----------------------------------------- Version 2-Build4.2.36 2020-10-07T08:04:50 ----------------------------------------- Patch: SUSE-2018-1223 Released: Tue Jun 26 11:41:00 2018 Summary: Security update for gpg2 Severity: important References: 1096745,CVE-2018-12020 Description: This update for gpg2 fixes the following security issue: - CVE-2018-12020: GnuPG mishandled the original filename during decryption and verification actions, which allowed remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the '--status-fd 2' option (bsc#1096745). ----------------------------------------- Patch: SUSE-2018-1327 Released: Tue Jul 17 08:07:24 2018 Summary: Security update for perl Severity: moderate References: 1096718,CVE-2018-12015 Description: This update for perl fixes the following issues: - CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718) ----------------------------------------- Patch: SUSE-2018-1346 Released: Thu Jul 19 09:25:08 2018 Summary: Security update for glibc Severity: moderate References: 1082318,1092877,1094150,1094154,1094161,CVE-2017-18269,CVE-2018-11236,CVE-2018-11237 Description: This update for glibc fixes the following security issues: - CVE-2017-18269: An SSE2-optimized memmove implementation for i386 did not correctly perform the overlapping memory check if the source memory range spaned the middle of the address space, resulting in corrupt data being produced by the copy operation. This may have disclosed information to context-dependent attackers, resulted in a denial of service or code execution (bsc#1094150). - CVE-2018-11236: Prevent integer overflow on 32-bit architectures when processing very long pathname arguments to the realpath function, leading to a stack-based buffer overflow (bsc#1094161). - CVE-2018-11237: An AVX-512-optimized implementation of the mempcpy function may have writen data beyond the target buffer, leading to a buffer overflow in __mempcpy_avx512_no_vzeroupper (bsc#1092877, bsc#1094154). ----------------------------------------- Patch: SUSE-2018-1353 Released: Thu Jul 19 09:50:32 2018 Summary: Security update for e2fsprogs Severity: moderate References: 1009532,1038194,915402,918346,960273,CVE-2015-0247,CVE-2015-1572 Description: This update for e2fsprogs fixes the following issues: Security issues fixed: - CVE-2015-0247: Fixed couple of heap overflows in e2fsprogs (fsck, dumpe2fs, e2image...) (bsc#915402). - CVE-2015-1572: Fixed potential buffer overflow in closefs() (bsc#918346). Bug fixes: - bsc#1038194: generic/405 test fails with /dev/mapper/thin-vol is inconsistent on ext4 file system. - bsc#1009532: resize2fs hangs when trying to resize a large ext4 file system. - bsc#960273: xfsprogs does not call %{?regenerate_initrd_post}. ----------------------------------------- Patch: SUSE-2018-1409 Released: Fri Jul 27 06:45:10 2018 Summary: Recommended update for systemd Severity: moderate References: 1039099,1083158,1088052,1091265,1093851,1095096,1095973,1098569 Description: This update for systemd provides the following fixes: - systemctl: Mask always reports the same unit names when different unknown units are passed. (bsc#1095973) - systemctl: Check the existence of all units, not just the first one. - scsi_id: Fix the prefix for pre-SPC inquiry reply. (bsc#1039099) - device: Make sure to always retroactively start device dependencies. (bsc#1088052) - locale-util: On overlayfs FTW_MOUNT causes nftw(3) to not list *any* files. - Fix pattern to detect distribution. - install: The 'user' and 'global' scopes are equivalent for user presets. (bsc#1093851) - install: Search for preset files in /run (#7715) - install: Consider globally enabled units as 'enabled' for the user. (bsc#1093851) - install: Consider non-Alias=/non-DefaultInstance= symlinks as 'indirect' enablement. - install: Only consider names in Alias= as 'enabling'. - udev: Whitelist mlx4_core locally-administered MAC addresses in the persistent rule generator. (bsc#1083158) - man: Updated systemd-analyze blame description for service-units with Type=simple. (bsc#1091265) - fileio: Support writing atomic files with timestamp. - fileio.c: Fix incorrect mtime - Drop runtime dependency on dracut, otherwise systemd pulls in tools to generate the initrd even in container/chroot installations that don't have a kernel. For environments where initrd matters, dracut should be pulled via a pattern. (bsc#1098569) - An update broke booting with encrypted partitions on NVMe (bsc#1095096) ----------------------------------------- Patch: SUSE-2018-1760 Released: Fri Aug 24 17:14:53 2018 Summary: Recommended update for libtirpc Severity: moderate References: 1072183 Description: This update for libtirpc fixes the following issues: - rpcinfo: send RPC getport call as specified via parameter (bsc#1072183) ----------------------------------------- Patch: SUSE-2018-1999 Released: Tue Sep 25 08:20:35 2018 Summary: Recommended update for zlib Severity: moderate References: 1071321 Description: This update for zlib provides the following fixes: - Speedup zlib on power8. (fate#325307) - Add safeguard against negative values in uInt. (bsc#1071321) ----------------------------------------- Patch: SUSE-2018-2055 Released: Thu Sep 27 14:30:14 2018 Summary: Recommended update for openldap2 Severity: moderate References: 1089640 Description: This update for openldap2 provides the following fix: - Fix slapd segfaults in mdb_env_reader_dest. (bsc#1089640) ----------------------------------------- Patch: SUSE-2018-2155 Released: Fri Oct 5 14:41:17 2018 Summary: Recommended update for ca-certificates Severity: moderate References: 1101470 Description: This update for ca-certificates fixes the following issues: - Changed 'openssl' requirement to 'openssl(cli)' (bsc#1101470) ----------------------------------------- Patch: SUSE-2018-2177 Released: Tue Oct 9 09:00:13 2018 Summary: Recommended update for bash Severity: moderate References: 1095661,1095670,1100488 Description: This update for bash provides the following fixes: - Bugfix: Parse settings in inputrc for all screen TERM variables starting with 'screen.' (bsc#1095661) - Make the generation of bash.html reproducible. (bsc#1100488) - Use initgroups(3) instead of setgroups(2) to fix the usage of suid programs. (bsc#1095670) - Fix a problem that could cause hash table bash uses to store exit statuses from asynchronous processes to develop loops in circumstances involving long-running scripts that create and reap many processes. - Fix a problem that could cause the shell to loop if a SIGINT is received inside of a SIGINT trap handler. - Fix cases where a failing readline command (e.g., delete-char at the end of a line) can cause a multi-character key sequence to 'back up' and attempt to re-read some of the characters in the sequence. - Fix a problem when sourcing a file from an interactive shell, that setting the SIGINT handler to the default and typing ^C would cause the shell to exit. ----------------------------------------- Patch: SUSE-2018-2182 Released: Tue Oct 9 11:08:36 2018 Summary: Security update for libxml2 Severity: moderate References: 1088279,1102046,1105166,CVE-2018-14404,CVE-2018-14567,CVE-2018-9251 Description: This update for libxml2 fixes the following security issues: - CVE-2018-9251: The xz_decomp function allowed remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1088279) - CVE-2018-14567: Prevent denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1105166) - CVE-2018-14404: Prevent NULL pointer dereference in the xmlXPathCompOpEval() function when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case leading to a denial of service attack (bsc#1102046) ----------------------------------------- Patch: SUSE-2018-2370 Released: Mon Oct 22 14:02:01 2018 Summary: Recommended update for aaa_base Severity: moderate References: 1102310,1104531 Description: This update for aaa_base provides the following fixes: - Let bash.bashrc work even for (m)ksh. (bsc#1104531) - Fix an error at login if java system directory is empty. (bsc#1102310) ----------------------------------------- Patch: SUSE-2018-2485 Released: Fri Oct 26 12:38:01 2018 Summary: Recommended update for kmod Severity: moderate References: 1112928 Description: This update for kmod provides the following fixes: - Allow 'modprobe -c' print the status of 'allow_unsupported_modules' option. (bsc#1112928) ----------------------------------------- Patch: SUSE-2018-2487 Released: Fri Oct 26 12:39:07 2018 Summary: Recommended update for glibc Severity: moderate References: 1102526 Description: This update for glibc fixes the following issues: - Fix build on aarch64 with binutils newer than 2.30. - Fix year 2039 bug for localtime with 64-bit time_t (bsc#1102526) ----------------------------------------- Patch: SUSE-2018-2569 Released: Fri Nov 2 19:00:18 2018 Summary: Recommended update for pam Severity: moderate References: 1110700 Description: This update for pam fixes the following issues: - Remove limits for nproc from /etc/security/limits.conf (bsc#1110700) ----------------------------------------- Patch: SUSE-2018-2595 Released: Wed Nov 7 11:14:42 2018 Summary: Security update for systemd Severity: important References: 1089761,1090944,1091677,1093753,1101040,1102908,1105031,1107640,1107941,1109197,1109252,1110445,1112024,1113083,1113632,1113665,1114135,991901,CVE-2018-15686,CVE-2018-15688 Description: This update for systemd fixes the following issues: Security issues fixed: - CVE-2018-15688: A buffer overflow vulnerability in the dhcp6 client of systemd allowed a malicious dhcp6 server to overwrite heap memory in systemd-networkd. (bsc#1113632) - CVE-2018-15686: A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. (bsc#1113665) Non security issues fixed: - dhcp6: split assert_return() to be more debuggable when hit - core: skip unit deserialization and move to the next one when unit_deserialize() fails - core: properly handle deserialization of unknown unit types (#6476) - core: don't create Requires for workdir if 'missing ok' (bsc#1113083) - logind: use manager_get_user_by_pid() where appropriate - logind: rework manager_get_{user|session}_by_pid() a bit - login: fix user@.service case, so we don't allow nested sessions (#8051) (bsc#1112024) - core: be more defensive if we can't determine per-connection socket peer (#7329) - core: introduce systemd.early_core_pattern= kernel cmdline option - core: add missing 'continue' statement - core/mount: fstype may be NULL - journald: don't ship systemd-journald-audit.socket (bsc#1109252) - core: make 'tmpfs' dependencies on swapfs a 'default' dep, not an 'implicit' (bsc#1110445) - mount: make sure we unmount tmpfs mounts before we deactivate swaps (#7076) - detect-virt: do not try to read all of /proc/cpuinfo (bsc#1109197) - emergency: make sure console password agents don't interfere with the emergency shell - man: document that 'nofail' also has an effect on ordering - journald: take leading spaces into account in syslog_parse_identifier - journal: do not remove multiple spaces after identifier in syslog message - syslog: fix segfault in syslog_parse_priority() - journal: fix syslog_parse_identifier() - install: drop left-over debug message (#6913) - Ship systemd-sysv-install helper via the main package This script was part of systemd-sysvinit sub-package but it was wrong since systemd-sysv-install is a script used to redirect enable/disable operations to chkconfig when the unit targets are sysv init scripts. Therefore it's never been a SySV init tool. - Add udev.no-partlabel-links kernel command-line option. This option can be used to disable the generation of the by-partlabel symlinks regardless of the name used. (bsc#1089761) - man: SystemMaxUse= clarification in journald.conf(5). (bsc#1101040) - systemctl: load unit if needed in 'systemctl is-active' (bsc#1102908) - core: don't freeze OnCalendar= timer units when the clock goes back a lot (bsc#1090944) - Enable or disable machines.target according to the presets (bsc#1107941) - cryptsetup: add support for sector-size= option (fate#325697) - nspawn: always use permission mode 555 for /sys (bsc#1107640) - Bugfix for a race condition between daemon-reload and other commands (bsc#1105031) - Fixes an issue where login with root credentials was not possible in init level 5 (bsc#1091677) - Fix an issue where services of type 'notify' harmless DENIED log entries. (bsc#991901) - Does no longer adjust qgroups on existing subvolumes (bsc#1093753) - cryptsetup: add support for sector-size= option (#9936) (fate#325697 bsc#1114135) ----------------------------------------- Patch: SUSE-2018-2607 Released: Wed Nov 7 15:42:48 2018 Summary: Optional update for gcc8 Severity: low References: 1084812,1084842,1087550,1094222,1102564 Description: The GNU Compiler GCC 8 is being added to the Development Tools Module by this update. The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the Basesystem module of SUSE Linux Enterprise 15. Various optimizers have been improved in GCC 8, several of bugs fixed, quite some new warnings added and the error pin-pointing and fix-suggestions have been greatly improved. The GNU Compiler page for GCC 8 contains a summary of all the changes that have happened: https://gcc.gnu.org/gcc-8/changes.html Also changes needed or common pitfalls when porting software are described on: https://gcc.gnu.org/gcc-8/porting_to.html ----------------------------------------- Patch: SUSE-2018-2825 Released: Mon Dec 3 15:35:02 2018 Summary: Security update for pam Severity: important References: 1115640,CVE-2018-17953 Description: This update for pam fixes the following issue: Security issue fixed: - CVE-2018-17953: Fixed IP address and subnet handling of pam_access.so that was not honoured correctly when a single host was specified (bsc#1115640). ----------------------------------------- Patch: SUSE-2018-2861 Released: Thu Dec 6 14:32:01 2018 Summary: Security update for ncurses Severity: important References: 1103320,1115929,CVE-2018-19211 Description: This update for ncurses fixes the following issues: Security issue fixed: - CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929). Non-security issue fixed: - Remove scree.xterm from terminfo data base as with this screen uses fallback TERM=screen (bsc#1103320). ----------------------------------------- Patch: SUSE-2018-2984 Released: Wed Dec 19 11:32:39 2018 Summary: Security update for perl Severity: moderate References: 1114674,1114675,1114681,1114686,CVE-2018-18311,CVE-2018-18312,CVE-2018-18313,CVE-2018-18314 Description: This update for perl fixes the following issues: Secuirty issues fixed: - CVE-2018-18311: Fixed integer overflow with oversize environment (bsc#1114674). - CVE-2018-18312: Fixed heap-buffer-overflow write / reg_node overrun (bsc#1114675). - CVE-2018-18313: Fixed heap-buffer-overflow read if regex contains \0 chars (bsc#1114681). - CVE-2018-18314: Fixed heap-buffer-overflow in regex (bsc#1114686). ----------------------------------------- Patch: SUSE-2018-2986 Released: Wed Dec 19 13:53:22 2018 Summary: Security update for libnettle Severity: moderate References: 1118086,CVE-2018-16869 Description: This update for libnettle fixes the following issues: Security issues fixed: - CVE-2018-16869: Fixed a leaky data conversion exposing a manager oracle (bsc#1118086) ----------------------------------------- Patch: SUSE-2019-23 Released: Mon Jan 7 16:30:33 2019 Summary: Security update for gpg2 Severity: moderate References: 1120346,CVE-2018-1000858 Description: This update for gpg2 fixes the following issue: Security issue fixed: - CVE-2018-1000858: Fixed a Cross Site Request Forgery(CSRF) vulnerability in dirmngr that can result in Attacker controlled CSRF (bsc#1120346). ----------------------------------------- Patch: SUSE-2019-44 Released: Tue Jan 8 13:07:32 2019 Summary: Recommended update for acl Severity: low References: 953659 Description: This update for acl fixes the following issues: - test: Add helper library to fake passwd/group files. - quote: Escape literal backslashes. (bsc#953659) ----------------------------------------- Patch: SUSE-2019-137 Released: Mon Jan 21 15:52:45 2019 Summary: Security update for systemd Severity: important References: 1005023,1045723,1076696,1080919,1093753,1101591,1111498,1114933,1117063,1119971,1120323,CVE-2018-16864,CVE-2018-16865,CVE-2018-16866,CVE-2018-6954 Description: This update for systemd provides the following fixes: Security issues fixed: - CVE-2018-16864, CVE-2018-16865: Fixed two memory corruptions through attacker-controlled alloca()s (bsc#1120323) - CVE-2018-16866: Fixed an information leak in journald (bsc#1120323) - CVE-2018-6954: Fix mishandling of symlinks present in non-terminal path components (bsc#1080919) - Fixed an issue during system startup in relation to encrypted swap disks (bsc#1119971) Non-security issues fixed: - pam_systemd: Fix 'Cannot create session: Already running in a session' (bsc#1111498) - systemd-vconsole-setup: vconsole setup fails, fonts will not be copied to tty (bsc#1114933) - systemd-tmpfiles-setup: symlinked /tmp to /var/tmp breaking multiple units (bsc#1045723) - Fixed installation issue with /etc/machine-id during update (bsc#1117063) - btrfs: qgroups are assigned to parent qgroups after reboot (bsc#1093753) - logind: Stop managing VT switches if no sessions are registered on that VT. (bsc#1101591) - udev: Downgrade message when settting inotify watch up fails. (bsc#1005023) - udev: Ignore the exit code of systemd-detect-virt for memory hot-add. In SLE-12-SP3, 80-hotplug-cpu-mem.rules has a memory hot-add rule that uses systemd-detect-virt to detect non-zvm environment. The systemd-detect-virt returns exit failure code when it detected _none_ state. The exit failure code causes that the hot-add memory block can not be set to online. (bsc#1076696) ----------------------------------------- Patch: SUSE-2019-170 Released: Fri Jan 25 13:43:29 2019 Summary: Recommended update for kmod Severity: moderate References: 1118629 Description: This update for kmod fixes the following issues: - Fixes module dependency file corruption on parallel invocation (bsc#1118629). - Allows 'modprobe -c' to print the status of 'allow_unsupported_modules' option. ----------------------------------------- Patch: SUSE-2019-247 Released: Wed Feb 6 07:18:45 2019 Summary: Security update for lua53 Severity: moderate References: 1123043,CVE-2019-6706 Description: This update for lua53 fixes the following issues: Security issue fixed: - CVE-2019-6706: Fixed a use-after-free bug in the lua_upvaluejoin function of lapi.c (bsc#1123043) ----------------------------------------- Patch: SUSE-2019-369 Released: Wed Feb 13 14:01:42 2019 Summary: Recommended update for itstool Severity: moderate References: 1065270,1111019 Description: This update for itstool and python-libxml2-python fixes the following issues: Package: itstool - Updated version to support Python3. (bnc#1111019) Package: python-libxml2-python - Fix segfault when parsing invalid data. (bsc#1065270) ----------------------------------------- Patch: SUSE-2019-426 Released: Mon Feb 18 17:46:55 2019 Summary: Security update for systemd Severity: important References: 1117025,1121563,1122000,1123333,1123727,1123892,1124153,1125352,CVE-2019-6454 Description: This update for systemd fixes the following issues: - CVE-2019-6454: Overlong DBUS messages could be used to crash systemd (bsc#1125352) - units: make sure initrd-cleanup.service terminates before switching to rootfs (bsc#1123333) - logind: fix bad error propagation - login: log session state 'closing' (as well as New/Removed) - logind: fix borked r check - login: don't remove all devices from PID1 when only one was removed - login: we only allow opening character devices - login: correct comment in session_device_free() - login: remember that fds received from PID1 need to be removed eventually - login: fix FDNAME in call to sd_pid_notify_with_fds() - logind: fd 0 is a valid fd - logind: rework sd_eviocrevoke() - logind: check file is device node before using .st_rdev - logind: use the new FDSTOREREMOVE=1 sd_notify() message (bsc#1124153) - core: add a new sd_notify() message for removing fds from the FD store again - logind: make sure we don't trip up on half-initialized session devices (bsc#1123727) - fd-util: accept that kcmp might fail with EPERM/EACCES - core: Fix use after free case in load_from_path() (bsc#1121563) - core: include Found state in device dumps - device: fix serialization and deserialization of DeviceFound - fix path in btrfs rule (#6844) - assemble multidevice btrfs volumes without external tools (#6607) (bsc#1117025) - Update systemd-system.conf.xml (bsc#1122000) - units: inform user that the default target is started after exiting from rescue or emergency mode - core: free lines after reading them (bsc#1123892) - sd-bus: if we receive an invalid dbus message, ignore and proceeed - automount: don't pass non-blocking pipe to kernel. ----------------------------------------- Patch: SUSE-2019-571 Released: Thu Mar 7 18:13:46 2019 Summary: Security update for file Severity: moderate References: 1096974,1096984,1126117,1126118,1126119,CVE-2018-10360,CVE-2019-8905,CVE-2019-8906,CVE-2019-8907 Description: This update for file fixes the following issues: The following security vulnerabilities were addressed: - CVE-2018-10360: Fixed an out-of-bounds read in the function do_core_note in readelf.c, which allowed remote attackers to cause a denial of service (application crash) via a crafted ELF file (bsc#1096974) - CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c (bsc#1126118) - CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf. c (bsc#1126119) - CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c (bsc#1126117) ----------------------------------------- Patch: SUSE-2019-641 Released: Tue Mar 19 13:17:28 2019 Summary: Recommended update for glibc Severity: moderate References: 1112570,1114984,1114993 Description: This update for glibc provides the following fixes: - Fix Haswell CPU string flags. (bsc#1114984) - Fix waiters-after-spinning case. (bsc#1114993) - Do not relocate absolute symbols. (bsc#1112570) - Add glibc-locale-base subpackage containing only C, C.UTF-8 and en_US.UTF-8 locales. (fate#326551) - Add HWCAP_ATOMICS to HWCAP_IMPORTANT (fate#325962) - Remove slow paths from math routines. (fate#325815, fate#325879, fate#325880, fate#325881, fate#325882) ----------------------------------------- Patch: SUSE-2019-700 Released: Thu Mar 21 19:54:00 2019 Summary: Recommended update for cyrus-sasl Severity: moderate References: 1044840 Description: This update for cyrus-sasl provides the following fix: - Fix a problem that was causing syslog to be polluted with messages 'GSSAPI client step 1'. By server context the connection will be sent to the log function but the client content does not have log level information, so there is no way to stop DEBUG level logs. (bsc#1044840) ----------------------------------------- Patch: SUSE-2019-713 Released: Fri Mar 22 15:55:05 2019 Summary: Recommended update for glibc Severity: moderate References: 1063675,1126590 Description: This update for glibc fixes the following issues: - Add MAP_SYNC from Linux 4.15 (bsc#1126590) - Add MAP_SHARED_VALIDATE from Linux 4.15 (bsc#1126590) - nptl: Preserve error in setxid thread broadcast in coredumps (bsc#1063675, BZ #22153) ----------------------------------------- Patch: SUSE-2019-732 Released: Mon Mar 25 14:10:04 2019 Summary: Recommended update for aaa_base Severity: moderate References: 1088524,1118364,1128246 Description: This update for aaa_base fixes the following issues: - Restore old position of ssh/sudo source of profile (bsc#1118364). - Update logic for JRE_HOME env variable (bsc#1128246) ----------------------------------------- Patch: SUSE-2019-788 Released: Thu Mar 28 11:55:06 2019 Summary: Security update for sqlite3 Severity: moderate References: 1119687,CVE-2018-20346 Description: This update for sqlite3 to version 3.27.2 fixes the following issue: Security issue fixed: - CVE-2018-20346: Fixed a remote code execution vulnerability in FTS3 (Magellan) (bsc#1119687). Release notes: https://www.sqlite.org/releaselog/3_27_2.html ----------------------------------------- Patch: SUSE-2019-791 Released: Thu Mar 28 12:06:50 2019 Summary: Security update for libnettle Severity: moderate References: 1129598 Description: This update for libnettle to version 3.4.1 fixes the following issues: Issues addressed and new features: - Updated to 3.4.1 (fate#327114 and bsc#1129598) - Fixed a missing break statements in the parsing of PEM input files in pkcs1-conv. - Fixed a link error on the pss-mgf1-test which was affecting builds without public key support. - All functions using RSA private keys are now side-channel silent. This applies both to the bignum calculations, which now use GMP's mpn_sec_* family of functions, and the processing of PKCS#1 padding needed for RSA decryption. - Changes in behavior: The functions rsa_decrypt and rsa_decrypt_tr may now clobber all of the provided message buffer, independent of the actual message length. They are side-channel silent, in that branches and memory accesses don't depend on the validity or length of the message. Side-channel leakage from the caller's use of length and return value may still provide an oracle useable for a Bleichenbacher-style chosen ciphertext attack. Which is why the new function rsa_sec_decrypt is recommended. ----------------------------------------- Patch: SUSE-2019-858 Released: Wed Apr 3 15:50:37 2019 Summary: Recommended update for libtirpc Severity: moderate References: 1120689,1126096 Description: This update for libtirpc fixes the following issues: - Fix a yp_bind_client_create_v3: RPC: Unknown host error (bsc#1126096). - add an option to enforce connection via protocol version 2 first (bsc#1120689). ----------------------------------------- Patch: SUSE-2019-903 Released: Mon Apr 8 15:41:44 2019 Summary: Security update for glibc Severity: moderate References: 1100396,1122729,1130045,CVE-2016-10739 Description: This update for glibc fixes the following issues: Security issue fixed: - CVE-2016-10739: Fixed an improper implementation of getaddrinfo function which could allow applications to incorrectly assume that had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings (bsc#1122729). Other issue fixed: - Fixed an issue where pthread_mutex_trylock did not use a correct order of instructions while maintained the robust mutex list due to missing compiler barriers (bsc#1130045). - Added new Japanese Era name support (bsc#1100396). ----------------------------------------- Patch: SUSE-2019-1002 Released: Wed Apr 24 10:13:34 2019 Summary: Recommended update for zlib Severity: moderate References: 1110304,1129576 Description: This update for zlib fixes the following issues: - Fixes a segmentation fault error (bsc#1110304, bsc#1129576) ----------------------------------------- Patch: SUSE-2019-1040 Released: Thu Apr 25 17:09:21 2019 Summary: Security update for samba Severity: important References: 1114407,1124223,1125410,1126377,1131060,1131686,CVE-2019-3880 Description: This update for samba fixes the following issues: Security issue fixed: - CVE-2019-3880: Fixed a path/symlink traversal vulnerability, which allowed an unprivileged user to save registry files outside a share (bsc#1131060). ldb was updated to version 1.2.4 (bsc#1125410 bsc#1131686): - Out of bound read in ldb_wildcard_compare - Hold at most 10 outstanding paged result cookies - Put 'results_store' into a doubly linked list - Refuse to build Samba against a newer minor version of ldb Non-security issues fixed: - Fixed update-apparmor-samba-profile script after apparmor switched to using named profiles (bsc#1126377). - Abide to the load_printers parameter in smb.conf (bsc#1124223). - Provide the 32bit samba winbind PAM module and its dependend 32bit libraries. ----------------------------------------- Patch: SUSE-2019-1127 Released: Thu May 2 09:39:24 2019 Summary: Security update for sqlite3 Severity: moderate References: 1130325,1130326,CVE-2019-9936,CVE-2019-9937 Description: This update for sqlite3 to version 3.28.0 fixes the following issues: Security issues fixed: - CVE-2019-9936: Fixed a heap-based buffer over-read, when running fts5 prefix queries inside transaction (bsc#1130326). - CVE-2019-9937: Fixed a denial of service related to interleaving reads and writes in a single transaction with an fts5 virtual table (bsc#1130325). ----------------------------------------- Patch: SUSE-2019-1206 Released: Fri May 10 14:01:55 2019 Summary: Security update for bzip2 Severity: low References: 985657,CVE-2016-3189 Description: This update for bzip2 fixes the following issues: Security issue fixed: - CVE-2016-3189: Fixed a use-after-free in bzip2recover (bsc#985657). ----------------------------------------- Patch: SUSE-2019-1312 Released: Wed May 22 12:19:12 2019 Summary: Recommended update for aaa_base Severity: moderate References: 1096191 Description: This update for aaa_base fixes the following issue: * Shell detection in /etc/profile and /etc/bash.bashrc was broken within AppArmor-confined containers (bsc#1096191) ----------------------------------------- Patch: SUSE-2019-1364 Released: Tue May 28 10:51:38 2019 Summary: Security update for systemd Severity: moderate References: 1036463,1121563,1124122,1125352,1125604,1126056,1127557,1130230,1132348,1132400,1132721,1133506,1133509,CVE-2019-3842,CVE-2019-3843,CVE-2019-3844,CVE-2019-6454,SLE-5933 Description: This update for systemd fixes the following issues: Security issues fixed: - CVE-2019-3842: Fixed a privilege escalation in pam_systemd which could be exploited by a local user (bsc#1132348). - CVE-2019-6454: Fixed a denial of service via crafted D-Bus message (bsc#1125352). - CVE-2019-3843, CVE-2019-3844: Fixed a privilege escalation where services with DynamicUser could gain new privileges or create SUID/SGID binaries (bsc#1133506, bsc#1133509). Non-security issued fixed: - logind: fix killing of scopes (bsc#1125604) - namespace: make MountFlags=shared work again (bsc#1124122) - rules: load drivers only on 'add' events (bsc#1126056) - sysctl: Don't pass null directive argument to '%s' (bsc#1121563) - systemd-coredump: generate a stack trace of all core dumps and log into the journal (jsc#SLE-5933) - udevd: notify when max number value of children is reached only once per batch of events (bsc#1132400) - sd-bus: bump message queue size again (bsc#1132721) - Do not automatically online memory on s390x (bsc#1127557) - Removed sg.conf (bsc#1036463) ----------------------------------------- Patch: SUSE-2019-1368 Released: Tue May 28 13:15:38 2019 Summary: Recommended update for sles12sp3-docker-image, sles12sp4-image, system-user-root Severity: important References: 1134524,CVE-2019-5021 Description: This update for sles12sp3-docker-image, sles12sp4-image, system-user-root fixes the following issues: - CVE-2019-5021: Include an invalidated root password by default, not an empty one (bsc#1134524) ----------------------------------------- Patch: SUSE-2019-1372 Released: Tue May 28 16:53:28 2019 Summary: Security update for libtasn1 Severity: moderate References: 1105435,CVE-2018-1000654 Description: This update for libtasn1 fixes the following issues: Security issue fixed: - CVE-2018-1000654: Fixed a denial of service in the asn1 parser (bsc#1105435). ----------------------------------------- Patch: SUSE-2019-1484 Released: Thu Jun 13 07:46:46 2019 Summary: Recommended update for e2fsprogs Severity: moderate References: 1128383 Description: This update for e2fsprogs fixes the following issues: - Check and fix tails of all bitmap blocks (bsc#1128383) ----------------------------------------- Patch: SUSE-2019-1486 Released: Thu Jun 13 09:40:24 2019 Summary: Security update for elfutils Severity: moderate References: 1033084,1033085,1033086,1033087,1033088,1033089,1033090,1106390,1107066,1107067,1111973,1112723,1112726,1123685,1125007,CVE-2017-7607,CVE-2017-7608,CVE-2017-7609,CVE-2017-7610,CVE-2017-7611,CVE-2017-7612,CVE-2017-7613,CVE-2018-16062,CVE-2018-16402,CVE-2018-16403,CVE-2018-18310,CVE-2018-18520,CVE-2018-18521,CVE-2019-7150,CVE-2019-7665 Description: This update for elfutils fixes the following issues: Security issues fixed: - CVE-2017-7607: Fixed a heap-based buffer overflow in handle_gnu_hash (bsc#1033084) - CVE-2017-7608: Fixed a heap-based buffer overflow in ebl_object_note_type_name() (bsc#1033085) - CVE-2017-7609: Fixed a memory allocation failure in __libelf_decompress (bsc#1033086) - CVE-2017-7610: Fixed a heap-based buffer overflow in check_group (bsc#1033087) - CVE-2017-7611: Fixed a denial of service via a crafted ELF file (bsc#1033088) - CVE-2017-7612: Fixed a denial of service in check_sysv_hash() via a crafted ELF file (bsc#1033089) - CVE-2017-7613: Fixed denial of service caused by the missing validation of the number of sections and the number of segments in a crafted ELF file (bsc#1033090) - CVE-2018-16062: Fixed a heap-buffer overflow in /elfutils/libdw/dwarf_getaranges.c:156 (bsc#1106390) - CVE-2018-16402: Fixed a denial of service/double free on an attempt to decompress the same section twice (bsc#1107066) - CVE-2018-16403: Fixed a heap buffer overflow in readelf (bsc#1107067) - CVE-2018-18310: Fixed an invalid address read problem in dwfl_segment_report_module.c (bsc#1111973) - CVE-2018-18520: Fixed bad handling of ar files inside are files (bsc#1112726) - CVE-2018-18521: Fixed a denial of service vulnerabilities in the function arlib_add_symbols() used by eu-ranlib (bsc#1112723) - CVE-2019-7150: dwfl_segment_report_module doesn't check whether the dyn data read from core file is truncated (bsc#1123685) - CVE-2019-7665: NT_PLATFORM core file note should be a zero terminated string (bsc#1125007) ----------------------------------------- Patch: SUSE-2019-1595 Released: Fri Jun 21 10:17:44 2019 Summary: Security update for dbus-1 Severity: important References: 1137832,CVE-2019-12749 Description: This update for dbus-1 fixes the following issues: Security issue fixed: - CVE-2019-12749: Fixed an implementation flaw in DBUS_COOKIE_SHA1 which could have allowed local attackers to bypass authentication (bsc#1137832). ----------------------------------------- Patch: SUSE-2019-1631 Released: Fri Jun 21 11:17:21 2019 Summary: Recommended update for xz Severity: low References: 1135709 Description: This update for xz fixes the following issues: Add SUSE-Public-Domain licence as some parts of xz utils (liblzma, xz, xzdec, lzmadec, documentation, translated messages, tests, debug, extra directory) are in public domain licence [bsc#1135709] ----------------------------------------- Patch: SUSE-2019-1635 Released: Fri Jun 21 12:45:53 2019 Summary: Recommended update for krb5 Severity: moderate References: 1134217 Description: This update for krb5 provides the following fix: - Move LDAP schema files from /usr/share/doc/packages/krb5 to /usr/share/kerberos/ldap. (bsc#1134217) ----------------------------------------- Patch: SUSE-2019-1700 Released: Tue Jun 25 13:19:21 2019 Summary: Security update for libssh Severity: moderate References: 1134193 Description: This update for libssh fixes the following issue: Issue addressed: - Added support for new AES-GCM encryption types (bsc#1134193). ----------------------------------------- Patch: SUSE-2019-1808 Released: Wed Jul 10 13:16:29 2019 Summary: Recommended update for libgcrypt Severity: moderate References: 1133808 Description: This update for libgcrypt fixes the following issues: - Fixed redundant fips tests in some situations causing sudo to stop working when pam-kwallet is installed. bsc#1133808 ----------------------------------------- Patch: SUSE-2019-1835 Released: Fri Jul 12 18:06:31 2019 Summary: Security update for expat Severity: moderate References: 1139937,CVE-2018-20843 Description: This update for expat fixes the following issues: Security issue fixed: - CVE-2018-20843: Fixed a denial of service triggered by high resource consumption in the XML parser when XML names contain a large amount of colons (bsc#1139937). ----------------------------------------- Patch: SUSE-2019-1846 Released: Mon Jul 15 11:36:33 2019 Summary: Security update for bzip2 Severity: important References: 1139083,CVE-2019-12900 Description: This update for bzip2 fixes the following issues: Security issue fixed: - CVE-2019-12900: Fixed an out-of-bounds write in decompress.c with many selectors (bsc#1139083). ----------------------------------------- Patch: SUSE-2019-1853 Released: Mon Jul 15 16:03:36 2019 Summary: Recommended update for systemd Severity: moderate References: 1107617,1137053 Description: This update for systemd fixes the following issues: - conf-parse: remove 4K line length limit (bsc#1137053) - udevd: change the default value of udev.children-max (again) (bsc#1107617) - meson: stop creating enablement symlinks in /etc during installation (sequel) - Fixed build for openSUSE Leap 15+ - Make sure we don't ship any static enablement symlinks in /etc Those symlinks must only be created by the presets. There are no changes in practice since systemd/udev doesn't ship such symlinks in /etc but let's make sure no future changes will introduce new ones by mistake. ----------------------------------------- Patch: SUSE-2019-1877 Released: Thu Jul 18 11:31:46 2019 Summary: Security update for glibc Severity: moderate References: 1117993,1123710,1127223,1127308,1131330,CVE-2009-5155,CVE-2019-9169 Description: This update for glibc fixes the following issues: Security issues fixed: - CVE-2019-9169: Fixed a heap-based buffer over-read via an attempted case-insensitive regular-expression match (bsc#1127308). - CVE-2009-5155: Fixed a denial of service in parse_reg_exp() (bsc#1127223). Non-security issues fixed: - Does no longer compress debug sections in crt*.o files (bsc#1123710) - Fixes a concurrency problem in ldconfig (bsc#1117993) - Fixes a race condition in pthread_mutex_lock while promoting to PTHREAD_MUTEX_ELISION_NP (bsc#1131330) ----------------------------------------- Patch: SUSE-2019-1971 Released: Thu Jul 25 14:58:52 2019 Summary: Security update for libgcrypt Severity: moderate References: 1138939,CVE-2019-12904 Description: This update for libgcrypt fixes the following issues: Security issue fixed: - CVE-2019-12904: Fixed a flush-and-reload side-channel attack in the AES implementation (bsc#1138939). ----------------------------------------- Patch: SUSE-2019-1994 Released: Fri Jul 26 16:12:05 2019 Summary: Recommended update for libxml2 Severity: moderate References: 1135123 Description: This update for libxml2 fixes the following issues: - Added a new configurable variable XPATH_DEFAULT_MAX_NODESET_LENGTH to avoid nodeset limit when processing large XML files. (bsc#1135123) ----------------------------------------- Patch: SUSE-2019-2004 Released: Mon Jul 29 13:01:59 2019 Summary: Security update for bzip2 Severity: important References: 1139083,CVE-2019-12900 Description: This update for bzip2 fixes the following issues: - Fixed a regression with the fix for CVE-2019-12900, which caused incompatibilities with files that used many selectors (bsc#1139083). ----------------------------------------- Patch: SUSE-2019-2006 Released: Mon Jul 29 13:02:49 2019 Summary: Security update for gpg2 Severity: important References: 1124847,1141093,CVE-2019-13050 Description: This update for gpg2 fixes the following issues: Security issue fixed: - CVE-2019-13050: Fixed a denial of service attacks via big keys (bsc#1141093). Non-security issue fixed: - Allow coredumps in X11 desktop sessions (bsc#1124847) ----------------------------------------- Patch: SUSE-2019-2097 Released: Fri Aug 9 09:31:17 2019 Summary: Recommended update for libgcrypt Severity: important References: 1097073 Description: This update for libgcrypt fixes the following issues: - Fixed a regression where system were unable to boot in fips mode, caused by an incomplete implementation of previous change (bsc#1097073). ----------------------------------------- Patch: SUSE-2019-2134 Released: Wed Aug 14 11:54:56 2019 Summary: Recommended update for zlib Severity: moderate References: 1136717,1137624,1141059,SLE-5807 Description: This update for zlib fixes the following issues: - Update the s390 patchset. (bsc#1137624) - Tweak zlib-power8 to have type of crc32_vpmsum conform to usage. (bsc#1141059) - Use FAT LTO objects in order to provide proper static library. - Do not enable the previous patchset on s390 but just s390x. (bsc#1137624) - Add patchset for s390 improvements. (jsc#SLE-5807, bsc#1136717) ----------------------------------------- Patch: SUSE-2019-2188 Released: Wed Aug 21 10:10:29 2019 Summary: Recommended update for aaa_base Severity: moderate References: 1140647 Description: This update for aaa_base fixes the following issues: - Make systemd detection cgroup oblivious. (bsc#1140647) ----------------------------------------- Patch: SUSE-2019-2218 Released: Mon Aug 26 11:29:57 2019 Summary: Recommended update for pinentry Severity: moderate References: 1141883 Description: This update for pinentry fixes the following issues: - Fix a dangling pointer in qt/main.cpp that caused crashes. (bsc#1141883) ----------------------------------------- Patch: SUSE-2019-2307 Released: Thu Sep 5 14:45:08 2019 Summary: Security update for util-linux and shadow Severity: moderate References: 1081947,1082293,1085196,1106214,1121197,1122417,1125886,1127701,1135534,1135708,1141113,353876 Description: This update for util-linux and shadow fixes the following issues: util-linux: - Fixed an issue where PATH settings in /etc/default/su being ignored (bsc#1121197) - Prevent outdated pam files (bsc#1082293). - De-duplicate fstrim -A properly (bsc#1127701). - Do not trim read-only volumes (bsc#1106214). - Integrate pam_keyinit pam module to login (bsc#1081947). - Perform one-time reset of /etc/default/su (bsc#1121197). - Fix problems in reading of login.defs values (bsc#1121197) - libmount: To prevent incorrect behavior, recognize more pseudofs and netfs (bsc#1122417). - raw.service: Add RemainAfterExit=yes (bsc#1135534). - agetty: Return previous response of agetty for special characters (bsc#1085196, bsc#1125886) - libmount: print a blacklist hint for 'unknown filesystem type' (jsc#SUSE-4085, fate#326832) - Fix /etc/default/su comments and create /etc/default/runuser (bsc#1121197). shadow: - Fixed an issue where PATH settings in /etc/default/su being ignored (bsc#1121197) - Fix segfault in useradd during setting password inactivity period. (bsc#1141113) - Hardening for su wrappers (bsc#353876) ----------------------------------------- Patch: SUSE-2019-2361 Released: Thu Sep 12 07:54:54 2019 Summary: Recommended update for krb5 Severity: moderate References: 1081947,1144047 Description: This update for krb5 contains the following fixes: - Integrate pam_keyinit PAM module, ksu-pam.d. (bsc#1081947) ----------------------------------------- Patch: SUSE-2019-2395 Released: Wed Sep 18 08:31:38 2019 Summary: Security update for openldap2 Severity: moderate References: 1073313,1111388,1114845,1143194,1143273,CVE-2017-17740,CVE-2019-13057,CVE-2019-13565 Description: This update for openldap2 fixes the following issues: Security issue fixed: - CVE-2019-13565: Fixed an authentication bypass when using SASL authentication and session encryption (bsc#1143194). - CVE-2019-13057: Fixed an issue with delegated database admin privileges (bsc#1143273). - CVE-2017-17740: When both the nops module and the member of overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. (bsc#1073313) Non-security issues fixed: - Fixed broken shebang line in openldap_update_modules_path.sh (bsc#1114845). - Create files in /var/lib/ldap/ during initial start to allow for transactional updates (bsc#1111388) - Fixed incorrect post script call causing tmpfiles creation not to be run (bsc#1111388). ----------------------------------------- Patch: SUSE-2019-2423 Released: Fri Sep 20 16:41:45 2019 Summary: Recommended update for aaa_base Severity: moderate References: 1146866,SLE-9132 Description: This update for aaa_base fixes the following issues: Added sysctl.d/51-network.conf to tighten network security (bsc#1146866) (jira#SLE-9132) Following settings have been tightened (and set to 0): - net.ipv4.conf.all.accept_redirects - net.ipv4.conf.default.accept_redirects - net.ipv4.conf.default.accept_source_route - net.ipv6.conf.all.accept_redirects - net.ipv6.conf.default.accept_redirects ----------------------------------------- Patch: SUSE-2019-2429 Released: Mon Sep 23 09:28:40 2019 Summary: Security update for expat Severity: moderate References: 1149429,CVE-2019-15903 Description: This update for expat fixes the following issues: Security issues fixed: - CVE-2019-15903: Fixed heap-based buffer over-read caused by crafted XML input. (bsc#1149429) ----------------------------------------- Patch: SUSE-2019-2517 Released: Wed Oct 2 10:49:20 2019 Summary: Security update for libseccomp Severity: moderate References: 1082318,1128828,1142614,CVE-2019-9893 Description: This update for libseccomp fixes the following issues: Security issues fixed: - CVE-2019-9893: An incorrect generation of syscall filters in libseccomp was fixed (bsc#1128828) libseccomp was updated to new upstream release 2.4.1: - Fix a BPF generation bug where the optimizer mistakenly identified duplicate BPF code blocks. libseccomp was updated to 2.4.0 (bsc#1128828 CVE-2019-9893): - Update the syscall table for Linux v5.0-rc5 - Added support for the SCMP_ACT_KILL_PROCESS action - Added support for the SCMP_ACT_LOG action and SCMP_FLTATR_CTL_LOG attribute - Added explicit 32-bit (SCMP_AX_32(...)) and 64-bit (SCMP_AX_64(...)) argument comparison macros to help protect against unexpected sign extension - Added support for the parisc and parisc64 architectures - Added the ability to query and set the libseccomp API level via seccomp_api_get(3) and seccomp_api_set(3) - Return -EDOM on an endian mismatch when adding an architecture to a filter - Renumber the pseudo syscall number for subpage_prot() so it no longer conflicts with spu_run() - Fix PFC generation when a syscall is prioritized, but no rule exists - Numerous fixes to the seccomp-bpf filter generation code - Switch our internal hashing function to jhash/Lookup3 to MurmurHash3 - Numerous tests added to the included test suite, coverage now at ~92% - Update our Travis CI configuration to use Ubuntu 16.04 - Numerous documentation fixes and updates libseccomp was updated to release 2.3.3: - Updated the syscall table for Linux v4.15-rc7 ----------------------------------------- Patch: SUSE-2019-2533 Released: Thu Oct 3 15:02:50 2019 Summary: Security update for sqlite3 Severity: moderate References: 1150137,CVE-2019-16168 Description: This update for sqlite3 fixes the following issues: Security issue fixed: - CVE-2019-16168: Fixed improper validation of sqlite_stat1 field that could lead to denial of service (bsc#1150137). ----------------------------------------- Patch: SUSE-2019-2676 Released: Tue Oct 15 21:06:54 2019 Summary: Recommended update for e2fsprogs Severity: moderate References: 1145716,1152101,CVE-2019-5094 Description: This update for e2fsprogs fixes the following issues: Security issue fixed: - CVE-2019-5094: Fixed an arbitrary code execution via specially crafted ext4 file systems. (bsc#1152101) Non-security issue fixed: - libext2fs: Call fsync(2) to clear stale errors for a new a unix I/O channel. (bsc#1145716) ----------------------------------------- Patch: SUSE-2019-2730 Released: Mon Oct 21 16:04:57 2019 Summary: Security update for procps Severity: important References: 1092100,1121753,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126 Description: This update for procps fixes the following issues: procps was updated to 3.3.15. (bsc#1092100) Following security issues were fixed: - CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100). - CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps maped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100). - CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100). - CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100). - CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100). Also this non-security issue was fixed: - Fix CPU summary showing old data. (bsc#1121753) The update to 3.3.15 contains the following fixes: * library: Increment to 8:0:1 No removals, no new functions Changes: slab and pid structures * library: Just check for SIGLOST and don't delete it * library: Fix integer overflow and LPE in file2strvec CVE-2018-1124 * library: Use size_t for alloc functions CVE-2018-1126 * library: Increase comm size to 64 * pgrep: Fix stack-based buffer overflow CVE-2018-1125 * pgrep: Remove >15 warning as comm can be longer * ps: Fix buffer overflow in output buffer, causing DOS CVE-2018-1123 * ps: Increase command name selection field to 64 * top: Don't use cwd for location of config CVE-2018-1122 * update translations * library: build on non-glibc systems * free: fix scaling on 32-bit systems * Revert 'Support running with child namespaces' * library: Increment to 7:0:1 No changes, no removals New fuctions: numa_init, numa_max_node, numa_node_of_cpu, numa_uninit, xalloc_err_handler * doc: Document I idle state in ps.1 and top.1 * free: fix some of the SI multiples * kill: -l space between name parses correctly * library: dont use vm_min_free on non Linux * library: don't strip off wchan prefixes (ps & top) * pgrep: warn about 15+ char name only if -f not used * pgrep/pkill: only match in same namespace by default * pidof: specify separator between pids * pkill: Return 0 only if we can kill process * pmap: fix duplicate output line under '-x' option * ps: avoid eip/esp address truncations * ps: recognizes SCHED_DEADLINE as valid CPU scheduler * ps: display NUMA node under which a thread ran * ps: Add seconds display for cputime and time * ps: Add LUID field * sysctl: Permit empty string for value * sysctl: Don't segv when file not available * sysctl: Read and write large buffers * top: add config file support for XDG specification * top: eliminated minor libnuma memory leak * top: show fewer memory decimal places (configurable) * top: provide command line switch for memory scaling * top: provide command line switch for CPU States * top: provides more accurate cpu usage at startup * top: display NUMA node under which a thread ran * top: fix argument parsing quirk resulting in SEGV * top: delay interval accepts non-locale radix point * top: address a wishlist man page NLS suggestion * top: fix potential distortion in 'Mem' graph display * top: provide proper multi-byte string handling * top: startup defaults are fully customizable * watch: define HOST_NAME_MAX where not defined * vmstat: Fix alignment for disk partition format * watch: Support ANSI 39,49 reset sequences ----------------------------------------- Patch: SUSE-2019-2757 Released: Wed Oct 23 17:21:17 2019 Summary: Security update for lz4 Severity: moderate References: 1153936,CVE-2019-17543 Description: This update for lz4 fixes the following issues: - CVE-2019-17543: Fixed a heap-based buffer overflow in LZ4_write32 (bsc#1153936). ----------------------------------------- Patch: SUSE-2019-2812 Released: Tue Oct 29 14:57:55 2019 Summary: Recommended update for systemd Severity: moderate References: 1139459,1140631,1145023,1150595,SLE-7687 Description: This update for systemd provides the following fixes: - Fix a problem that would cause invoking try-restart to an inactive service to hang when a daemon-reload is invoked before the try-restart returned. (bsc#1139459) - man: Add a note about _netdev usage. - units: Replace remote-cryptsetup-pre.target with remote-fs-pre.target. - units: Add [Install] section to remote-cryptsetup.target. - cryptsetup: Ignore _netdev, since it is used in generator. - cryptsetup-generator: Use remote-cryptsetup.target when _netdev is present. (jsc#SLE-7687) - cryptsetup-generator: Add a helper utility to create symlinks. - units: Add remote-cryptsetup.target and remote-cryptsetup-pre.target. - man: Add an explicit description of _netdev to systemd.mount(5). - man: Order fields alphabetically in crypttab(5). - man: Make crypttab(5) a bit easier to read. - units: Order cryptsetup-pre.target before cryptsetup.target. - Fix reporting of enabled-runtime units. - sd-bus: Deal with cookie overruns. (bsc#1150595) - rules: Add by-id symlinks for persistent memory. (bsc#1140631) - Buildrequire polkit so /usr/share/polkit-1/rules.d subdir can be only owned by polkit. (bsc#1145023) ----------------------------------------- Patch: SUSE-2019-2870 Released: Thu Oct 31 08:09:14 2019 Summary: Recommended update for aaa_base Severity: moderate References: 1051143,1138869,1151023 Description: This update for aaa_base provides the following fixes: - Check if variables can be set before modifying them to avoid warnings on login with a restricted shell. (bsc#1138869) - Add s390x compressed kernel support. (bsc#1151023) - service: Check if there is a second argument before using it. (bsc#1051143) ----------------------------------------- Patch: SUSE-2019-2418 Released: Thu Nov 14 11:53:03 2019 Summary: Recommended update for bash Severity: moderate References: 1133773,1143055 Description: This update for bash fixes the following issues: - Rework patch readline-7.0-screen (bsc#1143055): map all 'screen(-xxx)?.yyy(-zzz)?' to 'screen' as well as map 'konsole(-xxx)?' and 'gnome(-xxx)?' to 'xterm' - Add a backport from bash 5.0 to perform better with large numbers of sub processes. (bsc#1133773) ----------------------------------------- Patch: SUSE-2019-2997 Released: Mon Nov 18 15:16:38 2019 Summary: Security update for ncurses Severity: moderate References: 1103320,1154036,1154037,CVE-2019-17594,CVE-2019-17595 Description: This update for ncurses fixes the following issues: Security issues fixed: - CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036). - CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037). Non-security issue fixed: - Removed screen.xterm from terminfo database (bsc#1103320). ----------------------------------------- Patch: SUSE-2019-3059 Released: Mon Nov 25 17:33:07 2019 Summary: Security update for cpio Severity: moderate References: 1155199,CVE-2019-14866 Description: This update for cpio fixes the following issues: - CVE-2019-14866: Fixed an improper validation of the values written in the header of a TAR file through the to_oct() function which could have led to unexpected TAR generation (bsc#1155199). ----------------------------------------- Patch: SUSE-2019-3061 Released: Mon Nov 25 17:34:22 2019 Summary: Security update for gcc9 Severity: moderate References: 1114592,1135254,1141897,1142649,1142654,1148517,1149145,CVE-2019-14250,CVE-2019-15847,SLE-6533,SLE-6536 Description: This update includes the GNU Compiler Collection 9. A full changelog is provided by the GCC team on: https://www.gnu.org/software/gcc/gcc-9/changes.html The base system compiler libraries libgcc_s1, libstdc++6 and others are now built by the gcc 9 packages. To use it, install 'gcc9' or 'gcc9-c++' or other compiler brands and use CC=gcc-9 / CXX=g++-9 during configuration for using it. Security issues fixed: - CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145) - CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649) Non-security issues fixed: - Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254) - Fixed miscompilation for vector shift on s390. (bsc#1141897) ----------------------------------------- Patch: SUSE-2019-3070 Released: Tue Nov 26 12:39:29 2019 Summary: Recommended update for gpg2 Severity: low References: 1152755 Description: This update for gpg2 provides the following fix: - Remove a build requirement on self. This is causing Leap 15.2 bootstrap to fail. (bsc#1152755) ----------------------------------------- Patch: SUSE-2019-3086 Released: Thu Nov 28 10:02:24 2019 Summary: Security update for libidn2 Severity: moderate References: 1154884,1154887,CVE-2019-12290,CVE-2019-18224 Description: This update for libidn2 to version 2.2.0 fixes the following issues: - CVE-2019-12290: Fixed an improper round-trip check when converting A-labels to U-labels (bsc#1154884). - CVE-2019-18224: Fixed a heap-based buffer overflow that was caused by long domain strings (bsc#1154887). ----------------------------------------- Patch: SUSE-2019-3087 Released: Thu Nov 28 10:03:00 2019 Summary: Security update for libxml2 Severity: low References: 1123919 Description: This update for libxml2 doesn't fix any additional security issues, but correct its rpm changelog to reflect all CVEs that have been fixed over the past. ----------------------------------------- Patch: SUSE-2019-3118 Released: Fri Nov 29 14:41:35 2019 Summary: Recommended update for e2fsprogs Severity: moderate References: 1154295 Description: This update for e2fsprogs fixes the following issues: - Make minimum size estimates more reliable for mounted filesystem. (bsc#1154295) ----------------------------------------- Patch: SUSE-2019-3166 Released: Wed Dec 4 11:24:42 2019 Summary: Recommended update for aaa_base Severity: moderate References: 1007715,1084934,1157278 Description: This update for aaa_base fixes the following issues: - Use official key binding functions in inputrc that is replace up-history with previous-history, down-history with next-history and backward-delete-word with backward-kill-word. (bsc#1084934) - Add some missed key escape sequences for urxvt-unicode terminal as well. (bsc#1007715) - Clear broken ghost entry in patch which breaks 'readline'. (bsc#1157278) ----------------------------------------- Patch: SUSE-2019-3240 Released: Tue Dec 10 10:40:19 2019 Summary: Recommended update for ca-certificates-mozilla, p11-kit Severity: moderate References: 1154871 Description: This update for ca-certificates-mozilla, p11-kit fixes the following issues: Changes in ca-certificates-mozilla: - export correct p11kit trust attributes so Firefox detects built in certificates (bsc#1154871). Changes in p11-kit: - support loading NSS attribute CKA_NSS_MOZILLA_CA_POLICY so Firefox detects built in certificates (bsc#1154871) ----------------------------------------- Patch: SUSE-2019-3267 Released: Wed Dec 11 11:19:53 2019 Summary: Security update for libssh Severity: important References: 1158095,CVE-2019-14889 Description: This update for libssh fixes the following issues: - CVE-2019-14889: Fixed an arbitrary command execution (bsc#1158095). ----------------------------------------- Patch: SUSE-2019-3392 Released: Fri Dec 27 13:33:29 2019 Summary: Security update for libgcrypt Severity: moderate References: 1148987,1155338,1155339,CVE-2019-13627 Description: This update for libgcrypt fixes the following issues: Security issues fixed: - CVE-2019-13627: Mitigation against an ECDSA timing attack (bsc#1148987). Bug fixes: - Added CMAC AES self test (bsc#1155339). - Added CMAC TDES self test missing (bsc#1155338). - Fix test dsa-rfc6979 in FIPS mode. ----------------------------------------- Patch: SUSE-2020-129 Released: Mon Jan 20 09:21:13 2020 Summary: Security update for libssh Severity: important References: 1158095,CVE-2019-14889 Description: This update for libssh fixes the following issues: - CVE-2019-14889: Fixed an unwanted command execution in scp caused by unsanitized location (bsc#1158095). ----------------------------------------- Patch: SUSE-2020-225 Released: Fri Jan 24 06:49:07 2020 Summary: Recommended update for procps Severity: moderate References: 1158830 Description: This update for procps fixes the following issues: - Fix for 'ps -C' allowing to accept any arguments longer than 15 characters anymore. (bsc#1158830) ----------------------------------------- Patch: SUSE-2020-256 Released: Wed Jan 29 09:39:17 2020 Summary: Recommended update for aaa_base Severity: moderate References: 1157794,1160970 Description: This update for aaa_base fixes the following issues: - Improves the way how the Java path is created to fix an issue with sapjvm. (bsc#1157794) - Drop 'dev.cdrom.autoclose' = 0 from sysctl config. (bsc#1160970) ----------------------------------------- Patch: SUSE-2020-262 Released: Thu Jan 30 11:02:42 2020 Summary: Security update for glibc Severity: moderate References: 1149332,1151582,1157292,1157893,1158996,CVE-2019-19126 Description: This update for glibc fixes the following issues: Security issue fixed: - CVE-2019-19126: Fixed to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition (bsc#1157292). Bug fixes: - Fixed z15 (s390x) strstr implementation that can return incorrect results if search string cross page boundary (bsc#1157893). - Fixed Hardware support in toolchain (bsc#1151582). - Fixed syscalls during early process initialization (SLE-8348). - Fixed an array overflow in backtrace for PowerPC (bsc#1158996). - Moved to posix_spawn on popen (bsc#1149332). ----------------------------------------- Patch: SUSE-2020-265 Released: Thu Jan 30 14:05:34 2020 Summary: Security update for e2fsprogs Severity: moderate References: 1160571,CVE-2019-5188 Description: This update for e2fsprogs fixes the following issues: - CVE-2019-5188: Fixed a code execution vulnerability in the directory rehashing functionality (bsc#1160571). ----------------------------------------- Patch: SUSE-2020-279 Released: Fri Jan 31 12:01:39 2020 Summary: Recommended update for p11-kit Severity: moderate References: 1013125 Description: This update for p11-kit fixes the following issues: - Also build documentation (bsc#1013125) ----------------------------------------- Patch: SUSE-2020-335 Released: Thu Feb 6 11:37:24 2020 Summary: Security update for systemd Severity: important References: 1084671,1092920,1106383,1133495,1151377,1154256,1155207,1155574,1156213,1156482,1158485,1159814,1161436,1162108,CVE-2019-20386,CVE-2020-1712 Description: This update for systemd fixes the following issues: - CVE-2020-1712 (bsc#bsc#1162108) Fix a heap use-after-free vulnerability, when asynchronous Polkit queries were performed while handling Dbus messages. A local unprivileged attacker could have abused this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted Dbus messages. - Use suse.pool.ntp.org server pool on SLE distros (jsc#SLE-7683) - libblkid: open device in nonblock mode. (bsc#1084671) - udev/cdrom_id: Do not open CD-rom in exclusive mode. (bsc#1154256) - bus_open leak sd_event_source when udevadm trigger。 (bsc#1161436 CVE-2019-20386) - fileio: introduce read_full_virtual_file() for reading virtual files in sysfs, procfs (bsc#1133495 bsc#1159814) - fileio: initialize errno to zero before we do fread() - fileio: try to read one byte too much in read_full_stream() - logind: consider 'greeter' sessions suitable as 'display' sessions of a user (bsc#1158485) - logind: never elect a session that is stopping as display - journal: include kmsg lines from the systemd process which exec()d us (#8078) - udevd: don't use monitor after manager_exit() - udevd: capitalize log messages in on_sigchld() - udevd: merge conditions to decrease indentation - Revert 'udevd: fix crash when workers time out after exit is signal caught' - core: fragments of masked units ought not be considered for NeedDaemonReload (#7060) (bsc#1156482) - udevd: fix crash when workers time out after exit is signal caught - udevd: wait for workers to finish when exiting (bsc#1106383) - Improve bash completion support (bsc#1155207) * shell-completion: systemctl: do not list template units in {re,}start * shell-completion: systemctl: pass current word to all list_unit* * bash-completion: systemctl: pass current partial unit to list-unit* (bsc#1155207) * bash-completion: systemctl: use systemctl --no-pager * bash-completion: also suggest template unit files * bash-completion: systemctl: add missing options and verbs * bash-completion: use the first argument instead of the global variable (#6457) - networkd: VXLan Make group and remote variable separate (bsc#1156213) - networkd: vxlan require Remote= to be a non multicast address (#8117) (bsc#1156213) - fs-util: let's avoid unnecessary strerror() - fs-util: introduce inotify_add_watch_and_warn() helper - ask-password: improve log message when inotify limit is reached (bsc#1155574) - shared/install: failing with -ELOOP can be due to the use of an alias in install_error() (bsc#1151377) - man: alias names can't be used with enable command (bsc#1151377) - Add boot option to not use swap at system start (jsc#SLE-7689) - Allow YaST to select Iranian (Persian, Farsi) keyboard layout (bsc#1092920) ----------------------------------------- Patch: SUSE-2020-339 Released: Thu Feb 6 13:03:22 2020 Summary: Recommended update for openldap2 Severity: low References: 1158921 Description: This update for openldap2 provides the following fix: - Add libldap-data to the product (as it contains ldap.conf). (bsc#1158921) ----------------------------------------- Patch: SUSE-2020-451 Released: Tue Feb 25 10:50:35 2020 Summary: Recommended update for libgcrypt Severity: moderate References: 1155337,1161215,1161216,1161218,1161219,1161220 Description: This update for libgcrypt fixes the following issues: - ECDSA: Check range of coordinates (bsc#1161216) - FIPS: libgcrypt DSA PQG parameter generation: Missing value [bsc#1161219] - FIPS: libgcrypt DSA PQG verification incorrect results [bsc#1161215] - FIPS: libgcrypt RSA siggen/keygen: 4k not supported [bsc#1161220] - FIPS: keywrap gives incorrect results [bsc#1161218] - FIPS: RSA/DSA/ECDSA are missing hashing operation [bsc#1155337] ----------------------------------------- Patch: SUSE-2020-476 Released: Tue Feb 25 14:23:14 2020 Summary: Recommended update for perl Severity: moderate References: 1102840,1160039 Description: This update for perl fixes the following issues: - Some packages make assumptions about the date and time they are built. This update will solve the issues caused by calling the perl function timelocal expressing the year with two digit only instead of four digits. (bsc#1102840) (bsc#1160039) ----------------------------------------- Patch: SUSE-2020-480 Released: Tue Feb 25 17:38:22 2020 Summary: Recommended update for aaa_base Severity: moderate References: 1160735 Description: This update for aaa_base fixes the following issues: - Change 'rp_filter' to increase the default priority to ethernet over the wifi. (bsc#1160735) ----------------------------------------- Patch: SUSE-2020-525 Released: Fri Feb 28 11:49:36 2020 Summary: Recommended update for pam Severity: moderate References: 1164562 Description: This update for pam fixes the following issues: - Add libdb as build-time dependency to enable pam_userdb module. Enable pam_userdb.so (jsc#sle-7258, bsc#1164562) ----------------------------------------- Patch: SUSE-2020-572 Released: Tue Mar 3 13:25:41 2020 Summary: Recommended update for cyrus-sasl Severity: moderate References: 1162518 Description: This update for cyrus-sasl fixes the following issues: - Added support for retrieving negotiated SSF in gssapi plugin (bsc#1162518) - Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF (bsc#1162518) ----------------------------------------- Patch: SUSE-2020-597 Released: Thu Mar 5 15:24:09 2020 Summary: Recommended update for libgcrypt Severity: moderate References: 1164950 Description: This update for libgcrypt fixes the following issues: - FIPS: Run the self-tests from the constructor [bsc#1164950] ----------------------------------------- Patch: SUSE-2020-633 Released: Tue Mar 10 16:23:08 2020 Summary: Recommended update for aaa_base Severity: moderate References: 1139939,1151023 Description: This update for aaa_base fixes the following issues: - get_kernel_version: fix for current kernel on s390x (bsc#1151023, bsc#1139939) - added '-h'/'--help' to the command old - change feedback url from http://www.suse.de/feedback to https://github.com/openSUSE/aaa_base/issues ----------------------------------------- Patch: SUSE-2020-668 Released: Fri Mar 13 10:48:58 2020 Summary: Security update for glibc Severity: moderate References: 1163184,1164505,1165784,CVE-2020-10029 Description: This update for glibc fixes the following issues: - CVE-2020-10029: Fixed a potential overflow in on-stack buffer during range reduction (bsc#1165784). - Fixed an issue where pthread were not always locked correctly (bsc#1164505). - Document mprotect and introduce section on memory protection (bsc#1163184). ----------------------------------------- Patch: SUSE-2020-689 Released: Fri Mar 13 17:09:01 2020 Summary: Recommended update for pam Severity: moderate References: 1166510 Description: This update for PAM fixes the following issue: - The license of libdb linked against pam_userdb is not always wanted, so we temporary disabled pam_userdb again. It will be published in a different package at a later time. (bsc#1166510) ----------------------------------------- Patch: SUSE-2020-475 Released: Thu Mar 19 11:00:46 2020 Summary: Recommended update for systemd Severity: moderate References: 1160595 Description: This update for systemd fixes the following issues: - Remove TasksMax limit for both user and system slices (jsc#SLE-10123) - Backport IP filtering feature (jsc#SLE-7743 bsc#1160595) ----------------------------------------- Patch: SUSE-2020-729 Released: Thu Mar 19 14:44:22 2020 Summary: Recommended update for glibc Severity: moderate References: 1166106 Description: This update for glibc fixes the following issues: - Allow dlopen of filter object to work (bsc#1166106, BZ #16272) ----------------------------------------- Patch: SUSE-2020-793 Released: Wed Mar 25 15:16:00 2020 Summary: Recommended update for systemd Severity: moderate References: 1139459,1161262,1162108,1164717,1165579,CVE-2020-1712 Description: This update for systemd fixes the following issues: - manager: fix job mode when signalled to shutdown etc (bsc#1161262) - remove fallback for user/exit.target - dbus method Manager.Exit() does not start exit.target - do not install rescue.target for alt-↑ - %j/%J unit specifiers Added support for I/O scheduler selection with blk-mq (bsc#1165579, bsc#1164717). Added the udev 60-ssd-scheduler.rules: - This rules file which select the default IO scheduler for SSDs is being moved out from the git repo since this is not related to systemd or udev at all and is maintained by the kernel team. - core: coldplug possible nop_job (bsc#1139459) - Revert 'udev: use 'deadline' IO scheduler for SSD disks' - Fix typo in function name - polkit: when authorizing via PK let's re-resolve callback/userdata instead of caching it (bsc#1162108 CVE-2020-1712) - sd-bus: introduce API for re-enqueuing incoming messages - polkit: on async pk requests, re-validate action/details ----------------------------------------- Patch: SUSE-2020-820 Released: Tue Mar 31 13:02:22 2020 Summary: Security update for glibc Severity: important References: 1167631,CVE-2020-1752 Description: This update for glibc fixes the following issues: - CVE-2020-1752: Fixed a use after free in glob which could have allowed a local attacker to create a specially crafted path that, when processed by the glob function, could potentially have led to arbitrary code execution (bsc#1167631). ----------------------------------------- Patch: SUSE-2020-846 Released: Thu Apr 2 07:24:07 2020 Summary: Recommended update for libgcrypt Severity: moderate References: 1164950,1166748,1167674 Description: This update for libgcrypt fixes the following issues: - FIPS: Remove an unneeded check in _gcry_global_constructor (bsc#1164950) - FIPS: Fix drbg to be threadsafe (bsc#1167674) - FIPS: Run self-tests from constructor during power-on [bsc#1166748] * Set up global_init as the constructor function: * Relax the entropy requirements on selftest. This is especially important for virtual machines to boot properly before the RNG is available: ----------------------------------------- Patch: SUSE-2020-917 Released: Fri Apr 3 15:02:25 2020 Summary: Recommended update for pam Severity: moderate References: 1166510 Description: This update for pam fixes the following issues: - Moved pam_userdb into a separate package pam-extra. (bsc#1166510) ----------------------------------------- Patch: SUSE-2020-948 Released: Wed Apr 8 07:44:21 2020 Summary: Security update for gmp, gnutls, libnettle Severity: moderate References: 1152692,1155327,1166881,1168345,CVE-2020-11501 Description: This update for gmp, gnutls, libnettle fixes the following issues: Security issue fixed: - CVE-2020-11501: Fixed zero random value in DTLS client hello (bsc#1168345) FIPS related bugfixes: - FIPS: Install checksums for binary integrity verification which are required when running in FIPS mode (bsc#1152692, jsc#SLE-9518) - FIPS: Fixed a cfb8 decryption issue, no longer truncate output IV if input is shorter than block size. (bsc#1166881) - FIPS: Added Diffie Hellman public key verification test. (bsc#1155327) ----------------------------------------- Patch: SUSE-2020-961 Released: Wed Apr 8 13:34:06 2020 Summary: Recommended update for e2fsprogs Severity: moderate References: 1160979 Description: This update for e2fsprogs fixes the following issues: - e2fsck: clarify overflow link count error message (bsc#1160979) - ext2fs: update allocation info earlier in ext2fs_mkdir() (bsc#1160979) - ext2fs: implement dir entry creation in htree directories (bsc#1160979) - tests: add test to excercise indexed directories with metadata_csum (bsc#1160979) - tune2fs: update dir checksums when clearing dir_index feature (bsc#1160979) ----------------------------------------- Patch: SUSE-2020-967 Released: Thu Apr 9 11:41:53 2020 Summary: Security update for libssh Severity: moderate References: 1168699,CVE-2020-1730 Description: This update for libssh fixes the following issues: - CVE-2020-1730: Fixed a possible denial of service when using AES-CTR (bsc#1168699). ----------------------------------------- Patch: SUSE-2020-1063 Released: Wed Apr 22 10:46:50 2020 Summary: Recommended update for libgcrypt Severity: moderate References: 1165539,1169569 Description: This update for libgcrypt fixes the following issues: This update for libgcrypt fixes the following issues: - FIPS: Switch the PCT to use the new signature operation (bsc#1165539) - FIPS: Verify that the generated signature and the original input differ in test_keys function for RSA, DSA and ECC (bsc#1165539) - Add zero-padding when qx and qy have different lengths when assembling the Q point from affine coordinates. - Ship the FIPS checksum file in the shared library package and create a separate trigger file for the FIPS selftests (bsc#1169569) ----------------------------------------- Patch: SUSE-2020-1175 Released: Tue May 5 08:33:43 2020 Summary: Recommended update for systemd Severity: moderate References: 1165011,1168076 Description: This update for systemd fixes the following issues: - Fix check for address to keep interface names stable. (bsc#1168076) - Fix for checking non-normalized WHAT for network FS. (bsc#1165011) - Allow to specify an arbitrary string for when vfs is used. (bsc#1165011) ----------------------------------------- Patch: SUSE-2020-1214 Released: Thu May 7 11:20:34 2020 Summary: Recommended update for libgcrypt Severity: moderate References: 1169944 Description: This update for libgcrypt fixes the following issues: - FIPS: libgcrypt: Fixed a double free in test_keys() on failed signature verification (bsc#1169944) ----------------------------------------- Patch: SUSE-2020-1219 Released: Thu May 7 17:10:42 2020 Summary: Security update for openldap2 Severity: important References: 1170771,CVE-2020-12243 Description: This update for openldap2 fixes the following issues: - CVE-2020-12243: Fixed a denial of service related to recursive filters (bsc#1170771). ----------------------------------------- Patch: SUSE-2020-1226 Released: Fri May 8 10:51:05 2020 Summary: Recommended update for gcc9 Severity: moderate References: 1149995,1152590,1167898 Description: This update for gcc9 fixes the following issues: This update ships the GCC 9.3 release. - Includes a fix for Internal compiler error when building HepMC (bsc#1167898) - Includes fix for binutils version parsing - Add libstdc++6-pp provides and conflicts to avoid file conflicts with same minor version of libstdc++6-pp from gcc10. - Add gcc9 autodetect -g at lto link (bsc#1149995) - Install go tool buildid for bootstrapping go ----------------------------------------- Patch: SUSE-2020-1294 Released: Mon May 18 07:38:36 2020 Summary: Security update for file Severity: moderate References: 1154661,1169512,CVE-2019-18218 Description: This update for file fixes the following issues: Security issues fixed: - CVE-2019-18218: Fixed a heap-based buffer overflow in cdf_read_property_info() (bsc#1154661). Non-security issue fixed: - Fixed broken '--help' output (bsc#1169512). ----------------------------------------- Patch: SUSE-2020-1299 Released: Mon May 18 07:43:21 2020 Summary: Security update for libxml2 Severity: moderate References: 1159928,1161517,1161521,CVE-2019-19956,CVE-2019-20388,CVE-2020-7595 Description: This update for libxml2 fixes the following issues: - CVE-2019-20388: Fixed a memory leak in xmlSchemaPreRun (bsc#1161521). - CVE-2019-19956: Fixed a memory leak (bsc#1159928). - CVE-2020-7595: Fixed an infinite loop in an EOF situation (bsc#1161517). ----------------------------------------- Patch: SUSE-2020-1328 Released: Mon May 18 17:16:04 2020 Summary: Recommended update for grep Severity: moderate References: 1155271 Description: This update for grep fixes the following issues: - Update testsuite expectations, no functional changes (bsc#1155271) ----------------------------------------- Patch: SUSE-2020-1361 Released: Thu May 21 09:31:18 2020 Summary: Recommended update for libgcrypt Severity: moderate References: 1171872 Description: This update for libgcrypt fixes the following issues: - FIPS: RSA/DSA/ECC test_keys() print out debug messages only in debug mode (bsc#1171872) ----------------------------------------- Patch: SUSE-2020-1370 Released: Thu May 21 19:06:00 2020 Summary: Recommended update for systemd-presets-branding-SLE Severity: moderate References: 1171656 Description: This update for systemd-presets-branding-SLE fixes the following issues: Cleanup of outdated autostart services (bsc#1171656): - Remove acpid.service. acpid is only available on SLE via openSUSE backports. In openSUSE acpid.service is *not* autostarted. I see no reason why it should be on SLE. - Remove spamassassin.timer. This timer never seems to have existed. Instead spamassassin ships a 'sa-update.timer'. But it is not default-enabled and nobody ever complained about this. - Remove snapd.apparmor.service: This service was proactively added a year ago, but snapd didn't even make it into openSUSE yet. There's no reason to keep this entry unless snapd actually enters SLE which is not foreseeable. ----------------------------------------- Patch: SUSE-2020-1400 Released: Mon May 25 14:09:02 2020 Summary: Recommended update for glibc Severity: moderate References: 1162930 Description: This update for glibc fixes the following issues: - nptl: wait for pending setxid request also in detached thread. (bsc#1162930) ----------------------------------------- Patch: SUSE-2020-1404 Released: Mon May 25 15:32:34 2020 Summary: Recommended update for zlib Severity: moderate References: 1138793,1166260 Description: This update for zlib fixes the following issues: - Including the latest fixes from IBM (bsc#1166260) IBM Z mainframes starting from version z15 provide DFLTCC instruction, which implements deflate algorithm in hardware with estimated compression and decompression performance orders of magnitude faster than the current zlib and ratio comparable with that of level 1. - Add SUSE specific fix to solve bsc#1138793. The fix will avoid to test if the app was linked with exactly same version of zlib like the one that is present on the runtime. ----------------------------------------- Patch: SUSE-2020-1506 Released: Fri May 29 17:22:11 2020 Summary: Recommended update for aaa_base Severity: moderate References: 1087982,1170527 Description: This update for aaa_base fixes the following issues: - Not all XTerm based emulators do have a terminfo entry. (bsc#1087982) - Better support of Midnight Commander. (bsc#1170527) ----------------------------------------- Patch: SUSE-2020-1532 Released: Thu Jun 4 10:16:12 2020 Summary: Security update for libxml2 Severity: moderate References: 1172021,CVE-2019-19956 Description: This update for libxml2 fixes the following issues: - CVE-2019-19956: Reverted the upstream fix for this memory leak because it introduced other, more severe vulnerabilities (bsc#1172021). ----------------------------------------- Patch: SUSE-2020-1682 Released: Fri Jun 19 09:44:54 2020 Summary: Security update for perl Severity: important References: 1171863,1171864,1171866,1172348,CVE-2020-10543,CVE-2020-10878,CVE-2020-12723 Description: This update for perl fixes the following issues: - CVE-2020-10543: Fixed a heap buffer overflow in regular expression compiler which could have allowed overwriting of allocated memory with attacker's data (bsc#1171863). - CVE-2020-10878: Fixed multiple integer overflows which could have allowed the insertion of instructions into the compiled form of Perl regular expression (bsc#1171864). - CVE-2020-12723: Fixed an attacker's corruption of the intermediate language state of a compiled regular expression (bsc#1171866). - Fixed a bad warning in features.ph (bsc#1172348). ----------------------------------------- Patch: SUSE-2020-1733 Released: Wed Jun 24 09:43:36 2020 Summary: Security update for curl Severity: important References: 1173026,1173027,CVE-2020-8169,CVE-2020-8177 Description: This update for curl fixes the following issues: - CVE-2020-8177: Fixed an issue where curl could have been tricked by a malicious server to overwrite a local file when using the -J option (bsc#1173027). - CVE-2020-8169: Fixed an issue where could have led to partial password leak over DNS on HTTP redirect (bsc#1173026). ----------------------------------------- Patch: SUSE-2020-1759 Released: Thu Jun 25 18:44:37 2020 Summary: Recommended update for krb5 Severity: moderate References: 1169357 Description: This update for krb5 fixes the following issue: - Call systemd to reload the services instead of init-scripts. (bsc#1169357) ----------------------------------------- Patch: SUSE-2020-1760 Released: Thu Jun 25 18:46:13 2020 Summary: Recommended update for systemd Severity: moderate References: 1157315,1162698,1164538,1169488,1171145,1172072 Description: This update for systemd fixes the following issues: - Merge branch 'SUSE/v234' into SLE15 units: starting suspend.target should not fail when suspend is successful (bsc#1172072) core/mount: do not add Before=local-fs.target or remote-fs.target if nofail mount option is set mount: let mount_add_extras() take care of remote-fs.target deps (bsc#1169488) mount: set up local-fs.target/remote-fs.target deps in mount_add_default_dependencies() too udev: rename the persistent link for ATA devices (bsc#1164538) shared/install: try harder to find enablement symlinks when disabling a unit (bsc#1157315) tmpfiles: remove unnecessary assert (bsc#1171145) test-engine: manager_free() was called too early pid1: by default make user units inherit their umask from the user manager (bsc#1162698) ----------------------------------------- Patch: SUSE-2020-1795 Released: Mon Jun 29 11:22:45 2020 Summary: Recommended update for lvm2 Severity: important References: 1172566 Description: This update for lvm2 fixes the following issues: - Fix potential data loss problem with LVM cache (bsc#1172566) ----------------------------------------- Patch: SUSE-2020-1396 Released: Fri Jul 3 12:33:05 2020 Summary: Security update for zstd Severity: moderate References: 1082318,1133297 Description: This update for zstd fixes the following issues: - Fix for build error caused by wrong static libraries. (bsc#1133297) - Correction in spec file marking the license as documentation. (bsc#1082318) - Add new package for SLE-15. (jsc#ECO-1886) ----------------------------------------- Patch: SUSE-2020-1856 Released: Mon Jul 6 17:05:51 2020 Summary: Security update for openldap2 Severity: important References: 1172698,1172704,CVE-2020-8023 Description: This update for openldap2 fixes the following issues: - CVE-2020-8023: Fixed a potential local privilege escalation from ldap to root when OPENLDAP_CONFIG_BACKEND='ldap' was used (bsc#1172698). - Changed DB_CONFIG to root:ldap permissions (bsc#1172704). ----------------------------------------- Patch: SUSE-2020-1938 Released: Thu Jul 16 14:43:32 2020 Summary: Recommended update for libsolv, libzypp, zypper Severity: moderate References: 1169947,1170801,1172925,1173106 Description: This update for libsolv, libzypp, zypper fixes the following issues: libsolv was updated to: - Enable zstd compression support for sle15 zypper was updated to version 1.14.37: - Print switch abbrev warning to stderr (bsc#1172925) - Fix typo in man page (bsc#1169947) libzypp was updated to 17.24.0 - Fix core dump with corrupted history file (bsc#1170801) - Enable zchunk metadata download if libsolv supports it. - Better handling of the purge-kernels algorithm. (bsc#1173106) ----------------------------------------- Patch: SUSE-2020-1954 Released: Sat Jul 18 03:07:15 2020 Summary: Recommended update for cracklib Severity: moderate References: 1172396 Description: This update for cracklib fixes the following issues: - Fixed a buffer overflow when processing long words. ----------------------------------------- Patch: SUSE-2020-1979 Released: Tue Jul 21 02:41:47 2020 Summary: Recommended update for golang-github-prometheus-node_exporter Severity: moderate References: 1143913 Description: This update for golang-github-prometheus-node_exporter fixes the following issues: - Update from version 0.17.0 to version 0.18.1 (jsc#ECO-2110) 0.18.1 / 2019-06-04 * [BUGFIX] Fix incorrect sysctl call in BSD meminfo collector, resulting in broken swap metrics on FreeBSD * [BUGFIX] Fix rollover bug in mountstats collector 0.18.0 / 2019-05-09 * Renamed interface label to device in netclass collector for consistency with other network metrics * The cpufreq metrics now separate the cpufreq and scaling data based on what the driver provides. * The labels for the network_up metric have changed * Bonding collector now uses mii_status instead of operstatus * Several systemd metrics have been turned off by default to improve performance * These include unit_tasks_current, unit_tasks_max, service_restart_total, and unit_start_time_seconds * The systemd collector blacklist now includes automount, device, mount, and slice units by default. * [CHANGE] Bonding state uses mii_status * [CHANGE] Add a limit to the number of in-flight requests * [CHANGE] Renamed interface label to device in netclass collector * [CHANGE] Add separate cpufreq and scaling metrics * [CHANGE] Several systemd metrics have been turned off by default to improve performance * [CHANGE] Expand systemd collector blacklist * [CHANGE] Split cpufreq metrics into a separate collector * [FEATURE] Add a flag to disable exporter metrics * [FEATURE] Add kstat-based Solaris metrics for boottime, cpu and zfs collectors * [FEATURE] Add uname collector for FreeBSD * [FEATURE] Add diskstats collector for OpenBSD * [FEATURE] Add pressure collector exposing pressure stall information for Linux * [FEATURE] Add perf exporter for Linux * [ENHANCEMENT] Add Infiniband counters * [ENHANCEMENT] Add TCPSynRetrans to netstat default filter * [ENHANCEMENT] Move network_up labels into new metric network_info * [ENHANCEMENT] Use 64-bit counters for Darwin netstat * [BUGFIX] Add fallback for missing /proc/1/mounts * [BUGFIX] Fix node_textfile_mtime_seconds to work properly on symlinks - Add network-online (Wants and After) dependency to systemd unit. (bsc#1143913) ----------------------------------------- Patch: SUSE-2020-1987 Released: Tue Jul 21 17:02:15 2020 Summary: Recommended update for libsolv, libzypp, yast2-packager, yast2-pkg-bindings Severity: important References: 1172477,1173336,1174011 Description: This update for libsolv, libzypp, yast2-packager, yast2-pkg-bindings fixes the following issues: libsolv: - No source changes, just shipping it as an installer update (required by yast2-pkg-bindings). libzypp: - Proactively send credentials if the URL specifes '?auth=basic' and a username. (bsc#1174011) - ZYPP_MEDIA_CURL_DEBUG: Strip credentials in header log. (bsc#1174011) yast2-packager: - Handle variable expansion in repository name. (bsc#1172477) - Improve medium type detection, do not report Online medium when the /media.1/products file is missing in the repository, SMT does not mirror this file. (bsc#1173336) yast2-pkg-bindings: - Extensions to handle raw repository name. (bsc#1172477) ----------------------------------------- Patch: SUSE-2020-2018 Released: Thu Jul 23 09:35:42 2020 Summary: Recommended update for apparmor Severity: moderate References: 1172040 Description: This update for apparmor fixes the following issues: - Add 'UI_Showfile' so Yast shows the profile correctly. (bsc#1172040) ----------------------------------------- Patch: SUSE-2020-2083 Released: Thu Jul 30 10:27:59 2020 Summary: Recommended update for diffutils Severity: moderate References: 1156913 Description: This update for diffutils fixes the following issue: - Disable a sporadically failing test for ppc64 and ppc64le builds. (bsc#1156913) ----------------------------------------- Patch: SUSE-2020-2099 Released: Fri Jul 31 08:06:40 2020 Summary: Recommended update for systemd Severity: moderate References: 1173227,1173229,1173422 Description: This update for systemd fixes the following issues: - migrate-sysconfig-i18n.sh: fixed marker handling (bsc#1173229) The marker is used to make sure the script is run only once. Instead of storing it in /usr, use /var which is more appropriate for such file. Also make it owned by systemd package. - Fix inconsistent file modes for some ghost files (bsc#1173227) Ghost files are assumed by rpm to have mode 000 by default which is not consistent with file permissions set at runtime. Also /var/lib/systemd/random-seed was tracked wrongly as a directory. Also don't track (ghost) /etc/systemd/system/runlevel*.target aliases since we're not supposed to track units or aliases user might define/override. - Fix build of systemd on openSUSE Leap 15.2 (bsc#1173422) ----------------------------------------- Patch: SUSE-2020-2148 Released: Thu Aug 6 13:36:17 2020 Summary: Recommended update for ca-certificates-mozilla Severity: important References: 1174673 Description: This update for ca-certificates-mozilla fixes the following issues: Update to 2.42 state of the Mozilla NSS Certificate store (bsc#1174673) Removed CAs: * AddTrust External CA Root * AddTrust Class 1 CA Root * LuxTrust Global Root 2 * Staat der Nederlanden Root CA - G2 * Symantec Class 1 Public Primary Certification Authority - G4 * Symantec Class 2 Public Primary Certification Authority - G4 * VeriSign Class 3 Public Primary Certification Authority - G3 Added CAs: * certSIGN Root CA G2 * e-Szigno Root CA 2017 * Microsoft ECC Root Certificate Authority 2017 * Microsoft RSA Root Certificate Authority 2017 ----------------------------------------- Patch: SUSE-2020-2224 Released: Thu Aug 13 09:15:47 2020 Summary: Recommended update for glibc Severity: moderate References: 1171878,1172085 Description: This update for glibc fixes the following issues: - Fix concurrent changes on nscd aware files appeared by 'getent' when the NSCD cache was enabled. (bsc#1171878, BZ #23178) - Implement correct locking and cancellation cleanup in syslog functions. (bsc#1172085, BZ #26100) ----------------------------------------- Patch: SUSE-2020-2278 Released: Wed Aug 19 21:26:08 2020 Summary: Recommended update for util-linux Severity: moderate References: 1149911,1151708,1168235,1168389 Description: This update for util-linux fixes the following issues: - blockdev: Do not fail --report on kpartx-style partitions on multipath. (bsc#1168235) - nologin: Add support for -c to prevent error from su -c. (bsc#1151708) - Avoid triggering autofs in lookup_umount_fs_by_statfs. (bsc#1168389) - mount: Fall back to device node name if /dev/mapper link not found. (bsc#1149911) ----------------------------------------- Patch: SUSE-2020-2384 Released: Sat Aug 29 00:57:13 2020 Summary: Recommended update for e2fsprogs Severity: low References: 1170964 Description: This update for e2fsprogs fixes the following issues: - Fix for an issue when system message with placeholders are not properly replaced. (bsc#1170964) ----------------------------------------- Patch: SUSE-2020-2411 Released: Tue Sep 1 13:28:47 2020 Summary: Recommended update for systemd Severity: moderate References: 1142733,1146991,1158336,1172195,1172824,1173539 Description: This update for systemd fixes the following issues: - Improve logging when PID1 fails at setting a namespace up when spawning a command specified by 'Exec*='. (bsc#1172824, bsc#1142733) pid1: improve message when setting up namespace fails. execute: let's close glibc syslog channels too. execute: normalize logging in *execute.c*. execute: fix typo in error message. execute: drop explicit *log_open()*/*log_close()* now that it is unnecessary. execute: make use of the new logging mode in *execute.c* log: add a mode where we open the log fds for every single log message. log: let's make use of the fact that our functions return the negative error code for *log_oom()* too. execute: downgrade a log message ERR → WARNING, since we proceed ignoring its result. execute: rework logging in *setup_keyring()* to include unit info. execute: improve and augment execution log messages. - vconsole-setup: downgrade log message when setting font fails on dummy console. (bsc#1172195 bsc#1173539) - fix infinite timeout. (bsc#1158336) - bpf: mount bpffs by default on boot. (bsc#1146991) - man: explain precedence for options which take a list. - man: unify titling, fix description of precedence in sysusers.d(5) - udev-event: fix timeout log messages. ----------------------------------------- Patch: SUSE-2020-2420 Released: Tue Sep 1 13:48:35 2020 Summary: Recommended update for zlib Severity: moderate References: 1174551,1174736 Description: This update for zlib provides the following fixes: - Permit a deflateParams() parameter change as soon as possible. (bsc#1174736) - Fix DFLTCC not flushing EOBS when creating raw streams. (bsc#1174551) ----------------------------------------- Patch: SUSE-2020-2445 Released: Wed Sep 2 09:33:02 2020 Summary: Security update for curl Severity: moderate References: 1175109,CVE-2020-8231 Description: This update for curl fixes the following issues: - An application that performs multiple requests with libcurl's multi API and sets the 'CURLOPT_CONNECT_ONLY' option, might in rare circumstances experience that when subsequently using the setup connect-only transfer, libcurl will pick and use the wrong connection and instead pick another one the application has created since then. [bsc#1175109, CVE-2020-8231] ----------------------------------------- Patch: SUSE-2020-2581 Released: Wed Sep 9 13:07:07 2020 Summary: Security update for openldap2 Severity: moderate References: 1174154,CVE-2020-15719 Description: This update for openldap2 fixes the following issues: - bsc#1174154 - CVE-2020-15719 - This resolves an issue with x509 SAN's falling back to CN validation in violation of rfc6125. ----------------------------------------- Patch: SUSE-2020-2612 Released: Fri Sep 11 11:18:01 2020 Summary: Security update for libxml2 Severity: moderate References: 1176179,CVE-2020-24977 Description: This update for libxml2 fixes the following issues: - CVE-2020-24977: Fixed a global-buffer-overflow in xmlEncodeEntitiesInternal (bsc#1176179). ----------------------------------------- Patch: SUSE-2020-2638 Released: Tue Sep 15 15:41:32 2020 Summary: Recommended update for cryptsetup Severity: moderate References: 1165580 Description: This update for cryptsetup fixes the following issues: Update from version 2.0.5 to version 2.0.6. (jsc#SLE-5911, bsc#1165580) - Fix support of larger metadata areas in *LUKS2* header. This release properly supports all specified metadata areas, as documented in *LUKS2* format description. Currently, only default metadata area size is used (in format or convert). Later cryptsetup versions will allow increasing this metadata area size. - If *AEAD* (authenticated encryption) is used, cryptsetup now tries to check if the requested *AEAD* algorithm with specified key size is available in kernel crypto API. This change avoids formatting a device that cannot be later activated. For this function, the kernel must be compiled with the *CONFIG_CRYPTO_USER_API_AEAD* option enabled. Note that kernel user crypto API options (*CONFIG_CRYPTO_USER_API* and *CONFIG_CRYPTO_USER_API_SKCIPHER*) are already mandatory for LUKS2. - Fix setting of integrity no-journal flag. Now you can store this flag to metadata using *\--persistent* option. - Fix cryptsetup-reencrypt to not keep temporary reencryption headers if interrupted during initial password prompt. - Adds early check to plain and LUKS2 formats to disallow device format if device size is not aligned to requested sector size. Previously it was possible, and the device was rejected to activate by kernel later. - Fix checking of hash algorithms availability for *PBKDF* early. Previously *LUKS2* format allowed non-existent hash algorithm with invalid keyslot preventing the device from activation. - Allow Adiantum cipher construction (a non-authenticated length-preserving fast encryption scheme), so it can be used both for data encryption and keyslot encryption in *LUKS1/2* devices. For benchmark, use: # cryptsetup benchmark -c xchacha12,aes-adiantum # cryptsetup benchmark -c xchacha20,aes-adiantum For LUKS format: # cryptsetup luksFormat -c xchacha20,aes-adiantum-plain64 -s 256 ----------------------------------------- Patch: SUSE-2020-2651 Released: Wed Sep 16 14:42:55 2020 Summary: Recommended update for zlib Severity: moderate References: 1175811,1175830,1175831 Description: This update for zlib fixes the following issues: - Fix compression level switching (bsc#1175811, bsc#1175830, bsc#1175831) - Enable hardware compression on s390/s390x (jsc#SLE-13776) ----------------------------------------- Patch: SUSE-2020-2704 Released: Tue Sep 22 15:06:36 2020 Summary: Recommended update for krb5 Severity: moderate References: 1174079 Description: This update for krb5 fixes the following issue: - Fix prefix reported by krb5-config, libraries and headers are not installed under /usr/lib/mit prefix. (bsc#1174079) ----------------------------------------- Patch: SUSE-2020-2712 Released: Tue Sep 22 17:08:03 2020 Summary: Security update for openldap2 Severity: moderate References: 1175568,CVE-2020-8027 Description: This update for openldap2 fixes the following issues: - CVE-2020-8027: openldap_update_modules_path.sh starts daemons unconditionally and uses fixed paths in /tmp (bsc#1175568). ----------------------------------------- Patch: SUSE-2020-2819 Released: Thu Oct 1 10:39:16 2020 Summary: Recommended update for libzypp, zypper Severity: moderate References: 1165424,1173273,1173529,1174240,1174561,1174918,1175342,1175592 Description: This update for libzypp, zypper provides the following fixes: Changes in libzypp: - VendorAttr: Const-correct API and let Target provide its settings. (bsc#1174918) - Support buildnr with commit hash in purge-kernels. This adds special behaviour for when a kernel version has the rebuild counter before the kernel commit hash. (bsc#1175342) - Improve Italian translation of the 'breaking dependencies' message. (bsc#1173529) - Make sure reading from lsof does not block forever. (bsc#1174240) - Just collect details for the signatures found. Changes in zypper: - man: Enhance description of the global package cache. (bsc#1175592) - man: Point out that plain rpm packages are not downloaded to the global package cache. (bsc#1173273) - Directly list subcommands in 'zypper help'. (bsc#1165424) - Remove extern C block wrapping augeas.h as it breaks the build on Arch Linux. - Point out that plaindir repos do not follow symlinks. (bsc#1174561) - Fix help command for list-patches. ----------------------------------------- Patch: SUSE-2020-2842 Released: Fri Oct 2 12:17:55 2020 Summary: Recommended update for golang-github-prometheus-node_exporter Severity: moderate References: 1151557 Description: This update for golang-github-prometheus-node_exporter fixes the following issues: - Add missing sysconfig file in rpm bsc#1151557 - Changes from 1.0.1 * Changes to build specification + Modify spec: update golang version to 1.14 + Remove update tarball script + Add _service file to allow for updates via `osc service disabledrun` * Bug fixes + [BUGFIX] filesystem_freebsd: Fix label values #1728 + [BUGFIX] Update prometheus/procfs to fix log noise #1735 + [BUGFIX] Fix build tags for collectors #1745 + [BUGFIX] Handle no data from powersupplyclass #1747, #1749 - Changes from 1.0.0 * Bug fixes + [BUGFIX] Read /proc/net files with a single read syscall #1380 + [BUGFIX] Renamed label state to name on node_systemd_service_restart_total. #1393 + [BUGFIX] Fix netdev nil reference on Darwin #1414 + [BUGFIX] Strip path.rootfs from mountpoint labels #1421 + [BUGFIX] Fix seconds reported by schedstat #1426 + [BUGFIX] Fix empty string in path.rootfs #1464 + [BUGFIX] Fix typo in cpufreq metric names #1510 + [BUGFIX] Read /proc/stat in one syscall #1538 + [BUGFIX] Fix OpenBSD cache memory information #1542 + [BUGFIX] Refactor textfile collector to avoid looping defer #1549 + [BUGFIX] Fix network speed math #1580 + [BUGFIX] collector/systemd: use regexp to extract systemd version #1647 + [BUGFIX] Fix initialization in perf collector when using multiple CPUs #1665 + [BUGFIX] Fix accidentally empty lines in meminfo_linux #1671 * Several enhancements + See https://github.com/prometheus/node_exporter/releases/tag/v1.0.0 - Changes from 1.0.0-rc.0 Breaking changes * The netdev collector CLI argument --collector.netdev.ignored-devices was renamed to --collector.netdev.device-blacklist in order to conform with the systemd collector. #1279 * The label named state on node_systemd_service_restart_total metrics was changed to name to better describe the metric. #1393 * Refactoring of the mdadm collector changes several metrics node_md_disks_active is removed node_md_disks now has a state label for 'fail', 'spare', 'active' disks. node_md_is_active is replaced by node_md_state with a state set of 'active', 'inactive', 'recovering', 'resync'. * Additional label mountaddr added to NFS device metrics to distinguish mounts from the same URL, but different IP addresses. #1417 * Metrics node_cpu_scaling_frequency_min_hrts and node_cpu_scaling_frequency_max_hrts of the cpufreq collector were renamed to node_cpu_scaling_frequency_min_hertz and node_cpu_scaling_frequency_max_hertz. #1510 * Collectors that are enabled, but are unable to find data to collect, now return 0 for node_scrape_collector_success. ----------------------------------------- Patch: SUSE-2020-2850 Released: Fri Oct 2 12:26:03 2020 Summary: Recommended update for lvm2 Severity: moderate References: 1175110 Description: This update for lvm2 fixes the following issues: - Fixed an issue when the hot spares in LVM not added automatically. (bsc#1175110) ----------------------------------------- Patch: SUSE-2020-2852 Released: Fri Oct 2 16:55:39 2020 Summary: Recommended update for openssl-1_1 Severity: moderate References: 1173470,1175844 Description: This update for openssl-1_1 fixes the following issues: FIPS: * Include ECDH/DH Requirements from SP800-56Arev3 (bsc#1175844, bsc#1173470). * Add shared secret KAT to FIPS DH selftest (bsc#1175844). ----------------------------------------- Patch: SUSE-2020-2864 Released: Tue Oct 6 10:34:14 2020 Summary: Security update for gnutls Severity: moderate References: 1176086,1176181,1176671,CVE-2020-24659 Description: This update for gnutls fixes the following issues: - Fix heap buffer overflow in handshake with no_renegotiation alert sent (CVE-2020-24659 bsc#1176181) - FIPS: Implement (EC)DH requirements from SP800-56Arev3 (bsc#1176086) - FIPS: Use 2048 bit prime in DH selftest (bsc#1176086) - FIPS: Add TLS KDF selftest (bsc#1176671) ----------------------------------------- Patch: SUSE-2020-2869 Released: Tue Oct 6 16:13:20 2020 Summary: Recommended update for aaa_base Severity: moderate References: 1011548,1153943,1153946,1161239,1171762 Description: This update for aaa_base fixes the following issues: - DIR_COLORS (bug#1006973): - add screen.xterm-256color - add TERM rxvt-unicode-256color - sort and merge TERM entries in etc/DIR_COLORS - check for Packages.db and use this instead of Packages. (bsc#1171762) - Rename path() to _path() to avoid using a general name. - refresh_initrd call modprobe as /sbin/modprobe (bsc#1011548) - etc/profile add some missing ;; in case esac statements - profile and csh.login: on s390x set TERM to dumb on dumb terminal (bsc#1153946) - backup-rpmdb: exit if zypper is running (bsc#1161239) - Add color alias for ip command (jsc#sle-9880, jsc#SLE-7679, bsc#1153943) ----------------------------------------- Version 2-Build4.2.38 2020-10-13T11:21:22 ----------------------------------------- Patch: SUSE-2020-2893 Released: Mon Oct 12 14:14:55 2020 Summary: Recommended update for openssl-1_1 Severity: moderate References: 1177479 Description: This update for openssl-1_1 fixes the following issues: - Restore private key check in EC_KEY_check_key (bsc#1177479) ----------------------------------------- Version 2-Build4.2.41 2020-10-16T07:59:15 ----------------------------------------- Patch: SUSE-2020-2901 Released: Tue Oct 13 14:22:43 2020 Summary: Security update for libproxy Severity: important References: 1176410,1177143,CVE-2020-25219,CVE-2020-26154 Description: This update for libproxy fixes the following issues: - CVE-2020-25219: Rewrote url::recvline to be nonrecursive (bsc#1176410). - CVE-2020-26154: Fixed a buffer overflow when PAC is enabled (bsc#1177143). ----------------------------------------- Patch: SUSE-2020-2914 Released: Tue Oct 13 17:25:20 2020 Summary: Security update for bind Severity: moderate References: 1100369,1109160,1118367,1118368,1128220,1156205,1157051,1161168,1170667,1170713,1171313,1171740,1172958,1173307,1173311,1173983,1175443,1176092,1176674,906079,CVE-2017-3136,CVE-2018-5741,CVE-2019-6477,CVE-2020-8616,CVE-2020-8617,CVE-2020-8618,CVE-2020-8619,CVE-2020-8620,CVE-2020-8621,CVE-2020-8622,CVE-2020-8623,CVE-2020-8624 Description: This update for bind fixes the following issues: BIND was upgraded to version 9.16.6: Note: - bind is now more strict in regards to DNSSEC. If queries are not working, check for DNSSEC issues. For instance, if bind is used in a namserver forwarder chain, the forwarding DNS servers must support DNSSEC. Fixing security issues: - CVE-2020-8616: Further limit the number of queries that can be triggered from a request. Root and TLD servers are no longer exempt from max-recursion-queries. Fetches for missing name server. (bsc#1171740) Address records are limited to 4 for any domain. - CVE-2020-8617: Replaying a TSIG BADTIME response as a request could trigger an assertion failure. (bsc#1171740) - CVE-2019-6477: Fixed an issue where TCP-pipelined queries could bypass the tcp-clients limit (bsc#1157051). - CVE-2018-5741: Fixed the documentation (bsc#1109160). - CVE-2020-8618: It was possible to trigger an INSIST when determining whether a record would fit into a TCP message buffer (bsc#1172958). - CVE-2020-8619: It was possible to trigger an INSIST in lib/dns/rbtdb.c:new_reference() with a particular zone content and query patterns (bsc#1172958). - CVE-2020-8624: 'update-policy' rules of type 'subdomain' were incorrectly treated as 'zonesub' rules, which allowed keys used in 'subdomain' rules to update names outside of the specified subdomains. The problem was fixed by making sure 'subdomain' rules are again processed as described in the ARM (bsc#1175443). - CVE-2020-8623: When BIND 9 was compiled with native PKCS#11 support, it was possible to trigger an assertion failure in code determining the number of bits in the PKCS#11 RSA public key with a specially crafted packet (bsc#1175443). - CVE-2020-8621: named could crash in certain query resolution scenarios where QNAME minimization and forwarding were both enabled (bsc#1175443). - CVE-2020-8620: It was possible to trigger an assertion failure by sending a specially crafted large TCP DNS message (bsc#1175443). - CVE-2020-8622: It was possible to trigger an assertion failure when verifying the response to a TSIG-signed request (bsc#1175443). Other issues fixed: - Add engine support to OpenSSL EdDSA implementation. - Add engine support to OpenSSL ECDSA implementation. - Update PKCS#11 EdDSA implementation to PKCS#11 v3.0. - Warn about AXFR streams with inconsistent message IDs. - Make ISC rwlock implementation the default again. - Fixed issues when using cookie-secrets for AES and SHA2 (bsc#1161168) - Installed the default files in /var/lib/named and created chroot environment on systems using transactional-updates (bsc#1100369, fate#325524) - Fixed an issue where bind was not working in FIPS mode (bsc#906079). - Fixed dependency issues (bsc#1118367 and bsc#1118368). - GeoIP support is now discontinued, now GeoIP2 is used(bsc#1156205). - Fixed an issue with FIPS (bsc#1128220). - The liblwres library is discontinued upstream and is no longer included. - Added service dependency on NTP to make sure the clock is accurate when bind is starts (bsc#1170667, bsc#1170713). - Reject DS records at the zone apex when loading master files. Log but otherwise ignore attempts to add DS records at the zone apex via UPDATE. - The default value of 'max-stale-ttl' has been changed from 1 week to 12 hours. - Zone timers are now exported via statistics channel. - The 'primary' and 'secondary' keywords, when used as parameters for 'check-names', were not processed correctly and were being ignored. - 'rndc dnstap -roll ' did not limit the number of saved files to . - Add 'rndc dnssec -status' command. - Addressed a couple of situations where named could crash. - Changed /var/lib/named to owner root:named and perms rwxrwxr-t so that named, being a/the only member of the 'named' group has full r/w access yet cannot change directories owned by root in the case of a compromized named. [bsc#1173307, bind-chrootenv.conf] - Added '/etc/bind.keys' to NAMED_CONF_INCLUDE_FILES in /etc/sysconfig/named to suppress warning message re missing file (bsc#1173983). - Removed '-r /dev/urandom' from all invocations of rndc-confgen (init/named system/lwresd.init system/named.init in vendor-files) as this option is deprecated and causes rndc-confgen to fail. (bsc#1173311, bsc#1176674, bsc#1170713) - /usr/bin/genDDNSkey: Removing the use of the -r option in the call of /usr/sbin/dnssec-keygen as BIND now uses the random number functions provided by the crypto library (i.e., OpenSSL or a PKCS#11 provider) as a source of randomness rather than /dev/random. Therefore the -r command line option no longer has any effect on dnssec-keygen. Leaving the option in genDDNSkey as to not break compatibility. Patch provided by Stefan Eisenwiener. [bsc#1171313] - Put libns into a separate subpackage to avoid file conflicts in the libisc subpackage due to different sonums (bsc#1176092). - Require /sbin/start_daemon: both init scripts, the one used in systemd context as well as legacy sysv, make use of start_daemon. ----------------------------------------- Version 2-Build4.2.43 2020-10-18T07:58:55 ----------------------------------------- Patch: SUSE-2020-2947 Released: Fri Oct 16 15:23:07 2020 Summary: Security update for gcc10, nvptx-tools Severity: moderate References: 1172798,1172846,1173972,1174753,1174817,1175168,CVE-2020-13844 Description: This update for gcc10, nvptx-tools fixes the following issues: This update provides the GCC10 compiler suite and runtime libraries. The base SUSE Linux Enterprise libraries libgcc_s1, libstdc++6 are replaced by the gcc10 variants. The new compiler variants are available with '-10' suffix, you can specify them via: CC=gcc-10 CXX=g++-10 or similar commands. For a detailed changelog check out https://gcc.gnu.org/gcc-10/changes.html Changes in nvptx-tools: - Enable build on aarch64 ----------------------------------------- Version 2-Build4.2.49 2020-10-21T07:59:21 ----------------------------------------- Patch: SUSE-2020-2958 Released: Tue Oct 20 12:24:55 2020 Summary: Recommended update for procps Severity: moderate References: 1158830 Description: This update for procps fixes the following issues: - Fixes an issue when command 'ps -C' does not allow anymore an argument longer than 15 characters. (bsc#1158830) ----------------------------------------- Version 2-Build4.2.52 2020-10-26T09:41:08 ----------------------------------------- Patch: SUSE-2020-2983 Released: Wed Oct 21 15:03:03 2020 Summary: Recommended update for file Severity: moderate References: 1176123 Description: This update for file fixes the following issues: - Fixes an issue when file displays broken 'ELF' interpreter. (bsc#1176123) ----------------------------------------- Version 2-Build4.2.57 2020-10-29T07:59:05 ----------------------------------------- Patch: SUSE-2020-3048 Released: Tue Oct 27 16:04:52 2020 Summary: Recommended update for libsolv, libzypp, yaml-cpp, zypper Severity: moderate References: 1174918,1176192,1176435,1176712,1176740,1176902,1177238,935885 Description: This update for libsolv, libzypp, yaml-cpp, zypper fixes the following issues: libzypp was updated to 17.25.1: - When kernel-rt has been installed, the purge-kernels service fails during boot. (bsc#1176902) - Use package name provides as group key in purge-kernel (bsc#1176740 bsc#1176192) kernel-default-base has new packaging, where the kernel uname -r does not reflect the full package version anymore. This patch adds additional logic to use the most generic/shortest edition each package provides with %{packagename}= to group the kernel packages instead of the rpm versions. This also changes how the keep-spec for specific versions is applied, instead of matching the package versions, each of the package name provides will be matched. - RepoInfo: Return the type of the local metadata cache as fallback (bsc#1176435) - VendorAttr: Fix broken 'suse,opensuse' equivalence handling. Enhance API and testcases. (bsc#1174918) - Update docs regarding 'opensuse' namepace matching. - Link against libzstd to close libsolvs open references (as we link statically) yaml-cpp: - The libyaml-cpp0_6 library package is added the to the Basesystem module, LTSS and ESPOS channels, and the INSTALLER channels, as a new libzypp dependency. No source changes were done to yaml-cpp. zypper was updated to 1.14.40: - info: Assume descriptions starting with '

' are richtext (bsc#935885) - help: prevent 'whatis' from writing to stderr (bsc#1176712) - wp: point out that command is aliased to a search command and searches case-insensitive (jsc#SLE-16271) libsolv was updated to 0.7.15 to fix: - make testcase_mangle_repo_names deal correctly with freed repos [bsc#1177238] - fix deduceq2addedmap clearing bits outside of the map - conda: feature depriorization first - conda: fix startswith implementation - move find_update_seeds() call in cleandeps calculation - set SOLVABLE_BUILDHOST in rpm and rpmmd parsers - new testcase_mangle_repo_names() function - new solv_fmemopen() function ----------------------------------------- Version 2-Build4.2.64 2020-11-06T08:01:01 ----------------------------------------- Patch: SUSE-2020-3138 Released: Tue Nov 3 12:14:03 2020 Summary: Recommended update for systemd Severity: moderate References: 1104902,1154935,1165502,1167471,1173422,1176513,1176800 Description: This update for systemd fixes the following issues: - seccomp: shm{get,at,dt} now have their own numbers everywhere (bsc#1173422) - test-seccomp: log function names - test-seccomp: add log messages when skipping tests - basic/virt: Detect PowerVM hypervisor (bsc#1176800) - fs-util: suppress world-writable warnings if we read /dev/null - udevadm: rename option '--log-priority' into '--log-level' - udev: rename kernel option 'log_priority' into 'log_level' - fstab-generator: add 'nofail' when NFS 'bg' option is used (bsc#1176513) - Fix memory protection default (bsc#1167471) - cgroup: Support 0-value for memory protection directives and accepts MemorySwapMax=0 (bsc#1154935) - Improve latency and reliability when users log in/out (bsc#1104902, bsc#1165502) ----------------------------------------- Patch: SUSE-2020-3157 Released: Wed Nov 4 15:37:05 2020 Summary: Recommended update for ca-certificates-mozilla Severity: moderate References: 1177864 Description: This update for ca-certificates-mozilla fixes the following issues: The SSL Root CA store was updated to the 2.44 state of the Mozilla NSS Certificate store (bsc#1177864) - Removed CAs: - EE Certification Centre Root CA - Taiwan GRCA - Added CAs: - Trustwave Global Certification Authority - Trustwave Global ECC P256 Certification Authority - Trustwave Global ECC P384 Certification Authority ----------------------------------------- Version 2-Build4.2.67 2020-11-14T08:01:57 ----------------------------------------- Patch: SUSE-2020-3290 Released: Wed Nov 11 12:25:32 2020 Summary: Recommended update for findutils Severity: moderate References: 1174232 Description: This update for findutils fixes the following issues: - Do not unconditionally use leaf optimization for NFS. (bsc#1174232) NFS st_nlink are not accurate on all implementations, leading to aborts() if that assumption is made. ----------------------------------------- Patch: SUSE-2020-3313 Released: Thu Nov 12 16:07:37 2020 Summary: Security update for openldap2 Severity: important References: 1178387,CVE-2020-25692 Description: This update for openldap2 fixes the following issues: - CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387). ----------------------------------------- Version 2-Build4.2.73 2020-11-20T08:02:49 ----------------------------------------- Patch: SUSE-2020-3377 Released: Thu Nov 19 09:29:32 2020 Summary: Security update for krb5 Severity: moderate References: 1178512,CVE-2020-28196 Description: This update for krb5 fixes the following security issue: - CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512). ----------------------------------------- Patch: SUSE-2020-3381 Released: Thu Nov 19 10:53:38 2020 Summary: Recommended update for systemd Severity: moderate References: 1177458,1177490,1177510 Description: This update for systemd fixes the following issues: - build-sys: optionally disable support of journal over the network (bsc#1177458) - ask-password: prevent buffer overflow when reading from keyring (bsc#1177510) - mount: don't propagate errors from mount_setup_unit() further up - Rely on the new build option --disable-remote for journal_remote This allows to drop the workaround that consisted in cleaning journal-upload files and {sysusers.d,tmpfiles.d}/systemd-remote.conf manually when 'journal_remote' support was disabled. - Move journal-{remote,upload}.conf.5.gz man pages into systemd-journal_remote sub package - Make sure {sysusers.d,tmpfiles.d}/systemd-remote.conf are not shipped with --without=journal_remote (bsc#1177458) These files were incorrectly packaged in the main package when systemd-journal_remote was disabled. - Make use of %{_unitdir} and %{_sysusersdir} - Remove mq-deadline selection from 60-io-scheduler.rules (bsc#1177490) ----------------------------------------- Version 2-Build4.2.76 2020-11-21T08:01:55 ----------------------------------------- Patch: SUSE-2020-3462 Released: Fri Nov 20 13:14:35 2020 Summary: Recommended update for pam and sudo Severity: moderate References: 1174593,1177858,1178727 Description: This update for pam and sudo fixes the following issue: pam: - pam_xauth: do not *free* a string which has been successfully passed to *putenv*. (bsc#1177858) - Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727) - Run /usr/bin/xauth using the old user's and group's identifiers. (bsc#1174593) sudo: - Fix a problem with pam_xauth which checks effective and real uids to get the real identity of the user. (bsc#1174593) ----------------------------------------- Version 2-Build4.2.81 2020-12-02T07:57:54 ----------------------------------------- Patch: SUSE-2020-3581 Released: Tue Dec 1 14:40:22 2020 Summary: Recommended update for libusb-1_0 Severity: moderate References: 1178376 Description: This update for libusb-1_0 fixes the following issues: - Fixes a build failure for libusb for the inclusion of 'sys/time.h' on PowerPC. (bsc#1178376) ----------------------------------------- Version 2-Build4.2.83 2020-12-04T08:50:12 ----------------------------------------- Patch: SUSE-2020-3620 Released: Thu Dec 3 17:03:55 2020 Summary: Recommended update for pam Severity: moderate References: Description: This update for pam fixes the following issues: - Check if the password is part of the username. (jsc#SLE-16719, jsc#SLE-16720) - Check whether the password contains a substring of of the user's name of at least `` characters length in some form. This is enabled by the new parameter `usersubstr=` ----------------------------------------- Version 2-Build4.2.84 2020-12-07T07:46:58 ----------------------------------------- Patch: SUSE-2020-3626 Released: Fri Dec 4 13:51:46 2020 Summary: Recommended update for audit Severity: moderate References: 1179515 Description: This update for audit fixes the following issues: - Enable Aarch64 processor support. (bsc#1179515) ----------------------------------------- Version 2-Build4.2.86 2020-12-08T13:36:26 ----------------------------------------- Patch: SUSE-2020-3703 Released: Mon Dec 7 20:17:32 2020 Summary: Recommended update for aaa_base Severity: moderate References: 1179431 Description: This update for aaa_base fixes the following issue: - Avoid semicolon within (t)csh login script on S/390. (bsc#1179431) ----------------------------------------- Version 2-Build4.2.88 2020-12-09T18:06:15 ----------------------------------------- Patch: SUSE-2020-3721 Released: Wed Dec 9 13:36:46 2020 Summary: Security update for openssl-1_1 Severity: important References: 1179491,CVE-2020-1971 Description: This update for openssl-1_1 fixes the following issues: - CVE-2020-1971: Fixed a null pointer dereference in EDIPARTYNAME (bsc#1179491). ----------------------------------------- Version 2-Build4.2.89 2020-12-10T07:41:00 ----------------------------------------- Patch: SUSE-2020-3735 Released: Wed Dec 9 18:19:24 2020 Summary: Security update for curl Severity: moderate References: 1179398,1179399,1179593,CVE-2020-8284,CVE-2020-8285,CVE-2020-8286 Description: This update for curl fixes the following issues: - CVE-2020-8286: Fixed improper OSCP verification in the client side (bsc#1179593). - CVE-2020-8285: Fixed a stack overflow due to FTP wildcard (bsc#1179399). - CVE-2020-8284: Fixed an issue where a malicius FTP server could make curl connect to a different IP (bsc#1179398). ----------------------------------------- Version 3-Build5.5.5 2020-12-16T07:40:20 ----------------------------------------- Patch: SUSE-2020-3809 Released: Tue Dec 15 13:46:05 2020 Summary: Recommended update for glib2 Severity: moderate References: 1178346 Description: This update for glib2 fixes the following issues: Update from version 2.62.5 to version 2.62.6: - Support for slim format of timezone. (bsc#1178346) - Fix DST incorrect end day when using slim format. (bsc#1178346) - Fix SOCKS5 username/password authentication. - Updated translations. ----------------------------------------- Version 3-Build5.5.8 2020-12-17T07:41:10 ----------------------------------------- Patch: SUSE-2020-3853 Released: Wed Dec 16 12:27:27 2020 Summary: Recommended update for util-linux Severity: moderate References: 1084671,1169006,1174942,1175514,1175623,1178554,1178825 Description: This update for util-linux fixes the following issue: - Do not trigger the automatic close of CDROM. (bsc#1084671) - Try to automatically configure broken serial lines. (bsc#1175514) - Avoid `sulogin` failing on not existing or not functional console devices. (bsc#1175514) - Build with `libudev` support to support non-root users. (bsc#1169006) - Avoid memory errors on PowerPC systems with valid hardware configurations. (bsc#1175623, bsc#1178554, bsc#1178825) - Fix warning on mounts to `CIFS` with mount –a. (bsc#1174942) ----------------------------------------- Version 3-Build5.5.13 2020-12-30T07:39:39 ----------------------------------------- Patch: SUSE-2020-3942 Released: Tue Dec 29 12:22:01 2020 Summary: Recommended update for libidn2 Severity: moderate References: 1180138 Description: This update for libidn2 fixes the following issues: - The library is actually dual licensed, GPL-2.0-or-later or LGPL-3.0-or-later, adjusted the RPM license tags (bsc#1180138) ----------------------------------------- Patch: SUSE-2020-3943 Released: Tue Dec 29 12:24:45 2020 Summary: Recommended update for libxml2 Severity: moderate References: 1178823 Description: This update for libxml2 fixes the following issues: Avoid quadratic checking of identity-constraints, speeding up XML validation (bsc#1178823) * key/unique/keyref schema attributes currently use quadratic loops to check their various constraints (that keys are unique and that keyrefs refer to existing keys). * This fix uses a hash table to avoid the quadratic behaviour. ----------------------------------------- Version 3-Build5.5.14 2021-01-04T07:40:54 ----------------------------------------- Patch: SUSE-2021-6 Released: Mon Jan 4 07:05:06 2021 Summary: Recommended update for libdlm Severity: moderate References: 1098449,1144793,1168771,1177533,1177658 Description: This update for libdlm fixes the following issues: - Rework libdlm3 require with a shared library version tag instead so it propagates to all consuming packages.(bsc#1177658, bsc#1098449) - Add support for type 'uint64_t' to corosync ringid. (bsc#1168771) - Include some fixes/enhancements for dlm_controld. (bsc#1144793) - Fixed an issue where /boot logical volume was accidentally unmounted. (bsc#1177533) ----------------------------------------- Version 3-Build5.5.20 2021-01-14T07:42:46 ----------------------------------------- Patch: SUSE-2021-109 Released: Wed Jan 13 10:13:24 2021 Summary: Security update for libzypp, zypper Severity: moderate References: 1050625,1174016,1177238,1177275,1177427,1177583,1178910,1178966,1179083,1179222,1179415,1179909,CVE-2017-9271 Description: This update for libzypp, zypper fixes the following issues: Update zypper to version 1.14.41 Update libzypp to 17.25.4 - CVE-2017-9271: Fixed information leak in the log file (bsc#1050625 bsc#1177583) - RepoManager: Force refresh if repo url has changed (bsc#1174016) - RepoManager: Carefully tidy up the caches. Remove non-directory entries. (bsc#1178966) - RepoInfo: ignore legacy type= in a .repo file and let RepoManager probe (bsc#1177427). - RpmDb: If no database exists use the _dbpath configured in rpm. Still makes sure a compat symlink at /var/lib/rpm exists in case the configures _dbpath is elsewhere. (bsc#1178910) - Fixed update of gpg keys with elongated expire date (bsc#179222) - needreboot: remove udev from the list (bsc#1179083) - Fix lsof monitoring (bsc#1179909) yast-installation was updated to 4.2.48: - Do not cleanup the libzypp cache when the system has low memory, incomplete cache confuses libzypp later (bsc#1179415) ----------------------------------------- Version 3-Build5.5.21 2021-01-15T11:43:25 ----------------------------------------- Patch: SUSE-2021-129 Released: Thu Jan 14 12:26:15 2021 Summary: Security update for openldap2 Severity: moderate References: 1178909,1179503,CVE-2020-25709,CVE-2020-25710 Description: This update for openldap2 fixes the following issues: Security issues fixed: - CVE-2020-25709: Fixed a crash caused by specially crafted network traffic (bsc#1178909). - CVE-2020-25710: Fixed a crash caused by specially crafted network traffic (bsc#1178909). Non-security issue fixed: - Retry binds in the LDAP backend when the remote LDAP server disconnected the (idle) LDAP connection. (bsc#1179503) ----------------------------------------- Version 3-Build5.5.22 2021-01-16T07:40:32 ----------------------------------------- Patch: SUSE-2021-152 Released: Fri Jan 15 17:04:47 2021 Summary: Recommended update for lvm2 Severity: moderate References: 1179691,1179738 Description: This update for lvm2 fixes the following issues: - Fix for lvm2 to use udev as external device by default. (bsc#1179691) - Fixed an issue in configuration for an item that is commented out by default. (bsc#1179738) ----------------------------------------- Version 3-Build5.5.28 2021-01-23T09:27:52 ----------------------------------------- Patch: SUSE-2021-169 Released: Tue Jan 19 16:18:46 2021 Summary: Recommended update for libsolv, libzypp, zypper Severity: moderate References: 1179816,1180077,1180663,1180721 Description: This update for libsolv, libzypp, zypper fixes the following issues: libzypp was updated to 17.25.6: - Rephrase solver problem descriptions (jsc#SLE-8482) - Adapt to changed gpg2/libgpgme behavior (bsc#1180721) - Multicurl backend breaks with with unknown filesize (fixes #277) zypper was updated to 1.14.42: - Fix source-download commnds help (bsc#1180663) - man: Recommend to use the --non-interactive global option rather than the command option -y (bsc#1179816) - Extend apt packagemap (fixes #366) - --quiet: Fix install summary to write nothing if there's nothing todo (bsc#1180077) libsolv was updated to 0.7.16; - do not ask the namespace callback for splitprovides when writing a testcase - fix add_complex_recommends() selecting conflicted packages in rare cases leading to crashes - improve choicerule generation so that package updates are prefered in more cases ----------------------------------------- Patch: SUSE-2021-174 Released: Wed Jan 20 07:55:23 2021 Summary: Recommended update for gnutls Severity: moderate References: 1172695 Description: This update for gnutls fixes the following issue: - Avoid spurious audit messages about incompatible signature algorithms (bsc#1172695) ----------------------------------------- Patch: SUSE-2021-197 Released: Fri Jan 22 15:17:42 2021 Summary: Security update for permissions Severity: moderate References: 1171883,CVE-2020-8025 Description: This update for permissions fixes the following issues: - Update to version 20181224: * pcp: remove no longer needed / conflicting entries (bsc#1171883, CVE-2020-8025) ----------------------------------------- Version 3-Build5.5.33 2021-01-27T07:39:55 ----------------------------------------- Patch: SUSE-2021-220 Released: Tue Jan 26 14:00:51 2021 Summary: Recommended update for keyutils Severity: moderate References: 1180603 Description: This update for keyutils fixes the following issues: - Adjust the library license to be LPGL-2.1+ only (the tools are GPL2+, the library is just LGPL-2.1+) (bsc#1180603) ----------------------------------------- Version 3-Build5.5.35 2021-01-28T07:39:37 ----------------------------------------- Patch: SUSE-2021-233 Released: Wed Jan 27 12:15:33 2021 Summary: Recommended update for systemd Severity: moderate References: 1141597,1174436,1175458,1177490,1179363,1179824,1180225 Description: This update for systemd fixes the following issues: - Added a timestamp to the output of the busctl monitor command (bsc#1180225) - Fixed a NULL pointer dereference bug when attempting to close the journal file handle (bsc#1179824) - Improved the caching of cgroups member mask (bsc#1175458) - Fixed the dependency definition of sound.target (bsc#1179363) - Fixed a bug that could lead to a potential error, when daemon-reload is called between StartTransientUnit and scope_start() (bsc#1174436) - time-util: treat /etc/localtime missing as UTC (bsc#1141597) - Removed mq-deadline selection from 60-io-scheduler.rules (bsc#1177490) ----------------------------------------- Version 3-Build5.5.40 2021-02-02T07:40:18 ----------------------------------------- Patch: SUSE-2021-265 Released: Mon Feb 1 15:06:45 2021 Summary: Recommended update for systemd Severity: important References: 1178775,1180885 Description: This update for systemd fixes the following issues: - Fix for udev creating '/dev/disk/by-label' symlink for 'LUKS2' to avoid mount issues. (bsc#1180885, #8998)) - Fix for an issue when container start causes interference in other containers. (bsc#1178775) ----------------------------------------- Version 3-Build5.5.43 2021-02-03T07:40:18 ----------------------------------------- Patch: SUSE-2021-278 Released: Tue Feb 2 09:43:08 2021 Summary: Recommended update for lvm2 Severity: moderate References: 1181319 Description: This update for lvm2 fixes the following issues: - Backport 'lvmlockd' to adopt orphan locks feature. (bsc#1181319) ----------------------------------------- Version 3-Build5.5.46 2021-02-04T07:39:31 ----------------------------------------- Patch: SUSE-2021-293 Released: Wed Feb 3 12:52:34 2021 Summary: Recommended update for gmp Severity: moderate References: 1180603 Description: This update for gmp fixes the following issues: - correct license statements of packages (library itself is no GPL-3.0) (bsc#1180603) ----------------------------------------- Version 3-Build5.5.47 2021-02-05T07:40:09 ----------------------------------------- Patch: SUSE-2021-302 Released: Thu Feb 4 13:18:35 2021 Summary: Recommended update for lvm2 Severity: important References: 1179691 Description: This update for lvm2 fixes the following issues: - lvm2 will no longer use external_device_info_source='udev' as default because it introduced a regression (bsc#1179691). If this behavior is still wanted, please change this manually in the lvm.conf ----------------------------------------- Version 3-Build5.5.50 2021-02-09T07:40:23 ----------------------------------------- Patch: SUSE-2021-339 Released: Mon Feb 8 13:16:07 2021 Summary: Optional update for pam Severity: low References: Description: This update for pam fixes the following issues: - Added rpm macros for this package, so that other packages can make use of it This patch is optional to be installed - it doesn't fix any bugs. ----------------------------------------- Version 3-Build5.5.56 2021-02-26T08:47:15 ----------------------------------------- Patch: SUSE-2020-1989 Released: Tue Jul 21 17:58:58 2020 Summary: Recommended update to SLES-releases Severity: important References: 1173582 Description: This update of SLES-release provides the following fix: - Obsolete Leap 15.2 as well to allow migration from Leap to SLE. (bsc#1173582) ----------------------------------------- Patch: SUSE-2020-3294 Released: Wed Nov 11 12:28:46 2020 Summary: Recommended update for SLES-release Severity: moderate References: 1177998 Description: This update for SLES-release fixes the following issue: - Obsolete Leap 15.2.1 (jump) to allow migration from Jump/Leap 15.2.1 to SLE 15 SP2. (bsc#1177998) ----------------------------------------- Version 3-Build5.5.57 2021-02-27T07:42:33 ----------------------------------------- Patch: SUSE-2021-653 Released: Fri Feb 26 19:53:43 2021 Summary: Security update for glibc Severity: important References: 1178386,1179694,1179721,1180038,1181505,1182117,CVE-2019-25013,CVE-2020-27618,CVE-2020-29562,CVE-2020-29573,CVE-2021-3326 Description: This update for glibc fixes the following issues: - Fix buffer overrun in EUC-KR conversion module (CVE-2019-25013, bsc#1182117, BZ #24973) - x86: Harden printf against non-normal long double values (CVE-2020-29573, bsc#1179721, BZ #26649) - gconv: Fix assertion failure in ISO-2022-JP-3 module (CVE-2021-3326, bsc#1181505, BZ #27256) - iconv: Accept redundant shift sequences in IBM1364 (CVE-2020-27618, bsc#1178386, BZ #26224) - iconv: Fix incorrect UCS4 inner loop bounds (CVE-2020-29562, bsc#1179694, BZ #26923) - Fix parsing of /sys/devices/system/cpu/online (bsc#1180038, BZ #25859) ----------------------------------------- Version 3-Build5.5.64 2021-03-09T07:42:32 ----------------------------------------- Patch: SUSE-2021-723 Released: Mon Mar 8 16:45:27 2021 Summary: Security update for openldap2 Severity: important References: 1182279,1182408,1182411,1182412,1182413,1182415,1182416,1182417,1182418,1182419,1182420,CVE-2020-36221,CVE-2020-36222,CVE-2020-36223,CVE-2020-36224,CVE-2020-36225,CVE-2020-36226,CVE-2020-36227,CVE-2020-36228,CVE-2020-36229,CVE-2020-36230,CVE-2021-27212 Description: This update for openldap2 fixes the following issues: - bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the X.509 DN parsing in decode.c ber_next_element, resulting in denial of service. - bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN parsing in ad_keystring, resulting in denial of service. - bsc#1182412 CVE-2020-36228 - integer underflow leading to crash in the Certificate List Exact Assertion processing, resulting in denial of service. - bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the cancel_extop Cancel operation, resulting in denial of service. - bsc#1182416 CVE-2020-36225 - double free and slapd crash in the saslAuthzTo processing, resulting in denial of service. - bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash in the saslAuthzTo processing, resulting in denial of service. - bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd crash in the saslAuthzTo processing, resulting in denial of service. - bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the saslAuthzTo validation, resulting in denial of service. - bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact Assertion processing, resulting in denial of service (schema_init.c serialNumberAndIssuerCheck). - bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter control handling, resulting in denial of service (double free and out-of-bounds read). - bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime. ----------------------------------------- Version 3-Build5.5.66 2021-03-10T07:41:42 ----------------------------------------- Patch: SUSE-2021-754 Released: Tue Mar 9 17:10:49 2021 Summary: Security update for openssl-1_1 Severity: moderate References: 1182331,1182333,1182959,CVE-2021-23840,CVE-2021-23841 Description: This update for openssl-1_1 fixes the following issues: - CVE-2021-23840: Fixed an Integer overflow in CipherUpdate (bsc#1182333) - CVE-2021-23841: Fixed a Null pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331) - Fixed unresolved error codes in FIPS (bsc#1182959). ----------------------------------------- Version 3-Build5.5.68 2021-03-13T07:43:27 ----------------------------------------- Patch: SUSE-2021-778 Released: Fri Mar 12 17:42:25 2021 Summary: Security update for glib2 Severity: important References: 1182328,1182362,CVE-2021-27218,CVE-2021-27219 Description: This update for glib2 fixes the following issues: - CVE-2021-27218: g_byte_array_new_take takes a gsize as length but stores in a guint, this patch will refuse if the length is larger than guint. (bsc#1182328) - CVE-2021-27219: g_memdup takes a guint as parameter and sometimes leads into an integer overflow, so add a g_memdup2 function which uses gsize to replace it. (bsc#1182362) ----------------------------------------- Version 3-Build5.5.70 2021-03-16T07:43:19 ----------------------------------------- Patch: SUSE-2021-786 Released: Mon Mar 15 11:19:23 2021 Summary: Recommended update for zlib Severity: moderate References: 1176201 Description: This update for zlib fixes the following issues: - Fixed hw compression on z15 (bsc#1176201) ----------------------------------------- Version 3-Build5.5.74 2021-03-19T07:45:36 ----------------------------------------- Patch: SUSE-2021-874 Released: Thu Mar 18 09:41:54 2021 Summary: Recommended update for libsolv, libzypp, zypper Severity: moderate References: 1179847,1181328,1181622,1182629 Description: This update for libsolv, libzypp, zypper fixes the following issues: - support multiple collections in updateinfo parser - Fixed an issue when some 'systemd' tools require '/proc' to be mounted and fail if it's not there. (bsc#1181328) - Enable release packages to request a releaxed suse/opensuse vendorcheck in dup when migrating. (bsc#1182629) - Patch: Identify well-known category names to allow to use the RH and SUSE patch category names synonymously. (bsc#1179847) - Fix '%posttrans' script execution. (fixes #265) - Repo: Allow multiple baseurls specified on one line (fixes #285) - Regex: Fix memory leak and undefined behavior. - Add rpm buildrequires for test suite (fixes #279) - Use rpmdb2solv new -D switch to tell the location of the rpmdatabase to use. - doc: give more details about creating versioned package locks. (bsc#1181622) - man: Document synonymously used patch categories (bsc#1179847) ----------------------------------------- Version 3-Build5.5.77 2021-03-24T07:41:51 ----------------------------------------- Patch: SUSE-2021-924 Released: Tue Mar 23 10:00:49 2021 Summary: Recommended update for filesystem Severity: moderate References: 1078466,1146705,1175519,1178775,1180020,1180083,1180596,1181011,1181831,1183094 Description: This update for filesystem the following issues: - Remove duplicate line due to merge error - Add fix for 'mesa' creating cache with perm 0700. (bsc#1181011) - Fixed an issue causing failure during installation/upgrade a failure. (rh#1548403) (bsc#1146705) - Allows to override config to add cleanup options of '/var/tmp'. (bsc#1078466) - Create config to cleanup '/tmp' regular required with 'tmpfs'. (bsc#1175519) This update for systemd fixes the following issues: - Fix for a possible memory leak. (bsc#1180020) - Fix for a case when to a bind mounted directory results inactive mount units. (#7811) (bsc#1180596) - Fixed an issue when starting a container conflicts with another one. (bsc#1178775) - Drop most of the tmpfiles that deal with generic paths and avoid warnings. (bsc#1078466, bsc#1181831) - Don't use shell redirections when calling a rpm macro. (bsc#1183094) - 'systemd' requires 'aaa_base' >= 13.2. (bsc#1180083) ----------------------------------------- Patch: SUSE-2021-926 Released: Tue Mar 23 13:20:24 2021 Summary: Recommended update for systemd-presets-common-SUSE Severity: moderate References: 1083473,1112500,1115408,1165780,1183012 Description: This update for systemd-presets-common-SUSE fixes the following issues: - Add default user preset containing: - enable `pulseaudio.socket` (bsc#1083473) - enable `pipewire.socket` (bsc#1183012) - enable `pipewire-pulse.socket` (bsc#1183012) - enable `pipewire-media-session.service` (used with pipewire >= 0.3.23) - Changes to the default preset: - enable `btrfsmaintenance-refresh.path`. - disable `btrfsmaintenance-refresh.service`. - enable `dnf-makecache.timer`. - enable `ignition-firstboot-complete.service`. - enable logwatch.timer and avoid to have logwatch out of sync with logrotate. (bsc#1112500) - enable `mlocate.timer`. Recent versions of mlocate don't use `updatedb.timer` any more. (bsc#1115408) - remove enable `updatedb.timer` - Avoid needless refresh on boot. (bsc#1165780) ----------------------------------------- Version 3-Build5.5.78 2021-03-25T07:41:22 ----------------------------------------- Patch: SUSE-2021-935 Released: Wed Mar 24 12:19:10 2021 Summary: Security update for gnutls Severity: important References: 1183456,1183457,CVE-2021-20231,CVE-2021-20232 Description: This update for gnutls fixes the following issues: - CVE-2021-20232: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183456). - CVE-2021-20231: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183457). ----------------------------------------- Patch: SUSE-2021-948 Released: Wed Mar 24 14:31:34 2021 Summary: Security update for zstd Severity: moderate References: 1183370,1183371,CVE-2021-24031,CVE-2021-24032 Description: This update for zstd fixes the following issues: - CVE-2021-24031: Added read permissions to files while being compressed or uncompressed (bsc#1183371). - CVE-2021-24032: Fixed a race condition which could have allowed an attacker to access world-readable destination file (bsc#1183370). ----------------------------------------- Version 3-Build5.5.79 2021-03-26T13:21:15 ----------------------------------------- Patch: SUSE-2021-955 Released: Thu Mar 25 16:11:48 2021 Summary: Security update for openssl-1_1 Severity: important References: 1183852,CVE-2021-3449 Description: This update for openssl-1_1 fixes the security issue: * CVE-2021-3449: An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension but includes a signature_algorithms_cert extension, then a NULL pointer dereference will result, leading to a crash and a denial of service attack. OpenSSL TLS clients are not impacted by this issue. [bsc#1183852] ----------------------------------------- Version 3-Build5.5.85 2021-04-02T07:43:41 ----------------------------------------- Patch: SUSE-2021-1004 Released: Thu Apr 1 15:07:09 2021 Summary: Recommended update for libcap Severity: moderate References: 1180073 Description: This update for libcap fixes the following issues: - Added support for the ambient capabilities (jsc#SLE-17092, jsc#ECO-3460) - Changed the license tag from 'BSD-3-Clause and GPL-2.0' to 'BSD-3-Clause OR GPL-2.0-only' (bsc#1180073) ----------------------------------------- Patch: SUSE-2021-1006 Released: Thu Apr 1 17:44:57 2021 Summary: Security update for curl Severity: moderate References: 1183933,1183934,CVE-2021-22876,CVE-2021-22890 Description: This update for curl fixes the following issues: - CVE-2021-22890: TLS 1.3 session ticket proxy host mixup (bsc#1183934) - CVE-2021-22876: Automatic referer leaks credentials (bsc#1183933) ----------------------------------------- Version 3-Build5.5.89 2021-04-13T07:42:38 ----------------------------------------- Patch: SUSE-2021-1141 Released: Mon Apr 12 13:13:36 2021 Summary: Recommended update for openldap2 Severity: low References: 1182791 Description: This update for openldap2 fixes the following issues: - Improved the proxy connection timeout options to prune connections properly (bsc#1182791) ----------------------------------------- Version 3-Build5.5.91 2021-04-14T07:42:01 ----------------------------------------- Patch: SUSE-2021-1169 Released: Tue Apr 13 15:01:42 2021 Summary: Recommended update for procps Severity: low References: 1181976 Description: This update for procps fixes the following issues: - Corrected a statement in the man page about processor pinning via taskset (bsc#1181976) ----------------------------------------- Version 3-Build5.5.95 2021-04-21T07:42:26 ----------------------------------------- Patch: SUSE-2021-1286 Released: Tue Apr 20 20:10:21 2021 Summary: Recommended update for SLES-release Severity: moderate References: 1180836 Description: This recommended update for SLES-release provides the following fix: - Revert the problematic changes previously released and make sure the version is high enough to obsolete the package on containers and images. (bsc#1180836) ----------------------------------------- Version 3-Build5.5.96 2021-04-22T07:42:44 ----------------------------------------- Patch: SUSE-2021-1295 Released: Wed Apr 21 14:08:19 2021 Summary: Recommended update for systemd-presets-common-SUSE Severity: moderate References: 1184136 Description: This update for systemd-presets-common-SUSE fixes the following issues: - Enabled hcn-init.service for HNV on POWER (bsc#1184136) ----------------------------------------- Patch: SUSE-2021-1296 Released: Wed Apr 21 14:09:28 2021 Summary: Optional update for e2fsprogs Severity: low References: 1183791 Description: This update for e2fsprogs fixes the following issues: - Fixed an issue when building e2fsprogs (bsc#1183791) This patch does not fix any user visible issues and is therefore optional to install. ----------------------------------------- Patch: SUSE-2021-1297 Released: Wed Apr 21 14:10:10 2021 Summary: Recommended update for systemd Severity: moderate References: 1178219 Description: This update for systemd fixes the following issues: - Improved the logs emitted by systemd-shutdown during the shutdown process, when applications cannot be stopped properly and would leave mount points mounted. ----------------------------------------- Patch: SUSE-2021-1299 Released: Wed Apr 21 14:11:41 2021 Summary: Optional update for gpgme Severity: low References: 1183801 Description: This update for gpgme fixes the following issues: - Fixed a bug in test cases (bsc#1183801) This patch is optional to install and does not provide any user visible bug fixes. ----------------------------------------- Version 3-Build5.5.102 2021-04-29T07:43:23 ----------------------------------------- Patch: SUSE-2021-1407 Released: Wed Apr 28 15:49:02 2021 Summary: Recommended update for libcap Severity: important References: 1184690 Description: This update for libcap fixes the following issues: - Add explicit dependency on 'libcap2' with version to 'libcap-progs' and 'pam_cap'. (bsc#1184690) ----------------------------------------- Patch: SUSE-2021-1412 Released: Wed Apr 28 17:09:28 2021 Summary: Security update for libnettle Severity: important References: 1184401,CVE-2021-20305 Description: This update for libnettle fixes the following issues: - CVE-2021-20305: Fixed the multiply function which was being called with out-of-range scalars (bsc#1184401). ----------------------------------------- Patch: SUSE-2021-1426 Released: Thu Apr 29 06:23:13 2021 Summary: Recommended update for libsolv Severity: moderate References: Description: This update for libsolv fixes the following issues: - Fix rare segfault in resolve_jobrules() that could happen if new rules are learnt. - Fix a couple of memory leaks in error cases. - Fix error handling in solv_xfopen_fd() - Fixed 'regex' code on win32. - Fixed memory leak in choice rule generation ----------------------------------------- Version 3-Build5.5.103 2021-05-02T07:44:31 ----------------------------------------- Patch: SUSE-2021-1449 Released: Fri Apr 30 08:08:25 2021 Summary: Recommended update for systemd-presets-branding-SLE Severity: moderate References: 1165780 Description: This update for systemd-presets-branding-SLE fixes the following issues: - Don't enable 'btrfsmaintenance-refresh.service', 'btrfsmaintenance' is managed by systemd-presets-common-SUSE instead. (bsc#1165780) ----------------------------------------- Version 3-Build5.5.107 2021-05-05T07:42:43 ----------------------------------------- Patch: SUSE-2021-1466 Released: Tue May 4 08:30:57 2021 Summary: Security update for permissions Severity: important References: 1182899 Description: This update for permissions fixes the following issues: - etc/permissions: remove unnecessary entries (bsc#1182899) ----------------------------------------- Patch: SUSE-2021-1481 Released: Tue May 4 14:18:32 2021 Summary: Recommended update for lvm2 Severity: moderate References: 1178680 Description: This update for lvm2 fixes the following issues: - Add metadata-based autoactivation property for volume group and logical volume. (bsc#1178680) ----------------------------------------- Version 3-Build5.5.108 2021-05-06T07:43:25 ----------------------------------------- Patch: SUSE-2021-1523 Released: Wed May 5 18:24:20 2021 Summary: Security update for libxml2 Severity: moderate References: 1185408,1185409,1185410,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518 Description: This update for libxml2 fixes the following issues: - CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408). - CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410). - CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409). ----------------------------------------- Version 3-Build5.5.110 2021-05-07T07:43:04 ----------------------------------------- Patch: SUSE-2021-1527 Released: Thu May 6 08:58:53 2021 Summary: Recommended update for bash Severity: important References: 1183064 Description: This update for bash fixes the following issues: - Fixed a segmentation fault that used to occur when bash read a history file that was malformed in a very specific way. (bsc#1183064) ----------------------------------------- Patch: SUSE-2021-1528 Released: Thu May 6 15:31:23 2021 Summary: Recommended update for openssl-1_1 Severity: moderate References: 1161276 Description: This update for openssl-1_1 fixes the following issues: - Do not list disapproved cipher algorithms while in 'FIPS' mode. (bsc#1161276) ----------------------------------------- Version 3-Build5.5.111 2021-05-08T07:42:42 ----------------------------------------- Patch: SUSE-2021-1543 Released: Fri May 7 15:16:32 2021 Summary: Recommended update for patterns-microos Severity: moderate References: 1184435 Description: This update for patterns-microos provides the following fix: - Require the libvirt-daemon-qemu package and include the needed dependencies in the product. (bsc#1184435) ----------------------------------------- Patch: SUSE-2021-1544 Released: Fri May 7 16:34:41 2021 Summary: Recommended update for libzypp Severity: moderate References: 1180851,1181874,1182936,1183628,1184997,1185239 Description: This update for libzypp fixes the following issues: Upgrade from version 17.25.8 to version 17.25.10 - Properly handle permission denied when providing optional files. (bsc#1185239) - Fix service detection with `cgroupv2`. (bsc#1184997) - Add missing includes for GCC 11. (bsc#1181874) - Fix unsafe usage of static in media verifier. - `Solver`: Avoid segfault if no system is loaded. (bsc#1183628) - `MediaVerifier`: Relax media set verification in case of a single not-volatile medium. (bsc#1180851) - Do no cleanup in custom cache dirs. (bsc#1182936) - `ZConfig`: let `pubkeyCachePath` follow `repoCachePath`. ----------------------------------------- Version 3-Build5.5.112 2021-05-11T07:43:09 ----------------------------------------- Patch: SUSE-2021-1549 Released: Mon May 10 13:48:00 2021 Summary: Recommended update for procps Severity: moderate References: 1185417 Description: This update for procps fixes the following issues: - Support up to 2048 CPU as well. (bsc#1185417) ----------------------------------------- Version 3-Build5.5.114 2021-05-12T07:42:55 ----------------------------------------- Patch: SUSE-2021-1565 Released: Tue May 11 14:20:04 2021 Summary: Recommended update for krb5 Severity: moderate References: 1185163 Description: This update for krb5 fixes the following issues: - Use '/run' instead of '/var/run' for daemon PID files. (bsc#1185163); ----------------------------------------- Version 3-Build5.5.115 2021-05-13T07:42:55 ----------------------------------------- Patch: SUSE-2021-1582 Released: Wed May 12 13:40:03 2021 Summary: Recommended update for lvm2 Severity: moderate References: 1184687,1185190 Description: This update for lvm2 fixes the following issues: - Honor 'lvm.conf' parameter event_activation=0 on 'pvscan --cache -aay'. (bsc#1185190) - Fixed and issue when LVM can't be disabled on boot. (bsc#1184687) - Update patch for avoiding apply warning messages. (bsc#1012973) ----------------------------------------- Patch: SUSE-2021-1592 Released: Wed May 12 13:47:41 2021 Summary: Optional update for sed Severity: low References: 1183797 Description: This update for sed fixes the following issues: - Fixed a building issue with glibc-2.31 (bsc#1183797). This patch is optional to install. ----------------------------------------- Version 3-Build5.5.117 2021-05-15T07:43:02 ----------------------------------------- Patch: SUSE-2021-1612 Released: Fri May 14 17:09:39 2021 Summary: Recommended update for openldap2 Severity: moderate References: 1184614 Description: This update for openldap2 fixes the following issue: - Provide `openldap2-contrib` to the modules SUSE Linux Enterprise Legacy 15-SP2 and 15-SP3. (bsc#1184614) ----------------------------------------- Version 3-Build5.5.121 2021-05-20T07:43:14 ----------------------------------------- Patch: SUSE-2021-1643 Released: Wed May 19 13:51:48 2021 Summary: Recommended update for pam Severity: important References: 1181443,1184358,1185562 Description: This update for pam fixes the following issues: - Fixed a bug, where the 'unlimited'/'-1' value was not interpreted correctly (bsc#1181443) - Fixed a bug, where pam_access interpreted the keyword 'LOCAL' incorrectly, leading to an attempt to resolve it as a hostname (bsc#1184358) - In the 32-bit compatibility package for 64-bit architectures, require 'systemd-32bit' to be also installed as it contains pam_systemd.so for 32 bit applications. (bsc#1185562) ----------------------------------------- Patch: SUSE-2021-1647 Released: Wed May 19 13:59:12 2021 Summary: Security update for lz4 Severity: important References: 1185438,CVE-2021-3520 Description: This update for lz4 fixes the following issues: - CVE-2021-3520: Fixed memory corruption due to an integer overflow bug caused by memmove argument (bsc#1185438). ----------------------------------------- Patch: SUSE-2021-1654 Released: Wed May 19 16:43:36 2021 Summary: Security update for libxml2 Severity: important References: 1185408,1185409,1185410,1185698,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518,CVE-2021-3537 Description: This update for libxml2 fixes the following issues: - CVE-2021-3537: NULL pointer dereference in valid.c:xmlValidBuildAContentModel (bsc#1185698) - CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408). - CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410). - CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409). ----------------------------------------- Version Build5.8.5-4-Build5.8.5 2021-05-28T07:43:45 ----------------------------------------- Patch: SUSE-2021-1762 Released: Wed May 26 12:30:01 2021 Summary: Security update for curl Severity: moderate References: 1186114,CVE-2021-22898 Description: This update for curl fixes the following issues: - CVE-2021-22898: Fixed curl TELNET stack contents disclosure (bsc#1186114). - Allow partial chain verification [jsc#SLE-17956] * Have intermediate certificates in the trust store be treated as trust-anchors, in the same way as self-signed root CA certificates are. This allows users to verify servers using the intermediate cert only, instead of needing the whole chain. * Set FLAG_TRUSTED_FIRST unconditionally. * Do not check partial chains with CRL check. ----------------------------------------- Version Build5.8.7-4-Build5.8.7 2021-06-03T07:43:51 ----------------------------------------- Patch: SUSE-2021-1833 Released: Wed Jun 2 15:32:28 2021 Summary: Recommended update for zypper Severity: moderate References: 1153687,1180851,1181874,1182372,1182936,1183268,1183589,1183628,1184997,1185239 Description: This update for zypper fixes the following issues: zypper was upgraded to 1.14.44: - man page: Recommend the needs-rebooting command to test whether a system reboot is suggested. - patch: Let a patch's reboot-needed flag overrule included packages. (bsc#1183268) - Quickfix setting 'openSUSE_Tumbleweed' as default platform for 'MicroOS'. (bsc#1153687) - Protect against strict/relaxed user umask via sudo. (bsc#1183589) - xml summary: Add solvables repository alias. (bsc#1182372) libzypp was upgraded from version 17.25.8 to version 17.25.10 - Properly handle permission denied when providing optional files. (bsc#1185239) - Fix service detection with `cgroupv2`. (bsc#1184997) - Add missing includes for GCC 11. (bsc#1181874) - Fix unsafe usage of static in media verifier. - `Solver`: Avoid segfault if no system is loaded. (bsc#1183628) - `MediaVerifier`: Relax media set verification in case of a single not-volatile medium. (bsc#1180851) - Do no cleanup in custom cache dirs. (bsc#1182936) - `ZConfig`: let `pubkeyCachePath` follow `repoCachePath`. ----------------------------------------- Version Build5.8.8-4-Build5.8.8 2021-06-06T07:44:27 ----------------------------------------- Patch: SUSE-2021-1861 Released: Fri Jun 4 09:59:40 2021 Summary: Recommended update for gcc10 Severity: moderate References: 1029961,1106014,1178577,1178624,1178675,1182016 Description: This update for gcc10 fixes the following issues: - Disable nvptx offloading for aarch64 again since it doesn't work - Fixed a build failure issue. (bsc#1182016) - Fix for memory miscompilation on 'aarch64'. (bsc#1178624, bsc#1178577) - Fix 32bit 'libgnat.so' link. (bsc#1178675) - prepare usrmerge: Install libgcc_s into %_libdir. ABI wise it stays /%lib. (bsc#1029961) - Build complete set of multilibs for arm-none target. (bsc#1106014) ----------------------------------------- Version Build5.8.10-4-Build5.8.10 2021-06-09T07:43:32 ----------------------------------------- Patch: SUSE-2021-1879 Released: Tue Jun 8 09:16:09 2021 Summary: Recommended update for libzypp, zypper Severity: important References: 1184326,1184399,1184997,1185325 Description: This update for libzypp, zypper fixes the following issues: libzypp was updated to 17.26.0: - Work around download.o.o broken https redirects. - Allow trusted repos to add additional signing keys (bsc#1184326) Repositories signed with a trusted gpg key may import additional package signing keys. This is needed if different keys were used to sign the the packages shipped by the repository. - MediaCurl: Fix logging of redirects. - Use 15.3 resolver problem and solution texts on all distros. - $ZYPP_LOCK_TIMEOUT: Let negative values wait forever for the zypp lock (bsc#1184399) Helps boot time services like 'zypper purge-kernels' to wait for the zypp lock until other services using zypper have completed. - Fix purge-kernels is broken in Leap 15.3 (bsc#1185325) Leap 15.3 introduces a new kernel package called kernel-flavour-extra, which contain kmp's. Currently kmp's are detected by name '.*-kmp(-.*)?' but this does not work which those new packages. This patch fixes the problem by checking packages for kmod(*) and ksym(*) provides and only falls back to name checking if the package in question does not provide one of those. - Introduce zypp-runpurge, a tool to run purge-kernels on testcases. zypper was updated to 1.14.45: - Fix service detection with cgroupv2 (bsc#1184997) - Add hints to 'trust GPG key' prompt. - Add report when receiving new package signing keys from a trusted repo (bsc#1184326) - Added translation using Weblate (Kabyle) ----------------------------------------- Version Build5.8.15-4-Build5.8.15 2021-06-11T07:43:47 ----------------------------------------- Patch: SUSE-2021-1917 Released: Wed Jun 9 14:48:05 2021 Summary: Security update for libxml2 Severity: moderate References: 1186015,CVE-2021-3541 Description: This update for libxml2 fixes the following issues: - CVE-2021-3541: Fixed exponential entity expansion attack bypasses all existing protection mechanisms. (bsc#1186015) ----------------------------------------- Patch: SUSE-2021-1953 Released: Thu Jun 10 16:18:50 2021 Summary: Recommended update for gpg2 Severity: moderate References: 1161268,1172308 Description: This update for gpg2 fixes the following issues: - Fixed an issue where the gpg-agent's ssh-agent does not handle flags in signing requests properly (bsc#1161268 and bsc#1172308). ----------------------------------------- Version Build5.8.20-4-Build5.8.20 2021-06-22T07:43:58 ----------------------------------------- Patch: SUSE-2021-2107 Released: Mon Jun 21 19:29:09 2021 Summary: Recommended update for golang-github-prometheus-node_exporter Severity: moderate References: 1151558 Description: This update for golang-github-prometheus-node_exporter fixes the following issues: Update from version 1.0.1 to version 1.1.2 - Bug fixes: - Do not include sources (bsc#1151558) - Handle errors from disabled `Pressure Stall Information (PSI)` subsystem - Sanitize strings from `/sys/class/power_supply` - Silence missing `netclass` errors - Fix `ineffassign` issue - Demote some warning to `Debug` level - `filesystem_freebsd`: Fix label values - Fix various `procfs` parsing errors - Handle no data from the power supply class - `udp_queues_linux.go`: change `upd` to `udp` in two error strings - Fix `node_scrape_collector_success` behavior - Fix `NodeRAIDDegraded` to not use a string rule expressions - Fix `node_md_disks` state label from fail to failed - Handle `EPERM` for syscall in timex collector - `bcache`: fix typo in a metric name - Fix XFS read/write stats - Enhancements: - Improve filter flag names - Add `btrfs` and `powersupplyclass` to list of exporters enabled by default - Add more `InfiniBand` counters - Add a flag to aggregate `ipvs` metrics to avoid high cardinality metrics - Add `backlog/current` queue length to `qdisc` collector - Include `TCP OutRsts` in `netstat` metrics - Add the `pool size` to entropy collector - Remove `CGO` dependencies for OpenBSD amd64 - `bcache`: add `writeback_rate_debug` statistics - Add `check state` for `mdadm` arrays via `node_md_state metric` - Expose `XFS inode` statistics - Expose `zfs zpool` state - Add the ability to pass `collector.supervisord.url` via `SUPERVISORD_URL` environment variable - Features: - Add fiber channel collector - Expose cpu bugs and flags as info metrics. - Add `network_route` collector - Add `zoneinfo` collector ----------------------------------------- Version Build5.8.21-4-Build5.8.21 2021-06-24T07:43:50 ----------------------------------------- Patch: SUSE-2021-2143 Released: Wed Jun 23 16:27:04 2021 Summary: Security update for libnettle Severity: important References: 1187060,CVE-2021-3580 Description: This update for libnettle fixes the following issues: - CVE-2021-3580: Fixed a remote denial of service in the RSA decryption via manipulated ciphertext (bsc#1187060). ----------------------------------------- Version Build5.8.22-4-Build5.8.22 2021-06-25T07:44:20 ----------------------------------------- Patch: SUSE-2021-2157 Released: Thu Jun 24 15:40:14 2021 Summary: Security update for libgcrypt Severity: important References: 1187212,CVE-2021-33560 Description: This update for libgcrypt fixes the following issues: - CVE-2021-33560: Fixed a side-channel against ElGamal encryption, caused by missing exponent blinding (bsc#1187212). ----------------------------------------- Version Build5.8.29-4-Build5.8.29 2021-06-29T07:43:22 ----------------------------------------- Patch: SUSE-2021-2173 Released: Mon Jun 28 14:59:45 2021 Summary: Recommended update for automake Severity: moderate References: 1040589,1047218,1182604,1185540,1186049 Description: This update for automake fixes the following issues: - Implement generated autoconf makefiles reproducible (bsc#1182604) - Add fix to avoid date variations in docs. (bsc#1047218, jsc#SLE-17848) - Avoid bashisms in test-driver script. (bsc#1185540) This update for pcre fixes the following issues: - Do not run profiling 'check' in parallel to make package build reproducible. (bsc#1040589) This update for brp-check-suse fixes the following issues: - Add fixes to support reproducible builds. (bsc#1186049) ----------------------------------------- Version Build5.8.30-4-Build5.8.30 2021-06-30T07:44:47 ----------------------------------------- Patch: SUSE-2021-2196 Released: Tue Jun 29 09:41:39 2021 Summary: Security update for lua53 Severity: moderate References: 1175448,1175449,CVE-2020-24370,CVE-2020-24371 Description: This update for lua53 fixes the following issues: Update to version 5.3.6: - CVE-2020-24371: lgc.c mishandles the interaction between barriers and the sweep phase, leading to a memory access violation involving collectgarbage (bsc#1175449) - CVE-2020-24370: ldebug.c allows a negation overflow and segmentation fault in getlocal and setlocal (bsc#1175448) - Long brackets with a huge number of '=' overflow some internal buffer arithmetic. ----------------------------------------- Version Build5.8.32-4-Build5.8.32 2021-07-01T07:43:42 ----------------------------------------- Patch: SUSE-2021-2205 Released: Wed Jun 30 09:17:41 2021 Summary: Recommended update for openldap2 Severity: important References: 1187210 Description: This update for openldap2 fixes the following issues: - Resolve issues in the idle / connection 'TTL' timeout implementation in OpenLDAP. (bsc#1187210) ----------------------------------------- Version Build5.8.33-4-Build5.8.33 2021-07-02T07:44:29 ----------------------------------------- Patch: SUSE-2021-2229 Released: Thu Jul 1 20:40:37 2021 Summary: Recommended update for release packages Severity: moderate References: 1099521,1185221 Description: This update for the release packages provides the following fix: - Fix grub menu entries after migration from SLE-12*. (bsc#1099521) - Adjust the sles-release changelog to include an entry for the previous release that was reverting a broken change. (bsc#1185221) ----------------------------------------- Version Build5.8.35-4-Build5.8.35 2021-07-06T07:43:48 ----------------------------------------- Patch: SUSE-2021-2246 Released: Mon Jul 5 15:17:49 2021 Summary: Recommended update for systemd Severity: moderate References: 1154935,1167471,1178561,1184761,1184967,1185046,1185331,1185807,1185958,1187292,1187400 Description: This update for systemd fixes the following issues: cgroup: Parse infinity properly for memory protections. (bsc#1167471) cgroup: Make empty assignments reset to default. (bsc#1167471) cgroup: Support 0-value for memory protection directives. (bsc#1167471) core/cgroup: Fixed an issue with ignored parameter of 'MemorySwapMax=0'. (bsc#1154935) bus-unit-util: Add proper 'MemorySwapMax' serialization. core: Accept MemorySwapMax= properties that are scaled. execute: Make sure to call into PAM after initializing resource limits. (bsc#1184967) core: Rename 'ShutdownWatchdogSec' to 'RebootWatchdogSec'. (bsc#1185331) Return -EAGAIN instead of -EALREADY from unit_reload. (bsc#1185046) rules: Don't ignore Xen virtual interfaces anymore. (bsc#1178561) write_net_rules: Set execute bits. (bsc#1178561) udev: Rework network device renaming. Revert 'Revert 'udev: Network device renaming - immediately give up if the target name isn't available'' mount-util: tape over name_to_handle_at() flakiness (#7517) (bsc#1184761) core: fix output (logging) for mount units (#7603) (bsc#1187400) udev requires systemd in its %post (bsc#1185958) cgroup: Parse infinity properly for memory protections (bsc#1167471) cgroup: Make empty assignments reset to default (bsc#1167471) cgroup: Support 0-value for memory protection directives (bsc#1167471) Create /run/lock/subsys again (bsc#1187292) The creation of this directory was mistakenly dropped when 'filesystem' package took the initialization of the generic paths over. Expect 644 permissions for /usr/lib/udev/compat-symlink-generation (bsc#1185807) ----------------------------------------- Patch: SUSE-2021-2249 Released: Mon Jul 5 15:40:46 2021 Summary: Optional update for gnutls Severity: low References: 1047218,1186579 Description: This update for gnutls does not fix any user visible issues. It is therefore optional to install. ----------------------------------------- Version Build5.8.37-4-Build5.8.37 2021-07-08T12:06:26 ----------------------------------------- Patch: SUSE-2021-2273 Released: Thu Jul 8 09:48:48 2021 Summary: Recommended update for libzypp, zypper Severity: moderate References: 1186447,1186503 Description: This update for libzypp, zypper fixes the following issues: - Enhance XML output of repo GPG options - Add optional attributes showing the raw values actually present in the '.repo' file. - Link all executables with -PIE (bsc#1186447) - Ship an empty '/etc/zypp/needreboot' per default (jsc#PM-2645) - Add 'Solvable::isBlacklisted' as superset of retracted and ptf packages (bsc#1186503) - Fix segv if 'ZYPP_FULLOG' is set. ----------------------------------------- Version Build5.8.40-4-Build5.8.40 2021-07-15T07:44:32 ----------------------------------------- Patch: SUSE-2021-2320 Released: Wed Jul 14 17:01:06 2021 Summary: Security update for sqlite3 Severity: important References: 1157818,1158812,1158958,1158959,1158960,1159491,1159715,1159847,1159850,1160309,1160438,1160439,1164719,1172091,1172115,1172234,1172236,1172240,1173641,928700,928701,CVE-2015-3414,CVE-2015-3415,CVE-2019-19244,CVE-2019-19317,CVE-2019-19603,CVE-2019-19645,CVE-2019-19646,CVE-2019-19880,CVE-2019-19923,CVE-2019-19924,CVE-2019-19925,CVE-2019-19926,CVE-2019-19959,CVE-2019-20218,CVE-2020-13434,CVE-2020-13435,CVE-2020-13630,CVE-2020-13631,CVE-2020-13632,CVE-2020-15358,CVE-2020-9327 Description: This update for sqlite3 fixes the following issues: - Update to version 3.36.0 - CVE-2020-15358: heap-based buffer overflow in multiSelectOrderBy due to mishandling of query-flattener optimization (bsc#1173641) - CVE-2020-9327: NULL pointer dereference and segmentation fault because of generated column optimizations in isAuxiliaryVtabOperator (bsc#1164719) - CVE-2019-20218: selectExpander in select.c proceeds with WITH stack unwinding even after a parsing error (bsc#1160439) - CVE-2019-19959: memory-management error via ext/misc/zipfile.c involving embedded '\0' input (bsc#1160438) - CVE-2019-19923: improper handling of certain uses of SELECT DISTINCT in flattenSubquery may lead to null pointer dereference (bsc#1160309) - CVE-2019-19924: improper error handling in sqlite3WindowRewrite() (bsc#1159850) - CVE-2019-19925: improper handling of NULL pathname during an update of a ZIP archive (bsc#1159847) - CVE-2019-19926: improper handling of certain errors during parsing multiSelect in select.c (bsc#1159715) - CVE-2019-19880: exprListAppendList in window.c allows attackers to trigger an invalid pointer dereference (bsc#1159491) - CVE-2019-19603: during handling of CREATE TABLE and CREATE VIEW statements, does not consider confusion with a shadow table name (bsc#1158960) - CVE-2019-19646: pragma.c mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns (bsc#1158959) - CVE-2019-19645: alter.c allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements (bsc#1158958) - CVE-2019-19317: lookupName in resolve.c omits bits from the colUsed bitmask in the case of a generated column, which allows attackers to cause a denial of service (bsc#1158812) - CVE-2019-19244: sqlite3,sqlite2,sqlite: The function sqlite3Select in select.c allows a crash if a sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage (bsc#1157818) - CVE-2015-3415: sqlite3VdbeExec comparison operator vulnerability (bsc#928701) - CVE-2015-3414: sqlite3,sqlite2: dequoting of collation-sequence names (bsc#928700) - CVE-2020-13434: integer overflow in sqlite3_str_vappendf (bsc#1172115) - CVE-2020-13630: (bsc#1172234: use-after-free in fts3EvalNextRow - CVE-2020-13631: virtual table allowed to be renamed to one of its shadow tables (bsc#1172236) - CVE-2020-13632: NULL pointer dereference via crafted matchinfo() query (bsc#1172240) - CVE-2020-13435: Malicious SQL statements could have crashed the process that is running SQLite (bsc#1172091) ----------------------------------------- Version Build5.8.42-4-Build5.8.42 2021-07-21T07:44:06 ----------------------------------------- Patch: SUSE-2021-2404 Released: Tue Jul 20 14:21:30 2021 Summary: Security update for systemd Severity: moderate References: 1184994,1188063,CVE-2021-33910 Description: This update for systemd fixes the following issues: - CVE-2021-33910: Fixed a denial of service in systemd via unit_name_path_escape() (bsc#1188063) - Skip udev rules if 'elevator=' is used (bsc#1184994) ----------------------------------------- Version Build5.8.43-4-Build5.8.43 2021-07-22T07:43:56 ----------------------------------------- Patch: SUSE-2021-2439 Released: Wed Jul 21 13:46:48 2021 Summary: Security update for curl Severity: moderate References: 1188217,1188218,1188219,1188220,CVE-2021-22922,CVE-2021-22923,CVE-2021-22924,CVE-2021-22925 Description: This update for curl fixes the following issues: - CVE-2021-22925: TELNET stack contents disclosure again. (bsc#1188220) - CVE-2021-22924: Bad connection reuse due to flawed path name checks. (bsc#1188219) - CVE-2021-22923: Insufficiently Protected Credentials. (bsc#1188218) - CVE-2021-22922: Wrong content via metalink not discarded. (bsc#1188217) ----------------------------------------- Version Build5.8.53-4-Build5.8.53 2021-08-18T07:47:13 ----------------------------------------- Patch: SUSE-2021-2689 Released: Mon Aug 16 10:54:52 2021 Summary: Security update for cpio Severity: important References: 1189206,CVE-2021-38185 Description: This update for cpio fixes the following issues: It was possible to trigger Remote code execution due to a integer overflow (CVE-2021-38185, bsc#1189206) ----------------------------------------- Patch: SUSE-2021-2763 Released: Tue Aug 17 17:16:22 2021 Summary: Recommended update for cpio Severity: critical References: 1189465 Description: This update for cpio fixes the following issues: - A regression in last update would cause builds to hang on various architectures(bsc#1189465) ----------------------------------------- Version Build5.8.54-4-Build5.8.54 2021-08-20T07:46:44 ----------------------------------------- Patch: SUSE-2021-2780 Released: Thu Aug 19 16:09:15 2021 Summary: Recommended update for cpio Severity: critical References: 1189465,CVE-2021-38185 Description: This update for cpio fixes the following issues: - A regression in the previous update could lead to crashes (bsc#1189465) ----------------------------------------- Version Build5.8.56-4-Build5.8.56 2021-08-22T07:44:00 ----------------------------------------- Patch: SUSE-2021-2800 Released: Fri Aug 20 10:43:04 2021 Summary: Security update for krb5 Severity: important References: 1188571,CVE-2021-36222 Description: This update for krb5 fixes the following issues: - CVE-2021-36222: Fixed KDC null deref on bad encrypted challenge. (bsc#1188571) ----------------------------------------- Version Build5.8.59-4-Build5.8.59 2021-08-26T07:46:06 ----------------------------------------- Patch: SUSE-2021-2830 Released: Tue Aug 24 16:20:18 2021 Summary: Security update for openssl-1_1 Severity: important References: 1189520,1189521,CVE-2021-3711,CVE-2021-3712 Description: This update for openssl-1_1 fixes the following security issues: - CVE-2021-3711: A bug in the implementation of the SM2 decryption code could lead to buffer overflows. [bsc#1189520] - CVE-2021-3712: a bug in the code for printing certificate details could lead to a buffer overrun that a malicious actor could exploit to crash the application, causing a denial-of-service attack. [bsc#1189521] ----------------------------------------- Version Build5.8.66-4-Build5.8.66 2021-09-04T07:43:42 ----------------------------------------- Patch: SUSE-2021-2938 Released: Fri Sep 3 09:19:36 2021 Summary: Recommended update for openldap2 Severity: moderate References: 1184614 Description: This update for openldap2 fixes the following issue: - openldap2-contrib is shipped to the Legacy Module. (bsc#1184614) ----------------------------------------- Version Build5.8.67-4-Build5.8.67 2021-09-08T07:44:09 ----------------------------------------- Patch: SUSE-2021-2966 Released: Tue Sep 7 09:49:14 2021 Summary: Security update for openssl-1_1 Severity: low References: 1189521,CVE-2021-3712 Description: This update for openssl-1_1 fixes the following issues: - CVE-2021-3712: This is an update for the incomplete fix for CVE-2021-3712. Read buffer overruns processing ASN.1 strings (bsc#1189521). ----------------------------------------- Version Build5.8.68-4-Build5.8.68 2021-09-10T07:44:33 ----------------------------------------- Patch: SUSE-2021-3001 Released: Thu Sep 9 15:08:13 2021 Summary: Recommended update for netcfg Severity: moderate References: 1189683 Description: This update for netcfg fixes the following issues: - add submissions port/protocol to services file for message submission over TLS protocol [bsc#1189683] ----------------------------------------- Version Build5.8.70-4-Build5.8.70 2021-09-15T07:45:08 ----------------------------------------- Patch: SUSE-2021-3030 Released: Tue Sep 14 09:27:45 2021 Summary: Recommended update for patterns-base Severity: moderate References: 1189534,1189554 Description: This update of patterns-base fixes the following issue: - The fips pattern should also install 'openssh-fips' if 'openssh' is installed (bsc#1189554 bsc#1189534) ----------------------------------------- Version Build5.8.74-4-Build5.8.74 2021-09-23T07:44:41 ----------------------------------------- Patch: SUSE-2021-3182 Released: Tue Sep 21 17:04:26 2021 Summary: Recommended update for file Severity: moderate References: 1189996 Description: This update for file fixes the following issues: - Fixes exception thrown by memory allocation problem (bsc#1189996) ----------------------------------------- Version Build5.8.78-4-Build5.8.78 2021-10-09T10:13:37 ----------------------------------------- Patch: SUSE-2021-3298 Released: Wed Oct 6 16:54:52 2021 Summary: Security update for curl Severity: moderate References: 1190373,1190374,CVE-2021-22946,CVE-2021-22947 Description: This update for curl fixes the following issues: - CVE-2021-22947: Fixed STARTTLS protocol injection via MITM (bsc#1190374). - CVE-2021-22946: Fixed protocol downgrade required TLS bypassed (bsc#1190373). ----------------------------------------- Version Build5.8.79-4-Build5.8.79 2021-10-13T08:25:20 ----------------------------------------- Patch: SUSE-2021-3348 Released: Tue Oct 12 13:08:06 2021 Summary: Security update for systemd Severity: moderate References: 1134353,1171962,1184994,1188018,1188063,1188291,1188713,1189480,1190234,CVE-2021-33910 Description: This update for systemd fixes the following issues: - CVE-2021-33910: Fixed use of strdupa() on a path (bsc#1188063). - logind: terminate cleanly on SIGTERM/SIGINT (bsc#1188018). - Adopting BFQ to control I/O (jsc#SLE-21032, bsc#1134353). - Rules weren't applied to dm devices (multipath) (bsc#1188713). - Ignore obsolete 'elevator' kernel parameter (bsc#1184994, bsc#1190234). - Make sure the versions of both udev and systemd packages are always the same (bsc#1189480). - Avoid error message when udev is updated due to udev being already active when the sockets are started again (bsc#1188291). - Allow the systemd sysusers config files to be overriden during system installation (bsc#1171962). ----------------------------------------- Patch: SUSE-2021-3385 Released: Tue Oct 12 15:54:31 2021 Summary: Security update for glibc Severity: moderate References: 1186489,1187911,CVE-2021-33574,CVE-2021-35942 Description: This update for glibc fixes the following issues: - CVE-2021-35942: wordexp: handle overflow in positional parameter number (bsc#1187911) - CVE-2021-33574: Use __pthread_attr_copy in mq_notify (bsc#1186489) ----------------------------------------- Version Build5.8.82-4-Build5.8.82 2021-10-16T08:25:37 ----------------------------------------- Patch: SUSE-2021-3444 Released: Fri Oct 15 09:03:07 2021 Summary: Security update for rpm Severity: important References: 1179416,1183543,1183545,1183632,1183659,1185299,1187670,1188548,CVE-2021-20266,CVE-2021-20271,CVE-2021-3421 Description: This update for rpm fixes the following issues: Security issues fixed: - CVE-2021-3421, CVE-2021-20271, CVE-2021-20266: Multiple header check improvements (bsc#1183543, bsc#1183545, bsc#1183632) - PGP hardening changes (bsc#1185299) - Fixed potential access of freed mem in ndb's glue code (bsc#1179416) Maintaince issues fixed: - Fixed zstd detection (bsc#1187670) - Added ndb rofs support (bsc#1188548) - Fixed deadlock when multiple rpm processes try tp acquire the database lock (bsc#1183659) ----------------------------------------- Version Build5.8.84-4-Build5.8.84 2021-10-19T08:24:13 ----------------------------------------- Patch: SUSE-2021-3454 Released: Mon Oct 18 09:29:26 2021 Summary: Security update for krb5 Severity: moderate References: 1189929,CVE-2021-37750 Description: This update for krb5 fixes the following issues: - CVE-2021-37750: Fixed KDC null pointer dereference via a FAST inner body that lacks a server field (bsc#1189929). ----------------------------------------- Version Build5.8.86-4-Build5.8.86 2021-10-21T08:31:48 ----------------------------------------- Patch: SUSE-2021-3480 Released: Wed Oct 20 11:24:10 2021 Summary: Recommended update for yast2-network Severity: moderate References: 1185016,1185524,1186910,1187270,1187512,1188344,1190645,1190739,1190915,1190933 Description: This update for yast2-network fixes the following issues: - Don't crash when the interfaces table contains a not configured one (bnc#1190645, bsc#1190915). - Fix the shown description using the interface friendly name when it is empty (bsc#1190933). - Consider aliases sections as case insensitive (bsc#1190739). - Display user defined device name in the devices overview (bnc#1190645). - Don't crash when defined aliases in AutoYaST profile are not defined as a map (bsc#1188344). - Support 'boot' and 'on' as aliases for the 'auto' startmode (bsc#1186910). - Fix desktop file so the control center tooltip is translated (bsc#1187270). - Use the linuxrc proxy settings for the HTTPS and FTP proxies (bsc#1185016). - Don't crash at the end of installation when storing wifi configuration for NetworkManager (bsc#1185524, bsc#1187512). ----------------------------------------- Patch: SUSE-2021-3490 Released: Wed Oct 20 16:31:55 2021 Summary: Security update for ncurses Severity: moderate References: 1190793,CVE-2021-39537 Description: This update for ncurses fixes the following issues: - CVE-2021-39537: Fixed an heap-based buffer overflow in _nc_captoinfo. (bsc#1190793) ----------------------------------------- Patch: SUSE-2021-3494 Released: Wed Oct 20 16:48:46 2021 Summary: Recommended update for pam Severity: moderate References: 1190052 Description: This update for pam fixes the following issues: - Added pam_faillock to the set of available PAM modules. (jsc#SLE-20638) - Added new file macros.pam on request of systemd. (bsc#1190052) ----------------------------------------- Version Build5.8.87-4-Build5.8.87 2021-10-23T08:25:56 ----------------------------------------- Patch: SUSE-2020-3026 Released: Fri Oct 23 15:35:49 2020 Summary: Optional update for the Public Cloud Module Severity: moderate References: Description: This update adds the Google Cloud Storage packages to the Public Cloud module (jsc#ECO-2398). The following packages were included: - python3-grpcio - python3-protobuf - python3-google-api-core - python3-google-cloud-core - python3-google-cloud-storage - python3-google-resumable-media - python3-googleapis-common-protos - python3-grpcio-gcp - python3-mock (updated to version 3.0.5) ----------------------------------------- Patch: SUSE-2021-294 Released: Wed Feb 3 12:54:28 2021 Summary: Recommended update for libprotobuf Severity: moderate References: Description: libprotobuf was updated to fix: - ship the libprotobuf-lite15 on the basesystem module and the INSTALLER channel. (jsc#ECO-2911) ----------------------------------------- Patch: SUSE-2021-656 Released: Mon Mar 1 09:34:21 2021 Summary: Recommended update for protobuf Severity: moderate References: 1177127 Description: This update for protobuf fixes the following issues: - Add missing dependency of python subpackages on python-six. (bsc#1177127) ----------------------------------------- Patch: SUSE-2021-3501 Released: Fri Oct 22 10:42:46 2021 Summary: Recommended update for libzypp, zypper, libsolv, protobuf Severity: moderate References: 1186503,1186602,1187224,1187425,1187466,1187738,1187760,1188156,1188435,1189031,1190059,1190199,1190465,1190712,1190815 Description: This update for libzypp, zypper, libsolv and protobuf fixes the following issues: - Choice rules: treat orphaned packages as newest (bsc#1190465) - Avoid calling 'su' to detect a too restrictive sudo user umask (bsc#1186602) - Do not check of signatures and keys two times(redundant) (bsc#1190059) - Rephrase vendor conflict message in case 2 packages are involved (bsc#1187760) - Show key fpr from signature when signature check fails (bsc#1187224) - Fix solver jobs for PTFs (bsc#1186503) - Fix purge-kernels fails (bsc#1187738) - Fix obs:// platform guessing for Leap (bsc#1187425) - Make sure to keep states alives while transitioning. (bsc#1190199) - Manpage: Improve description about patch updates(bsc#1187466) - Manpage: Recommend the needs-rebooting command to test whether a system reboot is suggested. - Fix kernel-*-livepatch removal in purge-kernels. (bsc#1190815) - Fix crashes in logging code when shutting down (bsc#1189031) - Do not download full files even if the checkExistsOnly flag is set. (bsc#1190712) - Add need reboot/restart hint to XML install summary (bsc#1188435) - Prompt: choose exact match if prompt options are not prefix free (bsc#1188156) - Include libprotobuf-lite20 in products to enable parallel downloads. (jsc#ECO-2911, jsc#SLE-16862) ----------------------------------------- Version Build5.8.90-4-Build5.8.90 2021-10-27T08:23:29 ----------------------------------------- Patch: SUSE-2021-3510 Released: Tue Oct 26 11:22:15 2021 Summary: Recommended update for pam Severity: important References: 1191987 Description: This update for pam fixes the following issues: - Fixed a bad directive file which resulted in the 'securetty' file to be installed as 'macros.pam'. (bsc#1191987) ----------------------------------------- Patch: SUSE-2021-3523 Released: Tue Oct 26 15:40:13 2021 Summary: Security update for util-linux Severity: moderate References: 1122417,1125886,1178236,1188921,CVE-2021-37600 Description: This update for util-linux fixes the following issues: Update to version 2.33.2 to provide seamless update from SLE12 SP5 to SLE15 SP2: - CVE-2021-37600: Fixed an integer overflow which could lead to a buffer overflow in get_sem_elements() in sys-utils/ipcutils.c (bsc#1188921). - agetty: Fix 8-bit processing in get_logname() (bsc#1125886). - mount: Fix 'mount' output for net file systems (bsc#1122417). - ipcs: Avoid overflows (bsc#1178236) ----------------------------------------- Version Build5.8.93-4-Build5.8.93 2021-10-28T08:25:01 ----------------------------------------- Patch: SUSE-2021-3529 Released: Wed Oct 27 09:23:32 2021 Summary: Security update for pcre Severity: moderate References: 1172973,1172974,CVE-2019-20838,CVE-2020-14155 Description: This update for pcre fixes the following issues: Update pcre to version 8.45: - CVE-2020-14155: Fixed integer overflow via a large number after a '(?C' substring (bsc#1172974). - CVE-2019-20838: Fixed buffer over-read in JIT compiler (bsc#1172973) ----------------------------------------- Version Build5.8.104-4-Build5.8.104 2021-11-25T08:24:35 ----------------------------------------- Patch: SUSE-2021-3799 Released: Wed Nov 24 18:07:54 2021 Summary: Recommended update for gcc11 Severity: moderate References: 1187153,1187273,1188623 Description: This update for gcc11 fixes the following issues: The additional GNU compiler collection GCC 11 is provided: To select these compilers install the packages: - gcc11 - gcc-c++11 - and others with 11 prefix. to select them for building: - CC='gcc-11' - CXX='g++-11' The compiler baselibraries (libgcc_s1, libstdc++6 and others) are being replaced by the GCC 11 variants. ----------------------------------------- Version Build5.8.105-4-Build5.8.105 2021-11-26T08:24:17 ----------------------------------------- Patch: SUSE-2021-3809 Released: Fri Nov 26 00:31:59 2021 Summary: Recommended update for systemd Severity: moderate References: 1189803,1190325,1190440,1190984,1191252,1192161 Description: This update for systemd fixes the following issues: - Add timestamp to D-Bus events to improve traceability (jsc#SLE-21862, jsc#SLE-18102, jsc#SLE-18103) - Fix IO scheduler udev rules to address performance issues (jsc#SLE-21032, bsc#1192161) - shutdown: Reduce log level of unmounts (bsc#1191252) - pid1: make use of new 'prohibit_ipc' logging flag in PID 1 (bsc#1189803) - core: rework how we connect to the bus (bsc#1190325) - mount-util: fix fd_is_mount_point() when both the parent and directory are network fs (bsc#1190984) - virt: detect Amazon EC2 Nitro instance (bsc#1190440) - Several fixes for umount - busctl: use usec granularity for the timestamp printed by the busctl monitor command - fix unitialized fields in MountPoint in dm_list_get() - shutdown: explicitly set a log target - mount-util: add mount_option_mangle() - dissect: automatically mark partitions read-only that have a read-only file system - build-sys: require proper libmount version - systemd-shutdown: use log_set_prohibit_ipc(true) - rationalize interface for opening/closing logging - pid1: when we can't log to journal, remember our fallback log target - log: remove LOG_TARGET_SAFE pseudo log target - log: add brief comment for log_set_open_when_needed() and log_set_always_reopen_console() - log: add new 'prohibit_ipc' flag to logging system - log: make log_set_upgrade_syslog_to_journal() take effect immediately - dbus: split up bus_done() into seperate functions - machine-id-setup: generate machine-id from DMI product ID on Amazon EC2 - virt: if we detect Xen by DMI, trust that over CPUID ----------------------------------------- Version Build5.8.109-4-Build5.8.109 2021-12-02T08:24:36 ----------------------------------------- Patch: SUSE-2021-3830 Released: Wed Dec 1 13:45:46 2021 Summary: Security update for glibc Severity: moderate References: 1027496,1183085,CVE-2016-10228 Description: This update for glibc fixes the following issues: - libio: do not attempt to free wide buffers of legacy streams (bsc#1183085) - CVE-2016-10228: Rewrite iconv option parsing to fix security issue (bsc#1027496) ----------------------------------------- Patch: SUSE-2021-3870 Released: Thu Dec 2 07:11:50 2021 Summary: Recommended update for libzypp, zypper Severity: moderate References: 1190356,1191286,1191324,1191370,1191609,1192337,1192436 Description: This update for libzypp, zypper fixes the following issues: libzypp: - Check log writer before accessing it (bsc#1192337) - Zypper should keep cached files if transaction is aborted (bsc#1190356) - Require a minimum number of mirrors for multicurl (bsc#1191609) - Fixed slowdowns when rlimit is too high by using procfs to detect niumber of open file descriptors (bsc#1191324) - Fixed zypper incomplete messages when using non English localization (bsc#1191370) - RepoManager: Don't probe for plaindir repository if the URL schema is a plugin (bsc#1191286) - Disable logger in the child process after fork (bsc#1192436) zypper: - Fixed Zypper removing a kernel explicitely pinned that uses uname -r output format as name (openSUSE/zypper#418) ----------------------------------------- Patch: SUSE-2021-3872 Released: Thu Dec 2 07:25:55 2021 Summary: Recommended update for cracklib Severity: moderate References: 1191736 Description: This update for cracklib fixes the following issues: - Enable build time tests (bsc#1191736) ----------------------------------------- Version Build5.8.112-4-Build5.8.112 2021-12-05T08:22:29 ----------------------------------------- Patch: SUSE-2021-3891 Released: Fri Dec 3 10:21:49 2021 Summary: Recommended update for keyutils Severity: moderate References: 1029961,1113013,1187654 Description: This update for keyutils fixes the following issues: - Add /etc/keys/ and /usr/etc/keys/ directory (bsc#1187654) keyutils was updated to 1.6.3 (jsc#SLE-20016): * Revert the change notifications that were using /dev/watch_queue. * Apply the change notifications that use pipe2(O_NOTIFICATION_PIPE). * Allow 'keyctl supports' to retrieve raw capability data. * Allow 'keyctl id' to turn a symbolic key ID into a numeric ID. * Allow 'keyctl new_session' to name the keyring. * Allow 'keyctl add/padd/etc.' to take hex-encoded data. * Add 'keyctl watch*' to expose kernel change notifications on keys. * Add caps for namespacing and notifications. * Set a default TTL on keys that upcall for name resolution. * Explicitly clear memory after it's held sensitive information. * Various manual page fixes. * Fix C++-related errors. * Add support for keyctl_move(). * Add support for keyctl_capabilities(). * Make key=val list optional for various public-key ops. * Fix system call signature for KEYCTL_PKEY_QUERY. * Fix 'keyctl pkey_query' argument passing. * Use keyctl_read_alloc() in dump_key_tree_aux(). * Various manual page fixes. Updated to 1.6: * Apply various specfile cleanups from Fedora. * request-key: Provide a command line option to suppress helper execution. * request-key: Find least-wildcard match rather than first match. * Remove the dependency on MIT Kerberos. * Fix some error messages * keyctl_dh_compute.3: Suggest /proc/crypto for list of available hashes. * Fix doc and comment typos. * Add public key ops for encrypt, decrypt, sign and verify (needs linux-4.20). * Add pkg-config support for finding libkeyutils. * upstream isn't offering PGP signatures for the source tarballs anymore Updated to 1.5.11 (bsc#1113013) * Add keyring restriction support. * Add KDF support to the Diffie-Helman function. * DNS: Add support for AFS config files and SRV records ----------------------------------------- Patch: SUSE-2021-3899 Released: Fri Dec 3 11:27:41 2021 Summary: Security update for aaa_base Severity: moderate References: 1162581,1174504,1191563,1192248 Description: This update for aaa_base fixes the following issues: - Allowed ping and ICMP commands without CAP_NET_RAW (bsc#1174504). - Add $HOME/.local/bin to PATH, if it exists (bsc#1192248). - Fixed get_kernel_version.c to work also for recent kernels on the s390/X platform (bsc#1191563). - Support xz compressed kernel (bsc#1162581) ----------------------------------------- Version Build5.8.113-4-Build5.8.113 2021-12-08T08:25:10 ----------------------------------------- Patch: SUSE-2021-3946 Released: Mon Dec 6 14:57:42 2021 Summary: Security update for gmp Severity: moderate References: 1192717,CVE-2021-43618 Description: This update for gmp fixes the following issues: - CVE-2021-43618: Fixed buffer overflow via crafted input in mpz/inp_raw.c (bsc#1192717). ----------------------------------------- Version Build5.8.124-4-Build5.8.124 2021-12-26T08:28:05 ----------------------------------------- Patch: SUSE-2021-4139 Released: Tue Dec 21 17:02:44 2021 Summary: Recommended update for systemd Severity: critical References: 1193481,1193521 Description: This update for systemd fixes the following issues: - Revert 'core: rework how we connect to the bus' (bsc#1193521 bsc#1193481) sleep-config: partitions can't be deleted, only files can shared/sleep-config: exclude zram devices from hibernation candidates ----------------------------------------- Patch: SUSE-2021-4145 Released: Wed Dec 22 05:27:48 2021 Summary: Recommended update for openssl-1_1 Severity: moderate References: 1161276 Description: This update for openssl-1_1 fixes the following issues: - Remove previously applied patch because it interferes with FIPS validation (bsc#1161276) ----------------------------------------- Patch: SUSE-2021-4154 Released: Wed Dec 22 11:02:38 2021 Summary: Security update for p11-kit Severity: important References: 1180064,1187993,CVE-2020-29361 Description: This update for p11-kit fixes the following issues: - CVE-2020-29361: Fixed multiple integer overflows in rpc code (bsc#1180064) - Add support for CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER (bsc#1187993). ----------------------------------------- Patch: SUSE-2021-4182 Released: Thu Dec 23 11:51:51 2021 Summary: Recommended update for zlib Severity: moderate References: 1192688 Description: This update for zlib fixes the following issues: - Fix hardware compression incorrect result on z15 hardware (bsc#1192688) ----------------------------------------- Version Build5.8.126-4-Build5.8.126 2021-12-29T08:29:55 ----------------------------------------- Patch: SUSE-2021-4192 Released: Tue Dec 28 10:39:50 2021 Summary: Security update for permissions Severity: moderate References: 1174504 Description: This update for permissions fixes the following issues: - Update to version 20181225: * drop ping capabilities in favor of ICMP_PROTO sockets (bsc#1174504) ----------------------------------------- Version Build5.8.129-4-Build5.8.129 2022-01-04T08:21:51 ----------------------------------------- Patch: SUSE-2022-4 Released: Mon Jan 3 08:28:54 2022 Summary: Recommended update for libgcrypt Severity: moderate References: 1193480 Description: This update for libgcrypt fixes the following issues: - Fix function gcry_mpi_sub_ui subtracting from negative value (bsc#1193480) ----------------------------------------- Version Build5.8.134-4-Build5.8.134 2022-01-18T08:23:00 ----------------------------------------- Patch: SUSE-2022-93 Released: Tue Jan 18 05:11:58 2022 Summary: Recommended update for openssl-1_1 Severity: important References: 1192489 Description: This update for openssl-1_1 fixes the following issues: - Add RSA_get0_pss_params() accessor that is used by nodejs16 and provide openssl-has-RSA_get0_pss_params (bsc#1192489) ----------------------------------------- Patch: SUSE-2022-94 Released: Tue Jan 18 05:13:24 2022 Summary: Recommended update for rpm Severity: important References: 1180125,1193711 Description: This update for rpm fixes the following issues: - Add explicit requirement on python-rpm-macros (bsc#1180125, bsc#1193711) ----------------------------------------- Version Build5.8.135-4-Build5.8.135 2022-01-20T16:32:47 ----------------------------------------- Patch: SUSE-2022-141 Released: Thu Jan 20 13:47:16 2022 Summary: Security update for permissions Severity: moderate References: 1169614 Description: This update for permissions fixes the following issues: - Update to version 20181225: setuid bit for cockpit session binary (bsc#1169614). ----------------------------------------- Version Build5.8.146-4-Build5.8.146 2022-02-01T08:23:29 ----------------------------------------- Patch: SUSE-2022-228 Released: Mon Jan 31 06:07:52 2022 Summary: Recommended update for boost Severity: moderate References: 1194522 Description: This update for boost fixes the following issues: - Fix compilation errors (bsc#1194522) ----------------------------------------- Version Build5.8.151-4-Build5.8.151 2022-02-09T08:26:01 ----------------------------------------- Patch: SUSE-2022-348 Released: Tue Feb 8 13:02:20 2022 Summary: Recommended update for libzypp Severity: important References: 1193007,1193488,1194597,1194898,954813 Description: This update for libzypp fixes the following issues: - RepoManager: remember execution errors in exception history (bsc#1193007) - Fix exception handling when reading or writing credentials (bsc#1194898) - Fix install path for parser (bsc#1194597) - Fix Legacy include (bsc#1194597) - Public header files on older distros must use c++11 (bsc#1194597) - Use the default zypp.conf settings if no zypp.conf exists (bsc#1193488) - Fix wrong encoding of URI compontents of ISO images (bsc#954813) - When invoking 32bit mode in userland of an aarch64 kernel, handle armv8l as armv7hl compatible - Introduce zypp-curl as a sublibrary for CURL related code - zypp-rpm: Increase rpm loglevel if ZYPP_RPM_DEBUG is set - Save all signatures associated with a public key in its PublicKeyData ----------------------------------------- Version Build5.8.153-4-Build5.8.153 2022-02-21T08:23:26 ----------------------------------------- Patch: SUSE-2022-511 Released: Fri Feb 18 12:41:53 2022 Summary: Recommended update for coreutils Severity: moderate References: 1082318,1189152 Description: This update for coreutils fixes the following issues: - Add 'fuse.portal' as a dummy file system (used in flatpak implementations) (bsc#1189152). - Properly sort docs and license files (bsc#1082318). ----------------------------------------- Patch: SUSE-2022-523 Released: Fri Feb 18 12:49:09 2022 Summary: Recommended update for systemd Severity: moderate References: 1193759,1193841 Description: This update for systemd fixes the following issues: - systemctl: exit with 1 if no unit files found (bsc#1193841). - add rules for virtual devices (bsc#1193759). - enforce 'none' for loop devices (bsc#1193759). ----------------------------------------- Version Build5.8.165-4-Build5.8.165 2022-03-06T08:24:13 ----------------------------------------- Patch: SUSE-2022-674 Released: Wed Mar 2 13:24:38 2022 Summary: Recommended update for yast2-network Severity: moderate References: 1187512 Description: This update for yast2-network fixes the following issues: - Don't crash at the end of installation when storing wifi configuration for NetworkManager. (bsc#1187512) ----------------------------------------- Patch: SUSE-2022-692 Released: Thu Mar 3 15:46:47 2022 Summary: Recommended update for filesystem Severity: moderate References: 1190447 Description: This update for filesystem fixes the following issues: - Release ported filesystem to LTSS channels (bsc#1190447). ----------------------------------------- Patch: SUSE-2022-702 Released: Thu Mar 3 18:22:59 2022 Summary: Security update for cyrus-sasl Severity: important References: 1196036,CVE-2022-24407 Description: This update for cyrus-sasl fixes the following issues: - CVE-2022-24407: Fixed SQL injection in sql_auxprop_store in plugins/sql.c (bsc#1196036). ----------------------------------------- Patch: SUSE-2022-717 Released: Fri Mar 4 09:45:20 2022 Summary: Security update for gnutls Severity: moderate References: 1196167,CVE-2021-4209 Description: This update for gnutls fixes the following issues: - CVE-2021-4209: Fixed null pointer dereference in MD_UPDATE (bsc#1196167). ----------------------------------------- Version Build5.8.176-4-Build5.8.176 2022-03-18T16:43:26 ----------------------------------------- Patch: SUSE-2022-787 Released: Thu Mar 10 11:20:13 2022 Summary: Recommended update for openldap2 Severity: moderate References: Description: This update for openldap2 fixes the following issue: - restore CLDAP functionality in CLI tools (jsc#PM-3288) ----------------------------------------- Patch: SUSE-2022-788 Released: Thu Mar 10 11:21:04 2022 Summary: Recommended update for libzypp, zypper Severity: moderate References: 1195326 Description: This update for libzypp, zypper fixes the following issues: - Fix handling of redirected command in-/output (bsc#1195326) This fixes delays at the end of zypper operations, where zypper unintentionally waits for appdata plugin scripts to complete. ----------------------------------------- Patch: SUSE-2022-808 Released: Fri Mar 11 06:07:58 2022 Summary: Recommended update for procps Severity: moderate References: 1195468 Description: This update for procps fixes the following issues: - Stop registering signal handler for SIGURG, to avoid `ps` failure if someone sends such signal. Without the signal handler, SIGURG will just be ignored. (bsc#1195468) ----------------------------------------- Patch: SUSE-2022-832 Released: Mon Mar 14 17:27:03 2022 Summary: Security update for glibc Severity: important References: 1193625,1194640,1194768,1194770,1195560,CVE-2015-8985,CVE-2021-3999,CVE-2022-23218,CVE-2022-23219 Description: glibc was updated to fix the following issues: Security issues fixed: - CVE-2022-23219: Fixed Buffer overflow in sunrpc clnt_create for 'unix' (bsc#1194768) - CVE-2022-23218: Buffer overflow in sunrpc svcunix_create (bsc#1194770) - CVE-2021-3999: Fixed getcwd to set errno to ERANGE for size == 1 (bsc#1194640) - CVE-2015-8985: Fixed Assertion failure in pop_fail_stack when executing a malformed regexp (bsc#1193625) Also the following bug was fixed: - Fix pthread_rwlock_try*lock stalls (bsc#1195560) ----------------------------------------- Patch: SUSE-2022-845 Released: Tue Mar 15 11:40:52 2022 Summary: Security update for chrony Severity: moderate References: 1099272,1115529,1128846,1162964,1172113,1173277,1174075,1174911,1180689,1181826,1187906,1190926,1194229,CVE-2020-14367 Description: This update for chrony fixes the following issues: Chrony was updated to 4.1, bringing features and bugfixes. Update to 4.1 * Add support for NTS servers specified by IP address (matching Subject Alternative Name in server certificate) * Add source-specific configuration of trusted certificates * Allow multiple files and directories with trusted certificates * Allow multiple pairs of server keys and certificates * Add copy option to server/pool directive * Increase PPS lock limit to 40% of pulse interval * Perform source selection immediately after loading dump files * Reload dump files for addresses negotiated by NTS-KE server * Update seccomp filter and add less restrictive level * Restart ongoing name resolution on online command * Fix dump files to not include uncorrected offset * Fix initstepslew to accept time from own NTP clients * Reset NTP address and port when no longer negotiated by NTS-KE server - Ensure the correct pool packages are installed for openSUSE and SLE (bsc#1180689). - Fix pool package dependencies, so that SLE prefers chrony-pool-suse over chrony-pool-empty. (bsc#1194229) - Enable syscallfilter unconditionally [bsc#1181826]. Update to 4.0 - Enhancements - Add support for Network Time Security (NTS) authentication - Add support for AES-CMAC keys (AES128, AES256) with Nettle - Add authselectmode directive to control selection of unauthenticated sources - Add binddevice, bindacqdevice, bindcmddevice directives - Add confdir directive to better support fragmented configuration - Add sourcedir directive and 'reload sources' command to support dynamic NTP sources specified in files - Add clockprecision directive - Add dscp directive to set Differentiated Services Code Point (DSCP) - Add -L option to limit log messages by severity - Add -p option to print whole configuration with included files - Add -U option to allow start under non-root user - Allow maxsamples to be set to 1 for faster update with -q/-Q option - Avoid replacing NTP sources with sources that have unreachable address - Improve pools to repeat name resolution to get 'maxsources' sources - Improve source selection with trusted sources - Improve NTP loop test to prevent synchronisation to itself - Repeat iburst when NTP source is switched from offline state to online - Update clock synchronisation status and leap status more frequently - Update seccomp filter - Add 'add pool' command - Add 'reset sources' command to drop all measurements - Add authdata command to print details about NTP authentication - Add selectdata command to print details about source selection - Add -N option and sourcename command to print original names of sources - Add -a option to some commands to print also unresolved sources - Add -k, -p, -r options to clients command to select, limit, reset data - Bug fixes - Don’t set interface for NTP responses to allow asymmetric routing - Handle RTCs that don’t support interrupts - Respond to command requests with correct address on multihomed hosts - Removed features - Drop support for RIPEMD keys (RMD128, RMD160, RMD256, RMD320) - Drop support for long (non-standard) MACs in NTPv4 packets (chrony 2.x clients using non-MD5/SHA1 keys need to use option 'version 3') - Drop support for line editing with GNU Readline - By default we don't write log files but log to journald, so only recommend logrotate. - Adjust and rename the sysconfig file, so that it matches the expectations of chronyd.service (bsc#1173277). Update to 3.5.1: * Create new file when writing pidfile (CVE-2020-14367, bsc#1174911) - Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075) - Use iburst in the default pool statements to speed up initial synchronisation (bsc#1172113). Update to 3.5: + Add support for more accurate reading of PHC on Linux 5.0 + Add support for hardware timestamping on interfaces with read-only timestamping configuration + Add support for memory locking and real-time priority on FreeBSD, NetBSD, Solaris + Update seccomp filter to work on more architectures + Validate refclock driver options + Fix bindaddress directive on FreeBSD + Fix transposition of hardware RX timestamp on Linux 4.13 and later + Fix building on non-glibc systems - Fix location of helper script in chrony-dnssrv@.service (bsc#1128846). - Read runtime servers from /var/run/netconfig/chrony.servers to fix bsc#1099272. - Move chrony-helper to /usr/lib/chrony/helper, because there should be no executables in /usr/share. Update to version 3.4 * Enhancements + Add filter option to server/pool/peer directive + Add minsamples and maxsamples options to hwtimestamp directive + Add support for faster frequency adjustments in Linux 4.19 + Change default pidfile to /var/run/chrony/chronyd.pid to allow chronyd without root privileges to remove it on exit + Disable sub-second polling intervals for distant NTP sources + Extend range of supported sub-second polling intervals + Get/set IPv4 destination/source address of NTP packets on FreeBSD + Make burst options and command useful with short polling intervals + Modify auto_offline option to activate when sending request failed + Respond from interface that received NTP request if possible + Add onoffline command to switch between online and offline state according to current system network configuration + Improve example NetworkManager dispatcher script * Bug fixes + Avoid waiting in Linux getrandom system call + Fix PPS support on FreeBSD and NetBSD Update to version 3.3 * Enhancements: + Add burst option to server/pool directive + Add stratum and tai options to refclock directive + Add support for Nettle crypto library + Add workaround for missing kernel receive timestamps on Linux + Wait for late hardware transmit timestamps + Improve source selection with unreachable sources + Improve protection against replay attacks on symmetric mode + Allow PHC refclock to use socket in /var/run/chrony + Add shutdown command to stop chronyd + Simplify format of response to manual list command + Improve handling of unknown responses in chronyc * Bug fixes: + Respond to NTPv1 client requests with zero mode + Fix -x option to not require CAP_SYS_TIME under non-root user + Fix acquisitionport directive to work with privilege separation + Fix handling of socket errors on Linux to avoid high CPU usage + Fix chronyc to not get stuck in infinite loop after clock step ----------------------------------------- Patch: SUSE-2022-861 Released: Tue Mar 15 23:30:48 2022 Summary: Recommended update for openssl-1_1 Severity: moderate References: 1182959,1195149,1195792,1195856 Description: This update for openssl-1_1 fixes the following issues: openssl-1_1: - Fix PAC pointer authentication in ARM (bsc#1195856) - Pull libopenssl-1_1 when updating openssl-1_1 with the same version (bsc#1195792) - FIPS: Fix function and reason error codes (bsc#1182959) - Enable zlib compression support (bsc#1195149) glibc: - Resolve installation issue of `glibc-devel` in SUSE Linux Enterprise Micro 5.1 linux-glibc-devel: - Resolve installation issue of `linux-kernel-headers` in SUSE Linux Enterprise Micro 5.1 libxcrypt: - Resolve installation issue of `libxcrypt-devel` in SUSE Linux Enterprise Micro 5.1 zlib: - Resolve installation issue of `zlib-devel` in SUSE Linux Enterprise Micro 5.1 ----------------------------------------- Patch: SUSE-2022-867 Released: Wed Mar 16 07:14:44 2022 Summary: Recommended update for libtirpc Severity: moderate References: 1193805 Description: This update for libtirpc fixes the following issues: - Fix memory leak in client protocol version 2 code (bsc#1193805) ----------------------------------------- Patch: SUSE-2022-874 Released: Wed Mar 16 10:40:52 2022 Summary: Recommended update for openldap2 Severity: moderate References: 1197004 Description: This update for openldap2 fixes the following issue: - Revert jsc#PM-3288 - CLDAP ( -DLDAP_CONNECTIONLESS ) due to regression (bsc#1197004) ----------------------------------------- Version Build5.8.180-4-Build5.8.180 2022-03-26T17:37:10 ----------------------------------------- Patch: SUSE-2022-936 Released: Tue Mar 22 18:10:17 2022 Summary: Recommended update for filesystem and systemd-rpm-macros Severity: moderate References: 1196275,1196406 Description: This update for filesystem and systemd-rpm-macros fixes the following issues: filesystem: - Add path /lib/modprobe.d (bsc#1196275, jsc#SLE-20639) systemd-rpm-macros: - Make %_modprobedir point to /lib/modprobe.d (bsc#1196275, bsc#1196406) ----------------------------------------- Version Build5.8.185-4-Build5.8.185 2022-03-30T09:00:22 ----------------------------------------- Patch: SUSE-2022-1021 Released: Tue Mar 29 13:24:21 2022 Summary: Recommended update for systemd Severity: moderate References: 1195899 Description: This update for systemd fixes the following issues: - allow setting external core size to infinity (bsc#1195899 jsc#SLE-23868 jsc#SLE-23870) ----------------------------------------- Version Build5.8.187-4-Build5.8.187 2022-04-01T09:00:25 ----------------------------------------- Patch: SUSE-2022-1040 Released: Wed Mar 30 09:40:58 2022 Summary: Security update for protobuf Severity: moderate References: 1195258,CVE-2021-22570 Description: This update for protobuf fixes the following issues: - CVE-2021-22570: Fix incorrect parsing of nullchar in the proto symbol (bsc#1195258). ----------------------------------------- Patch: SUSE-2022-1047 Released: Wed Mar 30 16:20:56 2022 Summary: Recommended update for pam Severity: moderate References: 1196093,1197024 Description: This update for pam fixes the following issues: - Define _pam_vendordir as the variable is needed by systemd and others. (bsc#1196093) - Between allocating the variable 'ai' and free'ing them, there are two 'return NO' were we don't free this variable. This patch inserts freaddrinfo() calls before the 'return NO;'s. (bsc#1197024) ----------------------------------------- Patch: SUSE-2022-1061 Released: Wed Mar 30 18:27:06 2022 Summary: Security update for zlib Severity: important References: 1197459,CVE-2018-25032 Description: This update for zlib fixes the following issues: - CVE-2018-25032: Fixed memory corruption on deflate (bsc#1197459). ----------------------------------------- Version Build5.8.189-4-Build5.8.189 2022-04-02T09:00:21 ----------------------------------------- Patch: SUSE-2022-1073 Released: Fri Apr 1 11:45:01 2022 Summary: Security update for yaml-cpp Severity: moderate References: 1121227,1121230,1122004,1122021,CVE-2018-20573,CVE-2018-20574,CVE-2019-6285,CVE-2019-6292 Description: This update for yaml-cpp fixes the following issues: - CVE-2018-20573: Fixed remote DOS via a crafted YAML file in function Scanner:EnsureTokensInQueue (bsc#1121227). - CVE-2018-20574: Fixed remote DOS via a crafted YAML file in function SingleDocParser:HandleFlowMap (bsc#1121230). - CVE-2019-6285: Fixed remote DOS via a crafted YAML file in function SingleDocParser::HandleFlowSequence (bsc#1122004). - CVE-2019-6292: Fixed DOS by stack consumption in singledocparser.cpp (bsc#1122021). ----------------------------------------- Version Build5.8.194-4-Build5.8.194 2022-04-05T09:00:20 ----------------------------------------- Patch: SUSE-2022-1099 Released: Mon Apr 4 12:53:05 2022 Summary: Recommended update for aaa_base Severity: moderate References: 1194883 Description: This update for aaa_base fixes the following issues: - Set net.ipv4.ping_group_range to allow ICMP ping (bsc#1194883) - Include all fixes and changes for systemwide inputrc to remove the 8 bit escape sequence which interfere with UTF-8 multi byte characters as well as support the vi mode of readline library ----------------------------------------- Patch: SUSE-2022-1109 Released: Mon Apr 4 17:50:01 2022 Summary: Recommended update for util-linux Severity: important References: 1172427,1194642 Description: This update for util-linux fixes the following issues: - Improve throughput and reduce clock sequence increments for high load situation with time based version 1 uuids. (bsc#1194642) - Prevent root owning of `/var/lib/libuuid/clock.txt`. (bsc#1194642) - Warn if uuidd lock state is not usable. (bsc#1194642) - Fix 'su -s' bash completion. (bsc#1172427) ----------------------------------------- Version Build5.8.201-4-Build5.8.201 2022-04-13T09:00:23 ----------------------------------------- Patch: SUSE-2022-1157 Released: Tue Apr 12 13:26:19 2022 Summary: Security update for libsolv, libzypp, zypper Severity: important References: 1184501,1194848,1195999,1196061,1196317,1196368,1196514,1196925,1197134 Description: This update for libsolv, libzypp, zypper fixes the following issues: Security relevant fix: - Harden package signature checks (bsc#1184501). libsolv update to 0.7.22: - reworked choice rule generation to cover more usecases - support SOLVABLE_PREREQ_IGNOREINST in the ordering code (bsc#1196514) - support parsing of Debian's Multi-Arch indicator - fix segfault on conflict resolution when using bindings - fix split provides not working if the update includes a forbidden vendor change - support strict repository priorities new solver flag: SOLVER_FLAG_STRICT_REPO_PRIORITY - support zstd compressed control files in debian packages - add an ifdef allowing to rename Solvable dependency members ('requires' is a keyword in C++20) - support setting/reading userdata in solv files new functions: repowriter_set_userdata, solv_read_userdata - support queying of the custom vendor check function new function: pool_get_custom_vendorcheck - support solv files with an idarray block - allow accessing the toolversion at runtime libzypp update to 17.30.0: - ZConfig: Update solver settings if target changes (bsc#1196368) - Fix possible hang in singletrans mode (bsc#1197134) - Do 2 retries if mount is still busy. - Fix package signature check (bsc#1184501) Pay attention that header and payload are secured by a valid signature and report more detailed which signature is missing. - Retry umount if device is busy (bsc#1196061, closes #381) A previously released ISO image may need a bit more time to release it's loop device. So we wait a bit and retry. - Fix serializing/deserializing type mismatch in zypp-rpm protocol (bsc#1196925) - Fix handling of ISO media in releaseAll (bsc#1196061) - Hint on common ptf resolver conflicts (bsc#1194848) - Hint on ptf<>patch resolver conflicts (bsc#1194848) zypper update to 1.14.52: - info: print the packages upstream URL if available (fixes #426) - info: Fix SEGV with not installed PTFs (bsc#1196317) - Don't prevent less restrictive umasks (bsc#1195999) ----------------------------------------- Patch: SUSE-2022-1158 Released: Tue Apr 12 14:44:43 2022 Summary: Security update for xz Severity: important References: 1198062,CVE-2022-1271 Description: This update for xz fixes the following issues: - CVE-2022-1271: Fixed an incorrect escaping of malicious filenames (ZDI-CAN-16587). (bsc#1198062) ----------------------------------------- Version Build5.8.205-4-Build5.8.205 2022-04-24T09:00:24 ----------------------------------------- Patch: SUSE-2022-1302 Released: Fri Apr 22 10:04:46 2022 Summary: Recommended update for e2fsprogs Severity: moderate References: 1196939 Description: This update for e2fsprogs fixes the following issues: - Add support for 'libreadline7' for Leap. (bsc#1196939) ----------------------------------------- Version Build5.8.208-4-Build5.8.208 2022-04-26T09:00:24 ----------------------------------------- Patch: SUSE-2022-1374 Released: Mon Apr 25 15:02:13 2022 Summary: Recommended update for openldap2 Severity: moderate References: 1191157,1197004 Description: This update for openldap2 fixes the following issues: - allow specification of max/min TLS version with TLS1.3 (bsc#1191157) - libldap was able to be out of step with openldap in some cases which could cause incorrect installations and symbol resolution failures. openldap2 and libldap now are locked to their related release versions. (bsc#1197004) - restore CLDAP functionality in CLI tools (jsc#PM-3288) ----------------------------------------- Version Build5.8.210-4-Build5.8.210 2022-04-27T09:00:25 ----------------------------------------- Patch: SUSE-2022-1409 Released: Tue Apr 26 12:54:57 2022 Summary: Recommended update for gcc11 Severity: moderate References: 1195628,1196107 Description: This update for gcc11 fixes the following issues: - Add a list of Obsoletes to libstdc++6-pp-gcc11 so updates from packages provided by older GCC work. Add a requires from that package to the corresponding libstc++6 package to keep those at the same version. [bsc#1196107] - Fixed memory corruption when creating dependences with the D language frontend. - Add gcc11-PIE, similar to gcc-PIE but affecting gcc11 [bsc#1195628] - Put libstdc++6-pp Requires on the shared library and drop to Recommends. ----------------------------------------- Version Build5.8.213-4-Build5.8.213 2022-04-29T13:01:42 ----------------------------------------- Patch: SUSE-2022-1452 Released: Thu Apr 28 10:48:06 2022 Summary: Recommended update for perl Severity: moderate References: 1193489 Description: This update for perl fixes the following issues: - Fix Socket::VERSION evaluation and stabilize Socket:VERSION comparisons (bsc#1193489) ----------------------------------------- Patch: SUSE-2022-1455 Released: Thu Apr 28 11:31:51 2022 Summary: Security update for glib2 Severity: low References: 1183533,CVE-2021-28153 Description: This update for glib2 fixes the following issues: - CVE-2021-28153: Fixed an issue where symlink targets would be incorrectly created as empty files (bsc#1183533). ----------------------------------------- Version Build5.8.225-4-Build5.8.225 2022-05-14T09:00:25 ----------------------------------------- Patch: SUSE-2022-1655 Released: Fri May 13 15:36:10 2022 Summary: Recommended update for pam Severity: moderate References: 1197794 Description: This update for pam fixes the following issue: - Do not include obsolete header files (bsc#1197794) ----------------------------------------- Patch: SUSE-2022-1657 Released: Fri May 13 15:39:07 2022 Summary: Security update for curl Severity: moderate References: 1198614,1198723,1198766,CVE-2022-22576,CVE-2022-27775,CVE-2022-27776 Description: This update for curl fixes the following issues: - CVE-2022-27776: Fixed auth/cookie leak on redirect (bsc#1198766) - CVE-2022-27775: Fixed bad local IPv6 connection reuse (bsc#1198723) - CVE-2022-22576: Fixed OAUTH2 bearer bypass in connection re-use (bsc#1198614) ----------------------------------------- Patch: SUSE-2022-1658 Released: Fri May 13 15:40:20 2022 Summary: Recommended update for libpsl Severity: important References: 1197771 Description: This update for libpsl fixes the following issues: - Fix libpsl compilation issues (bsc#1197771) ----------------------------------------- Version Build5.8.229-4-Build5.8.229 2022-05-17T09:00:23 ----------------------------------------- Patch: SUSE-2022-1670 Released: Mon May 16 10:06:30 2022 Summary: Security update for openldap2 Severity: important References: 1199240,CVE-2022-29155 Description: This update for openldap2 fixes the following issues: - CVE-2022-29155: Fixed SQL injection in back-sql (bsc#1199240). ----------------------------------------- Patch: SUSE-2022-1688 Released: Mon May 16 14:02:49 2022 Summary: Security update for e2fsprogs Severity: important References: 1198446,CVE-2022-1304 Description: This update for e2fsprogs fixes the following issues: - CVE-2022-1304: Fixed out-of-bounds read/write leading to segmentation fault and possibly arbitrary code execution. (bsc#1198446) ----------------------------------------- Patch: SUSE-2022-1691 Released: Mon May 16 15:13:39 2022 Summary: Recommended update for augeas Severity: moderate References: 1197443 Description: This update for augeas fixes the following issue: - Sysctl keys can contain some more non-alphanumeric characters. (bsc#1197443) ----------------------------------------- Version Build5.8.233-4-Build5.8.233 2022-05-20T09:00:21 ----------------------------------------- Patch: SUSE-2022-1750 Released: Thu May 19 15:28:20 2022 Summary: Security update for libxml2 Severity: important References: 1196490,1199132,CVE-2022-23308,CVE-2022-29824 Description: This update for libxml2 fixes the following issues: - CVE-2022-23308: Fixed a use-after-free of ID and IDREF attributes (bsc#1196490). - CVE-2022-29824: Fixed integer overflow that could have led to an out-of-bounds write in buf.c (xmlBuf*) and tree.c (xmlBuffer*) (bsc#1199132). ----------------------------------------- Version Build5.8.240-4-Build5.8.240 2022-05-28T09:00:22 ----------------------------------------- Patch: SUSE-2022-1870 Released: Fri May 27 10:03:40 2022 Summary: Security update for curl Severity: important References: 1199223,1199224,CVE-2022-27781,CVE-2022-27782 Description: This update for curl fixes the following issues: - CVE-2022-27781: Fixed CERTINFO never-ending busy-loop (bsc#1199223) - CVE-2022-27782: Fixed TLS and SSH connection too eager reuse (bsc#1199224) ----------------------------------------- Version Build5.8.244-4-Build5.8.244 2022-06-01T15:54:02 ----------------------------------------- Patch: SUSE-2022-1887 Released: Tue May 31 09:24:18 2022 Summary: Recommended update for grep Severity: moderate References: 1040589 Description: This update for grep fixes the following issues: - Make profiling deterministic. (bsc#1040589, SLE-24115) ----------------------------------------- Version Build5.8.249-4-Build5.8.249 2022-06-09T09:00:23 ----------------------------------------- Patch: SUSE-2022-2019 Released: Wed Jun 8 16:50:07 2022 Summary: Recommended update for gcc11 Severity: moderate References: 1192951,1193659,1195283,1196861,1197065 Description: This update for gcc11 fixes the following issues: Update to the GCC 11.3.0 release. * includes SLS hardening backport on x86_64. [bsc#1195283] * includes change to adjust gnats idea of the target, fixing the build of gprbuild. [bsc#1196861] * fixed miscompile of embedded premake in 0ad on i586. [bsc#1197065] * use --with-cpu rather than specifying --with-arch/--with-tune * Fix D memory corruption in -M output. * Fix ICE in is_this_parameter with coroutines. [bsc#1193659] * fixes issue with debug dumping together with -o /dev/null * fixes libgccjit issue showing up in emacs build [bsc#1192951] * Package mwaitintrin.h ----------------------------------------- Version Build5.8.255-4-Build5.8.255 2022-06-21T13:51:24 ----------------------------------------- Patch: SUSE-2022-2140 Released: Mon Jun 20 14:58:38 2022 Summary: Security update for node_exporter Severity: important References: 1190535,1196338,CVE-2022-21698 Description: This security update for golang-github-prometheus-node_exporter provides: Update golang-github-prometheus-node_exporter from version 1.1.2 to version 1.3.0 (bsc#1196338, jsc#SLE-24238, jsc#SLE-24239) - CVE-2022-21698: Denial of service using InstrumentHandlerCounter - Update vendor tarball with prometheus/client_golang 1.11.1 - Update to 1.3.0 * [CHANGE] Add path label to rapl collector #2146 * [CHANGE] Exclude filesystems under /run/credentials #2157 * [CHANGE] Add TCPTimeouts to netstat default filter #2189 * [FEATURE] Add lnstat collector for metrics from /proc/net/stat/ #1771 * [FEATURE] Add darwin powersupply collector #1777 * [FEATURE] Add support for monitoring GPUs on Linux #1998 * [FEATURE] Add Darwin thermal collector #2032 * [FEATURE] Add os release collector #2094 * [FEATURE] Add netdev.address-info collector #2105 * [FEATURE] Add clocksource metrics to time collector #2197 * [ENHANCEMENT] Support glob textfile collector directories #1985 * [ENHANCEMENT] ethtool: Expose node_ethtool_info metric #2080 * [ENHANCEMENT] Use include/exclude flags for ethtool filtering #2165 * [ENHANCEMENT] Add flag to disable guest CPU metrics #2123 * [ENHANCEMENT] Add DMI collector #2131 * [ENHANCEMENT] Add threads metrics to processes collector #2164 * [ENHANCMMENT] Reduce timer GC delays in the Linux filesystem collector #2169 * [ENHANCMMENT] Add TCPTimeouts to netstat default filter #2189 * [ENHANCMMENT] Use SysctlTimeval for boottime collector on BSD #2208 * [BUGFIX] ethtool: Sanitize metric names #2093 * [BUGFIX] Fix ethtool collector for multiple interfaces #2126 * [BUGFIX] Fix possible panic on macOS #2133 * [BUGFIX] Collect flag_info and bug_info only for one core #2156 * [BUGFIX] Prevent duplicate ethtool metric names #2187 - Update to 1.2.2 * Bug fixes Fix processes collector long int parsing #2112 - Update to 1.2.1 * Removed Remove obsolete capture permission denied error fix already included upstream * Bug fixes Fix zoneinfo parsing prometheus/procfs#386 Fix nvme collector log noise #2091 Fix rapl collector log noise #2092 - Update to 1.2.0 * Changes Rename filesystem collector flags to match other collectors #2012 Make node_exporter print usage to STDOUT #203 * Features Add conntrack statistics metrics #1155 Add ethtool stats collector #1832 Add flag to ignore network speed if it is unknown #1989 Add tapestats collector for Linux #2044 Add nvme collector #2062 * Enhancements Add ErrorLog plumbing to promhttp #1887 Add more Infiniband counters #2019 netclass: retrieve interface names and filter before parsing #2033 Add time zone offset metric #2060 * Bug fixes Handle errors from disabled PSI subsystem #1983 Fix panic when using backwards compatible flags #2000 Fix wrong value for OpenBSD memory buffer cache #2015 Only initiate collectors once #2048 Handle small backwards jumps in CPU idle #2067 - Capture permission denied error for 'energy_uj' file (bsc#1190535) ----------------------------------------- Version Build5.8.260-4-Build5.8.260 2022-07-05T09:00:22 ----------------------------------------- Patch: SUSE-2022-2251 Released: Mon Jul 4 09:52:25 2022 Summary: Security update for openssl-1_1 Severity: moderate References: 1185637,1199166,1200550,CVE-2022-1292,CVE-2022-2068 Description: This update for openssl-1_1 fixes the following issues: - CVE-2022-1292: Fixed command injection in c_rehash (bsc#1199166). - CVE-2022-2068: Fixed more shell code injection issues in c_rehash. (bsc#1200550) ----------------------------------------- Version Build5.8.263-4-Build5.8.263 2022-07-08T09:00:22 ----------------------------------------- Patch: SUSE-2022-2327 Released: Thu Jul 7 15:06:13 2022 Summary: Security update for curl Severity: important References: 1200735,1200737,CVE-2022-32206,CVE-2022-32208 Description: This update for curl fixes the following issues: - CVE-2022-32206: HTTP compression denial of service (bsc#1200735) - CVE-2022-32208: FTP-KRB bad message verification (bsc#1200737) ----------------------------------------- Patch: SUSE-2022-2328 Released: Thu Jul 7 15:07:35 2022 Summary: Security update for openssl-1_1 Severity: important References: 1201099,CVE-2022-2097 Description: This update for openssl-1_1 fixes the following issues: - CVE-2022-2097: Fixed partial missing encryption in AES OCB mode (bsc#1201099). ----------------------------------------- Version Build5.8.266-4-Build5.8.266 2022-07-13T09:00:21 ----------------------------------------- Patch: SUSE-2022-2361 Released: Tue Jul 12 12:05:01 2022 Summary: Security update for pcre Severity: important References: 1199232,CVE-2022-1586 Description: This update for pcre fixes the following issues: - CVE-2022-1586: Fixed unicode property matching issue. (bsc#1199232) ----------------------------------------- Version Build5.8.268-4-Build5.8.268 2022-07-16T09:00:23 ----------------------------------------- Patch: SUSE-2022-2405 Released: Fri Jul 15 11:47:57 2022 Summary: Security update for p11-kit Severity: moderate References: 1180065,CVE-2020-29362 Description: This update for p11-kit fixes the following issues: - CVE-2020-29362: Fixed a 4 byte overread in p11_rpc_buffer_get_byte_array which could lead to crashes (bsc#1180065) ----------------------------------------- Version Build5.8.272-4-Build5.8.272 2022-07-22T10:25:10 ----------------------------------------- Patch: SUSE-2022-2471 Released: Thu Jul 21 04:42:58 2022 Summary: Recommended update for systemd Severity: important References: 1148309,1191502,1195529,1200170 Description: This update for systemd fixes the following issues: - Allow control characters in environment variable values (bsc#1200170) - basic/env-util: Allow newlines in values of environment variables - man: tweak description of auto/noauto (bsc#1191502) - shared/install: avoid overwriting 'r' counter with a partial result (bsc#1148309) - shared/install: fix error codes returned by install_context_apply() - shared/install: ignore failures for auxiliary files - systemctl: suppress enable/disable messages when `-q` is given - test-env-util: Verify that \r is disallowed in env var values - test-env-util: print function headers - udev: 60-persistent-storage-tape.rules: handle duplicate device ID (bsc#1195529) ----------------------------------------- Version Build5.8.276-4-Build5.8.276 2022-07-29T09:00:23 ----------------------------------------- Patch: SUSE-2022-2572 Released: Thu Jul 28 04:22:33 2022 Summary: Recommended update for libzypp, zypper Severity: moderate References: 1194550,1197684,1199042 Description: This update for libzypp, zypper fixes the following issues: libzypp: - appdata plugin: Pass path to the repodata/ directory inside the cache (bsc#1197684) - zypp-rpm: flush rpm script output buffer before sending endOfScriptTag - PluginRepoverification: initial version hooked into repo::Downloader and repo refresh - Immediately start monitoring the download.transfer_timeout. Do not wait until the first data arrived (bsc#1199042) - singletrans: no dry-run commit if doing just download-only - Work around cases where sat repo.start points to an invalid solvable. May happen if (wrong arch) solvables were removed at the beginning of the repo. - Fix misplaced #endif SINGLE_RPMTRANS_AS_DEFAULT_FOR_ZYPPER zypper: - Basic JobReport for 'cmdout/monitor' - versioncmp: if verbose, also print the edition 'parts' which are compared - Make sure MediaAccess is closed on exception (bsc#1194550) - Display plus-content hint conditionally - Honor the NO_COLOR environment variable when auto-detecting whether to use color - Define table columns which should be sorted natural [case insensitive] - lr/ls: Use highlight color on name and alias as well ----------------------------------------- Version Build5.8.285-4-Build5.8.285 2022-08-10T15:34:36 ----------------------------------------- Patch: SUSE-2022-2717 Released: Tue Aug 9 12:54:16 2022 Summary: Security update for ncurses Severity: moderate References: 1198627,CVE-2022-29458 Description: This update for ncurses fixes the following issues: - CVE-2022-29458: Fixed segfaulting out-of-bounds read in convert_strings in tinfo/read_entry.c (bsc#1198627). ----------------------------------------- Version Build5.8.294-4-Build5.8.294 2022-08-25T09:00:28 ----------------------------------------- Patch: SUSE-2022-2882 Released: Wed Aug 24 10:34:31 2022 Summary: Security update for gnutls Severity: important References: 1202020,CVE-2022-2509 Description: This update for gnutls fixes the following issues: - CVE-2022-2509: Fixed a double free issue during PKCS7 verification (bsc#1202020). ----------------------------------------- Version Build5.8.296-4-Build5.8.296 2022-08-27T14:04:35 ----------------------------------------- Patch: SUSE-2022-2904 Released: Fri Aug 26 05:28:34 2022 Summary: Recommended update for openldap2 Severity: moderate References: 1198341 Description: This update for openldap2 fixes the following issues: - Prevent memory reuse which may lead to instability (bsc#1198341) ----------------------------------------- Version Build5.8.301-4-Build5.8.301 2022-08-31T09:00:25 ----------------------------------------- Patch: SUSE-2022-2944 Released: Wed Aug 31 05:39:14 2022 Summary: Recommended update for procps Severity: important References: 1181475 Description: This update for procps fixes the following issues: - Fix 'free' command reporting misleading 'used' value (bsc#1181475) ----------------------------------------- Version Build5.8.303-4-Build5.8.303 2022-09-01T09:00:24 ----------------------------------------- Patch: SUSE-2022-2947 Released: Wed Aug 31 09:16:21 2022 Summary: Security update for zlib Severity: important References: 1202175,CVE-2022-37434 Description: This update for zlib fixes the following issues: - CVE-2022-37434: Fixed heap-based buffer over-read or buffer overflow via large gzip header extra field (bsc#1202175). ----------------------------------------- Version Build5.8.304-4-Build5.8.304 2022-09-02T09:00:24 ----------------------------------------- Patch: SUSE-2022-2991 Released: Thu Sep 1 16:04:30 2022 Summary: Security update for libtirpc Severity: important References: 1198752,1200800,1201680,CVE-2021-46828 Description: This update for libtirpc fixes the following issues: - CVE-2021-46828: Fixed an uncontrolled file descriptor consumption, which could be exploited by remote attackers to prevent applications using the library from accepting new connections (bsc#1201680). Non-security fixes: - Exclude ipv6 addresses in client protocol version 2 code (bsc#1200800) - Fix memory leak in params.r_addr assignement (bsc#1198752) ----------------------------------------- Version Build5.8.308-4-Build5.8.308 2022-09-03T09:00:27 ----------------------------------------- Patch: SUSE-2022-2994 Released: Fri Sep 2 10:44:54 2022 Summary: Recommended update for lame, libass, libcdio-paranoia, libdc1394, libgsm, libva, libvdpau, libvorbis, libvpx, libwebp, openjpeg, opus, speex, twolame Severity: moderate References: 1198925 Description: This update for lame, libass, libcdio-paranoia, libdc1394, libgsm, libva, libvdpau, libvorbis, libvpx, libwebp, openjpeg, opus, speex, twolame adds some missing 32bit libraries to some products. (bsc#1198925) No codechanges were done in this update. ----------------------------------------- Patch: SUSE-2022-3004 Released: Fri Sep 2 15:02:14 2022 Summary: Security update for curl Severity: low References: 1202593,CVE-2022-35252 Description: This update for curl fixes the following issues: - CVE-2022-35252: Fixed a potential injection of control characters into cookies, which could be exploited by sister sites to cause a denial of service (bsc#1202593). ----------------------------------------- Version Build5.8.312-4-Build5.8.312 2022-09-07T14:06:53 ----------------------------------------- Patch: SUSE-2022-3129 Released: Wed Sep 7 04:42:53 2022 Summary: Recommended update for util-linux Severity: moderate References: 1197178,1198731,1200842 Description: This update for util-linux fixes the following issues: - su: Change owner and mode for pty (bsc#1200842) - agetty: Resolve tty name even if stdin is specified (bsc#1197178) - libmount: When moving a mount point, update all sub mount entries in utab (bsc#1198731) - mesg: use only stat() to get the current terminal status (bsc#1200842) ----------------------------------------- Version Build5.8.313-4-Build5.8.313 2022-09-08T09:01:55 ----------------------------------------- Patch: SUSE-2022-3144 Released: Wed Sep 7 11:04:23 2022 Summary: Security update for gpg2 Severity: important References: 1201225,CVE-2022-34903 Description: This update for gpg2 fixes the following issues: - CVE-2022-34903: Fixed a potential signature forgery via injection into the status line when certain unusual conditions are met (bsc#1201225). ----------------------------------------- Version Build5.8.314-4-Build5.8.314 2022-09-08T15:10:41 ----------------------------------------- Patch: SUSE-2022-3179 Released: Thu Sep 8 09:37:41 2022 Summary: Recommended update for golang-github-prometheus-node_exporter Severity: moderate References: 1196652 Description: This update for golang-github-prometheus-node_exporter fixes the following issues: - Exclude s390 arch. - Update spec file in order to make --version work (bsc#1196652) ----------------------------------------- Version Build5.8.316-4-Build5.8.316 2022-09-09T09:53:37 ----------------------------------------- Patch: SUSE-2022-3223 Released: Fri Sep 9 04:33:35 2022 Summary: Recommended update for libzypp, zypper Severity: moderate References: 1199895,1200993,1201092,1201576,1201638 Description: This update for libzypp, zypper fixes the following issues: libzypp: - Improve handling of package locks, allowing to reset the status of its initial state (bsc#1199895) - Fix issues when receiving exceptions from curl_easy_cleanup (bsc#1201092) - Don't auto-flag kernel-firmware as 'reboot-needed' (bsc#1200993) - Remove Medianetwork and its dependent code. First reason for this is that MediaNetwork was just meant as a way to test the new CURL based downloaded. Second the Provide API is going to completely replace the current media backend. zypper: - Truncate the 'Name' column when using `zypper lr`, if the table is wider than the terminal (bsc#1201638) - Reject install/remove modifier without argument (bsc#1201576) - zypper-download: Handle unresolvable arguments as errors - Put signing key supplying repository name in quotes ----------------------------------------- Version Build5.8.324-4-Build5.8.324 2022-09-14T10:42:25 ----------------------------------------- Patch: SUSE-2022-3262 Released: Tue Sep 13 15:34:29 2022 Summary: Recommended update for gcc11 Severity: moderate References: 1199140 Description: This update for gcc11 ships some missing 32bit libraries for s390x. (bsc#1199140) ----------------------------------------- Version Build5.8.326-4-Build5.8.326 2022-09-20T09:00:26 ----------------------------------------- Patch: SUSE-2022-3304 Released: Mon Sep 19 11:43:25 2022 Summary: Recommended update for libassuan Severity: moderate References: Description: This update for libassuan fixes the following issues: - Add a timeout for writing to a SOCKS5 proxy - Add workaround for a problem with LD_LIBRARY_PATH on newer systems - Fix issue in the logging code - Fix some build trivialities - Upgrade autoconf ----------------------------------------- Patch: SUSE-2022-3307 Released: Mon Sep 19 13:26:51 2022 Summary: Security update for sqlite3 Severity: moderate References: 1189802,1195773,1201783,CVE-2021-36690,CVE-2022-35737 Description: This update for sqlite3 fixes the following issues: - CVE-2022-35737: Fixed an array-bounds overflow if billions of bytes are used in a string argument to a C API (bnc#1201783). - CVE-2021-36690: Fixed an issue with the SQLite Expert extension when a column has no collating sequence (bsc#1189802). - Package the Tcl bindings here again so that we only ship one copy of SQLite (bsc#1195773). ----------------------------------------- Version Build5.8.330-4-Build5.8.330 2022-09-27T09:00:23 ----------------------------------------- Patch: SUSE-2022-3394 Released: Mon Sep 26 16:05:19 2022 Summary: Security update for permissions Severity: moderate References: 1203018,CVE-2022-31252 Description: This update for permissions fixes the following issues: - CVE-2022-31252: Fixed chkstat group controlled paths (bsc#1203018). ----------------------------------------- Version Build5.8.333-4-Build5.8.333 2022-10-08T09:40:01 ----------------------------------------- Patch: SUSE-2022-3549 Released: Fri Oct 7 14:39:40 2022 Summary: Security update for cyrus-sasl Severity: important References: 1159635,CVE-2019-19906 Description: This update for cyrus-sasl fixes the following issues: - CVE-2019-19906: Fixed an out-of-bounds write that could lead to unauthenticated remote denial of service in OpenLDAP via a malformed LDAP packet (bsc#1159635). ----------------------------------------- Version Build5.8.337-4-Build5.8.337 2022-10-12T09:00:23 ----------------------------------------- Patch: SUSE-2022-3565 Released: Tue Oct 11 16:17:38 2022 Summary: Recommended update for libzypp, zypper Severity: critical References: 1189282,1201972,1203649 Description: This update for libzypp, zypper fixes the following issues: libzypp: - Enable 'zck' support for SUSE Linux Enterprise 15 Service Pack 4 and newer (bsc#1189282) - Fix regression leading to `-allow-vendor-change` and `no-allow-vendor-change` options being ignored (bsc#1201972) - Remove migration code that is no longer needed (bsc#1203649) - Store logrotate files in vendor specif directory '/usr/etc/logrotate.d' if so defined zypper: - Fix contradiction in the man page: `--download-in-advance` option is the default behavior - Fix regression leading to `-allow-vendor-change` and `no-allow-vendor-change` options being ignored (bsc#1201972) - Fix tests to use locale 'C.UTF-8' rather than 'en_US' - Make sure 'up' respects solver related CLI options (bsc#1201972) - Remove unneeded code to compute the PPP status because it is now auto established - Store logrotate files in vendor specif directory '/usr/etc/logrotate.d' if so defined ----------------------------------------- Version Build5.8.342-4-Build5.8.342 2022-10-22T09:00:22 ----------------------------------------- Patch: SUSE-2022-3683 Released: Fri Oct 21 11:48:39 2022 Summary: Security update for libksba Severity: critical References: 1204357,CVE-2022-3515 Description: This update for libksba fixes the following issues: - CVE-2022-3515: Fixed a possible overflow in the TLV parser (bsc#1204357). ----------------------------------------- Patch: SUSE-2022-3689 Released: Fri Oct 21 14:19:56 2022 Summary: Feature update for rpm Severity: moderate References: Description: This feature update for rpm provides: - Support Ed25519 RPM signatures (jsc#SLE-24714, jsc#SLE-24715) ----------------------------------------- Version Build5.8.347-4-Build5.8.347 2022-10-27T09:00:26 ----------------------------------------- Patch: SUSE-2022-3745 Released: Wed Oct 26 10:37:11 2022 Summary: Security update for golang-github-prometheus-node_exporter Severity: moderate References: 1196338,CVE-2022-21698 Description: This update for golang-github-prometheus-node_exporter fixes the following issues: (bsc#1196338, jsc#SLE-24238, jsc#SLE-24239, jsc#SUMA-114, CVE-2022-21698) ----------------------------------------- Patch: SUSE-2022-3773 Released: Wed Oct 26 12:19:29 2022 Summary: Security update for curl Severity: important References: 1204383,CVE-2022-32221 Description: This update for curl fixes the following issues: - CVE-2022-32221: Fixed POST following PUT confusion (bsc#1204383). ----------------------------------------- Patch: SUSE-2022-3776 Released: Wed Oct 26 14:06:43 2022 Summary: Recommended update for permissions Severity: important References: 1203911,1204137 Description: This update for permissions fixes the following issues: - Revert changes that replaced ping capabilities with ICMP_PROTO sockets. Older SUSE Linux Enterprise versions don't properly support ICMP_PROTO sockets feature yet (bsc#1204137) - Fix regression introduced by backport of security fix (bsc#1203911) ----------------------------------------- Patch: SUSE-2022-3784 Released: Wed Oct 26 18:03:28 2022 Summary: Security update for libtasn1 Severity: critical References: 1204690,CVE-2021-46848 Description: This update for libtasn1 fixes the following issues: - CVE-2021-46848: Fixed off-by-one array size check that affects asn1_encode_simple_der (bsc#1204690) ----------------------------------------- Version Build5.8.354-4-Build5.8.354 2022-11-06T09:00:26 ----------------------------------------- Patch: SUSE-2022-3871 Released: Fri Nov 4 13:26:29 2022 Summary: Security update for libxml2 Severity: important References: 1201978,1204366,1204367,CVE-2016-3709,CVE-2022-40303,CVE-2022-40304 Description: This update for libxml2 fixes the following issues: - CVE-2016-3709: Fixed possible XSS vulnerability (bsc#1201978). - CVE-2022-40303: Fixed integer overflows with XML_PARSE_HUGE (bsc#1204366). - CVE-2022-40304: Fixed dict corruption caused by entity reference cycles (bsc#1204367). ----------------------------------------- Version Build5.8.358-4-Build5.8.358 2022-11-12T09:00:26 ----------------------------------------- Patch: SUSE-2022-3901 Released: Tue Nov 8 10:50:06 2022 Summary: Recommended update for openssl-1_1 Severity: moderate References: 1180995,1203046 Description: This update for openssl-1_1 fixes the following issues: - Default to RFC7919 groups when generating ECDH parameters using 'genpkey' or 'dhparam' in FIPS mode (bsc#1180995) - Fix memory leaks (bsc#1203046) ----------------------------------------- Patch: SUSE-2022-3905 Released: Tue Nov 8 12:23:17 2022 Summary: Recommended update for aaa_base Severity: important References: 1196840,1199492,1199918,1199926,1199927 Description: This update for aaa_base and iputils fixes the following issues: aaa_base: - Failures in ping for SUSE Linux Enterprise 15 and 15 SP1 due to sysctl setting for ping_group_range (bsc#1199926, bsc#1199927) - The wrapper rootsh is not a restricted shell (bsc#1199492) iputils: - Fix device binding on ping6 for ICMP datagram socket. (bsc#1196840, bsc#1199918, bsc#1199926, bsc#1199927) ----------------------------------------- Patch: SUSE-2022-3910 Released: Tue Nov 8 13:05:04 2022 Summary: Recommended update for pam Severity: moderate References: Description: This update for pam fixes the following issue: - Update pam_motd to the most current version. (PED-1712) ----------------------------------------- Patch: SUSE-2022-3922 Released: Wed Nov 9 09:03:33 2022 Summary: Security update for protobuf Severity: important References: 1194530,1203681,1204256,CVE-2021-22569,CVE-2022-1941,CVE-2022-3171 Description: This update for protobuf fixes the following issues: - CVE-2021-22569: Fixed Denial of Service in protobuf-java in the parsing procedure for binary data (bsc#1194530). - CVE-2022-1941: Fix a potential DoS issue in protobuf-cpp and protobuf-python (bsc#1203681) - CVE-2022-3171: Fix a potential DoS issue when parsing with binary data in protobuf-java (bsc#1204256) ----------------------------------------- Version Build5.8.360-4-Build5.8.360 2022-11-16T09:00:24 ----------------------------------------- Patch: SUSE-2022-3961 Released: Mon Nov 14 07:33:50 2022 Summary: Recommended update for zlib Severity: important References: 1203652 Description: This update for zlib fixes the following issues: - Fix updating strm.adler with inflate() if DFLTCC is used (bsc#1203652) ----------------------------------------- Patch: SUSE-2022-3975 Released: Mon Nov 14 15:41:13 2022 Summary: Recommended update for util-linux Severity: moderate References: 1201959 Description: This update for util-linux fixes the following issues: - libuuid improvements (bsc#1201959, PED-1150): libuuid: Fix range when parsing UUIDs. Improve cache handling for short running applications-increment the cache size over runtime. Implement continuous clock handling for time based UUIDs. Check clock value from clock file to provide seamless libuuid. ----------------------------------------- Version Build5.8.363-4-Build5.8.363 2022-11-22T09:00:23 ----------------------------------------- Patch: SUSE-2022-4155 Released: Mon Nov 21 14:36:17 2022 Summary: Security update for krb5 Severity: important References: 1205126,CVE-2022-42898 Description: This update for krb5 fixes the following issues: - CVE-2022-42898: Fixed integer overflow in PAC parsing (bsc#1205126). ----------------------------------------- Version Build5.8.369-4-Build5.8.369 2022-11-27T09:00:22 ----------------------------------------- Patch: SUSE-2022-4199 Released: Wed Nov 23 13:17:17 2022 Summary: Recommended update for rpm Severity: moderate References: 1202750 Description: This update for rpm fixes the following issues: - Strip critical bit in signature subpackage parsing - No longer deadlock DNF after pubkey import (bsc#1202750) ----------------------------------------- Version Build5.8.372-4-Build5.8.372 2022-11-30T11:16:41 ----------------------------------------- Patch: SUSE-2022-4256 Released: Mon Nov 28 12:36:32 2022 Summary: Recommended update for gcc12 Severity: moderate References: Description: This update for gcc12 fixes the following issues: This update ship the GCC 12 compiler suite and its base libraries. The compiler baselibraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 11 ones. The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP3 and SP4, and provided in the 'Development Tools' module. The Go, D and Ada language compiler parts are available unsupported via the PackageHub repositories. To use gcc12 compilers use: - install 'gcc12' or 'gcc12-c++' or one of the other 'gcc12-COMPILER' frontend packages. - override your Makefile to use CC=gcc12, CXX=g++12 and similar overrides for the other languages. For a full changelog with all new GCC12 features, check out https://gcc.gnu.org/gcc-12/changes.html ----------------------------------------- Version Build5.8.378-4-Build5.8.378 2022-12-09T09:00:23 ----------------------------------------- Patch: SUSE-2022-4388 Released: Fri Dec 9 04:07:21 2022 Summary: Recommended update for gnutls Severity: moderate References: 1204511 Description: This update for gnutls fixes the following issues: - Fix potential to free an invalid pointer (bsc#1204511) ----------------------------------------- Version Build5.8.394-4-Build5.8.394 2022-12-30T09:00:23 ----------------------------------------- Patch: SUSE-2022-4628 Released: Wed Dec 28 09:23:13 2022 Summary: Security update for sqlite3 Severity: moderate References: 1206337,CVE-2022-46908 Description: This update for sqlite3 fixes the following issues: - CVE-2022-46908: Properly implement the azProhibitedFunctions protection mechanism, when relying on --safe for execution of an untrusted CLI script (bsc#1206337). ----------------------------------------- Patch: SUSE-2022-4633 Released: Wed Dec 28 09:32:15 2022 Summary: Security update for curl Severity: moderate References: 1206309,CVE-2022-43552 Description: This update for curl fixes the following issues: - CVE-2022-43552: HTTP Proxy deny use-after-free (bsc#1206309). ----------------------------------------- Version Build5.8.401-4-Build5.8.401 2023-01-11T09:00:27 ----------------------------------------- Patch: SUSE-2023-56 Released: Mon Jan 9 11:13:43 2023 Summary: Security update for libksba Severity: moderate References: 1206579,CVE-2022-47629 Description: This update for libksba fixes the following issues: - CVE-2022-47629: Fixed an integer overflow vulnerability in the CRL signature parser (bsc#1206579). ----------------------------------------- Version Build5.8.409-4-Build5.8.409 2023-01-27T09:00:25 ----------------------------------------- Patch: SUSE-2023-174 Released: Thu Jan 26 20:52:38 2023 Summary: Security update for glib2 Severity: low References: 1183533,CVE-2021-28153 Description: This update for glib2 fixes the following issues: - CVE-2021-28153: Fixed an issue where symlink targets would be incorrectly created as empty files (bsc#1183533). ----------------------------------------- Patch: SUSE-2023-176 Released: Thu Jan 26 20:56:20 2023 Summary: Recommended update for permissions Severity: moderate References: 1206738 Description: This update for permissions fixes the following issues: Update to version 20181225: * Backport postfix permissions to SLE 15 SP2 (bsc#1206738) ----------------------------------------- Patch: SUSE-2023-181 Released: Thu Jan 26 21:55:43 2023 Summary: Recommended update for procps Severity: low References: 1206412 Description: This update for procps fixes the following issues: - Improve memory handling/usage (bsc#1206412) - Make sure that correct library version is installed (bsc#1206412) ----------------------------------------- Version Build5.8.410-4-Build5.8.410 2023-01-30T09:00:25 ----------------------------------------- Patch: SUSE-2023-188 Released: Fri Jan 27 12:07:19 2023 Summary: Recommended update for zlib Severity: important References: 1203652 Description: This update for zlib fixes the following issues: - Follow up fix for bug bsc#1203652 due to libxml2 issues ----------------------------------------- Version Build5.8.413-4-Build5.8.413 2023-02-08T09:00:25 ----------------------------------------- Patch: SUSE-2023-310 Released: Tue Feb 7 17:35:34 2023 Summary: Security update for openssl-1_1 Severity: important References: 1121365,1198472,1207533,1207534,1207536,1207538,CVE-2022-4304,CVE-2022-4450,CVE-2023-0215,CVE-2023-0286 Description: This update for openssl-1_1 fixes the following issues: - CVE-2023-0286: Fixed X.400 address type confusion in X.509 GENERAL_NAME_cmp for x400Address (bsc#1207533). - CVE-2023-0215: Fixed use-after-free following BIO_new_NDEF() (bsc#1207536). - CVE-2022-4450: Fixed double free after calling PEM_read_bio_ex() (bsc#1207538). - CVE-2022-4304: Fixed timing Oracle in RSA Decryption (bsc#1207534). - FIPS: list only FIPS approved public key algorithms (bsc#1121365, bsc#1198472) ----------------------------------------- Version Build5.8.416-4-Build5.8.416 2023-02-18T09:00:24 ----------------------------------------- Patch: SUSE-2023-446 Released: Fri Feb 17 09:52:43 2023 Summary: Recommended update for util-linux Severity: moderate References: 1194038,1205646 Description: This update for util-linux fixes the following issues: - Fix tests not passing when '@' character is in build path: Fixes rpmbuild %checks fail when @ in the directory path (bsc#1194038). - libuuid continuous clock handling for time based UUIDs: Prevent use of the new libuuid ABI by uuidd %post before update of libuuid1 (bsc#1205646). ----------------------------------------- Version Build5.8.423-4-Build5.8.423 2023-03-04T09:00:22 ----------------------------------------- Patch: SUSE-2023-610 Released: Fri Mar 3 12:06:49 2023 Summary: Security update for gnutls Severity: moderate References: 1208143,CVE-2023-0361 Description: This update for gnutls fixes the following issues: - CVE-2023-0361: Fixed a Bleichenbacher oracle in the TLS RSA key exchange (bsc#1208143). ----------------------------------------- Version Build5.8.426-4-Build5.8.426 2023-03-09T09:00:22 ----------------------------------------- Patch: SUSE-2023-676 Released: Wed Mar 8 14:33:23 2023 Summary: Recommended update for libxml2 Severity: moderate References: 1204585 Description: This update for libxml2 fixes the following issues: - Add W3C conformance tests to the testsuite (bsc#1204585): * Added file xmlts20080827.tar.gz ----------------------------------------- Version Build5.8.430-4-Build5.8.430 2023-03-17T09:00:26 ----------------------------------------- Patch: SUSE-2023-776 Released: Thu Mar 16 17:29:23 2023 Summary: Recommended update for gcc12 Severity: moderate References: Description: This update for gcc12 fixes the following issues: This update ships gcc12 also to the SUSE Linux Enterprise 15 SP1 LTSS and 15 SP2 LTSS products. SUSE Linux Enterprise 15 SP3 and SP4 get only refreshed builds without changes This update ship the GCC 12 compiler suite and its base libraries. The compiler baselibraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 11 ones. The new compilers for C, C++, and Fortran are provided in the SUSE Linux Enterprise Module for Development Tools. To use gcc12 compilers use: - install 'gcc12' or 'gcc12-c++' or one of the other 'gcc12-COMPILER' frontend packages. - override your makefile to use CC=gcc12, CXX=g++12 and similar overrides for the other languages. For a full changelog with all new GCC12 features, check out https://gcc.gnu.org/gcc-12/changes.html ----------------------------------------- Patch: SUSE-2023-786 Released: Thu Mar 16 19:36:09 2023 Summary: Recommended update for libsolv, libzypp, zypper Severity: important References: 1178233,1203248,1203249,1203715,1204548,1204956,1205570,1205636,1206949 Description: This update for libsolv, libzypp, zypper fixes the following issues: libsolv: - Do not autouninstall SUSE PTF packages - Ensure 'duplinvolvedmap_all' is reset when a solver is reused - Fix 'keep installed' jobs not disabling 'best update' rules - New '-P' and '-W' options for `testsolv` - New introspection interface for weak dependencies similar to ruleinfos - Ensure special case file dependencies are written correctly in the testcase writer - Support better info about alternatives - Support decision reason queries - Support merging of related decisions - Support stringification of multiple solvables - Support stringification of ruleinfo, decisioninfo and decision reasons libzypp: - Avoid calling getsockopt when we know the info already. This patch should fix logging on WSL, getsockopt seems to not be fully supported but the code required it when accepting new socket connections (bsc#1178233) - Avoid redirecting 'history.logfile=/dev/null' into the target - Create '.no_auto_prune' in the package cache dir to prevent auto cleanup of orphaned repositories (bsc#1204956) - Enhance yaml-cpp detection - Improve download of optional files - MultiCurl: Make sure to reset the progress function when falling back. - Properly reset range requests (bsc#1204548) - Removing a PTF without enabled repos should always fail (bsc#1203248) Without enabled repos, the dependent PTF-packages would be removed (not replaced!) as well. To remove a PTF `zypper install -- -PTF` or a dedicated `zypper removeptf PTF` should be used. This will update the installed PTF packages to theit latest version. - Skip media.1/media download for http repo status calc. This patch allows zypp to skip a extra media.1/media download to calculate if a repository needs to be refreshed. This optimisation only takes place if the repo does specify only downloading base urls. - Use a dynamic fallback for BLKSIZE in downloads. When not receiving a blocklist via metalink file from the server MediaMultiCurl used to fallback to a fixed, relatively small BLKSIZE. This patch changes the fallback into a dynamic value based on the filesize using a similar metric as the MirrorCache implementation on the server side. - ProgressData: enforce reporting the INIT||END state (bsc#1206949) - ps: fix service detection on newer Tumbleweed systems (bsc#1205636) zypper: - Allow to (re)add a service with the same URL (bsc#1203715) - Bump dependency requirement to libzypp-devel 17.31.7 or greater - Explain outdatedness of repositories - patterns: Avoid dispylaing superfluous @System entries (bsc#1205570) - Provide `removeptf` command (bsc#1203249) A remove command which prefers replacing dependant packages to removing them as well. A PTF is typically removed as soon as the fix it provides is applied to the latest official update of the dependant packages. However it is not desired for the dependant packages to be removed together with the PTF, which is what the remove command would do. The `removeptf` command however will aim to replace the dependant packages by their official update versions. - Update man page and explain '.no_auto_prune' (bsc#1204956) ----------------------------------------- Patch: SUSE-2023-791 Released: Fri Mar 17 05:20:45 2023 Summary: Optional update for golang-github-prometheus-node_exporter Severity: moderate References: Description: This update for golang-github-prometheus-node_exporter fixes the following issues: - Move package for SUSE Linux Enterprise Micro to the correct codestream - No source changes ----------------------------------------- Version Build5.8.434-4-Build5.8.434 2023-04-01T09:00:26 ----------------------------------------- Patch: SUSE-2023-1711 Released: Fri Mar 31 13:33:04 2023 Summary: Security update for curl Severity: moderate References: 1207992,1209209,1209210,1209211,1209212,1209214,CVE-2023-23916,CVE-2023-27533,CVE-2023-27534,CVE-2023-27535,CVE-2023-27536,CVE-2023-27538 Description: This update for curl fixes the following issues: - CVE-2023-27533: Fixed TELNET option IAC injection (bsc#1209209). - CVE-2023-27534: Fixed SFTP path ~ resolving discrepancy (bsc#1209210). - CVE-2023-27535: Fixed FTP too eager connection reuse (bsc#1209211). - CVE-2023-27536: Fixed GSS delegation too eager connection reuse (bsc#1209212). - CVE-2023-27538: Fixed SSH connection too eager reuse still (bsc#1209214). - CVE-2023-23916: Fixed HTTP multi-header compression denial of service (bsc#1207992). ----------------------------------------- Version Build5.8.437-4-Build5.8.437 2023-04-08T09:00:22 ----------------------------------------- Patch: SUSE-2023-1790 Released: Thu Apr 6 15:36:15 2023 Summary: Security update for openssl-1_1 Severity: moderate References: 1209624,1209873,1209878,CVE-2023-0464,CVE-2023-0465,CVE-2023-0466 Description: This update for openssl-1_1 fixes the following issues: - CVE-2023-0464: Fixed excessive Resource Usage Verifying X.509 Policy Constraints (bsc#1209624). - CVE-2023-0465: Invalid certificate policies in leaf certificates were silently ignored (bsc#1209878). - CVE-2023-0466: Certificate policy check were not enabled (bsc#1209873). ----------------------------------------- Version Build5.8.446-4-Build5.8.446 2023-04-27T09:00:24 ----------------------------------------- Patch: SUSE-2023-2048 Released: Wed Apr 26 21:05:45 2023 Summary: Security update for libxml2 Severity: important References: 1065270,1199132,1204585,1210411,1210412,CVE-2021-3541,CVE-2022-29824,CVE-2023-28484,CVE-2023-29469 Description: This update for libxml2 fixes the following issues: - CVE-2023-29469: Fixed inconsistent result when hashing empty strings (bsc#1210412). - CVE-2023-28484: Fixed NULL pointer dereference in xmlSchemaFixupComplexType (bsc#1210411). - CVE-2022-29824: Fixed integer overflow leading to out-of-bounds write in buf.c (bsc#1199132). The following non-security bugs were fixed: - Added W3C conformance tests to the testsuite (bsc#1204585). - Fixed NULL pointer dereference when parsing invalid data (glgo#libxml2!15) (bsc#1065270) . ----------------------------------------- Version Build5.8.447-4-Build5.8.447 2023-04-29T09:00:24 ----------------------------------------- Patch: SUSE-2023-2068 Released: Fri Apr 28 13:55:00 2023 Summary: Security update for shadow Severity: moderate References: 1210507,CVE-2023-29383 Description: This update for shadow fixes the following issues: - CVE-2023-29383: Fixed apparent /etc/shadow manipulation via chfn (bsc#1210507). ----------------------------------------- Patch: SUSE-2023-2074 Released: Fri Apr 28 17:02:25 2023 Summary: Security update for zstd Severity: moderate References: 1209533,CVE-2022-4899 Description: This update for zstd fixes the following issues: - CVE-2022-4899: Fixed buffer overrun in util.c (bsc#1209533). ----------------------------------------- Patch: SUSE-2023-2076 Released: Fri Apr 28 17:35:05 2023 Summary: Security update for glib2 Severity: moderate References: 1209713,1209714,1210135,CVE-2023-24593,CVE-2023-25180 Description: This update for glib2 fixes the following issues: - CVE-2023-24593: Fixed a denial of service caused by handling a malicious text-form variant (bsc#1209714). - CVE-2023-25180: Fixed a denial of service caused by malicious serialised variant (bsc#1209713). The following non-security bug was fixed: - Fixed regression on s390x (bsc#1210135, glgo#GNOME/glib!2978). ----------------------------------------- Version Build5.8.449-4-Build5.8.449 2023-05-05T09:00:25 ----------------------------------------- Patch: SUSE-2023-2104 Released: Thu May 4 21:05:30 2023 Summary: Recommended update for procps Severity: moderate References: 1209122 Description: This update for procps fixes the following issue: - Allow - as leading character to ignore possible errors on systctl entries (bsc#1209122) ----------------------------------------- Version Build5.8.450-4-Build5.8.450 2023-05-06T09:00:26 ----------------------------------------- Patch: SUSE-2023-2111 Released: Fri May 5 14:34:00 2023 Summary: Security update for ncurses Severity: moderate References: 1210434,CVE-2023-29491 Description: This update for ncurses fixes the following issues: - CVE-2023-29491: Fixed memory corruption issues when processing malformed terminfo data (bsc#1210434). ----------------------------------------- Version Build5.8.452-4-Build5.8.452 2023-05-09T18:05:26 ----------------------------------------- Patch: SUSE-2023-2133 Released: Tue May 9 13:37:10 2023 Summary: Recommended update for zlib Severity: moderate References: 1206513 Description: This update for zlib fixes the following issues: - Add DFLTCC support for using inflate() with a small window (bsc#1206513) ----------------------------------------- Version Build5.8.454-4-Build5.8.454 2023-05-12T09:00:26 ----------------------------------------- Patch: SUSE-2023-2187 Released: Thu May 11 18:59:16 2023 Summary: Security update for Prometheus Golang clients Severity: moderate References: 1197284,1203185,1208051,1208064,CVE-2022-27191,CVE-2022-27664,CVE-2022-46146 Description: This update for golang-github-prometheus-alertmanager and golang-github-prometheus-node_exporter fixes the following issues: golang-github-prometheus-alertmanager: - Security issues fixed: * CVE-2022-46146: Fix authentication bypass via cache poisoning (bsc#1208051) golang-github-prometheus-node_exporter: - Security issues fixed in this version update to version 1.5.0 (jsc#PED-3578): * CVE-2022-27191: Update go/x/crypto (bsc#1197284) * CVE-2022-27664: Update go/x/net (bsc#1203185) * CVE-2022-46146: Update exporter-toolkit (bsc#1208064) - Other non-security bug fixes and changes in this version update to 1.5.0 (jsc#PED-3578): * NOTE: This changes the Go runtime 'GOMAXPROCS' to 1. This is done to limit the concurrency of the exporter to 1 CPU thread at a time in order to avoid a race condition problem in the Linux kernel and parallel IO issues on nodes with high numbers of CPUs/CPU threads. * [BUGFIX] Fix hwmon label sanitizer * [BUGFIX] Use native endianness when encoding InetDiagMsg * [BUGFIX] Fix btrfs device stats always being zero * [BUGFIX] Fix diskstats exclude flags * [BUGFIX] [node-mixin] Fix fsSpaceAvailableCriticalThreshold and fsSpaceAvailableWarning * [BUGFIX] Fix concurrency issue in ethtool collector * [BUGFIX] Fix concurrency issue in netdev collector * [BUGFIX] Fix diskstat reads and write metrics for disks with different sector sizes * [BUGFIX] Fix iostat on macos broken by deprecation warning * [BUGFIX] Fix NodeFileDescriptorLimit alerts * [BUGFIX] Sanitize rapl zone names * [BUGFIX] Add file descriptor close safely in test * [BUGFIX] Fix race condition in os_release.go * [BUGFIX] Skip ZFS IO metrics if their paths are missing * [BUGFIX] Handle nil CPU thermal power status on M1 * [BUGFIX] bsd: Ignore filesystems flagged as MNT_IGNORE * [BUGFIX] Sanitize UTF-8 in dmi collector * [CHANGE] Merge metrics descriptions in textfile collector * [FEATURE] Add multiple listeners and systemd socket listener activation * [FEATURE] [node-mixin] Add darwin dashboard to mixin * [FEATURE] Add 'isolated' metric on cpu collector on linux * [FEATURE] Add cgroup summary collector * [FEATURE] Add selinux collector * [FEATURE] Add slab info collector * [FEATURE] Add sysctl collector * [FEATURE] Also track the CPU Spin time for OpenBSD systems * [FEATURE] Add support for MacOS version * [ENHANCEMENT] Add RTNL version of netclass collector * [ENHANCEMENT] [node-mixin] Add missing selectors * [ENHANCEMENT] [node-mixin] Change current datasource to grafana's default * [ENHANCEMENT] [node-mixin] Change disk graph to disk table * [ENHANCEMENT] [node-mixin] Change io time units to %util * [ENHANCEMENT] Ad user_wired_bytes and laundry_bytes on *bsd * [ENHANCEMENT] Add additional vm_stat memory metrics for darwin * [ENHANCEMENT] Add device filter flags to arp collector * [ENHANCEMENT] Add diskstats include and exclude device flags * [ENHANCEMENT] Add node_softirqs_total metric * [ENHANCEMENT] Add rapl zone name label option * [ENHANCEMENT] Add slabinfo collector * [ENHANCEMENT] Allow user to select port on NTP server to query * [ENHANCEMENT] collector/diskstats: Add labels and metrics from udev * [ENHANCEMENT] Enable builds against older macOS SDK * [ENHANCEMENT] qdisk-linux: Add exclude and include flags for interface name * [ENHANCEMENT] systemd: Expose systemd minor version * [ENHANCEMENT] Use netlink for tcpstat collector * [ENHANCEMENT] Use netlink to get netdev stats * [ENHANCEMENT] Add additional perf counters for stalled frontend/backend cycles * [ENHANCEMENT] Add btrfs device error stats - Change build requirement to go1.18 or higher (previously this was fixed to version 1.14) ----------------------------------------- Version Build5.8.457-4-Build5.8.457 2023-05-18T09:00:25 ----------------------------------------- Patch: SUSE-2023-2227 Released: Wed May 17 09:57:41 2023 Summary: Security update for curl Severity: important References: 1211231,1211232,1211233,1211339,CVE-2023-28320,CVE-2023-28321,CVE-2023-28322 Description: This update for curl fixes the following issues: - CVE-2023-28320: Fixed siglongjmp race condition (bsc#1211231). - CVE-2023-28321: Fixed IDN wildcard matching (bsc#1211232). - CVE-2023-28322: Fixed POST-after-PUT confusion (bsc#1211233). ----------------------------------------- Version Build5.8.458-4-Build5.8.458 2023-05-19T09:00:25 ----------------------------------------- Patch: SUSE-2023-2247 Released: Thu May 18 17:04:38 2023 Summary: Recommended update for libzypp, zypper Severity: moderate References: 1127591,1195633,1208329,1209406,1210870 Description: This update for libzypp, zypper fixes the following issues: - Installing local RPM packages fails if /usr/bin/find is not installed (bsc#1195633) - multicurl: propagate ssl settings stored in repo url (bsc#1127591) - MediaCurl: Fix endless loop if wrong credentials are stored in credentials.cat (bsc#1210870) - zypp.conf: Introduce 'download.connect_timeout' [60 sec.] (bsc#1208329) - Teach MediaNetwork to retry on HTTP2 errors. - Fix selecting installed patterns from picklist (bsc#1209406) - man: better explanation of --priority ----------------------------------------- Version Build5.8.461-4-Build5.8.461 2023-06-01T11:02:16 ----------------------------------------- Patch: SUSE-2023-2333 Released: Wed May 31 09:01:28 2023 Summary: Recommended update for zlib Severity: moderate References: 1210593 Description: This update for zlib fixes the following issue: - Fix function calling order to avoid crashes (bsc#1210593) ----------------------------------------- Version Build5.8.462-4-Build5.8.462 2023-06-02T09:00:27 ----------------------------------------- Patch: SUSE-2023-2343 Released: Thu Jun 1 11:35:28 2023 Summary: Security update for openssl-1_1 Severity: important References: 1211430,CVE-2023-2650 Description: This update for openssl-1_1 fixes the following issues: - CVE-2023-2650: Fixed possible denial of service translating ASN.1 object identifiers (bsc#1211430). ----------------------------------------- Version Build5.8.464-4-Build5.8.464 2023-06-12T14:56:54 ----------------------------------------- Patch: SUSE-2023-2484 Released: Mon Jun 12 08:49:58 2023 Summary: Security update for openldap2 Severity: moderate References: 1211795,CVE-2023-2953 Description: This update for openldap2 fixes the following issues: - CVE-2023-2953: Fixed null pointer deref in ber_memalloc_x (bsc#1211795). ----------------------------------------- Version Build5.8.465-4-Build5.8.465 2023-06-14T09:23:29 ----------------------------------------- Patch: SUSE-2023-2497 Released: Tue Jun 13 15:37:25 2023 Summary: Recommended update for libzypp Severity: important References: 1211661,1212187 Description: This update for libzypp fixes the following issues: - Fix 'Curl error 92' when synchronizing SUSE Manager repositories. [bsc#1212187] - Do not unconditionally release a medium if provideFile failed. [bsc#1211661] ----------------------------------------- Version Build5.8.468-4-Build5.8.468 2023-06-24T09:00:25 ----------------------------------------- Patch: SUSE-2023-2625 Released: Fri Jun 23 17:16:11 2023 Summary: Recommended update for gcc12 Severity: moderate References: Description: This update for gcc12 fixes the following issues: - Update to GCC 12.3 release, 0c61aa720e62f1baf0bfd178e283, git1204 * includes regression and other bug fixes - Speed up builds with --enable-link-serialization. - Update embedded newlib to version 4.2.0 ----------------------------------------- Version Build5.8.470-4-Build5.8.470 2023-07-01T09:00:24 ----------------------------------------- Patch: SUSE-2023-2742 Released: Fri Jun 30 11:40:56 2023 Summary: Recommended update for autoyast2, libzypp, yast2-pkg-bindings, yast2-update, zypper Severity: moderate References: 1202234,1209565,1211261,1212187,1212222 Description: This update for yast2-pkg-bindings fixes the following issues: libzypp was updated to version 17.31.14 (22): - Curl: trim all custom headers (bsc#1212187) HTTP/2 RFC 9113 forbids fields ending with a space. So we make sure all custom headers are trimmed. This also includes headers returned by URL-Resolver plugins. - build: honor libproxy.pc's includedir (bsc#1212222) zypper was updated to version 1.14.61: - targetos: Add an error note if XPath:/product/register/target is not defined in /etc/products.d/baseproduct (bsc#1211261) - targetos: Update help and man page (bsc#1211261) yast2-pkg-bindings, autoyast: - Added a new option for rebuilding the RPM database (--rebuilddb) (bsc#1209565) - Selected products are not installed after resetting the package manager internally (bsc#1202234) yast2-update: - Rebuild the RPM database during upgrade (--rebuilddb) (bsc#1209565) ----------------------------------------- Version Build5.8.474-4-Build5.8.474 2023-07-18T09:00:24 ----------------------------------------- Patch: SUSE-2023-2855 Released: Mon Jul 17 16:35:21 2023 Summary: Recommended update for openldap2 Severity: moderate References: 1212260 Description: This update for openldap2 fixes the following issues: - libldap2 crashes on ldap_sasl_bind_s (bsc#1212260) ----------------------------------------- Version Build5.8.477-4-Build5.8.477 2023-07-21T09:26:56 ----------------------------------------- Patch: SUSE-2023-2918 Released: Thu Jul 20 12:00:17 2023 Summary: Recommended update for gpgme Severity: moderate References: 1089497 Description: This update for gpgme fixes the following issues: gpgme: - Address failure handling issues when using gpg 2.2.6 via gpgme, as used by libzypp (bsc#1089497) libassuan: - Version upgrade to 2.5.5 in LTSS to address gpgme new requirements ----------------------------------------- Version Build5.8.481-4-Build5.8.481 2023-07-25T09:00:25 ----------------------------------------- Patch: SUSE-2023-2955 Released: Tue Jul 25 05:22:54 2023 Summary: Recommended update for util-linux Severity: moderate References: 1193015 Description: This update for util-linux fixes the following issues: - Fix memory leak on parse errors in libmount. (bsc#1193015) ----------------------------------------- Version Build5.8.482-4-Build5.8.482 2023-07-25T17:24:34 ----------------------------------------- Patch: SUSE-2023-2956 Released: Tue Jul 25 08:33:38 2023 Summary: Security update for libcap Severity: moderate References: 1211419,CVE-2023-2603 Description: This update for libcap fixes the following issues: - CVE-2023-2603: Fixed an integer overflow or wraparound in libcap/cap_alloc.c:_libcap_strdup() (bsc#1211419). ----------------------------------------- Version Build5.8.486-4-Build5.8.486 2023-08-04T09:00:25 ----------------------------------------- Patch: SUSE-2023-3179 Released: Thu Aug 3 13:59:38 2023 Summary: Security update for openssl-1_1 Severity: moderate References: 1201627,1207534,1213487,CVE-2022-4304,CVE-2023-3446 Description: This update for openssl-1_1 fixes the following issues: - CVE-2022-4304: Reworked the fix for the Timing-Oracle in RSA decryption. The previous fix for this timing side channel turned out to cause a severe 2-3x performance regression in the typical use case (bsc#1207534). - CVE-2023-3446: Fixed DH_check() excessive time with over sized modulus (bsc#1213487). - Update further expiring certificates that affect tests [bsc#1201627] ----------------------------------------- Version Build5.8.490-4-Build5.8.490 2023-08-12T09:00:25 ----------------------------------------- Patch: SUSE-2023-3291 Released: Fri Aug 11 12:51:21 2023 Summary: Security update for openssl-1_1 Severity: moderate References: 1213517,1213853,CVE-2023-3817 Description: This update for openssl-1_1 fixes the following issues: - CVE-2023-3817: Fixed a potential DoS due to excessive time spent checking DH q parameter value. (bsc#1213853) ----------------------------------------- Version Build5.8.495-4-Build5.8.495 2023-08-26T09:03:40 ----------------------------------------- Patch: SUSE-2023-3434 Released: Thu Aug 24 15:05:22 2023 Summary: Security update for krb5 Severity: important References: 1214054,CVE-2023-36054 Description: This update for krb5 fixes the following issues: - CVE-2023-36054: Fixed a DoS that could be triggered by an authenticated remote user. (bsc#1214054) ----------------------------------------- Version Build5.8.501-4-Build5.8.501 2023-08-30T09:00:25 ----------------------------------------- Patch: SUSE-2023-3472 Released: Tue Aug 29 10:55:16 2023 Summary: Security update for procps Severity: low References: 1214290,CVE-2023-4016 Description: This update for procps fixes the following issues: - CVE-2023-4016: Fixed ps buffer overflow (bsc#1214290). ----------------------------------------- Version Build5.8.503-4-Build5.8.503 2023-09-02T09:00:26 ----------------------------------------- Patch: SUSE-2023-3515 Released: Fri Sep 1 15:54:25 2023 Summary: Recommended update for libzypp, zypper Severity: moderate References: 1158763,1210740,1213231,1213557,1213673 Description: This update for libzypp, zypper fixes the following issues: - Fix occasional isue with downloading very small files (bsc#1213673) - Fix negative ZYPP_LOCK_TIMEOUT not waiting forever (bsc#1213231) - Fix OES synchronization issues when cookie file has mode 0600 (bsc#1158763) - Don't cleanup orphaned dirs if read-only mode was promised (bsc#1210740) - Revised explanation of --force-resolution in man page (bsc#1213557) - Print summary hint if policies were violated due to --force-resolution (bsc#1213557) ----------------------------------------- Version Build5.8.509-4-Build5.8.509 2023-09-19T09:00:32 ----------------------------------------- Patch: SUSE-2023-3661 Released: Mon Sep 18 21:44:09 2023 Summary: Security update for gcc12 Severity: important References: 1214052,CVE-2023-4039 Description: This update for gcc12 fixes the following issues: - CVE-2023-4039: Fixed incorrect stack protector for C99 VLAs on Aarch64 (bsc#1214052). ----------------------------------------- Version Build5.8.512-4-Build5.8.512 2023-09-20T13:31:18 ----------------------------------------- Patch: SUSE-2023-3698 Released: Wed Sep 20 11:01:15 2023 Summary: Security update for libxml2 Severity: important References: 1214768,CVE-2023-39615 Description: This update for libxml2 fixes the following issues: - CVE-2023-39615: Fixed crafted xml can cause global buffer overflow (bsc#1214768). ----------------------------------------- Version Build5.8.518-4-Build5.8.518 2023-09-29T09:37:35 ----------------------------------------- Patch: SUSE-2023-3888 Released: Thu Sep 28 16:12:29 2023 Summary: Security update for Golang Prometheus Severity: important References: 1213880,CVE-2023-29409 Description: This update for Golang Prometheus fixes the following issues: golang-github-prometheus-alertmanager: - CVE-2023-29409: Restrict RSA keys in certificates to less than or equal to 8192 bits to avoid DoSing client/server while validating signatures for extremely large RSA keys. (bsc#1213880) There are no direct source changes. The CVE is fixed rebuilding the sources with the patched Go version. golang-github-prometheus-node_exporter: - CVE-2023-29409: Restrict RSA keys in certificates to less than or equal to 8192 bits to avoid DoSing client/server while validating signatures for extremely large RSA keys. (bsc#1213880) There are no direct source changes. The CVE is fixed rebuilding the sources with the patched Go version. ----------------------------------------- Version Build5.8.521-4-Build5.8.521 2023-10-10T09:00:31 ----------------------------------------- Patch: SUSE-2023-4006 Released: Mon Oct 9 08:35:50 2023 Summary: Recommended update for zypper Severity: moderate References: 1213854,1214292,1214395,1215007 Description: This update for zypper fixes the following issues: - Fix name of the bash completion script (bsc#1215007) - Update notes about failing signature checks (bsc#1214395) - Improve the SIGINT handler to be signal safe (bsc#1214292) - Update to version 1.14.64 - Changed location of bash completion script (bsc#1213854). ----------------------------------------- Version Build5.8.522-4-Build5.8.522 2023-10-11T13:41:56 ----------------------------------------- Patch: SUSE-2023-4025 Released: Tue Oct 10 13:41:02 2023 Summary: Security update for shadow Severity: low References: 1214806,CVE-2023-4641 Description: This update for shadow fixes the following issues: - CVE-2023-4641: Fixed potential password leak (bsc#1214806). ----------------------------------------- Version Build5.8.523-4-Build5.8.523 2023-10-11T18:02:38 ----------------------------------------- Patch: SUSE-2023-4045 Released: Wed Oct 11 09:10:43 2023 Summary: Security update for curl Severity: moderate References: 1215889,CVE-2023-38546 Description: This update for curl fixes the following issues: - CVE-2023-38546: Fixed a cookie injection with none file (bsc#1215889). ----------------------------------------- Patch: SUSE-2023-4047 Released: Wed Oct 11 10:40:26 2023 Summary: Security update for glibc Severity: moderate References: 1215286,1215505,CVE-2023-4813 Description: This update for glibc fixes the following issues: Security issue fixed: - CVE-2023-4813: Fixed a potential use-after-free in gaih_inet() (bsc#1215286, BZ #28931) Other changes: - Added GB18030-2022 charmap (jsc#PED-4908, BZ #30243) - Run vismain only if linker supports protected data symbol (bsc#1215505) ----------------------------------------- Version Build5.8.529-4-Build5.8.529 2023-10-24T09:00:14 ----------------------------------------- Patch: SUSE-2023-4162 Released: Mon Oct 23 15:33:03 2023 Summary: Security update for gcc13 Severity: important References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,CVE-2023-4039 Description: This update for gcc13 fixes the following issues: This update ship the GCC 13.2 compiler suite and its base libraries. The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones. The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module. The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories. To use gcc13 compilers use: - install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages. - override your Makefile to use CC=gcc13, CXX=g++13 and similar overrides for the other languages. For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html Detailed changes: * CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052) - Turn cross compiler to s390x to a glibc cross. [bsc#1214460] - Also handle -static-pie in the default-PIE specs - Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101] - Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427] - Add new x86-related intrinsics (amxcomplexintrin.h). - RISC-V: Add support for inlining subword atomic operations - Use --enable-link-serialization rather that --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver. - Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC. - Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing. - Bump included newlib to version 4.3.0. - Also package libhwasan_preinit.o on aarch64. - Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite. - Package libhwasan_preinit.o on x86_64. - Fixed unwinding on aarch64 with pointer signing. [bsc#1206684] - Enable PRU flavour for gcc13 - update floatn fixinclude pickup to check each header separately (bsc#1206480) - Redo floatn fixinclude pick-up to simply keep what is there. - Bump libgo SONAME to libgo22. - Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers. - Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15. - Depend on at least LLVM 13 for GCN cross compiler. - Update embedded newlib to version 4.2.0 - Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build. ----------------------------------------- Version Build5.8.532-4-Build5.8.532 2023-10-26T15:32:54 ----------------------------------------- Patch: SUSE-2023-4217 Released: Thu Oct 26 12:20:27 2023 Summary: Security update for zlib Severity: moderate References: 1216378,CVE-2023-45853 Description: This update for zlib fixes the following issues: - CVE-2023-45853: Fixed an integer overflow that would lead to a buffer overflow in the minizip subcomponent (bsc#1216378). ----------------------------------------- Version Build5.8.534-4-Build5.8.534 2023-10-27T15:00:36 ----------------------------------------- Patch: SUSE-2023-4226 Released: Fri Oct 27 11:14:10 2023 Summary: Recommended update for openssl-1_1 Severity: moderate References: 1215215 Description: This update for openssl-1_1 fixes the following issues: - Displays 'fips' in the version string (bsc#1215215) ----------------------------------------- Version Build5.8.543-4-Build5.8.543 2023-11-16T17:54:18 ----------------------------------------- Patch: SUSE-2023-4458 Released: Thu Nov 16 14:38:48 2023 Summary: Security update for gcc13 Severity: important References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039 Description: This update for gcc13 fixes the following issues: This update ship the GCC 13.2 compiler suite and its base libraries. The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones. The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module. The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories. To use gcc13 compilers use: - install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages. - override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages. For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html Detailed changes: * CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052) - Work around third party app crash during C++ standard library initialization. [bsc#1216664] - Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427) - Bump included newlib to version 4.3.0. - Update to GCC trunk head (r13-5254-g05b9868b182bb9) - Redo floatn fixinclude pick-up to simply keep what is there. - Turn cross compiler to s390x to a glibc cross. [bsc#1214460] - Also handle -static-pie in the default-PIE specs - Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101] - Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427] - Add new x86-related intrinsics (amxcomplexintrin.h). - RISC-V: Add support for inlining subword atomic operations - Use --enable-link-serialization rather that --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver. - Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC. - Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing. - Bump included newlib to version 4.3.0. - Also package libhwasan_preinit.o on aarch64. - Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite. - Package libhwasan_preinit.o on x86_64. - Fixed unwinding on aarch64 with pointer signing. [bsc#1206684] - Enable PRU flavour for gcc13 - update floatn fixinclude pickup to check each header separately (bsc#1206480) - Redo floatn fixinclude pick-up to simply keep what is there. - Bump libgo SONAME to libgo22. - Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers. - Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15. - Depend on at least LLVM 13 for GCN cross compiler. - Update embedded newlib to version 4.2.0 - Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build. ----------------------------------------- Version Build5.8.544-4-Build5.8.544 2023-11-17T09:00:14 ----------------------------------------- Patch: SUSE-2023-4464 Released: Thu Nov 16 17:56:12 2023 Summary: Security update for libxml2 Severity: moderate References: 1216129,CVE-2023-45322 Description: This update for libxml2 fixes the following issues: - CVE-2023-45322: Fixed a use-after-free in xmlUnlinkNode() in tree.c (bsc#1216129). ----------------------------------------- Version Build5.8.547-4-Build5.8.547 2023-11-22T09:00:15 ----------------------------------------- Patch: SUSE-2023-4512 Released: Tue Nov 21 17:25:02 2023 Summary: Security update for util-linux Severity: important References: 1213865,CVE-2018-7738 Description: This update for util-linux fixes the following issues: - CVE-2018-7738: Fixed shell code injection in umount bash-completions (bsc#1213865). ----------------------------------------- Patch: SUSE-2023-4519 Released: Tue Nov 21 17:39:58 2023 Summary: Security update for openssl-1_1 Severity: important References: 1216922,CVE-2023-5678 Description: This update for openssl-1_1 fixes the following issues: - CVE-2023-5678: Fixed generating and checking of excessively long X9.42 DH keys that resulted in a possible Denial of Service (bsc#1216922). ----------------------------------------- Version Build5.8.548-4-Build5.8.548 2023-11-23T16:01:35 ----------------------------------------- Patch: SUSE-2023-4535 Released: Thu Nov 23 08:17:40 2023 Summary: Recommended update for libzypp, zypper Severity: moderate References: 1041742,1203760,1212422,1215979,1216091 Description: This update for libzypp, zypper fixes the following issues: - Preliminary disable 'rpm --runposttrans' usage for chrooted systems (bsc#1216091) - Fix comment typo on zypp.conf (bsc#1215979) - Attempt to delay %transfiletrigger(postun|in) execution if rpm supports it (bsc#1041742) - Make sure the old target is deleted before a new one is created (bsc#1203760) - Return 104 also if info suggests near matches - Rephrase upgrade message for openSUSE Tumbleweed (bsc#1212422) - commit: Insert a headline to separate output of different rpm scripts (bsc#1041742) ----------------------------------------- Version Build5.8.552-4-Build5.8.552 2023-12-01T09:00:15 ----------------------------------------- Patch: SUSE-2023-4619 Released: Thu Nov 30 10:13:52 2023 Summary: Security update for sqlite3 Severity: important References: 1210660,CVE-2023-2137 Description: This update for sqlite3 fixes the following issues: - CVE-2023-2137: Fixed heap buffer overflow (bsc#1210660). ----------------------------------------- Version Build5.8.557-4-Build5.8.557 2023-12-11T16:20:28 ----------------------------------------- Patch: SUSE-2023-4713 Released: Mon Dec 11 13:23:12 2023 Summary: Security update for curl Severity: moderate References: 1217573,CVE-2023-46218 Description: This update for curl fixes the following issues: - CVE-2023-46218: Fixed cookie mixed case PSL bypass (bsc#1217573). ----------------------------------------- Version Build5.8.559-4-Build5.8.559 2023-12-19T09:00:15 ----------------------------------------- Patch: SUSE-2023-4891 Released: Mon Dec 18 16:31:49 2023 Summary: Security update for ncurses Severity: moderate References: 1201384,1218014,CVE-2023-50495 Description: This update for ncurses fixes the following issues: - CVE-2023-50495: Fixed a segmentation fault via _nc_wrap_entry() (bsc#1218014) - Modify reset command to avoid altering clocal if the terminal uses a modem (bsc#1201384) ----------------------------------------- Version Build5.8.561-4-Build5.8.561 2023-12-25T09:00:15 ----------------------------------------- Patch: SUSE-2023-4963 Released: Fri Dec 22 14:37:08 2023 Summary: Recommended update for curl Severity: important References: 1216987 Description: This update for curl fixes the following issues: - libssh: Implement SFTP packet size limit (bsc#1216987) ----------------------------------------- Version Build5.8.563-4-Build5.8.563 2023-12-29T09:00:16 ----------------------------------------- Patch: SUSE-2023-4986 Released: Thu Dec 28 16:05:33 2023 Summary: Security update for gnutls Severity: moderate References: 1217277,CVE-2023-5981 Description: This update for gnutls fixes the following issues: - CVE-2023-5981: Fixed timing side-channel inside RSA-PSK key exchange (bsc#1217277). ----------------------------------------- Version Build5.8.564-4-Build5.8.564 2024-01-03T09:00:14 ----------------------------------------- Patch: SUSE-2024-11 Released: Tue Jan 2 13:24:52 2024 Summary: Recommended update for procps Severity: moderate References: 1029961,1158830,1206798,1209122 Description: This update for procps fixes the following issues: - Update procps to 3.3.17 (jsc#PED-3244 jsc#PED-6369) - For support up to 2048 CPU as well (bsc#1185417) - Allow `-´ as leading character to ignore possible errors on systctl entries (bsc#1209122) - Get the first CPU summary correct (bsc#1121753) - Enable pidof for SLE-15 as this is provided by sysvinit-tools - Use a check on syscall __NR_pidfd_open to decide if the pwait tool and its manual page will be build - Do not truncate output of w with option -n - Prefer logind over utmp (jsc#PED-3144) - Don't install translated man pages for non-installed binaries (uptime, kill). - Fix directory for Ukrainian man pages translations. - Move localized man pages to lang package. - Update to procps-ng-3.3.17 * library: Incremented to 8:3:0 (no removals or additions, internal changes only) * all: properly handle utf8 cmdline translations * kill: Pass int to signalled process * pgrep: Pass int to signalled process * pgrep: Check sanity of SG_ARG_MAX * pgrep: Add older than selection * pidof: Quiet mode * pidof: show worker threads * ps.1: Mention stime alias * ps: check also match on truncated 16 char comm names * ps: Add exe output option * ps: A lot more sorting available * pwait: New command waits for a process * sysctl: Match systemd directory order * sysctl: Document directory order * top: ensure config file backward compatibility * top: add command line 'e' for symmetry with 'E' * top: add '4' toggle for two abreast cpu display * top: add '!' toggle for combining multiple cpus * top: fix potential SEGV involving -p switch * vmstat: Wide mode gives wider proc columns * watch: Add environment variable for interval * watch: Add no linewrap option * watch: Support more colors * free,uptime,slabtop: complain about extra ops - Package translations in procps-lang. - Fix pgrep: cannot allocate 4611686018427387903 bytes when ulimit -s is unlimited. - Enable pidof by default - Update to procps-ng-3.3.16 * library: Increment to 8:2:0 No removals or functions Internal changes only, so revision is incremented. Previous version should have been 8:1:0 not 8:0:1 * docs: Use correct symbols for -h option in free.1 * docs: ps.1 now warns about command name length * docs: install translated man pages * pgrep: Match on runstate * snice: Fix matching on pid * top: can now exploit 256-color terminals * top: preserves 'other filters' in configuration file * top: can now collapse/expand forest view children * top: parent %CPU time includes collapsed children * top: improve xterm support for vim navigation keys * top: avoid segmentation fault at program termination * 'ps -C' does not allow anymore an argument longer than 15 characters (bsc#1158830) ----------------------------------------- Version Build5.8.571-4-Build5.8.571 2024-01-21T09:00:18 ----------------------------------------- Patch: SUSE-2024-136 Released: Thu Jan 18 09:53:47 2024 Summary: Security update for pam Severity: moderate References: 1217000,1218475,CVE-2024-22365 Description: This update for pam fixes the following issues: - CVE-2024-22365: Fixed a local denial of service during PAM login due to a missing check during path manipulation (bsc#1218475). - Check localtime_r() return value to fix crashing (bsc#1217000) ----------------------------------------- Version Build5.8.583-4-Build5.8.583 2024-02-14T09:00:14 ----------------------------------------- Patch: SUSE-2024-461 Released: Tue Feb 13 15:30:06 2024 Summary: Security update for libxml2 Severity: moderate References: 1219576,CVE-2024-25062 Description: This update for libxml2 fixes the following issues: - CVE-2024-25062: Fixed use-after-free in XMLReader (bsc#1219576). ----------------------------------------- Version Build5.8.586-4-Build5.8.586 2024-02-22T09:00:15 ----------------------------------------- Patch: SUSE-2024-43 Released: Fri Jan 5 14:49:13 2024 Summary: Recommended update for libsolv, zypper, libzypp Severity: moderate References: 1212160,1215294,1216412,1217593,1217873,1218291 Description: This update for libsolv, zypper, libzypp fixes the following issues: - Expand RepoVars in URLs downloading a .repo file (bsc#1212160) - Fix search/info commands ignoring --ignore-unknown (bsc#1217593) - CheckAccessDeleted: fix 'running in container' filter (bsc#1218291) - Open rpmdb just once during execution of %posttrans scripts (bsc#1216412) - Make sure reboot-needed is remembered until next boot (bsc#1217873) - Stop using boost version 1 timer library (bsc#1215294) - Updated to version 0.7.27 - Add zstd support for the installcheck tool - Add putinowndirpool cache to make file list handling in repo_write much faster - Do not use deprecated headerUnload with newer rpm versions - Support complex deps in SOLVABLE_PREREQ_IGNOREINST - Fix minimization not prefering installed packages in some cases - Reduce memory usage in repo_updateinfoxml - Fix lock-step interfering with architecture selection - Fix choice rule handing for package downgrades - Fix complex dependencies with an 'else' part sometimes leading to unsolved dependencies ----------------------------------------- Patch: SUSE-2024-475 Released: Wed Feb 14 19:08:44 2024 Summary: Recommended update for libsolv Severity: important References: 1215698,1218782,1218831,1219442 Description: This update for libsolv, libzypp fixes the following issues: - build for multiple python versions [jsc#PED-6218] - applydeltaprm: Create target directory if it does not exist (bsc#1219442) - Fix problems with EINTR in ExternalDataSource::getline (bsc#1215698) - CheckAccessDeleted: fix running_in_container detection (bsc#1218782) - Detect CURLOPT_REDIR_PROTOCOLS_STR availability at runtime (bsc#1218831) ----------------------------------------- Patch: SUSE-2024-525 Released: Mon Feb 19 08:03:59 2024 Summary: Security update for libssh Severity: important References: 1158095,1168699,1174713,1189608,1211188,1211190,1218126,1218186,1218209,CVE-2019-14889,CVE-2020-16135,CVE-2020-1730,CVE-2021-3634,CVE-2023-1667,CVE-2023-2283,CVE-2023-48795,CVE-2023-6004,CVE-2023-6918 Description: This update for libssh fixes the following issues: Update to version 0.9.8 (jsc#PED-7719): * Fix CVE-2023-6004: Command injection using proxycommand (bsc#1218209) * Fix CVE-2023-48795: Potential downgrade attack using strict kex (bsc#1218126) * Fix CVE-2023-6918: Missing checks for return values of MD functions (bsc#1218186) * Allow @ in usernames when parsing from URI composes Update to version 0.9.7: * Fix CVE-2023-1667: a NULL dereference during rekeying with algorithm guessing (bsc#1211188) * Fix CVE-2023-2283: a possible authorization bypass in pki_verify_data_signature under low-memory conditions (bsc#1211190) * Fix several memory leaks in GSSAPI handling code Update to version 0.9.6 (bsc#1189608, CVE-2021-3634): * https://git.libssh.org/projects/libssh.git/tag/?h=libssh-0.9.6 Update to 0.9.5 (bsc#1174713, CVE-2020-16135): * CVE-2020-16135: Avoid null pointer dereference in sftpserver (T232) * Improve handling of library initialization (T222) * Fix parsing of subsecond times in SFTP (T219) * Make the documentation reproducible * Remove deprecated API usage in OpenSSL * Fix regression of ssh_channel_poll_timeout() returning SSH_AGAIN * Define version in one place (T226) * Prevent invalid free when using different C runtimes than OpenSSL (T229) * Compatibility improvements to testsuite Update to version 0.9.4 * https://www.libssh.org/2020/04/09/libssh-0-9-4-and-libssh-0-8-9-security-release/ * Fix possible Denial of Service attack when using AES-CTR-ciphers CVE-2020-1730 (bsc#1168699) Update to version 0.9.3 * Fixed CVE-2019-14889 - SCP: Unsanitized location leads to command execution (bsc#1158095) * SSH-01-003 Client: Missing NULL check leads to crash in erroneous state * SSH-01-006 General: Various unchecked Null-derefs cause DOS * SSH-01-007 PKI Gcrypt: Potential UAF/double free with RSA pubkeys * SSH-01-010 SSH: Deprecated hash function in fingerprinting * SSH-01-013 Conf-Parsing: Recursive wildcards in hostnames lead to DOS * SSH-01-014 Conf-Parsing: Integer underflow leads to OOB array access * SSH-01-001 State Machine: Initial machine states should be set explicitly * SSH-01-002 Kex: Differently bound macros used to iterate same array * SSH-01-005 Code-Quality: Integer sign confusion during assignments * SSH-01-008 SCP: Protocol Injection via unescaped File Names * SSH-01-009 SSH: Update documentation which RFCs are implemented * SSH-01-012 PKI: Information leak via uninitialized stack buffer Update to version 0.9.2 * Fixed libssh-config.cmake * Fixed issues with rsa algorithm negotiation (T191) * Fixed detection of OpenSSL ed25519 support (T197) Update to version 0.9.1 * Added support for Ed25519 via OpenSSL * Added support for X25519 via OpenSSL * Added support for localuser in Match keyword * Fixed Match keyword to be case sensitive * Fixed compilation with LibreSSL * Fixed error report of channel open (T75) * Fixed sftp documentation (T137) * Fixed known_hosts parsing (T156) * Fixed build issue with MinGW (T157) * Fixed build with gcc 9 (T164) * Fixed deprecation issues (T165) * Fixed known_hosts directory creation (T166) - Split out configuration to separate package to not mess up the library packaging and coinstallation Update to verion 0.9.0 * Added support for AES-GCM * Added improved rekeying support * Added performance improvements * Disabled blowfish support by default * Fixed several ssh config parsing issues * Added support for DH Group Exchange KEX * Added support for Encrypt-then-MAC mode * Added support for parsing server side configuration file * Added support for ECDSA/Ed25519 certificates * Added FIPS 140-2 compatibility * Improved known_hosts parsing * Improved documentation * Improved OpenSSL API usage for KEX, DH, and signatures - Add libssh client and server config files ----------------------------------------- Version Build5.8.589-4-Build5.8.589 2024-02-27T09:50:42 ----------------------------------------- Patch: SUSE-2024-615 Released: Mon Feb 26 11:32:32 2024 Summary: Recommended update for netcfg Severity: moderate References: 1211886 Description: This update for netcfg fixes the following issues: - Add krb-prop entry (bsc#1211886) ----------------------------------------- Version Build5.8.598-4-Build5.8.598 2024-03-09T09:00:15 ----------------------------------------- Patch: SUSE-2024-824 Released: Fri Mar 8 17:34:36 2024 Summary: Security update for cpio Severity: moderate References: 1218571,1219238,CVE-2023-7207 Description: This update for cpio fixes the following issues: - CVE-2023-7207: Fixed path traversal vulnerability (bsc#1218571, bsc#1219238) ----------------------------------------- Version Build5.8.601-4-Build5.8.601 2024-03-11T16:55:22 ----------------------------------------- Patch: SUSE-2024-832 Released: Mon Mar 11 10:30:30 2024 Summary: Security update for openssl-1_1 Severity: moderate References: 1219243,CVE-2024-0727 Description: This update for openssl-1_1 fixes the following issues: - CVE-2024-0727: Denial of service when processing a maliciously formatted PKCS12 file (bsc#1219243). ----------------------------------------- Version Build5.8.603-4-Build5.8.603 2024-03-14T09:00:14 ----------------------------------------- Patch: SUSE-2024-860 Released: Wed Mar 13 08:45:21 2024 Summary: Security update for gnutls Severity: moderate References: 1218865,CVE-2023-5981,CVE-2024-0553 Description: This update for gnutls fixes the following issues: - CVE-2024-0553: Fixed insufficient mitigation for side channel attack in RSA-PSK, aka CVE-2023-5981 (bsc#1218865). ----------------------------------------- Version Build5.8.610-4-Build5.8.610 2024-03-27T09:00:19 ----------------------------------------- Patch: SUSE-2024-999 Released: Tue Mar 26 14:03:42 2024 Summary: Security update for krb5 Severity: important References: 1220770,1220771,CVE-2024-26458,CVE-2024-26461 Description: This update for krb5 fixes the following issues: - CVE-2024-26458: Fixed memory leak at /krb5/src/lib/rpc/pmap_rmt.c (bsc#1220770). - CVE-2024-26461: Fixed memory leak at /krb5/src/lib/gssapi/krb5/k5sealv3.c (bsc#1220771). ----------------------------------------- Version Build5.8.615-4-Build5.8.615 2024-04-04T09:00:18 ----------------------------------------- Patch: SUSE-2024-1106 Released: Wed Apr 3 15:33:00 2024 Summary: Security update for util-linux Severity: important References: 1194642,1207987,1221831,CVE-2024-28085 Description: This update for util-linux fixes the following issues: - CVE-2024-28085: Properly neutralize escape sequences in wall. (bsc#1221831) - Prevent error message if `/var/lib/libuuid/clock.txt` does not exist (bsc#1194642) - Fixed performance degradation (bsc#1207987) ----------------------------------------- Version Build5.8.617-4-Build5.8.617 2024-04-06T09:00:19 ----------------------------------------- Patch: SUSE-2024-1120 Released: Fri Apr 5 14:03:46 2024 Summary: Security update for curl Severity: moderate References: 1221665,1221667,CVE-2024-2004,CVE-2024-2398 Description: This update for curl fixes the following issues: - CVE-2024-2004: Fix the uUsage of disabled protocol logic. (bsc#1221665) - CVE-2024-2398: Fix HTTP/2 push headers memory-leak. (bsc#1221667) ----------------------------------------- Version Build5.8.621-4-Build5.8.621 2024-04-09T09:00:18 ----------------------------------------- Patch: SUSE-2024-1133 Released: Mon Apr 8 11:29:02 2024 Summary: Security update for ncurses Severity: moderate References: 1220061,CVE-2023-45918 Description: This update for ncurses fixes the following issues: - CVE-2023-45918: Fixed NULL pointer dereference via corrupted xterm-256color file (bsc#1220061). ----------------------------------------- Version Build5.8.623-4-Build5.8.623 2024-04-11T15:42:09 ----------------------------------------- Patch: SUSE-2024-1202 Released: Thu Apr 11 10:49:34 2024 Summary: Recommended update for libzypp, zypper, PackageKit Severity: moderate References: 1175678,1218171,1218544,1221525,CVE-2024-0217 Description: This update for libzypp, zypper, PackageKit fixes the following issues: - Fixup New VendorSupportOption flag VendorSupportSuperseded (jsc#OBS-301, jsc#PED-8014) - CVE-2024-0217: Check that Finished signal is emitted at most once (bsc#1218544) - Add resolver option 'removeOrphaned' for distupgrade (bsc#1221525) - New VendorSupportOption flag VendorSupportSuperseded (jsc#OBS-301, jsc#PED-8014) - Add default stripe minimum - Don't expose std::optional where YAST/PK explicitly use c++11. - Digest: Avoid using the deprecated OPENSSL_config - version 17.32.0 - ProblemSolution::skipsPatchesOnly overload to handout the patches - Show active dry-run/download-only at the commit propmpt - Add --skip-not-applicable-patches option - Fix printing detailed solver problem description - Fix bash-completion to work with right adjusted numbers in the 1st column too - Set libzypp shutdown request signal on Ctrl+C - In the detailed view show all baseurls not just the first one (bsc#1218171) ----------------------------------------- Version Build5.8.627-4-Build5.8.627 2024-04-16T09:00:18 ----------------------------------------- Patch: SUSE-2024-1253 Released: Fri Apr 12 08:15:18 2024 Summary: Recommended update for gcc13 Severity: moderate References: 1210959,1214934,1217450,1217667,1218492,1219031,1219520,1220724,1221239 Description: This update for gcc13 fixes the following issues: - Fix unwinding for JIT code. [bsc#1221239] - Revert libgccjit dependency change. [bsc#1220724] - Remove crypt and crypt_r interceptors. The crypt API change in SLE15 SP3 breaks them. [bsc#1219520] - Add support for -fmin-function-alignment. [bsc#1214934] - Use %{_target_cpu} to determine host and build. - Fix for building TVM. [bsc#1218492] - Add cross-X-newlib-devel requires to newlib cross compilers. [bsc#1219031] - Package m2rte.so plugin in the gcc13-m2 sub-package rather than in gcc13-devel. [bsc#1210959] - Require libstdc++6-devel-gcc13 from gcc13-m2 as m2 programs are linked against libstdc++6. - Fixed building mariadb on i686. [bsc#1217667] - Avoid update-alternatives dependency for accelerator crosses. - Package tool links to llvm in cross-amdgcn-gcc13 rather than in cross-amdgcn-newlib13-devel since that also has the dependence. - Depend on llvmVER instead of llvm with VER equal to %product_libs_llvm_ver where available and adjust tool discovery accordingly. This should also properly trigger re-builds when the patchlevel version of llvmVER changes, possibly changing the binary names we link to. [bsc#1217450] ----------------------------------------- Version Build5.8.634-4-Build5.8.634 2024-04-25T09:00:18 ----------------------------------------- Patch: SUSE-2024-1433 Released: Wed Apr 24 21:41:41 2024 Summary: Recommended update for libzypp, zypper Severity: moderate References: 1221525,1221963,1222086,1222398,1223094 Description: This update for libzypp, zypper fixes the following issues: - Fix creation of sibling cache dirs with too restrictive mode (bsc#1222398) - Don't try to refresh volatile media as long as raw metadata are present (bsc#1223094) - Update RepoStatus fromCookieFile according to the files mtime (bsc#1222086) - TmpFile: Don't call chmod if makeSibling failed - Do not try to refresh repo metadata as non-root user (bsc#1222086) - man: Explain how to protect orphaned packages by collecting them in a plaindir repo - packages: Add --autoinstalled and --userinstalled options to list them - Don't print 'reboot required' message if download-only or dry-run - Resepect zypper.conf option `showAlias` search commands (bsc#1221963) - dup: New option --remove-orphaned to remove all orphaned packages in dup (bsc#1221525) ----------------------------------------- Version Build5.8.639-4-Build5.8.639 2024-05-07T09:00:18 ----------------------------------------- Patch: SUSE-2024-1531 Released: Mon May 6 11:54:10 2024 Summary: Recommended update for golang-github-prometheus-alertmanager, golang-github-prometheus-node_exporter Severity: moderate References: Description: This update for golang-github-prometheus-alertmanager, golang-github-prometheus-node_exporter fixes the following issues: - update to 1.7.0 (jsc#PED-7893, jsc#PED-7928): * [FEATURE] Add ZFS freebsd per dataset stats #2753 * [FEATURE] Add cpu vulnerabilities reporting from sysfs #2721 * [ENHANCEMENT] Parallelize stat calls in Linux filesystem collector #1772 * [ENHANCEMENT] Add missing linkspeeds to ethtool collector #2711 * [ENHANCEMENT] Add CPU MHz as the value for node_cpu_info metric #2778 * [ENHANCEMENT] Improve qdisc collector performance #2779 * [ENHANCEMENT] Add include and exclude filter for hwmon collector #2699 * [ENHANCEMENT] Optionally fetch ARP stats via rtnetlink instead of procfs #2777 * [BUFFIX] Fix ZFS arcstats on FreeBSD 14.0+ 2754 * [BUGFIX] Fallback to 32-bit stats in netdev #2757 * [BUGFIX] Close btrfs.FS handle after use #2780 * [BUGFIX] Move RO status before error return #2807 * [BUFFIX] Fix promhttp_metric_handler_errors_total being always active #2808 * [BUGFIX] Fix nfsd v4 index miss #2824 - update to 1.6.1: (no source code changes in this release) - BuildRequire go1.20 - update to 1.6.0: * [CHANGE] Fix cpustat when some cpus are offline #2318 * [CHANGE] Remove metrics of offline CPUs in CPU collector #2605 * [CHANGE] Deprecate ntp collector #2603 * [CHANGE] Remove bcache `cache_readaheads_totals` metrics #2583 * [CHANGE] Deprecate supervisord collector #2685 * [FEATURE] Enable uname collector on NetBSD #2559 * [FEATURE] NetBSD support for the meminfo collector #2570 * [FEATURE] NetBSD support for CPU collector #2626 * [FEATURE] Add FreeBSD collector for netisr subsystem #2668 * [FEATURE] Add softirqs collector #2669 * [ENHANCEMENT] Add suspended as a `node_zfs_zpool_state` #2449 * [ENHANCEMENT] Add administrative state of Linux network interfaces #2515 * [ENHANCEMENT] Log current value of GOMAXPROCS #2537 * [ENHANCEMENT] Add profiler options for perf collector #2542 * [ENHANCEMENT] Allow root path as metrics path #2590 * [ENHANCEMENT] Add cpu frequency governor metrics #2569 * [ENHANCEMENT] Add new landing page #2622 * [ENHANCEMENT] Reduce privileges needed for btrfs device stats #2634 * [ENHANCEMENT] Add ZFS `memory_available_bytes` #2687 * [ENHANCEMENT] Use `SCSI_IDENT_SERIAL` as serial in diskstats #2612 * [ENHANCEMENT] Read missing from netlink netclass attributes from sysfs #2669 * [BUGFIX] perf: fixes for automatically detecting the correct tracefs mountpoints #2553 * [BUGFIX] Fix `thermal_zone` collector noise @2554 * [BUGFIX] Fix a problem fetching the user wire count on FreeBSD 2584 * [BUGFIX] interrupts: Fix fields on linux aarch64 #2631 * [BUGFIX] Remove metrics of offline CPUs in CPU collector #2605 * [BUGFIX] Fix OpenBSD filesystem collector string parsing #2637 * [BUGFIX] Fix bad reporting of `node_cpu_seconds_total` in OpenBSD #2663 - change go_modules archive in _service to use obscpio file ----------------------------------------- Version Build5.8.645-4-Build5.8.645 2024-05-15T09:00:19 ----------------------------------------- Patch: SUSE-2024-1630 Released: Tue May 14 09:20:44 2024 Summary: Security update for perl Severity: important References: 1047178,1082216,1082233,1210999,CVE-2017-6512,CVE-2018-6798,CVE-2018-6913,CVE-2023-31484 Description: This update for perl fixes the following issues: Security issues fixed: - CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216) - CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233) - CVE-2023-31484: Enabled TLS certificate verification in CPAN (bsc#1210999) - CVE-2017-6512: Fixed File::Path rmtree/remove_tree race condition (bsc#1047178) ----------------------------------------- Patch: SUSE-2024-1633 Released: Tue May 14 11:35:56 2024 Summary: Security update for openssl-1_1 Severity: moderate References: 1222548,CVE-2024-2511 Description: This update for openssl-1_1 fixes the following issues: - CVE-2024-2511: Fixed unconstrained session cache growth in TLSv1.3 (bsc#1222548). ----------------------------------------- Version Build5.8.656-4-Build5.8.656 2024-06-12T09:00:19 ----------------------------------------- Patch: SUSE-2024-1977 Released: Tue Jun 11 09:40:51 2024 Summary: Security update for glibc Severity: important References: 1222992,1223423,1223424,1223425,CVE-2024-2961,CVE-2024-33599,CVE-2024-33600,CVE-2024-33601,CVE-2024-33602 Description: This update for glibc fixes the following issues: - nscd: Release read lock after resetting timeout - nscd: Fix use-after-free in addgetnetgrentX (BZ #23520) - CVE-2024-33599; nscd: Stack-based buffer overflow in netgroup cache (bsc#1223423, BZ #31677) - CVE-2024-33600; nscd: Avoid null pointer crashes after notfound response (bsc#1223424, BZ #31678) - CVE-2024-33600: nscd: Do not send missing not-found response in addgetnetgrentX (bsc#1223424, BZ #31678) - CVE-2024-33601, CVE-2024-33602: netgroup: Use two buffers in addgetnetgrentX (bsc#1223425, BZ #31680) - CVE-2024-33602: Use time_t for return type of addgetnetgrentX (bsc#1223425) - CVE-2024-2961: iconv: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence (bsc#1222992) ----------------------------------------- Version Build5.8.657-4-Build5.8.657 2024-06-13T09:00:21 ----------------------------------------- Patch: SUSE-2024-2009 Released: Wed Jun 12 13:47:43 2024 Summary: Security update for curl Severity: moderate References: 1219273,CVE-2023-27534 Description: This update for curl fixes the following issues: - CVE-2023-27534: Properly resolve ~ when used in a SFTP path. (bsc#1219273) ----------------------------------------- Version Build5.8.658-4-Build5.8.658 2024-06-18T09:00:21 ----------------------------------------- Patch: SUSE-2024-2035 Released: Mon Jun 17 09:29:26 2024 Summary: Security update for openssl-1_1 Severity: important References: 1225551,CVE-2024-4741 Description: This update for openssl-1_1 fixes the following issues: - CVE-2024-4741: Fixed a use-after-free with SSL_free_buffers. (bsc#1225551) ----------------------------------------- Version Build5.8.660-4-Build5.8.660 2024-06-19T11:23:36 ----------------------------------------- Patch: 33666 Released: Wed Jun 19 08:36:51 2024 Summary: Recommended update for libsolv, libzypp, zypper Severity: important References: 1222086,1223430,1223766 Description: This update for libsolv, libzypp, zypper fixes the following issues: - Improve updating of installed multiversion packages - Fix decision introspection going into an endless loop in some cases - Split libsolv-tools into libsolv-tools-base [jsc#PED-8153] - Improve checks against corrupt rpm - Fixed check for outdated repo metadata as non-root user (bsc#1222086) - Add ZYPP_API for exported functions and switch to visibility=hidden (jsc#PED-8153) - Dynamically resolve libproxy (jsc#PED-8153) - Fix download from gpgkey URL (bsc#1223430) - Delay zypp lock until command options are parsed (bsc#1223766) - Unify message format ----------------------------------------- Version Build5.8.662-4-Build5.8.662 2024-06-19T15:33:39 ----------------------------------------- Patch: SUSE-2024-2086 Released: Wed Jun 19 11:48:24 2024 Summary: Recommended update for gcc13 Severity: moderate References: 1188441 Description: This update for gcc13 fixes the following issues: Update to GCC 13.3 release - Removed Fiji support from the GCN offload compiler as that is requiring Code Object version 3 which is no longer supported by llvm18. - Avoid combine spending too much compile-time and memory doing nothing on s390x. [bsc#1188441] - Make requirement to lld version specific to avoid requiring the meta-package. ----------------------------------------- Version Build5.8.665-4-Build5.8.665 2024-07-01T09:00:21 ----------------------------------------- Patch: SUSE-2024-2247 Released: Sun Jun 30 15:21:38 2024 Summary: Security update for glib2 Severity: low References: 1224044,CVE-2024-34397 Description: This update for glib2 fixes the following issues: - CVE-2024-34397: Fixed signal subscription unicast spoofing vulnerability (bsc#1224044). ----------------------------------------- Version Build5.8.666-4-Build5.8.666 2024-07-02T12:45:50 ----------------------------------------- Patch: SUSE-2024-2267 Released: Tue Jul 2 10:33:36 2024 Summary: Security update for libxml2 Severity: low References: 1224282,CVE-2024-34459 Description: This update for libxml2 fixes the following issues: - CVE-2024-34459: Fixed buffer over-read in xmlHTMLPrintFileContext in xmllint.c (bsc#1224282). ----------------------------------------- Version Build5.8.669-4-Build5.8.669 2024-07-05T09:00:22 ----------------------------------------- Patch: SUSE-2024-2305 Released: Fri Jul 5 00:13:02 2024 Summary: Security update for krb5 Severity: important References: 1227186,1227187,CVE-2024-37370,CVE-2024-37371 Description: This update for krb5 fixes the following issues: - CVE-2024-37370: Fixed confidential GSS krb5 wrap tokens with invalid fields were errouneously accepted (bsc#1227186). - CVE-2024-37371: Fixed invalid memory read when processing message tokens with invalid length fields (bsc#1227187). ----------------------------------------- Version Build5.8.671-4-Build5.8.671 2024-07-09T09:00:22 ----------------------------------------- Patch: SUSE-2024-2310 Released: Mon Jul 8 09:15:35 2024 Summary: Recommended update for libssh Severity: moderate References: 1227396 Description: This update for libssh fixes the following issue: - Fix regression parsing IPv6 addresses provided as hostname (bsc#1227396) ----------------------------------------- Version Build5.8.680-4-Build5.8.680 2024-08-06T09:00:22 ----------------------------------------- Patch: SUSE-2024-2754 Released: Mon Aug 5 21:03:51 2024 Summary: Security update for skopeo Severity: important References: 1224123,CVE-2024-28180 Description: This update for skopeo fixes the following issues: Update to version 1.14.4: - CVE-2024-3727: Fixed a vulnerability that allows attackers to trigger unexpected authenticated registry accesses on behalf of a victim user, resource exhaustion, local path traversal and other attacks. (bsc#1224123) ----------------------------------------- Version Build5.8.681-4-Build5.8.681 2024-08-07T09:00:23 ----------------------------------------- Patch: SUSE-2024-2791 Released: Tue Aug 6 16:35:06 2024 Summary: Recommended update for various 32bit packages Severity: moderate References: 1228322 Description: This update of various packages delivers 32bit variants to allow running Wine on SLE PackageHub 15 SP6. ----------------------------------------- Version Build5.8.684-4-Build5.8.684 2024-08-12T09:00:23 ----------------------------------------- Patch: SUSE-2024-2870 Released: Mon Aug 12 06:52:03 2024 Summary: Recommended update for libzypp, zypper, libsolv, zypp-plugin Severity: important References: 1081596,1223094,1224771,1225267,1226014,1226030,1226493,1227205,1227625,1227793,1228138,1228206,1228208,1228420,1228787,222971 Description: This update for libzypp, zypper, libsolv, zypp-plugin fixes the following issues: - Make sure not to statically linked installed tools (bsc#1228787) - MediaPluginType must be resolved to a valid MediaHandler (bsc#1228208) - Export asSolvable for YAST (bsc#1228420) - Export CredentialManager for legacy YAST versions (bsc#1228420) - Fix 4 typos in zypp.conf - Fix typo in the geoip update pipeline (bsc#1228206) - Export RepoVariablesStringReplacer for yast2 (bsc#1228138) - Removed dependency on external find program in the repo2solv tool - Fix return value of repodata.add_solv() - New SOLVER_FLAG_FOCUS_NEW flag - Report unsupported compression in solv_xfopen() with errno - Fix return value of repodata.add_solv() in the bindings - Fix SHA-224 oid in solv_pgpvrfy - Translation: updated .pot file. - Conflict with python zypp-plugin < 0.6.4 (bsc#1227793) - Fix int overflow in Provider - Fix error reporting on repoindex.xml parse error (bsc#1227625) - Keep UrlResolverPlugin API public - Blacklist /snap executables for 'zypper ps' (bsc#1226014) - Fix handling of buddies when applying locks (bsc#1225267) - Fix readline setup to handle Ctrl-C and Ctrl-D correctly (bsc#1227205) - Show rpm install size before installing (bsc#1224771) - Install zypp/APIConfig.h legacy include - Update soname due to RepoManager refactoring and cleanup - Workaround broken libsolv-tools-base requirements - Strip ssl_clientkey from repo urls (bsc#1226030) - Remove protobuf build dependency - Lazily attach medium during refresh workflows (bsc#1223094) - Refactor RepoManager and add Service workflows - Let_readline_abort_on_Ctrl-C (bsc#1226493) - packages: add '--system' to show @System packages (bsc#222971) ----------------------------------------- Version Build5.8.688-4-Build5.8.688 2024-08-14T18:50:20 ----------------------------------------- Patch: SUSE-2024-2909 Released: Wed Aug 14 14:47:44 2024 Summary: Security update for openssl-1_1 Severity: moderate References: 1227138,CVE-2024-5535 Description: This update for openssl-1_1 fixes the following issues: - CVE-2024-5535: Fixed a buffer overread in function SSL_select_next_proto() with an empty supported client protocols buffer (bsc#1227138) ----------------------------------------- Version Build5.8.689-4-Build5.8.689 2024-08-16T15:13:01 ----------------------------------------- Patch: SUSE-2024-2930 Released: Thu Aug 15 11:35:03 2024 Summary: Security update for curl Severity: moderate References: 1228535,CVE-2024-7264 Description: This update for curl fixes the following issues: - CVE-2024-7264: Fixed out-of-bounds read in ASN.1 date parser GTime2str() (bsc#1228535) ----------------------------------------- Version Build5.8.691-4-Build5.8.691 2024-08-20T09:00:23 ----------------------------------------- Patch: SUSE-2024-2967 Released: Mon Aug 19 15:41:29 2024 Summary: Recommended update for pam Severity: moderate References: 1194818 Description: This update for pam fixes the following issue: - Prevent cursor escape from the login prompt (bsc#1194818). ----------------------------------------- Version Build5.8.692-4-Build5.8.692 2024-08-23T09:00:23 ----------------------------------------- Patch: SUSE-2024-2998 Released: Thu Aug 22 12:52:17 2024 Summary: Security update for glib2 Severity: low References: 1224044,CVE-2024-34397 Description: This update for glib2 fixes the following issues: - Fixed a possible use after free regression introduced by CVE-2024-34397 patch (bsc#1224044). ----------------------------------------- Version Build5.8.696-4-Build5.8.696 2024-09-03T09:00:24 ----------------------------------------- Patch: SUSE-2024-3068 Released: Mon Sep 2 14:25:15 2024 Summary: Recommended update for util-linux Severity: moderate References: 1194818 Description: This update for util-linux fixes the following issue: - agetty: Prevent login cursor escape (bsc#1194818). ----------------------------------------- Version Build5.8.699-4-Build5.8.699 2024-09-11T14:35:40 ----------------------------------------- Patch: SUSE-2024-3202 Released: Wed Sep 11 10:54:47 2024 Summary: Security update for curl Severity: moderate References: 1228535,1230093,CVE-2024-7264,CVE-2024-8096 Description: This update for curl fixes the following issues: - CVE-2024-8096: OCSP stapling bypass with GnuTLS. (bsc#1230093) - CVE-2024-7264: ASN.1 date parser overread. (bsc#1228535)