----------------------------------------- Version 33.45 2022-10-07T09:00:28 ----------------------------------------- Patch: SUSE-2019-571 Released: Thu Mar 7 18:13:46 2019 Summary: Security update for file Severity: moderate References: 1096974,1096984,1126117,1126118,1126119,CVE-2018-10360,CVE-2019-8905,CVE-2019-8906,CVE-2019-8907 Description: This update for file fixes the following issues: The following security vulnerabilities were addressed: - CVE-2018-10360: Fixed an out-of-bounds read in the function do_core_note in readelf.c, which allowed remote attackers to cause a denial of service (application crash) via a crafted ELF file (bsc#1096974) - CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c (bsc#1126118) - CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf. c (bsc#1126119) - CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c (bsc#1126117) ----------------------------------------- Patch: SUSE-2020-521 Released: Thu Feb 27 18:08:56 2020 Summary: Recommended update for c-ares Severity: moderate References: 1125306,1159006 Description: This update for c-ares fixes the following issues: c-ares version update to 1.15.0: * Add ares_init_options() configurability for path to resolv.conf file * Ability to exclude building of tools (adig, ahost, acountry) in CMake * Report ARES_ENOTFOUND for .onion domain names as per RFC7686 (bsc#1125306) * Apply the IPv6 server blacklist to all nameserver sources * Prevent changing name servers while queries are outstanding * ares_set_servers_csv() on failure should not leave channel in a bad state * getaddrinfo - avoid infinite loop in case of NXDOMAIN * ares_getenv - return NULL in all cases * implement ares_getaddrinfo - Fixed a regression in DNS results that contain both A and AAAA answers. - Add netcfg as the build requirement and runtime requirement. ----------------------------------------- Patch: SUSE-2020-1294 Released: Mon May 18 07:38:36 2020 Summary: Security update for file Severity: moderate References: 1154661,1169512,CVE-2019-18218 Description: This update for file fixes the following issues: Security issues fixed: - CVE-2019-18218: Fixed a heap-based buffer overflow in cdf_read_property_info() (bsc#1154661). Non-security issue fixed: - Fixed broken '--help' output (bsc#1169512). ----------------------------------------- Patch: SUSE-2020-2983 Released: Wed Oct 21 15:03:03 2020 Summary: Recommended update for file Severity: moderate References: 1176123 Description: This update for file fixes the following issues: - Fixes an issue when file displays broken 'ELF' interpreter. (bsc#1176123) ----------------------------------------- Patch: SUSE-2020-3478 Released: Mon Nov 23 09:33:17 2020 Summary: Security update for c-ares Severity: moderate References: 1178882,CVE-2020-8277 Description: This update for c-ares fixes the following issues: - Version update to 1.17.0 * CVE-2020-8277: Fixed a Denial of Service through DNS request (bsc#1178882) * For further details see https://c-ares.haxx.se/changelog.html ----------------------------------------- Patch: SUSE-2020-3533 Released: Thu Nov 26 13:50:41 2020 Summary: Recommended update for nodejs14 Severity: moderate References: Description: This update for nodejs14 fixes the following issues: NodeJS is shipped in version 14.15.0 (jsc#SLE-15774) ----------------------------------------- Patch: SUSE-2020-3616 Released: Thu Dec 3 10:56:12 2020 Summary: Recommended update for c-ares Severity: moderate References: 1178882 Description: - Fixed incomplete c-ares-devel dependencies introduced by the privous update (bsc#1178882). ----------------------------------------- Patch: SUSE-2021-61 Released: Mon Jan 11 15:01:26 2021 Summary: Security update for nodejs14 Severity: moderate References: 1178882,1180553,1180554,CVE-2020-8265,CVE-2020-8277,CVE-2020-8287 Description: This update for nodejs14 fixes the following issues: - New upstream LTS version 14.15.4: * CVE-2020-8265: use-after-free in TLSWrap (High) bug in TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits (bsc#1180553) * CVE-2020-8287: HTTP Request Smuggling allow two copies of a header field in a http request. For example, two Transfer-Encoding header fields. In this case Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling (https://cwe.mitre.org/data/definitions/444.html). (bsc#1180554) - New upstream LTS version 14.15.3: * deps: + upgrade npm to 6.14.9 + update acorn to v8.0.4 * http2: check write not scheduled in scope destructor * stream: fix regression on duplex end - New upstream LTS version 14.15.1: * deps: Denial of Service through DNS request (High). A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service by getting the application to resolve a DNS record with a larger number of responses (bsc#1178882, CVE-2020-8277) ----------------------------------------- Patch: SUSE-2021-648 Released: Fri Feb 26 16:36:18 2021 Summary: Security update for nodejs14 Severity: important References: 1182619,1182620,CVE-2021-22883,CVE-2021-22884 Description: This update for nodejs14 fixes the following issues: - New upstream LTS version 14.16.0: * CVE-2021-22883: HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion (bsc#1182619) * CVE-2021-22884: DNS rebinding in --inspect (bsc#1182620) ----------------------------------------- Patch: SUSE-2021-927 Released: Tue Mar 23 14:07:06 2021 Summary: Recommended update for libreoffice Severity: moderate References: 1041090,1049382,1116658,1136234,1155141,1173404,1173409,1173410,1173471,1174465,1176547,1177955,1178807,1178943,1178944,1179025,1179203,1181122,1181644,1181872,1182790 Description: This update for libreoffice provides the upgrade from version 6.4.5.2 to 7.1.1.2 (jsc#ECO-3150, bsc#1182790) libreoffice: - Image shown with different aspect ratio (bsc#1176547) - Text changes are reproducibly lost on PPTX with SmartArt (bsc#1181644) - Adjust to new Box2D and enable KDE on SUSE Linux Enterprise 15-SP3 or newer (jsc#ECO-3375) - Wrong bullet points in Impress (bsc#1174465) - SmartArt: text wrongly aligned, background boxes not quite right (bsc#1177955) - Update the SUSE color palette to reflect the new SUSE branding. (bsc#1181122, bsc#1173471) - SUSE Mint - SUSE Midnight Blue - SUSE Waterhole Blue - SUSE Persimmon - Fix a crash opening a PPTX. (bsc#1179025) - Fix text box from PowerPoint renders vertically instead of horizontally (bsc#1178807) - Shadow effects for table completely missing (bsc#1178944, bsc#1178943) - Disable firebird integration for the time being (bsc#1179203) - Fixes hang on Writer on scrolling/saving of a document (bsc#1136234) - Wrong rendering of bulleted lists in PPTX document (bsc#1155141) - Sidebar: paragraph widget: numeric fields become inactive/unaccessible after saving (bsc#1173404) - Crash of Writer opening any document having 'invalid' python file in home directory (bsc#1116658) libixion: Update to 0.16.1: - fixed a build issue on 32-bit linux platforms, caused by slicing of integer string ID values. - worked around floating point rounding errors which prevented two theoretically-equal numeric values from being evaluated as equal in test code. - added new function to allow printing of single formula tokens. - added method for setting cached results on formula cells in model_context. - changed the model_context design to ensure that all sheets are of the same size. - added an accessor method to formula_model_access interface (and implicitly in model_context) that directly returns a string value from cell. - added cell_access class for querying of cell states without knowing its type ahead of time. - added document class which provides a layer on top of model_context, to abstract away the handling of formula calculations. - deprecated model_context::erase_cell() in favor of empty_cell(). - added support for 3D references - references that contain multiple sheets. - added support for the exponent (^) and concatenation (&) operators. - fixed incorrect handling of range references containing whole columns such as A:A. - added support for unordered range references - range references whose start row or column is greater than their end position counterparts, such as A3:A1. - fixed a bug that prevented nested formula functions from working properly. - implemented Calc A1 style reference resolver. - formula results now directly store the string values when the results are of string type. They previously stored string ID values after interning the original strings. - Removed build-time dependency on spdlog. libmwaw: Update to 0.3.17: - add a parser for Jazz(Lotus) writer and spreasheet files. The writer parser can only be called if the file still contains its resource fork - add a parser for Canvas 3 and 3.5 files - AppleWorks parser: try to retrieve more Windows presentation - add a parser for Drawing Table files - add a parser for Canvas 2 files - API: add new reserved enums in MWAWDocument.hxx `MWAW_T_RESERVED10..MWAW_T_RESERVED29` and add a new define in libmwaw.hxx `MWAW_INTERFACE_VERSION` to check if these enums are defined - remove the QuarkXPress parser (must be in libqxp) - retrieve the annotation in MsWord 5 document - try to better understand RagTime 5-6 document libnumbertext: Update to 1.0.6 liborcus: Update to 0.16.1 - Add upstream changes to fix build with GCC 11 (bsc#1181872) libstaroffice: Update to 0.0.7: - fix `text:sender-lastname` when creating meta-data libwps: Update to 0.4.11: - XYWrite: add a parser to .fil v2 and v4 files - wks,wk1: correct some problems when retrieving cell's reference. glfw: New package provided on version 3.3.2: - See also: https://www.glfw.org/changelog.html - Sort list of input files to geany for reproducible builds (bsc#1049382, bsc#1041090) * Require pkgconfig(gl) for the devel package to supply needed include GL/gl.h * glfwFocusWindow could terminate on older WMs or without a WM * Creating an undecorated window could fail with BadMatch * Querying a disconnected monitor could segfault * Video modes with a duplicate screen area were discarded * The CMake files did not check for the XInput headers * Key names were not updated when the keyboard layout changed * Decorations could not be enabled after window creation * Content scale fallback value could be inconsistent * Disabled cursor mode was interrupted by indicator windows * Monitor physical dimensions could be reported as zero mm * Window position events were not emitted during resizing * Added on-demand loading of Vulkan and context creation API libraries * [X11] Bugfix: Window size limits were ignored if the minimum or maximum size was set to `GLFW_DONT_CARE` * [X11] Bugfix: Input focus was set before window was visible, causing BadMatch on some non-reparenting WMs * [X11] Bugfix: glfwGetWindowPos and glfwSetWindowPos operated on the window frame instead of the client area * [WGL] Added reporting of errors from `WGL_ARB_create_context` extension * [EGL] Added lib prefix matching between EGL and OpenGL ES library binaries * [EGL] Bugfix: Dynamically loaded entry points were not verified - Made build of geany-tags optional. Box2D: New package provided on version 2.4.1: * Extended distance joint to have a minimum and maximum limit. * `B2_USER_SETTINGS` and `b2_user_settings.h` can control user data, length units, and maximum polygon vertices. * Default user data is now uintptr_t instead of void* * b2FixtureDef::restitutionThreshold lets you set the restitution velocity threshold per fixture. * Collision * Chain and edge shape must now be one-sided to eliminate ghost collisions * Broad-phase optimizations * Added b2ShapeCast for linear shape casting * Dynamics * Joint limits are now predictive and not stateful * Experimental 2D cloth (rope) * b2Body::SetActive -> b2Body::SetEnabled * Better support for running multiple worlds * Handle zero density better * The body behaves like a static body * The body is drawn with a red color * Added translation limit to wheel joint * World dump now writes to box2d_dump.inl * Static bodies are never awake * All joints with spring-dampers now use stiffness and damping * Added utility functions to convert frequency and damping ratio to stiffness and damping * Polygon creation now computes the convex hull. * The convex hull code will merge vertices closer than dm_linearSlop. ----------------------------------------- Patch: SUSE-2021-2146 Released: Wed Jun 23 17:55:14 2021 Summary: Recommended update for openssh Severity: moderate References: 1115550,1174162 Description: This update for openssh fixes the following issues: - Fixed a race condition leading to a sshd termination of multichannel sessions with non-root users (bsc#1115550, bsc#1174162). ----------------------------------------- Patch: SUSE-2021-2354 Released: Thu Jul 15 15:18:52 2021 Summary: Security update for nodejs14 Severity: important References: 1184450,1187973,1187976,1187977,CVE-2020-7774,CVE-2021-22918,CVE-2021-23362,CVE-2021-27290 Description: This update for nodejs14 fixes the following issues: Update nodejs14 to 14.17.2. Including fixes for: - CVE-2021-22918: libuv upgrade - Out of bounds read (bsc#1187973) - CVE-2021-27290: ssri Regular Expression Denial of Service (bsc#1187976) - CVE-2021-23362: hosted-git-info Regular Expression Denial of Service (bsc#1187977) - CVE-2020-7774: y18n Prototype Pollution (bsc#1184450) ----------------------------------------- Patch: SUSE-2021-2555 Released: Thu Jul 29 08:29:55 2021 Summary: Security update for git Severity: moderate References: 1168930,1183026,1183580,CVE-2021-21300 Description: This update for git fixes the following issues: Update from version 2.26.2 to version 2.31.1 (jsc#SLE-18152) Security fixes: - CVE-2021-21300: On case-insensitive file systems with support for symbolic links, if Git is configured globally to apply delay-capable clean/smudge filters (such as Git LFS), Git could run remote code during a clone. (bsc#1183026) Non security changes: - Add `sysusers` file to create `git-daemon` user. - Remove `perl-base` and `openssh-server` dependency on `git-core`and provide a `perl-Git` package. (jsc#SLE-17838) - `fsmonitor` bug fixes - Fix `git bisect` to take an annotated tag as a good/bad endpoint - Fix a corner case in `git mv` on case insensitive systems - Require only `openssh-clients` where possible (like Tumbleweed or SUSE Linux Enterprise >= 15 SP3). (bsc#1183580) - Drop `rsync` requirement, not necessary anymore. - Use of `pack-redundant` command is discouraged and will trigger a warning. The replacement is `repack -d`. - The `--format=%(trailers)` mechanism gets enhanced to make it easier to design output for machine consumption. - No longer give message to choose between rebase or merge upon pull if the history `fast-forwards`. - The configuration variable `core.abbrev` can be set to `no` to force no abbreviation regardless of the hash algorithm - `git rev-parse` can be explicitly told to give output as absolute or relative path with the `--path-format=(absolute|relative)` option. - Bash completion update to make it easier for end-users to add completion for their custom `git` subcommands. - `git maintenance` learned to drive scheduled maintenance on platforms whose native scheduling methods are not 'cron'. - After expiring a reflog and making a single commit, the reflog for the branch would record a single entry that knows both `@{0}` and `@{1}`, but we failed to answer 'what commit were we on?', i.e. `@{1}` - `git bundle` learns `--stdin` option to read its refs from the standard input. Also, it now does not lose refs when they point at the same object. - `git log` learned a new `--diff-merges=` option. - `git ls-files` can and does show multiple entries when the index is unmerged, which is a source for confusion unless `-s/-u` option is in use. A new option `--deduplicate` has been introduced. - `git worktree list` now annotates worktrees as prunable, shows locked and prunable attributes in `--porcelain mode`, and gained a `--verbose` option. - `git clone` tries to locally check out the branch pointed at by HEAD of the remote repository after it is done, but the protocol did not convey the information necessary to do so when copying an empty repository. The protocol v2 learned how to do so. - There are other ways than `..` for a single token to denote a `commit range', namely `^!` and `^-`, but `git range-diff` did not understand them. - The `git range-diff` command learned `--(left|right)-only` option to show only one side of the compared range. - `git mergetool` feeds three versions (base, local and remote) of a conflicted path unmodified. The command learned to optionally prepare these files with unconflicted parts already resolved. - The `.mailmap` is documented to be read only from the root level of a working tree, but a stray file in a bare repository also was read by accident, which has been corrected. - `git maintenance` tool learned a new `pack-refs` maintenance task. - Improved error message given when a configuration variable that is expected to have a boolean value. - Signed commits and tags now allow verification of objects, whose two object names (one in SHA-1, the other in SHA-256) are both signed. - `git rev-list` command learned `--disk-usage` option. - `git diff`, `git log` `--{skip,rotate}-to=` allows the user to discard diff output for early paths or move them to the end of the output. - `git difftool` learned `--skip-to=` option to restart an interrupted session from an arbitrary path. - `git grep` has been tweaked to be limited to the sparse checkout paths. - `git rebase --[no-]fork-point` gained a configuration variable `rebase.forkPoint` so that users do not have to keep specifying a non-default setting. - `git stash` did not work well in a sparsely checked out working tree. - Newline characters in the host and path part of `git://` URL are now forbidden. - `Userdiff` updates for PHP, Rust, CSS - Avoid administrator error leading to data loss with `git push --force-with-lease[=]` by introducing `--force-if-includes` - only pull `asciidoctor` for the default ruby version - The `--committer-date-is-author-date` option of `rebase` and `am` subcommands lost the e-mail address by mistake in 2.29 - The transport protocol v2 has become the default again - `git worktree` gained a `repair` subcommand, `git init --separate-git-dir` no longer corrupts administrative data related to linked worktrees - `git maintenance` introduced for repository maintenance tasks - `fetch.writeCommitGraph` is deemed to be still a bit too risky and is no longer part of the `feature.experimental` set. - The commands in the `diff` family honors the `diff.relative` configuration variable. - `git diff-files` has been taught to say paths that are marked as `intent-to-add` are new files, not modified from an empty blob. - `git gui` now allows opening work trees from the start-up dialog. - `git bugreport` reports what shell is in use. - Some repositories have commits that record wrong committer timezone; `git fast-import` has an option to pass these timestamps intact to allow recreating existing repositories as-is. - `git describe` will always use the `long` version when giving its output based misplaced tags - `git pull` issues a warning message until the `pull.rebase` configuration variable is explicitly given ----------------------------------------- Patch: SUSE-2021-2606 Released: Wed Aug 4 13:16:09 2021 Summary: Recommended update for libcbor Severity: moderate References: 1102408 Description: This update for libcbor fixes the following issues: - Implement a fix to avoid building shared library twice. (bsc#1102408) ----------------------------------------- Patch: SUSE-2021-2760 Released: Tue Aug 17 17:11:14 2021 Summary: Security update for c-ares Severity: important References: 1188881,CVE-2021-3672 Description: This update for c-ares fixes the following issues: Version update to git snapshot 1.17.1+20200724: - CVE-2021-3672: fixed missing input validation on hostnames returned by DNS servers (bsc#1188881) - If ares_getaddrinfo() was terminated by an ares_destroy(), it would cause crash - Crash in sortaddrinfo() if the list size equals 0 due to an unexpected DNS response - Expand number of escaped characters in DNS replies as per RFC1035 5.1 to prevent spoofing - Use unbuffered /dev/urandom for random data to prevent early startup performance issues ----------------------------------------- Patch: SUSE-2021-2997 Released: Thu Sep 9 14:37:34 2021 Summary: Recommended update for python3 Severity: moderate References: 1187338,1189659 Description: This update for python3 fixes the following issues: - Fixed an issue when the missing 'stropts.h' causing build errors for different python modules. (bsc#1187338) ----------------------------------------- Patch: SUSE-2021-3022 Released: Mon Sep 13 10:48:16 2021 Summary: Recommended update for c-ares Severity: important References: 1190225 Description: This update for c-ares fixes the following issue: - Allow '_' as part of DNS response. (bsc#1190225) - 'c-ares' 1.17.2 introduced response validation to prevent a security issue, however it was not listing '_' as a valid character for domain name responses which caused issues when a 'CNAME' referenced a 'SRV' record which contained underscores. ----------------------------------------- Patch: SUSE-2021-3182 Released: Tue Sep 21 17:04:26 2021 Summary: Recommended update for file Severity: moderate References: 1189996 Description: This update for file fixes the following issues: - Fixes exception thrown by memory allocation problem (bsc#1189996) ----------------------------------------- Patch: SUSE-2021-3211 Released: Thu Sep 23 16:21:49 2021 Summary: Security update for nodejs14 Severity: important References: 1188881,1188917,1189368,1189369,1189370,CVE-2021-22930,CVE-2021-22931,CVE-2021-22939,CVE-2021-22940,CVE-2021-3672 Description: This update for nodejs14 fixes the following issues: - CVE-2021-3672: Fixed missing input validation on hostnames (bsc#1188881). - CVE-2021-22931: Fixed improper handling of untypical characters in domain names (bsc#1189370). - CVE-2021-22940: Use after free on close http2 on stream canceling (bsc#1189368) - CVE-2021-22939: Incomplete validation of rejectUnauthorized parameter (bsc#1189369) - CVE-2021-22930: Fixed use after free on close http2 on stream canceling (bsc#1188917). ----------------------------------------- Patch: SUSE-2021-3766 Released: Tue Nov 23 07:07:43 2021 Summary: Recommended update for git Severity: moderate References: 1192023 Description: This update for git fixes the following issues: - Installation of the 'git-daemon' package needs nogroup group dependency (bsc#1192023) ----------------------------------------- Patch: SUSE-2021-3950 Released: Mon Dec 6 14:59:37 2021 Summary: Security update for openssh Severity: important References: 1190975,CVE-2021-41617 Description: This update for openssh fixes the following issues: - CVE-2021-41617: Fixed privilege escalation when AuthorizedKeysCommand/AuthorizedPrincipalsCommand are configured (bsc#1190975). ----------------------------------------- Patch: SUSE-2021-3964 Released: Tue Dec 7 08:57:33 2021 Summary: Security update for nodejs14 Severity: important References: 1190053,1190054,1190055,1190056,1190057,1191601,1191602,CVE-2021-22959,CVE-2021-22960,CVE-2021-37701,CVE-2021-37712,CVE-2021-37713,CVE-2021-39134,CVE-2021-39135 Description: This update for nodejs14 fixes the following issues: nodejs14 was updated to 14.18.1: * deps: update llhttp to 2.1.4 - HTTP Request Smuggling due to spaced in headers (bsc#1191601, CVE-2021-22959) - HTTP Request Smuggling when parsing the body (bsc#1191602, CVE-2021-22960) Changes in 14.18.0: * buffer: + introduce Blob + add base64url encoding option * child_process: + allow options.cwd receive a URL + add timeout to spawn and fork + allow promisified exec to be cancel + add 'overlapped' stdio flag * dns: add 'tries' option to Resolve options * fs: + allow empty string for temp directory prefix + allow no-params fsPromises fileHandle read + add support for async iterators to fsPromises.writeFile * http2: add support for sensitive headers * process: add 'worker' event * tls: allow reading data into a static buffer * worker: add setEnvironmentData/getEnvironmentData Changes in 14.17.6 * deps: upgrade npm to 6.14.15 which fixes a number of security issues (bsc#1190057, CVE-2021-37701, bsc#1190056, CVE-2021-37712, bsc#1190055, CVE-2021-37713, bsc#1190054, CVE-2021-39134, bsc#1190053, CVE-2021-39135) ----------------------------------------- Patch: SUSE-2021-4104 Released: Thu Dec 16 11:14:12 2021 Summary: Security update for python3 Severity: moderate References: 1180125,1183374,1183858,1185588,1187668,1189241,1189287,CVE-2021-3426,CVE-2021-3733,CVE-2021-3737 Description: This update for python3 fixes the following issues: - CVE-2021-3426: Fixed information disclosure via pydoc (bsc#1183374). - CVE-2021-3733: Fixed infinitely reading potential HTTP headers after a 100 Continue status response from the server (bsc#1189241). - CVE-2021-3737: Fixed ReDoS in urllib.request (bsc#1189287). - We do not require python-rpm-macros package (bsc#1180125). - Use versioned python-Sphinx to avoid dependency on other version of Python (bsc#1183858). - Stop providing 'python' symbol, which means python2 currently (bsc#1185588). - Modify Lib/ensurepip/__init__.py to contain the same version numbers as are in reality the ones in the bundled wheels (bsc#1187668). ----------------------------------------- Patch: SUSE-2021-4153 Released: Wed Dec 22 11:00:48 2021 Summary: Security update for openssh Severity: important References: 1183137,CVE-2021-28041 Description: This update for openssh fixes the following issues: - CVE-2021-28041: Fixed double free in ssh-agent (bsc#1183137). ----------------------------------------- Patch: SUSE-2022-48 Released: Tue Jan 11 09:17:57 2022 Summary: Recommended update for python3 Severity: moderate References: 1190566,1192249,1193179 Description: This update for python3 fixes the following issues: - Don't use OpenSSL 1.1 on platforms which don't have it. - Remove shebangs from python-base libraries in '_libdir'. (bsc#1193179, bsc#1192249). - Build against 'openssl 1.1' as it is incompatible with 'openssl 3.0+' (bsc#1190566) - Fix for permission error when changing the mtime of the source file in presence of 'SOURCE_DATE_EPOCH'. ----------------------------------------- Patch: SUSE-2022-112 Released: Tue Jan 18 13:03:29 2022 Summary: Security update for nodejs14 Severity: moderate References: 1194511,1194512,1194513,1194514,CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-21824 Description: This update for nodejs14 fixes the following issues: - CVE-2021-44531: Fixed improper handling of URI Subject Alternative Names (bsc#1194511). - CVE-2021-44532: Fixed certificate Verification Bypass via String Injection (bsc#1194512). - CVE-2021-44533: Fixed incorrect handling of certificate subject and issuer fields (bsc#1194513). - CVE-2022-21824: Fixed prototype pollution via console.table properties (bsc#1194514). ----------------------------------------- Patch: SUSE-2022-227 Released: Mon Jan 31 06:05:25 2022 Summary: Recommended update for git Severity: moderate References: 1193722 Description: This update for git fixes the following issues: - update to 2.34.1 (bsc#1193722): * 'git grep' looking in a blob that has non-UTF8 payload was completely broken when linked with certain versions of PCREv2 library in the latest release. * 'git pull' with any strategy when the other side is behind us should succeed as it is a no-op, but doesn't. * An earlier change in 2.34.0 caused JGit application (that abused GIT_EDITOR mechanism when invoking 'git config') to get stuck with a SIGTTOU signal; it has been reverted. * An earlier change that broke .gitignore matching has been reverted. * SubmittingPatches document gained a syntactically incorrect mark-up, which has been corrected. - git 2.33.0: * 'git send-email' learned the '--sendmail-cmd' command line option and the 'sendemail.sendmailCmd' configuration variable, which is a more sensible approach than the current way of repurposing the 'smtp-server' that is meant to name the server to instead name the command to talk to the server. * The userdiff pattern for C# learned the token 'record'. * 'git rev-list' learns to omit the 'commit ' header lines from the output with the `--no-commit-header` option. * 'git worktree add --lock' learned to record why the worktree is locked with a custom message. * internal improvements including performance optimizations * a number of bug fixes - git 2.32.0: * '.gitattributes', '.gitignore', and '.mailmap' files that are symbolic links are ignored * 'git apply --3way' used to first attempt a straight application, and only fell back to the 3-way merge algorithm when the straight application failed. Starting with this version, the command will first try the 3-way merge algorithm and only when it fails (either resulting with conflict or the base versions of blobs are missing), falls back to the usual patch application. * 'git stash show' can now show the untracked part of the stash * Improved 'git repack' strategy * http code can now unlock a certificate with a cached password respectively. * 'git clone --reject-shallow' option fails the clone as soon as we notice that we are cloning from a shallow repository. * 'gitweb' learned 'e-mail privacy' feature * Multiple improvements to output and configuration options * Bug fixes and developer visible fixes ----------------------------------------- Patch: SUSE-2022-715 Released: Fri Mar 4 09:37:47 2022 Summary: Security update for nodejs14 Severity: important References: 1191962,1191963,1192153,1192154,1192696,CVE-2021-23343,CVE-2021-32803,CVE-2021-32804,CVE-2021-3807,CVE-2021-3918 Description: This update for nodejs14 fixes the following issues: - CVE-2021-23343: Fixed ReDoS via splitDeviceRe, splitTailRe and splitPathRe (bsc#1192153). - CVE-2021-32803: Fixed insufficient symlink protection in node-tar allowing arbitrary file creation and overwrite (bsc#1191963). - CVE-2021-32804: Fixed insufficient absolute path sanitization in node-tar allowing arbitrary file creation and overwrite (bsc#1191962). - CVE-2021-3918: Fixed improper controlled modification of object prototype attributes in json-schema (bsc#1192696). - CVE-2021-3807: Fixed regular expression denial of service (ReDoS) matching ANSI escape codes in node-ansi-regex (bsc#1192154). ----------------------------------------- Patch: SUSE-2022-789 Released: Thu Mar 10 11:22:05 2022 Summary: Recommended update for update-alternatives Severity: moderate References: 1195654 Description: This update for update-alternatives fixes the following issues: - Break bash - update-alternatives cycle rewrite of '%post' in 'lua'. (bsc#1195654) ----------------------------------------- Patch: SUSE-2022-942 Released: Thu Mar 24 10:30:15 2022 Summary: Security update for python3 Severity: moderate References: 1186819,CVE-2021-3572 Description: This update for python3 fixes the following issues: - CVE-2021-3572: Fixed an improper handling of unicode characters in pip (bsc#1186819). ----------------------------------------- Patch: SUSE-2022-1462 Released: Thu Apr 28 16:46:15 2022 Summary: Security update for nodejs14 Severity: important References: 1194819,1196877,1197283,1198247,CVE-2021-44906,CVE-2021-44907,CVE-2022-0235,CVE-2022-0778 Description: This update for nodejs14 fixes the following issues: - CVE-2022-0778: Fixed a infinite loop in BN_mod_sqrt() reachable when parsing certificates (bsc#1196877). - CVE-2021-44906: Fixed a prototype pollution in node-minimist (bsc#1198247). - CVE-2021-44907: Fixed a potential Denial of Service vulnerability in node-qs (bsc#1197283). - CVE-2022-0235: Fixed an exposure of sensitive information to an unauthorized actor in node-fetch (bsc#1194819). ----------------------------------------- Patch: SUSE-2022-1484 Released: Mon May 2 16:47:10 2022 Summary: Security update for git Severity: important References: 1181400,1198234,CVE-2022-24765 Description: This update for git fixes the following issues: - Updated to version 2.35.3: - CVE-2022-24765: Fixed a potential command injection via git worktree (bsc#1198234). ----------------------------------------- Patch: SUSE-2022-1709 Released: Tue May 17 17:35:47 2022 Summary: Recommended update for libcbor Severity: important References: 1197743 Description: This update for libcbor fixes the following issues: - Fix build errors occuring on SUSE Linux Enterprise 15 Service Pack 4 ----------------------------------------- Patch: SUSE-2022-2294 Released: Wed Jul 6 13:34:15 2022 Summary: Security update for expat Severity: important References: 1196025,1196026,1196168,1196169,1196171,1196784,CVE-2022-25235,CVE-2022-25236,CVE-2022-25313,CVE-2022-25314,CVE-2022-25315 Description: This update for expat fixes the following issues: - CVE-2022-25236: Fixed possible namespace-separator characters insertion into namespace URIs (bsc#1196025). - Fixed a regression caused by the patch for CVE-2022-25236 (bsc#1196784). - CVE-2022-25235: Fixed UTF-8 character validation in a certain context (bsc#1196026). - CVE-2022-25313: Fixed stack exhaustion in build_model() via uncontrolled recursion (bsc#1196168). - CVE-2022-25314: Fixed integer overflow in copyString (bsc#1196169). - CVE-2022-25315: Fixed integer overflow in storeRawNames (bsc#1196171). ----------------------------------------- Patch: SUSE-2022-2357 Released: Mon Jul 11 20:34:20 2022 Summary: Security update for python3 Severity: important References: 1198511,CVE-2015-20107 Description: This update for python3 fixes the following issues: - CVE-2015-20107: avoid command injection in the mailcap module (bsc#1198511). ----------------------------------------- Patch: SUSE-2022-2360 Released: Tue Jul 12 12:01:39 2022 Summary: Security update for pcre2 Severity: important References: 1199232,CVE-2022-1586 Description: This update for pcre2 fixes the following issues: - CVE-2022-1586: Fixed unicode property matching issue. (bsc#1199232) ----------------------------------------- Patch: SUSE-2022-2425 Released: Mon Jul 18 09:04:24 2022 Summary: Security update for nodejs14 Severity: important References: 1201325,1201326,1201327,1201328,CVE-2022-32212,CVE-2022-32213,CVE-2022-32214,CVE-2022-32215 Description: This update for nodejs14 fixes the following issues: - CVE-2022-32212: Fixed DNS rebinding in --inspect via invalid IP addresses (bsc#1201328). - CVE-2022-32213: Fixed HTTP request smuggling due to flawed parsing of Transfer-Encoding (bsc#1201325). - CVE-2022-32214: Fixed HTTP request smuggling due to improper delimiting of header fields (bsc#1201326). - CVE-2022-32215: Fixed HTTP request smuggling due to incorrect parsing of multi-line Transfer-Encoding (bsc#1201327). ----------------------------------------- Patch: SUSE-2022-2550 Released: Tue Jul 26 14:00:21 2022 Summary: Security update for git Severity: important References: 1201431,CVE-2022-29187 Description: This update for git fixes the following issues: - CVE-2022-29187: Incomplete fix for CVE-2022-24765: potential command injection via git worktree (bsc#1201431). ----------------------------------------- Patch: SUSE-2022-2566 Released: Wed Jul 27 15:04:49 2022 Summary: Security update for pcre2 Severity: important References: 1199235,CVE-2022-1587 Description: This update for pcre2 fixes the following issues: - CVE-2022-1587: Fixed out-of-bounds read due to bug in recursions (bsc#1199235). ----------------------------------------- Patch: SUSE-2022-3142 Released: Wed Sep 7 09:54:18 2022 Summary: Security update for icu Severity: moderate References: 1193951,CVE-2020-21913 Description: This update for icu fixes the following issues: - CVE-2020-21913: Fixed a memory safetey issue that could lead to use after free (bsc#1193951). ----------------------------------------- Patch: SUSE-2022-3489 Released: Sat Oct 1 13:35:24 2022 Summary: Security update for expat Severity: important References: 1203438,CVE-2022-40674 Description: This update for expat fixes the following issues: - CVE-2022-40674: Fixed use-after-free in the doContent function in xmlparse.c (bsc#1203438). ----------------------------------------- Patch: SUSE-2022-3544 Released: Thu Oct 6 13:48:42 2022 Summary: Security update for python3 Severity: important References: 1202624,CVE-2021-28861 Description: This update for python3 fixes the following issues: - CVE-2021-28861: Fixed an open redirection vulnerability in the HTTP server when an URI path starts with // (bsc#1202624).