----------------------------------------- Version 3.64 2024-04-24T11:24:09 ----------------------------------------- Patch: SUSE-2018-1277 Released: Thu Jul 5 08:38:06 2018 Summary: Security update for unzip Severity: moderate References: 1080074,910683,914442,CVE-2014-9636,CVE-2018-1000035 Description: This update for unzip fixes the following issues: - CVE-2014-9636: Prevent denial of service (out-of-bounds read or write and crash) via an extra field with an uncompressed size smaller than the compressed field size in a zip archive that advertises STORED method compression (bsc#914442) - CVE-2018-1000035: Prevent heap-based buffer overflow in the processing of password-protected archives that allowed an attacker to perform a denial of service or to possibly achieve code execution (bsc#1080074) This non-security issue was fixed: +- Allow processing of Windows zip64 archives (Windows archivers set total_disks field to 0 but per standard, valid values are 1 and higher) (bnc#910683) ----------------------------------------- Patch: SUSE-2018-1462 Released: Tue Jul 31 14:04:41 2018 Summary: Security update for java-11-openjdk Severity: moderate References: 1101645,1101651,1101655,1101656,CVE-2018-2940,CVE-2018-2952,CVE-2018-2972,CVE-2018-2973 Description: This java-11-openjdk update to version jdk-11+24 fixes the following issues: Security issues fixed: - CVE-2018-2940: Fix unspecified vulnerability in subcomponent Libraries (bsc#1101645). - CVE-2018-2952: Fix unspecified vulnerability in subcomponent Concurrency (bsc#1101651). - CVE-2018-2972: Fix unspecified vulnerability in subcomponent Security (bsc#1101655). - CVE-2018-2973: Fix unspecified vulnerability in subcomponent JSSE (bsc#1101656). ----------------------------------------- Patch: SUSE-2018-2022 Released: Wed Sep 26 09:48:09 2018 Summary: Recommended update for SUSE Manager Client Tools Severity: moderate References: 1103388,1104120,1106523 Description: This update fixes the following issues: hwdata: - Update to version 0.314: + Updated pci, usb and vendor ids. spacewalk-backend: - Channels to be actually un-subscribed from the assigned systems when being removed using spacewalk-remove-channel tool. (bsc#1104120) - Take only text files from /srv/salt to make spacewalk-debug smaller. (bsc#1103388) ----------------------------------------- Patch: SUSE-2018-2298 Released: Wed Oct 17 17:02:57 2018 Summary: Recommended update for java-11-openjdk Severity: moderate References: 1111162,1112142,1112143,1112144,1112145,1112146,1112147,1112148,1112149,CVE-2018-3136,CVE-2018-3139,CVE-2018-3149,CVE-2018-3150,CVE-2018-3157,CVE-2018-3169,CVE-2018-3180,CVE-2018-3183 Description: This update for java-11-openjdk fixes the following issues: Update to upstream tag jdk-11.0.1+13 (Oracle October 2018 CPU) Security fixes: - S8202936, CVE-2018-3183, bsc#1112148: Improve script engine support - S8199226, CVE-2018-3169, bsc#1112146: Improve field accesses - S8199177, CVE-2018-3149, bsc#1112144: Enhance JNDI lookups - S8202613, CVE-2018-3180, bsc#1112147: Improve TLS connections stability - S8208209, CVE-2018-3180, bsc#1112147: Improve TLS connection stability again - S8199172, CVE-2018-3150, bsc#1112145: Improve jar attribute checks - S8200648, CVE-2018-3157, bsc#1112149: Make midi code more sound - S8194534, CVE-2018-3136, bsc#1112142: Manifest better support - S8208754, CVE-2018-3136, bsc#1112142: The fix for JDK-8194534 needs updates - S8196902, CVE-2018-3139, bsc#1112143: Better HTTP Redirection Security-In-Depth fixes: - S8194546: Choosier FileManagers - S8195874: Improve jar specification adherence - S8196897: Improve PRNG support - S8197881: Better StringBuilder support - S8201756: Improve cipher inputs - S8203654: Improve cypher state updates - S8204497: Better formatting of decimals - S8200666: Improve LDAP support - S8199110: Address Internet Addresses Update to upstream tag jdk-11+28 (OpenJDK 11 rc1) - S8207317: SSLEngine negotiation fail exception behavior changed from fail-fast to fail-lazy - S8207838: AArch64: Float registers incorrectly restored in JNI call - S8209637: [s390x] Interpreter doesn't call result handler after native calls - S8209670: CompilerThread releasing code buffer in destructor is unsafe - S8209735: Disable avx512 by default - S8209806: API docs should be updated to refer to javase11 - Report version without the '-internal' postfix - Don't build against gdk making the accessibility depend on a particular version of gtk. Update to upstream tag jdk-11+27 - S8031761: [TESTBUG] Add a regression test for JDK-8026328 - S8151259: [TESTBUG] nsk/jvmti/RedefineClasses/redefclass030 fails with 'unexpected values of outer fields of the class' when running with -Xcomp - S8164639: Configure PKCS11 tests to use user-supplied NSS libraries - S8189667: Desktop#moveToTrash expects incorrect '<>' FilePermission - S8194949: [Graal] gc/TestNUMAPageSize.java fail with OOM in -Xcomp - S8195156: [Graal] serviceability/jvmti/GetModulesInfo/ /JvmtiGetAllModulesTest.java fails with Graal in Xcomp mode - S8199081: [Testbug] compiler/linkage/LinkageErrors.java fails if run twice - S8201394: Update java.se module summary to reflect removal of java.se.ee module - S8204931: Colors with alpha are painted incorrectly on Linux - S8204966: [TESTBUG] hotspot/test/compiler/whitebox/ /IsMethodCompilableTest.java test fails with -XX:CompileThreshold=1 - S8205608: Fix 'frames()' in ThreadReferenceImpl.c to prevent quadratic runtime behavior - S8205687: TimeoutHandler generates huge core files - S8206176: Remove the temporary tls13VN field - S8206258: [Test Error] sun/security/pkcs11 tests fail if NSS libs not found - S8206965: java/util/TimeZone/Bug8149452.java failed on de_DE and ja_JP locale. - S8207009: TLS 1.3 half-close and synchronization issues - S8207046: arm32 vm crash: C1 arm32 platform functions parameters type mismatch - S8207139: NMT is not enabled on Windows 2016/10 - S8207237: SSLSocket#setEnabledCipherSuites is accepting empty string - S8207355: C1 compilation hangs in ComputeLinearScanOrder::compute_dominator - S8207746: C2: Lucene crashes on AVX512 instruction - S8207765: HeapMonitorTest.java intermittent failure - S8207944: java.lang.ClassFormatError: Extra bytes at the end of class file test' possibly violation of JVMS 4.7.1 - S8207948: JDK 11 L10n resource file update msg drop 10 - S8207966: HttpClient response without content-length does not return body - S8208125: Cannot input text into JOptionPane Text Input Dialog - S8208164: (str) improve specification of String::lines - S8208166: Still unable to use custom SSLEngine with default TrustManagerFactory after JDK-8207029 - S8208189: ProblemList compiler/graalunit/JttThreadsTest.java - S8208205: ProblemList tests that fail due to 'Error attaching to process: Can't create thread_db agent!' - S8208226: ProblemList com/sun/jdi/BasicJDWPConnectionTest.java - S8208251: serviceability/jvmti/HeapMonitor/MyPackage/ /HeapMonitorGCCMSTest.java fails intermittently on Linux-X64 - S8208305: ProblemList compiler/jvmci/compilerToVM/GetFlagValueTest.java - S8208347: ProblemList compiler/cpuflags/TestAESIntrinsicsOnSupportedConfig.java - S8208353: Upgrade JDK 11 to libpng 1.6.35 - S8208358: update bug ids mentioned in tests - S8208370: fix typo in ReservedStack tests' @requires - S8208391: Differentiate response and connect timeouts in HTTP Client API - S8208466: Fix potential memory leak in harfbuzz shaping. - S8208496: New Test to verify concurrent behavior of TLS. - S8208521: ProblemList more tests that fail due to 'Error attaching to process: Can't create thread_db agent!' - S8208640: [a11y] [macos] Unable to navigate between Radiobuttons in Radio group using keyboard. - S8208663: JDK 11 L10n resource file update msg drop 20 - S8208676: Missing NULL check and resource leak in NetworkPerformanceInterface::NetworkPerformance::network_utilization - S8208691: Tighten up jdk.includeInExceptions security property - S8209011: [TESTBUG] AArch64: sun/security/pkcs11/Secmod/ /TestNssDbSqlite.java fails in aarch64 platforms - S8209029: ProblemList tests that fail due to 'Error attaching to process: Can't create thread_db agent!' in jdk-11+25 testing - S8209149: [TESTBUG] runtime/RedefineTests/ /RedefineRunningMethods.java needs a longer timeout - S8209451: Please change jdk 11 milestone to FCS - S8209452: VerifyCACerts.java failed with 'At least one cacert test failed' - S8209506: Add Google Trust Services GlobalSign root certificates - S8209537: Two security tests failed after JDK-8164639 due to dependency was missed ----------------------------------------- Patch: SUSE-2018-2307 Released: Thu Oct 18 14:42:54 2018 Summary: Recommended update for libxcb Severity: moderate References: 1101560 Description: This update for libxcb provides the following fix: - Fix some IO errors when using KWin in combination with the NVIDIA driver. (bsc#1101560) ----------------------------------------- Patch: SUSE-2018-2340 Released: Fri Oct 19 16:05:53 2018 Summary: Security update for fuse Severity: moderate References: 1101797,CVE-2018-10906 Description: This update for fuse fixes the following issues: - CVE-2018-10906: fusermount was vulnerable to a restriction bypass when SELinux is active. This allowed non-root users to mount a FUSE file system with the 'allow_other' mount option regardless of whether 'user_allow_other' is set in the fuse configuration. An attacker may use this flaw to mount a FUSE file system, accessible by other users, and trick them into accessing files on that file system, possibly causing Denial of Service or other unspecified effects (bsc#1101797) ----------------------------------------- Patch: SUSE-2018-2569 Released: Fri Nov 2 19:00:18 2018 Summary: Recommended update for pam Severity: moderate References: 1110700 Description: This update for pam fixes the following issues: - Remove limits for nproc from /etc/security/limits.conf (bsc#1110700) ----------------------------------------- Patch: SUSE-2018-2607 Released: Wed Nov 7 15:42:48 2018 Summary: Optional update for gcc8 Severity: low References: 1084812,1084842,1087550,1094222,1102564 Description: The GNU Compiler GCC 8 is being added to the Development Tools Module by this update. The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the Basesystem module of SUSE Linux Enterprise 15. Various optimizers have been improved in GCC 8, several of bugs fixed, quite some new warnings added and the error pin-pointing and fix-suggestions have been greatly improved. The GNU Compiler page for GCC 8 contains a summary of all the changes that have happened: https://gcc.gnu.org/gcc-8/changes.html Also changes needed or common pitfalls when porting software are described on: https://gcc.gnu.org/gcc-8/porting_to.html ----------------------------------------- Patch: SUSE-2018-2625 Released: Mon Nov 12 08:58:25 2018 Summary: Recommended update for java-11-openjdk Severity: moderate References: 1113734 Description: This update for java-11-openjdk fixes the following issues: Merge into the JDK following modules from github.com/javaee: * com.sum.xml.fastinfoset * org.jvnet.staxex * com.sun.istack.runtime * com.sun.xml.txw2 * com.sun.xml.bind This provides a default implementation of JAXB-API that existed in JDK before Java 11 and that some applications depend on. ----------------------------------------- Patch: SUSE-2018-2798 Released: Wed Nov 28 07:48:35 2018 Summary: Recommended update for make Severity: moderate References: 1100504 Description: This update for make fixes the following issues: - Use a non-blocking read with pselect to avoid hangs (bsc#1100504) ----------------------------------------- Patch: SUSE-2018-2825 Released: Mon Dec 3 15:35:02 2018 Summary: Security update for pam Severity: important References: 1115640,CVE-2018-17953 Description: This update for pam fixes the following issue: Security issue fixed: - CVE-2018-17953: Fixed IP address and subnet handling of pam_access.so that was not honoured correctly when a single host was specified (bsc#1115640). ----------------------------------------- Patch: SUSE-2018-2861 Released: Thu Dec 6 14:32:01 2018 Summary: Security update for ncurses Severity: important References: 1103320,1115929,CVE-2018-19211 Description: This update for ncurses fixes the following issues: Security issue fixed: - CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929). Non-security issue fixed: - Remove scree.xterm from terminfo data base as with this screen uses fallback TERM=screen (bsc#1103320). ----------------------------------------- Patch: SUSE-2018-3044 Released: Fri Dec 21 18:47:21 2018 Summary: Security update for MozillaFirefox, mozilla-nspr and mozilla-nss Severity: important References: 1097410,1106873,1119069,1119105,CVE-2018-0495,CVE-2018-12384,CVE-2018-12404,CVE-2018-12405,CVE-2018-17466,CVE-2018-18492,CVE-2018-18493,CVE-2018-18494,CVE-2018-18498 Description: This update for MozillaFirefox, mozilla-nss and mozilla-nspr fixes the following issues: Issues fixed in MozillaFirefox: - Update to Firefox ESR 60.4 (bsc#1119105) - CVE-2018-17466: Fixed a buffer overflow and out-of-bounds read in ANGLE library with TextureStorage11 - CVE-2018-18492: Fixed a use-after-free with select element - CVE-2018-18493: Fixed a buffer overflow in accelerated 2D canvas with Skia - CVE-2018-18494: Fixed a Same-origin policy violation using location attribute and performance.getEntries to steal cross-origin URLs - CVE-2018-18498: Fixed a integer overflow when calculating buffer sizes for images - CVE-2018-12405: Fixed a few memory safety bugs Issues fixed in mozilla-nss: - Update to NSS 3.40.1 (bsc#1119105) - CVE-2018-12404: Fixed a cache side-channel variant of the Bleichenbacher attack (bsc#1119069) - CVE-2018-12384: Fixed an issue in the SSL handshake. NSS responded to an SSLv2-compatible ClientHello with a ServerHello that had an all-zero random. (bsc#1106873) - CVE-2018-0495: Fixed a memory-cache side-channel attack with ECDSA signatures (bsc#1097410) - Fixed a decryption failure during FFDHE key exchange - Various security fixes in the ASN.1 code Issues fixed in mozilla-nspr: - Update mozilla-nspr to 4.20 (bsc#1119105) ----------------------------------------- Patch: SUSE-2019-6 Released: Wed Jan 2 20:25:25 2019 Summary: Recommended update for gcc7 Severity: moderate References: 1099119,1099192 Description: GCC 7 was updated to the GCC 7.4 release. - Fix AVR configuration to not use __cxa_atexit or libstdc++ headers. Point to /usr/avr/sys-root/include as system header include directory. - Includes fix for build with ISL 0.20. - Pulls fix for libcpp lexing bug on ppc64le manifesting during build with gcc8. [bsc#1099119] - Pulls fix for forcing compile-time tuning even when building with -march=z13 on s390x. [bsc#1099192] - Fixes support for 32bit ASAN with glibc 2.27+ ----------------------------------------- Patch: SUSE-2019-44 Released: Tue Jan 8 13:07:32 2019 Summary: Recommended update for acl Severity: low References: 953659 Description: This update for acl fixes the following issues: - test: Add helper library to fake passwd/group files. - quote: Escape literal backslashes. (bsc#953659) ----------------------------------------- Patch: SUSE-2019-110 Released: Thu Jan 17 14:17:05 2019 Summary: Security update for zeromq Severity: important References: 1121717,CVE-2019-6250 Description: This update for zeromq fixes the following issues: Security issue fixed: - CVE-2019-6250: fix a remote execution vulnerability due to pointer arithmetic overflow (bsc#1121717) ----------------------------------------- Patch: SUSE-2019-221 Released: Fri Feb 1 15:20:56 2019 Summary: Security update for java-11-openjdk Severity: important References: 1120431,1122293,1122299,CVE-2018-11212,CVE-2019-2422,CVE-2019-2426 Description: This update for java-11-openjdk to version 11.0.2+7 fixes the following issues: Security issues fixed: - CVE-2019-2422: Better FileChannel transfer performance (bsc#1122293) - CVE-2019-2426: Improve web server connections - CVE-2018-11212: Improve JPEG processing (bsc#1122299) - Better route routing - Better interface enumeration - Better interface lists - Improve BigDecimal support - Improve robot support - Better icon support - Choose printer defaults - Proper allocation handling - Initial class initialization - More reliable p11 transactions - Improve NIO stability - Better loading of classloader classes - Strengthen Windows Access Bridge Support - Improved data set handling - Improved LSA authentication - Libsunmscapi improved interactions Non-security issues fix: - Do not resolve by default the added JavaEE modules (bsc#1120431) - ~2.5% regression on compression benchmark starting with 12-b11 - java.net.http.HttpClient hangs on 204 reply without Content-length 0 - Add additional TeliaSonera root certificate - Add more ld preloading related info to hs_error file on Linux - Add test to exercise server-side client hello processing - AES encrypt performance regression in jdk11b11 - AIX: ProcessBuilder: Piping between created processes does not work. - AIX: Some class library files are missing the Classpath exception - AppCDS crashes for some uses with JRuby - Automate vtable/itable stub size calculation - BarrierSetC1::generate_referent_check() confuses register allocator - Better HTTP Redirection - Catastrophic size_t underflow in BitMap::*_large methods - Clip.isRunning() may return true after Clip.stop() was called - Compiler thread creation should be bounded by available space in memory and Code Cache - com.sun.net.httpserver.HttpServer returns Content-length header for 204 response code - Default mask register for avx512 instructions - Delayed starting of debugging via jcmd - Disable all DES cipher suites - Disable anon and NULL cipher suites - Disable unsupported GCs for Zero - Epsilon alignment adjustments can overflow max TLAB size - Epsilon elastic TLAB sizing may cause misalignment - HotSpot update for vm_version.cpp to recognise updated VS2017 - HttpClient does not retrieve files with large sizes over HTTP/1.1 - IIOException 'tEXt chunk length is not proper' on opening png file - Improve TLS connection stability again - InitialDirContext ctor sometimes throws NPE if the server has sent a disconnection - Inspect stack during error reporting - Instead of circle rendered in appl window, but ellipse is produced JEditor Pane - Introduce diagnostic flag to abort VM on failed JIT compilation - Invalid assert(HeapBaseMinAddress > 0) in ReservedHeapSpace::initialize_compressed_heap - jar has issues with UNC-path arguments for the jar -C parameter [windows] - java.net.http HTTP client should allow specifying Origin and Referer headers - java.nio.file.Files.writeString writes garbled UTF-16 instead of UTF-8 - JDK 11.0.1 l10n resource file update - JDWP Transport Listener: dt_socket thread crash - JVMTI ResourceExhausted should not be posted in CompilerThread - LDAPS communication failure with jdk 1.8.0_181 - linux: Poor StrictMath performance due to non-optimized compilation - Missing synchronization when reading counters for live threads and peak thread count - NPE in SupportedGroupsExtension - OpenDataException thrown when constructing CompositeData for StackTraceElement - Parent class loader may not have a referred ClassLoaderData instance when obtained in Klass::class_in_module_of_loader - Populate handlers while holding streamHandlerLock - ppc64: Enable POWER9 CPU detection - print_location is not reliable enough (printing register info) - Reconsider default option for ClassPathURLCheck change done in JDK-8195874 - Register to register spill may use AVX 512 move instruction on unsupported platform. - s390: Use of shift operators not covered by cpp standard - serviceability/sa/TestUniverse.java#id0 intermittently fails with assert(get_instanceKlass()->is_loaded()) failed: must be at least loaded - SIGBUS in CodeHeapState::print_names() - SIGSEGV in MethodArityHistogram() with -XX:+CountCompiledCalls - Soft reference reclamation race in com.sun.xml.internal.stream.util.ThreadLocalBufferAllocator - Swing apps are slow if displaying from a remote source to many local displays - switch jtreg to 4.2b13 - Test library OSInfo.getSolarisVersion cannot determine Solaris version - TestOptionsWithRanges.java is very slow - TestOptionsWithRanges.java of '-XX:TLABSize=2147483648' fails intermittently - The Japanese message of FileNotFoundException garbled - The 'supported_groups' extension in ServerHellos - ThreadInfoCompositeData.toCompositeData fails to map ThreadInfo to CompositeData - TimeZone.getDisplayName given Locale.US doesn't always honor the Locale. - TLS 1.2 Support algorithm in SunPKCS11 provider - TLS 1.3 handshake server name indication is missing on a session resume - TLS 1.3 server fails if ClientHello doesn't have pre_shared_key and psk_key_exchange_modes - TLS 1.3 interop problems with OpenSSL 1.1.1 when used on the client side with mutual auth - tz: Upgrade time-zone data to tzdata2018g - Undefined behaviour in ADLC - Update avx512 implementation - URLStreamHandler initialization race - UseCompressedOops requirement check fails fails on 32-bit system - windows: Update OS detection code to recognize Windows Server 2019 - x86: assert on unbound assembler Labels used as branch targets - x86: jck tests for ldc2_w bytecode fail - x86: sharedRuntimeTrig/sharedRuntimeTrans compiled without optimization - '-XX:OnOutOfMemoryError' uses fork instead of vfork ----------------------------------------- Patch: SUSE-2019-247 Released: Wed Feb 6 07:18:45 2019 Summary: Security update for lua53 Severity: moderate References: 1123043,CVE-2019-6706 Description: This update for lua53 fixes the following issues: Security issue fixed: - CVE-2019-6706: Fixed a use-after-free bug in the lua_upvaluejoin function of lapi.c (bsc#1123043) ----------------------------------------- Patch: SUSE-2019-571 Released: Thu Mar 7 18:13:46 2019 Summary: Security update for file Severity: moderate References: 1096974,1096984,1126117,1126118,1126119,CVE-2018-10360,CVE-2019-8905,CVE-2019-8906,CVE-2019-8907 Description: This update for file fixes the following issues: The following security vulnerabilities were addressed: - CVE-2018-10360: Fixed an out-of-bounds read in the function do_core_note in readelf.c, which allowed remote attackers to cause a denial of service (application crash) via a crafted ELF file (bsc#1096974) - CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c (bsc#1126118) - CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf. c (bsc#1126119) - CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c (bsc#1126117) ----------------------------------------- Patch: SUSE-2019-707 Released: Fri Mar 22 13:32:07 2019 Summary: Security update for unzip Severity: moderate References: 1110194,CVE-2018-18384 Description: This update for unzip fixes the following issues: - CVE-2018-18384: Fixed a buffer overflow when listing archives (bsc#1110194) ----------------------------------------- Patch: SUSE-2019-788 Released: Thu Mar 28 11:55:06 2019 Summary: Security update for sqlite3 Severity: moderate References: 1119687,CVE-2018-20346 Description: This update for sqlite3 to version 3.27.2 fixes the following issue: Security issue fixed: - CVE-2018-20346: Fixed a remote code execution vulnerability in FTS3 (Magellan) (bsc#1119687). Release notes: https://www.sqlite.org/releaselog/3_27_2.html ----------------------------------------- Patch: SUSE-2019-905 Released: Mon Apr 8 16:48:02 2019 Summary: Recommended update for gcc Severity: moderate References: 1096008 Description: This update for gcc fixes the following issues: - Fix gcc-PIE spec to properly honor -no-pie at link time. (bsc#1096008) ----------------------------------------- Patch: SUSE-2019-926 Released: Wed Apr 10 16:33:12 2019 Summary: Security update for tar Severity: moderate References: 1120610,1130496,CVE-2018-20482,CVE-2019-9923 Description: This update for tar fixes the following issues: Security issues fixed: - CVE-2019-9923: Fixed a denial of service while parsing certain archives with malformed extended headers in pax_decode_header() (bsc#1130496). - CVE-2018-20482: Fixed a denial of service when the '--sparse' option mishandles file shrinkage during read access (bsc#1120610). ----------------------------------------- Patch: SUSE-2019-1022 Released: Wed Apr 24 13:46:51 2019 Summary: Recommended update for hwdata Severity: moderate References: 1121410 Description: This update for hwdata fixes the following issues: Update to version 0.320 (bsc#1121410): - Updated the pci, usb and vendor ids vendor and product databases. ----------------------------------------- Patch: SUSE-2019-1040 Released: Thu Apr 25 17:09:21 2019 Summary: Security update for samba Severity: important References: 1114407,1124223,1125410,1126377,1131060,1131686,CVE-2019-3880 Description: This update for samba fixes the following issues: Security issue fixed: - CVE-2019-3880: Fixed a path/symlink traversal vulnerability, which allowed an unprivileged user to save registry files outside a share (bsc#1131060). ldb was updated to version 1.2.4 (bsc#1125410 bsc#1131686): - Out of bound read in ldb_wildcard_compare - Hold at most 10 outstanding paged result cookies - Put 'results_store' into a doubly linked list - Refuse to build Samba against a newer minor version of ldb Non-security issues fixed: - Fixed update-apparmor-samba-profile script after apparmor switched to using named profiles (bsc#1126377). - Abide to the load_printers parameter in smb.conf (bsc#1124223). - Provide the 32bit samba winbind PAM module and its dependend 32bit libraries. ----------------------------------------- Patch: SUSE-2019-1052 Released: Fri Apr 26 14:33:42 2019 Summary: Security update for java-11-openjdk Severity: moderate References: 1132728,1132732,CVE-2019-2602,CVE-2019-2684 Description: This update for java-11-openjdk to version 11.0.3+7 fixes the following issues: Security issues fixed: - CVE-2019-2602: Fixed excessive use of CPU time in the BigDecimal implementation (bsc#1132728). - CVE-2019-2684: Fixed a flaw in the RMI registry implementation which could lead to selection of an incorrect skeleton class (bsc#1132732). Non-security issues fixed: - Multiple bug fixes and improvements. ----------------------------------------- Patch: SUSE-2019-1105 Released: Tue Apr 30 12:10:58 2019 Summary: Recommended update for gcc7 Severity: moderate References: 1084842,1114592,1124644,1128794,1129389,1131264,SLE-6738 Description: This update for gcc7 fixes the following issues: Update to gcc-7-branch head (r270528). - Disables switch jump-tables when retpolines are used. This restores some lost performance for kernel builds with retpolines. (bsc#1131264, jsc#SLE-6738) - Fix ICE compiling tensorflow on aarch64. (bsc#1129389) - Fix for aarch64 FMA steering pass use-after-free. (bsc#1128794) - Fix for s390x FP load-and-test issue. (bsc#1124644) - Improve build reproducability by disabling address-space randomization during build. - Adjust gnat manual entries in the info directory. (bsc#1114592) - Includes fix to no longer try linking -lieee with -mieee-fp. (bsc#1084842) ----------------------------------------- Patch: SUSE-2019-1113 Released: Tue Apr 30 14:08:42 2019 Summary: Recommended update for python-pycurl Severity: moderate References: 1128355 Description: This update for python-pycurl fixes the following issues: - bsc#1128355: update to the Factory package to get multibuild and better working tests. - Update to 7.43.0.2: * Added perform_rb and perform_rs methods to Curl objects to return response body as byte string and string, respectively. * Added OPT_COOKIELIST constant for consistency with other option constants. * PycURL is now able to report errors triggered by libcurl via CURLOPT_FAILONERROR mechanism when the error messages are not decodable in Python's default encoding (GitHub issue #259). * Added getinfo_raw method to Curl objects to return byte strings as is from libcurl without attempting to decode them (GitHub issue #493). * When adding a Curl easy object to CurlMulti via add_handle, the easy objects now have their reference counts increased so that the application is no longer required to keep references to them to keep them from being garbage collected (GitHub issue #171). * PycURL easy, multi and share objects can now be weak referenced. * set_ca_certs now accepts byte strings as it should have been all along. * Use OpenSSL 1.1 and 1.0 specific APIs for controlling thread locks depending on OpenSSL version (patch by Vitaly Murashev). * Fixed a crash when closesocket callback failed (patch by Gisle Vanem and toddrme2178). * Added CURLOPT_PROXY_SSLCERT, CURLOPT_PROXY_SSLCERTTYPE, CURLOPT_PROXY_SSLKEY, CURLOPT_PROXY_SSLKEYTYPE, CURLOPT_PROXY_SSL_VERIFYPEER (libcurl 7.52.0+, patch by Casey Miller). * Added CURLOPT_PRE_PROXY (libcurl 7.52.0+, patch by ziggy). * Added SOCKET_BAD constant and it is now recognized as a valid return value from OPENSOCKET callback. ----------------------------------------- Patch: SUSE-2019-1127 Released: Thu May 2 09:39:24 2019 Summary: Security update for sqlite3 Severity: moderate References: 1130325,1130326,CVE-2019-9936,CVE-2019-9937 Description: This update for sqlite3 to version 3.28.0 fixes the following issues: Security issues fixed: - CVE-2019-9936: Fixed a heap-based buffer over-read, when running fts5 prefix queries inside transaction (bsc#1130326). - CVE-2019-9937: Fixed a denial of service related to interleaving reads and writes in a single transaction with an fts5 virtual table (bsc#1130325). ----------------------------------------- Patch: SUSE-2019-1152 Released: Fri May 3 18:06:09 2019 Summary: Recommended update for java-11-openjdk Severity: moderate References: 1131378 Description: This update for java-11-openjdk fixes the following issues: - Require update-ca-certificates by the headless subpackage (bsc#1131378) - Removed a font rendering patch with broke related to other font changes. ----------------------------------------- Patch: SUSE-2019-1156 Released: Mon May 6 13:46:07 2019 Summary: Security update for python-Jinja2 Severity: important References: 1125815,1132174,1132323,CVE-2016-10745,CVE-2019-10906,CVE-2019-8341 Description: This update for python-Jinja2 to version 2.10.1 fixes the following issues: Security issues fixed: - CVE-2019-8341: Fixed a command injection in from_string() (bsc#1125815). - CVE-2019-10906: Fixed a sandbox escape due to information disclosure via str.format (bsc#1132323). ----------------------------------------- Patch: SUSE-2019-1229 Released: Tue May 14 11:05:55 2019 Summary: Recommended update for sensors Severity: moderate References: 1108468,1116021 Description: This update for sensors fixes the following issues: sensors was updated to version 3.5.0: The following changes were done: + soname was bumped due to commit dcf2367 which introduced an ABI change. (This was reverted for the SUSE packages, as it was not necessary) + Fixed disappearance of certain hwmon chips with 4.19+ kernels (bsc#1116021). + Add the find-driver script for debugging. + Various documentation and man page improvements. + Fix various issues found by Coverity Scan. + Updated links in documentation to reflect the new home of lm_sensors. + sensors.1: Add reference to sensors-detect and document -j option (json output). + sensors: Add support for json output, add support for power min, lcrit, min_alarm, lcrit_alarm. + sensors-detect changes: * Fix systemd paths. * Add detection of Fintek F81768. * Only probe I/O ports on x86. * Add detection of Nuvoton NCT6793D. * Add detection of Microchip MCP9808. * Mark F71868A as supported by the f71882fg driver. * Mark F81768D as supported by the f71882fg driver. * Mark F81866D as supported by the f71882fg driver. * Add detection of various ITE chips. * Add detection of Nuvoton NCT6795D. * Add detection of DDR4 SPD. * Add detection of ITE IT8987D. * Add detection of AMD Family 17h temperature sensors. * Add detection of AMD KERNCZ SMBus controller. * Add detection of various Intel SMBus controllers. * Add detection of Giantec GT30TS00. * Add detection of ONS CAT34TS02C and CAT34TS04. * Add detection of AMD Family 15h Model 60+ temperature sensors. * Add detection of Nuvoton NCT6796D. * Add detection of AMD Family 15h Model 70+ temperature sensors. + configs: Add sample configuration files. + sensors.conf.default: * Add hardwired inputs of NCT6795D * Add hardwired inputs of F71868A * Add hardwired NCT6796D inputs + vt1211_pwm: replaced deprecated sub shell syntax, run with bash instead of sh. + pwmconfig: replaced deprecated sub shell syntax. + fancontrol: replaced deprecated sub shell syntax, save original pwm values. + fancontrol.8: replaced deprecated sub shell syntax. + libsensors: * Add support for SENSORS_BUS_TYPE_SCSI, add support for power min, lcrit, min_alarm, lcrit_alarm. * Handle hwmon device with thermal device parent (bsc#1108468). - Undo unnecessary libsensors version bump. - Undo the SENSORS_API_VERSION change, to stay source-compatible with upstream. ----------------------------------------- Patch: SUSE-2019-1368 Released: Tue May 28 13:15:38 2019 Summary: Recommended update for sles12sp3-docker-image, sles12sp4-image, system-user-root Severity: important References: 1134524,CVE-2019-5021 Description: This update for sles12sp3-docker-image, sles12sp4-image, system-user-root fixes the following issues: - CVE-2019-5021: Include an invalidated root password by default, not an empty one (bsc#1134524) ----------------------------------------- Patch: SUSE-2019-1372 Released: Tue May 28 16:53:28 2019 Summary: Security update for libtasn1 Severity: moderate References: 1105435,CVE-2018-1000654 Description: This update for libtasn1 fixes the following issues: Security issue fixed: - CVE-2018-1000654: Fixed a denial of service in the asn1 parser (bsc#1105435). ----------------------------------------- Patch: SUSE-2019-1492 Released: Thu Jun 13 14:51:01 2019 Summary: Recommended update for libidn Severity: low References: 1132869 Description: This update for libidn fixes the following issue: - The missing libidn11-32bit compat library package was provided. (bsc#1132869) ----------------------------------------- Patch: SUSE-2019-1691 Released: Mon Jun 24 16:21:37 2019 Summary: Recommended update for SUSE Manager Client Tools Severity: moderate References: 1095804,1103388,1103696,1104034,1118492,1120242,1125610,1125744,1128529,1128564,1129243,1129300,1130041,1130077,1131677,1132346,1133424,1134876,1136102,1138130,987798 Description: This update fixes the following issues: koan: - Require virt-install only for RHEL6/7. Other distributions accepting Recommends must use it as virt-install is not available sometimes (for example SLED) - Change virt-install from Reccommends to Require because this fixes RHEL 6 & 7 - Fix regex error in the files section - Remove Recursion in python_sitelib and remove non relevant parts of the specfile - Replace python2_sitelib macro with python_sitelib to fix build on older distros. - Remove duplicate file section entrys - Adjust Group Tag to Development/Libraries/Python to satisfy linter prometheus-node_exporter: - Add the package to the SLE Basesytem module. (fate#327287) rhnlib: - Add group to python*-rhnlib to fix building at SLE11 - Read SSL decoded buffer completely when no pending bytes on the underlying connection. - Fix encoding issues after porting to Python 3. - Sync changes from Spacewalk - 1652859 - python3 http.client does not contain _set_hostport() - Use rpm for debian packaging - Bump version to 4.0.0 (bsc#1104034) - Fix copyright for the package specfile (bsc#1103696) spacecmd: - Save SSM list on system delete and update cache (bsc#1130077, bsc#1125744) - Replace iteritems with items for python2/3 compat (bsc#1129243) - Fix python 3 bytes issue when handling config channels - Prevent spacecmd crashing when piping the output in Python 3 (bsc#1125610) - Fix compatibility with Python 3 - Add function to merge errata and packages through spacecmd (bsc#987798) - Bump version to 4.0.0 (bsc#1104034) - Fix copyright for the package specfile (bsc#1103696) spacewalk-backend: - Use new names in code for client tool packages which were renamed (bsc#1134876) - Fix password prompt within mgr-sign-metadata - Fix TypeError for 'errata.getErrataInfo' XMLRPC handler (bsc#1132346) - Fix typo in syncing product extensions (bsc#1118492) - Fix mgr-sign-metadata-ctl checking of exported keys. - Use suseLib.get_proxy to get the HTTP proxy configuration properly on DEB repos (bsc#1133424) - Add support for mirrorlist and metalink on Zypper reposync. - Solve situations where synced packages have epoch 0 but reposync does not find them them on the database. - Fix path to the RPM database used by Zypper at reposync. - Add makefile for python linter and unit/integration tests - Fix linking of packages in reposync (bsc#1131677) - Include arch to distinct latest packages on reposync. - Migrate missing spacewalk-cfg-get script to Python3 - Improve dependency solving algorithm for spacewalk-repo-sync. - Remove apache access_compat module and adapt config files - Add support for getting latest versions from RPM packages when running 'spacewalk-repo-sync' after migration to Zypper. - Include packages dependencies on 'spacewalk-repo-sync' when using filters for RPM packages. - Allow package filtering (name matching) on spacewalk-repo-sync after migrating away from yum. - Fix crash when importing new channel families on 'mgr-inter-sync' (bsc#1129300) - Make Zypper to use the spacewalk GPG keyring in reposync (bsc#1128529) - Fix: handle non-standard filenames for comps.xml (bsc#1120242) - Make reposync use and append token correctly to the URL - Fix invalid mode error when doing spacewalk-repo-sync on Ubuntu official repos. - Fix bootstrapping SLE15 traditional client (bsc#1128564) - Fix reading LOB objects with python3 - Fix 'mgr-inter-sync' problems after Python 3 migration. - Mgr-sign-metadata can optionally clear-sign metadata files - Allow errata import from local repositories. - Fix 'rhnpush' after migration to Python 3. - Fix package import issues when package encoding is ISO8859-1. - Fix issues with HTTP proxy and reposync. - Solve Python 3 problem and allow traditional registration. - Add 'python-urlgrabber' as a new dependency. - Fix Python3 issues on satellite_tools scripts - Use 'Zypper' and 'libsolv' in 'spacewalk-repo-sync'. Replace 'yum'. - Require the correct dependency for python-rpm to allow the Proxy to work with Python3 only - Make rhn-ssl-dbstore compatible with python3 - Take only text files from /srv/salt to make spacewalk-debug smaller (bsc#1103388) - Support mirroring of source packages - Make spacewalk-backend code compatible with Python 3 - Prepare spacewalk-backend packages to build on Python 3 - Replace PyPAM with python-python-pam - Bump version to 4.0.0 (bsc#1104034) - Fix copyright for the package specfile (bsc#1103696) - Disable Oracle support for openSUSE (bsc#1095804) spacewalk-client-tools: - Fix bootstrapping SLE15 traditional client (bsc#1128564) - Sync with Spacewalk - Add ability to work behind http proxies - 1666099 - python3 is picky about bytes and string - Fix testConfig.py - Use rpm for debian packaging - Bump version to 4.0.0 (bsc#1104034) - Fix copyright for the package specfile (bsc#1103696) - The rhnsd service was replaced by rhnsd timer, so registration script and systemd presets are now adapted to this (bsc#1138130) spacewalk-koan: - Fix building on openSUSE 15.0 - Add Uyuni URL to package - Bump version to 4.0.0 (bsc#1104034) - Fix copyright for the package specfile (bsc#1103696) spacewalk-oscap: - Fix python2 compilation on openSUSE - Add Uyuni URL to package - Bump version to 4.0.0 (bsc#1104034) - Fix copyright for the package specfile (bsc#1103696) spacewalk-remote-utils: - Sync changes from Spacewalk - 1649374 - Update spacewalk-remote-utils with RHEL 7.6 channel definitions - 1633532 - Use python-gpg instead of python-gpgme where possible - Add Uyuni URL to package - Bump version to 4.0.0 (bsc#1104034) - Fix copyright for the package specfile (bsc#1103696) spacewalk-usix: - Add compatibility with Python 3 - Use rpm for debian packaging - Bump version to 4.0.0 (bsc#1104034) - Fix copyright for the package specfile (bsc#1103696) supportutils-plugin-susemanager-client: - Bump version to 4.0.0 (bsc#1104034) - Fix copyright for the package specfile (bsc#1103696) suseRegisterInfo: - Make suseRegisterInfo compatible with Python 2 and 3 - Bump version to 4.0.0 (bsc#1104034) - Fix copyright for the package specfile (bsc#1103696) zypp-plugin-spacewalk: - Fix python syntax error in distupgrade (bsc#1136102) mgr-daemon: - rhnsd service was replaced by rhnsd timer (bsc#1138130) ----------------------------------------- Patch: SUSE-2019-1776 Released: Mon Jul 8 18:18:37 2019 Summary: Security update for zeromq Severity: important References: 1082318,1140255,CVE-2019-13132 Description: This update for zeromq fixes the following issues: - CVE-2019-13132: An unauthenticated remote attacker could have exploited a stack overflow vulnerability on a server that is supposed to be protected by encryption and authentication to potentially gain a remote code execution. (bsc#1140255) - Correctly mark license files as licence instead of documentation (bsc#1082318) ----------------------------------------- Patch: SUSE-2019-1804 Released: Wed Jul 10 10:40:44 2019 Summary: Security update for ruby-bundled-gems-rpmhelper, ruby2.5 Severity: important References: 1082007,1082008,1082009,1082010,1082011,1082014,1082058,1087433,1087434,1087436,1087437,1087440,1087441,1112530,1112532,1130028,1130611,1130617,1130620,1130622,1130623,1130627,1133790,CVE-2017-17742,CVE-2018-1000073,CVE-2018-1000074,CVE-2018-1000075,CVE-2018-1000076,CVE-2018-1000077,CVE-2018-1000078,CVE-2018-1000079,CVE-2018-16395,CVE-2018-16396,CVE-2018-6914,CVE-2018-8777,CVE-2018-8778,CVE-2018-8779,CVE-2018-8780,CVE-2019-8320,CVE-2019-8321,CVE-2019-8322,CVE-2019-8323,CVE-2019-8324,CVE-2019-8325 Description: This update for ruby2.5 and ruby-bundled-gems-rpmhelper fixes the following issues: Changes in ruby2.5: Update to 2.5.5 and 2.5.4: https://www.ruby-lang.org/en/news/2019/03/15/ruby-2-5-5-released/ https://www.ruby-lang.org/en/news/2019/03/13/ruby-2-5-4-released/ Security issues fixed: - CVE-2019-8320: Delete directory using symlink when decompressing tar (bsc#1130627) - CVE-2019-8321: Escape sequence injection vulnerability in verbose (bsc#1130623) - CVE-2019-8322: Escape sequence injection vulnerability in gem owner (bsc#1130622) - CVE-2019-8323: Escape sequence injection vulnerability in API response handling (bsc#1130620) - CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution (bsc#1130617) - CVE-2019-8325: Escape sequence injection vulnerability in errors (bsc#1130611) Ruby 2.5 was updated to 2.5.3: This release includes some bug fixes and some security fixes. Security issues fixed: - CVE-2018-16396: Tainted flags are not propagated in Array#pack and String#unpack with some directives (bsc#1112532) - CVE-2018-16395: OpenSSL::X509::Name equality check does not work correctly (bsc#1112530) Ruby 2.5 was updated to 2.5.1: This release includes some bug fixes and some security fixes. Security issues fixed: - CVE-2017-17742: HTTP response splitting in WEBrick (bsc#1087434) - CVE-2018-6914: Unintentional file and directory creation with directory traversal in tempfile and tmpdir (bsc#1087441) - CVE-2018-8777: DoS by large request in WEBrick (bsc#1087436) - CVE-2018-8778: Buffer under-read in String#unpack (bsc#1087433) - CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket (bsc#1087440) - CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in Dir (bsc#1087437) - Multiple vulnerabilities in RubyGems were fixed: - CVE-2018-1000079: Fixed path traversal issue during gem installation allows to write to arbitrary filesystem locations (bsc#1082058) - CVE-2018-1000075: Fixed infinite loop vulnerability due to negative size in tar header causes Denial of Service (bsc#1082014) - CVE-2018-1000078: Fixed XSS vulnerability in homepage attribute when displayed via gem server (bsc#1082011) - CVE-2018-1000077: Fixed that missing URL validation on spec home attribute allows malicious gem to set an invalid homepage URL (bsc#1082010) - CVE-2018-1000076: Fixed improper verification of signatures in tarball allows to install mis-signed gem (bsc#1082009) - CVE-2018-1000074: Fixed unsafe Object Deserialization Vulnerability in gem owner allowing arbitrary code execution on specially crafted YAML (bsc#1082008) - CVE-2018-1000073: Fixed path traversal when writing to a symlinked basedir outside of the root (bsc#1082007) Other changes: - Fixed Net::POPMail methods modify frozen literal when using default arg - ruby: change over of the Japanese Era to the new emperor May 1st 2019 (bsc#1133790) - build with PIE support (bsc#1130028) Changes in ruby-bundled-gems-rpmhelper: - Add a new helper for bundled ruby gems. ----------------------------------------- Patch: SUSE-2019-1807 Released: Wed Jul 10 13:13:21 2019 Summary: Recommended update for java-11-openjdk Severity: moderate References: 1137264 Description: This update ships the OpenJDK LTS version 11 in the java-11-openjdk packages. (FATE#326347 bsc#1137264) ----------------------------------------- Patch: SUSE-2019-2002 Released: Mon Jul 29 13:00:27 2019 Summary: Security update for java-11-openjdk Severity: important References: 1115375,1140461,1141780,1141781,1141782,1141783,1141784,1141785,1141787,1141788,1141789,CVE-2019-2745,CVE-2019-2762,CVE-2019-2766,CVE-2019-2769,CVE-2019-2786,CVE-2019-2816,CVE-2019-2818,CVE-2019-2821,CVE-2019-7317 Description: This update for java-11-openjdk to version jdk-11.0.4+11 fixes the following issues: Security issues fixed: - CVE-2019-2745: Improved ECC Implementation (bsc#1141784). - CVE-2019-2762: Exceptional throw cases (bsc#1141782). - CVE-2019-2766: Improve file protocol handling (bsc#1141789). - CVE-2019-2769: Better copies of CopiesList (bsc#1141783). - CVE-2019-2786: More limited privilege usage (bsc#1141787). - CVE-2019-7317: Improve PNG support options (bsc#1141780). - CVE-2019-2818: Better Poly1305 support (bsc#1141788). - CVE-2019-2816: Normalize normalization (bsc#1141785). - CVE-2019-2821: Improve TLS negotiation (bsc#1141781). - Certificate validation improvements Non-security issues fixed: - Do not fail installation when the manpages are not present (bsc#1115375) - Backport upstream fix for JDK-8208602: Cannot read PEM X.509 cert if there is whitespace after the header or footer (bsc#1140461) ----------------------------------------- Patch: SUSE-2019-2142 Released: Wed Aug 14 18:14:04 2019 Summary: Recommended update for mozilla-nspr, mozilla-nss Severity: moderate References: 1141322 Description: This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nss was updated to NSS 3.45 (bsc#1141322) : * New function in pk11pub.h: PK11_FindRawCertsWithSubject * The following CA certificates were Removed: CN = Certinomis - Root CA (bmo#1552374) * Implement Delegated Credentials (draft-ietf-tls-subcerts) (bmo#1540403) This adds a new experimental function SSL_DelegateCredential Note: In 3.45, selfserv does not yet support delegated credentials (See bmo#1548360). Note: In 3.45 the SSLChannelInfo is left unmodified, while an upcoming change in 3.46 will set SSLChannelInfo.authKeyBits to that of the delegated credential for better policy enforcement (See bmo#1563078). * Replace ARM32 Curve25519 implementation with one from fiat-crypto (bmo#1550579) * Expose a function PK11_FindRawCertsWithSubject for finding certificates with a given subject on a given slot (bmo#1552262) * Add IPSEC IKE support to softoken (bmo#1546229) * Add support for the Elbrus lcc compiler (<=1.23) (bmo#1554616) * Expose an external clock for SSL (bmo#1543874) This adds new experimental functions: SSL_SetTimeFunc, SSL_CreateAntiReplayContext, SSL_SetAntiReplayContext, and SSL_ReleaseAntiReplayContext. The experimental function SSL_InitAntiReplay is removed. * Various changes in response to the ongoing FIPS review (bmo#1546477) Note: The source package size has increased substantially due to the new FIPS test vectors. This will likely prompt follow-on work, but please accept our apologies in the meantime. mozilla-nspr was updated to version 4.21 * Changed prbit.h to use builtin function on aarch64. * Removed Gonk/B2G references. ----------------------------------------- Patch: SUSE-2019-2218 Released: Mon Aug 26 11:29:57 2019 Summary: Recommended update for pinentry Severity: moderate References: 1141883 Description: This update for pinentry fixes the following issues: - Fix a dangling pointer in qt/main.cpp that caused crashes. (bsc#1141883) ----------------------------------------- Patch: SUSE-2019-2483 Released: Fri Sep 27 14:16:23 2019 Summary: Optional update for python3-google-api-python-client, python3-httplib2, python3-oauth2client, and python3-uritemplate. Severity: low References: 1088358 Description: This update ships python3-google-api-python-client, python3-httplib2, python3-oauth2client, and python3-uritemplate for the SUSE Linux Enterprise Public Cloud 15 module. ----------------------------------------- Patch: SUSE-2019-2533 Released: Thu Oct 3 15:02:50 2019 Summary: Security update for sqlite3 Severity: moderate References: 1150137,CVE-2019-16168 Description: This update for sqlite3 fixes the following issues: Security issue fixed: - CVE-2019-16168: Fixed improper validation of sqlite_stat1 field that could lead to denial of service (bsc#1150137). ----------------------------------------- Patch: SUSE-2019-2681 Released: Tue Oct 15 22:01:40 2019 Summary: Recommended update for libdb-4_8 Severity: moderate References: 1148244 Description: This update for libdb-4_8 fixes the following issues: - Add off-page deadlock patch as found and documented by Red Hat. (bsc#1148244) ----------------------------------------- Patch: SUSE-2019-2702 Released: Wed Oct 16 18:41:30 2019 Summary: Security update for gcc7 Severity: moderate References: 1071995,1141897,1142649,1148517,1149145,CVE-2019-14250,CVE-2019-15847 Description: This update for gcc7 to r275405 fixes the following issues: Security issues fixed: - CVE-2019-14250: Fixed an integer overflow in binutils (bsc#1142649). - CVE-2019-15847: Fixed an optimization in the POWER9 backend of gcc that could reduce the entropy of the random number generator (bsc#1149145). Non-security issue fixed: - Move Live Patching technology stack from kGraft to upstream klp (bsc#1071995, fate#323487). ----------------------------------------- Patch: SUSE-2019-2730 Released: Mon Oct 21 16:04:57 2019 Summary: Security update for procps Severity: important References: 1092100,1121753,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126 Description: This update for procps fixes the following issues: procps was updated to 3.3.15. (bsc#1092100) Following security issues were fixed: - CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100). - CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps maped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100). - CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100). - CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100). - CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100). Also this non-security issue was fixed: - Fix CPU summary showing old data. (bsc#1121753) The update to 3.3.15 contains the following fixes: * library: Increment to 8:0:1 No removals, no new functions Changes: slab and pid structures * library: Just check for SIGLOST and don't delete it * library: Fix integer overflow and LPE in file2strvec CVE-2018-1124 * library: Use size_t for alloc functions CVE-2018-1126 * library: Increase comm size to 64 * pgrep: Fix stack-based buffer overflow CVE-2018-1125 * pgrep: Remove >15 warning as comm can be longer * ps: Fix buffer overflow in output buffer, causing DOS CVE-2018-1123 * ps: Increase command name selection field to 64 * top: Don't use cwd for location of config CVE-2018-1122 * update translations * library: build on non-glibc systems * free: fix scaling on 32-bit systems * Revert 'Support running with child namespaces' * library: Increment to 7:0:1 No changes, no removals New fuctions: numa_init, numa_max_node, numa_node_of_cpu, numa_uninit, xalloc_err_handler * doc: Document I idle state in ps.1 and top.1 * free: fix some of the SI multiples * kill: -l space between name parses correctly * library: dont use vm_min_free on non Linux * library: don't strip off wchan prefixes (ps & top) * pgrep: warn about 15+ char name only if -f not used * pgrep/pkill: only match in same namespace by default * pidof: specify separator between pids * pkill: Return 0 only if we can kill process * pmap: fix duplicate output line under '-x' option * ps: avoid eip/esp address truncations * ps: recognizes SCHED_DEADLINE as valid CPU scheduler * ps: display NUMA node under which a thread ran * ps: Add seconds display for cputime and time * ps: Add LUID field * sysctl: Permit empty string for value * sysctl: Don't segv when file not available * sysctl: Read and write large buffers * top: add config file support for XDG specification * top: eliminated minor libnuma memory leak * top: show fewer memory decimal places (configurable) * top: provide command line switch for memory scaling * top: provide command line switch for CPU States * top: provides more accurate cpu usage at startup * top: display NUMA node under which a thread ran * top: fix argument parsing quirk resulting in SEGV * top: delay interval accepts non-locale radix point * top: address a wishlist man page NLS suggestion * top: fix potential distortion in 'Mem' graph display * top: provide proper multi-byte string handling * top: startup defaults are fully customizable * watch: define HOST_NAME_MAX where not defined * vmstat: Fix alignment for disk partition format * watch: Support ANSI 39,49 reset sequences ----------------------------------------- Patch: SUSE-2019-2779 Released: Thu Oct 24 16:57:42 2019 Summary: Security update for binutils Severity: moderate References: 1109412,1109413,1109414,1111996,1112534,1112535,1113247,1113252,1113255,1116827,1118644,1118830,1118831,1120640,1121034,1121035,1121056,1133131,1133232,1141913,1142772,1152590,1154016,1154025,CVE-2018-1000876,CVE-2018-17358,CVE-2018-17359,CVE-2018-17360,CVE-2018-17985,CVE-2018-18309,CVE-2018-18483,CVE-2018-18484,CVE-2018-18605,CVE-2018-18606,CVE-2018-18607,CVE-2018-19931,CVE-2018-19932,CVE-2018-20623,CVE-2018-20651,CVE-2018-20671,CVE-2018-6323,CVE-2018-6543,CVE-2018-6759,CVE-2018-6872,CVE-2018-7208,CVE-2018-7568,CVE-2018-7569,CVE-2018-7570,CVE-2018-7642,CVE-2018-7643,CVE-2018-8945,CVE-2019-1010180,ECO-368,SLE-6206 Description: This update for binutils fixes the following issues: binutils was updated to current 2.32 branch [jsc#ECO-368]. Includes following security fixes: - CVE-2018-17358: Fixed invalid memory access in _bfd_stab_section_find_nearest_line in syms.c (bsc#1109412) - CVE-2018-17359: Fixed invalid memory access exists in bfd_zalloc in opncls.c (bsc#1109413) - CVE-2018-17360: Fixed heap-based buffer over-read in bfd_getl32 in libbfd.c (bsc#1109414) - CVE-2018-17985: Fixed a stack consumption problem caused by the cplus_demangle_type (bsc#1116827) - CVE-2018-18309: Fixed an invalid memory address dereference was discovered in read_reloc in reloc.c (bsc#1111996) - CVE-2018-18483: Fixed get_count function provided by libiberty that allowed attackers to cause a denial of service or other unspecified impact (bsc#1112535) - CVE-2018-18484: Fixed stack exhaustion in the C++ demangling functions provided by libiberty, caused by recursive stack frames (bsc#1112534) - CVE-2018-18605: Fixed a heap-based buffer over-read issue was discovered in the function sec_merge_hash_lookup causing a denial of service (bsc#1113255) - CVE-2018-18606: Fixed a NULL pointer dereference in _bfd_add_merge_section when attempting to merge sections with large alignments, causing denial of service (bsc#1113252) - CVE-2018-18607: Fixed a NULL pointer dereference in elf_link_input_bfd when used for finding STT_TLS symbols without any TLS section, causing denial of service (bsc#1113247) - CVE-2018-19931: Fixed a heap-based buffer overflow in bfd_elf32_swap_phdr_in in elfcode.h (bsc#1118831) - CVE-2018-19932: Fixed an integer overflow and infinite loop caused by the IS_CONTAINED_BY_LMA (bsc#1118830) - CVE-2018-20623: Fixed a use-after-free in the error function in elfcomm.c (bsc#1121035) - CVE-2018-20651: Fixed a denial of service via a NULL pointer dereference in elf_link_add_object_symbols in elflink.c (bsc#1121034) - CVE-2018-20671: Fixed an integer overflow that can trigger a heap-based buffer overflow in load_specific_debug_section in objdump.c (bsc#1121056) - CVE-2018-1000876: Fixed integer overflow in bfd_get_dynamic_reloc_upper_bound,bfd_canonicalize_dynamic_reloc in objdump (bsc#1120640) - CVE-2019-1010180: Fixed an out of bound memory access that could lead to crashes (bsc#1142772) - enable xtensa architecture (Tensilica lc6 and related) - Use -ffat-lto-objects in order to provide assembly for static libs (bsc#1141913). - Fixed some LTO build issues (bsc#1133131 bsc#1133232). - riscv: Don't check ABI flags if no code section - Fixed a segfault in ld when building some versions of pacemaker (bsc#1154025, bsc#1154016). - Add avr, epiphany and rx to target_list so that the common binutils can handle all objects we can create with crosses (bsc#1152590). Update to binutils 2.32: * The binutils now support for the C-SKY processor series. * The x86 assembler now supports a -mvexwig=[0|1] option to control encoding of VEX.W-ignored (WIG) VEX instructions. It also has a new -mx86-used-note=[yes|no] option to generate (or not) x86 GNU property notes. * The MIPS assembler now supports the Loongson EXTensions R2 (EXT2), the Loongson EXTensions (EXT) instructions, the Loongson Content Address Memory (CAM) ASE and the Loongson MultiMedia extensions Instructions (MMI) ASE. * The addr2line, c++filt, nm and objdump tools now have a default limit on the maximum amount of recursion that is allowed whilst demangling strings. This limit can be disabled if necessary. * Objdump's --disassemble option can now take a parameter, specifying the starting symbol for disassembly. Disassembly will continue from this symbol up to the next symbol or the end of the function. * The BFD linker will now report property change in linker map file when merging GNU properties. * The BFD linker's -t option now doesn't report members within archives, unless -t is given twice. This makes it more useful when generating a list of files that should be packaged for a linker bug report. * The GOLD linker has improved warning messages for relocations that refer to discarded sections. - Improve relro support on s390 [fate#326356] - Fix broken debug symbols (bsc#1118644) - Handle ELF compressed header alignment correctly. ----------------------------------------- Patch: SUSE-2019-2993 Released: Mon Nov 18 11:52:23 2019 Summary: Recommended update for tftp Severity: moderate References: 1153625 Description: This update for tftp fixes the following issues: - Add tftp.socket requirement to the service unit section. (bsc#1153625) ----------------------------------------- Patch: SUSE-2019-2997 Released: Mon Nov 18 15:16:38 2019 Summary: Security update for ncurses Severity: moderate References: 1103320,1154036,1154037,CVE-2019-17594,CVE-2019-17595 Description: This update for ncurses fixes the following issues: Security issues fixed: - CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036). - CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037). Non-security issue fixed: - Removed screen.xterm from terminfo database (bsc#1103320). ----------------------------------------- Patch: SUSE-2019-2998 Released: Mon Nov 18 15:17:23 2019 Summary: Security update for java-11-openjdk Severity: important References: 1152856,1154212,CVE-2019-2894,CVE-2019-2933,CVE-2019-2945,CVE-2019-2949,CVE-2019-2958,CVE-2019-2962,CVE-2019-2964,CVE-2019-2973,CVE-2019-2975,CVE-2019-2977,CVE-2019-2978,CVE-2019-2981,CVE-2019-2983,CVE-2019-2987,CVE-2019-2988,CVE-2019-2989,CVE-2019-2992,CVE-2019-2999 Description: This update for java-11-openjdk to version jdk-11.0.5-10 fixes the following issues: Security issues fixed (October 2019 CPU bsc#1154212): - CVE-2019-2933: Windows file handling redux - CVE-2019-2945: Better socket support - CVE-2019-2949: Better Kerberos ccache handling - CVE-2019-2958: Build Better Processes - CVE-2019-2964: Better support for patterns - CVE-2019-2962: Better Glyph Images - CVE-2019-2973: Better pattern compilation - CVE-2019-2975: Unexpected exception in jjs - CVE-2019-2978: Improved handling of jar files - CVE-2019-2977: Improve String index handling - CVE-2019-2981: Better Path supports - CVE-2019-2983: Better serial attributes - CVE-2019-2987: Better rendering of native glyphs - CVE-2019-2988: Better Graphics2D drawing - CVE-2019-2989: Improve TLS connection support - CVE-2019-2992: Enhance font glyph mapping - CVE-2019-2999: Commentary on Javadoc comments - CVE-2019-2894: Enhance ECDSA operations (bsc#1152856). ----------------------------------------- Patch: SUSE-2019-3061 Released: Mon Nov 25 17:34:22 2019 Summary: Security update for gcc9 Severity: moderate References: 1114592,1135254,1141897,1142649,1142654,1148517,1149145,CVE-2019-14250,CVE-2019-15847,SLE-6533,SLE-6536 Description: This update includes the GNU Compiler Collection 9. A full changelog is provided by the GCC team on: https://www.gnu.org/software/gcc/gcc-9/changes.html The base system compiler libraries libgcc_s1, libstdc++6 and others are now built by the gcc 9 packages. To use it, install 'gcc9' or 'gcc9-c++' or other compiler brands and use CC=gcc-9 / CXX=g++-9 during configuration for using it. Security issues fixed: - CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145) - CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649) Non-security issues fixed: - Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254) - Fixed miscompilation for vector shift on s390. (bsc#1141897) ----------------------------------------- Patch: SUSE-2019-3086 Released: Thu Nov 28 10:02:24 2019 Summary: Security update for libidn2 Severity: moderate References: 1154884,1154887,CVE-2019-12290,CVE-2019-18224 Description: This update for libidn2 to version 2.2.0 fixes the following issues: - CVE-2019-12290: Fixed an improper round-trip check when converting A-labels to U-labels (bsc#1154884). - CVE-2019-18224: Fixed a heap-based buffer overflow that was caused by long domain strings (bsc#1154887). ----------------------------------------- Patch: SUSE-2019-3205 Released: Mon Dec 9 13:48:28 2019 Summary: Recommended update for insserv-compat Severity: moderate References: 1052837,1133306 Description: This update for insserv-compat fixes the following issues: - Fix handling of start parameters. (bsc#1133306) - Remove unnecessary entry from configuration file. (bsc#1052837) ----------------------------------------- Patch: SUSE-2019-3361 Released: Thu Dec 19 18:54:43 2019 Summary: Recommended update for SUSE Manager Client Tools Severity: moderate References: 1113160,1131556,1143913,1146683,1152722,1153090,1154968,1156211,1156397,1156521 Description: This update fixes the following issues: golang-github-lusitaniae-apache_exporter: - Handle OS TERM signals - Add option to override host name golang-github-prometheus-prometheus: - Patch macros on spec file to support builds on SLE 12 - Remove prometheus.firewall.xml source file - Remove firewalld files. They are installed in the main firewalld package. - Update Uyuni/SUSE Manager service discovery patch + Fixes crashes when systems have no FQDN + Adds Parallel calls to Uyuni API, meaningful performance increase + Adds Support for system group labels - Do not install the firewalld config file on Tumbleweed (on versions newer than Leap 15.1). It's installed in the main firewalld package. - reorder some %install tasks - Add network-online (Wants and After) dependency to systemd unit bsc#1143913 - Only package required files (reduces rpm size by 4 MB) - Add sysconfig file - Add firewall config file - Use variables for defining user and group koan: - Fix auto installing VMs (bsc#1156211) rhnlib: - Fix malformed XML response when data contains non-ASCII chars (bsc#1154968) spacecmd: - Enable building and installing for Ubuntu 16.04 and Ubuntu 18.04 - Prevent error when piping stdout in Python 2 (bsc#1153090) spacewalk-backend: - Fix specfile for systems that do not yet use systemd - Fix spacewalk-update-signatures for python3 (bsc#1156521) - Fix problems with Package Hub repos having multiple rpms with same NEVRA but different checksums (bsc#1146683) - Add systemd service macros for diskcheck.service - Port diskcheck utility to 4.0.3 branch (bsc#1156397) - Use active values for diskchecker mails - Do not require parameters to start on column 1 - Add Requires: systemd for completeness - Create /usr/lib/systemd/systemd during build - BuildRequires: systemd for spacewalk-diskcheck - Add option spacecheck_shutdown; tidy up wording of notifications - Add disk space checker script - Fix broken spacewalk-data-fsck utility (bsc#1131556) spacewalk-client-tools: - Skip dmidecode data on aarch64 to prevent coredump (bsc#1113160) spacewalk-koan: - Gfx_type needs to default to 'vnc' (bsc#1156211) zypp-plugin-spacewalk: - Prevent possible encoding issues on Python 3 (bsc#1152722) ----------------------------------------- Patch: SUSE-2019-3395 Released: Mon Dec 30 14:05:06 2019 Summary: Security update for mozilla-nspr, mozilla-nss Severity: moderate References: 1141322,1158527,1159819,CVE-2018-18508,CVE-2019-11745,CVE-2019-17006 Description: This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nss was updated to NSS 3.47.1: Security issues fixed: - CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819). - CVE-2019-11745: EncryptUpdate should use maxout, not block size (bsc#1158527). - CVE-2019-11727: Fixed vulnerability sign CertificateVerify with PKCS#1 v1.5 signatures issue (bsc#1141322). mozilla-nspr was updated to version 4.23: - Whitespace in C files was cleaned up and no longer uses tab characters for indenting. ----------------------------------------- Patch: SUSE-2019-3400 Released: Tue Dec 31 08:18:40 2019 Summary: Recommended update for libsodium Severity: moderate References: 1146257 Description: This update for libsodium fixes the following issues: - build libsodium23-32bit, which is required by zeromq's -32bit packages. (bsc#1146257) ----------------------------------------- Patch: SUSE-2020-10 Released: Thu Jan 2 12:35:06 2020 Summary: Recommended update for gcc7 Severity: moderate References: 1146475 Description: This update for gcc7 fixes the following issues: - Fix miscompilation with thread-safe localstatic initialization (gcc#85887). - Fix debug info created for array definitions that complete an earlier declaration (bsc#1146475). ----------------------------------------- Patch: SUSE-2020-213 Released: Wed Jan 22 15:38:15 2020 Summary: Security update for java-11-openjdk Severity: important References: 1160968,CVE-2020-2583,CVE-2020-2590,CVE-2020-2593,CVE-2020-2601,CVE-2020-2604,CVE-2020-2654,CVE-2020-2655 Description: This update for java-11-openjdk fixes the following issues: Update to version jdk-11.0.6-10 (January 2020 CPU, bsc#1160968) Fixing these security related issues: - CVE-2020-2583: Unlink Set of LinkedHashSets - CVE-2020-2590: Improve Kerberos interop capabilities - CVE-2020-2593: Normalize normalization for all - CVE-2020-2601: Better Ticket Granting Services - CVE-2020-2604: Better serial filter handling - CVE-2020-2655: Better TLS messaging support - CVE-2020-2654: Improve Object Identifier Processing ----------------------------------------- Patch: SUSE-2020-225 Released: Fri Jan 24 06:49:07 2020 Summary: Recommended update for procps Severity: moderate References: 1158830 Description: This update for procps fixes the following issues: - Fix for 'ps -C' allowing to accept any arguments longer than 15 characters anymore. (bsc#1158830) ----------------------------------------- Patch: SUSE-2020-338 Released: Thu Feb 6 13:00:23 2020 Summary: Recommended update for apr Severity: moderate References: 1151059 Description: This update for apr fixes the following issues: - Increase timeout to fix random failure of testsuite [bsc#1151059]. ----------------------------------------- Patch: SUSE-2020-362 Released: Fri Feb 7 11:14:20 2020 Summary: Recommended update for libXi Severity: moderate References: 1153311 Description: This update for libXi fixes the following issue: - The libXi6-32bit library on x86_64 are now shipped in the Basesystem module. (bsc#1153311) ----------------------------------------- Patch: SUSE-2020-395 Released: Tue Feb 18 14:16:48 2020 Summary: Recommended update for gcc7 Severity: moderate References: 1160086 Description: This update for gcc7 fixes the following issue: - Fixed a miscompilation in zSeries code (bsc#1160086) ----------------------------------------- Patch: SUSE-2020-453 Released: Tue Feb 25 10:51:53 2020 Summary: Recommended update for binutils Severity: moderate References: 1160590 Description: This update for binutils fixes the following issues: - Recognize the official name of s390 arch13: 'z15'. (bsc#1160590, jsc#SLE-7903 aka jsc#SLE-7464) ----------------------------------------- Patch: SUSE-2020-525 Released: Fri Feb 28 11:49:36 2020 Summary: Recommended update for pam Severity: moderate References: 1164562 Description: This update for pam fixes the following issues: - Add libdb as build-time dependency to enable pam_userdb module. Enable pam_userdb.so (jsc#sle-7258, bsc#1164562) ----------------------------------------- Patch: SUSE-2020-556 Released: Mon Mar 2 13:32:14 2020 Summary: Recommended update for 389-ds Severity: moderate References: 1155951 Description: This update for 389-ds to version 1.4.2.2 fixes the following issues: 389-ds was updated to 1.4.2.6 (fate#326677, bsc#1155951), bringing many bug and stability fixes. Issue addressed: - Enabled python lib389 installer tooling to match upstream and suse documentation. More information for this release at: https://directory.fedoraproject.org/docs/389ds/releases/release-1-4-2-1.html ----------------------------------------- Patch: SUSE-2020-689 Released: Fri Mar 13 17:09:01 2020 Summary: Recommended update for pam Severity: moderate References: 1166510 Description: This update for PAM fixes the following issue: - The license of libdb linked against pam_userdb is not always wanted, so we temporary disabled pam_userdb again. It will be published in a different package at a later time. (bsc#1166510) ----------------------------------------- Patch: SUSE-2020-737 Released: Fri Mar 20 13:47:16 2020 Summary: Recommended update for ruby2.5 Severity: important References: 1140844,1152990,1152992,1152994,1152995,1162396,1164804,CVE-2012-6708,CVE-2015-9251,CVE-2019-15845,CVE-2019-16201,CVE-2019-16254,CVE-2019-16255,CVE-2020-8130 Description: This update for ruby2.5 toversion 2.5.7 fixes the following issues: ruby 2.5 was updated to version 2.5.7 - CVE-2020-8130: Fixed a command injection in intree copy of rake (bsc#1164804). - CVE-2019-16255: Fixed a code injection vulnerability of Shell#[] and Shell#test (bsc#1152990). - CVE-2019-16254: Fixed am HTTP response splitting in WEBrick (bsc#1152992). - CVE-2019-15845: Fixed a null injection vulnerability of File.fnmatch and File.fnmatch? (bsc#1152994). - CVE-2019-16201: Fixed a regular expression denial of service of WEBrick Digest access authentication (bsc#1152995). - CVE-2012-6708: Fixed an XSS in JQuery - CVE-2015-9251: Fixed an XSS in JQuery - Fixed unit tests (bsc#1140844) - Removed some unneeded test files (bsc#1162396). ----------------------------------------- Patch: SUSE-2020-917 Released: Fri Apr 3 15:02:25 2020 Summary: Recommended update for pam Severity: moderate References: 1166510 Description: This update for pam fixes the following issues: - Moved pam_userdb into a separate package pam-extra. (bsc#1166510) ----------------------------------------- Patch: SUSE-2020-948 Released: Wed Apr 8 07:44:21 2020 Summary: Security update for gmp, gnutls, libnettle Severity: moderate References: 1152692,1155327,1166881,1168345,CVE-2020-11501 Description: This update for gmp, gnutls, libnettle fixes the following issues: Security issue fixed: - CVE-2020-11501: Fixed zero random value in DTLS client hello (bsc#1168345) FIPS related bugfixes: - FIPS: Install checksums for binary integrity verification which are required when running in FIPS mode (bsc#1152692, jsc#SLE-9518) - FIPS: Fixed a cfb8 decryption issue, no longer truncate output IV if input is shorter than block size. (bsc#1166881) - FIPS: Added Diffie Hellman public key verification test. (bsc#1155327) ----------------------------------------- Patch: SUSE-2020-693 Released: Wed Apr 8 14:11:14 2020 Summary: Security update for wireshark Severity: moderate References: 1093733,1094301,1101776,1101777,1101786,1101788,1101791,1101794,1101800,1101802,1101804,1101810,1106514,1111647,1117740,1121231,1121232,1121233,1121234,1121235,1127367,1127369,1127370,1131941,1131945,1136021,1141980,1150690,1156288,1158505,1161052,1165241,1165710,957624,CVE-2018-11354,CVE-2018-11355,CVE-2018-11356,CVE-2018-11357,CVE-2018-11358,CVE-2018-11359,CVE-2018-11360,CVE-2018-11361,CVE-2018-11362,CVE-2018-12086,CVE-2018-14339,CVE-2018-14340,CVE-2018-14341,CVE-2018-14342,CVE-2018-14343,CVE-2018-14344,CVE-2018-14367,CVE-2018-14368,CVE-2018-14369,CVE-2018-14370,CVE-2018-16056,CVE-2018-16057,CVE-2018-16058,CVE-2018-18225,CVE-2018-18226,CVE-2018-18227,CVE-2018-19622,CVE-2018-19623,CVE-2018-19624,CVE-2018-19625,CVE-2018-19626,CVE-2018-19627,CVE-2018-19628,CVE-2019-10894,CVE-2019-10895,CVE-2019-10896,CVE-2019-10897,CVE-2019-10898,CVE-2019-10899,CVE-2019-10900,CVE-2019-10901,CVE-2019-10902,CVE-2019-10903,CVE-2019-13619,CVE-2019-16319,CVE-2019-19553,CVE-2019-5716,CVE-2019-5717,CVE-2019-5718,CVE-2019-5719,CVE-2019-5721,CVE-2019-9208,CVE-2019-9209,CVE-2019-9214,CVE-2020-7044,CVE-2020-9428,CVE-2020-9429,CVE-2020-9430,CVE-2020-9431 Description: This update for wireshark and libmaxminddb fixes the following issues: Update wireshark to new major version 3.2.2 and introduce libmaxminddb for GeoIP support (bsc#1156288). New features include: - Added support for 111 new protocols, including WireGuard, LoRaWAN, TPM 2.0, 802.11ax and QUIC - Improved support for existing protocols, like HTTP/2 - Improved analytics and usability functionalities ----------------------------------------- Patch: SUSE-2020-995 Released: Wed Apr 15 08:30:39 2020 Summary: Security update for ruby2.5 Severity: moderate References: 1167244,1168938,CVE-2020-10663,CVE-2020-10933 Description: This update for ruby2.5 to version 2.5.8 fixes the following issues: - CVE-2020-10663: Unsafe Object Creation Vulnerability in JSON (bsc#1167244). - CVE-2020-10933: Heap exposure vulnerability in the socket library (bsc#1168938). ----------------------------------------- Patch: SUSE-2020-1037 Released: Mon Apr 20 10:49:39 2020 Summary: Recommended update for python-pytest Severity: low References: 1002895,1107105,1138666,1167732 Description: This update fixes the following issues: New python-pytest versions are provided. In Basesystem: - python3-pexpect: updated to 4.8.0 - python3-py: updated to 1.8.1 - python3-zipp: shipped as dependency in version 0.6.0 In Python2: - python2-pexpect: updated to 4.8.0 - python2-py: updated to 1.8.1 ----------------------------------------- Patch: SUSE-2020-1226 Released: Fri May 8 10:51:05 2020 Summary: Recommended update for gcc9 Severity: moderate References: 1149995,1152590,1167898 Description: This update for gcc9 fixes the following issues: This update ships the GCC 9.3 release. - Includes a fix for Internal compiler error when building HepMC (bsc#1167898) - Includes fix for binutils version parsing - Add libstdc++6-pp provides and conflicts to avoid file conflicts with same minor version of libstdc++6-pp from gcc10. - Add gcc9 autodetect -g at lto link (bsc#1149995) - Install go tool buildid for bootstrapping go ----------------------------------------- Patch: SUSE-2020-1261 Released: Tue May 12 18:40:18 2020 Summary: Recommended update for hwdata Severity: moderate References: 1168806 Description: This update for hwdata fixes the following issues: Update from version 0.320 to version 0.324 (bsc#1168806) - Updated pci, usb and vendor ids. - Replace pciutils-ids package providing compatibility symbolic link ----------------------------------------- Patch: SUSE-2020-1280 Released: Thu May 14 14:27:51 2020 Summary: Recommended update for postgresql, postgresql10, postgresql12 Severity: moderate References: 1138034,1151591,1153168,1163985,1167541,CVE-2019-10164,CVE-2020-1720 Description: This update for postgresql, postgresql10, postgresql12 fixes the following issues: Changes in the postgresql wrapper package: - Sync ownership of /run/postgresql in the file list with tmpfiles. - Use the correct content for .bash_profile (bsc#1153168). - Stop shipping SUSEfirewall2 config files (bsc#1151591). - Use /run/postgresql instead of /var/run/postgresql in %ghost and postgresql-tmpfiles.conf to avoid rpmlint warnings and errors. - add /var/run/postgresql to the filelist. as %ghost for systemd systems and directly for non systemd systems Changes in postgresql10: - packaging changed to no longer build the libraries, these now come from postgresql12. Changes in postgresql12: Initial package for the postgresql 12 branch https://www.postgresql.org/about/news/1976/ - Update to 12.2 (CVE-2020-1720) https://www.postgresql.org/about/news/2011/ https://www.postgresql.org/docs/12/release-12-2.html - Avoid the dependency from the devel package to the main package. devel packages are exclusive, thus ecpg does not require update-alternatives. - Remove unused build dependencies from the client libs package: LVM, icu, selinux, systemd. - Update to 12.1 https://www.postgresql.org/docs/12/release-12-1.html https://www.postgresql.org/about/news/1994/ - add requires to the server-devel package for the libs that are returned by pg_config --libs python-psycopg2 was updated to 2.8.4 to allow working with postgresql12. ----------------------------------------- Patch: SUSE-2020-1294 Released: Mon May 18 07:38:36 2020 Summary: Security update for file Severity: moderate References: 1154661,1169512,CVE-2019-18218 Description: This update for file fixes the following issues: Security issues fixed: - CVE-2019-18218: Fixed a heap-based buffer overflow in cdf_read_property_info() (bsc#1154661). Non-security issue fixed: - Fixed broken '--help' output (bsc#1169512). ----------------------------------------- Patch: SUSE-2020-1328 Released: Mon May 18 17:16:04 2020 Summary: Recommended update for grep Severity: moderate References: 1155271 Description: This update for grep fixes the following issues: - Update testsuite expectations, no functional changes (bsc#1155271) ----------------------------------------- Patch: SUSE-2020-1353 Released: Wed May 20 13:02:32 2020 Summary: Security update for freetype2 Severity: moderate References: 1079603,1091109,CVE-2018-6942 Description: This update for freetype2 to version 2.10.1 fixes the following issues: Security issue fixed: - CVE-2018-6942: Fixed a NULL pointer dereference within ttinerp.c (bsc#1079603). Non-security issues fixed: - Update to version 2.10.1 * The bytecode hinting of OpenType variation fonts was flawed, since the data in the `CVAR' table wasn't correctly applied. * Auto-hinter support for Mongolian. * The handling of the default character in PCF fonts as introduced in version 2.10.0 was partially broken, causing premature abortion of charmap iteration for many fonts. * If `FT_Set_Named_Instance' was called with the same arguments twice in a row, the function returned an incorrect error code the second time. * Direct rendering using FT_RASTER_FLAG_DIRECT crashed (bug introduced in version 2.10.0). * Increased precision while computing OpenType font variation instances. * The flattening algorithm of cubic Bezier curves was slightly changed to make it faster. This can cause very subtle rendering changes, which aren't noticeable by the eye, however. * The auto-hinter now disables hinting if there are blue zones defined for a `style' (i.e., a certain combination of a script and its related typographic features) but the font doesn't contain any characters needed to set up at least one blue zone. - Add tarball signatures and freetype2.keyring - Update to version 2.10.0 * A bunch of new functions has been added to access and process COLR/CPAL data of OpenType fonts with color-layered glyphs. * As a GSoC 2018 project, Nikhil Ramakrishnan completely overhauled and modernized the API reference. * The logic for computing the global ascender, descender, and height of OpenType fonts has been slightly adjusted for consistency. * `TT_Set_MM_Blend' could fail if called repeatedly with the same arguments. * The precision of handling deltas in Variation Fonts has been increased.The problem did only show up with multidimensional designspaces. * New function `FT_Library_SetLcdGeometry' to set up the geometry of LCD subpixels. * FreeType now uses the `defaultChar' property of PCF fonts to set the glyph for the undefined character at glyph index 0 (as FreeType already does for all other supported font formats). As a consequence, the order of glyphs of a PCF font if accessed with FreeType can be different now compared to previous versions. This change doesn't affect PCF font access with cmaps. * `FT_Select_Charmap' has been changed to allow parameter value `FT_ENCODING_NONE', which is valid for BDF, PCF, and Windows FNT formats to access built-in cmaps that don't have a predefined `FT_Encoding' value. * A previously reserved field in the `FT_GlyphSlotRec' structure now holds the glyph index. * The usual round of fuzzer bug fixes to better reject malformed fonts. * `FT_Outline_New_Internal' and `FT_Outline_Done_Internal' have been removed.These two functions were public by oversight only and were never documented. * A new function `FT_Error_String' returns descriptions of error codes if configuration macro FT_CONFIG_OPTION_ERROR_STRINGS is defined. * `FT_Set_MM_WeightVector' and `FT_Get_MM_WeightVector' are new functions limited to Adobe MultiMaster fonts to directly set and get the weight vector. - Enable subpixel rendering with infinality config: - Re-enable freetype-config, there is just too many fallouts. - Update to version 2.9.1 * Type 1 fonts containing flex features were not rendered correctly (bug introduced in version 2.9). * CVE-2018-6942: Older FreeType versions can crash with certain malformed variation fonts. * Bug fix: Multiple calls to `FT_Get_MM_Var' returned garbage. * Emboldening of bitmaps didn't work correctly sometimes, showing various artifacts (bug introduced in version 2.8.1). * The auto-hinter script ranges have been updated for Unicode 11. No support for new scripts have been added, however, with the exception of Georgian Mtavruli. - freetype-config is now deprecated by upstream and not enabled by default. - Update to version 2.10.1 * The `ftmulti' demo program now supports multiple hidden axes with the same name tag. * `ftview', `ftstring', and `ftgrid' got a `-k' command line option to emulate a sequence of keystrokes at start-up. * `ftview', `ftstring', and `ftgrid' now support screen dumping to a PNG file. * The bytecode debugger, `ttdebug', now supports variation TrueType fonts; a variation font instance can be selected with the new `-d' command line option. - Add tarball signatures and freetype2.keyring - Update to version 2.10.0 * The `ftdump' demo program has new options `-c' and `-C' to display charmaps in compact and detailed format, respectively. Option `-V' has been removed. * The `ftview', `ftstring', and `ftgrid' demo programs use a new command line option `-d' to specify the program window's width, height, and color depth. * The `ftview' demo program now displays red boxes for zero-width glyphs. * `ftglyph' has limited support to display fonts with color-layered glyphs.This will be improved later on. * `ftgrid' can now display bitmap fonts also. * The `ttdebug' demo program has a new option `-f' to select a member of a TrueType collection (TTC). * Other various improvements to the demo programs. - Remove 'Supplements: fonts-config' to avoid accidentally pulling in Qt dependencies on some non-Qt based desktops.(bsc#1091109) fonts-config is fundamental but ft2demos seldom installs by end users. only fonts-config maintainers/debuggers may use ft2demos along to debug some issues. - Update to version 2.9.1 * No changelog upstream. ----------------------------------------- Patch: SUSE-2020-1494 Released: Wed May 27 20:29:48 2020 Summary: Recommended update for python-psycopg2 Severity: moderate References: 1171213 Description: This update for python-psycopg2 fixes the following issues: - Sort out the syntax of the dependencies to fix possible build failures. (bsc#1171213) ----------------------------------------- Patch: SUSE-2020-1507 Released: Fri May 29 17:23:52 2020 Summary: Recommended update for publicsuffix Severity: moderate References: 1171819 Description: This update for publicsuffix fixes the following issues: - Update from version 20180312 to version 20200506. (bsc#1171819). - New in version 20200506: * gTLD autopull: 2020-05-06 (#1030) * Update public_suffix_list.dat (#993) * Add shopware.store domain (#958) * Add clic2000.net to Private Section (#1010) * Add Fabrica apps domain: onfabrica.com (#999) * Add dyndns.dappnode.io (#912) * Added curv.dev to public_suffix_list.dat (#968) * Add panel.gg and daemon.panel.gg (#978) * adding sth.ac.at (#997) * Add netlify.app (#1012) * Added Wiki Link as info resource (#1011) * Add schulserver.de, update IServ GmbH contact information (#996) * Add conn.uk, copro.uk, couk.me and ukco.me domains (#963) * Remove flynnhub.com (#971) * Added graphox.us domain (#960) * Add domains for FASTVPS EESTI OU (#941) * Add platter.dev user app domains (#935) * Add playstation-cloud.com (#1006) * gTLD autopull: 2020-04-02 (#1005) * ACI prefix (#930) * Update public_suffix_list.dat (#923) * Add toolforge.org and wmcloud.org (#970) * gTLD autopull: 2020-03-29 (#1003) - New in version 20200326: * aero registry removal * Add Mineduc subregistry for public schools: aprendemas.cl * Update public_suffix_list.dat - Existing Section * gTLD autopull: 2020-03-15 * Add 'urown.cloud' and 'dnsupdate.info' * Remove site.builder.nu * Remove unnecessary trailing whitespace for name.fj * Update .eu IDNs to add Greek and URL for Cyrillic * Update fj entry - New in version 20200201: * gTLD autopull: 2020-02-01 (#952) * gTLD autopull: 2020-01-31 (#951) * Add WoltLab Cloud domains (#947) * Add qbuser.com domain (#943) * Added senseering domain (#946) * Add u.channelsdvr.net to PSL (#950) * Add discourse.team (#949) * gTLD autopull: 2020-01-06 (#942) * gTLD autopull: 2019-12-25 (#939) * Urgent removal of eq.edu.au (#924) * gTLD autopull: 2019-12-20 (#938) * gTLD autopull: 2019-12-11 (#932) * Added adobeaemcloud domains (#931) * Add Observable domain: observableusercontent.com. (#914) * Correct v.ua sorting * add v.ua (#919) * Add en-root.fr domain (#910) * add Datawire private domain (#925) * Add amsw.nl private domain to PSL (#929) * Add *.on-k3s.io (#922) * Add *.r.appspot.com to public suffix list (#920) * Added gentapps.com (#916) * Add oya.to (#908) * Add Group 53, LLC Domains (#900) * Add perspecta.cloud (#898) * Add 0e.vc to PSL (#896) * Add skygearapp.com (#892) * Update Hostbip Section (#871) * Add qcx.io and *.sys.qcx.io (#868) * Add builtwithdark.com to the public suffix list (#857) * Add_customer-oci.com (#811) * Move out old .ru reserved domains * gTLD autopull: 2019-12-02 (#928) * gTLD autopull: 2019-11-20 (#926) - New in version 20191115: * Add gov.scot for Scottish Government * update gTLD list to 2019-11-15 state * remove go-vip.co, go-vip.net, wpcomstaging.com - New in version 20191025: * gTLD list updated to 2019-10-24 state * Update .so suffix list * Add the new TLD .ss * Add xn--mgbah1a3hjkrd (موريتانيا) * Add lolipop.io * Add altervista.org * Remove zone.id from list * Add new domain to Synology dynamic dns service - New in version 20190808: * tools: update newgtlds.go to filter removed gTLDs (#860) * gTLD autopull: 2019-08-08 (#862) * Remove non-public nuernberg.museum nuremberg.museum domains (#859) * gTLD autopull: 2019-08-02 (#858) * Update public_suffix_list.dat (#825) * Update reference as per #855 * add nic.za * Update contact for SymfonyCloud (#854) * Add lelux.site (#849) * Add *.webhare.dev (#847) * Update Hostbip Section (#846) * Add Yandex Cloud domains (#850) * Add ASEINet domains (#844) * Update nymnom section (#771) * Add Handshake zones (#796) * Add iserv.dev for IServ GmbH (#826) * Add trycloudflare.com to Cloudflare's domains (#835) * Add shopitsite.com (#838) * Add pubtls.org (#839) * Add qualifio.com domains (#840) * Update newgtlds tooling & associated gTLD data. (#834) * Add web.app for Google (#830) * Add iobb.net (#828) * Add cloudera.site (#829) - New in version 20190529: * Add Balena domains (#814) * Add KingHost domains (#827) * Add dyn53.io (#820) * Add azimuth.network and arvo.network (#812) * Update .rw domains per ccTLD (#821) * Add b-data.io (#759) * Add co.bn (#789) * Add Zitcom domains (#817) * Add Carrd suffixes (#816) * Add Linode Suffixes (#810) * Add lab.ms (#807) * Add wafflecell.com (#805) * Add häkkinen.fi (#804) * Add prvcy.page (#803) * Add SRCF user domains: soc.srcf.net, user.srcf.net (#802) * Add KaasHosting (#801) * Adding cloud66.zone (#797) * Add gehirn.ne.jp and usercontent.jp for Gehirn Inc. (#795) * Add Clerk user domains (#791) * Add loginline (.app, .dev, .io, .services, .site) (#790) * Add wnext.app (#785) * Add Hostbip Registry Domains (#770) * Add glitch.me (#769) * added thingdustdata.com (#767) * Add dweb.link (#766) * Add onred.one (#764) * Add mo-siemens.io (#762) * Add Render domains (#761) * Add *.moonscale.io (#757) * Add Stackhero domain (#755) * Add voorloper.cloud (#750) * Add repl.co and repl.run (#748) * Add edugit.org (#736) * Add Hakaran domains (#733) * Add barsy.ca (#732) * Add Names.of.London Domains (#543) * Add nctu.me (#746) * Br 201904 update (#809) * Delete DOHA * Add app.banzaicloud.io (#730) * Update .TR (#741) * Add Nabu Casa (#781) * Added uk0.bigv.io under Bytemark Hosting (#745) * Add GOV.UK PaaS client domains (#765) * Add discourse.group for Civilized Discourse Construction Kit, Inc. (#768) * Add on-rancher.cloud and on-rio.io (#779) * Syncloud dynamic dns service (#727) * Add git-pages.rit.edu (#690) * Add workers.dev (#772) * Update .AM (#756) * Add go-vip.net. (#793) * Add site.builder.nu (#723) * Update .FR sectorial domains (#527) * Remove ACTIVE * Remove SPIEGEL * Remove EPOST * Remove ZIPPO * Remove BLANCO - New in version 20190205: * Add domains of Individual Network Berlin e.V. (#711) * Added bss.design to PSL (#685) * Add fastly-terrarium.com (#729) * Add Swisscom Application Cloud domains (#698) * Update public_suffix_list.dat with api.stdlib.com (#751) * Add regional domain for filegear.me (#713) * Remove bv.nl (#758) * Update public_suffix_list.dat - Link public_suffix_list.dat to effective_tld_names.dat for the purpose of httpcomponents-client - Do not pull in full python3, psl-make-dafsa already pulls in what it needs to generate the things - New in version 20181227: * Add run.app and a.run.app to the psl (#681) * Add telebit.io .app .xyz (#726) * Add Leadpages domains (#731) * Add public suffix entries for dapps.earth (#708) * Add Bytemark Hosting domains (#620) * Remove .STATOIL * linter: Expect rules to be in NFKC (#725) * Convert list data from NFKD to NFKC (#720) * Update LS (#718) - New in version 20181030: * Add readthedocs.io (#722) * Remove trailing whitespace from L11948 (#721) * Add krasnik.pl, leczna.pl, lubartow.pl, lublin.pl, poniatowa.pl and swidnik.pl domains to the Public Suffix List (#670) * Add instantcloud.cn by Redstar Consultants (#696) * Add Fermax and mydobiss.com domain (#706) * Add shop.th & online.th (#716) * Add siteleaf.net (#655) * Add wpcomstaging.com and go-vip.co to the PSL (#719) - Update to version 20181003: * Remove deleted TLDs (#710) * Added apigee.io (#712) * Add AWS ElasticBeanstalk Ningxia, CN region (#597) * Add Github PULL REQUEST TEMPLATE (#699) * Add ong.br 2nd level domain (#707) - Update to version 20180813: * Update .ID list (#703) * Updated .bn ccTLD. Removed wildcard. (#702) * Remove stackspace.space from PSL (#691) * Remove XPERIA (#697) - Update to version 20180719: * Remove .IWC * Update Kuwait's ccTLD (.kw) * Use https for www.transip.nl * Remove MEO and SAPO - New in version 20180523: * Remove 1password domains (#632) * Add cleverapps.io (Clever Cloud) (#634) * Remove .BOOTS * Add azurecontainer.io to Microsoft domains (#637) * Change the patchnewgtlds tool for the updated .zw domain * Add new gTLDs up to 2018-04-17 and new ccTLDs up to 2018-04-17 * cloud.muni.cz cloud subdomains (#622) * Add YunoHost DynDns domains: nohost.me & noho.st (#615) * Use a custom token for the newGTLD list (#645) * lug.org.uk (#514) * Adding xnbay.com,u2.xnbay.com,u2-local.xnbay.com to public_suffix_list.dat. (#506) * Adding customer.speedpartner.de (#585) * Adding ravendb.net subdomains (#535) * Adding own.pm (#544) * pcloud.host (#531) * Add additional Lukanet Ltd domains (#652) * Add zone.id (#575) * Add half.host (#571) * Update 香港 TLD (#568) * Add Now-DNS domains (#560) * Added blackbaudcdn.net private domain to PSL (#558) * Adding IServ GmbH domains (#552) * Add FASTVPS EESTI OU domains (#541) * nic.it - update regions and provinces (#524) * Update Futureweb OG Private Domains (#520) * add United Gameserver virtualuser domains (#600) * Add Lightmaker Property Manager, Inc domains (#604) * Update Uberspace domains (#616) * Add Datto, Inc domains * Add memset hosting domains (#625) * Add utwente.io (#626) * Add bci.dnstrace.pro (#630) * Add May First domains (#635) * Add Linki Tools domains (#636) * Update NymNom domains * Add Co & Co domains (#650) * Add new gTLDs up to 2018-05-08 (#653) * Correct linter issues (#654) * Add cnpy.gdn as private domain (#633) * Add freedesktop.org (#619) * Add Omnibond Systems (#656) * Add hasura.app to the list (#668) * Update gu ccTLD suffixes (#669) - New in version 20180328: * Add gwiddle.co.uk (#521) * Add ox.rs (#522) * Add myjino.ru (#512) * Add ras.ru domains (#511) * Add AWS ElasticBeanstalk Osaka, JP region (#628) * Remove trailing whitespace (#621) ----------------------------------------- Patch: SUSE-2020-1511 Released: Fri May 29 18:03:39 2020 Summary: Security update for java-11-openjdk Severity: important References: 1167462,1169511,CVE-2020-2754,CVE-2020-2755,CVE-2020-2756,CVE-2020-2757,CVE-2020-2767,CVE-2020-2773,CVE-2020-2778,CVE-2020-2781,CVE-2020-2800,CVE-2020-2803,CVE-2020-2805,CVE-2020-2816,CVE-2020-2830 Description: This update for java-11-openjdk fixes the following issues: Java was updated to jdk-11.0.7+10 (April 2020 CPU, bsc#1169511). Security issues fixed: - CVE-2020-2754: Fixed an incorrect handling of regular expressions that could have resulted in denial of service (bsc#1169511). - CVE-2020-2755: Fixed an incorrect handling of regular expressions that could have resulted in denial of service (bsc#1169511). - CVE-2020-2756: Fixed an incorrect handling of regular expressions that could have resulted in denial of service (bsc#1169511). - CVE-2020-2757: Fixed an object deserialization issue that could have resulted in denial of service via crafted serialized input (bsc#1169511). - CVE-2020-2767: Fixed an incorrect handling of certificate messages during TLS handshakes (bsc#1169511). - CVE-2020-2773: Fixed the incorrect handling of exceptions thrown by unmarshalKeyInfo() and unmarshalXMLSignature() (bsc#1169511). - CVE-2020-2778: Fixed the incorrect handling of SSLParameters in setAlgorithmConstraints(), which could have been abused to override the defined systems security policy and lead to the use of weak crypto algorithms (bsc#1169511). - CVE-2020-2781: Fixed the incorrect re-use of single null TLS sessions (bsc#1169511). - CVE-2020-2800: Fixed an HTTP header injection issue caused by mishandling of CR/LF in header values (bsc#1169511). - CVE-2020-2803: Fixed a boundary check and type check issue that could have led to a sandbox bypass (bsc#1169511). - CVE-2020-2805: Fixed a boundary check and type check issue that could have led to a sandbox bypass (bsc#1169511). - CVE-2020-2816: Fixed an incorrect handling of application data packets during TLS handshakes (bsc#1169511). - CVE-2020-2830: Fixed an incorrect handling of regular expressions that could have resulted in denial of service (bsc#1169511). ----------------------------------------- Patch: SUSE-2020-1677 Released: Thu Jun 18 18:16:39 2020 Summary: Security update for mozilla-nspr, mozilla-nss Severity: important References: 1159819,1169746,1171978,CVE-2019-17006,CVE-2020-12399 Description: This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nss was updated to version 3.53 - CVE-2020-12399: Fixed a timing attack on DSA signature generation (bsc#1171978). - CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819). Release notes: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.53_release_notes mozilla-nspr to version 4.25 ----------------------------------------- Patch: SUSE-2020-1801 Released: Tue Jun 30 13:07:01 2020 Summary: Recommended update for zeromq Severity: low References: 1171566 Description: This update of zeromq fixes the following issue. - the libzmq5-32bit package is shipped on x86_64 platforms. (bsc#1171566) ----------------------------------------- Patch: SUSE-2020-1852 Released: Mon Jul 6 16:50:23 2020 Summary: Recommended update for fontforge, ghostscript-fonts, ttf-converter, xorg-x11-fonts Severity: moderate References: 1169444 Description: This update for fontforge, ghostscript-fonts, ttf-converter, xorg-x11-fonts fixes the following issues: Changes in fontforge: - Support transforming bitmap glyphs from python. (bsc#1169444) - Allow python-Sphinx >= 3 Changes in ttf-converter: - Update from version 1.0 to version 1.0.6: * ftdump is now shipped additionally as new dependency for ttf-converter * Standardize output when converting vector and bitmap fonts * Add more subfamilies fixes (bsc#1169444) * Add --family and --subfamily arguments to force values on those fields * Add parameters to fix glyph unicode values --fix-glyph-unicode : Try to fix unicode points and glyph names based on glyph names containing hexadecimal codes (like '$0C00', 'char12345' or 'uni004F') --replace-unicode-values: When passed 2 comma separated numbers a,b the glyph with an unicode value of a is replaced with the unicode value b. Can be used more than once. --shift-unicode-values: When passed 3 comma separated numbers a,b,c this shifts the unicode values of glyphs between a and b (both included) by adding c. Can be used more than once. * Add --bitmapTransform parameter to transform bitmap glyphs. (bsc#1169444) When used, all glyphs are modified with the transformation function and values passed as parameters. The parameter has three values separated by commas: fliph|flipv|rotate90cw|rotate90ccw|rotate180|skew|transmove,xoff,yoff * Add support to convert bitmap fonts (bsc#1169444) * Rename MediumItalic subfamily to Medium Italic * Show some more information when removing duplicated glyphs * Add a --force-monospaced argument instead of hardcoding font names * Convert `BoldCond` subfamily to `Bold Condensed` * Fixes for Monospaced fonts and force the Nimbus Mono L font to be Monospaced. (bsc#1169444 #c41) * Add a --version argument * Fix subfamily names so the converted font's subfamily match the original ones. (bsc#1169444 #c41) Changes in xorg-x11-fonts: - Use ttf-converter 1.0.6 to build an Italic version of cu12.pcf.gz in the converted subpackage - Include the subfamily in the filename of converted fonts - Use ttf-converter's new bitmap font support to convert Schumacher Clean and Schumacher Clean Wide (bsc#1169444 #c41) - Replace some unicode values in cu-pua12.pcf.gz to fix them - Shift some unicode values in arabic24.pcf.gz and cuarabic12.pcf.gz so glyphs don't pretend to be latin characters when they're not. - Don't distribute converted fonts with wrong unicode values in their glyphs. (bsc#1169444) Bitstream-Charter-*.otb, Cursor.ttf,Sun-OPEN-LOOK-*.otb, MUTT-ClearlyU-Devangari-Extra-Regular, MUTT-ClearlyU-Ligature-Wide-Regular, and MUTT-ClearlyU-Devanagari-Regular Changes in ghostscript-fonts: - Force the converted Nimbus Mono font to be monospaced. (bsc#1169444 #c41) Use the --force-monospaced argument of ttf-converter 1.0.3 ----------------------------------------- Patch: SUSE-2020-1979 Released: Tue Jul 21 02:41:47 2020 Summary: Recommended update for golang-github-prometheus-node_exporter Severity: moderate References: 1143913 Description: This update for golang-github-prometheus-node_exporter fixes the following issues: - Update from version 0.17.0 to version 0.18.1 (jsc#ECO-2110) 0.18.1 / 2019-06-04 * [BUGFIX] Fix incorrect sysctl call in BSD meminfo collector, resulting in broken swap metrics on FreeBSD * [BUGFIX] Fix rollover bug in mountstats collector 0.18.0 / 2019-05-09 * Renamed interface label to device in netclass collector for consistency with other network metrics * The cpufreq metrics now separate the cpufreq and scaling data based on what the driver provides. * The labels for the network_up metric have changed * Bonding collector now uses mii_status instead of operstatus * Several systemd metrics have been turned off by default to improve performance * These include unit_tasks_current, unit_tasks_max, service_restart_total, and unit_start_time_seconds * The systemd collector blacklist now includes automount, device, mount, and slice units by default. * [CHANGE] Bonding state uses mii_status * [CHANGE] Add a limit to the number of in-flight requests * [CHANGE] Renamed interface label to device in netclass collector * [CHANGE] Add separate cpufreq and scaling metrics * [CHANGE] Several systemd metrics have been turned off by default to improve performance * [CHANGE] Expand systemd collector blacklist * [CHANGE] Split cpufreq metrics into a separate collector * [FEATURE] Add a flag to disable exporter metrics * [FEATURE] Add kstat-based Solaris metrics for boottime, cpu and zfs collectors * [FEATURE] Add uname collector for FreeBSD * [FEATURE] Add diskstats collector for OpenBSD * [FEATURE] Add pressure collector exposing pressure stall information for Linux * [FEATURE] Add perf exporter for Linux * [ENHANCEMENT] Add Infiniband counters * [ENHANCEMENT] Add TCPSynRetrans to netstat default filter * [ENHANCEMENT] Move network_up labels into new metric network_info * [ENHANCEMENT] Use 64-bit counters for Darwin netstat * [BUGFIX] Add fallback for missing /proc/1/mounts * [BUGFIX] Fix node_textfile_mtime_seconds to work properly on symlinks - Add network-online (Wants and After) dependency to systemd unit. (bsc#1143913) ----------------------------------------- Patch: SUSE-2020-1983 Released: Tue Jul 21 08:31:44 2020 Summary: Security update for tomcat Severity: important References: 1173389,CVE-2020-11996 Description: This update for tomcat fixes the following issues: Tomcat was updated to 9.0.36 See changelog at - CVE-2020-11996: Fixed an issue which by sending a specially crafted sequence of HTTP/2 requests could have triggered high CPU usage for several seconds making potentially the server unresponsive (bsc#1173389). ----------------------------------------- Patch: SUSE-2020-2000 Released: Wed Jul 22 09:04:41 2020 Summary: Recommended update for efivar Severity: important References: 1100077,1101023,1120862,1127544 Description: This update for efivar fixes the following issues: - fix logic that checks for UCS-2 string termination (bsc#1127544) - fix casting of IPv4 addresses - Don't require an EUI for NVMe (bsc#1100077) - Add support for ACPI Generic Container and Embedded Controller root nodes (bsc#1101023) - fix for compilation failures bsc#1120862 ----------------------------------------- Patch: SUSE-2020-2047 Released: Fri Jul 24 14:09:14 2020 Summary: Security update for tomcat Severity: important References: 1174117,1174121,CVE-2020-13934,CVE-2020-13935 Description: This update for tomcat fixes the following issues: - Fixed CVEs: * CVE-2020-13934 (bsc#1174121) * CVE-2020-13935 (bsc#1174117) ----------------------------------------- Patch: SUSE-2020-2083 Released: Thu Jul 30 10:27:59 2020 Summary: Recommended update for diffutils Severity: moderate References: 1156913 Description: This update for diffutils fixes the following issue: - Disable a sporadically failing test for ppc64 and ppc64le builds. (bsc#1156913) ----------------------------------------- Patch: SUSE-2020-2116 Released: Tue Aug 4 15:12:41 2020 Summary: Security update for libX11 Severity: important References: 1174628,CVE-2020-14344 Description: This update for libX11 fixes the following issues: - Fixed XIM client heap overflows (CVE-2020-14344, bsc#1174628) ----------------------------------------- Patch: SUSE-2020-2143 Released: Thu Aug 6 11:06:49 2020 Summary: Security update for java-11-openjdk Severity: important References: 1174157,CVE-2020-14556,CVE-2020-14562,CVE-2020-14573,CVE-2020-14577,CVE-2020-14581,CVE-2020-14583,CVE-2020-14593,CVE-2020-14621 Description: This update for java-11-openjdk fixes the following issues: - Update to upstream tag jdk-11.0.8+10 (July 2020 CPU, bsc#1174157) * Security fixes: + JDK-8230613: Better ASCII conversions + JDK-8231800: Better listing of arrays + JDK-8232014: Expand DTD support + JDK-8233234: Better Zip Naming + JDK-8233239, CVE-2020-14562: Enhance TIFF support + JDK-8233255: Better Swing Buttons + JDK-8234032: Improve basic calendar services + JDK-8234042: Better factory production of certificates + JDK-8234418: Better parsing with CertificateFactory + JDK-8234836: Improve serialization handling + JDK-8236191: Enhance OID processing + JDK-8236867, CVE-2020-14573: Enhance Graal interface handling + JDK-8237117, CVE-2020-14556: Better ForkJoinPool behavior + JDK-8237592, CVE-2020-14577: Enhance certificate verification + JDK-8238002, CVE-2020-14581: Better matrix operations + JDK-8238013: Enhance String writing + JDK-8238804: Enhance key handling process + JDK-8238842: AIOOBE in GIFImageReader.initializeStringTable + JDK-8238843: Enhanced font handing + JDK-8238920, CVE-2020-14583: Better Buffer support + JDK-8238925: Enhance WAV file playback + JDK-8240119, CVE-2020-14593: Less Affine Transformations + JDK-8240482: Improved WAV file playback + JDK-8241379: Update JCEKS support + JDK-8241522: Manifest improved jar headers redux + JDK-8242136, CVE-2020-14621: Better XML namespace handling * Other changes: + JDK-6933331: (d3d/ogl) java.lang.IllegalStateException: Buffers have not been created + JDK-7124307: JSpinner and changing value by mouse + JDK-8022574: remove HaltNode code after uncommon trap calls + JDK-8039082: [TEST_BUG] Test java/awt/dnd/BadSerializationTest/BadSerializationTest.java fails + JDK-8040630: Popup menus and tooltips flicker with previous popup contents when first shown + JDK-8044365: (dc) MulticastSendReceiveTests.java failing with ENOMEM when joining group (OS X 10.9) + JDK-8048215: [TESTBUG] java/lang/management/ManagementFactory/ThreadMXBeanProxy.java Expected non-null LockInfo + JDK-8051349: nsk/jvmti/scenarios/sampling/SP06/sp06t003 fails in nightly + JDK-8080353: JShell: Better error message on attempting to add default method + JDK-8139876: Exclude hanging nsk/stress/stack from execution with deoptimization enabled + JDK-8146090: java/lang/ref/ReachabilityFenceTest.java fails with -XX:+DeoptimizeALot + JDK-8153430: jdk regression test MletParserLocaleTest, ParserInfiniteLoopTest reduce default timeout + JDK-8156207: Resource allocated BitMaps are often cleared unnecessarily + JDK-8159740: JShell: corralled declarations do not have correct source to wrapper mapping + JDK-8175984: ICC_Profile has un-needed, not-empty finalize method + JDK-8176359: Frame#setMaximizedbounds not working properly in multi screen environments + JDK-8183369: RFC unconformity of HttpURLConnection with proxy + JDK-8187078: -XX:+VerifyOops finds numerous problems when running JPRT + JDK-8189861: Refactor CacheFind + JDK-8191169: java/net/Authenticator/B4769350.java failed intermittently + JDK-8191930: [Graal] emits unparseable XML into compile log + JDK-8193879: Java debugger hangs on method invocation + JDK-8196019: java/awt/Window/Grab/GrabTest.java fails on Windows + JDK-8196181: sun/java2d/GdiRendering/InsetClipping.java fails + JDK-8198000: java/awt/List/EmptyListEventTest/EmptyListEventTest.java debug assert on Windows + JDK-8198001: java/awt/Menu/WrongParentAfterRemoveMenu/ /WrongParentAfterRemoveMenu.java debug assert on Windows + JDK-8198339: Test javax/swing/border/Test6981576.java is unstable + JDK-8200701: jdk/jshell/ExceptionsTest.java fails on Windows, after JDK-8198801 + JDK-8203264: JNI exception pending in PlainDatagramSocketImpl.c:740 + JDK-8203672: JNI exception pending in PlainSocketImpl.c + JDK-8203673: JNI exception pending in DualStackPlainDatagramSocketImpl.c:398 + JDK-8204834: Fix confusing 'allocate' naming in OopStorage + JDK-8205399: Set node color on pinned HashMap.TreeNode deletion + JDK-8205653: test/jdk/sun/management/jmxremote/bootstrap/ /RmiRegistrySslTest.java and RmiSslBootstrapTest.sh fail with handshake_failure + JDK-8206179: com/sun/management/OperatingSystemMXBean/ /GetCommittedVirtualMemorySize.java fails with Committed virtual memory size illegal value + JDK-8207334: VM times out in VM_HandshakeAllThreads::doit() with RunThese30M + JDK-8208277: Code cache heap (-XX:ReservedCodeCacheSize) doesn't work with 1GB LargePages ----------------------------------------- Patch: SUSE-2020-2148 Released: Thu Aug 6 13:36:17 2020 Summary: Recommended update for ca-certificates-mozilla Severity: important References: 1174673 Description: This update for ca-certificates-mozilla fixes the following issues: Update to 2.42 state of the Mozilla NSS Certificate store (bsc#1174673) Removed CAs: * AddTrust External CA Root * AddTrust Class 1 CA Root * LuxTrust Global Root 2 * Staat der Nederlanden Root CA - G2 * Symantec Class 1 Public Primary Certification Authority - G4 * Symantec Class 2 Public Primary Certification Authority - G4 * VeriSign Class 3 Public Primary Certification Authority - G3 Added CAs: * certSIGN Root CA G2 * e-Szigno Root CA 2017 * Microsoft ECC Root Certificate Authority 2017 * Microsoft RSA Root Certificate Authority 2017 ----------------------------------------- Patch: SUSE-2020-2282 Released: Wed Aug 19 21:28:40 2020 Summary: Recommended update for libgit2 Severity: moderate References: 1157473 Description: This update for libgit2 provides the following fix: - Include the libgit2 package in SUSE Manager Server 4.0, no source changes made. (bsc#1157473) ----------------------------------------- Patch: SUSE-2020-2373 Released: Fri Aug 28 12:58:51 2020 Summary: Security update for SUSE Manager 4.1.1 Severity: moderate References: 1136857,1165572,1169553,1169780,1170244,1170468,1170654,1171281,1172279,1172504,1172709,1172807,1172831,1172839,1173169,1173522,1173535,1173554,1173566,1173584,1173932,1173982,1173997,1174025,1174167,1174201,1174229,1174325,1174405,1174470,1174965,1175485,1175555,1175558,1175724,1175791,678126,CVE-2020-11022 Description: This consolidated update includes multiple patchinfos for SUSE Manager Server and Proxy. This patchinfo is used for the codestream release only. ----------------------------------------- Patch: SUSE-2020-2374 Released: Fri Aug 28 12:59:39 2020 Summary: Recommended update for SUSE Manager Client Tools Severity: moderate References: 1171281,1172709,1173149,1173584,1174405,1174965 Description: This update fixes the following issues: POS_Image-Graphical7: - Add plymouth-plugin-label-ft package to all *7 templates and set them to be of SLE15SP2 version - Add optional dracut-wireless comment section and move wpa_suplicant there POS_Image-JeOS7: - Add plymouth-plugin-label-ft package to all *7 templates and set them to be of SLE15SP2 version - Add optional dracut-wireless comment section and move wpa_suplicant there dracut-saltboot: - Use automatic RAID assembly only in the first phase before start of salt dracut-wireless: - Make sure ifup is scheduled (bsc#1173149) golang-github-prometheus-prometheus: - Add support for Prometheus exporters proxy mgr-osad: - Move uyuni-base-common dependency from mgr-osad to mgr-osa-dispatcher (bsc#1174405) spacecmd: - Fix softwarechannel update for vendor channels (bsc#1172709) - Fix escaping of package names (bsc#1171281) spacewalk-koan: - Use the 4.1 image to fix tests suseRegisterInfo: - Enhance RedHat product detection for CentOS and OracleLinux (bsc#1173584) uyuni-common-libs: - Fix issues importing RPM packages with long RPM headers (bsc#1174965) ----------------------------------------- Patch: SUSE-2020-2440 Released: Tue Sep 1 22:14:33 2020 Summary: Recommended update for libmaxminddb Severity: moderate References: 1175006 Description: This update for libmaxminddb fixes the following issues: - update to 1.4.3: * Use of uninitialized memory in dump_entry_data_list() could have cause a heap buffer flow in mmdblookup [bsc#1175006] ----------------------------------------- Patch: SUSE-2020-2539 Released: Fri Sep 4 16:43:26 2020 Summary: Recommended update for golang-github-QubitProducts-exporter_exporter Severity: important References: 1175946 Description: This Maintenance update for SUSE Manager fixes the following issue: - Add requires for fillup, groupadd, useradd, systemd (bsc#1175946) ----------------------------------------- Patch: SUSE-2020-2549 Released: Fri Sep 4 18:25:50 2020 Summary: Recommended update for OpenStack clients Severity: moderate References: 1121610,1174571,917818 Description: Updated OpenStack clients to the latest OpenStack release named Ussuri. ----------------------------------------- Patch: SUSE-2020-2558 Released: Mon Sep 7 14:32:59 2020 Summary: Recommended update for tomcat Severity: moderate References: 1092163,1172562,1173103 Description: This update for tomcat fixes the following issues: - Fixed the package alternatives for tomcat-servlet-4_0-api to use /usr/share/java/servlet.jar instead of /usr/share/java/tomcat-servlet.jar - We kept /usr/share/java/tomcat-servlet.jar as a symlink for compatibility reasons (bsc#1092163) - Removed write permissions on several files and directories for the tomcat group (bsc#1172562) - Changed the tomcat.pid location from /var/run to /run (bsc#1173103) ----------------------------------------- Patch: SUSE-2020-2646 Released: Wed Sep 16 12:07:28 2020 Summary: Security update for perl-DBI Severity: important References: 1176409,1176412,CVE-2020-14392,CVE-2020-14393 Description: This update for perl-DBI fixes the following issues: Security issues fixed: - CVE-2020-14392: Memory corruption in XS functions when Perl stack is reallocated (bsc#1176412). - CVE-2020-14393: Fixed a buffer overflow on an overlong DBD class name (bsc#1176409). ----------------------------------------- Patch: SUSE-2020-2735 Released: Thu Sep 24 13:32:25 2020 Summary: Recommended update for systemd-rpm-macros Severity: moderate References: 1173034 Description: This update for systemd-rpm-macros fixes the following issues: - Introduce macro '%service_del_postun_without_restart' to resolve blocking new releases based on this. (bsc#1173034) ----------------------------------------- Patch: SUSE-2020-2782 Released: Tue Sep 29 11:40:22 2020 Summary: Recommended update for systemd-rpm-macros Severity: important References: 1176932 Description: This update for systemd-rpm-macros fixes the following issues: - Backport missing macros of directory paths from upstream + %_environmentdir + %_modulesloaddir + %_modprobedir - Make sure %_restart_on_update_never and %_stop_on_removal_never don't expand to the empty string. (bsc#1176932) Otherwise sequences like the following code: if [ ... ]; then %_restart_on_update_never fi would result in the following incorrect shell syntax: if [ ... ]; then fi ----------------------------------------- Patch: SUSE-2020-2828 Released: Fri Oct 2 10:33:22 2020 Summary: Security update for perl-DBI Severity: important References: 1176764,CVE-2019-20919 Description: This update for perl-DBI fixes the following issues: - CVE-2019-20919: Fixed a NULL profile dereference in dbi_profile (bsc#1176764). ----------------------------------------- Patch: SUSE-2020-2839 Released: Fri Oct 2 12:16:15 2020 Summary: Recommended update for SUSE Manager Client Tools Severity: moderate References: 1173268,1175889 Description: This update fixes the following issues: POS_Image-Graphical7: - Set wicked to use plain mac address for computing DHCP DUID (bsc#1173268) POS_Image-JeOS7: - Set wicked to use plain mac address for computing DHCP DUID (bsc#1173268) dracut-saltboot: - Set wicked to use plain mac address for computing DHCP DUID - Copy wicked lease xml file to prevent query for second IP address (bsc#1173268) golang-github-QubitProducts-exporter_exporter: - Pin Golang version to 1.14 mgr-daemon: - Remove duplicate languages and update translation strings spacecmd: - Fix softwarechannel_listlatestpackages throwing error on empty channels (bsc#1175889) spacewalk-client-tools: - Remove duplicated languages and update translation strings ----------------------------------------- Patch: SUSE-2020-2842 Released: Fri Oct 2 12:17:55 2020 Summary: Recommended update for golang-github-prometheus-node_exporter Severity: moderate References: 1151557 Description: This update for golang-github-prometheus-node_exporter fixes the following issues: - Add missing sysconfig file in rpm bsc#1151557 - Changes from 1.0.1 * Changes to build specification + Modify spec: update golang version to 1.14 + Remove update tarball script + Add _service file to allow for updates via `osc service disabledrun` * Bug fixes + [BUGFIX] filesystem_freebsd: Fix label values #1728 + [BUGFIX] Update prometheus/procfs to fix log noise #1735 + [BUGFIX] Fix build tags for collectors #1745 + [BUGFIX] Handle no data from powersupplyclass #1747, #1749 - Changes from 1.0.0 * Bug fixes + [BUGFIX] Read /proc/net files with a single read syscall #1380 + [BUGFIX] Renamed label state to name on node_systemd_service_restart_total. #1393 + [BUGFIX] Fix netdev nil reference on Darwin #1414 + [BUGFIX] Strip path.rootfs from mountpoint labels #1421 + [BUGFIX] Fix seconds reported by schedstat #1426 + [BUGFIX] Fix empty string in path.rootfs #1464 + [BUGFIX] Fix typo in cpufreq metric names #1510 + [BUGFIX] Read /proc/stat in one syscall #1538 + [BUGFIX] Fix OpenBSD cache memory information #1542 + [BUGFIX] Refactor textfile collector to avoid looping defer #1549 + [BUGFIX] Fix network speed math #1580 + [BUGFIX] collector/systemd: use regexp to extract systemd version #1647 + [BUGFIX] Fix initialization in perf collector when using multiple CPUs #1665 + [BUGFIX] Fix accidentally empty lines in meminfo_linux #1671 * Several enhancements + See https://github.com/prometheus/node_exporter/releases/tag/v1.0.0 - Changes from 1.0.0-rc.0 Breaking changes * The netdev collector CLI argument --collector.netdev.ignored-devices was renamed to --collector.netdev.device-blacklist in order to conform with the systemd collector. #1279 * The label named state on node_systemd_service_restart_total metrics was changed to name to better describe the metric. #1393 * Refactoring of the mdadm collector changes several metrics node_md_disks_active is removed node_md_disks now has a state label for 'fail', 'spare', 'active' disks. node_md_is_active is replaced by node_md_state with a state set of 'active', 'inactive', 'recovering', 'resync'. * Additional label mountaddr added to NFS device metrics to distinguish mounts from the same URL, but different IP addresses. #1417 * Metrics node_cpu_scaling_frequency_min_hrts and node_cpu_scaling_frequency_max_hrts of the cpufreq collector were renamed to node_cpu_scaling_frequency_min_hertz and node_cpu_scaling_frequency_max_hertz. #1510 * Collectors that are enabled, but are unable to find data to collect, now return 0 for node_scrape_collector_success. ----------------------------------------- Patch: SUSE-2020-2863 Released: Tue Oct 6 09:28:41 2020 Summary: Recommended update for efivar Severity: moderate References: 1175989 Description: This update for efivar fixes the following issues: - Fixed an issue when segmentation fault are caused on non-EFI systems. (bsc#1175989) ----------------------------------------- Patch: SUSE-2020-2947 Released: Fri Oct 16 15:23:07 2020 Summary: Security update for gcc10, nvptx-tools Severity: moderate References: 1172798,1172846,1173972,1174753,1174817,1175168,CVE-2020-13844 Description: This update for gcc10, nvptx-tools fixes the following issues: This update provides the GCC10 compiler suite and runtime libraries. The base SUSE Linux Enterprise libraries libgcc_s1, libstdc++6 are replaced by the gcc10 variants. The new compiler variants are available with '-10' suffix, you can specify them via: CC=gcc-10 CXX=g++-10 or similar commands. For a detailed changelog check out https://gcc.gnu.org/gcc-10/changes.html Changes in nvptx-tools: - Enable build on aarch64 ----------------------------------------- Patch: SUSE-2020-2958 Released: Tue Oct 20 12:24:55 2020 Summary: Recommended update for procps Severity: moderate References: 1158830 Description: This update for procps fixes the following issues: - Fixes an issue when command 'ps -C' does not allow anymore an argument longer than 15 characters. (bsc#1158830) ----------------------------------------- Patch: SUSE-2020-2983 Released: Wed Oct 21 15:03:03 2020 Summary: Recommended update for file Severity: moderate References: 1176123 Description: This update for file fixes the following issues: - Fixes an issue when file displays broken 'ELF' interpreter. (bsc#1176123) ----------------------------------------- Patch: SUSE-2020-2995 Released: Thu Oct 22 10:03:09 2020 Summary: Security update for freetype2 Severity: important References: 1177914,CVE-2020-15999 Description: This update for freetype2 fixes the following issues: - CVE-2020-15999: fixed a heap buffer overflow found in the handling of embedded PNG bitmaps (bsc#1177914). ----------------------------------------- Patch: SUSE-2020-3059 Released: Wed Oct 28 06:11:23 2020 Summary: Recommended update for sysconfig Severity: moderate References: 1173391,1176285,1176325 Description: This update for sysconfig fixes the following issues: - Fix for 'netconfig' to run with a new library including fallback to the previous location. (bsc#1176285) - Fix for changing content of such files like '/etc/resolv.conf' to avoid linked applications re-read them and unnecessarily re-initializes themselves accordingly. (bsc#1176325) - Fix for 'chrony helper' calling in background. (bsc#1173391) - Fix for configuration file by creating a symlink for it to prevent false ownership on the file. (bsc#1159566) ----------------------------------------- Patch: SUSE-2020-3060 Released: Wed Oct 28 08:09:21 2020 Summary: Security update for binutils Severity: moderate References: 1126826,1126829,1126831,1140126,1142649,1143609,1153768,1153770,1157755,1160254,1160590,1163333,1163744,CVE-2019-12972,CVE-2019-14250,CVE-2019-14444,CVE-2019-17450,CVE-2019-17451,CVE-2019-9074,CVE-2019-9075,CVE-2019-9077 Description: This update for binutils fixes the following issues: binutils was updated to version 2.35. (jsc#ECO-2373) Update to binutils 2.35: * The assembler can now produce DWARF-5 format line number tables. * Readelf now has a 'lint' mode to enable extra checks of the files it is processing. * Readelf will now display '[...]' when it has to truncate a symbol name. The old behaviour - of displaying as many characters as possible, up to the 80 column limit - can be restored by the use of the --silent-truncation option. * The linker can now produce a dependency file listing the inputs that it has processed, much like the -M -MP option supported by the compiler. - fix DT_NEEDED order with -flto [bsc#1163744] Update to binutils 2.34: * The disassembler (objdump --disassemble) now has an option to generate ascii art thats show the arcs between that start and end points of control flow instructions. * The binutils tools now have support for debuginfod. Debuginfod is a HTTP service for distributing ELF/DWARF debugging information as well as source code. The tools can now connect to debuginfod servers in order to download debug information about the files that they are processing. * The assembler and linker now support the generation of ELF format files for the Z80 architecture. - Add new subpackages for libctf and libctf-nobfd. - Disable LTO due to bsc#1163333. - Includes fixes for these CVEs: bsc#1153768 aka CVE-2019-17451 aka PR25070 bsc#1153770 aka CVE-2019-17450 aka PR25078 - fix various build fails on aarch64 (PR25210, bsc#1157755). Update to binutils 2.33.1: * Adds support for the Arm Scalable Vector Extension version 2 (SVE2) instructions, the Arm Transactional Memory Extension (TME) instructions and the Armv8.1-M Mainline and M-profile Vector Extension (MVE) instructions. * Adds support for the Arm Cortex-A76AE, Cortex-A77 and Cortex-M35P processors and the AArch64 Cortex-A34, Cortex-A65, Cortex-A65AE, Cortex-A76AE, and Cortex-A77 processors. * Adds a .float16 directive for both Arm and AArch64 to allow encoding of 16-bit floating point literals. * For MIPS, Add -m[no-]fix-loongson3-llsc option to fix (or not) Loongson3 LLSC Errata. Add a --enable-mips-fix-loongson3-llsc=[yes|no] configure time option to set the default behavior. Set the default if the configure option is not used to 'no'. * The Cortex-A53 Erratum 843419 workaround now supports a choice of which workaround to use. The option --fix-cortex-a53-843419 now takes an optional argument --fix-cortex-a53-843419[=full|adr|adrp] which can be used to force a particular workaround to be used. See --help for AArch64 for more details. * Add support for GNU_PROPERTY_AARCH64_FEATURE_1_BTI and GNU_PROPERTY_AARCH64_FEATURE_1_PAC in ELF GNU program properties in the AArch64 ELF linker. * Add -z force-bti for AArch64 to enable GNU_PROPERTY_AARCH64_FEATURE_1_BTI on output while warning about missing GNU_PROPERTY_AARCH64_FEATURE_1_BTI on inputs and use PLTs protected with BTI. * Add -z pac-plt for AArch64 to pick PAC enabled PLTs. * Add --source-comment[=] option to objdump which if present, provides a prefix to source code lines displayed in a disassembly. * Add --set-section-alignment = option to objcopy to allow the changing of section alignments. * Add --verilog-data-width option to objcopy for verilog targets to control width of data elements in verilog hex format. * The separate debug info file options of readelf (--debug-dump=links and --debug-dump=follow) and objdump (--dwarf=links and --dwarf=follow-links) will now display and/or follow multiple links if more than one are present in a file. (This usually happens when gcc's -gsplit-dwarf option is used). In addition objdump's --dwarf=follow-links now also affects its other display options, so that for example, when combined with --syms it will cause the symbol tables in any linked debug info files to also be displayed. In addition when combined with --disassemble the --dwarf= follow-links option will ensure that any symbol tables in the linked files are read and used when disassembling code in the main file. * Add support for dumping types encoded in the Compact Type Format to objdump and readelf. - Includes fixes for these CVEs: bsc#1126826 aka CVE-2019-9077 aka PR1126826 bsc#1126829 aka CVE-2019-9075 aka PR1126829 bsc#1126831 aka CVE-2019-9074 aka PR24235 bsc#1140126 aka CVE-2019-12972 aka PR23405 bsc#1143609 aka CVE-2019-14444 aka PR24829 bsc#1142649 aka CVE-2019-14250 aka PR90924 * Add xBPF target * Fix various problems with DWARF 5 support in gas * fix nm -B for objects compiled with -flto and -fcommon. ----------------------------------------- Patch: SUSE-2020-3068 Released: Wed Oct 28 11:46:10 2020 Summary: Security update for tomcat Severity: moderate References: 1177582,CVE-2020-13943 Description: This update for tomcat fixes the following issues: - CVE-2020-13943: Fixed HTTP/2 Request mix-up (bsc#1177582) ----------------------------------------- Patch: SUSE-2020-3091 Released: Thu Oct 29 16:35:37 2020 Summary: Security update for MozillaThunderbird and mozilla-nspr Severity: important References: 1174230,1176384,1176756,1176899,1177977,CVE-2020-15673,CVE-2020-15676,CVE-2020-15677,CVE-2020-15678,CVE-2020-15683,CVE-2020-15969 Description: This update for MozillaThunderbird and mozilla-nspr fixes the following issues: - Mozilla Thunderbird 78.4 * new: MailExtensions: browser.tabs.sendMessage API added * new: MailExtensions: messageDisplayScripts API added * changed: Yahoo and AOL mail users using password authentication will be migrated to OAuth2 * changed: MailExtensions: messageDisplay APIs extended to support multiple selected messages * changed: MailExtensions: compose.begin functions now support creating a message with attachments * fixed: Thunderbird could freeze when updating global search index * fixed: Multiple issues with handling of self-signed SSL certificates addressed * fixed: Recipient address fields in compose window could expand to fill all available space * fixed: Inserting emoji characters in message compose window caused unexpected behavior * fixed: Button to restore default folder icon color was not keyboard accessible * fixed: Various keyboard navigation fixes * fixed: Various color-related theme fixes * fixed: MailExtensions: Updating attachments with onBeforeSend.addListener() did not work MFSA 2020-47 (bsc#1177977) * CVE-2020-15969 Use-after-free in usersctp * CVE-2020-15683 Memory safety bugs fixed in Thunderbird 78.4 - Mozilla Thunderbird 78.3.3 * OpenPGP: Improved support for encrypting with subkeys * OpenPGP message status icons were not visible in message header pane * Creating a new calendar event did not require an event title - Mozilla Thunderbird 78.3.2 (bsc#1176899) * OpenPGP: Improved support for encrypting with subkeys * OpenPGP: Encrypted messages with international characters were sometimes displayed incorrectly * Single-click deletion of recipient pills with middle mouse button restored * Searching an address book list did not display results * Dark mode, high contrast, and Windows theming fixes - Mozilla Thunderbird 78.3.1 * fix crash in nsImapProtocol::CreateNewLineFromSocket - Mozilla Thunderbird 78.3.0 MFSA 2020-44 (bsc#1176756) * CVE-2020-15677 Download origin spoofing via redirect * CVE-2020-15676 XSS when pasting attacker-controlled data into a contenteditable element * CVE-2020-15678 When recursing through layers while scrolling, an iterator may have become invalid, resulting in a potential use-after- free scenario * CVE-2020-15673 Memory safety bugs fixed in Thunderbird 78.3 - update mozilla-nspr to version 4.25.1 * The macOS platform code for shared library loading was changed to support macOS 11. * Dependency needed for the MozillaThunderbird udpate ----------------------------------------- Patch: SUSE-2020-3157 Released: Wed Nov 4 15:37:05 2020 Summary: Recommended update for ca-certificates-mozilla Severity: moderate References: 1177864 Description: This update for ca-certificates-mozilla fixes the following issues: The SSL Root CA store was updated to the 2.44 state of the Mozilla NSS Certificate store (bsc#1177864) - Removed CAs: - EE Certification Centre Root CA - Taiwan GRCA - Added CAs: - Trustwave Global Certification Authority - Trustwave Global ECC P256 Certification Authority - Trustwave Global ECC P384 Certification Authority ----------------------------------------- Patch: SUSE-2020-3264 Released: Tue Nov 10 09:50:29 2020 Summary: Security update for zeromq Severity: moderate References: 1176116,1176256,1176257,1176258,1176259,CVE-2020-15166 Description: This update for zeromq fixes the following issues: - CVE-2020-15166: Fixed the possibility of unauthenticated clients causing a denial-of-service (bsc#1176116). - Fixed a heap overflow when receiving malformed ZMTP v1 packets (bsc#1176256) - Fixed a memory leak in client induced by malicious server(s) without CURVE/ZAP (bsc#1176257) - Fixed memory leak when processing PUB messages with metadata (bsc#1176259) - Fixed a stack overflow in PUB/XPUB subscription store (bsc#1176258) ----------------------------------------- Patch: SUSE-2020-3359 Released: Tue Nov 17 13:18:30 2020 Summary: Security update for java-11-openjdk Severity: moderate References: 1177943,CVE-2020-14779,CVE-2020-14781,CVE-2020-14782,CVE-2020-14792,CVE-2020-14796,CVE-2020-14797,CVE-2020-14798,CVE-2020-14803 Description: This update for java-11-openjdk fixes the following issues: - Update to upstream tag jdk-11.0.9-11 (October 2020 CPU, bsc#1177943) * New features + JDK-8250784: Shenandoah: A Low-Pause-Time Garbage Collector * Security fixes + JDK-8233624: Enhance JNI linkage + JDK-8236196: Improve string pooling + JDK-8236862, CVE-2020-14779: Enhance support of Proxy class + JDK-8237990, CVE-2020-14781: Enhanced LDAP contexts + JDK-8237995, CVE-2020-14782: Enhance certificate processing + JDK-8240124: Better VM Interning + JDK-8241114, CVE-2020-14792: Better range handling + JDK-8242680, CVE-2020-14796: Improved URI Support + JDK-8242685, CVE-2020-14797: Better Path Validation + JDK-8242695, CVE-2020-14798: Enhanced buffer support + JDK-8243302: Advanced class supports + JDK-8244136, CVE-2020-14803: Improved Buffer supports + JDK-8244479: Further constrain certificates + JDK-8244955: Additional Fix for JDK-8240124 + JDK-8245407: Enhance zoning of times + JDK-8245412: Better class definitions + JDK-8245417: Improve certificate chain handling + JDK-8248574: Improve jpeg processing + JDK-8249927: Specify limits of jdk.serialProxyInterfaceLimit + JDK-8253019: Enhanced JPEG decoding * Other changes + JDK-6532025: GIF reader throws misleading exception with truncated images + JDK-6949753: [TEST BUG]: java/awt/print/PageFormat/ /PDialogTest.java needs update by removing an infinite loop + JDK-8022535: [TEST BUG] javax/swing/text/html/parser/ /Test8017492.java fails + JDK-8062947: Fix exception message to correctly represent LDAP connection failure + JDK-8067354: com/sun/jdi/GetLocalVariables4Test.sh failed + JDK-8134599: TEST_BUG: java/rmi/transport/closeServerSocket/ /CloseServerSocket.java fails intermittently with Address already in use + JDK-8151678: com/sun/jndi/ldap/LdapTimeoutTest.java failed due to timeout on DeadServerNoTimeoutTest is incorrect + JDK-8160768: Add capability to custom resolve host/domain names within the default JNDI LDAP provider + JDK-8172404: Tools should warn if weak algorithms are used before restricting them + JDK-8193367: Annotated type variable bounds crash javac + JDK-8202117: com/sun/jndi/ldap/RemoveNamingListenerTest.java fails intermittently: Connection reset + JDK-8203026: java.rmi.NoSuchObjectException: no such object in table + JDK-8203281: [Windows] JComboBox change in ui when editor.setBorder() is called + JDK-8203382: Rename SystemDictionary::initialize_wk_klass to resolve_wk_klass + JDK-8203393: com/sun/jdi/JdbMethodExitTest.sh and JdbExprTest.sh fail due to timeout + JDK-8203928: [Test] Convert non-JDB scaffolding serviceability shell script tests to java + JDK-8204963: javax.swing.border.TitledBorder has a memory leak + JDK-8204994: SA might fail to attach to process with 'Windbg Error: WaitForEvent failed' + JDK-8205534: Remove SymbolTable dependency from serviceability agent + JDK-8206309: Tier1 SA tests fail + JDK-8208281: java/nio/channels/ /AsynchronousSocketChannel/Basic.java timed out + JDK-8209109: [TEST] rewrite com/sun/jdi shell tests to java version - step1 + JDK-8209332: [TEST] test/jdk/com/sun/jdi/CatchPatternTest.sh is incorrect + JDK-8209342: Problemlist SA tests on Solaris due to Error attaching to process: Can't create thread_db agent! + JDK-8209343: Test javax/swing/border/TestTitledBorderLeak.java should be marked as headful + JDK-8209517: com/sun/jdi/BreakpointWithFullGC.java fails with timeout + JDK-8209604: [TEST] rewrite com/sun/jdi shell tests to java version - step2 + JDK-8209605: com/sun/jdi/BreakpointWithFullGC.java fails with ZGC + JDK-8209608: Problem list com/sun/jdi/BreakpointWithFullGC.java + JDK-8210131: vmTestbase/nsk/jvmti/scenarios/allocation/AP10/ /ap10t001/TestDescription.java failed with ObjectFree: GetCurrentThreadCpuTimerInfo returned unexpected error code + JDK-8210243: [TEST] rewrite com/sun/jdi shell tests to java version - step3 + JDK-8210527: JShell: NullPointerException in jdk.jshell.Eval.translateExceptionStack + JDK-8210560: [TEST] convert com/sun/jdi redefineClass-related tests + JDK-8210725: com/sun/jdi/RedefineClearBreakpoint.java fails with waitForPrompt timed out after 60 seconds + JDK-8210748: [TESTBUG] lib.jdb.Jdb.waitForPrompt() should clarify which output is the pending reply after a timeout + JDK-8210760: [TEST] rewrite com/sun/jdi shell tests to java version - step4 + JDK-8210977: jdk/jfr/event/oldobject/TestThreadLocalLeak.java fails to find ThreadLocalObject + JDK-8211292: [TEST] convert com/sun/jdi/DeferredStepTest.sh test + JDK-8211694: JShell: Redeclared variable should be reset + JDK-8212200: assert when shared java.lang.Object is redefined by JVMTI agent + JDK-8212629: [TEST] wrong breakpoint in test/jdk/com/sun/jdi/DeferredStepTest + JDK-8212665: com/sun/jdi/DeferredStepTest.java: jj1 (line 57) - unexpected. lastLine=52, minLine=52, maxLine=55 + JDK-8212807: tools/jar/multiRelease/Basic.java times out + JDK-8213182: Minimal VM build failure after JDK-8212200 (assert when shared java.lang.Object is redefined by JVMTI agent) + JDK-8213214: Set -Djava.io.tmpdir= when running tests + JDK-8213275: ReplaceCriticalClasses.java fails with jdk.internal.vm.PostVMInitHook not found + JDK-8213574: Deadlock in string table expansion when dumping lots of CDS classes + JDK-8213703: LambdaConversionException: Invalid receiver type not a subtype of implementation type interface + JDK-8214074: Ghash optimization using AVX instructions + JDK-8214491: Upgrade to JLine 3.9.0 + JDK-8214797: TestJmapCoreMetaspace.java timed out + JDK-8215243: JShell tests failing intermitently with 'Problem cleaning up the following threads:' + JDK-8215244: jdk/jshell/ToolBasicTest.java testHistoryReference failed + JDK-8215354: x86_32 build failures after JDK-8214074 (Ghash optimization using AVX instructions) + JDK-8215438: jshell tool: Ctrl-D causes EOF + JDK-8216021: RunTest.gmk might set concurrency level to 1 on Windows + JDK-8216974: HttpConnection not returned to the pool after 204 response + JDK-8218948: SimpleDateFormat :: format - Zone Names are not reflected correctly during run time + JDK-8219712: code_size2 (defined in stub_routines_x86.hpp) is too small on new Skylake CPUs + JDK-8220150: macos10.14 Mojave returns anti-aliased glyphs instead of aliased B&W glyphs + JDK-8221658: aarch64: add necessary predicate for ubfx patterns + JDK-8221759: Crash when completing 'java.io.File.path' + JDK-8221918: runtime/SharedArchiveFile/serviceability/ /ReplaceCriticalClasses.java fails: Shared archive not found + JDK-8222074: Enhance auto vectorization for x86 + JDK-8222079: Don't use memset to initialize fields decode_env constructor in disassembler.cpp + JDK-8222769: [TESTBUG] TestJFRNetworkEvents should not rely on hostname command + JDK-8223688: JShell: crash on the instantiation of raw anonymous class + JDK-8223777: In posix_spawn mode, failing to exec() jspawnhelper does not result in an error + JDK-8223940: Private key not supported by chosen signature algorithm + JDK-8224184: jshell got IOException at exiting with AIX + JDK-8224234: compiler/codegen/TestCharVect2.java fails in test_mulc + JDK-8225037: java.net.JarURLConnection::getJarEntry() throws NullPointerException + JDK-8225625: AES Electronic Codebook (ECB) encryption and decryption optimization using AVX512 + VAES instructions + JDK-8226536: Catch OOM from deopt that fails rematerializing objects + JDK-8226575: OperatingSystemMXBean should be made container aware + JDK-8226697: Several tests which need the @key headful keyword are missing it. + JDK-8226809: Circular reference in printed stack trace is not correctly indented & ambiguous + JDK-8227059: sun/security/tools/keytool/ /DefaultSignatureAlgorithm.java timed out + JDK-8227269: Slow class loading when running with JDWP + JDK-8227595: keytool/fakegen/DefaultSignatureAlgorithm.java fails due to 'exitValue = 6' + JDK-8228448: Jconsole can't connect to itself + JDK-8228967: Trust/Key store and SSL context utilities for tests + JDK-8229378: jdwp library loader in linker_md.c quietly truncates on buffer overflow + JDK-8229815: Upgrade Jline to 3.12.1 + JDK-8230000: some httpclients testng tests run zero test + JDK-8230002: javax/xml/jaxp/unittest/transform/ /SecureProcessingTest.java runs zero test + JDK-8230010: Remove jdk8037819/BasicTest1.java + JDK-8230094: CCE in createXMLEventWriter(Result) over an arbitrary XMLStreamWriter + JDK-8230402: Allocation of compile task fails with assert: 'Leaking compilation tasks?' + JDK-8230767: FlightRecorderListener returns null recording + JDK-8230870: (zipfs) Add a ZIP FS test that is similar to test/jdk/java/util/zip/EntryCount64k.java + JDK-8231209: [REDO] ThreadMXBean::getThreadAllocatedBytes() can be quicker for self thread + JDK-8231586: enlarge encoding space for OopMapValue offsets + JDK-8231953: Wrong assumption in assertion in oop::register_oop + JDK-8231968: getCurrentThreadAllocatedBytes default implementation s/b getThreadAllocatedBytes + JDK-8232083: Minimal VM is broken after JDK-8231586 + JDK-8232161: Align some one-way conversion in MS950 charset with Windows + JDK-8232855: jshell missing word in /help help + JDK-8233027: OopMapSet::all_do does oms.next() twice during iteration + JDK-8233228: Disable weak named curves by default in TLS, CertPath, and Signed JAR + JDK-8233386: Initialize NULL fields for unused decorations + JDK-8233452: java.math.BigDecimal.sqrt() with RoundingMode.FLOOR results in incorrect result + JDK-8233686: XML transformer uses excessive amount of memory + JDK-8233741: AES Countermode (AES-CTR) optimization using AVX512 + VAES instructions + JDK-8233829: javac cannot find non-ASCII module name under non-UTF8 environment + JDK-8233958: Memory retention due to HttpsURLConnection finalizer that serves no purpose + JDK-8234011: (zipfs) Memory leak in ZipFileSystem.releaseDeflater() + JDK-8234058: runtime/CompressedOops/ /CompressedClassPointers.java fails with 'Narrow klass base: 0x0000000000000000' missing from stdout/stderr + JDK-8234149: Several regression tests do not dispose Frame at end + JDK-8234347: 'Turkey' meta time zone does not generate composed localized names + JDK-8234385: [TESTBUG] java/awt/EventQueue/6980209/ /bug6980209.java fails in linux nightly + JDK-8234535: Cross compilation fails due to missing CFLAGS for the BUILD_CC + JDK-8234541: C1 emits an empty message when it inlines successfully + JDK-8234687: change javap reporting on unknown attributes + JDK-8236464: SO_LINGER option is ignored by SSLSocket in JDK 11 + JDK-8236548: Localized time zone name inconsistency between English and other locales + JDK-8236617: jtreg test containers/docker/ /TestMemoryAwareness.java fails after 8226575 + JDK-8237182: Update copyright header for shenandoah and epsilon files + JDK-8237888: security/infra/java/security/cert/ /CertPathValidator/certification/LuxTrustCA.java fails when checking validity interval + JDK-8237977: Further update javax/net/ssl/compatibility/Compatibility.java + JDK-8238270: java.net HTTP/2 client does not decrease stream count when receives 204 response + JDK-8238284: [macos] Zero VM build fails due to an obvious typo + JDK-8238380: java.base/unix/native/libjava/childproc.c 'multiple definition' link errors with GCC10 + JDK-8238386: (sctp) jdk.sctp/unix/native/libsctp/SctpNet.c 'multiple definition' link errors with GCC10 + JDK-8238388: libj2gss/NativeFunc.o 'multiple definition' link errors with GCC10 + JDK-8238448: RSASSA-PSS signature verification fail when using certain odd key sizes + JDK-8238710: LingeredApp doesn't log stdout/stderr if exits with non-zero code + JDK-8239083: C1 assert(known_holder == NULL || (known_holder->is_instance_klass() && (!known_holder->is_interface() || ((ciInstanceKlass*)known_holder)->has_nonstatic_concrete_methods())), 'should be non-static concrete method'); + JDK-8239385: KerberosTicket client name refers wrongly to sAMAccountName in AD + JDK-8240169: javadoc fails to link to non-modular api docs + JDK-8240295: hs_err elapsed time in seconds is not accurate enough + JDK-8240360: NativeLibraryEvent has wrong library name on Linux + JDK-8240676: Meet not symmetric failure when running lucene on jdk8 + JDK-8241007: Shenandoah: remove ShenandoahCriticalControlThreadPriority support + JDK-8241065: Shenandoah: remove leftover code after JDK-8231086 + JDK-8241086: Test runtime/NMT/HugeArenaTracking.java is failing on 32bit Windows + JDK-8241130: com.sun.jndi.ldap.EventSupport.removeDeadNotifier: java.lang.NullPointerException + JDK-8241138: http.nonProxyHosts=* causes StringIndexOutOfBoundsException in DefaultProxySelector + JDK-8241319: WB_GetCodeBlob doesn't have ResourceMark + JDK-8241478: vmTestbase/gc/gctests/Steal/steal001/steal001.java fails with OOME + JDK-8241574: Shenandoah: remove ShenandoahAssertToSpaceClosure + JDK-8241750: x86_32 build failure after JDK-8227269 + JDK-8242184: CRL generation error with RSASSA-PSS + JDK-8242283: Can't start JVM when java home path includes non-ASCII character + JDK-8242556: Cannot load RSASSA-PSS public key with non-null params from byte array + JDK-8243029: Rewrite javax/net/ssl/compatibility/ /Compatibility.java with a flexible interop test framework + JDK-8243138: Enhance BaseLdapServer to support starttls extended request + JDK-8243320: Add SSL root certificates to Oracle Root CA program + JDK-8243321: Add Entrust root CA - G4 to Oracle Root CA program + JDK-8243389: enhance os::pd_print_cpu_info on linux + JDK-8243453: java --describe-module failed with non-ASCII module name under non-UTF8 environment + JDK-8243470: [macos] bring back O2 opt level for unsafe.cpp + JDK-8243489: Thread CPU Load event may contain wrong data for CPU time under certain conditions + JDK-8243925: Toolkit#getScreenInsets() returns wrong value on HiDPI screens (Windows) + JDK-8244087: 2020-04-24 public suffix list update + JDK-8244151: Update MUSCLE PC/SC-Lite headers to the latest release 1.8.26 + JDK-8244164: AArch64: jaotc generates incorrect code for compressed OOPs with non-zero heap base + JDK-8244196: adjust output in os_linux + JDK-8244225: stringop-overflow warning on strncpy call from compile_the_world_in + JDK-8244287: JFR: Methods samples have line number 0 + JDK-8244703: 'platform encoding not initialized' exceptions with debugger, JNI + JDK-8244719: CTW: C2 compilation fails with 'assert(!VerifyHashTableKeys || _hash_lock == 0) failed: remove node from hash table before modifying it' + JDK-8244729: Shenandoah: remove resolve paths from SBSA::generate_shenandoah_lrb + JDK-8244763: Update --release 8 symbol information after JSR 337 MR3 + JDK-8244818: Java2D Queue Flusher crash while moving application window to external monitor + JDK-8245151: jarsigner should not raise duplicate warnings on verification + JDK-8245616: Bump update version for OpenJDK: jdk-11.0.9 + JDK-8245714: 'Bad graph detected in build_loop_late' when loads are pinned on loop limit check uncommon branch + JDK-8245801: StressRecompilation triggers assert 'redundunt OSR recompilation detected. memory leak in CodeCache!' + JDK-8245832: JDK build make-static-libs should build all JDK libraries + JDK-8245880: Shenandoah: check class unloading flag early in concurrent code root scan + JDK-8245981: Upgrade to jQuery 3.5.1 + JDK-8246027: Minimal fastdebug build broken after JDK-8245801 + JDK-8246094: [macos] Sound Recording and playback is not working + JDK-8246153: TestEliminateArrayCopy fails with -XX:+StressReflectiveCode + JDK-8246193: Possible NPE in ENC-PA-REP search in AS-REQ + JDK-8246196: javax/management/MBeanServer/OldMBeanServerTest fails with AssertionError + JDK-8246203: Segmentation fault in verification due to stack overflow with -XX:+VerifyIterativeGVN + JDK-8246330: Add TLS Tests for Legacy ECDSA curves + JDK-8246453: TestClone crashes with 'all collected exceptions must come from the same place' + JDK-8247246: Add explicit ResolvedJavaType.link and expose presence of default methods + JDK-8247350: [aarch64] assert(false) failed: wrong size of mach node + JDK-8247502: PhaseStringOpts crashes while optimising effectively dead code + JDK-8247615: Initialize the bytes left for the heap sampler + JDK-8247824: CTW: C2 (Shenandoah) compilation fails with SEGV in SBC2Support::pin_and_expand + JDK-8247874: Replacement in VersionProps.java.template not working when --with-vendor-bug-url contains '&' + JDK-8247979: aarch64: missing side effect of killing flags for clearArray_reg_reg + JDK-8248214: Add paddings for TaskQueueSuper to reduce false-sharing cache contention + JDK-8248219: aarch64: missing memory barrier in fast_storefield and fast_accessfield + JDK-8248348: Regression caused by the update to BCEL 6.0 + JDK-8248385: [testbug][11u] Adapt TestInitiExceptions to jtreg 5.1 + JDK-8248495: [macos] zerovm is broken due to libffi headers location + JDK-8248851: CMS: Missing memory fences between free chunk check and klass read + JDK-8248987: AOT's Linker.java seems to eagerly fail-fast on Windows + JDK-8249159: Downport test rework for SSLSocketTemplate from 8224650 + JDK-8249215: JFrame::setVisible crashed with -Dfile.encoding=UTF-8 on Japanese Windows. + JDK-8249251: [dark_mode ubuntu 20.04] The selected menu is not highlighted in GTKLookAndFeel + JDK-8249255: Build fails if source code in cygwin home dir + JDK-8249277: TestVerifyIterativeGVN.java is failing with timeout in OpenJDK 11 + JDK-8249278: Revert JDK-8226253 which breaks the spec of AccessibleState.SHOWING for JList + JDK-8249560: Shenandoah: Fix racy GC request handling + JDK-8249801: Shenandoah: Clear soft-refs on requested GC cycle + JDK-8249953: Shenandoah: gc/shenandoah/mxbeans tests should account for corner cases + JDK-8250582: Revert Principal Name type to NT-UNKNOWN when requesting TGS Kerberos tickets + JDK-8250609: C2 crash in IfNode::fold_compares + JDK-8250627: Use -XX:+/-UseContainerSupport for enabling/disabling Java container metrics + JDK-8250755: Better cleanup for jdk/test/javax/imageio/plugins/shared/CanWriteSequence.java + JDK-8250787: Provider.put no longer registering aliases in FIPS env + JDK-8250826: jhsdb does not work with coredump which comes from Substrate VM + JDK-8250827: Shenandoah: needs to reset/finish StringTable's dead count before/after parallel walk + JDK-8250844: Make sure {type,obj}ArrayOopDesc accessors check the bounds + JDK-8251117: Cannot check P11Key size in P11Cipher and P11AEADCipher + JDK-8251354: Shenandoah: Fix jdk/jfr/tool/TestPrintJSON.java test failure + JDK-8251451: Shenandoah: Remark ObjectSynchronizer roots with I-U + JDK-8251469: Better cleanup for test/jdk/javax/imageio/SetOutput.java + JDK-8251487: Shenandoah: missing detail timing tracking for final mark cleaning phase + JDK-8252120: compiler/oracle/TestCompileCommand.java misspells 'occured' + JDK-8252157: JDK-8231209 11u backport breaks jmm binary compatibility + JDK-8252258: [11u] JDK-8242154 changes the default vendor + JDK-8252804: [test] Fix 'ReleaseDeflater.java' test after downport of 8234011 + JDK-8253134: JMM_VERSION should remain at 0x20020000 (JDK 10) in JDK 11 + JDK-8253283: [11u] Test build/translations/ /VerifyTranslations.java failing after JDK-8252258 + JDK-8253813: Backout JDK-8244287 from 11u: it causes several crashes + Fix regression '8250861: Crash in MinINode::Ideal(PhaseGVN*, bool)' introduced in jdk 11.0.9 ----------------------------------------- Patch: SUSE-2020-3384 Released: Thu Nov 19 11:33:53 2020 Summary: Security update for perl-DBI Severity: moderate References: 1176492,CVE-2014-10401,CVE-2014-10402 Description: This update for perl-DBI fixes the following issues: - DBD::File drivers can open files from folders other than those specifically passed via the f_dir attribute in the data source name (DSN). [bsc#1176492, CVE-2014-10401, CVE-2014-10402] ----------------------------------------- Patch: SUSE-2020-3452 Released: Thu Nov 19 19:42:47 2020 Summary: Recommended update for tomcat Severity: moderate References: 1178396 Description: This update for tomcat fixes the following issues: - Fixes an issue when after removing package rest remained in 'examples'. - Remove 'tomcat-9.0.init' and '/usr/lib/tmpfiles.d/tomcat.conf' because of using systemd. (bsc#1178396) ----------------------------------------- Patch: SUSE-2020-3462 Released: Fri Nov 20 13:14:35 2020 Summary: Recommended update for pam and sudo Severity: moderate References: 1174593,1177858,1178727 Description: This update for pam and sudo fixes the following issue: pam: - pam_xauth: do not *free* a string which has been successfully passed to *putenv*. (bsc#1177858) - Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727) - Run /usr/bin/xauth using the old user's and group's identifiers. (bsc#1174593) sudo: - Fix a problem with pam_xauth which checks effective and real uids to get the real identity of the user. (bsc#1174593) ----------------------------------------- Patch: SUSE-2020-3620 Released: Thu Dec 3 17:03:55 2020 Summary: Recommended update for pam Severity: moderate References: Description: This update for pam fixes the following issues: - Check if the password is part of the username. (jsc#SLE-16719, jsc#SLE-16720) - Check whether the password contains a substring of of the user's name of at least `` characters length in some form. This is enabled by the new parameter `usersubstr=` ----------------------------------------- Patch: SUSE-2020-3640 Released: Mon Dec 7 13:24:41 2020 Summary: Recommended update for binutils Severity: important References: 1179036,1179341 Description: This update for binutils fixes the following issues: Update binutils 2.35 branch to commit 1c5243df: * Fixes PR26520, aka [bsc#1179036], a problem in addr2line with certain DWARF variable descriptions. * Also fixes PR26711, PR26656, PR26655, PR26929, PR26808, PR25878, PR26740, PR26778, PR26763, PR26685, PR26699, PR26902, PR26869, PR26711 * The above includes fixes for dwo files produced by modern dwp, fixing several problems in the DWARF reader. Update binutils to 2.35.1 and rebased branch diff: * This is a point release over the previous 2.35 version, containing bug fixes, and as an exception to the usual rule, one new feature. The new feature is the support for a new directive in the assembler: '.nop'. This directive creates a single no-op instruction in whatever encoding is correct for the target architecture. Unlike the .space or .fill this is a real instruction, and it does affect the generation of DWARF line number tables, should they be enabled. This fixes an incompatibility introduced in the latest update that broke the install scripts of the Oracle server. [bsc#1179341] ----------------------------------------- Patch: SUSE-2020-3749 Released: Thu Dec 10 14:39:28 2020 Summary: Security update for gcc7 Severity: moderate References: 1150164,1161913,1167939,1172798,1178577,1178614,1178624,1178675,CVE-2020-13844 Description: This update for gcc7 fixes the following issues: - CVE-2020-13844: Added mitigation for aarch64 Straight Line Speculation issue (bsc#1172798) - Enable fortran for the nvptx offload compiler. - Update README.First-for.SuSE.packagers - avoid assembler errors with AVX512 gather and scatter instructions when using -masm=intel. - Backport the aarch64 -moutline-atomics feature and accumulated fixes but not its default enabling. [jsc#SLE-12209, bsc#1167939] - Fixed 32bit libgnat.so link. [bsc#1178675] - Fixed memcpy miscompilation on aarch64. [bsc#1178624, bsc#1178577] - Fixed debug line info for try/catch. [bsc#1178614] - Remove -mbranch-protection=standard (aarch64 flag) when gcc7 is used to build gcc7 (ie when ada is enabled) - Fixed corruption of pass private ->aux via DF. [gcc#94148] - Fixed debug information issue with inlined functions and passed by reference arguments. [gcc#93888] - Fixed binutils release date detection issue. - Fixed register allocation issue with exception handling code on s390x. [bsc#1161913] - Fixed miscompilation of some atomic code on aarch64. [bsc#1150164] ----------------------------------------- Patch: SUSE-2020-3767 Released: Fri Dec 11 16:06:22 2020 Summary: Recommended update for apache-commons-el Severity: low References: 1179637 Description: This update for apache-commons-el fixes the following issues: - Provide missing update dependencies for apache-commons-el. (bsc#1179637) ----------------------------------------- Patch: SUSE-2020-3791 Released: Mon Dec 14 17:39:19 2020 Summary: Recommended update for gzip Severity: moderate References: Description: This update for gzip fixes the following issue: - Enable `DFLTCC` (Deflate Conversion Call) compression for s390x for levels 1-6 to `CFLAGS`. (jsc#SLE-13775) Enable by adding `-DDFLTCC_LEVEL_MASK=0x7e` to `CFLAGS`. ----------------------------------------- Patch: SUSE-2020-3795 Released: Mon Dec 14 17:43:26 2020 Summary: Optional update for systemd-rpm-macros Severity: low References: 1059627,1178481,1179020 Description: This update for systemd-rpm-macros fixes the following issues: - Deprecate '-f'/'-n' options When used with %service_del_preun, support for these options will be dropped as DISABLE_STOP_ON_REMOVAL support will be removed on the next version of SLE (jsc#SLE-8968) When used with %service_del_postun, they should be replaced with their counterpart %service_del_postun_with_restart/%service_del_postun_without_restart - Introduced %service_del_postun_with_restart() It's the counterpart of %service_del_postun_without_restart() and replaces the '-f' option of %service_del_postun(). - Does no longer apply presets when migrating from a disabled initscript (bsc#1178481) - Fix importing of %{_unitdir} ----------------------------------------- Patch: SUSE-2020-3942 Released: Tue Dec 29 12:22:01 2020 Summary: Recommended update for libidn2 Severity: moderate References: 1180138 Description: This update for libidn2 fixes the following issues: - The library is actually dual licensed, GPL-2.0-or-later or LGPL-3.0-or-later, adjusted the RPM license tags (bsc#1180138) ----------------------------------------- Patch: SUSE-2021-41 Released: Thu Jan 7 11:51:31 2021 Summary: Security update for tomcat Severity: moderate References: 1179602,CVE-2020-17527 Description: This update for tomcat fixes the following issue: - CVE-2020-17527: Fixed a HTTP/2 request header mix-up (bsc#1179602). ----------------------------------------- Patch: SUSE-2021-79 Released: Tue Jan 12 10:49:34 2021 Summary: Recommended update for gcc7 Severity: moderate References: 1167939 Description: This update for gcc7 fixes the following issues: - Amend the gcc7 aarch64 atomics for glibc namespace violation with getauxval. [bsc#1167939] ----------------------------------------- Patch: SUSE-2021-176 Released: Wed Jan 20 09:49:05 2021 Summary: Security update for xstream Severity: important References: 1180145,1180146,1180994,CVE-2020-26217,CVE-2020-26258,CVE-2020-26259 Description: This update for xstream fixes the following issues: xstream was updated to version 1.4.15. - CVE-2020-26217: Fixed a remote code execution due to insecure XML deserialization when relying on blocklists (bsc#1180994). - CVE-2020-26258: Fixed a server-side request forgery vulnerability (bsc#1180146). - CVE-2020-26259: Fixed an arbitrary file deletion vulnerability (bsc#1180145). ----------------------------------------- Patch: SUSE-2021-207 Released: Mon Jan 25 16:16:05 2021 Summary: Recommended update for python-websockify Severity: moderate References: 1163513 Description: This update for python-websockify fixes the following issues: - Add 'python-numpy' as requirement. (bsc#1163513) ----------------------------------------- Patch: SUSE-2021-220 Released: Tue Jan 26 14:00:51 2021 Summary: Recommended update for keyutils Severity: moderate References: 1180603 Description: This update for keyutils fixes the following issues: - Adjust the library license to be LPGL-2.1+ only (the tools are GPL2+, the library is just LGPL-2.1+) (bsc#1180603) ----------------------------------------- Patch: SUSE-2021-243 Released: Fri Jan 29 09:37:29 2021 Summary: Security update for jackson-databind Severity: moderate References: 1177616,1180391,1181118,CVE-2020-25649,CVE-2020-35728,CVE-2021-20190 Description: This update for jackson-databind fixes the following issues: jackson-databind was updated to 2.10.5.1: * #2589: `DOMDeserializer`: setExpandEntityReferences(false) may not prevent external entity expansion in all cases (CVE-2020-25649, bsc#1177616) * #2787 (partial fix): NPE after add mixin for enum * #2679: 'ObjectMapper.readValue('123', Void.TYPE)' throws 'should never occur' ----------------------------------------- Patch: SUSE-2021-293 Released: Wed Feb 3 12:52:34 2021 Summary: Recommended update for gmp Severity: moderate References: 1180603 Description: This update for gmp fixes the following issues: - correct license statements of packages (library itself is no GPL-3.0) (bsc#1180603) ----------------------------------------- Patch: SUSE-2021-333 Released: Mon Feb 8 10:31:48 2021 Summary: Recommended update for SUSE Manager Client Tools Severity: moderate References: 1176823,1177884,1179555,1179566 Description: This update fixes the following issues: golang-github-prometheus-alertmanager: - Exclude s390 architecture - Update packaging * Remove systemd and shadow hard requirements * use the system user provided by the system-user-prometheus subpackge * add 'prometheus-alertmanager' package alias golang-github-prometheus-prometheus: - Update to upstream version 2.22.1 - Update packaging * Remove systemd and shadow hard requirements * use systemd-sysusers to configure the user in a dedicated 'system-user-prometheus' subpackage * add 'prometheus' package alias grafana: - Update packaging * avoid systemd and shadow hard requirements * Require the user from a new dedicated 'system-user-grafana' sibling package * avoid pinning to a specific Go version in the spec file - Update to version 7.3.1: * Breaking changes - CloudWatch: The AWS CloudWatch data source's authentication scheme has changed. See the upgrade notes for details and how this may affect you. - Units: The date time units `YYYY-MM-DD HH:mm:ss` and `MM/DD/YYYY h:mm:ss a` have been renamed to `Datetime ISO` and `Datetime US` respectively. * Features / Enhancements - AzureMonitor: Support decimal (as float64) type in analytics/logs. - Add monitoring mixing for Grafana. - CloudWatch: Missing Namespace AWS/EC2CapacityReservations. - CloudWatch: Add support for AWS DirectConnect virtual interface metrics and add missing dimensions. - CloudWatch: Adding support for Amazon ElastiCache Redis metrics. - CloudWatch: Adding support for additional Amazon CloudFront metrics. - CloudWatch: Re-implement authentication. - Elasticsearch: Support multiple pipeline aggregations for a query. - Prometheus: Add time range parameters to labels API. - Loki: Visually distinguish error logs for LogQL2. - Api: Add /healthz endpoint for health checks. - API: Enrich add user to org endpoints with user ID in the response. - API: Enrich responses and improve error handling for alerting API endpoints. - Elasticsearch: Add support for date_nanos type. - Elasticsearch: Allow fields starting with underscore. - Elasticsearch: Increase maximum geohash aggregation precision to 12. - Postgres: Support request cancellation properly (Uses new backendSrv.fetch Observable request API). - Provisioning: Remove provisioned dashboards without parental reader. - API: Return ID of the deleted resource for dashboard, datasource and folder DELETE endpoints. - API: Support paging in the admin orgs list API. - API: return resource ID for auth key creation, folder permissions update and user invite complete endpoints. - BackendSrv: Uses credentials, deprecates withCredentials & defaults to same-origin. - CloudWatch: Update list of AmazonMQ metrics and dimensions. - Cloudwatch: Add Support for external ID in assume role. - Cloudwatch: Add af-south-1 region. - DateFormats: Default ISO & US formats never omit date part even if date is today (breaking change). - Explore: Transform prometheus query to elasticsearch query. - InfluxDB/Flux: Increase series limit for Flux datasource. - InfluxDB: exclude result and table column from Flux table results. - InfluxDB: return a table rather than an error when timeseries is missing time. - Loki: Add scopedVars support in legend formatting for repeated variables. - Loki: Re-introduce running of instant queries. - Loki: Support request cancellation properly (Uses new backendSrv.fetch Observable request API). - MixedDatasource: Shows retrieved data even if a data source fails. - Postgres: Support Unix socket for host. - Prometheus: Add scopedVars support in legend formatting for repeated variables. - Prometheus: Support request cancellation properly (Uses new backendSrv.fetch Observable request API). - Prometheus: add $__rate_interval variable. - Table: Adds column filtering. - grafana-cli: Add ability to read password from stdin to reset admin password. - Variables: enables cancel for slow query variables queries. - AzureMonitor: fix panic introduced in 7.1.4 when unit was unspecified and alias was used. - TextPanel: Fix content overflowing panel boundaries. - Fix golang version = 1.14 to avoid dependency conflicts on some OBS projects - Update to version 7.0.0 * Remove phantomJS patch from Makefile mgr-osad: - Change the log file permissions as expected by logrotate (bsc#1177884) spacecmd: - Fix spacecmd with no parameters produces traceback on SLE 11 SP4 (bsc#1176823) - Added '-r REVISION' option to the 'configchannel_updateinitsls' command (bsc#1179566) - Fix: internal: workaround for future tee of logs translation uyuni-common-libs: - Section in Debian packages in now treated as optional (bsc#1179555) ----------------------------------------- Patch: SUSE-2021-339 Released: Mon Feb 8 13:16:07 2021 Summary: Optional update for pam Severity: low References: Description: This update for pam fixes the following issues: - Added rpm macros for this package, so that other packages can make use of it This patch is optional to be installed - it doesn't fix any bugs. ----------------------------------------- Patch: SUSE-2021-352 Released: Tue Feb 9 15:02:05 2021 Summary: Security update for java-11-openjdk Severity: important References: 1181239 Description: This update for java-11-openjdk fixes the following issues: java-11-openjdk was upgraded to include January 2021 CPU (bsc#1181239) - Enable Sheandoah GC for x86_64 (jsc#ECO-3171) ----------------------------------------- Patch: SUSE-2021-421 Released: Wed Feb 10 12:05:23 2021 Summary: Recommended update for hwdata Severity: low References: 1180422,1180482 Description: This update for hwdata fixes the following issues: - Added merge-pciids.pl to fully duplicate behavior of pciutils-ids (bsc#1180422, bsc#1180482) - Updated pci, usb and vendor ids. ----------------------------------------- Patch: SUSE-2021-526 Released: Fri Feb 19 12:46:27 2021 Summary: Recommended update for python-distro Severity: moderate References: Description: This update for python-distro fixes the following issues: Upgrade from version 1.2.0 to 1.5.0 (jsc#ECO-3212) - Backward compatibility: - Keep output as native string so we can compatible with python2 interface - Prefer the `VERSION_CODENAME` field of `os-release` to parsing it from `VERSION` - Bug Fixes: - Fix detection of RHEL 6 `ComputeNode` - Fix Oracle 4/5 `lsb_release` id and names - Ignore `/etc/plesk-release` file while parsing distribution - Return `_uname_info` from the `uname_info()` method - Fixed `CloudLinux` id discovery - Update Oracle matching - Warn about wrong locale. - Documentation: - Distro is the recommended replacement for `platform.linux_distribution` - Add Ansible reference implementation and fix arch-linux link - Add facter reference implementation ----------------------------------------- Patch: SUSE-2021-531 Released: Fri Feb 19 14:54:06 2021 Summary: Security update for tomcat Severity: moderate References: 1180947,CVE-2021-24122 Description: This update for tomcat fixes the following issues: - CVE-2021-24122: Fixed an information disclosure if resources are served from the NTFS file system (bsc#1180947). ----------------------------------------- Patch: SUSE-2021-596 Released: Thu Feb 25 10:26:30 2021 Summary: Recommended update for gcc7 Severity: moderate References: 1181618 Description: This update for gcc7 fixes the following issues: - Fixed webkit2gtk3 build (bsc#1181618) - Change GCC exception licenses to SPDX format - Remove include-fixed/pthread.h ----------------------------------------- Patch: SUSE-2021-644 Released: Fri Feb 26 11:21:54 2021 Summary: Recommended Beta update for SUSE Manager Client Tools Severity: moderate References: 1180583,1180585 Description: This update fixes the following issues: spacecmd: - Deprecated 'Software Crashes' feature - Document advanced package search on '--help' (bsc#1180583) - Fixed advanced search on 'package_listinstalledsystems' - Fixed duplicate results when using multiple search criteria (bsc#1180585) ----------------------------------------- Patch: SUSE-2021-654 Released: Fri Feb 26 20:01:10 2021 Summary: Security update for python-Jinja2 Severity: important References: 1181944,1182244,CVE-2020-28493 Description: This update for python-Jinja2 fixes the following issues: - CVE-2020-28493: Fixed a ReDOS vulnerability where urlize could have been called with untrusted user data (bsc#1181944). ----------------------------------------- Patch: SUSE-2021-656 Released: Mon Mar 1 09:34:21 2021 Summary: Recommended update for protobuf Severity: moderate References: 1177127 Description: This update for protobuf fixes the following issues: - Add missing dependency of python subpackages on python-six. (bsc#1177127) ----------------------------------------- Patch: SUSE-2021-707 Released: Thu Mar 4 09:19:36 2021 Summary: Recommended update for systemd-rpm-macros Severity: moderate References: 1177039 Description: This update for systemd-rpm-macros fixes the following issues: - Bump to version 6 - Make upstream '%systemd_{pre,post,preun,postun}' aliases to their SUSE counterparts. Packagers can now choose to use the upstream or the SUSE variants indifferently. For consistency the SUSE variants should be preferred since almost all SUSE packages already use them but the upstream versions might be usefull in certain cases where packages need to support multiple distros based on RPM. - Improve the logic used to apply the presets. (bsc#1177039) Before presests were applied at a) package installation b) new units introduced via a package update (but after making sure that it was not a SysV initscript being converted). The problem is that a) didn't handle package a renaming or split properly since the package with the new name is installed rather being updated and therefore the presets were applied even if they were already with the old name. We now cover this case (and the other ones) by applying presets only if the units are new and the services are not being migrated. This regardless of whether this happens during an install or an update. ----------------------------------------- Patch: SUSE-2021-784 Released: Mon Mar 15 11:19:08 2021 Summary: Recommended update for efivar Severity: moderate References: 1181967 Description: This update for efivar fixes the following issues: - Fixed an issue with the NVME path parsing (bsc#1181967) ----------------------------------------- Patch: SUSE-2021-792 Released: Tue Mar 16 08:43:01 2021 Summary: Security update for netty Severity: moderate References: 1183262,CVE-2021-21295 Description: This update for netty fixes the following issues: - CVE-2021-21295: Fixed an improper Content-Length header field validation (bsc#1183262). : ----------------------------------------- Patch: SUSE-2021-795 Released: Tue Mar 16 10:28:02 2021 Summary: Recommended update for systemd-rpm-macros Severity: low References: 1182661,1183012,1183051 Description: This update for systemd-rpm-macros fixes the following issues: - Added a %systemd_user_pre macro (bsc#1183051, bsc#1183012) - Fixed an issue with %systemd_user_post, where the --global parameter was treated like if it was another service (bsc#1183051, bsc#1182661) ----------------------------------------- Patch: SUSE-2021-880 Released: Fri Mar 19 04:14:38 2021 Summary: Recommended update for hwdata Severity: low References: 1170160,1182482 Description: This update for hwdata fixes the following issues: - Updated pci, usb and vendor ids (bsc#1182482, bsc#1170160, jsc#SLE-13791) ----------------------------------------- Patch: SUSE-2021-906 Released: Fri Mar 19 16:18:34 2021 Summary: Recommended maintenance update for SUSE Manager 4.1: Server and Proxy Severity: moderate References: 1157711,1173893,1175660,1177508,1179579,1180145,1180146,1180224,1180439,1180547,1180558,1180757,1180994,1181048,1181165,1181228,1181290,1181416,1181423,1181635,1181807,1181814,1182001,1182006,1182008,1182071,1182200,1182492,1182685,CVE-2020-26217,CVE-2020-26258,CVE-2020-26259,CVE-2020-28477 Description: Maintenance update for SUSE Manager 4.1: Server and Proxy This is a codestream only patchinfo. ----------------------------------------- Patch: SUSE-2021-924 Released: Tue Mar 23 10:00:49 2021 Summary: Recommended update for filesystem Severity: moderate References: 1078466,1146705,1175519,1178775,1180020,1180083,1180596,1181011,1181831,1183094 Description: This update for filesystem the following issues: - Remove duplicate line due to merge error - Add fix for 'mesa' creating cache with perm 0700. (bsc#1181011) - Fixed an issue causing failure during installation/upgrade a failure. (rh#1548403) (bsc#1146705) - Allows to override config to add cleanup options of '/var/tmp'. (bsc#1078466) - Create config to cleanup '/tmp' regular required with 'tmpfs'. (bsc#1175519) This update for systemd fixes the following issues: - Fix for a possible memory leak. (bsc#1180020) - Fix for a case when to a bind mounted directory results inactive mount units. (#7811) (bsc#1180596) - Fixed an issue when starting a container conflicts with another one. (bsc#1178775) - Drop most of the tmpfiles that deal with generic paths and avoid warnings. (bsc#1078466, bsc#1181831) - Don't use shell redirections when calling a rpm macro. (bsc#1183094) - 'systemd' requires 'aaa_base' >= 13.2. (bsc#1180083) ----------------------------------------- Patch: SUSE-2021-927 Released: Tue Mar 23 14:07:06 2021 Summary: Recommended update for libreoffice Severity: moderate References: 1041090,1049382,1116658,1136234,1155141,1173404,1173409,1173410,1173471,1174465,1176547,1177955,1178807,1178943,1178944,1179025,1179203,1181122,1181644,1181872,1182790 Description: This update for libreoffice provides the upgrade from version 6.4.5.2 to 7.1.1.2 (jsc#ECO-3150, bsc#1182790) libreoffice: - Image shown with different aspect ratio (bsc#1176547) - Text changes are reproducibly lost on PPTX with SmartArt (bsc#1181644) - Adjust to new Box2D and enable KDE on SUSE Linux Enterprise 15-SP3 or newer (jsc#ECO-3375) - Wrong bullet points in Impress (bsc#1174465) - SmartArt: text wrongly aligned, background boxes not quite right (bsc#1177955) - Update the SUSE color palette to reflect the new SUSE branding. (bsc#1181122, bsc#1173471) - SUSE Mint - SUSE Midnight Blue - SUSE Waterhole Blue - SUSE Persimmon - Fix a crash opening a PPTX. (bsc#1179025) - Fix text box from PowerPoint renders vertically instead of horizontally (bsc#1178807) - Shadow effects for table completely missing (bsc#1178944, bsc#1178943) - Disable firebird integration for the time being (bsc#1179203) - Fixes hang on Writer on scrolling/saving of a document (bsc#1136234) - Wrong rendering of bulleted lists in PPTX document (bsc#1155141) - Sidebar: paragraph widget: numeric fields become inactive/unaccessible after saving (bsc#1173404) - Crash of Writer opening any document having 'invalid' python file in home directory (bsc#1116658) libixion: Update to 0.16.1: - fixed a build issue on 32-bit linux platforms, caused by slicing of integer string ID values. - worked around floating point rounding errors which prevented two theoretically-equal numeric values from being evaluated as equal in test code. - added new function to allow printing of single formula tokens. - added method for setting cached results on formula cells in model_context. - changed the model_context design to ensure that all sheets are of the same size. - added an accessor method to formula_model_access interface (and implicitly in model_context) that directly returns a string value from cell. - added cell_access class for querying of cell states without knowing its type ahead of time. - added document class which provides a layer on top of model_context, to abstract away the handling of formula calculations. - deprecated model_context::erase_cell() in favor of empty_cell(). - added support for 3D references - references that contain multiple sheets. - added support for the exponent (^) and concatenation (&) operators. - fixed incorrect handling of range references containing whole columns such as A:A. - added support for unordered range references - range references whose start row or column is greater than their end position counterparts, such as A3:A1. - fixed a bug that prevented nested formula functions from working properly. - implemented Calc A1 style reference resolver. - formula results now directly store the string values when the results are of string type. They previously stored string ID values after interning the original strings. - Removed build-time dependency on spdlog. libmwaw: Update to 0.3.17: - add a parser for Jazz(Lotus) writer and spreasheet files. The writer parser can only be called if the file still contains its resource fork - add a parser for Canvas 3 and 3.5 files - AppleWorks parser: try to retrieve more Windows presentation - add a parser for Drawing Table files - add a parser for Canvas 2 files - API: add new reserved enums in MWAWDocument.hxx `MWAW_T_RESERVED10..MWAW_T_RESERVED29` and add a new define in libmwaw.hxx `MWAW_INTERFACE_VERSION` to check if these enums are defined - remove the QuarkXPress parser (must be in libqxp) - retrieve the annotation in MsWord 5 document - try to better understand RagTime 5-6 document libnumbertext: Update to 1.0.6 liborcus: Update to 0.16.1 - Add upstream changes to fix build with GCC 11 (bsc#1181872) libstaroffice: Update to 0.0.7: - fix `text:sender-lastname` when creating meta-data libwps: Update to 0.4.11: - XYWrite: add a parser to .fil v2 and v4 files - wks,wk1: correct some problems when retrieving cell's reference. glfw: New package provided on version 3.3.2: - See also: https://www.glfw.org/changelog.html - Sort list of input files to geany for reproducible builds (bsc#1049382, bsc#1041090) * Require pkgconfig(gl) for the devel package to supply needed include GL/gl.h * glfwFocusWindow could terminate on older WMs or without a WM * Creating an undecorated window could fail with BadMatch * Querying a disconnected monitor could segfault * Video modes with a duplicate screen area were discarded * The CMake files did not check for the XInput headers * Key names were not updated when the keyboard layout changed * Decorations could not be enabled after window creation * Content scale fallback value could be inconsistent * Disabled cursor mode was interrupted by indicator windows * Monitor physical dimensions could be reported as zero mm * Window position events were not emitted during resizing * Added on-demand loading of Vulkan and context creation API libraries * [X11] Bugfix: Window size limits were ignored if the minimum or maximum size was set to `GLFW_DONT_CARE` * [X11] Bugfix: Input focus was set before window was visible, causing BadMatch on some non-reparenting WMs * [X11] Bugfix: glfwGetWindowPos and glfwSetWindowPos operated on the window frame instead of the client area * [WGL] Added reporting of errors from `WGL_ARB_create_context` extension * [EGL] Added lib prefix matching between EGL and OpenGL ES library binaries * [EGL] Bugfix: Dynamically loaded entry points were not verified - Made build of geany-tags optional. Box2D: New package provided on version 2.4.1: * Extended distance joint to have a minimum and maximum limit. * `B2_USER_SETTINGS` and `b2_user_settings.h` can control user data, length units, and maximum polygon vertices. * Default user data is now uintptr_t instead of void* * b2FixtureDef::restitutionThreshold lets you set the restitution velocity threshold per fixture. * Collision * Chain and edge shape must now be one-sided to eliminate ghost collisions * Broad-phase optimizations * Added b2ShapeCast for linear shape casting * Dynamics * Joint limits are now predictive and not stateful * Experimental 2D cloth (rope) * b2Body::SetActive -> b2Body::SetEnabled * Better support for running multiple worlds * Handle zero density better * The body behaves like a static body * The body is drawn with a red color * Added translation limit to wheel joint * World dump now writes to box2d_dump.inl * Static bodies are never awake * All joints with spring-dampers now use stiffness and damping * Added utility functions to convert frequency and damping ratio to stiffness and damping * Polygon creation now computes the convex hull. * The convex hull code will merge vertices closer than dm_linearSlop. ----------------------------------------- Patch: SUSE-2021-933 Released: Wed Mar 24 12:16:14 2021 Summary: Security update for ruby2.5 Severity: important References: 1177125,1177222,CVE-2020-25613 Description: This update for ruby2.5 fixes the following issues: - CVE-2020-25613: Fixed a potential HTTP Request Smuggling in WEBrick (bsc#1177125). - Enable optimizations also on ARM64 (bsc#1177222) ----------------------------------------- Patch: SUSE-2021-952 Released: Thu Mar 25 14:36:56 2021 Summary: Recommended update for libunwind Severity: moderate References: 1160876,1171549 Description: This update for libunwind fixes the following issues: - Update to version 1.5.0. (jsc#ECO-3395) - Enable s390x for building. (jsc#ECO-3395) - Fix compilation with 'fno-common'. (bsc#1171549) - Fix build with 'GCC-10'. (bsc#1160876) ----------------------------------------- Patch: SUSE-2021-974 Released: Mon Mar 29 19:31:27 2021 Summary: Security update for tar Severity: low References: 1181131,CVE-2021-20193 Description: This update for tar fixes the following issues: CVE-2021-20193: Memory leak in read_header() in list.c (bsc#1181131) ----------------------------------------- Patch: SUSE-2021-1007 Released: Thu Apr 1 17:47:20 2021 Summary: Security update for MozillaFirefox Severity: important References: 1183942,CVE-2021-23981,CVE-2021-23982,CVE-2021-23984,CVE-2021-23987 Description: This update for MozillaFirefox fixes the following issues: - Firefox was updated to 78.9.0 ESR (MFSA 2021-11, bsc#1183942) * CVE-2021-23981: Texture upload into an unbound backing buffer resulted in an out-of-bound read * CVE-2021-23982: Internal network hosts could have been probed by a malicious webpage * CVE-2021-23984: Malicious extensions could have spoofed popup information * CVE-2021-23987: Memory safety bugs ----------------------------------------- Patch: SUSE-2021-1008 Released: Thu Apr 1 17:49:05 2021 Summary: Security update for tomcat Severity: important References: 1182909,1182912,CVE-2021-25122,CVE-2021-25329 Description: This update for tomcat fixes the following issues: CVE-2021-25122: Apache Tomcat h2c request mix-up (bsc#1182912) CVE-2021-25329: Complete fix for CVE-2020-9484 (bsc#1182909) ----------------------------------------- Patch: SUSE-2021-1018 Released: Tue Apr 6 14:29:13 2021 Summary: Recommended update for gzip Severity: moderate References: 1180713 Description: This update for gzip fixes the following issues: - Fixes an issue when 'gzexe' counts the lines to skip wrong. (bsc#1180713) ----------------------------------------- Patch: SUSE-2021-1169 Released: Tue Apr 13 15:01:42 2021 Summary: Recommended update for procps Severity: low References: 1181976 Description: This update for procps fixes the following issues: - Corrected a statement in the man page about processor pinning via taskset (bsc#1181976) ----------------------------------------- Patch: SUSE-2021-1230 Released: Thu Apr 15 17:09:58 2021 Summary: Recommended update for SUSE Manager Client Tools Severity: moderate References: 1131670,1178072,1181124,1181474,1182339,1182603,1183959 Description: This update fixes the following issues: golang-github-boynux-squid_exporter: - Build requires Go 1.15 - Add %license macro for LICENSE file golang-github-lusitaniae-apache_exporter: - Build with Go 1.15 golang-github-prometheus-prometheus: - Uyuni: `hostname` label is now set to FQDN instead of IP grafana: - Update to version 7.4.2: * Make Datetime local (No date if today) working (#31274) (#31275) * 'Release: Updated versions in package to 7.4.2' (#31272) * [v7.4.x] Chore: grafana-toolkit uses grafana-ui and grafana-data workspaces (#31269) * Snapshots: Disallow anonymous user to create snapshots (#31263) (#31266) * only update usagestats every 30min (#31131) (#31262) * Prometheus: Fix enabling of disabled queries when editing in dashboard (#31055) (#31248) * CloudWatch: Ensure empty query row errors are not passed to the panel (#31172) (#31245) * StatPanels: Fixes to palette color scheme is not cleared when loading panel (#31126) (#31246) * QueryEditors: Fixes issue that happens after moving queries then editing would update other queries (#31193) (#31244) * LibraryPanels: Disconnect before connect during dashboard save (#31235) (#31238) * SqlDataSources: Fixes the Show Generated SQL button in query editors (#31236) (#31239) * Variables: Adds back default option for data source variable (#31208) (#31232) * IPv6: Support host address configured with enclosing square brackets (#31226) (#31228) * Postgres: Fix timeGroup macro converts long intervals to invalid numbers when TimescaleDB is enabled (#31179) (#31224) * Remove last synchronisation field from LDAP debug view (#30984) (#31221) * [v7.4.x]: Sync drone config from master to stable release branch (#31213) * DataSourceSrv: Filter out non queryable data sources by default (#31144) (#31214) * Alerting: Fix modal text for deleting obsolete notifier (#31171) (#31209) * Variables: Fixes missing empty elements from regex filters (#31156) (#31201) * DashboardLinks: Fixes links always cause full page reload (#31178) (#31181) * DashboardListPanel: Fixes issue with folder picker always showing All and using old form styles (#31160) (#31162) * Permissions: Fix team and role permissions on folders/dashboards not displayed for non Grafana Admin users (#31132) (#31176) * Prometheus: Multiply exemplars timestamp to follow api change (#31143) (#31170) - Added add-gotest-module.patch to fix 'inconsistent vendoring' build failure - Update to version 7.4.1: * 'Release: Updated versions in package to 7.4.1' (#31128) * Transforms: Fixes Outer join issue with duplicate field names not getting the same unique field names as before (#31121) (#31127) * MuxWriter: Handle error for already closed file (#31119) (#31120) * Logging: sourcemap transform asset urls from CDN in logged stacktraces (#31115) (#31117) * Exemplars: Change CTA style (#30880) (#31105) * test: add support for timeout to be passed in for addDatasource (#30736) (#31090) * Influx: Make max series limit configurable and show the limiting message if applied (#31025) (#31100) * Elasticsearch: fix log row context erroring out (#31088) (#31094) * test: update addDashboard flow for v7.4.0 changes (#31059) (#31084) * Usage stats: Adds source/distributor setting (#31039) (#31076) * DashboardLinks: Fixes crash when link has no title (#31008) (#31050) * Make value mappings correctly interpret numeric-like strings (#30893) (#30912) * Elasticsearch: Fix alias field value not being shown in query editor (#30992) (#31037) * BarGauge: Improvements to value sizing and table inner width calculations (#30990) (#31032) * convert path to posix by default (#31045) (#31053) * Alerting: Fixes so notification channels are properly deleted (#31040) (#31046) * Drone: Fix deployment image (#31027) (#31029) * Graph: Fixes so graph is shown for non numeric time values (#30972) (#31014) * instrumentation: make the first database histogram bucket smaller (#30995) (#31001) * Build: Releases e2e and e2e-selectors too (#31006) (#31007) * TextPanel: Fixes so panel title is updated when variables change (#30884) (#31005) * StatPanel: Fixes issue formatting date values using unit option (#30979) (#30991) * Units: Fixes formatting of duration units (#30982) (#30986) * Elasticsearch: Show Size setting for raw_data metric (#30980) (#30983) * Logging: sourcemap support for frontend stacktraces (#30590) (#30976) * e2e: extends selector factory to plugins (#30932) (#30934) * Variables: Adds queryparam formatting option (#30858) (#30924) * Exemplars: change api to reflect latest changes (#30910) (#30915) * 'Release: Updated versions in package to 7.4.0' (#30898) * DataSourceSettings: Adds info box and link to Grafana Cloud (#30891) (#30896) * GrafanaUI: Add a way to persistently close InfoBox (#30716) (#30895) * [7.4.x] AlertingNG: List saved Alert definitions in Alert Rule list (30890)(30603) * Alerting: Fixes alert panel header icon not showing (#30840) (#30885) * Plugins: Requests validator (#30445) (#30877) * PanelLibrary: Adds library panel meta information to dashboard json (#30770) (#30883) * bump grabpl version to 0.5.36 (#30874) (#30878) * Chore: remove __debug_bin (#30725) (#30857) * Grafana-ui: fixes closing modals with escape key (#30745) (#30873) * DashboardLinks: Support variable expression in to tooltip - Issue #30409 (#30569) (#30852) * Add alt text to plugin logos (#30710) (#30872) * InfluxDB: Add http configuration when selecting InfluxDB v2 flavor (#30827) (#30870) * Prometheus: Set type of labels to string (#30831) (#30835) * AlertingNG: change API permissions (#30781) (#30814) * Grafana-ui: fixes no data message in Table component (#30821) (#30855) * Prometheus: Add tooltip to explain possibility to use patterns in text and title fields in annotations (#30825) (#30843) * Chore: add more docs annotations (#30847) (#30851) * BarChart: inside-align strokes, upgrade uPlot to 1.6.4. (#30806) (#30846) * Transforms: allow boolean in field calculations (#30802) (#30845) * CDN: Fixes cdn path when Grafana is under sub path (#30822) (#30823) * bump cypress to 6.3.0 (#30644) (#30819) * Expressions: Measure total transformation requests and elapsed time (#30514) (#30789) * Grafana-UI: Add story/docs for ErrorBoundary (#30304) (#30811) * [v7.4.x]: Menu: Mark menu components as internal (#30801) * Graph: Fixes auto decimals issue in legend and tooltip (#30628) (#30635) * GraphNG: Disable Plot logging by default (#30390) (#30500) * Storybook: Migrate card story to use controls (#30535) (#30549) * GraphNG: add bar alignment option (#30499) (#30790) * Variables: Clears drop down state when leaving dashboard (#30810) (#30812) * Add missing callback dependency (#30797) (#30809) * GraphNG: improve behavior when switching between solid/dash/dots (#30796) (#30799) * Add width for Variable Editors (#30791) (#30795) * Panels: Fixes so panels are refreshed when scrolling past them fast (#30784) (#30792) * PanelEdit: Trigger refresh when changing data source (#30744) (#30767) * AlertingNG: Enable UI to Save Alert Definitions (#30394) (#30548) * CDN: Fix passing correct prefix to GetContentDeliveryURL (#30777) (#30779) * CDN: Adds support for serving assets over a CDN (#30691) (#30776) * Explore: Update styling of buttons (#30493) (#30508) * Loki: Append refId to logs uid (#30418) (#30537) * skip symlinks to directories when generating plugin manifest (#30721) (#30738) * Mobile: Fixes issue scrolling on mobile in chrome (#30746) (#30750) * BarChart: add alpha bar chart panel (#30323) (#30754) * Datasource: Use json-iterator configuration compatible with standard library (#30732) (#30739) * Variables: Fixes so text format will show All instead of custom all (#30730) (#30731) * AlertingNG: pause/unpause definitions via the API (#30627) (#30672) * PanelLibrary: better handling of deleted panels (#30709) (#30726) * Transform: improve the 'outer join' performance/behavior (#30407) (#30722) * DashboardPicker: switch to promise-based debounce, return dashboard UID (#30706) (#30714) * Use connected GraphNG in Explore (#30707) (#30708) * PanelLibrary: changes casing of responses and adds meta property (#30668) (#30711) * DeployImage: Switch base images to Debian (#30684) (#30699) * Trace: trace to logs design update (#30637) (#30702) * Influx: Show all datapoints for dynamically windowed flux query (#30688) (#30703) * ci(npm-publish): add missing github package token to env vars (#30665) (#30673) * Loki: Improve live tailing errors and fix Explore's logs container type errors (#30517) (#30681) * Grafana-UI: Fix setting default value for MultiSelect (#30671) (#30687) * Explore: Fix jumpy live tailing (#30650) (#30677) * Docs: Refer to product docs in whats new for alerting templating feature (#30652) (#30670) * Variables: Fixes display value when using capture groups in regex (#30636) (#30661) * Docs: Fix expressions enabled description (#30589) (#30651) * Licensing Docs: Adding license restrictions docs (#30216) (#30648) * DashboardSettings: fixes vertical scrolling (#30640) (#30643) * chore: bump redux toolkit to 1.5.0 for immer 8.0.1 vulnerability fix (#30605) (#30631) * Explore: Fix loading visualisation on the top of the new time series panel (#30553) (#30557) * Footer: Fixes layout issue in footer (#30443) (#30494) * Variables: Fixes so queries work for numbers values too (#30602) (#30624) * Admin: Fixes so form values are filled in from backend (#30544) (#30623) * Docs: Update 7.4 What's New to use more correct description of alerting notification template feature (#30502) (#30614) * NodeGraph: Add docs (#30504) (#30613) * Cloud Monitoring: Fix legend naming with display name override (#30440) (#30503) * Expressions: Add option to disable feature (#30541) (#30558) * OldGraph: Fix height issue in Firefox (#30565) (#30582) * XY Chart: fix editor error with empty frame (no fields) (#30573) (#30577) * XY Chart: share legend config with timeseries (#30559) (#30566) * DataFrame: cache frame/field index in field state (#30529) (#30560) * Prometheus: Fix show query instead of Value if no __name__ and metric (#30511) (#30556) * Decimals: Big Improvements to auto decimals and fixes to auto decimals bug found in 7.4-beta1 (#30519) (#30550) * chore: update packages dependent on dot-prop to fix security vulnerability (#30432) (#30487) * GraphNG: uPlot 1.6.3 (fix bands not filling below 0). close #30523. (#30527) (#30528) * GraphNG: uPlot 1.6.2 (#30521) (#30522) * Chore: Upgrade grabpl version (#30486) (#30513) * grafana/ui: Fix internal import from grafana/data (#30439) (#30507) * prevent field config from being overwritten (#30437) (#30442) * Chore: upgrade NPM security vulnerabilities (#30397) (#30495) * TimeSeriesPanel: Fixed default value for gradientMode (#30484) (#30492) * Admin: Fixes so whole org drop down is visible when adding users to org (#30481) (#30497) * Chore: adds wait to e2e test (#30488) (#30490) * Graph: Fixes so only users with correct permissions can add annotations (#30419) (#30466) * Alerting: Hides threshold handle for percentual thresholds (#30431) (#30467) * Timeseries: only migrage point size when configured (#30461) (#30470) * Expressions: Fix button icon (#30444) (#30450) * PanelModel: Make sure the angular options are passed to react panel type changed handler (#30441) (#30451) * Docs: Fix img link for alert notification template (#30436) (#30447) * Chore: Upgrade build pipeline tool (#30456) (#30457) * PanelOptions: Refactoring applying panel and field options out of PanelModel and add property clean up for properties not in field config registry (#30389) (#30438) * 'Release: Updated versions in package to 7.4.0-beta.1' (#30427) * Chore: Update what's new URL (#30423) * GraphNG: assume uPlot's series stroke is always a function (#30416) * PanelLibrary: adding library panels to Dashboard Api (#30278) * Prettier: Fixes to files that came in after main upgrade (#30410) * Cloud Monitoring: Add curated dashboards for the most popular GCP services (#29930) * Mssql integrated security (#30369) * Prettier: Upgrade to 2 (#30387) * GraphNG: sort ascending if the values appear reversed (#30405) * Docs: Grafana whats new 7.4 (#30404) * Dashboards: Adds cheat sheet toggle to supported query editors (#28857) * Docs: Update timeseries-dimensions.md (#30403) * Alerting: Evaluate data templating in alert rule name and message (#29908) * Docs: Add links to 7.3 patch release notes (#30292) * Docs: Update _index.md (#29546) * Docs: Update jaeger.md (#30401) * Expressions: Remove feature toggle (#30316) * Docs: Update tempo.md (#30399) * Docs: Update zipkin.md (#30400) * services/provisioning: Various cleanup (#30396) * DashboardSchemas: OpenAPI Schema Generation (#30242) * AlertingNG: Enforce unique alert definition title (non empty)/UID per organisation (#30380) * Licensing: Document new v7.4 options and APIs (#30217) * Auth: add expired token error and update CreateToken function (#30203) * NodeGraph: Add node graph visualization (#29706) * Add jwtTokenAuth to plugin metadata schema (#30346) * Plugins: Force POSIX style path separators for manifest generation (#30287) * Add enterprise reporting fonts to gitignore (#30385) * Field overrides: skipping overrides for properties no longer existing in plugin (#30197) * NgAlerting: View query result (#30218) * Grafana-UI: Make Card story public (#30388) * Dashboard: migrate version history list (#29970) * Search: use Card component (#29892) * PanelEvents: Isolate more for old angular query editors (#30379) * Loki: Remove showing of unique labels with the empty string value (#30363) * Chore: Lint all files for no-only-tests (#30364) * Clears errors after running new query (#30367) * Prometheus: Change exemplars endpoint (#30378) * Explore: Fix a bug where Typeahead crashes when a large amount of ite… (#29637) * Circular vector: improve generics (#30375) * Update signing docs (#30296) * Email: change the year in templates (#30294) * grafana/ui: export TLS auth component (#30320) * Query Editor: avoid word wrap (#30373) * Transforms: add sort by transformer (#30370) * AlertingNG: Save alert instances (#30223) * GraphNG: Color series from by value scheme & change to fillGradient to gradientMode (#29893) * Chore: Remove not used PanelOptionsGrid component (#30358) * Zipkin: Remove browser access mode (#30360) * Jaeger: Remove browser access mode (#30349) * chore: bump lodash to 4.17.20 (#30359) * ToolbarButton: New emotion based component to replace all navbar, DashNavButton and scss styles (#30333) * Badge: Increase contrast, remove rocket icon for plugin beta/alpha state (#30357) * Licensing: Send map of environment variables to plugins (#30347) * Dashboards: Exit to dashboard when deleting panel from panel view / edit view (#29032) * Cloud Monitoring: MQL support (#26551) * ReleaseNotes: Updated changelog and release notes for 7.4.0-beta1 (#30348) * Panel options UI: Allow collapsible categories (#30301) * Grafana-ui: Fix context menu item always using onClick instead of href (#30350) * Badge: Design improvement & reduce contrast (#30328) * make sure stats are added horizontally and not vertically (#30106) * Chore(deps): Bump google.golang.org/grpc from 1.33.1 to 1.35.0 (#30342) * Chore(deps): Bump github.com/stretchr/testify from 1.6.1 to 1.7.0 (#30341) * Chore(deps): Bump github.com/google/uuid from 1.1.2 to 1.1.5 (#30340) * Chore(deps): Bump github.com/hashicorp/go-version from 1.2.0 to 1.2.1 (#30339) * Fix HTML character entity error (#30334) * GraphNG: fix fillBelowTo regression (#30330) * GraphNG: implement softMin/softMax for auto-scaling stabilization. close #979. (#30326) * Legend: Fixes right y-axis legend from being pushed outside the bounds of the panel (#30327) * Grafana-toolkit: Update component generator templates (#30306) * Panels: remove beta flag from stat and bargauge panels (#30324) * GraphNG: support fill below to (bands) (#30268) * grafana-cli: Fix security issue (#28888) * AlertingNG: Modify queries and transform endpoint to get datasource UIDs (#30297) * Chore: Fix missing property from ExploreGraph (#30315) * Prometheus: Add support for Exemplars (#28057) * Grafana-UI: Enhances for TimeRangePicker and TimeRangeInput (#30102) * ReleaseNotes: Updated changelog and release notes for 7.4.0 (#30312) * Table: Fixes BarGauge cell display mode font size so that it is fixed to the default cell font size (#30303) * AngularGraph: Fixes issues with legend wrapping after legend refactoring (#30283) * Plugins: Add Open Distro to the list of data sources supported by sigv4 (#30308) * Chore: Moves common and response into separate packages (#30298) * GraphNG: remove y-axis position control from series color picker in the legend (#30302) * Table: migrate old-table config to new table config (#30142) * Elasticsearch: Support extended stats and percentiles in terms order by (#28910) * Docs: Update release notes index * GraphNG: stats in legend (#30251) * Grafana UI: EmptySearchResult docs (#30281) * Plugins: Use the includes.path (if exists) on sidebar includes links (#30291) * Fix spinner and broken buttons (#30286) * Graph: Consider reverse sorted data points on isOutsideRange check (#30289) * Update getting-started.md (#30257) * Backend: use sdk version (v0.81.0) without transform (gel) code (#29236) * Chore: update latest versions to 7.3.7 (#30282) * Loki: Fix hiding of series in table if labels have number values (#30185) * Loki: Lower min step to 1ms (#30135) * Prometheus: Improve autocomplete performance and remove disabling of dynamic label lookup (#30199) * Icons: Adds custom icon support ands new panel and interpolation icons (#30277) * ReleaseNotes: Updated changelog and release notes for 7.3.7 (#30280) * Grafana-ui: Allow context menu items to be open in new tab (#30141) * Cloud Monitoring: Convert datasource to use Dataframes (#29830) * GraphNG: added support to change series color from legend. (#30256) * AzureMonitor: rename labels for query type dropdown (#30143) * Decimals: Improving auto decimals logic for high numbers and scaled units (#30262) * Elasticsearch: Use minimum interval for alerts (#30049) * TimeSeriesPanel: The new graph panel now supports y-axis value mapping #30272 * CODEOWNERS: Make backend squad owners of backend style guidelines (#30266) * Auth: Add missing request headers to SigV4 middleware allowlist (#30115) * Grafana-UI: Add story/docs for FilterPill (#30252) * Grafana-UI: Add story/docs for Counter (#30253) * Backend style guide: Document JSON guidelines (#30267) * GraphNG: uPlot 1.6, hide 'Show points' in Points mode, enable 'dot' lineStyle (#30263) * Docs: Update prometheus.md (#30240) * Docs: Cloudwatch filter should be JSON format (#30243) * API: Add by UID routes for data sources (#29884) * Docs: Update datasource_permissions.md (#30255) * Cloudwatch: Move deep link creation to the backend (#30206) * Metrics API: Use jsoniter for JSON encoding (#30250) * Add option in database config to skip migrations for faster startup. (#30146) * Set signed in users email correctly (#30249) * Drone: Upgrade build pipeline tool (#30247) * runRequest: Fixes issue with request time range and time range returned to panels are off causing data points to be cut off (outside) (#30227) * Elasticsearch: fix handling of null values in query_builder (#30234) * Docs: help users connect to Prometheus using SigV4 (#30232) * Update documentation-markdown-guide.md (#30207) * Update documentation-markdown-guide.md (#30235) * Better logging of plugin scanning errors (#30231) * Print Node.js and Toolkit versions (#30230) * Chore: bump rollup across all packages (#29486) * Backend style guide: Document database patterns (#30219) * Chore: Bump plugin-ci-alpine Docker image version (#30225) * Legends: Refactoring and rewrites of legend components to simplify components & reuse (#30165) * Use Node.js 14.x in plugin CI (#30209) * Field overrides: extracting the field config factory into its own reusable module. (#30214) * LibraryPanels: adds connections (#30212) * PanelOptionsGroups: Only restore styles from PanelOptionsGroup (#30215) * Variables: Add deprecation warning for value group tags (#30160) * GraphNG: Hide grid for right-y axis if left x-axis exists (#30195) * Middleware: Add CSP support (#29740) * Updated image links to have newer format. (#30208) * Docs: Update usage-insights.md (#30150) * Share panel dashboard add images (#30201) * Update documentation-style-guide.md (#30202) * Docs: Fix links to transforms (#30194) * docs(badge): migrate story to use controls (#30180) * Chore(deps): Bump github.com/prometheus/common from 0.14.0 to 0.15.0 (#30188) * Fix alert definition routine stop (#30117) * Chore(deps): Bump gopkg.in/square/go-jose.v2 from 2.4.1 to 2.5.1 (#30189) * InlineSwitch: Minor story fix (#30186) * Chore(deps): Bump github.com/gosimple/slug from 1.4.2 to 1.9.0 (#30178) * Chore(deps): Bump github.com/fatih/color from 1.9.0 to 1.10.0 (#30183) * Chore(deps): Bump github.com/lib/pq from 1.3.0 to 1.9.0 (#30181) * Chore(deps): Bump github.com/hashicorp/go-plugin from 1.2.2 to 1.4.0 (#30175) * Chore(deps): Bump github.com/getsentry/sentry-go from 0.7.0 to 0.9.0 (#30171) * Gauge: Fixes issue with all null values cause min & max to be null (#30156) * Links: Add underline on hover for links in NewsPanel (#30166) * GraphNG: Update to test dashboards (#30153) * CleanUp: Removed old panel options group component (#30157) * AngularQueryEditors: Fixes to Graphite query editor and other who refer to other queries (#30154) * Chore(deps): Bump github.com/robfig/cron/v3 from 3.0.0 to 3.0.1 (#30172) * Chore(deps): Bump github.com/urfave/cli/v2 from 2.1.1 to 2.3.0 (#30173) * Chore: Fix spelling issue (#30168) * Revise README.md. (#30145) * Chore(deps): Bump github.com/mattn/go-sqlite3 from 1.11.0 to 1.14.6 (#30174) * InlineSwitch: Added missing InlineSwitch component and fixed two places that used unaligned inline switch (#30162) * GraphNG: add new alpha XY Chart (#30096) * Elastic: Support request cancellation properly (Uses new backendSrv.fetch Observable request API) (#30009) * OpenTSDB: Support request cancellation properly (#29992) * InfluxDB: Update Flux external link (#30158) * Allow dependabot to keep go packages up-to-date (#30170) * PluginState: Update comment * GraphNG: Minor polish & updates to new time series panel and move it from alpha to beta (#30163) * Share panel dashboard (#30147) * GraphNG: rename 'graph3' to 'timeseries' panel (#30123) * Add info about access mode (#30137) * Prometheus: Remove running of duplicated metrics query (#30108) * Prometheus: Fix autocomplete does not work on incomplete input (#29854) * GraphNG: remove graph2 panel (keep the parts needed for explore) (#30124) * Docs: Add metadata to activating licensing page (#30140) * MixedDataSource: Added missing variable support flag (#30110) * AngularPanels: Fixes issue with some panels not rendering when going into edit mode due to no height (#30113) * AngularPanels: Fixes issue with discrete panel that used the initialized event (#30133) * Explore: Make getFieldLinksForExplore more reusable (#30134) * Elasticsearch: Add Support for Serial Differencing Pipeline Aggregation (#28618) * Angular: Fixes issue with angular directive caused by angular upgrade in master (#30114) * Analytics: add data source type in data-request events (#30087) * GraphNG: 'Interpolation: Step after' test (#30127) * GraphNG: check cross-axis presence when auto-padding. close #30121. (#30126) * Alerting: improve alerting default datasource search when extracting alerts (#29993) * Loki: Timeseries should not produce 0-values for missing data (#30116) * GraphNG: support dashes (#30070) * GraphNG: fix spanGaps optimization in alignDataFrames(). see #30101. (#30118) * Alerting NG: update API to expect UIDs instead of IDs (#29896) * GraphNG: Overhaul of main test dashboard and update to null & gaps dashboard (#30101) * Chore: Fix intermittent time-related test failure in explore datasource instance update (#30109) * QueryEditorRow: Ability to change query name (#29779) * Frontend: Failed to load application files message improvement IE11 (#30011) * Drone: Upgrade build pipeline tool (#30104) * Fix phrasing. (#30075) * Chore: Add CloudWatch HTTP API tests (#29691) * Elastic: Fixes so templating queries work (#30003) * Chore: Rewrite elasticsearch client test to standard library (#30093) * Chore: Rewrite tsdb influxdb test to standard library (#30091) * Fix default maximum lifetime an authenticated user can be logged in (#30030) * Instrumentation: re-enable database wrapper feature to expose counter and histogram for database queries (#29662) * Docs: Update labels to fields transform (#30086) * GraphNG: adding possibility to toggle tooltip, graph and legend for series (#29575) * Chore: Rewrite tsdb cloudmonitoring test to standard library (#30090) * Chore: Rewrite tsdb azuremonitor time grain test to standard library (#30089) * Chore: Rewrite tsdb graphite test to standard library (#30088) * Chore: Upgrade Docker build image wrt. Go/golangci-lint/Node (#30077) * Usage Stats: Calculate concurrent users as a histogram (#30006) * Elasticsearch: Fix broken alerting when using pipeline aggregations (#29903) * Drone: Fix race conditions between Enterprise and Enterprise2 (#30076) * Chore: Rewrite models datasource cache test to standard library (#30040) * Plugins: prevent app plugin from rendering with wrong location (#30017) * Update NOTICE.md * Chore: Tiny typo fix `rage` -> `range` (#30067) * Docs: loki.md: Add example of Loki data source config (#29976) * ReleaseNotes: Updated changelog and release notes for 7.3.6 (#30066) * Docs: Update usage-insights.md (#30065) * Docs: Update white-labeling.md (#30064) * Chore(deps): Bump axios from 0.19.2 to 0.21.1 (#30059) * Chore: Rewrite models tags test to standard library (#30041) * Bump actions/setup-node from v1 to v2.1.4 (#29891) * Build(deps): Bump ini from 1.3.5 to 1.3.7 (#29787) * fall back to any architecture when getting plugin's checksum #30034 (#30035) * Lerna: Update to 3.22.1 (#30057) * SeriesToRows: Fixes issue in transform so that value field is always named Value (#30054) * [dashboard api] manage error when data in dashboard table is not valid json (#29999) * use sha256 checksum instead of md5 (#30018) * Chore: Rewrite brute force login protection test to standard library (#29986) * Chore: Rewrite login auth test to standard library (#29985) * Chore: Rewrite models dashboards test to standard library (#30023) * Chore: Rewrite models dashboard acl test to standard library (#30022) * Chore: Rewrite models alert test to standard library (#30021) * Chore: Rewrite ldap login test to standard library (#29998) * Chore: Rewrite grafana login test to standard library (#29997) * Fix two ini-file typos regarding LDAP (#29843) * Chore: Changes source map devtool to inline-source-map (#30004) * Chore: Sync Enterprise go.sum (#30005) * Chore: Add Enterprise dependencies (#29994) * SQLStore: customise the limit of retrieved datasources per organisation (#29358) * Chore: update crewjam/saml library to the latest master (#29991) * Graph: Fixes so users can not add annotations in readonly dash (#29990) * Currency: add Vietnamese dong (VND) (#29983) * Drone: Update pipelines for Enterprise (#29939) * Remove the bus from teamgroupsync (#29810) * Influx: Make variable query editor input uncontrolled (#29968) * PanelLibrary: Add PATCH to the API (#29956) * PanelEvents: Isolating angular panel events into it's own event bus + more event refactoring (#29904) * Bump node-notifier from 8.0.0 to 8.0.1 (#29952) * LDAP: Update use_ssl documentation (#29964) * Docs: Missing 's' on 'logs' (#29966) * Docs: Update opentsdb.md (#29963) * Docs: Minor typo correction (#29962) * librarypanels: Fix JSON field casing in tests (#29954) * TemplateSrv: Do not throw error for an unknown format but use glob as fallback and warn in the console (#29955) * PanelLibrary: Adds uid and renames title to name (#29944) * Docs: Fix raw format variable docs (#29945) * RedirectResponse: Implement all of api.Response (#29946) * PanelLibrary: Adds get and getAll to the api (#29772) * Chore: Remove duplicate interpolateString test (#29941) * Chore: Rewrite influxdb query parser test to standard library (#29940) * Folders: Removes the possibility to delete the General folder (#29902) * Chore: Convert tsdb request test to standard library (#29936) * Chore: Convert tsdb interval test to standard library (#29935) * Docs: Update configuration.md (#29912) * Docs: Update organization_roles.md (#29911) * Docs: Update _index.md (#29918) * GraphNG: bring back tooltip (#29910) * Ng Alerting: Remove scroll and fix SplitPane limiters (#29906) * Dashboard: Migrating dashboard settings to react (#27561) * Minor correction to explanation on correct MS SQL usage. (#29889) * AlertingNG: Create a scheduler to evaluate alert definitions (#29305) * Add changelog items for 7.3.6, 7.2.3 and 6.7.5 (#29901) * bump stable to 7.3.6 (#29899) * Upgrade go deps. (#29900) * Expressions: Replace query input fields with select. (#29816) * PanelEdit: Update UI if panel plugin changes field config (#29898) * Elasticsearch: Remove timeSrv dependency (#29770) * PanelEdit: Need new data after plugin change (#29874) * Chore(toolkit): disable react/prop-types for eslint config (#29888) * Field Config API: Add ability to hide field option or disable it from the overrides (#29879) * SharedQuery: Fixes shared query editor now showing queries (#29849) * GraphNG: support fill gradient (#29765) * Backend style guide: Add more guidelines (#29871) * Keep query keys consistent (#29855) * Alerting: Copy frame field labels to time series tags (#29886) * Update configure-docker.md (#29883) * Usage Stats: Introduce an interface for usage stats service (#29882) * DataFrame: add a writable flag to fields (#29869) * InlineForms: Changes to make inline forms more flexible for query editors (#29782) * Usage Stats: Allow to add additional metrics to the stats (#29774) * Fix the broken link of XORM documentation (#29865) * Move colors demo under theme colors (#29873) * Dashboard: Increase folder name size in search dashboard (#29821) * MSSQL: Config UI touches (#29834) * QueryOptions: Open QueryEditors: run queries after changing group options #29864 * GraphNG: uPlot 1.5.2, dynamic stroke/fill, Flot-style hover points (#29866) * Variables: Fixes so numerical sortorder works for options with null values (#29846) * GraphNG: only initialize path builders once (#29863) * GraphNG: Do not set fillColor from GraphNG only opacity (#29851) * add an example cloudwatch resource_arns() query that uses multiple tags (ref: #29499) (#29838) * Backend: Remove more globals (#29644) * MS SQL: Fix MS SQL add data source UI issues (#29832) * Display palette and colors for dark and light themes in storybook (#29848) * Docs: Fix broken link in logs-panel (#29833) * Docs: Add info about typing of connected props to Redux style guide (#29842) * Loki: Remove unnecessary deduplication (#29421) * Varibles: Fixes so clicking on Selected will not include All (#29844) * Explore/Logs: Correctly display newlines in detected fields (#29541) * Link suppliers: getLinks API update (#29757) * Select: Changes default menu placement for Select from auto to bottom (#29837) * Chore: Automatically infer types for dashgrid connected components (#29818) * Chore: Remove unused Loki and Cloudwatch syntax providers (#29686) * Pass row (#29839) * GraphNG: Context menu (#29745) * GraphNG: Enable scale distribution configuration (#29684) * Explore: Improve Explore performance but removing unnecessary re-renders (#29752) * DashboardDS: Fixes display of long queries (#29808) * Sparkline: Fixes issue with sparkline that sent in custom fillColor instead of fillOpacity (#29825) * Chore: Disable default golangci-lint filter (#29751) * Update style guide with correct usage of MS SQL (#29829) * QueryEditor: do not auto refresh on every update (#29762) * Chore: remove unused datasource status enum (#29827) * Expressions: support ${my var} syntax (#29819) * Docs: Update types-options.md (#29777) * Chore: Enable more go-ruleguard rules (#29781) * GraphNG: Load uPlot path builders lazily (#29813) * Elasticsearch: ensure query model has timeField configured in datasource settings (#29807) * Chore: Use Header.Set method instead of Header.Add (#29804) * Allow dependabot to check actions (#28159) * Grafana-UI: Support optgroup for MultiSelect (#29805) * Sliders: Update behavior and style tweak (#29795) * Grafana-ui: Fix collapsible children sizing (#29776) * Style guide: Document avoidance of globals in Go code (#29803) * Chore: Rewrite opentsdb test to standard library (#29792) * CloudWatch: Add support for AWS DirectConnect ConnectionErrorCount metric (#29583) * GraphNG: uPlot 1.5.1 (#29789) * GraphNG: update uPlot v1.5.0 (#29763) * Added httpMethod to webhook (#29780) * @grafana-runtime: Throw error if health check fails in DataSourceWithBackend (#29743) * Explore: Fix remounting of query row (#29771) * Expressions: Add placeholders to hint on input (#29773) * Alerting: Next gen Alerting page (#28397) * GraphNG: Add test dashboard for null & and gaps rendering (#29769) * Expressions: Field names from refId (#29755) * Plugins: Add support for signature manifest V2 (#29240) * Chore: Configure go-ruleguard via golangci-lint (#28419) * Move middleware context handler logic to service (#29605) * AlertListPanel: Add options to sort by Time(asc) and Time(desc) (#29764) * PanelLibrary: Adds delete Api (#29741) * Tracing: Release trace to logs feature (#29443) * ReleaseNotes: Updated changelog and release notes for 7.3.5 (#29753) * DataSourceSettings: Add servername field to DataSource TLS config (#29279) * Chore: update stable and testing versions (#29748) * ReleaseNotes: Updated changelog and release notes for 7.3.5 (#29744) * Elasticsearch: View in context feature for logs (#28764) * Chore: Disable gosec on certain line (#29382) * Logging: log frontend errors caught by ErrorBoundary, including component stack (#29345) * ChangePassword: improved keyboard navigation (#29567) * GrafanaDataSource: Fix selecting -- Grafana -- data source, broken after recent changes (#29737) * Docs: added version note for rename by regex transformation. (#29735) * @grafana/ui: Fix UI issues for cascader button dropdown and query input (#29727) * Docs: Update configuration.md (#29728) * Docs: Remove survey (#29549) * Logging: rate limit fronted logging endpoint (#29272) * API: add Status() to RedirectResponse (#29722) * Elasticsearch: Deprecate browser access mode (#29649) * Elasticsearch: Fix query initialization action (#29652) * PanelLibrary: Adds api and db to create Library/Shared/Reusable Panel (#29642) * Transformer: Rename metrics based on regex (#29281) * Variables: Fixes upgrade of legacy Prometheus queries (#29704) * Auth: Add SigV4 header allowlist to reduce chances of verification issues (#29650) * DataFrame: add path and description metadata (#29695) * Alerting: Use correct time series name override from frame fields (#29693) * GraphNG: fix bars migration and support color and linewidth (#29697) * PanelHeader: Fix panel header description inline code wrapping (#29628) * Bugfix 29848: Remove annotation_tag entries as part of annotations cleanup (#29534) * GraphNG: simple settings migration from flot panel (#29599) * GraphNG: replace bizcharts with uPlot for sparklines (#29632) * GitHubActions: Update node version in github action (#29683) * Adds go dep used by an Enterprise feature. (#29645) * Typescript: Raise strict error limit for enterprise (#29688) * Remove unnecessary escaping (#29677) * Update getting-started-prometheus.md (#29678) * instrumentation: align label name with our other projects (#29514) * Typescript: Fixing typescript strict error, and separate check from publishing (#29679) * CloudWatch: namespace in search expression should be quoted if match exact is enabled #29109 (#29563) * Docs: Plugin schema updates (#28232) * RadioButton: Fix flex issue in master for radio buttons (#29664) * Update getting-started.md (#29670) * Expr: fix time unit typo in ds queries (#29668) * Expr: make reduction nan/null more consistent (#29665) * Expr: fix func argument panic (#29663) * Update documentation-style-guide.md (#29661) * Update documentation-markdown-guide.md (#29659) * Docs: Changed image format (#29658) * Expr: fix failure to execute due to OrgID (#29653) * GraphNG: rename 'points' to 'showPoints' (#29635) * Expressions: Restore showing expression query editor even if main data source is not mixed (#29656) * GraphNG: time range should match the panel timeRange (#29596) * Support svg embedded favicons in whitelabeling (#29436) * Add changelog to docs style guide (#29581) * Loki: Retry web socket connection when connection is closed abnormally (#29438) * GraphNG: Fix annotations and exemplars plugins (#29613) * Chore: Rewrite tsdb sql engine test to standard library (#29590) * GraphNG: fix and optimize spanNulls (#29633) * Build(deps): Bump highlight.js from 10.4.0 to 10.4.1 (#29625) * Cloudwatch: session cache should use UTC consistently (#29627) * GraphNG: rename GraphMode to DrawStyle (#29623) * GraphNG: add spanNulls config option (#29512) * Docs: add docs for concatenate transformer (#28667) * Stat/Gauge: expose explicit font sizing (#29476) * GraphNG: add gaps/nulls support to staircase & smooth interpolation modes (#29593) * grafana/ui: Migrate Field knobs to controls (#29433) * Prometheus: Fix link to Prometheus graph in dashboard (#29543) * Build: Publish next and latest npm channels to Github (#29615) * Update broken aliases (#29603) * API: add ID to snapshot API responses (#29600) * Elasticsearch: Migrate queryeditor to React (#28033) * QueryGroup & DataSourceSrv & DataSourcePicker changes simplify usage, error handling and reduce duplication, support for uid (#29542) * Elastic: Fixes config UI issues (#29608) * GraphNG: Fix issues with plugins not retrieving plot instance (#29585) * middleware: Make scenario test functions take a testing.T argument (#29564) * Grafana/ui: Storybook controls understand component types (#29574) * Login: Fixes typo in tooltip (#29604) * Panel: making sure we support all versions of chrome when detecting position of click event. (#29544) * Chore: Rewrite sqlstore migration test to use standard library (#29589) * Chore: Rewrite tsdb prometheus test to standard library (#29592) * Security: Add gosec G304 auditing annotations (#29578) * Chore: Rewrite tsdb testdatasource scenarios test to standard library (#29591) * Docs: Add missing key to enable SigV4 for provisioning Elasticsearch data source (#29584) * Add Microsoft.Network/natGateways (#29479) * Update documentation-style-guide.md (#29586) * @grafana/ui: Add bell-slash to available icons (#29579) * Alert: Fix forwardRef warning (#29577) * Update documentation-style-guide.md (#29580) * Chore: Upgrade typescript to 4.1 (#29493) * PanelLibrary: Adds library_panel table (#29565) * Make build docker full fix (#29570) * Build: move canary packages to github (#29411) * Devenv: Add default db for influxdb (#29371) * Chore: Check errors from Close calls (#29562) * GraphNG: support auto and explicit axis width (#29553) * Chore: upgrading y18n to 4.0.1 for security reasons (#29523) * Middleware: Rewrite tests to use standard library (#29535) * Overrides: show category on the overrides (#29556) * GraphNG: Bars, Staircase, Smooth modes (#29359) * Docs: Fix docs sync actions (#29551) * Chore: Update dev guide node version for Mac (#29548) * Docs: Update formatting-multi-value-variables.md (#29547) * Arrow: toArray() on nullable values should include null values (#29520) * Docs: Update syntax.md (#29545) * NodeJS: Update to LTS (14) (#29467) * Docs: Update repeat-panels-or-rows.md (#29540) * 3 minor changes, including updating the title TOC (#29501) * Auth proxy: Return standard error type (#29502) * Data: use pre-defined output array length in vectorToArray() (#29516) * Dashboards: hide playlist edit functionality from viewers and snapshots link from unauthenticated users (#28992) * docker: use yarn to build (#29538) * QueryEditors: Refactoring & rewriting out dependency on PanelModel (#29419) * Chore: skip flaky tests (#29537) * Graph NG: Invalidate uPlot config on timezone changes (#29531) * IntelliSense: Fix autocomplete and highlighting for Loki, Prometheus, Cloudwatch (#29381) * Variables: Fixes Textbox current value persistence (#29481) * OptionsEditor: simplify the options editor interfaces (#29518) * Icon: Changed the icon for signing in (#29530) * fixes bug with invalid handler name for metrics (#29529) * Middleware: Simplifications (#29491) * GraphNG: simplify effects responsible for plot updates/initialization (#29496) * Alarting: fix alarm messages in dingding (Fixes #29470) (#29482) * PanelEdit: making sure the correct datasource query editor is being rendered. (#29500) * AzureMonitor: Unit MilliSeconds naming (#29399) * Devenv: update mysql_tests and postgres_tests blocks for allowing dynamically change of underlying docker image (#29525) * Chore: Enable remaining eslint-plugin-react rules (#29519) * Docs/Transformations: Add documentation about Binary operations in Add field from calculation (#29511) * Datasources: fixed long error message overflowing container (#29440) * docker: fix Dockerfile after Gruntfile.js removed (#29515) * Chore: Adds Panel Library featuretoggle (#29521) * Docs: Update filter-variables-with-regex.md (#29508) * Docs: InfluxDB_V2 datasource: adding an example on how to add InfluxQL as a datasource (#29490) * Loki: Add query type and line limit to query editor in dashboard (#29356) * Docs: Added Security Group support to Azure Auth (#29418) * DataLinks: Removes getDataSourceSettingsByUid from applyFieldOverrides (#29447) * Bug: trace viewer doesn't show more than 300 spans (#29377) * Live: publish all dashboard changes to a single channel (#29474) * Chore: Enable eslint-plugin-react partial rules (#29428) * Alerting: Update alertDef.ts with more time options (#29498) * DataSourceSrv: Look up data source by uid and name transparently (#29449) * Instrumentation: Add examplars for request histograms (#29357) * Variables: Fixes Constant variable persistence confusion (#29407) * Docs: Fix broken link for plugins (#29346) * Prometheus: don't override displayName property (#29441) * Grunt: Removes grunt dependency and replaces some of its usage (#29461) * Transformation: added support for excluding/including rows based on their values. (#26884) * Chore: Enable exhaustive linter (#29458) * Field overrides: added matcher to match all fields within frame/query. (#28872) * Log: Use os.Open to open file for reading (#29483) * MinMax: keep global min/main in field state (#29406) * ReactGridLayout: Update dependency to 1.2 (#29455) * Jest: Upgrade to latest (#29450) * Chore: bump grafana-ui rollup dependencies (#29315) * GraphNG: use uPlot's native ms support (#29445) * Alerting: Add support for Sensu Go notification channel (#28012) * adds tracing for all bus calls that passes ctx (#29434) * prometheus: Improve IsAPIError's documentation (#29432) * ReleaseNotes: Updated changelog and release notes for 7.3.4 (#29430) * Elasticsearch: Fix index pattern not working with multiple base sections (#28348) * Plugins: Add support for includes' icon (#29416) * Docs: fixing frontend docs issue where enums ending up in wrong folder level. (#29429) * Variables: Fixes issue with upgrading legacy queries (#29375) * Queries: Extract queries from dashboard (#29349) * Docs: docker -> Docker (#29331) * PanelEvents: Refactors and removes unnecessary events, fixes panel editor update issue when panel options change (#29414) * Fix: Correct panel edit uistate migration (#29413) * Alerting: Improve Prometheus Alert Rule error message (#29390) * Fix: Migrate Panel edit uiState percentage strings to number (#29412) * remove insecure cipher suit as default option (#29378) * * prometheus fix variables fetching when customQueryParameters used #28907 (#28949) * Chore: Removes observableTester (#29369) * Chore: Adds e2e tests for Variables (#29341) * Fix gosec finding of unhandled errors (#29398) * Getting started with Grafana and MS SQL (#29401) * Arrow: cast timestams to Number (#29402) * Docs: Add Cloud content links (#29317) * PanelEditor: allow access to the eventBus from panel options (#29327) * GraphNG: support x != time in library (#29353) * removes unused golint file (#29391) * prefer server cipher suites (#29379) * Panels/DashList: Fix order of recent dashboards (#29366) * Core: Move SplitPane layout from PanelEdit. (#29266) * Drone: Upgrade build pipeline tool (#29365) * Update yarn.lock to use latest rc-util (#29313) * Variables: Adds description field (#29332) * Chore: Update latest.json (#29351) * Drone: Upload artifacts for release branch builds (#29297) * Docs: fixing link issues in auto generated frontend docs. (#29326) * Drone: Execute artifact publishing for both editions in parallel during release (#29362) * Devenv: adding default credentials for influxdb (#29344) * Drone: Check CUE dashboard schemas (#29334) * Backend: fix IPv6 address parsing erroneous (#28585) * dashboard-schemas cue 3.0.0 compatible (#29352) * Update documentation-style-guide.md (#29354) * Docs: Update requirements.md (#29350) * ReleaseNotes: Updated changelog and release notes for 7.3.4 (#29347) * ReleaseNotes: Updated changelog and release notes for 7.3.4 (#29338) * Drone: Publish NPM packages after Storybook to avoid race condition (#29340) * Add an option to hide certain users in the UI (#28942) * Guardian: Rewrite tests from goconvey (#29292) * Docs: Fix editor role and alert notification channel description (#29301) * Docs: Improve custom Docker image instructions (#29263) * Security: Fixes minor security issue with alert notification webhooks that allowed GET & DELETE requests #29330 * Chore: Bump storybook to v6 (#28926) * ReleaseNotes: Updates release notes link in package.json (master) (#29329) * Docs: Accurately reflecting available variables (#29302) * Heatmap: Fixes issue introduced by new eventbus (#29322) * Dashboard Schemas (#28793) * devenv: Add docker load test which authenticates with API key (#28905) * Login: Fixes redirect url encoding issues of # %23 being unencoded after login (#29299) * InfluxDB: update flux library and support boolean label values (#29310) * Explore/Logs: Update Parsed fields to Detected fields (#28881) * GraphNG: Init refactorings and fixes (#29275) * fixing a broken relref link (#29312) * Drone: Upgrade build pipeline tool (#29308) * decreasing frontend docs threshold. (#29304) * Docker: update docker root group docs and docker image (#29222) * WebhookNotifier: Convert tests away from goconvey (#29291) * Annotations: fixing so when changing annotations query links submenu will be updated. (#28990) * [graph-ng] add temporal DataFrame alignment/outerJoin & move null-asZero pass inside (#29250) * Dashboard: Fixes kiosk state after being redirected to login page and back (#29273) * make it possible to hide change password link in profile menu (#29246) * Theme: Add missing color type (#29265) * Chore: Allow reducerTester to work with every data type & payload-less actions (#29241) * Explore/Prometheus: Update default query type option to 'Both' (#28935) * Loki/Explore: Add query type selector (#28817) * Variables: New Variables are stored immediately (#29178) * reduce severity level to warning (#28939) * Units: Changes FLOP/s to FLOPS and some other rates per second units get /s suffix (#28825) * Docs: Remove duplicate 'Transformations overview' topics from the TOC (#29247) * Docs: Fixed broken relrefs and chanfed TOC entry name from Alerting to Alerts. (#29251) * Docs: Remove duplicate Panel overview topic. (#29248) * Increase search limit on team add user and improve placeholder (#29258) * Fix warnings for conflicting style rules (#29249) * Make backwards compatible (#29212) * Minor cosmetic markdown tweaks in docs/cloudwatch.md (#29238) * Getting Started: Updated index topic, removed 'what-is-grafana', and adjusted weight o… (#29216) * BarGauge: Fix story for BarGauge, caused knobs to show for other stories (#29232) * Update glossary to add hyperlinks to Explore and Transformation entries (#29217) * Chore: Enable errorlint linter (#29227) * TimeRegions: Fixed issue with time regions and tresholds due to angular js upgrade (#29229) * CloudWatch: Support request cancellation properly (#28865) * CloudMonitoring: Support request cancellation properly (#28847) * Chore: Handle wrapped errors (#29223) * Expressions: Move GEL into core as expressions (#29072) * Chore: remove compress:release grunt task (#29225) * Refactor/Explore: Inline datasource actions into initialisation (#28953) * Fix README typo (#29219) * Grafana UI: Card API refactor (#29034) * Plugins: Changed alertlist alert url to view instead of edit (#29060) * React: Upgrading react to v17, wip (#29057) * Gauge: Tweaks short value auto-sizing (#29197) * BackendSrv: support binary responseType like $http did (#29004) * GraphNG: update the options config (#28917) * Backend: Fix build (#29206) * Permissions: Validate against Team/User permission role update (#29101) * ESlint: React fixes part 1 (#29062) * Tests: Adds expects for observables (#28929) * Variables: Adds new Api that allows proper QueryEditors for Query variables (#28217) * Introduce eslint-plugin-react (#29053) * Automation: Adds GitHub release action (#29194) * Refactor declarative series configuration to a config builder (#29106) * ReleaseNotes: Updated changelog and release notes for 7.3.3 (#29189) * Panels: fix positioning of the header title (#29167) * trace user login and datasource name instead of id (#29183) * playlist: Improve test (#29120) * Drone: Fix publish-packages invocation (#29179) * Table: Fix incorrect condtition for rendering table filter (#29165) * Chore: Upgrade grafana/build-ci-deploy image to latest Go (#29171) * DashboardLinks: will only refresh dashboard search when changing tags for link. (#29040) * ReleaseNotes: Updated changelog and release notes for 7.3.3 (#29169) * CloudWatch: added HTTP API Gateway specific metrics and dimensions (#28780) * Release: Adding release notes for 7.3.3 (#29168) * SQL: Define primary key for tables without it (#22255) * changed link format from MD to HTML (#29163) * Backend: Rename variables for style conformance (#29097) * Docs: Fixes what'new menu and creates index page, adds first draft of release notes to docs (#29158) * Drone: Upgrade build pipeline tool and build image (#29161) * ReleaseNotes: Updated changelog and release notes for 7.4.0 (#29160) * ReleaseNotes: Updated changelog and release notes for 7.3.3 (#29159) * Chore: Upgrade Go etc in build images (#29157) * Chore: Remove unused Go code (#28852) * API: Rewrite tests from goconvey (#29091) * Chore: Fix linting issues caught by ruleguard (#28799) * Fix panic when using complex dynamic URLs in app plugin routes (#27977) * Snapshots: Fixes so that dashboard snapshots show data when using Stat, Gauge, BarGauge or Table panels (#29031) * Fix authomation text: remove hyphen (#29149) * respect fronted-logging.enabled flag (#29107) * build paths in an os independent way (#29143) * Provisioning: always pin app to the sidebar when enabled (#29084) * Automation: Adds new changelog actions (#29142) * Chore: Rewrite preferences test from GoConvey to stdlib and testify (#29129) * Chore: Upgrade Go dev tools (#29124) * Automation: Adding version bump action * DataFrames: add utility function to check if structure has changed (#29006) * Drone: Fix Drone config verification for enterprise on Windows (#29118) * Chore: Require OrgId to be specified in delete playlist command (#29117) * Plugin proxy: Handle URL parsing errors (#29093) * Drone: Verify Drone config at beginning of pipelines (#29071) * Legend/GraphNG: Refactoring legend types and options (#29067) * Doc: Update documentation-style-guide.md (#29082) * Chore: Bumps types for jest (#29098) * LogsPanel: Fix scrolling in dashboards (#28974) * sort alphabetically unique labels, labels and parsed fields (#29030) * Data source proxy: Convert 401 from data source to 400 (#28962) * Plugins: Implement testDatasource for Jaeger (#28916) * Update react-testing-library (#29061) * Graph: Fixes stacking issues like floating bars when data is not aligned (#29051) * StatPanel: Fixes hanging issue when all values are zero (#29077) * Auth: Enable more complete credential chain for SigV4 default SDK auth option (#29065) * Chore: Convert API tests to standard Go lib (#29009) * Update README.md (#29075) * Update CODEOWNERS (#28906) * Enhance automation text for missing information (#29052) * GraphNG: Adding ticks test dashboard and improves tick spacing (#29044) * Chore: Migrate Dashboard List panel to React (#28607) * Test Datasource/Bug: Fixes division by zero in csv metric values scenario (#29029) * Plugins: Bring back coreplugin package (#29064) * Add 'EventBusName' dimension to CloudWatch 'AWS/Events' namespace (#28402) * CloudWatch: Add support for AWS/ClientVPN metrics and dimensions (#29055) * AlertingNG: manage and evaluate alert definitions via the API (#28377) * Fix linting issues (#28811) * Logging: Log frontend errors (#28073) * Fix for multi-value template variable for project selector (#29042) * Chore: Rewrite test helpers from GoConvey to stdlib (#28919) * GraphNG: Fixed axis measurements (#29036) * Fix links to logql docs (#29037) * latest 7.3.2 (#29041) * Elasticsearch: Add Moving Function Pipeline Aggregation (#28131) * changelog 7.3.2 (#29038) * MutableDataFrame: Remove unique field name constraint and values field index and unused/seldom used stuff (#27573) * Fix prometheus docs related to query variable (#29027) * Explore: support ANSI colors in live logs (#28895) * Docs: Add documentation about log levels (#28975) * Dashboard: remove usage of Legacyforms (#28707) * Docs: Troubleshoot starting docker containers on Mac (#28754) * Elasticsearch: interpolate variables in Filters Bucket Aggregation (#28969) * Chore: Bump build pipeline version (#29023) * Annotations: Fixes error when trying to create annotation when dashboard is unsaved (#29013) * TraceViewer: Make sure it does not break when no trace is passed (#28909) * Thresholds: Fixes color assigned to null values (#29010) * Backend: Remove unused code (#28933) * Fix documentation (#28998) * Tracing: Add setting for sampling server (#29011) * Logs Panel: Fix inconsistent higlighting (#28971) * MySQL: Update README.md (#29003) * IntervalVariable: Fix variable tooltip (#28988) * StatPanels: Fixes auto min max when latest value is zero (#28982) * Chore: Fix SQL related Go variable naming (#28887) * MSSQL: Support request cancellation properly (Uses new backendSrv.fetch Observable request API) (#28809) * Variables: Fixes loading with a custom all value in url (#28958) * Backend: Adds route for well-known change password URL (#28788) * docs: fix repeated dashboards link (#29002) * LogsPanel: Don't show scroll bars when not needed (#28972) * Drone: Fix docs building (#28986) * StatPanel: Fixed center of values in edge case scenarios (#28968) * Update getting-started-prometheus.md (#28502) * Docs: fix relref (#28977) * Docs: Minor docs update * Docs: Another workflow docs update * Docs: Workflow minor edit * Docs: Another minor edit * Docs: Update PR workflow docs * Docs: Update bot docs * StatPanels: set default to last (#28617) * Tracing: log traceID in request logger (#28952) * start tracking usage stats for tempo (#28948) * Docs: Update bot docs * GrafanaBot: Update labels and commands and adds docs (#28950) * Docs: updates for file-based menu (#28500) * Grot: Added command/label to close feature requests with standard message (#28937) * GraphNG: Restore focus option (#28946) * Docs: Fix links (#28945) * Short URL: Cleanup unvisited/stale short URLs (#28867) * GraphNG: Using new VizLayout, moving Legend into GraphNG and some other refactorings (#28913) * CloudWatch Logs: Change what we use to measure progress (#28912) * Chore: use jest without grunt (#28558) * Chore: Split Explore redux code into multiple sections (#28819) * TestData: Fix issue with numeric inputs in TestData query editor (#28936) * setting: Fix tests on Mac (#28886) * Plugins signing: Fix docs urls (#28930) * Field color: handling color changes when switching panel types (#28875) * Variables: make sure that we support both old and new syntax for custom variables. (#28896) * CodeEditor: added support for javascript language (#28818) * Update CHANGELOG.md (#28928) * Plugins: allow override when allowing unsigned plugins (#28901) * Chore: Fix spelling issue (#28904) * Grafana-UI: LoadingPlaceholder docs (#28874) * Gauge: making sure threshold panel json is correct before render (#28898) * Chore: Rewrite test in GoConvey to stdlib and testify (#28918) * Update documentation-style-guide.md (#28908) * Adding terms to glossary (#28884) * Devenv: Fix Prometheus basic auth proxy (#28889) * API: replace SendLoginLogCommand with LoginHook (#28777) * Dashboards / Folders: delete related data (permissions, stars, tags, versions, annotations) when deleting a dashboard or a folder (#28826) * Loki: Correct grammar in DerivedFields.tsx (#28885) * Docs: Update list of Enterprise plugins (#28882) * Live: update centrifuge and the ChannelHandler api (#28843) * Update share-panel.md (#28880) * CRLF (#28822) * PanelHeader: show streaming indicator (and allow unsubscribe) (#28682) * Docs: Plugin signing docs (#28671) * Chore: Fix issues reported by staticcheck; enable stylecheck linter (#28866) * Elasticsearch: Filter pipeline aggregations from order by options (#28620) * Variables: added __user.email to global variable (#28853) * Fix titles case and add missing punctuation marks (#28713) * VizLayout: Simple viz layout component for legend placement and scaling (#28820) * Chore: Fix staticcheck issues (#28860) * Chore: Fix staticcheck issues (#28854) * Disable selecting enterprise plugins with no license (#28758) * Tempo: fix test data source (#28836) * Prometheus: fix missing labels from value (#28842) * Chore: Fix issues found by staticcheck (#28802) * Chore: Remove dead code (#28664) * Units: added support to handle negative fractional numbers. (#28849) * Variables: Adds variables inspection (#25214) * Marked: Upgrade and always sanitize by default (#28796) * Currency: add Philippine peso currency (PHP) (#28823) * Alert: Remove z-index on Alert component so that it does not overlay ontop of other content (#28834) * increase blob column size for encrypted dashboard data (#28831) * Gauge: Improve font size auto sizing (#28797) * grafana/toolkit: allow builds with lint warnings (#28810) * core and grafana/toolkit: Use latest version of grafana-eslint-conifg (#28816) * Icon: Replace font awesome icons where possible (#28757) * Remove homelinks panel (#28808) * StatPanels: Add new calculation option for percentage difference (#26369) * Dashboard: Add Datetime local (No date if today) option in panel axes' units (#28011) * Variables: Adds named capture groups to variable regex (#28625) * Panel inspect: Interpolate variables in panel inspect title (#28779) * grafana/toolkit: Drop console and debugger statements by default when building plugin with toolkit (#28776) * Variables: Fixes URL values for dependent variables (#28798) * Graph: Fixes event emit function error (#28795) * Adds storybook integrity check to drone config (#28785) * Live: improve broadcast semantics and avoid double posting (#28765) * Events: Remove unused or unnecessary events (#28783) * Docs: added code comments to frontend packages. (#28784) * Plugin Dockerfiles: Upgrade Go, golangci-lint, gcloud SDK (#28767) * Dependencies: Update angularjs to 1.8.2 (#28736) * EventBus: Introduces new event bus with emitter backward compatible interface (#27564) * ColorSchemes: Add new color scheme (#28719) * Docs: Add NGINX example for using websockets to Loki (#27998) * Docs: Made usage of config/configuration consistent #19270 (#28167) * Cloudwatch: Fix issue with field calculation transform not working properly with Cloudwatch data (#28761) * grafana/toolkit: Extract CHANGELOG when building plugin (#28773) * Drone: Upgrade build pipeline tool (#28769) * devenv: Upgrade MSSQL Docker image (#28749) * Docs: Add docs for InfoBox component (#28705) * Reoeragnization. (#28760) * gtime: Add ParseDuration function (#28525) * Explore: Remove redundant decodeURI and fix urls (#28697) * Dashboard: fix view panel mode for Safari / iOS (#28702) * Provisioning: Fixed problem with getting started panel being added to custom home dashboard (#28750) * LoginPage: Removed auto-capitalization from the login form (#28716) * Plugin page: Fix dom validation warning (#28737) * Migration: Remove LegacyForms from dashboard folder permissions (#28564) * Dependencies: Remove unused dependency (#28711) * AlertRuleList: Add keys to alert rule items (#28735) * Chore: Pin nginx base image in nginx proxy Dockerfiles (#28730) * Drone: Upgrade build-pipeline tool (#28728) * TableFilters: Fixes filtering with field overrides (#28690) * Templating: Speeds up certain variable queries for Postgres, MySql and MSSql (#28686) * Fix typo in unsigned plugin warning (#28709) * Chore: Convert sqlstore annotation test from GoConvey to testify (#28715) * updates from https://github.com/grafana/grafana/pull/28679 (#28708) * Chore: Add some scenario tests for Explore (#28534) * Update latest version to 7.3.1 (#28701) * Changelog update - 7.3.1 (#28699) * Drone: Don't build on Windows for PRs (#28663) * Build: changing docs docker image to prevent setting up frontend devenv. (#28670) * Prometheus: Fix copy paste behaving as cut and paste (#28622) * Loki: Fix error when some queries return zero results (#28645) * Chore: allow higher nodejs version than 12 (#28624) * TextPanel: Fixes problems where text panel would show old content (#28643) * PanelMenu: Fixes panel submenu not being accessible for panels close to the right edge of the screen (#28666) * Cloudwatch: Fix duplicate metric data (#28642) * Add info about CSV download for Excel in What's new article (#28661) * Docs: Describe pipeline aggregation changes in v7.3 (#28660) * Plugins: Fix descendent frontend plugin signature validation (#28638) * Docker: use root group in the custom Dockerfile (#28639) * Bump rxjs to 6.6.3 (#28657) * StatPanel: Fixed value being under graph and reduced likley hood for white and dark value text mixing (#28641) * Table: Fix image cell mode so that it works with value mappings (#28644) * Build: support custom build tags (#28609) * Plugin signing: Fix copy on signed plugin notice (#28633) * Dashboard: Fix navigation from one SoloPanelPage to another one (#28578) * CloudWatch: Improve method name, performance optimization (#28632) * Developer guide: Update wrt. Windows (#28559) * Docs: Update graph panel for tabs (#28552) * update latest.json (#28603) * Docs: data source insights (#28542) * Field config API: add slider editor (#28007) * changelog: update for 7.3.0 (#28602) * Update uPlot to 1.2.2 and align timestamps config with new uPLot API (#28569) * Live: updated the reference to use lazy loaded Monaco in code editor. (#28597) * Dashboard: Allow add panel for viewers_can_edit (#28570) * Docs: Data source provisioning and sigV4 (#28593) * Docs: Additional 7.3 upgrade notes (#28592) * CI: Add GCC to Windows Docker image (#28562) * CloudWatch Logs queue and websocket support (#28176) * Explore/Loki: Update docs and cheatsheet (#28541) * Grafana-UI: Add Card component (#28216) * AddDatasource: Improve plugin categories (#28584) * StatPanel: Fixes BizChart error max: yyy should not be less than min zzz (#28587) * docs: a few tweaks for clarity and readability (#28579) * API: Reducing some api docs errors (#28575) * Grafana-UI: ContextMenu docs (#28508) * Short URL: Update last seen at when visiting a short URL (#28565) * Fix backend build on Windows (#28557) * add value prop (#28561) * Plugin signing: UI information (#28469) * Use fetch API in InfluxDB data source (#28555) * PanelEdit: Prevent the preview pane to be resized further than window height (#28370) * Docs: Update generic-oauth.md (#28517) * GCS image uploader: Add tests (#28521) * Move metrics collector queries to config (#28549) * Plugins: Fix plugin URL paths on Windows (#28548) * API: add login username in SendLoginLogCommand (#28544) * AzureMonitor: Support decimal (as float64) type in analytics/logs (#28480) * Auth: Fix SigV4 request verification step for Amazon Elasticsearch Service (#28481) * Grafana/ui: auto focus threshold editor input (#28360) * Docs: SigV4 What's New and AWS Elasticsearch documentation (#28506) * Drone: Upgrade build pipeline tool (#28533) * Drone: Refactor version branch pipeline logic (#28531) * Drone: Upgrade build-pipeline tool (#28520) * Docs: Update field color scheme docs and 7.3 what's new (#28496) * Templating: Custom variable edit UI, change text input into textarea (#28312) (#28322) * Currency: Adds Indonesian IDR currency (#28363) * Chore: Fix flaky sqlstore annotation test (#28527) * Checkbox: Fix component sample typo (#28518) * Image uploader: Fix uploading of images to GCS (#26493) * OAuth: Support Forward OAuth Identity for backend data source plugins (#27055) * Updated documentation style guide (#28488) * Cloud Monitoring: Fix help section for aliases (#28499) * Docs: what's new in enterprise 7.3 (#28472) * Plugins: Track plugin signing errors and expose them to the frontend (#28219) * Elasticsearch: Fix handling of errors when testing data source (#28498) * Auth: Should redirect to login when anonymous enabled and URL with different org than anonymous specified (#28158) * Drone: Don't build Windows installer for version branches (#28494) * Docs: Grafana Enterprise auditing feature (#28356) * Drone: Add version branch pipeline (#28490) * Getting Started section rehaul (#28090) * Docs: Add survey content (#28446) * Docs: Update prometheus.md (#28483) * Docs: Add view settings and view stats (#28155) * Remove entry from 7.3.0-beta2 Changelog (#28478) * Circle: Remove release pipeline (#28474) * Update latest.json (#28476) * Switch default version to Graphite 1.1 (#28471) * Plugin page: update readme icon (#28465) * Chore: Update changelog (#28473) * Explore: parse time range fix (#28467) * Alerting: Log alert warnings for obsolete notifiers when extracting alerts and remove spammy error (#28162) * Shorten url: Unification across Explore and Dashboards (#28434) * Explore: Support wide data frames (#28393) * Docs: updated cmd to build docs locally to generate docs prior to building site. (#28371) * Live: support real time measurements (alpha) (#28022) * CloudWatch/Athena - valid metrics and dimensions. (#28436) * Chore: Use net.JoinHostPort (#28421) * Chore: Upgrade grafana-eslint to latest (#28444) * Fix cut off icon (#28442) * Docs: Add shared (#28411) * Loki: Visually distinguish error logs for LogQL2 (#28359) * Database; Remove database metric feature flag and update changelog (#28438) * TestData: multiple arrow requests should return multiple frames (#28417) * Docs: Test survey code (#28437) * Docs: improved github action that syncs docs to website (#28277) * update latest.json with latest stable version (#28433) * 7.2.2 changelog update (#28406) * plugins: Don't exit on duplicate plugin (#28390) * API: Query database from /api/health endpoint (#28349) * Chore: Fix conversion of a 64-bit integer to a lower bit size type uint (#28425) * Prometheus: fix parsing of infinite sample values (#28287) (#28288) * Chore: Rewrite some tests to use testify (#28420) * Plugins: do not remount app plugin on nav change (#28105) * App Plugins: Add backend support (#28272) * Chore: react hooks eslint fixes in grafana-ui (#28026) * ci-e2e: Add Git (#28410) * TestData: Remove useEffect that triggeres query on component load (#28321) * FieldColor: Remove inverted color scheme (#28408) * Chore: Set timezone for tests to non utc. (#28405) * Chore: fix jsdoc desc and return (#28383) * Docs: Fixing v51 link (#28396) * fixes windows crlf warning (#28346) * Grafana/ui: pass html attributes to segment (#28316) * Alerting: Return proper status code when trying to create alert notification channel with duplicate name or uid (#28043) * OAuth: Able to skip auto login (#28357) * CloudWatch: Fix custom metrics (#28391) * Docs: Adds basic frontend data request concepts (#28253) * Instrumentation: Add histogram for request duration (#28364) * remove status label from histogram (#28387) * OAuth: configurable user name attribute (#28286) * Component/NewsPanel: Add rel='noopener' to NewsPanel links (#28379) * Webpack: Split out unicons and bizcharts (#28374) * Explore: Fix date formatting in url for trace logs link (#28381) * Docs: Add activate-license (#28156) * Instrumentation: Add counters and histograms for database queries (#28236) * Docs: Make tables formatting more consistent (#28164) * CloudWatch: Adding support for additional Amazon CloudFront metrics (#28378) * Add unique ids to query editor fields (#28376) * Plugins: Compose filesystem paths with filepath.Join (#28375) * Explore: Minor tweaks to exemplars marble (#28366) * Instrumentation: Adds environment_info metric (#28355) * AzureMonitor: Fix capitalization of NetApp 'volumes' namespace (#28369) * ColorSchemes: Adds more color schemes and text colors that depend on the background (#28305) * Automation: Update backport github action trigger (#28352) * Dashboard links: Places drop down list so it's always visible (#28330) * Docs: Add missing records from grafana-ui 7.2.1 CHANGELOG (#28302) * Templating: Replace all '$tag' in tag values query (#28343) * Docs: Add docs for valuepicker (#28327) * Git: Create .gitattributes for windows line endings (#28340) * Update auth-proxy.md (#28339) * area/grafana/toolkit: update e2e docker image (#28335) * AlertingNG: remove warn/crit from eval prototype (#28334) * Automation: Tweaks to more info message (#28332) * Loki: Run instant query only when doing metric query (#28325) * SAML: IdP-initiated SSO docs (#28280) * IssueTriage: Needs more info automation and messages (#28137) * GraphNG: Use AxisSide enum (#28320) * BackendSrv: Fixes queue countdown when unsubscribe is before response (#28323) * Automation: Add backport github action (#28318) * Build(deps): Bump http-proxy from 1.18.0 to 1.18.1 (#27507) * Bump handlebars from 4.4.3 to 4.7.6 (#27416) * Bump tree-kill from 1.2.1 to 1.2.2 (#27405) * Loki: Base maxDataPoints limits on query type (#28298) * Explore: respect min_refresh_interval (#27988) * Drone: Use ${DRONE_TAG} in release pipelines, since it should work (#28299) * Graph NG: fix toggling queries and extract Graph component from graph3 panel (#28290) * fix: for graph size not taking up full height or width * should only ignore the file in the grafana mixin root folder (#28306) * Drone: Fix grafana-mixin linting (#28308) * SQLStore: Run tests as integration tests (#28265) * Chore: Add cloud-middleware as code owners (#28310) * API: Fix short URLs (#28300) * CloudWatch: Add EC2CapacityReservations Namespace (#28309) * Jaeger: timeline collapser to show icons (#28284) * update latest.json with latest beta version (#28293) * Update changelog (#28292) * Docs : - Added period (#28260) * Add monitoring mixing for Grafana (#28285) * Chore: Update package.json (#28291) * Drone: Fix enterprise release pipeline (#28289) * Alerting: Append appSubUrl to back button on channel form (#28282) - Rework package Makefile & README now that Grunt is gone - Update to version 7.3.6: * fixes for saml vulnerability * [v7.3.x] Fix: Correct panel edit uistate migration (#29413) (#29711) * PanelEdit: Prevent the preview pane to be resized further than window height (#28370) (#29726) * Fix: Migrate Panel edit uiState percentage strings to number (#29412) (#29723) * 'Release: Updated versions in package to 7.3.5' (#29710) * Chore: upgrading y18n to 4.0.1 for security reasons (#29523) (#29709) * Panel: making sure we support all versions of chrome when detecting position of click event. (#29544) (#29708) * PanelEdit: making sure the correct datasource query editor is being rendered. (#29500) (#29707) * [v7.3.x] Auth: Add SigV4 header allowlist to reduce chances of verification issues (#29705) * Alerting: Use correct time series name override from frame fields (#29693) (#29698) * CloudWatch: namespace in search expression should be quoted if match exact is enabled #29109 (#29563) (#29687) * Adds go dep used by an Enterprise feature. (#29645) (#29690) * instrumentation: align label name with our other projects (#29514) (#29685) * Instrumentation: Add examplars for request histograms (#29357) (#29682) * Login: Fixes typo in tooltip (#29604) (#29606) * fixes bug with invalid handler name for metrics (#29529) (#29532) * AzureMonitor: Unit MilliSeconds naming (#29399) (#29526) * Alarting: fix alarm messages in dingding (Fixes #29470) (#29482) (#29527) * Bug: trace viewer doesn't show more than 300 spans (#29377) (#29504) * Prometheus: don't override displayName property (#29441) (#29488) * resolve conflicts (#29415) * Drone: Upgrade build pipeline tool (#29365) (#29368) * Drone: Upload artifacts for release branch builds (#29297) (#29364) * Drone: Execute artifact publishing for both editions in parallel during release (#29362) (#29363) * Drone: Publish NPM packages after Storybook to avoid race condition (#29340) (#29343) * Docs: Fix editor role and alert notification channel description (#29301) (#29337) * 'Release: Updated versions in package to 7.3.4' (#29336) * Security: Fixes minor security issue with alert notification webhooks that allowed GET & DELETE requests #29330 (#29335) * Backport of InfluxDB: update flux library and support boolean label values #29333 * ReleaseNotes: Update link in package.json (#29328) * Login: Fixes redirect url encoding issues of # %23 being unencoded after login (#29299) (#29323) * Drone: Upgrade build pipeline tool (#29308) (#29309) * Annotations: fixing so when changing annotations query links submenu will be updated. (#28990) (#29285) * Dashboard: Fixes kiosk state after being redirected to login page and back (#29273) (#29278) * Increase search limit on team add user and improve placeholder (#29258) (#29261) * Drone: Sync with master (#29205) * Drone: Fix publish-packages invocation (#29179) (#29184) * Chore: Upgrade grafana/build-ci-deploy image to latest Go (#29171) (#29180) * Table: Fix incorrect condtition for rendering table filter (#29165) (#29181) * DashboardLinks: will only refresh dashboard search when changing tags for link. (#29040) (#29177) * Drone: Upgrade build pipeline tool and build image (#29161) (#29162) * Release: Updated versions in package to 7.3.3 (#29126) * git cherry-pick -x 0f3bebb38daa488e108881ce17d4f68167a834e6 (#29155) * Build: support custom build tags (#28609) (#29128) * Revert 'Graph: Fixes stacking issues like floating bars when data is not aligned (#29051) (#29088)' (#29151) * Provisioning: always pin app to the sidebar when enabled (#29084) (#29146) * build paths in an os independent way (#29143) (#29147) * Chore: Upgrade Go dev tools (#29124) (#29132) * Automatin: set node version * Automation: Adding version bump action * Drone: Fix Drone config verification for enterprise on Windows (#29118) (#29119) * [v7.3.x] Drone: Verify Drone config at beginning of pipelines (#29111) * Test Datasource/Bug: Fixes division by zero in csv metric values scenario (#29029) (#29068) * [v7.3.x] StatPanel: Fixes hanging issue when all values are zero (#29087) * Data source proxy: Convert 401 from data source to 400 (#28962) (#29095) * Graph: Fixes stacking issues like floating bars when data is not aligned (#29051) (#29088) * Auth: Enable more complete credential chain for SigV4 default SDK auth option (#29065) (#29086) * Fix for multi-value template variable for project selector (#29042) (#29054) * Thresholds: Fixes color assigned to null values (#29010) (#29018) * [v7.3.x] Chore: Bump build pipeline version (#29025) * Release v7.3.2 (#29024) * Fix conflict (#29020) * StatPanels: Fixes auto min max when latest value is zero (#28982) (#29007) * Tracing: Add setting for sampling server (#29011) (#29015) * Gauge: making sure threshold panel json is correct before render (#28898) (#28984) * Variables: make sure that we support both old and new syntax for custom variables. (#28896) (#28985) * Explore: Remove redundant decodeURI and fix urls (#28697) (#28963) * [v7.3.x] Drone: Fix docs building (#28987) * Alerting: Append appSubUrl to back button on channel form (#28282) (#28983) * Plugins: allow override when allowing unsigned plugins (#28901) (#28927) * CloudWatch Logs: Change what we use to measure progress (#28912) (#28964) * Tracing: log traceID in request logger (#28952) (#28959) * Panel inspect: Interpolate variables in panel inspect title (#28779) (#28801) * UsageStats: start tracking usage stats for tempo (#28948) (#28951) * Short URL: Cleanup unvisited/stale short URLs (#28867) (#28944) * Plugins signing: Fix docs urls (#28930) (#28934) * Chore: Fix spelling issue (#28904) (#28925) * API: replace SendLoginLogCommand with LoginHook (#28777) (#28891) * Elasticsearch: Exclude pipeline aggregations from order by options (#28620) (#28873) * Dashboards / Folders: delete related data (permissions, stars, tags, versions, annotations) when deleting a dashboard or a folder (#28826) (#28890) * Disable selecting enterprise plugins with no license (#28758) (#28859) * Tempo: fix test data source (#28836) (#28856) * Prometheus: fix missing labels from value (#28842) (#28855) * Units: added support to handle negative fractional numbers. (#28849) (#28851) * increase blob column size for encrypted dashboard data (#28831) (#28832) * Gauge: Improve font size auto sizing (#28797) (#28828) * Variables: Fixes URL values for dependent variables (#28798) (#28800) * grafana/toolkit: Extract CHANGELOG when building plugin (#28773) (#28774) * Templating: Custom variable edit UI, change text input into textarea (#28312) (#28322) (#28704) * Cloudwatch: Fix issue with field calculation transform not working properly with Cloudwatch data (#28761) (#28775) * Plugin page: Fix dom validation warning (#28737) (#28741) * Dashboard: fix view panel mode for Safari / iOS (#28702) (#28755) * Fix typo in unsigned plugin warning (#28709) (#28722) * TableFilters: Fixes filtering with field overrides (#28690) (#28727) * Templating: Speeds up certain variable queries for Postgres, MySql and MSSql (#28686) (#28726) * Prometheus: Fix copy paste behaving as cut and paste (#28622) (#28691) rhnlib: - Require missing python-backports.ssl_match_hostname on SLE 11 (bsc#1183959) spacecmd: - Handle SIGPIPE without user-visible Exception (bsc#1181124) spacewalk-client-tools: - Fallback to sysfs when reading info from python-dmidecode fails (bsc#1182603) - Log an error when product detection failed (bsc#1182339) supportutils-plugin-salt: - Fix yaml.load() warnings and issues with Python versions (bsc#1178072) (bsc#1181474) - Fix errors when collecting data for salt-minion (bsc#1131670) zypp-plugin-spacewalk: - Support for 'allow vendor change' for patching/upgrading ----------------------------------------- Patch: SUSE-2021-1280 Released: Tue Apr 20 14:34:19 2021 Summary: Security update for ruby2.5 Severity: moderate References: 1184644,CVE-2021-28965 Description: This update for ruby2.5 fixes the following issues: - Update to 2.5.9 - CVE-2021-28965: XML round-trip vulnerability in REXML (bsc#1184644) ----------------------------------------- Patch: SUSE-2021-1282 Released: Tue Apr 20 14:47:17 2021 Summary: Security update for apache-commons-io Severity: moderate References: 1184755,CVE-2021-29425 Description: This update for apache-commons-io fixes the following issues: - CVE-2021-29425: Limited path traversal when invoking the method FileNameUtils.normalize with an improper input string (bsc#1184755) ----------------------------------------- Patch: SUSE-2021-1289 Released: Wed Apr 21 14:02:46 2021 Summary: Recommended update for gzip Severity: moderate References: 1177047 Description: This update for gzip fixes the following issues: - Fixed a potential segfault when zlib acceleration is enabled (bsc#1177047) ----------------------------------------- Patch: SUSE-2021-1291 Released: Wed Apr 21 14:04:06 2021 Summary: Recommended update for mpfr Severity: moderate References: 1141190 Description: This update for mpfr fixes the following issues: - Fixed an issue when building for ppc64le (bsc#1141190) Technical library fixes: - A subtraction of two numbers of the same sign or addition of two numbers of different signs can be rounded incorrectly (and the ternary value can be incorrect) when one of the two inputs is reused as the output (destination) and all these MPFR numbers have exactly GMP_NUMB_BITS bits of precision (typically, 32 bits on 32-bit machines, 64 bits on 64-bit machines). - The mpfr_fma and mpfr_fms functions can behave incorrectly in case of internal overflow or underflow. - The result of the mpfr_sqr function can be rounded incorrectly in a rare case near underflow when the destination has exactly GMP_NUMB_BITS bits of precision (typically, 32 bits on 32-bit machines, 64 bits on 64-bit machines) and the input has at most GMP_NUMB_BITS bits of precision. - The behavior and documentation of the mpfr_get_str function are inconsistent concerning the minimum precision (this is related to the change of the minimum precision from 2 to 1 in MPFR 4.0.0). The get_str patch fixes this issue in the following way: the value 1 can now be provided for n (4th argument of mpfr_get_str); if n = 0, then the number of significant digits in the output string can now be 1, as already implied by the documentation (but the code was increasing it to 2). - The mpfr_cmp_q function can behave incorrectly when the rational (mpq_t) number has a null denominator. - The mpfr_inp_str and mpfr_out_str functions might behave incorrectly when the stream is a null pointer: the stream is replaced by stdin and stdout, respectively. This behavior is useless, not documented (thus incorrect in case a null pointer would have a special meaning), and not consistent with other input/output functions. ----------------------------------------- Patch: SUSE-2021-1409 Released: Wed Apr 28 16:32:50 2021 Summary: Security update for giflib Severity: low References: 1184123 Description: This update for giflib fixes the following issues: - Enable Position Independent Code and inherit CFLAGS from the build system (bsc#1184123). ----------------------------------------- Patch: SUSE-2021-1549 Released: Mon May 10 13:48:00 2021 Summary: Recommended update for procps Severity: moderate References: 1185417 Description: This update for procps fixes the following issues: - Support up to 2048 CPU as well. (bsc#1185417) ----------------------------------------- Patch: SUSE-2021-1554 Released: Tue May 11 09:43:41 2021 Summary: Security update for java-11-openjdk Severity: important References: 1184606,1185055,1185056,CVE-2021-2161,CVE-2021-2163 Description: This update for java-11-openjdk fixes the following issues: - Update to upstream tag jdk-11.0.11+9 (April 2021 CPU) * CVE-2021-2163: Fixed incomplete enforcement of JAR signing disabled algorithms (bsc#1185055) * CVE-2021-2161: Fixed incorrect handling of partially quoted arguments in ProcessBuilder (bsc#1185056) - moved mozilla-nss dependency to java-11-openjdk-headless package, this is necessary to be able to do crypto with just java-11-openjdk-headless installed (bsc#1184606). ----------------------------------------- Patch: SUSE-2021-1583 Released: Wed May 12 13:40:35 2021 Summary: Recommended update for sensors Severity: moderate References: 1185183 Description: This update for sensors fixes the following issues: - Change PIDFile path from '/var/run' to '/run' as the it is deprecated. (bsc#1185183) ----------------------------------------- Patch: SUSE-2021-1643 Released: Wed May 19 13:51:48 2021 Summary: Recommended update for pam Severity: important References: 1181443,1184358,1185562 Description: This update for pam fixes the following issues: - Fixed a bug, where the 'unlimited'/'-1' value was not interpreted correctly (bsc#1181443) - Fixed a bug, where pam_access interpreted the keyword 'LOCAL' incorrectly, leading to an attempt to resolve it as a hostname (bsc#1184358) - In the 32-bit compatibility package for 64-bit architectures, require 'systemd-32bit' to be also installed as it contains pam_systemd.so for 32 bit applications. (bsc#1185562) ----------------------------------------- Patch: SUSE-2021-1840 Released: Wed Jun 2 16:29:28 2021 Summary: Security update for xstream Severity: important References: 1184372,1184373,1184374,1184375,1184376,1184377,1184378,1184379,1184380,1184796,1184797,CVE-2021-21341,CVE-2021-21342,CVE-2021-21343,CVE-2021-21344,CVE-2021-21345,CVE-2021-21346,CVE-2021-21347,CVE-2021-21348,CVE-2021-21349,CVE-2021-21350,CVE-2021-21351 Description: This update for xstream fixes the following issues: - Upgrade to 1.4.16 - CVE-2021-21351: remote attacker to load and execute arbitrary code (bsc#1184796) - CVE-2021-21349: SSRF can lead to a remote attacker to request data from internal resources (bsc#1184797) - CVE-2021-21350: arbitrary code execution (bsc#1184380) - CVE-2021-21348: remote attacker could cause denial of service by consuming maximum CPU time (bsc#1184374) - CVE-2021-21347: remote attacker to load and execute arbitrary code from a remote host (bsc#1184378) - CVE-2021-21344: remote attacker could load and execute arbitrary code from a remote host (bsc#1184375) - CVE-2021-21342: server-side forgery (bsc#1184379) - CVE-2021-21341: remote attacker could cause a denial of service by allocating 100% CPU time (bsc#1184377) - CVE-2021-21346: remote attacker could load and execute arbitrary code (bsc#1184373) - CVE-2021-21345: remote attacker with sufficient rights could execute commands (bsc#1184372) - CVE-2021-21343: replace or inject objects, that result in the deletion of files on the local host (bsc#1184376) ----------------------------------------- Patch: SUSE-2021-1859 Released: Fri Jun 4 09:02:38 2021 Summary: Security update for python-py Severity: moderate References: 1179805,1184505,CVE-2020-29651 Description: This update for python-py fixes the following issues: - CVE-2020-29651: Fixed regular expression denial of service in svnwc.py (bsc#1179805, bsc#1184505). ----------------------------------------- Patch: SUSE-2021-1861 Released: Fri Jun 4 09:59:40 2021 Summary: Recommended update for gcc10 Severity: moderate References: 1029961,1106014,1178577,1178624,1178675,1182016 Description: This update for gcc10 fixes the following issues: - Disable nvptx offloading for aarch64 again since it doesn't work - Fixed a build failure issue. (bsc#1182016) - Fix for memory miscompilation on 'aarch64'. (bsc#1178624, bsc#1178577) - Fix 32bit 'libgnat.so' link. (bsc#1178675) - prepare usrmerge: Install libgcc_s into %_libdir. ABI wise it stays /%lib. (bsc#1029961) - Build complete set of multilibs for arm-none target. (bsc#1106014) ----------------------------------------- Patch: SUSE-2021-1876 Released: Mon Jun 7 14:01:09 2021 Summary: Security update for snakeyaml Severity: important References: 1159488,1186088,CVE-2017-18640 Description: This update for snakeyaml fixes the following issues: - Upgrade to 1.28 - CVE-2017-18640: The Alias feature allows entity expansion during a load operation (bsc#1159488, bsc#1186088) ----------------------------------------- Patch: SUSE-2021-1926 Released: Thu Jun 10 08:38:14 2021 Summary: Recommended update for gcc Severity: moderate References: 1096677 Description: This update for gcc fixes the following issues: - Added gccgo symlink and go and gofmt as alternatives to support parallel installation of golang (bsc#1096677) ----------------------------------------- Patch: SUSE-2021-1935 Released: Thu Jun 10 10:45:09 2021 Summary: Recommended update for gzip Severity: moderate References: 1186642 Description: This update for gzip fixes the following issue: - gzip had a lower release number in 15 sp2 and sp3 than in 15 sp1, which could lead to migration issues. (bsc#1186642) ----------------------------------------- Patch: SUSE-2021-1941 Released: Thu Jun 10 10:49:52 2021 Summary: Recommended update for sysconfig Severity: moderate References: 1186642 Description: This update for sysconfig fixes the following issue: - sysconfig had a lower release number in 15 sp2 and sp3 than in 15 sp1, which could lead to migration issues. (bsc#1186642) ----------------------------------------- Patch: SUSE-2021-1950 Released: Thu Jun 10 14:42:00 2021 Summary: Recommended update for hwdata Severity: moderate References: 1170160,1182482,1185697 Description: This update for hwdata fixes the following issues: - Update to version 0.347: + Updated pci, usb and vendor ids. (bsc#1185697) - Update to version 0.346: + Updated pci, usb and vendor ids. (bsc#1182482, jsc#SLE-13791, bsc#1170160) ----------------------------------------- Patch: SUSE-2021-1995 Released: Thu Jun 17 15:11:40 2021 Summary: Security update for xstream Severity: important References: 1186651,CVE-2021-29505 Description: This update for xstream fixes the following issues: Upgrade to 1.4.17 - CVE-2021-29505: Fixed potential code execution when unmarshalling with XStream instances using an uninitialized security framework (bsc#1186651) ----------------------------------------- Patch: SUSE-2021-2000 Released: Thu Jun 17 16:50:00 2021 Summary: Recommended update for tomcat Severity: moderate References: 1186642 Description: This update for tomcat fixes the following issue: - tomcat had a lower release number in 15 sp2 and sp3 than in 15 sp1, which could lead to migration issues. (bsc#1186642) ----------------------------------------- Patch: SUSE-2021-2012 Released: Fri Jun 18 09:15:13 2021 Summary: Security update for python-urllib3 Severity: important References: 1187045,CVE-2021-33503 Description: This update for python-urllib3 fixes the following issues: - CVE-2021-33503: Fixed a denial of service when the URL contained many @ characters in the authority component (bsc#1187045) ----------------------------------------- Patch: SUSE-2021-2096 Released: Mon Jun 21 13:35:38 2021 Summary: Recommended update for python-six Severity: moderate References: 1186642 Description: This update for python-six fixes the following issue: - python-six had a lower release number in 15 sp2 and sp3 than in 15 sp1, which could lead to migration issues. (bsc#1186642) ----------------------------------------- Patch: SUSE-2021-2103 Released: Mon Jun 21 19:23:28 2021 Summary: Recommended update for SUSE Manager Client Tools Severity: moderate References: 1173557,1177884,1177928,1180583,1180584,1180585,1185178 Description: This update fixes the following issues: POS_Image-Graphical7: - Use absolute path in bootloader service - Update install-local-bootloader.service for recent saltboot - Use linuxefi only on x86 POS_Image-JeOS7: - Use absolute path in bootloader service - Update install-local-bootloader.service for recent saltboot - Use linuxefi only on x86 golang-github-prometheus-prometheus: - Add tarball with vendor modules and web assets - Read formula data from exporters map - Add support for TLS targets - Upgrade to upstream version 2.26.0 + Changes * Alerting: Using Alertmanager v2 API by default. * Prometheus/Promtool: Binaries are now printing help and usage to stdout instead of stderr. * UI: Make the React UI default. * Remote write: The following metrics were removed/renamed in remote write. > prometheus_remote_storage_succeeded_samples_total was removed and prometheus_remote_storage_samples_total was introduced for all the samples attempted to send. > prometheus_remote_storage_sent_bytes_total was removed and replaced with prometheus_remote_storage_samples_bytes_total and prometheus_remote_storage_metadata_bytes_total. > prometheus_remote_storage_failed_samples_total -> prometheus_remote_storage_samples_failed_total. > prometheus_remote_storage_retried_samples_total -> prometheus_remote_storage_samples_retried_total. > prometheus_remote_storage_dropped_samples_total -> prometheus_remote_storage_samples_dropped_total. > prometheus_remote_storage_pending_samples -> prometheus_remote_storage_samples_pending. * Remote: Do not collect non-initialized timestamp metrics. + Features * Remote: Add support for AWS SigV4 auth method for remote_write. * PromQL: Allow negative offsets. Behind --enable-feature=promql-negative-offset flag. * UI: Add advanced auto-completion, syntax highlighting and linting to graph page query input. * Include a new `--enable-feature=` flag that enables experimental features. * Add TLS and basic authentication to HTTP endpoints. * promtool: Add check web-config subcommand to check web config files. * promtool: Add tsdb create-blocks-from openmetrics subcommand to backfill metrics data from an OpenMetrics file. + Enhancements * PromQL: Add last_over_time, sgn, clamp functions. * Scrape: Add support for specifying type of Authorization header credentials with Bearer by default. * Scrape: Add follow_redirects option to scrape configuration. * Remote: Allow retries on HTTP 429 response code for remote_write. * Remote: Allow configuring custom headers for remote_read. * UI: Hitting Enter now triggers new query. * UI: Better handling of long rule and names on the /rules and /targets pages. * UI: Add collapse/expand all button on the /targets page. * Add optional name property to testgroup for better test failure output. * Add warnings into React Panel on the Graph page. * TSDB: Increase the number of buckets for the compaction duration metric. * Remote: Allow passing along custom remote_write HTTP headers. * Mixins: Scope grafana configuration. * Kubernetes SD: Add endpoint labels metadata. * UI: Expose total number of label pairs in head in TSDB stats page. * TSDB: Reload blocks every minute, to detect new blocks and enforce retention more often. * Cache basic authentication results to significantly improve performance of HTTP endpoints. * HTTP API: Fast-fail queries with only empty matchers. * HTTP API: Support matchers for labels API. * promtool: Improve checking of URLs passed on the command line. * SD: Expose IPv6 as a label in EC2 SD. * SD: Reuse EC2 client, reducing frequency of requesting credentials. * TSDB: Add logging when compaction takes more than the block time range. * TSDB: Avoid unnecessary GC runs after compaction. * Remote write: Added a metric prometheus_remote_storage_max_samples_per_send for remote write. * TSDB: Make the snapshot directory name always the same length. * TSDB: Create a checkpoint only once at the end of all head compactions. * TSDB: Avoid Series API from hitting the chunks. * TSDB: Cache label name and last value when adding series during compactions making compactions faster. * PromQL: Improved performance of Hash method making queries a bit faster. * promtool: tsdb list now prints block sizes. * promtool: Calculate mint and maxt per test avoiding unnecessary calculations. * SD: Add filtering of services to Docker Swarm SD. + Bug fixes * API: Fix global URL when external address has no port. * Deprecate unused flag --alertmanager.timeout. mgr-cfg: - SPEC: Updated Python definitions for RHEL8 and quoted text comparisons. mgr-custom-info: - Update package version to 4.2.0 mgr-daemon: - Update translation strings - Update the translations from weblate - Added quotes around %{_vendor} token for the if statements in spec file. - Fix removal of mgr-deamon with selinux enabled (bsc#1177928) - Updating translations from weblate mgr-osad: - Change the log file permissions as expected by logrotate (bsc#1177884) - Change deprecated path /var/run into /run for systemd (bsc#1185178) - Python fixes - Removal of RHEL5 mgr-push: - Defined __python for python2. - Excluded RHEL8 for Python 2 build. mgr-virtualization: - Update package version to 4.2.0 python-hwdata: - Modified to build on RHEL8. rhnlib: - Update package version to 4.2.0 spacecmd: - Rename system migration to system transfer - Rename SP to product migration - Update translation strings - Add group_addconfigchannel and group_removeconfigchannel - Add group_listconfigchannels and configchannel_listgroups - Fix spacecmd compat with Python 3 - Deprecated 'Software Crashes' feature - Document advanced package search on '--help' (bsc#1180583) - Fixed advanced search on 'package_listinstalledsystems' - Fixed duplicate results when using multiple search criteria (bsc#1180585) - Fixed 'non-advanced' package search when using multiple package names (bsc#1180584) - Update translations - Fix: make spacecmd build on Debian - Add Service Pack migration operations (bsc#1173557) spacewalk-client-tools: - Update the translations from weblate - Drop the --noSSLServerURL option - Updated RHEL Python requirements. - Added quotes around %{_vendor}. spacewalk-koan: - Fix for spacewalk-koan test spacewalk-oscap: - Update package version to 4.2.0 spacewalk-remote-utils: - Update package version to 4.2.0 supportutils-plugin-susemanager-client: - Update package version to 4.2.0 suseRegisterInfo: - Add support for Amazon Linux 2 - Add support for Alibaba Cloud Linux 2 - Adapted for RHEL build. uyuni-common-libs: - Cleaning up unused Python 2 build leftovers. - Disabled debug package build. ----------------------------------------- Patch: SUSE-2021-2106 Released: Mon Jun 21 19:26:19 2021 Summary: Security update for salt Severity: critical References: 1171257,1176293,1179831,1181368,1182281,1182293,1182382,1185092,1185281,1186674,CVE-2018-15750,CVE-2018-15751,CVE-2020-11651,CVE-2020-11652,CVE-2020-25592,CVE-2021-25315,CVE-2021-31607 Description: This update for salt fixes the following issues: Update to Salt release version 3002.2 (jsc#ECO-3212, jsc#SLE-18033, jsc#SLE-18028) - Check if dpkgnotify is executable (bsc#1186674) - Drop support for Python2. Obsoletes `python2-salt` package (jsc#SLE-18028) - virt module updates * network: handle missing ipv4 netmask attribute * more network support * PCI/USB host devices passthrough support - Set distro requirement to oldest supported version in requirements/base.txt - Bring missing part of async batch implementation back (CVE-2021-25315, bsc#1182382) - Always require `python3-distro` (bsc#1182293) - Remove deprecated warning that breaks minion execution when 'server_id_use_crc' opts is missing - Fix pkg states when DEB package has 'all' arch - Do not force beacons configuration to be a list. - Remove msgpack < 1.0.0 from base requirements (bsc#1176293) - msgpack support for version >= 1.0.0 (bsc#1171257) - Fix issue parsing errors in ansiblegate state module - Prevent command injection in the snapper module (bsc#1185281, CVE-2021-31607) - transactional_update: detect recursion in the executor - Add subpackage salt-transactional-update (jsc#SLE-18033) - Improvements on 'ansiblegate' module (bsc#1185092): * New methods: ansible.targets / ansible.discover_playbooks - Add support for Alibaba Cloud Linux 2 (Aliyun Linux) - Regression fix of salt-ssh on processing targets - Update target fix for salt-ssh and avoiding race condition on salt-ssh event processing (bsc#1179831, bsc#1182281) - Add notify beacon for Debian/Ubuntu systems - Fix zmq bug that causes salt-call to freeze (bsc#1181368) ----------------------------------------- Patch: SUSE-2021-2107 Released: Mon Jun 21 19:29:09 2021 Summary: Recommended update for golang-github-prometheus-node_exporter Severity: moderate References: 1151558 Description: This update for golang-github-prometheus-node_exporter fixes the following issues: Update from version 1.0.1 to version 1.1.2 - Bug fixes: - Do not include sources (bsc#1151558) - Handle errors from disabled `Pressure Stall Information (PSI)` subsystem - Sanitize strings from `/sys/class/power_supply` - Silence missing `netclass` errors - Fix `ineffassign` issue - Demote some warning to `Debug` level - `filesystem_freebsd`: Fix label values - Fix various `procfs` parsing errors - Handle no data from the power supply class - `udp_queues_linux.go`: change `upd` to `udp` in two error strings - Fix `node_scrape_collector_success` behavior - Fix `NodeRAIDDegraded` to not use a string rule expressions - Fix `node_md_disks` state label from fail to failed - Handle `EPERM` for syscall in timex collector - `bcache`: fix typo in a metric name - Fix XFS read/write stats - Enhancements: - Improve filter flag names - Add `btrfs` and `powersupplyclass` to list of exporters enabled by default - Add more `InfiniBand` counters - Add a flag to aggregate `ipvs` metrics to avoid high cardinality metrics - Add `backlog/current` queue length to `qdisc` collector - Include `TCP OutRsts` in `netstat` metrics - Add the `pool size` to entropy collector - Remove `CGO` dependencies for OpenBSD amd64 - `bcache`: add `writeback_rate_debug` statistics - Add `check state` for `mdadm` arrays via `node_md_state metric` - Expose `XFS inode` statistics - Expose `zfs zpool` state - Add the ability to pass `collector.supervisord.url` via `SUPERVISORD_URL` environment variable - Features: - Add fiber channel collector - Expose cpu bugs and flags as info metrics. - Add `network_route` collector - Add `zoneinfo` collector ----------------------------------------- Patch: SUSE-2021-2173 Released: Mon Jun 28 14:59:45 2021 Summary: Recommended update for automake Severity: moderate References: 1040589,1047218,1182604,1185540,1186049 Description: This update for automake fixes the following issues: - Implement generated autoconf makefiles reproducible (bsc#1182604) - Add fix to avoid date variations in docs. (bsc#1047218, jsc#SLE-17848) - Avoid bashisms in test-driver script. (bsc#1185540) This update for pcre fixes the following issues: - Do not run profiling 'check' in parallel to make package build reproducible. (bsc#1040589) This update for brp-check-suse fixes the following issues: - Add fixes to support reproducible builds. (bsc#1186049) ----------------------------------------- Patch: SUSE-2021-2179 Released: Mon Jun 28 17:36:37 2021 Summary: Recommended update for thin-provisioning-tools Severity: moderate References: 1184124 Description: This update for thin-provisioning-tools fixes the following issues: - Link as position-independent executable (bsc#1184124) ----------------------------------------- Patch: SUSE-2021-2193 Released: Mon Jun 28 18:38:43 2021 Summary: Recommended update for tar Severity: moderate References: 1184124 Description: This update for tar fixes the following issues: - Link '/var/lib/tests/tar/bin/genfile' as Position-Independent Executable (bsc#1184124) ----------------------------------------- Patch: SUSE-2021-2196 Released: Tue Jun 29 09:41:39 2021 Summary: Security update for lua53 Severity: moderate References: 1175448,1175449,CVE-2020-24370,CVE-2020-24371 Description: This update for lua53 fixes the following issues: Update to version 5.3.6: - CVE-2020-24371: lgc.c mishandles the interaction between barriers and the sweep phase, leading to a memory access violation involving collectgarbage (bsc#1175449) - CVE-2020-24370: ldebug.c allows a negation overflow and segmentation fault in getlocal and setlocal (bsc#1175448) - Long brackets with a huge number of '=' overflow some internal buffer arithmetic. ----------------------------------------- Patch: SUSE-2021-2286 Released: Fri Jul 9 17:38:53 2021 Summary: Recommended update for dosfstools Severity: moderate References: 1172863 Description: This update for dosfstools fixes the following issue: - Fixed a bug that was causing an installation issue when trying to create an EFI partition on an NVMe-over-Fabrics device (bsc#1172863) ----------------------------------------- Patch: SUSE-2021-2320 Released: Wed Jul 14 17:01:06 2021 Summary: Security update for sqlite3 Severity: important References: 1157818,1158812,1158958,1158959,1158960,1159491,1159715,1159847,1159850,1160309,1160438,1160439,1164719,1172091,1172115,1172234,1172236,1172240,1173641,928700,928701,CVE-2015-3414,CVE-2015-3415,CVE-2019-19244,CVE-2019-19317,CVE-2019-19603,CVE-2019-19645,CVE-2019-19646,CVE-2019-19880,CVE-2019-19923,CVE-2019-19924,CVE-2019-19925,CVE-2019-19926,CVE-2019-19959,CVE-2019-20218,CVE-2020-13434,CVE-2020-13435,CVE-2020-13630,CVE-2020-13631,CVE-2020-13632,CVE-2020-15358,CVE-2020-9327 Description: This update for sqlite3 fixes the following issues: - Update to version 3.36.0 - CVE-2020-15358: heap-based buffer overflow in multiSelectOrderBy due to mishandling of query-flattener optimization (bsc#1173641) - CVE-2020-9327: NULL pointer dereference and segmentation fault because of generated column optimizations in isAuxiliaryVtabOperator (bsc#1164719) - CVE-2019-20218: selectExpander in select.c proceeds with WITH stack unwinding even after a parsing error (bsc#1160439) - CVE-2019-19959: memory-management error via ext/misc/zipfile.c involving embedded '\0' input (bsc#1160438) - CVE-2019-19923: improper handling of certain uses of SELECT DISTINCT in flattenSubquery may lead to null pointer dereference (bsc#1160309) - CVE-2019-19924: improper error handling in sqlite3WindowRewrite() (bsc#1159850) - CVE-2019-19925: improper handling of NULL pathname during an update of a ZIP archive (bsc#1159847) - CVE-2019-19926: improper handling of certain errors during parsing multiSelect in select.c (bsc#1159715) - CVE-2019-19880: exprListAppendList in window.c allows attackers to trigger an invalid pointer dereference (bsc#1159491) - CVE-2019-19603: during handling of CREATE TABLE and CREATE VIEW statements, does not consider confusion with a shadow table name (bsc#1158960) - CVE-2019-19646: pragma.c mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns (bsc#1158959) - CVE-2019-19645: alter.c allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements (bsc#1158958) - CVE-2019-19317: lookupName in resolve.c omits bits from the colUsed bitmask in the case of a generated column, which allows attackers to cause a denial of service (bsc#1158812) - CVE-2019-19244: sqlite3,sqlite2,sqlite: The function sqlite3Select in select.c allows a crash if a sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage (bsc#1157818) - CVE-2015-3415: sqlite3VdbeExec comparison operator vulnerability (bsc#928701) - CVE-2015-3414: sqlite3,sqlite2: dequoting of collation-sequence names (bsc#928700) - CVE-2020-13434: integer overflow in sqlite3_str_vappendf (bsc#1172115) - CVE-2020-13630: (bsc#1172234: use-after-free in fts3EvalNextRow - CVE-2020-13631: virtual table allowed to be renamed to one of its shadow tables (bsc#1172236) - CVE-2020-13632: NULL pointer dereference via crafted matchinfo() query (bsc#1172240) - CVE-2020-13435: Malicious SQL statements could have crashed the process that is running SQLite (bsc#1172091) ----------------------------------------- Patch: SUSE-2021-2395 Released: Mon Jul 19 12:08:34 2021 Summary: Recommended update for efivar Severity: moderate References: 1187386 Description: This update for efivar provides the following fix: - Fix the eMMC sysfs parsing. (bsc#1187386) ----------------------------------------- Patch: SUSE-2021-2447 Released: Thu Jul 22 08:26:29 2021 Summary: Recommended update for hwdata Severity: moderate References: 1186749,1187948 Description: This update for hwdata fixes the following issue: - Version 0.349: Updated pci, usb and vendor ids (bsc#1187948). ----------------------------------------- Patch: SUSE-2021-2463 Released: Fri Jul 23 12:56:22 2021 Summary: Recommended update for python-pyzmq Severity: moderate References: 1186945 Description: This update for python-pyzmq fixes the following issues: - Update to version 17.1.2 (bsc#1186945) * Fix possible hang when working with asyncio * Remove some outdated workarounds for old Cython versions * Fix some compilation with custom compilers * Remove unneeded link of libstdc++ on PyPy ----------------------------------------- Patch: SUSE-2021-2464 Released: Fri Jul 23 14:20:23 2021 Summary: Recommended update for shim Severity: moderate References: 1185232,1185261,1185441,1185464,1185961,1187071,1187260,1187696 Description: This update for shim fixes the following issues: - shim-install: Always assume 'removable' for Azure to avoid the endless reset loop (bsc#1185464) - Avoid deleting the mirrored RT variables (bsc#1187696) - Split the keys in vendor-dbx.bin to vendor-dbx-sles and vendor-dbx-opensuse for shim-sles and shim-opensuse to reduce the size of MokListXRT (bsc#1185261) + Also update generate-vendor-dbx.sh in dbx-cert.tar.xz - Handle ignore_db and user_insecure_mode correctly (bsc#1185441, bsc#1187071) - Relax the maximum variable size check for u-boot (bsc#1185621) - Relax the check for import_mok_state() when Secure Boot is off. (bsc#1185261) - Ignore the odd LoadOptions length (bsc#1185232) - shim-install: reset def_shim_efi to 'shim.efi' if the given file doesn't exist - Fided the size of rela sections for AArch64 - Disable exporting vendor-dbx to MokListXRT since writing a large RT variable could crash some machines (bsc#1185261) - Avoid potential crash when calling QueryVariableInfo in EFI 1.10 machines (bsc#1187260) - Avoid buffer overflow when copying data to the MOK config table (bsc#1185232) ----------------------------------------- Patch: SUSE-2021-2467 Released: Mon Jul 26 11:57:11 2021 Summary: Recommended update for jsch Severity: low References: Description: This update for jsch fixes the following issues: - Miscellaneous clean-up - Create the osgi manifest during the ant build. ----------------------------------------- Patch: SUSE-2021-2481 Released: Tue Jul 27 14:20:27 2021 Summary: Recommended update for sysconfig Severity: moderate References: 1184124 Description: This update for sysconfig fixes the following issues: - Link as Position Independent Executable (bsc#1184124). ----------------------------------------- Patch: SUSE-2021-2558 Released: Thu Jul 29 12:05:03 2021 Summary: Recommended update for python-pytz Severity: moderate References: 1185748 Description: This update for python-pytz fixes the following issues: - Add %pyunittest shim for platforms where it is missing. - Remove real directory of %{python_sitelib}/pytz/zoneinfo when upgrading, before it is replaced by a symlink. (bsc#1185748) - Bump tzdata_version - update to 2021.1: * update to IANA 2021a timezone release ----------------------------------------- Patch: SUSE-2021-2612 Released: Thu Aug 5 10:17:44 2021 Summary: Security update for apache-commons-compress Severity: important References: 1188463,1188464,1188465,1188466,CVE-2021-35515,CVE-2021-35516,CVE-2021-35517,CVE-2021-36090 Description: This update for apache-commons-compress fixes the following issues: - Updated to 1.21 - CVE-2021-35515: Fixed an infinite loop when reading a specially crafted 7Z archive. (bsc#1188463) - CVE-2021-35516: Fixed an excessive memory allocation when reading a specially crafted 7Z archive. (bsc#1188464) - CVE-2021-35517: Fixed an excessive memory allocation when reading a specially crafted TAR archive. (bsc#1188465) - CVE-2021-36090: Fixed an excessive memory allocation when reading a specially crafted ZIP archive. (bsc#1188466) ----------------------------------------- Patch: SUSE-2021-2627 Released: Thu Aug 5 12:10:46 2021 Summary: Recommended maintenance update for systemd-default-settings Severity: moderate References: 1188348 Description: This update for systemd-default-settings fixes the following issue: - Solve a downgrade issue between SUSE Linux Enterprise SP3 and lower (bsc#1188348) ----------------------------------------- Patch: SUSE-2021-2667 Released: Thu Aug 12 12:03:18 2021 Summary: Recommended update for system-user-prometheus Severity: moderate References: Description: This recommended update for system-user-prometheus provides the following fixes: - Provide the user and group 'prometheus' to SUSE Enterprise Storage 6 needed by 'golang-github-prometheus-prometheus' (jsc#SLE-18254) ----------------------------------------- Patch: SUSE-2021-2817 Released: Mon Aug 23 15:05:18 2021 Summary: Security update for aws-cli, python-boto3, python-botocore, python-service_identity, python-trustme, python-urllib3 Severity: moderate References: 1102408,1138715,1138746,1176389,1177120,1182421,1182422,CVE-2020-26137 Description: This patch updates the Python AWS SDK stack in SLE 15: General: # aws-cli - Version updated to upstream release v1.19.9 For a detailed list of all changes, please refer to the changelog file of this package. # python-boto3 - Version updated to upstream release 1.17.9 For a detailed list of all changes, please refer to the changelog file of this package. # python-botocore - Version updated to upstream release 1.20.9 For a detailed list of all changes, please refer to the changelog file of this package. # python-urllib3 - Version updated to upstream release 1.25.10 For a detailed list of all changes, please refer to the changelog file of this package. # python-service_identity - Added this new package to resolve runtime dependencies for other packages. Version: 18.1.0 # python-trustme - Added this new package to resolve runtime dependencies for other packages. Version: 0.6.0 Security fixes: # python-urllib3: - CVE-2020-26137: urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest() (bsc#1177120) ----------------------------------------- Patch: SUSE-2021-2885 Released: Tue Aug 31 12:21:17 2021 Summary: Recommended update for publicsuffix Severity: low References: 1189124 Description: This update for publicsuffix fixes the following issues: - Updates the list of known/accepted domains with recent data (bsc#1189124). ----------------------------------------- Patch: SUSE-2021-2899 Released: Wed Sep 1 08:30:58 2021 Summary: Recommended update for systemd-rpm-macros Severity: moderate References: 1186282,1187332 Description: This update for systemd-rpm-macros fixes the following issues: - Fixed an issue whe zypper ignores the ordering constraints. (bsc#1187332) - Introduce '%sysusers_create_package': '%sysusers_create' and '%sysusers_create_inline' are now deprecated and the new macro should be used instead. - %sysusers_create_inline: use here-docs instead of echo (bsc#1186282) ----------------------------------------- Patch: SUSE-2021-2901 Released: Wed Sep 1 10:34:50 2021 Summary: Recommended update for insserv-compat Severity: moderate References: 1187941 Description: This update for insserv-compat fixes the following issues: - Require sysvinit-tools. (bsc#1187941) ----------------------------------------- Patch: SUSE-2021-2952 Released: Fri Sep 3 14:38:44 2021 Summary: Security update for java-11-openjdk Severity: important References: 1185476,1188564,1188565,1188566,CVE-2021-2341,CVE-2021-2369,CVE-2021-2388 Description: This update for java-11-openjdk fixes the following issues: - Update to jdk-11.0.12+7 - CVE-2021-2369: Fixed JAR file handling problem containing multiple MANIFEST.MF files. (bsc#1188565) - CVE-2021-2388: Fixed a flaw inside the Hotspot component performed range check elimination. (bsc#1188566) - CVE-2021-2341: Fixed a flaw inside the FtpClient. (bsc#1188564) ----------------------------------------- Patch: SUSE-2021-2973 Released: Tue Sep 7 16:56:08 2021 Summary: Recommended update for hwdata Severity: moderate References: 1190091 Description: This update for hwdata fixes the following issue: - Update pci, usb and vendor ids (bsc#1190091) ----------------------------------------- Patch: SUSE-2021-2993 Released: Thu Sep 9 14:31:33 2021 Summary: Recommended update for gcc Severity: moderate References: 1185348 Description: This update for gcc fixes the following issues: - With gcc-PIE add -pie even when -fPIC is specified but we are not linking a shared library. [bsc#1185348] - Fix postun of gcc-go alternative. ----------------------------------------- Patch: SUSE-2021-2997 Released: Thu Sep 9 14:37:34 2021 Summary: Recommended update for python3 Severity: moderate References: 1187338,1189659 Description: This update for python3 fixes the following issues: - Fixed an issue when the missing 'stropts.h' causing build errors for different python modules. (bsc#1187338) ----------------------------------------- Patch: SUSE-2021-3001 Released: Thu Sep 9 15:08:13 2021 Summary: Recommended update for netcfg Severity: moderate References: 1189683 Description: This update for netcfg fixes the following issues: - add submissions port/protocol to services file for message submission over TLS protocol [bsc#1189683] ----------------------------------------- Patch: SUSE-2021-3115 Released: Thu Sep 16 14:04:26 2021 Summary: Recommended update for mozilla-nspr, mozilla-nss Severity: moderate References: 1029961,1174697,1176206,1176934,1179382,1188891,CVE-2020-12400,CVE-2020-12401,CVE-2020-12403,CVE-2020-25648,CVE-2020-6829 Description: This update for mozilla-nspr fixes the following issues: mozilla-nspr was updated to version 4.32: * implement new socket option PR_SockOpt_DontFrag * support larger DNS records by increasing the default buffer size for DNS queries * Lock access to PRCallOnceType members in PR_CallOnce* for thread safety bmo#1686138 * PR_GetSystemInfo supports a new flag PR_SI_RELEASE_BUILD to get information about the operating system build version. Mozilla NSS was updated to version 3.68: * bmo#1713562 - Fix test leak. * bmo#1717452 - NSS 3.68 should depend on NSPR 4.32. * bmo#1693206 - Implement PKCS8 export of ECDSA keys. * bmo#1712883 - DTLS 1.3 draft-43. * bmo#1655493 - Support SHA2 HW acceleration using Intel SHA Extension. * bmo#1713562 - Validate ECH public names. * bmo#1717610 - Add function to get seconds from epoch from pkix::Time. update to NSS 3.67 * bmo#1683710 - Add a means to disable ALPN. * bmo#1715720 - Fix nssckbi version number in NSS 3.67 (was supposed to be incremented in 3.66). * bmo#1714719 - Set NSS_USE_64 on riscv64 target when using GYP/Ninja. * bmo#1566124 - Fix counter increase in ppc-gcm-wrap.c. * bmo#1566124 - Fix AES_GCM mode on ppc64le for messages of length more than 255-byte. update to NSS 3.66 * bmo#1710716 - Remove Expired Sonera Class2 CA from NSS. * bmo#1710716 - Remove Expired Root Certificates from NSS - QuoVadis Root Certification Authority. * bmo#1708307 - Remove Trustis FPS Root CA from NSS. * bmo#1707097 - Add Certum Trusted Root CA to NSS. * bmo#1707097 - Add Certum EC-384 CA to NSS. * bmo#1703942 - Add ANF Secure Server Root CA to NSS. * bmo#1697071 - Add GLOBALTRUST 2020 root cert to NSS. * bmo#1712184 - NSS tools manpages need to be updated to reflect that sqlite is the default database. * bmo#1712230 - Don't build ppc-gcm.s with clang integrated assembler. * bmo#1712211 - Strict prototype error when trying to compile nss code that includes blapi.h. * bmo#1710773 - NSS needs FIPS 180-3 FIPS indicators. * bmo#1709291 - Add VerifyCodeSigningCertificateChain. update to NSS 3.65 * bmo#1709654 - Update for NetBSD configuration. * bmo#1709750 - Disable HPKE test when fuzzing. * bmo#1566124 - Optimize AES-GCM for ppc64le. * bmo#1699021 - Add AES-256-GCM to HPKE. * bmo#1698419 - ECH -10 updates. * bmo#1692930 - Update HPKE to final version. * bmo#1707130 - NSS should use modern algorithms in PKCS#12 files by default. * bmo#1703936 - New coverity/cpp scanner errors. * bmo#1697303 - NSS needs to update it's csp clearing to FIPS 180-3 standards. * bmo#1702663 - Need to support RSA PSS with Hashing PKCS #11 Mechanisms. * bmo#1705119 - Deadlock when using GCM and non-thread safe tokens. update to NSS 3.64 * bmo#1705286 - Properly detect mips64. * bmo#1687164 - Introduce NSS_DISABLE_CRYPTO_VSX and disable_crypto_vsx. * bmo#1698320 - replace __builtin_cpu_supports('vsx') with ppc_crypto_support() for clang. * bmo#1613235 - Add POWER ChaCha20 stream cipher vector acceleration. Fixed in 3.63 * bmo#1697380 - Make a clang-format run on top of helpful contributions. * bmo#1683520 - ECCKiila P384, change syntax of nested structs initialization to prevent build isses with GCC 4.8. * bmo#1683520 - [lib/freebl/ecl] P-384: allow zero scalars in dual scalar multiplication. * bmo#1683520 - ECCKiila P521, change syntax of nested structs initialization to prevent build isses with GCC 4.8. * bmo#1683520 - [lib/freebl/ecl] P-521: allow zero scalars in dual scalar multiplication. * bmo#1696800 - HACL* update March 2021 - c95ab70fcb2bc21025d8845281bc4bc8987ca683. * bmo#1694214 - tstclnt can't enable middlebox compat mode. * bmo#1694392 - NSS does not work with PKCS #11 modules not supporting profiles. * bmo#1685880 - Minor fix to prevent unused variable on early return. * bmo#1685880 - Fix for the gcc compiler version 7 to support setenv with nss build. * bmo#1693217 - Increase nssckbi.h version number for March 2021 batch of root CA changes, CA list version 2.48. * bmo#1692094 - Set email distrust after to 21-03-01 for Camerfirma's 'Chambers of Commerce' and 'Global Chambersign' roots. * bmo#1618407 - Symantec root certs - Set CKA_NSS_EMAIL_DISTRUST_AFTER. * bmo#1693173 - Add GlobalSign R45, E45, R46, and E46 root certs to NSS. * bmo#1683738 - Add AC RAIZ FNMT-RCM SERVIDORES SEGUROS root cert to NSS. * bmo#1686854 - Remove GeoTrust PCA-G2 and VeriSign Universal root certs from NSS. * bmo#1687822 - Turn off Websites trust bit for the “Staat der Nederlanden Root CA - G3” root cert in NSS. * bmo#1692094 - Turn off Websites Trust Bit for 'Chambers of Commerce Root - 2008' and 'Global Chambersign Root - 2008’. * bmo#1694291 - Tracing fixes for ECH. update to NSS 3.62 * bmo#1688374 - Fix parallel build NSS-3.61 with make * bmo#1682044 - pkix_Build_GatherCerts() + pkix_CacheCert_Add() can corrupt 'cachedCertTable' * bmo#1690583 - Fix CH padding extension size calculation * bmo#1690421 - Adjust 3.62 ABI report formatting for new libabigail * bmo#1690421 - Install packaged libabigail in docker-builds image * bmo#1689228 - Minor ECH -09 fixes for interop testing, fuzzing * bmo#1674819 - Fixup a51fae403328, enum type may be signed * bmo#1681585 - Add ECH support to selfserv * bmo#1681585 - Update ECH to Draft-09 * bmo#1678398 - Add Export/Import functions for HPKE context * bmo#1678398 - Update HPKE to draft-07 update to NSS 3.61 * bmo#1682071 - Fix issue with IKE Quick mode deriving incorrect key values under certain conditions. * bmo#1684300 - Fix default PBE iteration count when NSS is compiled with NSS_DISABLE_DBM. * bmo#1651411 - Improve constant-timeness in RSA operations. * bmo#1677207 - Upgrade Google Test version to latest release. * bmo#1654332 - Add aarch64-make target to nss-try. Update to NSS 3.60.1: Notable changes in NSS 3.60: * TLS 1.3 Encrypted Client Hello (draft-ietf-tls-esni-08) support has been added, replacing the previous ESNI (draft-ietf-tls-esni-01) implementation. See bmo#1654332 for more information. * December 2020 batch of Root CA changes, builtins library updated to version 2.46. See bmo#1678189, bmo#1678166, and bmo#1670769 for more information. Update to NSS 3.59.1: * bmo#1679290 - Fix potential deadlock with certain third-party PKCS11 modules Update to NSS 3.59: Notable changes: * Exported two existing functions from libnss: CERT_AddCertToListHeadWithData and CERT_AddCertToListTailWithData Bugfixes * bmo#1607449 - Lock cert->nssCertificate to prevent a potential data race * bmo#1672823 - Add Wycheproof test cases for HMAC, HKDF, and DSA * bmo#1663661 - Guard against NULL token in nssSlot_IsTokenPresent * bmo#1670835 - Support enabling and disabling signatures via Crypto Policy * bmo#1672291 - Resolve libpkix OCSP failures on SHA1 self-signed root certs when SHA1 signatures are disabled. * bmo#1644209 - Fix broken SelectedCipherSuiteReplacer filter to solve some test intermittents * bmo#1672703 - Tolerate the first CCS in TLS 1.3 to fix a regression in our CVE-2020-25648 fix that broke purple-discord (boo#1179382) * bmo#1666891 - Support key wrap/unwrap with RSA-OAEP * bmo#1667989 - Fix gyp linking on Solaris * bmo#1668123 - Export CERT_AddCertToListHeadWithData and CERT_AddCertToListTailWithData from libnss * bmo#1634584 - Set CKA_NSS_SERVER_DISTRUST_AFTER for Trustis FPS Root CA * bmo#1663091 - Remove unnecessary assertions in the streaming ASN.1 decoder that affected decoding certain PKCS8 private keys when using NSS debug builds * bmo#670839 - Use ARM crypto extension for AES, SHA1 and SHA2 on MacOS. update to NSS 3.58 Bugs fixed: * bmo#1641480 (CVE-2020-25648) Tighten CCS handling for middlebox compatibility mode. * bmo#1631890 - Add support for Hybrid Public Key Encryption (draft-irtf-cfrg-hpke) support for TLS Encrypted Client Hello (draft-ietf-tls-esni). * bmo#1657255 - Add CI tests that disable SHA1/SHA2 ARM crypto extensions. * bmo#1668328 - Handle spaces in the Python path name when using gyp on Windows. * bmo#1667153 - Add PK11_ImportDataKey for data object import. * bmo#1665715 - Pass the embedded SCT list extension (if present) to TrustDomain::CheckRevocation instead of the notBefore value. update to NSS 3.57 * The following CA certificates were Added: bmo#1663049 - CN=Trustwave Global Certification Authority SHA-256 Fingerprint: 97552015F5DDFC3C8788C006944555408894450084F100867086BC1A2BB58DC8 bmo#1663049 - CN=Trustwave Global ECC P256 Certification Authority SHA-256 Fingerprint: 945BBC825EA554F489D1FD51A73DDF2EA624AC7019A05205225C22A78CCFA8B4 bmo#1663049 - CN=Trustwave Global ECC P384 Certification Authority SHA-256 Fingerprint: 55903859C8C0C3EBB8759ECE4E2557225FF5758BBD38EBD48276601E1BD58097 * The following CA certificates were Removed: bmo#1651211 - CN=EE Certification Centre Root CA SHA-256 Fingerprint: 3E84BA4342908516E77573C0992F0979CA084E4685681FF195CCBA8A229B8A76 bmo#1656077 - O=Government Root Certification Authority; C=TW SHA-256 Fingerprint: 7600295EEFE85B9E1FD624DB76062AAAAE59818A54D2774CD4C0B2C01131E1B3 * Trust settings for the following CA certificates were Modified: bmo#1653092 - CN=OISTE WISeKey Global Root GA CA Websites (server authentication) trust bit removed. * https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.57_release_notes update to NSS 3.56 Notable changes * bmo#1650702 - Support SHA-1 HW acceleration on ARMv8 * bmo#1656981 - Use MPI comba and mulq optimizations on x86-64 MacOS. * bmo#1654142 - Add CPU feature detection for Intel SHA extension. * bmo#1648822 - Add stricter validation of DH keys in FIPS mode. * bmo#1656986 - Properly detect arm64 during GYP build architecture detection. * bmo#1652729 - Add build flag to disable RC2 and relocate to lib/freebl/deprecated. * bmo#1656429 - Correct RTT estimate used in 0-RTT anti-replay. * bmo#1588941 - Send empty certificate message when scheme selection fails. * bmo#1652032 - Fix failure to build in Windows arm64 makefile cross-compilation. * bmo#1625791 - Fix deadlock issue in nssSlot_IsTokenPresent. * bmo#1653975 - Fix 3.53 regression by setting 'all' as the default makefile target. * bmo#1659792 - Fix broken libpkix tests with unexpired PayPal cert. * bmo#1659814 - Fix interop.sh failures with newer tls-interop commit and dependencies. * bmo#1656519 - NSPR dependency updated to 4.28 update to NSS 3.55 Notable changes * P384 and P521 elliptic curve implementations are replaced with verifiable implementations from Fiat-Crypto [0] and ECCKiila [1]. * PK11_FindCertInSlot is added. With this function, a given slot can be queried with a DER-Encoded certificate, providing performance and usability improvements over other mechanisms. (bmo#1649633) * DTLS 1.3 implementation is updated to draft-38. (bmo#1647752) Relevant Bugfixes * bmo#1631583 (CVE-2020-6829, CVE-2020-12400) - Replace P384 and P521 with new, verifiable implementations from Fiat-Crypto and ECCKiila. * bmo#1649487 - Move overzealous assertion in VFY_EndWithSignature. * bmo#1631573 (CVE-2020-12401) - Remove unnecessary scalar padding. * bmo#1636771 (CVE-2020-12403) - Explicitly disable multi-part ChaCha20 (which was not functioning correctly) and more strictly enforce tag length. * bmo#1649648 - Don't memcpy zero bytes (sanitizer fix). * bmo#1649316 - Don't memcpy zero bytes (sanitizer fix). * bmo#1649322 - Don't memcpy zero bytes (sanitizer fix). * bmo#1653202 - Fix initialization bug in blapitest when compiled with NSS_DISABLE_DEPRECATED_SEED. * bmo#1646594 - Fix AVX2 detection in makefile builds. * bmo#1649633 - Add PK11_FindCertInSlot to search a given slot for a DER-encoded certificate. * bmo#1651520 - Fix slotLock race in NSC_GetTokenInfo. * bmo#1647752 - Update DTLS 1.3 implementation to draft-38. * bmo#1649190 - Run cipher, sdr, and ocsp tests under standard test cycle in CI. * bmo#1649226 - Add Wycheproof ECDSA tests. * bmo#1637222 - Consistently enforce IV requirements for DES and 3DES. * bmo#1067214 - Enforce minimum PKCS#1 v1.5 padding length in RSA_CheckSignRecover. * bmo#1646324 - Advertise PKCS#1 schemes for certificates in the signature_algorithms extension. update to NSS 3.54 Notable changes * Support for TLS 1.3 external pre-shared keys (bmo#1603042). * Use ARM Cryptography Extension for SHA256, when available (bmo#1528113) * The following CA certificates were Added: bmo#1645186 - certSIGN Root CA G2. bmo#1645174 - e-Szigno Root CA 2017. bmo#1641716 - Microsoft ECC Root Certificate Authority 2017. bmo#1641716 - Microsoft RSA Root Certificate Authority 2017. * The following CA certificates were Removed: bmo#1645199 - AddTrust Class 1 CA Root. bmo#1645199 - AddTrust External CA Root. bmo#1641718 - LuxTrust Global Root 2. bmo#1639987 - Staat der Nederlanden Root CA - G2. bmo#1618402 - Symantec Class 2 Public Primary Certification Authority - G4. bmo#1618402 - Symantec Class 1 Public Primary Certification Authority - G4. bmo#1618402 - VeriSign Class 3 Public Primary Certification Authority - G3. * A number of certificates had their Email trust bit disabled. See bmo#1618402 for a complete list. Bugs fixed * bmo#1528113 - Use ARM Cryptography Extension for SHA256. * bmo#1603042 - Add TLS 1.3 external PSK support. * bmo#1642802 - Add uint128 support for HACL* curve25519 on Windows. * bmo#1645186 - Add 'certSIGN Root CA G2' root certificate. * bmo#1645174 - Add Microsec's 'e-Szigno Root CA 2017' root certificate. * bmo#1641716 - Add Microsoft's non-EV root certificates. * bmo1621151 - Disable email trust bit for 'O=Government Root Certification Authority; C=TW' root. * bmo#1645199 - Remove AddTrust root certificates. * bmo#1641718 - Remove 'LuxTrust Global Root 2' root certificate. * bmo#1639987 - Remove 'Staat der Nederlanden Root CA - G2' root certificate. * bmo#1618402 - Remove Symantec root certificates and disable email trust bit. * bmo#1640516 - NSS 3.54 should depend on NSPR 4.26. * bmo#1642146 - Fix undefined reference to `PORT_ZAlloc_stub' in seed.c. * bmo#1642153 - Fix infinite recursion building NSS. * bmo#1642638 - Fix fuzzing assertion crash. * bmo#1642871 - Enable SSL_SendSessionTicket after resumption. * bmo#1643123 - Support SSL_ExportEarlyKeyingMaterial with External PSKs. * bmo#1643557 - Fix numerous compile warnings in NSS. * bmo#1644774 - SSL gtests to use ClearServerCache when resetting self-encrypt keys. * bmo#1645479 - Don't use SECITEM_MakeItem in secutil.c. * bmo#1646520 - Stricter enforcement of ASN.1 INTEGER encoding. ----------------------------------------- Patch: SUSE-2021-3168 Released: Mon Sep 20 17:25:42 2021 Summary: Feature update for SUSE Manager 4.2.2 Proxy and Server Severity: moderate References: Description: This update provides the following package to SUSE Manager 4.2.2 Proxy python-pyvmomi: - python-pyvmomi is added to SUSE Manager Proxy as L3 supported. ----------------------------------------- Patch: SUSE-2021-3169 Released: Mon Sep 20 17:26:07 2021 Summary: Feature update for SUSE Manager 4.2.2 Proxy and Server Severity: moderate References: Description: This update provides the following packages to SUSE Manager 4.2.2 Proxy and Server: ansible: - ansible and ansible-doc are added to SUSE Manager Proxy as L2 supported golang-github-prometheus-alertmanager: - golang-github-prometheus-alertmanager is added to SUSE Manager Proxy as L3 supported python-python-memcached: - python-python-memcached is added to SUSE Manager Proxy as L3 supported python-redis: - python-redis is added to SUSE Manager Proxy as L3 supported system-user-prometheus: - system-user-prometheus is added to SUSE Manager Proxy as L3 supported ----------------------------------------- Patch: SUSE-2021-3171 Released: Mon Sep 20 17:26:34 2021 Summary: Recommended update for java-11-openjdk Severity: important References: 1189201,1190252 Description: This update for java-11-openjdk fixes the following issues: - Implement FIPS support in OpenJDK - Fix build with 'glibc-2.34' (bsc#1189201) - Add support for 'riscv64' (zero VM) - Make NSS the default security provider. (bsc#1190252) ----------------------------------------- Patch: SUSE-2021-3182 Released: Tue Sep 21 17:04:26 2021 Summary: Recommended update for file Severity: moderate References: 1189996 Description: This update for file fixes the following issues: - Fixes exception thrown by memory allocation problem (bsc#1189996) ----------------------------------------- Patch: SUSE-2021-3263 Released: Thu Sep 30 11:39:37 2021 Summary: Feature update for SUSE Manager 4.1.11 Proxy Severity: moderate References: Description: This update provides the following packages to SUSE Manager 4.1.11 Proxy golang-github-prometheus-alertmanager: - golang-github-prometheus-alertmanager is added to SUSE Manager Proxy as L3 supported system-user-prometheus: - system-user-prometheus is added to SUSE Manager Proxy as L3 supported ----------------------------------------- Patch: SUSE-2021-3274 Released: Fri Oct 1 10:34:17 2021 Summary: Recommended update for ca-certificates-mozilla Severity: important References: 1190858 Description: This update for ca-certificates-mozilla fixes the following issues: - remove one of the Letsencrypt CAs DST_Root_CA_X3.pem, as it expires September 30th 2021 and openssl certificate chain handling does not handle this correctly in openssl 1.0.2 and older. (bsc#1190858) ----------------------------------------- Patch: SUSE-2021-3382 Released: Tue Oct 12 14:30:17 2021 Summary: Recommended update for ca-certificates-mozilla Severity: moderate References: Description: This update for ca-certificates-mozilla fixes the following issues: - A new sub-package for minimal base containers (jsc#SLE-22162) ----------------------------------------- Patch: SUSE-2021-3476 Released: Wed Oct 20 08:42:00 2021 Summary: Security update for xstream Severity: important References: 1189798,CVE-2021-39139,CVE-2021-39140,CVE-2021-39141,CVE-2021-39144,CVE-2021-39145,CVE-2021-39146,CVE-2021-39147,CVE-2021-39148,CVE-2021-39149,CVE-2021-39150,CVE-2021-39151,CVE-2021-39152,CVE-2021-39153,CVE-2021-39154 Description: This update for xstream fixes the following issues: - Upgrade to 1.4.18 - CVE-2021-39139: Fixed an issue that allowed an attacker to execute arbitrary code execution by manipulating the processed input stream with type information. (bsc#1189798) - CVE-2021-39140: Fixed an issue that allowed an attacker to execute a DoS attack by manipulating the processed input stream. (bsc#1189798) - CVE-2021-39141: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798) - CVE-2021-39144: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798) - CVE-2021-39145: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798) - CVE-2021-39146: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798) - CVE-2021-39147: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798) - CVE-2021-39148: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798) - CVE-2021-39149: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798) - CVE-2021-39150: Fixed an issue that allowed an attacker to access protected resources hosted within the intranet or in the host itself. (bsc#1189798) - CVE-2021-39151: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798) - CVE-2021-39152: Fixed an issue that allowed an attacker to access protected resources hosted within the intranet or in the host itself. (bsc#1189798) - CVE-2021-39153: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798) - CVE-2021-39154: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798) ----------------------------------------- Patch: SUSE-2021-3490 Released: Wed Oct 20 16:31:55 2021 Summary: Security update for ncurses Severity: moderate References: 1190793,CVE-2021-39537 Description: This update for ncurses fixes the following issues: - CVE-2021-39537: Fixed an heap-based buffer overflow in _nc_captoinfo. (bsc#1190793) ----------------------------------------- Patch: SUSE-2021-3494 Released: Wed Oct 20 16:48:46 2021 Summary: Recommended update for pam Severity: moderate References: 1190052 Description: This update for pam fixes the following issues: - Added pam_faillock to the set of available PAM modules. (jsc#SLE-20638) - Added new file macros.pam on request of systemd. (bsc#1190052) ----------------------------------------- Patch: SUSE-2021-3510 Released: Tue Oct 26 11:22:15 2021 Summary: Recommended update for pam Severity: important References: 1191987 Description: This update for pam fixes the following issues: - Fixed a bad directive file which resulted in the 'securetty' file to be installed as 'macros.pam'. (bsc#1191987) ----------------------------------------- Patch: SUSE-2021-3529 Released: Wed Oct 27 09:23:32 2021 Summary: Security update for pcre Severity: moderate References: 1172973,1172974,CVE-2019-20838,CVE-2020-14155 Description: This update for pcre fixes the following issues: Update pcre to version 8.45: - CVE-2020-14155: Fixed integer overflow via a large number after a '(?C' substring (bsc#1172974). - CVE-2019-20838: Fixed buffer over-read in JIT compiler (bsc#1172973) ----------------------------------------- Patch: SUSE-2021-3616 Released: Thu Nov 4 12:29:16 2021 Summary: Security update for binutils Severity: moderate References: 1179898,1179899,1179900,1179901,1179902,1179903,1180451,1180454,1180461,1181452,1182252,1183511,1184620,1184794,CVE-2020-16590,CVE-2020-16591,CVE-2020-16592,CVE-2020-16593,CVE-2020-16598,CVE-2020-16599,CVE-2020-35448,CVE-2020-35493,CVE-2020-35496,CVE-2020-35507,CVE-2021-20197,CVE-2021-20284,CVE-2021-3487 Description: This update for binutils fixes the following issues: Update to binutils 2.37: * The GNU Binutils sources now requires a C99 compiler and library to build. * Support for Realm Management Extension (RME) for AArch64 has been added. * A new linker option '-z report-relative-reloc' for x86 ELF targets has been added to report dynamic relative relocations. * A new linker option '-z start-stop-gc' has been added to disable special treatment of __start_*/__stop_* references when --gc-sections. * A new linker options '-Bno-symbolic' has been added which will cancel the '-Bsymbolic' and '-Bsymbolic-functions' options. * The readelf tool has a new command line option which can be used to specify how the numeric values of symbols are reported. --sym-base=0|8|10|16 tells readelf to display the values in base 8, base 10 or base 16. A sym base of 0 represents the default action of displaying values under 10000 in base 10 and values above that in base 16. * A new format has been added to the nm program. Specifying '--format=just-symbols' (or just using -j) will tell the program to only display symbol names and nothing else. * A new command line option '--keep-section-symbols' has been added to objcopy and strip. This stops the removal of unused section symbols when the file is copied. Removing these symbols saves space, but sometimes they are needed by other tools. * The '--weaken', '--weaken-symbol' and '--weaken-symbols' options supported by objcopy now make undefined symbols weak on targets that support weak symbols. * Readelf and objdump can now display and use the contents of .debug_sup sections. * Readelf and objdump will now follow links to separate debug info files by default. This behaviour can be stopped via the use of the new '-wN' or '--debug-dump=no-follow-links' options for readelf and the '-WN' or '--dwarf=no-follow-links' options for objdump. Also the old behaviour can be restored by the use of the '--enable-follow-debug-links=no' configure time option. The semantics of the =follow-links option have also been slightly changed. When enabled, the option allows for the loading of symbol tables and string tables from the separate files which can be used to enhance the information displayed when dumping other sections, but it does not automatically imply that information from the separate files should be displayed. If other debug section display options are also enabled (eg '--debug-dump=info') then the contents of matching sections in both the main file and the separate debuginfo file *will* be displayed. This is because in most cases the debug section will only be present in one of the files. If however non-debug section display options are enabled (eg '--sections') then the contents of matching parts of the separate debuginfo file will *not* be displayed. This is because in most cases the user probably only wanted to load the symbol information from the separate debuginfo file. In order to change this behaviour a new command line option --process-links can be used. This will allow di0pslay options to applied to both the main file and any separate debuginfo files. * Nm has a new command line option: '--quiet'. This suppresses 'no symbols' diagnostic. Update to binutils 2.36: New features in the Assembler: - General: * When setting the link order attribute of ELF sections, it is now possible to use a numeric section index instead of symbol name. * Added a .nop directive to generate a single no-op instruction in a target neutral manner. This instruction does have an effect on DWARF line number generation, if that is active. * Removed --reduce-memory-overheads and --hash-size as gas now uses hash tables that can be expand and shrink automatically. - X86/x86_64: * Add support for AVX VNNI, HRESET, UINTR, TDX, AMX and Key Locker instructions. * Support non-absolute segment values for lcall and ljmp. * Add {disp16} pseudo prefix to x86 assembler. * Configure with --enable-x86-used-note by default for Linux/x86. - ARM/AArch64: * Add support for Cortex-A78, Cortex-A78AE and Cortex-X1, Cortex-R82, Neoverse V1, and Neoverse N2 cores. * Add support for ETMv4 (Embedded Trace Macrocell), ETE (Embedded Trace Extension), TRBE (Trace Buffer Extension), CSRE (Call Stack Recorder Extension) and BRBE (Branch Record Buffer Extension) system registers. * Add support for Armv8-R and Armv8.7-A ISA extensions. * Add support for DSB memory nXS barrier, WFET and WFIT instruction for Armv8.7. * Add support for +csre feature for -march. Add CSR PDEC instruction for CSRE feature in AArch64. * Add support for +flagm feature for -march in Armv8.4 AArch64. * Add support for +ls64 feature for -march in Armv8.7 AArch64. Add atomic 64-byte load/store instructions for this feature. * Add support for +pauth (Pointer Authentication) feature for -march in AArch64. New features in the Linker: * Add --error-handling-script= command line option to allow a helper script to be invoked when an undefined symbol or a missing library is encountered. This option can be suppressed via the configure time switch: --enable-error-handling-script=no. * Add -z x86-64-{baseline|v[234]} to the x86 ELF linker to mark x86-64-{baseline|v[234]} ISA level as needed. * Add -z unique-symbol to avoid duplicated local symbol names. * The creation of PE format DLLs now defaults to using a more secure set of DLL characteristics. * The linker now deduplicates the types in .ctf sections. The new command-line option --ctf-share-types describes how to do this: its default value, share-unconflicted, produces the most compact output. * The linker now omits the 'variable section' from .ctf sections by default, saving space. This is almost certainly what you want unless you are working on a project that has its own analogue of symbol tables that are not reflected in the ELF symtabs. New features in other binary tools: * The ar tool's previously unused l modifier is now used for specifying dependencies of a static library. The arguments of this option (or --record-libdeps long form option) will be stored verbatim in the __.LIBDEP member of the archive, which the linker may read at link time. * Readelf can now display the contents of LTO symbol table sections when asked to do so via the --lto-syms command line option. * Readelf now accepts the -C command line option to enable the demangling of symbol names. In addition the --demangle=