----------------------------------------- Version 31.7 2022-10-12T09:00:23 ----------------------------------------- Patch: SUSE-2018-1462 Released: Tue Jul 31 14:04:41 2018 Summary: Security update for java-11-openjdk Severity: moderate References: 1101645,1101651,1101655,1101656,CVE-2018-2940,CVE-2018-2952,CVE-2018-2972,CVE-2018-2973 Description: This java-11-openjdk update to version jdk-11+24 fixes the following issues: Security issues fixed: - CVE-2018-2940: Fix unspecified vulnerability in subcomponent Libraries (bsc#1101645). - CVE-2018-2952: Fix unspecified vulnerability in subcomponent Concurrency (bsc#1101651). - CVE-2018-2972: Fix unspecified vulnerability in subcomponent Security (bsc#1101655). - CVE-2018-2973: Fix unspecified vulnerability in subcomponent JSSE (bsc#1101656). ----------------------------------------- Patch: SUSE-2018-2082 Released: Sun Sep 30 14:06:27 2018 Summary: Security update for libX11 Severity: moderate References: 1102062,1102068,1102073,CVE-2018-14598,CVE-2018-14599,CVE-2018-14600 Description: This update for libX11 fixes the following security issues: - CVE-2018-14599: The function XListExtensions was vulnerable to an off-by-one error caused by malicious server responses, leading to DoS or possibly unspecified other impact (bsc#1102062) - CVE-2018-14600: The function XListExtensions interpreted a variable as signed instead of unsigned, resulting in an out-of-bounds write (of up to 128 bytes), leading to DoS or remote code execution (bsc#1102068) - CVE-2018-14598: A malicious server could have sent a reply in which the first string overflows, causing a variable to be set to NULL that will be freed later on, leading to DoS (segmentation fault) (bsc#1102073) ----------------------------------------- Patch: SUSE-2018-2298 Released: Wed Oct 17 17:02:57 2018 Summary: Recommended update for java-11-openjdk Severity: moderate References: 1111162,1112142,1112143,1112144,1112145,1112146,1112147,1112148,1112149,CVE-2018-3136,CVE-2018-3139,CVE-2018-3149,CVE-2018-3150,CVE-2018-3157,CVE-2018-3169,CVE-2018-3180,CVE-2018-3183 Description: This update for java-11-openjdk fixes the following issues: Update to upstream tag jdk-11.0.1+13 (Oracle October 2018 CPU) Security fixes: - S8202936, CVE-2018-3183, bsc#1112148: Improve script engine support - S8199226, CVE-2018-3169, bsc#1112146: Improve field accesses - S8199177, CVE-2018-3149, bsc#1112144: Enhance JNDI lookups - S8202613, CVE-2018-3180, bsc#1112147: Improve TLS connections stability - S8208209, CVE-2018-3180, bsc#1112147: Improve TLS connection stability again - S8199172, CVE-2018-3150, bsc#1112145: Improve jar attribute checks - S8200648, CVE-2018-3157, bsc#1112149: Make midi code more sound - S8194534, CVE-2018-3136, bsc#1112142: Manifest better support - S8208754, CVE-2018-3136, bsc#1112142: The fix for JDK-8194534 needs updates - S8196902, CVE-2018-3139, bsc#1112143: Better HTTP Redirection Security-In-Depth fixes: - S8194546: Choosier FileManagers - S8195874: Improve jar specification adherence - S8196897: Improve PRNG support - S8197881: Better StringBuilder support - S8201756: Improve cipher inputs - S8203654: Improve cypher state updates - S8204497: Better formatting of decimals - S8200666: Improve LDAP support - S8199110: Address Internet Addresses Update to upstream tag jdk-11+28 (OpenJDK 11 rc1) - S8207317: SSLEngine negotiation fail exception behavior changed from fail-fast to fail-lazy - S8207838: AArch64: Float registers incorrectly restored in JNI call - S8209637: [s390x] Interpreter doesn't call result handler after native calls - S8209670: CompilerThread releasing code buffer in destructor is unsafe - S8209735: Disable avx512 by default - S8209806: API docs should be updated to refer to javase11 - Report version without the '-internal' postfix - Don't build against gdk making the accessibility depend on a particular version of gtk. Update to upstream tag jdk-11+27 - S8031761: [TESTBUG] Add a regression test for JDK-8026328 - S8151259: [TESTBUG] nsk/jvmti/RedefineClasses/redefclass030 fails with 'unexpected values of outer fields of the class' when running with -Xcomp - S8164639: Configure PKCS11 tests to use user-supplied NSS libraries - S8189667: Desktop#moveToTrash expects incorrect '<>' FilePermission - S8194949: [Graal] gc/TestNUMAPageSize.java fail with OOM in -Xcomp - S8195156: [Graal] serviceability/jvmti/GetModulesInfo/ /JvmtiGetAllModulesTest.java fails with Graal in Xcomp mode - S8199081: [Testbug] compiler/linkage/LinkageErrors.java fails if run twice - S8201394: Update java.se module summary to reflect removal of java.se.ee module - S8204931: Colors with alpha are painted incorrectly on Linux - S8204966: [TESTBUG] hotspot/test/compiler/whitebox/ /IsMethodCompilableTest.java test fails with -XX:CompileThreshold=1 - S8205608: Fix 'frames()' in ThreadReferenceImpl.c to prevent quadratic runtime behavior - S8205687: TimeoutHandler generates huge core files - S8206176: Remove the temporary tls13VN field - S8206258: [Test Error] sun/security/pkcs11 tests fail if NSS libs not found - S8206965: java/util/TimeZone/Bug8149452.java failed on de_DE and ja_JP locale. - S8207009: TLS 1.3 half-close and synchronization issues - S8207046: arm32 vm crash: C1 arm32 platform functions parameters type mismatch - S8207139: NMT is not enabled on Windows 2016/10 - S8207237: SSLSocket#setEnabledCipherSuites is accepting empty string - S8207355: C1 compilation hangs in ComputeLinearScanOrder::compute_dominator - S8207746: C2: Lucene crashes on AVX512 instruction - S8207765: HeapMonitorTest.java intermittent failure - S8207944: java.lang.ClassFormatError: Extra bytes at the end of class file test' possibly violation of JVMS 4.7.1 - S8207948: JDK 11 L10n resource file update msg drop 10 - S8207966: HttpClient response without content-length does not return body - S8208125: Cannot input text into JOptionPane Text Input Dialog - S8208164: (str) improve specification of String::lines - S8208166: Still unable to use custom SSLEngine with default TrustManagerFactory after JDK-8207029 - S8208189: ProblemList compiler/graalunit/JttThreadsTest.java - S8208205: ProblemList tests that fail due to 'Error attaching to process: Can't create thread_db agent!' - S8208226: ProblemList com/sun/jdi/BasicJDWPConnectionTest.java - S8208251: serviceability/jvmti/HeapMonitor/MyPackage/ /HeapMonitorGCCMSTest.java fails intermittently on Linux-X64 - S8208305: ProblemList compiler/jvmci/compilerToVM/GetFlagValueTest.java - S8208347: ProblemList compiler/cpuflags/TestAESIntrinsicsOnSupportedConfig.java - S8208353: Upgrade JDK 11 to libpng 1.6.35 - S8208358: update bug ids mentioned in tests - S8208370: fix typo in ReservedStack tests' @requires - S8208391: Differentiate response and connect timeouts in HTTP Client API - S8208466: Fix potential memory leak in harfbuzz shaping. - S8208496: New Test to verify concurrent behavior of TLS. - S8208521: ProblemList more tests that fail due to 'Error attaching to process: Can't create thread_db agent!' - S8208640: [a11y] [macos] Unable to navigate between Radiobuttons in Radio group using keyboard. - S8208663: JDK 11 L10n resource file update msg drop 20 - S8208676: Missing NULL check and resource leak in NetworkPerformanceInterface::NetworkPerformance::network_utilization - S8208691: Tighten up jdk.includeInExceptions security property - S8209011: [TESTBUG] AArch64: sun/security/pkcs11/Secmod/ /TestNssDbSqlite.java fails in aarch64 platforms - S8209029: ProblemList tests that fail due to 'Error attaching to process: Can't create thread_db agent!' in jdk-11+25 testing - S8209149: [TESTBUG] runtime/RedefineTests/ /RedefineRunningMethods.java needs a longer timeout - S8209451: Please change jdk 11 milestone to FCS - S8209452: VerifyCACerts.java failed with 'At least one cacert test failed' - S8209506: Add Google Trust Services GlobalSign root certificates - S8209537: Two security tests failed after JDK-8164639 due to dependency was missed ----------------------------------------- Patch: SUSE-2018-2307 Released: Thu Oct 18 14:42:54 2018 Summary: Recommended update for libxcb Severity: moderate References: 1101560 Description: This update for libxcb provides the following fix: - Fix some IO errors when using KWin in combination with the NVIDIA driver. (bsc#1101560) ----------------------------------------- Patch: SUSE-2018-2625 Released: Mon Nov 12 08:58:25 2018 Summary: Recommended update for java-11-openjdk Severity: moderate References: 1113734 Description: This update for java-11-openjdk fixes the following issues: Merge into the JDK following modules from github.com/javaee: * com.sum.xml.fastinfoset * org.jvnet.staxex * com.sun.istack.runtime * com.sun.xml.txw2 * com.sun.xml.bind This provides a default implementation of JAXB-API that existed in JDK before Java 11 and that some applications depend on. ----------------------------------------- Patch: SUSE-2018-3044 Released: Fri Dec 21 18:47:21 2018 Summary: Security update for MozillaFirefox, mozilla-nspr and mozilla-nss Severity: important References: 1097410,1106873,1119069,1119105,CVE-2018-0495,CVE-2018-12384,CVE-2018-12404,CVE-2018-12405,CVE-2018-17466,CVE-2018-18492,CVE-2018-18493,CVE-2018-18494,CVE-2018-18498 Description: This update for MozillaFirefox, mozilla-nss and mozilla-nspr fixes the following issues: Issues fixed in MozillaFirefox: - Update to Firefox ESR 60.4 (bsc#1119105) - CVE-2018-17466: Fixed a buffer overflow and out-of-bounds read in ANGLE library with TextureStorage11 - CVE-2018-18492: Fixed a use-after-free with select element - CVE-2018-18493: Fixed a buffer overflow in accelerated 2D canvas with Skia - CVE-2018-18494: Fixed a Same-origin policy violation using location attribute and performance.getEntries to steal cross-origin URLs - CVE-2018-18498: Fixed a integer overflow when calculating buffer sizes for images - CVE-2018-12405: Fixed a few memory safety bugs Issues fixed in mozilla-nss: - Update to NSS 3.40.1 (bsc#1119105) - CVE-2018-12404: Fixed a cache side-channel variant of the Bleichenbacher attack (bsc#1119069) - CVE-2018-12384: Fixed an issue in the SSL handshake. NSS responded to an SSLv2-compatible ClientHello with a ServerHello that had an all-zero random. (bsc#1106873) - CVE-2018-0495: Fixed a memory-cache side-channel attack with ECDSA signatures (bsc#1097410) - Fixed a decryption failure during FFDHE key exchange - Various security fixes in the ASN.1 code Issues fixed in mozilla-nspr: - Update mozilla-nspr to 4.20 (bsc#1119105) ----------------------------------------- Patch: SUSE-2019-221 Released: Fri Feb 1 15:20:56 2019 Summary: Security update for java-11-openjdk Severity: important References: 1120431,1122293,1122299,CVE-2018-11212,CVE-2019-2422,CVE-2019-2426 Description: This update for java-11-openjdk to version 11.0.2+7 fixes the following issues: Security issues fixed: - CVE-2019-2422: Better FileChannel transfer performance (bsc#1122293) - CVE-2019-2426: Improve web server connections - CVE-2018-11212: Improve JPEG processing (bsc#1122299) - Better route routing - Better interface enumeration - Better interface lists - Improve BigDecimal support - Improve robot support - Better icon support - Choose printer defaults - Proper allocation handling - Initial class initialization - More reliable p11 transactions - Improve NIO stability - Better loading of classloader classes - Strengthen Windows Access Bridge Support - Improved data set handling - Improved LSA authentication - Libsunmscapi improved interactions Non-security issues fix: - Do not resolve by default the added JavaEE modules (bsc#1120431) - ~2.5% regression on compression benchmark starting with 12-b11 - java.net.http.HttpClient hangs on 204 reply without Content-length 0 - Add additional TeliaSonera root certificate - Add more ld preloading related info to hs_error file on Linux - Add test to exercise server-side client hello processing - AES encrypt performance regression in jdk11b11 - AIX: ProcessBuilder: Piping between created processes does not work. - AIX: Some class library files are missing the Classpath exception - AppCDS crashes for some uses with JRuby - Automate vtable/itable stub size calculation - BarrierSetC1::generate_referent_check() confuses register allocator - Better HTTP Redirection - Catastrophic size_t underflow in BitMap::*_large methods - Clip.isRunning() may return true after Clip.stop() was called - Compiler thread creation should be bounded by available space in memory and Code Cache - com.sun.net.httpserver.HttpServer returns Content-length header for 204 response code - Default mask register for avx512 instructions - Delayed starting of debugging via jcmd - Disable all DES cipher suites - Disable anon and NULL cipher suites - Disable unsupported GCs for Zero - Epsilon alignment adjustments can overflow max TLAB size - Epsilon elastic TLAB sizing may cause misalignment - HotSpot update for vm_version.cpp to recognise updated VS2017 - HttpClient does not retrieve files with large sizes over HTTP/1.1 - IIOException 'tEXt chunk length is not proper' on opening png file - Improve TLS connection stability again - InitialDirContext ctor sometimes throws NPE if the server has sent a disconnection - Inspect stack during error reporting - Instead of circle rendered in appl window, but ellipse is produced JEditor Pane - Introduce diagnostic flag to abort VM on failed JIT compilation - Invalid assert(HeapBaseMinAddress > 0) in ReservedHeapSpace::initialize_compressed_heap - jar has issues with UNC-path arguments for the jar -C parameter [windows] - java.net.http HTTP client should allow specifying Origin and Referer headers - java.nio.file.Files.writeString writes garbled UTF-16 instead of UTF-8 - JDK 11.0.1 l10n resource file update - JDWP Transport Listener: dt_socket thread crash - JVMTI ResourceExhausted should not be posted in CompilerThread - LDAPS communication failure with jdk 1.8.0_181 - linux: Poor StrictMath performance due to non-optimized compilation - Missing synchronization when reading counters for live threads and peak thread count - NPE in SupportedGroupsExtension - OpenDataException thrown when constructing CompositeData for StackTraceElement - Parent class loader may not have a referred ClassLoaderData instance when obtained in Klass::class_in_module_of_loader - Populate handlers while holding streamHandlerLock - ppc64: Enable POWER9 CPU detection - print_location is not reliable enough (printing register info) - Reconsider default option for ClassPathURLCheck change done in JDK-8195874 - Register to register spill may use AVX 512 move instruction on unsupported platform. - s390: Use of shift operators not covered by cpp standard - serviceability/sa/TestUniverse.java#id0 intermittently fails with assert(get_instanceKlass()->is_loaded()) failed: must be at least loaded - SIGBUS in CodeHeapState::print_names() - SIGSEGV in MethodArityHistogram() with -XX:+CountCompiledCalls - Soft reference reclamation race in com.sun.xml.internal.stream.util.ThreadLocalBufferAllocator - Swing apps are slow if displaying from a remote source to many local displays - switch jtreg to 4.2b13 - Test library OSInfo.getSolarisVersion cannot determine Solaris version - TestOptionsWithRanges.java is very slow - TestOptionsWithRanges.java of '-XX:TLABSize=2147483648' fails intermittently - The Japanese message of FileNotFoundException garbled - The 'supported_groups' extension in ServerHellos - ThreadInfoCompositeData.toCompositeData fails to map ThreadInfo to CompositeData - TimeZone.getDisplayName given Locale.US doesn't always honor the Locale. - TLS 1.2 Support algorithm in SunPKCS11 provider - TLS 1.3 handshake server name indication is missing on a session resume - TLS 1.3 server fails if ClientHello doesn't have pre_shared_key and psk_key_exchange_modes - TLS 1.3 interop problems with OpenSSL 1.1.1 when used on the client side with mutual auth - tz: Upgrade time-zone data to tzdata2018g - Undefined behaviour in ADLC - Update avx512 implementation - URLStreamHandler initialization race - UseCompressedOops requirement check fails fails on 32-bit system - windows: Update OS detection code to recognize Windows Server 2019 - x86: assert on unbound assembler Labels used as branch targets - x86: jck tests for ldc2_w bytecode fail - x86: sharedRuntimeTrig/sharedRuntimeTrans compiled without optimization - '-XX:OnOutOfMemoryError' uses fork instead of vfork ----------------------------------------- Patch: SUSE-2019-571 Released: Thu Mar 7 18:13:46 2019 Summary: Security update for file Severity: moderate References: 1096974,1096984,1126117,1126118,1126119,CVE-2018-10360,CVE-2019-8905,CVE-2019-8906,CVE-2019-8907 Description: This update for file fixes the following issues: The following security vulnerabilities were addressed: - CVE-2018-10360: Fixed an out-of-bounds read in the function do_core_note in readelf.c, which allowed remote attackers to cause a denial of service (application crash) via a crafted ELF file (bsc#1096974) - CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c (bsc#1126118) - CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf. c (bsc#1126119) - CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c (bsc#1126117) ----------------------------------------- Patch: SUSE-2019-1052 Released: Fri Apr 26 14:33:42 2019 Summary: Security update for java-11-openjdk Severity: moderate References: 1132728,1132732,CVE-2019-2602,CVE-2019-2684 Description: This update for java-11-openjdk to version 11.0.3+7 fixes the following issues: Security issues fixed: - CVE-2019-2602: Fixed excessive use of CPU time in the BigDecimal implementation (bsc#1132728). - CVE-2019-2684: Fixed a flaw in the RMI registry implementation which could lead to selection of an incorrect skeleton class (bsc#1132732). Non-security issues fixed: - Multiple bug fixes and improvements. ----------------------------------------- Patch: SUSE-2019-1152 Released: Fri May 3 18:06:09 2019 Summary: Recommended update for java-11-openjdk Severity: moderate References: 1131378 Description: This update for java-11-openjdk fixes the following issues: - Require update-ca-certificates by the headless subpackage (bsc#1131378) - Removed a font rendering patch with broke related to other font changes. ----------------------------------------- Patch: SUSE-2019-1398 Released: Fri May 31 12:54:22 2019 Summary: Security update for libpng16 Severity: low References: 1100687,1121624,1124211,CVE-2018-13785,CVE-2019-7317 Description: This update for libpng16 fixes the following issues: Security issues fixed: - CVE-2019-7317: Fixed a use-after-free vulnerability, triggered when png_image_free() was called under png_safe_execute (bsc#1124211). - CVE-2018-13785: Fixed a wrong calculation of row_factor in the png_check_chunk_length function in pngrutil.c, which could haved triggered and integer overflow and result in an divide-by-zero while processing a crafted PNG file, leading to a denial of service (bsc#1100687) ----------------------------------------- Patch: SUSE-2019-1807 Released: Wed Jul 10 13:13:21 2019 Summary: Recommended update for java-11-openjdk Severity: moderate References: 1137264 Description: This update ships the OpenJDK LTS version 11 in the java-11-openjdk packages. (FATE#326347 bsc#1137264) ----------------------------------------- Patch: SUSE-2019-2002 Released: Mon Jul 29 13:00:27 2019 Summary: Security update for java-11-openjdk Severity: important References: 1115375,1140461,1141780,1141781,1141782,1141783,1141784,1141785,1141787,1141788,1141789,CVE-2019-2745,CVE-2019-2762,CVE-2019-2766,CVE-2019-2769,CVE-2019-2786,CVE-2019-2816,CVE-2019-2818,CVE-2019-2821,CVE-2019-7317 Description: This update for java-11-openjdk to version jdk-11.0.4+11 fixes the following issues: Security issues fixed: - CVE-2019-2745: Improved ECC Implementation (bsc#1141784). - CVE-2019-2762: Exceptional throw cases (bsc#1141782). - CVE-2019-2766: Improve file protocol handling (bsc#1141789). - CVE-2019-2769: Better copies of CopiesList (bsc#1141783). - CVE-2019-2786: More limited privilege usage (bsc#1141787). - CVE-2019-7317: Improve PNG support options (bsc#1141780). - CVE-2019-2818: Better Poly1305 support (bsc#1141788). - CVE-2019-2816: Normalize normalization (bsc#1141785). - CVE-2019-2821: Improve TLS negotiation (bsc#1141781). - Certificate validation improvements Non-security issues fixed: - Do not fail installation when the manpages are not present (bsc#1115375) - Backport upstream fix for JDK-8208602: Cannot read PEM X.509 cert if there is whitespace after the header or footer (bsc#1140461) ----------------------------------------- Patch: SUSE-2019-2142 Released: Wed Aug 14 18:14:04 2019 Summary: Recommended update for mozilla-nspr, mozilla-nss Severity: moderate References: 1141322 Description: This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nss was updated to NSS 3.45 (bsc#1141322) : * New function in pk11pub.h: PK11_FindRawCertsWithSubject * The following CA certificates were Removed: CN = Certinomis - Root CA (bmo#1552374) * Implement Delegated Credentials (draft-ietf-tls-subcerts) (bmo#1540403) This adds a new experimental function SSL_DelegateCredential Note: In 3.45, selfserv does not yet support delegated credentials (See bmo#1548360). Note: In 3.45 the SSLChannelInfo is left unmodified, while an upcoming change in 3.46 will set SSLChannelInfo.authKeyBits to that of the delegated credential for better policy enforcement (See bmo#1563078). * Replace ARM32 Curve25519 implementation with one from fiat-crypto (bmo#1550579) * Expose a function PK11_FindRawCertsWithSubject for finding certificates with a given subject on a given slot (bmo#1552262) * Add IPSEC IKE support to softoken (bmo#1546229) * Add support for the Elbrus lcc compiler (<=1.23) (bmo#1554616) * Expose an external clock for SSL (bmo#1543874) This adds new experimental functions: SSL_SetTimeFunc, SSL_CreateAntiReplayContext, SSL_SetAntiReplayContext, and SSL_ReleaseAntiReplayContext. The experimental function SSL_InitAntiReplay is removed. * Various changes in response to the ongoing FIPS review (bmo#1546477) Note: The source package size has increased substantially due to the new FIPS test vectors. This will likely prompt follow-on work, but please accept our apologies in the meantime. mozilla-nspr was updated to version 4.21 * Changed prbit.h to use builtin function on aarch64. * Removed Gonk/B2G references. ----------------------------------------- Patch: SUSE-2019-2998 Released: Mon Nov 18 15:17:23 2019 Summary: Security update for java-11-openjdk Severity: important References: 1152856,1154212,CVE-2019-2894,CVE-2019-2933,CVE-2019-2945,CVE-2019-2949,CVE-2019-2958,CVE-2019-2962,CVE-2019-2964,CVE-2019-2973,CVE-2019-2975,CVE-2019-2977,CVE-2019-2978,CVE-2019-2981,CVE-2019-2983,CVE-2019-2987,CVE-2019-2988,CVE-2019-2989,CVE-2019-2992,CVE-2019-2999 Description: This update for java-11-openjdk to version jdk-11.0.5-10 fixes the following issues: Security issues fixed (October 2019 CPU bsc#1154212): - CVE-2019-2933: Windows file handling redux - CVE-2019-2945: Better socket support - CVE-2019-2949: Better Kerberos ccache handling - CVE-2019-2958: Build Better Processes - CVE-2019-2964: Better support for patterns - CVE-2019-2962: Better Glyph Images - CVE-2019-2973: Better pattern compilation - CVE-2019-2975: Unexpected exception in jjs - CVE-2019-2978: Improved handling of jar files - CVE-2019-2977: Improve String index handling - CVE-2019-2981: Better Path supports - CVE-2019-2983: Better serial attributes - CVE-2019-2987: Better rendering of native glyphs - CVE-2019-2988: Better Graphics2D drawing - CVE-2019-2989: Improve TLS connection support - CVE-2019-2992: Enhance font glyph mapping - CVE-2019-2999: Commentary on Javadoc comments - CVE-2019-2894: Enhance ECDSA operations (bsc#1152856). ----------------------------------------- Patch: SUSE-2019-3395 Released: Mon Dec 30 14:05:06 2019 Summary: Security update for mozilla-nspr, mozilla-nss Severity: moderate References: 1141322,1158527,1159819,CVE-2018-18508,CVE-2019-11745,CVE-2019-17006 Description: This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nss was updated to NSS 3.47.1: Security issues fixed: - CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819). - CVE-2019-11745: EncryptUpdate should use maxout, not block size (bsc#1158527). - CVE-2019-11727: Fixed vulnerability sign CertificateVerify with PKCS#1 v1.5 signatures issue (bsc#1141322). mozilla-nspr was updated to version 4.23: - Whitespace in C files was cleaned up and no longer uses tab characters for indenting. ----------------------------------------- Patch: SUSE-2020-213 Released: Wed Jan 22 15:38:15 2020 Summary: Security update for java-11-openjdk Severity: important References: 1160968,CVE-2020-2583,CVE-2020-2590,CVE-2020-2593,CVE-2020-2601,CVE-2020-2604,CVE-2020-2654,CVE-2020-2655 Description: This update for java-11-openjdk fixes the following issues: Update to version jdk-11.0.6-10 (January 2020 CPU, bsc#1160968) Fixing these security related issues: - CVE-2020-2583: Unlink Set of LinkedHashSets - CVE-2020-2590: Improve Kerberos interop capabilities - CVE-2020-2593: Normalize normalization for all - CVE-2020-2601: Better Ticket Granting Services - CVE-2020-2604: Better serial filter handling - CVE-2020-2655: Better TLS messaging support - CVE-2020-2654: Improve Object Identifier Processing ----------------------------------------- Patch: SUSE-2020-362 Released: Fri Feb 7 11:14:20 2020 Summary: Recommended update for libXi Severity: moderate References: 1153311 Description: This update for libXi fixes the following issue: - The libXi6-32bit library on x86_64 are now shipped in the Basesystem module. (bsc#1153311) ----------------------------------------- Patch: SUSE-2020-1294 Released: Mon May 18 07:38:36 2020 Summary: Security update for file Severity: moderate References: 1154661,1169512,CVE-2019-18218 Description: This update for file fixes the following issues: Security issues fixed: - CVE-2019-18218: Fixed a heap-based buffer overflow in cdf_read_property_info() (bsc#1154661). Non-security issue fixed: - Fixed broken '--help' output (bsc#1169512). ----------------------------------------- Patch: SUSE-2020-1353 Released: Wed May 20 13:02:32 2020 Summary: Security update for freetype2 Severity: moderate References: 1079603,1091109,CVE-2018-6942 Description: This update for freetype2 to version 2.10.1 fixes the following issues: Security issue fixed: - CVE-2018-6942: Fixed a NULL pointer dereference within ttinerp.c (bsc#1079603). Non-security issues fixed: - Update to version 2.10.1 * The bytecode hinting of OpenType variation fonts was flawed, since the data in the `CVAR' table wasn't correctly applied. * Auto-hinter support for Mongolian. * The handling of the default character in PCF fonts as introduced in version 2.10.0 was partially broken, causing premature abortion of charmap iteration for many fonts. * If `FT_Set_Named_Instance' was called with the same arguments twice in a row, the function returned an incorrect error code the second time. * Direct rendering using FT_RASTER_FLAG_DIRECT crashed (bug introduced in version 2.10.0). * Increased precision while computing OpenType font variation instances. * The flattening algorithm of cubic Bezier curves was slightly changed to make it faster. This can cause very subtle rendering changes, which aren't noticeable by the eye, however. * The auto-hinter now disables hinting if there are blue zones defined for a `style' (i.e., a certain combination of a script and its related typographic features) but the font doesn't contain any characters needed to set up at least one blue zone. - Add tarball signatures and freetype2.keyring - Update to version 2.10.0 * A bunch of new functions has been added to access and process COLR/CPAL data of OpenType fonts with color-layered glyphs. * As a GSoC 2018 project, Nikhil Ramakrishnan completely overhauled and modernized the API reference. * The logic for computing the global ascender, descender, and height of OpenType fonts has been slightly adjusted for consistency. * `TT_Set_MM_Blend' could fail if called repeatedly with the same arguments. * The precision of handling deltas in Variation Fonts has been increased.The problem did only show up with multidimensional designspaces. * New function `FT_Library_SetLcdGeometry' to set up the geometry of LCD subpixels. * FreeType now uses the `defaultChar' property of PCF fonts to set the glyph for the undefined character at glyph index 0 (as FreeType already does for all other supported font formats). As a consequence, the order of glyphs of a PCF font if accessed with FreeType can be different now compared to previous versions. This change doesn't affect PCF font access with cmaps. * `FT_Select_Charmap' has been changed to allow parameter value `FT_ENCODING_NONE', which is valid for BDF, PCF, and Windows FNT formats to access built-in cmaps that don't have a predefined `FT_Encoding' value. * A previously reserved field in the `FT_GlyphSlotRec' structure now holds the glyph index. * The usual round of fuzzer bug fixes to better reject malformed fonts. * `FT_Outline_New_Internal' and `FT_Outline_Done_Internal' have been removed.These two functions were public by oversight only and were never documented. * A new function `FT_Error_String' returns descriptions of error codes if configuration macro FT_CONFIG_OPTION_ERROR_STRINGS is defined. * `FT_Set_MM_WeightVector' and `FT_Get_MM_WeightVector' are new functions limited to Adobe MultiMaster fonts to directly set and get the weight vector. - Enable subpixel rendering with infinality config: - Re-enable freetype-config, there is just too many fallouts. - Update to version 2.9.1 * Type 1 fonts containing flex features were not rendered correctly (bug introduced in version 2.9). * CVE-2018-6942: Older FreeType versions can crash with certain malformed variation fonts. * Bug fix: Multiple calls to `FT_Get_MM_Var' returned garbage. * Emboldening of bitmaps didn't work correctly sometimes, showing various artifacts (bug introduced in version 2.8.1). * The auto-hinter script ranges have been updated for Unicode 11. No support for new scripts have been added, however, with the exception of Georgian Mtavruli. - freetype-config is now deprecated by upstream and not enabled by default. - Update to version 2.10.1 * The `ftmulti' demo program now supports multiple hidden axes with the same name tag. * `ftview', `ftstring', and `ftgrid' got a `-k' command line option to emulate a sequence of keystrokes at start-up. * `ftview', `ftstring', and `ftgrid' now support screen dumping to a PNG file. * The bytecode debugger, `ttdebug', now supports variation TrueType fonts; a variation font instance can be selected with the new `-d' command line option. - Add tarball signatures and freetype2.keyring - Update to version 2.10.0 * The `ftdump' demo program has new options `-c' and `-C' to display charmaps in compact and detailed format, respectively. Option `-V' has been removed. * The `ftview', `ftstring', and `ftgrid' demo programs use a new command line option `-d' to specify the program window's width, height, and color depth. * The `ftview' demo program now displays red boxes for zero-width glyphs. * `ftglyph' has limited support to display fonts with color-layered glyphs.This will be improved later on. * `ftgrid' can now display bitmap fonts also. * The `ttdebug' demo program has a new option `-f' to select a member of a TrueType collection (TTC). * Other various improvements to the demo programs. - Remove 'Supplements: fonts-config' to avoid accidentally pulling in Qt dependencies on some non-Qt based desktops.(bsc#1091109) fonts-config is fundamental but ft2demos seldom installs by end users. only fonts-config maintainers/debuggers may use ft2demos along to debug some issues. - Update to version 2.9.1 * No changelog upstream. ----------------------------------------- Patch: SUSE-2020-1511 Released: Fri May 29 18:03:39 2020 Summary: Security update for java-11-openjdk Severity: important References: 1167462,1169511,CVE-2020-2754,CVE-2020-2755,CVE-2020-2756,CVE-2020-2757,CVE-2020-2767,CVE-2020-2773,CVE-2020-2778,CVE-2020-2781,CVE-2020-2800,CVE-2020-2803,CVE-2020-2805,CVE-2020-2816,CVE-2020-2830 Description: This update for java-11-openjdk fixes the following issues: Java was updated to jdk-11.0.7+10 (April 2020 CPU, bsc#1169511). Security issues fixed: - CVE-2020-2754: Fixed an incorrect handling of regular expressions that could have resulted in denial of service (bsc#1169511). - CVE-2020-2755: Fixed an incorrect handling of regular expressions that could have resulted in denial of service (bsc#1169511). - CVE-2020-2756: Fixed an incorrect handling of regular expressions that could have resulted in denial of service (bsc#1169511). - CVE-2020-2757: Fixed an object deserialization issue that could have resulted in denial of service via crafted serialized input (bsc#1169511). - CVE-2020-2767: Fixed an incorrect handling of certificate messages during TLS handshakes (bsc#1169511). - CVE-2020-2773: Fixed the incorrect handling of exceptions thrown by unmarshalKeyInfo() and unmarshalXMLSignature() (bsc#1169511). - CVE-2020-2778: Fixed the incorrect handling of SSLParameters in setAlgorithmConstraints(), which could have been abused to override the defined systems security policy and lead to the use of weak crypto algorithms (bsc#1169511). - CVE-2020-2781: Fixed the incorrect re-use of single null TLS sessions (bsc#1169511). - CVE-2020-2800: Fixed an HTTP header injection issue caused by mishandling of CR/LF in header values (bsc#1169511). - CVE-2020-2803: Fixed a boundary check and type check issue that could have led to a sandbox bypass (bsc#1169511). - CVE-2020-2805: Fixed a boundary check and type check issue that could have led to a sandbox bypass (bsc#1169511). - CVE-2020-2816: Fixed an incorrect handling of application data packets during TLS handshakes (bsc#1169511). - CVE-2020-2830: Fixed an incorrect handling of regular expressions that could have resulted in denial of service (bsc#1169511). ----------------------------------------- Patch: SUSE-2020-1677 Released: Thu Jun 18 18:16:39 2020 Summary: Security update for mozilla-nspr, mozilla-nss Severity: important References: 1159819,1169746,1171978,CVE-2019-17006,CVE-2020-12399 Description: This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nss was updated to version 3.53 - CVE-2020-12399: Fixed a timing attack on DSA signature generation (bsc#1171978). - CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819). Release notes: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.53_release_notes mozilla-nspr to version 4.25 ----------------------------------------- Patch: SUSE-2020-1852 Released: Mon Jul 6 16:50:23 2020 Summary: Recommended update for fontforge, ghostscript-fonts, ttf-converter, xorg-x11-fonts Severity: moderate References: 1169444 Description: This update for fontforge, ghostscript-fonts, ttf-converter, xorg-x11-fonts fixes the following issues: Changes in fontforge: - Support transforming bitmap glyphs from python. (bsc#1169444) - Allow python-Sphinx >= 3 Changes in ttf-converter: - Update from version 1.0 to version 1.0.6: * ftdump is now shipped additionally as new dependency for ttf-converter * Standardize output when converting vector and bitmap fonts * Add more subfamilies fixes (bsc#1169444) * Add --family and --subfamily arguments to force values on those fields * Add parameters to fix glyph unicode values --fix-glyph-unicode : Try to fix unicode points and glyph names based on glyph names containing hexadecimal codes (like '$0C00', 'char12345' or 'uni004F') --replace-unicode-values: When passed 2 comma separated numbers a,b the glyph with an unicode value of a is replaced with the unicode value b. Can be used more than once. --shift-unicode-values: When passed 3 comma separated numbers a,b,c this shifts the unicode values of glyphs between a and b (both included) by adding c. Can be used more than once. * Add --bitmapTransform parameter to transform bitmap glyphs. (bsc#1169444) When used, all glyphs are modified with the transformation function and values passed as parameters. The parameter has three values separated by commas: fliph|flipv|rotate90cw|rotate90ccw|rotate180|skew|transmove,xoff,yoff * Add support to convert bitmap fonts (bsc#1169444) * Rename MediumItalic subfamily to Medium Italic * Show some more information when removing duplicated glyphs * Add a --force-monospaced argument instead of hardcoding font names * Convert `BoldCond` subfamily to `Bold Condensed` * Fixes for Monospaced fonts and force the Nimbus Mono L font to be Monospaced. (bsc#1169444 #c41) * Add a --version argument * Fix subfamily names so the converted font's subfamily match the original ones. (bsc#1169444 #c41) Changes in xorg-x11-fonts: - Use ttf-converter 1.0.6 to build an Italic version of cu12.pcf.gz in the converted subpackage - Include the subfamily in the filename of converted fonts - Use ttf-converter's new bitmap font support to convert Schumacher Clean and Schumacher Clean Wide (bsc#1169444 #c41) - Replace some unicode values in cu-pua12.pcf.gz to fix them - Shift some unicode values in arabic24.pcf.gz and cuarabic12.pcf.gz so glyphs don't pretend to be latin characters when they're not. - Don't distribute converted fonts with wrong unicode values in their glyphs. (bsc#1169444) Bitstream-Charter-*.otb, Cursor.ttf,Sun-OPEN-LOOK-*.otb, MUTT-ClearlyU-Devangari-Extra-Regular, MUTT-ClearlyU-Ligature-Wide-Regular, and MUTT-ClearlyU-Devanagari-Regular Changes in ghostscript-fonts: - Force the converted Nimbus Mono font to be monospaced. (bsc#1169444 #c41) Use the --force-monospaced argument of ttf-converter 1.0.3 ----------------------------------------- Patch: SUSE-2020-2116 Released: Tue Aug 4 15:12:41 2020 Summary: Security update for libX11 Severity: important References: 1174628,CVE-2020-14344 Description: This update for libX11 fixes the following issues: - Fixed XIM client heap overflows (CVE-2020-14344, bsc#1174628) ----------------------------------------- Patch: SUSE-2020-2143 Released: Thu Aug 6 11:06:49 2020 Summary: Security update for java-11-openjdk Severity: important References: 1174157,CVE-2020-14556,CVE-2020-14562,CVE-2020-14573,CVE-2020-14577,CVE-2020-14581,CVE-2020-14583,CVE-2020-14593,CVE-2020-14621 Description: This update for java-11-openjdk fixes the following issues: - Update to upstream tag jdk-11.0.8+10 (July 2020 CPU, bsc#1174157) * Security fixes: + JDK-8230613: Better ASCII conversions + JDK-8231800: Better listing of arrays + JDK-8232014: Expand DTD support + JDK-8233234: Better Zip Naming + JDK-8233239, CVE-2020-14562: Enhance TIFF support + JDK-8233255: Better Swing Buttons + JDK-8234032: Improve basic calendar services + JDK-8234042: Better factory production of certificates + JDK-8234418: Better parsing with CertificateFactory + JDK-8234836: Improve serialization handling + JDK-8236191: Enhance OID processing + JDK-8236867, CVE-2020-14573: Enhance Graal interface handling + JDK-8237117, CVE-2020-14556: Better ForkJoinPool behavior + JDK-8237592, CVE-2020-14577: Enhance certificate verification + JDK-8238002, CVE-2020-14581: Better matrix operations + JDK-8238013: Enhance String writing + JDK-8238804: Enhance key handling process + JDK-8238842: AIOOBE in GIFImageReader.initializeStringTable + JDK-8238843: Enhanced font handing + JDK-8238920, CVE-2020-14583: Better Buffer support + JDK-8238925: Enhance WAV file playback + JDK-8240119, CVE-2020-14593: Less Affine Transformations + JDK-8240482: Improved WAV file playback + JDK-8241379: Update JCEKS support + JDK-8241522: Manifest improved jar headers redux + JDK-8242136, CVE-2020-14621: Better XML namespace handling * Other changes: + JDK-6933331: (d3d/ogl) java.lang.IllegalStateException: Buffers have not been created + JDK-7124307: JSpinner and changing value by mouse + JDK-8022574: remove HaltNode code after uncommon trap calls + JDK-8039082: [TEST_BUG] Test java/awt/dnd/BadSerializationTest/BadSerializationTest.java fails + JDK-8040630: Popup menus and tooltips flicker with previous popup contents when first shown + JDK-8044365: (dc) MulticastSendReceiveTests.java failing with ENOMEM when joining group (OS X 10.9) + JDK-8048215: [TESTBUG] java/lang/management/ManagementFactory/ThreadMXBeanProxy.java Expected non-null LockInfo + JDK-8051349: nsk/jvmti/scenarios/sampling/SP06/sp06t003 fails in nightly + JDK-8080353: JShell: Better error message on attempting to add default method + JDK-8139876: Exclude hanging nsk/stress/stack from execution with deoptimization enabled + JDK-8146090: java/lang/ref/ReachabilityFenceTest.java fails with -XX:+DeoptimizeALot + JDK-8153430: jdk regression test MletParserLocaleTest, ParserInfiniteLoopTest reduce default timeout + JDK-8156207: Resource allocated BitMaps are often cleared unnecessarily + JDK-8159740: JShell: corralled declarations do not have correct source to wrapper mapping + JDK-8175984: ICC_Profile has un-needed, not-empty finalize method + JDK-8176359: Frame#setMaximizedbounds not working properly in multi screen environments + JDK-8183369: RFC unconformity of HttpURLConnection with proxy + JDK-8187078: -XX:+VerifyOops finds numerous problems when running JPRT + JDK-8189861: Refactor CacheFind + JDK-8191169: java/net/Authenticator/B4769350.java failed intermittently + JDK-8191930: [Graal] emits unparseable XML into compile log + JDK-8193879: Java debugger hangs on method invocation + JDK-8196019: java/awt/Window/Grab/GrabTest.java fails on Windows + JDK-8196181: sun/java2d/GdiRendering/InsetClipping.java fails + JDK-8198000: java/awt/List/EmptyListEventTest/EmptyListEventTest.java debug assert on Windows + JDK-8198001: java/awt/Menu/WrongParentAfterRemoveMenu/ /WrongParentAfterRemoveMenu.java debug assert on Windows + JDK-8198339: Test javax/swing/border/Test6981576.java is unstable + JDK-8200701: jdk/jshell/ExceptionsTest.java fails on Windows, after JDK-8198801 + JDK-8203264: JNI exception pending in PlainDatagramSocketImpl.c:740 + JDK-8203672: JNI exception pending in PlainSocketImpl.c + JDK-8203673: JNI exception pending in DualStackPlainDatagramSocketImpl.c:398 + JDK-8204834: Fix confusing 'allocate' naming in OopStorage + JDK-8205399: Set node color on pinned HashMap.TreeNode deletion + JDK-8205653: test/jdk/sun/management/jmxremote/bootstrap/ /RmiRegistrySslTest.java and RmiSslBootstrapTest.sh fail with handshake_failure + JDK-8206179: com/sun/management/OperatingSystemMXBean/ /GetCommittedVirtualMemorySize.java fails with Committed virtual memory size illegal value + JDK-8207334: VM times out in VM_HandshakeAllThreads::doit() with RunThese30M + JDK-8208277: Code cache heap (-XX:ReservedCodeCacheSize) doesn't work with 1GB LargePages ----------------------------------------- Patch: SUSE-2020-2197 Released: Tue Aug 11 13:32:49 2020 Summary: Security update for libX11 Severity: important References: 1174628,CVE-2020-14344 Description: This update for libX11 fixes the following issues: - Fixed XIM client heap overflows (CVE-2020-14344, bsc#1174628). ----------------------------------------- Patch: SUSE-2020-2474 Released: Thu Sep 3 12:10:29 2020 Summary: Security update for libX11 Severity: moderate References: 1175239,CVE-2020-14363 Description: This update for libX11 fixes the following issues: - CVE-2020-14363: Fix an integer overflow in init_om() (bsc#1175239). ----------------------------------------- Patch: SUSE-2020-2983 Released: Wed Oct 21 15:03:03 2020 Summary: Recommended update for file Severity: moderate References: 1176123 Description: This update for file fixes the following issues: - Fixes an issue when file displays broken 'ELF' interpreter. (bsc#1176123) ----------------------------------------- Patch: SUSE-2020-2995 Released: Thu Oct 22 10:03:09 2020 Summary: Security update for freetype2 Severity: important References: 1177914,CVE-2020-15999 Description: This update for freetype2 fixes the following issues: - CVE-2020-15999: fixed a heap buffer overflow found in the handling of embedded PNG bitmaps (bsc#1177914). ----------------------------------------- Patch: SUSE-2020-3091 Released: Thu Oct 29 16:35:37 2020 Summary: Security update for MozillaThunderbird and mozilla-nspr Severity: important References: 1174230,1176384,1176756,1176899,1177977,CVE-2020-15673,CVE-2020-15676,CVE-2020-15677,CVE-2020-15678,CVE-2020-15683,CVE-2020-15969 Description: This update for MozillaThunderbird and mozilla-nspr fixes the following issues: - Mozilla Thunderbird 78.4 * new: MailExtensions: browser.tabs.sendMessage API added * new: MailExtensions: messageDisplayScripts API added * changed: Yahoo and AOL mail users using password authentication will be migrated to OAuth2 * changed: MailExtensions: messageDisplay APIs extended to support multiple selected messages * changed: MailExtensions: compose.begin functions now support creating a message with attachments * fixed: Thunderbird could freeze when updating global search index * fixed: Multiple issues with handling of self-signed SSL certificates addressed * fixed: Recipient address fields in compose window could expand to fill all available space * fixed: Inserting emoji characters in message compose window caused unexpected behavior * fixed: Button to restore default folder icon color was not keyboard accessible * fixed: Various keyboard navigation fixes * fixed: Various color-related theme fixes * fixed: MailExtensions: Updating attachments with onBeforeSend.addListener() did not work MFSA 2020-47 (bsc#1177977) * CVE-2020-15969 Use-after-free in usersctp * CVE-2020-15683 Memory safety bugs fixed in Thunderbird 78.4 - Mozilla Thunderbird 78.3.3 * OpenPGP: Improved support for encrypting with subkeys * OpenPGP message status icons were not visible in message header pane * Creating a new calendar event did not require an event title - Mozilla Thunderbird 78.3.2 (bsc#1176899) * OpenPGP: Improved support for encrypting with subkeys * OpenPGP: Encrypted messages with international characters were sometimes displayed incorrectly * Single-click deletion of recipient pills with middle mouse button restored * Searching an address book list did not display results * Dark mode, high contrast, and Windows theming fixes - Mozilla Thunderbird 78.3.1 * fix crash in nsImapProtocol::CreateNewLineFromSocket - Mozilla Thunderbird 78.3.0 MFSA 2020-44 (bsc#1176756) * CVE-2020-15677 Download origin spoofing via redirect * CVE-2020-15676 XSS when pasting attacker-controlled data into a contenteditable element * CVE-2020-15678 When recursing through layers while scrolling, an iterator may have become invalid, resulting in a potential use-after- free scenario * CVE-2020-15673 Memory safety bugs fixed in Thunderbird 78.3 - update mozilla-nspr to version 4.25.1 * The macOS platform code for shared library loading was changed to support macOS 11. * Dependency needed for the MozillaThunderbird udpate ----------------------------------------- Patch: SUSE-2020-3359 Released: Tue Nov 17 13:18:30 2020 Summary: Security update for java-11-openjdk Severity: moderate References: 1177943,CVE-2020-14779,CVE-2020-14781,CVE-2020-14782,CVE-2020-14792,CVE-2020-14796,CVE-2020-14797,CVE-2020-14798,CVE-2020-14803 Description: This update for java-11-openjdk fixes the following issues: - Update to upstream tag jdk-11.0.9-11 (October 2020 CPU, bsc#1177943) * New features + JDK-8250784: Shenandoah: A Low-Pause-Time Garbage Collector * Security fixes + JDK-8233624: Enhance JNI linkage + JDK-8236196: Improve string pooling + JDK-8236862, CVE-2020-14779: Enhance support of Proxy class + JDK-8237990, CVE-2020-14781: Enhanced LDAP contexts + JDK-8237995, CVE-2020-14782: Enhance certificate processing + JDK-8240124: Better VM Interning + JDK-8241114, CVE-2020-14792: Better range handling + JDK-8242680, CVE-2020-14796: Improved URI Support + JDK-8242685, CVE-2020-14797: Better Path Validation + JDK-8242695, CVE-2020-14798: Enhanced buffer support + JDK-8243302: Advanced class supports + JDK-8244136, CVE-2020-14803: Improved Buffer supports + JDK-8244479: Further constrain certificates + JDK-8244955: Additional Fix for JDK-8240124 + JDK-8245407: Enhance zoning of times + JDK-8245412: Better class definitions + JDK-8245417: Improve certificate chain handling + JDK-8248574: Improve jpeg processing + JDK-8249927: Specify limits of jdk.serialProxyInterfaceLimit + JDK-8253019: Enhanced JPEG decoding * Other changes + JDK-6532025: GIF reader throws misleading exception with truncated images + JDK-6949753: [TEST BUG]: java/awt/print/PageFormat/ /PDialogTest.java needs update by removing an infinite loop + JDK-8022535: [TEST BUG] javax/swing/text/html/parser/ /Test8017492.java fails + JDK-8062947: Fix exception message to correctly represent LDAP connection failure + JDK-8067354: com/sun/jdi/GetLocalVariables4Test.sh failed + JDK-8134599: TEST_BUG: java/rmi/transport/closeServerSocket/ /CloseServerSocket.java fails intermittently with Address already in use + JDK-8151678: com/sun/jndi/ldap/LdapTimeoutTest.java failed due to timeout on DeadServerNoTimeoutTest is incorrect + JDK-8160768: Add capability to custom resolve host/domain names within the default JNDI LDAP provider + JDK-8172404: Tools should warn if weak algorithms are used before restricting them + JDK-8193367: Annotated type variable bounds crash javac + JDK-8202117: com/sun/jndi/ldap/RemoveNamingListenerTest.java fails intermittently: Connection reset + JDK-8203026: java.rmi.NoSuchObjectException: no such object in table + JDK-8203281: [Windows] JComboBox change in ui when editor.setBorder() is called + JDK-8203382: Rename SystemDictionary::initialize_wk_klass to resolve_wk_klass + JDK-8203393: com/sun/jdi/JdbMethodExitTest.sh and JdbExprTest.sh fail due to timeout + JDK-8203928: [Test] Convert non-JDB scaffolding serviceability shell script tests to java + JDK-8204963: javax.swing.border.TitledBorder has a memory leak + JDK-8204994: SA might fail to attach to process with 'Windbg Error: WaitForEvent failed' + JDK-8205534: Remove SymbolTable dependency from serviceability agent + JDK-8206309: Tier1 SA tests fail + JDK-8208281: java/nio/channels/ /AsynchronousSocketChannel/Basic.java timed out + JDK-8209109: [TEST] rewrite com/sun/jdi shell tests to java version - step1 + JDK-8209332: [TEST] test/jdk/com/sun/jdi/CatchPatternTest.sh is incorrect + JDK-8209342: Problemlist SA tests on Solaris due to Error attaching to process: Can't create thread_db agent! + JDK-8209343: Test javax/swing/border/TestTitledBorderLeak.java should be marked as headful + JDK-8209517: com/sun/jdi/BreakpointWithFullGC.java fails with timeout + JDK-8209604: [TEST] rewrite com/sun/jdi shell tests to java version - step2 + JDK-8209605: com/sun/jdi/BreakpointWithFullGC.java fails with ZGC + JDK-8209608: Problem list com/sun/jdi/BreakpointWithFullGC.java + JDK-8210131: vmTestbase/nsk/jvmti/scenarios/allocation/AP10/ /ap10t001/TestDescription.java failed with ObjectFree: GetCurrentThreadCpuTimerInfo returned unexpected error code + JDK-8210243: [TEST] rewrite com/sun/jdi shell tests to java version - step3 + JDK-8210527: JShell: NullPointerException in jdk.jshell.Eval.translateExceptionStack + JDK-8210560: [TEST] convert com/sun/jdi redefineClass-related tests + JDK-8210725: com/sun/jdi/RedefineClearBreakpoint.java fails with waitForPrompt timed out after 60 seconds + JDK-8210748: [TESTBUG] lib.jdb.Jdb.waitForPrompt() should clarify which output is the pending reply after a timeout + JDK-8210760: [TEST] rewrite com/sun/jdi shell tests to java version - step4 + JDK-8210977: jdk/jfr/event/oldobject/TestThreadLocalLeak.java fails to find ThreadLocalObject + JDK-8211292: [TEST] convert com/sun/jdi/DeferredStepTest.sh test + JDK-8211694: JShell: Redeclared variable should be reset + JDK-8212200: assert when shared java.lang.Object is redefined by JVMTI agent + JDK-8212629: [TEST] wrong breakpoint in test/jdk/com/sun/jdi/DeferredStepTest + JDK-8212665: com/sun/jdi/DeferredStepTest.java: jj1 (line 57) - unexpected. lastLine=52, minLine=52, maxLine=55 + JDK-8212807: tools/jar/multiRelease/Basic.java times out + JDK-8213182: Minimal VM build failure after JDK-8212200 (assert when shared java.lang.Object is redefined by JVMTI agent) + JDK-8213214: Set -Djava.io.tmpdir= when running tests + JDK-8213275: ReplaceCriticalClasses.java fails with jdk.internal.vm.PostVMInitHook not found + JDK-8213574: Deadlock in string table expansion when dumping lots of CDS classes + JDK-8213703: LambdaConversionException: Invalid receiver type not a subtype of implementation type interface + JDK-8214074: Ghash optimization using AVX instructions + JDK-8214491: Upgrade to JLine 3.9.0 + JDK-8214797: TestJmapCoreMetaspace.java timed out + JDK-8215243: JShell tests failing intermitently with 'Problem cleaning up the following threads:' + JDK-8215244: jdk/jshell/ToolBasicTest.java testHistoryReference failed + JDK-8215354: x86_32 build failures after JDK-8214074 (Ghash optimization using AVX instructions) + JDK-8215438: jshell tool: Ctrl-D causes EOF + JDK-8216021: RunTest.gmk might set concurrency level to 1 on Windows + JDK-8216974: HttpConnection not returned to the pool after 204 response + JDK-8218948: SimpleDateFormat :: format - Zone Names are not reflected correctly during run time + JDK-8219712: code_size2 (defined in stub_routines_x86.hpp) is too small on new Skylake CPUs + JDK-8220150: macos10.14 Mojave returns anti-aliased glyphs instead of aliased B&W glyphs + JDK-8221658: aarch64: add necessary predicate for ubfx patterns + JDK-8221759: Crash when completing 'java.io.File.path' + JDK-8221918: runtime/SharedArchiveFile/serviceability/ /ReplaceCriticalClasses.java fails: Shared archive not found + JDK-8222074: Enhance auto vectorization for x86 + JDK-8222079: Don't use memset to initialize fields decode_env constructor in disassembler.cpp + JDK-8222769: [TESTBUG] TestJFRNetworkEvents should not rely on hostname command + JDK-8223688: JShell: crash on the instantiation of raw anonymous class + JDK-8223777: In posix_spawn mode, failing to exec() jspawnhelper does not result in an error + JDK-8223940: Private key not supported by chosen signature algorithm + JDK-8224184: jshell got IOException at exiting with AIX + JDK-8224234: compiler/codegen/TestCharVect2.java fails in test_mulc + JDK-8225037: java.net.JarURLConnection::getJarEntry() throws NullPointerException + JDK-8225625: AES Electronic Codebook (ECB) encryption and decryption optimization using AVX512 + VAES instructions + JDK-8226536: Catch OOM from deopt that fails rematerializing objects + JDK-8226575: OperatingSystemMXBean should be made container aware + JDK-8226697: Several tests which need the @key headful keyword are missing it. + JDK-8226809: Circular reference in printed stack trace is not correctly indented & ambiguous + JDK-8227059: sun/security/tools/keytool/ /DefaultSignatureAlgorithm.java timed out + JDK-8227269: Slow class loading when running with JDWP + JDK-8227595: keytool/fakegen/DefaultSignatureAlgorithm.java fails due to 'exitValue = 6' + JDK-8228448: Jconsole can't connect to itself + JDK-8228967: Trust/Key store and SSL context utilities for tests + JDK-8229378: jdwp library loader in linker_md.c quietly truncates on buffer overflow + JDK-8229815: Upgrade Jline to 3.12.1 + JDK-8230000: some httpclients testng tests run zero test + JDK-8230002: javax/xml/jaxp/unittest/transform/ /SecureProcessingTest.java runs zero test + JDK-8230010: Remove jdk8037819/BasicTest1.java + JDK-8230094: CCE in createXMLEventWriter(Result) over an arbitrary XMLStreamWriter + JDK-8230402: Allocation of compile task fails with assert: 'Leaking compilation tasks?' + JDK-8230767: FlightRecorderListener returns null recording + JDK-8230870: (zipfs) Add a ZIP FS test that is similar to test/jdk/java/util/zip/EntryCount64k.java + JDK-8231209: [REDO] ThreadMXBean::getThreadAllocatedBytes() can be quicker for self thread + JDK-8231586: enlarge encoding space for OopMapValue offsets + JDK-8231953: Wrong assumption in assertion in oop::register_oop + JDK-8231968: getCurrentThreadAllocatedBytes default implementation s/b getThreadAllocatedBytes + JDK-8232083: Minimal VM is broken after JDK-8231586 + JDK-8232161: Align some one-way conversion in MS950 charset with Windows + JDK-8232855: jshell missing word in /help help + JDK-8233027: OopMapSet::all_do does oms.next() twice during iteration + JDK-8233228: Disable weak named curves by default in TLS, CertPath, and Signed JAR + JDK-8233386: Initialize NULL fields for unused decorations + JDK-8233452: java.math.BigDecimal.sqrt() with RoundingMode.FLOOR results in incorrect result + JDK-8233686: XML transformer uses excessive amount of memory + JDK-8233741: AES Countermode (AES-CTR) optimization using AVX512 + VAES instructions + JDK-8233829: javac cannot find non-ASCII module name under non-UTF8 environment + JDK-8233958: Memory retention due to HttpsURLConnection finalizer that serves no purpose + JDK-8234011: (zipfs) Memory leak in ZipFileSystem.releaseDeflater() + JDK-8234058: runtime/CompressedOops/ /CompressedClassPointers.java fails with 'Narrow klass base: 0x0000000000000000' missing from stdout/stderr + JDK-8234149: Several regression tests do not dispose Frame at end + JDK-8234347: 'Turkey' meta time zone does not generate composed localized names + JDK-8234385: [TESTBUG] java/awt/EventQueue/6980209/ /bug6980209.java fails in linux nightly + JDK-8234535: Cross compilation fails due to missing CFLAGS for the BUILD_CC + JDK-8234541: C1 emits an empty message when it inlines successfully + JDK-8234687: change javap reporting on unknown attributes + JDK-8236464: SO_LINGER option is ignored by SSLSocket in JDK 11 + JDK-8236548: Localized time zone name inconsistency between English and other locales + JDK-8236617: jtreg test containers/docker/ /TestMemoryAwareness.java fails after 8226575 + JDK-8237182: Update copyright header for shenandoah and epsilon files + JDK-8237888: security/infra/java/security/cert/ /CertPathValidator/certification/LuxTrustCA.java fails when checking validity interval + JDK-8237977: Further update javax/net/ssl/compatibility/Compatibility.java + JDK-8238270: java.net HTTP/2 client does not decrease stream count when receives 204 response + JDK-8238284: [macos] Zero VM build fails due to an obvious typo + JDK-8238380: java.base/unix/native/libjava/childproc.c 'multiple definition' link errors with GCC10 + JDK-8238386: (sctp) jdk.sctp/unix/native/libsctp/SctpNet.c 'multiple definition' link errors with GCC10 + JDK-8238388: libj2gss/NativeFunc.o 'multiple definition' link errors with GCC10 + JDK-8238448: RSASSA-PSS signature verification fail when using certain odd key sizes + JDK-8238710: LingeredApp doesn't log stdout/stderr if exits with non-zero code + JDK-8239083: C1 assert(known_holder == NULL || (known_holder->is_instance_klass() && (!known_holder->is_interface() || ((ciInstanceKlass*)known_holder)->has_nonstatic_concrete_methods())), 'should be non-static concrete method'); + JDK-8239385: KerberosTicket client name refers wrongly to sAMAccountName in AD + JDK-8240169: javadoc fails to link to non-modular api docs + JDK-8240295: hs_err elapsed time in seconds is not accurate enough + JDK-8240360: NativeLibraryEvent has wrong library name on Linux + JDK-8240676: Meet not symmetric failure when running lucene on jdk8 + JDK-8241007: Shenandoah: remove ShenandoahCriticalControlThreadPriority support + JDK-8241065: Shenandoah: remove leftover code after JDK-8231086 + JDK-8241086: Test runtime/NMT/HugeArenaTracking.java is failing on 32bit Windows + JDK-8241130: com.sun.jndi.ldap.EventSupport.removeDeadNotifier: java.lang.NullPointerException + JDK-8241138: http.nonProxyHosts=* causes StringIndexOutOfBoundsException in DefaultProxySelector + JDK-8241319: WB_GetCodeBlob doesn't have ResourceMark + JDK-8241478: vmTestbase/gc/gctests/Steal/steal001/steal001.java fails with OOME + JDK-8241574: Shenandoah: remove ShenandoahAssertToSpaceClosure + JDK-8241750: x86_32 build failure after JDK-8227269 + JDK-8242184: CRL generation error with RSASSA-PSS + JDK-8242283: Can't start JVM when java home path includes non-ASCII character + JDK-8242556: Cannot load RSASSA-PSS public key with non-null params from byte array + JDK-8243029: Rewrite javax/net/ssl/compatibility/ /Compatibility.java with a flexible interop test framework + JDK-8243138: Enhance BaseLdapServer to support starttls extended request + JDK-8243320: Add SSL root certificates to Oracle Root CA program + JDK-8243321: Add Entrust root CA - G4 to Oracle Root CA program + JDK-8243389: enhance os::pd_print_cpu_info on linux + JDK-8243453: java --describe-module failed with non-ASCII module name under non-UTF8 environment + JDK-8243470: [macos] bring back O2 opt level for unsafe.cpp + JDK-8243489: Thread CPU Load event may contain wrong data for CPU time under certain conditions + JDK-8243925: Toolkit#getScreenInsets() returns wrong value on HiDPI screens (Windows) + JDK-8244087: 2020-04-24 public suffix list update + JDK-8244151: Update MUSCLE PC/SC-Lite headers to the latest release 1.8.26 + JDK-8244164: AArch64: jaotc generates incorrect code for compressed OOPs with non-zero heap base + JDK-8244196: adjust output in os_linux + JDK-8244225: stringop-overflow warning on strncpy call from compile_the_world_in + JDK-8244287: JFR: Methods samples have line number 0 + JDK-8244703: 'platform encoding not initialized' exceptions with debugger, JNI + JDK-8244719: CTW: C2 compilation fails with 'assert(!VerifyHashTableKeys || _hash_lock == 0) failed: remove node from hash table before modifying it' + JDK-8244729: Shenandoah: remove resolve paths from SBSA::generate_shenandoah_lrb + JDK-8244763: Update --release 8 symbol information after JSR 337 MR3 + JDK-8244818: Java2D Queue Flusher crash while moving application window to external monitor + JDK-8245151: jarsigner should not raise duplicate warnings on verification + JDK-8245616: Bump update version for OpenJDK: jdk-11.0.9 + JDK-8245714: 'Bad graph detected in build_loop_late' when loads are pinned on loop limit check uncommon branch + JDK-8245801: StressRecompilation triggers assert 'redundunt OSR recompilation detected. memory leak in CodeCache!' + JDK-8245832: JDK build make-static-libs should build all JDK libraries + JDK-8245880: Shenandoah: check class unloading flag early in concurrent code root scan + JDK-8245981: Upgrade to jQuery 3.5.1 + JDK-8246027: Minimal fastdebug build broken after JDK-8245801 + JDK-8246094: [macos] Sound Recording and playback is not working + JDK-8246153: TestEliminateArrayCopy fails with -XX:+StressReflectiveCode + JDK-8246193: Possible NPE in ENC-PA-REP search in AS-REQ + JDK-8246196: javax/management/MBeanServer/OldMBeanServerTest fails with AssertionError + JDK-8246203: Segmentation fault in verification due to stack overflow with -XX:+VerifyIterativeGVN + JDK-8246330: Add TLS Tests for Legacy ECDSA curves + JDK-8246453: TestClone crashes with 'all collected exceptions must come from the same place' + JDK-8247246: Add explicit ResolvedJavaType.link and expose presence of default methods + JDK-8247350: [aarch64] assert(false) failed: wrong size of mach node + JDK-8247502: PhaseStringOpts crashes while optimising effectively dead code + JDK-8247615: Initialize the bytes left for the heap sampler + JDK-8247824: CTW: C2 (Shenandoah) compilation fails with SEGV in SBC2Support::pin_and_expand + JDK-8247874: Replacement in VersionProps.java.template not working when --with-vendor-bug-url contains '&' + JDK-8247979: aarch64: missing side effect of killing flags for clearArray_reg_reg + JDK-8248214: Add paddings for TaskQueueSuper to reduce false-sharing cache contention + JDK-8248219: aarch64: missing memory barrier in fast_storefield and fast_accessfield + JDK-8248348: Regression caused by the update to BCEL 6.0 + JDK-8248385: [testbug][11u] Adapt TestInitiExceptions to jtreg 5.1 + JDK-8248495: [macos] zerovm is broken due to libffi headers location + JDK-8248851: CMS: Missing memory fences between free chunk check and klass read + JDK-8248987: AOT's Linker.java seems to eagerly fail-fast on Windows + JDK-8249159: Downport test rework for SSLSocketTemplate from 8224650 + JDK-8249215: JFrame::setVisible crashed with -Dfile.encoding=UTF-8 on Japanese Windows. + JDK-8249251: [dark_mode ubuntu 20.04] The selected menu is not highlighted in GTKLookAndFeel + JDK-8249255: Build fails if source code in cygwin home dir + JDK-8249277: TestVerifyIterativeGVN.java is failing with timeout in OpenJDK 11 + JDK-8249278: Revert JDK-8226253 which breaks the spec of AccessibleState.SHOWING for JList + JDK-8249560: Shenandoah: Fix racy GC request handling + JDK-8249801: Shenandoah: Clear soft-refs on requested GC cycle + JDK-8249953: Shenandoah: gc/shenandoah/mxbeans tests should account for corner cases + JDK-8250582: Revert Principal Name type to NT-UNKNOWN when requesting TGS Kerberos tickets + JDK-8250609: C2 crash in IfNode::fold_compares + JDK-8250627: Use -XX:+/-UseContainerSupport for enabling/disabling Java container metrics + JDK-8250755: Better cleanup for jdk/test/javax/imageio/plugins/shared/CanWriteSequence.java + JDK-8250787: Provider.put no longer registering aliases in FIPS env + JDK-8250826: jhsdb does not work with coredump which comes from Substrate VM + JDK-8250827: Shenandoah: needs to reset/finish StringTable's dead count before/after parallel walk + JDK-8250844: Make sure {type,obj}ArrayOopDesc accessors check the bounds + JDK-8251117: Cannot check P11Key size in P11Cipher and P11AEADCipher + JDK-8251354: Shenandoah: Fix jdk/jfr/tool/TestPrintJSON.java test failure + JDK-8251451: Shenandoah: Remark ObjectSynchronizer roots with I-U + JDK-8251469: Better cleanup for test/jdk/javax/imageio/SetOutput.java + JDK-8251487: Shenandoah: missing detail timing tracking for final mark cleaning phase + JDK-8252120: compiler/oracle/TestCompileCommand.java misspells 'occured' + JDK-8252157: JDK-8231209 11u backport breaks jmm binary compatibility + JDK-8252258: [11u] JDK-8242154 changes the default vendor + JDK-8252804: [test] Fix 'ReleaseDeflater.java' test after downport of 8234011 + JDK-8253134: JMM_VERSION should remain at 0x20020000 (JDK 10) in JDK 11 + JDK-8253283: [11u] Test build/translations/ /VerifyTranslations.java failing after JDK-8252258 + JDK-8253813: Backout JDK-8244287 from 11u: it causes several crashes + Fix regression '8250861: Crash in MinINode::Ideal(PhaseGVN*, bool)' introduced in jdk 11.0.9 ----------------------------------------- Patch: SUSE-2021-352 Released: Tue Feb 9 15:02:05 2021 Summary: Security update for java-11-openjdk Severity: important References: 1181239 Description: This update for java-11-openjdk fixes the following issues: java-11-openjdk was upgraded to include January 2021 CPU (bsc#1181239) - Enable Sheandoah GC for x86_64 (jsc#ECO-3171) ----------------------------------------- Patch: SUSE-2021-761 Released: Wed Mar 10 12:26:54 2021 Summary: Recommended update for libX11 Severity: moderate References: 1181963 Description: This update for libX11 fixes the following issues: - Fixes a race condition in 'libX11' that causes various applications to crash randomly. (bsc#1181963) ----------------------------------------- Patch: SUSE-2021-1007 Released: Thu Apr 1 17:47:20 2021 Summary: Security update for MozillaFirefox Severity: important References: 1183942,CVE-2021-23981,CVE-2021-23982,CVE-2021-23984,CVE-2021-23987 Description: This update for MozillaFirefox fixes the following issues: - Firefox was updated to 78.9.0 ESR (MFSA 2021-11, bsc#1183942) * CVE-2021-23981: Texture upload into an unbound backing buffer resulted in an out-of-bound read * CVE-2021-23982: Internal network hosts could have been probed by a malicious webpage * CVE-2021-23984: Malicious extensions could have spoofed popup information * CVE-2021-23987: Memory safety bugs ----------------------------------------- Patch: SUSE-2021-1409 Released: Wed Apr 28 16:32:50 2021 Summary: Security update for giflib Severity: low References: 1184123 Description: This update for giflib fixes the following issues: - Enable Position Independent Code and inherit CFLAGS from the build system (bsc#1184123). ----------------------------------------- Patch: SUSE-2021-1554 Released: Tue May 11 09:43:41 2021 Summary: Security update for java-11-openjdk Severity: important References: 1184606,1185055,1185056,CVE-2021-2161,CVE-2021-2163 Description: This update for java-11-openjdk fixes the following issues: - Update to upstream tag jdk-11.0.11+9 (April 2021 CPU) * CVE-2021-2163: Fixed incomplete enforcement of JAR signing disabled algorithms (bsc#1185055) * CVE-2021-2161: Fixed incorrect handling of partially quoted arguments in ProcessBuilder (bsc#1185056) - moved mozilla-nss dependency to java-11-openjdk-headless package, this is necessary to be able to do crypto with just java-11-openjdk-headless installed (bsc#1184606). ----------------------------------------- Patch: SUSE-2021-1765 Released: Wed May 26 12:36:38 2021 Summary: Security update for libX11 Severity: moderate References: 1182506,CVE-2021-31535 Description: This update for libX11 fixes the following issues: - CVE-2021-31535: Fixed missing request length checks in libX11 (bsc#1182506). ----------------------------------------- Patch: SUSE-2021-1897 Released: Tue Jun 8 16:15:17 2021 Summary: Security update for libX11 Severity: important References: 1186643,CVE-2021-31535 Description: This update for libX11 fixes the following issues: - Regression in the fix for CVE-2021-31535, causing segfaults for xforms applications like fdesign (bsc#1186643) ----------------------------------------- Patch: SUSE-2021-2952 Released: Fri Sep 3 14:38:44 2021 Summary: Security update for java-11-openjdk Severity: important References: 1185476,1188564,1188565,1188566,CVE-2021-2341,CVE-2021-2369,CVE-2021-2388 Description: This update for java-11-openjdk fixes the following issues: - Update to jdk-11.0.12+7 - CVE-2021-2369: Fixed JAR file handling problem containing multiple MANIFEST.MF files. (bsc#1188565) - CVE-2021-2388: Fixed a flaw inside the Hotspot component performed range check elimination. (bsc#1188566) - CVE-2021-2341: Fixed a flaw inside the FtpClient. (bsc#1188564) ----------------------------------------- Patch: SUSE-2021-3115 Released: Thu Sep 16 14:04:26 2021 Summary: Recommended update for mozilla-nspr, mozilla-nss Severity: moderate References: 1029961,1174697,1176206,1176934,1179382,1188891,CVE-2020-12400,CVE-2020-12401,CVE-2020-12403,CVE-2020-25648,CVE-2020-6829 Description: This update for mozilla-nspr fixes the following issues: mozilla-nspr was updated to version 4.32: * implement new socket option PR_SockOpt_DontFrag * support larger DNS records by increasing the default buffer size for DNS queries * Lock access to PRCallOnceType members in PR_CallOnce* for thread safety bmo#1686138 * PR_GetSystemInfo supports a new flag PR_SI_RELEASE_BUILD to get information about the operating system build version. Mozilla NSS was updated to version 3.68: * bmo#1713562 - Fix test leak. * bmo#1717452 - NSS 3.68 should depend on NSPR 4.32. * bmo#1693206 - Implement PKCS8 export of ECDSA keys. * bmo#1712883 - DTLS 1.3 draft-43. * bmo#1655493 - Support SHA2 HW acceleration using Intel SHA Extension. * bmo#1713562 - Validate ECH public names. * bmo#1717610 - Add function to get seconds from epoch from pkix::Time. update to NSS 3.67 * bmo#1683710 - Add a means to disable ALPN. * bmo#1715720 - Fix nssckbi version number in NSS 3.67 (was supposed to be incremented in 3.66). * bmo#1714719 - Set NSS_USE_64 on riscv64 target when using GYP/Ninja. * bmo#1566124 - Fix counter increase in ppc-gcm-wrap.c. * bmo#1566124 - Fix AES_GCM mode on ppc64le for messages of length more than 255-byte. update to NSS 3.66 * bmo#1710716 - Remove Expired Sonera Class2 CA from NSS. * bmo#1710716 - Remove Expired Root Certificates from NSS - QuoVadis Root Certification Authority. * bmo#1708307 - Remove Trustis FPS Root CA from NSS. * bmo#1707097 - Add Certum Trusted Root CA to NSS. * bmo#1707097 - Add Certum EC-384 CA to NSS. * bmo#1703942 - Add ANF Secure Server Root CA to NSS. * bmo#1697071 - Add GLOBALTRUST 2020 root cert to NSS. * bmo#1712184 - NSS tools manpages need to be updated to reflect that sqlite is the default database. * bmo#1712230 - Don't build ppc-gcm.s with clang integrated assembler. * bmo#1712211 - Strict prototype error when trying to compile nss code that includes blapi.h. * bmo#1710773 - NSS needs FIPS 180-3 FIPS indicators. * bmo#1709291 - Add VerifyCodeSigningCertificateChain. update to NSS 3.65 * bmo#1709654 - Update for NetBSD configuration. * bmo#1709750 - Disable HPKE test when fuzzing. * bmo#1566124 - Optimize AES-GCM for ppc64le. * bmo#1699021 - Add AES-256-GCM to HPKE. * bmo#1698419 - ECH -10 updates. * bmo#1692930 - Update HPKE to final version. * bmo#1707130 - NSS should use modern algorithms in PKCS#12 files by default. * bmo#1703936 - New coverity/cpp scanner errors. * bmo#1697303 - NSS needs to update it's csp clearing to FIPS 180-3 standards. * bmo#1702663 - Need to support RSA PSS with Hashing PKCS #11 Mechanisms. * bmo#1705119 - Deadlock when using GCM and non-thread safe tokens. update to NSS 3.64 * bmo#1705286 - Properly detect mips64. * bmo#1687164 - Introduce NSS_DISABLE_CRYPTO_VSX and disable_crypto_vsx. * bmo#1698320 - replace __builtin_cpu_supports('vsx') with ppc_crypto_support() for clang. * bmo#1613235 - Add POWER ChaCha20 stream cipher vector acceleration. Fixed in 3.63 * bmo#1697380 - Make a clang-format run on top of helpful contributions. * bmo#1683520 - ECCKiila P384, change syntax of nested structs initialization to prevent build isses with GCC 4.8. * bmo#1683520 - [lib/freebl/ecl] P-384: allow zero scalars in dual scalar multiplication. * bmo#1683520 - ECCKiila P521, change syntax of nested structs initialization to prevent build isses with GCC 4.8. * bmo#1683520 - [lib/freebl/ecl] P-521: allow zero scalars in dual scalar multiplication. * bmo#1696800 - HACL* update March 2021 - c95ab70fcb2bc21025d8845281bc4bc8987ca683. * bmo#1694214 - tstclnt can't enable middlebox compat mode. * bmo#1694392 - NSS does not work with PKCS #11 modules not supporting profiles. * bmo#1685880 - Minor fix to prevent unused variable on early return. * bmo#1685880 - Fix for the gcc compiler version 7 to support setenv with nss build. * bmo#1693217 - Increase nssckbi.h version number for March 2021 batch of root CA changes, CA list version 2.48. * bmo#1692094 - Set email distrust after to 21-03-01 for Camerfirma's 'Chambers of Commerce' and 'Global Chambersign' roots. * bmo#1618407 - Symantec root certs - Set CKA_NSS_EMAIL_DISTRUST_AFTER. * bmo#1693173 - Add GlobalSign R45, E45, R46, and E46 root certs to NSS. * bmo#1683738 - Add AC RAIZ FNMT-RCM SERVIDORES SEGUROS root cert to NSS. * bmo#1686854 - Remove GeoTrust PCA-G2 and VeriSign Universal root certs from NSS. * bmo#1687822 - Turn off Websites trust bit for the “Staat der Nederlanden Root CA - G3” root cert in NSS. * bmo#1692094 - Turn off Websites Trust Bit for 'Chambers of Commerce Root - 2008' and 'Global Chambersign Root - 2008’. * bmo#1694291 - Tracing fixes for ECH. update to NSS 3.62 * bmo#1688374 - Fix parallel build NSS-3.61 with make * bmo#1682044 - pkix_Build_GatherCerts() + pkix_CacheCert_Add() can corrupt 'cachedCertTable' * bmo#1690583 - Fix CH padding extension size calculation * bmo#1690421 - Adjust 3.62 ABI report formatting for new libabigail * bmo#1690421 - Install packaged libabigail in docker-builds image * bmo#1689228 - Minor ECH -09 fixes for interop testing, fuzzing * bmo#1674819 - Fixup a51fae403328, enum type may be signed * bmo#1681585 - Add ECH support to selfserv * bmo#1681585 - Update ECH to Draft-09 * bmo#1678398 - Add Export/Import functions for HPKE context * bmo#1678398 - Update HPKE to draft-07 update to NSS 3.61 * bmo#1682071 - Fix issue with IKE Quick mode deriving incorrect key values under certain conditions. * bmo#1684300 - Fix default PBE iteration count when NSS is compiled with NSS_DISABLE_DBM. * bmo#1651411 - Improve constant-timeness in RSA operations. * bmo#1677207 - Upgrade Google Test version to latest release. * bmo#1654332 - Add aarch64-make target to nss-try. Update to NSS 3.60.1: Notable changes in NSS 3.60: * TLS 1.3 Encrypted Client Hello (draft-ietf-tls-esni-08) support has been added, replacing the previous ESNI (draft-ietf-tls-esni-01) implementation. See bmo#1654332 for more information. * December 2020 batch of Root CA changes, builtins library updated to version 2.46. See bmo#1678189, bmo#1678166, and bmo#1670769 for more information. Update to NSS 3.59.1: * bmo#1679290 - Fix potential deadlock with certain third-party PKCS11 modules Update to NSS 3.59: Notable changes: * Exported two existing functions from libnss: CERT_AddCertToListHeadWithData and CERT_AddCertToListTailWithData Bugfixes * bmo#1607449 - Lock cert->nssCertificate to prevent a potential data race * bmo#1672823 - Add Wycheproof test cases for HMAC, HKDF, and DSA * bmo#1663661 - Guard against NULL token in nssSlot_IsTokenPresent * bmo#1670835 - Support enabling and disabling signatures via Crypto Policy * bmo#1672291 - Resolve libpkix OCSP failures on SHA1 self-signed root certs when SHA1 signatures are disabled. * bmo#1644209 - Fix broken SelectedCipherSuiteReplacer filter to solve some test intermittents * bmo#1672703 - Tolerate the first CCS in TLS 1.3 to fix a regression in our CVE-2020-25648 fix that broke purple-discord (boo#1179382) * bmo#1666891 - Support key wrap/unwrap with RSA-OAEP * bmo#1667989 - Fix gyp linking on Solaris * bmo#1668123 - Export CERT_AddCertToListHeadWithData and CERT_AddCertToListTailWithData from libnss * bmo#1634584 - Set CKA_NSS_SERVER_DISTRUST_AFTER for Trustis FPS Root CA * bmo#1663091 - Remove unnecessary assertions in the streaming ASN.1 decoder that affected decoding certain PKCS8 private keys when using NSS debug builds * bmo#670839 - Use ARM crypto extension for AES, SHA1 and SHA2 on MacOS. update to NSS 3.58 Bugs fixed: * bmo#1641480 (CVE-2020-25648) Tighten CCS handling for middlebox compatibility mode. * bmo#1631890 - Add support for Hybrid Public Key Encryption (draft-irtf-cfrg-hpke) support for TLS Encrypted Client Hello (draft-ietf-tls-esni). * bmo#1657255 - Add CI tests that disable SHA1/SHA2 ARM crypto extensions. * bmo#1668328 - Handle spaces in the Python path name when using gyp on Windows. * bmo#1667153 - Add PK11_ImportDataKey for data object import. * bmo#1665715 - Pass the embedded SCT list extension (if present) to TrustDomain::CheckRevocation instead of the notBefore value. update to NSS 3.57 * The following CA certificates were Added: bmo#1663049 - CN=Trustwave Global Certification Authority SHA-256 Fingerprint: 97552015F5DDFC3C8788C006944555408894450084F100867086BC1A2BB58DC8 bmo#1663049 - CN=Trustwave Global ECC P256 Certification Authority SHA-256 Fingerprint: 945BBC825EA554F489D1FD51A73DDF2EA624AC7019A05205225C22A78CCFA8B4 bmo#1663049 - CN=Trustwave Global ECC P384 Certification Authority SHA-256 Fingerprint: 55903859C8C0C3EBB8759ECE4E2557225FF5758BBD38EBD48276601E1BD58097 * The following CA certificates were Removed: bmo#1651211 - CN=EE Certification Centre Root CA SHA-256 Fingerprint: 3E84BA4342908516E77573C0992F0979CA084E4685681FF195CCBA8A229B8A76 bmo#1656077 - O=Government Root Certification Authority; C=TW SHA-256 Fingerprint: 7600295EEFE85B9E1FD624DB76062AAAAE59818A54D2774CD4C0B2C01131E1B3 * Trust settings for the following CA certificates were Modified: bmo#1653092 - CN=OISTE WISeKey Global Root GA CA Websites (server authentication) trust bit removed. * https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.57_release_notes update to NSS 3.56 Notable changes * bmo#1650702 - Support SHA-1 HW acceleration on ARMv8 * bmo#1656981 - Use MPI comba and mulq optimizations on x86-64 MacOS. * bmo#1654142 - Add CPU feature detection for Intel SHA extension. * bmo#1648822 - Add stricter validation of DH keys in FIPS mode. * bmo#1656986 - Properly detect arm64 during GYP build architecture detection. * bmo#1652729 - Add build flag to disable RC2 and relocate to lib/freebl/deprecated. * bmo#1656429 - Correct RTT estimate used in 0-RTT anti-replay. * bmo#1588941 - Send empty certificate message when scheme selection fails. * bmo#1652032 - Fix failure to build in Windows arm64 makefile cross-compilation. * bmo#1625791 - Fix deadlock issue in nssSlot_IsTokenPresent. * bmo#1653975 - Fix 3.53 regression by setting 'all' as the default makefile target. * bmo#1659792 - Fix broken libpkix tests with unexpired PayPal cert. * bmo#1659814 - Fix interop.sh failures with newer tls-interop commit and dependencies. * bmo#1656519 - NSPR dependency updated to 4.28 update to NSS 3.55 Notable changes * P384 and P521 elliptic curve implementations are replaced with verifiable implementations from Fiat-Crypto [0] and ECCKiila [1]. * PK11_FindCertInSlot is added. With this function, a given slot can be queried with a DER-Encoded certificate, providing performance and usability improvements over other mechanisms. (bmo#1649633) * DTLS 1.3 implementation is updated to draft-38. (bmo#1647752) Relevant Bugfixes * bmo#1631583 (CVE-2020-6829, CVE-2020-12400) - Replace P384 and P521 with new, verifiable implementations from Fiat-Crypto and ECCKiila. * bmo#1649487 - Move overzealous assertion in VFY_EndWithSignature. * bmo#1631573 (CVE-2020-12401) - Remove unnecessary scalar padding. * bmo#1636771 (CVE-2020-12403) - Explicitly disable multi-part ChaCha20 (which was not functioning correctly) and more strictly enforce tag length. * bmo#1649648 - Don't memcpy zero bytes (sanitizer fix). * bmo#1649316 - Don't memcpy zero bytes (sanitizer fix). * bmo#1649322 - Don't memcpy zero bytes (sanitizer fix). * bmo#1653202 - Fix initialization bug in blapitest when compiled with NSS_DISABLE_DEPRECATED_SEED. * bmo#1646594 - Fix AVX2 detection in makefile builds. * bmo#1649633 - Add PK11_FindCertInSlot to search a given slot for a DER-encoded certificate. * bmo#1651520 - Fix slotLock race in NSC_GetTokenInfo. * bmo#1647752 - Update DTLS 1.3 implementation to draft-38. * bmo#1649190 - Run cipher, sdr, and ocsp tests under standard test cycle in CI. * bmo#1649226 - Add Wycheproof ECDSA tests. * bmo#1637222 - Consistently enforce IV requirements for DES and 3DES. * bmo#1067214 - Enforce minimum PKCS#1 v1.5 padding length in RSA_CheckSignRecover. * bmo#1646324 - Advertise PKCS#1 schemes for certificates in the signature_algorithms extension. update to NSS 3.54 Notable changes * Support for TLS 1.3 external pre-shared keys (bmo#1603042). * Use ARM Cryptography Extension for SHA256, when available (bmo#1528113) * The following CA certificates were Added: bmo#1645186 - certSIGN Root CA G2. bmo#1645174 - e-Szigno Root CA 2017. bmo#1641716 - Microsoft ECC Root Certificate Authority 2017. bmo#1641716 - Microsoft RSA Root Certificate Authority 2017. * The following CA certificates were Removed: bmo#1645199 - AddTrust Class 1 CA Root. bmo#1645199 - AddTrust External CA Root. bmo#1641718 - LuxTrust Global Root 2. bmo#1639987 - Staat der Nederlanden Root CA - G2. bmo#1618402 - Symantec Class 2 Public Primary Certification Authority - G4. bmo#1618402 - Symantec Class 1 Public Primary Certification Authority - G4. bmo#1618402 - VeriSign Class 3 Public Primary Certification Authority - G3. * A number of certificates had their Email trust bit disabled. See bmo#1618402 for a complete list. Bugs fixed * bmo#1528113 - Use ARM Cryptography Extension for SHA256. * bmo#1603042 - Add TLS 1.3 external PSK support. * bmo#1642802 - Add uint128 support for HACL* curve25519 on Windows. * bmo#1645186 - Add 'certSIGN Root CA G2' root certificate. * bmo#1645174 - Add Microsec's 'e-Szigno Root CA 2017' root certificate. * bmo#1641716 - Add Microsoft's non-EV root certificates. * bmo1621151 - Disable email trust bit for 'O=Government Root Certification Authority; C=TW' root. * bmo#1645199 - Remove AddTrust root certificates. * bmo#1641718 - Remove 'LuxTrust Global Root 2' root certificate. * bmo#1639987 - Remove 'Staat der Nederlanden Root CA - G2' root certificate. * bmo#1618402 - Remove Symantec root certificates and disable email trust bit. * bmo#1640516 - NSS 3.54 should depend on NSPR 4.26. * bmo#1642146 - Fix undefined reference to `PORT_ZAlloc_stub' in seed.c. * bmo#1642153 - Fix infinite recursion building NSS. * bmo#1642638 - Fix fuzzing assertion crash. * bmo#1642871 - Enable SSL_SendSessionTicket after resumption. * bmo#1643123 - Support SSL_ExportEarlyKeyingMaterial with External PSKs. * bmo#1643557 - Fix numerous compile warnings in NSS. * bmo#1644774 - SSL gtests to use ClearServerCache when resetting self-encrypt keys. * bmo#1645479 - Don't use SECITEM_MakeItem in secutil.c. * bmo#1646520 - Stricter enforcement of ASN.1 INTEGER encoding. ----------------------------------------- Patch: SUSE-2021-3171 Released: Mon Sep 20 17:26:34 2021 Summary: Recommended update for java-11-openjdk Severity: important References: 1189201,1190252 Description: This update for java-11-openjdk fixes the following issues: - Implement FIPS support in OpenJDK - Fix build with 'glibc-2.34' (bsc#1189201) - Add support for 'riscv64' (zero VM) - Make NSS the default security provider. (bsc#1190252) ----------------------------------------- Patch: SUSE-2021-3182 Released: Tue Sep 21 17:04:26 2021 Summary: Recommended update for file Severity: moderate References: 1189996 Description: This update for file fixes the following issues: - Fixes exception thrown by memory allocation problem (bsc#1189996) ----------------------------------------- Patch: SUSE-2021-3671 Released: Tue Nov 16 14:48:10 2021 Summary: Security update for java-11-openjdk Severity: important References: 1191901,1191903,1191904,1191906,1191909,1191910,1191911,1191912,1191913,1191914,CVE-2021-35550,CVE-2021-35556,CVE-2021-35559,CVE-2021-35561,CVE-2021-35564,CVE-2021-35565,CVE-2021-35567,CVE-2021-35578,CVE-2021-35586,CVE-2021-35603 Description: This update for java-11-openjdk fixes the following issues: Update to 11.0.13+8 (October 2021 CPU) - CVE-2021-35550, bsc#1191901: Update the default enabled cipher suites preference - CVE-2021-35565, bsc#1191909: com.sun.net.HttpsServer spins on TLS session close - CVE-2021-35556, bsc#1191910: Richer Text Editors - CVE-2021-35559, bsc#1191911: Enhanced style for RTF kit - CVE-2021-35561, bsc#1191912: Better hashing support - CVE-2021-35564, bsc#1191913: Improve Keystore integrity - CVE-2021-35567, bsc#1191903: More Constrained Delegation - CVE-2021-35578, bsc#1191904: Improve TLS client handshaking - CVE-2021-35586, bsc#1191914: Better BMP support - CVE-2021-35603, bsc#1191906: Better session identification - Improve Stream handling for SSL - Improve requests of certificates - Correct certificate requests - Enhance DTLS client handshake ----------------------------------------- Patch: SUSE-2022-12 Released: Mon Jan 3 15:36:04 2022 Summary: Recommended update for cairo, jbigkit, libjpeg-turbo, libwebp, libxcb, openjpeg2, pixman, poppler, tiff Severity: moderate References: Description: This recommended update for cairo, jbigkit, libjpeg-turbo, libwebp, libxcb, openjpeg2, pixman, poppler, tiff provides the following fix: - Ship some missing binaries to PackageHub. ----------------------------------------- Patch: SUSE-2022-143 Released: Thu Jan 20 14:32:30 2022 Summary: Recommended update for java-11-openjdk Severity: moderate References: 1193314 Description: This update for java-11-openjdk fixes the following issues: - Java Cryptography was always operating in FIPS mode if crypto-policies was not used. - Allow plain key import in fips mode unless 'com.suse.fips.plainKeySupport' is set to false ----------------------------------------- Patch: SUSE-2022-789 Released: Thu Mar 10 11:22:05 2022 Summary: Recommended update for update-alternatives Severity: moderate References: 1195654 Description: This update for update-alternatives fixes the following issues: - Break bash - update-alternatives cycle rewrite of '%post' in 'lua'. (bsc#1195654) ----------------------------------------- Patch: SUSE-2022-816 Released: Mon Mar 14 10:22:04 2022 Summary: Security update for java-11-openjdk Severity: moderate References: 1194925,1194926,1194927,1194928,1194929,1194930,1194931,1194932,1194933,1194934,1194935,1194937,1194939,1194940,1194941,CVE-2022-21248,CVE-2022-21277,CVE-2022-21282,CVE-2022-21283,CVE-2022-21291,CVE-2022-21293,CVE-2022-21294,CVE-2022-21296,CVE-2022-21299,CVE-2022-21305,CVE-2022-21340,CVE-2022-21341,CVE-2022-21360,CVE-2022-21365,CVE-2022-21366 Description: This update for java-11-openjdk fixes the following issues: - CVE-2022-21248: Fixed incomplete deserialization class filtering in ObjectInputStream. (bnc#1194926) - CVE-2022-21277: Fixed incorrect reading of TIFF files in TIFFNullDecompressor. (bnc#1194930) - CVE-2022-21282: Fixed Insufficient URI checks in the XSLT TransformerImpl. (bnc#1194933) - CVE-2022-21283: Fixed unexpected exception thrown in regex Pattern. (bnc#1194937) - CVE-2022-21291: Fixed Incorrect marking of writeable fields. (bnc#1194925) - CVE-2022-21293: Fixed Incomplete checks of StringBuffer and StringBuilder during deserialization. (bnc#1194935) - CVE-2022-21294: Fixed Incorrect IdentityHashMap size checks during deserialization. (bnc#1194934) - CVE-2022-21296: Fixed Incorrect access checks in XMLEntityManager. (bnc#1194932) - CVE-2022-21299: Fixed Infinite loop related to incorrect handling of newlines in XMLEntityScanner. (bnc#1194931) - CVE-2022-21305: Fixed Array indexing issues in LIRGenerator. (bnc#1194939) - CVE-2022-21340: Fixed Excessive resource use when reading JAR manifest attributes. (bnc#1194940) - CVE-2022-21341: Fixed OpenJDK: Insufficient checks when deserializing exceptions in ObjectInputStream. (bnc#1194941) - CVE-2022-21360: Fixed Excessive memory allocation in BMPImageReader. (bnc#1194929) - CVE-2022-21365: Fixed Integer overflow in BMPImageReader. (bnc#1194928) - CVE-2022-21366: Fixed Excessive memory allocation in TIFF*Decompressor. (bnc#1194927) ----------------------------------------- Patch: SUSE-2022-1033 Released: Tue Mar 29 18:42:05 2022 Summary: Recommended update for java-11-openjdk Severity: moderate References: Description: This update for java-11-openjdk fixes the following issues: - Build failure on Solaris. - Unable to connect to https://google.com using java.net.HttpClient. ----------------------------------------- Patch: SUSE-2022-1513 Released: Tue May 3 16:13:25 2022 Summary: Security update for java-11-openjdk Severity: important References: 1198671,1198672,1198673,1198674,1198675,CVE-2022-21426,CVE-2022-21434,CVE-2022-21443,CVE-2022-21476,CVE-2022-21496 Description: This update for java-11-openjdk fixes the following issues: - CVE-2022-21426: Fixed Oracle Java SE compromission via unauthenticated attacker with network access via multiple protocols (bsc#1198672). - CVE-2022-21434: Fixed Oracle Java SE compromission via unauthenticated attacker with network access via multiple protocols (bsc#1198674). - CVE-2022-21496: Fixed Oracle Java SE compromission via unauthenticated attacker with network access via multiple protocols (bsc#1198673). - CVE-2022-21443: Fixed Oracle Java SE compromission via unauthenticated attacker with network access via multiple protocols (bsc#1198675). - CVE-2022-21476: Fixed Oracle Java SE compromission via unauthenticated attacker with network access via multiple protocols (bsc#1198671). ----------------------------------------- Patch: SUSE-2022-1565 Released: Fri May 6 17:09:36 2022 Summary: Security update for giflib Severity: moderate References: 1094832,1146299,1184123,974847,CVE-2016-3977,CVE-2018-11490,CVE-2019-15133 Description: This update for giflib fixes the following issues: - CVE-2019-15133: Fixed a divide-by-zero exception in the decoder function DGifSlurp in dgif_lib.c if the height field of the ImageSize data structure is equal to zero (bsc#1146299). - CVE-2018-11490: Fixed a heap-based buffer overflow in DGifDecompressLine function in dgif_lib.c (bsc#1094832). - CVE-2016-3977: Fixed a heap buffer overflow in gif2rgb (bsc#974847). Update to version 5.2.1 * In gifbuild.c, avoid a core dump on no color map. * Restore inadvertently removed library version numbers in Makefile. Changes in version 5.2.0 * The undocumented and deprecated GifQuantizeBuffer() entry point has been moved to the util library to reduce libgif size and attack surface. Applications needing this function are couraged to link the util library or make their own copy. * The following obsolete utility programs are no longer installed: gifecho, giffilter, gifinto, gifsponge. These were either installed in error or have been obsolesced by modern image-transformmation tools like ImageMagick convert. They may be removed entirely in a future release. * Address SourceForge issue #136: Stack-buffer-overflow in gifcolor.c:84 * Address SF bug #134: Giflib fails to slurp significant number of gifs * Apply SPDX convention for license tagging. Changes in version 5.1.9 * The documentation directory now includes an HTMlified version of the GIF89 standard, and a more detailed description of how LZW compression is applied to GIFs. * Address SF bug #129: The latest version of giflib cannot be build on windows. * Address SF bug #126: Cannot compile giflib using c89 Changes in version 5.1.8 * Address SF bug #119: MemorySanitizer: FPE on unknown address (CVE-2019-15133 bsc#1146299) * Address SF bug #125: 5.1.7: xmlto is still required for tarball * Address SF bug #124: 5.1.7: ar invocation is not crosscompile compatible * Address SF bug #122: 5.1.7 installs manpages to wrong directory * Address SF bug #121: make: getversion: Command not found * Address SF bug #120: 5.1.7 does not build a proper library - no Changes in version 5.1.7 * Correct a minor packaging error (superfluous symlinks) in the 5.1.6 tarballs. Changes in version 5.1.6 * Fix library installation in the Makefile. Changes in version 5.1.5 * Fix SF bug #114: Null dereferences in main() of gifclrmp * Fix SF bug #113: Heap Buffer Overflow-2 in function DGifDecompressLine() in cgif.c. This had been assigned (CVE-2018-11490 bsc#1094832). * Fix SF bug #111: segmentation fault in PrintCodeBlock * Fix SF bug #109: Segmentation fault of giftool reading a crafted file * Fix SF bug #107: Floating point exception in giftext utility * Fix SF bug #105: heap buffer overflow in DumpScreen2RGB in gif2rgb.c:317 * Fix SF bug #104: Ineffective bounds check in DGifSlurp * Fix SF bug #103: GIFLIB 5.1.4: DGifSlurp fails on empty comment * Fix SF bug #87: Heap buffer overflow in 5.1.2 (gif2rgb). (CVE-2016-3977 bsc#974847) * The horrible old autoconf build system has been removed with extreme prejudice. You now build this simply by running 'make' from the top-level directory. The following non-security bugs were fixed: - build path independent objects and inherit CFLAGS from the build system (bsc#1184123) ----------------------------------------- Patch: SUSE-2022-2294 Released: Wed Jul 6 13:34:15 2022 Summary: Security update for expat Severity: important References: 1196025,1196026,1196168,1196169,1196171,1196784,CVE-2022-25235,CVE-2022-25236,CVE-2022-25313,CVE-2022-25314,CVE-2022-25315 Description: This update for expat fixes the following issues: - CVE-2022-25236: Fixed possible namespace-separator characters insertion into namespace URIs (bsc#1196025). - Fixed a regression caused by the patch for CVE-2022-25236 (bsc#1196784). - CVE-2022-25235: Fixed UTF-8 character validation in a certain context (bsc#1196026). - CVE-2022-25313: Fixed stack exhaustion in build_model() via uncontrolled recursion (bsc#1196168). - CVE-2022-25314: Fixed integer overflow in copyString (bsc#1196169). - CVE-2022-25315: Fixed integer overflow in storeRawNames (bsc#1196171). ----------------------------------------- Patch: SUSE-2022-2533 Released: Fri Jul 22 17:37:15 2022 Summary: Security update for mozilla-nss Severity: important References: 1192079,1192080,1192086,1192087,1192228,1198486,1200027,CVE-2022-31741 Description: This update for mozilla-nss fixes the following issues: Various FIPS 140-3 related fixes were backported from SUSE Linux Enterprise 15 SP4: - Makes the PBKDF known answer test compliant with NIST SP800-132. (bsc#1192079). - FIPS: Add on-demand integrity tests through sftk_FIPSRepeatIntegrityCheck() (bsc#1198980). - FIPS: mark algorithms as approved/non-approved according to security policy (bsc#1191546, bsc#1201298). - FIPS: remove hard disabling of unapproved algorithms. This requirement is now fulfilled by the service level indicator (bsc#1200325). - Run test suite at build time, and make it pass (bsc#1198486). - FIPS: skip algorithms that are hard disabled in FIPS mode. - Prevent expired PayPalEE cert from failing the tests. - Allow checksumming to be disabled, but only if we entered FIPS mode due to NSS_FIPS being set, not if it came from /proc. - FIPS: Make the PBKDF known answer test compliant with NIST SP800-132. - Update FIPS validation string to version-release format. - FIPS: remove XCBC MAC from list of FIPS approved algorithms. - Enable NSS_ENABLE_FIPS_INDICATORS and set NSS_FIPS_MODULE_ID for build. - FIPS: claim 3DES unapproved in FIPS mode (bsc#1192080). - FIPS: allow testing of unapproved algorithms (bsc#1192228). - FIPS: add version indicators. (bmo#1729550, bsc#1192086). - FIPS: fix some secret clearing (bmo#1697303, bsc#1192087). Version update to NSS 3.79: - Use PK11_GetSlotInfo instead of raw C_GetSlotInfo calls. - Update mercurial in clang-format docker image. - Use of uninitialized pointer in lg_init after alloc fail. - selfserv and tstclnt should use PR_GetPrefLoopbackAddrInfo. - Add SECMOD_LockedModuleHasRemovableSlots. - Fix secasn1d parsing of indefinite SEQUENCE inside indefinite GROUP. - Added RFC8422 compliant TLS <= 1.2 undefined/compressed ECPointFormat extension alerts. - TLS 1.3 Server: Send protocol_version alert on unsupported ClientHello.legacy_version. - Correct invalid record inner and outer content type alerts. - NSS does not properly import or export pkcs12 files with large passwords and pkcs5v2 encoding. - improve error handling after nssCKFWInstance_CreateObjectHandle. - Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple. - NSS 3.79 should depend on NSPR 4.34 Version update to NSS 3.78.1: - Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple Version update to NSS 3.78: - Added TLS 1.3 zero-length inner plaintext checks and tests, zero-length record/fragment handling tests. - Reworked overlong record size checks and added TLS1.3 specific boundaries. - Add ECH Grease Support to tstclnt - Add a strict variant of moz::pkix::CheckCertHostname. - Change SSL_REUSE_SERVER_ECDHE_KEY default to false. - Make SEC_PKCS12EnableCipher succeed - Update zlib in NSS to 1.2.12. Version update to NSS 3.77: - Fix link to TLS page on wireshark wiki - Add two D-TRUST 2020 root certificates. - Add Telia Root CA v2 root certificate. - Remove expired explicitly distrusted certificates from certdata.txt. - support specific RSA-PSS parameters in mozilla::pkix - Remove obsolete stateEnd check in SEC_ASN1DecoderUpdate. - Remove token member from NSSSlot struct. - Provide secure variants of mpp_pprime and mpp_make_prime. - Support UTF-8 library path in the module spec string. - Update nssUTF8_Length to RFC 3629 and fix buffer overrun. - Update googletest to 1.11.0 - Add SetTls13GreaseEchSize to experimental API. - TLS 1.3 Illegal legacy_version handling/alerts. - Fix calculation of ECH HRR Transcript. - Allow ld path to be set as environment variable. - Ensure we don't read uninitialized memory in ssl gtests. - Fix DataBuffer Move Assignment. - internal_error alert on Certificate Request with sha1+ecdsa in TLS 1.3 - rework signature verification in mozilla::pkix Version update to NSS 3.76.1 - Remove token member from NSSSlot struct. - Hold tokensLock through nssToken_GetSlot calls in nssTrustDomain_GetActiveSlots. - Check return value of PK11Slot_GetNSSToken. - Use Wycheproof JSON for RSASSA-PSS - Add SHA256 fingerprint comments to old certdata.txt entries. - Avoid truncating files in nss-release-helper.py. - Throw illegal_parameter alert for illegal extensions in handshake message. Version update to NSS 3.75 - Make DottedOIDToCode.py compatible with python3. - Avoid undefined shift in SSL_CERT_IS while fuzzing. - Remove redundant key type check. - Update ABI expectations to match ECH changes. - Enable CKM_CHACHA20. - check return on NSS_NoDB_Init and NSS_Shutdown. - Run ECDSA test vectors from bltest as part of the CI tests. - Add ECDSA test vectors to the bltest command line tool. - Allow to build using clang's integrated assembler. - Allow to override python for the build. - test HKDF output rather than input. - Use ASSERT macros to end failed tests early. - move assignment operator for DataBuffer. - Add test cases for ECH compression and unexpected extensions in SH. - Update tests for ECH-13. - Tidy up error handling. - Add tests for ECH HRR Changes. - Server only sends GREASE HRR extension if enabled by preference. - Update generation of the Associated Data for ECH-13. - When ECH is accepted, reject extensions which were only advertised in the Outer Client Hello. - Allow for compressed, non-contiguous, extensions. - Scramble the PSK extension in CHOuter. - Split custom extension handling for ECH. - Add ECH-13 HRR Handling. - Client side ECH padding. - Stricter ClientHelloInner Decompression. - Remove ECH_inner extension, use new enum format. - Update the version number for ECH-13 and adjust the ECHConfig size. Version update to NSS 3.74 - mozilla::pkix: support SHA-2 hashes in CertIDs in OCSP responses - Ensure clients offer consistent ciphersuites after HRR - NSS does not properly restrict server keys based on policy - Set nssckbi version number to 2.54 - Replace Google Trust Services LLC (GTS) R4 root certificate - Replace Google Trust Services LLC (GTS) R3 root certificate - Replace Google Trust Services LLC (GTS) R2 root certificate - Replace Google Trust Services LLC (GTS) R1 root certificate - Replace GlobalSign ECC Root CA R4 - Remove Expired Root Certificates - DST Root CA X3 - Remove Expiring Cybertrust Global Root and GlobalSign root certificates - Add renewed Autoridad de Certificacion Firmaprofesional CIF A62634068 root certificate - Add iTrusChina ECC root certificate - Add iTrusChina RSA root certificate - Add ISRG Root X2 root certificate - Add Chunghwa Telecom's HiPKI Root CA - G1 root certificate - Avoid a clang 13 unused variable warning in opt build - Check for missing signedData field - Ensure DER encoded signatures are within size limits - enable key logging option (boo#1195040) Version update to NSS 3.73.1: - Add SHA-2 support to mozilla::pkix's OSCP implementation Version update to NSS 3.73 - check for missing signedData field. - Ensure DER encoded signatures are within size limits. - NSS needs FiPS 140-3 version indicators. - pkix_CacheCert_Lookup doesn't return cached certs - sunset Coverity from NSS Fixed MFSA 2021-51 (bsc#1193170) CVE-2021-43527: Memory corruption via DER-encoded DSA and RSA-PSS signatures Version update to NSS 3.72 - Fix nsinstall parallel failure. - Increase KDF cache size to mitigate perf regression in about:logins Version update to NSS 3.71 - Set nssckbi version number to 2.52. - Respect server requirements of tlsfuzzer/test-tls13-signature-algorithms.py - Import of PKCS#12 files with Camellia encryption is not supported - Add HARICA Client ECC Root CA 2021. - Add HARICA Client RSA Root CA 2021. - Add HARICA TLS ECC Root CA 2021. - Add HARICA TLS RSA Root CA 2021. - Add TunTrust Root CA certificate to NSS. Version update to NSS 3.70 - Update test case to verify fix. - Explicitly disable downgrade check in TlsConnectStreamTls13.EchOuterWith12Max - Explicitly disable downgrade check in TlsConnectTest.DisableFalseStartOnFallback - Avoid using a lookup table in nssb64d. - Use HW accelerated SHA2 on AArch64 Big Endian. - Change default value of enableHelloDowngradeCheck to true. - Cache additional PBE entries. - Read HPKE vectors from official JSON. Version update to NSS 3.69.1: - Disable DTLS 1.0 and 1.1 by default - integrity checks in key4.db not happening on private components with AES_CBC NSS 3.69: - Disable DTLS 1.0 and 1.1 by default (backed out again) - integrity checks in key4.db not happening on private components with AES_CBC (backed out again) - SSL handling of signature algorithms ignores environmental invalid algorithms. - sqlite 3.34 changed it's open semantics, causing nss failures. - Gtest update changed the gtest reports, losing gtest details in all.sh reports. - NSS incorrectly accepting 1536 bit DH primes in FIPS mode - SQLite calls could timeout in starvation situations. - Coverity/cpp scanner errors found in nss 3.67 - Import the NSS documentation from MDN in nss/doc. - NSS using a tempdir to measure sql performance not active Version Update to 3.68.4 (bsc#1200027) - CVE-2022-31741: Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple. (bmo#1767590) Mozilla NSPR was updated to version 4.34: * add an API that returns a preferred loopback IP on hosts that have two IP stacks available. ----------------------------------------- Patch: SUSE-2022-2595 Released: Fri Jul 29 16:00:42 2022 Summary: Security update for mozilla-nss Severity: important References: 1192079,1192080,1192086,1192087,1192228,1198486,1200027,CVE-2022-31741 Description: This update for mozilla-nss fixes the following issues: Various FIPS 140-3 related fixes were backported from SUSE Linux Enterprise 15 SP4: - Makes the PBKDF known answer test compliant with NIST SP800-132. (bsc#1192079). - FIPS: Add on-demand integrity tests through sftk_FIPSRepeatIntegrityCheck() (bsc#1198980). - FIPS: mark algorithms as approved/non-approved according to security policy (bsc#1191546, bsc#1201298). - FIPS: remove hard disabling of unapproved algorithms. This requirement is now fulfilled by the service level indicator (bsc#1200325). - Run test suite at build time, and make it pass (bsc#1198486). - FIPS: skip algorithms that are hard disabled in FIPS mode. - Prevent expired PayPalEE cert from failing the tests. - Allow checksumming to be disabled, but only if we entered FIPS mode due to NSS_FIPS being set, not if it came from /proc. - FIPS: Make the PBKDF known answer test compliant with NIST SP800-132. - Update FIPS validation string to version-release format. - FIPS: remove XCBC MAC from list of FIPS approved algorithms. - Enable NSS_ENABLE_FIPS_INDICATORS and set NSS_FIPS_MODULE_ID for build. - FIPS: claim 3DES unapproved in FIPS mode (bsc#1192080). - FIPS: allow testing of unapproved algorithms (bsc#1192228). - FIPS: add version indicators. (bmo#1729550, bsc#1192086). - FIPS: fix some secret clearing (bmo#1697303, bsc#1192087). Version update to NSS 3.79: - Use PK11_GetSlotInfo instead of raw C_GetSlotInfo calls. - Update mercurial in clang-format docker image. - Use of uninitialized pointer in lg_init after alloc fail. - selfserv and tstclnt should use PR_GetPrefLoopbackAddrInfo. - Add SECMOD_LockedModuleHasRemovableSlots. - Fix secasn1d parsing of indefinite SEQUENCE inside indefinite GROUP. - Added RFC8422 compliant TLS <= 1.2 undefined/compressed ECPointFormat extension alerts. - TLS 1.3 Server: Send protocol_version alert on unsupported ClientHello.legacy_version. - Correct invalid record inner and outer content type alerts. - NSS does not properly import or export pkcs12 files with large passwords and pkcs5v2 encoding. - improve error handling after nssCKFWInstance_CreateObjectHandle. - Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple. - NSS 3.79 should depend on NSPR 4.34 Version update to NSS 3.78.1: - Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple Version update to NSS 3.78: - Added TLS 1.3 zero-length inner plaintext checks and tests, zero-length record/fragment handling tests. - Reworked overlong record size checks and added TLS1.3 specific boundaries. - Add ECH Grease Support to tstclnt - Add a strict variant of moz::pkix::CheckCertHostname. - Change SSL_REUSE_SERVER_ECDHE_KEY default to false. - Make SEC_PKCS12EnableCipher succeed - Update zlib in NSS to 1.2.12. Version update to NSS 3.77: - Fix link to TLS page on wireshark wiki - Add two D-TRUST 2020 root certificates. - Add Telia Root CA v2 root certificate. - Remove expired explicitly distrusted certificates from certdata.txt. - support specific RSA-PSS parameters in mozilla::pkix - Remove obsolete stateEnd check in SEC_ASN1DecoderUpdate. - Remove token member from NSSSlot struct. - Provide secure variants of mpp_pprime and mpp_make_prime. - Support UTF-8 library path in the module spec string. - Update nssUTF8_Length to RFC 3629 and fix buffer overrun. - Update googletest to 1.11.0 - Add SetTls13GreaseEchSize to experimental API. - TLS 1.3 Illegal legacy_version handling/alerts. - Fix calculation of ECH HRR Transcript. - Allow ld path to be set as environment variable. - Ensure we don't read uninitialized memory in ssl gtests. - Fix DataBuffer Move Assignment. - internal_error alert on Certificate Request with sha1+ecdsa in TLS 1.3 - rework signature verification in mozilla::pkix Version update to NSS 3.76.1 - Remove token member from NSSSlot struct. - Hold tokensLock through nssToken_GetSlot calls in nssTrustDomain_GetActiveSlots. - Check return value of PK11Slot_GetNSSToken. - Use Wycheproof JSON for RSASSA-PSS - Add SHA256 fingerprint comments to old certdata.txt entries. - Avoid truncating files in nss-release-helper.py. - Throw illegal_parameter alert for illegal extensions in handshake message. Version update to NSS 3.75 - Make DottedOIDToCode.py compatible with python3. - Avoid undefined shift in SSL_CERT_IS while fuzzing. - Remove redundant key type check. - Update ABI expectations to match ECH changes. - Enable CKM_CHACHA20. - check return on NSS_NoDB_Init and NSS_Shutdown. - Run ECDSA test vectors from bltest as part of the CI tests. - Add ECDSA test vectors to the bltest command line tool. - Allow to build using clang's integrated assembler. - Allow to override python for the build. - test HKDF output rather than input. - Use ASSERT macros to end failed tests early. - move assignment operator for DataBuffer. - Add test cases for ECH compression and unexpected extensions in SH. - Update tests for ECH-13. - Tidy up error handling. - Add tests for ECH HRR Changes. - Server only sends GREASE HRR extension if enabled by preference. - Update generation of the Associated Data for ECH-13. - When ECH is accepted, reject extensions which were only advertised in the Outer Client Hello. - Allow for compressed, non-contiguous, extensions. - Scramble the PSK extension in CHOuter. - Split custom extension handling for ECH. - Add ECH-13 HRR Handling. - Client side ECH padding. - Stricter ClientHelloInner Decompression. - Remove ECH_inner extension, use new enum format. - Update the version number for ECH-13 and adjust the ECHConfig size. Version update to NSS 3.74 - mozilla::pkix: support SHA-2 hashes in CertIDs in OCSP responses - Ensure clients offer consistent ciphersuites after HRR - NSS does not properly restrict server keys based on policy - Set nssckbi version number to 2.54 - Replace Google Trust Services LLC (GTS) R4 root certificate - Replace Google Trust Services LLC (GTS) R3 root certificate - Replace Google Trust Services LLC (GTS) R2 root certificate - Replace Google Trust Services LLC (GTS) R1 root certificate - Replace GlobalSign ECC Root CA R4 - Remove Expired Root Certificates - DST Root CA X3 - Remove Expiring Cybertrust Global Root and GlobalSign root certificates - Add renewed Autoridad de Certificacion Firmaprofesional CIF A62634068 root certificate - Add iTrusChina ECC root certificate - Add iTrusChina RSA root certificate - Add ISRG Root X2 root certificate - Add Chunghwa Telecom's HiPKI Root CA - G1 root certificate - Avoid a clang 13 unused variable warning in opt build - Check for missing signedData field - Ensure DER encoded signatures are within size limits - enable key logging option (boo#1195040) Version update to NSS 3.73.1: - Add SHA-2 support to mozilla::pkix's OSCP implementation Version update to NSS 3.73 - check for missing signedData field. - Ensure DER encoded signatures are within size limits. - NSS needs FiPS 140-3 version indicators. - pkix_CacheCert_Lookup doesn't return cached certs - sunset Coverity from NSS Fixed MFSA 2021-51 (bsc#1193170) CVE-2021-43527: Memory corruption via DER-encoded DSA and RSA-PSS signatures Version update to NSS 3.72 - Fix nsinstall parallel failure. - Increase KDF cache size to mitigate perf regression in about:logins Version update to NSS 3.71 - Set nssckbi version number to 2.52. - Respect server requirements of tlsfuzzer/test-tls13-signature-algorithms.py - Import of PKCS#12 files with Camellia encryption is not supported - Add HARICA Client ECC Root CA 2021. - Add HARICA Client RSA Root CA 2021. - Add HARICA TLS ECC Root CA 2021. - Add HARICA TLS RSA Root CA 2021. - Add TunTrust Root CA certificate to NSS. Version update to NSS 3.70 - Update test case to verify fix. - Explicitly disable downgrade check in TlsConnectStreamTls13.EchOuterWith12Max - Explicitly disable downgrade check in TlsConnectTest.DisableFalseStartOnFallback - Avoid using a lookup table in nssb64d. - Use HW accelerated SHA2 on AArch64 Big Endian. - Change default value of enableHelloDowngradeCheck to true. - Cache additional PBE entries. - Read HPKE vectors from official JSON. Version update to NSS 3.69.1: - Disable DTLS 1.0 and 1.1 by default - integrity checks in key4.db not happening on private components with AES_CBC NSS 3.69: - Disable DTLS 1.0 and 1.1 by default (backed out again) - integrity checks in key4.db not happening on private components with AES_CBC (backed out again) - SSL handling of signature algorithms ignores environmental invalid algorithms. - sqlite 3.34 changed it's open semantics, causing nss failures. - Gtest update changed the gtest reports, losing gtest details in all.sh reports. - NSS incorrectly accepting 1536 bit DH primes in FIPS mode - SQLite calls could timeout in starvation situations. - Coverity/cpp scanner errors found in nss 3.67 - Import the NSS documentation from MDN in nss/doc. - NSS using a tempdir to measure sql performance not active Version Update to 3.68.4 (bsc#1200027) - CVE-2022-31741: Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple. (bmo#1767590) ----------------------------------------- Patch: SUSE-2022-2664 Released: Thu Aug 4 09:22:06 2022 Summary: Security update for harfbuzz Severity: important References: 1200900,CVE-2022-33068 Description: This update for harfbuzz fixes the following issues: - CVE-2022-33068: Fixed a integer overflow in hb-ot-shape-fallback.cc (bsc#1200900). ----------------------------------------- Patch: SUSE-2022-2707 Released: Tue Aug 9 10:18:18 2022 Summary: Security update for java-11-openjdk Severity: important References: 1201684,1201692,1201694,CVE-2022-21540,CVE-2022-21541,CVE-2022-34169 Description: This update for java-11-openjdk fixes the following issues: Update to upstream tag jdk-11.0.16+8 (July 2022 CPU) - CVE-2022-21540: Improve class compilation (bsc#1201694) - CVE-2022-21541: Enhance MethodHandle invocations (bsc#1201692) - CVE-2022-34169: Improve Xalan supports (bsc#1201684) ----------------------------------------- Patch: SUSE-2022-2939 Released: Mon Aug 29 14:49:17 2022 Summary: Recommended update for mozilla-nss Severity: moderate References: 1201298,1202645 Description: This update for mozilla-nss fixes the following issues: Update to NSS 3.79.1 (bsc#1202645) * compare signature and signatureAlgorithm fields in legacy certificate verifier. * Uninitialized value in cert_ComputeCertType. * protect SFTKSlot needLogin with slotLock. * avoid data race on primary password change. * check for null template in sec_asn1{d,e}_push_state. - FIPS: unapprove the rest of the DSA ciphers, keeping signature verification only (bsc#1201298). ----------------------------------------- Patch: SUSE-2022-2994 Released: Fri Sep 2 10:44:54 2022 Summary: Recommended update for lame, libass, libcdio-paranoia, libdc1394, libgsm, libva, libvdpau, libvorbis, libvpx, libwebp, openjpeg, opus, speex, twolame Severity: moderate References: 1198925 Description: This update for lame, libass, libcdio-paranoia, libdc1394, libgsm, libva, libvdpau, libvorbis, libvpx, libwebp, openjpeg, opus, speex, twolame adds some missing 32bit libraries to some products. (bsc#1198925) No codechanges were done in this update. ----------------------------------------- Patch: SUSE-2022-3252 Released: Mon Sep 12 09:07:53 2022 Summary: Security update for freetype2 Severity: moderate References: 1198823,1198830,1198832,CVE-2022-27404,CVE-2022-27405,CVE-2022-27406 Description: This update for freetype2 fixes the following issues: - CVE-2022-27404 Fixed a segmentation fault via a crafted typeface (bsc#1198830). - CVE-2022-27405 Fixed a buffer overflow via a crafted typeface (bsc#1198832). - CVE-2022-27406 Fixed a segmentation fault via a crafted typeface (bsc#1198823). Non-security fixes: - Updated to version 2.10.4 ----------------------------------------- Patch: SUSE-2022-3489 Released: Sat Oct 1 13:35:24 2022 Summary: Security update for expat Severity: important References: 1203438,CVE-2022-40674 Description: This update for expat fixes the following issues: - CVE-2022-40674: Fixed use-after-free in the doContent function in xmlparse.c (bsc#1203438).