2022-43680 Description: This update for expat fixes the following issues: - CVE-2022-43680: Fixed use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate (bsc#1204708). ----------------------------------------- Patch: SUSE-2022-3904 Released: Tue Nov 8 10:52:13 2022 Summary: Recommended update for openssh Severity: moderate References: 1192439 Description: This update for openssh fixes the following issue: - Prevent empty messages from being sent. (bsc#1192439) ----------------------------------------- Patch: SUSE-2022-3910 Released: Tue Nov 8 13:05:04 2022 Summary: Recommended update for pam Severity: moderate References: Description: This update for pam fixes the following issue: - Update pam_motd to the most current version. (PED-1712) ----------------------------------------- Patch: SUSE-2022-3927 Released: Wed Nov 9 14:55:47 2022 Summary: Recommended update for runc Severity: moderate References: 1202021,1202821 Description: This update for runc fixes the following issues: - Update to runc v1.1.4 (bsc#1202021) - Fix failed exec after systemctl daemon-reload (bsc#1202821) - Fix mounting via wrong proc - Fix 'permission denied' error from runc run on noexec filesystem ----------------------------------------- Patch: SUSE-2022-3958 Released: Fri Nov 11 15:20:45 2022 Summary: Recommended update for mozilla-nss Severity: moderate References: 1191546,1198980,1201298,1202870,1204729 Description: This update for mozilla-nss fixes the following issues: mozilla-nss was updated to NSS 3.79.2 (bsc#1204729) * Bump minimum NSPR version to 4.34.1. * Gracefully handle null nickname in CERT_GetCertNicknameWithValidity. - FIPS: Allow the use of DSA keys (verification only) (bsc#1201298). - FIPS: Add sftk_FIPSRepeatIntegrityCheck() to softoken's .def file (bsc#1198980). - FIPS: Allow the use of longer symmetric keys via the service level indicator (bsc#1191546). - FIPS: Export sftk_FIPSRepeatIntegrityCheck() correctly (bsc#1198980). - FIPS: Prevent sessions from getting flagged as non-FIPS (bsc#1191546). - FIPS: Mark DSA keygen unapproved (bsc#1191546, bsc#1201298). - FIPS: Enable userspace entropy gathering via libjitterentropy (bsc#1202870). - FIPS: Prevent keys from getting flagged as non-FIPS and add remaining TLS mechanisms. - FIPS: Use libjitterentropy for entropy. - FIPS: Fixed an abort() when both NSS_FIPS and /proc FIPS mode are enabled. ----------------------------------------- Patch: SUSE-2022-3999 Released: Tue Nov 15 17:08:04 2022 Summary: Security update for systemd Severity: moderate References: 1204179,1204968,CVE-2022-3821 Description: This update for systemd fixes the following issues: - CVE-2022-3821: Fixed buffer overrun in format_timespan() function (bsc#1204968). - Import commit 0cd50eedcc0692c1f907b24424215f8db7d3b428 * 0469b9f2bc pstore: do not try to load all known pstore modules * ad05f54439 pstore: Run after modules are loaded * ccad817445 core: Add trigger limit for path units * 281d818fe3 core/mount: also add default before dependency for automount mount units * ffe5b4afa8 logind: fix crash in logind on user-specified message string - Document udev naming scheme (bsc#1204179) - Make 'sle15-sp3' net naming scheme still available for backward compatibility reason ----------------------------------------- Patch: SUSE-2022-4062 Released: Fri Nov 18 09:05:07 2022 Summary: Recommended update for libusb-1_0 Severity: moderate References: 1201590 Description: This update for libusb-1_0 fixes the following issues: - Fix regression where some devices no longer work if they have a configuration value of 0 (bsc#1201590) ----------------------------------------- Patch: SUSE-2022-4066 Released: Fri Nov 18 10:43:00 2022 Summary: Recommended update for timezone Severity: important References: 1177460,1202324,1204649,1205156 Description: This update for timezone fixes the following issues: Update timezone version from 2022a to 2022f (bsc#1177460, bsc#1204649, bsc#1205156): - Mexico will no longer observe DST except near the US border - Chihuahua moves to year-round -06 on 2022-10-30 - Fiji no longer observes DST - In vanguard form, GMT is now a Zone and Etc/GMT a link - zic now supports links to links, and vanguard form uses this - Simplify four Ontario zones - Fix a Y2438 bug when reading TZif data - Enable 64-bit time_t on 32-bit glibc platforms - Omit large-file support when no longer needed - Jordan and Syria switch from +02/+03 with DST to year-round +03 - Palestine transitions are now Saturdays at 02:00 - Simplify three Ukraine zones into one - Improve tzselect on intercontinental Zones - Chile's DST is delayed by a week in September 2022 (bsc#1202324) - Iran no longer observes DST after 2022 - Rename Europe/Kiev to Europe/Kyiv - New `zic -R` command option - Vanguard form now uses %z ----------------------------------------- Patch: SUSE-2022-4081 Released: Fri Nov 18 15:40:46 2022 Summary: Security update for dpkg Severity: low References: 1199944,CVE-2022-1664 Description: This update for dpkg fixes the following issues: - CVE-2022-1664: Fixed a directory traversal vulnerability in Dpkg::Source::Archive (bsc#1199944). ----------------------------------------- Patch: SUSE-2022-4135 Released: Mon Nov 21 00:13:40 2022 Summary: Recommended update for libeconf Severity: moderate References: 1198165 Description: This update for libeconf fixes the following issues: - Update to version 0.4.6+git - econftool: Parsing error: Reporting file and line nr. --delimeters=spaces accepting all kind of spaces for delimiter. - libeconf: Parse files correctly on space characters (1198165) - Update to version 0.4.5+git - econftool: New call 'syntax' for checking the configuration files only. Returns an error string with line number if error. New options '--comment' and '--delimeters' ----------------------------------------- Patch: SUSE-2022-4160 Released: Tue Nov 22 10:10:37 2022 Summary: Recommended update for nfsidmap Severity: moderate References: 1200901 Description: This update for nfsidmap fixes the following issues: - Various bugfixes and improvemes from upstream In particular, fixed a crash that can happen when a 'static' mapping is configured. (bsc#1200901) ----------------------------------------- Patch: SUSE-2022-4256 Released: Mon Nov 28 12:36:32 2022 Summary: Recommended update for gcc12 Severity: moderate References: Description: This update for gcc12 fixes the following issues: This update ship the GCC 12 compiler suite and its base libraries. The compiler baselibraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 11 ones. The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP3 and SP4, and provided in the 'Development Tools' module. The Go, D and Ada language compiler parts are available unsupported via the PackageHub repositories. To use gcc12 compilers use: - install 'gcc12' or 'gcc12-c++' or one of the other 'gcc12-COMPILER' frontend packages. - override your Makefile to use CC=gcc12, CXX=g++12 and similar overrides for the other languages. For a full changelog with all new GCC12 features, check out https://gcc.gnu.org/gcc-12/changes.html ----------------------------------------- Patch: SUSE-2022-4311 Released: Fri Dec 2 11:02:43 2022 Summary: Recommended update for open-vm-tools Severity: critical References: Description: This update for open-vm-tools fixes the following issues: - Include binaries of open-vm-tools for ARM architecture aarch64 in SUSE Linux Enterprise 15 Service Pack 4 (jsc#SLE-22385) ----------------------------------------- Patch: SUSE-2022-4312 Released: Fri Dec 2 11:16:47 2022 Summary: Recommended update for tar Severity: moderate References: 1200657,1203600 Description: This update for tar fixes the following issues: - Fix unexpected inconsistency when making directory (bsc#1203600) - Update race condition fix (bsc#1200657) ----------------------------------------- Patch: SUSE-2022-4492 Released: Wed Dec 14 13:52:39 2022 Summary: Recommended update for mozilla-nss Severity: moderate References: 1191546,1198980,1201298 Description: This update for mozilla-nss fixes the following issues: - FIPS: Disapprove the creation of DSA keys, i.e. mark them as not-fips (bsc#1201298) - FIPS: Allow the use SHA keygen mechs (bsc#1191546). - FIPS: ensure abort() is called when the repeat integrity check fails (bsc#1198980). ----------------------------------------- Patch: SUSE-2022-4499 Released: Thu Dec 15 10:48:49 2022 Summary: Recommended update for openssh Severity: moderate References: 1179465 Description: This update for openssh fixes the following issues: - Make ssh connections update their dbus environment (bsc#1179465): * Add openssh-dbus.sh, openssh-dbus.csh, openssh-dbus.fish ----------------------------------------- Patch: SUSE-2022-4597 Released: Wed Dec 21 10:13:11 2022 Summary: Security update for curl Severity: important References: 1206308,1206309,CVE-2022-43551,CVE-2022-43552 Description: This update for curl fixes the following issues: - CVE-2022-43552: HTTP Proxy deny use-after-free (bsc#1206309). - CVE-2022-43551: Fixed HSTS bypass via IDN (bsc#1206308). ----------------------------------------- Patch: SUSE-2022-4601 Released: Wed Dec 21 12:23:59 2022 Summary: Feature update for GNOME 41 Severity: moderate References: 1175622,1179584,1188882,1196205,1200581,1203274,1204867,944832 Description: This update for GNOME 41 fixes the following issues: atkmm1_6: - Version update from 2.28.1 to 2.28.3 (jsc#PED-2235): * Meson build: Avoid unnecessary configuration warnings * Meson build: Perl is not required by new versions of mm-common * Meson build: Require meson >= 0.55.0 * Meson build: Specify 'check' option in run_command(). Will be necessary with future versions of Meson. * Require atk >= 2.12.0 Not a new requirement, but previously it was not specified in configure.ac and meson.build * Support building with Visual Studio 2022 eog: - Version update from 41.1 to 41.2 (jsc#PED-2235): * eog-window: use correct type for display_profile * Fix discovery of Evince for multi-page images evince: - Version update 41.3 to 41.4 (jsc#PED-2235): * shell: Fix failures when thumbnail extraction takes too long * Fix build with meson 0.60.0 and newer evolution: - Ensure evolution-devel is forward compatible with evolution-data-server-devel in a same major version (jsc#PED-2235) evolution-data-center: - Version update from 3.42.4 to 3.42.5 (jsc#PED-2235): * Google OAuth out-of-band (oob) flow will be deprecated folks: - Version update 0.15.3 to 0.15.5 (jsc#PED-2235): * vapi: Add missing generic type argument * Fix docs build against newer eds version * Fix build against newer eds version * Remove volatile keyword from tests gcr: - Version update 3.41.0 to 3.41.1 (jsc#PED-2235): * Add G_SPAWN_CLOEXEC_PIPES flag to all the g_spawn commands * Add gi-docgen dependency which is needed by the docs * Fix build with meson 0.60.0 and newer * Fix build without systemd * Several CI fixes geocode-glib: - Version update from 3.26.2 to 3.26.4 (jsc#PED-2235): * Fix to a test data file not being installed, and a bug fix for a bug in the libsoup3 port * Add support for libsoup 3.x gjs: - Version update from 1.70.1 to 1.70.2 (jsc#PED-2235): * Build and compatibility fixes backported from the development branch * Reverse order of running-from-source checks - Require xorg-x11-Xvfb for proper package build (bsc#1203274) glib2: - Version update from 2.70.4 to 2.70.5 (jsc#PED-2235): * Bugs fixed: glgo#GNOME/GLib#2620, glgo#GNOME/GLib!2537, glgo#GNOME/GLib!2555 * Split gtk-docs from -devel package, these are not needed during building projects using glib2 gnome-control-center: - Fix the size of logo icon in About system (bsc#1200581) - Version update from 41.4 to 41.7 (jsc#PED-2235): * Cellular: Remove duplicate line from .desktop * Info: Allow changing 'Device Name' by pressing 'Enter' * Info: Remove trailing space after CPU name * Keyboard: Fix crash resetting all keyboard shortcuts * Keyboard: Fix leaks * Network: Fix saving passwords for non-wifi connections * Network: Fix critical when opening VPN details page * Wacom: Fix leaks gnome-desktop: - Version update from 41.2 to 41.8 (jsc#PED-2235): * Version increase but no actual changes gnome-music: - Version update from 41.0 to 41.1 (jsc#PED-2235): * Ensure the correct album is played * Fix build with meson 0.61.0 and newer * Fix crash on empty selection * Fix incorrect playlist import * Fix time displayed in RTL languages * Improve async queue work * Make random shuffle actually random * Make shuffle random * Speed increase on first startup on larger collections * Time is reversed in RTL gnome-remote-desktop: - Version update from 41.2 to 41.3 (jsc#PED-2235): * Add Icelandic translation gnome-session: - Clear error messages that can be ignored because expected to happen for GDM sessions (bsc#1204867) - Add fix for gnome-session to exit immediately when lost name on bus (bsc#1175622, bsc#1188882) gnome-shell: - Disable offline update suggestion before shutdown/reboot in SLE and openSUSE Leap (bsc#944832) - Version update from 41.4 to 41.9 (jsc#PED-2235): * Allow extension updates with only Extension Manager installed * Allow more intermediate icon sizes in app grid * Disable workspace switching while in search. * Do not create systemd scope for D-Bus activated apps * Fix calendar to correctly align world clocks header in RTL * Fix drag placeholder position in dash in RTL locales * Fix edge case where windows stay dimmed after a modal is closed * Fix feedback when turning on a11y features by keyboard * Fix focus tracking in magnifier on wayland * Fix fractional timezone offsets in world clock * Fix glitches in overview transition * Fix logging in with realmd * Fix memory leak * Fix opening device settings for enterprise WPA networks * Fix programatically set scrollview fade * Fix regression in ibus support * Fix unresponsive top bar in overview when in fullscreen * Handle monitor changes during startup animation * Hide overview after 'Show Details' from app context menu * Improve Belgian on-screen keyboard layout * Improve CSS shadow appearance * Make sure startup animation completes * Misc. bug fixes and cleanups * Only close messages via delete key if they can be closed * Respect IM hint for candidates list in on-screen keyboard gnome-software: - Disable offline update feature in SUSE Linux Enterprise and openSUSE Leap (bsc#944832) - Version update from 41.4 to 41.5 (jsc#PED-2235): * Added several appstream-related fixed * Disable scroll-by-mouse-wheel on featured carousel * Ensure details page shows app provided on command line gnome-terminal: - Version update from 3.42.2 to 3.42.3 (jsc#PED-2235): * Fix build with meson 0.61.0 and newer * window: Use a normal menu for the popup menu gnome-user-docs: - Version update from 41.1 to 41.5 (jsc#PED-2235): * Added missing icon for network-wired-symbolic gspell: - Version update from 1.8.4 to 1.10.0 (jsc#PED-2235): * Build: distribute more files in tarballs * Documentation improvements gtkmm3: - Version update from 3.24.5 to 3.24.6 (jsc#PED-2235): * Build with Meson: MSVC build: Support Visual Studio 2022 * Check if Perl is required for building documentation * Don't use deprecated python3.path() and execute (..., gui_app...) * GTK: TreeValueProxy: Declare copy constructor = default, avoiding warnings from the claing++ compiler * Object::_release_c_instance(): Unref orphan managed widgets * SizeGroup demo: Set active items in the combo boxs, so something is shown * Specify 'check' option in run_command() gtk-vnc: - Version update from 1.3.0 to 1.3.1 (jsc#PED-2235): * Add 'check' arg to meson run_command() * Fix invalid use of subprojects with meson * Support ZRLE encoding for zero size alpha cursors gupnp-av: - Version update from 0.12.11 to 0.14.1 (jsc#PED-2235): * Add utility function to format GDateTime to the iso variant DIDL expects * Allow to be used as a subproject * Drop autotools * Fix stripping @refID * Fix unsetting subtitleFileType * Make Feature derivable again * Obsolete code removal. * Port to modern GObject * Remove hand-written ref-counting, use RcBox/AtomicRcBox instead. * Switch to meson build system, following upstream - Rename libgupnp-av-1_0-2 subpackage to libgupnp-av-1_0-3, correcting the package name to match the provided library - Conflict with the wrongly provided libgupnp-av-1_0-2 gvfs: - Version update from 1.48.1 to 1.48.2 (jsc#PED-2235): * sftp: Adapt on new OpenSSH password prompts * smb: Rework anonymous handling to avoid EINVAL * smb: Ignore EINVAL for kerberos/ccache login libgsf: - Version update from 1.14.48 to 1.14.50 (jsc#PED-2235): * Fix error handling problem when writing ole files * Fix problems with non-western text in OLE properties * Use g_date_time_new_from_iso8601 and g_date_time_format_iso8601 when available libmediaart: - Version update from 1.9.5 to 1.9.6 (jsc#PED-2235): * build: Add introspection/vapi/tests options * build: Use library() to optionally build a static library libnma: - Version update from 1.8.32 to 1.8.40 (jsc#PED-2235): * Ad-Hoc networks now default to using WPA2 instead of WEP * Add possibility of building libnma-gtk4 library with Gtk4 support * Do not allow setting empty 802.1x domain for EAP TLS * Fixed keyboard accelerator for certificate chooser * Fixed libnma-gtk4 version of mobile-wizard * Include OWE wireless security option * The GtkBuilder files for Gtk4 are now included in the release tarball * WEP is no longer provided as an option for connecting to hidden networks due to its deprecated status - New sub-packages libnma-gtk4-0, typelib-1_0-NMA4-1_0 and libnma-gtk4-devel - Split out documentation files in own docs sub-package libnotify: - Version update from 0.7.10 to 0.7.12 (jsc#PED-2235): * Delete unused notifynotification.xml * Fix potential build errors with old glib version we require * docs/notify-send: Add --transient option to manpage * notification: Bookend calling NotifyActionCallback with temporary reference * notification: Include sender-pid hint by default if not provided * notify-send: Add debug message about server not supporting persistence * notify-send: Add explicit option to create transient notifications * notify-send: Add support for boolean hints * notify-send: Move server capabilities check to a separate function * notify-send: Support passing any hint value, by parsing variant strings libpeas: - Version update from 1.30.0 to 1.32.0 (jsc#PED-2235): * Icon licenses have been corrected * Parallel build system operation fixes * Use gi-docgen for documentation * Various build warnings squashed * Various GIR data that should not have been exported was removed - Stop packaging the demo files/sub-package librsvg: - Version update from 2.52.6 to 2.52.9 (jsc#PED-2235): * Catch circular references when rendering patterns * Fix regressions when computing element geometries * Fix regression outputting all text as paths libsecret: - Version update from 0.20.4 to 0.20.5 (jsc#PED-2235): * Add bash-completion for secret-tool * Add locking capabilities to secret tool * Add support for TPM2 based secret storage * Create default collection after DBus.Error.UnknownObject * Detect local storage in snaps in the same way as flatpaks * Drop autotools-based build * GI annotation and documentation fixes * Port documentation to gi-docgen * Use G_GNUC_NULL_TERMINATED where appropriate collection, methods, prompt: Port to GTask * secret-file-backend: Avoid closing the same file descriptor twice mutter: - Version update from 41.5 to 41.9 (jsc#PED-2235): * Fix '--replace option' * Fix missing root window properties after XWayland start * Fix night light without GAMMA_LUT property * KMS: Survive missing GAMMA_LUT property * wayland: Fix rotation transform * Misc. bug fixes nautilus: - Version update from 41.2 to 41.5(jsc#PED-2235): * Drag-and-drop bugfixes * HighContrast style fixes orca: - Version update from 41.1 to 41.3 (jsc#PED-2235): * Add more event-flood detection and handling for improved performance * Fix bug causing accessing preferences to fail for Esperanto * Web: Fix bug causing widgets descending from off-screen label elements to be skipped over * Web: Fix presentation of the FluentUI react dialog (and any other dialog which has an ARIA document-role descendant) * WebKitGtk: Fail gracefully when structural navigation commands are used in WebKitGtk 2.36.x python-cairo: - Add python3-cairo to SUSE Linux Enterprise Micro 5.3 as it is now required by python3-gobject-cairo python-gobject: - Add dependency on python-cairo to python-gobject-cairo: The introspection wrapper needs pycairo (bsc#1179584) - Version update from 3.42.0 to 3.42.2 (jsc#PED-2235): * Add a workaround for a PyPy 3.9+ bug when threads are used * Do not error out for unknown scopes * Prompt an error instead of crashing when marshaling unsupported fundamental types in some cases * Fix a crash/refcounting error in case marshaling a hash table fails * Fix crashes when marshaling zero terminated arrays for certain item types * Implement DynamicImporter.find_spec() to silence deprecation warning * Make the test suite pass again with PyPy * Some test/CI fixes * gtk overrides: Do not override Treeview.enable_model_drag_xx for GTK4 * gtk overrides: restore Gtk.ListStore.insert_with_valuesv with newer GTK4 * interface: Fix leak when overriding GInterfaceInfo * setup.py: look up pycairo headers without importing the module trackers-python: - Allow system calls used by gstreamer (bsc#1196205) - Version update from 3.2.2 to 3.2.1 (jsc#PED-2235): * Backport seccomp rules for rseq and mbind syscalls vala: - Version update from 0.54.6 to 0.54.8 (jsc#PED-2235): * Add missing TraverseVisitor.visit_data_type() * Add support for 'copy_/free_function' metadata for compact classes * Catch and throw possible inner error of lock statements * Clear SemanticAnalyzer.current_{symbol,source_file} when not needed anymore * Don't count instance-parameter when checking for backwards closure reference * Fix a few binding errors * Free empty stack list for code contexts * Handle duplicated and unnamed symbols. * Improve UI parsing and handling of nested objects and properties * Make sure to drop our 'trap' jump target in case of an error * Move dynamic property errors to semantic analyzer pass * Require lvalue access of delegate target/destroy 'fields' * Show source location when reporting deprecations * Transform assignment of an array element as needed * manual: Update from wiki.gnome.org * parser: Improve handling of nullable VarType in with-statement * parser: Reduce the source reference of main block method to its beginning xdg-desktop-portal-gnome: - Version update from 0.54.6 to 0.54.8 (jsc#PED-2235): * Properly bind property in Lockdown portal ----------------------------------------- Patch: SUSE-2022-4628 Released: Wed Dec 28 09:23:13 2022 Summary: Security update for sqlite3 Severity: moderate References: 1206337,CVE-2022-46908 Description: This update for sqlite3 fixes the following issues: - CVE-2022-46908: Properly implement the azProhibitedFunctions protection mechanism, when relying on --safe for execution of an untrusted CLI script (bsc#1206337). ----------------------------------------- Patch: SUSE-2022-4629 Released: Wed Dec 28 09:24:07 2022 Summary: Security update for systemd Severity: important References: 1200723,1205000,CVE-2022-4415 Description: This update for systemd fixes the following issues: - CVE-2022-4415: Fixed systemd-coredump that did not respect the fs.suid_dumpable kernel setting (bsc#1205000). Bug fixes: - Support by-path devlink for multipath nvme block devices (bsc#1200723). ----------------------------------------- Patch: SUSE-2023-25 Released: Thu Jan 5 09:51:41 2023 Summary: Recommended update for timezone Severity: moderate References: 1177460 Description: This update for timezone fixes the following issues: Version update from 2022f to 2022g (bsc#1177460): - In the Mexican state of Chihuahua: * The border strip near the US will change to agree with nearby US locations on 2022-11-30. * The strip's western part, represented by Ciudad Juarez, switches from -06 all year to -07/-06 with US DST rules, like El Paso, TX. * The eastern part, represented by Ojinaga, will observe US DST next year, like Presidio, TX. * A new Zone America/Ciudad_Juarez splits from America/Ojinaga. - Much of Greenland, represented by America/Nuuk, stops observing winter time after March 2023, so its daylight saving time becomes standard time. - Changes for pre-1996 northern Canada - Update to past DST transition in Colombia (1993), Singapore (1981) - 'timegm' is now supported by default ----------------------------------------- Patch: SUSE-2023-48 Released: Mon Jan 9 10:37:54 2023 Summary: Recommended update for libtirpc Severity: moderate References: 1199467 Description: This update for libtirpc fixes the following issues: - Consider /proc/sys/net/ipv4/ip_local_reserved_ports, before binding to a random port (bsc#1199467) ----------------------------------------- Patch: SUSE-2023-52 Released: Mon Jan 9 10:43:57 2023 Summary: Recommended update for xfsprogs Severity: moderate References: 1205266,1205272,1205284,1205377 Description: This update for xfsprogs fixes the following issues: - mkfs: don't trample the gid set in the protofile (bsc#1205266) - mkfs: prevent corruption of passed-in suboption string values (bsc#1205377) - mkfs: terminate getsubopt arrays properly (bsc#1205284) - xfs_repair: ignore empty xattr leaf blocks (bsc#1205272) ----------------------------------------- Patch: SUSE-2023-54 Released: Mon Jan 9 10:49:19 2023 Summary: Recommended update for bash-completion Severity: moderate References: 1200791 Description: This update for bash-completion fixes the following issues: - Fix curl help completion (bsc#1200791) ----------------------------------------- Patch: SUSE-2023-56 Released: Mon Jan 9 11:13:43 2023 Summary: Security update for libksba Severity: moderate References: 1206579,CVE-2022-47629 Description: This update for libksba fixes the following issues: - CVE-2022-47629: Fixed an integer overflow vulnerability in the CRL signature parser (bsc#1206579). ----------------------------------------- Patch: SUSE-2023-119 Released: Fri Jan 20 10:28:07 2023 Summary: Security update for mozilla-nss Severity: important References: 1204272,1207038,CVE-2022-23491,CVE-2022-3479 Description: This update for mozilla-nss fixes the following issues: - CVE-2022-3479: Fixed a potential crash that could be triggered when a server requested a client authentication certificate, but the client had no certificates stored (bsc#1204272). - Updated to version 3.79.3 (bsc#1207038): - CVE-2022-23491: Removed trust for 3 root certificates from TrustCor. ----------------------------------------- Patch: SUSE-2023-179 Released: Thu Jan 26 21:54:30 2023 Summary: Recommended update for tar Severity: low References: 1202436 Description: This update for tar fixes the following issue: - Fix hang when unpacking test tarball (bsc#1202436) ----------------------------------------- Patch: SUSE-2023-181 Released: Thu Jan 26 21:55:43 2023 Summary: Recommended update for procps Severity: low References: 1206412 Description: This update for procps fixes the following issues: - Improve memory handling/usage (bsc#1206412) - Make sure that correct library version is installed (bsc#1206412) ----------------------------------------- Patch: SUSE-2023-201 Released: Fri Jan 27 15:24:15 2023 Summary: Security update for systemd Severity: moderate References: 1204944,1205000,1207264,CVE-2022-4415 Description: This update for systemd fixes the following issues: - CVE-2022-4415: Fixed an issue where users could access coredumps with changed uid, gid or capabilities (bsc#1205000). Non-security fixes: - Enabled the pstore service (jsc#PED-2663). - Fixed an issue accessing TPM when secure boot is enabled (bsc#1204944). - Fixed an issue where a pamd file could get accidentally overwritten after an update (bsc#1207264). ----------------------------------------- Patch: SUSE-2023-348 Released: Fri Feb 10 15:08:41 2023 Summary: Security update for less Severity: moderate References: 1207815,CVE-2022-46663 Description: This update for less fixes the following issues: - CVE-2022-46663: Fixed denial-of-service by printing specially crafted escape sequences to the terminal (bsc#1207815). ----------------------------------------- Patch: SUSE-2023-429 Released: Wed Feb 15 17:41:22 2023 Summary: Security update for curl Severity: important References: 1207990,1207991,1207992,CVE-2023-23914,CVE-2023-23915,CVE-2023-23916 Description: This update for curl fixes the following issues: - CVE-2023-23914: Fixed HSTS ignored on multiple requests (bsc#1207990). - CVE-2023-23915: Fixed HSTS amnesia with --parallel (bsc#1207991). - CVE-2023-23916: Fixed HTTP multi-header compression denial of service (bsc#1207992). ----------------------------------------- Patch: SUSE-2023-434 Released: Thu Feb 16 09:08:05 2023 Summary: Security update for mozilla-nss Severity: important References: 1208138,CVE-2023-0767 Description: This update for mozilla-nss fixes the following issues: Updated to NSS 3.79.4 (bsc#1208138): - CVE-2023-0767: Fixed handling of unknown PKCS#12 safe bag types. ----------------------------------------- Patch: SUSE-2023-463 Released: Mon Feb 20 16:33:39 2023 Summary: Security update for tar Severity: moderate References: 1202436,1207753,CVE-2022-48303 Description: This update for tar fixes the following issues: - CVE-2022-48303: Fixed a one-byte out-of-bounds read that resulted in use of uninitialized memory for a conditional jump (bsc#1207753). Bug fixes: - Fix hang when unpacking test tarball (bsc#1202436). ----------------------------------------- Patch: SUSE-2023-464 Released: Mon Feb 20 18:11:37 2023 Summary: Recommended update for systemd Severity: moderate References: Description: This update for systemd fixes the following issues: - Merge of v249.15 - Drop workaround related to systemd-timesyncd that addressed a Factory issue. - Conditionalize the use of /lib/modprobe.d only on systems with split usr support enabled (i.e. SLE). - Make use of the %systemd_* rpm macros consistently. Using the upstream variants will ease the backports of Factory changes to SLE since Factory systemd uses the upstream variants exclusively. - machines.target belongs to systemd-container, do its init/cleanup steps from the scriptlets of this sub-package. - Make sure we apply the presets on units shipped by systemd package. - systemd-testsuite: move the integration tests in a dedicated sub directory. - Move systemd-cryptenroll into udev package. ----------------------------------------- Patch: SUSE-2023-557 Released: Tue Feb 28 09:29:15 2023 Summary: Security update for libxslt Severity: important References: 1208574,CVE-2021-30560 Description: This update for libxslt fixes the following issues: - CVE-2021-30560: Fixing a use after free vulnerability in Blink XSLT (bsc#1208574). ----------------------------------------- Patch: SUSE-2023-617 Released: Fri Mar 3 16:49:06 2023 Summary: Recommended update for jitterentropy Severity: moderate References: 1207789 Description: This update for jitterentropy fixes the following issues: - build jitterentropy library with debuginfo (bsc#1207789) ----------------------------------------- Patch: SUSE-2023-709 Released: Fri Mar 10 16:04:41 2023 Summary: Recommended update for console-setup Severity: moderate References: 1202853 Description: This update for console-setup and kbd fixes the following issue: - Fix Caps_Lock mapping for us.map and others (bsc#1202853) ----------------------------------------- Patch: SUSE-2023-776 Released: Thu Mar 16 17:29:23 2023 Summary: Recommended update for gcc12 Severity: moderate References: Description: This update for gcc12 fixes the following issues: This update ships gcc12 also to the SUSE Linux Enterprise 15 SP1 LTSS and 15 SP2 LTSS products. SUSE Linux Enterprise 15 SP3 and SP4 get only refreshed builds without changes This update ship the GCC 12 compiler suite and its base libraries. The compiler baselibraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 11 ones. The new compilers for C, C++, and Fortran are provided in the SUSE Linux Enterprise Module for Development Tools. To use gcc12 compilers use: - install 'gcc12' or 'gcc12-c++' or one of the other 'gcc12-COMPILER' frontend packages. - override your makefile to use CC=gcc12, CXX=g++12 and similar overrides for the other languages. For a full changelog with all new GCC12 features, check out https://gcc.gnu.org/gcc-12/changes.html ----------------------------------------- Patch: SUSE-2023-875 Released: Wed Mar 22 19:17:54 2023 Summary: Recommended update for sg3_utils Severity: moderate References: 1207706 Description: This update for sg3_utils fixes the following issues: - Speed large multipath scans (bsc#1207706) ----------------------------------------- Patch: SUSE-2023-1582 Released: Mon Mar 27 10:31:52 2023 Summary: Security update for curl Severity: moderate References: 1209209,1209210,1209211,1209212,1209214,CVE-2023-27533,CVE-2023-27534,CVE-2023-27535,CVE-2023-27536,CVE-2023-27538 Description: This update for curl fixes the following issues: - CVE-2023-27533: Fixed TELNET option IAC injection (bsc#1209209). - CVE-2023-27534: Fixed SFTP path ~ resolving discrepancy (bsc#1209210). - CVE-2023-27535: Fixed FTP too eager connection reuse (bsc#1209211). - CVE-2023-27536: Fixed GSS delegation too eager connection reuse (bsc#1209212). - CVE-2023-27538: Fixed SSH connection too eager reuse still (bsc#1209214). ----------------------------------------- Patch: SUSE-2023-1688 Released: Wed Mar 29 18:19:10 2023 Summary: Security update for zstd Severity: moderate References: 1209533,CVE-2022-4899 Description: This update for zstd fixes the following issues: - CVE-2022-4899: Fixed buffer overrun in util.c (bsc#1209533). ----------------------------------------- Patch: SUSE-2023-1718 Released: Fri Mar 31 15:47:34 2023 Summary: Security update for glibc Severity: moderate References: 1207571,1207957,1207975,1208358,CVE-2023-0687 Description: This update for glibc fixes the following issues: Security issue fixed: - CVE-2023-0687: Fix allocated buffer overflow in gmon (bsc#1207975) Other issues fixed: - Fix avx2 strncmp offset compare condition check (bsc#1208358) - elf: Allow dlopen of filter object to work (bsc#1207571) - powerpc: Fix unrecognized instruction errors with recent GCC - x86: Cache computation for AMD architecture (bsc#1207957) ----------------------------------------- Patch: SUSE-2023-1779 Released: Thu Apr 6 08:16:58 2023 Summary: Recommended update for systemd Severity: moderate References: 1208432 Description: This update for systemd fixes the following issues: - Fix return non-zero value when disabling SysVinit service (bsc#1208432) - Drop build requirement on libpci, it's not no longer needed - Move systemd-boot and all components managing (secure) UEFI boot into udev sub-package, so they aren't installed in systemd based containers ----------------------------------------- Patch: SUSE-2023-1805 Released: Tue Apr 11 10:12:41 2023 Summary: Recommended update for timezone Severity: important References: Description: This update for timezone fixes the following issues: - Version update from 2022g to 2023c: * Egypt now uses DST again, from April through October. * This year Morocco springs forward April 23, not April 30. * Palestine delays the start of DST this year. * Much of Greenland still uses DST from 2024 on. * America/Yellowknife now links to America/Edmonton. * tzselect can now use current time to help infer timezone. * The code now defaults to C99 or later. ----------------------------------------- Patch: SUSE-2023-1809 Released: Tue Apr 11 11:47:44 2023 Summary: Recommended update for haveged Severity: moderate References: 1203079 Description: This update for haveged fixes the following issues: - Synchronize haveged instances during switching root (bsc#1203079) ----------------------------------------- Patch: SUSE-2023-1813 Released: Tue Apr 11 13:39:36 2023 Summary: Recommended update for open-vm-tools Severity: low References: 1208880 Description: This update for open-vm-tools fixes the following issue: - Ship missing open-vm-tools-salt-minion package. (bsc#1208880) ----------------------------------------- Patch: SUSE-2023-1880 Released: Tue Apr 18 11:11:27 2023 Summary: Recommended update for systemd-rpm-macros Severity: low References: 1208079 Description: This update for systemd-rpm-macros fixes the following issue: - Don't emit a warning when the flag file in /var/lib/systemd/migrated/ is not present as it's expected (bsc#1208079). ----------------------------------------- Patch: SUSE-2023-1939 Released: Fri Apr 21 11:14:30 2023 Summary: Recommended update for mozilla-nss Severity: moderate References: 1191546,1207209,1208242,1208999 Description: This update for mozilla-nss fixes the following issues: - FIPS 140-3: Adjust SLI reporting for PBKDF2 parameter validation (bsc#1208999) - FIPS 140-3: Update session->lastOpWasFIPS before destroying the key after derivation in the CKM_TLS12_KEY_AND_MAC_DERIVE, CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256, CKM_TLS_KEY_AND_MAC_DERIVE and CKM_SSL3_KEY_AND_MAC_DERIVE cases. (bsc#1191546) - FIPS 140-3: more changes for pairwise consistency checks. (bsc#1207209) - Add manpages to mozilla-nss-tools (bsc#1208242) ----------------------------------------- Patch: SUSE-2023-1994 Released: Tue Apr 25 13:53:25 2023 Summary: Security update for avahi Severity: moderate References: 1210328,CVE-2023-1981 Description: This update for avahi fixes the following issues: - CVE-2023-1981: Fixed crash in avahi-daemon (bsc#1210328). ----------------------------------------- Patch: SUSE-2023-2003 Released: Tue Apr 25 18:05:42 2023 Summary: Security update for runc Severity: important References: 1168481,1208962,1209884,1209888,CVE-2023-25809,CVE-2023-27561,CVE-2023-28642 Description: This update for runc fixes the following issues: Update to runc v1.1.5: Security fixes: - CVE-2023-25809: Fixed rootless `/sys/fs/cgroup` is writable when cgroupns isn't unshared (bnc#1209884). - CVE-2023-27561: Fixed regression that reintroduced CVE-2019-19921 vulnerability (bnc#1208962). - CVE-2023-28642: Fixed AppArmor/SELinux bypass with symlinked /proc (bnc#1209888). Other fixes: - Fix the inability to use `/dev/null` when inside a container. - Fix changing the ownership of host's `/dev/null` caused by fd redirection (bsc#1168481). - Fix rare runc exec/enter unshare error on older kernels. - nsexec: Check for errors in `write_log()`. - Drop version-specific Go requirement. ----------------------------------------- Patch: SUSE-2023-2039 Released: Wed Apr 26 11:42:49 2023 Summary: Recommended update for lshw Severity: moderate References: 1209531 Description: This update for lshw fixes the following issues: - Update to version B.02.19.2+git.20230320 (bsc#1209531) ----------------------------------------- Patch: SUSE-2023-2060 Released: Thu Apr 27 17:04:25 2023 Summary: Security update for glib2 Severity: moderate References: 1209713,1209714,1210135,CVE-2023-24593,CVE-2023-25180 Description: This update for glib2 fixes the following issues: - CVE-2023-24593: Fixed a denial of service caused by handling a malicious text-form variant (bsc#1209714). - CVE-2023-25180: Fixed a denial of service caused by malicious serialised variant (bsc#1209713). The following non-security bug was fixed: - Fixed regression on s390x (bsc#1210135, glgo#GNOME/glib!2978). ----------------------------------------- Patch: SUSE-2023-2104 Released: Thu May 4 21:05:30 2023 Summary: Recommended update for procps Severity: moderate References: 1209122 Description: This update for procps fixes the following issue: - Allow - as leading character to ignore possible errors on systctl entries (bsc#1209122) ----------------------------------------- Patch: SUSE-2023-2111 Released: Fri May 5 14:34:00 2023 Summary: Security update for ncurses Severity: moderate References: 1210434,CVE-2023-29491 Description: This update for ncurses fixes the following issues: - CVE-2023-29491: Fixed memory corruption issues when processing malformed terminfo data (bsc#1210434). ----------------------------------------- Patch: SUSE-2023-2131 Released: Tue May 9 13:35:24 2023 Summary: Recommended update for openssh Severity: important References: 1207014 Description: This update for openssh fixes the following issues: - Remove some patches that cause invalid environment assignments (bsc#1207014). ----------------------------------------- Patch: SUSE-2023-2159 Released: Wed May 10 16:49:20 2023 Summary: Recommended update for open-vm-tools Severity: moderate References: 1205962,1209128 Description: This update for open-vm-tools fixes the following issues: - Update to 12.2.0 (bsc#1209128) - Build the containerinfo plugin for TW/SLES15-SP5 and newer.(jsc#PED-1344) ----------------------------------------- Patch: SUSE-2023-2224 Released: Wed May 17 09:53:54 2023 Summary: Security update for curl Severity: important References: 1211230,1211231,1211232,1211233,CVE-2023-28319,CVE-2023-28320,CVE-2023-28321,CVE-2023-28322 Description: This update for curl adds the following feature: Update to version 8.0.1 (jsc#PED-2580) - CVE-2023-28319: use-after-free in SSH sha256 fingerprint check (bsc#1211230). - CVE-2023-28320: siglongjmp race condition (bsc#1211231). - CVE-2023-28321: IDN wildcard matching (bsc#1211232). - CVE-2023-28322: POST-after-PUT confusion (bsc#1211233). ----------------------------------------- Patch: SUSE-2023-2240 Released: Wed May 17 19:56:54 2023 Summary: Recommended update for systemd Severity: moderate References: 1203141,1207410 Description: This update for systemd fixes the following issues: - udev-rules: fix nvme symlink creation on namespace changes (bsc#1207410) - Optimize when hundred workers claim the same symlink with the same priority (bsc#1203141) - Add nss-resolve and systemd-network to Packagehub-Subpackages (MSC-626) ----------------------------------------- Patch: SUSE-2023-2256 Released: Fri May 19 15:26:43 2023 Summary: Security update for runc Severity: important References: 1200441 Description: This update of runc fixes the following issues: - rebuild the package with the go 19.9 secure release (bsc#1200441). ----------------------------------------- Patch: SUSE-2023-2307 Released: Mon May 29 10:29:49 2023 Summary: Recommended update for kbd Severity: low References: 1210702 Description: This update for kbd fixes the following issue: - Add 'ara' vc keymap, 'ara' is slightly better than 'arabic' as it matches the name of its X11 layout counterpart. (bsc#1210702) ----------------------------------------- Patch: SUSE-2023-2481 Released: Fri Jun 9 15:18:12 2023 Summary: Recommended update for dracut Severity: moderate References: 1210909,1211072,1211080 Description: This update for dracut fixes the following issues: - Update to version 055+suse.364.g4c1d0276: - Honor rd.timeout for nvme ctrl_loss_tmo (bsc#1211080) - Suppress warning if hostname is not set (bsc#1211072) - Set netroot=nbft (bsc#1210909) ----------------------------------------- Patch: SUSE-2023-2482 Released: Mon Jun 12 07:19:53 2023 Summary: Recommended update for systemd-rpm-macros Severity: moderate References: 1211272 Description: This update for systemd-rpm-macros fixes the following issues: - Adjust functions so they are disabled when called from a chroot (bsc#1211272) ----------------------------------------- Patch: SUSE-2023-2484 Released: Mon Jun 12 08:49:58 2023 Summary: Security update for openldap2 Severity: moderate References: 1211795,CVE-2023-2953 Description: This update for openldap2 fixes the following issues: - CVE-2023-2953: Fixed null pointer deref in ber_memalloc_x (bsc#1211795). ----------------------------------------- Patch: 29171 Released: Tue Jun 20 12:29:00 2023 Summary: Security update for openssl-1_1 Severity: important References: 1201627,1207534,1211430,CVE-2022-4304,CVE-2023-2650 Description: This update for openssl-1_1 fixes the following issues: - CVE-2023-2650: Fixed possible denial of service translating ASN.1 object identifiers (bsc#1211430). - CVE-2022-4304: Reworked the fix for the Timing-Oracle in RSA decryption. The previous fix for this timing side channel turned out to cause a severe 2-3x performance regression in the typical use case (bsc#1207534). - Update further expiring certificates that affect tests (bsc#1201627) ----------------------------------------- Patch: SUSE-2023-2604 Released: Thu Jun 22 09:48:53 2023 Summary: Security update for open-vm-tools Severity: moderate References: 1210695,1212143,CVE-2023-20867 Description: This update for open-vm-tools fixes the following issues: - CVE-2023-20867: Fixed authentication bypass vulnerability in the vgauth module (bsc#1212143). Bug fixes: - Fixed build problem with grpc 1.54 (bsc#1210695). ----------------------------------------- Patch: SUSE-2023-2615 Released: Thu Jun 22 14:50:55 2023 Summary: Recommended update for mdadm Severity: important References: 1208618 Description: This update for mdadm fixes the following issues: - Grow: fix possible memory leak (bsc#1208618) - Use source code mdadm-4.2.tar.xz from kernel.org version for checksum ----------------------------------------- Patch: SUSE-2023-2625 Released: Fri Jun 23 17:16:11 2023 Summary: Recommended update for gcc12 Severity: moderate References: Description: This update for gcc12 fixes the following issues: - Update to GCC 12.3 release, 0c61aa720e62f1baf0bfd178e283, git1204 * includes regression and other bug fixes - Speed up builds with --enable-link-serialization. - Update embedded newlib to version 4.2.0 ----------------------------------------- Patch: SUSE-2023-2658 Released: Tue Jun 27 14:46:15 2023 Summary: Recommended update for containerd, docker, runc Severity: moderate References: 1207004,1208074,1210298,1211578 Description: This update for containerd, docker, runc fixes the following issues: - Update to containerd v1.6.21 (bsc#1211578) - Update to Docker 23.0.6-ce (bsc#1211578) - Update to runc v1.1.7 - Require a minimum Go version explicitly (bsc#1210298) - Re-unify packaging for SLE-12 and SLE-15 - Fix build on SLE-12 by switching back to libbtrfs-devel headers - Allow man pages to be built without internet access in OBS - Add apparmor-parser as a Recommends to make sure that most users will end up with it installed even if they are primarily running SELinux - Fix syntax of boolean dependency - Allow to install container-selinux instead of apparmor-parser - Change to using systemd-sysusers - Update runc.keyring to upstream version - Fix the inability to use `/dev/null` when inside a container (bsc#1207004) ----------------------------------------- Patch: SUSE-2023-2740 Released: Fri Jun 30 10:57:08 2023 Summary: Recommended update for dracut Severity: moderate References: 1212662 Description: This update for dracut fixes the following issues: - Update to version 055+suse.366.g14047665 - Continue parsing if ldd prints 'cannot execute binary file' (bsc#1212662) ----------------------------------------- Patch: SUSE-2023-2765 Released: Mon Jul 3 20:28:14 2023 Summary: Security update for libcap Severity: moderate References: 1211418,1211419,CVE-2023-2602,CVE-2023-2603 Description: This update for libcap fixes the following issues: - CVE-2023-2602: Fixed improper memory release in libcap/psx/psx.c:__wrap_pthread_create() (bsc#1211418). - CVE-2023-2603: Fixed an integer overflow or wraparound in libcap/cap_alloc.c:_libcap_strdup() (bsc#1211419). ----------------------------------------- Patch: SUSE-2023-2788 Released: Thu Jul 6 11:51:02 2023 Summary: Recommended update for mozilla-nspr, mozilla-nss Severity: moderate References: 1185116,1202118 Description: This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nspr was updated to version 4.35 * fixes for building with clang * use the number of online processors for the PR_GetNumberOfProcessors() API on some platforms * fix build on mips+musl libc * Add support for the LoongArch 64-bit architecture mozilla-nss was update to NSS 3.90: * clang-format lib/freebl/stubs.c * Add a constant time select function * Updating an old dbm with lots of certs with keys to sql results in a database that is slow to access. * output early build errors by default * Update the technical constraints for KamuSM * Add BJCA Global Root CA1 and CA2 root certificates * Enable default UBSan Checks * Add explicit handling of zero length records * Tidy up DTLS ACK Error Handling Path * Refactor zero length record tests * Fix compiler warning via correct assert * run linux tests on nss-t/t-linux-xlarge-gcp * In FIPS mode, nss should reject RSASSA-PSS salt lengths larger than the output size of the hash function used, or provide an indicator * Fix reading raw negative numbers * Repairing unreachable code in clang built with gyp * Integrate Vale Curve25519 * Removing unused flags for Hacl* * Adding a better error message * Update HACL* till 51a72a953a4ee6f91e63b2816ae5c4e62edf35d6 * Fall back to the softokn when writing certificate trust * FIPS-104-3 requires we restart post programmatically * cmd/ecperf: fix dangling pointer warning on gcc 13 * Update ACVP dockerfile for compatibility with debian package changes * Add a CI task for tracking ECCKiila code status, update whitespace in ECCKiila files * Removed deprecated sprintf function and replaced with snprintf * fix rst warnings in nss doc * Fix incorrect pygment style * Change GYP directive to apply across platforms * Add libsmime3 abi-check exception for NSS_CMSSignerInfo_GetDigestAlgTag - Merge the libfreebl3-hmac and libsoftokn3-hmac packages into the respective libraries. (bsc#1185116) update to NSS 3.89.1 * Update the technical constraints for KamuSM. * Add BJCA Global Root CA1 and CA2 root certificates. update to NSS 3.89 * revert freebl/softoken RSA_MIN_MODULUS_BITS increase * PR_STATIC_ASSERT is cursed * Need to add policy control to keys lengths for signatures * Fix unreachable code warning in fuzz builds * Fix various compiler warnings in NSS * Enable various compiler warnings for clang builds * set PORT error after sftk_HMACCmp failure * Need to add policy control to keys lengths for signatures * remove data length assertion in sec_PKCS7Decrypt * Make high tag number assertion failure an error * CKM_SHA384_KEY_DERIVATION correction maximum key length from 284 to 384 * Tolerate certificate_authorities xtn in ClientHello * Fix build failure on Windows * migrate Win 2012 tasks to Azure * fix title length in doc * Add interop tests for HRR and PSK to GREASE suite * Add presence/absence tests for TLS GREASE * Correct addition of GREASE value to ALPN xtn * CH extension permutation * TLS GREASE (RFC8701) * improve handling of unknown PKCS#12 safe bag types * use a different treeherder symbol for each docker image build task * remove nested table in rst doc * Export NSS_CMSSignerInfo_GetDigestAlgTag * build failure while implicitly casting SECStatus to PRUInt32 update to NSS 3.88.1 * improve handling of unknown PKCS#12 safe bag types update to NSS 3.88 * remove nested table in rst doc * Export NSS_CMSSignerInfo_GetDigestAlgTag. * build failure while implicitly casting SECStatus to PRUInt32 * Add check for ClientHello SID max length * Added EarlyData ALPN test support to BoGo shim * ECH client - Discard resumption TLS < 1.3 Session(IDs|Tickets) if ECH configs are setup * On HRR skip PSK incompatible with negotiated ciphersuites hash algorithm * ECH client: Send ech_required alert on server negotiating TLS 1.2. Fixed misleading Gtest, enabled corresponding BoGo test * Added Bogo ECH rejection test support * Added ECH 0Rtt support to BoGo shim * RSA OAEP Wycheproof JSON * RSA decrypt Wycheproof JSON * ECDSA Wycheproof JSON * ECDH Wycheproof JSON * PKCS#1v1.5 wycheproof json * Use X25519 wycheproof json * Move scripts to python3 * Properly link FuzzingEngine for oss-fuzz. * Extending RSA-PSS bltest test coverage (Adding SHA-256 and SHA-384) * NSS needs to move off of DSA for integrity checks * Add initial testing with ACVP vector sets using acvp-rust * Don't clone libFuzzer, rely on clang instead update to NSS 3.87 * NULL password encoding incorrect * Fix rng stub signature for fuzzing builds * Updating the compiler parsing for build * Modification of supported compilers * tstclnt crashes when accessing gnutls server without a user cert in the database. * Add configuration option to enable source-based coverage sanitizer * Update ECCKiila generated files. * Add support for the LoongArch 64-bit architecture * add checks for zero-length RSA modulus to avoid memory errors and failed assertions later * Additional zero-length RSA modulus checks update to NSS 3.86 * conscious language removal in NSS * Set nssckbi version number to 2.60 * Set CKA_NSS_SERVER_DISTRUST_AFTER and CKA_NSS_EMAIL_DISTRUST_AFTER for 3 TrustCor Root Certificates * Remove Staat der Nederlanden EV Root CA from NSS * Remove EC-ACC root cert from NSS * Remove SwissSign Platinum CA - G2 from NSS * Remove Network Solutions Certificate Authority * compress docker image artifact with zstd * Migrate nss from AWS to GCP * Enable static builds in the CI * Removing SAW docker from the NSS build system * Initialising variables in the rsa blinding code * Implementation of the double-signing of the message for ECDSA * Adding exponent blinding for RSA. update to NSS 3.85 * Modification of the primes.c and dhe-params.c in order to have better looking tables * Update zlib in NSS to 1.2.13 * Skip building modutil and shlibsign when building in Firefox * Mark _nss_version_c unused on clang-cl * bmo#1795668 - Remove redundant variable definitions in lowhashtest * Add note about python executable to build instructions. update to NSS 3.84 * Bump minimum NSPR version to 4.35 * Add a flag to disable building libnssckbi. update to NSS 3.83 * Remove set-but-unused variables from SEC_PKCS12DecoderValidateBags * Set nssckbi version number to 2.58 * Add two SECOM root certificates to NSS * Add two DigitalSign root certificates to NSS * Remove Camerfirma Global Chambersign Root from NSS * Added bug reference and description to disabled UnsolicitedServerNameAck bogo ECH test * Removed skipping of ECH on equality of private and public server name * Added comment and bug reference to ECHRandomHRRExtension bogo test * Added Bogo shim client HRR test support. Fixed overwriting of CHInner.random on HRR * Added check for server only sending ECH extension with retry configs in EncryptedExtensions and if not accepting ECH. Changed config setting behavior to skip configs with unsupported mandatory extensions instead of failing * Added ECH client support to BoGo shim. Changed CHInner creation to skip TLS 1.2 only extensions to comply with BoGo * Added ECH server support to BoGo shim. Fixed NSS ECH server accept_confirmation bugs * Update BoGo tests to recent BoringSSL version * Bump minimum NSPR version to 4.34.1 update to NSS 3.82 * check for null template in sec_asn1{d,e}_push_state * QuickDER: Forbid NULL tags with non-zero length * Initialize local variables in TlsConnectTestBase::ConnectAndCheckCipherSuite * Cast the result of GetProcAddress * pk11wrap: Tighten certificate lookup based on PKCS #11 URI. update to NSS 3.81 * Enable aarch64 hardware crypto support on OpenBSD * make NSS_SecureMemcmp 0/1 valued * Add no_application_protocol alert handler and test client error code is set * Gracefully handle null nickname in CERT_GetCertNicknameWithValidity * required for Firefox 104 - raised NSPR requirement to 4.34.1 - changing some Requires from (pre) to generic as (pre) is not sufficient (bsc#1202118) update to NSS 3.80 * Fix SEC_ERROR_ALGORITHM_MISMATCH entry in SECerrs.h. * Add support for asynchronous client auth hooks. * nss-policy-check: make unknown keyword check optional. * GatherBuffer: Reduced plaintext buffer allocations by allocating it on initialization. Replaced redundant code with assert. Debug builds: Added buffer freeing/allocation for each record. * Mark 3.79 as an ESR release. * Bump nssckbi version number for June. * Remove Hellenic Academic 2011 Root. * Add E-Tugra Roots. * Add Certainly Roots. * Add DigitCert Roots. * Protect SFTKSlot needLogin with slotLock. * Compare signature and signatureAlgorithm fields in legacy certificate verifier. * Uninitialized value in cert_VerifyCertChainOld. * Unchecked return code in sec_DecodeSigAlg. * Uninitialized value in cert_ComputeCertType. * Avoid data race on primary password change. * Replace ppc64 dcbzl intrinisic. * Allow LDFLAGS override in makefile builds. ----------------------------------------- Patch: SUSE-2023-2811 Released: Wed Jul 12 11:56:18 2023 Summary: Recommended update for libfido2, python-fido2, yubikey-manager, yubikey-manager-qt Severity: moderate References: Description: This update for libfido2, python-fido2, yubikey-manager, yubikey-manager-qt fixes the following issues: This update provides a feature update to the FIDO2 stack. Changes in libfido2: - Version 1.13.0 (2023-02-20) * New API calls: + fido_assert_empty_allow_list; + fido_cred_empty_exclude_list. * fido2-token: fix issue when listing large blobs. - Version 1.12.0 (2022-09-22) * Support for COSE_ES384. * Improved support for FIDO 2.1 authenticators. * New API calls: + es384_pk_free; + es384_pk_from_EC_KEY; + es384_pk_from_EVP_PKEY; + es384_pk_from_ptr; + es384_pk_new; + es384_pk_to_EVP_PKEY; + fido_cbor_info_certs_len; + fido_cbor_info_certs_name_ptr; + fido_cbor_info_certs_value_ptr; + fido_cbor_info_maxrpid_minpinlen; + fido_cbor_info_minpinlen; + fido_cbor_info_new_pin_required; + fido_cbor_info_rk_remaining; + fido_cbor_info_uv_attempts; + fido_cbor_info_uv_modality. * Documentation and reliability fixes. - Version 1.11.0 (2022-05-03) * Experimental PCSC support; enable with -DUSE_PCSC. * Improved OpenSSL 3.0 compatibility. * Use RFC1951 raw deflate to compress CTAP 2.1 largeBlobs. * winhello: advertise 'uv' instead of 'clientPin'. * winhello: support hmac-secret in fido_dev_get_assert(). * New API calls: + fido_cbor_info_maxlargeblob. * Documentation and reliability fixes. * Separate build and regress targets. - Version 1.10.0 (2022-01-17) * bio: fix CTAP2 canonical CBOR encoding in fido_bio_dev_enroll_*(); gh#480. * New API calls: - fido_dev_info_set; - fido_dev_io_handle; - fido_dev_new_with_info; - fido_dev_open_with_info. * Cygwin and NetBSD build fixes. * Documentation and reliability fixes. * Support for TPM 2.0 attestation of COSE_ES256 credentials. - Version 1.9.0 (2021-10-27) * Enabled NFC support on Linux. * Support for FIDO 2.1 'minPinLength' extension. * Support for COSE_EDDSA, COSE_ES256, and COSE_RS1 attestation. * Support for TPM 2.0 attestation. * Support for device timeouts; see fido_dev_set_timeout(). * New API calls: - es256_pk_from_EVP_PKEY; - fido_cred_attstmt_len; - fido_cred_attstmt_ptr; - fido_cred_pin_minlen; - fido_cred_set_attstmt; - fido_cred_set_pin_minlen; - fido_dev_set_pin_minlen_rpid; - fido_dev_set_timeout; - rs256_pk_from_EVP_PKEY. * Reliability and portability fixes. * Better handling of HID devices without identification strings; gh#381. - Update to version 1.8.0: * Better support for FIDO 2.1 authenticators. * Support for attestation format 'none'. * New API calls: - fido_assert_set_clientdata; - fido_cbor_info_algorithm_cose; - fido_cbor_info_algorithm_count; - fido_cbor_info_algorithm_type; - fido_cbor_info_transports_len; - fido_cbor_info_transports_ptr; - fido_cred_set_clientdata; - fido_cred_set_id; - fido_credman_set_dev_rk; - fido_dev_is_winhello. * fido2-token: new -Sc option to update a resident credential. * Documentation and reliability fixes. * HID access serialisation on Linux. - Update to version 1.7.0: * hid_win: detect devices with vendor or product IDs > 0x7fff * Support for FIDO 2.1 authenticator configuration. * Support for FIDO 2.1 UV token permissions. * Support for FIDO 2.1 'credBlobs' and 'largeBlobs' extensions. * New API calls * New fido_init flag to disable fido_dev_open’s U2F fallback * Experimental NFC support on Linux. - Enabled hidapi again, issues related to hidapi are fixed upstream - Update to version 1.6.0: * Documentation and reliability fixes. * New API calls: + fido_cred_authdata_raw_len; + fido_cred_authdata_raw_ptr; + fido_cred_sigcount; + fido_dev_get_uv_retry_count; + fido_dev_supports_credman. * Hardened Windows build. * Native FreeBSD and NetBSD support. * Use CTAP2 canonical CBOR when combining hmac-secret and credProtect. - Create a udev subpackage and ship the udev rule. Changes in python-fido2: - update to 0.9.3: * Don't fail device discovery when hidraw doesn't support HIDIOCGRAWUNIQ * Support the latest Windows webauthn.h API (included in Windows 11). * Add product name and serial number to HidDescriptors. * Remove the need for the uhid-freebsd dependency on FreeBSD. - Update to version 0.9.1 * Add new CTAP error codes and improve handling of unknown codes. * Client: API changes to better support extensions. * Client.make_credential now returns a AuthenticatorAttestationResponse, which holds the AttestationObject and ClientData, as well as any client extension results for the credential. * Client.get_assertion now returns an AssertionSelection object, which is used to select between multiple assertions * Renames: The CTAP1 and CTAP2 classes have been renamed to Ctap1 and Ctap2, respectively. * ClientPin: The ClientPin API has been restructured to support multiple PIN protocols, UV tokens, and token permissions. * CTAP 2.1 PRE: Several new features have been added for CTAP 2.1 * HID: The platform specific HID code has been revamped - Version 0.8.1 (released 2019-11-25) * Bugfix: WindowsClient.make_credential error when resident key requirement is unspecified. - Version 0.8.0 (released 2019-11-25) * New fido2.webauthn classes modeled after the W3C WebAuthn spec introduced. * CTAP2 send_cbor/make_credential/get_assertion and U2fClient request/authenticate timeout arguments replaced with event used to cancel a request. * Fido2Client: - make_credential/get_assertion now take WebAuthn options objects. - timeout is now provided in ms in WebAuthn options objects. Event based cancelation also available by passing an Event. * Fido2Server: - ATTESTATION, USER_VERIFICATION, and AUTHENTICATOR_ATTACHMENT enums have been replaced with fido2.webauthn classes. - RelyingParty has been replaced with PublicKeyCredentialRpEntity, and name is no longer optional. - Options returned by register_begin/authenticate_begin now omit unspecified values if they are optional, instead of filling in default values. - Fido2Server.allowed_algorithms now contains a list of PublicKeyCredentialParameters instead of algorithm identifiers. - Fido2Server.timeout is now in ms and of type int. * Support native WebAuthn API on Windows through WindowsClient. - Version 0.7.2 (released 2019-10-24) * Support for the TPM attestation format. * Allow passing custom challenges to register/authenticate in Fido2Server. * Bugfix: CTAP2 CANCEL command response handling fixed. * Bugfix: Fido2Client fix handling of empty allow_list. * Bugfix: Fix typo in CTAP2.get_assertions() causing it to fail. - Version 0.7.1 (released 2019-09-20) * Enforce canonical CBOR on Authenticator responses by default. * PCSC: Support extended APDUs. * Server: Verify that UP flag is set. * U2FFido2Server: Implement AppID exclusion extension. * U2FFido2Server: Allow custom U2F facet verification. * Bugfix: U2FFido2Server.authenticate_complete now returns the result. - Version 0.7.0 (released 2019-06-17) * Add support for NFC devices using PCSC. * Add support for the hmac-secret Authenticator extension. * Honor max credential ID length and number of credentials to Authenticator. * Add close() method to CTAP devices to explicitly release their resources. - Version 0.6.0 (released 2019-05-10) * Don't fail if CTAP2 Info contains unknown fields. * Replace cbor loads/dumps functions with encode/decode/decode_from. * Server: Add support for AuthenticatorAttachment. * Server: Add support for more key algorithms. * Client: Expose CTAP2 Info object as Fido2Client.info. Changes in yubikey-manager: - Update to version 4.0.9 (released 2022-06-17) * Dependency: Add support for python-fido2 1.x * Fix: Drop stated support for Click 6 as features from 7 are being used. - Update to version 4.0.8 (released 2022-01-31) * Bugfix: Fix error message for invalid modhex when programing a YubiOTP credential. * Bugfix: Fix issue with displaying a Steam credential when it is the only account. * Bugfix: Prevent installation of files in site-packages root. * Bugfix: Fix cleanup logic in PIV for protected management key. * Add support for token identifier when programming slot-based HOTP. * Add support for programming NDEF in text mode. * Dependency: Add support for Cryptography ⇐ 38. - version update to 4.0.7 ** Bugfix release: Fix broken naming for 'YubiKey 4', and a small OATH issue with touch Steam credentials. - version 4.0.6 (released 2021-09-08) ** Improve handling of YubiKey device reboots. ** More consistently mask PIN/password input in prompts. ** Support switching mode over CCID for YubiKey Edge. ** Run pkill from PATH instead of fixed location. - version 4.0.5 (released 2021-07-16) ** Bugfix: Fix PIV feature detection for some YubiKey NEO versions. ** Bugfix: Fix argument short form for --period when adding TOTP credentials. ** Bugfix: More strict validation for some arguments, resulting in better error messages. ** Bugfix: Correctly handle TOTP credentials using period != 30 AND touch_required. ** Bugfix: Fix prompting for access code in the otp settings command (now uses '-A -'). - Update to version 4.0.3 * Add support for fido reset over NFC. * Bugfix: The --touch argument to piv change-management-key was ignored. * Bugfix: Don’t prompt for password when importing PIV key/cert if file is invalid. * Bugfix: Fix setting touch-eject/auto-eject for YubiKey 4 and NEO. * Bugfix: Detect PKCS#12 format when outer sequence uses indefinite length. * Dependency: Add support for Click 8. - Update to version 4.0.2 * Update device names * Add read_info output to the --diagnose command, and show exception types. * Bugfix: Fix read_info for YubiKey Plus. * Add support for YK5-based FIPS YubiKeys. * Bugfix: Fix OTP device enumeration on Win32. * Drop reliance on libusb and libykpersonalize. * Support the 'fido' and 'otp' subcommands over NFC * New 'ykman --diagnose' command to aid in troubleshooting. * New 'ykman apdu' command for sending raw APDUs over the smart card interface. * New 'yubikit' package added for custom development and advanced scripting. * OpenPGP: Add support for KDF enabled YubiKeys. * Static password: Add support for FR, IT, UK and BEPO keyboard layouts. - Update to 3.1.1 * Add support for YubiKey 5C NFC * OpenPGP: set-touch now performs compatibility checks before prompting for PIN * OpenPGP: Improve error messages and documentation for set-touch * PIV: read-object command no longer adds a trailing newline * CLI: Hint at missing permissions when opening a device fails * Linux: Improve error handling when pcscd is not running * Windows: Improve how .DLL files are loaded, thanks to Marius Gabriel Mihai for reporting this! * Bugfix: set-touch now accepts the cached-fixed option * Bugfix: Fix crash in OtpController.prepare_upload_key() error parsing * Bugfix: Fix crash in piv info command when a certificate slot contains an invalid certificate * Library: PivController.read_certificate(slot) now wraps certificate parsing exceptions in new exception type InvalidCertificate * Library: PivController.list_certificates() now returns None for slots containing invalid certificate, instead of raising an exception - Version 3.1.0 (released 2019-08-20) * Add support for YubiKey 5Ci * OpenPGP: the info command now prints OpenPGP specification version as well * OpenPGP: Update support for attestation to match OpenPGP v3.4 * PIV: Use UTC time for self-signed certificates * OTP: Static password now supports the Norman keyboard layout - Version 3.0.0 (released 2019-06-24) * Add support for new YubiKey Preview and lightning form factor * FIDO: Support for credential management * OpenPGP: Support for OpenPGP attestation, cardholder certificates and cached touch policies * OTP: Add flag for using numeric keypad when sending digits - Version 2.1.1 (released 2019-05-28) * OTP: Add initial support for uploading Yubico OTP credentials to YubiCloud * Don’t automatically select the U2F applet on YubiKey NEO, it might be blocked by the OS * ChalResp: Always pad challenge correctly * Bugfix: Don’t crash with older versions of cryptography * Bugfix: Password was always prompted in OATH command, even if sent as argument Changes in yubikey-manager-qt: - update to 1.2.5: * Compatibility update for ykman 5.0.1. * Update to Python 3.11. * Update product images. - Update to version 1.2.4 (released 2021-10-26) * Update device names and images. * PIV: Fix import of certificate. - Update to version 1.2.3 * Improved error handling when using Security Key Series devices. * PIV: Fix generation of certificate in slot 9c. - Update to version 1.2.2 * Fix detection of YubiKey Plus * Compatibility update for yubikey-manager 4.0 * Bugfix: Device caching with multiple devices * Drop dependencies on libusb and libykpers. * Add additional product names and images - update to 1.1.5 * Add support for YubiKey 5C NFC - Update to version 1.1.4 * OTP: Add option to upload YubiOTP credential to YubiCloud * Linux: Show hint about pcscd service if opening device fails * Bugfix: Signal handling now compatible with Python 3.8 - Version 1.1.3 (released 2019-08-20) * Add suppport for YubiKey 5Ci * PIV: Use UTC time for self-signed certificates - Version 1.1.2 (released 2019-06-24) * Add support for new YubiKey Preview * PIV: The popup for the management key now have a 'Use default' option * Windows: Fix issue with importing PIV certificates * Bugfix: generate static password now works correctly ----------------------------------------- Patch: SUSE-2023-2814 Released: Wed Jul 12 22:05:25 2023 Summary: Recommended update for mozilla-nss Severity: moderate References: 1185116,1202118 Description: This update for mozilla-nss fixes the following issues: mozilla-nss was updated to NSS 3.90: * Add a constant time select function * Updating an old dbm with lots of certs with keys to sql results in a database that is slow to access. * output early build errors by default * Update the technical constraints for KamuSM * Add BJCA Global Root CA1 and CA2 root certificates * Enable default UBSan Checks * Add explicit handling of zero length records * Tidy up DTLS ACK Error Handling Path * Refactor zero length record tests * Fix compiler warning via correct assert * run linux tests on nss-t/t-linux-xlarge-gcp * In FIPS mode, nss should reject RSASSA-PSS salt lengths larger than the output size of the hash function used, or provide an indicator * Fix reading raw negative numbers * Repairing unreachable code in clang built with gyp * Integrate Vale Curve25519 * Removing unused flags for Hacl* * Adding a better error message * Update HACL* till 51a72a953a4ee6f91e63b2816ae5c4e62edf35d6 * Fall back to the softokn when writing certificate trust * FIPS-104-3 requires we restart post programmatically * cmd/ecperf: fix dangling pointer warning on gcc 13 * Update ACVP dockerfile for compatibility with debian package changes * Add a CI task for tracking ECCKiila code status, update whitespace in ECCKiila files * Removed deprecated sprintf function and replaced with snprintf * fix rst warnings in nss doc * Fix incorrect pygment style * Change GYP directive to apply across platforms * Add libsmime3 abi-check exception for NSS_CMSSignerInfo_GetDigestAlgTag - Merge the libfreebl3-hmac and libsoftokn3-hmac packages into the respective libraries. (bsc#1185116) update to NSS 3.89.1 * Update the technical constraints for KamuSM. * Add BJCA Global Root CA1 and CA2 root certificates. update to NSS 3.89 * revert freebl/softoken RSA_MIN_MODULUS_BITS increase * PR_STATIC_ASSERT is cursed * Need to add policy control to keys lengths for signatures * Fix unreachable code warning in fuzz builds * Fix various compiler warnings in NSS * Enable various compiler warnings for clang builds * set PORT error after sftk_HMACCmp failure * Need to add policy control to keys lengths for signatures * remove data length assertion in sec_PKCS7Decrypt * Make high tag number assertion failure an error * CKM_SHA384_KEY_DERIVATION correction maximum key length from 284 to 384 * Tolerate certificate_authorities xtn in ClientHello * Fix build failure on Windows * migrate Win 2012 tasks to Azure * fix title length in doc * Add interop tests for HRR and PSK to GREASE suite * Add presence/absence tests for TLS GREASE * Correct addition of GREASE value to ALPN xtn * CH extension permutation * TLS GREASE (RFC8701) * improve handling of unknown PKCS#12 safe bag types * use a different treeherder symbol for each docker image build task * remove nested table in rst doc * Export NSS_CMSSignerInfo_GetDigestAlgTag * build failure while implicitly casting SECStatus to PRUInt32 update to NSS 3.88.1 * improve handling of unknown PKCS#12 safe bag types update to NSS 3.88 * remove nested table in rst doc * Export NSS_CMSSignerInfo_GetDigestAlgTag. * build failure while implicitly casting SECStatus to PRUInt32 * Add check for ClientHello SID max length * Added EarlyData ALPN test support to BoGo shim * ECH client - Discard resumption TLS < 1.3 Session(IDs|Tickets) if ECH configs are setup * On HRR skip PSK incompatible with negotiated ciphersuites hash algorithm * ECH client: Send ech_required alert on server negotiating TLS 1.2. Fixed misleading Gtest, enabled corresponding BoGo test * Added Bogo ECH rejection test support * Added ECH 0Rtt support to BoGo shim * RSA OAEP Wycheproof JSON * RSA decrypt Wycheproof JSON * ECDSA Wycheproof JSON * ECDH Wycheproof JSON * PKCS#1v1.5 wycheproof json * Use X25519 wycheproof json * Move scripts to python3 * Properly link FuzzingEngine for oss-fuzz. * Extending RSA-PSS bltest test coverage (Adding SHA-256 and SHA-384) * NSS needs to move off of DSA for integrity checks * Add initial testing with ACVP vector sets using acvp-rust * Don't clone libFuzzer, rely on clang instead update to NSS 3.87 * NULL password encoding incorrect * Fix rng stub signature for fuzzing builds * Updating the compiler parsing for build * Modification of supported compilers * tstclnt crashes when accessing gnutls server without a user cert in the database. * Add configuration option to enable source-based coverage sanitizer * Update ECCKiila generated files. * Add support for the LoongArch 64-bit architecture * add checks for zero-length RSA modulus to avoid memory errors and failed assertions later * Additional zero-length RSA modulus checks update to NSS 3.86 * conscious language removal in NSS * Set nssckbi version number to 2.60 * Set CKA_NSS_SERVER_DISTRUST_AFTER and CKA_NSS_EMAIL_DISTRUST_AFTER for 3 TrustCor Root Certificates * Remove Staat der Nederlanden EV Root CA from NSS * Remove EC-ACC root cert from NSS * Remove SwissSign Platinum CA - G2 from NSS * Remove Network Solutions Certificate Authority * compress docker image artifact with zstd * Migrate nss from AWS to GCP * Enable static builds in the CI * Removing SAW docker from the NSS build system * Initialising variables in the rsa blinding code * Implementation of the double-signing of the message for ECDSA * Adding exponent blinding for RSA. update to NSS 3.85 * Modification of the primes.c and dhe-params.c in order to have better looking tables * Update zlib in NSS to 1.2.13 * Skip building modutil and shlibsign when building in Firefox * Use __STDC_VERSION__ rather than __STDC__ as a guard * Remove redundant variable definitions in lowhashtest * Add note about python executable to build instructions. update to NSS 3.84 * Bump minimum NSPR version to 4.35 * Add a flag to disable building libnssckbi. update to NSS 3.83 * Remove set-but-unused variables from SEC_PKCS12DecoderValidateBags * Set nssckbi version number to 2.58 * Add two SECOM root certificates to NSS * Add two DigitalSign root certificates to NSS * Remove Camerfirma Global Chambersign Root from NSS * Added bug reference and description to disabled UnsolicitedServerNameAck bogo ECH test * Removed skipping of ECH on equality of private and public server name * Added comment and bug reference to ECHRandomHRRExtension bogo test * Added Bogo shim client HRR test support. Fixed overwriting of CHInner.random on HRR * Added check for server only sending ECH extension with retry configs in EncryptedExtensions and if not accepting ECH. Changed config setting behavior to skip configs with unsupported mandatory extensions instead of failing * Added ECH client support to BoGo shim. Changed CHInner creation to skip TLS 1.2 only extensions to comply with BoGo * Added ECH server support to BoGo shim. Fixed NSS ECH server accept_confirmation bugs * Update BoGo tests to recent BoringSSL version * Bump minimum NSPR version to 4.34.1 update to NSS 3.82 * check for null template in sec_asn1{d,e}_push_state * QuickDER: Forbid NULL tags with non-zero length * Initialize local variables in TlsConnectTestBase::ConnectAndCheckCipherSuite * Cast the result of GetProcAddress * pk11wrap: Tighten certificate lookup based on PKCS #11 URI. update to NSS 3.81 * Enable aarch64 hardware crypto support on OpenBSD * make NSS_SecureMemcmp 0/1 valued * Add no_application_protocol alert handler and test client error code is set * Gracefully handle null nickname in CERT_GetCertNicknameWithValidity * required for Firefox 104 - raised NSPR requirement to 4.34.1 - changing some Requires from (pre) to generic as (pre) is not sufficient (bsc#1202118) update to NSS 3.80 * Fix SEC_ERROR_ALGORITHM_MISMATCH entry in SECerrs.h. * Add support for asynchronous client auth hooks. * nss-policy-check: make unknown keyword check optional. * GatherBuffer: Reduced plaintext buffer allocations by allocating it on initialization. Replaced redundant code with assert. Debug builds: Added buffer freeing/allocation for each record. * Mark 3.79 as an ESR release. * Bump nssckbi version number for June. * Remove Hellenic Academic 2011 Root. * Add E-Tugra Roots. * Add Certainly Roots. * Add DigitCert Roots. * Protect SFTKSlot needLogin with slotLock. * Compare signature and signatureAlgorithm fields in legacy certificate verifier. * Uninitialized value in cert_VerifyCertChainOld. * Unchecked return code in sec_DecodeSigAlg. * Uninitialized value in cert_ComputeCertType. * Avoid data race on primary password change. * Replace ppc64 dcbzl intrinisic. * Allow LDFLAGS override in makefile builds. ----------------------------------------- Patch: SUSE-2023-2827 Released: Fri Jul 14 11:27:47 2023 Summary: Recommended update for libxml2 Severity: moderate References: Description: This update for libxml2 fixes the following issues: - Build also for modern python version (jsc#PED-68) ----------------------------------------- Patch: SUSE-2023-2847 Released: Mon Jul 17 08:40:42 2023 Summary: Recommended update for audit Severity: moderate References: 1210004 Description: This update for audit fixes the following issues: - Check for AF_UNIX unnamed sockets (bsc#1210004) - Enable livepatching on main library on x86_64 ----------------------------------------- Patch: SUSE-2023-2855 Released: Mon Jul 17 16:35:21 2023 Summary: Recommended update for openldap2 Severity: moderate References: 1212260 Description: This update for openldap2 fixes the following issues: - libldap2 crashes on ldap_sasl_bind_s (bsc#1212260) ----------------------------------------- Patch: SUSE-2023-2877 Released: Wed Jul 19 09:43:42 2023 Summary: Security update for dbus-1 Severity: moderate References: 1212126,CVE-2023-34969 Description: This update for dbus-1 fixes the following issues: - CVE-2023-34969: Fixed a possible dbus-daemon crash by an unprivileged users (bsc#1212126). ----------------------------------------- Patch: SUSE-2023-2882 Released: Wed Jul 19 11:49:39 2023 Summary: Security update for perl Severity: important References: 1210999,CVE-2023-31484 Description: This update for perl fixes the following issues: - CVE-2023-31484: Enable TLS cert verification in CPAN (bsc#1210999). ----------------------------------------- Patch: SUSE-2023-2885 Released: Wed Jul 19 16:58:43 2023 Summary: Recommended update for glibc Severity: moderate References: 1208721,1209229,1211828 Description: This update for glibc fixes the following issues: - getlogin_r: fix missing fallback if loginuid is unset (bsc#1209229, BZ #30235) - Exclude static archives from preparation for live patching (bsc#1208721) - resolv_conf: release lock on allocation failure (bsc#1211828, BZ #30527) ----------------------------------------- Patch: SUSE-2023-2891 Released: Wed Jul 19 21:14:33 2023 Summary: Security update for curl Severity: moderate References: 1213237,CVE-2023-32001 Description: This update for curl fixes the following issues: - CVE-2023-32001: Fixed TOCTOU race condition (bsc#1213237). ----------------------------------------- Patch: SUSE-2023-2901 Released: Thu Jul 20 09:49:16 2023 Summary: Recommended update for lvm2 Severity: important References: 1212613 Description: This update for lvm2 fixes the following issues: - multipath_component_detection = 0 in lvm.conf does not have any effect (bsc#1212613) ----------------------------------------- Patch: SUSE-2023-2918 Released: Thu Jul 20 12:00:17 2023 Summary: Recommended update for gpgme Severity: moderate References: 1089497 Description: This update for gpgme fixes the following issues: gpgme: - Address failure handling issues when using gpg 2.2.6 via gpgme, as used by libzypp (bsc#1089497) libassuan: - Version upgrade to 2.5.5 in LTSS to address gpgme new requirements ----------------------------------------- Patch: SUSE-2023-2922 Released: Thu Jul 20 18:34:03 2023 Summary: Recommended update for libfido2 Severity: moderate References: Description: This update for libfido2 fixes the following issues: - Use openssl 1.1 still on SUSE Linux Enterprise 15 to avoid pulling unneeded openssl-3 dependency. (jsc#PED-4521) ----------------------------------------- Patch: SUSE-2023-2934 Released: Fri Jul 21 12:46:57 2023 Summary: Recommended update for libcontainers-common Severity: moderate References: 1211124 Description: This update for libcontainers-common fixes the following issues: - New subpackage libcontainers-sles-mounts which adds SLE-specific mounts on SLE systems (bsc#1211124) - Own /etc/containers/systemd and /usr/share/containers/systemd for podman quadlet - Remove container-storage-driver.sh to default to the overlay driver instead of btrfs - Remove obsolete Requires(post): util-linux-systemd - Add registry.suse.com to the unqualified-search-registries ----------------------------------------- Patch: SUSE-2023-2945 Released: Mon Jul 24 09:37:30 2023 Summary: Security update for openssh Severity: important References: 1186673,1209536,1213004,1213008,1213504,CVE-2023-38408 Description: This update for openssh fixes the following issues: - CVE-2023-38408: Fixed a condition where specific libaries loaded via ssh-agent(1)'s PKCS#11 support could be abused to achieve remote code execution via a forwarded agent socket if those libraries were present on the victim's system and if the agent was forwarded to an attacker-controlled system. [bsc#1213504, CVE-2023-38408] - Close the right filedescriptor and also close fdh in read_hmac to avoid file descriptor leaks. [bsc#1209536] - Attempts to mitigate instances of secrets lingering in memory after a session exits. [bsc#1186673, bsc#1213004, bsc#1213008] ----------------------------------------- Patch: SUSE-2023-2965 Released: Tue Jul 25 12:30:22 2023 Summary: Security update for openssl-1_1 Severity: moderate References: 1213487,CVE-2023-3446 Description: This update for openssl-1_1 fixes the following issues: - CVE-2023-3446: Fixed DH_check() excessive time with over sized modulus (bsc#1213487). ----------------------------------------- Patch: SUSE-2023-2966 Released: Tue Jul 25 14:26:14 2023 Summary: Recommended update for libxml2 Severity: moderate References: Description: This update for libxml2 fixes the following issues: - Build also for modern python version (jsc#PED-68) ----------------------------------------- Patch: SUSE-2023-2988 Released: Wed Jul 26 16:33:30 2023 Summary: Security update for conmon Severity: important References: 1208737,1209307 Description: This update for conmon fixes the following issues: conmon was updated to version 2.1.7: - Bumped go version to 1.19 (bsc#1209307). Bugfixes: - Fixed leaking symbolic links in the opt_socket_path directory - Fixed oom handling issues (bsc#1208737). - Fixed OOM watcher for cgroupv2 `oom_kill` events ----------------------------------------- Patch: SUSE-2023-3019 Released: Fri Jul 28 21:26:50 2023 Summary: Security update for kernel-firmware Severity: moderate References: 1213286,CVE-2023-20593 Description: This update for kernel-firmware fixes the following issues: Updated to version 20230724 (git commit 59fbffa9ec8e): - CVE-2023-20593: Fixed AMD ucode for ZenBleed vulnerability (bsc#1213286). Bugfixes: - Fix qcom ASoC tglp WHENCE entry - Group all Conexant V4L devices together - Makefile, copy-firmware: support xz/zstd compressed firmware - Updated NXP SR150 UWB firmware - WHENCE: Cleanup Realtek BT firmware provenance - WHENCE: comment out duplicate MediaTek firmware - amdgpu: Add GC 11.0.4 firmware - amdgpu: Add PSP 13.0.11 firmware - amdgpu: DMCUB updates for DCN 3.1.4 and 3.1.5 - amdgpu: DMCUB updates for various AMDGPU asics - amdgpu: Update DCN 3.1.4 firmware - amdgpu: Update GC 11.0.1 and 11.0.4 - amdgpu: Update GC 11.0.1 firmware - amdgpu: Update PSP 13.0.4 firmware - amdgpu: Update SDMA 6.0.1 firmware - amdgpu: add initial GC 11.0.3 firmware - amdgpu: add initial PSP 13.0.10 firmware - amdgpu: add initial SDMA 6.0.3 firmware - amdgpu: add initial SMU 13.0.10 firmware - amdgpu: update 13.0.8 firmware for amd.5.5 release - amdgpu: update DCN 3.1.6 DMCUB firmware - amdgpu: update DMCUB to v0.0.172.0 for various AMDGPU ASICs - amdgpu: update DMCUB to v0.0.175.0 for various AMDGPU ASICs - amdgpu: update GC 10.3.6 firmware for amd.5.5 release - amdgpu: update GC 10.3.7 firmware for amd.5.5 release - amdgpu: update GC 11.0.0 firmware for amd.5.5 release - amdgpu: update GC 11.0.1 firmware for amd.5.5 release - amdgpu: update GC 11.0.2 firmware for amd.5.5 release - amdgpu: update GC 11.0.4 firmware for amd.5.5 release - amdgpu: update PSP 13.0.0 firmware for amd.5.5 release - amdgpu: update PSP 13.0.11 firmware for amd.5.5 release - amdgpu: update PSP 13.0.4 firmware for amd.5.5 release - amdgpu: update PSP 13.0.7 firmware for amd.5.5 release - amdgpu: update Picasso VCN firmware - amdgpu: update SDMA 6.0.1 firmware for amd.5.5 release - amdgpu: update SMU 13.0.0 firmware for amd.5.5 release - amdgpu: update SMU 13.0.7 firmware for amd.5.5 release - amdgpu: update VCN 4.0.0 firmware - amdgpu: update VCN 4.0.0 firmware for amd.5.5 release - amdgpu: update VCN 4.0.4 firmware for amd.5.5 release - amdgpu: update aldebaran firmware for amd.5.5 release - amdgpu: update arcturus firmware for amd.5.5 release - amdgpu: update beige goby firmware for amd.5.5 release - amdgpu: update dimgrey cavefish firmware for amd.5.5 release - amdgpu: update green sardine VCN firmware - amdgpu: update green sardine firmware for amd.5.5 release - amdgpu: update navi10 firmware for amd.5.5 release - amdgpu: update navi12 firmware for amd.5.5 release - amdgpu: update navi14 firmware for amd.5.5 release - amdgpu: update navy flounder firmware for amd.5.5 release - amdgpu: update psp 13.0.5 firmware for amd.5.5 release - amdgpu: update raven VCN firmware - amdgpu: update raven2 VCN firmware - amdgpu: update renoir VCN firmware - amdgpu: update renoir firmware for amd.5.5 release - amdgpu: update sienna cichlid firmware for amd.5.5 release - amdgpu: update vangogh firmware for amd.5.5 release - amdgpu: update vcn 3.1.2 firmware for amd.5.5 release - amdgpu: update vega10 firmware for amd.5.5 release - amdgpu: update vega12 firmware for amd.5.5 release - amdgpu: update vega20 firmware for amd.5.5 release - amdgpu: update yellow carp firmware for amd.5.5 release - ath10k: QCA4019 hw1.0: update board-2.bin - ath10k: QCA6174 hw3.0: update board-2.bin - ath10k: QCA9888 hw2.0: update board-2.bin - ath10k: QCA9984 hw1.0: update board-2.bin - ath10k: QCA99X0 hw2.0: update board-2.bin - ath11k: IPQ6018 hw1.0: update board-2.bin - ath11k: IPQ6018 hw1.0: update to WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1 - ath11k: IPQ8074 hw2.0: update board-2.bin - ath11k: IPQ8074 hw2.0: update to WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1 - ath11k: QCN9074 hw1.0: update to WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1 - ath11k: WCN6750 hw1.0: update to WLAN.MSL.1.0.1-01160-QCAMSLSWPLZ-1 - ath11k: WCN6855 hw2.0: update board-2.bin - brcm: Add symlinks from Pine64 devices to AW-CM256SM.txt - check_whence: Check link targets are valid - check_whence: error if File: is actually a link - check_whence: error if symlinks are in-tree - check_whence: error on directory listed as File - check_whence: error on duplicate file entries - check_whence: strip quotation marks - cirrus: Add CS35L41 firmware for ASUS ROG 2023 Models - cirrus: Add firmware and tuning files for HP G10 series laptops - cirrus: Add firmware and tuning files for Lenovo ThinkPad P1 Gen 6 - cirrus: Add firmware for new Asus ROG Laptops - cnm: update chips&media wave521c firmware. - copy-firmware: drop obsolete backticks, quote - copy-firmware: quote deskdir and dirname - copy-firmware: silence the last shellcheck warnings - copy-firmware: tweak sed invocation - cxgb4: Update firmware to revision 1.27.3.0 - fix broken cirrus firmware symlinks - i915: Add GuC v70.6.6 for MTL - i915: Add HuC v8.5.0 for MTL - i915: update DG2 GuC to v70.8.0 - i915: update to GuC 70.8.0 and HuC 8.5.1 for MTL - ice: update ice DDP comms package to 1.3.40.0 - ice: update ice DDP wireless_edge package to 1.3.10.0 - iwlwifi: add new FWs from core78-32 release - iwlwifi: add new FWs from core80-39 release - iwlwifi: update 9000-family firmwares to core78-32 - iwlwifi: update cc/Qu/QuZ firmwares for core80-39 release - linux-firmware: Add firmware for Cirrus CS35L41 on Lenovo Laptops - linux-firmware: Amphion: Update vpu firmware - linux-firmware: Update AMD cpu microcode - linux-firmware: Update AMD cpu microcode - linux-firmware: Update AMD fam17h cpu microcode - linux-firmware: Update firmware file for Intel Bluetooth AX200 - linux-firmware: Update firmware file for Intel Bluetooth AX201 - linux-firmware: Update firmware file for Intel Bluetooth AX203 - linux-firmware: Update firmware file for Intel Bluetooth AX210 - linux-firmware: Update firmware file for Intel Bluetooth AX211 - linux-firmware: add firmware for MT7981 - linux-firmware: update firmware for MT7916 - linux-firmware: update firmware for MT7921 WiFi device - linux-firmware: update firmware for MT7922 WiFi device - linux-firmware: update firmware for MT7981 - linux-firmware: update firmware for mediatek bluetooth chip (MT7921) - linux-firmware: update firmware for mediatek bluetooth chip (MT7922) - linux-firmware: update firmware for mediatek bluetooth chip (MT7922) - linux-firmware: update qat firmware - linux-firmware: wilc1000: update WILC1000 firmware to v16.0 - mediatek: Update mt8195 SCP firmware to support 10bit mode - mediatek: Update mt8195 SCP firmware to support hevc - mt76xx: Move the old Mediatek WiFi firmware to mediatek - nvidia: update Tu10x and Tu11x signed firmware to support newer Turing HW - qca: Update firmware files for BT chip WCN6750 - qcom: Add Audio firmware for SC8280XP X13s - qcom: Update the microcode files for Adreno a630 GPUs. - qcom: apq8016: add Dragonboard 410c WiFi and modem firmware - qcom: sdm845: rename the modem firmware - qcom: sdm845: update remoteproc firmware - rtl_bt: Add firmware and config files for RTL8851B - rtl_bt: Update RTL8761B BT UART firmware to 0x9DC6_D922 - rtl_bt: Update RTL8761B BT USB firmware to 0xDFC6_D922 - rtl_bt: Update RTL8852A BT USB firmware to 0xDAC7_480D - rtl_bt: Update RTL8852B BT USB firmware to 0xDBC6_B20F - rtl_bt: Update RTL8852C BT USB firmware to 0x040D_7225 - rtl_nic: update firmware of USB devices - rtlwifi: Add firmware v6.0 for RTL8192FU - rtlwifi: Update firmware for RTL8188EU to v28.0 - rtw88: 8822c: Update normal firmware to v9.9.15 - rtw89: 8851b: add firmware v0.29.41.0 - rtw89: 8852b: update format-1 fw to v0.29.29.1 - rtw89: 8852c: update fw to v0.27.56.13 - wfx: update to firmware 3.16.1 ----------------------------------------- Patch: SUSE-2023-3088 Released: Tue Aug 1 09:52:03 2023 Summary: Recommended update for systemd-presets-common-SUSE Severity: moderate References: 1212496 Description: This update for systemd-presets-common-SUSE fixes the following issues: - Fix systemctl being called with an empty argument (bsc#1212496) - Don't call systemctl list-unit-files with an empty argument (bsc#1212496) - Add wtmpdb-update-boot.service and wtmpdb-rotate.timer ----------------------------------------- Patch: SUSE-2023-3102 Released: Tue Aug 1 14:11:53 2023 Summary: Recommended update for openssl-1_1 Severity: moderate References: 1213517 Description: This update for openssl-1_1 fixes the following issues: - Dont pass zero length input to EVP_Cipher (bsc#1213517) ----------------------------------------- Patch: SUSE-2023-3178 Released: Thu Aug 3 13:16:15 2023 Summary: Recommended update for multipath-tools Severity: moderate References: 1212440,1212854 Description: This update for multipath-tools fixes the following issues: - libmultipath: Ignore nvme devices if nvme native multipath is enabled (bsc#1212854) - libmultipath: Fix `dev_loss_tmo` even if not set in configuration (bsc#1212440) Note: This changes user-visible behavior. `multipathd` will not grab any nvme devices for dm-multipath if nvme native multipathing is on (which is the default). ----------------------------------------- Patch: SUSE-2023-3217 Released: Mon Aug 7 16:51:10 2023 Summary: Recommended update for cryptsetup Severity: moderate References: 1211079 Description: This update for cryptsetup fixes the following issues: - Handle system with low memory and no swap space (bsc#1211079) ----------------------------------------- Patch: SUSE-2023-3242 Released: Tue Aug 8 18:19:40 2023 Summary: Security update for openssl-1_1 Severity: moderate References: 1213853,CVE-2023-3817 Description: This update for openssl-1_1 fixes the following issues: - CVE-2023-3817: Fixed a potential DoS due to excessive time spent checking DH q parameter value. (bsc#1213853) ----------------------------------------- Patch: SUSE-2023-3276 Released: Fri Aug 11 10:20:40 2023 Summary: Recommended update for apparmor Severity: moderate References: 1213472 Description: This update for apparmor fixes the following issues: - Add pam_apparmor README (bsc#1213472) ----------------------------------------- Patch: SUSE-2023-3298 Released: Fri Aug 11 20:04:17 2023 Summary: Security update for kernel-firmware Severity: moderate References: 1213287,CVE-2023-20569 Description: This update for kernel-firmware fixes the following issues: - CVE-2023-20569: Fixed AMD 19h ucode to mitigate a side channel vulnerability in some of the AMD CPUs. (bsc#1213287) ----------------------------------------- Patch: SUSE-2023-3325 Released: Wed Aug 16 08:26:08 2023 Summary: Security update for krb5 Severity: important References: 1214054,CVE-2023-36054 Description: This update for krb5 fixes the following issues: - CVE-2023-36054: Fixed a DoS that could be triggered by an authenticated remote user. (bsc#1214054) ----------------------------------------- Patch: SUSE-2023-3327 Released: Wed Aug 16 08:45:25 2023 Summary: Security update for pcre2 Severity: moderate References: 1213514,CVE-2022-41409 Description: This update for pcre2 fixes the following issues: - CVE-2022-41409: Fixed integer overflow vulnerability in pcre2test that allows attackers to cause a denial of service via negative input (bsc#1213514). ----------------------------------------- Patch: SUSE-2023-3393 Released: Wed Aug 23 17:41:55 2023 Summary: Recommended update for dracut Severity: important References: 1214081 Description: This update for dracut fixes the following issues: - Protect against broken links pointing to themselves - Exit if resolving executable dependencies fails (bsc#1214081) ----------------------------------------- Patch: SUSE-2023-3410 Released: Thu Aug 24 06:56:32 2023 Summary: Recommended update for audit Severity: moderate References: 1201519,1204844 Description: This update for audit fixes the following issues: - Create symbolic link from /sbin/audisp-syslog to /usr/sbin/audisp-syslog (bsc#1201519) - Fix rules not loaded when restarting auditd.service (bsc#1204844) ----------------------------------------- Patch: SUSE-2023-3413 Released: Thu Aug 24 07:32:09 2023 Summary: Feature update for LibreOffice and xmlsec1 Severity: important References: 1198666,1200085,1204040,1209242,1210687,1211746,CVE-2023-0950,CVE-2023-2255 Description: This update for LibreOffice and xmlsec1 fixes the following issue: libreoffice: - Version update from 7.4.3.2 to 7.5.4.1 (jsc#PED-3561, jsc#PED-3550, jsc#3549): * For the highlights of changes of version 7.5 please consult the official release notes: https://wiki.documentfoundation.org/ReleaseNotes/7.5 * Security issues fixed: + CVE-2023-0950: Fixed stack underflow in ScInterpreter (bsc#1209242) + CVE-2023-2255: Fixed vulnerability where remote documents could be loaded without prompt via IFrame (bsc#1211746) * Bug fixes: + Fix PPTX shadow effect for table offset (bsc#1204040) + Fix ability to set the default tab size for each text object (bsc#1198666) + Fix PPTX extra vertical space between different text formats (bsc#1200085) + Do not use binutils-gold as the package is unmaintained and will be removed in the future (boo#1210687) * Updated bundled dependencies: * boost version update from 1_77_0 to 1_80_0 * curl version update from 7.83.1 to 8.0.1 * gpgme version update from 1.16.0 to 1.18.0 * icu4c-data version update from 70_1 to 72_1 * icu4c version update from 70_1 to 72_1 * pdfium version update from 4699 to 5408 * poppler version update from 21.11.0 to 22.12.0 xmlsec1: - Version update from 1.2.28 to 1.2.37 required by LibreOffice 7.5.2.2 (jsc#PED-3561, jsc#PED-3550): * Retired the XMLSec mailing list 'xmlsec@aleksey.com' and the XMLSec Online Signature Verifier. * Migration to OpenSSL 3.0 API Note that OpenSSL engines are disabled by default when XMLSec library is compiled against OpenSSL 3.0. To re-enable OpenSSL engines, use `--enable-openssl3-engines` configure flag (there will be a lot of deprecation warnings). * The OpenSSL before 1.1.0 and LibreSSL before 2.7.0 are now deprecated and will be removed in the future versions of XMLSec Library. * Refactored all the integer casts to ensure cast-safety. Fixed all warnings and enabled `-Werror` and `-pedantic` flags on CI builds. * Added configure flag to use size_t for xmlSecSize (currently disabled by default for backward compatibility). * Support for OpenSSL compiled with OPENSSL_NO_ERR. * Full support for LibreSSL 3.5.0 and above * Several other small fixes * Fix decrypting session key for two recipients * Added `--privkey-openssl-engine` option to enhance openssl engine support * Remove MD5 for NSS 3.59 and above * Fix PKCS12_parse return code handling * Fix OpenSSL lookup * xmlSecX509DataGetNodeContent(): don't return 0 for non-empty elements - fix for LibreOffice * Unload error strings in OpenSSL shutdown. * Make userData available when executing preExecCallback function * Add an option to use secure memset. * Enabled XML_PARSE_HUGE for all xml parsers. * Various build and tests fixes and improvements. * Move remaining private header files away from xmlsec/include/`` folder - Other packaging changes: * Relax the crypto policies for the test-suite. It allows the tests using certificates with small key lengths to pass. * Pass `--disable-md5` to configure: The cryptographic strength of the MD5 algorithm is sufficiently doubtful that its use is discouraged at this time. It is not listed as an algorithm in [XMLDSIG-CORE1] https://www.w3.org/TR/xmlsec-algorithms/#bib-XMLDSIG-CORE1 ----------------------------------------- Patch: SUSE-2023-3440 Released: Mon Aug 28 08:57:10 2023 Summary: Security update for gawk Severity: low References: 1214025,CVE-2023-4156 Description: This update for gawk fixes the following issues: - CVE-2023-4156: Fix a heap out of bound read by validating the index into argument list. (bsc#1214025) ----------------------------------------- Patch: SUSE-2023-3451 Released: Mon Aug 28 12:15:22 2023 Summary: Recommended update for systemd Severity: moderate References: 1186606,1194609,1208194,1209741,1210702,1211576,1212434,1213185,1213575,1213873 Description: This update for systemd fixes the following issues: - Fix reboot and shutdown issues by getting only active MD arrays (bsc#1211576, bsc#1212434, bsc#1213575) - Decrease devlink priority for iso disks (bsc#1213185) - Do not ignore mount point paths longer than 255 characters (bsc#1208194) - Refuse hibernation if there's no possible way to resume (bsc#1186606) - Update 'korean' and 'arabic' keyboard layouts (bsc#1210702) - Drop some entries no longer needed by YaST (bsc#1194609) - The 'systemd --user' instances get their own session keyring instead of the user default one (bsc#1209741) - Dynamically allocate receive buffer to handle large amount of mounts (bsc#1213873) ----------------------------------------- Patch: SUSE-2023-3470 Released: Tue Aug 29 10:49:33 2023 Summary: Recommended update for parted Severity: low References: 1182142,1193412 Description: This update for parted fixes the following issues: - fix null pointer dereference (bsc#1193412) - update mkpart options in manpage (bsc#1182142) ----------------------------------------- Patch: SUSE-2023-3472 Released: Tue Aug 29 10:55:16 2023 Summary: Security update for procps Severity: low References: 1214290,CVE-2023-4016 Description: This update for procps fixes the following issues: - CVE-2023-4016: Fixed ps buffer overflow (bsc#1214290). ----------------------------------------- Patch: SUSE-2023-3485 Released: Tue Aug 29 14:20:56 2023 Summary: Recommended update for lvm2 Severity: moderate References: 1214071 Description: This update for lvm2 fixes the following issues: - blkdeactivate calls wrong mountpoint cmd (bsc#1214071) ----------------------------------------- Patch: SUSE-2023-3497 Released: Wed Aug 30 21:25:05 2023 Summary: Security update for vim Severity: important References: 1210996,1211256,1211257,1211461,CVE-2023-2426,CVE-2023-2609,CVE-2023-2610 Description: This update for vim fixes the following issues: Updated to version 9.0 with patch level 1572. - CVE-2023-2426: Fixed Out-of-range Pointer Offset use (bsc#1210996). - CVE-2023-2609: Fixed NULL Pointer Dereference (bsc#1211256). - CVE-2023-2610: Fixed nteger Overflow or Wraparound (bsc#1211257). ----------------------------------------- Patch: SUSE-2023-3507 Released: Thu Aug 31 19:58:03 2023 Summary: Security update for open-vm-tools Severity: important References: 1214566,CVE-2023-20900 Description: This update for open-vm-tools fixes the following issues: - CVE-2023-20900: Fixed SAML token signature bypass vulnerability (bsc#1214566). This update also ships a open-vm-tools-containerinfo plugin. (jsc#PED-3421) ----------------------------------------- Patch: SUSE-2023-3577 Released: Mon Sep 11 15:04:01 2023 Summary: Recommended update for crypto-policies Severity: low References: 1209998 Description: This update for crypto-policies fixes the following issues: - Update update-crypto-policies(8) man pages and README.SUSE to mention the supported back-end policies. (bsc#1209998) ----------------------------------------- Patch: SUSE-2023-3611 Released: Fri Sep 15 09:28:36 2023 Summary: Recommended update for sysuser-tools Severity: moderate References: 1195391,1205161,1207778,1213240,1214140 Description: This update for sysuser-tools fixes the following issues: - Update to version 3.2 - Always create a system group of the same name as the system user (bsc#1205161, bsc#1207778, bsc#1213240) - Add 'quilt setup' friendly hint to %sysusers_requires usage - Use append so if a pre file already exists it isn't overridden - Invoke bash for bash scripts (bsc#1195391) - Remove all systemd requires not supported on SLE15 (bsc#1214140) ----------------------------------------- Patch: SUSE-2023-3661 Released: Mon Sep 18 21:44:09 2023 Summary: Security update for gcc12 Severity: important References: 1214052,CVE-2023-4039 Description: This update for gcc12 fixes the following issues: - CVE-2023-4039: Fixed incorrect stack protector for C99 VLAs on Aarch64 (bsc#1214052). ----------------------------------------- Patch: SUSE-2023-3666 Released: Mon Sep 18 21:52:18 2023 Summary: Security update for libxml2 Severity: important References: 1214768,CVE-2023-39615 Description: This update for libxml2 fixes the following issues: - CVE-2023-39615: Fixed crafted xml can cause global buffer overflow (bsc#1214768). ----------------------------------------- Patch: SUSE-2023-3717 Released: Thu Sep 21 06:51:51 2023 Summary: Recommended update for apparmor Severity: moderate References: 1214458 Description: This update for apparmor fixes the following issues: - Update zgrep profile to allow egrep helper use (bsc#1214458) ----------------------------------------- Patch: SUSE-2023-3780 Released: Tue Sep 26 10:58:21 2023 Summary: Recommended update hidapi Severity: moderate References: 1214535 Description: This update for hidapi ships the missing libhidapi-raw0 library to SLE and Leap Micro 5.3 and 5.4. ----------------------------------------- Patch: SUSE-2023-3798 Released: Wed Sep 27 10:32:31 2023 Summary: Recommended update for libcontainers-common Severity: important References: 1215291 Description: This update for libcontainers-common fixes the following issues: - Require libcontainers-sles-mounts for *all* SLE products, and not just SLES. (bsc#1215291) ----------------------------------------- Patch: SUSE-2023-3814 Released: Wed Sep 27 18:08:17 2023 Summary: Recommended update for glibc Severity: moderate References: 1211829,1212819,1212910 Description: This update for glibc fixes the following issues: - nscd: Fix netlink cache invalidation if epoll is used (bsc#1212910, BZ #29415) - Restore lookup of IPv4 mapped addresses in files database (bsc#1212819, BZ #25457) - elf: Remove excessive p_align check on PT_LOAD segments (bsc#1211829, BZ #28688) - elf: Properly align PT_LOAD segments (bsc#1211829, BZ #28676) - ld.so: Always use MAP_COPY to map the first segment (BZ #30452) - add GB18030-2022 charmap (jsc#PED-4908, BZ #30243) ----------------------------------------- Patch: SUSE-2023-3823 Released: Wed Sep 27 18:42:38 2023 Summary: Security update for curl Severity: important References: 1215026,CVE-2023-38039 Description: This update for curl fixes the following issues: - CVE-2023-38039: Fixed possible DoS when receiving too large HTTP header. (bsc#1215026) ----------------------------------------- Patch: SUSE-2023-3835 Released: Wed Sep 27 19:20:31 2023 Summary: Securitys update for open-vm-tools Severity: important References: 1205927,1214850,CVE-2023-20900 Description: This update for open-vm-tools fixes the following issues: Update to 12.3.0 (build 22234872) (bsc#1214850) - There are no new features in the open-vm-tools 12.3.0 release. This is primarily a maintenance release that addresses a few critical problems, including: - This release integrates CVE-2023-20900 without the need for a patch. For more information on this vulnerability and its impact on VMware products, see https://www.vmware.com/security/advisories/VMSA-2023-0019.html. - A tools.conf configuration setting is available to temporaily direct Linux quiesced snaphots to restore pre open-vm-tools 12.2.0 behavior of ignoring file systems already frozen. - Building of the VMware Guest Authentication Service (VGAuth) using 'xml-security-c' and 'xerces-c' is being deprecated. - A number of Coverity reported issues have been addressed. - A number of GitHub issues and pull requests have been handled. Please see the Resolves Issues section of the Release Notes. - For issues resolved in this release, see the Resolved Issues section of the Release Notes. - For complete details, see: https://github.com/vmware/open-vm-tools/releases/tag/stable-12.3.0 - Release Notes are available at https://github.com/vmware/open-vm-tools/blob/stable-12.3.0/ReleaseNotes.md - The granular changes that have gone into the 12.3.0 release are in the ChangeLog at https://github.com/vmware/open-vm-tools/blob/stable-12.3.0/open-vm-tools/ChangeLog - Fix (bsc#1205927) - hv_vmbus module is loaded unnecessarily in VMware guests - jsc#PED-1344 - reinable building containerinfo plugin for SLES 15 SP4. ----------------------------------------- Patch: SUSE-2023-3952 Released: Tue Oct 3 20:06:23 2023 Summary: Security update for runc Severity: important References: 1212475 Description: This update of runc fixes the following issues: - Update to runc v1.1.8. Upstream changelog is available from . - rebuild the package with the go 1.21 security release (bsc#1212475). ----------------------------------------- Patch: SUSE-2023-3954 Released: Tue Oct 3 20:09:47 2023 Summary: Security update for libeconf Severity: important References: 1211078,CVE-2023-22652,CVE-2023-30078,CVE-2023-30079,CVE-2023-32181 Description: This update for libeconf fixes the following issues: Update to version 0.5.2. - CVE-2023-30078, CVE-2023-32181: Fixed a stack-buffer-overflow vulnerability in 'econf_writeFile' function (bsc#1211078). - CVE-2023-30079, CVE-2023-22652: Fixed a stack-buffer-overflow vulnerability in 'read_file' function. (bsc#1211078) ----------------------------------------- Patch: SUSE-2023-3970 Released: Wed Oct 4 14:17:12 2023 Summary: Recommended update for dracut Severity: moderate References: 1215578 Description: This update for dracut fixes the following issues: - Honor nvme-cli's /etc/nvme/config.json in NVMe/TCP (bsc#1215578) ----------------------------------------- Patch: SUSE-2023-3978 Released: Thu Oct 5 11:45:05 2023 Summary: Recommended update for nfs-utils Severity: moderate References: 1157881,1200710,1209859,1212594 Description: This update for nfs-utils fixes the following issues: - SLE15-SP5 and earlier don't use /usr/lib/modprobe.d (bsc#1200710) - Avoid unhelpful warnings (bsc#1157881) - Fix rpc.nfsd man pages (bsc#1209859) - Cope better with duplicate entries in /etc/exports (bsc#1212594) - Allow scope to be set in sysconfig: NFSD_SCOPE ----------------------------------------- Patch: SUSE-2023-3985 Released: Thu Oct 5 14:05:51 2023 Summary: Recommended update for suse-module-tools Severity: important References: 1201066,1212957,1213428,1213822 Description: This update for suse-module-tools fixes the following issues: - Update to version 15.5.2: * rpm-script: update bootloader after creating initramfs (bsc#1213822) * rpm-script: generate initrd when INITRD_IN_POSTTRANS is set (bsc#1212957) * cert-script: skip cert handling if efivarfs is not writable (bsc#1213428, bsc#1201066) ----------------------------------------- Patch: SUSE-2023-3997 Released: Fri Oct 6 14:13:56 2023 Summary: Security update for nghttp2 Severity: important References: 1215713,CVE-2023-35945 Description: This update for nghttp2 fixes the following issues: - CVE-2023-35945: Fixed memory leak when PUSH_PROMISE or HEADERS frame cannot be sent (bsc#1215713). ----------------------------------------- Patch: SUSE-2023-4003 Released: Mon Oct 9 08:29:33 2023 Summary: Recommended update for apparmor Severity: moderate References: 1215596 Description: This update for apparmor fixes the following issues: - Handle pam-config errors in pam_apparmor %post and %postun scripts (bsc#1215596) ----------------------------------------- Patch: SUSE-2023-4022 Released: Tue Oct 10 11:06:12 2023 Summary: Security update for conmon Severity: important References: 1215806 Description: This update for conmon fixes the following issues: conmon is rebuild with go1.21 to capture current stability, bug and security fixes. (bsc#1215806) ----------------------------------------- Patch: SUSE-2023-4044 Released: Wed Oct 11 09:01:14 2023 Summary: Security update for curl Severity: important References: 1215888,1215889,CVE-2023-38545,CVE-2023-38546 Description: This update for curl fixes the following issues: - CVE-2023-38545: Fixed a heap buffer overflow in SOCKS5. (bsc#1215888) - CVE-2023-38546: Fixed a cookie injection with none file. (bsc#1215889) ----------------------------------------- Patch: SUSE-2023-4073 Released: Fri Oct 13 11:40:26 2023 Summary: Recommended update for rpm Severity: low References: Description: This update for rpm fixes the following issue: - Enables build for all python modules (jsc#PED-68, jsc#PED-1988) ----------------------------------------- Patch: SUSE-2023-4075 Released: Fri Oct 13 14:02:33 2023 Summary: Security update for cni-plugins Severity: important References: 1212475,1216006 Description: This update of cni-plugins fixes the following issues: - rebuild the package with the go 1.21 security release (bsc#1212475). ----------------------------------------- Patch: SUSE-2023-4076 Released: Fri Oct 13 14:02:51 2023 Summary: Security update for cni Severity: important References: 1212475,1216006 Description: This update of cni fixes the following issues: - rebuild the package with the go 1.21 security release (bsc#1212475). ----------------------------------------- Patch: SUSE-2023-4105 Released: Wed Oct 18 08:15:40 2023 Summary: Recommended update for openssl-1_1 Severity: moderate References: 1215215 Description: This update for openssl-1_1 fixes the following issues: - Displays 'fips' in the version string (bsc#1215215) ----------------------------------------- Patch: SUSE-2023-4110 Released: Wed Oct 18 12:35:26 2023 Summary: Security update for glibc Severity: important References: 1215286,1215891,CVE-2023-4813 Description: This update for glibc fixes the following issues: Security issue fixed: - CVE-2023-4813: Fixed a potential use-after-free in gaih_inet() (bsc#1215286, BZ #28931) Also a regression from a previous update was fixed: - elf: Align argument of __munmap to page size (bsc#1215891, BZ #28676) ----------------------------------------- Patch: SUSE-2023-4112 Released: Wed Oct 18 13:04:43 2023 Summary: Recommended update for open-vm-tools Severity: moderate References: 1205927 Description: This update for open-vm-tools fixes the following issue: - Ship correct open-vm-tools version to 15-SP4 (bsc#1205927) ----------------------------------------- Patch: SUSE-2023-4136 Released: Thu Oct 19 14:15:02 2023 Summary: Security update for suse-module-tools Severity: important References: 1205767,1210335,CVE-2023-1829,CVE-2023-23559 Description: This update for suse-module-tools fixes the following issues: - Update to version 15.5.3: - CVE-2023-1829: Blacklisted the Linux kernel tcindex classifier module (bsc#1210335). - CVE-2023-23559: Blacklisted the Linux kernel RNDIS modules (bsc#1205767, jsc#PED-5731). ----------------------------------------- Patch: SUSE-2023-4138 Released: Thu Oct 19 17:15:38 2023 Summary: Recommended update for systemd-rpm-macros Severity: moderate References: Description: This update for systemd-rpm-macros fixes the following issues: - Switch to `systemd-hwdb` tool when updating the HW database. It's been introduced in systemd v219 and replaces the deprecated command `udevadm hwdb`. ----------------------------------------- Patch: SUSE-2023-4139 Released: Fri Oct 20 10:06:58 2023 Summary: Recommended update for containerd, runc Severity: moderate References: 1215323 Description: This update for containerd, runc fixes the following issues: runc was updated to v1.1.9. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.1.9 containerd was updated to containerd v1.7.7 for Docker v24.0.6-ce. Upstream release notes: - https://github.com/containerd/containerd/releases/tag/v1.7.7 - https://github.com/containerd/containerd/releases/tag/v1.7.6 bsc#1215323 - Add `Provides: cri-runtime` to use containerd as container runtime in Factory Kubernetes packages ----------------------------------------- Patch: SUSE-2023-4153 Released: Fri Oct 20 19:27:58 2023 Summary: Recommended update for systemd Severity: moderate References: 1215313 Description: This update for systemd fixes the following issues: - Fix mismatch of nss-resolve version in Package Hub (no source code changes) ----------------------------------------- Patch: SUSE-2023-4154 Released: Fri Oct 20 19:33:25 2023 Summary: Recommended update for aaa_base Severity: moderate References: 1107342,1215434 Description: This update for aaa_base fixes the following issues: - Respect /etc/update-alternatives/java when setting JAVA_HOME (bsc#1215434,bsc#1107342) ----------------------------------------- Patch: SUSE-2023-4162 Released: Mon Oct 23 15:33:03 2023 Summary: Security update for gcc13 Severity: important References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,CVE-2023-4039 Description: This update for gcc13 fixes the following issues: This update ship the GCC 13.2 compiler suite and its base libraries. The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones. The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module. The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories. To use gcc13 compilers use: - install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages. - override your Makefile to use CC=gcc13, CXX=g++13 and similar overrides for the other languages. For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html Detailed changes: * CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052) - Turn cross compiler to s390x to a glibc cross. [bsc#1214460] - Also handle -static-pie in the default-PIE specs - Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101] - Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427] - Add new x86-related intrinsics (amxcomplexintrin.h). - RISC-V: Add support for inlining subword atomic operations - Use --enable-link-serialization rather that --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver. - Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC. - Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing. - Bump included newlib to version 4.3.0. - Also package libhwasan_preinit.o on aarch64. - Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite. - Package libhwasan_preinit.o on x86_64. - Fixed unwinding on aarch64 with pointer signing. [bsc#1206684] - Enable PRU flavour for gcc13 - update floatn fixinclude pickup to check each header separately (bsc#1206480) - Redo floatn fixinclude pick-up to simply keep what is there. - Bump libgo SONAME to libgo22. - Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers. - Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15. - Depend on at least LLVM 13 for GCN cross compiler. - Update embedded newlib to version 4.2.0 - Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build. ----------------------------------------- Patch: SUSE-2023-4200 Released: Wed Oct 25 12:04:29 2023 Summary: Security update for nghttp2 Severity: important References: 1216123,1216174,CVE-2023-44487 Description: This update for nghttp2 fixes the following issues: - CVE-2023-44487: Fixed HTTP/2 Rapid Reset attack. (bsc#1216174) ----------------------------------------- Patch: SUSE-2023-4215 Released: Thu Oct 26 12:19:25 2023 Summary: Security update for zlib Severity: moderate References: 1216378,CVE-2023-45853 Description: This update for zlib fixes the following issues: - CVE-2023-45853: Fixed an integer overflow that would lead to a buffer overflow in the minizip subcomponent (bsc#1216378). ----------------------------------------- Patch: SUSE-2023-4227 Released: Fri Oct 27 11:26:20 2023 Summary: Security update for open-vm-tools Severity: important References: 1216432,1216433,CVE-2023-34058,CVE-2023-34059 Description: This update for open-vm-tools fixes the following issues: - CVE-2023-34058: Fixed a SAML token signature bypass issue (bsc#1216432). - CVE-2023-34059: Fixed a privilege escalation issue through vmware-user-suid-wrapper (bsc#1216433). ----------------------------------------- Patch: SUSE-2023-4268 Released: Mon Oct 30 16:51:57 2023 Summary: Recommended update for pciutils Severity: important References: 1215265 Description: This update for pciutils fixes the following issues: - Buffer overflow error that would cause lspci to crash on systems with complex topologies (bsc#1215265) ----------------------------------------- Patch: SUSE-2023-4310 Released: Tue Oct 31 14:10:47 2023 Summary: Recommended update for libtirpc Severity: moderate References: 1196647 Description: This Update for libtirpc to 1.3.4, fixing the following issues: Update to 1.3.4 (bsc#1199467) * binddynport.c honor ip_local_reserved_ports - replaces: binddynport-honor-ip_local_reserved_ports.patch * gss-api: expose gss major/minor error in authgss_refresh() * rpcb_clnt.c: Eliminate double frees in delete_cache() * rpcb_clnt.c: memory leak in destroy_addr * portmapper: allow TCP-only portmapper * getnetconfigent: avoid potential DoS issue by removing unnecessary sleep * clnt_raw.c: fix a possible null pointer dereference * bindresvport.c: fix a potential resource leakage Update to 1.3.3: * Fix DoS vulnerability in libtirpc - replaces: 0001-Fix-DoS-vulnerability-in-libtirpc.patch * _rpc_dtablesize: use portable system call * libtirpc: Fix use-after-free accessing the error number * Fix potential memory leak of parms.r_addr - replaces 0001-fix-parms.r_addr-memory-leak.patch * rpcb_clnt.c add mechanism to try v2 protocol first - preplaces: 0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch * Eliminate deadlocks in connects with an MT environment * clnt_dg_freeres() uncleared set active state may deadlock * thread safe clnt destruction * SUNRPC: mutexed access blacklist_read state variable * SUNRPC: MT-safe overhaul of address cache management in rpcb_clnt.c Update to 1.3.2: * Replace the final SunRPC licenses with BSD licenses * blacklist: Add a few more well known ports * libtirpc: disallow calling auth_refresh from clnt_call with RPCSEC_GSS Update to 1.3.1: * Remove AUTH_DES interfaces from auth_des.h The unsupported AUTH_DES authentication has be compiled out since commit d918e41d889 (Wed Oct 9 2019) replaced by API routines that return errors. * svc_dg: Free xp_netid during destroy * Fix memory management issues of fd locks * libtirpc: replace array with list for per-fd locks * __svc_vc_dodestroy: fix double free of xp_ltaddr.buf * __rpc_dtbsize: rlim_cur instead of rlim_max * pkg-config: use the correct replacements for libdir/includedir ----------------------------------------- Patch: SUSE-2023-4446 Released: Wed Nov 15 07:20:00 2023 Summary: Recommended update for open-vm-tools Severity: moderate References: 1216670 Description: This update for open-vm-tools fixes the following issues: - Update to 12.3.5 (bsc#1216670) ----------------------------------------- Patch: SUSE-2023-4450 Released: Wed Nov 15 10:55:20 2023 Summary: Recommended update for crypto-policies Severity: moderate References: 1209998 Description: This update for crypto-policies fixes the following issues: - Enable setting the kernel FIPS mode with the fips-mode-setup and fips-finish-install commands (jsc#PED-5041) - Adapt fips-mode-setup to use the pbl command from the perl-Bootloader package instead of grubby and add a note for transactional systems - Ship the man pages for fips-mode-setup and fips-finish-install - Make the supported versions change in the update-crypto-policies(8) man page persistent (bsc#1209998) ----------------------------------------- Patch: SUSE-2023-4456 Released: Thu Nov 16 08:40:57 2023 Summary: Recommended update for selinux-policy Severity: moderate References: 1216060 Description: This update for selinux-policy fixes the following issues: - Update to version 20230511+git9.1b35a6ab - Allow keepalived to manage its tmp files (bsc#1216060) ----------------------------------------- Patch: SUSE-2023-4458 Released: Thu Nov 16 14:38:48 2023 Summary: Security update for gcc13 Severity: important References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039 Description: This update for gcc13 fixes the following issues: This update ship the GCC 13.2 compiler suite and its base libraries. The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones. The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module. The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories. To use gcc13 compilers use: - install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages. - override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages. For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html Detailed changes: * CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052) - Work around third party app crash during C++ standard library initialization. [bsc#1216664] - Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427) - Bump included newlib to version 4.3.0. - Update to GCC trunk head (r13-5254-g05b9868b182bb9) - Redo floatn fixinclude pick-up to simply keep what is there. - Turn cross compiler to s390x to a glibc cross. [bsc#1214460] - Also handle -static-pie in the default-PIE specs - Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101] - Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427] - Add new x86-related intrinsics (amxcomplexintrin.h). - RISC-V: Add support for inlining subword atomic operations - Use --enable-link-serialization rather that --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver. - Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC. - Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing. - Bump included newlib to version 4.3.0. - Also package libhwasan_preinit.o on aarch64. - Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite. - Package libhwasan_preinit.o on x86_64. - Fixed unwinding on aarch64 with pointer signing. [bsc#1206684] - Enable PRU flavour for gcc13 - update floatn fixinclude pickup to check each header separately (bsc#1206480) - Redo floatn fixinclude pick-up to simply keep what is there. - Bump libgo SONAME to libgo22. - Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers. - Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15. - Depend on at least LLVM 13 for GCN cross compiler. - Update embedded newlib to version 4.2.0 - Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build. ----------------------------------------- Patch: SUSE-2023-4503 Released: Tue Nov 21 13:25:12 2023 Summary: Security update for avahi Severity: moderate References: 1215947,1216419,CVE-2023-38470,CVE-2023-38473 Description: This update for avahi fixes the following issues: - CVE-2023-38470: Ensure each label is at least one byte long (bsc#1215947). - CVE-2023-38473: Fixed a reachable assertion when parsing a host name (bsc#1216419). ----------------------------------------- Patch: SUSE-2023-4504 Released: Tue Nov 21 13:27:50 2023 Summary: Security update for libxml2 Severity: moderate References: 1216129,CVE-2023-45322 Description: This update for libxml2 fixes the following issues: - CVE-2023-45322: Fixed a use-after-free in xmlUnlinkNode() in tree.c (bsc#1216129). ----------------------------------------- Patch: SUSE-2023-4518 Released: Tue Nov 21 17:35:30 2023 Summary: Security update for openssl-1_1 Severity: important References: 1216922,CVE-2023-5678 Description: This update for openssl-1_1 fixes the following issues: - CVE-2023-5678: Fixed generating and checking of excessively long X9.42 DH keys that resulted in a possible Denial of Service (bsc#1216922). ----------------------------------------- Patch: SUSE-2023-4557 Released: Fri Nov 24 17:04:36 2023 Summary: Security update for vim Severity: important References: 1214922,1214924,1214925,1215004,1215006,1215033,1215940,1216001,1216167,1216696,CVE-2023-46246,CVE-2023-4733,CVE-2023-4734,CVE-2023-4735,CVE-2023-4738,CVE-2023-4752,CVE-2023-4781,CVE-2023-5344,CVE-2023-5441,CVE-2023-5535 Description: This update for vim fixes the following issues: Updated to version 9.0 with patch level 2103, fixes the following security problems * CVE-2023-5344: vim: Heap-based Buffer Overflow in vim prior to 9.0.1969 (bsc#1215940) * CVE-2023-5441: vim: segfault in exmode when redrawing (bsc#1216001) * CVE-2023-5535: vim: use-after-free from buf_contents_changed() (bsc#1216167) * CVE-2023-46246: vim: Integer Overflow in :history command (bsc#1216696) * CVE-2023-4738: vim: heap-buffer-overflow in vim_regsub_both (bsc#1214922) * CVE-2023-4735: vim: OOB Write ops.c (bsc#1214924) * CVE-2023-4734: vim: segmentation fault in function f_fullcommand (bsc#1214925) * CVE-2023-4733: vim: use-after-free in function buflist_altfpos (bsc#1215004) * CVE-2023-4752: vim: Heap Use After Free in function ins_compl_get_exp (bsc#1215006) * CVE-2023-4781: vim: heap-buffer-overflow in function vim_regsub_both (bsc#1215033) ----------------------------------------- Patch: SUSE-2023-4603 Released: Wed Nov 29 08:41:39 2023 Summary: Recommended update for selinux-policy Severity: moderate References: 1215405 Description: This update for selinux-policy fixes the following issues: - Extend module list for targeted policy * timedatex * rrdcached * stratisd * ica (bsc#1215405) * fedoratp * stalld * rhcd * wireguard ----------------------------------------- Patch: SUSE-2023-4619 Released: Thu Nov 30 10:13:52 2023 Summary: Security update for sqlite3 Severity: important References: 1210660,CVE-2023-2137 Description: This update for sqlite3 fixes the following issues: - CVE-2023-2137: Fixed heap buffer overflow (bsc#1210660). ----------------------------------------- Patch: SUSE-2023-4623 Released: Thu Nov 30 19:22:32 2023 Summary: Security update for traceroute Severity: moderate References: 1216591,CVE-2023-46316 Description: This update for traceroute fixes the following issues: - CVE-2023-46316: wrapper scripts do not properly parse command lines (bsc#1216591). ----------------------------------------- Patch: SUSE-2023-4628 Released: Fri Dec 1 09:27:15 2023 Summary: Recommended update for podman Severity: moderate References: 1210299,1215807,1215926 Description: This update for podman fixes the following issues: This update ships podman version 4.7.2: * WSL: Fixed podman compose command. * Fixed a bug in podman compose to try all configured providers before throwing an error (#20502). * Mask /sys/devices/virtual/powercap ( GHSA-jq35-85cj-fj4p) - podman-docker: Provides docker to avoid conflicts when using podman with docker-compose (bsc#1215926) - Update to version 4.7.1: * Bugfixes * Fixed a bug involving non-English locales of Windows where machine installs using user-mode networking were rejected due to erroneous version detection (#20209). * Fixed a regression in --env-file handling (#19565). * Fixed a bug where podman inspect would fail when stat'ing a device failed. * API * The network list compat API endpoint is now much faster (#20035). - Build against latest stable Go version (bsc#1215807) - Update to version 4.7.0: * Security * Now the io.containers.capabilities LABEL in an image can be an empty string. * Features * New command set: podman farm [create,list,remove,update] has been created to 'farm' out builds to machines running Podman for different architectures. * New command: podman compose as a thin wrapper around an external compose provider such as docker-compose or podman-compose. * FreeBSD: podman run --device is now supported. * Linux: Add a new --module flag for Podman. * Podmansh: Timeout is now configurable using the podmansh_timeout option in containers.conf. * SELinux: Add support for confined users to create containers but restrict them from creating privileged containers. * WSL: Registers shared socket bindings on Windows, to allow other WSL distributions easy remote access (#15190). * WSL: Enabling user-mode-networking on older WSL2 generations will now detect an error with upgrade guidance. * The podman build command now supports two new options: --layer-label and --cw. * The podman kube generate command now supports generation of k8s DaemonSet kind (#18899). * The podman kube generate and podman kube play commands now support the k8s TerminationGracePeriodSeconds field (RH BZ#2218061). * The podman kube generate and podman kube play commands now support securityContext.procMount: Unmasked (#19881). * The podman generate kube command now supports a --podman-only flag to allow podman-only reserved annotations to be used in the generated YAML file. These annotations cannot be used by Kubernetes. * The podman kube generate now supports a --no-trunc flag that supports YAML files with annotations longer than 63 characters. Warning: if an annotation is longer than 63 chars, then the generated yaml file is not Kubernetes compatible. * An infra name annotation io.podman.annotations.infra.name is added in the generated yaml when the pod create command has --infra-name set. This annotation can also be used with kube play when wanting to customize the infra container name (#18312). * The syntax of --uidmap and --gidmap has been extended to lookup the parent user namespace and to extend default mappings (#18333). * The podman kube commands now support the List kind (#19052). * The podman kube play command now supports environment variables in kube.yaml (#15983). * The podman push and podman manifest push commands now support the --force-compression optionto prevent reusing other blobs (#18860). * The podman manifest push command now supports --add-compression to push with compressed variants. * The podman manifest push command now honors the add_compression field from containers.conf if --add-compression is not set. * The podman run and podman create --mount commands now support the ramfs type (#19659). * When running under systemd (e.g., via Quadlet), Podman will extend the start timeout in 30 second steps up to a maximum of 5 minutes when pulling an image. * The --add-host option now accepts the special string host-gateway instead of an IP Address, which will be mapped to the host IP address. * The podman generate systemd command is deprecated. Use Quadlet for running containers and pods under systemd. * The podman secret rm command now supports an --ignore option. * The --env-file option now supports multiline variables (#18724). * The --read-only-tmpfs flag now affects /dev and /dev/shm as well as /run, /tmp, /var/tmp (#12937). * The Podman --mount option now supports bind mounts passed as globs. * The --mount option can now be specified in containers.conf using the mounts field. * The podman stats now has an --all option to get all containers stats (#19252). * There is now a new --sdnotify=healthy policy where Podman sends the READY message once the container turns healthy (#6160). * Temporary files created when dealing with images in /var/tmp will automatically be cleaned up on reboot. * There is now a new filter option since for podman volume ls and podman volume prune (#19228). * The podman inspect command now has tab-completion support (#18672). * The podman kube play command now has support for the use of reserved annotations in the generated YAML. * The progress bar is now displayed when decompressing a Podman machine image (#19240). * The podman secret inspect command supports a new option --showsecret which will output the actual secret. * The podman secret create now supports a --replace option, which allows you to modify secrets without replacing containers. * The podman login command can now read the secret for a registry from its secret database created with podman secret create (#18667). * The remote Podman client’s podman play kube command now works with the --userns option (#17392). * Changes * The /tmp and /var/tmp inside of a podman kube play will no longer be noexec. * The limit of inotify instances has been bumped from 128 to 524288 for podman machine (#19848). * The podman kube play has been improved to only pull a newer image for the 'latest' tag (#19801). * Pulling from an oci transport will use the optional name for naming the image. * The podman info command will always display the existence of the Podman socket. * The echo server example in socket_activation.md has been rewritten to use quadlet instead of podman generate systemd. * Kubernetes support table documentation correctly show volumes support. * The podman auto-update manpage and documentation has been updated and now includes references to Quadlet. * Quadlet * Quadlet now supports setting Ulimit values. * Quadlet now supports setting the PidsLimit option in a container. * Quadlet unit files allow DNS field in Network group and DNS, DNSSearch, and DNSOption field in Container group (#19884). * Quadlet now supports ShmSize option in unit files. * Quadlet now recursively calls in user directories for unit files. * Quadlet now allows the user to set the service working directory relative to the YAML or Unit files (17177). * Quadlet now allows setting user-defined names for Volume and Network units via the VolumeName and NetworkName directives, respectively. * Kube quadlets can now support autoupdate. * Bugfixes * Fixed an issue where containers were being restarted after a podman kill. * Fixed a bug where events could report incorrect healthcheck results (#19237). * Fixed a bug where running a container in a pod didn't fail if volumes or mounts were specified in the containers.conf file. * Fixed a bug where pod cgroup limits were not being honored after a reboot (#19175). * Fixed a bug where podman rm -af could fail to remove containers under some circumstances (#18874). * Fixed a bug in rootless to clamp oom_score_adj to current value if it is too low (#19829). * Fixed a bug where --hostuser was being parsed in base 8 instead of base 10 (#19800). * Fixed a bug where kube down would error when an object did not exist (#19711). * Fixed a bug where containers created via DOCKER API without specifying StopTimeout had StopTimeout defaulting to 0 seconds (#19139). * Fixed a bug in podman exec to set umask to match the container it's execing into (#19713). * Fixed a bug where podman kube play failed to set a container's Umask to the default 0022. * Fixed a bug to automatically reassign Podman's machine ssh port on Windows when it conflicts with in-use system ports (#19554). * Fixed a bug where locales weren't passed to conmon correctly, resulting in a crash if some characters were specified over CLI (containers/common/#272). * Fixed a bug where podman top would sometimes not print the full output (#19504). * Fixed a bug were podman logs --tail could return incorrect lines when the k8s-file logger is used (#19545). * Fixed a bug where podman stop did not ignore cidfile not existing when user specified --ignore flag (#19546). * Fixed a bug where a container with an image volume and an inheri... - Update to version 4.6.2: * Changes * Fixed a performance issue when calculating diff sizes in overlay. The podman system df command should see a significant performance improvement (#19467). * Bugfixes * Fixed a bug where containers in a pod would use the pod restart policy over the set container restart policy (#19671). * API * Fixed a bug in the Compat Build endpoint where the pull query parameter did not parse 0/1 as a boolean (#17778). * Misc * Updated the containers/storage library to v1.48.1 - Update to version 4.6.1: * Quadlet * Quadlet now selects the first Quadlet file found when multiple Quadlets exist with the same name. * API * Fixed a bug in the container kill endpoint to correctly return 409 when a container is not running (#19368). * Misc * Updated Buildah to v1.31.2 * Updated the containers/common library to v0.55.3 - Recommend gvisor-tap-vsock, required for `podmand machine` - Update to version 4.6.0: * Features * The podman manifest inspect command now supports the --authfile option, for authentication purposes. * The podman wait command now supports --condition={healthy,unhealthy}, allowing waits on successful health checks. * The podman push command now supports a new option, --compression-level, which specifies the compression level to use (#18939). * The podman machine start command, when run with --log-level=debug, now creates a console window to display the virtual machine while booting. * Podman now supports a new option, --imagestore, which allows images to be stored in a different directory than the graphroot. * The --ip-range option to the podman network create command now accepts a new syntax, -, which allows more flexibility when limiting the ip range that Podman assigns. * [Tech Preview] A new command, podmansh, has been added, which executes a user shell within a container when the user logs into the system. The container that the users get added to can be defined via a Podman Quadlet file. This feature is currently a Tech Preview which means it's ready for users to try out but changes can be expected in upcoming versions. * The podman network create command supports a new --option, bclim, for the macvlan driver. * The podman network create command now supports adding static routes using the --route option. * The podman network create command supports a new --option, no_default_route for all drivers. * The podman info command now prints network information about the binary path, package version, program version and DNS information (#18443). * The podman info command now displays the number of free locks available, helping to debug lock exhaustion scenarios. * The podman info command now outputs information about pasta, if it exists in helper_binaries_dir or $PATH. * The remote Podman client’s podman build command now accepts Containerfiles that are not in the context directory (#18239). * The remote Podman client’s podman play kube command now supports the --configmap option (#17513). * The podman kube play command now supports multi-doc YAML files for configmap arguments. (#18537). * The podman pod create command now supports a new flag, --restart, which sets the restart policy for all the containers in a pod. * The --format={{.Restarts}} option to the podman ps command now shows the number of times a container has been restarted based on its restart policy. * The --format={{.Restarts}} option to the podman pod ps command now shows the total number of container restarts in a pod. * The podman machine provider can now be specified via the CONTAINERS_MACHINE_PROVIDER environment variable, as well as via the provider field in containers.conf (#17116). * A default list of pasta arguments can now be set in containers.conf via pasta_options. * The podman machine init and podman machine set commands now support a new option, --user-mode-networking, which improves interops with VPN configs that drop traffic from WSL networking, on Windows. * The remote Podman client’s podman push command now supports the --digestfile option (#18216). * Podman now supports a new option, --out, that allows redirection or suppression of STDOUT (#18120). * Changes * When looking up an image by digest, the entire repository of the specified value is now considered. This aligns with Docker's behavior since v20.10.20. Previously, both the repository and the tag was ignored and Podman looked for an image with only a matching digest. Ignoring the name, repository, and tag of the specified value can lead to security issues and is considered harmful. * The podman system service command now emits a warning when binding to a TCP socket. This is not a secure configuration and the Podman team recommends against using it. * The podman top command no longer depends on ps(1) being present in the container image and now uses the one from the host (#19001). * The --filter id=xxx option will now treat xxx as a CID prefix, and not as a regular expression (#18471). * The --filter option now requires multiple --filter flags to specify multiple filters. It will no longer support the comma syntax (--filter label=a,label=b). * The slirp4netns binary for will now be searched for in paths specified by the helper_binaries_dir option in containers.conf (#18239). * Podman machine now updates /run/docker.sock within the guest to be consistent with its rootless/rootful setting (#18480). * The podman system df command now counts files which podman generates for use with specific containers as part of the disk space used by those containers, and which can be reclaimed by removing those containers. It also counts space used by files it associates with specific images and volumes as being used by those images and volumes. * The podman build command now returns a clearer error message when the Containerfile cannot be found. (#16354). * Containers created with --pid=host will no longer print errors on podman stop (#18460). * The podman manifest push command no longer requires a destination to be specified. If a destination is not provided, the source is used as the destination (#18360). * The podman system reset command now warns the user that the graphroot and runroot directories will be deleted (#18349), (#18295). * The package and package-install targets in Makefile have now been fixed and also renamed to rpm and rpm-install respectively for clarity (#18817). * Quadlet * Quadlet now exits with a non-zero exit code when errors are found (#18778). * Rootless podman quadlet files can now be installed in /etc/containers/systemd/users directory. * Quadlet now supports the AutoUpdate option. * Quadlet now supports the Mask and Unmask options. * Quadlet now supports the WorkingDir option, which specifies the default working dir in a container. * Quadlet now supports the Sysctl option, which sets namespaced kernel parameters for containers (#18727). * Quadlet now supports the SecurityLabelNetsted=true option, which allows nested SELinux containers. * Quadlet now supports the Pull option in .container files (#18779). * Quadlet now supports the ExitCode field in .kube files, which reflects the exit codes of failed containers. * Quadlet now supports PodmanArgs field. * Quadlet now supports the HostName field, which sets the container's host name, in .container files (#18486). * Bugfixes * Fixed a bug where the podman machine start command would fail with a 255 exit code. It now waits for systemd-user sessions to be up, and for SSH to be ready, addressing the flaky machine starts (#17403). * Fixed a bug where the podman auto update command did not correctly use authentication files when contacting container registries. * Fixed a bug where --label option to the podman volume ls command would return volumes that matched any of the filters, not all of them (#19219). * Fixed a bug where the podman kube play command did not recognize containerPort names inside Kubernetes liveness probes. Now, liveness probes support both containerPort names as well as port numbers (#18645). * Fixed a bug where the --dns option to the podman run command was ignored for macvlan networks (#19169). * Fixed a bug in the podman system service command where setting LISTEN_FDS when listening on TCP would misbehave. * Fixed a bug where hostnames were not recognized as a network alias. Containers can now resolve other hostnames, in addition to their names (#17370). * Fixed a bug where the podman pod run command would error after a reboot on a non-systemd system (#19175). * Fixed a bug where the --syslog option returned a fatal error when no syslog server was found (#19075). * Fixed a bug where the --mount option would parse the readonly option incorrectly (#18995). * Fixed a bug where hook executables invoked by the podman run command set an incorrect working directory. It now sets the correct working directory pointing to the container bundle directory (#18907). * Fixed a bug where the -device-cgroup-rule option was silently ignored in rootless mode ([#18698](https://github.com/containers/podman/issu... - Don't unconditionally Obsolete podman-cni-config, ensure clean upgrade path. - Prefer Podman's new network stack (netavark) exclusively on ALP - Remove unused podman-cni-config subpackage, add systemd - Update to version 4.5.1: * Security * Do not include image annotations when building spec. These annotations can have security implications - crun, for example, allows rootless containers to preserve the user's groups through an annotation. * Quadlet * Fixed a bug in quadlet to recognize the systemd optional prefix '-'. * Bugfixes * Fixed a bug where fully resolving symlink paths included the version number, breaking the path to homebrew-installed qemu files (#18111). * Fixed a bug where Podman was splitting the filter map slightly differently compared to Docker (#18092). * Fixed a bug where running make package did not work on RHEL 8 environments (#18421). * Fixed a bug to allow comma separated dns server IP addresses in podman network create --dns and podman network update --dns-add/--dns-drop (#18663). * Fixed a bug to correctly stop containers created with --restart=always in all cases (#18259). * Fixed a bug in podman-remote logs to correctly display errors reported by the server. * Fixed a bug to correctly tear down the network stack again when an error happened during the setup. * Fixed a bug in the remote API exec inspect call to correctly display updated information, e.g. when the exec process died (#18424). * Fixed a bug so that podman save on windows can now write to stdout by default (#18147). * Fixed a bug where podman machine rm with the qemu backend now correctly removes the machine connection after the confirmation message not before (#18330). * Fixed a problem where podman machine connections would try to connect to the ipv6 localhost ipv6 (::1) (#16470). * API * Fixed a bug in the compat container create endpoint which could result in a 'duplicate mount destination' error when the volume path was not 'clean', e.g. included a final slash at the end. (#18454). * The compat API now correctly accepts a tag in the images/create?fromSrc endpoint (#18597). - Update to version 4.5.0: * Features * The podman kube play command now supports the hostIPC field (#17157). * The podman kube play command now supports a new flag, --wait, that keeps the workload running in foreground until killed with a sigkill or sigterm. The workloads are cleaned up and removed when killed (#14522). * The podman kube generate and podman kube play commands now support SELinux filetype labels. * The podman kube play command now supports sysctl options (#16711). * The podman kube generate command now supports generating the Deployments (#17712). * The podman machine inspect command now shows information about named pipe addresses on Windows (#16860). * The --userns=keep-id option for podman create, run, and kube play now works for root containers by copying the current mapping into a new user namespace (#17337). * A new command has been added, podman secret exists, to verify if a secret with the given name exists. * The podman kube generate and podman kube play commands now support ulimit annotations (#16404). * The podman create, run, pod create, and pod clone commands now support a new option, --shm-size-systemd, that allows limiting tmpfs sizes for systemd-specific mounts (#17037). * The podman create and run commands now support a new option, --group-entry which customizes the entry that is written to the /etc/group file within the container when the --user option is used (#14965). * The podman create and podman run commands now support a new option, --security-opt label=nested, which allows SELinux labeling within a confined container. * A new command, podman machine os apply has been added, which applies OS changes to a Podman machine, from an OCI image. * The podman search command now supports two new options: --cert-dir and --creds. * Defaults for the --cgroup-config option for podman create and podman run can now be set in containers.conf. * Podman now supports auto updates for containers running inside a pod (#17181). * Podman can now use a SQLite database as a backend for increased stability. The default remains the old database, BoltDB. The database to use is selected through the database_backend field in containers.conf. * Netavark plugin support has been added. The netavark network backend now allows users to create custom network drivers. podman network create -d can be used to create a network config for your plugin and then Podman will use it like any other config and takes care of setup/teardown on container start/stop. This requires at least Netavark version 1.6. * DHCP with macvlan and the netavark backend is now supported. * Changes * Remote builds using the podman build command no longer allows .containerignore or .dockerignore files to be symlinks outside the build context. * The podman system reset command now clears build caches. * The podman play kube command now adds ctrName as an alias to the pod network (#16544). * The podman kube generate command no longer adds hostPort to the pod spec when generating service kinds. * Using a private cgroup namespace with systemd containers on a cgroups v1 system will explicitly error (this configuration has never worked) (#17727). * The SYS_CHROOT capability has been re-added to the default set of capabilities. * Listing large quantities of images with the podman images command has seen a significant performance improvement (#17828). * Quadlet * Quadlet now supports the Rootfs= option, allowing containers to be based on rootfs in addition to image. * Quadlet now supports the Secret key in the Container group. * Quadlet now supports the Logdriver key in .container and .kube units. * Quadlet now supports the Mount key in .container files (#17632). * Quadlet now supports specifying static IPv4 and IPv6 addresses in .container files via the IP= and IP6= options. * Quadlet now supports health check configuration in .container files. * Quadlet now supports relative paths in the Volume key in .container files (#17418). * Quadlet now supports setting the UID and GID options for --userns=keep-id (#17908). * Quadlet now supports adding tmpfs filesystems through the Tmpfs key in .container files (#17907). * Quadlet now supports the UserNS option in .container files, which will replace the existing RemapGid, RemapUid, RemapUidSize and RemapUsers options in a future release (#17984). * Quadlet now includes a --version option. * Quadlet now forbids specifying SELinux label types, including disabling selinux separation. * Quadlet now does not set log-driver by default. * Fixed a bug where Quadlet did not recognize paths starting with systemd specifiers as absolute (#17906). * Bugfixes * Fixed a bug in the network list API where a race condition would cause the list to fail if a container had just been removed (#17341). * Fixed a bug in the podman image scp command to correctly use identity settings. * Fixed a bug in the remote Podman client's podman build command where building from stdin would fail. podman --remote build -f - now works correctly (#17495). * Fixed a bug in the podman volume prune command where exclusive (!=) filters would fail (#17051). * Fixed a bug in the --volume option in the podman create, run, pod create, and pod clone commands where specifying relative mappings or idmapped mounts would fail (#17517). * Fixed a bug in the podman kube play command where a secret would be created, but nothing would be printed on the terminal (#17071). * Fixed a bug in the podman kube down command where secrets were not removed. * Fixed a bug where cleaning up after an exited container could segfault on non-Linux operating systems. * Fixed a bug where the podman inspect command did not properly list the network configuration of containers created with --net=none or --net=host (#17385). * Fixed a bug where containers created with user-specified SELinux labels that created anonymous or named volumes would create those volumes with incorrect labels. * Fixed a bug where the podman checkpoint restore command could panic. * Fixed a bug in the podman events command where events could be returned more than once after a log file rotation (#17665). * Fixed a bug where errors from systemd when restarting units during a podman auto-update command were not reported. * Fixed a bug where containers created with the --health-on-failure=restart option were not restarting when the health state turned unhealthy (#17777). * Fixed a bug where containers using the slirp4netns network mode with the cidr option and a custom user namespace did not set proper DNS IPs in resolv.conf. * Fixed a bug where the podman auto-update command could fail to restart systemd units (#17607). * Fixed a bug where the podman play kube command did not properly handle secret.items in volumes (#17829). * Fixed a bug where the podman generate kube command could generate pods with invalid names and hostnames (#18054). * Fixed a bug where names of limits (such as RLIMIT_NOFILE) passed to the --ulimit option to podman create and podman run were case-sensitive (#18077). * Fixed a possible corruption issue with the configuration state of podman machine during system failures on Mac, Linux, and Windows. * API * The Compat Stats endpoint for Containers now returns the Id key as lowercase id to match Docker (#17869). * Fixed a bug where the Compat top endpoint incorrectly returned titles as a string instead of a list (#17524). * Misc * The podman version command no longer joins the rootless user namespace (#17657). * The podman-events --stream option is no longer hidden and is now documented. * Updated Buildah to v1.30.0 * Updated the containers/storage library to v1.46.1 * Updated the containers/image library to v5.25.0 * Updated the containers/common library to v0.52.0 - Don't build against EoL go versions, fixes bsc#1210299 ----------------------------------------- Patch: SUSE-2023-4644 Released: Tue Dec 5 13:46:14 2023 Summary: Recommended update for psmisc Severity: moderate References: Description: This update for psmisc fixes the following issues: - Fix version number when building the package ----------------------------------------- Patch: SUSE-2023-4659 Released: Wed Dec 6 13:04:57 2023 Summary: Security update for curl Severity: moderate References: 1217573,1217574,CVE-2023-46218,CVE-2023-46219 Description: This update for curl fixes the following issues: - CVE-2023-46218: Fixed cookie mixed case PSL bypass (bsc#1217573). - CVE-2023-46219: HSTS long file name clears contents (bsc#1217574). ----------------------------------------- Patch: SUSE-2023-4660 Released: Wed Dec 6 13:06:12 2023 Summary: Security update for kernel-firmware Severity: important References: 1215823,1215831,CVE-2021-26345,CVE-2021-46766,CVE-2021-46774,CVE-2022-23820,CVE-2022-23830,CVE-2023-20519,CVE-2023-20521,CVE-2023-20526,CVE-2023-20533,CVE-2023-20566,CVE-2023-20592 Description: This update for kernel-firmware fixes the following issues: Update AMD ucode to 20231030 (bsc#1215831): - CVE-2022-23820: Failure to validate the AMD SMM communication buffer may allow an attacker to corrupt the SMRAM potentially leading to arbitrary code execution. - CVE-2021-46774: Insufficient input validation in ABL may enable a privileged attacker to perform arbitrary DRAM writes, potentially resulting in code execution and privilege escalation. - CVE-2023-20533: Insufficient DRAM address validation in System Management Unit (SMU) may allow an attacker using DMA to read/write from/to invalid DRAM address potentially resulting in denial-of-service. 0 CVE-2023-20519: A Use-After-Free vulnerability in the management of an SNP guest context page may allow a malicious hypervisor to masquerade as the guest's migration agent resulting in a potential loss of guest integrity. - CVE-2023-20566: Improper address validation in ASP with SNP enabled may potentially allow an attacker to compromise guest memory integrity. - CVE-2023-20521: TOCTOU in the ASP Bootloader may allow an attacker with physical access to tamper with SPI ROM records after memory content verification, potentially leading to loss of confidentiality or a denial of service. - CVE-2021-46766: Improper clearing of sensitive data in the ASP Bootloader may expose secret keys to a privileged attacker accessing ASP SRAM, potentially leading to a loss of confidentiality. - CVE-2022-23830: SMM configuration may not be immutable, as intended, when SNP is enabled resulting in a potential limited loss of guest memory integrity. - CVE-2023-20526: Insufficient input validation in the ASP Bootloader may enable a privileged attacker with physical access to expose the contents of ASP memory potentially leading to a loss of confidentiality. - CVE-2021-26345: Failure to validate the value in APCB may allow an attacker with physical access to tamper with the APCB token to force an out-of-bounds memory read potentially resulting in a denial of service. - CVE-2023-20592: Issue with INVD instruction aka CacheWarpAttack (bsc#1215823). ----------------------------------------- Patch: SUSE-2023-4671 Released: Wed Dec 6 14:33:41 2023 Summary: Recommended update for man Severity: moderate References: Description: This update of man fixes the following problem: - The 'man' commands is delivered to SUSE Linux Enterprise Micro to allow browsing man pages. ----------------------------------------- Patch: SUSE-2023-4678 Released: Thu Dec 7 01:53:29 2023 Summary: Feature update for lvm2 Severity: important References: 1216938 Description: This update for lvm2 fixes the following issues: Updated lvm2 from LVM2.2.03.16 to LVM2.2.03.22 (jsc#PED-6753,jsc#PED-6754): - Version 2.03.22: * Fixed issues with LVM filters no longer working with SUSE Linux Enterprise 15 Service Pack 5 (bsc#1216938) * Fixed pv_major/pv_minor report field types so they are integers, not strings. * Added `lvmdevices --delnotfound` to delete entries for missing devices. * Always use cachepool name for metadata backup LV for `lvconvert --repair`. * Make metadata backup LVs read-only after pool's `lvconvert --repair`. * Improve VDO and Thin support with lvmlockd. * Handle `lvextend --usepolicies` for pools for all activation variants. * Fixed memleak in vgchange autoactivation setup. * Update py-compile building script. * Support conversion from thick to fully provisioned thin LV. * Cache/Thin-pool can use error and zero volumes for testing. * Individual thin volume can be cached, but cannot take snapshot. * Better internal support for handling error and zero target (for testing). * Resize COW above trimmed maximal size is does not return error. * Support parsing of vdo geometry format version 4. * Added lvm.conf thin_restore and cache_restore settings. * Handle multiple mounts while resizing volume with a FS. * Handle leading/trailing spaces in sys_wwid and sys_serial used by deivce_id. * Enhance lvm_import_vdo and use snapshot when converting VDO volume. * Fixed parsing of VDO metadata. * Fixed failing `-S|--select` for non-reporting cmds if using LV info/status fields. * Allow snapshots of raid+integrity LV. * Fixed multisegment RAID1 allocator to prevent using single disk for more legs. - Version 2.03.21: * Fixed activation of vdo-pool for with 0 length headers (converted pools). * Avoid printing internal init messages when creation integration devices. * Allow (write)cache over raid+integrity LV. - Version 2.03.20: * Fixed segfault if using `-S|--select` with log/report_command_log=1 setting. * Configure now fails when requested lvmlockd dependencies are missing. * Added some configure Gentoo enhancements for static builds. - Version 2.03.19: * Configure supports `--with-systemd-run` executed from udev rules. * Enhancement for build with MuslC systemd and non-bash system shells (dash). * Do not reset SYSTEMD_READY variable in udev for PVs on MD and loop devices. * Ensure udev is processing origin LV before its thick snapshots LVs. * Fixed and improve runtime memory size detection for VDO volumes. - Version 2.03.18: * Fixed issues reported by coverity scan. * Fixed warning for thin pool overprovisioning on lvextend (2.03.17). * Added support for writecache metadata_only and pause_writeback settings. * Fixed missing error messages in lvmdbusd. - Version 2.03.17: * Added new options (`--fs, --fsmode`) for FS handling when resizing LVs. * Fixed `lvremove -S|--select LV` to not also remove its historical LV right away. * Fixed lv_active field type to binary so --select and --binary applies properly. * Switch to use mallinfo2 and use it only with glibc. * Error out in lvm shell if using a cmd argument not supported in the shell. * Fixed lvm shell's lastlog command to report previous pre-command failures. * Extend VDO and VDOPOOL without flushing and locking fs. * Added `--valuesonly` option to lvmconfig to print only values without keys. * Updates configure with recent autoconf tooling. * Fixed `lvconvert --test --type vdo-pool` execution. * Added json_std output format for more JSON standard compliant version of output. * Fixed vdo_slab_size_mb value for converted VDO volume. * Fixed many corner cases in device_id, including handling of S/N duplicates. * Fixed various issues in lvmdbusd. ----------------------------------------- Patch: SUSE-2023-4680 Released: Thu Dec 7 07:34:12 2023 Summary: Recommended update for selinux-policy Severity: moderate References: 1216747 Description: This update for selinux-policy fixes the following issues: - Trigger rebuild of the policy when pcre2 gets updated to avoid regex version mismatch errors (bsc#1216747) ----------------------------------------- Patch: SUSE-2023-4699 Released: Mon Dec 11 07:02:10 2023 Summary: Recommended update for gpg2 Severity: moderate References: 1217212 Description: This update for gpg2 fixes the following issues: - `dirmngr-client --validate` is broken for DER-encoded files (bsc#1217212) ----------------------------------------- Patch: SUSE-2023-4700 Released: Mon Dec 11 07:03:27 2023 Summary: Recommended update for p11-kit Severity: moderate References: Description: This update for p11-kit fixes the following issues: - Ensure that programs using can be compiled with CRYPTOKI_GNU. Fixes GnuTLS builds (jsc#PED-6705). ----------------------------------------- Patch: SUSE-2023-4703 Released: Mon Dec 11 07:19:53 2023 Summary: Recommended update for dracut Severity: moderate References: 1192986,1217031 Description: This update for dracut fixes the following issues: - Update to version 055+suse.375.g1167ed75 - Fix network device naming in udev-rules (bsc#1192986) ----------------------------------------- Patch: SUSE-2023-4723 Released: Tue Dec 12 09:57:51 2023 Summary: Recommended update for libtirpc Severity: moderate References: 1216862 Description: This update for libtirpc fixes the following issue: - fix sed parsing in specfile (bsc#1216862) ----------------------------------------- Patch: SUSE-2023-4727 Released: Tue Dec 12 12:27:39 2023 Summary: Security update for catatonit, containerd, runc Severity: important References: 1200528,CVE-2022-1996 Description: This update of runc and containerd fixes the following issues: containerd: - Update to containerd v1.7.8. Upstream release notes: https://github.com/containerd/containerd/releases/tag/v1.7.8 * CVE-2022-1996: Fixed CORS bypass in go-restful (bsc#1200528) catatonit: - Update to catatonit v0.2.0. * Change license to GPL-2.0-or-later. - Update to catatont v0.1.7 * This release adds the ability for catatonit to be used as the only process in a pause container, by passing the -P flag (in this mode no subprocess is spawned and thus no signal forwarding is done). - Update to catatonit v0.1.6, which fixes a few bugs -- mainly ones related to socket activation or features somewhat adjacent to socket activation (such as passing file descriptors). runc: - Update to runc v1.1.10. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.1.10 ----------------------------------------- Patch: SUSE-2023-4759 Released: Wed Dec 13 10:54:58 2023 Summary: Recommended update for open-iscsi Severity: moderate References: 1210514 Description: This update for open-iscsi fixes the following issue: - Upgrade to upstream version 2.1.9 (bsc#1210514) with tag '2.1.9-suse' (bsc#1210514) * replacing open-iscsi-2.1.8-suse.tar.bz2 with open-iscsi-2.1.9-suse.tar.bz2 * several fixes to harden iscsiuio (v0.7.8.8), including: - logging now uses syslog - shutdown now waits for helper threads to complete - netlink socket cleanup * some minor bug fixes, some helping builds on musl ----------------------------------------- Patch: SUSE-2023-4891 Released: Mon Dec 18 16:31:49 2023 Summary: Security update for ncurses Severity: moderate References: 1201384,1218014,CVE-2023-50495 Description: This update for ncurses fixes the following issues: - CVE-2023-50495: Fixed a segmentation fault via _nc_wrap_entry() (bsc#1218014) - Modify reset command to avoid altering clocal if the terminal uses a modem (bsc#1201384) ----------------------------------------- Patch: SUSE-2023-4897 Released: Tue Dec 19 08:22:36 2023 Summary: Optional update for openslp Severity: low References: Description: This update for openslp bumps the version number to ensure a clean upgrade path from SLE-12 to SLE-15. This is a no-change rebuild of the packages already available in SLE-15. ----------------------------------------- Patch: SUSE-2023-4901 Released: Tue Dec 19 11:25:47 2023 Summary: Security update for avahi Severity: moderate References: 1216853,CVE-2023-38472 Description: This update for avahi fixes the following issues: - CVE-2023-38472: Fixed reachable assertion in avahi_rdata_parse (bsc#1216853). ----------------------------------------- Patch: SUSE-2023-4902 Released: Tue Dec 19 13:09:42 2023 Summary: Security update for openssh Severity: important References: 1214788,1217950,CVE-2023-48795 Description: This update for openssh fixes the following issues: - CVE-2023-48795: Fixed prefix truncation breaking ssh channel integrity (bsc#1217950). the following non-security bug was fixed: - Fix the 'no route to host' error when connecting via ProxyJump ----------------------------------------- Patch: SUSE-2023-4937 Released: Wed Dec 20 17:54:20 2023 Summary: Recommended update for sg3_utils Severity: moderate References: 1215720,1215772,1216355 Description: This update for sg3_utils fixes the following issues: - Update to version 1.47+15.b6898b8 - L3-Question: rescan-scsi-bus.sh resize not detected (bsc#1215720). - Packman Discord package upgrade lockout defeat inoperative (bsc#1216355). - sg3_utils package doesn't rebuild initrd (bsc#1215772). - rescan-scsi-bus.sh: improve cleanup on exit (gh#doug-gilbert/sg3_utils#44) ----------------------------------------- Patch: SUSE-2023-4962 Released: Fri Dec 22 13:45:06 2023 Summary: Recommended update for curl Severity: important References: 1216987 Description: This update for curl fixes the following issues: - libssh: Implement SFTP packet size limit (bsc#1216987) This update also ships curl to the INSTALLER channel. ----------------------------------------- Patch: SUSE-2023-4973 Released: Tue Dec 26 04:44:10 2023 Summary: Recommended update for duktape Severity: moderate References: 1216296 Description: This update of duktape fixes the following issue: - duktape-devel is shipped to Basesystem module (bsc#1216296). ----------------------------------------- Patch: SUSE-2024-11 Released: Tue Jan 2 13:24:52 2024 Summary: Recommended update for procps Severity: moderate References: 1029961,1158830,1206798,1209122 Description: This update for procps fixes the following issues: - Update procps to 3.3.17 (jsc#PED-3244 jsc#PED-6369) - For support up to 2048 CPU as well (bsc#1185417) - Allow `-´ as leading character to ignore possible errors on systctl entries (bsc#1209122) - Get the first CPU summary correct (bsc#1121753) - Enable pidof for SLE-15 as this is provided by sysvinit-tools - Use a check on syscall __NR_pidfd_open to decide if the pwait tool and its manual page will be build - Do not truncate output of w with option -n - Prefer logind over utmp (jsc#PED-3144) - Don't install translated man pages for non-installed binaries (uptime, kill). - Fix directory for Ukrainian man pages translations. - Move localized man pages to lang package. - Update to procps-ng-3.3.17 * library: Incremented to 8:3:0 (no removals or additions, internal changes only) * all: properly handle utf8 cmdline translations * kill: Pass int to signalled process * pgrep: Pass int to signalled process * pgrep: Check sanity of SG_ARG_MAX * pgrep: Add older than selection * pidof: Quiet mode * pidof: show worker threads * ps.1: Mention stime alias * ps: check also match on truncated 16 char comm names * ps: Add exe output option * ps: A lot more sorting available * pwait: New command waits for a process * sysctl: Match systemd directory order * sysctl: Document directory order * top: ensure config file backward compatibility * top: add command line 'e' for symmetry with 'E' * top: add '4' toggle for two abreast cpu display * top: add '!' toggle for combining multiple cpus * top: fix potential SEGV involving -p switch * vmstat: Wide mode gives wider proc columns * watch: Add environment variable for interval * watch: Add no linewrap option * watch: Support more colors * free,uptime,slabtop: complain about extra ops - Package translations in procps-lang. - Fix pgrep: cannot allocate 4611686018427387903 bytes when ulimit -s is unlimited. - Enable pidof by default - Update to procps-ng-3.3.16 * library: Increment to 8:2:0 No removals or functions Internal changes only, so revision is incremented. Previous version should have been 8:1:0 not 8:0:1 * docs: Use correct symbols for -h option in free.1 * docs: ps.1 now warns about command name length * docs: install translated man pages * pgrep: Match on runstate * snice: Fix matching on pid * top: can now exploit 256-color terminals * top: preserves 'other filters' in configuration file * top: can now collapse/expand forest view children * top: parent %CPU time includes collapsed children * top: improve xterm support for vim navigation keys * top: avoid segmentation fault at program termination * 'ps -C' does not allow anymore an argument longer than 15 characters (bsc#1158830) ----------------------------------------- Patch: SUSE-2024-26 Released: Thu Jan 4 11:15:24 2024 Summary: Recommended update for mozilla-nss Severity: moderate References: 1214980 Description: This update for mozilla-nss fixes the following issues: Mozilla NSS was updated to NSS 3.90.1 * regenerate NameConstraints test certificates. * add OSXSAVE and XCR0 tests to AVX2 detection. ----------------------------------------- Patch: SUSE-2024-54 Released: Mon Jan 8 07:08:14 2024 Summary: Recommended update for NetworkManager Severity: important References: 1218248 Description: This recommended update for NetworkManager fixes the following issues: - No-change rebuild to include NetworkManager-wwan in the SLE-Module-Desktop-Applications_15-SP5 channels (bsc#1218248) ----------------------------------------- Patch: SUSE-2024-62 Released: Mon Jan 8 11:44:47 2024 Summary: Recommended update for libxcrypt Severity: moderate References: 1215496 Description: This update for libxcrypt fixes the following issues: - fix variable name for datamember [bsc#1215496] - added patches fix https://github.com/besser82/libxcrypt/commit/b212d601549a0fc84cbbcaf21b931f903787d7e2 ----------------------------------------- Patch: SUSE-2024-70 Released: Tue Jan 9 18:29:39 2024 Summary: Security update for tar Severity: low References: 1217969,CVE-2023-39804 Description: This update for tar fixes the following issues: - CVE-2023-39804: Fixed extension attributes in PAX archives incorrect hanling (bsc#1217969). ----------------------------------------- Patch: SUSE-2024-136 Released: Thu Jan 18 09:53:47 2024 Summary: Security update for pam Severity: moderate References: 1217000,1218475,CVE-2024-22365 Description: This update for pam fixes the following issues: - CVE-2024-22365: Fixed a local denial of service during PAM login due to a missing check during path manipulation (bsc#1218475). - Check localtime_r() return value to fix crashing (bsc#1217000) ----------------------------------------- Patch: SUSE-2024-140 Released: Thu Jan 18 11:34:58 2024 Summary: Security update for libssh Severity: important References: 1211188,1211190,1218126,1218186,1218209,CVE-2023-1667,CVE-2023-2283,CVE-2023-48795,CVE-2023-6004,CVE-2023-6918 Description: This update for libssh fixes the following issues: Security fixes: - CVE-2023-6004: Fixed command injection using proxycommand (bsc#1218209) - CVE-2023-48795: Fixed potential downgrade attack using strict kex (bsc#1218126) - CVE-2023-6918: Fixed missing checks for return values of MD functions (bsc#1218186) - CVE-2023-1667: Fixed NULL dereference during rekeying with algorithm guessing (bsc#1211188) - CVE-2023-2283: Fixed possible authorization bypass in pki_verify_data_signature under low-memory conditions (bsc#1211190) Other fixes: - Update to version 0.9.8 - Allow @ in usernames when parsing from URI composes - Update to version 0.9.7 - Fix several memory leaks in GSSAPI handling code ----------------------------------------- Patch: SUSE-2024-149 Released: Thu Jan 18 14:23:58 2024 Summary: Recommended update for selinux-policy Severity: moderate References: 1205931,1216060 Description: This update for selinux-policy fixes the following issues: - Allow rebootmgr to read the system state (bsc#1205931) - Allow keepalived_t read+write kernel_t pipes (bsc#1216060) ----------------------------------------- Patch: SUSE-2024-214 Released: Wed Jan 24 16:01:31 2024 Summary: Recommended update for systemd Severity: moderate References: 1214668,1215241,1217460 Description: This update for systemd fixes the following issues: - resolved: actually check authenticated flag of SOA transaction - core/mount: Make device deps from /proc/self/mountinfo and .mount unit file exclusive - core: Add trace logging to mount_add_device_dependencies() - core/mount: Remove default deps from /proc/self/mountinfo when it is updated (bsc#1217460) - core/mount: Set Mount.from_proc_self_mountinfo flag before adding default dependencies - core: wrap some long comment - utmp-wtmp: Handle EINTR gracefully when waiting to write to tty - utmp-wtmp: Fix error in case isatty() fails - homed: Handle EINTR gracefully when waiting for device node - resolved: Handle EINTR returned from fd_wait_for_event() better - sd-netlink: Handle EINTR from poll() gracefully, as success - varlink: Handle EINTR gracefully when waiting for EIO via ppoll() - stdio-bridge: Don't be bothered with EINTR - sd-bus: Handle EINTR return from bus_poll() (bsc#1215241) - core: Replace slice dependencies as they get added (bsc#1214668) ----------------------------------------- Patch: SUSE-2024-231 Released: Thu Jan 25 11:57:37 2024 Summary: Recommended update for suse-module-tools Severity: moderate References: 1217775 Description: This update for suse-module-tools fixes the following issues: - Update to version 15.5.4 - Add symlink /boot/.vmlinuz.hmac (bsc#1217775) ----------------------------------------- Patch: SUSE-2024-238 Released: Fri Jan 26 10:56:41 2024 Summary: Security update for cpio Severity: moderate References: 1218571,CVE-2023-7207 Description: This update for cpio fixes the following issues: - CVE-2023-7207: Fixed a path traversal issue that could lead to an arbitrary file write during archive extraction (bsc#1218571). ----------------------------------------- Patch: SUSE-2024-244 Released: Fri Jan 26 13:01:27 2024 Summary: Recommended update for util-linux Severity: moderate References: 1207987 Description: This update for util-linux fixes the following issues: - Fix performance degradation (bsc#1207987) ----------------------------------------- Patch: SUSE-2024-255 Released: Mon Jan 29 01:52:49 2024 Summary: Recommended update for multipath-tools Severity: moderate References: 1218326 Description: This update for multipath-tools fixes the following issues: - Fixed ANA prioritizer enablement logic (bsc#1218326) ----------------------------------------- Patch: SUSE-2024-295 Released: Thu Feb 1 08:23:17 2024 Summary: Security update for runc Severity: important References: 1218894,CVE-2024-21626 Description: This update for runc fixes the following issues: Update to runc v1.1.11: - CVE-2024-21626: Fixed container breakout. (bsc#1218894) ----------------------------------------- Patch: SUSE-2024-322 Released: Fri Feb 2 15:13:26 2024 Summary: Recommended update for aaa_base Severity: moderate References: 1107342,1215434 Description: This update for aaa_base fixes the following issues: - Set JAVA_HOME correctly (bsc#1107342, bsc#1215434) ----------------------------------------- Patch: SUSE-2024-408 Released: Wed Feb 7 11:06:37 2024 Summary: Recommended update for podman Severity: moderate References: 1217828 Description: This update for podman fixes the following issues: - Update to version 4.8.3: * Update RELEASE_NOTES.md * update module golang.org/x/crypto [security] * Error on HyperV VM start when gvproxy has failed to start - Refactor network backend dependencies: * podman requires either netavark or cni-plugins. On ALP, require netavark, otherwise prefer netavark but don't force it. * This fixes missing cni-plugins in some scenarios * Default to netavark everywhere where it's available - Update to version 4.8.2: * Update RELEASE_NOTES.md * Kube Play - set ReportWriter when building an image * Fix user-mode net init flag on first time install - Default to the new networking backend, netavark, on openSUSE (bsc#1217828) - Update to version 4.8.1: * Handle symlinks when checking DB vs runtime configs * libpod: Detect whether we have a private UTS namespace on FreeBSD * pkg/bindings: add new APIVersionError error type * fix podman-remote exec regression with v4.8 * sqlite: fix issue in ValidateDBConfig() * sqlite: fix missing Commit() in RemovePodContainers() * sqlite: set busy timeout to 100s * Fix locking error in WSL machine rm -f * Gating test fixes * If API calls for kube play --replace, then replace pod * Fix wsl.conf generation when user-mode-networking is disabled - Update to version 4.8.0: * Bump to Buildah v1.33.2 * [CI:DOCS] Update release notes * machine applehv: create better error on start failure * Cirrus: Update operating branch * rootless_tutorial: modernize * Update to libhvee 0.5.0 * vmtypes names cannot be used as machine names * Add support for --compat-auth-file in login/logout * Update tests for a c/common error message change * Update c/image and c/common to latest, c/buildah to main * CI: test overlay and vfs * [CI:DOCS] Add link to podman py docs * Test fixes for debian * pasta tests: remove some skips * VM images: bump to 2023-11-16 * fix(deps): update module k8s.io/kubernetes to v1.28.4 [security] * [CI:DOCS] Machine test timeout env var * Quadlet - add support for UID and GID Mapping * Quadlet - Allow using symlink on the base search paths * [skip-ci] Update dessant/lock-threads action to v5 * Avoid empty SSH keys on applehv * qemu,parseUSB: minor refactor * fix(deps): update module github.com/gorilla/handlers to v1.5.2 * docs: fix relabeling command * Pass secrets from the host down to internal podman containers * (Temporary) Emergency CI fix: quay search is broken * Update podman-stats.1.md.in * [CI:BUILD] packit: handle builds for RC releases * Quadlet test - add case for multi = sign in mount * set RLIMIT_NOFILE soft limit to match the hard limit on mac * rootless: use functionalities from c/storage * CI: e2e: fix a smattering of test bugs that slipped in * fix(deps): update module github.com/onsi/ginkgo/v2 to v2.13.1 * vendor: update c/storage * Improve the documentation of quadlet * Fix socket mapping socket mapping nits * fix(deps): update module golang.org/x/tools to v0.15.0 * fix(deps): update github.com/containers/libhvee digest to 9651e31 * [skip-ci] Update github/issue-labeler action to v3.3 * Document --userns=auto behaviour for rootless users * machine: qemu: add usb host passthrough * fix(deps): update module golang.org/x/net to v0.18.0 * fix(deps): update module github.com/onsi/gomega to v1.30.0 * Refactor Ignition configuration for virt providers * [CI:BUILD] rpm: disable GOPROXY * Automatic code cleanups [JetBrains] * Refactor key machine objects * systests: add [NNN] prefix in logs, NNN = filename * systests: add a last-minute check for db backend * applehv: allow virtiofs to mount to root * Run codespell on podman * update completion scripts for cobra v1.8.0 * Fix man page display of podman-kube-generate * Try to fix the broken formatting of man podman-kube-apply(1). * fix(deps): update module golang.org/x/text to v0.14.0 * docs: make CNI removal explicit * fix(deps): update module github.com/gorilla/mux to v1.8.1 * fix(deps): update module github.com/spf13/cobra to v1.8.0 * fix(deps): update module golang.org/x/sync to v0.5.0 * fix(deps): update module github.com/mattn/go-sqlite3 to v1.14.18 * Podman push --help should reveal default compression * Update container-device-interface (CDI) to v0.6.2 * fix: adjust helper string in machine_common * fix: adjust helper string in machine_common * remote,test: remove .dockerignore which is a symlink * [CI:DOCS] Update dependency golangci/golangci-lint to v1.55.2 * fix: adjust helper string in machine_common * vendor: update github.com/coreos/go-systemd/v22 to latest main * CI: default to sqlite * vendor: update c/common * check system connections before machine init * Consume OCI images for machine image * freebsd: drop dead code * libpod: make removePodCgroup linux specific * containers: drop special handling for ErrCgroupV1Rootless * compose: fix compose provider debug message * image: replace GetStoreImage with ResolveReference * vendor: bump c/image to 373c52a9466f * Refactor machine socket mapping * AppleHV: Fix machine rm error message * Add status messages to podman --remote commit * End-of-Life policy for github issues * fix(deps): update module github.com/shirou/gopsutil/v3 to v3.23.10 * Support passing of Ulimits as -1 to mean max * fix(deps): update github.com/docker/go-connections digest to 0b8c1f4 * fix(deps): update github.com/crc-org/vfkit digest to f3c783d * Log gvproxy and server9 to file on log-level=debug * Change to using gopsutil for cross-OS process ops * Initial addition of 9p code to Podman * libpod: fix /etc/hostname with --uts=host * systests: stty test: retry once on flake * systests: pasta: avoid hangs * Fix secrets scanning GHA Workflow * [skip-ci] Update dawidd6/action-send-mail action to v3.9.0 * docs: clarify systemd cgroup mount * podman build --remote URI Dockerfile shoud not be treated as file * Small fixes for wacko CI environments * Do not add powercap mask if no paths are masked * compose: try all possible providers before throwing an error * podman kube play --replace should force removal of pods and containers * Sort kube options alphabetically * container.conf: support attributed string slices * CI: podman farm tests cleanup * Mask /sys/devices/virtual/powercap * Update module github.com/google/uuid to v1.4.0 * fix(deps): update module github.com/docker/docker to v24.0.7+incompatible * fix(deps): update module go.etcd.io/bbolt to v1.3.8 * CI: systest: safer random_rfc1918_subnet * CI: e2e: safer GetPort() * Fix broken code block markup in Introduction.rst * chore(deps): update module google.golang.org/grpc to v1.57.1 [security] * chore: remove npipe const and use vmtype const for checking * Update module github.com/onsi/gomega to v1.29.0 * CI: try to fix more networking flakes * fix: check wsl npipe when executing podman compose * [CI:DOCS] Update dependency golangci/golangci-lint to v1.55.1 * Quadlet - explicit support for read-only-tmpfs * compat API: fix image-prune --all * Makefile - allow more control over Ginkgo parameters * Add e2e tests for farm build * vendor c/{buildah,common}: appendable containers.conf strings, Part 1 * Add podman farm build command * Add emulation package * Use buildah default isolation when working with podman play kube * docs(API): Fix compat network (dis-)connect * test/e2e: do not import buildah * pkg/specgen: remove config_unsupported.go * pkg/parallel/ctr: add !remote tag * pkg/domain/filters: add !remote tag * pkg/ps: add !remote tag * pkg/systemd/generate: add !remote tag * libpod: add !remote tag * pkg/autoupdate: add !remote tag * vendor latest c/common * libpod: remove build support non linux/freebsd * Fix typo * test/apiv2: adapt apiv2 test on cgroups v1 environment * ginkgo setup: retry cache pulls * Support size option when creating tmpfs volumes * not mounted layers should be reported as info not error * CI: stop using registry.k8s.io * fix(deps): update module github.com/vbatts/git-validation to v1.2.1 * test fixes for c/common tag chnages * vendor latest c/common * hyperV: Update lastUp time * [CI:DOCS] Update dependency golangci/golangci-lint to v1.55.0 * lint: disable testifylint * lint: fix warnings found by perfsprint * lint: fix warnings found by inamedparam * lint: fix warnings found by protogetter * libpod: skip DBUS_SESSION_BUS_ADDRESS in conmon * Use node hostname in kube play when hostNetwork=true * cirrus setup: special-case perl unicode * network: document ports and macvlan interaction * quadlet: document cgroupv2 requirement * [skip-ci] Update actions/checkout digest to b4ffde6 * Revert 'Emergency workaround for CI breakage' * remote: exec: do not leak session IDs on errors * fix(deps): update github.com/containers/storage digest to 79aa304 * fix(deps): update module k8s.io/kubernetes to v1.28.3 * System tests: fix broken silence127 * Add TERM iff TERM not defined in container when podman exec -t * Emergency workaround for CI breakage * Kill gvproxy when machine rm -f * Fix path for omvf vars on Darwin/arm64 * Allow systemd specifiers in User and Group Quadlet keys * libpod: rename confusing import name * use FindInitBinary() for init binary * vendor latest c/common * exec: do not leak session IDs on errors * systests: cp test: lots of cleanup * Define better error message for container name conflicts with external storage. * Quadlet - support ImageName for .image files * test/system: ignore 127 if it is the expected rc * test/apiv2/20-containers.at: fix NanoCPUs tests on cgroups v1 * image history: fix walking layers * fix(api): Ensure compatibality for network connect * [CI:DOCS] Add cross-build target info. * machine set: document --rootful better * libpod: restart+userns cleanup netns correctly * Minor log and doc fixes * Quadlet man page - discuss volume removal explicitly * Quadlet - add support for KubeDownForce * System Test - Quadlet kube oneshot * Fix output of podman --remote top * buildah-bud: test relative TMPDIR * Fix handling of --read-only-tmpfs flag * Vendor common and buildah main * remote,build: wire unsetlabels * test: build with TMPDIR as relative * docs: add unsetlabel * vendor: bump buildah to v1.32.1-0.20231012130144-244170240d85 * fix(deps): update module github.com/vbauerster/mpb/v8 to v8.6.2 * fix: pull error response docker rest api compatibility * Show client info even if remote connection fails * fix(deps): update github.com/containers/libhvee digest to e51be96 * Run codespell * SetLock for all virt providers * Machine: Teardown on init failure * healthcheck: make sure to always show health_status events * Apply suggestions from code review * [CI:DOCS]rtd: implement v2 build file * Quadlet - support oneshot .kube files * libpod: fix deadlock while parallel container create * fix(deps): update module golang.org/x/net to v0.17.0 * api: add `compatMode` paramenter to libpod's pull endpoint * api: break out compat image pull * fix(deps): update module github.com/cpuguy83/go-md2man/v2 to v2.0.3 * use sqlite as default database * vendor latest c/common * fix(deps): update module github.com/nxadm/tail to v1.4.11 * Check for image with /libpod/containers/create * container: always check if mountpoint is mounted * fix(deps): update module github.com/onsi/ginkgo/v2 to v2.13.0 * vendor: update c/storage * api: drop debug statement * Quadlet - add support for global arguments * Add system test * fix(deps): update module golang.org/x/tools to v0.14.0 * Don't ignore containerfiles outside of build context * fix(deps): update github.com/containers/libhvee digest to fcf1cc2 * fix(deps): update module golang.org/x/term to v0.13.0 * Update module golang.org/x/sys to v0.13.0 * [CI:DOCS] Add updating version on podman.io to release process * containers.conf: add `privileged` field to containers table * Implement secrets/credential scanning * Cirrus: Execute Windows podman-machine e2e tests * vendor: bump c/storage * Update module golang.org/x/sync to v0.4.0 * [CI:DOCS] update swagger version on docs.podman.io * Create Qemu command wrapper * Adjust to path name change for resolved unit * Revert 'Fix WSL systemd detection' * [CI:BUILD] rpm/copr: gvforwarder recommends for RHEL * [CI:DOCS] update kube play delete endpoint docs * [CI:DOCS] Remove dead link from README * test/system: --env-file test fixes * Revert 'feat(env): support multiline in env-file' * Revert 'docs(env-file): improve document description' * Revert 'fix(env): parsing --env incorrect in cli' * Filter health_check and exec events for logging in console * inspect: ignore ENOENT during device lookup * test, manifest: test push retry * Fix locale issues with WSL version detection * vendor: update module github.com/docker/distribution to v2.8.3+incompatible * vendor: bump c/common to v0.56.1-0.20231002091908-745eaa498509 * Update github.com/containers/libhvee digest to e9b1811 * windows: Use prebuilt gvproxy/win-sshproxy binaries * Volume create - fast exit when ignore is set and volume exists * Update golang.org/x/exp digest to 9212866 * Update github.com/opencontainers/runtime-spec digest to c0e9043 * remove selinux tag as not needed anymore * [skip-ci] Improve podmansh(1) * Build applehv for Intel Macs * Revert 'GHA Workflow: Faster discussion-locking' * update vfkit vendored code * Add DefaultMode to kube play * Fix broken podman images filters * Remove `c.ExtraFiles` line in machine * podman: run --replace prints only the new container id * New machines should show Never as LastUp * podman machine: disable zincati update service * Revert 'cirrus setup: install en_US.UTF-8 locale' * Cirrus: CI VM images w/ newer automation-library * CI VMs: bump to f39 + f38 * [CI:DOCS] Update podman load doc * Update mac installer to latest gvproxy release * Fix WSL systemd detection * Add documentation for the vrf option on netavark * fix(deps): update github.com/containers/common digest to 9342cdd * fix: typos in links, path and code example * e2e: ExitCleanly(): manual special cases * e2e: ExitCleanly(): the final fron^Wcommit * [CI:DOCS] Add win-sshproxy target to winmake * wsl: enable machine init tests * Update docs/source/markdown/options/rdt-class.md * move IntelRdtClosID to HostConfig * use default when user does not provide rdt-class * Add documentation for Intel RDT support * Add test for Intel RDT support * Add Intel RDT support * [CI:DOCS] Fix podman form update --help examples * Quadlet container mount - support non key=val options * test/e2e: default to netavark * [skip-ci] Update dawidd6/action-send-mail action to v3.9.0 * fix(deps): update module github.com/containers/gvisor-tap-vsock to v0.7.1 * fix(deps): update github.com/containers/common digest to 4619314 * applehv: enable machine tests for start * applehv: machine tests for stop and rm * Update machine tests README * Add podman socket info to machine inspect * Fix podman machine info test for hyperV * libpod: pass entire environment to conmon * e2e: ExitCleanly(): manual fixes to get tests working * e2e: ExitCleanly(): a few more * FCOS+podman-next: correct GHA conditional syntax * pkg/machine/e2e: wsl stop * wsl: machine tests for inspect * wsl: machine tests for ssh * fix(deps): update github.com/containers/common digest to e18cda8 * wsl: machine start test * wsl machine tests: set * wsl: machine tests * Skip proxy test for hyperV * Enable machine e2e test for applehv * hyperV: Respect rootful option on machine init * [CI:BUILD] FCOS image: enable nightly build * e2e: use safe fedora-minimal image * hyperv: machine e2e tests for set command * podman build: correct default pull policy * fix handling of static/volume dir * unbreak CI: useradd not found * hyperv: set more realistic starting state * hyperv: use StopWithForce with remove * Fix all ports exposed by kube play * Fix setting timezone on HyperV * fix(deps): update github.com/containers/gvisor-tap-vsock digest to 97028a6 * Fix farm update to check for connections * Adjust machine CPU tests * Bump version on main * [CI:BUILD] Packit: show SHORT_SHA in `podman --version` for COPR builds * Vendor c/common * pod rm: do not log error if anonymous volume is still used * e2e: ExitCleanly(): manual fixes to get tests passing * e2e: ExitCleanly(): a few more * fixes for pkg/machine/e2e on hyperv * test: fix rootless propagation test * [CI:BUILD] packit: tag @containers/packit-build team on copr build failures * Enable disk resizing for applehv * Various updates for hyperv and machine e2e tests * test: update fedoraMinimal version * specgen, rootless: fix mount of cgroup without a netns * Automatically remove anonymous volumes when removing a container * Use ActiveServiceDestination in ssh remoteConnectionUsername * fix(deps): update github.com/containers/gvisor-tap-vsock digest to 9298405 * e2e: ExitCleanly(): generate_kube_test.go * e2e: generate kube -> kube generate * e2e: ExitCleanly(): generate_kube_test.go * windows cannot 'do' extra files * e2e: ExitCleanly(): Fixes for breaking tests * play kube -> kube play * e2e: ExitCleanly(): play_kube_test.go * introduce pkg/strongunits * Makefile equiv Powershell script * pass --syslog to the cleanup process * vendor of containers/common * fix --authfile auto-update test * compat API: speed up network list * Change priority for cli-flags for remotely operating Podman * libpod: remove unused ContainerState() fucntion * [CI:BUILD] Packit: Enable failure notifications for cockpit tests * e2e: ExitCleanly(): more low-hanging fruit * e2e: ExitCleanly(): more low-hanging fruit * fix(deps): update module github.com/onsi/ginkgo/v2 to v2.12.1 * Enable machine e2e tests for WSL * systests: tighter checks for unwanted warnings * GHA Workflow: Faster discussion-locking * [CI:BUILD] FCOS + podman-next image: pull in wasm * [CI:BUILD] rpm: remove gvproxy subpackage * [CI:DOCS] Tweak podman to Podman in a few farm man pages * Docs on sig-proxy are wrong, we support TTY * e2e: ExitCleanly(): low-hanging fruit, part 2 * e2e: ExitCleanly(): low-hanging fruit, part 1 * Buildtag out unix commands for common OS files * systests: clean up after tests; fix missing path in logs * [CI:BUILD] followup PR for fcos with podman-next * Implement gvproxy networking using cmdline wrapper * fix, test: rmi should work with images w/o layers * vendor: bump c/common to v0.56.1-0.20230919073449-d1d9d38d8282 * Quadlet Image test - rearrange test function * e2e: continuing ExitCleanly() work: manual tweaks * e2e: continuing ExitCleanly() work * [CI:DOCS] Improve podman-tag man page * [CI:DOCS] Improve podman-build man page * [CI:DOCS] Include precheck to release process * [CI:DOCS] consistentize filter options in man pages * Quadlet - add support for .image units * --env-host: use default from containers.conf * error when --module is specified on the command level * man page crossrefs: add --filter autocompletes * Fix specification of unix:///run * Add label! filter and tests to containers and pods * Add test for legacy address without two slashes * Use url with scheme and path for the unix address - Use crun only on selected archs ----------------------------------------- Patch: SUSE-2024-459 Released: Tue Feb 13 15:28:56 2024 Summary: Security update for runc Severity: important References: 1218894,CVE-2024-21626 Description: This update for runc fixes the following issues: - Update to runc v1.1.12 (bsc#1218894) The following CVE was already fixed with the previous release. - CVE-2024-21626: Fixed container breakout. ----------------------------------------- Patch: SUSE-2024-527 Released: Mon Feb 19 10:03:27 2024 Summary: Recommended update for conmon Severity: moderate References: 1215806,1217773 Description: This update for conmon fixes the following issues: - New upstream release 2.1.10 Bug fixes: * Fix incorrect free in conn_sock * logging: Respect log-size-max immediately after open - New upstream release 2.1.9 Bug fixes: * fix some issues flagged by SAST scan * src: fix write after end of buffer * src: open all files with O_CLOEXEC * oom-score: restore oom score before running exit command Features: * Forward more messages on the sd-notify socket * logging: -l passthrough accepts TTYs * [bsc#1215806] Update to version 2.1.8: * stdio: ignore EIO for terminals (bsc#1217773) * ensure console socket buffers are properly sized * conmon: drop return after pexit() * ctrl: make accept4 failures fatal * logging: avoid opening /dev/null for each write * oom: restore old OOM score * Use default umask 0022 * cli: log parsing errors to stderr * Changes to build conmon for riscv64 * Changes to build conmon for ppc64le * Fix close_other_fds on FreeBSD ----------------------------------------- Patch: SUSE-2024-549 Released: Tue Feb 20 17:05:52 2024 Summary: Security update for openssl-1_1 Severity: moderate References: 1219243,CVE-2024-0727 Description: This update for openssl-1_1 fixes the following issues: - CVE-2024-0727: Denial of service when processing a maliciously formatted PKCS12 file (bsc#1219243). ----------------------------------------- Patch: SUSE-2024-555 Released: Tue Feb 20 17:22:17 2024 Summary: Security update for libxml2 Severity: moderate References: 1219576,CVE-2024-25062 Description: This update for libxml2 fixes the following issues: - CVE-2024-25062: Fixed use-after-free in XMLReader (bsc#1219576). ----------------------------------------- Patch: SUSE-2024-596 Released: Thu Feb 22 20:05:29 2024 Summary: Security update for openssh Severity: important References: 1218215,CVE-2023-51385 Description: This update for openssh fixes the following issues: - CVE-2023-51385: Limit the use of shell metacharacters in host- and user names to avoid command injection. (bsc#1218215) ----------------------------------------- Patch: SUSE-2024-597 Released: Thu Feb 22 20:07:11 2024 Summary: Security update for mozilla-nss Severity: important References: 1216198,CVE-2023-5388 Description: This update for mozilla-nss fixes the following issues: Update to NSS 3.90.2: - CVE-2023-5388: Fixed timing attack against RSA decryption in TLS (bsc#1216198) ----------------------------------------- Patch: SUSE-2024-614 Released: Mon Feb 26 11:31:18 2024 Summary: Recommended update for rpm Severity: important References: 1216752 Description: This update for rpm fixes the following issues: - backport lua support for rpm.execute to ease migrating from SLE Micro 5.5 to 6.0 (bsc#1216752) ----------------------------------------- Patch: SUSE-2024-615 Released: Mon Feb 26 11:32:32 2024 Summary: Recommended update for netcfg Severity: moderate References: 1211886 Description: This update for netcfg fixes the following issues: - Add krb-prop entry (bsc#1211886) ----------------------------------------- Patch: SUSE-2024-637 Released: Tue Feb 27 10:06:55 2024 Summary: Recommended update for duktape Severity: moderate References: Description: This update for duktape fixes the following issues: - Ship libduktape206-32bit: needed by libproxy since version 0.5. ----------------------------------------- Patch: SUSE-2024-764 Released: Tue Mar 5 13:46:25 2024 Summary: Security update for wpa_supplicant Severity: important References: 1219975,CVE-2023-52160 Description: This update for wpa_supplicant fixes the following issues: - CVE-2023-52160: Bypassing WiFi Authentication (bsc#1219975). ----------------------------------------- Patch: SUSE-2024-766 Released: Tue Mar 5 13:50:28 2024 Summary: Recommended update for libssh Severity: important References: 1220385 Description: This update for libssh fixes the following issues: - Fix regression parsing IPv6 addresses provided as hostname (bsc#1220385) ----------------------------------------- Patch: SUSE-2024-792 Released: Thu Mar 7 09:55:23 2024 Summary: Recommended update for timezone Severity: moderate References: Description: This update for timezone fixes the following issues: - Update to version 2024a - Kazakhstan unifies on UTC+5 - Palestine springs forward a week later than previously predicted in 2024 and 2025 - Asia/Ho_Chi_Minh's 1955-07-01 transition occurred at 01:00 not 00:00 - From 1947 through 1949, Toronto's transitions occurred at 02:00 not 00:00 - In 1911 Miquelon adopted standard time on June 15, not May 15 - The FROM and TO columns of Rule lines can no longer be 'minimum' - localtime no longer mishandle some timestamps - strftime %s now uses tm_gmtoff if available - Ittoqqortoormiit, Greenland changes time zones on 2024-03-31 - Vostok, Antarctica changed time zones on 2023-12-18 - Casey, Antarctica changed time zones five times since 2020 - Code and data fixes for Palestine timestamps starting in 2072 - A new data file zonenow.tab for timestamps starting now - Much of Greenland changed its standard time from -03 to -02 on 2023-03-25 - localtime.c no longer mishandles TZif files that contain a single transition into a DST regime - tzselect no longer creates temporary files - tzselect no longer mishandles the following: * Spaces and most other special characters in BUGEMAIL, PACKAGE, TZDIR, and VERSION. * TZ strings when using mawk 1.4.3, which mishandles regular expressions of the form /X{2,}/ * ISO 6709 coordinates when using an awk that lacks the GNU extension of newlines in -v option-arguments * Non UTF-8 locales when using an iconv command that lacks the GNU //TRANSLIT extension * zic no longer mishandles data for Palestine after the year 2075 ----------------------------------------- Patch: SUSE-2024-794 Released: Thu Mar 7 10:33:17 2024 Summary: Security update for sudo Severity: important References: 1219026,1220389,CVE-2023-42465 Description: This update for sudo fixes the following issues: - CVE-2023-42465: Try to make sudo less vulnerable to ROWHAMMER attacks (bsc#1219026). ----------------------------------------- Patch: SUSE-2024-305 Released: Mon Mar 11 14:15:37 2024 Summary: Security update for cpio Severity: moderate References: 1218571,1219238,CVE-2023-7207 Description: This update for cpio fixes the following issues: - Fixed cpio not extracting correctly when using --no-absolute-filenames option the security fix for CVE-2023-7207 (bsc#1218571, bsc#1219238) ----------------------------------------- Patch: SUSE-2024-846 Released: Tue Mar 12 13:31:27 2024 Summary: Recommended update for selinux-policy Severity: moderate References: 1220361 Description: This update for selinux-policy fixes the following issues: * Don't audit getty and plymouth the checkpoint_restore capability (bsc#1220361) ----------------------------------------- Patch: SUSE-2024-861 Released: Wed Mar 13 09:12:30 2024 Summary: Recommended update for aaa_base Severity: moderate References: 1218232 Description: This update for aaa_base fixes the following issues: - Silence the output in the case of broken symlinks (bsc#1218232) ----------------------------------------- Patch: SUSE-2024-870 Released: Wed Mar 13 13:05:14 2024 Summary: Security update for glibc Severity: moderate References: 1217445,1217589,1218866 Description: This update for glibc fixes the following issues: Security issues fixed: - qsort: harden handling of degenerated / non transient compare function (bsc#1218866) Other issues fixed: - getaddrinfo: translate ENOMEM to EAI_MEMORY (bsc#1217589, BZ #31163) - aarch64: correct CFI in rawmemchr (bsc#1217445, BZ #31113) ----------------------------------------- Patch: SUSE-2024-876 Released: Wed Mar 13 15:45:34 2024 Summary: Security update for sudo Severity: important References: 1221134,1221151,CVE-2023-42465 Description: This update for sudo fixes the following issues: - CVE-2023-42465: Fixed issues introduced by first patches (bsc#1221151, bsc#1221134). ----------------------------------------- Patch: SUSE-2024-903 Released: Fri Mar 15 06:57:36 2024 Summary: Recommended update for systemd-presets-common-SUSE Severity: moderate References: 1200731 Description: This update for systemd-presets-common-SUSE fixes the following issues: - Split hcn-init.service to hcn-init-NetworkManager and hcn-init-wicked (bsc#1200731) - Support both the old and new service to avoid complex version interdependency ----------------------------------------- Patch: SUSE-2024-907 Released: Fri Mar 15 08:57:38 2024 Summary: Recommended update for audit Severity: moderate References: 1215377 Description: This update for audit fixes the following issue: - Fix plugin termination when using systemd service units (bsc#1215377) ----------------------------------------- Patch: SUSE-2024-929 Released: Tue Mar 19 06:36:24 2024 Summary: Recommended update for coreutils Severity: moderate References: 1219321 Description: This update for coreutils fixes the following issues: - tail: fix tailing sysfs files where PAGE_SIZE > BUFSIZ (bsc#1219321) ----------------------------------------- Patch: SUSE-2024-980 Released: Mon Mar 25 06:18:28 2024 Summary: Recommended update for pam-config Severity: moderate References: 1219767 Description: This update for pam-config fixes the following issues: - Fix pam_gnome_keyring module for AUTH (bsc#1219767) ----------------------------------------- Patch: SUSE-2024-982 Released: Mon Mar 25 12:56:33 2024 Summary: Recommended update for systemd-rpm-macros Severity: moderate References: 1217964 Description: This update for systemd-rpm-macros fixes the following issue: - Order packages that requires systemd after systemd-sysvcompat if needed. (bsc#1217964) ----------------------------------------- Patch: SUSE-2024-984 Released: Mon Mar 25 16:04:44 2024 Summary: Recommended update for runc Severity: important References: 1192051,1221050 Description: This update for runc fixes the following issues: - Add upstream patch to properly fix -ENOSYS stub on ppc64le. bsc#1192051 bsc#1221050 This allows running 15 SP6 containers on older distributions. ----------------------------------------- Patch: SUSE-2024-997 Released: Tue Mar 26 11:03:37 2024 Summary: Security update for krb5 Severity: important References: 1220770,1220771,1220772,CVE-2024-26458,CVE-2024-26461,CVE-2024-26462 Description: This update for krb5 fixes the following issues: - CVE-2024-26458: Fixed memory leak at /krb5/src/lib/rpc/pmap_rmt.c (bsc#1220770). - CVE-2024-26461: Fixed memory leak at /krb5/src/lib/gssapi/krb5/k5sealv3.c (bsc#1220771). - CVE-2024-26462: Fixed memory leak at /krb5/src/kdc/ndr.c (bsc#1220772). ----------------------------------------- Patch: SUSE-2024-1007 Released: Wed Mar 27 10:51:42 2024 Summary: Security update for shadow Severity: moderate References: 1144060,1176006,1188307,1203823,1205502,1206627,1210507,1213189,1214806,CVE-2023-29383,CVE-2023-4641 Description: This update for shadow fixes the following issues: - CVE-2023-29383: Fixed apparent /etc/shadow manipulation via chfn (bsc#1210507). - CVE-2023-4641: Fixed possible password leak during passwd(1) change (bsc#1214806). The following non-security bugs were fixed: - bsc#1176006: Fix chage date miscalculation - bsc#1188307: Fix passwd segfault - bsc#1203823: Remove pam_keyinit from PAM config files - bsc#1213189: Change lock mechanism to file locking to prevent lock files after power interruptions - bsc#1206627: Add --prefix support to passwd, chpasswd and chage - bsc#1205502: useradd audit event user id field cannot be interpretedd ----------------------------------------- Patch: SUSE-2024-1014 Released: Wed Mar 27 18:33:55 2024 Summary: Security update for avahi Severity: moderate References: 1216594,1216598,CVE-2023-38469,CVE-2023-38471 Description: This update for avahi fixes the following issues: - CVE-2023-38471: Fixed reachable assertion in dbus_set_host_name (bsc#1216594). - CVE-2023-38469: Fixed reachable assertions in avahi (bsc#1216598). ----------------------------------------- Patch: SUSE-2024-1015 Released: Thu Mar 28 06:08:11 2024 Summary: Recommended update for sed Severity: important References: 1221218 Description: This update for sed fixes the following issues: - 'sed -i' now creates temporary files with correct umask (bsc#1221218) ----------------------------------------- Patch: SUSE-2024-1080 Released: Tue Apr 2 06:50:10 2024 Summary: Recommended update for xfsprogs-scrub Severity: low References: 1190495 Description: This update for xfsprogs-scrub fixes the following issues: - Added missing xfsprogs-scrub to Package Hub for SLE-15-SP5 and SLE-15-SP4 (bsc#1190495) ----------------------------------------- Patch: SUSE-2024-1081 Released: Tue Apr 2 06:50:44 2024 Summary: Recommended update for dracut Severity: important References: 1217083,1219841,1220485,1221675 Description: This update for dracut fixes the following issues: - Update to version 055+suse.382.g80b55af2: * Fix regression with multiple `rd.break=` options (bsc#1221675) * Do not call `strcmp` if the `value` argument is NULL (bsc#1219841) * Correct shellcheck regression when parsing ccw args (bsc#1220485) * Skip README for AMD microcode generation (bsc#1217083) ----------------------------------------- Patch: SUSE-2024-1091 Released: Tue Apr 2 12:18:46 2024 Summary: Recommended update for rpm Severity: moderate References: Description: This update for rpm fixes the following issues: - Turn on IMA/EVM file signature support, move the imaevm code that needs the libiamevm library into a plugin, and install this plugin as part of a new 'rpm-imaevmsign' subpackage (jsc#PED-7246). - Backport signature reserved space handling from upstream. ----------------------------------------- Patch: SUSE-2024-1104 Released: Wed Apr 3 14:29:58 2024 Summary: Recommended update for docker, containerd, rootlesskit, catatonit, slirp4netns, fuse-overlayfs Severity: important References: Description: This update for docker fixes the following issues: - Overlay files are world-writable (bsc#1220339) - Allow disabling apparmor support (some products only support SELinux) The other packages in the update (containerd, rootlesskit, catatonit, slirp4netns, fuse-overlayfs) are no-change rebuilds required because the corresponding binary packages were missing in a number of repositories, thus making docker not installable on some products. ----------------------------------------- Patch: SUSE-2024-1129 Released: Mon Apr 8 09:12:08 2024 Summary: Security update for expat Severity: important References: 1219559,1221289,CVE-2023-52425,CVE-2024-28757 Description: This update for expat fixes the following issues: - CVE-2023-52425: Fixed a DoS caused by processing large tokens. (bsc#1219559) - CVE-2024-28757: Fixed an XML Entity Expansion. (bsc#1221289) ----------------------------------------- Patch: SUSE-2024-1133 Released: Mon Apr 8 11:29:02 2024 Summary: Security update for ncurses Severity: moderate References: 1220061,CVE-2023-45918 Description: This update for ncurses fixes the following issues: - CVE-2023-45918: Fixed NULL pointer dereference via corrupted xterm-256color file (bsc#1220061). ----------------------------------------- Patch: SUSE-2024-1146 Released: Mon Apr 8 11:34:54 2024 Summary: Security update for podman Severity: important References: 1221677,CVE-2024-1753 Description: This update for podman fixes the following issues: - CVE-2024-1753: Fixed an issue to prevent a full container escape at build time. (bsc#1221677) ----------------------------------------- Patch: SUSE-2024-1151 Released: Mon Apr 8 11:36:23 2024 Summary: Security update for curl Severity: moderate References: 1221665,1221667,CVE-2024-2004,CVE-2024-2398 Description: This update for curl fixes the following issues: - CVE-2024-2004: Fix the uUsage of disabled protocol logic. (bsc#1221665) - CVE-2024-2398: Fix HTTP/2 push headers memory-leak. (bsc#1221667) ----------------------------------------- Patch: SUSE-2024-1167 Released: Mon Apr 8 15:11:11 2024 Summary: Security update for nghttp2 Severity: important References: 1221399,CVE-2024-28182 Description: This update for nghttp2 fixes the following issues: - CVE-2024-28182: Fixed denial of service via http/2 continuation frames (bsc#1221399) ----------------------------------------- Patch: SUSE-2024-1172 Released: Tue Apr 9 09:52:32 2024 Summary: Security update for util-linux Severity: important References: 1207987,1221831,CVE-2024-28085 Description: This update for util-linux fixes the following issues: - CVE-2024-28085: Properly neutralize escape sequences in wall. (bsc#1221831) ----------------------------------------- Patch: SUSE-2024-1175 Released: Tue Apr 9 10:06:40 2024 Summary: Recommended update for multipath-tools Severity: moderate References: 1212440,1213809,1219142,1220374 Description: This update for multipath-tools fixes the following issues: - Fixed activation of LVM volume groups during coldplug (bsc#1219142) - Avoid changing SCSI timeouts in 'multipath -d' (bsc#1213809) - Fixed dev_loss_tmo even if not set in configuration (bsc#1212440) - Backport of upstream bug fixes (bsc#1220374): * Avoid setting queue_if_no_path on multipath maps for which the no_path_retry timeout has expired * Fixed memory and error handling for code using aio (marginal path code, directio path checker) * libmultipath: fixed max_sectors_kb on adding path * Fixed warnings reported by udevadm verify * libmultipath: use directio checker for LIO targets * multipathd.service: remove 'Also=multipathd.socket' * libmultipathd: avoid parsing errors due to unsupported designators * libmultipath: return 'pending' state when port is in transition * multipath.rules: fixed 'smart' bug with failed valid path check * libmpathpersist: fixed resource leak in update_map_pr() * libmultipath: keep renames from stopping other multipath actions ----------------------------------------- Patch: SUSE-2024-1192 Released: Wed Apr 10 09:14:37 2024 Summary: Security update for less Severity: important References: 1219901,CVE-2022-48624 Description: This update for less fixes the following issues: - CVE-2022-48624: Fixed LESSCLOSE handling in less that does not quote shell metacharacters (bsc#1219901). ----------------------------------------- Patch: SUSE-2024-1201 Released: Thu Apr 11 10:47:59 2024 Summary: Recommended update for xfsprogs-scrub and jctools Severity: low References: 1190495,1213418 Description: This update for xfsprogs-scrub fixes the following issues: - Added missing xfsprogs-scrub to Package Hub for SLE-15-SP5 (bsc#1190495) - Added missing jctools to Package Hub for SLE-15-SP5 (bsc#1213418) ----------------------------------------- Patch: SUSE-2024-1206 Released: Thu Apr 11 12:56:24 2024 Summary: Recommended update for rpm Severity: moderate References: 1222259 Description: This update for rpm fixes the following issues: - remove imaevmsign plugin from rpm-ndb [bsc#1222259] ----------------------------------------- Patch: SUSE-2024-1231 Released: Thu Apr 11 15:20:40 2024 Summary: Recommended update for glibc Severity: moderate References: 1220441 Description: This update for glibc fixes the following issues: - duplocale: protect use of global locale (bsc#1220441, BZ #23970) ----------------------------------------- Patch: SUSE-2024-1253 Released: Fri Apr 12 08:15:18 2024 Summary: Recommended update for gcc13 Severity: moderate References: 1210959,1214934,1217450,1217667,1218492,1219031,1219520,1220724,1221239 Description: This update for gcc13 fixes the following issues: - Fix unwinding for JIT code. [bsc#1221239] - Revert libgccjit dependency change. [bsc#1220724] - Remove crypt and crypt_r interceptors. The crypt API change in SLE15 SP3 breaks them. [bsc#1219520] - Add support for -fmin-function-alignment. [bsc#1214934] - Use %{_target_cpu} to determine host and build. - Fix for building TVM. [bsc#1218492] - Add cross-X-newlib-devel requires to newlib cross compilers. [bsc#1219031] - Package m2rte.so plugin in the gcc13-m2 sub-package rather than in gcc13-devel. [bsc#1210959] - Require libstdc++6-devel-gcc13 from gcc13-m2 as m2 programs are linked against libstdc++6. - Fixed building mariadb on i686. [bsc#1217667] - Avoid update-alternatives dependency for accelerator crosses. - Package tool links to llvm in cross-amdgcn-gcc13 rather than in cross-amdgcn-newlib13-devel since that also has the dependence. - Depend on llvmVER instead of llvm with VER equal to %product_libs_llvm_ver where available and adjust tool discovery accordingly. This should also properly trigger re-builds when the patchlevel version of llvmVER changes, possibly changing the binary names we link to. [bsc#1217450] ----------------------------------------- Patch: SUSE-2024-1272 Released: Fri Apr 12 16:24:28 2024 Summary: Recommended update for elemental-operator, elemental-operator-crds-helm, elemental-operator-helm, operator-image Severity: moderate References: Description: This update for elemental-operator, elemental-operator-crds-helm, elemental-operator-helm, operator-image contains the following fixes: - Update to version 1.4.3: * registration: allow dots in machineInventory names * registration: decouple replacing data-labels from sanitizing strings * registration: move sanitize code in sanitizeString() * V1.4.x fix channel synchronization (#683) * linter: fix copyright dates * Make linter happy ----------------------------------------- Patch: SUSE-2024-1287 Released: Mon Apr 15 15:03:40 2024 Summary: Security update for vim Severity: important References: 1215005,1217316,1217320,1217321,1217324,1217326,1217329,1217330,1217432,1219581,CVE-2023-4750,CVE-2023-48231,CVE-2023-48232,CVE-2023-48233,CVE-2023-48234,CVE-2023-48235,CVE-2023-48236,CVE-2023-48237,CVE-2023-48706,CVE-2024-22667 Description: This update for vim fixes the following issues: Updated to version 9.1.0111, fixes the following security problems - CVE-2023-48231: Use-After-Free in win_close() (bsc#1217316). - CVE-2023-48232: Floating point Exception in adjust_plines_for_skipcol() (bsc#1217320). - CVE-2023-48233: overflow with count for :s command (bsc#1217321). - CVE-2023-48234: overflow in nv_z_get_count (bsc#1217324). - CVE-2023-48235: overflow in ex address parsing (CVE-2023-48235). - CVE-2023-48236: overflow in get_number (bsc#1217329). - CVE-2023-48237: overflow in shift_line (bsc#1217330). - CVE-2023-48706: heap-use-after-free in ex_substitute (bsc#1217432). - CVE-2024-22667: stack-based buffer overflow in did_set_langmap function in map.c (bsc#1219581). - CVE-2023-4750: Heap use-after-free in function bt_quickfix (bsc#1215005). ----------------------------------------- Patch: SUSE-2024-1342 Released: Thu Apr 18 16:35:49 2024 Summary: Recommended update for unixODBC, libtool and libssh2_org Severity: moderate References: 1221622,1221941 Description: This update for unixODBC, libtool and libssh2_org fixes the following issue: - Ship 2 additional 32bit packages: unixODBC-32bit and libssh2-1-32bit for SLES (bsc#1221941). - Fix an issue with Encrypt-then-MAC family. (bsc#1221622) ----------------------------------------- Patch: SUSE-2024-1366 Released: Mon Apr 22 11:04:32 2024 Summary: Recommended update for openssh Severity: moderate References: 1216474,1218871,1221123,1222831 Description: This update for openssh fixes the following issues: - Fix hostbased ssh login failing occasionally with 'signature unverified: incorrect signature' by fixing a typo in patch (bsc#1221123) - Avoid closing IBM Z crypto devices nodes. (bsc#1218871) - Allow usage of IBM Z crypto adapter cards in seccomp filters (bsc#1216474) - Change the default value of UpdateHostKeys to Yes (unless VerifyHostKeyDNS is enabled). This makes ssh update the known_hosts stored keys with all published versions by the server (after it's authenticated with an existing key), which will allow to identify the server with a different key if the existing key is considered insecure at some point in the future (bsc#1222831). ----------------------------------------- Patch: SUSE-2024-1375 Released: Mon Apr 22 14:56:13 2024 Summary: Security update for glibc Severity: important References: 1222992,CVE-2024-2961 Description: This update for glibc fixes the following issues: - iconv: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence (CVE-2024-2961, bsc#1222992) ----------------------------------------- Patch: SUSE-2024-1376 Released: Mon Apr 22 16:13:38 2024 Summary: Security update for polkit Severity: low References: 1209282 Description: This update for polkit fixes the following issues: - Change permissions for rules folders (bsc#1209282) ----------------------------------------- Patch: SUSE-2024-1398 Released: Tue Apr 23 13:58:22 2024 Summary: Recommended update for systemd-default-settings Severity: moderate References: Description: This update for systemd-default-settings fixes the following issues: - Disable pids controller limit under user instances (jsc#SLE-10123) - Disable controllers by default (jsc#PED-2276) - The usage of drop-ins is now the official way for configuring systemd and its various daemons on Factory/ALP, hence the early drop-ins SUSE specific 'feature' has been abandoned. - User priority '26' for SLE-Micro - Convert more drop-ins into early ones ----------------------------------------- Patch: SUSE-2024-1458 Released: Mon Apr 29 07:47:34 2024 Summary: Recommended update for vim Severity: moderate References: 1220763 Description: This update for vim fixes the following issues: - Fix segmentation fault after updating to version 9.1.0111-150500.20.9.1 (bsc#1220763) ----------------------------------------- Patch: SUSE-2024-1487 Released: Thu May 2 10:43:53 2024 Summary: Recommended update for aaa_base Severity: moderate References: 1211721,1221361,1221407,1222547 Description: This update for aaa_base fixes the following issues: - home and end button not working from ssh client (bsc#1221407) - use autosetup in prep stage of specfile - drop the stderr redirection for csh (bsc#1221361) - drop sysctl.d/50-default-s390.conf (bsc#1211721) - make sure the script does not exit with 1 if a file with content is found (bsc#1222547) ----------------------------------------- Patch: SUSE-2024-1557 Released: Wed May 8 11:42:34 2024 Summary: Security update for rpm Severity: moderate References: 1189495,1191175,1218686,CVE-2021-3521 Description: This update for rpm fixes the following issues: Security fixes: - CVE-2021-3521: Fixed missing subkey binding signature checking (bsc#1191175) Other fixes: - accept more signature subpackets marked as critical (bsc#1218686) - backport limit support for the autopatch macro (bsc#1189495)