----------------------------------------- Version 15.5.0-Build15.2 2024-06-19T09:00:22 ----------------------------------------- Patch: SUSE-2018-2607 Released: Wed Nov 7 15:42:48 2018 Summary: Optional update for gcc8 Severity: low References: 1084812,1084842,1087550,1094222,1102564 Description: The GNU Compiler GCC 8 is being added to the Development Tools Module by this update. The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the Basesystem module of SUSE Linux Enterprise 15. Various optimizers have been improved in GCC 8, several of bugs fixed, quite some new warnings added and the error pin-pointing and fix-suggestions have been greatly improved. The GNU Compiler page for GCC 8 contains a summary of all the changes that have happened: https://gcc.gnu.org/gcc-8/changes.html Also changes needed or common pitfalls when porting software are described on: https://gcc.gnu.org/gcc-8/porting_to.html ----------------------------------------- Patch: SUSE-2018-2861 Released: Thu Dec 6 14:32:01 2018 Summary: Security update for ncurses Severity: important References: 1103320,1115929,CVE-2018-19211 Description: This update for ncurses fixes the following issues: Security issue fixed: - CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929). Non-security issue fixed: - Remove scree.xterm from terminfo data base as with this screen uses fallback TERM=screen (bsc#1103320). ----------------------------------------- Patch: SUSE-2019-44 Released: Tue Jan 8 13:07:32 2019 Summary: Recommended update for acl Severity: low References: 953659 Description: This update for acl fixes the following issues: - test: Add helper library to fake passwd/group files. - quote: Escape literal backslashes. (bsc#953659) ----------------------------------------- Patch: SUSE-2019-1040 Released: Thu Apr 25 17:09:21 2019 Summary: Security update for samba Severity: important References: 1114407,1124223,1125410,1126377,1131060,1131686,CVE-2019-3880 Description: This update for samba fixes the following issues: Security issue fixed: - CVE-2019-3880: Fixed a path/symlink traversal vulnerability, which allowed an unprivileged user to save registry files outside a share (bsc#1131060). ldb was updated to version 1.2.4 (bsc#1125410 bsc#1131686): - Out of bound read in ldb_wildcard_compare - Hold at most 10 outstanding paged result cookies - Put 'results_store' into a doubly linked list - Refuse to build Samba against a newer minor version of ldb Non-security issues fixed: - Fixed update-apparmor-samba-profile script after apparmor switched to using named profiles (bsc#1126377). - Abide to the load_printers parameter in smb.conf (bsc#1124223). - Provide the 32bit samba winbind PAM module and its dependend 32bit libraries. ----------------------------------------- Patch: SUSE-2019-1368 Released: Tue May 28 13:15:38 2019 Summary: Recommended update for sles12sp3-docker-image, sles12sp4-image, system-user-root Severity: important References: 1134524,CVE-2019-5021 Description: This update for sles12sp3-docker-image, sles12sp4-image, system-user-root fixes the following issues: - CVE-2019-5021: Include an invalidated root password by default, not an empty one (bsc#1134524) ----------------------------------------- Patch: SUSE-2019-1372 Released: Tue May 28 16:53:28 2019 Summary: Security update for libtasn1 Severity: moderate References: 1105435,CVE-2018-1000654 Description: This update for libtasn1 fixes the following issues: Security issue fixed: - CVE-2018-1000654: Fixed a denial of service in the asn1 parser (bsc#1105435). ----------------------------------------- Patch: SUSE-2019-1631 Released: Fri Jun 21 11:17:21 2019 Summary: Recommended update for xz Severity: low References: 1135709 Description: This update for xz fixes the following issues: Add SUSE-Public-Domain licence as some parts of xz utils (liblzma, xz, xzdec, lzmadec, documentation, translated messages, tests, debug, extra directory) are in public domain licence [bsc#1135709] ----------------------------------------- Patch: SUSE-2019-2997 Released: Mon Nov 18 15:16:38 2019 Summary: Security update for ncurses Severity: moderate References: 1103320,1154036,1154037,CVE-2019-17594,CVE-2019-17595 Description: This update for ncurses fixes the following issues: Security issues fixed: - CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036). - CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037). Non-security issue fixed: - Removed screen.xterm from terminfo database (bsc#1103320). ----------------------------------------- Patch: SUSE-2019-3061 Released: Mon Nov 25 17:34:22 2019 Summary: Security update for gcc9 Severity: moderate References: 1114592,1135254,1141897,1142649,1142654,1148517,1149145,CVE-2019-14250,CVE-2019-15847,SLE-6533,SLE-6536 Description: This update includes the GNU Compiler Collection 9. A full changelog is provided by the GCC team on: https://www.gnu.org/software/gcc/gcc-9/changes.html The base system compiler libraries libgcc_s1, libstdc++6 and others are now built by the gcc 9 packages. To use it, install 'gcc9' or 'gcc9-c++' or other compiler brands and use CC=gcc-9 / CXX=g++-9 during configuration for using it. Security issues fixed: - CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145) - CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649) Non-security issues fixed: - Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254) - Fixed miscompilation for vector shift on s390. (bsc#1141897) ----------------------------------------- Patch: SUSE-2020-948 Released: Wed Apr 8 07:44:21 2020 Summary: Security update for gmp, gnutls, libnettle Severity: moderate References: 1152692,1155327,1166881,1168345,CVE-2020-11501 Description: This update for gmp, gnutls, libnettle fixes the following issues: Security issue fixed: - CVE-2020-11501: Fixed zero random value in DTLS client hello (bsc#1168345) FIPS related bugfixes: - FIPS: Install checksums for binary integrity verification which are required when running in FIPS mode (bsc#1152692, jsc#SLE-9518) - FIPS: Fixed a cfb8 decryption issue, no longer truncate output IV if input is shorter than block size. (bsc#1166881) - FIPS: Added Diffie Hellman public key verification test. (bsc#1155327) ----------------------------------------- Patch: SUSE-2020-1226 Released: Fri May 8 10:51:05 2020 Summary: Recommended update for gcc9 Severity: moderate References: 1149995,1152590,1167898 Description: This update for gcc9 fixes the following issues: This update ships the GCC 9.3 release. - Includes a fix for Internal compiler error when building HepMC (bsc#1167898) - Includes fix for binutils version parsing - Add libstdc++6-pp provides and conflicts to avoid file conflicts with same minor version of libstdc++6-pp from gcc10. - Add gcc9 autodetect -g at lto link (bsc#1149995) - Install go tool buildid for bootstrapping go ----------------------------------------- Patch: SUSE-2020-2148 Released: Thu Aug 6 13:36:17 2020 Summary: Recommended update for ca-certificates-mozilla Severity: important References: 1174673 Description: This update for ca-certificates-mozilla fixes the following issues: Update to 2.42 state of the Mozilla NSS Certificate store (bsc#1174673) Removed CAs: * AddTrust External CA Root * AddTrust Class 1 CA Root * LuxTrust Global Root 2 * Staat der Nederlanden Root CA - G2 * Symantec Class 1 Public Primary Certification Authority - G4 * Symantec Class 2 Public Primary Certification Authority - G4 * VeriSign Class 3 Public Primary Certification Authority - G3 Added CAs: * certSIGN Root CA G2 * e-Szigno Root CA 2017 * Microsoft ECC Root Certificate Authority 2017 * Microsoft RSA Root Certificate Authority 2017 ----------------------------------------- Patch: SUSE-2020-2947 Released: Fri Oct 16 15:23:07 2020 Summary: Security update for gcc10, nvptx-tools Severity: moderate References: 1172798,1172846,1173972,1174753,1174817,1175168,CVE-2020-13844 Description: This update for gcc10, nvptx-tools fixes the following issues: This update provides the GCC10 compiler suite and runtime libraries. The base SUSE Linux Enterprise libraries libgcc_s1, libstdc++6 are replaced by the gcc10 variants. The new compiler variants are available with '-10' suffix, you can specify them via: CC=gcc-10 CXX=g++-10 or similar commands. For a detailed changelog check out https://gcc.gnu.org/gcc-10/changes.html Changes in nvptx-tools: - Enable build on aarch64 ----------------------------------------- Patch: SUSE-2020-3157 Released: Wed Nov 4 15:37:05 2020 Summary: Recommended update for ca-certificates-mozilla Severity: moderate References: 1177864 Description: This update for ca-certificates-mozilla fixes the following issues: The SSL Root CA store was updated to the 2.44 state of the Mozilla NSS Certificate store (bsc#1177864) - Removed CAs: - EE Certification Centre Root CA - Taiwan GRCA - Added CAs: - Trustwave Global Certification Authority - Trustwave Global ECC P256 Certification Authority - Trustwave Global ECC P384 Certification Authority ----------------------------------------- Patch: SUSE-2021-293 Released: Wed Feb 3 12:52:34 2021 Summary: Recommended update for gmp Severity: moderate References: 1180603 Description: This update for gmp fixes the following issues: - correct license statements of packages (library itself is no GPL-3.0) (bsc#1180603) ----------------------------------------- Patch: SUSE-2021-924 Released: Tue Mar 23 10:00:49 2021 Summary: Recommended update for filesystem Severity: moderate References: 1078466,1146705,1175519,1178775,1180020,1180083,1180596,1181011,1181831,1183094 Description: This update for filesystem the following issues: - Remove duplicate line due to merge error - Add fix for 'mesa' creating cache with perm 0700. (bsc#1181011) - Fixed an issue causing failure during installation/upgrade a failure. (rh#1548403) (bsc#1146705) - Allows to override config to add cleanup options of '/var/tmp'. (bsc#1078466) - Create config to cleanup '/tmp' regular required with 'tmpfs'. (bsc#1175519) This update for systemd fixes the following issues: - Fix for a possible memory leak. (bsc#1180020) - Fix for a case when to a bind mounted directory results inactive mount units. (#7811) (bsc#1180596) - Fixed an issue when starting a container conflicts with another one. (bsc#1178775) - Drop most of the tmpfiles that deal with generic paths and avoid warnings. (bsc#1078466, bsc#1181831) - Don't use shell redirections when calling a rpm macro. (bsc#1183094) - 'systemd' requires 'aaa_base' >= 13.2. (bsc#1180083) ----------------------------------------- Patch: SUSE-2021-1861 Released: Fri Jun 4 09:59:40 2021 Summary: Recommended update for gcc10 Severity: moderate References: 1029961,1106014,1178577,1178624,1178675,1182016 Description: This update for gcc10 fixes the following issues: - Disable nvptx offloading for aarch64 again since it doesn't work - Fixed a build failure issue. (bsc#1182016) - Fix for memory miscompilation on 'aarch64'. (bsc#1178624, bsc#1178577) - Fix 32bit 'libgnat.so' link. (bsc#1178675) - prepare usrmerge: Install libgcc_s into %_libdir. ABI wise it stays /%lib. (bsc#1029961) - Build complete set of multilibs for arm-none target. (bsc#1106014) ----------------------------------------- Patch: SUSE-2021-2173 Released: Mon Jun 28 14:59:45 2021 Summary: Recommended update for automake Severity: moderate References: 1040589,1047218,1182604,1185540,1186049 Description: This update for automake fixes the following issues: - Implement generated autoconf makefiles reproducible (bsc#1182604) - Add fix to avoid date variations in docs. (bsc#1047218, jsc#SLE-17848) - Avoid bashisms in test-driver script. (bsc#1185540) This update for pcre fixes the following issues: - Do not run profiling 'check' in parallel to make package build reproducible. (bsc#1040589) This update for brp-check-suse fixes the following issues: - Add fixes to support reproducible builds. (bsc#1186049) ----------------------------------------- Patch: SUSE-2021-3274 Released: Fri Oct 1 10:34:17 2021 Summary: Recommended update for ca-certificates-mozilla Severity: important References: 1190858 Description: This update for ca-certificates-mozilla fixes the following issues: - remove one of the Letsencrypt CAs DST_Root_CA_X3.pem, as it expires September 30th 2021 and openssl certificate chain handling does not handle this correctly in openssl 1.0.2 and older. (bsc#1190858) ----------------------------------------- Patch: SUSE-2021-3291 Released: Wed Oct 6 16:45:36 2021 Summary: Security update for glibc Severity: moderate References: 1186489,1187911,CVE-2021-33574,CVE-2021-35942 Description: This update for glibc fixes the following issues: - CVE-2021-33574: Fixed use __pthread_attr_copy in mq_notify (bsc#1186489). - CVE-2021-35942: Fixed wordexp handle overflow in positional parameter number (bsc#1187911). ----------------------------------------- Patch: SUSE-2021-3382 Released: Tue Oct 12 14:30:17 2021 Summary: Recommended update for ca-certificates-mozilla Severity: moderate References: Description: This update for ca-certificates-mozilla fixes the following issues: - A new sub-package for minimal base containers (jsc#SLE-22162) ----------------------------------------- Patch: SUSE-2021-3490 Released: Wed Oct 20 16:31:55 2021 Summary: Security update for ncurses Severity: moderate References: 1190793,CVE-2021-39537 Description: This update for ncurses fixes the following issues: - CVE-2021-39537: Fixed an heap-based buffer overflow in _nc_captoinfo. (bsc#1190793) ----------------------------------------- Patch: SUSE-2021-3529 Released: Wed Oct 27 09:23:32 2021 Summary: Security update for pcre Severity: moderate References: 1172973,1172974,CVE-2019-20838,CVE-2020-14155 Description: This update for pcre fixes the following issues: Update pcre to version 8.45: - CVE-2020-14155: Fixed integer overflow via a large number after a '(?C' substring (bsc#1172974). - CVE-2019-20838: Fixed buffer over-read in JIT compiler (bsc#1172973) ----------------------------------------- Patch: SUSE-2021-3799 Released: Wed Nov 24 18:07:54 2021 Summary: Recommended update for gcc11 Severity: moderate References: 1187153,1187273,1188623 Description: This update for gcc11 fixes the following issues: The additional GNU compiler collection GCC 11 is provided: To select these compilers install the packages: - gcc11 - gcc-c++11 - and others with 11 prefix. to select them for building: - CC='gcc-11' - CXX='g++-11' The compiler baselibraries (libgcc_s1, libstdc++6 and others) are being replaced by the GCC 11 variants. ----------------------------------------- Patch: SUSE-2021-3946 Released: Mon Dec 6 14:57:42 2021 Summary: Security update for gmp Severity: moderate References: 1192717,CVE-2021-43618 Description: This update for gmp fixes the following issues: - CVE-2021-43618: Fixed buffer overflow via crafted input in mpz/inp_raw.c (bsc#1192717). ----------------------------------------- Patch: SUSE-2021-3980 Released: Thu Dec 9 16:42:19 2021 Summary: Recommended update for glibc Severity: moderate References: 1191592 Description: glibc was updated to fix the following issue: - Support for new IBM Z Hardware (bsc#1191592, jsc#IBM-869) ----------------------------------------- Patch: SUSE-2022-207 Released: Thu Jan 27 09:24:49 2022 Summary: Recommended update for glibc Severity: moderate References: Description: This update for glibc fixes the following issues: - Add support for livepatches on x86_64 for SUSE Linux Enterprise 15 SP4 (jsc#SLE-20049). ----------------------------------------- Patch: SUSE-2022-330 Released: Fri Feb 4 09:29:08 2022 Summary: Security update for glibc Severity: important References: 1194640,1194768,1194770,1194785,CVE-2021-3999,CVE-2022-23218,CVE-2022-23219 Description: This update for glibc fixes the following issues: - CVE-2021-3999: Fixed incorrect errno in getcwd (bsc#1194640) - CVE-2022-23219: Fixed buffer overflow in sunrpc clnt_create for 'unix' (bsc#1194768) - CVE-2022-23218: Fixed buffer overflow in sunrpc svcunix_create (bsc#1194770) Features added: - IBM Power 10 string operation improvements (bsc#1194785, jsc#SLE-18195) ----------------------------------------- Patch: SUSE-2022-692 Released: Thu Mar 3 15:46:47 2022 Summary: Recommended update for filesystem Severity: moderate References: 1190447 Description: This update for filesystem fixes the following issues: - Release ported filesystem to LTSS channels (bsc#1190447). ----------------------------------------- Patch: SUSE-2022-861 Released: Tue Mar 15 23:31:21 2022 Summary: Recommended update for openssl-1_1 Severity: moderate References: 1182959,1195149,1195792,1195856 Description: This update for openssl-1_1 fixes the following issues: openssl-1_1: - Fix PAC pointer authentication in ARM (bsc#1195856) - Pull libopenssl-1_1 when updating openssl-1_1 with the same version (bsc#1195792) - FIPS: Fix function and reason error codes (bsc#1182959) - Enable zlib compression support (bsc#1195149) glibc: - Resolve installation issue of `glibc-devel` in SUSE Linux Enterprise Micro 5.1 linux-glibc-devel: - Resolve installation issue of `linux-kernel-headers` in SUSE Linux Enterprise Micro 5.1 libxcrypt: - Resolve installation issue of `libxcrypt-devel` in SUSE Linux Enterprise Micro 5.1 zlib: - Resolve installation issue of `zlib-devel` in SUSE Linux Enterprise Micro 5.1 ----------------------------------------- Patch: SUSE-2022-936 Released: Tue Mar 22 18:10:17 2022 Summary: Recommended update for filesystem and systemd-rpm-macros Severity: moderate References: 1196275,1196406 Description: This update for filesystem and systemd-rpm-macros fixes the following issues: filesystem: - Add path /lib/modprobe.d (bsc#1196275, jsc#SLE-20639) systemd-rpm-macros: - Make %_modprobedir point to /lib/modprobe.d (bsc#1196275, bsc#1196406) ----------------------------------------- Patch: SUSE-2022-1158 Released: Tue Apr 12 14:44:43 2022 Summary: Security update for xz Severity: important References: 1198062,CVE-2022-1271 Description: This update for xz fixes the following issues: - CVE-2022-1271: Fixed an incorrect escaping of malicious filenames (ZDI-CAN-16587). (bsc#1198062) ----------------------------------------- Patch: SUSE-2022-1253 Released: Tue Apr 19 09:00:06 2022 Summary: Recommended update for helm Severity: moderate References: Description: This update for helm delivers helm 3.8.0 to the Containers module. ----------------------------------------- Patch: SUSE-2022-1409 Released: Tue Apr 26 12:54:57 2022 Summary: Recommended update for gcc11 Severity: moderate References: 1195628,1196107 Description: This update for gcc11 fixes the following issues: - Add a list of Obsoletes to libstdc++6-pp-gcc11 so updates from packages provided by older GCC work. Add a requires from that package to the corresponding libstc++6 package to keep those at the same version. [bsc#1196107] - Fixed memory corruption when creating dependences with the D language frontend. - Add gcc11-PIE, similar to gcc-PIE but affecting gcc11 [bsc#1195628] - Put libstdc++6-pp Requires on the shared library and drop to Recommends. ----------------------------------------- Patch: SUSE-2022-1909 Released: Wed Jun 1 16:25:35 2022 Summary: Recommended update for glibc Severity: moderate References: 1198751 Description: This update for glibc fixes the following issues: - Add the correct name for the IBM Z16 (bsc#1198751). ----------------------------------------- Patch: SUSE-2022-2019 Released: Wed Jun 8 16:50:07 2022 Summary: Recommended update for gcc11 Severity: moderate References: 1192951,1193659,1195283,1196861,1197065 Description: This update for gcc11 fixes the following issues: Update to the GCC 11.3.0 release. * includes SLS hardening backport on x86_64. [bsc#1195283] * includes change to adjust gnats idea of the target, fixing the build of gprbuild. [bsc#1196861] * fixed miscompile of embedded premake in 0ad on i586. [bsc#1197065] * use --with-cpu rather than specifying --with-arch/--with-tune * Fix D memory corruption in -M output. * Fix ICE in is_this_parameter with coroutines. [bsc#1193659] * fixes issue with debug dumping together with -o /dev/null * fixes libgccjit issue showing up in emacs build [bsc#1192951] * Package mwaitintrin.h ----------------------------------------- Patch: SUSE-2022-2361 Released: Tue Jul 12 12:05:01 2022 Summary: Security update for pcre Severity: important References: 1199232,CVE-2022-1586 Description: This update for pcre fixes the following issues: - CVE-2022-1586: Fixed unicode property matching issue. (bsc#1199232) ----------------------------------------- Patch: SUSE-2022-2406 Released: Fri Jul 15 11:49:01 2022 Summary: Recommended update for glibc Severity: moderate References: 1197718,1199140,1200334,1200855 Description: This update for glibc fixes the following issues: - powerpc: Fix VSX register number on __strncpy_power9 (bsc#1200334) - Disable warnings due to deprecated libselinux symbols used by nss and nscd (bsc#1197718) - i386: Remove broken CAN_USE_REGISTER_ASM_EBP (bsc#1197718) - rtld: Avoid using up static TLS surplus for optimizations (bsc#1200855, BZ #25051) This readds the s390 32bit glibc and libcrypt1 libraries (glibc-32bit, glibc-locale-base-32bit, libcrypt1-32bit). ----------------------------------------- Patch: SUSE-2022-2494 Released: Thu Jul 21 15:16:42 2022 Summary: Recommended update for glibc Severity: important References: 1200855,1201560,1201640 Description: This update for glibc fixes the following issues: - Remove tunables from static tls surplus patch which caused crashes (bsc#1200855) - i386: Disable check_consistency for GCC 5 and above (bsc#1201640, BZ #25788) ----------------------------------------- Patch: SUSE-2022-2717 Released: Tue Aug 9 12:54:16 2022 Summary: Security update for ncurses Severity: moderate References: 1198627,CVE-2022-29458 Description: This update for ncurses fixes the following issues: - CVE-2022-29458: Fixed segfaulting out-of-bounds read in convert_strings in tinfo/read_entry.c (bsc#1198627). ----------------------------------------- Patch: SUSE-2022-2796 Released: Fri Aug 12 14:34:31 2022 Summary: Recommended update for jitterentropy Severity: moderate References: Description: This update for jitterentropy fixes the following issues: jitterentropy is included in version 3.4.0 (jsc#SLE-24941): This is a FIPS 140-3 / NIST 800-90b compliant userspace jitter entropy generator library, used by other FIPS libraries. ----------------------------------------- Patch: SUSE-2022-3262 Released: Tue Sep 13 15:34:29 2022 Summary: Recommended update for gcc11 Severity: moderate References: 1199140 Description: This update for gcc11 ships some missing 32bit libraries for s390x. (bsc#1199140) ----------------------------------------- Patch: SUSE-2022-3328 Released: Wed Sep 21 12:48:56 2022 Summary: Recommended update for jitterentropy Severity: moderate References: 1202870 Description: This update for jitterentropy fixes the following issues: - Hide the non-GNUC constructs that are library internal from the exported header, to make it usable in builds with strict C99 compliance. (bsc#1202870) ----------------------------------------- Patch: SUSE-2022-3395 Released: Mon Sep 26 16:35:18 2022 Summary: Recommended update for ca-certificates-mozilla Severity: moderate References: 1181994,1188006,1199079,1202868 Description: This update for ca-certificates-mozilla fixes the following issues: Updated to 2.56 state of Mozilla SSL root CAs (bsc#1202868) - Added: - Certainly Root E1 - Certainly Root R1 - DigiCert SMIME ECC P384 Root G5 - DigiCert SMIME RSA4096 Root G5 - DigiCert TLS ECC P384 Root G5 - DigiCert TLS RSA4096 Root G5 - E-Tugra Global Root CA ECC v3 - E-Tugra Global Root CA RSA v3 - Removed: - Hellenic Academic and Research Institutions RootCA 2011 Updated to 2.54 state of Mozilla SSL root CAs (bsc#1199079) - Added: - Autoridad de Certificacion Firmaprofesional CIF A62634068 - D-TRUST BR Root CA 1 2020 - D-TRUST EV Root CA 1 2020 - GlobalSign ECC Root CA R4 - GTS Root R1 - GTS Root R2 - GTS Root R3 - GTS Root R4 - HiPKI Root CA - G1 - ISRG Root X2 - Telia Root CA v2 - vTrus ECC Root CA - vTrus Root CA - Removed: - Cybertrust Global Root - DST Root CA X3 - DigiNotar PKIoverheid CA Organisatie - G2 - GlobalSign ECC Root CA R4 - GlobalSign Root CA R2 - GTS Root R1 - GTS Root R2 - GTS Root R3 - GTS Root R4 Updated to 2.50 state of the Mozilla NSS Certificate store (bsc#1188006) - Added: - HARICA Client ECC Root CA 2021 - HARICA Client RSA Root CA 2021 - HARICA TLS ECC Root CA 2021 - HARICA TLS RSA Root CA 2021 - TunTrust Root CA Updated to 2.46 state of the Mozilla NSS Certificate store (bsc#1181994) - Added new root CAs: - NAVER Global Root Certification Authority - Removed old root CAs: - GeoTrust Global CA - GeoTrust Primary Certification Authority - GeoTrust Primary Certification Authority - G3 - GeoTrust Universal CA - GeoTrust Universal CA 2 - thawte Primary Root CA - thawte Primary Root CA - G2 - thawte Primary Root CA - G3 - VeriSign Class 3 Public Primary Certification Authority - G4 - VeriSign Class 3 Public Primary Certification Authority - G5 ----------------------------------------- Patch: SUSE-2022-3452 Released: Wed Sep 28 12:13:43 2022 Summary: Recommended update for glibc Severity: moderate References: 1201942 Description: This update for glibc fixes the following issues: - Reversing calculation of __x86_shared_non_temporal_threshold (bsc#1201942) - powerpc: Optimized memcmp for power10 (jsc#PED-987) ----------------------------------------- Patch: SUSE-2022-3666 Released: Wed Oct 19 20:44:55 2022 Summary: Security update for helm Severity: important References: 1200528,1203054,CVE-2022-1996,CVE-2022-36055 Description: This update for helm fixes the following issues: helm was updated to version 3.9.4: * CVE-2022-36055: Fixed denial of service through string value parsing (bsc#1203054). * Updating the certificates used for testing * Updating index handling helm was updated to version 3.9.3: - CVE-2022-1996: Updated kube-openapi to fix an issue that could result in a CORS protection bypass (bsc#1200528). * Fix missing array length check on release helm was updated to version 3.9.2: * Update of the circleci image helm was updated to version 3.9.1: * Update to support Kubernetes 1.24.2 * Improve logging and safety of statefulSetReady * Make token caching an opt-in feature * Bump github.com/lib/pq from 1.10.5 to 1.10.6 * Bump github.com/Masterminds/squirrel from 1.5.2 to 1.5.3 helm was updated to version 3.9.0: * Added a --quiet flag to helm lint * Added a --post-renderer-args flag to support arguments being passed to the post renderer * Added more checks during the signing process * Updated to add Kubernetes 1.24 support helm was updated to version 3.8.2: * Bump oras.land/oras-go from 1.1.0 to 1.1.1 * Fixing downloader plugin error handling * Simplify testdata charts * Simplify testdata charts * Add tests for multi-level dependencies. * Fix value precedence * Bumping Kubernetes package versions * Updating vcs to latest version * Dont modify provided transport * Pass http getter as pointer in tests * Add docs block * Add transport option and tests * Reuse http transport * Updating Kubernetes libs to 0.23.4 (latest) * fix: remove deadcode * fix: helm package tests * fix: helm package with dependency update for charts with OCI dependencies * Fix typo Unset the env var before func return in Unit Test * add legal name check * maint: fix syntax error in deploy.sh * linting issue fixed * only apply overwrite if version is canary * overwrite flag added to az storage blob upload-batch * Avoid querying for OCI tags can explicit version provided in chart dependencies * Management of bearer tokens for tag listing * Updating Kubernetes packages to 1.23.3 * refactor: use `os.ReadDir` for lightweight directory reading * Add IngressClass to manifests to be (un)installed * feat(comp): Shell completion for OCI * Fix install memory/goroutine leak ----------------------------------------- Patch: SUSE-2022-3784 Released: Wed Oct 26 18:03:28 2022 Summary: Security update for libtasn1 Severity: critical References: 1204690,CVE-2021-46848 Description: This update for libtasn1 fixes the following issues: - CVE-2021-46848: Fixed off-by-one array size check that affects asn1_encode_simple_der (bsc#1204690) ----------------------------------------- Patch: SUSE-2022-4256 Released: Mon Nov 28 12:36:32 2022 Summary: Recommended update for gcc12 Severity: moderate References: Description: This update for gcc12 fixes the following issues: This update ship the GCC 12 compiler suite and its base libraries. The compiler baselibraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 11 ones. The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP3 and SP4, and provided in the 'Development Tools' module. The Go, D and Ada language compiler parts are available unsupported via the PackageHub repositories. To use gcc12 compilers use: - install 'gcc12' or 'gcc12-c++' or one of the other 'gcc12-COMPILER' frontend packages. - override your Makefile to use CC=gcc12, CXX=g++12 and similar overrides for the other languages. For a full changelog with all new GCC12 features, check out https://gcc.gnu.org/gcc-12/changes.html ----------------------------------------- Patch: SUSE-2022-4606 Released: Thu Dec 22 09:32:03 2022 Summary: Security update for helm Severity: moderate References: 1181419,1206467,1206469,1206471,CVE-2021-21272,CVE-2022-1996,CVE-2022-23524,CVE-2022-23525,CVE-2022-23526 Description: This update for helm fixes the following issues: Update to version 3.10.3: - CVE-2022-23524: Fixed a denial of service in the string value parsing (bsc#1206467). - CVE-2022-23525: Fixed a denial of service with the repository index file (bsc#1206469). - CVE-2022-23526: Fixed a denial of service in the schema file handling (bsc#1206471). ----------------------------------------- Patch: SUSE-2023-37 Released: Fri Jan 6 15:35:49 2023 Summary: Security update for ca-certificates-mozilla Severity: important References: 1206212,1206622 Description: This update for ca-certificates-mozilla fixes the following issues: - Updated to 2.60 state of Mozilla SSL root CAs (bsc#1206622) Removed CAs: - Global Chambersign Root - EC-ACC - Network Solutions Certificate Authority - Staat der Nederlanden EV Root CA - SwissSign Platinum CA - G2 Added CAs: - DIGITALSIGN GLOBAL ROOT ECDSA CA - DIGITALSIGN GLOBAL ROOT RSA CA - Security Communication ECC RootCA1 - Security Communication RootCA3 Changed trust: - TrustCor certificates only trusted up to Nov 30 (bsc#1206212) - Removed CAs (bsc#1206212) as most code does not handle 'valid before nov 30 2022' and it is not clear how many certs were issued for SSL middleware by TrustCor: - TrustCor RootCert CA-1 - TrustCor RootCert CA-2 - TrustCor ECA-1 ----------------------------------------- Patch: SUSE-2023-617 Released: Fri Mar 3 16:49:06 2023 Summary: Recommended update for jitterentropy Severity: moderate References: 1207789 Description: This update for jitterentropy fixes the following issues: - build jitterentropy library with debuginfo (bsc#1207789) ----------------------------------------- Patch: SUSE-2023-776 Released: Thu Mar 16 17:29:23 2023 Summary: Recommended update for gcc12 Severity: moderate References: Description: This update for gcc12 fixes the following issues: This update ships gcc12 also to the SUSE Linux Enterprise 15 SP1 LTSS and 15 SP2 LTSS products. SUSE Linux Enterprise 15 SP3 and SP4 get only refreshed builds without changes This update ship the GCC 12 compiler suite and its base libraries. The compiler baselibraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 11 ones. The new compilers for C, C++, and Fortran are provided in the SUSE Linux Enterprise Module for Development Tools. To use gcc12 compilers use: - install 'gcc12' or 'gcc12-c++' or one of the other 'gcc12-COMPILER' frontend packages. - override your makefile to use CC=gcc12, CXX=g++12 and similar overrides for the other languages. For a full changelog with all new GCC12 features, check out https://gcc.gnu.org/gcc-12/changes.html ----------------------------------------- Patch: SUSE-2023-1571 Released: Fri Mar 24 13:45:05 2023 Summary: Security update for helm Severity: moderate References: 1208084,CVE-2023-25165 Description: This update for helm fixes the following issues: Update to version 3.11.1 (bsc#1208084): - CVE-2023-25165: Fixed a information disclosure problem via getHostByName injection inside a chart to get values to a malicious DNS server. ----------------------------------------- Patch: SUSE-2023-1718 Released: Fri Mar 31 15:47:34 2023 Summary: Security update for glibc Severity: moderate References: 1207571,1207957,1207975,1208358,CVE-2023-0687 Description: This update for glibc fixes the following issues: Security issue fixed: - CVE-2023-0687: Fix allocated buffer overflow in gmon (bsc#1207975) Other issues fixed: - Fix avx2 strncmp offset compare condition check (bsc#1208358) - elf: Allow dlopen of filter object to work (bsc#1207571) - powerpc: Fix unrecognized instruction errors with recent GCC - x86: Cache computation for AMD architecture (bsc#1207957) ----------------------------------------- Patch: SUSE-2023-1901 Released: Tue Apr 18 15:37:23 2023 Summary: Security update for helm Severity: moderate References: 1209670 Description: This update for helm fixes the following issues: Update to version 3.11.2: * chore(deps): bump github.com/rubenv/sql-migrate from 1.2.0 to 1.3.1 * the linter varcheck and deadcode are deprecated (since v1.49.0) * fix template --output-dir issue * build against a supported go version: go1.19 (bsc#1209670) ----------------------------------------- Patch: SUSE-2023-2111 Released: Fri May 5 14:34:00 2023 Summary: Security update for ncurses Severity: moderate References: 1210434,CVE-2023-29491 Description: This update for ncurses fixes the following issues: - CVE-2023-29491: Fixed memory corruption issues when processing malformed terminfo data (bsc#1210434). ----------------------------------------- Patch: SUSE-2023-2179 Released: Thu May 11 14:13:44 2023 Summary: Security update for helm Severity: important References: 1200441 Description: This update of helm fixes the following issues: - rebuild the package with the go 19.9 secure release (bsc#1200441). ----------------------------------------- Patch: 29171 Released: Tue Jun 20 12:29:00 2023 Summary: Security update for openssl-1_1 Severity: important References: 1201627,1207534,1211430,CVE-2022-4304,CVE-2023-2650 Description: This update for openssl-1_1 fixes the following issues: - CVE-2023-2650: Fixed possible denial of service translating ASN.1 object identifiers (bsc#1211430). - CVE-2022-4304: Reworked the fix for the Timing-Oracle in RSA decryption. The previous fix for this timing side channel turned out to cause a severe 2-3x performance regression in the typical use case (bsc#1207534). - Update further expiring certificates that affect tests (bsc#1201627) ----------------------------------------- Patch: SUSE-2023-2625 Released: Fri Jun 23 17:16:11 2023 Summary: Recommended update for gcc12 Severity: moderate References: Description: This update for gcc12 fixes the following issues: - Update to GCC 12.3 release, 0c61aa720e62f1baf0bfd178e283, git1204 * includes regression and other bug fixes - Speed up builds with --enable-link-serialization. - Update embedded newlib to version 4.2.0 ----------------------------------------- Patch: SUSE-2023-2765 Released: Mon Jul 3 20:28:14 2023 Summary: Security update for libcap Severity: moderate References: 1211418,1211419,CVE-2023-2602,CVE-2023-2603 Description: This update for libcap fixes the following issues: - CVE-2023-2602: Fixed improper memory release in libcap/psx/psx.c:__wrap_pthread_create() (bsc#1211418). - CVE-2023-2603: Fixed an integer overflow or wraparound in libcap/cap_alloc.c:_libcap_strdup() (bsc#1211419). ----------------------------------------- Patch: SUSE-2023-2885 Released: Wed Jul 19 16:58:43 2023 Summary: Recommended update for glibc Severity: moderate References: 1208721,1209229,1211828 Description: This update for glibc fixes the following issues: - getlogin_r: fix missing fallback if loginuid is unset (bsc#1209229, BZ #30235) - Exclude static archives from preparation for live patching (bsc#1208721) - resolv_conf: release lock on allocation failure (bsc#1211828, BZ #30527) ----------------------------------------- Patch: SUSE-2023-2965 Released: Tue Jul 25 12:30:22 2023 Summary: Security update for openssl-1_1 Severity: moderate References: 1213487,CVE-2023-3446 Description: This update for openssl-1_1 fixes the following issues: - CVE-2023-3446: Fixed DH_check() excessive time with over sized modulus (bsc#1213487). ----------------------------------------- Patch: SUSE-2023-3102 Released: Tue Aug 1 14:11:53 2023 Summary: Recommended update for openssl-1_1 Severity: moderate References: 1213517 Description: This update for openssl-1_1 fixes the following issues: - Dont pass zero length input to EVP_Cipher (bsc#1213517) ----------------------------------------- Patch: SUSE-2023-3242 Released: Tue Aug 8 18:19:40 2023 Summary: Security update for openssl-1_1 Severity: moderate References: 1213853,CVE-2023-3817 Description: This update for openssl-1_1 fixes the following issues: - CVE-2023-3817: Fixed a potential DoS due to excessive time spent checking DH q parameter value. (bsc#1213853) ----------------------------------------- Patch: SUSE-2023-3454 Released: Mon Aug 28 13:43:18 2023 Summary: Security update for ca-certificates-mozilla Severity: important References: 1214248 Description: This update for ca-certificates-mozilla fixes the following issues: - Updated to 2.62 state of Mozilla SSL root CAs (bsc#1214248) Added: - Atos TrustedRoot Root CA ECC G2 2020 - Atos TrustedRoot Root CA ECC TLS 2021 - Atos TrustedRoot Root CA RSA G2 2020 - Atos TrustedRoot Root CA RSA TLS 2021 - BJCA Global Root CA1 - BJCA Global Root CA2 - LAWtrust Root CA2 (4096) - Sectigo Public Email Protection Root E46 - Sectigo Public Email Protection Root R46 - Sectigo Public Server Authentication Root E46 - Sectigo Public Server Authentication Root R46 - SSL.com Client ECC Root CA 2022 - SSL.com Client RSA Root CA 2022 - SSL.com TLS ECC Root CA 2022 - SSL.com TLS RSA Root CA 2022 Removed CAs: - Chambers of Commerce Root - E-Tugra Certification Authority - E-Tugra Global Root CA ECC v3 - E-Tugra Global Root CA RSA v3 - Hongkong Post Root CA 1 ----------------------------------------- Patch: SUSE-2023-3577 Released: Mon Sep 11 15:04:01 2023 Summary: Recommended update for crypto-policies Severity: low References: 1209998 Description: This update for crypto-policies fixes the following issues: - Update update-crypto-policies(8) man pages and README.SUSE to mention the supported back-end policies. (bsc#1209998) ----------------------------------------- Patch: SUSE-2023-3661 Released: Mon Sep 18 21:44:09 2023 Summary: Security update for gcc12 Severity: important References: 1214052,CVE-2023-4039 Description: This update for gcc12 fixes the following issues: - CVE-2023-4039: Fixed incorrect stack protector for C99 VLAs on Aarch64 (bsc#1214052). ----------------------------------------- Patch: SUSE-2023-3814 Released: Wed Sep 27 18:08:17 2023 Summary: Recommended update for glibc Severity: moderate References: 1211829,1212819,1212910 Description: This update for glibc fixes the following issues: - nscd: Fix netlink cache invalidation if epoll is used (bsc#1212910, BZ #29415) - Restore lookup of IPv4 mapped addresses in files database (bsc#1212819, BZ #25457) - elf: Remove excessive p_align check on PT_LOAD segments (bsc#1211829, BZ #28688) - elf: Properly align PT_LOAD segments (bsc#1211829, BZ #28676) - ld.so: Always use MAP_COPY to map the first segment (BZ #30452) - add GB18030-2022 charmap (jsc#PED-4908, BZ #30243) ----------------------------------------- Patch: SUSE-2023-4105 Released: Wed Oct 18 08:15:40 2023 Summary: Recommended update for openssl-1_1 Severity: moderate References: 1215215 Description: This update for openssl-1_1 fixes the following issues: - Displays 'fips' in the version string (bsc#1215215) ----------------------------------------- Patch: SUSE-2023-4110 Released: Wed Oct 18 12:35:26 2023 Summary: Security update for glibc Severity: important References: 1215286,1215891,CVE-2023-4813 Description: This update for glibc fixes the following issues: Security issue fixed: - CVE-2023-4813: Fixed a potential use-after-free in gaih_inet() (bsc#1215286, BZ #28931) Also a regression from a previous update was fixed: - elf: Align argument of __munmap to page size (bsc#1215891, BZ #28676) ----------------------------------------- Patch: SUSE-2023-4124 Released: Thu Oct 19 09:32:26 2023 Summary: Security update for helm Severity: important References: 1183043,1215588,1215711,CVE-2022-41723,CVE-2023-25173 Description: This update for helm fixes the following issues: helm was updated to version 3.13.1: * Fixing precedence issue with the import of values. * Add missing with clause to release gh action * FIX Default ServiceAccount yaml * fix(registry): unswallow error * remove useless print during prepareUpgrade * fix(registry): address anonymous pull issue * Fix missing run statement on release action * Write latest version to get.helm.sh bucket * Increased release information key name max length. helm was updated to version 3.13.0 (bsc#1215588): * Fix leaking goroutines in Install * Update Helm to use k8s 1.28.2 libraries * make the dependabot k8s.io group explicit * use dependabot's group support for k8s.io dependencies * doc:Executing helm rollback release 0 will roll back to the previous release * Use labels instead of selectorLabels for pod labels * fix(helm): fix GetPodLogs, the hooks should be sorted before get the logs of each hook * chore: HTTPGetter add default timeout * Avoid nil dereference if passing a nil resolver * Add required changes after merge * Fix #3352, add support for --ignore-not-found just like kubectl delete * Fix helm may identify achieve of the application/x-gzip as application/vnd.ms-fontobject * Restore `helm get metadata` command * Revert 'Add `helm get metadata` command' * test: replace `ensure.TempDir` with `t.TempDir` * use json api url + report curl/wget error on fail * Added error in case try to supply custom label with name of system label during install/upgrade * fix(main): fix basic auth for helm pull or push * cmd: support generating index in JSON format * repo: detect JSON and unmarshal efficiently * Tweaking new dry-run internal handling * bump kubernetes modules to v0.27.3 * Remove warning for template directory not found. * Added tests for created OCI annotation time format * Add created OCI annotation * Fix multiple bugs in values handling * chore: fix a typo in `manager.go` * add GetRegistryClient method * oci: add tests for plain HTTP and insecure HTTPS registries * oci: Add flag `--plain-http` to enable working with HTTP registries * docs: add an example for using the upgrade command with existing values * Replace `fmt.Fprintf` with `fmt.Fprint` in get_metadata.go * Replace `fmt.Fprintln` with `fmt.Fprintf` in get_metadata.go * update kubernetes dependencies from v0.27.0 to v0.27.1 * Add ClientOptResolver to test util file * Check that missing keys are still handled in tpl * tests: change crd golden file to match after #11870 * Adding details on the Factory interface * update autoscaling/v2beta1 to autoscaling/v2 in skeleton chart * feat(helm): add ability for --dry-run to do lookup functions When a helm command is run with the --dry-run flag, it will try to connect to the cluster to be able to render lookup functions. Closes #8137 * bugfix:(#11391) helm lint infinite loop when malformed template object * pkg/engine: fix nil-dereference * pkg/chartutil: fix nil-dereference * pkg/action: fix nil-dereference * full source path when output-dir is not provided * added Contributing.md section and ref link in the README * feat(helm): add ability for --dry-run to do lookup functions When a helm command is run with the --dry-run flag, it will try to connect to the cluster if the value is 'server' to be able to render lookup functions. Closes #8137 * feat(helm): add ability for --dry-run to do lookup functions * Add `CHART`, `VERSION` and `APP_VERSION` fields to `get all` command output * Adjust `get` command description to account metadata * add volumes and volumeMounts in chartutil * Seed a default switch to control `automountServiceAccountToken` * Avoid confusing error when passing in '--version X.Y.Z' * Add `helm get metadata` command * Use wrapped error so that ErrNoObjectsVisited can be compared after return. * Add exact version test. * strict file permissions of repository.yaml * Check redefinition of define and include in tpl * Check that `.Template` is passed through `tpl` * Make sure empty `tpl` values render empty. * Pick the test improvement out of PR#8371 * #11369 Use the correct index repo cache directory in the `parallelRepoUpdate` method as well * #11369 Add a test case to prove the bug and its resolution * ref(helm): export DescriptorPullSummary fields * feat(helm): add 'ClientOptResolver' ClientOption * Fix flaky TestSQLCreate test by making sqlmock ignore order of sql requests * Fixing tests after adding labels to release fixture * Make default release fixture contain custom labels to make tests check that labels are not lost * Added support for storing custom labels in SQL storage driver * Adding support merging new custom labels with original release labels during upgrade * Added note to install/upgrade commands that original release labels wouldn't be persisted in upgraded release * Added unit tests for implemented install/upgrade labels logic * Remove redudant types from util_test.go * Added tests for newly introduced util.go functions * Fix broken tests for SQL storage driver * Fix broken tests for configmap and secret storage drivers * Make superseded releases keep labels * Support configmap storage driver for install/upgrade actions --labels argument * Added upgrade --install labels argument support * Add labels support for install action with secret storage backend * test: added tests to load plugin from home dir with space * fix: plugin does not load when helm base dir contains space * Add priority class to kind sorter * Fixes #10566 * test(search): add mixedCase test case * fix(search): print repo search result in original case * Adjust error message wrongly claiming that there is a resource conflict * Throw an error from jobReady() if the job exceeds its BackoffLimit * github: add Asset Transparency action for GitHub releases Update to version 3.12.3: * bump kubernetes modules to v0.27.3 * Add priority class to kind sorter Update to version 3.12.2: * add GetRegistryClient method Update to version 3.12.1: * bugfix:(#11391) helm lint infinite loop when malformed template object * update autoscaling/v2beta1 to autoscaling/v2 in skeleton chart * test(search): add mixedCase test case * fix(search): print repo search result in original case * strict file permissions of repository.yaml * update kubernetes dependencies from v0.27.0 to v0.27.1 Update to version 3.12.0: * Attach annotations to OCI artifacts * Fix goroutine leak in action install * fix quiet lint does not fail on non-linting errors * create failing test for quietly linting a chart that doesn't exist * Fixes Readiness Check for statefulsets using partitioned rolling update. (#11774) * fix: failed testcase on windows * Fix 32bit-x86 typo in testsuite * Handle failed DNS case for Go 1.20+ * Updating the Go version in go.mod * Fix goroutine leak in perform * Properly invalidate client after CRD install * Provide a helper to set the registryClient in cmd * Reimplemented change in httpgetter for insecure TLS option * Added insecure option to login subcommand * Added support for insecure OCI registries * Enable custom certificates option for OCI * Add testing to default and release branches * Remove job dependency. Should have done when I moved job to new file * Remove check to run only in helm org * Add why comments * Convert remaining CircleCI config to GitHub Actions * Changed how the setup-go action sets go version * chore:Use http constants as http.request parameters * update k8s registry domain * don't mark issues as stale where a PR is in progress * Update to func handling * Add option to support cascade deletion options * the linter varcheck and deadcode are deprecated (since v1.49.0) * Check status code before retrying request * Fix improper use of Table request/response to k8s API * fix template --output-dir issue * Add protection for stack-overflows for nested keys * feature(helm): add --set-literal flag for literal string interpretation Update to version 3.11.3: * Fix goroutine leak in perform * Fix goroutine leak in action install * Fix 32bit-x86 typo in testsuite * Fixes Readiness Check for statefulsets using partitioned rolling update. (#11774) - avoid CGO to workaround missing gold dependency (bsc#1183043) ----------------------------------------- Patch: SUSE-2023-4162 Released: Mon Oct 23 15:33:03 2023 Summary: Security update for gcc13 Severity: important References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,CVE-2023-4039 Description: This update for gcc13 fixes the following issues: This update ship the GCC 13.2 compiler suite and its base libraries. The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones. The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module. The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories. To use gcc13 compilers use: - install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages. - override your Makefile to use CC=gcc13, CXX=g++13 and similar overrides for the other languages. For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html Detailed changes: * CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052) - Turn cross compiler to s390x to a glibc cross. [bsc#1214460] - Also handle -static-pie in the default-PIE specs - Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101] - Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427] - Add new x86-related intrinsics (amxcomplexintrin.h). - RISC-V: Add support for inlining subword atomic operations - Use --enable-link-serialization rather that --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver. - Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC. - Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing. - Bump included newlib to version 4.3.0. - Also package libhwasan_preinit.o on aarch64. - Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite. - Package libhwasan_preinit.o on x86_64. - Fixed unwinding on aarch64 with pointer signing. [bsc#1206684] - Enable PRU flavour for gcc13 - update floatn fixinclude pickup to check each header separately (bsc#1206480) - Redo floatn fixinclude pick-up to simply keep what is there. - Bump libgo SONAME to libgo22. - Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers. - Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15. - Depend on at least LLVM 13 for GCN cross compiler. - Update embedded newlib to version 4.2.0 - Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build. ----------------------------------------- Patch: SUSE-2023-4215 Released: Thu Oct 26 12:19:25 2023 Summary: Security update for zlib Severity: moderate References: 1216378,CVE-2023-45853 Description: This update for zlib fixes the following issues: - CVE-2023-45853: Fixed an integer overflow that would lead to a buffer overflow in the minizip subcomponent (bsc#1216378). ----------------------------------------- Patch: SUSE-2023-4450 Released: Wed Nov 15 10:55:20 2023 Summary: Recommended update for crypto-policies Severity: moderate References: 1209998 Description: This update for crypto-policies fixes the following issues: - Enable setting the kernel FIPS mode with the fips-mode-setup and fips-finish-install commands (jsc#PED-5041) - Adapt fips-mode-setup to use the pbl command from the perl-Bootloader package instead of grubby and add a note for transactional systems - Ship the man pages for fips-mode-setup and fips-finish-install - Make the supported versions change in the update-crypto-policies(8) man page persistent (bsc#1209998) ----------------------------------------- Patch: SUSE-2023-4458 Released: Thu Nov 16 14:38:48 2023 Summary: Security update for gcc13 Severity: important References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039 Description: This update for gcc13 fixes the following issues: This update ship the GCC 13.2 compiler suite and its base libraries. The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones. The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module. The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories. To use gcc13 compilers use: - install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages. - override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages. For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html Detailed changes: * CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052) - Work around third party app crash during C++ standard library initialization. [bsc#1216664] - Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427) - Bump included newlib to version 4.3.0. - Update to GCC trunk head (r13-5254-g05b9868b182bb9) - Redo floatn fixinclude pick-up to simply keep what is there. - Turn cross compiler to s390x to a glibc cross. [bsc#1214460] - Also handle -static-pie in the default-PIE specs - Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101] - Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427] - Add new x86-related intrinsics (amxcomplexintrin.h). - RISC-V: Add support for inlining subword atomic operations - Use --enable-link-serialization rather that --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver. - Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC. - Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing. - Bump included newlib to version 4.3.0. - Also package libhwasan_preinit.o on aarch64. - Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite. - Package libhwasan_preinit.o on x86_64. - Fixed unwinding on aarch64 with pointer signing. [bsc#1206684] - Enable PRU flavour for gcc13 - update floatn fixinclude pickup to check each header separately (bsc#1206480) - Redo floatn fixinclude pick-up to simply keep what is there. - Bump libgo SONAME to libgo22. - Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers. - Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15. - Depend on at least LLVM 13 for GCN cross compiler. - Update embedded newlib to version 4.2.0 - Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build. ----------------------------------------- Patch: SUSE-2023-4509 Released: Tue Nov 21 13:36:00 2023 Summary: Recommended update for helm Severity: important References: 1217013 Description: This update for helm fixes the following issues: - Update to version 3.13.2 (bsc#1217013) - Fixes a regression when helm can't be pulled anonymously from registries. (bsc#1217013) - Allow using label selectors for system labels for sql backend. - Allow using label selectors for system labels for secrets and configmap backends. ----------------------------------------- Patch: SUSE-2023-4518 Released: Tue Nov 21 17:35:30 2023 Summary: Security update for openssl-1_1 Severity: important References: 1216922,CVE-2023-5678 Description: This update for openssl-1_1 fixes the following issues: - CVE-2023-5678: Fixed generating and checking of excessively long X9.42 DH keys that resulted in a possible Denial of Service (bsc#1216922). ----------------------------------------- Patch: SUSE-2023-4700 Released: Mon Dec 11 07:03:27 2023 Summary: Recommended update for p11-kit Severity: moderate References: Description: This update for p11-kit fixes the following issues: - Ensure that programs using can be compiled with CRYPTOKI_GNU. Fixes GnuTLS builds (jsc#PED-6705). ----------------------------------------- Patch: SUSE-2023-4891 Released: Mon Dec 18 16:31:49 2023 Summary: Security update for ncurses Severity: moderate References: 1201384,1218014,CVE-2023-50495 Description: This update for ncurses fixes the following issues: - CVE-2023-50495: Fixed a segmentation fault via _nc_wrap_entry() (bsc#1218014) - Modify reset command to avoid altering clocal if the terminal uses a modem (bsc#1201384) ----------------------------------------- Patch: SUSE-2024-549 Released: Tue Feb 20 17:05:52 2024 Summary: Security update for openssl-1_1 Severity: moderate References: 1219243,CVE-2024-0727 Description: This update for openssl-1_1 fixes the following issues: - CVE-2024-0727: Denial of service when processing a maliciously formatted PKCS12 file (bsc#1219243). ----------------------------------------- Patch: SUSE-2024-870 Released: Wed Mar 13 13:05:14 2024 Summary: Security update for glibc Severity: moderate References: 1217445,1217589,1218866 Description: This update for glibc fixes the following issues: Security issues fixed: - qsort: harden handling of degenerated / non transient compare function (bsc#1218866) Other issues fixed: - getaddrinfo: translate ENOMEM to EAI_MEMORY (bsc#1217589, BZ #31163) - aarch64: correct CFI in rawmemchr (bsc#1217445, BZ #31113) ----------------------------------------- Patch: SUSE-2024-929 Released: Tue Mar 19 06:36:24 2024 Summary: Recommended update for coreutils Severity: moderate References: 1219321 Description: This update for coreutils fixes the following issues: - tail: fix tailing sysfs files where PAGE_SIZE > BUFSIZ (bsc#1219321) ----------------------------------------- Patch: SUSE-2024-1133 Released: Mon Apr 8 11:29:02 2024 Summary: Security update for ncurses Severity: moderate References: 1220061,CVE-2023-45918 Description: This update for ncurses fixes the following issues: - CVE-2023-45918: Fixed NULL pointer dereference via corrupted xterm-256color file (bsc#1220061). ----------------------------------------- Patch: SUSE-2024-1137 Released: Mon Apr 8 11:30:49 2024 Summary: Security update for helm Severity: moderate References: 1219969,1220207,CVE-2024-25620,CVE-2024-26147 Description: This update for helm fixes the following issues: - CVE-2024-25620: Fixed with dependency management path traversal (bsc#1219969). - CVE-2024-26147: Fixed uninitialized variable in yaml parsing (bsc#1220207). ----------------------------------------- Patch: SUSE-2024-1231 Released: Thu Apr 11 15:20:40 2024 Summary: Recommended update for glibc Severity: moderate References: 1220441 Description: This update for glibc fixes the following issues: - duplocale: protect use of global locale (bsc#1220441, BZ #23970) ----------------------------------------- Patch: SUSE-2024-1253 Released: Fri Apr 12 08:15:18 2024 Summary: Recommended update for gcc13 Severity: moderate References: 1210959,1214934,1217450,1217667,1218492,1219031,1219520,1220724,1221239 Description: This update for gcc13 fixes the following issues: - Fix unwinding for JIT code. [bsc#1221239] - Revert libgccjit dependency change. [bsc#1220724] - Remove crypt and crypt_r interceptors. The crypt API change in SLE15 SP3 breaks them. [bsc#1219520] - Add support for -fmin-function-alignment. [bsc#1214934] - Use %{_target_cpu} to determine host and build. - Fix for building TVM. [bsc#1218492] - Add cross-X-newlib-devel requires to newlib cross compilers. [bsc#1219031] - Package m2rte.so plugin in the gcc13-m2 sub-package rather than in gcc13-devel. [bsc#1210959] - Require libstdc++6-devel-gcc13 from gcc13-m2 as m2 programs are linked against libstdc++6. - Fixed building mariadb on i686. [bsc#1217667] - Avoid update-alternatives dependency for accelerator crosses. - Package tool links to llvm in cross-amdgcn-gcc13 rather than in cross-amdgcn-newlib13-devel since that also has the dependence. - Depend on llvmVER instead of llvm with VER equal to %product_libs_llvm_ver where available and adjust tool discovery accordingly. This should also properly trigger re-builds when the patchlevel version of llvmVER changes, possibly changing the binary names we link to. [bsc#1217450] ----------------------------------------- Patch: SUSE-2024-1375 Released: Mon Apr 22 14:56:13 2024 Summary: Security update for glibc Severity: important References: 1222992,CVE-2024-2961 Description: This update for glibc fixes the following issues: - iconv: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence (CVE-2024-2961, bsc#1222992) ----------------------------------------- Patch: SUSE-2024-1429 Released: Wed Apr 24 15:13:10 2024 Summary: Recommended update for ca-certificates Severity: moderate References: 1188500,1221184 Description: This update for ca-certificates fixes the following issue: - Update version (bsc#1221184) * Use flock to serialize calls (bsc#1188500) * Make certbundle.run container friendly * Create /var/lib/ca-certificates if needed ----------------------------------------- Patch: SUSE-2024-1665 Released: Thu May 16 08:00:09 2024 Summary: Recommended update for coreutils Severity: moderate References: 1221632 Description: This update for coreutils fixes the following issues: - ls: avoid triggering automounts (bsc#1221632) ----------------------------------------- Patch: SUSE-2024-1808 Released: Tue May 28 22:12:38 2024 Summary: Security update for openssl-1_1 Severity: moderate References: 1222548,CVE-2024-2511 Description: This update for openssl-1_1 fixes the following issues: - CVE-2024-2511: Fixed unconstrained session cache growth in TLSv1.3 (bsc#1222548). ----------------------------------------- Patch: SUSE-2024-1895 Released: Mon Jun 3 09:00:20 2024 Summary: Security update for glibc Severity: important References: 1221940,1223423,1223424,1223425,CVE-2024-33599,CVE-2024-33600,CVE-2024-33601,CVE-2024-33602 Description: This update for glibc fixes the following issues: - CVE-2024-33599: Fixed a stack-based buffer overflow in netgroup cache in nscd (bsc#1223423) - CVE-2024-33600: Avoid null pointer crashes after notfound response in nscd (bsc#1223424) - CVE-2024-33600: Do not send missing not-found response in addgetnetgrentX in nscd (bsc#1223424) - CVE-2024-33601, CVE-2024-33602: Fixed use of two buffers in addgetnetgrentX ( bsc#1223425) - CVE-2024-33602: Use time_t for return type of addgetnetgrentX (bsc#1223425) - Avoid creating userspace live patching prologue for _start routine (bsc#1221940) ----------------------------------------- Patch: SUSE-2024-2024 Released: Thu Jun 13 16:15:18 2024 Summary: Recommended update for jitterentropy Severity: moderate References: 1209627 Description: This update for jitterentropy fixes the following issues: - Fixed a stack corruption on s390x: [bsc#1209627] * Output size of the STCKE command on s390x is 16 bytes, compared to 8 bytes of the STCK command. Fix a stack corruption in the s390x version of jent_get_nstime(). Add some more detailed information on the STCKE command. Updated to 3.4.1 * add FIPS 140 hints to man page * simplify the test tool to search for optimal configurations * fix: jent_loop_shuffle: re-add setting the time that was lost with 3.4.0 * enhancement: add ARM64 assembler code to read high-res timer ----------------------------------------- Patch: SUSE-2024-2051 Released: Tue Jun 18 09:16:01 2024 Summary: Security update for openssl-1_1 Severity: important References: 1225551,CVE-2024-4741 Description: This update for openssl-1_1 fixes the following issues: - CVE-2024-4741: Fixed a use-after-free with SSL_free_buffers. (bsc#1225551)