----------------------------------------- Version 0 2023-09-05T17:12:36 ----------------------------------------- Patch: SUSE-2018-1277 Released: Thu Jul 5 08:38:06 2018 Summary: Security update for unzip Severity: moderate References: 1080074,910683,914442,CVE-2014-9636,CVE-2018-1000035 Description: This update for unzip fixes the following issues: - CVE-2014-9636: Prevent denial of service (out-of-bounds read or write and crash) via an extra field with an uncompressed size smaller than the compressed field size in a zip archive that advertises STORED method compression (bsc#914442) - CVE-2018-1000035: Prevent heap-based buffer overflow in the processing of password-protected archives that allowed an attacker to perform a denial of service or to possibly achieve code execution (bsc#1080074) This non-security issue was fixed: +- Allow processing of Windows zip64 archives (Windows archivers set total_disks field to 0 but per standard, valid values are 1 and higher) (bnc#910683) ----------------------------------------- Patch: SUSE-2018-1279 Released: Thu Jul 5 08:41:25 2018 Summary: Security update for tiff Severity: moderate References: 1074317,1082332,1082825,1086408,1092949,CVE-2017-11613,CVE-2017-18013,CVE-2018-10963,CVE-2018-7456,CVE-2018-8905 Description: This update for tiff fixes the following security issues: These security issues were fixed: - CVE-2017-18013: Fixed a NULL pointer dereference in the tif_print.cTIFFPrintDirectory function that could have lead to denial of service (bsc#1074317). - CVE-2018-10963: Fixed an assertion failure in the TIFFWriteDirectorySec() function in tif_dirwrite.c, which allowed remote attackers to cause a denial of service via a crafted file (bsc#1092949). - CVE-2018-7456: Prevent a NULL Pointer dereference in the function TIFFPrintDirectory when using the tiffinfo tool to print crafted TIFF information, a different vulnerability than CVE-2017-18013 (bsc#1082825). - CVE-2017-11613: Prevent denial of service in the TIFFOpen function. During the TIFFOpen process, td_imagelength is not checked. The value of td_imagelength can be directly controlled by an input file. In the ChopUpSingleUncompressedStrip function, the _TIFFCheckMalloc function is called based on td_imagelength. If the value of td_imagelength is set close to the amount of system memory, it will hang the system or trigger the OOM killer (bsc#1082332). - CVE-2018-8905: Prevent heap-based buffer overflow in the function LZWDecodeCompat via a crafted TIFF file (bsc#1086408). ----------------------------------------- Patch: SUSE-2018-1280 Released: Thu Jul 5 08:43:02 2018 Summary: Security update for exiv2 Severity: moderate References: 1048883,1050257,1051188,1054590,1054592,1054593,1060995,1060996,1061000,1061023,CVE-2017-11337,CVE-2017-11338,CVE-2017-11339,CVE-2017-11340,CVE-2017-11553,CVE-2017-11591,CVE-2017-11592,CVE-2017-11683,CVE-2017-12955,CVE-2017-12956,CVE-2017-12957,CVE-2017-14859,CVE-2017-14860,CVE-2017-14862,CVE-2017-14864 Description: This update for exiv2 to 0.26 fixes the following security issues: - CVE-2017-14864: Prevent invalid memory address dereference in Exiv2::getULong that could have caused a segmentation fault and application crash, which leads to denial of service (bsc#1060995). - CVE-2017-14862: Prevent invalid memory address dereference in Exiv2::DataValue::read that could have caused a segmentation fault and application crash, which leads to denial of service (bsc#1060996). - CVE-2017-14859: Prevent invalid memory address dereference in Exiv2::StringValueBase::read that could have caused a segmentation fault and application crash, which leads to denial of service (bsc#1061000). - CVE-2017-14860: Prevent heap-based buffer over-read in the Exiv2::Jp2Image::readMetadata function via a crafted input that could have lead to a denial of service attack (bsc#1061023). - CVE-2017-11337: Prevent invalid free in the Action::TaskFactory::cleanup function via a crafted input that could have lead to a remote denial of service attack (bsc#1048883). - CVE-2017-11338: Prevent infinite loop in the Exiv2::Image::printIFDStructure function via a crafted input that could have lead to a remote denial of service attack (bsc#1048883). - CVE-2017-11339: Prevent heap-based buffer overflow in the Image::printIFDStructure function via a crafted input that could have lead to a remote denial of service attack (bsc#1048883). - CVE-2017-11340: Prevent Segmentation fault in the XmpParser::terminate() function via a crafted input that could have lead to a remote denial of service attack (bsc#1048883). - CVE-2017-12955: Prevent heap-based buffer overflow. The vulnerability caused an out-of-bounds write in Exiv2::Image::printIFDStructure(), which may lead to remote denial of service or possibly unspecified other impact (bsc#1054593). - CVE-2017-12956: Preventn illegal address access in Exiv2::FileIo::path[abi:cxx11]() that could have lead to remote denial of service (bsc#1054592). - CVE-2017-12957: Prevent heap-based buffer over-read that was triggered in the Exiv2::Image::io function and could have lead to remote denial of service (bsc#1054590). - CVE-2017-11683: Prevent reachable assertion in the Internal::TiffReader::visitDirectory function that could have lead to a remote denial of service attack via crafted input (bsc#1051188). - CVE-2017-11591: Prevent Floating point exception in the Exiv2::ValueType function that could have lead to a remote denial of service attack via crafted input (bsc#1050257). - CVE-2017-11553: Prevent illegal address access in the extend_alias_table function via a crafted input could have lead to remote denial of service. - CVE-2017-11592: Prevent mismatched Memory Management Routines vulnerability in the Exiv2::FileIo::seek function that could have lead to a remote denial of service attack (heap memory corruption) via crafted input. ----------------------------------------- Patch: SUSE-2018-1281 Released: Thu Jul 5 08:44:42 2018 Summary: Security update for ghostscript Severity: moderate References: 1090099,CVE-2018-10194 Description: This update for ghostscript fixes the following issues: - CVE-2018-10194: The set_text_distance function did not prevent overflows in text-positioning calculation, which allowed remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted PDF document (bsc#1090099). ----------------------------------------- Patch: SUSE-2018-1282 Released: Thu Jul 5 08:46:19 2018 Summary: Security update for libvorbis Severity: moderate References: 1091070,CVE-2018-10392 Description: This update for libvorbis fixes the following issues: The following security issue was fixed: - Fixed the validation of channels in mapping0_forward(), which previously allowed remote attackers to cause a denial of service via specially crafted files (CVE-2018-10392, bsc#1091070) ----------------------------------------- Patch: SUSE-2018-1292 Released: Mon Jul 9 11:57:14 2018 Summary: Security update for openslp Severity: important References: 1090638,CVE-2017-17833 Description: This update for openslp fixes the following issues: - CVE-2017-17833: Prevent heap-related memory corruption issue which may have manifested itself as a denial-of-service or a remote code-execution vulnerability (bsc#1090638) - Prevent out of bounds reads in message parsing ----------------------------------------- Patch: SUSE-2018-1307 Released: Wed Jul 11 17:25:54 2018 Summary: Recommended update for google-compute-engine Severity: moderate References: 1097378 Description: This update for google-compute-engine fixes the following issues: - Ensure that google-ip-forwarding-daemon service and google-network-setup are stopped and disabled during upgrade. - Ensure that google-network-daemon service is enabled and started during upgrade. - Set run_dir to /var/run. (bsc#1097378, #1097616) ----------------------------------------- Patch: SUSE-2018-1319 Released: Thu Jul 12 11:04:25 2018 Summary: Security update for java-1_8_0-openjdk Severity: important References: 1087066,1090023,1090024,1090025,1090026,1090027,1090028,1090029,1090030,1090032,1090033,CVE-2018-2790,CVE-2018-2794,CVE-2018-2795,CVE-2018-2796,CVE-2018-2797,CVE-2018-2798,CVE-2018-2799,CVE-2018-2800,CVE-2018-2814,CVE-2018-2815 Description: This update for java-1_8_0-openjdk to version 8u171 fixes the following issues: These security issues were fixed: - S8180881: Better packaging of deserialization - S8182362: Update CipherOutputStream Usage - S8183032: Upgrade to LittleCMS 2.9 - S8189123: More consistent classloading - S8189969, CVE-2018-2790, bsc#1090023: Manifest better manifest entries - S8189977, CVE-2018-2795, bsc#1090025: Improve permission portability - S8189981, CVE-2018-2796, bsc#1090026: Improve queuing portability - S8189985, CVE-2018-2797, bsc#1090027: Improve tabular data portability - S8189989, CVE-2018-2798, bsc#1090028: Improve container portability - S8189993, CVE-2018-2799, bsc#1090029: Improve document portability - S8189997, CVE-2018-2794, bsc#1090024: Enhance keystore mechanisms - S8190478: Improved interface method selection - S8190877: Better handling of abstract classes - S8191696: Better mouse positioning - S8192025, CVE-2018-2814, bsc#1090032: Less referential references - S8192030: Better MTSchema support - S8192757, CVE-2018-2815, bsc#1090033: Improve stub classes implementation - S8193409: Improve AES supporting classes - S8193414: Improvements in MethodType lookups - S8193833, CVE-2018-2800, bsc#1090030: Better RMI connection support For other changes please consult the changelog. ----------------------------------------- Patch: SUSE-2018-1323 Released: Fri Jul 13 09:26:19 2018 Summary: Security update for libopenmpt Severity: moderate References: 1089080,1095644,CVE-2018-10017,CVE-2018-11710 Description: This update for libopenmpt to version 0.3.9 fixes the following issues: These security issues were fixed: - CVE-2018-11710: Prevent write near address 0 in out-of-memory situations when reading AMS files (bsc#1095644) - CVE-2018-10017: Preven out-of-bounds memory read with IT/ITP/MO3 files containing pattern loops (bsc#1089080) These non-security issues were fixed: - [Bug] openmpt123: Fixed build failure in C++17 due to use of removed feature std::random_shuffle. - STM: Having both Bxx and Cxx commands in a pattern imported the Bxx command incorrectly. - STM: Last character of sample name was missing. - Speed up reading of truncated ULT files. - ULT: Portamento import was sometimes broken. - The resonant filter was sometimes unstable when combining low-volume samples, low cutoff and high mixing rates. - Keep track of active SFx macro during seeking. - The 'note cut' duplicate note action did not volume-ramp the previously playing sample. - A song starting with non-existing patterns could not be played. - DSM: Support restart position and 16-bit samples. - DTM: Import global volume. ----------------------------------------- Patch: SUSE-2018-1332 Released: Tue Jul 17 09:01:19 2018 Summary: Recommended update for timezone Severity: moderate References: 1073299,1093392 Description: This update for timezone provides the following fixes: - North Korea switches back from +0830 to +09 on 2018-05-05. - Ireland's standard time is in the summer, with negative DST offset to standard time used in Winter. (bsc#1073299) - yast2-country is no longer setting TIMEZONE in /etc/sysconfig/clock and is calling systemd timedatectl instead. Do not set /etc/localtime on timezone package updates to avoid setting an incorrect timezone. (bsc#1093392) ----------------------------------------- Patch: SUSE-2018-1335 Released: Tue Jul 17 10:13:39 2018 Summary: Recommended update for cloud-netconfig Severity: moderate References: 1095485 Description: This update for cloud-netconfig fixes the following issues: - Make interface names in Azure persistent. (bsc#1095485) ----------------------------------------- Patch: SUSE-2018-1348 Released: Thu Jul 19 09:32:11 2018 Summary: Security update for wireshark Severity: moderate References: 1094301,CVE-2018-11356,CVE-2018-11357,CVE-2018-11358,CVE-2018-11359,CVE-2018-11360,CVE-2018-11362 Description: This update for wireshark fixes vulnerabilities that could be used to trigger dissector crashes or cause dissectors to go into large infinite loops by making Wireshark read specially crafted packages from the network or capture files (bsc#1094301). This includes: - CVE-2018-11356: DNS dissector crash - CVE-2018-11357: Multiple dissectors could consume excessive memory - CVE-2018-11358: Q.931 dissector crash - CVE-2018-11359: The RRC dissector and other dissectors could crash - CVE-2018-11360: GSM A DTAP dissector crash - CVE-2018-11362: LDSS dissector crash ----------------------------------------- Patch: SUSE-2018-1349 Released: Thu Jul 19 09:35:42 2018 Summary: Security update for rubygem-sprockets Severity: moderate References: 1098369,CVE-2018-3760 Description: This update for rubygem-sprockets fixes the following issues: The following security vulnerability was addressed: - CVE-2018-3760: Fixed a path traversal issue in sprockets/server.rb:forbidden_request?(), which allowed remote attackers to read arbitrary files (bsc#1098369) ----------------------------------------- Patch: SUSE-2018-1371 Released: Mon Jul 23 10:37:01 2018 Summary: Security update for openssl-1_1 Severity: moderate References: 1097158,1097624,1098592,CVE-2018-0732 Description: This update for openssl-1_1 fixes the following issues: - CVE-2018-0732: During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server could have sent a very large prime value to the client. This caused the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack (bsc#1097158). - Blinding enhancements for ECDSA and DSA (bsc#1097624, bsc#1098592) ----------------------------------------- Patch: SUSE-2018-1398 Released: Thu Jul 26 16:27:58 2018 Summary: Security update for java-1_8_0-ibm Severity: important References: 1085449,1093311,CVE-2018-1417,CVE-2018-2783,CVE-2018-2790,CVE-2018-2794,CVE-2018-2795,CVE-2018-2796,CVE-2018-2797,CVE-2018-2798,CVE-2018-2799,CVE-2018-2800,CVE-2018-2814,CVE-2018-2825,CVE-2018-2826 Description: IBM Java was updated to version 8.0.5.15 [bsc#1093311, bsc#1085449] Security fixes: - CVE-2018-2826 CVE-2018-2825 CVE-2018-2814 CVE-2018-2794 CVE-2018-2783 CVE-2018-2799 CVE-2018-2798 CVE-2018-2797 CVE-2018-2796 CVE-2018-2795 CVE-2018-2800 CVE-2018-2790 CVE-2018-1417 - Removed translations in the java-1_8_0-ibm-devel-32bit package as they conflict with those in java-1_8_0-ibm-devel. ----------------------------------------- Patch: SUSE-2018-1404 Released: Thu Jul 26 16:41:42 2018 Summary: Security update for libsndfile Severity: moderate References: 1071767,1071777,1100167,CVE-2017-17456,CVE-2017-17457,CVE-2018-13139 Description: This update for libsndfile fixes the following issues: Security issues fixed: - CVE-2018-13139: Fix a stack-based buffer overflow in psf_memset in common.c that allows remote attackers to cause a denial of service (bsc#1100167). - CVE-2017-17456: Prevent segmentation fault in the function d2alaw_array() that may have lead to a remote DoS (bsc#1071777) - CVE-2017-17457: Prevent segmentation fault in the function d2ulaw_array() that may have lead to a remote DoS, a different vulnerability than CVE-2017-14246 (bsc#1071767) ----------------------------------------- Patch: SUSE-2018-1411 Released: Fri Jul 27 06:48:11 2018 Summary: Recommended update for SAPHanaSR-ScaleOut Severity: moderate References: 1091988,1092331 Description: This update for SAPHanaSR-ScaleOut provides the following fixes: - Fix a problem that was causing SAPHanaSR-showAttr to fail opening an archived cib file. (bsc#1092331) - Make sure SAPHanaSR-monitor depends only on packages available in SLES. (bsc#1091988) - Move SAPHanaSR-showAttr, SAPHanaSR-monitor to /usr/sbin to match the file layout in SAPHanaSR-ScaleUp. ----------------------------------------- Patch: SUSE-2018-1416 Released: Fri Jul 27 12:47:55 2018 Summary: Security update for mutt Severity: important References: 1094717,1101428,1101566,1101567,1101568,1101569,1101570,1101571,1101573,1101576,1101577,1101578,1101581,1101582,1101583,1101588,1101589,CVE-2014-9116,CVE-2018-14349,CVE-2018-14350,CVE-2018-14351,CVE-2018-14352,CVE-2018-14353,CVE-2018-14354,CVE-2018-14355,CVE-2018-14356,CVE-2018-14357,CVE-2018-14358,CVE-2018-14359,CVE-2018-14360,CVE-2018-14361,CVE-2018-14362,CVE-2018-14363 Description: This update for mutt fixes the following issues: Security issues fixed: - bsc#1101428: Mutt 1.10.1 security release update. - CVE-2018-14351: Fix imap/command.c that mishandles long IMAP status mailbox literal count size (bsc#1101583). - CVE-2018-14353: Fix imap_quote_string in imap/util.c that has an integer underflow (bsc#1101581). - CVE-2018-14362: Fix pop.c that does not forbid characters that may have unsafe interaction with message-cache pathnames (bsc#1101567). - CVE-2018-14354: Fix arbitrary command execution from remote IMAP servers via backquote characters (bsc#1101578). - CVE-2018-14352: Fix imap_quote_string in imap/util.c that does not leave room for quote characters (bsc#1101582). - CVE-2018-14356: Fix pop.c that mishandles a zero-length UID (bsc#1101576). - CVE-2018-14355: Fix imap/util.c that mishandles '..' directory traversal in a mailbox name (bsc#1101577). - CVE-2018-14349: Fix imap/command.c that mishandles a NO response without a message (bsc#1101589). - CVE-2018-14350: Fix imap/message.c that has a stack-based buffer overflow for a FETCH response with along INTERNALDATE field (bsc#1101588). - CVE-2018-14363: Fix newsrc.c that does not properlyrestrict '/' characters that may have unsafe interaction with cache pathnames (bsc#1101566). - CVE-2018-14359: Fix buffer overflow via base64 data (bsc#1101570). - CVE-2018-14358: Fix imap/message.c that has a stack-based buffer overflow for a FETCH response with along RFC822.SIZE field (bsc#1101571). - CVE-2018-14360: Fix nntp_add_group in newsrc.c that has a stack-based buffer overflow because of incorrect sscanf usage (bsc#1101569). - CVE-2018-14357: Fix that remote IMAP servers are allowed to execute arbitrary commands via backquote characters (bsc#1101573). - CVE-2018-14361: Fix that nntp.c proceeds even if memory allocation fails for messages data (bsc#1101568). Bug fixes: - mutt reports as neomutt and incorrect version (bsc#1094717) ----------------------------------------- Patch: SUSE-2018-1458 Released: Tue Jul 31 12:48:18 2018 Summary: Recommended update for lapack Severity: moderate References: 1087426 Description: This update for lapack fixes the following issues: - Build tmglib and fold contents into existing liblapack{.a,.so.3}. (bsc#1087426) ----------------------------------------- Patch: SUSE-2018-1462 Released: Tue Jul 31 14:04:41 2018 Summary: Security update for java-11-openjdk Severity: moderate References: 1101645,1101651,1101655,1101656,CVE-2018-2940,CVE-2018-2952,CVE-2018-2972,CVE-2018-2973 Description: This java-11-openjdk update to version jdk-11+24 fixes the following issues: Security issues fixed: - CVE-2018-2940: Fix unspecified vulnerability in subcomponent Libraries (bsc#1101645). - CVE-2018-2952: Fix unspecified vulnerability in subcomponent Concurrency (bsc#1101651). - CVE-2018-2972: Fix unspecified vulnerability in subcomponent Security (bsc#1101655). - CVE-2018-2973: Fix unspecified vulnerability in subcomponent JSSE (bsc#1101656). ----------------------------------------- Patch: SUSE-2018-1476 Released: Thu Aug 2 14:20:03 2018 Summary: Security update for cups Severity: moderate References: 1096405,1096406,1096407,1096408,CVE-2018-4180,CVE-2018-4181,CVE-2018-4182,CVE-2018-4183 Description: This update for cups fixes the following issues: The following security vulnerabilities were fixed: - Fixed a local privilege escalation to root and sandbox bypasses in the scheduler - CVE-2018-4180: Fixed a local privilege escalation to root in dnssd backend (bsc#1096405) - CVE-2018-4181: Limited local file reads as root via cupsd.conf include directive (bsc#1096406) - CVE-2018-4182: Fixed a sandbox bypass due to insecure error handling (bsc#1096407) - CVE-2018-4183: Fixed a sandbox bypass due to profile misconfiguration (bsc#1096408) ----------------------------------------- Patch: SUSE-2018-1509 Released: Tue Aug 7 09:39:07 2018 Summary: Security update for clamav Severity: moderate References: 1101410,1101412,1101654,1103040,CVE-2018-0360,CVE-2018-0361 Description: This update for clamav to version 0.100.1 fixes the following issues: The following security vulnerabilities were addressed: - CVE-2018-0360: HWP integer overflow, infinite loop vulnerability (bsc#1101410) - CVE-2018-0361: PDF object length check, unreasonably long time to parse relatively small file (bsc#1101412) - Buffer over-read in unRAR code due to missing max value checks in table initialization - Libmspack heap buffer over-read in CHM parser (bsc#1103040) - PDF parser bugs The following other changes were made: - Disable YARA support for licensing reasons (bsc#1101654). - Add HTTPS support for clamsubmit - Fix for DNS resolution for users on IPv4-only machines where IPv6 is not available or is link-local only ----------------------------------------- Patch: SUSE-2018-1512 Released: Tue Aug 7 12:48:02 2018 Summary: Security update for libcdio Severity: low References: 1082821,1082877,CVE-2017-18199,CVE-2017-18201 Description: This update for libcdio fixes the following issues: The following security vulnerabilities were addressed: - CVE-2017-18199: Fixed a NULL pointer dereference in realloc_symlink in rock.c (bsc#1082821) - CVE-2017-18201: Fixed a double free vulnerability in get_cdtext_generic() in _cdio_generic.c (bsc#1082877) - Fixed several memory leaks (bsc#1082821) ----------------------------------------- Patch: SUSE-2018-1514 Released: Tue Aug 7 18:05:04 2018 Summary: Security update for enigmail Severity: moderate References: 1094781,1096745,1097525,CVE-2018-12019,CVE-2018-12020 Description: This update for enigmail to 2.0.7 fixes the following issues: These security issues were fixed: - CVE-2018-12020: Mitigation against GnuPG signature spoofing: Email signatures could be spoofed via an embedded '--filename' parameter in OpenPGP literal data packets. This update prevents this issue from being exploited if GnuPG was not updated (boo#1096745) - CVE-2018-12019: The signature verification routine interpreted User IDs as status/control messages and did not correctly keep track of the status of multiple signatures. This allowed remote attackers to spoof arbitrary email signatures via public keys containing crafted primary user ids (boo#1097525) - Disallow plaintext (literal packets) outside of encrpyted packets - Replies to a partially encrypted message may have revealed protected information - no longer display PGP/MIME message part followed by unencrypted data (bsc#1094781) - Fix signature Spoofing via Inline-PGP in HTML Mails These non-security issues were fixed: - Fix filter actions forgetting selected mail folder names - Fix compatibility issue with Thunderbird 60b7 ----------------------------------------- Patch: SUSE-2018-1539 Released: Fri Aug 10 11:39:36 2018 Summary: Security update for wireshark Severity: moderate References: 1101776,1101777,1101786,1101788,1101791,1101794,1101800,1101802,1101804,1101810,CVE-2018-14339,CVE-2018-14340,CVE-2018-14341,CVE-2018-14342,CVE-2018-14343,CVE-2018-14344,CVE-2018-14367,CVE-2018-14368,CVE-2018-14369,CVE-2018-14370 Description: This update for wireshark fixes the following issues: Security issues fixed: - CVE-2018-14342: BGP dissector large loop (wnpa-sec-2018-34, bsc#1101777) - CVE-2018-14344: ISMP dissector crash (wnpa-sec-2018-35, bsc#1101788) - CVE-2018-14340: Multiple dissectors could crash (wnpa-sec-2018-36, bsc#1101804) - CVE-2018-14343: ASN.1 BER dissector crash (wnpa-sec-2018-37, bsc#1101786) - CVE-2018-14339: MMSE dissector infinite loop (wnpa-sec-2018-38, bsc#1101810) - CVE-2018-14341: DICOM dissector crash (wnpa-sec-2018-39, bsc#1101776) - CVE-2018-14368: Bazaar dissector infinite loop (wnpa-sec-2018-40, bsc#1101794) - CVE-2018-14369: HTTP2 dissector crash (wnpa-sec-2018-41, bsc#1101800) - CVE-2018-14367: CoAP dissector crash (wnpa-sec-2018-42, bsc#1101791) - CVE-2018-14370: IEEE 802.11 dissector crash (wnpa-sec-2018-43, bsc#1101802) Bug fixes: - Further bug fixes and updated protocol support as listed in: https://www.wireshark.org/docs/relnotes/wireshark-2.4.8.html ----------------------------------------- Patch: SUSE-2018-1642 Released: Thu Aug 16 16:55:54 2018 Summary: Security update for perl-Archive-Zip Severity: moderate References: 1099497,CVE-2018-10860 Description: This update for perl-Archive-Zip fixes the following security issue: - CVE-2018-10860: Prevent directory traversal caused by not properly sanitizing paths while extracting zip files. An attacker able to provide a specially crafted archive for processing could have used this flaw to write or overwrite arbitrary files in the context of the perl interpreter (bsc#1099497) ----------------------------------------- Patch: SUSE-2018-1705 Released: Mon Aug 20 16:31:22 2018 Summary: Recommended update for quota Severity: important References: 1104898 Description: This update for quota fixes the following issues: - Fix issue with high cpu load if RQUOTAD_PORT is set in /etc/sysconfig/nfs. (bsc#1104898) ----------------------------------------- Patch: SUSE-2018-1756 Released: Fri Aug 24 17:12:55 2018 Summary: Recommended update for growpart Severity: moderate References: 1097455,1098681 Description: This update for growpart provides the following fix: - Support btrfs resize and handle ro setup in rootgrow. (bsc#1097455, bsc#1098681) ----------------------------------------- Patch: SUSE-2018-1782 Released: Tue Aug 28 18:20:02 2018 Summary: Recommended update for SAPHanaSR Severity: moderate References: 1062267,1091074 Description: This update for SAPHanaSR provides the following fixes: - Remove show_SAPHanaSR_attributes. The user is advised to use SAPHanaSR-showAttr instead. (bsc#1091074) - Adjust HAWK2 Wizards to run on both Python 2 and 3. (fate#323526) - SAPHanaSR wizard sets IPAddr2 agent's NIC to eth0. (bsc#1062267) ----------------------------------------- Patch: SUSE-2018-1804 Released: Fri Aug 31 13:02:24 2018 Summary: Recommended update for docker Severity: moderate References: 1065609,1073877,1099277,1100727 Description: This update for docker fixes the following issues: - Build the client binary with -buildmode=pie to fix issues on POWER. (bsc#1100727) - Fix an issue where changed AppArmor profiles don't actually get applied on Docker daemon reboot. (bsc#1099277) - Update to AppArmor patch so that signal mediation also works for signals between in-container processes. (bsc#1073877) - Do not log incorrect warnings when attempting to inject non-existent host files. (bsc#1065609) ----------------------------------------- Patch: SUSE-2018-1853 Released: Thu Sep 6 19:41:23 2018 Summary: Security update for enigmail Severity: moderate References: 1104036 Description: This update for enigmail to 2.0.8 fixes the following issues: The enigmail 2.0.8 release addresses a security issue and solves a few regression bugs. * A security issue has been fixed that allows an attacker to prepare a plain, unauthenticated HTML message in a way that it looks like it's signed and/or encrypted (boo#1104036) ----------------------------------------- Patch: SUSE-2018-1861 Released: Mon Sep 10 11:38:53 2018 Summary: Recommended update for firewalld and susefirewall2-to-firewalld Severity: moderate References: 1096542,1098986,1099698,1105157,1105170 Description: This update for firewalld and susefirewall2-to-firewalld fixes the following issues: firewalld: - Drop global read permissions from the log file (bsc#1098986) - Add missing ipv6-icmp protocol to UI drop-down list (bsc#1099698) - Fix some untranslated strings in the creation of rich rules and firewall-config. (bsc#1096542) - fw: If failure occurs during startup set state to FAILED. - fw_direct: Avoid log for untracked passthrough queries. - Rich Rule Masquerade inverted source-destination in Forward Chain. - Don't forward interface to zone requests to NM for generated interfaces. - firewall-cmd, firewall-offline-cmd: Add --check-config option. - ipset: Check type when parsing ipset definition. - firewall-config: Add ipv6-icmp to the protocol dropdown box. - core/logger: Remove world-readable bit from logfile. - IPv6 rpfilter: Explicitly allow neighbor solicitation. susefirewall2-to-firewalld: - Do not try to handle unknown iptables chains. - Handle source whitelisting. (bsc#1105157) ----------------------------------------- Patch: SUSE-2018-1897 Released: Thu Sep 13 15:18:20 2018 Summary: Recommended update for python3-gcemetadata Severity: moderate References: 1097505 Description: This update for python3-gcemetadata fixes the following issues: - Support instances with multiple Nics. (bsc#1097505) ----------------------------------------- Patch: SUSE-2018-1901 Released: Fri Sep 14 12:38:11 2018 Summary: Recommended update for vncmanager Severity: moderate References: 1103552 Description: This update for vncmanager fixes the following issues: - Declare the service as part of xvnc.target so it can be used as dependency for xvnc-novnc.service. (bsc#1103552) ----------------------------------------- Patch: SUSE-2018-1911 Released: Mon Sep 17 14:36:44 2018 Summary: Recommended update for python3-susepubliccloudinfo Severity: moderate References: 1103684 Description: This update for python3-susepubliccloudinfo fixes the following issues: - Avoid traceback on improper query options. (bsc#1103684) ----------------------------------------- Patch: SUSE-2018-1962 Released: Fri Sep 21 13:48:37 2018 Summary: Recommended update for icewm Severity: important References: 1096917 Description: This update for icewm fixes the following issues: - Renamed icewm-session.desktop to icewm.desktop to fix a upgrade issue (bsc#1096917). ----------------------------------------- Patch: SUSE-2018-1978 Released: Mon Sep 24 10:37:23 2018 Summary: Recommended update for myspell-dictionaries Severity: low References: 1099508,1102294 Description: This update brings myspell-dictionaries to version 20180704, providing the following fixes: - Indonesian spelling dictionary, thesaurus and hyphenation added. - English updates. - Croatian updates. - Bulgarian files converted to UTF8 in order to avoid bugs. (bsc#1102294, bsc#1099508) - Other smaller updates. ----------------------------------------- Patch: SUSE-2018-1998 Released: Tue Sep 25 08:19:41 2018 Summary: Recommended update for wireless-regdb Severity: moderate References: 1095397,1106528 Description: This update for wireless-regdb fixes the following issues: - Fix power limit in 5725-5785 GHz rule for France. - Updated regulatory database for France and Panama. - Fixes in python3 scripts. ----------------------------------------- Patch: SUSE-2018-1999 Released: Tue Sep 25 08:20:35 2018 Summary: Recommended update for zlib Severity: moderate References: 1071321 Description: This update for zlib provides the following fixes: - Speedup zlib on power8. (fate#325307) - Add safeguard against negative values in uInt. (bsc#1071321) ----------------------------------------- Patch: SUSE-2018-2022 Released: Wed Sep 26 09:48:09 2018 Summary: Recommended update for SUSE Manager Client Tools Severity: moderate References: 1103388,1104120,1106523 Description: This update fixes the following issues: hwdata: - Update to version 0.314: + Updated pci, usb and vendor ids. spacewalk-backend: - Channels to be actually un-subscribed from the assigned systems when being removed using spacewalk-remove-channel tool. (bsc#1104120) - Take only text files from /srv/salt to make spacewalk-debug smaller. (bsc#1103388) ----------------------------------------- Patch: SUSE-2018-2044 Released: Wed Sep 26 15:12:18 2018 Summary: Recommended update for firewalld-rpcbind-helper Severity: moderate References: 1096064 Description: This update for firewalld-rpcbind-helper fixes the following issues: - Fix error when running in python3 context, because of a missing decode() call. (bsc#1096064) - Don't raise Exceptions when one of the target sysconfig files isn't installed. (bsc#1096064) ----------------------------------------- Patch: SUSE-2018-2052 Released: Thu Sep 27 12:03:08 2018 Summary: Security update for wireshark Severity: moderate References: 1106514,CVE-2018-16056,CVE-2018-16057,CVE-2018-16058 Description: This update for wireshark to version 2.4.9 fixes the following issues: Security issues fixed (bsc#1106514): - CVE-2018-16058: Bluetooth AVDTP dissector crash (wnpa-sec-2018-44) - CVE-2018-16056: Bluetooth Attribute Protocol dissector crash (wnpa-sec-2018-45) - CVE-2018-16057: Radiotap dissector crash (wnpa-sec-2018-46) Further bug fixes and updated protocol support as listed in: https://www.wireshark.org/docs/relnotes/wireshark-2.4.9.html ----------------------------------------- Patch: SUSE-2018-2054 Released: Thu Sep 27 12:04:23 2018 Summary: Security update for mgetty Severity: important References: 1108752,1108756,1108757,1108761,1108762,CVE-2018-16741,CVE-2018-16742,CVE-2018-16743,CVE-2018-16744,CVE-2018-16745 Description: This update for mgetty fixes the following issues: - CVE-2018-16741: The function do_activate() did not properly sanitize shell metacharacters to prevent command injection (bsc#1108752). - CVE-2018-16745: The mail_to parameter was not sanitized, leading to a buffer overflow if long untrusted input reached it (bsc#1108756). - CVE-2018-16744: The mail_to parameter was not sanitized, leading to command injection if untrusted input reached reach it (bsc#1108757). - CVE-2018-16742: Prevent stack-based buffer overflow that could have been triggered via a command-line parameter (bsc#1108762). - CVE-2018-16743: The command-line parameter username wsa passed unsanitized to strcpy(), which could have caused a stack-based buffer overflow (bsc#1108761). ----------------------------------------- Patch: SUSE-2018-2060 Released: Thu Sep 27 15:06:52 2018 Summary: Recommended update for SAPHanaSR-ScaleOut Severity: moderate References: 1098979 Description: This update for SAPHanaSR-ScaleOut provides the following fix: - Allow virtual host names in SAPHanaTopology and SAPHanaController to prevent a wrong promotion scoring. (bsc#1098979) ----------------------------------------- Patch: SUSE-2018-2077 Released: Fri Sep 28 14:52:24 2018 Summary: Recommended update for pidentd Severity: important References: 1101107,1101600 Description: This update for pidentd fixes the following issues: - IPv6 support was accidentally dropped when upgrading to 3.0.19. This update reenables IPv6 support. (bsc#1101600) - Drop uname -r of buildhost from binary for reproducible builds (bsc#1101107) ----------------------------------------- Patch: SUSE-2018-2078 Released: Fri Sep 28 14:54:53 2018 Summary: Recommended update for sapconf Severity: moderate References: 1093843,1093844,1096498,1099101 Description: This update for sapconf provides the following fixes: - Sapconf should not change the system settings for kernel.sem, so remove the variables SEM* from it. (bsc#1099101) - Correct the SAP Note references in the man pages and in the sysconfig file of the sapconf package. (bsc#1096498) - Avoid stopping or disabling uuidd.socket in sapconf as it is mandatory for every SAP application running. (bsc#1093843) - Remove hardcoded default value for VSZ_TMPFS_PERCENT. This allows an admin to exclude VSZ_TMPFS settings from the sysconfig file, so the current system value will remain untouched. This value only got used in the previous version, if the variable VSZ_TMPFS_PERCENT was removed from the sapconf configuration file /etc/sysconfig/sapconf. If the value of the variable was only changed (increased or decreased) in the sapconf configuration file everything works fine. (bsc#1093844) - Remove the no longer needed sysconfig file. - Remove the pagecache references from the sysconfig file. ----------------------------------------- Patch: SUSE-2018-2082 Released: Sun Sep 30 14:06:27 2018 Summary: Security update for libX11 Severity: moderate References: 1102062,1102068,1102073,CVE-2018-14598,CVE-2018-14599,CVE-2018-14600 Description: This update for libX11 fixes the following security issues: - CVE-2018-14599: The function XListExtensions was vulnerable to an off-by-one error caused by malicious server responses, leading to DoS or possibly unspecified other impact (bsc#1102062) - CVE-2018-14600: The function XListExtensions interpreted a variable as signed instead of unsigned, resulting in an out-of-bounds write (of up to 128 bytes), leading to DoS or remote code execution (bsc#1102068) - CVE-2018-14598: A malicious server could have sent a reply in which the first string overflows, causing a variable to be set to NULL that will be freed later on, leading to DoS (segmentation fault) (bsc#1102073) ----------------------------------------- Patch: SUSE-2018-2095 Released: Mon Oct 1 16:02:00 2018 Summary: Security update for openssl-1_0_0 Severity: moderate References: 1089039,1097158,1101470,1104789,1106197,CVE-2018-0732,CVE-2018-0737 Description: This update for openssl-1_0_0 to 1.0.2p fixes the following issues: These security issues were fixed: - Prevent One&Done side-channel attack on RSA that allowed physically near attackers to use EM emanations to recover information (bsc#1104789) - CVE-2018-0737: The RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could have recovered the private key (bsc#1089039) - CVE-2018-0732: During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server could have sent a very large prime value to the client. This caused the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack (bsc#1097158) - Make problematic ECDSA sign addition length-invariant - Add blinding to ECDSA and DSA signatures to protect against side channel attacks This non-security issue was fixed: - Add openssl(cli) Provide so the packages that require the openssl binary can require this instead of the new openssl meta package (bsc#1101470) ----------------------------------------- Patch: SUSE-2018-2119 Released: Tue Oct 2 16:31:25 2018 Summary: Security update for ghostscript Severity: important References: 1106171,1106172,1106173,1106195,1107410,1107411,1107412,1107413,1107420,1107421,1107422,1107423,1107426,1107581,1108027,1109105,CVE-2018-15908,CVE-2018-15909,CVE-2018-15910,CVE-2018-15911,CVE-2018-16509,CVE-2018-16510,CVE-2018-16511,CVE-2018-16513,CVE-2018-16539,CVE-2018-16540,CVE-2018-16541,CVE-2018-16542,CVE-2018-16543,CVE-2018-16585,CVE-2018-16802,CVE-2018-17183 Description: This update for ghostscript to version 9.25 fixes the following issues: These security issues were fixed: - CVE-2018-17183: Remote attackers were be able to supply crafted PostScript to potentially overwrite or replace error handlers to inject code (bsc#1109105) - CVE-2018-15909: Prevent type confusion using the .shfill operator that could have been used by attackers able to supply crafted PostScript files to crash the interpreter or potentially execute code (bsc#1106172). - CVE-2018-15908: Prevent attackers that are able to supply malicious PostScript files to bypass .tempfile restrictions and write files (bsc#1106171). - CVE-2018-15910: Prevent a type confusion in the LockDistillerParams parameter that could have been used to crash the interpreter or execute code (bsc#1106173). - CVE-2018-15911: Prevent use uninitialized memory access in the aesdecode operator that could have been used to crash the interpreter or potentially execute code (bsc#1106195). - CVE-2018-16513: Prevent a type confusion in the setcolor function that could have been used to crash the interpreter or possibly have unspecified other impact (bsc#1107412). - CVE-2018-16509: Incorrect 'restoration of privilege' checking during handling of /invalidaccess exceptions could be have been used by attackers able to supply crafted PostScript to execute code using the 'pipe' instruction (bsc#1107410). - CVE-2018-16510: Incorrect exec stack handling in the 'CS' and 'SC' PDF primitives could have been used by remote attackers able to supply crafted PDFs to crash the interpreter or possibly have unspecified other impact (bsc#1107411). - CVE-2018-16542: Prevent attackers able to supply crafted PostScript files from using insufficient interpreter stack-size checking during error handling to crash the interpreter (bsc#1107413). - CVE-2018-16541: Prevent attackers able to supply crafted PostScript files from using incorrect free logic in pagedevice replacement to crash the interpreter (bsc#1107421). - CVE-2018-16540: Prevent use-after-free in copydevice handling that could have been used to crash the interpreter or possibly have unspecified other impact (bsc#1107420). - CVE-2018-16539: Prevent attackers able to supply crafted PostScript files from using incorrect access checking in temp file handling to disclose contents of files on the system otherwise not readable (bsc#1107422). - CVE-2018-16543: gssetresolution and gsgetresolution allowed attackers to have an unspecified impact (bsc#1107423). - CVE-2018-16511: A type confusion in 'ztype' could have been used by remote attackers able to supply crafted PostScript to crash the interpreter or possibly have unspecified other impact (bsc#1107426). - CVE-2018-16585: The .setdistillerkeys PostScript command was accepted even though it is not intended for use during document processing (e.g., after the startup phase). This lead to memory corruption, allowing remote attackers able to supply crafted PostScript to crash the interpreter or possibly have unspecified other impact (bsc#1107581). - CVE-2018-16802: Incorrect 'restoration of privilege' checking when running out of stack during exception handling could have been used by attackers able to supply crafted PostScript to execute code using the 'pipe' instruction. This is due to an incomplete fix for CVE-2018-16509 (bsc#1108027). These non-security issues were fixed: * Fixes problems with argument handling, some unintended results of the security fixes to the SAFER file access restrictions (specifically accessing ICC profile files). * Avoid that ps2epsi fails with 'Error: /undefined in --setpagedevice--' For additional changes please check http://www.ghostscript.com/doc/9.25/News.htm ----------------------------------------- Patch: SUSE-2018-2165 Released: Fri Oct 5 15:22:38 2018 Summary: Security update for java-1_8_0-openjdk Severity: important References: 1101644,1101645,1101651,1101656,1106812,CVE-2018-2938,CVE-2018-2940,CVE-2018-2952,CVE-2018-2973 Description: This update for java-1_8_0-openjdk to the jdk8u181 (icedtea 3.9.0) release fixes the following issues: These security issues were fixed: - CVE-2018-2938: Difficult to exploit vulnerability allowed unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in takeover of Java SE (bsc#1101644). - CVE-2018-2940: Vulnerability in subcomponent: Libraries. Easily exploitable vulnerability allowed unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data (bsc#1101645) - CVE-2018-2952: Vulnerability in subcomponent: Concurrency. Difficult to exploit vulnerability allowed unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit (bsc#1101651) - CVE-2018-2973: Vulnerability in subcomponent: JSSE. Difficult to exploit vulnerability allowed unauthenticated attacker with network access via SSL/TLS to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data (bsc#1101656) These non-security issues were fixed: - Improve desktop file usage - Better Internet address support - speculative traps break when classes are redefined - sun/security/pkcs11/ec/ReadCertificates.java fails intermittently - Clean up code that saves the previous versions of redefined classes - Prevent SIGSEGV in ReceiverTypeData::clean_weak_klass_links - RedefineClasses() tests fail assert(((Metadata*)obj)->is_valid()) failed: obj is valid - NMT is not enabled if NMT option is specified after class path specifiers - EndEntityChecker should not process custom extensions after PKIX validation - SupportedDSAParamGen.java failed with timeout - Montgomery multiply intrinsic should use correct name - When determining the ciphersuite lists, there is no debug output for disabled suites. - sun/security/mscapi/SignedObjectChain.java fails on Windows - On Windows Swing changes keyboard layout on a window activation - IfNode::range_check_trap_proj() should handler dying subgraph with single if proj - Even better Internet address support - Newlines in JAXB string values of SOAP-requests are escaped to ' ' - TestFlushableGZIPOutputStream failing with IndexOutOfBoundsException - Unable to use JDWP API in JDK 8 to debug JDK 9 VM - Hotspot crash on Cassandra 3.11.1 startup with libnuma 2.0.3 - Performance drop with Java JDK 1.8.0_162-b32 - Upgrade time-zone data to tzdata2018d - Fix potential crash in BufImg_SetupICM - JDK 8u181 l10n resource file update - Remove debug print statements from RMI fix - (tz) Upgrade time-zone data to tzdata2018e - ObjectInputStream filterCheck method throws NullPointerException - adjust reflective access checks - Fixed builds on s390 (bsc#1106812) ----------------------------------------- Patch: SUSE-2018-2171 Released: Mon Oct 8 10:31:29 2018 Summary: Security update for soundtouch Severity: moderate References: 1103676,CVE-2018-1000223 Description: This update for soundtouch fixes the following security issue: - CVE-2018-1000223: Prevent buffer overflow in WavInFile::readHeaderBlock() that could have resulted in arbitrary code execution when opening maliocius file in soundstretch utility (bsc#1103676) ----------------------------------------- Patch: SUSE-2018-2183 Released: Tue Oct 9 11:30:31 2018 Summary: Security update for java-1_8_0-ibm Severity: moderate References: 1104668,CVE-2016-0705,CVE-2017-3732,CVE-2017-3736,CVE-2018-12539,CVE-2018-1517,CVE-2018-1656,CVE-2018-2940,CVE-2018-2952,CVE-2018-2964,CVE-2018-2973 Description: This update for java-1_8_0-ibm to 8.0.5.20 fixes the following issues: - CVE-2018-2952: Vulnerability in subcomponent: Concurrency. Difficult to exploit vulnerability allowed unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit (bsc#1104668). - CVE-2018-2940: Vulnerability in subcomponent: Libraries. Easily exploitable vulnerability allowed unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data (bsc#1104668). - CVE-2018-2973: Vulnerability in subcomponent: JSSE. Difficult to exploit vulnerability allowed unauthenticated attacker with network access via SSL/TLS to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data (bsc#1104668). - CVE-2018-2964: Vulnerability in subcomponent: Deployment. Difficult to exploit vulnerability allowed unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Java SE. (bsc#1104668). - CVE-2016-0705: Prevent double free in the dsa_priv_decode function that allowed remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a malformed DSA private key (bsc#1104668). - CVE-2017-3732: Prevent carry propagating bug in the x86_64 Montgomery squaring procedure (bsc#1104668). - CVE-2017-3736: Prevent carry propagating bug in the x86_64 Montgomery squaring procedure (bsc#1104668). - CVE-2018-12539: Users other than the process owner might have been able to use Java Attach API to connect to an IBM JVM on the same machine and use Attach API operations, which includes the ability to execute untrusted native code (bsc#1104668) - CVE-2018-1517: Unspecified vulnerability (bsc#1104668). - CVE-2018-1656: Unspecified vulnerability (bsc#1104668) ----------------------------------------- Patch: SUSE-2018-2193 Released: Wed Oct 10 13:20:50 2018 Summary: Recommended update for dialog Severity: moderate References: 1094836 Description: This update for dialog fixes the following issues: - Fixes a bug where scrolling is not possible (bsc#1094836) ----------------------------------------- Patch: SUSE-2018-2298 Released: Wed Oct 17 17:02:57 2018 Summary: Recommended update for java-11-openjdk Severity: moderate References: 1111162,1112142,1112143,1112144,1112145,1112146,1112147,1112148,1112149,CVE-2018-3136,CVE-2018-3139,CVE-2018-3149,CVE-2018-3150,CVE-2018-3157,CVE-2018-3169,CVE-2018-3180,CVE-2018-3183 Description: This update for java-11-openjdk fixes the following issues: Update to upstream tag jdk-11.0.1+13 (Oracle October 2018 CPU) Security fixes: - S8202936, CVE-2018-3183, bsc#1112148: Improve script engine support - S8199226, CVE-2018-3169, bsc#1112146: Improve field accesses - S8199177, CVE-2018-3149, bsc#1112144: Enhance JNDI lookups - S8202613, CVE-2018-3180, bsc#1112147: Improve TLS connections stability - S8208209, CVE-2018-3180, bsc#1112147: Improve TLS connection stability again - S8199172, CVE-2018-3150, bsc#1112145: Improve jar attribute checks - S8200648, CVE-2018-3157, bsc#1112149: Make midi code more sound - S8194534, CVE-2018-3136, bsc#1112142: Manifest better support - S8208754, CVE-2018-3136, bsc#1112142: The fix for JDK-8194534 needs updates - S8196902, CVE-2018-3139, bsc#1112143: Better HTTP Redirection Security-In-Depth fixes: - S8194546: Choosier FileManagers - S8195874: Improve jar specification adherence - S8196897: Improve PRNG support - S8197881: Better StringBuilder support - S8201756: Improve cipher inputs - S8203654: Improve cypher state updates - S8204497: Better formatting of decimals - S8200666: Improve LDAP support - S8199110: Address Internet Addresses Update to upstream tag jdk-11+28 (OpenJDK 11 rc1) - S8207317: SSLEngine negotiation fail exception behavior changed from fail-fast to fail-lazy - S8207838: AArch64: Float registers incorrectly restored in JNI call - S8209637: [s390x] Interpreter doesn't call result handler after native calls - S8209670: CompilerThread releasing code buffer in destructor is unsafe - S8209735: Disable avx512 by default - S8209806: API docs should be updated to refer to javase11 - Report version without the '-internal' postfix - Don't build against gdk making the accessibility depend on a particular version of gtk. Update to upstream tag jdk-11+27 - S8031761: [TESTBUG] Add a regression test for JDK-8026328 - S8151259: [TESTBUG] nsk/jvmti/RedefineClasses/redefclass030 fails with 'unexpected values of outer fields of the class' when running with -Xcomp - S8164639: Configure PKCS11 tests to use user-supplied NSS libraries - S8189667: Desktop#moveToTrash expects incorrect '<>' FilePermission - S8194949: [Graal] gc/TestNUMAPageSize.java fail with OOM in -Xcomp - S8195156: [Graal] serviceability/jvmti/GetModulesInfo/ /JvmtiGetAllModulesTest.java fails with Graal in Xcomp mode - S8199081: [Testbug] compiler/linkage/LinkageErrors.java fails if run twice - S8201394: Update java.se module summary to reflect removal of java.se.ee module - S8204931: Colors with alpha are painted incorrectly on Linux - S8204966: [TESTBUG] hotspot/test/compiler/whitebox/ /IsMethodCompilableTest.java test fails with -XX:CompileThreshold=1 - S8205608: Fix 'frames()' in ThreadReferenceImpl.c to prevent quadratic runtime behavior - S8205687: TimeoutHandler generates huge core files - S8206176: Remove the temporary tls13VN field - S8206258: [Test Error] sun/security/pkcs11 tests fail if NSS libs not found - S8206965: java/util/TimeZone/Bug8149452.java failed on de_DE and ja_JP locale. - S8207009: TLS 1.3 half-close and synchronization issues - S8207046: arm32 vm crash: C1 arm32 platform functions parameters type mismatch - S8207139: NMT is not enabled on Windows 2016/10 - S8207237: SSLSocket#setEnabledCipherSuites is accepting empty string - S8207355: C1 compilation hangs in ComputeLinearScanOrder::compute_dominator - S8207746: C2: Lucene crashes on AVX512 instruction - S8207765: HeapMonitorTest.java intermittent failure - S8207944: java.lang.ClassFormatError: Extra bytes at the end of class file test' possibly violation of JVMS 4.7.1 - S8207948: JDK 11 L10n resource file update msg drop 10 - S8207966: HttpClient response without content-length does not return body - S8208125: Cannot input text into JOptionPane Text Input Dialog - S8208164: (str) improve specification of String::lines - S8208166: Still unable to use custom SSLEngine with default TrustManagerFactory after JDK-8207029 - S8208189: ProblemList compiler/graalunit/JttThreadsTest.java - S8208205: ProblemList tests that fail due to 'Error attaching to process: Can't create thread_db agent!' - S8208226: ProblemList com/sun/jdi/BasicJDWPConnectionTest.java - S8208251: serviceability/jvmti/HeapMonitor/MyPackage/ /HeapMonitorGCCMSTest.java fails intermittently on Linux-X64 - S8208305: ProblemList compiler/jvmci/compilerToVM/GetFlagValueTest.java - S8208347: ProblemList compiler/cpuflags/TestAESIntrinsicsOnSupportedConfig.java - S8208353: Upgrade JDK 11 to libpng 1.6.35 - S8208358: update bug ids mentioned in tests - S8208370: fix typo in ReservedStack tests' @requires - S8208391: Differentiate response and connect timeouts in HTTP Client API - S8208466: Fix potential memory leak in harfbuzz shaping. - S8208496: New Test to verify concurrent behavior of TLS. - S8208521: ProblemList more tests that fail due to 'Error attaching to process: Can't create thread_db agent!' - S8208640: [a11y] [macos] Unable to navigate between Radiobuttons in Radio group using keyboard. - S8208663: JDK 11 L10n resource file update msg drop 20 - S8208676: Missing NULL check and resource leak in NetworkPerformanceInterface::NetworkPerformance::network_utilization - S8208691: Tighten up jdk.includeInExceptions security property - S8209011: [TESTBUG] AArch64: sun/security/pkcs11/Secmod/ /TestNssDbSqlite.java fails in aarch64 platforms - S8209029: ProblemList tests that fail due to 'Error attaching to process: Can't create thread_db agent!' in jdk-11+25 testing - S8209149: [TESTBUG] runtime/RedefineTests/ /RedefineRunningMethods.java needs a longer timeout - S8209451: Please change jdk 11 milestone to FCS - S8209452: VerifyCACerts.java failed with 'At least one cacert test failed' - S8209506: Add Google Trust Services GlobalSign root certificates - S8209537: Two security tests failed after JDK-8164639 due to dependency was missed ----------------------------------------- Patch: SUSE-2018-2302 Released: Thu Oct 18 14:29:31 2018 Summary: Security update for zziplib Severity: moderate References: 1110687,CVE-2018-17828 Description: This update for zziplib fixes the following issues: - CVE-2018-17828: Remove any '../' components from pathnames of extracted files to avoid path traversal during unpacking. (bsc#1110687) ----------------------------------------- Patch: SUSE-2018-2307 Released: Thu Oct 18 14:42:54 2018 Summary: Recommended update for libxcb Severity: moderate References: 1101560 Description: This update for libxcb provides the following fix: - Fix some IO errors when using KWin in combination with the NVIDIA driver. (bsc#1101560) ----------------------------------------- Patch: SUSE-2018-2335 Released: Fri Oct 19 15:06:23 2018 Summary: Security update for clamav Severity: moderate References: 1103040,1104457,1110723,CVE-2018-14680,CVE-2018-14681,CVE-2018-14682,CVE-2018-15378 Description: This update for clamav fixes the following issues: clamav was updated to version 0.100.2. Following security issues were fixed: - CVE-2018-15378: Vulnerability in ClamAV's MEW unpacking feature that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. (bsc#1110723) - CVE-2018-14680, CVE-2018-14681, CVE-2018-14682: more fixes for embedded libmspack. (bsc#1103040) Following non-security issues were addressed: - Make freshclam more robust against lagging signature mirrors. - On-Access 'Extra Scanning', an opt-in minor feature of OnAccess scanning on Linux systems, has been disabled due to a known issue with resource cleanup OnAccessExtraScanning will be re-enabled in a future release when the issue is resolved. In the mean-time, users who enabled the feature in clamd.conf will see a warning informing them that the feature is not active. For details, see: https://bugzilla.clamav.net/show_bug.cgi?id=12048 - Restore exit code compatibility of freshclam with versions before 0.100.0 when the virus database is already up to date (bsc#1104457) ----------------------------------------- Patch: SUSE-2018-2340 Released: Fri Oct 19 16:05:53 2018 Summary: Security update for fuse Severity: moderate References: 1101797,CVE-2018-10906 Description: This update for fuse fixes the following issues: - CVE-2018-10906: fusermount was vulnerable to a restriction bypass when SELinux is active. This allowed non-root users to mount a FUSE file system with the 'allow_other' mount option regardless of whether 'user_allow_other' is set in the fuse configuration. An attacker may use this flaw to mount a FUSE file system, accessible by other users, and trick them into accessing files on that file system, possibly causing Denial of Service or other unspecified effects (bsc#1101797) ----------------------------------------- Patch: SUSE-2018-2343 Released: Sat Oct 20 09:51:54 2018 Summary: Recommended update for dejagnu Severity: moderate References: 1100206 Description: This update for dejagnu fixes the following issues: - Use separate kill command for each pid (bsc#1100206) - Install LICENSE file in the correct directory. ----------------------------------------- Patch: SUSE-2018-2364 Released: Mon Oct 22 13:13:28 2018 Summary: Security update for wireshark Severity: important References: 1111647,CVE-2018-12086,CVE-2018-18227 Description: This update for wireshark fixes the following issues: Wireshark was updated to 2.4.10 (bsc#1111647). Following security issues were fixed: - CVE-2018-18227: MS-WSP dissector crash (wnpa-sec-2018-47) - CVE-2018-12086: OpcUA dissector crash (wnpa-sec-2018-50) Further bug fixes and updated protocol support that were done are listed in: https://www.wireshark.org/docs/relnotes/wireshark-2.4.10.html ----------------------------------------- Patch: SUSE-2018-2370 Released: Mon Oct 22 14:02:01 2018 Summary: Recommended update for aaa_base Severity: moderate References: 1102310,1104531 Description: This update for aaa_base provides the following fixes: - Let bash.bashrc work even for (m)ksh. (bsc#1104531) - Fix an error at login if java system directory is empty. (bsc#1102310) ----------------------------------------- Patch: SUSE-2018-2392 Released: Tue Oct 23 12:45:51 2018 Summary: Security update for tiff Severity: moderate References: 1092480,1106853,1108627,1108637,1110358,CVE-2018-10779,CVE-2018-16335,CVE-2018-17100,CVE-2018-17101,CVE-2018-17795 Description: This update for tiff fixes the following issues: Security issue fixed: - CVE-2018-10779: TIFFWriteScanline in tif_write.c had a heap-based buffer over-read, as demonstrated by bmp2tiff.(bsc#1092480) - CVE-2018-17100: There is a int32 overflow in multiply_ms in tools/ppm2tiff.c, which can cause a denial of service (crash) or possibly have unspecified other impact via a crafted image file. (bsc#1108637) - CVE-2018-17101: There are two out-of-bounds writes in cpTags in tools/tiff2bw.c and tools/pal2rgb.c, which can cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image file. (bsc#1108627) - CVE-2018-17795: The function t2p_write_pdf in tiff2pdf.c allowed remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, a similar issue to CVE-2017-9935. (bsc#1110358) - CVE-2018-16335: newoffsets handling in ChopUpSingleUncompressedStrip in tif_dirread.c allowed remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, as demonstrated by tiff2pdf. This is a different vulnerability than CVE-2018-15209. (bsc#1106853) ----------------------------------------- Patch: SUSE-2018-2411 Released: Tue Oct 23 17:27:40 2018 Summary: Recommended update for libXaw Severity: moderate References: 1098411 Description: This update for libXaw provides the following fix: - Fix a crash when the required font is not installed. (bsc#1098411) ----------------------------------------- Patch: SUSE-2018-2431 Released: Wed Oct 24 13:05:29 2018 Summary: Security update for ntp Severity: moderate References: 1083424,1098531,1111853,CVE-2018-12327,CVE-2018-7170 Description: NTP was updated to 4.2.8p12 (bsc#1111853): - CVE-2018-12327: Fixed stack buffer overflow in the openhost() command-line call of NTPQ/NTPDC. (bsc#1098531) - CVE-2018-7170: Add further tweaks to improve the fix for the ephemeral association time spoofing additional protection (bsc#1083424) Please also see https://www.nwtime.org/network-time-foundation-publishes-ntp-4-2-8p12/ for more information. ----------------------------------------- Patch: SUSE-2018-2441 Released: Wed Oct 24 16:38:48 2018 Summary: Initial release of python-pyinotify Severity: low References: 1111493 Description: This update provides python-pyinotify required for salt beacons ----------------------------------------- Patch: SUSE-2018-2442 Released: Wed Oct 24 16:39:09 2018 Summary: Recommended update for python-msrestazure and it's dependencies Severity: moderate References: 1109694 Description: This update for python-adal, python-isodate, python-msrest, python-msrestazure fixes the following issues: python-msrestazure: - Update to version 0.5.0 + Features * Implementation is now using ADAL and not request-oauthlib. This allows more AD scenarios (like federated). * Add additionalInfo parsing for CloudError. * Implement new LRO options of Autorest. * Improve MSI for VM token polling algorithm. * MSIAuthentication now uses IMDS endpoint if available. * MSIAuthentication can be used in any environment that defines MSI_ENDPOINT env variable. * CloudError now includes the 'innererror' attribute to match OData v4. * Introduces ARMPolling implementation of Azure Resource Management LRO. * Add support for WebApp/Functions in MSIAuthentication classes. * Add parse_resource_id(), resource_id(), validate_resource_id() to parse ARM ids. * Retry strategy now n reach 24 seconds (instead of 12 seconds). * Add Managed Service Integrated (MSI) authentication. * Add 'timeout' to ServicePrincipalCredentials and UserPasswordCredentials. * Threads created by AzureOperationPoller have now a name prefixed by 'AzureOperationPoller' to help identify them. * Improve MSIAuthentication to support User Assigned Identity. + Bugfixes * MSIAuthentication regression for KeyVault since IMDS support. * MSIAuthentication should initialize the token attribute on creation. * Fixes refreshToken in UserPassCredentials and AADTokenCredentials. * Fix US government cloud definition. * Reduce max MSI polling time for VM. * IMDS/MSI: Retry on more error codes. * IMDS/MSI: Fix a boundary case on timeout. * Fix parse_resource_id() tool to be case*insensitive to keywords when matching. * Add missing baseclass init call for AdalAuthentication. * Fix LRO result if POST uses AsyncOperation header. * Remove a possible infinite loop with MSIAuthentication. * Fix session obj for cloudmetadata endpoint. * Fix authentication resource node for AzureSatck. * Better detection of AppService with MSIAuthentication. * get_cloud_from_metadata_endpoint incorrect on AzureStack. * get_cloud_from_metadata_endpoint certificate issue. * Fix AttributeError if error JSON from ARM does not follow ODatav4 (as it should). * Fix AttributeError if input JSON is not a dict. * Fix AdalError handling in some scenarios. * Update Azure Gov login endpoint. * Update metadata ARM endpoint parser. + Incompatible changes * Remove unused auth_uri, state, client and token_uri attributes in ServicePrincipalCredentials, UserPassCredentials and AADTokenCredentials. * Remove token caching based on 'keyring'. Token caching should be implemented using ADAL now. * Remove InteractiveCredentials. This class was deprecated and unusable. Use ADAL device code instead. python-msrest - Update to version 0.5.0 + Require python-enum32 and python-typing. + Features * Support additionalProperties and XML. * Deserialize/from_dict now accepts a content*type parameter to parse XML strings. * Add XML support * Add many type hints, and MyPY testing on CI. * HTTP calls are made through a HTTPDriver API. Only implementation is `requests` for now. This driver API is *not* considered stable and you should pin your msrest version if you want to provide a personal implementation. * msrest is now able to keep the 'requests.Session' alive for performance. * All Authentication classes now define `signed_session` and `refresh_session` with an optional `session` parameter. * Disable HTTP log by default (security), add `enable_http_log` to restore it. * Add TopicCredentials for EventGrid client. * Add LROPoller class. This is a customizable LRO engine. * Model now accept kwargs in constructor for future kwargs models. * Add support for additional_properties. * The interpretation of Swagger 2.0 'discriminator' is now lenient. * Add ApiKeyCredentials class. This can be used to support OpenAPI ApiKey feature. * Add CognitiveServicesAuthentication class. Pre*declared ApiKeyCredentials class for Cognitive Services. * Add Configuration.session_configuration_callback to customize the requests.Session if necessary. * Add a flag to Serializer to disable client*side*validation. * Remove 'import requests' from 'exceptions.py' for apps that require fast loading time. * Input is now more lenient. * Model have a 'validate' method to check content constraints. * Model have now new methods for serialize, as_dict, deserialize and from_dict. + Bugfixes * Fix a serialization issue if additional_properties is declared, and 'automatic model' syntax is used ('automatic model' being the ability to pass a dict to command and have the model auto*created). * Better parse empty node and not string types. * Improve 'object' XML parsing. * Fix some XML serialization subtle scenarios. * Fix some complex XML Swagger definitions. * Lower Accept header overwrite logging message. * Fix 'object' type and XML format. * Incorrect milliseconds serialization for some datetime object. * Improve `SDKClient.__exit__` to take exc_details as optional parameters and not required. * Refresh_session should also use the permanent HTTP session if available. * Fix incorrect date parsing if ms precision is over 6 digits. * Fix minimal dependency of isodate. * Fix serialisation from dict if datetime provided. * Date parsing is now compliant with Autorest / Swagger 2.0 specification (less lenient). * Accept to deserialize enum of different type if content string match. * Stop failing on deserialization if enum string is unkwon. Return the string instead. * Do not validate additional_properties. * Improve validation error if expected type is dict, but actual type is not. * Fix additional_properties if Swagger was flatten. * Optional formdata parameters were raising an exception. * 'application/x*www*form*urlencoded' form was sent using 'multipart/form*data'. * Fix regression: accept 'set' as a valid '[str]' * Always log response body. * Improved exception message if error JSON is Odata v4. * Refuse 'str' as a valid '[str]' type. * Better exception handling if input from server is not JSON valid. * Fix regression introduced in msrest 0.4.12 * dict syntax with enum modeled as string and enum used. * Fix regression introduced in msrest 0.4.12 * dict syntax using isodate.Duration. * Better Enum checking. + Internal optimisation * Call that does not return a streamable object are now executed in requests stream mode False (was True whatever the type of the call). This should reduce the number of leaked opened session and allow urllib3 to manage connection pooling more efficiently. Only clients generated with Autorest.Python >= 2.1.31 (not impacted otherwise, fully backward compatible) + Deprecation * Trigger DeprecationWarning for _client.add_header and _client.send_formdata. python-adal - Update to version 1.0.2 python-isodate - Update to version 0.6.0 + Support incomplete month date. + Rely on duck typing when doing duration maths. + Support ':' as separator in fractional time zones. ----------------------------------------- Patch: SUSE-2018-2445 Released: Wed Oct 24 16:41:09 2018 Summary: Recommended update for iotop Severity: moderate References: 1094694,1094823 Description: This update for iotop provides the following fix: - Fix a crash when /proc/*/status doesn't have the tab character or when it has invalid lines. (bsc#1094823, bsc#1094694) ----------------------------------------- Patch: SUSE-2018-2463 Released: Thu Oct 25 14:48:34 2018 Summary: Recommended update for timezone, timezone-java Severity: moderate References: 1104700,1112310 Description: This update for timezone, timezone-java fixes the following issues: The timezone database was updated to 2018f: - Volgograd moves from +03 to +04 on 2018-10-28. - Fiji ends DST 2019-01-13, not 2019-01-20. - Most of Chile changes DST dates, effective 2019-04-06 (bsc#1104700) - Corrections to past timestamps of DST transitions - Use 'PST' and 'PDT' for Philippine time - minor code changes to zic handling of the TZif format - documentation updates Other bugfixes: - Fixed a zic problem with the 1948-1951 DST transition in Japan (bsc#1112310) ----------------------------------------- Patch: SUSE-2018-2484 Released: Fri Oct 26 10:16:04 2018 Summary: Security update for wpa_supplicant Severity: moderate References: 1080798,1098854,1099835,1104205,1109209,1111873,CVE-2018-14526 Description: This update for wpa_supplicant provides the following fixes: This security issues was fixe: - CVE-2018-14526: Under certain conditions, the integrity of EAPOL-Key messages was not checked, leading to a decryption oracle. An attacker within range of the Access Point and client could have abused the vulnerability to recover sensitive information (bsc#1104205) These non-security issues were fixed: - Fix reading private key passwords from the configuration file. (bsc#1099835) - Enable PWD as EAP method. This allows for password-based authentication, which is easier to setup than most of the other methods, and is used by the Eduroam network. (bsc#1109209) - compile eapol_test binary to allow testing via radius proxy and server (note: this does not match CONFIG_EAPOL_TEST which sets -Werror and activates an assert call inside the code of wpa_supplicant) (bsc#1111873), (fate#326725) - Enabled timestamps in log file when being invoked by systemd service file (bsc#1080798). - Fixes the default file permissions of the debug log file to more sane values, i.e. it is no longer world-readable (bsc#1098854). - Open the debug log file with O_CLOEXEC, which will prevent file descriptor leaking to child processes (bsc#1098854). ----------------------------------------- Patch: SUSE-2018-2505 Released: Fri Oct 26 16:12:37 2018 Summary: Security update for audiofile Severity: moderate References: 1111586,CVE-2018-17095 Description: This update for audiofile fixes the following issues: - CVE-2018-17095: A heap-based buffer overflow in Expand3To4Module::run could occurred when running sfconvert leading to crashes or code execution when handling untrusted soundfiles (bsc#1111586). ----------------------------------------- Patch: SUSE-2018-2507 Released: Fri Oct 26 16:27:56 2018 Summary: Recommended update for s3fs Severity: moderate References: 1111267 Description: This update for s3fs fixes the following issues: - Add fuse package as required in runtime to allow mounting with systemd, mount command or /etc/fstab (bsc#1111267) ----------------------------------------- Patch: SUSE-2018-2513 Released: Mon Oct 29 11:11:23 2018 Summary: Recommended update for sysstat Severity: moderate References: 1089883 Description: This update for sysstat fixes the following issues: Sysstat was updated to 12.0.2, bringing new features and bugfixes (fate#326576, bsc#1089883) - It contains lots of improvements in SVG output. - New metric additions for hugepages. - New options Please look at http://sebastien.godard.pagesperso-orange.fr/ for a more detailed history of changes. ----------------------------------------- Patch: SUSE-2018-2514 Released: Mon Oct 29 11:11:47 2018 Summary: Recommended update for nfs4-acl-tools Severity: moderate References: 1104803,967251 Description: This update for nfs4-acl-tools fixes the following issues: - Allow recursive set_acl to set inheritance flags. (bsc#967251, bsc#1104803) ----------------------------------------- Patch: SUSE-2018-2529 Released: Tue Oct 30 16:05:19 2018 Summary: Recommended update for dapl Severity: moderate References: 1094657 Description: This update for dapl fixes the following issues: - Fix a 'deadlock' that causes socket connection to timeout when net.ipv4.tcp_syncookies=0. (bsc#1094657) ----------------------------------------- Patch: SUSE-2018-2550 Released: Wed Oct 31 16:16:56 2018 Summary: Recommended update for timezone, timezone-java Severity: moderate References: 1113554 Description: This update provides the latest time zone definitions (2018g), including the following change: - Morocco switched from +00/+01 to permanent +01 effective 2018-10-28 (bsc#1113554) ----------------------------------------- Patch: SUSE-2018-2565 Released: Fri Nov 2 17:10:31 2018 Summary: Security update for soundtouch Severity: moderate References: 1108630,1108631,1108632,CVE-2018-17096,CVE-2018-17097,CVE-2018-17098 Description: This update for soundtouch fixes the following issues: - CVE-2018-17098: The WavFileBase class allowed remote attackers to cause a denial of service (heap corruption from size inconsistency) or possibly have unspecified other impact, as demonstrated by SoundStretch. (bsc#1108632) - CVE-2018-17097: The WavFileBase class allowed remote attackers to cause a denial of service (double free) or possibly have unspecified other impact, as demonstrated by SoundStretch. (double free) (bsc#1108631) - CVE-2018-17096: The BPMDetect class allowed remote attackers to cause a denial of service (assertion failure and application exit), as demonstrated by SoundStretch. (bsc#1108630) ----------------------------------------- Patch: SUSE-2018-2569 Released: Fri Nov 2 19:00:18 2018 Summary: Recommended update for pam Severity: moderate References: 1110700 Description: This update for pam fixes the following issues: - Remove limits for nproc from /etc/security/limits.conf (bsc#1110700) ----------------------------------------- Patch: SUSE-2018-2607 Released: Wed Nov 7 15:42:48 2018 Summary: Optional update for gcc8 Severity: low References: 1084812,1084842,1087550,1094222,1102564 Description: The GNU Compiler GCC 8 is being added to the Development Tools Module by this update. The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the Basesystem module of SUSE Linux Enterprise 15. Various optimizers have been improved in GCC 8, several of bugs fixed, quite some new warnings added and the error pin-pointing and fix-suggestions have been greatly improved. The GNU Compiler page for GCC 8 contains a summary of all the changes that have happened: https://gcc.gnu.org/gcc-8/changes.html Also changes needed or common pitfalls when porting software are described on: https://gcc.gnu.org/gcc-8/porting_to.html ----------------------------------------- Patch: SUSE-2018-2616 Released: Thu Nov 8 17:53:23 2018 Summary: Security update for libepubgen, liblangtag, libmwaw, libnumbertext, libreoffice, libstaroffice, libwps, myspell-dictionaries, xmlsec1 Severity: moderate References: 1050305,1088263,1091606,1094779,1095601,1095639,1096360,1098891,1104876,CVE-2018-10583 Description: This update for LibreOffice, libepubgen, liblangtag, libmwaw, libnumbertext, libstaroffice, libwps, myspell-dictionaries, xmlsec1 fixes the following issues: LibreOffice was updated to 6.1.3.2 (fate#326624) and contains new features and lots of bugfixes: The full changelog can be found on: https://wiki.documentfoundation.org/ReleaseNotes/6.1 Bugfixes: - bsc#1095639 Exporting to PPTX results in vertical labels being shown horizontally - bsc#1098891 Table in PPTX misplaced and partly blue - bsc#1088263 Labels in chart change (from white and other colors) to black when saving as PPTX - bsc#1095601 Exporting to PPTX shifts arrow shapes quite a bit - Add more translations: * Belarusian * Bodo * Dogri * Frisian * Gaelic * Paraguayan_Guaran * Upper_Sorbian * Konkani * Kashmiri * Luxembourgish * Monglolian * Manipuri * Burnese * Occitan * Kinyarwanda * Santali * Sanskrit * Sindhi * Sidamo * Tatar * Uzbek * Upper Sorbian * Venetian * Amharic * Asturian * Tibetian * Bosnian * English GB * English ZA * Indonesian * Icelandic * Georgian * Khmer * Lao * Macedonian * Nepali * Oromo * Albanian * Tajik * Uyghur * Vietnamese * Kurdish - Try to build all languages see bsc#1096360 - Make sure to install the KDE5/Qt5 UI/filepicker - Try to implement safeguarding to avoid bsc#1050305 - Disable base-drivers-mysql as it needs mysqlcppcon that is only for mysql and not mariadb, causes issues bsc#1094779 * Users can still connect using jdbc/odbc - Fix java detection on machines with too many cpus - CVE-2018-10583: An information disclosure vulnerability occured when LibreOffice automatically processed and initiated an SMB connection embedded in a malicious file, as demonstrated by xlink:href=file://192.168.0.2/test.jpg within an office:document-content element in a .odt XML document. (bsc#1091606) libepubgen was updated to 0.1.1: - Avoid
inside

or . - Avoid writin vertical-align attribute without a value. - Fix generation of invalid XHTML when there is a link starting at the beginning of a footnote. - Handle relative width for images. - Fixed layout: write chapter names to improve navigation. - Support writing mode. - Start a new HTML file at every page span in addition to the splits induced by the chosen split method. This is to ensure that specified writing mode works correctly, as it is HTML attribute. liblangtag was updated to 0.6.2: - use standard function - fix leak in test libmwaw was updated to 0.3.14: - Support MS Multiplan 1.1 files libnumbertext was update to 1.0.5: - Various fixes in numerical calculations and issues reported on libreoffice tracker libstaroffice was updated to 0.0.6: - retrieve some StarMath's formula, - retrieve some charts as graphic, - retrieve some fields in sda/sdc/sdp text-boxes, - .sdw: retrieve more attachments. libwps was updated to 0.4.9: - QuattroPro: add parser to .wb3 files - Multiplan: add parser to DOS v1-v3 files - charts: try to retrieve charts in .wk*, .wq* files - QuattroPro: add parser to .wb[12] files myspell-dictionaries was updated to 20181025: - Turkish dictionary added - Updated French dictionary xmlsec1 was updated to 1.2.26: - Added xmlsec-mscng module based on Microsoft Cryptography API: Next Generation - Added support for GOST 2012 and fixed CryptoPro CSP provider for GOST R 34.10-2001 in xmlsec-mscrypto ----------------------------------------- Patch: SUSE-2018-2625 Released: Mon Nov 12 08:58:25 2018 Summary: Recommended update for java-11-openjdk Severity: moderate References: 1113734 Description: This update for java-11-openjdk fixes the following issues: Merge into the JDK following modules from github.com/javaee: * com.sum.xml.fastinfoset * org.jvnet.staxex * com.sun.istack.runtime * com.sun.xml.txw2 * com.sun.xml.bind This provides a default implementation of JAXB-API that existed in JDK before Java 11 and that some applications depend on. ----------------------------------------- Patch: SUSE-2018-2626 Released: Mon Nov 12 09:51:00 2018 Summary: Recommended update for bash-completion Severity: moderate References: 1104531 Description: This update for bash-completion fixes the following issues: - Fix an issue where bash-completion was not working with mksh (bsc#1104531) ----------------------------------------- Patch: SUSE-2018-2641 Released: Mon Nov 12 20:39:30 2018 Summary: Recommended update for nfsidmap Severity: moderate References: 1098217 Description: This update for nfsidmap fixes the following issues: - Improve support for SAMBA with Active Directory. (bsc#1098217) ----------------------------------------- Patch: SUSE-2018-2649 Released: Tue Nov 13 14:49:19 2018 Summary: Recommended update for guile Severity: moderate References: 1110085 Description: - The patch fixes a coredump when using guile with japanese locales based on Shift-JIS (LC_CTYPE=ja_JP.sjis) (bsc#1110085) ----------------------------------------- Patch: SUSE-2018-2716 Released: Tue Nov 20 16:15:16 2018 Summary: Recommended update for llvm5 Severity: moderate References: 1111190 Description: This update for llvm5 fixes the following issues: - Build TableGen component as its own shared library because it is not included in the libLLVM library and is needed for ldc. (bsc#1111190) ----------------------------------------- Patch: SUSE-2018-2742 Released: Thu Nov 22 13:28:36 2018 Summary: Recommended update for rpcbind Severity: moderate References: 969953 Description: This update for rpcbind fixes the following issues: - Fix tool stack buffer overflow aborting (bsc#969953) ----------------------------------------- Patch: SUSE-2018-2761 Released: Thu Nov 22 16:26:11 2018 Summary: Security update for libwpd Severity: important References: 1115713,CVE-2018-19208 Description: This update for libwpd fixes the following issues: Security issue fixed: - CVE-2018-19208: Fixed illegal address access inside libwpd at function WP6ContentListener:defineTable (bsc#1115713). ----------------------------------------- Patch: SUSE-2018-2763 Released: Thu Nov 22 16:26:44 2018 Summary: Security update for java-1_8_0-ibm Severity: important References: 1116574,CVE-2018-13785,CVE-2018-3136,CVE-2018-3139,CVE-2018-3149,CVE-2018-3169,CVE-2018-3180,CVE-2018-3183,CVE-2018-3214 Description: java-1_8_0-ibm was updated to Java 8.0 Service Refresh 5 Fix Pack 25 (bsc#1116574) * Class Libraries: - IJ10934 CVE-2018-13785 - IJ10935 CVE-2018-3136 - IJ10895 CVE-2018-3139 - IJ10932 CVE-2018-3149 - IJ10894 CVE-2018-3180 - IJ10930 CVE-2018-3183 - IJ10933 CVE-2018-3214 - IJ09315 FLOATING POINT EXCEPTION FROM JAVA.TEXT.DECIMALFORMAT. FORMAT - IJ09088 INTRODUCING A NEW PROPERTY FOR TURKEY TIMEZONE FOR PRODUCTS NOT IDENTIFYING TRT - IJ10800 REMOVE EXPIRING ROOT CERTIFICATES IN IBM JDK’S CACERTS. - IJ10566 SUPPORT EBCDIC CODE PAGE IBM-274 – BELGIUM EBCDIC * Java Virtual Machine - IJ08730 APPLICATION SIGNAL HANDLER NOT INVOKED FOR SIGABRT - IJ10453 ASSERTION FAILURE AT CLASSPATHITEM.CPP - IJ09574 CLASSLOADER DEFINED THROUGH SYSTEM PROPERTY ‘JAVA.SYSTEM.CLASS.LOADE R’ IS NOT HONORED. - IJ10931 CVE-2018-3169 - IJ10618 GPU SORT: UNSPECIFIED LAUNCH FAILURE - IJ10619 INCORRECT ILLEGALARGUMENTEXCEPTION BECAUSE OBJECT IS NOT AN INSTANCE OF DECLARING CLASS ON REFLECTIVE INVOCATION - IJ10135 JVM HUNG IN GARBAGECOLLECTORMXBEAN.G ETLASTGCINFO() API - IJ10680 RECURRENT ABORTED SCAVENGE * ORB - IX90187 CLIENTREQUESTIMPL.REINVO KE FAILS WITH JAVA.LANG.INDEXOUTOFBOUN DSEXCEPTION * Reliability and Serviceability - IJ09600 DTFJ AND JDMPVIEW FAIL TO PARSE WIDE REGISTER VALUES * Security - IJ10492 'EC KEYSIZE < 384' IS NOT HONORED USING THE 'JDK.TLS.DISABLEDALGORIT HMS' SECURITY PROPERTY - IJ10310 ADD NULL CHECKING ON THE ENCRYPTION TYPES LIST TO CREDENTIALS.GETDEFAULTNA TIVECREDS() METHOD - IJ10491 AES/GCM CIPHER – AAD NOT RESET TO UN-INIT STATE AFTER DOFINAL( ) AND INIT( ) - IJ08442 HTTP PUBLIC KEY PINNING FINGERPRINT,PROBLEM WITH CONVERTING TO JKS KEYSTORE - IJ09107 IBMPKCS11IMPL CRYPTO PROVIDER – INTERMITTENT ERROR WITH SECP521R1 SIGNATURE ON Z/OS - IJ10136 IBMPKCS11IMPL – INTERMITTENT ERROR WITH SECP521R1 SIG ON Z/OS AND Z/LINUX - IJ08530 IBMPKCS11IMPL PROVIDER USES THE WRONG RSA CIPHER MECHANISM FOR THE RSA/ECB/PKCS1PADDING CIPHER - IJ08723 JAAS THROWS A ‘ARRAY INDEX OUT OF RANGE’ EXCEPTION - IJ08704 THE SECURITY PROPERTY ‘JDK.CERTPATH.DISABLEDAL GORITHMS’ IS MISTAKENLY BEING USED TO FILTER JAR SIGNING ALGORITHMS * z/OS Extentions - PH03889 ADD SUPPORT FOR TRY-WITH-RESOURCES TO COM.IBM.JZOS.ENQUEUE - PH03414 ROLLOVER FROM SYE TO SAE FOR ICSF REASON CODE 3059 - PH04008 ZERTJSSE – Z SYSTEMS ENCRYPTION READINESS TOOL (ZERT) NEW SUPPORT IN THE Z/OS JAVA SDK This includes the update to Java 8.0 Service Refresh 5 Fix Pack 22: * Java Virtual Machine - IJ09139 CUDA4J NOT AVAILABLE ON ALL PLATFORMS * JIT Compiler - IJ09089 CRASH DURING COMPILATION IN USEREGISTER ON X86-32 - IJ08655 FLOATING POINT ERROR (SIGFPE) IN ZJ9SYM1 OR ANY VM/JIT MODULE ON AN INSTRUCTION FOLLOWING A VECTOR INSTRUCTION - IJ08850 CRASH IN ARRAYLIST$ITR.NEXT() - IJ09601 JVM CRASHES ON A SIGBUS SIGNAL WHEN ACCESSING A DIRECTBYTEBUFFER * z/OS Extentions - PH02999 JZOS data management classes accept dataset names in code pages supported by z/OS system services - PH01244 OUTPUT BUFFER TOO SHORT FOR GCM MODE ENCRYPTION USING IBMJCEHYBRID Also the update to Java 8.0 Service Refresh 5 Fix Pack 21 * Class Libraries - IJ08569 JAVA.IO.IOEXCEPTION OCCURS WHEN A FILECHANNEL IS BIGGER THAN 2GB ON AIX PLATFORM - IJ08570 JAVA.LANG.UNSATISFIEDLIN KERROR WITH JAVA OPTION -DSUN.JAVA2D.CMM=SUN.JAV A2D.CMM.KCMS.KCMSSERVICE PROVIDER ON AIX PLATFORM * Java Virtual Machine - IJ08001 30% THROUGHPUT DROP FOR CERTAIN SYNCHRONIZATION WORKLOADS - IJ07997 TRACEASSERT IN GARBAGE COLLECTOR(MEMORYSUBSPACE) * JIT Compiler - IJ08503 ASSERTION IS HIT DUE TO UNEXPECTED STACK HEIGHT IN DEBUGGING MODE - IJ08375 CRASH DURING HARDWARE GENERATED GUARDED STORAGE EVENT WITHIN A TRANSACTIONAL EXECUTION REGION WHEN RUNNING WITH -XGC:CONCURRENTS - IJ08205 CRASH WHILE COMPILING - IJ09575 INCORRECT RESULT WHEN USING JAVA.LANG.MATH.MIN OR MAX ON 31-BIT JVM - IJ07886 INCORRECT CALUCATIONS WHEN USING NUMBERFORMAT.FORMAT() AND BIGDECIMAL.{FLOAT/DOUBLE }VALUE() ----------------------------------------- Patch: SUSE-2018-2792 Released: Tue Nov 27 10:52:31 2018 Summary: Recommended update for autofs Severity: moderate References: 1093436 Description: This update for autofs fixes the following issues: - Fix file descriptor leak (bsc#1093436) ----------------------------------------- Patch: SUSE-2018-2793 Released: Tue Nov 27 13:38:46 2018 Summary: Security update for tiff Severity: moderate References: 1099257,1113094,1113672,CVE-2018-12900,CVE-2018-18557,CVE-2018-18661 Description: This update for tiff fixes the following issues: Security issues fixed: - CVE-2018-12900: Fixed heap-based buffer overflow in the cpSeparateBufToContigBuf (bsc#1099257). - CVE-2018-18661: Fixed NULL pointer dereference in the function LZWDecode in the file tif_lzw.c (bsc#1113672). - CVE-2018-18557: Fixed JBIG decode can lead to out-of-bounds write (bsc#1113094). Non-security issues fixed: - asan_build: build ASAN included - debug_build: build more suitable for debugging ----------------------------------------- Patch: SUSE-2018-2797 Released: Tue Nov 27 15:54:44 2018 Summary: Security update for rubygem-loofah Severity: moderate References: 1113969,CVE-2018-16468 Description: This update for rubygem-loofah fixes the following issues: Security issue fixed: - CVE-2018-16468: Fixed XXS by removing the svg animate attribute `from` from the allowlist (bsc#1113969). ----------------------------------------- Patch: SUSE-2018-2798 Released: Wed Nov 28 07:48:35 2018 Summary: Recommended update for make Severity: moderate References: 1100504 Description: This update for make fixes the following issues: - Use a non-blocking read with pselect to avoid hangs (bsc#1100504) ----------------------------------------- Patch: SUSE-2018-2818 Released: Fri Nov 30 14:32:24 2018 Summary: Recommended update for skopeo Severity: moderate References: 1115165 Description: This update for skopeo to version 0.1.32 adds the following feature: - implement `skopeo sync` command (bsc#1115165) ----------------------------------------- Patch: SUSE-2018-2825 Released: Mon Dec 3 15:35:02 2018 Summary: Security update for pam Severity: important References: 1115640,CVE-2018-17953 Description: This update for pam fixes the following issue: Security issue fixed: - CVE-2018-17953: Fixed IP address and subnet handling of pam_access.so that was not honoured correctly when a single host was specified (bsc#1115640). ----------------------------------------- Patch: SUSE-2018-2857 Released: Thu Dec 6 09:40:03 2018 Summary: Security update for rubygem-activejob-5_1 Severity: low References: 1117632,CVE-2018-16476 Description: This update for rubygem-activejob-5_1 fixes the following issues: Security issue fixed: - CVE-2018-16476: Fixed broken access control vulnerability (bsc#1117632). ----------------------------------------- Patch: SUSE-2018-2861 Released: Thu Dec 6 14:32:01 2018 Summary: Security update for ncurses Severity: important References: 1103320,1115929,CVE-2018-19211 Description: This update for ncurses fixes the following issues: Security issue fixed: - CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929). Non-security issue fixed: - Remove scree.xterm from terminfo data base as with this screen uses fallback TERM=screen (bsc#1103320). ----------------------------------------- Patch: SUSE-2018-2862 Released: Thu Dec 6 14:33:19 2018 Summary: Security update for openssl-1_0_0 Severity: moderate References: 1100078,1112209,1113534,1113652,1113742,CVE-2018-0734,CVE-2018-5407 Description: This update for openssl-1_0_0 fixes the following issues: Security issues fixed: - CVE-2018-0734: Fixed timing vulnerability in DSA signature generation (bsc#1113652). - CVE-2018-5407: Added elliptic curve scalar multiplication timing attack defenses that fixes 'PortSmash' (bsc#1113534). Non-security issues fixed: - Added missing timing side channel patch for DSA signature generation (bsc#1113742). - Set TLS version to 0 in msg_callback for record messages to avoid confusing applications (bsc#1100078). - Fixed infinite loop in DSA generation with incorrect parameters (bsc#1112209) ----------------------------------------- Patch: SUSE-2018-2864 Released: Fri Dec 7 10:21:20 2018 Summary: Security update for tiff Severity: moderate References: 1017693,1054594,1115717,990460,CVE-2016-10092,CVE-2016-10093,CVE-2016-10094,CVE-2016-6223,CVE-2017-12944,CVE-2018-19210 Description: This update for tiff fixes the following issues: Security issues fixed: - CVE-2018-19210: Fixed NULL pointer dereference in the TIFFWriteDirectorySec function (bsc#1115717). - CVE-2017-12944: Fixed denial of service issue in the TIFFReadDirEntryArray function (bsc#1054594). - CVE-2016-10094: Fixed heap-based buffer overflow in the _tiffWriteProc function (bsc#1017693). - CVE-2016-10093: Fixed heap-based buffer overflow in the _TIFFmemcpy function (bsc#1017693). - CVE-2016-10092: Fixed heap-based buffer overflow in the TIFFReverseBits function (bsc#1017693). - CVE-2016-6223: Fixed out-of-bounds read on memory-mapped files in TIFFReadRawStrip1() and TIFFReadRawTile1() (bsc#990460). ----------------------------------------- Patch: SUSE-2018-2866 Released: Fri Dec 7 12:04:49 2018 Summary: Recommended update for helm-mirror Severity: low References: 1116182 Description: This update provides helm-mirror to the Containers module. This utility mirrors Helm repositories to a local directory and it can extract used container images. ----------------------------------------- Patch: SUSE-2018-2882 Released: Mon Dec 10 08:07:44 2018 Summary: Security update for cups Severity: important References: 1115750,CVE-2018-4700 Description: This update for cups fixes the following issues: Security issue fixed: - CVE-2018-4700: Fixed extremely predictable cookie generation that is effectively breaking the CSRF protection of the CUPS web interface (bsc#1115750). ----------------------------------------- Patch: SUSE-2018-2908 Released: Tue Dec 11 21:48:30 2018 Summary: Recommended update for susefirewall2-to-firewalld Severity: moderate References: 1115001 Description: This update for susefirewall2-to-firewalld fixes the following issues: - Add input and forward zone to the known ones (bsc#1115001) - Stop guessing firewall service from port/proto ----------------------------------------- Patch: SUSE-2018-2914 Released: Wed Dec 12 13:37:46 2018 Summary: Security update for ghostscript Severity: important References: 1109105,1111479,1111480,1112229,1117022,1117274,1117313,1117327,1117331,CVE-2018-17183,CVE-2018-17961,CVE-2018-18073,CVE-2018-18284,CVE-2018-19409,CVE-2018-19475,CVE-2018-19476,CVE-2018-19477 Description: This update for ghostscript to version 9.26 fixes the following issues: Security issues fixed: - CVE-2018-19475: Fixed bypass of an intended access restriction in psi/zdevice2.c (bsc#1117327) - CVE-2018-19476: Fixed bypass of an intended access restriction in psi/zicc.c (bsc#1117313) - CVE-2018-19477: Fixed bypass of an intended access restriction in psi/zfjbig2.c (bsc#1117274) - CVE-2018-19409: Check if another device is used correctly in LockSafetyParams (bsc#1117022) - CVE-2018-18284: Fixed potential sandbox escape through 1Policy operator (bsc#1112229) - CVE-2018-18073: Fixed leaks through operator in saved execution stacks (bsc#1111480) - CVE-2018-17961: Fixed a -dSAFER sandbox escape by bypassing executeonly (bsc#1111479) - CVE-2018-17183: Fixed a potential code injection by specially crafted PostScript files (bsc#1109105) Version update to 9.26 (bsc#1117331): - Security issues have been the primary focus - Minor bug fixes and improvements - For release summary see: http://www.ghostscript.com/doc/9.26/News.htm ----------------------------------------- Patch: SUSE-2018-2926 Released: Thu Dec 13 11:24:58 2018 Summary: Recommended update for java-1_8_0-ibm Severity: important References: 1119213 Description: This update for java-1_8_0-ibm fixes the following issues: - Update to Java 8.0 Service Refresh 5 Fix Pack 26 [bsc#1119213] * Fixes several crashes that could have caused problems with SUSE Manager installations ----------------------------------------- Patch: SUSE-2018-2939 Released: Fri Dec 14 13:59:54 2018 Summary: Recommended update for libcdio Severity: moderate References: 1108134 Description: This update for libcdio fixes the following issues: - Remove API/ABI breaking changes from libcdio patch (bsc#1108134). ----------------------------------------- Patch: SUSE-2018-2961 Released: Mon Dec 17 19:51:40 2018 Summary: Recommended update for psmisc Severity: moderate References: 1098697,1112780 Description: This update for psmisc provides the following fix: - Make the fuser option -m work even with mountinfo. (bsc#1098697) - Support also btrFS entries in mountinfo, that is use stat(2) to determine the device of the mounted subvolume (bsc#1098697, bsc#1112780) ----------------------------------------- Patch: SUSE-2018-2970 Released: Mon Dec 17 19:53:42 2018 Summary: Recommended update for libmtp Severity: moderate References: 1110868 Description: This update for libmtp fixes the following issues: - Adjusted udev rules for new kernel versions (bsc#1110868) - Added lots of new USB ids - Some more small bug fixes ----------------------------------------- Patch: SUSE-2018-3024 Released: Fri Dec 21 11:23:50 2018 Summary: Security update for enigmail Severity: moderate References: 1118935 Description: This update for enigmail to version 2.0.9 fixes the following issues: Security issue fixed: - When using Web Key Discovery, a HTTP authentication may be triggered. This may trick users into possibly sending e-mail credentials (bsc#1118935). Non-security issues fixed: - pEp - PGP/MIME signed-only messages are ignored - Autocrypt overrules manually created Per-Recipient Rules - 'Re:' prefix on subject line disappears when editing encrypted, saved draft ----------------------------------------- Patch: SUSE-2018-3044 Released: Fri Dec 21 18:47:21 2018 Summary: Security update for MozillaFirefox, mozilla-nspr and mozilla-nss Severity: important References: 1097410,1106873,1119069,1119105,CVE-2018-0495,CVE-2018-12384,CVE-2018-12404,CVE-2018-12405,CVE-2018-17466,CVE-2018-18492,CVE-2018-18493,CVE-2018-18494,CVE-2018-18498 Description: This update for MozillaFirefox, mozilla-nss and mozilla-nspr fixes the following issues: Issues fixed in MozillaFirefox: - Update to Firefox ESR 60.4 (bsc#1119105) - CVE-2018-17466: Fixed a buffer overflow and out-of-bounds read in ANGLE library with TextureStorage11 - CVE-2018-18492: Fixed a use-after-free with select element - CVE-2018-18493: Fixed a buffer overflow in accelerated 2D canvas with Skia - CVE-2018-18494: Fixed a Same-origin policy violation using location attribute and performance.getEntries to steal cross-origin URLs - CVE-2018-18498: Fixed a integer overflow when calculating buffer sizes for images - CVE-2018-12405: Fixed a few memory safety bugs Issues fixed in mozilla-nss: - Update to NSS 3.40.1 (bsc#1119105) - CVE-2018-12404: Fixed a cache side-channel variant of the Bleichenbacher attack (bsc#1119069) - CVE-2018-12384: Fixed an issue in the SSL handshake. NSS responded to an SSLv2-compatible ClientHello with a ServerHello that had an all-zero random. (bsc#1106873) - CVE-2018-0495: Fixed a memory-cache side-channel attack with ECDSA signatures (bsc#1097410) - Fixed a decryption failure during FFDHE key exchange - Various security fixes in the ASN.1 code Issues fixed in mozilla-nspr: - Update mozilla-nspr to 4.20 (bsc#1119105) ----------------------------------------- Patch: SUSE-2018-3064 Released: Fri Dec 28 18:39:08 2018 Summary: Security update for containerd, docker and go Severity: important References: 1047218,1074971,1080978,1081495,1084533,1086185,1094680,1095817,1098017,1102522,1104821,1105000,1108038,1113313,1113978,1114209,1118897,1118898,1118899,1119634,1119706,CVE-2018-16873,CVE-2018-16874,CVE-2018-16875,CVE-2018-7187 Description: This update for containerd, docker and go fixes the following issues: containerd and docker: - Add backport for building containerd (bsc#1102522, bsc#1113313) - Upgrade to containerd v1.1.2, which is required for Docker v18.06.1-ce. (bsc#1102522) - Enable seccomp support on SLE12 (fate#325877) - Update to containerd v1.1.1, which is the required version for the Docker v18.06.0-ce upgrade. (bsc#1102522) - Put containerd under the podruntime slice (bsc#1086185) - 3rd party registries used the default Docker certificate (bsc#1084533) - Handle build breakage due to missing 'export GOPATH' (caused by resolution of boo#1119634). I believe Docker is one of the only packages with this problem. go: - golang: arbitrary command execution via VCS path (bsc#1081495, CVE-2018-7187) - Make profile.d/go.sh no longer set GOROOT=, in order to make switching between versions no longer break. This ends up removing the need for go.sh entirely (because GOPATH is also set automatically) (boo#1119634) - Fix a regression that broke go get for import path patterns containing '...' (bsc#1119706) Additionally, the package go1.10 has been added. ----------------------------------------- Patch: SUSE-2018-3066 Released: Fri Dec 28 18:39:32 2018 Summary: Security update for wireshark Severity: moderate References: 1117740,CVE-2018-19622,CVE-2018-19623,CVE-2018-19624,CVE-2018-19625,CVE-2018-19626,CVE-2018-19627 Description: This update for wireshark fixes the following issues: Update to Wireshark 2.4.11 (bsc#1117740). Security issues fixed: - CVE-2018-19625: The Wireshark dissection engine could crash (wnpa-sec-2018-51) - CVE-2018-19626: The DCOM dissector could crash (wnpa-sec-2018-52) - CVE-2018-19623: The LBMPDM dissector could crash (wnpa-sec-2018-53) - CVE-2018-19622: The MMSE dissector could go into an infinite loop (wnpa-sec-2018-54) - CVE-2018-19627: The IxVeriWave file parser could crash (wnpa-sec-2018-55) - CVE-2018-19624: The PVFS dissector could crash (wnpa-sec-2018-56) Further bug fixes and updated protocol support as listed in: - https://www.wireshark.org/docs/relnotes/wireshark-2.4.11.html ----------------------------------------- Patch: SUSE-2019-5 Released: Wed Jan 2 13:54:39 2019 Summary: Security update for libraw Severity: moderate References: 1097975,1103200,1103206,CVE-2018-5804,CVE-2018-5813,CVE-2018-5815,CVE-2018-5816 Description: This update for libraw fixes the following issues: Security issues fixed: The following security vulnerabilities were addressed: - CVE-2018-5813: Fixed an error within the 'parse_minolta()' function (dcraw/dcraw.c) that could be exploited to trigger an infinite loop via a specially crafted file. This could be exploited to cause a DoS.(boo#1103200). - CVE-2018-5815: Fixed an integer overflow in the internal/dcraw_common.cpp:parse_qt() function, that could be exploited to cause an infinite loop via a specially crafted Apple QuickTime file. (boo#1103206) - CVE-2018-5804,CVE-2018-5816: Fixed a type confusion error in the identify function (bsc#1097975) ----------------------------------------- Patch: SUSE-2019-6 Released: Wed Jan 2 20:25:25 2019 Summary: Recommended update for gcc7 Severity: moderate References: 1099119,1099192 Description: GCC 7 was updated to the GCC 7.4 release. - Fix AVR configuration to not use __cxa_atexit or libstdc++ headers. Point to /usr/avr/sys-root/include as system header include directory. - Includes fix for build with ISL 0.20. - Pulls fix for libcpp lexing bug on ppc64le manifesting during build with gcc8. [bsc#1099119] - Pulls fix for forcing compile-time tuning even when building with -march=z13 on s390x. [bsc#1099192] - Fixes support for 32bit ASAN with glibc 2.27+ ----------------------------------------- Patch: SUSE-2019-9 Released: Wed Jan 2 20:26:17 2019 Summary: Recommended update for mirror Severity: moderate References: 1117110 Description: This update for mirror provides the following fix: - Check if a directory must be removed. In case all the previous content of a directory is removed, but new content for the directory was downloaded, do not remove it. (bsc#1117110) ----------------------------------------- Patch: SUSE-2019-32 Released: Tue Jan 8 13:03:20 2019 Summary: Recommended update for librdkafka Severity: moderate References: 1119963 Description: This update ships librdkafka 0.11.6 to SUSE Linux Enterprise Server 15. librdkafka is a C library implementation of the Apache Kafka protocol, containing both Producer and Consumer support. ----------------------------------------- Patch: SUSE-2019-44 Released: Tue Jan 8 13:07:32 2019 Summary: Recommended update for acl Severity: low References: 953659 Description: This update for acl fixes the following issues: - test: Add helper library to fake passwd/group files. - quote: Escape literal backslashes. (bsc#953659) ----------------------------------------- Patch: SUSE-2019-48 Released: Wed Jan 9 17:24:55 2019 Summary: Security update for helm-mirror Severity: moderate References: 1116182,1118897,1118898,1118899,1120762,CVE-2018-16873,CVE-2018-16874,CVE-2018-16875 Description: This update for helm-mirror to version 0.2.1 fixes the following issues: Security issues fixed: - CVE-2018-16873: Fixed a remote command execution (bsc#1118897) - CVE-2018-16874: Fixed a directory traversal in 'go get' via curly braces in import path (bsc#1118898) - CVE-2018-16875: Fixed a CPU denial of service (bsc#1118899) Non-security issue fixed: - Update to v0.2.1 (bsc#1120762) - Include helm-mirror into the containers module (bsc#1116182) ----------------------------------------- Patch: SUSE-2019-58 Released: Thu Jan 10 16:03:31 2019 Summary: Security update for java-1_8_0-openjdk Severity: important References: 1112142,1112143,1112144,1112146,1112147,1112148,1112152,1112153,CVE-2018-13785,CVE-2018-16435,CVE-2018-3136,CVE-2018-3139,CVE-2018-3149,CVE-2018-3169,CVE-2018-3180,CVE-2018-3183,CVE-2018-3214 Description: This update for java-1_8_0-openjdk to version 8u191 fixes the following issues: Security issues fixed: - CVE-2018-3136: Manifest better support (bsc#1112142) - CVE-2018-3139: Better HTTP Redirection (bsc#1112143) - CVE-2018-3149: Enhance JNDI lookups (bsc#1112144) - CVE-2018-3169: Improve field accesses (bsc#1112146) - CVE-2018-3180: Improve TLS connections stability (bsc#1112147) - CVE-2018-3214: Better RIFF reading support (bsc#1112152) - CVE-2018-13785: Upgrade JDK 8u to libpng 1.6.35 (bsc#1112153) - CVE-2018-3183: Improve script engine support (bsc#1112148) - CVE-2018-16435: heap-based buffer overflow in SetData function in cmsIT8LoadFromFile ----------------------------------------- Patch: SUSE-2019-75 Released: Fri Jan 11 13:29:22 2019 Summary: Recommended update for azure-li-services, python-Cerberus Severity: moderate References: 1103542,1119702 Description: This update for azure-li-services, python-Cerberus fixes the following issues: azure-li-services and its dependency python-Cerberus were added to the Public Cloud Module. (fate#326575 bsc#1103542) 'azure-li-services' is a package providing services to setup a system suitable to run SAP workloads on it. ----------------------------------------- Patch: SUSE-2019-76 Released: Fri Jan 11 13:46:45 2019 Summary: Recommended update for lifecycle-data-sle-module-live-patching Severity: moderate References: 1020320 Description: This update for lifecycle-data-sle-module-live-patching adds lifecycle data for following live patches: - 4_12_14-23, 4_12_14-25_13, 4_12_14-25_16, 4_12_14-25_19, 4_12_14-25_22, 4_12_14-25_25, 4_12_14-25_3, 4_12_14-25_6. (bsc#1020320) ----------------------------------------- Patch: SUSE-2019-82 Released: Fri Jan 11 17:16:48 2019 Summary: Recommended update for suse-build-key Severity: moderate References: 1044232 Description: This update for suse-build-key fixes the following issues: - Include the SUSE PTF GPG key in the key directory to avoid it being stripped via %doc stripping in CAASP. (bsc#1044232) ----------------------------------------- Patch: SUSE-2019-89 Released: Tue Jan 15 13:15:33 2019 Summary: Recommended update for python3-susepubliccloudinfo Severity: moderate References: 1121150,1121151 Description: This update for python3-susepubliccloudinfo fixes the following issues: Update to version 1.1.0 (bsc#1121151, bsc#1121150) + Support new inactive state + Remove awscvsgen and associated subpackage ----------------------------------------- Patch: SUSE-2019-90 Released: Tue Jan 15 13:15:42 2019 Summary: Recommended update for regionServiceClientConfigEC2 Severity: moderate References: 1121114 Description: This update for regionServiceClientConfigEC2 2.1.0 fixes the following issues: Add the SUSE server IP 34.197.223.242 to the configuration. (bsc#1121114) ----------------------------------------- Patch: SUSE-2019-93 Released: Tue Jan 15 14:48:33 2019 Summary: Security update for wget Severity: important References: 1120382,CVE-2018-20483 Description: This update for wget fixes the following issues: Security issue fixed: - CVE-2018-20483: Fixed an information disclosure through file metadata (bsc#1120382) ----------------------------------------- Patch: SUSE-2019-97 Released: Tue Jan 15 18:01:38 2019 Summary: Recommended update for rpmlint Severity: moderate References: 1015141,1076467,1089114,1089340,1095769,1097339,1102836,1104110,1108037,1109938,1111254,1116686,1116758,1119975 Description: This update for rpmlint fixes the following issues: - Update rpmlint-checks to version master (bsc#1116686) - whitelist boltd dbus service (bsc#1119975) - whitelist pam_slurm_adopt (bsc#1116758) - Add user/group 'slurm' for package slurm (FATE#316379) - whitelist keepalived dbus service (bsc#1015141) - remove openswan whitelisting (bsc#1089340) - whitelist systemd-timesyncd (bsc#1111254) - whitelist NetworkManager-fortisslvpn (bsc#1109938) - whitelist iwd D-Bus service (bsc#1108037) - whitelist xpra D-Bus service (bsc#1102836) - adjust maximum valid suse_version to 1550 (bsc#1104110) - whitelist ratbagd D-Bus service (bsc#1076467) - whitelist pam_oath PAM module after audit (bsc#1089114) - Update rpmlint-checks to version master (bsc#1097339) - whitelisting NetworkManager-libreswan plugin (bsc#1089340) - add Lua/NodeJS related groups to list of valid groups (bsc#1095769) ----------------------------------------- Patch: SUSE-2019-102 Released: Tue Jan 15 18:02:58 2019 Summary: Recommended update for timezone Severity: moderate References: 1120402 Description: This update for timezone fixes the following issues: - Update 2018i: São Tomé and Príncipe switches from +01 to +00 on 2019-01-01. (bsc#1120402) - Update 2018h: Qyzylorda, Kazakhstan moved from +06 to +05 on 2018-12-21 New zone Asia/Qostanay because Qostanay, Kazakhstan didn't move Metlakatla, Alaska observes PST this winter only Guess Morocco will continue to adjust clocks around Ramadan Add predictions for Iran from 2038 through 2090 ----------------------------------------- Patch: SUSE-2019-110 Released: Thu Jan 17 14:17:05 2019 Summary: Security update for zeromq Severity: important References: 1121717,CVE-2019-6250 Description: This update for zeromq fixes the following issues: Security issue fixed: - CVE-2019-6250: fix a remote execution vulnerability due to pointer arithmetic overflow (bsc#1121717) ----------------------------------------- Patch: SUSE-2019-112 Released: Thu Jan 17 14:19:30 2019 Summary: Security update for soundtouch Severity: moderate References: 1108631,1108632,CVE-2018-17097,CVE-2018-17098 Description: This update for soundtouch fixes the following issues: Security issues fixed: - CVE-2018-17098: Fixed a heap corruption from size inconsistency, which allowed remote attackers to cause a denial of service or possibly have other unspecified impact (bsc#1108632) - CVE-2018-17097: Fixed a double free, which allowed remote attackers to cause a denial of service or possibly have other unspecified impact (bsc#1108631) ----------------------------------------- Patch: SUSE-2019-130 Released: Fri Jan 18 16:30:56 2019 Summary: Security update for wireshark Severity: moderate References: 1121232,1121233,1121234,1121235,CVE-2019-5717,CVE-2019-5718,CVE-2019-5719,CVE-2019-5721 Description: This update for wireshark to version 2.4.12 fixes the following issues: Security issues fixed: - CVE-2019-5717: Fixed a denial of service in the P_MUL dissector (bsc#1121232) - CVE-2019-5718: Fixed a denial of service in the RTSE dissector and other dissectors (bsc#1121233) - CVE-2019-5719: Fixed a denial of service in the ISAKMP dissector (bsc#1121234) - CVE-2019-5721: Fixed a denial of service in the ISAKMP dissector (bsc#1121235) ----------------------------------------- Patch: SUSE-2019-133 Released: Mon Jan 21 09:35:52 2019 Summary: Security update for libraw Severity: moderate References: 1120498,1120499,1120500,1120515,1120516,1120517,1120519,CVE-2018-20337,CVE-2018-20363,CVE-2018-20364,CVE-2018-20365,CVE-2018-5817,CVE-2018-5818,CVE-2018-5819 Description: This update for libraw fixes the following issues: Security issues fixed: - CVE-2018-20337: Fixed a stack-based buffer overflow in the parse_makernote function of dcraw_common.cpp (bsc#1120519) - CVE-2018-20365: Fixed a heap-based buffer overflow in the raw2image function of libraw_cxx.cpp (bsc#1120500) - CVE-2018-20364: Fixed a NULL pointer dereference in the copy_bayer function of libraw_cxx.cpp (bsc#1120499) - CVE-2018-20363: Fixed a NULL pointer dereference in the raw2image function of libraw_cxx.cpp (bsc#1120498) - CVE-2018-5817: Fixed an infinite loop in the unpacked_load_raw function of dcraw_common.cpp (bsc#1120515) - CVE-2018-5818: Fixed an infinite loop in the parse_rollei function of dcraw_common.cpp (bsc#1120516) - CVE-2018-5819: Fixed a denial of service in the parse_sinar_ia function of dcraw_common.cpp (bsc#1120517) ----------------------------------------- Patch: SUSE-2019-145 Released: Wed Jan 23 15:55:42 2019 Summary: Security update for ghostscript Severity: important References: 1122319,CVE-2019-6116 Description: This update for ghostscript version 9.26a fixes the following issues: Security issue fixed: - CVE-2019-6116: subroutines within pseudo-operators must themselves be pseudo-operators (bsc#1122319) ----------------------------------------- Patch: SUSE-2019-155 Released: Thu Jan 24 13:50:25 2019 Summary: Recommended update for csync Severity: moderate References: 1113889 Description: This update for csync fixes the following issues: - Fix a compile error on Leap 15.1 (bsc#1113889) ----------------------------------------- Patch: SUSE-2019-201 Released: Tue Jan 29 20:19:32 2019 Summary: Recommended update for google-compute-engine Severity: moderate References: 1119029,1119110,1122172 Description: This update for google-compute-engine provides the following fixes: - Fixes from version 20181206 (bsc#1119029, bsc#1119110): + Google Compute Engine * Support enabling OS Login two factor authentication. * Improve accounts support for FreeBSD. + Google Compute Engine OS Login * Support OS Login two factor authentication (Alpha). * Improve SELinux support. - Fixes from version 20181023: + Google Compute Engine * Fix: Update sudoer group membership without overriding local groups. - Fixes from version 20181018: + Google Compute Engine * Fix: Remove users from sudoers group on account removal. - Fixes from version 20181011: + Google Compute Engine * Revert: Remove users from sudoers group on account removal. - Fixes from version 20181008: + Google Compute Engine * Remove users from sudoers group on account removal. * Remove gsutil dependency for metadata scripts. - Fixes from version 20180905: + Google Compute Engine * Remove ntp package dependency. * Support Debian 10 Buster. * Restart the network daemon if networking is restarted. * Prevent setup of the default ethernet interface. * Accounts daemon verifies username is 32 characters or less. + Google Compute Engine OS Login * Add user name validation to pam modules. * Return false on failed final load. * Support FreeBSD. * Support Debian 10 Buster. - Fixes from version 20180611: + Google Compute Engine * Prevent IP forwarding daemon log spam. * Make default shell configurable when executing metadata scripts. * Rename distro directory to distro_lib. ----------------------------------------- Patch: SUSE-2019-207 Released: Tue Jan 29 20:20:24 2019 Summary: Recommended update for container-suseconnect Severity: moderate References: 1119496 Description: This update for container-suseconnect fixes the following issues: container-suseconnect was updated to 2.0.0 (bsc#1119496): - Added command line interface - Added `ADDITIONAL_MODULES` capability to enable further extension modules during image build and run - Added documentation about how to build docker images on non SLE distributions - Improve documentation to clarify how container-suseconnect works in a Dockerfile - Improve error handling on non SLE hosts - Fix bug which makes container-suseconnect work on SLE15 based distributions ----------------------------------------- Patch: SUSE-2019-221 Released: Fri Feb 1 15:20:56 2019 Summary: Security update for java-11-openjdk Severity: important References: 1120431,1122293,1122299,CVE-2018-11212,CVE-2019-2422,CVE-2019-2426 Description: This update for java-11-openjdk to version 11.0.2+7 fixes the following issues: Security issues fixed: - CVE-2019-2422: Better FileChannel transfer performance (bsc#1122293) - CVE-2019-2426: Improve web server connections - CVE-2018-11212: Improve JPEG processing (bsc#1122299) - Better route routing - Better interface enumeration - Better interface lists - Improve BigDecimal support - Improve robot support - Better icon support - Choose printer defaults - Proper allocation handling - Initial class initialization - More reliable p11 transactions - Improve NIO stability - Better loading of classloader classes - Strengthen Windows Access Bridge Support - Improved data set handling - Improved LSA authentication - Libsunmscapi improved interactions Non-security issues fix: - Do not resolve by default the added JavaEE modules (bsc#1120431) - ~2.5% regression on compression benchmark starting with 12-b11 - java.net.http.HttpClient hangs on 204 reply without Content-length 0 - Add additional TeliaSonera root certificate - Add more ld preloading related info to hs_error file on Linux - Add test to exercise server-side client hello processing - AES encrypt performance regression in jdk11b11 - AIX: ProcessBuilder: Piping between created processes does not work. - AIX: Some class library files are missing the Classpath exception - AppCDS crashes for some uses with JRuby - Automate vtable/itable stub size calculation - BarrierSetC1::generate_referent_check() confuses register allocator - Better HTTP Redirection - Catastrophic size_t underflow in BitMap::*_large methods - Clip.isRunning() may return true after Clip.stop() was called - Compiler thread creation should be bounded by available space in memory and Code Cache - com.sun.net.httpserver.HttpServer returns Content-length header for 204 response code - Default mask register for avx512 instructions - Delayed starting of debugging via jcmd - Disable all DES cipher suites - Disable anon and NULL cipher suites - Disable unsupported GCs for Zero - Epsilon alignment adjustments can overflow max TLAB size - Epsilon elastic TLAB sizing may cause misalignment - HotSpot update for vm_version.cpp to recognise updated VS2017 - HttpClient does not retrieve files with large sizes over HTTP/1.1 - IIOException 'tEXt chunk length is not proper' on opening png file - Improve TLS connection stability again - InitialDirContext ctor sometimes throws NPE if the server has sent a disconnection - Inspect stack during error reporting - Instead of circle rendered in appl window, but ellipse is produced JEditor Pane - Introduce diagnostic flag to abort VM on failed JIT compilation - Invalid assert(HeapBaseMinAddress > 0) in ReservedHeapSpace::initialize_compressed_heap - jar has issues with UNC-path arguments for the jar -C parameter [windows] - java.net.http HTTP client should allow specifying Origin and Referer headers - java.nio.file.Files.writeString writes garbled UTF-16 instead of UTF-8 - JDK 11.0.1 l10n resource file update - JDWP Transport Listener: dt_socket thread crash - JVMTI ResourceExhausted should not be posted in CompilerThread - LDAPS communication failure with jdk 1.8.0_181 - linux: Poor StrictMath performance due to non-optimized compilation - Missing synchronization when reading counters for live threads and peak thread count - NPE in SupportedGroupsExtension - OpenDataException thrown when constructing CompositeData for StackTraceElement - Parent class loader may not have a referred ClassLoaderData instance when obtained in Klass::class_in_module_of_loader - Populate handlers while holding streamHandlerLock - ppc64: Enable POWER9 CPU detection - print_location is not reliable enough (printing register info) - Reconsider default option for ClassPathURLCheck change done in JDK-8195874 - Register to register spill may use AVX 512 move instruction on unsupported platform. - s390: Use of shift operators not covered by cpp standard - serviceability/sa/TestUniverse.java#id0 intermittently fails with assert(get_instanceKlass()->is_loaded()) failed: must be at least loaded - SIGBUS in CodeHeapState::print_names() - SIGSEGV in MethodArityHistogram() with -XX:+CountCompiledCalls - Soft reference reclamation race in com.sun.xml.internal.stream.util.ThreadLocalBufferAllocator - Swing apps are slow if displaying from a remote source to many local displays - switch jtreg to 4.2b13 - Test library OSInfo.getSolarisVersion cannot determine Solaris version - TestOptionsWithRanges.java is very slow - TestOptionsWithRanges.java of '-XX:TLABSize=2147483648' fails intermittently - The Japanese message of FileNotFoundException garbled - The 'supported_groups' extension in ServerHellos - ThreadInfoCompositeData.toCompositeData fails to map ThreadInfo to CompositeData - TimeZone.getDisplayName given Locale.US doesn't always honor the Locale. - TLS 1.2 Support algorithm in SunPKCS11 provider - TLS 1.3 handshake server name indication is missing on a session resume - TLS 1.3 server fails if ClientHello doesn't have pre_shared_key and psk_key_exchange_modes - TLS 1.3 interop problems with OpenSSL 1.1.1 when used on the client side with mutual auth - tz: Upgrade time-zone data to tzdata2018g - Undefined behaviour in ADLC - Update avx512 implementation - URLStreamHandler initialization race - UseCompressedOops requirement check fails fails on 32-bit system - windows: Update OS detection code to recognize Windows Server 2019 - x86: assert on unbound assembler Labels used as branch targets - x86: jck tests for ldc2_w bytecode fail - x86: sharedRuntimeTrig/sharedRuntimeTrans compiled without optimization - '-XX:OnOutOfMemoryError' uses fork instead of vfork ----------------------------------------- Patch: SUSE-2019-225 Released: Mon Feb 4 13:36:52 2019 Summary: Recommended update for hmaccalc Severity: moderate References: 1122491 Description: This update for hmaccalc fixes the following issues: - require libfreebl3-hmac and libsoftokn3-hmac during building (bsc#1122491) ----------------------------------------- Patch: SUSE-2019-247 Released: Wed Feb 6 07:18:45 2019 Summary: Security update for lua53 Severity: moderate References: 1123043,CVE-2019-6706 Description: This update for lua53 fixes the following issues: Security issue fixed: - CVE-2019-6706: Fixed a use-after-free bug in the lua_upvaluejoin function of lapi.c (bsc#1123043) ----------------------------------------- Patch: SUSE-2019-259 Released: Wed Feb 6 11:26:09 2019 Summary: Recommended update for man-pages-posix Severity: low References: 1116987 Description: This update for man-pages-posix fixes the following issues: - Supplements the package 'man' in order to install some missing man pages. (bnc#1116987) ----------------------------------------- Patch: SUSE-2019-270 Released: Wed Feb 6 15:43:23 2019 Summary: Recommended update for mariadb-connector-c Severity: important References: 1097938,1116686 Description: This update for mariadb-connector-c fixes the following issues: - Update to version 3.0.7 (bsc#1116686) - Fixed installation issue where libmysqlclient.so.18 link was missing (bsc#1097938). ----------------------------------------- Patch: SUSE-2019-276 Released: Wed Feb 6 19:12:35 2019 Summary: Recommended update for rollback-helper Severity: moderate References: 1108618,1113048,1115555 Description: This update for rollback-helper fixes the following issues: - Added handling for separate /var subvolumes (bsc#1115555) - Run before any other services calling zypper (bsc#1113048) - Retry network connection if it doesn't work yet (bsc#1108618) ----------------------------------------- Patch: SUSE-2019-286 Released: Thu Feb 7 13:45:27 2019 Summary: Security update for docker Severity: moderate References: 1001161,1112980,1115464,1118897,1118898,1118899,1118990,1121412,CVE-2018-16873,CVE-2018-16874,CVE-2018-16875 Description: This update for containerd, docker, docker-runc and golang-github-docker-libnetwork fixes the following issues: Security issues fixed for containerd, docker, docker-runc and golang-github-docker-libnetwork: - CVE-2018-16873: cmd/go: remote command execution during 'go get -u' (bsc#1118897) - CVE-2018-16874: cmd/go: directory traversal in 'go get' via curly braces in import paths (bsc#1118898) - CVE-2018-16875: crypto/x509: CPU denial of service (bsc#1118899) Non-security issues fixed for docker: - Disable leap based builds for kubic flavor (bsc#1121412) - Allow users to explicitly specify the NIS domainname of a container (bsc#1001161) - Update docker.service to match upstream and avoid rlimit problems (bsc#1112980) - Allow docker images larger then 23GB (bsc#1118990) - Docker version update to version 18.09.0-ce (bsc#1115464) ----------------------------------------- Patch: SUSE-2019-317 Released: Mon Feb 11 16:08:23 2019 Summary: Recommended update for sendmail Severity: moderate References: 1116675 Description: This update for sendmail addresses the following issues: - Fixes an issue with symlink creation on package installation. In order for the wrong symlink to be removed, the service needs to be disabled and re-enabled. (bsc#1116675) ----------------------------------------- Patch: SUSE-2019-362 Released: Wed Feb 13 13:31:56 2019 Summary: Security update for docker-runc Severity: important References: 1121967,CVE-2019-5736 Description: This update for docker-runc fixes the following issues: Security issue fixed: - CVE-2019-5736: Effectively copying /proc/self/exe during re-exec to avoid write attacks to the host runc binary, which could lead to a container breakout (bsc#1121967) ----------------------------------------- Patch: SUSE-2019-364 Released: Wed Feb 13 14:00:08 2019 Summary: Recommended update for ipset Severity: moderate References: 1122853 Description: This update for ipset fixes the following issues: - Fixed parsing service names for ports. Parsing is attempted both for numbers and service names and the temporary stored error message triggered to reset the state parameters about the set [bsc#1122853] ----------------------------------------- Patch: SUSE-2019-366 Released: Wed Feb 13 14:00:29 2019 Summary: Recommended update for wireless-regdb Severity: moderate References: 1121466 Description: This update for wireless-regdb provides the following fixes: - Changes in version 2018.10.24 (bsc#1121466): * Remove dependency to python attr. * Sync DE with ETSI EN 301 893 V2.1.1. * Sync FR with ETSI EN 301 893 V2.1.1. - Changes in version 2018.09.07: * Update source of info for CU and ES. * Update regulatory rules for Switzerland (CH), and Liechtenstein. * Update regulatory rules for Finland (FI) on 5GHz (SRD devices). * Update rules for Hungary (HU) on 2.4/5/60G, 5725-5875MHz. ----------------------------------------- Patch: SUSE-2019-371 Released: Wed Feb 13 14:02:17 2019 Summary: Recommended update for ypbind Severity: moderate References: 1114640 Description: This update for ypbind fixes the following issues: - Fixes crash on reload. (bsc#1114640) - Enhanced yp.conf manual page ----------------------------------------- Patch: SUSE-2019-374 Released: Wed Feb 13 14:03:02 2019 Summary: Recommended update for xrdb Severity: moderate References: 1120004 Description: This update for xrdb fixes the following issues: - Now no warnings will be shown when parsing valid comments. (bsc#1120004) ----------------------------------------- Patch: SUSE-2019-443 Released: Tue Feb 19 18:53:19 2019 Summary: Recommended update for google-compute-engine Severity: moderate References: 1123671,1123672 Description: This update for google-compute-engine fixes the following issues: Google Compute Engine was updated to version 20190124 (bsc#1123671, bsc#1123672) * Fix metadata script retrieval to support Python 3. ----------------------------------------- Patch: SUSE-2019-464 Released: Fri Feb 22 09:43:52 2019 Summary: Recommended update for xkeyboard-config Severity: moderate References: 1123784 Description: This update for xkeyboard-config fixes the following issues: - Fixes missing mappings for evdev keys KEY_RFKILL and KEY_WWAN. (bsc#1123784) ----------------------------------------- Patch: SUSE-2019-487 Released: Mon Feb 25 17:42:01 2019 Summary: Recommended update for cloud-regionsrv-client Severity: moderate References: 1029162,1114985,1120980 Description: This update for cloud-regionsrv-client fixes the following issues: Updated to version 8.1.3 + Fix file permissions for generated credentials rw root only + Generate instance data as string as expected by zypper plugin handling + Write the proper credentials file when switching back to RIS service + Support registration against RMT + Implement URL resolver to facilitate instance verification for zypper access + Fixes related to bsc#1120980 also need server side support + IPv6 support + Fix handling of older cached SMT objects loaded from cached file ----------------------------------------- Patch: SUSE-2019-495 Released: Tue Feb 26 16:42:35 2019 Summary: Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork, runc Severity: important References: 1048046,1051429,1114832,1118897,1118898,1118899,1121967,1124308,CVE-2018-16873,CVE-2018-16874,CVE-2018-16875,CVE-2019-5736 Description: This update for containerd, docker, docker-runc, golang-github-docker-libnetwork, runc fixes the following issues: Security issues fixed: - CVE-2018-16875: Fixed a CPU Denial of Service (bsc#1118899). - CVE-2018-16874: Fixed a vulnerabity in go get command which could allow directory traversal in GOPATH mode (bsc#1118898). - CVE-2018-16873: Fixed a vulnerability in go get command which could allow remote code execution when executed with -u in GOPATH mode (bsc#1118897). - CVE-2019-5736: Effectively copying /proc/self/exe during re-exec to avoid write attacks to the host runc binary, which could lead to a container breakout (bsc#1121967). Other changes and fixes: - Update shell completion to use Group: System/Shells. - Add daemon.json file with rotation logs configuration (bsc#1114832) - Update to Docker 18.09.1-ce (bsc#1124308) and to to runc 96ec2177ae84. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. - Update go requirements to >= go1.10 - Use -buildmode=pie for tests and binary build (bsc#1048046 and bsc#1051429). - Remove the usage of 'cp -r' to reduce noise in the build logs. ----------------------------------------- Patch: SUSE-2019-500 Released: Tue Feb 26 19:11:26 2019 Summary: Recommended update for lifecycle-data-sle-module-live-patching Severity: moderate References: 1020320,1126443 Description: This update for lifecycle-data-sle-module-live-patching fixes the following issues: - Fixed package names in the data file. (bsc#1126443) - Added data for 4_12_14-25_28. (bsc#1020320) ----------------------------------------- Patch: SUSE-2019-529 Released: Fri Mar 1 13:46:51 2019 Summary: Recommended update for cloud-netconfig Severity: moderate References: 1112822,1118783,1122013,1123008 Description: This update for cloud-netconfig provides the following fixes: - Run cloud-netconfig periodically. (bsc#1118783, bsc#1122013) - Do not treat eth0 special with regard to routing policies. (bsc#1123008) - Reduce the timeout on metadata read. (bsc#1112822) ----------------------------------------- Patch: SUSE-2019-533 Released: Fri Mar 1 13:47:40 2019 Summary: Recommended update for mirror Severity: low References: 1123661 Description: This update for mirror provides the following fix: - Remove a warning that dump() will no longer be available in Perl 5.30. (bsc#1123661) ----------------------------------------- Patch: SUSE-2019-550 Released: Tue Mar 5 14:46:46 2019 Summary: Recommended update for sapconf Severity: moderate References: 1111243,1122741 Description: This update for sapconf fixes the following issues: - Source /etc/sysconfig/sapconf entries correctly, even if the /etc filesystem is read-only. (bsc#1122741) - log skipping of existing /etc/systemd/logind.conf.d/sap.conf file during package installation. (bsc#1111243) ----------------------------------------- Patch: SUSE-2019-567 Released: Thu Mar 7 17:49:00 2019 Summary: Recommended update for arpwatch Severity: moderate References: 1119851 Description: This update for arpwatch provides the following fix: - Prevent a memory leak in gethname. (bsc#1119851) ----------------------------------------- Patch: SUSE-2019-571 Released: Thu Mar 7 18:13:46 2019 Summary: Security update for file Severity: moderate References: 1096974,1096984,1126117,1126118,1126119,CVE-2018-10360,CVE-2019-8905,CVE-2019-8906,CVE-2019-8907 Description: This update for file fixes the following issues: The following security vulnerabilities were addressed: - CVE-2018-10360: Fixed an out-of-bounds read in the function do_core_note in readelf.c, which allowed remote attackers to cause a denial of service (application crash) via a crafted ELF file (bsc#1096974) - CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c (bsc#1126118) - CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf. c (bsc#1126119) - CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c (bsc#1126117) ----------------------------------------- Patch: SUSE-2019-574 Released: Fri Mar 8 15:22:51 2019 Summary: Security update for java-1_8_0-openjdk Severity: important References: 1122293,1122299,CVE-2018-11212,CVE-2019-2422 Description: This update for java-1_8_0-openjdk to version jdk8u201 (icedtea 3.11.0) fixes the following issues: Security issues fixed: - CVE-2019-2422: Fixed a memory disclosure in FileChannelImpl (bsc#1122293). - CVE-2018-11212: Fixed an issue in alloc_sarray function in jmemmgr.c (bsc#1122299). Complete list of changes: https://mail.openjdk.java.net/pipermail/distro-pkg-dev/2019-March/041223.html ----------------------------------------- Patch: SUSE-2019-585 Released: Tue Mar 12 12:59:09 2019 Summary: Security update for java-1_8_0-ibm Severity: important References: 1122292,1122293,1122299,1128158,CVE-2018-11212,CVE-2018-1890,CVE-2019-2422,CVE-2019-2449 Description: This update for java-1_8_0-ibm to version 8.0.5.30 fixes the following issues: Security issues fixed: - CVE-2019-2422: Fixed a memory disclosure in FileChannelImpl (bsc#1122293). - CVE-2018-11212: Fixed an issue in alloc_sarray function in jmemmgr.c (bsc#1122299). - CVE-2018-1890: Fixed a local privilege escalation via RPATHs (bsc#1128158). - CVE-2019-2449: Fixed a vulnerabilit which could allow remote atackers to delete arbitrary files (bsc#1122292). More information: https://www-01.ibm.com/support/docview.wss?uid=ibm10873332 ----------------------------------------- Patch: SUSE-2019-600 Released: Tue Mar 12 18:40:17 2019 Summary: Security update for openssl-1_0_0 Severity: moderate References: 1117951,1127080,CVE-2019-1559 Description: This update for openssl-1_0_0 fixes the following issues: Security issues fixed: - The 9 Lives of Bleichenbacher's CAT: Cache Attacks on TLS Implementations (bsc#1117951) - CVE-2019-1559: Fixed OpenSSL 0-byte Record Padding Oracle which under certain circumstances a TLS server can be forced to respond differently to a client and lead to the decryption of the data (bsc#1127080). ----------------------------------------- Patch: SUSE-2019-605 Released: Wed Mar 13 12:40:48 2019 Summary: Recommended update for azure-li-services Severity: moderate References: 1127923,1127924 Description: This update for azure-li-services to version 1.1.27 provides the following: - Azure Large instances password reset and MAC based ifnames support (bsc#1127924) - Azure Very Large instances support for bonding (bsc#1127924) ----------------------------------------- Patch: SUSE-2019-608 Released: Wed Mar 13 15:21:02 2019 Summary: Recommended update for cups Severity: moderate References: 1118118 Description: This update for cups fixes the following issues: - Fixed validation of UTF-8 filenames to avoid crashes (bsc#1118118) ----------------------------------------- Patch: SUSE-2019-619 Released: Fri Mar 15 15:38:37 2019 Summary: Security update for wireshark Severity: moderate References: 1127367,1127369,1127370,CVE-2019-9208,CVE-2019-9209,CVE-2019-9214 Description: This update for wireshark to version 2.4.13 fixes the following issues: Security issues fixed: - CVE-2019-9214: Avoided a dereference of a null coversation which could make RPCAP dissector crash (bsc#1127367). - CVE-2019-9209: Fixed a buffer overflow in time values which could make ASN.1 BER and related dissectors crash (bsc#1127369). - CVE-2019-9208: Fixed a null pointer dereference which could make TCAP dissector crash (bsc#1127370). Release notes: https://www.wireshark.org/docs/relnotes/wireshark-2.4.13.html ----------------------------------------- Patch: SUSE-2019-637 Released: Tue Mar 19 09:26:52 2019 Summary: Security update for libssh2_org Severity: moderate References: 1128471,1128472,1128474,1128476,1128480,1128481,1128490,1128492,1128493,CVE-2019-3855,CVE-2019-3856,CVE-2019-3857,CVE-2019-3858,CVE-2019-3859,CVE-2019-3860,CVE-2019-3861,CVE-2019-3862,CVE-2019-3863 Description: This update for libssh2_org fixes the following issues: Security issues fixed: - CVE-2019-3861: Fixed Out-of-bounds reads with specially crafted SSH packets (bsc#1128490). - CVE-2019-3862: Fixed Out-of-bounds memory comparison with specially crafted message channel request packet (bsc#1128492). - CVE-2019-3860: Fixed Out-of-bounds reads with specially crafted SFTP packets (bsc#1128481). - CVE-2019-3863: Fixed an Integer overflow in user authenicate keyboard interactive which could allow out-of-bounds writes with specially crafted keyboard responses (bsc#1128493). - CVE-2019-3856: Fixed a potential Integer overflow in keyboard interactive handling which could allow out-of-bounds write with specially crafted payload (bsc#1128472). - CVE-2019-3859: Fixed Out-of-bounds reads with specially crafted payloads due to unchecked use of _libssh2_packet_require and _libssh2_packet_requirev (bsc#1128480). - CVE-2019-3855: Fixed a potential Integer overflow in transport read which could allow out-of-bounds write with specially crafted payload (bsc#1128471). - CVE-2019-3858: Fixed a potential zero-byte allocation which could lead to an out-of-bounds read with a specially crafted SFTP packet (bsc#1128476). - CVE-2019-3857: Fixed a potential Integer overflow which could lead to zero-byte allocation and out-of-bounds with specially crafted message channel request SSH packet (bsc#1128474). ----------------------------------------- Patch: SUSE-2019-654 Released: Wed Mar 20 10:29:13 2019 Summary: Security update for openwsman Severity: important References: 1092206,1122623,CVE-2019-3816,CVE-2019-3833 Description: This update for openwsman fixes the following issues: Security issues fixed: - CVE-2019-3816: Fixed a vulnerability in openwsmand deamon which could lead to arbitary file disclosure (bsc#1122623). - CVE-2019-3833: Fixed a vulnerability in process_connection() which could allow an attacker to trigger an infinite loop which leads to Denial of Service (bsc#1122623). Other issues addressed: - Added OpenSSL 1.1 compatibility - Compilation in debug mode fixed - Directory listing without authentication fixed (bsc#1092206). ----------------------------------------- Patch: SUSE-2019-665 Released: Wed Mar 20 14:54:29 2019 Summary: Recommended update for xf86-input-wacom Severity: low References: 1120405 Description: This update for xf86-input-wacom provides the following fix: - Re-added support for serial input devices. (bsc#1120405) ----------------------------------------- Patch: SUSE-2019-707 Released: Fri Mar 22 13:32:07 2019 Summary: Security update for unzip Severity: moderate References: 1110194,CVE-2018-18384 Description: This update for unzip fixes the following issues: - CVE-2018-18384: Fixed a buffer overflow when listing archives (bsc#1110194) ----------------------------------------- Patch: SUSE-2019-718 Released: Fri Mar 22 16:50:25 2019 Summary: Security update for ghostscript Severity: important References: 1129186,CVE-2019-3838 Description: This update for ghostscript fixes the following issue: Security issue fixed: - CVE-2019-3838: Fixed a vulnerability which made forceput operator in DefineResource to be still accessible which could allow access to file system outside of the constraints of -dSAFER (bsc#1129186). ----------------------------------------- Patch: SUSE-2019-720 Released: Fri Mar 22 16:53:55 2019 Summary: Security update for libgxps Severity: moderate References: 1092125,CVE-2018-10733 Description: This update for libgxps fixes the following issues: - CVE-2018-10733: Fixed a heap-based buffer over-read issue in ft_font_face_hash (bsc#1092125). ----------------------------------------- Patch: SUSE-2019-732 Released: Mon Mar 25 14:10:04 2019 Summary: Recommended update for aaa_base Severity: moderate References: 1088524,1118364,1128246 Description: This update for aaa_base fixes the following issues: - Restore old position of ssh/sudo source of profile (bsc#1118364). - Update logic for JRE_HOME env variable (bsc#1128246) ----------------------------------------- Patch: SUSE-2019-748 Released: Tue Mar 26 14:35:56 2019 Summary: Security update for libmspack Severity: moderate References: 1113038,1113039,CVE-2018-18584,CVE-2018-18585 Description: This update for libmspack fixes the following issues: Security issues fixed: - CVE-2018-18584: The CAB block input buffer was one byte too small for the maximal Quantum block, leading to an out-of-bounds write. (bsc#1113038) - CVE-2018-18585: chmd_read_headers accepted a filename that has '\0' as its first or second character (such as the '/\0' name). (bsc#1113039) - Fix off-by-one bounds check on CHM PMGI/PMGL chunk numbers and reject empty filenames. ----------------------------------------- Patch: SUSE-2019-772 Released: Wed Mar 27 10:37:12 2019 Summary: Security update for wavpack Severity: moderate References: 1120929,1120930,CVE-2018-19840,CVE-2018-19841 Description: This update for wavpack fixes the following issues: Security issues fixed: - CVE-2018-19840: Fixed a denial-of-service in the WavpackPackInit function from pack_utils.c (bsc#1120930) - CVE-2018-19841: Fixed a denial-of-service in the WavpackVerifySingleBlock function from open_utils.c (bsc#1120929) ----------------------------------------- Patch: SUSE-2019-777 Released: Wed Mar 27 12:23:34 2019 Summary: Security update for ntp Severity: moderate References: 1128525,CVE-2019-8936 Description: This update for ntp fixes the following issues: Security issue fixed: - CVE-2019-8936: Fixed a null pointer exception which could allow an authenticated attcker to cause segmentation fault to ntpd (bsc#1128525). Other issues addressed: - Fixed several bugs in the BANCOMM reclock driver. - Fixed ntp_loopfilter.c snprintf compilation warnings. - Fixed spurious initgroups() error message. - Fixed STA_NANO struct timex units. - Fixed GPS week rollover in libparse. - Fixed incorrect poll interval in packet. - Added a missing check for ENABLE_CMAC. ----------------------------------------- Patch: SUSE-2019-786 Released: Thu Mar 28 11:21:38 2019 Summary: Security update for tiff Severity: moderate References: 1108606,1115717,1121626,1125113,CVE-2018-17000,CVE-2018-19210,CVE-2019-6128,CVE-2019-7663 Description: This update for tiff fixes the following issues: Security issues fixed: - CVE-2018-19210: Fixed a NULL pointer dereference in TIFFWriteDirectorySec function (bsc#1115717). - CVE-2018-17000: Fixed a NULL pointer dereference in the _TIFFmemcmp function (bsc#1108606). - CVE-2019-6128: Fixed a memory leak in the TIFFFdOpen function in tif_unix.c (bsc#1121626). - CVE-2019-7663: Fixed an invalid address dereference in the TIFFWriteDirectoryTagTransfer function in libtiff/tif_dirwrite.c (bsc#1125113) ----------------------------------------- Patch: SUSE-2019-788 Released: Thu Mar 28 11:55:06 2019 Summary: Security update for sqlite3 Severity: moderate References: 1119687,CVE-2018-20346 Description: This update for sqlite3 to version 3.27.2 fixes the following issue: Security issue fixed: - CVE-2018-20346: Fixed a remote code execution vulnerability in FTS3 (Magellan) (bsc#1119687). Release notes: https://www.sqlite.org/releaselog/3_27_2.html ----------------------------------------- Patch: SUSE-2019-790 Released: Thu Mar 28 12:06:17 2019 Summary: Recommended update for timezone Severity: moderate References: 1130557 Description: This update for timezone fixes the following issues: timezone was updated 2019a: * Palestine 'springs forward' on 2019-03-30 instead of 2019-03-23 * Metlakatla 'fell back' to rejoin Alaska Time on 2019-01-20 at 02:00 * Israel observed DST in 1980 (08-02/09-13) and 1984 (05-05/08-25) * zic now has an -r option to limit the time range of output data ----------------------------------------- Patch: SUSE-2019-806 Released: Fri Mar 29 13:16:51 2019 Summary: Security update for sysstat Severity: low References: 1117001,1117260,CVE-2018-19416,CVE-2018-19517 Description: This update for sysstat fixes the following issues: Security issues fixed: - CVE-2018-19416: Fixed out-of-bounds read during a memmove call inside the remap_struct function (bsc#1117001). - CVE-2018-19517: Fixed out-of-bounds read during a memset call inside the remap_struct function (bsc#1117260). ----------------------------------------- Patch: SUSE-2019-855 Released: Wed Apr 3 11:49:58 2019 Summary: Security update for netpbm Severity: moderate References: 1086777,CVE-2018-8975 Description: This update for netpbm fixes the following issues: - CVE-2018-8975: The pm_mallocarray2 function allowed remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted image file (bsc#1086777). ----------------------------------------- Patch: SUSE-2019-861 Released: Wed Apr 3 16:09:41 2019 Summary: Security update for clamav Severity: important References: 1130721,CVE-2019-1787,CVE-2019-1788,CVE-2019-1789 Description: This update for clamav to version 0.100.3 fixes the following issues: Security issues fixed (bsc#1130721): - CVE-2019-1787: Fixed an out-of-bounds heap read condition which may occur when scanning PDF documents. - CVE-2019-1789: Fixed an out-of-bounds heap read condition which may occur when scanning PE files (i.e. Windows EXE and DLL files). - CVE-2019-1788: Fixed an out-of-bounds heap write condition which may occur when scanning OLE2 files such as Microsoft Office 97-2003 documents. ----------------------------------------- Patch: SUSE-2019-869 Released: Thu Apr 4 11:46:13 2019 Summary: Recommended update for mariadb-connector-c Severity: moderate References: 1126088 Description: This update for mariadb-connector-c fixes the following issues: - Bugfix: libmariadb.pc installed in seemingly wrong location (bsc#1126088) ----------------------------------------- Patch: SUSE-2019-887 Released: Fri Apr 5 07:55:32 2019 Summary: Recommended update for zypper-docker Severity: moderate References: 1018823,1022052,1097442,1098017 Description: This update for zypper-docker to version 2.0.0 contains the following changes: Features: * Allow inspection of stopped containers Using zypper-docker luc,lpc or pchkc on a stopped container is now possible. * Analyze container instead of base image by default Note: This is a backwards incompatible change. If the base image of a container needs to be analyzed, which was the former default a new --base flag can be used. e.g. zypper-docker pchkc --base Minor Improvements / Fixes: * Add short forms of commands to help section (bsc#1022052) * Fix bug that caused images not to be removed properly in some cases * Fix bug that caused lpc command to log to stdout * Fix bug that caused force flag not to work with zypper-docker images * Fix zypper-docker ps command * Fix bug with zypper-docker up/patch --no-recommends * Fix update behavior when getting a zypper update Other: * Update and use zypper exit codes (bsc#1018823) * Support recent version of the docker API ----------------------------------------- Patch: SUSE-2019-895 Released: Mon Apr 8 10:58:32 2019 Summary: Recommended update for speech-dispatcher Severity: moderate References: 1129586 Description: This update for speech-dispatcher fixes the following issues: - set includedir to fix the entries in the pkg-config file (bsc#1129586) ----------------------------------------- Patch: SUSE-2019-905 Released: Mon Apr 8 16:48:02 2019 Summary: Recommended update for gcc Severity: moderate References: 1096008 Description: This update for gcc fixes the following issues: - Fix gcc-PIE spec to properly honor -no-pie at link time. (bsc#1096008) ----------------------------------------- Patch: SUSE-2019-917 Released: Tue Apr 9 13:08:12 2019 Summary: Security update for SDL Severity: moderate References: 1124799,1124800,1124802,1124803,1124805,1124806,1124824,1124825,1124826,1124827,1125099,CVE-2019-7572,CVE-2019-7573,CVE-2019-7574,CVE-2019-7575,CVE-2019-7576,CVE-2019-7577,CVE-2019-7578,CVE-2019-7635,CVE-2019-7636,CVE-2019-7637,CVE-2019-7638 Description: This update for SDL fixes the following issues: Security issues fixed: - CVE-2019-7572: Fixed a buffer over-read in IMA_ADPCM_nibble in audio/SDL_wave.c.(bsc#1124806). - CVE-2019-7578: Fixed a heap-based buffer over-read in InitIMA_ADPCM in audio/SDL_wave.c (bsc#1125099). - CVE-2019-7576: Fixed heap-based buffer over-read in InitMS_ADPCM in audio/SDL_wave.c (bsc#1124799). - CVE-2019-7573: Fixed a heap-based buffer over-read in InitMS_ADPCM in audio/SDL_wave.c (bsc#1124805). - CVE-2019-7635: Fixed a heap-based buffer over-read in Blit1to4 in video/SDL_blit_1.c. (bsc#1124827). - CVE-2019-7636: Fixed a heap-based buffer over-read in SDL_GetRGB in video/SDL_pixels.c (bsc#1124826). - CVE-2019-7638: Fixed a heap-based buffer over-read in Map1toN in video/SDL_pixels.c (bsc#1124824). - CVE-2019-7574: Fixed a heap-based buffer over-read in IMA_ADPCM_decode in audio/SDL_wave.c (bsc#1124803). - CVE-2019-7575: Fixed a heap-based buffer overflow in MS_ADPCM_decode in audio/SDL_wave.c (bsc#1124802). - CVE-2019-7637: Fixed a heap-based buffer overflow in SDL_FillRect function in SDL_surface.c (bsc#1124825). - CVE-2019-7577: Fixed a buffer over read in SDL_LoadWAV_RW in audio/SDL_wave.c (bsc#1124800). ----------------------------------------- Patch: SUSE-2019-919 Released: Tue Apr 9 15:47:42 2019 Summary: Security update for blktrace Severity: low References: 1091942,CVE-2018-10689 Description: This update for blktrace fixes the following issues: - CVE-2018-10689: Prevent buffer overflow in the dev_map_read function because the device and devno arrays were too small (bsc#1091942) ----------------------------------------- Patch: SUSE-2019-920 Released: Tue Apr 9 16:52:38 2019 Summary: Security update for flac Severity: low References: 1091045,CVE-2017-6888 Description: This update for flac fixes the following issues: - CVE-2017-6888: An error in the 'read_metadata_vorbiscomment_()' function could be exploited to cause a memory leak via a specially crafted FLAC file (bsc#1091045). ----------------------------------------- Patch: SUSE-2019-925 Released: Wed Apr 10 16:32:50 2019 Summary: Security update for wget Severity: important References: 1131493,CVE-2019-5953 Description: This update for wget fixes the following issues: Security issue fixed: - CVE-2019-5953: Fixed a buffer overflow vulnerability which might cause code execution (bsc#1131493). ----------------------------------------- Patch: SUSE-2019-926 Released: Wed Apr 10 16:33:12 2019 Summary: Security update for tar Severity: moderate References: 1120610,1130496,CVE-2018-20482,CVE-2019-9923 Description: This update for tar fixes the following issues: Security issues fixed: - CVE-2019-9923: Fixed a denial of service while parsing certain archives with malformed extended headers in pax_decode_header() (bsc#1130496). - CVE-2018-20482: Fixed a denial of service when the '--sparse' option mishandles file shrinkage during read access (bsc#1120610). ----------------------------------------- Patch: SUSE-2019-940 Released: Fri Apr 12 13:20:03 2019 Summary: Security update for audiofile Severity: low References: 1100523,CVE-2018-13440 Description: This update for audiofile fixes the following issues: Security issue fixed: - CVE-2018-13440: Return AF_FAIL instead of causing NULL pointer dereferences later (bsc#1100523). ----------------------------------------- Patch: SUSE-2019-947 Released: Fri Apr 12 21:49:31 2019 Summary: Recommended update for cluster-glue Severity: moderate References: 1098758 Description: This update for cluster-glue provides the following fix: - stonith:ibmhmc: Add 'managedsyspat' and 'password' as supported parameters. (bsc#1098758) ----------------------------------------- Patch: SUSE-2019-954 Released: Tue Apr 16 13:05:59 2019 Summary: Security update for openexr Severity: low References: 1113455,CVE-2018-18444 Description: This update for openexr fixes the following issues: Security issue fixed: - CVE-2018-18444: Fixed Out-of-bounds write in makeMultiView.cpp (bsc#1113455). ----------------------------------------- Patch: SUSE-2019-1001 Released: Wed Apr 24 09:41:15 2019 Summary: Security update for ntfs-3g_ntfsprogs Severity: moderate References: 1130165,CVE-2019-9755 Description: This update for ntfs-3g_ntfsprogs fixes the following issues: Security issues fixed: - CVE-2019-9755: Fixed a heap-based buffer overflow which could lead to local privilege escalation (bsc#1130165). ----------------------------------------- Patch: SUSE-2019-1002 Released: Wed Apr 24 10:13:34 2019 Summary: Recommended update for zlib Severity: moderate References: 1110304,1129576 Description: This update for zlib fixes the following issues: - Fixes a segmentation fault error (bsc#1110304, bsc#1129576) ----------------------------------------- Patch: SUSE-2019-1018 Released: Wed Apr 24 13:02:28 2019 Summary: Security update for jasper Severity: moderate References: 1010783,1117505,1117511,CVE-2016-9396,CVE-2018-19539,CVE-2018-19542 Description: This update for jasper fixes the following issues: Security issues fixed: - CVE-2018-19542: Fixed a denial of service in jp2_decode (bsc#1117505). - CVE-2018-19539: Fixed a denial of service in jas_image_readcmpt (bsc#1117511). - CVE-2016-9396: Fixed a denial of service in jpc_cox_getcompparms (bsc#1010783). ----------------------------------------- Patch: SUSE-2019-1022 Released: Wed Apr 24 13:46:51 2019 Summary: Recommended update for hwdata Severity: moderate References: 1121410 Description: This update for hwdata fixes the following issues: Update to version 0.320 (bsc#1121410): - Updated the pci, usb and vendor ids vendor and product databases. ----------------------------------------- Patch: SUSE-2019-1034 Released: Thu Apr 25 13:39:50 2019 Summary: Recommended update for docker-runc Severity: important References: 1131314,1131553 Description: This update for docker-runc fixes the following issues: - Backport various upstream patches to fix some kernel regression related to O_TMPFILE. bsc#1131314 bsc#1131553 ----------------------------------------- Patch: SUSE-2019-1036 Released: Thu Apr 25 14:53:44 2019 Summary: Security update for wireshark Severity: moderate References: 1131945,CVE-2019-10894,CVE-2019-10895,CVE-2019-10896,CVE-2019-10899,CVE-2019-10901,CVE-2019-10903 Description: This update for wireshark to version 2.4.14 fixes the following issues: Security issues fixed: - CVE-2019-10895: NetScaler file parser crash. - CVE-2019-10899: SRVLOC dissector crash. - CVE-2019-10894: GSS-API dissector crash. - CVE-2019-10896: DOF dissector crash. - CVE-2019-10901: LDSS dissector crash. - CVE-2019-10903: DCERPC SPOOLSS dissector crash. Non-security issue fixed: - Update to version 2.4.14 (bsc#1131945). ----------------------------------------- Patch: SUSE-2019-1040 Released: Thu Apr 25 17:09:21 2019 Summary: Security update for samba Severity: important References: 1114407,1124223,1125410,1126377,1131060,1131686,CVE-2019-3880 Description: This update for samba fixes the following issues: Security issue fixed: - CVE-2019-3880: Fixed a path/symlink traversal vulnerability, which allowed an unprivileged user to save registry files outside a share (bsc#1131060). ldb was updated to version 1.2.4 (bsc#1125410 bsc#1131686): - Out of bound read in ldb_wildcard_compare - Hold at most 10 outstanding paged result cookies - Put 'results_store' into a doubly linked list - Refuse to build Samba against a newer minor version of ldb Non-security issues fixed: - Fixed update-apparmor-samba-profile script after apparmor switched to using named profiles (bsc#1126377). - Abide to the load_printers parameter in smb.conf (bsc#1124223). - Provide the 32bit samba winbind PAM module and its dependend 32bit libraries. ----------------------------------------- Patch: SUSE-2019-1052 Released: Fri Apr 26 14:33:42 2019 Summary: Security update for java-11-openjdk Severity: moderate References: 1132728,1132732,CVE-2019-2602,CVE-2019-2684 Description: This update for java-11-openjdk to version 11.0.3+7 fixes the following issues: Security issues fixed: - CVE-2019-2602: Fixed excessive use of CPU time in the BigDecimal implementation (bsc#1132728). - CVE-2019-2684: Fixed a flaw in the RMI registry implementation which could lead to selection of an incorrect skeleton class (bsc#1132732). Non-security issues fixed: - Multiple bug fixes and improvements. ----------------------------------------- Patch: SUSE-2019-1059 Released: Sat Apr 27 09:44:01 2019 Summary: Security update for libssh2_org Severity: important References: 1130103,1133528,CVE-2019-3859 Description: This update for libssh2_org fixes the following issues: - Incorrect upstream fix for CVE-2019-3859 broke public key authentication [bsc#1133528, bsc#1130103] ----------------------------------------- Patch: SUSE-2019-1090 Released: Mon Apr 29 14:32:33 2019 Summary: Security update for rubygem-actionpack-5_1 Severity: moderate References: 1129271,1129272,CVE-2019-5418,CVE-2019-5419 Description: This update for rubygem-actionpack-5_1 fixes the following issues: Security issues fixed: - CVE-2019-5418: Fixed a file content disclosure vulnerability in Action View which could be exploited via specially crafted accept headers in combination with calls to render file (bsc#1129272). - CVE-2019-5419: Fixed a resource exhaustion issue in Action View which could make the server unable to process requests (bsc#1129271). ----------------------------------------- Patch: SUSE-2019-1105 Released: Tue Apr 30 12:10:58 2019 Summary: Recommended update for gcc7 Severity: moderate References: 1084842,1114592,1124644,1128794,1129389,1131264,SLE-6738 Description: This update for gcc7 fixes the following issues: Update to gcc-7-branch head (r270528). - Disables switch jump-tables when retpolines are used. This restores some lost performance for kernel builds with retpolines. (bsc#1131264, jsc#SLE-6738) - Fix ICE compiling tensorflow on aarch64. (bsc#1129389) - Fix for aarch64 FMA steering pass use-after-free. (bsc#1128794) - Fix for s390x FP load-and-test issue. (bsc#1124644) - Improve build reproducability by disabling address-space randomization during build. - Adjust gnat manual entries in the info directory. (bsc#1114592) - Includes fix to no longer try linking -lieee with -mieee-fp. (bsc#1084842) ----------------------------------------- Patch: SUSE-2019-1113 Released: Tue Apr 30 14:08:42 2019 Summary: Recommended update for python-pycurl Severity: moderate References: 1128355 Description: This update for python-pycurl fixes the following issues: - bsc#1128355: update to the Factory package to get multibuild and better working tests. - Update to 7.43.0.2: * Added perform_rb and perform_rs methods to Curl objects to return response body as byte string and string, respectively. * Added OPT_COOKIELIST constant for consistency with other option constants. * PycURL is now able to report errors triggered by libcurl via CURLOPT_FAILONERROR mechanism when the error messages are not decodable in Python's default encoding (GitHub issue #259). * Added getinfo_raw method to Curl objects to return byte strings as is from libcurl without attempting to decode them (GitHub issue #493). * When adding a Curl easy object to CurlMulti via add_handle, the easy objects now have their reference counts increased so that the application is no longer required to keep references to them to keep them from being garbage collected (GitHub issue #171). * PycURL easy, multi and share objects can now be weak referenced. * set_ca_certs now accepts byte strings as it should have been all along. * Use OpenSSL 1.1 and 1.0 specific APIs for controlling thread locks depending on OpenSSL version (patch by Vitaly Murashev). * Fixed a crash when closesocket callback failed (patch by Gisle Vanem and toddrme2178). * Added CURLOPT_PROXY_SSLCERT, CURLOPT_PROXY_SSLCERTTYPE, CURLOPT_PROXY_SSLKEY, CURLOPT_PROXY_SSLKEYTYPE, CURLOPT_PROXY_SSL_VERIFYPEER (libcurl 7.52.0+, patch by Casey Miller). * Added CURLOPT_PRE_PROXY (libcurl 7.52.0+, patch by ziggy). * Added SOCKET_BAD constant and it is now recognized as a valid return value from OPENSOCKET callback. ----------------------------------------- Patch: SUSE-2019-1127 Released: Thu May 2 09:39:24 2019 Summary: Security update for sqlite3 Severity: moderate References: 1130325,1130326,CVE-2019-9936,CVE-2019-9937 Description: This update for sqlite3 to version 3.28.0 fixes the following issues: Security issues fixed: - CVE-2019-9936: Fixed a heap-based buffer over-read, when running fts5 prefix queries inside transaction (bsc#1130326). - CVE-2019-9937: Fixed a denial of service related to interleaving reads and writes in a single transaction with an fts5 virtual table (bsc#1130325). ----------------------------------------- Patch: SUSE-2019-1130 Released: Thu May 2 13:07:59 2019 Summary: Recommended update for azure-li-services Severity: moderate References: 1125372,1125373 Description: This update for azure-li-services fixes the following issues: - Create /etc/sysconfig/sbd configuration Write /etc/sysconfig/sbd which contains the disk device name used to initialize the SBD device - Add support for iSCSI SBD device setup In a new an optional stonith section the configuration for the iSCSI initiator and ip address can be setup. Once present the process to setup the iSCSI initiator as well as the device discovery is started. (bsc#1125373 and bsc#1125372) ----------------------------------------- Patch: SUSE-2019-1134 Released: Thu May 2 17:57:27 2019 Summary: Recommended update for quota Severity: moderate References: 1131513,SLE-5734 Description: This update for quota fixes the following issues: Quota was updated to 4.05 release jsc#SLE-5734 bsc#1131513: * This release includes mostly various smaller cleanups and fixes in various areas. * Most visible changes are addition of f2fs and exfs among recognized filesystems. * Remove quot binary functionality could be achieved by using repquota instead ----------------------------------------- Patch: SUSE-2019-1145 Released: Fri May 3 16:03:10 2019 Summary: Recommended update for aws-efs-utils Severity: moderate References: 1101451,1124652,1125133 Description: This update for aws-efs-utils fixes the following issues: This ships aws-efs-utils 1.7 to the SUSE Linux Enterprise Module for Public Cloud (bsc#1101451, fate#327220, bsc#1124652, fate#327221) This package provides utilities for using the EFS file systems. ----------------------------------------- Patch: SUSE-2019-1152 Released: Fri May 3 18:06:09 2019 Summary: Recommended update for java-11-openjdk Severity: moderate References: 1131378 Description: This update for java-11-openjdk fixes the following issues: - Require update-ca-certificates by the headless subpackage (bsc#1131378) - Removed a font rendering patch with broke related to other font changes. ----------------------------------------- Patch: SUSE-2019-1156 Released: Mon May 6 13:46:07 2019 Summary: Security update for python-Jinja2 Severity: important References: 1125815,1132174,1132323,CVE-2016-10745,CVE-2019-10906,CVE-2019-8341 Description: This update for python-Jinja2 to version 2.10.1 fixes the following issues: Security issues fixed: - CVE-2019-8341: Fixed a command injection in from_string() (bsc#1125815). - CVE-2019-10906: Fixed a sandbox escape due to information disclosure via str.format (bsc#1132323). ----------------------------------------- Patch: SUSE-2019-1176 Released: Tue May 7 16:19:23 2019 Summary: Recommended update for rpmlint Severity: moderate References: 1132530 Description: This update for rpmlint fixes the following issues: - fix rpmlint-tests build by reverting changes to reference output that do not apply on SLE15 (bsc#1132530) ----------------------------------------- Patch: SUSE-2019-1199 Released: Fri May 10 07:44:05 2019 Summary: Recommended update for nvmetcli Severity: moderate References: 1130981 Description: This update for nvmetcli fixes the following issues: - Add ANA support to nvmetcli (bsc#1130981) ----------------------------------------- Patch: SUSE-2019-1211 Released: Fri May 10 14:09:09 2019 Summary: Security update for java-1_8_0-openjdk Severity: important References: 1132728,1132729,1132732,1133135,CVE-2018-3639,CVE-2019-2602,CVE-2019-2684,CVE-2019-2698 Description: This update for java-1_8_0-openjdk to version 8u212 fixes the following issues: Security issues fixed: - CVE-2019-2602: Better String parsing (bsc#1132728). - CVE-2019-2684: More dynamic RMI interactions (bsc#1132732). - CVE-2019-2698: Fuzzing TrueType fonts - setCurrGlyphID() (bsc#1132729). - CVE-2018-3639: fix revision to prefer PR_SPEC_DISABLE_NOEXEC to PR_SPEC_DISABLE Non-Security issue fixed: - Disable LTO (bsc#1133135). - Added Japanese new era name. ----------------------------------------- Patch: SUSE-2019-1229 Released: Tue May 14 11:05:55 2019 Summary: Recommended update for sensors Severity: moderate References: 1108468,1116021 Description: This update for sensors fixes the following issues: sensors was updated to version 3.5.0: The following changes were done: + soname was bumped due to commit dcf2367 which introduced an ABI change. (This was reverted for the SUSE packages, as it was not necessary) + Fixed disappearance of certain hwmon chips with 4.19+ kernels (bsc#1116021). + Add the find-driver script for debugging. + Various documentation and man page improvements. + Fix various issues found by Coverity Scan. + Updated links in documentation to reflect the new home of lm_sensors. + sensors.1: Add reference to sensors-detect and document -j option (json output). + sensors: Add support for json output, add support for power min, lcrit, min_alarm, lcrit_alarm. + sensors-detect changes: * Fix systemd paths. * Add detection of Fintek F81768. * Only probe I/O ports on x86. * Add detection of Nuvoton NCT6793D. * Add detection of Microchip MCP9808. * Mark F71868A as supported by the f71882fg driver. * Mark F81768D as supported by the f71882fg driver. * Mark F81866D as supported by the f71882fg driver. * Add detection of various ITE chips. * Add detection of Nuvoton NCT6795D. * Add detection of DDR4 SPD. * Add detection of ITE IT8987D. * Add detection of AMD Family 17h temperature sensors. * Add detection of AMD KERNCZ SMBus controller. * Add detection of various Intel SMBus controllers. * Add detection of Giantec GT30TS00. * Add detection of ONS CAT34TS02C and CAT34TS04. * Add detection of AMD Family 15h Model 60+ temperature sensors. * Add detection of Nuvoton NCT6796D. * Add detection of AMD Family 15h Model 70+ temperature sensors. + configs: Add sample configuration files. + sensors.conf.default: * Add hardwired inputs of NCT6795D * Add hardwired inputs of F71868A * Add hardwired NCT6796D inputs + vt1211_pwm: replaced deprecated sub shell syntax, run with bash instead of sh. + pwmconfig: replaced deprecated sub shell syntax. + fancontrol: replaced deprecated sub shell syntax, save original pwm values. + fancontrol.8: replaced deprecated sub shell syntax. + libsensors: * Add support for SENSORS_BUS_TYPE_SCSI, add support for power min, lcrit, min_alarm, lcrit_alarm. * Handle hwmon device with thermal device parent (bsc#1108468). - Undo unnecessary libsensors version bump. - Undo the SENSORS_API_VERSION change, to stay source-compatible with upstream. ----------------------------------------- Patch: SUSE-2019-1234 Released: Tue May 14 18:31:52 2019 Summary: Security update for containerd, docker, docker-runc, go, go1.11, go1.12, golang-github-docker-libnetwork Severity: important References: 1114209,1114832,1118897,1118898,1118899,1121397,1121967,1123013,1128376,1128746,1134068,CVE-2018-16873,CVE-2018-16874,CVE-2018-16875,CVE-2019-5736,CVE-2019-6486 Description: This update for containerd, docker, docker-runc, go, go1.11, go1.12, golang-github-docker-libnetwork fixes the following issues: Security issues fixed: - CVE-2019-5736: containerd: Fixing container breakout vulnerability (bsc#1121967). - CVE-2019-6486: go security release, fixing crypto/elliptic CPU DoS vulnerability affecting P-521 and P-384 (bsc#1123013). - CVE-2018-16873: go secuirty release, fixing cmd/go remote command execution (bsc#1118897). - CVE-2018-16874: go security release, fixing cmd/go directory traversal (bsc#1118898). - CVE-2018-16875: go security release, fixing crypto/x509 CPU denial of service (bsc#1118899). Other changes and bug fixes: - Update to containerd v1.2.5, which is required for v18.09.5-ce (bsc#1128376, bsc#1134068). - Update to runc 2b18fe1d885e, which is required for Docker v18.09.5-ce (bsc#1128376, bsc#1134068). - Update to Docker 18.09.5-ce see upstream changelog in the packaged (bsc#1128376, bsc#1134068). - docker-test: Improvements to test packaging (bsc#1128746). - Move daemon.json file to /etc/docker directory (bsc#1114832). - Revert golang(API) removal since it turns out this breaks >= requires in certain cases (bsc#1114209). - Fix go build failures (bsc#1121397). ----------------------------------------- Patch: SUSE-2019-1282 Released: Fri May 17 13:14:19 2019 Summary: Recommended update for azure-li-services Severity: moderate References: 1133162 Description: This update for azure-li-services to 1.1.31 fixes the following issues: - Umount LUN only on cleanup If one service(A) needs the LUN and another service(B) that needs the LUN too runs in parallel a potential race condition exists in a way the service A could have umounted the LUN exactly at a time service B accesses it. Thus this patch changes the services such that only the last service, the cleanup service umounts the LUN. - Load softdog module when STONITH is set up It loads the module and make the load boot persistant - Fixup system-setup service dependencies The setup of the stonith SBD device requires the network to be up beforehand because the target is an iSCSI endpoint. ----------------------------------------- Patch: SUSE-2019-1291 Released: Mon May 20 09:57:16 2019 Summary: Security update for transfig Severity: low References: 1106531,CVE-2018-16140 Description: This update for transfig fixes the following issues: Security issue fixed: - CVE-2018-16140: Fixed a buffer underwrite vulnerability in get_line() in read.c, which allowed an attacker to write prior to the beginning of the buffer via specially crafted .fig file (bsc#1106531) ----------------------------------------- Patch: SUSE-2019-1302 Released: Tue May 21 13:05:02 2019 Summary: Recommended update for monitoring-plugins Severity: moderate References: 1132350,1132903,1133107 Description: This update for monitoring-plugins fixes the following issues: - update AppArmor profiles for usrMerge (related to bsc#1132350) - grep in check_cups - ps in check_procs and check_procs.sle15 - update usr.lib.nagios.plugins.check_procs to bash in /usr - support IPv4 ping for dual stacked host again (bsc#1132903) - update usr.lib.nagios.plugins.check_procs again for sle15 and above so that ptrace is allowed (bsc#1133107) - add /etc/nrpe.d/*.cfg snipplets - copy usr.lib.nagios.plugins.check_procs as usr.lib.nagios.plugins.check_procs.sle15 and use that for sle15 and above. 'ptrace' to enable ptrace globally is needed here. ----------------------------------------- Patch: SUSE-2019-1308 Released: Tue May 21 18:35:23 2019 Summary: Security update for java-1_8_0-ibm Severity: important References: 1132728,1132729,1132732,1132734,1134718,CVE-2019-10245,CVE-2019-2602,CVE-2019-2684,CVE-2019-2697,CVE-2019-2698 Description: This update for java-1_8_0-ibm fixes the following issues: Update to Java 8.0 Service Refresh 5 Fix Pack 35. Security issues fixed: - CVE-2019-10245: Fixed Java bytecode verifier issue causing crashes (bsc#1134718). - CVE-2019-2698: Fixed out of bounds access flaw in the 2D component (bsc#1132729). - CVE-2019-2697: Fixed flaw inside the 2D component (bsc#1132734). - CVE-2019-2602: Fixed flaw inside BigDecimal implementation (Component: Libraries) (bsc#1132728). - CVE-2019-2684: Fixed flaw was found in the RMI registry implementation (bsc#1132732). ----------------------------------------- Patch: SUSE-2019-1312 Released: Wed May 22 12:19:12 2019 Summary: Recommended update for aaa_base Severity: moderate References: 1096191 Description: This update for aaa_base fixes the following issue: * Shell detection in /etc/profile and /etc/bash.bashrc was broken within AppArmor-confined containers (bsc#1096191) ----------------------------------------- Patch: SUSE-2019-1318 Released: Thu May 23 12:45:16 2019 Summary: Recommended update for orc Severity: moderate References: 1130085 Description: This update for orc does not fix any customer visible issues and does only address an issue with its test suite (bsc#1130085) ----------------------------------------- Patch: SUSE-2019-1327 Released: Thu May 23 18:09:53 2019 Summary: Recommended update for speech-dispatcher Severity: moderate References: 1129586 Description: This update for speech-dispatcher fixes the following issues: - Remove a work-around that was necessary in previous versions but since speech-dispatcher 0.8.4 no longer is. (bsc#1129586) ----------------------------------------- Patch: SUSE-2019-1328 Released: Thu May 23 18:10:08 2019 Summary: Recommended update for lifecycle-data-sle-module-live-patching Severity: moderate References: 1020320 Description: This update for lifecycle-data-sle-module-live-patching fixes the following issues: - Added data for 4_12_14-150_14. (bsc#1020320) ----------------------------------------- Patch: SUSE-2019-1340 Released: Fri May 24 12:57:31 2019 Summary: Security update for libu2f-host Severity: low References: 1124781,CVE-2018-20340 Description: This update for libu2f-host fixes the following issues: Security issue fixed: - CVE-2018-20340: Fixed an unchecked buffer, which could allow a buffer overflow with a custom made malicious USB device (bsc#1124781). ----------------------------------------- Patch: SUSE-2019-1343 Released: Fri May 24 13:58:40 2019 Summary: Recommended update for google-compute-engine Severity: moderate References: 1128392,1134179 Description: This update for google-compute-engine fixes the following issues: google-compute-engine was updated to version 20190416 (bsc#1128392, bsc#1134179): - Google Compute Engine OS Login * Fix pam_group ordering detection. * Restart cron from the OS Login control file. * Add PAM entry to su:account stack. Update to version 20190315: - Google Compute Engine OS Login * Fix alternate challenge section for two factor authentication. Update to version 20190304: - Google Compute Engine * Set oom_score_adjust for google_accounts_daemon. - Google Compute Engine OS Login * Use pam_group to provide users with default groups. * Add compat.h to support FreeBSD. * Exit immediately after a two factor authentication failure. * Add support for Google phone prompt challenges. - Include systemd service file to run google_optimize_local_ssd command - Include systemd service file to run google_set_multiqueue command - Install journald configuration files into /usr/lib/systemd/journald.conf.d ----------------------------------------- Patch: SUSE-2019-1367 Released: Tue May 28 12:41:43 2019 Summary: Recommended update for tcsh Severity: moderate References: 1129112 Description: This update for tcsh fixes the following issues: - Incorrect postcmd handling could have caused miscalculation of a while loop start resulting in an infinite loop (bsc#1129112) ----------------------------------------- Patch: SUSE-2019-1368 Released: Tue May 28 13:15:38 2019 Summary: Recommended update for sles12sp3-docker-image, sles12sp4-image, system-user-root Severity: important References: 1134524,CVE-2019-5021 Description: This update for sles12sp3-docker-image, sles12sp4-image, system-user-root fixes the following issues: - CVE-2019-5021: Include an invalidated root password by default, not an empty one (bsc#1134524) ----------------------------------------- Patch: SUSE-2019-1372 Released: Tue May 28 16:53:28 2019 Summary: Security update for libtasn1 Severity: moderate References: 1105435,CVE-2018-1000654 Description: This update for libtasn1 fixes the following issues: Security issue fixed: - CVE-2018-1000654: Fixed a denial of service in the asn1 parser (bsc#1105435). ----------------------------------------- Patch: SUSE-2019-1374 Released: Wed May 29 10:15:39 2019 Summary: Security update for taglib Severity: low References: 1096180,CVE-2018-11439 Description: This update for taglib fixes the following issues: - CVE-2018-11439: The TagLib::Ogg::FLAC::File::scan function allowed remote attackers to cause information disclosure (heap-based buffer over-read) via a crafted audio file (bsc#1096180) ----------------------------------------- Patch: SUSE-2019-1376 Released: Wed May 29 13:31:29 2019 Summary: Recommended update for openal-soft Severity: low References: 1131808 Description: This update for openal-soft provides the following fixes: - Remove an unused file licensed under Apache-2.0 (and thus incompatible with the rest of the stack). (bsc#1131808) ----------------------------------------- Patch: SUSE-2019-1380 Released: Wed May 29 15:10:22 2019 Summary: Recommended update for ipa-ex-fonts Severity: moderate References: 1112183 Description: This update for ipa-ex-fonts fixes the following issues: - Update to version 004.01 * new glyph U+32FF 'SQUARE ERA NAME REIWA' (boo#1112183) * add standardized variation sequences of 93 characters * update spaces of the two glyphs (U+26FF8, U+663B) - remove old Obsoletes and Provides for the past naming rule change ----------------------------------------- Patch: SUSE-2019-1393 Released: Fri May 31 10:18:34 2019 Summary: Recommended update for pesign Severity: moderate References: 1130588,1134670 Description: This update for pesign fixes the following issues: - Enable build on %arm as we can sign kernel on %arm (bsc#1134670) - Require shadow instead of old pwdutils (bsc#192328) ----------------------------------------- Patch: SUSE-2019-1398 Released: Fri May 31 12:54:22 2019 Summary: Security update for libpng16 Severity: low References: 1100687,1121624,1124211,CVE-2018-13785,CVE-2019-7317 Description: This update for libpng16 fixes the following issues: Security issues fixed: - CVE-2019-7317: Fixed a use-after-free vulnerability, triggered when png_image_free() was called under png_safe_execute (bsc#1124211). - CVE-2018-13785: Fixed a wrong calculation of row_factor in the png_check_chunk_length function in pngrutil.c, which could haved triggered and integer overflow and result in an divide-by-zero while processing a crafted PNG file, leading to a denial of service (bsc#1100687) ----------------------------------------- Patch: SUSE-2019-1403 Released: Mon Jun 3 10:45:52 2019 Summary: Recommended update for fio Severity: moderate References: 1129706 Description: This update ships the performance measurement tool 'fio' to the SUSE Linux Enterprise 15 Module for Basesystem. (bsc#1129706) ----------------------------------------- Patch: SUSE-2019-1409 Released: Mon Jun 3 16:28:25 2019 Summary: Recommended update for lifecycle-data-sle-module-live-patching Severity: moderate References: 1020320 Description: This update for lifecycle-data-sle-module-live-patching fixes the following issues: - Added data 4_12_14_-150_17 for lifecycle-data-sle-live-patching. (bsc#1020320) ----------------------------------------- Patch: SUSE-2019-1412 Released: Tue Jun 4 07:58:12 2019 Summary: Recommended update for wireless-regdb Severity: moderate References: 1134213 Description: This update for wireless-regdb provides the following fixes: - Update to version 2019.03.01: (bsc#1134213) * Sync IN with G.S.R. 1048(E). * Update regulatory rules for Sweden (SE) on 2.4/5/60 GHz. * Update 60ghz band rules for US. * Add 5725-5875 MHz rule for Portugal (PT). * Add URLs in README. * Delete outdated comment for DE. * Update source of info for CU and ES. ----------------------------------------- Patch: SUSE-2019-1415 Released: Tue Jun 4 13:18:42 2019 Summary: Recommended update for fping Severity: moderate References: 1133988 Description: This update for fping fixes the following issues: - Fix fping on servers with disabled IPv6 [bsc#1133988] ----------------------------------------- Patch: SUSE-2019-1417 Released: Tue Jun 4 15:40:25 2019 Summary: Recommended update for libselinux, policycoreutils, setools Severity: moderate References: 1130097,1136515 Description: This update for libselinux, policycoreutils, setools fixes the following issues: This update provides policycoreutils-python that contains binaries necessary for SELinux administration. (bsc#1130097) Also necessary dependencies for this package have been included in the update. python2-setools and python3-setools are shipped instead of python-setools. ----------------------------------------- Patch: SUSE-2019-1447 Released: Fri Jun 7 12:28:24 2019 Summary: Recommended update for sap-suse-cluster-connector Severity: moderate References: 1119137,1135487 Description: This update for sap-suse-cluster-connector fixes the following issues: - Support groups and primitives names containing dashes. (bsc#1135487) - Adjust detection of cluster resources, if multiple SAPInstance resource are found. - Fix smm function, add set_maintenance_mode function and split function list_sap_resources into a frontend (list_sap_resources) and a backend (get_resource_and_status) to get a proper smm handling in sap_suse_cluster_connector. (bsc#1119137) ----------------------------------------- Patch: SUSE-2019-1457 Released: Tue Jun 11 10:09:14 2019 Summary: Security update for vim Severity: important References: 1137443,CVE-2019-12735 Description: This update for vim fixes the following issue: Security issue fixed: - CVE-2019-12735: Fixed a potential arbitrary code execution vulnerability in getchar.c (bsc#1137443). ----------------------------------------- Patch: SUSE-2019-1492 Released: Thu Jun 13 14:51:01 2019 Summary: Recommended update for libidn Severity: low References: 1132869 Description: This update for libidn fixes the following issue: - The missing libidn11-32bit compat library package was provided. (bsc#1132869) ----------------------------------------- Patch: SUSE-2019-1525 Released: Mon Jun 17 17:31:04 2019 Summary: Security update for netpbm Severity: moderate References: 1024288,1024291,1136936,CVE-2017-2579,CVE-2017-2580 Description: This update for netpbm fixes the following issues: Security issues fixed: - CVE-2017-2579: Fixed out-of-bounds read in expandCodeOntoStack() (bsc#1024288). - CVE-2017-2580: Fixed out-of-bounds write of heap data in addPixelToRaster() function (bsc#1024291). - create netpbm-vulnerable subpackage and move pstopnm there, as ghostscript is used to convert (bsc#1136936) ----------------------------------------- Patch: SUSE-2019-1560 Released: Wed Jun 19 08:57:17 2019 Summary: Recommended update for cloud-netconfig Severity: moderate References: 1135257,1135263 Description: This update for cloud-netconfig fixes the following issues: - cloud-netconfig will now pause and retry if API call throttling is detected in Azure (bsc#1135257, bsc#1135263) ----------------------------------------- Patch: SUSE-2019-1562 Released: Wed Jun 19 09:16:07 2019 Summary: Security update for docker Severity: moderate References: 1096726,CVE-2018-15664 Description: This update for docker fixes the following issues: Security issue fixed: - CVE-2018-15664: Fixed an issue which could make docker cp vulnerable to symlink-exchange race attacks (bsc#1096726). ----------------------------------------- Patch: SUSE-2019-1565 Released: Wed Jun 19 11:55:42 2019 Summary: Recommended update for google-compute-engine Severity: moderate References: 1136266,1136267 Description: This update for google-compute-engine fixes the following issues: Update to version 20190522 (bsc#1136266, bsc#1136267) + Google Compute Engine * Fix guest attributes flow in Python 3. + Google Compute Engine OS Login * Update OS Login control file for FreeBSD support. Update to version 20190521: + Google Compute Engine * Retry download for metadata scripts. * Fix script retrieval in Python 3. * Disable boto config in Python 3. * Update SSH host keys in guest attributes. * Fix XPS settings with more than 64 vCPUs. ----------------------------------------- Patch: SUSE-2019-1576 Released: Thu Jun 20 12:49:40 2019 Summary: Security update for enigmail Severity: important References: 1135855,CVE-2019-12269 Description: This update for enigmail to version 2.0.11 fixes the following issues: Security issue fixed: - CVE-2019-12269: Fixed an issue where a specially crafted inline PGP messages could spoof a 'correctly signed' message (bsc#1135855). ----------------------------------------- Patch: SUSE-2019-1603 Released: Fri Jun 21 10:23:33 2019 Summary: Security update for exempi Severity: moderate References: 1098946,CVE-2018-12648 Description: This update for exempi fixes the following issues: - CVE-2018-12648: Fixed a NULL pointer dereference (crash) issue when processing webp files (bsc#1098946). ----------------------------------------- Patch: SUSE-2019-1607 Released: Fri Jun 21 10:26:45 2019 Summary: Security update for wireshark Severity: moderate References: 1136021 Description: This update for wireshark to version 2.4.15 fixes the following issues: Security issue fixed: - Fixed a denial of service in the dissection engine (bsc#1136021). ----------------------------------------- Patch: SUSE-2019-1616 Released: Fri Jun 21 11:04:39 2019 Summary: Recommended update for rpcbind Severity: moderate References: 1134659 Description: This update for rpcbind fixes the following issues: - Change rpcbind locking path from /var/run/rpcbind.lock to /run/rpcbind.lock. (bsc#1134659) - Change the order of socket/service in the %postun scriptlet to avoid an error from rpcbind.socket when rpcbind is running during package update. ----------------------------------------- Patch: SUSE-2019-1631 Released: Fri Jun 21 11:17:21 2019 Summary: Recommended update for xz Severity: low References: 1135709 Description: This update for xz fixes the following issues: Add SUSE-Public-Domain licence as some parts of xz utils (liblzma, xz, xzdec, lzmadec, documentation, translated messages, tests, debug, extra directory) are in public domain licence [bsc#1135709] ----------------------------------------- Patch: SUSE-2019-1728 Released: Tue Jul 2 17:35:39 2019 Summary: Recommended update for openssl-1_0_0 Severity: moderate References: 1130041 Description: This update for openssl-1_0_0 fixes the following issues: - Add back the steam subpackage on openSUSE Leap 15 whose openssl-1_0_0 package is inherited from this package (bsc#1130041) This update also ships openssl-1_0_0 to the SUSE Manager Client Tools 15 repository, to be used for phantomjs / grafana. ----------------------------------------- Patch: SUSE-2019-1741 Released: Wed Jul 3 21:13:18 2019 Summary: Recommended update for perl-Tk Severity: moderate References: 1134134 Description: This update for perl-Tk fixes the following issues: - Tk::Photo importer fails on some XPM files. (bsc#1134134) ----------------------------------------- Patch: SUSE-2019-1747 Released: Thu Jul 4 11:44:06 2019 Summary: Recommended update for cluster-glue Severity: moderate References: 1131545 Description: This update for cluster-glue fixes the following issues: - Directory /var/run/heartbeat/rsctmp will now get created if it doesn't exist (bsc#1131545) ----------------------------------------- Patch: SUSE-2019-1750 Released: Thu Jul 4 16:07:32 2019 Summary: Security update for libu2f-host, pam_u2f Severity: moderate References: 1128140,1135727,1135729,CVE-2019-12209,CVE-2019-12210,CVE-2019-9578 Description: This update for libu2f-host and pam_u2f to version 1.0.8 fixes the following issues: Security issues fixed for libu2f-host: - CVE-2019-9578: Fixed a memory leak due to a wrong parse of init's response (bsc#1128140). Security issues fixed for pam_u2f: - CVE-2019-12209: Fixed an issue where symlinks in the user's directory were followed (bsc#1135729). - CVE-2019-12210: Fixed file descriptor leaks (bsc#1135727). ----------------------------------------- Patch: SUSE-2019-1776 Released: Mon Jul 8 18:18:37 2019 Summary: Security update for zeromq Severity: important References: 1082318,1140255,CVE-2019-13132 Description: This update for zeromq fixes the following issues: - CVE-2019-13132: An unauthenticated remote attacker could have exploited a stack overflow vulnerability on a server that is supposed to be protected by encryption and authentication to potentially gain a remote code execution. (bsc#1140255) - Correctly mark license files as licence instead of documentation (bsc#1082318) ----------------------------------------- Patch: SUSE-2019-1780 Released: Mon Jul 8 20:24:24 2019 Summary: Recommended update for icewm Severity: moderate References: 1076817 Description: This update for icewm fixes the following issues: - Disabled icewm's suspend function in order to allow systemd the handling of power key events (bsc#1076817) ----------------------------------------- Patch: SUSE-2019-1795 Released: Tue Jul 9 23:39:25 2019 Summary: Recommended update for saptune Severity: moderate References: 1116799,1123808,1124485,1124486,1124487,1124488,1124489,1126220,1128322,1128325 Description: This update for saptune fixes the following issues: - Resetting all values to clean the system during package removal - Fix saptune issues with /etc/security/limits.conf. (bsc#1124485) - Add deprecated message to the description of some notes set scheduler for note SUSE-GUIDE-01 correctly.(bsc#1123808) - Ship both versions of saptune in one package to support a smooth migration controlled by the customer. See man saptune-migrate(5) for more information. - Support note name changes and note deletion during update of saptune v2 from SLE12 to SLE15. - Support different SAP Note definitions and solution definitions related to the used operation system version (distinguish between SLE12 and SLE15 at the moment) - Remove calculation of optimized values, only set the values from the configuration file irrespective of the current system value. Current system value can be increase or decrease. ATTENTION: saptune no longer respects higher system values. Use the override option to change the values of the Note definition files, if needed. (bsc#1124488) - Mark the Notes SUSE-GUIDE-01 and SUSE-GUIDE-02 as deprecated in saptune v1 and remove these Note definitions from saptune v2. (bsc#1116799) - Add bash-completion for saptune. - Add action 'show' to the 'note' operation to print content of the note definition file to stdout. - Add new action 'create' to support the customer/vendor while creating a vendor or customer specific file in /etc/saptune/extra using the template file /usr/share/saptune/NoteTemplate.conf - Simplify file name syntax for the vendor files available in /etc/saptune/extra. Old file names still valid and supported. - Add header support (version, date, description) for the vendor files available in /etc/saptune/extra as already available for the note definition files in /usr/share/saptune/notes - No longer write or remove entries from /etc/security/limits.conf. Instead add or remove drop-in files in /etc/security/limits.d The filename syntax for the drop-in files /etc/security/limits.d is saptune---.conf. The limits entry syntax inside the Note definition files changed to support more than one limits settings in the definition file. (bsc#1128322) - Preserve comment sections of the security limits file /etc/security/limits.conf. Especially, if this is the only content of the file. (bsc#1124485) - Work with the current Note definition file to define the pagecache settings. (bsc#1126220) - Setting of UserTaskMax by applying the related SAP Notes in the postinstall of the package. (bsc#1124489) - Starting to support severities INFO, WARNING, ERROR and DEBUG for the logging and add a defined format for the log messages. - Remove saptune as active tuned profile during action 'saptune daemon stop' - start/stop services, if requested by SAP Notes, but do not enable/disable these services. (bsc#1128325) - Adapt the parameter oriented save state file handling (store and revert) to the special needs of the security limits parameter. (bsc#1124485) - Disable parameter settings using an override file. (bsc#1124486) - Store the order of the note as they are applied to get the same system tuning result after a system reboot as before. - Correct the revert of the vm.dirty parameters by handling their counterpart parameters in addition. (bsc#1124487) - Adjust operation customize to the new configuration files and override location and enable customize option for vendor and customer specific files in /etc/saptune/extra. (bsc#1124487) - Change output format of the operations list, verify and simulate. (bsc#1124487) - Display footnotes during 'verify' and 'simulate'. (bsc#1124487) - Remove Netweaver formula for page cache calculation. Use the HANA approach '2% system memory' for both. - Display a warning message, if a [block] section is found in the Note definition file because on systems with a huge number of block devices this operation may take some time. - Add force_latency handling to 'cpu' section. Use the files in /sys/devices/system/cpu/cpu* instead of /dev/cpu_dma_latency. Remove the parameter from the tuned.conf file and add it to the SAP note files '1984787' and '2205917' - Add action 'saptune revert all' and add parameter based saved state files to support proper revert functionality. (bsc#1124487) - Add override file handling for the solution definition using /etc/saptune/override/solution. (bsc#1124486) - Read solution definition from file /usr/share/saptune/solution instead of static coding inside of saptune. (bsc#1124486) - Make sure a note, which is part of an applied solution definition, but was reverted manually later, will NOT applied again after a system reboot. - One configuration file per SAP Note. (bsc#1124486) - Add new SAP Notes and adapt content of SAP Notes. - Handle different locations of the new configuration files (/usr/share/saptune/note, /etc/saptune/extra). (bsc#1124486) - Allow parameter override by the customer. (bsc#1124486) - Expand section handling of the 'ini file' handler to handle the new configuration file entries. Supported sections: version, reminder, login, mem, vm, block, limits, sysctl, pagecache, cpu, service, rpm, grub. (bsc#1124486) ----------------------------------------- Patch: SUSE-2019-1804 Released: Wed Jul 10 10:40:44 2019 Summary: Security update for ruby-bundled-gems-rpmhelper, ruby2.5 Severity: important References: 1082007,1082008,1082009,1082010,1082011,1082014,1082058,1087433,1087434,1087436,1087437,1087440,1087441,1112530,1112532,1130028,1130611,1130617,1130620,1130622,1130623,1130627,1133790,CVE-2017-17742,CVE-2018-1000073,CVE-2018-1000074,CVE-2018-1000075,CVE-2018-1000076,CVE-2018-1000077,CVE-2018-1000078,CVE-2018-1000079,CVE-2018-16395,CVE-2018-16396,CVE-2018-6914,CVE-2018-8777,CVE-2018-8778,CVE-2018-8779,CVE-2018-8780,CVE-2019-8320,CVE-2019-8321,CVE-2019-8322,CVE-2019-8323,CVE-2019-8324,CVE-2019-8325 Description: This update for ruby2.5 and ruby-bundled-gems-rpmhelper fixes the following issues: Changes in ruby2.5: Update to 2.5.5 and 2.5.4: https://www.ruby-lang.org/en/news/2019/03/15/ruby-2-5-5-released/ https://www.ruby-lang.org/en/news/2019/03/13/ruby-2-5-4-released/ Security issues fixed: - CVE-2019-8320: Delete directory using symlink when decompressing tar (bsc#1130627) - CVE-2019-8321: Escape sequence injection vulnerability in verbose (bsc#1130623) - CVE-2019-8322: Escape sequence injection vulnerability in gem owner (bsc#1130622) - CVE-2019-8323: Escape sequence injection vulnerability in API response handling (bsc#1130620) - CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution (bsc#1130617) - CVE-2019-8325: Escape sequence injection vulnerability in errors (bsc#1130611) Ruby 2.5 was updated to 2.5.3: This release includes some bug fixes and some security fixes. Security issues fixed: - CVE-2018-16396: Tainted flags are not propagated in Array#pack and String#unpack with some directives (bsc#1112532) - CVE-2018-16395: OpenSSL::X509::Name equality check does not work correctly (bsc#1112530) Ruby 2.5 was updated to 2.5.1: This release includes some bug fixes and some security fixes. Security issues fixed: - CVE-2017-17742: HTTP response splitting in WEBrick (bsc#1087434) - CVE-2018-6914: Unintentional file and directory creation with directory traversal in tempfile and tmpdir (bsc#1087441) - CVE-2018-8777: DoS by large request in WEBrick (bsc#1087436) - CVE-2018-8778: Buffer under-read in String#unpack (bsc#1087433) - CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket (bsc#1087440) - CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in Dir (bsc#1087437) - Multiple vulnerabilities in RubyGems were fixed: - CVE-2018-1000079: Fixed path traversal issue during gem installation allows to write to arbitrary filesystem locations (bsc#1082058) - CVE-2018-1000075: Fixed infinite loop vulnerability due to negative size in tar header causes Denial of Service (bsc#1082014) - CVE-2018-1000078: Fixed XSS vulnerability in homepage attribute when displayed via gem server (bsc#1082011) - CVE-2018-1000077: Fixed that missing URL validation on spec home attribute allows malicious gem to set an invalid homepage URL (bsc#1082010) - CVE-2018-1000076: Fixed improper verification of signatures in tarball allows to install mis-signed gem (bsc#1082009) - CVE-2018-1000074: Fixed unsafe Object Deserialization Vulnerability in gem owner allowing arbitrary code execution on specially crafted YAML (bsc#1082008) - CVE-2018-1000073: Fixed path traversal when writing to a symlinked basedir outside of the root (bsc#1082007) Other changes: - Fixed Net::POPMail methods modify frozen literal when using default arg - ruby: change over of the Japanese Era to the new emperor May 1st 2019 (bsc#1133790) - build with PIE support (bsc#1130028) Changes in ruby-bundled-gems-rpmhelper: - Add a new helper for bundled ruby gems. ----------------------------------------- Patch: SUSE-2019-1807 Released: Wed Jul 10 13:13:21 2019 Summary: Recommended update for java-11-openjdk Severity: moderate References: 1137264 Description: This update ships the OpenJDK LTS version 11 in the java-11-openjdk packages. (FATE#326347 bsc#1137264) ----------------------------------------- Patch: SUSE-2019-1815 Released: Thu Jul 11 07:47:55 2019 Summary: Recommended update for timezone Severity: moderate References: 1140016 Description: This update for timezone fixes the following issues: - Timezone update 2019b. (bsc#1140016): - Brazil no longer observes DST. - 'zic -b slim' outputs smaller TZif files. - Palestine's 2019 spring-forward transition was on 03-29, not 03-30. - Add info about the Crimea situation. ----------------------------------------- Patch: SUSE-2019-1864 Released: Wed Jul 17 12:22:37 2019 Summary: Recommended update for osc Severity: moderate References: 1138165 Description: This update for osc fixes the following issues: - Version update to version 0.165.1 (bsc#1138165) * fix oscssl 'urldefrag is not defined error' * osc release command now python3 compatible * add more decode logic in get_commitlog * osc add 'dir' in compressed mode now works with python3 * osc getbinaries now prints the output instead of using the quiet mode as a default ----------------------------------------- Patch: SUSE-2019-1892 Released: Thu Jul 18 15:54:35 2019 Summary: Recommended update for openslp Severity: moderate References: 1117969,1136136 Description: This update for openslp fixes the following issues: - Use tcp connects to talk with other directory agents (DAs) (bsc#1117969) - Fix segfault in predicate match if a registered service has a malformed attribute list (bsc#1136136) ----------------------------------------- Patch: SUSE-2019-1894 Released: Thu Jul 18 16:18:10 2019 Summary: Security update for LibreOffice Severity: moderate References: 1089811,1116451,1121874,1123131,1123455,1124062,1124869,1127760,1127857,1128845,1135189,1135228,CVE-2018-16858 Description: This update for libreoffice and libraries fixes the following issues: LibreOffice was updated to 6.2.5.2 (fate#327121 bsc#1128845 bsc#1123455), bringing lots of bug and stability fixes. Additional bugfixes: - If there is no firebird engine we still need java to run hsqldb (bsc#1135189) - PPTX: Rectangle turns from green to blue and loses transparency when transparency is set (bsc#1135228) - Slide deck compression doesn't, hmm, compress too much (bsc#1127760) - Psychedelic graphics in LibreOffice (but not PowerPoint) (bsc#1124869) - Image from PPTX shown in a square, not a circle (bsc#1121874) libixion was updated to 0.14.1: * Updated for new orcus liborcus was updated to 0.14.1: * Boost 1.67 support * Various cell handling issues fixed libwps was updated to 0.4.10: * QuattroPro: add parser of .qwp files * all: support complex encoding mdds was updated to 1.4.3: * Api change to 1.4 * More multivector operations and tweaks * Various multi vector fixes * flat_segment_tree: add segment iterator and functions * fix to handle out-of-range insertions on flat_segment_tree * Another api version -> rename to mdds-1_2 myspell-dictionaries was updated to 20190423: * Serbian dictionary updated * Update af_ZA hunspell * Update Spanish dictionary * Update Slovenian dictionary * Update Breton dictionary * Update Galician dictionary ----------------------------------------- Patch: SUSE-2019-1916 Released: Mon Jul 22 08:44:01 2019 Summary: Recommended update for yast2-saptune Severity: moderate References: 1077615,1135879 Description: This update for yast2-saptune fixes the following issues: - Fix to disable tuned daemon, if saptune is not configured (bsc#1135879) ----------------------------------------- Patch: SUSE-2019-1963 Released: Wed Jul 24 11:41:43 2019 Summary: Security update for openexr Severity: moderate References: 1040109,1040113,1040115,CVE-2017-9111,CVE-2017-9113,CVE-2017-9115 Description: This update for openexr fixes the following issues: Security issues fixed: - CVE-2017-9111: Fixed an invalid write of size 8 in the storeSSE function in ImfOptimizedPixelReading.h (bsc#1040109). - CVE-2017-9113: Fixed an invalid write of size 1 in the bufferedReadPixels function in ImfInputFile.cpp (bsc#1040113). - CVE-2017-9115: Fixed an invalid write of size 2 in the = operator function inhalf.h (bsc#1040115). ----------------------------------------- Patch: SUSE-2019-1998 Released: Fri Jul 26 16:13:22 2019 Summary: Recommended update for sysstat Severity: moderate References: 1138767 Description: This update for sysstat fixes the following issues: - Fix scaling issue with mtab symlinks and automounter. (bsc#1138767) ----------------------------------------- Patch: SUSE-2019-2001 Released: Fri Jul 26 18:09:41 2019 Summary: Recommended update for docker Severity: important References: 1138920 Description: This update for docker fixes the following issues: - Mark daemon.json as %config(noreplace) to not overwrite it during installation (bsc#1138920) ----------------------------------------- Patch: SUSE-2019-2002 Released: Mon Jul 29 13:00:27 2019 Summary: Security update for java-11-openjdk Severity: important References: 1115375,1140461,1141780,1141781,1141782,1141783,1141784,1141785,1141787,1141788,1141789,CVE-2019-2745,CVE-2019-2762,CVE-2019-2766,CVE-2019-2769,CVE-2019-2786,CVE-2019-2816,CVE-2019-2818,CVE-2019-2821,CVE-2019-7317 Description: This update for java-11-openjdk to version jdk-11.0.4+11 fixes the following issues: Security issues fixed: - CVE-2019-2745: Improved ECC Implementation (bsc#1141784). - CVE-2019-2762: Exceptional throw cases (bsc#1141782). - CVE-2019-2766: Improve file protocol handling (bsc#1141789). - CVE-2019-2769: Better copies of CopiesList (bsc#1141783). - CVE-2019-2786: More limited privilege usage (bsc#1141787). - CVE-2019-7317: Improve PNG support options (bsc#1141780). - CVE-2019-2818: Better Poly1305 support (bsc#1141788). - CVE-2019-2816: Normalize normalization (bsc#1141785). - CVE-2019-2821: Improve TLS negotiation (bsc#1141781). - Certificate validation improvements Non-security issues fixed: - Do not fail installation when the manpages are not present (bsc#1115375) - Backport upstream fix for JDK-8208602: Cannot read PEM X.509 cert if there is whitespace after the header or footer (bsc#1140461) ----------------------------------------- Patch: SUSE-2019-2003 Released: Mon Jul 29 13:01:22 2019 Summary: Security update for libreoffice Severity: important References: 1110348,1112112,1112113,1112114,1116451,1117195,1117300,1121874,1123131,1123455,1124062,1124658,1124869,1127760,1127857,1128845,1135189,1135228,882383,CVE-2018-16858 Description: This update for libreoffice fixes the following issues: LibreOffice was updated to 6.2.5.2 (fate#327121). Security issue fixed: - CVE-2018-16858: LibreOffice was vulnerable to a directory traversal attack which could be used to execute arbitrary macros bundled with a document. An attacker could craft a document, which when opened by LibreOffice, would execute a Python method from a script in any arbitrary file system location, specified relative to the LibreOffice install location. (bsc#1124062) Other bugfixes: - If there is no firebird engine we still need java to run hsqldb (bsc#1135189) - Require firebird as default driver for base if enabled - PPTX: Rectangle turns from green to blue and loses transparency when transparency is set (bsc1135228) - Slide deck compression doesn't, hmm, compress too much (bsc#1127760) - Psychedelic graphics in LibreOffice (but not PowerPoint) (bsc#1124869) - Image from PPTX shown in a square, not a circle (bsc#1121874) - Switch to the new web based help system bsc#1116451 - Enable new approach for mariadb connector again - PPTX: SmartArt: Basic rendering of the Organizational Chart (bsc#1112114) - PPTX: SmartArt: Basic rendering of Accent Process and Continuous Block Process (bsc#1112113) - Saving a new document can silently overwrite an existing document (bsc#1117300) - Install also C++ libreofficekit headers bsc#1117195 - Chart in PPTX lacks color and is too large (bsc#882383) - PPTX: SmartArt: Basic rendering of several list types (bsc#1112112) - PPTX: Charts having weird/darker/ugly background versus Office 365 and strange artefacts where overlapping (bsc#1110348) ----------------------------------------- Patch: SUSE-2019-2005 Released: Mon Jul 29 13:02:15 2019 Summary: Recommended update for cloud-init Severity: moderate References: 1116767,1119397,1121878,1123694,1125950,1125992,1126101,1132692,1136440 Description: This update for cloud-init fixes the following issues: - Fixes a bug where only the last defined route was written to the routes configuration file (bsc#1132692) - Fixes a bug where a new network rules file for network devices didn't apply immediately (bsc#1125950) - Improved the writing of route config files to avoid issues (bsc#1125992) - Fixes a bug where OpenStack instances where not detected on VIO (bsc#1136440) - Fixes a bug where IPv4 and IPv6 were not set up as default routes (bsc#1121878) - Added a fix to prevent the resolv.conf to be empty (bsc#1119397) - Uses now the proper name to designate IPv6 addresses in ifcfg-* files (bsc#1126101) - Fixes an issue where the ifroute-eth0 file got corrupted when cloning an existing instance (bsc#1123694) Some more fixes were included within the 19.1 update of cloud-init. Please refer to the package changelog for more details. ----------------------------------------- Patch: SUSE-2019-2020 Released: Tue Jul 30 13:18:31 2019 Summary: Security update for mariadb, mariadb-connector-c Severity: important References: 1126088,1132666,1136035,CVE-2019-2614,CVE-2019-2627,CVE-2019-2628 Description: This update for mariadb and mariadb-connector-c fixes the following issues: mariadb: - Update to version 10.2.25 (bsc#1136035) - CVE-2019-2628: Fixed a remote denial of service by an privileged attacker (bsc#1136035). - CVE-2019-2627: Fixed another remote denial of service by an privileged attacker (bsc#1136035). - CVE-2019-2614: Fixed a potential remote denial of service by an privileged attacker (bsc#1136035). - Fixed reading options for multiple instances if my${INSTANCE}.cnf is used (bsc#1132666) mariadb-connector-c: - Update to version 3.1.2 (bsc#1136035) - Moved libmariadb.pc from /usr/lib/pkgconfig to /usr/lib64/pkgconfig for x86_64 (bsc#1126088) ----------------------------------------- Patch: SUSE-2019-2021 Released: Tue Jul 30 16:38:55 2019 Summary: Security update for java-1_8_0-openjdk Severity: important References: 1115375,1141780,1141782,1141783,1141784,1141785,1141786,1141787,1141789,CVE-2019-2745,CVE-2019-2762,CVE-2019-2766,CVE-2019-2769,CVE-2019-2786,CVE-2019-2816,CVE-2019-2842,CVE-2019-7317 Description: This update for java-1_8_0-openjdk to version 8u222 fixes the following issues: Security issues fixed: - CVE-2019-2745: Improved ECC Implementation (bsc#1141784). - CVE-2019-2762: Exceptional throw cases (bsc#1141782). - CVE-2019-2766: Improve file protocol handling (bsc#1141789). - CVE-2019-2769: Better copies of CopiesList (bsc#1141783). - CVE-2019-2786: More limited privilege usage (bsc#1141787). - CVE-2019-2816: Normalize normalization (bsc#1141785). - CVE-2019-2842: Extended AES support (bsc#1141786). - CVE-2019-7317: Improve PNG support (bsc#1141780). - Certificate validation improvements Non-security issue fixed: - Fixed an issue where the installation failed when the manpages are not present (bsc#1115375) ----------------------------------------- Patch: SUSE-2019-2039 Released: Fri Aug 2 08:34:40 2019 Summary: Recommended update for transfig Severity: moderate References: 1136882 Description: This update for transfig fixes the following issues: - Fix export to PDF, PNG from. (bsc#1136882) ----------------------------------------- Patch: SUSE-2019-2043 Released: Fri Aug 2 15:18:37 2019 Summary: Security update for openexr Severity: moderate References: 1061305,CVE-2017-14988 Description: This update for openexr fixes the following issues: - CVE-2017-14988: Fixed a denial of service in Header::readfrom() (bsc#1061305). ----------------------------------------- Patch: SUSE-2019-2060 Released: Tue Aug 6 14:27:41 2019 Summary: Recommended update for libreoffice-share-linker Severity: moderate References: 1139727 Description: This update for libreoffice-share-linker fixes the following issues: - Work with paranoid umask settings. (bsc#1139727) ----------------------------------------- Patch: SUSE-2019-2061 Released: Tue Aug 6 14:28:33 2019 Summary: Recommended update for several bugs for Hawk2 Severity: moderate References: 1089802,1137891 Description: Update for Hawk2 for the following issues: - Fix display in case of nameless cluster (bsc#1137891) - Fix utility method for checking ACL version in Hawk (bsc#1089802) ----------------------------------------- Patch: SUSE-2019-2067 Released: Tue Aug 6 17:22:07 2019 Summary: Security update for osc Severity: important References: 1129889,1138977,1140697,1142518,1142662,1144211,CVE-2019-3685 Description: This update for osc to version 0.165.4 fixes the following issues: Security issue fixed: - CVE-2019-3685: Fixed broken TLS certificate handling allowing for a Man-in-the-middle attack (bsc#1142518). Non-security issues fixed: - support different token operations (runservice, release and rebuild) (requires OBS 2.10) - fix osc token decode error - offline build mode is now really offline and does not try to download the buildconfig - osc build -define now works with python3 - fixes an issue where the error message on osc meta -e was not parsed correctly - osc maintainer -s now works with python3 - simplified and fixed osc meta -e (bsc#1138977) - osc lbl now works with non utf8 encoding (bsc#1129889) - add simpleimage as local build type - allow optional fork when creating a maintenance request - fix RPMError fallback - fix local caching for all package formats - fix appname for trusted cert store - osc -h does not break anymore when using plugins - switch to difflib.diff_bytes and sys.stdout.buffer.write for diffing. This will fix all decoding issues with osc diff, osc ci and osc rq -d - fix osc ls -lb handling empty size and mtime - removed decoding on osc api command. ----------------------------------------- Patch: SUSE-2019-2077 Released: Wed Aug 7 10:54:05 2019 Summary: Recommended update for wireless-regdb Severity: moderate References: 1138177 Description: This update for wireless-regdb fixes the following issues: - Update to version 2019.06.03 (bsc#1138177): * Expand 60 GHz band for Japan to 57-66 GHz * update source of information for CU * Update regulatory rules for South Korea * Update regulatory rules for Japan (JP) on 5GHz * update source of information for ES ----------------------------------------- Patch: SUSE-2019-2094 Released: Fri Aug 9 06:56:18 2019 Summary: Recommended update for glm Severity: moderate References: 1135667 Description: This update for glm fixes the following issues: - Create a glm.pc file (fixes bsc#1135667) ----------------------------------------- Patch: SUSE-2019-2095 Released: Fri Aug 9 06:56:48 2019 Summary: Recommended update for container-suseconnect Severity: moderate References: 1138731 Description: This update for container-suseconnect fixes the following issues: container-suseconnect was updated to 2.1.0 (bsc#1138731), fixing interacting with SCC behind proxy and SMT. ----------------------------------------- Patch: SUSE-2019-2096 Released: Fri Aug 9 06:57:23 2019 Summary: Recommended update for docker-img-store-setup Severity: moderate References: 1138201 Description: This update for docker-img-store-setup fixes the following issues: - Support creation of the container storage filesystem with XFS to use the overlay fs driver. (bsc#1138201) ----------------------------------------- Patch: SUSE-2019-2103 Released: Fri Aug 9 13:16:36 2019 Summary: Security update for wireshark Severity: moderate References: 1141980,CVE-2019-13619 Description: This update for wireshark to version 2.4.16 fixes the following issues: Security issue fixed: - CVE-2019-13619: ASN.1 BER and related dissectors crash (bsc#1141980). ----------------------------------------- Patch: SUSE-2019-2116 Released: Tue Aug 13 07:43:01 2019 Summary: Recommended update for aide Severity: moderate References: 1098360 Description: This update for aide fixes the following issues: - Remove not available gcrypt algorithm 7 DB_HAVAL (bsc#1098360). ----------------------------------------- Patch: SUSE-2019-2117 Released: Tue Aug 13 14:56:55 2019 Summary: Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork Severity: important References: 1100331,1121967,1138920,1139649,1142160,1142413,1143409,CVE-2018-10892,CVE-2019-13509,CVE-2019-14271,CVE-2019-5736 Description: This update for containerd, docker, docker-runc, golang-github-docker-libnetwork fixes the following issues: Docker: - CVE-2019-14271: Fixed a code injection if the nsswitch facility dynamically loaded a library inside a chroot (bsc#1143409). - CVE-2019-13509: Fixed an information leak in the debug log (bsc#1142160). - Update to version 19.03.1-ce, see changelog at /usr/share/doc/packages/docker/CHANGELOG.md (bsc#1142413, bsc#1139649). runc: - Use %config(noreplace) for /etc/docker/daemon.json (bsc#1138920). - Update to runc 425e105d5a03, which is required by Docker (bsc#1139649). containerd: - CVE-2019-5736: Fixed a container breakout vulnerability (bsc#1121967). - Update to containerd v1.2.6, which is required by docker (bsc#1139649). golang-github-docker-libnetwork: - Update to version git.fc5a7d91d54cc98f64fc28f9e288b46a0bee756c, which is required by docker (bsc#1142413, bsc#1139649). ----------------------------------------- Patch: SUSE-2019-2121 Released: Wed Aug 14 11:17:51 2019 Summary: Optional update for susemanager-cloud-setup Severity: moderate References: 1138254 Description: This is the initial release of the susemanager-cloud-setup packages (bsc#1138254, fate#327820) ----------------------------------------- Patch: SUSE-2019-2122 Released: Wed Aug 14 11:17:59 2019 Summary: Recommended update for lifecycle-data-sle-module-live-patching Severity: moderate References: 1020320 Description: This update for lifecycle-data-sle-module-live-patching fixes the following issues: - Added data for 4_12_14-150_14, 4_12_14-150_17, 4_12_14-150_22, 4_12_14-195, 4_12_14-197_4, 4_12_14-197_7, 4_12_14-25_28. (bsc#1020320) ----------------------------------------- Patch: SUSE-2019-2134 Released: Wed Aug 14 11:54:56 2019 Summary: Recommended update for zlib Severity: moderate References: 1136717,1137624,1141059,SLE-5807 Description: This update for zlib fixes the following issues: - Update the s390 patchset. (bsc#1137624) - Tweak zlib-power8 to have type of crc32_vpmsum conform to usage. (bsc#1141059) - Use FAT LTO objects in order to provide proper static library. - Do not enable the previous patchset on s390 but just s390x. (bsc#1137624) - Add patchset for s390 improvements. (jsc#SLE-5807, bsc#1136717) ----------------------------------------- Patch: SUSE-2019-2139 Released: Wed Aug 14 12:53:22 2019 Summary: Recommended update for google-compute-engine Severity: moderate References: 1144092,1144170 Description: This update for google-compute-engine fixes the following issues: - updated to version 20190801 (bsc#1144092, bsc#1144170) * Fix for 2FA on RHEL 8 * Support for Debian 10 * Support for Google Private Access over IPv6 * Support root disk expansion in RHEL 8 and Debian 10 Some more minor bug fixes were included in this maintenance update. The full list can be retrieved from this rpm's changelog file. ----------------------------------------- Patch: SUSE-2019-2141 Released: Wed Aug 14 14:45:18 2019 Summary: Recommended update for cloud-regionsrv-client Severity: moderate References: 1136112,1136113,1137384,1137385 Description: This update for cloud-regionsrv-client fixes the following issues: - If the credentials are not valid, an error is issued and the user is instructed to re-register the system - Fixes a bug where the registration client aborted with a traceback when the instance data cannot be retrieved (bsc#1137384, bsc#1137385) This maintenance update for cloud-regionsrv-client includes some more smaller bug fixes as well. Please refer to this rpm's changelog file to receive a full list of all changes. ----------------------------------------- Patch: SUSE-2019-2142 Released: Wed Aug 14 18:14:04 2019 Summary: Recommended update for mozilla-nspr, mozilla-nss Severity: moderate References: 1141322 Description: This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nss was updated to NSS 3.45 (bsc#1141322) : * New function in pk11pub.h: PK11_FindRawCertsWithSubject * The following CA certificates were Removed: CN = Certinomis - Root CA (bmo#1552374) * Implement Delegated Credentials (draft-ietf-tls-subcerts) (bmo#1540403) This adds a new experimental function SSL_DelegateCredential Note: In 3.45, selfserv does not yet support delegated credentials (See bmo#1548360). Note: In 3.45 the SSLChannelInfo is left unmodified, while an upcoming change in 3.46 will set SSLChannelInfo.authKeyBits to that of the delegated credential for better policy enforcement (See bmo#1563078). * Replace ARM32 Curve25519 implementation with one from fiat-crypto (bmo#1550579) * Expose a function PK11_FindRawCertsWithSubject for finding certificates with a given subject on a given slot (bmo#1552262) * Add IPSEC IKE support to softoken (bmo#1546229) * Add support for the Elbrus lcc compiler (<=1.23) (bmo#1554616) * Expose an external clock for SSL (bmo#1543874) This adds new experimental functions: SSL_SetTimeFunc, SSL_CreateAntiReplayContext, SSL_SetAntiReplayContext, and SSL_ReleaseAntiReplayContext. The experimental function SSL_InitAntiReplay is removed. * Various changes in response to the ongoing FIPS review (bmo#1546477) Note: The source package size has increased substantially due to the new FIPS test vectors. This will likely prompt follow-on work, but please accept our apologies in the meantime. mozilla-nspr was updated to version 4.21 * Changed prbit.h to use builtin function on aarch64. * Removed Gonk/B2G references. ----------------------------------------- Patch: SUSE-2019-2145 Released: Thu Aug 15 07:33:19 2019 Summary: Recommended update for python3-susepubliccloudinfo Severity: moderate References: 1144100,1144102 Description: This update for python3-susepubliccloudinfo fixes the following issues: - Added support for 'oracle' framework for images only (bsc#1144100, bsc#1144102) ----------------------------------------- Patch: SUSE-2019-2188 Released: Wed Aug 21 10:10:29 2019 Summary: Recommended update for aaa_base Severity: moderate References: 1140647 Description: This update for aaa_base fixes the following issues: - Make systemd detection cgroup oblivious. (bsc#1140647) ----------------------------------------- Patch: SUSE-2019-2189 Released: Wed Aug 21 10:12:23 2019 Summary: Recommended update for sysstat Severity: moderate References: 1142470 Description: This update for sysstat fixes the following issues: - Remove deprecated gettext and require gettext-runtime during build only. (bsc#1142470) ----------------------------------------- Patch: SUSE-2019-2191 Released: Wed Aug 21 17:59:24 2019 Summary: Security update for wavpack Severity: low References: 1133384,1141334,CVE-2019-1010319,CVE-2019-11498 Description: This update for wavpack fixes the following issues: Security issues fixed: - CVE-2019-1010319: Fixed use of uninitialized variable in ParseWave64HeaderConfig that can result in unexpected control flow, crashes, and segfaults (bsc#1141334). - CVE-2019-11498: Fixed possible denial of service (application crash) in WavpackSetConfiguration64 via a DFF file that lacks valid sample-rate data (bsc#1133384). ----------------------------------------- Patch: SUSE-2019-2198 Released: Thu Aug 22 14:35:15 2019 Summary: Recommended update for cloud-regionsrv-client Severity: important References: 1144754,1146321,1146462,1146463,1146467,1146468,1146610 Description: This update for cloud-regionsrv-client fixes the following issues: - Adds a dependency to python3-urllib3 (bsc#1146610, bsc#1146321, bsc#1144754) - Fixes an issue where the registration client exited with a traceback since the last update (bsc#1146462, bsc#1146463) - Clear the new-registration marker if the instance has a cache of update servers (bsc#1146467, bsc#1146468) ----------------------------------------- Patch: SUSE-2019-2200 Released: Thu Aug 22 14:36:04 2019 Summary: Recommended update for quota Severity: low References: 1144265 Description: This update for quota fixes the following issues: - quota will stop processing the config file in case of errors (bsc#1144265) ----------------------------------------- Patch: SUSE-2019-2218 Released: Mon Aug 26 11:29:57 2019 Summary: Recommended update for pinentry Severity: moderate References: 1141883 Description: This update for pinentry fixes the following issues: - Fix a dangling pointer in qt/main.cpp that caused crashes. (bsc#1141883) ----------------------------------------- Patch: SUSE-2019-2223 Released: Tue Aug 27 15:42:56 2019 Summary: Security update for podman, slirp4netns and libcontainers-common Severity: moderate References: 1096726,1123156,1123387,1135460,1136974,1137860,1143386,CVE-2018-15664,CVE-2019-10152,CVE-2019-6778 Description: This is a version update for podman to version 1.4.4 (bsc#1143386). Additional changes by SUSE on top: - Remove fuse-overlayfs because it's (currently) an unsatisfied dependency on SLE (bsc#1143386) - Update libpod.conf to use correct infra_command - Update libpod.conf to use better versioned pause container - Update libpod.conf to use official kubic pause container - Update libpod.conf to match latest features set: detach_keys, lock_type, runtime_supports_json - Add podman-remote varlink client Version update podman to v1.4.4: - Features - Podman now has greatly improved support for containers using multiple OCI runtimes. Containers now remember if they were created with a different runtime using --runtime and will always use that runtime - The cached and delegated options for volume mounts are now allowed for Docker compatability (#3340) - The podman diff command now supports the --latest flag - Bugfixes - Fixed a bug where rootless Podman would attempt to use the entire root configuration if no rootless configuration was present for the user, breaking rootless Podman for new installations - Fixed a bug where rootless Podman's pause process would block SIGTERM, preventing graceful system shutdown and hanging until the system's init send SIGKILL - Fixed a bug where running Podman as root with sudo -E would not work after running rootless Podman at least once - Fixed a bug where options for tmpfs volumes added with the --tmpfs flag were being ignored - Fixed a bug where images with no layers could not properly be displayed and removed by Podman - Fixed a bug where locks were not properly freed on failure to create a container or pod - Fixed a bug where podman cp on a single file would create a directory at the target and place the file in it (#3384) - Fixed a bug where podman inspect --format '{{.Mounts}}' would print a hexadecimal address instead of a container's mounts - Fixed a bug where rootless Podman would not add an entry to container's /etc/hosts files for their own hostname (#3405) - Fixed a bug where podman ps --sync would segfault (#3411) - Fixed a bug where podman generate kube would produce an invalid ports configuration (#3408) - Misc - Updated containers/storage to v1.12.13 - Podman now performs much better on systems with heavy I/O load - The --cgroup-manager flag to podman now shows the correct default setting in help if the default was overridden by libpod.conf - For backwards compatability, setting --log-driver=json-file in podman run is now supported as an alias for --log-driver=k8s-file. This is considered deprecated, and json-file will be moved to a new implementation in the future ([#3363](https://github.com/containers/libpo\ d/issues/3363)) - Podman's default libpod.conf file now allows the crun OCI runtime to be used if it is installed Update podman to v1.4.2: - Fixed a bug where Podman could not run containers using an older version of Systemd as init - Updated vendored Buildah to v1.9.0 to resolve a critical bug with Dockerfile RUN instructions - The error message for running podman kill on containers that are not running has been improved - Podman remote client can now log to a file if syslog is not available - The podman exec command now sets its error code differently based on whether the container does not exist, and the command in the container does not exist - The podman inspect command on containers now outputs Mounts JSON that matches that of docker inspect, only including user-specified volumes and differentiating bind mounts and named volumes - The podman inspect command now reports the path to a container's OCI spec with the OCIConfigPath key (only included when the container is initialized or running) - The podman run --mount command now supports the bind-nonrecursive option for bind mounts - Fixed a bug where podman play kube would fail to create containers due to an unspecified log driver - Fixed a bug where Podman would fail to build with musl libc - Fixed a bug where rootless Podman using slirp4netns networking in an environment with no nameservers on the host other than localhost would result in nonfunctional networking - Fixed a bug where podman import would not properly set environment variables, discarding their values and retaining only keys - Fixed a bug where Podman would fail to run when built with Apparmor support but run on systems without the Apparmor kernel module loaded - Remote Podman will now default the username it uses to log in to remote systems to the username of the current user - Podman now uses JSON logging with OCI runtimes that support it, allowing for better error reporting - Updated vendored containers/image to v2.0 - Update conmon to v0.3.0 - Support OOM Monitor under cgroup V2 - Add config binary and make target for configuring conmon with a go library for importing values Updated podman to version 1.4.0 (bsc#1137860) and (bsc#1135460) - Podman checkpoint and podman restore commands can now be used to migrate containers between Podman installations on different systems. - The podman cp now supports pause flag. - The remote client now supports a configuration file for pre-configuring connections to remote Podman installations - CVE-2019-10152: Fixed an iproper dereference of symlinks of the the podman cp command which introduced in version 1.1.0 (bsc#1136974). - Fixed a bug where podman commit could improperly set environment variables that contained = characters - Fixed a bug where rootless podman would sometimes fail to start containers with forwarded ports - Fixed a bug where podman version on the remote client could segfault - Fixed a bug where podman container runlabel would use /proc/self/exe instead of the path of the Podman command when printing the command being executed - Fixed a bug where filtering images by label did not work - Fixed a bug where specifying a bing mount or tmpfs mount over an image volume would cause a container to be unable to start - Fixed a bug where podman generate kube did not work with containers with named volumes - Fixed a bug where rootless podman would receive permission denied errors accessing conmon.pid - Fixed a bug where podman cp with a folder specified as target would replace the folder, as opposed to copying into it - Fixed a bug where rootless Podman commands could double-unlock a lock, causing a crash - Fixed a bug where podman incorrectly set tmpcopyup on /dev/ mounts, causing errors when using the Kata containers runtime - Fixed a bug where podman exec would fail on older kernels - Podman commit command is now usable with the Podman remote client - Signature-policy flag has been deprecated - Updated vendored containers/storage and containers/image libraries with numerous bugfixes - Updated vendored Buildah to v1.8.3 - Podman now requires Conmon v0.2.0 - The podman cp command is now aliased as podman container cp - Rootless podman will now default init_path using root Podman's configuration files (/etc/containers/libpod.conf and /usr/share/containers/libpod.conf) if not overridden in the rootless configuration - Added fuse-overlayfs dependency to support overlay based rootless image manipulations - The podman cp command can now read input redirected to STDIN, and output to STDOUT instead of a file, using - instead of an argument. - The podman remote client now displays version information from both the client and server in podman version - The podman unshare command has been added, allowing easy entry into the user namespace set up by rootless Podman (allowing the removal of files created by rootless podman, among other things) - Fixed a bug where Podman containers with the --rm flag were removing created volumes when they were automatically removed - Fixed a bug where container and pod locks were incorrectly marked as released after a system reboot, causing errors on container and pod removal - Fixed a bug where Podman pods could not be removed if any container in the pod encountered an error during removal - Fixed a bug where Podman pods run with the cgroupfs CGroup driver would encounter a race condition during removal, potentially failing to remove the pod CGroup - Fixed a bug where the podman container checkpoint and podman container restore commands were not visible in the remote client - Fixed a bug where podman remote ps --ns would not print the container's namespaces - Fixed a bug where removing stopped containers with healthchecks could cause an error - Fixed a bug where the default libpod.conf file was causing parsing errors - Fixed a bug where pod locks were not being freed when pods were removed, potentially leading to lock exhaustion - Fixed a bug where 'podman run' with SD_NOTIFY set could, on short-running containers, create an inconsistent state rendering the container unusable - The remote Podman client now uses the Varlink bridge to establish remote connections by default - Fixed an issue with apparmor_parser (bsc#1123387) - Update to libpod v1.4.0 (bsc#1137860): - The podman checkpoint and podman restore commands can now be used to migrate containers between Podman installations on different systems - The podman cp command now supports a pause flag to pause containers while copying into them - The remote client now supports a configuration file for pre-configuring connections to remote Podman installations - Fixed CVE-2019-10152 - The podman cp command improperly dereferenced symlinks in host context - Fixed a bug where podman commit could improperly set environment variables that contained = characters - Fixed a bug where rootless Podman would sometimes fail to start containers with forwarded ports - Fixed a bug where podman version on the remote client could segfault - Fixed a bug where podman container runlabel would use /proc/self/exe instead of the path of the Podman command when printing the command being executed - Fixed a bug where filtering images by label did not work - Fixed a bug where specifying a bing mount or tmpfs mount over an image volume would cause a container to be unable to start - Fixed a bug where podman generate kube did not work with containers with named volumes - Fixed a bug where rootless Podman would receive permission denied errors accessing conmon.pid - Fixed a bug where podman cp with a folder specified as target would replace the folder, as opposed to copying into it - Fixed a bug where rootless Podman commands could double-unlock a lock, causing a crash - Fixed a bug where Podman incorrectly set tmpcopyup on /dev/ mounts, causing errors when using the Kata containers runtime - Fixed a bug where podman exec would fail on older kernels - The podman commit command is now usable with the Podman remote client - The --signature-policy flag (used with several image-related commands) has been deprecated - The podman unshare command now defines two environment variables in the spawned shell: CONTAINERS_RUNROOT and CONTAINERS_GRAPHROOT, pointing to temporary and permanent storage for rootless containers - Updated vendored containers/storage and containers/image libraries with numerous bugfixes - Updated vendored Buildah to v1.8.3 - Podman now requires Conmon v0.2.0 - The podman cp command is now aliased as podman container cp - Rootless Podman will now default init_path using root Podman's configuration files (/etc/containers/libpod.conf and /usr/share/containers/libpod.conf) if not overridden in the rootless configuration - Update to image v1.5.1 - Vendor in latest containers/storage - docker/docker_client: Drop redundant Domain(ref.ref) call - pkg/blobinfocache: Split implementations into subpackages - copy: progress bar: show messages on completion - docs: rename manpages to *.5.command - add container-certs.d.md manpage - pkg/docker/config: Bring auth tests from docker/docker_client_test - Don't allocate a sync.Mutex separately Update to storage v1.12.10: - Add function to parse out mount options from graphdriver - Merge the disparate parts of all of the Unix-like lockfiles - Fix unix-but-not-Linux compilation - Return XDG_RUNTIME_DIR as RootlessRuntimeDir if set - Cherry-pick moby/moby #39292 for CVE-2018-15664 fixes - lockfile: add RecursiveLock() API - Update generated files - Fix crash on tesing of aufs code - Let consumers know when Layers and Images came from read-only stores - chown: do not change owner for the mountpoint - locks: correctly mark updates to the layers list - CreateContainer: don't worry about mapping layers unless necessary - docs: fix manpage for containers-storage.conf - docs: sort configuration options alphabetically - docs: document OSTree file deduplication - Add missing options to man page for containers-storage - overlay: use the layer idmapping if present - vfs: prefer layer custom idmappings - layers: propagate down the idmapping settings - Recreate symlink when not found - docs: fix manpage for configuration file - docs: add special handling for manpages in sect 5 - overlay: fix single-lower test - Recreate symlink when not found - overlay: propagate errors from mountProgram - utils: root in a userns uses global conf file - Fix handling of additional stores - Correctly check permissions on rootless directory - Fix possible integer overflow on 32bit builds - Evaluate device path for lvm - lockfile test: make concurrent RW test determinisitc - lockfile test: make concurrent read tests deterministic - drivers.DirCopy: fix filemode detection - storage: move the logic to detect rootless into utils.go - Don't set (struct flock).l_pid - Improve documentation of getLockfile - Rename getLockFile to createLockerForPath, and document it - Add FILES section to containers-storage.5 man page - add digest locks - drivers/copy: add a non-cgo fallback slirp4netns was updated to 0.3.0: - CVE-2019-6778: Fixed a heap buffer overflow in tcp_emu() (bsc#1123156) This update also includes: - fuse3 and fuse-overlayfs to support rootless containers. ----------------------------------------- Patch: SUSE-2019-2229 Released: Wed Aug 28 07:58:29 2019 Summary: Security update for slurm Severity: important References: 1140709,CVE-2019-12838 Description: This update for slurm to version 18.08.8 fixes the following issues: Security issue fixed: - CVE-2019-12838: Fixed a SQL injection in slurmdbd (bsc#1140709). ----------------------------------------- Patch: SUSE-2019-2249 Released: Thu Aug 29 08:18:30 2019 Summary: Recommended update for python-kiwi Severity: moderate References: 1141168 Description: This update for python-kiwi fixes the following issues: - kiwi will no longer create an empty machine-id file in case it is not provided during the system installation (bsc#1141168) ----------------------------------------- Patch: SUSE-2019-2283 Released: Wed Sep 4 13:41:47 2019 Summary: Recommended update for google-compute-engine Severity: moderate References: 1146172 Description: This update for google-compute-engine fixes the following issues: - Fix install location of NSS and PAM shared libraries (bsc#1146172) - Switch RPM group for oslogin package from Hardware to System/Daemons ----------------------------------------- Patch: SUSE-2019-2291 Released: Wed Sep 4 16:48:52 2019 Summary: Security update for java-1_8_0-ibm Severity: important References: 1122292,1122299,1141780,1141782,1141783,1141785,1141787,1141789,1147021,CVE-2018-11212,CVE-2019-11771,CVE-2019-11772,CVE-2019-11775,CVE-2019-2449,CVE-2019-2762,CVE-2019-2766,CVE-2019-2769,CVE-2019-2786,CVE-2019-2816,CVE-2019-4473,CVE-2019-7317 Description: This update for java-1_8_0-ibm fixes the following issues: Update to Java 8.0 Service Refresh 5 Fix Pack 40. Security issues fixed: - CVE-2019-11771: IBM Security Update July 2019 (bsc#1147021) - CVE-2019-11772: IBM Security Update July 2019 (bsc#1147021) - CVE-2019-11775: IBM Security Update July 2019 (bsc#1147021) - CVE-2019-4473: IBM Security Update July 2019 (bsc#1147021) - CVE-2019-7317: Fixed issue inside Component AWT (libpng)(bsc#1141780). - CVE-2019-2769: Fixed issue inside Component Utilities (bsc#1141783). - CVE-2019-2762: Fixed issue inside Component Utilities (bsc#1141782). - CVE-2019-2816: Fixed issue inside Component Networking (bsc#1141785). - CVE-2019-2766: Fixed issue inside Component Networking (bsc#1141789). - CVE-2019-2786: Fixed issue inside Component Security (bsc#1141787). ----------------------------------------- Patch: SUSE-2019-2323 Released: Fri Sep 6 09:19:52 2019 Summary: Recommended update for pesign Severity: moderate References: 1144441 Description: This update for pesign contains the following fixes: - Fix the build failure with NSS 3.44. (bsc#1144441) ----------------------------------------- Patch: SUSE-2019-2340 Released: Tue Sep 10 09:31:35 2019 Summary: Security update for skopeo Severity: important References: 1144065,CVE-2019-10214 Description: This update for skopeo fixes the following issues: Security issues fixed: - CVE-2019-10214: Fixed missing enforcement of TLS connections (bsc#1144065). ----------------------------------------- Patch: SUSE-2019-2344 Released: Tue Sep 10 12:47:25 2019 Summary: Recommended update for cloud-regionsrv-client Severity: important References: 1148644,1149840 Description: This update for cloud-regionsrv-client fixes the following issues: - Fixes an issue where repositories where missing on a system (bsc#1148644, bsc#1149840) ----------------------------------------- Patch: SUSE-2019-2348 Released: Tue Sep 10 14:51:43 2019 Summary: Security update for ghostscript Severity: moderate References: 1144621,CVE-2019-10216 Description: This update for ghostscript fixes the following issues: Security issue fixed: - CVE-2019-10216: Fix privilege escalation via specially crafted PostScript file (bsc#1144621). ----------------------------------------- Patch: SUSE-2019-2357 Released: Wed Sep 11 13:26:14 2019 Summary: Recommended update for lmdb Severity: moderate References: 1136132 Description: This update for lmdb fixes the following issues: - Fix occasional crash when freed pages landed on the dirty list twice (bsc#1136132). ----------------------------------------- Patch: SUSE-2019-2362 Released: Thu Sep 12 07:55:13 2019 Summary: Recommended update for python-cairo Severity: moderate References: 1142582 Description: This update for python-cairo does not fix any visible issues to users. ----------------------------------------- Patch: SUSE-2019-2378 Released: Fri Sep 13 13:21:51 2019 Summary: Recommended update for apache2-mod_nss Severity: moderate References: 1150133 Description: This update for apache2-mod_nss fixes the following issues: - Use a stronger password in gencert to pass the stricter tests in FIPS mode (bsc#1150133) ----------------------------------------- Patch: SUSE-2019-2423 Released: Fri Sep 20 16:41:45 2019 Summary: Recommended update for aaa_base Severity: moderate References: 1146866,SLE-9132 Description: This update for aaa_base fixes the following issues: Added sysctl.d/51-network.conf to tighten network security (bsc#1146866) (jira#SLE-9132) Following settings have been tightened (and set to 0): - net.ipv4.conf.all.accept_redirects - net.ipv4.conf.default.accept_redirects - net.ipv4.conf.default.accept_source_route - net.ipv6.conf.all.accept_redirects - net.ipv6.conf.default.accept_redirects ----------------------------------------- Patch: SUSE-2019-2435 Released: Mon Sep 23 13:57:12 2019 Summary: Security update for libopenmpt Severity: moderate References: 1143578,1143581,1143582,1143584,CVE-2018-20860,CVE-2018-20861,CVE-2019-14382,CVE-2019-14383 Description: This update for libopenmpt fixes the following issues: Security issues fixed: - CVE-2018-20861: Fixed crash with certain malformed custom tunings in MPTM files (bsc#1143578). - CVE-2018-20860: Fixed crash with malformed MED files (bsc#1143581). - CVE-2019-14383: Fixed J2B that allows an assertion failure during file parsing with debug STLs (bsc#1143584). - CVE-2019-14382: Fixed DSM that allows an assertion failure during file parsing with debug STLs (bsc#1143582). ----------------------------------------- Patch: SUSE-2019-2443 Released: Tue Sep 24 09:17:39 2019 Summary: Recommended update for libcdio Severity: moderate References: 1094761 Description: This update for libcdio fixes the following issues: - Fix warning when BigEndian and LittleEndian sizes do not match. (bsc#1094761) - Fix that libcdio doesn't bail out when processing non-compliant ISO files. ----------------------------------------- Patch: SUSE-2019-2460 Released: Wed Sep 25 09:25:34 2019 Summary: Security update for ghostscript Severity: important References: 1129180,1129186,1134156,1140359,1146882,1146884,CVE-2019-12973,CVE-2019-14811,CVE-2019-14812,CVE-2019-14813,CVE-2019-14817,CVE-2019-3835,CVE-2019-3839 Description: This update for ghostscript fixes the following issues: Security issues fixed: - CVE-2019-3835: Fixed an unauthorized file system access caused by an available superexec operator. (bsc#1129180) - CVE-2019-3839: Fixed an unauthorized file system access caused by available privileged operators. (bsc#1134156) - CVE-2019-12973: Fixed a denial-of-service vulnerability in the OpenJPEG function opj_t1_encode_cblks. (bsc#1140359) - CVE-2019-14811: Fixed a safer mode bypass by .forceput exposure in .pdf_hook_DSC_Creator. (bsc#1146882) - CVE-2019-14812: Fixed a safer mode bypass by .forceput exposure in setuserparams. (bsc#1146882) - CVE-2019-14813: Fixed a safer mode bypass by .forceput exposure in setsystemparams. (bsc#1146882) - CVE-2019-14817: Fixed a safer mode bypass by .forceput exposure in .pdfexectoken and other procedures. (bsc#1146884) ----------------------------------------- Patch: SUSE-2019-2466 Released: Wed Sep 25 23:24:08 2019 Summary: Recommended update for SAPHanaSR Severity: important References: 1082974,1101373,1133024,1133866,1134106,1139715,1149829 Description: This update for SAPHanaSR fixes the following issues: - Fixes a bug where an attribute was not correctly set for remoteNode (bsc#1082974) - Does no longer set attributes to prevent unlogged failovers because of empty or unknown attributes (bsc#1134106, bsc#1133024, bsc#1101373) - Will now return $OCF_RUNNING_MASTER (8) instead of $OCF_SUCCESS (0) when probing a promoted node (bsc#1133866) - Using crm-attributes written by a SAP HANA SR provider hook does improve the data integrity in special error conditions with multiple errors coming in a short time frame (bsc#1139715) - Fix a typo in a condition statement that was breaking SAPHanaSR-monitor output. (bnc#1149829) ----------------------------------------- Patch: SUSE-2019-2477 Released: Thu Sep 26 12:09:46 2019 Summary: Recommended update for openwsman Severity: moderate References: 1105331 Description: This update for openwsman fixes the following issues: - Adds CIM_NAMESPACE if it's not already present (bsc#1105331) ----------------------------------------- Patch: SUSE-2019-2482 Released: Fri Sep 27 13:40:42 2019 Summary: Recommended update for google-compute-engine Severity: important References: 1150058 Description: This update for google-compute-engine fixes the following issues: - Fixes an issue where the implementation of Google Private Access over IPv6 was not complete and thus crashed the application (bsc#1150058) ----------------------------------------- Patch: SUSE-2019-2483 Released: Fri Sep 27 14:16:23 2019 Summary: Optional update for python3-google-api-python-client, python3-httplib2, python3-oauth2client, and python3-uritemplate. Severity: low References: 1088358 Description: This update ships python3-google-api-python-client, python3-httplib2, python3-oauth2client, and python3-uritemplate for the SUSE Linux Enterprise Public Cloud 15 module. ----------------------------------------- Patch: SUSE-2019-2494 Released: Mon Sep 30 16:22:20 2019 Summary: Recommended update for cloud-init Severity: important References: 1141969,1144363,1144881 Description: This update for cloud-init provides the following fixes: - Properly handle static routes. The EphemeralDHCP context manager did not parse or handle rfc3442 classless static routes which prevented reading datasource metadata in some clouds. (bsc#1141969) - The __str__ implementation no longer delivers the name of the interface, use the 'name' attribute instead to form a proper path in the sysfs tree. (bsc#1144363) - If no routes are set for a subnet but the subnet has a gateway specified, set the gateway as the default route for the interface. (bsc#1144881) ----------------------------------------- Patch: SUSE-2019-2495 Released: Mon Sep 30 16:22:27 2019 Summary: Recommended update for firewalld-rpcbind-helper Severity: moderate References: 1146188 Description: This update for firewalld-rpcbind-helper fixes the following issues: - Fixes an error when running in python3 context and a port in `rpcinfo -p` is running neither as tcp nor in udp protocol (bsc#1146188) ----------------------------------------- Patch: SUSE-2019-2512 Released: Wed Oct 2 10:47:58 2019 Summary: Security update for jasper Severity: moderate References: 1117507,1117508,CVE-2018-19540,CVE-2018-19541 Description: This update for jasper fixes the following issues: Security issues fixed: - CVE-2018-19540: Fixed a heap based overflow in jas_icctxtdesc_input (bsc#1117508). - CVE-2018-19541: Fix heap based overread in jas_image_depalettize (bsc#1117507). ----------------------------------------- Patch: SUSE-2019-2533 Released: Thu Oct 3 15:02:50 2019 Summary: Security update for sqlite3 Severity: moderate References: 1150137,CVE-2019-16168 Description: This update for sqlite3 fixes the following issues: Security issue fixed: - CVE-2019-16168: Fixed improper validation of sqlite_stat1 field that could lead to denial of service (bsc#1150137). ----------------------------------------- Patch: SUSE-2019-2561 Released: Fri Oct 4 14:09:56 2019 Summary: Security update for openssl-1_0_0 Severity: moderate References: 1131291,1150003,1150250,CVE-2019-1547,CVE-2019-1563 Description: This update for openssl-1_0_0 fixes the following issues: OpenSSL Security Advisory [10 September 2019] * CVE-2019-1547: Added EC_GROUP_set_generator side channel attack avoidance. (bsc#1150003) * CVE-2019-1563: Fixed Bleichenbacher attack against cms/pkcs7 encryption transported key (bsc#1150250) In addition fixed invalid curve attacks by validating that an EC point lies on the curve (bsc#1131291). ----------------------------------------- Patch: SUSE-2019-2622 Released: Wed Oct 9 15:23:35 2019 Summary: Security update for libopenmpt Severity: important References: 1153102,CVE-2019-17113 Description: This update for libopenmpt to version 0.3.19 fixes the following issues: - CVE-2019-17113: Fixed a buffer overflow in ModPlug_InstrumentName and ModPlug_SampleName (bsc#1153102). ----------------------------------------- Patch: SUSE-2019-2642 Released: Fri Oct 11 17:10:51 2019 Summary: Recommended update for python-kiwi Severity: important References: 1112357,1124885,1127173,1129566,1132455,1136444,1142899,1143033,1149686 Description: This update for python-kiwi fixes the following issues: - Added --add-bootstrap-packages option (bsc#1149686) - Avoids now the default installation of dracut kiwi modules (bsc#1142899, bsc#1136444) - Add support for custom fstab script extension (bsc#1129566) - Fixes an issue where python-kiwi crashed when the HOME directory is missing (bsc#1149686) - New spare partition types have been added: (bsc#1129566) * spare_part_fs='fsname' * spare_part_mountpoint='/location' * spare_part_is_last='true|false' - Preserve licenses/other txt files by baseStripFirmware (bsc#1132455 - Added support for fstab.patch file (bsc#1129566) - Makes the bundler shasum file compatible with 'sha256sum --check' command (bsc#1127173) - Fixes an issue when importing signing keys (bsc#1112357) - Fixes an issue where grub2 didn't display UTF-8 characters properly (bsc#1124885) ----------------------------------------- Patch: SUSE-2019-2657 Released: Mon Oct 14 17:04:07 2019 Summary: Security update for dhcp Severity: moderate References: 1089524,1134078,1136572,CVE-2019-6470 Description: This update for dhcp fixes the following issues: Secuirty issue fixed: - CVE-2019-6470: Fixed DHCPv6 server crashes (bsc#1134078). Bug fixes: - Add compile option --enable-secs-byteorder to avoid duplicate lease warnings (bsc#1089524). - Use IPv6 when called as dhclient6, dhcpd6, and dhcrelay6 (bsc#1136572). ----------------------------------------- Patch: SUSE-2019-2675 Released: Tue Oct 15 21:06:30 2019 Summary: Recommended update for clone-master-clean-up Severity: moderate References: 1139667,1149322 Description: This update for clone-master-clean-up fixes the following issues: - Bugfixes: * Deleted /var/lib/wicked/* files for cloning. If machines with identical settings exist in the same network multiple times, IP addresses may change with each renewal (bsc#1139667) ----------------------------------------- Patch: SUSE-2019-2681 Released: Tue Oct 15 22:01:40 2019 Summary: Recommended update for libdb-4_8 Severity: moderate References: 1148244 Description: This update for libdb-4_8 fixes the following issues: - Add off-page deadlock patch as found and documented by Red Hat. (bsc#1148244) ----------------------------------------- Patch: SUSE-2019-2693 Released: Wed Oct 16 16:43:30 2019 Summary: Recommended update for rpcbind Severity: moderate References: 1142343 Description: This update for rpcbind fixes the following issues: - Return correct IP address with multiple ip addresses in the same subnet. (bsc#1142343) ----------------------------------------- Patch: SUSE-2019-2702 Released: Wed Oct 16 18:41:30 2019 Summary: Security update for gcc7 Severity: moderate References: 1071995,1141897,1142649,1148517,1149145,CVE-2019-14250,CVE-2019-15847 Description: This update for gcc7 to r275405 fixes the following issues: Security issues fixed: - CVE-2019-14250: Fixed an integer overflow in binutils (bsc#1142649). - CVE-2019-15847: Fixed an optimization in the POWER9 backend of gcc that could reduce the entropy of the random number generator (bsc#1149145). Non-security issue fixed: - Move Live Patching technology stack from kGraft to upstream klp (bsc#1071995, fate#323487). ----------------------------------------- Patch: SUSE-2019-2705 Released: Thu Oct 17 13:05:45 2019 Summary: Recommended update for yast2-hana-firewall and for yast2-sap-ha Severity: moderate References: 1117765,1146220 Description: This update for yast2-hana-firewall provides the following fix: - Fix the following crash in Yast2 HA Setup for SAP Products: 'cannot import namespace 'SystemdService'. (bsc#1146220) This update for yast2-sap-ha fixes the following issues: - Fix break caused by systemd service library reorganization. (bsc#1146220) - Fix bug stopping the non-productive HANA system in the cost-optimized scenario. (bsc#1117765) - Enhanced the module to be used on Azure with unattended mode support. (fate#324542, fate#325956) - Fix the rpc server error when Y2DIR variable is set. (fate#325957) - Fix the copy_ssfs_keys method to not fail when no password is informed but there is passwordless ssh access between the nodes. (fate#325957) - Enhanced the module to be used in hands-free WF on Bare Metal. (fate#325957) ----------------------------------------- Patch: SUSE-2019-2722 Released: Mon Oct 21 11:14:20 2019 Summary: Recommended update for pciutils-ids Severity: moderate References: 1127840,1133581 Description: This is a version update for pciutils-ids to version 20190830 (bsc#1133581, bsc#1127840) ----------------------------------------- Patch: SUSE-2019-2730 Released: Mon Oct 21 16:04:57 2019 Summary: Security update for procps Severity: important References: 1092100,1121753,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126 Description: This update for procps fixes the following issues: procps was updated to 3.3.15. (bsc#1092100) Following security issues were fixed: - CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100). - CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps maped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100). - CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100). - CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100). - CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100). Also this non-security issue was fixed: - Fix CPU summary showing old data. (bsc#1121753) The update to 3.3.15 contains the following fixes: * library: Increment to 8:0:1 No removals, no new functions Changes: slab and pid structures * library: Just check for SIGLOST and don't delete it * library: Fix integer overflow and LPE in file2strvec CVE-2018-1124 * library: Use size_t for alloc functions CVE-2018-1126 * library: Increase comm size to 64 * pgrep: Fix stack-based buffer overflow CVE-2018-1125 * pgrep: Remove >15 warning as comm can be longer * ps: Fix buffer overflow in output buffer, causing DOS CVE-2018-1123 * ps: Increase command name selection field to 64 * top: Don't use cwd for location of config CVE-2018-1122 * update translations * library: build on non-glibc systems * free: fix scaling on 32-bit systems * Revert 'Support running with child namespaces' * library: Increment to 7:0:1 No changes, no removals New fuctions: numa_init, numa_max_node, numa_node_of_cpu, numa_uninit, xalloc_err_handler * doc: Document I idle state in ps.1 and top.1 * free: fix some of the SI multiples * kill: -l space between name parses correctly * library: dont use vm_min_free on non Linux * library: don't strip off wchan prefixes (ps & top) * pgrep: warn about 15+ char name only if -f not used * pgrep/pkill: only match in same namespace by default * pidof: specify separator between pids * pkill: Return 0 only if we can kill process * pmap: fix duplicate output line under '-x' option * ps: avoid eip/esp address truncations * ps: recognizes SCHED_DEADLINE as valid CPU scheduler * ps: display NUMA node under which a thread ran * ps: Add seconds display for cputime and time * ps: Add LUID field * sysctl: Permit empty string for value * sysctl: Don't segv when file not available * sysctl: Read and write large buffers * top: add config file support for XDG specification * top: eliminated minor libnuma memory leak * top: show fewer memory decimal places (configurable) * top: provide command line switch for memory scaling * top: provide command line switch for CPU States * top: provides more accurate cpu usage at startup * top: display NUMA node under which a thread ran * top: fix argument parsing quirk resulting in SEGV * top: delay interval accepts non-locale radix point * top: address a wishlist man page NLS suggestion * top: fix potential distortion in 'Mem' graph display * top: provide proper multi-byte string handling * top: startup defaults are fully customizable * watch: define HOST_NAME_MAX where not defined * vmstat: Fix alignment for disk partition format * watch: Support ANSI 39,49 reset sequences ----------------------------------------- Patch: SUSE-2019-2734 Released: Tue Oct 22 11:00:58 2019 Summary: Recommended update for tcsh Severity: moderate References: 1151630 Description: This update for tcsh fixes the following issues: - Restore cleanup routines in case of an error (bsc#1151630) ----------------------------------------- Patch: SUSE-2019-2737 Released: Tue Oct 22 12:02:36 2019 Summary: Security update for openconnect Severity: moderate References: 1151178,CVE-2019-16239 Description: This update for openconnect fixes the following issues: - CVE-2019-16239: Fixed a buffer overflow when a malicious server uses HTTP chunked encoding with crafted chunk sizes. (bsc#1151178) ----------------------------------------- Patch: SUSE-2019-2746 Released: Tue Oct 22 16:50:50 2019 Summary: Recommended update for yast2-sap-ha Severity: important References: 1146220 Description: This update for yast2-sap-ha fixes the following issues: - Update yast2-sap-ha to version 1.0.8. - Fix a regression that was introduced in a previous update. Under certain circumstances, HA Setup for SAP Products used to crash with the error message 'cannot import namespace 'SystemdService''. [bsc#1146220] ----------------------------------------- Patch: SUSE-2019-2749 Released: Wed Oct 23 09:08:41 2019 Summary: Security update for sysstat Severity: moderate References: 1150114,CVE-2019-16167 Description: This update for sysstat fixes the following issue: - CVE-2019-16167: Fixed a memory corruption due to an integer overflow. (bsc#1150114) ----------------------------------------- Patch: SUSE-2019-2750 Released: Wed Oct 23 09:22:42 2019 Summary: Security update for zziplib Severity: moderate References: 1107424,1129403,CVE-2018-16548 Description: This update for zziplib fixes the following issues: Security issue fixed: - CVE-2018-16548: Prevented memory leak from __zzip_parse_root_directory(). Free allocated structure if its address is not passed back. (bsc#1107424) Other issue addressed: - Prevented a division by zero (bsc#1129403). ----------------------------------------- Patch: SUSE-2019-2762 Released: Thu Oct 24 07:08:44 2019 Summary: Recommended update for timezone Severity: moderate References: 1150451 Description: This update for timezone fixes the following issues: - Fiji observes DST from 2019-11-10 to 2020-01-12. - Norfolk Island starts observing Australian-style DST. ----------------------------------------- Patch: SUSE-2019-2763 Released: Thu Oct 24 07:08:52 2019 Summary: Recommended update for mysql-connector-cpp Severity: moderate References: 1149792 Description: This update for mysql-connector-cpp fixes the following issues: - Add missing zlib build dependency, which used to be pulled in by libopenssl-devel. (bsc#1149792) ----------------------------------------- Patch: SUSE-2019-2766 Released: Thu Oct 24 07:09:49 2019 Summary: Recommended update for migrate-sles-to-sles4sap Severity: moderate References: 1112548 Description: This update for migrate-sles-to-sles4sap fixes the following issues: - Fixed /etc/os-release issue after using migration script from SLES to SLES4SAP: (bsc#1112548) * Removed several hacks that aren't necessary anymore, due to changes in SUSEConnect * Bootloader change isn't necessary anymore as SLES will always be shown in GRUB2 regardless if SLES or SLES for SAP * removed hardcoded version dependencies to make the script version independent * added rollback in case of failed migration * added additional runtime warnings and infos for user * restructured code for cleaner readability * fixed ShellCheck issues * changed parsing for variables like VERSION and CPE from /etc/os-release to /etc/products.d/baseproduct, as /etc/os-release doesn't differ on SLES and SLES for SAP * Checks the SSL certificate of SMT and RMT servers. * Added user input to allow self-signed SSL certificates on SMT and RMT servers. * Fixed RMT registration issue. ----------------------------------------- Patch: SUSE-2019-2772 Released: Thu Oct 24 13:55:37 2019 Summary: Recommended update for lifecycle-data-sle-module-live-patching Severity: moderate References: 1020320 Description: This update for lifecycle-data-sle-module-live-patching fixes the following issues: - Added data for 4_12_14-150_27, 4_12_14-150_32, 4_12_14-150_35, 4_12_14-197_10, 4_12_14-197_15. (bsc#1020320) ----------------------------------------- Patch: SUSE-2019-2777 Released: Thu Oct 24 16:13:20 2019 Summary: Recommended update for fipscheck Severity: moderate References: 1149792 Description: This update for fipscheck fixes the following issues: - Remove #include of unused fips.h to fix build with OpenSSL 1.1.1 (bsc#1149792) ----------------------------------------- Patch: SUSE-2019-2779 Released: Thu Oct 24 16:57:42 2019 Summary: Security update for binutils Severity: moderate References: 1109412,1109413,1109414,1111996,1112534,1112535,1113247,1113252,1113255,1116827,1118644,1118830,1118831,1120640,1121034,1121035,1121056,1133131,1133232,1141913,1142772,1152590,1154016,1154025,CVE-2018-1000876,CVE-2018-17358,CVE-2018-17359,CVE-2018-17360,CVE-2018-17985,CVE-2018-18309,CVE-2018-18483,CVE-2018-18484,CVE-2018-18605,CVE-2018-18606,CVE-2018-18607,CVE-2018-19931,CVE-2018-19932,CVE-2018-20623,CVE-2018-20651,CVE-2018-20671,CVE-2018-6323,CVE-2018-6543,CVE-2018-6759,CVE-2018-6872,CVE-2018-7208,CVE-2018-7568,CVE-2018-7569,CVE-2018-7570,CVE-2018-7642,CVE-2018-7643,CVE-2018-8945,CVE-2019-1010180,ECO-368,SLE-6206 Description: This update for binutils fixes the following issues: binutils was updated to current 2.32 branch [jsc#ECO-368]. Includes following security fixes: - CVE-2018-17358: Fixed invalid memory access in _bfd_stab_section_find_nearest_line in syms.c (bsc#1109412) - CVE-2018-17359: Fixed invalid memory access exists in bfd_zalloc in opncls.c (bsc#1109413) - CVE-2018-17360: Fixed heap-based buffer over-read in bfd_getl32 in libbfd.c (bsc#1109414) - CVE-2018-17985: Fixed a stack consumption problem caused by the cplus_demangle_type (bsc#1116827) - CVE-2018-18309: Fixed an invalid memory address dereference was discovered in read_reloc in reloc.c (bsc#1111996) - CVE-2018-18483: Fixed get_count function provided by libiberty that allowed attackers to cause a denial of service or other unspecified impact (bsc#1112535) - CVE-2018-18484: Fixed stack exhaustion in the C++ demangling functions provided by libiberty, caused by recursive stack frames (bsc#1112534) - CVE-2018-18605: Fixed a heap-based buffer over-read issue was discovered in the function sec_merge_hash_lookup causing a denial of service (bsc#1113255) - CVE-2018-18606: Fixed a NULL pointer dereference in _bfd_add_merge_section when attempting to merge sections with large alignments, causing denial of service (bsc#1113252) - CVE-2018-18607: Fixed a NULL pointer dereference in elf_link_input_bfd when used for finding STT_TLS symbols without any TLS section, causing denial of service (bsc#1113247) - CVE-2018-19931: Fixed a heap-based buffer overflow in bfd_elf32_swap_phdr_in in elfcode.h (bsc#1118831) - CVE-2018-19932: Fixed an integer overflow and infinite loop caused by the IS_CONTAINED_BY_LMA (bsc#1118830) - CVE-2018-20623: Fixed a use-after-free in the error function in elfcomm.c (bsc#1121035) - CVE-2018-20651: Fixed a denial of service via a NULL pointer dereference in elf_link_add_object_symbols in elflink.c (bsc#1121034) - CVE-2018-20671: Fixed an integer overflow that can trigger a heap-based buffer overflow in load_specific_debug_section in objdump.c (bsc#1121056) - CVE-2018-1000876: Fixed integer overflow in bfd_get_dynamic_reloc_upper_bound,bfd_canonicalize_dynamic_reloc in objdump (bsc#1120640) - CVE-2019-1010180: Fixed an out of bound memory access that could lead to crashes (bsc#1142772) - enable xtensa architecture (Tensilica lc6 and related) - Use -ffat-lto-objects in order to provide assembly for static libs (bsc#1141913). - Fixed some LTO build issues (bsc#1133131 bsc#1133232). - riscv: Don't check ABI flags if no code section - Fixed a segfault in ld when building some versions of pacemaker (bsc#1154025, bsc#1154016). - Add avr, epiphany and rx to target_list so that the common binutils can handle all objects we can create with crosses (bsc#1152590). Update to binutils 2.32: * The binutils now support for the C-SKY processor series. * The x86 assembler now supports a -mvexwig=[0|1] option to control encoding of VEX.W-ignored (WIG) VEX instructions. It also has a new -mx86-used-note=[yes|no] option to generate (or not) x86 GNU property notes. * The MIPS assembler now supports the Loongson EXTensions R2 (EXT2), the Loongson EXTensions (EXT) instructions, the Loongson Content Address Memory (CAM) ASE and the Loongson MultiMedia extensions Instructions (MMI) ASE. * The addr2line, c++filt, nm and objdump tools now have a default limit on the maximum amount of recursion that is allowed whilst demangling strings. This limit can be disabled if necessary. * Objdump's --disassemble option can now take a parameter, specifying the starting symbol for disassembly. Disassembly will continue from this symbol up to the next symbol or the end of the function. * The BFD linker will now report property change in linker map file when merging GNU properties. * The BFD linker's -t option now doesn't report members within archives, unless -t is given twice. This makes it more useful when generating a list of files that should be packaged for a linker bug report. * The GOLD linker has improved warning messages for relocations that refer to discarded sections. - Improve relro support on s390 [fate#326356] - Fix broken debug symbols (bsc#1118644) - Handle ELF compressed header alignment correctly. ----------------------------------------- Patch: SUSE-2019-2782 Released: Fri Oct 25 14:27:52 2019 Summary: Security update for nfs-utils Severity: moderate References: 1150733,CVE-2019-3689 Description: This update for nfs-utils fixes the following issues: - CVE-2019-3689: Fixed root-owned files stored in insecure /var/lib/nfs. (bsc#1150733) ----------------------------------------- Patch: SUSE-2019-2786 Released: Fri Oct 25 15:56:35 2019 Summary: Security update for docker-runc Severity: moderate References: 1152308,CVE-2019-16884 Description: This update for docker-runc fixes the following issues: - CVE-2019-16884: Fixed an LSM bypass via malicious Docker images that mount over a /proc directory. (bsc#1152308) ----------------------------------------- Patch: SUSE-2019-2790 Released: Mon Oct 28 14:54:13 2019 Summary: Recommended update for java-1_8_0-ibm Severity: moderate References: 1143080 Description: This update for java-1_8_0-ibm fixes the following issues: Update to Java 8.0 Service Refresh 5 Fix Pack 41 [bsc#1143080]: * JIT compiler crash: Remove implicit sign extension assumptions from iRegStore evaluator (https://github.com/eclipse/omr/pull/4103) ----------------------------------------- Patch: SUSE-2019-2799 Released: Mon Oct 28 17:11:16 2019 Summary: Recommended update for tcsh Severity: important References: 1153839,1154877 Description: This update for tcsh fixes the following issues: - Avoid breakage in sourcing standard system files (bsc#1153839) - A regression has been fixed where glob expansion would not work properly. (bsc#1154877) ----------------------------------------- Patch: SUSE-2019-2806 Released: Tue Oct 29 11:47:15 2019 Summary: Recommended update for libspectre Severity: moderate References: 1153337 Description: This update for libspectre aligns the libspectre build with the current ghostscript 9.27 release. (bsc#1153337) ----------------------------------------- Patch: SUSE-2019-2810 Released: Tue Oct 29 14:56:44 2019 Summary: Security update for runc Severity: moderate References: 1131314,1131553,1152308,CVE-2019-16884 Description: This update for runc fixes the following issues: Security issue fixed: - CVE-2019-16884: Fixed an LSM bypass via malicious Docker images that mount over a /proc directory. (bsc#1152308) Non-security issues fixed: - Includes upstreamed patches for regressions (bsc#1131314 bsc#1131553). ----------------------------------------- Patch: SUSE-2019-2811 Released: Tue Oct 29 14:57:18 2019 Summary: Recommended update for llvm7 Severity: moderate References: 1138457 Description: This update for llvm7 doesn't address any user visible issues. ----------------------------------------- Patch: SUSE-2019-2870 Released: Thu Oct 31 08:09:14 2019 Summary: Recommended update for aaa_base Severity: moderate References: 1051143,1138869,1151023 Description: This update for aaa_base provides the following fixes: - Check if variables can be set before modifying them to avoid warnings on login with a restricted shell. (bsc#1138869) - Add s390x compressed kernel support. (bsc#1151023) - service: Check if there is a second argument before using it. (bsc#1051143) ----------------------------------------- Patch: SUSE-2019-2888 Released: Mon Nov 4 17:33:58 2019 Summary: Recommended update for neon Severity: low References: 1149792 Description: This update for neon provides the following fixes: - Fix build with openssl 1.1.1. (bsc#1149792) - Make sure the license gets installed properly. ----------------------------------------- Patch: SUSE-2019-2891 Released: Mon Nov 4 17:47:10 2019 Summary: Security update for python-ecdsa Severity: moderate References: 1153165,1154217,CVE-2019-14853,CVE-2019-14859 Description: This update for python-ecdsa to version 0.13.3 fixes the following issues: Security issues fixed: - CVE-2019-14853: Fixed unexpected exceptions during signature decoding (bsc#1153165). - CVE-2019-14859: Fixed a signature malleability caused by insufficient checks of DER encoding (bsc#1154217). ----------------------------------------- Patch: SUSE-2019-2905 Released: Wed Nov 6 12:10:59 2019 Summary: Recommended update for scout Severity: moderate References: 1135598 Description: This update for scout fixes the following issues: - Fix bug where sbin packages would print as bytes strings (bsc#1135598) ----------------------------------------- Patch: SUSE-2019-2908 Released: Wed Nov 6 13:49:01 2019 Summary: Recommended update for perl-Mail-SPF Severity: low References: 1141089 Description: This update for perl-Mail-SPF fixes the following issues: - Sets the executable bit for the /usr/sbin/spfd binary (bsc#1141089) - The license file is now located in the /usr/share/licenses directory of perl-Mail-SPF ----------------------------------------- Patch: SUSE-2019-2913 Released: Thu Nov 7 11:33:39 2019 Summary: Security update for gdb Severity: moderate References: 1115034,1142772,1145692,CVE-2019-1010180,ECO-368 Description: This update for gdb fixes the following issues: Update to gdb 8.3.1: (jsc#ECO-368) Security issues fixed: - CVE-2019-1010180: Fixed a potential buffer overflow when loading ELF sections larger than the file. (bsc#1142772) Upgrade libipt from v2.0 to v2.0.1. - Enable librpm for version > librpm.so.3 [bsc#1145692]: * Allow any librpm.so.x * Add %build test to check for 'zypper install ' message - Copy gdbinit from fedora master @ 25caf28. Add gdbinit.without-python, and use it for --without=python. Rebase to 8.3 release (as in fedora 30 @ 1e222a3). * DWARF index cache: GDB can now automatically save indices of DWARF symbols on disk to speed up further loading of the same binaries. * Ada task switching is now supported on aarch64-elf targets when debugging a program using the Ravenscar Profile. * Terminal styling is now available for the CLI and the TUI. * Removed support for old demangling styles arm, edg, gnu, hp and lucid. * Support for new native configuration RISC-V GNU/Linux (riscv*-*-linux*). - Implemented access to more POWER8 registers. [fate#326120, fate#325178] - Handle most of new s390 arch13 instructions. [fate#327369, jsc#ECO-368] ----------------------------------------- Patch: SUSE-2019-2933 Released: Fri Nov 8 11:46:01 2019 Summary: Recommended update for llvm7 Severity: moderate References: 1139584 Description: This update for llvm7 fixes the following issues: - Enable RTTI (run time type information) by built for LLVM. (bsc#1139584) ----------------------------------------- Patch: SUSE-2019-2934 Released: Fri Nov 8 13:17:50 2019 Summary: Security update for apache2-mod_auth_openidc Severity: important References: 1153666,CVE-2019-14857 Description: This update for apache2-mod_auth_openidc fixes the following issues: - CVE-2019-14857: Fixed an open redirect issue that exists in URLs with trailing slashes (bsc#1153666). ----------------------------------------- Patch: SUSE-2019-2978 Released: Thu Nov 14 22:42:51 2019 Summary: Recommended update for helm-mirror Severity: moderate References: 1153244 Description: This update for helm-mirror fixes the following issues: - Getting charts now only downloads the altest versions of the charts. (bsc#1153244) - The --all-versions flags allows to download all versions of the charts. (bsc#1153244) - The flags --chart-name and --chart-version allow the user to only get the desired chart. (bsc#1153244) - Fixes issue with go module when installing with `helm plugin install`. (bsc#1153244) ----------------------------------------- Patch: SUSE-2019-2981 Released: Fri Nov 15 10:46:06 2019 Summary: Security update for ghostscript Severity: important References: 1156275,CVE-2019-14869 Description: This update for ghostscript fixes the following issues: - CVE-2019-14869: Fixed a possible dSAFER escape which could have allowed an attacker to gain high privileges by a specially crafted Postscript code (bsc#1156275). ----------------------------------------- Patch: SUSE-2019-2982 Released: Fri Nov 15 10:46:21 2019 Summary: Security update for enigmail Severity: moderate References: 1141025,1151317 Description: This update for enigmail fixes the following issues: - SeaMonkey is no longer supported. Update description and no longer put in SeaMonkey addons path (bsc#1151317) enigmail was updated 2.1.2: * compatibility with Mozilla Thunderbird 68 * New simplified setup wizard * Full support for keys.openpgp.org * Default to ECC keys on GnuPG 2.1 or later * Autocrypt: implemented key-gossip and updates to known keys enimail was updated to 2.0.12: * set the default keyserver to keys.openpgp.org in order to mitigate the SKS Keyserver Network Attack (bsc#1141025) ----------------------------------------- Patch: SUSE-2019-2993 Released: Mon Nov 18 11:52:23 2019 Summary: Recommended update for tftp Severity: moderate References: 1153625 Description: This update for tftp fixes the following issues: - Add tftp.socket requirement to the service unit section. (bsc#1153625) ----------------------------------------- Patch: SUSE-2019-2997 Released: Mon Nov 18 15:16:38 2019 Summary: Security update for ncurses Severity: moderate References: 1103320,1154036,1154037,CVE-2019-17594,CVE-2019-17595 Description: This update for ncurses fixes the following issues: Security issues fixed: - CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036). - CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037). Non-security issue fixed: - Removed screen.xterm from terminfo database (bsc#1103320). ----------------------------------------- Patch: SUSE-2019-2998 Released: Mon Nov 18 15:17:23 2019 Summary: Security update for java-11-openjdk Severity: important References: 1152856,1154212,CVE-2019-2894,CVE-2019-2933,CVE-2019-2945,CVE-2019-2949,CVE-2019-2958,CVE-2019-2962,CVE-2019-2964,CVE-2019-2973,CVE-2019-2975,CVE-2019-2977,CVE-2019-2978,CVE-2019-2981,CVE-2019-2983,CVE-2019-2987,CVE-2019-2988,CVE-2019-2989,CVE-2019-2992,CVE-2019-2999 Description: This update for java-11-openjdk to version jdk-11.0.5-10 fixes the following issues: Security issues fixed (October 2019 CPU bsc#1154212): - CVE-2019-2933: Windows file handling redux - CVE-2019-2945: Better socket support - CVE-2019-2949: Better Kerberos ccache handling - CVE-2019-2958: Build Better Processes - CVE-2019-2964: Better support for patterns - CVE-2019-2962: Better Glyph Images - CVE-2019-2973: Better pattern compilation - CVE-2019-2975: Unexpected exception in jjs - CVE-2019-2978: Improved handling of jar files - CVE-2019-2977: Improve String index handling - CVE-2019-2981: Better Path supports - CVE-2019-2983: Better serial attributes - CVE-2019-2987: Better rendering of native glyphs - CVE-2019-2988: Better Graphics2D drawing - CVE-2019-2989: Improve TLS connection support - CVE-2019-2992: Enhance font glyph mapping - CVE-2019-2999: Commentary on Javadoc comments - CVE-2019-2894: Enhance ECDSA operations (bsc#1152856). ----------------------------------------- Patch: SUSE-2019-3008 Released: Tue Nov 19 11:38:27 2019 Summary: Recommended update for fwupdate Severity: moderate References: 1152928 Description: This update for fwupdate fixes the following issues: - Add update to the linker script for AArch64 to match the one in gnu-efi. (bsc#1152928) ----------------------------------------- Patch: SUSE-2019-3009 Released: Tue Nov 19 18:10:39 2019 Summary: Recommended update for cloud-regionsrv-client Severity: moderate References: 1149528,1152567,1154533 Description: This update for cloud-regionsrv-client fixes the following issues: - Ignore exception if the new registration flag file does not exist but there is an attempt to remove it. (bsc#1149528) - Include requirement for python3-six in specfile. (bsc#1152567) - Adds support for repositories with different credentials files (bsc#1154533) ----------------------------------------- Patch: SUSE-2019-3012 Released: Tue Nov 19 18:11:26 2019 Summary: Recommended update for brp-check-suse Severity: moderate References: 1114695 Description: This update for brp-check-suse fixes the following issues: - Deal with libs where file outputs more text after 'not stripped'. (bsc#1114695) ----------------------------------------- Patch: SUSE-2019-3018 Released: Wed Nov 20 12:48:21 2019 Summary: Recommended update for xkeyboard-config Severity: moderate References: 1153774 Description: This update for xkeyboard-config fixes the following issues: - Fix capslock in Old Hungarian layout (bsc#1153774) ----------------------------------------- Patch: SUSE-2019-3030 Released: Thu Nov 21 19:11:25 2019 Summary: Security update for cups Severity: important References: 1146358,1146359,CVE-2019-8675,CVE-2019-8696 Description: This update for cups fixes the following issues: - CVE-2019-8675: Fixed a stack buffer overflow in libcups's asn1_get_type function(bsc#1146358). - CVE-2019-8696: Fixed a stack buffer overflow in libcups's asn1_get_packed function (bsc#1146359). ----------------------------------------- Patch: SUSE-2019-3053 Released: Mon Nov 25 17:28:17 2019 Summary: Security update for clamav Severity: moderate References: 1144504,1149458,1151839,CVE-2019-12625,CVE-2019-12900 Description: This update for clamav fixes the following issues: Security issue fixed: - CVE-2019-12625: Fixed a ZIP bomb issue by adding detection and heuristics for zips with overlapping files (bsc#1144504). - CVE-2019-12900: Fixed an out-of-bounds write in decompress.c with many selectors (bsc#1149458). Non-security issues fixed: - Added the --max-scantime clamscan option and MaxScanTime clamd configuration option (bsc#1144504). - Increased the startup timeout of clamd to 5 minutes to cater for the grown virus database as a workaround until clamd has learned to talk to systemd to extend the timeout as long as needed (bsc#1151839). ----------------------------------------- Patch: SUSE-2019-3061 Released: Mon Nov 25 17:34:22 2019 Summary: Security update for gcc9 Severity: moderate References: 1114592,1135254,1141897,1142649,1142654,1148517,1149145,CVE-2019-14250,CVE-2019-15847,SLE-6533,SLE-6536 Description: This update includes the GNU Compiler Collection 9. A full changelog is provided by the GCC team on: https://www.gnu.org/software/gcc/gcc-9/changes.html The base system compiler libraries libgcc_s1, libstdc++6 and others are now built by the gcc 9 packages. To use it, install 'gcc9' or 'gcc9-c++' or other compiler brands and use CC=gcc-9 / CXX=g++-9 during configuration for using it. Security issues fixed: - CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145) - CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649) Non-security issues fixed: - Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254) - Fixed miscompilation for vector shift on s390. (bsc#1141897) ----------------------------------------- Patch: SUSE-2019-3086 Released: Thu Nov 28 10:02:24 2019 Summary: Security update for libidn2 Severity: moderate References: 1154884,1154887,CVE-2019-12290,CVE-2019-18224 Description: This update for libidn2 to version 2.2.0 fixes the following issues: - CVE-2019-12290: Fixed an improper round-trip check when converting A-labels to U-labels (bsc#1154884). - CVE-2019-18224: Fixed a heap-based buffer overflow that was caused by long domain strings (bsc#1154887). ----------------------------------------- Patch: SUSE-2019-3096 Released: Thu Nov 28 16:48:21 2019 Summary: Security update for cloud-init Severity: moderate References: 1099358,1129124,1136440,1142988,1144363,1151488,1154092,CVE-2019-0816 Description: This update for cloud-init to version 19.2 fixes the following issues: Security issue fixed: - CVE-2019-0816: Fixed the unnecessary extra ssh keys that were added to authorized_keys (bsc#1129124). Non-security issues fixed: - Short circuit the conditional for identifying the sysconfig renderer (bsc#1154092, bsc#1142988). - If /etc/resolv.conf is a symlink, break it. This will avoid netconfig from clobbering the changes cloud-init applied (bsc#1151488). ----------------------------------------- Patch: SUSE-2019-3104 Released: Fri Nov 29 06:47:08 2019 Summary: Recommended update for sysstat Severity: moderate References: 1144923,SLE-5958 Description: This update for sysstat fixes the following issues: - Enable log information of starting/stoping services. (bsc#1144923, jsc#SLE-5958) ----------------------------------------- Patch: SUSE-2019-3166 Released: Wed Dec 4 11:24:42 2019 Summary: Recommended update for aaa_base Severity: moderate References: 1007715,1084934,1157278 Description: This update for aaa_base fixes the following issues: - Use official key binding functions in inputrc that is replace up-history with previous-history, down-history with next-history and backward-delete-word with backward-kill-word. (bsc#1084934) - Add some missed key escape sequences for urxvt-unicode terminal as well. (bsc#1007715) - Clear broken ghost entry in patch which breaks 'readline'. (bsc#1157278) ----------------------------------------- Patch: SUSE-2019-3170 Released: Wed Dec 4 11:45:48 2019 Summary: Recommended update for cjose Severity: moderate References: 1149887 Description: This update for cjose provides the following fix: - Fix concatkdf failures on big endian architectures. (bsc#1149887) ----------------------------------------- Patch: SUSE-2019-3173 Released: Wed Dec 4 20:22:45 2019 Summary: Recommended update for growpart, growpart-rootgrow Severity: moderate References: 1154357,ECO-550 Description: This update for growpart, growpart-rootgrow contains the following fixes: growpart: - Removed rootgrow sub-package as it is a standalone package now. (bsc#1154357, jsc#ECO-550) growpart-rootgrow: - Added growpart-rootgrow as a standalone package. (bsc#1154357, jsc#ECO-550) - Bump from version 1.0.0 to 1.0.1: - Fixed binary location in service unit file. ----------------------------------------- Patch: SUSE-2019-3176 Released: Thu Dec 5 11:41:01 2019 Summary: Security update for clamav Severity: important References: 1157763,CVE-2019-15961 Description: This update for clamav fixes the following issues: - CVE-2019-15961: Fixed a denial of service which might occur when scanning a specially crafted email file as (bsc#1157763). ----------------------------------------- Patch: SUSE-2019-3195 Released: Thu Dec 5 21:32:12 2019 Summary: Recommended update for perl-DBD-mysql Severity: low References: 1149792 Description: This update for perl-DBD-mysql fixes the following issues: - Fix the package build by adding the missing zlib-devel build dependency. It used to be pulled in by libopenssl-devel but has changed. (bsc#1149792) ----------------------------------------- Patch: SUSE-2019-3205 Released: Mon Dec 9 13:48:28 2019 Summary: Recommended update for insserv-compat Severity: moderate References: 1052837,1133306 Description: This update for insserv-compat fixes the following issues: - Fix handling of start parameters. (bsc#1133306) - Remove unnecessary entry from configuration file. (bsc#1052837) ----------------------------------------- Patch: SUSE-2019-3210 Released: Tue Dec 10 08:54:15 2019 Summary: Recommended update for rubygem-mail Severity: moderate References: 1156721 Description: This update for rubygem-mail fixes the following issues: Compatibility fixes: - Restore conversions for properly encoded non-binary emails. - Gracefully parse certain invalid Content-Type headers. (rafbm) Bug fixes: - Fix transfer encoding when message encoding is blank. (bsc#1156721) - Fix 7bit/base64 content transfer encoding mismatch. (bsc#1156721) - Fix UTF-8 attachment filename quoting. (bsc#1156721) - Fix 'delete_all' using a readonly IMAP connection. (bsc#1156721) ----------------------------------------- Patch: SUSE-2019-3238 Released: Tue Dec 10 10:21:59 2019 Summary: Security update for java-1_8_0-openjdk Severity: important References: 1138529,1152856,1154212,CVE-2019-2894,CVE-2019-2933,CVE-2019-2945,CVE-2019-2949,CVE-2019-2958,CVE-2019-2962,CVE-2019-2964,CVE-2019-2973,CVE-2019-2975,CVE-2019-2978,CVE-2019-2981,CVE-2019-2983,CVE-2019-2987,CVE-2019-2988,CVE-2019-2989,CVE-2019-2992,CVE-2019-2999 Description: This update for java-1_8_0-openjdk (jdk8u232/icedtea 3.14.0) fixes the following issues: Security issues fixed (bsc#1154212): - CVE-2019-2933: Windows file handling redux - CVE-2019-2945: Better socket support - CVE-2019-2949: Better Kerberos ccache handling - CVE-2019-2958: Build Better Processes - CVE-2019-2964: Better support for patterns - CVE-2019-2962: Better Glyph Images - CVE-2019-2973: Better pattern compilation - CVE-2019-2975: Unexpected exception in jjs - CVE-2019-2978: Improved handling of jar files - CVE-2019-2981: Better Path supports - CVE-2019-2983: Better serial attributes - CVE-2019-2987: Better rendering of native glyphs - CVE-2019-2988: Better Graphics2D drawing - CVE-2019-2989: Improve TLS connection support - CVE-2019-2992: Enhance font glyph mapping - CVE-2019-2999: Commentary on Javadoc comments - CVE-2019-2894: Enhance ECDSA operations (bsc#1152856) Bug fixes: - Fixed build failuers on ARM (bsc#1138529). ----------------------------------------- Patch: SUSE-2019-3245 Released: Wed Dec 11 10:12:19 2019 Summary: Recommended update for azure-li-services Severity: moderate References: 1157040,1157041 Description: This update for azure-li-services fixes the following issues: - Bump version: 1.2.3 to 1.2.4 - Reference commit for SUSE maintenance This submission creates a reference to bsc#1157041 - Reference commit for SUSE maintenance This submission creates a reference to bsc#1157040 - Bump version: 1.2.2 to 1.2.3 - Right name for vli sp2 folder - Add folder for SLES15 SP2 VLI images - Fixed VLI package list for sle15 cpp48 does not exist on sle15, instead the cpp package by its name provides is used. On sle15 this resolved to cpp7. This is related to Issue #186 - Bump version: 1.2.1 to 1.2.2 - Added Microsoft requested packages to VLI images This Fixes #186 - Add retry loop to setup sbd device There is no deterministic way to know when the iSCSI device is ready to be processed by sbd. Thus the calls to setup the sbd device has been placed into a retry loop that runs max 3 times with a 2sec wait period in between. This Fixes #188 - Add directory for SLES15-SP2 - Saptune setup As pointed before, saptune supersedes sapconf. This is the right path to setup saptune. Update image descriptions not to install sapconf. This Fixes #185 - Update LI image versions For the refresh of the images in the SUSE namespace the version number has been increased - Bump version: 1.2.0 to 1.2.1 - Right sequence saptune One of the issues is that `saptune` is a different tool that supersedes `sapconf`. Then the `saptune daemon restart` command will always overwrite the profile with `saptune`. Two different tools that can't be mixed. Only one should be used. In case of SLES (not SLES for SAP), the sequence should be For SLES 12 ``` tuned-adm profile sap-hana systemctl enable --now sapconf.service ``` and for SLES15 ``` tuned-adm profile sapconf systemctl enable --now sapconf.service ``` For SLES for SAP, the sequence is the same for 12 and 15: ``` saptune daemon start saptune solution apply HANA ``` This Fixes #172 - Bump version: 1.1.39 to 1.2.0 - Change the setup of the login shell The login shell was setup based on assumption regarding other user attributes set. This way caused some negative side effects which lets us change the behavior. This patch does the following * Adds a new attribute named: loginshell * If loginshell is present the value for loginshell will be used, if not the default /sbin/nologin applies * All implicit assumptions for setting up the login shell got deleted This Fixes #178 - sbd device to wait for udev to finish This Fixes #179 - Bump version: 1.1.38 to 1.1.39 - Consolidate all image descriptions in git Instead of maintaining image descriptions in obs we want to maintain them in git. With this change only a service and multibuild configuration applies in obs but the data to build the image will live in git. This allows for real development and review regarding changes to the kiwi image descriptions. - Restart iscsi subsystem after device discovery Only after restart of the iscsi subsystem the device nodes from a previous device discovery gets created properly. This Fixes #170 - Bump version: 1.1.37 to 1.1.38 - Added more logging to the process Add a log file /var/log/azure-li-services.log which adds logging information from the service process. Usually error log information is present on the systemd level but for checking the process, it's calls and potential further information it's also useful to have a processing log file. The log file will be created on the host and gets also copied to the config lun in the same way as the systemd workload log - Bump version: 1.1.36 to 1.1.37 - Delete ineffective startup.nsh code startup.nsh is read by the firmware in an early boot phase. It doesn't make sense to write that file as part of the boot services because it's too late in the process. startup.nsh if required needs to be provided by the image itself - Extend storage service dependencies The storage service can be used for remote storage like NFS storage to be attached to the machine. This requires the network to be online. Having the network only configured is not enough it must also be online. Thus the storage service unit is extended to wait for the network-online.target - Bump version: 1.1.35 to 1.1.36 - Fixed network setup for bonding on vlan vlan network definitions that uses bonding etherdevices were missing a switch to correctly assign the ip configuration This Fixes #164 - Bump version: 1.1.34 to 1.1.35 - Apply saptune startup sequence suggested by $MS Implementing startup sequence as suggested in SAP Note 1275776. This Fixes #149 - Log command calls on the console Implements a simple logging facility for the Command classes and write the commands called to the console. This will lead to more detailed information about the command calls in the systemd status information - Load yaml in safe mode The default yaml loader is unsafe, thus we should switch to the safe_load method. For details see: https://msg.pyyaml.org/load - Bump version: 1.1.33 to 1.1.34 - Start saptune daemon after applying profile For some reason the saptune daemon needs to restart if a profile has been set through the tuned-adm profile command. This Fixes #149 - Revert fix for service order of saptune daemon It has turned out that the simple change in order did not solve the problem. In fact the daemon needs to be restarted on profile setup - Allow ssh access with shell Allow access through ssh without shadow hash and with shell. Fixes #151 - Bump version: 1.1.32 to 1.1.33 - Fix service order on startup of saptune daemon The tuned profile must be applied prior to the start of the saptune daemon. This Fixes #149 - Bump version: 1.1.31 to 1.1.32 - Fixed travis badge link - Mount LUN in sync mode Per request from Microsoft the location that holds the config file and is also used for the status flag and log should be mounted with the sync option. This Fixes #144 - Activate SAP Hana profile via tuned-adm Check for the presence of the sap-hana profile and switch to sapconf if not found. Activate the selected profile via the tuned-adm control command. This Fixes #142 ----------------------------------------- Patch: SUSE-2019-3298 Released: Sat Dec 14 00:59:01 2019 Summary: Recommended update for gnu-compilers-hpc Severity: moderate References: 1149414,SLE-7765,SLE-7766 Description: This update for gnu-compilers-hpc fixes the following issues: - Add support for gcc7 and gcc8 variants of gnu-compilers-hpc (jsc#SLE-7766) - For the base compiler add a 'Provides' for the versioned form. ----------------------------------------- Patch: SUSE-2019-3301 Released: Mon Dec 16 10:47:20 2019 Summary: Recommended update for mariadb-connector-c Severity: moderate References: 1156669 Description: This update for mariadb-connector-c fixes the following issues: New upstream version 3.1.5 (bsc#1156669) - Plugin dialog could not be loaded (wrong path) - Fix for unknown/not handled schannel error codes - Use windows crypto libraries on Windows platforms - Fix crash in GnuTLS when key and certificate are in the same file - Fix location of PLUGINDIR if Connector/C is a subproject ----------------------------------------- Patch: SUSE-2019-3327 Released: Tue Dec 17 15:45:47 2019 Summary: Recommended update for libtcnative-1-0 Severity: moderate References: 1130843,202339,622430 Description: This update for libtcnative-1-0 fixes the following issues: - Fix incompatibility with Tomcat. (bsc#1130843) - Include 'libtcnative-1.so' in the main package. (bsc#622430) - Enable 'jsvc' and 'apr/epoll' in Tomcat packages. (bsc#202339) ----------------------------------------- Patch: SUSE-2019-3329 Released: Tue Dec 17 15:46:18 2019 Summary: Recommended update to python-tornado Severity: low References: 1149792 Description: - Add patch to skip tests failing with OpenSSL 1.1.1 (bsc#1149792) * it happens only when using TLS 1.3, so if user wants to use tornado, they can hand disable the TLS 1.3 and continue ----------------------------------------- Patch: SUSE-2019-3345 Released: Thu Dec 19 15:02:29 2019 Summary: Optional update for container-diff Severity: low References: 1148768,ECO-338 Description: Added container-diff package to SUSE Linux Enterprise 15 Containers Module and SUSE Linux Enterprise 15 SP1 Containers Module. ----------------------------------------- Patch: SUSE-2019-3348 Released: Thu Dec 19 16:13:04 2019 Summary: Security update for spectre-meltdown-checker Severity: moderate References: 1117665,1139073,CVE-2018-12207,CVE-2019-11135 Description: This update for spectre-meltdown-checker fixes the following issues: - feat: implement TAA detection (CVE-2019-11135 bsc#1139073) - feat: implement MCEPSC / iTLB Multihit detection (CVE-2018-12207 bsc#1117665) - feat: taa: add TSX_CTRL MSR detection in hardware info - feat: fwdb: use both Intel GitHub repo and MCEdb to build our firmware version database - feat: use --live with --kernel/--config/--map to override file detection in live mode - enh: rework the vuln logic of MDS with --paranoid (fixes #307) - enh: explain that Enhanced IBRS is better for performance than classic IBRS - enh: kernel: autodetect customized arch kernels from cmdline - enh: kernel decompression: better tolerance against missing tools - enh: mock: implement reading from /proc/cmdline - fix: variant3a: Silvermont CPUs are not vulnerable to variant 3a - fix: lockdown: detect Red Hat locked down kernels (impacts MSR writes) - fix: lockdown: detect locked down mode in vanilla 5.4+ kernels - fix: sgx: on locked down kernels, fallback to CPUID bit for detection - fix: fwdb: builtin version takes precedence if the local cached version is older - fix: pteinv: don't check kernel image if not available - fix: silence useless error from grep (fixes #322) - fix: msr: fix msr module detection under Ubuntu 19.10 (fixes #316) - fix: mocking value for read_msr - chore: rename mcedb cmdline parameters to fwdb, and change db version scheme - chore: fwdb: update to v130.20191104+i20191027 - chore: add GitHub check workflow ----------------------------------------- Patch: SUSE-2019-3383 Released: Mon Dec 23 16:55:01 2019 Summary: Recommended update for google-compute-engine Severity: moderate References: 1151398 Description: This update for google-compute-engine the following fix: - Add a wait limit to retrying DNS resolution to avoid a forever loop. (bsc#1151398) ----------------------------------------- Patch: SUSE-2019-3391 Released: Fri Dec 27 13:33:16 2019 Summary: Security update for dia Severity: moderate References: 1158194,CVE-2019-19451 Description: This update for dia fixes the following issue: - CVE-2019-19451: Fixed an endless loop on filenames with invalid encoding (bsc#1158194). ----------------------------------------- Patch: SUSE-2019-3395 Released: Mon Dec 30 14:05:06 2019 Summary: Security update for mozilla-nspr, mozilla-nss Severity: moderate References: 1141322,1158527,1159819,CVE-2018-18508,CVE-2019-11745,CVE-2019-17006 Description: This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nss was updated to NSS 3.47.1: Security issues fixed: - CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819). - CVE-2019-11745: EncryptUpdate should use maxout, not block size (bsc#1158527). - CVE-2019-11727: Fixed vulnerability sign CertificateVerify with PKCS#1 v1.5 signatures issue (bsc#1141322). mozilla-nspr was updated to version 4.23: - Whitespace in C files was cleaned up and no longer uses tab characters for indenting. ----------------------------------------- Patch: SUSE-2019-3400 Released: Tue Dec 31 08:18:40 2019 Summary: Recommended update for libsodium Severity: moderate References: 1146257 Description: This update for libsodium fixes the following issues: - build libsodium23-32bit, which is required by zeromq's -32bit packages. (bsc#1146257) ----------------------------------------- Patch: SUSE-2020-1 Released: Thu Jan 2 09:47:04 2020 Summary: Security update for java-1_8_0-ibm Severity: moderate References: 1154212,1158442,CVE-2019-17631,CVE-2019-2933,CVE-2019-2945,CVE-2019-2958,CVE-2019-2962,CVE-2019-2964,CVE-2019-2973,CVE-2019-2975,CVE-2019-2978,CVE-2019-2981,CVE-2019-2983,CVE-2019-2988,CVE-2019-2989,CVE-2019-2992,CVE-2019-2996,CVE-2019-2999 Description: This update for java-1_8_0-ibm fixes the following issues: - Update to Java 8.0 Service Refresh 6 [bsc#1158442, bsc#1154212] * Security fixes: CVE-2019-2933 CVE-2019-2945 CVE-2019-2958 CVE-2019-2962 CVE-2019-2964 CVE-2019-2975 CVE-2019-2978 CVE-2019-2983 CVE-2019-2988 CVE-2019-2989 CVE-2019-2992 CVE-2019-2996 CVE-2019-2999 CVE-2019-2973 CVE-2019-2981 CVE-2019-17631 ----------------------------------------- Patch: SUSE-2020-10 Released: Thu Jan 2 12:35:06 2020 Summary: Recommended update for gcc7 Severity: moderate References: 1146475 Description: This update for gcc7 fixes the following issues: - Fix miscompilation with thread-safe localstatic initialization (gcc#85887). - Fix debug info created for array definitions that complete an earlier declaration (bsc#1146475). ----------------------------------------- Patch: SUSE-2020-17 Released: Tue Jan 7 11:19:17 2020 Summary: Security update for virglrenderer Severity: important References: 1159478,1159479,1159482,1159486,CVE-2019-18388,CVE-2019-18389,CVE-2019-18390,CVE-2019-18391 Description: This update for virglrenderer fixes the following issues: - CVE-2019-18388: Fixed a null pointer dereference which could have led to denial of service (bsc#1159479). - CVE-2019-18390: Fixed an out of bound read which could have led to denial of service (bsc#1159478). - CVE-2019-18389: Fixed a heap buffer overflow which could have led to guest escape or denial of service (bsc#1159482). - CVE-2019-18391: Fixed a heap based buffer overflow which could have led to guest escape or denial of service (bsc#1159486). ----------------------------------------- Patch: SUSE-2020-19 Released: Tue Jan 7 11:28:10 2020 Summary: Recommended update for lifecycle-data-sle-module-live-patching Severity: moderate References: 1020320 Description: This update for lifecycle-data-sle-module-live-patching fixes the following issues: - Added data for 4_12_14-150_38, 4_12_14-150_41, 4_12_14-197_18, 4_12_14-197_21, 4_12_14-197_26. (bsc#1020320) ----------------------------------------- Patch: SUSE-2020-32 Released: Tue Jan 7 16:09:04 2020 Summary: Recommended update for rpmlint Severity: moderate References: 1151418,1157663 Description: This update for rpmlint contains the following fixes: - Whitelist sssd infopipe. (bsc#1157663) - Whitelist sysprof3 D-Bus services. (bsc#1151418) ----------------------------------------- Patch: SUSE-2020-35 Released: Wed Jan 8 09:06:32 2020 Summary: Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork Severity: moderate References: 1122469,1143349,1150397,1152308,1153367,1158590,CVE-2019-16884 Description: This update for containerd, docker, docker-runc, golang-github-docker-libnetwork fixes the following issues: Security issue fixed: - CVE-2019-16884: Fixed incomplete patch for LSM bypass via malicious Docker image that mount over a /proc directory (bsc#1152308). Bug fixes: - Update to Docker 19.03.5-ce (bsc#1158590). - Update to Docker 19.03.3-ce (bsc#1153367). - Update to Docker 19.03.2-ce (bsc#1150397). - Fixed default installation such that --userns-remap=default works properly (bsc#1143349). - Fixed nginx blocked by apparmor (bsc#1122469). ----------------------------------------- Patch: SUSE-2020-37 Released: Wed Jan 8 10:42:00 2020 Summary: - Fix test getdate [bsc#1159990] Severity: low References: Description: - Fix test getdate [bsc#1159990] - Add perl-TimeDate-getdate.patch ----------------------------------------- Patch: SUSE-2020-45 Released: Wed Jan 8 14:56:48 2020 Summary: Security update for git Severity: important References: 1082023,1149792,1158785,1158787,1158788,1158789,1158790,1158791,1158792,1158793,1158795,CVE-2019-1348,CVE-2019-1349,CVE-2019-1350,CVE-2019-1351,CVE-2019-1352,CVE-2019-1353,CVE-2019-1354,CVE-2019-1387,CVE-2019-19604 Description: This update for git fixes the following issues: Security issues fixed: - CVE-2019-1349: Fixed issue on Windows, when submodules are cloned recursively, under certain circumstances Git could be fooled into using the same Git directory twice (bsc#1158787). - CVE-2019-19604: Fixed a recursive clone followed by a submodule update could execute code contained within the repository without the user explicitly having asked for that (bsc#1158795). - CVE-2019-1387: Fixed recursive clones that are currently affected by a vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones (bsc#1158793). - CVE-2019-1354: Fixed issue on Windows that refuses to write tracked files with filenames that contain backslashes (bsc#1158792). - CVE-2019-1353: Fixed issue when run in the Windows Subsystem for Linux while accessing a working directory on a regular Windows drive, none of the NTFS protections were active (bsc#1158791). - CVE-2019-1352: Fixed issue on Windows was unaware of NTFS Alternate Data Streams (bsc#1158790). - CVE-2019-1351: Fixed issue on Windows mistakes drive letters outside of the US-English alphabet as relative paths (bsc#1158789). - CVE-2019-1350: Fixed incorrect quoting of command-line arguments allowed remote code execution during a recursive clone in conjunction with SSH URLs (bsc#1158788). - CVE-2019-1348: Fixed the --export-marks option of fast-import is exposed also via the in-stream command feature export-marks=... and it allows overwriting arbitrary paths (bsc#1158785). - Fixes an issue where git send-email failed to authenticate with SMTP server (bsc#1082023) Bug fixes: - Add zlib dependency, which used to be provided by openssl-devel, so that package can compile successfully after openssl upgrade to 1.1.1. (bsc#1149792). ----------------------------------------- Patch: SUSE-2020-52 Released: Thu Jan 9 10:09:11 2020 Summary: Optional update for openslp Severity: low References: 1149792 Description: This update for openslp doesn't fix any user visible bugs. ----------------------------------------- Patch: SUSE-2020-58 Released: Thu Jan 9 13:29:49 2020 Summary: Security update for LibreOffice Severity: moderate References: 1061210,1105173,1144522,1152684,CVE-2019-9853,SLE-8705 Description: This update libreoffice and libraries fixes the following issues: LibreOffice was updated to 6.3.3 (jsc#SLE-8705), bringing many bug and stability fixes. More information for the 6.3 release at: https://wiki.documentfoundation.org/ReleaseNotes/6.3 Security issue fixed: - CVE-2019-9853: Fixed an issue where by executing macros, the security settings could have been bypassed (bsc#1152684). Other issues addressed: - Dropped disable-kde4 switch, since it is no longer known by configure - Disabled gtk2 because it will be removed in future releases - librelogo is now a standalone sub-package (bsc#1144522). - Partial fixes for an issue where Table(s) from DOCX showed wrong position or color (bsc#1061210). cmis-client was updated to 0.5.2: * Removed header for Uuid's sha1 header(bsc#1105173). * Fixed Google Drive login * Added support for Google Drive two-factor authentication * Fixed access to SharePoint root folder * Limited the maximal number of redirections to 20 * Switched library implementation to C++11 (the API remains C++98-compatible) * Fixed encoding of OAuth2 credentials * Dropped cppcheck run from 'make check'. A new 'make cppcheck' target was created for it * Added proper API symbol exporting * Speeded up building of tests a bit * Fixed a few issues found by coverity and cppcheck libixion was updated to 0.15.0: * Updated for new liborcus * Switched to spdlog for compile-time debug log outputs * Fixed various issues libmwaw was updated 0.3.15: * Fixed fuzzing issues liborcus was updated to 0.15.3: * Fixed various xml related bugs * Improved performance * Fixed multiple parser issues * Added map and structure mode to orcus-json * Other improvements and fixes mdds was updated to 1.5.0: * API changed to 1.5 * Moved the API incompatibility notes from README to the rst doc. * Added the overview section for flat_segment_tree. myspell-dictionaries was updated to 20191016: * Updated Slovenian thesaurus * Updated the da_DK dictionary * Removed the abbreviations from Thai hunspell dictionary * Updated the English dictionaries * Fixed the logo management for 'ca' spdlog was updated to 0.16.3: * Fixed sleep issue under MSVC that happens when changing the clock backwards * Ensured that macros always expand to expressions * Added global flush_on function ----------------------------------------- Patch: SUSE-2020-64 Released: Fri Jan 10 11:02:19 2020 Summary: Security update for openssl-1_0_0 Severity: moderate References: 1158809,CVE-2019-1551 Description: This update for openssl-1_0_0 fixes the following issues: Security issue fixed: - CVE-2019-1551: Fixed an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809). ----------------------------------------- Patch: SUSE-2020-94 Released: Tue Jan 14 12:28:26 2020 Summary: Recommended update for icu Severity: important References: 1103893,1146907 Description: This update for icu fixes the following issues: - Porting upstream's Japanese new era name support. (bsc#1103893, fate#325570, fate#325419) - Remove old obsoletes/provides for migration from very old products, as they break our shared library policy. (bsc#1146907) - IMPORTANT: Please force this update to install with 'zypper -f' to override the major version if you already installed the version 64. ----------------------------------------- Patch: SUSE-2020-108 Released: Wed Jan 15 14:19:08 2020 Summary: Recommended update for ClusterTools2 Severity: moderate References: 1084925,1097134 Description: This update for ClusterTools2 fixes the following issues: - Replace cron jobs with systemd timers. (bsc#1097134, jsc#SLE-9199) - Script refinement and first steps for an adaption to SLE15 codestream using 'shellcheck' to find and correct syntax problems, spelling errors and other problems. - Added /etc/ClusterTools2/cs_make_sbd_devices avoiding stuck and exit in case of doing a dump. (bsc#1084925) ----------------------------------------- Patch: SUSE-2020-109 Released: Wed Jan 15 14:19:28 2020 Summary: Recommended update for hawk2 Severity: moderate References: 1158681 Description: This update for hawk2 fixes the following issues: - Fix the 'acl_version' method when parsing the cib.xml avoid hanging of HAWK2 (bsc#1158681) ----------------------------------------- Patch: SUSE-2020-119 Released: Thu Jan 16 15:42:39 2020 Summary: Recommended update for python-jsonpatch Severity: moderate References: 1160978 Description: This update for python-jsonpatch fixes the following issues: - Drop jsondiff binary to avoid conflict with python-jsondiff package. ----------------------------------------- Patch: SUSE-2020-122 Released: Fri Jan 17 10:56:07 2020 Summary: Recommended update for container-suseconnect Severity: moderate References: 1138731,1154247,1157960 Description: This update for container-suseconnect fixes the following issues: - Fix usage with RMT and SMT. (bsc#1157960) - Parse the /etc/products.d/*.prod files. - Fix function comments based on best practices from Effective Go. (bsc#1138731) - Implement interacting with SCC behind proxy and SMT. (bsc#1154247) ----------------------------------------- Patch: SUSE-2020-125 Released: Fri Jan 17 12:27:07 2020 Summary: Recommended update for icu Severity: important References: 1161007 Description: This update for icu provides the following fix: - Re-add the libicu provides to the spec file to fix installation of SAP HANA on SLE-15 and SLE-15-SP1. (bsc#1161007) ----------------------------------------- Patch: SUSE-2020-143 Released: Mon Jan 20 16:10:38 2020 Summary: Security update for libvpx Severity: important References: 1160611,1160612,1160613,1160614,1160615,CVE-2019-2126,CVE-2019-9232,CVE-2019-9325,CVE-2019-9371,CVE-2019-9433 Description: This update for libvpx fixes the following issues: - CVE-2019-2126: Fixed a double free in ParseContentEncodingEntry() (bsc#1160611). - CVE-2019-9325: Fixed an out-of-bounds read (bsc#1160612). - CVE-2019-9232: Fixed an out-of-bounds memory access on fuzzed data (bsc#1160613). - CVE-2019-9433: Fixed a use-after-free in vp8_deblock() (bsc#1160614). - CVE-2019-9371: Fixed a resource exhaustion after memory leak (bsc#1160615). ----------------------------------------- Patch: SUSE-2020-213 Released: Wed Jan 22 15:38:15 2020 Summary: Security update for java-11-openjdk Severity: important References: 1160968,CVE-2020-2583,CVE-2020-2590,CVE-2020-2593,CVE-2020-2601,CVE-2020-2604,CVE-2020-2654,CVE-2020-2655 Description: This update for java-11-openjdk fixes the following issues: Update to version jdk-11.0.6-10 (January 2020 CPU, bsc#1160968) Fixing these security related issues: - CVE-2020-2583: Unlink Set of LinkedHashSets - CVE-2020-2590: Improve Kerberos interop capabilities - CVE-2020-2593: Normalize normalization for all - CVE-2020-2601: Better Ticket Granting Services - CVE-2020-2604: Better serial filter handling - CVE-2020-2655: Better TLS messaging support - CVE-2020-2654: Improve Object Identifier Processing ----------------------------------------- Patch: SUSE-2020-217 Released: Thu Jan 23 07:50:32 2020 Summary: Recommended update for perl-Crypt-SSLeay Severity: moderate References: 1149792 Description: This update for perl-Crypt-SSLeay fixes the following issues: - Fix build not testing content of returned version strings - Add missing zlib build dependency, which used to be pulled in by libopenssl-devel. (bsc#1149792) ----------------------------------------- Patch: SUSE-2020-225 Released: Fri Jan 24 06:49:07 2020 Summary: Recommended update for procps Severity: moderate References: 1158830 Description: This update for procps fixes the following issues: - Fix for 'ps -C' allowing to accept any arguments longer than 15 characters anymore. (bsc#1158830) ----------------------------------------- Patch: SUSE-2020-231 Released: Fri Jan 24 13:34:17 2020 Summary: Security update for java-1_8_0-openjdk Severity: important References: 1160968,CVE-2020-2583,CVE-2020-2590,CVE-2020-2593,CVE-2020-2601,CVE-2020-2604,CVE-2020-2654,CVE-2020-2659 Description: This update for java-1_8_0-openjdk fixes the following issues: Update java-1_8_0-openjdk to version jdk8u242 (icedtea 3.15.0) (January 2020 CPU, bsc#1160968): - CVE-2020-2583: Unlink Set of LinkedHashSets - CVE-2020-2590: Improve Kerberos interop capabilities - CVE-2020-2593: Normalize normalization for all - CVE-2020-2601: Better Ticket Granting Services - CVE-2020-2604: Better serial filter handling - CVE-2020-2659: Enhance datagram socket support - CVE-2020-2654: Improve Object Identifier Processing ----------------------------------------- Patch: SUSE-2020-237 Released: Mon Jan 27 10:15:16 2020 Summary: Recommended update for saptune Severity: moderate References: 1142467,1142526,1149002,1152598,1159671 Description: This update for saptune fixes the following issues: - Add function 'delete' and 'rename' to the 'note' operation to manipulate a customer or vendor specific note, with confirmation. (jsc#SLE-9283) - Inform the customer that the command 'saptune note customise [NoteID]' does not apply changes immediately but writes the changes into a configuration file that can be applied in a second step. (bsc#1142467) - Add warning to man page, not to rename/remove/modify active configurations. (bsc#1149002) - Implement support of multi-queue I/O scheduler for block devices. (bsc#1152598) - Add missing search pattern to the update helper script to find all old and superfluous notes during upgrade from SLE12 to SLE15. (bsc#1142526) - If a parameter is not supported by the system, the note action 'verify' will no longer report this as an error even if the value is not compliant. (bsc#1159671) ----------------------------------------- Patch: SUSE-2020-245 Released: Tue Jan 28 09:42:30 2020 Summary: Recommended update for cloud-init Severity: moderate References: 1155376,1156139,1157894,1161132,1161133 Description: This update for cloud-init fixes the following issues: - Fixed an issue where it was not possible to add SSH keys and thus it was not possible to log into the system (bsc#1161132, bsc#1161133) - Fixes an issue where the IPv6 interface variable was not correctly set in an ifcfg file (bsc#1156139) - The route's destination network will now be written in CIDR notation. This provides support for correctly recording IPv6 routes (bsc#1155376) - Many smaller fixes came with this package as well. For a full list of all changes, refer to the rpm's changes file. ----------------------------------------- Patch: SUSE-2020-256 Released: Wed Jan 29 09:39:17 2020 Summary: Recommended update for aaa_base Severity: moderate References: 1157794,1160970 Description: This update for aaa_base fixes the following issues: - Improves the way how the Java path is created to fix an issue with sapjvm. (bsc#1157794) - Drop 'dev.cdrom.autoclose' = 0 from sysctl config. (bsc#1160970) ----------------------------------------- Patch: SUSE-2020-303 Released: Mon Feb 3 15:11:40 2020 Summary: Recommended update for perl-ldap Severity: moderate References: 1158918 Description: This update for perl-ldap fixes the following issues: The package is added to the Basesystem module, as it is required by the YAST modules 'dhcp-server' and 'dns-server'. (bsc#1158918) ----------------------------------------- Patch: SUSE-2020-314 Released: Tue Feb 4 14:13:27 2020 Summary: Recommended update for gssproxy Severity: moderate References: 1024309 Description: This update for gssproxy fixes the following issues: - Fix paths in tests and replace python's f-string usage - Initial check-in of gssproxy is needed on the NFS server if krb5 is used for NFS authentication using an AD directory server. (bsc#1024309)(FATE#322526) - 'krb5' may need 'auth_to_local = RULE:[1:$1@$0]' on the 'realms' section when 'winbind' is used for nsswitch.conf. (bsc#1024309)(FATE#322526) Also ding-libs was updated from 0.6.0 to 0.6.1 (jsc#ECO-248): - libini now supports validators that check for well-formed INI files. ----------------------------------------- Patch: SUSE-2020-322 Released: Wed Feb 5 09:02:56 2020 Summary: Recommended update for terraform-provider-aws, terraform-provider-susepubliccloud Severity: moderate References: 1162585 Description: This update for terraform-provider-aws, terraform-provider-susepubliccloud fixes the following issues: - terraform-provider-susepubliccloud was released in version 0.0.1 (bsc#1162585 jsc#ECO-134) - terraform-provider-aws was released in v2.29.0 (bsc#1162585 jsc#ECO-134) ----------------------------------------- Patch: SUSE-2020-325 Released: Wed Feb 5 14:57:02 2020 Summary: Recommended update for dmidecode Severity: moderate References: 1153533,1158833 Description: This update for dmidecode fixes the following issues: - Add enumerated values from SMBIOS 3.3.0 preventing incorrect report of new VGA card. (bsc#1153533, bsc#1158833, jsc#SLE-10875) - Only scan '/dev/mem' for entry point on x86 (fixes reboot on ARM64). - Fix formatting of TPM table output (missing newlines). - Fix displaying system slot information for PCIe SSD. ----------------------------------------- Patch: SUSE-2020-336 Released: Thu Feb 6 12:45:08 2020 Summary: Recommended update for opus Severity: moderate References: 1162395 Description: This update for opus fixes the following issues: - Fixes an issue with the analysis on files with digital silence (all zeros), especially on x87 builds (mostly affects 32-bit builds) - Improved speech/music detection based on a neural network - Low-bitrate speech improvements - Added support for immersive audio using ambisonics - Improved tone quality This update also improves the security of this software. ----------------------------------------- Patch: SUSE-2020-338 Released: Thu Feb 6 13:00:23 2020 Summary: Recommended update for apr Severity: moderate References: 1151059 Description: This update for apr fixes the following issues: - Increase timeout to fix random failure of testsuite [bsc#1151059]. ----------------------------------------- Patch: SUSE-2020-343 Released: Thu Feb 6 13:08:13 2020 Summary: Recommended update for SAPHanaSR Severity: moderate References: 1155423,1156067,1156150,1157453 Description: This update for SAPHanaSR fixes the following issues: - Restart sapstartsrv service on master nameserver node during monitor action, if needed. But NOT during probes. (bsc#1157453, bsc#1156150) - The SAPHana resource agent must not down-score a SAP HANA Database site, but keep high scoring during recovery of the master name server. (bsc#1156067) - Change HAWK2 templates to python3. (bsc#1155423) ----------------------------------------- Patch: SUSE-2020-344 Released: Thu Feb 6 13:08:33 2020 Summary: Recommended update for python-kiwi Severity: moderate References: 1139915,1150190,1155815,1156694,1156908,1157104,1157354,1159235,1159538 Description: This update for python-kiwi fixes the following issues: - Update libyui-ncurses-pkg10 to libyui-ncurses-pkg11 Tumbleweed there is no longer the libyui-ncurses-pkg10 its been superseded by libyui-ncurses-pkg11. (bsc#1159538) - Fix grub2 configuration for shim fallback setup if shim fallback setup is enabled the grub.cfg is copied to the EFI partition. (bsc#1159235, bsc#1155815) - No swap volume is added on btrfs as the volume manager is not LVM, so swap has its own volume. (bsc#1156908) - Fixed setup of default grub config preventing grub2-mkconfig to place the root device information twice. (bsc#1156908) - Include 'grub.cfg' inside the efi partition the vfat. (bsc#1157354) - Fix for kiwi relative path in repository element. (bsc#1157104) - Fixed 'zipl' bootloader setup for 's390' images. (bsc#1156694) - Fix the sha256 generated file content in a 'kiwi result bundle' call includes the filename with the correct extension. (bsc#1139915) - Fixed rpmdb compat link setup removing the hardcoded path '/var/lib/rpm' and use the rpm macro definition instead. (bsc#1150190) ----------------------------------------- Patch: SUSE-2020-359 Released: Fri Feb 7 10:39:59 2020 Summary: Security update for rubygem-rack Severity: moderate References: 1114828,1116600,1159548,CVE-2018-16471,CVE-2019-16782 Description: This update for rubygem-rack to version 2.0.8 fixes the following issues: - CVE-2018-16471: Fixed a cross-site scripting (XSS) flaw via the scheme method on Rack::Request (bsc#1116600). - CVE-2019-16782: Fixed a possible information leak and session hijack vulnerability (bsc#1159548). ----------------------------------------- Patch: SUSE-2020-362 Released: Fri Feb 7 11:14:20 2020 Summary: Recommended update for libXi Severity: moderate References: 1153311 Description: This update for libXi fixes the following issue: - The libXi6-32bit library on x86_64 are now shipped in the Basesystem module. (bsc#1153311) ----------------------------------------- Patch: SUSE-2020-365 Released: Fri Feb 7 13:48:54 2020 Summary: Recommended update for lmdb Severity: moderate References: 1159086 Description: This update for lmdb fixes the following issues: - Fix assert in LMBD during 'mdb_page_search_root'. (bsc#1159086). ----------------------------------------- Patch: SUSE-2020-375 Released: Fri Feb 7 17:30:25 2020 Summary: Security update for docker-runc Severity: moderate References: 1160452,CVE-2019-19921 Description: This update for docker-runc fixes the following issues: - CVE-2019-19921: Fixed a volume mount race condition with shared mounts (bsc#1160452). ----------------------------------------- Patch: SUSE-2020-392 Released: Tue Feb 18 11:23:50 2020 Summary: Recommended update for lifecycle-data-sle-module-live-patching Severity: moderate References: 1020320 Description: This update for lifecycle-data-sle-module-live-patching fixes the following issues: - Removed duplicate records and added data for 4_12_14-150_47, 4_12_14-197_29. (bsc#1020320) ----------------------------------------- Patch: SUSE-2020-395 Released: Tue Feb 18 14:16:48 2020 Summary: Recommended update for gcc7 Severity: moderate References: 1160086 Description: This update for gcc7 fixes the following issue: - Fixed a miscompilation in zSeries code (bsc#1160086) ----------------------------------------- Patch: SUSE-2020-398 Released: Tue Feb 18 16:59:27 2020 Summary: Recommended update for gnu-compilers-hpc Severity: moderate References: 1160924 Description: This update for gnu-compilers-hpc fixes the following issues: - Added gcc9 flavors (jsc#SLE-8604 bsc#1160924) ----------------------------------------- Patch: SUSE-2020-413 Released: Wed Feb 19 10:21:41 2020 Summary: Security update for enigmail Severity: moderate References: 1159973 Description: This update for enigmail fixes the following issues: enigmail was updated to 2.1.5: * Security issue: unsigned MIME parts displayed as signed (bsc#1159973) * Ensure that upgrading GnuPG 2.0.x to 2.2.x upgrade converts keyring format * Make Enigmail Compatible with Protected-Headers spec, draft 2 enigmail 2.1.4: * Fixes for UI glitches * Option to 'Attach public key to messages' was not restored properly enigmail 2.1.3: * fix a bug in the setup wizard that could lead the wizard to never complete scanning the inbox ----------------------------------------- Patch: SUSE-2020-31 Released: Mon Feb 24 10:36:36 2020 Summary: Recommended update for cloud-netconfig Severity: moderate References: 1135592,1144282,1157117,1157190 Description: This update for cloud-netconfig contains the following fixes: - Removed obsolete Group tag from spec file. - Update to version 1.3: + Fix IPv4 address handling on secondary NICs in Azure. - Update to version 1.2: + support AWS IMDSv2 token. - Update to version 1.1: + fix use of GATEWAY variable. (bsc#1157117, bsc#1157190) + remove secondary IPv4 address only when added by cloud-netconfig. (bsc#1144282) + simplify routing setup for single NIC systems (partly fixes bsc#1135592) ----------------------------------------- Patch: SUSE-2020-440 Released: Mon Feb 24 15:31:42 2020 Summary: Security update for python-azure-agent Severity: moderate References: 1127838,CVE-2019-0804 Description: This update for python-azure-agent fixes the following issues: python-azure-agent was updated to version 2.2.45 (jsc#ECO-80) + Add support for Gen2 VM resource disks + Use alternate systemd detection + Fix /proc/net/route requirement that causes errors on FreeBSD + Add cloud-init auto-detect to prevent multiple provisioning mechanisms from relying on configuration for coordination + Disable cgroups when daemon is setup incorrectly + Remove upgrade extension loop for the same goal state + Add container id for extension telemetry events + Be more exact when detecting IMDS service health + Changing add_event to start sending missing fields From 2.2.44 update: + Remove outdated extension ZIP packages + Improved error handling when starting extensions using systemd + Reduce provisioning time of some custom images + Improve the handling of extension download errors + New API for extension authors to handle errors during extension update + Fix handling of errors in calls to openssl + Improve logic to determine current distro + Reduce verbosity of several logging statements From 2.2.42 update: + Poll for artifact blob, addresses goal state procesing issue From 2.2.41 update: + Rewriting the mechanism to start the extension using systemd-run for systems using systemd for managing + Refactoring of resource monitoring framework using cgroup for both systemd and non-systemd approaches [#1530, #1534] + Telemetry pipeline for resource monitoring data From 2.2.40 update: + Fixed tracking of memory/cpu usage + Do not prevent extensions from running if setting up cgroups fails + Enable systemd-aware deprovisioning on all versions >= 18.04 + Add systemd support for Debian Jessie, Stretch, and Buster + Support for Linux Openwrt From 2.2.38 update: Security issue fixed: + CVE-2019-0804: An issue with swapfile handling in the agent creates a data leak situation that exposes system memory data. (bsc#1127838) + Add fixes for handling swap file and other nit fixes From 2.2.37 update: + Improves re-try logic to handle errors while downloading extensions ----------------------------------------- Patch: SUSE-2020-445 Released: Tue Feb 25 10:49:36 2020 Summary: Recommended update for gdb Severity: moderate References: 1146167,1146475,1156284,1158539 Description: This update for gdb fixes the following issues: - Added support for official name of IBM s390 Arch13: z15. - Added descriptions for arch13 instructions. (jsc#SLE-7903) - Fixed build with gcc 10 [bsc#1158539, swo#24653]. - Make fpc optional (bsc#1156284) as fpc requires itself for bootstrapping. - Fixed a debugging information problem with a forwarding array declaration (bsc#1146475) - Fixed that logging redirect doesn't work for user-defined command (bsc#1146167) ----------------------------------------- Patch: SUSE-2020-453 Released: Tue Feb 25 10:51:53 2020 Summary: Recommended update for binutils Severity: moderate References: 1160590 Description: This update for binutils fixes the following issues: - Recognize the official name of s390 arch13: 'z15'. (bsc#1160590, jsc#SLE-7903 aka jsc#SLE-7464) ----------------------------------------- Patch: SUSE-2020-458 Released: Tue Feb 25 11:01:37 2020 Summary: Security update for libexif Severity: moderate References: 1120943,1160770,CVE-2018-20030,CVE-2019-9278 Description: This update for libexif fixes the following issues: - CVE-2019-9278: Fixed an integer overflow (bsc#1160770). - CVE-2018-20030: Fixed a denial of service by endless recursion (bsc#1120943). ----------------------------------------- Patch: SUSE-2020-466 Released: Tue Feb 25 11:59:19 2020 Summary: Security update for java-1_8_0-ibm Severity: important References: 1160968,1162972,CVE-2019-4732,CVE-2020-2583,CVE-2020-2593,CVE-2020-2604,CVE-2020-2659 Description: This update for java-1_8_0-ibm fixes the following issues: Java 8.0 was updated to Service Refresh 6 Fix Pack 5 (bsc#1162972, bsc#1160968) - CVE-2020-2583: Unlink Set of LinkedHashSets - CVE-2019-4732: Untrusted DLL search path vulnerability - CVE-2020-2593: Normalize normalization for all - CVE-2020-2604: Better serial filter handling - CVE-2020-2659: Enhance datagram socket support ----------------------------------------- Patch: SUSE-2020-480 Released: Tue Feb 25 17:38:22 2020 Summary: Recommended update for aaa_base Severity: moderate References: 1160735 Description: This update for aaa_base fixes the following issues: - Change 'rp_filter' to increase the default priority to ethernet over the wifi. (bsc#1160735) ----------------------------------------- Patch: SUSE-2020-481 Released: Tue Feb 25 17:39:22 2020 Summary: Recommended update for perl-TimeDate Severity: moderate References: 1162433 Description: This update for perl-TimeDate fixes the following issues: - Fix for issues parsing date strings into time values correctly. (bsc#1162433) ----------------------------------------- Patch: SUSE-2020-489 Released: Wed Feb 26 11:44:03 2020 Summary: Security update for ppp Severity: important References: 1162610,CVE-2020-8597 Description: This update for ppp fixes the following security issue: - CVE-2020-8597: Fixed a buffer overflow in the eap_request and eap_response functions (bsc#1162610). ----------------------------------------- Patch: SUSE-2020-498 Released: Wed Feb 26 17:59:44 2020 Summary: Recommended update for aws-cli, python-boto3, python-botocore, python-s3transfer, python-aws-sam-translator, python-cfn-lint, python-nose2, python-parameterized Severity: moderate References: 1122669,1136184,1146853,1146854,1159018 Description: This update for aws-cli, python-aws-sam-translator, python-cfn-lint, python-nose2, python-parameterized, python-boto3, python-botocore, python-s3transfer fixes the following issues: python-aws-sam-translator was updated to 1.11.0 (bsc#1159018, jsc#PM-1507): Upgrade to 1.11.0: * Add ReservedConcurrentExecutions to globals * Fix ElasticsearchHttpPostPolicy resource reference * Support using AWS::Region in Ref and Sub * Documentation and examples updates * Add VersionDescription property to Serverless::Function * Update ServerlessRepoReadWriteAccessPolicy * Add additional template validation Upgrade to 1.10.0: * Add GSIs to DynamoDBReadPolicy and DynamoDBCrudPolicy * Add DynamoDBReconfigurePolicy * Add CostExplorerReadOnlyPolicy and OrganizationsListAccountsPolicy * Add EKSDescribePolicy * Add SESBulkTemplatedCrudPolicy * Add FilterLogEventsPolicy * Add SSMParameterReadPolicy * Add SESEmailTemplateCrudPolicy * Add s3:PutObjectAcl to S3CrudPolicy * Add allow_credentials CORS option * Add support for AccessLogSetting and CanarySetting Serverless::Api properties * Add support for X-Ray in Serverless::Api * Add support for MinimumCompressionSize in Serverless::Api * Add Auth to Serverless::Api globals * Remove trailing slashes from APIGW permissions * Add SNS FilterPolicy and an example application * Add Enabled property to Serverless::Function event sources * Add support for PermissionsBoundary in Serverless::Function * Fix boto3 client initialization * Add PublicAccessBlockConfiguration property to S3 bucket resource * Make PAY_PER_REQUEST default mode for Serverless::SimpleTable * Add limited support for resolving intrinsics in Serverless::LayerVersion * SAM now uses Flake8 * Add example application for S3 Events written in Go * Updated several example applications python-cfn-lint was added in version 0.21.4: - Add upstream patch to fix EOL dates for lambda runtimes - Add upstream patch to fix test_config_expand_paths test - Rename to python-cfn-lint. This package has a python API, which is required by python-moto. Update to version 0.21.4: + Features * Include more resource types in W3037 + CloudFormation Specifications * Add Resource Type `AWS::CDK::Metadata` + Fixes * Uncap requests dependency in setup.py * Check Join functions have lists in the correct sections * Pass a parameter value for AutoPublishAlias when doing a Transform * Show usage examples when displaying the help Update to version 0.21.3 + Fixes * Support dumping strings for datetime objects when doing a Transform Update to version 0.21.2 + CloudFormation Specifications * Update CloudFormation specs to 3.3.0 * Update instance types from pricing API as of 2019.05.23 Update to version 0.21.1 + Features * Add `Info` logging capability and set the default logging to `NotSet` + Fixes * Only do rule logging (start/stop/time) when the rule is going to be called * Update rule E1019 to allow `Fn::Transform` inside a `Fn::Sub` * Update rule W2001 to not break when `Fn::Transform` inside a `Fn::Sub` * Update rule E2503 to allow conditions to be used and to not default to `network` load balancer when an object is used for the Load Balancer type Update to version 0.21.0 + Features * New rule E3038 to check if a Serverless resource includes the appropriate Transform * New rule E2531 to validate a Lambda's runtime against the deprecated dates * New rule W2531 to validate a Lambda's runtime against the EOL dates * Update rule E2541 to include updates to Code Pipeline capabilities * Update rule E2503 to include checking of values for load balancer attributes + CloudFormation Specifications * Update CloudFormation specs to 3.2.0 * Update instance types from pricing API as of 2019.05.20 + Fixes * Include setuptools in setup.py requires Update to version 0.20.3 + CloudFormation Specifications * Update instance types from pricing API as of 2019.05.16 + Fixes * Update E7001 to allow float/doubles for mapping values * Update W1020 to check pre-transformed Fn::Sub(s) to determine if a Sub is needed * Pin requests to be below or equal to 2.21.0 to prevent issues with botocore Update to version 0.20.2 + Features * Add support for List Parameter types + CloudFormation Specifications * Add allowed values for AWS::EC2 EIP, FlowLog, CustomerGateway, DHCPOptions, EC2Fleet * Create new property type for Security Group IDs or Names * Add new Lambda runtime environment for NodeJs 10.x * Move AWS::ServiceDiscovery::Service Health checks from Only One to Exclusive * Update Glue Crawler Role to take an ARN or a name * Remove PrimitiveType from MaintenanceWindowTarget Targets * Add Min/Max values for Load Balancer Ports to be between 1-65535 + Fixes * Include License file in the pypi package to help with downstream projects * Filter out dynamic references from rule E3031 and E3030 * Convert Python linting and Code Coverage from Python 3.6 to 3.7 Update to version 0.20.1 + Fixes * Update rule E8003 to support more functions inside a Fn::Equals Update to version 0.20.0 + Features * Allow a rule's exception to be defined in a resource's metadata * Add rule configuration capabilities * Update rule E3012 to allow for non strict property checking * Add rule E8003 to test Fn::Equals structure and syntax * Add rule E8004 to test Fn::And structure and syntax * Add rule E8005 to test Fn::Not structure and syntax * Add rule E8006 to test Fn::Or structure and syntax * Include Path to error in the JSON output * Update documentation to describe how to install cfn-lint from brew + CloudFormation Specifications * Update CloudFormation specs to version 3.0.0 * Add new region ap-east-1 * Add list min/max and string min/max for CloudWatch Alarm Actions * Add allowed values for EC2::LaunchTemplate * Add allowed values for EC2::Host * Update allowed values for Amazon MQ to include 5.15.9 * Add AWS::Greengrass::ResourceDefinition to GreenGrass supported regions * Add AWS::EC2::VPCEndpointService to all regions * Update AWS::ECS::TaskDefinition ExecutionRoleArn to be a IAM Role ARN * Patch spec files for SSM MaintenanceWindow to look for Target and not Targets * Update ManagedPolicyArns list size to be 20 which is the hard limit. 10 is the soft limit. + Fixes * Fix rule E3033 to check the string size when the string is inside a list * Fix an issue in which AWS::NotificationARNs was not a list * Add AWS::EC2::Volume to rule W3010 * Fix an issue with W2001 where SAM translate would remove the Ref to a parameter causing this error to falsely trigger * Fix rule W3010 to not error when the availability zone is 'all' Update to version 0.19.1 + Fixes * Fix core Condition processing to support direct Condition in another Condition * Fix the W2030 to check numbers against string allowed values Update to version 0.19.0 + Features * Add NS and PTR Route53 record checking to rule E3020 * New rule E3050 to check if a Ref to IAM Role has a Role path of '/' * New rule E3037 to look for duplicates in a list that doesn't support duplicates * New rule I3037 to look for duplicates in a list when duplicates are allowed + CloudFormation Specifications * Add Min/Max values to AWS::ElasticLoadBalancingV2::TargetGroup HealthCheckTimeoutSeconds * Add Max JSON size to AWS::IAM::ManagedPolicy PolicyDocument * Add allowed values for AWS::EC2 SpotFleet, TransitGateway, NetworkAcl NetworkInterface, PlacementGroup, and Volume * Add Min/max values to AWS::Budgets::Budget.Notification Threshold * Update RDS Instance types by database engine and license definitions using the pricing API * Update AWS::CodeBuild::Project ServiceRole to support Role Name or ARN * Update AWS::ECS::Service Role to support Role Name or ARN + Fixes * Update E3025 to support the new structure of data in the RDS instance type json * Update E2540 to remove all nested conditions from the object * Update E3030 to not do strict type checking * Update E3020 to support conditions nested in the record sets * Update E3008 to better handle CloudFormation sub stacks with different GetAtt formats Update to version 0.18.1 + CloudFormation Specifications * Update CloudFormation Specs to 2.30.0 * Fix IAM Regex Path to support more character types * Update AWS::Batch::ComputeEnvironment.ComputeResources InstanceRole to reference an InstanceProfile or GetAtt the InstanceProfile Arn * Allow VPC IDs to Ref a Parameter of type String + Fixes * Fix E3502 to check the size of the property instead of the parent object Update to version 0.18.0 + Features * New rule E3032 to check the size of lists * New rule E3502 to check JSON Object Size using definitions in the spec file * New rule E3033 to test the minimum and maximum length of a string * New rule E3034 to validate the min and max of a number * Remove Ebs Iops check from E2504 and use rule E3034 instead * Remove rule E2509 and use rule E3033 instead * Remove rule E2508 as it replaced by E3032 and E3502 * Update rule E2503 to check that there are at least two 2 Subnets or SubnetMappings for ALBs * SAM requirement upped to minimal version of 1.10.0 + CloudFormation Specifications * Extend specs to include: > `ListMin` and `ListMax` for the minimum and maximum size of a list > `JsonMax` to check the max size of a JSON Object > `StringMin` and `StringMax` to check the minimum and maximum length of a String > `NumberMin` and `NumberMax` to check the minimum and maximum value of a Number, Float, Long * Update State and ExecutionRoleArn to be required on AWS::DLM::LifecyclePolicy * Add AllowedValues for PerformanceInsightsRetentionPeriod for AWS::RDS::Instance * Add AllowedValues for the AWS::GuardDuty Resources * Add AllowedValues for AWS::EC2 VPC and VPN Resources * Switch IAM Instance Profiles for certain resources to the type that only takes the name * Add regex pattern for IAM Instance Profile when a name (not Arn) is used * Add regex pattern for IAM Paths * Add Regex pattern for IAM Role Arn * Update OnlyOne spec to require require at least one of Subnets or SubnetMappings with ELB v2 + Fixes * Fix serverless transform to use DefinitionBody when Auth is in the API definition * Fix rule W2030 to not error when checking SSM or List Parameters Update to version 0.17.1 + Features * Update rule E2503 to make sure NLBs don't have a Security Group configured + CloudFormation Specifications * Add all the allowed values of the `AWS::Glue` Resources * Update OnlyOne check for `AWS::CloudWatch::Alarm` to only `MetricName` or `Metrics` * Update Exclusive check for `AWS::CloudWatch::Alarm` for properties mixed with `Metrics` and `Statistic` * Update CloudFormation specs to 2.29.0 * Fix type with MariaDB in the AllowedValues * Update pricing information for data available on 2018.3.29 + Fixes * Fix rule E1029 to not look for a sub is needed when looking for iot strings in policies * Fix rule E2541 to allow for ActionId Versions of length 1-9 and meets regex `[0-9A-Za-z_-]+` * Fix rule E2532 to allow for `Parameters` inside a `Pass` action * Fix an issue when getting the location of an error in which numbers are causing an attribute error Update to version 0.17.0 + Features * Add new rule E3026 to validate Redis cluster settings including AutomaticFailoverEnabled and NumCacheClusters. Status: Released * Add new rule W3037 to validate IAM resource policies. Status: Experimental * Add new parameter `-e/--include-experimental` to allow for new rules in that aren't ready to be fully released + CloudFormation Specifications * Update Spec files to 2.28.0 * Add all the allowed values of the AWS::Redshift::* Resources * Add all the allowed values of the AWS::Neptune::* Resources * Patch spec to make AWS::CloudFront::Distribution.LambdaFunctionAssociation.LambdaFunctionARN required * Patch spec to make AWS::DynamoDB::Table AttributeDefinitions required + Fixes * Remove extra blank lines when there is no errors in the output * Add exception to rule E1029 to have exceptions for EMR CloudWatchAlarmDefinition * Update rule E1029 to allow for literals in a Sub * Remove sub checks from rule E3031 as it won't match in all cases of an allowed pattern regex check * Correct typos for errors in rule W1001 * Switch from parsing a template as Yaml to Json when finding an escape character * Fix an issue with SAM related to transforming templates with Serverless Application and Lambda Layers * Fix an issue with rule E2541 when non strings were used for Stage Names Update to version 0.16.0 + Features * Add rule E3031 to look for regex patterns based on the patched spec file * Remove regex checks from rule E2509 * Add parameter `ignore-templates` to allow the ignoring of templates when doing bulk linting + CloudFormation Specifications * Update Spec files to 2.26.0 * Add all the allowed values of the AWS::DirectoryService::* Resources * Add all the allowed values of the AWS::DynamoDB::* Resources * Added AWS::Route53Resolver resources to the Spec Patches of ap-southeast-2 * Patch the spec file with regex patterns * Add all the allowed values of the AWS::DocDb::* Resources + Fixes * Update rule E2504 to have '20000' as the max value * Update rule E1016 to not allow ImportValue inside of Conditions * Update rule E2508 to check conditions when providing limit checks on managed policies * Convert unicode to strings when in Py 3.4/3.5 and updating specs * Convert from `awslabs` to `aws-cloudformation` organization * Remove suppression of logging that was removed from samtranslator >1.7.0 and incompatibility with samtranslator 1.10.0 Update to version 0.15.0 + Features * Add scaffolding for arbitrary Match attributes, adding attributes for Type checks * Add rule E3024 to validate that ProvisionedThroughput is not specified with BillingMode PAY_PER_REQUEST + CloudFormation Specifications * Update Spec files to 2.24.0 * Update OnlyOne spec to have BlockDeviceMapping to include NoDevice with Ebs and VirtualName * Add all the allowed values of the AWS::CloudFront::* Resources * Add all the allowed values of the AWS::DAX::* Resources + Fixes * Update config parsing to use the builtin Yaml decoder * Add condition support for Inclusive E2521, Exclusive E2520, and AtLeastOne E2522 rules * Update rule E1029 to better check Resource strings inside IAM Policies * Improve the line/column information of a Match with array support Update to version 0.14.1 + CloudFormation Specifications * Update CloudFormation Specs to version 2.23.0 * Add allowed values for AWS::Config::* resources * Add allowed values for AWS::ServiceDiscovery::* resources * Fix allowed values for Apache MQ + Fixes * Update rule E3008 to not error when using a list from a custom resource * Support simple types in the CloudFormation spec * Add tests for the formatters Update to version 0.14.0 + Features * Add rule E3035 to check the values of DeletionPolicy * Add rule E3036 to check the values of UpdateReplacePolicy * Add rule E2014 to check that there are no REFs in the Parameter section * Update rule E2503 to support TLS on NLBs + CloudFormation Specifications * Update CloudFormation spec to version 2.22.0 * Add allowed values for AWS::Cognito::* resources + Fixes * Update rule E3002 to allow GetAtts to Custom Resources under a Condition Update to version 0.13.2 + Features * Introducing the cfn-lint logo! * Update SAM dependency version + Fixes * Fix CloudWatchAlarmComparisonOperator allowed values. * Fix typo resoruce_type_spec in several files * Better support for nested And, Or, and Not when processing Conditions Update to version 0.13.1 + CloudFormation Specifications * Add allowed values for AWS::CloudTrail::Trail resources * Patch spec to have AWS::CodePipeline::CustomActionType Version included + Fixes * Fix conditions logic to use AllowedValues when REFing a Parameter that has AllowedValues specified Update to version 0.13.0 + Features * New rule W1011 to check if a FindInMap is using the correct map name and keys * New rule W1001 to check if a Ref/GetAtt to a resource that exists when Conditions are used * Removed logic in E1011 and moved it to W1011 for validating keys * Add property relationships for AWS::ApplicationAutoScaling::ScalingPolicy into Inclusive, Exclusive, and AtLeastOne * Update rule E2505 to check the netmask bit * Include the ability to update the CloudFormation Specs using the Pricing API + CloudFormation Specifications * Update to version 2.21.0 * Add allowed values for AWS::Budgets::Budget * Add allowed values for AWS::CertificateManager resources * Add allowed values for AWS::CodePipeline resources * Add allowed values for AWS::CodeCommit resources * Add allowed values for EC2 InstanceTypes from pricing API * Add allowed values for RedShift InstanceTypes from pricing API * Add allowed values for MQ InstanceTypes from pricing API * Add allowed values for RDS InstanceTypes from pricing API + Fixes * Fixed README indentation issue with .pre-commit-config.yaml * Fixed rule E2541 to allow for multiple inputs/outputs in a CodeBuild task * Fixed rule E3020 to allow for a period or no period at the end of a ACM registration record * Update rule E3001 to support UpdateReplacePolicy * Fix a cli issue where `--template` wouldn't be used when a .cfnlintrc was in the same folder * Update rule E3002 and E1024 to support packaging of AWS::Lambda::LayerVersion content - Initial build + Version 0.12.1 Update to 0.9.1 * the prof plugin now uses cProfile instead of hotshot for profiling * skipped tests now include the user's reason in junit XML's message field * the prettyassert plugin mishandled multi-line function definitions * Using a plugin's CLI flag when the plugin is already enabled via config no longer errors * nose2.plugins.prettyassert, enabled with --pretty-assert * Cleanup code for EOLed python versions * Dropped support for distutils. * Result reporter respects failure status set by other plugins * JUnit XML plugin now includes the skip reason in its output Upgrade to 0.8.0: - List of changes is too long to show here, see https://github.com/nose-devs/nose2/blob/master/docs/changelog.rst changes between 0.6.5 and 0.8.0 Update to 0.7.0: * Added parameterized_class feature, for parameterizing entire test classes (many thanks to @TobyLL for their suggestions and help testing!) * Fix DeprecationWarning on `inspect.getargs` (thanks @brettdh; https://github.com/wolever/parameterized/issues/67) * Make sure that `setUp` and `tearDown` methods work correctly (#40) * Raise a ValueError when input is empty (thanks @danielbradburn; https://github.com/wolever/parameterized/pull/48) * Fix the order when number of cases exceeds 10 (thanks @ntflc; https://github.com/wolever/parameterized/pull/49) aws-cli was updated to version 1.16.223: For detailed changes see the changes entries: https://github.com/aws/aws-cli/blob/1.16.223/CHANGELOG.rst https://github.com/aws/aws-cli/blob/1.16.189/CHANGELOG.rst https://github.com/aws/aws-cli/blob/1.16.182/CHANGELOG.rst https://github.com/aws/aws-cli/blob/1.16.176/CHANGELOG.rst https://github.com/aws/aws-cli/blob/1.16.103/CHANGELOG.rst https://github.com/aws/aws-cli/blob/1.16.94/CHANGELOG.rst https://github.com/aws/aws-cli/blob/1.16.84/CHANGELOG.rst python-boto3 was updated to 1.9.213, python-botocore was updated to 1.9.188, and python-s3transfer was updated to 1.12.74, fixing lots of bugs and adding features (bsc#1146853, bsc#1146854) ----------------------------------------- Patch: SUSE-2020-521 Released: Thu Feb 27 18:08:56 2020 Summary: Recommended update for c-ares Severity: moderate References: 1125306,1159006 Description: This update for c-ares fixes the following issues: c-ares version update to 1.15.0: * Add ares_init_options() configurability for path to resolv.conf file * Ability to exclude building of tools (adig, ahost, acountry) in CMake * Report ARES_ENOTFOUND for .onion domain names as per RFC7686 (bsc#1125306) * Apply the IPv6 server blacklist to all nameserver sources * Prevent changing name servers while queries are outstanding * ares_set_servers_csv() on failure should not leave channel in a bad state * getaddrinfo - avoid infinite loop in case of NXDOMAIN * ares_getenv - return NULL in all cases * implement ares_getaddrinfo - Fixed a regression in DNS results that contain both A and AAAA answers. - Add netcfg as the build requirement and runtime requirement. ----------------------------------------- Patch: SUSE-2020-525 Released: Fri Feb 28 11:49:36 2020 Summary: Recommended update for pam Severity: moderate References: 1164562 Description: This update for pam fixes the following issues: - Add libdb as build-time dependency to enable pam_userdb module. Enable pam_userdb.so (jsc#sle-7258, bsc#1164562) ----------------------------------------- Patch: SUSE-2020-556 Released: Mon Mar 2 13:32:14 2020 Summary: Recommended update for 389-ds Severity: moderate References: 1155951 Description: This update for 389-ds to version 1.4.2.2 fixes the following issues: 389-ds was updated to 1.4.2.6 (fate#326677, bsc#1155951), bringing many bug and stability fixes. Issue addressed: - Enabled python lib389 installer tooling to match upstream and suse documentation. More information for this release at: https://directory.fedoraproject.org/docs/389ds/releases/release-1-4-2-1.html ----------------------------------------- Patch: SUSE-2020-562 Released: Mon Mar 2 17:37:15 2020 Summary: Recommended update for mariadb-connector-c Severity: moderate References: 1162388 Description: This update for mariadb-connector-c fixes the following issues: New upstream version 3.1.7 (bsc#1162388) - TLS/SSL: when the client doesn't provide a CA file and the option ssl_verify_server_cert was set, the peer certificate will be validated against the system CA. - ERROR 2026 (HY000): SSL connection error due to Certificate signature check failed - Provide error code and message for SChannel errors - SEC_E_INVALID_TOKEN when server sends large message during SSL handshake ----------------------------------------- Patch: SUSE-2020-567 Released: Tue Mar 3 10:46:37 2020 Summary: Recommended update for sendmail Severity: moderate References: 1164084 Description: This update for sendmail fixes the following issues: - If sendmail tried to reuse an SMTP session which had already been closed by the server, then the connection cache could have invalid information about the session, possibly STARTTLS was not used even if it was offered. (bsc#1164084) ----------------------------------------- Patch: SUSE-2020-575 Released: Tue Mar 3 14:51:50 2020 Summary: Recommended update for hfst-ospell Severity: moderate References: 1164440 Description: This update for hfst-ospell fixes the following issue: - Fix the build with new ICU 65 (bsc#1164440) The fix is required for building the package on SLE-15-SP2 after upgrading to the new International Components for Unicode (ICU) 65 ----------------------------------------- Patch: SUSE-2020-591 Released: Thu Mar 5 12:33:06 2020 Summary: Recommended update for libfreehand Severity: moderate References: 1164434 Description: This update for libfreehand fixes the following issue: - Solve build errors with International Components for Unicode (ICU) 65.1: (bsc#1164434) ----------------------------------------- Patch: SUSE-2020-593 Released: Thu Mar 5 13:25:06 2020 Summary: Recommended update for umoci Severity: moderate References: 1165161 Description: This update for umoci fixes the following issues: Update to umoci v0.4.4: * Added full-stack verification of blob hashes and descriptors for all operations (improving our hardening against bad images). * For details, see CHANGELOG.md in the package. Update to umoci v0.4.3: * Added --no-history to all commands with --history.* flags. Should only be used for umoci-config(1). * Added `umoci insert --tag` to allow non-destructive modifications. * For details, see packaged /usr/share/doc/packages/umoci/CHANGELOG.md. Update to umoci v0.4.2: * umoci now has an exposed Go API * Added `umoci unpack --keep-dirlinks` * `umoci insert` now supports whiteouts two ways. * For details, see CHANGELOG.md in the package. Update to umoci v0.4.1. * Support more tags (the valid set of characters in tags has expanded). * Add 'umoci insert' and 'umoci raw unpack'. * 'umoci unpack' correctly handles out-of-order whiteouts now. * 'umoci unpack' and 'umoci repack' make sure of a more optimised gzip implementation now -- in some benchmarks 'umoci repack' can have a speedup of up to 3x. * For details, see CHANGELOG.md in the package. Update to umoci v0.4.0: + `umoci repack` now supports `--refresh-bundle` which will update the OCI bundle's metadata (mtree and umoci-specific manifests) after packing the image tag. This means that the bundle can be used as a base layer for future diffs without needing to unpack the image again. openSUSE/umoci#196 + Added a website, and reworked the documentation to be better structured. You can visit the website at [`umo.ci`][umo.ci]. openSUSE/umoci#188 + Added support for the `user.rootlesscontainers` specification, which allows for persistent on-disk emulation of `chown(2)` inside rootless containers. This implementation is interoperable with [@AkihiroSuda's `PRoot` fork][as-proot-fork] (though we do not test its interoperability at the moment) as both tools use [the same protobuf specification][rootlesscontainers-proto]. openSUSE/umoci#227 + `umoci unpack` now has support for opaque whiteouts (whiteouts which remove all children of a directory in the lower layer), though `umoci repack` does not currently have support for generating them. While this is technically a spec requirement, through testing we've never encountered an actual user of these whiteouts. openSUSE/umoci#224 openSUSE/umoci#229 + `umoci unpack` will now use some rootless tricks inside user namespaces for operations that are known to fail (such as `mknod(2)`) while other operations will be carried out as normal (such as `lchown(2)`). It should be noted that the `/proc/self/uid_map` checking we do can be tricked into not detecting user namespaces, but you would need to be trying to break it on purpose. openSUSE/umoci#171 openSUSE/umoci#230 * Fix a bug in our 'parent directory restore' code, which is responsible for ensuring that the mtime and other similar properties of a directory are not modified by extraction inside said directory. The bug would manifest as xattrs not being restored properly in certain edge-cases (which we incidentally hit in a test-case). openSUSE/umoci#161 openSUSE/umoci#162 * `umoci unpack` will now 'clean up' the bundle generated if an error occurs during unpacking. Previously this didn't happen, which made cleaning up the responsibility of the caller (which was quite difficult if you were unprivileged). This is a breaking change, but is in the error path so it's not critical. openSUSE/umoci#174 openSUSE/umoci#187 * `umoci gc` now will no longer remove unknown files and directories that aren't `flock(2)`ed, thus ensuring that any possible OCI image-spec extensions or other users of an image being operated on will no longer break. openSUSE/umoci#198 * `umoci unpack --rootless` will now correctly handle regular file unpacking when overwriting a file that `umoci` doesn't have write access to. In addition, the semantics of pre-existing hardlinks to a clobbered file are clarified (the hard-links will not refer to the new layer's inode). openSUSE/umoci#222 openSUSE/umoci#223 [as-proot-fork]: https://github.com/AkihiroSuda/runrootless [rootlesscontainers-proto]: https://rootlesscontaine.rs/proto/rootlesscontainers.proto [umo.ci]: https://umo.ci/ ----------------------------------------- Patch: SUSE-2020-624 Released: Tue Mar 10 10:39:09 2020 Summary: Recommended update for python-PyNaCl Severity: important References: 1161557 Description: This update for python-PyNaCl fixes the following issues: - Add python-dkimpy as the python-PyNaCl requires that. (SLE-7686, bsc#1161557) ----------------------------------------- Patch: SUSE-2020-627 Released: Tue Mar 10 12:27:48 2020 Summary: Recommended update for osc Severity: important References: 1136584,1137477,1154972,1155953,1156501 Description: This update for osc fixes the following issues: - Fix for 'vc' option '--file=foo bar.changes' now writes the content from foo into bar.changes instead of creating a new file. (bsc#1155953) - Fix local build outside of the working copy of a package. (bsc#1136584) - Enable not to enforce password reuse. (bsc#1156501) - New password handling backend supporting password stores like 'plaintext', 'obfuscated', 'python-keyring' (kwallet, secret store), 'gnome-keyring' or not storing at all. (bsc#1154972) - Fix for using non-UTF8 characters in labels. (bsc#1137477) ----------------------------------------- Patch: SUSE-2020-633 Released: Tue Mar 10 16:23:08 2020 Summary: Recommended update for aaa_base Severity: moderate References: 1139939,1151023 Description: This update for aaa_base fixes the following issues: - get_kernel_version: fix for current kernel on s390x (bsc#1151023, bsc#1139939) - added '-h'/'--help' to the command old - change feedback url from http://www.suse.de/feedback to https://github.com/openSUSE/aaa_base/issues ----------------------------------------- Patch: SUSE-2020-637 Released: Wed Mar 11 11:29:56 2020 Summary: Recommended update for cloud-netconfig Severity: moderate References: 1162705,1162707 Description: This update for cloud-netconfig fixes the following issues: - Copy routes from the default routing table. (bsc#1162705, bsc#1162707) On multi-NIC systems, cloud-netconfig creates separate routing tables with different default routes, so packets get routed via the network interfaces associated with the source IP address. Systems may have additional routing in place and in that case cloud-netconfig's NIC specific routing may bypass those routes. - Make the key CLOUD_NETCONFIG_MANAGE enable by default. Any network interface that has been configured automatically via cloud-netconfig has a configuration file associated. If the value is set to 'NO' (or the pair is removed altogether), cloud-netconfig will not handle secondary IPv4 addresses and routing policies for the associated network interface. ----------------------------------------- Patch: SUSE-2020-654 Released: Thu Mar 12 11:35:09 2020 Summary: Recommended update for wpa_supplicant Severity: moderate References: 1165266 Description: This update for wpa_supplicant fixes the following issues: - Adjust the wpa_supplicant service to start after network.target (bsc#1165266) ----------------------------------------- Patch: SUSE-2020-655 Released: Thu Mar 12 13:17:03 2020 Summary: Recommended update for growpart Severity: moderate References: 1164736 Description: This update for growpart fixes the following issues: - Operation system disk is not automatically resized beyond 2TB on Azure hosts. (bsc#1164736) ----------------------------------------- Patch: SUSE-2020-657 Released: Thu Mar 12 15:06:48 2020 Summary: Recommended update for cloud-regionsrv-client Severity: moderate References: 1158664 Description: This update for cloud-regionsrv-client contains the following fixes: - Update to version 9.0.8: + Properly handle IPv6 addresses in URLs - Update to version 9.0.7: + Fix crash with a stack trace if no current_smt is present. (bsc#1158664) ----------------------------------------- Patch: SUSE-2020-689 Released: Fri Mar 13 17:09:01 2020 Summary: Recommended update for pam Severity: moderate References: 1166510 Description: This update for PAM fixes the following issue: - The license of libdb linked against pam_userdb is not always wanted, so we temporary disabled pam_userdb again. It will be published in a different package at a later time. (bsc#1166510) ----------------------------------------- Patch: SUSE-2020-690 Released: Fri Mar 13 17:09:28 2020 Summary: Recommended update for suse-build-key Severity: moderate References: 1166334 Description: This update for suse-build-key fixes the following issues: - created a new security@suse.de communication key (bsc#1166334) ----------------------------------------- Patch: SUSE-2020-697 Released: Mon Mar 16 13:17:10 2020 Summary: Security update for cni, cni-plugins, conmon, fuse-overlayfs, podman Severity: moderate References: 1155217,1160460,1164390,CVE-2019-18466 Description: This update for cni, cni-plugins, conmon, fuse-overlayfs, podman fixes the following issues: podman was updated to 1.8.0: - CVE-2019-18466: Fixed a bug where podman cp would improperly copy files on the host when copying a symlink in the container that included a glob operator (#3829 bsc#1155217) - The name of the cni-bridge in the default config changed from 'cni0' to 'podman-cni0' with podman-1.6.0. Add a %trigger to rename the bridge in the system to the new default if it exists. The trigger is only excuted when updating podman-cni-config from something older than 1.6.0. This is mainly needed for SLE where we're updating from 1.4.4 to 1.8.0 (bsc#1160460). Update podman to v1.8.0 (bsc#1160460): * Features - The podman system service command has been added, providing a preview of Podman's new Docker-compatible API. This API is still very new, and not yet ready for production use, but is available for early testing - Rootless Podman now uses Rootlesskit for port forwarding, which should greatly improve performance and capabilities - The podman untag command has been added to remove tags from images without deleting them - The podman inspect command on images now displays previous names they used - The podman generate systemd command now supports a --new option to generate service files that create and run new containers instead of managing existing containers - Support for --log-opt tag= to set logging tags has been added to the journald log driver - Added support for using Seccomp profiles embedded in images for podman run and podman create via the new --seccomp-policy CLI flag - The podman play kube command now honors pull policy * Bugfixes - Fixed a bug where the podman cp command would not copy the contents of directories when paths ending in /. were given - Fixed a bug where the podman play kube command did not properly locate Seccomp profiles specified relative to localhost - Fixed a bug where the podman info command for remote Podman did not show registry information - Fixed a bug where the podman exec command did not support having input piped into it - Fixed a bug where the podman cp command with rootless Podman on CGroups v2 systems did not properly determine if the container could be paused while copying - Fixed a bug where the podman container prune --force command could possible remove running containers if they were started while the command was running - Fixed a bug where Podman, when run as root, would not properly configure slirp4netns networking when requested - Fixed a bug where podman run --userns=keep-id did not work when the user had a UID over 65535 - Fixed a bug where rootless podman run and podman create with the --userns=keep-id option could change permissions on /run/user/$UID and break KDE - Fixed a bug where rootless Podman could not be run in a systemd service on systems using CGroups v2 - Fixed a bug where podman inspect would show CPUShares as 0, instead of the default (1024), when it was not explicitly set - Fixed a bug where podman-remote push would segfault - Fixed a bug where image healthchecks were not shown in the output of podman inspect - Fixed a bug where named volumes created with containers from pre-1.6.3 releases of Podman would be autoremoved with their containers if the --rm flag was given, even if they were given names - Fixed a bug where podman history was not computing image sizes correctly - Fixed a bug where Podman would not error on invalid values to the --sort flag to podman images - Fixed a bug where providing a name for the image made by podman commit was mandatory, not optional as it should be - Fixed a bug where the remote Podman client would append an extra ' to %PATH - Fixed a bug where the podman build command would sometimes ignore the -f option and build the wrong Containerfile - Fixed a bug where the podman ps --filter command would only filter running containers, instead of all containers, if --all was not passed - Fixed a bug where the podman load command on compressed images would leave an extra copy on disk - Fixed a bug where the podman restart command would not properly clean up the network, causing it to function differently from podman stop; podman start - Fixed a bug where setting the --memory-swap flag to podman create and podman run to -1 (to indicate unlimited) was not supported * Misc - Initial work on version 2 of the Podman remote API has been merged, but is still in an alpha state and not ready for use. Read more here - Many formatting corrections have been made to the manpages - The changes to address (#5009) may cause anonymous volumes created by Podman versions 1.6.3 to 1.7.0 to not be removed when their container is removed - Updated vendored Buildah to v1.13.1 - Updated vendored containers/storage to v1.15.8 - Updated vendored containers/image to v5.2.0 - Add apparmor-abstractions as required runtime dependency to have `tunables/global` available. - fixed the --force flag for the 'container prune' command. (https://github.com/containers/libpod/issues/4844) Update podman to v1.7.0 * Features - Added support for setting a static MAC address for containers - Added support for creating macvlan networks with podman network create, allowing Podman containers to be attached directly to networks the host is connected to - The podman image prune and podman container prune commands now support the --filter flag to filter what will be pruned, and now prompts for confirmation when run without --force (#4410 and #4411) - Podman now creates CGroup namespaces by default on systems using CGroups v2 (#4363) - Added the podman system reset command to remove all Podman files and perform a factory reset of the Podman installation - Added the --history flag to podman images to display previous names used by images (#4566) - Added the --ignore flag to podman rm and podman stop to not error when requested containers no longer exist - Added the --cidfile flag to podman rm and podman stop to read the IDs of containers to be removed or stopped from a file - The podman play kube command now honors Seccomp annotations (#3111) - The podman play kube command now honors RunAsUser, RunAsGroup, and selinuxOptions - The output format of the podman version command has been changed to better match docker version when using the --format flag - Rootless Podman will no longer initialize containers/storage twice, removing a potential deadlock preventing Podman commands from running while an image was being pulled (#4591) - Added tmpcopyup and notmpcopyup options to the --tmpfs and --mount type=tmpfs flags to podman create and podman run to control whether the content of directories are copied into tmpfs filesystems mounted over them - Added support for disabling detaching from containers by setting empty detach keys via --detach-keys='' - The podman build command now supports the --pull and --pull-never flags to control when images are pulled during a build - The podman ps -p command now shows the name of the pod as well as its ID (#4703) - The podman inspect command on containers will now display the command used to create the container - The podman info command now displays information on registry mirrors (#4553) * Bugfixes - Fixed a bug where Podman would use an incorrect runtime directory as root, causing state to be deleted after root logged out and making Podman in systemd services not function properly - Fixed a bug where the --change flag to podman import and podman commit was not being parsed properly in many cases - Fixed a bug where detach keys specified in libpod.conf were not used by the podman attach and podman exec commands, which always used the global default ctrl-p,ctrl-q key combination (#4556) - Fixed a bug where rootless Podman was not able to run podman pod stats even on CGroups v2 enabled systems (#4634) - Fixed a bug where rootless Podman would fail on kernels without the renameat2 syscall (#4570) - Fixed a bug where containers with chained network namespace dependencies (IE, container A using --net container=B and container B using --net container=C) would not properly mount /etc/hosts and /etc/resolv.conf into the container (#4626) - Fixed a bug where podman run with the --rm flag and without -d could, when run in the background, throw a 'container does not exist' error when attempting to remove the container after it exited - Fixed a bug where named volume locks were not properly reacquired after a reboot, potentially leading to deadlocks when trying to start containers using the volume (#4605 and #4621) - Fixed a bug where Podman could not completely remove containers if sent SIGKILL during removal, leaving the container name unusable without the podman rm --storage command to complete removal (#3906) - Fixed a bug where checkpointing containers started with --rm was allowed when --export was not specified (the container, and checkpoint, would be removed after checkpointing was complete by --rm) (#3774) - Fixed a bug where the podman pod prune command would fail if containers were present in the pods and the --force flag was not passed (#4346) - Fixed a bug where containers could not set a static IP or static MAC address if they joined a non-default CNI network (#4500) - Fixed a bug where podman system renumber would always throw an error if a container was mounted when it was run - Fixed a bug where podman container restore would fail with containers using a user namespace - Fixed a bug where rootless Podman would attempt to use the journald events backend even on systems without systemd installed - Fixed a bug where podman history would sometimes not properly identify the IDs of layers in an image (#3359) - Fixed a bug where containers could not be restarted when Conmon v2.0.3 or later was used - Fixed a bug where Podman did not check image OS and Architecture against the host when starting a container - Fixed a bug where containers in pods did not function properly with the Kata OCI runtime (#4353) - Fixed a bug where `podman info --format '{{ json . }}' would not produce JSON output (#4391) - Fixed a bug where Podman would not verify if files passed to --authfile existed (#4328) - Fixed a bug where podman images --digest would not always print digests when they were available - Fixed a bug where rootless podman run could hang due to a race with reading and writing events - Fixed a bug where rootless Podman would print warning-level logs despite not be instructed to do so (#4456) - Fixed a bug where podman pull would attempt to fetch from remote registries when pulling an unqualified image using the docker-daemon transport (#4434) - Fixed a bug where podman cp would not work if STDIN was a pipe - Fixed a bug where podman exec could stop accepting input if anything was typed between the command being run and the exec session starting (#4397) - Fixed a bug where podman logs --tail 0 would print all lines of a container's logs, instead of no lines (#4396) - Fixed a bug where the timeout for slirp4netns was incorrectly set, resulting in an extremely long timeout (#4344) - Fixed a bug where the podman stats command would print CPU utilizations figures incorrectly (#4409) - Fixed a bug where the podman inspect --size command would not print the size of the container's read/write layer if the size was 0 (#4744) - Fixed a bug where the podman kill command was not properly validating signals before use (#4746) - Fixed a bug where the --quiet and --format flags to podman ps could not be used at the same time - Fixed a bug where the podman stop command was not stopping exec sessions when a container was created without a PID namespace (--pid=host) - Fixed a bug where the podman pod rm --force command was not removing anonymous volumes for containers that were removed - Fixed a bug where the podman checkpoint command would not export all changes to the root filesystem of the container if performed more than once on the same container (#4606) - Fixed a bug where containers started with --rm would not be automatically removed on being stopped if an exec session was running inside the container (#4666) * Misc - The fixes to runtime directory path as root can cause strange behavior if an upgrade is performed while containers are running - Updated vendored Buildah to v1.12.0 - Updated vendored containers/storage library to v1.15.4 - Updated vendored containers/image library to v5.1.0 - Kata Containers runtimes (kata-runtime, kata-qemu, and kata-fc) are now present in the default libpod.conf, but will not be available unless Kata containers is installed on the system - Podman previously did not allow the creation of containers with a memory limit lower than 4MB. This restriction has been removed, as the crun runtime can create containers with significantly less memory Update podman to v1.6.4 - Remove winsz FIFO on container restart to allow use with Conmon 2.03 and higher - Ensure volumes reacquire locks on system restart, preventing deadlocks when starting containers - Suppress spurious log messages when running rootless Podman - Update vendored containers/storage to v1.13.6 - Fix a deadlock related to writing events - Do not use the journald event logger when it is not available Update podman to v1.6.2 * Features - Added a --runtime flag to podman system migrate to allow the OCI runtime for all containers to be reset, to ease transition to the crun runtime on CGroups V2 systems until runc gains full support - The podman rm command can now remove containers in broken states which previously could not be removed - The podman info command, when run without root, now shows information on UID and GID mappings in the rootless user namespace - Added podman build --squash-all flag, which squashes all layers (including those of the base image) into one layer - The --systemd flag to podman run and podman create now accepts a string argument and allows a new value, always, which forces systemd support without checking if the the container entrypoint is systemd * Bugfixes - Fixed a bug where the podman top command did not work on systems using CGroups V2 (#4192) - Fixed a bug where rootless Podman could double-close a file, leading to a panic - Fixed a bug where rootless Podman could fail to retrieve some containers while refreshing the state - Fixed a bug where podman start --attach --sig-proxy=false would still proxy signals into the container - Fixed a bug where Podman would unconditionally use a non-default path for authentication credentials (auth.json), breaking podman login integration with skopeo and other tools using the containers/image library - Fixed a bug where podman ps --format=json and podman images --format=json would display null when no results were returned, instead of valid JSON - Fixed a bug where podman build --squash was incorrectly squashing all layers into one, instead of only new layers - Fixed a bug where rootless Podman would allow volumes with options to be mounted (mounting volumes requires root), creating an inconsistent state where volumes reported as mounted but were not (#4248) - Fixed a bug where volumes which failed to unmount could not be removed (#4247) - Fixed a bug where Podman incorrectly handled some errors relating to unmounted or missing containers in containers/storage - Fixed a bug where podman stats was broken on systems running CGroups V2 when run rootless (#4268) - Fixed a bug where the podman start command would print the short container ID, instead of the full ID - Fixed a bug where containers created with an OCI runtime that is no longer available (uninstalled or removed from the config file) would not appear in podman ps and could not be removed via podman rm - Fixed a bug where containers restored via podman container restore --import would retain the CGroup path of the original container, even if their container ID changed; thus, multiple containers created from the same checkpoint would all share the same CGroup * Misc - The default PID limit for containers is now set to 4096. It can be adjusted back to the old default (unlimited) by passing --pids-limit 0 to podman create and podman run - The podman start --attach command now automatically attaches STDIN if the container was created with -i - The podman network create command now validates network names using the same regular expression as container and pod names - The --systemd flag to podman run and podman create will now only enable systemd mode when the binary being run inside the container is /sbin/init, /usr/sbin/init, or ends in systemd (previously detected any path ending in init or systemd) - Updated vendored Buildah to 1.11.3 - Updated vendored containers/storage to 1.13.5 - Updated vendored containers/image to 4.0.1 Update podman to v1.6.1 * Features - The podman network create, podman network rm, podman network inspect, and podman network ls commands have been added to manage CNI networks used by Podman - The podman volume create command can now create and mount volumes with options, allowing volumes backed by NFS, tmpfs, and many other filesystems - Podman can now run containers without CGroups for better integration with systemd by using the --cgroups=disabled flag with podman create and podman run. This is presently only supported with the crun OCI runtime - The podman volume rm and podman volume inspect commands can now refer to volumes by an unambiguous partial name, in addition to full name (e.g. podman volume rm myvol to remove a volume named myvolume) (#3891) - The podman run and podman create commands now support the --pull flag to allow forced re-pulling of images (#3734) - Mounting volumes into a container using --volume, --mount, and --tmpfs now allows the suid, dev, and exec mount options (the inverse of nosuid, nodev, noexec) (#3819) - Mounting volumes into a container using --mount now allows the relabel=Z and relabel=z options to relabel mounts. - The podman push command now supports the --digestfile option to save a file containing the pushed digest - Pods can now have their hostname set via podman pod create --hostname or providing Pod YAML with a hostname set to podman play kube (#3732) - The podman image sign command now supports the --cert-dir flag - The podman run and podman create commands now support the --security-opt label=filetype:$LABEL flag to set the SELinux label for container files - The remote Podman client now supports healthchecks * Bugfixes - Fixed a bug where remote podman pull would panic if a Varlink connection was not available (#4013) - Fixed a bug where podman exec would not properly set terminal size when creating a new exec session (#3903) - Fixed a bug where podman exec would not clean up socket symlinks on the host (#3962) - Fixed a bug where Podman could not run systemd in containers that created a CGroup namespace - Fixed a bug where podman prune -a would attempt to prune images used by Buildah and CRI-O, causing errors (#3983) - Fixed a bug where improper permissions on the ~/.config directory could cause rootless Podman to use an incorrect directory for storing some files - Fixed a bug where the bash completions for podman import threw errors - Fixed a bug where Podman volumes created with podman volume create would not copy the contents of their mountpoint the first time they were mounted into a container (#3945) - Fixed a bug where rootless Podman could not run podman exec when the container was not run inside a CGroup owned by the user (#3937) - Fixed a bug where podman play kube would panic when given Pod YAML without a securityContext (#3956) - Fixed a bug where Podman would place files incorrectly when storage.conf configuration items were set to the empty string (#3952) - Fixed a bug where podman build did not correctly inherit Podman's CGroup configuration, causing crashed on CGroups V2 systems (#3938) - Fixed a bug where remote podman run --rm would exit before the container was completely removed, allowing race conditions when removing container resources (#3870) - Fixed a bug where rootless Podman would not properly handle changes to /etc/subuid and /etc/subgid after a container was launched - Fixed a bug where rootless Podman could not include some devices in a container using the --device flag (#3905) - Fixed a bug where the commit Varlink API would segfault if provided incorrect arguments (#3897) - Fixed a bug where temporary files were not properly cleaned up after a build using remote Podman (#3869) - Fixed a bug where podman remote cp crashed instead of reporting it was not yet supported (#3861) - Fixed a bug where podman exec would run as the wrong user when execing into a container was started from an image with Dockerfile USER (or a user specified via podman run --user) (#3838) - Fixed a bug where images pulled using the oci: transport would be improperly named - Fixed a bug where podman varlink would hang when managed by systemd due to SD_NOTIFY support conflicting with Varlink (#3572) - Fixed a bug where mounts to the same destination would sometimes not trigger a conflict, causing a race as to which was actually mounted - Fixed a bug where podman exec --preserve-fds caused Podman to hang (#4020) - Fixed a bug where removing an unmounted container that was unmounted might sometimes not properly clean up the container (#4033) - Fixed a bug where the Varlink server would freeze when run in a systemd unit file (#4005) - Fixed a bug where Podman would not properly set the $HOME environment variable when the OCI runtime did not set it - Fixed a bug where rootless Podman would incorrectly print warning messages when an OCI runtime was not found (#4012) - Fixed a bug where named volumes would conflict with, instead of overriding, tmpfs filesystems added by the --read-only-tmpfs flag to podman create and podman run - Fixed a bug where podman cp would incorrectly make the target directory when copying to a symlink which pointed to a nonexistent directory (#3894) - Fixed a bug where remote Podman would incorrectly read STDIN when the -i flag was not set (#4095) - Fixed a bug where podman play kube would create an empty pod when given an unsupported YAML type (#4093) - Fixed a bug where podman import --change improperly parsed CMD (#4000) - Fixed a bug where rootless Podman on systems using CGroups V2 would not function with the cgroupfs CGroups manager - Fixed a bug where rootless Podman could not correctly identify the DBus session address, causing containers to fail to start (#4162) - Fixed a bug where rootless Podman with slirp4netns networking would fail to start containers due to mount leaks * Misc - Significant changes were made to Podman volumes in this release. If you have pre-existing volumes, it is strongly recommended to run podman system renumber after upgrading. - Version 0.8.1 or greater of the CNI Plugins is now required for Podman - Version 2.0.1 or greater of Conmon is strongly recommended - Updated vendored Buildah to v1.11.2 - Updated vendored containers/storage library to v1.13.4 - Improved error messages when trying to create a pod with no name via podman play kube - Improved error messages when trying to run podman pause or podman stats on a rootless container on a system without CGroups V2 enabled - TMPDIR has been set to /var/tmp by default to better handle large temporary files - podman wait has been optimized to detect stopped containers more rapidly - Podman containers now include a ContainerManager annotation indicating they were created by libpod - The podman info command now includes information about slirp4netns and fuse-overlayfs if they are available - Podman no longer sets a default size of 65kb for tmpfs filesystems - The default Podman CNI network has been renamed in an attempt to prevent conflicts with CRI-O when both are run on the same system. This should only take effect on system restart - The output of podman volume inspect has been more closely matched to docker volume inspect - Add katacontainers as a recommended package, and include it as an additional OCI runtime in the configuration. Update podman to v1.5.1 * Features - The hostname of pods is now set to the pod's name * Bugfixes - Fixed a bug where podman run and podman create did not honor the --authfile option (#3730) - Fixed a bug where containers restored with podman container restore --import would incorrectly duplicate the Conmon PID file of the original container - Fixed a bug where podman build ignored the default OCI runtime configured in libpod.conf - Fixed a bug where podman run --rm (or force-removing any running container with podman rm --force) were not retrieving the correct exit code (#3795) - Fixed a bug where Podman would exit with an error if any configured hooks directory was not present - Fixed a bug where podman inspect and podman commit would not use the correct CMD for containers run with podman play kube - Fixed a bug created pods when using rootless Podman and CGroups V2 (#3801) - Fixed a bug where the podman events command with the --since or --until options could take a very long time to complete * Misc - Rootless Podman will now inherit OCI runtime configuration from the root configuration (#3781) - Podman now properly sets a user agent while contacting registries (#3788) - Add zsh completion for podman commands Update podman to v1.5.0 * Features - Podman containers can now join the user namespaces of other containers with --userns=container:$ID, or a user namespace at an arbitary path with --userns=ns:$PATH - Rootless Podman can experimentally squash all UIDs and GIDs in an image to a single UID and GID (which does not require use of the newuidmap and newgidmap executables) by passing --storage-opt ignore_chown_errors - The podman generate kube command now produces YAML for any bind mounts the container has created (#2303) - The podman container restore command now features a new flag, --ignore-static-ip, that can be used with --import to import a single container with a static IP multiple times on the same host - Added the ability for podman events to output JSON by specifying --format=json - If the OCI runtime or conmon binary cannot be found at the paths specified in libpod.conf, Podman will now also search for them in the calling user's path - Added the ability to use podman import with URLs (#3609) - The podman ps command now supports filtering names using regular expressions (#3394) - Rootless Podman containers with --privileged set will now mount in all host devices that the user can access - The podman create and podman run commands now support the --env-host flag to forward all environment variables from the host into the container - Rootless Podman now supports healthchecks (#3523) - The format of the HostConfig portion of the output of podman inspect on containers has been improved and synced with Docker - Podman containers now support CGroup namespaces, and can create them by passing --cgroupns=private to podman run or podman create - The podman create and podman run commands now support the --ulimit=host flag, which uses any ulimits currently set on the host for the container - The podman rm and podman rmi commands now use different exit codes to indicate 'no such container' and 'container is running' errors - Support for CGroups V2 through the crun OCI runtime has been greatly improved, allowing resource limits to be set for rootless containers when the CGroups V2 hierarchy is in use * Bugfixes - Fixed a bug where a race condition could cause podman restart to fail to start containers with ports - Fixed a bug where containers restored from a checkpoint would not properly report the time they were started at - Fixed a bug where podman search would return at most 25 results, even when the maximum number of results was set higher - Fixed a bug where podman play kube would not honor capabilities set in imported YAML (#3689) - Fixed a bug where podman run --env, when passed a single key (to use the value from the host), would set the environment variable in the container even if it was not set on the host (#3648) - Fixed a bug where podman commit --changes would not properly set environment variables - Fixed a bug where Podman could segfault while working with images with no history - Fixed a bug where podman volume rm could remove arbitrary volumes if given an ambiguous name (#3635) - Fixed a bug where podman exec invocations leaked memory by not cleaning up files in tmpfs - Fixed a bug where the --dns and --net=container flags to podman run and podman create were not mutually exclusive (#3553) - Fixed a bug where rootless Podman would be unable to run containers when less than 5 UIDs were available - Fixed a bug where containers in pods could not be removed without removing the entire pod (#3556) - Fixed a bug where Podman would not properly clean up all CGroup controllers for created cgroups when using the cgroupfs CGroup driver - Fixed a bug where Podman containers did not properly clean up files in tmpfs, resulting in a memory leak as containers stopped - Fixed a bug where healthchecks from images would not use default settings for interval, retries, timeout, and start period when they were not provided by the image (#3525) - Fixed a bug where healthchecks using the HEALTHCHECK CMD format where not properly supported (#3507) - Fixed a bug where volume mounts using relative source paths would not be properly resolved (#3504) - Fixed a bug where podman run did not use authorization credentials when a custom path was specified (#3524) - Fixed a bug where containers checkpointed with podman container checkpoint did not properly set their finished time - Fixed a bug where running podman inspect on any container not created with podman run or podman create (for example, pod infra containers) would result in a segfault (#3500) - Fixed a bug where healthcheck flags for podman create and podman run were incorrectly named (#3455) - Fixed a bug where Podman commands would fail to find targets if a partial ID was specified that was ambiguous between a container and pod (#3487) - Fixed a bug where restored containers would not have the correct SELinux label - Fixed a bug where Varlink endpoints were not working properly if more was not correctly specified - Fixed a bug where the Varlink PullImage endpoint would crash if an error occurred (#3715) - Fixed a bug where the --mount flag to podman create and podman run did not allow boolean arguments for its ro and rw options (#2980) - Fixed a bug where pods did not properly share the UTS namespace, resulting in incorrect behavior from some utilities which rely on hostname (#3547) - Fixed a bug where Podman would unconditionally append ENTRYPOINT to CMD during podman commit (and when reporting CMD in podman inspect) (#3708) - Fixed a bug where podman events with the journald events backend would incorrectly print 6 previous events when only new events were requested (#3616) - Fixed a bug where podman port would exit prematurely when a port number was specified (#3747) - Fixed a bug where passing . as an argument to the --dns-search flag to podman create and podman run was not properly clearing DNS search domains in the container * Misc - Updated vendored Buildah to v1.10.1 - Updated vendored containers/image to v3.0.2 - Updated vendored containers/storage to v1.13.1 - Podman now requires conmon v2.0.0 or higher - The podman info command now displays the events logger being in use - The podman inspect command on containers now includes the ID of the pod a container has joined and the PID of the container's conmon process - The -v short flag for podman --version has been re-added - Error messages from podman pull should be significantly clearer - The podman exec command is now available in the remote client - The podman-v1.5.0.tar.gz file attached is podman packaged for MacOS. It can be installed using Homebrew. - Update libpod.conf to support latest path discovery feature for `runc` and `conmon` binaries. conmon was included in version 2.0.10. (bsc#1160460, bsc#1164390, jsc#ECO-1048, jsc#SLE-11485, jsc#SLE-11331): fuse-overlayfs was updated to v0.7.6 (bsc#1160460) - do not look in lower layers for the ino if there is no origin xattr set - attempt to use the file path if the operation on the fd fails with ENXIO - do not expose internal xattrs through listxattr and getxattr - fix fallocate for deleted files. - ignore O_DIRECT. It causes issues with libfuse not using an aligned buffer, causing write(2) to fail with EINVAL. - on copyup, do not copy the opaque xattr. - fix a wrong lookup for whiteout files, that could happen on a double unlink. - fix possible segmentation fault in direct_fsync() - use the data store to create missing whiteouts - after a rename, force a directory reload - introduce inodes cache - correctly read inode for unix sockets - avoid hash map lookup when possible - use st_dev for the ino key - check whether writeback is supported - set_attrs: don't require write to S_IFREG - ioctl: do not reuse fi->fh for directories - fix skip whiteout deletion optimization - store the new mode after chmod - support fuse writeback cache and enable it by default - add option to disable fsync - add option to disable xattrs - add option to skip ino number check in lower layers - fix fd validity check - fix memory leak - fix read after free - fix type for flistxattr return - fix warnings reported by lgtm.com - enable parallel dirops cni was updated to 0.7.1: - Set correct CNI version for 99-loopback.conf Update to version 0.7.1 (bsc#1160460): * Library changes: + invoke : ensure custom envs of CNIArgs are prepended to process envs + add GetNetworkListCachedResult to CNI interface + delegate : allow delegation funcs override CNI_COMMAND env automatically in heritance * Documentation & Convention changes: + Update cnitool documentation for spec v0.4.0 + Add cni-route-override to CNI plugin list Update to version 0.7.0: * Spec changes: + Use more RFC2119 style language in specification (must, should...) + add notes about ADD/DEL ordering + Make the container ID required and unique. + remove the version parameter from ADD and DEL commands. + Network interface name matters + be explicit about optional and required structure members + add CHECK method + Add a well-known error for 'try again' + SPEC.md: clarify meaning of 'routes' * Library changes: + pkg/types: Makes IPAM concrete type + libcni: return error if Type is empty + skel: VERSION shouldn't block on stdin + non-pointer instances of types.Route now correctly marshal to JSON + libcni: add ValidateNetwork and ValidateNetworkList functions + pkg/skel: return error if JSON config has no network name + skel: add support for plugin version string + libcni: make exec handling an interface for better downstream testing + libcni: api now takes a Context to allow operations to be timed out or cancelled + types/version: add helper to parse PrevResult + skel: only print about message, not errors + skel,invoke,libcni: implementation of CHECK method + cnitool: Honor interface name supplied via CNI_IFNAME environment variable. + cnitool: validate correct number of args + Don't copy gw from IP4.Gateway to Route.GW When converting from 0.2.0 + add PrintTo method to Result interface + Return a better error when the plugin returns none - Install sleep binary into CNI plugin directory cni-plugins was updated to 0.8.4: Update to version 0.8.4 (bsc#1160460): * add support for mips64le * Add missing cniVersion in README example * bump go-iptables module to v0.4.5 * iptables: add idempotent functions * portmap doesn't fail if chain doesn't exist * fix portmap port forward flakiness * Add Bruce Ma and Piotr Skarmuk as owners Update to version 0.8.3: * Enhancements: * static: prioritize the input sources for IPs (#400). * tuning: send gratuitous ARP in case of MAC address update (#403). * bandwidth: use uint64 for Bandwidth value (#389). * ptp: only override DNS conf if DNS settings provided (#388). * loopback: When prevResults are not supplied to loopback plugin, create results to return (#383). * loopback support CNI CHECK and result cache (#374). * Better input validation: * vlan: add MTU validation to loadNetConf (#405). * macvlan: add MTU validation to loadNetConf (#404). * bridge: check vlan id when loading net conf (#394). * Bugfixes: * bugfix: defer after err check, or it may panic (#391). * portmap: Fix dual-stack support (#379). * firewall: don't return error in DEL if prevResult is not found (#390). * bump up libcni back to v0.7.1 (#377). * Docs: * contributing doc: revise test script name to run (#396). * contributing doc: describe cnitool installation (#397). Update plugins to v0.8.2 + New features: * Support 'args' in static and tuning * Add Loopback DSR support, allow l2tunnel networks to be used with the l2bridge plugin * host-local: return error if same ADD request is seen twice * bandwidth: fix collisions * Support ips capability in static and mac capability in tuning * pkg/veth: Make host-side veth name configurable + Bug fixes: * Fix: failed to set bridge addr: could not add IP address to 'cni0': file exists * host-device: revert name setting to make retries idempotent (#357). * Vendor update go-iptables. Vendor update go-iptables to obtain commit f1d0510cabcb710d5c5dd284096f81444b9d8d10 * Update go.mod & go.sub * Remove link Down/Up in MAC address change to prevent route flush (#364). * pkg/ip unit test: be agnostic of Linux version, on Linux 4.4 the syscall error message is 'invalid argument' not 'file exists' * bump containernetworking/cni to v0.7.1 Updated plugins to v0.8.1: + Bugs: * bridge: fix ipMasq setup to use correct source address * fix compilation error on 386 * bandwidth: get bandwidth interface in host ns through container interface + Improvements: * host-device: add pciBusID property Updated plugins to v0.8.0: + New plugins: * bandwidth - limit incoming and outgoing bandwidth * firewall - add containers to firewall rules * sbr - convert container routes to source-based routes * static - assign a fixed IP address * win-bridge, win-overlay: Windows plugins + Plugin features / changelog: * CHECK Support * macvlan: - Allow to configure empty ipam for macvlan - Make master config optional * bridge: - Add vlan tag to the bridge cni plugin - Allow the user to assign VLAN tag - L2 bridge Implementation. * dhcp: - Include Subnet Mask option parameter in DHCPREQUEST - Add systemd unit file to activate socket with systemd - Add container ifName to the dhcp clientID, making the clientID value * flannel: - Pass through runtimeConfig to delegate * host-local: - host-local: add ifname to file tracking IP address used * host-device: - Support the IPAM in the host-device - Handle empty netns in DEL for loopback and host-device * tuning: - adds 'ip link' command related feature into tuning + Bug fixes & minor changes * Correctly DEL on ipam failure for all plugins * Fix bug on ip revert if cmdAdd fails on macvlan and host-device * host-device: Ensure device is down before rename * Fix -hostprefix option * some DHCP servers expect to request for explicit router options * bridge: release IP in case of error * change source of ipmasq rule from ipn to ip from version v0.7.5: + This release takes a minor change to the portmap plugin: * Portmap: append, rather than prepend, entry rules + This fixes a potential issue where firewall rules may be bypassed by port mapping ----------------------------------------- Patch: SUSE-2020-705 Released: Tue Mar 17 15:04:10 2020 Summary: Security update for apache2-mod_auth_openidc Severity: moderate References: 1164459,CVE-2019-20479 Description: This update for apache2-mod_auth_openidc fixes the following issues: - CVE-2019-20479: Fixed an open redirect issue in URLs with slash and backslash (bsc#1164459). ----------------------------------------- Patch: SUSE-2020-712 Released: Wed Mar 18 10:26:53 2020 Summary: Security update for skopeo Severity: moderate References: 1159530,1165715,CVE-2019-10214 Description: This update for skopeo fixes the following issues: Update to skopeo v0.1.41 (bsc#1165715): - Bump github.com/containers/image/v5 from 5.2.0 to 5.2.1 - Bump gopkg.in/yaml.v2 from 2.2.7 to 2.2.8 - Bump github.com/containers/common from 0.0.7 to 0.1.4 - Remove the reference to openshift/api - vendor github.com/containers/image/v5@v5.2.0 - Manually update buildah to v1.13.1 - add specific authfile options to copy (and sync) command. - Bump github.com/containers/buildah from 1.11.6 to 1.12.0 - Add context to --encryption-key / --decryption-key processing failures - Bump github.com/containers/storage from 1.15.2 to 1.15.3 - Bump github.com/containers/buildah from 1.11.5 to 1.11.6 - remove direct reference on c/image/storage - Makefile: set GOBIN - Bump gopkg.in/yaml.v2 from 2.2.2 to 2.2.7 - Bump github.com/containers/storage from 1.15.1 to 1.15.2 - Introduce the sync command - openshift cluster: remove .docker directory on teardown - Bump github.com/containers/storage from 1.14.0 to 1.15.1 - document installation via apk on alpine - Fix typos in doc for image encryption - Image encryption/decryption support in skopeo - make vendor-in-container - Bump github.com/containers/buildah from 1.11.4 to 1.11.5 - Travis: use go v1.13 - Use a Windows Nano Server image instead of Server Core for multi-arch testing - Increase test timeout to 15 minutes - Run the test-system container without --net=host - Mount /run/systemd/journal/socket into test-system containers - Don't unnecessarily filter out vendor from (go list ./...) output - Use -mod=vendor in (go {list,test,vet}) - Bump github.com/containers/buildah from 1.8.4 to 1.11.4 - Bump github.com/urfave/cli from 1.20.0 to 1.22.1 - skopeo: drop support for ostree - Don't critically fail on a 403 when listing tags - Revert 'Temporarily work around auth.json location confusion' - Remove references to atomic - Remove references to storage.conf - Dockerfile: use golang-github-cpuguy83-go-md2man - bump version to v0.1.41-dev - systemtest: inspect container image different from current platform arch Changes in v0.1.40: - vendor containers/image v5.0.0 - copy: add a --all/-a flag - System tests: various fixes - Temporarily work around auth.json location confusion - systemtest: copy: docker->storage->oci-archive - systemtest/010-inspect.bats: require only PATH - systemtest: add simple env test in inspect.bats - bash completion: add comments to keep scattered options in sync - bash completion: use read -r instead of disabling SC2207 - bash completion: support --opt arg completion - bash-completion: use replacement instead of sed - bash completion: disable shellcheck SC2207 - bash completion: double-quote to avoid re-splitting - bash completions: use bash replacement instead of sed - bash completion: remove unused variable - bash-completions: split decl and assignment to avoid masking retvals - bash completion: double-quote fixes - bash completion: hard-set PROG=skopeo - bash completion: remove unused variable - bash completion: use `||` instead of `-o` - bash completion: rm eval on assigned variable - copy: add --dest-compress-format and --dest-compress-level - flag: add optionalIntValue - Makefile: use go proxy - inspect --raw: skip the NewImage() step - update OCI image-spec to 775207bd45b6cb8153ce218cc59351799217451f - inspect.go: inspect env variables - ostree: use both image and & storage buildtags Update to skopeo v0.1.39 (bsc#1159530): - inspect: add a --config flag - Add --no-creds flag to skopeo inspect - Add --quiet option to skopeo copy - New progress bars - Parallel Pulls and Pushes for major speed improvements - containers/image moved to a new progress-bar library to fix various issues related to overlapping bars and redundant entries. - enforce blocking of registries - Allow storage-multiple-manifests - When copying images and the output is not a tty (e.g., when piping to a file) print single lines instead of using progress bars. This avoids long and hard to parse output - man pages: add --dest-oci-accept-uncompressed-layers - completions: - Introduce transports completions - Fix bash completions when a option requires a argument - Use only spaces in indent - Fix completions with a global option - add --dest-oci-accept-uncompressed-layers ----------------------------------------- Patch: SUSE-2020-737 Released: Fri Mar 20 13:47:16 2020 Summary: Recommended update for ruby2.5 Severity: important References: 1140844,1152990,1152992,1152994,1152995,1162396,1164804,CVE-2012-6708,CVE-2015-9251,CVE-2019-15845,CVE-2019-16201,CVE-2019-16254,CVE-2019-16255,CVE-2020-8130 Description: This update for ruby2.5 toversion 2.5.7 fixes the following issues: ruby 2.5 was updated to version 2.5.7 - CVE-2020-8130: Fixed a command injection in intree copy of rake (bsc#1164804). - CVE-2019-16255: Fixed a code injection vulnerability of Shell#[] and Shell#test (bsc#1152990). - CVE-2019-16254: Fixed am HTTP response splitting in WEBrick (bsc#1152992). - CVE-2019-15845: Fixed a null injection vulnerability of File.fnmatch and File.fnmatch? (bsc#1152994). - CVE-2019-16201: Fixed a regular expression denial of service of WEBrick Digest access authentication (bsc#1152995). - CVE-2012-6708: Fixed an XSS in JQuery - CVE-2015-9251: Fixed an XSS in JQuery - Fixed unit tests (bsc#1140844) - Removed some unneeded test files (bsc#1162396). ----------------------------------------- Patch: SUSE-2020-751 Released: Mon Mar 23 16:32:44 2020 Summary: Security update for cloud-init Severity: moderate References: 1162936,1162937,1163178,CVE-2020-8631,CVE-2020-8632 Description: This update for cloud-init fixes the following security issues: - CVE-2020-8631: Replaced the theoretically predictable deterministic RNG with the system RNG (bsc#1162937). - CVE-2020-8632: Increased the default random password length from 9 to 20 (bsc#1162936). ----------------------------------------- Patch: SUSE-2020-753 Released: Mon Mar 23 18:31:11 2020 Summary: Recommended update for metis Severity: moderate References: Description: This update for metis fixes the following issues: - Add support for gcc8/9 building (jsc#SLE-8604). - Build HPC master package for 'examples'. ----------------------------------------- Patch: SUSE-2020-755 Released: Tue Mar 24 09:20:53 2020 Summary: Recommended update for taglib Severity: moderate References: 1166467 Description: This update for taglib fixes the following issue: - Disable rpath explicitly to solve a build issue on Leap 15.2 (bsc#1166467) ----------------------------------------- Patch: SUSE-2020-758 Released: Tue Mar 24 11:36:02 2020 Summary: Recommended update for saptune Severity: moderate References: 1160564,1161791 Description: This update for saptune fixes the following issues: - Fix for the issue when the display manager does not start after upgrade. (bsc#1161791) - Implement commands for listing enabled Notes/Solutions to saptune. (bsc#1160564) ----------------------------------------- Patch: SUSE-2020-774 Released: Tue Mar 24 17:37:55 2020 Summary: Recommended update for libcgroup Severity: moderate References: 1166968 Description: This update for libcgroup fixes the following issue: libcgroup is provided to SUSE Linux Enterprise 15 SP1 in the Legacy Module. (jsc#SLE-10792 jsc#ECO-1225 bsc#1166968) Usage of cgroups via libcgroup conflicts with cgroups used by systemd, so please make sure their usages do not conflict. ----------------------------------------- Patch: SUSE-2020-787 Released: Wed Mar 25 10:16:38 2020 Summary: Recommended update for lifecycle-data-sle-module-live-patching Severity: moderate References: 1020320 Description: This update for lifecycle-data-sle-module-live-patching fixes the following issue: - Live kernel patching update data for for 4_12_14-197_34. (bsc#1020320) ----------------------------------------- Patch: SUSE-2020-801 Released: Thu Mar 26 17:29:16 2020 Summary: Security update for ldns Severity: moderate References: 1068709,1068711,CVE-2017-1000231,CVE-2017-1000232 Description: This update for ldns fixes the following issues: - CVE-2017-1000231: Fixed a buffer overflow during token parsing (bsc#1068711). - CVE-2017-1000232: Fixed a double-free vulnerability in str2host.c (bsc#1068709). ----------------------------------------- Patch: SUSE-2020-811 Released: Mon Mar 30 10:33:19 2020 Summary: Security update for spamassassin Severity: important References: 1118987,1162197,1162200,862963,CVE-2018-11805,CVE-2020-1930,CVE-2020-1931 Description: This update for spamassassin fixes the following issues: Security issues fixed: - CVE-2018-11805: Fixed an issue with delimiter handling in rule files related to is_regexp_valid() (bsc#1118987). - CVE-2020-1930: Fixed an issue with rule configuration (.cf) files which can be configured to run system commands (bsc#1162197). - CVE-2020-1931: Fixed an issue with rule configuration (.cf) files which can be configured to run system commands with warnings (bsc#1162200). Non-security issue fixed: - Altering hash requires restarting loop (bsc#862963). ----------------------------------------- Patch: SUSE-2020-814 Released: Mon Mar 30 16:23:40 2020 Summary: Recommended update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1 Severity: moderate References: 1161816,1162152,1167223 Description: This update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1 fixes the following issues: libreoffice was updated to 6.4.2.2 (jsc#SLE-11174 jsc#SLE-11175 jsc#SLE-11176 bsc#1167223): Full Release Notes can be found on: https://wiki.documentfoundation.org/ReleaseNotes/6.4 - Fixed broken handling of non-ASCII characters in the KDE filedialog (bsc#1161816) - Move the animation library to core package bsc#1162152 xmlsec1 was updated to 1.2.28: * Added BoringSSL support (chenbd). * Added gnutls-3.6.x support (alonbl). * Added DSA and ECDSA key size getter for MSCNG (vmiklos). * Added --enable-mans configuration option (alonbl). * Added coninuous build integration for MacOSX (vmiklos). * Several other small fixes (more details). - Make sure to recommend at least one backend when you install just xmlsec1 - Drop the gnutls backend as based on the tests it is quite borked: * We still have nss and openssl backend for people to use Version update to 1.2.27: * Added AES-GCM support for OpenSSL and MSCNG (snargit). * Added DSA-SHA256 and ECDSA-SHA384 support for NSS (vmiklos). * Added RSA-OAEP support for MSCNG (vmiklos). * Continuous build integration in Travis and Appveyor. * Several other small fixes (more details). myspell-dictionaries was updated to 20191219: * Updated the English dictionaries: GB+US+CA+AU * Bring shipped Spanish dictionary up to version 2.5 boost was updated to fix: - add a backport of Boost.Optional::has_value() for LibreOffice The QR-Code-generator is shipped: - Initial commit, needed by libreoffice 6.4 ----------------------------------------- Patch: SUSE-2020-819 Released: Tue Mar 31 13:01:34 2020 Summary: Security update for icu Severity: important References: 1166844,CVE-2020-10531 Description: This update for icu fixes the following issues: - CVE-2020-10531: Fixed a potential integer overflow in UnicodeString:doAppend (bsc#1166844). ----------------------------------------- Patch: SUSE-2020-821 Released: Tue Mar 31 13:05:59 2020 Summary: Recommended update for podman, slirp4netns Severity: moderate References: 1167850 Description: This update for podman, slirp4netns fixes the following issues: slirp4netns was updated to 0.4.4 (bsc#1167850): * libslirp: Update to v4.2.0: * New API function slirp_add_unix: add a forward rule to a Unix socket. * New API function slirp_remove_guestfwd: remove a forward rule previously added by slirp_add_exec, slirp_add_unix or slirp_add_guestfwd * New SlirpConfig.outbound_addr{,6} fields to bind output socket to a specific address * socket: do not fallback on host loopback if get_dns_addr() failed or the address is in slirp network * ncsi: fix checksum OOB memory access * tcp_emu(): fix OOB accesses * tftp: restrict relative path access * state: fix loading of guestfwd state Update to 0.4.3: * api: raise an error if the socket path is too long * libslirp: update to v4.1.0: Including the fix for libslirp sends RST to app in response to arriving FIN when containerized socket is shutdown() with SHUT_WR * Fix create_sandbox error Update to 0.4.2: * Do not propagate mounts to the parent ns in sandbox Update to 0.4.1: * Support specifying netns path (slirp4netns --netns-type=path PATH TAPNAME) * Support specifying --userns-path * Vendor https://gitlab.freedesktop.org/slirp/libslirp (QEMU v4.1+) * Bring up loopback device when --configure is specified * Support sandboxing by creating a mount namespace (--enable-sandbox) * Support seccomp (--enable-seccomp) - Add new build dependencies libcap-devel and libseccomp-devel Update to 0.3.3: * Fix use-after-free in libslirp Update to 0.3.2: * Fix heap overflow in `ip_reass` on big packet input Update to 0.3.1: * Fix use-after-free Changes in podman: - Fixed dependency on slirp4netns. We need at least 0.4.0 now (bsc#1167850) ----------------------------------------- Patch: SUSE-2020-824 Released: Tue Mar 31 13:28:28 2020 Summary: Recommended update for python-paramiko Severity: moderate References: 1166758 Description: This update for python-paramiko fixes the following issues: - Added support for the new OpenSSH >= 7.8p1 private key format (bsc#1166758) ----------------------------------------- Patch: SUSE-2020-825 Released: Tue Mar 31 13:30:37 2020 Summary: Recommended update for openslp Severity: moderate References: 1165050,1165121 Description: This update for openslp fixes the following issues: - Add missing group prerequisites to the openslp-server package. (bsc#1165050) - Add missing openslp prerequisites to the openslp-server package. (bsc#1165121) ----------------------------------------- Patch: SUSE-2020-827 Released: Tue Mar 31 13:33:09 2020 Summary: Recommended update for susemanager-cloud-setup Severity: moderate References: 1158691 Description: This update for susemanager-cloud-setup fixes the following issues: - Improve handling of storage volumes. (bsc#1158691) ----------------------------------------- Patch: SUSE-2020-829 Released: Tue Mar 31 13:46:43 2020 Summary: Recommended update for geolite2legacy Severity: moderate References: 1156194 Description: This update for geolite2legacy fixes the following issues: - Create the initial package of GeoIP 2 Legacy, as the GeoIP is discontinued. (bsc#1156194) ----------------------------------------- Patch: SUSE-2020-840 Released: Wed Apr 1 11:25:34 2020 Summary: Recommended update for python-kiwi Severity: moderate References: 1143454,1163978,1164310,1165578,1167746 Description: This update for python-kiwi fixes the following issues: - Upgrade from version 9.19.8 to 9.20.5 * Fixed result map for OEM pxe install. (bsc#1165578) * Add SECURE_BOOT parameter for grub2 in efi mode. (bsc#1167746) This commit adds the SECURE_BOOT parameter on bootloader sysconfig for grub2. * Fix order in fstab. (bsc#1164310) Any mount point directly under / should be just right after the root mountpoint and before the custom mountpoints based on user's subvolume configuration. * Fixed handling of fillup templates. (bsc#1163978) Systems using a template tool to generate config files might not be effective when they see the intermediate config files we need from the host to let certain package managers work correctly. Therefore the cleanup code in kiwi takes care to restore from an optionally existing template file if no other custom variant is present. * Start using tftp system user package (bsc#1143454) This update starts requiring the tftp system user package. This user was created and managed by multiple packages before, with the risk of having inconsistent criteria on its defaults. With the system user package every package that requires this user should just require this package and do not create or modify the tftp user. ----------------------------------------- Patch: SUSE-2020-848 Released: Thu Apr 2 11:24:38 2020 Summary: Recommended update for GeoIP Severity: moderate References: 1156194 Description: This update for GeoIP fixes the following issues: - Update README.SUSE with a description how to get the latest Geo IP data after the distribution changes. (jsc#SLE-11184, bsc#1156194, jsc#ECO-1405) ----------------------------------------- Patch: SUSE-2020-913 Released: Fri Apr 3 12:03:35 2020 Summary: Recommended update for wpa_supplicant Severity: moderate References: 1166933 Description: This update for wpa_supplicant fixes the following issue: - Change wpa_supplicant.service to ensure wpa_supplicant gets started before network. Fix WLAN config on boot with wicked. (bsc#1166933) ----------------------------------------- Patch: SUSE-2020-917 Released: Fri Apr 3 15:02:25 2020 Summary: Recommended update for pam Severity: moderate References: 1166510 Description: This update for pam fixes the following issues: - Moved pam_userdb into a separate package pam-extra. (bsc#1166510) ----------------------------------------- Patch: SUSE-2020-921 Released: Fri Apr 3 17:14:11 2020 Summary: Security update for exiv2 Severity: moderate References: 1040973,1068873,1088424,1097599,1097600,1109175,1109176,1109299,1115364,1117513,1142684,CVE-2017-1000126,CVE-2017-9239,CVE-2018-12264,CVE-2018-12265,CVE-2018-17229,CVE-2018-17230,CVE-2018-17282,CVE-2018-19108,CVE-2018-19607,CVE-2018-9305,CVE-2019-13114 Description: This update for exiv2 fixes the following issues: exiv2 was updated to latest 0.26 branch, fixing bugs and security issues: - CVE-2017-1000126: Fixed an out of bounds read in webp parser (bsc#1068873). - CVE-2017-9239: Fixed a segmentation fault in TiffImageEntry::doWriteImage function (bsc#1040973). - CVE-2018-12264: Fixed an integer overflow in LoaderTiff::getData() which might have led to an out-of-bounds read (bsc#1097600). - CVE-2018-12265: Fixed integer overflows in LoaderExifJpeg which could have led to memory corruption (bsc#1097599). - CVE-2018-17229: Fixed a heap based buffer overflow in Exiv2::d2Data via a crafted image (bsc#1109175). - CVE-2018-17230: Fixed a heap based buffer overflow in Exiv2::d2Data via a crafted image (bsc#1109176). - CVE-2018-17282: Fixed a null pointer dereference in Exiv2::DataValue::copy (bsc#1109299). - CVE-2018-19108: Fixed an integer overflow in Exiv2::PsdImage::readMetadata which could have led to infinite loop (bsc#1115364). - CVE-2018-19607: Fixed a null pointer dereference in Exiv2::isoSpeed which might have led to denial of service (bsc#1117513). - CVE-2018-9305: Fixed an out of bounds read in IptcData::printStructure which might have led to to information leak or denial of service (bsc#1088424). - CVE-2019-13114: Fixed a null pointer dereference which might have led to denial of service via a crafted response of an malicious http server (bsc#1142684). ----------------------------------------- Patch: SUSE-2020-925 Released: Mon Apr 6 10:08:27 2020 Summary: Recommended update for python3-azuremetadata, regionServiceClientConfigAzure, regionServiceClientConfigSAPAzure Severity: moderate References: 1158698,1158707,1164818,1164819 Description: This update for python3-azuremetadata, regionServiceClientConfigAzure, regionServiceClientConfigSAPAzure fixes the following issues: regionServiceClientConfigAzure was updated to version 0.0.5: + Don't specify root device name explicitly (bsc#1158698, bsc#1158707) regionServiceClientConfigSAPAzure was updated to version 1.0.2: + Don't specify root device name explicitly (bsc#1158698, bsc#1158707) Changes in python3-azuremetadata: - Version 5.0.0 - Support new Azure metadata API (bsc#1164818, bsc#1164819) - Automatically detect root device (bsc#1158698, bsc#1158707) ----------------------------------------- Patch: SUSE-2020-934 Released: Tue Apr 7 03:46:20 2020 Summary: Recommended update for wget Severity: moderate References: 1167919 Description: This update for wget fixes the following issues: wget was updated to 1.20.3, fixing various bugs, including: - Fix for wget ignoring domains with leading '.' in environment variable 'no_proxy'. (bsc#1167919) ----------------------------------------- Patch: SUSE-2020-943 Released: Tue Apr 7 15:24:19 2020 Summary: Recommended update for nvmetcli Severity: moderate References: 1167644 Description: This update for nvmetcli fixes the following issues: - Update from version 0.6 to version 0.7: * nvmetcli: ANA configuration support * nvmetcli: simplify the enabled logic * nvmetcli: pep8 fixes * nvmetcli: support inline_data_size port parameter * Revert 'nvmetcli: expose nvmet port status and state' * Support python3 dictionary access. * nvmetcli: expose nvmet port status and state - 'clear' command doesn't handle ANA groups correctly. (bsc#1167644) The first ANA group is maintained by the kernel so it cannot be deleted. ----------------------------------------- Patch: SUSE-2020-944 Released: Tue Apr 7 15:49:33 2020 Summary: Security update for runc Severity: moderate References: 1149954,1160452,CVE-2019-19921 Description: This update for runc fixes the following issues: runc was updated to v1.0.0~rc10 - CVE-2019-19921: Fixed a mount race condition with shared mounts (bsc#1160452). - Fixed an issue where podman run hangs when spawned by salt-minion process (bsc#1149954). ----------------------------------------- Patch: SUSE-2020-948 Released: Wed Apr 8 07:44:21 2020 Summary: Security update for gmp, gnutls, libnettle Severity: moderate References: 1152692,1155327,1166881,1168345,CVE-2020-11501 Description: This update for gmp, gnutls, libnettle fixes the following issues: Security issue fixed: - CVE-2020-11501: Fixed zero random value in DTLS client hello (bsc#1168345) FIPS related bugfixes: - FIPS: Install checksums for binary integrity verification which are required when running in FIPS mode (bsc#1152692, jsc#SLE-9518) - FIPS: Fixed a cfb8 decryption issue, no longer truncate output IV if input is shorter than block size. (bsc#1166881) - FIPS: Added Diffie Hellman public key verification test. (bsc#1155327) ----------------------------------------- Patch: SUSE-2020-957 Released: Wed Apr 8 12:28:03 2020 Summary: Security update for mgetty Severity: moderate References: 1142770,1168170,CVE-2019-1010190 Description: This update for mgetty fixes the following issues: - CVE-2019-1010190: Fixed a denial of service which could be caused by a local attacker in putwhitespan() (bsc#1142770). - Fixed a permission issue which have resulted in build failures (bsc#1168170). ----------------------------------------- Patch: SUSE-2020-958 Released: Wed Apr 8 12:38:15 2020 Summary: Recommended update for python3-ec2metadata Severity: moderate References: 1157901,1157902 Description: This update for python3-ec2metadata contains the following fixes: - Update to version 3.0.2: (bsc#1157901, bsc#1157902) + Add man page. + Support accessing IMDS with a token (API change) to support disabling unauthenticated access of IMDS; ----------------------------------------- Patch: SUSE-2020-693 Released: Wed Apr 8 14:11:14 2020 Summary: Security update for wireshark Severity: moderate References: 1093733,1094301,1101776,1101777,1101786,1101788,1101791,1101794,1101800,1101802,1101804,1101810,1106514,1111647,1117740,1121231,1121232,1121233,1121234,1121235,1127367,1127369,1127370,1131941,1131945,1136021,1141980,1150690,1156288,1158505,1161052,1165241,1165710,957624,CVE-2018-11354,CVE-2018-11355,CVE-2018-11356,CVE-2018-11357,CVE-2018-11358,CVE-2018-11359,CVE-2018-11360,CVE-2018-11361,CVE-2018-11362,CVE-2018-12086,CVE-2018-14339,CVE-2018-14340,CVE-2018-14341,CVE-2018-14342,CVE-2018-14343,CVE-2018-14344,CVE-2018-14367,CVE-2018-14368,CVE-2018-14369,CVE-2018-14370,CVE-2018-16056,CVE-2018-16057,CVE-2018-16058,CVE-2018-18225,CVE-2018-18226,CVE-2018-18227,CVE-2018-19622,CVE-2018-19623,CVE-2018-19624,CVE-2018-19625,CVE-2018-19626,CVE-2018-19627,CVE-2018-19628,CVE-2019-10894,CVE-2019-10895,CVE-2019-10896,CVE-2019-10897,CVE-2019-10898,CVE-2019-10899,CVE-2019-10900,CVE-2019-10901,CVE-2019-10902,CVE-2019-10903,CVE-2019-13619,CVE-2019-16319,CVE-2019-19553,CVE-2019-5716,CVE-2019-5717,CVE-2019-5718,CVE-2019-5719,CVE-2019-5721,CVE-2019-9208,CVE-2019-9209,CVE-2019-9214,CVE-2020-7044,CVE-2020-9428,CVE-2020-9429,CVE-2020-9430,CVE-2020-9431 Description: This update for wireshark and libmaxminddb fixes the following issues: Update wireshark to new major version 3.2.2 and introduce libmaxminddb for GeoIP support (bsc#1156288). New features include: - Added support for 111 new protocols, including WireGuard, LoRaWAN, TPM 2.0, 802.11ax and QUIC - Improved support for existing protocols, like HTTP/2 - Improved analytics and usability functionalities ----------------------------------------- Patch: SUSE-2020-966 Released: Thu Apr 9 09:44:18 2020 Summary: Recommended update for libcgroup Severity: moderate References: 1166968 Description: This update for libcgroup fixes the following issues: - rename sysconfig.libcgroup back to sysconfig.cgred to keep SUSE Linux Enterprise 12 compatibility (bsc#1166968) ----------------------------------------- Patch: SUSE-2020-987 Released: Tue Apr 14 13:21:07 2020 Summary: Recommended update for python-azure-mgmt-compute Severity: moderate References: 1140565 Description: This update for python-azure-mgmt-compute fixes the following issues: New upstream release 4.6.2 (bsc#1140565, jsc#ECO-1257, jsc#PM-1598): + For detailed information about changes see the HISTORY.txt file provided with this package ----------------------------------------- Patch: SUSE-2020-994 Released: Wed Apr 15 07:57:24 2020 Summary: Recommended update for clamav Severity: moderate References: 1119353 Description: This update for clamav fixes the following issues: - Fix freshclam usage in FIPS mode (bsc#1119353). ----------------------------------------- Patch: SUSE-2020-995 Released: Wed Apr 15 08:30:39 2020 Summary: Security update for ruby2.5 Severity: moderate References: 1167244,1168938,CVE-2020-10663,CVE-2020-10933 Description: This update for ruby2.5 to version 2.5.8 fixes the following issues: - CVE-2020-10663: Unsafe Object Creation Vulnerability in JSON (bsc#1167244). - CVE-2020-10933: Heap exposure vulnerability in the socket library (bsc#1168938). ----------------------------------------- Patch: SUSE-2020-919 Released: Wed Apr 15 10:43:21 2020 Summary: Recommended update for python-pyroute2 Severity: moderate References: 1160933,1161898 Description: This update provides python-pyroute2 for use by the gcp-vpc-move-route agent in resource-agents. ----------------------------------------- Patch: SUSE-2020-998 Released: Wed Apr 15 13:00:05 2020 Summary: Recommended update for python-pycups Severity: moderate References: 735865 Description: This update for python-pycups fixes the following issues: - add BuildRequires: python-cups to printer driver packages. (bsc#735865) Package /usr/lib/rpm/postscriptdriver.prov again, in the new 'cups-rpm-helper' subpackage. The file hasn't been packaged any more after the switch from python-cups to python-pycups. ----------------------------------------- Patch: SUSE-2020-1000 Released: Wed Apr 15 14:18:56 2020 Summary: Recommended update for azure-cli tools, python-adal, python-applicationinsights, python-azure modules, python-msrest, python-msrestazure, python-pydocumentdb, python-uamqp, python-vsts-cd-manager Severity: moderate References: 1014478,1054413,1140565,982804,999200 Description: This update for azure-cli tools, python-adal, python-applicationinsights, python-azure modules, python-msrest, python-msrestazure, python-pydocumentdb, python-uamqp, python-vsts-cd-manager fixes the following issues: The Azure python modules and client tool stack was updated to the 2020 state. Various other python modules were added and updated. - python-PyYAML was updated to 5.1.2. - python-humanfriendly was updated 4.16.1. ----------------------------------------- Patch: SUSE-2020-1005 Released: Thu Apr 16 06:22:32 2020 Summary: Recommended update for ypbind Severity: moderate References: 1163252 Description: This update for ypbind fixes the following issues: - Fix for setting domain name by waiting that network becomes online, so it can be properly configured in sysconfig. (bsc#1163252) ----------------------------------------- Patch: SUSE-2020-1016 Released: Thu Apr 16 16:15:45 2020 Summary: Recommended update for python-cachetools, python-google-api-python-client, python-google-auth, python-google-auth-httplib2 Severity: moderate References: 1088358,1160933 Description: This update for python-cachetools, python-google-api-python-client, python-google-auth, python-google-auth-httplib2 fixes the following issues: python-cachetools was updated to version 2.0.1: * Officially support Python 3.6. * Move documentation to RTD. * Documentation: Update import paths for key functions (courtesy of slavkoja). update to 2.0.0: - Drop support for deprecated features (breaking change). - Move key functions to separate package (breaking change). - Accept non-integer ``maxsize`` in ``Cache.__repr__()``. update to 1.1.6: - Reimplement ``LRUCache`` and ``TTLCache`` using ``collections.OrderedDict``. Note that this will break pickle compatibility with previous versions. - Fix ``TTLCache`` not calling ``__missing__()`` of derived classes. - Handle ``ValueError`` in ``Cache.__missing__()`` for consistency with caching decorators. - Improve how ``TTLCache`` handles expired items. - Use ``Counter.most_common()`` for ``LFUCache.popitem()``. - Refactor ``Cache`` base class. Note that this will break pickle compatibility with previous versions. - Clean up ``LRUCache`` and ``TTLCache`` implementations. - Refactor ``LRUCache`` and ``TTLCache`` implementations. Note that this will break pickle compatibility with previous versions. - Document pending removal of deprecated features. - Minor documentation improvements. - Fix pickle tests. - Fix pickling of large ``LRUCache`` and ``TTLCache`` instances. - Improve key functions. - Improve documentation. - Improve unit test coverage. - Add ``@cached`` function decorator. - Add ``hashkey`` and ``typedkey`` fuctions. - Add `key` and `lock` arguments to ``@cachedmethod``. - Set ``__wrapped__`` attributes for Python versions < 3.2. - Move ``functools`` compatible decorators to ``cachetools.func``. - Deprecate ``@cachedmethod`` `typed` argument. - Deprecate `cache` attribute for ``@cachedmethod`` wrappers. - Deprecate `getsizeof` and `lock` arguments for `cachetools.func` decorator. python-google-api-python-client was updated to: - Upgrade to 1.7.4: just series of minor bugfixes Changes in python-google-auth was updated to 1.5.1: - Fix check for error text on Python 3.7. (#278) - Use new Auth URIs. (#281) - Add code-of-conduct document. (#270) - Fix some typos in test_urllib3.py (#268) - Warn when using user credentials from the Cloud SDK (#266) - Add compute engine-based IDTokenCredentials (#236) - Corrected some typos (#265) Update to 1.4.2: - Raise a helpful exception when trying to refresh credentials without a refresh token. (#262) - Fix links to README and CONTRIBUTING in docs/index.rst. (#260) - Fix a typo in credentials.py. (#256) - Use pytest instead of py.test per upstream recommendation, #dropthedot. (#255) - Fix typo on exemple of jwt usage (#245) New upstream release 1.4.1 (bsc#1088358) - Added a check for the cryptography version before attempting to use it. + From version 1.4.0 - Added `cryptography`-based RSA signer and verifier. - Added `google.oauth2.service_account.IDTokenCredentials`. - Improved documentation around ID Tokens + From version 1.3.0 - Added ``google.oauth2.credentials.Credentials.from_authorized_user_file``. - Dropped direct pyasn1 dependency in favor of letting ``pyasn1-modules`` specify the right version. - ``default()`` now checks for the project ID environment var before warning about missing project ID. - Fixed the docstrings for ``has_scopes()`` and ``with_scopes()``. - Fixed example in docstring for ``ReadOnlyScoped``. - Made ``transport.requests`` use timeouts and retries to improve reliability. python-google-auth-httplib2 initially shipped: python-pytest-localserver was updated to 0.4.1: Update to version 0.3.6: + Add trove classifiers to make sure that package shows up on PyPI's Python 3 list. + Remove test method which rely on thread to be finished first. + OpenSSL is no longer necessary with werkzeug 0.10. + Tests now work under Python 3.3 \o/ + Fix for Python 3.5 (fixes #13). + Add new Python version to classifiers. + Update repository url + Use @pytest.fixture to declare fixtures + Remove old-style test fixtures from tests and README, too. ----------------------------------------- Patch: SUSE-2020-1033 Released: Mon Apr 20 09:12:45 2020 Summary: Recommended update for perl-CGI Severity: moderate References: 1162868 Description: This update for perl-CGI fixes the following issues: Update from version 4.38 to 4.46 (bsc#1162868) * Add support for SameSite=None cookies and update the documentation * Replace only use of 'base' with 'parent' given that CGI already depends on 'parent' * Support unquoted multipart/form-data name values * Update the package license from 'Artistic-1.0 or GPL-1.0+' to 'Artistic-2.0' * Support perls < 5.10.1 and specify CONFIGURE_REQUIRES in Makefile.PL for being more dynamic ----------------------------------------- Patch: SUSE-2020-1034 Released: Mon Apr 20 09:15:18 2020 Summary: Recommended update for psqlODBC Severity: moderate References: 1166821 Description: This update for psqlODBC fixes the following issue: - Fix build with PostgreSQL 11 and newer. (bsc#1166821) ----------------------------------------- Patch: SUSE-2020-1037 Released: Mon Apr 20 10:49:39 2020 Summary: Recommended update for python-pytest Severity: low References: 1002895,1107105,1138666,1167732 Description: This update fixes the following issues: New python-pytest versions are provided. In Basesystem: - python3-pexpect: updated to 4.8.0 - python3-py: updated to 1.8.1 - python3-zipp: shipped as dependency in version 0.6.0 In Python2: - python2-pexpect: updated to 4.8.0 - python2-py: updated to 1.8.1 ----------------------------------------- Patch: SUSE-2020-1038 Released: Mon Apr 20 10:50:20 2020 Summary: Recommended update for seccheck Severity: moderate References: 1132919,985802 Description: This update for seccheck fixes the following issues: - adapt WantedBy so the timers are actually started at boot time when enabled (#1132919) - correct indentation of SECCHK_FROM (#985802) for the weekly and monthly mails so that the mail header lines are recognised by the receiving mail client ----------------------------------------- Patch: SUSE-2020-1039 Released: Mon Apr 20 11:33:39 2020 Summary: Recommended update for python-kiwi Severity: important References: 1165960,1168480 Description: This update for python-kiwi fixes the following issues: - Fix for systems that use efi with grub2 version less than 2.04 there is no support for dynamic EFI environment checking. (bsc#1165960, bsc#1168480) ----------------------------------------- Patch: SUSE-2020-1048 Released: Tue Apr 21 10:33:46 2020 Summary: Recommended update for python-kiwi Severity: moderate References: 1165823 Description: This update for python-kiwi fixes the following issues: - Fixed _get_grub2_mkconfig_tool Last patch on this method breaks the search for alternative mkconfig names. It returns always on the first lookup which could be none. This breaks on systems that uses a different name than grub2-mkconfig, like on Ubuntu. - Increase spare space on disk repart (bsc#1165823) The sizing of the virtual cylinders in parted seems to be unfavorable, as with some disks and SD cards here the device size is not a multiple of the cylinder size, so the last incomplete cylinder is wasted. If this wasted space is more than 5MiB, kiwi tries to resize indefinitely. Therefore min_additional_mbytes gets increased to prevent running into this situation. ----------------------------------------- Patch: SUSE-2020-1055 Released: Tue Apr 21 15:53:44 2020 Summary: Recommended update for patterns-server-enterprise Severity: moderate References: 1168416,1169042 Description: This update for patterns-server-enterprise fixes the following issues: - added libgnutls30-hmac to the FIPS pattern. (bsc#1169042 bsc#1168416) - remove strongswan-hmac-32bit (not used currently) ----------------------------------------- Patch: SUSE-2020-1056 Released: Tue Apr 21 16:26:22 2020 Summary: Recommended update for cloud-init Severity: important References: 1099358,1144881,1145622,1148645,1163178,1165296 Description: This update for cloud-init contains the following fixes: - Update previous patches with the following additions: + In cases where the config contains 2 or more default gateway specifications for an interface only write the first default route, log warning message about skipped routes + Avoid writing invalid route specification if neither the network nor destination is specified in the route configuration + Still need to consider the 'network' configuration uption for the v1 config implementation. Fixes regression introduced with update from Wed Feb 12 19:30:42. + Add the default gateway to the ifroute config file when specified as part of the subnet configuration. (bsc#1165296) + Fix typo to properly extrakt provided netmask data (bsc#1163178, bsc#1165296) + Fix for default gateway and IPv6. (bsc#1144881) + Routes will be written if there is only a default gateway. (bsc#1148645) - BuildRequire pkgconfig(udev) instead of udev, which allow OS to shortcut through the -mini flavor. - Update to cloud-init 19.2. (bsc#1099358, bsc#1145622) ----------------------------------------- Patch: SUSE-2020-1060 Released: Wed Apr 22 09:55:41 2020 Summary: Recommended update for sapconf Severity: moderate References: 1124453,1139176,1148163,1150868,1150870 Description: This update for sapconf fixes the following issues: - Removing SAP configuration from logind during the package update, as it is not needed any longer. (bsc#1148163, jsc#SLE-10123) - Fix for sapconf detecting an improper tuned profile during start, it will write an information to the log file and the start of the sapconf service will fail to guide the administrator to the problem. (bsc#1139176) - Use absolute path to 'script.sh' in 'tuned.conf' file. (bsc#1124453) - Fix for rpm macros in postinstall script replacing invalid commands. (bsc#1150868, bsc#1150870) ----------------------------------------- Patch: SUSE-2020-1083 Released: Thu Apr 23 11:31:23 2020 Summary: Security update for cups Severity: important References: 1168422,CVE-2020-3898 Description: This update for cups fixes the following issues: - CVE-2020-3898: Fixed a heap buffer overflow in ppdFindOption() (bsc#1168422). ----------------------------------------- Patch: SUSE-2020-1094 Released: Thu Apr 23 16:34:21 2020 Summary: Recommended update for python-google-api-python-client Severity: moderate References: 1088358,1160933 Description: This update for python-google-api-python-client fixes the following issues: - Fix dependencies to use google-auth instead of deprecated oauth2client (bsc#1160933, jsc#ECO-1148) python-cachetools 2.0.1 is shipped to the Public Cloud Module. python-google-auth 1.5.1 is shipped to the Public Cloud Module. python-google-api-python-client was updated to: - Upgrade to 1.7.4: just series of minor bugfixes - Fix check for error text on Python 3.7. (#278) - Use new Auth URIs. (#281) - Add code-of-conduct document. (#270) - Fix some typos in test_urllib3.py (#268) - Warn when using user credentials from the Cloud SDK (#266) - Add compute engine-based IDTokenCredentials (#236) - Corrected some typos (#265) Update to 1.4.2: - Raise a helpful exception when trying to refresh credentials without a refresh token. (#262) - Fix links to README and CONTRIBUTING in docs/index.rst. (#260) - Fix a typo in credentials.py. (#256) - Use pytest instead of py.test per upstream recommendation, #dropthedot. (#255) - Fix typo on exemple of jwt usage (#245) New upstream release 1.4.1 (bsc#1088358) - Added a check for the cryptography version before attempting to use it. + From version 1.4.0 - Added `cryptography`-based RSA signer and verifier. - Added `google.oauth2.service_account.IDTokenCredentials`. - Improved documentation around ID Tokens + From version 1.3.0 - Added ``google.oauth2.credentials.Credentials.from_authorized_user_file``. - Dropped direct pyasn1 dependency in favor of letting ``pyasn1-modules`` specify the right version. - ``default()`` now checks for the project ID environment var before warning about missing project ID. - Fixed the docstrings for ``has_scopes()`` and ``with_scopes()``. - Fixed example in docstring for ``ReadOnlyScoped``. - Made ``transport.requests`` use timeouts and retries to improve reliability. ----------------------------------------- Patch: SUSE-2020-1096 Released: Thu Apr 23 16:35:05 2020 Summary: Recommended update for google-compute-engine Severity: moderate References: 1167810 Description: This update for google-compute-engine fixes the following issues: - Rename the sysctl file that applies the GCE network settings, so it is run after the default config and adjusts net.ipv4.conf.all.rp_filter correctly. (bsc#1167810) ----------------------------------------- Patch: SUSE-2020-1097 Released: Thu Apr 23 21:12:03 2020 Summary: Recommended update for python3-azuremetadata Severity: moderate References: 1169921 Description: This update for python3-azuremetadata fixes the following issues: - Use lsblk for root device detection (bsc#1169921) ----------------------------------------- Patch: SUSE-2020-1112 Released: Fri Apr 24 16:44:20 2020 Summary: Recommended update for suse-build-key Severity: moderate References: 1170347 Description: This update for suse-build-key fixes the following issues: - add a /usr/share/container-keys/ directory for GPG based Container verification. - Add the SUSE build key as 'suse-container-key.asc'. (PM-1845 bsc#1170347) ----------------------------------------- Patch: SUSE-2020-1160 Released: Thu Apr 30 17:40:19 2020 Summary: Recommended update for cloud-regionsrv-client Severity: moderate References: 1169599 Description: This update for cloud-regionsrv-client contains the following fix: - Update to version 9.0.9: (bsc#1169599) + Handle the /etc/hosts file with Python 3.4 if there are non ascii characters in the file. ----------------------------------------- Patch: SUSE-2020-1170 Released: Mon May 4 15:17:47 2020 Summary: Recommended update for aws-cli, python-boto, python-boto3, python-botocore, python-s3transfer Severity: moderate References: 1116204,1117074,1122668,1129696,1166924,1168943 Description: This update for aws-cli, python-boto, python-boto3, python-botocore, python-s3transfer fixes the following issues: aws-cli was updated to version 1.18.38 (bsc#1166924, bsc#1168943): + For detailed changes see https://github.com/aws/aws-cli/blob/1.18.38/CHANGELOG.rst + Forward port hide_py_pckgmgmt.patch + Update Requires in spec file from setup.py Update to version 1.18.35 + For detailed changes see https://github.com/aws/aws-cli/blob/1.18.35/CHANGELOG.rst + Forward port hide_py_pckgmgmt.patch + Update Requires in spec file from setup.py Update to version 1.18.27 + For detailed changes see https://github.com/aws/aws-cli/blob/1.18.27/CHANGELOG.rst + Forward port hide_py_pckgmgmt.patch + Update Requires in spec file from setup.py Update to version 1.18.0 + For detailed changes see https://github.com/aws/aws-cli/blob/1.18.0/CHANGELOG.rst + Forward port hide_py_pckgmgmt.patch + Install aws bash completetion script into system path + Install aws zsh completion script into /etc/zsh_completion.d + Update Requires in spec file from setup.py - make it possible to find the package under the name 'awscli' - Add bash command completion capability (bsc#1117074) Update to version 1.17.9 + For detailed changes see https://github.com/aws/aws-cli/blob/1.17.9/CHANGELOG.rst + Forward port hide_py_pckgmgmt.patch + Update Requires in spec file from setup.py Update to version 1.16.297 + For detailed changes see https://github.com/aws/aws-cli/blob/1.16.297/CHANGELOG.rst + Forward port hide_py_pckgmgmt.patch + Update Requires in spec file from setup.py Update to version 1.16.281 + For detailed changes see https://github.com/aws/aws-cli/blob/1.16.281/CHANGELOG.rst + Forward port hide_py_pckgmgmt.patch + Update Requires in spec file from setup.py Update to version 1.16.258 + For detailed changes see https://github.com/aws/aws-cli/blob/1.16.258/CHANGELOG.rst python-boto3 was updated to 1.12.38 (bsc#1166924, bsc#1168943) * api-change:``apigateway``: [``botocore``] Update apigateway client to latest version * api-change:``codeguru-reviewer``: [``botocore``] Update codeguru-reviewer client to latest version * api-change:``mediaconnect``: [``botocore``] Update mediaconnect client to latest version - from version 1.12.37 * api-change:``transcribe``: [``botocore``] Update transcribe client to latest version * api-change:``chime``: [``botocore``] Update chime client to latest version * api-change:``iam``: [``botocore``] Update iam client to latest version * api-change:``elasticbeanstalk``: [``botocore``] Update elasticbeanstalk client to latest version - from version 1.12.36 * api-change:``personalize-runtime``: [``botocore``] Update personalize-runtime client to latest version * api-change:``robomaker``: [``botocore``] Update robomaker client to latest version - Version update 1.12.35 * api-change:``medialive``: [``botocore``] Update medialive client to latest version * api-change:``redshift``: [``botocore``] Update redshift client to latest version * api-change:``gamelift``: [``botocore``] Update gamelift client to latest version * api-change:``cloudwatch``: [``botocore``] Update cloudwatch client to latest version * api-change:``rds``: [``botocore``] Update rds client to latest version - from version 1.12.34 * api-change:``iot``: [``botocore``] Update iot client to latest version * api-change:``mediaconnect``: [``botocore``] Update mediaconnect client to latest version - from version 1.12.33 * api-change:``opsworkscm``: [``botocore``] Update opsworkscm client to latest version * api-change:``wafv2``: [``botocore``] Update wafv2 client to latest version * api-change:``glue``: [``botocore``] Update glue client to latest version * api-change:``elastic-inference``: [``botocore``] Update elastic-inference client to latest version * api-change:``lambda``: [``botocore``] Update lambda client to latest version * api-change:``mediastore``: [``botocore``] Update mediastore client to latest version * api-change:``pinpoint``: [``botocore``] Update pinpoint client to latest version * api-change:``storagegateway``: [``botocore``] Update storagegateway client to latest version * api-change:``rekognition``: [``botocore``] Update rekognition client to latest version * api-change:``fms``: [``botocore``] Update fms client to latest version * api-change:``organizations``: [``botocore``] Update organizations client to latest version * api-change:``detective``: [``botocore``] Update detective client to latest version * api-change:``appconfig``: [``botocore``] Update appconfig client to latest version - from version 1.12.32 * api-change:``accessanalyzer``: [``botocore``] Update accessanalyzer client to latest version - from version 1.12.31 * api-change:``globalaccelerator``: [``botocore``] Update globalaccelerator client to latest version * api-change:``kendra``: [``botocore``] Update kendra client to latest version * api-change:``servicecatalog``: [``botocore``] Update servicecatalog client to latest version - from version 1.12.30 * api-change:``sagemaker``: [``botocore``] Update sagemaker client to latest version * api-change:``fsx``: [``botocore``] Update fsx client to latest version * api-change:``securityhub``: [``botocore``] Update securityhub client to latest version - from version 1.12.29 * api-change:``managedblockchain``: [``botocore``] Update managedblockchain client to latest version * api-change:``ce``: [``botocore``] Update ce client to latest version * api-change:``application-insights``: [``botocore``] Update application-insights client to latest version * api-change:``detective``: [``botocore``] Update detective client to latest version * api-change:``es``: [``botocore``] Update es client to latest version * api-change:``xray``: [``botocore``] Update xray client to latest version - from version 1.12.28 * api-change:``athena``: [``botocore``] Update athena client to latest version * api-change:``rds-data``: [``botocore``] Update rds-data client to latest version * api-change:``eks``: [``botocore``] Update eks client to latest version * api-change:``organizations``: [``botocore``] Update organizations client to latest version - Update BuildRequires and Requires from setup.py - Version update to 1.12.27 * api-change:``apigatewayv2``: [``botocore``] Update apigatewayv2 client to latest version * api-change:``eks``: [``botocore``] Update eks client to latest version * api-change:``route53``: [``botocore``] Update route53 client to latest version - from version 1.12.26 * api-change:``servicecatalog``: [``botocore``] Update servicecatalog client to latest version - from version 1.12.25 * api-change:``outposts``: [``botocore``] Update outposts client to latest version * api-change:``acm``: [``botocore``] Update acm client to latest version - from version 1.12.24 * api-change:``rds``: [``botocore``] Update rds client to latest version * api-change:``mediaconnect``: [``botocore``] Update mediaconnect client to latest version * api-change:``personalize``: [``botocore``] Update personalize client to latest version - from version 1.12.23 * api-change:``mediaconvert``: [``botocore``] Update mediaconvert client to latest version - from version 1.12.22 * api-change:``s3control``: [``botocore``] Update s3control client to latest version * bugfix:Stubber: [``botocore``] fixes `#1884 `__ * api-change:``cognito-idp``: [``botocore``] Update cognito-idp client to latest version * api-change:``ssm``: [``botocore``] Update ssm client to latest version * api-change:``ecs``: [``botocore``] Update ecs client to latest version * api-change:``elasticache``: [``botocore``] Update elasticache client to latest version - from version 1.12.21 * api-change:``appconfig``: [``botocore``] Update appconfig client to latest version - from version 1.12.20 * api-change:``lex-models``: [``botocore``] Update lex-models client to latest version * api-change:``securityhub``: [``botocore``] Update securityhub client to latest version * api-change:``ec2``: [``botocore``] Update ec2 client to latest version * api-change:``apigatewayv2``: [``botocore``] Update apigatewayv2 client to latest version * api-change:``iot``: [``botocore``] Update iot client to latest version - from version 1.12.19 * api-change:``efs``: [``botocore``] Update efs client to latest version * api-change:``redshift``: [``botocore``] Update redshift client to latest version - from version 1.12.18 * api-change:``serverlessrepo``: [``botocore``] Update serverlessrepo client to latest version * api-change:``iotevents``: [``botocore``] Update iotevents client to latest version * api-change:``ec2``: [``botocore``] Update ec2 client to latest version * enhancement:timezones: [``botocore``] Improved timezone parsing for Windows with new fallback method (#1939) * api-change:``marketplacecommerceanalytics``: [``botocore``] Update marketplacecommerceanalytics client to latest version - from version 1.12.17 * api-change:``ec2``: [``botocore``] Update ec2 client to latest version * api-change:``medialive``: [``botocore``] Update medialive client to latest version * api-change:``dms``: [``botocore``] Update dms client to latest version - from version 1.12.16 * api-change:``signer``: [``botocore``] Update signer client to latest version * api-change:``guardduty``: [``botocore``] Update guardduty client to latest version * api-change:``appmesh``: [``botocore``] Update appmesh client to latest version * api-change:``ec2``: [``botocore``] Update ec2 client to latest version * api-change:``robomaker``: [``botocore``] Update robomaker client to latest version - from version 1.12.15 * api-change:``eks``: [``botocore``] Update eks client to latest version * api-change:``ec2``: [``botocore``] Update ec2 client to latest version * api-change:``opsworkscm``: [``botocore``] Update opsworkscm client to latest version * api-change:``guardduty``: [``botocore``] Update guardduty client to latest version - from version 1.12.14 * api-change:``pinpoint``: [``botocore``] Update pinpoint client to latest version - from version 1.12.13 * api-change:``ec2``: [``botocore``] Update ec2 client to latest version - from version 1.12.12 * api-change:``cloudwatch``: [``botocore``] Update cloudwatch client to latest version * api-change:``comprehendmedical``: [``botocore``] Update comprehendmedical client to latest version - from version 1.12.11 * api-change:``config``: [``botocore``] Update config client to latest version - from version 1.12.10 * api-change:``config``: [``botocore``] Update config client to latest version * api-change:``glue``: [``botocore``] Update glue client to latest version * api-change:``sagemaker-a2i-runtime``: [``botocore``] Update sagemaker-a2i-runtime client to latest version * api-change:``appmesh``: [``botocore``] Update appmesh client to latest version * api-change:``elbv2``: [``botocore``] Update elbv2 client to latest version * api-change:``workdocs``: [``botocore``] Update workdocs client to latest version * api-change:``quicksight``: [``botocore``] Update quicksight client to latest version * api-change:``accessanalyzer``: [``botocore``] Update accessanalyzer client to latest version * api-change:``codeguruprofiler``: [``botocore``] Update codeguruprofiler client to latest version - from version 1.12.9 * api-change:``lightsail``: [``botocore``] Update lightsail client to latest version * api-change:``globalaccelerator``: [``botocore``] Update globalaccelerator client to latest version - from version 1.12.8 * api-change:``transcribe``: [``botocore``] Update transcribe client to latest version * api-change:``ec2``: [``botocore``] Update ec2 client to latest version * api-change:``sagemaker``: [``botocore``] Update sagemaker client to latest version * api-change:``securityhub``: [``botocore``] Update securityhub client to latest version - from version 1.12.7 * api-change:``stepfunctions``: [``botocore``] Update stepfunctions client to latest version * api-change:``kafka``: [``botocore``] Update kafka client to latest version * api-change:``secretsmanager``: [``botocore``] Update secretsmanager client to latest version * api-change:``outposts``: [``botocore``] Update outposts client to latest version - from version 1.12.6 * api-change:``iotevents``: [``botocore``] Update iotevents client to latest version * api-change:``docdb``: [``botocore``] Update docdb client to latest version * api-change:``snowball``: [``botocore``] Update snowball client to latest version * api-change:``fsx``: [``botocore``] Update fsx client to latest version * api-change:``events``: [``botocore``] Update events client to latest version - from version 1.12.5 * api-change:``imagebuilder``: [``botocore``] Update imagebuilder client to latest version * api-change:``wafv2``: [``botocore``] Update wafv2 client to latest version * api-change:``redshift``: [``botocore``] Update redshift client to latest version - from version 1.12.4 * api-change:``savingsplans``: [``botocore``] Update savingsplans client to latest version * api-change:``appconfig``: [``botocore``] Update appconfig client to latest version * api-change:``pinpoint``: [``botocore``] Update pinpoint client to latest version - from version 1.12.3 * api-change:``autoscaling``: [``botocore``] Update autoscaling client to latest version * api-change:``servicecatalog``: [``botocore``] Update servicecatalog client to latest version * api-change:``lambda``: [``botocore``] Update lambda client to latest version - from version 1.12.2 * api-change:``autoscaling``: [``botocore``] Update autoscaling client to latest version * api-change:``chime``: [``botocore``] Update chime client to latest version * api-change:``rds``: [``botocore``] Update rds client to latest version - from version 1.12.1 * api-change:``cloud9``: [``botocore``] Update cloud9 client to latest version * api-change:``ec2``: [``botocore``] Update ec2 client to latest version * api-change:``dynamodb``: [``botocore``] Update dynamodb client to latest version * api-change:``rekognition``: [``botocore``] Update rekognition client to latest version - Version update to 1.12.0 * feature:retries: [``botocore``] Add support for retry modes, including ``standard`` and ``adaptive`` modes (`#1972 `__) * api-change:``ec2``: [``botocore``] Update ec2 client to latest version * api-change:``mediatailor``: [``botocore``] Update mediatailor client to latest version * api-change:``securityhub``: [``botocore``] Update securityhub client to latest version * api-change:``shield``: [``botocore``] Update shield client to latest version - from version 1.11.17 * api-change:``mediapackage-vod``: [``botocore``] Update mediapackage-vod client to latest version - from version 1.11.16 * api-change:``glue``: [``botocore``] Update glue client to latest version * api-change:``chime``: [``botocore``] Update chime client to latest version * api-change:``workmail``: [``botocore``] Update workmail client to latest version * api-change:``ds``: [``botocore``] Update ds client to latest version * api-change:``ec2``: [``botocore``] Update ec2 client to latest version * api-change:``es``: [``botocore``] Update es client to latest version * api-change:``neptune``: [``botocore``] Update neptune client to latest version - from version 1.11.15 * api-change:``ec2``: [``botocore``] Update ec2 client to latest version * api-change:``cognito-idp``: [``botocore``] Update cognito-idp client to latest version * api-change:``cloudformation``: [``botocore``] Update cloudformation client to latest version - from version 1.11.14 * api-change:``docdb``: [``botocore``] Update docdb client to latest version * api-change:``kms``: [``botocore``] Update kms client to latest version - from version 1.11.13 * api-change:``robomaker``: [``botocore``] Update robomaker client to latest version * api-change:``imagebuilder``: [``botocore``] Update imagebuilder client to latest version * api-change:``rds``: [``botocore``] Update rds client to latest version - from version 1.11.12 * api-change:``ebs``: [``botocore``] Update ebs client to latest version * api-change:``appsync``: [``botocore``] Update appsync client to latest version * api-change:``lex-models``: [``botocore``] Update lex-models client to latest version * api-change:``ecr``: [``botocore``] Update ecr client to latest version * api-change:``ec2``: [``botocore``] Update ec2 client to latest version * api-change:``codebuild``: [``botocore``] Update codebuild client to latest version - from version 1.11.11 * api-change:``groundstation``: [``botocore``] Update groundstation client to latest version * api-change:``mediaconvert``: [``botocore``] Update mediaconvert client to latest version * api-change:``dlm``: [``botocore``] Update dlm client to latest version * api-change:``ec2``: [``botocore``] Update ec2 client to latest version * api-change:``forecastquery``: [``botocore``] Update forecastquery client to latest version * api-change:``securityhub``: [``botocore``] Update securityhub client to latest version * api-change:``resourcegroupstaggingapi``: [``botocore``] Update resourcegroupstaggingapi client to latest version - from version 1.11.10 * api-change:``workmail``: [``botocore``] Update workmail client to latest version * api-change:``iot``: [``botocore``] Update iot client to latest version * api-change:``cloudfront``: [``botocore``] Update cloudfront client to latest version * api-change:``storagegateway``: [``botocore``] Update storagegateway client to latest version * api-change:``ssm``: [``botocore``] Update ssm client to latest version * api-change:``kafka``: [``botocore``] Update kafka client to latest version * api-change:``ec2``: [``botocore``] Update ec2 client to latest version - Version update to 1.11.9 * api-change:``ecs``: [``botocore``] Update ecs client to latest version * api-change:``opsworkscm``: [``botocore``] Update opsworkscm client to latest version * api-change:``workspaces``: [``botocore``] Update workspaces client to latest version * api-change:``datasync``: [``botocore``] Update datasync client to latest version * api-change:``eks``: [``botocore``] Update eks client to latest version - from version 1.11.8 * api-change:``rds``: [``botocore``] Update rds client to latest version * api-change:``iam``: [``botocore``] Update iam client to latest version - from version 1.11.7 * api-change:``ec2``: [``botocore``] Update ec2 client to latest version * api-change:``codepipeline``: [``botocore``] Update codepipeline client to latest version * api-change:``discovery``: [``botocore``] Update discovery client to latest version * api-change:``iotevents``: [``botocore``] Update iotevents client to latest version * api-change:``marketplacecommerceanalytics``: [``botocore``] Update marketplacecommerceanalytics client to latest version - from version 1.11.6 * api-change:``lambda``: [``botocore``] Update lambda client to latest version * api-change:``application-insights``: [``botocore``] Update application-insights client to latest version * api-change:``ec2``: [``botocore``] Update ec2 client to latest version * api-change:``cloudwatch``: [``botocore``] Update cloudwatch client to latest version * api-change:``kms``: [``botocore``] Update kms client to latest version * api-change:``alexaforbusiness``: [``botocore``] Update alexaforbusiness client to latest version - from version 1.11.5 * api-change:``mediaconvert``: [``botocore``] Update mediaconvert client to latest version * api-change:``neptune``: [``botocore``] Update neptune client to latest version * api-change:``cloudhsmv2``: [``botocore``] Update cloudhsmv2 client to latest version * api-change:``redshift``: [``botocore``] Update redshift client to latest version * api-change:``batch``: [``botocore``] Update batch client to latest version * api-change:``ecs``: [``botocore``] Update ecs client to latest version - from version 1.11.4 * api-change:``ec2``: [``botocore``] Update ec2 client to latest version * api-change:``sagemaker``: [``botocore``] Update sagemaker client to latest version * api-change:``ds``: [``botocore``] Update ds client to latest version - from version 1.11.3 * api-change:``securityhub``: [``botocore``] Update securityhub client to latest version * api-change:``ssm``: [``botocore``] Update ssm client to latest version * api-change:``ec2``: [``botocore``] Update ec2 client to latest version * api-change:``organizations``: [``botocore``] Update organizations client to latest version - from version 1.11.2 * api-change:``ec2``: [``botocore``] Update ec2 client to latest version - from version 1.11.1 * api-change:``efs``: [``botocore``] Update efs client to latest version * api-change:``ec2``: [``botocore``] Update ec2 client to latest version * api-change:``backup``: [``botocore``] Update backup client to latest version - from version 1.11.0 * api-change:``sagemaker``: [``botocore``] Update sagemaker client to latest version * feature:Python: Dropped support for Python 2.6 and 3.3. * api-change:``chime``: [``botocore``] Update chime client to latest version * api-change:``transfer``: [``botocore``] Update transfer client to latest version * api-change:``ec2``: [``botocore``] Update ec2 client to latest version * feature:Python: [``botocore``] Dropped support for Python 2.6 and 3.3. * api-change:``workspaces``: [``botocore``] Update workspaces client to latest version * api-change:``rds``: [``botocore``] Update rds client to latest version - from version 1.10.50 * api-change:``logs``: [``botocore``] Update logs client to latest version - from version 1.10.49 * api-change:``fms``: [``botocore``] Update fms client to latest version * api-change:``translate``: [``botocore``] Update translate client to latest version * api-change:``ce``: [``botocore``] Update ce client to latest version - from version 1.10.48 * api-change:``codebuild``: [``botocore``] Update codebuild client to latest version * api-change:``mgh``: [``botocore``] Update mgh client to latest version * api-change:``xray``: [``botocore``] Update xray client to latest version - from version 1.10.47 * api-change:``comprehend``: [``botocore``] Update comprehend client to latest version * api-change:``mediapackage``: [``botocore``] Update mediapackage client to latest version * api-change:``ec2``: [``botocore``] Update ec2 client to latest version - from version 1.10.46 * api-change:``lex-models``: [``botocore``] Update lex-models client to latest version * api-change:``ecr``: [``botocore``] Update ecr client to latest version * api-change:``lightsail``: [``botocore``] Update lightsail client to latest version * api-change:``ce``: [``botocore``] Update ce client to latest version - from version 1.10.45 * api-change:``fsx``: [``botocore``] Update fsx client to latest version * api-change:``health``: [``botocore``] Update health client to latest version * api-change:``detective``: [``botocore``] Update detective client to latest version - from version 1.10.44 * api-change:``transcribe``: [``botocore``] Update transcribe client to latest version * api-change:``eks``: [``botocore``] Update eks client to latest version * api-change:``ec2``: [``botocore``] Update ec2 client to latest version * api-change:``rds``: [``botocore``] Update rds client to latest version * api-change:``ssm``: [``botocore``] Update ssm client to latest version * api-change:``redshift``: [``botocore``] Update redshift client to latest version * api-change:``pinpoint``: [``botocore``] Update pinpoint client to latest version * api-change:``securityhub``: [``botocore``] Update securityhub client to latest version * api-change:``devicefarm``: [``botocore``] Update devicefarm client to latest version - from version 1.10.43 * api-change:``transcribe``: [``botocore``] Update transcribe client to latest version * api-change:``dlm``: [``botocore``] Update dlm client to latest version * api-change:``lex-models``: [``botocore``] Update lex-models client to latest version * api-change:``personalize-runtime``: [``botocore``] Update personalize-runtime client to latest version * api-change:``ssm``: [``botocore``] Update ssm client to latest version * api-change:``codestar-connections``: [``botocore``] Update codestar-connections client to latest version * api-change:``gamelift``: [``botocore``] Update gamelift client to latest version * api-change:``ec2``: [``botocore``] Update ec2 client to latest version - from version 1.10.42 * api-change:``ec2``: [``botocore``] Update ec2 client to latest version * api-change:``s3``: [``botocore``] Update s3 client to latest version * api-change:``resourcegroupstaggingapi``: [``botocore``] Update resourcegroupstaggingapi client to latest version * api-change:``cloudfront``: [``botocore``] Update cloudfront client to latest version * api-change:``opsworkscm``: [``botocore``] Update opsworkscm client to latest version - from version 1.10.41 * api-change:``kinesisanalyticsv2``: [``botocore``] Update kinesisanalyticsv2 client to latest version * api-change:``ssm``: [``botocore``] Update ssm client to latest version * api-change:``medialive``: [``botocore``] Update medialive client to latest version * api-change:``iot``: [``botocore``] Update iot client to latest version * api-change:``ecs``: [``botocore``] Update ecs client to latest version * api-change:``ec2``: [``botocore``] Update ec2 client to latest version - from version 1.10.40 * api-change:``mq``: [``botocore``] Update mq client to latest version * api-change:``comprehendmedical``: [``botocore``] Update comprehendmedical client to latest version * api-change:``ec2``: [``botocore``] Update ec2 client to latest version - from version 1.10.39 * api-change:``codebuild``: [``botocore``] Update codebuild client to latest version * api-change:``detective``: [``botocore``] Update detective client to latest version * api-change:``sesv2``: [``botocore``] Update sesv2 client to latest version - from version 1.10.38 * api-change:``accessanalyzer``: [``botocore``] Update accessanalyzer client to latest version - from version 1.10.37 * api-change:``ec2``: [``botocore``] Update ec2 client to latest version - from version 1.10.36 * api-change:``kendra``: [``botocore``] Update kendra client to latest version - from version 1.10.35 * bugfix:s3: [``botocore``] Add stricter validation to s3 control account id parameter. * api-change:``quicksight``: [``botocore``] Update quicksight client to latest version * api-change:``kms``: [``botocore``] Update kms client to latest version * api-change:``ssm``: [``botocore``] Update ssm client to latest version * api-change:``kafka``: [``botocore``] Update kafka client to latest version - from version 1.10.34 * bugfix:s3: [``botocore``] Fixed an issue where the request path was set incorrectly if access point name was present in key path. - Version update to 1.10.33 * api-change:``kinesisvideo``: [``botocore``] Update kinesisvideo client to latest version * api-change:``kinesis-video-signaling``: [``botocore``] Update kinesis-video-signaling client to latest version * api-change:``apigatewayv2``: [``botocore``] Update apigatewayv2 client to latest version - from version 1.10.32 * api-change:``ebs``: [``botocore``] Update ebs client to latest version * api-change:``stepfunctions``: [``botocore``] Update stepfunctions client to latest version * api-change:``application-autoscaling``: [``botocore``] Update application-autoscaling client to latest version * api-change:``lambda``: [``botocore``] Update lambda client to latest version * api-change:``rekognition``: [``botocore``] Update rekognition client to latest version * api-change:``rds``: [``botocore``] Update rds client to latest version * api-change:``sagemaker``: [``botocore``] Update sagemaker client to latest version - from version 1.10.31 * api-change:``textract``: [``botocore``] Update textract client to latest version * api-change:``s3control``: [``botocore``] Update s3control client to latest version * api-change:``ecs``: [``botocore``] Update ecs client to latest version * api-change:``s3``: [``botocore``] Update s3 client to latest version * api-change:``outposts``: [``botocore``] Update outposts client to latest version * api-change:``kendra``: [``botocore``] Update kendra client to latest version * api-change:``eks``: [``botocore``] Update eks client to latest version * api-change:``networkmanager``: [``botocore``] Update networkmanager client to latest version * api-change:``compute-optimizer``: [``botocore``] Update compute-optimizer client to latest version * api-change:``ec2``: [``botocore``] Update ec2 client to latest version * api-change:``frauddetector``: [``botocore``] Update frauddetector client to latest version * api-change:``sagemaker-a2i-runtime``: [``botocore``] Update sagemaker-a2i-runtime client to latest version * api-change:``codeguru-reviewer``: [``botocore``] Update codeguru-reviewer client to latest version * api-change:``codeguruprofiler``: [``botocore``] Update codeguruprofiler client to latest version * api-change:``es``: [``botocore``] Update es client to latest version - from version 1.10.30 * api-change:``accessanalyzer``: [``botocore``] Update accessanalyzer client to latest version - from version 1.10.29 * api-change:``ec2``: [``botocore``] Update ec2 client to latest version * api-change:``license-manager``: [``botocore``] Update license-manager client to latest version * api-change:``imagebuilder``: [``botocore``] Update imagebuilder client to latest version * api-change:``schemas``: [``botocore``] Update schemas client to latest version - from version 1.10.28 * api-change:``rds-data``: [``botocore``] Update rds-data client to latest version * api-change:``ds``: [``botocore``] Update ds client to latest version * api-change:``workspaces``: [``botocore``] Update workspaces client to latest version * api-change:``resourcegroupstaggingapi``: [``botocore``] Update resourcegroupstaggingapi client to latest version * api-change:``cognito-idp``: [``botocore``] Update cognito-idp client to latest version * api-change:``dynamodb``: [``botocore``] Update dynamodb client to latest version * api-change:``elastic-inference``: [``botocore``] Update elastic-inference client to latest version * api-change:``organizations``: [``botocore``] Update organizations client to latest version * api-change:``mediatailor``: [``botocore``] Update mediatailor client to latest version * api-change:``quicksight``: [``botocore``] Update quicksight client to latest version * api-change:``serverlessrepo``: [``botocore``] Update serverlessrepo client to latest version - from version 1.10.27 * api-change:``cognito-idp``: [``botocore``] Update cognito-idp client to latest version * api-change:``redshift``: [``botocore``] Update redshift client to latest version * api-change:``elbv2``: [``botocore``] Update elbv2 client to latest version * api-change:``wafv2``: [``botocore``] Update wafv2 client to latest version * api-change:``dlm``: [``botocore``] Update dlm client to latest version * api-change:``iot``: [``botocore``] Update iot client to latest version * api-change:``lex-runtime``: [``botocore``] Update lex-runtime client to latest version * api-change:``ec2``: [``botocore``] Update ec2 client to latest version * api-change:``athena``: [``botocore``] Update athena client to latest version * api-change:``iotsecuretunneling``: [``botocore``] Update iotsecuretunneling client to latest version * api-change:``ssm``: [``botocore``] Update ssm client to latest version * api-change:``application-insights``: [``botocore``] Update application-insights client to latest version * api-change:``mediapackage-vod``: [``botocore``] Update mediapackage-vod client to latest version * api-change:``appconfig``: [``botocore``] Update appconfig client to latest version * api-change:``mediaconvert``: [``botocore``] Update mediaconvert client to latest version * api-change:``kinesisanalyticsv2``: [``botocore``] Update kinesisanalyticsv2 client to latest version * api-change:``medialive``: [``botocore``] Update medialive client to latest version * api-change:``lambda``: [``botocore``] Update lambda client to latest version * api-change:``cloudwatch``: [``botocore``] Update cloudwatch client to latest version * api-change:``sesv2``: [``botocore``] Update sesv2 client to latest version * api-change:``application-autoscaling``: [``botocore``] Update application-autoscaling client to latest version * api-change:``greengrass``: [``botocore``] Update greengrass client to latest version * api-change:``alexaforbusiness``: [``botocore``] Update alexaforbusiness client to latest version * api-change:``rds``: [``botocore``] Update rds client to latest version * api-change:``ce``: [``botocore``] Update ce client to latest version * api-change:``ram``: [``botocore``] Update ram client to latest version * api-change:``codebuild``: [``botocore``] Update codebuild client to latest version * api-change:``comprehend``: [``botocore``] Update comprehend client to latest version * api-change:``kms``: [``botocore``] Update kms client to latest version - from version 1.10.26 * api-change:``acm``: [``botocore``] Update acm client to latest version * api-change:``autoscaling-plans``: [``botocore``] Update autoscaling-plans client to latest version * api-change:``codebuild``: [``botocore``] Update codebuild client to latest version * api-change:``mediapackage-vod``: [``botocore``] Update mediapackage-vod client to latest version * api-change:``emr``: [``botocore``] Update emr client to latest version * api-change:``sns``: [``botocore``] Update sns client to latest version * api-change:``ssm``: [``botocore``] Update ssm client to latest version * api-change:``application-autoscaling``: [``botocore``] Update application-autoscaling client to latest version * api-change:``sts``: [``botocore``] Update sts client to latest version * api-change:``forecast``: [``botocore``] Update forecast client to latest version * api-change:``ec2``: [``botocore``] Update ec2 client to latest version * api-change:``rekognition``: [``botocore``] Update rekognition client to latest version - from version 1.10.25 * bugfix:IMDS metadata: [``botocore``] Add 405 case to metadata fetching logic. - from version 1.10.24 * api-change:``glue``: [``botocore``] Update glue client to latest version * api-change:``transcribe``: [``botocore``] Update transcribe client to latest version * api-change:``connectparticipant``: [``botocore``] Update connectparticipant client to latest version * api-change:``dynamodb``: [``botocore``] Update dynamodb client to latest version * api-change:``lex-runtime``: [``botocore``] Update lex-runtime client to latest version * api-change:``connect``: [``botocore``] Update connect client to latest version * api-change:``ec2``: [``botocore``] Update ec2 client to latest version * api-change:``meteringmarketplace``: [``botocore``] Update meteringmarketplace client to latest version * api-change:``config``: [``botocore``] Update config client to latest version * api-change:``lex-models``: [``botocore``] Update lex-models client to latest version * api-change:``ssm``: [``botocore``] Update ssm client to latest version * api-change:``amplify``: [``botocore``] Update amplify client to latest version * api-change:``appsync``: [``botocore``] Update appsync client to latest version - from version 1.10.23 * api-change:``datasync``: [``botocore``] Update datasync client to latest version * api-change:``dlm``: [``botocore``] Update dlm client to latest version * api-change:``mediastore``: [``botocore``] Update mediastore client to latest version * api-change:``cloudtrail``: [``botocore``] Update cloudtrail client to latest version * api-change:``mgh``: [``botocore``] Update mgh client to latest version * api-change:``storagegateway``: [``botocore``] Update storagegateway client to latest version * api-change:``ec2``: [``botocore``] Update ec2 client to latest version * api-change:``codecommit``: [``botocore``] Update codecommit client to latest version * api-change:``s3``: [``botocore``] Update s3 client to latest version * api-change:``fsx``: [``botocore``] Update fsx client to latest version * api-change:``migrationhub-config``: [``botocore``] Update migrationhub-config client to latest version * api-change:``firehose``: [``botocore``] Update firehose client to latest version * api-change:``transcribe``: [``botocore``] Update transcribe client to latest version * api-change:``ecs``: [``botocore``] Update ecs client to latest version * api-change:``discovery``: [``botocore``] Update discovery client to latest version * api-change:``chime``: [``botocore``] Update chime client to latest version * api-change:``quicksight``: [``botocore``] Update quicksight client to latest version - from version 1.10.22 * bugfix:IMDS: [``botocore``] Fix regression in IMDS credential resolution. Fixes `#1892 `__. - from version 1.10.21 * api-change:``ec2``: [``botocore``] Update ec2 client to latest version * api-change:``cloudformation``: [``botocore``] Update cloudformation client to latest version * api-change:``elbv2``: [``botocore``] Update elbv2 client to latest version * api-change:``lambda``: [``botocore``] Update lambda client to latest version * api-change:``config``: [``botocore``] Update config client to latest version * api-change:``iam``: [``botocore``] Update iam client to latest version * api-change:``codebuild``: [``botocore``] Update codebuild client to latest version * api-change:``iot``: [``botocore``] Update iot client to latest version * api-change:``autoscaling``: [``botocore``] Update autoscaling client to latest version - from version 1.10.20 * api-change:``cloudformation``: [``botocore``] Update cloudformation client to latest version * api-change:``s3``: [``botocore``] Update s3 client to latest version * api-change:``rds``: [``botocore``] Update rds client to latest version * api-change:``pinpoint``: [``botocore``] Update pinpoint client to latest version * api-change:``sagemaker``: [``botocore``] Update sagemaker client to latest version * api-change:``sagemaker-runtime``: [``botocore``] Update sagemaker-runtime client to latest version * api-change:``ce``: [``botocore``] Update ce client to latest version * api-change:``ssm``: [``botocore``] Update ssm client to latest version - from version 1.10.19 * api-change:``cognito-idp``: [``botocore``] Update cognito-idp client to latest version * api-change:``elbv2``: [``botocore``] Update elbv2 client to latest version * api-change:``workspaces``: [``botocore``] Update workspaces client to latest version * api-change:``ssm``: [``botocore``] Update ssm client to latest version * api-change:``logs``: [``botocore``] Update logs client to latest version * api-change:``guardduty``: [``botocore``] Update guardduty client to latest version * api-change:``emr``: [``botocore``] Update emr client to latest version * api-change:``ec2``: [``botocore``] Update ec2 client to latest version * api-change:``mediaconvert``: [``botocore``] Update mediaconvert client to latest version * api-change:``eks``: [``botocore``] Update eks client to latest version * api-change:``chime``: [``botocore``] Update chime client to latest version - from version 1.10.18 * api-change:``meteringmarketplace``: [``botocore``] Update meteringmarketplace client to latest version * api-change:``cognito-idp``: [``botocore``] Update cognito-idp client to latest version * api-change:``connect``: [``botocore``] Update connect client to latest version * api-change:``ssm``: [``botocore``] Update ssm client to latest version * api-change:``personalize``: [``botocore``] Update personalize client to latest version - Update BuildRequires and Requires in spec file from setup.py - Version update to 1.10.17 * api-change:``sesv2``: [``botocore``] Update sesv2 client to latest version * api-change:``dataexchange``: [``botocore``] Update dataexchange client to latest version * api-change:``iot``: [``botocore``] Update iot client to latest version * api-change:``cloudsearch``: [``botocore``] Update cloudsearch client to latest version * api-change:``dlm``: [``botocore``] Update dlm client to latest version - from version 1.10.16 * api-change:``transcribe``: [``botocore``] Update transcribe client to latest version * api-change:``marketplace-catalog``: [``botocore``] Update marketplace-catalog client to latest version * api-change:``dynamodb``: [``botocore``] Update dynamodb client to latest version * api-change:``codepipeline``: [``botocore``] Update codepipeline client to latest version * api-change:``elbv2``: [``botocore``] Update elbv2 client to latest version - from version 1.10.15 * api-change:``ce``: [``botocore``] Update ce client to latest version * api-change:``cloudformation``: [``botocore``] Update cloudformation client to latest version - from version 1.10.14 * api-change:``cognito-identity``: [``botocore``] Update cognito-identity client to latest version * api-change:``ecr``: [``botocore``] Update ecr client to latest version - from version 1.10.13 * api-change:``ssm``: [``botocore``] Update ssm client to latest version * api-change:``sso``: [``botocore``] Update sso client to latest version * api-change:``sso-oidc``: [``botocore``] Update sso-oidc client to latest version * api-change:``comprehend``: [``botocore``] Update comprehend client to latest version - from version 1.10.12 * api-change:``savingsplans``: [``botocore``] Update savingsplans client to latest version - from version 1.10.11 * api-change:``codebuild``: [``botocore``] Update codebuild client to latest version * api-change:``budgets``: [``botocore``] Update budgets client to latest version * api-change:``efs``: [``botocore``] Update efs client to latest version * api-change:``ce``: [``botocore``] Update ce client to latest version * api-change:``savingsplans``: [``botocore``] Update savingsplans client to latest version * api-change:``signer``: [``botocore``] Update signer client to latest version - from version 1.10.10 * api-change:``rds``: [``botocore``] Update rds client to latest version * api-change:``codestar-notifications``: [``botocore``] Update codestar-notifications client to latest version - from version 1.10.9 * api-change:``dax``: [``botocore``] Update dax client to latest version * api-change:``ec2``: [``botocore``] Update ec2 client to latest version * api-change:``robomaker``: [``botocore``] Update robomaker client to latest version - from version 1.10.8 * api-change:``pinpoint``: [``botocore``] Update pinpoint client to latest version * api-change:``cloudtrail``: [``botocore``] Update cloudtrail client to latest version * api-change:``dms``: [``botocore``] Update dms client to latest version - from version 1.10.7 * api-change:``support``: [``botocore``] Update support client to latest version * api-change:``amplify``: [``botocore``] Update amplify client to latest version * api-change:``s3``: [``botocore``] Update s3 client to latest version - from version 1.10.6 * api-change:``elasticache``: [``botocore``] Update elasticache client to latest version - from version 1.10.5 * api-change:``cloud9``: [``botocore``] Update cloud9 client to latest version * api-change:``appstream``: [``botocore``] Update appstream client to latest version - from version 1.10.4 * api-change:``s3``: [``botocore``] Update s3 client to latest version - from version 1.10.3 * api-change:``elasticache``: [``botocore``] Update elasticache client to latest version * api-change:``transfer``: [``botocore``] Update transfer client to latest version * api-change:``ecr``: [``botocore``] Update ecr client to latest version - from version 1.10.2 * api-change:``sagemaker``: [``botocore``] Update sagemaker client to latest version * api-change:``gamelift``: [``botocore``] Update gamelift client to latest version * enhancement:``sts``: [``botocore``] Add support for configuring the use of regional STS endpoints. * api-change:``chime``: [``botocore``] Update chime client to latest version * api-change:``appmesh``: [``botocore``] Update appmesh client to latest version * api-change:``ec2``: [``botocore``] Update ec2 client to latest version - from version 1.10.1 * api-change:``polly``: [``botocore``] Update polly client to latest version * api-change:``connect``: [``botocore``] Update connect client to latest version - from version 1.10.0 * api-change:``opsworkscm``: [``botocore``] Update opsworkscm client to latest version * api-change:``iotevents``: [``botocore``] Update iotevents client to latest version * feature:``botocore.vendored.requests``: [``botocore``] Removed vendored version of ``requests`` (`#1829 `__) - from version 1.9.253 * api-change:``cloudwatch``: [``botocore``] Update cloudwatch client to latest version - from version 1.9.252 * api-change:``batch``: [``botocore``] Update batch client to latest version * api-change:``rds``: [``botocore``] Update rds client to latest version - from version 1.9.251 * api-change:``kafka``: [``botocore``] Update kafka client to latest version * api-change:``marketplacecommerceanalytics``: [``botocore``] Update marketplacecommerceanalytics client to latest version * api-change:``robomaker``: [``botocore``] Update robomaker client to latest version - from version 1.9.250 * api-change:``kinesis-video-archived-media``: [``botocore``] Update kinesis-video-archived-media client to latest version - from version 1.9.249 * api-change:``personalize``: [``botocore``] Update personalize client to latest version * api-change:``workspaces``: [``botocore``] Update workspaces client to latest version - Update BuildRequires and Requires in spec file from setup.py - Version update to 1.9.248 * api-change:``greengrass``: [``botocore``] Update greengrass client to latest version - from version 1.9.247 * api-change:``ec2``: [``botocore``] Update ec2 client to latest version * api-change:``lex-runtime``: [``botocore``] Update lex-runtime client to latest version * api-change:``fms``: [``botocore``] Update fms client to latest version * api-change:``iotanalytics``: [``botocore``] Update iotanalytics client to latest version - from version 1.9.246 * api-change:``kafka``: [``botocore``] Update kafka client to latest version * api-change:``elasticache``: [``botocore``] Update elasticache client to latest version * api-change:``mediaconvert``: [``botocore``] Update mediaconvert client to latest version - from version 1.9.245 * api-change:``organizations``: [``botocore``] Update organizations client to latest version * api-change:``events``: [``botocore``] Update events client to latest version * api-change:``firehose``: [``botocore``] Update firehose client to latest version * api-change:``datasync``: [``botocore``] Update datasync client to latest version - from version 1.9.244 * api-change:``snowball``: [``botocore``] Update snowball client to latest version * api-change:``directconnect``: [``botocore``] Update directconnect client to latest version * api-change:``firehose``: [``botocore``] Update firehose client to latest version * api-change:``pinpoint``: [``botocore``] Update pinpoint client to latest version * api-change:``glue``: [``botocore``] Update glue client to latest version * api-change:``pinpoint-email``: [``botocore``] Update pinpoint-email client to latest version - from version 1.9.243 * api-change:``cognito-idp``: [``botocore``] Update cognito-idp client to latest version * api-change:``mediapackage``: [``botocore``] Update mediapackage client to latest version * api-change:``ssm``: [``botocore``] Update ssm client to latest version - from version 1.9.242 * api-change:``es``: [``botocore``] Update es client to latest version * api-change:``ec2``: [``botocore``] Update ec2 client to latest version * api-change:``application-autoscaling``: [``botocore``] Update application-autoscaling client to latest version * api-change:``devicefarm``: [``botocore``] Update devicefarm client to latest version - from version 1.9.241 * api-change:``lightsail``: [``botocore``] Update lightsail client to latest version - from version 1.9.240 * api-change:``docdb``: [``botocore``] Update docdb client to latest version - from version 1.9.239 * api-change:``waf``: [``botocore``] Update waf client to latest version * api-change:``rds``: [``botocore``] Update rds client to latest version * api-change:``mq``: [``botocore``] Update mq client to latest version - from version 1.9.238 * api-change:``amplify``: [``botocore``] Update amplify client to latest version * api-change:``ecs``: [``botocore``] Update ecs client to latest version - from version 1.9.237 * api-change:``ssm``: [``botocore``] Update ssm client to latest version * api-change:``codepipeline``: [``botocore``] Update codepipeline client to latest version - from version 1.9.236 * api-change:``globalaccelerator``: [``botocore``] Update globalaccelerator client to latest version * api-change:``dms``: [``botocore``] Update dms client to latest version * api-change:``sagemaker``: [``botocore``] Update sagemaker client to latest version - from version 1.9.235 * api-change:``transcribe``: [``botocore``] Update transcribe client to latest version * api-change:``comprehendmedical``: [``botocore``] Update comprehendmedical client to latest version * api-change:``datasync``: [``botocore``] Update datasync client to latest version - from version 1.9.234 * api-change:``rds-data``: [``botocore``] Update rds-data client to latest version * api-change:``redshift``: [``botocore``] Update redshift client to latest version - from version 1.9.233 * api-change:``workspaces``: [``botocore``] Update workspaces client to latest version * api-change:``ec2``: [``botocore``] Update ec2 client to latest version * api-change:``greengrass``: [``botocore``] Update greengrass client to latest version * api-change:``rds``: [``botocore``] Update rds client to latest version - from version 1.9.232 * api-change:``mediaconnect``: [``botocore``] Update mediaconnect client to latest version * api-change:``glue``: [``botocore``] Update glue client to latest version * api-change:``ecs``: [``botocore``] Update ecs client to latest version - from version 1.9.231 * api-change:``ram``: [``botocore``] Update ram client to latest version * api-change:``waf-regional``: [``botocore``] Update waf-regional client to latest version * api-change:``apigateway``: [``botocore``] Update apigateway client to latest version - from version 1.9.230 * api-change:``iam``: [``botocore``] Update iam client to latest version * api-change:``athena``: [``botocore``] Update athena client to latest version * api-change:``personalize``: [``botocore``] Update personalize client to latest version - from version 1.9.229 * api-change:``eks``: [``botocore``] Update eks client to latest version * api-change:``mediaconvert``: [``botocore``] Update mediaconvert client to latest version - from version 1.9.228 * api-change:``elbv2``: [``botocore``] Update elbv2 client to latest version * api-change:``ec2``: [``botocore``] Update ec2 client to latest version * api-change:``workmailmessageflow``: [``botocore``] Update workmailmessageflow client to latest version * api-change:``medialive``: [``botocore``] Update medialive client to latest version - from version 1.9.227 * api-change:``stepfunctions``: [``botocore``] Update stepfunctions client to latest version * api-change:``rds``: [``botocore``] Update rds client to latest version * api-change:``ec2``: [``botocore``] Update ec2 client to latest version * api-change:``mediaconnect``: [``botocore``] Update mediaconnect client to latest version * api-change:``ses``: [``botocore``] Update ses client to latest version * api-change:``config``: [``botocore``] Update config client to latest version - from version 1.9.226 * api-change:``storagegateway``: [``botocore``] Update storagegateway client to latest version - from version 1.9.225 * api-change:``qldb``: [``botocore``] Update qldb client to latest version * api-change:``marketplacecommerceanalytics``: [``botocore``] Update marketplacecommerceanalytics client to latest version * api-change:``appstream``: [``botocore``] Update appstream client to latest version * api-change:``ec2``: [``botocore``] Update ec2 client to latest version * api-change:``robomaker``: [``botocore``] Update robomaker client to latest version * api-change:``appmesh``: [``botocore``] Update appmesh client to latest version * api-change:``qldb-session``: [``botocore``] Update qldb-session client to latest version - from version 1.9.224 * api-change:``kinesisanalytics``: [``botocore``] Update kinesisanalytics client to latest version - from version 1.9.223 * api-change:``config``: [``botocore``] Update config client to latest version - from version 1.9.222 * api-change:``stepfunctions``: [``botocore``] Update stepfunctions client to latest version * api-change:``transcribe``: [``botocore``] Update transcribe client to latest version * api-change:``eks``: [``botocore``] Update eks client to latest version - from version 1.9.221 * api-change:``ecs``: [``botocore``] Update ecs client to latest version * api-change:``resourcegroupstaggingapi``: [``botocore``] Update resourcegroupstaggingapi client to latest version * api-change:``gamelift``: [``botocore``] Update gamelift client to latest version - from version 1.9.220 * api-change:``mq``: [``botocore``] Update mq client to latest version * api-change:``apigatewaymanagementapi``: [``botocore``] Update apigatewaymanagementapi client to latest version * api-change:``ecs``: [``botocore``] Update ecs client to latest version - from version 1.9.219 * api-change:``codepipeline``: [``botocore``] Update codepipeline client to latest version * api-change:``application-autoscaling``: [``botocore``] Update application-autoscaling client to latest version * api-change:``elasticache``: [``botocore``] Update elasticache client to latest version * api-change:``lambda``: [``botocore``] Update lambda client to latest version * api-change:``ecs``: [``botocore``] Update ecs client to latest version - from version 1.9.218 * api-change:``sqs``: [``botocore``] Update sqs client to latest version * api-change:``globalaccelerator``: [``botocore``] Update globalaccelerator client to latest version * api-change:``mediaconvert``: [``botocore``] Update mediaconvert client to latest version - from version 1.9.217 * api-change:``organizations``: [``botocore``] Update organizations client to latest version - from version 1.9.216 * api-change:``ssm``: [``botocore``] Update ssm client to latest version * api-change:``securityhub``: [``botocore``] Update securityhub client to latest version - from version 1.9.215 * api-change:``ec2``: [``botocore``] Update ec2 client to latest version * api-change:``mediapackage-vod``: [``botocore``] Update mediapackage-vod client to latest version * api-change:``transcribe``: [``botocore``] Update transcribe client to latest version - from version 1.9.214 * api-change:``datasync``: [``botocore``] Update datasync client to latest version * api-change:``rds``: [``botocore``] Update rds client to latest version python-botocore was updated to 1.15.38 (bsc#1166924, bsc#1168943) * api-change:``apigateway``: Update apigateway client to latest version * api-change:``codeguru-reviewer``: Update codeguru-reviewer client to latest version * api-change:``mediaconnect``: Update mediaconnect client to latest version - from version 1.15.37 * api-change:``transcribe``: Update transcribe client to latest version * api-change:``chime``: Update chime client to latest version * api-change:``iam``: Update iam client to latest version * api-change:``elasticbeanstalk``: Update elasticbeanstalk client to latest version - from version 1.15.36 * api-change:``personalize-runtime``: Update personalize-runtime client to latest version * api-change:``robomaker``: Update robomaker client to latest version - Version update to 1.15.35 * api-change:``medialive``: Update medialive client to latest version * api-change:``redshift``: Update redshift client to latest version * api-change:``gamelift``: Update gamelift client to latest version * api-change:``cloudwatch``: Update cloudwatch client to latest version * api-change:``rds``: Update rds client to latest version - from version 1.15.34 * api-change:``iot``: Update iot client to latest version * api-change:``mediaconnect``: Update mediaconnect client to latest version - from version 1.15.33 * api-change:``opsworkscm``: Update opsworkscm client to latest version * api-change:``wafv2``: Update wafv2 client to latest version * api-change:``glue``: Update glue client to latest version * api-change:``elastic-inference``: Update elastic-inference client to latest version * api-change:``lambda``: Update lambda client to latest version * api-change:``mediastore``: Update mediastore client to latest version * api-change:``pinpoint``: Update pinpoint client to latest version * api-change:``storagegateway``: Update storagegateway client to latest version * api-change:``rekognition``: Update rekognition client to latest version * api-change:``fms``: Update fms client to latest version * api-change:``organizations``: Update organizations client to latest version * api-change:``detective``: Update detective client to latest version * api-change:``appconfig``: Update appconfig client to latest version - from version 1.15.32 * api-change:``accessanalyzer``: Update accessanalyzer client to latest version - from version 1.15.31 * api-change:``globalaccelerator``: Update globalaccelerator client to latest version * api-change:``kendra``: Update kendra client to latest version * api-change:``servicecatalog``: Update servicecatalog client to latest version - from version 1.15.30 * api-change:``sagemaker``: Update sagemaker client to latest version * api-change:``fsx``: Update fsx client to latest version * api-change:``securityhub``: Update securityhub client to latest version - from version 1.15.29 * api-change:``managedblockchain``: Update managedblockchain client to latest version * api-change:``ce``: Update ce client to latest version * api-change:``application-insights``: Update application-insights client to latest version * api-change:``detective``: Update detective client to latest version * api-change:``es``: Update es client to latest version * api-change:``xray``: Update xray client to latest version - from version 1.15.28 * api-change:``athena``: Update athena client to latest version * api-change:``rds-data``: Update rds-data client to latest version * api-change:``eks``: Update eks client to latest version * api-change:``organizations``: Update organizations client to latest version - Version update to 1.15.27 * api-change:``apigatewayv2``: Update apigatewayv2 client to latest version * api-change:``eks``: Update eks client to latest version * api-change:``route53``: Update route53 client to latest version - from version 1.15.26 * api-change:``servicecatalog``: Update servicecatalog client to latest version - from version 1.15.25 * api-change:``outposts``: Update outposts client to latest version * api-change:``acm``: Update acm client to latest version - from version 1.15.24 * api-change:``rds``: Update rds client to latest version * api-change:``mediaconnect``: Update mediaconnect client to latest version * api-change:``personalize``: Update personalize client to latest version - from version 1.15.23 * api-change:``mediaconvert``: Update mediaconvert client to latest version - from version 1.15.22 * api-change:``s3control``: Update s3control client to latest version * bugfix:Stubber: fixes `#1884 `__ * api-change:``cognito-idp``: Update cognito-idp client to latest version * api-change:``ssm``: Update ssm client to latest version * api-change:``ecs``: Update ecs client to latest version * api-change:``elasticache``: Update elasticache client to latest version - from version 1.15.21 * api-change:``appconfig``: Update appconfig client to latest version - from version 1.15.20 * api-change:``lex-models``: Update lex-models client to latest version * api-change:``securityhub``: Update securityhub client to latest version * api-change:``ec2``: Update ec2 client to latest version * api-change:``apigatewayv2``: Update apigatewayv2 client to latest version * api-change:``iot``: Update iot client to latest version - from version 1.15.19 * api-change:``efs``: Update efs client to latest version * api-change:``redshift``: Update redshift client to latest version - from version 1.15.18 * api-change:``serverlessrepo``: Update serverlessrepo client to latest version * api-change:``iotevents``: Update iotevents client to latest version * api-change:``ec2``: Update ec2 client to latest version * enhancement:timezones: Improved timezone parsing for Windows with new fallback method (#1939) * api-change:``marketplacecommerceanalytics``: Update marketplacecommerceanalytics client to latest version - from version 1.15.17 * api-change:``ec2``: Update ec2 client to latest version * api-change:``medialive``: Update medialive client to latest version * api-change:``dms``: Update dms client to latest version - from version 1.15.16 * api-change:``signer``: Update signer client to latest version * api-change:``guardduty``: Update guardduty client to latest version * api-change:``appmesh``: Update appmesh client to latest version * api-change:``ec2``: Update ec2 client to latest version * api-change:``robomaker``: Update robomaker client to latest version - from version 1.15.15 * api-change:``eks``: Update eks client to latest version * api-change:``ec2``: Update ec2 client to latest version * api-change:``opsworkscm``: Update opsworkscm client to latest version * api-change:``guardduty``: Update guardduty client to latest version - from version 1.15.14 * api-change:``pinpoint``: Update pinpoint client to latest version - from version 1.15.13 * api-change:``ec2``: Update ec2 client to latest version - from version 1.15.12 * api-change:``cloudwatch``: Update cloudwatch client to latest version * api-change:``comprehendmedical``: Update comprehendmedical client to latest version - from version 1.15.11 * api-change:``config``: Update config client to latest version - from version 1.15.10 * api-change:``config``: Update config client to latest version * api-change:``glue``: Update glue client to latest version * api-change:``sagemaker-a2i-runtime``: Update sagemaker-a2i-runtime client to latest version * api-change:``appmesh``: Update appmesh client to latest version * api-change:``elbv2``: Update elbv2 client to latest version * api-change:``workdocs``: Update workdocs client to latest version * api-change:``quicksight``: Update quicksight client to latest version * api-change:``accessanalyzer``: Update accessanalyzer client to latest version * api-change:``codeguruprofiler``: Update codeguruprofiler client to latest version - from version 1.15.9 * api-change:``lightsail``: Update lightsail client to latest version * api-change:``globalaccelerator``: Update globalaccelerator client to latest version - from version 1.15.8 * api-change:``transcribe``: Update transcribe client to latest version * api-change:``ec2``: Update ec2 client to latest version * api-change:``sagemaker``: Update sagemaker client to latest version * api-change:``securityhub``: Update securityhub client to latest version - from version 1.15.7 * api-change:``stepfunctions``: Update stepfunctions client to latest version * api-change:``kafka``: Update kafka client to latest version * api-change:``secretsmanager``: Update secretsmanager client to latest version * api-change:``outposts``: Update outposts client to latest version - from version 1.15.6 * api-change:``iotevents``: Update iotevents client to latest version * api-change:``docdb``: Update docdb client to latest version * api-change:``snowball``: Update snowball client to latest version * api-change:``fsx``: Update fsx client to latest version * api-change:``events``: Update events client to latest version - from version 1.15.5 * api-change:``imagebuilder``: Update imagebuilder client to latest version * api-change:``wafv2``: Update wafv2 client to latest version * api-change:``redshift``: Update redshift client to latest version - from version 1.15.4 * api-change:``savingsplans``: Update savingsplans client to latest version * api-change:``appconfig``: Update appconfig client to latest version * api-change:``pinpoint``: Update pinpoint client to latest version - from version 1.15.3 * api-change:``autoscaling``: Update autoscaling client to latest version * api-change:``servicecatalog``: Update servicecatalog client to latest version * api-change:``lambda``: Update lambda client to latest version - from version 1.15.2 * api-change:``autoscaling``: Update autoscaling client to latest version * api-change:``chime``: Update chime client to latest version * api-change:``rds``: Update rds client to latest version - from version 1.15.1 * api-change:``cloud9``: Update cloud9 client to latest version * api-change:``ec2``: Update ec2 client to latest version * api-change:``dynamodb``: Update dynamodb client to latest version * api-change:``rekognition``: Update rekognition client to latest version - Version update to 1.15.0 * feature:retries: Add support for retry modes, including ``standard`` and ``adaptive`` modes (`#1972 `__) * api-change:``ec2``: Update ec2 client to latest version * api-change:``mediatailor``: Update mediatailor client to latest version * api-change:``securityhub``: Update securityhub client to latest version * api-change:``shield``: Update shield client to latest version - from version 1.14.17 * api-change:``mediapackage-vod``: Update mediapackage-vod client to latest version - from version 1.14.16 * api-change:``glue``: Update glue client to latest version * api-change:``chime``: Update chime client to latest version * api-change:``workmail``: Update workmail client to latest version * api-change:``ds``: Update ds client to latest version * api-change:``ec2``: Update ec2 client to latest version * api-change:``es``: Update es client to latest version * api-change:``neptune``: Update neptune client to latest version - from version 1.14.15 * api-change:``ec2``: Update ec2 client to latest version * api-change:``cognito-idp``: Update cognito-idp client to latest version * api-change:``cloudformation``: Update cloudformation client to latest version - from version 1.14.14 * api-change:``docdb``: Update docdb client to latest version * api-change:``kms``: Update kms client to latest version - from version 1.14.13 * api-change:``robomaker``: Update robomaker client to latest version * api-change:``imagebuilder``: Update imagebuilder client to latest version * api-change:``rds``: Update rds client to latest version - from version 1.14.12 * api-change:``ebs``: Update ebs client to latest version * api-change:``appsync``: Update appsync client to latest version * api-change:``lex-models``: Update lex-models client to latest version * api-change:``ecr``: Update ecr client to latest version * api-change:``ec2``: Update ec2 client to latest version * api-change:``codebuild``: Update codebuild client to latest version - from version 1.14.11 * api-change:``groundstation``: Update groundstation client to latest version * api-change:``mediaconvert``: Update mediaconvert client to latest version * api-change:``dlm``: Update dlm client to latest version * api-change:``ec2``: Update ec2 client to latest version * api-change:``forecastquery``: Update forecastquery client to latest version * api-change:``securityhub``: Update securityhub client to latest version * api-change:``resourcegroupstaggingapi``: Update resourcegroupstaggingapi client to latest version - from version 1.14.10 * api-change:``workmail``: Update workmail client to latest version * api-change:``iot``: Update iot client to latest version * api-change:``cloudfront``: Update cloudfront client to latest version * api-change:``storagegateway``: Update storagegateway client to latest version * api-change:``ssm``: Update ssm client to latest version * api-change:``kafka``: Update kafka client to latest version * api-change:``ec2``: Update ec2 client to latest version - Refresh patches for new version + hide_py_pckgmgmt.patch - Version update to 1.14.9 * api-change:``ecs``: Update ecs client to latest version * api-change:``opsworkscm``: Update opsworkscm client to latest version * api-change:``workspaces``: Update workspaces client to latest version * api-change:``datasync``: Update datasync client to latest version * api-change:``eks``: Update eks client to latest version - from version 1.14.8 * api-change:``rds``: Update rds client to latest version * api-change:``iam``: Update iam client to latest version - from version 1.14.7 * api-change:``ec2``: Update ec2 client to latest version * api-change:``codepipeline``: Update codepipeline client to latest version * api-change:``discovery``: Update discovery client to latest version * api-change:``iotevents``: Update iotevents client to latest version * api-change:``marketplacecommerceanalytics``: Update marketplacecommerceanalytics client to latest version - from version 1.14.6 * api-change:``lambda``: Update lambda client to latest version * api-change:``application-insights``: Update application-insights client to latest version * api-change:``ec2``: Update ec2 client to latest version * api-change:``cloudwatch``: Update cloudwatch client to latest version * api-change:``kms``: Update kms client to latest version * api-change:``alexaforbusiness``: Update alexaforbusiness client to latest version - from version 1.14.5 * api-change:``mediaconvert``: Update mediaconvert client to latest version * api-change:``neptune``: Update neptune client to latest version * api-change:``cloudhsmv2``: Update cloudhsmv2 client to latest version * api-change:``redshift``: Update redshift client to latest version * api-change:``batch``: Update batch client to latest version * api-change:``ecs``: Update ecs client to latest version - from version 1.14.4 * api-change:``ec2``: Update ec2 client to latest version * api-change:``sagemaker``: Update sagemaker client to latest version * api-change:``ds``: Update ds client to latest version - from version 1.14.3 * api-change:``securityhub``: Update securityhub client to latest version * api-change:``ssm``: Update ssm client to latest version * api-change:``ec2``: Update ec2 client to latest version * api-change:``organizations``: Update organizations client to latest version - from version 1.14.2 * api-change:``ec2``: Update ec2 client to latest version - from version 1.14.1 * api-change:``efs``: Update efs client to latest version * api-change:``ec2``: Update ec2 client to latest version * api-change:``backup``: Update backup client to latest version - from version 1.14.0 * api-change:``sagemaker``: Update sagemaker client to latest version * api-change:``chime``: Update chime client to latest version * api-change:``transfer``: Update transfer client to latest version * api-change:``ec2``: Update ec2 client to latest version * feature:Python: Dropped support for Python 2.6 and 3.3. * api-change:``workspaces``: Update workspaces client to latest version * api-change:``rds``: Update rds client to latest version - from version 1.13.50 * api-change:``logs``: Update logs client to latest version - from version 1.13.49 * api-change:``fms``: Update fms client to latest version * api-change:``translate``: Update translate client to latest version * api-change:``ce``: Update ce client to latest version - from version 1.13.48 * api-change:``codebuild``: Update codebuild client to latest version * api-change:``mgh``: Update mgh client to latest version * api-change:``xray``: Update xray client to latest version - from version 1.13.47 * api-change:``comprehend``: Update comprehend client to latest version * api-change:``mediapackage``: Update mediapackage client to latest version * api-change:``ec2``: Update ec2 client to latest version - from version 1.13.46 * api-change:``lex-models``: Update lex-models client to latest version * api-change:``ecr``: Update ecr client to latest version * api-change:``lightsail``: Update lightsail client to latest version * api-change:``ce``: Update ce client to latest version - from version 1.13.45 * api-change:``fsx``: Update fsx client to latest version * api-change:``health``: Update health client to latest version * api-change:``detective``: Update detective client to latest version - from version 1.13.44 * api-change:``transcribe``: Update transcribe client to latest version * api-change:``eks``: Update eks client to latest version * api-change:``ec2``: Update ec2 client to latest version * api-change:``rds``: Update rds client to latest version * api-change:``ssm``: Update ssm client to latest version * api-change:``redshift``: Update redshift client to latest version * api-change:``pinpoint``: Update pinpoint client to latest version * api-change:``securityhub``: Update securityhub client to latest version * api-change:``devicefarm``: Update devicefarm client to latest version - from version 1.13.43 * api-change:``transcribe``: Update transcribe client to latest version * api-change:``dlm``: Update dlm client to latest version * api-change:``lex-models``: Update lex-models client to latest version * api-change:``personalize-runtime``: Update personalize-runtime client to latest version * api-change:``ssm``: Update ssm client to latest version * api-change:``codestar-connections``: Update codestar-connections client to latest version * api-change:``gamelift``: Update gamelift client to latest version * api-change:``ec2``: Update ec2 client to latest version - from version 1.13.42 * api-change:``ec2``: Update ec2 client to latest version * api-change:``s3``: Update s3 client to latest version * api-change:``resourcegroupstaggingapi``: Update resourcegroupstaggingapi client to latest version * api-change:``cloudfront``: Update cloudfront client to latest version * enhancement:``s3``: Add support for opting into using the us-east-1 regional endpoint. * api-change:``opsworkscm``: Update opsworkscm client to latest version - from version 1.13.41 * api-change:``kinesisanalyticsv2``: Update kinesisanalyticsv2 client to latest version * api-change:``ssm``: Update ssm client to latest version * api-change:``medialive``: Update medialive client to latest version * api-change:``iot``: Update iot client to latest version * api-change:``ecs``: Update ecs client to latest version * api-change:``ec2``: Update ec2 client to latest version - from version 1.13.40 * api-change:``mq``: Update mq client to latest version * api-change:``comprehendmedical``: Update comprehendmedical client to latest version * api-change:``ec2``: Update ec2 client to latest version - from version 1.13.39 * api-change:``codebuild``: Update codebuild client to latest version * api-change:``detective``: Update detective client to latest version * api-change:``sesv2``: Update sesv2 client to latest version - from version 1.13.38 * api-change:``accessanalyzer``: Update accessanalyzer client to latest version - from version 1.13.37 * api-change:``ec2``: Update ec2 client to latest version - from version 1.13.36 * api-change:``kendra``: Update kendra client to latest version - from version 1.13.35 * bugfix:s3: Add stricter validation to s3 control account id parameter. * api-change:``quicksight``: Update quicksight client to latest version * api-change:``kms``: Update kms client to latest version * api-change:``ssm``: Update ssm client to latest version * api-change:``kafka``: Update kafka client to latest version - from version 1.13.34 * bugfix:s3: Fixed an issue where the request path was set incorrectly if access point name was present in key path. - Version update to 1.13.33 * api-change:``kinesisvideo``: Update kinesisvideo client to latest version * api-change:``kinesis-video-signaling``: Update kinesis-video-signaling client to latest version * api-change:``apigatewayv2``: Update apigatewayv2 client to latest version - from version 1.13.32 * api-change:``ebs``: Update ebs client to latest version * api-change:``stepfunctions``: Update stepfunctions client to latest version * api-change:``application-autoscaling``: Update application-autoscaling client to latest version * api-change:``lambda``: Update lambda client to latest version * api-change:``rekognition``: Update rekognition client to latest version * api-change:``rds``: Update rds client to latest version * api-change:``sagemaker``: Update sagemaker client to latest version - from version 1.13.31 * api-change:``textract``: Update textract client to latest version * api-change:``s3control``: Update s3control client to latest version * api-change:``ecs``: Update ecs client to latest version * api-change:``s3``: Update s3 client to latest version * api-change:``outposts``: Update outposts client to latest version * api-change:``kendra``: Update kendra client to latest version * api-change:``eks``: Update eks client to latest version * api-change:``networkmanager``: Update networkmanager client to latest version * api-change:``compute-optimizer``: Update compute-optimizer client to latest version * api-change:``ec2``: Update ec2 client to latest version * api-change:``frauddetector``: Update frauddetector client to latest version * api-change:``sagemaker-a2i-runtime``: Update sagemaker-a2i-runtime client to latest version * api-change:``codeguru-reviewer``: Update codeguru-reviewer client to latest version * api-change:``codeguruprofiler``: Update codeguruprofiler client to latest version * api-change:``es``: Update es client to latest version - from version 1.13.30 * api-change:``accessanalyzer``: Update accessanalyzer client to latest version - from version 1.13.29 * api-change:``ec2``: Update ec2 client to latest version * api-change:``license-manager``: Update license-manager client to latest version * api-change:``imagebuilder``: Update imagebuilder client to latest version * api-change:``schemas``: Update schemas client to latest version - from version 1.13.28 * api-change:``rds-data``: Update rds-data client to latest version * api-change:``ds``: Update ds client to latest version * api-change:``workspaces``: Update workspaces client to latest version * api-change:``resourcegroupstaggingapi``: Update resourcegroupstaggingapi client to latest version * api-change:``cognito-idp``: Update cognito-idp client to latest version * api-change:``dynamodb``: Update dynamodb client to latest version * api-change:``elastic-inference``: Update elastic-inference client to latest version * api-change:``organizations``: Update organizations client to latest version * api-change:``mediatailor``: Update mediatailor client to latest version * api-change:``quicksight``: Update quicksight client to latest version * api-change:``serverlessrepo``: Update serverlessrepo client to latest version - from version 1.13.27 * api-change:``cognito-idp``: Update cognito-idp client to latest version * api-change:``redshift``: Update redshift client to latest version * api-change:``elbv2``: Update elbv2 client to latest version * api-change:``wafv2``: Update wafv2 client to latest version * api-change:``dlm``: Update dlm client to latest version * api-change:``iot``: Update iot client to latest version * api-change:``lex-runtime``: Update lex-runtime client to latest version * api-change:``ec2``: Update ec2 client to latest version * api-change:``athena``: Update athena client to latest version * api-change:``iotsecuretunneling``: Update iotsecuretunneling client to latest version * api-change:``ssm``: Update ssm client to latest version * api-change:``application-insights``: Update application-insights client to latest version * api-change:``mediapackage-vod``: Update mediapackage-vod client to latest version * api-change:``appconfig``: Update appconfig client to latest version * api-change:``mediaconvert``: Update mediaconvert client to latest version * api-change:``kinesisanalyticsv2``: Update kinesisanalyticsv2 client to latest version * api-change:``medialive``: Update medialive client to latest version * api-change:``lambda``: Update lambda client to latest version * api-change:``cloudwatch``: Update cloudwatch client to latest version * api-change:``sesv2``: Update sesv2 client to latest version * api-change:``application-autoscaling``: Update application-autoscaling client to latest version * api-change:``greengrass``: Update greengrass client to latest version * api-change:``alexaforbusiness``: Update alexaforbusiness client to latest version * api-change:``rds``: Update rds client to latest version * api-change:``ce``: Update ce client to latest version * api-change:``ram``: Update ram client to latest version * api-change:``codebuild``: Update codebuild client to latest version * api-change:``comprehend``: Update comprehend client to latest version * api-change:``kms``: Update kms client to latest version - from version 1.13.26 * api-change:``acm``: Update acm client to latest version * api-change:``autoscaling-plans``: Update autoscaling-plans client to latest version * api-change:``codebuild``: Update codebuild client to latest version * api-change:``mediapackage-vod``: Update mediapackage-vod client to latest version * api-change:``emr``: Update emr client to latest version * api-change:``sns``: Update sns client to latest version * api-change:``ssm``: Update ssm client to latest version * api-change:``application-autoscaling``: Update application-autoscaling client to latest version * api-change:``sts``: Update sts client to latest version * api-change:``forecast``: Update forecast client to latest version * api-change:``ec2``: Update ec2 client to latest version * api-change:``rekognition``: Update rekognition client to latest version - from version 1.13.25 * bugfix:IMDS metadata: Add 405 case to metadata fetching logic. - from version 1.13.24 * api-change:``glue``: Update glue client to latest version * api-change:``transcribe``: Update transcribe client to latest version * api-change:``connectparticipant``: Update connectparticipant client to latest version * api-change:``dynamodb``: Update dynamodb client to latest version * api-change:``lex-runtime``: Update lex-runtime client to latest version * api-change:``connect``: Update connect client to latest version * api-change:``ec2``: Update ec2 client to latest version * api-change:``meteringmarketplace``: Update meteringmarketplace client to latest version * api-change:``config``: Update config client to latest version * api-change:``lex-models``: Update lex-models client to latest version * api-change:``ssm``: Update ssm client to latest version * api-change:``amplify``: Update amplify client to latest version * api-change:``appsync``: Update appsync client to latest version - from version 1.13.23 * api-change:``datasync``: Update datasync client to latest version * api-change:``dlm``: Update dlm client to latest version * api-change:``mediastore``: Update mediastore client to latest version * api-change:``cloudtrail``: Update cloudtrail client to latest version * api-change:``mgh``: Update mgh client to latest version * api-change:``storagegateway``: Update storagegateway client to latest version * api-change:``ec2``: Update ec2 client to latest version * api-change:``codecommit``: Update codecommit client to latest version * api-change:``s3``: Update s3 client to latest version * api-change:``fsx``: Update fsx client to latest version * api-change:``migrationhub-config``: Update migrationhub-config client to latest version * api-change:``firehose``: Update firehose client to latest version * api-change:``transcribe``: Update transcribe client to latest version * api-change:``ecs``: Update ecs client to latest version * api-change:``discovery``: Update discovery client to latest version * api-change:``chime``: Update chime client to latest version * api-change:``quicksight``: Update quicksight client to latest version - from version 1.13.22 * bugfix:IMDS: Fix regression in IMDS credential resolution. Fixes `#1892 `__. - from version 1.13.21 * api-change:``ec2``: Update ec2 client to latest version * api-change:``cloudformation``: Update cloudformation client to latest version * api-change:``elbv2``: Update elbv2 client to latest version * api-change:``lambda``: Update lambda client to latest version * api-change:``config``: Update config client to latest version * api-change:``iam``: Update iam client to latest version * api-change:``codebuild``: Update codebuild client to latest version * api-change:``iot``: Update iot client to latest version * api-change:``autoscaling``: Update autoscaling client to latest version - from version 1.13.20 * api-change:``cloudformation``: Update cloudformation client to latest version * api-change:``s3``: Update s3 client to latest version * api-change:``rds``: Update rds client to latest version * api-change:``pinpoint``: Update pinpoint client to latest version * api-change:``sagemaker``: Update sagemaker client to latest version * api-change:``sagemaker-runtime``: Update sagemaker-runtime client to latest version * api-change:``ce``: Update ce client to latest version * api-change:``ssm``: Update ssm client to latest version - from version 1.13.19 * api-change:``cognito-idp``: Update cognito-idp client to latest version * api-change:``elbv2``: Update elbv2 client to latest version * api-change:``workspaces``: Update workspaces client to latest version * api-change:``ssm``: Update ssm client to latest version * api-change:``logs``: Update logs client to latest version * api-change:``guardduty``: Update guardduty client to latest version * api-change:``emr``: Update emr client to latest version * api-change:``ec2``: Update ec2 client to latest version * api-change:``mediaconvert``: Update mediaconvert client to latest version * api-change:``eks``: Update eks client to latest version * api-change:``chime``: Update chime client to latest version - from version 1.13.18 * api-change:``meteringmarketplace``: Update meteringmarketplace client to latest version * api-change:``cognito-idp``: Update cognito-idp client to latest version * api-change:``connect``: Update connect client to latest version * api-change:``ssm``: Update ssm client to latest version * api-change:``personalize``: Update personalize client to latest version - Version update to 1.13.17 (bsc#1129696) * api-change:``sesv2``: Update sesv2 client to latest version * api-change:``dataexchange``: Update dataexchange client to latest version * api-change:``iot``: Update iot client to latest version * api-change:``cloudsearch``: Update cloudsearch client to latest version * api-change:``dlm``: Update dlm client to latest version - from version 1.13.16 * api-change:``transcribe``: Update transcribe client to latest version * api-change:``marketplace-catalog``: Update marketplace-catalog client to latest version * api-change:``dynamodb``: Update dynamodb client to latest version * api-change:``codepipeline``: Update codepipeline client to latest version * api-change:``elbv2``: Update elbv2 client to latest version - from version 1.13.15 * api-change:``ce``: Update ce client to latest version * api-change:``cloudformation``: Update cloudformation client to latest version - from version 1.13.14 * api-change:``cognito-identity``: Update cognito-identity client to latest version * api-change:``ecr``: Update ecr client to latest version - from version 1.13.13 * api-change:``ssm``: Update ssm client to latest version * api-change:``sso``: Update sso client to latest version * api-change:``sso-oidc``: Update sso-oidc client to latest version * api-change:``comprehend``: Update comprehend client to latest version - from version 1.13.12 * api-change:``savingsplans``: Update savingsplans client to latest version - from version 1.13.11 * api-change:``codebuild``: Update codebuild client to latest version * api-change:``budgets``: Update budgets client to latest version * api-change:``efs``: Update efs client to latest version * api-change:``ce``: Update ce client to latest version * api-change:``savingsplans``: Update savingsplans client to latest version * api-change:``signer``: Update signer client to latest version - from version 1.13.10 * api-change:``rds``: Update rds client to latest version * api-change:``codestar-notifications``: Update codestar-notifications client to latest version - from version 1.13.9 * api-change:``dax``: Update dax client to latest version * api-change:``ec2``: Update ec2 client to latest version * api-change:``robomaker``: Update robomaker client to latest version - from version 1.13.8 * api-change:``pinpoint``: Update pinpoint client to latest version * api-change:``cloudtrail``: Update cloudtrail client to latest version * api-change:``dms``: Update dms client to latest version - from version 1.13.7 * api-change:``support``: Update support client to latest version * api-change:``amplify``: Update amplify client to latest version * api-change:``s3``: Update s3 client to latest version - from version 1.13.6 * api-change:``elasticache``: Update elasticache client to latest version - from version 1.13.5 * api-change:``cloud9``: Update cloud9 client to latest version * api-change:``appstream``: Update appstream client to latest version - from version 1.13.4 * api-change:``s3``: Update s3 client to latest version - from version 1.13.3 * api-change:``elasticache``: Update elasticache client to latest version * api-change:``transfer``: Update transfer client to latest version * api-change:``ecr``: Update ecr client to latest version - from version 1.13.2 * api-change:``sagemaker``: Update sagemaker client to latest version * api-change:``gamelift``: Update gamelift client to latest version * enhancement:``sts``: Add support for configuring the use of regional STS endpoints. * api-change:``chime``: Update chime client to latest version * api-change:``appmesh``: Update appmesh client to latest version * api-change:``ec2``: Update ec2 client to latest version - from version 1.13.1 * api-change:``polly``: Update polly client to latest version * api-change:``connect``: Update connect client to latest version - from version 1.13.0 * api-change:``opsworkscm``: Update opsworkscm client to latest version * api-change:``iotevents``: Update iotevents client to latest version * feature:``botocore.vendored.requests``: Removed vendored version of ``requests`` (`#1829 `__) - from version 1.12.253 * api-change:``cloudwatch``: Update cloudwatch client to latest version - from version 1.12.252 * api-change:``batch``: Update batch client to latest version * api-change:``rds``: Update rds client to latest version - from version 1.12.251 * api-change:``kafka``: Update kafka client to latest version * api-change:``marketplacecommerceanalytics``: Update marketplacecommerceanalytics client to latest version * api-change:``robomaker``: Update robomaker client to latest version - from version 1.12.250 * api-change:``kinesis-video-archived-media``: Update kinesis-video-archived-media client to latest version - from version 1.12.249 * api-change:``personalize``: Update personalize client to latest version * api-change:``workspaces``: Update workspaces client to latest version - Refresh patches for new version + hide_py_pckgmgmt.patch - Version update to 1.12.248 * api-change:``greengrass``: Update greengrass client to latest version - from version 1.12.247 * api-change:``ec2``: Update ec2 client to latest version * api-change:``lex-runtime``: Update lex-runtime client to latest version * api-change:``fms``: Update fms client to latest version * api-change:``iotanalytics``: Update iotanalytics client to latest version - from version 1.12.246 * api-change:``kafka``: Update kafka client to latest version * api-change:``elasticache``: Update elasticache client to latest version * api-change:``mediaconvert``: Update mediaconvert client to latest version - from version 1.12.245 * api-change:``organizations``: Update organizations client to latest version * api-change:``events``: Update events client to latest version * api-change:``firehose``: Update firehose client to latest version * api-change:``datasync``: Update datasync client to latest version - from version 1.12.244 * api-change:``snowball``: Update snowball client to latest version * api-change:``directconnect``: Update directconnect client to latest version * api-change:``firehose``: Update firehose client to latest version * api-change:``pinpoint``: Update pinpoint client to latest version * api-change:``glue``: Update glue client to latest version * api-change:``pinpoint-email``: Update pinpoint-email client to latest version - from version 1.12.243 * api-change:``cognito-idp``: Update cognito-idp client to latest version * api-change:``mediapackage``: Update mediapackage client to latest version * api-change:``ssm``: Update ssm client to latest version - from version 1.12.242 * api-change:``es``: Update es client to latest version * api-change:``ec2``: Update ec2 client to latest version * api-change:``application-autoscaling``: Update application-autoscaling client to latest version * api-change:``devicefarm``: Update devicefarm client to latest version - from version 1.12.241 * api-change:``lightsail``: Update lightsail client to latest version - from version 1.12.240 * api-change:``docdb``: Update docdb client to latest version - from version 1.12.239 * api-change:``waf``: Update waf client to latest version * api-change:``rds``: Update rds client to latest version * api-change:``mq``: Update mq client to latest version - from version 1.12.238 * api-change:``amplify``: Update amplify client to latest version * api-change:``ecs``: Update ecs client to latest version - from version 1.12.237 * api-change:``ssm``: Update ssm client to latest version * api-change:``codepipeline``: Update codepipeline client to latest version - from version 1.12.236 * api-change:``globalaccelerator``: Update globalaccelerator client to latest version * api-change:``dms``: Update dms client to latest version * api-change:``sagemaker``: Update sagemaker client to latest version - from version 1.12.235 * api-change:``transcribe``: Update transcribe client to latest version * api-change:``comprehendmedical``: Update comprehendmedical client to latest version * api-change:``datasync``: Update datasync client to latest version - from version 1.12.234 * api-change:``rds-data``: Update rds-data client to latest version * api-change:``redshift``: Update redshift client to latest version - from version 1.12.233 * api-change:``workspaces``: Update workspaces client to latest version * api-change:``ec2``: Update ec2 client to latest version * api-change:``greengrass``: Update greengrass client to latest version * api-change:``rds``: Update rds client to latest version - from version 1.12.232 * api-change:``mediaconnect``: Update mediaconnect client to latest version * api-change:``glue``: Update glue client to latest version * api-change:``ecs``: Update ecs client to latest version - from version 1.12.231 * api-change:``ram``: Update ram client to latest version * api-change:``waf-regional``: Update waf-regional client to latest version * api-change:``apigateway``: Update apigateway client to latest version - from version 1.12.230 * api-change:``iam``: Update iam client to latest version * api-change:``athena``: Update athena client to latest version * api-change:``personalize``: Update personalize client to latest version - from version 1.12.229 * api-change:``eks``: Update eks client to latest version * api-change:``mediaconvert``: Update mediaconvert client to latest version - from version 1.12.228 * api-change:``elbv2``: Update elbv2 client to latest version * api-change:``ec2``: Update ec2 client to latest version * api-change:``workmailmessageflow``: Update workmailmessageflow client to latest version * api-change:``medialive``: Update medialive client to latest version - from version 1.12.227 * api-change:``stepfunctions``: Update stepfunctions client to latest version * api-change:``rds``: Update rds client to latest version * api-change:``ec2``: Update ec2 client to latest version * api-change:``mediaconnect``: Update mediaconnect client to latest version * api-change:``ses``: Update ses client to latest version * api-change:``config``: Update config client to latest version - from version 1.12.226 * api-change:``storagegateway``: Update storagegateway client to latest version - from version 1.12.225 * api-change:``qldb``: Update qldb client to latest version * api-change:``marketplacecommerceanalytics``: Update marketplacecommerceanalytics client to latest version * api-change:``appstream``: Update appstream client to latest version * api-change:``ec2``: Update ec2 client to latest version * api-change:``robomaker``: Update robomaker client to latest version * api-change:``appmesh``: Update appmesh client to latest version * api-change:``qldb-session``: Update qldb-session client to latest version - from version 1.12.224 * api-change:``kinesisanalytics``: Update kinesisanalytics client to latest version - from version 1.12.223 * api-change:``config``: Update config client to latest version - from version 1.12.222 * api-change:``stepfunctions``: Update stepfunctions client to latest version * api-change:``transcribe``: Update transcribe client to latest version * api-change:``eks``: Update eks client to latest version - from version 1.12.221 * api-change:``ecs``: Update ecs client to latest version * api-change:``resourcegroupstaggingapi``: Update resourcegroupstaggingapi client to latest version * api-change:``gamelift``: Update gamelift client to latest version - from version 1.12.220 * api-change:``mq``: Update mq client to latest version * api-change:``apigatewaymanagementapi``: Update apigatewaymanagementapi client to latest version * api-change:``ecs``: Update ecs client to latest version - from version 1.12.219 * api-change:``codepipeline``: Update codepipeline client to latest version * api-change:``application-autoscaling``: Update application-autoscaling client to latest version * api-change:``elasticache``: Update elasticache client to latest version * api-change:``lambda``: Update lambda client to latest version * api-change:``ecs``: Update ecs client to latest version - from version 1.12.218 * api-change:``sqs``: Update sqs client to latest version * api-change:``globalaccelerator``: Update globalaccelerator client to latest version * api-change:``mediaconvert``: Update mediaconvert client to latest version - from version 1.12.217 * api-change:``organizations``: Update organizations client to latest version - from version 1.12.216 * api-change:``ssm``: Update ssm client to latest version * api-change:``securityhub``: Update securityhub client to latest version - from version 1.12.215 * api-change:``ec2``: Update ec2 client to latest version * api-change:``mediapackage-vod``: Update mediapackage-vod client to latest version * api-change:``transcribe``: Update transcribe client to latest version - from version 1.12.214 * api-change:``datasync``: Update datasync client to latest version * api-change:``rds``: Update rds client to latest version python-s3transfer was updated to 0.3.3: * bugfix:dependency: Updated botocore version range Update to version 0.3.2 * bugfix:s3: Fixes boto/botocore`#1916 `__ from version 0.3.1 * enhancement:TransferManager: Expose client and config properties * enhancement:Tags: Add support for Tagging and TaggingDirective from version 0.3.0 * feature:Python: Dropped support for Python 2.6 and 3.3. python-boto was updated to fix: * Removed the upstream builtin root certificate data for trusted CAs, as SUSE ships them seperately. (bsc#1116204) ----------------------------------------- Patch: SUSE-2020-1172 Released: Mon May 4 18:15:17 2020 Summary: Recommended update for osc Severity: moderate References: 1160446,1166537,1168862 Description: This update for osc fixes the following issues: Update from version 0.167.2 to 0.168.2 (bsc#1168862) - Use helper method _html_escape to enable python3.8 and python2.* compatibility. (bsc#1166537) - Fix support for python3.8 - Spec: temporary disable tests as they explode under python 3.8 - Spec: fix destination of fish completion file to /usr/share/fish/vendor_completions.d - MR creation honors orev now (bsc#1160446) - Allow 'osc r --vertical' for projects - Cleanup old functions and remove python2.6 compatibility code - Support zstd arch linux files in local build - Fix deleterequest for repositories - Append --norootforbuild as default to build command - Fix decoding in interactive request mode - Use signdummy for product builds - Print release project when creating MR - Improve SSLError message for TLSv1 validation - osc maintained --version prints the version of each maintained package - Print web url links after creating requests (New general bool option 'print_web_links' must be set in oscrc) - Fix checkout_no_colon on project level - Handle empty release number of rpm packages in build.py - Handle bytes vs. str error when parsing meta - Custom exception if importing m2crypto fails - Fix missing oscerr import in util.helper - Several fixes for keyring handling - Fix arch zst magic in util.packagequery - Ship fish completion file. ----------------------------------------- Patch: SUSE-2020-1177 Released: Tue May 5 09:50:10 2020 Summary: Security update for rpmlint Severity: moderate References: 1129452,1169365 Description: This update for rpmlint fixes the following issues: - whitelist certmonger (bsc#1169365, bsc#1129452) ----------------------------------------- Patch: SUSE-2020-1178 Released: Tue May 5 10:27:30 2020 Summary: Security update for rubygem-actionview-5_1 Severity: moderate References: 1167240,CVE-2020-5267 Description: This update for rubygem-actionview-5_1 fixes the following issues: - CVE-2020-5267: Fixed an XSS vulnerability in ActionView's JavaScript literal escape helpers (bsc#1167240). ----------------------------------------- Patch: SUSE-2020-1181 Released: Tue May 5 12:02:39 2020 Summary: Recommended update for pciutils-ids Severity: moderate References: 1170160 Description: This update for pciutils-ids fixes the following issues: - Update the PCI utilities database to 20200324. (bsc#1170160) ----------------------------------------- Patch: SUSE-2020-1183 Released: Tue May 5 12:09:56 2020 Summary: Recommended update for geoipupdate Severity: moderate References: 1169766 Description: This update for geoipupdate fixes the following issue: - Fix license, it's actually Apache-2.0 or MIT. (bsc#1169766) ----------------------------------------- Patch: SUSE-2020-1187 Released: Tue May 5 12:51:09 2020 Summary: Recommended update for python-paramiko Severity: moderate References: 1169489 Description: This update for python-paramiko fixes the following issues: - Fixed a problem from the last fix that caused Vorta to fail (bsc#1169489) ----------------------------------------- Patch: SUSE-2020-1159 Released: Tue May 5 16:24:36 2020 Summary: Recommended update for python3-azuremetadata Severity: moderate References: 1170598,1170599,1170605,1170606 Description: This update for python3-azuremetadata fixes the following issues: python3-azuremetadata was updated to version 5.1.0: - Produce well-formed JSON and XML output when multiple filters are specified (bsc#1170598, bsc#1170599) regionServiceClientConfigSAPAzure was updated to 1.0.3 and regionServiceClientConfigAzure was updated to 0.0.6: - Report subscriptionId during registration (bsc#1170605, bsc#1170606) ----------------------------------------- Patch: SUSE-2020-1197 Released: Wed May 6 13:52:04 2020 Summary: Security update for slirp4netns Severity: important References: 1170940,CVE-2020-1983 Description: This update for slirp4netns fixes the following issues: Security issue fixed: - CVE-2020-1983: Fixed a use-after-free in ip_reass (bsc#1170940). ----------------------------------------- Patch: SUSE-2020-1199 Released: Wed May 6 13:53:40 2020 Summary: Security update for php7 Severity: moderate References: 1168326,1168352,CVE-2020-7064,CVE-2020-7066 Description: This update for php7 fixes the following issues: - CVE-2020-7064: Fixed a one byte read of uninitialized memory in exif_read_data() (bsc#1168326). - CVE-2020-7066: Fixed URL truncation get_headers() if the URL contains zero (\0) character (bsc#1168352). ----------------------------------------- Patch: SUSE-2020-1201 Released: Wed May 6 15:46:46 2020 Summary: Recommended update for cluster-glue Severity: moderate References: 1131545,1169784 Description: This update for cluster-glue fixes the following issues: - Fix for profile parameter handling EC2 stonith plugin to avoid possible cluster resource failures. (bsc#1169784) - Fix for handling in 'stonith' command by creating '/var/run/heartbeat/rsctmp' directory. (bsc#1131545) ----------------------------------------- Patch: SUSE-2020-1202 Released: Wed May 6 15:51:16 2020 Summary: Recommended update for supportutils-plugin-ha-sap Severity: moderate References: 1170085 Description: This update for supportutils-plugin-ha-sap fixes the following issues: - Implement SAP plugin for supportutils. (jsc#ECO-862, bsc#1170085) ----------------------------------------- Patch: SUSE-2020-1220 Released: Thu May 7 17:11:57 2020 Summary: Security update for ghostscript Severity: important References: 1170603,CVE-2020-12268 Description: This update for ghostscript to version 9.52 fixes the following issues: - CVE-2020-12268: Fixed a heap-based buffer overflow in jbig2_image_compose (bsc#1170603). ----------------------------------------- Patch: SUSE-2020-1222 Released: Fri May 8 08:23:57 2020 Summary: Recommended update for python-azure-agent Severity: moderate References: 1167601,1167602 Description: This update for python-azure-agent fixes the following issues: - Set the hostname using hostnamectl to ensure setting is properly applied (bsc#1167601, bsc#1167602) ----------------------------------------- Patch: SUSE-2020-1226 Released: Fri May 8 10:51:05 2020 Summary: Recommended update for gcc9 Severity: moderate References: 1149995,1152590,1167898 Description: This update for gcc9 fixes the following issues: This update ships the GCC 9.3 release. - Includes a fix for Internal compiler error when building HepMC (bsc#1167898) - Includes fix for binutils version parsing - Add libstdc++6-pp provides and conflicts to avoid file conflicts with same minor version of libstdc++6-pp from gcc10. - Add gcc9 autodetect -g at lto link (bsc#1149995) - Install go tool buildid for bootstrapping go ----------------------------------------- Patch: SUSE-2020-1230 Released: Mon May 11 07:29:21 2020 Summary: Recommended update for md_monitor Severity: moderate References: 1081286,1091619,1095141,1096363,1104770,1116560,1123046,1125281,1136542,1139268,1149316,1157098,1157754 Description: This update for md_monitor fixes the following issues: - Fix for preventing too long I/O after maintenance of a 'Direct Access Storage Device'. (bsc#1116560) - Fix for a potential memory leak can be triggered by database I/O. (bsc#1157754) - Fix for an issue when 'md_monitor' thread remains in system shutdown and blocks 'Direct Access Storage Device' offline action by grabbing the device. (bsc#1125281, bsc#1157098) - Fix for 'ArrayResync' and 'MonitorStatus' by md_monitor not working properly. (bsc#1149316) - Fix 'md_monitor' to use correct blocksize and prevent disk failure. (bsc#1139268) - Add newly (re-)discovered devices to the device list. (bsc#1136542) - Fix for an issue when md_monitor is stopped with process fault during system start and the host has only RAID0 array. (bsc#1123046) - Fix for an issue when 'md_monitor' does not get 'MirrorStatus' and 'MonitorStatus' properly. (bsc#1104770, bsc#1095141) - Fix crash on 'MonitorStatus' calling update request for 'md_monitor'. (bsc#1096363, bsc#1081286) - Ignore NewArray message if does not exists yet (bsc#1091619) ----------------------------------------- Patch: SUSE-2020-1260 Released: Tue May 12 18:00:45 2020 Summary: Optional update for terraform-provider-susepubliccloud Severity: low References: 1166049 Description: This update for terraform-provider-susepubliccloud doesn't fix any issues and just adjusts some packaging meta information. ----------------------------------------- Patch: SUSE-2020-1261 Released: Tue May 12 18:40:18 2020 Summary: Recommended update for hwdata Severity: moderate References: 1168806 Description: This update for hwdata fixes the following issues: Update from version 0.320 to version 0.324 (bsc#1168806) - Updated pci, usb and vendor ids. - Replace pciutils-ids package providing compatibility symbolic link ----------------------------------------- Patch: SUSE-2020-1263 Released: Wed May 13 08:24:14 2020 Summary: Recommended update for hawk2 Severity: moderate References: 1054027,1068942,1069217,1069296,1071481,1074856,1076421,1080439,1085318,1085343,1085515,1089709,1089802,1090562,1090657,1090667,1092108,1092122,1093420,1098637,1137891,1158681,1162221,1165587 Description: This update for hawk2 fixes the following issues: WIP * Implement mechanism to switch binaries in case (bsc#1165587) * Work around the removal of Dir::Tmpname#make_tmpname (bsc#1162221) * Fix cib.xml parsing for acl_version (bsc#1158681) * Fix mime type issue in MS windows (bsc#1098637) * Fix nameless cluster display (bsc#1137891) * High: Set secure flag to enforce https (bsc#1090657) * Medium: Improve hawk-server side cookie handling (bsc#1090667) * Medium: Set Symmetrical to False when score is Serialize (bsc#1085515) * Medium: Make resource stop/start icon dependent on target-role (bsc#1076421) * Api: Add advance resource type(group|clone|master|bundle) in resource route(fate#323437) * Api: return nil if elem is nil(fate#323437) in some case, param in determine_online_status_fencing is nil, this will cause NoMethodError * Medium: Fix acl_version check (bsc#1089802) * High: Fetch correct meta data (bsc#1092122) * Medium: Fix history explorer views (bsc#1093420) * High: Update links to release notes and documentation (bsc#1089709) * High: Return after redirect in reports (bsc#1090562) * Medium: Comply routes' id with resources' ID (bsc#1092108) * Api: Add registration route (fate#323437) * High: Calculate guest node state correctly (bsc#1074856) * Use Promotable etc. (bsc#1085318) (bsc#1085343) * High: Fix remote nodes iteration (bsc#1080439) * High: Support guest nodes (bsc#1074856) * Ensure certificate/key is group readable (bsc#1071481) * Test: Add test suit for (bsc#1069296) * Dev: Fix acl_enabled? (bsc#1069296) * Dev: Dev: Handle redirection correctly after renaming resources (bsc#1068942) * Dev: Handle redirection correctly after renaming constraints (bsc#1068942) * Dev: Dev: split rename action for constraints to edit/update (bsc#1068942) * Dev: Refactor resouces.js (bsc#1068942) * Dev: Change the rename path for resources (#bsc#1068942) * Dev: split rename action to edit/update (bsc#1068942) * Fix node/resource event injection in simulator (bsc#1069217) * Show descriptions in cluster config (bsc#1054027) ----------------------------------------- Patch: SUSE-2020-1266 Released: Wed May 13 10:20:54 2020 Summary: Recommended update for jq Severity: moderate References: 1170838 Description: This update for jq fixes the following issues: jq was updated to version 1.6: * Destructuring Alternation * many new builtins (see docs) * Add support for ASAN and UBSAN * Make it easier to use jq with shebangs * Add $ENV builtin variable to access environment * Add JQ_COLORS env var for configuring the output colors * change: Calling jq without a program argument now always assumes '.' for the program, regardless of stdin/stdout * fix: Make sorting stable regardless of qsort. - Make jq depend on libjq1, so upgrading jq upgrades both ----------------------------------------- Patch: SUSE-2020-1252 Released: Wed May 13 13:51:29 2020 Summary: Recommended update for regionServiceClientConfigEC2 Severity: moderate References: 1171232,1171233 Description: This update for regionServiceClientConfigEC2 fixes the following issues: - Improved the way how regions are resolved by IP addresses. ----------------------------------------- Patch: SUSE-2020-1280 Released: Thu May 14 14:27:51 2020 Summary: Recommended update for postgresql, postgresql10, postgresql12 Severity: moderate References: 1138034,1151591,1153168,1163985,1167541,CVE-2019-10164,CVE-2020-1720 Description: This update for postgresql, postgresql10, postgresql12 fixes the following issues: Changes in the postgresql wrapper package: - Sync ownership of /run/postgresql in the file list with tmpfiles. - Use the correct content for .bash_profile (bsc#1153168). - Stop shipping SUSEfirewall2 config files (bsc#1151591). - Use /run/postgresql instead of /var/run/postgresql in %ghost and postgresql-tmpfiles.conf to avoid rpmlint warnings and errors. - add /var/run/postgresql to the filelist. as %ghost for systemd systems and directly for non systemd systems Changes in postgresql10: - packaging changed to no longer build the libraries, these now come from postgresql12. Changes in postgresql12: Initial package for the postgresql 12 branch https://www.postgresql.org/about/news/1976/ - Update to 12.2 (CVE-2020-1720) https://www.postgresql.org/about/news/2011/ https://www.postgresql.org/docs/12/release-12-2.html - Avoid the dependency from the devel package to the main package. devel packages are exclusive, thus ecpg does not require update-alternatives. - Remove unused build dependencies from the client libs package: LVM, icu, selinux, systemd. - Update to 12.1 https://www.postgresql.org/docs/12/release-12-1.html https://www.postgresql.org/about/news/1994/ - add requires to the server-devel package for the libs that are returned by pg_config --libs python-psycopg2 was updated to 2.8.4 to allow working with postgresql12. ----------------------------------------- Patch: SUSE-2020-1286 Released: Fri May 15 11:05:14 2020 Summary: Recommended update for cdrtools Severity: moderate References: 1169420 Description: This update for cdrtools fixes the following issues: - Fix for an issue when 'mediacheck' fails if ISO sizes are larger than 4GB. (bsc#1169420) ----------------------------------------- Patch: SUSE-2020-1288 Released: Fri May 15 11:27:01 2020 Summary: Recommended update for regionServiceClientConfigAzure Severity: critical References: 1171465 Description: This update for regionServiceClientConfigAzure fixes the following issues: - Unify region server setup for SLES and SLES4SAP that provides configuring traffic routing through the datacenter. (bsc#1171465) ----------------------------------------- Patch: SUSE-2020-1291 Released: Fri May 15 16:40:53 2020 Summary: Recommended update for shared-python-startup Severity: moderate References: 1170411 Description: This update for shared-python-startup fixes the following issues: This package contains common python startup files. (bsc#1170411) ----------------------------------------- Patch: SUSE-2020-1293 Released: Mon May 18 07:38:06 2020 Summary: Security update for openexr Severity: moderate References: 1146648,1169549,1169573,1169574,1169575,1169576,1169578,1169580,CVE-2020-11758,CVE-2020-11760,CVE-2020-11761,CVE-2020-11762,CVE-2020-11763,CVE-2020-11764,CVE-2020-11765 Description: This update for openexr provides the following fix: Security issues fixed: - CVE-2020-11765: Fixed an off-by-one error in use of the ImfXdr.h read function by DwaCompressor:Classifier:Classifier (bsc#1169575). - CVE-2020-11764: Fixed an out-of-bounds write in copyIntoFrameBuffer in ImfMisc.cpp (bsc#1169574). - CVE-2020-11763: Fixed an out-of-bounds read and write, as demonstrated by ImfTileOffsets.cpp (bsc#1169576). - CVE-2020-11762: Fixed an out-of-bounds read and write in DwaCompressor:uncompress in ImfDwaCompressor.cpp when handling the UNKNOWN compression case (bsc#1169549). - CVE-2020-11761: Fixed an out-of-bounds read during Huffman uncompression, as demonstrated by FastHufDecoder:refill in ImfFastHuf.cpp (bsc#1169578). - CVE-2020-11760: Fixed an out-of-bounds read during RLE uncompression in rleUncompress in ImfRle.cpp (bsc#1169580). - CVE-2020-11758: Fixed an out-of-bounds read in ImfOptimizedPixelReading.h (bsc#1169573). Non-security issue fixed: - Enable tests when building the package on x86_64. (bsc#1146648) ----------------------------------------- Patch: SUSE-2020-1294 Released: Mon May 18 07:38:36 2020 Summary: Security update for file Severity: moderate References: 1154661,1169512,CVE-2019-18218 Description: This update for file fixes the following issues: Security issues fixed: - CVE-2019-18218: Fixed a heap-based buffer overflow in cdf_read_property_info() (bsc#1154661). Non-security issue fixed: - Fixed broken '--help' output (bsc#1169512). ----------------------------------------- Patch: SUSE-2020-1297 Released: Mon May 18 07:42:18 2020 Summary: Security update for libvpx Severity: moderate References: 1166066,CVE-2020-0034 Description: This update for libvpx fixes the following issues: - CVE-2020-0034: Fixed an out-of-bounds read on truncated key frames (bsc#1166066). ----------------------------------------- Patch: SUSE-2020-1298 Released: Mon May 18 07:42:49 2020 Summary: Security update for libbsd Severity: moderate References: 1160551,CVE-2019-20367 Description: This update for libbsd fixes the following issues: - CVE-2019-20367: Fixed an out-of-bounds read during a comparison for a symbol names from the string table (bsc#1160551). ----------------------------------------- Patch: SUSE-2020-1303 Released: Mon May 18 09:40:36 2020 Summary: Recommended update for timezone Severity: moderate References: 1169582 Description: This update for timezone fixes the following issues: - timezone update 2020a. (bsc#1169582) * Morocco springs forward on 2020-05-31, not 2020-05-24. * Canada's Yukon advanced to -07 year-round on 2020-03-08. * America/Nuuk renamed from America/Godthab. * zic now supports expiration dates for leap second lists. ----------------------------------------- Patch: SUSE-2020-1308 Released: Mon May 18 10:05:46 2020 Summary: Recommended update for psmisc Severity: moderate References: 1170247 Description: This update for psmisc fixes the following issues: - Allow not unique mounts as well as not unique mountpoint. (bsc#1170247) ----------------------------------------- Patch: SUSE-2020-1309 Released: Mon May 18 10:08:16 2020 Summary: Recommended update for gnome-themes-standard Severity: moderate References: 1170757 Description: This update for gnome-themes-standard fixes the following issue: - Remove the is_opensuse tag to close the gap between Leap and SLE (bsc#1170757, jsc#SLE-11890). ----------------------------------------- Patch: SUSE-2020-1310 Released: Mon May 18 10:09:22 2020 Summary: Recommended update for icewm, icewm-theme-branding Severity: moderate References: 1170420 Description: This update for icewm, icewm-theme-branding fixes the following issues: Changes in icewm: - Explicitly require icewm-theme-branding on SLE and Leap. (jsc#SLE-11888, bsc#1170420). - Add Conflicts between icewm-config-upstream and icewm-theme-branding. - Improve build tag consistency between SLE and Leap. (jsc#SLE-11888, bsc#1170420). * Recommend polkit-gnome to both Leap and SLE. Changes in icewm-theme-branding: - Improve build tag consistency between SLE and Leap. (jsc#SLE-11888, bsc#1170420). * Build the branding package separately for openSUSE and SLE, like most of other branding packages did. ----------------------------------------- Patch: SUSE-2020-1315 Released: Mon May 18 10:38:42 2020 Summary: Recommended update for eiciel Severity: moderate References: 1170756 Description: This update for eiciel fixes the following issue: - Enable translation-update-upstream for both SLE and openSUSE. (bsc#1170756, jsc#SLE-11889) ----------------------------------------- Patch: SUSE-2020-1319 Released: Mon May 18 11:43:44 2020 Summary: Recommended update for tcsh Severity: moderate References: 1170527 Description: This update for tcsh fixes the following issues: - Fix for an issue when Midnight Commander freezes changing directory using tcsh shell. (bsc#1170527) ----------------------------------------- Patch: SUSE-2020-1321 Released: Mon May 18 11:45:10 2020 Summary: Recommended update for regionServiceClientConfigGCE Severity: important References: 1171467,1171469 Description: This update for regionServiceClientConfigGCE fixes the following issues: - Unify region server setup for SLES and SLES4SAP that provides configuring traffic routing through the datacenter. (bsc#1171467, bsc#1171469) ----------------------------------------- Patch: SUSE-2020-1323 Released: Mon May 18 11:49:02 2020 Summary: Recommended update for python3-gcemetadata Severity: important References: 1134510 Description: This update for python3-gcemetadata fixes the following issues: - Fix for the identity data of the instance may not be accessible from the metadata server in Google Cloud client. (bsc#1134510) ----------------------------------------- Patch: SUSE-2020-1327 Released: Mon May 18 17:15:48 2020 Summary: Recommended update for ntfs-3g_ntfsprogs Severity: moderate References: 1170609 Description: This update for ntfs-3g_ntfsprogs fixes the following issue: - the libntfs-3g-devel package is shipped into the Workstation Extension (bsc#1170609) ----------------------------------------- Patch: SUSE-2020-1328 Released: Mon May 18 17:16:04 2020 Summary: Recommended update for grep Severity: moderate References: 1155271 Description: This update for grep fixes the following issues: - Update testsuite expectations, no functional changes (bsc#1155271) ----------------------------------------- Patch: SUSE-2020-1337 Released: Tue May 19 13:20:44 2020 Summary: Security update for openconnect Severity: moderate References: 1170452,CVE-2020-12105 Description: This update for openconnect fixes the following issues: Security issue fixed: - CVE-2020-12105: Fixed the improper handling of negative return values from X509_check_ function calls that might have allowed MITM attacks (bsc#1170452). ----------------------------------------- Patch: SUSE-2020-1353 Released: Wed May 20 13:02:32 2020 Summary: Security update for freetype2 Severity: moderate References: 1079603,1091109,CVE-2018-6942 Description: This update for freetype2 to version 2.10.1 fixes the following issues: Security issue fixed: - CVE-2018-6942: Fixed a NULL pointer dereference within ttinerp.c (bsc#1079603). Non-security issues fixed: - Update to version 2.10.1 * The bytecode hinting of OpenType variation fonts was flawed, since the data in the `CVAR' table wasn't correctly applied. * Auto-hinter support for Mongolian. * The handling of the default character in PCF fonts as introduced in version 2.10.0 was partially broken, causing premature abortion of charmap iteration for many fonts. * If `FT_Set_Named_Instance' was called with the same arguments twice in a row, the function returned an incorrect error code the second time. * Direct rendering using FT_RASTER_FLAG_DIRECT crashed (bug introduced in version 2.10.0). * Increased precision while computing OpenType font variation instances. * The flattening algorithm of cubic Bezier curves was slightly changed to make it faster. This can cause very subtle rendering changes, which aren't noticeable by the eye, however. * The auto-hinter now disables hinting if there are blue zones defined for a `style' (i.e., a certain combination of a script and its related typographic features) but the font doesn't contain any characters needed to set up at least one blue zone. - Add tarball signatures and freetype2.keyring - Update to version 2.10.0 * A bunch of new functions has been added to access and process COLR/CPAL data of OpenType fonts with color-layered glyphs. * As a GSoC 2018 project, Nikhil Ramakrishnan completely overhauled and modernized the API reference. * The logic for computing the global ascender, descender, and height of OpenType fonts has been slightly adjusted for consistency. * `TT_Set_MM_Blend' could fail if called repeatedly with the same arguments. * The precision of handling deltas in Variation Fonts has been increased.The problem did only show up with multidimensional designspaces. * New function `FT_Library_SetLcdGeometry' to set up the geometry of LCD subpixels. * FreeType now uses the `defaultChar' property of PCF fonts to set the glyph for the undefined character at glyph index 0 (as FreeType already does for all other supported font formats). As a consequence, the order of glyphs of a PCF font if accessed with FreeType can be different now compared to previous versions. This change doesn't affect PCF font access with cmaps. * `FT_Select_Charmap' has been changed to allow parameter value `FT_ENCODING_NONE', which is valid for BDF, PCF, and Windows FNT formats to access built-in cmaps that don't have a predefined `FT_Encoding' value. * A previously reserved field in the `FT_GlyphSlotRec' structure now holds the glyph index. * The usual round of fuzzer bug fixes to better reject malformed fonts. * `FT_Outline_New_Internal' and `FT_Outline_Done_Internal' have been removed.These two functions were public by oversight only and were never documented. * A new function `FT_Error_String' returns descriptions of error codes if configuration macro FT_CONFIG_OPTION_ERROR_STRINGS is defined. * `FT_Set_MM_WeightVector' and `FT_Get_MM_WeightVector' are new functions limited to Adobe MultiMaster fonts to directly set and get the weight vector. - Enable subpixel rendering with infinality config: - Re-enable freetype-config, there is just too many fallouts. - Update to version 2.9.1 * Type 1 fonts containing flex features were not rendered correctly (bug introduced in version 2.9). * CVE-2018-6942: Older FreeType versions can crash with certain malformed variation fonts. * Bug fix: Multiple calls to `FT_Get_MM_Var' returned garbage. * Emboldening of bitmaps didn't work correctly sometimes, showing various artifacts (bug introduced in version 2.8.1). * The auto-hinter script ranges have been updated for Unicode 11. No support for new scripts have been added, however, with the exception of Georgian Mtavruli. - freetype-config is now deprecated by upstream and not enabled by default. - Update to version 2.10.1 * The `ftmulti' demo program now supports multiple hidden axes with the same name tag. * `ftview', `ftstring', and `ftgrid' got a `-k' command line option to emulate a sequence of keystrokes at start-up. * `ftview', `ftstring', and `ftgrid' now support screen dumping to a PNG file. * The bytecode debugger, `ttdebug', now supports variation TrueType fonts; a variation font instance can be selected with the new `-d' command line option. - Add tarball signatures and freetype2.keyring - Update to version 2.10.0 * The `ftdump' demo program has new options `-c' and `-C' to display charmaps in compact and detailed format, respectively. Option `-V' has been removed. * The `ftview', `ftstring', and `ftgrid' demo programs use a new command line option `-d' to specify the program window's width, height, and color depth. * The `ftview' demo program now displays red boxes for zero-width glyphs. * `ftglyph' has limited support to display fonts with color-layered glyphs.This will be improved later on. * `ftgrid' can now display bitmap fonts also. * The `ttdebug' demo program has a new option `-f' to select a member of a TrueType collection (TTC). * Other various improvements to the demo programs. - Remove 'Supplements: fonts-config' to avoid accidentally pulling in Qt dependencies on some non-Qt based desktops.(bsc#1091109) fonts-config is fundamental but ft2demos seldom installs by end users. only fonts-config maintainers/debuggers may use ft2demos along to debug some issues. - Update to version 2.9.1 * No changelog upstream. ----------------------------------------- Patch: SUSE-2020-1370 Released: Thu May 21 19:06:00 2020 Summary: Recommended update for systemd-presets-branding-SLE Severity: moderate References: 1171656 Description: This update for systemd-presets-branding-SLE fixes the following issues: Cleanup of outdated autostart services (bsc#1171656): - Remove acpid.service. acpid is only available on SLE via openSUSE backports. In openSUSE acpid.service is *not* autostarted. I see no reason why it should be on SLE. - Remove spamassassin.timer. This timer never seems to have existed. Instead spamassassin ships a 'sa-update.timer'. But it is not default-enabled and nobody ever complained about this. - Remove snapd.apparmor.service: This service was proactively added a year ago, but snapd didn't even make it into openSUSE yet. There's no reason to keep this entry unless snapd actually enters SLE which is not foreseeable. ----------------------------------------- Patch: SUSE-2020-1378 Released: Thu May 21 19:08:52 2020 Summary: Recommended update for google-compute-engine Severity: moderate References: 1170719,1170720 Description: This update for google-compute-engine contain the following fix: - Do not add the created user to the adm, docker, or lxd groups if they exist. (bsc#1170719, bsc#1170720) ----------------------------------------- Patch: SUSE-2020-1381 Released: Fri May 22 08:01:14 2020 Summary: Security update for memcached Severity: moderate References: 1133817,1149110,CVE-2019-11596,CVE-2019-15026 Description: This update for memcached fixes the following issues: Security issue fixed: - CVE-2019-11596: Fixed a NULL pointer dereference in process_lru_command (bsc#1133817). - CVE-2019-15026: Fixed a stack-based buffer over-read (bsc#1149110). ----------------------------------------- Patch: SUSE-2020-1388 Released: Fri May 22 10:58:17 2020 Summary: Recommended update for lifecycle-data-sle-module-live-patching Severity: moderate References: 1020320 Description: This update for lifecycle-data-sle-module-live-patching fixes the following issues: - Live kernel patching update data for 4_12_14-197_37, 4_12_14-197_40. (bsc#1020320) ----------------------------------------- Patch: SUSE-2020-1402 Released: Mon May 25 14:17:17 2020 Summary: Recommended update for mrsh Severity: moderate References: 1144051 Description: This update for mrsh fixes the following issues: - Use systemd_ordering instead of systemd_requires: systemd is never a strict requirement; but in case the system is scheduled for installation together with systemd, we want systemd to be installed prior to mrsh. - Add pam_keyinit.so to /etc/pam.d/mrsh|mrlogind. (bsc#1144051) To fully support the use of kernel keyrings by systemd the mrsh package must include the pam_keyinit.so module in its mrsh and mrlogin configuration files. - Add README.SUSE: Describe the steps required to set up and run mrshd/mrlogind. - Add missing services in pre/post/preun/postun scripts. ----------------------------------------- Patch: SUSE-2020-1404 Released: Mon May 25 15:32:34 2020 Summary: Recommended update for zlib Severity: moderate References: 1138793,1166260 Description: This update for zlib fixes the following issues: - Including the latest fixes from IBM (bsc#1166260) IBM Z mainframes starting from version z15 provide DFLTCC instruction, which implements deflate algorithm in hardware with estimated compression and decompression performance orders of magnitude faster than the current zlib and ratio comparable with that of level 1. - Add SUSE specific fix to solve bsc#1138793. The fix will avoid to test if the app was linked with exactly same version of zlib like the one that is present on the runtime. ----------------------------------------- Patch: SUSE-2020-1407 Released: Mon May 25 15:55:08 2020 Summary: Recommended update for amazon-ssm-agent Severity: moderate References: 1085670,1108265,1170935 Description: This update for amazon-ssm-agent fixes the following issues: - Update to 2.3.978.0 (2020-04-08) (bsc#1170935) + Stop pty on receiving TerminateSession request + Add support for Debian arm64 architecture + Refactoring session log generation logic - Update to 2.3.930.0 (2020-03-17) + Bug fix for CloudWatch agent version showing twice in Inventory console + Bug fix for retrieving minor version for CentOS7 + Add snap appData collection for inventory in ubuntu 18 + Add validation for contents of os release files + Add retry for fingerprint generation - Update to 2.3.871.0 (2020-02-20) + Various bug fix for SSM Agent - Update to 2.3.842.0 (2020-01-29) + Bug fix for updating document state file prior agent reboot + Add support to restart agent after SIGPIPE exit status - Update to 2.3.814.0 (2020-01-16) + Bug fix for metadata service V2 + Update Golang version 1.12 for travis + Optimize session manager retry logic - Update to 2.3.786.0 (2019-12-19) + Add support for Oracle Linux v7.5 and v7.7 + Bug fix for Inventory data provider to support special characters + Bug fix for SSM MDS service name - Update to 2.3.772.0 (2019-12-13) + Upgrade AWS SDK + Add logging for fingerprint generation - Update to 2.3.760.0 (2019-11-15) + Session manager supports handling of Task metadata - Update to 2.3.758.0 (2019-11-11) + Add support to update SSM Distributor packages in place - Update to 2.3.756.0 (2019-11-05) + Terminate port forwarding session on receiving TerminateSession flag + Bug fix to reload SSM client if region has not been initialize correctly + Bug fix for retrieval of user groups on Linux - Update to 2.3.722.0 (2019-10-11) + Bug fix for the delay when registering non-EC2 on-prem instances + Bug fix for missing ACL when uploading logs to S3 buckets + Upgrade GoLang version from 1.9 to 1.12 - Update to 2.3.714.0 (2019-09-26) + For port forwarding session, close server connection when client drops it's connection + Bug fix for missing condition of rules from inventory registry + Update service domain information fetch logic from EC2 Metadata - Update to 2.3.707.0 (2019-09-11) + Bug fix for characters dropping from session manager shell output + Bug fix for session manager freezing caused by non utf8 character + Switch the request protocol order for getting S3 Header + Keep port forwarding session open until session is terminated - Update to 2.3.701.0 (2019-08-21) + Send platform type information in controlChannel input - Update to 2.3.687.0 (2019-08-05) + Bug fix for runPowershellScript plugin on linux platform + Add support for document 2.x version to ssm-cli - Update to 2.3.680.0 (2019-07-24) + Added a new Inventory gatherer AWS:BillingInfo which will gather the billing product ids for LicenseIncluded and Marketplace instance - Update to 2.3.672.0 (2019-07-09) + Add Port plugin for SSH/SCP + Add support for Session Manager RunAs functionality on Linux platform - Update to 2.3.668.0 (2019-07-01) + Add Session Manager InteractiveCommands plugin + Bug fix for log formatting issue for session manager - Update to 2.3.662.0 (2019-06-19) + Bug fix for Session Manager when handling line endings on Windows platform + Bug fix for token validation for aws:downloadContent plugin + Check if log group exists before uploading Session Manager logs to CloudWatch + Bug fix for broken S3 urls when using custom documents - Update to 2.3.634.0 (2019-05-28) + Disable appconfig to load credential from specific profile path, add EC2 credentials as the default fallback + Remove sudoers file creation logic if ssm-user already exists + Enable supplementary groups for ssm-user on Linux - Update to 2.3.612.0 (2019-05-08) + Bug fix for UTF-8 encoded issue caused by locale activation on Ubuntu 16.04 instance + Refactor ssm-user creation logic + Bug fix for reporting IP address with wrong network interface + Update configure package document arn pattern - Update to 2.3.542.0 (2019-04-18) + Bug fix for on-premises instance registration in CN region - Update to 2.3.539.0 (2019-04-04) + Add support for further encryption of session data using AWS KMS + Bug fix for excessive instance-id fetching by document workers - Update to 2.3.479.0 (2019-03-06) + Bug fix for downloading content failure caused by wrong S3 endpoint + Bug fix for reboot failure caused by session manager panic + Bug fix for session manager shell output dropping character + Bug fix for mgs endpoint configuration consistency - Update to 2.3.444.0 (2019-02-10) + Updates to UpdateInstanceInformation call, Windows initialization - Update to 2.3.415.0 (2019-01-25) + Bug fix addressing issues in Distributor package upgrade - Update to 2.3.372.0 (2019-01-08) + Bug fix to allow installation of Distributor packages that do not have a version name. + Bug fix for agent crash with message 'WaitGroup is reused before previous Wait has returned'. - Update to 2.3.344.0 (2018-12-14) + Add frequent collector to detect changed inventory types and upload it to SSM service between two scheduled collections. + Change AWS Systems Manager Distributor to reduce calls to GetDocument by calling DescribeDocument. + Add exit code when ssm-cli execution fails. + Create ssm-user only after the control channel has been successfully created. - Update to 2.3.274.0 (2018-11-26) + Enabled AWS Systems Manager Distributor that lets you securely distribute and install software packages. + Add support for the arm64 architecture on Amazon Linux 2, Ubuntu 16.04/18.04, and RHEL 7.6 to support EC2 A1 instances. - Update to 2.3.235.0 (2018-10-23) + Bug fix for session manager logging on Windows + Bug fix for ConfigureCloudWatch plugin + Bug fix for update SSM agent occasionally failing due to SSM agent service stuck in starting state - Update to 2.3.193.0 (2018-10-23) + Bug fix for past sessions occasionally stuck in terminating state + Darwin masquerades as Linux to bypass OS validation on the backend until official support can be added - Update to 2.3.169.0 (2018-10-23) + Update managed instance role token more frequently - Update to 2.3.136.0 (2018-10-09) + Bug fix for issue that GatherInventory throw out error when there is no Windows Update in instance + Add more filters when getting the Windows event logs at startup to improve performance + Add random jitter before call PutInventory in inventory datauploader - Update to 2.3.117.0 (2018-10-02) + Bug fix for issues during process termination on instances where IAM policy does not grant ssmmessages permissions. - Update to 2.3.101.0 (2018-10-02) + Bug fix to prevent defunct processes when creating the local user ssm-user. + Bug fix for sudoersFile permission to avoid 'sudo' command warnings in Session Manager. + Disable hibernation on Windows platform if Cloudwatch configuration is present. - Update to 2.3.68.0 (2018-09-17) + Enables the Session Manager capability that lets you manage your Amazon EC2 instance through an interactive one-click browser-based shell or through the AWS CLI. + Beginning this agent version, SSM Agent will create a local user 'ssm-user' and either add it to /etc/sudoers (Linux) or to the Administrators group (Windows) every time the agent starts. The ssm-user is the default OS user when a Session Manager session is started, and the password for this user is reset on every session. You can change the permissions by moving the ssm-user to a less-privileged group or by changing the sudoers file. The ssm-user is not removed from the system when SSM Agent is uninstalled. - Add patch to remove unused import + remove-unused-import.patch - Build-Depend on pkgconfig(systemd) instead of systemd + Allows OBS to depend on the -mini flavors - Refresh patches for new version + fix-version.patch - Update to 2.3.50.0 2018-09-12 (bsc#1108265) + Enables the Session Manager capability that lets you manage your Amazon EC2 instance through an interactive one-click browser-based shell or through the AWS CLI. + Beginning this agent version, SSM Agent will create a local user 'ssm-user' and either add it to /etc/sudoers (Linux) or to the Administrators group (Windows) every time the agent starts. The ssm-user is the default OS user when a Session Manager session is started, and the password for this user is reset on every session. You can change the permissions by moving the ssm-user to a less-privileged group or by changing the sudoers file. The ssm-user is not removed from the system when SSM Agent is uninstalled. - Update to 2.3.13.0 2018-08-16 + Bug fix for the SSM Agent service remaining in 'Starting' state on Windows when unable to authenticate to the Systems Manager service. - Update to 2.2.916.0 2018-08-02 + NOTE: This build should not be installed for Windows since the SSM Agent service may remain in starting status if unable to authenticate to the Systems Manager service, which is fixed in the latest release. + Bug fix for missing cloudwatch.exe seen in SSM Agent version 2.2.902.0 - Update to 2.2.902.0 2018-07-31 + NOTE: This build should not be installed for Windows since you might see the error - 'Encountered error while starting the plugin: Unable to locate cloudwatch.exe' for Cloudwatch plugin. This bug has been fixed in SSM Agent version 2.2.916.0. Also SSM Agent service may remain in starting status if unable to authenticate to the Systems Manager service, which is fixed in the latest release. + Initial support for developer builds on macOS + Retry sending Run Command execution results for up to 2 hours + More detailed error messages are returned for inventory plugin failures during State Manager association executions - Update to 2.2.800.0 2018-06-26 + Bug fix to clean the orchestration directory + Streaming AWS Systems Manager Run Command output to CloudWatch Logs + Reducing number of retries for serial port opening + Add retry logic to installation verification - Update to 2.2.619.0 2018-05-29 + Various bug fixes - Update to 2.2.607.0 2018-05-23 + Various bug fixes - Update to 2.2.546.0 2018-05-07 + Bug fix to retry sending document results if they couldn't reach the service - Update to 2.2.493.0 2018-04-25 + NOTE: Downgrade to this version using AWS-UpdateSSMAgent is not permitted for agent installed using snap + Added support for Ubuntu Snap packaging + Bug fix so that aws:downloadContent does not change permissions of directories + Bug fix to Cloudwatch plugin where StartType has duplicated Enabled value - Update to 2.2.392.0 2018-03-27 + Added support for agent hibernation so that Agent backs off or enters hibernation mode if it does not have access to the service + Various bug fixes - Update to 2.2.355.0 2018-03-16 + Fix S3Download to download from cross regions. + Various bug fixes - Refresh patches for new version + fix-config.patch + fix-version.patch - Update to 2.2.325.0 2018-03-07 (bsc#1085670) + Bug fix to change sourceHashType to be default sha256 on psmodule. - Update to 2.2.257.0 2018-02-23 + Bug fix to address an issue that can prevent the agent from processing associations after a restart. - Update to 2.2.160.0 2018-01-15 + Execute 'pwsh' on linux when using runPowershellScript plugin. - Update to 2.2.93.0 2017-11-14 + Update to latest AWS SDK. - Update to 2.2.58.0 2017-10-23 + Switching to use Birdwatcher distribution service for AWS packages. ----------------------------------------- Patch: SUSE-2020-1413 Released: Tue May 26 09:45:41 2020 Summary: Recommended update for vncmanager Severity: moderate References: 1169732,1171344 Description: This update for vncmanager fixes the following issues: - Fix tight compression decoder on big-endian systems. (bsc#1171344) - Fix tight decoder with 888 pixel encodings. (bsc#1169732) - Fix PixelFormat::ntoh() and PixelFormat::hton(). (bsc#1169732) ----------------------------------------- Patch: SUSE-2020-1415 Released: Tue May 26 11:17:05 2020 Summary: Recommended update for gdb Severity: moderate References: 1168394,1169368,1169495 Description: This update for gdb fixes the following issues: - Fix .debug_types problems. (bsc#1168394) This will solve a range loop index in find_method and will fix toplevel types when a program is compiled with -fdebug-types-section - Fix python 3.8 warning. (bsc#1169495) Fix incorrect use of 'is' operator for comparison in python/lib/gdb/command/prompt.py The 'is' operator is not meant to be used for comparisons - Fix build with gcc 10 improving endianess detection. (bsc#1169368) - Fix hang after SIGKILL ----------------------------------------- Patch: SUSE-2020-1419 Released: Tue May 26 12:23:30 2020 Summary: Security update for sysstat Severity: low References: 1159104,CVE-2019-19725 Description: This update for sysstat fixes the following issues: - CVE-2019-19725: Fixed double free in check_file_actlst in sa_common.c (bsc#1159104). ----------------------------------------- Patch: SUSE-2020-1420 Released: Tue May 26 12:23:54 2020 Summary: Security update for jasper Severity: low References: 1092115,CVE-2018-9154 Description: This update for jasper fixes the following issues: - CVE-2018-9154: Fixed a potential denial of service in jpc_dec_process_sot() (bsc#1092115). ----------------------------------------- Patch: SUSE-2020-1423 Released: Tue May 26 14:33:06 2020 Summary: Security update for mariadb-connector-c Severity: important References: 1171550,CVE-2020-13249 Description: This update for mariadb-connector-c fixes the following issues: Security issue fixed: - CVE-2020-13249: Fixed an improper validation of OK packets received from clients (bsc#1171550). Non-security issues fixed: - Update to release 3.1.8 (bsc#1171550) * CONC-304: Rename the static library to libmariadb.a and other libmariadb files in a consistent manner * CONC-441: Default user name for C/C is wrong if login user is different from effective user * CONC-449: Check $MARIADB_HOME/my.cnf in addition to $MYSQL_HOME/my.cnf * CONC-457: mysql_list_processes crashes in unpack_fields * CONC-458: mysql_get_timeout_value crashes when used improper * CONC-464: Fix static build for auth_gssapi_client plugin ----------------------------------------- Patch: SUSE-2020-1426 Released: Tue May 26 14:54:32 2020 Summary: Recommended update for python-boto Severity: moderate References: 1171769 Description: This update for python-boto fixes the following issues: - Update in SLE-15: (bsc#1171769) - Fix build under python3.8 by skipping more tests that break with previous release. - Skip the tests for the flavors not being built - Remove old comment - Fix breakages caused by removing boto.cacerts module which is imported elsewhere in the package. The file boto/cacerts/cacerts.txt is removed instead, and boto-no-builtin-certs.patch is trimmed. - Activate the test suite, adding many build dependencies with versions. 11 failing Cloudfront signings tests are skipped only on Python 3. - Add versions to runtime dependencies. - python-rsa is added as a Recommends as it is needed for Cloudfront. - python-requests is added as a Recommends as it is needed for Cloudsearch. - python-requests is added as a Suggests as it is used for contrib ymlmessage. ----------------------------------------- Patch: SUSE-2020-1427 Released: Tue May 26 14:55:16 2020 Summary: Recommended update for docker-runc Severity: moderate References: 1168481 Description: This update for docker-runc contains the following fixes: - Backport upstream fix that enable access to /dev/null in containers. Resolves many issues with the implementation of the runc devices cgroup code. Removes some of the disruptive aspects of 'runc update'. (bsc#1168481) ----------------------------------------- Patch: SUSE-2020-1487 Released: Wed May 27 15:24:08 2020 Summary: Recommended update for cloud-regionsrv-client Severity: important References: 1171704,1171705 Description: This update for cloud-regionsrv-client contains the following fixes: - Improve error message for failed update server access to determine product status. - Update to version 9.0.10. (bsc#1171704, bsc#1171705) + While the service starts After=network-online.target this is no guarantee that the cloud framework has configured the outgoing routing for the instance. This configuration on the framework side may take longer. Introduce a wait look that retries connections to the update infrastructure 3 times before giving up. ----------------------------------------- Patch: SUSE-2020-1493 Released: Wed May 27 18:55:51 2020 Summary: Security update for libmspack Severity: low References: 1130489,1141680,CVE-2019-1010305 Description: This update for libmspack fixes the following issues: Security issue fixed: - CVE-2019-1010305: Fixed a buffer overflow triggered by a crafted chm file which could have led to information disclosure (bsc#1141680). Other issue addressed: - Enable build-time tests (bsc#1130489) ----------------------------------------- Patch: SUSE-2020-1494 Released: Wed May 27 20:29:48 2020 Summary: Recommended update for python-psycopg2 Severity: moderate References: 1171213 Description: This update for python-psycopg2 fixes the following issues: - Sort out the syntax of the dependencies to fix possible build failures. (bsc#1171213) ----------------------------------------- Patch: SUSE-2020-1506 Released: Fri May 29 17:22:11 2020 Summary: Recommended update for aaa_base Severity: moderate References: 1087982,1170527 Description: This update for aaa_base fixes the following issues: - Not all XTerm based emulators do have a terminfo entry. (bsc#1087982) - Better support of Midnight Commander. (bsc#1170527) ----------------------------------------- Patch: SUSE-2020-1507 Released: Fri May 29 17:23:52 2020 Summary: Recommended update for publicsuffix Severity: moderate References: 1171819 Description: This update for publicsuffix fixes the following issues: - Update from version 20180312 to version 20200506. (bsc#1171819). - New in version 20200506: * gTLD autopull: 2020-05-06 (#1030) * Update public_suffix_list.dat (#993) * Add shopware.store domain (#958) * Add clic2000.net to Private Section (#1010) * Add Fabrica apps domain: onfabrica.com (#999) * Add dyndns.dappnode.io (#912) * Added curv.dev to public_suffix_list.dat (#968) * Add panel.gg and daemon.panel.gg (#978) * adding sth.ac.at (#997) * Add netlify.app (#1012) * Added Wiki Link as info resource (#1011) * Add schulserver.de, update IServ GmbH contact information (#996) * Add conn.uk, copro.uk, couk.me and ukco.me domains (#963) * Remove flynnhub.com (#971) * Added graphox.us domain (#960) * Add domains for FASTVPS EESTI OU (#941) * Add platter.dev user app domains (#935) * Add playstation-cloud.com (#1006) * gTLD autopull: 2020-04-02 (#1005) * ACI prefix (#930) * Update public_suffix_list.dat (#923) * Add toolforge.org and wmcloud.org (#970) * gTLD autopull: 2020-03-29 (#1003) - New in version 20200326: * aero registry removal * Add Mineduc subregistry for public schools: aprendemas.cl * Update public_suffix_list.dat - Existing Section * gTLD autopull: 2020-03-15 * Add 'urown.cloud' and 'dnsupdate.info' * Remove site.builder.nu * Remove unnecessary trailing whitespace for name.fj * Update .eu IDNs to add Greek and URL for Cyrillic * Update fj entry - New in version 20200201: * gTLD autopull: 2020-02-01 (#952) * gTLD autopull: 2020-01-31 (#951) * Add WoltLab Cloud domains (#947) * Add qbuser.com domain (#943) * Added senseering domain (#946) * Add u.channelsdvr.net to PSL (#950) * Add discourse.team (#949) * gTLD autopull: 2020-01-06 (#942) * gTLD autopull: 2019-12-25 (#939) * Urgent removal of eq.edu.au (#924) * gTLD autopull: 2019-12-20 (#938) * gTLD autopull: 2019-12-11 (#932) * Added adobeaemcloud domains (#931) * Add Observable domain: observableusercontent.com. (#914) * Correct v.ua sorting * add v.ua (#919) * Add en-root.fr domain (#910) * add Datawire private domain (#925) * Add amsw.nl private domain to PSL (#929) * Add *.on-k3s.io (#922) * Add *.r.appspot.com to public suffix list (#920) * Added gentapps.com (#916) * Add oya.to (#908) * Add Group 53, LLC Domains (#900) * Add perspecta.cloud (#898) * Add 0e.vc to PSL (#896) * Add skygearapp.com (#892) * Update Hostbip Section (#871) * Add qcx.io and *.sys.qcx.io (#868) * Add builtwithdark.com to the public suffix list (#857) * Add_customer-oci.com (#811) * Move out old .ru reserved domains * gTLD autopull: 2019-12-02 (#928) * gTLD autopull: 2019-11-20 (#926) - New in version 20191115: * Add gov.scot for Scottish Government * update gTLD list to 2019-11-15 state * remove go-vip.co, go-vip.net, wpcomstaging.com - New in version 20191025: * gTLD list updated to 2019-10-24 state * Update .so suffix list * Add the new TLD .ss * Add xn--mgbah1a3hjkrd (موريتانيا) * Add lolipop.io * Add altervista.org * Remove zone.id from list * Add new domain to Synology dynamic dns service - New in version 20190808: * tools: update newgtlds.go to filter removed gTLDs (#860) * gTLD autopull: 2019-08-08 (#862) * Remove non-public nuernberg.museum nuremberg.museum domains (#859) * gTLD autopull: 2019-08-02 (#858) * Update public_suffix_list.dat (#825) * Update reference as per #855 * add nic.za * Update contact for SymfonyCloud (#854) * Add lelux.site (#849) * Add *.webhare.dev (#847) * Update Hostbip Section (#846) * Add Yandex Cloud domains (#850) * Add ASEINet domains (#844) * Update nymnom section (#771) * Add Handshake zones (#796) * Add iserv.dev for IServ GmbH (#826) * Add trycloudflare.com to Cloudflare's domains (#835) * Add shopitsite.com (#838) * Add pubtls.org (#839) * Add qualifio.com domains (#840) * Update newgtlds tooling & associated gTLD data. (#834) * Add web.app for Google (#830) * Add iobb.net (#828) * Add cloudera.site (#829) - New in version 20190529: * Add Balena domains (#814) * Add KingHost domains (#827) * Add dyn53.io (#820) * Add azimuth.network and arvo.network (#812) * Update .rw domains per ccTLD (#821) * Add b-data.io (#759) * Add co.bn (#789) * Add Zitcom domains (#817) * Add Carrd suffixes (#816) * Add Linode Suffixes (#810) * Add lab.ms (#807) * Add wafflecell.com (#805) * Add häkkinen.fi (#804) * Add prvcy.page (#803) * Add SRCF user domains: soc.srcf.net, user.srcf.net (#802) * Add KaasHosting (#801) * Adding cloud66.zone (#797) * Add gehirn.ne.jp and usercontent.jp for Gehirn Inc. (#795) * Add Clerk user domains (#791) * Add loginline (.app, .dev, .io, .services, .site) (#790) * Add wnext.app (#785) * Add Hostbip Registry Domains (#770) * Add glitch.me (#769) * added thingdustdata.com (#767) * Add dweb.link (#766) * Add onred.one (#764) * Add mo-siemens.io (#762) * Add Render domains (#761) * Add *.moonscale.io (#757) * Add Stackhero domain (#755) * Add voorloper.cloud (#750) * Add repl.co and repl.run (#748) * Add edugit.org (#736) * Add Hakaran domains (#733) * Add barsy.ca (#732) * Add Names.of.London Domains (#543) * Add nctu.me (#746) * Br 201904 update (#809) * Delete DOHA * Add app.banzaicloud.io (#730) * Update .TR (#741) * Add Nabu Casa (#781) * Added uk0.bigv.io under Bytemark Hosting (#745) * Add GOV.UK PaaS client domains (#765) * Add discourse.group for Civilized Discourse Construction Kit, Inc. (#768) * Add on-rancher.cloud and on-rio.io (#779) * Syncloud dynamic dns service (#727) * Add git-pages.rit.edu (#690) * Add workers.dev (#772) * Update .AM (#756) * Add go-vip.net. (#793) * Add site.builder.nu (#723) * Update .FR sectorial domains (#527) * Remove ACTIVE * Remove SPIEGEL * Remove EPOST * Remove ZIPPO * Remove BLANCO - New in version 20190205: * Add domains of Individual Network Berlin e.V. (#711) * Added bss.design to PSL (#685) * Add fastly-terrarium.com (#729) * Add Swisscom Application Cloud domains (#698) * Update public_suffix_list.dat with api.stdlib.com (#751) * Add regional domain for filegear.me (#713) * Remove bv.nl (#758) * Update public_suffix_list.dat - Link public_suffix_list.dat to effective_tld_names.dat for the purpose of httpcomponents-client - Do not pull in full python3, psl-make-dafsa already pulls in what it needs to generate the things - New in version 20181227: * Add run.app and a.run.app to the psl (#681) * Add telebit.io .app .xyz (#726) * Add Leadpages domains (#731) * Add public suffix entries for dapps.earth (#708) * Add Bytemark Hosting domains (#620) * Remove .STATOIL * linter: Expect rules to be in NFKC (#725) * Convert list data from NFKD to NFKC (#720) * Update LS (#718) - New in version 20181030: * Add readthedocs.io (#722) * Remove trailing whitespace from L11948 (#721) * Add krasnik.pl, leczna.pl, lubartow.pl, lublin.pl, poniatowa.pl and swidnik.pl domains to the Public Suffix List (#670) * Add instantcloud.cn by Redstar Consultants (#696) * Add Fermax and mydobiss.com domain (#706) * Add shop.th & online.th (#716) * Add siteleaf.net (#655) * Add wpcomstaging.com and go-vip.co to the PSL (#719) - Update to version 20181003: * Remove deleted TLDs (#710) * Added apigee.io (#712) * Add AWS ElasticBeanstalk Ningxia, CN region (#597) * Add Github PULL REQUEST TEMPLATE (#699) * Add ong.br 2nd level domain (#707) - Update to version 20180813: * Update .ID list (#703) * Updated .bn ccTLD. Removed wildcard. (#702) * Remove stackspace.space from PSL (#691) * Remove XPERIA (#697) - Update to version 20180719: * Remove .IWC * Update Kuwait's ccTLD (.kw) * Use https for www.transip.nl * Remove MEO and SAPO - New in version 20180523: * Remove 1password domains (#632) * Add cleverapps.io (Clever Cloud) (#634) * Remove .BOOTS * Add azurecontainer.io to Microsoft domains (#637) * Change the patchnewgtlds tool for the updated .zw domain * Add new gTLDs up to 2018-04-17 and new ccTLDs up to 2018-04-17 * cloud.muni.cz cloud subdomains (#622) * Add YunoHost DynDns domains: nohost.me & noho.st (#615) * Use a custom token for the newGTLD list (#645) * lug.org.uk (#514) * Adding xnbay.com,u2.xnbay.com,u2-local.xnbay.com to public_suffix_list.dat. (#506) * Adding customer.speedpartner.de (#585) * Adding ravendb.net subdomains (#535) * Adding own.pm (#544) * pcloud.host (#531) * Add additional Lukanet Ltd domains (#652) * Add zone.id (#575) * Add half.host (#571) * Update 香港 TLD (#568) * Add Now-DNS domains (#560) * Added blackbaudcdn.net private domain to PSL (#558) * Adding IServ GmbH domains (#552) * Add FASTVPS EESTI OU domains (#541) * nic.it - update regions and provinces (#524) * Update Futureweb OG Private Domains (#520) * add United Gameserver virtualuser domains (#600) * Add Lightmaker Property Manager, Inc domains (#604) * Update Uberspace domains (#616) * Add Datto, Inc domains * Add memset hosting domains (#625) * Add utwente.io (#626) * Add bci.dnstrace.pro (#630) * Add May First domains (#635) * Add Linki Tools domains (#636) * Update NymNom domains * Add Co & Co domains (#650) * Add new gTLDs up to 2018-05-08 (#653) * Correct linter issues (#654) * Add cnpy.gdn as private domain (#633) * Add freedesktop.org (#619) * Add Omnibond Systems (#656) * Add hasura.app to the list (#668) * Update gu ccTLD suffixes (#669) - New in version 20180328: * Add gwiddle.co.uk (#521) * Add ox.rs (#522) * Add myjino.ru (#512) * Add ras.ru domains (#511) * Add AWS ElasticBeanstalk Osaka, JP region (#628) * Remove trailing whitespace (#621) ----------------------------------------- Patch: SUSE-2020-1508 Released: Fri May 29 17:32:31 2020 Summary: Recommended update for apache2-mod_jk Severity: moderate References: 1167896 Description: This update for apache2-mod_jk fixes the following issues: - Update jk.conf. (bsc#1167896) * Specify the location of JkShmFile. * Update tomcat-webapps paths. - Fix Aliases to be compatible with the tomcat example URLs. (bsc#1167896) ----------------------------------------- Patch: SUSE-2020-1511 Released: Fri May 29 18:03:39 2020 Summary: Security update for java-11-openjdk Severity: important References: 1167462,1169511,CVE-2020-2754,CVE-2020-2755,CVE-2020-2756,CVE-2020-2757,CVE-2020-2767,CVE-2020-2773,CVE-2020-2778,CVE-2020-2781,CVE-2020-2800,CVE-2020-2803,CVE-2020-2805,CVE-2020-2816,CVE-2020-2830 Description: This update for java-11-openjdk fixes the following issues: Java was updated to jdk-11.0.7+10 (April 2020 CPU, bsc#1169511). Security issues fixed: - CVE-2020-2754: Fixed an incorrect handling of regular expressions that could have resulted in denial of service (bsc#1169511). - CVE-2020-2755: Fixed an incorrect handling of regular expressions that could have resulted in denial of service (bsc#1169511). - CVE-2020-2756: Fixed an incorrect handling of regular expressions that could have resulted in denial of service (bsc#1169511). - CVE-2020-2757: Fixed an object deserialization issue that could have resulted in denial of service via crafted serialized input (bsc#1169511). - CVE-2020-2767: Fixed an incorrect handling of certificate messages during TLS handshakes (bsc#1169511). - CVE-2020-2773: Fixed the incorrect handling of exceptions thrown by unmarshalKeyInfo() and unmarshalXMLSignature() (bsc#1169511). - CVE-2020-2778: Fixed the incorrect handling of SSLParameters in setAlgorithmConstraints(), which could have been abused to override the defined systems security policy and lead to the use of weak crypto algorithms (bsc#1169511). - CVE-2020-2781: Fixed the incorrect re-use of single null TLS sessions (bsc#1169511). - CVE-2020-2800: Fixed an HTTP header injection issue caused by mishandling of CR/LF in header values (bsc#1169511). - CVE-2020-2803: Fixed a boundary check and type check issue that could have led to a sandbox bypass (bsc#1169511). - CVE-2020-2805: Fixed a boundary check and type check issue that could have led to a sandbox bypass (bsc#1169511). - CVE-2020-2816: Fixed an incorrect handling of application data packets during TLS handshakes (bsc#1169511). - CVE-2020-2830: Fixed an incorrect handling of regular expressions that could have resulted in denial of service (bsc#1169511). ----------------------------------------- Patch: SUSE-2020-1512 Released: Fri May 29 18:11:37 2020 Summary: Recommended update for unrar_wrapper Severity: important References: 1170792 Description: This update for unrar_wrapper fixes the following issues: - Add missing requirement 'python3-setuptools'. (bsc#1170792) ----------------------------------------- Patch: SUSE-2020-1520 Released: Tue Jun 2 19:53:03 2020 Summary: Recommended update for psqlODBC Severity: moderate References: 1166821 Description: This update for psqlODBC provides the following fixes: - Update to 12.01.0000: * Fix the bug that causes 'Error : A parameter cannot be found that matches parameter name'. + Enclose the command part * Find_VSDir $vc_ver * with parentheses so that the subsequent * -ne '' * isn't considered to be a parameter. * Cope with the removal of pg_class.relhasoids in PG12 correctly when retrieving updatable cursors. - Changes in 12.00.0000: * Fix the bug that SQLGetDescField() for Field SQL_DESC_COUNT returns SQLINTEGER value which should be of type SQLSMALLINT. * SQLGetTypeInfo() filters SQL_TYPE_DATE, SQL_TYPE_TIME and SQL_TYPE_TIMESTAMP for ODBC 2.x applications. * Added support for scalar functions TIMESTAMPADD(), TIMESTAMPDIFF() and EXTRACT(). * The macro IS_NOT_SPACE() is used for not pointers but integers. * Fix a crash bug when SQLProcedureColumns() handles satisfies_hash_partition(). The proargmodes column of satisfies_hash_partition()'s pg_proc entry is not null but the proallargtypes column is null. - Changes in 11.01.0000: * Correct the rgbInfoValue returned by SQLGetInfo(SQL_TIMEDATE_FUNCTIONS, ..). * Because the field 'relhasoids' was dropped in PG12, psqlodbc drivers would have some problems with PG12 servers. * Register drivers {PostgreSQL ANSI} and {PostgreSQL Unicode} during installation on 64bit Windows so that users could use the same connection strings in both x86 and x64 environments. * Correct the rgbInfoValue returned by SQLGetInfo(SQL_LIKE_ESCAPE_CLAUSE, ..). * Fix a typo in SQLForeignKeys-ResultSet-Column. 'deferrablity' should be 'DEFERRABILITY'. * Correct the rgbInfoValue returned by SQLGetInfo(.., SQL_NUMERIC_FUNCTIONS(SQL_SYSTEM_FUNCTIONS or SQL_STRING_FUNCTIONS, ..). * Bug fix: do not forget to set parameter numbers while handling escaped ODBC functions. * Fix test_connection() in setup.c so that settings of conn_settings and pqopt option are reflected properly. - Changes in 11.00.0000: * Remove obsolete maps pointed out. * Remove connSettings option and/or pqopt option from the OutConnectionString parameter of SQLDriverConnect() when each option doesn't exist in InConnectionString parameter. * The parameters should be cast because parameters of concat() function are variadic 'any'. * Add an alias DX of *Database* keyword for connection strings to aviod the use of 'database' keyword which has a special meaning in some apps or middlewares. * Numeric items without precision are unlimited and there's no natural map between SQL data types. Add an option *Numeric(without precision) as* * Fix a bug that SQLSpecialColumns() returns oid/xmin incorrectly when a table does not exist. - Fix build with PostgreSQL 11 that does not have pg_config in the regular devel package anymore. (bsc#1166821) - Changes in 10.03.0000: * Put back the handling of lock_CC_for_rb variable. The variable lock_CC_for_rb should be held per connection. * Fix SQLGetTypeInfo() so that it filters SQL_TYPE_DATE, SQL_TYPE_TIME or SQL_TYPE_TIMESTAMP for ODBC 2.x applications. * Revise ConfigDSN() so that it handles the 4th parameter(lpszAttribues) correctly. * Fix a crash bug when handling error messages. Also modified some error messages. * Let SQLTables() or SQLTablePrivileges() show partition tables. * Fix build on Solaris defined(__SUNPRO_C) using Solaris Studio. * Reduce DB access to pg_class or pg_index by caching relhasoids, relhassubclass etc. It would improve the performance of SQLSetPos() or SQLBulkOperations() very much in some cases. - Changes in 10.02.0000: * It's safer to call setlocale(LC_CTYPE, '') than calling setlocale(LC_ALL, '') * Avoid replacing effective notice messages. * Handle MALLOC/REALLOC errors while fetching tuples more effectively. * Make SQLSetPos(SQL_DELETE/SQL_REFRESH) more effective. Because queries calling currtid(2) like select .. from .. where ctid=currtid2(.., ..) cause Seq Scan, their execution may be very slow. It is better to execute queries using subqueries like select .. from .. where ctid=(select currtid2(.., ..)) because they cause Tid Scan. * Fix a crash bug in AddDeleted(). ----------------------------------------- Patch: SUSE-2020-1527 Released: Wed Jun 3 13:34:59 2020 Summary: Optional update for alsa-plugins Severity: low References: 1171586 Description: This update for alsa-plugins doesn't fix any user visible issues, but changes the way the package is being built. An installation is optional and not required. (bsc#1171586, jsc#SLE-11987) ----------------------------------------- Patch: SUSE-2020-1542 Released: Thu Jun 4 13:24:37 2020 Summary: Recommended update for timezone Severity: moderate References: 1172055 Description: This update for timezone fixes the following issue: - zdump --version reported 'unknown' (bsc#1172055) ----------------------------------------- Patch: SUSE-2020-1551 Released: Mon Jun 8 09:31:41 2020 Summary: Security update for vim Severity: moderate References: 1172225,CVE-2019-20807 Description: This update for vim fixes the following issues: - CVE-2019-20807: Fixed an issue where escaping from the restrictive mode of vim was possible using interfaces (bsc#1172225). ----------------------------------------- Patch: SUSE-2020-1553 Released: Mon Jun 8 09:32:53 2020 Summary: Security update for libexif Severity: moderate References: 1055857,1059893,1120943,1160770,1171475,1171847,1172105,1172116,1172121,CVE-2016-6328,CVE-2017-7544,CVE-2018-20030,CVE-2019-9278,CVE-2020-0093,CVE-2020-12767,CVE-2020-13112,CVE-2020-13113,CVE-2020-13114 Description: This update for libexif to 0.6.22 fixes the following issues: Security issues fixed: - CVE-2016-6328: Fixed an integer overflow in parsing MNOTE entry data of the input file (bsc#1055857). - CVE-2017-7544: Fixed an out-of-bounds heap read vulnerability in exif_data_save_data_entry function in libexif/exif-data.c (bsc#1059893). - CVE-2018-20030: Fixed a denial of service by endless recursion (bsc#1120943). - CVE-2019-9278: Fixed an integer overflow (bsc#1160770). - CVE-2020-0093: Fixed an out-of-bounds read in exif_data_save_data_entry (bsc#1171847). - CVE-2020-12767: Fixed a divide-by-zero error in exif_entry_get_value (bsc#1171475). - CVE-2020-13112: Fixed a time consumption DoS when parsing canon array markers (bsc#1172121). - CVE-2020-13113: Fixed a potential use of uninitialized memory (bsc#1172105). - CVE-2020-13114: Fixed various buffer overread fixes due to integer overflows in maker notes (bsc#1172116). Non-security issues fixed: - libexif was updated to version 0.6.22: * New translations: ms * Updated translations for most languages * Some useful EXIF 2.3 tag added: * EXIF_TAG_GAMMA * EXIF_TAG_COMPOSITE_IMAGE * EXIF_TAG_SOURCE_IMAGE_NUMBER_OF_COMPOSITE_IMAGE * EXIF_TAG_SOURCE_EXPOSURE_TIMES_OF_COMPOSITE_IMAGE * EXIF_TAG_GPS_H_POSITIONING_ERROR * EXIF_TAG_CAMERA_OWNER_NAME * EXIF_TAG_BODY_SERIAL_NUMBER * EXIF_TAG_LENS_SPECIFICATION * EXIF_TAG_LENS_MAKE * EXIF_TAG_LENS_MODEL * EXIF_TAG_LENS_SERIAL_NUMBER ----------------------------------------- Patch: SUSE-2020-1560 Released: Mon Jun 8 12:08:28 2020 Summary: Recommended update for llvm7 Severity: low References: 1171512 Description: This update for llvm7 fixes the following issues: -Fix for build failures when using 'llvm7' on i586. (bsc#1171512) ----------------------------------------- Patch: SUSE-2020-1569 Released: Tue Jun 9 11:13:16 2020 Summary: Security update for java-1_8_0-openjdk Severity: important References: 1160398,1169511,1171352,CVE-2020-2754,CVE-2020-2755,CVE-2020-2756,CVE-2020-2757,CVE-2020-2773,CVE-2020-2781,CVE-2020-2800,CVE-2020-2803,CVE-2020-2805,CVE-2020-2830 Description: This update for java-1_8_0-openjdk to version jdk8u252 fixes the following issues: - CVE-2020-2754: Forward references to Nashorn (bsc#1169511) - CVE-2020-2755: Improve Nashorn matching (bsc#1169511) - CVE-2020-2756: Better mapping of serial ENUMs (bsc#1169511) - CVE-2020-2757: Less Blocking Array Queues (bsc#1169511) - CVE-2020-2773: Better signatures in XML (bsc#1169511) - CVE-2020-2781: Improve TLS session handling (bsc#1169511) - CVE-2020-2800: Better Headings for HTTP Servers (bsc#1169511) - CVE-2020-2803: Enhance buffering of byte buffers (bsc#1169511) - CVE-2020-2805: Enhance typing of methods (bsc#1169511) - CVE-2020-2830: Better Scanner conversions (bsc#1169511) - Ignore whitespaces after the header or footer in PEM X.509 cert (bsc#1171352) ----------------------------------------- Patch: SUSE-2020-1582 Released: Tue Jun 9 18:20:10 2020 Summary: Security update for rubygem-bundler Severity: moderate References: 1143436,CVE-2019-3881 Description: This update for rubygem-bundler fixes the following issue: - CVE-2019-3881: Fixed insecure permissions on a directory in /tmp/ that allowed malicious code execution (bsc#1143436). ----------------------------------------- Patch: SUSE-2020-1616 Released: Fri Jun 12 10:51:28 2020 Summary: Recommended update for SAPHanaSR-ScaleOut Severity: moderate References: 1156067,1156150,1157685 Description: This update for SAPHanaSR-ScaleOut fixes the following issues: - Restart 'sapstartsrv' service on master nameserver node. (bsc#1156150) - Use a fall-back scoring for the master nameserver nodes, if the current roles of the node(s) got lost. (bsc#1156067) - SAPHanaSR-ScaleOut-doc will no longer be installable when SAPHanaSR-doc is installed (bsc#1157685) ----------------------------------------- Patch: SUSE-2020-1631 Released: Wed Jun 17 09:53:58 2020 Summary: Recommended update for fonts-config Severity: important References: 1049056,1092737,1101985,1106850,1111791,1172022 Description: This update for fonts-config fixes the following issues: - Update version from 20160921 to version 20200609+git0.42e2b1b * Check if it's required to use some default settings in /etc/sysconfig/fonts-config. (bsc#1172022) * Add variable to allow fonts-config to update default settings * Fix en-US, en-GB font matching. * Allow non-ASCII letters in font names. (bsc#1049056, bsc#1101985). * Update subpixel rendering config * Fix misspelling in configuration file. (bsc#1111791) * Fix wrong visualization for special characters and numbers. (bsc#1092737) * Support color emoji * Modern fonts for symbol * Add configurations for Noto Sans/Serif CJK * No longer create encodings.dir in /usr/share/fonts/encodings/ (bsc#1106850) ----------------------------------------- Patch: SUSE-2020-1635 Released: Wed Jun 17 14:20:56 2020 Summary: Recommended update for susemanager-cloud-setup Severity: important References: 1172645 Description: This update for susemanager-cloud-setup contains the following fix: - Update to version 1.5: * adapt to new azuremetadata output (bsc#1172645) ----------------------------------------- Patch: SUSE-2020-1657 Released: Thu Jun 18 10:49:53 2020 Summary: Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork Severity: moderate References: 1172377,CVE-2020-13401 Description: This update for containerd, docker, docker-runc, golang-github-docker-libnetwork fixes the following issues: Docker was updated to 19.03.11-ce runc was updated to version 1.0.0-rc10 containerd was updated to version 1.2.13 - CVE-2020-13401: Fixed an issue where an attacker with CAP_NET_RAW capability, could have crafted IPv6 router advertisements, and spoof external IPv6 hosts, resulting in obtaining sensitive information or causing denial of service (bsc#1172377). ----------------------------------------- Patch: SUSE-2020-1677 Released: Thu Jun 18 18:16:39 2020 Summary: Security update for mozilla-nspr, mozilla-nss Severity: important References: 1159819,1169746,1171978,CVE-2019-17006,CVE-2020-12399 Description: This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nss was updated to version 3.53 - CVE-2020-12399: Fixed a timing attack on DSA signature generation (bsc#1171978). - CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819). Release notes: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.53_release_notes mozilla-nspr to version 4.25 ----------------------------------------- Patch: SUSE-2020-1684 Released: Fri Jun 19 09:48:36 2020 Summary: Security update for java-1_8_0-ibm Severity: important References: 1160968,1169511,1171352,1172277,CVE-2019-2949,CVE-2020-2654,CVE-2020-2754,CVE-2020-2755,CVE-2020-2756,CVE-2020-2757,CVE-2020-2781,CVE-2020-2800,CVE-2020-2803,CVE-2020-2805,CVE-2020-2830 Description: This update for java-1_8_0-ibm fixes the following issues: java-1_8_0-ibm was updated to Java 8.0 Service Refresh 6 Fix Pack 10 (bsc#1172277,bsc#1169511,bsc#1160968) - CVE-2020-2654: Fixed an issue which could have resulted in unauthorized ability to cause a partial denial of service - CVE-2020-2754: Forwarded references to Nashorn - CVE-2020-2755: Improved Nashorn matching - CVE-2020-2756: Improved mapping of serial ENUMs - CVE-2020-2757: Less Blocking Array Queues - CVE-2020-2781: Improved TLS session handling - CVE-2020-2800: Improved Headings for HTTP Servers - CVE-2020-2803: Enhanced buffering of byte buffers - CVE-2020-2805: Enhanced typing of methods - CVE-2020-2830: Improved Scanner conversions - CVE-2019-2949: Fixed an issue which could have resulted in unauthorized access to critical data - Added RSA PSS SUPPORT TO IBMPKCS11IMPL - The pack200 and unpack200 alternatives should be slaves of java (bsc#1171352). ----------------------------------------- Patch: SUSE-2020-1695 Released: Fri Jun 19 14:54:47 2020 Summary: Security update for osc Severity: moderate References: 1122675,CVE-2019-3681 Description: This update for osc to 0.169.1 fixes the following issues: Security issue fixed: - CVE-2019-3681: Fixed an insufficient validation of network-controlled filesystem paths (bsc#1122675). Non-security issues fixed: - Improved the speed and usability of osc bash completion. - improved some error messages. - osc add: support git@ (private github) or git:// URLs correctly. - Split dependson and whatdependson commands. - Added support for osc build --shell-cmd. - Added pkg-ccache support for osc build. - Added --ccache option to osc getbinaries ----------------------------------------- Patch: SUSE-2020-1704 Released: Mon Jun 22 11:21:12 2020 Summary: Recommended update for susefirewall2-to-firewalld Severity: moderate References: 1170461 Description: This update for susefirewall2-to-firewalld fixes the following issues: - Fixed 'INVALID_PORT' error message with certain SuSEfirewall2 configurations (bsc#1170461). ----------------------------------------- Patch: SUSE-2020-1706 Released: Mon Jun 22 14:34:34 2020 Summary: Recommended update for susemanager-cloud-setup Severity: important References: 1172838 Description: This update for susemanager-cloud-setup contains the following fix: - Update to version 1.6 * suma-storage: handle /var/spacewalk correctly. (bsc#1172838) ----------------------------------------- Patch: SUSE-2020-1707 Released: Tue Jun 23 10:02:48 2020 Summary: Recommended update for gnu-free-fonts Severity: moderate References: 1170856 Description: This update for gnu-free-fonts fixes the following issue: - Fix building with fontforge 20190801. (bsc#1170856) ----------------------------------------- Patch: SUSE-2020-1727 Released: Tue Jun 23 15:33:07 2020 Summary: Recommended update for python3-gcemetadata Severity: moderate References: 1173136 Description: This update for python3-gcemetadata fixes the following issues: Update to version 1.0.4 (bsc#1173136) - Fixed typo, missing '=' for 'identity' option in processed command line options causes mis-identification of instance as missing identity data access ----------------------------------------- Patch: SUSE-2020-1730 Released: Wed Jun 24 09:41:15 2020 Summary: Security update for libssh2_org Severity: moderate References: 1154862,CVE-2019-17498 Description: This update for libssh2_org fixes the following issue: - CVE-2019-17498: Fixed an integer overflow in a bounds check that might have led to the disclosure of sensitive information or a denial of service (bsc#1154862). ----------------------------------------- Patch: SUSE-2020-1771 Released: Fri Jun 26 08:04:23 2020 Summary: Security update for mutt Severity: important References: 1172906,1172935,1173197,CVE-2020-14093,CVE-2020-14154,CVE-2020-14954 Description: This update for mutt fixes the following issues: - CVE-2020-14954: Fixed a response injection due to a STARTTLS buffering issue which was affecting IMAP, SMTP, and POP3 (bsc#1173197). - CVE-2020-14093: Fixed a potential IMAP Man-in-the-Middle attack via a PREAUTH response (bsc#1172906, bsc#1172935). - CVE-2020-14154: Fixed an issue where Mutt was ignoring an expired certificate and was proceeding with a connection (bsc#1172906, bsc#1172935). ----------------------------------------- Patch: SUSE-2020-1772 Released: Fri Jun 26 08:05:06 2020 Summary: Security update for unbound Severity: important References: 1157268,1171889,CVE-2019-18934,CVE-2020-12662,CVE-2020-12663 Description: This update for unbound fixes the following issues: - CVE-2020-12662: Fixed an issue where unbound could have been tricked into amplifying an incoming query into a large number of queries directed to a target (bsc#1171889). - CVE-2020-12663: Fixed an issue where malformed answers from upstream name servers could have been used to make unbound unresponsive (bsc#1171889). - CVE-2019-18934: Fixed a vulnerability in the IPSec module which could have allowed code execution after receiving a special crafted answer (bsc#1157268). ----------------------------------------- Patch: SUSE-2020-1785 Released: Fri Jun 26 09:26:09 2020 Summary: Recommended update for perl-TimeDate Severity: moderate References: 1172834 Description: This update for perl-TimeDate fixes the following issue: - Parse out the century if specified (strptime). (bsc#1172834) ----------------------------------------- Patch: SUSE-2020-1801 Released: Tue Jun 30 13:07:01 2020 Summary: Recommended update for zeromq Severity: low References: 1171566 Description: This update of zeromq fixes the following issue. - the libzmq5-32bit package is shipped on x86_64 platforms. (bsc#1171566) ----------------------------------------- Patch: SUSE-2020-1802 Released: Tue Jun 30 13:15:44 2020 Summary: Recommended update for ucode-intel Severity: moderate References: 1172466,1172856 Description: This update for ucode-intel fixes the following issues: Updated Intel CPU Microcode to 20200616 official release (bsc#1172856) - revert 06-4e-03 Skylake U/Y, U23e ucode back to 000000d6 release - revert 06-5e-03 Skylake H/S ucode back to 000000d6 release, as both cause stability issues. (bsc#1172856) Updated Intel CPU Microcode to 20200609 official release (bsc#1172466) - no changes to 20200602 prerelease ----------------------------------------- Patch: SUSE-2020-1823 Released: Thu Jul 2 11:32:22 2020 Summary: Security update for ntp Severity: moderate References: 1125401,1169740,1171355,1172651,1173334,992038,CVE-2018-8956,CVE-2020-11868,CVE-2020-13817,CVE-2020-15025 Description: This update for ntp fixes the following issues: ntp was updated to 4.2.8p15 - CVE-2020-11868: Fixed an issue which a server mode packet with spoofed source address frequently send to the client ntpd could have caused denial of service (bsc#1169740). - CVE-2018-8956: Fixed an issue which could have allowed remote attackers to prevent a broadcast client from synchronizing its clock with a broadcast NTP server via spoofed mode 3 and mode 5 packets (bsc#1171355). - CVE-2020-13817: Fixed an issue which an off-path attacker with the ability to query time from victim's ntpd instance could have modified the victim's clock by a limited amount (bsc#1172651). - CVE-2020-15025: Fixed an issue which remote attacker could have caused denial of service by consuming the memory when a CMAC key was used andassociated with a CMAC algorithm in the ntp.keys (bsc#1173334). - Removed an OpenSSL version warning (bsc#992038 and bsc#1125401). ----------------------------------------- Patch: SUSE-2020-1843 Released: Mon Jul 6 12:13:40 2020 Summary: Security update for nasm Severity: moderate References: 1084631,1086186,1086227,1086228,1090519,1090840,1106878,1107592,1107594,1108404,1115758,1115774,1115795,1173538,CVE-2018-1000667,CVE-2018-10016,CVE-2018-10254,CVE-2018-10316,CVE-2018-16382,CVE-2018-16517,CVE-2018-16999,CVE-2018-19214,CVE-2018-19215,CVE-2018-19216,CVE-2018-8881,CVE-2018-8882,CVE-2018-8883 Description: This update for nasm fixes the following issues: nasm was updated to version 2.14.02. This allows building of Mozilla Firefox 78ESR and also contains lots of bugfixes, security fixes and improvements. * Fix crash due to multiple errors or warnings during the code generation pass if a list file is specified. * Create all system-defined macros defore processing command-line given preprocessing directives (-p, -d, -u, --pragma, --before). * If debugging is enabled, define a __DEBUG_FORMAT__ predefined macro. See section 4.11.7. * Fix an assert for the case in the obj format when a SEG operator refers to an EXTERN symbol declared further down in the code. * Fix a corner case in the floating-point code where a binary, octal or hexadecimal floating-point having at least 32, 11, or 8 mantissa digits could produce slightly incorrect results under very specific conditions. * Support -MD without a filename, for gcc compatibility. -MF can be used to set the dependencies output filename. See section 2.1.7. * Fix -E in combination with -MD. See section 2.1.21. * Fix missing errors on redefined labels; would cause convergence failure instead which is very slow and not easy to debug. * Duplicate definitions of the same label with the same value is now explicitly permitted (2.14 would allow it in some circumstances.) * Add the option --no-line to ignore %line directives in the source. See section 2.1.33 and section 4.10.1. * Changed -I option semantics by adding a trailing path separator unconditionally. * Fixed null dereference in corrupted invalid single line macros. * Fixed division by zero which may happen if source code is malformed. * Fixed out of bound access in processing of malformed segment override. * Fixed out of bound access in certain EQU parsing. * Fixed buffer underflow in float parsing. * Added SGX (Intel Software Guard Extensions) instructions. * Added +n syntax for multiple contiguous registers. * Fixed subsections_via_symbols for macho object format. * Added the --gprefix, --gpostfix, --lprefix, and --lpostfix command line options, to allow command line base symbol renaming. See section 2.1.28. * Allow label renaming to be specified by %pragma in addition to from the command line. See section 6.9. * Supported generic %pragma namespaces, output and debug. See section 6.10. * Added the --pragma command line option to inject a %pragma directive. See section 2.1.29. * Added the --before command line option to accept preprocess statement before input. See section 2.1.30. * Added AVX512 VBMI2 (Additional Bit Manipulation), VNNI (Vector Neural Network), BITALG (Bit Algorithm), and GFNI (Galois Field New Instruction) instructions. * Added the STATIC directive for local symbols that should be renamed using global-symbol rules. See section 6.8. * Allow a symbol to be defined as EXTERN and then later overridden as GLOBAL or COMMON. Furthermore, a symbol declared EXTERN and then defined will be treated as GLOBAL. See section 6.5. * The GLOBAL directive no longer is required to precede the definition of the symbol. * Support private_extern as macho specific extension to the GLOBAL directive. See section 7.8.5. * Updated UD0 encoding to match with the specification * Added the --limit-X command line option to set execution limits. See section 2.1.31. * Updated the Codeview version number to be aligned with MASM. * Added the --keep-all command line option to preserve output files. See section 2.1.32. * Added the --include command line option, an alias to -P (section 2.1.18). * Added the --help command line option as an alias to -h (section 3.1). * Added -W, -D, and -Q suffix aliases for RET instructions so the operand sizes of these instructions can be encoded without using o16, o32 or o64. New upstream version 2.13.03: * Add flags: AES, VAES, VPCLMULQDQ * Add VPCLMULQDQ instruction * elf: Add missing dwarf loc section * documentation updates ----------------------------------------- Patch: SUSE-2020-1852 Released: Mon Jul 6 16:50:23 2020 Summary: Recommended update for fontforge, ghostscript-fonts, ttf-converter, xorg-x11-fonts Severity: moderate References: 1169444 Description: This update for fontforge, ghostscript-fonts, ttf-converter, xorg-x11-fonts fixes the following issues: Changes in fontforge: - Support transforming bitmap glyphs from python. (bsc#1169444) - Allow python-Sphinx >= 3 Changes in ttf-converter: - Update from version 1.0 to version 1.0.6: * ftdump is now shipped additionally as new dependency for ttf-converter * Standardize output when converting vector and bitmap fonts * Add more subfamilies fixes (bsc#1169444) * Add --family and --subfamily arguments to force values on those fields * Add parameters to fix glyph unicode values --fix-glyph-unicode : Try to fix unicode points and glyph names based on glyph names containing hexadecimal codes (like '$0C00', 'char12345' or 'uni004F') --replace-unicode-values: When passed 2 comma separated numbers a,b the glyph with an unicode value of a is replaced with the unicode value b. Can be used more than once. --shift-unicode-values: When passed 3 comma separated numbers a,b,c this shifts the unicode values of glyphs between a and b (both included) by adding c. Can be used more than once. * Add --bitmapTransform parameter to transform bitmap glyphs. (bsc#1169444) When used, all glyphs are modified with the transformation function and values passed as parameters. The parameter has three values separated by commas: fliph|flipv|rotate90cw|rotate90ccw|rotate180|skew|transmove,xoff,yoff * Add support to convert bitmap fonts (bsc#1169444) * Rename MediumItalic subfamily to Medium Italic * Show some more information when removing duplicated glyphs * Add a --force-monospaced argument instead of hardcoding font names * Convert `BoldCond` subfamily to `Bold Condensed` * Fixes for Monospaced fonts and force the Nimbus Mono L font to be Monospaced. (bsc#1169444 #c41) * Add a --version argument * Fix subfamily names so the converted font's subfamily match the original ones. (bsc#1169444 #c41) Changes in xorg-x11-fonts: - Use ttf-converter 1.0.6 to build an Italic version of cu12.pcf.gz in the converted subpackage - Include the subfamily in the filename of converted fonts - Use ttf-converter's new bitmap font support to convert Schumacher Clean and Schumacher Clean Wide (bsc#1169444 #c41) - Replace some unicode values in cu-pua12.pcf.gz to fix them - Shift some unicode values in arabic24.pcf.gz and cuarabic12.pcf.gz so glyphs don't pretend to be latin characters when they're not. - Don't distribute converted fonts with wrong unicode values in their glyphs. (bsc#1169444) Bitstream-Charter-*.otb, Cursor.ttf,Sun-OPEN-LOOK-*.otb, MUTT-ClearlyU-Devangari-Extra-Regular, MUTT-ClearlyU-Ligature-Wide-Regular, and MUTT-ClearlyU-Devanagari-Regular Changes in ghostscript-fonts: - Force the converted Nimbus Mono font to be monospaced. (bsc#1169444 #c41) Use the --force-monospaced argument of ttf-converter 1.0.3 ----------------------------------------- Patch: SUSE-2020-1870 Released: Tue Jul 7 15:13:13 2020 Summary: Recommended update for llvm9 Severity: moderate References: 1173202 Description: This update for llvm9 fixes the following issues: - Fix miscompilations with rustc 1.43 that lead to LTO failures (bsc#1173202) ----------------------------------------- Patch: SUSE-2020-1871 Released: Tue Jul 7 15:14:11 2020 Summary: Recommended update for llvm7 Severity: moderate References: 1173202 Description: This update for llvm7 fixes the following issues: - Fix miscompilations with rustc 1.43 that lead to LTO failures (bsc#1173202) ----------------------------------------- Patch: SUSE-2020-1885 Released: Fri Jul 10 14:54:22 2020 Summary: Recommended update for cloud-init Severity: moderate References: 1170154,1171546,1171995 Description: This update for cloud-init contains the following fixes: - rsyslog warning, '~' is deprecated: (bsc#1170154) + replace deprecated syntax '& ~' by '& stop' for more information please see https://www.rsyslog.com/rsyslog-error-2307/. + Explicitly test for netconfig version 1 as well as 2. + Handle netconfig v2 device configurations (bsc#1171546, bsc#1171995) ----------------------------------------- Patch: SUSE-2020-1894 Released: Mon Jul 13 10:40:16 2020 Summary: Optional update for python-Cerberus Severity: moderate References: 1121858,1173465 Description: This update for python-Cerberus fixes the following issues: - Update to version 1.3.2 * includes various features and improvements - please refer to the changelog for a detailed technical list of changes ----------------------------------------- Patch: SUSE-2020-1903 Released: Tue Jul 14 15:46:28 2020 Summary: Recommended update for lifecycle-data-sle-module-desktop-productivity Severity: moderate References: 1173407 Description: This update for lifecycle-data-sle-module-desktop-productivity fixes the following issues: - Update lifecycle data, most of python2 is now in its own module. (bsc#1173407) - Ensure package is installed with its corresponding module when lifecycle package is installed. (bsc#1173407) ----------------------------------------- Patch: SUSE-2020-1905 Released: Tue Jul 14 15:56:17 2020 Summary: Recommended update for lifecycle-data-sle-module-basesystem Severity: moderate References: 1173407 Description: This update for lifecycle-data-sle-module-basesystem fixes the following issues: - Update lifecycle data, most of python2 is now in its own module. (bsc#1173407) - Ensure package is installed with its corresponding module when lifecycle package is installed. (bsc#1173407) ----------------------------------------- Patch: SUSE-2020-1906 Released: Tue Jul 14 15:58:16 2020 Summary: Recommended update for lifecycle-data-sle-module-development-tools Severity: moderate References: 1173407 Description: This update for lifecycle-data-sle-module-development-tools fixes the following issue: - Ensure package is installed with its corresponding module when lifecycle package is installed. (bsc#1173407) ----------------------------------------- Patch: SUSE-2020-1907 Released: Tue Jul 14 16:01:25 2020 Summary: Recommended update for lifecycle-data-sle-module-hpc Severity: moderate References: 1173407 Description: This update for lifecycle-data-sle-module-hpc fixes the following issues: - Update lifecycle data, most of python2 is now in its own module. (bsc#1173407) - Ensure package is installed with its corresponding module when lifecycle package is installed. (bsc#1173407) ----------------------------------------- Patch: SUSE-2020-1908 Released: Tue Jul 14 16:03:22 2020 Summary: Recommended update for lifecycle-data-sle-module-server-applications Severity: moderate References: 1173407 Description: This update for lifecycle-data-sle-module-server-applications fixes the following issues: - Update lifecycle data, no python2 module are shipped in this module. (bsc#1173407) - Ensure package is installed with its corresponding module when lifecycle package is installed. (bsc#1173407) ----------------------------------------- Patch: SUSE-2020-1909 Released: Tue Jul 14 16:05:26 2020 Summary: Recommended update for lifecycle-data-sle-module-desktop-applications Severity: moderate References: 1173407 Description: This update for lifecycle-data-sle-module-desktop-applications fixes the following issues: - Update lifecycle data, all python2 packages in desktop applications module are in python2 module. (bsc#1173407) - Ensure package is installed with its corresponding module when lifecycle package is installed. (bsc#1173407) ----------------------------------------- Patch: SUSE-2020-1915 Released: Wed Jul 15 09:34:15 2020 Summary: Security update for slirp4netns Severity: important References: 1172380,CVE-2020-10756 Description: This update for slirp4netns fixes the following issues: - Update to 0.4.7 (bsc#1172380) * libslirp: update to v4.3.1 (Fix CVE-2020-10756) * Fix config_from_options() to correctly enable ipv6 ----------------------------------------- Patch: SUSE-2020-1919 Released: Wed Jul 15 10:56:06 2020 Summary: Security update for rubygem-puma Severity: moderate References: 1172175,1172176,CVE-2020-11076,CVE-2020-11077 Description: This update for rubygem-puma to version 4.3.5 fixes the following issues: - CVE-2020-11077: Fixed a HTTP smuggling issue related to proxy usage (bsc#1172175). - CVE-2020-11076: Fixed a HTTP smuggling issue when using an invalid transfer-encoding header (bsc#1172176). - Disabled TLSv1.0 and TLSv1.1 (jsc#SLE-6965). ----------------------------------------- Patch: SUSE-2020-1930 Released: Wed Jul 15 15:05:07 2020 Summary: Security update for openconnect Severity: moderate References: 1171862,CVE-2020-12823 Description: This update for openconnect fixes the following issues: - CVE-2020-12823: Fixed a buffer overflow via crafted certificate data which could have led to denial of service (bsc#1171862). ----------------------------------------- Patch: SUSE-2020-1931 Released: Wed Jul 15 15:05:43 2020 Summary: Security update for openexr Severity: moderate References: 1173466,1173467,1173469,CVE-2020-15304,CVE-2020-15305,CVE-2020-15306 Description: This update for openexr fixes the following issues: - CVE-2020-15304: Fixed a NULL pointer dereference in TiledInputFile:TiledInputFile() (bsc#1173466). - CVE-2020-15305: Fixed a use-after-free in DeepScanLineInputFile:DeepScanLineInputFile() (bsc#1173467). - CVE-2020-15306: Fixed a heap buffer overflow in getChunkOffsetTableSize() (bsc#1173469). ----------------------------------------- Patch: SUSE-2020-1934 Released: Wed Jul 15 15:07:30 2020 Summary: Security update for google-compute-engine Severity: important References: 1169978,1173258,CVE-2020-8903,CVE-2020-8907,CVE-2020-8933 Description: This update for google-compute-engine fixes the following issues: - Don't enable and start google-network-daemon.service when it's already installed (bsc#1169978) + Do not add the created user to the adm (CVE-2020-8903), docker (CVE-2020-8907), or lxd (CVE-2020-8933) groups if they exist (bsc#1173258) ----------------------------------------- Patch: SUSE-2020-1935 Released: Wed Jul 15 16:25:57 2020 Summary: Recommended update for azure-li-services Severity: moderate References: Description: This update for azure-li-services fixes the following issues: - Update the motd to reflect the new link for the SUSE forums. - Add prometheus monitoring modules. (jsc#SLE-10545, jsc#SLE-10902, jsc#SLE-10903, jsc#ECO-817, jsc#ECO-818. - Added devel package auto submission - Deployment of HANA Scale-up Performance Optimized Scenario from Salt. (jsc#SLE-11453) - Automate setup of DRBD NFS-Share in SALT and Terraform. (jsc#SLE-11454) ----------------------------------------- Patch: SUSE-2020-1944 Released: Fri Jul 17 13:50:40 2020 Summary: Security update for ant Severity: moderate References: 1171696,CVE-2020-1945 Description: This update for ant fixes the following issues: - CVE-2020-1945: Fixed an inseure temorary file vulnerability which could have potentially leaked sensitive information (bsc#1171696). ----------------------------------------- Patch: SUSE-2020-1954 Released: Sat Jul 18 03:07:15 2020 Summary: Recommended update for cracklib Severity: moderate References: 1172396 Description: This update for cracklib fixes the following issues: - Fixed a buffer overflow when processing long words. ----------------------------------------- Patch: SUSE-2020-1957 Released: Mon Jul 20 13:47:31 2020 Summary: Security update for cni-plugins Severity: moderate References: 1172410,CVE-2020-10749 Description: This update for cni-plugins fixes the following issues: cni-plugins updated to version 0.8.6 - CVE-2020-10749: Fixed a potential Man-in-the-Middle attacks in IPv4 clusters by spoofing IPv6 router advertisements (bsc#1172410). Release notes: https://github.com/containernetworking/plugins/releases/tag/v0.8.6 ----------------------------------------- Patch: SUSE-2020-1979 Released: Tue Jul 21 02:41:47 2020 Summary: Recommended update for golang-github-prometheus-node_exporter Severity: moderate References: 1143913 Description: This update for golang-github-prometheus-node_exporter fixes the following issues: - Update from version 0.17.0 to version 0.18.1 (jsc#ECO-2110) 0.18.1 / 2019-06-04 * [BUGFIX] Fix incorrect sysctl call in BSD meminfo collector, resulting in broken swap metrics on FreeBSD * [BUGFIX] Fix rollover bug in mountstats collector 0.18.0 / 2019-05-09 * Renamed interface label to device in netclass collector for consistency with other network metrics * The cpufreq metrics now separate the cpufreq and scaling data based on what the driver provides. * The labels for the network_up metric have changed * Bonding collector now uses mii_status instead of operstatus * Several systemd metrics have been turned off by default to improve performance * These include unit_tasks_current, unit_tasks_max, service_restart_total, and unit_start_time_seconds * The systemd collector blacklist now includes automount, device, mount, and slice units by default. * [CHANGE] Bonding state uses mii_status * [CHANGE] Add a limit to the number of in-flight requests * [CHANGE] Renamed interface label to device in netclass collector * [CHANGE] Add separate cpufreq and scaling metrics * [CHANGE] Several systemd metrics have been turned off by default to improve performance * [CHANGE] Expand systemd collector blacklist * [CHANGE] Split cpufreq metrics into a separate collector * [FEATURE] Add a flag to disable exporter metrics * [FEATURE] Add kstat-based Solaris metrics for boottime, cpu and zfs collectors * [FEATURE] Add uname collector for FreeBSD * [FEATURE] Add diskstats collector for OpenBSD * [FEATURE] Add pressure collector exposing pressure stall information for Linux * [FEATURE] Add perf exporter for Linux * [ENHANCEMENT] Add Infiniband counters * [ENHANCEMENT] Add TCPSynRetrans to netstat default filter * [ENHANCEMENT] Move network_up labels into new metric network_info * [ENHANCEMENT] Use 64-bit counters for Darwin netstat * [BUGFIX] Add fallback for missing /proc/1/mounts * [BUGFIX] Fix node_textfile_mtime_seconds to work properly on symlinks - Add network-online (Wants and After) dependency to systemd unit. (bsc#1143913) ----------------------------------------- Patch: SUSE-2020-1983 Released: Tue Jul 21 08:31:44 2020 Summary: Security update for tomcat Severity: important References: 1173389,CVE-2020-11996 Description: This update for tomcat fixes the following issues: Tomcat was updated to 9.0.36 See changelog at - CVE-2020-11996: Fixed an issue which by sending a specially crafted sequence of HTTP/2 requests could have triggered high CPU usage for several seconds making potentially the server unresponsive (bsc#1173389). ----------------------------------------- Patch: SUSE-2020-1986 Released: Tue Jul 21 16:06:29 2020 Summary: Recommended update for openvswitch Severity: moderate References: 1172861,1172929 Description: This update for openvswitch fixes the following issues: - Preserve the old default OVS_USER_ID for users that removed the override at /etc/sysconfig/openvswitch. (bsc#1172861) - Fix possible changes of openvswitch configuration during upgrades. (bsc#1172929) ----------------------------------------- Patch: SUSE-2020-2000 Released: Wed Jul 22 09:04:41 2020 Summary: Recommended update for efivar Severity: important References: 1100077,1101023,1120862,1127544 Description: This update for efivar fixes the following issues: - fix logic that checks for UCS-2 string termination (bsc#1127544) - fix casting of IPv4 addresses - Don't require an EUI for NVMe (bsc#1100077) - Add support for ACPI Generic Container and Embedded Controller root nodes (bsc#1101023) - fix for compilation failures bsc#1120862 ----------------------------------------- Patch: SUSE-2020-2002 Released: Wed Jul 22 09:43:24 2020 Summary: Recommended update for lifecycle-data-sle-module-live-patching Severity: moderate References: 1020320 Description: This update for lifecycle-data-sle-module-live-patching fixes the following issues: - Live kernel patching update data for 4_12_14-150_52, 4_12_14-197_45. (bsc#1020320) ----------------------------------------- Patch: SUSE-2020-2006 Released: Wed Jul 22 16:00:52 2020 Summary: Recommended update for postgresql, postgresql12 Severity: moderate References: 1148643,1171924 Description: This update for postgresql, postgresql12 fixes the following issues: Postgresql12 was updated to 12.3 (bsc#1171924). - https://www.postgresql.org/about/news/2038/ - https://www.postgresql.org/docs/12/release-12-3.html - Let postgresqlXX conflict with postgresql-noarch < 12.0.1 to get a clean and complete cutover to the new packaging schema. Also changed in the postgresql wrapper package: - Bump version to 12.0.1, so that the binary packages also have a cut-point to conflict with. - Conflict with versions of the binary packages prior to the May 2020 update, because we changed the package layout at that point and need a clean cutover. - Bump package version to 12, but leave default at 10 for SLE-15 and SLE-15-SP1. ----------------------------------------- Patch: SUSE-2020-2025 Released: Thu Jul 23 13:32:32 2020 Summary: Security update for perl-YAML-LibYAML Severity: moderate References: 1173703 Description: This update for perl-YAML-LibYAML fixes the following issues: perl-YAML-LibYAML was updated to 0.69: [bsc#1173703] * Security fix: Add $LoadBlessed option to turn on/off loading objects: Default is set to true. Note that, the behavior is unchanged. * Clarify documentation about exported functions * Dump() was modifying original data, adding a PV to numbers * Support standard tags !!str, !!map and !!seq instead of dying. * Support JSON::PP::Boolean and boolean.pm via $YAML::XS::Boolean. * Fix regex roundtrip. Fix loading of many regexes. ----------------------------------------- Patch: SUSE-2020-2029 Released: Thu Jul 23 13:50:04 2020 Summary: Security update for libraw Severity: moderate References: 1173674,CVE-2020-15503 Description: This update for libraw fixes the following issues: - security update - added patches fix CVE-2020-15503 [bsc#1173674], lack of thumbnail size range check can lead to buffer overflow + libraw-CVE-2020-15503.patch ----------------------------------------- Patch: SUSE-2020-2042 Released: Fri Jul 24 13:59:31 2020 Summary: Recommended update for SAPHanaSR Severity: moderate References: 1173581 Description: This update for SAPHanaSR fixes the following issues: - Fix for log empty site names, but do not generate bad formatted cluster attribute name. (bsc#1173581) - Fix for documentation of some parameter defaults. - Adjust start/stop/promote/monitor action timeouts to match official recommendations. ----------------------------------------- Patch: SUSE-2020-2047 Released: Fri Jul 24 14:09:14 2020 Summary: Security update for tomcat Severity: important References: 1174117,1174121,CVE-2020-13934,CVE-2020-13935 Description: This update for tomcat fixes the following issues: - Fixed CVEs: * CVE-2020-13934 (bsc#1174121) * CVE-2020-13935 (bsc#1174117) ----------------------------------------- Patch: SUSE-2020-2071 Released: Wed Jul 29 12:47:19 2020 Summary: Recommended update for sapconf Severity: moderate References: 1124453,1139176,1150868,1150870,1166925,1168067,1168840 Description: This update for sapconf fixes the following issues: - Check the values of the 'vm.dirty_*' settings to be in a valid range before activating or restoring these system values. (bsc#1168067) - Add a logrotate drop-in file for sapconf to control the size of the logfile. (bsc#1166925) - Implement and use the system wide security limits. (bsc#1168840) - Add support multi-queued scheduler for block devices. (jsc#SLE-11141, jsc#SLE-11144) - Remove usage of tuned from sapconf (jsc#SLE-10986, jsc#SLE-10989): - Only ONE configuration file for sapconf - All parameters of the tuned profile defined in tuned.conf sapconf - Implement Switching a sapconf profile. - Prevent sapconf related tuned error messages by turning off tuned in the preinstall phase and removing the 'active' sapconf profile. - If sapconf detects an improper tuned profile during start notes that the log, fails the start deliberatly and guides the administrator to the problem. (bsc#1139176) - Use absolute path in the configuration file. (bsc#1124453) - Replace the delimiter for a sed command in postinstall script, because of conflicts with rpm macros. (bsc#1150868, bsc#1150870) ----------------------------------------- Patch: SUSE-2020-2080 Released: Wed Jul 29 20:09:09 2020 Summary: Recommended update for libtool Severity: moderate References: 1171566 Description: This update for libtool provides missing the libltdl 32bit library. (bsc#1171566) ----------------------------------------- Patch: SUSE-2020-2082 Released: Thu Jul 30 09:49:35 2020 Summary: Recommended update for google-guest-agent, google-guest-configs, and google-guest-oslogin Severity: moderate References: 1174304,1174306 Description: The python based packages google-compute-engine-init and google-compute-engine-oslogin were deprecated and are now replaced by the new Go based packages google-guest-agent, google-guest-configs, and google-guest-oslogin (jsc#ECO-2099) ----------------------------------------- Patch: SUSE-2020-2083 Released: Thu Jul 30 10:27:59 2020 Summary: Recommended update for diffutils Severity: moderate References: 1156913 Description: This update for diffutils fixes the following issue: - Disable a sporadically failing test for ppc64 and ppc64le builds. (bsc#1156913) ----------------------------------------- Patch: SUSE-2020-2091 Released: Thu Jul 30 14:55:00 2020 Summary: Recommended update for python-kiwi Severity: moderate References: 1156677,1168973,1172928 Description: This update for python-kiwi fixes the following issues: - Fixed checking for root device in grub config. (bsc#1172928) - Fix for conflicting files of man-pages between different versions. (bsc#1168973, bsc#1156677) ----------------------------------------- Patch: SUSE-2020-2093 Released: Thu Jul 30 14:57:24 2020 Summary: Recommended update for tftpboot-installation-common Severity: low References: 1172161 Description: This update for tftpboot-installation-common fixes the following issues: - Fix typo in service file. (bsc#1172161) ----------------------------------------- Patch: SUSE-2020-2095 Released: Thu Jul 30 17:10:15 2020 Summary: Security update for ghostscript Severity: important References: 1174415,CVE-2020-15900 Description: This update for ghostscript fixes the following issues: - fixed CVE-2020-15900 Memory Corruption (SAFER Sandbox Breakout) cf. https://bugs.ghostscript.com/show_bug.cgi?id=702582 (bsc#1174415) ----------------------------------------- Patch: SUSE-2020-2115 Released: Tue Aug 4 12:12:10 2020 Summary: Recommended update for opus Severity: moderate References: 1172526 Description: This update for opus fixes the following issues: - Fix for an issue when the 'CELTDecoder' can be larger than 21 and cauese crash by builds with custom modes or hardening. (bsc#1172526) ----------------------------------------- Patch: SUSE-2020-2116 Released: Tue Aug 4 15:12:41 2020 Summary: Security update for libX11 Severity: important References: 1174628,CVE-2020-14344 Description: This update for libX11 fixes the following issues: - Fixed XIM client heap overflows (CVE-2020-14344, bsc#1174628) ----------------------------------------- Patch: SUSE-2020-2126 Released: Wed Aug 5 09:26:46 2020 Summary: Recommended update for cloud-regionsrv-client Severity: moderate References: 1173474,1173475 Description: This update for cloud-regionsrv-client fixes the following issues: - Introduce containerbuild-regionsrv service to allow container building tools to access required data for accessing Public Cloud RMTs (bsc#1173474, bsc#1173475) ----------------------------------------- Patch: SUSE-2020-2127 Released: Wed Aug 5 10:28:23 2020 Summary: Recommended update for python-azure-agent Severity: important References: 1173866 Description: This update for python-azure-agent fixes the following issues: - Properly set the DHCP configuration to push the hostname to the DHCP server. (bsc#1173866) - Do not bring the interface down to push the hostname, just use 'ifup'. (bsc#1173866) ----------------------------------------- Patch: SUSE-2020-2128 Released: Wed Aug 5 10:28:47 2020 Summary: Recommended update for cryptctl Severity: moderate References: Description: cryptctl was updated to fix the following issue - crypto is shipped into the Basesystem module. (ECO-2067) ----------------------------------------- Patch: SUSE-2020-2130 Released: Wed Aug 5 13:01:43 2020 Summary: Recommended update for aws-iam-authenticator, cni, cni-plugins Severity: moderate References: 1098521 Description: This update ships initial versions of the aws-iam-authenticator, cni, cni-plugins packages to the Public Cloud module. (jsc#PM-1449, jsc#SLE-10777, bsc#1098521) This provides support for Amazon EKS. ----------------------------------------- Patch: SUSE-2020-2142 Released: Thu Aug 6 11:05:34 2020 Summary: Security update for xrdp Severity: important References: 1173580,CVE-2020-4044 Description: This update for xrdp fixes the following issues: - Update to version 0.9.13.1 + This is a security fix release that includes fixes for the following local buffer overflow vulnerability (bsc#1173580): CVE-2020-4044 ----------------------------------------- Patch: SUSE-2020-2143 Released: Thu Aug 6 11:06:49 2020 Summary: Security update for java-11-openjdk Severity: important References: 1174157,CVE-2020-14556,CVE-2020-14562,CVE-2020-14573,CVE-2020-14577,CVE-2020-14581,CVE-2020-14583,CVE-2020-14593,CVE-2020-14621 Description: This update for java-11-openjdk fixes the following issues: - Update to upstream tag jdk-11.0.8+10 (July 2020 CPU, bsc#1174157) * Security fixes: + JDK-8230613: Better ASCII conversions + JDK-8231800: Better listing of arrays + JDK-8232014: Expand DTD support + JDK-8233234: Better Zip Naming + JDK-8233239, CVE-2020-14562: Enhance TIFF support + JDK-8233255: Better Swing Buttons + JDK-8234032: Improve basic calendar services + JDK-8234042: Better factory production of certificates + JDK-8234418: Better parsing with CertificateFactory + JDK-8234836: Improve serialization handling + JDK-8236191: Enhance OID processing + JDK-8236867, CVE-2020-14573: Enhance Graal interface handling + JDK-8237117, CVE-2020-14556: Better ForkJoinPool behavior + JDK-8237592, CVE-2020-14577: Enhance certificate verification + JDK-8238002, CVE-2020-14581: Better matrix operations + JDK-8238013: Enhance String writing + JDK-8238804: Enhance key handling process + JDK-8238842: AIOOBE in GIFImageReader.initializeStringTable + JDK-8238843: Enhanced font handing + JDK-8238920, CVE-2020-14583: Better Buffer support + JDK-8238925: Enhance WAV file playback + JDK-8240119, CVE-2020-14593: Less Affine Transformations + JDK-8240482: Improved WAV file playback + JDK-8241379: Update JCEKS support + JDK-8241522: Manifest improved jar headers redux + JDK-8242136, CVE-2020-14621: Better XML namespace handling * Other changes: + JDK-6933331: (d3d/ogl) java.lang.IllegalStateException: Buffers have not been created + JDK-7124307: JSpinner and changing value by mouse + JDK-8022574: remove HaltNode code after uncommon trap calls + JDK-8039082: [TEST_BUG] Test java/awt/dnd/BadSerializationTest/BadSerializationTest.java fails + JDK-8040630: Popup menus and tooltips flicker with previous popup contents when first shown + JDK-8044365: (dc) MulticastSendReceiveTests.java failing with ENOMEM when joining group (OS X 10.9) + JDK-8048215: [TESTBUG] java/lang/management/ManagementFactory/ThreadMXBeanProxy.java Expected non-null LockInfo + JDK-8051349: nsk/jvmti/scenarios/sampling/SP06/sp06t003 fails in nightly + JDK-8080353: JShell: Better error message on attempting to add default method + JDK-8139876: Exclude hanging nsk/stress/stack from execution with deoptimization enabled + JDK-8146090: java/lang/ref/ReachabilityFenceTest.java fails with -XX:+DeoptimizeALot + JDK-8153430: jdk regression test MletParserLocaleTest, ParserInfiniteLoopTest reduce default timeout + JDK-8156207: Resource allocated BitMaps are often cleared unnecessarily + JDK-8159740: JShell: corralled declarations do not have correct source to wrapper mapping + JDK-8175984: ICC_Profile has un-needed, not-empty finalize method + JDK-8176359: Frame#setMaximizedbounds not working properly in multi screen environments + JDK-8183369: RFC unconformity of HttpURLConnection with proxy + JDK-8187078: -XX:+VerifyOops finds numerous problems when running JPRT + JDK-8189861: Refactor CacheFind + JDK-8191169: java/net/Authenticator/B4769350.java failed intermittently + JDK-8191930: [Graal] emits unparseable XML into compile log + JDK-8193879: Java debugger hangs on method invocation + JDK-8196019: java/awt/Window/Grab/GrabTest.java fails on Windows + JDK-8196181: sun/java2d/GdiRendering/InsetClipping.java fails + JDK-8198000: java/awt/List/EmptyListEventTest/EmptyListEventTest.java debug assert on Windows + JDK-8198001: java/awt/Menu/WrongParentAfterRemoveMenu/ /WrongParentAfterRemoveMenu.java debug assert on Windows + JDK-8198339: Test javax/swing/border/Test6981576.java is unstable + JDK-8200701: jdk/jshell/ExceptionsTest.java fails on Windows, after JDK-8198801 + JDK-8203264: JNI exception pending in PlainDatagramSocketImpl.c:740 + JDK-8203672: JNI exception pending in PlainSocketImpl.c + JDK-8203673: JNI exception pending in DualStackPlainDatagramSocketImpl.c:398 + JDK-8204834: Fix confusing 'allocate' naming in OopStorage + JDK-8205399: Set node color on pinned HashMap.TreeNode deletion + JDK-8205653: test/jdk/sun/management/jmxremote/bootstrap/ /RmiRegistrySslTest.java and RmiSslBootstrapTest.sh fail with handshake_failure + JDK-8206179: com/sun/management/OperatingSystemMXBean/ /GetCommittedVirtualMemorySize.java fails with Committed virtual memory size illegal value + JDK-8207334: VM times out in VM_HandshakeAllThreads::doit() with RunThese30M + JDK-8208277: Code cache heap (-XX:ReservedCodeCacheSize) doesn't work with 1GB LargePages ----------------------------------------- Patch: SUSE-2020-2144 Released: Thu Aug 6 11:07:58 2020 Summary: Security update for wireshark Severity: moderate References: 1169063,1171899,1173606,CVE-2020-11647,CVE-2020-13164,CVE-2020-15466 Description: This update for wireshark fixes the following issues: - Wireshark to 3.2.5: * CVE-2020-15466: GVCP dissector infinite loop (bsc#1173606) * CVE-2020-13164: NFS dissector crash (bsc#1171899) * CVE-2020-11647: The BACapp dissector could crash (bsc#1169063) - Further features, bug fixes and updated protocol support as listed in: https://www.wireshark.org/docs/relnotes/wireshark-3.2.5.html ----------------------------------------- Patch: SUSE-2020-2147 Released: Thu Aug 6 13:36:01 2020 Summary: Security update for MozillaFirefox Severity: important References: 1171433,1174538,CVE-2020-15652,CVE-2020-15653,CVE-2020-15654,CVE-2020-15655,CVE-2020-15656,CVE-2020-15657,CVE-2020-15658,CVE-2020-15659,CVE-2020-6463,CVE-2020-6514 Description: This update for MozillaFirefox fixes the following issues: This update for MozillaFirefox and pipewire fixes the following issues: MozillaFirefox Extended Support Release 78.1.0 ESR * Fixed: Various stability, functionality, and security fixes (bsc#1174538) * CVE-2020-15652: Potential leak of redirect targets when loading scripts in a worker * CVE-2020-6514: WebRTC data channel leaks internal address to peer * CVE-2020-15655: Extension APIs could be used to bypass Same-Origin Policy * CVE-2020-15653: Bypassing iframe sandbox when allowing popups * CVE-2020-6463: Use-after-free in ANGLE gl::Texture::onUnbindAsSamplerTexture * CVE-2020-15656: Type confusion for special arguments in IonMonkey * CVE-2020-15658: Overriding file type when saving to disk * CVE-2020-15657: DLL hijacking due to incorrect loading path * CVE-2020-15654: Custom cursor can overlay user interface * CVE-2020-15659: Memory safety bugs fixed in Firefox 79 and Firefox ESR 78.1 pipewire was updated to version 0.3.6 (bsc#1171433, jsc#ECO-2308): * Extensive memory leak fixing and stress testing was done. A big leak in screen sharing with DMA-BUF was fixed. * Compile fixes * Stability improvements in jack and pulseaudio layers. * Added the old portal module to make the Camera portal work again. This will be moved to the session manager in future versions. * Improvements to the GStreamer source and sink shutdown. * Fix compatibility with v2 clients again when negotiating buffers. ----------------------------------------- Patch: SUSE-2020-2148 Released: Thu Aug 6 13:36:17 2020 Summary: Recommended update for ca-certificates-mozilla Severity: important References: 1174673 Description: This update for ca-certificates-mozilla fixes the following issues: Update to 2.42 state of the Mozilla NSS Certificate store (bsc#1174673) Removed CAs: * AddTrust External CA Root * AddTrust Class 1 CA Root * LuxTrust Global Root 2 * Staat der Nederlanden Root CA - G2 * Symantec Class 1 Public Primary Certification Authority - G4 * Symantec Class 2 Public Primary Certification Authority - G4 * VeriSign Class 3 Public Primary Certification Authority - G3 Added CAs: * certSIGN Root CA G2 * e-Szigno Root CA 2017 * Microsoft ECC Root Certificate Authority 2017 * Microsoft RSA Root Certificate Authority 2017 ----------------------------------------- Patch: SUSE-2020-2172 Released: Fri Aug 7 16:11:00 2020 Summary: Security update for perl-XML-Twig Severity: moderate References: 1008644,CVE-2016-9180 Description: This update for perl-XML-Twig fixes the following issues: - Security fix [bsc#1008644, CVE-2016-9180] * Setting expand_external_ents to 0 or -1 currently doesn't work as expected; To completely turn off expanding external entities use no_xxe. * Update documentation for XML::Twig to mention problems with expand_external_ents and add information about new no_xxe argument ----------------------------------------- Patch: SUSE-2020-2197 Released: Tue Aug 11 13:32:49 2020 Summary: Security update for libX11 Severity: important References: 1174628,CVE-2020-14344 Description: This update for libX11 fixes the following issues: - Fixed XIM client heap overflows (CVE-2020-14344, bsc#1174628). ----------------------------------------- Patch: SUSE-2020-2210 Released: Wed Aug 12 06:24:02 2020 Summary: Recommended update for osc Severity: moderate References: 1173926 Description: This update for osc fixes the following issues: - Fix for performance issues by assuming utf-8 or latin-1 as default, and speed up decoding. (bsc#1173926) ----------------------------------------- Patch: SUSE-2020-2219 Released: Wed Aug 12 15:47:42 2020 Summary: Recommended update for supportutils-plugin-suse-public-cloud and python3-azuremetadata Severity: moderate References: 1170475,1170476,1173238,1173240,1173357,1174618,1174847 Description: This update for supportutils-plugin-suse-public-cloud and python3-azuremetadata fixes the following issues: supportutils-plugin-suse-public-cloud: - Fixes an error when supportutils-plugin-suse-public-cloud and supportutils-plugin-salt are installed at the same time (bsc#1174618) - Sensitive information like credentials (such as access keys) will be removed when the metadata is being collected (bsc#1170475, bsc#1170476) python3-azuremetadata: - Added latest support for `--listapis` and `--api` (bsc#1173238, bsc#1173240) - Detects when the VM is running in ASM (Azure Classic) and does now handle the condition to generate the data without requiring access to the full IMDS available, only in ARM instances (bsc#1173357, bsc#1174847) ----------------------------------------- Patch: SUSE-2020-2220 Released: Wed Aug 12 16:23:08 2020 Summary: Recommended update for hawk2 Severity: moderate References: Description: This update for hawk2 fixes the following issue: Update to version 2.1.2+git.1594886920.d00b94aa: - Update puma rubygem requirement to version 4.3.5 for disabling TLSv1.0 and TLSv1.1 (jsc#SLE-6965) ----------------------------------------- Patch: SUSE-2020-2236 Released: Thu Aug 13 13:06:27 2020 Summary: Recommended update for wireguard-tools Severity: moderate References: Description: This update for wireguard-tools fixes the following issues: Update to version 1.0.20200513 * Makefile: remember to install all systemd units * ipc: openbsd: switch to array ioctl interface Update to version 1.0.20200510 * ipc: add support for openbsd kernel implementation * ipc: cleanup openbsd support * wg-quick: add support for openbsd kernel implementation * wg-quick: cleanup openbsd support * wg-quick: support dns search domains * Makefile: simplify silent cleaning * git: add gitattributes so tarball doesn't have gitignore files * terminal: specialize color_mode to stdout only * highlighter: insist on 256-bit keys, not 257-bit or 258-bit * wg-quick: android: support application whitelist * systemd: add wg-quick.target Update to version 1.0.20200319 * netlink: initialize mostly unused field * curve25519: squelch warnings on clang * man: fix grammar in wg(8) and wg-quick(8) * man: backlink wg-quick(8) in wg(8) * man: add a warning to the SaveConfig description * wincompat: use string_list instead of inflatable_buffer Update to version 1.0.20200206 * man: document dynamic debug trick for Linux * extract-{handshakes,keys}: rework for upstream kernel * netlink: remove libmnl requirement * embeddable-wg-library: use newer string_list * netlink: don't pretend that sysconf isn't a function * Small cleanups. Update to version 1.0.20200121 * Makefile: add standard 'all' target * ipc: simplify inflatable buffer and add fuzzer * fuzz: add generic command argument fuzzer * fuzz: add set and setconf fuzzers * netlink: make sure to clear return value when trying again * Makefile: sort inputs to linker so that build is reproducible - Initial package, version 1.0.20200102 ----------------------------------------- Patch: SUSE-2020-2252 Released: Mon Aug 17 14:16:31 2020 Summary: Recommended update for python-parallax Severity: moderate References: 1174894 Description: This update for python-parallax fixes the following issue: - Change format of scp command for ipv6 compatibility. (bsc#1174894) ----------------------------------------- Patch: SUSE-2020-2254 Released: Mon Aug 17 15:07:18 2020 Summary: Recommended update for prometheus-sap_host_exporter and prometheus-ha_cluster_exporter Severity: moderate References: 1174429 Description: This update for prometheus-sap_host_exporter and prometheus-ha_cluster_exporter fixes the following issues: prometheus-sap_host_exporter: - Added * --version command line parameter - Fixed * Some usage details are now further clarified prometheus-ha_cluster_exporter: - Features * Added support for corosync v3 - Changed * The CLI flag --enable-timestamps and its config option have been marked as deprecated - Fixes * Fixed an issue with `corosync-quorumtool` parsing in Corosync v2.3.6 ----------------------------------------- Patch: SUSE-2020-2256 Released: Mon Aug 17 15:08:46 2020 Summary: Recommended update for sysfsutils Severity: moderate References: 1155305 Description: This update for sysfsutils fixes the following issue: - Fix cdev name comparison. (bsc#1155305) ----------------------------------------- Patch: SUSE-2020-2265 Released: Tue Aug 18 12:08:55 2020 Summary: Security update for postgresql12 Severity: important References: 1175193,1175194,CVE-2020-14349,CVE-2020-14350 Description: This update for postgresql12 fixes the following issues: - update to 12.4: * CVE-2020-14349, bsc#1175193: Set a secure search_path in logical replication walsenders and apply workers * CVE-2020-14350, bsc#1175194: Make contrib modules' installation scripts more secure. * https://www.postgresql.org/docs/12/release-12-4.html ----------------------------------------- Patch: SUSE-2020-2280 Released: Wed Aug 19 21:27:31 2020 Summary: Recommended update for devscripts Severity: moderate References: 1174163 Description: This update for devscripts fixes the following issue: Update from version 2.15.1 to version 2.19.5 (bsc#1174163) - Add conflicts on packages with the same binaries. - Fixed license tag as suggested by licensedigger. - Changed download location for source tarball from Debian package pool to salsa.debian.org to avoid download errors. - Remove support for ancient openSUSE and non-SUSE distributions. ----------------------------------------- Patch: SUSE-2020-2281 Released: Wed Aug 19 21:28:12 2020 Summary: Recommended update for openssl-1_0_0 Severity: moderate References: 1174459 Description: This update for openssl-1_0_0 fixes the following issue: - Versioning the exported symbols and avoid failures due to the lack of versioning. (bsc#1174459) ----------------------------------------- Patch: SUSE-2020-2282 Released: Wed Aug 19 21:28:40 2020 Summary: Recommended update for libgit2 Severity: moderate References: 1157473 Description: This update for libgit2 provides the following fix: - Include the libgit2 package in SUSE Manager Server 4.0, no source changes made. (bsc#1157473) ----------------------------------------- Patch: SUSE-2020-2289 Released: Fri Aug 21 10:58:57 2020 Summary: Recommended update for davfs2 Severity: moderate References: 1173419 Description: This update for davfs2 fixes the following issue: - Respect nofail option and avoid to fail upon boot if the remote resource is not available. (bsc#1173419) ----------------------------------------- Patch: SUSE-2020-2314 Released: Tue Aug 25 15:31:17 2020 Summary: Recommended update for cloud-regionsrv-client Severity: moderate References: 1174731,1174732,1174743,1174791,1174837,1174937 Description: This update for cloud-regionsrv-client contains the following fixes: - Update to version 9.1.2: (bsc#1174791, bsc#1174937) + Implement changes to configure the client to use https only for outbound traffic - plugin-ec2 to version 1.0.1 (bsc#1174743, bsc#1174837) + Prefer IMDSv2 and switch all IMDS access requests to support v2 token based access method. - Update to version 9.1.1: (bsc#1174731, bsc#1174732) + Do not immediately failover to a sibling system. Upon contact failure to the target system give the server/route time to recover. We have seen network instability trigger a pre-mature failover during initial registration causing problems later during updates. + When we do failover make sure the access credentials are known to the new target ----------------------------------------- Patch: SUSE-2020-2316 Released: Tue Aug 25 15:38:19 2020 Summary: Recommended update for regionServiceClientConfigEC2 Severity: moderate References: 1174791,1174937 Description: This update for regionServiceClientConfigEC2 contains the following fixes: - Update to version 2.2.1 (bsc#1174791, bsc#1174937) + New configuration to switch to https only outgoing traffic. ----------------------------------------- Patch: SUSE-2020-2318 Released: Tue Aug 25 15:39:22 2020 Summary: Recommended update for python3-ec2metadata Severity: moderate References: 1174743,1174837 Description: This update for python3-ec2metadata contains the following fixes: - Update to version 3.0.3 (bsc#1174743, bsc#1174837) + Prefer IMDSv2 and switch all IMDS access requests to support v2 token based access method. ----------------------------------------- Patch: SUSE-2020-2240 Released: Tue Aug 25 19:03:12 2020 Summary: Security update for xorg-x11-server Severity: important References: 1174633,1174635,1174638,CVE-2020-14345,CVE-2020-14346,CVE-2020-14347 Description: This update for xorg-x11-server fixes the following issues: - CVE-2020-14347: Leak of uninitialized heap memory from the X server to clients on pixmap allocation (bsc#1174633, ZDI-CAN-11426). - CVE-2020-14346: XIChangeHierarchy Integer Underflow Privilege Escalation Vulnerability (bsc#1174638, ZDI-CAN-11429). - CVE-2020-14345: XKB out-of-bounds access privilege escalation vulnerability (bsc#1174635, ZDI-CAN-11428). ----------------------------------------- Patch: SUSE-2020-2338 Released: Wed Aug 26 13:45:01 2020 Summary: Recommended update for cloud-regionsrv-client Severity: important References: 1175752,1175753 Description: This update for cloud-regionsrv-client fixes the following issues: - Fixed an issue where the cache object for the update server was incomplete (bsc#1175752, bsc#1175753) ----------------------------------------- Patch: SUSE-2020-2341 Released: Wed Aug 26 15:57:46 2020 Summary: Recommended update for regionServiceClientConfigGCE Severity: moderate References: 1174791,1174937 Description: This update for regionServiceClientConfigGCE contains the following fixes: - Update to version 3.0.1. (bsc#1174791, bsc#1174937) + New configuration to switch to https only outgoing traffic. ----------------------------------------- Patch: SUSE-2020-2349 Released: Wed Aug 26 17:15:21 2020 Summary: Recommended update for hyper-v Severity: moderate References: 1093910,1174443,1174444 Description: This update for hyper-v fixes the following issues: - Remove dependency to network-online.target now that gethostname is used in kvp_daemon. (bsc#1174443, bsc#1174444) - Reopen the devices if read() or write() returns errors. - Use either python2 or python3 for lsvmbus. (bsc#1093910) - Remove sysv init scripts. - Enable build on aarch64. ----------------------------------------- Patch: SUSE-2020-2373 Released: Fri Aug 28 12:58:51 2020 Summary: Security update for SUSE Manager 4.1.1 Severity: moderate References: 1136857,1165572,1169553,1169780,1170244,1170468,1170654,1171281,1172279,1172504,1172709,1172807,1172831,1172839,1173169,1173522,1173535,1173554,1173566,1173584,1173932,1173982,1173997,1174025,1174167,1174201,1174229,1174325,1174405,1174470,1174965,1175485,1175555,1175558,1175724,1175791,678126,CVE-2020-11022 Description: This consolidated update includes multiple patchinfos for SUSE Manager Server and Proxy. This patchinfo is used for the codestream release only. ----------------------------------------- Patch: SUSE-2020-2378 Released: Fri Aug 28 14:52:31 2020 Summary: Recommended update for python-azure-agent Severity: moderate References: 1175198 Description: This update for python-azure-agent contains the following fix: - Drop paa_sudo_sle15_nopwd.patch (bsc#1175198) + sudoers file is managed by cloud-init we no longer need this hack ----------------------------------------- Patch: SUSE-2020-2380 Released: Fri Aug 28 14:54:08 2020 Summary: Recommended update for supportutils-plugin-suse-public-cloud Severity: moderate References: 1175250,1175251 Description: This update for supportutils-plugin-suse-public-cloud contains the following fix: - Update to version 1.0.5: (bsc#1175250, bsc#1175251) + Query for new GCE initialization code packages ----------------------------------------- Patch: SUSE-2020-2394 Released: Mon Aug 31 17:16:14 2020 Summary: Recommended update for lifecycle-data-sle-module-live-patching Severity: moderate References: 1020320 Description: This update for lifecycle-data-sle-module-live-patching fixes the following issue: Live kernel patching update data. (bsc#1020320) - New data for 4_12_14-150_55, 4_12_14-197_48, 5_3_18-22, 5_3_18-24_9. ----------------------------------------- Patch: SUSE-2020-2415 Released: Tue Sep 1 13:45:00 2020 Summary: Recommended update for python-kiwi Severity: moderate References: 1096738,1165730,1172908,1173226,1173356,1174009 Description: This update for python-kiwi contains the following fixes: - Bump version up to 9.21.7: This version upgrade includes several fixes: * Skip filesystem check for XFS prior xfs_grow running xfs_repair check isn't strictly necessary before resizing, and in some cases it may even prevent resizing by giving an error that would be cleared through mounting the fs (e.g. when the fs wasn't cleanly umounted, and thus letting xfs recover and replay its journal). Given that xfs can only grow online (while being mounted), this is sufficient to ensure that the fs is in a state where it can be resized. This is related to bsc#1174009. (bsc#1174009) * Fixed grub setup in EFI/BOOT directory kiwi copied the same grub.cfg file as it exists in boot/grub2 to the efi path. This is wrong as the setup in the efi boot directory is used to enable normal grub loading and not providing the user grub configuration. In addition the changes here makes sure that the early grub boot code is placed into the system in any EFI case except for secure boot when shim-install is present. If shim-install is present it also creates the early grub boot setup such that kiwi doesn't have to do it. This Fixes #1491 and Fixes bsc#1172908. (bsc#1172908) * Use rsync in inplace transfer mode Using the --inplace option in rsync helps to save space on syncing the rootfs data and prevents e.g OBS workers from running out of VM space when transfering root filesystem data. Also using --inplace allows to keep hardlinks intact. This is related to bsc#1096738. (bsc#1096738) * Don't keep copy of grub2-install in the system To prevent shim-install from calling grub2-install in uefi mode kiwi temporary replaces the tool by a noop. This acts as a workaround for an issue in shim-install. However the workaround left a file copy of grub2-install in the system which should not happen. This commit Fixes bsc#1173226 and Fixes #1490. (bsc#1173226) * Fixes live ISOs This commit fixes iso images. Due to a change introduced in c7ed1cf live ISOs were no longer booting as the rootfs.img filesystem was copied to the squashfs container while being still mounted. Because of that, at boot time, it refused to mount. This commit adds umount method for the filesystem base class, so it can be umounted before deleting the instance. Fixes #1489 and bsc#1173356. (bsc#1173356) * Support grub timeout_style parameter Grub supports a style setting that influences the display of the menu depending on the configured timeout value. With this patch kiwi allows to specify the style via a new bootloader parameter named timeout_style='hidden|countdown'. If not set the grub default applies which shows the menu in any case. This Fixes bsc#1165730 and Fixes #1404. (bsc#1165730) * Use auto video mode as default for grub An explicit video mode 800x600 was used for grub if no video mode setup exists in the XML description. For grub this should better result in the auto mode. Related to bsc#1165730. (bsc#1165730) ----------------------------------------- Patch: SUSE-2020-2420 Released: Tue Sep 1 13:48:35 2020 Summary: Recommended update for zlib Severity: moderate References: 1174551,1174736 Description: This update for zlib provides the following fixes: - Permit a deflateParams() parameter change as soon as possible. (bsc#1174736) - Fix DFLTCC not flushing EOBS when creating raw streams. (bsc#1174551) ----------------------------------------- Patch: SUSE-2020-2424 Released: Tue Sep 1 13:53:52 2020 Summary: Recommended update for yast2-rmt Severity: moderate References: 1171555,1172674 Description: This update for yast2-rmt fixes the following issues: - Handle Common Name length. (bsc#1172674) - Changed placeholders in translatable strings to support better the 'gettext' language format tags. (bsc#1171555) ----------------------------------------- Patch: SUSE-2020-2425 Released: Tue Sep 1 13:54:05 2020 Summary: Recommended update for nfs-utils Severity: moderate References: 1174260 Description: This update for nfs-utils fixes the following issues: - Fix a bug when concurrent 'gssd' requests arrive from kernel, causing hanging NFS mounts. (bsc#1174260) ----------------------------------------- Patch: SUSE-2020-2440 Released: Tue Sep 1 22:14:33 2020 Summary: Recommended update for libmaxminddb Severity: moderate References: 1175006 Description: This update for libmaxminddb fixes the following issues: - update to 1.4.3: * Use of uninitialized memory in dump_entry_data_list() could have cause a heap buffer flow in mmdblookup [bsc#1175006] ----------------------------------------- Patch: SUSE-2020-2452 Released: Wed Sep 2 13:58:24 2020 Summary: Security update for xorg-x11-server Severity: important References: 1174910,1174913,CVE-2020-14361,CVE-2020-14362 Description: This update for xorg-x11-server fixes the following issues: - CVE-2020-14361: Fix XkbSelectEvents() integer underflow (bsc#1174910 ZDI-CAN-11573). - CVE-2020-14362: Fix XRecordRegisterClients() Integer underflow (bsc#1174913 ZDI-CAN-11574). ----------------------------------------- Patch: SUSE-2020-2453 Released: Wed Sep 2 13:59:21 2020 Summary: Security update for java-1_8_0-ibm Severity: moderate References: 1174157,1175259,CVE-2019-17639,CVE-2020-14556,CVE-2020-14577,CVE-2020-14578,CVE-2020-14579,CVE-2020-14581,CVE-2020-14583,CVE-2020-14593,CVE-2020-14621 Description: This update for java-1_8_0-ibm fixes the following issues: - Update to Java 8.0 Service Refresh 6 Fix Pack 15 [bsc#1175259, bsc#1174157] CVE-2020-14577 CVE-2020-14578 CVE-2020-14579 CVE-2020-14581 CVE-2020-14556 CVE-2020-14621 CVE-2020-14593 CVE-2020-14583 CVE-2019-17639 * Class Libraries: - JAVA.UTIL.ZIP.DEFLATER OPERATIONS THROW JAVA.LANG.INTERNALERROR - JAVA 8 DECODER OBJECTS CONSUME A LARGE AMOUNT OF JAVA HEAP - TRANSLATION MESSAGES UPDATE FOR JCL - UPDATE TIMEZONE INFORMATION TO TZDATA2020A * Java Virtual Machine: - IBM JAVA REGISTERS A HANDLER BY DEFAULT FOR SIGABRT - LARGE MEMORY FOOTPRINT HELD BY TRACECONTEXT OBJECT * JIT Compiler: - CRASH IN THE INTERPRETER AFTER OSR FROM INLINED SYNCHRONIZED METHOD IN DEBUGGING MODE - INTERMITTENT ASSERTION FAILURE REPORTED - CRASH IN RESOLVECLASSREF() DURING AOT LOAD - JIT CRASH DURING CLASS UNLOADING IN J9METHOD_HT::ONCLASSUNLOADING() - SEGMENTATION FAULT WHILE COMPILING A METHOD - UNEXPECTED CLASSCASTEXCEPTION THROWN IN HIGH LEVEL PARALLEL APPLICATION ON IBM Z PLATFORM * Security: - CERTIFICATEEXCEPTION OCCURS WHEN FILE.ENCODING PROPERTY SET TO NON DEFAULT VALUE - CHANGES TO IBMJCE AND IBMJCEPLUS PROVIDERS - IBMJCEPLUS FAILS, WHEN THE SECURITY MANAGER IS ENABLED, WITH DEFAULT PERMISSIONS, SPECIFIED IN JAVA.POLICY FILE - IN CERTAIN INSTANCES, IBMJCEPLUS PROVIDER THROWS EXCEPTION FROM KEYFACTORY CLASS ----------------------------------------- Patch: SUSE-2020-2464 Released: Wed Sep 2 23:25:41 2020 Summary: Recommended update for icewm Severity: moderate References: 1170420,1173441 Description: This update for icewm fixes the following issues: - Fixes an issue where icewm updates could no longer be installed (bsc#1173441, bsc#1170420) ----------------------------------------- Patch: SUSE-2020-2470 Released: Wed Sep 2 23:29:43 2020 Summary: Recommended update for lshw Severity: moderate References: 1168865,1169668,1172156 Description: This update for lshw fixes the following issues: - Fixes the detection of powerpc products (bsc#1172156) - Fixed an issue where lshw crashed on powerpc and aarch64 (bsc#1168865, bsc#1169668) ----------------------------------------- Patch: SUSE-2020-2474 Released: Thu Sep 3 12:10:29 2020 Summary: Security update for libX11 Severity: moderate References: 1175239,CVE-2020-14363 Description: This update for libX11 fixes the following issues: - CVE-2020-14363: Fix an integer overflow in init_om() (bsc#1175239). ----------------------------------------- Patch: SUSE-2020-2489 Released: Fri Sep 4 11:39:19 2020 Summary: Recommended update for fwupdate Severity: moderate References: 1174543 Description: This update of fwupdate fixes the following issue: - rebuilt with new signing key. (bsc#1174543) ----------------------------------------- Patch: SUSE-2020-2549 Released: Fri Sep 4 18:25:50 2020 Summary: Recommended update for OpenStack clients Severity: moderate References: 1121610,1174571,917818 Description: Updated OpenStack clients to the latest OpenStack release named Ussuri. ----------------------------------------- Patch: SUSE-2020-2556 Released: Mon Sep 7 14:31:43 2020 Summary: Recommended update for python3-azuremetadata Severity: moderate References: 1175609,1175610 Description: This update for python3-azuremetadata contains the following fix: - Fix provides directive (bsc#1175609, bsc#1175610) + The provides directive must set a version or update does not work as expected ----------------------------------------- Patch: SUSE-2020-2558 Released: Mon Sep 7 14:32:59 2020 Summary: Recommended update for tomcat Severity: moderate References: 1092163,1172562,1173103 Description: This update for tomcat fixes the following issues: - Fixed the package alternatives for tomcat-servlet-4_0-api to use /usr/share/java/servlet.jar instead of /usr/share/java/tomcat-servlet.jar - We kept /usr/share/java/tomcat-servlet.jar as a symlink for compatibility reasons (bsc#1092163) - Removed write permissions on several files and directories for the tomcat group (bsc#1172562) - Changed the tomcat.pid location from /var/run to /run (bsc#1173103) ----------------------------------------- Patch: SUSE-2020-2559 Released: Mon Sep 7 14:33:27 2020 Summary: Recommended update for xrdp Severity: moderate References: 1171415 Description: This update for xrdp fixes the following issue: - Fallback session to icewm when a selected desktop environment is not found (bsc#1171415) ----------------------------------------- Patch: SUSE-2020-2567 Released: Tue Sep 8 12:03:33 2020 Summary: Recommended update for azure-li-services Severity: important References: Description: This update for azure-li-services fixes the following issues: - Update prometheus monitoring modules for the LI and VLI images for SLE15-SP1/SP2 and GA. (jsc#SLE-10545, jsc#SLE-10902, jsc#SLE-10903, jsc#ECO-817, jsc#ECO-818) ----------------------------------------- Patch: SUSE-2020-2568 Released: Tue Sep 8 13:55:56 2020 Summary: Optional update for iscsi-formula Severity: important References: Description: This update adds iscsi-formula to the SLES for SAP products. (jsc#ECO-2443, jsc#ECO-1965, jsc#SLE-4047) ----------------------------------------- Patch: SUSE-2020-2594 Released: Thu Sep 10 14:02:49 2020 Summary: Recommended update for clone-master-clean-up Severity: moderate References: 1174147 Description: This update for clone-master-clean-up fixes the following issues: - Cleanup salt client ID and 'osad' authentication configuration file and the system ID. (bsc#1174147) ----------------------------------------- Patch: SUSE-2020-2616 Released: Mon Sep 14 10:34:31 2020 Summary: Recommended update for python-argparse-manpage Severity: low References: Description: This update for python-argparse-manpage fixes the following issues: - Made the multiline text look better ----------------------------------------- Patch: SUSE-2020-2630 Released: Mon Sep 14 18:26:03 2020 Summary: Recommended update for biosdevname Severity: moderate References: 1174491 Description: This update for biosdevname fixes the following issues: - Read DMI info rom sysfs. (bsc#1174491) A kernel with Secure Boot lockdown may prohibit reading the contents of /dev/mem, hence biosdevname fails. The recent kernel provides the DMI byte contents in /sys/firmware/dmi/tables/*. - Add buffer read helper using read explicitly. mmap can't work well with a sysfs file and it's required to read the contents explicitly via read, even if USE_MMAP is enabled. ----------------------------------------- Patch: SUSE-2020-2639 Released: Tue Sep 15 16:23:43 2020 Summary: Recommended update for realmd Severity: moderate References: 1175616 Description: This update for realmd fixes the following issue: - Fix pam misconfiguration. (bsc#1175616) ----------------------------------------- Patch: SUSE-2020-2646 Released: Wed Sep 16 12:07:28 2020 Summary: Security update for perl-DBI Severity: important References: 1176409,1176412,CVE-2020-14392,CVE-2020-14393 Description: This update for perl-DBI fixes the following issues: Security issues fixed: - CVE-2020-14392: Memory corruption in XS functions when Perl stack is reallocated (bsc#1176412). - CVE-2020-14393: Fixed a buffer overflow on an overlong DBD class name (bsc#1176409). ----------------------------------------- Patch: SUSE-2020-2651 Released: Wed Sep 16 14:42:55 2020 Summary: Recommended update for zlib Severity: moderate References: 1175811,1175830,1175831 Description: This update for zlib fixes the following issues: - Fix compression level switching (bsc#1175811, bsc#1175830, bsc#1175831) - Enable hardware compression on s390/s390x (jsc#SLE-13776) ----------------------------------------- Patch: SUSE-2020-2655 Released: Wed Sep 16 14:44:27 2020 Summary: Recommended update for google-guest-agent, google-guest-configs, google-guest-oslogin Severity: moderate References: 1174745,1175173,1175740,1175741 Description: This update for google-guest-agent, google-guest-configs, google-guest-oslogin contains the following fixes: - Update to version 20200819.00. (bsc#1175740, bsc#1175741) * handle oslogin enable/disable cases (#70). (bsc#1175173) * add README (#69) * Fix metric for addIPForwardEntry (#68) * Correctly determine default route index (#67) * oslogin: dont add entry to pam.d/su (#66) * end group.conf with newline (#64) * Add source field in googet spec (#59) * Set route to metadata on interface with default route (#47) * fix typo in boto.cfg (#62) - Properly handle enabling of systemd services when upgrading from the old google-compute-engine-init package (bsc#1174745) - Update to version 20200626.00. (bsc#1175740, bsc#1175741) * Updates the udev rules for local SSD disks. (#9) * Fix tx affinity logic when number of CPUs is above 32 (#6) - Switch udev requires to pkgconfig to allow the build service to use the -mini package for build optimization - Update to version 20200819.00. (bsc#1175740, bsc#1175741) * deny non-2fa users (#37) * use asterisks instead (#39) * set passwords to ! (#38) * correct index 0 bug (#36) * Support security key generated OTP challenges. (#35) - No post action for ssh ----------------------------------------- Patch: SUSE-2020-2658 Released: Wed Sep 16 14:45:24 2020 Summary: Recommended update for build Severity: moderate References: 1170956,1172563,1174854 Description: This update for build fixes the following issues: - fix factory version in config file (bsc#1170956) - add missing ignores for Leap 15.2 (bsc#1174854) - fix sysrq handling for KVM builds - avoid double removal of obscpio files - docker: * support builds using USER root statements * proper error handling when obs-docker-support gets called as non-root * helm build target support * support milestone handling - support repo files without types set (SLE 15 SP2 zypp) - add default substitute for system-packages:repo-creation - Support recursive kiwi profile usage - fix dependencies for Fedora 33 - Set $YAML::XS::LoadBlessed = 0 for Appimage/Snapcraft - add a new variable to track build time needed for ccache eviction - create folder for ccache archive to be copied before rsync - also package pkg-config files by default into baselibs. (bsc#1172563) - Use shorter kernel flag for mitigations - Ignore, if shutdown behavior changed by build in z/VM - Control disk-space consumption while creating ccache archive - cleaning ccache - create folders before trying to copy ccache.tar - Generate .packages and .basepackages files for docker builds - enable sysrq operations on boot - Set kvm_serial_device to virtio-serial in the fixup - Split console arg setting code into kvm_add_console_args - Update for zVM to make container builds work. - Write to /proc/sys/kernel/hostname if the hostname command is not available - Use --cgroup-manager=cgroupfs when calling podman - Also squash by default in podman builds - Support different interpreters in prein/postin scriptlets - Use grep -E instead of egrep to check for the needsbinariesforbuild flag - Use new Build::Intrepo module - Add new Intrepo module to read/write build's internal repo format - remove .gz from _ccache archive as it is no longer compressed - Add support for Arch in build-recipe-kiwi - Autodetect whether to use --pipe option of systemd-nspawn. - Split parse_depfile() from readdeps() - enable compression on ccache - add bugzilla numbers for s390 workaround - extend --ccache to generate _ccache.tar.gz and implement --pkg-ccache - disable transparent_hugepage on s390x guests for now, causes hangs - set buildflavor also for Build::parse - Leap 15.2 config update (libzstd1 for rpm) - handle obscpio extraction error as fatal - Return correct exit code from systemd-nspawn build - Spec parser: do not parse included files from end to start - running disk full check also outside of VM - run disk full check only for chroot - Spec parser: add support for %elif, %elifarch, %elifos - Support rpm's %include statement (EXPERIMENTAL, known limitations) - Do not do vminstall expansion in expanddeps unless --vm is used - 15.2 config: preinstall gcrypt deps again - Recommends for Fedora based distros - support obsgendiff functionality - various smaller code cleanups - additional test cases for spec file parsing - various fixes for cornercases during spec file parsing - fix regression in && operator handling of rpm spec file parser - Correctly expand macros defined with %global - 15.2 config: temporary revert gcrypt preinstall until distro has changed - factory config: ignore libxtables for iproute2, not needed for ip tool - Follow upstream rpm changes in regard to logical ops - Fix macro expansion of lines containing newlines - add missing header file to avoid compile warnings - support OBS-Milestone comment for kiwi - switch to preinstall expansion for factory ----------------------------------------- Patch: SUSE-2020-2659 Released: Wed Sep 16 14:46:06 2020 Summary: Recommended update for openwsman Severity: moderate References: 1174541,1175631 Description: This update for openwsman fixes the following issues: - Don't crash if OpenSSL SSL context fails to initialize. (bsc#1175631) - Adapt to openssl 1.1.1. (bsc#1174541) ----------------------------------------- Patch: SUSE-2020-2667 Released: Thu Sep 17 14:46:50 2020 Summary: Recommended update for openssl-1_0_0 Severity: moderate References: 1175429 Description: This update for openssl-1_0_0 fixes the following issues: - Provide the same symbols as other distros in a compatible package. (bsc#1175429) - Add OPENSSL_1.0.1_EC symbol. (bsc#1175429) ----------------------------------------- Patch: SUSE-2020-2676 Released: Thu Sep 17 23:48:03 2020 Summary: Recommended update for star Severity: moderate References: 1170726 Description: This update for star fixes the following issues: - Support backreferences for spax. (bsc#1170726) The subst command for pax now supports the \1, \2, ... escapes for \(...\) selections in the from pattern, like it is used by sed(1). ----------------------------------------- Patch: SUSE-2020-2689 Released: Mon Sep 21 10:56:11 2020 Summary: Security update for jasper Severity: moderate References: 1010979,1010980,1020451,1020456,1020458,1020460,1045450,1057152,1088278,1114498,1115637,1117328,1120805,1120807,CVE-2016-9398,CVE-2016-9399,CVE-2017-14132,CVE-2017-5499,CVE-2017-5503,CVE-2017-5504,CVE-2017-5505,CVE-2017-9782,CVE-2018-18873,CVE-2018-19139,CVE-2018-19543,CVE-2018-20570,CVE-2018-20622,CVE-2018-9252 Description: This update for jasper fixes the following issues: - CVE-2016-9398: Improved patch for already fixed issue (bsc#1010979). - CVE-2016-9399: Fix assert in calcstepsizes (bsc#1010980). - CVE-2017-5499: Validate component depth bit (bsc#1020451). - CVE-2017-5503: Check bounds in jas_seq2d_bindsub() (bsc#1020456). - CVE-2017-5504: Check bounds in jas_seq2d_bindsub() (bsc#1020458). - CVE-2017-5505: Check bounds in jas_seq2d_bindsub() (bsc#1020460). - CVE-2017-14132: Fix heap base overflow in by checking components (bsc#1057152). - CVE-2018-9252: Fix reachable assertion in jpc_abstorelstepsize (bsc#1088278). - CVE-2018-18873: Fix null pointer deref in ras_putdatastd (bsc#1114498). - CVE-2018-19139: Fix mem leaks by registering jpc_unk_destroyparms (bsc#1115637). - CVE-2018-19543, bsc#1045450 CVE-2017-9782: Fix numchans mixup (bsc#1117328). - CVE-2018-20570: Fix heap based buffer over-read in jp2_encode (bsc#1120807). - CVE-2018-20622: Fix memory leak in jas_malloc.c (bsc#1120805). ----------------------------------------- Patch: SUSE-2020-2706 Released: Tue Sep 22 15:08:19 2020 Summary: Recommended update for xorg-x11-server Severity: moderate References: 1176015 Description: This update for xorg-x11-server fixes the following issues: - fix crash in XWayland when undocking laptop. (bsc#1176015) - fix for XWayland abort in Present code. (bsc#1176015) - Import various fixes from 1.20 branch solving XWayland crashes. (bsc#1176015) ----------------------------------------- Patch: SUSE-2020-2709 Released: Tue Sep 22 15:35:58 2020 Summary: Recommended update for pdate to version 1.0.5 (bsc#1174791, bsc#1174937) Severity: low References: 1174791,1174937 Description: - Update to version 1.0.5 (bsc#1174791, bsc#1174937) + New configuration to switch to https only outgoing traffic + Use latest API to query the metadata server and send additional data ----------------------------------------- Patch: SUSE-2020-2710 Released: Tue Sep 22 17:06:19 2020 Summary: Security update for rubygem-actionpack-5_1 Severity: important References: 1172177,CVE-2020-8164 Description: This update for rubygem-actionpack-5_1 fixes the following issues: - CVE-2020-8164: Possible Strong Parameters Bypass in ActionPack. There is a strong parameters bypass vector in ActionPack. (bsc#1172177) ----------------------------------------- Patch: SUSE-2020-2731 Released: Thu Sep 24 07:42:32 2020 Summary: Security update for conmon, fuse-overlayfs, libcontainers-common, podman Severity: moderate References: 1162432,1164090,1165738,1171578,1174075,1175821,1175957,CVE-2020-1726 Description: This update for conmon, fuse-overlayfs, libcontainers-common, podman fixes the following issues: podman was updated to v2.0.6 (bsc#1175821) - install missing systemd units for the new Rest API (bsc#1175957) and a few man-pages that where missing before - Drop varlink API related bits (in favor of the new API) - fix install location for zsh completions * Fixed a bug where running systemd in a container on a cgroups v1 system would fail. * Fixed a bug where /etc/passwd could be re-created every time a container is restarted if the container's /etc/passwd did not contain an entry for the user the container was started as. * Fixed a bug where containers without an /etc/passwd file specifying a non-root user would not start. * Fixed a bug where the --remote flag would sometimes not make remote connections and would instead attempt to run Podman locally. Update to v2.0.6: * Features - Rootless Podman will now add an entry to /etc/passwd for the user who ran Podman if run with --userns=keep-id. - The podman system connection command has been reworked to support multiple connections, and reenabled for use! - Podman now has a new global flag, --connection, to specify a connection to a remote Podman API instance. * Changes - Podman's automatic systemd integration (activated by the --systemd=true flag, set by default) will now activate for containers using /usr/local/sbin/init as their command, instead of just /usr/sbin/init and /sbin/init (and any path ending in systemd). - Seccomp profiles specified by the --security-opt seccomp=... flag to podman create and podman run will now be honored even if the container was created using --privileged. * Bugfixes - Fixed a bug where the podman play kube would not honor the hostIP field for port forwarding (#5964). - Fixed a bug where the podman generate systemd command would panic on an invalid restart policy being specified (#7271). - Fixed a bug where the podman images command could take a very long time (several minutes) to complete when a large number of images were present. - Fixed a bug where the podman logs command with the --tail flag would not work properly when a large amount of output would be printed ((#7230)[https://github.com//issues/7230]). - Fixed a bug where the podman exec command with remote Podman would not return a non-zero exit code when the exec session failed to start (e.g. invoking a non-existent command) (#6893). - Fixed a bug where the podman load command with remote Podman would did not honor user-specified tags (#7124). - Fixed a bug where the podman system service command, when run as a non-root user by Systemd, did not properly handle the Podman pause process and would not restart properly as a result (#7180). - Fixed a bug where the --publish flag to podman create, podman run, and podman pod create did not properly handle a host IP of 0.0.0.0 (attempting to bind to literal 0.0.0.0, instead of all IPs on the system) (#7104). - Fixed a bug where the podman start --attach command would not print the container's exit code when the command exited due to the container exiting. - Fixed a bug where the podman rm command with remote Podman would not remove volumes, even if the --volumes flag was specified (#7128). - Fixed a bug where the podman run command with remote Podman and the --rm flag could exit before the container was fully removed. - Fixed a bug where the --pod new:... flag to podman run and podman create would create a pod that did not share any namespaces. - Fixed a bug where the --preserve-fds flag to podman run and podman exec could close the wrong file descriptors while trying to close user-provided descriptors after passing them into the container. - Fixed a bug where default environment variables ($PATH and $TERM) were not set in containers when not provided by the image. - Fixed a bug where pod infra containers were not properly unmounted after exiting. - Fixed a bug where networks created with podman network create with an IPv6 subnet did not properly set an IPv6 default route. - Fixed a bug where the podman save command would not work properly when its output was piped to another command (#7017). - Fixed a bug where containers using a systemd init on a cgroups v1 system could leak mounts under /sys/fs/cgroup/systemd to the host. - Fixed a bug where podman build would not generate an event on completion (#7022). - Fixed a bug where the podman history command with remote Podman printed incorrect creation times for layers (#7122). - Fixed a bug where Podman would not create working directories specified by the container image if they did not exist. - Fixed a bug where Podman did not clear CMD from the container image if the user overrode ENTRYPOINT (#7115). - Fixed a bug where error parsing image names were not fully reported (part of the error message containing the exact issue was dropped). - Fixed a bug where the podman images command with remote Podman did not support printing image tags in Go templates supplied to the --format flag (#7123). - Fixed a bug where the podman rmi --force command would not attempt to unmount containers it was removing, which could cause a failure to remove the image. - Fixed a bug where the podman generate systemd --new command could incorrectly quote arguments to Podman that contained whitespace, leading to nonfunctional unit files (#7285). - Fixed a bug where the podman version command did not properly include build time and Git commit. - Fixed a bug where running systemd in a Podman container on a system that did not use the systemd cgroup manager would fail (#6734). - Fixed a bug where capabilities from --cap-add were not properly added when a container was started as a non-root user via --user. - Fixed a bug where Pod infra containers were not properly cleaned up when they stopped, causing networking issues (#7103). * API - Fixed a bug where the libpod and compat Build endpoints did not accept the application/tar content type (instead only accepting application/x-tar) (#7185). - Fixed a bug where the libpod Exists endpoint would attempt to write a second header in some error conditions (#7197). - Fixed a bug where compat and libpod Network Inspect and Network Remove endpoints would return a 500 instead of 404 when the requested network was not found. - Added a versioned _ping endpoint (e.g. http://localhost/v1.40/_ping). - Fixed a bug where containers started through a systemd-managed instance of the REST API would be shut down when podman system service shut down due to its idle timeout (#7294). - Added stronger parameter verification for the libpod Network Create endpoint to ensure subnet mask is a valid value. - The Pod URL parameter to the Libpod Container List endpoint has been deprecated; the information previously gated by the Pod boolean will now be included in the response unconditionally. - Change hard requires for AppArmor to Recommends. They are not needed for runtime or with SELinux but already installed if AppArmor is used [jsc#SMO-15] - Add BuildRequires for pkg-config(libselinux) to build with SELinux support [jsc#SMO-15] Update to v2.0.4 * Fixed a bug where the output of podman image search did not populate the Description field as it was mistakenly assigned to the ID field. * Fixed a bug where podman build - and podman build on an HTTP target would fail. * Fixed a bug where rootless Podman would improperly chown the copied-up contents of anonymous volumes (#7130). * Fixed a bug where Podman would sometimes HTML-escape special characters in its CLI output. * Fixed a bug where the podman start --attach --interactive command would print the container ID of the container attached to when exiting (#7068). * Fixed a bug where podman run --ipc=host --pid=host would only set --pid=host and not --ipc=host (#7100). * Fixed a bug where the --publish argument to podman run, podman create and podman pod create would not allow binding the same container port to more than one host port (#7062). * Fixed a bug where incorrect arguments to podman images --format could cause Podman to segfault. * Fixed a bug where podman rmi --force on an image ID with more than one name and at least one container using the image would not completely remove containers using the image (#7153). * Fixed a bug where memory usage in bytes and memory use percentage were swapped in the output of podman stats --format=json. * Fixed a bug where the libpod and compat events endpoints would fail if no filters were specified (#7078). * Fixed a bug where the CgroupVersion field in responses from the compat Info endpoint was prefixed by 'v' (instead of just being '1' or '2', as is documented). - Suggest katacontainers instead of recommending it. It's not enabled by default, so it's just bloat Update to v2.0.3 * Fix handling of entrypoint * log API: add context to allow for cancelling * fix API: Create container with an invalid configuration * Remove all instances of named return 'err' from Libpod * Fix: Correct connection counters for hijacked connections * Fix: Hijacking v2 endpoints to follow rfc 7230 semantics * Remove hijacked connections from active connections list * version/info: format: allow more json variants * Correctly print STDOUT on non-terminal remote exec * Fix container and pod create commands for remote create * Mask out /sys/dev to prevent information leak from the host * Ensure sig-proxy default is propagated in start * Add SystemdMode to inspect for containers * When determining systemd mode, use full command * Fix lint * Populate remaining unused fields in `pod inspect` * Include infra container information in `pod inspect` * play-kube: add suport for 'IfNotPresent' pull type * docs: user namespace can't be shared in pods * Fix 'Error: unrecognized protocol \'TCP\' in port mapping' * Error on rootless mac and ip addresses * Fix & add notes regarding problematic language in codebase * abi: set default umask and rlimits * Used reference package with errors for parsing tag * fix: system df error when an image has no name * Fix Generate API title/description * Add noop function disable-content-trust * fix play kube doesn't override dockerfile ENTRYPOINT * Support default profile for apparmor * Bump github.com/containers/common to v0.14.6 * events endpoint: backwards compat to old type * events endpoint: fix panic and race condition * Switch references from libpod.conf to containers.conf * podman.service: set type to simple * podman.service: set doc to podman-system-service * podman.service: use default registries.conf * podman.service: use default killmode * podman.service: remove stop timeout * systemd: symlink user->system * vendor golang.org/x/text@v0.3.3 * Fix a bug where --pids-limit was parsed incorrectly * search: allow wildcards * [CI:DOCS]Do not copy policy.json into gating image * Fix systemd pid 1 test * Cirrus: Rotate keys post repo. rename * The libpod.conf(5) man page got removed and all references are now pointing towards containers.conf(5), which will be part of the libcontainers-common package. Update to podman v2.0.2 * fix race condition in `libpod.GetEvents(...)` * Fix bug where `podman mount` didn't error as rootless * remove podman system connection * Fix imports to ensure v2 is used with libpod * Update release notes for v2.0.2 * specgen: fix order for setting rlimits * Ensure umask is set appropriately for 'system service' * generate systemd: improve pod-flags filter * Fix a bug with APIv2 compat network remove to log an ErrNetworkNotFound instead of nil * Fixes --remote flag issues * Pids-limit should only be set if the user set it * Set console mode for windows * Allow empty host port in --publish flag * Add a note on the APIs supported by `system service` * fix: Don't override entrypoint if it's `nil` * Set TMPDIR to /var/tmp by default if not set * test: add tests for --user and volumes * container: move volume chown after spec generation * libpod: volume copyup honors namespace mappings * Fix `system service` panic from early hangup in events * stop podman service in e2e tests * Print errors from individual containers in pods * auto-update: clarify systemd-unit requirements * podman ps truncate the command * move go module to v2 * Vendor containers/common v0.14.4 * Bump to imagebuilder v1.1.6 on v2 branch * Account for non-default port number in image name - Changes since v2.0.1 * Update release notes with further v2.0.1 changes * Fix inspect to display multiple label: changes * Set syslog for exit commands on log-level=debug * Friendly amendment for pr 6751 * podman run/create: support all transports * systemd generate: allow manual restart of container units in pods * Revert sending --remote flag to containers * Print port mappings in `ps` for ctrs sharing network * vendor github.com/containers/common@v0.14.3 * Update release notes for v2.0.1 * utils: drop default mapping when running uid!=0 * Set stop signal to 15 when not explicitly set * podman untag: error if tag doesn't exist * Reformat inspect network settings * APIv2: Return `StatusCreated` from volume creation * APIv2:fix: Remove `/json` from compat network EPs * Fix ssh-agent support * libpod: specify mappings to the storage * APIv2:doc: Fix swagger doc to refer to volumes * Add podman network to bash command completions * Fix typo in manpage for `podman auto update`. * Add JSON output field for ps * V2 podman system connection * image load: no args required * Re-add PODMAN_USERNS environment variable * Fix conflicts between privileged and other flags * Bump required go version to 1.13 * Add explicit command to alpine container in test case. * Use POLL_DURATION for timer * Stop following logs using timers * 'pod' was being truncated to 'po' in the names of the generated systemd unit files. * rootless_linux: improve error message * Fix podman build handling of --http-proxy flag * correct the absolute path of `rm` executable * Makefile: allow customizable GO_BUILD * Cirrus: Change DEST_BRANCH to v2.0 Update to podman v2.0.0 * The `podman generate systemd` command now supports the `--new` flag when used with pods, allowing portable services for pods to be created. * The `podman play kube` command now supports running Kubernetes Deployment YAML. * The `podman exec` command now supports the `--detach` flag to run commands in the container in the background. * The `-p` flag to `podman run` and `podman create` now supports forwarding ports to IPv6 addresses. * The `podman run`, `podman create` and `podman pod create` command now support a `--replace` flag to remove and replace any existing container (or, for `pod create`, pod) with the same name * The `--restart-policy` flag to `podman run` and `podman create` now supports the `unless-stopped` restart policy. * The `--log-driver` flag to `podman run` and `podman create` now supports the `none` driver, which does not log the container's output. * The `--mount` flag to `podman run` and `podman create` now accepts `readonly` option as an alias to `ro`. * The `podman generate systemd` command now supports the `--container-prefix`, `--pod-prefix`, and `--separator` arguments to control the name of generated unit files. * The `podman network ls` command now supports the `--filter` flag to filter results. * The `podman auto-update` command now supports specifying an authfile to use when pulling new images on a per-container basis using the `io.containers.autoupdate.authfile` label. * Fixed a bug where the `podman exec` command would log to journald when run in containers loggined to journald ([#6555](https://github.com/containers/libpod/issues/6555)). * Fixed a bug where the `podman auto-update` command would not preserve the OS and architecture of the original image when pulling a replacement ([#6613](https://github.com/containers/libpod/issues/6613)). * Fixed a bug where the `podman cp` command could create an extra `merged` directory when copying into an existing directory ([#6596](https://github.com/containers/libpod/issues/6596)). * Fixed a bug where the `podman pod stats` command would crash on pods run with `--network=host` ([#5652](https://github.com/containers/libpod/issues/5652)). * Fixed a bug where containers logs written to journald did not include the name of the container. * Fixed a bug where the `podman network inspect` and `podman network rm` commands did not properly handle non-default CNI configuration paths ([#6212](https://github.com/containers/libpod/issues/6212)). * Fixed a bug where Podman did not properly remove containers when using the Kata containers OCI runtime. * Fixed a bug where `podman inspect` would sometimes incorrectly report the network mode of containers started with `--net=none`. * Podman is now better able to deal with cases where `conmon` is killed before the container it is monitoring. Update to podman v1.9.3: * Fixed a bug where, on FIPS enabled hosts, FIPS mode secrets were not properly mounted into containers * Fixed a bug where builds run over Varlink would hang * Fixed a bug where podman save would fail when the target image was specified by digest * Fixed a bug where rootless containers with ports forwarded to them could panic and dump core due to a concurrency issue (#6018) * Fixed a bug where rootless Podman could race when opening the rootless user namespace, resulting in commands failing to run * Fixed a bug where HTTP proxy environment variables forwarded into the container by the --http-proxy flag could not be overridden by --env or --env-file * Fixed a bug where rootless Podman was setting resource limits on cgroups v2 systems that were not using systemd-managed cgroups (and thus did not support resource limits), resulting in containers failing to start Update podman to v1.9.1: * Bugfixes - Fixed a bug where healthchecks could become nonfunctional if container log paths were manually set with --log-path and multiple container logs were placed in the same directory - Fixed a bug where rootless Podman could, when using an older libpod.conf, print numerous warning messages about an invalid CGroup manager config - Fixed a bug where rootless Podman would sometimes fail to close the rootless user namespace when joining it Update podman to v1.9.0: * Features - Experimental support has been added for podman run --userns=auto, which automatically allocates a unique UID and GID range for the new container's user namespace - The podman play kube command now has a --network flag to place the created pod in one or more CNI networks - The podman commit command now supports an --iidfile flag to write the ID of the committed image to a file - Initial support for the new containers.conf configuration file has been added. containers.conf allows for much more detailed configuration of some Podman functionality * Changes - There has been a major cleanup of the podman info command resulting in breaking changes. Many fields have been renamed to better suit usage with APIv2 - All uses of the --timeout flag have been switched to prefer the alternative --time. The --timeout flag will continue to work, but man pages and --help will use the --time flag instead * Bugfixes - Fixed a bug where some volume mounts from the host would sometimes not properly determine the flags they should use when mounting - Fixed a bug where Podman was not propagating $PATH to Conmon and the OCI runtime, causing issues for some OCI runtimes that required it - Fixed a bug where rootless Podman would print error messages about missing support for systemd cgroups when run in a container with no cgroup support - Fixed a bug where podman play kube would not properly handle container-only port mappings (#5610) - Fixed a bug where the podman container prune command was not pruning containers in the created and configured states - Fixed a bug where Podman was not properly removing CNI IP address allocations after a reboot (#5433) - Fixed a bug where Podman was not properly applying the default Seccomp profile when --security-opt was not given at the command line * HTTP API - Many Libpod API endpoints have been added, including Changes, Checkpoint, Init, and Restore - Resolved issues where the podman system service command would time out and exit while there were still active connections - Stability overall has greatly improved as we prepare the API for a beta release soon with Podman 2.0 * Misc - The default infra image for pods has been upgraded to k8s.gcr.io/pause:3.2 (from 3.1) to address a bug in the architecture metadata for non-AMD64 images - The slirp4netns networking utility in rootless Podman now uses Seccomp filtering where available for improved security - Updated Buildah to v1.14.8 - Updated containers/storage to v1.18.2 - Updated containers/image to v5.4.3 - Updated containers/common to v0.8.1 - Add 'systemd' BUILDFLAGS to build with support for journald logging (bsc#1162432) Update podman to v1.8.2: * Features - Initial support for automatically updating containers managed via Systemd unit files has been merged. This allows containers to automatically upgrade if a newer version of their image becomes available * Bugfixes - Fixed a bug where unit files generated by podman generate systemd --new would not force containers to detach, causing the unit to time out when trying to start - Fixed a bug where podman system reset could delete important system directories if run as rootless on installations created by older Podman (#4831) - Fixed a bug where image built by podman build would not properly set the OS and Architecture they were built with (#5503) - Fixed a bug where attached podman run with --sig-proxy enabled (the default), when built with Go 1.14, would repeatedly send signal 23 to the process in the container and could generate errors when the container stopped (#5483) - Fixed a bug where rootless podman run commands could hang when forwarding ports - Fixed a bug where rootless Podman would not work when /proc was mounted with the hidepid option set - Fixed a bug where the podman system service command would use large amounts of CPU when --timeout was set to 0 (#5531) * HTTP API - Initial support for Libpod endpoints related to creating and operating on image manifest lists has been added - The Libpod Healthcheck and Events API endpoints are now supported - The Swagger endpoint can now handle cases where no Swagger documentation has been generated Update podman to v1.8.1: * Features - Many networking-related flags have been added to podman pod create to enable customization of pod networks, including --add-host, --dns, --dns-opt, --dns-search, --ip, --mac-address, --network, and --no-hosts - The podman ps --format=json command now includes the ID of the image containers were created with - The podman run and podman create commands now feature an --rmi flag to remove the image the container was using after it exits (if no other containers are using said image) ([#4628](https://github.com/containers/libpod/issues/4628)) - The podman create and podman run commands now support the --device-cgroup-rule flag (#4876) - While the HTTP API remains in alpha, many fixes and additions have landed. These are documented in a separate subsection below - The podman create and podman run commands now feature a --no-healthcheck flag to disable healthchecks for a container (#5299) - Containers now recognize the io.containers.capabilities label, which specifies a list of capabilities required by the image to run. These capabilities will be used as long as they are more restrictive than the default capabilities used - YAML produced by the podman generate kube command now includes SELinux configuration passed into the container via --security-opt label=... (#4950) * Bugfixes - Fixed CVE-2020-1726, a security issue where volumes manually populated before first being mounted into a container could have those contents overwritten on first being mounted into a container - Fixed a bug where Podman containers with user namespaces in CNI networks with the DNS plugin enabled would not have the DNS plugin's nameserver added to their resolv.conf ([#5256](https://github.com/containers/libpod/issues/5256)) - Fixed a bug where trailing / characters in image volume definitions could cause them to not be overridden by a user-specified mount at the same location ([#5219](https://github.com/containers/libpod/issues/5219)) - Fixed a bug where the label option in libpod.conf, used to disable SELinux by default, was not being respected (#5087) - Fixed a bug where the podman login and podman logout commands required the registry to log into be specified (#5146) - Fixed a bug where detached rootless Podman containers could not forward ports (#5167) - Fixed a bug where rootless Podman could fail to run if the pause process had died - Fixed a bug where Podman ignored labels that were specified with only a key and no value (#3854) - Fixed a bug where Podman would fail to create named volumes when the backing filesystem did not support SELinux labelling (#5200) - Fixed a bug where --detach-keys='' would not disable detaching from a container (#5166) - Fixed a bug where the podman ps command was too aggressive when filtering containers and would force --all on in too many situations - Fixed a bug where the podman play kube command was ignoring image configuration, including volumes, working directory, labels, and stop signal (#5174) - Fixed a bug where the Created and CreatedTime fields in podman images --format=json were misnamed, which also broke Go template output for those fields ([#5110](https://github.com/containers/libpod/issues/5110)) - Fixed a bug where rootless Podman containers with ports forwarded could hang when started (#5182) - Fixed a bug where podman pull could fail to parse registry names including port numbers - Fixed a bug where Podman would incorrectly attempt to validate image OS and architecture when starting containers - Fixed a bug where Bash completion for podman build -f would not list available files that could be built (#3878) - Fixed a bug where podman commit --change would perform incorrect validation, resulting in valid changes being rejected (#5148) - Fixed a bug where podman logs --tail could take large amounts of memory when the log file for a container was large (#5131) - Fixed a bug where Podman would sometimes incorrectly generate firewall rules on systems using firewalld - Fixed a bug where the podman inspect command would not display network information for containers properly if a container joined multiple CNI networks ([#4907](https://github.com/containers/libpod/issues/4907)) - Fixed a bug where the --uts flag to podman create and podman run would only allow specifying containers by full ID (#5289) - Fixed a bug where rootless Podman could segfault when passed a large number of file descriptors - Fixed a bug where the podman port command was incorrectly interpreting additional arguments as container names, instead of port numbers - Fixed a bug where units created by podman generate systemd did not depend on network targets, and so could start before the system network was ready (#4130) - Fixed a bug where exec sessions in containers which did not specify a user would not inherit supplemental groups added to the container via --group-add - Fixed a bug where Podman would not respect the $TMPDIR environment variable for placing large temporary files during some operations (e.g. podman pull) ([#5411](https://github.com/containers/libpod/issues/5411)) * HTTP API - Initial support for secure connections to servers via SSH tunneling has been added - Initial support for the libpod create and logs endpoints for containers has been added - Added a /swagger/ endpoint to serve API documentation - The json endpoint for containers has received many fixes - Filtering images and containers has been greatly improved, with many bugs fixed and documentation improved - Image creation endpoints (commit, pull, etc) have seen many fixes - Server timeout has been fixed so that long operations will no longer trigger the timeout and shut the server down - The stats endpoint for containers has seen major fixes and now provides accurate output - Handling the HTTP 304 status code has been fixed for all endpoints - Many fixes have been made to API documentation to ensure it matches the code * Misc - The Created field to podman images --format=json has been renamed to CreatedSince as part of the fix for (#5110). Go templates using the old name shou ld still work - The CreatedTime field to podman images --format=json has been renamed to CreatedAt as part of the fix for (#5110). Go templates using the old name should still work - The before filter to podman images has been renamed to since for Docker compatibility. Using before will still work, but documentation has been changed to use the new since filter - Using the --password flag to podman login now warns that passwords are being passed in plaintext - Some common cases where Podman would deadlock have been fixed to warn the user that podman system renumber must be run to resolve the deadlock - Configure br_netfilter for podman automatically (bsc#1165738) The trigger is only excuted when updating podman-cni-config while the command was running conmon was update to v2.0.20 (bsc#1175821) - journald: fix logging container name - container logging: Implement none driver - 'off', 'null' or 'none' all work. - ctrl: warn if we fail to unlink - Drop fsync calls - Reap PIDs before running exit command - Fix log path parsing - Add --sync option to prevent conmon from double forking - Add --no-sync-log option to instruct conmon to not sync the logs of the containers upon shutting down. This feature fixes a regression where we unconditionally dropped the log sync. It is possible the container logs could be corrupted on a sudden power-off. If you need container logs to remain in consistent state after a sudden shutdown, please update from v2.0.19 to v2.0.20 - Update to v2.0.17: - Add option to delay execution of exit command - Update to v2.0.16: - tty: flush pending data when fd is ready - Enable support for journald logging (bsc#1162432) - Update to v2.0.15: - store status while waiting for pid - Update to v2.0.14: - drop usage of splice(2) - avoid hanging on stdin - stdio: sometimes quit main loop after io is done - ignore sigpipe - Update to v2.0.12 - oom: fix potential race between verification steps - Update to v2.0.11 - log: reject --log-tag with k8s-file - chmod std files pipes - adjust score to -1000 to prevent conmon from ever being OOM killed - container OOM: verify cgroup hasn't been cleaned up before reporting OOM - journal logging: write to /dev/null instead of -1 fuse-overlayfs was updated to 1.1.2 (bsc#1175821): - fix memory leak when creating whiteout files. - fix lookup for overflow uid when it is different than the overflow gid. - use openat2(2) when available. - accept 'ro' as mount option. - fix set mtime for a symlink. - fix some issues reported by static analysis. - fix potential infinite loop on a short read. - fix creating a directory if the destination already exists in the upper layer. - report correctly the number of links for a directory also for subsequent stat calls - stop looking up the ino in the lower layers if the file could not be opened - make sure the destination is deleted before doing a rename(2). It prevents a left over directory to cause delete to fail with EEXIST. - honor --debug. libcontainers-common was updated to fix: - Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075) - Added containers/common tarball for containers.conf(5) man page - Install containers.conf default configuration in /usr/share/containers - libpod repository on github got renamed to podman - Update to image 5.5.1 - Add documentation for credHelpera - Add defaults for using the rootless policy path - Update libpod/podman to 2.0.3 - docs: user namespace can't be shared in pods - Switch references from libpod.conf to containers.conf - Allow empty host port in --publish flag - update document login see config.json as valid - Update storage to 1.20.2 - Add back skip_mount_home - Remove remaining difference between SLE and openSUSE package and ship the some mounts.conf default configuration on both platforms. As the sources for the mount point do not exist on openSUSE by default this config will basically have no effect on openSUSE. (jsc#SLE-12122, bsc#1175821) - Update to image 5.4.4 - Remove registries.conf VERSION 2 references from man page - Intial authfile man page - Add $HOME/.config/containers/certs.d to perHostCertDirPath - Add $HOME/.config/containers/registries.conf to config path - registries.conf.d: add stances for the registries.conf - update to libpod 1.9.3 - userns: support --userns=auto - Switch to using --time as opposed to --timeout to better match Docker - Add support for specifying CNI networks in podman play kube - man pages: fix inconsistencies - Update to storage 1.19.1 - userns: add support for auto - store: change the default user to containers - config: honor XDG_CONFIG_HOME - Remove the /var/lib/ca-certificates/pem/SUSE.pem workaround again. It never ended up in SLES and a different way to fix the underlying problem is being worked on. - Add registry.opensuse.org as default registry [bsc#1171578] - Add /var/lib/ca-certificates/pem/SUSE.pem to the SLES mounts. This for making container-suseconnect working in the public cloud on-demand images. It needs that file for being able to verify the server certificates of the RMT servers hosted in the public cloud. (https://github.com/SUSE/container-suseconnect/issues/41) ----------------------------------------- Patch: SUSE-2020-2735 Released: Thu Sep 24 13:32:25 2020 Summary: Recommended update for systemd-rpm-macros Severity: moderate References: 1173034 Description: This update for systemd-rpm-macros fixes the following issues: - Introduce macro '%service_del_postun_without_restart' to resolve blocking new releases based on this. (bsc#1173034) ----------------------------------------- Patch: SUSE-2020-2744 Released: Thu Sep 24 17:56:23 2020 Summary: Security update for tiff Severity: moderate References: 1146608,CVE-2019-14973 Description: This update for tiff fixes the following issues: - CVE-2019-14973: Fixed an improper check which was depended on the compiler which could have led to integer overflow (bsc#1146608). ----------------------------------------- Patch: SUSE-2020-2749 Released: Fri Sep 25 11:10:33 2020 Summary: Security update for MozillaFirefox Severity: important References: 1167976,1173986,1173991,1174284,1174420,1175686,1176756,CVE-2020-15663,CVE-2020-15664,CVE-2020-15670,CVE-2020-15673,CVE-2020-15676,CVE-2020-15677,CVE-2020-15678 Description: This update for MozillaFirefox fixes the following issues: - Firefox was updated to 78.3.0 ESR (bsc#1176756, MFSA 2020-43) - CVE-2020-15677: Download origin spoofing via redirect - CVE-2020-15676: Fixed an XSS when pasting attacker-controlled data into a contenteditable element - CVE-2020-15678: When recursing through layers while scrolling, an iterator may have become invalid, resulting in a potential use-after-free scenario - CVE-2020-15673: Fixed memory safety bugs - Enhance fix for wayland-detection (bsc#1174420) - Attempt to fix langpack-parallelization by introducing separate obj-dirs for each lang (bsc#1173986, bsc#1167976) - Firefox was updated to 78.2.0 ESR (bsc#1175686, MFSA 2020-38) - CVE-2020-15663: Downgrade attack on the Mozilla Maintenance Service could have resulted in escalation of privilege - CVE-2020-15664: Attacker-induced prompt for extension installation - CVE-2020-15670: Fixed memory safety bugs fixed in Firefox 80 and Firefox ESR 78.2 - Fixed Firefox tab crash in FIPS mode (bsc#1174284). - Fixed broken translation-loading (bsc#1173991) - allow addon sideloading - mark signatures for langpacks non-mandatory - do not autodisable user profile scopes - Google API key is not usable for geolocation service any more ----------------------------------------- Patch: SUSE-2020-2757 Released: Fri Sep 25 19:45:40 2020 Summary: Recommended update for nfs-utils Severity: moderate References: 1173104 Description: This update for nfs-utils fixes the following issue: - Some scripts are requiring Python2 while it is not installed by default and they can work with Python3. (bsc#1173104) ----------------------------------------- Patch: SUSE-2020-2758 Released: Fri Sep 25 19:46:16 2020 Summary: Optional update for pyzy Severity: low References: Description: This update for pyzy doesn't fix any user visible issues, but improves the building of the package from its source. ----------------------------------------- Patch: SUSE-2020-2773 Released: Tue Sep 29 08:15:31 2020 Summary: Recommended update for python3-susepubliccloudinfo Severity: moderate References: 1176102,1176103 Description: This update for python3-susepubliccloudinfo contains the following fixes: - Update to version 1.2.2: (bsc#1176102, bsc#1176103) + Support query for providers/frameworks, regions, and image states. ----------------------------------------- Patch: SUSE-2020-2782 Released: Tue Sep 29 11:40:22 2020 Summary: Recommended update for systemd-rpm-macros Severity: important References: 1176932 Description: This update for systemd-rpm-macros fixes the following issues: - Backport missing macros of directory paths from upstream + %_environmentdir + %_modulesloaddir + %_modprobedir - Make sure %_restart_on_update_never and %_stop_on_removal_never don't expand to the empty string. (bsc#1176932) Otherwise sequences like the following code: if [ ... ]; then %_restart_on_update_never fi would result in the following incorrect shell syntax: if [ ... ]; then fi ----------------------------------------- Patch: SUSE-2020-2613 Released: Tue Sep 29 14:06:01 2020 Summary: Recommended update for certification-sles-eal4, installation-images, patterns-certification, system-role-common-criteria Severity: moderate References: 1172898,1176112 Description: This update for certification-sles-eal4, installation-images, patterns-certification, system-role-common-criteria fixes the following issues: This updates provided various packages required for Common Criteria certification. certification-sles-eal4: - This package contains setup scripts that are used after installation of a common criteria system role. patterns-certification: - This package contains the packages to be installed. system-role-common-criteria: - This system role is used in the installer to be select and enable the Common Critera installation role. ----------------------------------------- Patch: SUSE-2020-2796 Released: Tue Sep 29 14:30:55 2020 Summary: Recommended update for hyper-v Severity: moderate References: 1116957 Description: This update for hyper-v fixes the following issues: - Fixes an issue when hyper-v services not running after booting from SLES12SP3 ISO. (bsc#1116957) ----------------------------------------- Patch: SUSE-2020-2804 Released: Wed Sep 30 11:43:16 2020 Summary: Recommended update for xiterm Severity: moderate References: 1158271 Description: This update for xiterm fixes the following issues: - Fix for not enabled application keypad mode. (bsc#1158271) ----------------------------------------- Patch: SUSE-2020-2811 Released: Thu Oct 1 09:19:57 2020 Summary: Optional update for adding Grafana dashboards to SLES for SAP Severity: moderate References: Description: This update adds grafana-ha-cluster-dashboards, grafana-sap-hana-dashboards, grafana-sap-netweaver-dashboards, grafana-sap-providers to SLES for SAP (jsc#ECO-2237) grafana-ha-cluster-dashboards: - Release 1.0.2 * update title and description * fixed datasource variable initialization * minor Grafana 7 compatibility fixes * use recommends instead of requires on grafana (jsc#SLE-10545) grafana-sap-providers: - First release grafana-sap-hana-dashboards: - Release 1.0.1 * Remove 'detail' word from file names for simplicity * Update title and description grafana-sap-netweaver-dashboards: - Release 1.0.1 * Update schema to Grafana 7 * Update title and description ----------------------------------------- Patch: SUSE-2020-2825 Released: Fri Oct 2 08:44:28 2020 Summary: Recommended update for suse-build-key Severity: moderate References: 1170347,1176759 Description: This update for suse-build-key fixes the following issues: - The SUSE Notary Container key is different from the build signing key, include this key instead as suse-container-key. (PM-1845 bsc#1170347) - The SUSE build key for SUSE Linux Enterprise 12 and 15 is extended by 4 more years. (bsc#1176759) ----------------------------------------- Patch: SUSE-2020-2828 Released: Fri Oct 2 10:33:22 2020 Summary: Security update for perl-DBI Severity: important References: 1176764,CVE-2019-20919 Description: This update for perl-DBI fixes the following issues: - CVE-2019-20919: Fixed a NULL profile dereference in dbi_profile (bsc#1176764). ----------------------------------------- Patch: SUSE-2020-2842 Released: Fri Oct 2 12:17:55 2020 Summary: Recommended update for golang-github-prometheus-node_exporter Severity: moderate References: 1151557 Description: This update for golang-github-prometheus-node_exporter fixes the following issues: - Add missing sysconfig file in rpm bsc#1151557 - Changes from 1.0.1 * Changes to build specification + Modify spec: update golang version to 1.14 + Remove update tarball script + Add _service file to allow for updates via `osc service disabledrun` * Bug fixes + [BUGFIX] filesystem_freebsd: Fix label values #1728 + [BUGFIX] Update prometheus/procfs to fix log noise #1735 + [BUGFIX] Fix build tags for collectors #1745 + [BUGFIX] Handle no data from powersupplyclass #1747, #1749 - Changes from 1.0.0 * Bug fixes + [BUGFIX] Read /proc/net files with a single read syscall #1380 + [BUGFIX] Renamed label state to name on node_systemd_service_restart_total. #1393 + [BUGFIX] Fix netdev nil reference on Darwin #1414 + [BUGFIX] Strip path.rootfs from mountpoint labels #1421 + [BUGFIX] Fix seconds reported by schedstat #1426 + [BUGFIX] Fix empty string in path.rootfs #1464 + [BUGFIX] Fix typo in cpufreq metric names #1510 + [BUGFIX] Read /proc/stat in one syscall #1538 + [BUGFIX] Fix OpenBSD cache memory information #1542 + [BUGFIX] Refactor textfile collector to avoid looping defer #1549 + [BUGFIX] Fix network speed math #1580 + [BUGFIX] collector/systemd: use regexp to extract systemd version #1647 + [BUGFIX] Fix initialization in perf collector when using multiple CPUs #1665 + [BUGFIX] Fix accidentally empty lines in meminfo_linux #1671 * Several enhancements + See https://github.com/prometheus/node_exporter/releases/tag/v1.0.0 - Changes from 1.0.0-rc.0 Breaking changes * The netdev collector CLI argument --collector.netdev.ignored-devices was renamed to --collector.netdev.device-blacklist in order to conform with the systemd collector. #1279 * The label named state on node_systemd_service_restart_total metrics was changed to name to better describe the metric. #1393 * Refactoring of the mdadm collector changes several metrics node_md_disks_active is removed node_md_disks now has a state label for 'fail', 'spare', 'active' disks. node_md_is_active is replaced by node_md_state with a state set of 'active', 'inactive', 'recovering', 'resync'. * Additional label mountaddr added to NFS device metrics to distinguish mounts from the same URL, but different IP addresses. #1417 * Metrics node_cpu_scaling_frequency_min_hrts and node_cpu_scaling_frequency_max_hrts of the cpufreq collector were renamed to node_cpu_scaling_frequency_min_hertz and node_cpu_scaling_frequency_max_hertz. #1510 * Collectors that are enabled, but are unable to find data to collect, now return 0 for node_scrape_collector_success. ----------------------------------------- Patch: SUSE-2020-2863 Released: Tue Oct 6 09:28:41 2020 Summary: Recommended update for efivar Severity: moderate References: 1175989 Description: This update for efivar fixes the following issues: - Fixed an issue when segmentation fault are caused on non-EFI systems. (bsc#1175989) ----------------------------------------- Patch: SUSE-2020-2869 Released: Tue Oct 6 16:13:20 2020 Summary: Recommended update for aaa_base Severity: moderate References: 1011548,1153943,1153946,1161239,1171762 Description: This update for aaa_base fixes the following issues: - DIR_COLORS (bug#1006973): - add screen.xterm-256color - add TERM rxvt-unicode-256color - sort and merge TERM entries in etc/DIR_COLORS - check for Packages.db and use this instead of Packages. (bsc#1171762) - Rename path() to _path() to avoid using a general name. - refresh_initrd call modprobe as /sbin/modprobe (bsc#1011548) - etc/profile add some missing ;; in case esac statements - profile and csh.login: on s390x set TERM to dumb on dumb terminal (bsc#1153946) - backup-rpmdb: exit if zypper is running (bsc#1161239) - Add color alias for ip command (jsc#sle-9880, jsc#SLE-7679, bsc#1153943) ----------------------------------------- Patch: SUSE-2020-2885 Released: Fri Oct 9 14:50:51 2020 Summary: Recommended update for xmlsec1 Severity: moderate References: 1177233 Description: This update for xmlsec1 fixes the following issue: - xmlsec1-devel, xmlsec1-openssl-devel and xmlsec-nss-devel are added to the Basesystem module. (bsc#1177233) ----------------------------------------- Patch: SUSE-2020-2899 Released: Tue Oct 13 14:18:03 2020 Summary: Security update for rubygem-activesupport-5_1 Severity: critical References: 1172186,CVE-2020-8165 Description: This update for rubygem-activesupport-5_1 fixes the following issues: - CVE-2020-8165: Fixed deserialization of untrusted data in MemCacheStore potentially resulting in remote code execution (bsc#1172186) ----------------------------------------- Patch: SUSE-2020-2910 Released: Tue Oct 13 16:02:04 2020 Summary: Recommended update for cloud-regionsrv-client Severity: moderate References: 1176858,1176859 Description: This update for cloud-regionsrv-client contains the following fixes: - Update to version 9.1.4 (bsc#1176858, bsc#1176859) + Properly handle the exit code for SUSEConnect and provide log message with failure details for registration failure ----------------------------------------- Patch: SUSE-2020-2945 Released: Fri Oct 16 10:06:06 2020 Summary: Recommended update for python-azure-agent Severity: critical References: 1176368,1176369,1177161,1177257 Description: This update for python-azure-agent fixes the following issues: - Fixes an issue when the 'python-azure-agent' fails to initialize Azure instances. (bsc#1177161, bsc#1177257) Update to version 2.2.49.2 (bsc#1176368, bsc#1176369) + Do not use --unit with systemd-cgls (#1910) + Report processes that do not belong to the agent's cgroup (#1908) + Use controller mount point for extension cgroup path (#1899) + Improvements in setup of cgroups (#1896) + Remove ExtensionsMetricsData and per-process Memory data (#1884) + Fix return value of start_extension_command (#1927) + Remove import * (#1900) + Fix flaky ExtensionCleanupTest class (#1898) + Fix codecov badge (#1883) + Changed codecov to run on py3.8 (#1875) + Update documentation on /dev/random (#1909) + Mount options are in mount(8) (#1893) + Remove ssh host key thumbprint in report ready (#1913) + Emit AutoUpdate value at service start only (#1907) + Add logging for version mismatch (#1895) + Send telemetry event if libdir changes (#1897) + Add log collector utility (#1847) + Move AutoUpdate reporting to HeartBeat event (#1919) + Removing infinite download of extension manifest without a new GS (#1874) + Fix wrongful dir deletion (#1873) + Fix the cleanup-outdated-handlers to only delete handlers that are not present in the GS (#1889) + Expose periods of environment thread in waagent.conf (#1891) + Added user @kevinclark19a as Contributor. (#1906) - From 2.2.48.1 + Refactoring GoalState class out of Protocol, making Protocol thread-safe, removing stale dependencies of Protocol and removing the dependency on the file system to read the Protocol info + Fetch goal state when creating HostPluginProtocol (#1799) + Separate goal state from the protocol class (#1777) + Make protocol util a singleton per thread (#1743, #1756) + Fetch goal state before sending telemetry (#1751) + Remove file dependency (#1754) + Others (#1758, #1767, #1744, #1749, #1816, #1820) + New logs for goal state fetch (#1797) and refresh (#1794). + Thread name added to logs (#1778) + Populate telemetry events at creation time (#1791) + Periodic HeartBeat to be logged to the file (#1755) + Add unit test to verify call stacks on telemetry events (#1828) + Others (#1841, #1842, #1846) + Handling errors while reading extension status files (Limiting Size and Transient issues)(#1761) + Enable SWAP on Resource Disk as Application Certification Support suggested (#1762) + Update 'Provisioning' options in default configs ( #1853) + Drop Metadata Server Support (#1806, #1839, #1840 ) + Improve documentation of ResourceDisk.EnableSwapEncryption (#1782) + Removed is_snappy function (#1774) + Handle exceptions in monitor thread (#1770) + Fix timestamp for periodic operations in the monitor thread (#1879) + Fix permissions on the Ubuntu systemd service file (#1814) + Update hostname setting for SUSE distros (#1832) + Python 3.8 improvements + support for Ubuntu 20.04 (#1860, #1865, #1738) + Testing and dev-infra improvements [#1771, #1768, #1800, #1826, #1827, #1833] + Others (#1854, #1858) - From 2.2.46 + [#1741] Do not update goal state when refreshing the host plugin + [#1731] Fix upgrade sequence when update command fails + [#1725] Initialize CPU usage + [#1716, #1737] Added UTC logging and correcting the format + [#1651, #1729] Start sending PerformanceCounter metrics and additional memory information for Cgroups ----------------------------------------- Patch: SUSE-2020-2947 Released: Fri Oct 16 15:23:07 2020 Summary: Security update for gcc10, nvptx-tools Severity: moderate References: 1172798,1172846,1173972,1174753,1174817,1175168,CVE-2020-13844 Description: This update for gcc10, nvptx-tools fixes the following issues: This update provides the GCC10 compiler suite and runtime libraries. The base SUSE Linux Enterprise libraries libgcc_s1, libstdc++6 are replaced by the gcc10 variants. The new compiler variants are available with '-10' suffix, you can specify them via: CC=gcc-10 CXX=g++-10 or similar commands. For a detailed changelog check out https://gcc.gnu.org/gcc-10/changes.html Changes in nvptx-tools: - Enable build on aarch64 ----------------------------------------- Patch: SUSE-2020-2950 Released: Fri Oct 16 15:49:51 2020 Summary: Recommended update for python-aliyun-python-sdk, python-aliyun-python-sdk-aas, python-aliyun-python-sdk-acm, python-aliyun-python-sdk-acms-open, python-aliyun-python-sdk-actiontrail, python-aliyun-python-sdk-adb, python-aliyun-python-sdk-address-purification, python-aliyun-python-sdk-aegis, python-aliyun-python-sdk-afs, python-aliyun-python-sdk-airec, python-aliyun-python-sdk-alidns, python-aliyun-python-sdk-aligreen-console, python-aliyun-python-sdk-alimt, python-aliyun-python-sdk-alinlp, python-aliyun-python-sdk-aliyuncvc, python-aliyun-python-sdk-amqp-open, python-aliyun-python-sdk-appmallsservice, python-aliyun-python-sdk-arms, python-aliyun-python-sdk-arms4finance, python-aliyun-python-sdk-baas, python-aliyun-python-sdk-brinekingdom, python-aliyun-python-sdk-bss, python-aliyun-python-sdk-bssopenapi, python-aliyun-python-sdk-cams, python-aliyun-python-sdk-cas, python-aliyun-python-sdk-cassandra, python-aliyun-python-sdk-cbn, python-aliyun-python-sdk-ccc, python-aliyun-python-sdk-ccs, python-aliyun-python-sdk-cdn, python-aliyun-python-sdk-chatbot, python-aliyun-python-sdk-clickhouse, python-aliyun-python-sdk-cloudapi, python-aliyun-python-sdk-cloudauth, python-aliyun-python-sdk-cloudesl, python-aliyun-python-sdk-cloudgame, python-aliyun-python-sdk-cloudmarketing, python-aliyun-python-sdk-cloudphoto, python-aliyun-python-sdk-cloudwf, python-aliyun-python-sdk-cms, python-aliyun-python-sdk-codeup, python-aliyun-python-sdk-companyreg, python-aliyun-python-sdk-core, python-aliyun-python-sdk-cr, python-aliyun-python-sdk-crm, python-aliyun-python-sdk-cs, python-aliyun-python-sdk-csb, python-aliyun-python-sdk-cspro, python-aliyun-python-sdk-cusanalytic_sc_online, python-aliyun-python-sdk-das, python-aliyun-python-sdk-dataworks-public, python-aliyun-python-sdk-dbfs, python-aliyun-python-sdk-dbs, python-aliyun-python-sdk-dcdn, python-aliyun-python-sdk-dds, python-aliyun-python-sdk-democenter, python-aliyun-python-sdk-devops-rdc, python-aliyun-python-sdk-dms-enterprise, python-aliyun-python-sdk-domain, python-aliyun-python-sdk-domain-intl, python-aliyun-python-sdk-drds, python-aliyun-python-sdk-dts, python-aliyun-python-sdk-dybaseapi, python-aliyun-python-sdk-dyplsapi, python-aliyun-python-sdk-dypnsapi, python-aliyun-python-sdk-dysmsapi, python-aliyun-python-sdk-dyvmsapi, python-aliyun-python-sdk-eas, python-aliyun-python-sdk-eci, python-aliyun-python-sdk-ecs, python-aliyun-python-sdk-edas, python-aliyun-python-sdk-ehpc, python-aliyun-python-sdk-elasticsearch, python-aliyun-python-sdk-emr, python-aliyun-python-sdk-ens, python-aliyun-python-sdk-ess, python-aliyun-python-sdk-faas, python-aliyun-python-sdk-facebody, python-aliyun-python-sdk-fnf, python-aliyun-python-sdk-foas, python-aliyun-python-sdk-ft, python-aliyun-python-sdk-geoip, python-aliyun-python-sdk-goodstech, python-aliyun-python-sdk-gpdb, python-aliyun-python-sdk-green, python-aliyun-python-sdk-gts-phd, python-aliyun-python-sdk-hbase, python-aliyun-python-sdk-hbr, python-aliyun-python-sdk-highddos, python-aliyun-python-sdk-hiknoengine, python-aliyun-python-sdk-hivisengine, python-aliyun-python-sdk-hpc, python-aliyun-python-sdk-hsm, python-aliyun-python-sdk-httpdns, python-aliyun-python-sdk-imageaudit, python-aliyun-python-sdk-imageenhan, python-aliyun-python-sdk-imageprocess, python-aliyun-python-sdk-imagerecog, python-aliyun-python-sdk-imagesearch, python-aliyun-python-sdk-imageseg, python-aliyun-python-sdk-imgsearch, python-aliyun-python-sdk-imm, python-aliyun-python-sdk-industry-brain, python-aliyun-python-sdk-iot, python-aliyun-python-sdk-iqa, python-aliyun-python-sdk-ivision, python-aliyun-python-sdk-ivpd, python-aliyun-python-sdk-jaq, python-aliyun-python-sdk-jarvis, python-aliyun-python-sdk-jarvis-public, python-aliyun-python-sdk-kms, python-aliyun-python-sdk-ledgerdb, python-aliyun-python-sdk-linkedmall, python-aliyun-python-sdk-linkface, python-aliyun-python-sdk-linkwan, python-aliyun-python-sdk-live, python-aliyun-python-sdk-lubancloud, python-aliyun-python-sdk-market, python-aliyun-python-sdk-mopen, python-aliyun-python-sdk-mts, python-aliyun-python-sdk-multimediaai, python-aliyun-python-sdk-nas, python-aliyun-python-sdk-netana, python-aliyun-python-sdk-nlp-automl, python-aliyun-python-sdk-nls-cloud-meta, python-aliyun-python-sdk-objectdet, python-aliyun-python-sdk-ocr, python-aliyun-python-sdk-ocs, python-aliyun-python-sdk-oms, python-aliyun-python-sdk-ons, python-aliyun-python-sdk-onsmqtt, python-aliyun-python-sdk-oos, python-aliyun-python-sdk-openanalytics, python-aliyun-python-sdk-openanalytics-open, python-aliyun-python-sdk-opensearch, python-aliyun-python-sdk-ossadmin, python-aliyun-python-sdk-ots, python-aliyun-python-sdk-outboundbot, python-aliyun-python-sdk-paistudio, python-aliyun-python-sdk-petadata, python-aliyun-python-sdk-polardb, python-aliyun-python-sdk-productcatalog, python-aliyun-python-sdk-pts, python-aliyun-python-sdk-push, python-aliyun-python-sdk-pvtz, python-aliyun-python-sdk-qualitycheck, python-aliyun-python-sdk-quickbi-public, python-aliyun-python-sdk-r-kvstore, python-aliyun-python-sdk-ram, python-aliyun-python-sdk-rdc, python-aliyun-python-sdk-rds, python-aliyun-python-sdk-reid, python-aliyun-python-sdk-resourcemanager, python-aliyun-python-sdk-retailcloud, python-aliyun-python-sdk-risk, python-aliyun-python-sdk-ros, python-aliyun-python-sdk-rtc, python-aliyun-python-sdk-sae, python-aliyun-python-sdk-saf, python-aliyun-python-sdk-sas, python-aliyun-python-sdk-sas-api, python-aliyun-python-sdk-scdn, python-aliyun-python-sdk-schedulerx2, python-aliyun-python-sdk-sddp, python-aliyun-python-sdk-slb, python-aliyun-python-sdk-smartag, python-aliyun-python-sdk-smc, python-aliyun-python-sdk-snsuapi, python-aliyun-python-sdk-status, python-aliyun-python-sdk-sts, python-aliyun-python-sdk-tag, python-aliyun-python-sdk-tesladam, python-aliyun-python-sdk-teslamaxcompute, python-aliyun-python-sdk-teslastream, python-aliyun-python-sdk-trademark, python-aliyun-python-sdk-ubsms, python-aliyun-python-sdk-uis, python-aliyun-python-sdk-unimkt, python-aliyun-python-sdk-vcs, python-aliyun-python-sdk-viapiutils, python-aliyun-python-sdk-videoenhan, python-aliyun-python-sdk-videorecog, python-aliyun-python-sdk-videosearch, python-aliyun-python-sdk-videoseg, python-aliyun-python-sdk-visionai, python-aliyun-python-sdk-visionai-poc, python-aliyun-python-sdk-vod, python-aliyun-python-sdk-voicenavigator, python-aliyun-python-sdk-vpc, python-aliyun-python-sdk-vs, python-aliyun-python-sdk-waf-openapi, python-aliyun-python-sdk-webplus, python-aliyun-python-sdk-welfare-inner, python-aliyun-python-sdk-workorder, python-aliyun-python-sdk-xspace, python-aliyun-python-sdk-xtrace, python-aliyun-python-sdk-yundun, python-aliyun-python-sdk-yundun-ds, python-pycryptodome Severity: moderate References: 1175230 Description: This update for python-aliyun-python-sdk, python-aliyun-python-sdk-aas, python-aliyun-python-sdk-acm, python-aliyun-python-sdk-acms-open, python-aliyun-python-sdk-actiontrail, python-aliyun-python-sdk-adb, python-aliyun-python-sdk-address-purification, python-aliyun-python-sdk-aegis, python-aliyun-python-sdk-afs, python-aliyun-python-sdk-airec, python-aliyun-python-sdk-alidns, python-aliyun-python-sdk-aligreen-console, python-aliyun-python-sdk-alimt, python-aliyun-python-sdk-alinlp, python-aliyun-python-sdk-aliyuncvc, python-aliyun-python-sdk-amqp-open, python-aliyun-python-sdk-appmallsservice, python-aliyun-python-sdk-arms, python-aliyun-python-sdk-arms4finance, python-aliyun-python-sdk-baas, python-aliyun-python-sdk-brinekingdom, python-aliyun-python-sdk-bss, python-aliyun-python-sdk-bssopenapi, python-aliyun-python-sdk-cams, python-aliyun-python-sdk-cas, python-aliyun-python-sdk-cassandra, python-aliyun-python-sdk-cbn, python-aliyun-python-sdk-ccc, python-aliyun-python-sdk-ccs, python-aliyun-python-sdk-cdn, python-aliyun-python-sdk-chatbot, python-aliyun-python-sdk-clickhouse, python-aliyun-python-sdk-cloudapi, python-aliyun-python-sdk-cloudauth, python-aliyun-python-sdk-cloudesl, python-aliyun-python-sdk-cloudgame, python-aliyun-python-sdk-cloudmarketing, python-aliyun-python-sdk-cloudphoto, python-aliyun-python-sdk-cloudwf, python-aliyun-python-sdk-cms, python-aliyun-python-sdk-codeup, python-aliyun-python-sdk-companyreg, python-aliyun-python-sdk-core, python-aliyun-python-sdk-cr, python-aliyun-python-sdk-crm, python-aliyun-python-sdk-cs, python-aliyun-python-sdk-csb, python-aliyun-python-sdk-cspro, python-aliyun-python-sdk-cusanalytic_sc_online, python-aliyun-python-sdk-das, python-aliyun-python-sdk-dataworks-public, python-aliyun-python-sdk-dbfs, python-aliyun-python-sdk-dbs, python-aliyun-python-sdk-dcdn, python-aliyun-python-sdk-dds, python-aliyun-python-sdk-democenter, python-aliyun-python-sdk-devops-rdc, python-aliyun-python-sdk-dms-enterprise, python-aliyun-python-sdk-domain, python-aliyun-python-sdk-domain-intl, python-aliyun-python-sdk-drds, python-aliyun-python-sdk-dts, python-aliyun-python-sdk-dybaseapi, python-aliyun-python-sdk-dyplsapi, python-aliyun-python-sdk-dypnsapi, python-aliyun-python-sdk-dysmsapi, python-aliyun-python-sdk-dyvmsapi, python-aliyun-python-sdk-eas, python-aliyun-python-sdk-eci, python-aliyun-python-sdk-ecs, python-aliyun-python-sdk-edas, python-aliyun-python-sdk-ehpc, python-aliyun-python-sdk-elasticsearch, python-aliyun-python-sdk-emr, python-aliyun-python-sdk-ens, python-aliyun-python-sdk-ess, python-aliyun-python-sdk-faas, python-aliyun-python-sdk-facebody, python-aliyun-python-sdk-fnf, python-aliyun-python-sdk-foas, python-aliyun-python-sdk-ft, python-aliyun-python-sdk-geoip, python-aliyun-python-sdk-goodstech, python-aliyun-python-sdk-gpdb, python-aliyun-python-sdk-green, python-aliyun-python-sdk-gts-phd, python-aliyun-python-sdk-hbase, python-aliyun-python-sdk-hbr, python-aliyun-python-sdk-highddos, python-aliyun-python-sdk-hiknoengine, python-aliyun-python-sdk-hivisengine, python-aliyun-python-sdk-hpc, python-aliyun-python-sdk-hsm, python-aliyun-python-sdk-httpdns, python-aliyun-python-sdk-imageaudit, python-aliyun-python-sdk-imageenhan, python-aliyun-python-sdk-imageprocess, python-aliyun-python-sdk-imagerecog, python-aliyun-python-sdk-imagesearch, python-aliyun-python-sdk-imageseg, python-aliyun-python-sdk-imgsearch, python-aliyun-python-sdk-imm, python-aliyun-python-sdk-industry-brain, python-aliyun-python-sdk-iot, python-aliyun-python-sdk-iqa, python-aliyun-python-sdk-ivision, python-aliyun-python-sdk-ivpd, python-aliyun-python-sdk-jaq, python-aliyun-python-sdk-jarvis, python-aliyun-python-sdk-jarvis-public, python-aliyun-python-sdk-kms, python-aliyun-python-sdk-ledgerdb, python-aliyun-python-sdk-linkedmall, python-aliyun-python-sdk-linkface, python-aliyun-python-sdk-linkwan, python-aliyun-python-sdk-live, python-aliyun-python-sdk-lubancloud, python-aliyun-python-sdk-market, python-aliyun-python-sdk-mopen, python-aliyun-python-sdk-mts, python-aliyun-python-sdk-multimediaai, python-aliyun-python-sdk-nas, python-aliyun-python-sdk-netana, python-aliyun-python-sdk-nlp-automl, python-aliyun-python-sdk-nls-cloud-meta, python-aliyun-python-sdk-objectdet, python-aliyun-python-sdk-ocr, python-aliyun-python-sdk-ocs, python-aliyun-python-sdk-oms, python-aliyun-python-sdk-ons, python-aliyun-python-sdk-onsmqtt, python-aliyun-python-sdk-oos, python-aliyun-python-sdk-openanalytics, python-aliyun-python-sdk-openanalytics-open, python-aliyun-python-sdk-opensearch, python-aliyun-python-sdk-ossadmin, python-aliyun-python-sdk-ots, python-aliyun-python-sdk-outboundbot, python-aliyun-python-sdk-paistudio, python-aliyun-python-sdk-petadata, python-aliyun-python-sdk-polardb, python-aliyun-python-sdk-productcatalog, python-aliyun-python-sdk-pts, python-aliyun-python-sdk-push, python-aliyun-python-sdk-pvtz, python-aliyun-python-sdk-qualitycheck, python-aliyun-python-sdk-quickbi-public, python-aliyun-python-sdk-r-kvstore, python-aliyun-python-sdk-ram, python-aliyun-python-sdk-rdc, python-aliyun-python-sdk-rds, python-aliyun-python-sdk-reid, python-aliyun-python-sdk-resourcemanager, python-aliyun-python-sdk-retailcloud, python-aliyun-python-sdk-risk, python-aliyun-python-sdk-ros, python-aliyun-python-sdk-rtc, python-aliyun-python-sdk-sae, python-aliyun-python-sdk-saf, python-aliyun-python-sdk-sas, python-aliyun-python-sdk-sas-api, python-aliyun-python-sdk-scdn, python-aliyun-python-sdk-schedulerx2, python-aliyun-python-sdk-sddp, python-aliyun-python-sdk-slb, python-aliyun-python-sdk-smartag, python-aliyun-python-sdk-smc, python-aliyun-python-sdk-snsuapi, python-aliyun-python-sdk-status, python-aliyun-python-sdk-sts, python-aliyun-python-sdk-tag, python-aliyun-python-sdk-tesladam, python-aliyun-python-sdk-teslamaxcompute, python-aliyun-python-sdk-teslastream, python-aliyun-python-sdk-trademark, python-aliyun-python-sdk-ubsms, python-aliyun-python-sdk-uis, python-aliyun-python-sdk-unimkt, python-aliyun-python-sdk-vcs, python-aliyun-python-sdk-viapiutils, python-aliyun-python-sdk-videoenhan, python-aliyun-python-sdk-videorecog, python-aliyun-python-sdk-videosearch, python-aliyun-python-sdk-videoseg, python-aliyun-python-sdk-visionai, python-aliyun-python-sdk-visionai-poc, python-aliyun-python-sdk-vod, python-aliyun-python-sdk-voicenavigator, python-aliyun-python-sdk-vpc, python-aliyun-python-sdk-vs, python-aliyun-python-sdk-waf-openapi, python-aliyun-python-sdk-webplus, python-aliyun-python-sdk-welfare-inner, python-aliyun-python-sdk-workorder, python-aliyun-python-sdk-xspace, python-aliyun-python-sdk-xtrace, python-aliyun-python-sdk-yundun, python-aliyun-python-sdk-yundun-ds, python-pycryptodome contains the following changes: Initial shipment for Alibaba Cloud SDK and dependencies. (bsc#1175230, jsc#ECO-2011, jsc#PM-1919) The following packages are being added: python-aliyun-python-sdk-aas python-aliyun-python-sdk-acms-open python-aliyun-python-sdk-acm python-aliyun-python-sdk-actiontrail python-aliyun-python-sdk-adb python-aliyun-python-sdk-address-purification python-aliyun-python-sdk-aegis python-aliyun-python-sdk-afs python-aliyun-python-sdk-airec python-aliyun-python-sdk-alidns python-aliyun-python-sdk-aligreen-console python-aliyun-python-sdk-alimt python-aliyun-python-sdk-alinlp python-aliyun-python-sdk-aliyuncvc python-aliyun-python-sdk-amqp-open python-aliyun-python-sdk-appmallsservice python-aliyun-python-sdk-arms4finance python-aliyun-python-sdk-arms python-aliyun-python-sdk-baas python-aliyun-python-sdk-brinekingdom python-aliyun-python-sdk-bssopenapi python-aliyun-python-sdk-bss python-aliyun-python-sdk-cams python-aliyun-python-sdk-cassandra python-aliyun-python-sdk-cas python-aliyun-python-sdk-cbn python-aliyun-python-sdk-ccc python-aliyun-python-sdk-ccs python-aliyun-python-sdk-cdn python-aliyun-python-sdk-chatbot python-aliyun-python-sdk-clickhouse python-aliyun-python-sdk-cloudapi python-aliyun-python-sdk-cloudauth python-aliyun-python-sdk-cloudesl python-aliyun-python-sdk-cloudgame python-aliyun-python-sdk-cloudmarketing python-aliyun-python-sdk-cloudphoto python-aliyun-python-sdk-cloudwf python-aliyun-python-sdk-cms python-aliyun-python-sdk-codeup python-aliyun-python-sdk-companyreg python-aliyun-python-sdk-core python-aliyun-python-sdk-crm python-aliyun-python-sdk-cr python-aliyun-python-sdk-csb python-aliyun-python-sdk-cspro python-aliyun-python-sdk-cs python-aliyun-python-sdk-cusanalytic_sc_online python-aliyun-python-sdk-das python-aliyun-python-sdk-dataworks-public python-aliyun-python-sdk-dbfs python-aliyun-python-sdk-dbs python-aliyun-python-sdk-dcdn python-aliyun-python-sdk-dds python-aliyun-python-sdk-democenter python-aliyun-python-sdk-devops-rdc python-aliyun-python-sdk-dms-enterprise python-aliyun-python-sdk-domain-intl python-aliyun-python-sdk-domain python-aliyun-python-sdk-drds python-aliyun-python-sdk-dts python-aliyun-python-sdk-dybaseapi python-aliyun-python-sdk-dyplsapi python-aliyun-python-sdk-dypnsapi python-aliyun-python-sdk-dysmsapi python-aliyun-python-sdk-dyvmsapi python-aliyun-python-sdk-eas python-aliyun-python-sdk-eci python-aliyun-python-sdk-ecs python-aliyun-python-sdk-edas python-aliyun-python-sdk-ehpc python-aliyun-python-sdk-elasticsearch python-aliyun-python-sdk-emr python-aliyun-python-sdk-ens python-aliyun-python-sdk-ess python-aliyun-python-sdk-faas python-aliyun-python-sdk-facebody python-aliyun-python-sdk-fnf python-aliyun-python-sdk-foas python-aliyun-python-sdk-ft python-aliyun-python-sdk-geoip python-aliyun-python-sdk-goodstech python-aliyun-python-sdk-gpdb python-aliyun-python-sdk-green python-aliyun-python-sdk-gts-phd python-aliyun-python-sdk-hbase python-aliyun-python-sdk-hbr python-aliyun-python-sdk-highddos python-aliyun-python-sdk-hiknoengine python-aliyun-python-sdk-hivisengine python-aliyun-python-sdk-hpc python-aliyun-python-sdk-hsm python-aliyun-python-sdk-httpdns python-aliyun-python-sdk-imageaudit python-aliyun-python-sdk-imageenhan python-aliyun-python-sdk-imageprocess python-aliyun-python-sdk-imagerecog python-aliyun-python-sdk-imagesearch python-aliyun-python-sdk-imageseg python-aliyun-python-sdk-imgsearch python-aliyun-python-sdk-imm python-aliyun-python-sdk-industry-brain python-aliyun-python-sdk-iot python-aliyun-python-sdk-iqa python-aliyun-python-sdk-ivision python-aliyun-python-sdk-ivpd python-aliyun-python-sdk-jaq python-aliyun-python-sdk-jarvis-public python-aliyun-python-sdk-jarvis python-aliyun-python-sdk-kms python-aliyun-python-sdk-ledgerdb python-aliyun-python-sdk-linkedmall python-aliyun-python-sdk-linkface python-aliyun-python-sdk-linkwan python-aliyun-python-sdk-live python-aliyun-python-sdk-lubancloud python-aliyun-python-sdk-market python-aliyun-python-sdk-mopen python-aliyun-python-sdk-mts python-aliyun-python-sdk-multimediaai python-aliyun-python-sdk-nas python-aliyun-python-sdk-netana python-aliyun-python-sdk-nlp-automl python-aliyun-python-sdk-nls-cloud-meta python-aliyun-python-sdk-objectdet python-aliyun-python-sdk-ocr python-aliyun-python-sdk-ocs python-aliyun-python-sdk-oms python-aliyun-python-sdk-onsmqtt python-aliyun-python-sdk-ons python-aliyun-python-sdk-oos python-aliyun-python-sdk-openanalytics-open python-aliyun-python-sdk-openanalytics python-aliyun-python-sdk-opensearch python-aliyun-python-sdk-ossadmin python-aliyun-python-sdk-ots python-aliyun-python-sdk-outboundbot python-aliyun-python-sdk-paistudio python-aliyun-python-sdk-petadata python-aliyun-python-sdk-polardb python-aliyun-python-sdk-productcatalog python-aliyun-python-sdk-pts python-aliyun-python-sdk-push python-aliyun-python-sdk-pvtz python-aliyun-python-sdk-qualitycheck python-aliyun-python-sdk-quickbi-public python-aliyun-python-sdk-ram python-aliyun-python-sdk-rdc python-aliyun-python-sdk-rds python-aliyun-python-sdk-reid python-aliyun-python-sdk-resourcemanager python-aliyun-python-sdk-retailcloud python-aliyun-python-sdk-risk python-aliyun-python-sdk-r-kvstore python-aliyun-python-sdk-ros python-aliyun-python-sdk-rtc python-aliyun-python-sdk-sae python-aliyun-python-sdk-saf python-aliyun-python-sdk-sas-api python-aliyun-python-sdk-sas python-aliyun-python-sdk-scdn python-aliyun-python-sdk-schedulerx2 python-aliyun-python-sdk-sddp python-aliyun-python-sdk-slb python-aliyun-python-sdk-smartag python-aliyun-python-sdk-smc python-aliyun-python-sdk-snsuapi python-aliyun-python-sdk-status python-aliyun-python-sdk-sts python-aliyun-python-sdk python-aliyun-python-sdk-tag python-aliyun-python-sdk-tesladam python-aliyun-python-sdk-teslamaxcompute python-aliyun-python-sdk-teslastream python-aliyun-python-sdk-trademark python-aliyun-python-sdk-ubsms python-aliyun-python-sdk-uis python-aliyun-python-sdk-unimkt python-aliyun-python-sdk-vcs python-aliyun-python-sdk-viapiutils python-aliyun-python-sdk-videoenhan python-aliyun-python-sdk-videorecog python-aliyun-python-sdk-videosearch python-aliyun-python-sdk-videoseg python-aliyun-python-sdk-visionai-poc python-aliyun-python-sdk-visionai python-aliyun-python-sdk-vod python-aliyun-python-sdk-voicenavigator python-aliyun-python-sdk-vpc python-aliyun-python-sdk-vs python-aliyun-python-sdk-waf-openapi python-aliyun-python-sdk-webplus python-aliyun-python-sdk-welfare-inner python-aliyun-python-sdk-workorder python-aliyun-python-sdk-xspace python-aliyun-python-sdk-xtrace python-aliyun-python-sdk-yundun-ds python-aliyun-python-sdk-yundun python-pycryptodome ----------------------------------------- Patch: SUSE-2020-2951 Released: Fri Oct 16 16:09:38 2020 Summary: Security update for transfig Severity: moderate References: 1143650,CVE-2019-14275 Description: This update for transfig fixes the following issues: Security issue fixed: - CVE-2019-14275: Fixed stack-based buffer overflow in the calc_arrow function (bsc#1143650). ----------------------------------------- Patch: SUSE-2020-2958 Released: Tue Oct 20 12:24:55 2020 Summary: Recommended update for procps Severity: moderate References: 1158830 Description: This update for procps fixes the following issues: - Fixes an issue when command 'ps -C' does not allow anymore an argument longer than 15 characters. (bsc#1158830) ----------------------------------------- Patch: SUSE-2020-2965 Released: Tue Oct 20 13:27:21 2020 Summary: Recommended update for cni, cni-plugins Severity: moderate References: 1172786 Description: This update ships cni and cni-plugins to the Public Cloud Module of SUSE Linux Enterprise 15 SP2. ----------------------------------------- Patch: SUSE-2020-2966 Released: Tue Oct 20 16:03:58 2020 Summary: Security update for hunspell Severity: low References: 1151867,CVE-2019-16707 Description: This update for hunspell fixes the following issues: - CVE-2019-16707: Fixed an invalid read in SuggestMgr:leftcommonsubstring (bsc#1151867). ----------------------------------------- Patch: SUSE-2020-2971 Released: Tue Oct 20 16:41:36 2020 Summary: Recommended update for shim-susesigned Severity: moderate References: 1177315 Description: This update contains changes needed for Common criteria certification. shim: * add a temporary shim loader EFI signed by SUSE that contains additional checks of Extended Key Usage for Codesigning (bsc#1177315) The Common Criteria system role for 15-SP2 was adjusted: * Configure alternative shim (bsc#1177315) * Remove curve25519-sha256@libssh.org as it doesn't work in fips mode * doc: logrotate is started via timer ----------------------------------------- Patch: SUSE-2020-2983 Released: Wed Oct 21 15:03:03 2020 Summary: Recommended update for file Severity: moderate References: 1176123 Description: This update for file fixes the following issues: - Fixes an issue when file displays broken 'ELF' interpreter. (bsc#1176123) ----------------------------------------- Patch: SUSE-2020-2985 Released: Wed Oct 21 15:11:39 2020 Summary: Recommended update for prometheus-ha_cluster_exporter Severity: moderate References: Description: This update for prometheus-ha_cluster_exporter fixes the following issues: - Implement SBD watchdog and 'msgwait' timeout metrics. - Handle correctly corosync membership parsing with 'qdevice' enabled. ----------------------------------------- Patch: SUSE-2020-2992 Released: Thu Oct 22 09:10:59 2020 Summary: Recommended update for prometheus-hanadb_exporter Severity: moderate References: Description: This update for prometheus-hanadb_exporter fixes the following issue: Release 0.7.2 - Lookup for `/usr/etc` and the fallback `/etc` directory for config files. ----------------------------------------- Patch: SUSE-2020-2994 Released: Thu Oct 22 09:11:50 2020 Summary: Recommended update for grafana-sap-netweaver-dashboards Severity: moderate References: 1177229 Description: This update for grafana-sap-netweaver-dashboards fixes the following issue: Release 1.0.3 - Add variable for prometheus datasource. (bsc#1177229) ----------------------------------------- Patch: SUSE-2020-2995 Released: Thu Oct 22 10:03:09 2020 Summary: Security update for freetype2 Severity: important References: 1177914,CVE-2020-15999 Description: This update for freetype2 fixes the following issues: - CVE-2020-15999: fixed a heap buffer overflow found in the handling of embedded PNG bitmaps (bsc#1177914). ----------------------------------------- Patch: SUSE-2020-3004 Released: Thu Oct 22 17:44:31 2020 Summary: Recommended update for python-shaptools, salt-shaptools, habootstrap-formula, saphanabootstrap-formula, sapnwbootstrap-formula Severity: moderate References: 1174994,1175709 Description: python-shaptools: - Fix how HANA database is started and stopped to work in multi host environment. sapcontrol commands are used instead of HDB now. (jsc#SLE-4047) - Fix issue when secondary registration fails after a successful 'SSFS' files copy process. (bsc#1175709) Now the registration return code will be checked in the new call. salt-shaptools: - Fix how HANA database is started and stopped to work in multi host environment. sapcontrol commands are used instead of HDB now. (jsc#SLE-4047) habootstrap-formula: - Update the prevalidation logic to check for valid sbd entries (jsc#SLE-4047) - Improve Formula with form description (jsc#SLE-4047) - Update the SUMA form.yml file and prevalidation state with latest changes in project - Include the pillar example file in package. (bsc#1174994) - Fix how HANA database is started and stopped to work in multi host environment. sapcontrol commands are used instead of HDB now. (jsc#SLE-4047) saphanabootstrap-formula: - Update the package version after SUMA form update and extraction logic update (jsc#SLE-4047) - Fix the hana media extraction and installation logics when using exe archives - Update the SUMA hana form metadata, to show hana form under SAP deployment group - Update SUMA form.yml file and prevalidation state with latest changes in formula - Change the default 'hana_extract_dir' hana media extraction location - Remove copy of config files for exporters since we use /usr/etc - Include the pillar example file in package. (bsc#1174994, jsc#SLE-4047) - Add hana active/active resources to the cluster template - Change `route_table` by `route_name` to make the variable usage more meaningful - Add support to extract zip,rar,exe,sar hana media - This change in non backward compatible. The variable hdbserver_extract_dir is replaced by hana_extract_dir - Fix provisioning of hanadb_exporter in SLE12, where python3-pip must be always installed. - Fix how HANA database is started and stopped to work in multi host environment. sapcontrol commands are used instead of HDB now. (jsc#SLE-4047) sapnwbootstrap-formula: - Create SUMA form based on latest pillar and formula data (jsc#SLE-4047) - Implement the differences between ENSA1 and ENSA2 versions - Add the keepalive configuration changes - Include the pillar example file in package. (bsc#1174994, jsc#SLE-4047) - Add support to extract nw media archives. This change is non backward compatible. - Remove default swpm installer extract directory and add nw_extract_dir variable to store all extracted NW media - Fix how HANA database is started and stopped to work in multi host environment. sapcontrol commands are used instead of HDB now. (jsc#SLE-4047) ----------------------------------------- Patch: SUSE-2020-3007 Released: Thu Oct 22 17:51:48 2020 Summary: Recommended update for lifecycle-data-sle-module-live-patching Severity: moderate References: 1020320 Description: This update for lifecycle-data-sle-module-live-patching fixes the following issues: - Added data for 4_12_14-150_58, 4_12_14-197_51, 4_12_14-197_56, 5_3_18-24_12, 5_3_18-24_15. (bsc#1020320) ----------------------------------------- Patch: SUSE-2020-3012 Released: Thu Oct 22 22:36:57 2020 Summary: Recommended update for sysstat Severity: moderate References: 1174227 Description: This update for sysstat fixes the following issues: - Fix for an issue when 'iowait' output of 'sar' can also decrement as a result of inaccurate tracking. (bsc#1174227) ----------------------------------------- Patch: SUSE-2020-3021 Released: Fri Oct 23 14:20:03 2020 Summary: Security update for MozillaFirefox Severity: important References: 1176756,1177872,CVE-2020-15683,CVE-2020-15969 Description: This update for MozillaFirefox fixes the following issues: - Firefox Extended Support Release 78.4.0 ESR * Fixed: Various stability, functionality, and security fixes MFSA 2020-46 (bsc#1177872, bsc#1176756) * CVE-2020-15969 Use-after-free in usersctp * CVE-2020-15683 Memory safety bugs fixed in Firefox 82 and Firefox ESR 78.4 * Fixed: Fixed legacy preferences not being properly applied when set via GPO ----------------------------------------- Patch: SUSE-2020-3025 Released: Fri Oct 23 15:33:09 2020 Summary: Recommended update for myspell-dictionaries Severity: moderate References: 1176716 Description: This update of myspell-dictionaries provides the following fix: - Ship the de_AT and de_CH dictionaries to the SLE Basesystem 15-SP2 module. (bsc#1176716) ----------------------------------------- Patch: SUSE-2020-3026 Released: Fri Oct 23 15:35:51 2020 Summary: Optional update for the Public Cloud Module Severity: moderate References: Description: This update adds the Google Cloud Storage packages to the Public Cloud module (jsc#ECO-2398). The following packages were included: - python3-grpcio - python3-protobuf - python3-google-api-core - python3-google-cloud-core - python3-google-cloud-storage - python3-google-resumable-media - python3-googleapis-common-protos - python3-grpcio-gcp - python3-mock (updated to version 3.0.5) ----------------------------------------- Patch: SUSE-2020-3041 Released: Tue Oct 27 09:25:30 2020 Summary: Recommended update for java-1_8_0-ibm Severity: moderate References: 1175295 Description: This update for java-1_8_0-ibm fixes the following issues: - Fix a Java ifix for z15 compression problem. (bsc#1175295) ----------------------------------------- Patch: SUSE-2020-3046 Released: Tue Oct 27 14:41:21 2020 Summary: Recommended update for shim-susesigned Severity: moderate References: 1177315 Description: This update for shim-susesigned fixes the following issues: - Fix a buffer use-after-free at the end of the EKU verification in shim-susesigned (bsc#1177315) ----------------------------------------- Patch: SUSE-2020-3058 Released: Wed Oct 28 06:11:14 2020 Summary: Recommended update for catatonit Severity: moderate References: 1176155 Description: This update for catatonit fixes the following issues: - Fixes an issue when catatonit hangs when process dies in very specific way. (bsc#1176155) ----------------------------------------- Patch: SUSE-2020-3059 Released: Wed Oct 28 06:11:23 2020 Summary: Recommended update for sysconfig Severity: moderate References: 1173391,1176285,1176325 Description: This update for sysconfig fixes the following issues: - Fix for 'netconfig' to run with a new library including fallback to the previous location. (bsc#1176285) - Fix for changing content of such files like '/etc/resolv.conf' to avoid linked applications re-read them and unnecessarily re-initializes themselves accordingly. (bsc#1176325) - Fix for 'chrony helper' calling in background. (bsc#1173391) - Fix for configuration file by creating a symlink for it to prevent false ownership on the file. (bsc#1159566) ----------------------------------------- Patch: SUSE-2020-3060 Released: Wed Oct 28 08:09:21 2020 Summary: Security update for binutils Severity: moderate References: 1126826,1126829,1126831,1140126,1142649,1143609,1153768,1153770,1157755,1160254,1160590,1163333,1163744,CVE-2019-12972,CVE-2019-14250,CVE-2019-14444,CVE-2019-17450,CVE-2019-17451,CVE-2019-9074,CVE-2019-9075,CVE-2019-9077 Description: This update for binutils fixes the following issues: binutils was updated to version 2.35. (jsc#ECO-2373) Update to binutils 2.35: * The assembler can now produce DWARF-5 format line number tables. * Readelf now has a 'lint' mode to enable extra checks of the files it is processing. * Readelf will now display '[...]' when it has to truncate a symbol name. The old behaviour - of displaying as many characters as possible, up to the 80 column limit - can be restored by the use of the --silent-truncation option. * The linker can now produce a dependency file listing the inputs that it has processed, much like the -M -MP option supported by the compiler. - fix DT_NEEDED order with -flto [bsc#1163744] Update to binutils 2.34: * The disassembler (objdump --disassemble) now has an option to generate ascii art thats show the arcs between that start and end points of control flow instructions. * The binutils tools now have support for debuginfod. Debuginfod is a HTTP service for distributing ELF/DWARF debugging information as well as source code. The tools can now connect to debuginfod servers in order to download debug information about the files that they are processing. * The assembler and linker now support the generation of ELF format files for the Z80 architecture. - Add new subpackages for libctf and libctf-nobfd. - Disable LTO due to bsc#1163333. - Includes fixes for these CVEs: bsc#1153768 aka CVE-2019-17451 aka PR25070 bsc#1153770 aka CVE-2019-17450 aka PR25078 - fix various build fails on aarch64 (PR25210, bsc#1157755). Update to binutils 2.33.1: * Adds support for the Arm Scalable Vector Extension version 2 (SVE2) instructions, the Arm Transactional Memory Extension (TME) instructions and the Armv8.1-M Mainline and M-profile Vector Extension (MVE) instructions. * Adds support for the Arm Cortex-A76AE, Cortex-A77 and Cortex-M35P processors and the AArch64 Cortex-A34, Cortex-A65, Cortex-A65AE, Cortex-A76AE, and Cortex-A77 processors. * Adds a .float16 directive for both Arm and AArch64 to allow encoding of 16-bit floating point literals. * For MIPS, Add -m[no-]fix-loongson3-llsc option to fix (or not) Loongson3 LLSC Errata. Add a --enable-mips-fix-loongson3-llsc=[yes|no] configure time option to set the default behavior. Set the default if the configure option is not used to 'no'. * The Cortex-A53 Erratum 843419 workaround now supports a choice of which workaround to use. The option --fix-cortex-a53-843419 now takes an optional argument --fix-cortex-a53-843419[=full|adr|adrp] which can be used to force a particular workaround to be used. See --help for AArch64 for more details. * Add support for GNU_PROPERTY_AARCH64_FEATURE_1_BTI and GNU_PROPERTY_AARCH64_FEATURE_1_PAC in ELF GNU program properties in the AArch64 ELF linker. * Add -z force-bti for AArch64 to enable GNU_PROPERTY_AARCH64_FEATURE_1_BTI on output while warning about missing GNU_PROPERTY_AARCH64_FEATURE_1_BTI on inputs and use PLTs protected with BTI. * Add -z pac-plt for AArch64 to pick PAC enabled PLTs. * Add --source-comment[=] option to objdump which if present, provides a prefix to source code lines displayed in a disassembly. * Add --set-section-alignment = option to objcopy to allow the changing of section alignments. * Add --verilog-data-width option to objcopy for verilog targets to control width of data elements in verilog hex format. * The separate debug info file options of readelf (--debug-dump=links and --debug-dump=follow) and objdump (--dwarf=links and --dwarf=follow-links) will now display and/or follow multiple links if more than one are present in a file. (This usually happens when gcc's -gsplit-dwarf option is used). In addition objdump's --dwarf=follow-links now also affects its other display options, so that for example, when combined with --syms it will cause the symbol tables in any linked debug info files to also be displayed. In addition when combined with --disassemble the --dwarf= follow-links option will ensure that any symbol tables in the linked files are read and used when disassembling code in the main file. * Add support for dumping types encoded in the Compact Type Format to objdump and readelf. - Includes fixes for these CVEs: bsc#1126826 aka CVE-2019-9077 aka PR1126826 bsc#1126829 aka CVE-2019-9075 aka PR1126829 bsc#1126831 aka CVE-2019-9074 aka PR24235 bsc#1140126 aka CVE-2019-12972 aka PR23405 bsc#1143609 aka CVE-2019-14444 aka PR24829 bsc#1142649 aka CVE-2019-14250 aka PR90924 * Add xBPF target * Fix various problems with DWARF 5 support in gas * fix nm -B for objects compiled with -flto and -fcommon. ----------------------------------------- Patch: SUSE-2020-3063 Released: Wed Oct 28 08:45:07 2020 Summary: Recommended update for rubygem-railties-5_1 Severity: moderate References: 1174315 Description: This update for rubygem-railties-5_1 fixes the following issue: - Fix rubygems dependencies for puma update and respect older version. (bnc#1174315) ----------------------------------------- Patch: SUSE-2020-3065 Released: Wed Oct 28 09:38:43 2020 Summary: Security update for sane-backends Severity: important References: 1172524,CVE-2020-12861,CVE-2020-12862,CVE-2020-12863,CVE-2020-12864,CVE-2020-12865,CVE-2020-12866,CVE-2020-12867 Description: This update for sane-backends fixes the following issues: sane-backends was updated to 1.0.31 to further improve hardware enablement for scanner devices (jsc#ECO-2418 jsc#SLE-15561 jsc#SLE-15560) and also fix various security issues: - CVE-2020-12861,CVE-2020-12865: Fixed an out of bounds write (bsc#1172524) - CVE-2020-12862,CVE-2020-12863,CVE-2020-12864,: Fixed an out of bounds read (bsc#1172524) - CVE-2020-12866,CVE-2020-12867: Fixed a null pointer dereference (bsc#1172524) The upstream changelogs can be found here: - https://gitlab.com/sane-project/backends/-/releases/1.0.28 - https://gitlab.com/sane-project/backends/-/releases/1.0.29 - https://gitlab.com/sane-project/backends/-/releases/1.0.30 - https://gitlab.com/sane-project/backends/-/releases/1.0.31 ----------------------------------------- Patch: SUSE-2020-3068 Released: Wed Oct 28 11:46:10 2020 Summary: Security update for tomcat Severity: moderate References: 1177582,CVE-2020-13943 Description: This update for tomcat fixes the following issues: - CVE-2020-13943: Fixed HTTP/2 Request mix-up (bsc#1177582) ----------------------------------------- Patch: SUSE-2020-3074 Released: Thu Oct 29 08:27:49 2020 Summary: Recommended update for certification-sles-eal4 Severity: moderate References: 1178169 Description: This update for certification-sles-eal4 fixes the following issues: * Fixed typo in the CC system role (bsc#1178169) ----------------------------------------- Patch: SUSE-2020-3091 Released: Thu Oct 29 16:35:37 2020 Summary: Security update for MozillaThunderbird and mozilla-nspr Severity: important References: 1174230,1176384,1176756,1176899,1177977,CVE-2020-15673,CVE-2020-15676,CVE-2020-15677,CVE-2020-15678,CVE-2020-15683,CVE-2020-15969 Description: This update for MozillaThunderbird and mozilla-nspr fixes the following issues: - Mozilla Thunderbird 78.4 * new: MailExtensions: browser.tabs.sendMessage API added * new: MailExtensions: messageDisplayScripts API added * changed: Yahoo and AOL mail users using password authentication will be migrated to OAuth2 * changed: MailExtensions: messageDisplay APIs extended to support multiple selected messages * changed: MailExtensions: compose.begin functions now support creating a message with attachments * fixed: Thunderbird could freeze when updating global search index * fixed: Multiple issues with handling of self-signed SSL certificates addressed * fixed: Recipient address fields in compose window could expand to fill all available space * fixed: Inserting emoji characters in message compose window caused unexpected behavior * fixed: Button to restore default folder icon color was not keyboard accessible * fixed: Various keyboard navigation fixes * fixed: Various color-related theme fixes * fixed: MailExtensions: Updating attachments with onBeforeSend.addListener() did not work MFSA 2020-47 (bsc#1177977) * CVE-2020-15969 Use-after-free in usersctp * CVE-2020-15683 Memory safety bugs fixed in Thunderbird 78.4 - Mozilla Thunderbird 78.3.3 * OpenPGP: Improved support for encrypting with subkeys * OpenPGP message status icons were not visible in message header pane * Creating a new calendar event did not require an event title - Mozilla Thunderbird 78.3.2 (bsc#1176899) * OpenPGP: Improved support for encrypting with subkeys * OpenPGP: Encrypted messages with international characters were sometimes displayed incorrectly * Single-click deletion of recipient pills with middle mouse button restored * Searching an address book list did not display results * Dark mode, high contrast, and Windows theming fixes - Mozilla Thunderbird 78.3.1 * fix crash in nsImapProtocol::CreateNewLineFromSocket - Mozilla Thunderbird 78.3.0 MFSA 2020-44 (bsc#1176756) * CVE-2020-15677 Download origin spoofing via redirect * CVE-2020-15676 XSS when pasting attacker-controlled data into a contenteditable element * CVE-2020-15678 When recursing through layers while scrolling, an iterator may have become invalid, resulting in a potential use-after- free scenario * CVE-2020-15673 Memory safety bugs fixed in Thunderbird 78.3 - update mozilla-nspr to version 4.25.1 * The macOS platform code for shared library loading was changed to support macOS 11. * Dependency needed for the MozillaThunderbird udpate ----------------------------------------- Patch: SUSE-2020-3099 Released: Thu Oct 29 19:33:41 2020 Summary: Recommended update for timezone Severity: moderate References: 1177460 Description: This update for timezone fixes the following issues: - timezone update 2020b (bsc#1177460) * Revised predictions for Morocco's changes starting in 2023. * Canada's Yukon changes to -07 on 2020-11-01, not 2020-03-08. * Macquarie Island has stayed in sync with Tasmania since 2011. * Casey, Antarctica is at +08 in winter and +11 in summer. * zic no longer supports -y, nor the TYPE field of Rules. ----------------------------------------- Patch: SUSE-2020-3101 Released: Thu Oct 29 19:35:22 2020 Summary: Recommended update for p7zip Severity: moderate References: 1177648 Description: This update for p7zip provides the following fix: - Add p7zip-full to SLE-Module-Basesystem 15-SP2 to fix building RPM packages that have 7z source files. (bsc#1177648) ----------------------------------------- Patch: SUSE-2020-3116 Released: Mon Nov 2 13:45:14 2020 Summary: Recommended update for dash Severity: moderate References: 1160260,1177691 Description: This update for dash fixes the following issues: - Update to version 0.5.11.2 (bsc#1177691) * Add -fcommon to %optflags (bsc#1160260) * Fix a pathname expansion bug in dash (bsc#1177691) ----------------------------------------- Patch: SUSE-2020-3123 Released: Tue Nov 3 09:48:13 2020 Summary: Recommended update for timezone Severity: important References: 1177460,1178346,1178350,1178353 Description: This update for timezone fixes the following issues: - Generate 'fat' timezone files (was default before 2020b). (bsc#1178346, bsc#1178350, bsc#1178353) - Palestine ends DST earlier than predicted, on 2020-10-24. (bsc#1177460) - Fiji starts DST later than usual, on 2020-12-20. (bsc#1177460) ----------------------------------------- Patch: SUSE-2020-3137 Released: Tue Nov 3 12:13:55 2020 Summary: Recommended update for bcache-tools Severity: moderate References: 1174075,1176244 Description: This update for bcache-tools fixes the following issues: - Remove dependency of 'smartcols' as bcache-tools code doesn't need it anymore. (jsc#SLE-9807) - Implement 'bcache-status'. (jsc#SLE-9807) - Remove the dependency on libsmartcols. (jsc#SLE-9807) - Fix for potential coredump issues. (jsc#SLE-9807) - Add more swap bitwise for different CPU endians. (jsc#SLE-9807) - Fixed an issue when an rpm macro '%{_libexecdir}' results braking packages. (bsc#1174075) - Fixed an issue when 'bcache' causing system crashing by using a legacy path. (bsc#1176244) ----------------------------------------- Patch: SUSE-2020-3148 Released: Wed Nov 4 11:04:22 2020 Summary: Recommended update for dbxtool Severity: moderate References: Description: This update for dbxtool fixes the following issues: dbxtool version 8 is included in SUSE Linux Enterprise. (jsc#ECO-2560 jsc#PM-2042 jsc#SLE-16062) This contains the dbxtool for handling and storing the UEFI DBX database, to deploy deny lists of UEFI binaries e.g. in regards to the BootHole security issue. ----------------------------------------- Patch: SUSE-2020-3152 Released: Wed Nov 4 11:07:07 2020 Summary: Security update for apache-commons-httpclient Severity: important References: 1178171,945190,CVE-2014-3577,CVE-2015-5262 Description: This update for apache-commons-httpclient fixes the following issues: - http/conn/ssl/SSLConnectionSocketFactory.java ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors. [bsc#945190, CVE-2015-5262] - org.apache.http.conn.ssl.AbstractVerifier does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows MITM attackers to spoof SSL servers via a 'CN=' string in a field in the distinguished name (DN) of a certificate. [bsc#1178171, CVE-2014-3577] ----------------------------------------- Patch: SUSE-2020-3157 Released: Wed Nov 4 15:37:05 2020 Summary: Recommended update for ca-certificates-mozilla Severity: moderate References: 1177864 Description: This update for ca-certificates-mozilla fixes the following issues: The SSL Root CA store was updated to the 2.44 state of the Mozilla NSS Certificate store (bsc#1177864) - Removed CAs: - EE Certification Centre Root CA - Taiwan GRCA - Added CAs: - Trustwave Global Certification Authority - Trustwave Global ECC P256 Certification Authority - Trustwave Global ECC P384 Certification Authority ----------------------------------------- Patch: SUSE-2020-3166 Released: Thu Nov 5 10:37:34 2020 Summary: Security update for wireshark Severity: moderate References: 1175204,1176908,1176909,1176910,CVE-2020-17498,CVE-2020-25862,CVE-2020-25863,CVE-2020-25866 Description: This update for wireshark fixes the following issues: - Update to wireshark 3.2.7: * CVE-2020-25863: MIME Multipart dissector crash (bsc#1176908) * CVE-2020-25862: TCP dissector crash (bsc#1176909) * CVE-2020-25866: BLIP dissector crash (bsc#1176910) * CVE-2020-17498: Kafka dissector crash (bsc#1175204) ----------------------------------------- Patch: SUSE-2020-3248 Released: Fri Nov 6 17:02:05 2020 Summary: Recommended update for SUSE Manager Client Tools Severity: moderate References: 1167907,1169664 Description: This update fixes the following issues: dracut-saltboot: - Support autosign grains in saltboot intrd grafana: - Update to version 7.1.5: * Features / Enhancements - Stats: Stop counting the same user multiple times. - Field overrides: Filter by field name using regex. - AzureMonitor: map more units. - Explore: Don't run queries on datasource change. - Graph: Support setting field unit & override data source (automatic) unit. - Explore: Unification of logs/metrics/traces user interface - Table: JSON Cell should try to convert strings to JSON - Variables: enables cancel for slow query variables queries. - TimeZone: unify the time zone pickers to one that can rule them all. - Search: support URL query params. - Grafana-UI: Add FileUpload. - TablePanel: Sort numbers correctly. * Bug fixes - Alerting: remove LongToWide call in alerting. - AzureMonitor: fix panic introduced in 7.1.4 when unit was unspecified and alias was used. - Variables: Fixes issue with All variable not being resolved. - Templating: Fixes so texts show in picker not the values. - Templating: Templating: Fix undefined result when using raw interpolation format - TextPanel: Fix content overflowing panel boundaries. - StatPanel: Fix stat panel display name not showing when explicitly set. - Query history: Fix search filtering if null value. - Flux: Ensure connections to InfluxDB are closed. - Dashboard: Fix for viewer can enter panel edit mode by modifying url (but cannot not save anything). - Prometheus: Fix prom links in mixed mode. - Sign In Use correct url for the Sign In button. - StatPanel: Fixes issue with name showing for single series / field results - BarGauge: Fix space bug in single series mode. - Auth: Fix POST request failures with anonymous access - Templating: Fix recursive loop of template variable queries when changing ad-hoc-variable - Templating: Fixed recursive queries triggered when switching dashboard settings view - GraphPanel: Fix annotations overflowing panels. - Prometheus: Fix performance issue in processing of histogram labels. - Datasources: Handle URL parsing error. - Security: Use Header.Set and Header.Del for X-Grafana-User header. * Changes in spec file - Fix golang version = 1.14 to avoid dependency conflicts on some OBS projects grafana-ha-cluster-dashboards: - Add the package to the SUSE Manager Client Tools 12 channels. grafana-sap-hana-dashboards: - Add the package to the SUSE Manager Client Tools 12 channels. grafana-sap-netweaver-dashboards: - Add the package to the SUSE Manager Client Tools 12 channels. grafana-sap-providers: - Add the package to the SUSE Manager Client Tools 12 channels. mgr-daemon: - Update translation strings spacecmd: - Python3 fixes for errata in spacecmd (bsc#1169664) - Added support for i18n of user-facing strings - Python3 fix for sorted usage (bsc#1167907) spacewalk-client-tools: - Remove RH references in Python/Ruby localization and use the product name instead ----------------------------------------- Patch: SUSE-2020-3261 Released: Tue Nov 10 09:45:30 2020 Summary: Security update for SDL Severity: moderate References: 1141844,CVE-2019-13616 Description: This update for SDL fixes the following issues: Security issue fixed: - CVE-2019-13616: Fixed heap-based buffer over-read in BlitNtoN in video/SDL_blit_N.c when called from SDL_SoftBlit (bsc#1141844). ----------------------------------------- Patch: SUSE-2020-3264 Released: Tue Nov 10 09:50:29 2020 Summary: Security update for zeromq Severity: moderate References: 1176116,1176256,1176257,1176258,1176259,CVE-2020-15166 Description: This update for zeromq fixes the following issues: - CVE-2020-15166: Fixed the possibility of unauthenticated clients causing a denial-of-service (bsc#1176116). - Fixed a heap overflow when receiving malformed ZMTP v1 packets (bsc#1176256) - Fixed a memory leak in client induced by malicious server(s) without CURVE/ZAP (bsc#1176257) - Fixed memory leak when processing PUB messages with metadata (bsc#1176259) - Fixed a stack overflow in PUB/XPUB subscription store (bsc#1176258) ----------------------------------------- Patch: SUSE-2020-3269 Released: Tue Nov 10 15:57:24 2020 Summary: Security update for python-waitress Severity: moderate References: 1160790,1161088,1161089,1161670,CVE-2019-16785,CVE-2019-16786,CVE-2019-16789,CVE-2019-16792 Description: This update for python-waitress to 1.4.3 fixes the following security issues: - CVE-2019-16785: HTTP request smuggling through LF vs CRLF handling (bsc#1161088). - CVE-2019-16786: HTTP request smuggling through invalid Transfer-Encoding (bsc#1161089). - CVE-2019-16789: HTTP request smuggling through invalid whitespace characters (bsc#1160790). - CVE-2019-16792: HTTP request smuggling by sending the Content-Length header twice (bsc#1161670). ----------------------------------------- Patch: SUSE-2020-3271 Released: Tue Nov 10 19:05:17 2020 Summary: Security update for ucode-intel Severity: moderate References: 1170446,1173594,CVE-2020-8695,CVE-2020-8698 Description: This update for ucode-intel fixes the following issues: - Intel CPU Microcode updated to 20201027 pre-release - CVE-2020-8695: Fixed Intel RAPL sidechannel attack (SGX) (bsc#1170446) - CVE-2020-8698: Fixed Fast Store Forward Predictor INTEL-SA-00381 (bsc#1173594) # New Platforms: | Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products |:---------------|:---------|:------------|:---------|:---------|:--------- | TGL | B1 | 06-8c-01/80 | | 00000068 | Core Gen11 Mobile | CPX-SP | A1 | 06-55-0b/bf | | 0700001e | Xeon Scalable Gen3 | CML-H | R1 | 06-a5-02/20 | | 000000e0 | Core Gen10 Mobile | CML-S62 | G1 | 06-a5-03/22 | | 000000e0 | Core Gen10 | CML-S102 | Q0 | 06-a5-05/22 | | 000000e0 | Core Gen10 | CML-U62 V2 | K0 | 06-a6-01/80 | | 000000e0 | Core Gen10 Mobile # Updated Platforms: | Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products |:---------------|:---------|:------------|:---------|:---------|:--------- | GKL-R | R0 | 06-7a-08/01 | 00000016 | 00000018 | Pentium J5040/N5030, Celeron J4125/J4025/N4020/N4120 | SKL-U/Y | D0 | 06-4e-03/c0 | 000000d6 | 000000e2 | Core Gen6 Mobile | SKL-U23e | K1 | 06-4e-03/c0 | 000000d6 | 000000e2 | Core Gen6 Mobile | APL | D0 | 06-5c-09/03 | 00000038 | 00000040 | Pentium N/J4xxx, Celeron N/J3xxx, Atom x5/7-E39xx | APL | E0 | 06-5c-0a/03 | 00000016 | 0000001e | Atom x5-E39xx | SKL-H/S | R0/N0 | 06-5e-03/36 | 000000d6 | 000000e2 | Core Gen6; Xeon E3 v5 | HSX-E/EP | Cx/M1 | 06-3f-02/6f | 00000043 | 00000044 | Core Gen4 X series; Xeon E5 v3 | SKX-SP | B1 | 06-55-03/97 | 01000157 | 01000159 | Xeon Scalable | SKX-SP | H0/M0/U0 | 06-55-04/b7 | 02006906 | 02006a08 | Xeon Scalable | SKX-D | M1 | 06-55-04/b7 | 02006906 | 02006a08 | Xeon D-21xx | CLX-SP | B0 | 06-55-06/bf | 04002f01 | 04003003 | Xeon Scalable Gen2 | CLX-SP | B1 | 06-55-07/bf | 05002f01 | 05003003 | Xeon Scalable Gen2 | ICL-U/Y | D1 | 06-7e-05/80 | 00000078 | 000000a0 | Core Gen10 Mobile | AML-Y22 | H0 | 06-8e-09/10 | 000000d6 | 000000de | Core Gen8 Mobile | KBL-U/Y | H0 | 06-8e-09/c0 | 000000d6 | 000000de | Core Gen7 Mobile | CFL-U43e | D0 | 06-8e-0a/c0 | 000000d6 | 000000e0 | Core Gen8 Mobile | WHL-U | W0 | 06-8e-0b/d0 | 000000d6 | 000000de | Core Gen8 Mobile | AML-Y42 | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen10 Mobile | CML-Y42 | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen10 Mobile | WHL-U | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen8 Mobile | KBL-G/H/S/E3 | B0 | 06-9e-09/2a | 000000d6 | 000000de | Core Gen7; Xeon E3 v6 | CFL-H/S/E3 | U0 | 06-9e-0a/22 | 000000d6 | 000000de | Core Gen8 Desktop, Mobile, Xeon E | CFL-S | B0 | 06-9e-0b/02 | 000000d6 | 000000de | Core Gen8 | CFL-H/S | P0 | 06-9e-0c/22 | 000000d6 | 000000de | Core Gen9 | CFL-H | R0 | 06-9e-0d/22 | 000000d6 | 000000de | Core Gen9 Mobile | CML-U62 | A0 | 06-a6-00/80 | 000000ca | 000000e0 | Core Gen10 Mobile ----------------------------------------- Patch: SUSE-2020-3308 Released: Thu Nov 12 14:20:07 2020 Summary: Recommended update for sysstat Severity: moderate References: 1177747 Description: This update for sysstat fixes the following issues: - Fix iostat switch '-y' to display the correct results. (bsc#1177747) ----------------------------------------- Patch: SUSE-2020-3312 Released: Thu Nov 12 16:05:57 2020 Summary: Security update for MozillaFirefox Severity: important References: 1178588,CVE-2020-26950 Description: This update for MozillaFirefox fixes the following issues: - Firefox Extended Support Release 78.4.1 ESR * Fixed: Security fix MFSA 2020-49 (bsc#1178588) * CVE-2020-26950 (bmo#1675905) Write side effects in MCallGetProperty opcode not accounted for ----------------------------------------- Patch: SUSE-2020-3317 Released: Fri Nov 13 08:53:23 2020 Summary: Recommended update for SAPHanaSR-ScaleOut Severity: moderate References: 1144729,1174610,1176330 Description: This update for SAPHanaSR-ScaleOut fixes the following issues: - adapt man page SAPHanaSR-showAttr(8) and the README. (bsc#1144729) - Fixed an issue when takeover in maintenance mode master node still has PROMOTED status. (bsc#1176330) - Score of secondary in takeover phase increased from 122 to 145 to avoid promotion of former primary masternameserver candidates. (bsc#1174610) - Fixed typos and improved descriptions in comments. - Change default timeouts and intervals to match the official recommendations. ----------------------------------------- Patch: SUSE-2020-3321 Released: Fri Nov 13 13:16:01 2020 Summary: Recommended update for rpmlint Severity: moderate References: 1176676,1177684 Description: This update for rpmlint fixes the following issues: - Backported systemd portable1 D-Bus whitelisting (bsc#1176676). - Backporsted pam_pwquality whitelisting for PackageHub (bsc#1177684). ----------------------------------------- Patch: SUSE-2020-3323 Released: Fri Nov 13 15:25:55 2020 Summary: Recommended update for cloud-init Severity: moderate References: 1174443,1174444,1177526 Description: This update for cloud-init contains the following fixes: + Avoid exception if no gateway information is present and warning is triggered for existing routing. (bsc#1177526) Update to version 20.2 (bsc#1174443, bsc#1174444) + doc/format: reference make-mime.py instead of an inline script (#334) + Add docs about creating parent folders (#330) [Adrian Wilkins] + DataSourceNoCloud/OVF: drop claim to support FTP (#333) (LP: #1875470) + schema: ignore spurious pylint error (#332) + schema: add json schema for write_files module (#152) + BSD: find_devs_with_ refactoring (#298) [Gonéri Le Bouder] + nocloud: drop work around for Linux 2.6 (#324) [Gonéri Le Bouder] + cloudinit: drop dependencies on unittest2 and contextlib2 (#322) + distros: handle a potential mirror filtering error case (#328) + log: remove unnecessary import fallback logic (#327) + .travis.yml: don't run integration test on ubuntu/* branches (#321) + More unit test documentation (#314) + conftest: introduce disable_subp_usage autouse fixture (#304) + YAML align indent sizes for docs readability (#323) [Tak Nishigori] + network_state: add missing space to log message (#325) + tests: add missing mocks for get_interfaces_by_mac (#326) (LP: #1873910) + test_mounts: expand happy path test for both happy paths (#319) + cc_mounts: fix incorrect format specifiers (#316) (LP: #1872836) + swap file 'size' being used before checked if str (#315) [Eduardo Otubo] + HACKING.rst: add pytest version gotchas section (#311) + docs: Add steps to re-run cloud-id and cloud-init (#313) [Joshua Powers] + readme: OpenBSD is now supported (#309) [Gonéri Le Bouder] + net: ignore 'renderer' key in netplan config (#306) (LP: #1870421) + Add support for NFS/EFS mounts (#300) [Andrew Beresford] (LP: #1870370) + openbsd: set_passwd should not unlock user (#289) [Gonéri Le Bouder] + tools/.github-cla-signers: add beezly as CLA signer (#301) + util: remove unnecessary lru_cache import fallback (#299) + HACKING.rst: reorganise/update CLA signature info (#297) + distros: drop leading/trailing hyphens from mirror URL labels (#296) + HACKING.rst: add note about variable annotations (#295) + CiTestCase: stop using and remove sys_exit helper (#283) + distros: replace invalid characters in mirror URLs with hyphens (#291) (LP: #1868232) + rbxcloud: gracefully handle arping errors (#262) [Adam Dobrawy] + Fix cloud-init ignoring some misdeclared mimetypes in user-data. [Kurt Garloff] + net: ubuntu focal prioritize netplan over eni even if both present (#267) (LP: #1867029) + cloudinit: refactor util.is_ipv4 to net.is_ipv4_address (#292) + net/cmdline: replace type comments with annotations (#294) + HACKING.rst: add Type Annotations design section (#293) + net: introduce is_ip_address function (#288) + CiTestCase: remove now-unneeded parse_and_read helper method (#286) + .travis.yml: allow 30 minutes of inactivity in cloud tests (#287) + sources/tests/test_init: drop use of deprecated inspect.getargspec (#285) + setup.py: drop NIH check_output implementation (#282) + Identify SAP Converged Cloud as OpenStack [Silvio Knizek] + add Openbsd support (#147) [Gonéri Le Bouder] + HACKING.rst: add examples of the two test class types (#278) + VMWware: support to update guest info gc status if enabled (#261) [xiaofengw-vmware] + Add lp-to-git mapping for kgarloff (#279) + set_passwords: avoid chpasswd on BSD (#268) [Gonéri Le Bouder] + HACKING.rst: add Unit Testing design section (#277) + util: read_cc_from_cmdline handle urlencoded yaml content (#275) + distros/tests/test_init: add tests for _get_package_mirror_info (#272) + HACKING.rst: add links to new Code Review Process doc (#276) + freebsd: ensure package update works (#273) [Gonéri Le Bouder] + doc: introduce Code Review Process documentation (#160) + tools: use python3 (#274) + cc_disk_setup: fix RuntimeError (#270) (LP: #1868327) + cc_apt_configure/util: combine search_for_mirror implementations (#271) + bsd: boottime does not depend on the libc soname (#269) [Gonéri Le Bouder] + test_oracle,DataSourceOracle: sort imports (#266) + DataSourceOracle: update .network_config docstring (#257) + cloudinit/tests: remove unneeded with_logs configuration (#263) + .travis.yml: drop stale comment (#255) + .gitignore: add more common directories (#258) + ec2: render network on all NICs and add secondary IPs as static (#114) (LP: #1866930) + ec2 json validation: fix the reference to the 'merged_cfg' key (#256) [Paride Legovini] + releases.yaml: quote the Ubuntu version numbers (#254) [Paride Legovini] + cloudinit: remove six from packaging/tooling (#253) + util/netbsd: drop six usage (#252) + workflows: introduce stale pull request workflow (#125) + cc_resolv_conf: introduce tests and stabilise output across Python versions (#251) + fix minor issue with resolv_conf template (#144) [andreaf74] + doc: CloudInit also support NetBSD (#250) [Gonéri Le Bouder] + Add Netbsd support (#62) [Gonéri Le Bouder] + tox.ini: avoid substition syntax that causes a traceback on xenial (#245) + Add pub_key_ed25519 to cc_phone_home (#237) [Daniel Hensby] + Introduce and use of a list of GitHub usernames that have signed CLA (#244) + workflows/cla.yml: use correct username for CLA check (#243) + tox.ini: use xenial version of jsonpatch in CI (#242) + workflows: CLA validation altered to fail status on pull_request (#164) + tox.ini: bump pyflakes version to 2.1.1 (#239) + cloudinit: move to pytest for running tests (#211) + instance-data: add cloud-init merged_cfg and sys_info keys to json (#214) (LP: #1865969) + ec2: Do not fallback to IMDSv1 on EC2 (#216) + instance-data: write redacted cfg to instance-data.json (#233) (LP: #1865947) + net: support network-config:disabled on the kernel commandline (#232) (LP: #1862702) + ec2: only redact token request headers in logs, avoid altering request (#230) (LP: #1865882) + docs: typo fixed: dta → data [Alexey Vazhnov] + Fixes typo on Amazon Web Services (#217) [Nick Wales] + Fix docs for OpenStack DMI Asset Tag (#228) [Mark T. Voelker] (LP: #1669875) + Add physical network type: cascading to openstack helpers (#200) [sab-systems] + tests: add focal integration tests for ubuntu (#225) - From 20.1 (first vesrion after 19.4) + ec2: Do not log IMDSv2 token values, instead use REDACTED (#219) (LP: #1863943) + utils: use SystemRandom when generating random password. (#204) [Dimitri John Ledkov] + docs: mount_default_files is a list of 6 items, not 7 (#212) + azurecloud: fix issues with instances not starting (#205) (LP: #1861921) + unittest: fix stderr leak in cc_set_password random unittest output. (#208) + cc_disk_setup: add swap filesystem force flag (#207) + import sysvinit patches from freebsd-ports tree (#161) [Igor Galić] + docs: fix typo (#195) [Edwin Kofler] + sysconfig: distro-specific config rendering for BOOTPROTO option (#162) [Robert Schweikert] (LP: #1800854) + cloudinit: replace 'from six import X' imports (except in util.py) (#183) + run-container: use 'test -n' instead of 'test ! -z' (#202) [Paride Legovini] + net/cmdline: correctly handle static ip= config (#201) [Dimitri John Ledkov] (LP: #1861412) + Replace mock library with unittest.mock (#186) + HACKING.rst: update CLA link (#199) + Scaleway: Fix DatasourceScaleway to avoid backtrace (#128) [Louis Bouchard] + cloudinit/cmd/devel/net_convert.py: add missing space (#191) + tools/run-container: drop support for python2 (#192) [Paride Legovini] + Print ssh key fingerprints using sha256 hash (#188) (LP: #1860789) + Make the RPM build use Python 3 (#190) [Paride Legovini] + cc_set_password: increase random pwlength from 9 to 20 (#189) (LP: #1860795) + .travis.yml: use correct Python version for xenial tests (#185) + cloudinit: remove ImportError handling for mock imports (#182) + Do not use fallocate in swap file creation on xfs. (#70) [Eduardo Otubo] (LP: #1781781) + .readthedocs.yaml: install cloud-init when building docs (#181) (LP: #1860450) + Introduce an RTD config file, and pin the Sphinx version to the RTD default (#180) + Drop most of the remaining use of six (#179) + Start removing dependency on six (#178) + Add Rootbox & HyperOne to list of cloud in README (#176) [Adam Dobrawy] + docs: add proposed SRU testing procedure (#167) + util: rename get_architecture to get_dpkg_architecture (#173) + Ensure util.get_architecture() runs only once (#172) + Only use gpart if it is the BSD gpart (#131) [Conrad Hoffmann] + freebsd: remove superflu exception mapping (#166) [Gonéri Le Bouder] + ssh_auth_key_fingerprints_disable test: fix capitalization (#165) [Paride Legovini] + util: move uptime's else branch into its own boottime function (#53) [Igor Galić] (LP: #1853160) + workflows: add contributor license agreement checker (#155) + net: fix rendering of 'static6' in network config (#77) (LP: #1850988) + Make tests work with Python 3.8 (#139) [Conrad Hoffmann] + fixed minor bug with mkswap in cc_disk_setup.py (#143) [andreaf74] + freebsd: fix create_group() cmd (#146) [Gonéri Le Bouder] + doc: make apt_update example consistent (#154) + doc: add modules page toc with links (#153) (LP: #1852456) + Add support for the amazon variant in cloud.cfg.tmpl (#119) [Frederick Lefebvre] + ci: remove Python 2.7 from CI runs (#137) + modules: drop cc_snap_config config module (#134) + migrate-lp-user-to-github: ensure Launchpad repo exists (#136) + docs: add initial troubleshooting to FAQ (#104) [Joshua Powers] + doc: update cc_set_hostname frequency and descrip (#109) [Joshua Powers] (LP: #1827021) + freebsd: introduce the freebsd renderer (#61) [Gonéri Le Bouder] + cc_snappy: remove deprecated module (#127) + HACKING.rst: clarify that everyone needs to do the LP->GH dance (#130) + freebsd: cloudinit service requires devd (#132) [Gonéri Le Bouder] + cloud-init: fix capitalisation of SSH (#126) + doc: update cc_ssh clarify host and auth keys [Joshua Powers] (LP: #1827021) + ci: emit names of tests run in Travis (#120) ----------------------------------------- Patch: SUSE-2020-3327 Released: Sat Nov 14 07:22:33 2020 Summary: Recommended update for sap-suse-cluster-connector Severity: moderate References: 1136933,1166647,1177507 Description: This update for sap-suse-cluster-connector fixes the following issues: - Add new cluster action names according to the documentation that leads out the old action names. (bsc#1166647) - Support the output format of different versions of the command '/usr/sbin/crm_simulate'. (bsc#1177507) - Remove unused and outdated /etc/sap_suse_cluster_connector file. (bsc#1136933) ----------------------------------------- Patch: SUSE-2020-3338 Released: Mon Nov 16 13:11:28 2020 Summary: Recommended update for prometheus-hanadb_exporter Severity: moderate References: 1178339 Description: This update for prometheus-hanadb_exporter fixes the following issues: - Fix using systemd macros in spec file. (bsc#1178339) ----------------------------------------- Patch: SUSE-2020-3352 Released: Tue Nov 17 09:31:48 2020 Summary: Security update for raptor Severity: important References: 1178593,CVE-2017-18926 Description: This update for raptor fixes the following issues: - Fixed a heap overflow vulnerability (bsc#1178593, CVE-2017-18926). ----------------------------------------- Patch: SUSE-2020-3359 Released: Tue Nov 17 13:18:30 2020 Summary: Security update for java-11-openjdk Severity: moderate References: 1177943,CVE-2020-14779,CVE-2020-14781,CVE-2020-14782,CVE-2020-14792,CVE-2020-14796,CVE-2020-14797,CVE-2020-14798,CVE-2020-14803 Description: This update for java-11-openjdk fixes the following issues: - Update to upstream tag jdk-11.0.9-11 (October 2020 CPU, bsc#1177943) * New features + JDK-8250784: Shenandoah: A Low-Pause-Time Garbage Collector * Security fixes + JDK-8233624: Enhance JNI linkage + JDK-8236196: Improve string pooling + JDK-8236862, CVE-2020-14779: Enhance support of Proxy class + JDK-8237990, CVE-2020-14781: Enhanced LDAP contexts + JDK-8237995, CVE-2020-14782: Enhance certificate processing + JDK-8240124: Better VM Interning + JDK-8241114, CVE-2020-14792: Better range handling + JDK-8242680, CVE-2020-14796: Improved URI Support + JDK-8242685, CVE-2020-14797: Better Path Validation + JDK-8242695, CVE-2020-14798: Enhanced buffer support + JDK-8243302: Advanced class supports + JDK-8244136, CVE-2020-14803: Improved Buffer supports + JDK-8244479: Further constrain certificates + JDK-8244955: Additional Fix for JDK-8240124 + JDK-8245407: Enhance zoning of times + JDK-8245412: Better class definitions + JDK-8245417: Improve certificate chain handling + JDK-8248574: Improve jpeg processing + JDK-8249927: Specify limits of jdk.serialProxyInterfaceLimit + JDK-8253019: Enhanced JPEG decoding * Other changes + JDK-6532025: GIF reader throws misleading exception with truncated images + JDK-6949753: [TEST BUG]: java/awt/print/PageFormat/ /PDialogTest.java needs update by removing an infinite loop + JDK-8022535: [TEST BUG] javax/swing/text/html/parser/ /Test8017492.java fails + JDK-8062947: Fix exception message to correctly represent LDAP connection failure + JDK-8067354: com/sun/jdi/GetLocalVariables4Test.sh failed + JDK-8134599: TEST_BUG: java/rmi/transport/closeServerSocket/ /CloseServerSocket.java fails intermittently with Address already in use + JDK-8151678: com/sun/jndi/ldap/LdapTimeoutTest.java failed due to timeout on DeadServerNoTimeoutTest is incorrect + JDK-8160768: Add capability to custom resolve host/domain names within the default JNDI LDAP provider + JDK-8172404: Tools should warn if weak algorithms are used before restricting them + JDK-8193367: Annotated type variable bounds crash javac + JDK-8202117: com/sun/jndi/ldap/RemoveNamingListenerTest.java fails intermittently: Connection reset + JDK-8203026: java.rmi.NoSuchObjectException: no such object in table + JDK-8203281: [Windows] JComboBox change in ui when editor.setBorder() is called + JDK-8203382: Rename SystemDictionary::initialize_wk_klass to resolve_wk_klass + JDK-8203393: com/sun/jdi/JdbMethodExitTest.sh and JdbExprTest.sh fail due to timeout + JDK-8203928: [Test] Convert non-JDB scaffolding serviceability shell script tests to java + JDK-8204963: javax.swing.border.TitledBorder has a memory leak + JDK-8204994: SA might fail to attach to process with 'Windbg Error: WaitForEvent failed' + JDK-8205534: Remove SymbolTable dependency from serviceability agent + JDK-8206309: Tier1 SA tests fail + JDK-8208281: java/nio/channels/ /AsynchronousSocketChannel/Basic.java timed out + JDK-8209109: [TEST] rewrite com/sun/jdi shell tests to java version - step1 + JDK-8209332: [TEST] test/jdk/com/sun/jdi/CatchPatternTest.sh is incorrect + JDK-8209342: Problemlist SA tests on Solaris due to Error attaching to process: Can't create thread_db agent! + JDK-8209343: Test javax/swing/border/TestTitledBorderLeak.java should be marked as headful + JDK-8209517: com/sun/jdi/BreakpointWithFullGC.java fails with timeout + JDK-8209604: [TEST] rewrite com/sun/jdi shell tests to java version - step2 + JDK-8209605: com/sun/jdi/BreakpointWithFullGC.java fails with ZGC + JDK-8209608: Problem list com/sun/jdi/BreakpointWithFullGC.java + JDK-8210131: vmTestbase/nsk/jvmti/scenarios/allocation/AP10/ /ap10t001/TestDescription.java failed with ObjectFree: GetCurrentThreadCpuTimerInfo returned unexpected error code + JDK-8210243: [TEST] rewrite com/sun/jdi shell tests to java version - step3 + JDK-8210527: JShell: NullPointerException in jdk.jshell.Eval.translateExceptionStack + JDK-8210560: [TEST] convert com/sun/jdi redefineClass-related tests + JDK-8210725: com/sun/jdi/RedefineClearBreakpoint.java fails with waitForPrompt timed out after 60 seconds + JDK-8210748: [TESTBUG] lib.jdb.Jdb.waitForPrompt() should clarify which output is the pending reply after a timeout + JDK-8210760: [TEST] rewrite com/sun/jdi shell tests to java version - step4 + JDK-8210977: jdk/jfr/event/oldobject/TestThreadLocalLeak.java fails to find ThreadLocalObject + JDK-8211292: [TEST] convert com/sun/jdi/DeferredStepTest.sh test + JDK-8211694: JShell: Redeclared variable should be reset + JDK-8212200: assert when shared java.lang.Object is redefined by JVMTI agent + JDK-8212629: [TEST] wrong breakpoint in test/jdk/com/sun/jdi/DeferredStepTest + JDK-8212665: com/sun/jdi/DeferredStepTest.java: jj1 (line 57) - unexpected. lastLine=52, minLine=52, maxLine=55 + JDK-8212807: tools/jar/multiRelease/Basic.java times out + JDK-8213182: Minimal VM build failure after JDK-8212200 (assert when shared java.lang.Object is redefined by JVMTI agent) + JDK-8213214: Set -Djava.io.tmpdir= when running tests + JDK-8213275: ReplaceCriticalClasses.java fails with jdk.internal.vm.PostVMInitHook not found + JDK-8213574: Deadlock in string table expansion when dumping lots of CDS classes + JDK-8213703: LambdaConversionException: Invalid receiver type not a subtype of implementation type interface + JDK-8214074: Ghash optimization using AVX instructions + JDK-8214491: Upgrade to JLine 3.9.0 + JDK-8214797: TestJmapCoreMetaspace.java timed out + JDK-8215243: JShell tests failing intermitently with 'Problem cleaning up the following threads:' + JDK-8215244: jdk/jshell/ToolBasicTest.java testHistoryReference failed + JDK-8215354: x86_32 build failures after JDK-8214074 (Ghash optimization using AVX instructions) + JDK-8215438: jshell tool: Ctrl-D causes EOF + JDK-8216021: RunTest.gmk might set concurrency level to 1 on Windows + JDK-8216974: HttpConnection not returned to the pool after 204 response + JDK-8218948: SimpleDateFormat :: format - Zone Names are not reflected correctly during run time + JDK-8219712: code_size2 (defined in stub_routines_x86.hpp) is too small on new Skylake CPUs + JDK-8220150: macos10.14 Mojave returns anti-aliased glyphs instead of aliased B&W glyphs + JDK-8221658: aarch64: add necessary predicate for ubfx patterns + JDK-8221759: Crash when completing 'java.io.File.path' + JDK-8221918: runtime/SharedArchiveFile/serviceability/ /ReplaceCriticalClasses.java fails: Shared archive not found + JDK-8222074: Enhance auto vectorization for x86 + JDK-8222079: Don't use memset to initialize fields decode_env constructor in disassembler.cpp + JDK-8222769: [TESTBUG] TestJFRNetworkEvents should not rely on hostname command + JDK-8223688: JShell: crash on the instantiation of raw anonymous class + JDK-8223777: In posix_spawn mode, failing to exec() jspawnhelper does not result in an error + JDK-8223940: Private key not supported by chosen signature algorithm + JDK-8224184: jshell got IOException at exiting with AIX + JDK-8224234: compiler/codegen/TestCharVect2.java fails in test_mulc + JDK-8225037: java.net.JarURLConnection::getJarEntry() throws NullPointerException + JDK-8225625: AES Electronic Codebook (ECB) encryption and decryption optimization using AVX512 + VAES instructions + JDK-8226536: Catch OOM from deopt that fails rematerializing objects + JDK-8226575: OperatingSystemMXBean should be made container aware + JDK-8226697: Several tests which need the @key headful keyword are missing it. + JDK-8226809: Circular reference in printed stack trace is not correctly indented & ambiguous + JDK-8227059: sun/security/tools/keytool/ /DefaultSignatureAlgorithm.java timed out + JDK-8227269: Slow class loading when running with JDWP + JDK-8227595: keytool/fakegen/DefaultSignatureAlgorithm.java fails due to 'exitValue = 6' + JDK-8228448: Jconsole can't connect to itself + JDK-8228967: Trust/Key store and SSL context utilities for tests + JDK-8229378: jdwp library loader in linker_md.c quietly truncates on buffer overflow + JDK-8229815: Upgrade Jline to 3.12.1 + JDK-8230000: some httpclients testng tests run zero test + JDK-8230002: javax/xml/jaxp/unittest/transform/ /SecureProcessingTest.java runs zero test + JDK-8230010: Remove jdk8037819/BasicTest1.java + JDK-8230094: CCE in createXMLEventWriter(Result) over an arbitrary XMLStreamWriter + JDK-8230402: Allocation of compile task fails with assert: 'Leaking compilation tasks?' + JDK-8230767: FlightRecorderListener returns null recording + JDK-8230870: (zipfs) Add a ZIP FS test that is similar to test/jdk/java/util/zip/EntryCount64k.java + JDK-8231209: [REDO] ThreadMXBean::getThreadAllocatedBytes() can be quicker for self thread + JDK-8231586: enlarge encoding space for OopMapValue offsets + JDK-8231953: Wrong assumption in assertion in oop::register_oop + JDK-8231968: getCurrentThreadAllocatedBytes default implementation s/b getThreadAllocatedBytes + JDK-8232083: Minimal VM is broken after JDK-8231586 + JDK-8232161: Align some one-way conversion in MS950 charset with Windows + JDK-8232855: jshell missing word in /help help + JDK-8233027: OopMapSet::all_do does oms.next() twice during iteration + JDK-8233228: Disable weak named curves by default in TLS, CertPath, and Signed JAR + JDK-8233386: Initialize NULL fields for unused decorations + JDK-8233452: java.math.BigDecimal.sqrt() with RoundingMode.FLOOR results in incorrect result + JDK-8233686: XML transformer uses excessive amount of memory + JDK-8233741: AES Countermode (AES-CTR) optimization using AVX512 + VAES instructions + JDK-8233829: javac cannot find non-ASCII module name under non-UTF8 environment + JDK-8233958: Memory retention due to HttpsURLConnection finalizer that serves no purpose + JDK-8234011: (zipfs) Memory leak in ZipFileSystem.releaseDeflater() + JDK-8234058: runtime/CompressedOops/ /CompressedClassPointers.java fails with 'Narrow klass base: 0x0000000000000000' missing from stdout/stderr + JDK-8234149: Several regression tests do not dispose Frame at end + JDK-8234347: 'Turkey' meta time zone does not generate composed localized names + JDK-8234385: [TESTBUG] java/awt/EventQueue/6980209/ /bug6980209.java fails in linux nightly + JDK-8234535: Cross compilation fails due to missing CFLAGS for the BUILD_CC + JDK-8234541: C1 emits an empty message when it inlines successfully + JDK-8234687: change javap reporting on unknown attributes + JDK-8236464: SO_LINGER option is ignored by SSLSocket in JDK 11 + JDK-8236548: Localized time zone name inconsistency between English and other locales + JDK-8236617: jtreg test containers/docker/ /TestMemoryAwareness.java fails after 8226575 + JDK-8237182: Update copyright header for shenandoah and epsilon files + JDK-8237888: security/infra/java/security/cert/ /CertPathValidator/certification/LuxTrustCA.java fails when checking validity interval + JDK-8237977: Further update javax/net/ssl/compatibility/Compatibility.java + JDK-8238270: java.net HTTP/2 client does not decrease stream count when receives 204 response + JDK-8238284: [macos] Zero VM build fails due to an obvious typo + JDK-8238380: java.base/unix/native/libjava/childproc.c 'multiple definition' link errors with GCC10 + JDK-8238386: (sctp) jdk.sctp/unix/native/libsctp/SctpNet.c 'multiple definition' link errors with GCC10 + JDK-8238388: libj2gss/NativeFunc.o 'multiple definition' link errors with GCC10 + JDK-8238448: RSASSA-PSS signature verification fail when using certain odd key sizes + JDK-8238710: LingeredApp doesn't log stdout/stderr if exits with non-zero code + JDK-8239083: C1 assert(known_holder == NULL || (known_holder->is_instance_klass() && (!known_holder->is_interface() || ((ciInstanceKlass*)known_holder)->has_nonstatic_concrete_methods())), 'should be non-static concrete method'); + JDK-8239385: KerberosTicket client name refers wrongly to sAMAccountName in AD + JDK-8240169: javadoc fails to link to non-modular api docs + JDK-8240295: hs_err elapsed time in seconds is not accurate enough + JDK-8240360: NativeLibraryEvent has wrong library name on Linux + JDK-8240676: Meet not symmetric failure when running lucene on jdk8 + JDK-8241007: Shenandoah: remove ShenandoahCriticalControlThreadPriority support + JDK-8241065: Shenandoah: remove leftover code after JDK-8231086 + JDK-8241086: Test runtime/NMT/HugeArenaTracking.java is failing on 32bit Windows + JDK-8241130: com.sun.jndi.ldap.EventSupport.removeDeadNotifier: java.lang.NullPointerException + JDK-8241138: http.nonProxyHosts=* causes StringIndexOutOfBoundsException in DefaultProxySelector + JDK-8241319: WB_GetCodeBlob doesn't have ResourceMark + JDK-8241478: vmTestbase/gc/gctests/Steal/steal001/steal001.java fails with OOME + JDK-8241574: Shenandoah: remove ShenandoahAssertToSpaceClosure + JDK-8241750: x86_32 build failure after JDK-8227269 + JDK-8242184: CRL generation error with RSASSA-PSS + JDK-8242283: Can't start JVM when java home path includes non-ASCII character + JDK-8242556: Cannot load RSASSA-PSS public key with non-null params from byte array + JDK-8243029: Rewrite javax/net/ssl/compatibility/ /Compatibility.java with a flexible interop test framework + JDK-8243138: Enhance BaseLdapServer to support starttls extended request + JDK-8243320: Add SSL root certificates to Oracle Root CA program + JDK-8243321: Add Entrust root CA - G4 to Oracle Root CA program + JDK-8243389: enhance os::pd_print_cpu_info on linux + JDK-8243453: java --describe-module failed with non-ASCII module name under non-UTF8 environment + JDK-8243470: [macos] bring back O2 opt level for unsafe.cpp + JDK-8243489: Thread CPU Load event may contain wrong data for CPU time under certain conditions + JDK-8243925: Toolkit#getScreenInsets() returns wrong value on HiDPI screens (Windows) + JDK-8244087: 2020-04-24 public suffix list update + JDK-8244151: Update MUSCLE PC/SC-Lite headers to the latest release 1.8.26 + JDK-8244164: AArch64: jaotc generates incorrect code for compressed OOPs with non-zero heap base + JDK-8244196: adjust output in os_linux + JDK-8244225: stringop-overflow warning on strncpy call from compile_the_world_in + JDK-8244287: JFR: Methods samples have line number 0 + JDK-8244703: 'platform encoding not initialized' exceptions with debugger, JNI + JDK-8244719: CTW: C2 compilation fails with 'assert(!VerifyHashTableKeys || _hash_lock == 0) failed: remove node from hash table before modifying it' + JDK-8244729: Shenandoah: remove resolve paths from SBSA::generate_shenandoah_lrb + JDK-8244763: Update --release 8 symbol information after JSR 337 MR3 + JDK-8244818: Java2D Queue Flusher crash while moving application window to external monitor + JDK-8245151: jarsigner should not raise duplicate warnings on verification + JDK-8245616: Bump update version for OpenJDK: jdk-11.0.9 + JDK-8245714: 'Bad graph detected in build_loop_late' when loads are pinned on loop limit check uncommon branch + JDK-8245801: StressRecompilation triggers assert 'redundunt OSR recompilation detected. memory leak in CodeCache!' + JDK-8245832: JDK build make-static-libs should build all JDK libraries + JDK-8245880: Shenandoah: check class unloading flag early in concurrent code root scan + JDK-8245981: Upgrade to jQuery 3.5.1 + JDK-8246027: Minimal fastdebug build broken after JDK-8245801 + JDK-8246094: [macos] Sound Recording and playback is not working + JDK-8246153: TestEliminateArrayCopy fails with -XX:+StressReflectiveCode + JDK-8246193: Possible NPE in ENC-PA-REP search in AS-REQ + JDK-8246196: javax/management/MBeanServer/OldMBeanServerTest fails with AssertionError + JDK-8246203: Segmentation fault in verification due to stack overflow with -XX:+VerifyIterativeGVN + JDK-8246330: Add TLS Tests for Legacy ECDSA curves + JDK-8246453: TestClone crashes with 'all collected exceptions must come from the same place' + JDK-8247246: Add explicit ResolvedJavaType.link and expose presence of default methods + JDK-8247350: [aarch64] assert(false) failed: wrong size of mach node + JDK-8247502: PhaseStringOpts crashes while optimising effectively dead code + JDK-8247615: Initialize the bytes left for the heap sampler + JDK-8247824: CTW: C2 (Shenandoah) compilation fails with SEGV in SBC2Support::pin_and_expand + JDK-8247874: Replacement in VersionProps.java.template not working when --with-vendor-bug-url contains '&' + JDK-8247979: aarch64: missing side effect of killing flags for clearArray_reg_reg + JDK-8248214: Add paddings for TaskQueueSuper to reduce false-sharing cache contention + JDK-8248219: aarch64: missing memory barrier in fast_storefield and fast_accessfield + JDK-8248348: Regression caused by the update to BCEL 6.0 + JDK-8248385: [testbug][11u] Adapt TestInitiExceptions to jtreg 5.1 + JDK-8248495: [macos] zerovm is broken due to libffi headers location + JDK-8248851: CMS: Missing memory fences between free chunk check and klass read + JDK-8248987: AOT's Linker.java seems to eagerly fail-fast on Windows + JDK-8249159: Downport test rework for SSLSocketTemplate from 8224650 + JDK-8249215: JFrame::setVisible crashed with -Dfile.encoding=UTF-8 on Japanese Windows. + JDK-8249251: [dark_mode ubuntu 20.04] The selected menu is not highlighted in GTKLookAndFeel + JDK-8249255: Build fails if source code in cygwin home dir + JDK-8249277: TestVerifyIterativeGVN.java is failing with timeout in OpenJDK 11 + JDK-8249278: Revert JDK-8226253 which breaks the spec of AccessibleState.SHOWING for JList + JDK-8249560: Shenandoah: Fix racy GC request handling + JDK-8249801: Shenandoah: Clear soft-refs on requested GC cycle + JDK-8249953: Shenandoah: gc/shenandoah/mxbeans tests should account for corner cases + JDK-8250582: Revert Principal Name type to NT-UNKNOWN when requesting TGS Kerberos tickets + JDK-8250609: C2 crash in IfNode::fold_compares + JDK-8250627: Use -XX:+/-UseContainerSupport for enabling/disabling Java container metrics + JDK-8250755: Better cleanup for jdk/test/javax/imageio/plugins/shared/CanWriteSequence.java + JDK-8250787: Provider.put no longer registering aliases in FIPS env + JDK-8250826: jhsdb does not work with coredump which comes from Substrate VM + JDK-8250827: Shenandoah: needs to reset/finish StringTable's dead count before/after parallel walk + JDK-8250844: Make sure {type,obj}ArrayOopDesc accessors check the bounds + JDK-8251117: Cannot check P11Key size in P11Cipher and P11AEADCipher + JDK-8251354: Shenandoah: Fix jdk/jfr/tool/TestPrintJSON.java test failure + JDK-8251451: Shenandoah: Remark ObjectSynchronizer roots with I-U + JDK-8251469: Better cleanup for test/jdk/javax/imageio/SetOutput.java + JDK-8251487: Shenandoah: missing detail timing tracking for final mark cleaning phase + JDK-8252120: compiler/oracle/TestCompileCommand.java misspells 'occured' + JDK-8252157: JDK-8231209 11u backport breaks jmm binary compatibility + JDK-8252258: [11u] JDK-8242154 changes the default vendor + JDK-8252804: [test] Fix 'ReleaseDeflater.java' test after downport of 8234011 + JDK-8253134: JMM_VERSION should remain at 0x20020000 (JDK 10) in JDK 11 + JDK-8253283: [11u] Test build/translations/ /VerifyTranslations.java failing after JDK-8252258 + JDK-8253813: Backout JDK-8244287 from 11u: it causes several crashes + Fix regression '8250861: Crash in MinINode::Ideal(PhaseGVN*, bool)' introduced in jdk 11.0.9 ----------------------------------------- Patch: SUSE-2020-3373 Released: Thu Nov 19 09:27:44 2020 Summary: Security update for ucode-intel Severity: moderate References: 1170446,1173592,1173594,CVE-2020-8695,CVE-2020-8696,CVE-2020-8698 Description: This update for ucode-intel fixes the following issues: - Updated Intel CPU Microcode to 20201110 official release. - CVE-2020-8695: Fixed Intel RAPL sidechannel attack (SGX) (bsc#1170446) - CVE-2020-8698: Fixed Fast Store Forward Predictor INTEL-SA-00381 (bsc#1173594) - CVE-2020-8696: Vector Register Sampling Active INTEL-SA-00381 (bsc#1173592) - Release notes: - Security updates for [INTEL-SA-00381](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00381.html). - Security updates for [INTEL-SA-00389](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00389.html). - Update for functional issues. Refer to [Second Generation Intel® Xeon® Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/338848) for details. - Update for functional issues. Refer to [Intel® Xeon® Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/613537) for details. - Update for functional issues. Refer to [Intel® Xeon® Processor E5 v3 Product Family Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e5-v3-spec-update.html?wapkw=processor+spec+update+e5) for details. - Update for functional issues. Refer to [10th Gen Intel® Core™ Processor Families Specification Update](https://www.intel.com/content/www/us/en/products/docs/processors/core/10th-gen-core-families-specification-update.html) for details. - Update for functional issues. Refer to [8th and 9th Gen Intel® Core™ Processor Family Spec Update](https://www.intel.com/content/www/us/en/products/docs/processors/core/8th-gen-core-spec-update.html) for details. - Update for functional issues. Refer to [7th Gen and 8th Gen (U Quad-Core) Intel® Processor Families Specification Update](https://www.intel.com/content/www/us/en/processors/core/7th-gen-core-family-spec-update.html) for details. - Update for functional issues. Refer to [6th Gen Intel® Processor Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/332689) for details. - Update for functional issues. Refer to [Intel® Xeon® E3-1200 v6 Processor Family Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e3-1200v6-spec-update.html) for details. - Update for functional issues. Refer to [Intel® Xeon® E-2100 and E-2200 Processor Family Specification Update](https://www.intel.com/content/www/us/en/products/docs/processors/xeon/xeon-e-2100-specification-update.html) for details. ### New Platforms | Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products |:---------------|:---------|:------------|:---------|:---------|:--------- | CPX-SP | A1 | 06-55-0b/bf | | 0700001e | Xeon Scalable Gen3 | LKF | B2/B3 | 06-8a-01/10 | | 00000028 | Core w/Hybrid Technology | TGL | B1 | 06-8c-01/80 | | 00000068 | Core Gen11 Mobile | CML-H | R1 | 06-a5-02/20 | | 000000e0 | Core Gen10 Mobile | CML-S62 | G1 | 06-a5-03/22 | | 000000e0 | Core Gen10 | CML-S102 | Q0 | 06-a5-05/22 | | 000000e0 | Core Gen10 | CML-U62 V2 | K0 | 06-a6-01/80 | | 000000e0 | Core Gen10 Mobile ### Updated Platforms | Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products |:---------------|:---------|:------------|:---------|:---------|:--------- | HSX-E/EP | Cx/M1 | 06-3f-02/6f | 00000043 | 00000044 | Core Gen4 X series; Xeon E5 v3 | SKL-U/Y | D0 | 06-4e-03/c0 | 000000d6 | 000000e2 | Core Gen6 Mobile | SKL-U23e | K1 | 06-4e-03/c0 | 000000d6 | 000000e2 | Core Gen6 Mobile | SKX-SP | B1 | 06-55-03/97 | 01000157 | 01000159 | Xeon Scalable | SKX-SP | H0/M0/U0 | 06-55-04/b7 | 02006906 | 02006a08 | Xeon Scalable | SKX-D | M1 | 06-55-04/b7 | 02006906 | 02006a08 | Xeon D-21xx | CLX-SP | B0 | 06-55-06/bf | 04002f01 | 04003003 | Xeon Scalable Gen2 | CLX-SP | B1 | 06-55-07/bf | 05002f01 | 05003003 | Xeon Scalable Gen2 | APL | D0 | 06-5c-09/03 | 00000038 | 00000040 | Pentium N/J4xxx, Celeron N/J3xxx, Atom x5/7-E39xx | APL | E0 | 06-5c-0a/03 | 00000016 | 0000001e | Atom x5-E39xx | SKL-H/S | R0/N0 | 06-5e-03/36 | 000000d6 | 000000e2 | Core Gen6; Xeon E3 v5 | GKL-R | R0 | 06-7a-08/01 | 00000016 | 00000018 | Pentium J5040/N5030, Celeron J4125/J4025/N4020/N4120 | ICL-U/Y | D1 | 06-7e-05/80 | 00000078 | 000000a0 | Core Gen10 Mobile | AML-Y22 | H0 | 06-8e-09/10 | 000000d6 | 000000de | Core Gen8 Mobile | KBL-U/Y | H0 | 06-8e-09/c0 | 000000d6 | 000000de | Core Gen7 Mobile | CFL-U43e | D0 | 06-8e-0a/c0 | 000000d6 | 000000e0 | Core Gen8 Mobile | WHL-U | W0 | 06-8e-0b/d0 | 000000d6 | 000000de | Core Gen8 Mobile | AML-Y42 | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen10 Mobile | CML-Y42 | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen10 Mobile | WHL-U | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen8 Mobile | KBL-G/H/S/E3 | B0 | 06-9e-09/2a | 000000d6 | 000000de | Core Gen7; Xeon E3 v6 | CFL-H/S/E3 | U0 | 06-9e-0a/22 | 000000d6 | 000000de | Core Gen8 Desktop, Mobile, Xeon E | CFL-S | B0 | 06-9e-0b/02 | 000000d6 | 000000de | Core Gen8 | CFL-H/S | P0 | 06-9e-0c/22 | 000000d6 | 000000de | Core Gen9 | CFL-H | R0 | 06-9e-0d/22 | 000000d6 | 000000de | Core Gen9 Mobile | CML-U62 | A0 | 06-a6-00/80 | 000000ca | 000000e0 | Core Gen10 Mobile ----------------------------------------- Patch: SUSE-2020-3376 Released: Thu Nov 19 09:29:13 2020 Summary: Security update for wireshark Severity: moderate References: 1177406,1178291,CVE-2020-26575,CVE-2020-28030 Description: This update for wireshark fixes the following issues: - wireshark was updated to 3.2.8: - CVE-2020-26575: Fixed an issue where FBZERO dissector was entering in infinite loop (bsc#1177406) - CVE-2020-28030: Fixed an issue where GQUIC dissector was crashing (bsc#1178291) * Infinite memory allocation while parsing this tcp packet ----------------------------------------- Patch: SUSE-2020-3380 Released: Thu Nov 19 09:31:15 2020 Summary: Security update for wpa_supplicant Severity: moderate References: 1131644,1131868,1131870,1131871,1131872,1131874,1133640,1144443,1150934,1156920,1166933,1167331,930077,930078,930079,CVE-2015-4141,CVE-2015-4142,CVE-2015-4143,CVE-2015-8041,CVE-2017-13077,CVE-2017-13078,CVE-2017-13079,CVE-2017-13080,CVE-2017-13081,CVE-2017-13082,CVE-2017-13086,CVE-2017-13087,CVE-2017-13088,CVE-2018-14526,CVE-2019-11555,CVE-2019-13377,CVE-2019-16275,CVE-2019-9494,CVE-2019-9495,CVE-2019-9497,CVE-2019-9498,CVE-2019-9499 Description: This update for wpa_supplicant fixes the following issues: Security issue fixed: - CVE-2019-16275: Fixed an AP mode PMF disconnection protection bypass (bsc#1150934). Non-security issues fixed: - Enable SAE support (jsc#SLE-14992). - Limit P2P_DEVICE name to appropriate ifname size. - Fix wicked wlan (bsc#1156920) - Restore fi.epitest.hostap.WPASupplicant.service (bsc#1167331) - With v2.9 fi.epitest.hostap.WPASupplicant.service is obsolete (bsc#1167331) - Fix WLAN config on boot with wicked. (bsc#1166933) - Update to 2.9 release: * SAE changes - disable use of groups using Brainpool curves - improved protection against side channel attacks [https://w1.fi/security/2019-6/] * EAP-pwd changes - disable use of groups using Brainpool curves - allow the set of groups to be configured (eap_pwd_groups) - improved protection against side channel attacks [https://w1.fi/security/2019-6/] * fixed FT-EAP initial mobility domain association using PMKSA caching (disabled by default for backwards compatibility; can be enabled with ft_eap_pmksa_caching=1) * fixed a regression in OpenSSL 1.1+ engine loading * added validation of RSNE in (Re)Association Response frames * fixed DPP bootstrapping URI parser of channel list * extended EAP-SIM/AKA fast re-authentication to allow use with FILS * extended ca_cert_blob to support PEM format * improved robustness of P2P Action frame scheduling * added support for EAP-SIM/AKA using anonymous@realm identity * fixed Hotspot 2.0 credential selection based on roaming consortium to ignore credentials without a specific EAP method * added experimental support for EAP-TEAP peer (RFC 7170) * added experimental support for EAP-TLS peer with TLS v1.3 * fixed a regression in WMM parameter configuration for a TDLS peer * fixed a regression in operation with drivers that offload 802.1X 4-way handshake * fixed an ECDH operation corner case with OpenSSL * SAE changes - added support for SAE Password Identifier - changed default configuration to enable only groups 19, 20, 21 (i.e., disable groups 25 and 26) and disable all unsuitable groups completely based on REVmd changes - do not regenerate PWE unnecessarily when the AP uses the anti-clogging token mechanisms - fixed some association cases where both SAE and FT-SAE were enabled on both the station and the selected AP - started to prefer FT-SAE over SAE AKM if both are enabled - started to prefer FT-SAE over FT-PSK if both are enabled - fixed FT-SAE when SAE PMKSA caching is used - reject use of unsuitable groups based on new implementation guidance in REVmd (allow only FFC groups with prime >= 3072 bits and ECC groups with prime >= 256) - minimize timing and memory use differences in PWE derivation [https://w1.fi/security/2019-1/] (CVE-2019-9494, bsc#1131868) * EAP-pwd changes - minimize timing and memory use differences in PWE derivation [https://w1.fi/security/2019-2/] (CVE-2019-9495, bsc#1131870) - verify server scalar/element [https://w1.fi/security/2019-4/] (CVE-2019-9497, CVE-2019-9498, CVE-2019-9499, bsc#1131874, bsc#1131872, bsc#1131871, bsc#1131644) - fix message reassembly issue with unexpected fragment [https://w1.fi/security/2019-5/] (CVE-2019-11555, bsc#1133640) - enforce rand,mask generation rules more strictly - fix a memory leak in PWE derivation - disallow ECC groups with a prime under 256 bits (groups 25, 26, and 27) - SAE/EAP-pwd side-channel attack update [https://w1.fi/security/2019-6/] (CVE-2019-13377, bsc#1144443) * fixed CONFIG_IEEE80211R=y (FT) build without CONFIG_FILS=y * Hotspot 2.0 changes - do not indicate release number that is higher than the one AP supports - added support for release number 3 - enable PMF automatically for network profiles created from credentials * fixed OWE network profile saving * fixed DPP network profile saving * added support for RSN operating channel validation (CONFIG_OCV=y and network profile parameter ocv=1) * added Multi-AP backhaul STA support * fixed build with LibreSSL * number of MKA/MACsec fixes and extensions * extended domain_match and domain_suffix_match to allow list of values * fixed dNSName matching in domain_match and domain_suffix_match when using wolfSSL * started to prefer FT-EAP-SHA384 over WPA-EAP-SUITE-B-192 AKM if both are enabled * extended nl80211 Connect and external authentication to support SAE, FT-SAE, FT-EAP-SHA384 * fixed KEK2 derivation for FILS+FT * extended client_cert file to allow loading of a chain of PEM encoded certificates * extended beacon reporting functionality * extended D-Bus interface with number of new properties * fixed a regression in FT-over-DS with mac80211-based drivers * OpenSSL: allow systemwide policies to be overridden * extended driver flags indication for separate 802.1X and PSK 4-way handshake offload capability * added support for random P2P Device/Interface Address use * extended PEAP to derive EMSK to enable use with ERP/FILS * extended WPS to allow SAE configuration to be added automatically for PSK (wps_cred_add_sae=1) * removed support for the old D-Bus interface (CONFIG_CTRL_IFACE_DBUS) * extended domain_match and domain_suffix_match to allow list of values * added a RSN workaround for misbehaving PMF APs that advertise IGTK/BIP KeyID using incorrect byte order * fixed PTK rekeying with FILS and FT * fixed WPA packet number reuse with replayed messages and key reinstallation [https://w1.fi/security/2017-1/] (CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088) * fixed unauthenticated EAPOL-Key decryption in wpa_supplicant [https://w1.fi/security/2018-1/] (CVE-2018-14526) * added support for FILS (IEEE 802.11ai) shared key authentication * added support for OWE (Opportunistic Wireless Encryption, RFC 8110; and transition mode defined by WFA) * added support for DPP (Wi-Fi Device Provisioning Protocol) * added support for RSA 3k key case with Suite B 192-bit level * fixed Suite B PMKSA caching not to update PMKID during each 4-way handshake * fixed EAP-pwd pre-processing with PasswordHashHash * added EAP-pwd client support for salted passwords * fixed a regression in TDLS prohibited bit validation * started to use estimated throughput to avoid undesired signal strength based roaming decision * MACsec/MKA: - new macsec_linux driver interface support for the Linux kernel macsec module - number of fixes and extensions * added support for external persistent storage of PMKSA cache (PMKSA_GET/PMKSA_ADD control interface commands; and MESH_PMKSA_GET/MESH_PMKSA_SET for the mesh case) * fixed mesh channel configuration pri/sec switch case * added support for beacon report * large number of other fixes, cleanup, and extensions * added support for randomizing local address for GAS queries (gas_rand_mac_addr parameter) * fixed EAP-SIM/AKA/AKA' ext auth cases within TLS tunnel * added option for using random WPS UUID (auto_uuid=1) * added SHA256-hash support for OCSP certificate matching * fixed EAP-AKA' to add AT_KDF into Synchronization-Failure * fixed a regression in RSN pre-authentication candidate selection * added option to configure allowed group management cipher suites (group_mgmt network profile parameter) * removed all PeerKey functionality * fixed nl80211 AP and mesh mode configuration regression with Linux 4.15 and newer * added ap_isolate configuration option for AP mode * added support for nl80211 to offload 4-way handshake into the driver * added support for using wolfSSL cryptographic library * SAE - added support for configuring SAE password separately of the WPA2 PSK/passphrase - fixed PTK and EAPOL-Key integrity and key-wrap algorithm selection for SAE; note: this is not backwards compatible, i.e., both the AP and station side implementations will need to be update at the same time to maintain interoperability - added support for Password Identifier - fixed FT-SAE PMKID matching * Hotspot 2.0 - added support for fetching of Operator Icon Metadata ANQP-element - added support for Roaming Consortium Selection element - added support for Terms and Conditions - added support for OSEN connection in a shared RSN BSS - added support for fetching Venue URL information * added support for using OpenSSL 1.1.1 * FT - disabled PMKSA caching with FT since it is not fully functional - added support for SHA384 based AKM - added support for BIP ciphers BIP-CMAC-256, BIP-GMAC-128, BIP-GMAC-256 in addition to previously supported BIP-CMAC-128 - fixed additional IE inclusion in Reassociation Request frame when using FT protocol - Changed service-files for start after network (systemd-networkd). ----------------------------------------- Patch: SUSE-2020-3382 Released: Thu Nov 19 11:03:01 2020 Summary: Recommended update for dmidecode Severity: moderate References: 1174257 Description: This update for dmidecode fixes the following issues: - Add partial support for SMBIOS 3.4.0. (bsc#1174257) - Skip details of uninstalled memory modules. (bsc#1174257) ----------------------------------------- Patch: SUSE-2020-3384 Released: Thu Nov 19 11:33:53 2020 Summary: Security update for perl-DBI Severity: moderate References: 1176492,CVE-2014-10401,CVE-2014-10402 Description: This update for perl-DBI fixes the following issues: - DBD::File drivers can open files from folders other than those specifically passed via the f_dir attribute in the data source name (DSN). [bsc#1176492, CVE-2014-10401, CVE-2014-10402] ----------------------------------------- Patch: SUSE-2020-3450 Released: Thu Nov 19 17:39:23 2020 Summary: Recommended update for hawk-apiserver Severity: moderate References: 1178228 Description: This update for hawk-apiserver fixes the following issues: - Update from version 0.0.2 to version 0.0.4: - various enhancement security https related (bsc#1178228) - update go modules to 1.13 - add -version flag to show build version ----------------------------------------- Patch: SUSE-2020-3452 Released: Thu Nov 19 19:42:47 2020 Summary: Recommended update for tomcat Severity: moderate References: 1178396 Description: This update for tomcat fixes the following issues: - Fixes an issue when after removing package rest remained in 'examples'. - Remove 'tomcat-9.0.init' and '/usr/lib/tmpfiles.d/tomcat.conf' because of using systemd. (bsc#1178396) ----------------------------------------- Patch: SUSE-2020-3458 Released: Fri Nov 20 11:09:46 2020 Summary: Security update for MozillaFirefox Severity: important References: 1178824,CVE-2020-15999,CVE-2020-16012,CVE-2020-26951,CVE-2020-26953,CVE-2020-26956,CVE-2020-26958,CVE-2020-26959,CVE-2020-26960,CVE-2020-26961,CVE-2020-26965,CVE-2020-26966,CVE-2020-26968 Description: This update for MozillaFirefox fixes the following issues: - Firefox Extended Support Release 78.5.0 ESR (bsc#1178824) * CVE-2020-26951: Parsing mismatches could confuse and bypass security sanitizer for chrome privileged code * CVE-2020-16012: Variable time processing of cross-origin images during drawImage calls * CVE-2020-26953: Fullscreen could be enabled without displaying the security UI * CVE-2020-26956: XSS through paste (manual and clipboard API) * CVE-2020-26958: Requests intercepted through ServiceWorkers lacked MIME type restrictions * CVE-2020-26959: Use-after-free in WebRequestService * CVE-2020-26960: Potential use-after-free in uses of nsTArray * CVE-2020-15999: Heap buffer overflow in freetype * CVE-2020-26961: DoH did not filter IPv4 mapped IP Addresses * CVE-2020-26965: Software keyboards may have remembered typed passwords * CVE-2020-26966: Single-word search queries were also broadcast to local network * CVE-2020-26968: Memory safety bugs fixed in Firefox 83 and Firefox ESR 78.5 ----------------------------------------- Patch: SUSE-2020-3460 Released: Fri Nov 20 12:41:23 2020 Summary: Security update for java-1_8_0-openjdk Severity: moderate References: 1174157,1177943,CVE-2020-14556,CVE-2020-14577,CVE-2020-14578,CVE-2020-14579,CVE-2020-14581,CVE-2020-14583,CVE-2020-14593,CVE-2020-14621,CVE-2020-14779,CVE-2020-14781,CVE-2020-14782,CVE-2020-14792,CVE-2020-14796,CVE-2020-14797,CVE-2020-14798,CVE-2020-14803 Description: This update for java-1_8_0-openjdk fixes the following issues: - Fix regression '8250861: Crash in MinINode::Ideal(PhaseGVN*, bool)', introduced in October 2020 CPU. - Update to version jdk8u272 (icedtea 3.17.0) (July 2020 CPU, bsc#1174157, and October 2020 CPU, bsc#1177943) * New features + JDK-8245468: Add TLSv1.3 implementation classes from 11.0.7 + PR3796: Allow the number of curves supported to be specified * Security fixes + JDK-8028431, CVE-2020-14579: NullPointerException in DerValue.equals(DerValue) + JDK-8028591, CVE-2020-14578: NegativeArraySizeException in sun.security.util.DerInputStream.getUnalignedBitString() + JDK-8230613: Better ASCII conversions + JDK-8231800: Better listing of arrays + JDK-8232014: Expand DTD support + JDK-8233255: Better Swing Buttons + JDK-8233624: Enhance JNI linkage + JDK-8234032: Improve basic calendar services + JDK-8234042: Better factory production of certificates + JDK-8234418: Better parsing with CertificateFactory + JDK-8234836: Improve serialization handling + JDK-8236191: Enhance OID processing + JDK-8236196: Improve string pooling + JDK-8236862, CVE-2020-14779: Enhance support of Proxy class + JDK-8237117, CVE-2020-14556: Better ForkJoinPool behavior + JDK-8237592, CVE-2020-14577: Enhance certificate verification + JDK-8237990, CVE-2020-14781: Enhanced LDAP contexts + JDK-8237995, CVE-2020-14782: Enhance certificate processing + JDK-8238002, CVE-2020-14581: Better matrix operations + JDK-8238804: Enhance key handling process + JDK-8238842: AIOOBE in GIFImageReader.initializeStringTable + JDK-8238843: Enhanced font handing + JDK-8238920, CVE-2020-14583: Better Buffer support + JDK-8238925: Enhance WAV file playback + JDK-8240119, CVE-2020-14593: Less Affine Transformations + JDK-8240124: Better VM Interning + JDK-8240482: Improved WAV file playback + JDK-8241114, CVE-2020-14792: Better range handling + JDK-8241379: Update JCEKS support + JDK-8241522: Manifest improved jar headers redux + JDK-8242136, CVE-2020-14621: Better XML namespace handling + JDK-8242680, CVE-2020-14796: Improved URI Support + JDK-8242685, CVE-2020-14797: Better Path Validation + JDK-8242695, CVE-2020-14798: Enhanced buffer support + JDK-8243302: Advanced class supports + JDK-8244136, CVE-2020-14803: Improved Buffer supports + JDK-8244479: Further constrain certificates + JDK-8244955: Additional Fix for JDK-8240124 + JDK-8245407: Enhance zoning of times + JDK-8245412: Better class definitions + JDK-8245417: Improve certificate chain handling + JDK-8248574: Improve jpeg processing + JDK-8249927: Specify limits of jdk.serialProxyInterfaceLimit + JDK-8253019: Enhanced JPEG decoding * Import of OpenJDK 8 u262 build 01 + JDK-4949105: Access Bridge lacks html tags parsing + JDK-8003209: JFR events for network utilization + JDK-8030680: 292 cleanup from default method code assessment + JDK-8035633: TEST_BUG: java/net/NetworkInterface/Equals.java and some tests failed on windows intermittently + JDK-8041626: Shutdown tracing event + JDK-8141056: Erroneous assignment in HeapRegionSet.cpp + JDK-8149338: JVM Crash caused by Marlin renderer not handling NaN coordinates + JDK-8151582: (ch) test java/nio/channels/ /AsyncCloseAndInterrupt.java failing due to 'Connection succeeded' + JDK-8165675: Trace event for thread park has incorrect unit for timeout + JDK-8176182: 4 security tests are not run + JDK-8178910: Problemlist sample tests + JDK-8183925: Decouple crash protection from watcher thread + JDK-8191393: Random crashes during cfree+0x1c + JDK-8195817: JFR.stop should require name of recording + JDK-8195818: JFR.start should increase autogenerated name by one + JDK-8195819: Remove recording=x from jcmd JFR.check output + JDK-8199712: Flight Recorder + JDK-8202578: Revisit location for class unload events + JDK-8202835: jfr/event/os/TestSystemProcess.java fails on missing events + JDK-8203287: Zero fails to build after JDK-8199712 (Flight Recorder) + JDK-8203346: JFR: Inconsistent signature of jfr_add_string_constant + JDK-8203664: JFR start failure after AppCDS archive created with JFR StartFlightRecording + JDK-8203921: JFR thread sampling is missing fixes from JDK-8194552 + JDK-8203929: Limit amount of data for JFR.dump + JDK-8205516: JFR tool + JDK-8207392: [PPC64] Implement JFR profiling + JDK-8207829: FlightRecorderMXBeanImpl is leaking the first classloader which calls it + JDK-8209960: -Xlog:jfr* doesn't work with the JFR + JDK-8210024: JFR calls virtual is_Java_thread from ~Thread() + JDK-8210776: Upgrade X Window System 6.8.2 to the latest XWD 1.0.7 + JDK-8211239: Build fails without JFR: empty JFR events signatures mismatch + JDK-8212232: Wrong metadata for the configuration of the cutoff for old object sample events + JDK-8213015: Inconsistent settings between JFR.configure and -XX:FlightRecorderOptions + JDK-8213421: Line number information for execution samples always 0 + JDK-8213617: JFR should record the PID of the recorded process + JDK-8213734: SAXParser.parse(File, ..) does not close resources when Exception occurs. + JDK-8213914: [TESTBUG] Several JFR VM events are not covered by tests + JDK-8213917: [TESTBUG] Shutdown JFR event is not covered by test + JDK-8213966: The ZGC JFR events should be marked as experimental + JDK-8214542: JFR: Old Object Sample event slow on a deep heap in debug builds + JDK-8214750: Unnecessary

tags in jfr classes + JDK-8214896: JFR Tool left files behind + JDK-8214906: [TESTBUG] jfr/event/sampling/TestNative.java fails with UnsatisfiedLinkError + JDK-8214925: JFR tool fails to execute + JDK-8215175: Inconsistencies in JFR event metadata + JDK-8215237: jdk.jfr.Recording javadoc does not compile + JDK-8215284: Reduce noise induced by periodic task getFileSize() + JDK-8215355: Object monitor deadlock with no threads holding the monitor (using jemalloc 5.1) + JDK-8215362: JFR GTest JfrTestNetworkUtilization fails + JDK-8215771: The jfr tool should pretty print reference chains + JDK-8216064: -XX:StartFlightRecording:settings= doesn't work properly + JDK-8216486: Possibility of integer overflow in JfrThreadSampler::run() + JDK-8216528: test/jdk/java/rmi/transport/ /runtimeThreadInheritanceLeak/ /RuntimeThreadInheritanceLeak.java failing with Xcomp + JDK-8216559: [JFR] Native libraries not correctly parsed from /proc/self/maps + JDK-8216578: Remove unused/obsolete method in JFR code + JDK-8216995: Clean up JFR command line processing + JDK-8217744: [TESTBUG] JFR TestShutdownEvent fails on some systems due to process surviving SIGINT + JDK-8217748: [TESTBUG] Exclude TestSig test case from JFR TestShutdownEvent + JDK-8218935: Make jfr strncpy uses GCC 8.x friendly + JDK-8223147: JFR Backport + JDK-8223689: Add JFR Thread Sampling Support + JDK-8223690: Add JFR BiasedLock Event Support + JDK-8223691: Add JFR G1 Region Type Change Event Support + JDK-8223692: Add JFR G1 Heap Summary Event Support + JDK-8224172: assert(jfr_is_event_enabled(id)) failed: invariant + JDK-8224475: JTextPane does not show images in HTML rendering + JDK-8226253: JAWS reports wrong number of radio buttons when buttons are hidden. + JDK-8226779: [TESTBUG] Test JFR API from Java agent + JDK-8226892: ActionListeners on JRadioButtons don't get notified when selection is changed with arrow keys + JDK-8227011: Starting a JFR recording in response to JVMTI VMInit and / or Java agent premain corrupts memory + JDK-8227605: Kitchensink fails 'assert((((klass)->trace_id() & (JfrTraceIdEpoch::leakp_in_use_this_epoch_bit())) != 0)) failed: invariant' + JDK-8229366: JFR backport allows unchecked writing to memory + JDK-8229401: Fix JFR code cache test failures + JDK-8229708: JFR backport code does not initialize + JDK-8229873: 8229401 broke jdk8u-jfr-incubator + JDK-8230448: [test] JFRSecurityTestSuite.java is failing on Windows + JDK-8230707: JFR related tests are failing + JDK-8230782: Robot.createScreenCapture() fails if 'awt.robot.gtk' is set to false + JDK-8230856: Java_java_net_NetworkInterface_getByName0 on unix misses ReleaseStringUTFChars in early return + JDK-8230947: TestLookForUntestedEvents.java is failing after JDK-8230707 + JDK-8231995: two jtreg tests failed after 8229366 is fixed + JDK-8233623: Add classpath exception to copyright in EventHandlerProxyCreator.java file + JDK-8236002: CSR for JFR backport suggests not leaving out the package-info + JDK-8236008: Some backup files were accidentally left in the hotspot tree + JDK-8236074: Missed package-info + JDK-8236174: Should update javadoc since tags + JDK-8238076: Fix OpenJDK 7 Bootstrap Broken by JFR Backport + JDK-8238452: Keytool generates wrong expiration date if validity is set to 2050/01/01 + JDK-8238555: Allow Initialization of SunPKCS11 with NSS when there are external FIPS modules in the NSSDB + JDK-8238589: Necessary code cleanup in JFR for JDK8u + JDK-8238590: Enable JFR by default during compilation in 8u + JDK-8239055: Wrong implementation of VMState.hasListener + JDK-8239476: JDK-8238589 broke windows build by moving OrderedPair + JDK-8239479: minimal1 and zero builds are failing + JDK-8239867: correct over use of INCLUDE_JFR macro + JDK-8240375: Disable JFR by default for July 2020 release + JDK-8241444: Metaspace::_class_vsm not initialized if compressed class pointers are disabled + JDK-8241902: AIX Build broken after integration of JDK-8223147 (JFR Backport) + JDK-8242788: Non-PCH build is broken after JDK-8191393 * Import of OpenJDK 8 u262 build 02 + JDK-8130737: AffineTransformOp can't handle child raster with non-zero x-offset + JDK-8172559: [PIT][TEST_BUG] Move @test to be 1st annotation in java/awt/image/Raster/TestChildRasterOp.java + JDK-8230926: [macosx] Two apostrophes are entered instead of one with 'U.S. International - PC' layout + JDK-8240576: JVM crashes after transformation in C2 IdealLoopTree::merge_many_backedges + JDK-8242883: Incomplete backport of JDK-8078268: backport test part * Import of OpenJDK 8 u262 build 03 + JDK-8037866: Replace the Fun class in tests with lambdas + JDK-8146612: C2: Precedence edges specification violated + JDK-8150986: serviceability/sa/jmap-hprof/ /JMapHProfLargeHeapTest.java failing because expects HPROF JAVA PROFILE 1.0.1 file format + JDK-8229888: (zipfs) Updating an existing zip file does not preserve original permissions + JDK-8230597: Update GIFlib library to the 5.2.1 + JDK-8230769: BufImg_SetupICM add ReleasePrimitiveArrayCritical call in early return + JDK-8233880, PR3798: Support compilers with multi-digit major version numbers + JDK-8239852: java/util/concurrent tests fail with -XX:+VerifyGraphEdges: assert(!VerifyGraphEdges) failed: verification should have failed + JDK-8241638: launcher time metrics always report 1 on Linux when _JAVA_LAUNCHER_DEBUG set + JDK-8243059: Build fails when --with-vendor-name contains a comma + JDK-8243474: [TESTBUG] removed three tests of 0 bytes + JDK-8244461: [JDK 8u] Build fails with glibc 2.32 + JDK-8244548: JDK 8u: sun.misc.Version.jdkUpdateVersion() returns wrong result * Import of OpenJDK 8 u262 build 04 + JDK-8067796: (process) Process.waitFor(timeout, unit) doesn't throw NPE if timeout is less than, or equal to zero when unit == null + JDK-8148886: SEGV in sun.java2d.marlin.Renderer._endRendering + JDK-8171934: ObjectSizeCalculator.getEffectiveMemoryLayoutSpecification() does not recognize OpenJDK's HotSpot VM + JDK-8196969: JTreg Failure: serviceability/sa/ClhsdbJstack.java causes NPE + JDK-8243539: Copyright info (Year) should be updated for fix of 8241638 + JDK-8244777: ClassLoaderStats VM Op uses constant hash value * Import of OpenJDK 8 u262 build 05 + JDK-7147060: com/sun/org/apache/xml/internal/security/ /transforms/ClassLoaderTest.java doesn't run in agentvm mode + JDK-8178374: Problematic ByteBuffer handling in CipherSpi.bufferCrypt method + JDK-8181841: A TSA server returns timestamp with precision higher than milliseconds + JDK-8227269: Slow class loading when running with JDWP + JDK-8229899: Make java.io.File.isInvalid() less racy + JDK-8236996: Incorrect Roboto font rendering on Windows with subpixel antialiasing + JDK-8241750: x86_32 build failure after JDK-8227269 + JDK-8244407: JVM crashes after transformation in C2 IdealLoopTree::split_fall_in + JDK-8244843: JapanEraNameCompatTest fails * Import of OpenJDK 8 u262 build 06 + JDK-8246223: Windows build fails after JDK-8227269 * Import of OpenJDK 8 u262 build 07 + JDK-8233197: Invert JvmtiExport::post_vm_initialized() and Jfr:on_vm_start() start-up order for correct option parsing + JDK-8243541: (tz) Upgrade time-zone data to tzdata2020a + JDK-8245167: Top package in method profiling shows null in JMC + JDK-8246703: [TESTBUG] Add test for JDK-8233197 * Import of OpenJDK 8 u262 build 08 + JDK-8220293: Deadlock in JFR string pool + JDK-8225068: Remove DocuSign root certificate that is expiring in May 2020 + JDK-8225069: Remove Comodo root certificate that is expiring in May 2020 * Import of OpenJDK 8 u262 build 09 + JDK-8248399: Build installs jfr binary when JFR is disabled * Import of OpenJDK 8 u262 build 10 + JDK-8248715: New JavaTimeSupplementary localisation for 'in' installed in wrong package * Import of OpenJDK 8 u265 build 01 + JDK-8249677: Regression in 8u after JDK-8237117: Better ForkJoinPool behavior + JDK-8250546: Expect changed behaviour reported in JDK-8249846 * Import of OpenJDK 8 u272 build 01 + JDK-8006205: [TESTBUG] NEED_TEST: please JTREGIFY test/compiler/7177917/Test7177917.java + JDK-8035493: JVMTI PopFrame capability must instruct compilers not to prune locals + JDK-8036088: Replace strtok() with its safe equivalent strtok_s() in DefaultProxySelector.c + JDK-8039082: [TEST_BUG] Test java/awt/dnd/ /BadSerializationTest/BadSerializationTest.java fails + JDK-8075774: Small readability and performance improvements for zipfs + JDK-8132206: move ScanTest.java into OpenJDK + JDK-8132376: Add @requires os.family to the client tests with access to internal OS-specific API + JDK-8132745: minor cleanup of java/util/Scanner/ScanTest.java + JDK-8137087: [TEST_BUG] Cygwin failure of java/awt/ /appletviewer/IOExceptionIfEncodedURLTest/ /IOExceptionIfEncodedURLTest.sh + JDK-8145808: java/awt/Graphics2D/MTGraphicsAccessTest/ /MTGraphicsAccessTest.java hangs on Win. 8 + JDK-8151788: NullPointerException from ntlm.Client.type3 + JDK-8151834: Test SmallPrimeExponentP.java times out intermittently + JDK-8153430: jdk regression test MletParserLocaleTest, ParserInfiniteLoopTest reduce default timeout + JDK-8153583: Make OutputAnalyzer.reportDiagnosticSummary public + JDK-8156169: Some sound tests rarely hangs because of incorrect synchronization + JDK-8165936: Potential Heap buffer overflow when seaching timezone info files + JDK-8166148: Fix for JDK-8165936 broke solaris builds + JDK-8167300: Scheduling failures during gcm should be fatal + JDK-8167615: Opensource unit/regression tests for JavaSound + JDK-8172012: [TEST_BUG] delays needed in javax/swing/JTree/4633594/bug4633594.java + JDK-8177628: Opensource unit/regression tests for ImageIO + JDK-8183341: Better cleanup for javax/imageio/AllowSearch.java + JDK-8183351: Better cleanup for jdk/test/javax/imageio/spi/ /AppletContextTest/BadPluginConfigurationTest.sh + JDK-8193137: Nashorn crashes when given an empty script file + JDK-8194298: Add support for per Socket configuration of TCP keepalive + JDK-8198004: javax/swing/JFileChooser/6868611/bug6868611.java throws error + JDK-8200313: java/awt/Gtk/GtkVersionTest/GtkVersionTest.java fails + JDK-8210147: adjust some WSAGetLastError usages in windows network coding + JDK-8211714: Need to update vm_version.cpp to recognise VS2017 minor versions + JDK-8214862: assert(proj != __null) at compile.cpp:3251 + JDK-8217606: LdapContext#reconnect always opens a new connection + JDK-8217647: JFR: recordings on 32-bit systems unreadable + JDK-8226697: Several tests which need the @key headful keyword are missing it. + JDK-8229378: jdwp library loader in linker_md.c quietly truncates on buffer overflow + JDK-8230303: JDB hangs when running monitor command + JDK-8230711: ConnectionGraph::unique_java_object(Node* N) return NULL if n is not in the CG + JDK-8234617: C1: Incorrect result of field load due to missing narrowing conversion + JDK-8235243: handle VS2017 15.9 and VS2019 in abstract_vm_version + JDK-8235325: build failure on Linux after 8235243 + JDK-8235687: Contents/MacOS/libjli.dylib cannot be a symlink + JDK-8237951: CTW: C2 compilation fails with 'malformed control flow' + JDK-8238225: Issues reported after replacing symlink at Contents/MacOS/libjli.dylib with binary + JDK-8239385: KerberosTicket client name refers wrongly to sAMAccountName in AD + JDK-8239819: XToolkit: Misread of screen information memory + JDK-8240295: hs_err elapsed time in seconds is not accurate enough + JDK-8241888: Mirror jdk.security.allowNonCaAnchor system property with a security one + JDK-8242498: Invalid 'sun.awt.TimedWindowEvent' object leads to JVM crash + JDK-8243489: Thread CPU Load event may contain wrong data for CPU time under certain conditions + JDK-8244818: Java2D Queue Flusher crash while moving application window to external monitor + JDK-8246310: Clean commented-out code about ModuleEntry and PackageEntry in JFR + JDK-8246384: Enable JFR by default on supported architectures for October 2020 release + JDK-8248643: Remove extra leading space in JDK-8240295 8u backport + JDK-8249610: Make sun.security.krb5.Config.getBooleanObject(String... keys) method public * Import of OpenJDK 8 u272 build 02 + JDK-8023697: failed class resolution reports different class name in detail message for the first and subsequent times + JDK-8025886: replace [[ and == bash extensions in regtest + JDK-8046274: Removing dependency on jakarta-regexp + JDK-8048933: -XX:+TraceExceptions output should include the message + JDK-8076151: [TESTBUG] Test java/awt/FontClass/CreateFont/ /fileaccess/FontFile.java fails + JDK-8148854: Class names 'SomeClass' and 'LSomeClass;' treated by JVM as an equivalent + JDK-8154313: Generated javadoc scattered all over the place + JDK-8163251: Hard coded loop limit prevents reading of smart card data greater than 8k + JDK-8173300: [TESTBUG]compiler/tiered/NonTieredLevelsTest.java fails with compiler.whitebox.SimpleTestCaseHelper(int) must be compiled + JDK-8183349: Better cleanup for jdk/test/javax/imageio/ /plugins/shared/CanWriteSequence.java and WriteAfterAbort.java + JDK-8191678: [TESTBUG] Add keyword headful in java/awt FocusTransitionTest test. + JDK-8201633: Problems with AES-GCM native acceleration + JDK-8211049: Second parameter of 'initialize' method is not used + JDK-8219566: JFR did not collect call stacks when MaxJavaStackTraceDepth is set to zero + JDK-8220165: Encryption using GCM results in RuntimeException- input length out of bound + JDK-8220555: JFR tool shows potentially misleading message when it cannot access a file + JDK-8224217: RecordingInfo should use textual representation of path + JDK-8231779: crash HeapWord*ParallelScavengeHeap::failed_mem_allocate + JDK-8238380, PR3798: java.base/unix/native/libjava/childproc.c 'multiple definition' link errors with GCC10 + JDK-8238386, PR3798: (sctp) jdk.sctp/unix/native/libsctp/ /SctpNet.c 'multiple definition' link errors with GCC10 + JDK-8238388, PR3798: libj2gss/NativeFunc.o 'multiple definition' link errors with GCC10 + JDK-8242556: Cannot load RSASSA-PSS public key with non-null params from byte array + JDK-8250755: Better cleanup for jdk/test/javax/imageio/ /plugins/shared/CanWriteSequence.java * Import of OpenJDK 8 u272 build 03 + JDK-6574989: TEST_BUG: javax/sound/sampled/Clip/bug5070081.java fails sometimes + JDK-8148754: C2 loop unrolling fails due to unexpected graph shape + JDK-8192953: sun/management/jmxremote/bootstrap/*.sh tests fail with error : revokeall.exe: Permission denied + JDK-8203357: Container Metrics + JDK-8209113: Use WeakReference for lastFontStrike for created Fonts + JDK-8216283: Allow shorter method sampling interval than 10 ms + JDK-8221569: JFR tool produces incorrect output when both --categories and --events are specified + JDK-8233097: Fontmetrics for large Fonts has zero width + JDK-8248851: CMS: Missing memory fences between free chunk check and klass read + JDK-8250875: Incorrect parameter type for update_number in JDK_Version::jdk_update * Import of OpenJDK 8 u272 build 04 + JDK-8061616: HotspotDiagnosticMXBean.getVMOption() throws IllegalArgumentException for flags of type double + JDK-8177334: Update xmldsig implementation to Apache Santuario 2.1.1 + JDK-8217878: ENVELOPING XML signature no longer works in JDK 11 + JDK-8218629: XML Digital Signature throws NAMESPACE_ERR exception on OpenJDK 11, works 8/9/10 + JDK-8243138: Enhance BaseLdapServer to support starttls extended request * Import of OpenJDK 8 u272 build 05 + JDK-8026236: Add PrimeTest for BigInteger + JDK-8057003: Large reference arrays cause extremely long synchronization times + JDK-8060721: Test runtime/SharedArchiveFile/ /LimitSharedSizes.java fails in jdk 9 fcs new platforms/compiler + JDK-8152077: (cal) Calendar.roll does not always roll the hours during daylight savings + JDK-8168517: java/lang/ProcessBuilder/Basic.java failed + JDK-8211163: UNIX version of Java_java_io_Console_echo does not return a clean boolean + JDK-8220674: [TESTBUG] MetricsMemoryTester failcount test in docker container only works with debug JVMs + JDK-8231213: Migrate SimpleDateFormatConstTest to JDK Repo + JDK-8236645: JDK 8u231 introduces a regression with incompatible handling of XML messages + JDK-8240676: Meet not symmetric failure when running lucene on jdk8 + JDK-8243321: Add Entrust root CA - G4 to Oracle Root CA program + JDK-8249158: THREAD_START and THREAD_END event posted in primordial phase + JDK-8250627: Use -XX:+/-UseContainerSupport for enabling/disabling Java container metrics + JDK-8251546: 8u backport of JDK-8194298 breaks AIX and Solaris builds + JDK-8252084: Minimal VM fails to bootcycle: undefined symbol: AgeTableTracer::is_tenuring_distribution_event_enabled * Import of OpenJDK 8 u272 build 06 + JDK-8064319: Need to enable -XX:+TraceExceptions in release builds + JDK-8080462, PR3801: Update SunPKCS11 provider with PKCS11 v2.40 support + JDK-8160768: Add capability to custom resolve host/domain names within the default JNDI LDAP provider + JDK-8161973: PKIXRevocationChecker.getSoftFailExceptions() not working + JDK-8169925, PR3801: PKCS #11 Cryptographic Token Interface license + JDK-8184762: ZapStackSegments should use optimized memset + JDK-8193234: When using -Xcheck:jni an internally allocated buffer can leak + JDK-8219919: RuntimeStub name lost with PrintFrameConverterAssembly + JDK-8220313: [TESTBUG] Update base image for Docker testing to OL 7.6 + JDK-8222079: Don't use memset to initialize fields decode_env constructor in disassembler.cpp + JDK-8225695: 32-bit build failures after JDK-8080462 (Update SunPKCS11 provider with PKCS11 v2.40 support) + JDK-8226575: OperatingSystemMXBean should be made container aware + JDK-8226809: Circular reference in printed stack trace is not correctly indented & ambiguous + JDK-8228835: Memory leak in PKCS11 provider when using AES GCM + JDK-8233621: Mismatch in jsse.enableMFLNExtension property name + JDK-8238898, PR3801: Missing hash characters for header on license file + JDK-8243320: Add SSL root certificates to Oracle Root CA program + JDK-8244151: Update MUSCLE PC/SC-Lite headers to the latest release 1.8.26 + JDK-8245467: Remove 8u TLSv1.2 implementation files + JDK-8245469: Remove DTLS protocol implementation + JDK-8245470: Fix JDK8 compatibility issues + JDK-8245471: Revert JDK-8148188 + JDK-8245472: Backport JDK-8038893 to JDK8 + JDK-8245473: OCSP stapling support + JDK-8245474: Add TLS_KRB5 cipher suites support according to RFC-2712 + JDK-8245476: Disable TLSv1.3 protocol in the ClientHello message by default + JDK-8245477: Adjust TLS tests location + JDK-8245653: Remove 8u TLS tests + JDK-8245681: Add TLSv1.3 regression test from 11.0.7 + JDK-8251117: Cannot check P11Key size in P11Cipher and P11AEADCipher + JDK-8251120, PR3793: [8u] HotSpot build assumes ENABLE_JFR is set to either true or false + JDK-8251341: Minimal Java specification change + JDK-8251478: Backport TLSv1.3 regression tests to JDK8u * Import of OpenJDK 8 u272 build 07 + JDK-8246193: Possible NPE in ENC-PA-REP search in AS-REQ * Import of OpenJDK 8 u272 build 08 + JDK-8062947: Fix exception message to correctly represent LDAP connection failure + JDK-8151678: com/sun/jndi/ldap/LdapTimeoutTest.java failed due to timeout on DeadServerNoTimeoutTest is incorrect + JDK-8252573: 8u: Windows build failed after 8222079 backport * Import of OpenJDK 8 u272 build 09 + JDK-8252886: [TESTBUG] sun/security/ec/TestEC.java : Compilation failed * Import of OpenJDK 8 u272 build 10 + JDK-8254673: Call to JvmtiExport::post_vm_start() was removed by the fix for JDK-8249158 + JDK-8254937: Revert JDK-8148854 for 8u272 * Backports + JDK-8038723, PR3806: Openup some PrinterJob tests + JDK-8041480, PR3806: ArrayIndexOutOfBoundsException when JTable contains certain string + JDK-8058779, PR3805: Faster implementation of String.replace(CharSequence, CharSequence) + JDK-8130125, PR3806: [TEST_BUG] add @modules to the several client tests unaffected by the automated bulk update + JDK-8144015, PR3806: [PIT] failures of text layout font tests + JDK-8144023, PR3806: [PIT] failure of text measurements in javax/swing/text/html/parser/Parser/6836089/bug6836089.java + JDK-8144240, PR3806: [macosx][PIT] AIOOB in closed/javax/swing/text/GlyphPainter2/6427244/bug6427244.java + JDK-8145542, PR3806: The case failed automatically and thrown java.lang.ArrayIndexOutOfBoundsException exception + JDK-8151725, PR3806: [macosx] ArrayIndexOOB exception when displaying Devanagari text in JEditorPane + JDK-8152358, PR3800: code and comment cleanups found during the hunt for 8077392 + JDK-8152545, PR3804: Use preprocessor instead of compiling a program to generate native nio constants + JDK-8152680, PR3806: Regression in GlyphVector.getGlyphCharIndex behaviour + JDK-8158924, PR3806: Incorrect i18n text document layout + JDK-8166003, PR3806: [PIT][TEST_BUG] missing helper for javax/swing/text/GlyphPainter2/6427244/bug6427244.java + JDK-8166068, PR3806: test/java/awt/font/GlyphVector/ /GetGlyphCharIndexTest.java does not compile + JDK-8169879, PR3806: [TEST_BUG] javax/swing/text/ /GlyphPainter2/6427244/bug6427244.java - compilation failed + JDK-8191512, PR3806: T2K font rasterizer code removal + JDK-8191522, PR3806: Remove Bigelow&Holmes Lucida fonts from JDK sources + JDK-8236512, PR3801: PKCS11 Connection closed after Cipher.doFinal and NoPadding + JDK-8254177, PR3809: (tz) Upgrade time-zone data to tzdata2020b * Bug fixes + PR3798: Fix format-overflow error on GCC 10, caused by passing NULL to a '%s' directive + PR3795: ECDSAUtils for XML digital signatures should support the same curve set as the rest of the JDK + PR3799: Adapt elliptic curve patches to JDK-8245468: Add TLSv1.3 implementation classes from 11.0.7 + PR3808: IcedTea does not install the JFR *.jfc files + PR3810: Enable JFR on x86 (32-bit) now that JDK-8252096 has fixed its use with Shenandoah + PR3811: Don't attempt to install JFR files when JFR is disabled * Shenandoah + [backport] 8221435: Shenandoah should not mark through weak roots + [backport] 8221629: Shenandoah: Cleanup class unloading logic + [backport] 8222992: Shenandoah: Pre-evacuate all roots + [backport] 8223215: Shenandoah: Support verifying subset of roots + [backport] 8223774: Shenandoah: Refactor ShenandoahRootProcessor and family + [backport] 8224210: Shenandoah: Refactor ShenandoahRootScanner to support scanning CSet codecache roots + [backport] 8224508: Shenandoah: Need to update thread roots in final mark for piggyback ref update cycle + [backport] 8224579: ResourceMark not declared in shenandoahRootProcessor.inline.hpp with --disable-precompiled-headers + [backport] 8224679: Shenandoah: Make ShenandoahParallelCodeCacheIterator noncopyable + [backport] 8224751: Shenandoah: Shenandoah Verifier should select proper roots according to current GC cycle + [backport] 8225014: Separate ShenandoahRootScanner method for object_iterate + [backport] 8225216: gc/logging/TestMetaSpaceLog.java doesn't work for Shenandoah + [backport] 8225573: Shenandoah: Enhance ShenandoahVerifier to ensure roots to-space invariant + [backport] 8225590: Shenandoah: Refactor ShenandoahClassLoaderDataRoots API + [backport] 8226413: Shenandoah: Separate root scanner for SH::object_iterate() + [backport] 8230853: Shenandoah: replace leftover assert(is_in(...)) with rich asserts + [backport] 8231198: Shenandoah: heap walking should visit all roots most of the time + [backport] 8231244: Shenandoah: all-roots heap walking misses some weak roots + [backport] 8237632: Shenandoah: accept NULL fwdptr to cooperate with JVMTI and JFR + [backport] 8239786: Shenandoah: print per-cycle statistics + [backport] 8239926: Shenandoah: Shenandoah needs to mark nmethod's metadata + [backport] 8240671: Shenandoah: refactor ShenandoahPhaseTimings + [backport] 8240749: Shenandoah: refactor ShenandoahUtils + [backport] 8240750: Shenandoah: remove leftover files and mentions of ShenandoahAllocTracker + [backport] 8240868: Shenandoah: remove CM-with-UR piggybacking cycles + [backport] 8240872: Shenandoah: Avoid updating new regions from start of evacuation + [backport] 8240873: Shenandoah: Short-cut arraycopy barriers + [backport] 8240915: Shenandoah: Remove unused fields in init mark tasks + [backport] 8240948: Shenandoah: cleanup not-forwarded-objects paths after JDK-8240868 + [backport] 8241007: Shenandoah: remove ShenandoahCriticalControlThreadPriority support + [backport] 8241062: Shenandoah: rich asserts trigger 'empty statement' inspection + [backport] 8241081: Shenandoah: Do not modify update-watermark concurrently + [backport] 8241093: Shenandoah: editorial changes in flag descriptions + [backport] 8241139: Shenandoah: distribute mark-compact work exactly to minimize fragmentation + [backport] 8241142: Shenandoah: should not use parallel reference processing with single GC thread + [backport] 8241351: Shenandoah: fragmentation metrics overhaul + [backport] 8241435: Shenandoah: avoid disabling pacing with 'aggressive' + [backport] 8241520: Shenandoah: simplify region sequence numbers handling + [backport] 8241534: Shenandoah: region status should include update watermark + [backport] 8241574: Shenandoah: remove ShenandoahAssertToSpaceClosure + [backport] 8241583: Shenandoah: turn heap lock asserts into macros + [backport] 8241668: Shenandoah: make ShenandoahHeapRegion not derive from ContiguousSpace + [backport] 8241673: Shenandoah: refactor anti-false-sharing padding + [backport] 8241675: Shenandoah: assert(n->outcnt() > 0) at shenandoahSupport.cpp:2858 with java/util/Collections/FindSubList.java + [backport] 8241692: Shenandoah: remove ShenandoahHeapRegion::_reserved + [backport] 8241700: Shenandoah: Fold ShenandoahKeepAliveBarrier flag into ShenandoahSATBBarrier + [backport] 8241740: Shenandoah: remove ShenandoahHeapRegion::_heap + [backport] 8241743: Shenandoah: refactor and inline ShenandoahHeap::heap() + [backport] 8241748: Shenandoah: inline MarkingContext TAMS methods + [backport] 8241838: Shenandoah: no need to trash cset during final mark + [backport] 8241841: Shenandoah: ditch one of allocation type counters in ShenandoahHeapRegion + [backport] 8241842: Shenandoah: inline ShenandoahHeapRegion::region_number + [backport] 8241844: Shenandoah: rename ShenandoahHeapRegion::region_number + [backport] 8241845: Shenandoah: align ShenandoahHeapRegions to cache lines + [backport] 8241926: Shenandoah: only print heap changes for operations that directly affect it + [backport] 8241983: Shenandoah: simplify FreeSet logging + [backport] 8241985: Shenandoah: simplify collectable garbage logging + [backport] 8242040: Shenandoah: print allocation failure type + [backport] 8242041: Shenandoah: adaptive heuristics should account evac reserve in free target + [backport] 8242042: Shenandoah: tune down ShenandoahGarbageThreshold + [backport] 8242054: Shenandoah: New incremental-update mode + [backport] 8242075: Shenandoah: rename ShenandoahHeapRegionSize flag + [backport] 8242082: Shenandoah: Purge Traversal mode + [backport] 8242083: Shenandoah: split 'Prepare Evacuation' tracking into cset/freeset counters + [backport] 8242089: Shenandoah: per-worker stats should be summed up, not averaged + [backport] 8242101: Shenandoah: coalesce and parallelise heap region walks during the pauses + [backport] 8242114: Shenandoah: remove ShenandoahHeapRegion::reset_alloc_metadata_to_shared + [backport] 8242130: Shenandoah: Simplify arraycopy-barrier dispatching + [backport] 8242211: Shenandoah: remove ShenandoahHeuristics::RegionData::_seqnum_last_alloc + [backport] 8242212: Shenandoah: initialize ShenandoahHeuristics::_region_data eagerly + [backport] 8242213: Shenandoah: remove ShenandoahHeuristics::_bytes_in_cset + [backport] 8242217: Shenandoah: Enable GC mode to be diagnostic/experimental and have a name + [backport] 8242227: Shenandoah: transit regions to cset state when adding to collection set + [backport] 8242228: Shenandoah: remove unused ShenandoahCollectionSet methods + [backport] 8242229: Shenandoah: inline ShenandoahHeapRegion liveness-related methods + [backport] 8242267: Shenandoah: regions space needs to be aligned by os::vm_allocation_granularity() + [backport] 8242271: Shenandoah: add test to verify GC mode unlock + [backport] 8242273: Shenandoah: accept either SATB or IU barriers, but not both + [backport] 8242301: Shenandoah: Inline LRB runtime call + [backport] 8242316: Shenandoah: Turn NULL-check into assert in SATB slow-path entry + [backport] 8242353: Shenandoah: micro-optimize region liveness handling + [backport] 8242365: Shenandoah: use uint16_t instead of jushort for liveness cache + [backport] 8242375: Shenandoah: Remove ShenandoahHeuristic::record_gc_start/end methods + [backport] 8242641: Shenandoah: clear live data and update TAMS optimistically + [backport] 8243238: Shenandoah: explicit GC request should wait for a complete GC cycle + [backport] 8243301: Shenandoah: ditch ShenandoahAllowMixedAllocs + [backport] 8243307: Shenandoah: remove ShCollectionSet::live_data + [backport] 8243395: Shenandoah: demote guarantee in ShenandoahPhaseTimings::record_workers_end + [backport] 8243463: Shenandoah: ditch total_pause counters + [backport] 8243464: Shenandoah: print statistic counters in time order + [backport] 8243465: Shenandoah: ditch unused pause_other, conc_other counters + [backport] 8243487: Shenandoah: make _num_phases illegal phase type + [backport] 8243494: Shenandoah: set counters once per cycle + [backport] 8243573: Shenandoah: rename GCParPhases and related code + [backport] 8243848: Shenandoah: Windows build fails after JDK-8239786 + [backport] 8244180: Shenandoah: carry Phase to ShWorkerTimingsTracker explicitly + [backport] 8244200: Shenandoah: build breakages after JDK-8241743 + [backport] 8244226: Shenandoah: per-cycle statistics contain worker data from previous cycles + [backport] 8244326: Shenandoah: global statistics should not accept bogus samples + [backport] 8244509: Shenandoah: refactor ShenandoahBarrierC2Support::test_* methods + [backport] 8244551: Shenandoah: Fix racy update of update_watermark + [backport] 8244667: Shenandoah: SBC2Support::test_gc_state takes loop for wrong control + [backport] 8244730: Shenandoah: gc/shenandoah/options/ /TestHeuristicsUnlock.java should only verify the heuristics + [backport] 8244732: Shenandoah: move heuristics code to gc/shenandoah/heuristics + [backport] 8244737: Shenandoah: move mode code to gc/shenandoah/mode + [backport] 8244739: Shenandoah: break superclass dependency on ShenandoahNormalMode + [backport] 8244740: Shenandoah: rename ShenandoahNormalMode to ShenandoahSATBMode + [backport] 8245461: Shenandoah: refine mode name()-s + [backport] 8245463: Shenandoah: refine ShenandoahPhaseTimings constructor arguments + [backport] 8245464: Shenandoah: allocate collection set bitmap at lower addresses + [backport] 8245465: Shenandoah: test_in_cset can use more efficient encoding + [backport] 8245726: Shenandoah: lift/cleanup ShenandoahHeuristics names and properties + [backport] 8245754: Shenandoah: ditch ShenandoahAlwaysPreTouch + [backport] 8245757: Shenandoah: AlwaysPreTouch should not disable heap resizing or uncommits + [backport] 8245773: Shenandoah: Windows assertion failure after JDK-8245464 + [backport] 8245812: Shenandoah: compute root phase parallelism + [backport] 8245814: Shenandoah: reconsider format specifiers for stats + [backport] 8245825: Shenandoah: Remove diagnostic flag ShenandoahConcurrentScanCodeRoots + [backport] 8246162: Shenandoah: full GC does not mark code roots when class unloading is off + [backport] 8247310: Shenandoah: pacer should not affect interrupt status + [backport] 8247358: Shenandoah: reconsider free budget slice for marking + [backport] 8247367: Shenandoah: pacer should wait on lock instead of exponential backoff + [backport] 8247474: Shenandoah: Windows build warning after JDK-8247310 + [backport] 8247560: Shenandoah: heap iteration holds root locks all the time + [backport] 8247593: Shenandoah: should not block pacing reporters + [backport] 8247751: Shenandoah: options tests should run with smaller heaps + [backport] 8247754: Shenandoah: mxbeans tests can be shorter + [backport] 8247757: Shenandoah: split heavy tests by heuristics to improve parallelism + [backport] 8247860: Shenandoah: add update watermark line in rich assert failure message + [backport] 8248041: Shenandoah: pre-Full GC root updates may miss some roots + [backport] 8248652: Shenandoah: SATB buffer handling may assume no forwarded objects + [backport] 8249560: Shenandoah: Fix racy GC request handling + [backport] 8249649: Shenandoah: provide per-cycle pacing stats + [backport] 8249801: Shenandoah: Clear soft-refs on requested GC cycle + [backport] 8249953: Shenandoah: gc/shenandoah/mxbeans tests should account for corner cases + Fix slowdebug build after JDK-8230853 backport + JDK-8252096: Shenandoah: adjust SerialPageShiftCount for x86_32 and JFR + JDK-8252366: Shenandoah: revert/cleanup changes in graphKit.cpp + Shenandoah: add JFR roots to root processor after JFR integration + Shenandoah: add root statistics for string dedup table/queues + Shenandoah: enable low-frequency STW class unloading + Shenandoah: fix build failures after JDK-8244737 backport + Shenandoah: Fix build failure with +JFR -PCH + Shenandoah: fix forceful pacer claim + Shenandoah: fix formats in ShenandoahStringSymbolTableUnlinkTask + Shenandoah: fix runtime linking failure due to non-compiled shenandoahBarrierSetC1 + Shenandoah: hook statistics printing to PrintGCDetails, not PrintGC + Shenandoah: JNI weak roots are always cleared before Full GC mark + Shenandoah: missing SystemDictionary roots in ShenandoahHeapIterationRootScanner + Shenandoah: move barrier sets to their proper locations + Shenandoah: move parallelCleaning.* to shenandoah/ + Shenandoah: pacer should use proper Atomics for intptr_t + Shenandoah: properly deallocates class loader metadata + Shenandoah: specialize String Table scans for better pause performance + Shenandoah: Zero build fails after recent Atomic cleanup in Pacer * AArch64 port + JDK-8161072, PR3797: AArch64: jtreg compiler/uncommontrap/TestDeoptOOM failure + JDK-8171537, PR3797: aarch64: compiler/c1/Test6849574.java generates guarantee failure in C1 + JDK-8183925, PR3797: [AArch64] Decouple crash protection from watcher thread + JDK-8199712, PR3797: [AArch64] Flight Recorder + JDK-8203481, PR3797: Incorrect constraint for unextended_sp in frame:safe_for_sender + JDK-8203699, PR3797: java/lang/invoke/SpecialInterfaceCall fails with SIGILL on aarch64 + JDK-8209413, PR3797: AArch64: NPE in clhsdb jstack command + JDK-8215961, PR3797: jdk/jfr/event/os/TestCPUInformation.java fails on AArch64 + JDK-8216989, PR3797: CardTableBarrierSetAssembler::gen_write_ref_array_post_barrier() does not check for zero length on AARCH64 + JDK-8217368, PR3797: AArch64: C2 recursive stack locking optimisation not triggered + JDK-8221658, PR3797: aarch64: add necessary predicate for ubfx patterns + JDK-8237512, PR3797: AArch64: aarch64TestHook leaks a BufferBlob + JDK-8246482, PR3797: Build failures with +JFR -PCH + JDK-8247979, PR3797: aarch64: missing side effect of killing flags for clearArray_reg_reg + JDK-8248219, PR3797: aarch64: missing memory barrier in fast_storefield and fast_accessfield ----------------------------------------- Patch: SUSE-2020-3462 Released: Fri Nov 20 13:14:35 2020 Summary: Recommended update for pam and sudo Severity: moderate References: 1174593,1177858,1178727 Description: This update for pam and sudo fixes the following issue: pam: - pam_xauth: do not *free* a string which has been successfully passed to *putenv*. (bsc#1177858) - Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727) - Run /usr/bin/xauth using the old user's and group's identifiers. (bsc#1174593) sudo: - Fix a problem with pam_xauth which checks effective and real uids to get the real identity of the user. (bsc#1174593) ----------------------------------------- Patch: SUSE-2020-3463 Released: Fri Nov 20 13:49:58 2020 Summary: Security update for postgresql12 Severity: important References: 1178666,1178667,1178668,CVE-2020-25694,CVE-2020-25695,CVE-2020-25696 Description: This update for postgresql12 fixes the following issues: - Upgrade to version 12.5: * CVE-2020-25695, bsc#1178666: Block DECLARE CURSOR ... WITH HOLD and firing of deferred triggers within index expressions and materialized view queries. * CVE-2020-25694, bsc#1178667: a) Fix usage of complex connection-string parameters in pg_dump, pg_restore, clusterdb, reindexdb, and vacuumdb. b) When psql's \connect command re-uses connection parameters, ensure that all non-overridden parameters from a previous connection string are re-used. * CVE-2020-25696, bsc#1178668: Prevent psql's \gset command from modifying specially-treated variables. * Fix recently-added timetz test case so it works when the USA is not observing daylight savings time. * https://www.postgresql.org/about/news/2111/ * https://www.postgresql.org/docs/12/release-12-5.html - Stop building the mini and lib packages as they are now coming from postgresql13. ----------------------------------------- Patch: SUSE-2020-3470 Released: Fri Nov 20 17:42:57 2020 Summary: Recommended update for monitoring-plugins Severity: moderate References: 1175828 Description: This update for monitoring-plugins fixes the following issues: - Fixed a bug for hosts, that ran out of swap memory and reported 'ok' when running monitoring-plugins with '-n ok'. (bsc#1175828) ----------------------------------------- Patch: SUSE-2020-3471 Released: Fri Nov 20 17:43:45 2020 Summary: Optional update for brp-check-suse Severity: low References: 1074711 Description: This update for brp-check-suse doesn't fix any runtime specific errors, but improves the packaging related build procedure (bsc#1074711) ----------------------------------------- Patch: SUSE-2020-3478 Released: Mon Nov 23 09:33:17 2020 Summary: Security update for c-ares Severity: moderate References: 1178882,CVE-2020-8277 Description: This update for c-ares fixes the following issues: - Version update to 1.17.0 * CVE-2020-8277: Fixed a Denial of Service through DNS request (bsc#1178882) * For further details see https://c-ares.haxx.se/changelog.html ----------------------------------------- Patch: SUSE-2020-3480 Released: Mon Nov 23 10:34:36 2020 Summary: Security update for dash Severity: moderate References: 1178978 Description: This update for dash fixes the following issues: - Fixed an issue where code was executed even if noexec ('-n') was specified (bsc#1178978). ----------------------------------------- Patch: SUSE-2020-3481 Released: Mon Nov 23 11:17:09 2020 Summary: Optional update for vim Severity: low References: 1166602,1173256,1174564,1176549 Description: This update for vim doesn't fix any user visible issues and it is optional to install. - Introduce vim-small package with reduced requirements for small installations (bsc#1166602). - Stop owning /etc/vimrc so the old, distro provided config actually gets removed. - Own some dirs in vim-data-common so installation of vim-small doesn't leave not owned directories. (bsc#1173256) - Add vi as slave to update-alternatives so that every package has a matching 'vi' symlink. (bsc#1174564, bsc#1176549) ----------------------------------------- Patch: SUSE-2020-3495 Released: Tue Nov 24 06:22:06 2020 Summary: Optional update for ec2-instance-connect Severity: low References: 1131916,1152806 Description: This patch ships the package ec2-instance-connect for the first time. It enables support for the AWS EC2 instance connect. ----------------------------------------- Patch: SUSE-2020-3500 Released: Tue Nov 24 13:49:59 2020 Summary: Security update for mariadb Severity: moderate References: 1175596,1177472,1178428,CVE-2020-14765,CVE-2020-14776,CVE-2020-14789,CVE-2020-14812,CVE-2020-15180 Description: This update for mariadb and mariadb-connector-c fixes the following issues: - Update mariadb to 10.2.36 GA [bsc#1177472, bsc#1178428] fixing for the following security vulnerabilities: CVE-2020-14812, CVE-2020-14765, CVE-2020-14776, CVE-2020-14789 CVE-2020-15180 - Update mariadb-connector-c to 3.1.11 [bsc#1177472 and bsc#1178428] ----------------------------------------- Patch: SUSE-2020-3525 Released: Wed Nov 25 17:00:31 2020 Summary: Recommended update for ucode-intel Severity: important References: 1178971 Description: This update for ucode-intel fixes the following issues: - Updated Intel CPU Microcode to 20201118 official release. (bsc#1178971) - Removed TGL/06-8c-01/80 due to functional issues with some OEM platforms. ----------------------------------------- Patch: SUSE-2020-3535 Released: Thu Nov 26 15:14:08 2020 Summary: Recommended update for python-kiwi Severity: moderate References: 1170863,1175729,1176129,1176134,1176977 Description: This update for python-kiwi fixes the following issues: Update from version 9.21.7 to version 9.21.23 - Do not exclude filesystem folders in OCI images. (bsc#1176129) This commit does not exclude filesystem folders during the rsync call in OCI images. It has been noted that including an empty /dev folder does not hurt and it can eventually help to work around some limitations of container related tools such as buildah. - Fix/Refactor s390 support (bsc#1170863, bsc#1176977, bsc#1170863,bsc#1175729, bsc#1176134) - On s390 the boot process is based on zipl which boots into an initrd from which a userspace grub process is started to support the grub capabilities. The implementation of this concept is provided via the grub2-s390x-emu package. Once installed the setup of the bootloader is done via the grub2-mkconfig and grub2-install commands and therefore from a caller perspective the same as with any other grub2 setup process. For kiwi this means no extra zipl bootloader target code is needed. Therefore this commit deletes the zipl setup from kiwi and puts on the standard grub2 process. - To support different targettypes the grub2-s390x-emu provided zipl template must be adapted. Parts of the former zipl bootloader setup therefore now applies to an update of the zipl2grub template file - Support for CDL/LDL DASD targets has been disabled in the schema When testing 4k devices and a respective zipl2grub template setup for CDL/LDL targettype it has turned out that grub2-install is not able to run on such a device. My assumption is that the device code in grub2-install does not work for 4k devices with an fdasd created partition table. As this needs further investigations and most probably adaptions on the grub toolchain for s390, we disabled the setup of these modes for now. emulated DASD (FBA) and SCSI targets stays supported. - Fix compat link for rpmdb location Fix the symlink creation for `/var/lib/rpm`. More specific or derived container images in which the base root tree already included the `/var/lib/rpm` the link, the `ln` command was creating a symlink inside the `/var/lib/rpm` folder given that it was following the already existing symlink. Adding the `--no-target-directory` force `ln` command to treat `/var/lib/rpm` path as the fully qualified symlink name. - Fixed s390/sle15 Virtual disk integration test The integration test used FBA mode as target. As the target is expected to be KVM this is the wrong setting. SCSI should be used instead. - Support dynamic linux/linuxefi in any case Instead of restricting the dynamic linux vs. linuxefi setup to a specific grub version, support this setup for any version of grub. ----------------------------------------- Patch: SUSE-2020-3547 Released: Fri Nov 27 11:21:56 2020 Summary: Recommended update for xrdp Severity: moderate References: Description: This update for xrdp fixes the following issues: - Introduce more buffer protection fixes (jsc#SLE-11518): - Address memory allocation overflow security issues - Remove unnecessary g_malloc() call - Add checks to prevent buffer overruns during data chunk re-assembly ----------------------------------------- Patch: SUSE-2020-3551 Released: Fri Nov 27 14:54:37 2020 Summary: Security update for libssh2_org Severity: moderate References: 1130103,1178083,CVE-2019-17498,CVE-2019-3855,CVE-2019-3856,CVE-2019-3857,CVE-2019-3858,CVE-2019-3859,CVE-2019-3860,CVE-2019-3861,CVE-2019-3862,CVE-2019-3863 Description: This update for libssh2_org fixes the following issues: - Version update to 1.9.0: [bsc#1178083, jsc#SLE-16922] Enhancements and bugfixes: * adds ECDSA keys and host key support when using OpenSSL * adds ED25519 key and host key support when using OpenSSL 1.1.1 * adds OpenSSH style key file reading * adds AES CTR mode support when using WinCNG * adds PEM passphrase protected file support for Libgcrypt and WinCNG * adds SHA256 hostkey fingerprint * adds libssh2_agent_get_identity_path() and libssh2_agent_set_identity_path() * adds explicit zeroing of sensitive data in memory * adds additional bounds checks to network buffer reads * adds the ability to use the server default permissions when creating sftp directories * adds support for building with OpenSSL no engine flag * adds support for building with LibreSSL * increased sftp packet size to 256k * fixed oversized packet handling in sftp * fixed building with OpenSSL 1.1 * fixed a possible crash if sftp stat gets an unexpected response * fixed incorrect parsing of the KEX preference string value * fixed conditional RSA and AES-CTR support * fixed a small memory leak during the key exchange process * fixed a possible memory leak of the ssh banner string * fixed various small memory leaks in the backends * fixed possible out of bounds read when parsing public keys from the server * fixed possible out of bounds read when parsing invalid PEM files * no longer null terminates the scp remote exec command * now handle errors when diffie hellman key pair generation fails * improved building instructions * improved unit tests - Version update to 1.8.2: [bsc#1130103] Bug fixes: * Fixed the misapplied userauth patch that broke 1.8.1 * moved the MAX size declarations from the public header ----------------------------------------- Patch: SUSE-2020-3561 Released: Mon Nov 30 13:18:20 2020 Summary: Optional update for kubernetes1.18 Severity: low References: Description: This patch provides the Kubernetes client at version 1.18.10. ----------------------------------------- Patch: SUSE-2020-3568 Released: Mon Nov 30 16:58:38 2020 Summary: Security update for mutt Severity: important References: 1179035,1179113,CVE-2020-28896 Description: This update for mutt fixes the following issues: - CVE-2020-28896: incomplete connection termination could lead to sending credentials over unencrypted connections (bsc#1179035) - Avoid that message with a million tiny parts can freeze MUA for several minutes (bsc#1179113) ----------------------------------------- Patch: SUSE-2020-3576 Released: Tue Dec 1 09:34:12 2020 Summary: Recommended update for lifecycle-data-sle-module-live-patching Severity: moderate References: 1020320 Description: This update for lifecycle-data-sle-module-live-patching fixes the following issues: - Added data for the live patches 4_12_14-197_61, 4_12_14-197_64, 4_12_14-197_67, 5_3_18-24_24, 5_3_18-24_29, 5_3_18-24_34, 5_3_18-24_37. (bsc#1020320) ----------------------------------------- Patch: SUSE-2020-3578 Released: Tue Dec 1 10:33:36 2020 Summary: Recommended update for bcache-tools Severity: moderate References: 1178725 Description: This update for bcache-tools fixes the following issues: - Install *bcache-status*. (jsc#SLE-9807, bsc#1178725) - Add *_sbindir/bcache-status* for the new added *bcache-status* python script. (jsc#SLE-9807, bsc#1178725) ----------------------------------------- Patch: SUSE-2020-3588 Released: Tue Dec 1 16:31:58 2020 Summary: Security update for xorg-x11-server Severity: important References: 1174908,1177596,CVE-2020-14360,CVE-2020-25712 Description: This update for xorg-x11-server fixes the following issues: - CVE-2020-25712: Fixed a heap-based buffer overflow which could have led to privilege escalation (bsc#1177596). - CVE-2020-14360: Fixed an out of bounds memory accesses on too short request which could lead to denial of service (bsc#1174908). ----------------------------------------- Patch: SUSE-2020-3590 Released: Tue Dec 1 18:09:24 2020 Summary: Recommended update for hawk2 Severity: moderate References: 1163381 Description: This update for hawk2 fixes the following issues: - Update from version 2.1.2+git.1594886920.d00b94aa to version 2.2.0+git.1603969748.10468582: - Fix server error after authentication if a resource has the same name as a node (bsc#1163381) - Allow also users in haclient to view history explorer (jsc#SLE-7358) ----------------------------------------- Patch: SUSE-2020-3591 Released: Wed Dec 2 09:58:31 2020 Summary: Security update for java-1_8_0-openjdk Severity: important References: 1179441 Description: This update for java-1_8_0-openjdk fixes the following issues: - Update to version jdk8u275 (icedtea 3.17.1) * JDK-8214440, bsc#1179441: Fix StartTLS functionality that was broken in openjdk272. (bsc#1179441) * JDK-8223940: Private key not supported by chosen signature algorithm * JDK-8236512: PKCS11 Connection closed after Cipher.doFinal and NoPadding * JDK-8250861: Crash in MinINode::Ideal(PhaseGVN*, bool) * PR3815: Fix new s390 size_t issue in g1ConcurrentMarkObjArrayProcessor.cpp ----------------------------------------- Patch: SUSE-2020-3592 Released: Wed Dec 2 10:31:34 2020 Summary: Security update for python-cryptography Severity: moderate References: 1178168,CVE-2020-25659 Description: This update for python-cryptography fixes the following issues: - CVE-2020-25659: Attempted to mitigate Bleichenbacher attacks on RSA decryption (bsc#1178168). ----------------------------------------- Patch: SUSE-2020-3603 Released: Wed Dec 2 15:11:46 2020 Summary: Recommended update for lifecycle-data-sle-module-development-tools Severity: moderate References: Description: This update for lifecycle-data-sle-module-development-tools fixes the following issues: - Added expiration data for the GCC 9 yearly update for the Toolchain/Development modules. (jsc#ECO-2373, jsc#SLE-10950, jsc#SLE-10951) ----------------------------------------- Patch: SUSE-2020-3608 Released: Wed Dec 2 18:16:12 2020 Summary: Recommended update for cloud-init Severity: important References: 1177526,1179150,1179151 Description: This update for cloud-init contains the following fixes: - Add cloud-init-azure-def-usr-pass.patch (bsc#1179150, bsc#1179151) + Properly set the password for the default user in all circumstances - Patch the full package version into the cloud-init version file - Update cloud-init-write-routes.patch (bsc#1177526) + Fix missing default route when dual stack network setup is used. Once a default route was configured for Ipv6 or IPv4 the default route configuration for the othre protocol was skipped. ----------------------------------------- Patch: SUSE-2020-3613 Released: Thu Dec 3 09:34:21 2020 Summary: Security update for rpmlint Severity: moderate References: 1169614 Description: This update for rpmlint fixes the following issues: - Whitelist PAM modules and DBUS rules for cockpit (bsc#1169614) ----------------------------------------- Patch: SUSE-2020-3616 Released: Thu Dec 3 10:56:12 2020 Summary: Recommended update for c-ares Severity: moderate References: 1178882 Description: - Fixed incomplete c-ares-devel dependencies introduced by the privous update (bsc#1178882). ----------------------------------------- Patch: SUSE-2020-3620 Released: Thu Dec 3 17:03:55 2020 Summary: Recommended update for pam Severity: moderate References: Description: This update for pam fixes the following issues: - Check if the password is part of the username. (jsc#SLE-16719, jsc#SLE-16720) - Check whether the password contains a substring of of the user's name of at least `` characters length in some form. This is enabled by the new parameter `usersubstr=` ----------------------------------------- Patch: SUSE-2020-3633 Released: Mon Dec 7 11:51:47 2020 Summary: Recommended update for mutt Severity: important References: 1179461 Description: This update for mutt fixes the following issue: - Find and display the content of messages properly. (bsc#1179461) ----------------------------------------- Patch: SUSE-2020-3640 Released: Mon Dec 7 13:24:41 2020 Summary: Recommended update for binutils Severity: important References: 1179036,1179341 Description: This update for binutils fixes the following issues: Update binutils 2.35 branch to commit 1c5243df: * Fixes PR26520, aka [bsc#1179036], a problem in addr2line with certain DWARF variable descriptions. * Also fixes PR26711, PR26656, PR26655, PR26929, PR26808, PR25878, PR26740, PR26778, PR26763, PR26685, PR26699, PR26902, PR26869, PR26711 * The above includes fixes for dwo files produced by modern dwp, fixing several problems in the DWARF reader. Update binutils to 2.35.1 and rebased branch diff: * This is a point release over the previous 2.35 version, containing bug fixes, and as an exception to the usual rule, one new feature. The new feature is the support for a new directive in the assembler: '.nop'. This directive creates a single no-op instruction in whatever encoding is correct for the target architecture. Unlike the .space or .fill this is a real instruction, and it does affect the generation of DWARF line number tables, should they be enabled. This fixes an incompatibility introduced in the latest update that broke the install scripts of the Oracle server. [bsc#1179341] ----------------------------------------- Patch: SUSE-2020-3703 Released: Mon Dec 7 20:17:32 2020 Summary: Recommended update for aaa_base Severity: moderate References: 1179431 Description: This update for aaa_base fixes the following issue: - Avoid semicolon within (t)csh login script on S/390. (bsc#1179431) ----------------------------------------- Patch: SUSE-2020-3708 Released: Tue Dec 8 10:22:36 2020 Summary: Recommended update for python-shaptools, salt-shaptools Severity: moderate References: Description: This update for python-shaptools, salt-shaptools fixes the following issues: python-shaptools: Update from version 0.3.10+git.1600699158.46fca28 to version 0.3.11+git.1605798399.b036435 - Retrieve the currently installed ENSA version for Netweaver (only for ASCS and ERS instances). (jsc#SLE-4047) salt-shaptools: Update from version 0.3.10+git.1600699854.f5950bc to version 0.3.11+git.1605797958.ae2f08a - Improve extract_pydbapi to check recursively in subfolders (jsc#SLE-4047) - Implement a new state to set the ENSA version grains data ----------------------------------------- Patch: SUSE-2020-3731 Released: Wed Dec 9 15:52:32 2020 Summary: Recommended update for realmd Severity: moderate References: 1175617 Description: This update for realmd fixes the following issues: - Fix the `Name Service Switch` (`nsswitch`) handling when joining and leaving a domain. (bsc#1175617) ----------------------------------------- Patch: SUSE-2020-3737 Released: Wed Dec 9 18:21:04 2020 Summary: Security update for python-pip, python-scripttest Severity: moderate References: 1175297,1176262,CVE-2019-20916 Description: This update for python-pip, python-scripttest fixes the following issues: - Update in SLE-15 (bsc#1175297, jsc#ECO-3035, jsc#PM-2318) python-pip was updated to 20.0.2: * Fix a regression in generation of compatibility tags * Rename an internal module, to avoid ImportErrors due to improper uninstallation * Switch to a dedicated CLI tool for vendoring dependencies. * Remove wheel tag calculation from pip and use packaging.tags. This should provide more tags ordered better than in prior releases. * Deprecate setup.py-based builds that do not generate an .egg-info directory. * The pip>=20 wheel cache is not retro-compatible with previous versions. Until pip 21.0, pip will continue to take advantage of existing legacy cache entries. * Deprecate undocumented --skip-requirements-regex option. * Deprecate passing install-location-related options via --install-option. * Use literal 'abi3' for wheel tag on CPython 3.x, to align with PEP 384 which only defines it for this platform. * Remove interpreter-specific major version tag e.g. cp3-none-any from consideration. This behavior was not documented strictly, and this tag in particular is not useful. Anyone with a use case can create an issue with pypa/packaging. * Wheel processing no longer permits wheels containing more than one top-level .dist-info directory. * Support for the git+git@ form of VCS requirement is being deprecated and will be removed in pip 21.0. Switch to git+https:// or git+ssh://. git+git:// also works but its use is discouraged as it is insecure. * Default to doing a user install (as if --user was passed) when the main site-packages directory is not writeable and user site-packages are enabled. * Warn if a path in PATH starts with tilde during pip install. * Cache wheels built from Git requirements that are considered immutable, because they point to a commit hash. * Add option --no-python-version-warning to silence warnings related to deprecation of Python versions. * Cache wheels that pip wheel built locally, matching what pip install does. This particularly helps performance in workflows where pip wheel is used for building before installing. Users desiring the original behavior can use pip wheel --no-cache-dir * Display CA information in pip debug. * Show only the filename (instead of full URL), when downloading from PyPI. * Suggest a more robust command to upgrade pip itself to avoid confusion when the current pip command is not available as pip. * Define all old pip console script entrypoints to prevent import issues in stale wrapper scripts. * The build step of pip wheel now builds all wheels to a cache first, then copies them to the wheel directory all at once. Before, it built them to a temporary directory and moved them to the wheel directory one by one. * Expand ~ prefix to user directory in path options, configs, and environment variables. Values that may be either URL or path are not currently supported, to avoid ambiguity: --find-links --constraint, -c --requirement, -r --editable, -e * Correctly handle system site-packages, in virtual environments created with venv (PEP 405). * Fix case sensitive comparison of pip freeze when used with -r option. * Enforce PEP 508 requirement format in pyproject.toml build-system.requires. * Make ensure_dir() also ignore ENOTEMPTY as seen on Windows. * Fix building packages which specify backend-path in pyproject.toml. * Do not attempt to run setup.py clean after a pep517 build error, since a setup.py may not exist in that case. * Fix passwords being visible in the index-url in 'Downloading ' message. * Change method from shutil.remove to shutil.rmtree in noxfile.py. * Skip running tests which require subversion, when svn isn't installed * Fix not sending client certificates when using --trusted-host. * Make sure pip wheel never outputs pure python wheels with a python implementation tag. Better fix/workaround for #3025 by using a per-implementation wheel cache instead of caching pure python wheels with an implementation tag in their name. * Include subdirectory URL fragments in cache keys. * Fix typo in warning message when any of --build-option, --global-option and --install-option is used in requirements.txt * Fix the logging of cached HTTP response shown as downloading. * Effectively disable the wheel cache when it is not writable, as is the case with the http cache. * Correctly handle relative cache directory provided via --cache-dir. ----------------------------------------- Patch: SUSE-2020-3744 Released: Thu Dec 10 11:32:41 2020 Summary: Recommended update for enigmail Severity: moderate References: 1179505 Description: This update for enigmail fixes the following issues: Update from version 2.1.5 to version 2.2.4 - Enigmail version 2.2.x is a specially modified version, which only works with Thunderbird 78 and later version. Enigmail 2.2.x doesn't provide the traditional functionality, rather it exists to help you migrate your keys and settings to Thunderbird 78. Fixes included from version 2.1.5 to 2.1.8: - 'Encrypt to key' action destroys PGP/MIME signature. - Filter fails silently on Enigmail's 'Encrypt to key' action. - Disable autocrypt header on custom sender address. - `VKS` keyserver with custom port cannot be accessed. - Thunderbird dies immediately when sending a signed empty-bodied mail. - Decrypted mail has empty `Content-Type` in the `MIME` part. - Improper `Content-Type` setting for keyserver upload. - Display information about Thunderbird 78. - Minor rendering problem with `Deep Dark` theme. - Setup Wizard gets Stuck if Keys in GnuPG available. - Cannot confirm publish GnuPG key on `WKS` server. - Automatic Key Refresh doesn't work with `keys.openpgp.org`. - Per-recipients rule `set enigmail rules for` field unable to edit. - File names of attachments are not encrypted. ----------------------------------------- Patch: SUSE-2020-3749 Released: Thu Dec 10 14:39:28 2020 Summary: Security update for gcc7 Severity: moderate References: 1150164,1161913,1167939,1172798,1178577,1178614,1178624,1178675,CVE-2020-13844 Description: This update for gcc7 fixes the following issues: - CVE-2020-13844: Added mitigation for aarch64 Straight Line Speculation issue (bsc#1172798) - Enable fortran for the nvptx offload compiler. - Update README.First-for.SuSE.packagers - avoid assembler errors with AVX512 gather and scatter instructions when using -masm=intel. - Backport the aarch64 -moutline-atomics feature and accumulated fixes but not its default enabling. [jsc#SLE-12209, bsc#1167939] - Fixed 32bit libgnat.so link. [bsc#1178675] - Fixed memcpy miscompilation on aarch64. [bsc#1178624, bsc#1178577] - Fixed debug line info for try/catch. [bsc#1178614] - Remove -mbranch-protection=standard (aarch64 flag) when gcc7 is used to build gcc7 (ie when ada is enabled) - Fixed corruption of pass private ->aux via DF. [gcc#94148] - Fixed debug information issue with inlined functions and passed by reference arguments. [gcc#93888] - Fixed binutils release date detection issue. - Fixed register allocation issue with exception handling code on s390x. [bsc#1161913] - Fixed miscompilation of some atomic code on aarch64. [bsc#1150164] ----------------------------------------- Patch: SUSE-2020-3762 Released: Fri Dec 11 14:12:48 2020 Summary: Security update for openssl-1_0_0 Severity: important References: 1155346,1176029,1177479,1177575,1177673,1177793,1179491,CVE-2020-1971 Description: This update for openssl-1_0_0 fixes the following issues: - CVE-2020-1971: Fixed a null pointer dereference in EDIPARTYNAME (bsc#1179491). - Initialized dh->nid to NID_undef in DH_new_method() (bsc#1177673). - Fixed a test failure in apache_ssl in fips mode (bsc#1177793). - Renamed BN_get_rfc3526_prime_* functions back to get_rfc3526_prime_* (bsc#1177575). - Restored private key check in EC_KEY_check_key (bsc#1177479). - Added shared secret KAT to FIPS DH selftest (bsc#1176029). - Included ECDH/DH Requirements from SP800-56Arev3 (bsc#1176029). - Used SHA-2 in the RSA pairwise consistency check (bsc#1155346) ----------------------------------------- Patch: SUSE-2020-3772 Released: Mon Dec 14 11:11:29 2020 Summary: Recommended update for hamcrest Severity: moderate References: 1174544 Description: This update for hamcrest fixes the following issue: - Add obsoletes in the core API to solve conflicts during updates. (bsc#1174544) ----------------------------------------- Patch: SUSE-2020-3773 Released: Mon Dec 14 11:12:18 2020 Summary: Recommended update for cdrtools and schily-libs Severity: moderate References: 1178692 Description: This update for cdrtools and schily-libs fixes the following issues: cdrtools: - Initialize memory that created the partition table instead of writing random bytes to it. (bsc#1178692) schily-libs: - Initialize memory that created the partition table instead of writing random bytes to it. (bsc#1178692) ----------------------------------------- Patch: SUSE-2020-3790 Released: Mon Dec 14 15:01:22 2020 Summary: Security update for clamav Severity: moderate References: 1104457,1118459,1130721,1144504,1149458,1157763,CVE-2019-12625,CVE-2019-12900,CVE-2019-15961,CVE-2019-1785,CVE-2019-1786,CVE-2019-1787,CVE-2019-1788,CVE-2019-1789,CVE-2019-1798,CVE-2020-3123,CVE-2020-3327,CVE-2020-3341,CVE-2020-3350,CVE-2020-3481 Description: This update for clamav fixes the following issues: clamav was updated to the new major release 0.103.0. (jsc#ECO-3010,bsc#1118459) Note that libclamav was changed incompatible, if you have a 3rd party application that uses libclamav, it needs to be rebuilt. Update to 0.103.0 * clamd can now reload the signature database without blocking scanning. This multi-threaded database reload improvement was made possible thanks to a community effort. - Non-blocking database reloads are now the default behavior. Some systems that are more constrained on RAM may need to disable non-blocking reloads as it will temporarily consume two times as much memory. We added a new clamd config option ConcurrentDatabaseReload, which may be set to no. * Fix clamav-milter.service (requires clamd.service to run) Update to 0.102.4 * CVE-2020-3350: Fix a vulnerability wherein a malicious user could replace a scan target's directory with a symlink to another path to trick clamscan, clamdscan, or clamonacc into removing or moving a different file (eg. a critical system file). The issue would affect users that use the --move or --remove options for clamscan, clamdscan, and clamonacc. * CVE-2020-3327: Fix a vulnerability in the ARJ archive parsing module in ClamAV 0.102.3 that could cause a Denial-of-Service (DoS) condition. Improper bounds checking results in an out-of-bounds read which could cause a crash. The previous fix for this CVE in 0.102.3 was incomplete. This fix correctly resolves the issue. * CVE-2020-3481: Fix a vulnerability in the EGG archive module in ClamAV 0.102.0 - 0.102.3 could cause a Denial-of-Service (DoS) condition. Improper error handling may result in a crash due to a NULL pointer dereference. This vulnerability is mitigated for those using the official ClamAV signature databases because the file type signatures in daily.cvd will not enable the EGG archive parser in versions affected by the vulnerability. Update to 0.102.3 * CVE-2020-3327: Fix a vulnerability in the ARJ archive parsing module in ClamAV 0.102.2 that could cause a Denial-of-Service (DoS) condition. Improper bounds checking of an unsigned variable results in an out-of-bounds read which causes a crash. * CVE-2020-3341: Fix a vulnerability in the PDF parsing module in ClamAV 0.101 - 0.102.2 that could cause a Denial-of-Service (DoS) condition. Improper size checking of a buffer used to initialize AES decryption routines results in an out-of-bounds read which may cause a crash. * Fix 'Attempt to allocate 0 bytes' error when parsing some PDF documents. * Fix a couple of minor memory leaks. * Updated libclamunrar to UnRAR 5.9.2. Update to 0.102.2: * CVE-2020-3123: A denial-of-service (DoS) condition may occur when using the optional credit card data-loss-prevention (DLP) feature. Improper bounds checking of an unsigned variable resulted in an out-of-bounds read, which causes a crash. * Significantly improved the scan speed of PDF files on Windows. * Re-applied a fix to alleviate file access issues when scanning RAR files in downstream projects that use libclamav where the scanning engine is operating in a low-privilege process. This bug was originally fixed in 0.101.2 and the fix was mistakenly omitted from 0.102.0. * Fixed an issue where freshclam failed to update if the database version downloaded is one version older than advertised. This situation may occur after a new database version is published. The issue affected users downloading the whole CVD database file. * Changed the default freshclam ReceiveTimeout setting to 0 (infinite). The ReceiveTimeout had caused needless database update failures for users with slower internet connections. * Correctly display the number of kilobytes (KiB) in progress bar and reduced the size of the progress bar to accommodate 80-character width terminals. * Fixed an issue where running freshclam manually causes a daemonized freshclam process to fail when it updates because the manual instance deletes the temporary download directory. The freshclam temporary files will now download to a unique directory created at the time of an update instead of using a hardcoded directory created/destroyed at the program start/exit. * Fix for freshclam's OnOutdatedExecute config option. * Fixes a memory leak in the error condition handling for the email parser. * Improved bound checking and error handling in ARJ archive parser. * Improved error handling in PDF parser. * Fix for memory leak in byte-compare signature handler. - The freshclam.service should not be started before the network is online (it checks for updates immediately upon service start) Update to 0.102.1: * CVE-2019-15961, bsc#1157763: A Denial-of-Service (DoS) vulnerability may occur when scanning a specially crafted email file as a result of excessively long scan times. The issue is resolved by implementing several maximums in parsing MIME messages and by optimizing use of memory allocation. * Build system fixes to build clamav-milter, to correctly link with libxml2 when detected, and to correctly detect fanotify for on-access scanning feature support. * Signature load time is significantly reduced by changing to a more efficient algorithm for loading signature patterns and allocating the AC trie. Patch courtesy of Alberto Wu. * Introduced a new configure option to statically link libjson-c with libclamav. Static linking with libjson is highly recommended to prevent crashes in applications that use libclamav alongside another JSON parsing library. * Null-dereference fix in email parser when using the --gen-json metadata option. * Fixes for Authenticode parsing and certificate signature (.crb database) bugs. Update to 0.102.0: * The On-Access Scanning feature has been migrated out of clamd and into a brand new utility named clamonacc. This utility is similar to clamdscan and clamav-milter in that it acts as a client to clamd. This separation from clamd means that clamd no longer needs to run with root privileges while scanning potentially malicious files. Instead, clamd may drop privileges to run under an account that does not have super-user. In addition to improving the security posture of running clamd with On-Access enabled, this update fixed a few outstanding defects: - On-Access scanning for created and moved files (Extra-Scanning) is fixed. - VirusEvent for On-Access scans is fixed. - With clamonacc, it is now possible to copy, move, or remove a file if the scan triggered an alert, just like with clamdscan. * The freshclam database update utility has undergone a significant update. This includes: - Added support for HTTPS. - Support for database mirrors hosted on ports other than 80. - Removal of the mirror management feature (mirrors.dat). - An all new libfreshclam library API. - created new subpackage libfreshclam2 Update to 0.101.4: * CVE-2019-12900: An out of bounds write in the NSIS bzip2 (bsc#1149458) * CVE-2019-12625: Introduce a configurable time limit to mitigate zip bomb vulnerability completely. Default is 2 minutes, configurable useing the clamscan --max-scantime and for clamd using the MaxScanTime config option (bsc#1144504) Update to version 0.101.3: * bsc#1144504: ZIP bomb causes extreme CPU spikes Update to version 0.101.2 (bsc#1130721) * CVE-2019-1787: An out-of-bounds heap read condition may occur when scanning PDF documents. The defect is a failure to correctly keep track of the number of bytes remaining in a buffer when indexing file data. * CVE-2019-1789: An out-of-bounds heap read condition may occur when scanning PE files (i.e. Windows EXE and DLL files) that have been packed using Aspack as a result of inadequate bound-checking. * CVE-2019-1788: An out-of-bounds heap write condition may occur when scanning OLE2 files such as Microsoft Office 97-2003 documents. The invalid write happens when an invalid pointer is mistakenly used to initialize a 32bit integer to zero. This is likely to crash the application. * CVE-2019-1786: An out-of-bounds heap read condition may occur when scanning malformed PDF documents as a result of improper bounds-checking. * CVE-2019-1785: A path-traversal write condition may occur as a result of improper input validation when scanning RAR archives. * CVE-2019-1798: A use-after-free condition may occur as a result of improper error handling when scanning nested RAR archives. ----------------------------------------- Patch: SUSE-2020-3791 Released: Mon Dec 14 17:39:19 2020 Summary: Recommended update for gzip Severity: moderate References: Description: This update for gzip fixes the following issue: - Enable `DFLTCC` (Deflate Conversion Call) compression for s390x for levels 1-6 to `CFLAGS`. (jsc#SLE-13775) Enable by adding `-DDFLTCC_LEVEL_MASK=0x7e` to `CFLAGS`. ----------------------------------------- Patch: SUSE-2020-3793 Released: Mon Dec 14 17:39:29 2020 Summary: Recommended update for sblim-sfcb Severity: moderate References: 1178415 Description: This update for sblim-sfcb fixes the following issues: - Allow older SSL protocols to be disabled. - Add a configuration option `sslNoTLSv1_1` to optionally disable `TLSv1.1.` (bsc#1178415) When the protocol version is disabled, the connection will fail and the error will be recorded in the logs. ----------------------------------------- Patch: SUSE-2020-3795 Released: Mon Dec 14 17:43:26 2020 Summary: Optional update for systemd-rpm-macros Severity: low References: 1059627,1178481,1179020 Description: This update for systemd-rpm-macros fixes the following issues: - Deprecate '-f'/'-n' options When used with %service_del_preun, support for these options will be dropped as DISABLE_STOP_ON_REMOVAL support will be removed on the next version of SLE (jsc#SLE-8968) When used with %service_del_postun, they should be replaced with their counterpart %service_del_postun_with_restart/%service_del_postun_without_restart - Introduced %service_del_postun_with_restart() It's the counterpart of %service_del_postun_without_restart() and replaces the '-f' option of %service_del_postun(). - Does no longer apply presets when migrating from a disabled initscript (bsc#1178481) - Fix importing of %{_unitdir} ----------------------------------------- Patch: SUSE-2020-3619 Released: Tue Dec 15 13:41:16 2020 Summary: Recommended update for cloud-netconfig, google-guest-agent Severity: moderate References: 1159460,1178486,1179031,1179032 Description: This update for cloud-netconfig, google-guest-agent fixes the following issues: cloud-netconfig: - Update to version 1.5: + Add support for GCE (bsc#1159460, bsc#1178486, jsc#ECO-2800) + Improve default gateway determination google-guest-agent: - Update to version 20201026.00 * remove old unused workflow files * fallback to IP for metadata * getPasswd: Check full prefix of line for username - dont_overwrite_ifcfg.patch: Do not overwrite existing ifcfg files to allow manual configuration and compatibility with cloud-netconfig. (bsc#1159460, bsc#1178486) - Update to version 20200929.00 * correct varname * don't call dhclient -x on network setup * add instance id dir override * update agent systemd service file * typo, change to noadjfile * add gaohannk to OWNERS * remove illfelder from OWNERS * Add all license files to packages ----------------------------------------- Patch: SUSE-2020-3812 Released: Tue Dec 15 15:23:59 2020 Summary: Recommended update for grafana-ha-cluster-dashboards Severity: moderate References: Description: This update for grafana-ha-cluster-dashboards fixes the following issue: - Update from version 1.0.3+git.1600360477.8b8f9ce to version 1.1.0+git.1605027022.a84d536 - Split the provider file to the sub-package grafana-sleha-provider ----------------------------------------- Patch: SUSE-2020-3840 Released: Wed Dec 16 10:32:03 2020 Summary: Recommended update for llvm7 Severity: moderate References: 1176964,1179155 Description: This update for llvm7 fixes the following issues: - Fix dsymutil crash on ELF file. (bsc#1176964) - Add Conflicts: clang-tools to clang7 and llvm7 packages to properly handle newer llvm versions. (bsc#1179155) ----------------------------------------- Patch: SUSE-2020-3856 Released: Wed Dec 16 17:56:03 2020 Summary: Recommended update for ucode-intel Severity: important References: 1179224 Description: This update for ucode-intel fixes the following issues: - Reverted 3 CPU microcodes back to 20200616 release level after regression reports. (bsc#1179224) - SKX-SP | H0/M0/U0 | 06-55-04/b7 | 02006906 | Xeon Scalable - SKX-D | M1 | 06-55-04/b7 | 02006906 | Xeon D-21xx - CLX-SP | B0 | 06-55-06/bf | 04002f01 | Xeon Scalable Gen2 - CLX-SP | B1 | 06-55-07/bf | 05002f01 | Xeon Scalable Gen2 ----------------------------------------- Patch: SUSE-2020-3868 Released: Thu Dec 17 12:44:47 2020 Summary: Recommended update for perl-Test-Warnings Severity: moderate References: Description: This update for perl-Test-Warnings fixes the following issues: Update from version 0.026 to version 0.030 - Fix tests that can fail when there is already an installed module named `Foo::Bar::Baz` - `report_warnings` feature, for printing all of the (unexpected) warning content when `had_no_warnings()` is called - Allow for calling `warnings->import` being called after importing the 'warnings' sub - `fail_on_warning` feature, for more easily seeing where the surprising warning appeared during testing ----------------------------------------- Patch: SUSE-2020-3901 Released: Mon Dec 21 20:07:56 2020 Summary: Security update for MozillaFirefox Severity: critical References: 1180039,CVE-2020-16042,CVE-2020-26971,CVE-2020-26973,CVE-2020-26974,CVE-2020-26978,CVE-2020-35111,CVE-2020-35112,CVE-2020-35113 Description: This update for MozillaFirefox fixes the following issues: - Firefox Extended Support Release 78.6.0 ESR * Fixed: Various stability, functionality, and security fixes MFSA 2020-55 (bsc#1180039) * CVE-2020-16042 (bmo#1679003) Operations on a BigInt could have caused uninitialized memory to be exposed * CVE-2020-26971 (bmo#1663466) Heap buffer overflow in WebGL * CVE-2020-26973 (bmo#1680084) CSS Sanitizer performed incorrect sanitization * CVE-2020-26974 (bmo#1681022) Incorrect cast of StyleGenericFlexBasis resulted in a heap use-after-free * CVE-2020-26978 (bmo#1677047) Internal network hosts could have been probed by a malicious webpage * CVE-2020-35111 (bmo#1657916) The proxy.onRequest API did not catch view-source URLs * CVE-2020-35112 (bmo#1661365) Opening an extension-less download may have inadvertently launched an executable instead * CVE-2020-35113 (bmo#1664831, bmo#1673589) Memory safety bugs fixed in Firefox 84 and Firefox ESR 78.6 ----------------------------------------- Patch: SUSE-2020-3917 Released: Tue Dec 22 14:16:53 2020 Summary: Security update for groovy Severity: moderate References: 1179729,CVE-2020-17521 Description: This update for groovy fixes the following issues: - groovy was updated to 2.4.21 - CVE-2020-17521: Fixed an information disclosure vulnerability (bsc#1179729). ----------------------------------------- Patch: SUSE-2020-3920 Released: Tue Dec 22 15:16:47 2020 Summary: Recommended update for mutt Severity: moderate References: 1179461 Description: This update for mutt fixes the following issues: - Add a further correction in for external bodies as well. (bsc#1179461) ----------------------------------------- Patch: SUSE-2020-3922 Released: Tue Dec 22 15:20:46 2020 Summary: Security update for jetty-minimal Severity: moderate References: 1179727,CVE-2020-27218 Description: This update for jetty-minimal fixes the following issues: - jetty-minimal was upgraded to version 9.4.35.v20201120 - CVE-2020-27218: Fixed an issue where buffer not correctly recycled in Gzip Request inflation (bsc#1179727). ----------------------------------------- Patch: SUSE-2020-3929 Released: Wed Dec 23 10:06:31 2020 Summary: Recommended update for lifecycle-data-sle-module-live-patching Severity: moderate References: 1020320 Description: This update for lifecycle-data-sle-module-live-patching fixes the following issue: - Added data for 4_12_14-150_63, 4_12_14-197_72, 4_12_14-197_75, 5_3_18-24_43. (bsc#1020320) ----------------------------------------- Patch: SUSE-2020-3932 Released: Wed Dec 23 18:21:59 2020 Summary: Security update for java-1_8_0-ibm Severity: moderate References: 1177943,1180063,CVE-2020-14779,CVE-2020-14781,CVE-2020-14792,CVE-2020-14796,CVE-2020-14797,CVE-2020-14798,CVE-2020-14803 Description: This update for java-1_8_0-ibm fixes the following issues: - Update to Java 8.0 Service Refresh 6 Fix Pack 20 [bsc#1180063,bsc#1177943] CVE-2020-14792 CVE-2020-14797 CVE-2020-14781 CVE-2020-14779 CVE-2020-14798 CVE-2020-14796 CVE-2020-14803 * Class libraries: - SOCKETADAPTOR$SOCKETINPUTSTREAM.READ is blocking for more time that the set timeout - Z/OS specific C function send_file is changing the file pointer position * Java Virtual Machine: - Crash on iterate java stack - Java process hang on SIGTERM * JIT Compiler: - JMS performance regression from JDK8 SR5 FP40 TO FP41 * Class Libraries: - z15 high utilization following Z/VM and Linux migration from z14 To z15 * Java Virtual Machine: - Assertion failed when trying to write a class file - Assertion failure at modronapi.cpp - Improve the performance of defining and finding classes * JIT Compiler: - An assert in ppcbinaryencoding.cpp may trigger when running with traps disabled on power - AOT field offset off by n bytes - Segmentation fault in jit module on ibm z platform ----------------------------------------- Patch: SUSE-2020-3933 Released: Thu Dec 24 12:35:40 2020 Summary: Security update for flac Severity: moderate References: 1180099,1180112,CVE-2020-0487,CVE-2020-0499 Description: This update for flac fixes the following issues: - CVE-2020-0487: Fixed a memory leak (bsc#1180112). - CVE-2020-0499: Fixed an out-of-bounds access (bsc#1180099). ----------------------------------------- Patch: SUSE-2020-3934 Released: Thu Dec 24 12:37:11 2020 Summary: Security update for openexr Severity: moderate References: 1179879,CVE-2020-16587,CVE-2020-16588,CVE-2020-16589 Description: This update for openexr fixes the following issues: Security issues fixed: - CVE-2020-16587: Fixed a heap-based buffer overflow in chunkOffsetReconstruction in ImfMultiPartInputFile.cpp (bsc#1179879). - CVE-2020-16588: Fixed a null pointer deference in generatePreview (bsc#1179879). - CVE-2020-16589: Fixed a heap-based buffer overflow in writeTileData in ImfTiledOutputFile.cpp (bsc#1179879). ----------------------------------------- Patch: SUSE-2020-3935 Released: Fri Dec 25 09:26:54 2020 Summary: Security update for MozillaThunderbird Severity: critical References: 1179530,1180039,CVE-2020-16042,CVE-2020-26970,CVE-2020-26971,CVE-2020-26973,CVE-2020-26974,CVE-2020-26978,CVE-2020-35111,CVE-2020-35112,CVE-2020-35113 Description: This update for MozillaThunderbird fixes the following issues: - Mozilla Thunderbird 78.6 * new: MailExtensions: Added browser.windows.openDefaultBrowser() (bmo#1664708) * changed: Thunderbird now only shows quota exceeded indications on the main window (bmo#1671748) * changed: MailExtensions: menus API enabled in messages being composed (bmo#1670832) * changed: MailExtensions: Honor allowScriptsToClose argument in windows.create API function (bmo#1675940) * changed: MailExtensions: APIs that returned an accountId will reflect the account the message belongs to, not what is stored in message headers (bmo#1644032) * fixed: Keyboard shortcut for toggling message 'read' status not shown in menus (bmo#1619248) * fixed: OpenPGP: After importing a secret key, Key Manager displayed properties of the wrong key (bmo#1667054) * fixed: OpenPGP: Inline PGP parsing improvements (bmo#1660041) * fixed: OpenPGP: Discovering keys online via Key Manager sometimes failed on Linux (bmo#1634053) * fixed: OpenPGP: Encrypted attachment 'Decrypt and Open/Save As' did not work (bmo#1663169) * fixed: OpenPGP: Importing keys failed on macOS (bmo#1680757) * fixed: OpenPGP: Verification of clear signed UTF-8 text failed (bmo#1679756) * fixed: Address book: Some columns incorrectly displayed no data (bmo#1631201) * fixed: Address book: The address book view did not update after changing the name format in the menu (bmo#1678555) * fixed: Calendar: Could not import an ICS file into a CalDAV calendar (bmo#1652984) * fixed: Calendar: Two 'Home' calendars were visible on a new profile (bmo#1656782) * fixed: Calendar: Dark theme was incomplete on Linux (bmo#1655543) * fixed: Dark theme did not apply to new mail notification popups (bmo#1681083) * fixed: Folder icon, message list, and contact side bar visual improvements (bmo#1679436) * fixed: MailExtensions: HTTP refresh in browser content tabs did not work (bmo#1667774) * fixed: MailExtensions: messageDisplayScripts failed to run in main window (bmo#1674932) * fixed: Various security fixes MFSA 2020-56 (bsc#1180039) * CVE-2020-16042 (bmo#1679003) Operations on a BigInt could have caused uninitialized memory to be exposed * CVE-2020-26971 (bmo#1663466) Heap buffer overflow in WebGL * CVE-2020-26973 (bmo#1680084) CSS Sanitizer performed incorrect sanitization * CVE-2020-26974 (bmo#1681022) Incorrect cast of StyleGenericFlexBasis resulted in a heap use-after-free * CVE-2020-26978 (bmo#1677047) Internal network hosts could have been probed by a malicious webpage * CVE-2020-35111 (bmo#1657916) The proxy.onRequest API did not catch view-source URLs * CVE-2020-35112 (bmo#1661365) Opening an extension-less download may have inadvertently launched an executable instead * CVE-2020-35113 (bmo#1664831, bmo#1673589) Memory safety bugs fixed in Thunderbird 78.6 Mozilla Thunderbird 78.5.1 * new: OpenPGP: Added option to disable email subject encryption (bmo#1666073) * changed: OpenPGP public key import now supports multi-file selection and bulk accepting imported keys (bmo#1665145) * changed: MailExtensions: getComposeDetails will wait for 'compose-editor-ready' event (bmo#1675012) * fixed: New mail icon was not removed from the system tray at shutdown (bmo#1664586) * fixed: 'Place replies in the folder of the message being replied to' did not work when using 'Reply to List' (bmo#522450) * fixed: Thunderbird did not honor the 'Run search on server' option when searching messages (bmo#546925) * fixed: Highlight color for folders with unread messages wasn't visible in dark theme (bmo#1676697) * fixed: OpenPGP: Key were missing from Key Manager (bmo#1674521) * fixed: OpenPGP: Option to import keys from clipboard always disabled (bmo#1676842) * fixed: The 'Link' button on the large attachments info bar failed to open up Filelink section in Options if the user had not yet configured Filelink (bmo#1677647) * fixed: Address book: Printing members of a mailing list resulted in incorrect output (bmo#1676859) * fixed: Unable to connect to LDAP servers configured with a self-signed SSL certificate (bmo#1659947) * fixed: Autoconfig via LDAP did not work as expected (bmo#1662433) * fixed: Calendar: Pressing Ctrl-Enter in the new event dialog would create duplicate events (bmo#1668478) * fixed: Various security fixes MFSA 2020-53 (bsc#1179530) * CVE-2020-26970 (bmo#1677338) Stack overflow due to incorrect parsing of SMTP server response codes ----------------------------------------- Patch: SUSE-2020-3936 Released: Fri Dec 25 09:27:40 2020 Summary: Recommended update for gdb Severity: moderate References: Description: This update for gdb fixes the following issues: * gdb powerpc remove 512 bytes region limit if 2nd dawr is avaliable (jsc#SLE-13656) Rebase to 10.1 release (as in fedora 33 @ 6c8ccd6). * Debuginfod support. * Multi-target debugging support. * Multithreaded symbol loading enabled by default. * New command set exec-file-mismatch. * New command tui new-layout. * Alias command can now specify default args for an alias. - Update libipt to v2.0.2. - Enable CTF support also for riscv64 - Add BuildRequire babeltrace-devel. On Factory this adds bdeps babeltrace-devel, libuuid-devel, babeltrace, libglib-2_0-0, and libgmodule-2_0-0. - Fix internal error on aarch64 [swo#26316]. Rebase to 9.2 release. Rebase to 9.1 release. * Breakpoints on nested functions and subroutines in Fortran. * Multithreaded symbol loading, disabled by default. Enable using 'maint set worker-threads unlimited'. * Multi-target debugging support. * New command pipe. * New command set logging debugredirect [on|off]. * New fortran commands info modules, info module functions, info module variables. ----------------------------------------- Patch: SUSE-2020-3942 Released: Tue Dec 29 12:22:01 2020 Summary: Recommended update for libidn2 Severity: moderate References: 1180138 Description: This update for libidn2 fixes the following issues: - The library is actually dual licensed, GPL-2.0-or-later or LGPL-3.0-or-later, adjusted the RPM license tags (bsc#1180138) ----------------------------------------- Patch: SUSE-2021-10 Released: Mon Jan 4 10:01:52 2021 Summary: Recommended update for dmidecode Severity: moderate References: 1174257 Description: This update for dmidecode fixes the following issue: - Two missing commas in the data arrays cause 'OUT OF SPEC' messages during the index resolution. (bnc#1174257) ----------------------------------------- Patch: SUSE-2021-28 Released: Tue Jan 5 15:57:44 2021 Summary: Security update for dovecot23 Severity: important References: 1174920,1174922,1174923,1180405,1180406,CVE-2020-12100,CVE-2020-12673,CVE-2020-12674,CVE-2020-24386,CVE-2020-25275 Description: This update for dovecot23 fixes the following issues: Security issues fixed: - CVE-2020-12100: Fixed a resource exhaustion caused by deeply nested MIME parts (bsc#1174920). - CVE-2020-12673: Fixed an improper implementation of NTLM that did not check the message buffer size (bsc#1174922). - CVE-2020-12674: Fixed an improper implementation of the RPA mechanism (bsc#1174923). - CVE-2020-24386: Fixed an issue with IMAP hibernation that allowed users to access other users' emails (bsc#1180405). - CVE-2020-25275: Fixed a crash when the 10000th MIME part was message/rfc822 (bsc#1180406). Non-security issues fixed: - Pigeonhole was updated to version 0.5.11. - Dovecot was updated to version 2.3.11.3. ----------------------------------------- Patch: SUSE-2021-35 Released: Wed Jan 6 12:31:37 2021 Summary: Recommended update for taglib Severity: moderate References: 1179817 Description: This update for taglib fixes the following issues: - Fixed a possible file corruption of ogg files (bsc#1179817, gh#taglib/taglib#864): ----------------------------------------- Patch: SUSE-2021-41 Released: Thu Jan 7 11:51:31 2021 Summary: Security update for tomcat Severity: moderate References: 1179602,CVE-2020-17527 Description: This update for tomcat fixes the following issue: - CVE-2020-17527: Fixed a HTTP/2 request header mix-up (bsc#1179602). ----------------------------------------- Patch: SUSE-2021-65 Released: Mon Jan 11 15:11:49 2021 Summary: Recommended update for hamcrest Severity: low References: 1120493,1179994 Description: This update for hamcrest fixes the following issues: - Make hamcrest build reproducibly. (bsc#1120493) - Fix typo in hamcrest-core description. (bsc#1179994) ----------------------------------------- Patch: SUSE-2021-71 Released: Tue Jan 12 08:30:53 2021 Summary: Security update for MozillaFirefox Severity: important References: 1180623,CVE-2020-16044 Description: This update for MozillaFirefox fixes the following issues: - Firefox Extended Support Release 78.6.1 ESR * Fixed: Critical security issue MFSA 2021-01 (bsc#1180623) * CVE-2020-16044 Use-after-free write when handling a malicious COOKIE-ECHO SCTP chunk ----------------------------------------- Patch: SUSE-2021-79 Released: Tue Jan 12 10:49:34 2021 Summary: Recommended update for gcc7 Severity: moderate References: 1167939 Description: This update for gcc7 fixes the following issues: - Amend the gcc7 aarch64 atomics for glibc namespace violation with getauxval. [bsc#1167939] ----------------------------------------- Patch: SUSE-2021-88 Released: Tue Jan 12 14:33:31 2021 Summary: Security update for hawk2 Severity: important References: 1179998,CVE-2020-35458 Description: This update for hawk2 fixes the following security issue: - CVE-2020-35458: Fixed an insufficient input handler that could have led to remote code execution (bsc#1179998). ----------------------------------------- Patch: SUSE-2021-105 Released: Tue Jan 12 19:50:06 2021 Summary: Recommended update for postgresql12 Severity: low References: 1178961 Description: This update for postgresql12 fixes the following issues: - Marked symlinks to pg_config and ecpg as ghost files, so that rpm doesn't complain when they are not there (bsc#1178961) ----------------------------------------- Patch: SUSE-2021-111 Released: Wed Jan 13 11:47:54 2021 Summary: Recommended update for prometheus-ha_cluster_exporter Severity: moderate References: Description: This update for prometheus-ha_cluster_exporter fixes the following issue: Update to version 1.2.1 - Remove Pacemaker dependency from systemd unit (jsc#TEAM-2169) ----------------------------------------- Patch: SUSE-2021-119 Released: Thu Jan 14 10:13:15 2021 Summary: Recommended update for bcache-tools Severity: moderate References: Description: This update for bcache-tools fixes the following issues: - Fix typo from `SUUP` to `SUPP` (jsc#SLE-9807) - change from `BCH_FEATURE_COMPAT_SUUP` to `BCH_FEATURE_COMPAT_SUPP` - change from `BCH_FEATURE_INCOMPAT_SUUP` to `BCH_FEATURE_INCOMPAT_SUPP` - change from `BCH_FEATURE_INCOMPAT_SUUP` to `BCH_FEATURE_RO_COMPAT_SUPP` - Call `set_bucket_size()` only for cache device (jsc#SLE-9807) - Add `BCH_FEATURE_INCOMPAT_LARGE_BUCKET` to `BCH_FEATURE_INCOMPAT_SUPP` (jsc#SLE-9807) - `BCH_FEATURE_INCOMPAT_LARGE_BUCKET` is a feature to support 32bits bucket size, which is incompatible feature for existing on-disk layout. This fix adds this feature bit to `BCH_FEATURE_INCOMPAT_SUPP` feature set. - Check for incompatible feature set (jsc#SLE-9807) - Introduce `BCH_FEATURE_INCOMPAT_LOG_LARGE_BUCKET_SIZE` for large bucket (jsc#SLE-9807) - Display obsoleted bucket size configuration (jsc#SLE-9807) - Recover the missing `sb.csum` for showing `bcache` device super block (jsc#SLE-9807) - Call `to_cache_sb()` only for `bcache` device in `may_add_item()` (jsc#SLE-9807) - Improve column alignment for `bcache show -m` output (jsc#SLE-9807) ----------------------------------------- Patch: SUSE-2021-123 Released: Thu Jan 14 10:28:40 2021 Summary: Security update for MozillaThunderbird Severity: important References: 1180623,CVE-2020-16044 Description: This update for MozillaThunderbird fixes the following issues: - Mozilla Thunderbird 78.6.1 * changed: MailExtensions: browserAction, composeAction, and messageDisplayAction toolbar buttons now support label and default_label properties (bmo#1583478) * fixed: Running a quicksearch that returned no results did not offer to re-run as a global search (bmo#1663153) * fixed: Message search toolbar fixes (bmo#1681010) * fixed: Very long subject lines distorted the message compose and display windows, making them unusable (bmo#77806) * fixed: Compose window: Recipient addresses that had not yet been autocompleted were lost when clicking Send button (bmo#1674054) * fixed: Compose window: New message is no longer marked as 'changed' just from tabbing out of the recipient field without editing anything (bmo#1681389) * fixed: Account autodiscover fixes when using MS Exchange servers (bmo#1679759) * fixed: LDAP address book stability fix (bmo#1680914) * fixed: Messages with invalid vcard attachments were not marked as read when viewed in the preview window (bmo#1680468) * fixed: Chat: Could not add TLS certificate exceptions for XMPP connections (bmo#1590471) * fixed: Calendar: System timezone was not always properly detected (bmo#1678839) * fixed: Calendar: Descriptions were sometimes blank when editing a single occurrence of a repeating event (bmo#1664731) * fixed: Various printing bugfixes (bmo#1676166) * fixed: Visual consistency and theme improvements (bmo#1682808) MFSA 2021-02 (bsc#1180623) * CVE-2020-16044 (bmo#1683964) Use-after-free write when handling a malicious COOKIE-ECHO SCTP chunk ----------------------------------------- Patch: SUSE-2021-130 Released: Thu Jan 14 13:08:01 2021 Summary: Recommended update for aide Severity: moderate References: 1180165 Description: This update for aide fixes the following issue: - Add a `syslog_format` to Advanced Intrusion Detection Environment (AIDE). (bsc#1180165) ----------------------------------------- Patch: SUSE-2021-134 Released: Fri Jan 15 10:30:56 2021 Summary: Recommended update for gnu-compilers-hpc Severity: important References: 1174439 Description: This update for gnu-compilers-hpc fixes the following issues: - Add build support for gcc10 to HPC build. (bsc#1174439) - Fix version parsing for gcc10 and up. ----------------------------------------- Patch: SUSE-2021-175 Released: Wed Jan 20 09:23:50 2021 Summary: Security update for postgresql, postgresql13 Severity: moderate References: 1178666,1178667,1178668,1178961,CVE-2020-25694,CVE-2020-25695,CVE-2020-25696 Description: This update for postgresql, postgresql13 fixes the following issues: This update ships postgresql13. Upgrade to version 13.1: * CVE-2020-25695, bsc#1178666: Block DECLARE CURSOR ... WITH HOLD and firing of deferred triggers within index expressions and materialized view queries. * CVE-2020-25694, bsc#1178667: a) Fix usage of complex connection-string parameters in pg_dump, pg_restore, clusterdb, reindexdb, and vacuumdb. b) When psql's \connect command re-uses connection parameters, ensure that all non-overridden parameters from a previous connection string are re-used. * CVE-2020-25696, bsc#1178668: Prevent psql's \gset command from modifying specially-treated variables. * Fix recently-added timetz test case so it works when the USA is not observing daylight savings time. (obsoletes postgresql-timetz.patch) * https://www.postgresql.org/about/news/2111/ * https://www.postgresql.org/docs/13/release-13-1.html Initial packaging of PostgreSQL 13: * https://www.postgresql.org/about/news/2077/ * https://www.postgresql.org/docs/13/release-13.html - bsc#1178961: %ghost the symlinks to pg_config and ecpg. Changes in postgresql wrapper package: - Bump major version to 13. - We also transfer PostgreSQL 9.4.26 to the new package layout in SLE12-SP2 and newer. Reflect this in the conflict with postgresql94. - Also conflict with PostgreSQL versions before 9. - Conflicting with older versions is not limited to SLE. ----------------------------------------- Patch: SUSE-2021-176 Released: Wed Jan 20 09:49:05 2021 Summary: Security update for xstream Severity: important References: 1180145,1180146,1180994,CVE-2020-26217,CVE-2020-26258,CVE-2020-26259 Description: This update for xstream fixes the following issues: xstream was updated to version 1.4.15. - CVE-2020-26217: Fixed a remote code execution due to insecure XML deserialization when relying on blocklists (bsc#1180994). - CVE-2020-26258: Fixed a server-side request forgery vulnerability (bsc#1180146). - CVE-2020-26259: Fixed an arbitrary file deletion vulnerability (bsc#1180145). ----------------------------------------- Patch: SUSE-2021-179 Released: Wed Jan 20 13:38:51 2021 Summary: Recommended update for timezone Severity: moderate References: 1177460 Description: This update for timezone fixes the following issues: - timezone update 2020f (bsc#1177460) * 'make rearguard_tarballs' no longer generates a bad rearguard.zi, fixing a 2020e bug. - timezone update 2020e (bsc#1177460) * Volgograd switches to Moscow time on 2020-12-27 at 02:00. - timezone update 2020f (bsc#1177460) * 'make rearguard_tarballs' no longer generates a bad rearguard.zi, fixing a 2020e bug. - timezone update 2020e (bsc#1177460) * Volgograd switches to Moscow time on 2020-12-27 at 02:00. ----------------------------------------- Patch: SUSE-2021-183 Released: Thu Jan 21 11:35:36 2021 Summary: Security update for perl-Convert-ASN1 Severity: moderate References: 1168934,CVE-2013-7488 Description: This update for perl-Convert-ASN1 fixes the following issue: - CVE-2013-7488: Fixed an infinite loop via unexpected input (bsc#1168934). ----------------------------------------- Patch: SUSE-2021-186 Released: Thu Jan 21 14:55:16 2021 Summary: Security update for wavpack Severity: moderate References: 1091340,1091341,1091342,1091343,1091344,1180414,CVE-2018-10536,CVE-2018-10537,CVE-2018-10538,CVE-2018-10539,CVE-2018-10540,CVE-2018-19840,CVE-2018-19841,CVE-2018-6767,CVE-2018-7253,CVE-2018-7254,CVE-2019-1010319,CVE-2019-11498,CVE-2020-35738 Description: This update for wavpack fixes the following issues: - Update to version 5.4.0 * CVE-2020-35738: Fixed an out-of-bounds write in WavpackPackSamples (bsc#1180414) * fixed: disable A32 asm code when building for Apple silicon * fixed: issues with Adobe-style floating-point WAV files * added: --normalize-floats option to wvunpack for correctly exporting un-normalized floating-point files - Update to version 5.3.0 * fixed: OSS-Fuzz issues 19925, 19928, 20060, 20448 * fixed: trailing garbage characters on imported ID3v2 TXXX tags * fixed: various minor undefined behavior and memory access issues * fixed: sanitize tag extraction names for length and path inclusion * improved: reformat wvunpack 'help' and split into long + short versions * added: regression testing to Travis CI for OSS-Fuzz crashers - Updated to version 5.2.0 *fixed: potential security issues including the following CVEs: CVE-2018-19840, CVE-2018-19841, CVE-2018-10536 (bsc#1091344), CVE-2018-10537 (bsc#1091343) CVE-2018-10538 (bsc#1091342), CVE-2018-10539 (bsc#1091341), CVE-2018-10540 (bsc#1091340), CVE-2018-7254, CVE-2018-7253, CVE-2018-6767, CVE-2019-11498 and CVE-2019-1010319 * added: support for CMake, Travis CI, and Google's OSS-fuzz * fixed: use correction file for encode verify (pipe input, Windows) * fixed: correct WAV header with actual length (pipe input, -i option) * fixed: thumb interworking and not needing v6 architecture (ARM asm) * added: handle more ID3v2.3 tag items and from all file types * fixed: coredump on Sparc64 (changed MD5 implementation) * fixed: handle invalid ID3v2.3 tags from sacd-ripper * fixed: several corner-case memory leaks ----------------------------------------- Patch: SUSE-2021-194 Released: Fri Jan 22 13:31:01 2021 Summary: Security update for stunnel Severity: moderate References: 1177580,1178533 Description: This update for stunnel fixes the following issues: Security issue fixed: - The 'redirect' option was fixed to properly handle 'verifyChain = yes' (bsc#1177580). Non-security issues fixed: - Fix startup problem of the stunnel daemon (bsc#1178533) - update to 5.57: * Security bugfixes * New features - New securityLevel configuration file option. - Support for modern PostgreSQL clients - TLS 1.3 configuration updated for better compatibility. * Bugfixes - Fixed a transfer() loop bug. - Fixed memory leaks on configuration reloading errors. - DH/ECDH initialization restored for client sections. - Delay startup with systemd until network is online. - A number of testing framework fixes and improvements. - update to 5.56: - Various text files converted to Markdown format. - Support for realpath(3) implementations incompatible with POSIX.1-2008, such as 4.4BSD or Solaris. - Support for engines without PRNG seeding methods (thx to Petr Mikhalitsyn). - Retry unsuccessful port binding on configuration file reload. - Thread safety fixes in SSL_SESSION object handling. - Terminate clients on exit in the FORK threading model. - Fixup stunnel.conf handling: * Remove old static openSUSE provided stunnel.conf. * Use upstream stunnel.conf and tailor it for openSUSE using sed. * Don't show README.openSUSE when installing. - enable /etc/stunnel/conf.d - re-enable openssl.cnf ----------------------------------------- Patch: SUSE-2021-195 Released: Fri Jan 22 15:17:17 2021 Summary: Security update for mutt Severity: moderate References: 1181221,CVE-2021-3181 Description: This update for mutt fixes the following issue: - CVE-2021-3181: Fixed a memory leak in recipient parsing (bsc#1181221). ----------------------------------------- Patch: SUSE-2021-200 Released: Fri Jan 22 15:39:33 2021 Summary: Security update for hawk2 Severity: critical References: 1179998,CVE-2020-35458 Description: This update for hawk2 fixes the following issues: hawk2 was updated to version 2.4.0+git.1611141202.2fe6369e. Security issue fixed: - Fixed another possible code execution vulnerability in the controller code (bsc#1179998). ----------------------------------------- Patch: SUSE-2021-207 Released: Mon Jan 25 16:16:05 2021 Summary: Recommended update for python-websockify Severity: moderate References: 1163513 Description: This update for python-websockify fixes the following issues: - Add 'python-numpy' as requirement. (bsc#1163513) ----------------------------------------- Patch: SUSE-2021-220 Released: Tue Jan 26 14:00:51 2021 Summary: Recommended update for keyutils Severity: moderate References: 1180603 Description: This update for keyutils fixes the following issues: - Adjust the library license to be LPGL-2.1+ only (the tools are GPL2+, the library is just LGPL-2.1+) (bsc#1180603) ----------------------------------------- Patch: SUSE-2021-228 Released: Tue Jan 26 23:05:38 2021 Summary: Recommended update for python-kiwi Severity: moderate References: 1179562,1180781 Description: This update for python-kiwi fixes the following issues: - Azure generated images are not bootable. (bsc#1180781) - Fixed validation of bool value in dracut module. - The `oem-multipath-scan` setup results in a bool variable inside of the initrd code. The variable `kiwi_oemmultipath_scan` is therefore either set to `true` or `false`. This update fixes the validation to make use of the `bool()` method provided for these type of variables. - Azure `LI/VLI` Production image boot process drops to dracut rescue shell during boot randomly (bsc#1179562) - Omit multipath module by default - The plain installation of the multipath toolkit activates the dracut multipath code. The setup if the target image runs in a multipath environment or not should however be decided explicitly in the image description via `` and not implicitly by the presence of tools - Fixed multipath disk device assignment in kiwi lib - The former lookup of the multipath mapped disk device contained a race condition. If the lookup of the device mapper files happened before multipathd has finished the initialization, kiwi continues with the unix node name and fails when the device mapper keeps a busy state on it. Now, in case of an explicit request to use multipath the lookup of the mapped device becomes a mandatory process that runs until the `DEVICE_TIMEOUT` is reached. Default timeout is set to 60 sec. ----------------------------------------- Patch: SUSE-2021-237 Released: Thu Jan 28 18:22:24 2021 Summary: Recommended update for habootstrap-formula Severity: moderate References: 1177860 Description: This update for drbd-formula, habootstrap-formula, iscsi-formula, saphanabootstrap-formula, sapnwbootstrap-formula fixes the following issues: drbd-formula: - Version 0.4.0 - Change `salt-formulas-configuration` requirement in SLE12 codestream to a recommendation (bsc#1177860) habootstrap-formula: - Version 0.4.0 - Change `salt-formulas-configuration` requirement in SLE12 codestream to a recommendation (bsc#1177860) - Remove lock states as this is done in `crmsh` now - Fix ssh keys management to run them once the first node is initialized - Remove `--no-overwrite-sshkey` option from the formula - `qdevice` support: it can be created when initializing a cluster when multiple nodes are joining in parallel iscsi-formula: - Change `salt-formulas-configuration` requirement in SLE12 codestream to a recommendation (bsc#1177860) saphanabootstrap-formula: - Version 0.7.0 - Change `salt-formulas-configuration` requirement in SLE12 codestream to a recommendation (bsc#1177860) - Start the `saptune` daemon service - Add requisite of HANA installation to subsequent salt states - Add support to extract and install HANA Client `sar` packages - Set the native fence mechanism usage for `CSP` as optional (jsc#SLE-4047) - Fix the HANA media extraction and installation logics when using `exe` archives - Update the SUSE Manager HANA form metadata, to show HANA form under SAP deployment group - Update SUSe Manager `form.yml` file and prevalidation state with latest changes in formula sapnwbootstrap-formula: - Version 0.6.0 - Change `salt-formulas-configuration` requirement in SLE12 codestream to a recommendation (bsc#1177860) - Add requisites of `netweaver` installation to subsequent salt states - Start the `saptune` systemd service - Fix `additional_dvds` variable usage when salt uses python 2. - The variable is filtered by `tojson` option to avoid `u` prefix in lists - Set the native fence mechanism usage for `CSP` as optional - Add instance name suffix to `socat` resources - Remove meta `resource-stickness` to the `ERS` resources group - Update the db installation template to use correctly the schema names for S/4HANA - Update the default `nw_extract_dir` `SWPM` media extraction location ----------------------------------------- Patch: SUSE-2021-243 Released: Fri Jan 29 09:37:29 2021 Summary: Security update for jackson-databind Severity: moderate References: 1177616,1180391,1181118,CVE-2020-25649,CVE-2020-35728,CVE-2021-20190 Description: This update for jackson-databind fixes the following issues: jackson-databind was updated to 2.10.5.1: * #2589: `DOMDeserializer`: setExpandEntityReferences(false) may not prevent external entity expansion in all cases (CVE-2020-25649, bsc#1177616) * #2787 (partial fix): NPE after add mixin for enum * #2679: 'ObjectMapper.readValue('123', Void.TYPE)' throws 'should never occur' ----------------------------------------- Patch: SUSE-2021-257 Released: Mon Feb 1 14:46:06 2021 Summary: Security update for MozillaThunderbird Severity: important References: 1181414,CVE-2020-15685,CVE-2020-26976,CVE-2021-23953,CVE-2021-23954,CVE-2021-23960,CVE-2021-23964 Description: This update for MozillaThunderbird fixes the following issues: - Mozilla Thunderbird was updated to 78.7.0 ESR (MFSA 2021-05, bsc#1181414) * CVE-2021-23953: Fixed a Cross-origin information leakage via redirected PDF requests * CVE-2021-23954: Fixed a type confusion when using logical assignment operators in JavaScript switch statements * CVE-2020-26976: Fixed an issue where HTTPS pages could have been intercepted by a registered service worker when they should not have been * CVE-2021-23960: Fixed a use-after-poison for incorrectly redeclared JavaScript variables during GC * CVE-2021-23964: Fixed Memory safety bugs * CVE-2020-15685: Fixed an IMAP Response Injection when using STARTTLS ----------------------------------------- Patch: SUSE-2021-259 Released: Mon Feb 1 14:50:33 2021 Summary: Security update for MozillaFirefox Severity: important References: 1181414,CVE-2020-26976,CVE-2021-23953,CVE-2021-23954,CVE-2021-23960,CVE-2021-23964 Description: This update for MozillaFirefox fixes the following issues: - Firefox Extended Support Release 78.7.0 ESR (MFSA 2021-04, bsc#1181414) * CVE-2021-23953: Fixed a Cross-origin information leakage via redirected PDF requests * CVE-2021-23954: Fixed a type confusion when using logical assignment operators in JavaScript switch statements * CVE-2020-26976: Fixed an issue where HTTPS pages could have been intercepted by a registered service worker when they should not have been * CVE-2021-23960: Fixed a use-after-poison for incorrectly redeclared JavaScript variables during GC * CVE-2021-23964: Fixed Memory safety bugs ----------------------------------------- Patch: SUSE-2021-263 Released: Mon Feb 1 15:01:07 2021 Summary: Security update for terraform Severity: moderate References: 1168921,1170264,1177421,CVE-2020-14039 Description: This update for terraform fixes the following issues: - Updated terraform to version 0.13.4 (bsc#1177421) * Many features, bug fixes, and enhancements were made during this update. Please refer to the terraform rpm changelog, for a full list of all changes. - The following terraform providers were updated: * terraform-provider-aws * terraform-provider-azurerm * terraform-provider-external * terraform-provider-google * terraform-provider-helm * terraform-provider-kubernetes * terraform-provider-local * terraform-provider-null * terraform-provider-random * terraform-provider-tls ----------------------------------------- Patch: SUSE-2021-271 Released: Mon Feb 1 21:04:13 2021 Summary: Recommended update for lshw Severity: moderate References: 1181411 Description: This update for lshw fixes the following issues: - Display UUID on Power VM LPAR. (bsc#1181411, ltc#191040) ----------------------------------------- Patch: SUSE-2021-283 Released: Tue Feb 2 12:21:47 2021 Summary: Recommended maintenacne update for papi Severity: low References: 1181485 Description: This update for papi fixes the following issue: - Provide the missing `papi-devel`package. (bsc#1181485) ----------------------------------------- Patch: SUSE-2021-285 Released: Tue Feb 2 13:08:54 2021 Summary: Security update for cups Severity: moderate References: 1170671,1180520,CVE-2019-8842,CVE-2020-10001 Description: This update for cups fixes the following issues: - CVE-2020-10001: Fixed an out-of-bounds read in the ippReadIO function (bsc#1180520). - CVE-2019-8842: Fixed an out-of-bounds read in an extension field (bsc#1170671). ----------------------------------------- Patch: SUSE-2021-289 Released: Tue Feb 2 15:20:09 2021 Summary: Recommended update for arpwatch Severity: low References: Description: This update for arpwatch fixes the following issues: - Included arp2ethers script (jsc#SLE-17224) ----------------------------------------- Patch: SUSE-2021-292 Released: Wed Feb 3 11:46:32 2021 Summary: Recommended update for python-azure-agent Severity: moderate References: 1180719,1181600,1181601 Description: This update for python-azure-agent contains the following fix: - Added sysvinit-tools as dependency (bsc#1181600, bsc#1181601) - Recognise SLE_HPC as SLES and use the proper RDMA handler and distro specific initialization code (bsc#1180719) ----------------------------------------- Patch: SUSE-2021-293 Released: Wed Feb 3 12:52:34 2021 Summary: Recommended update for gmp Severity: moderate References: 1180603 Description: This update for gmp fixes the following issues: - correct license statements of packages (library itself is no GPL-3.0) (bsc#1180603) ----------------------------------------- Patch: SUSE-2021-294 Released: Wed Feb 3 12:54:28 2021 Summary: Recommended update for libprotobuf Severity: moderate References: Description: libprotobuf was updated to fix: - ship the libprotobuf-lite15 on the basesystem module and the INSTALLER channel. (jsc#ECO-2911) ----------------------------------------- Patch: SUSE-2021-301 Released: Thu Feb 4 08:46:27 2021 Summary: Recommended update for timezone Severity: moderate References: 1177460 Description: This update for timezone fixes the following issues: - timezone update 2021a (bsc#1177460) * South Sudan changes from +03 to +02 on 2021-02-01 at 00:00. - timezone update 2021a (bsc#1177460) * South Sudan changes from +03 to +02 on 2021-02-01 at 00:00. ----------------------------------------- Patch: SUSE-2021-337 Released: Mon Feb 8 13:14:24 2021 Summary: Recommended update for build Severity: low References: 1181646 Description: This update for build fixes the following issues: Features: - initial flatpak build support added - ccache support added - debtransform: Add Debian revision if not present - allow nodirindex filesystems via BuildFlags: vmfsoptions:nodirindex - rich dep handling for PreReqs - kiwi image: configure ndb database if we install the rpm-ndb package - Implement alternative method to specify build-ignores A lot of fixes came with this update, please refer to this rpm's changelog to obtain a full list of all changes. ----------------------------------------- Patch: SUSE-2021-339 Released: Mon Feb 8 13:16:07 2021 Summary: Optional update for pam Severity: low References: Description: This update for pam fixes the following issues: - Added rpm macros for this package, so that other packages can make use of it This patch is optional to be installed - it doesn't fix any bugs. ----------------------------------------- Patch: SUSE-2021-352 Released: Tue Feb 9 15:02:05 2021 Summary: Security update for java-11-openjdk Severity: important References: 1181239 Description: This update for java-11-openjdk fixes the following issues: java-11-openjdk was upgraded to include January 2021 CPU (bsc#1181239) - Enable Sheandoah GC for x86_64 (jsc#ECO-3171) ----------------------------------------- Patch: SUSE-2021-417 Released: Wed Feb 10 12:02:41 2021 Summary: Recommended update for osc Severity: moderate References: 235071 Description: This update for osc fixes the following issues: - support --lastsucceeded/--last-succeeded in 'osc buildlog', 'osc remotebuildlog' + friends (perform the corresponding operation on the build log of the last successful build) - several fixes in request related code paths (no double html_escape of a request's description etc.) - fix potential TypeErrors+UnicodeEncodeErrors in the util.cpio and util.ar modules - support local flatpak builds (requires a recent build version) - 'osc init ' works for a non-existent (server-side) project - .old dir support for source services so that some services have access to the results of a previous service run - maintainer search: lookup via package name by default and binary as fallback - fix crash on console resize when downloading files during build - add proper repourls to osc reporuls - new command osc releaserequest: This command is used to transfer sources and binaries without rebuilding them. - It requires defined release targets set to trigger='manual'. - some improvements on output of help and error messages - Fix path and permissions for fish completion file to /usr/share/fish/vendor_completions.d ----------------------------------------- Patch: SUSE-2021-421 Released: Wed Feb 10 12:05:23 2021 Summary: Recommended update for hwdata Severity: low References: 1180422,1180482 Description: This update for hwdata fixes the following issues: - Added merge-pciids.pl to fully duplicate behavior of pciutils-ids (bsc#1180422, bsc#1180482) - Updated pci, usb and vendor ids. ----------------------------------------- Patch: SUSE-2021-430 Released: Wed Feb 10 19:21:55 2021 Summary: Security update for MozillaFirefox Severity: low References: 1181848 Description: This update for MozillaFirefox fixes the following issues: Firefox Extended Support Release 78.7.1 ESR (bsc#1181848) - Fixed: Prevent access to NTFS special paths that could lead to filesystem corruption. - Buffer overflow in depth pitch calculations for compressed textures ----------------------------------------- Patch: SUSE-2021-435 Released: Thu Feb 11 14:47:25 2021 Summary: Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork Severity: important References: 1174075,1176708,1178801,1178969,1180243,1180401,1181730,1181732,CVE-2020-15257,CVE-2021-21284,CVE-2021-21285 Description: This update for containerd, docker, docker-runc, golang-github-docker-libnetwork fixes the following issues: Security issues fixed: - CVE-2020-15257: Fixed a privilege escalation in containerd (bsc#1178969). - CVE-2021-21284: potential privilege escalation when the root user in the remapped namespace has access to the host filesystem (bsc#1181732) - CVE-2021-21285: pulling a malformed Docker image manifest crashes the dockerd daemon (bsc#1181730) Non-security issues fixed: - Update Docker to 19.03.15-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. This update includes fixes for bsc#1181732 (CVE-2021-21284) and bsc#1181730 (CVE-2021-21285). - Only apply the boo#1178801 libnetwork patch to handle firewalld on openSUSE. It appears that SLES doesn't like the patch. (bsc#1180401) - Update to containerd v1.3.9, which is needed for Docker v19.03.14-ce and fixes CVE-2020-15257. bsc#1180243 - Update to containerd v1.3.7, which is required for Docker 19.03.13-ce. bsc#1176708 - Update to Docker 19.03.14-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. CVE-2020-15257 bsc#1180243 https://github.com/docker/docker-ce/releases/tag/v19.03.14 - Enable fish-completion - Add a patch which makes Docker compatible with firewalld with nftables backend. Backport of https://github.com/moby/libnetwork/pull/2548 (bsc#1178801, SLE-16460) - Update to Docker 19.03.13-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. bsc#1176708 - Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075) - Emergency fix: %requires_eq does not work with provide symbols, only effective package names. Convert back to regular Requires. - Update to Docker 19.03.12-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. - Use Go 1.13 instead of Go 1.14 because Go 1.14 can cause all sorts of spurrious errors due to Go returning -EINTR from I/O syscalls much more often (due to Go 1.14's pre-emptive goroutine support). - Add BuildRequires for all -git dependencies so that we catch missing dependencies much more quickly. - Update to libnetwork 55e924b8a842, which is required for Docker 19.03.14-ce. bsc#1180243 - Add patch which makes libnetwork compatible with firewalld with nftables backend. Backport of https://github.com/moby/libnetwork/pull/2548 (bsc#1178801, SLE-16460) ----------------------------------------- Patch: SUSE-2021-443 Released: Thu Feb 11 16:36:24 2021 Summary: Security update for wpa_supplicant Severity: important References: 1181777,CVE-2021-0326 Description: This update for wpa_supplicant fixes the following issues: - CVE-2021-0326: P2P group information processing vulnerability (bsc#1181777). ----------------------------------------- Patch: SUSE-2021-450 Released: Fri Feb 12 11:38:29 2021 Summary: Recommended update for drbd-formula, habootstrap-formula, saphanabootstrap-formula, sapnwbootstrap-formula Severity: moderate References: 1177860,1181453 Description: This update for drbd-formula, habootstrap-formula, saphanabootstrap-formula, sapnwbootstrap-formula fixes the following issues: habootstrap-formula: - Version 0.4.1 - Improved handling of sshkeys entry in pillar file (bsc#1181453) - Change `salt-formulas-configuration` requirement in SLE12 codestream to a recommendation (bsc#1177860) - Remove lock states as this is done in `crmsh` now - Fix ssh keys management to run them once the first node is initialized - Remove `--no-overwrite-sshkey` option from the formula - `qdevice` support: it can be created when initializing a cluster when multiple nodes are joining in parallel saphanabootstrap-formula: - Version 0.7.0 - Change `salt-formulas-configuration` requirement in SLE12 codestream to a recommendation (bsc#1177860) - Start the `saptune` daemon service - Add requisite of HANA installation to subsequent salt states - Add support to extract and install HANA Client `sar` packages - Set the native fence mechanism usage for `CSP` as optional (jsc#SLE-4047) - Fix the HANA media extraction and installation logics when using `exe` archives - Update the SUSE Manager HANA form metadata, to show HANA form under SAP deployment group - Update SUSE Manager `form.yml` file and prevalidation state with latest changes in formula sapnwbootstrap-formula: - Version 0.6.0 - Change `salt-formulas-configuration` requirement in SLE12 codestream to a recommendation (bsc#1177860) - Add requisites of `netweaver` installation to subsequent salt states - Start the `saptune` systemd service - Fix `additional_dvds` variable usage when salt uses python 2. - The variable is filtered by `tojson` option to avoid `u` prefix in lists - Set the native fence mechanism usage for `CSP` as optional - Add instance name suffix to `socat` resources - Remove meta `resource-stickness` to the `ERS` resources group - Update the db installation template to use correctly the schema names for S/4HANA - Update the default `nw_extract_dir` `SWPM` media extraction location drbd-formula: - Version 0.4.0 - Change `salt-formulas-configuration` requirement in SLE12 codestream to a recommendation (bsc#1177860) ----------------------------------------- Patch: SUSE-2021-483 Released: Tue Feb 16 10:04:38 2021 Summary: Security update for python-bottle Severity: important References: 1182181,CVE-2020-28473 Description: This update for python-bottle fixes the following issues: - CVE-2020-28473: Fixed Web Cache Poisoning vulnerability using parameter cloaking (bsc#1182181). ----------------------------------------- Patch: SUSE-2021-488 Released: Tue Feb 16 12:42:38 2021 Summary: Security update for jasper Severity: important References: 1179748,1181483,CVE-2020-27828,CVE-2021-3272 Description: This update for jasper fixes the following issues: - bsc#1179748 CVE-2020-27828: Fix heap overflow by checking maxrlvls - bsc#1181483 CVE-2021-3272: Fix buffer over-read in jp2_decode ----------------------------------------- Patch: SUSE-2021-492 Released: Wed Feb 17 09:40:06 2021 Summary: Security update for screen Severity: important References: 1182092,CVE-2021-26937 Description: This update for screen fixes the following issues: - CVE-2021-26937: Fixed double width combining char handling that could lead to a denial of service or code execution (bsc#1182092). ----------------------------------------- Patch: SUSE-2021-493 Released: Wed Feb 17 11:25:46 2021 Summary: Recommended update for python-kiwi Severity: moderate References: 1170863,1175729,1176129,1176134,1176977,1179562,1180781 Description: This update for python-kiwi fixes the following issues: Update to version 9.21.23 - Azure generated images are not bootable. (bsc#1180781) - Fixed validation of bool value in dracut module. (bsc#1179562) - The `oem-multipath-scan` setup results in a bool variable inside of the initrd code. The variable `kiwi_oemmultipath_scan` is therefore either set to _true_ or _false_. This update fixes the validation to make use of the `bool()` method provided for these type of variables. - Omit multipath module by default (bsc#1179562) - The plain installation of the multipath toolkit activates the dracut multipath code. The setup if the target image runs in a multipath environment or not should however be decided explicitly in the image description via `` and not implicitly by the presence of tools. - Fixed multipath disk device assignment in kiwi lib (bsc#1179562) - The former lookup of the multipath mapped disk device contained a race condition. If the lookup of the device mapper files happened before multipathd has finished the initialization, kiwi continues with the unix node name and fails when the device mapper keeps a busy state on it. This update changes the code such that in case of an explicit request to use multipath the lookup of the mapped device becomes a mandatory process that runs until the `DEVICE_TIMEOUT` is reached. Default timeout is set to 60 sec. - Do not exclude filesystem folders in OCI images (bsc#1176129) - This update does not exclude filesystem folders during the rsync call in OCI images. It has been noted that including an empty `/dev` folder does not hurt and it can eventually help to workaround some limitations of container related tools such as `buildah`. - Fix/Refactor s390 support (bsc#1170863) - This changes the s390 support on several stages: - On s390 the boot process is based on zipl which boots into an initrd from which a userspace grub process is started to support the grub capabilities. The implementation of this concept is provided via the `grub2-s390x-emu` package. Once installed the setup of the bootloader is done via the `grub2-mkconfig` and `grub2-install` commands and therefore from a caller perspective the same as with any other grub2 setup process. For kiwi this means no extra zipl bootloader target code is needed. Therefore this update deletes the zipl setup from kiwi and puts on the standard grub2 process. - To support different targettypes the `grub2-s390x-emu` provided zipl template must be adapted. Parts of the former zipl bootloader setup therefore now applies to an update of the `zipl2grub` template file - Support for `CDL/LDL DASD` targets has been disabled in the schema. When testing 4k devices and a respective zipl2grub template setup for `CDL/LDL` targettype it has turned out that `grub2-install` is not able to run on such a device. Probably the device code in `grub2-install` does not work for 4k devices with an fdasd created partition table. As this needs further investigations and most probably adaptions on the grub toolchain for s390, we disabled the setup of these modes for now. Emulated DASD (FBA) and SCSI targets stays supported. - Fix compat link for rpmdb location. (bsc#1176977) - This update fixes the symbolic link creation for `/var/lib/rpm`. More specific for derived container images in which the base root tree already included the `/var/lib/rpm` the link, the `ln` command was creating a symbolic link inside the `/var/lib/rpm` folder givent that it was following the already existing symbolic link. Adding the `--no-target-directory` force `ln` command to treat `/var/lib/rpm` path as the fully qualified symlink name. - Fixed s390/sle15 Virtual disk integration test. (bsc#1170863) - The integration test used FBA mode as target. As the target is expected to be KVM this is the wrong setting. SCSI should be used instead. - Support dynamic `linux/linuxefi` in any case. (bsc#1175729, bsc#1176134) - Instead of restricting the dynamic linux vs. linuxefi setup to a specific grub version, support this setup for any version of grub. ----------------------------------------- Patch: SUSE-2021-499 Released: Wed Feb 17 19:07:44 2021 Summary: Recommended update for MozillaThunderbird Severity: moderate References: 1181848 Description: This update for MozillaThunderbird fixes the following issues: - Mozilla Thunderbird 78.7.1 (bsc#1181848) * changed: Building OpenPGP shared library linked to system libraries now supported * changed: MailExtension errors now shown in Developer Tools console by default * changed: MailExtensions: Dynamic registration of calendar providers now supported * fixed: OpenPGP improvements * fixed: Message preview was sometimes blank after upgrading from Thunderbird 68 * fixed: Email addresses whitelisted for remote content not displayed in preferences * fixed: Importing data from Seamonkey did not work * fixed: Renaming a mail list did not update the side bar * fixed: MailExtensions: messenger.* namespace was undefined ----------------------------------------- Patch: SUSE-2021-509 Released: Thu Feb 18 12:11:19 2021 Summary: Recommended update for ucode-intel Severity: important References: 1179224,1182347 Description: This update for ucode-intel fixes the following issues: Updated Intel CPU Microcode to 20210216 official release. (bsc#1182347 bsc#1179224) - | Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products - |:---------------|:---------|:------------|:---------|:---------|:--------- - | SKX-SP | H0/M0/U0 | 06-55-04/b7 | 02006a08 | 02006a0a | Xeon Scalable - | SKX-D | M1 | 06-55-04/b7 | 02006a08 | 02006a0a | Xeon D-21xx - | CLX-SP | B0 | 06-55-06/bf | 04003003 | 04003006 | Xeon Scalable Gen2 - | CLX-SP | B1 | 06-55-07/bf | 05003003 | 05003006 | Xeon Scalable Gen2 ----------------------------------------- Patch: SUSE-2021-516 Released: Thu Feb 18 14:42:51 2021 Summary: Recommended update for docker, golang-github-docker-libnetwork Severity: moderate References: 1178801,1180401,1182168 Description: This update for docker, golang-github-docker-libnetwork fixes the following issues: - A libnetwork firewalld integration enhancement was broken, disable it (bsc#1178801,bsc#1180401,bsc#1182168) ----------------------------------------- Patch: SUSE-2021-518 Released: Thu Feb 18 17:57:56 2021 Summary: Recommended update for highlight Severity: moderate References: 1142155 Description: This update for highlight fixes the following issues: Update from version 3.42 to 3.59: - HTML output: Added `white-space: pre-wrap` to pre tag CSS. - Updated mark_lines.lua plug-in accept a line range as input parameter and output xterm256 terminal sequences. - Improved Ruby code folding of the outhtml_codefold plug-in. - Updated astyle lib to rev 672. - Added support for reStructured Text. - Added support for Rego (openpolicyagent.org). - Added `outhtml_copy_clipboard.lua` plugin. - CLI: Adapted default xterm256/truecolor theme to terminal background colour. - CLI: Adapted ANSI line numbers to terminal background colour. - CLI: Fixed segfault if the user home directory cannot be determined. - GUI: Initial font set to Monospace. - GUI: Replaced highlight.xpm by highlight.png icon. - Add hicolor-icon-themes as build requirement: Required since move of highlight-gui icon. - Improved `--force` fallback argument handling. - Added C++ attribute syntax support. - Added Lua fuction `StoreValue` to set and retrieve information across Lua states. - Added `extras/eclipse-themes/eclipse_color_themes.py` script to retrieve themes from eclipsecolorthemes.org. - Added support for Web Assembly Text. - Updated mark_lines.lua to output 16m terminal sequences - Fixed issues in bash.lang. - Fixed Bash heredoc highlighting in bash_functions.lua - CLI: `highlight --version -q` only prints the version number. * GUI: Added theme contrast indicator. - Added support for Haml. - Added support for Wren. * Added Lua function `OverrideParam`. - Fixed regression in xterm256 or truecolor output * Fixed `--list-scripts` with read-only language definitions - Improved several language definitions. * Added support for Sequence Alignment Maps (SAM files). * Added empty-file mode to --no-trailing-nl - Fixed issue with --syntax-by-name waiting for stdin - Fixed issue with --syntax reading matching files in the current working directory - Fixed string parsing in lisp.lang * Fixed output of UTF-8 text in xterm256 or truecolor output * Fixed regex in js.lang. * Fixed calculation of testcase markers with UTF-8 input. - Allowed number literals with underscores in Java, Scala, D, Julia, C#, Perl and Ada definitions. * Added Nord theme. - Improved handling of empty files in xterm256 and truecolor output - Added EncodingHint attributes to filetypes.conf and language definitions - CLI: Allowed file paths as --theme and --syntax argument * GUI: Removed deprecated QTime API call. - Fixed default colour output in BBCode - Fixed corner case in sh.lang. * Fixed syntax tests with UTF-8 input - Added support for Bash in outhtml_codefold.lua plug-in. * Added ballerina.lang. * Added block strings to java.lang. - Added author hints in themes and language definitions. * Added C++20 reserved words in c.lang. - Added editorconfig file and validated all files accordingly. * CLI: Fixed --list-scripts with -d or HIGHLIGHT_DATADIR env variable * GUI: Removed AsciiDoc instruction lines from the README popup window. - Use lang_package macro for highlight-gui-lang declaration. - Fixed out-of-range exception with repeated AddKeyword calls. - Added KeywordFormatHints, Priority and Constraints elements to syntax definitions. - Added Lua function AddPersistentState - Renamed md.lang to markdown.lang. - Added Fish syntax definition. - Makefile: added _FILE_OFFSET_BITS=64 flag. - CLI: added optional fallback syntax to --force - CLI: added option --max-size * GUI: added multibyte path trace window. * GUI: fixed superfluous creation of the same stylesheet file. - Fix build instability (bsc#1142155). - Added negation `~` to test state indicators - Added support for Hugo. * Added 5 duotone themes. - CLI: fixed segfault with `--force` * GUI: limited font selection to monospace fonts * SVG output: Added `white-space: pre` in styles. - HTML output: Replaced `'` by `'` - HTML output: Fixed index file format (missing close tags). - CLI: Moved syntax recognition functions to DataDir class. * CLI: Added regular expressions and default false values to --verbose output. - CLI: Fixed `--list-cat` without `--list-scripts` * CLI: Added optional argument to `--base16` * CLI: Added default base16 themes - CLI: Added `--isolate` option - Added lineno, column parameters to OnStateChange hook. - Added support for Crystal. - Added support for Slim. - Fixed several typos in documentaion and manpages. * CLI: Added `--syntax-by-name` option. * CLI: Removed deprecated `--list-langs` and`--list-themes` options. - GUI: Added terminal sequence output options - Added support for Meson, Solidity, TOML and Terraform. - Improved Perl and Yaml highlighting. - Added Categories field to all config files. - CLI: added category info in --list-scripts output. * CLI: added --list-cat option - CLI: added optional topic parameter to --help. * GUI: added theme category selection. - GUI: display categories of selected syntax or theme. - Fixed --list-scripts abortion with Fedora default compile options * Fixed a problem with syntax test indicators reporting wrong states after comments. - Improved Verilog syntax. - Improved quoted string highlighting for Perl and Ruby. - Detection of pkg-config's Lua version in src/makefile. - Fixed xterm256 and truecolor whitespace output #2 - Fixed LaTeX, TeX, SVG and ODT whitespace output (regression of version 3.45). * Added darkplus theme. * Converted ChangeLog to AsciiDoc. - Allowed state test indicators to match both whitespace (ws) and the enclosing state (others). - CLI: Default output changed to xterm256 or truecolor if run in a terminal with color support and only a single file is outputted. - GUI: Added checkbox in the clipboard tab to output selected lines only. - Fixed xterm256 and truecolor whitespace output - Converted manuals to AsciiDoc. - Added DocumentHeader and DocumentFooter plug-in hooks. - Added RemoveKeyword Lua function for syntax definitions. - Added syntax test indicators (see README_TESTCASES). - Added support for ISO and R10 variants of Modula2. - Fixed R identifiers. - Fixed ALAN IF identifiers. - Fixed issue with Bash string interpolation. - Added Swift keywords and types. - Added Gradle extension mapping. - Fixed Ruby string interpolation - Added support for ALAN IF. - Added 107 Base16 themes. * Updated Rust and Java reserved words lists. * Revised documentation. - Moved extras/css-themes into extras/themes-resources. * Added extras/themes-resources/base16. * GUI: added Base16 theme selection checkbox. * CLI: added --base16 option to enable the new themes. - CLI: accept - as argument to read from stdin - Make the build of gui subpackage conditional (built by default). - Updated astyle code to release 3.1 (Rev. 655). - Added webkit reformatting style. - Improved several language definitions. - Fixed Matlab string recognition - Fixed Autohotkey escape sequence recognition. - Added excel.lang - Improved Qt pro file - CLI: Added --reformat-option * CLI: Added --line-range - GUI: Added Bulgarian translation. ----------------------------------------- Patch: SUSE-2021-526 Released: Fri Feb 19 12:46:27 2021 Summary: Recommended update for python-distro Severity: moderate References: Description: This update for python-distro fixes the following issues: Upgrade from version 1.2.0 to 1.5.0 (jsc#ECO-3212) - Backward compatibility: - Keep output as native string so we can compatible with python2 interface - Prefer the `VERSION_CODENAME` field of `os-release` to parsing it from `VERSION` - Bug Fixes: - Fix detection of RHEL 6 `ComputeNode` - Fix Oracle 4/5 `lsb_release` id and names - Ignore `/etc/plesk-release` file while parsing distribution - Return `_uname_info` from the `uname_info()` method - Fixed `CloudLinux` id discovery - Update Oracle matching - Warn about wrong locale. - Documentation: - Distro is the recommended replacement for `platform.linux_distribution` - Add Ansible reference implementation and fix arch-linux link - Add facter reference implementation ----------------------------------------- Patch: SUSE-2021-531 Released: Fri Feb 19 14:54:06 2021 Summary: Security update for tomcat Severity: moderate References: 1180947,CVE-2021-24122 Description: This update for tomcat fixes the following issues: - CVE-2021-24122: Fixed an information disclosure if resources are served from the NTFS file system (bsc#1180947). ----------------------------------------- Patch: SUSE-2021-542 Released: Mon Feb 22 12:14:19 2021 Summary: Recommended update for poppler Severity: moderate References: 1181551 Description: This update for poppler fixes the following issues: - Fixed an issue where it was not possible to open signed DocuSign documents with poppler (bsc#1181551) ----------------------------------------- Patch: SUSE-2021-543 Released: Mon Feb 22 13:54:49 2021 Summary: Security update for postgresql13 Severity: moderate References: 1179765,1182039,1182040,CVE-2021-20229,CVE-2021-3393 Description: This update for postgresql13 fixes the following issues: Upgrade to version 13.2: * Updating stored views and reindexing might be needed after applying this update. * CVE-2021-3393, bsc#1182040: Fix information leakage in constraint-violation error messages. * CVE-2021-20229, bsc#1182039: Fix failure to check per-column SELECT privileges in some join queries. ----------------------------------------- Patch: SUSE-2021-554 Released: Tue Feb 23 11:14:46 2021 Summary: Recommended update for lifecycle-data-sle-module-live-patching Severity: moderate References: 1020320 Description: This update for lifecycle-data-sle-module-live-patching fixes the following issue: - Added data for 4_12_14-150_66, 4_12_14-197_78, 5_3_18-24_46, 5_3_18-24_49. (bsc#1020320) ----------------------------------------- Patch: SUSE-2021-571 Released: Tue Feb 23 16:11:33 2021 Summary: Recommended update for cloud-init Severity: moderate References: 1180176 Description: This update for cloud-init contains the following fixes: - Update cloud-init-write-routes.patch (bsc#1180176) + Follow up to previous changes. Fix order of operations error to make gateway comparison between subnet configuration and route configuration valuable rather than self-comparing. - Add cloud-init-sle12-compat.patch (jsc#PM-2335) - Python 3.4 compatibility in setup.py - Disable some test for mock version compatibility ----------------------------------------- Patch: SUSE-2021-577 Released: Wed Feb 24 10:00:26 2021 Summary: Recommended update for fio Severity: moderate References: Description: This update for fio fixes the following issues: - Fixes for several bug fixes and issues. - Added support for NBD and ZBD For a full list of changes, please refer to this rpm's changelog. ----------------------------------------- Patch: SUSE-2021-579 Released: Wed Feb 24 10:38:22 2021 Summary: Recommended update for arpwatch Severity: moderate References: 1181936 Description: This update for arpwatch fixes the following issues: - Fix arp2ethers script (bsc#1181936). ----------------------------------------- Patch: SUSE-2021-582 Released: Wed Feb 24 11:24:09 2021 Summary: Optional update for netpbm Severity: low References: 1181571 Description: This update for netpbm fixes the following issues: - Skips failing test cases for armv7hl (bsc#1181571) This patch is optional to install. It doesn't fix any issues for users. ----------------------------------------- Patch: SUSE-2021-589 Released: Thu Feb 25 06:11:06 2021 Summary: Recommended update for hawk2 Severity: moderate References: 1181436,1182163 Description: This update for hawk2 fixes the following issues: - Fixed an issue where the path to /usr/sbin/attrd_updater was wrong (bsc#1181436) - Removed the use of %x (bsc#1182163) ----------------------------------------- Patch: SUSE-2021-594 Released: Thu Feb 25 09:29:35 2021 Summary: Security update for python-cryptography Severity: important References: 1182066,CVE-2020-36242 Description: This update for python-cryptography fixes the following issues: - CVE-2020-36242: Using the Fernet class to symmetrically encrypt multi gigabyte values could result in an integer overflow and buffer overflow (bsc#1182066). ----------------------------------------- Patch: SUSE-2021-596 Released: Thu Feb 25 10:26:30 2021 Summary: Recommended update for gcc7 Severity: moderate References: 1181618 Description: This update for gcc7 fixes the following issues: - Fixed webkit2gtk3 build (bsc#1181618) - Change GCC exception licenses to SPDX format - Remove include-fixed/pthread.h ----------------------------------------- Patch: SUSE-2021-612 Released: Fri Feb 26 04:55:47 2021 Summary: Optional update for m4 Severity: low References: 1181571 Description: This update for m4 fixes the following issues: - Fixed an issue in building against newer glibc versions (bsc#1181571) ----------------------------------------- Patch: SUSE-2021-654 Released: Fri Feb 26 20:01:10 2021 Summary: Security update for python-Jinja2 Severity: important References: 1181944,1182244,CVE-2020-28493 Description: This update for python-Jinja2 fixes the following issues: - CVE-2020-28493: Fixed a ReDOS vulnerability where urlize could have been called with untrusted user data (bsc#1181944). ----------------------------------------- Patch: SUSE-2021-656 Released: Mon Mar 1 09:34:21 2021 Summary: Recommended update for protobuf Severity: moderate References: 1177127 Description: This update for protobuf fixes the following issues: - Add missing dependency of python subpackages on python-six. (bsc#1177127) ----------------------------------------- Patch: SUSE-2021-659 Released: Mon Mar 1 13:41:20 2021 Summary: Security update for MozillaFirefox Severity: important References: 1182357,1182614,CVE-2021-23968,CVE-2021-23969,CVE-2021-23973,CVE-2021-23978 Description: This update for MozillaFirefox fixes the following issues: - Firefox Extended Support Release 78.8.0 ESR * Fixed: Various stability, functionality, and security fixes MFSA 2021-08 (bsc#1182614) * CVE-2021-23969: Content Security Policy violation report could have contained the destination of a redirect * CVE-2021-23968: Content Security Policy violation report could have contained the destination of a redirect * CVE-2021-23973: MediaError message property could have leaked information about cross-origin resources * CVE-2021-23978: Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8 ----------------------------------------- Patch: SUSE-2021-661 Released: Mon Mar 1 16:12:47 2021 Summary: Security update for MozillaThunderbird Severity: important References: 1182357,1182614,CVE-2021-23968,CVE-2021-23969,CVE-2021-23973,CVE-2021-23978 Description: This update for MozillaThunderbird fixes the following issues: - Mozilla Thunderbird 78.8 * fixed: Importing an address book from a CSV file always reported an error * fixed: Security information for S/MIME messages was not displayed correctly prior to a draft being saved * fixed: Calendar: FileLink UI fixes for Caldav calendars * fixed: Recurring tasks were always marked incomplete; unable to use filters * fixed: Various UI widgets not working * fixed: Dark theme improvements * fixed: Extension manager was missing link to addon support web page * fixed: Various security fixes MFSA 2021-09 (bsc#1182614) * CVE-2021-23969: Content Security Policy violation report could have contained the destination of a redirect * CVE-2021-23968: Content Security Policy violation report could have contained the destination of a redirect * CVE-2021-23973: MediaError message property could have leaked information about cross-origin resources * CVE-2021-23978: Memory safety bugs fixed in Thunderbird 78.8 ----------------------------------------- Patch: SUSE-2021-665 Released: Mon Mar 1 16:15:47 2021 Summary: Security update for java-1_8_0-openjdk Severity: moderate References: 1181239,CVE-2020-14803 Description: This update for java-1_8_0-openjdk fixes the following issues: - Update to version jdk8u282 (icedtea 3.18.0) * January 2021 CPU (bsc#1181239) * Security fixes + JDK-8247619: Improve Direct Buffering of Characters (CVE-2020-14803) * Import of OpenJDK 8 u282 build 01 + JDK-6962725: Regtest javax/swing/JFileChooser/6738668/ /bug6738668.java fails under Linux + JDK-8025936: Windows .pdb and .map files does not have proper dependencies setup + JDK-8030350: Enable additional compiler warnings for GCC + JDK-8031423: Test java/awt/dnd/DisposeFrameOnDragCrash/ /DisposeFrameOnDragTest.java fails by Timeout on Windows + JDK-8036122: Fix warning 'format not a string literal' + JDK-8051853: new URI('x/').resolve('..').getSchemeSpecificPart() returns null! + JDK-8132664: closed/javax/swing/DataTransfer/DefaultNoDrop/ /DefaultNoDrop.java locks on Windows + JDK-8134632: Mark javax/sound/midi/Devices/ /InitializationHang.java as headful + JDK-8148854: Class names 'SomeClass' and 'LSomeClass;' treated by JVM as an equivalent + JDK-8148916: Mark bug6400879.java as intermittently failing + JDK-8148983: Fix extra comma in changes for JDK-8148916 + JDK-8160438: javax/swing/plaf/nimbus/8057791/bug8057791.java fails + JDK-8165808: Add release barriers when allocating objects with concurrent collection + JDK-8185003: JMX: Add a version of ThreadMXBean.dumpAllThreads with a maxDepth argument + JDK-8202076: test/jdk/java/io/File/WinSpecialFiles.java on windows with VS2017 + JDK-8207766: [testbug] Adapt tests for Aix. + JDK-8212070: Introduce diagnostic flag to abort VM on failed JIT compilation + JDK-8213448: [TESTBUG] enhance jfr/jvm/TestDumpOnCrash + JDK-8215727: Restore JFR thread sampler loop to old / previous behavior + JDK-8220657: JFR.dump does not work when filename is set + JDK-8221342: [TESTBUG] Generate Dockerfile for docker testing + JDK-8224502: [TESTBUG] JDK docker test TestSystemMetrics.java fails with access issues and OOM + JDK-8231209: [REDO] ThreadMXBean::getThreadAllocatedBytes() can be quicker for self thread + JDK-8231968: getCurrentThreadAllocatedBytes default implementation s/b getThreadAllocatedBytes + JDK-8232114: JVM crashed at imjpapi.dll in native code + JDK-8234270: [REDO] JDK-8204128 NMT might report incorrect numbers for Compiler area + JDK-8234339: replace JLI_StrTok in java_md_solinux.c + JDK-8238448: RSASSA-PSS signature verification fail when using certain odd key sizes + JDK-8242335: Additional Tests for RSASSA-PSS + JDK-8244225: stringop-overflow warning on strncpy call from compile_the_world_in + JDK-8245400: Upgrade to LittleCMS 2.11 + JDK-8248214: Add paddings for TaskQueueSuper to reduce false-sharing cache contention + JDK-8249176: Update GlobalSignR6CA test certificates + JDK-8250665: Wrong translation for the month name of May in ar_JO,LB,SY + JDK-8250928: JFR: Improve hash algorithm for stack traces + JDK-8251469: Better cleanup for test/jdk/javax/imageio/SetOutput.java + JDK-8251840: Java_sun_awt_X11_XToolkit_getDefaultScreenData should not be in make/mapfiles/libawt_xawt/mapfile-vers + JDK-8252384: [TESTBUG] Some tests refer to COMPAT provider rather than JRE + JDK-8252395: [8u] --with-native-debug-symbols=external doesn't include debuginfo files for binaries + JDK-8252497: Incorrect numeric currency code for ROL + JDK-8252754: Hash code calculation of JfrStackTrace is inconsistent + JDK-8252904: VM crashes when JFR is used and JFR event class is transformed + JDK-8252975: [8u] JDK-8252395 breaks the build for --with-native-debug-symbols=internal + JDK-8253284: Zero OrderAccess barrier mappings are incorrect + JDK-8253550: [8u] JDK-8252395 breaks the build for make STRIP_POLICY=no_strip + JDK-8253752: test/sun/management/jmxremote/bootstrap/ /RmiBootstrapTest.java fails randomly + JDK-8254081: java/security/cert/PolicyNode/ /GetPolicyQualifiers.java fails due to an expired certificate + JDK-8254144: Non-x86 Zero builds fail with return-type warning in os_linux_zero.cpp + JDK-8254166: Zero: return-type warning in zeroInterpreter_zero.cpp + JDK-8254683: [TEST_BUG] jdk/test/sun/tools/jconsole/ /WorkerDeadlockTest.java fails + JDK-8255003: Build failures on Solaris ----------------------------------------- Patch: SUSE-2021-670 Released: Mon Mar 1 17:35:51 2021 Summary: Security update for java-1_8_0-ibm Severity: important References: 1181239,1182186,CVE-2020-14803,CVE-2020-27221 Description: This update for java-1_8_0-ibm fixes the following issues: - Update to Java 8.0 Service Refresh 6 Fix Pack 25 [bsc#1182186, bsc#1181239, CVE-2020-27221, CVE-2020-14803] * CVE-2020-27221: Potential for a stack-based buffer overflow when the virtual machine or JNI natives are converting from UTF-8 characters to platform encoding. * CVE-2020-14803: Unauthenticated attacker with network access via multiple protocols allows to compromise Java SE. ----------------------------------------- Patch: SUSE-2021-672 Released: Tue Mar 2 09:13:31 2021 Summary: Recommended update for bcache-tools Severity: moderate References: Description: This update for bcache-tools fixes the following issues: - Update super block version to fix the status tool reading 'sysfs' data properly. (jsc#SLE-9807) ----------------------------------------- Patch: SUSE-2021-690 Released: Wed Mar 3 17:14:42 2021 Summary: Recommended update for scap-security-guide Severity: moderate References: Description: This update for scap-security-guide fixes the following issues: This update ships the ComplianceAsCode build version 0.1.54, containing the following supported file: - SCAP STIG automation for SUSE Linux Enterprise 12 (SUSE supplied) - CIS automation for SUSE Linux Enterprise 15 (community supplied) It can be evaluated using 'oscap' from 'openscap-utils', e.g. by doing on SUSE Linux Enterprise 12: - oscap xccdf eval --profile stig /usr/share/xml/scap/ssg/content/ssg-sle12-ds.xml or the community supplied CIS on SUSE Linux Enterprise 15: - oscap xccdf eval --profile cis /suse/meissner/scap/usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml More content will be added in future updates. Also supplied are Red Hat, CentOS, Fedora, Debian, Ubuntu and related builds from ComplianceAsCode. ----------------------------------------- Patch: SUSE-2021-701 Released: Thu Mar 4 09:17:25 2021 Summary: Recommended update for sane-backends Severity: moderate References: 1179065 Description: This update for sane-backends fixes the following issues: - updated sane-backends to 1.0.32: * Fixed double height image with the avision backend (bsc#1179065) * Removed udev rules mangling for USB devices (ATTR vs ATTRS) * Does no longer add SCSI id twice for EPSON Perfection 1640SU Many more fixes came with this version bump. Please refer to the changelog file of this package. ----------------------------------------- Patch: SUSE-2021-707 Released: Thu Mar 4 09:19:36 2021 Summary: Recommended update for systemd-rpm-macros Severity: moderate References: 1177039 Description: This update for systemd-rpm-macros fixes the following issues: - Bump to version 6 - Make upstream '%systemd_{pre,post,preun,postun}' aliases to their SUSE counterparts. Packagers can now choose to use the upstream or the SUSE variants indifferently. For consistency the SUSE variants should be preferred since almost all SUSE packages already use them but the upstream versions might be usefull in certain cases where packages need to support multiple distros based on RPM. - Improve the logic used to apply the presets. (bsc#1177039) Before presests were applied at a) package installation b) new units introduced via a package update (but after making sure that it was not a SysV initscript being converted). The problem is that a) didn't handle package a renaming or split properly since the package with the new name is installed rather being updated and therefore the presets were applied even if they were already with the old name. We now cover this case (and the other ones) by applying presets only if the units are new and the services are not being migrated. This regardless of whether this happens during an install or an update. ----------------------------------------- Patch: SUSE-2021-717 Released: Fri Mar 5 17:22:41 2021 Summary: Recommended update for stunnel Severity: moderate References: 1182376 Description: This update for stunnel fixes the following issues: - Do not replace the active config file (bsc#1182376) ----------------------------------------- Patch: SUSE-2021-721 Released: Mon Mar 8 16:41:21 2021 Summary: Security update for wpa_supplicant Severity: important References: 1182805,CVE-2021-27803 Description: This update for wpa_supplicant fixes the following issues: - CVE-2021-27803: Fixed a P2P provision discovery processing vulnerability (bsc#1182805). ----------------------------------------- Patch: SUSE-2021-726 Released: Mon Mar 8 17:16:33 2021 Summary: Recommended update for regionServiceClientConfigEC2 Severity: moderate References: 1176005,1176007 Description: This update for regionServiceClientConfigEC2 contains the following fixes: - Update to version 3.0.0: (bsc#1176005, bsc#1176007) + Reduce the number of region servers + Require python3-ec2metadata to support IMDSv2 only setups ----------------------------------------- Patch: SUSE-2021-734 Released: Tue Mar 9 14:40:17 2021 Summary: Recommended update for dehydrated Severity: moderate References: 1154167,1178927 Description: This update for dehydrated fixes the following issues: Update to dehydrated 0.7.0 (jsc#SLE-15909) - Added - Support for external account bindings - Special support for ZeroSSL - Support presets for some CAs instead of requiring URLs - Allow requesting preferred chain (--preferred-chain) - Added method to show CAs current terms of service (--display-terms) - Allow setting path to domains.txt using cli arguments (--domains-txt) - Added new cli command --cleanupdelete which deletes old files instead of archiving them - Fixed - No more silent failures on broken hook-scripts - Better error-handling with KEEP_GOING enabled - Check actual order status instead of assuming it's valid - Don't include keyAuthorization in challenge validation (RFC compliance) - Changed - Using EC secp384r1 as default certificate type - Use JSON.sh to parse JSON - Use account URL instead of account ID (RFC compliance) - Dehydrated now has a new home: https://github.com/dehydrated-io/dehydrated - Added OCSP_FETCH and OCSP_DAYS to per-certificate configurable options - dehydrated-apache2: Check for mod_compat (bsc#1178927) - Update maintainer file and package description, remove features that are better described in the (upstream maintained) man page. - Remove potentially harmful scriptlet (bsc#1154167). - Removed lighttpd 1.x integration package. If you still would like to use lighttpd with dehydrated, follow the instructions in the README.maintainers file. ----------------------------------------- Patch: SUSE-2021-746 Released: Tue Mar 9 16:57:49 2021 Summary: Recommended update for xorg-x11-server Severity: moderate References: 1182884 Description: This update for xorg-x11-server fixes the following issues: - Fix for build issues with armv7. (bsc#1182884) ----------------------------------------- Patch: SUSE-2021-761 Released: Wed Mar 10 12:26:54 2021 Summary: Recommended update for libX11 Severity: moderate References: 1181963 Description: This update for libX11 fixes the following issues: - Fixes a race condition in 'libX11' that causes various applications to crash randomly. (bsc#1181963) ----------------------------------------- Patch: SUSE-2021-769 Released: Thu Mar 11 20:22:29 2021 Summary: Security update for openssl-1_0_0 Severity: moderate References: 1182331,1182333,CVE-2021-23840,CVE-2021-23841 Description: This update for openssl-1_0_0 fixes the following issues: - CVE-2021-23840: Fixed an Integer overflow in CipherUpdate (bsc#1182333) - CVE-2021-23841: Fixed a Null pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331) ----------------------------------------- Patch: SUSE-2021-772 Released: Fri Mar 12 11:56:21 2021 Summary: Security update for stunnel Severity: important References: 1177580,1182529,CVE-2021-20230 Description: This update for stunnel fixes the following issues: - Security fix: [bsc#1177580, bsc#1182529, CVE-2021-20230] * 'redirect' option does not properly handle 'verifyChain = yes' ----------------------------------------- Patch: SUSE-2021-784 Released: Mon Mar 15 11:19:08 2021 Summary: Recommended update for efivar Severity: moderate References: 1181967 Description: This update for efivar fixes the following issues: - Fixed an issue with the NVME path parsing (bsc#1181967) ----------------------------------------- Patch: SUSE-2021-786 Released: Mon Mar 15 11:19:23 2021 Summary: Recommended update for zlib Severity: moderate References: 1176201 Description: This update for zlib fixes the following issues: - Fixed hw compression on z15 (bsc#1176201) ----------------------------------------- Patch: SUSE-2021-795 Released: Tue Mar 16 10:28:02 2021 Summary: Recommended update for systemd-rpm-macros Severity: low References: 1182661,1183012,1183051 Description: This update for systemd-rpm-macros fixes the following issues: - Added a %systemd_user_pre macro (bsc#1183051, bsc#1183012) - Fixed an issue with %systemd_user_post, where the --global parameter was treated like if it was another service (bsc#1183051, bsc#1182661) ----------------------------------------- Patch: SUSE-2021-800 Released: Tue Mar 16 12:53:08 2021 Summary: Security update for velocity Severity: important References: 1183360,CVE-2020-13936 Description: This update for velocity fixes the following issues: - CVE-2020-13936: Fixed an arbitrary code execution when attacker is able to modify templates (bsc#1183360). ----------------------------------------- Patch: SUSE-2021-873 Released: Thu Mar 18 09:40:58 2021 Summary: Recommended update for xorg-x11-server Severity: moderate References: 1182510 Description: This update for xorg-x11-server fixes the following issues: - Fix broken man page in 'autoconf' build. (bsc#1182510) ----------------------------------------- Patch: SUSE-2021-880 Released: Fri Mar 19 04:14:38 2021 Summary: Recommended update for hwdata Severity: low References: 1170160,1182482 Description: This update for hwdata fixes the following issues: - Updated pci, usb and vendor ids (bsc#1182482, bsc#1170160, jsc#SLE-13791) ----------------------------------------- Patch: SUSE-2021-881 Released: Fri Mar 19 04:16:42 2021 Summary: Recommended update for yast2-adcommon-python, yast2-aduc, samba Severity: moderate References: 1084864,1132565,1133568,1135130,1135224,1138203,1138487,1145508,1146898,1150394,1150612,1151713,1152052,1154121,1170998 Description: This update for yast2-adcommon-python, yast2-aduc, samba fixes the following issues: - Update 'aduc' for 'realmd' customer. (jsc#SLE-5527) - Add ability to change/enable/unlock user's passwords. (bsc#1152052) - Fixes a Failure to authenticate on first try and throws a MemoryError on Ubuntu. (bsc#1151713) - Fixes an issue when unused 'xset' may cause exception in 'appimage'. (bsc#1150612) - Include other object creaiton options. (bsc#1138203) - Use the domain name stored in the samba credentials object. (bsc#1138487) - Display a backtrace if the connection fails. - Use new schema of desktop files. (bsc#1084864) - Move the module to Network Services. - Use common authentication from yast2-adcommon-python. - Switch to using a unified file/actions menu, instead of random buttons - Remove 'ad-dc' dependency. (jsc#ECO-2527) - Fix slow load of 'ADUC' caused by chatty ldap traffic. (bsc#1170998) - The domain label should be a text field, for manually entering the domain name. (bsc#1154121) - Fix to reconnect the 'ldap' session if it times out. (bsc#1150394) - 'AD' modules should connect to an AD-DC via the SamDB interface, instead of 'python-ldap'. (bsc#1146898) - Fix incorrectly placed domain in change domain dialog (bsc#1145508) - YaST 'aduc/adsi/gpmc' should not exit after entering empty password and explicitly state that an Active Directory administrator should sign in. (bsc#1132565) - Move schema parsing code from adsi to the common code. (bsc#1138203) - 'TypeError: Expected a string or unicode object' during auth. (bsc#1135224) - Authentication fails with 'Failed to initialize ldap connection'. (bsc#1135130) - Fix for an issue when 'yast2-adcommon-python' 'ldap' does not correctly parse 'ldap' urls. (bsc#1133568) - Initial version ----------------------------------------- Patch: SUSE-2021-906 Released: Fri Mar 19 16:18:34 2021 Summary: Recommended maintenance update for SUSE Manager 4.1: Server and Proxy Severity: moderate References: 1157711,1173893,1175660,1177508,1179579,1180145,1180146,1180224,1180439,1180547,1180558,1180757,1180994,1181048,1181165,1181228,1181290,1181416,1181423,1181635,1181807,1181814,1182001,1182006,1182008,1182071,1182200,1182492,1182685,CVE-2020-26217,CVE-2020-26258,CVE-2020-26259,CVE-2020-28477 Description: Maintenance update for SUSE Manager 4.1: Server and Proxy This is a codestream only patchinfo. ----------------------------------------- Patch: SUSE-2021-924 Released: Tue Mar 23 10:00:49 2021 Summary: Recommended update for filesystem Severity: moderate References: 1078466,1146705,1175519,1178775,1180020,1180083,1180596,1181011,1181831,1183094 Description: This update for filesystem the following issues: - Remove duplicate line due to merge error - Add fix for 'mesa' creating cache with perm 0700. (bsc#1181011) - Fixed an issue causing failure during installation/upgrade a failure. (rh#1548403) (bsc#1146705) - Allows to override config to add cleanup options of '/var/tmp'. (bsc#1078466) - Create config to cleanup '/tmp' regular required with 'tmpfs'. (bsc#1175519) This update for systemd fixes the following issues: - Fix for a possible memory leak. (bsc#1180020) - Fix for a case when to a bind mounted directory results inactive mount units. (#7811) (bsc#1180596) - Fixed an issue when starting a container conflicts with another one. (bsc#1178775) - Drop most of the tmpfiles that deal with generic paths and avoid warnings. (bsc#1078466, bsc#1181831) - Don't use shell redirections when calling a rpm macro. (bsc#1183094) - 'systemd' requires 'aaa_base' >= 13.2. (bsc#1180083) ----------------------------------------- Patch: SUSE-2021-925 Released: Tue Mar 23 10:39:19 2021 Summary: Recommended update for fetchmail Severity: moderate References: 1136538,1182807 Description: This update for fetchmail fixes the following issues: - Remove comment about not available FETCHMAIL_USER configuration variable in sysconfig.fetchmail. (bsc#1136538) - Set the hostname for SNI when using TLS (bsc#1182807) ----------------------------------------- Patch: SUSE-2021-926 Released: Tue Mar 23 13:20:24 2021 Summary: Recommended update for systemd-presets-common-SUSE Severity: moderate References: 1083473,1112500,1115408,1165780,1183012 Description: This update for systemd-presets-common-SUSE fixes the following issues: - Add default user preset containing: - enable `pulseaudio.socket` (bsc#1083473) - enable `pipewire.socket` (bsc#1183012) - enable `pipewire-pulse.socket` (bsc#1183012) - enable `pipewire-media-session.service` (used with pipewire >= 0.3.23) - Changes to the default preset: - enable `btrfsmaintenance-refresh.path`. - disable `btrfsmaintenance-refresh.service`. - enable `dnf-makecache.timer`. - enable `ignition-firstboot-complete.service`. - enable logwatch.timer and avoid to have logwatch out of sync with logrotate. (bsc#1112500) - enable `mlocate.timer`. Recent versions of mlocate don't use `updatedb.timer` any more. (bsc#1115408) - remove enable `updatedb.timer` - Avoid needless refresh on boot. (bsc#1165780) ----------------------------------------- Patch: SUSE-2021-927 Released: Tue Mar 23 14:07:06 2021 Summary: Recommended update for libreoffice Severity: moderate References: 1041090,1049382,1116658,1136234,1155141,1173404,1173409,1173410,1173471,1174465,1176547,1177955,1178807,1178943,1178944,1179025,1179203,1181122,1181644,1181872,1182790 Description: This update for libreoffice provides the upgrade from version 6.4.5.2 to 7.1.1.2 (jsc#ECO-3150, bsc#1182790) libreoffice: - Image shown with different aspect ratio (bsc#1176547) - Text changes are reproducibly lost on PPTX with SmartArt (bsc#1181644) - Adjust to new Box2D and enable KDE on SUSE Linux Enterprise 15-SP3 or newer (jsc#ECO-3375) - Wrong bullet points in Impress (bsc#1174465) - SmartArt: text wrongly aligned, background boxes not quite right (bsc#1177955) - Update the SUSE color palette to reflect the new SUSE branding. (bsc#1181122, bsc#1173471) - SUSE Mint - SUSE Midnight Blue - SUSE Waterhole Blue - SUSE Persimmon - Fix a crash opening a PPTX. (bsc#1179025) - Fix text box from PowerPoint renders vertically instead of horizontally (bsc#1178807) - Shadow effects for table completely missing (bsc#1178944, bsc#1178943) - Disable firebird integration for the time being (bsc#1179203) - Fixes hang on Writer on scrolling/saving of a document (bsc#1136234) - Wrong rendering of bulleted lists in PPTX document (bsc#1155141) - Sidebar: paragraph widget: numeric fields become inactive/unaccessible after saving (bsc#1173404) - Crash of Writer opening any document having 'invalid' python file in home directory (bsc#1116658) libixion: Update to 0.16.1: - fixed a build issue on 32-bit linux platforms, caused by slicing of integer string ID values. - worked around floating point rounding errors which prevented two theoretically-equal numeric values from being evaluated as equal in test code. - added new function to allow printing of single formula tokens. - added method for setting cached results on formula cells in model_context. - changed the model_context design to ensure that all sheets are of the same size. - added an accessor method to formula_model_access interface (and implicitly in model_context) that directly returns a string value from cell. - added cell_access class for querying of cell states without knowing its type ahead of time. - added document class which provides a layer on top of model_context, to abstract away the handling of formula calculations. - deprecated model_context::erase_cell() in favor of empty_cell(). - added support for 3D references - references that contain multiple sheets. - added support for the exponent (^) and concatenation (&) operators. - fixed incorrect handling of range references containing whole columns such as A:A. - added support for unordered range references - range references whose start row or column is greater than their end position counterparts, such as A3:A1. - fixed a bug that prevented nested formula functions from working properly. - implemented Calc A1 style reference resolver. - formula results now directly store the string values when the results are of string type. They previously stored string ID values after interning the original strings. - Removed build-time dependency on spdlog. libmwaw: Update to 0.3.17: - add a parser for Jazz(Lotus) writer and spreasheet files. The writer parser can only be called if the file still contains its resource fork - add a parser for Canvas 3 and 3.5 files - AppleWorks parser: try to retrieve more Windows presentation - add a parser for Drawing Table files - add a parser for Canvas 2 files - API: add new reserved enums in MWAWDocument.hxx `MWAW_T_RESERVED10..MWAW_T_RESERVED29` and add a new define in libmwaw.hxx `MWAW_INTERFACE_VERSION` to check if these enums are defined - remove the QuarkXPress parser (must be in libqxp) - retrieve the annotation in MsWord 5 document - try to better understand RagTime 5-6 document libnumbertext: Update to 1.0.6 liborcus: Update to 0.16.1 - Add upstream changes to fix build with GCC 11 (bsc#1181872) libstaroffice: Update to 0.0.7: - fix `text:sender-lastname` when creating meta-data libwps: Update to 0.4.11: - XYWrite: add a parser to .fil v2 and v4 files - wks,wk1: correct some problems when retrieving cell's reference. glfw: New package provided on version 3.3.2: - See also: https://www.glfw.org/changelog.html - Sort list of input files to geany for reproducible builds (bsc#1049382, bsc#1041090) * Require pkgconfig(gl) for the devel package to supply needed include GL/gl.h * glfwFocusWindow could terminate on older WMs or without a WM * Creating an undecorated window could fail with BadMatch * Querying a disconnected monitor could segfault * Video modes with a duplicate screen area were discarded * The CMake files did not check for the XInput headers * Key names were not updated when the keyboard layout changed * Decorations could not be enabled after window creation * Content scale fallback value could be inconsistent * Disabled cursor mode was interrupted by indicator windows * Monitor physical dimensions could be reported as zero mm * Window position events were not emitted during resizing * Added on-demand loading of Vulkan and context creation API libraries * [X11] Bugfix: Window size limits were ignored if the minimum or maximum size was set to `GLFW_DONT_CARE` * [X11] Bugfix: Input focus was set before window was visible, causing BadMatch on some non-reparenting WMs * [X11] Bugfix: glfwGetWindowPos and glfwSetWindowPos operated on the window frame instead of the client area * [WGL] Added reporting of errors from `WGL_ARB_create_context` extension * [EGL] Added lib prefix matching between EGL and OpenGL ES library binaries * [EGL] Bugfix: Dynamically loaded entry points were not verified - Made build of geany-tags optional. Box2D: New package provided on version 2.4.1: * Extended distance joint to have a minimum and maximum limit. * `B2_USER_SETTINGS` and `b2_user_settings.h` can control user data, length units, and maximum polygon vertices. * Default user data is now uintptr_t instead of void* * b2FixtureDef::restitutionThreshold lets you set the restitution velocity threshold per fixture. * Collision * Chain and edge shape must now be one-sided to eliminate ghost collisions * Broad-phase optimizations * Added b2ShapeCast for linear shape casting * Dynamics * Joint limits are now predictive and not stateful * Experimental 2D cloth (rope) * b2Body::SetActive -> b2Body::SetEnabled * Better support for running multiple worlds * Handle zero density better * The body behaves like a static body * The body is drawn with a red color * Added translation limit to wheel joint * World dump now writes to box2d_dump.inl * Static bodies are never awake * All joints with spring-dampers now use stiffness and damping * Added utility functions to convert frequency and damping ratio to stiffness and damping * Polygon creation now computes the convex hull. * The convex hull code will merge vertices closer than dm_linearSlop. ----------------------------------------- Patch: SUSE-2021-930 Released: Wed Mar 24 12:09:23 2021 Summary: Security update for nghttp2 Severity: important References: 1172442,1181358,CVE-2020-11080 Description: This update for nghttp2 fixes the following issues: - CVE-2020-11080: HTTP/2 Large Settings Frame DoS (bsc#1181358) ----------------------------------------- Patch: SUSE-2021-933 Released: Wed Mar 24 12:16:14 2021 Summary: Security update for ruby2.5 Severity: important References: 1177125,1177222,CVE-2020-25613 Description: This update for ruby2.5 fixes the following issues: - CVE-2020-25613: Fixed a potential HTTP Request Smuggling in WEBrick (bsc#1177125). - Enable optimizations also on ARM64 (bsc#1177222) ----------------------------------------- Patch: SUSE-2021-936 Released: Wed Mar 24 12:21:17 2021 Summary: Security update for libass Severity: important References: 1177862,CVE-2020-26682 Description: This update for libass fixes the following issues: - CVE-2020-26682: Fixed a signed integer overflow in the call to outline_stroke() (bsc#1177862). ----------------------------------------- Patch: SUSE-2021-940 Released: Wed Mar 24 12:25:20 2021 Summary: Security update for jetty-minimal Severity: important References: 1182898,CVE-2020-27223 Description: This update for jetty-minimal fixes the following issues: - jetty-minimal was upgraded to version 9.4.38.v20210224 - CVE-2020-27223: Fixed an issue with Accept request header which might have led to Denial of Service (bsc#1182898). ----------------------------------------- Patch: SUSE-2021-941 Released: Wed Mar 24 12:25:53 2021 Summary: Security update for hawk2 Severity: important References: 1179999,1182165,1182166,CVE-2020-35459,CVE-2021-25314 Description: This update for hawk2 fixes the following issues: - Update to version 2.6.3: * Remove hawk_invoke and use capture3 instead of runas (bsc#1179999)(CVE-2020-35459) * Remove unnecessary chmod (bsc#1182166)(CVE-2021-25314) * Sanitize filename to contains whitelist of alphanumeric (bsc#1182165) ----------------------------------------- Patch: SUSE-2021-949 Released: Wed Mar 24 14:32:00 2021 Summary: Security update for evolution-data-server Severity: moderate References: 1173910,1174712,1182882,CVE-2020-14928,CVE-2020-16117 Description: This update for evolution-data-server fixes the following issues: - CVE-2020-16117: Fix crash on malformed server response with minimal capabilities (bsc#1174712). - CVE-2020-14928: Response injection via STARTTLS in SMTP and POP3 (bsc#1173910). - Fix buffer overrun when parsing base64 data (bsc#1182882). This update for evolution-ews fixes the following issue: - Fix buffer overrun when parsing base64 data (bsc#1182882). ----------------------------------------- Patch: SUSE-2021-952 Released: Thu Mar 25 14:36:56 2021 Summary: Recommended update for libunwind Severity: moderate References: 1160876,1171549 Description: This update for libunwind fixes the following issues: - Update to version 1.5.0. (jsc#ECO-3395) - Enable s390x for building. (jsc#ECO-3395) - Fix compilation with 'fno-common'. (bsc#1171549) - Fix build with 'GCC-10'. (bsc#1160876) ----------------------------------------- Patch: SUSE-2021-953 Released: Thu Mar 25 14:37:26 2021 Summary: Recommended update for psmisc Severity: moderate References: 1178407 Description: This update for psmisc fixes the following issues: - Fix for 'fuser' when it does not show open kvm storage image files such as 'qcow2' files. (bsc#1178407) ----------------------------------------- Patch: SUSE-2021-960 Released: Mon Mar 29 11:16:28 2021 Summary: Recommended update for cloud-init Severity: moderate References: 1181283 Description: This update for cloud-init fixes the following issues: - Does no longer include the sudoers.d directory twice (bsc#1181283) ----------------------------------------- Patch: SUSE-2021-961 Released: Mon Mar 29 11:19:46 2021 Summary: Feature providing sapstartsrv-resource-agents Severity: moderate References: Description: This update for sapstartsrv-resource-agents provides the following changes: Simplified Cluster FS architecture for S/4HANA and NetWeaver (jsc#ECO-3341): - This is a resource agent for the instance specific SAP start framework. It controls the instance specific sapstartsrv process which provides the API to start, stop and check an SAP instance. ----------------------------------------- Patch: SUSE-2021-964 Released: Mon Mar 29 11:31:30 2021 Summary: Recommended update for clamsap Severity: moderate References: 1181586 Description: This update for clamsap fixes the following issues: - updated the documentation about RAM allocation of anon memory segment for SAP worker processes (bsc#1181586) ----------------------------------------- Patch: SUSE-2021-966 Released: Mon Mar 29 13:06:24 2021 Summary: Security update for MozillaFirefox Severity: important References: 1183942,CVE-2021-23981,CVE-2021-23982,CVE-2021-23984,CVE-2021-23987 Description: This update for MozillaFirefox fixes the following issues: - Firefox was updated to 78.9.0 ESR (MFSA 2021-11, bsc#1183942) * CVE-2021-23981: Texture upload into an unbound backing buffer resulted in an out-of-bound read * CVE-2021-23982: Internal network hosts could have been probed by a malicious webpage * CVE-2021-23984: Malicious extensions could have spoofed popup information * CVE-2021-23987: Memory safety bugs ----------------------------------------- Patch: SUSE-2021-967 Released: Mon Mar 29 13:48:07 2021 Summary: Recommended update for scap-security-guide Severity: moderate References: Description: This update for scap-security-guide fixes the following issues: - Restore the Red Hat conflict when the package builds on Red Hat, Fedora or derivates. ----------------------------------------- Patch: SUSE-2021-974 Released: Mon Mar 29 19:31:27 2021 Summary: Security update for tar Severity: low References: 1181131,CVE-2021-20193 Description: This update for tar fixes the following issues: CVE-2021-20193: Memory leak in read_header() in list.c (bsc#1181131) ----------------------------------------- Patch: SUSE-2021-981 Released: Tue Mar 30 10:59:43 2021 Summary: Recommended update for cloud-regionsrv Severity: moderate References: 1029162,1171232,1171233 Description: This update for cloud-regionsrv fixes the following issues: - Fix for region server that may return an incorrect region and during verification of the IP leads to a mismatch. (bsc#1171232, bsc#1171233) - Update to version 8.0.5 (bsc#1029162) - Improve region hint matching by forcing config settings and received 'regionHint' to lower case - IPv6 support ----------------------------------------- Patch: SUSE-2021-985 Released: Tue Mar 30 14:43:43 2021 Summary: Recommended update for the Azure SDK and CLI Severity: moderate References: 1125671,1140565,1154393,1174514,1175289,1176784,1176785,1178168,CVE-2020-14343,CVE-2020-25659 Description: This update for the Azure SDK and CLI adds support for the AHB (Azure Hybrid Benefit). (bsc#1176784, jsc#ECO=3105) ----------------------------------------- Patch: SUSE-2021-991 Released: Wed Mar 31 13:28:37 2021 Summary: Recommended update for vim Severity: moderate References: 1182324 Description: This update for vim provides the following fixes: - Install SUSE vimrc in /usr. (bsc#1182324) - Source correct suse.vimrc file. (bsc#1182324) ----------------------------------------- Patch: SUSE-2021-996 Released: Wed Mar 31 15:17:03 2021 Summary: Recommended update for mariadb-connector-c Severity: moderate References: 1182739 Description: This update for mariadb-connector-c fixes the following issues: - mariadb-connector-c was updated to 3.1.12 (bsc#1182739): * MDEV-24577: Fix warnings generated during compilation of plugin/auth_pam/testing/pam_mariadb_mtr.c on FreeBSD * CONC-521: Fixed warning on MacOS when including ucontext.h * CONC-518: Check if mysql->options.extension was allocated before checking async_context * CONC-517: C/C looks for plugins in wrong location on Windows ----------------------------------------- Patch: SUSE-2021-1002 Released: Thu Apr 1 13:59:48 2021 Summary: Recommended update for wireguard-tools Severity: low References: 1181334 Description: This update for wireguard-tools fixes the following issues: - Added tunnel config reload functionality (e.g. systemctl reload wg-quick@wg0.service) ----------------------------------------- Patch: SUSE-2021-1007 Released: Thu Apr 1 17:47:20 2021 Summary: Security update for MozillaFirefox Severity: important References: 1183942,CVE-2021-23981,CVE-2021-23982,CVE-2021-23984,CVE-2021-23987 Description: This update for MozillaFirefox fixes the following issues: - Firefox was updated to 78.9.0 ESR (MFSA 2021-11, bsc#1183942) * CVE-2021-23981: Texture upload into an unbound backing buffer resulted in an out-of-bound read * CVE-2021-23982: Internal network hosts could have been probed by a malicious webpage * CVE-2021-23984: Malicious extensions could have spoofed popup information * CVE-2021-23987: Memory safety bugs ----------------------------------------- Patch: SUSE-2021-1008 Released: Thu Apr 1 17:49:05 2021 Summary: Security update for tomcat Severity: important References: 1182909,1182912,CVE-2021-25122,CVE-2021-25329 Description: This update for tomcat fixes the following issues: CVE-2021-25122: Apache Tomcat h2c request mix-up (bsc#1182912) CVE-2021-25329: Complete fix for CVE-2020-9484 (bsc#1182909) ----------------------------------------- Patch: SUSE-2021-1017 Released: Tue Apr 6 14:27:58 2021 Summary: Recommended update for dehydrated Severity: moderate References: Description: This update for dehydrated fixes the following issues: - Add directory where cleanup can archive unused certificates - Clarified new default settings. KEY_ALGO=secp384r1. Please consult README.maintainer for details and how to return to RSA-based certificate issuance. (jsc#ECO-3435, jsc#SLE-15909) - Added a note about ACMEv1 deprecation - Added a note on new ACME providers and the new non-URL provider syntax. See README.maintainer for details. ----------------------------------------- Patch: SUSE-2021-1018 Released: Tue Apr 6 14:29:13 2021 Summary: Recommended update for gzip Severity: moderate References: 1180713 Description: This update for gzip fixes the following issues: - Fixes an issue when 'gzexe' counts the lines to skip wrong. (bsc#1180713) ----------------------------------------- Patch: SUSE-2021-1019 Released: Tue Apr 6 14:29:37 2021 Summary: Recommended update for gdb Severity: moderate References: 1180786 Description: This update for gdb fixes the following issues: - Fixed a heap-use-after-free issue in remote_async_inferior_event_handler - Changed the license back to 'GPL-3.0-or-later AND GPL-3.0-with-GCC-exception AND LGPL-2.1-or-later AND LGPL-3.0-or-later' - it was accidentally changed (bsc#1180786) ----------------------------------------- Patch: SUSE-2021-1021 Released: Tue Apr 6 14:30:30 2021 Summary: Recommended update for cups Severity: moderate References: 1175960 Description: This update for cups fixes the following issues: - Fixed the web UI kerberos authentication (bsc#1175960) ----------------------------------------- Patch: SUSE-2021-1029 Released: Tue Apr 6 18:26:20 2021 Summary: Security update for gssproxy Severity: moderate References: 1180515,CVE-2020-12658 Description: This update for gssproxy fixes the following issues: - CVE-2020-12658: Fixed an issue where gssproxy was not unlocking cond_mutex before pthread exit in gp_worker_main() (bsc#1180515). ----------------------------------------- Patch: SUSE-2021-1097 Released: Wed Apr 7 18:06:54 2021 Summary: Security update for openexr Severity: moderate References: 1184172,1184173,1184174,CVE-2021-3474,CVE-2021-3475,CVE-2021-3476 Description: This update for openexr fixes the following issues: - CVE-2021-3474: Undefined-shift in Imf_2_5::FastHufDecoder::FastHufDecoder (bsc#1184174) - CVE-2021-3475: Integer-overflow in Imf_2_5::calculateNumTiles (bsc#1184173) - CVE-2021-3476: Undefined-shift in Imf_2_5::unpack14 (bsc#1184172) ----------------------------------------- Patch: SUSE-2021-1100 Released: Thu Apr 8 08:44:13 2021 Summary: Recommended update for sapconf Severity: moderate References: 1176061,1179524,1182314,1182906 Description: This update for sapconf fixes the following issues: - Added sapconf_check and supportconfig plugin for sapconf - Added change log message for 'MIN_PERF_PCT' parameter to reduce the spot light (bsc#1179524) - Added an additional check to detect an active saptune service to improve log messages (bsc#1182314) - sapconf.service starts now automatically during package update, if tuned is running with sapconf as profile (bsc#1176061) - sapconf.service will now only be disabled if saptune is active (bsc#1182906) ----------------------------------------- Patch: SUSE-2021-1104 Released: Thu Apr 8 10:32:42 2021 Summary: Security update for fwupdate Severity: important References: 1182057 Description: This update for fwupdate fixes the following issues: - Add SBAT section to EFI images (bsc#1182057) ----------------------------------------- Patch: SUSE-2021-1116 Released: Fri Apr 9 10:56:55 2021 Summary: Security update for umoci Severity: important References: 1184147,CVE-2021-29136 Description: This update for umoci fixes the following issues: - Update to umoci v0.4.6. - CVE-2021-29136: malicious layer allows overwriting of host files (bsc#1184147) ----------------------------------------- Patch: SUSE-2021-1137 Released: Mon Apr 12 13:09:53 2021 Summary: Recommended update for lifecycle-data-sle-live-patching Severity: low References: 1020320 Description: This update for lifecycle-data-sle-live-patching fixes the following issues: - Added data for 4_12_14-122_63, 4_12_14-95_71, 4_4_121-92_152, 4_4_180-94_141 (bsc#1020320) ----------------------------------------- Patch: SUSE-2021-1155 Released: Tue Apr 13 04:42:54 2021 Summary: Recommended update for sblim-sfcb Severity: important References: 1180753 Description: This update for sblim-sfcb fixes the following issue: - Avoid a double free during a failed localhost client connection. (bsc#1180753) ----------------------------------------- Patch: SUSE-2021-1163 Released: Tue Apr 13 13:42:38 2021 Summary: Security update for spamassassin Severity: important References: 1159133,1184221,CVE-2019-12420,CVE-2020-1946 Description: This update for spamassassin fixes the following issues: - CVE-2019-12420: memory leak via crafted messages (bsc#1159133) - CVE-2020-1946: security update (bsc#1184221) ----------------------------------------- Patch: SUSE-2021-1166 Released: Tue Apr 13 14:03:51 2021 Summary: Security update for wpa_supplicant Severity: moderate References: 1184348,CVE-2021-30004 Description: This update for wpa_supplicant fixes the following issues: - CVE-2021-30004: Fixed an issue where forging attacks might have occured because AlgorithmIdentifier parameters are mishandled in tls/pkcs1.c and tls/x509v3.c (bsc#1184348). ----------------------------------------- Patch: SUSE-2021-1167 Released: Tue Apr 13 14:04:14 2021 Summary: Security update for MozillaThunderbird Severity: important References: 1177542,1183942,1184536,CVE-2021-23981,CVE-2021-23982,CVE-2021-23984,CVE-2021-23987,CVE-2021-23991,CVE-2021-23992 Description: This update for MozillaThunderbird fixes the following issues: - Mozilla Thunderbird was updated to version 78.9.1 (MFSA 2021-12,MFSA 2021-13, bsc#1183942, bsc#1184536) * CVE-2021-23981: Texture upload into an unbound backing buffer resulted in an out-of-bound read * CVE-2021-23982: Internal network hosts could have been probed by a malicious webpage * CVE-2021-23984: Malicious extensions could have spoofed popup information * CVE-2021-23987: Memory safety bugs * CVE-2021-23991: An attacker may use Thunderbird's OpenPGP key refresh mechanism to poison an existing key * CVE-2021-23993: Inability to send encrypted OpenPGP email after importing a crafted OpenPGP key - cleaned up and fixed mozilla.sh.in for wayland (bsc#1177542) ----------------------------------------- Patch: SUSE-2021-1169 Released: Tue Apr 13 15:01:42 2021 Summary: Recommended update for procps Severity: low References: 1181976 Description: This update for procps fixes the following issues: - Corrected a statement in the man page about processor pinning via taskset (bsc#1181976) ----------------------------------------- Patch: SUSE-2021-1182 Released: Tue Apr 13 18:38:05 2021 Summary: Security update for xorg-x11-server Severity: important References: 1180128,CVE-2021-3472 Description: This update for xorg-x11-server fixes the following issues: - CVE-2021-3472: XChangeFeedbackControl Integer Underflow Privilege Escalation (bsc#1180128) ----------------------------------------- Patch: SUSE-2021-1190 Released: Wed Apr 14 14:08:13 2021 Summary: Security update for clamav Severity: important References: 1181256,1184532,1184533,1184534,CVE-2021-1252,CVE-2021-1404,CVE-2021-1405 Description: This update for clamav fixes the following issues: - CVE-2021-1252: Fix for Excel XLM parser infinite loop. (bsc#1184532) - CVE-2021-1404: Fix for PDF parser buffer over-read; possible crash. (bsc#1184533) - CVE-2021-1405: Fix for mail parser NULL-dereference crash. (bsc#1184534) - Fix errors when scanning files > 4G (bsc#1181256) - Update clamav.keyring - Update to 0.103.2 ----------------------------------------- Patch: SUSE-2021-1230 Released: Thu Apr 15 17:09:58 2021 Summary: Recommended update for SUSE Manager Client Tools Severity: moderate References: 1131670,1178072,1181124,1181474,1182339,1182603,1183959 Description: This update fixes the following issues: golang-github-boynux-squid_exporter: - Build requires Go 1.15 - Add %license macro for LICENSE file golang-github-lusitaniae-apache_exporter: - Build with Go 1.15 golang-github-prometheus-prometheus: - Uyuni: `hostname` label is now set to FQDN instead of IP grafana: - Update to version 7.4.2: * Make Datetime local (No date if today) working (#31274) (#31275) * 'Release: Updated versions in package to 7.4.2' (#31272) * [v7.4.x] Chore: grafana-toolkit uses grafana-ui and grafana-data workspaces (#31269) * Snapshots: Disallow anonymous user to create snapshots (#31263) (#31266) * only update usagestats every 30min (#31131) (#31262) * Prometheus: Fix enabling of disabled queries when editing in dashboard (#31055) (#31248) * CloudWatch: Ensure empty query row errors are not passed to the panel (#31172) (#31245) * StatPanels: Fixes to palette color scheme is not cleared when loading panel (#31126) (#31246) * QueryEditors: Fixes issue that happens after moving queries then editing would update other queries (#31193) (#31244) * LibraryPanels: Disconnect before connect during dashboard save (#31235) (#31238) * SqlDataSources: Fixes the Show Generated SQL button in query editors (#31236) (#31239) * Variables: Adds back default option for data source variable (#31208) (#31232) * IPv6: Support host address configured with enclosing square brackets (#31226) (#31228) * Postgres: Fix timeGroup macro converts long intervals to invalid numbers when TimescaleDB is enabled (#31179) (#31224) * Remove last synchronisation field from LDAP debug view (#30984) (#31221) * [v7.4.x]: Sync drone config from master to stable release branch (#31213) * DataSourceSrv: Filter out non queryable data sources by default (#31144) (#31214) * Alerting: Fix modal text for deleting obsolete notifier (#31171) (#31209) * Variables: Fixes missing empty elements from regex filters (#31156) (#31201) * DashboardLinks: Fixes links always cause full page reload (#31178) (#31181) * DashboardListPanel: Fixes issue with folder picker always showing All and using old form styles (#31160) (#31162) * Permissions: Fix team and role permissions on folders/dashboards not displayed for non Grafana Admin users (#31132) (#31176) * Prometheus: Multiply exemplars timestamp to follow api change (#31143) (#31170) - Added add-gotest-module.patch to fix 'inconsistent vendoring' build failure - Update to version 7.4.1: * 'Release: Updated versions in package to 7.4.1' (#31128) * Transforms: Fixes Outer join issue with duplicate field names not getting the same unique field names as before (#31121) (#31127) * MuxWriter: Handle error for already closed file (#31119) (#31120) * Logging: sourcemap transform asset urls from CDN in logged stacktraces (#31115) (#31117) * Exemplars: Change CTA style (#30880) (#31105) * test: add support for timeout to be passed in for addDatasource (#30736) (#31090) * Influx: Make max series limit configurable and show the limiting message if applied (#31025) (#31100) * Elasticsearch: fix log row context erroring out (#31088) (#31094) * test: update addDashboard flow for v7.4.0 changes (#31059) (#31084) * Usage stats: Adds source/distributor setting (#31039) (#31076) * DashboardLinks: Fixes crash when link has no title (#31008) (#31050) * Make value mappings correctly interpret numeric-like strings (#30893) (#30912) * Elasticsearch: Fix alias field value not being shown in query editor (#30992) (#31037) * BarGauge: Improvements to value sizing and table inner width calculations (#30990) (#31032) * convert path to posix by default (#31045) (#31053) * Alerting: Fixes so notification channels are properly deleted (#31040) (#31046) * Drone: Fix deployment image (#31027) (#31029) * Graph: Fixes so graph is shown for non numeric time values (#30972) (#31014) * instrumentation: make the first database histogram bucket smaller (#30995) (#31001) * Build: Releases e2e and e2e-selectors too (#31006) (#31007) * TextPanel: Fixes so panel title is updated when variables change (#30884) (#31005) * StatPanel: Fixes issue formatting date values using unit option (#30979) (#30991) * Units: Fixes formatting of duration units (#30982) (#30986) * Elasticsearch: Show Size setting for raw_data metric (#30980) (#30983) * Logging: sourcemap support for frontend stacktraces (#30590) (#30976) * e2e: extends selector factory to plugins (#30932) (#30934) * Variables: Adds queryparam formatting option (#30858) (#30924) * Exemplars: change api to reflect latest changes (#30910) (#30915) * 'Release: Updated versions in package to 7.4.0' (#30898) * DataSourceSettings: Adds info box and link to Grafana Cloud (#30891) (#30896) * GrafanaUI: Add a way to persistently close InfoBox (#30716) (#30895) * [7.4.x] AlertingNG: List saved Alert definitions in Alert Rule list (30890)(30603) * Alerting: Fixes alert panel header icon not showing (#30840) (#30885) * Plugins: Requests validator (#30445) (#30877) * PanelLibrary: Adds library panel meta information to dashboard json (#30770) (#30883) * bump grabpl version to 0.5.36 (#30874) (#30878) * Chore: remove __debug_bin (#30725) (#30857) * Grafana-ui: fixes closing modals with escape key (#30745) (#30873) * DashboardLinks: Support variable expression in to tooltip - Issue #30409 (#30569) (#30852) * Add alt text to plugin logos (#30710) (#30872) * InfluxDB: Add http configuration when selecting InfluxDB v2 flavor (#30827) (#30870) * Prometheus: Set type of labels to string (#30831) (#30835) * AlertingNG: change API permissions (#30781) (#30814) * Grafana-ui: fixes no data message in Table component (#30821) (#30855) * Prometheus: Add tooltip to explain possibility to use patterns in text and title fields in annotations (#30825) (#30843) * Chore: add more docs annotations (#30847) (#30851) * BarChart: inside-align strokes, upgrade uPlot to 1.6.4. (#30806) (#30846) * Transforms: allow boolean in field calculations (#30802) (#30845) * CDN: Fixes cdn path when Grafana is under sub path (#30822) (#30823) * bump cypress to 6.3.0 (#30644) (#30819) * Expressions: Measure total transformation requests and elapsed time (#30514) (#30789) * Grafana-UI: Add story/docs for ErrorBoundary (#30304) (#30811) * [v7.4.x]: Menu: Mark menu components as internal (#30801) * Graph: Fixes auto decimals issue in legend and tooltip (#30628) (#30635) * GraphNG: Disable Plot logging by default (#30390) (#30500) * Storybook: Migrate card story to use controls (#30535) (#30549) * GraphNG: add bar alignment option (#30499) (#30790) * Variables: Clears drop down state when leaving dashboard (#30810) (#30812) * Add missing callback dependency (#30797) (#30809) * GraphNG: improve behavior when switching between solid/dash/dots (#30796) (#30799) * Add width for Variable Editors (#30791) (#30795) * Panels: Fixes so panels are refreshed when scrolling past them fast (#30784) (#30792) * PanelEdit: Trigger refresh when changing data source (#30744) (#30767) * AlertingNG: Enable UI to Save Alert Definitions (#30394) (#30548) * CDN: Fix passing correct prefix to GetContentDeliveryURL (#30777) (#30779) * CDN: Adds support for serving assets over a CDN (#30691) (#30776) * Explore: Update styling of buttons (#30493) (#30508) * Loki: Append refId to logs uid (#30418) (#30537) * skip symlinks to directories when generating plugin manifest (#30721) (#30738) * Mobile: Fixes issue scrolling on mobile in chrome (#30746) (#30750) * BarChart: add alpha bar chart panel (#30323) (#30754) * Datasource: Use json-iterator configuration compatible with standard library (#30732) (#30739) * Variables: Fixes so text format will show All instead of custom all (#30730) (#30731) * AlertingNG: pause/unpause definitions via the API (#30627) (#30672) * PanelLibrary: better handling of deleted panels (#30709) (#30726) * Transform: improve the 'outer join' performance/behavior (#30407) (#30722) * DashboardPicker: switch to promise-based debounce, return dashboard UID (#30706) (#30714) * Use connected GraphNG in Explore (#30707) (#30708) * PanelLibrary: changes casing of responses and adds meta property (#30668) (#30711) * DeployImage: Switch base images to Debian (#30684) (#30699) * Trace: trace to logs design update (#30637) (#30702) * Influx: Show all datapoints for dynamically windowed flux query (#30688) (#30703) * ci(npm-publish): add missing github package token to env vars (#30665) (#30673) * Loki: Improve live tailing errors and fix Explore's logs container type errors (#30517) (#30681) * Grafana-UI: Fix setting default value for MultiSelect (#30671) (#30687) * Explore: Fix jumpy live tailing (#30650) (#30677) * Docs: Refer to product docs in whats new for alerting templating feature (#30652) (#30670) * Variables: Fixes display value when using capture groups in regex (#30636) (#30661) * Docs: Fix expressions enabled description (#30589) (#30651) * Licensing Docs: Adding license restrictions docs (#30216) (#30648) * DashboardSettings: fixes vertical scrolling (#30640) (#30643) * chore: bump redux toolkit to 1.5.0 for immer 8.0.1 vulnerability fix (#30605) (#30631) * Explore: Fix loading visualisation on the top of the new time series panel (#30553) (#30557) * Footer: Fixes layout issue in footer (#30443) (#30494) * Variables: Fixes so queries work for numbers values too (#30602) (#30624) * Admin: Fixes so form values are filled in from backend (#30544) (#30623) * Docs: Update 7.4 What's New to use more correct description of alerting notification template feature (#30502) (#30614) * NodeGraph: Add docs (#30504) (#30613) * Cloud Monitoring: Fix legend naming with display name override (#30440) (#30503) * Expressions: Add option to disable feature (#30541) (#30558) * OldGraph: Fix height issue in Firefox (#30565) (#30582) * XY Chart: fix editor error with empty frame (no fields) (#30573) (#30577) * XY Chart: share legend config with timeseries (#30559) (#30566) * DataFrame: cache frame/field index in field state (#30529) (#30560) * Prometheus: Fix show query instead of Value if no __name__ and metric (#30511) (#30556) * Decimals: Big Improvements to auto decimals and fixes to auto decimals bug found in 7.4-beta1 (#30519) (#30550) * chore: update packages dependent on dot-prop to fix security vulnerability (#30432) (#30487) * GraphNG: uPlot 1.6.3 (fix bands not filling below 0). close #30523. (#30527) (#30528) * GraphNG: uPlot 1.6.2 (#30521) (#30522) * Chore: Upgrade grabpl version (#30486) (#30513) * grafana/ui: Fix internal import from grafana/data (#30439) (#30507) * prevent field config from being overwritten (#30437) (#30442) * Chore: upgrade NPM security vulnerabilities (#30397) (#30495) * TimeSeriesPanel: Fixed default value for gradientMode (#30484) (#30492) * Admin: Fixes so whole org drop down is visible when adding users to org (#30481) (#30497) * Chore: adds wait to e2e test (#30488) (#30490) * Graph: Fixes so only users with correct permissions can add annotations (#30419) (#30466) * Alerting: Hides threshold handle for percentual thresholds (#30431) (#30467) * Timeseries: only migrage point size when configured (#30461) (#30470) * Expressions: Fix button icon (#30444) (#30450) * PanelModel: Make sure the angular options are passed to react panel type changed handler (#30441) (#30451) * Docs: Fix img link for alert notification template (#30436) (#30447) * Chore: Upgrade build pipeline tool (#30456) (#30457) * PanelOptions: Refactoring applying panel and field options out of PanelModel and add property clean up for properties not in field config registry (#30389) (#30438) * 'Release: Updated versions in package to 7.4.0-beta.1' (#30427) * Chore: Update what's new URL (#30423) * GraphNG: assume uPlot's series stroke is always a function (#30416) * PanelLibrary: adding library panels to Dashboard Api (#30278) * Prettier: Fixes to files that came in after main upgrade (#30410) * Cloud Monitoring: Add curated dashboards for the most popular GCP services (#29930) * Mssql integrated security (#30369) * Prettier: Upgrade to 2 (#30387) * GraphNG: sort ascending if the values appear reversed (#30405) * Docs: Grafana whats new 7.4 (#30404) * Dashboards: Adds cheat sheet toggle to supported query editors (#28857) * Docs: Update timeseries-dimensions.md (#30403) * Alerting: Evaluate data templating in alert rule name and message (#29908) * Docs: Add links to 7.3 patch release notes (#30292) * Docs: Update _index.md (#29546) * Docs: Update jaeger.md (#30401) * Expressions: Remove feature toggle (#30316) * Docs: Update tempo.md (#30399) * Docs: Update zipkin.md (#30400) * services/provisioning: Various cleanup (#30396) * DashboardSchemas: OpenAPI Schema Generation (#30242) * AlertingNG: Enforce unique alert definition title (non empty)/UID per organisation (#30380) * Licensing: Document new v7.4 options and APIs (#30217) * Auth: add expired token error and update CreateToken function (#30203) * NodeGraph: Add node graph visualization (#29706) * Add jwtTokenAuth to plugin metadata schema (#30346) * Plugins: Force POSIX style path separators for manifest generation (#30287) * Add enterprise reporting fonts to gitignore (#30385) * Field overrides: skipping overrides for properties no longer existing in plugin (#30197) * NgAlerting: View query result (#30218) * Grafana-UI: Make Card story public (#30388) * Dashboard: migrate version history list (#29970) * Search: use Card component (#29892) * PanelEvents: Isolate more for old angular query editors (#30379) * Loki: Remove showing of unique labels with the empty string value (#30363) * Chore: Lint all files for no-only-tests (#30364) * Clears errors after running new query (#30367) * Prometheus: Change exemplars endpoint (#30378) * Explore: Fix a bug where Typeahead crashes when a large amount of ite… (#29637) * Circular vector: improve generics (#30375) * Update signing docs (#30296) * Email: change the year in templates (#30294) * grafana/ui: export TLS auth component (#30320) * Query Editor: avoid word wrap (#30373) * Transforms: add sort by transformer (#30370) * AlertingNG: Save alert instances (#30223) * GraphNG: Color series from by value scheme & change to fillGradient to gradientMode (#29893) * Chore: Remove not used PanelOptionsGrid component (#30358) * Zipkin: Remove browser access mode (#30360) * Jaeger: Remove browser access mode (#30349) * chore: bump lodash to 4.17.20 (#30359) * ToolbarButton: New emotion based component to replace all navbar, DashNavButton and scss styles (#30333) * Badge: Increase contrast, remove rocket icon for plugin beta/alpha state (#30357) * Licensing: Send map of environment variables to plugins (#30347) * Dashboards: Exit to dashboard when deleting panel from panel view / edit view (#29032) * Cloud Monitoring: MQL support (#26551) * ReleaseNotes: Updated changelog and release notes for 7.4.0-beta1 (#30348) * Panel options UI: Allow collapsible categories (#30301) * Grafana-ui: Fix context menu item always using onClick instead of href (#30350) * Badge: Design improvement & reduce contrast (#30328) * make sure stats are added horizontally and not vertically (#30106) * Chore(deps): Bump google.golang.org/grpc from 1.33.1 to 1.35.0 (#30342) * Chore(deps): Bump github.com/stretchr/testify from 1.6.1 to 1.7.0 (#30341) * Chore(deps): Bump github.com/google/uuid from 1.1.2 to 1.1.5 (#30340) * Chore(deps): Bump github.com/hashicorp/go-version from 1.2.0 to 1.2.1 (#30339) * Fix HTML character entity error (#30334) * GraphNG: fix fillBelowTo regression (#30330) * GraphNG: implement softMin/softMax for auto-scaling stabilization. close #979. (#30326) * Legend: Fixes right y-axis legend from being pushed outside the bounds of the panel (#30327) * Grafana-toolkit: Update component generator templates (#30306) * Panels: remove beta flag from stat and bargauge panels (#30324) * GraphNG: support fill below to (bands) (#30268) * grafana-cli: Fix security issue (#28888) * AlertingNG: Modify queries and transform endpoint to get datasource UIDs (#30297) * Chore: Fix missing property from ExploreGraph (#30315) * Prometheus: Add support for Exemplars (#28057) * Grafana-UI: Enhances for TimeRangePicker and TimeRangeInput (#30102) * ReleaseNotes: Updated changelog and release notes for 7.4.0 (#30312) * Table: Fixes BarGauge cell display mode font size so that it is fixed to the default cell font size (#30303) * AngularGraph: Fixes issues with legend wrapping after legend refactoring (#30283) * Plugins: Add Open Distro to the list of data sources supported by sigv4 (#30308) * Chore: Moves common and response into separate packages (#30298) * GraphNG: remove y-axis position control from series color picker in the legend (#30302) * Table: migrate old-table config to new table config (#30142) * Elasticsearch: Support extended stats and percentiles in terms order by (#28910) * Docs: Update release notes index * GraphNG: stats in legend (#30251) * Grafana UI: EmptySearchResult docs (#30281) * Plugins: Use the includes.path (if exists) on sidebar includes links (#30291) * Fix spinner and broken buttons (#30286) * Graph: Consider reverse sorted data points on isOutsideRange check (#30289) * Update getting-started.md (#30257) * Backend: use sdk version (v0.81.0) without transform (gel) code (#29236) * Chore: update latest versions to 7.3.7 (#30282) * Loki: Fix hiding of series in table if labels have number values (#30185) * Loki: Lower min step to 1ms (#30135) * Prometheus: Improve autocomplete performance and remove disabling of dynamic label lookup (#30199) * Icons: Adds custom icon support ands new panel and interpolation icons (#30277) * ReleaseNotes: Updated changelog and release notes for 7.3.7 (#30280) * Grafana-ui: Allow context menu items to be open in new tab (#30141) * Cloud Monitoring: Convert datasource to use Dataframes (#29830) * GraphNG: added support to change series color from legend. (#30256) * AzureMonitor: rename labels for query type dropdown (#30143) * Decimals: Improving auto decimals logic for high numbers and scaled units (#30262) * Elasticsearch: Use minimum interval for alerts (#30049) * TimeSeriesPanel: The new graph panel now supports y-axis value mapping #30272 * CODEOWNERS: Make backend squad owners of backend style guidelines (#30266) * Auth: Add missing request headers to SigV4 middleware allowlist (#30115) * Grafana-UI: Add story/docs for FilterPill (#30252) * Grafana-UI: Add story/docs for Counter (#30253) * Backend style guide: Document JSON guidelines (#30267) * GraphNG: uPlot 1.6, hide 'Show points' in Points mode, enable 'dot' lineStyle (#30263) * Docs: Update prometheus.md (#30240) * Docs: Cloudwatch filter should be JSON format (#30243) * API: Add by UID routes for data sources (#29884) * Docs: Update datasource_permissions.md (#30255) * Cloudwatch: Move deep link creation to the backend (#30206) * Metrics API: Use jsoniter for JSON encoding (#30250) * Add option in database config to skip migrations for faster startup. (#30146) * Set signed in users email correctly (#30249) * Drone: Upgrade build pipeline tool (#30247) * runRequest: Fixes issue with request time range and time range returned to panels are off causing data points to be cut off (outside) (#30227) * Elasticsearch: fix handling of null values in query_builder (#30234) * Docs: help users connect to Prometheus using SigV4 (#30232) * Update documentation-markdown-guide.md (#30207) * Update documentation-markdown-guide.md (#30235) * Better logging of plugin scanning errors (#30231) * Print Node.js and Toolkit versions (#30230) * Chore: bump rollup across all packages (#29486) * Backend style guide: Document database patterns (#30219) * Chore: Bump plugin-ci-alpine Docker image version (#30225) * Legends: Refactoring and rewrites of legend components to simplify components & reuse (#30165) * Use Node.js 14.x in plugin CI (#30209) * Field overrides: extracting the field config factory into its own reusable module. (#30214) * LibraryPanels: adds connections (#30212) * PanelOptionsGroups: Only restore styles from PanelOptionsGroup (#30215) * Variables: Add deprecation warning for value group tags (#30160) * GraphNG: Hide grid for right-y axis if left x-axis exists (#30195) * Middleware: Add CSP support (#29740) * Updated image links to have newer format. (#30208) * Docs: Update usage-insights.md (#30150) * Share panel dashboard add images (#30201) * Update documentation-style-guide.md (#30202) * Docs: Fix links to transforms (#30194) * docs(badge): migrate story to use controls (#30180) * Chore(deps): Bump github.com/prometheus/common from 0.14.0 to 0.15.0 (#30188) * Fix alert definition routine stop (#30117) * Chore(deps): Bump gopkg.in/square/go-jose.v2 from 2.4.1 to 2.5.1 (#30189) * InlineSwitch: Minor story fix (#30186) * Chore(deps): Bump github.com/gosimple/slug from 1.4.2 to 1.9.0 (#30178) * Chore(deps): Bump github.com/fatih/color from 1.9.0 to 1.10.0 (#30183) * Chore(deps): Bump github.com/lib/pq from 1.3.0 to 1.9.0 (#30181) * Chore(deps): Bump github.com/hashicorp/go-plugin from 1.2.2 to 1.4.0 (#30175) * Chore(deps): Bump github.com/getsentry/sentry-go from 0.7.0 to 0.9.0 (#30171) * Gauge: Fixes issue with all null values cause min & max to be null (#30156) * Links: Add underline on hover for links in NewsPanel (#30166) * GraphNG: Update to test dashboards (#30153) * CleanUp: Removed old panel options group component (#30157) * AngularQueryEditors: Fixes to Graphite query editor and other who refer to other queries (#30154) * Chore(deps): Bump github.com/robfig/cron/v3 from 3.0.0 to 3.0.1 (#30172) * Chore(deps): Bump github.com/urfave/cli/v2 from 2.1.1 to 2.3.0 (#30173) * Chore: Fix spelling issue (#30168) * Revise README.md. (#30145) * Chore(deps): Bump github.com/mattn/go-sqlite3 from 1.11.0 to 1.14.6 (#30174) * InlineSwitch: Added missing InlineSwitch component and fixed two places that used unaligned inline switch (#30162) * GraphNG: add new alpha XY Chart (#30096) * Elastic: Support request cancellation properly (Uses new backendSrv.fetch Observable request API) (#30009) * OpenTSDB: Support request cancellation properly (#29992) * InfluxDB: Update Flux external link (#30158) * Allow dependabot to keep go packages up-to-date (#30170) * PluginState: Update comment * GraphNG: Minor polish & updates to new time series panel and move it from alpha to beta (#30163) * Share panel dashboard (#30147) * GraphNG: rename 'graph3' to 'timeseries' panel (#30123) * Add info about access mode (#30137) * Prometheus: Remove running of duplicated metrics query (#30108) * Prometheus: Fix autocomplete does not work on incomplete input (#29854) * GraphNG: remove graph2 panel (keep the parts needed for explore) (#30124) * Docs: Add metadata to activating licensing page (#30140) * MixedDataSource: Added missing variable support flag (#30110) * AngularPanels: Fixes issue with some panels not rendering when going into edit mode due to no height (#30113) * AngularPanels: Fixes issue with discrete panel that used the initialized event (#30133) * Explore: Make getFieldLinksForExplore more reusable (#30134) * Elasticsearch: Add Support for Serial Differencing Pipeline Aggregation (#28618) * Angular: Fixes issue with angular directive caused by angular upgrade in master (#30114) * Analytics: add data source type in data-request events (#30087) * GraphNG: 'Interpolation: Step after' test (#30127) * GraphNG: check cross-axis presence when auto-padding. close #30121. (#30126) * Alerting: improve alerting default datasource search when extracting alerts (#29993) * Loki: Timeseries should not produce 0-values for missing data (#30116) * GraphNG: support dashes (#30070) * GraphNG: fix spanGaps optimization in alignDataFrames(). see #30101. (#30118) * Alerting NG: update API to expect UIDs instead of IDs (#29896) * GraphNG: Overhaul of main test dashboard and update to null & gaps dashboard (#30101) * Chore: Fix intermittent time-related test failure in explore datasource instance update (#30109) * QueryEditorRow: Ability to change query name (#29779) * Frontend: Failed to load application files message improvement IE11 (#30011) * Drone: Upgrade build pipeline tool (#30104) * Fix phrasing. (#30075) * Chore: Add CloudWatch HTTP API tests (#29691) * Elastic: Fixes so templating queries work (#30003) * Chore: Rewrite elasticsearch client test to standard library (#30093) * Chore: Rewrite tsdb influxdb test to standard library (#30091) * Fix default maximum lifetime an authenticated user can be logged in (#30030) * Instrumentation: re-enable database wrapper feature to expose counter and histogram for database queries (#29662) * Docs: Update labels to fields transform (#30086) * GraphNG: adding possibility to toggle tooltip, graph and legend for series (#29575) * Chore: Rewrite tsdb cloudmonitoring test to standard library (#30090) * Chore: Rewrite tsdb azuremonitor time grain test to standard library (#30089) * Chore: Rewrite tsdb graphite test to standard library (#30088) * Chore: Upgrade Docker build image wrt. Go/golangci-lint/Node (#30077) * Usage Stats: Calculate concurrent users as a histogram (#30006) * Elasticsearch: Fix broken alerting when using pipeline aggregations (#29903) * Drone: Fix race conditions between Enterprise and Enterprise2 (#30076) * Chore: Rewrite models datasource cache test to standard library (#30040) * Plugins: prevent app plugin from rendering with wrong location (#30017) * Update NOTICE.md * Chore: Tiny typo fix `rage` -> `range` (#30067) * Docs: loki.md: Add example of Loki data source config (#29976) * ReleaseNotes: Updated changelog and release notes for 7.3.6 (#30066) * Docs: Update usage-insights.md (#30065) * Docs: Update white-labeling.md (#30064) * Chore(deps): Bump axios from 0.19.2 to 0.21.1 (#30059) * Chore: Rewrite models tags test to standard library (#30041) * Bump actions/setup-node from v1 to v2.1.4 (#29891) * Build(deps): Bump ini from 1.3.5 to 1.3.7 (#29787) * fall back to any architecture when getting plugin's checksum #30034 (#30035) * Lerna: Update to 3.22.1 (#30057) * SeriesToRows: Fixes issue in transform so that value field is always named Value (#30054) * [dashboard api] manage error when data in dashboard table is not valid json (#29999) * use sha256 checksum instead of md5 (#30018) * Chore: Rewrite brute force login protection test to standard library (#29986) * Chore: Rewrite login auth test to standard library (#29985) * Chore: Rewrite models dashboards test to standard library (#30023) * Chore: Rewrite models dashboard acl test to standard library (#30022) * Chore: Rewrite models alert test to standard library (#30021) * Chore: Rewrite ldap login test to standard library (#29998) * Chore: Rewrite grafana login test to standard library (#29997) * Fix two ini-file typos regarding LDAP (#29843) * Chore: Changes source map devtool to inline-source-map (#30004) * Chore: Sync Enterprise go.sum (#30005) * Chore: Add Enterprise dependencies (#29994) * SQLStore: customise the limit of retrieved datasources per organisation (#29358) * Chore: update crewjam/saml library to the latest master (#29991) * Graph: Fixes so users can not add annotations in readonly dash (#29990) * Currency: add Vietnamese dong (VND) (#29983) * Drone: Update pipelines for Enterprise (#29939) * Remove the bus from teamgroupsync (#29810) * Influx: Make variable query editor input uncontrolled (#29968) * PanelLibrary: Add PATCH to the API (#29956) * PanelEvents: Isolating angular panel events into it's own event bus + more event refactoring (#29904) * Bump node-notifier from 8.0.0 to 8.0.1 (#29952) * LDAP: Update use_ssl documentation (#29964) * Docs: Missing 's' on 'logs' (#29966) * Docs: Update opentsdb.md (#29963) * Docs: Minor typo correction (#29962) * librarypanels: Fix JSON field casing in tests (#29954) * TemplateSrv: Do not throw error for an unknown format but use glob as fallback and warn in the console (#29955) * PanelLibrary: Adds uid and renames title to name (#29944) * Docs: Fix raw format variable docs (#29945) * RedirectResponse: Implement all of api.Response (#29946) * PanelLibrary: Adds get and getAll to the api (#29772) * Chore: Remove duplicate interpolateString test (#29941) * Chore: Rewrite influxdb query parser test to standard library (#29940) * Folders: Removes the possibility to delete the General folder (#29902) * Chore: Convert tsdb request test to standard library (#29936) * Chore: Convert tsdb interval test to standard library (#29935) * Docs: Update configuration.md (#29912) * Docs: Update organization_roles.md (#29911) * Docs: Update _index.md (#29918) * GraphNG: bring back tooltip (#29910) * Ng Alerting: Remove scroll and fix SplitPane limiters (#29906) * Dashboard: Migrating dashboard settings to react (#27561) * Minor correction to explanation on correct MS SQL usage. (#29889) * AlertingNG: Create a scheduler to evaluate alert definitions (#29305) * Add changelog items for 7.3.6, 7.2.3 and 6.7.5 (#29901) * bump stable to 7.3.6 (#29899) * Upgrade go deps. (#29900) * Expressions: Replace query input fields with select. (#29816) * PanelEdit: Update UI if panel plugin changes field config (#29898) * Elasticsearch: Remove timeSrv dependency (#29770) * PanelEdit: Need new data after plugin change (#29874) * Chore(toolkit): disable react/prop-types for eslint config (#29888) * Field Config API: Add ability to hide field option or disable it from the overrides (#29879) * SharedQuery: Fixes shared query editor now showing queries (#29849) * GraphNG: support fill gradient (#29765) * Backend style guide: Add more guidelines (#29871) * Keep query keys consistent (#29855) * Alerting: Copy frame field labels to time series tags (#29886) * Update configure-docker.md (#29883) * Usage Stats: Introduce an interface for usage stats service (#29882) * DataFrame: add a writable flag to fields (#29869) * InlineForms: Changes to make inline forms more flexible for query editors (#29782) * Usage Stats: Allow to add additional metrics to the stats (#29774) * Fix the broken link of XORM documentation (#29865) * Move colors demo under theme colors (#29873) * Dashboard: Increase folder name size in search dashboard (#29821) * MSSQL: Config UI touches (#29834) * QueryOptions: Open QueryEditors: run queries after changing group options #29864 * GraphNG: uPlot 1.5.2, dynamic stroke/fill, Flot-style hover points (#29866) * Variables: Fixes so numerical sortorder works for options with null values (#29846) * GraphNG: only initialize path builders once (#29863) * GraphNG: Do not set fillColor from GraphNG only opacity (#29851) * add an example cloudwatch resource_arns() query that uses multiple tags (ref: #29499) (#29838) * Backend: Remove more globals (#29644) * MS SQL: Fix MS SQL add data source UI issues (#29832) * Display palette and colors for dark and light themes in storybook (#29848) * Docs: Fix broken link in logs-panel (#29833) * Docs: Add info about typing of connected props to Redux style guide (#29842) * Loki: Remove unnecessary deduplication (#29421) * Varibles: Fixes so clicking on Selected will not include All (#29844) * Explore/Logs: Correctly display newlines in detected fields (#29541) * Link suppliers: getLinks API update (#29757) * Select: Changes default menu placement for Select from auto to bottom (#29837) * Chore: Automatically infer types for dashgrid connected components (#29818) * Chore: Remove unused Loki and Cloudwatch syntax providers (#29686) * Pass row (#29839) * GraphNG: Context menu (#29745) * GraphNG: Enable scale distribution configuration (#29684) * Explore: Improve Explore performance but removing unnecessary re-renders (#29752) * DashboardDS: Fixes display of long queries (#29808) * Sparkline: Fixes issue with sparkline that sent in custom fillColor instead of fillOpacity (#29825) * Chore: Disable default golangci-lint filter (#29751) * Update style guide with correct usage of MS SQL (#29829) * QueryEditor: do not auto refresh on every update (#29762) * Chore: remove unused datasource status enum (#29827) * Expressions: support ${my var} syntax (#29819) * Docs: Update types-options.md (#29777) * Chore: Enable more go-ruleguard rules (#29781) * GraphNG: Load uPlot path builders lazily (#29813) * Elasticsearch: ensure query model has timeField configured in datasource settings (#29807) * Chore: Use Header.Set method instead of Header.Add (#29804) * Allow dependabot to check actions (#28159) * Grafana-UI: Support optgroup for MultiSelect (#29805) * Sliders: Update behavior and style tweak (#29795) * Grafana-ui: Fix collapsible children sizing (#29776) * Style guide: Document avoidance of globals in Go code (#29803) * Chore: Rewrite opentsdb test to standard library (#29792) * CloudWatch: Add support for AWS DirectConnect ConnectionErrorCount metric (#29583) * GraphNG: uPlot 1.5.1 (#29789) * GraphNG: update uPlot v1.5.0 (#29763) * Added httpMethod to webhook (#29780) * @grafana-runtime: Throw error if health check fails in DataSourceWithBackend (#29743) * Explore: Fix remounting of query row (#29771) * Expressions: Add placeholders to hint on input (#29773) * Alerting: Next gen Alerting page (#28397) * GraphNG: Add test dashboard for null & and gaps rendering (#29769) * Expressions: Field names from refId (#29755) * Plugins: Add support for signature manifest V2 (#29240) * Chore: Configure go-ruleguard via golangci-lint (#28419) * Move middleware context handler logic to service (#29605) * AlertListPanel: Add options to sort by Time(asc) and Time(desc) (#29764) * PanelLibrary: Adds delete Api (#29741) * Tracing: Release trace to logs feature (#29443) * ReleaseNotes: Updated changelog and release notes for 7.3.5 (#29753) * DataSourceSettings: Add servername field to DataSource TLS config (#29279) * Chore: update stable and testing versions (#29748) * ReleaseNotes: Updated changelog and release notes for 7.3.5 (#29744) * Elasticsearch: View in context feature for logs (#28764) * Chore: Disable gosec on certain line (#29382) * Logging: log frontend errors caught by ErrorBoundary, including component stack (#29345) * ChangePassword: improved keyboard navigation (#29567) * GrafanaDataSource: Fix selecting -- Grafana -- data source, broken after recent changes (#29737) * Docs: added version note for rename by regex transformation. (#29735) * @grafana/ui: Fix UI issues for cascader button dropdown and query input (#29727) * Docs: Update configuration.md (#29728) * Docs: Remove survey (#29549) * Logging: rate limit fronted logging endpoint (#29272) * API: add Status() to RedirectResponse (#29722) * Elasticsearch: Deprecate browser access mode (#29649) * Elasticsearch: Fix query initialization action (#29652) * PanelLibrary: Adds api and db to create Library/Shared/Reusable Panel (#29642) * Transformer: Rename metrics based on regex (#29281) * Variables: Fixes upgrade of legacy Prometheus queries (#29704) * Auth: Add SigV4 header allowlist to reduce chances of verification issues (#29650) * DataFrame: add path and description metadata (#29695) * Alerting: Use correct time series name override from frame fields (#29693) * GraphNG: fix bars migration and support color and linewidth (#29697) * PanelHeader: Fix panel header description inline code wrapping (#29628) * Bugfix 29848: Remove annotation_tag entries as part of annotations cleanup (#29534) * GraphNG: simple settings migration from flot panel (#29599) * GraphNG: replace bizcharts with uPlot for sparklines (#29632) * GitHubActions: Update node version in github action (#29683) * Adds go dep used by an Enterprise feature. (#29645) * Typescript: Raise strict error limit for enterprise (#29688) * Remove unnecessary escaping (#29677) * Update getting-started-prometheus.md (#29678) * instrumentation: align label name with our other projects (#29514) * Typescript: Fixing typescript strict error, and separate check from publishing (#29679) * CloudWatch: namespace in search expression should be quoted if match exact is enabled #29109 (#29563) * Docs: Plugin schema updates (#28232) * RadioButton: Fix flex issue in master for radio buttons (#29664) * Update getting-started.md (#29670) * Expr: fix time unit typo in ds queries (#29668) * Expr: make reduction nan/null more consistent (#29665) * Expr: fix func argument panic (#29663) * Update documentation-style-guide.md (#29661) * Update documentation-markdown-guide.md (#29659) * Docs: Changed image format (#29658) * Expr: fix failure to execute due to OrgID (#29653) * GraphNG: rename 'points' to 'showPoints' (#29635) * Expressions: Restore showing expression query editor even if main data source is not mixed (#29656) * GraphNG: time range should match the panel timeRange (#29596) * Support svg embedded favicons in whitelabeling (#29436) * Add changelog to docs style guide (#29581) * Loki: Retry web socket connection when connection is closed abnormally (#29438) * GraphNG: Fix annotations and exemplars plugins (#29613) * Chore: Rewrite tsdb sql engine test to standard library (#29590) * GraphNG: fix and optimize spanNulls (#29633) * Build(deps): Bump highlight.js from 10.4.0 to 10.4.1 (#29625) * Cloudwatch: session cache should use UTC consistently (#29627) * GraphNG: rename GraphMode to DrawStyle (#29623) * GraphNG: add spanNulls config option (#29512) * Docs: add docs for concatenate transformer (#28667) * Stat/Gauge: expose explicit font sizing (#29476) * GraphNG: add gaps/nulls support to staircase & smooth interpolation modes (#29593) * grafana/ui: Migrate Field knobs to controls (#29433) * Prometheus: Fix link to Prometheus graph in dashboard (#29543) * Build: Publish next and latest npm channels to Github (#29615) * Update broken aliases (#29603) * API: add ID to snapshot API responses (#29600) * Elasticsearch: Migrate queryeditor to React (#28033) * QueryGroup & DataSourceSrv & DataSourcePicker changes simplify usage, error handling and reduce duplication, support for uid (#29542) * Elastic: Fixes config UI issues (#29608) * GraphNG: Fix issues with plugins not retrieving plot instance (#29585) * middleware: Make scenario test functions take a testing.T argument (#29564) * Grafana/ui: Storybook controls understand component types (#29574) * Login: Fixes typo in tooltip (#29604) * Panel: making sure we support all versions of chrome when detecting position of click event. (#29544) * Chore: Rewrite sqlstore migration test to use standard library (#29589) * Chore: Rewrite tsdb prometheus test to standard library (#29592) * Security: Add gosec G304 auditing annotations (#29578) * Chore: Rewrite tsdb testdatasource scenarios test to standard library (#29591) * Docs: Add missing key to enable SigV4 for provisioning Elasticsearch data source (#29584) * Add Microsoft.Network/natGateways (#29479) * Update documentation-style-guide.md (#29586) * @grafana/ui: Add bell-slash to available icons (#29579) * Alert: Fix forwardRef warning (#29577) * Update documentation-style-guide.md (#29580) * Chore: Upgrade typescript to 4.1 (#29493) * PanelLibrary: Adds library_panel table (#29565) * Make build docker full fix (#29570) * Build: move canary packages to github (#29411) * Devenv: Add default db for influxdb (#29371) * Chore: Check errors from Close calls (#29562) * GraphNG: support auto and explicit axis width (#29553) * Chore: upgrading y18n to 4.0.1 for security reasons (#29523) * Middleware: Rewrite tests to use standard library (#29535) * Overrides: show category on the overrides (#29556) * GraphNG: Bars, Staircase, Smooth modes (#29359) * Docs: Fix docs sync actions (#29551) * Chore: Update dev guide node version for Mac (#29548) * Docs: Update formatting-multi-value-variables.md (#29547) * Arrow: toArray() on nullable values should include null values (#29520) * Docs: Update syntax.md (#29545) * NodeJS: Update to LTS (14) (#29467) * Docs: Update repeat-panels-or-rows.md (#29540) * 3 minor changes, including updating the title TOC (#29501) * Auth proxy: Return standard error type (#29502) * Data: use pre-defined output array length in vectorToArray() (#29516) * Dashboards: hide playlist edit functionality from viewers and snapshots link from unauthenticated users (#28992) * docker: use yarn to build (#29538) * QueryEditors: Refactoring & rewriting out dependency on PanelModel (#29419) * Chore: skip flaky tests (#29537) * Graph NG: Invalidate uPlot config on timezone changes (#29531) * IntelliSense: Fix autocomplete and highlighting for Loki, Prometheus, Cloudwatch (#29381) * Variables: Fixes Textbox current value persistence (#29481) * OptionsEditor: simplify the options editor interfaces (#29518) * Icon: Changed the icon for signing in (#29530) * fixes bug with invalid handler name for metrics (#29529) * Middleware: Simplifications (#29491) * GraphNG: simplify effects responsible for plot updates/initialization (#29496) * Alarting: fix alarm messages in dingding (Fixes #29470) (#29482) * PanelEdit: making sure the correct datasource query editor is being rendered. (#29500) * AzureMonitor: Unit MilliSeconds naming (#29399) * Devenv: update mysql_tests and postgres_tests blocks for allowing dynamically change of underlying docker image (#29525) * Chore: Enable remaining eslint-plugin-react rules (#29519) * Docs/Transformations: Add documentation about Binary operations in Add field from calculation (#29511) * Datasources: fixed long error message overflowing container (#29440) * docker: fix Dockerfile after Gruntfile.js removed (#29515) * Chore: Adds Panel Library featuretoggle (#29521) * Docs: Update filter-variables-with-regex.md (#29508) * Docs: InfluxDB_V2 datasource: adding an example on how to add InfluxQL as a datasource (#29490) * Loki: Add query type and line limit to query editor in dashboard (#29356) * Docs: Added Security Group support to Azure Auth (#29418) * DataLinks: Removes getDataSourceSettingsByUid from applyFieldOverrides (#29447) * Bug: trace viewer doesn't show more than 300 spans (#29377) * Live: publish all dashboard changes to a single channel (#29474) * Chore: Enable eslint-plugin-react partial rules (#29428) * Alerting: Update alertDef.ts with more time options (#29498) * DataSourceSrv: Look up data source by uid and name transparently (#29449) * Instrumentation: Add examplars for request histograms (#29357) * Variables: Fixes Constant variable persistence confusion (#29407) * Docs: Fix broken link for plugins (#29346) * Prometheus: don't override displayName property (#29441) * Grunt: Removes grunt dependency and replaces some of its usage (#29461) * Transformation: added support for excluding/including rows based on their values. (#26884) * Chore: Enable exhaustive linter (#29458) * Field overrides: added matcher to match all fields within frame/query. (#28872) * Log: Use os.Open to open file for reading (#29483) * MinMax: keep global min/main in field state (#29406) * ReactGridLayout: Update dependency to 1.2 (#29455) * Jest: Upgrade to latest (#29450) * Chore: bump grafana-ui rollup dependencies (#29315) * GraphNG: use uPlot's native ms support (#29445) * Alerting: Add support for Sensu Go notification channel (#28012) * adds tracing for all bus calls that passes ctx (#29434) * prometheus: Improve IsAPIError's documentation (#29432) * ReleaseNotes: Updated changelog and release notes for 7.3.4 (#29430) * Elasticsearch: Fix index pattern not working with multiple base sections (#28348) * Plugins: Add support for includes' icon (#29416) * Docs: fixing frontend docs issue where enums ending up in wrong folder level. (#29429) * Variables: Fixes issue with upgrading legacy queries (#29375) * Queries: Extract queries from dashboard (#29349) * Docs: docker -> Docker (#29331) * PanelEvents: Refactors and removes unnecessary events, fixes panel editor update issue when panel options change (#29414) * Fix: Correct panel edit uistate migration (#29413) * Alerting: Improve Prometheus Alert Rule error message (#29390) * Fix: Migrate Panel edit uiState percentage strings to number (#29412) * remove insecure cipher suit as default option (#29378) * * prometheus fix variables fetching when customQueryParameters used #28907 (#28949) * Chore: Removes observableTester (#29369) * Chore: Adds e2e tests for Variables (#29341) * Fix gosec finding of unhandled errors (#29398) * Getting started with Grafana and MS SQL (#29401) * Arrow: cast timestams to Number (#29402) * Docs: Add Cloud content links (#29317) * PanelEditor: allow access to the eventBus from panel options (#29327) * GraphNG: support x != time in library (#29353) * removes unused golint file (#29391) * prefer server cipher suites (#29379) * Panels/DashList: Fix order of recent dashboards (#29366) * Core: Move SplitPane layout from PanelEdit. (#29266) * Drone: Upgrade build pipeline tool (#29365) * Update yarn.lock to use latest rc-util (#29313) * Variables: Adds description field (#29332) * Chore: Update latest.json (#29351) * Drone: Upload artifacts for release branch builds (#29297) * Docs: fixing link issues in auto generated frontend docs. (#29326) * Drone: Execute artifact publishing for both editions in parallel during release (#29362) * Devenv: adding default credentials for influxdb (#29344) * Drone: Check CUE dashboard schemas (#29334) * Backend: fix IPv6 address parsing erroneous (#28585) * dashboard-schemas cue 3.0.0 compatible (#29352) * Update documentation-style-guide.md (#29354) * Docs: Update requirements.md (#29350) * ReleaseNotes: Updated changelog and release notes for 7.3.4 (#29347) * ReleaseNotes: Updated changelog and release notes for 7.3.4 (#29338) * Drone: Publish NPM packages after Storybook to avoid race condition (#29340) * Add an option to hide certain users in the UI (#28942) * Guardian: Rewrite tests from goconvey (#29292) * Docs: Fix editor role and alert notification channel description (#29301) * Docs: Improve custom Docker image instructions (#29263) * Security: Fixes minor security issue with alert notification webhooks that allowed GET & DELETE requests #29330 * Chore: Bump storybook to v6 (#28926) * ReleaseNotes: Updates release notes link in package.json (master) (#29329) * Docs: Accurately reflecting available variables (#29302) * Heatmap: Fixes issue introduced by new eventbus (#29322) * Dashboard Schemas (#28793) * devenv: Add docker load test which authenticates with API key (#28905) * Login: Fixes redirect url encoding issues of # %23 being unencoded after login (#29299) * InfluxDB: update flux library and support boolean label values (#29310) * Explore/Logs: Update Parsed fields to Detected fields (#28881) * GraphNG: Init refactorings and fixes (#29275) * fixing a broken relref link (#29312) * Drone: Upgrade build pipeline tool (#29308) * decreasing frontend docs threshold. (#29304) * Docker: update docker root group docs and docker image (#29222) * WebhookNotifier: Convert tests away from goconvey (#29291) * Annotations: fixing so when changing annotations query links submenu will be updated. (#28990) * [graph-ng] add temporal DataFrame alignment/outerJoin & move null-asZero pass inside (#29250) * Dashboard: Fixes kiosk state after being redirected to login page and back (#29273) * make it possible to hide change password link in profile menu (#29246) * Theme: Add missing color type (#29265) * Chore: Allow reducerTester to work with every data type & payload-less actions (#29241) * Explore/Prometheus: Update default query type option to 'Both' (#28935) * Loki/Explore: Add query type selector (#28817) * Variables: New Variables are stored immediately (#29178) * reduce severity level to warning (#28939) * Units: Changes FLOP/s to FLOPS and some other rates per second units get /s suffix (#28825) * Docs: Remove duplicate 'Transformations overview' topics from the TOC (#29247) * Docs: Fixed broken relrefs and chanfed TOC entry name from Alerting to Alerts. (#29251) * Docs: Remove duplicate Panel overview topic. (#29248) * Increase search limit on team add user and improve placeholder (#29258) * Fix warnings for conflicting style rules (#29249) * Make backwards compatible (#29212) * Minor cosmetic markdown tweaks in docs/cloudwatch.md (#29238) * Getting Started: Updated index topic, removed 'what-is-grafana', and adjusted weight o… (#29216) * BarGauge: Fix story for BarGauge, caused knobs to show for other stories (#29232) * Update glossary to add hyperlinks to Explore and Transformation entries (#29217) * Chore: Enable errorlint linter (#29227) * TimeRegions: Fixed issue with time regions and tresholds due to angular js upgrade (#29229) * CloudWatch: Support request cancellation properly (#28865) * CloudMonitoring: Support request cancellation properly (#28847) * Chore: Handle wrapped errors (#29223) * Expressions: Move GEL into core as expressions (#29072) * Chore: remove compress:release grunt task (#29225) * Refactor/Explore: Inline datasource actions into initialisation (#28953) * Fix README typo (#29219) * Grafana UI: Card API refactor (#29034) * Plugins: Changed alertlist alert url to view instead of edit (#29060) * React: Upgrading react to v17, wip (#29057) * Gauge: Tweaks short value auto-sizing (#29197) * BackendSrv: support binary responseType like $http did (#29004) * GraphNG: update the options config (#28917) * Backend: Fix build (#29206) * Permissions: Validate against Team/User permission role update (#29101) * ESlint: React fixes part 1 (#29062) * Tests: Adds expects for observables (#28929) * Variables: Adds new Api that allows proper QueryEditors for Query variables (#28217) * Introduce eslint-plugin-react (#29053) * Automation: Adds GitHub release action (#29194) * Refactor declarative series configuration to a config builder (#29106) * ReleaseNotes: Updated changelog and release notes for 7.3.3 (#29189) * Panels: fix positioning of the header title (#29167) * trace user login and datasource name instead of id (#29183) * playlist: Improve test (#29120) * Drone: Fix publish-packages invocation (#29179) * Table: Fix incorrect condtition for rendering table filter (#29165) * Chore: Upgrade grafana/build-ci-deploy image to latest Go (#29171) * DashboardLinks: will only refresh dashboard search when changing tags for link. (#29040) * ReleaseNotes: Updated changelog and release notes for 7.3.3 (#29169) * CloudWatch: added HTTP API Gateway specific metrics and dimensions (#28780) * Release: Adding release notes for 7.3.3 (#29168) * SQL: Define primary key for tables without it (#22255) * changed link format from MD to HTML (#29163) * Backend: Rename variables for style conformance (#29097) * Docs: Fixes what'new menu and creates index page, adds first draft of release notes to docs (#29158) * Drone: Upgrade build pipeline tool and build image (#29161) * ReleaseNotes: Updated changelog and release notes for 7.4.0 (#29160) * ReleaseNotes: Updated changelog and release notes for 7.3.3 (#29159) * Chore: Upgrade Go etc in build images (#29157) * Chore: Remove unused Go code (#28852) * API: Rewrite tests from goconvey (#29091) * Chore: Fix linting issues caught by ruleguard (#28799) * Fix panic when using complex dynamic URLs in app plugin routes (#27977) * Snapshots: Fixes so that dashboard snapshots show data when using Stat, Gauge, BarGauge or Table panels (#29031) * Fix authomation text: remove hyphen (#29149) * respect fronted-logging.enabled flag (#29107) * build paths in an os independent way (#29143) * Provisioning: always pin app to the sidebar when enabled (#29084) * Automation: Adds new changelog actions (#29142) * Chore: Rewrite preferences test from GoConvey to stdlib and testify (#29129) * Chore: Upgrade Go dev tools (#29124) * Automation: Adding version bump action * DataFrames: add utility function to check if structure has changed (#29006) * Drone: Fix Drone config verification for enterprise on Windows (#29118) * Chore: Require OrgId to be specified in delete playlist command (#29117) * Plugin proxy: Handle URL parsing errors (#29093) * Drone: Verify Drone config at beginning of pipelines (#29071) * Legend/GraphNG: Refactoring legend types and options (#29067) * Doc: Update documentation-style-guide.md (#29082) * Chore: Bumps types for jest (#29098) * LogsPanel: Fix scrolling in dashboards (#28974) * sort alphabetically unique labels, labels and parsed fields (#29030) * Data source proxy: Convert 401 from data source to 400 (#28962) * Plugins: Implement testDatasource for Jaeger (#28916) * Update react-testing-library (#29061) * Graph: Fixes stacking issues like floating bars when data is not aligned (#29051) * StatPanel: Fixes hanging issue when all values are zero (#29077) * Auth: Enable more complete credential chain for SigV4 default SDK auth option (#29065) * Chore: Convert API tests to standard Go lib (#29009) * Update README.md (#29075) * Update CODEOWNERS (#28906) * Enhance automation text for missing information (#29052) * GraphNG: Adding ticks test dashboard and improves tick spacing (#29044) * Chore: Migrate Dashboard List panel to React (#28607) * Test Datasource/Bug: Fixes division by zero in csv metric values scenario (#29029) * Plugins: Bring back coreplugin package (#29064) * Add 'EventBusName' dimension to CloudWatch 'AWS/Events' namespace (#28402) * CloudWatch: Add support for AWS/ClientVPN metrics and dimensions (#29055) * AlertingNG: manage and evaluate alert definitions via the API (#28377) * Fix linting issues (#28811) * Logging: Log frontend errors (#28073) * Fix for multi-value template variable for project selector (#29042) * Chore: Rewrite test helpers from GoConvey to stdlib (#28919) * GraphNG: Fixed axis measurements (#29036) * Fix links to logql docs (#29037) * latest 7.3.2 (#29041) * Elasticsearch: Add Moving Function Pipeline Aggregation (#28131) * changelog 7.3.2 (#29038) * MutableDataFrame: Remove unique field name constraint and values field index and unused/seldom used stuff (#27573) * Fix prometheus docs related to query variable (#29027) * Explore: support ANSI colors in live logs (#28895) * Docs: Add documentation about log levels (#28975) * Dashboard: remove usage of Legacyforms (#28707) * Docs: Troubleshoot starting docker containers on Mac (#28754) * Elasticsearch: interpolate variables in Filters Bucket Aggregation (#28969) * Chore: Bump build pipeline version (#29023) * Annotations: Fixes error when trying to create annotation when dashboard is unsaved (#29013) * TraceViewer: Make sure it does not break when no trace is passed (#28909) * Thresholds: Fixes color assigned to null values (#29010) * Backend: Remove unused code (#28933) * Fix documentation (#28998) * Tracing: Add setting for sampling server (#29011) * Logs Panel: Fix inconsistent higlighting (#28971) * MySQL: Update README.md (#29003) * IntervalVariable: Fix variable tooltip (#28988) * StatPanels: Fixes auto min max when latest value is zero (#28982) * Chore: Fix SQL related Go variable naming (#28887) * MSSQL: Support request cancellation properly (Uses new backendSrv.fetch Observable request API) (#28809) * Variables: Fixes loading with a custom all value in url (#28958) * Backend: Adds route for well-known change password URL (#28788) * docs: fix repeated dashboards link (#29002) * LogsPanel: Don't show scroll bars when not needed (#28972) * Drone: Fix docs building (#28986) * StatPanel: Fixed center of values in edge case scenarios (#28968) * Update getting-started-prometheus.md (#28502) * Docs: fix relref (#28977) * Docs: Minor docs update * Docs: Another workflow docs update * Docs: Workflow minor edit * Docs: Another minor edit * Docs: Update PR workflow docs * Docs: Update bot docs * StatPanels: set default to last (#28617) * Tracing: log traceID in request logger (#28952) * start tracking usage stats for tempo (#28948) * Docs: Update bot docs * GrafanaBot: Update labels and commands and adds docs (#28950) * Docs: updates for file-based menu (#28500) * Grot: Added command/label to close feature requests with standard message (#28937) * GraphNG: Restore focus option (#28946) * Docs: Fix links (#28945) * Short URL: Cleanup unvisited/stale short URLs (#28867) * GraphNG: Using new VizLayout, moving Legend into GraphNG and some other refactorings (#28913) * CloudWatch Logs: Change what we use to measure progress (#28912) * Chore: use jest without grunt (#28558) * Chore: Split Explore redux code into multiple sections (#28819) * TestData: Fix issue with numeric inputs in TestData query editor (#28936) * setting: Fix tests on Mac (#28886) * Plugins signing: Fix docs urls (#28930) * Field color: handling color changes when switching panel types (#28875) * Variables: make sure that we support both old and new syntax for custom variables. (#28896) * CodeEditor: added support for javascript language (#28818) * Update CHANGELOG.md (#28928) * Plugins: allow override when allowing unsigned plugins (#28901) * Chore: Fix spelling issue (#28904) * Grafana-UI: LoadingPlaceholder docs (#28874) * Gauge: making sure threshold panel json is correct before render (#28898) * Chore: Rewrite test in GoConvey to stdlib and testify (#28918) * Update documentation-style-guide.md (#28908) * Adding terms to glossary (#28884) * Devenv: Fix Prometheus basic auth proxy (#28889) * API: replace SendLoginLogCommand with LoginHook (#28777) * Dashboards / Folders: delete related data (permissions, stars, tags, versions, annotations) when deleting a dashboard or a folder (#28826) * Loki: Correct grammar in DerivedFields.tsx (#28885) * Docs: Update list of Enterprise plugins (#28882) * Live: update centrifuge and the ChannelHandler api (#28843) * Update share-panel.md (#28880) * CRLF (#28822) * PanelHeader: show streaming indicator (and allow unsubscribe) (#28682) * Docs: Plugin signing docs (#28671) * Chore: Fix issues reported by staticcheck; enable stylecheck linter (#28866) * Elasticsearch: Filter pipeline aggregations from order by options (#28620) * Variables: added __user.email to global variable (#28853) * Fix titles case and add missing punctuation marks (#28713) * VizLayout: Simple viz layout component for legend placement and scaling (#28820) * Chore: Fix staticcheck issues (#28860) * Chore: Fix staticcheck issues (#28854) * Disable selecting enterprise plugins with no license (#28758) * Tempo: fix test data source (#28836) * Prometheus: fix missing labels from value (#28842) * Chore: Fix issues found by staticcheck (#28802) * Chore: Remove dead code (#28664) * Units: added support to handle negative fractional numbers. (#28849) * Variables: Adds variables inspection (#25214) * Marked: Upgrade and always sanitize by default (#28796) * Currency: add Philippine peso currency (PHP) (#28823) * Alert: Remove z-index on Alert component so that it does not overlay ontop of other content (#28834) * increase blob column size for encrypted dashboard data (#28831) * Gauge: Improve font size auto sizing (#28797) * grafana/toolkit: allow builds with lint warnings (#28810) * core and grafana/toolkit: Use latest version of grafana-eslint-conifg (#28816) * Icon: Replace font awesome icons where possible (#28757) * Remove homelinks panel (#28808) * StatPanels: Add new calculation option for percentage difference (#26369) * Dashboard: Add Datetime local (No date if today) option in panel axes' units (#28011) * Variables: Adds named capture groups to variable regex (#28625) * Panel inspect: Interpolate variables in panel inspect title (#28779) * grafana/toolkit: Drop console and debugger statements by default when building plugin with toolkit (#28776) * Variables: Fixes URL values for dependent variables (#28798) * Graph: Fixes event emit function error (#28795) * Adds storybook integrity check to drone config (#28785) * Live: improve broadcast semantics and avoid double posting (#28765) * Events: Remove unused or unnecessary events (#28783) * Docs: added code comments to frontend packages. (#28784) * Plugin Dockerfiles: Upgrade Go, golangci-lint, gcloud SDK (#28767) * Dependencies: Update angularjs to 1.8.2 (#28736) * EventBus: Introduces new event bus with emitter backward compatible interface (#27564) * ColorSchemes: Add new color scheme (#28719) * Docs: Add NGINX example for using websockets to Loki (#27998) * Docs: Made usage of config/configuration consistent #19270 (#28167) * Cloudwatch: Fix issue with field calculation transform not working properly with Cloudwatch data (#28761) * grafana/toolkit: Extract CHANGELOG when building plugin (#28773) * Drone: Upgrade build pipeline tool (#28769) * devenv: Upgrade MSSQL Docker image (#28749) * Docs: Add docs for InfoBox component (#28705) * Reoeragnization. (#28760) * gtime: Add ParseDuration function (#28525) * Explore: Remove redundant decodeURI and fix urls (#28697) * Dashboard: fix view panel mode for Safari / iOS (#28702) * Provisioning: Fixed problem with getting started panel being added to custom home dashboard (#28750) * LoginPage: Removed auto-capitalization from the login form (#28716) * Plugin page: Fix dom validation warning (#28737) * Migration: Remove LegacyForms from dashboard folder permissions (#28564) * Dependencies: Remove unused dependency (#28711) * AlertRuleList: Add keys to alert rule items (#28735) * Chore: Pin nginx base image in nginx proxy Dockerfiles (#28730) * Drone: Upgrade build-pipeline tool (#28728) * TableFilters: Fixes filtering with field overrides (#28690) * Templating: Speeds up certain variable queries for Postgres, MySql and MSSql (#28686) * Fix typo in unsigned plugin warning (#28709) * Chore: Convert sqlstore annotation test from GoConvey to testify (#28715) * updates from https://github.com/grafana/grafana/pull/28679 (#28708) * Chore: Add some scenario tests for Explore (#28534) * Update latest version to 7.3.1 (#28701) * Changelog update - 7.3.1 (#28699) * Drone: Don't build on Windows for PRs (#28663) * Build: changing docs docker image to prevent setting up frontend devenv. (#28670) * Prometheus: Fix copy paste behaving as cut and paste (#28622) * Loki: Fix error when some queries return zero results (#28645) * Chore: allow higher nodejs version than 12 (#28624) * TextPanel: Fixes problems where text panel would show old content (#28643) * PanelMenu: Fixes panel submenu not being accessible for panels close to the right edge of the screen (#28666) * Cloudwatch: Fix duplicate metric data (#28642) * Add info about CSV download for Excel in What's new article (#28661) * Docs: Describe pipeline aggregation changes in v7.3 (#28660) * Plugins: Fix descendent frontend plugin signature validation (#28638) * Docker: use root group in the custom Dockerfile (#28639) * Bump rxjs to 6.6.3 (#28657) * StatPanel: Fixed value being under graph and reduced likley hood for white and dark value text mixing (#28641) * Table: Fix image cell mode so that it works with value mappings (#28644) * Build: support custom build tags (#28609) * Plugin signing: Fix copy on signed plugin notice (#28633) * Dashboard: Fix navigation from one SoloPanelPage to another one (#28578) * CloudWatch: Improve method name, performance optimization (#28632) * Developer guide: Update wrt. Windows (#28559) * Docs: Update graph panel for tabs (#28552) * update latest.json (#28603) * Docs: data source insights (#28542) * Field config API: add slider editor (#28007) * changelog: update for 7.3.0 (#28602) * Update uPlot to 1.2.2 and align timestamps config with new uPLot API (#28569) * Live: updated the reference to use lazy loaded Monaco in code editor. (#28597) * Dashboard: Allow add panel for viewers_can_edit (#28570) * Docs: Data source provisioning and sigV4 (#28593) * Docs: Additional 7.3 upgrade notes (#28592) * CI: Add GCC to Windows Docker image (#28562) * CloudWatch Logs queue and websocket support (#28176) * Explore/Loki: Update docs and cheatsheet (#28541) * Grafana-UI: Add Card component (#28216) * AddDatasource: Improve plugin categories (#28584) * StatPanel: Fixes BizChart error max: yyy should not be less than min zzz (#28587) * docs: a few tweaks for clarity and readability (#28579) * API: Reducing some api docs errors (#28575) * Grafana-UI: ContextMenu docs (#28508) * Short URL: Update last seen at when visiting a short URL (#28565) * Fix backend build on Windows (#28557) * add value prop (#28561) * Plugin signing: UI information (#28469) * Use fetch API in InfluxDB data source (#28555) * PanelEdit: Prevent the preview pane to be resized further than window height (#28370) * Docs: Update generic-oauth.md (#28517) * GCS image uploader: Add tests (#28521) * Move metrics collector queries to config (#28549) * Plugins: Fix plugin URL paths on Windows (#28548) * API: add login username in SendLoginLogCommand (#28544) * AzureMonitor: Support decimal (as float64) type in analytics/logs (#28480) * Auth: Fix SigV4 request verification step for Amazon Elasticsearch Service (#28481) * Grafana/ui: auto focus threshold editor input (#28360) * Docs: SigV4 What's New and AWS Elasticsearch documentation (#28506) * Drone: Upgrade build pipeline tool (#28533) * Drone: Refactor version branch pipeline logic (#28531) * Drone: Upgrade build-pipeline tool (#28520) * Docs: Update field color scheme docs and 7.3 what's new (#28496) * Templating: Custom variable edit UI, change text input into textarea (#28312) (#28322) * Currency: Adds Indonesian IDR currency (#28363) * Chore: Fix flaky sqlstore annotation test (#28527) * Checkbox: Fix component sample typo (#28518) * Image uploader: Fix uploading of images to GCS (#26493) * OAuth: Support Forward OAuth Identity for backend data source plugins (#27055) * Updated documentation style guide (#28488) * Cloud Monitoring: Fix help section for aliases (#28499) * Docs: what's new in enterprise 7.3 (#28472) * Plugins: Track plugin signing errors and expose them to the frontend (#28219) * Elasticsearch: Fix handling of errors when testing data source (#28498) * Auth: Should redirect to login when anonymous enabled and URL with different org than anonymous specified (#28158) * Drone: Don't build Windows installer for version branches (#28494) * Docs: Grafana Enterprise auditing feature (#28356) * Drone: Add version branch pipeline (#28490) * Getting Started section rehaul (#28090) * Docs: Add survey content (#28446) * Docs: Update prometheus.md (#28483) * Docs: Add view settings and view stats (#28155) * Remove entry from 7.3.0-beta2 Changelog (#28478) * Circle: Remove release pipeline (#28474) * Update latest.json (#28476) * Switch default version to Graphite 1.1 (#28471) * Plugin page: update readme icon (#28465) * Chore: Update changelog (#28473) * Explore: parse time range fix (#28467) * Alerting: Log alert warnings for obsolete notifiers when extracting alerts and remove spammy error (#28162) * Shorten url: Unification across Explore and Dashboards (#28434) * Explore: Support wide data frames (#28393) * Docs: updated cmd to build docs locally to generate docs prior to building site. (#28371) * Live: support real time measurements (alpha) (#28022) * CloudWatch/Athena - valid metrics and dimensions. (#28436) * Chore: Use net.JoinHostPort (#28421) * Chore: Upgrade grafana-eslint to latest (#28444) * Fix cut off icon (#28442) * Docs: Add shared (#28411) * Loki: Visually distinguish error logs for LogQL2 (#28359) * Database; Remove database metric feature flag and update changelog (#28438) * TestData: multiple arrow requests should return multiple frames (#28417) * Docs: Test survey code (#28437) * Docs: improved github action that syncs docs to website (#28277) * update latest.json with latest stable version (#28433) * 7.2.2 changelog update (#28406) * plugins: Don't exit on duplicate plugin (#28390) * API: Query database from /api/health endpoint (#28349) * Chore: Fix conversion of a 64-bit integer to a lower bit size type uint (#28425) * Prometheus: fix parsing of infinite sample values (#28287) (#28288) * Chore: Rewrite some tests to use testify (#28420) * Plugins: do not remount app plugin on nav change (#28105) * App Plugins: Add backend support (#28272) * Chore: react hooks eslint fixes in grafana-ui (#28026) * ci-e2e: Add Git (#28410) * TestData: Remove useEffect that triggeres query on component load (#28321) * FieldColor: Remove inverted color scheme (#28408) * Chore: Set timezone for tests to non utc. (#28405) * Chore: fix jsdoc desc and return (#28383) * Docs: Fixing v51 link (#28396) * fixes windows crlf warning (#28346) * Grafana/ui: pass html attributes to segment (#28316) * Alerting: Return proper status code when trying to create alert notification channel with duplicate name or uid (#28043) * OAuth: Able to skip auto login (#28357) * CloudWatch: Fix custom metrics (#28391) * Docs: Adds basic frontend data request concepts (#28253) * Instrumentation: Add histogram for request duration (#28364) * remove status label from histogram (#28387) * OAuth: configurable user name attribute (#28286) * Component/NewsPanel: Add rel='noopener' to NewsPanel links (#28379) * Webpack: Split out unicons and bizcharts (#28374) * Explore: Fix date formatting in url for trace logs link (#28381) * Docs: Add activate-license (#28156) * Instrumentation: Add counters and histograms for database queries (#28236) * Docs: Make tables formatting more consistent (#28164) * CloudWatch: Adding support for additional Amazon CloudFront metrics (#28378) * Add unique ids to query editor fields (#28376) * Plugins: Compose filesystem paths with filepath.Join (#28375) * Explore: Minor tweaks to exemplars marble (#28366) * Instrumentation: Adds environment_info metric (#28355) * AzureMonitor: Fix capitalization of NetApp 'volumes' namespace (#28369) * ColorSchemes: Adds more color schemes and text colors that depend on the background (#28305) * Automation: Update backport github action trigger (#28352) * Dashboard links: Places drop down list so it's always visible (#28330) * Docs: Add missing records from grafana-ui 7.2.1 CHANGELOG (#28302) * Templating: Replace all '$tag' in tag values query (#28343) * Docs: Add docs for valuepicker (#28327) * Git: Create .gitattributes for windows line endings (#28340) * Update auth-proxy.md (#28339) * area/grafana/toolkit: update e2e docker image (#28335) * AlertingNG: remove warn/crit from eval prototype (#28334) * Automation: Tweaks to more info message (#28332) * Loki: Run instant query only when doing metric query (#28325) * SAML: IdP-initiated SSO docs (#28280) * IssueTriage: Needs more info automation and messages (#28137) * GraphNG: Use AxisSide enum (#28320) * BackendSrv: Fixes queue countdown when unsubscribe is before response (#28323) * Automation: Add backport github action (#28318) * Build(deps): Bump http-proxy from 1.18.0 to 1.18.1 (#27507) * Bump handlebars from 4.4.3 to 4.7.6 (#27416) * Bump tree-kill from 1.2.1 to 1.2.2 (#27405) * Loki: Base maxDataPoints limits on query type (#28298) * Explore: respect min_refresh_interval (#27988) * Drone: Use ${DRONE_TAG} in release pipelines, since it should work (#28299) * Graph NG: fix toggling queries and extract Graph component from graph3 panel (#28290) * fix: for graph size not taking up full height or width * should only ignore the file in the grafana mixin root folder (#28306) * Drone: Fix grafana-mixin linting (#28308) * SQLStore: Run tests as integration tests (#28265) * Chore: Add cloud-middleware as code owners (#28310) * API: Fix short URLs (#28300) * CloudWatch: Add EC2CapacityReservations Namespace (#28309) * Jaeger: timeline collapser to show icons (#28284) * update latest.json with latest beta version (#28293) * Update changelog (#28292) * Docs : - Added period (#28260) * Add monitoring mixing for Grafana (#28285) * Chore: Update package.json (#28291) * Drone: Fix enterprise release pipeline (#28289) * Alerting: Append appSubUrl to back button on channel form (#28282) - Rework package Makefile & README now that Grunt is gone - Update to version 7.3.6: * fixes for saml vulnerability * [v7.3.x] Fix: Correct panel edit uistate migration (#29413) (#29711) * PanelEdit: Prevent the preview pane to be resized further than window height (#28370) (#29726) * Fix: Migrate Panel edit uiState percentage strings to number (#29412) (#29723) * 'Release: Updated versions in package to 7.3.5' (#29710) * Chore: upgrading y18n to 4.0.1 for security reasons (#29523) (#29709) * Panel: making sure we support all versions of chrome when detecting position of click event. (#29544) (#29708) * PanelEdit: making sure the correct datasource query editor is being rendered. (#29500) (#29707) * [v7.3.x] Auth: Add SigV4 header allowlist to reduce chances of verification issues (#29705) * Alerting: Use correct time series name override from frame fields (#29693) (#29698) * CloudWatch: namespace in search expression should be quoted if match exact is enabled #29109 (#29563) (#29687) * Adds go dep used by an Enterprise feature. (#29645) (#29690) * instrumentation: align label name with our other projects (#29514) (#29685) * Instrumentation: Add examplars for request histograms (#29357) (#29682) * Login: Fixes typo in tooltip (#29604) (#29606) * fixes bug with invalid handler name for metrics (#29529) (#29532) * AzureMonitor: Unit MilliSeconds naming (#29399) (#29526) * Alarting: fix alarm messages in dingding (Fixes #29470) (#29482) (#29527) * Bug: trace viewer doesn't show more than 300 spans (#29377) (#29504) * Prometheus: don't override displayName property (#29441) (#29488) * resolve conflicts (#29415) * Drone: Upgrade build pipeline tool (#29365) (#29368) * Drone: Upload artifacts for release branch builds (#29297) (#29364) * Drone: Execute artifact publishing for both editions in parallel during release (#29362) (#29363) * Drone: Publish NPM packages after Storybook to avoid race condition (#29340) (#29343) * Docs: Fix editor role and alert notification channel description (#29301) (#29337) * 'Release: Updated versions in package to 7.3.4' (#29336) * Security: Fixes minor security issue with alert notification webhooks that allowed GET & DELETE requests #29330 (#29335) * Backport of InfluxDB: update flux library and support boolean label values #29333 * ReleaseNotes: Update link in package.json (#29328) * Login: Fixes redirect url encoding issues of # %23 being unencoded after login (#29299) (#29323) * Drone: Upgrade build pipeline tool (#29308) (#29309) * Annotations: fixing so when changing annotations query links submenu will be updated. (#28990) (#29285) * Dashboard: Fixes kiosk state after being redirected to login page and back (#29273) (#29278) * Increase search limit on team add user and improve placeholder (#29258) (#29261) * Drone: Sync with master (#29205) * Drone: Fix publish-packages invocation (#29179) (#29184) * Chore: Upgrade grafana/build-ci-deploy image to latest Go (#29171) (#29180) * Table: Fix incorrect condtition for rendering table filter (#29165) (#29181) * DashboardLinks: will only refresh dashboard search when changing tags for link. (#29040) (#29177) * Drone: Upgrade build pipeline tool and build image (#29161) (#29162) * Release: Updated versions in package to 7.3.3 (#29126) * git cherry-pick -x 0f3bebb38daa488e108881ce17d4f68167a834e6 (#29155) * Build: support custom build tags (#28609) (#29128) * Revert 'Graph: Fixes stacking issues like floating bars when data is not aligned (#29051) (#29088)' (#29151) * Provisioning: always pin app to the sidebar when enabled (#29084) (#29146) * build paths in an os independent way (#29143) (#29147) * Chore: Upgrade Go dev tools (#29124) (#29132) * Automatin: set node version * Automation: Adding version bump action * Drone: Fix Drone config verification for enterprise on Windows (#29118) (#29119) * [v7.3.x] Drone: Verify Drone config at beginning of pipelines (#29111) * Test Datasource/Bug: Fixes division by zero in csv metric values scenario (#29029) (#29068) * [v7.3.x] StatPanel: Fixes hanging issue when all values are zero (#29087) * Data source proxy: Convert 401 from data source to 400 (#28962) (#29095) * Graph: Fixes stacking issues like floating bars when data is not aligned (#29051) (#29088) * Auth: Enable more complete credential chain for SigV4 default SDK auth option (#29065) (#29086) * Fix for multi-value template variable for project selector (#29042) (#29054) * Thresholds: Fixes color assigned to null values (#29010) (#29018) * [v7.3.x] Chore: Bump build pipeline version (#29025) * Release v7.3.2 (#29024) * Fix conflict (#29020) * StatPanels: Fixes auto min max when latest value is zero (#28982) (#29007) * Tracing: Add setting for sampling server (#29011) (#29015) * Gauge: making sure threshold panel json is correct before render (#28898) (#28984) * Variables: make sure that we support both old and new syntax for custom variables. (#28896) (#28985) * Explore: Remove redundant decodeURI and fix urls (#28697) (#28963) * [v7.3.x] Drone: Fix docs building (#28987) * Alerting: Append appSubUrl to back button on channel form (#28282) (#28983) * Plugins: allow override when allowing unsigned plugins (#28901) (#28927) * CloudWatch Logs: Change what we use to measure progress (#28912) (#28964) * Tracing: log traceID in request logger (#28952) (#28959) * Panel inspect: Interpolate variables in panel inspect title (#28779) (#28801) * UsageStats: start tracking usage stats for tempo (#28948) (#28951) * Short URL: Cleanup unvisited/stale short URLs (#28867) (#28944) * Plugins signing: Fix docs urls (#28930) (#28934) * Chore: Fix spelling issue (#28904) (#28925) * API: replace SendLoginLogCommand with LoginHook (#28777) (#28891) * Elasticsearch: Exclude pipeline aggregations from order by options (#28620) (#28873) * Dashboards / Folders: delete related data (permissions, stars, tags, versions, annotations) when deleting a dashboard or a folder (#28826) (#28890) * Disable selecting enterprise plugins with no license (#28758) (#28859) * Tempo: fix test data source (#28836) (#28856) * Prometheus: fix missing labels from value (#28842) (#28855) * Units: added support to handle negative fractional numbers. (#28849) (#28851) * increase blob column size for encrypted dashboard data (#28831) (#28832) * Gauge: Improve font size auto sizing (#28797) (#28828) * Variables: Fixes URL values for dependent variables (#28798) (#28800) * grafana/toolkit: Extract CHANGELOG when building plugin (#28773) (#28774) * Templating: Custom variable edit UI, change text input into textarea (#28312) (#28322) (#28704) * Cloudwatch: Fix issue with field calculation transform not working properly with Cloudwatch data (#28761) (#28775) * Plugin page: Fix dom validation warning (#28737) (#28741) * Dashboard: fix view panel mode for Safari / iOS (#28702) (#28755) * Fix typo in unsigned plugin warning (#28709) (#28722) * TableFilters: Fixes filtering with field overrides (#28690) (#28727) * Templating: Speeds up certain variable queries for Postgres, MySql and MSSql (#28686) (#28726) * Prometheus: Fix copy paste behaving as cut and paste (#28622) (#28691) rhnlib: - Require missing python-backports.ssl_match_hostname on SLE 11 (bsc#1183959) spacecmd: - Handle SIGPIPE without user-visible Exception (bsc#1181124) spacewalk-client-tools: - Fallback to sysfs when reading info from python-dmidecode fails (bsc#1182603) - Log an error when product detection failed (bsc#1182339) supportutils-plugin-salt: - Fix yaml.load() warnings and issues with Python versions (bsc#1178072) (bsc#1181474) - Fix errors when collecting data for salt-minion (bsc#1131670) zypp-plugin-spacewalk: - Support for 'allow vendor change' for patching/upgrading ----------------------------------------- Patch: SUSE-2021-1234 Released: Thu Apr 15 17:21:44 2021 Summary: Recommended update for python-kiwi Severity: moderate References: 1178670,1182211,1182264,1182963,1183059 Description: This update for python-kiwi fixes the following issues: Upgrade from version 9.23.19 to version 9.23.20 - Require `qemu-img` in any filesystem based image. Move the qemu-img requirement into the `kiwi-systemdeps-filesystems` to ensure ISO, OEM and PXE images include it in the build service. This is also required for images that are simple root-trees in a filesystem `(image=ext4)`. - Add a requirement for `kiwi-systemdeps-iso-media` on disk images. Add a requirement for `kiwi-systemdeps-iso-media` in `kiwi-systemdeps-disk-images`. This is to ensure that installing `kiwi-systemdeps-disk-images` is enough to build OEM images including install media. - Turn `fb-util-for-appx` requirement into a recommendation. Relax the requirement for `fb-util-for-appx` since the utiliy is not part of all SUSE Linux Enterprise 15 Service Packs. - Refactor grub2 installation. (bsc#1182211) Split the installation in two parts. Former `grub2.install` method was meant to run the `grub2-install` tool, however, in addition it was also running the secure boot installation `shim-install`. The install method in `KIWI` is skipped for those architectures and firmware combinations for which bios support doesn't exist. This was leading to skip the secure boot installation. The current approach strips the secure boot installation logic from the `grub2.install` method, so skipping the install method does not automatically result in skipping the secure boot installation. - Fix `lsblk` flags to get sorted output (bsc#1182264, bsc#1182963, bsc#1183059) Modify the `lsblk` command flags to get a sorted output according to the disk layout. - Avoid using generators in `pre-mount` hooks (bsc#1178670) Delete the generator that was creating the `sysroot.mount` unit for ramdisk deployments. Generators, specially the `sysroot.mount` is expected to be created on very early stages of the boot procedure as this has impact on relevant targets such as `initrd-root-fs.target`, which does not depend on `sysroot.mount` if the unit is not there. In ramdisk deployments some data is known on pre-mount stage as it is downloaded from the PXE server. At this stage it is not safe to generate a `sysroot.mount` unit that depends on `initrd-root-fs.target` as the target is close to finalize or even finalized already and could potentially skip `sysroot.mount` exection. Instead include a mount hook which is only executed on ramdisk deployments that simply runs the mount command to mount `/sysroot`. ----------------------------------------- Patch: SUSE-2021-1236 Released: Fri Apr 16 08:13:51 2021 Summary: Recommended update for tcsh Severity: important References: 1179316 Description: This update for tcsh fixes the following issues: - Fixed an issue, where the history file continued growing, leading to csh processes consuming 100% of the CPU (bsc#1179316) ----------------------------------------- Patch: SUSE-2021-1280 Released: Tue Apr 20 14:34:19 2021 Summary: Security update for ruby2.5 Severity: moderate References: 1184644,CVE-2021-28965 Description: This update for ruby2.5 fixes the following issues: - Update to 2.5.9 - CVE-2021-28965: XML round-trip vulnerability in REXML (bsc#1184644) ----------------------------------------- Patch: SUSE-2021-1282 Released: Tue Apr 20 14:47:17 2021 Summary: Security update for apache-commons-io Severity: moderate References: 1184755,CVE-2021-29425 Description: This update for apache-commons-io fixes the following issues: - CVE-2021-29425: Limited path traversal when invoking the method FileNameUtils.normalize with an improper input string (bsc#1184755) ----------------------------------------- Patch: SUSE-2021-1289 Released: Wed Apr 21 14:02:46 2021 Summary: Recommended update for gzip Severity: moderate References: 1177047 Description: This update for gzip fixes the following issues: - Fixed a potential segfault when zlib acceleration is enabled (bsc#1177047) ----------------------------------------- Patch: SUSE-2021-1291 Released: Wed Apr 21 14:04:06 2021 Summary: Recommended update for mpfr Severity: moderate References: 1141190 Description: This update for mpfr fixes the following issues: - Fixed an issue when building for ppc64le (bsc#1141190) Technical library fixes: - A subtraction of two numbers of the same sign or addition of two numbers of different signs can be rounded incorrectly (and the ternary value can be incorrect) when one of the two inputs is reused as the output (destination) and all these MPFR numbers have exactly GMP_NUMB_BITS bits of precision (typically, 32 bits on 32-bit machines, 64 bits on 64-bit machines). - The mpfr_fma and mpfr_fms functions can behave incorrectly in case of internal overflow or underflow. - The result of the mpfr_sqr function can be rounded incorrectly in a rare case near underflow when the destination has exactly GMP_NUMB_BITS bits of precision (typically, 32 bits on 32-bit machines, 64 bits on 64-bit machines) and the input has at most GMP_NUMB_BITS bits of precision. - The behavior and documentation of the mpfr_get_str function are inconsistent concerning the minimum precision (this is related to the change of the minimum precision from 2 to 1 in MPFR 4.0.0). The get_str patch fixes this issue in the following way: the value 1 can now be provided for n (4th argument of mpfr_get_str); if n = 0, then the number of significant digits in the output string can now be 1, as already implied by the documentation (but the code was increasing it to 2). - The mpfr_cmp_q function can behave incorrectly when the rational (mpq_t) number has a null denominator. - The mpfr_inp_str and mpfr_out_str functions might behave incorrectly when the stream is a null pointer: the stream is replaced by stdin and stdout, respectively. This behavior is useless, not documented (thus incorrect in case a null pointer would have a special meaning), and not consistent with other input/output functions. ----------------------------------------- Patch: SUSE-2021-1295 Released: Wed Apr 21 14:08:19 2021 Summary: Recommended update for systemd-presets-common-SUSE Severity: moderate References: 1184136 Description: This update for systemd-presets-common-SUSE fixes the following issues: - Enabled hcn-init.service for HNV on POWER (bsc#1184136) ----------------------------------------- Patch: SUSE-2021-1307 Released: Fri Apr 23 09:15:01 2021 Summary: Security update for MozillaFirefox Severity: important References: 1184960,CVE-2021-23961,CVE-2021-23994,CVE-2021-23995,CVE-2021-23998,CVE-2021-23999,CVE-2021-24002,CVE-2021-29945,CVE-2021-29946 Description: This update for MozillaFirefox fixes the following issues: - Firefox was updated to 78.10.0 ESR (bsc#1184960) * CVE-2021-23994: Out of bound write due to lazy initialization * CVE-2021-23995: Use-after-free in Responsive Design Mode * CVE-2021-23998: Secure Lock icon could have been spoofed * CVE-2021-23961: More internal network hosts could have been probed by a malicious webpage * CVE-2021-23999: Blob URLs may have been granted additional privileges * CVE-2021-24002: Arbitrary FTP command execution on FTP servers using an encoded URL * CVE-2021-29945: Incorrect size computation in WebAssembly JIT could lead to null-reads * CVE-2021-29946: Port blocking could be bypassed ----------------------------------------- Patch: SUSE-2021-1313 Released: Mon Apr 26 09:12:07 2021 Summary: Security update for python-aiohttp Severity: important References: 1184745,CVE-2021-21330 Description: This update for python-aiohttp fixes the following issues: - CVE-2021-21330: Fixed the way pure-Python HTTP parser interprets `//` (bsc#1184745) ----------------------------------------- Patch: SUSE-2021-1320 Released: Mon Apr 26 15:07:58 2021 Summary: Recommended update for xorg-x11-server Severity: moderate References: 1184072,1184543 Description: This update for xorg-x11-server fixes the following issues: - Fixed a crash that might occur when talking to Xwayland (bsc#1184072, bsc#1184543) ----------------------------------------- Patch: SUSE-2021-1327 Released: Tue Apr 27 13:41:31 2021 Summary: Recommended update for sapstartsrv-resource-agents Severity: moderate References: 1183969 Description: This update for sapstartsrv-resource-agents fixes the following issues: - sapping.service does no longer run a second time after a restart/start of corosync (bsc#1183969) ----------------------------------------- Patch: SUSE-2021-1335 Released: Tue Apr 27 17:01:57 2021 Summary: Recommended update for hawk2 Severity: important References: 1184274 Description: This update for hawk2 fixes the following issue: Update to version 2.6.4: - Fix the wizards User Interface and show it.(bsc#1184274) ----------------------------------------- Patch: SUSE-2021-1405 Released: Wed Apr 28 15:09:07 2021 Summary: Recommended update for brp-check-suse Severity: moderate References: 1184555 Description: This update for brp-check-suse fixes the following issues: - Add patch to implement fipscheck. (bsc#1184555) ----------------------------------------- Patch: SUSE-2021-1409 Released: Wed Apr 28 16:32:50 2021 Summary: Security update for giflib Severity: low References: 1184123 Description: This update for giflib fixes the following issues: - Enable Position Independent Code and inherit CFLAGS from the build system (bsc#1184123). ----------------------------------------- Patch: SUSE-2021-1414 Released: Wed Apr 28 18:32:11 2021 Summary: Recommended update for boost-legacy Severity: important References: 1006584,1038083,1076640,1082318,1175886,401964,439805,457699,461372,477603,479659,544958,621140,655747,714373,765443,951902,958150,994378,994381,994382,994383,996917,CVE-2008-0171 Description: This update for boost-legacy fixes the following issues: Create a new boost-legacy package with version 1.66.0. (bsc#1175886, jsc#SLE-17304, jsc#ECO-3147) - Remove duplicate license package that we get from original Boost - Add a backport of `Boost.Optional::has_value()` for LibreOffice - Use `%license` instead of `%doc` (bsc#1082318) - Multibuild requires versioned `Name: tag` . (bsc#1076640) Changes in version 1.66.0: - `Beast`: new portable HTTP, WebSocket and network operations using `Boost.Asio`. Header-only library. - `Callable Traits`: new library and successor to `Boost.FunctionTypes`. Header-only library. - `Mp11:` new metaprogramming library - ` Asio`: - implemented interface changes to reflect the Networking TS (N4656) - functions and classes that have been superseded by Networking TS functionality have been deprecated. - added support for customized handler tracking - removed previously deprecated functions - `Atomic`: improved compatibility with GCC 7. 128-bit operations on `x86_64` no longer require linking with compiled library. - `DateTime`: Fixed an integral overflow that could cause incorrect results when adding or subtracting many years from a date. - `Format`: New format specifiers added and volatile arguments can not be safely used with operator`%` - `Fusion`: - fix compile error with `std::array` - remove circular preprocessor include - `PolyCollection`: backported to GCC 4.8 and 4.9 with some limitations - `Uuid`: added `RTF-4122` namespaces in `boost::uuids::ns` ----------------------------------------- Patch: SUSE-2021-1416 Released: Thu Apr 29 06:19:16 2021 Summary: Recommended update for kyotocabinet Severity: low References: 1185033 Description: This update for kyotocabinet fixes the following issues: - Proactive fix for a hardening making 'kyotokabinet' in SLE as position independent executable. (bsc#1185033) ----------------------------------------- Patch: SUSE-2021-1417 Released: Thu Apr 29 06:19:47 2021 Summary: Recommended update for ntp Severity: moderate References: 1185171 Description: This update for ntp fixes the following issues: - Use '/run' instead of '/var/run' for PIDFile in 'ntpd.service'. (bsc#1185171) ----------------------------------------- Patch: SUSE-2021-1424 Released: Thu Apr 29 06:22:32 2021 Summary: Recommended update for openslp Severity: moderate References: 1166637,1184008 Description: This update for openslp fixes the following issues: - Added automated active discovery retries so that DAs do not get dropped, if they are not reachable for some time (bsc#1166637, bsc#1184008) ----------------------------------------- Patch: SUSE-2021-1427 Released: Thu Apr 29 06:24:32 2021 Summary: Recommended update for scap-security-guide Severity: moderate References: Description: This update for scap-security-guide fixes the following issues: This update ships the ComplianceAsCode build version 0.1.55+git containing the following supported file: - SCAP STIG automation for SUSE Linux Enterprise 12 (SUSE supplied, more rules added compared to 0.1.54) - SCAP STIG automation for SUSE Linux Enterprise 15 (SUSE supplied, new, first rules added) - CIS automation for SUSE Linux Enterprise 15 (community supplied) It can be evaluated using 'oscap' from 'openscap-utils', e.g. by doing on SUSE Linux Enterprise 12: - oscap xccdf eval --profile stig /usr/share/xml/scap/ssg/content/ssg-sle12-ds.xml On SUSE Linux Enterprise 15: - oscap xccdf eval --profile stig /usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml or the community supplied CIS on SUSE Linux Enterprise 15: - oscap xccdf eval --profile cis /usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml More content will be added in future updates. ----------------------------------------- Patch: SUSE-2021-1432 Released: Thu Apr 29 10:06:47 2021 Summary: Security update for MozillaThunderbird Severity: important References: 1184960,CVE-2021-23961,CVE-2021-23994,CVE-2021-23995,CVE-2021-23998,CVE-2021-23999,CVE-2021-24002,CVE-2021-29945,CVE-2021-29946,CVE-2021-29948 Description: This update for MozillaThunderbird fixes the following issues: - Firefox was updated to 78.10.0 ESR (bsc#1184960) * CVE-2021-23994: Out of bound write due to lazy initialization * CVE-2021-23995: Use-after-free in Responsive Design Mode * CVE-2021-23998: Secure Lock icon could have been spoofed * CVE-2021-23961: More internal network hosts could have been probed by a malicious webpage * CVE-2021-23999: Blob URLs may have been granted additional privileges * CVE-2021-24002: Arbitrary FTP command execution on FTP servers using an encoded URL * CVE-2021-29945: Incorrect size computation in WebAssembly JIT could lead to null-reads * CVE-2021-29946: Port blocking could be bypassed * CVE-2021-29948: Race condition when reading from disk while verifying signatures ----------------------------------------- Patch: SUSE-2021-1448 Released: Fri Apr 30 08:08:17 2021 Summary: Recommended update for pidentd Severity: moderate References: 1185070 Description: This update for pidentd fixes the following issues: - Use '/run' instead of '/var/run'. (bsc#1185070) ----------------------------------------- Patch: SUSE-2021-1449 Released: Fri Apr 30 08:08:25 2021 Summary: Recommended update for systemd-presets-branding-SLE Severity: moderate References: 1165780 Description: This update for systemd-presets-branding-SLE fixes the following issues: - Don't enable 'btrfsmaintenance-refresh.service', 'btrfsmaintenance' is managed by systemd-presets-common-SUSE instead. (bsc#1165780) ----------------------------------------- Patch: SUSE-2021-1451 Released: Fri Apr 30 08:08:45 2021 Summary: Recommended update for dhcp Severity: moderate References: 1185157 Description: This update for dhcp fixes the following issues: - Use '/run' instead of '/var/run' for PIDFile in 'dhcrelay.service'. (bsc#1185157) ----------------------------------------- Patch: SUSE-2021-1454 Released: Fri Apr 30 09:22:26 2021 Summary: Security update for cups Severity: important References: 1184161,CVE-2021-25317 Description: This update for cups fixes the following issues: - CVE-2021-25317: ownership of /var/log/cups could allow privilege escalation from lp user to root via symlink attacks (bsc#1184161) ----------------------------------------- Patch: SUSE-2021-1462 Released: Fri Apr 30 14:54:23 2021 Summary: Recommended update for cloud-init Severity: moderate References: 1181283,1184085 Description: This update for cloud-init fixes the following issues: - Fixed an issue, where the bonding options were wrongly configured in SLE and openSUSE (bsc#1184085) ----------------------------------------- Patch: SUSE-2021-1476 Released: Tue May 4 13:58:52 2021 Summary: Recommended update for cups-filters Severity: moderate References: 1182893 Description: This update for cups-filters fixes the following issues: - Fixed an issue when 'foomatic-rip-Filter' crashes. (bsc#1182893) ----------------------------------------- Patch: SUSE-2021-1478 Released: Tue May 4 14:05:38 2021 Summary: Recommended update for libhugetlbfs Severity: moderate References: 1184123 Description: This update for libhugetlbfs fixes the following issues: - Hardening: Link as PIE (bsc#1184123) ----------------------------------------- Patch: SUSE-2021-1487 Released: Tue May 4 15:31:45 2021 Summary: Recommended update for python-yarl Severity: moderate References: Description: This update for python-yarl contains the following fixes: - Fix python-yarl to build with new python3 version. - Allows mixing amps and semicolons in query strings as separators over previous changes. ----------------------------------------- Patch: SUSE-2021-1489 Released: Tue May 4 17:10:15 2021 Summary: Security update for openexr Severity: important References: 1184353,1184354,1184355,1185216,1185217,CVE-2021-20296,CVE-2021-23215,CVE-2021-26260,CVE-2021-3477,CVE-2021-3479 Description: This update for openexr fixes the following issues: - CVE-2021-23215: Fixed an integer-overflow in Imf_2_5:DwaCompressor:initializeBuffers (bsc#1185216). - CVE-2021-26260: Fixed an Integer-overflow in Imf_2_5:DwaCompressor:initializeBuffers (bsc#1185217). - CVE-2021-20296: Fixed a Null Pointer dereference in Imf_2_5:hufUncompress (bsc#1184355). - CVE-2021-3477: Fixed a Heap-buffer-overflow in Imf_2_5::DeepTiledInputFile::readPixelSampleCounts (bsc#1184353). - CVE-2021-3479: Fixed an Out-of-memory caused by allocation of a very large buffer (bsc#1184354). ----------------------------------------- Patch: SUSE-2021-1491 Released: Tue May 4 17:11:03 2021 Summary: Security update for p7zip Severity: moderate References: 1184699,CVE-2021-3465 Description: This update for p7zip fixes the following issues: - CVE-2021-3465: Fixed a NULL pointer dereference in NCompress:CCopyCoder:Code (bsc#1184699) ----------------------------------------- Patch: SUSE-2021-1532 Released: Thu May 6 15:32:21 2021 Summary: Recommended update for python-shaptools Severity: moderate References: 1185090 Description: This update for python-shaptools fixes the following issues: - Fix the HANA 'sidadm' user creation to transform to lowercase properly. (bsc#1185090) ----------------------------------------- Patch: SUSE-2021-1533 Released: Thu May 6 17:04:28 2021 Summary: Recommended update for google-guest-agent, google-guest-configs, google-guest-oslogin, google-osconfig-agent Severity: moderate References: 1174304,1174306,1175740,1175741,1179031,1179032,1180304,1182793,1183414,1183415 Description: This update for google-guest-agent, google-guest-configs, google-guest-oslogin, google-osconfig-agent contains the following fixes: Changes in google-guest-agent: - Update to version 20210223.01 (bsc#1183414, bsc#1183415) * add a match block to sshd_config for SAs (#99) * add ipv6 forwarded ip support (#101) * call restorecon on ssh host keys (#98) * Include startup and shutdown in preset (#96) * set metadata URL earlier (#94) - Fix activation logic of systemd services (bsc#1182793) - Update to version 20201211.00 * Require snapshot scripts to live under /etc/google/snapshots (#90) * Adding support for Windows user account password lengths between 15 and 255 characters. (#91) * Adding bkatyl to OWNERS (#92) Changes in google-guest-configs: - Update to version 20210317.00 (bsc#1183414, bsc#1183415) * dracut.conf wants spaces around values (#19) * make the same change for debian (#18) * change path back for google_nvme_id (#17) * move google_nvme_id to /usr/bin (#16) * correct udev rule syntax (#15) * prune el6 spec (#13) * Updated udev rules (#11) - Remove empty %{_sbindir} from %install and %files section - Remove service files (bsc#1180304) + google-optimize-local-ssd.service, google-set-multiqueue.service scripts are called from within the guest agent Changes in google-guest-oslogin: - Update to version 20210316.00 (bsc#1183414, bsc#1183415) * call correct function in pwenthelper (#53) - Update to version 20210108.00 * Update logic in the cache_refresh binary (#52) * remove old unused workflow files (#49) * add getpwnam,getpwuid,getgrnam,getgrgid (#42) * Change requires to not require the python library for policycoreutils. (#44) * add dial and recvline (#41) * PR feedback * new client component and tests Changes in google-osconfig-agent: - Update to version 20210316.00 (bsc#1183414, bsc#1183415) * call correct function in pwenthelper (#53) - Update to version 20210108.00 * Update logic in the cache_refresh binary (#52) * remove old unused workflow files (#49) - Update to version 20200925.00 (bsc#1179031, bsc#1179032) * add getpwnam,getpwuid,getgrnam,getgrgid (#42) * Change requires to not require the python library for policycoreutils. (#44) * add dial and recvline (#41) * PR feedback * new client component and tests - Update to version 20200819.00 (bsc#1175740, bsc#1175741) * deny non-2fa users (#37) * use asterisks instead (#39) * set passwords to ! (#38) * correct index 0 bug (#36) * Support security key generated OTP challenges. (#35) - No post action for ssh - Initial build (bsc#1174304, bsc#1174306, jsc#ECO-2099, jsc#PM-1945) + Version 20200507.00 + Replaces google-compute-engine-oslogin package ----------------------------------------- Patch: SUSE-2021-1535 Released: Thu May 6 17:05:42 2021 Summary: Recommended update for spamassassin Severity: low References: 1185184 Description: This update for spamassassin fixes the following issues: - Deprecated path '/var/run/' used in systemd-services (bsc#1185184) ----------------------------------------- Patch: SUSE-2021-1536 Released: Thu May 6 17:05:59 2021 Summary: Recommended update for dovecot Severity: moderate References: 1185074 Description: This update for dovecot fixes the following issues: - Using /run instead of /var/run which was deprecated (bsc#1185074) - The home directories of the internal users was moved from /var/run/dovecot to /run/dovecot as well. ----------------------------------------- Patch: SUSE-2021-1543 Released: Fri May 7 15:16:33 2021 Summary: Recommended update for patterns-microos Severity: moderate References: 1184435 Description: This update for patterns-microos provides the following fix: - Require the libvirt-daemon-qemu package and include the needed dependencies in the product. (bsc#1184435) ----------------------------------------- Patch: SUSE-2021-1549 Released: Mon May 10 13:48:00 2021 Summary: Recommended update for procps Severity: moderate References: 1185417 Description: This update for procps fixes the following issues: - Support up to 2048 CPU as well. (bsc#1185417) ----------------------------------------- Patch: SUSE-2021-1554 Released: Tue May 11 09:43:41 2021 Summary: Security update for java-11-openjdk Severity: important References: 1184606,1185055,1185056,CVE-2021-2161,CVE-2021-2163 Description: This update for java-11-openjdk fixes the following issues: - Update to upstream tag jdk-11.0.11+9 (April 2021 CPU) * CVE-2021-2163: Fixed incomplete enforcement of JAR signing disabled algorithms (bsc#1185055) * CVE-2021-2161: Fixed incorrect handling of partially quoted arguments in ProcessBuilder (bsc#1185056) - moved mozilla-nss dependency to java-11-openjdk-headless package, this is necessary to be able to do crypto with just java-11-openjdk-headless installed (bsc#1184606). ----------------------------------------- Patch: SUSE-2021-1562 Released: Tue May 11 11:12:51 2021 Summary: Recommended update for amazon-ecs-init Severity: moderate References: 1182343,1182344 Description: This update for amazon-ecs-init contains the following fixes: - Fix for an issue where no restart happens when ECS Agent exits with exit code 5 (bsc#1182343, bsc#1182344) ----------------------------------------- Patch: SUSE-2021-1563 Released: Tue May 11 11:16:00 2021 Summary: Recommended update for maven Severity: moderate References: 1184022 Description: This update for systemtap fixes the following issues: - Releasing maven for SLE-15 SP1 and SP2. (bsc#1184022) ----------------------------------------- Patch: SUSE-2021-1570 Released: Wed May 12 11:59:39 2021 Summary: Recommended update for python-paramiko Severity: moderate References: 1178341 Description: This update for python-paramiko fixes the following issue: - Do not use deprecated methods. SUSE Linux Enterprise 15-SP1 and newer have `python-cryptography 2.8`. (bsc#1178341) ----------------------------------------- Patch: SUSE-2021-1583 Released: Wed May 12 13:40:35 2021 Summary: Recommended update for sensors Severity: moderate References: 1185183 Description: This update for sensors fixes the following issues: - Change PIDFile path from '/var/run' to '/run' as the it is deprecated. (bsc#1185183) ----------------------------------------- Patch: SUSE-2021-1587 Released: Wed May 12 13:43:48 2021 Summary: Recommended update for cloud-regionsrv-client Severity: moderate References: 1182779,1185198,1185234 Description: This update for cloud-regionsrv-client fixes the following issues: - Added a fix when the zypper lock is acquired by another process. In that case cloud-regionsrv-client will now wait up to 30 seconds for that lock to be freed (bsc#1182779, bsc#1185234, bsc#1185198) ----------------------------------------- Patch: SUSE-2021-1588 Released: Wed May 12 13:44:31 2021 Summary: Recommended update for python3-azuremetadata Severity: moderate References: 1172581,1184720 Description: This update for python3-azuremetadata fixes the following issues: - Fixed an issue where SUSEConnect was unable to set cloud_provider when registering an instance the first time (bsc#1172581) - When querying the metdata server for access verification via a proxy, the wrong data was delivered. This has been fixed (bsc#1184720) ----------------------------------------- Patch: SUSE-2021-1591 Released: Wed May 12 13:46:23 2021 Summary: Optional update for apache2-mod_auth_openidc Severity: low References: Description: This update for apache2-mod_auth_openidc fixes the following issues: - Avoid pulling hiredis-devel during build time (jsc#SLE-11726) This patch is optional to install and does not address any user visible issues. ----------------------------------------- Patch: SUSE-2021-1598 Released: Thu May 13 13:14:33 2021 Summary: Security update for dtc Severity: low References: 1184122 Description: This update for dtc fixes the following issues: - make all packaged binaries PIE-executables (bsc#1184122). ----------------------------------------- Patch: SUSE-2021-1599 Released: Thu May 13 13:15:20 2021 Summary: Security update for ipvsadm Severity: low References: 1184988 Description: This update for ipvsadm fixes the following issues: - Hardening: link as position independent executable (bsc#1184988). ----------------------------------------- Patch: SUSE-2021-1601 Released: Thu May 13 16:34:34 2021 Summary: Recommended update for brp-check-suse Severity: moderate References: 1184555 Description: This update for brp-check-suse fixes the following issues: - Make sure all brp-scripts are actually executable. (bsc#1184555) ----------------------------------------- Patch: SUSE-2021-1603 Released: Thu May 13 16:35:55 2021 Summary: Recommended update for gssproxy Severity: low References: 1185161 Description: This update for gssproxy fixes the following issues: - Using now /run instead of /var/run for daemon PID files (bsc#1185161) ----------------------------------------- Patch: SUSE-2021-1604 Released: Thu May 13 16:36:13 2021 Summary: Recommended update for autofs Severity: low References: 1185155 Description: This update for autofs fixes the following issues: - Changed pidfile path to /run from /var/run (bsc#1185155) ----------------------------------------- Patch: SUSE-2021-1618 Released: Mon May 17 13:11:28 2021 Summary: Recommended update for llvm7 and libqt5-qttools Severity: moderate References: 1067478,1109367,1145085,1184920 Description: This update for llvm7 and libqt5-qttools fixes the following issues: libqt5-qttools: - Use `libclang` instead of `clang`, now that `llvm7` moved the header files to `libclang` (bsc#1109367, bsc#1184920) llvm7: - Remove unneeded and unused dependencies: - groff, bison, flex, jsoncpp - Devel packages are only required in other devel packages, when their headers are included in the installed headers. - Skip a test that is broken with 387 FPU registers and avoids check failure on i586. (bsc#1145085) - Link `libomp` with `atomic` if needed and fix build using gcc-4.8. (bsc#1145085) - Make build of `gnustep-libobjc2` package reproducible. (bsc#1067478) - Remove `-fno-strict-aliasing` which upstream doesn't use any more. - Package `clang` builtin headers with `libclang`. (bsc#1109367) - The library is unusable without the builtin headers. Currently consumers of `libclang` have to require `clang` as well, although only the headers are needed. ----------------------------------------- Patch: SUSE-2021-1641 Released: Wed May 19 13:48:59 2021 Summary: Security update for djvulibre Severity: important References: 1185895,1185900,1185904,1185905,CVE-2021-32490,CVE-2021-32491,CVE-2021-32492,CVE-2021-32493 Description: This update for djvulibre fixes the following issues: - CVE-2021-32490 [bsc#1185895]: Out of bounds write in function DJVU:filter_bv() via crafted djvu file - CVE-2021-32491 [bsc#1185900]: Integer overflow in function render() in tools/ddjvu via crafted djvu file - CVE-2021-32492 [bsc#1185904]: Out of bounds read in function DJVU:DataPool:has_data() via crafted djvu file - CVE-2021-32493 [bsc#1185905]: Heap buffer overflow in function DJVU:GBitmap:decode() via crafted djvu file ----------------------------------------- Patch: SUSE-2021-1643 Released: Wed May 19 13:51:48 2021 Summary: Recommended update for pam Severity: important References: 1181443,1184358,1185562 Description: This update for pam fixes the following issues: - Fixed a bug, where the 'unlimited'/'-1' value was not interpreted correctly (bsc#1181443) - Fixed a bug, where pam_access interpreted the keyword 'LOCAL' incorrectly, leading to an attempt to resolve it as a hostname (bsc#1184358) - In the 32-bit compatibility package for 64-bit architectures, require 'systemd-32bit' to be also installed as it contains pam_systemd.so for 32 bit applications. (bsc#1185562) ----------------------------------------- Patch: SUSE-2021-1660 Released: Wed May 19 18:46:53 2021 Summary: Recommended update for python-kiwi Severity: moderate References: Description: This update for python-kiwi fixes the following issues: - Fix appx manifest for WSL containers This patch is two fold * This commit prevents KIWI from setting Identity Name attribute and DisplayName and PublisherDisplayName elements. Fixes #1780 * Fix WSL appx filemap relative paths not preserved During WSL appx image type creation step the file hierarchy under metadata_path is written to a temporary file for eventual use as argument to utility appx. The file hierarchy information is dropped resulting in all filemap entries appearing to be at the metadata_path root. The resulting image will side load and run but without icon and other resources. Stricter checks at Windows Store submission will fail due to mismatch between image manifest and contents. Fix by preserving relative path of filemap entries relative to metadata_path. Add log output showing both input absolute path and output relative path. (jsc#SLE-12986) - Recommend kiwi-systemdeps-containers This commit recommends 'kiwi-systemdeps-containers' instead of a hard requirement in kiwi-systemdeps package for SLE builds. This is needed because the containers tool chain is spread in different SLE modules. ----------------------------------------- Patch: SUSE-2021-1662 Released: Wed May 19 22:24:31 2021 Summary: Recommended update for saphanabootstrap-formula Severity: moderate References: 1185090 Description: This update for saphanabootstrap-formula fixes the following issues: - Fix the HANA sidadm usage to transform to lowercase some states managing the sudoers file in ha_cluster.sls state file. (bsc#1185090) ----------------------------------------- Patch: SUSE-2021-1663 Released: Wed May 19 22:25:14 2021 Summary: Recommended update for drbd-formula Severity: moderate References: 1179529 Description: This update for drbd-formula fixes the following issues: - Support different backing device per node. (bsc#1179529) ----------------------------------------- Patch: SUSE-2021-1664 Released: Thu May 20 08:03:30 2021 Summary: Security update for libass Severity: moderate References: 1184153,CVE-2020-24994 Description: This update for libass fixes the following issues: - CVE-2020-24994: Fixed a stack overflow in the parse_tag (bsc#1184153). ----------------------------------------- Patch: SUSE-2021-1669 Released: Thu May 20 11:10:44 2021 Summary: Recommended update for nfs-utils Severity: moderate References: 1181540,1181651,1183194,1185170 Description: This update for nfs-utils fixes the following issues: - The '/var/run' is long deprecated - switch all relevant paths to '/run'. (bsc#1185170) - Improve logging of authentication (bsc#1181540) - Add man page of the 'nconnect mount'. (bsc#1181651) - Fixed an issue when HANA crashed due to inaccessible/hanging NFS mount. (bsc#1183194) ----------------------------------------- Patch: SUSE-2021-1675 Released: Thu May 20 15:00:23 2021 Summary: Recommended update for snappy Severity: moderate References: 1080040,1184507 Description: This update for snappy fixes the following issues: Update from version 1.1.3 to 1.1.8 - Small performance improvements. - Removed `snappy::string` alias for `std::string`. - Improved `CMake` configuration. - Improved packages descriptions. - Fix RPM groups. - Aarch64 fixes - PPC speedups - PIE improvements - Fix license install. (bsc#1080040) - Fix a 1% performance regression when snappy is used in PIE executable. - Improve compression performance by 5%. - Improve decompression performance by 20%. - Use better download URL. - Fix a build issue for tensorflow2. (bsc#1184507) ----------------------------------------- Patch: SUSE-2021-1677 Released: Thu May 20 15:29:32 2021 Summary: Recommended update for purge-kernels-service Severity: low References: 1184399 Description: This update for purge-kernels-service fixes the following issues: - Add 'ZYPP_LOCK_TIMEOUT=-1' to keep waiting for the lock to avoid possible conflict with other background services uding zypper. (bsc#1184399) ----------------------------------------- Patch: SUSE-2021-1678 Released: Thu May 20 15:30:01 2021 Summary: Recommended update for prometheus-ha_cluster_exporter Severity: moderate References: 1184422 Description: This update for prometheus-ha_cluster_exporter fixes the following issues: - Add parsing of the `crm_config` node in the CIB parser. - Update the minimum required Go version to 1.14. - Avoid duplicate metric recording errors for non-running OCFS resources. (bsc#1184422) ----------------------------------------- Patch: SUSE-2021-1679 Released: Thu May 20 15:31:35 2021 Summary: Recommended update for ddclient Severity: moderate References: 1185069 Description: This update for ddclient fixes the following issues: - As '/var/run' is deprecated, replaced by '/run' in 'ddclient-tmpfiles.conf' (bsc#1185069) - Systemd expects the PID file to exist as soon as the main process exists. However, it takes quite a while until the pid file is created by the daemon process, so we delay the main process for 1 second before exit()ing. This gets rid of an annoying warning message in 'systemctl status'. ----------------------------------------- Patch: SUSE-2021-1681 Released: Thu May 20 16:49:23 2021 Summary: Recommended update for sapstartsrv-resource-agents Severity: moderate References: 1185152 Description: This update for sapstartsrv-resource-agents fixes the following issues: - Remove deprecated option 'syslog' from the 'sapping.service' and 'sappong.service' files. (bsc#1185152) ----------------------------------------- Patch: SUSE-2021-1698 Released: Fri May 21 19:46:59 2021 Summary: Recommended update for SAPHanaSR-ScaleOut Severity: moderate References: 1144442,1182115,1182545 Description: This update for SAPHanaSR-ScaleOut fixes the following issues: - The resource start and stop timeout is now configurable by increasing the timeout for the action 'start' and/or 'stop'. (bsc#1182545) - Add return codes for saphana_stop and saphana_StopSystem. (bsc#1182115) - Man page SAPhanaSR-ScaleOut minor mistakes. (bsc#1144442) ----------------------------------------- Patch: SUSE-2021-1700 Released: Mon May 24 16:39:35 2021 Summary: Recommended update for google-guest-agent, google-guest-oslogin, google-osconfig-agent Severity: moderate References: 1185848,1185849 Description: This update for google-guest-agent, google-guest-oslogin, google-osconfig-agent contains the following fixes: - Update to version 20210414.00 (bsc#1185848, bsc#1185849) * start sshd (#106) * Add systemd-networkd.service restart dependency. (#104) * Update error message for handleHealthCheckRequest. (#105) - Update to version 20210429.00 (bsc#1185848, bsc#1185849) * correct pagetoken in groupsforuser (#59) * resolve self groups last (#58) * support empty groups (#57) * no paginating to find groups (#56) * clear users vector (#55) * correct usage of pagetoken (#54) - Update to version 20210506.00 (bsc#1185848, bsc#1185849) * Add more os policy assignment examples (#348) * e2e_tests: enable stable tests for OSPolicies (#347) * Align start and end task logs (#346) * ConfigTask: add additional info logs (#345) * e2e_tests: add validation tests (#344) * Config Task: make sure agent respects policy mode (#343) * update * e2e_tests: readd retries to OSPolicies * Set minWaitDuration as a string instead of object (#341) * e2e_tests: Fix a few SUSE tests (#339) * Remove pre-release flag from config (#340) * e2e_tests: fixup OSPolicy tests (#338) * e2e_tests: unlock mutex for CreatePolicies as soon as create finishes (#337) * e2e_tests: Don't retry failed OSPolicy tests, fix msi test (#336) * Examples for os policy assignments (#334) * e2e_tests: increase the deadline for OSPolicy tests and only start after a zone has been secured (#335) * Fix panic when installing MSI (#332) * e2e_tests: Add test cases of installing dbe, rpm and msi packages (#333) * e2e_tests: add more logging * e2e_tests: (#330) * e2e_test: Add timouts to OSPolicy tests so we don't wait forever (#329) * Create top level directories for gcloud and console for os policy assignment examples (#328) * e2e_tests: Move api from an internal directory (#327) * Make sure we use the same test name for reruns (#326) * Add CONFIG_V1 capability (#325) * e2e_tests: reduce size of instances, use pd-balanced, rerun failed tests once (#324) * Only report installed packages for dpkg (#322) * e2e_tests: fix windows package and repository tests (#323) * Add top level directories for os policy examples (#321) * e2e_tests: move to using inventory api for inventory reporting (#320) * e2e_tests: add ExecResource tests (#319) * ExecResource: make sure we set permissions correctly for downloaded files (#318) * Config task: only run post check on resources that have already been evaluated (#317) * e2e_test: reorganize OSPolicy tests to be per Resource type (#316) * Set custom user agent (#299) * e2e_tests: check InstanceOSPoliciesCompliance for each test case, add LocalPath FileResource test (#314) * PackageResource: make sure to run AptUpdate prior to package install (#315) * Fix bugs/add more logging for OSPolicies (#313) * Change metadata http client to ignore http proxies (#312) * e2e_test: add tests for FileResource (#311) * Add task_type context logging (#310) * Fix e2e_test typo (#309) * Fix e2e_tests (#308) * Disable OSPolicies by default since it is an unreleased feature (#307) * e2e_tests: Add more OSPolicies package and repo tests (#306) * Do not enforce repo_gpgcheck in guestpolicies (#305) * Gather inventory 3-5min after agent start (#303) * e2e_tests: add OSPolicies tests for package install (#302) * Add helpful error log if a service account is missing (#304) * OSPolicies: correct apt repo extension, remove yum/zypper gpgcheck override (#301) * Update cos library to parse new version of packages file (#300) * config_task: Rework config step logic (#296) * e2e_test: enable serial logs in cos to support ReportInventory test (#297) ----------------------------------------- Patch: SUSE-2021-1752 Released: Tue May 25 13:26:10 2021 Summary: Recommended update for expect Severity: moderate References: 1172681,1183904,1184122 Description: This update for expect fixes the following issues: - Fixed an issue when expect in permanently open connection causes hanging for scripts. (bsc#1183904) - pass explicit -pie flag to CFLAGS and hack `make` invocation so that /usr/bin/expect actually becomes a PIE binary. This is especially awkard since the expect build system implicitly passes -fPIC which breaks our gcc-PIE package, but does not pass -pie while linking the executable. Shared libraries are also not linked with -shared so we need to explicitly pass this, too, to avoid build breakage. (bsc#1184122) - Add an unversioned symlink to make linking easier for applications that use libexpect without Tcl. (bsc#1172681) ----------------------------------------- Patch: SUSE-2021-1755 Released: Tue May 25 13:29:57 2021 Summary: Security update for libu2f-host Severity: moderate References: 1124781,1128140,1184648,CVE-2018-20340,CVE-2019-9578 Description: This update for libu2f-host fixes the following issues: This update ships the u2f-host package (jsc#ECO-3687 bsc#1184648) Version 1.1.10 (released 2019-05-15) - Add new devices to udev rules. - Fix a potentially uninitialized buffer (CVE-2019-9578, bsc#1128140) Version 1.1.9 (released 2019-03-06) - Fix CID copying from the init response, which broke compatibility with some devices. Version 1.1.8 (released 2019-03-05) - Add udev rules - Drop 70-old-u2f.rules and use 70-u2f.rules for everything - Use a random nonce for setting up CID to prevent fingerprinting - CVE-2019-9578: Parse the response to init in a more stable way to prevent leakage of uninitialized stack memory back to the device (bsc#1128140). Version 1.1.7 (released 2019-01-08) - Fix for trusting length from device in device init. - Fix for buffer overflow when receiving data from device. (YSA-2019-01, CVE-2018-20340, bsc#1124781) - Add udev rules for some new devices. - Add udev rule for Feitian ePass FIDO - Add a timeout to the register and authenticate actions. ----------------------------------------- Patch: SUSE-2021-1759 Released: Wed May 26 11:16:44 2021 Summary: Security update for rubygem-actionpack-5_1 Severity: important References: 1185715,CVE-2021-22885 Description: This update for rubygem-actionpack-5_1 fixes the following issues: - CVE-2021-22885: Fixed possible information disclosure / unintended method execution in Action Pack (bsc#1185715). ----------------------------------------- Patch: SUSE-2021-1765 Released: Wed May 26 12:36:38 2021 Summary: Security update for libX11 Severity: moderate References: 1182506,CVE-2021-31535 Description: This update for libX11 fixes the following issues: - CVE-2021-31535: Fixed missing request length checks in libX11 (bsc#1182506). ----------------------------------------- Patch: SUSE-2021-1772 Released: Wed May 26 17:21:45 2021 Summary: Recommended update for motif Severity: moderate References: 1184184 Description: This update for motif fixes the following issues: - Add patches to prevent the third party application crashing. (bsc#1184184) ----------------------------------------- Patch: SUSE-2021-1785 Released: Thu May 27 16:44:19 2021 Summary: Security update for postgresql13 Severity: moderate References: 1179945,1183118,1183168,1185924,1185925,1185926,CVE-2021-32027,CVE-2021-32028,CVE-2021-32029 Description: This update for postgresql13 fixes the following issues: - Upgrade to version 13.3: - CVE-2021-32027: Fixed integer overflows in array subscripting calculations (bsc#1185924). - CVE-2021-32028: Fixed mishandling of junk columns in INSERT ... ON CONFLICT ... UPDATE target lists (bsc#1185925). - CVE-2021-32029: Fixed possibly-incorrect computation of UPDATE ... RETURNING outputs for joined cross-partition updates (bsc#1185926). - Don't use %_stop_on_removal, because it was meant to be private and got removed from openSUSE. %_restart_on_update is also private, but still supported and needed for now (bsc#1183168). - Re-enable build of the llvmjit subpackage on SLE, but it will only be delivered on PackageHub for now (bsc#1183118). - Disable icu for PostgreSQL 10 (and older) on TW (bsc#1179945). ----------------------------------------- Patch: SUSE-2021-1794 Released: Thu May 27 19:25:29 2021 Summary: Recommended update for radvd Severity: moderate References: 1185066 Description: This update for radvd fixes the following issues: - replace '/var/run' with '/run' in '/usr/lib/tmpfiles.d/radvd.conf' (bsc#1185066) ----------------------------------------- Patch: SUSE-2021-1797 Released: Fri May 28 12:56:31 2021 Summary: Recommended update for python-aliyun-img-utils, python-click-man, python-crcmod, python-oss2 Severity: moderate References: 1181995 Description: This update for python-aliyun-img-utils, python-click-man, python-crcmod, python-oss2 fixes the following issues: - Include in SLE-15 (bsc#1181995, jsc#ECO-3329, jsc#PM-2475) - Cleanup spec file - Use fdupes - Do not bundle html doc - singlespec auto-conversion - Include in SLE 12 (FATE #316168) - No need to use upstream tarball, download PyPI tarball instead - Switch to github archive as the tests are not present on pypi version. - Initial build ----------------------------------------- Patch: SUSE-2021-1800 Released: Fri May 28 15:28:23 2021 Summary: Recommended update for mdadm Severity: moderate References: 1175758,1181619 Description: This update for mdadm fixes the following issues: - Fixed an issue when md device broke while adding another disk (bsc#1181619) - imsm: Addded nvme multipath support (bsc#1175758) ----------------------------------------- Patch: SUSE-2021-1805 Released: Mon May 31 15:34:37 2021 Summary: Recommended update for amazon-ssm-agent and amazon-ecs-init Severity: moderate References: 1186239,1186262 Description: This update for amazon-ssm-agent and amazon-ecs-init fixes the following issues: - Added support for Amazon ECS Anywhere (bsc#1186239, bsc#1186262) The amazon-ssm-agent package provides a RELEASENOTES.md file with a more detailed list of all changes. ----------------------------------------- Patch: SUSE-2021-1806 Released: Mon May 31 16:23:04 2021 Summary: Security update for python-httplib2 Severity: moderate References: 1171998,1182053,CVE-2020-11078,CVE-2021-21240 Description: This update for python-httplib2 fixes the following issues: - Update to version 0.19.0 (bsc#1182053). - CVE-2021-21240: Fixed regular expression denial of service via malicious header (bsc#1182053). - CVE-2020-11078: Fixed unescaped part of uri where an attacker could change request headers and body (bsc#1182053). ----------------------------------------- Patch: SUSE-2021-1817 Released: Tue Jun 1 10:09:53 2021 Summary: Recommended update for google-poppins-fonts Severity: moderate References: 1186642 Description: This update of google-poppins-fonts releases it in a higher version than on SLES 15 SP2, to allow better migration and solve a openSUSE Leap 15.3 patch problem. (bsc#1186642) ----------------------------------------- Patch: SUSE-2021-1826 Released: Tue Jun 1 16:40:26 2021 Summary: Security update for bind Severity: important References: 1183453,1185073,CVE-2021-25214,CVE-2021-25215 Description: This update for bind fixes the following issues: - CVE-2021-25214: Fixed a broken inbound incremental zone update (IXFR) which could have caused named to terminate unexpectedly (bsc#1185345). - CVE-2021-25215: Fixed an assertion check which could have failed while answering queries for DNAME records that required the DNAME to be processed to resolve itself (bsc#1185345). - Switched from /var/run to /run (bsc#1185073) - Hardening: Compiled binary with PIE flags to make it position independent ----------------------------------------- Patch: SUSE-2021-1840 Released: Wed Jun 2 16:29:28 2021 Summary: Security update for xstream Severity: important References: 1184372,1184373,1184374,1184375,1184376,1184377,1184378,1184379,1184380,1184796,1184797,CVE-2021-21341,CVE-2021-21342,CVE-2021-21343,CVE-2021-21344,CVE-2021-21345,CVE-2021-21346,CVE-2021-21347,CVE-2021-21348,CVE-2021-21349,CVE-2021-21350,CVE-2021-21351 Description: This update for xstream fixes the following issues: - Upgrade to 1.4.16 - CVE-2021-21351: remote attacker to load and execute arbitrary code (bsc#1184796) - CVE-2021-21349: SSRF can lead to a remote attacker to request data from internal resources (bsc#1184797) - CVE-2021-21350: arbitrary code execution (bsc#1184380) - CVE-2021-21348: remote attacker could cause denial of service by consuming maximum CPU time (bsc#1184374) - CVE-2021-21347: remote attacker to load and execute arbitrary code from a remote host (bsc#1184378) - CVE-2021-21344: remote attacker could load and execute arbitrary code from a remote host (bsc#1184375) - CVE-2021-21342: server-side forgery (bsc#1184379) - CVE-2021-21341: remote attacker could cause a denial of service by allocating 100% CPU time (bsc#1184377) - CVE-2021-21346: remote attacker could load and execute arbitrary code (bsc#1184373) - CVE-2021-21345: remote attacker with sufficient rights could execute commands (bsc#1184372) - CVE-2021-21343: replace or inject objects, that result in the deletion of files on the local host (bsc#1184376) ----------------------------------------- Patch: SUSE-2021-1841 Released: Wed Jun 2 16:30:17 2021 Summary: Security update for dhcp Severity: important References: 1186382,CVE-2021-25217 Description: This update for dhcp fixes the following issues: - CVE-2021-25217: A buffer overrun in lease file parsing code can be used to exploit a common vulnerability shared by dhcpd and dhclient (bsc#1186382) ----------------------------------------- Patch: SUSE-2021-1843 Released: Thu Jun 3 16:22:36 2021 Summary: Security update for polkit Severity: important References: 1186497,CVE-2021-3560 Description: This update for polkit fixes the following issues: - CVE-2021-3560: Fixed a local privilege escalation using polkit_system_bus_name_get_creds_sync() (bsc#1186497). ----------------------------------------- Patch: SUSE-2021-1847 Released: Fri Jun 4 08:47:12 2021 Summary: Optional update for bison Severity: low References: 1183777 Description: This update for bison fixes the following issues: - Fixed an issue when building bison for SUSE Linux Enterprise Server 15 SP3 (bsc#1183777) This update does not fix any user visible issues, thus it is optional to install. ----------------------------------------- Patch: SUSE-2021-1848 Released: Fri Jun 4 08:48:03 2021 Summary: Recommended update for libraw Severity: low References: 1184123 Description: This update for libraw fixes the following issues: - Hardening: Link as PIE (bsc#1184123) ----------------------------------------- Patch: SUSE-2021-1849 Released: Fri Jun 4 08:48:14 2021 Summary: Recommended update for fltk Severity: low References: 1184122 Description: This update for fltk fixes the following issues: - Hardening: Removed non position independent binaries (bsc#1184122) ----------------------------------------- Patch: SUSE-2021-1850 Released: Fri Jun 4 08:48:41 2021 Summary: Recommended update for doxygen Severity: low References: 1184122 Description: This update for doxygen fixes the following issues: - Hardeing: Removed non-PIE binaries (bsc#1184122) ----------------------------------------- Patch: SUSE-2021-1852 Released: Fri Jun 4 08:49:00 2021 Summary: Recommended update for libstoragemgmt Severity: low References: 1185067 Description: This update for libstoragemgmt fixes the following issues: - Moved from /var/run to /run because of deprecation warnings (bsc#1185067) ----------------------------------------- Patch: SUSE-2021-1853 Released: Fri Jun 4 08:49:13 2021 Summary: Recommended update for exfatprogs Severity: moderate References: 1184882 Description: This update for exfatprogs fixes the following issue: - Make `set_bit_le()` 64-bit compatible. (bsc#1184882) bitmap data is not written normally in bitmap location s390x (64bit big endian system) and this fix makes it 64-bit compatible. ----------------------------------------- Patch: SUSE-2021-1854 Released: Fri Jun 4 08:54:10 2021 Summary: Security update for MozillaThunderbird Severity: moderate References: 1185086,1185633,1186198,1186199,CVE-2021-29950,CVE-2021-29951,CVE-2021-29956,CVE-2021-29957 Description: This update for MozillaThunderbird fixes the following issues: - Mozilla Thunderbird 78.10.2 - CVE-2021-29957: Fixed partial protection of inline OpenPGP message not indicated (bsc#1186198). - CVE-2021-29956: Fixed Thunderbird stored OpenPGP secret keys without master password protection (bsc#1186199). - CVE-2021-29951: Fixed Thunderbird Maintenance Service could have been started or stopped by domain users (bsc#1185633). - CVE-2021-29950: Fixed logic issue potentially leaves key material unlocked (bsc#1185086). ----------------------------------------- Patch: SUSE-2021-1859 Released: Fri Jun 4 09:02:38 2021 Summary: Security update for python-py Severity: moderate References: 1179805,1184505,CVE-2020-29651 Description: This update for python-py fixes the following issues: - CVE-2020-29651: Fixed regular expression denial of service in svnwc.py (bsc#1179805, bsc#1184505). ----------------------------------------- Patch: SUSE-2021-1860 Released: Fri Jun 4 09:04:05 2021 Summary: Security update for libwebp Severity: critical References: 1185652,1185654,1185673,1185674,1185685,1185686,1185688,1185690,1185691,1186247,CVE-2018-25009,CVE-2018-25010,CVE-2018-25011,CVE-2018-25012,CVE-2018-25013,CVE-2020-36328,CVE-2020-36329,CVE-2020-36330,CVE-2020-36331,CVE-2020-36332 Description: This update for libwebp fixes the following issues: - CVE-2018-25010: Fixed heap-based buffer overflow in ApplyFilter() (bsc#1185685). - CVE-2020-36330: Fixed heap-based buffer overflow in ChunkVerifyAndAssign() (bsc#1185691). - CVE-2020-36332: Fixed extreme memory allocation when reading a file (bsc#1185674). - CVE-2020-36329: Fixed use-after-free in EmitFancyRGB() (bsc#1185652). - CVE-2018-25012: Fixed heap-based buffer overflow in GetLE24() (bsc#1185690). - CVE-2020-36328: Fixed heap-based buffer overflow in WebPDecode*Into functions (bsc#1185688). - CVE-2018-25013: Fixed heap-based buffer overflow in ShiftBytes() (bsc#1185654). - CVE-2020-36331: Fixed heap-based buffer overflow in ChunkAssignData() (bsc#1185686). - CVE-2018-25009: Fixed heap-based buffer overflow in GetLE16() (bsc#1185673). - CVE-2018-25011: Fixed fail on multiple image chunks (bsc#1186247). ----------------------------------------- Patch: SUSE-2021-1861 Released: Fri Jun 4 09:59:40 2021 Summary: Recommended update for gcc10 Severity: moderate References: 1029961,1106014,1178577,1178624,1178675,1182016 Description: This update for gcc10 fixes the following issues: - Disable nvptx offloading for aarch64 again since it doesn't work - Fixed a build failure issue. (bsc#1182016) - Fix for memory miscompilation on 'aarch64'. (bsc#1178624, bsc#1178577) - Fix 32bit 'libgnat.so' link. (bsc#1178675) - prepare usrmerge: Install libgcc_s into %_libdir. ABI wise it stays /%lib. (bsc#1029961) - Build complete set of multilibs for arm-none target. (bsc#1106014) ----------------------------------------- Patch: SUSE-2021-1863 Released: Fri Jun 4 11:16:23 2021 Summary: Security update for umoci Severity: important References: 1184147,CVE-2021-29136 Description: This update for umoci fixes the following issues: Update to v0.4.7 (bsc#1184147). - CVE-2021-29136: Fixed overwriting of host files via malicious layer (bsc#1184147). ----------------------------------------- Patch: SUSE-2021-1876 Released: Mon Jun 7 14:01:09 2021 Summary: Security update for snakeyaml Severity: important References: 1159488,1186088,CVE-2017-18640 Description: This update for snakeyaml fixes the following issues: - Upgrade to 1.28 - CVE-2017-18640: The Alias feature allows entity expansion during a load operation (bsc#1159488, bsc#1186088) ----------------------------------------- Patch: SUSE-2021-1877 Released: Mon Jun 7 15:33:46 2021 Summary: Recommended update for gpm Severity: low References: 1160873,1182147 Description: This update for gpm fixes the following issues: - Removed unnecessary StandardOutput override in the unit definition file. (bsc#1182147) - Fixed a compilation issue when using -fno-common during compilation (bsc#1160873) ----------------------------------------- Patch: SUSE-2021-1884 Released: Tue Jun 8 15:05:25 2021 Summary: Security update for MozillaFirefox Severity: important References: 1185633,1186696,CVE-2021-29951,CVE-2021-29964,CVE-2021-29967 Description: This update for MozillaFirefox fixes the following issues: Firefox Extended Support Release 78.11.0 ESR (bsc#1186696) * CVE-2021-29964: Out of bounds-read when parsing a `WM_COPYDATA` message * CVE-2021-29967: Memory safety bugs fixed in Firefox ----------------------------------------- Patch: SUSE-2021-1896 Released: Tue Jun 8 16:08:27 2021 Summary: Security update for pam_radius Severity: moderate References: 1163933,CVE-2015-9542 Description: This update for pam_radius fixes the following issues: - CVE-2015-9542: pam_radius: buffer overflow in password field (bsc#1163933) ----------------------------------------- Patch: SUSE-2021-1897 Released: Tue Jun 8 16:15:17 2021 Summary: Security update for libX11 Severity: important References: 1186643,CVE-2021-31535 Description: This update for libX11 fixes the following issues: - Regression in the fix for CVE-2021-31535, causing segfaults for xforms applications like fdesign (bsc#1186643) ----------------------------------------- Patch: SUSE-2021-1914 Released: Wed Jun 9 14:29:32 2021 Summary: Security update for libopenmpt Severity: moderate References: 1186663 Description: This update for libopenmpt fixes the following issues: Various bugfix and stability issues were fixed, some of those might have security impact. libopenmpt was updated to 0.3.28: * Fixed excessive memory consumption with malformed files in various formats. Changes in 0.3.27: * AMS: Avoid allocating excessive amount of memory for compressed song message in malformed files. * S3M: Some samples were imported with a too high sample rate if module was saved with Scream Tracker 3. Changes in 0.3.26: * DMF: Improve import of finetune effect with parameters larger than +/-15. Changes in 0.3.25: * AMS: An upper bound for uncompressed sample size is now established to avoid memory exhaustion from malformed files. * MO3: Avoid certain ModPlug hacks from being fixed up twice, which could lead to e.g. very narrow pan swing range for old OpenMPT IT files saved with a recent MO3 encoder version. * IMF: Instrument sample mapping was off by one octave, notable in the guitar part of Astaris by Karsten Koch. * PLM: Percentage offset (Mxx) was slightly off. Changes in 0.3.24: * PP20: The first few bytes of some files were not decompressed properly, making some files unplayable (depending on the original format). Changes in 0.3.23: * IT: Global volume slides with both nibbles set preferred the “slide up” nibble over the “slide down” nibble in old OpenMPT versions, unlike other slides. Such old files are now imported correctly again. * IT: Fixed an edge case where, if the filter hit full cutoff / no resonance on the first tick of a row where a new delayed note would be triggered, the filter would be disabled even though it should stay active. Fixes trace.it by maddie. * XM: Out-of-range arpeggio clamping behaviour broke in OpenMPT 1.23.05.00. The arpeggios in Binary World by Dakota now play correctly again. * S3M: Support old-style sample pre-amp value in very early S3M files. * S3M: Only force-enable fast slides for files ST 3.00. Previously, any S3M file made with an ST3 version older than 3.20 enabled them. * M15: Improve tracker detection heuristics to never assume SoundTracker 2.0 if there is a huge number of Dxx commands, as that is a definite hint that they should be treated as volume slides. Fixes Monty On The Run by Master Blaster. Changes in 0.3.22: * IT: Disable retrigger with short notes quirk for modules saved with Chibi Tracker, as it does not implement that quirk. * MOD: Fix early song ending due to ProTracker pattern jump quirk (EEx + Dxx on same row) if infinite looping is disabled. Fixes Haunted Tracks.mod by Triace. * MOD: Vibrato type “ramp down” was upside down. Changes in 0.3.21: * IT: Vibrato was too fast in Old Effects mode since libopenmpt 0.3. * XM: Treat 8bitbubsy’s FT2 clone exactly like Fasttracker 2 with respect to compatibility and playback flags. For example, FT2 Pan Law was not applied. * DMF: Some files had a wrong tempo since libopenmpt 0.2.5705-beta15. ----------------------------------------- Patch: SUSE-2021-1923 Released: Thu Jun 10 08:37:00 2021 Summary: Recommended update for nfs-utils Severity: important References: 1183194 Description: This update for nfs-utils fixes the following issues: - Ensured thread safety when opening files over NFS to prevent a use-after-free issue (bsc#1183194) ----------------------------------------- Patch: SUSE-2021-1926 Released: Thu Jun 10 08:38:14 2021 Summary: Recommended update for gcc Severity: moderate References: 1096677 Description: This update for gcc fixes the following issues: - Added gccgo symlink and go and gofmt as alternatives to support parallel installation of golang (bsc#1096677) ----------------------------------------- Patch: SUSE-2021-1933 Released: Thu Jun 10 10:28:41 2021 Summary: Security update for ucode-intel Severity: important References: 1179833,1179836,1179837,1179839,CVE-2020-24489,CVE-2020-24511,CVE-2020-24512,CVE-2020-24513 Description: This update for ucode-intel fixes the following issues: Updated to Intel CPU Microcode 20210608 release. - CVE-2020-24513: A domain bypass transient execution vulnerability was discovered on some Intel Atom processors that use a micro-architectural incident channel. (INTEL-SA-00465 bsc#1179833) See also: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00465.html - CVE-2020-24511: The IBRS feature to mitigate Spectre variant 2 transient execution side channel vulnerabilities may not fully prevent non-root (guest) branches from controlling the branch predictions of the root (host) (INTEL-SA-00464 bsc#1179836) See also https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00464.html) - CVE-2020-24512: Fixed trivial data value cache-lines such as all-zero value cache-lines may lead to changes in cache-allocation or write-back behavior for such cache-lines (bsc#1179837 INTEL-SA-00464) See also https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00464.html) - CVE-2020-24489: Fixed Intel VT-d device pass through potential local privilege escalation (INTEL-SA-00442 bsc#1179839) See also https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00442.html Other fixes: - Update for functional issues. Refer to [Third Generation Intel Xeon Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/637780)for details. - Update for functional issues. Refer to [Second Generation Intel Xeon Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/338848) for details. - Update for functional issues. Refer to [Intel Xeon Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/613537) for details. - Update for functional issues. Refer to [Intel Xeon Processor D-1500, D-1500 NS and D-1600 NS Spec Update](https://www.intel.com/content/www/us/en/products/docs/processors/xeon/xeon-d-1500-specification-update.html) for details. - Update for functional issues. Refer to [Intel Xeon E7-8800 and E7-4800 v3 Processor Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e7-v3-spec-update.html) for details. - Update for functional issues. Refer to [Intel Xeon Processor E5 v3 Product Family Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e5-v3-spec-update.html?wapkw=processor+spec+update+e5) for details. - Update for functional issues. Refer to [10th Gen Intel Core Processor Families Specification Update](https://www.intel.com/content/www/us/en/products/docs/processors/core/10th-gen-core-families-specification-update.html) for details. - Update for functional issues. Refer to [8th and 9th Gen Intel Core Processor Family Spec Update](https://www.intel.com/content/www/us/en/products/docs/processors/core/8th-gen-core-spec-update.html) for details. - Update for functional issues. Refer to [7th Gen and 8th Gen (U Quad-Core) Intel Processor Families Specification Update](https://www.intel.com/content/www/us/en/processors/core/7th-gen-core-family-spec-update.html) for details. - Update for functional issues. Refer to [6th Gen Intel Processor Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/332689) for details. - Update for functional issues. Refer to [Intel Xeon E3-1200 v6 Processor Family Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e3-1200v6-spec-update.html) for details. - Update for functional issues. Refer to [Intel Xeon E-2100 and E-2200 Processor Family Specification Update](https://www.intel.com/content/www/us/en/products/docs/processors/xeon/xeon-e-2100-specification-update.html) for details. - New platforms: | Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products |:---------------|:---------|:------------|:---------|:---------|:--------- | CLX-SP | A0 | 06-55-05/b7 | | 03000010 | Xeon Scalable Gen2 | ICX-SP | C0 | 06-6a-05/87 | | 0c0002f0 | Xeon Scalable Gen3 | ICX-SP | D0 | 06-6a-06/87 | | 0d0002a0 | Xeon Scalable Gen3 | SNR | B0 | 06-86-04/01 | | 0b00000f | Atom P59xxB | SNR | B1 | 06-86-05/01 | | 0b00000f | Atom P59xxB | TGL | B1 | 06-8c-01/80 | | 00000088 | Core Gen11 Mobile | TGL-R | C0 | 06-8c-02/c2 | | 00000016 | Core Gen11 Mobile | TGL-H | R0 | 06-8d-01/c2 | | 0000002c | Core Gen11 Mobile | EHL | B1 | 06-96-01/01 | | 00000011 | Pentium J6426/N6415, Celeron J6412/J6413/N6210/N6211, Atom x6000E | JSL | A0/A1 | 06-9c-00/01 | | 0000001d | Pentium N6000/N6005, Celeron N4500/N4505/N5100/N5105 | RKL-S | B0 | 06-a7-01/02 | | 00000040 | Core Gen11 - Updated platforms: | Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products |:---------------|:---------|:------------|:---------|:---------|:--------- | HSX-E/EP | Cx/M1 | 06-3f-02/6f | 00000044 | 00000046 | Core Gen4 X series; Xeon E5 v3 | HSX-EX | E0 | 06-3f-04/80 | 00000016 | 00000019 | Xeon E7 v3 | SKL-U/Y | D0 | 06-4e-03/c0 | 000000e2 | 000000ea | Core Gen6 Mobile | SKL-U23e | K1 | 06-4e-03/c0 | 000000e2 | 000000ea | Core Gen6 Mobile | BDX-ML | B0/M0/R0 | 06-4f-01/ef | 0b000038 | 0b00003e | Xeon E5/E7 v4; Core i7-69xx/68xx | SKX-SP | B1 | 06-55-03/97 | 01000159 | 0100015b | Xeon Scalable | SKX-SP | H0/M0/U0 | 06-55-04/b7 | 02006a0a | 02006b06 | Xeon Scalable | SKX-D | M1 | 06-55-04/b7 | 02006a0a | 02006b06 | Xeon D-21xx | CLX-SP | B0 | 06-55-06/bf | 04003006 | 04003102 | Xeon Scalable Gen2 | CLX-SP | B1 | 06-55-07/bf | 05003006 | 05003102 | Xeon Scalable Gen2 | CPX-SP | A1 | 06-55-0b/bf | 0700001e | 07002302 | Xeon Scalable Gen3 | BDX-DE | V2/V3 | 06-56-03/10 | 07000019 | 0700001b | Xeon D-1518/19/21/27/28/31/33/37/41/48, Pentium D1507/08/09/17/19 | BDX-DE | Y0 | 06-56-04/10 | 0f000017 | 0f000019 | Xeon D-1557/59/67/71/77/81/87 | BDX-NS | A0 | 06-56-05/10 | 0e00000f | 0e000012 | Xeon D-1513N/23/33/43/53 | APL | D0 | 06-5c-09/03 | 00000040 | 00000044 | Pentium N/J4xxx, Celeron N/J3xxx, Atom x5/7-E39xx | APL | E0 | 06-5c-0a/03 | 0000001e | 00000020 | Atom x5-E39xx | SKL-H/S | R0/N0 | 06-5e-03/36 | 000000e2 | 000000ea | Core Gen6; Xeon E3 v5 | DNV | B0 | 06-5f-01/01 | 0000002e | 00000034 | Atom C Series | GLK | B0 | 06-7a-01/01 | 00000034 | 00000036 | Pentium Silver N/J5xxx, Celeron N/J4xxx | GKL-R | R0 | 06-7a-08/01 | 00000018 | 0000001a | Pentium J5040/N5030, Celeron J4125/J4025/N4020/N4120 | ICL-U/Y | D1 | 06-7e-05/80 | 000000a0 | 000000a6 | Core Gen10 Mobile | LKF | B2/B3 | 06-8a-01/10 | 00000028 | 0000002a | Core w/Hybrid Technology | AML-Y22 | H0 | 06-8e-09/10 | 000000de | 000000ea | Core Gen8 Mobile | KBL-U/Y | H0 | 06-8e-09/c0 | 000000de | 000000ea | Core Gen7 Mobile | CFL-U43e | D0 | 06-8e-0a/c0 | 000000e0 | 000000ea | Core Gen8 Mobile | WHL-U | W0 | 06-8e-0b/d0 | 000000de | 000000ea | Core Gen8 Mobile | AML-Y42 | V0 | 06-8e-0c/94 | 000000de | 000000ea | Core Gen10 Mobile | CML-Y42 | V0 | 06-8e-0c/94 | 000000de | 000000ea | Core Gen10 Mobile | WHL-U | V0 | 06-8e-0c/94 | 000000de | 000000ea | Core Gen8 Mobile | KBL-G/H/S/E3 | B0 | 06-9e-09/2a | 000000de | 000000ea | Core Gen7; Xeon E3 v6 | CFL-H/S/E3 | U0 | 06-9e-0a/22 | 000000de | 000000ea | Core Gen8 Desktop, Mobile, Xeon E | CFL-S | B0 | 06-9e-0b/02 | 000000de | 000000ea | Core Gen8 | CFL-H/S | P0 | 06-9e-0c/22 | 000000de | 000000ea | Core Gen9 | CFL-H | R0 | 06-9e-0d/22 | 000000de | 000000ea | Core Gen9 Mobile | CML-H | R1 | 06-a5-02/20 | 000000e0 | 000000ea | Core Gen10 Mobile | CML-S62 | G1 | 06-a5-03/22 | 000000e0 | 000000ea | Core Gen10 | CML-S102 | Q0 | 06-a5-05/22 | 000000e0 | 000000ec | Core Gen10 | CML-U62 | A0 | 06-a6-00/80 | 000000e0 | 000000e8 | Core Gen10 Mobile | CML-U62 V2 | K0 | 06-a6-01/80 | 000000e0 | 000000ea | Core Gen10 Mobile ----------------------------------------- Patch: SUSE-2021-1934 Released: Thu Jun 10 10:35:09 2021 Summary: Recommended update for xorg-x11-server Severity: moderate References: 1184906,1186092 Description: This update for xorg-x11-server fixes the following issues: - xwayland: Fix invisible window produced by Xwayland. (bsc#1186092, bsc#1184906) ----------------------------------------- Patch: SUSE-2021-1935 Released: Thu Jun 10 10:45:09 2021 Summary: Recommended update for gzip Severity: moderate References: 1186642 Description: This update for gzip fixes the following issue: - gzip had a lower release number in 15 sp2 and sp3 than in 15 sp1, which could lead to migration issues. (bsc#1186642) ----------------------------------------- Patch: SUSE-2021-1937 Released: Thu Jun 10 10:47:09 2021 Summary: Recommended update for nghttp2 Severity: moderate References: 1186642 Description: This update for nghttp2 fixes the following issue: - The (lib)nghttp2 packages had a lower release number in SUSE Linux Enterprise 15 sp2 and sp3 than in 15 sp1, which could lead to migration issues. (bsc#1186642) ----------------------------------------- Patch: SUSE-2021-1941 Released: Thu Jun 10 10:49:52 2021 Summary: Recommended update for sysconfig Severity: moderate References: 1186642 Description: This update for sysconfig fixes the following issue: - sysconfig had a lower release number in 15 sp2 and sp3 than in 15 sp1, which could lead to migration issues. (bsc#1186642) ----------------------------------------- Patch: SUSE-2021-1948 Released: Thu Jun 10 12:32:08 2021 Summary: Security update for djvulibre Severity: important References: 1186253,CVE-2021-3500 Description: This update for djvulibre fixes the following issues: - CVE-2021-3500: Stack overflow in function DJVU:DjVuDocument:get_djvu_file() via crafted djvu file (bsc#1186253) ----------------------------------------- Patch: SUSE-2021-1950 Released: Thu Jun 10 14:42:00 2021 Summary: Recommended update for hwdata Severity: moderate References: 1170160,1182482,1185697 Description: This update for hwdata fixes the following issues: - Update to version 0.347: + Updated pci, usb and vendor ids. (bsc#1185697) - Update to version 0.346: + Updated pci, usb and vendor ids. (bsc#1182482, jsc#SLE-13791, bsc#1170160) ----------------------------------------- Patch: SUSE-2021-1954 Released: Fri Jun 11 10:45:09 2021 Summary: Security update for containerd, docker, runc Severity: important References: 1168481,1175081,1175821,1181594,1181641,1181677,1181730,1181732,1181749,1182451,1182476,1182947,1183024,1183855,1184768,1184962,1185405,CVE-2021-21284,CVE-2021-21285,CVE-2021-21334,CVE-2021-30465 Description: This update for containerd, docker, runc fixes the following issues: Docker was updated to 20.10.6-ce (bsc#1184768, bsc#1182947, bsc#1181594) * Switch version to use -ce suffix rather than _ce to avoid confusing other tools (bsc#1182476). * CVE-2021-21284: Fixed a potential privilege escalation when the root user in the remapped namespace has access to the host filesystem (bsc#1181732) * CVE-2021-21285: Fixed an issue where pulling a malformed Docker image manifest crashes the dockerd daemon (bsc#1181730). * btrfs quotas being removed by Docker regularly (bsc#1183855, bsc#1175081) runc was updated to v1.0.0~rc93 (bsc#1182451, bsc#1175821 bsc#1184962). * Use the upstream runc package (bsc#1181641, bsc#1181677, bsc#1175821). * Fixed /dev/null is not available (bsc#1168481). * CVE-2021-30465: Fixed a symlink-exchange attack vulnarability (bsc#1185405). containerd was updated to v1.4.4 * CVE-2021-21334: Fixed a potential information leak through environment variables (bsc#1183397). * Handle a requirement from docker (bsc#1181594). ----------------------------------------- Patch: SUSE-2021-1955 Released: Fri Jun 11 12:50:54 2021 Summary: Recommended update for webkit2gtk3 Severity: moderate References: 1186642 Description: This update for webkit2gtk3 fixes the following issue: - webkit2gtk3 had a lower release number in 15 sp2 and sp3 than in 15 sp1, which could lead to migration issues. (bsc#1186642) ----------------------------------------- Patch: SUSE-2021-1973 Released: Tue Jun 15 12:10:54 2021 Summary: Recommended update for libreoffice and xmlsec1 Severity: important References: 1184527,1184961,1185505,1185797,1186110,1186706 Description: This update for libreoffice and xmlsec1 fixes the following issues: libreoffice: Update from version 7.1.2.2 to version 7.1.3.2 - Searching in PPTX document makes LibreOffice crash. (bsc#1185797) - Fix a text highlight issue when saving as PPTX. (bsc#1185505) - Recommend `libreoffice-qt5` only when it is actually created - Fix a build error with GCC11. (bsc#1186110) - LibreOffice requires at least java 1.8.0 to run properly. - Fix a potential dataloss in LibreOffice Math. (bsc#1184961, bsc#1184527) The issue occurred only while trying to close the document via shortcuts. In this case LibreOffice Math was closed without asking to save the document. xmlsec1: - Provide missing binaries to SUSE Linux Enterprise 15-SP3 with l3 support level. (bsc#1186706) myspell-dictionaries: - Provide missing binaries to SUSE Linux Enterprise 15-SP3 with l2 support level. (bsc#1186706) ----------------------------------------- Patch: SUSE-2021-1989 Released: Thu Jun 17 09:51:26 2021 Summary: Security update for java-1_8_0-openjdk Severity: moderate References: 1185055,CVE-2021-2163 Description: This update for java-1_8_0-openjdk fixes the following issues: - Update to version jdk8u292 (icedtea 3.19.0). - CVE-2021-2161: Fixed incomplete enforcement of JAR signing disabled algorithms (bsc#1185055). ----------------------------------------- Patch: SUSE-2021-1995 Released: Thu Jun 17 15:11:40 2021 Summary: Security update for xstream Severity: important References: 1186651,CVE-2021-29505 Description: This update for xstream fixes the following issues: Upgrade to 1.4.17 - CVE-2021-29505: Fixed potential code execution when unmarshalling with XStream instances using an uninitialized security framework (bsc#1186651) ----------------------------------------- Patch: SUSE-2021-2000 Released: Thu Jun 17 16:50:00 2021 Summary: Recommended update for tomcat Severity: moderate References: 1186642 Description: This update for tomcat fixes the following issue: - tomcat had a lower release number in 15 sp2 and sp3 than in 15 sp1, which could lead to migration issues. (bsc#1186642) ----------------------------------------- Patch: SUSE-2021-2001 Released: Thu Jun 17 16:54:07 2021 Summary: Recommended update for python-pycryptodome Severity: moderate References: 1186642 Description: This update for python-pycryptodome fixes the following issue: - python-pycryptodome had a lower release number in 15 sp2 and sp3 than in 15 sp1, which could lead to migration issues. (bsc#1186642) ----------------------------------------- Patch: SUSE-2021-2002 Released: Thu Jun 17 17:27:47 2021 Summary: Recommended update for open-vm-tools Severity: moderate References: 1186642 Description: This update for open-vm-tools fixes the following issue: - open-vm-tools had a lower release number in 15 sp2 and sp3 than in 15 sp1, which could lead to migration issues. (bsc#1186642) ----------------------------------------- Patch: SUSE-2021-2003 Released: Thu Jun 17 18:03:10 2021 Summary: Security update for MozillaThunderbird Severity: important References: 1186696,CVE-2021-29964,CVE-2021-29967 Description: This update for MozillaThunderbird fixes the following issues: Mozilla Thunderbird 78.11 (bsc#1186696) Security issues fixed: - CVE-2021-29964: Out of bounds-read when parsing a `WM_COPYDATA` message - CVE-2021-29967: Memory safety bugs fixed in Thunderbird 78.11 General improvements: - OpenPGP could not be disabled for an account if a key was previously configured - Recipients were unable to decrypt some messages when the sender had changed the message encryption from OpenPGP to S/MIME - Contacts moved between CardDAV address books were not synced to the new server - CardDAV compatibility fixes for Google Contacts - Folder pane had no clear indication of focus on macOS ----------------------------------------- Patch: SUSE-2021-2005 Released: Thu Jun 17 18:04:06 2021 Summary: Security update for jetty-minimal Severity: important References: 1184366,1184367,1184368,1187117,CVE-2021-28163,CVE-2021-28164,CVE-2021-28165,CVE-2021-28169 Description: This update for jetty-minimal fixes the following issues: Update to version 9.4.42.v20210604 - Fix: bsc#1187117, CVE-2021-28169 - possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory - Fix: bsc#1184367, CVE-2021-28165 - jetty server high CPU when client send data length > 17408 - Fix: bsc#1184368, CVE-2021-28164 - Normalize ambiguous URIs - Fix: bsc#1184366, CVE-2021-28163 - Exclude webapps directory from deployment scan ----------------------------------------- Patch: SUSE-2021-2008 Released: Thu Jun 17 18:07:45 2021 Summary: Security update for python-rsa Severity: important References: 1172389,CVE-2020-13757 Description: This update for python-rsa fixes the following issues: - CVE-2020-13757: Proper handling of leading '\0' bytes during decryption of ciphertext (bsc#1172389) ----------------------------------------- Patch: SUSE-2021-2011 Released: Fri Jun 18 09:14:39 2021 Summary: Security update for xterm Severity: important References: 1182091,CVE-2021-27135 Description: This update for xterm fixes the following issues: - CVE-2021-27135: Fixed buffer-overflow when clicking on selected utf8 text. (bsc#1182091) ----------------------------------------- Patch: SUSE-2021-2012 Released: Fri Jun 18 09:15:13 2021 Summary: Security update for python-urllib3 Severity: important References: 1187045,CVE-2021-33503 Description: This update for python-urllib3 fixes the following issues: - CVE-2021-33503: Fixed a denial of service when the URL contained many @ characters in the authority component (bsc#1187045) ----------------------------------------- Patch: SUSE-2021-2076 Released: Fri Jun 18 13:47:19 2021 Summary: Recommended update for dovecot23 Severity: moderate References: 1186642 Description: This update for dovecot23 fixes the following issue: - dovecot23 had a lower release number in 15 sp2 and sp3 than in 15 sp1, which could lead to migration issues. (bsc#1186642) ----------------------------------------- Patch: SUSE-2021-2079 Released: Fri Jun 18 14:39:49 2021 Summary: Recommended update for build Severity: moderate References: 1186642 Description: This update for build fixes the following issue: - build had a lower release number in 15 sp2 and sp3 than in 15 sp1, which could lead to migration issues. (bsc#1186642) ----------------------------------------- Patch: SUSE-2021-2089 Released: Mon Jun 21 08:19:42 2021 Summary: Recommended update for libreoffice Severity: important References: 1187354 Description: This update for libreoffice fixes the following issue: - LibreOffice migration conflict from SUSE Linux Enterprise 15-SP2 to SUSE Linux Enterprise 15-SP3. (bsc#1187354) ----------------------------------------- Patch: SUSE-2021-2090 Released: Mon Jun 21 10:43:56 2021 Summary: Optional update for p7zip Severity: low References: 1185910 Description: This update for p7zip fixes the following issues: - Initial shipping of p7zip-full (bsc#1185910) ----------------------------------------- Patch: SUSE-2021-2091 Released: Mon Jun 21 10:45:13 2021 Summary: Recommended update for wget Severity: moderate References: 1181173 Description: This update for wget fixes the following issue: - When running recursively, wget will verify the length of the whole URL when saving the files. This will make it overwrite files with truncated names, throwing the following message: 'The name is too long,... trying to shorten'. (bsc#1181173) ----------------------------------------- Patch: SUSE-2021-2095 Released: Mon Jun 21 13:35:08 2021 Summary: Recommended update for ntp Severity: low References: Description: This update for ntp fixes the following issues: - Adjusted the man page documentation to clarify that 'interface ignore all' does not cover the wildcard and localhost addresses (jsc#SLE-15482) ----------------------------------------- Patch: SUSE-2021-2096 Released: Mon Jun 21 13:35:38 2021 Summary: Recommended update for python-six Severity: moderate References: 1186642 Description: This update for python-six fixes the following issue: - python-six had a lower release number in 15 sp2 and sp3 than in 15 sp1, which could lead to migration issues. (bsc#1186642) ----------------------------------------- Patch: SUSE-2021-2103 Released: Mon Jun 21 19:23:28 2021 Summary: Recommended update for SUSE Manager Client Tools Severity: moderate References: 1173557,1177884,1177928,1180583,1180584,1180585,1185178 Description: This update fixes the following issues: POS_Image-Graphical7: - Use absolute path in bootloader service - Update install-local-bootloader.service for recent saltboot - Use linuxefi only on x86 POS_Image-JeOS7: - Use absolute path in bootloader service - Update install-local-bootloader.service for recent saltboot - Use linuxefi only on x86 golang-github-prometheus-prometheus: - Add tarball with vendor modules and web assets - Read formula data from exporters map - Add support for TLS targets - Upgrade to upstream version 2.26.0 + Changes * Alerting: Using Alertmanager v2 API by default. * Prometheus/Promtool: Binaries are now printing help and usage to stdout instead of stderr. * UI: Make the React UI default. * Remote write: The following metrics were removed/renamed in remote write. > prometheus_remote_storage_succeeded_samples_total was removed and prometheus_remote_storage_samples_total was introduced for all the samples attempted to send. > prometheus_remote_storage_sent_bytes_total was removed and replaced with prometheus_remote_storage_samples_bytes_total and prometheus_remote_storage_metadata_bytes_total. > prometheus_remote_storage_failed_samples_total -> prometheus_remote_storage_samples_failed_total. > prometheus_remote_storage_retried_samples_total -> prometheus_remote_storage_samples_retried_total. > prometheus_remote_storage_dropped_samples_total -> prometheus_remote_storage_samples_dropped_total. > prometheus_remote_storage_pending_samples -> prometheus_remote_storage_samples_pending. * Remote: Do not collect non-initialized timestamp metrics. + Features * Remote: Add support for AWS SigV4 auth method for remote_write. * PromQL: Allow negative offsets. Behind --enable-feature=promql-negative-offset flag. * UI: Add advanced auto-completion, syntax highlighting and linting to graph page query input. * Include a new `--enable-feature=` flag that enables experimental features. * Add TLS and basic authentication to HTTP endpoints. * promtool: Add check web-config subcommand to check web config files. * promtool: Add tsdb create-blocks-from openmetrics subcommand to backfill metrics data from an OpenMetrics file. + Enhancements * PromQL: Add last_over_time, sgn, clamp functions. * Scrape: Add support for specifying type of Authorization header credentials with Bearer by default. * Scrape: Add follow_redirects option to scrape configuration. * Remote: Allow retries on HTTP 429 response code for remote_write. * Remote: Allow configuring custom headers for remote_read. * UI: Hitting Enter now triggers new query. * UI: Better handling of long rule and names on the /rules and /targets pages. * UI: Add collapse/expand all button on the /targets page. * Add optional name property to testgroup for better test failure output. * Add warnings into React Panel on the Graph page. * TSDB: Increase the number of buckets for the compaction duration metric. * Remote: Allow passing along custom remote_write HTTP headers. * Mixins: Scope grafana configuration. * Kubernetes SD: Add endpoint labels metadata. * UI: Expose total number of label pairs in head in TSDB stats page. * TSDB: Reload blocks every minute, to detect new blocks and enforce retention more often. * Cache basic authentication results to significantly improve performance of HTTP endpoints. * HTTP API: Fast-fail queries with only empty matchers. * HTTP API: Support matchers for labels API. * promtool: Improve checking of URLs passed on the command line. * SD: Expose IPv6 as a label in EC2 SD. * SD: Reuse EC2 client, reducing frequency of requesting credentials. * TSDB: Add logging when compaction takes more than the block time range. * TSDB: Avoid unnecessary GC runs after compaction. * Remote write: Added a metric prometheus_remote_storage_max_samples_per_send for remote write. * TSDB: Make the snapshot directory name always the same length. * TSDB: Create a checkpoint only once at the end of all head compactions. * TSDB: Avoid Series API from hitting the chunks. * TSDB: Cache label name and last value when adding series during compactions making compactions faster. * PromQL: Improved performance of Hash method making queries a bit faster. * promtool: tsdb list now prints block sizes. * promtool: Calculate mint and maxt per test avoiding unnecessary calculations. * SD: Add filtering of services to Docker Swarm SD. + Bug fixes * API: Fix global URL when external address has no port. * Deprecate unused flag --alertmanager.timeout. mgr-cfg: - SPEC: Updated Python definitions for RHEL8 and quoted text comparisons. mgr-custom-info: - Update package version to 4.2.0 mgr-daemon: - Update translation strings - Update the translations from weblate - Added quotes around %{_vendor} token for the if statements in spec file. - Fix removal of mgr-deamon with selinux enabled (bsc#1177928) - Updating translations from weblate mgr-osad: - Change the log file permissions as expected by logrotate (bsc#1177884) - Change deprecated path /var/run into /run for systemd (bsc#1185178) - Python fixes - Removal of RHEL5 mgr-push: - Defined __python for python2. - Excluded RHEL8 for Python 2 build. mgr-virtualization: - Update package version to 4.2.0 python-hwdata: - Modified to build on RHEL8. rhnlib: - Update package version to 4.2.0 spacecmd: - Rename system migration to system transfer - Rename SP to product migration - Update translation strings - Add group_addconfigchannel and group_removeconfigchannel - Add group_listconfigchannels and configchannel_listgroups - Fix spacecmd compat with Python 3 - Deprecated 'Software Crashes' feature - Document advanced package search on '--help' (bsc#1180583) - Fixed advanced search on 'package_listinstalledsystems' - Fixed duplicate results when using multiple search criteria (bsc#1180585) - Fixed 'non-advanced' package search when using multiple package names (bsc#1180584) - Update translations - Fix: make spacecmd build on Debian - Add Service Pack migration operations (bsc#1173557) spacewalk-client-tools: - Update the translations from weblate - Drop the --noSSLServerURL option - Updated RHEL Python requirements. - Added quotes around %{_vendor}. spacewalk-koan: - Fix for spacewalk-koan test spacewalk-oscap: - Update package version to 4.2.0 spacewalk-remote-utils: - Update package version to 4.2.0 supportutils-plugin-susemanager-client: - Update package version to 4.2.0 suseRegisterInfo: - Add support for Amazon Linux 2 - Add support for Alibaba Cloud Linux 2 - Adapted for RHEL build. uyuni-common-libs: - Cleaning up unused Python 2 build leftovers. - Disabled debug package build. ----------------------------------------- Patch: SUSE-2021-2106 Released: Mon Jun 21 19:26:19 2021 Summary: Security update for salt Severity: critical References: 1171257,1176293,1179831,1181368,1182281,1182293,1182382,1185092,1185281,1186674,CVE-2018-15750,CVE-2018-15751,CVE-2020-11651,CVE-2020-11652,CVE-2020-25592,CVE-2021-25315,CVE-2021-31607 Description: This update for salt fixes the following issues: Update to Salt release version 3002.2 (jsc#ECO-3212, jsc#SLE-18033, jsc#SLE-18028) - Check if dpkgnotify is executable (bsc#1186674) - Drop support for Python2. Obsoletes `python2-salt` package (jsc#SLE-18028) - virt module updates * network: handle missing ipv4 netmask attribute * more network support * PCI/USB host devices passthrough support - Set distro requirement to oldest supported version in requirements/base.txt - Bring missing part of async batch implementation back (CVE-2021-25315, bsc#1182382) - Always require `python3-distro` (bsc#1182293) - Remove deprecated warning that breaks minion execution when 'server_id_use_crc' opts is missing - Fix pkg states when DEB package has 'all' arch - Do not force beacons configuration to be a list. - Remove msgpack < 1.0.0 from base requirements (bsc#1176293) - msgpack support for version >= 1.0.0 (bsc#1171257) - Fix issue parsing errors in ansiblegate state module - Prevent command injection in the snapper module (bsc#1185281, CVE-2021-31607) - transactional_update: detect recursion in the executor - Add subpackage salt-transactional-update (jsc#SLE-18033) - Improvements on 'ansiblegate' module (bsc#1185092): * New methods: ansible.targets / ansible.discover_playbooks - Add support for Alibaba Cloud Linux 2 (Aliyun Linux) - Regression fix of salt-ssh on processing targets - Update target fix for salt-ssh and avoiding race condition on salt-ssh event processing (bsc#1179831, bsc#1182281) - Add notify beacon for Debian/Ubuntu systems - Fix zmq bug that causes salt-call to freeze (bsc#1181368) ----------------------------------------- Patch: SUSE-2021-2107 Released: Mon Jun 21 19:29:09 2021 Summary: Recommended update for golang-github-prometheus-node_exporter Severity: moderate References: 1151558 Description: This update for golang-github-prometheus-node_exporter fixes the following issues: Update from version 1.0.1 to version 1.1.2 - Bug fixes: - Do not include sources (bsc#1151558) - Handle errors from disabled `Pressure Stall Information (PSI)` subsystem - Sanitize strings from `/sys/class/power_supply` - Silence missing `netclass` errors - Fix `ineffassign` issue - Demote some warning to `Debug` level - `filesystem_freebsd`: Fix label values - Fix various `procfs` parsing errors - Handle no data from the power supply class - `udp_queues_linux.go`: change `upd` to `udp` in two error strings - Fix `node_scrape_collector_success` behavior - Fix `NodeRAIDDegraded` to not use a string rule expressions - Fix `node_md_disks` state label from fail to failed - Handle `EPERM` for syscall in timex collector - `bcache`: fix typo in a metric name - Fix XFS read/write stats - Enhancements: - Improve filter flag names - Add `btrfs` and `powersupplyclass` to list of exporters enabled by default - Add more `InfiniBand` counters - Add a flag to aggregate `ipvs` metrics to avoid high cardinality metrics - Add `backlog/current` queue length to `qdisc` collector - Include `TCP OutRsts` in `netstat` metrics - Add the `pool size` to entropy collector - Remove `CGO` dependencies for OpenBSD amd64 - `bcache`: add `writeback_rate_debug` statistics - Add `check state` for `mdadm` arrays via `node_md_state metric` - Expose `XFS inode` statistics - Expose `zfs zpool` state - Add the ability to pass `collector.supervisord.url` via `SUPERVISORD_URL` environment variable - Features: - Add fiber channel collector - Expose cpu bugs and flags as info metrics. - Add `network_route` collector - Add `zoneinfo` collector ----------------------------------------- Patch: SUSE-2021-2123 Released: Tue Jun 22 14:29:43 2021 Summary: Security update for dovecot23 Severity: important References: 1187418,1187419,CVE-2021-29157,CVE-2021-33515 Description: This update for dovecot23 fixes the following issues: - CVE-2021-29157: Local attacker can login as any user and access their emails (bsc#1187418) - CVE-2021-33515: Attacker can potentially steal user credentials and mails (bsc#1187419) ----------------------------------------- Patch: SUSE-2021-2125 Released: Tue Jun 22 14:41:26 2021 Summary: Security update for wireshark Severity: important References: 1179930,1179931,1179932,1179933,1180102,1180232,1181598,1181599,1183353,1184110,1185128,CVE-2020-26418,CVE-2020-26419,CVE-2020-26420,CVE-2020-26421,CVE-2020-26422,CVE-2021-22173,CVE-2021-22174,CVE-2021-22191,CVE-2021-22207 Description: This update for wireshark, libvirt, sbc and libqt5-qtmultimedia fixes the following issues: Update wireshark to version 3.4.5 - New and updated support and bug fixes for multiple protocols - Asynchronous DNS resolution is always enabled - Protobuf fields can be dissected as Wireshark (header) fields - UI improvements Including security fixes for: - CVE-2021-22191: Wireshark could open unsafe URLs (bsc#1183353). - CVE-2021-22207: MS-WSP dissector excessive memory consumption (bsc#1185128) - CVE-2020-26422: QUIC dissector crash (bsc#1180232) - CVE-2020-26418: Kafka dissector memory leak (bsc#1179930) - CVE-2020-26419: Multiple dissector memory leaks (bsc#1179931) - CVE-2020-26420: RTPS dissector memory leak (bsc#1179932) - CVE-2020-26421: USB HID dissector crash (bsc#1179933) - CVE-2021-22173: Fix USB HID dissector memory leak (bsc#1181598) - CVE-2021-22174: Fix USB HID dissector crash (bsc#1181599) libqt5-qtmultimedia and sbc are necessary dependencies. libvirt is needed to rebuild wireshark-plugin-libvirt. ----------------------------------------- Patch: SUSE-2021-2136 Released: Wed Jun 23 13:40:13 2021 Summary: Security update for cryptctl Severity: important References: 1186226,CVE-2019-18906 Description: This update for cryptctl fixes the following issues: Update to version 2.4: - CVE-2019-18906: Client side password hashing was equivalent to clear text password storage (bsc#1186226) - First step to use plain text password instead of hashed password. - Move repository into the SUSE github organization - in RPC server, if client comes from localhost, remember its ipv4 localhost address instead of ipv6 address - tell a record to clear expired pending commands upon saving a command result; introduce pending commands RPC test case - avoid hard coding 127.0.0.1 in host ID of alive message test; let system administrator mount and unmount disks by issuing these two commands on key server. ----------------------------------------- Patch: SUSE-2021-2140 Released: Wed Jun 23 14:53:09 2021 Summary: Recommended update for prometheus-ha_cluster_exporter Severity: moderate References: Description: This update for prometheus-ha_cluster_exporter fixes the following issues: Update from version 1.2.2 to version 1.2.3: - Compress GitHub artifacts after having built them. - Fix cloned resource collection and track stopped resources even when they are cloned. `Pacemaker Clone Resources` appear multiple times in `crm_mon`; since the main discriminator field is the node, and that's missing when a resource is stopped, the cloned and stopped entries will appear multiple times in the `crm_mon` output, with the exact same fields and values: this is a problem for the `Prometheus SDK`, which doesn't expect duplicate metrics over the course of a single collection cycle. - Remove the `make download` target, which was required when using old Go versions. ----------------------------------------- Patch: SUSE-2021-2146 Released: Wed Jun 23 17:55:14 2021 Summary: Recommended update for openssh Severity: moderate References: 1115550,1174162 Description: This update for openssh fixes the following issues: - Fixed a race condition leading to a sshd termination of multichannel sessions with non-root users (bsc#1115550, bsc#1174162). ----------------------------------------- Patch: SUSE-2021-2148 Released: Wed Jun 23 21:11:07 2021 Summary: Recommended update for csync2 Severity: moderate References: 1187080 Description: This update for csync2 fixes the following issues: - Removal of csync2 package throws error for non-existent service template. (bsc#1187080) ----------------------------------------- Patch: SUSE-2021-2150 Released: Thu Jun 24 09:59:44 2021 Summary: Recommended update for x3270 Severity: moderate References: 1186642 Description: This update for x3270 fixes the following issue: - x3270 had a lower release number in 15 sp3 than in 15 sp2, which could lead to migration issues. (bsc#1186642) ----------------------------------------- Patch: SUSE-2021-2154 Released: Thu Jun 24 13:49:13 2021 Summary: Recommended update for python-Cython Severity: moderate References: 1186642,1187450 Description: This update for python-Cython fixes the following issue: - python-Cython had a lower release number in 15 sp2 and sp3 than in 15 sp1, which could lead to migration issues. (bsc#1186642 bsc#1187450) ----------------------------------------- Patch: SUSE-2021-2158 Released: Thu Jun 24 15:40:57 2021 Summary: Security update for openexr Severity: important References: 1187310,1187395,CVE-2021-3598,CVE-2021-3605 Description: This update for openexr fixes the following issues: - Fixed CVE-2021-3605 [bsc#1187395]: Heap buffer overflow in the rleUncompress function - Fixed CVE-2021-3598 [bsc#1187310]: Heap buffer overflow in Imf_3_1:CharPtrIO:readChars ----------------------------------------- Patch: SUSE-2021-2163 Released: Fri Jun 25 18:03:45 2021 Summary: Security update for bouncycastle Severity: moderate References: 1186328,CVE-2020-15522 Description: This update for bouncycastle fixes the following issues: - CVE-2020-15522: Fixed a timing issue within the EC math library (bsc#1186328). ----------------------------------------- Patch: SUSE-2021-2169 Released: Mon Jun 28 13:19:09 2021 Summary: Recommended update for hexchat Severity: moderate References: 1187587 Description: This update for hexchat fixes the following issues: - Added Libera.chat to available servers (bsc#1187587) ----------------------------------------- Patch: SUSE-2021-2171 Released: Mon Jun 28 14:06:45 2021 Summary: Recommended update for btrfsmaintenance Severity: moderate References: 1178874 Description: This update for btrfsmaintenance fixes the following issues: - Remove [Install] section from btrfsmaintenance. (bsc#1178874) ----------------------------------------- Patch: SUSE-2021-2173 Released: Mon Jun 28 14:59:45 2021 Summary: Recommended update for automake Severity: moderate References: 1040589,1047218,1182604,1185540,1186049 Description: This update for automake fixes the following issues: - Implement generated autoconf makefiles reproducible (bsc#1182604) - Add fix to avoid date variations in docs. (bsc#1047218, jsc#SLE-17848) - Avoid bashisms in test-driver script. (bsc#1185540) This update for pcre fixes the following issues: - Do not run profiling 'check' in parallel to make package build reproducible. (bsc#1040589) This update for brp-check-suse fixes the following issues: - Add fixes to support reproducible builds. (bsc#1186049) ----------------------------------------- Patch: SUSE-2021-2177 Released: Mon Jun 28 15:47:27 2021 Summary: Security update for arpwatch Severity: important References: 1186240,CVE-2021-25321 Description: This update for arpwatch fixes the following issues: - CVE-2021-25321: Fixed local privilege escalation from runtime user to root (bsc#1186240). ----------------------------------------- Patch: SUSE-2021-2178 Released: Mon Jun 28 15:56:15 2021 Summary: Recommended update for systemd-presets-common-SUSE Severity: moderate References: 1186561 Description: This update for systemd-presets-common-SUSE fixes the following issues: When installing the systemd-presets-common-SUSE package for the first time in a new system, it might happen that some services are installed before systemd so the %systemd_pre/post macros would not work. This is handled by enabling all preset services in this package's %posttrans section but it wasn't enabling user services, just system services. Now it enables also the user services installed before this package (bsc#1186561) ----------------------------------------- Patch: SUSE-2021-2179 Released: Mon Jun 28 17:36:37 2021 Summary: Recommended update for thin-provisioning-tools Severity: moderate References: 1184124 Description: This update for thin-provisioning-tools fixes the following issues: - Link as position-independent executable (bsc#1184124) ----------------------------------------- Patch: SUSE-2021-2191 Released: Mon Jun 28 18:38:12 2021 Summary: Recommended update for patterns-microos Severity: moderate References: 1186791 Description: This update for patterns-microos provides the following fix: - Add zypper-migration-plugin to the default pattern. (bsc#1186791) ----------------------------------------- Patch: SUSE-2021-2193 Released: Mon Jun 28 18:38:43 2021 Summary: Recommended update for tar Severity: moderate References: 1184124 Description: This update for tar fixes the following issues: - Link '/var/lib/tests/tar/bin/genfile' as Position-Independent Executable (bsc#1184124) ----------------------------------------- Patch: SUSE-2021-2196 Released: Tue Jun 29 09:41:39 2021 Summary: Security update for lua53 Severity: moderate References: 1175448,1175449,CVE-2020-24370,CVE-2020-24371 Description: This update for lua53 fixes the following issues: Update to version 5.3.6: - CVE-2020-24371: lgc.c mishandles the interaction between barriers and the sweep phase, leading to a memory access violation involving collectgarbage (bsc#1175449) - CVE-2020-24370: ldebug.c allows a negation overflow and segmentation fault in getlocal and setlocal (bsc#1175448) - Long brackets with a huge number of '=' overflow some internal buffer arithmetic. ----------------------------------------- Patch: SUSE-2021-2203 Released: Tue Jun 29 13:11:33 2021 Summary: Recommended update for postfix Severity: moderate References: 1186669 Description: This update for postfix fixes the following issues: - Remove incorrect requirements from the postfix service configuration. (bsc#1186669) ----------------------------------------- Patch: SUSE-2021-2215 Released: Wed Jun 30 17:13:30 2021 Summary: Recommended update for scap-security-guide Severity: moderate References: Description: This update for scap-security-guide fixes the following issues: The scap-security-guide was updated to 0.1.56 release (jsc#ECO-3319) - Align ism_o profile with latest ISM SSP (#6878) - Align RHEL 7 STIG profile with DISA STIG V3R3 - Creating new RHEL 7 STIG GUI profile (#6863) - Creating new RHEL 8 STIG GUI profile (#6862) - Add the RHEL9 product (#6801) - Initial support for SUSE SLE-15 (#6666) - add support for osbuild blueprint remediations (#6970) This update brings the following SUSE Linux Enterprise STIG SCAP automations: - SCAP STIG automation for SUSE Linux Enterprise 12 (SUSE supplied, nearly complete, missing 4 rules) - SCAP STIG automation for SUSE Linux Enterprise 15 (SUSE supplied, nearly complete, missing 4 rules) - CIS automation for SUSE Linux Enterprise 15 (community supplied) It can be evaluated using 'oscap' from 'openscap-utils', e.g. by doing on SUSE Linux Enterprise 12: - oscap xccdf eval --profile stig /usr/share/xml/scap/ssg/content/ssg-sle12-ds.xml On SUSE Linux Enterprise 15: - oscap xccdf eval --profile stig /usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml or the community supplied CIS on SUSE Linux Enterprise 15: - oscap xccdf eval --profile cis /usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml More content will be added in future updates. ----------------------------------------- Patch: SUSE-2021-2217 Released: Wed Jun 30 17:17:50 2021 Summary: Recommended update for supportutils-plugin-ha-sap Severity: moderate References: 1187373 Description: This update for supportutils-plugin-ha-sap fixes the following issues: Update to version 0.0.2+git.1623772960.fed5aa7 (bsc#1187373) - Added process list for 'sid' user - Added 'ENSA1' and 'ENSA2' informational messages - Added filter to gather logs for 'sap_suse_cluster_connector' - Updated Documentation Links - Added Authentication Section and capture information about 'sid' user - Obscure clear text password from cluster resources using 'crm configure show' output ----------------------------------------- Patch: SUSE-2021-2219 Released: Wed Jun 30 17:19:34 2021 Summary: Recommended update for lifecycle-data-sle-module-live-patching Severity: moderate References: 1020320 Description: This update for lifecycle-data-sle-module-live-patching fixes the following issue: - Added data for 4_12_14-150_72, 4_12_14-197_89, 5_3_18-24_61, 5_3_18-24_64. (bsc#1020320) ----------------------------------------- Patch: SUSE-2021-2224 Released: Thu Jul 1 13:48:44 2021 Summary: Recommended update for psmisc Severity: important References: 1185208 Description: This update for psmisc fixes the following issues: - It does no longer list all processes from different private namespaces when fuser is run on an NFS mount. This led to an issue where the wrong processes were terminated in an SAP application cluster environment (bsc#1185208) ----------------------------------------- Patch: SUSE-2021-2234 Released: Fri Jul 2 13:56:08 2021 Summary: Recommended update for ntp Severity: moderate References: 1186431 Description: This update for ntp fixes the following issues: - Fix a typo in '%post' section. (bsc#1186431) ----------------------------------------- Patch: SUSE-2021-2245 Released: Mon Jul 5 12:14:52 2021 Summary: Recommended update for lifecycle-data-sle-module-development-tools Severity: moderate References: Description: This update for lifecycle-data-sle-module-development-tools fixes the following issues: - mark go1.14 as 'end of life' as go1.16 was released and we only support 2 go versions parallel (jsc#ECO-1484) ----------------------------------------- Patch: SUSE-2021-2248 Released: Mon Jul 5 15:40:28 2021 Summary: Recommended update for sysstat Severity: low References: 1186827 Description: This update for sysstat fixes the following issues: - Dropped systemd runtime requirement (bsc#1186827) ----------------------------------------- Patch: SUSE-2021-2254 Released: Tue Jul 6 09:23:54 2021 Summary: Recommended update for raptor Severity: moderate References: 1186642,1187464 Description: This update for raptor fixes the following issue: - raptor was not delivered correctly for openSUSE Leap 15.3 (bsc#1186642) ----------------------------------------- Patch: SUSE-2021-2255 Released: Tue Jul 6 10:27:54 2021 Summary: Recommended update for myspell-dictionaries, ucpp Severity: moderate References: 1186642,1187464 Description: This update rereleases myspell-dictionaries and ucpp for SUSE Linux Enterprise 15 sp3 to fix a migration issue. ----------------------------------------- Patch: SUSE-2021-2261 Released: Tue Jul 6 13:34:21 2021 Summary: Recommended update for xmlsec1 Severity: moderate References: 1177233,1186642,1186706 Description: This update rereleases xmlsec1 for SUSE Linux Enterprise 15 SP3 to fix a migration issue. ----------------------------------------- Patch: SUSE-2021-2265 Released: Tue Jul 6 17:13:10 2021 Summary: Recommended update for mariadb-connector-c Severity: moderate References: 1179921,1183878,1185868,1185870,1185872,1187459 Description: This update for mariadb-connector-c fixes the following issues: Update to release 3.1.13 [bsc#1185870], [bsc#1185872], [bsc#1185868] - CONC-537: Only read from MYSQL_HOME if MARIADB_HOME was not set - CONC-548: Symbol conflict with libsodium - CONC-490: Handshake error when CLIENT_CONNECT_WITH_DB flag was set without specifying database - CONC-543: Hash functions conflict with GnuTLS - CONC-539: Added cipher suites ECDHE-RSA-AES128-SHA256 (0xC027) and ECDHE-RSA-AES256-SHA384 (0xC028) to the cipher map which maps cipher suite names to the corresponding algorithm ids (Windows Schannel) - CONC-535: Disabled checksum ignored in events (replication/ binlog API) ----------------------------------------- Patch: SUSE-2021-2266 Released: Tue Jul 6 22:38:01 2021 Summary: Recommended update for clamav Severity: important References: 1187509 Description: This update for clamav fixes the following issue: - In the 'clamscan' and 'clamdscan' manpages, document that files over a certain size by default will silently not be scanned and how this can be adjusted. (bsc#1187509) ----------------------------------------- Patch: SUSE-2021-2270 Released: Wed Jul 7 17:20:31 2021 Summary: Recommended update for migrate-sles-to-sles4sap Severity: important References: 1171033,1187433 Description: This update for migrate-sles-to-sles4sap fixes the following issues: - Migrating SUSE Linux Enterprise Server to SUSE Linux Enterprise Server for SAP with SMT server fails. (bsc#1187433) - Fix setup scripts URL. (bsc#1171033) - Fix pattern to find release packages ----------------------------------------- Patch: SUSE-2021-2286 Released: Fri Jul 9 17:38:53 2021 Summary: Recommended update for dosfstools Severity: moderate References: 1172863 Description: This update for dosfstools fixes the following issue: - Fixed a bug that was causing an installation issue when trying to create an EFI partition on an NVMe-over-Fabrics device (bsc#1172863) ----------------------------------------- Patch: SUSE-2021-2287 Released: Fri Jul 9 18:08:31 2021 Summary: Recommended update for xorg-x11-server Severity: moderate References: 1182955 Description: This update for xorg-x11-server fixes the following issues: - Fixes an issue where screen rotation was not working (bsc#1182955) ----------------------------------------- Patch: SUSE-2021-2290 Released: Fri Jul 9 19:03:39 2021 Summary: Recommended update for postgresql13 Severity: moderate References: 1183118,1187751 Description: This update for postgresql13 fixes the following issue: - reduce requirement of clang and llvm to recommends in 'postgresql13-server-devel'. ----------------------------------------- Patch: SUSE-2021-2293 Released: Mon Jul 12 08:26:26 2021 Summary: Security update for jdom2 Severity: important References: 1187446,CVE-2021-33813 Description: This update for jdom2 fixes the following issues: - CVE-2021-33813: XXE issue in SAXBuilder can cause a denial of service via a crafted HTTP request (bsc#1187446) ----------------------------------------- Patch: SUSE-2021-2314 Released: Wed Jul 14 13:07:21 2021 Summary: Recommended update for netcontrol Severity: moderate References: 1179144 Description: This update for netcontrol fixes the following issues: - Fixed an issue when the interface list takes too long with many interfaces. (bsc#1179144) - Install pkgconfig into libdir instead of datadir ----------------------------------------- Patch: SUSE-2021-2320 Released: Wed Jul 14 17:01:06 2021 Summary: Security update for sqlite3 Severity: important References: 1157818,1158812,1158958,1158959,1158960,1159491,1159715,1159847,1159850,1160309,1160438,1160439,1164719,1172091,1172115,1172234,1172236,1172240,1173641,928700,928701,CVE-2015-3414,CVE-2015-3415,CVE-2019-19244,CVE-2019-19317,CVE-2019-19603,CVE-2019-19645,CVE-2019-19646,CVE-2019-19880,CVE-2019-19923,CVE-2019-19924,CVE-2019-19925,CVE-2019-19926,CVE-2019-19959,CVE-2019-20218,CVE-2020-13434,CVE-2020-13435,CVE-2020-13630,CVE-2020-13631,CVE-2020-13632,CVE-2020-15358,CVE-2020-9327 Description: This update for sqlite3 fixes the following issues: - Update to version 3.36.0 - CVE-2020-15358: heap-based buffer overflow in multiSelectOrderBy due to mishandling of query-flattener optimization (bsc#1173641) - CVE-2020-9327: NULL pointer dereference and segmentation fault because of generated column optimizations in isAuxiliaryVtabOperator (bsc#1164719) - CVE-2019-20218: selectExpander in select.c proceeds with WITH stack unwinding even after a parsing error (bsc#1160439) - CVE-2019-19959: memory-management error via ext/misc/zipfile.c involving embedded '\0' input (bsc#1160438) - CVE-2019-19923: improper handling of certain uses of SELECT DISTINCT in flattenSubquery may lead to null pointer dereference (bsc#1160309) - CVE-2019-19924: improper error handling in sqlite3WindowRewrite() (bsc#1159850) - CVE-2019-19925: improper handling of NULL pathname during an update of a ZIP archive (bsc#1159847) - CVE-2019-19926: improper handling of certain errors during parsing multiSelect in select.c (bsc#1159715) - CVE-2019-19880: exprListAppendList in window.c allows attackers to trigger an invalid pointer dereference (bsc#1159491) - CVE-2019-19603: during handling of CREATE TABLE and CREATE VIEW statements, does not consider confusion with a shadow table name (bsc#1158960) - CVE-2019-19646: pragma.c mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns (bsc#1158959) - CVE-2019-19645: alter.c allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements (bsc#1158958) - CVE-2019-19317: lookupName in resolve.c omits bits from the colUsed bitmask in the case of a generated column, which allows attackers to cause a denial of service (bsc#1158812) - CVE-2019-19244: sqlite3,sqlite2,sqlite: The function sqlite3Select in select.c allows a crash if a sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage (bsc#1157818) - CVE-2015-3415: sqlite3VdbeExec comparison operator vulnerability (bsc#928701) - CVE-2015-3414: sqlite3,sqlite2: dequoting of collation-sequence names (bsc#928700) - CVE-2020-13434: integer overflow in sqlite3_str_vappendf (bsc#1172115) - CVE-2020-13630: (bsc#1172234: use-after-free in fts3EvalNextRow - CVE-2020-13631: virtual table allowed to be renamed to one of its shadow tables (bsc#1172236) - CVE-2020-13632: NULL pointer dereference via crafted matchinfo() query (bsc#1172240) - CVE-2020-13435: Malicious SQL statements could have crashed the process that is running SQLite (bsc#1172091) ----------------------------------------- Patch: SUSE-2021-2322 Released: Wed Jul 14 17:03:03 2021 Summary: Security update for ffmpeg Severity: important References: 1172640,1186406,1186583,1186586,1186587,1186596,1186597,1186598,1186600,1186603,1186604,1186605,1186613,1186614,1186615,1186616,1186658,1186660,1186757,1186758,1186762,1186763,CVE-2019-17539,CVE-2020-13904,CVE-2020-20448,CVE-2020-20451,CVE-2020-21041,CVE-2020-22015,CVE-2020-22016,CVE-2020-22017,CVE-2020-22019,CVE-2020-22020,CVE-2020-22021,CVE-2020-22022,CVE-2020-22023,CVE-2020-22025,CVE-2020-22026,CVE-2020-22031,CVE-2020-22032,CVE-2020-22033,CVE-2020-22034,CVE-2020-22038,CVE-2020-22039,CVE-2020-22043,CVE-2020-22044 Description: This update for ffmpeg fixes the following issues: - CVE-2020-13904: Fixed use-after-free via a crafted EXTINF duration in an m3u8 file (bsc#1172640). - CVE-2020-21041: Fixed buffer overflow vulnerability via apng_do_inverse_blend in libavcodec/pngenc.c (bsc#1186406). - CVE-2019-17539: Fixed NULL pointer dereference in avcodec_open2 in libavcodec/utils.c (bsc# 1154065). - CVE-2020-22026: Fixed buffer overflow vulnerability in config_input() at libavfilter/af_tremolo.c (bsc#1186583). - CVE-2020-22021: Fixed buffer overflow vulnerability in filter_edges function in libavfilter/vf_yadif.c (bsc#1186586). - CVE-2020-22020: Fixed buffer overflow vulnerability in build_diff_map() in libavfilter/vf_fieldmatch.c (bsc#1186587). - CVE-2020-22015: Fixed buffer overflow vulnerability in mov_write_video_tag() due to the out of bounds in libavformat/movenc.c (bsc#1186596). - CVE-2020-22016: Fixed a heap-based Buffer Overflow vulnerability at libavcodec/get_bits.h when writing .mov files (bsc#1186598). - CVE-2020-22017: Fixed a heap-based Buffer Overflow vulnerability in ff_fill_rectangle() in libavfilter/drawutils.c (bsc#1186600). - CVE-2020-22022: Fixed a heap-based Buffer Overflow vulnerability in filter_frame at libavfilter/vf_fieldorder.c (bsc#1186603). - CVE-2020-22023: Fixed a heap-based Buffer Overflow vulnerability in filter_frame at libavfilter/vf_bitplanenoise.c (bsc#1186604) - CVE-2020-22025: Fixed a heap-based Buffer Overflow vulnerability in gaussian_blur at libavfilter/vf_edgedetect.c (bsc#1186605). - CVE-2020-22031: Fixed a heap-based Buffer Overflow vulnerability at libavfilter/vf_w3fdif.c in filter16_complex_low() (bsc#1186613). - CVE-2020-22032: Fixed a heap-based Buffer Overflow vulnerability at libavfilter/vf_edgedetect.c in gaussian_blur() (bsc#1186614). - CVE-2020-22034: Fixed a heap-based Buffer Overflow vulnerability at libavfilter/vf_floodfill.c (bsc#1186616). - CVE-2020-20451: Fixed denial of service issue due to resource management errors via fftools/cmdutils.c (bsc#1186658). - CVE-2020-20448: Fixed divide by zero issue via libavcodec/ratecontrol.c (bsc#1186660). - CVE-2020-22038: Fixed denial of service vulnerability due to a memory leak in the ff_v4l2_m2m_create_context function in v4l2_m2m.c (bsc#1186757). - CVE-2020-22039: Fixed denial of service vulnerability due to a memory leak in the inavi_add_ientry function (bsc#1186758). - CVE-2020-22043: Fixed denial of service vulnerability due to a memory leak at the fifo_alloc_common function in libavutil/fifo.c (bsc#1186762). - CVE-2020-22044: Fixed denial of service vulnerability due to a memory leak in the url_open_dyn_buf_internal function in libavformat/aviobuf.c (bsc#1186763). - CVE-2020-22033,CVE-2020-22019: Fixed a heap-based Buffer Overflow Vulnerability at libavfilter/vf_vmafmotion.c in convolution_y_8bit() and in convolution_y_10bit() in libavfilter/vf_vmafmotion.c (bsc#1186615, bsc#1186597). ----------------------------------------- Patch: SUSE-2021-2351 Released: Thu Jul 15 13:48:23 2021 Summary: Recommended update for mgetty Severity: low References: 1184124 Description: This update for mgetty fixes the following issues: - Link /usr/bin/newslock as PIE. (bsc#1184124) ----------------------------------------- Patch: SUSE-2021-2393 Released: Mon Jul 19 09:01:49 2021 Summary: Security update for MozillaFirefox Severity: important References: 1188275,CVE-2021-29970,CVE-2021-29976,CVE-2021-30547 Description: This update for MozillaFirefox fixes the following issues: Firefox Extended Support Release 78.12.0 ESR * Fixed: Various stability, functionality, and security fixes MFSA 2021-29 (bsc#1188275) * CVE-2021-29970 (bmo#1709976): Use-after-free in accessibility features of a document * CVE-2021-30547 (bmo#1715766): Out of bounds write in ANGLE * CVE-2021-29976 (bmo#1700895, bmo#1703334, bmo#1706910, bmo#1711576, bmo#1714391): Memory safety bugs fixed in Firefox 90 and Firefox ESR 78.12 ----------------------------------------- Patch: SUSE-2021-2395 Released: Mon Jul 19 12:08:34 2021 Summary: Recommended update for efivar Severity: moderate References: 1187386 Description: This update for efivar provides the following fix: - Fix the eMMC sysfs parsing. (bsc#1187386) ----------------------------------------- Patch: SUSE-2021-2412 Released: Tue Jul 20 15:25:21 2021 Summary: Security update for containerd Severity: moderate References: 1188282,CVE-2021-32760 Description: This update for containerd fixes the following issues: - CVE-2021-32760: Fixed a bug which allows untrusted container images to change permissions in the host's filesystem. (bsc#1188282) ----------------------------------------- Patch: SUSE-2021-2444 Released: Wed Jul 21 15:53:37 2021 Summary: Recommended update for autogen Severity: low References: 1047218 Description: This update for autogen fixes the following issue: This update doesn't solve any visible issue to final users but it makes the builds reproducible. (bsc#1047218) In particular: - it normalize 'tar' - it normalize date in 'man-pages' ----------------------------------------- Patch: SUSE-2021-2447 Released: Thu Jul 22 08:26:29 2021 Summary: Recommended update for hwdata Severity: moderate References: 1186749,1187948 Description: This update for hwdata fixes the following issue: - Version 0.349: Updated pci, usb and vendor ids (bsc#1187948). ----------------------------------------- Patch: SUSE-2021-2454 Released: Thu Jul 22 13:16:58 2021 Summary: Security update for transfig Severity: moderate References: 1143650,1159130,1159293,1161698,1186329,CVE-2019-14275,CVE-2019-19555,CVE-2019-19746,CVE-2019-19797,CVE-2021-3561 Description: This update for transfig fixes the following issues: Update to version 3.2.8, including fixes for - CVE-2021-3561: overflow in fig2dev/read.c in function read_colordef() (bsc#1186329). - CVE-2019-19797: out-of-bounds write in read_colordef in read.c (bsc#1159293). - CVE-2019-19555: stack-based buffer overflow because of an incorrect sscanf (bsc#1161698). - CVE-2019-19746: segmentation fault and out-of-bounds write because of an integer overflow via a large arrow type (bsc#1159130). - CVE-2019-14275: stack-based buffer overflow in the calc_arrow function in bound.c (bsc#1143650). ----------------------------------------- Patch: SUSE-2021-2455 Released: Thu Jul 22 15:28:19 2021 Summary: Recommended update for php7-pear Severity: moderate References: 1187372 Description: This update for php7-pear fixes the following issues: - Fix for an issue when php-pear provides error messages with invalid variables. (bsc#1187372) ----------------------------------------- Patch: SUSE-2021-2456 Released: Thu Jul 22 15:28:39 2021 Summary: Recommended update for pam-config Severity: moderate References: 1187091 Description: This update for pam-config fixes the following issues: - Add 'revoke' to the option list for 'pam_keyinit'. - Fixed an issue when pam-config fails to create a new service config file. (bsc#1187091) ----------------------------------------- Patch: SUSE-2021-2457 Released: Thu Jul 22 18:05:53 2021 Summary: Security update for wireshark Severity: moderate References: 1186790 Description: This update for wireshark fixes the following issues: Update wireshark to 3.4.6. Including a fix for: - DVB-S2-BB dissector infinite loop (bsc#1186790). ----------------------------------------- Patch: SUSE-2021-2458 Released: Thu Jul 22 18:08:47 2021 Summary: Security update for MozillaThunderbird Severity: important References: 1188275,CVE-2021-29969,CVE-2021-29970,CVE-2021-29976,CVE-2021-30547 Description: This update for MozillaThunderbird fixes the following issues: Mozilla Thunderbird 78.12 * fixed: Sending an email containing HTML links with spaces in the URL sometimes resulted in broken links * fixed: Folder Pane display theme fixes for macOS * fixed: Chat account settings did not always save as expected * fixed: RSS feed subscriptions sometimes lost * fixed: Calendar: A parsing error for alarm triggers of type 'DURATION' caused sync problems for some users * fixed: Various security fixes MFSA 2021-30 (bsc#1188275) * CVE-2021-29969: IMAP server responses sent by a MITM prior to STARTTLS could be processed * CVE-2021-29970: Use-after-free in accessibility features of a document * CVE-2021-30547: Out of bounds write in ANGLE * CVE-2021-29976: Memory safety bugs fixed in Thunderbird 78.12 ----------------------------------------- Patch: SUSE-2021-2463 Released: Fri Jul 23 12:56:22 2021 Summary: Recommended update for python-pyzmq Severity: moderate References: 1186945 Description: This update for python-pyzmq fixes the following issues: - Update to version 17.1.2 (bsc#1186945) * Fix possible hang when working with asyncio * Remove some outdated workarounds for old Cython versions * Fix some compilation with custom compilers * Remove unneeded link of libstdc++ on PyPy ----------------------------------------- Patch: SUSE-2021-2464 Released: Fri Jul 23 14:20:23 2021 Summary: Recommended update for shim Severity: moderate References: 1185232,1185261,1185441,1185464,1185961,1187071,1187260,1187696 Description: This update for shim fixes the following issues: - shim-install: Always assume 'removable' for Azure to avoid the endless reset loop (bsc#1185464) - Avoid deleting the mirrored RT variables (bsc#1187696) - Split the keys in vendor-dbx.bin to vendor-dbx-sles and vendor-dbx-opensuse for shim-sles and shim-opensuse to reduce the size of MokListXRT (bsc#1185261) + Also update generate-vendor-dbx.sh in dbx-cert.tar.xz - Handle ignore_db and user_insecure_mode correctly (bsc#1185441, bsc#1187071) - Relax the maximum variable size check for u-boot (bsc#1185621) - Relax the check for import_mok_state() when Secure Boot is off. (bsc#1185261) - Ignore the odd LoadOptions length (bsc#1185232) - shim-install: reset def_shim_efi to 'shim.efi' if the given file doesn't exist - Fided the size of rela sections for AArch64 - Disable exporting vendor-dbx to MokListXRT since writing a large RT variable could crash some machines (bsc#1185261) - Avoid potential crash when calling QueryVariableInfo in EFI 1.10 machines (bsc#1187260) - Avoid buffer overflow when copying data to the MOK config table (bsc#1185232) ----------------------------------------- Patch: SUSE-2021-2467 Released: Mon Jul 26 11:57:11 2021 Summary: Recommended update for jsch Severity: low References: Description: This update for jsch fixes the following issues: - Miscellaneous clean-up - Create the osgi manifest during the ant build. ----------------------------------------- Patch: SUSE-2021-2475 Released: Tue Jul 27 13:03:29 2021 Summary: Recommended update for novnc Severity: important References: 1183291 Description: This update for novnc fixes the following issues: - Update to 1.2.0: * Quality and compression hints can now be modified dynamically * Added touch gestures to emulate common mouse actions * Support for full Unicode in clipboard * Support for VeNCrypt Plain authentication * Support for TightVNC Unix authentication * Support for alpha cursors * The session name is now updated whilst connected - Update to 1.1.0: Application: * New translations for Russian, Korean, Czech and Chinese (traditional) languages * Fixed an issue where you didn't get scrollbars in your browser on Windows you had a touch screen. * Added the Super/Windows key to the toolbar. * Added an option to show a dot when there otherwise wouldn't be a visible cursor. * View drag is no longer available when in scaling mode. Library: * A large number of coding style changes has been made to make the code easier to read and better to work with. * Many keyboard issues has been fixed. * Local cursor is now available on all platforms. * Fixed a number of crashes related to clipboard. * Fixed issues that occurred if data from the server was being received slowly. * A problem has been fixed where the display module would incorrectly handle high DPI systems causing scrollbars to show when they shouldn't. ----------------------------------------- Patch: SUSE-2021-2477 Released: Tue Jul 27 13:32:50 2021 Summary: Recommended update for growpart-rootgrow Severity: important References: 1165198,1188179 Description: This update for growpart-rootgrow fixes the following issues: - Change the logic to determine the partition ID of the root filesystem (bsc#1188179) + Previously the algorithm depended on the order of the output from lsblk using an index to keep track of the known partitions. The new implementation is order independent, it depends on the partition ID being numerical in nature and at the end of the device string. - Add coverage config. Omit version module from coverage check. - Fix string formatting for flake8 formatting. - Replace travis testing with GitHub actions. Add ci testing workflow action. - Switch implementation to use Popen for Python 3.4 compatibility (bsc#1165198) - Bump version: 1.0.2 → 1.0.3 - Fixed unit tests and style This clobbers several fixes into one. Sorry about it but I started on already made changes done by other people. This commit includes several pep8 style fixes mostly on the indentation level. In addition it fixes the unit tests to really cover all code and to make the exception tests really effective. - Switch to use Popen instead of run The run() fuction in the subprocess module was implemented after Python 3.4. However, we need to support Python 3.4 for SLES 12 - Bump version: 1.0.1 → 1.0.2 - Package LICENSE file The LICENSE file is part of the source repo but was not packaged with the rpm package ----------------------------------------- Patch: SUSE-2021-2481 Released: Tue Jul 27 14:20:27 2021 Summary: Recommended update for sysconfig Severity: moderate References: 1184124 Description: This update for sysconfig fixes the following issues: - Link as Position Independent Executable (bsc#1184124). ----------------------------------------- Patch: SUSE-2021-2547 Released: Wed Jul 28 11:57:32 2021 Summary: Recommended update for fence-agents Severity: moderate References: 1182701,1185058 Description: This update for fence-agents fixes the following issues: - Corrections to support Azure SDK greater than 15 - including backward compatibility (bsc#1185058) - Fixed an issue when libvirt breaks the connection in every 30 seconds. - ECO: Update fence-agents. (jsc#SLE-18182) - Add upstream PR to aws-vpc-move-ip and apply required resource and fence agent patches. (jsc#SLE-17998) - Fixed an issue when fence-agent does not restart the node properly. (bsc#1182701) - Major rework of the original agent: * fence_gce: default method moved back to powercycle (#389) * fence_gce: make serviceaccount work with new libraries * fence_virt*: simple_auth: use %zu for sizeof to avoid failing verbose builds on some archs * configure: dont fail when --with-agents contains virt * fence_mpath: watchdog retries support * fencing: add multi plug support for reboot-action * fence_redfish: add missing diag logic * fencing: fix issue with hardcoded help text length for metadata * fencing: add stonith_status_sleep parameter for sleep between status calls during a STONITH action * fence_aws: add filter parameter to be able to limit which nodes are listed * virt: fix a bunch of coverity scan errors in ip_lookup * virt: make sure to provide an empty default to strncpy * virt: make sure buffers are big enough for 0 byte end string * virt: increase buffer size to avoid overruns * virt: check return code in virt-sockets * virt: fix plugin (minor) memory leak and plug in load race * virt: attempt to open file directly and avoid race condition * virt: fix different coverity scan errors in common/tcp * virt: cleanup deadcode in client/vsock * virt: cleanup deadcode in client/tcp * virt: fix potential buffer overrun * virt: fix mcast coverity scan errors * virt: drop pm-fence plugin * virt: drop libvirt-qmf plugin * virt: drop null plugin * virt: drop fence_virtd non-modular build * virt: fix plugin installation regression on upgrades * fence_virt: metadata fixes, implement manpage generation and metadata/delay/rng checks * virt: make sure variable is initialized * zvm: reformat fence_zvm to avoid gcc warnings * virt: drop -Werror to avoid unnecessary failures * virt: disable -Wunused for yy generated files * virt: disable fence-virt on bsd variants * virt: merge spec files * build: fix more gcc warnings * build: remove unused / obsoleted options * build: fix some annoying warnings at ./autogen.sh time * virt: move all virt CFLAGS/LDFLAGS in the right location * virt: fix unused gcc warnings and re-enable all build warnings * virt: fix write-strings gcc warnings * virt: fix pointer-arith gcc warnings * virt: fix declaration-after-statement gcc warnings * virt: fix build with -Wmissing-prototypes * build: don´t override clean target * virt: plug fence_virt into the build * virt: allow fence_virt build to be optional * virt: drop support for LSB init script * virt: collect docs in one location * virt: remove unnecessary files and move build macros in place * Ignore fence-virt man pages * Move fence_virt to the correct location * spec: use python3 path for newer releases * spec: undo autosetup change that breaks builds w/git commit hashes * Ignore unknown options on stdin * fence_gce: support google-auth and oauthlib and fallback to deprecated libs when not available * spec: add aliyun subpackage and fence_mpath_check* to mpath subpackage * fence_gce: Adds cloud-platform scope for bare metal API and optional proxy flags (#382) * fence_virt: Fix minor typo in metadata * fence_gce: update module reqs for SLES 15 (#383) * Add fence_ipmilanplus as fence_ipmilan wrapper always enabling lanplus * fence_redfish: Add diag action * fence_vbox: updated metadata file * fence_vbox: do not flood host account with vboxmanage calls * fence_aws/fence_gce: allow building without cloud libs * fence_gce: default to onoff * fence_lpar: Make --managed a required option * fence_zvmip: fix shell-timeout when using new disable-timeout parameter * Adds service account authentication to GCE fence agent * spec: dont build -all subpackage as noarch * fence_virt: add plug parameter that obsoletes old port parameter * Try to detect directory for initscripts configuration * Accept SIGTERM while waiting for initialization. * Add man pages to fence_virtd service file. * Fix spelling error in fence_virt.conf.5 * build: fix BRs for suse distros * build: remove ExclusiveArch * build: removed gcc-c++ BR * build: add spec-file and rpm build targets * build: cleanup/improvements to reworked build system * [build] rework build system to use automake/libtool * fence_virtd: Fix segfault in vl_get when no domains are found * fence_virt: fix core dump * build: harden and make it possible to build with -fPIE * fence_virt: dont report success for incorrect parameters * fence_virt: mcast: config: Warn when provided mcast addr is not used * fence_virtd: Return control to main loop on select interruption * fence-virtd: Add missing vsock makefile bits * fence-virt: Add vsock support * fence_virtd: Fix transposed arguments in startup message * fence_virt: Rename challenge functions * fence_virtd: Cleanup: remove unused configuration options * fence_virt: Remove remaining references to checkpoints * fence_virt: Remove remaining references to checkpoints * fence-virt: Format string cleanup * fence_virtd: Implment hostlist for the cpg backend * fence_virt: Fix logic error in fence_xvm * fence_virtd: Cleanup config module * fence_virtd: cpg: Fail initialization if no hypervisor connections * fence_virtd: Make the libvirt backend survive libvirtd restarts * fence_virtd: Allow the cpg backend to survive libvirt failures * fence_virtd: cpg: Fix typo * fence-virtd: Add cpg-virt backend plugin * fence_virtd: Remove checkpoint, replace it with a CPG only plugin * fence-virt: Bump version * fence_virtd: Add better debugging messages for the TCP listner * fence_virtd: Fix potential unlocked pthread_cond_timedwait() * fence-virtd: Cleanup small memory leak * fence_virtd: Fix select logic in listener plugins * Factor out common libvirt code so that it can be reused by multiple backends * Document the fence_virtd -p command line flag * fence_virtd: Log an error when startup fails * Retry writes in the TCP, mcast, and serial listener plugins while sending a response to clients, if the write fails or is incomplete. * Make the packet authentication code more resilient in the face of transient failures. * Disable the libvirt-qmf backend by default * Bump the versions of the libvirt and checkpoint plugins * fence-virtd: Enable TCP listener plugin by default * fence-virtd: Cleanup documentation of the TCP listener * fence_xvm/fence_virt: Add support for the validate-all status op * fence-virt: Add list-status command to man page and metadata * fence-virt: Cleanup numeric argument parsing * fence-virt: Log message to syslog in addition to stdout/stderr * fence-virt: Permit explicitly setting delay to 0 * fence-virt: Add 'list-status' operation for compat with other agents * Allow fence_virtd to run as non-root * Remove delay from the status, monitor and list functions * Resolves serveral problems in checkpoint plugin, making it functional. * daemon_init: Removed PID check and update * fence_virtd: drop legacy SysVStartPriority from service unit * fence-virt: client: Do not truncate VM domains in list output * client: fix 'delay' parameter checking (copy-paste) * fence-virt: Fix broken restrictions on the port ranges * Clarify debug message * fence-virtd: Use perror only if the last system call returns an error. * fence-virtd: Fix printing wrong system call in perror * fence-virtd: Allow multiple hypervisors for the libvirt backend * fence-virt: Don't overrwrite saved errno * fence-virt: Fix small memory leak in the config module * fence-virt: Fix mismatched sizeof in memset call * fence-virt: Send complete hostlist info * fence-virt: Clarify the path option in serial mode * Bump version * fence-virt: Bump version * fence_virtd: Fix broken systemd service file * fence_virt/fence_xvm: Print status when invoked with -o status * fence-virt: Fix for missed libvirtd events * fence-virt: Fail properly if unable to bind the listener socket * client: dump all arguments structure in debug mode * Drop executable flag for man pages (finally) * Honor implicit 'ip_family=auto' in fence_xvm w/IPv6 mult.addr. * Fix using bad struct item for auth algorithm * Drop executable flag for man pages * use bswap_X() instead of b_swapX() * fence_virtd: Fix memcpy size params in the TCP plugin * Revert 'fence-virt: Fix possible descriptor leak' * fence_virtd: Return success if a domain exists but is already off. * fence-virt: Add back missing tcp_listener.h file * fence-virt: Fix a few fd leaks * fence-virt: Fix free of uninitialized variable * fence-virt: Fix possible null pointer dereference * fence-virt: Fix memory leak * fence-virt: Fix fd leak when finding local addresses * fence-virt: Fix possible descriptor leak * fence-virt: Fix possible fd leak * fence-virt: Fix null pointer deref * fence-virt: Explicitly set delay to 0 * fence-virt: Fix return with lock held * fence_virt: Fix typo in fence_virt(8) man page * fence_virt: Return failure for nonexistent domains * Improve fence_virt.conf man page description of 'hash' * Add a TCP listener plugin for use with viosproxy * In serial mode, return failure if the other end closes the connection before we see SERIAL_MAGIC in the reply or timeout. * Stop linking against unnecessary QPid libs. * Update libvirt-qmf plugin and docs * Fix crash when we fail to read key file. * Fix erroneous man page XML * Add 'interface' directive to example.conf * Add old wait_for_backend directive handling & docs * Return proper error if we can't set up our socket. * Fix startup in systemd environments * Add systemd unit file and generation * Don't override user's pick for backend server module * Use libvirt as default in shipped config * Clean up compiler warnings * Fix serial domain handling * Fix monolithic build * Clean up build and comments. * Add missing pm_fence source code * Disable CMAN / checkpoint build by default * Rename libvirt-qpid -> libvirt-qmf * Fix static analysis errors * Reword assignment to appease static analyzers * Handle return value from virDomainGetInfo * Fix bad sizeof() * Make listen() retry * Add map_check on 'status' action * Update README * Don't reference out-of-scope temporary * Ensure we don't try to strdup() or atoi() on NULL * Add libvirt-qmf support to the libvirt-qpid plugin * Convert libvirt-qpid plugin to QMFv2 * Fix incorrect return value on hash mismatch * Fix error getting status from libvirt-qpid plugin * Make fence-virt requests endian clean * Fix input parsing to allow domain again * Provide 'domain' in metadata output for compatibility * High: Fix UUID lookups in checkpoint backend * Curtail 'list' operation requests * Fix man page references: fence_virtd.conf -> fence_virt.conf * Add 'list' operation for plugins; fix missing getopt line * Fix build with newer versions of qpid * Make configure.in actually disable plugins * Rename parameters to match other fencing agents * Fix fence_xvm man page to point to the right location * client: Clarify license in serial.c * Return 2 for 'off' like other fencing agents * Reset flags before returning from connect_nb * Use nonblocking connect to vmchannel sockets * More parity with other fencing agents' parameters * Fix memory leaks found with valgrind * Add basic daemon functions * Fix bug in path pruning support for serial plugin * Fix libvirt-qpid bugs found while testing * Fix segfault caused by invalid map pointer assignment * Fix another compiler warning * Fix build warnings in client/serial.c * Add 'monitor' as an alias for 'status' * Add serial listener to configuration utility * Make serial/vmchannel module enabled by default * Add missing 'metadata' option to help text * Add missing static_map.h * Add metadata support to fence_xvm/fence_virt * Allow IPs to be members of groups * Allow use of static mappings w/ mcast listener * Make 'path' be a directory * Remove useless debug printfs * Enable VM Channel support in serial plugin * Pass source VM UUID (if known) to backend * Mirror libvirt-qpid's settings in libvirt-qpid plugin * libvirt-qpid: clean up global variable * Enable a configurable host/port on libvirt-qpid plugin * Minor config utility cleanups * Remove unnecessary name_mode from multicast plugin * Add prototypes and clean up build warnings * Use seqno in serial requests * Minor debugging message cleanup * Fix build error due to improper value * Static map support and permissions reporting * Sync up on SERIAL_MAGIC while waiting for a response * Don't build serial vmchannel module by default * Initial checkin of serial server-side support * Fix fence_virt.conf man page name * Add Fedora init script * Compiler warning cleanups in virt-serial.c * Add wait-for-backend mode * Fix up help text for clients * Minor XML cleanups, add missing free() call * add missing module_path to fence_virtd.conf.5 * Add capabilities to virt-serial * Note that serial support is experimental * Add a serial.so build target * Add vmchannel serial event interface * Split fence_virt vs. fence_xvm args * Add static map functions. * Fix build warning due to missing #include * Fix multiple query code * Better config query & multiple value/tag support * Add simple configuration mode * Allow setting config values to NULL to clear them * Clean up example config file * Sort plugins by type when printing them * Revert 'Sort plugins by type when printing them' * Sort plugins by type when printing them * Clean up some configuration plugin information * add empty line between names * Make libvirt to automatically use uuid or names * Improve error reporting * Fix build for hostlist functionality * Hostlist functionality for libvirt, libvirt-qpid * Work around broken nspr headers * Fix installation target for man pages * Add man page build infrastructure * Make fence_xvm compatibility mode enabled by default * Fix libvirt / mcast support for name_mode * Fix agent option parsing * Fix dlsym mapping of C++ module * Make uuids work with libvirt-qpid * Fix uninitialized variable causing false returns * Add 'help' to fence_virtd * Fix libvirt-qpid build * Fix libvirt-qpid build * Add libvirt-qpid build target * Initial checking of libvirt-qpid plugin * Fix build on i686 * Make symlink/compatibilty mode disabled by default * Add simple tarball / release script * Use immediate resolution of symbols * Example config tweaks * Use sysconfdir for /etc/fence_virt.conf * Fix package name and install locations * Add 'maintainer-clean' target * Fix build errors on Fedora * Add missing header file * Ignore automake error * Make the build script actually build * Make cluster mode plugin work * Add basic cpg stuff for later * Enable 'on' operation for libvirt backend * Clean up modular build * Minor build cleanups * Yet more build fixes * More build cleanups * Build cleanups * Initial port to autoconf * Add checkpoint.c stub functions * Add sequence numbers to requests for tracking * Include missing include * Call generic history functions * Make history functions generic * Make debugging work from modules again * Revert 'Fix build issue breaking debug printing from modules' * Fix build issue breaking debug printing from modules * Fix libvirt backend; VALIDATE was wrong * Cleanups, add daemon support * Add simple 'null' skeleton backend plugin * Make all plugins dynamically loaded. * Fix error message * Remove dummy serial prototypes * Remove modules in 'make clean' * Make listeners plugins. * Move name_mode to fence_virtd block * Add name_mode to example.conf * Move VM naming scheme to top level of config * Enable UUID use in libvirt.c * Move options.c to client directory * Drop duplicate fencing requests * Don't require specifying an interface in fence_virt.conf * Fix empty node parsing * Actually use the default port by default * Don't overwrite config files * Install modules, too. * Add temporary 'make install' target * Make a default configuration file * Make mcast work with UUIDs * Add checkpoint.so to the build * Fix missing carriage returns on debug prints * Add architecture overview description * Make serial_init match mcast_init. * Make multicast use config file * Integrate config file processing * Create server-side plugin architecture * Make libvirt a built-in plugin * Fix header in serial.c. ----------------------------------------- Patch: SUSE-2021-2555 Released: Thu Jul 29 08:29:55 2021 Summary: Security update for git Severity: moderate References: 1168930,1183026,1183580,CVE-2021-21300 Description: This update for git fixes the following issues: Update from version 2.26.2 to version 2.31.1 (jsc#SLE-18152) Security fixes: - CVE-2021-21300: On case-insensitive file systems with support for symbolic links, if Git is configured globally to apply delay-capable clean/smudge filters (such as Git LFS), Git could run remote code during a clone. (bsc#1183026) Non security changes: - Add `sysusers` file to create `git-daemon` user. - Remove `perl-base` and `openssh-server` dependency on `git-core`and provide a `perl-Git` package. (jsc#SLE-17838) - `fsmonitor` bug fixes - Fix `git bisect` to take an annotated tag as a good/bad endpoint - Fix a corner case in `git mv` on case insensitive systems - Require only `openssh-clients` where possible (like Tumbleweed or SUSE Linux Enterprise >= 15 SP3). (bsc#1183580) - Drop `rsync` requirement, not necessary anymore. - Use of `pack-redundant` command is discouraged and will trigger a warning. The replacement is `repack -d`. - The `--format=%(trailers)` mechanism gets enhanced to make it easier to design output for machine consumption. - No longer give message to choose between rebase or merge upon pull if the history `fast-forwards`. - The configuration variable `core.abbrev` can be set to `no` to force no abbreviation regardless of the hash algorithm - `git rev-parse` can be explicitly told to give output as absolute or relative path with the `--path-format=(absolute|relative)` option. - Bash completion update to make it easier for end-users to add completion for their custom `git` subcommands. - `git maintenance` learned to drive scheduled maintenance on platforms whose native scheduling methods are not 'cron'. - After expiring a reflog and making a single commit, the reflog for the branch would record a single entry that knows both `@{0}` and `@{1}`, but we failed to answer 'what commit were we on?', i.e. `@{1}` - `git bundle` learns `--stdin` option to read its refs from the standard input. Also, it now does not lose refs when they point at the same object. - `git log` learned a new `--diff-merges=` option. - `git ls-files` can and does show multiple entries when the index is unmerged, which is a source for confusion unless `-s/-u` option is in use. A new option `--deduplicate` has been introduced. - `git worktree list` now annotates worktrees as prunable, shows locked and prunable attributes in `--porcelain mode`, and gained a `--verbose` option. - `git clone` tries to locally check out the branch pointed at by HEAD of the remote repository after it is done, but the protocol did not convey the information necessary to do so when copying an empty repository. The protocol v2 learned how to do so. - There are other ways than `..` for a single token to denote a `commit range', namely `^!` and `^-`, but `git range-diff` did not understand them. - The `git range-diff` command learned `--(left|right)-only` option to show only one side of the compared range. - `git mergetool` feeds three versions (base, local and remote) of a conflicted path unmodified. The command learned to optionally prepare these files with unconflicted parts already resolved. - The `.mailmap` is documented to be read only from the root level of a working tree, but a stray file in a bare repository also was read by accident, which has been corrected. - `git maintenance` tool learned a new `pack-refs` maintenance task. - Improved error message given when a configuration variable that is expected to have a boolean value. - Signed commits and tags now allow verification of objects, whose two object names (one in SHA-1, the other in SHA-256) are both signed. - `git rev-list` command learned `--disk-usage` option. - `git diff`, `git log` `--{skip,rotate}-to=` allows the user to discard diff output for early paths or move them to the end of the output. - `git difftool` learned `--skip-to=` option to restart an interrupted session from an arbitrary path. - `git grep` has been tweaked to be limited to the sparse checkout paths. - `git rebase --[no-]fork-point` gained a configuration variable `rebase.forkPoint` so that users do not have to keep specifying a non-default setting. - `git stash` did not work well in a sparsely checked out working tree. - Newline characters in the host and path part of `git://` URL are now forbidden. - `Userdiff` updates for PHP, Rust, CSS - Avoid administrator error leading to data loss with `git push --force-with-lease[=]` by introducing `--force-if-includes` - only pull `asciidoctor` for the default ruby version - The `--committer-date-is-author-date` option of `rebase` and `am` subcommands lost the e-mail address by mistake in 2.29 - The transport protocol v2 has become the default again - `git worktree` gained a `repair` subcommand, `git init --separate-git-dir` no longer corrupts administrative data related to linked worktrees - `git maintenance` introduced for repository maintenance tasks - `fetch.writeCommitGraph` is deemed to be still a bit too risky and is no longer part of the `feature.experimental` set. - The commands in the `diff` family honors the `diff.relative` configuration variable. - `git diff-files` has been taught to say paths that are marked as `intent-to-add` are new files, not modified from an empty blob. - `git gui` now allows opening work trees from the start-up dialog. - `git bugreport` reports what shell is in use. - Some repositories have commits that record wrong committer timezone; `git fast-import` has an option to pass these timestamps intact to allow recreating existing repositories as-is. - `git describe` will always use the `long` version when giving its output based misplaced tags - `git pull` issues a warning message until the `pull.rebase` configuration variable is explicitly given ----------------------------------------- Patch: SUSE-2021-2558 Released: Thu Jul 29 12:05:03 2021 Summary: Recommended update for python-pytz Severity: moderate References: 1185748 Description: This update for python-pytz fixes the following issues: - Add %pyunittest shim for platforms where it is missing. - Remove real directory of %{python_sitelib}/pytz/zoneinfo when upgrading, before it is replaced by a symlink. (bsc#1185748) - Bump tzdata_version - update to 2021.1: * update to IANA 2021a timezone release ----------------------------------------- Patch: SUSE-2021-2568 Released: Thu Jul 29 14:18:37 2021 Summary: Recommended update for open-vm-tools Severity: moderate References: 1029961,1185103,1185175,1187567 Description: This update for open-vm-tools fixes the following issues: Update to 11.3.0 (bsc#1187567) - Reduce or eliminate Linux dependency on the 'net-tools' package. - The 'ifconfig' and 'netstat' commands are deprecated in more recent releases of Linux. Update the Linux 'vm-support' script to use the 'ip' and 'ss' commands when available. If the new commands are missing a fallback will be used. In Particular, 'ip' has a fallback on 'ifconfig', 'ip route' will fallback on 'route' and 'ss' will fallback on 'netstat'. - Configuring OVT with the '--without-pam' option will implicitly disable 'vgauth'. - When no 'vgauth' option is given alongside '--without-pam', a warning is displayed with a message 'Building without PAM; vgauth will be disabled.'. - When '--disable-vgauth' is supplied alongside '--without-pam', no warning or error message is displayed. - When '--enable-vgauth' is supplied alongside '--without-pam', an error will be shown and the configure stage will be aborted with an error message 'Cannot enable vgauth without PAM. Please configure without --without-pam or without --enable-vgauth.' - Fix issues using GCC 11 with gtk >= 3.20 and glib >=2.66.3 - Fix more GCC 11 failures. (bsc#1185103) - Update the 'FreeBSD' specific sections of 'open-vm-tools' to adjust what necessary for 'ARM64'. - New command line tool 'vmwgfxctrl' introduced in 'open-vm-tools'. - A user can now control various aspects of the 'vmwgfx' Linux kernel module. Currently it can both display and set the current topology of the 'vmwgfx' kernel driver. It is useful when trying to configure custom resolutions on recent Linux distributions, including multi-monitor setups. - New command line tool 'vmware-alias-import' added to 'open-vm-tools' that can be used to import 'vgauth' config data and apply it to the running 'vgauth' service. - Enhancements to support or utilize various vSphere features. - In 'vmtoolsd.service' move the deprecated path '/var/run' to '/run' for it's 'PID' file. (bsc#1185175) - Finalize the 'UsrMerge'. (bsc#1029961) ----------------------------------------- Patch: SUSE-2021-2573 Released: Thu Jul 29 14:21:52 2021 Summary: Recommended update for timezone Severity: moderate References: 1188127 Description: This update for timezone fixes the following issue: - From systemd v249: when enumerating time zones the timedatectl tool will now consult the 'tzdata.zi' file shipped by the IANA time zone database package, in addition to 'zone1970.tab', as before. This makes sure time zone aliases are now correctly supported. This update adds the 'tzdata.zi' file (bsc#1188127). ----------------------------------------- Patch: SUSE-2021-2579 Released: Sun Aug 1 15:57:01 2021 Summary: Recommended update for rust, rust1.43, rust1.53 Severity: moderate References: Description: This update for rust, rust1.43, rust1.53 fixes the following issues: This will ship multiple rust versions. - rust1.43: for Firefox ESR - rust1.53: The current rust release The 'rust' package itself will be a wrapper package. ----------------------------------------- Patch: SUSE-2021-2580 Released: Sun Aug 1 15:57:20 2021 Summary: Recommended update for pdsh Severity: moderate References: 1186642 Description: This update for pdsh fixes the following issue: - pdsh had a lower release number in 15 sp3 than in 15 sp2, which could lead to migration issues. (bsc#1186642) ----------------------------------------- Patch: SUSE-2021-2602 Released: Wed Aug 4 08:45:01 2021 Summary: Recommended update for amazon-ecs-init Severity: moderate References: 1187662 Description: This update for amazon-ecs-init fixes the following issues: - Update to version 1.53.0-1 (bsc#1187662) * Cache Agent version 1.53.0 - from version 1.52.2-2 * Cache Agent version 1.52.2 * ecs-anywhere-install: fix incorrect download url when running in cn region - from version 1.52.2-1 * Cache Agent version 1.52.2 * ecs-anywhere-install: remove dependency on gpg key server * ecs-anywhere-install: allow sandboxed apt installations ----------------------------------------- Patch: SUSE-2021-2606 Released: Wed Aug 4 13:16:09 2021 Summary: Recommended update for libcbor Severity: moderate References: 1102408 Description: This update for libcbor fixes the following issues: - Implement a fix to avoid building shared library twice. (bsc#1102408) ----------------------------------------- Patch: SUSE-2021-2612 Released: Thu Aug 5 10:17:44 2021 Summary: Security update for apache-commons-compress Severity: important References: 1188463,1188464,1188465,1188466,CVE-2021-35515,CVE-2021-35516,CVE-2021-35517,CVE-2021-36090 Description: This update for apache-commons-compress fixes the following issues: - Updated to 1.21 - CVE-2021-35515: Fixed an infinite loop when reading a specially crafted 7Z archive. (bsc#1188463) - CVE-2021-35516: Fixed an excessive memory allocation when reading a specially crafted 7Z archive. (bsc#1188464) - CVE-2021-35517: Fixed an excessive memory allocation when reading a specially crafted TAR archive. (bsc#1188465) - CVE-2021-36090: Fixed an excessive memory allocation when reading a specially crafted ZIP archive. (bsc#1188466) ----------------------------------------- Patch: SUSE-2021-2614 Released: Thu Aug 5 10:19:19 2021 Summary: Security update for spice-vdagent Severity: important References: 1173749,1177780,1177781,1177782,1177783,CVE-2020-25650,CVE-2020-25651,CVE-2020-25652,CVE-2020-25653 Description: This update for spice-vdagent fixes the following issues: - Update to version 0.21.0 - CVE-2020-25650: memory DoS via arbitrary entries in `active_xfers` hash table (bsc#1177780) - CVE-2020-25651: possible file transfer DoS and information leak via `active_xfers` hash map (bsc#1177781) - CVE-2020-25652: possibility to exhaust file descriptors in `vdagentd` (bsc#1177782) - CVE-2020-25653: UNIX domain socket peer PID retrieved via `SO_PEERCRED` is subject to race condition (bsc#1177783) ----------------------------------------- Patch: SUSE-2021-2619 Released: Thu Aug 5 10:35:15 2021 Summary: Security update for djvulibre Severity: important References: 1187869,CVE-2021-3630 Description: This update for djvulibre fixes the following issues: - CVE-2021-3630: out-of-bounds write in DJVU:DjVuTXT:decode() in DjVuText.cpp (bsc#1187869) ----------------------------------------- Patch: SUSE-2021-2625 Released: Thu Aug 5 12:10:27 2021 Summary: Recommended update for supportutils Severity: moderate References: 1185991,1185993,1186347,1186397,1186687,1188348 Description: This update for supportutils fixes the following issues: ethtool was updated to version 3.1.17: - Solve a downgrade issue between SUSE Linux Enterprise SP3 and lower (bsc#1188348) - Adding ethtool options g l m to network.txt (jsc#SLE-18240) - lsof options to improve performance (bsc#1186687) - Exclude rhn.conf from etc.txt (bsc#1186347) - analyzevmcore supports local directories (bsc#1186397) - getappcore checks for valid compression binary (bsc#1185991) - getappcore does not trigger errors with help message (bsc#1185993) ----------------------------------------- Patch: SUSE-2021-2627 Released: Thu Aug 5 12:10:46 2021 Summary: Recommended maintenance update for systemd-default-settings Severity: moderate References: 1188348 Description: This update for systemd-default-settings fixes the following issue: - Solve a downgrade issue between SUSE Linux Enterprise SP3 and lower (bsc#1188348) ----------------------------------------- Patch: SUSE-2021-2629 Released: Thu Aug 5 12:11:09 2021 Summary: Recommended update for libreoffice Severity: moderate References: 1178806,1182969,1186871,1187173 Description: This update for libreoffice fixes the following issues: Update to version 7.1.4.2 (bsc#1178806) - Fix external URL connections issues when WebDav is built using 'libserf'. (bsc#1187173, bsc#1186871) - Fix a regression caused by 'Multi column textbox in editengine'. - Improve the build time on aarch64 to select only powerful buildhosts. - Fix an issue with PPTX where one column becomes two within one text frame. (bsc#1182969) ----------------------------------------- Patch: SUSE-2021-2640 Released: Fri Aug 6 13:25:58 2021 Summary: Recommended update for cloud-regionsrv-client Severity: moderate References: 1029162 Description: This update for cloud-regionsrv-client contains the following fix: - Update to version 9.2.0: (bsc#1029162) + Support IPv6 as best-effort, with fallback to IPv4 ----------------------------------------- Patch: SUSE-2021-2652 Released: Wed Aug 11 13:25:42 2021 Summary: Recommended update for cloud-regionsrv Severity: moderate References: 1029162 Description: This update for cloud-regionsrv contains the following fix: - Update to version 8.1.0: (bsc#1029162) + Enable multiple IP assignments (IPv4+IPv6) on TLS Certificate ----------------------------------------- Patch: SUSE-2021-2681 Released: Thu Aug 12 14:59:06 2021 Summary: Recommended update for growpart-rootgrow Severity: important References: 1188868,1188904 Description: This update for growpart-rootgrow fixes the following issues: - Fix root partition ID lookup. Only consider trailing digits to be part of the paritition ID. (bsc#1188868) (bsc#1188904) ----------------------------------------- Patch: SUSE-2021-2682 Released: Thu Aug 12 20:06:19 2021 Summary: Security update for rpm Severity: important References: 1179416,1181805,1183543,1183545,CVE-2021-20266,CVE-2021-20271,CVE-2021-3421 Description: This update for rpm fixes the following issues: - Changed default package verification level to 'none' to be compatible to rpm-4.14.1 - Made illegal obsoletes a warning - Fixed a potential access of freed mem in ndb's glue code (bsc#1179416) - Added support for enforcing signature policy and payload verification step to transactions (jsc#SLE-17817) - Added :humansi and :hmaniec query formatters for human readable output - Added query selectors for whatobsoletes and whatconflicts - Added support for sorting caret higher than base version - rpm does no longer require the signature header to be in a contiguous region when signing (bsc#1181805) Security fixes: - CVE-2021-3421: A flaw was found in the RPM package in the read functionality. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package or compromise an RPM repository, to cause RPM database corruption. The highest threat from this vulnerability is to data integrity (bsc#1183543) - CVE-2021-20271: A flaw was found in RPM's signature check functionality when reading a package file. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package, whose signature header was modified, to cause RPM database corruption and execute code. The highest threat from this vulnerability is to data integrity, confidentiality, and system availability (bsc#1183545) - CVE-2021-20266: A flaw was found in RPM's hdrblobInit() in lib/header.c. This flaw allows an attacker who can modify the rpmdb to cause an out-of-bounds read. The highest threat from this vulnerability is to system availability. ----------------------------------------- Patch: SUSE-2021-2688 Released: Sat Aug 14 10:18:12 2021 Summary: Recommended update for patterns-base, patterns-server-enterprise, sles15-image Severity: moderate References: 1183154 Description: This update for patterns-base, patterns-server-enterprise, sles15-image fixes the following issues: - Add pattern to install necessary packages for FIPS (bsc#1183154) - Add patterns-base-fips to work also in FIPS environments (bsc#1183154) ----------------------------------------- Patch: SUSE-2021-2760 Released: Tue Aug 17 17:11:14 2021 Summary: Security update for c-ares Severity: important References: 1188881,CVE-2021-3672 Description: This update for c-ares fixes the following issues: Version update to git snapshot 1.17.1+20200724: - CVE-2021-3672: fixed missing input validation on hostnames returned by DNS servers (bsc#1188881) - If ares_getaddrinfo() was terminated by an ares_destroy(), it would cause crash - Crash in sortaddrinfo() if the list size equals 0 due to an unexpected DNS response - Expand number of escaped characters in DNS replies as per RFC1035 5.1 to prevent spoofing - Use unbuffered /dev/urandom for random data to prevent early startup performance issues ----------------------------------------- Patch: SUSE-2021-2764 Released: Tue Aug 17 17:17:17 2021 Summary: Security update for libsndfile Severity: critical References: 1100167,1116993,1117954,1188540,CVE-2018-13139,CVE-2018-19432,CVE-2018-19758,CVE-2021-3246 Description: This update for libsndfile fixes the following issues: - CVE-2018-13139: Fixed a stack-based buffer overflow in psf_memset in common.c in libsndfile 1.0.28allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact. (bsc#1100167) - CVE-2018-19432: Fixed a NULL pointer dereference in the function sf_write_int in sndfile.c, which will lead to a denial of service. (bsc#1116993) - CVE-2021-3246: Fixed a heap buffer overflow vulnerability in msadpcm_decode_block. (bsc#1188540) - CVE-2018-19758: Fixed a heap-based buffer over-read at wav.c in wav_write_header in libsndfile 1.0.28 that will cause a denial of service. (bsc#1117954) ----------------------------------------- Patch: SUSE-2021-2774 Released: Thu Aug 19 13:49:30 2021 Summary: Security update for MozillaFirefox Severity: important References: 1188891,CVE-2021-29980,CVE-2021-29984,CVE-2021-29985,CVE-2021-29986,CVE-2021-29988,CVE-2021-29989 Description: This update for MozillaFirefox fixes the following issues: Firefox Extended Support Release 78.13.0 ESR (MFSA 2021-34, bsc#1188891): - CVE-2021-29986: Race condition when resolving DNS names could have led to memory corruption - CVE-2021-29988: Memory corruption as a result of incorrect style treatment - CVE-2021-29984: Incorrect instruction reordering during JIT optimization - CVE-2021-29980: Uninitialized memory in a canvas object could have led to memory corruption - CVE-2021-29985: Use-after-free media channels - CVE-2021-29989: Memory safety bugs fixed in Firefox 91 and Firefox ESR 78.13 ----------------------------------------- Patch: SUSE-2021-2778 Released: Thu Aug 19 15:19:52 2021 Summary: Recommended update for compat-libpthread-nonshared Severity: moderate References: 1188004 Description: This update for compat-libpthread-nonshared fixes the following issues: - Add build for 32-bit version for Oracle client. (bsc#1188004) ----------------------------------------- Patch: SUSE-2021-2781 Released: Thu Aug 19 18:54:14 2021 Summary: Recommended update for psqlODBC Severity: moderate References: Description: This update for psqlODBC fixes the following issues: - Update to 13.01.0000: * Fix a bug of CC_send_query_append() when the ignore_roundtrip_time flag is on. * Add a call for SQLDescribeCol() before SQLExecute() to prepare-test. * Add a *update returning* test case to insertreturning regression test. * Let SQLDescribeCol() use parsed result when the current executed result is NULL. * Let SQLExecute() destroy the old result first. * Forget to apply disable_convert_func flag to VARCHAR and LONGVARCHAR. * Prioritize DISABLE_KEEPALIVE checkbox over the disable_keepalive bit of ExtraOptions. * Format check for ExtraOptions of setup dialog. - Update to 13.00.0000: * Add support for CONVERT scalar function. * Cope with the case that openssl libraries link msvc runtimes other than libraries which psqlodbc or libpq links. * Call AC_CHECK_SIZEOF() or AC_CHECK_TYPES() macros at earlier stage where LIBS variable isn't set yet. * Fix a compilation error with GCC 10 due to conflicting variable names. * Remove curr_param_result property of StatementClass and separate parsed result from the exec result. * Add support for development with VC16(Visual Studio 2019). * Hold the first and last result for parametrized SQL statements with array of parameters. * This would improve the performance of bulk inserts/updates etc. * Revise the handling of QResultClass list. * Introduce macros QR_concat(), QR_detach() and QR_next(). * Correct the handling of SQL_ROW_ERROR and SQL_ROW_SUCCESS_WITH_INFO. * Remove the single table restriction in SC_set_SS_columnkey. * Improve error reporting about SC_pos_reload_needed(). - Update to 12.02.0000: * Add a new *Display Optional Error Message* option. * Handle notice messages in libpq_bind_and_exec(). * Ignore PQtransactionStatus PQTRANS_ACTIVE in LIBPQ_update_transaction_status(). PQTRANS_ACTIVE isn't a transaction status. * Improve execution of parameterized SQL statements with arrays * Add a new option IgnoreTimeout. * An improvement for psqlodbc developpers. Make it possible to call some shell scripts from other directories. ----------------------------------------- Patch: SUSE-2021-2791 Released: Fri Aug 20 10:14:13 2021 Summary: Security update for fetchmail Severity: moderate References: 1188034,1188875,CVE-2021-36386 Description: This update for fetchmail fixes the following issues: - CVE-2021-36386: Fixed a missing variable initialization that can cause read from bad memory locations. (bsc#1188875) - Change PASSWORDLEN from 64 to 256 (bsc#1188034) ----------------------------------------- Patch: SUSE-2021-2792 Released: Fri Aug 20 10:18:15 2021 Summary: Security update for libass Severity: important References: 1188539,CVE-2020-36430 Description: This update for libass fixes the following issues: - CVE-2020-36430: Fixed heap-based buffer overflow in decode_chars (bsc#1188539). ----------------------------------------- Patch: SUSE-2021-2793 Released: Fri Aug 20 10:22:53 2021 Summary: Security update for openexr Severity: important References: 1188457,1188458,1188459,1188460,1188461,1188462,CVE-2021-20298,CVE-2021-20299,CVE-2021-20300,CVE-2021-20302,CVE-2021-20303,CVE-2021-20304,CVE-2021-3476 Description: This update for openexr fixes the following issues: - CVE-2021-20298 [bsc#1188460]: Fixed Out-of-memory in B44Compressor - CVE-2021-20299 [bsc#1188459]: Fixed Null-dereference READ in Imf_2_5:Header:operator - CVE-2021-20300 [bsc#1188458]: Fixed Integer-overflow in Imf_2_5:hufUncompress - CVE-2021-20302 [bsc#1188462]: Fixed Floating-point-exception in Imf_2_5:precalculateTileInfot - CVE-2021-20303 [bsc#1188457]: Fixed Heap-buffer-overflow in Imf_2_5::copyIntoFrameBuffer - CVE-2021-20304 [bsc#1188461]: Fixed Undefined-shift in Imf_2_5:hufDecode ----------------------------------------- Patch: SUSE-2021-2794 Released: Fri Aug 20 10:25:35 2021 Summary: Security update for aspell Severity: important References: 1177523,1188576,CVE-2019-25051 Description: This update for aspell fixes the following issues: - CVE-2019-25051: Fixed heap-buffer-overflow in acommon:ObjStack:dup_top (bsc#1188576). ----------------------------------------- Patch: SUSE-2021-2798 Released: Fri Aug 20 10:37:58 2021 Summary: Security update for java-1_8_0-openjdk Severity: important References: 1185056,1188564,1188565,1188566,CVE-2021-2161,CVE-2021-2341,CVE-2021-2369,CVE-2021-2388 Description: This update for java-1_8_0-openjdk fixes the following issues: - Update to version jdk8u302 (icedtea 3.20.0) - CVE-2021-2341: Improve file transfers. (bsc#1188564) - CVE-2021-2369: Better jar file validation. (bsc#1188565) - CVE-2021-2388: Enhance compiler validation. (bsc#1188566) - CVE-2021-2161: Less ambiguous processing. (bsc#1185056) ----------------------------------------- Patch: SUSE-2021-2802 Released: Fri Aug 20 10:47:08 2021 Summary: Security update for libmspack Severity: moderate References: 1103032,CVE-2018-14679,CVE-2018-14681,CVE-2018-14682 Description: This update for libmspack fixes the following issues: - CVE-2018-14681: Bad KWAJ file header extensions could cause a one or two byte overwrite. (bsc#1103032) - CVE-2018-14682: There is an off-by-one error in the TOLOWER() macro for CHM decompression. (bsc#1103032) - CVE-2018-14679: There is an off-by-one error in the CHM PMGI/PMGL chunk number validity checks, which could lead to denial of service. (bsc#1103032) ----------------------------------------- Patch: SUSE-2021-2812 Released: Mon Aug 23 12:17:44 2021 Summary: Security update for libvirt Severity: moderate References: 1184253,1187871,1188232,1188843,CVE-2021-3631,CVE-2021-3667 Description: This update for libvirt fixes the following issues: Security issues fixed: - CVE-2021-3631: fix SELinux label generation logic (bsc#1187871) - CVE-2021-3667: Unlock object on ACL fail in storagePoolLookupByTargetPath (bsc#1188843) Non-security issues fixed: - virtlockd: Don't report error if lockspace exists (bsc#1184253) - Don't forcibly remove '--listen' arg from /etc/sysconfig/libvirtd. Add '--timeout 120' if '--listen' is not specified. (bsc#1188232) ----------------------------------------- Patch: SUSE-2021-2816 Released: Mon Aug 23 14:16:58 2021 Summary: Optional update for python-kubernetes Severity: low References: Description: This patch provides the python3-kubernetes package to the following modules: - Container Module for SUSE Linux Enterprise 15 SP2 - Container Module for SUSE Linux Enterprise 15 SP3 ----------------------------------------- Patch: SUSE-2021-2817 Released: Mon Aug 23 15:05:36 2021 Summary: Security update for aws-cli, python-boto3, python-botocore, python-service_identity, python-trustme, python-urllib3 Severity: moderate References: 1102408,1138715,1138746,1176389,1177120,1182421,1182422,CVE-2020-26137 Description: This patch updates the Python AWS SDK stack in SLE 15: General: # aws-cli - Version updated to upstream release v1.19.9 For a detailed list of all changes, please refer to the changelog file of this package. # python-boto3 - Version updated to upstream release 1.17.9 For a detailed list of all changes, please refer to the changelog file of this package. # python-botocore - Version updated to upstream release 1.20.9 For a detailed list of all changes, please refer to the changelog file of this package. # python-urllib3 - Version updated to upstream release 1.25.10 For a detailed list of all changes, please refer to the changelog file of this package. # python-service_identity - Added this new package to resolve runtime dependencies for other packages. Version: 18.1.0 # python-trustme - Added this new package to resolve runtime dependencies for other packages. Version: 0.6.0 Security fixes: # python-urllib3: - CVE-2020-26137: urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest() (bsc#1177120) ----------------------------------------- Patch: SUSE-2021-2821 Released: Tue Aug 24 10:53:01 2021 Summary: Recommended update for ClusterTools2 Severity: moderate References: 1166943,1186119 Description: This update for ClusterTools2 fixes the following issues: - change version from 3.1.0 to 3.1.1 - As some of the supportconfig plugins of ClusterTools2 take very long time to process, we will disable these plugins by default. (bsc#1186119) - Add file samples to support SLE15. (bsc#1166943) ----------------------------------------- Patch: SUSE-2021-2827 Released: Tue Aug 24 16:16:26 2021 Summary: Security update for openssl-1_0_0 Severity: important References: 1189521,CVE-2021-3712 Description: This update for openssl-1_0_0 fixes the following issues: - CVE-2021-3712: a bug in the code for printing certificate details could lead to a buffer overrun that a malicious actor could exploit to crash the application, causing a denial-of-service attack. [bsc#1189521] ----------------------------------------- Patch: SUSE-2021-2838 Released: Wed Aug 25 12:34:01 2021 Summary: Security update for jetty-minimal Severity: moderate References: 1188438,CVE-2021-34429 Description: This update for jetty-minimal fixes the following issues: - Update to version 9.4.43.v20210629 - CVE-2021-34429: URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. (bsc#1188438) ----------------------------------------- Patch: SUSE-2021-2855 Released: Fri Aug 27 09:21:24 2021 Summary: Recommended update for rust Severity: moderate References: Description: This update for rust fixes the following issues: This ships the new parallel rust 1.54 version. Version 1.54.0 (2021-07-29) Language: - You can now use macros for values in built-in attribute macros. While a seemingly minor addition on its own, this enables a lot of powerful functionality when combined correctly. Most notably you can now include external documentation in your crate by writing the following. ```rust #![doc = include_str!('README.md')] ``` You can also use this to include auto-generated modules: ```rust #[path = concat!(env!('OUT_DIR'), '/generated.rs')] mod generated; ``` - You can now cast between unsized slice types (and types which contain unsized slices) in `const fn`. - You can now use multiple generic lifetimes with `impl Trait` where the lifetimes don't explicitly outlive another. In code this means that you can now have `impl Trait<'a, 'b>` where as before you could only have `impl Trait<'a, 'b> where 'b: 'a`. Compiler: - Rustc will now search for custom JSON targets in `/lib/rustlib//target.json` where `/` is the 'sysroot' directory. You can find your sysroot directory by running `rustc --print sysroot`. - Added `wasm` as a `target_family` for WebAssembly platforms. - You can now use `#[target_feature]` on safe functions when targeting WebAssembly platforms. - Improved debugger output for enums on Windows MSVC platforms. - Added tier 3\* support for `bpfel-unknown-none` and `bpfeb-unknown-none`. \* Refer to Rust's platform support page for more information on Rust's tiered platform support. Libraries: - `panic::panic_any` will now `#[track_caller]`. - Added `OutOfMemory` as a variant of `io::ErrorKind`. - `proc_macro::Literal` now implements `FromStr`. - The implementations of vendor intrinsics in core::arch have been significantly refactored. The main user-visible changes are a 50% reduction in the size of libcore.rlib and stricter validation of constant operands passed to intrinsics. The latter is technically a breaking change, but allows Rust to more closely match the C vendor intrinsics API. Stabilized APIs: - BTreeMap::into_keys - BTreeMap::into_values - HashMap::into_keys - HashMap::into_values - arch::wasm32 - VecDeque::binary_search - VecDeque::binary_search_by - VecDeque::binary_search_by_key - VecDeque::partition_point Cargo: - Added the `--prune ` option to `cargo-tree` to remove a package from the dependency graph. - Added the `--depth` option to `cargo-tree` to print only to a certain depth in the tree. - Added the `no-proc-macro` value to `cargo-tree --edges` to hide procedural macro dependencies. - A new environment variable named `CARGO_TARGET_TMPDIR` is available. This variable points to a directory that integration tests and benches can use as a 'scratchpad' for testing filesystem operations. ----------------------------------------- Patch: SUSE-2021-2861 Released: Fri Aug 27 14:41:03 2021 Summary: Security update for spectre-meltdown-checker Severity: moderate References: 1189477,CVE-2017-5753 Description: This update for spectre-meltdown-checker fixes the following issues: spectre-meltdown-checker was updated to version 0.44 (bsc#1189477) - feat: add support for SRBDS related vulnerabilities - feat: add zstd kernel decompression (#370) - enh: arm: add experimental support for binary arm images - enh: rsb filling: no longer need the 'strings' tool to check for kernel support in live mode - fix: fwdb: remove Intel extract tempdir on exit - fix: has_vmm: ignore kernel threads when looking for a hypervisor (fixes #278) - fix: fwdb: use the commit date as the intel fwdb version - fix: fwdb: update Intel's repository URL - fix: arm64: CVE-2017-5753: kernels 4.19+ use a different nospec macro - fix: on CPU parse info under FreeBSD - chore: github: add check run on pull requests - chore: fwdb: update to v165.20201021+i20200616 ----------------------------------------- Patch: SUSE-2021-2863 Released: Mon Aug 30 08:18:50 2021 Summary: Recommended update for python-dbus-python Severity: moderate References: 1183818 Description: This update for python-dbus-python fixes the following issues: - Update to latest version from tumbleweed. (jsc#ECO-3589, bsc#1183818) - update to 1.2.16: * All tests are run even if the 'tap.py' module is not available, althoug diagnostics for failing tests will be better if it is present. - Support builds with more than one python3 flavor - Clean duplicate python flavor variables for configure - Version update to version 1.2.14: * Ensure that the numeric types from dbus.types get the same str() under Python 3.8 that they did under previous versions. * Disable -Winline. * Add clearer license information using SPDX-License-Identifier. * Include inherited methods and properties when documenting objects, which regressed when migrating from epydoc to sphinx. * Add missing variant_level member to UnixFd type, for parity with the other dbus.types types * Don't reply to method calls if they have the NO_REPLY_EXPECTED flag * Silence '-Wcast-function-type' with gcc 8. * Fix distcheck with python3.7 by deleting '__pycache__' during uninstall. * Consistently save and restore the exception indicator when called from C code. - Add missing dependency for pkg-config files - Version update to version 1.2.8: * Python 2.7 required or 3.4 respectively * Upstream dropped epydoc completely - Add dbus-1-python3 package - Make BusConnection.list_activatable_names actually call struct entries than the signature allows with libdbus 1.4 imports dbus, is finalized, is re-initialized, and re-imports - When removing signal matches, clean up internal state, avoiding a memory leak in long-lived Python processes that connect to - When setting the sender of a message, allow it to be org.freedesktop.DBus so you can implement a D-Bus daemon - New package: dbus-1-python-devel ----------------------------------------- Patch: SUSE-2021-2874 Released: Mon Aug 30 15:54:34 2021 Summary: Security update for MozillaThunderbird Severity: important References: 1188891,CVE-2021-29980,CVE-2021-29984,CVE-2021-29985,CVE-2021-29986,CVE-2021-29988,CVE-2021-29989 Description: This update for MozillaThunderbird fixes the following issues: Update to version 78.13 (MFSA 2021-35, bsc#1188891) - CVE-2021-29986: Race condition when resolving DNS names could have led to memory corruption - CVE-2021-29988: Memory corruption as a result of incorrect style treatment - CVE-2021-29984: Incorrect instruction reordering during JIT optimization - CVE-2021-29980: Uninitialized memory in a canvas object could have led to memory corruption - CVE-2021-29985: Use-after-free media channels - CVE-2021-29989: Memory safety bugs fixed in Thunderbird 78.13 ----------------------------------------- Patch: SUSE-2021-2885 Released: Tue Aug 31 12:21:17 2021 Summary: Recommended update for publicsuffix Severity: low References: 1189124 Description: This update for publicsuffix fixes the following issues: - Updates the list of known/accepted domains with recent data (bsc#1189124). ----------------------------------------- Patch: SUSE-2021-2886 Released: Tue Aug 31 13:21:20 2021 Summary: Recommended update for bind Severity: moderate References: 1187921 Description: This update for bind fixes the following issues: - tsig-keygen is now used to generate DDNS keys (bsc#1187921) ----------------------------------------- Patch: SUSE-2021-2887 Released: Tue Aug 31 13:31:19 2021 Summary: Recommended update for cloud-init Severity: moderate References: 1183939,1184758 Description: This update for cloud-init contains the following: - Change log file creation mode to 640. (bsc#1183939) - Do not write the generated password to the log file. (bsc#1184758) - Allow purging cache when Python when version change detected. ----------------------------------------- Patch: SUSE-2021-2892 Released: Tue Aug 31 16:38:22 2021 Summary: Security update for dovecot23 Severity: moderate References: 1187418,1187419,1187420,CVE-2020-28200,CVE-2021-29157 Description: This update for dovecot23 fixes the following issues: Update dovecot to version 2.3.15 (jsc#SLE-19970): Security issues fixed: - CVE-2021-29157: Dovecot does not correctly escape kid and azp fields in JWT tokens. This may be used to supply attacker controlled keys to validate tokens, if attacker has local access. (bsc#1187418) Local attacker can login as any user and access their emails - CVE-2021-33515: On-path attacker could have injected plaintext commands before STARTTLS negotiation that would be executed after STARTTLS finished with the client. (bsc#1187419) Attacker can potentially steal user credentials and mails * Disconnection log messages are now more standardized across services. They also always now start with 'Disconnected' prefix. * Dovecot now depends on libsystemd for systemd integration. * Removed support for Lua 5.2. Use version 5.1 or 5.3 instead. * config: Some settings are now marked as 'hidden'. It's discouraged to change these settings. They will no longer be visible in doveconf output, except if they have been changed or if doveconf -s parameter is used. See https://doc.dovecot.org/settings/advanced/ for details. * imap-compress: Compression level is now algorithm specific. See https://doc.dovecot.org/settings/plugin/compress-plugin/ * indexer-worker: Convert 'Indexed' info logs to an event named 'indexer_worker_indexing_finished'. See https://doc.dovecot.org/admin_manual/list_of_events/#indexer-worker-indexing-finished + Add TSLv1.3 support to min_protocols. + Allow configuring ssl_cipher_suites. (for TLSv1.3+) + acl: Add acl_ignore_namespace setting which allows to entirely ignore ACLs for the listed namespaces. + imap: Support official RFC8970 preview/snippet syntax. Old methods of retrieving preview information via IMAP commands ('SNIPPET and PREVIEW with explicit algorithm selection') have been deprecated. + imapc: Support INDEXPVT for imapc storage to enable private message flags for cluster wide shared mailboxes. + lib-storage: Add new events: mail_opened, mail_expunge_requested, mail_expunged, mail_cache_lookup_finished. See https://doc.dovecot.org/admin_manual/list_of_events/#mail + zlib, imap-compression, fs-compress: Support compression levels that the algorithm supports. Before, we would allow hardcoded value between 1 to 9 and would default to 6. Now we allow using per-algorithm value range and default to whatever default the algorithm specifies. - *-login: Commands pipelined together with and just after the authenticate command cause these commands to be executed twice. This applies to all protocols that involve user login, which currently comprises of imap, pop3, submisision and managesieve. - *-login: Processes are supposed to disconnect the oldest non-logged in connection when process_limit was reached. This didn't actually happen with the default 'high-security mode' (with service_count=1) where each connection is handled by a separate process. - *-login: When login process reaches client/process limits, oldest client connections are disconnected. If one of these was still doing anvil lookup, this caused a crash. This could happen only if the login process limits were very low or if the server was overloaded. - Fixed building with link time optimizations (-flto). - auth: Userdb iteration with passwd driver does not always return all users with some nss drivers. - dsync: Shared INBOX not synced when 'mail_shared_explicit_inbox' was disabled. If a user has a shared mailbox which is another user's INBOX, dsync didn't include the mailbox in syncing unless explicit naming is enabled with 'mail_shared_explicit_inbox' set to 'yes'. - dsync: Shared namespaces were not synced with '-n' flag. - dsync: Syncing shared INBOX failed if mail_attribute_dict was not set. If a user has a shared mailbox that is another user's INBOX, dsync failed to export the mailbox if mail attributes are disabled. - fts-solr, fts-tika: Using both Solr FTS and Tika may have caused HTTP requests to assert-crash: Panic: file http-client-request.c: line 1232 (http_client_request_send_more): assertion failed: (req->payload_input != NULL) - fts-tika: 5xx errors returned by Tika server as indexing failures. However, Tika can return 5xx for some attachments every time. So the 5xx error should be retried once, but treated as success if it happens on the retry as well. v2.3 regression. - fts-tika: v2.3.11 regression: Indexing messages with fts-tika may have resulted in Panic: file message-parser.c: line 802 (message_parser_deinit_from_parts): assertion failed: (ctx->nested_parts_count == 0 || i_stream_have_bytes_left(ctx->input)) - imap: SETMETADATA could not be used to unset metadata values. Instead NIL was handled as a 'NIL' string. v2.3.14 regression. - imap: IMAP BINARY FETCH crashes at least on empty base64 body: Panic: file index-mail-binary.c: line 358 (blocks_count_lines): assertion failed: (block_count == 0 || block_idx+1 == block_count) - imap: If IMAP client using the NOTIFY command was disconnected while sending FETCH notifications to the client, imap could crash with Panic: Trying to close mailbox INBOX with open transactions. - imap: Using IMAP COMPRESS extension can cause IMAP connection to hang when IMAP commands are >8 kB long. - imapc: If remote server sent BYE but didn't immediately disconnect, it could cause infinite busy-loop. - lib-index: Corrupted cache record size in dovecot.index.cache file could have caused a crash (segfault) when accessing it. - lib-oauth2: JWT token time validation now works correctly with 32-bit systems. - lib-ssl-iostream: Checking hostnames against an SSL certificate was case-sensitive. - lib-storage: Corrupted mime.parts in dovecot.index.cache may have resulted in Panic: file imap-bodystructure.c: line 206 (part_write_body): assertion failed: (text == ((part->flags & MESSAGE_PART_FLAG_TEXT) != 0)) - lib-storage: Index rebuilding (e.g. via doveadm force-resync) didn't preserve the 'hdr-pop3-uidl' header. Because of this, the next pop3 session could have accessed all of the emails' metadata to read their POP3 UIDL (opening dbox files). - listescape: When using the listescape plugin and a shared namespace the plugin didn't work properly anymore resulting in errors like: 'Invalid mailbox name: Name must not have '/' character.' - lmtp: Connection crashes if connection gets disconnected due to multiple bad commands and the last bad command is BDAT. - lmtp: The Dovecot-specific LMTP parameter XRCPTFORWARD was blindly forwarded by LMTP proxy without checking that the backend has support. This caused a command parameter error from the backend if it was running an older Dovecot release. This could only occur in more complex setups where the message was proxied twice; when the proxy generated the XRCPTFORWARD parameter itself the problem did not occur, so this only happened when it was forwarded. - lmtp: The LMTP proxy crashes with a panic when the remote server replies with an error while the mail is still being forwarded through a DATA/BDAT command. - lmtp: Username may have been missing from lmtp log line prefixes when it was performing autoexpunging. - master: Dovecot would incorrectly fail with haproxy 2.0.14 service checks. - master: Systemd service: Dovecot announces readiness for accepting connections earlier than it should. The following environment variables are now imported automatically and can be omitted from import_environment setting: NOTIFY_SOCKET LISTEN_FDS LISTEN_PID. - master: service { process_min_avail } was launching processes too slowly when master was forking a lot of processes. - util: Make the health-check.sh example script POSIX shell compatible. * Added new aliases for some variables. Usage of the old ones is possible, but discouraged. (These were partially added already to v2.3.13.) See https://doc.dovecot.org/configuration_manual/config_file/config_variables/ for more information. * Optimize imap/pop3/submission/managesieve proxies to use less CPU at the cost of extra memory usage. * Remove autocreate, expire, snarf and mail-filter plugins. * Remove cydir storage driver. * Remove XZ/LZMA write support. Read support will be removed in future release. * doveadm -D: Add timestamps to debug output even when LOG_STDERR_TIMESTAMP environment variable is not set. Timestamp format is taken from log_timestamp setting. * If BROKENCHAR or listescape plugin is used, the escaped folder names may be slightly different from before in some situations. This is unlikely to cause issues, although caching clients may redownload the folders. * imapc: It now enables BROKENCHAR=~ by default to escape remote folder names if necessary. This also means that if there are any '~' characters in the remote folder names, they will be visible as '~7e'. * imapc: When using local index files folder names were escaped on filesystem a bit differently. This affects only if there are folder names that actually require escaping, which isn't so common. The old style folders will be automatically deleted from filesystem. * stats: Update exported metrics to be compliant with OpenMetrics standard. + doveadm: Add an optional '-p' parameter to metadata list command. If enabled, '/private', and '/shared' metadata prefixes will be prepended to the keys in the list output. + doveconf: Support environment variables in config files. See https://doc.dovecot.org/configuration_manual/config_file/config_file_syntax/#environment-variables for more details. + indexer-worker: Change indexer to disconnect from indexer-worker after each request. This allows service indexer-worker's service_count & idle_kill settings to work. These can be used to restart indexer-worker processes once in a while to reduce their memory usage. - auth: 'nodelay' with various authentication mechanisms such as apop and digest-md5 crashed AUTH process if authentication failed. - auth: Auth lua script generating an error triggered an assertion failure: Panic: file db-lua.c: line 630 (auth_lua_call_password_verify): assertion failed: (lua_gettop(script->L) == 0). - configure: Fix libunwind detection to work on other than x86_64 systems. - doveadm-server: Process could crash if logging was done outside command handling. For example http-client could have done debug logging afterwards, resulting in either segfault or Panic: file http-client.c: line 642 (http_client_context_close): assertion failed: (cctx->clients_list == NULL). - dsync: Folder name escaping with BROKENCHAR didn't work completely correctly. This especially caused problems with dsync-migrations using imapc where some of the remote folder names may not have been accessible. - dsync: doveadm sync + imapc doesn't always sync all mails when doing an incremental sync (-1), which could lead to mail loss when it's used for migration. This happens only when GUIDs aren't used (i.e. imapc without imapc_features=guid-forced). - fts-tika: When tika server returns error, some mails cause Panic: file message-parser.c: line 802 (message_parser_deinit_from_parts): assertion failed: (ctx->nested_parts_count == 0 || i_stream_have_bytes_left(ctx->input)) - lib-imap: imapc parsing illegal BODYSTRUCTUREs with NILs could have resulted in crashes. This exposed that Dovecot was wrongly accepting atoms in 'nstring' handling. Changed the IMAP parsing to be more strict about this now. - lib-index: If dovecot.index.cache has corrupted message size, fetching BODY/BODYSTRUCTURE may cause assert-crash: Panic: file index-mail.c: line 1140 (index_mail_parse_body_finish): assertion failed: (mail->data.parts != NULL). - lib-index: Minor error handling and race condition fixes related to rotating dovecot.index.log. These didn't usually cause problems, unless the log files were rotated rapidly. - lib-lua: Lua scripts using coroutines or lua libraries using coroutines (e.g., cqueues) panicked. - Message PREVIEW handled whitespace wrong so first space would get eaten from between words. - FTS and message PREVIEW (snippet) parsed HTML &entities case-sensitively. - lib-mail: When max nested MIME parts were reached, IMAP BODYSTRUCTURE was written in a way that may have caused confusion for IMAP clients and also Dovecot itself when parsing it. The truncated part is now written out using application/octet-stream MIME type. - lib-oauth2: HS512 and HS384 JWT token algorithms crash when you try to use them: Panic: file hmac.c: line 26 (hmac_init): assertion failed: (meth->context_size <= MAC_MAX_CONTEXT_SIZE). - event filters: NOT keyword did not have the correct associativity. - Ignore ECONNRESET when closing socket. This avoids logging useless errors on systems like FreeBSD. - event filters: event filter syntax error may lead to Panic: file event-filter.c: line 137 (event_filter_parse): assertion failed: (state.output == NULL) - lib: timeval_cmp_margin() was broken on 32-bit systems. This could potentially have caused HTTP timeouts to be handled incorrectly. - log: instance_name wasn't used as syslog ident by the log process. - master: After a service reached process_limit and client_limit, it could have taken up to 1 second to realize that more client connections became available. During this time client connections could have been unnecessarily rejected and a warning logged: Warning: service(...): process_limit (...) reached, client connections are being dropped - stats: Crash would occur when generating openmetrics data for metrics using aggregating functions. - stats: Event filters comparing against empty strings crash the stats process. * CVE-2020-24386: Specially crafted command can cause IMAP hibernate to allow logged in user to access other people's emails and filesystem information. * Metric filter and global event filter variable syntax changed to a SQL-like format. See https://doc.dovecot.org/configuration_manual/event_filter/ * auth: Added new aliases for %{variables}. Usage of the old ones is possible, but discouraged. * auth: Removed RPA auth mechanism, SKEY auth mechanism, NTLM auth mechanism and related password schemes. * auth: Removed passdb-sia, passdb-vpopmail and userdb-vpopmail. * auth: Removed postfix postmap socket + auth: Added new fields for auth server events. These fields are now also available for all auth events. See https://doc.dovecot.org/admin_manual/list_of_events/#authentication-server for details. + imap-hibernate: Added imap_client_hibernated, imap_client_unhibernated and imap_client_unhibernate_retried events. See https://doc.dovecot.org/admin_manual/list_of_events/ for details. + lib-index: Added new mail_index_recreated event. See https://doc.dovecot.org/admin_manual/list_of_events/#mail-index-recreated + lib-sql: Support TLS options for cassandra driver. This requires cpp-driver v2.15 (or later) to work reliably. + lib-storage: Missing $HasAttachment / $HasNoAttachment flags are now added to existing mails if mail_attachment_detection_option=add-flags and it can be done inexpensively. + login proxy: Added login_proxy_max_reconnects setting (default 3) to control how many reconnections are attempted. + login proxy: imap/pop3/submission/managesieve proxying now supports reconnection retrying on more than just connect() failure. Any error except a non-temporary authentication failure will result in reconnect attempts. - auth: Lua passdb/userdb leaks stack elements per call, eventually causing the stack to become too deep and crashing the auth or auth-worker process. - auth: SASL authentication PLAIN mechanism could be used to trigger read buffer overflow. However, this doesn't seem to be exploitable in any way. - auth: v2.3.11 regression: GSSAPI authentication fails because dovecot disallows NUL bytes for it. - dict: Process used too much CPU when iterating keys, because each key used a separate write() syscall. - doveadm-server: Crash could occur if logging was done outside command handling. For example http-client could have done debug logging afterwards, resulting in either segfault or Panic: file http-client.c: line 642 (http_client_context_close): assertion failed: (cctx->clients_list == NULL). - doveadm-server: v2.3.11 regression: Trying to connect to doveadm server process via starttls assert-crashed if there were no ssl=yes listeners: Panic: file master-service-ssl.c: line 22 (master_service_ssl_init): assertion failed: (service->ssl_ctx_initialized). - fts-solr: HTTP requests may have assert-crashed: Panic: file http-client-request.c: line 1232 (http_client_request_send_more): assertion failed: (req->payload_input != NULL) - imap: IMAP NOTIFY could crash with a segmentation fault due to a bad configuration that causes errors. Sending the error responses to the client can cause the segmentation fault. This can for example happen when several namespaces use the same mail storage location. - imap: IMAP NOTIFY used on a shared namespace that doesn't actually exist (e.g. public namespace for a nonexistent user) can crash with a panic: Panic: Leaked view for index /tmp/home/asdf/mdbox/dovecot.list.index: Opened in (null):0 - imap: IMAP session can crash with QRESYNC extension if many changes are done before asking for expunged mails since last sync. - imap: Process might hang indefinitely if client disconnects after sending some long-running commands pipelined, for example FETCH+LOGOUT. - lib-compress: Mitigate crashes when configuring a not compiled in compression. Errors with compression configuration now distinguish between not supported and unknown. - lib-compression: Using xz/lzma compression in v2.3.11 could have written truncated output in some situations. This would result in 'Broken pipe' read errors when trying to read it back. - lib-compression: zstd compression could have crashed in some situations: Panic: file ostream.c: line 287 (o_stream_sendv_int): assertion failed: (!stream->blocking) - lib-dict: dict client could have crashed in some rare situations when iterating keys. - lib-http: Fix several assert-crashes in HTTP client. - lib-index: v2.3.11 regression: When mails were expunged at the same time as lots of new content was being saved to the cache (e.g. cache file was lost and is being re-filled) a deadlock could occur with dovecot.index.cache / dovecot.index.log. - lib-index: v2.3.11 regression: dovecot.index.cache file was being purged (rewritten) too often when it had a field that hadn't been accessed for over 1 month, but less than 2 months. Every cache file change caused a purging in this situation. - lib-mail: MIME parts were not returned correctly by Dovecot MIME parser. Regression caused by fixing CVE-2020-12100. - lib-mail: When max nested MIME parts were reached, IMAP BODYSTRUCTURE was written in a way that may have caused confusion for both IMAP clients and Dovecot itself when parsing it. The truncated part is now written out using application/octet-stream MIME type. - lib-mail: v2.3.11 regression: Mail delivery / parsing crashed when the 10000th MIME part was message/rfc822 (or if parent was multipart/digest): Panic: file message-parser.c: line 167 (message_part_append): assertion failed: (ctx->total_parts_count <= ctx->max_total_mime_parts). - lib-oauth2: Dovecot incorrectly required oauth2 server introspection reply to contain username with invalid token. - lib-ssl-iostream, lib-dcrypt: Fix building with OpenSSL that has deprecated APIs disabled. - lib-storage: When mail's size is different from the cached one (in dovecot.index.cache or Maildir S=size in the filename), this is handled by logging 'Cached message size smaller/larger than expected' error. However, in some situations this also ended up crashing with: Panic: file istream.c: line 315 (i_stream_read_memarea): assertion failed: (old_size <= _stream->pos - _stream->skip). - lib-storage: v2.3 regression: Copying/moving mails was taking much more memory than before. This was mainly visible when copying/moving thousands of mails in a single transaction. - lib-storage: v2.3.11 regression: Searching messages assert-crashed (without FTS): Panic: file message-parser.c: line 174 (message_part_finish): assertion failed: (ctx->nested_parts_count > 0). - lib: Dovecot v2.3 moved signal handlers around in ioloops, causing more CPU usage than in v2.2. - lib: Fixed JSON parsing: '\' escape sequence may have wrongly resulted in error if it happened to be at read boundary. Any NUL characters and '\u0000' will now result in parsing error instead of silently truncating the data. - lmtp, submission: Server may hang if SSL client connection disconnects during the delivery. If this happened repeated, it could have ended up reaching process_limit and preventing any further lmtp/submission deliveries. - lmtp: Proxy does not always properly log TLS connection problems as errors; in some cases, only a debug message is logged if enabled. - lmtp: The LMTP service can hang when commands are pipelined. This can particularly occur when one command in the middle of the pipeline fails. One example of this occurs for proxied LMTP transactions in which the final DATA or BDAT command is pipelined after a failing RCPT command. - login-proxy: The login_source_ips setting has no effect, and therefore the proxy source IPs are not cycled through as they should be. - master: Process was using 100% CPU in some situations when a broken service was being throttled. - pop3-login: POP3 login would fail with 'Input buffer full' if the initial response for SASL was too long. - stats: Crash would occur when generating openmetrics data for metrics using aggregating functions. Update pigeonhole to version 0.5.15 * CVE-2020-28200: Sieve interpreter is not protected against abusive scripts that claim excessive resource usage. Fixed by limiting the user CPU time per single script execution and cumulatively over several script runs within a configurable timeout period. Sufficiently large CPU time usage is summed in the Sieve script binary and execution is blocked when the sum exceeds the limit within that time. The block is lifted when the script is updated after the resource usage times out. (bsc#1187420) Attacker can DoS the mail delivery system (jsc#PM-2746) ECO: Dovecot 2.3.15 version upgrade * Disconnection log messages are now more standardized across services. They also always now start with 'Disconnected' prefix. * managesieve: Commands pipelined together with and just after the authenticate command cause these commands to be executed twice. * duplicate: The test was handled badly in a multiscript (sieve_before, sieve_after) scenario in which an earlier script in the sequence with a duplicate test succeeded, while a later script caused a runtime failure. In that case, the message is recorded for duplicate tracking, while the message may not actually have been delivered in the end. * editheader: Sieve interpreter entered infinite loop at startup when the 'editheader' configuration listed an invalid header name. This problem can only be triggered by the administrator. * relational: The Sieve relational extension can cause a segfault at compile time. This is triggered by invalid script syntax. The segfault happens when this match type is the last argument of the test command. This situation is not possible in a valid script; positional arguments are normally present after that, which would prevent the segfault. * sieve: For some Sieve commands the provided mailbox name is not properly checked for UTF-8 validity, which can cause assert crashes at runtime when an invalid mailbox name is encountered. This can be caused by the user by writing a bad Sieve script involving the affected commands ('mailboxexists', 'specialuse_exists'). This can be triggered by the remote sender only when the user has written a Sieve script that passes message content to one of the affected commands. * sieve: Large sequences of 8-bit octets passed to certain Sieve commands that create or modify message headers that allow UTF-8 text (vacation, notify and addheader) can cause the delivery or IMAP process (when IMAPSieve is used) to enter a memory-consuming semi-infinite loop that ends when the process exceeds its memory limits. Logged in users can cause these hangs only for their own processes. ----------------------------------------- Patch: SUSE-2021-2895 Released: Tue Aug 31 19:40:32 2021 Summary: Recommended update for unixODBC Severity: moderate References: Description: This update for unixODBC fixes the following issues: - ECO: Update unixODBC to 2.3.9 in SLE 15. (jsc#SLE-18004) - Fix incorrect permission for documentation files. - Update requires and baselibs for new libodbc2. - Employ shared library packaging guideline: new subpacakge libodbc2. - Update to 2.3.9: * Remove '#define UNIXODBC_SOURCE' from unixodbc_conf.h - Update to 2.3.8: * Add configure support for editline * SQLDriversW was ignoring user config * SQLDataSources Fix termination character * Fix for pooling seg fault * Make calling SQLSetStmtAttrW call the W function in the driver is its there * Try and fix race condition clearing system odbc.ini file * Remove trailing space from isql/iusql SQL * When setting connection attributes set before connect also check if the W entry poins can be used * Try calling the W error functions first if available in the driver * Add iconvperdriver configure option to allow calling unicode_setup in SQLAllocHandle * iconv handles was being lost when reusing pooled connection * Catch null copy in iniPropertyInsert * Fix a few leaks - Update to 2.3.7: * Fix for pkg-config file update on no linux platforms * Add W entry for GUI work * Various fixes for SQLBrowseConnect/W, SQLGetConnectAttr/W,and SQLSetConnectAttr/W * Fix buffer overflows in SQLConnect/W and refine behaviour of SQLGet/WritePrivateProfileString * SQLBrowseConnect/W allow disconnecting a started browse session after error * Add --with-stats-ftok-name configure option to allow the selection of a file name used to generate the IPC id when collecting stats. Default is the system odbc.ini file * Improve diag record handling with the behavior of Windows DM and export SQLCancelHandle * bug fix when SQLGetPrivateProfileString() is called to get a list of sections or a list of keys * Connection pooling: Fix liveness check for Unicode drivers ----------------------------------------- Patch: SUSE-2021-2897 Released: Tue Aug 31 23:04:07 2021 Summary: Recommended update for postfix Severity: moderate References: 1189684 Description: This update for postfix fixes the following issues: - Include 'submissions' service in master configuration (bsc#1189684) ----------------------------------------- Patch: SUSE-2021-2899 Released: Wed Sep 1 08:30:58 2021 Summary: Recommended update for systemd-rpm-macros Severity: moderate References: 1186282,1187332 Description: This update for systemd-rpm-macros fixes the following issues: - Fixed an issue whe zypper ignores the ordering constraints. (bsc#1187332) - Introduce '%sysusers_create_package': '%sysusers_create' and '%sysusers_create_inline' are now deprecated and the new macro should be used instead. - %sysusers_create_inline: use here-docs instead of echo (bsc#1186282) ----------------------------------------- Patch: SUSE-2021-2901 Released: Wed Sep 1 10:34:50 2021 Summary: Recommended update for insserv-compat Severity: moderate References: 1187941 Description: This update for insserv-compat fixes the following issues: - Require sysvinit-tools. (bsc#1187941) ----------------------------------------- Patch: SUSE-2021-2905 Released: Wed Sep 1 14:18:41 2021 Summary: Recommended update for corosync Severity: important References: 1189680 Description: This update for corosync fixes the following issue: - Add 'cancel_hold_on_retransmit' config option on corosync totem (bsc#1189680) - This option allows Corosync to hold the token by representative when there are too many retransmit messages. This allows the network to process increased load without overloading it. The used mechanism is same as described for the hold directive. Some deployments may prefer to never hold token when there is retransmit messages. If so, the option should be set to yes. The default value is no. ----------------------------------------- Patch: SUSE-2021-2919 Released: Thu Sep 2 10:04:41 2021 Summary: Security update for ffmpeg Severity: important References: 1129714,1186849,1186859,1186861,1186863,1189142,1189348,1189350,CVE-2019-9721,CVE-2020-21688,CVE-2020-21697,CVE-2020-22046,CVE-2020-22048,CVE-2020-22049,CVE-2020-22054,CVE-2021-38114 Description: This update for ffmpeg fixes the following issues: - CVE-2019-9721: Fix denial of service in the subtitle decoder in handle_open_brace from libavcodec/htmlsubtitles.c (bsc#1129714). - CVE-2020-22046: Fix a denial of service vulnerability exists in FFmpeg 4.2 due to a memory leak in the avpriv_float_dsp_allocl function in libavutil/float_dsp.c (bsc#1186849). - CVE-2020-22048: Fix a denial of service vulnerability exists in FFmpeg 4.2 due to a memory leak in the ff_frame_pool_get function in framepool.c (bsc#1186859). - CVE-2020-22049: Fix a denial of service vulnerability exists in FFmpeg 4.2 due to a memory leak in the wtvfile_open_sector function in wtvdec.c (bsc#1186861). - CVE-2020-22054: Fix a denial of service vulnerability exists in FFmpeg 4.2 due to a memory leak in the av_dict_set function in dict.c (bsc#1186863). - CVE-2020-21688: Fixed a heap-use-after-free in the av_freep function in libavutil/mem.c (bsc#1189348). - CVE-2020-21697: Fixed a heap-use-after-free in the mpeg_mux_write_packet function in libavformat/mpegenc.c (bsc#1189350). - CVE-2021-38114: Fixed a not checked return value of the init_vlc function (bsc#1189142). ----------------------------------------- Patch: SUSE-2021-2934 Released: Thu Sep 2 18:29:50 2021 Summary: Recommended update for SAPHanaSR-ScaleOut Severity: important References: 1144312,1144442,1173581,1182115,1182545 Description: This update for SAPHanaSR-ScaleOut fixes the following issues: - change version to 0.180.1 - Extent the SAP HANA ressource agents from single replication automation to multi replication automation (jsc#SLE-17452, jsc#SLE-20081) - The resource start and stop timeout is now configurable by increasing the timeout for the action 'start' and/or 'stop' in the cluster. (bsc#1182545) - Improve handling of return codes in 'saphana_stopSystem' and 'saphana_stop' function. (bsc#1182115) - Integrate man pages back to the base package SAPHanaSR-ScaleOut. - Fixed an issue when HANA failover returns and empty site name. (bsc#1173581) - Add SAPHanaSR-call-monitor - Fixed an issue when HANA is configured to have only one master name server, but no additional master name server candidates, there may be the situation, where the master name server died and so the landscape has no active name server anymore. - Manual page updates: SAPHanaSR-ScaleOut.7 (bsc#1144442) SAPHanaSR-showAttr.8 (bsc#1144312) and others ----------------------------------------- Patch: SUSE-2021-2935 Released: Thu Sep 2 18:30:33 2021 Summary: Recommended update for yast2-saptune Severity: moderate References: 1188321 Description: This update for yast2-saptune fixes the following issues: - Exchange the tuned daemon handling with the new saptune service. (bsc#1188321) - Add information, if the service is enabled or disabled. ----------------------------------------- Patch: SUSE-2021-2937 Released: Fri Sep 3 09:18:45 2021 Summary: Security update for libesmtp Severity: important References: 1160462,1189097,CVE-2019-19977 Description: This update for libesmtp fixes the following issues: - CVE-2019-19977: Fixed stack-based buffer over-read in ntlm/ntlmstruct.c (bsc#1160462). ----------------------------------------- Patch: SUSE-2021-2947 Released: Fri Sep 3 09:49:40 2021 Summary: Recommended update for lifecycle-data-sle-module-live-patching Severity: moderate References: 1020320 Description: This update for lifecycle-data-sle-module-live-patching fixes the following issues: - Added data for 4_12_14-197_92, 5_3_18-24_53_4, 5_3_18-24_67, 5_3_18-57, 5_3_18-59_10, 5_3_18-59_5. (bsc#1020320) ----------------------------------------- Patch: SUSE-2021-2951 Released: Fri Sep 3 14:18:50 2021 Summary: Recommended update for scap-security-guide Severity: moderate References: Description: This update for scap-security-guide fixes the following issues: Updated to 0.1.57 release (jsc#ECO-3319) - Small bugfixes for SUSE Linux Enterprise STIG profiles. - CIS profile for RHEL 7 is updated. - Initial CIS profiles for Ubuntu 20.04. - Major improvement of RHEL 9 content. ----------------------------------------- Patch: SUSE-2021-2952 Released: Fri Sep 3 14:38:44 2021 Summary: Security update for java-11-openjdk Severity: important References: 1185476,1188564,1188565,1188566,CVE-2021-2341,CVE-2021-2369,CVE-2021-2388 Description: This update for java-11-openjdk fixes the following issues: - Update to jdk-11.0.12+7 - CVE-2021-2369: Fixed JAR file handling problem containing multiple MANIFEST.MF files. (bsc#1188565) - CVE-2021-2388: Fixed a flaw inside the Hotspot component performed range check elimination. (bsc#1188566) - CVE-2021-2341: Fixed a flaw inside the FtpClient. (bsc#1188564) ----------------------------------------- Patch: SUSE-2021-2960 Released: Mon Sep 6 13:35:58 2021 Summary: Recommended update for habootstrap-formula Severity: moderate References: 1181731 Description: This update for habootstrap-formula fixes the following issue: - Fix SUSE Manager integration. (bsc#1181731) ----------------------------------------- Patch: SUSE-2021-2962 Released: Mon Sep 6 18:23:01 2021 Summary: Recommended update for runc Severity: critical References: 1189743 Description: This update for runc fixes the following issues: - Fixed an issue when toolbox container fails to start. (bsc#1189743) ----------------------------------------- Patch: SUSE-2021-2971 Released: Tue Sep 7 10:45:21 2021 Summary: Security update for ntfs-3g_ntfsprogs Severity: important References: 1189720,CVE-2019-9755,CVE-2021-33285,CVE-2021-33286,CVE-2021-33287,CVE-2021-33289,CVE-2021-35266,CVE-2021-35267,CVE-2021-35268,CVE-2021-35269,CVE-2021-39251,CVE-2021-39252,CVE-2021-39253,CVE-2021-39255,CVE-2021-39256,CVE-2021-39257,CVE-2021-39258,CVE-2021-39259,CVE-2021-39260,CVE-2021-39261,CVE-2021-39262,CVE-2021-39263 Description: This update for ntfs-3g_ntfsprogs fixes the following issues: Update to version 2021.8.22 (bsc#1189720): * Fixed compile error when building with libfuse < 2.8.0 * Fixed obsolete macros in configure.ac * Signalled support of UTIME_OMIT to external libfuse2 * Fixed an improper macro usage in ntfscp.c * Updated the repository change in the README * Fixed vulnerability threats caused by maliciously tampered NTFS partitions * Security fixes: CVE-2021-33285, CVE-2021-33286, CVE-2021-33287, CVE-2021-33289, CVE-2021-35266, CVE-2021-35267, CVE-2021-35268, CVE-2021-35269, CVE-2021-39251, CVE-2021-39252, CVE-2021-39253, CVE_2021-39254, CVE-2021-39255, CVE-2021-39256, CVE-2021-39257, CVE-2021-39258, CVE-2021-39259, CVE-2021-39260, CVE-2021-39261, CVE-2021-39262, CVE-2021-39263. - Library soversion is now 89 * Changes in version 2017.3.23 * Delegated processing of special reparse points to external plugins * Allowed kernel cacheing by lowntfs-3g when not using Posix ACLs * Enabled fallback to read-only mount when the volume is hibernated * Made a full check for whether an extended attribute is allowed * Moved secaudit and usermap to ntfsprogs (now ntfssecaudit and ntfsusermap) * Enabled encoding broken UTF-16 into broken UTF-8 * Autoconfigured selecting vs * Allowed using the full library API on systems without extended attributes support * Fixed DISABLE_PLUGINS as the condition for not using plugins * Corrected validation of multi sector transfer protected records * Denied creating/removing files from $Extend * Returned the size of locale encoded target as the size of symlinks ----------------------------------------- Patch: SUSE-2021-2973 Released: Tue Sep 7 16:56:08 2021 Summary: Recommended update for hwdata Severity: moderate References: 1190091 Description: This update for hwdata fixes the following issue: - Update pci, usb and vendor ids (bsc#1190091) ----------------------------------------- Patch: SUSE-2021-2974 Released: Tue Sep 7 17:17:23 2021 Summary: Recommended update for librdkafka Severity: important References: 1189792 Description: This update for librdkafka fixes the following issue: - Fixed thread creation on SUSE Linux Enterprise Server 15 SP3. (bsc#1189792) ----------------------------------------- Patch: SUSE-2021-2977 Released: Wed Sep 8 11:54:32 2021 Summary: Recommended update for usbutils Severity: moderate References: Description: This update for usbutils fixes the following issue: - Update to version 0.14 (jira#SLE-19451) ----------------------------------------- Patch: SUSE-2021-2987 Released: Thu Sep 9 00:00:13 2021 Summary: Recommended update for pesign Severity: low References: 1184124 Description: This update for pesign fixes the following issues: - Link as Position Independent Executable (bsc#1184124). ----------------------------------------- Patch: SUSE-2021-2993 Released: Thu Sep 9 14:31:33 2021 Summary: Recommended update for gcc Severity: moderate References: 1185348 Description: This update for gcc fixes the following issues: - With gcc-PIE add -pie even when -fPIC is specified but we are not linking a shared library. [bsc#1185348] - Fix postun of gcc-go alternative. ----------------------------------------- Patch: SUSE-2021-2994 Released: Thu Sep 9 14:33:21 2021 Summary: Security update for openssl-1_0_0 Severity: low References: 1189521,CVE-2021-3712 Description: This update for openssl-1_0_0 fixes the following issues: - CVE-2021-3712: This is an update for the incomplete fix for CVE-2021-3712. Read buffer overruns processing ASN.1 strings (bsc#1189521). ----------------------------------------- Patch: SUSE-2021-2997 Released: Thu Sep 9 14:37:34 2021 Summary: Recommended update for python3 Severity: moderate References: 1187338,1189659 Description: This update for python3 fixes the following issues: - Fixed an issue when the missing 'stropts.h' causing build errors for different python modules. (bsc#1187338) ----------------------------------------- Patch: SUSE-2021-3000 Released: Thu Sep 9 15:08:04 2021 Summary: Recommended update for vncmanager-controller Severity: moderate References: 1188118 Description: This update for vncmanager-controller fixes the following issues: - Fix extension loading error that disables 'Vnc session configuration' option (bsc#1188118) ----------------------------------------- Patch: SUSE-2021-3001 Released: Thu Sep 9 15:08:13 2021 Summary: Recommended update for netcfg Severity: moderate References: 1189683 Description: This update for netcfg fixes the following issues: - add submissions port/protocol to services file for message submission over TLS protocol [bsc#1189683] ----------------------------------------- Patch: SUSE-2021-3004 Released: Thu Sep 9 15:20:43 2021 Summary: Security update for libtpms Severity: important References: 1189935,CVE-2021-3746 Description: This update for libtpms fixes the following issues: - CVE-2021-3746: Fixed out-of-bounds access via specially crafted TPM 2 command packets (bsc#1189935). ----------------------------------------- Patch: SUSE-2021-3017 Released: Mon Sep 13 09:13:11 2021 Summary: Security update for wireshark Severity: moderate References: 1188375,CVE-2021-22235 Description: This update for wireshark fixes the following issues: - Update to Wireshark 3.4.7 - CVE-2021-22235: Fixed DNP dissector crash (bsc#1188375). ----------------------------------------- Patch: SUSE-2021-3018 Released: Mon Sep 13 09:13:56 2021 Summary: Security update for php7-pear Severity: important References: 1189591,CVE-2020-36193 Description: This update for php7-pear fixes the following issues: - CVE-2020-36193: Fixed Archive_Tar directory traversal due to inadequate checking of symbolic links (bsc#1189591). ----------------------------------------- Patch: SUSE-2021-3020 Released: Mon Sep 13 09:17:14 2021 Summary: Security update for apache2-mod_auth_openidc Severity: moderate References: 1188638,1188639,1188848,1188849,CVE-2021-32785,CVE-2021-32786,CVE-2021-32791,CVE-2021-32792 Description: This update for apache2-mod_auth_openidc fixes the following issues: - CVE-2021-32785: format string bug via hiredis (bsc#1188638) - CVE-2021-32786: open redirect in logout functionality (bsc#1188639) - CVE-2021-32791: Hardcoded static IV and AAD with a reused key in AES GCM encryption (bsc#1188849) - CVE-2021-32792: XSS when using OIDCPreservePost On (bsc#1188848) ----------------------------------------- Patch: SUSE-2021-3022 Released: Mon Sep 13 10:48:16 2021 Summary: Recommended update for c-ares Severity: important References: 1190225 Description: This update for c-ares fixes the following issue: - Allow '_' as part of DNS response. (bsc#1190225) - 'c-ares' 1.17.2 introduced response validation to prevent a security issue, however it was not listing '_' as a valid character for domain name responses which caused issues when a 'CNAME' referenced a 'SRV' record which contained underscores. ----------------------------------------- Patch: SUSE-2021-3027 Released: Mon Sep 13 14:53:51 2021 Summary: Feature providing NVIDIA GPU utilities Severity: moderate References: Description: This feature provides NVIDIA GPU utilities (jsc#SLE-18750, jsc#SLE-19341): Provide: - 'bmake' version 20181221 - 'libnvidia-container' version 1.4.0 - 'nvidia-container-runtime' version 3.5.0 - 'nvidia-container-toolkit' version 1.5.1 ----------------------------------------- Patch: SUSE-2021-3028 Released: Mon Sep 13 14:55:33 2021 Summary: Recommended update for wxWidgets-3_0 Severity: moderate References: 1162418,1180492 Description: This update for wxWidgets-3_0 fixes the following issues: Update from version 3.0.3 to 3.0.5.1 (bsc#1180492, jsc#ECO-3376) - Workaround for the problem with overflowing the maximum command line length in MinGW builds not using configure. - Fix for a problem with 'wxSpinCtrl' in 'wxGTK' - Update the 'SOVERSION' - Relax the ABI changes avoiding to check for the exact match of '__GXX_ABI_VERSION'. - Build 'wxWidgets-3_0-nostl' variant with LTO disabled. (bsc#1162418) - Don't crash on trailing '%' in 'wxDateTime::Format()'. - Fix various problems when parsing invalid ZIP files. - Fix generic 'wxTimePickerCtrl' to accept max values from keyboard. - Multiple surrogate-related fixes in UTF-16 support. - Fix reading wide character data in 'wxFile::ReadAll()'. - Make parsing 'WAV' data more robust. - Fix copy 'ctor' in numeric validators classes. - Fix a memory error when 'wxDataViewCtrl' is deleted. - Avoid some GTK+ run-time errors when using 'wx{File,Dir}PickerCtrl'. - Prevent breaking binaries, if C++11 is enabled. ----------------------------------------- Patch: SUSE-2021-3029 Released: Tue Sep 14 07:32:31 2021 Summary: Recommended update for sapconf Severity: moderate References: 1189496 Description: This update for sapconf fixes the following issues: - Adapt the activity detection of saptune to the upcoming saptune version 3. (bsc#1189496) ----------------------------------------- Patch: SUSE-2021-3036 Released: Tue Sep 14 15:21:53 2021 Summary: Recommended update for ocl-icd Severity: moderate References: 1172303 Description: This update for ocl-icd fixes the following issue: - provide a libOpenCL1-32bit for use by Wine. ----------------------------------------- Patch: SUSE-2021-3040 Released: Tue Sep 14 17:35:59 2021 Summary: Recommended update for lifecycle-data-sle-module-live-patching Severity: moderate References: 1020320 Description: This update for lifecycle-data-sle-module-live-patching fixes the following issue: Lifecycle data updates. (bsc#1020320) - Updates for 4_12_14-150_75, 4_12_14-197_99, 5_3_18-24_70, 5_3_18-24_75, 5_3_18-24_78, 5_3_18-59_13, 5_3_18-59_16, 5_3_18-59_19. ----------------------------------------- Patch: SUSE-2021-3044 Released: Wed Sep 15 10:17:23 2021 Summary: Security update for ghostscript Severity: critical References: 1184123,1190381,CVE-2021-3781 Description: This update for ghostscript fixes the following issues: Security issue fixed: - CVE-2021-3781: Fixed a trivial -dSAFER bypass command injection (bsc#1190381) Also a hardening fix was added: - Link as position independent executable (bsc#1184123) ----------------------------------------- Patch: SUSE-2021-3045 Released: Wed Sep 15 10:32:15 2021 Summary: Recommended update for golang-github-vpenso-prometheus_slurm_exporter Severity: important References: 1188619 Description: This update for golang-github-vpenso-prometheus_slurm_exporter fixes the following issues: - Update to version 0.19 - GPUs accounting has to be activated explicitly via cmd line option. - Export detailed usage info for every node (CPU, Memory). - With the present version of Slurm (20.11), GPU accounting in the prometheus-slurm-exporter will cause the exporter to terminate, thus it must not be enabled for the time being. (bsc#1188619) - Do not ship sources. ----------------------------------------- Patch: SUSE-2021-3052 Released: Thu Sep 16 10:05:24 2021 Summary: Recommended update for lshw Severity: moderate References: Description: This update for lshw fixes the following issues: - Update to version B.02.19.2+git.20210619 (jsc#SLE-19399) ----------------------------------------- Patch: SUSE-2021-3115 Released: Thu Sep 16 14:04:26 2021 Summary: Recommended update for mozilla-nspr, mozilla-nss Severity: moderate References: 1029961,1174697,1176206,1176934,1179382,1188891,CVE-2020-12400,CVE-2020-12401,CVE-2020-12403,CVE-2020-25648,CVE-2020-6829 Description: This update for mozilla-nspr fixes the following issues: mozilla-nspr was updated to version 4.32: * implement new socket option PR_SockOpt_DontFrag * support larger DNS records by increasing the default buffer size for DNS queries * Lock access to PRCallOnceType members in PR_CallOnce* for thread safety bmo#1686138 * PR_GetSystemInfo supports a new flag PR_SI_RELEASE_BUILD to get information about the operating system build version. Mozilla NSS was updated to version 3.68: * bmo#1713562 - Fix test leak. * bmo#1717452 - NSS 3.68 should depend on NSPR 4.32. * bmo#1693206 - Implement PKCS8 export of ECDSA keys. * bmo#1712883 - DTLS 1.3 draft-43. * bmo#1655493 - Support SHA2 HW acceleration using Intel SHA Extension. * bmo#1713562 - Validate ECH public names. * bmo#1717610 - Add function to get seconds from epoch from pkix::Time. update to NSS 3.67 * bmo#1683710 - Add a means to disable ALPN. * bmo#1715720 - Fix nssckbi version number in NSS 3.67 (was supposed to be incremented in 3.66). * bmo#1714719 - Set NSS_USE_64 on riscv64 target when using GYP/Ninja. * bmo#1566124 - Fix counter increase in ppc-gcm-wrap.c. * bmo#1566124 - Fix AES_GCM mode on ppc64le for messages of length more than 255-byte. update to NSS 3.66 * bmo#1710716 - Remove Expired Sonera Class2 CA from NSS. * bmo#1710716 - Remove Expired Root Certificates from NSS - QuoVadis Root Certification Authority. * bmo#1708307 - Remove Trustis FPS Root CA from NSS. * bmo#1707097 - Add Certum Trusted Root CA to NSS. * bmo#1707097 - Add Certum EC-384 CA to NSS. * bmo#1703942 - Add ANF Secure Server Root CA to NSS. * bmo#1697071 - Add GLOBALTRUST 2020 root cert to NSS. * bmo#1712184 - NSS tools manpages need to be updated to reflect that sqlite is the default database. * bmo#1712230 - Don't build ppc-gcm.s with clang integrated assembler. * bmo#1712211 - Strict prototype error when trying to compile nss code that includes blapi.h. * bmo#1710773 - NSS needs FIPS 180-3 FIPS indicators. * bmo#1709291 - Add VerifyCodeSigningCertificateChain. update to NSS 3.65 * bmo#1709654 - Update for NetBSD configuration. * bmo#1709750 - Disable HPKE test when fuzzing. * bmo#1566124 - Optimize AES-GCM for ppc64le. * bmo#1699021 - Add AES-256-GCM to HPKE. * bmo#1698419 - ECH -10 updates. * bmo#1692930 - Update HPKE to final version. * bmo#1707130 - NSS should use modern algorithms in PKCS#12 files by default. * bmo#1703936 - New coverity/cpp scanner errors. * bmo#1697303 - NSS needs to update it's csp clearing to FIPS 180-3 standards. * bmo#1702663 - Need to support RSA PSS with Hashing PKCS #11 Mechanisms. * bmo#1705119 - Deadlock when using GCM and non-thread safe tokens. update to NSS 3.64 * bmo#1705286 - Properly detect mips64. * bmo#1687164 - Introduce NSS_DISABLE_CRYPTO_VSX and disable_crypto_vsx. * bmo#1698320 - replace __builtin_cpu_supports('vsx') with ppc_crypto_support() for clang. * bmo#1613235 - Add POWER ChaCha20 stream cipher vector acceleration. Fixed in 3.63 * bmo#1697380 - Make a clang-format run on top of helpful contributions. * bmo#1683520 - ECCKiila P384, change syntax of nested structs initialization to prevent build isses with GCC 4.8. * bmo#1683520 - [lib/freebl/ecl] P-384: allow zero scalars in dual scalar multiplication. * bmo#1683520 - ECCKiila P521, change syntax of nested structs initialization to prevent build isses with GCC 4.8. * bmo#1683520 - [lib/freebl/ecl] P-521: allow zero scalars in dual scalar multiplication. * bmo#1696800 - HACL* update March 2021 - c95ab70fcb2bc21025d8845281bc4bc8987ca683. * bmo#1694214 - tstclnt can't enable middlebox compat mode. * bmo#1694392 - NSS does not work with PKCS #11 modules not supporting profiles. * bmo#1685880 - Minor fix to prevent unused variable on early return. * bmo#1685880 - Fix for the gcc compiler version 7 to support setenv with nss build. * bmo#1693217 - Increase nssckbi.h version number for March 2021 batch of root CA changes, CA list version 2.48. * bmo#1692094 - Set email distrust after to 21-03-01 for Camerfirma's 'Chambers of Commerce' and 'Global Chambersign' roots. * bmo#1618407 - Symantec root certs - Set CKA_NSS_EMAIL_DISTRUST_AFTER. * bmo#1693173 - Add GlobalSign R45, E45, R46, and E46 root certs to NSS. * bmo#1683738 - Add AC RAIZ FNMT-RCM SERVIDORES SEGUROS root cert to NSS. * bmo#1686854 - Remove GeoTrust PCA-G2 and VeriSign Universal root certs from NSS. * bmo#1687822 - Turn off Websites trust bit for the “Staat der Nederlanden Root CA - G3” root cert in NSS. * bmo#1692094 - Turn off Websites Trust Bit for 'Chambers of Commerce Root - 2008' and 'Global Chambersign Root - 2008’. * bmo#1694291 - Tracing fixes for ECH. update to NSS 3.62 * bmo#1688374 - Fix parallel build NSS-3.61 with make * bmo#1682044 - pkix_Build_GatherCerts() + pkix_CacheCert_Add() can corrupt 'cachedCertTable' * bmo#1690583 - Fix CH padding extension size calculation * bmo#1690421 - Adjust 3.62 ABI report formatting for new libabigail * bmo#1690421 - Install packaged libabigail in docker-builds image * bmo#1689228 - Minor ECH -09 fixes for interop testing, fuzzing * bmo#1674819 - Fixup a51fae403328, enum type may be signed * bmo#1681585 - Add ECH support to selfserv * bmo#1681585 - Update ECH to Draft-09 * bmo#1678398 - Add Export/Import functions for HPKE context * bmo#1678398 - Update HPKE to draft-07 update to NSS 3.61 * bmo#1682071 - Fix issue with IKE Quick mode deriving incorrect key values under certain conditions. * bmo#1684300 - Fix default PBE iteration count when NSS is compiled with NSS_DISABLE_DBM. * bmo#1651411 - Improve constant-timeness in RSA operations. * bmo#1677207 - Upgrade Google Test version to latest release. * bmo#1654332 - Add aarch64-make target to nss-try. Update to NSS 3.60.1: Notable changes in NSS 3.60: * TLS 1.3 Encrypted Client Hello (draft-ietf-tls-esni-08) support has been added, replacing the previous ESNI (draft-ietf-tls-esni-01) implementation. See bmo#1654332 for more information. * December 2020 batch of Root CA changes, builtins library updated to version 2.46. See bmo#1678189, bmo#1678166, and bmo#1670769 for more information. Update to NSS 3.59.1: * bmo#1679290 - Fix potential deadlock with certain third-party PKCS11 modules Update to NSS 3.59: Notable changes: * Exported two existing functions from libnss: CERT_AddCertToListHeadWithData and CERT_AddCertToListTailWithData Bugfixes * bmo#1607449 - Lock cert->nssCertificate to prevent a potential data race * bmo#1672823 - Add Wycheproof test cases for HMAC, HKDF, and DSA * bmo#1663661 - Guard against NULL token in nssSlot_IsTokenPresent * bmo#1670835 - Support enabling and disabling signatures via Crypto Policy * bmo#1672291 - Resolve libpkix OCSP failures on SHA1 self-signed root certs when SHA1 signatures are disabled. * bmo#1644209 - Fix broken SelectedCipherSuiteReplacer filter to solve some test intermittents * bmo#1672703 - Tolerate the first CCS in TLS 1.3 to fix a regression in our CVE-2020-25648 fix that broke purple-discord (boo#1179382) * bmo#1666891 - Support key wrap/unwrap with RSA-OAEP * bmo#1667989 - Fix gyp linking on Solaris * bmo#1668123 - Export CERT_AddCertToListHeadWithData and CERT_AddCertToListTailWithData from libnss * bmo#1634584 - Set CKA_NSS_SERVER_DISTRUST_AFTER for Trustis FPS Root CA * bmo#1663091 - Remove unnecessary assertions in the streaming ASN.1 decoder that affected decoding certain PKCS8 private keys when using NSS debug builds * bmo#670839 - Use ARM crypto extension for AES, SHA1 and SHA2 on MacOS. update to NSS 3.58 Bugs fixed: * bmo#1641480 (CVE-2020-25648) Tighten CCS handling for middlebox compatibility mode. * bmo#1631890 - Add support for Hybrid Public Key Encryption (draft-irtf-cfrg-hpke) support for TLS Encrypted Client Hello (draft-ietf-tls-esni). * bmo#1657255 - Add CI tests that disable SHA1/SHA2 ARM crypto extensions. * bmo#1668328 - Handle spaces in the Python path name when using gyp on Windows. * bmo#1667153 - Add PK11_ImportDataKey for data object import. * bmo#1665715 - Pass the embedded SCT list extension (if present) to TrustDomain::CheckRevocation instead of the notBefore value. update to NSS 3.57 * The following CA certificates were Added: bmo#1663049 - CN=Trustwave Global Certification Authority SHA-256 Fingerprint: 97552015F5DDFC3C8788C006944555408894450084F100867086BC1A2BB58DC8 bmo#1663049 - CN=Trustwave Global ECC P256 Certification Authority SHA-256 Fingerprint: 945BBC825EA554F489D1FD51A73DDF2EA624AC7019A05205225C22A78CCFA8B4 bmo#1663049 - CN=Trustwave Global ECC P384 Certification Authority SHA-256 Fingerprint: 55903859C8C0C3EBB8759ECE4E2557225FF5758BBD38EBD48276601E1BD58097 * The following CA certificates were Removed: bmo#1651211 - CN=EE Certification Centre Root CA SHA-256 Fingerprint: 3E84BA4342908516E77573C0992F0979CA084E4685681FF195CCBA8A229B8A76 bmo#1656077 - O=Government Root Certification Authority; C=TW SHA-256 Fingerprint: 7600295EEFE85B9E1FD624DB76062AAAAE59818A54D2774CD4C0B2C01131E1B3 * Trust settings for the following CA certificates were Modified: bmo#1653092 - CN=OISTE WISeKey Global Root GA CA Websites (server authentication) trust bit removed. * https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.57_release_notes update to NSS 3.56 Notable changes * bmo#1650702 - Support SHA-1 HW acceleration on ARMv8 * bmo#1656981 - Use MPI comba and mulq optimizations on x86-64 MacOS. * bmo#1654142 - Add CPU feature detection for Intel SHA extension. * bmo#1648822 - Add stricter validation of DH keys in FIPS mode. * bmo#1656986 - Properly detect arm64 during GYP build architecture detection. * bmo#1652729 - Add build flag to disable RC2 and relocate to lib/freebl/deprecated. * bmo#1656429 - Correct RTT estimate used in 0-RTT anti-replay. * bmo#1588941 - Send empty certificate message when scheme selection fails. * bmo#1652032 - Fix failure to build in Windows arm64 makefile cross-compilation. * bmo#1625791 - Fix deadlock issue in nssSlot_IsTokenPresent. * bmo#1653975 - Fix 3.53 regression by setting 'all' as the default makefile target. * bmo#1659792 - Fix broken libpkix tests with unexpired PayPal cert. * bmo#1659814 - Fix interop.sh failures with newer tls-interop commit and dependencies. * bmo#1656519 - NSPR dependency updated to 4.28 update to NSS 3.55 Notable changes * P384 and P521 elliptic curve implementations are replaced with verifiable implementations from Fiat-Crypto [0] and ECCKiila [1]. * PK11_FindCertInSlot is added. With this function, a given slot can be queried with a DER-Encoded certificate, providing performance and usability improvements over other mechanisms. (bmo#1649633) * DTLS 1.3 implementation is updated to draft-38. (bmo#1647752) Relevant Bugfixes * bmo#1631583 (CVE-2020-6829, CVE-2020-12400) - Replace P384 and P521 with new, verifiable implementations from Fiat-Crypto and ECCKiila. * bmo#1649487 - Move overzealous assertion in VFY_EndWithSignature. * bmo#1631573 (CVE-2020-12401) - Remove unnecessary scalar padding. * bmo#1636771 (CVE-2020-12403) - Explicitly disable multi-part ChaCha20 (which was not functioning correctly) and more strictly enforce tag length. * bmo#1649648 - Don't memcpy zero bytes (sanitizer fix). * bmo#1649316 - Don't memcpy zero bytes (sanitizer fix). * bmo#1649322 - Don't memcpy zero bytes (sanitizer fix). * bmo#1653202 - Fix initialization bug in blapitest when compiled with NSS_DISABLE_DEPRECATED_SEED. * bmo#1646594 - Fix AVX2 detection in makefile builds. * bmo#1649633 - Add PK11_FindCertInSlot to search a given slot for a DER-encoded certificate. * bmo#1651520 - Fix slotLock race in NSC_GetTokenInfo. * bmo#1647752 - Update DTLS 1.3 implementation to draft-38. * bmo#1649190 - Run cipher, sdr, and ocsp tests under standard test cycle in CI. * bmo#1649226 - Add Wycheproof ECDSA tests. * bmo#1637222 - Consistently enforce IV requirements for DES and 3DES. * bmo#1067214 - Enforce minimum PKCS#1 v1.5 padding length in RSA_CheckSignRecover. * bmo#1646324 - Advertise PKCS#1 schemes for certificates in the signature_algorithms extension. update to NSS 3.54 Notable changes * Support for TLS 1.3 external pre-shared keys (bmo#1603042). * Use ARM Cryptography Extension for SHA256, when available (bmo#1528113) * The following CA certificates were Added: bmo#1645186 - certSIGN Root CA G2. bmo#1645174 - e-Szigno Root CA 2017. bmo#1641716 - Microsoft ECC Root Certificate Authority 2017. bmo#1641716 - Microsoft RSA Root Certificate Authority 2017. * The following CA certificates were Removed: bmo#1645199 - AddTrust Class 1 CA Root. bmo#1645199 - AddTrust External CA Root. bmo#1641718 - LuxTrust Global Root 2. bmo#1639987 - Staat der Nederlanden Root CA - G2. bmo#1618402 - Symantec Class 2 Public Primary Certification Authority - G4. bmo#1618402 - Symantec Class 1 Public Primary Certification Authority - G4. bmo#1618402 - VeriSign Class 3 Public Primary Certification Authority - G3. * A number of certificates had their Email trust bit disabled. See bmo#1618402 for a complete list. Bugs fixed * bmo#1528113 - Use ARM Cryptography Extension for SHA256. * bmo#1603042 - Add TLS 1.3 external PSK support. * bmo#1642802 - Add uint128 support for HACL* curve25519 on Windows. * bmo#1645186 - Add 'certSIGN Root CA G2' root certificate. * bmo#1645174 - Add Microsec's 'e-Szigno Root CA 2017' root certificate. * bmo#1641716 - Add Microsoft's non-EV root certificates. * bmo1621151 - Disable email trust bit for 'O=Government Root Certification Authority; C=TW' root. * bmo#1645199 - Remove AddTrust root certificates. * bmo#1641718 - Remove 'LuxTrust Global Root 2' root certificate. * bmo#1639987 - Remove 'Staat der Nederlanden Root CA - G2' root certificate. * bmo#1618402 - Remove Symantec root certificates and disable email trust bit. * bmo#1640516 - NSS 3.54 should depend on NSPR 4.26. * bmo#1642146 - Fix undefined reference to `PORT_ZAlloc_stub' in seed.c. * bmo#1642153 - Fix infinite recursion building NSS. * bmo#1642638 - Fix fuzzing assertion crash. * bmo#1642871 - Enable SSL_SendSessionTicket after resumption. * bmo#1643123 - Support SSL_ExportEarlyKeyingMaterial with External PSKs. * bmo#1643557 - Fix numerous compile warnings in NSS. * bmo#1644774 - SSL gtests to use ClearServerCache when resetting self-encrypt keys. * bmo#1645479 - Don't use SECITEM_MakeItem in secutil.c. * bmo#1646520 - Stricter enforcement of ASN.1 INTEGER encoding. ----------------------------------------- Patch: SUSE-2021-3128 Released: Fri Sep 17 16:23:21 2021 Summary: Recommended update for rpmlint Severity: moderate References: 1169494,1189106 Description: This update for rpmlint fixes the following issues: - Backport whitelisting of oddjob (bsc#1189106, bsc#1169494). ----------------------------------------- Patch: SUSE-2021-3131 Released: Fri Sep 17 16:36:55 2021 Summary: Recommended update for xorg-x11-fonts Severity: moderate References: 1174895 Description: This update for xorg-x11-fonts fixes the following issues: - Convert the 'helv*.otb' and 'cour*.otb' files in a different way, generating all available font sizes. (bsc#1174895) - As part of the above fix, don't remove the 'Regular' suffix from the full name of fonts in 'convertfont.py' This update for fonttosfnt fixes the following issues: - Fix more metric calculations (bsc#1174895): ----------------------------------------- Patch: SUSE-2021-3132 Released: Fri Sep 17 16:37:37 2021 Summary: Recommended update for google-guest-oslogin Severity: moderate References: 1188992,1189041 Description: This update for google-guest-oslogin contains the following fixes: - Update to version 20210728.00 (bsc#1188992, bsc#1189041) * JSON object cleanup (#65) - Update to version 20210707.00 * throw exceptions in cache_refresh (#64) - from version 20210702.00 * Use IP address for calling the metadata server. (#63) - Update to version 20210618.00 * flush each group member write (#62) ----------------------------------------- Patch: SUSE-2021-3138 Released: Fri Sep 17 17:01:08 2021 Summary: Recommended update for mdadm Severity: moderate References: 1180661,1182642 Description: This update for mdadm fixes the following issues: - Remove Spare drives line from details for external metadata. (bsc#1180661, bsc#1182642) - Arrays with external metadata do not have spare disks directly assigned to volumes; spare disks belong to containers and are moved to arrays when the array is degraded/reshaping. Thus, the display of zero spare disks in volume details is incorrect and can be confusing. - Don't associate spares with other arrays during RAID Examine. (bsc#1180661, bsc#1182642) - Spares in imsm belong to containers, not volumes, and must go into a separate container when assembling the RAID. Remove association spares with other arrays and make Examine print separate containers for spares. Auto assemble without config file already works like this. So make creating a config file and assembling from it consistent with auto assemble. With this change, 'mdadm -Es' will add this line to output if spares are found: 'ARRAY metadata=imsm UUID=00000000:00000000:00000000:00000000' ----------------------------------------- Patch: SUSE-2021-3139 Released: Fri Sep 17 21:48:32 2021 Summary: Recommended update for openhpi Severity: moderate References: 1185173,1190042 Description: This update for openhpi fixes the following issues: - Use /run not /var/run for PID file creation (bsc#1185173) - Remove group rights on config file (bsc#1190042) ----------------------------------------- Patch: SUSE-2021-3171 Released: Mon Sep 20 17:26:34 2021 Summary: Recommended update for java-11-openjdk Severity: important References: 1189201,1190252 Description: This update for java-11-openjdk fixes the following issues: - Implement FIPS support in OpenJDK - Fix build with 'glibc-2.34' (bsc#1189201) - Add support for 'riscv64' (zero VM) - Make NSS the default security provider. (bsc#1190252) ----------------------------------------- Patch: SUSE-2021-3182 Released: Tue Sep 21 17:04:26 2021 Summary: Recommended update for file Severity: moderate References: 1189996 Description: This update for file fixes the following issues: - Fixes exception thrown by memory allocation problem (bsc#1189996) ----------------------------------------- Patch: SUSE-2021-3187 Released: Wed Sep 22 15:09:23 2021 Summary: Security update for samba Severity: important References: 1182830,1183572,1183574,1184677,1189875,CVE-2020-27840,CVE-2021-20254,CVE-2021-20277 Description: This update for samba fixes the following issues: - CVE-2021-20277: Fixed an out of bounds read in ldb_handler_fold (bsc#1183574). - CVE-2021-20254: Fixed a buffer overrun in sids_to_unixids() (bsc#1184677). - CVE-2020-27840: Fixed an unauthenticated remote heap corruption via bad DNs (bsc#1183572). - Spec file fixes around systemd and requires (bsc#1182830) - Fix dependency problem upgrading from libndr0 to libndr1 (bsc#1189875) - Fix dependency problem upgrading from libsmbldap0 to libsmbldap2 (bsc#1189875) ----------------------------------------- Patch: SUSE-2021-3188 Released: Wed Sep 22 15:45:22 2021 Summary: Recommended update for sapnwbootstrap-formula Severity: moderate References: 1181541,1185093,1185627,1186236 Description: This update for sapnwbootstrap-formula fixes the following issues: Update to version 0.6.4+git.1621842068.a86c37c: - Set the default empty dictionary for 'virtual_addresses'. (bsc#1185627) - This also ensures that a dictionary is obtained if the value is None (needed by SUSE Manager) - Fix issue when 'azure-lb' resource for 'ASCS/ERS' is not added in the corresponding Resource Group (bsc#1186236) - Set the virtual ip addresses as permanent, except for HA scenarios, to have them even after a reboot of the machine. (bsc#1185093) - Give the option to mount '/sapmnt' folder locally without using a 'NFS' share. - Make '/sapmnt' path configurable using 'sapmnt_path' pillar variable - Update PAS and AAS templates to use HANA sid and instance number to create the configuration file - Fix error about missing instance installation requisite when monitoring is enabled. (bsc#1181541) ----------------------------------------- Patch: SUSE-2021-3193 Released: Thu Sep 23 11:24:50 2021 Summary: Security update for ffmpeg Severity: important References: 1189724,CVE-2021-38171 Description: This update for ffmpeg fixes the following issues: - CVE-2021-38171: Fixed adts_decode_extradata in libavformat/adtsenc.c to check the init_get_bits return value (bsc#1189724). ----------------------------------------- Patch: SUSE-2021-3203 Released: Thu Sep 23 14:41:35 2021 Summary: Recommended update for kmod Severity: moderate References: 1189537,1190190 Description: This update for kmod fixes the following issues: - Use docbook 4 rather than docbook 5 for building man pages (bsc#1190190). - Enable support for ZSTD compressed modules - Display module information even for modules built into the running kernel (bsc#1189537) - '/usr/lib' should override '/lib' where both are available. Support '/usr/lib' for depmod.d as well. - Remove test patches included in release 29 - Update to release 29 * Fix `modinfo -F` not working for built-in modules and certain fields. * Fix a memory leak, overflow and double free on error path. ----------------------------------------- Patch: SUSE-2021-3221 Released: Fri Sep 24 10:20:35 2021 Summary: Recommended update for apache2-mod_wsgi Severity: moderate References: 1189467 Description: This update for apache2-mod_wsgi fixes the following issue: - Enable installation of Python 'sitelib' wrapper. (bsc#1189467) - This update will solve a 'DistributionNotFound' error providing the Python metadata and wrapper for 'mod_wsgi'. ----------------------------------------- Patch: SUSE-2021-3224 Released: Fri Sep 24 11:34:33 2021 Summary: Recommended update for shim-susesigned Severity: moderate References: 1177315,1177789,1182057,1184454,1185232,1185261,1185441,1185464,1185621,1185961,1187260,1187696 Description: This update for shim-susesigned fixes the following issues: Sync with Microsoft signed shim to Thu Jul 15 08:13:26 UTC 2021. This update addresses the 'susesigned' shim component. shim was updated to 15.4 (bsc#1182057) - console: Move the countdown function to console.c - fallback: show a countdown menu before reset - MOK: Fix the missing vendor cert in MokListRT - mok: fix the mirroring of RT variables - Add the license change statement for errlog.c and mok.c - Remove a couple of incorrect license claims. - MokManager: Use CompareMem on MokListNode.Type instead of CompareGuid - Make EFI variable copying fatal only on secureboot enabled systems - Remove call to TPM2 get_event_log - tpm: Fix off-by-one error when calculating event size - tpm: Define EFI_VARIABLE_DATA_TREE as packed - tpm: Don't log duplicate identical events - VLogError(): Avoid NULL pointer dereferences in (V)Sprint calls - OpenSSL: always provide OBJ_create() with name strings. - translate_slashes(): don't write to string literals - Fix a use of strlen() instead of Strlen() - shim: Update EFI_LOADED_IMAGE with the second stage loader file path - tpm: Include information about PE/COFF images in the TPM Event Log - Fix a broken tpm type - All newly released openSUSE kernels enable kernel lockdown and signature verification, so there is no need to add the prompt anymore. - Fix the NULL pointer dereference in AuthenticodeVerify() - Remove the build ID to make the binary reproducible when building with AArch64 container - Prevent the build id being added to the binary. That can cause issues with the signature - Allocate MOK config table as BootServicesData to avoid the error message from linux kernel - Handle ignore_db and user_insecure_mode correctly (bsc#1185441) - Relax the maximum variable size check for u-boot - Relax the check for import_mok_state() when Secure Boot is off - Relax the check for the LoadOptions length - Fix the size of rela* sections for AArch64 - Disable exporting vendor-dbx to MokListXRT - Don't call QueryVariableInfo() on EFI 1.10 machines - Avoid buffer overflow when copying the MOK config table - Avoid deleting the mirrored RT variables - Update to 15.3 for SBAT support (bsc#1182057) - Generate vender-specific SBAT metadata - Rename the SBAT variable and fix the self-check of SBAT - Split the keys in vendor-dbx.bin to vendor-dbx-sles and vendor-dbx-opensuse for shim-sles and shim-opensuse to reduce the size of MokListXRT (bsc#1185261) - shim-install: reset def_shim_efi to 'shim.efi' if the given file doesn't exist - shim-install: instead of assuming 'removable' for Azure, remove fallback.efi from \EFI\Boot and copy grub.efi/cfg to \EFI\Boot to make \EFI\Boot bootable and keep the boot option created by efibootmgr (bsc#1185464, bsc#1185961) - shim-install: always assume 'removable' for Azure to avoid the endless reset loop (bsc#1185464) - shim-install: Support changing default shim efi binary in /usr/etc/default/shim and /etc/default/shim (bsc#1177315) - Update dbx-cert.tar.xz and vendor-dbx.bin to block the following sign keys: + SLES-UEFI-SIGN-Certificate-2020-07.crt + openSUSE-UEFI-SIGN-Certificate-2020-07.crt ----------------------------------------- Patch: SUSE-2021-3227 Released: Mon Sep 27 09:50:51 2021 Summary: Recommended update for createrepo_c, libmodulemd, and zchunk Severity: moderate References: Description: This update for createrepo_c fixes the following issues: createrepo_c: - Does no longer perform a dir walk when --recycle-pkglist is specified - Added automatic module metadata handling for repos - Fixed a couple of memory leaks - Added --arch-expand option - Added --recycle-pkglist option - Set global_exit_status on sigint so that .repodata are cleaned up - Enhance error handling when locating repositories libmodulemd: - Just a rebuild of the package, no source changes zchunk: - Initial shipment of zchunk to SUSE Linux Enterprise ----------------------------------------- Patch: SUSE-2021-3236 Released: Mon Sep 27 16:37:22 2021 Summary: Security update for gd Severity: moderate References: 1190400,CVE-2021-40812 Description: This update for gd fixes the following issues: - CVE-2021-40812: Fixed out-of-bounds read caused by the lack of certain gdGetBuf and gdPutBuf return value checks (bsc#1190400). ----------------------------------------- Patch: SUSE-2021-3242 Released: Tue Sep 28 10:50:36 2021 Summary: Recommended update for apache2-mod_auth_mellon, lasso Severity: moderate References: Description: This update for lasso fixes the following issues: - Implement package 'apache2-mod_auth_mellon' along with its dependency 'lasso' in SLE-15-SP2. (jsc#SLE-8958, jsc#ECO-1309) ----------------------------------------- Patch: SUSE-2021-3244 Released: Tue Sep 28 13:17:04 2021 Summary: Security update for shibboleth-sp Severity: low References: 1184222 Description: This update for shibboleth-sp fixes the following issues: - Template generation allows external parameters to override placeholders (bsc#1184222) ----------------------------------------- Patch: SUSE-2021-3245 Released: Tue Sep 28 13:54:31 2021 Summary: Recommended update for docker Severity: important References: 1190670 Description: This update for docker fixes the following issues: - Return ENOSYS for clone3 in the seccomp profile to avoid breaking containers using glibc 2.34. - Add shell requires for the *-completion subpackages. ----------------------------------------- Patch: SUSE-2021-3255 Released: Wed Sep 29 16:29:48 2021 Summary: Security update for postgresql13 Severity: moderate References: 1179945,1185952,1187751,1189748,CVE-2021-3677 Description: This update for postgresql13 fixes the following issues: - CVE-2021-3677: Fixed memory disclosure in certain queries (bsc#1189748). - Fixed build with llvm12 on s390x (bsc#1185952). - Re-enabled icu for PostgreSQL 10 (bsc#1179945). - Made the dependency of postgresqlXX-server-devel on llvm and clang optional (bsc#1187751). - llvm12 breaks PostgreSQL 11 and 12 on s390x. Use llvm11 as a workaround (bsc#1185952). ----------------------------------------- Patch: SUSE-2021-3274 Released: Fri Oct 1 10:34:17 2021 Summary: Recommended update for ca-certificates-mozilla Severity: important References: 1190858 Description: This update for ca-certificates-mozilla fixes the following issues: - remove one of the Letsencrypt CAs DST_Root_CA_X3.pem, as it expires September 30th 2021 and openssl certificate chain handling does not handle this correctly in openssl 1.0.2 and older. (bsc#1190858) ----------------------------------------- Patch: SUSE-2021-3291 Released: Wed Oct 6 16:45:36 2021 Summary: Security update for glibc Severity: moderate References: 1186489,1187911,CVE-2021-33574,CVE-2021-35942 Description: This update for glibc fixes the following issues: - CVE-2021-33574: Fixed use __pthread_attr_copy in mq_notify (bsc#1186489). - CVE-2021-35942: Fixed wordexp handle overflow in positional parameter number (bsc#1187911). ----------------------------------------- Patch: SUSE-2021-3293 Released: Wed Oct 6 16:47:31 2021 Summary: Security update for ffmpeg Severity: moderate References: 1186761,CVE-2020-22042 Description: This update for ffmpeg fixes the following issues: - CVE-2020-22042: Fixed a denial of service vulnerability led by a memory leak in the link_filter_inouts function in libavfilter/graphparser.c. (bsc#1186761) ----------------------------------------- Patch: SUSE-2021-3307 Released: Wed Oct 6 18:12:07 2021 Summary: Recommended update for virt-what Severity: moderate References: 1161850,1176132 Description: This update for virt-what fixes the following issues: - Nutanix Acropolis Hypervisor detection - podman detection - Add 'which' to requires ----------------------------------------- Patch: SUSE-2021-3315 Released: Wed Oct 6 19:29:43 2021 Summary: Recommended update for go1.17 Severity: moderate References: 1190589,1190649,CVE-2021-39293 Description: This update for go1.17 fixes the following issues: This is the initial go 1.17 shipment. go1.17.1 (released 2021-09-09) includes a security fix to the archive/zip package, as well as bug fixes to the compiler, linker, the go command, and to the crypto/rand, embed, go/types, html/template, and net/http packages. (bsc#1190649) CVE-2021-39293: Fixed an overflow in preallocation check that can cause OOM panic in archive/zip (bsc#1190589) go1.17 (released 2021-08-16) is a major release of Go. go1.17.x minor releases will be provided through August 2022. See https://github.com/golang/go/wiki/Go-Release-Cycle Most changes are in the implementation of the toolchain, runtime, and libraries. As always, the release maintains the Go 1 promise of compatibility. We expect almost all Go programs to continue to compile and run as before. (bsc#1190649) * See release notes https://golang.org/doc/go1.17. Excerpts relevant to OBS environment and for SUSE/openSUSE follow: * The compiler now implements a new way of passing function arguments and results using registers instead of the stack. Benchmarks for a representative set of Go packages and programs show performance improvements of about 5%, and a typical reduction in binary size of about 2%. This is currently enabled for Linux, macOS, and Windows on the 64-bit x86 architecture (the linux/amd64, darwin/amd64, and windows/amd64 ports). This change does not affect the functionality of any safe Go code and is designed to have no impact on most assembly code. * When the linker uses external linking mode, which is the default when linking a program that uses cgo, and the linker is invoked with a -I option, the option will now be passed to the external linker as a -Wl,--dynamic-linker option. * The runtime/cgo package now provides a new facility that allows to turn any Go values to a safe representation that can be used to pass values between C and Go safely. See runtime/cgo.Handle for more information. * ARM64 Go programs now maintain stack frame pointers on the 64-bit ARM architecture on all operating systems. Previously, stack frame pointers were only enabled on Linux, macOS, and iOS. * Pruned module graphs in go 1.17 modules: If a module specifies go 1.17 or higher, the module graph includes only the immediate dependencies of other go 1.17 modules, not their full transitive dependencies. To convert the go.mod file for an existing module to Go 1.17 without changing the selected versions of its dependencies, run: go mod tidy -go=1.17 By default, go mod tidy verifies that the selected versions of dependencies relevant to the main module are the same versions that would be used by the prior Go release (Go 1.16 for a module that specifies go 1.17), and preserves the go.sum entries needed by that release even for dependencies that are not normally needed by other commands. The -compat flag allows that version to be overridden to support older (or only newer) versions, up to the version specified by the go directive in the go.mod file. To tidy a go 1.17 module for Go 1.17 only, without saving checksums for (or checking for consistency with) Go 1.16: go mod tidy -compat=1.17 Note that even if the main module is tidied with -compat=1.17, users who require the module from a go 1.16 or earlier module will still be able to use it, provided that the packages use only compatible language and library features. The go mod graph subcommand also supports the -go flag, which causes it to report the graph as seen by the indicated Go version, showing dependencies that may otherwise be pruned out. * Module deprecation comments: Module authors may deprecate a module by adding a // Deprecated: comment to go.mod, then tagging a new version. go get now prints a warning if a module needed to build packages named on the command line is deprecated. go list -m -u prints deprecations for all dependencies (use -f or -json to show the full message). The go command considers different major versions to be distinct modules, so this mechanism may be used, for example, to provide users with migration instructions for a new major version. * go get -insecure flag is deprecated and has been removed. To permit the use of insecure schemes when fetching dependencies, please use the GOINSECURE environment variable. The -insecure flag also bypassed module sum validation, use GOPRIVATE or GONOSUMDB if you need that functionality. See go help environment for details. * go get prints a deprecation warning when installing commands outside the main module (without the -d flag). go install cmd@version should be used instead to install a command at a specific version, using a suffix like @latest or @v1.2.3. In Go 1.18, the -d flag will always be enabled, and go get will only be used to change dependencies in go.mod. * go.mod files missing go directives: If the main module's go.mod file does not contain a go directive and the go command cannot update the go.mod file, the go command now assumes go 1.11 instead of the current release. (go mod init has added go directives automatically since Go 1.12.) If a module dependency lacks an explicit go.mod file, or its go.mod file does not contain a go directive, the go command now assumes go 1.16 for that dependency instead of the current release. (Dependencies developed in GOPATH mode may lack a go.mod file, and the vendor/modules.txt has to date never recorded the go versions indicated by dependencies' go.mod files.) * vendor contents: If the main module specifies go 1.17 or higher, go mod vendor now annotates vendor/modules.txt with the go version indicated by each vendored module in its own go.mod file. The annotated version is used when building the module's packages from vendored source code. If the main module specifies go 1.17 or higher, go mod vendor now omits go.mod and go.sum files for vendored dependencies, which can otherwise interfere with the ability of the go command to identify the correct module root when invoked within the vendor tree. * Password prompts: The go command by default now suppresses SSH password prompts and Git Credential Manager prompts when fetching Git repositories using SSH, as it already did previously for other Git password prompts. Users authenticating to private Git repos with password-protected SSH may configure an ssh-agent to enable the go command to use password-protected SSH keys. * go mod download: When go mod download is invoked without arguments, it will no longer save sums for downloaded module content to go.sum. It may still make changes to go.mod and go.sum needed to load the build list. This is the same as the behavior in Go 1.15. To save sums for all modules, use: go mod download all * The go command now understands //go:build lines and prefers them over // +build lines. The new syntax uses boolean expressions, just like Go, and should be less error-prone. As of this release, the new syntax is fully supported, and all Go files should be updated to have both forms with the same meaning. To aid in migration, gofmt now automatically synchronizes the two forms. For more details on the syntax and migration plan, see https://golang.org/design/draft-gobuild. * go run now accepts arguments with version suffixes (for example, go run example.com/cmd@v1.0.0). This causes go run to build and run packages in module-aware mode, ignoring the go.mod file in the current directory or any parent directory, if there is one. This is useful for running executables without installing them or without changing dependencies of the current module. * The format of stack traces from the runtime (printed when an uncaught panic occurs, or when runtime.Stack is called) is improved. * TLS strict ALPN: When Config.NextProtos is set, servers now enforce that there is an overlap between the configured protocols and the ALPN protocols advertised by the client, if any. If there is no mutually supported protocol, the connection is closed with the no_application_protocol alert, as required by RFC 7301. This helps mitigate the ALPACA cross-protocol attack. As an exception, when the value 'h2' is included in the server's Config.NextProtos, HTTP/1.1 clients will be allowed to connect as if they didn't support ALPN. See issue go#46310 for more information. * crypto/ed25519: The crypto/ed25519 package has been rewritten, and all operations are now approximately twice as fast on amd64 and arm64. The observable behavior has not otherwise changed. * crypto/elliptic: CurveParams methods now automatically invoke faster and safer dedicated implementations for known curves (P-224, P-256, and P-521) when available. Note that this is a best-effort approach and applications should avoid using the generic, not constant-time CurveParams methods and instead use dedicated Curve implementations such as P256. The P521 curve implementation has been rewritten using code generated by the fiat-crypto project, which is based on a formally-verified model of the arithmetic operations. It is now constant-time and three times faster on amd64 and arm64. The observable behavior has not otherwise changed. * crypto/tls: The new Conn.HandshakeContext method allows the user to control cancellation of an in-progress TLS handshake. The provided context is accessible from various callbacks through the new ClientHelloInfo.Context and CertificateRequestInfo.Context methods. Canceling the context after the handshake has finished has no effect. Cipher suite ordering is now handled entirely by the crypto/tls package. Currently, cipher suites are sorted based on their security, performance, and hardware support taking into account both the local and peer's hardware. The order of the Config.CipherSuites field is now ignored, as well as the Config.PreferServerCipherSuites field. Note that Config.CipherSuites still allows applications to choose what TLS 1.0–1.2 cipher suites to enable. The 3DES cipher suites have been moved to InsecureCipherSuites due to fundamental block size-related weakness. They are still enabled by default but only as a last resort, thanks to the cipher suite ordering change above. Beginning in the next release, Go 1.18, the Config.MinVersion for crypto/tls clients will default to TLS 1.2, disabling TLS 1.0 and TLS 1.1 by default. Applications will be able to override the change by explicitly setting Config.MinVersion. This will not affect crypto/tls servers. * crypto/x509: CreateCertificate now returns an error if the provided private key doesn't match the parent's public key, if any. The resulting certificate would have failed to verify. * crypto/x509: The temporary GODEBUG=x509ignoreCN=0 flag has been removed. * crypto/x509: ParseCertificate has been rewritten, and now consumes ~70% fewer resources. The observable behavior has not otherwise changed, except for error messages. * crypto/x509: Beginning in the next release, Go 1.18, crypto/x509 will reject certificates signed with the SHA-1 hash function. This doesn't apply to self-signed root certificates. Practical attacks against SHA-1 have been demonstrated in 2017 and publicly trusted Certificate Authorities have not issued SHA-1 certificates since 2015. * go/build: The new Context.ToolTags field holds the build tags appropriate to the current Go toolchain configuration. * net/http package now uses the new (*tls.Conn).HandshakeContext with the Request context when performing TLS handshakes in the client or server. * syscall: On Unix-like systems, the process group of a child process is now set with signals blocked. This avoids sending a SIGTTOU to the child when the parent is in a background process group. * time: The new Time.IsDST method can be used to check whether the time is in Daylight Savings Time in its configured location. * time: The new Time.UnixMilli and Time.UnixMicro methods return the number of milliseconds and microseconds elapsed since January 1, 1970 UTC respectively. * time: The new UnixMilli and UnixMicro functions return the local Time corresponding to the given Unix time. - Add bash scripts used by go tool commands to provide a more complete cross-compiling go toolchain install. ----------------------------------------- Patch: SUSE-2021-3325 Released: Sat Oct 9 19:45:01 2021 Summary: Security update for rabbitmq-server Severity: moderate References: 1185075,1186203,1187818,1187819,CVE-2021-22116,CVE-2021-32718,CVE-2021-32719 Description: This update for rabbitmq-server fixes the following issues: - CVE-2021-32718: Fixed improper neutralization of script-related HTML tags in a web page (basic XSS) in management UI (bsc#1187818). - CVE-2021-32719: Fixed improper neutralization of script-related HTML tags in a web page (basic XSS) in federation management plugin (bsc#1187819). - CVE-2021-22116: Fixed improper input validation may lead to DoS (bsc#1186203). - Use /run instead of /var/run in tmpfiles.d configuration (bsc#1185075). ----------------------------------------- Patch: SUSE-2021-3349 Released: Tue Oct 12 13:21:48 2021 Summary: Recommended update for libgphoto2 Severity: moderate References: 1172301 Description: This update for libgphoto2 fixes the following issues: libgphoto2 was updated to the 2.5.27 release (jsc#SLE-21615) - Lots of new camera models added. - Camera support enhanced for Sony Alpha, Fuji XT, Nikon Z, Canon EOS R, Panasonic Lumix, Leica SL, ... - Better support for files over 4GB - Lumix Wifi, Docupen support added. - Lots of bugfixes ----------------------------------------- Patch: SUSE-2021-3382 Released: Tue Oct 12 14:30:17 2021 Summary: Recommended update for ca-certificates-mozilla Severity: moderate References: Description: This update for ca-certificates-mozilla fixes the following issues: - A new sub-package for minimal base containers (jsc#SLE-22162) ----------------------------------------- Patch: SUSE-2021-3390 Released: Tue Oct 12 18:53:38 2021 Summary: Recommended update for fcoe-utils Severity: moderate References: 1010047,1182804 Description: This update for fcoe-utils fixes the following issues: Update to version 1.0.34 (bsc#1182804) - Fix 21 string-op truncation, format truncation, and format overflow errors - Use of uninitialized values detected during LTO - fix VLAN device name overflow check - Fix an issue caused by 'safe_makepath' change in 'libopenfcoe.c' - Char can be unsigned on ARM, so set signed explicitly as the check expects it can be negative - Handle NIC names longer than 7 characters. (bsc#1010047) - Change debug->log message if daemon running - Remove references to 'open-fcoe.org' - Fix two gcc-11 compiler warnings. - Exit 'fcoemon' command if 'fcoemon' daemon is already running. - Update systemd service files ----------------------------------------- Patch: SUSE-2021-3406 Released: Wed Oct 13 10:40:44 2021 Summary: Recommended update for ServiceReport Severity: moderate References: Description: This update for ServiceReport fixes the following issues: - ServiceReport v2.2.3 release.(jsc#18193) - Added hardening to systemd service(s). - Run-on supported architectures only. - [fadump] Update crashkernel recommendation. - [Daemon] check active status along with enabled. - Take crashkernel recommendation from kdump-lib.sh scripts. ----------------------------------------- Patch: SUSE-2021-3409 Released: Wed Oct 13 10:41:02 2021 Summary: Recommended update for libGLw Severity: low References: 1191122 Description: This update for libGLw fixes the following issue: - fix libGLw.so symlink of devel package. (bsc#1191122) ----------------------------------------- Patch: SUSE-2021-3410 Released: Wed Oct 13 10:41:36 2021 Summary: Recommended update for xkeyboard-config Severity: moderate References: 1191242 Description: This update for xkeyboard-config fixes the following issue: - Wrong keyboard mapping causing input delays with ABNT2 keyboards. (bsc#1191242) ----------------------------------------- Patch: SUSE-2021-3445 Released: Fri Oct 15 09:03:39 2021 Summary: Security update for rpm Severity: important References: 1183659,1185299,1187670,1188548 Description: This update for rpm fixes the following issues: Security issues fixed: - PGP hardening changes (bsc#1185299) Maintaince issues fixed: - Fixed zstd detection (bsc#1187670) - Added ndb rofs support (bsc#1188548) - Fixed deadlock when multiple rpm processes try tp acquire the database lock (bsc#1183659) ----------------------------------------- Patch: SUSE-2021-3448 Released: Fri Oct 15 09:12:28 2021 Summary: Recommended update for scap-security-guide Severity: moderate References: 1191431,1191432 Description: This update for scap-security-guide fixes the following issues: The scap-security-guide was updated to 0.1.58 release (jsc#ECO-3319) - Support for Script Checking Engine (SCE) - Split RHEL 8 CIS profile using new controls file format - CIS Profiles for SUSE Linux Enterprise 12 - Initial Ubuntu 20.04 STIG Profiles - Addition of an automated CCE adder ----------------------------------------- Patch: SUSE-2021-3451 Released: Sat Oct 16 10:49:25 2021 Summary: Security update for MozillaFirefox Severity: important References: 1188891,1189547,1190269,1190274,1190710,1191332,CVE-2021-29980,CVE-2021-29981,CVE-2021-29982,CVE-2021-29983,CVE-2021-29984,CVE-2021-29985,CVE-2021-29986,CVE-2021-29987,CVE-2021-29988,CVE-2021-29989,CVE-2021-29990,CVE-2021-29991,CVE-2021-32810,CVE-2021-38492,CVE-2021-38495,CVE-2021-38496,CVE-2021-38497,CVE-2021-38498,CVE-2021-38500,CVE-2021-38501 Description: This update for MozillaFirefox fixes the following issues: This update contains the Firefox Extended Support Release 91.2.0 ESR. Release 91.2.0 ESR: * Fixed: Various stability, functionality, and security fixes MFSA 2021-45 (bsc#1191332): * CVE-2021-38496: Use-after-free in MessageTask * CVE-2021-38497: Validation message could have been overlaid on another origin * CVE-2021-38498: Use-after-free of nsLanguageAtomService object * CVE-2021-32810: Fixed Data race in crossbeam-deque * CVE-2021-38500: Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15, and Firefox ESR 91.2 * CVE-2021-38501: Memory safety bugs fixed in Firefox 93 and Firefox ESR 91.2 - Fixed crash in FIPS mode (bsc#1190710) Release 91.1.0 ESR: * Fixed: Various stability, functionality, and security fixes MFSA 2021-40 (bsc#1190269, bsc#1190274): * CVE-2021-38492: Navigating to `mk:` URL scheme could load Internet Explorer * CVE-2021-38495: Memory safety bugs fixed in Firefox 92 and Firefox ESR 91.1 Release 91.0.1esr ESR: * Fixed: Fixed an issue causing buttons on the tab bar to be resized when loading certain websites (bug 1704404) * Fixed: Fixed an issue which caused tabs from private windows to be visible in non-private windows when viewing switch-to- tab results in the address bar panel (bug 1720369) * Fixed: Various stability fixes * Fixed: Security fix MFSA 2021-37 (bsc#1189547) * CVE-2021-29991 (bmo#1724896) Header Splitting possible with HTTP/3 Responses Firefox Extended Support Release 91.0 ESR * New: Some of the highlights of the new Extended Support Release are: - A number of user interface changes. For more information, see the Firefox 89 release notes. - Firefox now supports logging into Microsoft, work, and school accounts using Windows single sign-on. Learn more - On Windows, updates can now be applied in the background while Firefox is not running. - Firefox for Windows now offers a new page about:third-party to help identify compatibility issues caused by third-party applications - Version 2 of Firefox's SmartBlock feature further improves private browsing. Third party Facebook scripts are blocked to prevent you from being tracked, but are now automatically loaded 'just in time' if you decide to 'Log in with Facebook' on any website. - Enhanced the privacy of the Firefox Browser's Private Browsing mode with Total Cookie Protection, which confines cookies to the site where they were created, preventing companis from using cookies to track your browsing across sites. This feature was originally launched in Firefox's ETP Strict mode. - PDF forms now support JavaScript embedded in PDF files. Some PDF forms use JavaScript for validation and other interactive features. - You'll encounter less website breakage in Private Browsing and Strict Enhanced Tracking Protection with SmartBlock, which provides stand-in scripts so that websites load properly. - Improved Print functionality with a cleaner design and better integration with your computer's printer settings. - Firefox now protects you from supercookies, a type of tracker that can stay hidden in your browser and track you online, even after you clear cookies. By isolating supercookies, Firefox prevents them from tracking your web browsing from one site to the next. - Firefox now remembers your preferred location for saved bookmarks, displays the bookmarks toolbar by default on new tabs, and gives you easy access to all of your bookmarks via a toolbar folder. - Native support for macOS devices built with Apple Silicon CPUs brings dramatic performance improvements over the non- native build that was shipped in Firefox 83: Firefox launches over 2.5 times faster and web apps are now twice as responsive (per the SpeedoMeter 2.0 test). If you are on a new Apple device, follow these steps to upgrade to the latest Firefox. - Pinch zooming will now be supported for our users with Windows touchscreen devices and touchpads on Mac devices. Firefox users may now use pinch to zoom on touch-capable devices to zoom in and out of webpages. - We’ve improved functionality and design for a number of Firefox search features: * Selecting a search engine at the bottom of the search panel now enters search mode for that engine, allowing you to see suggestions (if available) for your search terms. The old behavior (immediately performing a search) is available with a shift-click. * When Firefox autocompletes the URL of one of your search engines, you can now search with that engine directly in the address bar by selecting the shortcut in the address bar results. * We’ve added buttons at the bottom of the search panel to allow you to search your bookmarks, open tabs, and history. - Firefox supports AcroForm, which will allow you to fill in, print, and save supported PDF forms and the PDF viewer also has a new fresh look. - For our users in the US and Canada, Firefox can now save, manage, and auto-fill credit card information for you, making shopping on Firefox ever more convenient. - In addition to our default, dark and light themes, with this release, Firefox introduces the Alpenglow theme: a colorful appearance for buttons, menus, and windows. You can update your Firefox themes under settings or preferences. * Changed: Firefox no longer supports Adobe Flash. There is no setting available to re-enable Flash support. * Enterprise: Various bug fixes and new policies have been implemented in the latest version of Firefox. See more details in the Firefox for Enterprise 91 Release Notes. MFSA 2021-33 (bsc#1188891): * CVE-2021-29986: Race condition when resolving DNS names could have led to memory corruption * CVE-2021-29981: Live range splitting could have led to conflicting assignments in the JIT * CVE-2021-29988: Memory corruption as a result of incorrect style treatment * CVE-2021-29983: Firefox for Android could get stuck in fullscreen mode * CVE-2021-29984: Incorrect instruction reordering during JIT optimization * CVE-2021-29980: Uninitialized memory in a canvas object could have led to memory corruption * CVE-2021-29987: Users could have been tricked into accepting unwanted permissions on Linux * CVE-2021-29985: Use-after-free media channels * CVE-2021-29982: Single bit data leak due to incorrect JIT optimization and type confusion * CVE-2021-29989: Memory safety bugs fixed in Firefox 91 and Firefox ESR 78.13 * CVE-2021-29990: Memory safety bugs fixed in Firefox 91 ----------------------------------------- Patch: SUSE-2021-3465 Released: Tue Oct 19 13:12:46 2021 Summary: Recommended update for cloud-regionsrv Severity: moderate References: 1190250 Description: This update for cloud-regionsrv contains the following fixes: - Update to version 8.1.2 (bsc#1190250) + Place certificate key in proper destination - Update to version 8.1.1 (bsc#1190250) + Use a cross-filesystem compatible method to move certificates ----------------------------------------- Patch: SUSE-2021-3471 Released: Wed Oct 20 08:39:41 2021 Summary: Recommended update for habootstrap-formula Severity: moderate References: 1190940 Description: This update for habootstrap-formula fixes the following issues: Update to version 0.4.4 - Wait for cluster startup after a 'corosync' restart. (bsc#1190940) - Add support for The Oracle Cluster File System v2 (OCFS2) - Enable native fencing for 'microsoft-azure' - Add documentation on how to enable native fencing ----------------------------------------- Patch: SUSE-2021-3476 Released: Wed Oct 20 08:42:00 2021 Summary: Security update for xstream Severity: important References: 1189798,CVE-2021-39139,CVE-2021-39140,CVE-2021-39141,CVE-2021-39144,CVE-2021-39145,CVE-2021-39146,CVE-2021-39147,CVE-2021-39148,CVE-2021-39149,CVE-2021-39150,CVE-2021-39151,CVE-2021-39152,CVE-2021-39153,CVE-2021-39154 Description: This update for xstream fixes the following issues: - Upgrade to 1.4.18 - CVE-2021-39139: Fixed an issue that allowed an attacker to execute arbitrary code execution by manipulating the processed input stream with type information. (bsc#1189798) - CVE-2021-39140: Fixed an issue that allowed an attacker to execute a DoS attack by manipulating the processed input stream. (bsc#1189798) - CVE-2021-39141: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798) - CVE-2021-39144: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798) - CVE-2021-39145: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798) - CVE-2021-39146: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798) - CVE-2021-39147: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798) - CVE-2021-39148: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798) - CVE-2021-39149: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798) - CVE-2021-39150: Fixed an issue that allowed an attacker to access protected resources hosted within the intranet or in the host itself. (bsc#1189798) - CVE-2021-39151: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798) - CVE-2021-39152: Fixed an issue that allowed an attacker to access protected resources hosted within the intranet or in the host itself. (bsc#1189798) - CVE-2021-39153: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798) - CVE-2021-39154: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798) ----------------------------------------- Patch: SUSE-2021-3483 Released: Wed Oct 20 16:08:18 2021 Summary: Feature update for saptune Severity: moderate References: 1149205,1164720,1167213,1167416,1167618,1170672,1176243,1178207,1179275,1182009,1182287,1182289,1185702 Description: This update for saptune fixes the following issues: Update saptune from version 2.0.3 to version 3.0.0 (jsc#SLE-20985) - This will be additional reflected in the saptune version found in '/etc/sysconfig/saptune' '(SAPTUNE_VERSION)' - Strengthen configuration process with staging, checks of external changes and expansion of automation to new platforms (Azure, AWS) and hardware specifics (jsc#SLE-20985) - Remove saptune version 1 (jsc#SLE-10823, jsc#SLE-10842) - Remove usage of 'tuned' from saptune - Add an own systemd service file for saptune to 'start/stop' tuning of parameter values during a reboot of the system. - Add a new saptune action 'service' to handle the 'saptune.service' supporting 'start/stop/enable/disable/status'. - The saptune action 'daemon', which handled 'tuned.service' in the past, is now flagged as 'deprecated' and internally linked to the new action 'service'. (jsc#SLE-5589, jsc#SLE-5588, jsc#SLE-6457) - Add a sanity check to detect Note definition files which do not exist anymore. (bsc#1149205) This can happen when a Note is renamed or deleted, but without reverting the Note before. saptune will now print an error message, remove the Note from the tracking variables in '/etc/sysconfig/saptune' and try to revert the related parameter settings. - Validate if the json input file is empty and handle left-over files from the migration from saptune v1 to saptune v2 (bsc#1167618) - To support system parameters only relevant for specific SUSE Linux Enterprise Server releases, service packs and/or hardware architectures saptune now supports 'tagged' sections inside the Note definition files. (jsc#SLE-13246, jsc#SLE-13245) - New kernel requirement for Power added to SAP-Note 2205917 and 2684254 (bsc#1167416) SAP Note 2205917 updated to Version 61 SAP Note 2684254 updated to Version 15 - SAP Note 2382421 updated to Version 37 (bsc#1170672) - Move all 'not-well-defined' parameters from the 'reminder' section into the 'sysctl' section, but with 'empty' values. - Use an override file to define the values fitting your system requirements - Support empty parameter values in the Note definition files and not only in the override file. (bsc#1170672, jsc#TEAM-1702) - This is needed for the support of SAP Notes like 2382421, so that the customer is able to simply use an override file to define some special parameters instead of using a customer specific Note definition file. - Report an 'error' instead of 'info' and set the exit code to '1', if we reject the apply of a solution (bsc#1167213) - Skip perf bias change if secure boot is enabled. (bsc#1176243) - When a system is in lockdown mode, i.e., Secure Boot is enabled, MSR cannot be altered in user-space. So check, if Secure Boot is enabled using the mokutil utility and skip setting the perf bias in case it is. - Rework the internal block device handling to speed up the apply of block device related tunings on systems with a high number of block devices. (bsc#1178207) - Change block device handling to handle multipath devices correctly. Only the DM multipath devices will be used for the settings, but not its paths. (bsc#1179275) - fixed wrong comparison used for setting FORCE_LATENCY (bsc#1185702) - add keyword 'all' to the 'rpm' section description in the man page saptune-note(5). (bsc#1182287) - support note definition versions containing digits, upper-case and lower-case letters, dots, underscores, minus and plus signs. (bsc#1182289) - fixed issue with 'verify' operation and parameter 'VSZ_TMPFS_PERCENT'. As this parameter is only used to calculate the value of 'ShmFileSystemSizeMB' (if it is not set to a value >0 in the Note definition file) it will not be checked and compared during the saptune operation 'verify'. A footnote is pointing this out. (bsc#1182009) - SAP Note 1771258 update nofile values (bsc#1164720) - SAP Note 2684254 updated to Version 20 SAP Note 2578899 updated to Version 39 SAP Note 1680803 updated to Version 26 - enhancements for saptune version 3 (jsc#SLE-16972) - Implement a lock to avoid multiple instances of saptune running in parallel. (jsc#TEAM-1700) - Support for non-colorized output (jsc#TEAM-1679) - If redirecting the output from saptune to a pipe, you no longer need to deal with the 'ugly' control sequences for the colorized output. - Add enable/disable for systemd units and support all systemd unit types in section [service] (jsc#TEAM-1701) - remove script '/usr/share/doc/packages/saptune/sapconf2saptune' and the associated man page (jsc#TEAM-1707) - implement staging of Note definition file and solution definitions. (jsc#TEAM-1844) - The idea is to freeze the saptune configuration to avoid config changes on package update when adding/removing/changing notes or solutions within the package - support custom solutions and override files for solutions. (jsc#TEAM-1706) - Partners and customers will now be able to define their own solution definitions by using files in '/etc/saptune/extra' or to override the shipped solution definitions by using override files in '/etc/saptune/override' - support for device specific configurations (jsc#TEAM-1728) - only supported for the [block] section, tags are 'vendor' and 'model' to support special block devices of a dedicated hardware vendor or a dedicated hardware model - add support for AZURE cloud (SAP Note 2993054) (jsc#TEAM-2676) - add support for AWS cloud (SAP Note 1656250) (jsc#TEAM-1754, jsc#TEAM-1755) - add NVMe support to the block device handling to support AWS (jsc#TEAM-2675) - add SAP Note 3024346 (a NetApp note) (jsc#TEAM-3454) - rework daemon and service actions (jsc#TEAM-3154) - add support for 'read_ahead_kb' and 'max_sectors_kb' to the [block] section (jsc#TEAM-1699) - add a warning to the reminder section of SAP Note 2382421 regarding iSCSI devices and setting of 'net.ipv4.tcp_syn_retries' (jsc#TEAM-1705) - For the actions 'note customise' and 'note create' check, if the customer has changed something during the editor session. If not, remove the temporary created note definition file. (jsc#TEAM-825) - add support for [sys] section and handle double configurations for parameters defined in the [sys] section (jsc#TEAM-3342) - check system sysctl config files as mentioned in the comments of '/etc/sysctl.conf' and in man page 'sysctl.conf(5)' for 'sysctl' parameters currently set by saptune notes. Print a warning and a footnote for 'verify' and 'customize'. (jsc#TEAM-1696) - add support for [filesystem] section only check filesystem mount options, not modify. Starting with filesystem type 'xfs' (jsc#TEAM-4093) - add SAP Note 900929 for SAP Netweaver workloads. (jsc#TEAM-4386) - It's the equivalent to the HANA Note 1980196. - move state files from '/var/lib/saptune' to '/run/saptune' to solve the problem of state files surviving a reboot. - add '/sbin/saptune_check' - add the description of the solution definitions shipped with saptune to the man page saptune(8) (jsc#TEAM-4260) ----------------------------------------- Patch: SUSE-2021-3488 Released: Wed Oct 20 16:18:39 2021 Summary: Security update for go1.17 Severity: moderate References: 1190649,1191468,CVE-2021-38297 Description: This update for go1.17 fixes the following issues: Update to go1.17.2 - CVE-2021-38297: misc/wasm, cmd/link: do not let command line args overwrite global data (bsc#1191468) ----------------------------------------- Patch: SUSE-2021-3490 Released: Wed Oct 20 16:31:55 2021 Summary: Security update for ncurses Severity: moderate References: 1190793,CVE-2021-39537 Description: This update for ncurses fixes the following issues: - CVE-2021-39537: Fixed an heap-based buffer overflow in _nc_captoinfo. (bsc#1190793) ----------------------------------------- Patch: SUSE-2021-3493 Released: Wed Oct 20 16:37:44 2021 Summary: Security update for fetchmail Severity: moderate References: 1190069,CVE-2021-39272 Description: This update for fetchmail fixes the following issues: - CVE-2021-39272: Fix failure to enforce STARTTLS session encryption in some circumstances, such as a certain situation with IMAP and PREAUTH. (bsc#1190069) ----------------------------------------- Patch: SUSE-2021-3494 Released: Wed Oct 20 16:48:46 2021 Summary: Recommended update for pam Severity: moderate References: 1190052 Description: This update for pam fixes the following issues: - Added pam_faillock to the set of available PAM modules. (jsc#SLE-20638) - Added new file macros.pam on request of systemd. (bsc#1190052) ----------------------------------------- Patch: SUSE-2021-3496 Released: Thu Oct 21 09:57:47 2021 Summary: Recommended update for bash-completion Severity: low References: 1190929 Description: This update for bash-completion fixes the following issue: - modinfo completion fails to recognize .ko.xz (bsc#1190929) ----------------------------------------- Patch: SUSE-2021-3500 Released: Fri Oct 22 09:42:21 2021 Summary: Recommended update for open-vm-tools Severity: moderate References: 1190987 Description: This update for open-vm-tools fixes the following issues: - New/Updated features: * Added a configurable logging capability to the network script * The hgfsmounter (mount.vmhgfs) command has been removed from open-vm-tools. It has been replaced by hgfs-fuse. - Resolved issues: * Customization: Retry the Linux reboot if telinit is a soft link to systemctl * open-vm-tools commands would hang if configured with '--enable-valgrind' ----------------------------------------- Patch: SUSE-2021-3501 Released: Fri Oct 22 10:42:46 2021 Summary: Recommended update for libzypp, zypper, libsolv, protobuf Severity: moderate References: 1186503,1186602,1187224,1187425,1187466,1187738,1187760,1188156,1188435,1189031,1190059,1190199,1190465,1190712,1190815 Description: This update for libzypp, zypper, libsolv and protobuf fixes the following issues: - Choice rules: treat orphaned packages as newest (bsc#1190465) - Avoid calling 'su' to detect a too restrictive sudo user umask (bsc#1186602) - Do not check of signatures and keys two times(redundant) (bsc#1190059) - Rephrase vendor conflict message in case 2 packages are involved (bsc#1187760) - Show key fpr from signature when signature check fails (bsc#1187224) - Fix solver jobs for PTFs (bsc#1186503) - Fix purge-kernels fails (bsc#1187738) - Fix obs:// platform guessing for Leap (bsc#1187425) - Make sure to keep states alives while transitioning. (bsc#1190199) - Manpage: Improve description about patch updates(bsc#1187466) - Manpage: Recommend the needs-rebooting command to test whether a system reboot is suggested. - Fix kernel-*-livepatch removal in purge-kernels. (bsc#1190815) - Fix crashes in logging code when shutting down (bsc#1189031) - Do not download full files even if the checkExistsOnly flag is set. (bsc#1190712) - Add need reboot/restart hint to XML install summary (bsc#1188435) - Prompt: choose exact match if prompt options are not prefix free (bsc#1188156) - Include libprotobuf-lite20 in products to enable parallel downloads. (jsc#ECO-2911, jsc#SLE-16862) ----------------------------------------- Patch: SUSE-2021-3506 Released: Mon Oct 25 10:20:22 2021 Summary: Security update for containerd, docker, runc Severity: important References: 1102408,1185405,1187704,1188282,1190826,1191015,1191121,1191334,1191355,1191434,CVE-2021-30465,CVE-2021-32760,CVE-2021-41089,CVE-2021-41091,CVE-2021-41092,CVE-2021-41103 Description: This update for containerd, docker, runc fixes the following issues: Docker was updated to 20.10.9-ce. (bsc#1191355) See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. CVE-2021-41092 CVE-2021-41089 CVE-2021-41091 CVE-2021-41103 container was updated to v1.4.11, to fix CVE-2021-41103. bsc#1191355 - CVE-2021-32760: Fixed that a archive package allows chmod of file outside of unpack target directory (bsc#1188282) - Install systemd service file as well (bsc#1190826) Update to runc v1.0.2. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.2 * Fixed a failure to set CPU quota period in some cases on cgroup v1. * Fixed the inability to start a container with the 'adding seccomp filter rule for syscall ...' error, caused by redundant seccomp rules (i.e. those that has action equal to the default one). Such redundant rules are now skipped. * Made release builds reproducible from now on. * Fixed a rare debug log race in runc init, which can result in occasional harmful 'failed to decode ...' errors from runc run or exec. * Fixed the check in cgroup v1 systemd manager if a container needs to be frozen before Set, and add a setting to skip such freeze unconditionally. The previous fix for that issue, done in runc 1.0.1, was not working. Update to runc v1.0.1. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.1 * Fixed occasional runc exec/run failure ('interrupted system call') on an Azure volume. * Fixed 'unable to find groups ... token too long' error with /etc/group containing lines longer than 64K characters. * cgroup/systemd/v1: fix leaving cgroup frozen after Set if a parent cgroup is frozen. This is a regression in 1.0.0, not affecting runc itself but some of libcontainer users (e.g Kubernetes). * cgroupv2: bpf: Ignore inaccessible existing programs in case of permission error when handling replacement of existing bpf cgroup programs. This fixes a regression in 1.0.0, where some SELinux policies would block runc from being able to run entirely. * cgroup/systemd/v2: don't freeze cgroup on Set. * cgroup/systemd/v1: avoid unnecessary freeze on Set. - fix issues with runc under openSUSE MicroOS's SELinux policy. bsc#1187704 Update to runc v1.0.0. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.0 ! The usage of relative paths for mountpoints will now produce a warning (such configurations are outside of the spec, and in future runc will produce an error when given such configurations). * cgroupv2: devices: rework the filter generation to produce consistent results with cgroupv1, and always clobber any existing eBPF program(s) to fix runc update and avoid leaking eBPF programs (resulting in errors when managing containers). * cgroupv2: correctly convert 'number of IOs' statistics in a cgroupv1-compatible way. * cgroupv2: support larger than 32-bit IO statistics on 32-bit architectures. * cgroupv2: wait for freeze to finish before returning from the freezing code, optimize the method for checking whether a cgroup is frozen. * cgroups/systemd: fixed 'retry on dbus disconnect' logic introduced in rc94 * cgroups/systemd: fixed returning 'unit already exists' error from a systemd cgroup manager (regression in rc94) + cgroupv2: support SkipDevices with systemd driver + cgroup/systemd: return, not ignore, stop unit error from Destroy + Make 'runc --version' output sane even when built with go get or otherwise outside of our build scripts. + cgroups: set SkipDevices during runc update (so we don't modify cgroups at all during runc update). + cgroup1: blkio: support BFQ weights. + cgroupv2: set per-device io weights if BFQ IO scheduler is available. Update to runc v1.0.0~rc95. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc95 This release of runc contains a fix for CVE-2021-30465, and users are strongly recommended to update (especially if you are providing semi-limited access to spawn containers to untrusted users). (bsc#1185405) Update to runc v1.0.0~rc94. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc94 Breaking Changes: * cgroupv1: kernel memory limits are now always ignored, as kmemcg has been effectively deprecated by the kernel. Users should make use of regular memory cgroup controls. Regression Fixes: * seccomp: fix 32-bit compilation errors * runc init: fix a hang caused by deadlock in seccomp/ebpf loading code * runc start: fix 'chdir to cwd: permission denied' for some setups ----------------------------------------- Patch: SUSE-2021-3510 Released: Tue Oct 26 11:22:15 2021 Summary: Recommended update for pam Severity: important References: 1191987 Description: This update for pam fixes the following issues: - Fixed a bad directive file which resulted in the 'securetty' file to be installed as 'macros.pam'. (bsc#1191987) ----------------------------------------- Patch: SUSE-2021-3512 Released: Tue Oct 26 13:33:17 2021 Summary: Recommended update for MozillaFirefox Severity: moderate References: 1190141,1191815 Description: This update for MozillaFirefox fixes the following issues: - Allow accessing /proc/sys/crypto/fips_enabled from within the newly introduced socket process sandbox. (bsc#1191815, bsc#1190141) - Add a way to let users overwrite MOZ_ENABLE_WAYLAND ----------------------------------------- Patch: SUSE-2021-3516 Released: Tue Oct 26 14:42:44 2021 Summary: Recommended update for azure-cli, azure-cli-core, python-azure-mgmt, python-azure-mgmt-billing, python-azure-mgmt-cdn, python-azure-mgmt-hdinsight, python-azure-mgmt-netapp, python-azure-mgmt-resource, python-azure-mgmt-synapse Severity: important References: 1187880,1188178 Description: This update for azure-cli, azure-cli-core, python-azure-mgmt, python-azure-mgmt-billing, python-azure-mgmt-cdn, python-azure-mgmt-hdinsight, python-azure-mgmt-netapp, python-azure-mgmt-resource, python-azure-mgmt-synapse contains the following fixes: Changes in python-azure-mgmt: - Remove all version constraints in Requires. (bsc#1187880, bsc#1188178) Changes in azure-cli-core: - Update in SLE-15 (bsc#1187880, bsc#1188178) - New upstream release + Version 2.16.0 + For detailed information about changes see the HISTORY.rst file provided with this package - Refresh patches for new version - Update Requires from setup.py + Temporarily use a vendored copy of azure-mgmt-resource - New upstream release + Version 2.15.0 + For detailed information about changes see the HISTORY.rst file provided with this package - Update Requires from setup.py Changes in azure-cli: - Update in SLE-15 (bsc#1187880, bsc#1188178) - Add missing python3-azure-mgmt-resource dependency to Requires - New upstream release + Version 2.16.0 + For detailed information about changes see the HISTORY.rst file provided with this package - Update Requires from setup.py - New upstream release + Version 2.15.0 + For detailed information about changes see the HISTORY.rst file provided with this package - Update Requires from setup.py Changes in python-azure-mgmt-billing: - Update in SLE-15 (bsc#1187880, bsc#1188178) - New upstream release + Version 1.0.0 + For detailed information about changes see the CHANGELOG.md file provided with this package - Update Requires from setup.py Changes in python-azure-mgmt-cdn: - Update in SLE-15 (bsc#1187880, bsc#1188178) - New upstream release + Version 5.2.0 + For detailed information about changes see the CHANGELOG.md file provided with this package Changes in python-azure-mgmt-hdinsight: - Update in SLE-15 (bsc#1187880, bsc#1188178) - New upstream release + Version 2.0.0 + For detailed information about changes see the CHANGELOG.md file provided with this package Changes in python-azure-mgmt-netapp: - Update in SLE-15 (bsc#1187880, bsc#1188178) - New upstream release + Version 0.14.0 + For detailed information about changes see the CHANGELOG.md file provided with this package Changes in python-azure-mgmt-resource: - Update in SLE-15 (bsc#1187880, bsc#1188178) - New upstream release + Version 15.0.0 + For detailed information about changes see the CHANGELOG.md file provided with this package - Update Requires from setup.py Changes in python-azure-mgmt-synapse: - Update in SLE-15 (bsc#1187880, bsc#1188178) - New upstream release + Version 0.5.0 + For detailed information about changes see the CHANGELOG.md file provided with this package ----------------------------------------- Patch: SUSE-2021-3521 Released: Tue Oct 26 15:38:44 2021 Summary: Security update for ffmpeg Severity: moderate References: 1186756,1187852,1189166,1190718,1190719,1190722,1190723,1190726,1190729,1190733,1190734,1190735,CVE-2020-20891,CVE-2020-20892,CVE-2020-20895,CVE-2020-20896,CVE-2020-20899,CVE-2020-20902,CVE-2020-22037,CVE-2020-35965,CVE-2021-3566,CVE-2021-38092,CVE-2021-38093,CVE-2021-38094 Description: This update for ffmpeg fixes the following issues: - CVE-2021-3566: Fixed information leak (bsc#1189166). - CVE-2021-38093: Fixed integer overflow vulnerability in filter_robert() (bsc#1190734) - CVE-2021-38092: Fixed integer overflow vulnerability in filter_prewitt() (bsc#1190733) - CVE-2021-38094: Fixed integer overflow vulnerability in filter_sobel() (bsc#1190735) - CVE-2020-22037: Fixed denial of service vulnerability caused by memory leak in avcodec_alloc_context3() (bsc#1186756) - CVE-2020-35965: Fixed out-of-bounds write in decode_frame() (bsc#1187852) - CVE-2020-20892: Fixed an issue with filter_frame() (bsc#1190719) - CVE-2020-20891: Fixed a buffer overflow vulnerability in config_input() (bsc#1190718) - CVE-2020-20895: Fixed a buffer overflow vulnerability in function filter_vertically_##name (bsc#1190722) - CVE-2020-20896: Fixed an issue with latm_write_packet() (bsc#1190723) - CVE-2020-20899: Fixed a buffer overflow vulnerability in config_props() (bsc#1190726) - CVE-2020-20902: Fixed an out-of-bounds read vulnerabilit long_term_filter() (bsc#1190729) ----------------------------------------- Patch: SUSE-2021-3527 Released: Tue Oct 26 17:03:06 2021 Summary: Security update for wireguard-tools Severity: moderate References: 1191224 Description: This update for wireguard-tools fixes the following issues: - Removed world-readable permissions from /etc/wireguard (bsc#1191224) ----------------------------------------- Patch: SUSE-2021-3529 Released: Wed Oct 27 09:23:32 2021 Summary: Security update for pcre Severity: moderate References: 1172973,1172974,CVE-2019-20838,CVE-2020-14155 Description: This update for pcre fixes the following issues: Update pcre to version 8.45: - CVE-2020-14155: Fixed integer overflow via a large number after a '(?C' substring (bsc#1172974). - CVE-2019-20838: Fixed buffer over-read in JIT compiler (bsc#1172973) ----------------------------------------- Patch: SUSE-2021-3571 Released: Thu Oct 28 09:32:19 2021 Summary: Recommended update for postfix Severity: moderate References: 1190945 Description: This update for postfix fixes the following issues: - Adapt config.postfix to filter out lmdb files from the alias maps (bsc#1190945) ----------------------------------------- Patch: SUSE-2021-3574 Released: Thu Oct 28 12:50:07 2021 Summary: Recommended update for rpmlint Severity: moderate References: 1190790,1191821 Description: This update for rpmlint fixes the following issues: - whitelisting of systemd-od (bsc#1191821) and pam_u2f (bsc#1190790 jsc#SLE-21888) ----------------------------------------- Patch: SUSE-2021-3578 Released: Fri Oct 29 11:36:22 2021 Summary: Recommended update for migrate-sles-to-sles4sap Severity: moderate References: 1189481 Description: This update for migrate-sles-to-sles4sap fixes the following issues: - migrate-sles-to-sles4sap package has dependency perl-XML-Twig that is not installed. (bsc#1189481) ----------------------------------------- Patch: SUSE-2021-3579 Released: Fri Oct 29 14:56:48 2021 Summary: Recommended update for cloud-regionsrv-client Severity: moderate References: 1182026,1189362 Description: This update for cloud-regionsrv-client fixes the following issues: - Avoid race confition with ca-certificates. (bsc#1189362) + Make the service run after ca-sertificates is done + Attempt multiple times to update the trust chain - New package to enable/disable access due to AHB. (bsc#1182026, jsc#SLE-21246, jsc#SLE-21247, jsc#SLE-21248, jsc#SLE-21249) ----------------------------------------- Patch: SUSE-2021-3584 Released: Fri Oct 29 16:27:43 2021 Summary: Security update for transfig Severity: important References: 1189325,1189343,1189345,1189346,1190607,1190611,1190612,1190615,1190616,1190617,1190618,1192019,CVE-2020-21529,CVE-2020-21530,CVE-2020-21531,CVE-2020-21532,CVE-2020-21533,CVE-2020-21534,CVE-2020-21535,CVE-2020-21680,CVE-2020-21681,CVE-2020-21682,CVE-2020-21683,CVE-2021-32280 Description: This update for transfig fixes the following issues: Update to fig2dev version 3.2.8 Patchlevel 8b (Aug 2021) - bsc#1190618, CVE-2020-21529: stack buffer overflow in the bezier_spline function in genepic.c. - bsc#1190615, CVE-2020-21530: segmentation fault in the read_objects function in read.c. - bsc#1190617, CVE-2020-21531: global buffer overflow in the conv_pattern_index function in gencgm.c. - bsc#1190616, CVE-2020-21532: global buffer overflow in the setfigfont function in genepic.c. - bsc#1190612, CVE-2020-21533: stack buffer overflow in the read_textobject function in read.c. - bsc#1190611, CVE-2020-21534: global buffer overflow in the get_line function in read.c. - bsc#1190607, CVE-2020-21535: segmentation fault in the gencgm_start function in gencgm.c. - bsc#1192019, CVE-2021-32280: NULL pointer dereference in compute_closed_spline() in trans_spline.c ----------------------------------------- Patch: SUSE-2021-3591 Released: Tue Nov 2 06:26:33 2021 Summary: Recommended update for man-pages Severity: moderate References: 1185534 Description: This update for man-pages fixes the following issues: - Added missing manual entry for kernel_lockdown in section 7 (bsc#1185534) ----------------------------------------- Patch: SUSE-2021-3599 Released: Wed Nov 3 10:29:54 2021 Summary: Recommended update for postgresql, postgresql13, postgresql14 Severity: moderate References: Description: This update for postgresql, postgresql13, postgresql14 fixes the following issues: This update ships postgresql14. (jsc#SLE-20675 jsc#SLE-20676) Feature changes in postgresql14: - https://www.postgresql.org/about/news/postgresql-14-released-2318/ - https://www.postgresql.org/docs/14/release-14.html Changes in postgresql13: - Stop building the mini and lib packages as they are now coming from postgresql14. Changes in postgresql: - Bump version to 14, leave default at 12. ----------------------------------------- Patch: SUSE-2021-3616 Released: Thu Nov 4 12:29:16 2021 Summary: Security update for binutils Severity: moderate References: 1179898,1179899,1179900,1179901,1179902,1179903,1180451,1180454,1180461,1181452,1182252,1183511,1184620,1184794,CVE-2020-16590,CVE-2020-16591,CVE-2020-16592,CVE-2020-16593,CVE-2020-16598,CVE-2020-16599,CVE-2020-35448,CVE-2020-35493,CVE-2020-35496,CVE-2020-35507,CVE-2021-20197,CVE-2021-20284,CVE-2021-3487 Description: This update for binutils fixes the following issues: Update to binutils 2.37: * The GNU Binutils sources now requires a C99 compiler and library to build. * Support for Realm Management Extension (RME) for AArch64 has been added. * A new linker option '-z report-relative-reloc' for x86 ELF targets has been added to report dynamic relative relocations. * A new linker option '-z start-stop-gc' has been added to disable special treatment of __start_*/__stop_* references when --gc-sections. * A new linker options '-Bno-symbolic' has been added which will cancel the '-Bsymbolic' and '-Bsymbolic-functions' options. * The readelf tool has a new command line option which can be used to specify how the numeric values of symbols are reported. --sym-base=0|8|10|16 tells readelf to display the values in base 8, base 10 or base 16. A sym base of 0 represents the default action of displaying values under 10000 in base 10 and values above that in base 16. * A new format has been added to the nm program. Specifying '--format=just-symbols' (or just using -j) will tell the program to only display symbol names and nothing else. * A new command line option '--keep-section-symbols' has been added to objcopy and strip. This stops the removal of unused section symbols when the file is copied. Removing these symbols saves space, but sometimes they are needed by other tools. * The '--weaken', '--weaken-symbol' and '--weaken-symbols' options supported by objcopy now make undefined symbols weak on targets that support weak symbols. * Readelf and objdump can now display and use the contents of .debug_sup sections. * Readelf and objdump will now follow links to separate debug info files by default. This behaviour can be stopped via the use of the new '-wN' or '--debug-dump=no-follow-links' options for readelf and the '-WN' or '--dwarf=no-follow-links' options for objdump. Also the old behaviour can be restored by the use of the '--enable-follow-debug-links=no' configure time option. The semantics of the =follow-links option have also been slightly changed. When enabled, the option allows for the loading of symbol tables and string tables from the separate files which can be used to enhance the information displayed when dumping other sections, but it does not automatically imply that information from the separate files should be displayed. If other debug section display options are also enabled (eg '--debug-dump=info') then the contents of matching sections in both the main file and the separate debuginfo file *will* be displayed. This is because in most cases the debug section will only be present in one of the files. If however non-debug section display options are enabled (eg '--sections') then the contents of matching parts of the separate debuginfo file will *not* be displayed. This is because in most cases the user probably only wanted to load the symbol information from the separate debuginfo file. In order to change this behaviour a new command line option --process-links can be used. This will allow di0pslay options to applied to both the main file and any separate debuginfo files. * Nm has a new command line option: '--quiet'. This suppresses 'no symbols' diagnostic. Update to binutils 2.36: New features in the Assembler: - General: * When setting the link order attribute of ELF sections, it is now possible to use a numeric section index instead of symbol name. * Added a .nop directive to generate a single no-op instruction in a target neutral manner. This instruction does have an effect on DWARF line number generation, if that is active. * Removed --reduce-memory-overheads and --hash-size as gas now uses hash tables that can be expand and shrink automatically. - X86/x86_64: * Add support for AVX VNNI, HRESET, UINTR, TDX, AMX and Key Locker instructions. * Support non-absolute segment values for lcall and ljmp. * Add {disp16} pseudo prefix to x86 assembler. * Configure with --enable-x86-used-note by default for Linux/x86. - ARM/AArch64: * Add support for Cortex-A78, Cortex-A78AE and Cortex-X1, Cortex-R82, Neoverse V1, and Neoverse N2 cores. * Add support for ETMv4 (Embedded Trace Macrocell), ETE (Embedded Trace Extension), TRBE (Trace Buffer Extension), CSRE (Call Stack Recorder Extension) and BRBE (Branch Record Buffer Extension) system registers. * Add support for Armv8-R and Armv8.7-A ISA extensions. * Add support for DSB memory nXS barrier, WFET and WFIT instruction for Armv8.7. * Add support for +csre feature for -march. Add CSR PDEC instruction for CSRE feature in AArch64. * Add support for +flagm feature for -march in Armv8.4 AArch64. * Add support for +ls64 feature for -march in Armv8.7 AArch64. Add atomic 64-byte load/store instructions for this feature. * Add support for +pauth (Pointer Authentication) feature for -march in AArch64. New features in the Linker: * Add --error-handling-script= command line option to allow a helper script to be invoked when an undefined symbol or a missing library is encountered. This option can be suppressed via the configure time switch: --enable-error-handling-script=no. * Add -z x86-64-{baseline|v[234]} to the x86 ELF linker to mark x86-64-{baseline|v[234]} ISA level as needed. * Add -z unique-symbol to avoid duplicated local symbol names. * The creation of PE format DLLs now defaults to using a more secure set of DLL characteristics. * The linker now deduplicates the types in .ctf sections. The new command-line option --ctf-share-types describes how to do this: its default value, share-unconflicted, produces the most compact output. * The linker now omits the 'variable section' from .ctf sections by default, saving space. This is almost certainly what you want unless you are working on a project that has its own analogue of symbol tables that are not reflected in the ELF symtabs. New features in other binary tools: * The ar tool's previously unused l modifier is now used for specifying dependencies of a static library. The arguments of this option (or --record-libdeps long form option) will be stored verbatim in the __.LIBDEP member of the archive, which the linker may read at link time. * Readelf can now display the contents of LTO symbol table sections when asked to do so via the --lto-syms command line option. * Readelf now accepts the -C command line option to enable the demangling of symbol names. In addition the --demangle=