Image summary for sles-15-sp3-chost-byos-v20210629

SUSE-IU-2021:597-1

This update for timezone provides the following fixes:

• North Korea switches back from +0830 to +09 on 2018-05-05.
• Ireland's standard time is in the summer, with negative DST offset to standard time used in Winter. (bsc#1073299)
• yast2-country is no longer setting TIMEZONE in /etc/sysconfig/clock and is calling systemd timedatectl instead. Do not set /etc/localtime on timezone package updates to avoid setting an incorrect timezone. (bsc#1093392)

This update for mozilla-nss provides the following fixes:

• Update to NSS 3.36.4 required by Firefox 60.0.2. (bsc#1096515)
• Fix a problem that would cause connections to a server that was recently upgraded to TLS 1.3 to result in a SSL_RX_MALFORMED_SERVER_HELLO error.
• Fix a rare bug with PKCS#12 files.
• Use relro linker option.

This update for e2fsprogs fixes the following issues:
Security issues fixed:

• CVE-2015-0247: Fixed couple of heap overflows in e2fsprogs (fsck, dumpe2fs, e2image...) (bsc#915402).
• CVE-2015-1572: Fixed potential buffer overflow in closefs() (bsc#918346).

• bsc#1038194: generic/405 test fails with /dev/mapper/thin-vol is inconsistent on ext4 file system.
• bsc#1009532: resize2fs hangs when trying to resize a large ext4 file system.
• bsc#960273: xfsprogs does not call %{?regenerate_initrd_post}.

This update for cups fixes the following issues:
The following security vulnerabilities were fixed:

• Fixed a local privilege escalation to root and sandbox bypasses in the scheduler
• CVE-2018-4180: Fixed a local privilege escalation to root in dnssd backend (bsc#1096405)
• CVE-2018-4181: Limited local file reads as root via cupsd.conf include directive (bsc#1096406)
• CVE-2018-4182: Fixed a sandbox bypass due to insecure error handling (bsc#1096407)
• CVE-2018-4183: Fixed a sandbox bypass due to profile misconfiguration (bsc#1096408)

This update for growpart provides the following fix:

• Support btrfs resize and handle ro setup in rootgrow. (bsc#1097455, bsc#1098681)

This update for xfsprogs fixes the following issues:

• avoid divide-by-zero when hardware reports optimal i/o size as 0 (bsc#1089777)
• repair: shift inode back into place if corrupted by bad log replay (bsc#1105396).

This update for docker fixes the following issues:

• Build the client binary with -buildmode=pie to fix issues on POWER. (bsc#1100727)
• Fix an issue where changed AppArmor profiles don't actually get applied on Docker daemon reboot. (bsc#1099277)
• Update to AppArmor patch so that signal mediation also works for signals between in-container processes. (bsc#1073877)
• Do not log incorrect warnings when attempting to inject non-existent host files. (bsc#1065609)

This update for zlib provides the following fixes:

• Speedup zlib on power8. (fate#325307)
• Add safeguard against negative values in uInt. (bsc#1071321)

This update for openldap2 provides the following fix:

• Fix slapd segfaults in mdb_env_reader_dest. (bsc#1089640)

This update for python3 fixes the following issues:

• Add -fwrapv to OPTS, which is default for python3 for bugs which are caused by avoiding it. (bsc#1107030)

This update for libxml2 fixes the following security issues:

• CVE-2018-9251: The xz_decomp function allowed remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1088279)
• CVE-2018-14567: Prevent denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1105166)
• CVE-2018-14404: Prevent NULL pointer dereference in the xmlXPathCompOpEval() function when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case leading to a denial of service attack (bsc#1102046)

This update for fuse fixes the following issues:

• CVE-2018-10906: fusermount was vulnerable to a restriction bypass when SELinux is active. This allowed non-root users to mount a FUSE file system with the 'allow_other' mount option regardless of whether 'user_allow_other' is set in the fuse configuration. An attacker may use this flaw to mount a FUSE file system, accessible by other users, and trick them into accessing files on that file system, possibly causing Denial of Service or other unspecified effects (bsc#1101797)

This update for logrotate provides the following fix:

• Ensure the HOME environment variable is set to /root when logrotate is started via systemd. This allows mariadb to rotate its logs when the database has a root password defined. (bsc#1093617)

This update for aaa_base provides the following fixes:

• Let bash.bashrc work even for (m)ksh. (bsc#1104531)
• Fix an error at login if java system directory is empty. (bsc#1102310)

This update for timezone, timezone-java fixes the following issues:
The timezone database was updated to 2018f:

• Volgograd moves from +03 to +04 on 2018-10-28.
• Fiji ends DST 2019-01-13, not 2019-01-20.
• Most of Chile changes DST dates, effective 2019-04-06 (bsc#1104700)
• Corrections to past timestamps of DST transitions
• Use 'PST' and 'PDT' for Philippine time
• minor code changes to zic handling of the TZif format
• documentation updates

• Fixed a zic problem with the 1948-1951 DST transition in Japan (bsc#1112310)

This update for xfsprogs fixes the following issues:

• Explictly disable systemd unit files for scrub (bsc#1105068).

This update provides the latest time zone definitions (2018g), including the following change:

• Morocco switched from +00/+01 to permanent +01 effective 2018-10-28 (bsc#1113554)

This update for pam fixes the following issues:

• Remove limits for nproc from /etc/security/limits.conf (bsc#1110700)

The GNU Compiler GCC 8 is being added to the Development Tools Module by this update.
The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the Basesystem module of SUSE Linux Enterprise 15.
Various optimizers have been improved in GCC 8, several of bugs fixed, quite some new warnings added and the error pin-pointing and fix-suggestions have been greatly improved.
The GNU Compiler page for GCC 8 contains a summary of all the changes that have happened:
https://gcc.gnu.org/gcc-8/changes.html
Also changes needed or common pitfalls when porting software are described on:
https://gcc.gnu.org/gcc-8/porting_to.html

This update for nfsidmap fixes the following issues:

• Improve support for SAMBA with Active Directory. (bsc#1098217)

This update for rpcbind fixes the following issues:

• Fix tool stack buffer overflow aborting (bsc#969953)

This update for pam fixes the following issue:
Security issue fixed:

• CVE-2018-17953: Fixed IP address and subnet handling of pam_access.so that was not honoured correctly when a single host was specified (bsc#1115640).

This update for ncurses fixes the following issues:
Security issue fixed:

• CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929).

• Remove scree.xterm from terminfo data base as with this screen uses fallback TERM=screen (bsc#1103320).

This update for cups fixes the following issues:
Security issue fixed:

• CVE-2018-4700: Fixed extremely predictable cookie generation that is effectively breaking the CSRF protection of the CUPS web interface (bsc#1115750).

This update for tcpdump fixes the following issues:
Security issues fixed:

• CVE-2018-19519: Fixed a stack-based buffer over-read in the print_prefix function (bsc#1117267)

This update for libnettle fixes the following issues:
Security issues fixed:

• CVE-2018-16869: Fixed a leaky data conversion exposing a manager oracle (bsc#1118086)

This update for MozillaFirefox, mozilla-nss and mozilla-nspr fixes the following issues:
Issues fixed in MozillaFirefox:

• Update to Firefox ESR 60.4 (bsc#1119105)
• CVE-2018-17466: Fixed a buffer overflow and out-of-bounds read in ANGLE library with TextureStorage11
• CVE-2018-18492: Fixed a use-after-free with select element
• CVE-2018-18493: Fixed a buffer overflow in accelerated 2D canvas with Skia
• CVE-2018-18494: Fixed a Same-origin policy violation using location attribute and performance.getEntries to steal cross-origin URLs
• CVE-2018-18498: Fixed a integer overflow when calculating buffer sizes for images
• CVE-2018-12405: Fixed a few memory safety bugs

• Update to NSS 3.40.1 (bsc#1119105)
• CVE-2018-12404: Fixed a cache side-channel variant of the Bleichenbacher attack (bsc#1119069)
• CVE-2018-12384: Fixed an issue in the SSL handshake. NSS responded to an SSLv2-compatible ClientHello with a ServerHello that had an all-zero random. (bsc#1106873)
• CVE-2018-0495: Fixed a memory-cache side-channel attack with ECDSA signatures (bsc#1097410)
• Fixed a decryption failure during FFDHE key exchange
• Various security fixes in the ASN.1 code

• Update mozilla-nspr to 4.20 (bsc#1119105)

This update for containerd, docker and go fixes the following issues:
containerd and docker:

• Add backport for building containerd (bsc#1102522, bsc#1113313)
• Upgrade to containerd v1.1.2, which is required for Docker v18.06.1-ce. (bsc#1102522)
• Enable seccomp support on SLE12 (fate#325877)
• Update to containerd v1.1.1, which is the required version for the Docker v18.06.0-ce upgrade. (bsc#1102522)
• Put containerd under the podruntime slice (bsc#1086185)
• 3rd party registries used the default Docker certificate (bsc#1084533)
• Handle build breakage due to missing 'export GOPATH' (caused by resolution of boo#1119634). I believe Docker is one of the only packages with this problem.

• golang: arbitrary command execution via VCS path (bsc#1081495, CVE-2018-7187)
• Make profile.d/go.sh no longer set GOROOT=, in order to make switching between versions no longer break. This ends up removing the need for go.sh entirely (because GOPATH is also set automatically) (boo#1119634)
• Fix a regression that broke go get for import path patterns containing '...' (bsc#1119706)

This update for acl fixes the following issues:

• test: Add helper library to fake passwd/group files.
• quote: Escape literal backslashes. (bsc#953659)

This update for xfsprogs fixes the following issues:

• Fix root inode's parent when it's bogus for sf directory (xfs repair). (bsc#1119063)

This update for suse-build-key fixes the following issues:

• Include the SUSE PTF GPG key in the key directory to avoid it being stripped via %doc stripping in CAASP. (bsc#1044232)

This update for mozilla-nss fixes the following issues:

• The hmac packages used in FIPS certification inadvertently removed in last update: re-added. (bsc#1121207)
• Added 'Suggest:' for libfreebl3 and libsoftokn3 respective -hmac packages to avoid dependency issues during updates (bsc#1090767, bsc#1121045)

This update for wget fixes the following issues:
Security issue fixed:

• CVE-2018-20483: Fixed an information disclosure through file metadata (bsc#1120382)

This update for timezone fixes the following issues:

• Update 2018i: São Tomé and Príncipe switches from +01 to +00 on 2019-01-01. (bsc#1120402)
• Update 2018h: Qyzylorda, Kazakhstan moved from +06 to +05 on 2018-12-21 New zone Asia/Qostanay because Qostanay, Kazakhstan didn't move Metlakatla, Alaska observes PST this winter only Guess Morocco will continue to adjust clocks around Ramadan Add predictions for Iran from 2038 through 2090

This update for chrony fixes the following issues:

• Generate chronyd sysconfig file. (bsc#1117147)

This update for python3 fixes the following issues:
Security issue fixed:

• CVE-2019-5010: Fixed a denial-of-service vulnerability in the X509 certificate parser (bsc#1122191)
• CVE-2018-20406: Fixed a integer overflow via a large LONG_BINPUT (bsc#1120644)

This update for lua53 fixes the following issues:
Security issue fixed:

• CVE-2019-6706: Fixed a use-after-free bug in the lua_upvaluejoin function of lapi.c (bsc#1123043)

This update for MozillaFirefox, mozilla-nss fixes the following issues:
Security issues fixed:

• CVE-2018-18500: Fixed a use-after-free parsing HTML5 stream (bsc#1122983).
• CVE-2018-18501: Fixed multiple memory safety bugs (bsc#1122983).
• CVE-2018-18505: Fixed a privilege escalation through IPC channel messages (bsc#1122983).
• CVE-2018-12404: Cache side-channel variant of the Bleichenbacher attack (bsc#1119069).

• Update to MozillaFirefox ESR 60.5.0
• Update to mozilla-nss 3.41.1

This update for containerd, docker, docker-runc and golang-github-docker-libnetwork fixes the following issues:
Security issues fixed for containerd, docker, docker-runc and golang-github-docker-libnetwork:

• CVE-2018-16873: cmd/go: remote command execution during 'go get -u' (bsc#1118897)
• CVE-2018-16874: cmd/go: directory traversal in 'go get' via curly braces in import paths (bsc#1118898)
• CVE-2018-16875: crypto/x509: CPU denial of service (bsc#1118899)

• Disable leap based builds for kubic flavor (bsc#1121412)
• Allow users to explicitly specify the NIS domainname of a container (bsc#1001161)
• Update docker.service to match upstream and avoid rlimit problems (bsc#1112980)
• Allow docker images larger then 23GB (bsc#1118990)
• Docker version update to version 18.09.0-ce (bsc#1115464)

This update for itstool and python-libxml2-python fixes the following issues:
Package: itstool - Updated version to support Python3. (bnc#1111019)
Package: python-libxml2-python - Fix segfault when parsing invalid data. (bsc#1065270)

This update for containerd, docker, docker-runc, golang-github-docker-libnetwork, runc fixes the following issues:
Security issues fixed:

• CVE-2018-16875: Fixed a CPU Denial of Service (bsc#1118899).
• CVE-2018-16874: Fixed a vulnerabity in go get command which could allow directory traversal in GOPATH mode (bsc#1118898).
• CVE-2018-16873: Fixed a vulnerability in go get command which could allow remote code execution when executed with -u in GOPATH mode (bsc#1118897).
• CVE-2019-5736: Effectively copying /proc/self/exe during re-exec to avoid write attacks to the host runc binary, which could lead to a container breakout (bsc#1121967).

• Update shell completion to use Group: System/Shells.
• Add daemon.json file with rotation logs configuration (bsc#1114832)
• Update to Docker 18.09.1-ce (bsc#1124308) and to to runc 96ec2177ae84. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md.
• Update go requirements to >= go1.10
• Use -buildmode=pie for tests and binary build (bsc#1048046 and bsc#1051429).
• Remove the usage of 'cp -r' to reduce noise in the build logs.

This update for file fixes the following issues:
The following security vulnerabilities were addressed:

• CVE-2018-10360: Fixed an out-of-bounds read in the function do_core_note in readelf.c, which allowed remote attackers to cause a denial of service (application crash) via a crafted ELF file (bsc#1096974)
• CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c (bsc#1126118)
• CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf. c (bsc#1126119)
• CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c (bsc#1126117)

This update for cups fixes the following issues:

• Fixed validation of UTF-8 filenames to avoid crashes (bsc#1118118)

This update for aaa_base fixes the following issues:

• Restore old position of ssh/sudo source of profile (bsc#1118364).
• Update logic for JRE_HOME env variable (bsc#1128246)

This update for sqlite3 to version 3.27.2 fixes the following issue:
Security issue fixed:

• CVE-2018-20346: Fixed a remote code execution vulnerability in FTS3 (Magellan) (bsc#1119687).

This update for timezone fixes the following issues:
timezone was updated 2019a:

• Palestine 'springs forward' on 2019-03-30 instead of 2019-03-23
• Metlakatla 'fell back' to rejoin Alaska Time on 2019-01-20 at 02:00
• Israel observed DST in 1980 (08-02/09-13) and 1984 (05-05/08-25)
• zic now has an -r option to limit the time range of output data

This update for libnettle to version 3.4.1 fixes the following issues:
Issues addressed and new features:

• Updated to 3.4.1 (fate#327114 and bsc#1129598)
• Fixed a missing break statements in the parsing of PEM input files in pkcs1-conv.
• Fixed a link error on the pss-mgf1-test which was affecting builds without public key support.
• All functions using RSA private keys are now side-channel silent. This applies both to the bignum calculations, which now use GMP's mpn_sec_* family of functions, and the processing of PKCS#1 padding needed for RSA decryption.
• Changes in behavior: The functions rsa_decrypt and rsa_decrypt_tr may now clobber all of the provided message buffer, independent of the actual message length. They are side-channel silent, in that branches and memory accesses don't depend on the validity or length of the message. Side-channel leakage from the caller's use of length and return value may still provide an oracle useable for a Bleichenbacher-style chosen ciphertext attack. Which is why the new function rsa_sec_decrypt is recommended.

This update for chrony fixes the following issues:

• Fix ordering and dependencies of chronyd.service, so that it is started after name resolution is up (bsc#1129914).

This update for wget fixes the following issues:
Security issue fixed:

• CVE-2019-5953: Fixed a buffer overflow vulnerability which might cause code execution (bsc#1131493).

This update for tar fixes the following issues:
Security issues fixed:

• CVE-2019-9923: Fixed a denial of service while parsing certain archives with malformed extended headers in pax_decode_header() (bsc#1130496).
• CVE-2018-20482: Fixed a denial of service when the '--sparse' option mishandles file shrinkage during read access (bsc#1120610).

This update for python-rpm-macros fixes the following issues:
The Python RPM macros were updated to version 20190408.32abece, fixing bugs (bsc#1128323)

• Add missing $ expansion on the pytest call
• Rewrite pytest and pytest_arch into Lua macros with multiple arguments.
• We should preserve existing PYTHONPATH.
• Add --ignore to pytest calls to ignore build directories.
• Actually make pytest into function to capture arguments as well
• Add pytest definitions.
• Use upstream-recommended %{_rpmconfigdir}/macros.d directory for the rpm macros.
• Fix an issue with epoch printing having too many \
• add epoch while printing 'Provides:'

This update for python3 fixes the following issues:
Security issue fixed:

• CVE-2019-9636: Fixed an information disclosure because of incorrect handling of Unicode encoding during NFKC normalization (bsc#1129346).

This update for zlib fixes the following issues:

• Fixes a segmentation fault error (bsc#1110304, bsc#1129576)

This update for samba fixes the following issues:
Security issue fixed:

• CVE-2019-3880: Fixed a path/symlink traversal vulnerability, which allowed an unprivileged user to save registry files outside a share (bsc#1131060).

• Out of bound read in ldb_wildcard_compare
• Hold at most 10 outstanding paged result cookies
• Put 'results_store' into a doubly linked list
• Refuse to build Samba against a newer minor version of ldb

• Fixed update-apparmor-samba-profile script after apparmor switched to using named profiles (bsc#1126377).
• Abide to the load_printers parameter in smb.conf (bsc#1124223).
• Provide the 32bit samba winbind PAM module and its dependend 32bit libraries.

This update for sqlite3 to version 3.28.0 fixes the following issues:
Security issues fixed:

• CVE-2019-9936: Fixed a heap-based buffer over-read, when running fts5 prefix queries inside transaction (bsc#1130326).
• CVE-2019-9937: Fixed a denial of service related to interleaving reads and writes in a single transaction with an fts5 virtual table (bsc#1130325).

This update for bzip2 fixes the following issues:
Security issue fixed:

• CVE-2016-3189: Fixed a use-after-free in bzip2recover (bsc#985657).

This update for containerd, docker, docker-runc, go, go1.11, go1.12, golang-github-docker-libnetwork fixes the following issues:
Security issues fixed:

• CVE-2019-5736: containerd: Fixing container breakout vulnerability (bsc#1121967).
• CVE-2019-6486: go security release, fixing crypto/elliptic CPU DoS vulnerability affecting P-521 and P-384 (bsc#1123013).
• CVE-2018-16873: go secuirty release, fixing cmd/go remote command execution (bsc#1118897).
• CVE-2018-16874: go security release, fixing cmd/go directory traversal (bsc#1118898).
• CVE-2018-16875: go security release, fixing crypto/x509 CPU denial of service (bsc#1118899).

• Update to containerd v1.2.5, which is required for v18.09.5-ce (bsc#1128376, bsc#1134068).
• Update to runc 2b18fe1d885e, which is required for Docker v18.09.5-ce (bsc#1128376, bsc#1134068).
• Update to Docker 18.09.5-ce see upstream changelog in the packaged (bsc#1128376, bsc#1134068).
• docker-test: Improvements to test packaging (bsc#1128746).
• Move daemon.json file to /etc/docker directory (bsc#1114832).
• Revert golang(API) removal since it turns out this breaks >= requires in certain cases (bsc#1114209).
• Fix go build failures (bsc#1121397).

This update for aaa_base fixes the following issue:
* Shell detection in /etc/profile and /etc/bash.bashrc was broken within AppArmor-confined containers (bsc#1096191)

This update for python3 to version 3.6.8 fixes the following issues:
Security issue fixed:

• CVE-2019-9947: Fixed an issue in urllib2 which allowed CRLF injection if the attacker controls a url parameter (bsc#1130840).

• Fixed broken debuginfo packages by switching off LTO and PGO optimization (bsc#1133452).

This update for sles12sp3-docker-image, sles12sp4-image, system-user-root fixes the following issues:

• CVE-2019-5021: Include an invalidated root password by default, not an empty one (bsc#1134524)

This update for libtasn1 fixes the following issues:
Security issue fixed:

• CVE-2018-1000654: Fixed a denial of service in the asn1 parser (bsc#1105435).

This update for libpng16 fixes the following issues:
Security issues fixed:

• CVE-2019-7317: Fixed a use-after-free vulnerability, triggered when png_image_free() was called under png_safe_execute (bsc#1124211).
• CVE-2018-13785: Fixed a wrong calculation of row_factor in the png_check_chunk_length function in pngrutil.c, which could haved triggered and integer overflow and result in an divide-by-zero while processing a crafted PNG file, leading to a denial of service (bsc#1100687)

This update for vim fixes the following issue:
Security issue fixed:

• CVE-2019-12735: Fixed a potential arbitrary code execution vulnerability in getchar.c (bsc#1137443).

This update for e2fsprogs fixes the following issues:

• Check and fix tails of all bitmap blocks (bsc#1128383)

This update for elfutils fixes the following issues:
Security issues fixed:

• CVE-2017-7607: Fixed a heap-based buffer overflow in handle_gnu_hash (bsc#1033084)
• CVE-2017-7608: Fixed a heap-based buffer overflow in ebl_object_note_type_name() (bsc#1033085)
• CVE-2017-7609: Fixed a memory allocation failure in __libelf_decompress (bsc#1033086)
• CVE-2017-7610: Fixed a heap-based buffer overflow in check_group (bsc#1033087)
• CVE-2017-7611: Fixed a denial of service via a crafted ELF file (bsc#1033088)
• CVE-2017-7612: Fixed a denial of service in check_sysv_hash() via a crafted ELF file (bsc#1033089)
• CVE-2017-7613: Fixed denial of service caused by the missing validation of the number of sections and the number of segments in a crafted ELF file (bsc#1033090)
• CVE-2018-16062: Fixed a heap-buffer overflow in /elfutils/libdw/dwarf_getaranges.c:156 (bsc#1106390)
• CVE-2018-16402: Fixed a denial of service/double free on an attempt to decompress the same section twice (bsc#1107066)
• CVE-2018-16403: Fixed a heap buffer overflow in readelf (bsc#1107067)
• CVE-2018-18310: Fixed an invalid address read problem in dwfl_segment_report_module.c (bsc#1111973)
• CVE-2018-18520: Fixed bad handling of ar files inside are files (bsc#1112726)
• CVE-2018-18521: Fixed a denial of service vulnerabilities in the function arlib_add_symbols() used by eu-ranlib (bsc#1112723)
• CVE-2019-7150: dwfl_segment_report_module doesn't check whether the dyn data read from core file is truncated (bsc#1123685)
• CVE-2019-7665: NT_PLATFORM core file note should be a zero terminated string (bsc#1125007)

This update for libidn fixes the following issue:

• The missing libidn11-32bit compat library package was provided. (bsc#1132869)

This update for docker fixes the following issues:
Security issue fixed:

• CVE-2018-15664: Fixed an issue which could make docker cp vulnerable to symlink-exchange race attacks (bsc#1096726).

This update for dbus-1 fixes the following issues:
Security issue fixed:

• CVE-2019-12749: Fixed an implementation flaw in DBUS_COOKIE_SHA1 which could have allowed local attackers to bypass authentication (bsc#1137832).

This update for rpcbind fixes the following issues:

• Change rpcbind locking path from /var/run/rpcbind.lock to /run/rpcbind.lock. (bsc#1134659)
• Change the order of socket/service in the %postun scriptlet to avoid an error from rpcbind.socket when rpcbind is running during package update.

This update for xfsprogs fixes the following issues:

• xfs_repair: will now allow '/' in attribute names (bsc#1122271)
• xfs_repair: will now allow zeroing of corrupt log (bsc#1073421)
• enabdled offline (unmounted) filesystem geometry queries (bsc#1129859)

This update for xz fixes the following issues:
Add SUSE-Public-Domain licence as some parts of xz utils (liblzma, xz, xzdec, lzmadec, documentation, translated messages, tests, debug, extra directory) are in public domain licence [bsc#1135709]

This update for krb5 provides the following fix:

• Move LDAP schema files from /usr/share/doc/packages/krb5 to /usr/share/kerberos/ldap. (bsc#1134217)

This update for libssh fixes the following issue:
Issue addressed:

• Added support for new AES-GCM encryption types (bsc#1134193).

This update for ruby2.5 and ruby-bundled-gems-rpmhelper fixes the following issues:
Changes in ruby2.5:
Update to 2.5.5 and 2.5.4:
https://www.ruby-lang.org/en/news/2019/03/15/ruby-2-5-5-released/ https://www.ruby-lang.org/en/news/2019/03/13/ruby-2-5-4-released/
Security issues fixed:

• CVE-2019-8320: Delete directory using symlink when decompressing tar (bsc#1130627)
• CVE-2019-8321: Escape sequence injection vulnerability in verbose (bsc#1130623)
• CVE-2019-8322: Escape sequence injection vulnerability in gem owner (bsc#1130622)
• CVE-2019-8323: Escape sequence injection vulnerability in API response handling (bsc#1130620)
• CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution (bsc#1130617)
• CVE-2019-8325: Escape sequence injection vulnerability in errors (bsc#1130611)

• CVE-2018-16396: Tainted flags are not propagated in Array#pack and String#unpack with some directives (bsc#1112532)
• CVE-2018-16395: OpenSSL::X509::Name equality check does not work correctly (bsc#1112530)

• CVE-2017-17742: HTTP response splitting in WEBrick (bsc#1087434)
• CVE-2018-6914: Unintentional file and directory creation with directory traversal in tempfile and tmpdir (bsc#1087441)
• CVE-2018-8777: DoS by large request in WEBrick (bsc#1087436)
• CVE-2018-8778: Buffer under-read in String#unpack (bsc#1087433)
• CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket (bsc#1087440)
• CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in Dir (bsc#1087437)

• Multiple vulnerabilities in RubyGems were fixed:

• Fixed Net::POPMail methods modify frozen literal when using default arg
• ruby: change over of the Japanese Era to the new emperor May 1st 2019 (bsc#1133790)
• build with PIE support (bsc#1130028)

• Add a new helper for bundled ruby gems.

This update for libgcrypt fixes the following issues:

• Fixed redundant fips tests in some situations causing sudo to stop working when pam-kwallet is installed. bsc#1133808

This update for timezone fixes the following issues:

• Timezone update 2019b. (bsc#1140016): - Brazil no longer observes DST. - 'zic -b slim' outputs smaller TZif files. - Palestine's 2019 spring-forward transition was on 03-29, not 03-30. - Add info about the Crimea situation.

This update for expat fixes the following issues:
Security issue fixed:

• CVE-2018-20843: Fixed a denial of service triggered by high resource consumption in the XML parser when XML names contain a large amount of colons (bsc#1139937).

This update for bzip2 fixes the following issues:
Security issue fixed:

• CVE-2019-12900: Fixed an out-of-bounds write in decompress.c with many selectors (bsc#1139083).

This update for MozillaFirefox, mozilla-nss fixes the following issues:
MozillaFirefox to version ESR 60.8:

• CVE-2019-9811: Sandbox escape via installation of malicious language pack (bsc#1140868).
• CVE-2019-11711: Script injection within domain through inner window reuse (bsc#1140868).
• CVE-2019-11712: Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects (bsc#1140868).
• CVE-2019-11713: Use-after-free with HTTP/2 cached stream (bsc#1140868).
• CVE-2019-11729: Empty or malformed p256-ECDH public keys may trigger a segmentation fault (bsc#1140868).
• CVE-2019-11715: HTML parsing error can contribute to content XSS (bsc#1140868).
• CVE-2019-11717: Caret character improperly escaped in origins (bsc#1140868).
• CVE-2019-11719: Out-of-bounds read when importing curve25519 private key (bsc#1140868).
• CVE-2019-11730: Same-origin policy treats all files in a directory as having the same-origin (bsc#1140868).
• CVE-2019-11709: Multiple Memory safety bugs fixed (bsc#1140868).

• Added IPSEC IKE support to softoken
• Many new FIPS test cases

This update for libgcrypt fixes the following issues:
Security issue fixed:

• CVE-2019-12904: Fixed a flush-and-reload side-channel attack in the AES implementation (bsc#1138939).

This update for libxml2 fixes the following issues:

• Added a new configurable variable XPATH_DEFAULT_MAX_NODESET_LENGTH to avoid nodeset limit when processing large XML files. (bsc#1135123)

This update for docker fixes the following issues:

• Mark daemon.json as %config(noreplace) to not overwrite it during installation (bsc#1138920)

This update for bzip2 fixes the following issues:

• Fixed a regression with the fix for CVE-2019-12900, which caused incompatibilities with files that used many selectors (bsc#1139083).

This update for python3 fixes the following issues:
Security issue fixed:

• CVE-2019-10160: Fixed a regression in urlparse() and urlsplit() introduced by the fix for CVE-2019-9636 (bsc#1138459).
• CVE-2018-20852: Fixed an information leak where cookies could be send to the wrong server because of incorrect domain validation (bsc#1141853).

• Fixed an issue where the SIGINT signal was ignored or not handled (bsc#1094814).

This update for tcpdump fixes the following issues:
Security issues fixed:

• CVE-2019-1010220: Fixed a buffer over-read in print_prefix() which may expose data (bsc#1142439).
• CVE-2017-16808: Fixed a heap-based buffer over-read related to aoe_print() and lookup_emem() (bsc#1068716).

This update for libgcrypt fixes the following issues:

• Fixed a regression where system were unable to boot in fips mode, caused by an incomplete implementation of previous change (bsc#1097073).

This update for containerd, docker, docker-runc, golang-github-docker-libnetwork fixes the following issues:
Docker:

• CVE-2019-14271: Fixed a code injection if the nsswitch facility dynamically loaded a library inside a chroot (bsc#1143409).
• CVE-2019-13509: Fixed an information leak in the debug log (bsc#1142160).
• Update to version 19.03.1-ce, see changelog at /usr/share/doc/packages/docker/CHANGELOG.md (bsc#1142413, bsc#1139649).

• Use %config(noreplace) for /etc/docker/daemon.json (bsc#1138920).
• Update to runc 425e105d5a03, which is required by Docker (bsc#1139649).

• CVE-2019-5736: Fixed a container breakout vulnerability (bsc#1121967).
• Update to containerd v1.2.6, which is required by docker (bsc#1139649).

• Update to version git.fc5a7d91d54cc98f64fc28f9e288b46a0bee756c, which is required by docker (bsc#1142413, bsc#1139649).

This update for zlib fixes the following issues:

• Update the s390 patchset. (bsc#1137624)
• Tweak zlib-power8 to have type of crc32_vpmsum conform to usage. (bsc#1141059)
• Use FAT LTO objects in order to provide proper static library.
• Do not enable the previous patchset on s390 but just s390x. (bsc#1137624)
• Add patchset for s390 improvements. (jsc#SLE-5807, bsc#1136717)

This update for mozilla-nspr, mozilla-nss fixes the following issues:
mozilla-nss was updated to NSS 3.45 (bsc#1141322) :

• New function in pk11pub.h: PK11_FindRawCertsWithSubject
• The following CA certificates were Removed: CN = Certinomis - Root CA (bmo#1552374)
• Implement Delegated Credentials (draft-ietf-tls-subcerts) (bmo#1540403) This adds a new experimental function SSL_DelegateCredential Note: In 3.45, selfserv does not yet support delegated credentials (See bmo#1548360). Note: In 3.45 the SSLChannelInfo is left unmodified, while an upcoming change in 3.46 will set SSLChannelInfo.authKeyBits to that of the delegated credential for better policy enforcement (See bmo#1563078).
• Replace ARM32 Curve25519 implementation with one from fiat-crypto (bmo#1550579)
• Expose a function PK11_FindRawCertsWithSubject for finding certificates with a given subject on a given slot (bmo#1552262)
• Add IPSEC IKE support to softoken (bmo#1546229)
• Add support for the Elbrus lcc compiler (<=1.23) (bmo#1554616)
• Expose an external clock for SSL (bmo#1543874) This adds new experimental functions: SSL_SetTimeFunc, SSL_CreateAntiReplayContext, SSL_SetAntiReplayContext, and SSL_ReleaseAntiReplayContext. The experimental function SSL_InitAntiReplay is removed.
• Various changes in response to the ongoing FIPS review (bmo#1546477) Note: The source package size has increased substantially due to the new FIPS test vectors. This will likely prompt follow-on work, but please accept our apologies in the meantime.

• Changed prbit.h to use builtin function on aarch64.
• Removed Gonk/B2G references.

This update for aaa_base fixes the following issues:

• Make systemd detection cgroup oblivious. (bsc#1140647)

This update for pinentry fixes the following issues:

• Fix a dangling pointer in qt/main.cpp that caused crashes. (bsc#1141883)

This update for lmdb fixes the following issues:

• Fix occasional crash when freed pages landed on the dirty list twice (bsc#1136132).

This update for krb5 contains the following fixes:

• Integrate pam_keyinit PAM module, ksu-pam.d. (bsc#1081947)

This update for openldap2 fixes the following issues:
Security issue fixed:

• CVE-2019-13565: Fixed an authentication bypass when using SASL authentication and session encryption (bsc#1143194).
• CVE-2019-13057: Fixed an issue with delegated database admin privileges (bsc#1143273).
• CVE-2017-17740: When both the nops module and the member of overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. (bsc#1073313)

• Fixed broken shebang line in openldap_update_modules_path.sh (bsc#1114845).
• Create files in /var/lib/ldap/ during initial start to allow for transactional updates (bsc#1111388)
• Fixed incorrect post script call causing tmpfiles creation not to be run (bsc#1111388).

This update for aaa_base fixes the following issues:
Added sysctl.d/51-network.conf to tighten network security (bsc#1146866) (jira#SLE-9132)
Following settings have been tightened (and set to 0):

• net.ipv4.conf.all.accept_redirects
• net.ipv4.conf.default.accept_redirects
• net.ipv4.conf.default.accept_source_route
• net.ipv6.conf.all.accept_redirects
• net.ipv6.conf.default.accept_redirects

This update for expat fixes the following issues:
Security issues fixed:

• CVE-2019-15903: Fixed heap-based buffer over-read caused by crafted XML input. (bsc#1149429)

This update for libseccomp fixes the following issues:
Security issues fixed:

• CVE-2019-9893: An incorrect generation of syscall filters in libseccomp was fixed (bsc#1128828)

• Fix a BPF generation bug where the optimizer mistakenly identified duplicate BPF code blocks.

• Update the syscall table for Linux v5.0-rc5
• Added support for the SCMP_ACT_KILL_PROCESS action
• Added support for the SCMP_ACT_LOG action and SCMP_FLTATR_CTL_LOG attribute
• Added explicit 32-bit (SCMP_AX_32(...)) and 64-bit (SCMP_AX_64(...)) argument comparison macros to help protect against unexpected sign extension
• Added support for the parisc and parisc64 architectures
• Added the ability to query and set the libseccomp API level via seccomp_api_get(3) and seccomp_api_set(3)
• Return -EDOM on an endian mismatch when adding an architecture to a filter
• Renumber the pseudo syscall number for subpage_prot() so it no longer conflicts with spu_run()
• Fix PFC generation when a syscall is prioritized, but no rule exists
• Numerous fixes to the seccomp-bpf filter generation code
• Switch our internal hashing function to jhash/Lookup3 to MurmurHash3
• Numerous tests added to the included test suite, coverage now at ~92%
• Update our Travis CI configuration to use Ubuntu 16.04
• Numerous documentation fixes and updates

• Updated the syscall table for Linux v4.15-rc7

This update for sqlite3 fixes the following issues:
Security issue fixed:

• CVE-2019-16168: Fixed improper validation of sqlite_stat1 field that could lead to denial of service (bsc#1150137).

This update for tcpdump fixes the following issues:

• CVE-2017-16808: Fixed a heap-based buffer over-read related to aoe_print and lookup_emem (bsc#1068716 bsc#1153098).
• CVE-2018-10103: Fixed a mishandling of the printing of SMB data (bsc#1153098).
• CVE-2018-10105: Fixed a mishandling of the printing of SMB data (bsc#1153098).
• CVE-2018-14461: Fixed a buffer over-read in print-ldp.c:ldp_tlv_print (bsc#1153098).
• CVE-2018-14462: Fixed a buffer over-read in print-icmp.c:icmp_print (bsc#1153098).
• CVE-2018-14463: Fixed a buffer over-read in print-vrrp.c:vrrp_print (bsc#1153098).
• CVE-2018-14464: Fixed a buffer over-read in print-lmp.c:lmp_print_data_link_subobjs (bsc#1153098).
• CVE-2018-14465: Fixed a buffer over-read in print-rsvp.c:rsvp_obj_print (bsc#1153098).
• CVE-2018-14466: Fixed a buffer over-read in print-rx.c:rx_cache_find (bsc#1153098).
• CVE-2018-14467: Fixed a buffer over-read in print-bgp.c:bgp_capabilities_print (bsc#1153098).
• CVE-2018-14468: Fixed a buffer over-read in print-fr.c:mfr_print (bsc#1153098).
• CVE-2018-14469: Fixed a buffer over-read in print-isakmp.c:ikev1_n_print (bsc#1153098).
• CVE-2018-14470: Fixed a buffer over-read in print-babel.c:babel_print_v2 (bsc#1153098).
• CVE-2018-14879: Fixed a buffer overflow in the command-line argument parser (bsc#1153098).
• CVE-2018-14880: Fixed a buffer over-read in the OSPFv3 parser (bsc#1153098).
• CVE-2018-14881: Fixed a buffer over-read in the BGP parser (bsc#1153098).
• CVE-2018-14882: Fixed a buffer over-read in the ICMPv6 parser (bsc#1153098).
• CVE-2018-16227: Fixed a buffer over-read in the IEEE 802.11 parser in print-802_11.c for the Mesh Flags subfield (bsc#1153098).
• CVE-2018-16228: Fixed a buffer over-read in the HNCP parser (bsc#1153098).
• CVE-2018-16229: Fixed a buffer over-read in the DCCP parser (bsc#1153098).
• CVE-2018-16230: Fixed a buffer over-read in the BGP parser in print-bgp.c:bgp_attr_print (bsc#1153098).
• CVE-2018-16300: Fixed an unlimited recursion in the BGP parser that allowed denial-of-service by stack consumption (bsc#1153098).
• CVE-2018-16301: Fixed a buffer overflow (bsc#1153332 bsc#1153098).
• CVE-2018-16451: Fixed several buffer over-reads in print-smb.c:print_trans() for \MAILSLOT\BROWSE and \PIPE\LANMAN (bsc#1153098).
• CVE-2018-16452: Fixed a stack exhaustion in smbutil.c:smb_fdata (bsc#1153098).
• CVE-2019-15166: Fixed a bounds check in lmp_print_data_link_subobjs (bsc#1153098).
• CVE-2019-15167: Fixed a vulnerability in VRRP (bsc#1153098).

This update for e2fsprogs fixes the following issues:
Security issue fixed:

• CVE-2019-5094: Fixed an arbitrary code execution via specially crafted ext4 file systems. (bsc#1152101)

• libext2fs: Call fsync(2) to clear stale errors for a new a unix I/O channel. (bsc#1145716)

This update for rpcbind fixes the following issues:

• Return correct IP address with multiple ip addresses in the same subnet. (bsc#1142343)

This is a version update for pciutils-ids to version 20190830 (bsc#1133581, bsc#1127840)

This update for procps fixes the following issues:
procps was updated to 3.3.15. (bsc#1092100)
Following security issues were fixed:

• CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100).
• CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps maped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100).
• CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100).
• CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100).
• CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100).

• Fix CPU summary showing old data. (bsc#1121753)

• library: Increment to 8:0:1 No removals, no new functions Changes: slab and pid structures
• library: Just check for SIGLOST and don't delete it
• library: Fix integer overflow and LPE in file2strvec CVE-2018-1124
• library: Use size_t for alloc functions CVE-2018-1126
• library: Increase comm size to 64
• pgrep: Fix stack-based buffer overflow CVE-2018-1125
• pgrep: Remove >15 warning as comm can be longer
• ps: Fix buffer overflow in output buffer, causing DOS CVE-2018-1123
• ps: Increase command name selection field to 64
• top: Don't use cwd for location of config CVE-2018-1122
• update translations
• library: build on non-glibc systems
• free: fix scaling on 32-bit systems
• Revert 'Support running with child namespaces'
• library: Increment to 7:0:1 No changes, no removals New fuctions: numa_init, numa_max_node, numa_node_of_cpu, numa_uninit, xalloc_err_handler
• doc: Document I idle state in ps.1 and top.1
• free: fix some of the SI multiples
• kill: -l space between name parses correctly
• library: dont use vm_min_free on non Linux
• library: don't strip off wchan prefixes (ps & top)
• pgrep: warn about 15+ char name only if -f not used
• pgrep/pkill: only match in same namespace by default
• pidof: specify separator between pids
• pkill: Return 0 only if we can kill process
• pmap: fix duplicate output line under '-x' option
• ps: avoid eip/esp address truncations
• ps: recognizes SCHED_DEADLINE as valid CPU scheduler
• ps: display NUMA node under which a thread ran
• ps: Add seconds display for cputime and time
• ps: Add LUID field
• sysctl: Permit empty string for value
• sysctl: Don't segv when file not available
• sysctl: Read and write large buffers
• top: add config file support for XDG specification
• top: eliminated minor libnuma memory leak
• top: show fewer memory decimal places (configurable)
• top: provide command line switch for memory scaling
• top: provide command line switch for CPU States
• top: provides more accurate cpu usage at startup
• top: display NUMA node under which a thread ran
• top: fix argument parsing quirk resulting in SEGV
• top: delay interval accepts non-locale radix point
• top: address a wishlist man page NLS suggestion
• top: fix potential distortion in 'Mem' graph display
• top: provide proper multi-byte string handling
• top: startup defaults are fully customizable
• watch: define HOST_NAME_MAX where not defined
• vmstat: Fix alignment for disk partition format
• watch: Support ANSI 39,49 reset sequences

This update for timezone fixes the following issues:

• Fiji observes DST from 2019-11-10 to 2020-01-12.
• Norfolk Island starts observing Australian-style DST.

This update for fipscheck fixes the following issues:

• Remove #include of unused fips.h to fix build with OpenSSL 1.1.1 (bsc#1149792)

This update for nfs-utils fixes the following issues:

• CVE-2019-3689: Fixed root-owned files stored in insecure /var/lib/nfs. (bsc#1150733)

This update for python3 to 3.6.9 fixes the following issues:
Security issues fixed:

• CVE-2019-16056: Fixed a parser issue in the email module. (bsc#1149955)
• CVE-2019-16935: Fixed a reflected XSS in python/Lib/DocXMLRPCServer.py (bsc#1153238).

• Fixed regression of OpenSSL 1.1.1b-1 in EVP_PBE_scrypt() with salt=NULL. (bsc#1151490)
• Improved locale handling by implementing PEP 538.

This update for runc fixes the following issues:
Security issue fixed:

• CVE-2019-16884: Fixed an LSM bypass via malicious Docker images that mount over a /proc directory. (bsc#1152308)

• Includes upstreamed patches for regressions (bsc#1131314 bsc#1131553).

This update for aaa_base provides the following fixes:

• Check if variables can be set before modifying them to avoid warnings on login with a restricted shell. (bsc#1138869)
• Add s390x compressed kernel support. (bsc#1151023)
• service: Check if there is a second argument before using it. (bsc#1051143)

This update for ncurses fixes the following issues:
Security issues fixed:

• CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036).
• CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037).

• Removed screen.xterm from terminfo database (bsc#1103320).

This update for cups fixes the following issues:

• CVE-2019-8675: Fixed a stack buffer overflow in libcups's asn1_get_type function(bsc#1146358).
• CVE-2019-8696: Fixed a stack buffer overflow in libcups's asn1_get_packed function (bsc#1146359).

This update for cpio fixes the following issues:

• CVE-2019-14866: Fixed an improper validation of the values written in the header of a TAR file through the to_oct() function which could have led to unexpected TAR generation (bsc#1155199).

This update includes the GNU Compiler Collection 9.
A full changelog is provided by the GCC team on:
https://www.gnu.org/software/gcc/gcc-9/changes.html

The base system compiler libraries libgcc_s1, libstdc++6 and others are now built by the gcc 9 packages.
To use it, install 'gcc9' or 'gcc9-c++' or other compiler brands and use CC=gcc-9 / CXX=g++-9 during configuration for using it.

Security issues fixed:

• CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145)
• CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649)

• Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254)
• Fixed miscompilation for vector shift on s390. (bsc#1141897)

This update for libidn2 to version 2.2.0 fixes the following issues:

• CVE-2019-12290: Fixed an improper round-trip check when converting A-labels to U-labels (bsc#1154884).
• CVE-2019-18224: Fixed a heap-based buffer overflow that was caused by long domain strings (bsc#1154887).

This update for libxml2 doesn't fix any additional security issues, but correct its rpm changelog to reflect all CVEs that have been fixed over the past.

This update for e2fsprogs fixes the following issues:

• Make minimum size estimates more reliable for mounted filesystem. (bsc#1154295)

This update for aaa_base fixes the following issues:

• Use official key binding functions in inputrc that is replace up-history with previous-history, down-history with next-history and backward-delete-word with backward-kill-word. (bsc#1084934)
• Add some missed key escape sequences for urxvt-unicode terminal as well. (bsc#1007715)
• Clear broken ghost entry in patch which breaks 'readline'. (bsc#1157278)

This update for growpart, growpart-rootgrow contains the following fixes:
growpart:

• Removed rootgrow sub-package as it is a standalone package now. (bsc#1154357, jsc#ECO-550)

• Added growpart-rootgrow as a standalone package. (bsc#1154357, jsc#ECO-550)
• Bump from version 1.0.0 to 1.0.1: - Fixed binary location in service unit file.

This update for ca-certificates-mozilla, p11-kit fixes the following issues:
Changes in ca-certificates-mozilla:

• export correct p11kit trust attributes so Firefox detects built in certificates (bsc#1154871).

• support loading NSS attribute CKA_NSS_MOZILLA_CA_POLICY so Firefox detects built in certificates (bsc#1154871)

This update for libssh fixes the following issues:

• CVE-2019-14889: Fixed an arbitrary command execution (bsc#1158095).

This update for libgcrypt fixes the following issues:
Security issues fixed:

• CVE-2019-13627: Mitigation against an ECDSA timing attack (bsc#1148987).

• Added CMAC AES self test (bsc#1155339).
• Added CMAC TDES self test missing (bsc#1155338).
• Fix test dsa-rfc6979 in FIPS mode.

This update for mozilla-nspr, mozilla-nss fixes the following issues:
mozilla-nss was updated to NSS 3.47.1:
Security issues fixed:

• CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819).
• CVE-2019-11745: EncryptUpdate should use maxout, not block size (bsc#1158527).
• CVE-2019-11727: Fixed vulnerability sign CertificateVerify with PKCS#1 v1.5 signatures issue (bsc#1141322).

• Whitespace in C files was cleaned up and no longer uses tab characters for indenting.

This update for xfsprogs fixes the following issues:

• Remove the 'xfs_scrub_all' script from the package, and the corresponding dependency of python. (bsc#1157438)

This update for containerd, docker, docker-runc, golang-github-docker-libnetwork fixes the following issues:
Security issue fixed:

• CVE-2019-16884: Fixed incomplete patch for LSM bypass via malicious Docker image that mount over a /proc directory (bsc#1152308).

• Update to Docker 19.03.5-ce (bsc#1158590).
• Update to Docker 19.03.3-ce (bsc#1153367).
• Update to Docker 19.03.2-ce (bsc#1150397).
• Fixed default installation such that --userns-remap=default works properly (bsc#1143349).
• Fixed nginx blocked by apparmor (bsc#1122469).

This update for python3 to version 3.6.10 fixes the following issues:

• CVE-2017-18207: Fixed a denial of service in Wave_read._read_fmt_chunk() (bsc#1083507).
• CVE-2019-16056: Fixed an issue where email parsing could fail for multiple @ (bsc#1149955).
• CVE-2019-15903: Fixed a heap-based buffer over-read in libexpat (bsc#1149429).

This update for libssh fixes the following issues:

• CVE-2019-14889: Fixed an unwanted command execution in scp caused by unsanitized location (bsc#1158095).

This update for procps fixes the following issues:

• Fix for 'ps -C' allowing to accept any arguments longer than 15 characters anymore. (bsc#1158830)

This update for aaa_base fixes the following issues:

• Improves the way how the Java path is created to fix an issue with sapjvm. (bsc#1157794)
• Drop 'dev.cdrom.autoclose' = 0 from sysctl config. (bsc#1160970)

This update for e2fsprogs fixes the following issues:

• CVE-2019-5188: Fixed a code execution vulnerability in the directory rehashing functionality (bsc#1160571).

This update for p11-kit fixes the following issues:

• Also build documentation (bsc#1013125)

This update for dmidecode fixes the following issues:

• Add enumerated values from SMBIOS 3.3.0 preventing incorrect report of new VGA card. (bsc#1153533, bsc#1158833, jsc#SLE-10875)
• Only scan '/dev/mem' for entry point on x86 (fixes reboot on ARM64).
• Fix formatting of TPM table output (missing newlines).
• Fix displaying system slot information for PCIe SSD.

This update for openldap2 provides the following fix:

• Add libldap-data to the product (as it contains ldap.conf). (bsc#1158921)

This update for python-rpm-macros fixes the following issues:

• Add macros related to the Python dist metadata dependency generator. (bsc#1161770)

This update for lmdb fixes the following issues:

• Fix assert in LMBD during 'mdb_page_search_root'. (bsc#1159086).

This update for chrony fixes the following issues:

• Fix 'make check' builds made after 2019-12-20. Existing installations do not need to be updated as the bug only affects the test, but not chrony itself (bsc#1159840).

This update for libgcrypt fixes the following issues:

• ECDSA: Check range of coordinates (bsc#1161216)
• FIPS: libgcrypt DSA PQG parameter generation: Missing value [bsc#1161219]
• FIPS: libgcrypt DSA PQG verification incorrect results [bsc#1161215]
• FIPS: libgcrypt RSA siggen/keygen: 4k not supported [bsc#1161220]
• FIPS: keywrap gives incorrect results [bsc#1161218]
• FIPS: RSA/DSA/ECDSA are missing hashing operation [bsc#1155337]

This update for xfsprogs fixes the following issues:

• Allow the filesystem utility xfs_io to suffix sizes with k,m,g for kilobytes, megabytes or gigabytes respectively. (bsc#1158630)
• Validate extent size hint parameters through libxfs to avoid output mismatch. (bsc#1158509)
• Fix for 'xfs_repair' not to fail recovery of orphaned shortform directories. (bsc#1158504)
• Fix for 'xfs_quota' to avoid false error reporting of project inheritance flag is not set. (bsc#1158758)

This update for python3 fixes the following issues:
Security issues fixed:

• CVE-2019-9674: Improved the documentation to reflect the dangers of zip-bombs (bsc#1162825).
• CVE-2020-8492: Fixed a regular expression in urrlib that was prone to denial of service via HTTP (bsc#1162367).

• If the locale is 'C', coerce it to C.UTF-8 (bsc#1162423).

This update for aaa_base fixes the following issues:

• Change 'rp_filter' to increase the default priority to ethernet over the wifi. (bsc#1160735)

This update for cifs-utils fixes the following issues:
Update cifs-utils 6.9; (bsc#1132087); (bsc#1136031).

• follow SMB default version changes in the kernel.
• adds fixes for Azure
• new smbinfo utility

• Fix double-free in mount.cifs; (bsc#1149164).

This update for c-ares fixes the following issues:
c-ares version update to 1.15.0:

• Add ares_init_options() configurability for path to resolv.conf file
• Ability to exclude building of tools (adig, ahost, acountry) in CMake
• Report ARES_ENOTFOUND for .onion domain names as per RFC7686 (bsc#1125306)
• Apply the IPv6 server blacklist to all nameserver sources
• Prevent changing name servers while queries are outstanding
• ares_set_servers_csv() on failure should not leave channel in a bad state
• getaddrinfo - avoid infinite loop in case of NXDOMAIN
• ares_getenv - return NULL in all cases
• implement ares_getaddrinfo

• Fixed a regression in DNS results that contain both A and AAAA answers.
• Add netcfg as the build requirement and runtime requirement.

This update for pam fixes the following issues:

• Add libdb as build-time dependency to enable pam_userdb module. Enable pam_userdb.so (jsc#sle-7258, bsc#1164562)

This update for libgcrypt fixes the following issues:

• FIPS: Run the self-tests from the constructor [bsc#1164950]

This update for aaa_base fixes the following issues:

• get_kernel_version: fix for current kernel on s390x (bsc#1151023, bsc#1139939)
• added '-h'/'--help' to the command old
• change feedback url from http://www.suse.de/feedback to https://github.com/openSUSE/aaa_base/issues

This update for growpart fixes the following issues:

• Operation system disk is not automatically resized beyond 2TB on Azure hosts. (bsc#1164736)

This update for PAM fixes the following issue:

• The license of libdb linked against pam_userdb is not always wanted, so we temporary disabled pam_userdb again. It will be published in a different package at a later time. (bsc#1166510)

This update for suse-build-key fixes the following issues:

• created a new security@suse.de communication key (bsc#1166334)

This update for ruby2.5 toversion 2.5.7 fixes the following issues: ruby 2.5 was updated to version 2.5.7

• CVE-2020-8130: Fixed a command injection in intree copy of rake (bsc#1164804).
• CVE-2019-16255: Fixed a code injection vulnerability of Shell#[] and Shell#test (bsc#1152990).
• CVE-2019-16254: Fixed am HTTP response splitting in WEBrick (bsc#1152992).
• CVE-2019-15845: Fixed a null injection vulnerability of File.fnmatch and File.fnmatch? (bsc#1152994).
• CVE-2019-16201: Fixed a regular expression denial of service of WEBrick Digest access authentication (bsc#1152995).
• CVE-2012-6708: Fixed an XSS in JQuery
• CVE-2015-9251: Fixed an XSS in JQuery
• Fixed unit tests (bsc#1140844)
• Removed some unneeded test files (bsc#1162396).

This update for python3 fixes the following issue:

• Rename idle icons to idle3 in order to not conflict with python2 variant of the package (bsc#1165894)

This update for libgcrypt fixes the following issues:

• FIPS: Remove an unneeded check in _gcry_global_constructor (bsc#1164950)
• FIPS: Fix drbg to be threadsafe (bsc#1167674)
• FIPS: Run self-tests from constructor during power-on [bsc#1166748]

This update for mozilla-nss fixes the following issues:
Added various fixes related to FIPS certification:

• Use getrandom() to obtain entropy where possible.
• Make DSA KAT FIPS compliant.
• Use FIPS compliant hash when validating keypair.
• Enforce FIPS requirements on RSA key generation.
• Miscellaneous fixes to CAVS tests.
• Enforce FIPS limits on how much data can be processed without rekeying.
• Run self tests on library initialization in FIPS mode.
• Disable non-compliant algorithms in FIPS mode (hashes and the SEED cipher).
• Clear various temporary variables after use.
• Allow MD5 to be used in TLS PRF.
• Preferentially gather entropy from /dev/random over /dev/urandom.
• Allow enabling FIPS mode consistently with NSS_FIPS environment variable.
• Fix argument parsing bug in lowhashtest.

This update for pam fixes the following issues:

• Moved pam_userdb into a separate package pam-extra. (bsc#1166510)

This update for wget fixes the following issues:
wget was updated to 1.20.3, fixing various bugs, including:

• Fix for wget ignoring domains with leading '.' in environment variable 'no_proxy'. (bsc#1167919)

This update for xfsprogs fixes the following issues:

• xfs_quota: reformat commands in the manpage. (bsc#1167206) Reformat commands in the manpage so that fstest can check that each command is actually documented.

• xfs_db: document missing commands. (bsc#1167205) Document the commands 'attr_set', 'attr_remove', 'logformat' in the manpage.

• xfs_io: allow size suffixes for the copy_range command. (bsc#1158630) Allow the usage of size suffixes k,m,g for kilobytes, megabytes or gigabytes respectively for the copy_range command

This update for runc fixes the following issues:
runc was updated to v1.0.0~rc10

• CVE-2019-19921: Fixed a mount race condition with shared mounts (bsc#1160452).
• Fixed an issue where podman run hangs when spawned by salt-minion process (bsc#1149954).

This update for gmp, gnutls, libnettle fixes the following issues:
Security issue fixed:

• CVE-2020-11501: Fixed zero random value in DTLS client hello (bsc#1168345)

• FIPS: Install checksums for binary integrity verification which are required when running in FIPS mode (bsc#1152692, jsc#SLE-9518)
• FIPS: Fixed a cfb8 decryption issue, no longer truncate output IV if input is shorter than block size. (bsc#1166881)
• FIPS: Added Diffie Hellman public key verification test. (bsc#1155327)

This update for mozilla-nss fixes the following issues:

• Use secure_getenv() to avoid PR_GetEnvSecure() being called when NSPR is unavailable, resulting in an abort (bsc#1168669).

This update for e2fsprogs fixes the following issues:

• e2fsck: clarify overflow link count error message (bsc#1160979)
• ext2fs: update allocation info earlier in ext2fs_mkdir() (bsc#1160979)
• ext2fs: implement dir entry creation in htree directories (bsc#1160979)
• tests: add test to excercise indexed directories with metadata_csum (bsc#1160979)
• tune2fs: update dir checksums when clearing dir_index feature (bsc#1160979)

This update for libssh fixes the following issues:

• CVE-2020-1730: Fixed a possible denial of service when using AES-CTR (bsc#1168699).

This update for ruby2.5 to version 2.5.8 fixes the following issues:

• CVE-2020-10663: Unsafe Object Creation Vulnerability in JSON (bsc#1167244).
• CVE-2020-10933: Heap exposure vulnerability in the socket library (bsc#1168938).

This update for mozilla-nss fixes the following issues:

• This implements API mechanisms for performing DSA and ECDSA hash-and-sign in a single call, which will be required in future FIPS cycles (bsc#1169872).
• Always perform nssdbm checksumming on softoken load, even if nssdbm itself is not loaded.

This update for libgcrypt fixes the following issues:
This update for libgcrypt fixes the following issues:

• FIPS: Switch the PCT to use the new signature operation (bsc#1165539)
• FIPS: Verify that the generated signature and the original input differ in test_keys function for RSA, DSA and ECC (bsc#1165539)
• Add zero-padding when qx and qy have different lengths when assembling the Q point from affine coordinates.
• Ship the FIPS checksum file in the shared library package and create a separate trigger file for the FIPS selftests (bsc#1169569)

This update for cups fixes the following issues:

• CVE-2020-3898: Fixed a heap buffer overflow in ppdFindOption() (bsc#1168422).

This update for suse-build-key fixes the following issues:

• add a /usr/share/container-keys/ directory for GPG based Container verification.
• Add the SUSE build key as 'suse-container-key.asc'. (PM-1845 bsc#1170347)

This update for mozilla-nss fixes the following issues:

• FIPS: Add Softoken POSTs for new DSA and ECDSA hash-and-sign update functions. (bsc#1170571)
• FIPS: Add pairwise consistency check for CKM_SHA224_RSA_PKCS. Remove ditto checks for CKM_RSA_PKCS, CKM_DSA and CKM_ECDSA, since these are served by the new CKM_SHA224_RSA_PKCS, CKM_DSA_SHA224, CKM_ECDSA_SHA224 checks.
• FIPS: Replace bad attempt at unconditional nssdbm checksumming with a dlopen(), so it can be located consistently and perform its own self-tests.
• FIPS: This fixes an instance of inverted logic due to a boolean being mistaken for a SECStatus, which caused key derivation to fail when the caller provided a valid subprime.

This update for pciutils-ids fixes the following issues:

• Update the PCI utilities database to 20200324. (bsc#1170160)

This update for chrony fixes the following issues:

• Read runtime servers from /var/run/netconfig/chrony.servers (bsc#1099272, bsc#1161119)
• Move chrony-helper to /usr/lib/chrony/helper, because there should be no executables in /usr/share.
• Add chrony-pool-suse and chrony-pool-openSUSE subpackages that preconfigure chrony to use NTP servers from the respective pools for SUSE and openSUSE. (bsc#1156884, SLE-11424)
• Add chrony-pool-empty to still allow installing chrony without preconfigured servers.

This update for libgcrypt fixes the following issues:

• FIPS: libgcrypt: Fixed a double free in test_keys() on failed signature verification (bsc#1169944)

This update for openldap2 fixes the following issues:

• CVE-2020-12243: Fixed a denial of service related to recursive filters (bsc#1170771).

This update for gcc9 fixes the following issues:
This update ships the GCC 9.3 release.

• Includes a fix for Internal compiler error when building HepMC (bsc#1167898)
• Includes fix for binutils version parsing
• Add libstdc++6-pp provides and conflicts to avoid file conflicts with same minor version of libstdc++6-pp from gcc10.
• Add gcc9 autodetect -g at lto link (bsc#1149995)
• Install go tool buildid for bootstrapping go

This update for jq fixes the following issues:
jq was updated to version 1.6:

• Destructuring Alternation
• many new builtins (see docs)
• Add support for ASAN and UBSAN
• Make it easier to use jq with shebangs
• Add $ENV builtin variable to access environment
• Add JQ_COLORS env var for configuring the output colors
• change: Calling jq without a program argument now always assumes

• Make jq depend on libjq1, so upgrading jq upgrades both

This update for file fixes the following issues:
Security issues fixed:

• CVE-2019-18218: Fixed a heap-based buffer overflow in cdf_read_property_info() (bsc#1154661).

• Fixed broken '--help' output (bsc#1169512).

This update for libxml2 fixes the following issues:

• CVE-2019-20388: Fixed a memory leak in xmlSchemaPreRun (bsc#1161521).
• CVE-2019-19956: Fixed a memory leak (bsc#1159928).
• CVE-2020-7595: Fixed an infinite loop in an EOF situation (bsc#1161517).

This update for timezone fixes the following issues:

• timezone update 2020a. (bsc#1169582) * Morocco springs forward on 2020-05-31, not 2020-05-24. * Canada's Yukon advanced to -07 year-round on 2020-03-08. * America/Nuuk renamed from America/Godthab. * zic now supports expiration dates for leap second lists.

This update for grep fixes the following issues:

• Update testsuite expectations, no functional changes (bsc#1155271)

This update for python3 fixes the following issues:

• Changed the name of idle3 icons to idle3.png to avoid collision with Python 2 version (bsc#1165894).

This update for mozilla-nss fixes the following issues:
The following issues are fixed:

• Add AES Keywrap POST.
• Accept EACCES in lieu of ENOENT when trying to access /proc/sys/crypto/fips_enabled (bsc#1170908).

This update for freetype2 to version 2.10.1 fixes the following issues:
Security issue fixed:

• CVE-2018-6942: Fixed a NULL pointer dereference within ttinerp.c (bsc#1079603).

• Update to version 2.10.1 * The bytecode hinting of OpenType variation fonts was flawed, since the data in the `CVAR' table wasn't correctly applied. * Auto-hinter support for Mongolian. * The handling of the default character in PCF fonts as introduced in version 2.10.0 was partially broken, causing premature abortion of charmap iteration for many fonts. * If `FT_Set_Named_Instance' was called with the same arguments twice in a row, the function returned an incorrect error code the second time. * Direct rendering using FT_RASTER_FLAG_DIRECT crashed (bug introduced in version 2.10.0). * Increased precision while computing OpenType font variation instances. * The flattening algorithm of cubic Bezier curves was slightly changed to make it faster. This can cause very subtle rendering changes, which aren't noticeable by the eye, however. * The auto-hinter now disables hinting if there are blue zones defined for a `style' (i.e., a certain combination of a script and its related typographic features) but the font doesn't contain any characters needed to set up at least one blue zone.
• Add tarball signatures and freetype2.keyring

• Update to version 2.10.0 * A bunch of new functions has been added to access and process COLR/CPAL data of OpenType fonts with color-layered glyphs. * As a GSoC 2018 project, Nikhil Ramakrishnan completely overhauled and modernized the API reference. * The logic for computing the global ascender, descender, and height of OpenType fonts has been slightly adjusted for consistency. * `TT_Set_MM_Blend' could fail if called repeatedly with the same arguments. * The precision of handling deltas in Variation Fonts has been increased.The problem did only show up with multidimensional designspaces. * New function `FT_Library_SetLcdGeometry' to set up the geometry of LCD subpixels. * FreeType now uses the `defaultChar' property of PCF fonts to set the glyph for the undefined character at glyph index 0 (as FreeType already does for all other supported font formats). As a consequence, the order of glyphs of a PCF font if accessed with FreeType can be different now compared to previous versions. This change doesn't affect PCF font access with cmaps. * `FT_Select_Charmap' has been changed to allow parameter value `FT_ENCODING_NONE', which is valid for BDF, PCF, and Windows FNT formats to access built-in cmaps that don't have a predefined `FT_Encoding' value. * A previously reserved field in the `FT_GlyphSlotRec' structure now holds the glyph index. * The usual round of fuzzer bug fixes to better reject malformed fonts. * `FT_Outline_New_Internal' and `FT_Outline_Done_Internal' have been removed.These two functions were public by oversight only and were never documented. * A new function `FT_Error_String' returns descriptions of error codes if configuration macro FT_CONFIG_OPTION_ERROR_STRINGS is defined. * `FT_Set_MM_WeightVector' and `FT_Get_MM_WeightVector' are new functions limited to Adobe MultiMaster fonts to directly set and get the weight vector.

• Enable subpixel rendering with infinality config:

• Re-enable freetype-config, there is just too many fallouts.

• Update to version 2.9.1 * Type 1 fonts containing flex features were not rendered correctly (bug introduced in version 2.9). * CVE-2018-6942: Older FreeType versions can crash with certain malformed variation fonts. * Bug fix: Multiple calls to `FT_Get_MM_Var' returned garbage. * Emboldening of bitmaps didn't work correctly sometimes, showing various artifacts (bug introduced in version 2.8.1). * The auto-hinter script ranges have been updated for Unicode 11. No support for new scripts have been added, however, with the exception of Georgian Mtavruli.
• freetype-config is now deprecated by upstream and not enabled by default.

• Update to version 2.10.1 * The `ftmulti' demo program now supports multiple hidden axes with the same name tag. * `ftview', `ftstring', and `ftgrid' got a `-k' command line option to emulate a sequence of keystrokes at start-up. * `ftview', `ftstring', and `ftgrid' now support screen dumping to a PNG file. * The bytecode debugger, `ttdebug', now supports variation TrueType fonts; a variation font instance can be selected with the new `-d' command line option.
• Add tarball signatures and freetype2.keyring

• Update to version 2.10.0 * The `ftdump' demo program has new options `-c' and `-C' to display charmaps in compact and detailed format, respectively. Option `-V' has been removed. * The `ftview', `ftstring', and `ftgrid' demo programs use a new command line option `-d' to specify the program window's width, height, and color depth. * The `ftview' demo program now displays red boxes for zero-width glyphs. * `ftglyph' has limited support to display fonts with color-layered glyphs.This will be improved later on. * `ftgrid' can now display bitmap fonts also. * The `ttdebug' demo program has a new option `-f' to select a member of a TrueType collection (TTC). * Other various improvements to the demo programs.

• Remove 'Supplements: fonts-config' to avoid accidentally pulling in Qt dependencies on some non-Qt based desktops.(bsc#1091109) fonts-config is fundamental but ft2demos seldom installs by end users. only fonts-config maintainers/debuggers may use ft2demos along to debug some issues.

• Update to version 2.9.1 * No changelog upstream.

This update for libgcrypt fixes the following issues:

• FIPS: RSA/DSA/ECC test_keys() print out debug messages only in debug mode (bsc#1171872)

This update for systemd-presets-branding-SLE fixes the following issues:
Cleanup of outdated autostart services (bsc#1171656):

• Remove acpid.service. acpid is only available on SLE via openSUSE backports. In openSUSE acpid.service is *not* autostarted. I see no reason why it should be on SLE.
• Remove spamassassin.timer. This timer never seems to have existed. Instead spamassassin ships a 'sa-update.timer'. But it is not default-enabled and nobody ever complained about this.
• Remove snapd.apparmor.service: This service was proactively added a year ago, but snapd didn't even make it into openSUSE yet. There's no reason to keep this entry unless snapd actually enters SLE which is not foreseeable.

This update for zlib fixes the following issues:

• Including the latest fixes from IBM (bsc#1166260) IBM Z mainframes starting from version z15 provide DFLTCC instruction, which implements deflate algorithm in hardware with estimated compression and decompression performance orders of magnitude faster than the current zlib and ratio comparable with that of level 1.
• Add SUSE specific fix to solve bsc#1138793. The fix will avoid to test if the app was linked with exactly same version of zlib like the one that is present on the runtime.

This update for python-rpm-macros fixes the following issue:

• Update to version 20200207.5feb6c1 (bsc#1171561) * Do not write .pyc files for tests

This update for aaa_base fixes the following issues:

• Not all XTerm based emulators do have a terminfo entry. (bsc#1087982)
• Better support of Midnight Commander. (bsc#1170527)

This update for libxml2 fixes the following issues:

• CVE-2019-19956: Reverted the upstream fix for this memory leak because it introduced other, more severe vulnerabilities (bsc#1172021).

This update for timezone fixes the following issue:

• zdump --version reported 'unknown' (bsc#1172055)

This update for vim fixes the following issues:

• CVE-2019-20807: Fixed an issue where escaping from the restrictive mode of vim was possible using interfaces (bsc#1172225).

This update for chrony fixes the following issue:

• Use iburst in the default pool statements to speed up initial synchronization. (bsc#1172113)

This update for containerd, docker, docker-runc, golang-github-docker-libnetwork fixes the following issues:
Docker was updated to 19.03.11-ce runc was updated to version 1.0.0-rc10 containerd was updated to version 1.2.13

• CVE-2020-13401: Fixed an issue where an attacker with CAP_NET_RAW capability, could have crafted IPv6 router advertisements, and spoof external IPv6 hosts, resulting in obtaining sensitive information or causing denial of service (bsc#1172377).

This update for mozilla-nspr, mozilla-nss fixes the following issues:
mozilla-nss was updated to version 3.53

• CVE-2020-12399: Fixed a timing attack on DSA signature generation (bsc#1171978).
• CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819).

This update for curl fixes the following issues:

• CVE-2020-8177: Fixed an issue where curl could have been tricked by a malicious server to overwrite a local file when using the -J option (bsc#1173027).
• CVE-2020-8169: Fixed an issue where could have led to partial password leak over DNS on HTTP redirect (bsc#1173026).

This update for krb5 fixes the following issue:

• Call systemd to reload the services instead of init-scripts. (bsc#1169357)

This update for lvm2 fixes the following issues:

• Fix potential data loss problem with LVM cache (bsc#1172566)

This update for dracut fixes the following issues:

• 35network-legacy: Fix dual stack setups. (bsc#1172807)
• 95iscsi: fix missing space when compiling cmdline args. (bsc#1172816)

This update for python3 fixes the following issues:

• CVE-2020-14422: Fixed an improper computation of hash values in the IPv4Interface and IPv6Interface could have led to denial of service (bsc#1173274).

This update for zstd fixes the following issues:

• Fix for build error caused by wrong static libraries. (bsc#1133297)
• Correction in spec file marking the license as documentation. (bsc#1082318)
• Add new package for SLE-15. (jsc#ECO-1886)

This update for mozilla-nss fixes the following issues:
mozilla-nss was updated to version 3.53.1

• CVE-2020-12402: Fixed a potential side channel attack during RSA key generation (bsc#1173032)
• Fixed various FIPS issues in libfreebl3 which were causing segfaults in the test suite of chrony (bsc#1168669).

This update for fontforge, ghostscript-fonts, ttf-converter, xorg-x11-fonts fixes the following issues:
Changes in fontforge:

• Support transforming bitmap glyphs from python. (bsc#1169444)
• Allow python-Sphinx >= 3

• Update from version 1.0 to version 1.0.6: * ftdump is now shipped additionally as new dependency for ttf-converter * Standardize output when converting vector and bitmap fonts * Add more subfamilies fixes (bsc#1169444) * Add --family and --subfamily arguments to force values on those fields * Add parameters to fix glyph unicode values --fix-glyph-unicode : Try to fix unicode points and glyph names based on glyph names containing hexadecimal codes (like '$0C00', 'char12345' or 'uni004F') --replace-unicode-values: When passed 2 comma separated numbers a,b the glyph with an unicode value of a is replaced with the unicode value b. Can be used more than once.

• Use ttf-converter 1.0.6 to build an Italic version of cu12.pcf.gz in the converted subpackage
• Include the subfamily in the filename of converted fonts
• Use ttf-converter's new bitmap font support to convert Schumacher Clean and Schumacher Clean Wide (bsc#1169444 #c41)
• Replace some unicode values in cu-pua12.pcf.gz to fix them
• Shift some unicode values in arabic24.pcf.gz and cuarabic12.pcf.gz so glyphs don't pretend to be latin characters when they're not.
• Don't distribute converted fonts with wrong unicode values in their glyphs. (bsc#1169444) Bitstream-Charter-*.otb, Cursor.ttf,Sun-OPEN-LOOK-*.otb, MUTT-ClearlyU-Devangari-Extra-Regular, MUTT-ClearlyU-Ligature-Wide-Regular, and MUTT-ClearlyU-Devanagari-Regular

• Force the converted Nimbus Mono font to be monospaced. (bsc#1169444 #c41) Use the --force-monospaced argument of ttf-converter 1.0.3

This update for openldap2 fixes the following issues:

• CVE-2020-8023: Fixed a potential local privilege escalation from ldap to root when OPENLDAP_CONFIG_BACKEND='ldap' was used (bsc#1172698).
• Changed DB_CONFIG to root:ldap permissions (bsc#1172704).

This update for libsolv, libzypp, zypper fixes the following issues:
libsolv was updated to:

• Enable zstd compression support for sle15

• Print switch abbrev warning to stderr (bsc#1172925)
• Fix typo in man page (bsc#1169947)

• Fix core dump with corrupted history file (bsc#1170801)
• Enable zchunk metadata download if libsolv supports it.
• Better handling of the purge-kernels algorithm. (bsc#1173106)

This update for dracut fixes the following issues:

• Update to version 049.1+suse.152.g8506e86f: * 01fips: modprobe failures during manual module loading is not fatal. (bsc#bsc#1169997) * 91zipl: parse-zipl.sh: honor SYSTEMD_READY. (bsc#1165828) * 95iscsi: fix ipv6 target discovery. (bsc#1172807) * 35network-legacy: correct conditional for creating did-setup file. (bsc#1172807)

• Update to version 049.1+suse.148.gc4a6c2dd: * 95fcoe: load 'libfcoe' module as a fallback. (bsc#1173560) * 99base: enable the initqueue in both 'dracut --add-device' and 'dracut --mount' cases. (bsc#1161573)

This update for cracklib fixes the following issues:

• Fixed a buffer overflow when processing long words.

This update for libsolv, libzypp, yast2-packager, yast2-pkg-bindings fixes the following issues:
libsolv:

• No source changes, just shipping it as an installer update (required by yast2-pkg-bindings).

• Proactively send credentials if the URL specifes '?auth=basic' and a username. (bsc#1174011)
• ZYPP_MEDIA_CURL_DEBUG: Strip credentials in header log. (bsc#1174011)

• Handle variable expansion in repository name. (bsc#1172477)
• Improve medium type detection, do not report Online medium when the /media.1/products file is missing in the repository, SMT does not mirror this file. (bsc#1173336)

• Extensions to handle raw repository name. (bsc#1172477)

This update for efivar fixes the following issues:

• fix logic that checks for UCS-2 string termination (bsc#1127544)
• fix casting of IPv4 addresses
• Don't require an EUI for NVMe (bsc#1100077)
• Add support for ACPI Generic Container and Embedded Controller root nodes (bsc#1101023)
• fix for compilation failures bsc#1120862

The python based packages google-compute-engine-init and google-compute-engine-oslogin were deprecated and are now replaced by the new Go based packages google-guest-agent, google-guest-configs, and google-guest-oslogin (jsc#ECO-2099)

This update for diffutils fixes the following issue:

• Disable a sporadically failing test for ppc64 and ppc64le builds. (bsc#1156913)

This update for ca-certificates-mozilla fixes the following issues:
Update to 2.42 state of the Mozilla NSS Certificate store (bsc#1174673)
Removed CAs:
* AddTrust External CA Root * AddTrust Class 1 CA Root * LuxTrust Global Root 2 * Staat der Nederlanden Root CA - G2 * Symantec Class 1 Public Primary Certification Authority - G4 * Symantec Class 2 Public Primary Certification Authority - G4 * VeriSign Class 3 Public Primary Certification Authority - G3
Added CAs:
* certSIGN Root CA G2 * e-Szigno Root CA 2017 * Microsoft ECC Root Certificate Authority 2017 * Microsoft RSA Root Certificate Authority 2017

This update for supportutils-plugin-suse-public-cloud and python3-azuremetadata fixes the following issues:
supportutils-plugin-suse-public-cloud:

• Fixes an error when supportutils-plugin-suse-public-cloud and supportutils-plugin-salt are installed at the same time (bsc#1174618)
• Sensitive information like credentials (such as access keys) will be removed when the metadata is being collected (bsc#1170475, bsc#1170476)

• Added latest support for `--listapis` and `--api` (bsc#1173238, bsc#1173240)
• Detects when the VM is running in ASM (Azure Classic) and does now handle the condition to generate the data without requiring access to the full IMDS available, only in ARM instances (bsc#1173357, bsc#1174847)

This update for sysfsutils fixes the following issue:

• Fix cdev name comparison. (bsc#1155305)

This update for python3 fixes the following issues:

• bsc#1174091, CVE-2019-20907: avoiding possible infinite loop in specifically crafted tarball.

This update for supportutils-plugin-suse-public-cloud contains the following fix:

• Update to version 1.0.5: (bsc#1175250, bsc#1175251) + Query for new GCE initialization code packages

This update for e2fsprogs fixes the following issues:

• Fix for an issue when system message with placeholders are not properly replaced. (bsc#1170964)

This update for zlib provides the following fixes:

• Permit a deflateParams() parameter change as soon as possible. (bsc#1174736)
• Fix DFLTCC not flushing EOBS when creating raw streams. (bsc#1174551)

This update for nfs-utils fixes the following issues:

• Fix a bug when concurrent 'gssd' requests arrive from kernel, causing hanging NFS mounts. (bsc#1174260)

This update for avahi fixes the following issues:

• When changing ownership of /var/lib/autoipd, only change ownership of files owned by avahi, to mitigate against possible exploits (bsc#1154063).

This update for curl fixes the following issues:

• An application that performs multiple requests with libcurl's multi API and sets the 'CURLOPT_CONNECT_ONLY' option, might in rare circumstances experience that when subsequently using the setup connect-only transfer, libcurl will pick and use the wrong connection and instead pick another one the application has created since then. [bsc#1175109, CVE-2020-8231]

This update for dracut fixes the following issues:
Update from version 049.1+suse.152.g8506e86f to version 049.1+suse.156.g7d852636:

• net-lib.sh: support infiniband network mac addresses (bsc#996146)
• 95nfs: use ip_params_for_remote_addr() (bsc#1167494)
• 95iscsi: use ip_params_for_remote_addr() (bsc#1167494)
• dracut-functions: add ip_params_for_remote_addr() helper (bsc#1167494)

This update for iputils fixes the following issue:

• ping: Remove workaround for bug in IP_RECVERR on raw sockets. (bsc#927831)

This update for openldap2 fixes the following issues:

• bsc#1174154 - CVE-2020-15719 - This resolves an issue with x509 SAN's falling back to CN validation in violation of rfc6125.

This update for libxml2 fixes the following issues:

• CVE-2020-24977: Fixed a global-buffer-overflow in xmlEncodeEntitiesInternal (bsc#1176179).

This update for zlib fixes the following issues:

• Fix compression level switching (bsc#1175811, bsc#1175830, bsc#1175831)
• Enable hardware compression on s390/s390x (jsc#SLE-13776)

This update for google-guest-agent, google-guest-configs, google-guest-oslogin contains the following fixes:

• Update to version 20200819.00. (bsc#1175740, bsc#1175741) * handle oslogin enable/disable cases (#70). (bsc#1175173) * add README (#69) * Fix metric for addIPForwardEntry (#68) * Correctly determine default route index (#67) * oslogin: dont add entry to pam.d/su (#66) * end group.conf with newline (#64) * Add source field in googet spec (#59) * Set route to metadata on interface with default route (#47) * fix typo in boto.cfg (#62)
• Properly handle enabling of systemd services when upgrading from the old google-compute-engine-init package (bsc#1174745)

• Update to version 20200626.00. (bsc#1175740, bsc#1175741) * Updates the udev rules for local SSD disks. (#9) * Fix tx affinity logic when number of CPUs is above 32 (#6)

• Switch udev requires to pkgconfig to allow the build service to use the -mini package for build optimization

• Update to version 20200819.00. (bsc#1175740, bsc#1175741) * deny non-2fa users (#37) * use asterisks instead (#39) * set passwords to ! (#38) * correct index 0 bug (#36) * Support security key generated OTP challenges. (#35)

• No post action for ssh

This update for krb5 fixes the following issue:

• Fix prefix reported by krb5-config, libraries and headers are not installed under /usr/lib/mit prefix. (bsc#1174079)

This update for openldap2 fixes the following issues:

• CVE-2020-8027: openldap_update_modules_path.sh starts daemons unconditionally and uses fixed paths in /tmp (bsc#1175568).

This update for cifs-utils fixes the following issues:

• CVE-2020-14342: Fixed a shell command injection vulnerability in mount.cifs (bsc#1174477).
• Fixed an invalid free in mount.cifs; (bsc#1152930).

This update for nfs-utils fixes the following issue:

• Some scripts are requiring Python2 while it is not installed by default and they can work with Python3. (bsc#1173104)

This update for libzypp, zypper provides the following fixes:
Changes in libzypp:

• VendorAttr: Const-correct API and let Target provide its settings. (bsc#1174918)
• Support buildnr with commit hash in purge-kernels. This adds special behaviour for when a kernel version has the rebuild counter before the kernel commit hash. (bsc#1175342)
• Improve Italian translation of the 'breaking dependencies' message. (bsc#1173529)
• Make sure reading from lsof does not block forever. (bsc#1174240)
• Just collect details for the signatures found.

• man: Enhance description of the global package cache. (bsc#1175592)
• man: Point out that plain rpm packages are not downloaded to the global package cache. (bsc#1173273)
• Directly list subcommands in 'zypper help'. (bsc#1165424)
• Remove extern C block wrapping augeas.h as it breaks the build on Arch Linux.
• Point out that plaindir repos do not follow symlinks. (bsc#1174561)
• Fix help command for list-patches.

This update for suse-build-key fixes the following issues:

• The SUSE Notary Container key is different from the build signing key, include this key instead as suse-container-key. (PM-1845 bsc#1170347)

• The SUSE build key for SUSE Linux Enterprise 12 and 15 is extended by 4 more years. (bsc#1176759)

This update for lvm2 fixes the following issues:

• Fixed an issue when the hot spares in LVM not added automatically. (bsc#1175110)

This update for openssl-1_1 fixes the following issues:
FIPS:

• Include ECDH/DH Requirements from SP800-56Arev3 (bsc#1175844, bsc#1173470).
• Add shared secret KAT to FIPS DH selftest (bsc#1175844).

This update for efivar fixes the following issues:

• Fixed an issue when segmentation fault are caused on non-EFI systems. (bsc#1175989)

This update for gnutls fixes the following issues:

• Fix heap buffer overflow in handshake with no_renegotiation alert sent (CVE-2020-24659 bsc#1176181)
• FIPS: Implement (EC)DH requirements from SP800-56Arev3 (bsc#1176086)
• FIPS: Use 2048 bit prime in DH selftest (bsc#1176086)
• FIPS: Add TLS KDF selftest (bsc#1176671)

This update for aaa_base fixes the following issues:

• DIR_COLORS (bug#1006973): - add screen.xterm-256color - add TERM rxvt-unicode-256color - sort and merge TERM entries in etc/DIR_COLORS
• check for Packages.db and use this instead of Packages. (bsc#1171762)
• Rename path() to _path() to avoid using a general name.
• refresh_initrd call modprobe as /sbin/modprobe (bsc#1011548)
• etc/profile add some missing ;; in case esac statements
• profile and csh.login: on s390x set TERM to dumb on dumb terminal (bsc#1153946)
• backup-rpmdb: exit if zypper is running (bsc#1161239)
• Add color alias for ip command (jsc#sle-9880, jsc#SLE-7679, bsc#1153943)

This update for openssl-1_1 fixes the following issues:

• Restore private key check in EC_KEY_check_key (bsc#1177479)

This update for bind fixes the following issues:
BIND was upgraded to version 9.16.6:
Note:

• bind is now more strict in regards to DNSSEC. If queries are not working, check for DNSSEC issues. For instance, if bind is used in a namserver forwarder chain, the forwarding DNS servers must support DNSSEC.

• CVE-2020-8616: Further limit the number of queries that can be triggered from a request. Root and TLD servers are no longer exempt from max-recursion-queries. Fetches for missing name server. (bsc#1171740) Address records are limited to 4 for any domain.
• CVE-2020-8617: Replaying a TSIG BADTIME response as a request could trigger an assertion failure. (bsc#1171740)
• CVE-2019-6477: Fixed an issue where TCP-pipelined queries could bypass the tcp-clients limit (bsc#1157051).
• CVE-2018-5741: Fixed the documentation (bsc#1109160).
• CVE-2020-8618: It was possible to trigger an INSIST when determining whether a record would fit into a TCP message buffer (bsc#1172958).
• CVE-2020-8619: It was possible to trigger an INSIST in lib/dns/rbtdb.c:new_reference() with a particular zone content and query patterns (bsc#1172958).
• CVE-2020-8624: 'update-policy' rules of type 'subdomain' were incorrectly treated as 'zonesub' rules, which allowed keys used in 'subdomain' rules to update names outside of the specified subdomains. The problem was fixed by making sure 'subdomain' rules are again processed as described in the ARM (bsc#1175443).
• CVE-2020-8623: When BIND 9 was compiled with native PKCS#11 support, it was possible to trigger an assertion failure in code determining the number of bits in the PKCS#11 RSA public key with a specially crafted packet (bsc#1175443).
• CVE-2020-8621: named could crash in certain query resolution scenarios where QNAME minimization and forwarding were both enabled (bsc#1175443).
• CVE-2020-8620: It was possible to trigger an assertion failure by sending a specially crafted large TCP DNS message (bsc#1175443).
• CVE-2020-8622: It was possible to trigger an assertion failure when verifying the response to a TSIG-signed request (bsc#1175443).

• Add engine support to OpenSSL EdDSA implementation.
• Add engine support to OpenSSL ECDSA implementation.
• Update PKCS#11 EdDSA implementation to PKCS#11 v3.0.
• Warn about AXFR streams with inconsistent message IDs.
• Make ISC rwlock implementation the default again.
• Fixed issues when using cookie-secrets for AES and SHA2 (bsc#1161168)
• Installed the default files in /var/lib/named and created chroot environment on systems using transactional-updates (bsc#1100369, fate#325524)
• Fixed an issue where bind was not working in FIPS mode (bsc#906079).
• Fixed dependency issues (bsc#1118367 and bsc#1118368).
• GeoIP support is now discontinued, now GeoIP2 is used(bsc#1156205).
• Fixed an issue with FIPS (bsc#1128220).
• The liblwres library is discontinued upstream and is no longer included.
• Added service dependency on NTP to make sure the clock is accurate when bind is starts (bsc#1170667, bsc#1170713).
• Reject DS records at the zone apex when loading master files. Log but otherwise ignore attempts to add DS records at the zone apex via UPDATE.
• The default value of 'max-stale-ttl' has been changed from 1 week to 12 hours.
• Zone timers are now exported via statistics channel.
• The 'primary' and 'secondary' keywords, when used as parameters for 'check-names', were not processed correctly and were being ignored.
• 'rndc dnstap -roll ' did not limit the number of saved files to .
• Add 'rndc dnssec -status' command.
• Addressed a couple of situations where named could crash.
• Changed /var/lib/named to owner root:named and perms rwxrwxr-t so that named, being a/the only member of the 'named' group has full r/w access yet cannot change directories owned by root in the case of a compromized named. [bsc#1173307, bind-chrootenv.conf]
• Added '/etc/bind.keys' to NAMED_CONF_INCLUDE_FILES in /etc/sysconfig/named to suppress warning message re missing file (bsc#1173983).
• Removed '-r /dev/urandom' from all invocations of rndc-confgen (init/named system/lwresd.init system/named.init in vendor-files) as this option is deprecated and causes rndc-confgen to fail. (bsc#1173311, bsc#1176674, bsc#1170713)
• /usr/bin/genDDNSkey: Removing the use of the -r option in the call of /usr/sbin/dnssec-keygen as BIND now uses the random number functions provided by the crypto library (i.e., OpenSSL or a PKCS#11 provider) as a source of randomness rather than /dev/random. Therefore the -r command line option no longer has any effect on dnssec-keygen. Leaving the option in genDDNSkey as to not break compatibility. Patch provided by Stefan Eisenwiener. [bsc#1171313]
• Put libns into a separate subpackage to avoid file conflicts in the libisc subpackage due to different sonums (bsc#1176092).
• Require /sbin/start_daemon: both init scripts, the one used in systemd context as well as legacy sysv, make use of start_daemon.

This update for iproute2 provides the following fix:

• Add the iproute2-arpd sub-package to the SLE Basesystem module. (bsc#1175281)

This update for gcc10, nvptx-tools fixes the following issues:
This update provides the GCC10 compiler suite and runtime libraries.
The base SUSE Linux Enterprise libraries libgcc_s1, libstdc++6 are replaced by the gcc10 variants.
The new compiler variants are available with '-10' suffix, you can specify them via:
CC=gcc-10 CXX=g++-10
or similar commands.
For a detailed changelog check out https://gcc.gnu.org/gcc-10/changes.html
Changes in nvptx-tools:

• Enable build on aarch64

This update for procps fixes the following issues:

• Fixes an issue when command 'ps -C' does not allow anymore an argument longer than 15 characters. (bsc#1158830)

This update for mozilla-nss fixes the following issue:

• FIPS: Adjust the Diffie-Hellman and Elliptic Curve Diffie-Hellman algorithms to be NIST SP800-56Arev3 compliant (bsc#1176173).

This update for file fixes the following issues:

• Fixes an issue when file displays broken 'ELF' interpreter. (bsc#1176123)

This update for chrony fixes the following issues:

• Integrate three upstream patches to fix an infinite loop in chronyc. (bsc#1171806)

This update for freetype2 fixes the following issues:

• CVE-2020-15999: fixed a heap buffer overflow found in the handling of embedded PNG bitmaps (bsc#1177914).

This update for libsolv, libzypp, yaml-cpp, zypper fixes the following issues:
libzypp was updated to 17.25.1:

• When kernel-rt has been installed, the purge-kernels service fails during boot. (bsc#1176902)
• Use package name provides as group key in purge-kernel (bsc#1176740 bsc#1176192) kernel-default-base has new packaging, where the kernel uname -r does not reflect the full package version anymore. This patch adds additional logic to use the most generic/shortest edition each package provides with %{packagename}= to group the kernel packages instead of the rpm versions. This also changes how the keep-spec for specific versions is applied, instead of matching the package versions, each of the package name provides will be matched.
• RepoInfo: Return the type of the local metadata cache as fallback (bsc#1176435)
• VendorAttr: Fix broken 'suse,opensuse' equivalence handling. Enhance API and testcases. (bsc#1174918)
• Update docs regarding 'opensuse' namepace matching.
• Link against libzstd to close libsolvs open references (as we link statically)

• The libyaml-cpp0_6 library package is added the to the Basesystem module, LTSS and ESPOS channels, and the INSTALLER channels, as a new libzypp dependency.

• info: Assume descriptions starting with '

  ' are richtext (bsc#935885)

• help: prevent 'whatis' from writing to stderr (bsc#1176712)
• wp: point out that command is aliased to a search command and searches case-insensitive (jsc#SLE-16271)

• make testcase_mangle_repo_names deal correctly with freed repos [bsc#1177238]
• fix deduceq2addedmap clearing bits outside of the map
• conda: feature depriorization first
• conda: fix startswith implementation
• move find_update_seeds() call in cleandeps calculation
• set SOLVABLE_BUILDHOST in rpm and rpmmd parsers
• new testcase_mangle_repo_names() function
• new solv_fmemopen() function

This update for catatonit fixes the following issues:

• Fixes an issue when catatonit hangs when process dies in very specific way. (bsc#1176155)

This update for sysconfig fixes the following issues:

• Fix for 'netconfig' to run with a new library including fallback to the previous location. (bsc#1176285)
• Fix for changing content of such files like '/etc/resolv.conf' to avoid linked applications re-read them and unnecessarily re-initializes themselves accordingly. (bsc#1176325)
• Fix for 'chrony helper' calling in background. (bsc#1173391)
• Fix for configuration file by creating a symlink for it to prevent false ownership on the file. (bsc#1159566)

This update for timezone fixes the following issues:

• timezone update 2020b (bsc#1177460) * Revised predictions for Morocco's changes starting in 2023. * Canada's Yukon changes to -07 on 2020-11-01, not 2020-03-08. * Macquarie Island has stayed in sync with Tasmania since 2011. * Casey, Antarctica is at +08 in winter and +11 in summer. * zic no longer supports -y, nor the TYPE field of Rules.

This update for timezone fixes the following issues:

• Generate 'fat' timezone files (was default before 2020b). (bsc#1178346, bsc#1178350, bsc#1178353)
• Palestine ends DST earlier than predicted, on 2020-10-24. (bsc#1177460)
• Fiji starts DST later than usual, on 2020-12-20. (bsc#1177460)

This update for ca-certificates-mozilla fixes the following issues:
The SSL Root CA store was updated to the 2.44 state of the Mozilla NSS Certificate store (bsc#1177864)

• Removed CAs:

• Added CAs:

This update for SUSEConnect fixes the following issues:

• Recognize more formats when parsing the '.curlrc' for proxy credentials. (bsc#1155027)
• Add 'rpmlintrc' to filter false-positive warning about patch not applied
• Extend the YaST API in order to access to the package search functionality. (jsc#SLE-9109)

This update for mozilla-nss fixes the following issues:

• Fixes an issue for Mozilla Firefox which has failed in fips mode (bsc#1174697)
• FIPS: Adjust the Diffie-Hellman and Elliptic Curve Diffie-Hellman algorithms to be NIST SP800-56Arev3 compliant (bsc#1176173).

This update for google-osconfig-agent fixes the following issues:
This update ships the google-osconfig-agent in version 20200929.00 (bsc#1176427, bsc#1178249, jsc#ECO-2702, jsc#PM-2203)

This update for rsyslog fixes the following issues:

• Fix the URL for bug reporting. (bsc#1173433)
• ship rsyslog-module-mmnormalize module which was forgotten in GA (bsc#1178627)

This update for openldap2 fixes the following issues:

• CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387).

This update for tcpdump fixes the following issues:

• CVE-2020-8037: Fixed an issue where PPP decapsulator did not allocate the right buffer size (bsc#1178466).

This update for krb5 fixes the following security issue:

• CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512).

This update for dmidecode fixes the following issues:

• Add partial support for SMBIOS 3.4.0. (bsc#1174257)
• Skip details of uninstalled memory modules. (bsc#1174257)

This update for pam and sudo fixes the following issue:
pam:

• pam_xauth: do not *free* a string which has been successfully passed to *putenv*. (bsc#1177858)
• Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727)
• Run /usr/bin/xauth using the old user's and group's identifiers. (bsc#1174593)

• Fix a problem with pam_xauth which checks effective and real uids to get the real identity of the user. (bsc#1174593)

This update for c-ares fixes the following issues:

• Version update to 1.17.0 * CVE-2020-8277: Fixed a Denial of Service through DNS request (bsc#1178882) * For further details see https://c-ares.haxx.se/changelog.html

This update for vim doesn't fix any user visible issues and it is optional to install.

• Introduce vim-small package with reduced requirements for small installations (bsc#1166602).
• Stop owning /etc/vimrc so the old, distro provided config actually gets removed.
• Own some dirs in vim-data-common so installation of vim-small doesn't leave not owned directories. (bsc#1173256)
• Add vi as slave to update-alternatives so that every package has a matching 'vi' symlink. (bsc#1174564, bsc#1176549)

This update for dracut fixes the following issues:

• Update from version 049.1+suse.156.g7d852636 to version 049.1+suse.171.g65b2addf: - dracut.sh: FIPS workaround for openssl-libs (bsc#1178217) - 01fips: turn info calls into fips_info calls (bsc#1164076) - 00systemd: add missing cryptsetup-related targets (bsc#1177811)

This update for python-setuptools fixes the following issues:

• Fixed a directory traversal in _download_http_url() (bsc#1176262 CVE-2019-20916)

This update for rsyslog fixes the following issue:

• Fix location and naming of journald dropin. (bsc#1178288)

This update for libusb-1_0 fixes the following issues:

• Fixes a build failure for libusb for the inclusion of 'sys/time.h' on PowerPC. (bsc#1178376)