----------------------------------------- Version 2-Build4.2.41 2020-10-07T08:04:50 ----------------------------------------- Patch: SUSE-2018-1223 Released: Tue Jun 26 11:41:00 2018 Summary: Security update for gpg2 Severity: important References: 1096745,CVE-2018-12020 Description: This update for gpg2 fixes the following security issue: - CVE-2018-12020: GnuPG mishandled the original filename during decryption and verification actions, which allowed remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the '--status-fd 2' option (bsc#1096745). ----------------------------------------- Patch: SUSE-2018-1327 Released: Tue Jul 17 08:07:24 2018 Summary: Security update for perl Severity: moderate References: 1096718,CVE-2018-12015 Description: This update for perl fixes the following issues: - CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718) ----------------------------------------- Patch: SUSE-2018-1332 Released: Tue Jul 17 09:01:19 2018 Summary: Recommended update for timezone Severity: moderate References: 1073299,1093392 Description: This update for timezone provides the following fixes: - North Korea switches back from +0830 to +09 on 2018-05-05. - Ireland's standard time is in the summer, with negative DST offset to standard time used in Winter. (bsc#1073299) - yast2-country is no longer setting TIMEZONE in /etc/sysconfig/clock and is calling systemd timedatectl instead. Do not set /etc/localtime on timezone package updates to avoid setting an incorrect timezone. (bsc#1093392) ----------------------------------------- Patch: SUSE-2018-1334 Released: Tue Jul 17 09:06:41 2018 Summary: Recommended update for mozilla-nss Severity: moderate References: 1096515 Description: This update for mozilla-nss provides the following fixes: - Update to NSS 3.36.4 required by Firefox 60.0.2. (bsc#1096515) - Fix a problem that would cause connections to a server that was recently upgraded to TLS 1.3 to result in a SSL_RX_MALFORMED_SERVER_HELLO error. - Fix a rare bug with PKCS#12 files. - Use relro linker option. ----------------------------------------- Patch: SUSE-2018-1346 Released: Thu Jul 19 09:25:08 2018 Summary: Security update for glibc Severity: moderate References: 1082318,1092877,1094150,1094154,1094161,CVE-2017-18269,CVE-2018-11236,CVE-2018-11237 Description: This update for glibc fixes the following security issues: - CVE-2017-18269: An SSE2-optimized memmove implementation for i386 did not correctly perform the overlapping memory check if the source memory range spaned the middle of the address space, resulting in corrupt data being produced by the copy operation. This may have disclosed information to context-dependent attackers, resulted in a denial of service or code execution (bsc#1094150). - CVE-2018-11236: Prevent integer overflow on 32-bit architectures when processing very long pathname arguments to the realpath function, leading to a stack-based buffer overflow (bsc#1094161). - CVE-2018-11237: An AVX-512-optimized implementation of the mempcpy function may have writen data beyond the target buffer, leading to a buffer overflow in __mempcpy_avx512_no_vzeroupper (bsc#1092877, bsc#1094154). ----------------------------------------- Patch: SUSE-2018-1353 Released: Thu Jul 19 09:50:32 2018 Summary: Security update for e2fsprogs Severity: moderate References: 1009532,1038194,915402,918346,960273,CVE-2015-0247,CVE-2015-1572 Description: This update for e2fsprogs fixes the following issues: Security issues fixed: - CVE-2015-0247: Fixed couple of heap overflows in e2fsprogs (fsck, dumpe2fs, e2image...) (bsc#915402). - CVE-2015-1572: Fixed potential buffer overflow in closefs() (bsc#918346). Bug fixes: - bsc#1038194: generic/405 test fails with /dev/mapper/thin-vol is inconsistent on ext4 file system. - bsc#1009532: resize2fs hangs when trying to resize a large ext4 file system. - bsc#960273: xfsprogs does not call %{?regenerate_initrd_post}. ----------------------------------------- Patch: SUSE-2018-1409 Released: Fri Jul 27 06:45:10 2018 Summary: Recommended update for systemd Severity: moderate References: 1039099,1083158,1088052,1091265,1093851,1095096,1095973,1098569 Description: This update for systemd provides the following fixes: - systemctl: Mask always reports the same unit names when different unknown units are passed. (bsc#1095973) - systemctl: Check the existence of all units, not just the first one. - scsi_id: Fix the prefix for pre-SPC inquiry reply. (bsc#1039099) - device: Make sure to always retroactively start device dependencies. (bsc#1088052) - locale-util: On overlayfs FTW_MOUNT causes nftw(3) to not list *any* files. - Fix pattern to detect distribution. - install: The 'user' and 'global' scopes are equivalent for user presets. (bsc#1093851) - install: Search for preset files in /run (#7715) - install: Consider globally enabled units as 'enabled' for the user. (bsc#1093851) - install: Consider non-Alias=/non-DefaultInstance= symlinks as 'indirect' enablement. - install: Only consider names in Alias= as 'enabling'. - udev: Whitelist mlx4_core locally-administered MAC addresses in the persistent rule generator. (bsc#1083158) - man: Updated systemd-analyze blame description for service-units with Type=simple. (bsc#1091265) - fileio: Support writing atomic files with timestamp. - fileio.c: Fix incorrect mtime - Drop runtime dependency on dracut, otherwise systemd pulls in tools to generate the initrd even in container/chroot installations that don't have a kernel. For environments where initrd matters, dracut should be pulled via a pattern. (bsc#1098569) - An update broke booting with encrypted partitions on NVMe (bsc#1095096) ----------------------------------------- Patch: SUSE-2018-1760 Released: Fri Aug 24 17:14:53 2018 Summary: Recommended update for libtirpc Severity: moderate References: 1072183 Description: This update for libtirpc fixes the following issues: - rpcinfo: send RPC getport call as specified via parameter (bsc#1072183) ----------------------------------------- Patch: SUSE-2018-1999 Released: Tue Sep 25 08:20:35 2018 Summary: Recommended update for zlib Severity: moderate References: 1071321 Description: This update for zlib provides the following fixes: - Speedup zlib on power8. (fate#325307) - Add safeguard against negative values in uInt. (bsc#1071321) ----------------------------------------- Patch: SUSE-2018-2055 Released: Thu Sep 27 14:30:14 2018 Summary: Recommended update for openldap2 Severity: moderate References: 1089640 Description: This update for openldap2 provides the following fix: - Fix slapd segfaults in mdb_env_reader_dest. (bsc#1089640) ----------------------------------------- Patch: SUSE-2018-2155 Released: Fri Oct 5 14:41:17 2018 Summary: Recommended update for ca-certificates Severity: moderate References: 1101470 Description: This update for ca-certificates fixes the following issues: - Changed 'openssl' requirement to 'openssl(cli)' (bsc#1101470) ----------------------------------------- Patch: SUSE-2018-2170 Released: Mon Oct 8 10:31:14 2018 Summary: Recommended update for python3 Severity: moderate References: 1107030 Description: This update for python3 fixes the following issues: - Add -fwrapv to OPTS, which is default for python3 for bugs which are caused by avoiding it. (bsc#1107030) ----------------------------------------- Patch: SUSE-2018-2177 Released: Tue Oct 9 09:00:13 2018 Summary: Recommended update for bash Severity: moderate References: 1095661,1095670,1100488 Description: This update for bash provides the following fixes: - Bugfix: Parse settings in inputrc for all screen TERM variables starting with 'screen.' (bsc#1095661) - Make the generation of bash.html reproducible. (bsc#1100488) - Use initgroups(3) instead of setgroups(2) to fix the usage of suid programs. (bsc#1095670) - Fix a problem that could cause hash table bash uses to store exit statuses from asynchronous processes to develop loops in circumstances involving long-running scripts that create and reap many processes. - Fix a problem that could cause the shell to loop if a SIGINT is received inside of a SIGINT trap handler. - Fix cases where a failing readline command (e.g., delete-char at the end of a line) can cause a multi-character key sequence to 'back up' and attempt to re-read some of the characters in the sequence. - Fix a problem when sourcing a file from an interactive shell, that setting the SIGINT handler to the default and typing ^C would cause the shell to exit. ----------------------------------------- Patch: SUSE-2018-2182 Released: Tue Oct 9 11:08:36 2018 Summary: Security update for libxml2 Severity: moderate References: 1088279,1102046,1105166,CVE-2018-14404,CVE-2018-14567,CVE-2018-9251 Description: This update for libxml2 fixes the following security issues: - CVE-2018-9251: The xz_decomp function allowed remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1088279) - CVE-2018-14567: Prevent denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1105166) - CVE-2018-14404: Prevent NULL pointer dereference in the xmlXPathCompOpEval() function when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case leading to a denial of service attack (bsc#1102046) ----------------------------------------- Patch: SUSE-2018-2370 Released: Mon Oct 22 14:02:01 2018 Summary: Recommended update for aaa_base Severity: moderate References: 1102310,1104531 Description: This update for aaa_base provides the following fixes: - Let bash.bashrc work even for (m)ksh. (bsc#1104531) - Fix an error at login if java system directory is empty. (bsc#1102310) ----------------------------------------- Patch: SUSE-2018-2463 Released: Thu Oct 25 14:48:34 2018 Summary: Recommended update for timezone, timezone-java Severity: moderate References: 1104700,1112310 Description: This update for timezone, timezone-java fixes the following issues: The timezone database was updated to 2018f: - Volgograd moves from +03 to +04 on 2018-10-28. - Fiji ends DST 2019-01-13, not 2019-01-20. - Most of Chile changes DST dates, effective 2019-04-06 (bsc#1104700) - Corrections to past timestamps of DST transitions - Use 'PST' and 'PDT' for Philippine time - minor code changes to zic handling of the TZif format - documentation updates Other bugfixes: - Fixed a zic problem with the 1948-1951 DST transition in Japan (bsc#1112310) ----------------------------------------- Patch: SUSE-2018-2487 Released: Fri Oct 26 12:39:07 2018 Summary: Recommended update for glibc Severity: moderate References: 1102526 Description: This update for glibc fixes the following issues: - Fix build on aarch64 with binutils newer than 2.30. - Fix year 2039 bug for localtime with 64-bit time_t (bsc#1102526) ----------------------------------------- Patch: SUSE-2018-2550 Released: Wed Oct 31 16:16:56 2018 Summary: Recommended update for timezone, timezone-java Severity: moderate References: 1113554 Description: This update provides the latest time zone definitions (2018g), including the following change: - Morocco switched from +00/+01 to permanent +01 effective 2018-10-28 (bsc#1113554) ----------------------------------------- Patch: SUSE-2018-2569 Released: Fri Nov 2 19:00:18 2018 Summary: Recommended update for pam Severity: moderate References: 1110700 Description: This update for pam fixes the following issues: - Remove limits for nproc from /etc/security/limits.conf (bsc#1110700) ----------------------------------------- Patch: SUSE-2018-2595 Released: Wed Nov 7 11:14:42 2018 Summary: Security update for systemd Severity: important References: 1089761,1090944,1091677,1093753,1101040,1102908,1105031,1107640,1107941,1109197,1109252,1110445,1112024,1113083,1113632,1113665,1114135,991901,CVE-2018-15686,CVE-2018-15688 Description: This update for systemd fixes the following issues: Security issues fixed: - CVE-2018-15688: A buffer overflow vulnerability in the dhcp6 client of systemd allowed a malicious dhcp6 server to overwrite heap memory in systemd-networkd. (bsc#1113632) - CVE-2018-15686: A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. (bsc#1113665) Non security issues fixed: - dhcp6: split assert_return() to be more debuggable when hit - core: skip unit deserialization and move to the next one when unit_deserialize() fails - core: properly handle deserialization of unknown unit types (#6476) - core: don't create Requires for workdir if 'missing ok' (bsc#1113083) - logind: use manager_get_user_by_pid() where appropriate - logind: rework manager_get_{user|session}_by_pid() a bit - login: fix user@.service case, so we don't allow nested sessions (#8051) (bsc#1112024) - core: be more defensive if we can't determine per-connection socket peer (#7329) - core: introduce systemd.early_core_pattern= kernel cmdline option - core: add missing 'continue' statement - core/mount: fstype may be NULL - journald: don't ship systemd-journald-audit.socket (bsc#1109252) - core: make 'tmpfs' dependencies on swapfs a 'default' dep, not an 'implicit' (bsc#1110445) - mount: make sure we unmount tmpfs mounts before we deactivate swaps (#7076) - detect-virt: do not try to read all of /proc/cpuinfo (bsc#1109197) - emergency: make sure console password agents don't interfere with the emergency shell - man: document that 'nofail' also has an effect on ordering - journald: take leading spaces into account in syslog_parse_identifier - journal: do not remove multiple spaces after identifier in syslog message - syslog: fix segfault in syslog_parse_priority() - journal: fix syslog_parse_identifier() - install: drop left-over debug message (#6913) - Ship systemd-sysv-install helper via the main package This script was part of systemd-sysvinit sub-package but it was wrong since systemd-sysv-install is a script used to redirect enable/disable operations to chkconfig when the unit targets are sysv init scripts. Therefore it's never been a SySV init tool. - Add udev.no-partlabel-links kernel command-line option. This option can be used to disable the generation of the by-partlabel symlinks regardless of the name used. (bsc#1089761) - man: SystemMaxUse= clarification in journald.conf(5). (bsc#1101040) - systemctl: load unit if needed in 'systemctl is-active' (bsc#1102908) - core: don't freeze OnCalendar= timer units when the clock goes back a lot (bsc#1090944) - Enable or disable machines.target according to the presets (bsc#1107941) - cryptsetup: add support for sector-size= option (fate#325697) - nspawn: always use permission mode 555 for /sys (bsc#1107640) - Bugfix for a race condition between daemon-reload and other commands (bsc#1105031) - Fixes an issue where login with root credentials was not possible in init level 5 (bsc#1091677) - Fix an issue where services of type 'notify' harmless DENIED log entries. (bsc#991901) - Does no longer adjust qgroups on existing subvolumes (bsc#1093753) - cryptsetup: add support for sector-size= option (#9936) (fate#325697 bsc#1114135) ----------------------------------------- Patch: SUSE-2018-2607 Released: Wed Nov 7 15:42:48 2018 Summary: Optional update for gcc8 Severity: low References: 1084812,1084842,1087550,1094222,1102564 Description: The GNU Compiler GCC 8 is being added to the Development Tools Module by this update. The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the Basesystem module of SUSE Linux Enterprise 15. Various optimizers have been improved in GCC 8, several of bugs fixed, quite some new warnings added and the error pin-pointing and fix-suggestions have been greatly improved. The GNU Compiler page for GCC 8 contains a summary of all the changes that have happened: https://gcc.gnu.org/gcc-8/changes.html Also changes needed or common pitfalls when porting software are described on: https://gcc.gnu.org/gcc-8/porting_to.html ----------------------------------------- Patch: SUSE-2018-2825 Released: Mon Dec 3 15:35:02 2018 Summary: Security update for pam Severity: important References: 1115640,CVE-2018-17953 Description: This update for pam fixes the following issue: Security issue fixed: - CVE-2018-17953: Fixed IP address and subnet handling of pam_access.so that was not honoured correctly when a single host was specified (bsc#1115640). ----------------------------------------- Patch: SUSE-2018-2861 Released: Thu Dec 6 14:32:01 2018 Summary: Security update for ncurses Severity: important References: 1103320,1115929,CVE-2018-19211 Description: This update for ncurses fixes the following issues: Security issue fixed: - CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929). Non-security issue fixed: - Remove scree.xterm from terminfo data base as with this screen uses fallback TERM=screen (bsc#1103320). ----------------------------------------- Patch: SUSE-2018-2984 Released: Wed Dec 19 11:32:39 2018 Summary: Security update for perl Severity: moderate References: 1114674,1114675,1114681,1114686,CVE-2018-18311,CVE-2018-18312,CVE-2018-18313,CVE-2018-18314 Description: This update for perl fixes the following issues: Secuirty issues fixed: - CVE-2018-18311: Fixed integer overflow with oversize environment (bsc#1114674). - CVE-2018-18312: Fixed heap-buffer-overflow write / reg_node overrun (bsc#1114675). - CVE-2018-18313: Fixed heap-buffer-overflow read if regex contains \0 chars (bsc#1114681). - CVE-2018-18314: Fixed heap-buffer-overflow in regex (bsc#1114686). ----------------------------------------- Patch: SUSE-2018-2986 Released: Wed Dec 19 13:53:22 2018 Summary: Security update for libnettle Severity: moderate References: 1118086,CVE-2018-16869 Description: This update for libnettle fixes the following issues: Security issues fixed: - CVE-2018-16869: Fixed a leaky data conversion exposing a manager oracle (bsc#1118086) ----------------------------------------- Patch: SUSE-2018-3044 Released: Fri Dec 21 18:47:21 2018 Summary: Security update for MozillaFirefox, mozilla-nspr and mozilla-nss Severity: important References: 1097410,1106873,1119069,1119105,CVE-2018-0495,CVE-2018-12384,CVE-2018-12404,CVE-2018-12405,CVE-2018-17466,CVE-2018-18492,CVE-2018-18493,CVE-2018-18494,CVE-2018-18498 Description: This update for MozillaFirefox, mozilla-nss and mozilla-nspr fixes the following issues: Issues fixed in MozillaFirefox: - Update to Firefox ESR 60.4 (bsc#1119105) - CVE-2018-17466: Fixed a buffer overflow and out-of-bounds read in ANGLE library with TextureStorage11 - CVE-2018-18492: Fixed a use-after-free with select element - CVE-2018-18493: Fixed a buffer overflow in accelerated 2D canvas with Skia - CVE-2018-18494: Fixed a Same-origin policy violation using location attribute and performance.getEntries to steal cross-origin URLs - CVE-2018-18498: Fixed a integer overflow when calculating buffer sizes for images - CVE-2018-12405: Fixed a few memory safety bugs Issues fixed in mozilla-nss: - Update to NSS 3.40.1 (bsc#1119105) - CVE-2018-12404: Fixed a cache side-channel variant of the Bleichenbacher attack (bsc#1119069) - CVE-2018-12384: Fixed an issue in the SSL handshake. NSS responded to an SSLv2-compatible ClientHello with a ServerHello that had an all-zero random. (bsc#1106873) - CVE-2018-0495: Fixed a memory-cache side-channel attack with ECDSA signatures (bsc#1097410) - Fixed a decryption failure during FFDHE key exchange - Various security fixes in the ASN.1 code Issues fixed in mozilla-nspr: - Update mozilla-nspr to 4.20 (bsc#1119105) ----------------------------------------- Patch: SUSE-2019-23 Released: Mon Jan 7 16:30:33 2019 Summary: Security update for gpg2 Severity: moderate References: 1120346,CVE-2018-1000858 Description: This update for gpg2 fixes the following issue: Security issue fixed: - CVE-2018-1000858: Fixed a Cross Site Request Forgery(CSRF) vulnerability in dirmngr that can result in Attacker controlled CSRF (bsc#1120346). ----------------------------------------- Patch: SUSE-2019-44 Released: Tue Jan 8 13:07:32 2019 Summary: Recommended update for acl Severity: low References: 953659 Description: This update for acl fixes the following issues: - test: Add helper library to fake passwd/group files. - quote: Escape literal backslashes. (bsc#953659) ----------------------------------------- Patch: SUSE-2019-91 Released: Tue Jan 15 14:14:43 2019 Summary: Recommended update for mozilla-nss Severity: moderate References: 1090767,1121045,1121207 Description: This update for mozilla-nss fixes the following issues: - The hmac packages used in FIPS certification inadvertently removed in last update: re-added. (bsc#1121207) - Added 'Suggest:' for libfreebl3 and libsoftokn3 respective -hmac packages to avoid dependency issues during updates (bsc#1090767, bsc#1121045) ----------------------------------------- Patch: SUSE-2019-102 Released: Tue Jan 15 18:02:58 2019 Summary: Recommended update for timezone Severity: moderate References: 1120402 Description: This update for timezone fixes the following issues: - Update 2018i: São Tomé and Príncipe switches from +01 to +00 on 2019-01-01. (bsc#1120402) - Update 2018h: Qyzylorda, Kazakhstan moved from +06 to +05 on 2018-12-21 New zone Asia/Qostanay because Qostanay, Kazakhstan didn't move Metlakatla, Alaska observes PST this winter only Guess Morocco will continue to adjust clocks around Ramadan Add predictions for Iran from 2038 through 2090 ----------------------------------------- Patch: SUSE-2019-137 Released: Mon Jan 21 15:52:45 2019 Summary: Security update for systemd Severity: important References: 1005023,1045723,1076696,1080919,1093753,1101591,1111498,1114933,1117063,1119971,1120323,CVE-2018-16864,CVE-2018-16865,CVE-2018-16866,CVE-2018-6954 Description: This update for systemd provides the following fixes: Security issues fixed: - CVE-2018-16864, CVE-2018-16865: Fixed two memory corruptions through attacker-controlled alloca()s (bsc#1120323) - CVE-2018-16866: Fixed an information leak in journald (bsc#1120323) - CVE-2018-6954: Fix mishandling of symlinks present in non-terminal path components (bsc#1080919) - Fixed an issue during system startup in relation to encrypted swap disks (bsc#1119971) Non-security issues fixed: - pam_systemd: Fix 'Cannot create session: Already running in a session' (bsc#1111498) - systemd-vconsole-setup: vconsole setup fails, fonts will not be copied to tty (bsc#1114933) - systemd-tmpfiles-setup: symlinked /tmp to /var/tmp breaking multiple units (bsc#1045723) - Fixed installation issue with /etc/machine-id during update (bsc#1117063) - btrfs: qgroups are assigned to parent qgroups after reboot (bsc#1093753) - logind: Stop managing VT switches if no sessions are registered on that VT. (bsc#1101591) - udev: Downgrade message when settting inotify watch up fails. (bsc#1005023) - udev: Ignore the exit code of systemd-detect-virt for memory hot-add. In SLE-12-SP3, 80-hotplug-cpu-mem.rules has a memory hot-add rule that uses systemd-detect-virt to detect non-zvm environment. The systemd-detect-virt returns exit failure code when it detected _none_ state. The exit failure code causes that the hot-add memory block can not be set to online. (bsc#1076696) ----------------------------------------- Patch: SUSE-2019-215 Released: Thu Jan 31 15:59:57 2019 Summary: Security update for python3 Severity: important References: 1120644,1122191,CVE-2018-20406,CVE-2019-5010 Description: This update for python3 fixes the following issues: Security issue fixed: - CVE-2019-5010: Fixed a denial-of-service vulnerability in the X509 certificate parser (bsc#1122191) - CVE-2018-20406: Fixed a integer overflow via a large LONG_BINPUT (bsc#1120644) ----------------------------------------- Patch: SUSE-2019-247 Released: Wed Feb 6 07:18:45 2019 Summary: Security update for lua53 Severity: moderate References: 1123043,CVE-2019-6706 Description: This update for lua53 fixes the following issues: Security issue fixed: - CVE-2019-6706: Fixed a use-after-free bug in the lua_upvaluejoin function of lapi.c (bsc#1123043) ----------------------------------------- Patch: SUSE-2019-273 Released: Wed Feb 6 16:48:18 2019 Summary: Security update for MozillaFirefox Severity: important References: 1119069,1120374,1122983,CVE-2018-12404,CVE-2018-18500,CVE-2018-18501,CVE-2018-18505 Description: This update for MozillaFirefox, mozilla-nss fixes the following issues: Security issues fixed: - CVE-2018-18500: Fixed a use-after-free parsing HTML5 stream (bsc#1122983). - CVE-2018-18501: Fixed multiple memory safety bugs (bsc#1122983). - CVE-2018-18505: Fixed a privilege escalation through IPC channel messages (bsc#1122983). - CVE-2018-12404: Cache side-channel variant of the Bleichenbacher attack (bsc#1119069). Non-security issue fixed: - Update to MozillaFirefox ESR 60.5.0 - Update to mozilla-nss 3.41.1 ----------------------------------------- Patch: SUSE-2019-369 Released: Wed Feb 13 14:01:42 2019 Summary: Recommended update for itstool Severity: moderate References: 1065270,1111019 Description: This update for itstool and python-libxml2-python fixes the following issues: Package: itstool - Updated version to support Python3. (bnc#1111019) Package: python-libxml2-python - Fix segfault when parsing invalid data. (bsc#1065270) ----------------------------------------- Patch: SUSE-2019-426 Released: Mon Feb 18 17:46:55 2019 Summary: Security update for systemd Severity: important References: 1117025,1121563,1122000,1123333,1123727,1123892,1124153,1125352,CVE-2019-6454 Description: This update for systemd fixes the following issues: - CVE-2019-6454: Overlong DBUS messages could be used to crash systemd (bsc#1125352) - units: make sure initrd-cleanup.service terminates before switching to rootfs (bsc#1123333) - logind: fix bad error propagation - login: log session state 'closing' (as well as New/Removed) - logind: fix borked r check - login: don't remove all devices from PID1 when only one was removed - login: we only allow opening character devices - login: correct comment in session_device_free() - login: remember that fds received from PID1 need to be removed eventually - login: fix FDNAME in call to sd_pid_notify_with_fds() - logind: fd 0 is a valid fd - logind: rework sd_eviocrevoke() - logind: check file is device node before using .st_rdev - logind: use the new FDSTOREREMOVE=1 sd_notify() message (bsc#1124153) - core: add a new sd_notify() message for removing fds from the FD store again - logind: make sure we don't trip up on half-initialized session devices (bsc#1123727) - fd-util: accept that kcmp might fail with EPERM/EACCES - core: Fix use after free case in load_from_path() (bsc#1121563) - core: include Found state in device dumps - device: fix serialization and deserialization of DeviceFound - fix path in btrfs rule (#6844) - assemble multidevice btrfs volumes without external tools (#6607) (bsc#1117025) - Update systemd-system.conf.xml (bsc#1122000) - units: inform user that the default target is started after exiting from rescue or emergency mode - core: free lines after reading them (bsc#1123892) - sd-bus: if we receive an invalid dbus message, ignore and proceeed - automount: don't pass non-blocking pipe to kernel. ----------------------------------------- Patch: SUSE-2019-571 Released: Thu Mar 7 18:13:46 2019 Summary: Security update for file Severity: moderate References: 1096974,1096984,1126117,1126118,1126119,CVE-2018-10360,CVE-2019-8905,CVE-2019-8906,CVE-2019-8907 Description: This update for file fixes the following issues: The following security vulnerabilities were addressed: - CVE-2018-10360: Fixed an out-of-bounds read in the function do_core_note in readelf.c, which allowed remote attackers to cause a denial of service (application crash) via a crafted ELF file (bsc#1096974) - CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c (bsc#1126118) - CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf. c (bsc#1126119) - CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c (bsc#1126117) ----------------------------------------- Patch: SUSE-2019-641 Released: Tue Mar 19 13:17:28 2019 Summary: Recommended update for glibc Severity: moderate References: 1112570,1114984,1114993 Description: This update for glibc provides the following fixes: - Fix Haswell CPU string flags. (bsc#1114984) - Fix waiters-after-spinning case. (bsc#1114993) - Do not relocate absolute symbols. (bsc#1112570) - Add glibc-locale-base subpackage containing only C, C.UTF-8 and en_US.UTF-8 locales. (fate#326551) - Add HWCAP_ATOMICS to HWCAP_IMPORTANT (fate#325962) - Remove slow paths from math routines. (fate#325815, fate#325879, fate#325880, fate#325881, fate#325882) ----------------------------------------- Patch: SUSE-2019-700 Released: Thu Mar 21 19:54:00 2019 Summary: Recommended update for cyrus-sasl Severity: moderate References: 1044840 Description: This update for cyrus-sasl provides the following fix: - Fix a problem that was causing syslog to be polluted with messages 'GSSAPI client step 1'. By server context the connection will be sent to the log function but the client content does not have log level information, so there is no way to stop DEBUG level logs. (bsc#1044840) ----------------------------------------- Patch: SUSE-2019-713 Released: Fri Mar 22 15:55:05 2019 Summary: Recommended update for glibc Severity: moderate References: 1063675,1126590 Description: This update for glibc fixes the following issues: - Add MAP_SYNC from Linux 4.15 (bsc#1126590) - Add MAP_SHARED_VALIDATE from Linux 4.15 (bsc#1126590) - nptl: Preserve error in setxid thread broadcast in coredumps (bsc#1063675, BZ #22153) ----------------------------------------- Patch: SUSE-2019-732 Released: Mon Mar 25 14:10:04 2019 Summary: Recommended update for aaa_base Severity: moderate References: 1088524,1118364,1128246 Description: This update for aaa_base fixes the following issues: - Restore old position of ssh/sudo source of profile (bsc#1118364). - Update logic for JRE_HOME env variable (bsc#1128246) ----------------------------------------- Patch: SUSE-2019-788 Released: Thu Mar 28 11:55:06 2019 Summary: Security update for sqlite3 Severity: moderate References: 1119687,CVE-2018-20346 Description: This update for sqlite3 to version 3.27.2 fixes the following issue: Security issue fixed: - CVE-2018-20346: Fixed a remote code execution vulnerability in FTS3 (Magellan) (bsc#1119687). Release notes: https://www.sqlite.org/releaselog/3_27_2.html ----------------------------------------- Patch: SUSE-2019-790 Released: Thu Mar 28 12:06:17 2019 Summary: Recommended update for timezone Severity: moderate References: 1130557 Description: This update for timezone fixes the following issues: timezone was updated 2019a: * Palestine 'springs forward' on 2019-03-30 instead of 2019-03-23 * Metlakatla 'fell back' to rejoin Alaska Time on 2019-01-20 at 02:00 * Israel observed DST in 1980 (08-02/09-13) and 1984 (05-05/08-25) * zic now has an -r option to limit the time range of output data ----------------------------------------- Patch: SUSE-2019-791 Released: Thu Mar 28 12:06:50 2019 Summary: Security update for libnettle Severity: moderate References: 1129598 Description: This update for libnettle to version 3.4.1 fixes the following issues: Issues addressed and new features: - Updated to 3.4.1 (fate#327114 and bsc#1129598) - Fixed a missing break statements in the parsing of PEM input files in pkcs1-conv. - Fixed a link error on the pss-mgf1-test which was affecting builds without public key support. - All functions using RSA private keys are now side-channel silent. This applies both to the bignum calculations, which now use GMP's mpn_sec_* family of functions, and the processing of PKCS#1 padding needed for RSA decryption. - Changes in behavior: The functions rsa_decrypt and rsa_decrypt_tr may now clobber all of the provided message buffer, independent of the actual message length. They are side-channel silent, in that branches and memory accesses don't depend on the validity or length of the message. Side-channel leakage from the caller's use of length and return value may still provide an oracle useable for a Bleichenbacher-style chosen ciphertext attack. Which is why the new function rsa_sec_decrypt is recommended. ----------------------------------------- Patch: SUSE-2019-858 Released: Wed Apr 3 15:50:37 2019 Summary: Recommended update for libtirpc Severity: moderate References: 1120689,1126096 Description: This update for libtirpc fixes the following issues: - Fix a yp_bind_client_create_v3: RPC: Unknown host error (bsc#1126096). - add an option to enforce connection via protocol version 2 first (bsc#1120689). ----------------------------------------- Patch: SUSE-2019-903 Released: Mon Apr 8 15:41:44 2019 Summary: Security update for glibc Severity: moderate References: 1100396,1122729,1130045,CVE-2016-10739 Description: This update for glibc fixes the following issues: Security issue fixed: - CVE-2016-10739: Fixed an improper implementation of getaddrinfo function which could allow applications to incorrectly assume that had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings (bsc#1122729). Other issue fixed: - Fixed an issue where pthread_mutex_trylock did not use a correct order of instructions while maintained the robust mutex list due to missing compiler barriers (bsc#1130045). - Added new Japanese Era name support (bsc#1100396). ----------------------------------------- Patch: SUSE-2019-966 Released: Wed Apr 17 12:20:13 2019 Summary: Recommended update for python-rpm-macros Severity: moderate References: 1128323 Description: This update for python-rpm-macros fixes the following issues: The Python RPM macros were updated to version 20190408.32abece, fixing bugs (bsc#1128323) * Add missing $ expansion on the pytest call * Rewrite pytest and pytest_arch into Lua macros with multiple arguments. * We should preserve existing PYTHONPATH. * Add --ignore to pytest calls to ignore build directories. * Actually make pytest into function to capture arguments as well * Add pytest definitions. * Use upstream-recommended %{_rpmconfigdir}/macros.d directory for the rpm macros. * Fix an issue with epoch printing having too many \ * add epoch while printing 'Provides:' ----------------------------------------- Patch: SUSE-2019-971 Released: Wed Apr 17 14:43:26 2019 Summary: Security update for python3 Severity: important References: 1129346,CVE-2019-9636 Description: This update for python3 fixes the following issues: Security issue fixed: - CVE-2019-9636: Fixed an information disclosure because of incorrect handling of Unicode encoding during NFKC normalization (bsc#1129346). ----------------------------------------- Patch: SUSE-2019-1002 Released: Wed Apr 24 10:13:34 2019 Summary: Recommended update for zlib Severity: moderate References: 1110304,1129576 Description: This update for zlib fixes the following issues: - Fixes a segmentation fault error (bsc#1110304, bsc#1129576) ----------------------------------------- Patch: SUSE-2019-1040 Released: Thu Apr 25 17:09:21 2019 Summary: Security update for samba Severity: important References: 1114407,1124223,1125410,1126377,1131060,1131686,CVE-2019-3880 Description: This update for samba fixes the following issues: Security issue fixed: - CVE-2019-3880: Fixed a path/symlink traversal vulnerability, which allowed an unprivileged user to save registry files outside a share (bsc#1131060). ldb was updated to version 1.2.4 (bsc#1125410 bsc#1131686): - Out of bound read in ldb_wildcard_compare - Hold at most 10 outstanding paged result cookies - Put 'results_store' into a doubly linked list - Refuse to build Samba against a newer minor version of ldb Non-security issues fixed: - Fixed update-apparmor-samba-profile script after apparmor switched to using named profiles (bsc#1126377). - Abide to the load_printers parameter in smb.conf (bsc#1124223). - Provide the 32bit samba winbind PAM module and its dependend 32bit libraries. ----------------------------------------- Patch: SUSE-2019-1127 Released: Thu May 2 09:39:24 2019 Summary: Security update for sqlite3 Severity: moderate References: 1130325,1130326,CVE-2019-9936,CVE-2019-9937 Description: This update for sqlite3 to version 3.28.0 fixes the following issues: Security issues fixed: - CVE-2019-9936: Fixed a heap-based buffer over-read, when running fts5 prefix queries inside transaction (bsc#1130326). - CVE-2019-9937: Fixed a denial of service related to interleaving reads and writes in a single transaction with an fts5 virtual table (bsc#1130325). ----------------------------------------- Patch: SUSE-2019-1206 Released: Fri May 10 14:01:55 2019 Summary: Security update for bzip2 Severity: low References: 985657,CVE-2016-3189 Description: This update for bzip2 fixes the following issues: Security issue fixed: - CVE-2016-3189: Fixed a use-after-free in bzip2recover (bsc#985657). ----------------------------------------- Patch: SUSE-2019-1312 Released: Wed May 22 12:19:12 2019 Summary: Recommended update for aaa_base Severity: moderate References: 1096191 Description: This update for aaa_base fixes the following issue: * Shell detection in /etc/profile and /etc/bash.bashrc was broken within AppArmor-confined containers (bsc#1096191) ----------------------------------------- Patch: SUSE-2019-1352 Released: Fri May 24 14:41:44 2019 Summary: Security update for python3 Severity: moderate References: 1130840,1133452,CVE-2019-9947 Description: This update for python3 to version 3.6.8 fixes the following issues: Security issue fixed: - CVE-2019-9947: Fixed an issue in urllib2 which allowed CRLF injection if the attacker controls a url parameter (bsc#1130840). Non-security issue fixed: - Fixed broken debuginfo packages by switching off LTO and PGO optimization (bsc#1133452). ----------------------------------------- Patch: SUSE-2019-1364 Released: Tue May 28 10:51:38 2019 Summary: Security update for systemd Severity: moderate References: 1036463,1121563,1124122,1125352,1125604,1126056,1127557,1130230,1132348,1132400,1132721,1133506,1133509,CVE-2019-3842,CVE-2019-3843,CVE-2019-3844,CVE-2019-6454,SLE-5933 Description: This update for systemd fixes the following issues: Security issues fixed: - CVE-2019-3842: Fixed a privilege escalation in pam_systemd which could be exploited by a local user (bsc#1132348). - CVE-2019-6454: Fixed a denial of service via crafted D-Bus message (bsc#1125352). - CVE-2019-3843, CVE-2019-3844: Fixed a privilege escalation where services with DynamicUser could gain new privileges or create SUID/SGID binaries (bsc#1133506, bsc#1133509). Non-security issued fixed: - logind: fix killing of scopes (bsc#1125604) - namespace: make MountFlags=shared work again (bsc#1124122) - rules: load drivers only on 'add' events (bsc#1126056) - sysctl: Don't pass null directive argument to '%s' (bsc#1121563) - systemd-coredump: generate a stack trace of all core dumps and log into the journal (jsc#SLE-5933) - udevd: notify when max number value of children is reached only once per batch of events (bsc#1132400) - sd-bus: bump message queue size again (bsc#1132721) - Do not automatically online memory on s390x (bsc#1127557) - Removed sg.conf (bsc#1036463) ----------------------------------------- Patch: SUSE-2019-1368 Released: Tue May 28 13:15:38 2019 Summary: Recommended update for sles12sp3-docker-image, sles12sp4-image, system-user-root Severity: important References: 1134524,CVE-2019-5021 Description: This update for sles12sp3-docker-image, sles12sp4-image, system-user-root fixes the following issues: - CVE-2019-5021: Include an invalidated root password by default, not an empty one (bsc#1134524) ----------------------------------------- Patch: SUSE-2019-1372 Released: Tue May 28 16:53:28 2019 Summary: Security update for libtasn1 Severity: moderate References: 1105435,CVE-2018-1000654 Description: This update for libtasn1 fixes the following issues: Security issue fixed: - CVE-2018-1000654: Fixed a denial of service in the asn1 parser (bsc#1105435). ----------------------------------------- Patch: SUSE-2019-1484 Released: Thu Jun 13 07:46:46 2019 Summary: Recommended update for e2fsprogs Severity: moderate References: 1128383 Description: This update for e2fsprogs fixes the following issues: - Check and fix tails of all bitmap blocks (bsc#1128383) ----------------------------------------- Patch: SUSE-2019-1486 Released: Thu Jun 13 09:40:24 2019 Summary: Security update for elfutils Severity: moderate References: 1033084,1033085,1033086,1033087,1033088,1033089,1033090,1106390,1107066,1107067,1111973,1112723,1112726,1123685,1125007,CVE-2017-7607,CVE-2017-7608,CVE-2017-7609,CVE-2017-7610,CVE-2017-7611,CVE-2017-7612,CVE-2017-7613,CVE-2018-16062,CVE-2018-16402,CVE-2018-16403,CVE-2018-18310,CVE-2018-18520,CVE-2018-18521,CVE-2019-7150,CVE-2019-7665 Description: This update for elfutils fixes the following issues: Security issues fixed: - CVE-2017-7607: Fixed a heap-based buffer overflow in handle_gnu_hash (bsc#1033084) - CVE-2017-7608: Fixed a heap-based buffer overflow in ebl_object_note_type_name() (bsc#1033085) - CVE-2017-7609: Fixed a memory allocation failure in __libelf_decompress (bsc#1033086) - CVE-2017-7610: Fixed a heap-based buffer overflow in check_group (bsc#1033087) - CVE-2017-7611: Fixed a denial of service via a crafted ELF file (bsc#1033088) - CVE-2017-7612: Fixed a denial of service in check_sysv_hash() via a crafted ELF file (bsc#1033089) - CVE-2017-7613: Fixed denial of service caused by the missing validation of the number of sections and the number of segments in a crafted ELF file (bsc#1033090) - CVE-2018-16062: Fixed a heap-buffer overflow in /elfutils/libdw/dwarf_getaranges.c:156 (bsc#1106390) - CVE-2018-16402: Fixed a denial of service/double free on an attempt to decompress the same section twice (bsc#1107066) - CVE-2018-16403: Fixed a heap buffer overflow in readelf (bsc#1107067) - CVE-2018-18310: Fixed an invalid address read problem in dwfl_segment_report_module.c (bsc#1111973) - CVE-2018-18520: Fixed bad handling of ar files inside are files (bsc#1112726) - CVE-2018-18521: Fixed a denial of service vulnerabilities in the function arlib_add_symbols() used by eu-ranlib (bsc#1112723) - CVE-2019-7150: dwfl_segment_report_module doesn't check whether the dyn data read from core file is truncated (bsc#1123685) - CVE-2019-7665: NT_PLATFORM core file note should be a zero terminated string (bsc#1125007) ----------------------------------------- Patch: SUSE-2019-1631 Released: Fri Jun 21 11:17:21 2019 Summary: Recommended update for xz Severity: low References: 1135709 Description: This update for xz fixes the following issues: Add SUSE-Public-Domain licence as some parts of xz utils (liblzma, xz, xzdec, lzmadec, documentation, translated messages, tests, debug, extra directory) are in public domain licence [bsc#1135709] ----------------------------------------- Patch: SUSE-2019-1635 Released: Fri Jun 21 12:45:53 2019 Summary: Recommended update for krb5 Severity: moderate References: 1134217 Description: This update for krb5 provides the following fix: - Move LDAP schema files from /usr/share/doc/packages/krb5 to /usr/share/kerberos/ldap. (bsc#1134217) ----------------------------------------- Patch: SUSE-2019-1700 Released: Tue Jun 25 13:19:21 2019 Summary: Security update for libssh Severity: moderate References: 1134193 Description: This update for libssh fixes the following issue: Issue addressed: - Added support for new AES-GCM encryption types (bsc#1134193). ----------------------------------------- Patch: SUSE-2019-1808 Released: Wed Jul 10 13:16:29 2019 Summary: Recommended update for libgcrypt Severity: moderate References: 1133808 Description: This update for libgcrypt fixes the following issues: - Fixed redundant fips tests in some situations causing sudo to stop working when pam-kwallet is installed. bsc#1133808 ----------------------------------------- Patch: SUSE-2019-1815 Released: Thu Jul 11 07:47:55 2019 Summary: Recommended update for timezone Severity: moderate References: 1140016 Description: This update for timezone fixes the following issues: - Timezone update 2019b. (bsc#1140016): - Brazil no longer observes DST. - 'zic -b slim' outputs smaller TZif files. - Palestine's 2019 spring-forward transition was on 03-29, not 03-30. - Add info about the Crimea situation. ----------------------------------------- Patch: SUSE-2019-1835 Released: Fri Jul 12 18:06:31 2019 Summary: Security update for expat Severity: moderate References: 1139937,CVE-2018-20843 Description: This update for expat fixes the following issues: Security issue fixed: - CVE-2018-20843: Fixed a denial of service triggered by high resource consumption in the XML parser when XML names contain a large amount of colons (bsc#1139937). ----------------------------------------- Patch: SUSE-2019-1846 Released: Mon Jul 15 11:36:33 2019 Summary: Security update for bzip2 Severity: important References: 1139083,CVE-2019-12900 Description: This update for bzip2 fixes the following issues: Security issue fixed: - CVE-2019-12900: Fixed an out-of-bounds write in decompress.c with many selectors (bsc#1139083). ----------------------------------------- Patch: SUSE-2019-1853 Released: Mon Jul 15 16:03:36 2019 Summary: Recommended update for systemd Severity: moderate References: 1107617,1137053 Description: This update for systemd fixes the following issues: - conf-parse: remove 4K line length limit (bsc#1137053) - udevd: change the default value of udev.children-max (again) (bsc#1107617) - meson: stop creating enablement symlinks in /etc during installation (sequel) - Fixed build for openSUSE Leap 15+ - Make sure we don't ship any static enablement symlinks in /etc Those symlinks must only be created by the presets. There are no changes in practice since systemd/udev doesn't ship such symlinks in /etc but let's make sure no future changes will introduce new ones by mistake. ----------------------------------------- Patch: SUSE-2019-1869 Released: Wed Jul 17 14:03:20 2019 Summary: Security update for MozillaFirefox Severity: important References: 1140868,CVE-2019-11709,CVE-2019-11711,CVE-2019-11712,CVE-2019-11713,CVE-2019-11715,CVE-2019-11717,CVE-2019-11719,CVE-2019-11729,CVE-2019-11730,CVE-2019-9811 Description: This update for MozillaFirefox, mozilla-nss fixes the following issues: MozillaFirefox to version ESR 60.8: - CVE-2019-9811: Sandbox escape via installation of malicious language pack (bsc#1140868). - CVE-2019-11711: Script injection within domain through inner window reuse (bsc#1140868). - CVE-2019-11712: Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects (bsc#1140868). - CVE-2019-11713: Use-after-free with HTTP/2 cached stream (bsc#1140868). - CVE-2019-11729: Empty or malformed p256-ECDH public keys may trigger a segmentation fault (bsc#1140868). - CVE-2019-11715: HTML parsing error can contribute to content XSS (bsc#1140868). - CVE-2019-11717: Caret character improperly escaped in origins (bsc#1140868). - CVE-2019-11719: Out-of-bounds read when importing curve25519 private key (bsc#1140868). - CVE-2019-11730: Same-origin policy treats all files in a directory as having the same-origin (bsc#1140868). - CVE-2019-11709: Multiple Memory safety bugs fixed (bsc#1140868). mozilla-nss to version 3.44.1: * Added IPSEC IKE support to softoken * Many new FIPS test cases ----------------------------------------- Patch: SUSE-2019-1877 Released: Thu Jul 18 11:31:46 2019 Summary: Security update for glibc Severity: moderate References: 1117993,1123710,1127223,1127308,1131330,CVE-2009-5155,CVE-2019-9169 Description: This update for glibc fixes the following issues: Security issues fixed: - CVE-2019-9169: Fixed a heap-based buffer over-read via an attempted case-insensitive regular-expression match (bsc#1127308). - CVE-2009-5155: Fixed a denial of service in parse_reg_exp() (bsc#1127223). Non-security issues fixed: - Does no longer compress debug sections in crt*.o files (bsc#1123710) - Fixes a concurrency problem in ldconfig (bsc#1117993) - Fixes a race condition in pthread_mutex_lock while promoting to PTHREAD_MUTEX_ELISION_NP (bsc#1131330) ----------------------------------------- Patch: SUSE-2019-1971 Released: Thu Jul 25 14:58:52 2019 Summary: Security update for libgcrypt Severity: moderate References: 1138939,CVE-2019-12904 Description: This update for libgcrypt fixes the following issues: Security issue fixed: - CVE-2019-12904: Fixed a flush-and-reload side-channel attack in the AES implementation (bsc#1138939). ----------------------------------------- Patch: SUSE-2019-1994 Released: Fri Jul 26 16:12:05 2019 Summary: Recommended update for libxml2 Severity: moderate References: 1135123 Description: This update for libxml2 fixes the following issues: - Added a new configurable variable XPATH_DEFAULT_MAX_NODESET_LENGTH to avoid nodeset limit when processing large XML files. (bsc#1135123) ----------------------------------------- Patch: SUSE-2019-2004 Released: Mon Jul 29 13:01:59 2019 Summary: Security update for bzip2 Severity: important References: 1139083,CVE-2019-12900 Description: This update for bzip2 fixes the following issues: - Fixed a regression with the fix for CVE-2019-12900, which caused incompatibilities with files that used many selectors (bsc#1139083). ----------------------------------------- Patch: SUSE-2019-2006 Released: Mon Jul 29 13:02:49 2019 Summary: Security update for gpg2 Severity: important References: 1124847,1141093,CVE-2019-13050 Description: This update for gpg2 fixes the following issues: Security issue fixed: - CVE-2019-13050: Fixed a denial of service attacks via big keys (bsc#1141093). Non-security issue fixed: - Allow coredumps in X11 desktop sessions (bsc#1124847) ----------------------------------------- Patch: SUSE-2019-2050 Released: Tue Aug 6 09:42:37 2019 Summary: Security update for python3 Severity: important References: 1094814,1138459,1141853,CVE-2018-20852,CVE-2019-10160 Description: This update for python3 fixes the following issues: Security issue fixed: - CVE-2019-10160: Fixed a regression in urlparse() and urlsplit() introduced by the fix for CVE-2019-9636 (bsc#1138459). - CVE-2018-20852: Fixed an information leak where cookies could be send to the wrong server because of incorrect domain validation (bsc#1141853). Non-security issue fixed: - Fixed an issue where the SIGINT signal was ignored or not handled (bsc#1094814). ----------------------------------------- Patch: SUSE-2019-2097 Released: Fri Aug 9 09:31:17 2019 Summary: Recommended update for libgcrypt Severity: important References: 1097073 Description: This update for libgcrypt fixes the following issues: - Fixed a regression where system were unable to boot in fips mode, caused by an incomplete implementation of previous change (bsc#1097073). ----------------------------------------- Patch: SUSE-2019-2134 Released: Wed Aug 14 11:54:56 2019 Summary: Recommended update for zlib Severity: moderate References: 1136717,1137624,1141059,SLE-5807 Description: This update for zlib fixes the following issues: - Update the s390 patchset. (bsc#1137624) - Tweak zlib-power8 to have type of crc32_vpmsum conform to usage. (bsc#1141059) - Use FAT LTO objects in order to provide proper static library. - Do not enable the previous patchset on s390 but just s390x. (bsc#1137624) - Add patchset for s390 improvements. (jsc#SLE-5807, bsc#1136717) ----------------------------------------- Patch: SUSE-2019-2142 Released: Wed Aug 14 18:14:04 2019 Summary: Recommended update for mozilla-nspr, mozilla-nss Severity: moderate References: 1141322 Description: This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nss was updated to NSS 3.45 (bsc#1141322) : * New function in pk11pub.h: PK11_FindRawCertsWithSubject * The following CA certificates were Removed: CN = Certinomis - Root CA (bmo#1552374) * Implement Delegated Credentials (draft-ietf-tls-subcerts) (bmo#1540403) This adds a new experimental function SSL_DelegateCredential Note: In 3.45, selfserv does not yet support delegated credentials (See bmo#1548360). Note: In 3.45 the SSLChannelInfo is left unmodified, while an upcoming change in 3.46 will set SSLChannelInfo.authKeyBits to that of the delegated credential for better policy enforcement (See bmo#1563078). * Replace ARM32 Curve25519 implementation with one from fiat-crypto (bmo#1550579) * Expose a function PK11_FindRawCertsWithSubject for finding certificates with a given subject on a given slot (bmo#1552262) * Add IPSEC IKE support to softoken (bmo#1546229) * Add support for the Elbrus lcc compiler (<=1.23) (bmo#1554616) * Expose an external clock for SSL (bmo#1543874) This adds new experimental functions: SSL_SetTimeFunc, SSL_CreateAntiReplayContext, SSL_SetAntiReplayContext, and SSL_ReleaseAntiReplayContext. The experimental function SSL_InitAntiReplay is removed. * Various changes in response to the ongoing FIPS review (bmo#1546477) Note: The source package size has increased substantially due to the new FIPS test vectors. This will likely prompt follow-on work, but please accept our apologies in the meantime. mozilla-nspr was updated to version 4.21 * Changed prbit.h to use builtin function on aarch64. * Removed Gonk/B2G references. ----------------------------------------- Patch: SUSE-2019-2188 Released: Wed Aug 21 10:10:29 2019 Summary: Recommended update for aaa_base Severity: moderate References: 1140647 Description: This update for aaa_base fixes the following issues: - Make systemd detection cgroup oblivious. (bsc#1140647) ----------------------------------------- Patch: SUSE-2019-2218 Released: Mon Aug 26 11:29:57 2019 Summary: Recommended update for pinentry Severity: moderate References: 1141883 Description: This update for pinentry fixes the following issues: - Fix a dangling pointer in qt/main.cpp that caused crashes. (bsc#1141883) ----------------------------------------- Patch: SUSE-2019-2307 Released: Thu Sep 5 14:45:08 2019 Summary: Security update for util-linux and shadow Severity: moderate References: 1081947,1082293,1085196,1106214,1121197,1122417,1125886,1127701,1135534,1135708,1141113,353876 Description: This update for util-linux and shadow fixes the following issues: util-linux: - Fixed an issue where PATH settings in /etc/default/su being ignored (bsc#1121197) - Prevent outdated pam files (bsc#1082293). - De-duplicate fstrim -A properly (bsc#1127701). - Do not trim read-only volumes (bsc#1106214). - Integrate pam_keyinit pam module to login (bsc#1081947). - Perform one-time reset of /etc/default/su (bsc#1121197). - Fix problems in reading of login.defs values (bsc#1121197) - libmount: To prevent incorrect behavior, recognize more pseudofs and netfs (bsc#1122417). - raw.service: Add RemainAfterExit=yes (bsc#1135534). - agetty: Return previous response of agetty for special characters (bsc#1085196, bsc#1125886) - libmount: print a blacklist hint for 'unknown filesystem type' (jsc#SUSE-4085, fate#326832) - Fix /etc/default/su comments and create /etc/default/runuser (bsc#1121197). shadow: - Fixed an issue where PATH settings in /etc/default/su being ignored (bsc#1121197) - Fix segfault in useradd during setting password inactivity period. (bsc#1141113) - Hardening for su wrappers (bsc#353876) ----------------------------------------- Patch: SUSE-2019-2361 Released: Thu Sep 12 07:54:54 2019 Summary: Recommended update for krb5 Severity: moderate References: 1081947,1144047 Description: This update for krb5 contains the following fixes: - Integrate pam_keyinit PAM module, ksu-pam.d. (bsc#1081947) ----------------------------------------- Patch: SUSE-2019-2395 Released: Wed Sep 18 08:31:38 2019 Summary: Security update for openldap2 Severity: moderate References: 1073313,1111388,1114845,1143194,1143273,CVE-2017-17740,CVE-2019-13057,CVE-2019-13565 Description: This update for openldap2 fixes the following issues: Security issue fixed: - CVE-2019-13565: Fixed an authentication bypass when using SASL authentication and session encryption (bsc#1143194). - CVE-2019-13057: Fixed an issue with delegated database admin privileges (bsc#1143273). - CVE-2017-17740: When both the nops module and the member of overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. (bsc#1073313) Non-security issues fixed: - Fixed broken shebang line in openldap_update_modules_path.sh (bsc#1114845). - Create files in /var/lib/ldap/ during initial start to allow for transactional updates (bsc#1111388) - Fixed incorrect post script call causing tmpfiles creation not to be run (bsc#1111388). ----------------------------------------- Patch: SUSE-2019-2423 Released: Fri Sep 20 16:41:45 2019 Summary: Recommended update for aaa_base Severity: moderate References: 1146866,SLE-9132 Description: This update for aaa_base fixes the following issues: Added sysctl.d/51-network.conf to tighten network security (bsc#1146866) (jira#SLE-9132) Following settings have been tightened (and set to 0): - net.ipv4.conf.all.accept_redirects - net.ipv4.conf.default.accept_redirects - net.ipv4.conf.default.accept_source_route - net.ipv6.conf.all.accept_redirects - net.ipv6.conf.default.accept_redirects ----------------------------------------- Patch: SUSE-2019-2429 Released: Mon Sep 23 09:28:40 2019 Summary: Security update for expat Severity: moderate References: 1149429,CVE-2019-15903 Description: This update for expat fixes the following issues: Security issues fixed: - CVE-2019-15903: Fixed heap-based buffer over-read caused by crafted XML input. (bsc#1149429) ----------------------------------------- Patch: SUSE-2019-2483 Released: Fri Sep 27 14:16:23 2019 Summary: Optional update for python3-google-api-python-client, python3-httplib2, python3-oauth2client, and python3-uritemplate. Severity: low References: 1088358 Description: This update ships python3-google-api-python-client, python3-httplib2, python3-oauth2client, and python3-uritemplate for the SUSE Linux Enterprise Public Cloud 15 module. ----------------------------------------- Patch: SUSE-2019-2533 Released: Thu Oct 3 15:02:50 2019 Summary: Security update for sqlite3 Severity: moderate References: 1150137,CVE-2019-16168 Description: This update for sqlite3 fixes the following issues: Security issue fixed: - CVE-2019-16168: Fixed improper validation of sqlite_stat1 field that could lead to denial of service (bsc#1150137). ----------------------------------------- Patch: SUSE-2019-2676 Released: Tue Oct 15 21:06:54 2019 Summary: Recommended update for e2fsprogs Severity: moderate References: 1145716,1152101,CVE-2019-5094 Description: This update for e2fsprogs fixes the following issues: Security issue fixed: - CVE-2019-5094: Fixed an arbitrary code execution via specially crafted ext4 file systems. (bsc#1152101) Non-security issue fixed: - libext2fs: Call fsync(2) to clear stale errors for a new a unix I/O channel. (bsc#1145716) ----------------------------------------- Patch: SUSE-2019-2681 Released: Tue Oct 15 22:01:40 2019 Summary: Recommended update for libdb-4_8 Severity: moderate References: 1148244 Description: This update for libdb-4_8 fixes the following issues: - Add off-page deadlock patch as found and documented by Red Hat. (bsc#1148244) ----------------------------------------- Patch: SUSE-2019-2730 Released: Mon Oct 21 16:04:57 2019 Summary: Security update for procps Severity: important References: 1092100,1121753,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126 Description: This update for procps fixes the following issues: procps was updated to 3.3.15. (bsc#1092100) Following security issues were fixed: - CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100). - CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps maped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100). - CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100). - CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100). - CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100). Also this non-security issue was fixed: - Fix CPU summary showing old data. (bsc#1121753) The update to 3.3.15 contains the following fixes: * library: Increment to 8:0:1 No removals, no new functions Changes: slab and pid structures * library: Just check for SIGLOST and don't delete it * library: Fix integer overflow and LPE in file2strvec CVE-2018-1124 * library: Use size_t for alloc functions CVE-2018-1126 * library: Increase comm size to 64 * pgrep: Fix stack-based buffer overflow CVE-2018-1125 * pgrep: Remove >15 warning as comm can be longer * ps: Fix buffer overflow in output buffer, causing DOS CVE-2018-1123 * ps: Increase command name selection field to 64 * top: Don't use cwd for location of config CVE-2018-1122 * update translations * library: build on non-glibc systems * free: fix scaling on 32-bit systems * Revert 'Support running with child namespaces' * library: Increment to 7:0:1 No changes, no removals New fuctions: numa_init, numa_max_node, numa_node_of_cpu, numa_uninit, xalloc_err_handler * doc: Document I idle state in ps.1 and top.1 * free: fix some of the SI multiples * kill: -l space between name parses correctly * library: dont use vm_min_free on non Linux * library: don't strip off wchan prefixes (ps & top) * pgrep: warn about 15+ char name only if -f not used * pgrep/pkill: only match in same namespace by default * pidof: specify separator between pids * pkill: Return 0 only if we can kill process * pmap: fix duplicate output line under '-x' option * ps: avoid eip/esp address truncations * ps: recognizes SCHED_DEADLINE as valid CPU scheduler * ps: display NUMA node under which a thread ran * ps: Add seconds display for cputime and time * ps: Add LUID field * sysctl: Permit empty string for value * sysctl: Don't segv when file not available * sysctl: Read and write large buffers * top: add config file support for XDG specification * top: eliminated minor libnuma memory leak * top: show fewer memory decimal places (configurable) * top: provide command line switch for memory scaling * top: provide command line switch for CPU States * top: provides more accurate cpu usage at startup * top: display NUMA node under which a thread ran * top: fix argument parsing quirk resulting in SEGV * top: delay interval accepts non-locale radix point * top: address a wishlist man page NLS suggestion * top: fix potential distortion in 'Mem' graph display * top: provide proper multi-byte string handling * top: startup defaults are fully customizable * watch: define HOST_NAME_MAX where not defined * vmstat: Fix alignment for disk partition format * watch: Support ANSI 39,49 reset sequences ----------------------------------------- Patch: SUSE-2019-2757 Released: Wed Oct 23 17:21:17 2019 Summary: Security update for lz4 Severity: moderate References: 1153936,CVE-2019-17543 Description: This update for lz4 fixes the following issues: - CVE-2019-17543: Fixed a heap-based buffer overflow in LZ4_write32 (bsc#1153936). ----------------------------------------- Patch: SUSE-2019-2762 Released: Thu Oct 24 07:08:44 2019 Summary: Recommended update for timezone Severity: moderate References: 1150451 Description: This update for timezone fixes the following issues: - Fiji observes DST from 2019-11-10 to 2020-01-12. - Norfolk Island starts observing Australian-style DST. ----------------------------------------- Patch: SUSE-2019-2802 Released: Tue Oct 29 11:39:05 2019 Summary: Security update for python3 Severity: moderate References: 1149121,1149792,1149955,1151490,1153238,CVE-2019-16056,CVE-2019-16935,PM-1350,SLE-9426 Description: This update for python3 to 3.6.9 fixes the following issues: Security issues fixed: - CVE-2019-16056: Fixed a parser issue in the email module. (bsc#1149955) - CVE-2019-16935: Fixed a reflected XSS in python/Lib/DocXMLRPCServer.py (bsc#1153238). Non-security issues fixed: - Fixed regression of OpenSSL 1.1.1b-1 in EVP_PBE_scrypt() with salt=NULL. (bsc#1151490) - Improved locale handling by implementing PEP 538. ----------------------------------------- Patch: SUSE-2019-2812 Released: Tue Oct 29 14:57:55 2019 Summary: Recommended update for systemd Severity: moderate References: 1139459,1140631,1145023,1150595,SLE-7687 Description: This update for systemd provides the following fixes: - Fix a problem that would cause invoking try-restart to an inactive service to hang when a daemon-reload is invoked before the try-restart returned. (bsc#1139459) - man: Add a note about _netdev usage. - units: Replace remote-cryptsetup-pre.target with remote-fs-pre.target. - units: Add [Install] section to remote-cryptsetup.target. - cryptsetup: Ignore _netdev, since it is used in generator. - cryptsetup-generator: Use remote-cryptsetup.target when _netdev is present. (jsc#SLE-7687) - cryptsetup-generator: Add a helper utility to create symlinks. - units: Add remote-cryptsetup.target and remote-cryptsetup-pre.target. - man: Add an explicit description of _netdev to systemd.mount(5). - man: Order fields alphabetically in crypttab(5). - man: Make crypttab(5) a bit easier to read. - units: Order cryptsetup-pre.target before cryptsetup.target. - Fix reporting of enabled-runtime units. - sd-bus: Deal with cookie overruns. (bsc#1150595) - rules: Add by-id symlinks for persistent memory. (bsc#1140631) - Buildrequire polkit so /usr/share/polkit-1/rules.d subdir can be only owned by polkit. (bsc#1145023) ----------------------------------------- Patch: SUSE-2019-2870 Released: Thu Oct 31 08:09:14 2019 Summary: Recommended update for aaa_base Severity: moderate References: 1051143,1138869,1151023 Description: This update for aaa_base provides the following fixes: - Check if variables can be set before modifying them to avoid warnings on login with a restricted shell. (bsc#1138869) - Add s390x compressed kernel support. (bsc#1151023) - service: Check if there is a second argument before using it. (bsc#1051143) ----------------------------------------- Patch: SUSE-2019-2418 Released: Thu Nov 14 11:53:03 2019 Summary: Recommended update for bash Severity: moderate References: 1133773,1143055 Description: This update for bash fixes the following issues: - Rework patch readline-7.0-screen (bsc#1143055): map all 'screen(-xxx)?.yyy(-zzz)?' to 'screen' as well as map 'konsole(-xxx)?' and 'gnome(-xxx)?' to 'xterm' - Add a backport from bash 5.0 to perform better with large numbers of sub processes. (bsc#1133773) ----------------------------------------- Patch: SUSE-2019-2997 Released: Mon Nov 18 15:16:38 2019 Summary: Security update for ncurses Severity: moderate References: 1103320,1154036,1154037,CVE-2019-17594,CVE-2019-17595 Description: This update for ncurses fixes the following issues: Security issues fixed: - CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036). - CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037). Non-security issue fixed: - Removed screen.xterm from terminfo database (bsc#1103320). ----------------------------------------- Patch: SUSE-2019-3059 Released: Mon Nov 25 17:33:07 2019 Summary: Security update for cpio Severity: moderate References: 1155199,CVE-2019-14866 Description: This update for cpio fixes the following issues: - CVE-2019-14866: Fixed an improper validation of the values written in the header of a TAR file through the to_oct() function which could have led to unexpected TAR generation (bsc#1155199). ----------------------------------------- Patch: SUSE-2019-3061 Released: Mon Nov 25 17:34:22 2019 Summary: Security update for gcc9 Severity: moderate References: 1114592,1135254,1141897,1142649,1142654,1148517,1149145,CVE-2019-14250,CVE-2019-15847,SLE-6533,SLE-6536 Description: This update includes the GNU Compiler Collection 9. A full changelog is provided by the GCC team on: https://www.gnu.org/software/gcc/gcc-9/changes.html The base system compiler libraries libgcc_s1, libstdc++6 and others are now built by the gcc 9 packages. To use it, install 'gcc9' or 'gcc9-c++' or other compiler brands and use CC=gcc-9 / CXX=g++-9 during configuration for using it. Security issues fixed: - CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145) - CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649) Non-security issues fixed: - Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254) - Fixed miscompilation for vector shift on s390. (bsc#1141897) ----------------------------------------- Patch: SUSE-2019-3070 Released: Tue Nov 26 12:39:29 2019 Summary: Recommended update for gpg2 Severity: low References: 1152755 Description: This update for gpg2 provides the following fix: - Remove a build requirement on self. This is causing Leap 15.2 bootstrap to fail. (bsc#1152755) ----------------------------------------- Patch: SUSE-2019-3086 Released: Thu Nov 28 10:02:24 2019 Summary: Security update for libidn2 Severity: moderate References: 1154884,1154887,CVE-2019-12290,CVE-2019-18224 Description: This update for libidn2 to version 2.2.0 fixes the following issues: - CVE-2019-12290: Fixed an improper round-trip check when converting A-labels to U-labels (bsc#1154884). - CVE-2019-18224: Fixed a heap-based buffer overflow that was caused by long domain strings (bsc#1154887). ----------------------------------------- Patch: SUSE-2019-3087 Released: Thu Nov 28 10:03:00 2019 Summary: Security update for libxml2 Severity: low References: 1123919 Description: This update for libxml2 doesn't fix any additional security issues, but correct its rpm changelog to reflect all CVEs that have been fixed over the past. ----------------------------------------- Patch: SUSE-2019-3118 Released: Fri Nov 29 14:41:35 2019 Summary: Recommended update for e2fsprogs Severity: moderate References: 1154295 Description: This update for e2fsprogs fixes the following issues: - Make minimum size estimates more reliable for mounted filesystem. (bsc#1154295) ----------------------------------------- Patch: SUSE-2019-3166 Released: Wed Dec 4 11:24:42 2019 Summary: Recommended update for aaa_base Severity: moderate References: 1007715,1084934,1157278 Description: This update for aaa_base fixes the following issues: - Use official key binding functions in inputrc that is replace up-history with previous-history, down-history with next-history and backward-delete-word with backward-kill-word. (bsc#1084934) - Add some missed key escape sequences for urxvt-unicode terminal as well. (bsc#1007715) - Clear broken ghost entry in patch which breaks 'readline'. (bsc#1157278) ----------------------------------------- Patch: SUSE-2019-3240 Released: Tue Dec 10 10:40:19 2019 Summary: Recommended update for ca-certificates-mozilla, p11-kit Severity: moderate References: 1154871 Description: This update for ca-certificates-mozilla, p11-kit fixes the following issues: Changes in ca-certificates-mozilla: - export correct p11kit trust attributes so Firefox detects built in certificates (bsc#1154871). Changes in p11-kit: - support loading NSS attribute CKA_NSS_MOZILLA_CA_POLICY so Firefox detects built in certificates (bsc#1154871) ----------------------------------------- Patch: SUSE-2019-3267 Released: Wed Dec 11 11:19:53 2019 Summary: Security update for libssh Severity: important References: 1158095,CVE-2019-14889 Description: This update for libssh fixes the following issues: - CVE-2019-14889: Fixed an arbitrary command execution (bsc#1158095). ----------------------------------------- Patch: SUSE-2019-3392 Released: Fri Dec 27 13:33:29 2019 Summary: Security update for libgcrypt Severity: moderate References: 1148987,1155338,1155339,CVE-2019-13627 Description: This update for libgcrypt fixes the following issues: Security issues fixed: - CVE-2019-13627: Mitigation against an ECDSA timing attack (bsc#1148987). Bug fixes: - Added CMAC AES self test (bsc#1155339). - Added CMAC TDES self test missing (bsc#1155338). - Fix test dsa-rfc6979 in FIPS mode. ----------------------------------------- Patch: SUSE-2019-3395 Released: Mon Dec 30 14:05:06 2019 Summary: Security update for mozilla-nspr, mozilla-nss Severity: moderate References: 1141322,1158527,1159819,CVE-2018-18508,CVE-2019-11745,CVE-2019-17006 Description: This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nss was updated to NSS 3.47.1: Security issues fixed: - CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819). - CVE-2019-11745: EncryptUpdate should use maxout, not block size (bsc#1158527). - CVE-2019-11727: Fixed vulnerability sign CertificateVerify with PKCS#1 v1.5 signatures issue (bsc#1141322). mozilla-nspr was updated to version 4.23: - Whitespace in C files was cleaned up and no longer uses tab characters for indenting. ----------------------------------------- Patch: SUSE-2020-114 Released: Thu Jan 16 10:11:52 2020 Summary: Security update for python3 Severity: important References: 1027282,1029377,1029902,1040164,1042670,1070853,1079761,1081750,1083507,1086001,1088004,1088009,1088573,1094814,1107030,1109663,1109847,1120644,1122191,1129346,1130840,1133452,1137942,1138459,1141853,1149121,1149792,1149955,1151490,1153238,1159035,1159622,637176,658604,673071,709442,743787,747125,751718,754447,754677,787526,809831,831629,834601,871152,885662,885882,917607,942751,951166,983582,984751,985177,985348,989523,CVE-2011-3389,CVE-2011-4944,CVE-2012-0845,CVE-2012-1150,CVE-2013-1752,CVE-2013-4238,CVE-2014-2667,CVE-2014-4650,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699,CVE-2017-18207,CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061,CVE-2018-14647,CVE-2018-20406,CVE-2018-20852,CVE-2019-10160,CVE-2019-15903,CVE-2019-16056,CVE-2019-16935,CVE-2019-5010,CVE-2019-9636,CVE-2019-9947 Description: This update for python3 to version 3.6.10 fixes the following issues: - CVE-2017-18207: Fixed a denial of service in Wave_read._read_fmt_chunk() (bsc#1083507). - CVE-2019-16056: Fixed an issue where email parsing could fail for multiple @ (bsc#1149955). - CVE-2019-15903: Fixed a heap-based buffer over-read in libexpat (bsc#1149429). ----------------------------------------- Patch: SUSE-2020-129 Released: Mon Jan 20 09:21:13 2020 Summary: Security update for libssh Severity: important References: 1158095,CVE-2019-14889 Description: This update for libssh fixes the following issues: - CVE-2019-14889: Fixed an unwanted command execution in scp caused by unsanitized location (bsc#1158095). ----------------------------------------- Patch: SUSE-2020-225 Released: Fri Jan 24 06:49:07 2020 Summary: Recommended update for procps Severity: moderate References: 1158830 Description: This update for procps fixes the following issues: - Fix for 'ps -C' allowing to accept any arguments longer than 15 characters anymore. (bsc#1158830) ----------------------------------------- Patch: SUSE-2020-256 Released: Wed Jan 29 09:39:17 2020 Summary: Recommended update for aaa_base Severity: moderate References: 1157794,1160970 Description: This update for aaa_base fixes the following issues: - Improves the way how the Java path is created to fix an issue with sapjvm. (bsc#1157794) - Drop 'dev.cdrom.autoclose' = 0 from sysctl config. (bsc#1160970) ----------------------------------------- Patch: SUSE-2020-262 Released: Thu Jan 30 11:02:42 2020 Summary: Security update for glibc Severity: moderate References: 1149332,1151582,1157292,1157893,1158996,CVE-2019-19126 Description: This update for glibc fixes the following issues: Security issue fixed: - CVE-2019-19126: Fixed to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition (bsc#1157292). Bug fixes: - Fixed z15 (s390x) strstr implementation that can return incorrect results if search string cross page boundary (bsc#1157893). - Fixed Hardware support in toolchain (bsc#1151582). - Fixed syscalls during early process initialization (SLE-8348). - Fixed an array overflow in backtrace for PowerPC (bsc#1158996). - Moved to posix_spawn on popen (bsc#1149332). ----------------------------------------- Patch: SUSE-2020-265 Released: Thu Jan 30 14:05:34 2020 Summary: Security update for e2fsprogs Severity: moderate References: 1160571,CVE-2019-5188 Description: This update for e2fsprogs fixes the following issues: - CVE-2019-5188: Fixed a code execution vulnerability in the directory rehashing functionality (bsc#1160571). ----------------------------------------- Patch: SUSE-2020-279 Released: Fri Jan 31 12:01:39 2020 Summary: Recommended update for p11-kit Severity: moderate References: 1013125 Description: This update for p11-kit fixes the following issues: - Also build documentation (bsc#1013125) ----------------------------------------- Patch: SUSE-2020-335 Released: Thu Feb 6 11:37:24 2020 Summary: Security update for systemd Severity: important References: 1084671,1092920,1106383,1133495,1151377,1154256,1155207,1155574,1156213,1156482,1158485,1159814,1161436,1162108,CVE-2019-20386,CVE-2020-1712 Description: This update for systemd fixes the following issues: - CVE-2020-1712 (bsc#bsc#1162108) Fix a heap use-after-free vulnerability, when asynchronous Polkit queries were performed while handling Dbus messages. A local unprivileged attacker could have abused this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted Dbus messages. - Use suse.pool.ntp.org server pool on SLE distros (jsc#SLE-7683) - libblkid: open device in nonblock mode. (bsc#1084671) - udev/cdrom_id: Do not open CD-rom in exclusive mode. (bsc#1154256) - bus_open leak sd_event_source when udevadm trigger。 (bsc#1161436 CVE-2019-20386) - fileio: introduce read_full_virtual_file() for reading virtual files in sysfs, procfs (bsc#1133495 bsc#1159814) - fileio: initialize errno to zero before we do fread() - fileio: try to read one byte too much in read_full_stream() - logind: consider 'greeter' sessions suitable as 'display' sessions of a user (bsc#1158485) - logind: never elect a session that is stopping as display - journal: include kmsg lines from the systemd process which exec()d us (#8078) - udevd: don't use monitor after manager_exit() - udevd: capitalize log messages in on_sigchld() - udevd: merge conditions to decrease indentation - Revert 'udevd: fix crash when workers time out after exit is signal caught' - core: fragments of masked units ought not be considered for NeedDaemonReload (#7060) (bsc#1156482) - udevd: fix crash when workers time out after exit is signal caught - udevd: wait for workers to finish when exiting (bsc#1106383) - Improve bash completion support (bsc#1155207) * shell-completion: systemctl: do not list template units in {re,}start * shell-completion: systemctl: pass current word to all list_unit* * bash-completion: systemctl: pass current partial unit to list-unit* (bsc#1155207) * bash-completion: systemctl: use systemctl --no-pager * bash-completion: also suggest template unit files * bash-completion: systemctl: add missing options and verbs * bash-completion: use the first argument instead of the global variable (#6457) - networkd: VXLan Make group and remote variable separate (bsc#1156213) - networkd: vxlan require Remote= to be a non multicast address (#8117) (bsc#1156213) - fs-util: let's avoid unnecessary strerror() - fs-util: introduce inotify_add_watch_and_warn() helper - ask-password: improve log message when inotify limit is reached (bsc#1155574) - shared/install: failing with -ELOOP can be due to the use of an alias in install_error() (bsc#1151377) - man: alias names can't be used with enable command (bsc#1151377) - Add boot option to not use swap at system start (jsc#SLE-7689) - Allow YaST to select Iranian (Persian, Farsi) keyboard layout (bsc#1092920) ----------------------------------------- Patch: SUSE-2020-339 Released: Thu Feb 6 13:03:22 2020 Summary: Recommended update for openldap2 Severity: low References: 1158921 Description: This update for openldap2 provides the following fix: - Add libldap-data to the product (as it contains ldap.conf). (bsc#1158921) ----------------------------------------- Patch: SUSE-2020-340 Released: Thu Feb 6 13:03:56 2020 Summary: Recommended update for python-rpm-macros Severity: moderate References: 1161770 Description: This update for python-rpm-macros fixes the following issues: - Add macros related to the Python dist metadata dependency generator. (bsc#1161770) ----------------------------------------- Patch: SUSE-2020-451 Released: Tue Feb 25 10:50:35 2020 Summary: Recommended update for libgcrypt Severity: moderate References: 1155337,1161215,1161216,1161218,1161219,1161220 Description: This update for libgcrypt fixes the following issues: - ECDSA: Check range of coordinates (bsc#1161216) - FIPS: libgcrypt DSA PQG parameter generation: Missing value [bsc#1161219] - FIPS: libgcrypt DSA PQG verification incorrect results [bsc#1161215] - FIPS: libgcrypt RSA siggen/keygen: 4k not supported [bsc#1161220] - FIPS: keywrap gives incorrect results [bsc#1161218] - FIPS: RSA/DSA/ECDSA are missing hashing operation [bsc#1155337] ----------------------------------------- Patch: SUSE-2020-467 Released: Tue Feb 25 12:00:39 2020 Summary: Security update for python3 Severity: moderate References: 1162224,1162367,1162423,1162825,CVE-2019-9674,CVE-2020-8492 Description: This update for python3 fixes the following issues: Security issues fixed: - CVE-2019-9674: Improved the documentation to reflect the dangers of zip-bombs (bsc#1162825). - CVE-2020-8492: Fixed a regular expression in urrlib that was prone to denial of service via HTTP (bsc#1162367). Non-security issue fixed: - If the locale is 'C', coerce it to C.UTF-8 (bsc#1162423). ----------------------------------------- Patch: SUSE-2020-476 Released: Tue Feb 25 14:23:14 2020 Summary: Recommended update for perl Severity: moderate References: 1102840,1160039 Description: This update for perl fixes the following issues: - Some packages make assumptions about the date and time they are built. This update will solve the issues caused by calling the perl function timelocal expressing the year with two digit only instead of four digits. (bsc#1102840) (bsc#1160039) ----------------------------------------- Patch: SUSE-2020-480 Released: Tue Feb 25 17:38:22 2020 Summary: Recommended update for aaa_base Severity: moderate References: 1160735 Description: This update for aaa_base fixes the following issues: - Change 'rp_filter' to increase the default priority to ethernet over the wifi. (bsc#1160735) ----------------------------------------- Patch: SUSE-2020-525 Released: Fri Feb 28 11:49:36 2020 Summary: Recommended update for pam Severity: moderate References: 1164562 Description: This update for pam fixes the following issues: - Add libdb as build-time dependency to enable pam_userdb module. Enable pam_userdb.so (jsc#sle-7258, bsc#1164562) ----------------------------------------- Patch: SUSE-2020-556 Released: Mon Mar 2 13:32:11 2020 Summary: Recommended update for 389-ds Severity: moderate References: 1155951 Description: This update for 389-ds to version 1.4.2.2 fixes the following issues: 389-ds was updated to 1.4.2.6 (fate#326677, bsc#1155951), bringing many bug and stability fixes. Issue addressed: - Enabled python lib389 installer tooling to match upstream and suse documentation. More information for this release at: https://directory.fedoraproject.org/docs/389ds/releases/release-1-4-2-1.html ----------------------------------------- Patch: SUSE-2020-572 Released: Tue Mar 3 13:25:41 2020 Summary: Recommended update for cyrus-sasl Severity: moderate References: 1162518 Description: This update for cyrus-sasl fixes the following issues: - Added support for retrieving negotiated SSF in gssapi plugin (bsc#1162518) - Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF (bsc#1162518) ----------------------------------------- Patch: SUSE-2020-597 Released: Thu Mar 5 15:24:09 2020 Summary: Recommended update for libgcrypt Severity: moderate References: 1164950 Description: This update for libgcrypt fixes the following issues: - FIPS: Run the self-tests from the constructor [bsc#1164950] ----------------------------------------- Patch: SUSE-2020-633 Released: Tue Mar 10 16:23:08 2020 Summary: Recommended update for aaa_base Severity: moderate References: 1139939,1151023 Description: This update for aaa_base fixes the following issues: - get_kernel_version: fix for current kernel on s390x (bsc#1151023, bsc#1139939) - added '-h'/'--help' to the command old - change feedback url from http://www.suse.de/feedback to https://github.com/openSUSE/aaa_base/issues ----------------------------------------- Patch: SUSE-2020-668 Released: Fri Mar 13 10:48:58 2020 Summary: Security update for glibc Severity: moderate References: 1163184,1164505,1165784,CVE-2020-10029 Description: This update for glibc fixes the following issues: - CVE-2020-10029: Fixed a potential overflow in on-stack buffer during range reduction (bsc#1165784). - Fixed an issue where pthread were not always locked correctly (bsc#1164505). - Document mprotect and introduce section on memory protection (bsc#1163184). ----------------------------------------- Patch: SUSE-2020-689 Released: Fri Mar 13 17:09:01 2020 Summary: Recommended update for pam Severity: moderate References: 1166510 Description: This update for PAM fixes the following issue: - The license of libdb linked against pam_userdb is not always wanted, so we temporary disabled pam_userdb again. It will be published in a different package at a later time. (bsc#1166510) ----------------------------------------- Patch: SUSE-2020-475 Released: Thu Mar 19 11:00:46 2020 Summary: Recommended update for systemd Severity: moderate References: 1160595 Description: This update for systemd fixes the following issues: - Remove TasksMax limit for both user and system slices (jsc#SLE-10123) - Backport IP filtering feature (jsc#SLE-7743 bsc#1160595) ----------------------------------------- Patch: SUSE-2020-729 Released: Thu Mar 19 14:44:22 2020 Summary: Recommended update for glibc Severity: moderate References: 1166106 Description: This update for glibc fixes the following issues: - Allow dlopen of filter object to work (bsc#1166106, BZ #16272) ----------------------------------------- Patch: SUSE-2020-777 Released: Tue Mar 24 18:07:52 2020 Summary: Recommended update for python3 Severity: moderate References: 1165894 Description: This update for python3 fixes the following issue: - Rename idle icons to idle3 in order to not conflict with python2 variant of the package (bsc#1165894) ----------------------------------------- Patch: SUSE-2020-793 Released: Wed Mar 25 15:16:00 2020 Summary: Recommended update for systemd Severity: moderate References: 1139459,1161262,1162108,1164717,1165579,CVE-2020-1712 Description: This update for systemd fixes the following issues: - manager: fix job mode when signalled to shutdown etc (bsc#1161262) - remove fallback for user/exit.target - dbus method Manager.Exit() does not start exit.target - do not install rescue.target for alt-↑ - %j/%J unit specifiers Added support for I/O scheduler selection with blk-mq (bsc#1165579, bsc#1164717). Added the udev 60-ssd-scheduler.rules: - This rules file which select the default IO scheduler for SSDs is being moved out from the git repo since this is not related to systemd or udev at all and is maintained by the kernel team. - core: coldplug possible nop_job (bsc#1139459) - Revert 'udev: use 'deadline' IO scheduler for SSD disks' - Fix typo in function name - polkit: when authorizing via PK let's re-resolve callback/userdata instead of caching it (bsc#1162108 CVE-2020-1712) - sd-bus: introduce API for re-enqueuing incoming messages - polkit: on async pk requests, re-validate action/details ----------------------------------------- Patch: SUSE-2020-820 Released: Tue Mar 31 13:02:22 2020 Summary: Security update for glibc Severity: important References: 1167631,CVE-2020-1752 Description: This update for glibc fixes the following issues: - CVE-2020-1752: Fixed a use after free in glob which could have allowed a local attacker to create a specially crafted path that, when processed by the glob function, could potentially have led to arbitrary code execution (bsc#1167631). ----------------------------------------- Patch: SUSE-2020-846 Released: Thu Apr 2 07:24:07 2020 Summary: Recommended update for libgcrypt Severity: moderate References: 1164950,1166748,1167674 Description: This update for libgcrypt fixes the following issues: - FIPS: Remove an unneeded check in _gcry_global_constructor (bsc#1164950) - FIPS: Fix drbg to be threadsafe (bsc#1167674) - FIPS: Run self-tests from constructor during power-on [bsc#1166748] * Set up global_init as the constructor function: * Relax the entropy requirements on selftest. This is especially important for virtual machines to boot properly before the RNG is available: ----------------------------------------- Patch: SUSE-2020-850 Released: Thu Apr 2 14:37:31 2020 Summary: Recommended update for mozilla-nss Severity: moderate References: 1155350,1155357,1155360,1166880 Description: This update for mozilla-nss fixes the following issues: Added various fixes related to FIPS certification: * Use getrandom() to obtain entropy where possible. * Make DSA KAT FIPS compliant. * Use FIPS compliant hash when validating keypair. * Enforce FIPS requirements on RSA key generation. * Miscellaneous fixes to CAVS tests. * Enforce FIPS limits on how much data can be processed without rekeying. * Run self tests on library initialization in FIPS mode. * Disable non-compliant algorithms in FIPS mode (hashes and the SEED cipher). * Clear various temporary variables after use. * Allow MD5 to be used in TLS PRF. * Preferentially gather entropy from /dev/random over /dev/urandom. * Allow enabling FIPS mode consistently with NSS_FIPS environment variable. * Fix argument parsing bug in lowhashtest. ----------------------------------------- Patch: SUSE-2020-917 Released: Fri Apr 3 15:02:25 2020 Summary: Recommended update for pam Severity: moderate References: 1166510 Description: This update for pam fixes the following issues: - Moved pam_userdb into a separate package pam-extra. (bsc#1166510) ----------------------------------------- Patch: SUSE-2020-948 Released: Wed Apr 8 07:44:21 2020 Summary: Security update for gmp, gnutls, libnettle Severity: moderate References: 1152692,1155327,1166881,1168345,CVE-2020-11501 Description: This update for gmp, gnutls, libnettle fixes the following issues: Security issue fixed: - CVE-2020-11501: Fixed zero random value in DTLS client hello (bsc#1168345) FIPS related bugfixes: - FIPS: Install checksums for binary integrity verification which are required when running in FIPS mode (bsc#1152692, jsc#SLE-9518) - FIPS: Fixed a cfb8 decryption issue, no longer truncate output IV if input is shorter than block size. (bsc#1166881) - FIPS: Added Diffie Hellman public key verification test. (bsc#1155327) ----------------------------------------- Patch: SUSE-2020-949 Released: Wed Apr 8 07:45:48 2020 Summary: Recommended update for mozilla-nss Severity: moderate References: 1168669 Description: This update for mozilla-nss fixes the following issues: - Use secure_getenv() to avoid PR_GetEnvSecure() being called when NSPR is unavailable, resulting in an abort (bsc#1168669). ----------------------------------------- Patch: SUSE-2020-961 Released: Wed Apr 8 13:34:06 2020 Summary: Recommended update for e2fsprogs Severity: moderate References: 1160979 Description: This update for e2fsprogs fixes the following issues: - e2fsck: clarify overflow link count error message (bsc#1160979) - ext2fs: update allocation info earlier in ext2fs_mkdir() (bsc#1160979) - ext2fs: implement dir entry creation in htree directories (bsc#1160979) - tests: add test to excercise indexed directories with metadata_csum (bsc#1160979) - tune2fs: update dir checksums when clearing dir_index feature (bsc#1160979) ----------------------------------------- Patch: SUSE-2020-967 Released: Thu Apr 9 11:41:53 2020 Summary: Security update for libssh Severity: moderate References: 1168699,CVE-2020-1730 Description: This update for libssh fixes the following issues: - CVE-2020-1730: Fixed a possible denial of service when using AES-CTR (bsc#1168699). ----------------------------------------- Patch: SUSE-2020-1061 Released: Wed Apr 22 10:45:41 2020 Summary: Recommended update for mozilla-nss Severity: moderate References: 1169872 Description: This update for mozilla-nss fixes the following issues: - This implements API mechanisms for performing DSA and ECDSA hash-and-sign in a single call, which will be required in future FIPS cycles (bsc#1169872). - Always perform nssdbm checksumming on softoken load, even if nssdbm itself is not loaded. ----------------------------------------- Patch: SUSE-2020-1063 Released: Wed Apr 22 10:46:50 2020 Summary: Recommended update for libgcrypt Severity: moderate References: 1165539,1169569 Description: This update for libgcrypt fixes the following issues: This update for libgcrypt fixes the following issues: - FIPS: Switch the PCT to use the new signature operation (bsc#1165539) - FIPS: Verify that the generated signature and the original input differ in test_keys function for RSA, DSA and ECC (bsc#1165539) - Add zero-padding when qx and qy have different lengths when assembling the Q point from affine coordinates. - Ship the FIPS checksum file in the shared library package and create a separate trigger file for the FIPS selftests (bsc#1169569) ----------------------------------------- Patch: SUSE-2020-1131 Released: Tue Apr 28 11:59:17 2020 Summary: Recommended update for mozilla-nss Severity: moderate References: 1170571,1170572 Description: This update for mozilla-nss fixes the following issues: - FIPS: Add Softoken POSTs for new DSA and ECDSA hash-and-sign update functions. (bsc#1170571) - FIPS: Add pairwise consistency check for CKM_SHA224_RSA_PKCS. Remove ditto checks for CKM_RSA_PKCS, CKM_DSA and CKM_ECDSA, since these are served by the new CKM_SHA224_RSA_PKCS, CKM_DSA_SHA224, CKM_ECDSA_SHA224 checks. - FIPS: Replace bad attempt at unconditional nssdbm checksumming with a dlopen(), so it can be located consistently and perform its own self-tests. - FIPS: This fixes an instance of inverted logic due to a boolean being mistaken for a SECStatus, which caused key derivation to fail when the caller provided a valid subprime. ----------------------------------------- Patch: SUSE-2020-1175 Released: Tue May 5 08:33:43 2020 Summary: Recommended update for systemd Severity: moderate References: 1165011,1168076 Description: This update for systemd fixes the following issues: - Fix check for address to keep interface names stable. (bsc#1168076) - Fix for checking non-normalized WHAT for network FS. (bsc#1165011) - Allow to specify an arbitrary string for when vfs is used. (bsc#1165011) ----------------------------------------- Patch: SUSE-2020-1214 Released: Thu May 7 11:20:34 2020 Summary: Recommended update for libgcrypt Severity: moderate References: 1169944 Description: This update for libgcrypt fixes the following issues: - FIPS: libgcrypt: Fixed a double free in test_keys() on failed signature verification (bsc#1169944) ----------------------------------------- Patch: SUSE-2020-1219 Released: Thu May 7 17:10:42 2020 Summary: Security update for openldap2 Severity: important References: 1170771,CVE-2020-12243 Description: This update for openldap2 fixes the following issues: - CVE-2020-12243: Fixed a denial of service related to recursive filters (bsc#1170771). ----------------------------------------- Patch: SUSE-2020-1226 Released: Fri May 8 10:51:05 2020 Summary: Recommended update for gcc9 Severity: moderate References: 1149995,1152590,1167898 Description: This update for gcc9 fixes the following issues: This update ships the GCC 9.3 release. - Includes a fix for Internal compiler error when building HepMC (bsc#1167898) - Includes fix for binutils version parsing - Add libstdc++6-pp provides and conflicts to avoid file conflicts with same minor version of libstdc++6-pp from gcc10. - Add gcc9 autodetect -g at lto link (bsc#1149995) - Install go tool buildid for bootstrapping go ----------------------------------------- Patch: SUSE-2020-1294 Released: Mon May 18 07:38:36 2020 Summary: Security update for file Severity: moderate References: 1154661,1169512,CVE-2019-18218 Description: This update for file fixes the following issues: Security issues fixed: - CVE-2019-18218: Fixed a heap-based buffer overflow in cdf_read_property_info() (bsc#1154661). Non-security issue fixed: - Fixed broken '--help' output (bsc#1169512). ----------------------------------------- Patch: SUSE-2020-1299 Released: Mon May 18 07:43:21 2020 Summary: Security update for libxml2 Severity: moderate References: 1159928,1161517,1161521,CVE-2019-19956,CVE-2019-20388,CVE-2020-7595 Description: This update for libxml2 fixes the following issues: - CVE-2019-20388: Fixed a memory leak in xmlSchemaPreRun (bsc#1161521). - CVE-2019-19956: Fixed a memory leak (bsc#1159928). - CVE-2020-7595: Fixed an infinite loop in an EOF situation (bsc#1161517). ----------------------------------------- Patch: SUSE-2020-1303 Released: Mon May 18 09:40:36 2020 Summary: Recommended update for timezone Severity: moderate References: 1169582 Description: This update for timezone fixes the following issues: - timezone update 2020a. (bsc#1169582) * Morocco springs forward on 2020-05-31, not 2020-05-24. * Canada's Yukon advanced to -07 year-round on 2020-03-08. * America/Nuuk renamed from America/Godthab. * zic now supports expiration dates for leap second lists. ----------------------------------------- Patch: SUSE-2020-1328 Released: Mon May 18 17:16:04 2020 Summary: Recommended update for grep Severity: moderate References: 1155271 Description: This update for grep fixes the following issues: - Update testsuite expectations, no functional changes (bsc#1155271) ----------------------------------------- Patch: SUSE-2020-1342 Released: Tue May 19 13:27:31 2020 Summary: Recommended update for python3 Severity: moderate References: 1149955,1165894,CVE-2019-16056 Description: This update for python3 fixes the following issues: - Changed the name of idle3 icons to idle3.png to avoid collision with Python 2 version (bsc#1165894). ----------------------------------------- Patch: SUSE-2020-1348 Released: Wed May 20 11:37:41 2020 Summary: Recommended update for mozilla-nss Severity: moderate References: 1170908 Description: This update for mozilla-nss fixes the following issues: The following issues are fixed: - Add AES Keywrap POST. - Accept EACCES in lieu of ENOENT when trying to access /proc/sys/crypto/fips_enabled (bsc#1170908). ----------------------------------------- Patch: SUSE-2020-1361 Released: Thu May 21 09:31:18 2020 Summary: Recommended update for libgcrypt Severity: moderate References: 1171872 Description: This update for libgcrypt fixes the following issues: - FIPS: RSA/DSA/ECC test_keys() print out debug messages only in debug mode (bsc#1171872) ----------------------------------------- Patch: SUSE-2020-1400 Released: Mon May 25 14:09:02 2020 Summary: Recommended update for glibc Severity: moderate References: 1162930 Description: This update for glibc fixes the following issues: - nptl: wait for pending setxid request also in detached thread. (bsc#1162930) ----------------------------------------- Patch: SUSE-2020-1404 Released: Mon May 25 15:32:34 2020 Summary: Recommended update for zlib Severity: moderate References: 1138793,1166260 Description: This update for zlib fixes the following issues: - Including the latest fixes from IBM (bsc#1166260) IBM Z mainframes starting from version z15 provide DFLTCC instruction, which implements deflate algorithm in hardware with estimated compression and decompression performance orders of magnitude faster than the current zlib and ratio comparable with that of level 1. - Add SUSE specific fix to solve bsc#1138793. The fix will avoid to test if the app was linked with exactly same version of zlib like the one that is present on the runtime. ----------------------------------------- Patch: SUSE-2020-1492 Released: Wed May 27 18:32:41 2020 Summary: Recommended update for python-rpm-macros Severity: moderate References: 1171561 Description: This update for python-rpm-macros fixes the following issue: - Update to version 20200207.5feb6c1 (bsc#1171561) * Do not write .pyc files for tests ----------------------------------------- Patch: SUSE-2020-1506 Released: Fri May 29 17:22:11 2020 Summary: Recommended update for aaa_base Severity: moderate References: 1087982,1170527 Description: This update for aaa_base fixes the following issues: - Not all XTerm based emulators do have a terminfo entry. (bsc#1087982) - Better support of Midnight Commander. (bsc#1170527) ----------------------------------------- Patch: SUSE-2020-1532 Released: Thu Jun 4 10:16:12 2020 Summary: Security update for libxml2 Severity: moderate References: 1172021,CVE-2019-19956 Description: This update for libxml2 fixes the following issues: - CVE-2019-19956: Reverted the upstream fix for this memory leak because it introduced other, more severe vulnerabilities (bsc#1172021). ----------------------------------------- Patch: SUSE-2020-1542 Released: Thu Jun 4 13:24:37 2020 Summary: Recommended update for timezone Severity: moderate References: 1172055 Description: This update for timezone fixes the following issue: - zdump --version reported 'unknown' (bsc#1172055) ----------------------------------------- Patch: SUSE-2020-1677 Released: Thu Jun 18 18:16:39 2020 Summary: Security update for mozilla-nspr, mozilla-nss Severity: important References: 1159819,1169746,1171978,CVE-2019-17006,CVE-2020-12399 Description: This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nss was updated to version 3.53 - CVE-2020-12399: Fixed a timing attack on DSA signature generation (bsc#1171978). - CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819). Release notes: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.53_release_notes mozilla-nspr to version 4.25 ----------------------------------------- Patch: SUSE-2020-1682 Released: Fri Jun 19 09:44:54 2020 Summary: Security update for perl Severity: important References: 1171863,1171864,1171866,1172348,CVE-2020-10543,CVE-2020-10878,CVE-2020-12723 Description: This update for perl fixes the following issues: - CVE-2020-10543: Fixed a heap buffer overflow in regular expression compiler which could have allowed overwriting of allocated memory with attacker's data (bsc#1171863). - CVE-2020-10878: Fixed multiple integer overflows which could have allowed the insertion of instructions into the compiled form of Perl regular expression (bsc#1171864). - CVE-2020-12723: Fixed an attacker's corruption of the intermediate language state of a compiled regular expression (bsc#1171866). - Fixed a bad warning in features.ph (bsc#1172348). ----------------------------------------- Patch: SUSE-2020-1733 Released: Wed Jun 24 09:43:36 2020 Summary: Security update for curl Severity: important References: 1173026,1173027,CVE-2020-8169,CVE-2020-8177 Description: This update for curl fixes the following issues: - CVE-2020-8177: Fixed an issue where curl could have been tricked by a malicious server to overwrite a local file when using the -J option (bsc#1173027). - CVE-2020-8169: Fixed an issue where could have led to partial password leak over DNS on HTTP redirect (bsc#1173026). ----------------------------------------- Patch: SUSE-2020-1759 Released: Thu Jun 25 18:44:37 2020 Summary: Recommended update for krb5 Severity: moderate References: 1169357 Description: This update for krb5 fixes the following issue: - Call systemd to reload the services instead of init-scripts. (bsc#1169357) ----------------------------------------- Patch: SUSE-2020-1760 Released: Thu Jun 25 18:46:13 2020 Summary: Recommended update for systemd Severity: moderate References: 1157315,1162698,1164538,1169488,1171145,1172072 Description: This update for systemd fixes the following issues: - Merge branch 'SUSE/v234' into SLE15 units: starting suspend.target should not fail when suspend is successful (bsc#1172072) core/mount: do not add Before=local-fs.target or remote-fs.target if nofail mount option is set mount: let mount_add_extras() take care of remote-fs.target deps (bsc#1169488) mount: set up local-fs.target/remote-fs.target deps in mount_add_default_dependencies() too udev: rename the persistent link for ATA devices (bsc#1164538) shared/install: try harder to find enablement symlinks when disabling a unit (bsc#1157315) tmpfiles: remove unnecessary assert (bsc#1171145) test-engine: manager_free() was called too early pid1: by default make user units inherit their umask from the user manager (bsc#1162698) ----------------------------------------- Patch: SUSE-2020-1822 Released: Thu Jul 2 11:30:42 2020 Summary: Security update for python3 Severity: important References: 1173274,CVE-2020-14422 Description: This update for python3 fixes the following issues: - CVE-2020-14422: Fixed an improper computation of hash values in the IPv4Interface and IPv6Interface could have led to denial of service (bsc#1173274). ----------------------------------------- Patch: SUSE-2020-1396 Released: Fri Jul 3 12:33:05 2020 Summary: Security update for zstd Severity: moderate References: 1082318,1133297 Description: This update for zstd fixes the following issues: - Fix for build error caused by wrong static libraries. (bsc#1133297) - Correction in spec file marking the license as documentation. (bsc#1082318) - Add new package for SLE-15. (jsc#ECO-1886) ----------------------------------------- Patch: SUSE-2020-1850 Released: Mon Jul 6 14:44:39 2020 Summary: Security update for mozilla-nss Severity: moderate References: 1168669,1173032,CVE-2020-12402 Description: This update for mozilla-nss fixes the following issues: mozilla-nss was updated to version 3.53.1 - CVE-2020-12402: Fixed a potential side channel attack during RSA key generation (bsc#1173032) - Fixed various FIPS issues in libfreebl3 which were causing segfaults in the test suite of chrony (bsc#1168669). ----------------------------------------- Patch: SUSE-2020-1856 Released: Mon Jul 6 17:05:51 2020 Summary: Security update for openldap2 Severity: important References: 1172698,1172704,CVE-2020-8023 Description: This update for openldap2 fixes the following issues: - CVE-2020-8023: Fixed a potential local privilege escalation from ldap to root when OPENLDAP_CONFIG_BACKEND='ldap' was used (bsc#1172698). - Changed DB_CONFIG to root:ldap permissions (bsc#1172704). ----------------------------------------- Patch: SUSE-2020-1938 Released: Thu Jul 16 14:43:32 2020 Summary: Recommended update for libsolv, libzypp, zypper Severity: moderate References: 1169947,1170801,1172925,1173106 Description: This update for libsolv, libzypp, zypper fixes the following issues: libsolv was updated to: - Enable zstd compression support for sle15 zypper was updated to version 1.14.37: - Print switch abbrev warning to stderr (bsc#1172925) - Fix typo in man page (bsc#1169947) libzypp was updated to 17.24.0 - Fix core dump with corrupted history file (bsc#1170801) - Enable zchunk metadata download if libsolv supports it. - Better handling of the purge-kernels algorithm. (bsc#1173106) ----------------------------------------- Patch: SUSE-2020-1954 Released: Sat Jul 18 03:07:15 2020 Summary: Recommended update for cracklib Severity: moderate References: 1172396 Description: This update for cracklib fixes the following issues: - Fixed a buffer overflow when processing long words. ----------------------------------------- Patch: SUSE-2020-1987 Released: Tue Jul 21 17:02:15 2020 Summary: Recommended update for libsolv, libzypp, yast2-packager, yast2-pkg-bindings Severity: important References: 1172477,1173336,1174011 Description: This update for libsolv, libzypp, yast2-packager, yast2-pkg-bindings fixes the following issues: libsolv: - No source changes, just shipping it as an installer update (required by yast2-pkg-bindings). libzypp: - Proactively send credentials if the URL specifes '?auth=basic' and a username. (bsc#1174011) - ZYPP_MEDIA_CURL_DEBUG: Strip credentials in header log. (bsc#1174011) yast2-packager: - Handle variable expansion in repository name. (bsc#1172477) - Improve medium type detection, do not report Online medium when the /media.1/products file is missing in the repository, SMT does not mirror this file. (bsc#1173336) yast2-pkg-bindings: - Extensions to handle raw repository name. (bsc#1172477) ----------------------------------------- Patch: SUSE-2020-2083 Released: Thu Jul 30 10:27:59 2020 Summary: Recommended update for diffutils Severity: moderate References: 1156913 Description: This update for diffutils fixes the following issue: - Disable a sporadically failing test for ppc64 and ppc64le builds. (bsc#1156913) ----------------------------------------- Patch: SUSE-2020-2096 Released: Thu Jul 30 17:10:55 2020 Summary: Recommended update for 389-ds Severity: moderate References: 1172328 Description: This update for 389-ds fixes the following issues: - This corrects a failure to install on SUSE due to incorrect hostname generation, and a python3 utf8 issue that is triggered by systemd. (bsc#1172328) ----------------------------------------- Patch: SUSE-2020-2099 Released: Fri Jul 31 08:06:40 2020 Summary: Recommended update for systemd Severity: moderate References: 1173227,1173229,1173422 Description: This update for systemd fixes the following issues: - migrate-sysconfig-i18n.sh: fixed marker handling (bsc#1173229) The marker is used to make sure the script is run only once. Instead of storing it in /usr, use /var which is more appropriate for such file. Also make it owned by systemd package. - Fix inconsistent file modes for some ghost files (bsc#1173227) Ghost files are assumed by rpm to have mode 000 by default which is not consistent with file permissions set at runtime. Also /var/lib/systemd/random-seed was tracked wrongly as a directory. Also don't track (ghost) /etc/systemd/system/runlevel*.target aliases since we're not supposed to track units or aliases user might define/override. - Fix build of systemd on openSUSE Leap 15.2 (bsc#1173422) ----------------------------------------- Patch: SUSE-2020-2148 Released: Thu Aug 6 13:36:17 2020 Summary: Recommended update for ca-certificates-mozilla Severity: important References: 1174673 Description: This update for ca-certificates-mozilla fixes the following issues: Update to 2.42 state of the Mozilla NSS Certificate store (bsc#1174673) Removed CAs: * AddTrust External CA Root * AddTrust Class 1 CA Root * LuxTrust Global Root 2 * Staat der Nederlanden Root CA - G2 * Symantec Class 1 Public Primary Certification Authority - G4 * Symantec Class 2 Public Primary Certification Authority - G4 * VeriSign Class 3 Public Primary Certification Authority - G3 Added CAs: * certSIGN Root CA G2 * e-Szigno Root CA 2017 * Microsoft ECC Root Certificate Authority 2017 * Microsoft RSA Root Certificate Authority 2017 ----------------------------------------- Patch: SUSE-2020-2224 Released: Thu Aug 13 09:15:47 2020 Summary: Recommended update for glibc Severity: moderate References: 1171878,1172085 Description: This update for glibc fixes the following issues: - Fix concurrent changes on nscd aware files appeared by 'getent' when the NSCD cache was enabled. (bsc#1171878, BZ #23178) - Implement correct locking and cancellation cleanup in syslog functions. (bsc#1172085, BZ #26100) ----------------------------------------- Patch: SUSE-2020-2277 Released: Wed Aug 19 13:24:03 2020 Summary: Security update for python3 Severity: moderate References: 1174091,CVE-2019-20907 Description: This update for python3 fixes the following issues: - bsc#1174091, CVE-2019-20907: avoiding possible infinite loop in specifically crafted tarball. ----------------------------------------- Patch: SUSE-2020-2278 Released: Wed Aug 19 21:26:08 2020 Summary: Recommended update for util-linux Severity: moderate References: 1149911,1151708,1168235,1168389 Description: This update for util-linux fixes the following issues: - blockdev: Do not fail --report on kpartx-style partitions on multipath. (bsc#1168235) - nologin: Add support for -c to prevent error from su -c. (bsc#1151708) - Avoid triggering autofs in lookup_umount_fs_by_statfs. (bsc#1168389) - mount: Fall back to device node name if /dev/mapper link not found. (bsc#1149911) ----------------------------------------- Patch: SUSE-2020-2384 Released: Sat Aug 29 00:57:13 2020 Summary: Recommended update for e2fsprogs Severity: low References: 1170964 Description: This update for e2fsprogs fixes the following issues: - Fix for an issue when system message with placeholders are not properly replaced. (bsc#1170964) ----------------------------------------- Patch: SUSE-2020-2411 Released: Tue Sep 1 13:28:47 2020 Summary: Recommended update for systemd Severity: moderate References: 1142733,1146991,1158336,1172195,1172824,1173539 Description: This update for systemd fixes the following issues: - Improve logging when PID1 fails at setting a namespace up when spawning a command specified by 'Exec*='. (bsc#1172824, bsc#1142733) pid1: improve message when setting up namespace fails. execute: let's close glibc syslog channels too. execute: normalize logging in *execute.c*. execute: fix typo in error message. execute: drop explicit *log_open()*/*log_close()* now that it is unnecessary. execute: make use of the new logging mode in *execute.c* log: add a mode where we open the log fds for every single log message. log: let's make use of the fact that our functions return the negative error code for *log_oom()* too. execute: downgrade a log message ERR → WARNING, since we proceed ignoring its result. execute: rework logging in *setup_keyring()* to include unit info. execute: improve and augment execution log messages. - vconsole-setup: downgrade log message when setting font fails on dummy console. (bsc#1172195 bsc#1173539) - fix infinite timeout. (bsc#1158336) - bpf: mount bpffs by default on boot. (bsc#1146991) - man: explain precedence for options which take a list. - man: unify titling, fix description of precedence in sysusers.d(5) - udev-event: fix timeout log messages. ----------------------------------------- Patch: SUSE-2020-2413 Released: Tue Sep 1 13:32:47 2020 Summary: Recommended update for 389-ds Severity: moderate References: 1174057 Description: This update for 389-ds fixes the following issues: Update from version 1.4.3.9~git0.3eb8617f6 to version 1.4.3.12~git0.9bc042902 - It should not be allowed to delete Managed Entry manually - SSL alert: The value of sslVersionMax 'TLS1.3' is higher than the supported version - Fix instance name length for interactive install - JSON Error output has redundant messages - If dbhome directory is set online backup fails - Separate the BDB backend monitors - entryUSN is duplicated after memberOf operation - Fix disk_mon_check_diskspace types - Resolve upstream stability and fix rollup. (bsc#1174057) - Add option to reject internal unindexed searches - dsidm ou delete fails - add more logconv stats for the new access log keywords - db2ldif crashes when LDIF file can't be accessed - add new access log keywords for wtime and optime - Fix Allowed and Denied Ciphers lists - WebUI - UI - attr uniqueness - selecting empty subtree crashes cockpit - log warning when thread number is very different from autotuned value - Reindex task may create abandoned index file - Log an error when a search is fully unindexed - fix SLE15.2 install issps - dsctl fails with instance names that contain slapd- - Memory leaks in disk monitoring - nsIndexIDListScanLimit accepts any value - A distinguished value can be missing in an entry - Healthcheck should look for notes=A/F in access log - Set the default minimum worker threads - pwdReset can be modified by a user - Correct numSubordinates value for cn=monitor - dsctl and dsidm do not errors correctly when using JSON - Winsync setting winSyncWindowsFilter not working as expected - improve autotune defaults - Add option to healthcheck to list all the lint reports - UI - improve modal validation when creating an instance ----------------------------------------- Patch: SUSE-2020-2420 Released: Tue Sep 1 13:48:35 2020 Summary: Recommended update for zlib Severity: moderate References: 1174551,1174736 Description: This update for zlib provides the following fixes: - Permit a deflateParams() parameter change as soon as possible. (bsc#1174736) - Fix DFLTCC not flushing EOBS when creating raw streams. (bsc#1174551) ----------------------------------------- Patch: SUSE-2020-2445 Released: Wed Sep 2 09:33:02 2020 Summary: Security update for curl Severity: moderate References: 1175109,CVE-2020-8231 Description: This update for curl fixes the following issues: - An application that performs multiple requests with libcurl's multi API and sets the 'CURLOPT_CONNECT_ONLY' option, might in rare circumstances experience that when subsequently using the setup connect-only transfer, libcurl will pick and use the wrong connection and instead pick another one the application has created since then. [bsc#1175109, CVE-2020-8231] ----------------------------------------- Patch: SUSE-2020-2581 Released: Wed Sep 9 13:07:07 2020 Summary: Security update for openldap2 Severity: moderate References: 1174154,CVE-2020-15719 Description: This update for openldap2 fixes the following issues: - bsc#1174154 - CVE-2020-15719 - This resolves an issue with x509 SAN's falling back to CN validation in violation of rfc6125. ----------------------------------------- Patch: SUSE-2020-2612 Released: Fri Sep 11 11:18:01 2020 Summary: Security update for libxml2 Severity: moderate References: 1176179,CVE-2020-24977 Description: This update for libxml2 fixes the following issues: - CVE-2020-24977: Fixed a global-buffer-overflow in xmlEncodeEntitiesInternal (bsc#1176179). ----------------------------------------- Patch: SUSE-2020-2616 Released: Mon Sep 14 10:34:31 2020 Summary: Recommended update for python-argparse-manpage Severity: low References: Description: This update for python-argparse-manpage fixes the following issues: - Made the multiline text look better ----------------------------------------- Patch: SUSE-2020-2651 Released: Wed Sep 16 14:42:55 2020 Summary: Recommended update for zlib Severity: moderate References: 1175811,1175830,1175831 Description: This update for zlib fixes the following issues: - Fix compression level switching (bsc#1175811, bsc#1175830, bsc#1175831) - Enable hardware compression on s390/s390x (jsc#SLE-13776) ----------------------------------------- Patch: SUSE-2020-2704 Released: Tue Sep 22 15:06:36 2020 Summary: Recommended update for krb5 Severity: moderate References: 1174079 Description: This update for krb5 fixes the following issue: - Fix prefix reported by krb5-config, libraries and headers are not installed under /usr/lib/mit prefix. (bsc#1174079) ----------------------------------------- Patch: SUSE-2020-2712 Released: Tue Sep 22 17:08:03 2020 Summary: Security update for openldap2 Severity: moderate References: 1175568,CVE-2020-8027 Description: This update for openldap2 fixes the following issues: - CVE-2020-8027: openldap_update_modules_path.sh starts daemons unconditionally and uses fixed paths in /tmp (bsc#1175568). ----------------------------------------- Patch: SUSE-2020-2819 Released: Thu Oct 1 10:39:16 2020 Summary: Recommended update for libzypp, zypper Severity: moderate References: 1165424,1173273,1173529,1174240,1174561,1174918,1175342,1175592 Description: This update for libzypp, zypper provides the following fixes: Changes in libzypp: - VendorAttr: Const-correct API and let Target provide its settings. (bsc#1174918) - Support buildnr with commit hash in purge-kernels. This adds special behaviour for when a kernel version has the rebuild counter before the kernel commit hash. (bsc#1175342) - Improve Italian translation of the 'breaking dependencies' message. (bsc#1173529) - Make sure reading from lsof does not block forever. (bsc#1174240) - Just collect details for the signatures found. Changes in zypper: - man: Enhance description of the global package cache. (bsc#1175592) - man: Point out that plain rpm packages are not downloaded to the global package cache. (bsc#1173273) - Directly list subcommands in 'zypper help'. (bsc#1165424) - Remove extern C block wrapping augeas.h as it breaks the build on Arch Linux. - Point out that plaindir repos do not follow symlinks. (bsc#1174561) - Fix help command for list-patches. ----------------------------------------- Patch: SUSE-2020-2852 Released: Fri Oct 2 16:55:39 2020 Summary: Recommended update for openssl-1_1 Severity: moderate References: 1173470,1175844 Description: This update for openssl-1_1 fixes the following issues: FIPS: * Include ECDH/DH Requirements from SP800-56Arev3 (bsc#1175844, bsc#1173470). * Add shared secret KAT to FIPS DH selftest (bsc#1175844). ----------------------------------------- Patch: SUSE-2020-2864 Released: Tue Oct 6 10:34:14 2020 Summary: Security update for gnutls Severity: moderate References: 1176086,1176181,1176671,CVE-2020-24659 Description: This update for gnutls fixes the following issues: - Fix heap buffer overflow in handshake with no_renegotiation alert sent (CVE-2020-24659 bsc#1176181) - FIPS: Implement (EC)DH requirements from SP800-56Arev3 (bsc#1176086) - FIPS: Use 2048 bit prime in DH selftest (bsc#1176086) - FIPS: Add TLS KDF selftest (bsc#1176671) ----------------------------------------- Patch: SUSE-2020-2869 Released: Tue Oct 6 16:13:20 2020 Summary: Recommended update for aaa_base Severity: moderate References: 1011548,1153943,1153946,1161239,1171762 Description: This update for aaa_base fixes the following issues: - DIR_COLORS (bug#1006973): - add screen.xterm-256color - add TERM rxvt-unicode-256color - sort and merge TERM entries in etc/DIR_COLORS - check for Packages.db and use this instead of Packages. (bsc#1171762) - Rename path() to _path() to avoid using a general name. - refresh_initrd call modprobe as /sbin/modprobe (bsc#1011548) - etc/profile add some missing ;; in case esac statements - profile and csh.login: on s390x set TERM to dumb on dumb terminal (bsc#1153946) - backup-rpmdb: exit if zypper is running (bsc#1161239) - Add color alias for ip command (jsc#sle-9880, jsc#SLE-7679, bsc#1153943) ----------------------------------------- Version 2-Build4.2.43 2020-10-13T11:21:22 ----------------------------------------- Patch: SUSE-2020-2893 Released: Mon Oct 12 14:14:55 2020 Summary: Recommended update for openssl-1_1 Severity: moderate References: 1177479 Description: This update for openssl-1_1 fixes the following issues: - Restore private key check in EC_KEY_check_key (bsc#1177479) ----------------------------------------- Version 2-Build4.2.47 2020-10-16T07:59:15 ----------------------------------------- Patch: SUSE-2020-2901 Released: Tue Oct 13 14:22:43 2020 Summary: Security update for libproxy Severity: important References: 1176410,1177143,CVE-2020-25219,CVE-2020-26154 Description: This update for libproxy fixes the following issues: - CVE-2020-25219: Rewrote url::recvline to be nonrecursive (bsc#1176410). - CVE-2020-26154: Fixed a buffer overflow when PAC is enabled (bsc#1177143). ----------------------------------------- Patch: SUSE-2020-2914 Released: Tue Oct 13 17:25:20 2020 Summary: Security update for bind Severity: moderate References: 1100369,1109160,1118367,1118368,1128220,1156205,1157051,1161168,1170667,1170713,1171313,1171740,1172958,1173307,1173311,1173983,1175443,1176092,1176674,906079,CVE-2017-3136,CVE-2018-5741,CVE-2019-6477,CVE-2020-8616,CVE-2020-8617,CVE-2020-8618,CVE-2020-8619,CVE-2020-8620,CVE-2020-8621,CVE-2020-8622,CVE-2020-8623,CVE-2020-8624 Description: This update for bind fixes the following issues: BIND was upgraded to version 9.16.6: Note: - bind is now more strict in regards to DNSSEC. If queries are not working, check for DNSSEC issues. For instance, if bind is used in a namserver forwarder chain, the forwarding DNS servers must support DNSSEC. Fixing security issues: - CVE-2020-8616: Further limit the number of queries that can be triggered from a request. Root and TLD servers are no longer exempt from max-recursion-queries. Fetches for missing name server. (bsc#1171740) Address records are limited to 4 for any domain. - CVE-2020-8617: Replaying a TSIG BADTIME response as a request could trigger an assertion failure. (bsc#1171740) - CVE-2019-6477: Fixed an issue where TCP-pipelined queries could bypass the tcp-clients limit (bsc#1157051). - CVE-2018-5741: Fixed the documentation (bsc#1109160). - CVE-2020-8618: It was possible to trigger an INSIST when determining whether a record would fit into a TCP message buffer (bsc#1172958). - CVE-2020-8619: It was possible to trigger an INSIST in lib/dns/rbtdb.c:new_reference() with a particular zone content and query patterns (bsc#1172958). - CVE-2020-8624: 'update-policy' rules of type 'subdomain' were incorrectly treated as 'zonesub' rules, which allowed keys used in 'subdomain' rules to update names outside of the specified subdomains. The problem was fixed by making sure 'subdomain' rules are again processed as described in the ARM (bsc#1175443). - CVE-2020-8623: When BIND 9 was compiled with native PKCS#11 support, it was possible to trigger an assertion failure in code determining the number of bits in the PKCS#11 RSA public key with a specially crafted packet (bsc#1175443). - CVE-2020-8621: named could crash in certain query resolution scenarios where QNAME minimization and forwarding were both enabled (bsc#1175443). - CVE-2020-8620: It was possible to trigger an assertion failure by sending a specially crafted large TCP DNS message (bsc#1175443). - CVE-2020-8622: It was possible to trigger an assertion failure when verifying the response to a TSIG-signed request (bsc#1175443). Other issues fixed: - Add engine support to OpenSSL EdDSA implementation. - Add engine support to OpenSSL ECDSA implementation. - Update PKCS#11 EdDSA implementation to PKCS#11 v3.0. - Warn about AXFR streams with inconsistent message IDs. - Make ISC rwlock implementation the default again. - Fixed issues when using cookie-secrets for AES and SHA2 (bsc#1161168) - Installed the default files in /var/lib/named and created chroot environment on systems using transactional-updates (bsc#1100369, fate#325524) - Fixed an issue where bind was not working in FIPS mode (bsc#906079). - Fixed dependency issues (bsc#1118367 and bsc#1118368). - GeoIP support is now discontinued, now GeoIP2 is used(bsc#1156205). - Fixed an issue with FIPS (bsc#1128220). - The liblwres library is discontinued upstream and is no longer included. - Added service dependency on NTP to make sure the clock is accurate when bind is starts (bsc#1170667, bsc#1170713). - Reject DS records at the zone apex when loading master files. Log but otherwise ignore attempts to add DS records at the zone apex via UPDATE. - The default value of 'max-stale-ttl' has been changed from 1 week to 12 hours. - Zone timers are now exported via statistics channel. - The 'primary' and 'secondary' keywords, when used as parameters for 'check-names', were not processed correctly and were being ignored. - 'rndc dnstap -roll ' did not limit the number of saved files to . - Add 'rndc dnssec -status' command. - Addressed a couple of situations where named could crash. - Changed /var/lib/named to owner root:named and perms rwxrwxr-t so that named, being a/the only member of the 'named' group has full r/w access yet cannot change directories owned by root in the case of a compromized named. [bsc#1173307, bind-chrootenv.conf] - Added '/etc/bind.keys' to NAMED_CONF_INCLUDE_FILES in /etc/sysconfig/named to suppress warning message re missing file (bsc#1173983). - Removed '-r /dev/urandom' from all invocations of rndc-confgen (init/named system/lwresd.init system/named.init in vendor-files) as this option is deprecated and causes rndc-confgen to fail. (bsc#1173311, bsc#1176674, bsc#1170713) - /usr/bin/genDDNSkey: Removing the use of the -r option in the call of /usr/sbin/dnssec-keygen as BIND now uses the random number functions provided by the crypto library (i.e., OpenSSL or a PKCS#11 provider) as a source of randomness rather than /dev/random. Therefore the -r command line option no longer has any effect on dnssec-keygen. Leaving the option in genDDNSkey as to not break compatibility. Patch provided by Stefan Eisenwiener. [bsc#1171313] - Put libns into a separate subpackage to avoid file conflicts in the libisc subpackage due to different sonums (bsc#1176092). - Require /sbin/start_daemon: both init scripts, the one used in systemd context as well as legacy sysv, make use of start_daemon. ----------------------------------------- Version 2-Build4.2.50 2020-10-18T07:58:55 ----------------------------------------- Patch: SUSE-2020-2947 Released: Fri Oct 16 15:23:07 2020 Summary: Security update for gcc10, nvptx-tools Severity: moderate References: 1172798,1172846,1173972,1174753,1174817,1175168,CVE-2020-13844 Description: This update for gcc10, nvptx-tools fixes the following issues: This update provides the GCC10 compiler suite and runtime libraries. The base SUSE Linux Enterprise libraries libgcc_s1, libstdc++6 are replaced by the gcc10 variants. The new compiler variants are available with '-10' suffix, you can specify them via: CC=gcc-10 CXX=g++-10 or similar commands. For a detailed changelog check out https://gcc.gnu.org/gcc-10/changes.html Changes in nvptx-tools: - Enable build on aarch64 ----------------------------------------- Version 2-Build4.2.58 2020-10-21T07:59:21 ----------------------------------------- Patch: SUSE-2020-2958 Released: Tue Oct 20 12:24:55 2020 Summary: Recommended update for procps Severity: moderate References: 1158830 Description: This update for procps fixes the following issues: - Fixes an issue when command 'ps -C' does not allow anymore an argument longer than 15 characters. (bsc#1158830) ----------------------------------------- Version 2-Build4.2.62 2020-10-26T09:41:08 ----------------------------------------- Patch: SUSE-2020-2979 Released: Wed Oct 21 11:37:14 2020 Summary: Recommended update for mozilla-nss Severity: moderate References: 1176173 Description: This update for mozilla-nss fixes the following issue: - FIPS: Adjust the Diffie-Hellman and Elliptic Curve Diffie-Hellman algorithms to be NIST SP800-56Arev3 compliant (bsc#1176173). ----------------------------------------- Patch: SUSE-2020-2983 Released: Wed Oct 21 15:03:03 2020 Summary: Recommended update for file Severity: moderate References: 1176123 Description: This update for file fixes the following issues: - Fixes an issue when file displays broken 'ELF' interpreter. (bsc#1176123) ----------------------------------------- Version 2-Build4.2.68 2020-10-29T07:59:05 ----------------------------------------- Patch: SUSE-2020-3048 Released: Tue Oct 27 16:04:52 2020 Summary: Recommended update for libsolv, libzypp, yaml-cpp, zypper Severity: moderate References: 1174918,1176192,1176435,1176712,1176740,1176902,1177238,935885 Description: This update for libsolv, libzypp, yaml-cpp, zypper fixes the following issues: libzypp was updated to 17.25.1: - When kernel-rt has been installed, the purge-kernels service fails during boot. (bsc#1176902) - Use package name provides as group key in purge-kernel (bsc#1176740 bsc#1176192) kernel-default-base has new packaging, where the kernel uname -r does not reflect the full package version anymore. This patch adds additional logic to use the most generic/shortest edition each package provides with %{packagename}= to group the kernel packages instead of the rpm versions. This also changes how the keep-spec for specific versions is applied, instead of matching the package versions, each of the package name provides will be matched. - RepoInfo: Return the type of the local metadata cache as fallback (bsc#1176435) - VendorAttr: Fix broken 'suse,opensuse' equivalence handling. Enhance API and testcases. (bsc#1174918) - Update docs regarding 'opensuse' namepace matching. - Link against libzstd to close libsolvs open references (as we link statically) yaml-cpp: - The libyaml-cpp0_6 library package is added the to the Basesystem module, LTSS and ESPOS channels, and the INSTALLER channels, as a new libzypp dependency. No source changes were done to yaml-cpp. zypper was updated to 1.14.40: - info: Assume descriptions starting with '

' are richtext (bsc#935885) - help: prevent 'whatis' from writing to stderr (bsc#1176712) - wp: point out that command is aliased to a search command and searches case-insensitive (jsc#SLE-16271) libsolv was updated to 0.7.15 to fix: - make testcase_mangle_repo_names deal correctly with freed repos [bsc#1177238] - fix deduceq2addedmap clearing bits outside of the map - conda: feature depriorization first - conda: fix startswith implementation - move find_update_seeds() call in cleandeps calculation - set SOLVABLE_BUILDHOST in rpm and rpmmd parsers - new testcase_mangle_repo_names() function - new solv_fmemopen() function ----------------------------------------- Version 2-Build4.2.70 2020-10-30T07:59:43 ----------------------------------------- Patch: SUSE-2020-3091 Released: Thu Oct 29 16:35:37 2020 Summary: Security update for MozillaThunderbird and mozilla-nspr Severity: important References: 1174230,1176384,1176756,1176899,1177977,CVE-2020-15673,CVE-2020-15676,CVE-2020-15677,CVE-2020-15678,CVE-2020-15683,CVE-2020-15969 Description: This update for MozillaThunderbird and mozilla-nspr fixes the following issues: - Mozilla Thunderbird 78.4 * new: MailExtensions: browser.tabs.sendMessage API added * new: MailExtensions: messageDisplayScripts API added * changed: Yahoo and AOL mail users using password authentication will be migrated to OAuth2 * changed: MailExtensions: messageDisplay APIs extended to support multiple selected messages * changed: MailExtensions: compose.begin functions now support creating a message with attachments * fixed: Thunderbird could freeze when updating global search index * fixed: Multiple issues with handling of self-signed SSL certificates addressed * fixed: Recipient address fields in compose window could expand to fill all available space * fixed: Inserting emoji characters in message compose window caused unexpected behavior * fixed: Button to restore default folder icon color was not keyboard accessible * fixed: Various keyboard navigation fixes * fixed: Various color-related theme fixes * fixed: MailExtensions: Updating attachments with onBeforeSend.addListener() did not work MFSA 2020-47 (bsc#1177977) * CVE-2020-15969 Use-after-free in usersctp * CVE-2020-15683 Memory safety bugs fixed in Thunderbird 78.4 - Mozilla Thunderbird 78.3.3 * OpenPGP: Improved support for encrypting with subkeys * OpenPGP message status icons were not visible in message header pane * Creating a new calendar event did not require an event title - Mozilla Thunderbird 78.3.2 (bsc#1176899) * OpenPGP: Improved support for encrypting with subkeys * OpenPGP: Encrypted messages with international characters were sometimes displayed incorrectly * Single-click deletion of recipient pills with middle mouse button restored * Searching an address book list did not display results * Dark mode, high contrast, and Windows theming fixes - Mozilla Thunderbird 78.3.1 * fix crash in nsImapProtocol::CreateNewLineFromSocket - Mozilla Thunderbird 78.3.0 MFSA 2020-44 (bsc#1176756) * CVE-2020-15677 Download origin spoofing via redirect * CVE-2020-15676 XSS when pasting attacker-controlled data into a contenteditable element * CVE-2020-15678 When recursing through layers while scrolling, an iterator may have become invalid, resulting in a potential use-after- free scenario * CVE-2020-15673 Memory safety bugs fixed in Thunderbird 78.3 - update mozilla-nspr to version 4.25.1 * The macOS platform code for shared library loading was changed to support macOS 11. * Dependency needed for the MozillaThunderbird udpate ----------------------------------------- Patch: SUSE-2020-3099 Released: Thu Oct 29 19:33:41 2020 Summary: Recommended update for timezone Severity: moderate References: 1177460 Description: This update for timezone fixes the following issues: - timezone update 2020b (bsc#1177460) * Revised predictions for Morocco's changes starting in 2023. * Canada's Yukon changes to -07 on 2020-11-01, not 2020-03-08. * Macquarie Island has stayed in sync with Tasmania since 2011. * Casey, Antarctica is at +08 in winter and +11 in summer. * zic no longer supports -y, nor the TYPE field of Rules. ----------------------------------------- Version 2-Build4.2.79 2020-11-06T08:01:01 ----------------------------------------- Patch: SUSE-2020-3123 Released: Tue Nov 3 09:48:13 2020 Summary: Recommended update for timezone Severity: important References: 1177460,1178346,1178350,1178353 Description: This update for timezone fixes the following issues: - Generate 'fat' timezone files (was default before 2020b). (bsc#1178346, bsc#1178350, bsc#1178353) - Palestine ends DST earlier than predicted, on 2020-10-24. (bsc#1177460) - Fiji starts DST later than usual, on 2020-12-20. (bsc#1177460) ----------------------------------------- Patch: SUSE-2020-3138 Released: Tue Nov 3 12:14:03 2020 Summary: Recommended update for systemd Severity: moderate References: 1104902,1154935,1165502,1167471,1173422,1176513,1176800 Description: This update for systemd fixes the following issues: - seccomp: shm{get,at,dt} now have their own numbers everywhere (bsc#1173422) - test-seccomp: log function names - test-seccomp: add log messages when skipping tests - basic/virt: Detect PowerVM hypervisor (bsc#1176800) - fs-util: suppress world-writable warnings if we read /dev/null - udevadm: rename option '--log-priority' into '--log-level' - udev: rename kernel option 'log_priority' into 'log_level' - fstab-generator: add 'nofail' when NFS 'bg' option is used (bsc#1176513) - Fix memory protection default (bsc#1167471) - cgroup: Support 0-value for memory protection directives and accepts MemorySwapMax=0 (bsc#1154935) - Improve latency and reliability when users log in/out (bsc#1104902, bsc#1165502) ----------------------------------------- Patch: SUSE-2020-3157 Released: Wed Nov 4 15:37:05 2020 Summary: Recommended update for ca-certificates-mozilla Severity: moderate References: 1177864 Description: This update for ca-certificates-mozilla fixes the following issues: The SSL Root CA store was updated to the 2.44 state of the Mozilla NSS Certificate store (bsc#1177864) - Removed CAs: - EE Certification Centre Root CA - Taiwan GRCA - Added CAs: - Trustwave Global Certification Authority - Trustwave Global ECC P256 Certification Authority - Trustwave Global ECC P384 Certification Authority ----------------------------------------- Version 2-Build4.2.80 2020-11-09T08:02:18 ----------------------------------------- Patch: SUSE-2020-3253 Released: Mon Nov 9 07:45:04 2020 Summary: Recommended update for mozilla-nss Severity: moderate References: 1174697,1176173 Description: This update for mozilla-nss fixes the following issues: - Fixes an issue for Mozilla Firefox which has failed in fips mode (bsc#1174697) - FIPS: Adjust the Diffie-Hellman and Elliptic Curve Diffie-Hellman algorithms to be NIST SP800-56Arev3 compliant (bsc#1176173). ----------------------------------------- Version 2-Build4.2.85 2020-11-14T08:01:57 ----------------------------------------- Patch: SUSE-2020-3290 Released: Wed Nov 11 12:25:32 2020 Summary: Recommended update for findutils Severity: moderate References: 1174232 Description: This update for findutils fixes the following issues: - Do not unconditionally use leaf optimization for NFS. (bsc#1174232) NFS st_nlink are not accurate on all implementations, leading to aborts() if that assumption is made. ----------------------------------------- Patch: SUSE-2020-3313 Released: Thu Nov 12 16:07:37 2020 Summary: Security update for openldap2 Severity: important References: 1178387,CVE-2020-25692 Description: This update for openldap2 fixes the following issues: - CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387). ----------------------------------------- Version 2-Build4.2.94 2020-11-20T08:02:49 ----------------------------------------- Patch: SUSE-2020-3377 Released: Thu Nov 19 09:29:32 2020 Summary: Security update for krb5 Severity: moderate References: 1178512,CVE-2020-28196 Description: This update for krb5 fixes the following security issue: - CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512). ----------------------------------------- Patch: SUSE-2020-3381 Released: Thu Nov 19 10:53:38 2020 Summary: Recommended update for systemd Severity: moderate References: 1177458,1177490,1177510 Description: This update for systemd fixes the following issues: - build-sys: optionally disable support of journal over the network (bsc#1177458) - ask-password: prevent buffer overflow when reading from keyring (bsc#1177510) - mount: don't propagate errors from mount_setup_unit() further up - Rely on the new build option --disable-remote for journal_remote This allows to drop the workaround that consisted in cleaning journal-upload files and {sysusers.d,tmpfiles.d}/systemd-remote.conf manually when 'journal_remote' support was disabled. - Move journal-{remote,upload}.conf.5.gz man pages into systemd-journal_remote sub package - Make sure {sysusers.d,tmpfiles.d}/systemd-remote.conf are not shipped with --without=journal_remote (bsc#1177458) These files were incorrectly packaged in the main package when systemd-journal_remote was disabled. - Make use of %{_unitdir} and %{_sysusersdir} - Remove mq-deadline selection from 60-io-scheduler.rules (bsc#1177490) ----------------------------------------- Version 2-Build4.2.99 2020-11-21T08:01:55 ----------------------------------------- Patch: SUSE-2020-3462 Released: Fri Nov 20 13:14:35 2020 Summary: Recommended update for pam and sudo Severity: moderate References: 1174593,1177858,1178727 Description: This update for pam and sudo fixes the following issue: pam: - pam_xauth: do not *free* a string which has been successfully passed to *putenv*. (bsc#1177858) - Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727) - Run /usr/bin/xauth using the old user's and group's identifiers. (bsc#1174593) sudo: - Fix a problem with pam_xauth which checks effective and real uids to get the real identity of the user. (bsc#1174593) ----------------------------------------- Version 2-Build4.2.109 2020-12-02T07:57:54 ----------------------------------------- Patch: SUSE-2020-3566 Released: Mon Nov 30 16:56:52 2020 Summary: Security update for python-setuptools Severity: important References: 1176262,CVE-2019-20916 Description: This update for python-setuptools fixes the following issues: - Fixed a directory traversal in _download_http_url() (bsc#1176262 CVE-2019-20916) ----------------------------------------- Patch: SUSE-2020-3581 Released: Tue Dec 1 14:40:22 2020 Summary: Recommended update for libusb-1_0 Severity: moderate References: 1178376 Description: This update for libusb-1_0 fixes the following issues: - Fixes a build failure for libusb for the inclusion of 'sys/time.h' on PowerPC. (bsc#1178376) ----------------------------------------- Version 2-Build4.2.113 2020-12-04T08:50:12 ----------------------------------------- Patch: SUSE-2020-3593 Released: Wed Dec 2 10:33:49 2020 Summary: Security update for python3 Severity: important References: 1176262,1179193,CVE-2019-20916 Description: This update for python3 fixes the following issues: Update to 3.6.12 (bsc#1179193), including: - Fixed a directory traversal in _download_http_url() (bsc#1176262 CVE-2019-20916) ----------------------------------------- Patch: SUSE-2020-3620 Released: Thu Dec 3 17:03:55 2020 Summary: Recommended update for pam Severity: moderate References: Description: This update for pam fixes the following issues: - Check if the password is part of the username. (jsc#SLE-16719, jsc#SLE-16720) - Check whether the password contains a substring of of the user's name of at least `` characters length in some form. This is enabled by the new parameter `usersubstr=` ----------------------------------------- Version 2-Build4.2.115 2020-12-07T07:46:58 ----------------------------------------- Patch: SUSE-2020-3626 Released: Fri Dec 4 13:51:46 2020 Summary: Recommended update for audit Severity: moderate References: 1179515 Description: This update for audit fixes the following issues: - Enable Aarch64 processor support. (bsc#1179515) ----------------------------------------- Version 2-Build4.2.119 2020-12-08T13:36:26 ----------------------------------------- Patch: SUSE-2020-3703 Released: Mon Dec 7 20:17:32 2020 Summary: Recommended update for aaa_base Severity: moderate References: 1179431 Description: This update for aaa_base fixes the following issue: - Avoid semicolon within (t)csh login script on S/390. (bsc#1179431) ----------------------------------------- Version 2-Build4.2.120 2020-12-09T07:41:14 ----------------------------------------- Patch: SUSE-2020-3711 Released: Tue Dec 8 16:40:25 2020 Summary: Recommended update for 389-ds Severity: important References: 1176889,1178445 Description: This update for 389-ds fixes the following issues: Update from version 1.4.3.12~git0.9bc042902 to version 1.4.3.17~git0.3c2d054e1 - Crash in `paged` chaining search. (bsc#1178445) - Mapping tree may be invalid. (bsc#1176889) - Use `MONOTONIC` clock for all timing events and conditions - Add `dsconf` replication monitor test case - Fix test: `SyncRepl` plugin provides a wrong cookie - Fix `lib389` and use system `TLS` policy - During setup and remove add and remove the new instance to the global dsrc to enable transparent administration. - UI - Handle objectclasses that do not have `X-ORIGIN` set ----------------------------------------- Version 2-Build4.2.123 2020-12-09T18:06:15 ----------------------------------------- Patch: SUSE-2020-3721 Released: Wed Dec 9 13:36:46 2020 Summary: Security update for openssl-1_1 Severity: important References: 1179491,CVE-2020-1971 Description: This update for openssl-1_1 fixes the following issues: - CVE-2020-1971: Fixed a null pointer dereference in EDIPARTYNAME (bsc#1179491). ----------------------------------------- Version 2-Build4.2.124 2020-12-10T07:41:00 ----------------------------------------- Patch: SUSE-2020-3735 Released: Wed Dec 9 18:19:24 2020 Summary: Security update for curl Severity: moderate References: 1179398,1179399,1179593,CVE-2020-8284,CVE-2020-8285,CVE-2020-8286 Description: This update for curl fixes the following issues: - CVE-2020-8286: Fixed improper OSCP verification in the client side (bsc#1179593). - CVE-2020-8285: Fixed a stack overflow due to FTP wildcard (bsc#1179399). - CVE-2020-8284: Fixed an issue where a malicius FTP server could make curl connect to a different IP (bsc#1179398). ----------------------------------------- Version 3-Build5.5.6 2020-12-16T07:40:20 ----------------------------------------- Patch: SUSE-2020-3809 Released: Tue Dec 15 13:46:05 2020 Summary: Recommended update for glib2 Severity: moderate References: 1178346 Description: This update for glib2 fixes the following issues: Update from version 2.62.5 to version 2.62.6: - Support for slim format of timezone. (bsc#1178346) - Fix DST incorrect end day when using slim format. (bsc#1178346) - Fix SOCKS5 username/password authentication. - Updated translations. ----------------------------------------- Version 3-Build5.5.9 2020-12-17T07:41:10 ----------------------------------------- Patch: SUSE-2020-3853 Released: Wed Dec 16 12:27:27 2020 Summary: Recommended update for util-linux Severity: moderate References: 1084671,1169006,1174942,1175514,1175623,1178554,1178825 Description: This update for util-linux fixes the following issue: - Do not trigger the automatic close of CDROM. (bsc#1084671) - Try to automatically configure broken serial lines. (bsc#1175514) - Avoid `sulogin` failing on not existing or not functional console devices. (bsc#1175514) - Build with `libudev` support to support non-root users. (bsc#1169006) - Avoid memory errors on PowerPC systems with valid hardware configurations. (bsc#1175623, bsc#1178554, bsc#1178825) - Fix warning on mounts to `CIFS` with mount –a. (bsc#1174942) ----------------------------------------- Version 3-Build5.5.16 2020-12-30T07:39:39 ----------------------------------------- Patch: SUSE-2020-3930 Released: Wed Dec 23 18:19:39 2020 Summary: Security update for python3 Severity: important References: 1155094,1174091,1174571,1174701,1177211,1178009,1179193,1179630,CVE-2019-16935,CVE-2019-18348,CVE-2019-20907,CVE-2019-5010,CVE-2020-14422,CVE-2020-26116,CVE-2020-27619,CVE-2020-8492 Description: This update for python3 fixes the following issues: - Fixed CVE-2020-27619 (bsc#1178009), where Lib/test/multibytecodec_support calls eval() on content retrieved via HTTP. - Change setuptools and pip version numbers according to new wheels - Handful of changes to make python36 compatible with SLE15 and SLE12 (jsc#ECO-2799, jsc#SLE-13738) - add triplets for mips-r6 and riscv - RISC-V needs CTYPES_PASS_BY_REF_HACK Update to 3.6.12 (bsc#1179193) * Ensure python3.dll is loaded from correct locations when Python is embedded * The __hash__() methods of ipaddress.IPv4Interface and ipaddress.IPv6Interface incorrectly generated constant hash values of 32 and 128 respectively. This resulted in always causing hash collisions. The fix uses hash() to generate hash values for the tuple of (address, mask length, network address). * Prevent http header injection by rejecting control characters in http.client.putrequest(…). * Unpickling invalid NEWOBJ_EX opcode with the C implementation raises now UnpicklingError instead of crashing. * Avoid infinite loop when reading specially crafted TAR files using the tarfile module - This release also fixes CVE-2020-26116 (bsc#1177211) and CVE-2019-20907 (bsc#1174091). Update to 3.6.11: - Disallow CR or LF in email.headerregistry. Address arguments to guard against header injection attacks. - Disallow control characters in hostnames in http.client, addressing CVE-2019-18348. Such potentially malicious header injection URLs now cause a InvalidURL to be raised. (bsc#1155094) - CVE-2020-8492: The AbstractBasicAuthHandler class of the urllib.request module uses an inefficient regular expression which can be exploited by an attacker to cause a denial of service. Fix the regex to prevent the catastrophic backtracking. Vulnerability reported by Ben Caller and Matt Schwager. ----------------------------------------- Patch: SUSE-2020-3942 Released: Tue Dec 29 12:22:01 2020 Summary: Recommended update for libidn2 Severity: moderate References: 1180138 Description: This update for libidn2 fixes the following issues: - The library is actually dual licensed, GPL-2.0-or-later or LGPL-3.0-or-later, adjusted the RPM license tags (bsc#1180138) ----------------------------------------- Patch: SUSE-2020-3943 Released: Tue Dec 29 12:24:45 2020 Summary: Recommended update for libxml2 Severity: moderate References: 1178823 Description: This update for libxml2 fixes the following issues: Avoid quadratic checking of identity-constraints, speeding up XML validation (bsc#1178823) * key/unique/keyref schema attributes currently use quadratic loops to check their various constraints (that keys are unique and that keyrefs refer to existing keys). * This fix uses a hash table to avoid the quadratic behaviour. ----------------------------------------- Patch: SUSE-2020-3946 Released: Tue Dec 29 17:39:54 2020 Summary: Recommended update for python3 Severity: important References: 1180377 Description: This update for python3 fixes the following issues: - A previous update inadvertently removed the 'PyFPE_jbuf' symbol from Python3, which caused regressions in several applications. (bsc#1180377) ----------------------------------------- Version 3-Build5.5.24 2021-01-14T07:42:46 ----------------------------------------- Patch: SUSE-2021-109 Released: Wed Jan 13 10:13:24 2021 Summary: Security update for libzypp, zypper Severity: moderate References: 1050625,1174016,1177238,1177275,1177427,1177583,1178910,1178966,1179083,1179222,1179415,1179909,CVE-2017-9271 Description: This update for libzypp, zypper fixes the following issues: Update zypper to version 1.14.41 Update libzypp to 17.25.4 - CVE-2017-9271: Fixed information leak in the log file (bsc#1050625 bsc#1177583) - RepoManager: Force refresh if repo url has changed (bsc#1174016) - RepoManager: Carefully tidy up the caches. Remove non-directory entries. (bsc#1178966) - RepoInfo: ignore legacy type= in a .repo file and let RepoManager probe (bsc#1177427). - RpmDb: If no database exists use the _dbpath configured in rpm. Still makes sure a compat symlink at /var/lib/rpm exists in case the configures _dbpath is elsewhere. (bsc#1178910) - Fixed update of gpg keys with elongated expire date (bsc#179222) - needreboot: remove udev from the list (bsc#1179083) - Fix lsof monitoring (bsc#1179909) yast-installation was updated to 4.2.48: - Do not cleanup the libzypp cache when the system has low memory, incomplete cache confuses libzypp later (bsc#1179415) ----------------------------------------- Version 3-Build5.5.26 2021-01-15T11:43:25 ----------------------------------------- Patch: SUSE-2021-129 Released: Thu Jan 14 12:26:15 2021 Summary: Security update for openldap2 Severity: moderate References: 1178909,1179503,CVE-2020-25709,CVE-2020-25710 Description: This update for openldap2 fixes the following issues: Security issues fixed: - CVE-2020-25709: Fixed a crash caused by specially crafted network traffic (bsc#1178909). - CVE-2020-25710: Fixed a crash caused by specially crafted network traffic (bsc#1178909). Non-security issue fixed: - Retry binds in the LDAP backend when the remote LDAP server disconnected the (idle) LDAP connection. (bsc#1179503) ----------------------------------------- Version 3-Build5.5.37 2021-01-23T09:27:52 ----------------------------------------- Patch: SUSE-2021-169 Released: Tue Jan 19 16:18:46 2021 Summary: Recommended update for libsolv, libzypp, zypper Severity: moderate References: 1179816,1180077,1180663,1180721 Description: This update for libsolv, libzypp, zypper fixes the following issues: libzypp was updated to 17.25.6: - Rephrase solver problem descriptions (jsc#SLE-8482) - Adapt to changed gpg2/libgpgme behavior (bsc#1180721) - Multicurl backend breaks with with unknown filesize (fixes #277) zypper was updated to 1.14.42: - Fix source-download commnds help (bsc#1180663) - man: Recommend to use the --non-interactive global option rather than the command option -y (bsc#1179816) - Extend apt packagemap (fixes #366) - --quiet: Fix install summary to write nothing if there's nothing todo (bsc#1180077) libsolv was updated to 0.7.16; - do not ask the namespace callback for splitprovides when writing a testcase - fix add_complex_recommends() selecting conflicted packages in rare cases leading to crashes - improve choicerule generation so that package updates are prefered in more cases ----------------------------------------- Patch: SUSE-2021-174 Released: Wed Jan 20 07:55:23 2021 Summary: Recommended update for gnutls Severity: moderate References: 1172695 Description: This update for gnutls fixes the following issue: - Avoid spurious audit messages about incompatible signature algorithms (bsc#1172695) ----------------------------------------- Patch: SUSE-2021-179 Released: Wed Jan 20 13:38:51 2021 Summary: Recommended update for timezone Severity: moderate References: 1177460 Description: This update for timezone fixes the following issues: - timezone update 2020f (bsc#1177460) * 'make rearguard_tarballs' no longer generates a bad rearguard.zi, fixing a 2020e bug. - timezone update 2020e (bsc#1177460) * Volgograd switches to Moscow time on 2020-12-27 at 02:00. - timezone update 2020f (bsc#1177460) * 'make rearguard_tarballs' no longer generates a bad rearguard.zi, fixing a 2020e bug. - timezone update 2020e (bsc#1177460) * Volgograd switches to Moscow time on 2020-12-27 at 02:00. ----------------------------------------- Patch: SUSE-2021-197 Released: Fri Jan 22 15:17:42 2021 Summary: Security update for permissions Severity: moderate References: 1171883,CVE-2020-8025 Description: This update for permissions fixes the following issues: - Update to version 20181224: * pcp: remove no longer needed / conflicting entries (bsc#1171883, CVE-2020-8025) ----------------------------------------- Version 3-Build5.5.45 2021-01-27T07:39:55 ----------------------------------------- Patch: SUSE-2021-220 Released: Tue Jan 26 14:00:51 2021 Summary: Recommended update for keyutils Severity: moderate References: 1180603 Description: This update for keyutils fixes the following issues: - Adjust the library license to be LPGL-2.1+ only (the tools are GPL2+, the library is just LGPL-2.1+) (bsc#1180603) ----------------------------------------- Version 3-Build5.5.47 2021-01-28T07:39:37 ----------------------------------------- Patch: SUSE-2021-233 Released: Wed Jan 27 12:15:33 2021 Summary: Recommended update for systemd Severity: moderate References: 1141597,1174436,1175458,1177490,1179363,1179824,1180225 Description: This update for systemd fixes the following issues: - Added a timestamp to the output of the busctl monitor command (bsc#1180225) - Fixed a NULL pointer dereference bug when attempting to close the journal file handle (bsc#1179824) - Improved the caching of cgroups member mask (bsc#1175458) - Fixed the dependency definition of sound.target (bsc#1179363) - Fixed a bug that could lead to a potential error, when daemon-reload is called between StartTransientUnit and scope_start() (bsc#1174436) - time-util: treat /etc/localtime missing as UTC (bsc#1141597) - Removed mq-deadline selection from 60-io-scheduler.rules (bsc#1177490) ----------------------------------------- Version 3-Build5.5.52 2021-02-02T07:40:18 ----------------------------------------- Patch: SUSE-2021-265 Released: Mon Feb 1 15:06:45 2021 Summary: Recommended update for systemd Severity: important References: 1178775,1180885 Description: This update for systemd fixes the following issues: - Fix for udev creating '/dev/disk/by-label' symlink for 'LUKS2' to avoid mount issues. (bsc#1180885, #8998)) - Fix for an issue when container start causes interference in other containers. (bsc#1178775) ----------------------------------------- Version 3-Build5.5.59 2021-02-04T07:39:31 ----------------------------------------- Patch: SUSE-2021-293 Released: Wed Feb 3 12:52:34 2021 Summary: Recommended update for gmp Severity: moderate References: 1180603 Description: This update for gmp fixes the following issues: - correct license statements of packages (library itself is no GPL-3.0) (bsc#1180603) ----------------------------------------- Version 3-Build5.5.62 2021-02-05T07:40:09 ----------------------------------------- Patch: SUSE-2021-301 Released: Thu Feb 4 08:46:27 2021 Summary: Recommended update for timezone Severity: moderate References: 1177460 Description: This update for timezone fixes the following issues: - timezone update 2021a (bsc#1177460) * South Sudan changes from +03 to +02 on 2021-02-01 at 00:00. - timezone update 2021a (bsc#1177460) * South Sudan changes from +03 to +02 on 2021-02-01 at 00:00. ----------------------------------------- Version 3-Build5.5.66 2021-02-09T07:40:23 ----------------------------------------- Patch: SUSE-2021-339 Released: Mon Feb 8 13:16:07 2021 Summary: Optional update for pam Severity: low References: Description: This update for pam fixes the following issues: - Added rpm macros for this package, so that other packages can make use of it This patch is optional to be installed - it doesn't fix any bugs. ----------------------------------------- Version 3-Build5.5.74 2021-02-20T07:39:33 ----------------------------------------- Patch: SUSE-2021-526 Released: Fri Feb 19 12:46:27 2021 Summary: Recommended update for python-distro Severity: moderate References: Description: This update for python-distro fixes the following issues: Upgrade from version 1.2.0 to 1.5.0 (jsc#ECO-3212) - Backward compatibility: - Keep output as native string so we can compatible with python2 interface - Prefer the `VERSION_CODENAME` field of `os-release` to parsing it from `VERSION` - Bug Fixes: - Fix detection of RHEL 6 `ComputeNode` - Fix Oracle 4/5 `lsb_release` id and names - Ignore `/etc/plesk-release` file while parsing distribution - Return `_uname_info` from the `uname_info()` method - Fixed `CloudLinux` id discovery - Update Oracle matching - Warn about wrong locale. - Documentation: - Distro is the recommended replacement for `platform.linux_distribution` - Add Ansible reference implementation and fix arch-linux link - Add facter reference implementation ----------------------------------------- Patch: SUSE-2021-529 Released: Fri Feb 19 14:53:47 2021 Summary: Security update for python3 Severity: moderate References: 1176262,1179756,1180686,1181126,CVE-2019-20916,CVE-2021-3177 Description: This update for python3 fixes the following issues: - CVE-2021-3177: Fixed buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution (bsc#1181126). - Provide the newest setuptools wheel (bsc#1176262, CVE-2019-20916) in their correct form (bsc#1180686). ----------------------------------------- Version 3-Build5.5.75 2021-02-26T08:47:15 ----------------------------------------- Patch: SUSE-2020-1989 Released: Tue Jul 21 17:58:58 2020 Summary: Recommended update to SLES-releases Severity: important References: 1173582 Description: This update of SLES-release provides the following fix: - Obsolete Leap 15.2 as well to allow migration from Leap to SLE. (bsc#1173582) ----------------------------------------- Patch: SUSE-2020-3294 Released: Wed Nov 11 12:28:46 2020 Summary: Recommended update for SLES-release Severity: moderate References: 1177998 Description: This update for SLES-release fixes the following issue: - Obsolete Leap 15.2.1 (jump) to allow migration from Jump/Leap 15.2.1 to SLE 15 SP2. (bsc#1177998) ----------------------------------------- Version 3-Build5.5.76 2021-02-27T07:42:33 ----------------------------------------- Patch: SUSE-2021-653 Released: Fri Feb 26 19:53:43 2021 Summary: Security update for glibc Severity: important References: 1178386,1179694,1179721,1180038,1181505,1182117,CVE-2019-25013,CVE-2020-27618,CVE-2020-29562,CVE-2020-29573,CVE-2021-3326 Description: This update for glibc fixes the following issues: - Fix buffer overrun in EUC-KR conversion module (CVE-2019-25013, bsc#1182117, BZ #24973) - x86: Harden printf against non-normal long double values (CVE-2020-29573, bsc#1179721, BZ #26649) - gconv: Fix assertion failure in ISO-2022-JP-3 module (CVE-2021-3326, bsc#1181505, BZ #27256) - iconv: Accept redundant shift sequences in IBM1364 (CVE-2020-27618, bsc#1178386, BZ #26224) - iconv: Fix incorrect UCS4 inner loop bounds (CVE-2020-29562, bsc#1179694, BZ #26923) - Fix parsing of /sys/devices/system/cpu/online (bsc#1180038, BZ #25859) ----------------------------------------- Version 3-Build5.5.77 2021-03-02T07:42:17 ----------------------------------------- Patch: SUSE-2021-656 Released: Mon Mar 1 09:34:21 2021 Summary: Recommended update for protobuf Severity: moderate References: 1177127 Description: This update for protobuf fixes the following issues: - Add missing dependency of python subpackages on python-six. (bsc#1177127) ----------------------------------------- Version 3-Build5.5.85 2021-03-09T07:42:32 ----------------------------------------- Patch: SUSE-2021-723 Released: Mon Mar 8 16:45:27 2021 Summary: Security update for openldap2 Severity: important References: 1182279,1182408,1182411,1182412,1182413,1182415,1182416,1182417,1182418,1182419,1182420,CVE-2020-36221,CVE-2020-36222,CVE-2020-36223,CVE-2020-36224,CVE-2020-36225,CVE-2020-36226,CVE-2020-36227,CVE-2020-36228,CVE-2020-36229,CVE-2020-36230,CVE-2021-27212 Description: This update for openldap2 fixes the following issues: - bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the X.509 DN parsing in decode.c ber_next_element, resulting in denial of service. - bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN parsing in ad_keystring, resulting in denial of service. - bsc#1182412 CVE-2020-36228 - integer underflow leading to crash in the Certificate List Exact Assertion processing, resulting in denial of service. - bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the cancel_extop Cancel operation, resulting in denial of service. - bsc#1182416 CVE-2020-36225 - double free and slapd crash in the saslAuthzTo processing, resulting in denial of service. - bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash in the saslAuthzTo processing, resulting in denial of service. - bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd crash in the saslAuthzTo processing, resulting in denial of service. - bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the saslAuthzTo validation, resulting in denial of service. - bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact Assertion processing, resulting in denial of service (schema_init.c serialNumberAndIssuerCheck). - bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter control handling, resulting in denial of service (double free and out-of-bounds read). - bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime. ----------------------------------------- Patch: SUSE-2021-724 Released: Mon Mar 8 16:46:57 2021 Summary: Security update for 389-ds Severity: moderate References: 1181159,CVE-2020-35518 Description: This update for 389-ds fixes the following issues: - 389-ds was updated to version 1.4.3.19 - CVE-2020-35518: Fixed an information disclosure during the binding of a DN (bsc#1181159). ----------------------------------------- Version 3-Build5.5.87 2021-03-10T07:41:42 ----------------------------------------- Patch: SUSE-2021-754 Released: Tue Mar 9 17:10:49 2021 Summary: Security update for openssl-1_1 Severity: moderate References: 1182331,1182333,1182959,CVE-2021-23840,CVE-2021-23841 Description: This update for openssl-1_1 fixes the following issues: - CVE-2021-23840: Fixed an Integer overflow in CipherUpdate (bsc#1182333) - CVE-2021-23841: Fixed a Null pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331) - Fixed unresolved error codes in FIPS (bsc#1182959). ----------------------------------------- Version 3-Build5.5.91 2021-03-13T07:43:27 ----------------------------------------- Patch: SUSE-2021-778 Released: Fri Mar 12 17:42:25 2021 Summary: Security update for glib2 Severity: important References: 1182328,1182362,CVE-2021-27218,CVE-2021-27219 Description: This update for glib2 fixes the following issues: - CVE-2021-27218: g_byte_array_new_take takes a gsize as length but stores in a guint, this patch will refuse if the length is larger than guint. (bsc#1182328) - CVE-2021-27219: g_memdup takes a guint as parameter and sometimes leads into an integer overflow, so add a g_memdup2 function which uses gsize to replace it. (bsc#1182362) ----------------------------------------- Version 3-Build5.5.94 2021-03-16T07:43:19 ----------------------------------------- Patch: SUSE-2021-786 Released: Mon Mar 15 11:19:23 2021 Summary: Recommended update for zlib Severity: moderate References: 1176201 Description: This update for zlib fixes the following issues: - Fixed hw compression on z15 (bsc#1176201) ----------------------------------------- Version 3-Build5.5.98 2021-03-19T07:45:36 ----------------------------------------- Patch: SUSE-2021-874 Released: Thu Mar 18 09:41:54 2021 Summary: Recommended update for libsolv, libzypp, zypper Severity: moderate References: 1179847,1181328,1181622,1182629 Description: This update for libsolv, libzypp, zypper fixes the following issues: - support multiple collections in updateinfo parser - Fixed an issue when some 'systemd' tools require '/proc' to be mounted and fail if it's not there. (bsc#1181328) - Enable release packages to request a releaxed suse/opensuse vendorcheck in dup when migrating. (bsc#1182629) - Patch: Identify well-known category names to allow to use the RH and SUSE patch category names synonymously. (bsc#1179847) - Fix '%posttrans' script execution. (fixes #265) - Repo: Allow multiple baseurls specified on one line (fixes #285) - Regex: Fix memory leak and undefined behavior. - Add rpm buildrequires for test suite (fixes #279) - Use rpmdb2solv new -D switch to tell the location of the rpmdatabase to use. - doc: give more details about creating versioned package locks. (bsc#1181622) - man: Document synonymously used patch categories (bsc#1179847) ----------------------------------------- Version 3-Build5.5.101 2021-03-24T07:41:51 ----------------------------------------- Patch: SUSE-2021-924 Released: Tue Mar 23 10:00:49 2021 Summary: Recommended update for filesystem Severity: moderate References: 1078466,1146705,1175519,1178775,1180020,1180083,1180596,1181011,1181831,1183094 Description: This update for filesystem the following issues: - Remove duplicate line due to merge error - Add fix for 'mesa' creating cache with perm 0700. (bsc#1181011) - Fixed an issue causing failure during installation/upgrade a failure. (rh#1548403) (bsc#1146705) - Allows to override config to add cleanup options of '/var/tmp'. (bsc#1078466) - Create config to cleanup '/tmp' regular required with 'tmpfs'. (bsc#1175519) This update for systemd fixes the following issues: - Fix for a possible memory leak. (bsc#1180020) - Fix for a case when to a bind mounted directory results inactive mount units. (#7811) (bsc#1180596) - Fixed an issue when starting a container conflicts with another one. (bsc#1178775) - Drop most of the tmpfiles that deal with generic paths and avoid warnings. (bsc#1078466, bsc#1181831) - Don't use shell redirections when calling a rpm macro. (bsc#1183094) - 'systemd' requires 'aaa_base' >= 13.2. (bsc#1180083) ----------------------------------------- Patch: SUSE-2021-927 Released: Tue Mar 23 14:07:05 2021 Summary: Recommended update for libreoffice Severity: moderate References: 1041090,1049382,1116658,1136234,1155141,1173404,1173409,1173410,1173471,1174465,1176547,1177955,1178807,1178943,1178944,1179025,1179203,1181122,1181644,1181872,1182790 Description: This update for libreoffice provides the upgrade from version 6.4.5.2 to 7.1.1.2 (jsc#ECO-3150, bsc#1182790) libreoffice: - Image shown with different aspect ratio (bsc#1176547) - Text changes are reproducibly lost on PPTX with SmartArt (bsc#1181644) - Adjust to new Box2D and enable KDE on SUSE Linux Enterprise 15-SP3 or newer (jsc#ECO-3375) - Wrong bullet points in Impress (bsc#1174465) - SmartArt: text wrongly aligned, background boxes not quite right (bsc#1177955) - Update the SUSE color palette to reflect the new SUSE branding. (bsc#1181122, bsc#1173471) - SUSE Mint - SUSE Midnight Blue - SUSE Waterhole Blue - SUSE Persimmon - Fix a crash opening a PPTX. (bsc#1179025) - Fix text box from PowerPoint renders vertically instead of horizontally (bsc#1178807) - Shadow effects for table completely missing (bsc#1178944, bsc#1178943) - Disable firebird integration for the time being (bsc#1179203) - Fixes hang on Writer on scrolling/saving of a document (bsc#1136234) - Wrong rendering of bulleted lists in PPTX document (bsc#1155141) - Sidebar: paragraph widget: numeric fields become inactive/unaccessible after saving (bsc#1173404) - Crash of Writer opening any document having 'invalid' python file in home directory (bsc#1116658) libixion: Update to 0.16.1: - fixed a build issue on 32-bit linux platforms, caused by slicing of integer string ID values. - worked around floating point rounding errors which prevented two theoretically-equal numeric values from being evaluated as equal in test code. - added new function to allow printing of single formula tokens. - added method for setting cached results on formula cells in model_context. - changed the model_context design to ensure that all sheets are of the same size. - added an accessor method to formula_model_access interface (and implicitly in model_context) that directly returns a string value from cell. - added cell_access class for querying of cell states without knowing its type ahead of time. - added document class which provides a layer on top of model_context, to abstract away the handling of formula calculations. - deprecated model_context::erase_cell() in favor of empty_cell(). - added support for 3D references - references that contain multiple sheets. - added support for the exponent (^) and concatenation (&) operators. - fixed incorrect handling of range references containing whole columns such as A:A. - added support for unordered range references - range references whose start row or column is greater than their end position counterparts, such as A3:A1. - fixed a bug that prevented nested formula functions from working properly. - implemented Calc A1 style reference resolver. - formula results now directly store the string values when the results are of string type. They previously stored string ID values after interning the original strings. - Removed build-time dependency on spdlog. libmwaw: Update to 0.3.17: - add a parser for Jazz(Lotus) writer and spreasheet files. The writer parser can only be called if the file still contains its resource fork - add a parser for Canvas 3 and 3.5 files - AppleWorks parser: try to retrieve more Windows presentation - add a parser for Drawing Table files - add a parser for Canvas 2 files - API: add new reserved enums in MWAWDocument.hxx `MWAW_T_RESERVED10..MWAW_T_RESERVED29` and add a new define in libmwaw.hxx `MWAW_INTERFACE_VERSION` to check if these enums are defined - remove the QuarkXPress parser (must be in libqxp) - retrieve the annotation in MsWord 5 document - try to better understand RagTime 5-6 document libnumbertext: Update to 1.0.6 liborcus: Update to 0.16.1 - Add upstream changes to fix build with GCC 11 (bsc#1181872) libstaroffice: Update to 0.0.7: - fix `text:sender-lastname` when creating meta-data libwps: Update to 0.4.11: - XYWrite: add a parser to .fil v2 and v4 files - wks,wk1: correct some problems when retrieving cell's reference. glfw: New package provided on version 3.3.2: - See also: https://www.glfw.org/changelog.html - Sort list of input files to geany for reproducible builds (bsc#1049382, bsc#1041090) * Require pkgconfig(gl) for the devel package to supply needed include GL/gl.h * glfwFocusWindow could terminate on older WMs or without a WM * Creating an undecorated window could fail with BadMatch * Querying a disconnected monitor could segfault * Video modes with a duplicate screen area were discarded * The CMake files did not check for the XInput headers * Key names were not updated when the keyboard layout changed * Decorations could not be enabled after window creation * Content scale fallback value could be inconsistent * Disabled cursor mode was interrupted by indicator windows * Monitor physical dimensions could be reported as zero mm * Window position events were not emitted during resizing * Added on-demand loading of Vulkan and context creation API libraries * [X11] Bugfix: Window size limits were ignored if the minimum or maximum size was set to `GLFW_DONT_CARE` * [X11] Bugfix: Input focus was set before window was visible, causing BadMatch on some non-reparenting WMs * [X11] Bugfix: glfwGetWindowPos and glfwSetWindowPos operated on the window frame instead of the client area * [WGL] Added reporting of errors from `WGL_ARB_create_context` extension * [EGL] Added lib prefix matching between EGL and OpenGL ES library binaries * [EGL] Bugfix: Dynamically loaded entry points were not verified - Made build of geany-tags optional. Box2D: New package provided on version 2.4.1: * Extended distance joint to have a minimum and maximum limit. * `B2_USER_SETTINGS` and `b2_user_settings.h` can control user data, length units, and maximum polygon vertices. * Default user data is now uintptr_t instead of void* * b2FixtureDef::restitutionThreshold lets you set the restitution velocity threshold per fixture. * Collision * Chain and edge shape must now be one-sided to eliminate ghost collisions * Broad-phase optimizations * Added b2ShapeCast for linear shape casting * Dynamics * Joint limits are now predictive and not stateful * Experimental 2D cloth (rope) * b2Body::SetActive -> b2Body::SetEnabled * Better support for running multiple worlds * Handle zero density better * The body behaves like a static body * The body is drawn with a red color * Added translation limit to wheel joint * World dump now writes to box2d_dump.inl * Static bodies are never awake * All joints with spring-dampers now use stiffness and damping * Added utility functions to convert frequency and damping ratio to stiffness and damping * Polygon creation now computes the convex hull. * The convex hull code will merge vertices closer than dm_linearSlop. ----------------------------------------- Version 3-Build5.5.103 2021-03-25T07:41:22 ----------------------------------------- Patch: SUSE-2021-935 Released: Wed Mar 24 12:19:10 2021 Summary: Security update for gnutls Severity: important References: 1183456,1183457,CVE-2021-20231,CVE-2021-20232 Description: This update for gnutls fixes the following issues: - CVE-2021-20232: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183456). - CVE-2021-20231: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183457). ----------------------------------------- Patch: SUSE-2021-947 Released: Wed Mar 24 14:30:58 2021 Summary: Security update for python3 Severity: moderate References: 1182379,CVE-2021-23336 Description: This update for python3 fixes the following issues: - python36 was updated to 3.6.13 - CVE-2021-23336: Fixed a potential web cache poisoning by using a semicolon in query parameters use of semicolon as a query string separator (bsc#1182379). ----------------------------------------- Patch: SUSE-2021-948 Released: Wed Mar 24 14:31:34 2021 Summary: Security update for zstd Severity: moderate References: 1183370,1183371,CVE-2021-24031,CVE-2021-24032 Description: This update for zstd fixes the following issues: - CVE-2021-24031: Added read permissions to files while being compressed or uncompressed (bsc#1183371). - CVE-2021-24032: Fixed a race condition which could have allowed an attacker to access world-readable destination file (bsc#1183370). ----------------------------------------- Version 3-Build5.5.104 2021-03-26T13:21:15 ----------------------------------------- Patch: SUSE-2021-955 Released: Thu Mar 25 16:11:48 2021 Summary: Security update for openssl-1_1 Severity: important References: 1183852,CVE-2021-3449 Description: This update for openssl-1_1 fixes the security issue: * CVE-2021-3449: An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension but includes a signature_algorithms_cert extension, then a NULL pointer dereference will result, leading to a crash and a denial of service attack. OpenSSL TLS clients are not impacted by this issue. [bsc#1183852] ----------------------------------------- Version 3-Build5.5.110 2021-04-02T07:43:41 ----------------------------------------- Patch: SUSE-2021-1004 Released: Thu Apr 1 15:07:09 2021 Summary: Recommended update for libcap Severity: moderate References: 1180073 Description: This update for libcap fixes the following issues: - Added support for the ambient capabilities (jsc#SLE-17092, jsc#ECO-3460) - Changed the license tag from 'BSD-3-Clause and GPL-2.0' to 'BSD-3-Clause OR GPL-2.0-only' (bsc#1180073) ----------------------------------------- Patch: SUSE-2021-1006 Released: Thu Apr 1 17:44:57 2021 Summary: Security update for curl Severity: moderate References: 1183933,1183934,CVE-2021-22876,CVE-2021-22890 Description: This update for curl fixes the following issues: - CVE-2021-22890: TLS 1.3 session ticket proxy host mixup (bsc#1183934) - CVE-2021-22876: Automatic referer leaks credentials (bsc#1183933) ----------------------------------------- Patch: SUSE-2021-1007 Released: Thu Apr 1 17:47:20 2021 Summary: Security update for MozillaFirefox Severity: important References: 1183942,CVE-2021-23981,CVE-2021-23982,CVE-2021-23984,CVE-2021-23987 Description: This update for MozillaFirefox fixes the following issues: - Firefox was updated to 78.9.0 ESR (MFSA 2021-11, bsc#1183942) * CVE-2021-23981: Texture upload into an unbound backing buffer resulted in an out-of-bound read * CVE-2021-23982: Internal network hosts could have been probed by a malicious webpage * CVE-2021-23984: Malicious extensions could have spoofed popup information * CVE-2021-23987: Memory safety bugs ----------------------------------------- Version 3-Build5.5.115 2021-04-13T07:42:38 ----------------------------------------- Patch: SUSE-2021-1141 Released: Mon Apr 12 13:13:36 2021 Summary: Recommended update for openldap2 Severity: low References: 1182791 Description: This update for openldap2 fixes the following issues: - Improved the proxy connection timeout options to prune connections properly (bsc#1182791) ----------------------------------------- Version 3-Build5.5.117 2021-04-14T07:42:01 ----------------------------------------- Patch: SUSE-2021-1169 Released: Tue Apr 13 15:01:42 2021 Summary: Recommended update for procps Severity: low References: 1181976 Description: This update for procps fixes the following issues: - Corrected a statement in the man page about processor pinning via taskset (bsc#1181976) ----------------------------------------- Version 3-Build5.5.122 2021-04-21T07:42:26 ----------------------------------------- Patch: SUSE-2021-1286 Released: Tue Apr 20 20:10:21 2021 Summary: Recommended update for SLES-release Severity: moderate References: 1180836 Description: This recommended update for SLES-release provides the following fix: - Revert the problematic changes previously released and make sure the version is high enough to obsolete the package on containers and images. (bsc#1180836) ----------------------------------------- Version 3-Build5.5.124 2021-04-22T07:42:44 ----------------------------------------- Patch: SUSE-2021-1296 Released: Wed Apr 21 14:09:28 2021 Summary: Optional update for e2fsprogs Severity: low References: 1183791 Description: This update for e2fsprogs fixes the following issues: - Fixed an issue when building e2fsprogs (bsc#1183791) This patch does not fix any user visible issues and is therefore optional to install. ----------------------------------------- Patch: SUSE-2021-1297 Released: Wed Apr 21 14:10:10 2021 Summary: Recommended update for systemd Severity: moderate References: 1178219 Description: This update for systemd fixes the following issues: - Improved the logs emitted by systemd-shutdown during the shutdown process, when applications cannot be stopped properly and would leave mount points mounted. ----------------------------------------- Patch: SUSE-2021-1299 Released: Wed Apr 21 14:11:41 2021 Summary: Optional update for gpgme Severity: low References: 1183801 Description: This update for gpgme fixes the following issues: - Fixed a bug in test cases (bsc#1183801) This patch is optional to install and does not provide any user visible bug fixes. ----------------------------------------- Version 3-Build5.5.132 2021-04-29T07:43:23 ----------------------------------------- Patch: SUSE-2021-1407 Released: Wed Apr 28 15:49:02 2021 Summary: Recommended update for libcap Severity: important References: 1184690 Description: This update for libcap fixes the following issues: - Add explicit dependency on 'libcap2' with version to 'libcap-progs' and 'pam_cap'. (bsc#1184690) ----------------------------------------- Patch: SUSE-2021-1412 Released: Wed Apr 28 17:09:28 2021 Summary: Security update for libnettle Severity: important References: 1184401,CVE-2021-20305 Description: This update for libnettle fixes the following issues: - CVE-2021-20305: Fixed the multiply function which was being called with out-of-range scalars (bsc#1184401). ----------------------------------------- Patch: SUSE-2021-1426 Released: Thu Apr 29 06:23:13 2021 Summary: Recommended update for libsolv Severity: moderate References: Description: This update for libsolv fixes the following issues: - Fix rare segfault in resolve_jobrules() that could happen if new rules are learnt. - Fix a couple of memory leaks in error cases. - Fix error handling in solv_xfopen_fd() - Fixed 'regex' code on win32. - Fixed memory leak in choice rule generation ----------------------------------------- Version 3-Build5.5.139 2021-05-05T07:42:43 ----------------------------------------- Patch: SUSE-2021-1466 Released: Tue May 4 08:30:57 2021 Summary: Security update for permissions Severity: important References: 1182899 Description: This update for permissions fixes the following issues: - etc/permissions: remove unnecessary entries (bsc#1182899) ----------------------------------------- Version 3-Build5.5.140 2021-05-06T07:43:25 ----------------------------------------- Patch: SUSE-2021-1523 Released: Wed May 5 18:24:20 2021 Summary: Security update for libxml2 Severity: moderate References: 1185408,1185409,1185410,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518 Description: This update for libxml2 fixes the following issues: - CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408). - CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410). - CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409). ----------------------------------------- Version 3-Build5.5.144 2021-05-07T07:43:04 ----------------------------------------- Patch: SUSE-2021-1527 Released: Thu May 6 08:58:53 2021 Summary: Recommended update for bash Severity: important References: 1183064 Description: This update for bash fixes the following issues: - Fixed a segmentation fault that used to occur when bash read a history file that was malformed in a very specific way. (bsc#1183064) ----------------------------------------- Patch: SUSE-2021-1528 Released: Thu May 6 15:31:23 2021 Summary: Recommended update for openssl-1_1 Severity: moderate References: 1161276 Description: This update for openssl-1_1 fixes the following issues: - Do not list disapproved cipher algorithms while in 'FIPS' mode. (bsc#1161276) ----------------------------------------- Version 3-Build5.5.146 2021-05-08T07:42:42 ----------------------------------------- Patch: SUSE-2021-1543 Released: Fri May 7 15:16:32 2021 Summary: Recommended update for patterns-microos Severity: moderate References: 1184435 Description: This update for patterns-microos provides the following fix: - Require the libvirt-daemon-qemu package and include the needed dependencies in the product. (bsc#1184435) ----------------------------------------- Patch: SUSE-2021-1544 Released: Fri May 7 16:34:41 2021 Summary: Recommended update for libzypp Severity: moderate References: 1180851,1181874,1182936,1183628,1184997,1185239 Description: This update for libzypp fixes the following issues: Upgrade from version 17.25.8 to version 17.25.10 - Properly handle permission denied when providing optional files. (bsc#1185239) - Fix service detection with `cgroupv2`. (bsc#1184997) - Add missing includes for GCC 11. (bsc#1181874) - Fix unsafe usage of static in media verifier. - `Solver`: Avoid segfault if no system is loaded. (bsc#1183628) - `MediaVerifier`: Relax media set verification in case of a single not-volatile medium. (bsc#1180851) - Do no cleanup in custom cache dirs. (bsc#1182936) - `ZConfig`: let `pubkeyCachePath` follow `repoCachePath`. ----------------------------------------- Version 3-Build5.5.147 2021-05-11T07:43:09 ----------------------------------------- Patch: SUSE-2021-1549 Released: Mon May 10 13:48:00 2021 Summary: Recommended update for procps Severity: moderate References: 1185417 Description: This update for procps fixes the following issues: - Support up to 2048 CPU as well. (bsc#1185417) ----------------------------------------- Version 3-Build5.5.149 2021-05-12T07:42:55 ----------------------------------------- Patch: SUSE-2021-1557 Released: Tue May 11 09:50:00 2021 Summary: Security update for python3 Severity: moderate References: 1183374,CVE-2021-3426 Description: This update for python3 fixes the following issues: - CVE-2021-3426: Fixed an information disclosure via pydoc (bsc#1183374) ----------------------------------------- Patch: SUSE-2021-1565 Released: Tue May 11 14:20:04 2021 Summary: Recommended update for krb5 Severity: moderate References: 1185163 Description: This update for krb5 fixes the following issues: - Use '/run' instead of '/var/run' for daemon PID files. (bsc#1185163); ----------------------------------------- Version 3-Build5.5.151 2021-05-13T07:42:55 ----------------------------------------- Patch: SUSE-2021-1592 Released: Wed May 12 13:47:41 2021 Summary: Optional update for sed Severity: low References: 1183797 Description: This update for sed fixes the following issues: - Fixed a building issue with glibc-2.31 (bsc#1183797). This patch is optional to install. ----------------------------------------- Version 3-Build5.5.153 2021-05-15T07:43:02 ----------------------------------------- Patch: SUSE-2021-1612 Released: Fri May 14 17:09:39 2021 Summary: Recommended update for openldap2 Severity: moderate References: 1184614 Description: This update for openldap2 fixes the following issue: - Provide `openldap2-contrib` to the modules SUSE Linux Enterprise Legacy 15-SP2 and 15-SP3. (bsc#1184614) ----------------------------------------- Version 3-Build5.5.159 2021-05-20T07:43:14 ----------------------------------------- Patch: SUSE-2021-1643 Released: Wed May 19 13:51:48 2021 Summary: Recommended update for pam Severity: important References: 1181443,1184358,1185562 Description: This update for pam fixes the following issues: - Fixed a bug, where the 'unlimited'/'-1' value was not interpreted correctly (bsc#1181443) - Fixed a bug, where pam_access interpreted the keyword 'LOCAL' incorrectly, leading to an attempt to resolve it as a hostname (bsc#1184358) - In the 32-bit compatibility package for 64-bit architectures, require 'systemd-32bit' to be also installed as it contains pam_systemd.so for 32 bit applications. (bsc#1185562) ----------------------------------------- Patch: SUSE-2021-1647 Released: Wed May 19 13:59:12 2021 Summary: Security update for lz4 Severity: important References: 1185438,CVE-2021-3520 Description: This update for lz4 fixes the following issues: - CVE-2021-3520: Fixed memory corruption due to an integer overflow bug caused by memmove argument (bsc#1185438). ----------------------------------------- Patch: SUSE-2021-1654 Released: Wed May 19 16:43:36 2021 Summary: Security update for libxml2 Severity: important References: 1185408,1185409,1185410,1185698,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518,CVE-2021-3537 Description: This update for libxml2 fixes the following issues: - CVE-2021-3537: NULL pointer dereference in valid.c:xmlValidBuildAContentModel (bsc#1185698) - CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408). - CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410). - CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409). ----------------------------------------- Version Build5.8.7-4-Build5.8.7 2021-05-28T07:43:45 ----------------------------------------- Patch: SUSE-2021-1762 Released: Wed May 26 12:30:01 2021 Summary: Security update for curl Severity: moderate References: 1186114,CVE-2021-22898 Description: This update for curl fixes the following issues: - CVE-2021-22898: Fixed curl TELNET stack contents disclosure (bsc#1186114). - Allow partial chain verification [jsc#SLE-17956] * Have intermediate certificates in the trust store be treated as trust-anchors, in the same way as self-signed root CA certificates are. This allows users to verify servers using the intermediate cert only, instead of needing the whole chain. * Set FLAG_TRUSTED_FIRST unconditionally. * Do not check partial chains with CRL check. ----------------------------------------- Patch: SUSE-2021-1773 Released: Wed May 26 17:22:21 2021 Summary: Recommended update for python3 Severity: low References: Description: This update for python3 fixes the following issues: - Make sure to close the import_failed.map file after the exception has been raised in order to avoid ResourceWarnings when the failing import is part of a try...except block. ----------------------------------------- Version Build5.8.10-4-Build5.8.10 2021-06-03T07:43:51 ----------------------------------------- Patch: SUSE-2021-1833 Released: Wed Jun 2 15:32:28 2021 Summary: Recommended update for zypper Severity: moderate References: 1153687,1180851,1181874,1182372,1182936,1183268,1183589,1183628,1184997,1185239 Description: This update for zypper fixes the following issues: zypper was upgraded to 1.14.44: - man page: Recommend the needs-rebooting command to test whether a system reboot is suggested. - patch: Let a patch's reboot-needed flag overrule included packages. (bsc#1183268) - Quickfix setting 'openSUSE_Tumbleweed' as default platform for 'MicroOS'. (bsc#1153687) - Protect against strict/relaxed user umask via sudo. (bsc#1183589) - xml summary: Add solvables repository alias. (bsc#1182372) libzypp was upgraded from version 17.25.8 to version 17.25.10 - Properly handle permission denied when providing optional files. (bsc#1185239) - Fix service detection with `cgroupv2`. (bsc#1184997) - Add missing includes for GCC 11. (bsc#1181874) - Fix unsafe usage of static in media verifier. - `Solver`: Avoid segfault if no system is loaded. (bsc#1183628) - `MediaVerifier`: Relax media set verification in case of a single not-volatile medium. (bsc#1180851) - Do no cleanup in custom cache dirs. (bsc#1182936) - `ZConfig`: let `pubkeyCachePath` follow `repoCachePath`. ----------------------------------------- Version Build5.8.13-4-Build5.8.13 2021-06-06T07:44:27 ----------------------------------------- Patch: SUSE-2021-1846 Released: Fri Jun 4 08:46:37 2021 Summary: Recommended update for mozilla-nss Severity: moderate References: 1185910 Description: This update for mozilla-nss fixes the following issue: - Provide some missing binaries from `mozilla-nss` not added in `SLE-Module-Basesystem_15-SP3`. (bsc#1185910) ----------------------------------------- Patch: SUSE-2021-1861 Released: Fri Jun 4 09:59:40 2021 Summary: Recommended update for gcc10 Severity: moderate References: 1029961,1106014,1178577,1178624,1178675,1182016 Description: This update for gcc10 fixes the following issues: - Disable nvptx offloading for aarch64 again since it doesn't work - Fixed a build failure issue. (bsc#1182016) - Fix for memory miscompilation on 'aarch64'. (bsc#1178624, bsc#1178577) - Fix 32bit 'libgnat.so' link. (bsc#1178675) - prepare usrmerge: Install libgcc_s into %_libdir. ABI wise it stays /%lib. (bsc#1029961) - Build complete set of multilibs for arm-none target. (bsc#1106014) ----------------------------------------- Version Build5.8.16-4-Build5.8.16 2021-06-09T07:43:32 ----------------------------------------- Patch: SUSE-2021-1878 Released: Tue Jun 8 09:14:56 2021 Summary: Security update for 389-ds Severity: moderate References: 1185356,CVE-2021-3514 Description: This update for 389-ds fixes the following issues: - CVE-2021-3514: Fixed a sync_repl NULL pointer dereference in sync_create_state_control() (bsc#1185356) 389-ds was updated to version 1.4.3.23~git0.f53d0132b: Bump version to 1.4.3.23: * Issue 4725 - [RFE] DS - Update the password policy to support a Temporary Password Rules (#4727) * Issue 4759 - Fix coverity issue (#4760) * Issue 4656 - Fix cherry pick error around replication enabling * Issue 4701 - RFE - Exclude attributes from retro changelog (#4723) (#4746) * Issue 4742 - UI - should always use LDAPI path when calling CLI * Issue 4667 - incorrect accounting of readers in vattr rwlock (#4732) * Issue 4711 - SIGSEV with sync_repl (#4738) * Issue 4649 - fix testcase importing ContentSyncPlugin * Issue 2736 - Warnings from automatic shebang munging macro * Issue 2736 - https://github.com/389ds/389-ds-base/issues/2736 * Issue 4706 - negative wtime in access log for CMP operations Bump version to 1.4.3.22: * Issue 4671 - UI - Fix browser crashes * lib389 - Add ContentSyncPlugin class * Issue 4656 - lib389 - fix cherry pick error * Issue 4229 - Fix Rust linking * Issue 4658 - monitor - connection start date is incorrect * Issue 2621 - lib389 - backport ds_supports_new_changelog() * Issue 4656 - Make replication CLI backwards compatible with role name change * Issue 4656 - Remove problematic language from UI/CLI/lib389 * Issue 4459 - lib389 - Default paths should use dse.ldif if the server is down * Issue 4663 - CLI - unable to add objectclass/attribute without x-origin Bump version to 1.4.3.21: * Issue 4169 - UI - updates on the tuning page are not reflected in the UI * Issue 4588 - BUG - unable to compile without xcrypt (#4589) * Issue 4513 - Fix replication CI test failures (#4557) * Issue 4646 - CLI/UI - revise DNA plugin management * Issue 4644 - Large updates can reset the CLcache to the beginning of the changelog (#4647) * Issue 4649 - crash in sync_repl when a MODRDN create a cenotaph (#4652) * Issue 4615 - log message when psearch first exceeds max threads per conn Bump version to 1.4.3.20: * Issue 4324 - Some architectures the cache line size file does not exist * Issue 4593 - RFE - Print help when nsSSLPersonalitySSL is not found (#4614) ----------------------------------------- Patch: SUSE-2021-1879 Released: Tue Jun 8 09:16:09 2021 Summary: Recommended update for libzypp, zypper Severity: important References: 1184326,1184399,1184997,1185325 Description: This update for libzypp, zypper fixes the following issues: libzypp was updated to 17.26.0: - Work around download.o.o broken https redirects. - Allow trusted repos to add additional signing keys (bsc#1184326) Repositories signed with a trusted gpg key may import additional package signing keys. This is needed if different keys were used to sign the the packages shipped by the repository. - MediaCurl: Fix logging of redirects. - Use 15.3 resolver problem and solution texts on all distros. - $ZYPP_LOCK_TIMEOUT: Let negative values wait forever for the zypp lock (bsc#1184399) Helps boot time services like 'zypper purge-kernels' to wait for the zypp lock until other services using zypper have completed. - Fix purge-kernels is broken in Leap 15.3 (bsc#1185325) Leap 15.3 introduces a new kernel package called kernel-flavour-extra, which contain kmp's. Currently kmp's are detected by name '.*-kmp(-.*)?' but this does not work which those new packages. This patch fixes the problem by checking packages for kmod(*) and ksym(*) provides and only falls back to name checking if the package in question does not provide one of those. - Introduce zypp-runpurge, a tool to run purge-kernels on testcases. zypper was updated to 1.14.45: - Fix service detection with cgroupv2 (bsc#1184997) - Add hints to 'trust GPG key' prompt. - Add report when receiving new package signing keys from a trusted repo (bsc#1184326) - Added translation using Weblate (Kabyle) ----------------------------------------- Version Build5.8.23-4-Build5.8.23 2021-06-11T07:43:47 ----------------------------------------- Patch: SUSE-2021-1917 Released: Wed Jun 9 14:48:05 2021 Summary: Security update for libxml2 Severity: moderate References: 1186015,CVE-2021-3541 Description: This update for libxml2 fixes the following issues: - CVE-2021-3541: Fixed exponential entity expansion attack bypasses all existing protection mechanisms. (bsc#1186015) ----------------------------------------- Patch: SUSE-2021-1953 Released: Thu Jun 10 16:18:50 2021 Summary: Recommended update for gpg2 Severity: moderate References: 1161268,1172308 Description: This update for gpg2 fixes the following issues: - Fixed an issue where the gpg-agent's ssh-agent does not handle flags in signing requests properly (bsc#1161268 and bsc#1172308). ----------------------------------------- Version Build5.8.29-4-Build5.8.29 2021-06-22T07:43:58 ----------------------------------------- Patch: SUSE-2021-2096 Released: Mon Jun 21 13:35:38 2021 Summary: Recommended update for python-six Severity: moderate References: 1186642 Description: This update for python-six fixes the following issue: - python-six had a lower release number in 15 sp2 and sp3 than in 15 sp1, which could lead to migration issues. (bsc#1186642) ----------------------------------------- Patch: SUSE-2021-2106 Released: Mon Jun 21 19:26:06 2021 Summary: Security update for salt Severity: critical References: 1171257,1176293,1179831,1181368,1182281,1182293,1182382,1185092,1185281,1186674,CVE-2018-15750,CVE-2018-15751,CVE-2020-11651,CVE-2020-11652,CVE-2020-25592,CVE-2021-25315,CVE-2021-31607 Description: This update for salt fixes the following issues: Update to Salt release version 3002.2 (jsc#ECO-3212, jsc#SLE-18033, jsc#SLE-18028) - Check if dpkgnotify is executable (bsc#1186674) - Drop support for Python2. Obsoletes `python2-salt` package (jsc#SLE-18028) - virt module updates * network: handle missing ipv4 netmask attribute * more network support * PCI/USB host devices passthrough support - Set distro requirement to oldest supported version in requirements/base.txt - Bring missing part of async batch implementation back (CVE-2021-25315, bsc#1182382) - Always require `python3-distro` (bsc#1182293) - Remove deprecated warning that breaks minion execution when 'server_id_use_crc' opts is missing - Fix pkg states when DEB package has 'all' arch - Do not force beacons configuration to be a list. - Remove msgpack < 1.0.0 from base requirements (bsc#1176293) - msgpack support for version >= 1.0.0 (bsc#1171257) - Fix issue parsing errors in ansiblegate state module - Prevent command injection in the snapper module (bsc#1185281, CVE-2021-31607) - transactional_update: detect recursion in the executor - Add subpackage salt-transactional-update (jsc#SLE-18033) - Improvements on 'ansiblegate' module (bsc#1185092): * New methods: ansible.targets / ansible.discover_playbooks - Add support for Alibaba Cloud Linux 2 (Aliyun Linux) - Regression fix of salt-ssh on processing targets - Update target fix for salt-ssh and avoiding race condition on salt-ssh event processing (bsc#1179831, bsc#1182281) - Add notify beacon for Debian/Ubuntu systems - Fix zmq bug that causes salt-call to freeze (bsc#1181368) ----------------------------------------- Version Build5.8.30-4-Build5.8.30 2021-06-24T07:43:50 ----------------------------------------- Patch: SUSE-2021-2143 Released: Wed Jun 23 16:27:04 2021 Summary: Security update for libnettle Severity: important References: 1187060,CVE-2021-3580 Description: This update for libnettle fixes the following issues: - CVE-2021-3580: Fixed a remote denial of service in the RSA decryption via manipulated ciphertext (bsc#1187060). ----------------------------------------- Version Build5.8.31-4-Build5.8.31 2021-06-25T07:44:20 ----------------------------------------- Patch: SUSE-2021-2157 Released: Thu Jun 24 15:40:14 2021 Summary: Security update for libgcrypt Severity: important References: 1187212,CVE-2021-33560 Description: This update for libgcrypt fixes the following issues: - CVE-2021-33560: Fixed a side-channel against ElGamal encryption, caused by missing exponent blinding (bsc#1187212). ----------------------------------------- Version Build5.8.39-4-Build5.8.39 2021-06-29T07:43:22 ----------------------------------------- Patch: SUSE-2021-2173 Released: Mon Jun 28 14:59:45 2021 Summary: Recommended update for automake Severity: moderate References: 1040589,1047218,1182604,1185540,1186049 Description: This update for automake fixes the following issues: - Implement generated autoconf makefiles reproducible (bsc#1182604) - Add fix to avoid date variations in docs. (bsc#1047218, jsc#SLE-17848) - Avoid bashisms in test-driver script. (bsc#1185540) This update for pcre fixes the following issues: - Do not run profiling 'check' in parallel to make package build reproducible. (bsc#1040589) This update for brp-check-suse fixes the following issues: - Add fixes to support reproducible builds. (bsc#1186049) ----------------------------------------- Version Build5.8.40-4-Build5.8.40 2021-06-30T07:44:47 ----------------------------------------- Patch: SUSE-2021-2196 Released: Tue Jun 29 09:41:39 2021 Summary: Security update for lua53 Severity: moderate References: 1175448,1175449,CVE-2020-24370,CVE-2020-24371 Description: This update for lua53 fixes the following issues: Update to version 5.3.6: - CVE-2020-24371: lgc.c mishandles the interaction between barriers and the sweep phase, leading to a memory access violation involving collectgarbage (bsc#1175449) - CVE-2020-24370: ldebug.c allows a negation overflow and segmentation fault in getlocal and setlocal (bsc#1175448) - Long brackets with a huge number of '=' overflow some internal buffer arithmetic. ----------------------------------------- Version Build5.8.42-4-Build5.8.42 2021-07-01T07:43:42 ----------------------------------------- Patch: SUSE-2021-2205 Released: Wed Jun 30 09:17:41 2021 Summary: Recommended update for openldap2 Severity: important References: 1187210 Description: This update for openldap2 fixes the following issues: - Resolve issues in the idle / connection 'TTL' timeout implementation in OpenLDAP. (bsc#1187210) ----------------------------------------- Version Build5.8.43-4-Build5.8.43 2021-07-02T07:44:29 ----------------------------------------- Patch: SUSE-2021-2229 Released: Thu Jul 1 20:40:37 2021 Summary: Recommended update for release packages Severity: moderate References: 1099521,1185221 Description: This update for the release packages provides the following fix: - Fix grub menu entries after migration from SLE-12*. (bsc#1099521) - Adjust the sles-release changelog to include an entry for the previous release that was reverting a broken change. (bsc#1185221) ----------------------------------------- Version Build5.8.46-4-Build5.8.46 2021-07-06T07:43:48 ----------------------------------------- Patch: SUSE-2021-2246 Released: Mon Jul 5 15:17:49 2021 Summary: Recommended update for systemd Severity: moderate References: 1154935,1167471,1178561,1184761,1184967,1185046,1185331,1185807,1185958,1187292,1187400 Description: This update for systemd fixes the following issues: cgroup: Parse infinity properly for memory protections. (bsc#1167471) cgroup: Make empty assignments reset to default. (bsc#1167471) cgroup: Support 0-value for memory protection directives. (bsc#1167471) core/cgroup: Fixed an issue with ignored parameter of 'MemorySwapMax=0'. (bsc#1154935) bus-unit-util: Add proper 'MemorySwapMax' serialization. core: Accept MemorySwapMax= properties that are scaled. execute: Make sure to call into PAM after initializing resource limits. (bsc#1184967) core: Rename 'ShutdownWatchdogSec' to 'RebootWatchdogSec'. (bsc#1185331) Return -EAGAIN instead of -EALREADY from unit_reload. (bsc#1185046) rules: Don't ignore Xen virtual interfaces anymore. (bsc#1178561) write_net_rules: Set execute bits. (bsc#1178561) udev: Rework network device renaming. Revert 'Revert 'udev: Network device renaming - immediately give up if the target name isn't available'' mount-util: tape over name_to_handle_at() flakiness (#7517) (bsc#1184761) core: fix output (logging) for mount units (#7603) (bsc#1187400) udev requires systemd in its %post (bsc#1185958) cgroup: Parse infinity properly for memory protections (bsc#1167471) cgroup: Make empty assignments reset to default (bsc#1167471) cgroup: Support 0-value for memory protection directives (bsc#1167471) Create /run/lock/subsys again (bsc#1187292) The creation of this directory was mistakenly dropped when 'filesystem' package took the initialization of the generic paths over. Expect 644 permissions for /usr/lib/udev/compat-symlink-generation (bsc#1185807) ----------------------------------------- Patch: SUSE-2021-2249 Released: Mon Jul 5 15:40:46 2021 Summary: Optional update for gnutls Severity: low References: 1047218,1186579 Description: This update for gnutls does not fix any user visible issues. It is therefore optional to install. ----------------------------------------- Version Build5.8.48-4-Build5.8.48 2021-07-08T12:06:26 ----------------------------------------- Patch: SUSE-2021-2273 Released: Thu Jul 8 09:48:48 2021 Summary: Recommended update for libzypp, zypper Severity: moderate References: 1186447,1186503 Description: This update for libzypp, zypper fixes the following issues: - Enhance XML output of repo GPG options - Add optional attributes showing the raw values actually present in the '.repo' file. - Link all executables with -PIE (bsc#1186447) - Ship an empty '/etc/zypp/needreboot' per default (jsc#PM-2645) - Add 'Solvable::isBlacklisted' as superset of retracted and ptf packages (bsc#1186503) - Fix segv if 'ZYPP_FULLOG' is set. ----------------------------------------- Version Build5.8.52-4-Build5.8.52 2021-07-15T07:44:32 ----------------------------------------- Patch: SUSE-2021-2320 Released: Wed Jul 14 17:01:06 2021 Summary: Security update for sqlite3 Severity: important References: 1157818,1158812,1158958,1158959,1158960,1159491,1159715,1159847,1159850,1160309,1160438,1160439,1164719,1172091,1172115,1172234,1172236,1172240,1173641,928700,928701,CVE-2015-3414,CVE-2015-3415,CVE-2019-19244,CVE-2019-19317,CVE-2019-19603,CVE-2019-19645,CVE-2019-19646,CVE-2019-19880,CVE-2019-19923,CVE-2019-19924,CVE-2019-19925,CVE-2019-19926,CVE-2019-19959,CVE-2019-20218,CVE-2020-13434,CVE-2020-13435,CVE-2020-13630,CVE-2020-13631,CVE-2020-13632,CVE-2020-15358,CVE-2020-9327 Description: This update for sqlite3 fixes the following issues: - Update to version 3.36.0 - CVE-2020-15358: heap-based buffer overflow in multiSelectOrderBy due to mishandling of query-flattener optimization (bsc#1173641) - CVE-2020-9327: NULL pointer dereference and segmentation fault because of generated column optimizations in isAuxiliaryVtabOperator (bsc#1164719) - CVE-2019-20218: selectExpander in select.c proceeds with WITH stack unwinding even after a parsing error (bsc#1160439) - CVE-2019-19959: memory-management error via ext/misc/zipfile.c involving embedded '\0' input (bsc#1160438) - CVE-2019-19923: improper handling of certain uses of SELECT DISTINCT in flattenSubquery may lead to null pointer dereference (bsc#1160309) - CVE-2019-19924: improper error handling in sqlite3WindowRewrite() (bsc#1159850) - CVE-2019-19925: improper handling of NULL pathname during an update of a ZIP archive (bsc#1159847) - CVE-2019-19926: improper handling of certain errors during parsing multiSelect in select.c (bsc#1159715) - CVE-2019-19880: exprListAppendList in window.c allows attackers to trigger an invalid pointer dereference (bsc#1159491) - CVE-2019-19603: during handling of CREATE TABLE and CREATE VIEW statements, does not consider confusion with a shadow table name (bsc#1158960) - CVE-2019-19646: pragma.c mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns (bsc#1158959) - CVE-2019-19645: alter.c allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements (bsc#1158958) - CVE-2019-19317: lookupName in resolve.c omits bits from the colUsed bitmask in the case of a generated column, which allows attackers to cause a denial of service (bsc#1158812) - CVE-2019-19244: sqlite3,sqlite2,sqlite: The function sqlite3Select in select.c allows a crash if a sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage (bsc#1157818) - CVE-2015-3415: sqlite3VdbeExec comparison operator vulnerability (bsc#928701) - CVE-2015-3414: sqlite3,sqlite2: dequoting of collation-sequence names (bsc#928700) - CVE-2020-13434: integer overflow in sqlite3_str_vappendf (bsc#1172115) - CVE-2020-13630: (bsc#1172234: use-after-free in fts3EvalNextRow - CVE-2020-13631: virtual table allowed to be renamed to one of its shadow tables (bsc#1172236) - CVE-2020-13632: NULL pointer dereference via crafted matchinfo() query (bsc#1172240) - CVE-2020-13435: Malicious SQL statements could have crashed the process that is running SQLite (bsc#1172091) ----------------------------------------- Version Build5.8.54-4-Build5.8.54 2021-07-21T07:44:06 ----------------------------------------- Patch: SUSE-2021-2404 Released: Tue Jul 20 14:21:30 2021 Summary: Security update for systemd Severity: moderate References: 1184994,1188063,CVE-2021-33910 Description: This update for systemd fixes the following issues: - CVE-2021-33910: Fixed a denial of service in systemd via unit_name_path_escape() (bsc#1188063) - Skip udev rules if 'elevator=' is used (bsc#1184994) ----------------------------------------- Version Build5.8.55-4-Build5.8.55 2021-07-22T07:43:56 ----------------------------------------- Patch: SUSE-2021-2439 Released: Wed Jul 21 13:46:48 2021 Summary: Security update for curl Severity: moderate References: 1188217,1188218,1188219,1188220,CVE-2021-22922,CVE-2021-22923,CVE-2021-22924,CVE-2021-22925 Description: This update for curl fixes the following issues: - CVE-2021-22925: TELNET stack contents disclosure again. (bsc#1188220) - CVE-2021-22924: Bad connection reuse due to flawed path name checks. (bsc#1188219) - CVE-2021-22923: Insufficiently Protected Credentials. (bsc#1188218) - CVE-2021-22922: Wrong content via metalink not discarded. (bsc#1188217) ----------------------------------------- Version Build5.8.61-4-Build5.8.61 2021-07-30T07:45:52 ----------------------------------------- Patch: SUSE-2021-2573 Released: Thu Jul 29 14:21:52 2021 Summary: Recommended update for timezone Severity: moderate References: 1188127 Description: This update for timezone fixes the following issue: - From systemd v249: when enumerating time zones the timedatectl tool will now consult the 'tzdata.zi' file shipped by the IANA time zone database package, in addition to 'zone1970.tab', as before. This makes sure time zone aliases are now correctly supported. This update adds the 'tzdata.zi' file (bsc#1188127). ----------------------------------------- Version Build5.8.64-4-Build5.8.64 2021-09-15T07:45:08 ----------------------------------------- Patch: SUSE-2021-2689 Released: Mon Aug 16 10:54:52 2021 Summary: Security update for cpio Severity: important References: 1189206,CVE-2021-38185 Description: This update for cpio fixes the following issues: It was possible to trigger Remote code execution due to a integer overflow (CVE-2021-38185, bsc#1189206) ----------------------------------------- Patch: SUSE-2021-2763 Released: Tue Aug 17 17:16:22 2021 Summary: Recommended update for cpio Severity: critical References: 1189465 Description: This update for cpio fixes the following issues: - A regression in last update would cause builds to hang on various architectures(bsc#1189465) ----------------------------------------- Patch: SUSE-2021-2780 Released: Thu Aug 19 16:09:15 2021 Summary: Recommended update for cpio Severity: critical References: 1189465,CVE-2021-38185 Description: This update for cpio fixes the following issues: - A regression in the previous update could lead to crashes (bsc#1189465) ----------------------------------------- Patch: SUSE-2021-2800 Released: Fri Aug 20 10:43:04 2021 Summary: Security update for krb5 Severity: important References: 1188571,CVE-2021-36222 Description: This update for krb5 fixes the following issues: - CVE-2021-36222: Fixed KDC null deref on bad encrypted challenge. (bsc#1188571) ----------------------------------------- Patch: SUSE-2021-2817 Released: Mon Aug 23 15:05:36 2021 Summary: Security update for aws-cli, python-boto3, python-botocore, python-service_identity, python-trustme, python-urllib3 Severity: moderate References: 1102408,1138715,1138746,1176389,1177120,1182421,1182422,CVE-2020-26137 Description: This patch updates the Python AWS SDK stack in SLE 15: General: # aws-cli - Version updated to upstream release v1.19.9 For a detailed list of all changes, please refer to the changelog file of this package. # python-boto3 - Version updated to upstream release 1.17.9 For a detailed list of all changes, please refer to the changelog file of this package. # python-botocore - Version updated to upstream release 1.20.9 For a detailed list of all changes, please refer to the changelog file of this package. # python-urllib3 - Version updated to upstream release 1.25.10 For a detailed list of all changes, please refer to the changelog file of this package. # python-service_identity - Added this new package to resolve runtime dependencies for other packages. Version: 18.1.0 # python-trustme - Added this new package to resolve runtime dependencies for other packages. Version: 0.6.0 Security fixes: # python-urllib3: - CVE-2020-26137: urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest() (bsc#1177120) ----------------------------------------- Patch: SUSE-2021-2830 Released: Tue Aug 24 16:20:18 2021 Summary: Security update for openssl-1_1 Severity: important References: 1189520,1189521,CVE-2021-3711,CVE-2021-3712 Description: This update for openssl-1_1 fixes the following security issues: - CVE-2021-3711: A bug in the implementation of the SM2 decryption code could lead to buffer overflows. [bsc#1189520] - CVE-2021-3712: a bug in the code for printing certificate details could lead to a buffer overrun that a malicious actor could exploit to crash the application, causing a denial-of-service attack. [bsc#1189521] ----------------------------------------- Patch: SUSE-2021-2857 Released: Fri Aug 27 11:58:53 2021 Summary: Security update for 389-ds Severity: moderate References: 1188455,CVE-2021-3652 Description: This update for 389-ds fixes the following issues: - Update to version 1.4.3.24 - CVE-2021-3652: Fixed crypt handling of locked accounts. (bsc#1188455) ----------------------------------------- Patch: SUSE-2021-2938 Released: Fri Sep 3 09:19:36 2021 Summary: Recommended update for openldap2 Severity: moderate References: 1184614 Description: This update for openldap2 fixes the following issue: - openldap2-contrib is shipped to the Legacy Module. (bsc#1184614) ----------------------------------------- Patch: SUSE-2021-2966 Released: Tue Sep 7 09:49:14 2021 Summary: Security update for openssl-1_1 Severity: low References: 1189521,CVE-2021-3712 Description: This update for openssl-1_1 fixes the following issues: - CVE-2021-3712: This is an update for the incomplete fix for CVE-2021-3712. Read buffer overruns processing ASN.1 strings (bsc#1189521). ----------------------------------------- Patch: SUSE-2021-3001 Released: Thu Sep 9 15:08:13 2021 Summary: Recommended update for netcfg Severity: moderate References: 1189683 Description: This update for netcfg fixes the following issues: - add submissions port/protocol to services file for message submission over TLS protocol [bsc#1189683] ----------------------------------------- Patch: SUSE-2021-3030 Released: Tue Sep 14 09:27:45 2021 Summary: Recommended update for patterns-base Severity: moderate References: 1189534,1189554 Description: This update of patterns-base fixes the following issue: - The fips pattern should also install 'openssh-fips' if 'openssh' is installed (bsc#1189554 bsc#1189534) ----------------------------------------- Version Build5.8.69-4-Build5.8.69 2021-09-17T07:46:09 ----------------------------------------- Patch: SUSE-2021-3115 Released: Thu Sep 16 14:04:26 2021 Summary: Recommended update for mozilla-nspr, mozilla-nss Severity: moderate References: 1029961,1174697,1176206,1176934,1179382,1188891,CVE-2020-12400,CVE-2020-12401,CVE-2020-12403,CVE-2020-25648,CVE-2020-6829 Description: This update for mozilla-nspr fixes the following issues: mozilla-nspr was updated to version 4.32: * implement new socket option PR_SockOpt_DontFrag * support larger DNS records by increasing the default buffer size for DNS queries * Lock access to PRCallOnceType members in PR_CallOnce* for thread safety bmo#1686138 * PR_GetSystemInfo supports a new flag PR_SI_RELEASE_BUILD to get information about the operating system build version. Mozilla NSS was updated to version 3.68: * bmo#1713562 - Fix test leak. * bmo#1717452 - NSS 3.68 should depend on NSPR 4.32. * bmo#1693206 - Implement PKCS8 export of ECDSA keys. * bmo#1712883 - DTLS 1.3 draft-43. * bmo#1655493 - Support SHA2 HW acceleration using Intel SHA Extension. * bmo#1713562 - Validate ECH public names. * bmo#1717610 - Add function to get seconds from epoch from pkix::Time. update to NSS 3.67 * bmo#1683710 - Add a means to disable ALPN. * bmo#1715720 - Fix nssckbi version number in NSS 3.67 (was supposed to be incremented in 3.66). * bmo#1714719 - Set NSS_USE_64 on riscv64 target when using GYP/Ninja. * bmo#1566124 - Fix counter increase in ppc-gcm-wrap.c. * bmo#1566124 - Fix AES_GCM mode on ppc64le for messages of length more than 255-byte. update to NSS 3.66 * bmo#1710716 - Remove Expired Sonera Class2 CA from NSS. * bmo#1710716 - Remove Expired Root Certificates from NSS - QuoVadis Root Certification Authority. * bmo#1708307 - Remove Trustis FPS Root CA from NSS. * bmo#1707097 - Add Certum Trusted Root CA to NSS. * bmo#1707097 - Add Certum EC-384 CA to NSS. * bmo#1703942 - Add ANF Secure Server Root CA to NSS. * bmo#1697071 - Add GLOBALTRUST 2020 root cert to NSS. * bmo#1712184 - NSS tools manpages need to be updated to reflect that sqlite is the default database. * bmo#1712230 - Don't build ppc-gcm.s with clang integrated assembler. * bmo#1712211 - Strict prototype error when trying to compile nss code that includes blapi.h. * bmo#1710773 - NSS needs FIPS 180-3 FIPS indicators. * bmo#1709291 - Add VerifyCodeSigningCertificateChain. update to NSS 3.65 * bmo#1709654 - Update for NetBSD configuration. * bmo#1709750 - Disable HPKE test when fuzzing. * bmo#1566124 - Optimize AES-GCM for ppc64le. * bmo#1699021 - Add AES-256-GCM to HPKE. * bmo#1698419 - ECH -10 updates. * bmo#1692930 - Update HPKE to final version. * bmo#1707130 - NSS should use modern algorithms in PKCS#12 files by default. * bmo#1703936 - New coverity/cpp scanner errors. * bmo#1697303 - NSS needs to update it's csp clearing to FIPS 180-3 standards. * bmo#1702663 - Need to support RSA PSS with Hashing PKCS #11 Mechanisms. * bmo#1705119 - Deadlock when using GCM and non-thread safe tokens. update to NSS 3.64 * bmo#1705286 - Properly detect mips64. * bmo#1687164 - Introduce NSS_DISABLE_CRYPTO_VSX and disable_crypto_vsx. * bmo#1698320 - replace __builtin_cpu_supports('vsx') with ppc_crypto_support() for clang. * bmo#1613235 - Add POWER ChaCha20 stream cipher vector acceleration. Fixed in 3.63 * bmo#1697380 - Make a clang-format run on top of helpful contributions. * bmo#1683520 - ECCKiila P384, change syntax of nested structs initialization to prevent build isses with GCC 4.8. * bmo#1683520 - [lib/freebl/ecl] P-384: allow zero scalars in dual scalar multiplication. * bmo#1683520 - ECCKiila P521, change syntax of nested structs initialization to prevent build isses with GCC 4.8. * bmo#1683520 - [lib/freebl/ecl] P-521: allow zero scalars in dual scalar multiplication. * bmo#1696800 - HACL* update March 2021 - c95ab70fcb2bc21025d8845281bc4bc8987ca683. * bmo#1694214 - tstclnt can't enable middlebox compat mode. * bmo#1694392 - NSS does not work with PKCS #11 modules not supporting profiles. * bmo#1685880 - Minor fix to prevent unused variable on early return. * bmo#1685880 - Fix for the gcc compiler version 7 to support setenv with nss build. * bmo#1693217 - Increase nssckbi.h version number for March 2021 batch of root CA changes, CA list version 2.48. * bmo#1692094 - Set email distrust after to 21-03-01 for Camerfirma's 'Chambers of Commerce' and 'Global Chambersign' roots. * bmo#1618407 - Symantec root certs - Set CKA_NSS_EMAIL_DISTRUST_AFTER. * bmo#1693173 - Add GlobalSign R45, E45, R46, and E46 root certs to NSS. * bmo#1683738 - Add AC RAIZ FNMT-RCM SERVIDORES SEGUROS root cert to NSS. * bmo#1686854 - Remove GeoTrust PCA-G2 and VeriSign Universal root certs from NSS. * bmo#1687822 - Turn off Websites trust bit for the “Staat der Nederlanden Root CA - G3” root cert in NSS. * bmo#1692094 - Turn off Websites Trust Bit for 'Chambers of Commerce Root - 2008' and 'Global Chambersign Root - 2008’. * bmo#1694291 - Tracing fixes for ECH. update to NSS 3.62 * bmo#1688374 - Fix parallel build NSS-3.61 with make * bmo#1682044 - pkix_Build_GatherCerts() + pkix_CacheCert_Add() can corrupt 'cachedCertTable' * bmo#1690583 - Fix CH padding extension size calculation * bmo#1690421 - Adjust 3.62 ABI report formatting for new libabigail * bmo#1690421 - Install packaged libabigail in docker-builds image * bmo#1689228 - Minor ECH -09 fixes for interop testing, fuzzing * bmo#1674819 - Fixup a51fae403328, enum type may be signed * bmo#1681585 - Add ECH support to selfserv * bmo#1681585 - Update ECH to Draft-09 * bmo#1678398 - Add Export/Import functions for HPKE context * bmo#1678398 - Update HPKE to draft-07 update to NSS 3.61 * bmo#1682071 - Fix issue with IKE Quick mode deriving incorrect key values under certain conditions. * bmo#1684300 - Fix default PBE iteration count when NSS is compiled with NSS_DISABLE_DBM. * bmo#1651411 - Improve constant-timeness in RSA operations. * bmo#1677207 - Upgrade Google Test version to latest release. * bmo#1654332 - Add aarch64-make target to nss-try. Update to NSS 3.60.1: Notable changes in NSS 3.60: * TLS 1.3 Encrypted Client Hello (draft-ietf-tls-esni-08) support has been added, replacing the previous ESNI (draft-ietf-tls-esni-01) implementation. See bmo#1654332 for more information. * December 2020 batch of Root CA changes, builtins library updated to version 2.46. See bmo#1678189, bmo#1678166, and bmo#1670769 for more information. Update to NSS 3.59.1: * bmo#1679290 - Fix potential deadlock with certain third-party PKCS11 modules Update to NSS 3.59: Notable changes: * Exported two existing functions from libnss: CERT_AddCertToListHeadWithData and CERT_AddCertToListTailWithData Bugfixes * bmo#1607449 - Lock cert->nssCertificate to prevent a potential data race * bmo#1672823 - Add Wycheproof test cases for HMAC, HKDF, and DSA * bmo#1663661 - Guard against NULL token in nssSlot_IsTokenPresent * bmo#1670835 - Support enabling and disabling signatures via Crypto Policy * bmo#1672291 - Resolve libpkix OCSP failures on SHA1 self-signed root certs when SHA1 signatures are disabled. * bmo#1644209 - Fix broken SelectedCipherSuiteReplacer filter to solve some test intermittents * bmo#1672703 - Tolerate the first CCS in TLS 1.3 to fix a regression in our CVE-2020-25648 fix that broke purple-discord (boo#1179382) * bmo#1666891 - Support key wrap/unwrap with RSA-OAEP * bmo#1667989 - Fix gyp linking on Solaris * bmo#1668123 - Export CERT_AddCertToListHeadWithData and CERT_AddCertToListTailWithData from libnss * bmo#1634584 - Set CKA_NSS_SERVER_DISTRUST_AFTER for Trustis FPS Root CA * bmo#1663091 - Remove unnecessary assertions in the streaming ASN.1 decoder that affected decoding certain PKCS8 private keys when using NSS debug builds * bmo#670839 - Use ARM crypto extension for AES, SHA1 and SHA2 on MacOS. update to NSS 3.58 Bugs fixed: * bmo#1641480 (CVE-2020-25648) Tighten CCS handling for middlebox compatibility mode. * bmo#1631890 - Add support for Hybrid Public Key Encryption (draft-irtf-cfrg-hpke) support for TLS Encrypted Client Hello (draft-ietf-tls-esni). * bmo#1657255 - Add CI tests that disable SHA1/SHA2 ARM crypto extensions. * bmo#1668328 - Handle spaces in the Python path name when using gyp on Windows. * bmo#1667153 - Add PK11_ImportDataKey for data object import. * bmo#1665715 - Pass the embedded SCT list extension (if present) to TrustDomain::CheckRevocation instead of the notBefore value. update to NSS 3.57 * The following CA certificates were Added: bmo#1663049 - CN=Trustwave Global Certification Authority SHA-256 Fingerprint: 97552015F5DDFC3C8788C006944555408894450084F100867086BC1A2BB58DC8 bmo#1663049 - CN=Trustwave Global ECC P256 Certification Authority SHA-256 Fingerprint: 945BBC825EA554F489D1FD51A73DDF2EA624AC7019A05205225C22A78CCFA8B4 bmo#1663049 - CN=Trustwave Global ECC P384 Certification Authority SHA-256 Fingerprint: 55903859C8C0C3EBB8759ECE4E2557225FF5758BBD38EBD48276601E1BD58097 * The following CA certificates were Removed: bmo#1651211 - CN=EE Certification Centre Root CA SHA-256 Fingerprint: 3E84BA4342908516E77573C0992F0979CA084E4685681FF195CCBA8A229B8A76 bmo#1656077 - O=Government Root Certification Authority; C=TW SHA-256 Fingerprint: 7600295EEFE85B9E1FD624DB76062AAAAE59818A54D2774CD4C0B2C01131E1B3 * Trust settings for the following CA certificates were Modified: bmo#1653092 - CN=OISTE WISeKey Global Root GA CA Websites (server authentication) trust bit removed. * https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.57_release_notes update to NSS 3.56 Notable changes * bmo#1650702 - Support SHA-1 HW acceleration on ARMv8 * bmo#1656981 - Use MPI comba and mulq optimizations on x86-64 MacOS. * bmo#1654142 - Add CPU feature detection for Intel SHA extension. * bmo#1648822 - Add stricter validation of DH keys in FIPS mode. * bmo#1656986 - Properly detect arm64 during GYP build architecture detection. * bmo#1652729 - Add build flag to disable RC2 and relocate to lib/freebl/deprecated. * bmo#1656429 - Correct RTT estimate used in 0-RTT anti-replay. * bmo#1588941 - Send empty certificate message when scheme selection fails. * bmo#1652032 - Fix failure to build in Windows arm64 makefile cross-compilation. * bmo#1625791 - Fix deadlock issue in nssSlot_IsTokenPresent. * bmo#1653975 - Fix 3.53 regression by setting 'all' as the default makefile target. * bmo#1659792 - Fix broken libpkix tests with unexpired PayPal cert. * bmo#1659814 - Fix interop.sh failures with newer tls-interop commit and dependencies. * bmo#1656519 - NSPR dependency updated to 4.28 update to NSS 3.55 Notable changes * P384 and P521 elliptic curve implementations are replaced with verifiable implementations from Fiat-Crypto [0] and ECCKiila [1]. * PK11_FindCertInSlot is added. With this function, a given slot can be queried with a DER-Encoded certificate, providing performance and usability improvements over other mechanisms. (bmo#1649633) * DTLS 1.3 implementation is updated to draft-38. (bmo#1647752) Relevant Bugfixes * bmo#1631583 (CVE-2020-6829, CVE-2020-12400) - Replace P384 and P521 with new, verifiable implementations from Fiat-Crypto and ECCKiila. * bmo#1649487 - Move overzealous assertion in VFY_EndWithSignature. * bmo#1631573 (CVE-2020-12401) - Remove unnecessary scalar padding. * bmo#1636771 (CVE-2020-12403) - Explicitly disable multi-part ChaCha20 (which was not functioning correctly) and more strictly enforce tag length. * bmo#1649648 - Don't memcpy zero bytes (sanitizer fix). * bmo#1649316 - Don't memcpy zero bytes (sanitizer fix). * bmo#1649322 - Don't memcpy zero bytes (sanitizer fix). * bmo#1653202 - Fix initialization bug in blapitest when compiled with NSS_DISABLE_DEPRECATED_SEED. * bmo#1646594 - Fix AVX2 detection in makefile builds. * bmo#1649633 - Add PK11_FindCertInSlot to search a given slot for a DER-encoded certificate. * bmo#1651520 - Fix slotLock race in NSC_GetTokenInfo. * bmo#1647752 - Update DTLS 1.3 implementation to draft-38. * bmo#1649190 - Run cipher, sdr, and ocsp tests under standard test cycle in CI. * bmo#1649226 - Add Wycheproof ECDSA tests. * bmo#1637222 - Consistently enforce IV requirements for DES and 3DES. * bmo#1067214 - Enforce minimum PKCS#1 v1.5 padding length in RSA_CheckSignRecover. * bmo#1646324 - Advertise PKCS#1 schemes for certificates in the signature_algorithms extension. update to NSS 3.54 Notable changes * Support for TLS 1.3 external pre-shared keys (bmo#1603042). * Use ARM Cryptography Extension for SHA256, when available (bmo#1528113) * The following CA certificates were Added: bmo#1645186 - certSIGN Root CA G2. bmo#1645174 - e-Szigno Root CA 2017. bmo#1641716 - Microsoft ECC Root Certificate Authority 2017. bmo#1641716 - Microsoft RSA Root Certificate Authority 2017. * The following CA certificates were Removed: bmo#1645199 - AddTrust Class 1 CA Root. bmo#1645199 - AddTrust External CA Root. bmo#1641718 - LuxTrust Global Root 2. bmo#1639987 - Staat der Nederlanden Root CA - G2. bmo#1618402 - Symantec Class 2 Public Primary Certification Authority - G4. bmo#1618402 - Symantec Class 1 Public Primary Certification Authority - G4. bmo#1618402 - VeriSign Class 3 Public Primary Certification Authority - G3. * A number of certificates had their Email trust bit disabled. See bmo#1618402 for a complete list. Bugs fixed * bmo#1528113 - Use ARM Cryptography Extension for SHA256. * bmo#1603042 - Add TLS 1.3 external PSK support. * bmo#1642802 - Add uint128 support for HACL* curve25519 on Windows. * bmo#1645186 - Add 'certSIGN Root CA G2' root certificate. * bmo#1645174 - Add Microsec's 'e-Szigno Root CA 2017' root certificate. * bmo#1641716 - Add Microsoft's non-EV root certificates. * bmo1621151 - Disable email trust bit for 'O=Government Root Certification Authority; C=TW' root. * bmo#1645199 - Remove AddTrust root certificates. * bmo#1641718 - Remove 'LuxTrust Global Root 2' root certificate. * bmo#1639987 - Remove 'Staat der Nederlanden Root CA - G2' root certificate. * bmo#1618402 - Remove Symantec root certificates and disable email trust bit. * bmo#1640516 - NSS 3.54 should depend on NSPR 4.26. * bmo#1642146 - Fix undefined reference to `PORT_ZAlloc_stub' in seed.c. * bmo#1642153 - Fix infinite recursion building NSS. * bmo#1642638 - Fix fuzzing assertion crash. * bmo#1642871 - Enable SSL_SendSessionTicket after resumption. * bmo#1643123 - Support SSL_ExportEarlyKeyingMaterial with External PSKs. * bmo#1643557 - Fix numerous compile warnings in NSS. * bmo#1644774 - SSL gtests to use ClearServerCache when resetting self-encrypt keys. * bmo#1645479 - Don't use SECITEM_MakeItem in secutil.c. * bmo#1646520 - Stricter enforcement of ASN.1 INTEGER encoding. ----------------------------------------- Version Build5.8.72-4-Build5.8.72 2021-09-23T07:44:41 ----------------------------------------- Patch: SUSE-2021-3182 Released: Tue Sep 21 17:04:26 2021 Summary: Recommended update for file Severity: moderate References: 1189996 Description: This update for file fixes the following issues: - Fixes exception thrown by memory allocation problem (bsc#1189996) ----------------------------------------- Version Build5.8.78-4-Build5.8.78 2021-10-09T10:13:37 ----------------------------------------- Patch: SUSE-2021-3298 Released: Wed Oct 6 16:54:52 2021 Summary: Security update for curl Severity: moderate References: 1190373,1190374,CVE-2021-22946,CVE-2021-22947 Description: This update for curl fixes the following issues: - CVE-2021-22947: Fixed STARTTLS protocol injection via MITM (bsc#1190374). - CVE-2021-22946: Fixed protocol downgrade required TLS bypassed (bsc#1190373). ----------------------------------------- Version Build5.8.79-4-Build5.8.79 2021-10-13T08:25:20 ----------------------------------------- Patch: SUSE-2021-3348 Released: Tue Oct 12 13:08:06 2021 Summary: Security update for systemd Severity: moderate References: 1134353,1171962,1184994,1188018,1188063,1188291,1188713,1189480,1190234,CVE-2021-33910 Description: This update for systemd fixes the following issues: - CVE-2021-33910: Fixed use of strdupa() on a path (bsc#1188063). - logind: terminate cleanly on SIGTERM/SIGINT (bsc#1188018). - Adopting BFQ to control I/O (jsc#SLE-21032, bsc#1134353). - Rules weren't applied to dm devices (multipath) (bsc#1188713). - Ignore obsolete 'elevator' kernel parameter (bsc#1184994, bsc#1190234). - Make sure the versions of both udev and systemd packages are always the same (bsc#1189480). - Avoid error message when udev is updated due to udev being already active when the sockets are started again (bsc#1188291). - Allow the systemd sysusers config files to be overriden during system installation (bsc#1171962). ----------------------------------------- Patch: SUSE-2021-3385 Released: Tue Oct 12 15:54:31 2021 Summary: Security update for glibc Severity: moderate References: 1186489,1187911,CVE-2021-33574,CVE-2021-35942 Description: This update for glibc fixes the following issues: - CVE-2021-35942: wordexp: handle overflow in positional parameter number (bsc#1187911) - CVE-2021-33574: Use __pthread_attr_copy in mq_notify (bsc#1186489) ----------------------------------------- Version Build5.8.82-4-Build5.8.82 2021-10-16T08:25:37 ----------------------------------------- Patch: SUSE-2021-3444 Released: Fri Oct 15 09:03:07 2021 Summary: Security update for rpm Severity: important References: 1179416,1183543,1183545,1183632,1183659,1185299,1187670,1188548,CVE-2021-20266,CVE-2021-20271,CVE-2021-3421 Description: This update for rpm fixes the following issues: Security issues fixed: - CVE-2021-3421, CVE-2021-20271, CVE-2021-20266: Multiple header check improvements (bsc#1183543, bsc#1183545, bsc#1183632) - PGP hardening changes (bsc#1185299) - Fixed potential access of freed mem in ndb's glue code (bsc#1179416) Maintaince issues fixed: - Fixed zstd detection (bsc#1187670) - Added ndb rofs support (bsc#1188548) - Fixed deadlock when multiple rpm processes try tp acquire the database lock (bsc#1183659) ----------------------------------------- Version Build5.8.85-4-Build5.8.85 2021-10-19T08:24:13 ----------------------------------------- Patch: SUSE-2021-3454 Released: Mon Oct 18 09:29:26 2021 Summary: Security update for krb5 Severity: moderate References: 1189929,CVE-2021-37750 Description: This update for krb5 fixes the following issues: - CVE-2021-37750: Fixed KDC null pointer dereference via a FAST inner body that lacks a server field (bsc#1189929). ----------------------------------------- Version Build5.8.89-4-Build5.8.89 2021-10-21T08:31:48 ----------------------------------------- Patch: SUSE-2021-3480 Released: Wed Oct 20 11:24:10 2021 Summary: Recommended update for yast2-network Severity: moderate References: 1185016,1185524,1186910,1187270,1187512,1188344,1190645,1190739,1190915,1190933 Description: This update for yast2-network fixes the following issues: - Don't crash when the interfaces table contains a not configured one (bnc#1190645, bsc#1190915). - Fix the shown description using the interface friendly name when it is empty (bsc#1190933). - Consider aliases sections as case insensitive (bsc#1190739). - Display user defined device name in the devices overview (bnc#1190645). - Don't crash when defined aliases in AutoYaST profile are not defined as a map (bsc#1188344). - Support 'boot' and 'on' as aliases for the 'auto' startmode (bsc#1186910). - Fix desktop file so the control center tooltip is translated (bsc#1187270). - Use the linuxrc proxy settings for the HTTPS and FTP proxies (bsc#1185016). - Don't crash at the end of installation when storing wifi configuration for NetworkManager (bsc#1185524, bsc#1187512). ----------------------------------------- Patch: SUSE-2021-3490 Released: Wed Oct 20 16:31:55 2021 Summary: Security update for ncurses Severity: moderate References: 1190793,CVE-2021-39537 Description: This update for ncurses fixes the following issues: - CVE-2021-39537: Fixed an heap-based buffer overflow in _nc_captoinfo. (bsc#1190793) ----------------------------------------- Patch: SUSE-2021-3494 Released: Wed Oct 20 16:48:46 2021 Summary: Recommended update for pam Severity: moderate References: 1190052 Description: This update for pam fixes the following issues: - Added pam_faillock to the set of available PAM modules. (jsc#SLE-20638) - Added new file macros.pam on request of systemd. (bsc#1190052) ----------------------------------------- Version Build5.8.91-4-Build5.8.91 2021-10-23T08:25:56 ----------------------------------------- Patch: SUSE-2020-3026 Released: Fri Oct 23 15:35:49 2020 Summary: Optional update for the Public Cloud Module Severity: moderate References: Description: This update adds the Google Cloud Storage packages to the Public Cloud module (jsc#ECO-2398). The following packages were included: - python3-grpcio - python3-protobuf - python3-google-api-core - python3-google-cloud-core - python3-google-cloud-storage - python3-google-resumable-media - python3-googleapis-common-protos - python3-grpcio-gcp - python3-mock (updated to version 3.0.5) ----------------------------------------- Patch: SUSE-2021-294 Released: Wed Feb 3 12:54:28 2021 Summary: Recommended update for libprotobuf Severity: moderate References: Description: libprotobuf was updated to fix: - ship the libprotobuf-lite15 on the basesystem module and the INSTALLER channel. (jsc#ECO-2911) ----------------------------------------- Patch: SUSE-2021-3501 Released: Fri Oct 22 10:42:46 2021 Summary: Recommended update for libzypp, zypper, libsolv, protobuf Severity: moderate References: 1186503,1186602,1187224,1187425,1187466,1187738,1187760,1188156,1188435,1189031,1190059,1190199,1190465,1190712,1190815 Description: This update for libzypp, zypper, libsolv and protobuf fixes the following issues: - Choice rules: treat orphaned packages as newest (bsc#1190465) - Avoid calling 'su' to detect a too restrictive sudo user umask (bsc#1186602) - Do not check of signatures and keys two times(redundant) (bsc#1190059) - Rephrase vendor conflict message in case 2 packages are involved (bsc#1187760) - Show key fpr from signature when signature check fails (bsc#1187224) - Fix solver jobs for PTFs (bsc#1186503) - Fix purge-kernels fails (bsc#1187738) - Fix obs:// platform guessing for Leap (bsc#1187425) - Make sure to keep states alives while transitioning. (bsc#1190199) - Manpage: Improve description about patch updates(bsc#1187466) - Manpage: Recommend the needs-rebooting command to test whether a system reboot is suggested. - Fix kernel-*-livepatch removal in purge-kernels. (bsc#1190815) - Fix crashes in logging code when shutting down (bsc#1189031) - Do not download full files even if the checkExistsOnly flag is set. (bsc#1190712) - Add need reboot/restart hint to XML install summary (bsc#1188435) - Prompt: choose exact match if prompt options are not prefix free (bsc#1188156) - Include libprotobuf-lite20 in products to enable parallel downloads. (jsc#ECO-2911, jsc#SLE-16862) ----------------------------------------- Version Build5.8.96-4-Build5.8.96 2021-10-27T08:23:29 ----------------------------------------- Patch: SUSE-2021-3510 Released: Tue Oct 26 11:22:15 2021 Summary: Recommended update for pam Severity: important References: 1191987 Description: This update for pam fixes the following issues: - Fixed a bad directive file which resulted in the 'securetty' file to be installed as 'macros.pam'. (bsc#1191987) ----------------------------------------- Patch: SUSE-2021-3523 Released: Tue Oct 26 15:40:13 2021 Summary: Security update for util-linux Severity: moderate References: 1122417,1125886,1178236,1188921,CVE-2021-37600 Description: This update for util-linux fixes the following issues: Update to version 2.33.2 to provide seamless update from SLE12 SP5 to SLE15 SP2: - CVE-2021-37600: Fixed an integer overflow which could lead to a buffer overflow in get_sem_elements() in sys-utils/ipcutils.c (bsc#1188921). - agetty: Fix 8-bit processing in get_logname() (bsc#1125886). - mount: Fix 'mount' output for net file systems (bsc#1122417). - ipcs: Avoid overflows (bsc#1178236) ----------------------------------------- Version Build5.8.99-4-Build5.8.99 2021-10-28T08:25:01 ----------------------------------------- Patch: SUSE-2021-3529 Released: Wed Oct 27 09:23:32 2021 Summary: Security update for pcre Severity: moderate References: 1172973,1172974,CVE-2019-20838,CVE-2020-14155 Description: This update for pcre fixes the following issues: Update pcre to version 8.45: - CVE-2020-14155: Fixed integer overflow via a large number after a '(?C' substring (bsc#1172974). - CVE-2019-20838: Fixed buffer over-read in JIT compiler (bsc#1172973) ----------------------------------------- Version Build5.8.114-4-Build5.8.114 2021-11-25T08:24:35 ----------------------------------------- Patch: SUSE-2021-3799 Released: Wed Nov 24 18:07:54 2021 Summary: Recommended update for gcc11 Severity: moderate References: 1187153,1187273,1188623 Description: This update for gcc11 fixes the following issues: The additional GNU compiler collection GCC 11 is provided: To select these compilers install the packages: - gcc11 - gcc-c++11 - and others with 11 prefix. to select them for building: - CC='gcc-11' - CXX='g++-11' The compiler baselibraries (libgcc_s1, libstdc++6 and others) are being replaced by the GCC 11 variants. ----------------------------------------- Version Build5.8.116-4-Build5.8.116 2021-11-26T08:24:17 ----------------------------------------- Patch: SUSE-2021-3809 Released: Fri Nov 26 00:31:59 2021 Summary: Recommended update for systemd Severity: moderate References: 1189803,1190325,1190440,1190984,1191252,1192161 Description: This update for systemd fixes the following issues: - Add timestamp to D-Bus events to improve traceability (jsc#SLE-21862, jsc#SLE-18102, jsc#SLE-18103) - Fix IO scheduler udev rules to address performance issues (jsc#SLE-21032, bsc#1192161) - shutdown: Reduce log level of unmounts (bsc#1191252) - pid1: make use of new 'prohibit_ipc' logging flag in PID 1 (bsc#1189803) - core: rework how we connect to the bus (bsc#1190325) - mount-util: fix fd_is_mount_point() when both the parent and directory are network fs (bsc#1190984) - virt: detect Amazon EC2 Nitro instance (bsc#1190440) - Several fixes for umount - busctl: use usec granularity for the timestamp printed by the busctl monitor command - fix unitialized fields in MountPoint in dm_list_get() - shutdown: explicitly set a log target - mount-util: add mount_option_mangle() - dissect: automatically mark partitions read-only that have a read-only file system - build-sys: require proper libmount version - systemd-shutdown: use log_set_prohibit_ipc(true) - rationalize interface for opening/closing logging - pid1: when we can't log to journal, remember our fallback log target - log: remove LOG_TARGET_SAFE pseudo log target - log: add brief comment for log_set_open_when_needed() and log_set_always_reopen_console() - log: add new 'prohibit_ipc' flag to logging system - log: make log_set_upgrade_syslog_to_journal() take effect immediately - dbus: split up bus_done() into seperate functions - machine-id-setup: generate machine-id from DMI product ID on Amazon EC2 - virt: if we detect Xen by DMI, trust that over CPUID ----------------------------------------- Version Build5.8.121-4-Build5.8.121 2021-12-02T08:24:36 ----------------------------------------- Patch: SUSE-2021-3830 Released: Wed Dec 1 13:45:46 2021 Summary: Security update for glibc Severity: moderate References: 1027496,1183085,CVE-2016-10228 Description: This update for glibc fixes the following issues: - libio: do not attempt to free wide buffers of legacy streams (bsc#1183085) - CVE-2016-10228: Rewrite iconv option parsing to fix security issue (bsc#1027496) ----------------------------------------- Patch: SUSE-2021-3870 Released: Thu Dec 2 07:11:50 2021 Summary: Recommended update for libzypp, zypper Severity: moderate References: 1190356,1191286,1191324,1191370,1191609,1192337,1192436 Description: This update for libzypp, zypper fixes the following issues: libzypp: - Check log writer before accessing it (bsc#1192337) - Zypper should keep cached files if transaction is aborted (bsc#1190356) - Require a minimum number of mirrors for multicurl (bsc#1191609) - Fixed slowdowns when rlimit is too high by using procfs to detect niumber of open file descriptors (bsc#1191324) - Fixed zypper incomplete messages when using non English localization (bsc#1191370) - RepoManager: Don't probe for plaindir repository if the URL schema is a plugin (bsc#1191286) - Disable logger in the child process after fork (bsc#1192436) zypper: - Fixed Zypper removing a kernel explicitely pinned that uses uname -r output format as name (openSUSE/zypper#418) ----------------------------------------- Patch: SUSE-2021-3872 Released: Thu Dec 2 07:25:55 2021 Summary: Recommended update for cracklib Severity: moderate References: 1191736 Description: This update for cracklib fixes the following issues: - Enable build time tests (bsc#1191736) ----------------------------------------- Version Build5.8.125-4-Build5.8.125 2021-12-05T08:22:29 ----------------------------------------- Patch: SUSE-2021-3883 Released: Thu Dec 2 11:47:07 2021 Summary: Recommended update for timezone Severity: moderate References: 1177460 Description: This update for timezone fixes the following issues: Update timezone to 2021e (bsc#1177460) - Palestine will fall back 10-29 (not 10-30) at 01:00 - Fiji suspends DST for the 2021/2022 season - 'zic -r' marks unspecified timestamps with '-00' - Fix a bug in 'zic -b fat' that caused old timestamps to be mishandled in 32-bit-only readers - Refresh timezone info for china ----------------------------------------- Patch: SUSE-2021-3891 Released: Fri Dec 3 10:21:49 2021 Summary: Recommended update for keyutils Severity: moderate References: 1029961,1113013,1187654 Description: This update for keyutils fixes the following issues: - Add /etc/keys/ and /usr/etc/keys/ directory (bsc#1187654) keyutils was updated to 1.6.3 (jsc#SLE-20016): * Revert the change notifications that were using /dev/watch_queue. * Apply the change notifications that use pipe2(O_NOTIFICATION_PIPE). * Allow 'keyctl supports' to retrieve raw capability data. * Allow 'keyctl id' to turn a symbolic key ID into a numeric ID. * Allow 'keyctl new_session' to name the keyring. * Allow 'keyctl add/padd/etc.' to take hex-encoded data. * Add 'keyctl watch*' to expose kernel change notifications on keys. * Add caps for namespacing and notifications. * Set a default TTL on keys that upcall for name resolution. * Explicitly clear memory after it's held sensitive information. * Various manual page fixes. * Fix C++-related errors. * Add support for keyctl_move(). * Add support for keyctl_capabilities(). * Make key=val list optional for various public-key ops. * Fix system call signature for KEYCTL_PKEY_QUERY. * Fix 'keyctl pkey_query' argument passing. * Use keyctl_read_alloc() in dump_key_tree_aux(). * Various manual page fixes. Updated to 1.6: * Apply various specfile cleanups from Fedora. * request-key: Provide a command line option to suppress helper execution. * request-key: Find least-wildcard match rather than first match. * Remove the dependency on MIT Kerberos. * Fix some error messages * keyctl_dh_compute.3: Suggest /proc/crypto for list of available hashes. * Fix doc and comment typos. * Add public key ops for encrypt, decrypt, sign and verify (needs linux-4.20). * Add pkg-config support for finding libkeyutils. * upstream isn't offering PGP signatures for the source tarballs anymore Updated to 1.5.11 (bsc#1113013) * Add keyring restriction support. * Add KDF support to the Diffie-Helman function. * DNS: Add support for AFS config files and SRV records ----------------------------------------- Patch: SUSE-2021-3899 Released: Fri Dec 3 11:27:41 2021 Summary: Security update for aaa_base Severity: moderate References: 1162581,1174504,1191563,1192248 Description: This update for aaa_base fixes the following issues: - Allowed ping and ICMP commands without CAP_NET_RAW (bsc#1174504). - Add $HOME/.local/bin to PATH, if it exists (bsc#1192248). - Fixed get_kernel_version.c to work also for recent kernels on the s390/X platform (bsc#1191563). - Support xz compressed kernel (bsc#1162581) ----------------------------------------- Version Build5.8.128-4-Build5.8.128 2021-12-07T08:23:54 ----------------------------------------- Patch: SUSE-2021-3934 Released: Mon Dec 6 13:22:27 2021 Summary: Security update for mozilla-nss Severity: important References: 1193170,CVE-2021-43527 Description: This update for mozilla-nss fixes the following issues: Update to version 3.68.1: - CVE-2021-43527: Fixed a Heap overflow in NSS when verifying DER-encoded DSA or RSA-PSS signatures (bsc#1193170). ----------------------------------------- Patch: SUSE-2021-3946 Released: Mon Dec 6 14:57:42 2021 Summary: Security update for gmp Severity: moderate References: 1192717,CVE-2021-43618 Description: This update for gmp fixes the following issues: - CVE-2021-43618: Fixed buffer overflow via crafted input in mpz/inp_raw.c (bsc#1192717). ----------------------------------------- Version Build5.8.135-4-Build5.8.135 2021-12-14T08:28:26 ----------------------------------------- Patch: SUSE-2021-4015 Released: Mon Dec 13 17:16:00 2021 Summary: Security update for python3 Severity: moderate References: 1180125,1183374,1183858,1185588,1187338,1187668,1189241,1189287,CVE-2021-3426,CVE-2021-3733,CVE-2021-3737 Description: This update for python3 fixes the following issues: - CVE-2021-3737: Fixed http client infinite line reading (DoS) after a http 100. (bsc#1189241) - CVE-2021-3733: Fixed ReDoS in urllib.request. (bsc#1189287) - CVE-2021-3426: Fixed an information disclosure via pydoc. (bsc#1183374) - Rebuild to get new headers, avoid building in support for stropts.h (bsc#1187338). ----------------------------------------- Version Build5.8.140-4-Build5.8.140 2021-12-22T08:28:39 ----------------------------------------- Patch: SUSE-2021-4139 Released: Tue Dec 21 17:02:44 2021 Summary: Recommended update for systemd Severity: critical References: 1193481,1193521 Description: This update for systemd fixes the following issues: - Revert 'core: rework how we connect to the bus' (bsc#1193521 bsc#1193481) sleep-config: partitions can't be deleted, only files can shared/sleep-config: exclude zram devices from hibernation candidates ----------------------------------------- Patch: SUSE-2021-4145 Released: Wed Dec 22 05:27:48 2021 Summary: Recommended update for openssl-1_1 Severity: moderate References: 1161276 Description: This update for openssl-1_1 fixes the following issues: - Remove previously applied patch because it interferes with FIPS validation (bsc#1161276) ----------------------------------------- Version Build5.8.142-4-Build5.8.142 2021-12-26T08:28:05 ----------------------------------------- Patch: SUSE-2021-4154 Released: Wed Dec 22 11:02:38 2021 Summary: Security update for p11-kit Severity: important References: 1180064,1187993,CVE-2020-29361 Description: This update for p11-kit fixes the following issues: - CVE-2020-29361: Fixed multiple integer overflows in rpc code (bsc#1180064) - Add support for CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER (bsc#1187993). ----------------------------------------- Patch: SUSE-2021-4182 Released: Thu Dec 23 11:51:51 2021 Summary: Recommended update for zlib Severity: moderate References: 1192688 Description: This update for zlib fixes the following issues: - Fix hardware compression incorrect result on z15 hardware (bsc#1192688) ----------------------------------------- Version Build5.8.144-4-Build5.8.144 2021-12-29T08:29:55 ----------------------------------------- Patch: SUSE-2021-4192 Released: Tue Dec 28 10:39:50 2021 Summary: Security update for permissions Severity: moderate References: 1174504 Description: This update for permissions fixes the following issues: - Update to version 20181225: * drop ping capabilities in favor of ICMP_PROTO sockets (bsc#1174504) ----------------------------------------- Version Build5.8.150-4-Build5.8.150 2022-01-04T08:21:51 ----------------------------------------- Patch: SUSE-2022-4 Released: Mon Jan 3 08:28:54 2022 Summary: Recommended update for libgcrypt Severity: moderate References: 1193480 Description: This update for libgcrypt fixes the following issues: - Fix function gcry_mpi_sub_ui subtracting from negative value (bsc#1193480) ----------------------------------------- Version Build5.8.155-4-Build5.8.155 2022-01-14T08:23:01 ----------------------------------------- Patch: SUSE-2022-72 Released: Thu Jan 13 16:13:36 2022 Summary: Recommended update for mozilla-nss and MozillaFirefox Severity: important References: 1193845 Description: This update for mozilla-nss and MozillaFirefox fix the following issues: mozilla-nss: - Update from version 3.68.1 to 3.68.2 (bsc#1193845) - Add SHA-2 support to mozilla::pkix's Online Certificate Status Protocol implementation MozillaFirefox: - Firefox Extended Support Release 91.4.1 ESR (bsc#1193845) - Add SHA-2 support to mozilla::pkix's Online Certificate Status Protocol implementation to fix frequent MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING error messages when trying to connect to various microsoft.com domains ----------------------------------------- Version Build5.8.158-4-Build5.8.158 2022-01-18T08:23:00 ----------------------------------------- Patch: SUSE-2022-93 Released: Tue Jan 18 05:11:58 2022 Summary: Recommended update for openssl-1_1 Severity: important References: 1192489 Description: This update for openssl-1_1 fixes the following issues: - Add RSA_get0_pss_params() accessor that is used by nodejs16 and provide openssl-has-RSA_get0_pss_params (bsc#1192489) ----------------------------------------- Patch: SUSE-2022-94 Released: Tue Jan 18 05:13:24 2022 Summary: Recommended update for rpm Severity: important References: 1180125,1193711 Description: This update for rpm fixes the following issues: - Add explicit requirement on python-rpm-macros (bsc#1180125, bsc#1193711) ----------------------------------------- Version Build5.8.160-4-Build5.8.160 2022-01-20T16:32:47 ----------------------------------------- Patch: SUSE-2022-141 Released: Thu Jan 20 13:47:16 2022 Summary: Security update for permissions Severity: moderate References: 1169614 Description: This update for permissions fixes the following issues: - Update to version 20181225: setuid bit for cockpit session binary (bsc#1169614). ----------------------------------------- Version Build5.8.168-4-Build5.8.168 2022-01-26T12:25:01 ----------------------------------------- Patch: SUSE-2022-178 Released: Tue Jan 25 14:16:23 2022 Summary: Security update for expat Severity: important References: 1194251,1194362,1194474,1194476,1194477,1194478,1194479,1194480,CVE-2021-45960,CVE-2021-46143,CVE-2022-22822,CVE-2022-22823,CVE-2022-22824,CVE-2022-22825,CVE-2022-22826,CVE-2022-22827 Description: This update for expat fixes the following issues: - CVE-2021-45960: Fixed left shift in the storeAtts function in xmlparse.c that can lead to realloc misbehavior (bsc#1194251). - CVE-2021-46143: Fixed integer overflow in m_groupSize in doProlog (bsc#1194362). - CVE-2022-22822: Fixed integer overflow in addBinding in xmlparse.c (bsc#1194474). - CVE-2022-22823: Fixed integer overflow in build_model in xmlparse.c (bsc#1194476). - CVE-2022-22824: Fixed integer overflow in defineAttribute in xmlparse.c (bsc#1194477). - CVE-2022-22825: Fixed integer overflow in lookup in xmlparse.c (bsc#1194478). - CVE-2022-22826: Fixed integer overflow in nextScaffoldPart in xmlparse.c (bsc#1194479). - CVE-2022-22827: Fixed integer overflow in storeAtts in xmlparse.c (bsc#1194480). ----------------------------------------- Version Build5.8.173-4-Build5.8.173 2022-02-01T08:23:29 ----------------------------------------- Patch: SUSE-2022-228 Released: Mon Jan 31 06:07:52 2022 Summary: Recommended update for boost Severity: moderate References: 1194522 Description: This update for boost fixes the following issues: - Fix compilation errors (bsc#1194522) ----------------------------------------- Version Build5.8.179-4-Build5.8.179 2022-02-09T08:26:01 ----------------------------------------- Patch: SUSE-2022-348 Released: Tue Feb 8 13:02:20 2022 Summary: Recommended update for libzypp Severity: important References: 1193007,1193488,1194597,1194898,954813 Description: This update for libzypp fixes the following issues: - RepoManager: remember execution errors in exception history (bsc#1193007) - Fix exception handling when reading or writing credentials (bsc#1194898) - Fix install path for parser (bsc#1194597) - Fix Legacy include (bsc#1194597) - Public header files on older distros must use c++11 (bsc#1194597) - Use the default zypp.conf settings if no zypp.conf exists (bsc#1193488) - Fix wrong encoding of URI compontents of ISO images (bsc#954813) - When invoking 32bit mode in userland of an aarch64 kernel, handle armv8l as armv7hl compatible - Introduce zypp-curl as a sublibrary for CURL related code - zypp-rpm: Increase rpm loglevel if ZYPP_RPM_DEBUG is set - Save all signatures associated with a public key in its PublicKeyData ----------------------------------------- Version Build5.8.182-4-Build5.8.182 2022-02-21T08:23:26 ----------------------------------------- Patch: SUSE-2022-498 Released: Fri Feb 18 10:46:56 2022 Summary: Security update for expat Severity: important References: 1195054,1195217,CVE-2022-23852,CVE-2022-23990 Description: This update for expat fixes the following issues: - CVE-2022-23852: Fixed signed integer overflow in XML_GetBuffer (bsc#1195054). - CVE-2022-23990: Fixed integer overflow in the doProlog function (bsc#1195217). ----------------------------------------- Patch: SUSE-2022-511 Released: Fri Feb 18 12:41:53 2022 Summary: Recommended update for coreutils Severity: moderate References: 1082318,1189152 Description: This update for coreutils fixes the following issues: - Add 'fuse.portal' as a dummy file system (used in flatpak implementations) (bsc#1189152). - Properly sort docs and license files (bsc#1082318). ----------------------------------------- Patch: SUSE-2022-523 Released: Fri Feb 18 12:49:09 2022 Summary: Recommended update for systemd Severity: moderate References: 1193759,1193841 Description: This update for systemd fixes the following issues: - systemctl: exit with 1 if no unit files found (bsc#1193841). - add rules for virtual devices (bsc#1193759). - enforce 'none' for loop devices (bsc#1193759). ----------------------------------------- Version Build5.8.200-4-Build5.8.200 2022-03-06T08:24:13 ----------------------------------------- Patch: SUSE-2022-674 Released: Wed Mar 2 13:24:38 2022 Summary: Recommended update for yast2-network Severity: moderate References: 1187512 Description: This update for yast2-network fixes the following issues: - Don't crash at the end of installation when storing wifi configuration for NetworkManager. (bsc#1187512) ----------------------------------------- Patch: SUSE-2022-692 Released: Thu Mar 3 15:46:47 2022 Summary: Recommended update for filesystem Severity: moderate References: 1190447 Description: This update for filesystem fixes the following issues: - Release ported filesystem to LTSS channels (bsc#1190447). ----------------------------------------- Patch: SUSE-2022-702 Released: Thu Mar 3 18:22:59 2022 Summary: Security update for cyrus-sasl Severity: important References: 1196036,CVE-2022-24407 Description: This update for cyrus-sasl fixes the following issues: - CVE-2022-24407: Fixed SQL injection in sql_auxprop_store in plugins/sql.c (bsc#1196036). ----------------------------------------- Patch: SUSE-2022-713 Released: Fri Mar 4 09:34:17 2022 Summary: Security update for expat Severity: important References: 1196025,1196026,1196168,1196169,1196171,CVE-2022-25235,CVE-2022-25236,CVE-2022-25313,CVE-2022-25314,CVE-2022-25315 Description: This update for expat fixes the following issues: - CVE-2022-25236: Fixed possible namespace-separator characters insertion into namespace URIs (bsc#1196025). - CVE-2022-25235: Fixed UTF-8 character validation in a certain context (bsc#1196026). - CVE-2022-25313: Fixed stack exhaustion in build_model() via uncontrolled recursion (bsc#1196168). - CVE-2022-25314: Fixed integer overflow in copyString (bsc#1196169). - CVE-2022-25315: Fixed integer overflow in storeRawNames (bsc#1196171). ----------------------------------------- Patch: SUSE-2022-717 Released: Fri Mar 4 09:45:20 2022 Summary: Security update for gnutls Severity: moderate References: 1196167,CVE-2021-4209 Description: This update for gnutls fixes the following issues: - CVE-2021-4209: Fixed null pointer dereference in MD_UPDATE (bsc#1196167). ----------------------------------------- Version Build5.8.217-4-Build5.8.217 2022-03-18T16:43:26 ----------------------------------------- Patch: SUSE-2022-787 Released: Thu Mar 10 11:20:13 2022 Summary: Recommended update for openldap2 Severity: moderate References: Description: This update for openldap2 fixes the following issue: - restore CLDAP functionality in CLI tools (jsc#PM-3288) ----------------------------------------- Patch: SUSE-2022-788 Released: Thu Mar 10 11:21:04 2022 Summary: Recommended update for libzypp, zypper Severity: moderate References: 1195326 Description: This update for libzypp, zypper fixes the following issues: - Fix handling of redirected command in-/output (bsc#1195326) This fixes delays at the end of zypper operations, where zypper unintentionally waits for appdata plugin scripts to complete. ----------------------------------------- Patch: SUSE-2022-789 Released: Thu Mar 10 11:22:05 2022 Summary: Recommended update for update-alternatives Severity: moderate References: 1195654 Description: This update for update-alternatives fixes the following issues: - Break bash - update-alternatives cycle rewrite of '%post' in 'lua'. (bsc#1195654) ----------------------------------------- Patch: SUSE-2022-808 Released: Fri Mar 11 06:07:58 2022 Summary: Recommended update for procps Severity: moderate References: 1195468 Description: This update for procps fixes the following issues: - Stop registering signal handler for SIGURG, to avoid `ps` failure if someone sends such signal. Without the signal handler, SIGURG will just be ignored. (bsc#1195468) ----------------------------------------- Patch: SUSE-2022-832 Released: Mon Mar 14 17:27:03 2022 Summary: Security update for glibc Severity: important References: 1193625,1194640,1194768,1194770,1195560,CVE-2015-8985,CVE-2021-3999,CVE-2022-23218,CVE-2022-23219 Description: glibc was updated to fix the following issues: Security issues fixed: - CVE-2022-23219: Fixed Buffer overflow in sunrpc clnt_create for 'unix' (bsc#1194768) - CVE-2022-23218: Buffer overflow in sunrpc svcunix_create (bsc#1194770) - CVE-2021-3999: Fixed getcwd to set errno to ERANGE for size == 1 (bsc#1194640) - CVE-2015-8985: Fixed Assertion failure in pop_fail_stack when executing a malformed regexp (bsc#1193625) Also the following bug was fixed: - Fix pthread_rwlock_try*lock stalls (bsc#1195560) ----------------------------------------- Patch: SUSE-2022-844 Released: Tue Mar 15 11:33:57 2022 Summary: Security update for expat Severity: important References: 1196025,1196784,CVE-2022-25236 Description: This update for expat fixes the following issues: - Fixed a regression caused by the patch for CVE-2022-25236 (bsc#1196784). ----------------------------------------- Patch: SUSE-2022-845 Released: Tue Mar 15 11:40:52 2022 Summary: Security update for chrony Severity: moderate References: 1099272,1115529,1128846,1162964,1172113,1173277,1174075,1174911,1180689,1181826,1187906,1190926,1194229,CVE-2020-14367 Description: This update for chrony fixes the following issues: Chrony was updated to 4.1, bringing features and bugfixes. Update to 4.1 * Add support for NTS servers specified by IP address (matching Subject Alternative Name in server certificate) * Add source-specific configuration of trusted certificates * Allow multiple files and directories with trusted certificates * Allow multiple pairs of server keys and certificates * Add copy option to server/pool directive * Increase PPS lock limit to 40% of pulse interval * Perform source selection immediately after loading dump files * Reload dump files for addresses negotiated by NTS-KE server * Update seccomp filter and add less restrictive level * Restart ongoing name resolution on online command * Fix dump files to not include uncorrected offset * Fix initstepslew to accept time from own NTP clients * Reset NTP address and port when no longer negotiated by NTS-KE server - Ensure the correct pool packages are installed for openSUSE and SLE (bsc#1180689). - Fix pool package dependencies, so that SLE prefers chrony-pool-suse over chrony-pool-empty. (bsc#1194229) - Enable syscallfilter unconditionally [bsc#1181826]. Update to 4.0 - Enhancements - Add support for Network Time Security (NTS) authentication - Add support for AES-CMAC keys (AES128, AES256) with Nettle - Add authselectmode directive to control selection of unauthenticated sources - Add binddevice, bindacqdevice, bindcmddevice directives - Add confdir directive to better support fragmented configuration - Add sourcedir directive and 'reload sources' command to support dynamic NTP sources specified in files - Add clockprecision directive - Add dscp directive to set Differentiated Services Code Point (DSCP) - Add -L option to limit log messages by severity - Add -p option to print whole configuration with included files - Add -U option to allow start under non-root user - Allow maxsamples to be set to 1 for faster update with -q/-Q option - Avoid replacing NTP sources with sources that have unreachable address - Improve pools to repeat name resolution to get 'maxsources' sources - Improve source selection with trusted sources - Improve NTP loop test to prevent synchronisation to itself - Repeat iburst when NTP source is switched from offline state to online - Update clock synchronisation status and leap status more frequently - Update seccomp filter - Add 'add pool' command - Add 'reset sources' command to drop all measurements - Add authdata command to print details about NTP authentication - Add selectdata command to print details about source selection - Add -N option and sourcename command to print original names of sources - Add -a option to some commands to print also unresolved sources - Add -k, -p, -r options to clients command to select, limit, reset data - Bug fixes - Don’t set interface for NTP responses to allow asymmetric routing - Handle RTCs that don’t support interrupts - Respond to command requests with correct address on multihomed hosts - Removed features - Drop support for RIPEMD keys (RMD128, RMD160, RMD256, RMD320) - Drop support for long (non-standard) MACs in NTPv4 packets (chrony 2.x clients using non-MD5/SHA1 keys need to use option 'version 3') - Drop support for line editing with GNU Readline - By default we don't write log files but log to journald, so only recommend logrotate. - Adjust and rename the sysconfig file, so that it matches the expectations of chronyd.service (bsc#1173277). Update to 3.5.1: * Create new file when writing pidfile (CVE-2020-14367, bsc#1174911) - Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075) - Use iburst in the default pool statements to speed up initial synchronisation (bsc#1172113). Update to 3.5: + Add support for more accurate reading of PHC on Linux 5.0 + Add support for hardware timestamping on interfaces with read-only timestamping configuration + Add support for memory locking and real-time priority on FreeBSD, NetBSD, Solaris + Update seccomp filter to work on more architectures + Validate refclock driver options + Fix bindaddress directive on FreeBSD + Fix transposition of hardware RX timestamp on Linux 4.13 and later + Fix building on non-glibc systems - Fix location of helper script in chrony-dnssrv@.service (bsc#1128846). - Read runtime servers from /var/run/netconfig/chrony.servers to fix bsc#1099272. - Move chrony-helper to /usr/lib/chrony/helper, because there should be no executables in /usr/share. Update to version 3.4 * Enhancements + Add filter option to server/pool/peer directive + Add minsamples and maxsamples options to hwtimestamp directive + Add support for faster frequency adjustments in Linux 4.19 + Change default pidfile to /var/run/chrony/chronyd.pid to allow chronyd without root privileges to remove it on exit + Disable sub-second polling intervals for distant NTP sources + Extend range of supported sub-second polling intervals + Get/set IPv4 destination/source address of NTP packets on FreeBSD + Make burst options and command useful with short polling intervals + Modify auto_offline option to activate when sending request failed + Respond from interface that received NTP request if possible + Add onoffline command to switch between online and offline state according to current system network configuration + Improve example NetworkManager dispatcher script * Bug fixes + Avoid waiting in Linux getrandom system call + Fix PPS support on FreeBSD and NetBSD Update to version 3.3 * Enhancements: + Add burst option to server/pool directive + Add stratum and tai options to refclock directive + Add support for Nettle crypto library + Add workaround for missing kernel receive timestamps on Linux + Wait for late hardware transmit timestamps + Improve source selection with unreachable sources + Improve protection against replay attacks on symmetric mode + Allow PHC refclock to use socket in /var/run/chrony + Add shutdown command to stop chronyd + Simplify format of response to manual list command + Improve handling of unknown responses in chronyc * Bug fixes: + Respond to NTPv1 client requests with zero mode + Fix -x option to not require CAP_SYS_TIME under non-root user + Fix acquisitionport directive to work with privilege separation + Fix handling of socket errors on Linux to avoid high CPU usage + Fix chronyc to not get stuck in infinite loop after clock step ----------------------------------------- Patch: SUSE-2022-861 Released: Tue Mar 15 23:30:48 2022 Summary: Recommended update for openssl-1_1 Severity: moderate References: 1182959,1195149,1195792,1195856 Description: This update for openssl-1_1 fixes the following issues: openssl-1_1: - Fix PAC pointer authentication in ARM (bsc#1195856) - Pull libopenssl-1_1 when updating openssl-1_1 with the same version (bsc#1195792) - FIPS: Fix function and reason error codes (bsc#1182959) - Enable zlib compression support (bsc#1195149) glibc: - Resolve installation issue of `glibc-devel` in SUSE Linux Enterprise Micro 5.1 linux-glibc-devel: - Resolve installation issue of `linux-kernel-headers` in SUSE Linux Enterprise Micro 5.1 libxcrypt: - Resolve installation issue of `libxcrypt-devel` in SUSE Linux Enterprise Micro 5.1 zlib: - Resolve installation issue of `zlib-devel` in SUSE Linux Enterprise Micro 5.1 ----------------------------------------- Patch: SUSE-2022-867 Released: Wed Mar 16 07:14:44 2022 Summary: Recommended update for libtirpc Severity: moderate References: 1193805 Description: This update for libtirpc fixes the following issues: - Fix memory leak in client protocol version 2 code (bsc#1193805) ----------------------------------------- Patch: SUSE-2022-874 Released: Wed Mar 16 10:40:52 2022 Summary: Recommended update for openldap2 Severity: moderate References: 1197004 Description: This update for openldap2 fixes the following issue: - Revert jsc#PM-3288 - CLDAP ( -DLDAP_CONNECTIONLESS ) due to regression (bsc#1197004) ----------------------------------------- Patch: SUSE-2022-884 Released: Thu Mar 17 09:47:43 2022 Summary: Recommended update for python-jsonschema, python-rfc3987, python-strict-rfc3339 Severity: moderate References: 1082318 Description: This update for python-jsonschema, python-rfc3987, python-strict-rfc3339 fixes the following issues: - Add patch to fix build with new webcolors. - update to version 3.2.0 (jsc#SLE-18756): * Added a format_nongpl setuptools extra, which installs only format dependencies that are non-GPL (#619). - specfile: * require python-importlib-metadata - update to version 3.1.1: * Temporarily revert the switch to js-regex until #611 and #612 are resolved. - changes from version 3.1.0: - Regular expressions throughout schemas now respect the ECMA 262 dialect, as recommended by the specification (#609). - Activate more of the test suite - Remove tests and benchmarking from the runtime package - Update to v3.0.2 - Fixed a bug where 0 and False were considered equal by const and enum - from v3.0.1 - Fixed a bug where extending validators did not preserve their notion of which validator property contains $id information. - Update to 3.0.1: - Support for Draft 6 and Draft 7 - Draft 7 is now the default - New TypeChecker object for more complex type definitions (and overrides) - Falling back to isodate for the date-time format checker is no longer attempted, in accordance with the specification - Use %license instead of %doc (bsc#1082318) - Remove hashbang from runtime module - Replace PyPI URL with https://github.com/dgerber/rfc3987 - Activate doctests - Add missing runtime dependency on timezone - Replace dead link with GitHub URL - Activate test suite - Trim bias from descriptions. - Initial commit, needed by flex ----------------------------------------- Version Build5.8.221-4-Build5.8.221 2022-03-26T17:37:10 ----------------------------------------- Patch: SUSE-2022-936 Released: Tue Mar 22 18:10:17 2022 Summary: Recommended update for filesystem and systemd-rpm-macros Severity: moderate References: 1196275,1196406 Description: This update for filesystem and systemd-rpm-macros fixes the following issues: filesystem: - Add path /lib/modprobe.d (bsc#1196275, jsc#SLE-20639) systemd-rpm-macros: - Make %_modprobedir point to /lib/modprobe.d (bsc#1196275, bsc#1196406) ----------------------------------------- Version Build5.8.226-4-Build5.8.226 2022-03-30T09:00:22 ----------------------------------------- Patch: SUSE-2022-1021 Released: Tue Mar 29 13:24:21 2022 Summary: Recommended update for systemd Severity: moderate References: 1195899 Description: This update for systemd fixes the following issues: - allow setting external core size to infinity (bsc#1195899 jsc#SLE-23868 jsc#SLE-23870) ----------------------------------------- Version Build5.8.230-4-Build5.8.230 2022-03-31T11:25:42 ----------------------------------------- Patch: SUSE-2022-1040 Released: Wed Mar 30 09:40:58 2022 Summary: Security update for protobuf Severity: moderate References: 1195258,CVE-2021-22570 Description: This update for protobuf fixes the following issues: - CVE-2021-22570: Fix incorrect parsing of nullchar in the proto symbol (bsc#1195258). ----------------------------------------- Patch: SUSE-2022-1047 Released: Wed Mar 30 16:20:56 2022 Summary: Recommended update for pam Severity: moderate References: 1196093,1197024 Description: This update for pam fixes the following issues: - Define _pam_vendordir as the variable is needed by systemd and others. (bsc#1196093) - Between allocating the variable 'ai' and free'ing them, there are two 'return NO' were we don't free this variable. This patch inserts freaddrinfo() calls before the 'return NO;'s. (bsc#1197024) ----------------------------------------- Patch: SUSE-2022-1061 Released: Wed Mar 30 18:27:06 2022 Summary: Security update for zlib Severity: important References: 1197459,CVE-2018-25032 Description: This update for zlib fixes the following issues: - CVE-2018-25032: Fixed memory corruption on deflate (bsc#1197459). ----------------------------------------- Version Build5.8.233-4-Build5.8.233 2022-04-02T09:00:21 ----------------------------------------- Patch: SUSE-2022-1073 Released: Fri Apr 1 11:45:01 2022 Summary: Security update for yaml-cpp Severity: moderate References: 1121227,1121230,1122004,1122021,CVE-2018-20573,CVE-2018-20574,CVE-2019-6285,CVE-2019-6292 Description: This update for yaml-cpp fixes the following issues: - CVE-2018-20573: Fixed remote DOS via a crafted YAML file in function Scanner:EnsureTokensInQueue (bsc#1121227). - CVE-2018-20574: Fixed remote DOS via a crafted YAML file in function SingleDocParser:HandleFlowMap (bsc#1121230). - CVE-2019-6285: Fixed remote DOS via a crafted YAML file in function SingleDocParser::HandleFlowSequence (bsc#1122004). - CVE-2019-6292: Fixed DOS by stack consumption in singledocparser.cpp (bsc#1122021). ----------------------------------------- Version Build5.8.239-4-Build5.8.239 2022-04-05T09:00:20 ----------------------------------------- Patch: SUSE-2022-1099 Released: Mon Apr 4 12:53:05 2022 Summary: Recommended update for aaa_base Severity: moderate References: 1194883 Description: This update for aaa_base fixes the following issues: - Set net.ipv4.ping_group_range to allow ICMP ping (bsc#1194883) - Include all fixes and changes for systemwide inputrc to remove the 8 bit escape sequence which interfere with UTF-8 multi byte characters as well as support the vi mode of readline library ----------------------------------------- Patch: SUSE-2022-1102 Released: Mon Apr 4 17:00:36 2022 Summary: Security update for 389-ds Severity: important References: 1197275,1197345,CVE-2022-0918,CVE-2022-0996 Description: This update for 389-ds fixes the following issues: - CVE-2022-0918: Fixed a potential denial of service via crafted packet (bsc#1197275). - CVE-2022-0996: Fixed a mishandling of password expiry (bsc#1197345). ----------------------------------------- Patch: SUSE-2022-1109 Released: Mon Apr 4 17:50:01 2022 Summary: Recommended update for util-linux Severity: important References: 1172427,1194642 Description: This update for util-linux fixes the following issues: - Improve throughput and reduce clock sequence increments for high load situation with time based version 1 uuids. (bsc#1194642) - Prevent root owning of `/var/lib/libuuid/clock.txt`. (bsc#1194642) - Warn if uuidd lock state is not usable. (bsc#1194642) - Fix 'su -s' bash completion. (bsc#1172427) ----------------------------------------- Version Build5.8.241-4-Build5.8.241 2022-04-06T09:00:21 ----------------------------------------- Patch: SUSE-2022-1118 Released: Tue Apr 5 18:34:06 2022 Summary: Recommended update for timezone Severity: moderate References: 1177460 Description: This update for timezone fixes the following issues: - timezone update 2022a (bsc#1177460): * Palestine will spring forward on 2022-03-27, not on 03-26 * `zdump -v` now outputs better failure indications * Bug fixes for code that reads corrupted TZif data ----------------------------------------- Version Build5.8.244-4-Build5.8.244 2022-04-12T09:00:22 ----------------------------------------- Patch: SUSE-2022-1149 Released: Mon Apr 11 16:29:14 2022 Summary: Security update for mozilla-nss Severity: important References: 1197903,CVE-2022-1097 Description: This update for mozilla-nss fixes the following issues: Mozilla NSS 3.68.3 (bsc#1197903): - CVE-2022-1097: Fixed memory safety violations that could occur when PKCS#11 tokens are removed while in use. ----------------------------------------- Version Build5.8.249-4-Build5.8.249 2022-04-13T09:00:23 ----------------------------------------- Patch: SUSE-2022-1157 Released: Tue Apr 12 13:26:19 2022 Summary: Security update for libsolv, libzypp, zypper Severity: important References: 1184501,1194848,1195999,1196061,1196317,1196368,1196514,1196925,1197134 Description: This update for libsolv, libzypp, zypper fixes the following issues: Security relevant fix: - Harden package signature checks (bsc#1184501). libsolv update to 0.7.22: - reworked choice rule generation to cover more usecases - support SOLVABLE_PREREQ_IGNOREINST in the ordering code (bsc#1196514) - support parsing of Debian's Multi-Arch indicator - fix segfault on conflict resolution when using bindings - fix split provides not working if the update includes a forbidden vendor change - support strict repository priorities new solver flag: SOLVER_FLAG_STRICT_REPO_PRIORITY - support zstd compressed control files in debian packages - add an ifdef allowing to rename Solvable dependency members ('requires' is a keyword in C++20) - support setting/reading userdata in solv files new functions: repowriter_set_userdata, solv_read_userdata - support queying of the custom vendor check function new function: pool_get_custom_vendorcheck - support solv files with an idarray block - allow accessing the toolversion at runtime libzypp update to 17.30.0: - ZConfig: Update solver settings if target changes (bsc#1196368) - Fix possible hang in singletrans mode (bsc#1197134) - Do 2 retries if mount is still busy. - Fix package signature check (bsc#1184501) Pay attention that header and payload are secured by a valid signature and report more detailed which signature is missing. - Retry umount if device is busy (bsc#1196061, closes #381) A previously released ISO image may need a bit more time to release it's loop device. So we wait a bit and retry. - Fix serializing/deserializing type mismatch in zypp-rpm protocol (bsc#1196925) - Fix handling of ISO media in releaseAll (bsc#1196061) - Hint on common ptf resolver conflicts (bsc#1194848) - Hint on ptf<>patch resolver conflicts (bsc#1194848) zypper update to 1.14.52: - info: print the packages upstream URL if available (fixes #426) - info: Fix SEGV with not installed PTFs (bsc#1196317) - Don't prevent less restrictive umasks (bsc#1195999) ----------------------------------------- Patch: SUSE-2022-1158 Released: Tue Apr 12 14:44:43 2022 Summary: Security update for xz Severity: important References: 1198062,CVE-2022-1271 Description: This update for xz fixes the following issues: - CVE-2022-1271: Fixed an incorrect escaping of malicious filenames (ZDI-CAN-16587). (bsc#1198062) ----------------------------------------- Version Build5.8.255-4-Build5.8.255 2022-04-24T09:00:24 ----------------------------------------- Patch: SUSE-2022-1302 Released: Fri Apr 22 10:04:46 2022 Summary: Recommended update for e2fsprogs Severity: moderate References: 1196939 Description: This update for e2fsprogs fixes the following issues: - Add support for 'libreadline7' for Leap. (bsc#1196939) ----------------------------------------- Version Build5.8.259-4-Build5.8.259 2022-04-26T09:00:24 ----------------------------------------- Patch: SUSE-2022-1374 Released: Mon Apr 25 15:02:13 2022 Summary: Recommended update for openldap2 Severity: moderate References: 1191157,1197004 Description: This update for openldap2 fixes the following issues: - allow specification of max/min TLS version with TLS1.3 (bsc#1191157) - libldap was able to be out of step with openldap in some cases which could cause incorrect installations and symbol resolution failures. openldap2 and libldap now are locked to their related release versions. (bsc#1197004) - restore CLDAP functionality in CLI tools (jsc#PM-3288) ----------------------------------------- Version Build5.8.261-4-Build5.8.261 2022-04-27T09:00:25 ----------------------------------------- Patch: SUSE-2022-1409 Released: Tue Apr 26 12:54:57 2022 Summary: Recommended update for gcc11 Severity: moderate References: 1195628,1196107 Description: This update for gcc11 fixes the following issues: - Add a list of Obsoletes to libstdc++6-pp-gcc11 so updates from packages provided by older GCC work. Add a requires from that package to the corresponding libstc++6 package to keep those at the same version. [bsc#1196107] - Fixed memory corruption when creating dependences with the D language frontend. - Add gcc11-PIE, similar to gcc-PIE but affecting gcc11 [bsc#1195628] - Put libstdc++6-pp Requires on the shared library and drop to Recommends. ----------------------------------------- Version Build5.8.267-4-Build5.8.267 2022-04-29T13:01:42 ----------------------------------------- Patch: SUSE-2022-1452 Released: Thu Apr 28 10:48:06 2022 Summary: Recommended update for perl Severity: moderate References: 1193489 Description: This update for perl fixes the following issues: - Fix Socket::VERSION evaluation and stabilize Socket:VERSION comparisons (bsc#1193489) ----------------------------------------- Patch: SUSE-2022-1455 Released: Thu Apr 28 11:31:51 2022 Summary: Security update for glib2 Severity: low References: 1183533,CVE-2021-28153 Description: This update for glib2 fixes the following issues: - CVE-2021-28153: Fixed an issue where symlink targets would be incorrectly created as empty files (bsc#1183533). ----------------------------------------- Version Build5.8.280-4-Build5.8.280 2022-05-14T09:00:25 ----------------------------------------- Patch: SUSE-2022-1655 Released: Fri May 13 15:36:10 2022 Summary: Recommended update for pam Severity: moderate References: 1197794 Description: This update for pam fixes the following issue: - Do not include obsolete header files (bsc#1197794) ----------------------------------------- Patch: SUSE-2022-1657 Released: Fri May 13 15:39:07 2022 Summary: Security update for curl Severity: moderate References: 1198614,1198723,1198766,CVE-2022-22576,CVE-2022-27775,CVE-2022-27776 Description: This update for curl fixes the following issues: - CVE-2022-27776: Fixed auth/cookie leak on redirect (bsc#1198766) - CVE-2022-27775: Fixed bad local IPv6 connection reuse (bsc#1198723) - CVE-2022-22576: Fixed OAUTH2 bearer bypass in connection re-use (bsc#1198614) ----------------------------------------- Patch: SUSE-2022-1658 Released: Fri May 13 15:40:20 2022 Summary: Recommended update for libpsl Severity: important References: 1197771 Description: This update for libpsl fixes the following issues: - Fix libpsl compilation issues (bsc#1197771) ----------------------------------------- Version Build5.8.287-4-Build5.8.287 2022-05-17T09:00:23 ----------------------------------------- Patch: SUSE-2022-1670 Released: Mon May 16 10:06:30 2022 Summary: Security update for openldap2 Severity: important References: 1199240,CVE-2022-29155 Description: This update for openldap2 fixes the following issues: - CVE-2022-29155: Fixed SQL injection in back-sql (bsc#1199240). ----------------------------------------- Patch: SUSE-2022-1688 Released: Mon May 16 14:02:49 2022 Summary: Security update for e2fsprogs Severity: important References: 1198446,CVE-2022-1304 Description: This update for e2fsprogs fixes the following issues: - CVE-2022-1304: Fixed out-of-bounds read/write leading to segmentation fault and possibly arbitrary code execution. (bsc#1198446) ----------------------------------------- Patch: SUSE-2022-1691 Released: Mon May 16 15:13:39 2022 Summary: Recommended update for augeas Severity: moderate References: 1197443 Description: This update for augeas fixes the following issue: - Sysctl keys can contain some more non-alphanumeric characters. (bsc#1197443) ----------------------------------------- Version Build5.8.291-4-Build5.8.291 2022-05-20T09:00:21 ----------------------------------------- Patch: SUSE-2022-1750 Released: Thu May 19 15:28:20 2022 Summary: Security update for libxml2 Severity: important References: 1196490,1199132,CVE-2022-23308,CVE-2022-29824 Description: This update for libxml2 fixes the following issues: - CVE-2022-23308: Fixed a use-after-free of ID and IDREF attributes (bsc#1196490). - CVE-2022-29824: Fixed integer overflow that could have led to an out-of-bounds write in buf.c (xmlBuf*) and tree.c (xmlBuffer*) (bsc#1199132). ----------------------------------------- Version Build5.8.299-4-Build5.8.299 2022-05-28T09:00:22 ----------------------------------------- Patch: SUSE-2022-1870 Released: Fri May 27 10:03:40 2022 Summary: Security update for curl Severity: important References: 1199223,1199224,CVE-2022-27781,CVE-2022-27782 Description: This update for curl fixes the following issues: - CVE-2022-27781: Fixed CERTINFO never-ending busy-loop (bsc#1199223) - CVE-2022-27782: Fixed TLS and SSH connection too eager reuse (bsc#1199224) ----------------------------------------- Version Build5.8.306-4-Build5.8.306 2022-06-01T15:54:02 ----------------------------------------- Patch: SUSE-2022-1887 Released: Tue May 31 09:24:18 2022 Summary: Recommended update for grep Severity: moderate References: 1040589 Description: This update for grep fixes the following issues: - Make profiling deterministic. (bsc#1040589, SLE-24115) ----------------------------------------- Version Build5.8.313-4-Build5.8.313 2022-06-09T09:00:23 ----------------------------------------- Patch: SUSE-2022-2019 Released: Wed Jun 8 16:50:07 2022 Summary: Recommended update for gcc11 Severity: moderate References: 1192951,1193659,1195283,1196861,1197065 Description: This update for gcc11 fixes the following issues: Update to the GCC 11.3.0 release. * includes SLS hardening backport on x86_64. [bsc#1195283] * includes change to adjust gnats idea of the target, fixing the build of gprbuild. [bsc#1196861] * fixed miscompile of embedded premake in 0ad on i586. [bsc#1197065] * use --with-cpu rather than specifying --with-arch/--with-tune * Fix D memory corruption in -M output. * Fix ICE in is_this_parameter with coroutines. [bsc#1193659] * fixes issue with debug dumping together with -o /dev/null * fixes libgccjit issue showing up in emacs build [bsc#1192951] * Package mwaitintrin.h ----------------------------------------- Version Build5.8.316-4-Build5.8.316 2022-06-17T09:00:22 ----------------------------------------- Patch: SUSE-2022-2105 Released: Thu Jun 16 15:22:32 2022 Summary: Security update for 389-ds Severity: important References: 1195324,1199889,CVE-2021-4091,CVE-2022-1949 Description: This update for 389-ds fixes the following issues: - CVE-2021-4091: Fixed double free in psearch (bsc#1195324). - CVE-2022-1949: Fixed full access control bypass with simple crafted query (bsc#1199889). ----------------------------------------- Version Build5.8.328-4-Build5.8.328 2022-07-05T09:00:22 ----------------------------------------- Patch: SUSE-2022-2251 Released: Mon Jul 4 09:52:25 2022 Summary: Security update for openssl-1_1 Severity: moderate References: 1185637,1199166,1200550,CVE-2022-1292,CVE-2022-2068 Description: This update for openssl-1_1 fixes the following issues: - CVE-2022-1292: Fixed command injection in c_rehash (bsc#1199166). - CVE-2022-2068: Fixed more shell code injection issues in c_rehash. (bsc#1200550) ----------------------------------------- Version Build5.8.333-4-Build5.8.333 2022-07-08T09:00:22 ----------------------------------------- Patch: SUSE-2022-2327 Released: Thu Jul 7 15:06:13 2022 Summary: Security update for curl Severity: important References: 1200735,1200737,CVE-2022-32206,CVE-2022-32208 Description: This update for curl fixes the following issues: - CVE-2022-32206: HTTP compression denial of service (bsc#1200735) - CVE-2022-32208: FTP-KRB bad message verification (bsc#1200737) ----------------------------------------- Patch: SUSE-2022-2328 Released: Thu Jul 7 15:07:35 2022 Summary: Security update for openssl-1_1 Severity: important References: 1201099,CVE-2022-2097 Description: This update for openssl-1_1 fixes the following issues: - CVE-2022-2097: Fixed partial missing encryption in AES OCB mode (bsc#1201099). ----------------------------------------- Version Build5.8.336-4-Build5.8.336 2022-07-12T09:19:35 ----------------------------------------- Patch: SUSE-2022-2351 Released: Mon Jul 11 10:50:12 2022 Summary: Security update for python3 Severity: important References: 1186819,1190566,1192249,1193179,1198511,CVE-2015-20107,CVE-2021-3572 Description: This update for python3 fixes the following issues: Security issues fixed: - CVE-2021-3572: Update bundled pip wheel to the latest SLE version (bsc#1186819) - CVE-2015-20107: avoid command injection in the mailcap module (bsc#1198511). Other bugs fixed: - Remove shebangs from from python-base libraries in _libdir (bsc#1193179, bsc#1192249). ----------------------------------------- Version Build5.8.338-4-Build5.8.338 2022-07-13T09:00:21 ----------------------------------------- Patch: SUSE-2022-2361 Released: Tue Jul 12 12:05:01 2022 Summary: Security update for pcre Severity: important References: 1199232,CVE-2022-1586 Description: This update for pcre fixes the following issues: - CVE-2022-1586: Fixed unicode property matching issue. (bsc#1199232) ----------------------------------------- Version Build5.8.341-4-Build5.8.341 2022-07-16T09:00:23 ----------------------------------------- Patch: SUSE-2022-2405 Released: Fri Jul 15 11:47:57 2022 Summary: Security update for p11-kit Severity: moderate References: 1180065,CVE-2020-29362 Description: This update for p11-kit fixes the following issues: - CVE-2020-29362: Fixed a 4 byte overread in p11_rpc_buffer_get_byte_array which could lead to crashes (bsc#1180065) ----------------------------------------- Version Build5.8.345-4-Build5.8.345 2022-07-22T10:25:10 ----------------------------------------- Patch: SUSE-2022-2471 Released: Thu Jul 21 04:42:58 2022 Summary: Recommended update for systemd Severity: important References: 1148309,1191502,1195529,1200170 Description: This update for systemd fixes the following issues: - Allow control characters in environment variable values (bsc#1200170) - basic/env-util: Allow newlines in values of environment variables - man: tweak description of auto/noauto (bsc#1191502) - shared/install: avoid overwriting 'r' counter with a partial result (bsc#1148309) - shared/install: fix error codes returned by install_context_apply() - shared/install: ignore failures for auxiliary files - systemctl: suppress enable/disable messages when `-q` is given - test-env-util: Verify that \r is disallowed in env var values - test-env-util: print function headers - udev: 60-persistent-storage-tape.rules: handle duplicate device ID (bsc#1195529) ----------------------------------------- Version Build5.8.346-4-Build5.8.346 2022-07-23T09:00:25 ----------------------------------------- Patch: SUSE-2022-2533 Released: Fri Jul 22 17:37:15 2022 Summary: Security update for mozilla-nss Severity: important References: 1192079,1192080,1192086,1192087,1192228,1198486,1200027,CVE-2022-31741 Description: This update for mozilla-nss fixes the following issues: Various FIPS 140-3 related fixes were backported from SUSE Linux Enterprise 15 SP4: - Makes the PBKDF known answer test compliant with NIST SP800-132. (bsc#1192079). - FIPS: Add on-demand integrity tests through sftk_FIPSRepeatIntegrityCheck() (bsc#1198980). - FIPS: mark algorithms as approved/non-approved according to security policy (bsc#1191546, bsc#1201298). - FIPS: remove hard disabling of unapproved algorithms. This requirement is now fulfilled by the service level indicator (bsc#1200325). - Run test suite at build time, and make it pass (bsc#1198486). - FIPS: skip algorithms that are hard disabled in FIPS mode. - Prevent expired PayPalEE cert from failing the tests. - Allow checksumming to be disabled, but only if we entered FIPS mode due to NSS_FIPS being set, not if it came from /proc. - FIPS: Make the PBKDF known answer test compliant with NIST SP800-132. - Update FIPS validation string to version-release format. - FIPS: remove XCBC MAC from list of FIPS approved algorithms. - Enable NSS_ENABLE_FIPS_INDICATORS and set NSS_FIPS_MODULE_ID for build. - FIPS: claim 3DES unapproved in FIPS mode (bsc#1192080). - FIPS: allow testing of unapproved algorithms (bsc#1192228). - FIPS: add version indicators. (bmo#1729550, bsc#1192086). - FIPS: fix some secret clearing (bmo#1697303, bsc#1192087). Version update to NSS 3.79: - Use PK11_GetSlotInfo instead of raw C_GetSlotInfo calls. - Update mercurial in clang-format docker image. - Use of uninitialized pointer in lg_init after alloc fail. - selfserv and tstclnt should use PR_GetPrefLoopbackAddrInfo. - Add SECMOD_LockedModuleHasRemovableSlots. - Fix secasn1d parsing of indefinite SEQUENCE inside indefinite GROUP. - Added RFC8422 compliant TLS <= 1.2 undefined/compressed ECPointFormat extension alerts. - TLS 1.3 Server: Send protocol_version alert on unsupported ClientHello.legacy_version. - Correct invalid record inner and outer content type alerts. - NSS does not properly import or export pkcs12 files with large passwords and pkcs5v2 encoding. - improve error handling after nssCKFWInstance_CreateObjectHandle. - Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple. - NSS 3.79 should depend on NSPR 4.34 Version update to NSS 3.78.1: - Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple Version update to NSS 3.78: - Added TLS 1.3 zero-length inner plaintext checks and tests, zero-length record/fragment handling tests. - Reworked overlong record size checks and added TLS1.3 specific boundaries. - Add ECH Grease Support to tstclnt - Add a strict variant of moz::pkix::CheckCertHostname. - Change SSL_REUSE_SERVER_ECDHE_KEY default to false. - Make SEC_PKCS12EnableCipher succeed - Update zlib in NSS to 1.2.12. Version update to NSS 3.77: - Fix link to TLS page on wireshark wiki - Add two D-TRUST 2020 root certificates. - Add Telia Root CA v2 root certificate. - Remove expired explicitly distrusted certificates from certdata.txt. - support specific RSA-PSS parameters in mozilla::pkix - Remove obsolete stateEnd check in SEC_ASN1DecoderUpdate. - Remove token member from NSSSlot struct. - Provide secure variants of mpp_pprime and mpp_make_prime. - Support UTF-8 library path in the module spec string. - Update nssUTF8_Length to RFC 3629 and fix buffer overrun. - Update googletest to 1.11.0 - Add SetTls13GreaseEchSize to experimental API. - TLS 1.3 Illegal legacy_version handling/alerts. - Fix calculation of ECH HRR Transcript. - Allow ld path to be set as environment variable. - Ensure we don't read uninitialized memory in ssl gtests. - Fix DataBuffer Move Assignment. - internal_error alert on Certificate Request with sha1+ecdsa in TLS 1.3 - rework signature verification in mozilla::pkix Version update to NSS 3.76.1 - Remove token member from NSSSlot struct. - Hold tokensLock through nssToken_GetSlot calls in nssTrustDomain_GetActiveSlots. - Check return value of PK11Slot_GetNSSToken. - Use Wycheproof JSON for RSASSA-PSS - Add SHA256 fingerprint comments to old certdata.txt entries. - Avoid truncating files in nss-release-helper.py. - Throw illegal_parameter alert for illegal extensions in handshake message. Version update to NSS 3.75 - Make DottedOIDToCode.py compatible with python3. - Avoid undefined shift in SSL_CERT_IS while fuzzing. - Remove redundant key type check. - Update ABI expectations to match ECH changes. - Enable CKM_CHACHA20. - check return on NSS_NoDB_Init and NSS_Shutdown. - Run ECDSA test vectors from bltest as part of the CI tests. - Add ECDSA test vectors to the bltest command line tool. - Allow to build using clang's integrated assembler. - Allow to override python for the build. - test HKDF output rather than input. - Use ASSERT macros to end failed tests early. - move assignment operator for DataBuffer. - Add test cases for ECH compression and unexpected extensions in SH. - Update tests for ECH-13. - Tidy up error handling. - Add tests for ECH HRR Changes. - Server only sends GREASE HRR extension if enabled by preference. - Update generation of the Associated Data for ECH-13. - When ECH is accepted, reject extensions which were only advertised in the Outer Client Hello. - Allow for compressed, non-contiguous, extensions. - Scramble the PSK extension in CHOuter. - Split custom extension handling for ECH. - Add ECH-13 HRR Handling. - Client side ECH padding. - Stricter ClientHelloInner Decompression. - Remove ECH_inner extension, use new enum format. - Update the version number for ECH-13 and adjust the ECHConfig size. Version update to NSS 3.74 - mozilla::pkix: support SHA-2 hashes in CertIDs in OCSP responses - Ensure clients offer consistent ciphersuites after HRR - NSS does not properly restrict server keys based on policy - Set nssckbi version number to 2.54 - Replace Google Trust Services LLC (GTS) R4 root certificate - Replace Google Trust Services LLC (GTS) R3 root certificate - Replace Google Trust Services LLC (GTS) R2 root certificate - Replace Google Trust Services LLC (GTS) R1 root certificate - Replace GlobalSign ECC Root CA R4 - Remove Expired Root Certificates - DST Root CA X3 - Remove Expiring Cybertrust Global Root and GlobalSign root certificates - Add renewed Autoridad de Certificacion Firmaprofesional CIF A62634068 root certificate - Add iTrusChina ECC root certificate - Add iTrusChina RSA root certificate - Add ISRG Root X2 root certificate - Add Chunghwa Telecom's HiPKI Root CA - G1 root certificate - Avoid a clang 13 unused variable warning in opt build - Check for missing signedData field - Ensure DER encoded signatures are within size limits - enable key logging option (boo#1195040) Version update to NSS 3.73.1: - Add SHA-2 support to mozilla::pkix's OSCP implementation Version update to NSS 3.73 - check for missing signedData field. - Ensure DER encoded signatures are within size limits. - NSS needs FiPS 140-3 version indicators. - pkix_CacheCert_Lookup doesn't return cached certs - sunset Coverity from NSS Fixed MFSA 2021-51 (bsc#1193170) CVE-2021-43527: Memory corruption via DER-encoded DSA and RSA-PSS signatures Version update to NSS 3.72 - Fix nsinstall parallel failure. - Increase KDF cache size to mitigate perf regression in about:logins Version update to NSS 3.71 - Set nssckbi version number to 2.52. - Respect server requirements of tlsfuzzer/test-tls13-signature-algorithms.py - Import of PKCS#12 files with Camellia encryption is not supported - Add HARICA Client ECC Root CA 2021. - Add HARICA Client RSA Root CA 2021. - Add HARICA TLS ECC Root CA 2021. - Add HARICA TLS RSA Root CA 2021. - Add TunTrust Root CA certificate to NSS. Version update to NSS 3.70 - Update test case to verify fix. - Explicitly disable downgrade check in TlsConnectStreamTls13.EchOuterWith12Max - Explicitly disable downgrade check in TlsConnectTest.DisableFalseStartOnFallback - Avoid using a lookup table in nssb64d. - Use HW accelerated SHA2 on AArch64 Big Endian. - Change default value of enableHelloDowngradeCheck to true. - Cache additional PBE entries. - Read HPKE vectors from official JSON. Version update to NSS 3.69.1: - Disable DTLS 1.0 and 1.1 by default - integrity checks in key4.db not happening on private components with AES_CBC NSS 3.69: - Disable DTLS 1.0 and 1.1 by default (backed out again) - integrity checks in key4.db not happening on private components with AES_CBC (backed out again) - SSL handling of signature algorithms ignores environmental invalid algorithms. - sqlite 3.34 changed it's open semantics, causing nss failures. - Gtest update changed the gtest reports, losing gtest details in all.sh reports. - NSS incorrectly accepting 1536 bit DH primes in FIPS mode - SQLite calls could timeout in starvation situations. - Coverity/cpp scanner errors found in nss 3.67 - Import the NSS documentation from MDN in nss/doc. - NSS using a tempdir to measure sql performance not active Version Update to 3.68.4 (bsc#1200027) - CVE-2022-31741: Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple. (bmo#1767590) Mozilla NSPR was updated to version 4.34: * add an API that returns a preferred loopback IP on hosts that have two IP stacks available. ----------------------------------------- Version Build5.8.350-4-Build5.8.350 2022-07-29T09:00:23 ----------------------------------------- Patch: SUSE-2022-2572 Released: Thu Jul 28 04:22:33 2022 Summary: Recommended update for libzypp, zypper Severity: moderate References: 1194550,1197684,1199042 Description: This update for libzypp, zypper fixes the following issues: libzypp: - appdata plugin: Pass path to the repodata/ directory inside the cache (bsc#1197684) - zypp-rpm: flush rpm script output buffer before sending endOfScriptTag - PluginRepoverification: initial version hooked into repo::Downloader and repo refresh - Immediately start monitoring the download.transfer_timeout. Do not wait until the first data arrived (bsc#1199042) - singletrans: no dry-run commit if doing just download-only - Work around cases where sat repo.start points to an invalid solvable. May happen if (wrong arch) solvables were removed at the beginning of the repo. - Fix misplaced #endif SINGLE_RPMTRANS_AS_DEFAULT_FOR_ZYPPER zypper: - Basic JobReport for 'cmdout/monitor' - versioncmp: if verbose, also print the edition 'parts' which are compared - Make sure MediaAccess is closed on exception (bsc#1194550) - Display plus-content hint conditionally - Honor the NO_COLOR environment variable when auto-detecting whether to use color - Define table columns which should be sorted natural [case insensitive] - lr/ls: Use highlight color on name and alias as well ----------------------------------------- Version Build5.8.363-4-Build5.8.363 2022-08-10T15:34:36 ----------------------------------------- Patch: SUSE-2022-2717 Released: Tue Aug 9 12:54:16 2022 Summary: Security update for ncurses Severity: moderate References: 1198627,CVE-2022-29458 Description: This update for ncurses fixes the following issues: - CVE-2022-29458: Fixed segfaulting out-of-bounds read in convert_strings in tinfo/read_entry.c (bsc#1198627). ----------------------------------------- Version Build5.8.374-4-Build5.8.374 2022-08-25T09:00:28 ----------------------------------------- Patch: SUSE-2022-2882 Released: Wed Aug 24 10:34:31 2022 Summary: Security update for gnutls Severity: important References: 1202020,CVE-2022-2509 Description: This update for gnutls fixes the following issues: - CVE-2022-2509: Fixed a double free issue during PKCS7 verification (bsc#1202020). ----------------------------------------- Version Build5.8.376-4-Build5.8.376 2022-08-27T14:04:35 ----------------------------------------- Patch: SUSE-2022-2904 Released: Fri Aug 26 05:28:34 2022 Summary: Recommended update for openldap2 Severity: moderate References: 1198341 Description: This update for openldap2 fixes the following issues: - Prevent memory reuse which may lead to instability (bsc#1198341) ----------------------------------------- Version Build5.8.382-4-Build5.8.382 2022-08-31T09:00:25 ----------------------------------------- Patch: SUSE-2022-2929 Released: Mon Aug 29 11:21:47 2022 Summary: Recommended update for timezone Severity: important References: 1202310 Description: This update for timezone fixes the following issue: - Reflect new Chile DST change (bsc#1202310) ----------------------------------------- Patch: SUSE-2022-2944 Released: Wed Aug 31 05:39:14 2022 Summary: Recommended update for procps Severity: important References: 1181475 Description: This update for procps fixes the following issues: - Fix 'free' command reporting misleading 'used' value (bsc#1181475) ----------------------------------------- Version Build5.8.385-4-Build5.8.385 2022-09-01T09:00:24 ----------------------------------------- Patch: SUSE-2022-2947 Released: Wed Aug 31 09:16:21 2022 Summary: Security update for zlib Severity: important References: 1202175,CVE-2022-37434 Description: This update for zlib fixes the following issues: - CVE-2022-37434: Fixed heap-based buffer over-read or buffer overflow via large gzip header extra field (bsc#1202175). ----------------------------------------- Version Build5.8.387-4-Build5.8.387 2022-09-02T09:00:24 ----------------------------------------- Patch: SUSE-2022-2991 Released: Thu Sep 1 16:04:30 2022 Summary: Security update for libtirpc Severity: important References: 1198752,1200800,1201680,CVE-2021-46828 Description: This update for libtirpc fixes the following issues: - CVE-2021-46828: Fixed an uncontrolled file descriptor consumption, which could be exploited by remote attackers to prevent applications using the library from accepting new connections (bsc#1201680). Non-security fixes: - Exclude ipv6 addresses in client protocol version 2 code (bsc#1200800) - Fix memory leak in params.r_addr assignement (bsc#1198752) ----------------------------------------- Version Build5.8.390-4-Build5.8.390 2022-09-03T09:00:27 ----------------------------------------- Patch: SUSE-2022-2994 Released: Fri Sep 2 10:44:54 2022 Summary: Recommended update for lame, libass, libcdio-paranoia, libdc1394, libgsm, libva, libvdpau, libvorbis, libvpx, libwebp, openjpeg, opus, speex, twolame Severity: moderate References: 1198925 Description: This update for lame, libass, libcdio-paranoia, libdc1394, libgsm, libva, libvdpau, libvorbis, libvpx, libwebp, openjpeg, opus, speex, twolame adds some missing 32bit libraries to some products. (bsc#1198925) No codechanges were done in this update. ----------------------------------------- Patch: SUSE-2022-3004 Released: Fri Sep 2 15:02:14 2022 Summary: Security update for curl Severity: low References: 1202593,CVE-2022-35252 Description: This update for curl fixes the following issues: - CVE-2022-35252: Fixed a potential injection of control characters into cookies, which could be exploited by sister sites to cause a denial of service (bsc#1202593). ----------------------------------------- Version Build5.8.395-4-Build5.8.395 2022-09-07T10:03:07 ----------------------------------------- Patch: SUSE-2022-3091 Released: Tue Sep 6 07:49:22 2022 Summary: Recommended update for mozilla-nss Severity: moderate References: 1201298,1202645 Description: This update for mozilla-nss fixes the following issues: Update to NSS 3.79.1 (bsc#1202645) * compare signature and signatureAlgorithm fields in legacy certificate verifier. * Uninitialized value in cert_ComputeCertType. * protect SFTKSlot needLogin with slotLock. * avoid data race on primary password change. * check for null template in sec_asn1{d,e}_push_state. - FIPS: unapprove the rest of the DSA ciphers, keeping signature verification only (bsc#1201298). ----------------------------------------- Patch: SUSE-2022-3129 Released: Wed Sep 7 04:42:53 2022 Summary: Recommended update for util-linux Severity: moderate References: 1197178,1198731,1200842 Description: This update for util-linux fixes the following issues: - su: Change owner and mode for pty (bsc#1200842) - agetty: Resolve tty name even if stdin is specified (bsc#1197178) - libmount: When moving a mount point, update all sub mount entries in utab (bsc#1198731) - mesg: use only stat() to get the current terminal status (bsc#1200842) ----------------------------------------- Version Build5.8.396-4-Build5.8.396 2022-09-07T14:06:53 ----------------------------------------- Patch: SUSE-2022-3142 Released: Wed Sep 7 09:54:18 2022 Summary: Security update for icu Severity: moderate References: 1193951,CVE-2020-21913 Description: This update for icu fixes the following issues: - CVE-2020-21913: Fixed a memory safetey issue that could lead to use after free (bsc#1193951). ----------------------------------------- Version Build5.8.397-4-Build5.8.397 2022-09-08T09:01:55 ----------------------------------------- Patch: SUSE-2022-3144 Released: Wed Sep 7 11:04:23 2022 Summary: Security update for gpg2 Severity: important References: 1201225,CVE-2022-34903 Description: This update for gpg2 fixes the following issues: - CVE-2022-34903: Fixed a potential signature forgery via injection into the status line when certain unusual conditions are met (bsc#1201225). ----------------------------------------- Version Build5.8.399-4-Build5.8.399 2022-09-09T09:53:37 ----------------------------------------- Patch: SUSE-2022-3223 Released: Fri Sep 9 04:33:35 2022 Summary: Recommended update for libzypp, zypper Severity: moderate References: 1199895,1200993,1201092,1201576,1201638 Description: This update for libzypp, zypper fixes the following issues: libzypp: - Improve handling of package locks, allowing to reset the status of its initial state (bsc#1199895) - Fix issues when receiving exceptions from curl_easy_cleanup (bsc#1201092) - Don't auto-flag kernel-firmware as 'reboot-needed' (bsc#1200993) - Remove Medianetwork and its dependent code. First reason for this is that MediaNetwork was just meant as a way to test the new CURL based downloaded. Second the Provide API is going to completely replace the current media backend. zypper: - Truncate the 'Name' column when using `zypper lr`, if the table is wider than the terminal (bsc#1201638) - Reject install/remove modifier without argument (bsc#1201576) - zypper-download: Handle unresolvable arguments as errors - Put signing key supplying repository name in quotes ----------------------------------------- Version Build5.8.409-4-Build5.8.409 2022-09-14T10:42:25 ----------------------------------------- Patch: SUSE-2022-3262 Released: Tue Sep 13 15:34:29 2022 Summary: Recommended update for gcc11 Severity: moderate References: 1199140 Description: This update for gcc11 ships some missing 32bit libraries for s390x. (bsc#1199140) ----------------------------------------- Version Build5.8.413-4-Build5.8.413 2022-09-20T09:00:26 ----------------------------------------- Patch: SUSE-2022-3304 Released: Mon Sep 19 11:43:25 2022 Summary: Recommended update for libassuan Severity: moderate References: Description: This update for libassuan fixes the following issues: - Add a timeout for writing to a SOCKS5 proxy - Add workaround for a problem with LD_LIBRARY_PATH on newer systems - Fix issue in the logging code - Fix some build trivialities - Upgrade autoconf ----------------------------------------- Patch: SUSE-2022-3307 Released: Mon Sep 19 13:26:51 2022 Summary: Security update for sqlite3 Severity: moderate References: 1189802,1195773,1201783,CVE-2021-36690,CVE-2022-35737 Description: This update for sqlite3 fixes the following issues: - CVE-2022-35737: Fixed an array-bounds overflow if billions of bytes are used in a string argument to a C API (bnc#1201783). - CVE-2021-36690: Fixed an issue with the SQLite Expert extension when a column has no collating sequence (bsc#1189802). - Package the Tcl bindings here again so that we only ship one copy of SQLite (bsc#1195773). ----------------------------------------- Version Build5.8.418-4-Build5.8.418 2022-09-27T09:00:23 ----------------------------------------- Patch: SUSE-2022-3394 Released: Mon Sep 26 16:05:19 2022 Summary: Security update for permissions Severity: moderate References: 1203018,CVE-2022-31252 Description: This update for permissions fixes the following issues: - CVE-2022-31252: Fixed chkstat group controlled paths (bsc#1203018). ----------------------------------------- Version Build5.8.421-4-Build5.8.421 2022-10-08T09:40:01 ----------------------------------------- Patch: SUSE-2022-3549 Released: Fri Oct 7 14:39:40 2022 Summary: Security update for cyrus-sasl Severity: important References: 1159635,CVE-2019-19906 Description: This update for cyrus-sasl fixes the following issues: - CVE-2019-19906: Fixed an out-of-bounds write that could lead to unauthenticated remote denial of service in OpenLDAP via a malformed LDAP packet (bsc#1159635). ----------------------------------------- Version Build5.8.425-4-Build5.8.425 2022-10-12T09:00:23 ----------------------------------------- Patch: SUSE-2022-3565 Released: Tue Oct 11 16:17:38 2022 Summary: Recommended update for libzypp, zypper Severity: critical References: 1189282,1201972,1203649 Description: This update for libzypp, zypper fixes the following issues: libzypp: - Enable 'zck' support for SUSE Linux Enterprise 15 Service Pack 4 and newer (bsc#1189282) - Fix regression leading to `-allow-vendor-change` and `no-allow-vendor-change` options being ignored (bsc#1201972) - Remove migration code that is no longer needed (bsc#1203649) - Store logrotate files in vendor specif directory '/usr/etc/logrotate.d' if so defined zypper: - Fix contradiction in the man page: `--download-in-advance` option is the default behavior - Fix regression leading to `-allow-vendor-change` and `no-allow-vendor-change` options being ignored (bsc#1201972) - Fix tests to use locale 'C.UTF-8' rather than 'en_US' - Make sure 'up' respects solver related CLI options (bsc#1201972) - Remove unneeded code to compute the PPP status because it is now auto established - Store logrotate files in vendor specif directory '/usr/etc/logrotate.d' if so defined ----------------------------------------- Version Build5.8.426-4-Build5.8.426 2022-10-15T09:00:25 ----------------------------------------- Patch: SUSE-2022-3593 Released: Fri Oct 14 13:35:50 2022 Summary: Security update for python3 Severity: important References: 1202624,CVE-2021-28861 Description: This update for python3 fixes the following issues: - CVE-2021-28861: Fixed an open redirection vulnerability in the HTTP server when an URI path starts with // (bsc#1202624). ----------------------------------------- Version Build5.8.428-4-Build5.8.428 2022-10-18T09:00:24 ----------------------------------------- Patch: SUSE-2022-3597 Released: Mon Oct 17 13:13:16 2022 Summary: Security update for expat Severity: important References: 1203438,CVE-2022-40674 Description: This update for expat fixes the following issues: - CVE-2022-40674: Fixed use-after-free in the doContent function in xmlparse.c (bsc#1203438). ----------------------------------------- Version Build5.8.435-4-Build5.8.435 2022-10-22T09:00:22 ----------------------------------------- Patch: SUSE-2022-3683 Released: Fri Oct 21 11:48:39 2022 Summary: Security update for libksba Severity: critical References: 1204357,CVE-2022-3515 Description: This update for libksba fixes the following issues: - CVE-2022-3515: Fixed a possible overflow in the TLV parser (bsc#1204357). ----------------------------------------- Patch: SUSE-2022-3689 Released: Fri Oct 21 14:19:56 2022 Summary: Feature update for rpm Severity: moderate References: Description: This feature update for rpm provides: - Support Ed25519 RPM signatures (jsc#SLE-24714, jsc#SLE-24715) ----------------------------------------- Version Build5.8.443-4-Build5.8.443 2022-10-27T09:00:26 ----------------------------------------- Patch: SUSE-2022-3773 Released: Wed Oct 26 12:19:29 2022 Summary: Security update for curl Severity: important References: 1204383,CVE-2022-32221 Description: This update for curl fixes the following issues: - CVE-2022-32221: Fixed POST following PUT confusion (bsc#1204383). ----------------------------------------- Patch: SUSE-2022-3776 Released: Wed Oct 26 14:06:43 2022 Summary: Recommended update for permissions Severity: important References: 1203911,1204137 Description: This update for permissions fixes the following issues: - Revert changes that replaced ping capabilities with ICMP_PROTO sockets. Older SUSE Linux Enterprise versions don't properly support ICMP_PROTO sockets feature yet (bsc#1204137) - Fix regression introduced by backport of security fix (bsc#1203911) ----------------------------------------- Patch: SUSE-2022-3784 Released: Wed Oct 26 18:03:28 2022 Summary: Security update for libtasn1 Severity: critical References: 1204690,CVE-2021-46848 Description: This update for libtasn1 fixes the following issues: - CVE-2021-46848: Fixed off-by-one array size check that affects asn1_encode_simple_der (bsc#1204690) ----------------------------------------- Version Build5.8.452-4-Build5.8.452 2022-11-06T09:00:26 ----------------------------------------- Patch: SUSE-2022-3871 Released: Fri Nov 4 13:26:29 2022 Summary: Security update for libxml2 Severity: important References: 1201978,1204366,1204367,CVE-2016-3709,CVE-2022-40303,CVE-2022-40304 Description: This update for libxml2 fixes the following issues: - CVE-2016-3709: Fixed possible XSS vulnerability (bsc#1201978). - CVE-2022-40303: Fixed integer overflows with XML_PARSE_HUGE (bsc#1204366). - CVE-2022-40304: Fixed dict corruption caused by entity reference cycles (bsc#1204367). ----------------------------------------- Patch: SUSE-2022-3873 Released: Fri Nov 4 14:58:08 2022 Summary: Recommended update for mozilla-nspr, mozilla-nss Severity: moderate References: 1191546,1198980,1201298,1202870,1204729 Description: This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nspr was updated to version 4.34.1: * add file descriptor sanity checks in the NSPR poll function. mozilla-nss was updated to NSS 3.79.2 (bsc#1204729): * Bump minimum NSPR version to 4.34.1. * Gracefully handle null nickname in CERT_GetCertNicknameWithValidity. Other fixes that were applied: - FIPS: Allow the use of DSA keys (verification only) (bsc#1201298). - FIPS: Add sftk_FIPSRepeatIntegrityCheck() to softoken's .def file (bsc#1198980). - FIPS: Allow the use of longer symmetric keys via the service level indicator (bsc#1191546). - FIPS: Prevent TLS sessions from getting flagged as non-FIPS (bsc#1191546). - FIPS: Mark DSA keygen unapproved (bsc#1191546, bsc#1201298). - FIPS: Use libjitterentropy for entropy (bsc#1202870). - FIPS: Fixed an abort() when both NSS_FIPS and /proc FIPS mode are enabled. ----------------------------------------- Version Build5.8.460-4-Build5.8.460 2022-11-12T09:00:26 ----------------------------------------- Patch: SUSE-2022-3901 Released: Tue Nov 8 10:50:06 2022 Summary: Recommended update for openssl-1_1 Severity: moderate References: 1180995,1203046 Description: This update for openssl-1_1 fixes the following issues: - Default to RFC7919 groups when generating ECDH parameters using 'genpkey' or 'dhparam' in FIPS mode (bsc#1180995) - Fix memory leaks (bsc#1203046) ----------------------------------------- Patch: SUSE-2022-3905 Released: Tue Nov 8 12:23:17 2022 Summary: Recommended update for aaa_base Severity: important References: 1196840,1199492,1199918,1199926,1199927 Description: This update for aaa_base and iputils fixes the following issues: aaa_base: - Failures in ping for SUSE Linux Enterprise 15 and 15 SP1 due to sysctl setting for ping_group_range (bsc#1199926, bsc#1199927) - The wrapper rootsh is not a restricted shell (bsc#1199492) iputils: - Fix device binding on ping6 for ICMP datagram socket. (bsc#1196840, bsc#1199918, bsc#1199926, bsc#1199927) ----------------------------------------- Patch: SUSE-2022-3910 Released: Tue Nov 8 13:05:04 2022 Summary: Recommended update for pam Severity: moderate References: Description: This update for pam fixes the following issue: - Update pam_motd to the most current version. (PED-1712) ----------------------------------------- Patch: SUSE-2022-3912 Released: Tue Nov 8 13:38:11 2022 Summary: Security update for expat Severity: important References: 1204708,CVE-2022-43680 Description: This update for expat fixes the following issues: - CVE-2022-43680: Fixed use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate (bsc#1204708). ----------------------------------------- Patch: SUSE-2022-3922 Released: Wed Nov 9 09:03:33 2022 Summary: Security update for protobuf Severity: important References: 1194530,1203681,1204256,CVE-2021-22569,CVE-2022-1941,CVE-2022-3171 Description: This update for protobuf fixes the following issues: - CVE-2021-22569: Fixed Denial of Service in protobuf-java in the parsing procedure for binary data (bsc#1194530). - CVE-2022-1941: Fix a potential DoS issue in protobuf-cpp and protobuf-python (bsc#1203681) - CVE-2022-3171: Fix a potential DoS issue when parsing with binary data in protobuf-java (bsc#1204256) ----------------------------------------- Patch: SUSE-2022-3924 Released: Wed Nov 9 13:20:05 2022 Summary: Security update for python3 Severity: important References: 1203125,1204577,CVE-2020-10735,CVE-2022-37454 Description: This update for python3 fixes the following issues: - CVE-2022-37454: Fixed a buffer overflow in hashlib.sha3_* implementations. (bsc#1204577) - CVE-2020-10735: Fixed a bug to limit amount of digits converting text to int and vice vera. (bsc#1203125) ----------------------------------------- Version Build5.8.464-4-Build5.8.464 2022-11-16T09:00:24 ----------------------------------------- Patch: SUSE-2022-3961 Released: Mon Nov 14 07:33:50 2022 Summary: Recommended update for zlib Severity: important References: 1203652 Description: This update for zlib fixes the following issues: - Fix updating strm.adler with inflate() if DFLTCC is used (bsc#1203652) ----------------------------------------- Patch: SUSE-2022-3975 Released: Mon Nov 14 15:41:13 2022 Summary: Recommended update for util-linux Severity: moderate References: 1201959 Description: This update for util-linux fixes the following issues: - libuuid improvements (bsc#1201959, PED-1150): libuuid: Fix range when parsing UUIDs. Improve cache handling for short running applications-increment the cache size over runtime. Implement continuous clock handling for time based UUIDs. Check clock value from clock file to provide seamless libuuid. ----------------------------------------- Version Build5.8.468-4-Build5.8.468 2022-11-19T09:00:22 ----------------------------------------- Patch: SUSE-2022-4066 Released: Fri Nov 18 10:43:00 2022 Summary: Recommended update for timezone Severity: important References: 1177460,1202324,1204649,1205156 Description: This update for timezone fixes the following issues: Update timezone version from 2022a to 2022f (bsc#1177460, bsc#1204649, bsc#1205156): - Mexico will no longer observe DST except near the US border - Chihuahua moves to year-round -06 on 2022-10-30 - Fiji no longer observes DST - In vanguard form, GMT is now a Zone and Etc/GMT a link - zic now supports links to links, and vanguard form uses this - Simplify four Ontario zones - Fix a Y2438 bug when reading TZif data - Enable 64-bit time_t on 32-bit glibc platforms - Omit large-file support when no longer needed - Jordan and Syria switch from +02/+03 with DST to year-round +03 - Palestine transitions are now Saturdays at 02:00 - Simplify three Ukraine zones into one - Improve tzselect on intercontinental Zones - Chile's DST is delayed by a week in September 2022 (bsc#1202324) - Iran no longer observes DST after 2022 - Rename Europe/Kiev to Europe/Kyiv - New `zic -R` command option - Vanguard form now uses %z ----------------------------------------- Patch: SUSE-2022-4081 Released: Fri Nov 18 15:40:46 2022 Summary: Security update for dpkg Severity: low References: 1199944,CVE-2022-1664 Description: This update for dpkg fixes the following issues: - CVE-2022-1664: Fixed a directory traversal vulnerability in Dpkg::Source::Archive (bsc#1199944). ----------------------------------------- Version Build5.8.471-4-Build5.8.471 2022-11-22T09:00:23 ----------------------------------------- Patch: SUSE-2022-4155 Released: Mon Nov 21 14:36:17 2022 Summary: Security update for krb5 Severity: important References: 1205126,CVE-2022-42898 Description: This update for krb5 fixes the following issues: - CVE-2022-42898: Fixed integer overflow in PAC parsing (bsc#1205126). ----------------------------------------- Version Build5.8.477-4-Build5.8.477 2022-11-27T09:00:22 ----------------------------------------- Patch: SUSE-2022-4199 Released: Wed Nov 23 13:17:17 2022 Summary: Recommended update for rpm Severity: moderate References: 1202750 Description: This update for rpm fixes the following issues: - Strip critical bit in signature subpackage parsing - No longer deadlock DNF after pubkey import (bsc#1202750) ----------------------------------------- Patch: SUSE-2022-4214 Released: Thu Nov 24 16:17:31 2022 Summary: Security update for libdb-4_8 Severity: low References: 1174414,CVE-2019-2708 Description: This update for libdb-4_8 fixes the following issues: - CVE-2019-2708: Fixed partial DoS due to data store execution (bsc#1174414). ----------------------------------------- Version Build5.8.483-4-Build5.8.483 2022-11-30T11:16:41 ----------------------------------------- Patch: SUSE-2022-4256 Released: Mon Nov 28 12:36:32 2022 Summary: Recommended update for gcc12 Severity: moderate References: Description: This update for gcc12 fixes the following issues: This update ship the GCC 12 compiler suite and its base libraries. The compiler baselibraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 11 ones. The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP3 and SP4, and provided in the 'Development Tools' module. The Go, D and Ada language compiler parts are available unsupported via the PackageHub repositories. To use gcc12 compilers use: - install 'gcc12' or 'gcc12-c++' or one of the other 'gcc12-COMPILER' frontend packages. - override your Makefile to use CC=gcc12, CXX=g++12 and similar overrides for the other languages. For a full changelog with all new GCC12 features, check out https://gcc.gnu.org/gcc-12/changes.html ----------------------------------------- Patch: SUSE-2022-4258 Released: Mon Nov 28 15:37:25 2022 Summary: Security update for python3 Severity: important References: 1205244,CVE-2022-45061 Description: This update for python3 fixes the following issues: - CVE-2022-45061: Fixed possible DoS when IDNA decoding extremely long domain names (bsc#1205244). ----------------------------------------- Version Build5.8.489-4-Build5.8.489 2022-12-09T09:00:23 ----------------------------------------- Patch: SUSE-2022-4388 Released: Fri Dec 9 04:07:21 2022 Summary: Recommended update for gnutls Severity: moderate References: 1204511 Description: This update for gnutls fixes the following issues: - Fix potential to free an invalid pointer (bsc#1204511) ----------------------------------------- Version Build5.8.507-4-Build5.8.507 2022-12-30T09:00:23 ----------------------------------------- Patch: SUSE-2022-4628 Released: Wed Dec 28 09:23:13 2022 Summary: Security update for sqlite3 Severity: moderate References: 1206337,CVE-2022-46908 Description: This update for sqlite3 fixes the following issues: - CVE-2022-46908: Properly implement the azProhibitedFunctions protection mechanism, when relying on --safe for execution of an untrusted CLI script (bsc#1206337). ----------------------------------------- Patch: SUSE-2022-4633 Released: Wed Dec 28 09:32:15 2022 Summary: Security update for curl Severity: moderate References: 1206309,CVE-2022-43552 Description: This update for curl fixes the following issues: - CVE-2022-43552: HTTP Proxy deny use-after-free (bsc#1206309). ----------------------------------------- Version Build5.8.510-4-Build5.8.510 2023-01-03T09:00:23 ----------------------------------------- Patch: SUSE-2023-13 Released: Mon Jan 2 12:08:13 2023 Summary: Recommended update for mozilla-nss Severity: moderate References: 1191546,1198980,1201298 Description: This update for mozilla-nss fixes the following issues: - FIPS: Disapprove the creation of DSA keys, i.e. mark them as not-fips (bsc#1201298) - FIPS: Allow the use SHA keygen mechs (bsc#1191546). - FIPS: Ensure abort() is called when the repeat integrity check fails (bsc#1198980). ----------------------------------------- Version Build5.8.515-4-Build5.8.515 2023-01-07T09:00:23 ----------------------------------------- Patch: SUSE-2023-25 Released: Thu Jan 5 09:51:41 2023 Summary: Recommended update for timezone Severity: moderate References: 1177460 Description: This update for timezone fixes the following issues: Version update from 2022f to 2022g (bsc#1177460): - In the Mexican state of Chihuahua: * The border strip near the US will change to agree with nearby US locations on 2022-11-30. * The strip's western part, represented by Ciudad Juarez, switches from -06 all year to -07/-06 with US DST rules, like El Paso, TX. * The eastern part, represented by Ojinaga, will observe US DST next year, like Presidio, TX. * A new Zone America/Ciudad_Juarez splits from America/Ojinaga. - Much of Greenland, represented by America/Nuuk, stops observing winter time after March 2023, so its daylight saving time becomes standard time. - Changes for pre-1996 northern Canada - Update to past DST transition in Colombia (1993), Singapore (1981) - 'timegm' is now supported by default ----------------------------------------- Version Build5.8.517-4-Build5.8.517 2023-01-11T09:00:27 ----------------------------------------- Patch: SUSE-2023-56 Released: Mon Jan 9 11:13:43 2023 Summary: Security update for libksba Severity: moderate References: 1206579,CVE-2022-47629 Description: This update for libksba fixes the following issues: - CVE-2022-47629: Fixed an integer overflow vulnerability in the CRL signature parser (bsc#1206579). ----------------------------------------- Version Build5.8.522-4-Build5.8.522 2023-01-17T09:00:26 ----------------------------------------- Patch: SUSE-2023-88 Released: Mon Jan 16 10:30:50 2023 Summary: Security update for python-wheel Severity: moderate References: 1206670,CVE-2022-40898 Description: This update for python-wheel fixes the following issues: - CVE-2022-40898: Fixed an excessive use of CPU that could be triggered via a crafted regular expression (bsc#1206670). ----------------------------------------- Version Build5.8.525-4-Build5.8.525 2023-01-25T09:00:26 ----------------------------------------- Patch: SUSE-2023-130 Released: Tue Jan 24 15:22:44 2023 Summary: Security update for mozilla-nss Severity: important References: 1204272,1207038,CVE-2022-23491,CVE-2022-3479 Description: This update for mozilla-nss fixes the following issues: - CVE-2022-3479: Fixed a potential crash that could be triggered when a server requested a client authentication certificate, but the client had no certificates stored (bsc#1204272). - Updated to version 3.79.3 (bsc#1207038): - CVE-2022-23491: Removed trust for 3 root certificates from TrustCor. ----------------------------------------- Version Build5.8.527-4-Build5.8.527 2023-01-27T09:00:25 ----------------------------------------- Patch: SUSE-2023-174 Released: Thu Jan 26 20:52:38 2023 Summary: Security update for glib2 Severity: low References: 1183533,CVE-2021-28153 Description: This update for glib2 fixes the following issues: - CVE-2021-28153: Fixed an issue where symlink targets would be incorrectly created as empty files (bsc#1183533). ----------------------------------------- Patch: SUSE-2023-176 Released: Thu Jan 26 20:56:20 2023 Summary: Recommended update for permissions Severity: moderate References: 1206738 Description: This update for permissions fixes the following issues: Update to version 20181225: * Backport postfix permissions to SLE 15 SP2 (bsc#1206738) ----------------------------------------- Patch: SUSE-2023-181 Released: Thu Jan 26 21:55:43 2023 Summary: Recommended update for procps Severity: low References: 1206412 Description: This update for procps fixes the following issues: - Improve memory handling/usage (bsc#1206412) - Make sure that correct library version is installed (bsc#1206412) ----------------------------------------- Version Build5.8.529-4-Build5.8.529 2023-01-30T09:00:25 ----------------------------------------- Patch: SUSE-2023-188 Released: Fri Jan 27 12:07:19 2023 Summary: Recommended update for zlib Severity: important References: 1203652 Description: This update for zlib fixes the following issues: - Follow up fix for bug bsc#1203652 due to libxml2 issues ----------------------------------------- Version Build5.8.531-4-Build5.8.531 2023-02-02T09:00:26 ----------------------------------------- Patch: SUSE-2023-223 Released: Wed Feb 1 09:36:03 2023 Summary: Security update for python-setuptools Severity: moderate References: 1206667,CVE-2022-40897 Description: This update for python-setuptools fixes the following issues: - CVE-2022-40897: Fixed an excessive CPU usage that could be triggered by fetching a malicious HTML document (bsc#1206667). ----------------------------------------- Version Build5.8.535-4-Build5.8.535 2023-02-08T09:00:25 ----------------------------------------- Patch: SUSE-2023-310 Released: Tue Feb 7 17:35:34 2023 Summary: Security update for openssl-1_1 Severity: important References: 1121365,1198472,1207533,1207534,1207536,1207538,CVE-2022-4304,CVE-2022-4450,CVE-2023-0215,CVE-2023-0286 Description: This update for openssl-1_1 fixes the following issues: - CVE-2023-0286: Fixed X.400 address type confusion in X.509 GENERAL_NAME_cmp for x400Address (bsc#1207533). - CVE-2023-0215: Fixed use-after-free following BIO_new_NDEF() (bsc#1207536). - CVE-2022-4450: Fixed double free after calling PEM_read_bio_ex() (bsc#1207538). - CVE-2022-4304: Fixed timing Oracle in RSA Decryption (bsc#1207534). - FIPS: list only FIPS approved public key algorithms (bsc#1121365, bsc#1198472) ----------------------------------------- Version Build5.8.538-4-Build5.8.538 2023-02-18T09:00:24 ----------------------------------------- Patch: SUSE-2023-443 Released: Fri Feb 17 09:42:48 2023 Summary: Security update for mozilla-nss Severity: important References: 1208138,CVE-2023-0767 Description: This update for mozilla-nss fixes the following issues: Updated to NSS 3.79.4 (bsc#1208138): - CVE-2023-0767: Fixed handling of unknown PKCS#12 safe bag types. ----------------------------------------- Patch: SUSE-2023-446 Released: Fri Feb 17 09:52:43 2023 Summary: Recommended update for util-linux Severity: moderate References: 1194038,1205646 Description: This update for util-linux fixes the following issues: - Fix tests not passing when '@' character is in build path: Fixes rpmbuild %checks fail when @ in the directory path (bsc#1194038). - libuuid continuous clock handling for time based UUIDs: Prevent use of the new libuuid ABI by uuidd %post before update of libuuid1 (bsc#1205646). ----------------------------------------- Version Build5.8.547-4-Build5.8.547 2023-03-04T09:00:22 ----------------------------------------- Patch: SUSE-2023-610 Released: Fri Mar 3 12:06:49 2023 Summary: Security update for gnutls Severity: moderate References: 1208143,CVE-2023-0361 Description: This update for gnutls fixes the following issues: - CVE-2023-0361: Fixed a Bleichenbacher oracle in the TLS RSA key exchange (bsc#1208143). ----------------------------------------- Version Build5.8.552-4-Build5.8.552 2023-03-09T09:00:22 ----------------------------------------- Patch: SUSE-2023-676 Released: Wed Mar 8 14:33:23 2023 Summary: Recommended update for libxml2 Severity: moderate References: 1204585 Description: This update for libxml2 fixes the following issues: - Add W3C conformance tests to the testsuite (bsc#1204585): * Added file xmlts20080827.tar.gz ----------------------------------------- Version Build5.8.556-4-Build5.8.556 2023-03-15T09:00:28 ----------------------------------------- Patch: SUSE-2023-736 Released: Tue Mar 14 19:05:34 2023 Summary: Security update for python3 Severity: important References: 1188607,1208443,1208471,CVE-2023-24329 Description: This update for python3 fixes the following issues: - CVE-2023-24329: Fixed blocklist bypass via the urllib.parse component when supplying a URL that starts with blank characters (bsc#1208471). The following non-security bugs were fixed: - Fixed a crash in the garbage collection (bsc#1188607) - Fixed email.generator.py to not replace a non-existent header (bsc#1208443, gh#python/cpython#71508). ----------------------------------------- Version Build5.8.558-4-Build5.8.558 2023-03-17T09:00:26 ----------------------------------------- Patch: SUSE-2023-776 Released: Thu Mar 16 17:29:23 2023 Summary: Recommended update for gcc12 Severity: moderate References: Description: This update for gcc12 fixes the following issues: This update ships gcc12 also to the SUSE Linux Enterprise 15 SP1 LTSS and 15 SP2 LTSS products. SUSE Linux Enterprise 15 SP3 and SP4 get only refreshed builds without changes This update ship the GCC 12 compiler suite and its base libraries. The compiler baselibraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 11 ones. The new compilers for C, C++, and Fortran are provided in the SUSE Linux Enterprise Module for Development Tools. To use gcc12 compilers use: - install 'gcc12' or 'gcc12-c++' or one of the other 'gcc12-COMPILER' frontend packages. - override your makefile to use CC=gcc12, CXX=g++12 and similar overrides for the other languages. For a full changelog with all new GCC12 features, check out https://gcc.gnu.org/gcc-12/changes.html ----------------------------------------- Patch: SUSE-2023-786 Released: Thu Mar 16 19:36:09 2023 Summary: Recommended update for libsolv, libzypp, zypper Severity: important References: 1178233,1203248,1203249,1203715,1204548,1204956,1205570,1205636,1206949 Description: This update for libsolv, libzypp, zypper fixes the following issues: libsolv: - Do not autouninstall SUSE PTF packages - Ensure 'duplinvolvedmap_all' is reset when a solver is reused - Fix 'keep installed' jobs not disabling 'best update' rules - New '-P' and '-W' options for `testsolv` - New introspection interface for weak dependencies similar to ruleinfos - Ensure special case file dependencies are written correctly in the testcase writer - Support better info about alternatives - Support decision reason queries - Support merging of related decisions - Support stringification of multiple solvables - Support stringification of ruleinfo, decisioninfo and decision reasons libzypp: - Avoid calling getsockopt when we know the info already. This patch should fix logging on WSL, getsockopt seems to not be fully supported but the code required it when accepting new socket connections (bsc#1178233) - Avoid redirecting 'history.logfile=/dev/null' into the target - Create '.no_auto_prune' in the package cache dir to prevent auto cleanup of orphaned repositories (bsc#1204956) - Enhance yaml-cpp detection - Improve download of optional files - MultiCurl: Make sure to reset the progress function when falling back. - Properly reset range requests (bsc#1204548) - Removing a PTF without enabled repos should always fail (bsc#1203248) Without enabled repos, the dependent PTF-packages would be removed (not replaced!) as well. To remove a PTF `zypper install -- -PTF` or a dedicated `zypper removeptf PTF` should be used. This will update the installed PTF packages to theit latest version. - Skip media.1/media download for http repo status calc. This patch allows zypp to skip a extra media.1/media download to calculate if a repository needs to be refreshed. This optimisation only takes place if the repo does specify only downloading base urls. - Use a dynamic fallback for BLKSIZE in downloads. When not receiving a blocklist via metalink file from the server MediaMultiCurl used to fallback to a fixed, relatively small BLKSIZE. This patch changes the fallback into a dynamic value based on the filesize using a similar metric as the MirrorCache implementation on the server side. - ProgressData: enforce reporting the INIT||END state (bsc#1206949) - ps: fix service detection on newer Tumbleweed systems (bsc#1205636) zypper: - Allow to (re)add a service with the same URL (bsc#1203715) - Bump dependency requirement to libzypp-devel 17.31.7 or greater - Explain outdatedness of repositories - patterns: Avoid dispylaing superfluous @System entries (bsc#1205570) - Provide `removeptf` command (bsc#1203249) A remove command which prefers replacing dependant packages to removing them as well. A PTF is typically removed as soon as the fix it provides is applied to the latest official update of the dependant packages. However it is not desired for the dependant packages to be removed together with the PTF, which is what the remove command would do. The `removeptf` command however will aim to replace the dependant packages by their official update versions. - Update man page and explain '.no_auto_prune' (bsc#1204956) ----------------------------------------- Version Build5.8.564-4-Build5.8.564 2023-04-01T09:00:26 ----------------------------------------- Patch: SUSE-2023-1711 Released: Fri Mar 31 13:33:04 2023 Summary: Security update for curl Severity: moderate References: 1207992,1209209,1209210,1209211,1209212,1209214,CVE-2023-23916,CVE-2023-27533,CVE-2023-27534,CVE-2023-27535,CVE-2023-27536,CVE-2023-27538 Description: This update for curl fixes the following issues: - CVE-2023-27533: Fixed TELNET option IAC injection (bsc#1209209). - CVE-2023-27534: Fixed SFTP path ~ resolving discrepancy (bsc#1209210). - CVE-2023-27535: Fixed FTP too eager connection reuse (bsc#1209211). - CVE-2023-27536: Fixed GSS delegation too eager connection reuse (bsc#1209212). - CVE-2023-27538: Fixed SSH connection too eager reuse still (bsc#1209214). - CVE-2023-23916: Fixed HTTP multi-header compression denial of service (bsc#1207992). ----------------------------------------- Version Build5.8.570-4-Build5.8.570 2023-04-08T09:00:22 ----------------------------------------- Patch: SUSE-2023-1783 Released: Thu Apr 6 08:24:57 2023 Summary: Recommended update for python3 Severity: important References: 1203355 Description: This update for python3 fixes the following issues: - Fix unnecessary and dangerous calls to PyThread_exit_thread() (bsc#1203355) ----------------------------------------- Patch: SUSE-2023-1790 Released: Thu Apr 6 15:36:15 2023 Summary: Security update for openssl-1_1 Severity: moderate References: 1209624,1209873,1209878,CVE-2023-0464,CVE-2023-0465,CVE-2023-0466 Description: This update for openssl-1_1 fixes the following issues: - CVE-2023-0464: Fixed excessive Resource Usage Verifying X.509 Policy Constraints (bsc#1209624). - CVE-2023-0465: Invalid certificate policies in leaf certificates were silently ignored (bsc#1209878). - CVE-2023-0466: Certificate policy check were not enabled (bsc#1209873). ----------------------------------------- Version Build5.8.573-4-Build5.8.573 2023-04-11T14:00:16 ----------------------------------------- Patch: SUSE-2023-1805 Released: Tue Apr 11 10:12:41 2023 Summary: Recommended update for timezone Severity: important References: Description: This update for timezone fixes the following issues: - Version update from 2022g to 2023c: * Egypt now uses DST again, from April through October. * This year Morocco springs forward April 23, not April 30. * Palestine delays the start of DST this year. * Much of Greenland still uses DST from 2024 on. * America/Yellowknife now links to America/Edmonton. * tzselect can now use current time to help infer timezone. * The code now defaults to C99 or later. ----------------------------------------- Version Build5.8.580-4-Build5.8.580 2023-04-25T09:00:25 ----------------------------------------- Patch: SUSE-2023-1969 Released: Mon Apr 24 17:37:56 2023 Summary: Recommended update for mozilla-nss Severity: moderate References: 1191546,1207209,1208242,1208999 Description: This update for mozilla-nss fixes the following issues: - Adjust SLI reporting for PBKDF2 parameter validation (bsc#1208999) - Update session->lastOpWasFIPS before destroying the key after derivation in the CKM_TLS12_KEY_AND_MAC_DERIVE, CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256, CKM_TLS_KEY_AND_MAC_DERIVE and CKM_SSL3_KEY_AND_MAC_DERIVE cases. (bsc#1191546) - FIPS: more changes for pairwise consistency checks. (bsc#1207209) - Add manpages to mozilla-nss-tools (bsc#1208242) ----------------------------------------- Version Build5.8.582-4-Build5.8.582 2023-04-27T09:00:24 ----------------------------------------- Patch: SUSE-2023-2048 Released: Wed Apr 26 21:05:45 2023 Summary: Security update for libxml2 Severity: important References: 1065270,1199132,1204585,1210411,1210412,CVE-2021-3541,CVE-2022-29824,CVE-2023-28484,CVE-2023-29469 Description: This update for libxml2 fixes the following issues: - CVE-2023-29469: Fixed inconsistent result when hashing empty strings (bsc#1210412). - CVE-2023-28484: Fixed NULL pointer dereference in xmlSchemaFixupComplexType (bsc#1210411). - CVE-2022-29824: Fixed integer overflow leading to out-of-bounds write in buf.c (bsc#1199132). The following non-security bugs were fixed: - Added W3C conformance tests to the testsuite (bsc#1204585). - Fixed NULL pointer dereference when parsing invalid data (glgo#libxml2!15) (bsc#1065270) . ----------------------------------------- Version Build5.8.584-4-Build5.8.584 2023-04-29T09:00:24 ----------------------------------------- Patch: SUSE-2023-2068 Released: Fri Apr 28 13:55:00 2023 Summary: Security update for shadow Severity: moderate References: 1210507,CVE-2023-29383 Description: This update for shadow fixes the following issues: - CVE-2023-29383: Fixed apparent /etc/shadow manipulation via chfn (bsc#1210507). ----------------------------------------- Patch: SUSE-2023-2074 Released: Fri Apr 28 17:02:25 2023 Summary: Security update for zstd Severity: moderate References: 1209533,CVE-2022-4899 Description: This update for zstd fixes the following issues: - CVE-2022-4899: Fixed buffer overrun in util.c (bsc#1209533). ----------------------------------------- Patch: SUSE-2023-2076 Released: Fri Apr 28 17:35:05 2023 Summary: Security update for glib2 Severity: moderate References: 1209713,1209714,1210135,CVE-2023-24593,CVE-2023-25180 Description: This update for glib2 fixes the following issues: - CVE-2023-24593: Fixed a denial of service caused by handling a malicious text-form variant (bsc#1209714). - CVE-2023-25180: Fixed a denial of service caused by malicious serialised variant (bsc#1209713). The following non-security bug was fixed: - Fixed regression on s390x (bsc#1210135, glgo#GNOME/glib!2978). ----------------------------------------- Version Build5.8.587-4-Build5.8.587 2023-05-05T09:00:25 ----------------------------------------- Patch: SUSE-2023-2104 Released: Thu May 4 21:05:30 2023 Summary: Recommended update for procps Severity: moderate References: 1209122 Description: This update for procps fixes the following issue: - Allow - as leading character to ignore possible errors on systctl entries (bsc#1209122) ----------------------------------------- Version Build5.8.590-4-Build5.8.590 2023-05-06T09:00:26 ----------------------------------------- Patch: SUSE-2023-2111 Released: Fri May 5 14:34:00 2023 Summary: Security update for ncurses Severity: moderate References: 1210434,CVE-2023-29491 Description: This update for ncurses fixes the following issues: - CVE-2023-29491: Fixed memory corruption issues when processing malformed terminfo data (bsc#1210434). ----------------------------------------- Version Build5.8.593-4-Build5.8.593 2023-05-09T18:05:26 ----------------------------------------- Patch: SUSE-2023-2133 Released: Tue May 9 13:37:10 2023 Summary: Recommended update for zlib Severity: moderate References: 1206513 Description: This update for zlib fixes the following issues: - Add DFLTCC support for using inflate() with a small window (bsc#1206513) ----------------------------------------- Version Build5.8.598-4-Build5.8.598 2023-05-17T09:00:26 ----------------------------------------- Patch: SUSE-2023-2216 Released: Tue May 16 11:27:50 2023 Summary: Recommended update for python-packaging Severity: important References: 1186870,1199282 Description: This update for python-packaging fixes the following issues: - Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629) - Add patch to fix testsuite on big-endian targets - Ignore python3.6.2 since the test doesn't support it. - update to 21.3: * Add a pp3-none-any tag * Replace the blank pyparsing 3 exclusion with a 3.0.5 exclusion * Fix a spelling mistake - update to 21.2: * Update documentation entry for 21.1. * Update pin to pyparsing to exclude 3.0.0. * PEP 656: musllinux support * Drop support for Python 2.7, Python 3.4 and Python 3.5 * Replace distutils usage with sysconfig * Add support for zip files * Use cached hash attribute to short-circuit tag equality comparisons * Specify the default value for the 'specifier' argument to 'SpecifierSet' * Proper keyword-only 'warn' argument in packaging.tags * Correctly remove prerelease suffixes from ~= check * Fix type hints for 'Version.post' and 'Version.dev' * Use typing alias 'UnparsedVersion' * Improve type inference * Tighten the return typeo - Add Provides: for python*dist(packaging). (bsc#1186870) - add no-legacyversion-warning.patch to restore compatibility with 20.4 - update to 20.9: * Add support for the ``macosx_10_*_universal2`` platform tags * Introduce ``packaging.utils.parse_wheel_filename()`` and ``parse_sdist_filename()`` - update to 20.8: * Revert back to setuptools for compatibility purposes for some Linux distros * Do not insert an underscore in wheel tags when the interpreter version number is more than 2 digits * Fix flit configuration, to include LICENSE files * Make `intel` a recognized CPU architecture for the `universal` macOS platform tag * Add some missing type hints to `packaging.requirements` * Officially support Python 3.9 * Deprecate the ``LegacyVersion`` and ``LegacySpecifier`` classes * Handle ``OSError`` on non-dynamic executables when attempting to resolve the glibc version string. - update to 20.4: * Canonicalize version before comparing specifiers. * Change type hint for ``canonicalize_name`` to return ``packaging.utils.NormalizedName``. This enables the use of static typing tools (like mypy) to detect mixing of normalized and un-normalized names. ----------------------------------------- Version Build5.8.600-4-Build5.8.600 2023-05-18T09:00:25 ----------------------------------------- Patch: SUSE-2023-2227 Released: Wed May 17 09:57:41 2023 Summary: Security update for curl Severity: important References: 1211231,1211232,1211233,1211339,CVE-2023-28320,CVE-2023-28321,CVE-2023-28322 Description: This update for curl fixes the following issues: - CVE-2023-28320: Fixed siglongjmp race condition (bsc#1211231). - CVE-2023-28321: Fixed IDN wildcard matching (bsc#1211232). - CVE-2023-28322: Fixed POST-after-PUT confusion (bsc#1211233). ----------------------------------------- Version Build5.8.602-4-Build5.8.602 2023-05-19T09:00:25 ----------------------------------------- Patch: SUSE-2023-2247 Released: Thu May 18 17:04:38 2023 Summary: Recommended update for libzypp, zypper Severity: moderate References: 1127591,1195633,1208329,1209406,1210870 Description: This update for libzypp, zypper fixes the following issues: - Installing local RPM packages fails if /usr/bin/find is not installed (bsc#1195633) - multicurl: propagate ssl settings stored in repo url (bsc#1127591) - MediaCurl: Fix endless loop if wrong credentials are stored in credentials.cat (bsc#1210870) - zypp.conf: Introduce 'download.connect_timeout' [60 sec.] (bsc#1208329) - Teach MediaNetwork to retry on HTTP2 errors. - Fix selecting installed patterns from picklist (bsc#1209406) - man: better explanation of --priority ----------------------------------------- Version Build5.8.607-4-Build5.8.607 2023-06-01T11:02:16 ----------------------------------------- Patch: SUSE-2023-2333 Released: Wed May 31 09:01:28 2023 Summary: Recommended update for zlib Severity: moderate References: 1210593 Description: This update for zlib fixes the following issue: - Fix function calling order to avoid crashes (bsc#1210593) ----------------------------------------- Version Build5.8.609-4-Build5.8.609 2023-06-02T09:00:27 ----------------------------------------- Patch: SUSE-2023-2343 Released: Thu Jun 1 11:35:28 2023 Summary: Security update for openssl-1_1 Severity: important References: 1211430,CVE-2023-2650 Description: This update for openssl-1_1 fixes the following issues: - CVE-2023-2650: Fixed possible denial of service translating ASN.1 object identifiers (bsc#1211430). ----------------------------------------- Version Build5.8.613-4-Build5.8.613 2023-06-12T14:56:54 ----------------------------------------- Patch: SUSE-2023-2484 Released: Mon Jun 12 08:49:58 2023 Summary: Security update for openldap2 Severity: moderate References: 1211795,CVE-2023-2953 Description: This update for openldap2 fixes the following issues: - CVE-2023-2953: Fixed null pointer deref in ber_memalloc_x (bsc#1211795). ----------------------------------------- Version Build5.8.614-4-Build5.8.614 2023-06-14T09:23:29 ----------------------------------------- Patch: SUSE-2023-2497 Released: Tue Jun 13 15:37:25 2023 Summary: Recommended update for libzypp Severity: important References: 1211661,1212187 Description: This update for libzypp fixes the following issues: - Fix 'Curl error 92' when synchronizing SUSE Manager repositories. [bsc#1212187] - Do not unconditionally release a medium if provideFile failed. [bsc#1211661] ----------------------------------------- Version Build5.8.615-4-Build5.8.615 2023-06-15T09:00:25 ----------------------------------------- Patch: SUSE-2023-2509 Released: Wed Jun 14 14:44:28 2023 Summary: Security update for python3 Severity: moderate References: 1203750,1211158,CVE-2007-4559 Description: This update for python3 fixes the following issues: - CVE-2007-4559: Fixed filter for tarfile.extractall (bsc#1203750). - Fixed unittest.mock.patch.dict returns function when applied to coroutines (bsc#1211158). ----------------------------------------- Version Build5.8.619-4-Build5.8.619 2023-06-24T09:00:25 ----------------------------------------- Patch: SUSE-2023-2625 Released: Fri Jun 23 17:16:11 2023 Summary: Recommended update for gcc12 Severity: moderate References: Description: This update for gcc12 fixes the following issues: - Update to GCC 12.3 release, 0c61aa720e62f1baf0bfd178e283, git1204 * includes regression and other bug fixes - Speed up builds with --enable-link-serialization. - Update embedded newlib to version 4.2.0 ----------------------------------------- Version Build5.8.623-4-Build5.8.623 2023-07-01T09:00:24 ----------------------------------------- Patch: SUSE-2023-2742 Released: Fri Jun 30 11:40:56 2023 Summary: Recommended update for autoyast2, libzypp, yast2-pkg-bindings, yast2-update, zypper Severity: moderate References: 1202234,1209565,1211261,1212187,1212222 Description: This update for yast2-pkg-bindings fixes the following issues: libzypp was updated to version 17.31.14 (22): - Curl: trim all custom headers (bsc#1212187) HTTP/2 RFC 9113 forbids fields ending with a space. So we make sure all custom headers are trimmed. This also includes headers returned by URL-Resolver plugins. - build: honor libproxy.pc's includedir (bsc#1212222) zypper was updated to version 1.14.61: - targetos: Add an error note if XPath:/product/register/target is not defined in /etc/products.d/baseproduct (bsc#1211261) - targetos: Update help and man page (bsc#1211261) yast2-pkg-bindings, autoyast: - Added a new option for rebuilding the RPM database (--rebuilddb) (bsc#1209565) - Selected products are not installed after resetting the package manager internally (bsc#1202234) yast2-update: - Rebuild the RPM database during upgrade (--rebuilddb) (bsc#1209565) ----------------------------------------- Version Build5.8.626-4-Build5.8.626 2023-07-07T09:00:24 ----------------------------------------- Patch: SUSE-2023-2788 Released: Thu Jul 6 11:51:02 2023 Summary: Recommended update for mozilla-nspr, mozilla-nss Severity: moderate References: 1185116,1202118 Description: This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nspr was updated to version 4.35 * fixes for building with clang * use the number of online processors for the PR_GetNumberOfProcessors() API on some platforms * fix build on mips+musl libc * Add support for the LoongArch 64-bit architecture mozilla-nss was update to NSS 3.90: * clang-format lib/freebl/stubs.c * Add a constant time select function * Updating an old dbm with lots of certs with keys to sql results in a database that is slow to access. * output early build errors by default * Update the technical constraints for KamuSM * Add BJCA Global Root CA1 and CA2 root certificates * Enable default UBSan Checks * Add explicit handling of zero length records * Tidy up DTLS ACK Error Handling Path * Refactor zero length record tests * Fix compiler warning via correct assert * run linux tests on nss-t/t-linux-xlarge-gcp * In FIPS mode, nss should reject RSASSA-PSS salt lengths larger than the output size of the hash function used, or provide an indicator * Fix reading raw negative numbers * Repairing unreachable code in clang built with gyp * Integrate Vale Curve25519 * Removing unused flags for Hacl* * Adding a better error message * Update HACL* till 51a72a953a4ee6f91e63b2816ae5c4e62edf35d6 * Fall back to the softokn when writing certificate trust * FIPS-104-3 requires we restart post programmatically * cmd/ecperf: fix dangling pointer warning on gcc 13 * Update ACVP dockerfile for compatibility with debian package changes * Add a CI task for tracking ECCKiila code status, update whitespace in ECCKiila files * Removed deprecated sprintf function and replaced with snprintf * fix rst warnings in nss doc * Fix incorrect pygment style * Change GYP directive to apply across platforms * Add libsmime3 abi-check exception for NSS_CMSSignerInfo_GetDigestAlgTag - Merge the libfreebl3-hmac and libsoftokn3-hmac packages into the respective libraries. (bsc#1185116) update to NSS 3.89.1 * Update the technical constraints for KamuSM. * Add BJCA Global Root CA1 and CA2 root certificates. update to NSS 3.89 * revert freebl/softoken RSA_MIN_MODULUS_BITS increase * PR_STATIC_ASSERT is cursed * Need to add policy control to keys lengths for signatures * Fix unreachable code warning in fuzz builds * Fix various compiler warnings in NSS * Enable various compiler warnings for clang builds * set PORT error after sftk_HMACCmp failure * Need to add policy control to keys lengths for signatures * remove data length assertion in sec_PKCS7Decrypt * Make high tag number assertion failure an error * CKM_SHA384_KEY_DERIVATION correction maximum key length from 284 to 384 * Tolerate certificate_authorities xtn in ClientHello * Fix build failure on Windows * migrate Win 2012 tasks to Azure * fix title length in doc * Add interop tests for HRR and PSK to GREASE suite * Add presence/absence tests for TLS GREASE * Correct addition of GREASE value to ALPN xtn * CH extension permutation * TLS GREASE (RFC8701) * improve handling of unknown PKCS#12 safe bag types * use a different treeherder symbol for each docker image build task * remove nested table in rst doc * Export NSS_CMSSignerInfo_GetDigestAlgTag * build failure while implicitly casting SECStatus to PRUInt32 update to NSS 3.88.1 * improve handling of unknown PKCS#12 safe bag types update to NSS 3.88 * remove nested table in rst doc * Export NSS_CMSSignerInfo_GetDigestAlgTag. * build failure while implicitly casting SECStatus to PRUInt32 * Add check for ClientHello SID max length * Added EarlyData ALPN test support to BoGo shim * ECH client - Discard resumption TLS < 1.3 Session(IDs|Tickets) if ECH configs are setup * On HRR skip PSK incompatible with negotiated ciphersuites hash algorithm * ECH client: Send ech_required alert on server negotiating TLS 1.2. Fixed misleading Gtest, enabled corresponding BoGo test * Added Bogo ECH rejection test support * Added ECH 0Rtt support to BoGo shim * RSA OAEP Wycheproof JSON * RSA decrypt Wycheproof JSON * ECDSA Wycheproof JSON * ECDH Wycheproof JSON * PKCS#1v1.5 wycheproof json * Use X25519 wycheproof json * Move scripts to python3 * Properly link FuzzingEngine for oss-fuzz. * Extending RSA-PSS bltest test coverage (Adding SHA-256 and SHA-384) * NSS needs to move off of DSA for integrity checks * Add initial testing with ACVP vector sets using acvp-rust * Don't clone libFuzzer, rely on clang instead update to NSS 3.87 * NULL password encoding incorrect * Fix rng stub signature for fuzzing builds * Updating the compiler parsing for build * Modification of supported compilers * tstclnt crashes when accessing gnutls server without a user cert in the database. * Add configuration option to enable source-based coverage sanitizer * Update ECCKiila generated files. * Add support for the LoongArch 64-bit architecture * add checks for zero-length RSA modulus to avoid memory errors and failed assertions later * Additional zero-length RSA modulus checks update to NSS 3.86 * conscious language removal in NSS * Set nssckbi version number to 2.60 * Set CKA_NSS_SERVER_DISTRUST_AFTER and CKA_NSS_EMAIL_DISTRUST_AFTER for 3 TrustCor Root Certificates * Remove Staat der Nederlanden EV Root CA from NSS * Remove EC-ACC root cert from NSS * Remove SwissSign Platinum CA - G2 from NSS * Remove Network Solutions Certificate Authority * compress docker image artifact with zstd * Migrate nss from AWS to GCP * Enable static builds in the CI * Removing SAW docker from the NSS build system * Initialising variables in the rsa blinding code * Implementation of the double-signing of the message for ECDSA * Adding exponent blinding for RSA. update to NSS 3.85 * Modification of the primes.c and dhe-params.c in order to have better looking tables * Update zlib in NSS to 1.2.13 * Skip building modutil and shlibsign when building in Firefox * Mark _nss_version_c unused on clang-cl * bmo#1795668 - Remove redundant variable definitions in lowhashtest * Add note about python executable to build instructions. update to NSS 3.84 * Bump minimum NSPR version to 4.35 * Add a flag to disable building libnssckbi. update to NSS 3.83 * Remove set-but-unused variables from SEC_PKCS12DecoderValidateBags * Set nssckbi version number to 2.58 * Add two SECOM root certificates to NSS * Add two DigitalSign root certificates to NSS * Remove Camerfirma Global Chambersign Root from NSS * Added bug reference and description to disabled UnsolicitedServerNameAck bogo ECH test * Removed skipping of ECH on equality of private and public server name * Added comment and bug reference to ECHRandomHRRExtension bogo test * Added Bogo shim client HRR test support. Fixed overwriting of CHInner.random on HRR * Added check for server only sending ECH extension with retry configs in EncryptedExtensions and if not accepting ECH. Changed config setting behavior to skip configs with unsupported mandatory extensions instead of failing * Added ECH client support to BoGo shim. Changed CHInner creation to skip TLS 1.2 only extensions to comply with BoGo * Added ECH server support to BoGo shim. Fixed NSS ECH server accept_confirmation bugs * Update BoGo tests to recent BoringSSL version * Bump minimum NSPR version to 4.34.1 update to NSS 3.82 * check for null template in sec_asn1{d,e}_push_state * QuickDER: Forbid NULL tags with non-zero length * Initialize local variables in TlsConnectTestBase::ConnectAndCheckCipherSuite * Cast the result of GetProcAddress * pk11wrap: Tighten certificate lookup based on PKCS #11 URI. update to NSS 3.81 * Enable aarch64 hardware crypto support on OpenBSD * make NSS_SecureMemcmp 0/1 valued * Add no_application_protocol alert handler and test client error code is set * Gracefully handle null nickname in CERT_GetCertNicknameWithValidity * required for Firefox 104 - raised NSPR requirement to 4.34.1 - changing some Requires from (pre) to generic as (pre) is not sufficient (bsc#1202118) update to NSS 3.80 * Fix SEC_ERROR_ALGORITHM_MISMATCH entry in SECerrs.h. * Add support for asynchronous client auth hooks. * nss-policy-check: make unknown keyword check optional. * GatherBuffer: Reduced plaintext buffer allocations by allocating it on initialization. Replaced redundant code with assert. Debug builds: Added buffer freeing/allocation for each record. * Mark 3.79 as an ESR release. * Bump nssckbi version number for June. * Remove Hellenic Academic 2011 Root. * Add E-Tugra Roots. * Add Certainly Roots. * Add DigitCert Roots. * Protect SFTKSlot needLogin with slotLock. * Compare signature and signatureAlgorithm fields in legacy certificate verifier. * Uninitialized value in cert_VerifyCertChainOld. * Unchecked return code in sec_DecodeSigAlg. * Uninitialized value in cert_ComputeCertType. * Avoid data race on primary password change. * Replace ppc64 dcbzl intrinisic. * Allow LDFLAGS override in makefile builds. ----------------------------------------- Version Build5.8.631-4-Build5.8.631 2023-07-18T09:00:24 ----------------------------------------- Patch: SUSE-2023-2855 Released: Mon Jul 17 16:35:21 2023 Summary: Recommended update for openldap2 Severity: moderate References: 1212260 Description: This update for openldap2 fixes the following issues: - libldap2 crashes on ldap_sasl_bind_s (bsc#1212260) ----------------------------------------- Version Build5.8.634-4-Build5.8.634 2023-07-21T09:26:56 ----------------------------------------- Patch: SUSE-2023-2918 Released: Thu Jul 20 12:00:17 2023 Summary: Recommended update for gpgme Severity: moderate References: 1089497 Description: This update for gpgme fixes the following issues: gpgme: - Address failure handling issues when using gpg 2.2.6 via gpgme, as used by libzypp (bsc#1089497) libassuan: - Version upgrade to 2.5.5 in LTSS to address gpgme new requirements ----------------------------------------- Version Build5.8.639-4-Build5.8.639 2023-07-25T09:00:25 ----------------------------------------- Patch: SUSE-2023-2955 Released: Tue Jul 25 05:22:54 2023 Summary: Recommended update for util-linux Severity: moderate References: 1193015 Description: This update for util-linux fixes the following issues: - Fix memory leak on parse errors in libmount. (bsc#1193015) ----------------------------------------- Version Build5.8.640-4-Build5.8.640 2023-07-25T17:24:34 ----------------------------------------- Patch: SUSE-2023-2956 Released: Tue Jul 25 08:33:38 2023 Summary: Security update for libcap Severity: moderate References: 1211419,CVE-2023-2603 Description: This update for libcap fixes the following issues: - CVE-2023-2603: Fixed an integer overflow or wraparound in libcap/cap_alloc.c:_libcap_strdup() (bsc#1211419). ----------------------------------------- Version Build5.8.641-4-Build5.8.641 2023-07-28T09:00:25 ----------------------------------------- Patch: SUSE-2023-2998 Released: Thu Jul 27 08:39:49 2023 Summary: Recommended update for libdb-4_8 Severity: moderate References: 1099695 Description: This update for libdb-4_8 fixes the following issues: - Fix incomplete license tag (bsc#1099695) ----------------------------------------- Version Build5.8.646-4-Build5.8.646 2023-08-04T09:00:25 ----------------------------------------- Patch: SUSE-2023-3179 Released: Thu Aug 3 13:59:38 2023 Summary: Security update for openssl-1_1 Severity: moderate References: 1201627,1207534,1213487,CVE-2022-4304,CVE-2023-3446 Description: This update for openssl-1_1 fixes the following issues: - CVE-2022-4304: Reworked the fix for the Timing-Oracle in RSA decryption. The previous fix for this timing side channel turned out to cause a severe 2-3x performance regression in the typical use case (bsc#1207534). - CVE-2023-3446: Fixed DH_check() excessive time with over sized modulus (bsc#1213487). - Update further expiring certificates that affect tests [bsc#1201627] ----------------------------------------- Version Build5.8.652-4-Build5.8.652 2023-08-12T09:00:25 ----------------------------------------- Patch: SUSE-2023-3291 Released: Fri Aug 11 12:51:21 2023 Summary: Security update for openssl-1_1 Severity: moderate References: 1213517,1213853,CVE-2023-3817 Description: This update for openssl-1_1 fixes the following issues: - CVE-2023-3817: Fixed a potential DoS due to excessive time spent checking DH q parameter value. (bsc#1213853) ----------------------------------------- Version Build5.8.654-4-Build5.8.654 2023-08-16T17:36:25 ----------------------------------------- Patch: SUSE-2023-3330 Released: Wed Aug 16 08:59:33 2023 Summary: Recommended update for python-pyasn1 Severity: important References: 1207805 Description: This update for python-pyasn1 fixes the following issues: - To avoid users of this package having to recompile bytecode files, change the mtime of any __init__.py. (bsc#1207805) ----------------------------------------- Version Build5.8.662-4-Build5.8.662 2023-08-26T09:03:40 ----------------------------------------- Patch: SUSE-2023-3434 Released: Thu Aug 24 15:05:22 2023 Summary: Security update for krb5 Severity: important References: 1214054,CVE-2023-36054 Description: This update for krb5 fixes the following issues: - CVE-2023-36054: Fixed a DoS that could be triggered by an authenticated remote user. (bsc#1214054) ----------------------------------------- Version Build5.8.664-4-Build5.8.664 2023-08-28T09:03:40 ----------------------------------------- Patch: SUSE-2023-3440 Released: Mon Aug 28 08:57:10 2023 Summary: Security update for gawk Severity: low References: 1214025,CVE-2023-4156 Description: This update for gawk fixes the following issues: - CVE-2023-4156: Fix a heap out of bound read by validating the index into argument list. (bsc#1214025) ----------------------------------------- Version Build5.8.668-4-Build5.8.668 2023-08-29T09:00:25 ----------------------------------------- Patch: SUSE-2023-3466 Released: Tue Aug 29 07:33:16 2023 Summary: Recommended update for icu Severity: moderate References: 1103893,1112183 Description: This update for icu fixes the following issues: - Japanese era Reiwa (bsc#1112183, bsc#1103893, fate570, fate#325570, fate#325419) ----------------------------------------- Version Build5.8.671-4-Build5.8.671 2023-08-30T09:00:25 ----------------------------------------- Patch: SUSE-2023-3472 Released: Tue Aug 29 10:55:16 2023 Summary: Security update for procps Severity: low References: 1214290,CVE-2023-4016 Description: This update for procps fixes the following issues: - CVE-2023-4016: Fixed ps buffer overflow (bsc#1214290). ----------------------------------------- Version Build5.8.673-4-Build5.8.673 2023-09-02T09:00:26 ----------------------------------------- Patch: SUSE-2023-3515 Released: Fri Sep 1 15:54:25 2023 Summary: Recommended update for libzypp, zypper Severity: moderate References: 1158763,1210740,1213231,1213557,1213673 Description: This update for libzypp, zypper fixes the following issues: - Fix occasional isue with downloading very small files (bsc#1213673) - Fix negative ZYPP_LOCK_TIMEOUT not waiting forever (bsc#1213231) - Fix OES synchronization issues when cookie file has mode 0600 (bsc#1158763) - Don't cleanup orphaned dirs if read-only mode was promised (bsc#1210740) - Revised explanation of --force-resolution in man page (bsc#1213557) - Print summary hint if policies were violated due to --force-resolution (bsc#1213557) ----------------------------------------- Version Build5.8.679-4-Build5.8.679 2023-09-13T09:00:32 ----------------------------------------- Patch: SUSE-2023-3590 Released: Tue Sep 12 16:40:53 2023 Summary: Recommended update for mozilla-nss Severity: moderate References: 1176173 Description: This update for mozilla-nss fixes the following issue: - FIPS: Adjust the Diffie-Hellman and Elliptic Curve Diffie-Hellman algorithms to be NIST SP800-56Arev3 compliant (bsc#1176173). ----------------------------------------- Version Build5.8.683-4-Build5.8.683 2023-09-19T09:00:32 ----------------------------------------- Patch: SUSE-2023-3661 Released: Mon Sep 18 21:44:09 2023 Summary: Security update for gcc12 Severity: important References: 1214052,CVE-2023-4039 Description: This update for gcc12 fixes the following issues: - CVE-2023-4039: Fixed incorrect stack protector for C99 VLAs on Aarch64 (bsc#1214052). ----------------------------------------- Version Build5.8.687-4-Build5.8.687 2023-09-20T13:31:18 ----------------------------------------- Patch: SUSE-2023-3698 Released: Wed Sep 20 11:01:15 2023 Summary: Security update for libxml2 Severity: important References: 1214768,CVE-2023-39615 Description: This update for libxml2 fixes the following issues: - CVE-2023-39615: Fixed crafted xml can cause global buffer overflow (bsc#1214768). ----------------------------------------- Version Build5.8.694-4-Build5.8.694 2023-09-28T09:00:30 ----------------------------------------- Patch: SUSE-2023-3804 Released: Wed Sep 27 14:36:04 2023 Summary: Security update for python3 Severity: important References: 1214692,CVE-2023-40217 Description: This update for python3 fixes the following issues: - CVE-2023-40217: Fixed TLS handshake bypass on closed sockets (bsc#1214692). ----------------------------------------- Version Build5.8.697-4-Build5.8.697 2023-10-10T09:00:31 ----------------------------------------- Patch: SUSE-2023-4006 Released: Mon Oct 9 08:35:50 2023 Summary: Recommended update for zypper Severity: moderate References: 1213854,1214292,1214395,1215007 Description: This update for zypper fixes the following issues: - Fix name of the bash completion script (bsc#1215007) - Update notes about failing signature checks (bsc#1214395) - Improve the SIGINT handler to be signal safe (bsc#1214292) - Update to version 1.14.64 - Changed location of bash completion script (bsc#1213854). ----------------------------------------- Version Build5.8.700-4-Build5.8.700 2023-10-11T13:41:56 ----------------------------------------- Patch: SUSE-2023-4025 Released: Tue Oct 10 13:41:02 2023 Summary: Security update for shadow Severity: low References: 1214806,CVE-2023-4641 Description: This update for shadow fixes the following issues: - CVE-2023-4641: Fixed potential password leak (bsc#1214806). ----------------------------------------- Version Build5.8.701-4-Build5.8.701 2023-10-11T18:02:38 ----------------------------------------- Patch: SUSE-2023-4045 Released: Wed Oct 11 09:10:43 2023 Summary: Security update for curl Severity: moderate References: 1215889,CVE-2023-38546 Description: This update for curl fixes the following issues: - CVE-2023-38546: Fixed a cookie injection with none file (bsc#1215889). ----------------------------------------- Patch: SUSE-2023-4047 Released: Wed Oct 11 10:40:26 2023 Summary: Security update for glibc Severity: moderate References: 1215286,1215505,CVE-2023-4813 Description: This update for glibc fixes the following issues: Security issue fixed: - CVE-2023-4813: Fixed a potential use-after-free in gaih_inet() (bsc#1215286, BZ #28931) Other changes: - Added GB18030-2022 charmap (jsc#PED-4908, BZ #30243) - Run vismain only if linker supports protected data symbol (bsc#1215505) ----------------------------------------- Version Build5.8.709-4-Build5.8.709 2023-10-24T09:00:14 ----------------------------------------- Patch: SUSE-2023-4162 Released: Mon Oct 23 15:33:03 2023 Summary: Security update for gcc13 Severity: important References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,CVE-2023-4039 Description: This update for gcc13 fixes the following issues: This update ship the GCC 13.2 compiler suite and its base libraries. The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones. The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module. The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories. To use gcc13 compilers use: - install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages. - override your Makefile to use CC=gcc13, CXX=g++13 and similar overrides for the other languages. For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html Detailed changes: * CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052) - Turn cross compiler to s390x to a glibc cross. [bsc#1214460] - Also handle -static-pie in the default-PIE specs - Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101] - Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427] - Add new x86-related intrinsics (amxcomplexintrin.h). - RISC-V: Add support for inlining subword atomic operations - Use --enable-link-serialization rather that --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver. - Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC. - Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing. - Bump included newlib to version 4.3.0. - Also package libhwasan_preinit.o on aarch64. - Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite. - Package libhwasan_preinit.o on x86_64. - Fixed unwinding on aarch64 with pointer signing. [bsc#1206684] - Enable PRU flavour for gcc13 - update floatn fixinclude pickup to check each header separately (bsc#1206480) - Redo floatn fixinclude pick-up to simply keep what is there. - Bump libgo SONAME to libgo22. - Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers. - Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15. - Depend on at least LLVM 13 for GCN cross compiler. - Update embedded newlib to version 4.2.0 - Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build. ----------------------------------------- Version Build5.8.713-4-Build5.8.713 2023-10-26T15:32:54 ----------------------------------------- Patch: SUSE-2023-4217 Released: Thu Oct 26 12:20:27 2023 Summary: Security update for zlib Severity: moderate References: 1216378,CVE-2023-45853 Description: This update for zlib fixes the following issues: - CVE-2023-45853: Fixed an integer overflow that would lead to a buffer overflow in the minizip subcomponent (bsc#1216378). ----------------------------------------- Version Build5.8.715-4-Build5.8.715 2023-10-27T15:00:36 ----------------------------------------- Patch: SUSE-2023-4226 Released: Fri Oct 27 11:14:10 2023 Summary: Recommended update for openssl-1_1 Severity: moderate References: 1215215 Description: This update for openssl-1_1 fixes the following issues: - Displays 'fips' in the version string (bsc#1215215) ----------------------------------------- Version Build5.8.725-4-Build5.8.725 2023-11-16T17:54:18 ----------------------------------------- Patch: SUSE-2023-4458 Released: Thu Nov 16 14:38:48 2023 Summary: Security update for gcc13 Severity: important References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039 Description: This update for gcc13 fixes the following issues: This update ship the GCC 13.2 compiler suite and its base libraries. The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones. The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module. The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories. To use gcc13 compilers use: - install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages. - override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages. For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html Detailed changes: * CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052) - Work around third party app crash during C++ standard library initialization. [bsc#1216664] - Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427) - Bump included newlib to version 4.3.0. - Update to GCC trunk head (r13-5254-g05b9868b182bb9) - Redo floatn fixinclude pick-up to simply keep what is there. - Turn cross compiler to s390x to a glibc cross. [bsc#1214460] - Also handle -static-pie in the default-PIE specs - Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101] - Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427] - Add new x86-related intrinsics (amxcomplexintrin.h). - RISC-V: Add support for inlining subword atomic operations - Use --enable-link-serialization rather that --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver. - Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC. - Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing. - Bump included newlib to version 4.3.0. - Also package libhwasan_preinit.o on aarch64. - Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite. - Package libhwasan_preinit.o on x86_64. - Fixed unwinding on aarch64 with pointer signing. [bsc#1206684] - Enable PRU flavour for gcc13 - update floatn fixinclude pickup to check each header separately (bsc#1206480) - Redo floatn fixinclude pick-up to simply keep what is there. - Bump libgo SONAME to libgo22. - Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers. - Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15. - Depend on at least LLVM 13 for GCN cross compiler. - Update embedded newlib to version 4.2.0 - Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build. ----------------------------------------- Version Build5.8.727-4-Build5.8.727 2023-11-17T09:00:14 ----------------------------------------- Patch: SUSE-2023-4464 Released: Thu Nov 16 17:56:12 2023 Summary: Security update for libxml2 Severity: moderate References: 1216129,CVE-2023-45322 Description: This update for libxml2 fixes the following issues: - CVE-2023-45322: Fixed a use-after-free in xmlUnlinkNode() in tree.c (bsc#1216129). ----------------------------------------- Version Build5.8.731-4-Build5.8.731 2023-11-22T09:00:15 ----------------------------------------- Patch: SUSE-2023-4512 Released: Tue Nov 21 17:25:02 2023 Summary: Security update for util-linux Severity: important References: 1213865,CVE-2018-7738 Description: This update for util-linux fixes the following issues: - CVE-2018-7738: Fixed shell code injection in umount bash-completions (bsc#1213865). ----------------------------------------- Patch: SUSE-2023-4519 Released: Tue Nov 21 17:39:58 2023 Summary: Security update for openssl-1_1 Severity: important References: 1216922,CVE-2023-5678 Description: This update for openssl-1_1 fixes the following issues: - CVE-2023-5678: Fixed generating and checking of excessively long X9.42 DH keys that resulted in a possible Denial of Service (bsc#1216922). ----------------------------------------- Version Build5.8.732-4-Build5.8.732 2023-11-23T09:54:16 ----------------------------------------- Patch: SUSE-2023-4535 Released: Thu Nov 23 08:17:40 2023 Summary: Recommended update for libzypp, zypper Severity: moderate References: 1041742,1203760,1212422,1215979,1216091 Description: This update for libzypp, zypper fixes the following issues: - Preliminary disable 'rpm --runposttrans' usage for chrooted systems (bsc#1216091) - Fix comment typo on zypp.conf (bsc#1215979) - Attempt to delay %transfiletrigger(postun|in) execution if rpm supports it (bsc#1041742) - Make sure the old target is deleted before a new one is created (bsc#1203760) - Return 104 also if info suggests near matches - Rephrase upgrade message for openSUSE Tumbleweed (bsc#1212422) - commit: Insert a headline to separate output of different rpm scripts (bsc#1041742) ----------------------------------------- Version Build5.8.734-4-Build5.8.734 2023-11-30T09:00:14 ----------------------------------------- Patch: SUSE-2023-4615 Released: Wed Nov 29 20:33:38 2023 Summary: Recommended update for icu Severity: moderate References: 1217472 Description: This update of icu fixes the following issue: - missing 32bit libraries in SLES 15 SP3 were added, required by xerces-c 32bit. ----------------------------------------- Version Build5.8.736-4-Build5.8.736 2023-12-01T09:00:15 ----------------------------------------- Patch: SUSE-2023-4619 Released: Thu Nov 30 10:13:52 2023 Summary: Security update for sqlite3 Severity: important References: 1210660,CVE-2023-2137 Description: This update for sqlite3 fixes the following issues: - CVE-2023-2137: Fixed heap buffer overflow (bsc#1210660). ----------------------------------------- Version Build5.8.741-4-Build5.8.741 2023-12-11T16:20:28 ----------------------------------------- Patch: SUSE-2023-4713 Released: Mon Dec 11 13:23:12 2023 Summary: Security update for curl Severity: moderate References: 1217573,CVE-2023-46218 Description: This update for curl fixes the following issues: - CVE-2023-46218: Fixed cookie mixed case PSL bypass (bsc#1217573). ----------------------------------------- Version Build5.8.744-4-Build5.8.744 2023-12-19T09:00:15 ----------------------------------------- Patch: SUSE-2023-4891 Released: Mon Dec 18 16:31:49 2023 Summary: Security update for ncurses Severity: moderate References: 1201384,1218014,CVE-2023-50495 Description: This update for ncurses fixes the following issues: - CVE-2023-50495: Fixed a segmentation fault via _nc_wrap_entry() (bsc#1218014) - Modify reset command to avoid altering clocal if the terminal uses a modem (bsc#1201384) ----------------------------------------- Version Build5.8.746-4-Build5.8.746 2023-12-25T09:00:15 ----------------------------------------- Patch: SUSE-2023-4963 Released: Fri Dec 22 14:37:08 2023 Summary: Recommended update for curl Severity: important References: 1216987 Description: This update for curl fixes the following issues: - libssh: Implement SFTP packet size limit (bsc#1216987) ----------------------------------------- Version Build5.8.748-4-Build5.8.748 2023-12-29T09:00:16 ----------------------------------------- Patch: SUSE-2023-4986 Released: Thu Dec 28 16:05:33 2023 Summary: Security update for gnutls Severity: moderate References: 1217277,CVE-2023-5981 Description: This update for gnutls fixes the following issues: - CVE-2023-5981: Fixed timing side-channel inside RSA-PSK key exchange (bsc#1217277). ----------------------------------------- Version Build5.8.749-4-Build5.8.749 2024-01-03T09:00:14 ----------------------------------------- Patch: SUSE-2024-11 Released: Tue Jan 2 13:24:52 2024 Summary: Recommended update for procps Severity: moderate References: 1029961,1158830,1206798,1209122 Description: This update for procps fixes the following issues: - Update procps to 3.3.17 (jsc#PED-3244 jsc#PED-6369) - For support up to 2048 CPU as well (bsc#1185417) - Allow `- as leading character to ignore possible errors on systctl entries (bsc#1209122) - Get the first CPU summary correct (bsc#1121753) - Enable pidof for SLE-15 as this is provided by sysvinit-tools - Use a check on syscall __NR_pidfd_open to decide if the pwait tool and its manual page will be build - Do not truncate output of w with option -n - Prefer logind over utmp (jsc#PED-3144) - Don't install translated man pages for non-installed binaries (uptime, kill). - Fix directory for Ukrainian man pages translations. - Move localized man pages to lang package. - Update to procps-ng-3.3.17 * library: Incremented to 8:3:0 (no removals or additions, internal changes only) * all: properly handle utf8 cmdline translations * kill: Pass int to signalled process * pgrep: Pass int to signalled process * pgrep: Check sanity of SG_ARG_MAX * pgrep: Add older than selection * pidof: Quiet mode * pidof: show worker threads * ps.1: Mention stime alias * ps: check also match on truncated 16 char comm names * ps: Add exe output option * ps: A lot more sorting available * pwait: New command waits for a process * sysctl: Match systemd directory order * sysctl: Document directory order * top: ensure config file backward compatibility * top: add command line 'e' for symmetry with 'E' * top: add '4' toggle for two abreast cpu display * top: add '!' toggle for combining multiple cpus * top: fix potential SEGV involving -p switch * vmstat: Wide mode gives wider proc columns * watch: Add environment variable for interval * watch: Add no linewrap option * watch: Support more colors * free,uptime,slabtop: complain about extra ops - Package translations in procps-lang. - Fix pgrep: cannot allocate 4611686018427387903 bytes when ulimit -s is unlimited. - Enable pidof by default - Update to procps-ng-3.3.16 * library: Increment to 8:2:0 No removals or functions Internal changes only, so revision is incremented. Previous version should have been 8:1:0 not 8:0:1 * docs: Use correct symbols for -h option in free.1 * docs: ps.1 now warns about command name length * docs: install translated man pages * pgrep: Match on runstate * snice: Fix matching on pid * top: can now exploit 256-color terminals * top: preserves 'other filters' in configuration file * top: can now collapse/expand forest view children * top: parent %CPU time includes collapsed children * top: improve xterm support for vim navigation keys * top: avoid segmentation fault at program termination * 'ps -C' does not allow anymore an argument longer than 15 characters (bsc#1158830) ----------------------------------------- Version Build5.8.750-4-Build5.8.750 2024-01-05T09:00:14 ----------------------------------------- Patch: SUSE-2024-28 Released: Thu Jan 4 11:18:52 2024 Summary: Recommended update for mozilla-nss Severity: moderate References: 1214980 Description: This update for mozilla-nss fixes the following issues: Mozilla NSS was updated to NSS 3.90.1: * regenerate NameConstraints test certificates. * add OSXSAVE and XCR0 tests to AVX2 detection. ----------------------------------------- Version Build5.8.759-4-Build5.8.759 2024-01-21T09:00:18 ----------------------------------------- Patch: SUSE-2024-136 Released: Thu Jan 18 09:53:47 2024 Summary: Security update for pam Severity: moderate References: 1217000,1218475,CVE-2024-22365 Description: This update for pam fixes the following issues: - CVE-2024-22365: Fixed a local denial of service during PAM login due to a missing check during path manipulation (bsc#1218475). - Check localtime_r() return value to fix crashing (bsc#1217000) ----------------------------------------- Version Build5.8.767-4-Build5.8.767 2024-02-09T09:00:14 ----------------------------------------- Patch: SUSE-2024-425 Released: Thu Feb 8 12:39:27 2024 Summary: Recommended update for python-argcomplete Severity: moderate References: 1219305 Description: This update for python-argcomplete fixes the following issues: - Use update-alternatives for package binaries to avoid conflict with python311 stack (bsc#1219305) ----------------------------------------- Version Build5.8.773-4-Build5.8.773 2024-02-14T09:00:14 ----------------------------------------- Patch: SUSE-2024-461 Released: Tue Feb 13 15:30:06 2024 Summary: Security update for libxml2 Severity: moderate References: 1219576,CVE-2024-25062 Description: This update for libxml2 fixes the following issues: - CVE-2024-25062: Fixed use-after-free in XMLReader (bsc#1219576). ----------------------------------------- Version Build5.8.775-4-Build5.8.775 2024-02-15T09:00:14 ----------------------------------------- Patch: SUSE-2024-464 Released: Wed Feb 14 09:21:25 2024 Summary: Security update for python3 Severity: moderate References: 1210638,1214691,CVE-2022-48566,CVE-2023-27043 Description: This update for python3 fixes the following issues: - CVE-2023-27043: Fixed incorrectly parses e-mail addresses which contain a special character (bsc#1210638). - CVE-2022-48566: Use CRYPTO_memcmp() for compare_digest (bsc#1214691). ----------------------------------------- Version Build5.8.778-4-Build5.8.778 2024-02-21T17:36:32 ----------------------------------------- Patch: SUSE-2024-579 Released: Wed Feb 21 11:44:41 2024 Summary: Security update for mozilla-nss Severity: important References: 1216198,CVE-2023-5388 Description: This update for mozilla-nss fixes the following issues: Update to NSS 3.90.2: - CVE-2023-5388: Fixed timing attack against RSA decryption in TLS (bsc#1216198) ----------------------------------------- Version Build5.8.778-4-Build5.8.778 2024-02-22T09:00:15 ----------------------------------------- Patch: SUSE-2024-43 Released: Fri Jan 5 14:49:13 2024 Summary: Recommended update for libsolv, zypper, libzypp Severity: moderate References: 1212160,1215294,1216412,1217593,1217873,1218291 Description: This update for libsolv, zypper, libzypp fixes the following issues: - Expand RepoVars in URLs downloading a .repo file (bsc#1212160) - Fix search/info commands ignoring --ignore-unknown (bsc#1217593) - CheckAccessDeleted: fix 'running in container' filter (bsc#1218291) - Open rpmdb just once during execution of %posttrans scripts (bsc#1216412) - Make sure reboot-needed is remembered until next boot (bsc#1217873) - Stop using boost version 1 timer library (bsc#1215294) - Updated to version 0.7.27 - Add zstd support for the installcheck tool - Add putinowndirpool cache to make file list handling in repo_write much faster - Do not use deprecated headerUnload with newer rpm versions - Support complex deps in SOLVABLE_PREREQ_IGNOREINST - Fix minimization not prefering installed packages in some cases - Reduce memory usage in repo_updateinfoxml - Fix lock-step interfering with architecture selection - Fix choice rule handing for package downgrades - Fix complex dependencies with an 'else' part sometimes leading to unsolved dependencies ----------------------------------------- Patch: SUSE-2024-475 Released: Wed Feb 14 19:08:44 2024 Summary: Recommended update for libsolv Severity: important References: 1215698,1218782,1218831,1219442 Description: This update for libsolv, libzypp fixes the following issues: - build for multiple python versions [jsc#PED-6218] - applydeltaprm: Create target directory if it does not exist (bsc#1219442) - Fix problems with EINTR in ExternalDataSource::getline (bsc#1215698) - CheckAccessDeleted: fix running_in_container detection (bsc#1218782) - Detect CURLOPT_REDIR_PROTOCOLS_STR availability at runtime (bsc#1218831) ----------------------------------------- Patch: SUSE-2024-525 Released: Mon Feb 19 08:03:59 2024 Summary: Security update for libssh Severity: important References: 1158095,1168699,1174713,1189608,1211188,1211190,1218126,1218186,1218209,CVE-2019-14889,CVE-2020-16135,CVE-2020-1730,CVE-2021-3634,CVE-2023-1667,CVE-2023-2283,CVE-2023-48795,CVE-2023-6004,CVE-2023-6918 Description: This update for libssh fixes the following issues: Update to version 0.9.8 (jsc#PED-7719): * Fix CVE-2023-6004: Command injection using proxycommand (bsc#1218209) * Fix CVE-2023-48795: Potential downgrade attack using strict kex (bsc#1218126) * Fix CVE-2023-6918: Missing checks for return values of MD functions (bsc#1218186) * Allow @ in usernames when parsing from URI composes Update to version 0.9.7: * Fix CVE-2023-1667: a NULL dereference during rekeying with algorithm guessing (bsc#1211188) * Fix CVE-2023-2283: a possible authorization bypass in pki_verify_data_signature under low-memory conditions (bsc#1211190) * Fix several memory leaks in GSSAPI handling code Update to version 0.9.6 (bsc#1189608, CVE-2021-3634): * https://git.libssh.org/projects/libssh.git/tag/?h=libssh-0.9.6 Update to 0.9.5 (bsc#1174713, CVE-2020-16135): * CVE-2020-16135: Avoid null pointer dereference in sftpserver (T232) * Improve handling of library initialization (T222) * Fix parsing of subsecond times in SFTP (T219) * Make the documentation reproducible * Remove deprecated API usage in OpenSSL * Fix regression of ssh_channel_poll_timeout() returning SSH_AGAIN * Define version in one place (T226) * Prevent invalid free when using different C runtimes than OpenSSL (T229) * Compatibility improvements to testsuite Update to version 0.9.4 * https://www.libssh.org/2020/04/09/libssh-0-9-4-and-libssh-0-8-9-security-release/ * Fix possible Denial of Service attack when using AES-CTR-ciphers CVE-2020-1730 (bsc#1168699) Update to version 0.9.3 * Fixed CVE-2019-14889 - SCP: Unsanitized location leads to command execution (bsc#1158095) * SSH-01-003 Client: Missing NULL check leads to crash in erroneous state * SSH-01-006 General: Various unchecked Null-derefs cause DOS * SSH-01-007 PKI Gcrypt: Potential UAF/double free with RSA pubkeys * SSH-01-010 SSH: Deprecated hash function in fingerprinting * SSH-01-013 Conf-Parsing: Recursive wildcards in hostnames lead to DOS * SSH-01-014 Conf-Parsing: Integer underflow leads to OOB array access * SSH-01-001 State Machine: Initial machine states should be set explicitly * SSH-01-002 Kex: Differently bound macros used to iterate same array * SSH-01-005 Code-Quality: Integer sign confusion during assignments * SSH-01-008 SCP: Protocol Injection via unescaped File Names * SSH-01-009 SSH: Update documentation which RFCs are implemented * SSH-01-012 PKI: Information leak via uninitialized stack buffer Update to version 0.9.2 * Fixed libssh-config.cmake * Fixed issues with rsa algorithm negotiation (T191) * Fixed detection of OpenSSL ed25519 support (T197) Update to version 0.9.1 * Added support for Ed25519 via OpenSSL * Added support for X25519 via OpenSSL * Added support for localuser in Match keyword * Fixed Match keyword to be case sensitive * Fixed compilation with LibreSSL * Fixed error report of channel open (T75) * Fixed sftp documentation (T137) * Fixed known_hosts parsing (T156) * Fixed build issue with MinGW (T157) * Fixed build with gcc 9 (T164) * Fixed deprecation issues (T165) * Fixed known_hosts directory creation (T166) - Split out configuration to separate package to not mess up the library packaging and coinstallation Update to verion 0.9.0 * Added support for AES-GCM * Added improved rekeying support * Added performance improvements * Disabled blowfish support by default * Fixed several ssh config parsing issues * Added support for DH Group Exchange KEX * Added support for Encrypt-then-MAC mode * Added support for parsing server side configuration file * Added support for ECDSA/Ed25519 certificates * Added FIPS 140-2 compatibility * Improved known_hosts parsing * Improved documentation * Improved OpenSSL API usage for KEX, DH, and signatures - Add libssh client and server config files ----------------------------------------- Version Build5.8.781-4-Build5.8.781 2024-02-27T09:50:42 ----------------------------------------- Patch: SUSE-2024-615 Released: Mon Feb 26 11:32:32 2024 Summary: Recommended update for netcfg Severity: moderate References: 1211886 Description: This update for netcfg fixes the following issues: - Add krb-prop entry (bsc#1211886) ----------------------------------------- Version Build5.8.789-4-Build5.8.789 2024-03-08T09:00:15 ----------------------------------------- Patch: SUSE-2024-792 Released: Thu Mar 7 09:55:23 2024 Summary: Recommended update for timezone Severity: moderate References: Description: This update for timezone fixes the following issues: - Update to version 2024a - Kazakhstan unifies on UTC+5 - Palestine springs forward a week later than previously predicted in 2024 and 2025 - Asia/Ho_Chi_Minh's 1955-07-01 transition occurred at 01:00 not 00:00 - From 1947 through 1949, Toronto's transitions occurred at 02:00 not 00:00 - In 1911 Miquelon adopted standard time on June 15, not May 15 - The FROM and TO columns of Rule lines can no longer be 'minimum' - localtime no longer mishandle some timestamps - strftime %s now uses tm_gmtoff if available - Ittoqqortoormiit, Greenland changes time zones on 2024-03-31 - Vostok, Antarctica changed time zones on 2023-12-18 - Casey, Antarctica changed time zones five times since 2020 - Code and data fixes for Palestine timestamps starting in 2072 - A new data file zonenow.tab for timestamps starting now - Much of Greenland changed its standard time from -03 to -02 on 2023-03-25 - localtime.c no longer mishandles TZif files that contain a single transition into a DST regime - tzselect no longer creates temporary files - tzselect no longer mishandles the following: * Spaces and most other special characters in BUGEMAIL, PACKAGE, TZDIR, and VERSION. * TZ strings when using mawk 1.4.3, which mishandles regular expressions of the form /X{2,}/ * ISO 6709 coordinates when using an awk that lacks the GNU extension of newlines in -v option-arguments * Non UTF-8 locales when using an iconv command that lacks the GNU //TRANSLIT extension * zic no longer mishandles data for Palestine after the year 2075 ----------------------------------------- Version Build5.8.791-4-Build5.8.791 2024-03-09T09:00:15 ----------------------------------------- Patch: SUSE-2024-824 Released: Fri Mar 8 17:34:36 2024 Summary: Security update for cpio Severity: moderate References: 1218571,1219238,CVE-2023-7207 Description: This update for cpio fixes the following issues: - CVE-2023-7207: Fixed path traversal vulnerability (bsc#1218571, bsc#1219238) ----------------------------------------- Version Build5.8.795-4-Build5.8.795 2024-03-11T16:55:22 ----------------------------------------- Patch: SUSE-2024-832 Released: Mon Mar 11 10:30:30 2024 Summary: Security update for openssl-1_1 Severity: moderate References: 1219243,CVE-2024-0727 Description: This update for openssl-1_1 fixes the following issues: - CVE-2024-0727: Denial of service when processing a maliciously formatted PKCS12 file (bsc#1219243). ----------------------------------------- Version Build5.8.796-4-Build5.8.796 2024-03-13T09:00:15 ----------------------------------------- Patch: SUSE-2024-850 Released: Tue Mar 12 16:18:02 2024 Summary: Security update for python3 Severity: important References: 1219666,CVE-2023-6597 Description: This update for python3 fixes the following issues: - CVE-2023-6597: Fixed symlink bug in cleanup of tempfile.TemporaryDirectory (bsc#1219666). ----------------------------------------- Version Build5.8.797-4-Build5.8.797 2024-03-14T09:00:14 ----------------------------------------- Patch: SUSE-2024-860 Released: Wed Mar 13 08:45:21 2024 Summary: Security update for gnutls Severity: moderate References: 1218865,CVE-2023-5981,CVE-2024-0553 Description: This update for gnutls fixes the following issues: - CVE-2024-0553: Fixed insufficient mitigation for side channel attack in RSA-PSK, aka CVE-2023-5981 (bsc#1218865). ----------------------------------------- Version Build5.8.806-4-Build5.8.806 2024-03-27T09:00:19 ----------------------------------------- Patch: SUSE-2024-999 Released: Tue Mar 26 14:03:42 2024 Summary: Security update for krb5 Severity: important References: 1220770,1220771,CVE-2024-26458,CVE-2024-26461 Description: This update for krb5 fixes the following issues: - CVE-2024-26458: Fixed memory leak at /krb5/src/lib/rpc/pmap_rmt.c (bsc#1220770). - CVE-2024-26461: Fixed memory leak at /krb5/src/lib/gssapi/krb5/k5sealv3.c (bsc#1220771). ----------------------------------------- Version Build5.8.813-4-Build5.8.813 2024-04-04T09:00:18 ----------------------------------------- Patch: SUSE-2024-1106 Released: Wed Apr 3 15:33:00 2024 Summary: Security update for util-linux Severity: important References: 1194642,1207987,1221831,CVE-2024-28085 Description: This update for util-linux fixes the following issues: - CVE-2024-28085: Properly neutralize escape sequences in wall. (bsc#1221831) - Prevent error message if `/var/lib/libuuid/clock.txt` does not exist (bsc#1194642) - Fixed performance degradation (bsc#1207987) ----------------------------------------- Version Build5.8.815-4-Build5.8.815 2024-04-06T09:00:19 ----------------------------------------- Patch: SUSE-2024-1120 Released: Fri Apr 5 14:03:46 2024 Summary: Security update for curl Severity: moderate References: 1221665,1221667,CVE-2024-2004,CVE-2024-2398 Description: This update for curl fixes the following issues: - CVE-2024-2004: Fix the uUsage of disabled protocol logic. (bsc#1221665) - CVE-2024-2398: Fix HTTP/2 push headers memory-leak. (bsc#1221667) ----------------------------------------- Version Build5.8.819-4-Build5.8.819 2024-04-09T09:00:18 ----------------------------------------- Patch: SUSE-2024-1133 Released: Mon Apr 8 11:29:02 2024 Summary: Security update for ncurses Severity: moderate References: 1220061,CVE-2023-45918 Description: This update for ncurses fixes the following issues: - CVE-2023-45918: Fixed NULL pointer dereference via corrupted xterm-256color file (bsc#1220061). ----------------------------------------- Version Build5.8.821-4-Build5.8.821 2024-04-11T15:42:09 ----------------------------------------- Patch: SUSE-2024-1202 Released: Thu Apr 11 10:49:34 2024 Summary: Recommended update for libzypp, zypper, PackageKit Severity: moderate References: 1175678,1218171,1218544,1221525,CVE-2024-0217 Description: This update for libzypp, zypper, PackageKit fixes the following issues: - Fixup New VendorSupportOption flag VendorSupportSuperseded (jsc#OBS-301, jsc#PED-8014) - CVE-2024-0217: Check that Finished signal is emitted at most once (bsc#1218544) - Add resolver option 'removeOrphaned' for distupgrade (bsc#1221525) - New VendorSupportOption flag VendorSupportSuperseded (jsc#OBS-301, jsc#PED-8014) - Add default stripe minimum - Don't expose std::optional where YAST/PK explicitly use c++11. - Digest: Avoid using the deprecated OPENSSL_config - version 17.32.0 - ProblemSolution::skipsPatchesOnly overload to handout the patches - Show active dry-run/download-only at the commit propmpt - Add --skip-not-applicable-patches option - Fix printing detailed solver problem description - Fix bash-completion to work with right adjusted numbers in the 1st column too - Set libzypp shutdown request signal on Ctrl+C - In the detailed view show all baseurls not just the first one (bsc#1218171) ----------------------------------------- Version Build5.8.825-4-Build5.8.825 2024-04-16T09:00:18 ----------------------------------------- Patch: SUSE-2024-1253 Released: Fri Apr 12 08:15:18 2024 Summary: Recommended update for gcc13 Severity: moderate References: 1210959,1214934,1217450,1217667,1218492,1219031,1219520,1220724,1221239 Description: This update for gcc13 fixes the following issues: - Fix unwinding for JIT code. [bsc#1221239] - Revert libgccjit dependency change. [bsc#1220724] - Remove crypt and crypt_r interceptors. The crypt API change in SLE15 SP3 breaks them. [bsc#1219520] - Add support for -fmin-function-alignment. [bsc#1214934] - Use %{_target_cpu} to determine host and build. - Fix for building TVM. [bsc#1218492] - Add cross-X-newlib-devel requires to newlib cross compilers. [bsc#1219031] - Package m2rte.so plugin in the gcc13-m2 sub-package rather than in gcc13-devel. [bsc#1210959] - Require libstdc++6-devel-gcc13 from gcc13-m2 as m2 programs are linked against libstdc++6. - Fixed building mariadb on i686. [bsc#1217667] - Avoid update-alternatives dependency for accelerator crosses. - Package tool links to llvm in cross-amdgcn-gcc13 rather than in cross-amdgcn-newlib13-devel since that also has the dependence. - Depend on llvmVER instead of llvm with VER equal to %product_libs_llvm_ver where available and adjust tool discovery accordingly. This should also properly trigger re-builds when the patchlevel version of llvmVER changes, possibly changing the binary names we link to. [bsc#1217450] ----------------------------------------- Patch: SUSE-2024-1254 Released: Fri Apr 12 08:18:48 2024 Summary: Recommended update for python3 Severity: moderate References: 1222109 Description: This update for python3 fixes the following issue: - Fix syslog making default 'ident' from sys.argv (bsc#1222109) ----------------------------------------- Version Build5.8.833-4-Build5.8.833 2024-04-25T09:00:18 ----------------------------------------- Patch: SUSE-2024-1433 Released: Wed Apr 24 21:41:41 2024 Summary: Recommended update for libzypp, zypper Severity: moderate References: 1221525,1221963,1222086,1222398,1223094 Description: This update for libzypp, zypper fixes the following issues: - Fix creation of sibling cache dirs with too restrictive mode (bsc#1222398) - Don't try to refresh volatile media as long as raw metadata are present (bsc#1223094) - Update RepoStatus fromCookieFile according to the files mtime (bsc#1222086) - TmpFile: Don't call chmod if makeSibling failed - Do not try to refresh repo metadata as non-root user (bsc#1222086) - man: Explain how to protect orphaned packages by collecting them in a plaindir repo - packages: Add --autoinstalled and --userinstalled options to list them - Don't print 'reboot required' message if download-only or dry-run - Resepect zypper.conf option `showAlias` search commands (bsc#1221963) - dup: New option --remove-orphaned to remove all orphaned packages in dup (bsc#1221525) ----------------------------------------- Version Build5.8.843-4-Build5.8.843 2024-05-15T09:00:19 ----------------------------------------- Patch: SUSE-2024-1630 Released: Tue May 14 09:20:44 2024 Summary: Security update for perl Severity: important References: 1047178,1082216,1082233,1210999,CVE-2017-6512,CVE-2018-6798,CVE-2018-6913,CVE-2023-31484 Description: This update for perl fixes the following issues: Security issues fixed: - CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216) - CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233) - CVE-2023-31484: Enabled TLS certificate verification in CPAN (bsc#1210999) - CVE-2017-6512: Fixed File::Path rmtree/remove_tree race condition (bsc#1047178) ----------------------------------------- Patch: SUSE-2024-1631 Released: Tue May 14 10:03:50 2024 Summary: Recommended update for python-argcomplete and python-Twisted Severity: moderate References: 1224109 Description: This update for python-argcomplete and python-Twisted fixes the following issue: - Fix update-alternatives (bsc#1224109) ----------------------------------------- Patch: SUSE-2024-1633 Released: Tue May 14 11:35:56 2024 Summary: Security update for openssl-1_1 Severity: moderate References: 1222548,CVE-2024-2511 Description: This update for openssl-1_1 fixes the following issues: - CVE-2024-2511: Fixed unconstrained session cache growth in TLSv1.3 (bsc#1222548). ----------------------------------------- Version Build5.8.846-4-Build5.8.846 2024-05-25T09:00:18 ----------------------------------------- Patch: SUSE-2024-1774 Released: Fri May 24 15:20:34 2024 Summary: Security update for python3 Severity: important References: 1219559,1220664,1221563,1221854,1222075,CVE-2023-52425,CVE-2024-0450 Description: This update for python3 fixes the following issues: - CVE-2023-52425: Fixed backport so it uses features sniffing, not just comparing version number (bsc#1219559). - CVE-2024-0450: Fixed detecting the vulnerability of 'quoted-overlap' zipbomb (bsc#1221854). ----------------------------------------- Version Build5.8.852-4-Build5.8.852 2024-06-04T09:43:00 ----------------------------------------- Patch: SUSE-2024-1903 Released: Mon Jun 3 15:58:29 2024 Summary: Recommended update for mozilla-nss Severity: moderate References: 1223724 Description: This update for mozilla-nss fixes the following issues: - Fixed startup crash of Firefox when using FIPS-mode (bsc#1223724). - Added 'Provides: nss' so other RPMs that require 'nss' can be installed (jsc#PED-6358). ----------------------------------------- Version Build5.8.855-4-Build5.8.855 2024-06-12T09:00:19 ----------------------------------------- Patch: SUSE-2024-1977 Released: Tue Jun 11 09:40:51 2024 Summary: Security update for glibc Severity: important References: 1222992,1223423,1223424,1223425,CVE-2024-2961,CVE-2024-33599,CVE-2024-33600,CVE-2024-33601,CVE-2024-33602 Description: This update for glibc fixes the following issues: - nscd: Release read lock after resetting timeout - nscd: Fix use-after-free in addgetnetgrentX (BZ #23520) - CVE-2024-33599; nscd: Stack-based buffer overflow in netgroup cache (bsc#1223423, BZ #31677) - CVE-2024-33600; nscd: Avoid null pointer crashes after notfound response (bsc#1223424, BZ #31678) - CVE-2024-33600: nscd: Do not send missing not-found response in addgetnetgrentX (bsc#1223424, BZ #31678) - CVE-2024-33601, CVE-2024-33602: netgroup: Use two buffers in addgetnetgrentX (bsc#1223425, BZ #31680) - CVE-2024-33602: Use time_t for return type of addgetnetgrentX (bsc#1223425) - CVE-2024-2961: iconv: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence (bsc#1222992) ----------------------------------------- Version Build5.8.856-4-Build5.8.856 2024-06-13T09:00:21 ----------------------------------------- Patch: SUSE-2024-2009 Released: Wed Jun 12 13:47:43 2024 Summary: Security update for curl Severity: moderate References: 1219273,CVE-2023-27534 Description: This update for curl fixes the following issues: - CVE-2023-27534: Properly resolve ~ when used in a SFTP path. (bsc#1219273) ----------------------------------------- Version Build5.8.857-4-Build5.8.857 2024-06-18T09:00:21 ----------------------------------------- Patch: SUSE-2024-2035 Released: Mon Jun 17 09:29:26 2024 Summary: Security update for openssl-1_1 Severity: important References: 1225551,CVE-2024-4741 Description: This update for openssl-1_1 fixes the following issues: - CVE-2024-4741: Fixed a use-after-free with SSL_free_buffers. (bsc#1225551) ----------------------------------------- Version Build5.8.859-4-Build5.8.859 2024-06-19T11:23:36 ----------------------------------------- Patch: 33666 Released: Wed Jun 19 08:36:51 2024 Summary: Recommended update for libsolv, libzypp, zypper Severity: important References: 1222086,1223430,1223766 Description: This update for libsolv, libzypp, zypper fixes the following issues: - Improve updating of installed multiversion packages - Fix decision introspection going into an endless loop in some cases - Split libsolv-tools into libsolv-tools-base [jsc#PED-8153] - Improve checks against corrupt rpm - Fixed check for outdated repo metadata as non-root user (bsc#1222086) - Add ZYPP_API for exported functions and switch to visibility=hidden (jsc#PED-8153) - Dynamically resolve libproxy (jsc#PED-8153) - Fix download from gpgkey URL (bsc#1223430) - Delay zypp lock until command options are parsed (bsc#1223766) - Unify message format ----------------------------------------- Version Build5.8.861-4-Build5.8.861 2024-06-19T15:33:39 ----------------------------------------- Patch: SUSE-2024-2086 Released: Wed Jun 19 11:48:24 2024 Summary: Recommended update for gcc13 Severity: moderate References: 1188441 Description: This update for gcc13 fixes the following issues: Update to GCC 13.3 release - Removed Fiji support from the GCN offload compiler as that is requiring Code Object version 3 which is no longer supported by llvm18. - Avoid combine spending too much compile-time and memory doing nothing on s390x. [bsc#1188441] - Make requirement to lld version specific to avoid requiring the meta-package. ----------------------------------------- Version Build5.8.864-4-Build5.8.864 2024-07-01T09:00:21 ----------------------------------------- Patch: SUSE-2024-2247 Released: Sun Jun 30 15:21:38 2024 Summary: Security update for glib2 Severity: low References: 1224044,CVE-2024-34397 Description: This update for glib2 fixes the following issues: - CVE-2024-34397: Fixed signal subscription unicast spoofing vulnerability (bsc#1224044). ----------------------------------------- Version Build5.8.865-4-Build5.8.865 2024-07-02T09:00:21 ----------------------------------------- Patch: SUSE-2024-2249 Released: Mon Jul 1 14:04:23 2024 Summary: Security update for python39 Severity: moderate References: 1226447,1226448,CVE-2024-0397,CVE-2024-4032 Description: This update for python39 fixes the following issues: - CVE-2024-4032: Rearranging definition of private v global IP. (bsc#1226448) - CVE-2024-0397: Remove a memory race condition in ssl.SSLContext certificate store methods. (bsc#1226447) ----------------------------------------- Version Build5.8.866-4-Build5.8.866 2024-07-02T12:45:50 ----------------------------------------- Patch: SUSE-2024-2267 Released: Tue Jul 2 10:33:36 2024 Summary: Security update for libxml2 Severity: low References: 1224282,CVE-2024-34459 Description: This update for libxml2 fixes the following issues: - CVE-2024-34459: Fixed buffer over-read in xmlHTMLPrintFileContext in xmllint.c (bsc#1224282). ----------------------------------------- Version Build5.8.869-4-Build5.8.869 2024-07-05T09:00:22 ----------------------------------------- Patch: SUSE-2024-2305 Released: Fri Jul 5 00:13:02 2024 Summary: Security update for krb5 Severity: important References: 1227186,1227187,CVE-2024-37370,CVE-2024-37371 Description: This update for krb5 fixes the following issues: - CVE-2024-37370: Fixed confidential GSS krb5 wrap tokens with invalid fields were errouneously accepted (bsc#1227186). - CVE-2024-37371: Fixed invalid memory read when processing message tokens with invalid length fields (bsc#1227187). ----------------------------------------- Version Build5.8.871-4-Build5.8.871 2024-07-09T09:00:22 ----------------------------------------- Patch: SUSE-2024-2310 Released: Mon Jul 8 09:15:35 2024 Summary: Recommended update for libssh Severity: moderate References: 1227396 Description: This update for libssh fixes the following issue: - Fix regression parsing IPv6 addresses provided as hostname (bsc#1227396) ----------------------------------------- Version Build5.8.874-4-Build5.8.874 2024-07-15T17:16:00 ----------------------------------------- Patch: SUSE-2024-2482 Released: Mon Jul 15 12:34:22 2024 Summary: Recommended update for mozilla-nss Severity: moderate References: Description: This update for mozilla-nss fixes the following issues: Update to NSS 3.90.3 * GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME. * clean up escape handling. * remove redundant AllocItem implementation. * Disable ASM support for Curve25519. * Disable ASM support for Curve25519 for all but X86_64. ----------------------------------------- Version Build5.8.877-4-Build5.8.877 2024-07-24T09:00:19 ----------------------------------------- Patch: SUSE-2024-2600 Released: Tue Jul 23 09:15:51 2024 Summary: Security update for mozilla-nss Severity: moderate References: 1214980,1222804,1222807,1222811,1222813,1222814,1222821,1222822,1222826,1222828,1222830,1222833,1222834,1224113,1224115,1224116,1224118,CVE-2023-5388 Description: This update for mozilla-nss fixes the following issues: - FIPS: Added more safe memset (bsc#1222811). - FIPS: Adjusted AES GCM restrictions (bsc#1222830). - FIPS: Adjusted approved ciphers (bsc#1222813, bsc#1222814, bsc#1222821, bsc#1222822, bsc#1224118, bsc#1222807, bsc#1222828, bsc#1222834, bsc#1222804, bsc#1222826, bsc#1222833, bsc#1224113, bsc#1224115, bsc#1224116). Update to NSS 3.101.1: * GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME. update to NSS 3.101: * add diagnostic assertions for SFTKObject refcount. * freeing the slot in DeleteCertAndKey if authentication failed * fix formatting issues. * Add Firmaprofesional CA Root-A Web to NSS. * remove invalid acvp fuzz test vectors. * pad short P-384 and P-521 signatures gtests. * remove unused FreeBL ECC code. * pad short P-384 and P-521 signatures. * be less strict about ECDSA private key length. * Integrate HACL* P-521. * Integrate HACL* P-384. * memory leak in create_objects_from_handles. * ensure all input is consumed in a few places in mozilla::pkix * SMIME/CMS and PKCS #12 do not integrate with modern NSS policy * clean up escape handling * Use lib::pkix as default validator instead of the old-one * Need to add high level support for PQ signing. * Certificate Compression: changing the allocation/freeing of buffer + Improving the documentation * SMIME/CMS and PKCS #12 do not integrate with modern NSS policy * Allow for non-full length ecdsa signature when using softoken * Modification of .taskcluster.yml due to mozlint indent defects * Implement support for PBMAC1 in PKCS#12 * disable VLA warnings for fuzz builds. * remove redundant AllocItem implementation. * add PK11_ReadDistrustAfterAttribute. * - Clang-formatting of SEC_GetMgfTypeByOidTag update * Set SEC_ERROR_LIBRARY_FAILURE on self-test failure * sftk_getParameters(): Fix fallback to default variable after error with configfile. * Switch to the mozillareleases/image_builder image - switch from ec_field_GFp to ec_field_plain Update to NSS 3.100: * merge pk11_kyberSlotList into pk11_ecSlotList for faster Xyber operations. * remove ckcapi. * avoid a potential PK11GenericObject memory leak. * Remove incomplete ESDH code. * Decrypt RSA OAEP encrypted messages. * Fix certutil CRLDP URI code. * Don't set CKA_DERIVE for CKK_EC_EDWARDS private keys. * Add ability to encrypt and decrypt CMS messages using ECDH. * Correct Templates for key agreement in smime/cmsasn.c. * Moving the decodedCert allocation to NSS. * Allow developers to speed up repeated local execution of NSS tests that depend on certificates. Update to NSS 3.99: * Removing check for message len in ed25519 (bmo#1325335) * add ed25519 to SECU_ecName2params. (bmo#1884276) * add EdDSA wycheproof tests. (bmo#1325335) * nss/lib layer code for EDDSA. (bmo#1325335) * Adding EdDSA implementation. (bmo#1325335) * Exporting Certificate Compression types (bmo#1881027) * Updating ACVP docker to rust 1.74 (bmo#1880857) * Updating HACL* to 0f136f28935822579c244f287e1d2a1908a7e552 (bmo#1325335) * Add NSS_CMSRecipient_IsSupported. (bmo#1877730) Update to NSS 3.98: * (CVE-2023-5388) Timing attack against RSA decryption in TLS * Certificate Compression: enabling the check that the compression was advertised * Move Windows workers to nss-1/b-win2022-alpha * Remove Email trust bit from OISTE WISeKey Global Root GC CA * Replace `distutils.spawn.find_executable` with `shutil.which` within `mach` in `nss` * Certificate Compression: Updating nss_bogo_shim to support Certificate compression * TLS Certificate Compression (RFC 8879) Implementation * Add valgrind annotations to freebl kyber operations for constant-time execution tests * Set nssckbi version number to 2.66 * Add Telekom Security roots * Add D-Trust 2022 S/MIME roots * Remove expired Security Communication RootCA1 root * move keys to a slot that supports concatenation in PK11_ConcatSymKeys * remove unmaintained tls-interop tests * bogo: add support for the -ipv6 and -shim-id shim flags * bogo: add support for the -curves shim flag and update Kyber expectations * bogo: adjust expectation for a key usage bit test * mozpkix: add option to ignore invalid subject alternative names * Fix selfserv not stripping `publicname:` from -X value * take ownership of ecckilla shims * add valgrind annotations to freebl/ec.c * PR_INADDR_ANY needs PR_htonl before assignment to inet.ip * Update zlib to 1.3.1 Update to NSS 3.97: * make Xyber768d00 opt-in by policy * add libssl support for xyber768d00 * add PK11_ConcatSymKeys * add Kyber and a PKCS#11 KEM interface to softoken * add a FreeBL API for Kyber * part 2: vendor github.com/pq-crystals/kyber/commit/e0d1c6ff * part 1: add a script for vendoring kyber from pq-crystals repo * Removing the calls to RSA Blind from loader.* * fix worker type for level3 mac tasks * RSA Blind implementation * Remove DSA selftests * read KWP testvectors from JSON * Backed out changeset dcb174139e4f * Fix CKM_PBE_SHA1_DES2_EDE_CBC derivation * Wrap CC shell commands in gyp expansions Update to NSS 3.96.1: * Use pypi dependencies for MacOS worker in ./build_gyp.sh * p7sign: add -a hash and -u certusage (also p7verify cleanups) * add a defensive check for large ssl_DefSend return values * Add dependency to the taskcluster script for Darwin * Upgrade version of the MacOS worker for the CI Update to NSS 3.95: * Bump builtins version number. * Remove Email trust bit from Autoridad de Certificacion Firmaprofesional CIF A62634068 root cert. * Remove 4 DigiCert (Symantec/Verisign) Root Certificates * Remove 3 TrustCor Root Certificates from NSS. * Remove Camerfirma root certificates from NSS. * Remove old Autoridad de Certificacion Firmaprofesional Certificate. * Add four Commscope root certificates to NSS. * Add TrustAsia Global Root CA G3 and G4 root certificates. * Include P-384 and P-521 Scalar Validation from HACL* * Include P-256 Scalar Validation from HACL*. * After the HACL 256 ECC patch, NSS incorrectly encodes 256 ECC without DER wrapping at the softoken level * Add means to provide library parameters to C_Initialize * add OSXSAVE and XCR0 tests to AVX2 detection. * Typo in ssl3_AppendHandshakeNumber * Introducing input check of ssl3_AppendHandshakeNumber * Fix Invalid casts in instance.c Update to NSS 3.94: * Updated code and commit ID for HACL* * update ACVP fuzzed test vector: refuzzed with current NSS * Softoken C_ calls should use system FIPS setting to select NSC_ or FC_ variants * NSS needs a database tool that can dump the low level representation of the database * declare string literals using char in pkixnames_tests.cpp * avoid implicit conversion for ByteString * update rust version for acvp docker * Moving the init function of the mpi_ints before clean-up in ec.c * P-256 ECDH and ECDSA from HACL* * Add ACVP test vectors to the repository * Stop relying on std::basic_string * Transpose the PPC_ABI check from Makefile to gyp Update to NSS 3.93: * Update zlib in NSS to 1.3. * softoken: iterate hashUpdate calls for long inputs. * regenerate NameConstraints test certificates (bsc#1214980). Update to NSS 3.92: * Set nssckbi version number to 2.62 * Add 4 Atos TrustedRoot Root CA certificates to NSS * Add 4 SSL.com Root CA certificates * Add Sectigo E46 and R46 Root CA certificates * Add LAWtrust Root CA2 (4096) * Remove E-Tugra Certification Authority root * Remove Camerfirma Chambers of Commerce Root. * Remove Hongkong Post Root CA 1 * Remove E-Tugra Global Root CA ECC v3 and RSA v3 * Avoid redefining BYTE_ORDER on hppa Linux Update to NSS 3.91: * Implementation of the HW support check for ADX instruction * Removing the support of Curve25519 * Fix comment about the addition of ticketSupportsEarlyData * Adding args to enable-legacy-db build * dbtests.sh failure in 'certutil dump keys with explicit default trust flags' * Initialize flags in slot structures * Improve the length check of RSA input to avoid heap overflow * Followup Fixes * avoid processing unexpected inputs by checking for m_exptmod base sign * add a limit check on order_k to avoid infinite loop * Update HACL* to commit 5f6051d2 * add SHA3 to cryptohi and softoken * HACL SHA3 * Disabling ASM C25519 for A but X86_64 Update to NSS 3.90.3: * GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME. * clean up escape handling. * remove redundant AllocItem implementation. * Disable ASM support for Curve25519. * Disable ASM support for Curve25519 for all but X86_64. ----------------------------------------- Version Build5.8.883-4-Build5.8.883 2024-08-06T09:00:22 ----------------------------------------- Patch: SUSE-2024-2736 Released: Mon Aug 5 17:33:41 2024 Summary: Recommended update for mozilla-nss Severity: moderate References: 1227918 Description: This update for mozilla-nss fixes the following issues: - Require `sed` for mozilla-nss-sysinit, as setup-nsssysinit.sh depends on it and will create a broken, empty config, if sed is missing (bsc#1227918) update to NSS 3.101.2 * ChaChaXor to return after the function ----------------------------------------- Patch: SUSE-2024-2754 Released: Mon Aug 5 21:03:51 2024 Summary: Security update for skopeo Severity: important References: 1224123,CVE-2024-28180 Description: This update for skopeo fixes the following issues: Update to version 1.14.4: - CVE-2024-3727: Fixed a vulnerability that allows attackers to trigger unexpected authenticated registry accesses on behalf of a victim user, resource exhaustion, local path traversal and other attacks. (bsc#1224123) ----------------------------------------- Version Build5.8.884-4-Build5.8.884 2024-08-07T09:00:23 ----------------------------------------- Patch: SUSE-2024-2791 Released: Tue Aug 6 16:35:06 2024 Summary: Recommended update for various 32bit packages Severity: moderate References: 1228322 Description: This update of various packages delivers 32bit variants to allow running Wine on SLE PackageHub 15 SP6. ----------------------------------------- Version Build5.8.887-4-Build5.8.887 2024-08-12T09:00:23 ----------------------------------------- Patch: SUSE-2024-2870 Released: Mon Aug 12 06:52:03 2024 Summary: Recommended update for libzypp, zypper, libsolv, zypp-plugin Severity: important References: 1081596,1223094,1224771,1225267,1226014,1226030,1226493,1227205,1227625,1227793,1228138,1228206,1228208,1228420,1228787,222971 Description: This update for libzypp, zypper, libsolv, zypp-plugin fixes the following issues: - Make sure not to statically linked installed tools (bsc#1228787) - MediaPluginType must be resolved to a valid MediaHandler (bsc#1228208) - Export asSolvable for YAST (bsc#1228420) - Export CredentialManager for legacy YAST versions (bsc#1228420) - Fix 4 typos in zypp.conf - Fix typo in the geoip update pipeline (bsc#1228206) - Export RepoVariablesStringReplacer for yast2 (bsc#1228138) - Removed dependency on external find program in the repo2solv tool - Fix return value of repodata.add_solv() - New SOLVER_FLAG_FOCUS_NEW flag - Report unsupported compression in solv_xfopen() with errno - Fix return value of repodata.add_solv() in the bindings - Fix SHA-224 oid in solv_pgpvrfy - Translation: updated .pot file. - Conflict with python zypp-plugin < 0.6.4 (bsc#1227793) - Fix int overflow in Provider - Fix error reporting on repoindex.xml parse error (bsc#1227625) - Keep UrlResolverPlugin API public - Blacklist /snap executables for 'zypper ps' (bsc#1226014) - Fix handling of buddies when applying locks (bsc#1225267) - Fix readline setup to handle Ctrl-C and Ctrl-D correctly (bsc#1227205) - Show rpm install size before installing (bsc#1224771) - Install zypp/APIConfig.h legacy include - Update soname due to RepoManager refactoring and cleanup - Workaround broken libsolv-tools-base requirements - Strip ssl_clientkey from repo urls (bsc#1226030) - Remove protobuf build dependency - Lazily attach medium during refresh workflows (bsc#1223094) - Refactor RepoManager and add Service workflows - Let_readline_abort_on_Ctrl-C (bsc#1226493) - packages: add '--system' to show @System packages (bsc#222971) ----------------------------------------- Version Build5.8.891-4-Build5.8.891 2024-08-14T13:01:13 ----------------------------------------- Patch: SUSE-2024-2899 Released: Wed Aug 14 02:37:38 2024 Summary: Security update for python-setuptools Severity: important References: 1228105,CVE-2024-6345 Description: This update for python-setuptools fixes the following issues: - CVE-2024-6345: Fixed code execution via download functions in the package_index module (bsc#1228105) ----------------------------------------- Version Build5.8.892-4-Build5.8.892 2024-08-14T18:50:20 ----------------------------------------- Patch: SUSE-2024-2909 Released: Wed Aug 14 14:47:44 2024 Summary: Security update for openssl-1_1 Severity: moderate References: 1227138,CVE-2024-5535 Description: This update for openssl-1_1 fixes the following issues: - CVE-2024-5535: Fixed a buffer overread in function SSL_select_next_proto() with an empty supported client protocols buffer (bsc#1227138) ----------------------------------------- Version Build5.8.893-4-Build5.8.893 2024-08-16T15:13:01 ----------------------------------------- Patch: SUSE-2024-2930 Released: Thu Aug 15 11:35:03 2024 Summary: Security update for curl Severity: moderate References: 1228535,CVE-2024-7264 Description: This update for curl fixes the following issues: - CVE-2024-7264: Fixed out-of-bounds read in ASN.1 date parser GTime2str() (bsc#1228535) ----------------------------------------- Version Build5.8.895-4-Build5.8.895 2024-08-20T09:00:23 ----------------------------------------- Patch: SUSE-2024-2967 Released: Mon Aug 19 15:41:29 2024 Summary: Recommended update for pam Severity: moderate References: 1194818 Description: This update for pam fixes the following issue: - Prevent cursor escape from the login prompt (bsc#1194818). ----------------------------------------- Version Build5.8.896-4-Build5.8.896 2024-08-23T09:00:23 ----------------------------------------- Patch: SUSE-2024-2998 Released: Thu Aug 22 12:52:17 2024 Summary: Security update for glib2 Severity: low References: 1224044,CVE-2024-34397 Description: This update for glib2 fixes the following issues: - Fixed a possible use after free regression introduced by CVE-2024-34397 patch (bsc#1224044). ----------------------------------------- Version Build5.8.900-4-Build5.8.900 2024-09-03T09:00:24 ----------------------------------------- Patch: SUSE-2024-3068 Released: Mon Sep 2 14:25:15 2024 Summary: Recommended update for util-linux Severity: moderate References: 1194818 Description: This update for util-linux fixes the following issue: - agetty: Prevent login cursor escape (bsc#1194818). ----------------------------------------- Patch: SUSE-2024-3084 Released: Mon Sep 2 17:18:50 2024 Summary: Recommended update for mozilla-nss Severity: moderate References: 1224113 Description: This update for mozilla-nss fixes the following issues: - FIPS: Enforce approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113). ----------------------------------------- Version Build5.8.903-4-Build5.8.903 2024-09-11T14:35:40 ----------------------------------------- Patch: SUSE-2024-3202 Released: Wed Sep 11 10:54:47 2024 Summary: Security update for curl Severity: moderate References: 1228535,1230093,CVE-2024-7264,CVE-2024-8096 Description: This update for curl fixes the following issues: - CVE-2024-8096: OCSP stapling bypass with GnuTLS. (bsc#1230093) - CVE-2024-7264: ASN.1 date parser overread. (bsc#1228535)